From db20322182b39f9fc7efebef49dca51dfec0d659 Mon Sep 17 00:00:00 2001
From: OJ
Date: Wed, 4 Oct 2017 10:42:40 +1000
Subject: [PATCH] Fix TLV type defs and config size for HTTP migrate
---
 .../extensions/python/Lib/meterpreter/core.py | 3 ++-
 .../source/server/server_setup_win.c | 2 +-
 .../server/win/server_transport_winhttp.c | 25 +++++++++++++------
 .../metasploit/meterpreter/HttpTransport.java | 4 +++
 .../com/metasploit/meterpreter/TLVType.java | 3 ++-
 .../meterpreter/core/core_transport_list.java | 4 +++
 .../Meterpreter/Enumerations.cs | 3 ++-
 7 files changed, 32 insertions(+), 12 deletions(-)
diff --git a/c/meterpreter/source/extensions/python/Lib/meterpreter/core.py b/c/meterpreter/source/extensions/python/Lib/meterpreter/core.py
index 7adbcbdd..7f1b91e5 100644
--- a/c/meterpreter/source/extensions/python/Lib/meterpreter/core.py
+++ b/c/meterpreter/source/extensions/python/Lib/meterpreter/core.py
@@ -104,7 +104,8 @@ TLV_TYPE_TRANS_PROXY_USER = TLV_META_TYPE_STRING | 437
 TLV_TYPE_TRANS_PROXY_PASS = TLV_META_TYPE_STRING | 438
 TLV_TYPE_TRANS_RETRY_TOTAL = TLV_META_TYPE_UINT | 439
 TLV_TYPE_TRANS_RETRY_WAIT = TLV_META_TYPE_UINT | 440
-TLV_TYPE_TRANS_GROUP = TLV_META_TYPE_GROUP | 441
+TLV_TYPE_TRANS_HEADERS = TLV_META_TYPE_STRING | 441
+TLV_TYPE_TRANS_GROUP = TLV_META_TYPE_GROUP | 442
 TLV_TYPE_MACHINE_ID = TLV_META_TYPE_STRING | 460
 TLV_TYPE_UUID = TLV_META_TYPE_RAW | 461
diff --git a/c/meterpreter/source/server/server_setup_win.c b/c/meterpreter/source/server/server_setup_win.c
index 1f8ae6bc..fe83b334 100755
--- a/c/meterpreter/source/server/server_setup_win.c
+++ b/c/meterpreter/source/server/server_setup_win.c
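Review bot: Renumbering TLV_TYPE_TRANS_GROUP from 441 to 442 changes the wire identity of an already-defined type, so a peer still built with the old table would read a 442 group as an unknown type and a 441 header string as the group; nothing next to the two new lines records that the tables must change in lockstep. The same renumbering is repeated in TLVType.java and Enumerations.cs later in this patch, and any other copy of the table in the project that this patch does not touch would need the same edit. A comment above the pair, `# wire values: keep in step with TLVType.java, Enumerations.cs and every other TLV table`, would make the coupling visible to the next person who appends a type here.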
@@ -240,7 +240,7 @@ static void config_create(Remote* remote, LPBYTE uuid, MetsrvConfig** config, LP
 // extend memory appropriately
 DWORD neededSize = t->get_config_size(t);
- dprintf("[CONFIG] Allocating %u bytes for transport, total of %u bytes", neededSize, s);
+ dprintf("[CONFIG] Allocating %u bytes for transport, total of %u bytes", neededSize, s + neededSize);
 sess = (MetsrvSession*)realloc(sess, s + neededSize);
diff --git a/c/meterpreter/source/server/win/server_transport_winhttp.c b/c/meterpreter/source/server/win/server_transport_winhttp.c
index 83f2f889..fa777921 100755
--- a/c/meterpreter/source/server/win/server_transport_winhttp.c
+++ b/c/meterpreter/source/server/win/server_transport_winhttp.c
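Review bot: The realloc on the last line of the hunk assigns its result straight back to `sess`, so a failed reallocation replaces the only pointer to the existing session buffer with NULL; the original block then leaks and the writes into the grown buffer that presumably follow would dereference NULL. The corrected log message is fine, but the growth step would be safer as `MetsrvSession* grown = (MetsrvSession*)realloc(sess, s + neededSize);` followed by `if (grown == NULL) { /* release sess and report the failure */ }` and `sess = grown;`. config_create starts and ends outside this hunk, so how a failure should be surfaced to the caller cannot be seen from here.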
@@ -855,42 +855,51 @@ void transport_write_http_config(Transport* transport, MetsrvTransportHttp* conf
 {
 HttpTransportContext* ctx = (HttpTransportContext*)transport->ctx;
+ dprintf("[HTTP CONF] Writing timeouts");
 config->common.comms_timeout = transport->timeouts.comms;
 config->common.retry_total = transport->timeouts.retry_total;
 config->common.retry_wait = transport->timeouts.retry_wait;
 wcsncpy(config->common.url, transport->url, URL_SIZE);
 if (ctx->ua)
- {
+ {
+ dprintf("[HTTP CONF] Writing UA");
 wcsncpy(config->ua, ctx->ua, UA_SIZE);
 }
 if (ctx->cert_hash)
- {
+ {
+ dprintf("[HTTP CONF] Writing cert hash");
 memcpy(config->ssl_cert_hash, ctx->cert_hash, CERT_HASH_SIZE);
 }
 if (ctx->proxy)
- {
+ {
+ dprintf("[HTTP CONF] Writing proxy");
 wcsncpy(config->proxy.hostname, ctx->proxy, PROXY_HOST_SIZE);
 }
 if (ctx->proxy_user)
- {
+ {
+ dprintf("[HTTP CONF] Writing user");
 wcsncpy(config->proxy.username, ctx->proxy_user, PROXY_USER_SIZE);
 }
 if (ctx->proxy_pass)
- {
+ {
+ dprintf("[HTTP CONF] Writing pass");
 wcsncpy(config->proxy.password, ctx->proxy_pass, PROXY_PASS_SIZE);
 }
 if (ctx->custom_headers)
- {
+ {
+ dprintf("[HTTP CONF] Writing custom headers");
 // let's hope they've allocated the right amount of space based on what we told them
 // in transport_get_config_size_http
 wcscpy(config->custom_headers, ctx->custom_headers);
- }
+ }
+
+ dprintf("[HTTP CONF] Done.");
 }
 /*!
@@ -900,7 +909,7 @@ void transport_write_http_config(Transport* transport, MetsrvTransportHttp* conf
 */
 static DWORD transport_get_config_size_http(Transport* t)
 {
- DWORD size = sizeof(MetsrvTransportNamedPipe);
+ DWORD size = sizeof(MetsrvTransportHttp);
 // Make sure we account for the custom headers, if there are any, which aren't
 // of a predetermined size.
diff --git a/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/HttpTransport.java b/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/HttpTransport.java
index a1370c7f..715903d5 100644
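Review bot: Every wcsncpy in this hunk copies up to exactly the destination size (URL_SIZE, UA_SIZE, PROXY_HOST_SIZE, PROXY_USER_SIZE, PROXY_PASS_SIZE), so a value that fills its field is stored without a terminating NUL and whatever later reads the migrated config could run past the end of that field; the added dprintf lines do not change this. Unless the caller is known to zero-fill config before this function runs, the safer pattern is to copy one less and terminate explicitly, e.g. `wcsncpy(config->common.url, transport->url, URL_SIZE - 1); config->common.url[URL_SIZE - 1] = L'\0';`, applied to the five wide-string fields alike. The unbounded wcscpy of custom_headers still depends on the size computed in transport_get_config_size_http (the following hunk), which the "let's hope" comment only alludes to; replacing that comment with `// custom_headers is sized by transport_get_config_size_http; change both together` would state the invariant rather than the hope.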
--- a/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/HttpTransport.java
+++ b/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/HttpTransport.java
@@ -101,6 +101,10 @@ public class HttpTransport extends Transport {
 this.certHash = certHash;
 }
+ public String getCustomHeaders() {
+ return this.customHeaders;
+ }
+
 public void disconnect() {
 }
diff --git a/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/TLVType.java b/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/TLVType.java
index 46b905a1..d8616428 100644
--- a/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/TLVType.java
+++ b/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/TLVType.java
@@ -62,7 +62,8 @@ public interface TLVType {
 public static final int TLV_TYPE_TRANS_PROXY_PASS = TLVPacket.TLV_META_TYPE_STRING | 438;
 public static final int TLV_TYPE_TRANS_RETRY_TOTAL = TLVPacket.TLV_META_TYPE_UINT | 439;
 public static final int TLV_TYPE_TRANS_RETRY_WAIT = TLVPacket.TLV_META_TYPE_UINT | 440;
- public static final int TLV_TYPE_TRANS_GROUP = TLVPacket.TLV_META_TYPE_GROUP | 441;
+ public static final int TLV_TYPE_TRANS_HEADERS = TLVPacket.TLV_META_TYPE_STRING | 441;
+ public static final int TLV_TYPE_TRANS_GROUP = TLVPacket.TLV_META_TYPE_GROUP | 442;
 public static final int TLV_TYPE_MACHINE_ID = TLVPacket.TLV_META_TYPE_STRING | 460;
 public static final int TLV_TYPE_UUID = TLVPacket.TLV_META_TYPE_RAW | 461;
diff --git a/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/core/core_transport_list.java b/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/core/core_transport_list.java
index ab2588b4..37d72334 100644
--- a/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/core/core_transport_list.java
+++ b/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/core/core_transport_list.java
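Review bot: getCustomHeaders is added without Javadoc, and since core_transport_list later in this patch tests its result for null, the nullable contract is worth stating where the accessor is declared. A one-line comment above the method, `/** Raw custom HTTP header block for this transport, or {@code null} when none was set. */`, captures what the caller's null check assumes; whether an empty string can also occur is not visible from this hunk. The rest of HttpTransport, including where customHeaders is assigned, lies outside the hunk.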
@@ -47,6 +47,10 @@ public class core_transport_list implements Command {
 if (h.getCertHash() != null) {
 transportData.add(TLVType.TLV_TYPE_TRANS_CERT_HASH, h.getCertHash());
 }
+
+ if (h.getCustomHeaders() != null) {
+ transportData.add(TLVType.TLV_TYPE_TRANS_HEADERS, h.getCustomHeaders());
+ }
 }
 response.addOverflow(TLVType.TLV_TYPE_TRANS_GROUP, transportData);
diff --git a/powershell/MSF.Powershell/Meterpreter/Enumerations.cs b/powershell/MSF.Powershell/Meterpreter/Enumerations.cs
index 232a610a..860635a7 100755
--- a/powershell/MSF.Powershell/Meterpreter/Enumerations.cs
+++ b/powershell/MSF.Powershell/Meterpreter/Enumerations.cs
@@ -82,7 +82,8 @@ namespace MSF.Powershell.Meterpreter
 TransProxyPass = MetaType.String | 438,
 TransRetryTotal = MetaType.Uint | 439,
 TransRetryWait = MetaType.Uint | 440,
- TransGroup = MetaType.Group | 441,
+ TransHeaders = MetaType.String | 441,
+ TransGroup = MetaType.Group | 442,
 MachineId = MetaType.String | 460,
 Uuid = MetaType.Raw | 461,