Fix TLV type defs and config size for HTTP migrate

2024-11-20 14:39:22 +01:00 · 2017-10-04 10:42:40 +10:00 · 2017-10-04 10:42:40 +10:00 · db20322182
commit db20322182
parent 32ddcf716f
7 changed files with 32 additions and 12 deletions
--- a/c/meterpreter/source/extensions/python/Lib/meterpreter/core.py
+++ b/c/meterpreter/source/extensions/python/Lib/meterpreter/core.py
@ -104,7 +104,8 @@ TLV_TYPE_TRANS_PROXY_USER      = TLV_META_TYPE_STRING  | 437
 TLV_TYPE_TRANS_PROXY_PASS      = TLV_META_TYPE_STRING  | 438
 TLV_TYPE_TRANS_RETRY_TOTAL     = TLV_META_TYPE_UINT    | 439
 TLV_TYPE_TRANS_RETRY_WAIT      = TLV_META_TYPE_UINT    | 440
-TLV_TYPE_TRANS_GROUP           = TLV_META_TYPE_GROUP   | 441
+TLV_TYPE_TRANS_HEADERS         = TLV_META_TYPE_STRING  | 441
+TLV_TYPE_TRANS_GROUP           = TLV_META_TYPE_GROUP   | 442

 TLV_TYPE_MACHINE_ID            = TLV_META_TYPE_STRING  | 460
 TLV_TYPE_UUID                  = TLV_META_TYPE_RAW     | 461
--- a/c/meterpreter/source/server/server_setup_win.c
+++ b/c/meterpreter/source/server/server_setup_win.c
@ -240,7 +240,7 @@ static void config_create(Remote* remote, LPBYTE uuid, MetsrvConfig** config, LP
 		// extend memory appropriately
 		DWORD neededSize = t->get_config_size(t);

-		dprintf("[CONFIG] Allocating %u bytes for transport, total of %u bytes", neededSize, s);
+		dprintf("[CONFIG] Allocating %u bytes for transport, total of %u bytes", neededSize, s + neededSize);

 		sess = (MetsrvSession*)realloc(sess, s + neededSize);

--- a/c/meterpreter/source/server/win/server_transport_winhttp.c
+++ b/c/meterpreter/source/server/win/server_transport_winhttp.c
@ -855,6 +855,7 @@ void transport_write_http_config(Transport* transport, MetsrvTransportHttp* conf
 {
 	HttpTransportContext* ctx = (HttpTransportContext*)transport->ctx;

+	dprintf("[HTTP CONF] Writing timeouts");
 	config->common.comms_timeout = transport->timeouts.comms;
 	config->common.retry_total = transport->timeouts.retry_total;
 	config->common.retry_wait = transport->timeouts.retry_wait;
@ -862,35 +863,43 @@ void transport_write_http_config(Transport* transport, MetsrvTransportHttp* conf

 	if (ctx->ua)
 	{
+		dprintf("[HTTP CONF] Writing UA");
 		wcsncpy(config->ua, ctx->ua, UA_SIZE);
 	}

 	if (ctx->cert_hash)
 	{
+		dprintf("[HTTP CONF] Writing cert hash");
 		memcpy(config->ssl_cert_hash, ctx->cert_hash, CERT_HASH_SIZE);
 	}

 	if (ctx->proxy)
 	{
+		dprintf("[HTTP CONF] Writing proxy");
 		wcsncpy(config->proxy.hostname, ctx->proxy, PROXY_HOST_SIZE);
 	}

 	if (ctx->proxy_user)
 	{
+		dprintf("[HTTP CONF] Writing user");
 		wcsncpy(config->proxy.username, ctx->proxy_user, PROXY_USER_SIZE);
 	}

 	if (ctx->proxy_pass)
 	{
+		dprintf("[HTTP CONF] Writing pass");
 		wcsncpy(config->proxy.password, ctx->proxy_pass, PROXY_PASS_SIZE);
 	}

 	if (ctx->custom_headers)
 	{
+		dprintf("[HTTP CONF] Writing custom headers");
 		// let's hope they've allocated the right amount of space based on what we told them
 		// in transport_get_config_size_http
 		wcscpy(config->custom_headers, ctx->custom_headers);
 	}
+
+	dprintf("[HTTP CONF] Done.");
 }

 /*!
@ -900,7 +909,7 @@ void transport_write_http_config(Transport* transport, MetsrvTransportHttp* conf
 */
 static DWORD transport_get_config_size_http(Transport* t)
 {
-	DWORD size = sizeof(MetsrvTransportNamedPipe);
+	DWORD size = sizeof(MetsrvTransportHttp);

 	// Make sure we account for the custom headers, if there are any, which aren't
 	// of a predetermined size.
--- a/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/HttpTransport.java
+++ b/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/HttpTransport.java
@ -101,6 +101,10 @@ public class HttpTransport extends Transport {
        this.certHash = certHash;
    }

+    public String getCustomHeaders() {
+        return this.customHeaders;
+    }
+
    public void disconnect() {
    }

--- a/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/TLVType.java
+++ b/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/TLVType.java
@ -62,7 +62,8 @@ public interface TLVType {
    public static final int TLV_TYPE_TRANS_PROXY_PASS   = TLVPacket.TLV_META_TYPE_STRING | 438;
    public static final int TLV_TYPE_TRANS_RETRY_TOTAL  = TLVPacket.TLV_META_TYPE_UINT   | 439;
    public static final int TLV_TYPE_TRANS_RETRY_WAIT   = TLVPacket.TLV_META_TYPE_UINT   | 440;
-    public static final int TLV_TYPE_TRANS_GROUP        = TLVPacket.TLV_META_TYPE_GROUP  | 441;
+    public static final int TLV_TYPE_TRANS_HEADERS      = TLVPacket.TLV_META_TYPE_STRING | 441;
+    public static final int TLV_TYPE_TRANS_GROUP        = TLVPacket.TLV_META_TYPE_GROUP  | 442;

    public static final int TLV_TYPE_MACHINE_ID   = TLVPacket.TLV_META_TYPE_STRING | 460;
    public static final int TLV_TYPE_UUID         = TLVPacket.TLV_META_TYPE_RAW    | 461;
--- a/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/core/core_transport_list.java
+++ b/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/core/core_transport_list.java
@ -47,6 +47,10 @@ public class core_transport_list implements Command {
                if (h.getCertHash() != null) {
                    transportData.add(TLVType.TLV_TYPE_TRANS_CERT_HASH, h.getCertHash());
                }
+
+                if (h.getCustomHeaders() != null) {
+                    transportData.add(TLVType.TLV_TYPE_TRANS_HEADERS, h.getCustomHeaders());
+                }
            }

            response.addOverflow(TLVType.TLV_TYPE_TRANS_GROUP, transportData);
--- a/powershell/MSF.Powershell/Meterpreter/Enumerations.cs
+++ b/powershell/MSF.Powershell/Meterpreter/Enumerations.cs
@ -82,7 +82,8 @@ namespace MSF.Powershell.Meterpreter
        TransProxyPass = MetaType.String | 438,
        TransRetryTotal = MetaType.Uint | 439,
        TransRetryWait = MetaType.Uint | 440,
-        TransGroup = MetaType.Group | 441,
+        TransHeaders = MetaType.String | 441,
+        TransGroup = MetaType.Group | 442,

        MachineId = MetaType.String | 460,
        Uuid = MetaType.Raw | 461,