From ee807408ec84e8270af917fcefc4dd9a56009814 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Tue, 22 Mar 2016 16:06:43 +1000
Subject: [PATCH] Beginning of work on the building blocks for PSH->Meterp
 bindings

---
 c/meterpreter/source/common/common.h          |   2 +-
 .../source/extensions/powershell/powershell.c |   2 +
 .../powershell/powershell_bindings.cpp        |  47 ++++++
 .../powershell/powershell_bindings.h          |  13 ++
 .../powershell/powershell_bridge.cpp          |   2 +-
 .../ext_server_powershell.vcxproj             |   2 +
 powershell/MSF.Powershell/Enumerations.cs     | 148 ++++++++++++++++++
 .../MSF.Powershell/MSF.Powershell.csproj      |   3 +
 .../MSF.PowershellTester/Program.cs           |  18 ++-
 powershell/MSF.Powershell/Meterpreter.cs      |  59 +++++++
 powershell/MSF.Powershell/Tlv.cs              | 108 +++++++++++++
 11 files changed, 397 insertions(+), 7 deletions(-)
 create mode 100755 c/meterpreter/source/extensions/powershell/powershell_bindings.cpp
 create mode 100755 c/meterpreter/source/extensions/powershell/powershell_bindings.h
 create mode 100755 powershell/MSF.Powershell/Enumerations.cs
 create mode 100755 powershell/MSF.Powershell/Meterpreter.cs
 create mode 100755 powershell/MSF.Powershell/Tlv.cs

diff --git a/c/meterpreter/source/common/common.h b/c/meterpreter/source/common/common.h
index 45889798..c0c5ea0c 100755
--- a/c/meterpreter/source/common/common.h
+++ b/c/meterpreter/source/common/common.h
@@ -6,7 +6,7 @@
 #define _METERPRETER_SOURCE_COMMON_COMMON_H
 
 /*! @brief Set to 0 for "normal", and 1 to "verbose", comment out to disable completely. */
-//#define DEBUGTRACE 0
+#define DEBUGTRACE 0
 
 #include <stdlib.h>
 #include <stdio.h>
diff --git a/c/meterpreter/source/extensions/powershell/powershell.c b/c/meterpreter/source/extensions/powershell/powershell.c
index dad4289a..1ef18076 100755
--- a/c/meterpreter/source/extensions/powershell/powershell.c
+++ b/c/meterpreter/source/extensions/powershell/powershell.c
@@ -11,6 +11,7 @@
 #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
 
 #include "powershell_bridge.h"
+#include "powershell_bindings.h"
 
 // this sets the delay load hook function, see DelayLoadMetSrv.h
 EnableDelayLoadMetSrv();
@@ -34,6 +35,7 @@ Command customCommands[] =
 DWORD __declspec(dllexport) InitServerExtension(Remote *remote)
 {
 	hMetSrv = remote->met_srv;
+	gRemote = remote;
 
 	DWORD result = initialize_dotnet_host();
 
diff --git a/c/meterpreter/source/extensions/powershell/powershell_bindings.cpp b/c/meterpreter/source/extensions/powershell/powershell_bindings.cpp
new file mode 100755
index 00000000..8338c38e
--- /dev/null
+++ b/c/meterpreter/source/extensions/powershell/powershell_bindings.cpp
@@ -0,0 +1,47 @@
+/*!
+ * @file powershell_bindings.cpp
+ * @brief Wrapper functions for bridging native meterp calls to powershell
+ */
+extern "C" {
+#include "../../common/common.h"
+#include "powershell_bindings.h"
+}
+
+Remote* gRemote = NULL;
+
+VOID MeterpreterInvoke(unsigned int isLocal, unsigned char* input, unsigned int inputLength, unsigned char** output, unsigned int* outputLength)
+{
+	dprintf("[PSH BINDING] Input %p of %d bytes received", input, inputLength);
+	/*
+	dprintf("[PYTHON] a function was invoked on: %s", self->ob_type->tp_name);
+	const char* packetBytes = NULL;
+	BOOL isLocal = FALSE;
+	Py_ssize_t packetLength = 0;
+
+	PyArg_ParseTuple(args, "is#", &isLocal, &packetBytes, &packetLength);
+	dprintf("[PYTHON] packet %p is %u bytes and is %s", packetBytes, packetLength, isLocal ? "local" : "not local");
+
+	Packet packet = { 0 };
+	packet.header = *(PacketHeader*)packetBytes;
+	packet.payload = (PUCHAR)(packetBytes + sizeof(PacketHeader));
+	packet.payloadLength = (ULONG)packetLength - sizeof(TlvHeader);
+
+	// If the functionality doesn't require interaction with MSF, then
+	// make the packet as local so that the packet receives the request
+	// and so that the packet doesn't get sent to Meterpreter
+	packet.local = isLocal;
+
+	command_handle(gRemote, &packet);
+
+	// really not sure how to deal with the non-local responses at this point.
+	if (packet.partner == NULL)
+	{
+		// "None"
+		return Py_BuildValue("");
+	}
+
+	PyObject* result = PyString_FromStringAndSize(packet.partner->payload, packet.partner->payloadLength);
+	packet_destroy(packet.partner);
+	return result;
+*/
+}
\ No newline at end of file
diff --git a/c/meterpreter/source/extensions/powershell/powershell_bindings.h b/c/meterpreter/source/extensions/powershell/powershell_bindings.h
new file mode 100755
index 00000000..da98dfbc
--- /dev/null
+++ b/c/meterpreter/source/extensions/powershell/powershell_bindings.h
@@ -0,0 +1,13 @@
+/*!
+ * @file powershell_bindings.h
+ * @brief Declarations for bindings to meterpreter functions that can be called from Powershell.
+ */
+#ifndef _METERPRETER_SOURCE_EXTENSION_POWERSHELL_BINDINGS_H
+#define _METERPRETER_SOURCE_EXTENSION_POWERSHELL_BINDINGS_H
+
+extern Remote* gRemote;
+
+VOID MeterpreterInvoke(unsigned char* input, unsigned int inputLength, unsigned char** output, unsigned int* outputLength);
+
+#endif
+
diff --git a/c/meterpreter/source/extensions/powershell/powershell_bridge.cpp b/c/meterpreter/source/extensions/powershell/powershell_bridge.cpp
index ecff718c..08ee2b77 100755
--- a/c/meterpreter/source/extensions/powershell/powershell_bridge.cpp
+++ b/c/meterpreter/source/extensions/powershell/powershell_bridge.cpp
@@ -1,5 +1,5 @@
 /*!
- * @file powershell_bridge.c
+ * @file powershell_bridge.cpp
  * @brief Wrapper functions for bridging native meterp calls to powershell
  */
 extern "C" {
diff --git a/c/meterpreter/workspace/ext_server_powershell/ext_server_powershell.vcxproj b/c/meterpreter/workspace/ext_server_powershell/ext_server_powershell.vcxproj
index 65f8f4d2..5678cc4e 100644
--- a/c/meterpreter/workspace/ext_server_powershell/ext_server_powershell.vcxproj
+++ b/c/meterpreter/workspace/ext_server_powershell/ext_server_powershell.vcxproj
@@ -273,11 +273,13 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
   </ItemDefinitionGroup>
   <ItemGroup>
     <ClCompile Include="..\..\source\extensions\powershell\powershell.c" />
+    <ClCompile Include="..\..\source\extensions\powershell\powershell_bindings.cpp" />
     <ClCompile Include="..\..\source\extensions\powershell\powershell_bridge.cpp" />
     <ClCompile Include="..\..\source\extensions\powershell\powershell_runner.cpp" />
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="..\..\source\extensions\powershell\powershell.h" />
+    <ClInclude Include="..\..\source\extensions\powershell\powershell_bindings.h" />
     <ClInclude Include="..\..\source\extensions\powershell\powershell_bridge.h" />
     <ClInclude Include="..\..\source\extensions\powershell\powershell_runner.h" />
   </ItemGroup>
diff --git a/powershell/MSF.Powershell/Enumerations.cs b/powershell/MSF.Powershell/Enumerations.cs
new file mode 100755
index 00000000..9bb1e782
--- /dev/null
+++ b/powershell/MSF.Powershell/Enumerations.cs
@@ -0,0 +1,148 @@
+using System;
+
+namespace MSF.Powershell
+{
+    public enum PacketType
+    {
+        Request = 0,
+        Response = 1,
+        PlainRequest = 10,
+        PlainResponse = 11
+    };
+
+    [Flags]
+    public enum MetaType
+    {
+        None = 0,
+        String = 1 << 16,
+        Uint = 1 << 17,
+        Raw = 1 << 18,
+        Bool = 1 << 19,
+        Qword = 1 << 20,
+        Compressed = 1 << 21,
+
+        Group = 1 << 30,
+        Complex = 1 << 31
+    };
+
+    public enum ExtensionBase
+    {
+        Stdapi = 0,
+        Incognito = 20000,
+        Priv = 20000,
+        Kiwi = 20000
+    };
+
+    public enum TlvType
+    {
+        // Actual types
+        Any = MetaType.None,
+        Method = MetaType.String | 1,
+        RequestId = MetaType.String | 2,
+        Exception = MetaType.Group | 3,
+        Result = MetaType.Uint | 4,
+
+        String = MetaType.String | 10,
+        Uint = MetaType.Uint | 11,
+        Bool = MetaType.Bool | 12,
+
+        Length = MetaType.Uint | 25,
+        Data = MetaType.Raw | 26,
+        Flags = MetaType.Uint | 27,
+
+        ChannelId = MetaType.Uint | 50,
+        ChannelType = MetaType.String | 51,
+        ChannelData = MetaType.Raw | 52,
+        ChannelDataGroup = MetaType.Group | 53,
+        ChannelClass = MetaType.Uint | 54,
+        ChannelParentId = MetaType.Uint | 55,
+
+        SeekWhence = MetaType.Uint | 70,
+        SeekOffset = MetaType.Uint | 71,
+        SeekPos = MetaType.Uint | 72,
+
+        ExceptionCode = MetaType.Uint | 300,
+        ExceptionString = MetaType.String | 301,
+
+        LibraryPath = MetaType.String | 400,
+        TargetPath = MetaType.String | 401,
+        MigratePid = MetaType.Uint | 402,
+        MigrateLen = MetaType.Uint | 403,
+
+        TransType = MetaType.Uint | 430,
+        TransUrl = MetaType.String | 431,
+        TransUa = MetaType.String | 432,
+        TransCommTimeout = MetaType.Uint | 433,
+        TransSessExp = MetaType.Uint | 434,
+        TransCertHash = MetaType.Raw | 435,
+        TransProxyHost = MetaType.String | 436,
+        TransProxyUser = MetaType.String | 437,
+        TransProxyPass = MetaType.String | 438,
+        TransRetryTotal = MetaType.Uint | 439,
+        TransRetryWait = MetaType.Uint | 440,
+        TransGroup = MetaType.Group | 441,
+
+        MachineId = MetaType.String | 460,
+        Uuid = MetaType.Raw | 461,
+
+        CipherName = MetaType.String | 500,
+        CipherParameters = MetaType.Group | 501,
+
+        PeerHost = MetaType.String | 1500,
+        PeerPort = MetaType.Uint | 1501,
+        LocalHost = MetaType.String | 1502,
+        LocalPort = MetaType.Uint | 1503,
+
+        // STDAPI stuff
+        ComputerName = MetaType.String | (ExtensionBase.Stdapi + 1040),
+        OsName = MetaType.String | (ExtensionBase.Stdapi + 1041),
+        UserName = MetaType.String | (ExtensionBase.Stdapi + 1042),
+        Architecture = MetaType.String | (ExtensionBase.Stdapi + 1043),
+        LangSystem = MetaType.String | (ExtensionBase.Stdapi + 1044),
+        Sid = MetaType.String | (ExtensionBase.Stdapi + 1045),
+        Domain = MetaType.String | (ExtensionBase.Stdapi + 1046),
+        LoggedOnUserCount = MetaType.Uint | (ExtensionBase.Stdapi + 1047),
+
+        Mount = MetaType.Group | (ExtensionBase.Stdapi + 1207),
+        MountName = MetaType.String | (ExtensionBase.Stdapi + 1208),
+        MountType = MetaType.Uint | (ExtensionBase.Stdapi + 1209),
+        MountSpaceUser = MetaType.Qword | (ExtensionBase.Stdapi + 1210),
+        MountSpaceTotal = MetaType.Qword | (ExtensionBase.Stdapi + 1211),
+        MountSpaceFree = MetaType.Qword | (ExtensionBase.Stdapi + 1212),
+        MountUncPath = MetaType.String | (ExtensionBase.Stdapi + 1213),
+
+        Pid = MetaType.Uint | (ExtensionBase.Stdapi + 2300),
+        ProcessName = MetaType.String | (ExtensionBase.Stdapi + 2301),
+        ProcessPath = MetaType.String | (ExtensionBase.Stdapi + 2302),
+        ProcessGroup = MetaType.Group | (ExtensionBase.Stdapi + 2303),
+        ProcessArch = MetaType.Uint | (ExtensionBase.Stdapi + 2306),
+        ParentPid = MetaType.Uint | (ExtensionBase.Stdapi + 2307),
+        ProcessSession = MetaType.Uint | (ExtensionBase.Stdapi + 2308),
+
+        // PRIV stuff
+        ElevateTechnique = MetaType.Uint | (ExtensionBase.Priv + 200),
+        ElevateServiceName = MetaType.String | (ExtensionBase.Priv + 201),
+
+        // KIWI stuff
+        KiwiPwdId = MetaType.Uint | (ExtensionBase.Kiwi + 1),
+        KiwiPwdResult = MetaType.Group | (ExtensionBase.Kiwi + 2),
+        KiwiPwdUserName = MetaType.String | (ExtensionBase.Kiwi + 3),
+        KiwiPwdDomain = MetaType.String | (ExtensionBase.Kiwi + 4),
+        KiwiPwdPassword = MetaType.String | (ExtensionBase.Kiwi + 5),
+        KiwiPwdAuthHi = MetaType.Uint | (ExtensionBase.Kiwi + 6),
+        KiwiPwdAuthLo = MetaType.Uint | (ExtensionBase.Kiwi + 7),
+        KiwiPwdLmHash = MetaType.String | (ExtensionBase.Kiwi + 8),
+        KiwiPwdNtlmHash = MetaType.String | (ExtensionBase.Kiwi + 9),
+
+        // INCOGNITO stuff
+        IncognitoListTokensDelegation = MetaType.String | (ExtensionBase.Incognito + 2),
+        IncognitoListTokensImpersonation = MetaType.String | (ExtensionBase.Incognito + 3),
+        IncognitoListTokensTokenOrder = MetaType.Uint | (ExtensionBase.Incognito + 4),
+        IncognitoImpersonateToken = MetaType.String | (ExtensionBase.Incognito + 5),
+        IncognitoGenericResponse = MetaType.String | (ExtensionBase.Incognito + 6),
+        IncognitoUserName = MetaType.String | (ExtensionBase.Incognito + 7),
+        IncognitoPassword = MetaType.String | (ExtensionBase.Incognito + 8),
+        IncognitoServerName = MetaType.String | (ExtensionBase.Incognito + 9),
+        IncognitoGroupName = MetaType.String | (ExtensionBase.Incognito + 10)
+    };
+}
diff --git a/powershell/MSF.Powershell/MSF.Powershell.csproj b/powershell/MSF.Powershell/MSF.Powershell.csproj
index 57c59a93..9770440c 100755
--- a/powershell/MSF.Powershell/MSF.Powershell.csproj
+++ b/powershell/MSF.Powershell/MSF.Powershell.csproj
@@ -38,8 +38,11 @@
     </Reference>
   </ItemGroup>
   <ItemGroup>
+    <Compile Include="Enumerations.cs" />
+    <Compile Include="Meterpreter.cs" />
     <Compile Include="Properties\AssemblyInfo.cs" />
     <Compile Include="Runner.cs" />
+    <Compile Include="Tlv.cs" />
   </ItemGroup>
   <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
   <!-- To modify your build process, add your task inside one of the targets below and uncomment it. 
diff --git a/powershell/MSF.Powershell/MSF.PowershellTester/Program.cs b/powershell/MSF.Powershell/MSF.PowershellTester/Program.cs
index 6629c721..cd027192 100755
--- a/powershell/MSF.Powershell/MSF.PowershellTester/Program.cs
+++ b/powershell/MSF.Powershell/MSF.PowershellTester/Program.cs
@@ -1,4 +1,5 @@
-using System;
+using MSF.Powershell;
+using System;
 using System.Collections.Generic;
 using System.Text;
 
@@ -8,10 +9,17 @@ namespace MSF.PowershellTester
     {
         static void Main(string[] args)
         {
-            var x = MSF.Powershell.Runner.Get("Default");
-            System.Console.Write(x.Execute("$x = $(whoami)"));
-            System.Console.Write(x.Execute("$x"));
-            MSF.Powershell.Runner.Remove("Default");
+            //var x = MSF.Powershell.Runner.Get("Default");
+            //System.Console.Write(x.Execute("$x = $(whoami)"));
+            //System.Console.Write(x.Execute("$x"));
+            //MSF.Powershell.Runner.Remove("Default");
+
+            Tlv t = new Tlv();
+            t.Pack(TlvType.ElevateTechnique, 1);
+            t.Pack(TlvType.ElevateServiceName, "abcd1234");
+
+            var x = t.Bytes;
+            var y = 0;
         }
     }
 }
diff --git a/powershell/MSF.Powershell/Meterpreter.cs b/powershell/MSF.Powershell/Meterpreter.cs
new file mode 100755
index 00000000..7ee9ab93
--- /dev/null
+++ b/powershell/MSF.Powershell/Meterpreter.cs
@@ -0,0 +1,59 @@
+using System;
+using System.Runtime.InteropServices;
+using System.Text;
+
+namespace MSF.Powershell
+{
+    public static class Meterpreter
+    {
+        private delegate void MeterpreterInvoke(uint isLocal, byte[] input, uint inputSize, ref IntPtr output, ref uint outputSize);
+
+        private static MeterpreterInvoke _callback = null;
+
+        public static void SetInvocationPointer(Int64 callbackPointer)
+        {
+            _callback = (MeterpreterInvoke)Marshal.GetDelegateForFunctionPointer(new IntPtr(callbackPointer), typeof(MeterpreterInvoke));
+        }
+
+        public static string RandomString(int length)
+        {
+            var r = new Random();
+            var chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+            var bytes = new byte[length];
+            for (int i = 0; i < length; ++i)
+            {
+                bytes[i] = (byte)chars[r.Next(chars.Length)];
+            }
+
+            return Encoding.ASCII.GetString(bytes);
+        }
+
+        internal static byte[] InvokeMeterpreterBinding(bool isLocal, byte[] input)
+        {
+            if (_callback != null)
+            {
+
+                IntPtr output = IntPtr.Zero;
+                try
+                {
+                    uint outputLength = 0;
+                    _callback(isLocal ? 1U : 0U, input, (uint)input.Length, ref output, ref outputLength);
+
+                    var result = new byte[outputLength];
+                    Marshal.Copy(output, result, 0, result.Length);
+
+                    return result;
+                }
+                finally
+                {
+                    if (output != IntPtr.Zero)
+                    {
+                        Marshal.FreeCoTaskMem(output);
+                    }
+                }
+            }
+
+            return null;
+        }
+    }
+}
diff --git a/powershell/MSF.Powershell/Tlv.cs b/powershell/MSF.Powershell/Tlv.cs
new file mode 100755
index 00000000..a9debb58
--- /dev/null
+++ b/powershell/MSF.Powershell/Tlv.cs
@@ -0,0 +1,108 @@
+using System;
+using System.IO;
+using System.Net;
+using System.Text;
+
+namespace MSF.Powershell
+{
+    public class Tlv
+    {
+        private MemoryStream _stream = null;
+
+        public byte[] Bytes
+        {
+            get
+            {
+                if (_stream != null)
+                {
+                    return _stream.ToArray();
+                }
+                return null;
+            }
+        }
+
+        public Tlv()
+        {
+            _stream = new MemoryStream();
+        }
+
+        public void Pack(TlvType t, bool b)
+        {
+            ValidateMetaType(MetaType.Bool, t);
+            Append(t, b ? new byte[] { 1 } : new byte[] { 0 });
+        }
+
+        public void Pack(TlvType t, uint i)
+        {
+            ValidateMetaType(MetaType.Uint, t);
+            Append(t, ToBytes(i));
+        }
+
+        public void Pack(TlvType t, int i)
+        {
+            ValidateMetaType(MetaType.Uint, t);
+            Append(t, ToBytes(i));
+        }
+
+        public void Pack(TlvType t, Int64 i)
+        {
+            ValidateMetaType(MetaType.Qword, t);
+            Append(t, ToBytes(i));
+        }
+
+        public void Pack(TlvType t, string s)
+        {
+            ValidateMetaType(MetaType.String, t);
+            var value = Encoding.UTF8.GetBytes(s + "\x00");
+            Append(t, value);
+        }
+
+        public void Pack(TlvType t, Tlv tlv)
+        {
+            ValidateMetaType(MetaType.Group, t);
+            var tlvBytes = tlv.Bytes;
+            if (tlvBytes != null)
+            {
+                Append(t, tlv.Bytes);
+            }
+        }
+
+        public void Pack(TlvType t, byte[] value)
+        {
+            ValidateMetaType(MetaType.Raw, t);
+            Append(t, value);
+        }
+
+        private void Append(TlvType t, byte[] value)
+        {
+            var type = ToBytes((int)t);
+            var length = ToBytes(value.Length);
+            _stream.Write(length, 0, length.Length);
+            _stream.Write(type, 0, type.Length);
+            _stream.Write(value, 0, value.Length);
+        }
+
+        private void ValidateMetaType(MetaType expected, TlvType actual)
+        {
+            if ((MetaType)((TlvType)expected & actual) != expected)
+            {
+                throw new ArgumentException("Invalid Meta type given");
+            }
+        }
+
+        private byte[] ToBytes(Int64 i)
+        {
+            return BitConverter.GetBytes(IPAddress.HostToNetworkOrder(i));
+        }
+
+        private byte[] ToBytes(int i)
+        {
+            return BitConverter.GetBytes(IPAddress.HostToNetworkOrder(i));
+        }
+
+        private byte[] ToBytes(uint i)
+        {
+            return BitConverter.GetBytes(IPAddress.HostToNetworkOrder(i));
+        }
+    }
+}