Lots of transported related things were in the core library which didn't make any sense given that the only thing that needed it was metsrv. This moves the functionality out into metsrv, reformats stuff and gets rid of some dead code.
TODO: Make this work with POSIX.
This changeset fixes an issue with POSIX failing to keep track of loaded
extensions properly. The timeout calcs for waiting were trying to be too
smart and hence were simplified.
Also added another flush when reconnecting so that the body of the
second instance of metsrv is ignored by the POSIX side. In future, when
stageless meterpreter works with POSIX, we won't have to do this.
Currently, the select timeout on the server socket is 100 ns, meaning that
while idle, the process can wake up 100k times per second. This switches the
timeout to 0.5 second, reducing the idle CPU usage and seemingly increasing
the reliability of posix meterpreter as well.
Tested with various test post test modules without failures.
This commit includes code which will allow for HTTP/S payload URIs to be hot-patched by the server without losing the UUID information. This was put in so that the stageless payloads can be used over and over again and not have issues with session URIs colliding.
The mechanism used for validation of the SSL cert string was the same as for many of the other global replacement options. However, the string value that was used for checking was also the same. The result was that the patch mechanism wasn't patching the right instance of the string.
DERP!
Why this hit stageless only I'm really not sure.
Updated the code so that the TCP stuff is moved into its own file and doesn't pollute the main server file with stuff that is specific to TCP transports.
Updated the winhttp functionality in the same way so that functionality is properly segregated.
Modified the global parameters so that they're part of a structure that can be passed around.
Added a stack of documnetation as well.
This commit just adds the braces around single-line blocks as per our "standard". This is important, especially in the case where those single lines contain macros which could expand to multiple lines.
Also added the use of the group packet functionality to make the search result code a little easier on the eye.
Querying of the status of SSL cert verification is now possible. This commit allows for this to be enabled and disabled on the fly.
Also include some code tidy/refactoring.
Instead of basing everything on URLs, the transport hopping now actually supports the creation of a whole new transport on the fly. The transport instance is stored in the remote as a "next transport" pointer.
This better facilitates the notion of being able to set all of the parameters on the transport when doing the switch, and is a step closer to being able to support chains of transports.
This commit includes code which attempts to bind to both IPv4 and IPv6 addresses so that the attacker can connect on either interface.
In the case of Windows XP, the IPv6 stack doesn't allow modification of the socket options so that both address types can be listened to on the same socket. Rather than create separate sockets for both cases, XP and earlier simply fall back to IPv4 only.
The transport refactor appears to be working, but the transport swtching
requires more work on the side of stageless posix before it will work.
At the moment, the POSIX implementation of the transport switching is
commented out so that it can't be used or built into the binaries.
This should mean we can move forward on other friends without this
holding us back.
This commit includes code which attempts to bind to both IPv4 and IPv6 addresses so that the attacker can connect on either interface.
In the case of Windows XP, the IPv6 stack doesn't allow modification of the socket options so that both address types can be listened to on the same socket. Rather than create separate sockets for both cases, XP and earlier simply fall back to IPv4 only.
LibreSSL does not yet work well with Windows meterpreter for 2 reasons:
1. because its built with mingw/gcc, it does not have SAFESEH, requiring that
protection to be disabled for the whole stack. It could, it just needs a
way to be built with MSVS instead.
2. OpenSSL 1.0.1 and Libressl both make metsrv about 50% larger.
When transports are more abstracted and LibreSSL can build with MSVS, we will
revisit this.
Switching works, but doesn't do anything nice with session management. Still need to get things wired into posix, and probably rip out the wininet stuff as well given that I probably won't refactor it to support this.
I am working on automating POSIX meterpreter builds, and one step is
removing the requirement to download files from external sites during
the build process. So, this incorporates the latest stable libpcap
source and updates the patches as needed.
The Makefile also moves (@wvu-r7 was amused that Makefile.pcap wasn't
actually a pcap file :) and simplifies a little build foo.
I updated and got the 64-bit kernel + 32-bit userspace TPACKET v1 patch
merged upstream, but its not in a release yet, so the patch is still
needed. See https://github.com/the-tcpdump-group/libpcap/pull/421
* Transports are now defined by a set of callbacks that are bound to the Remote.
* Transport initialisation and dispatching is seprated.
* The context of the transport should be switchable depending on new transport requirements.
More to do, but it has begun.
* Make sure POSIX has the new extension command enumeration function.
* Add support for deinit of extensions.
* Make sure extensions are tracked like they in Windows.
* Fix up a few export definitions.
* Stop using strncpy_s in POSIX code.
* bury common _snprintf that snuck in while testing the Windows version back
into the platform-specific code.
* remove now-unneeded separator defines
* don't free a stack variable on windows
Separate the stdapi handling code from the OS-dependent code. This makes
testing and maintaining the code easier.
This also happens to fix a number of bugs as a side-effect, because it is
clearer what is happening now.
Tweak the SSL implemention so that for https meterpreters the SSL certificate is validated against a hash that is specified in the payload. If the hash isn't specified, then certificate validation isn't attempted.
metsrv now makes use of the METERRPETER_URL for stageless payloads. This value is checked when Meterpreter starts to determine what should be done with communications. If the URL indicates that the payload is stageless, it then establishes communications appropriately, depending on the configuration.
This commit contains a bunch of code tidying (formatting, spaces, naming, etc) as well as new exports for each of the modules so that the extension can be identified. The plan is for the loader to know which modules are loaded so that when stageless meterpreter fires up MSF can query the existing extensions and load the appropriate functionality on the client side.
By making this a static _inline, it is not necessary to guard it, since
an inline is only instantiated if it is used. This also allows adding
one-off debug message for use during debugging sessions, without turning
on DEBUGTRACE all over the place.
Convert a few of the extensions to also do this as well, making them perhaps
slightly smaller.
I am curious why Windows builds define debug this way, vs posix that
just includes it in common.c. Could I just do that instead, assuming
there's no historical reason.
Finally, correct the docs in the posix version of real_dprintf.
If a user attempts to start the clipboard monitor when it is already started then the code path that is taken results in the current clipboard monitor state pointers being lost. The net effect of this is that the existing monitor thread will never be shut down. Not a good thing!
This code fixes that case so that the monitor doesn't create a new monitor thread and doesn't reset important pointers to NULL.
This change also results in a "success" status being returned to the caller. This means it looks like the clipboard monitor has been started even if it was already running. I think this is acceptable and is better than an obscure error.
- try to share some bits between different makefiles, make modifying
global compiler flags not such a huge pain.
- directly specify we should be using the gold rather than bpf linker
- make compiler output largely quiet except where we care - allow
warnings to actually be visible
- don't delete downloaded tarballs with --really-clean
- add missing dependencies between libraries
(--no-add-needed/--no-copy-dt-needed-entries causes lots of trouble)
- update readme to show what to install to build
I made minimal changes to the loader makefile - it breaks easily.
-Os prevents if from being able to load libc, for instance
This adds registry access methods that do an atomic open/<action>/close on
registry keys. They improve efficiency and safety, since we're not passing
HKEY's back and forth to enumerate or read registry keys. This fits the common
use pattern in MSF better anyway.
Now includes group nesting which will require work on the MSF side to
fully support it. But this option is way better as we don't lose info
thanks to serialising to strings.
Added support for a the getsid command so that it's easy to
determine the SID of the current user. This will be useful for
a number of different use cases.
source/common/arch/win/i386/base_dispatch.c was referring to:
see '/msf3/external/source/shellcode/x86/migrate/migrate.asm'
which was updated to:
see '/msf3/external/source/shellcode/windows/x86/src/migrate/migrate.asm'
and see '/msf3/external/source/shellcode/x64/migrate/migrate.asm'
was updated to:
see '/msf3/external/source/shellcode/windows/x64/src/migrate/migrate.asm'
