The goal is to avoid pointer truncation where possible so this commit
changes parameter types to qword where it makes the most sense. This
includes all handles (event, process, thread, registry), addresses
and generic parameters.
In some cases this extension would crash. This was due to the code using the
incorrect "length" variable when dumping LSA data. This commit includes addition
of some debug output, removal of other debug output, and changing of the
kiwi-specific debug definition.
Another packet function was added to aid in construction of this fix, and the
group packet function was added to one of the calls.
Despite rigorous testing, the x64 version seemed to be dropping a column
from the result set. This would appear to be due to the differences in
the way the x86 version of the API handles the ubound parameter of the
enumeration.
x86 ubounds are inclusive, where as x64 are exclusive. Hence in the case
of x86 we need to subtract one from the field set, but not in x64.
The existing make file would use `pwd` to figure out the current
folder instead of using the base directory of the script. This
causes issues when running commands from different locations (such
as in the case of from the meterpreter_binds folder).
This commit fixes this problem.
This commit adds service status to the query functionality for a single
service so that it doesn't have to be found in the full list of services.
It also adds the ability for the caller to control services using the
typical start/stop/pause/resume/restart style functions. To use these
functions the caller has to have appropriate rights.
Gathering of function pointers is now done during initialisation. This
means that it doesn't have to be done each time a function is called
and allows for reuse across other functions.
The create thread functionality would work in all cases except where
the thread was being created in an x64 process from an x86 process.
This commit adds support for this by reusing the wow64 injection code
in this case.
A group packet is a special packet that is to be used as a group of TLVs that
will live under another packet. Using this functionality means that we can
easily nest groupings of data to arbitrary depths, which wasn't something we
were able to do before easily.
The MSF side is easily capable of handling this scenario, but this side had
always been lacking.
The clipboard dump code has been updated to show how this can be used.
The existing implementation wasn't really solid and I never liked it
anyway. Egypt rightfully pointed out flaws in the code, so it has
been changed so that it allocates the required memory up front
and returns that string to the caller, who then has to free it up.
Added a function to render SIDS.
Made the build set warnings as errors. Still no idea why this wasn't
the case already.
Previous commits removed the stack size parameter from the remote thread
creation function call. This caused issues in systems prior to Vista/2k8.
This fix puts that value back in and now everything is honky dory.
Tested on 2k/XP/2k3/Vista/7/2k8
Thanks to sinner being on the ball, x64 was broken and causing some
crazy things to happen. The CPU would peg at 100% despite x86 being
quite happy. It turns out, I suck at C, so I had to fix that up.
This commit includes the following changes:
* Fix up the WNDPROC callback so that the parameters are in the right
order.
* Specify the correct array size for wait handles in the monitor thread.
* Add extra debugging.
* Handle WM_* messages correctly and add WM_NCCREATE.
* Correctly use the CREATESTRUCT to pass in the state.
"How on earth did this ever work?"
Fixed now, thanks again sinner!
Hashdumping on Windows XP and earlier worked fine for processes
running as SYSTEM because CreateRemoteThread didn't have security
in place that Vista and later operating systems do. However, Vista
onwards required migration to SYSTEM processes (which behind the
scenes uses injection via APC) before hashdumping would succeed.
This commit fixes this so that in those cases the hidden API function
RtlCreateUserThread() to create the remote thread in lsass exe. The
result is that hashdumping works without having to migrate first.
Win.
When non-supported types were returned in queries, ADSI just pooped
itself and tore down the Meterpreter session. This a happy tester
Meterpreter does not make!
This code includes more support for ADSI types with attempts to be
semi-sane in stringifying them.
Plus, Meterpreter no longer crashes.
In a previous commit, I rejigged the way commands were overloaded,
and added what appeared to be a micro-optimisation to prevent
the thread from being imperonsated twice. Ultimately it wouldn't
make any differnce, so why I put it in there I really don't know.
The optimisation actually resulted in a breakage in the case where
base commands weren't present but extension commands were. As a
result all extended commands didn't get impersonated unless they
were overloading. This is not a good thing at all.
This fix removed that total stupidity and restores some level of
sanity.
Apologies for my idiocy.
In similar vein to the migration issue, incognito was crashing when
running under SYSTEM processes (such as lsass.exe). This was because
of a pointer truncation problem when processes were being enumerated.
There was also some other quirky logic going on, but nothing too
damaging. I added some other simple code tidies while I was in there.
This is a seprate extension because the old Mimikatz supports more
operating systems, while the new Mimikatz has more features for
less operating systems.
* We now check to make sure that the required files are on disk and
show an error message if not found.
* README updated to indicate that submodule initialisation is needed.
Sometimes results can be success values but not S_OK, so this change
contains code which will force the result to S_OK in those cases so that
the caller doesn't get an indication which makes it believe that there is
an error.
The ADSI API is supposed to support the notion of only returning
a fixed number of results from AD when we specify the
ADS_SEARCHPREF_SIZE_LIMIT value in the search parameters, but it
doesn't appear to do that (at least not my Win2k setup).
This change includes a bit more debugging output and keeps track of
the number of rows processed so that the maximum site is actually
honoured.
A few minor issues around formatting collisions, nothing huge.
.gitignore fixes too
Conflicts:
source/common/base_dispatch_common.c
source/extensions/stdapi/server/stdapi.c
This is a new command in the stdapi which allows the caller to pass in a set of
environment variable names and retrieve a hash of the names and values.
I felt into the C progrmmer's trap of accidentally using `=` instead of `==`. This is
not good. Good catch @jlee-r7.
This commit fixes this, swaps the values around and tidies up code a bit.
MSF side has been attempting to open keys to see if they exist, which isn't
fantastic as it results in an error. This change adds a function which indicates
to the caller if the given reg key exists.
The work that was done a while back to fix up command dispatching allowed
inline commands to run so that the server could be told to shutdown. Those
commands that want the server to terminate (such as migrate and shutdown)
should have returned `FALSE` instead of `TRUE` to tell the server thread to
stop.
I have no idea why those values were incorrect, but it's my work so it's
definitely my fault. I will have to sick back and lick my wounds for a while.
I hate it when I'm stupid.
Thanks to Kevin Mitnick for the bug, and @todb-r7 for the investigating the
history.
Redmine: [FixRM #8696]
I found that the BREAK_* macros behaved differently on POSIX and in
some cases this was causing a brutal exit of POSIX meterpteter in
cases where it should just gracefully fail.
After talking to egypt, we decided to use `break` statements instead
given that's how it should function.
During the call which establishes a TCP client channel, the call
to `connect` can sometimes fail if the settings that are used are
incorrect (such as an invalid port number). When this call fails
the result was being set to `GetLastError()`, which isn't correct.
On Windows it should be `WSAGetLastError()` and on POSIX the `errno`
value should be used instead. This wasnt causing issues on Windows
but on POSIX it was causing problems because the `GetLastError()`
call was returning zero, which was returned to the function that
invokes `create_tcp_client_channel()`.
Given that `ERROR_SUCCESS` == 0, the caller believed the function
had completed successfully and hence relied on context being set up
correctly. This was resulting crashes because this obviously wasn't
the case.
I also added a code chance which makes meterpreter attempt to bind
to `0.0.0.0` if binding to the specified address fails.
In previous work done during the command refactor the mechanism for overriding
commands changed such that it wasn't invoking commands if they were overriden
by an extension. This, it would appear, broke some stuff. Badly.
This commit fixes this issue by reinstating the way things were done before.
If a base command exists, it is always executed. If an extension also exists
which overrides this command then the base command result is ignored, the
extension command is executed, and the result of that command is returned.
Fixed up the cusom command declarations in the sniffer extension so
that they're using the new macros. I don't know how they were missed.
Various bits of tidying up, while trying to sort out the sniffer prob.
Crashes were occuring when the underlying channel had no more output
because the value of the `bytesRead` variable was not set to zero.
Consumers of the function assumed that bytesRead was value if non-zero.
POSIX would also hang when unsupported commands are executed, this
commit changes this so that a response is returned when the command
isn't supported.
This exploit has been causing crashes and BSODs on various systems and
hence is deemed too unstable to be included in the default deployment of
Meterpreter. `getsystem` should only contain code which attempts to get
SYSTEM privileges via safe means; it should not have exploits in it.
This commit removes kitrap0d from `getsystem`. The code will be moved to a
windows local exploit in MSF instead.
Note: webcam stuff doesn't work on Windows 2012. Work needs to be done to
make it work on this platform because the DX classes used to do the webcam
capture are not present on the system.
Does as it says on the tin. Various tweaks made to source and to project
files to make the builds come out with ZERO warnings.
Let's keep it clean from here!
This commit tidies up the webcam code, adds documentation and adds a
couple of small clean-ups and optimisations around resource usage.
`audio.h` is not included in `webcam.h` any more as it's not needed at all
by that code, however it has been added to `precomp.h` so that `stdapi.c`
can use and see it along with the other files.
This fixes the issue where the calculation for the offset of the image
data was incorrect. Instead of just looking at the first byte past the end
of the BITMAPINFOHEADER we now correctly calculate the offset past the
color palette and begin reading the image there. This stops the problems
where sometimes the image looked like it had been shifted, or other cases
where the image colors went retro.
Change includes fixes which allow for images to be downloaded optionally.
The user can specify -d to get the image. Image dimensions are shown as
well.
VS 2013 appears to have built-in formatting for C++, so this commit tidies
up the code a bit to fit within those rules.
It also removes a few warnings which the new compiler has shown.
This changeset brings windows into line with the last set of POSIX
changes. With this changeset we are now in a position where both POSIX and
Windows are able to create and open interactive channels, put them in the
background, and terminate them without crashing, hanging or leaving
processes running behind the scenes.
POSIX was out of whack with Windows as a result of the changes made
around channels. The schedular in posix was very different, and this
commit brings it into line.
Other than the obvious issues, a non-obvious issue with the changes
was that the channel was being freed up on close prior to the thread
terminating. This doesn't appear to be an issue on Windows, but was
causing crashes on close in POSIX.
The changes go quite deep. This changeset requires a lot of testing.
The goals of this work are:
* To fix issue where backgrounding and re-interacting with channels wasn't
working.
* To fix issue where closing of meterpreter was not closing off background
prcoesses (such as cmd.exe).
The two things preventing this stuff from working were:
* When interactive channels are backgrounded their handles were destroyed
along with the context that wraps them up. Making them interactive again
had no impact because the handle and context were invalid. If anything,
this made meterpreter unstable. Sometimes the session would die when
attempting to interact with the channel again.
* When closing channels, there was no way of terminating the process that
sat behind the scenes because no reference to the process was retained.
Channels would close and handles would close, but no process termination
was done.
To fix these problems:
* The interactive thread no longer terminates when backgrounded. Instead
its put in a suspended state where it's waiting a signal from a resume
handle that's associated with the channel's context. This means that the
destruction of the context doesn't happen at all until the termination
of the channel, which is exactly when it should happen anyway.
* Process handles are stored alongside the input/output handles so that
when the time comes, the process can be terminated if required. This
means that when the channels are closed, the code has a reference to the
associated process which can be terminated. This is only done for
interactive processes, non-interactive processes do not have this
problem because meterpreter doesn't have to keep track of them.
The clipboard code now supports the `CF_DIB` format on the clipboard. When
found, it takes the data and uses GDI+ to convert it into a JPEG. GDI+ was
used because:
* It's on every Windows machine from XP SP0 onwards (Win2k doesn't work).
* It requires linking to a small gdiplus.lib instead of a massive jpeg
library.
* It's a really easy interface to use that interops easily with the
Windows bitmap header information structures.
I think it'd be worth considering this approach for the other screenshot
applications as well, as it'd reduce the jpeg lib dependency and simplify
the codebase.
Previous change stopped the session from crashing on NULL, but this change
actually has more realistic messages coming back intead of always
indicating that things happened correctly. It's still up to the caller to
check the return code to make sure it's ok
* Updated `thread_create` so that it has 3 parameters, and removed
`thread_create3`.
* Updated all calls to `thread_create` and added the extra parameter of
`NULL`.
* Fixed comment typo.
* Removed assignment where value is not used.
* Checked for `NULL` prior to setting the result.
* Undefined `DEBUGTRACE`.
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
Fix issue where the railgun API was relyling on FormatMessage returning a
valid pointer when the error is `ERROR_SUCCESS`. On some platforms, such
as XP SP3, the function would return a NULL pointer for this case. This
fix makes sure that in the case of a NULL pointer the error message is set
to a value that matches that found on other platforms.
[FixRM 8505]
Updated to use `EXCLUDE_PATTERNS` instead of `EXCLUDE_PATHS`. This
properly excludes the source of the libraries we use and also the
generated output on POSIX.
Thanks again to @jlee-r7 for the catch.
Lists of files can now be downloaded from the clipboard. Downloading of
the files themselves is something that should be done by MSF as that's
already built in.
This commit adds the beginnings of clipboard munging support. Getting and
setting of text-based data is supported. Over time, more formats will be
supported.
Enumeration of child windows is now possible if the appropriate TLV is
included in the request message.
Inclusion of "unknown" windows is also possible now, again if the
appropriate TLV is included.
Big job, this documentation lark. Also modified the prototype the
packet_is_tlv_null_terminated function, which used to take a Packet
instance as well as the TLV, but never used the packet in its
implementation.
This commit adds the ability to enumerate services on the target machine,
showing the PID, the service name, the display name and an indication of
the service's ability to interact with the desktop.
Some other small code tidies were done too.
Decided to kick off a new extended API extension with mubix and
kernelsmith to include some more advanced enumeration stuff. The goal of
this extension is to take stuff that wouldn't be part of the std api but
is rather useful for enumeration of a target once meterpreter has been
established.
This commit kicks things off with enumeration of top level windows on the
current desktop.
No idea why they were broken, but they shouldn't have been. This fixes
them up and tidies a few other things up, especially the guts of the
stdapi project.
The boiler extension wasn't used and was old so it was removed. I've added
a new "bare" extension which is, as it says, just bare and doesn't do
anything. This can be used to create new extension projets just by copying
and pasting, then editing a couple of small things.
This will be added to the documentation.
Webcam code was sometimes causing crashes in Meterpreter when attempting
to stop the camera after a frame had been captured. This appeared to be
because the thread that started the capture was not the same thread that
ended it.
CoInitialize() and CoUninitialize() need to be called on the same thread
and objects created on one thread need to be released on the same thread.
This change results in a new worker thread that is used for the lifetime
of the capture, and the callers have to interact with this thread via
basic threading events.
This is currently "proof of concept" code, rather than production-ready
code. The goal is to see if it solves the issue on the known targets
before tidying it up and locking it down for release.
The main issue with things being broken was because the calling
convention was not defaulting to "stdapi" and hence the call would
fail. Adding the default fixed it.
While fixing this, I brought the mulit-call functionality up to speed
with the error message functionality, so the calls all return the
properly formatted error message.
Thanks to @jvazquez-r7 doing some investigation we have a better solution
to this crash. This commit implements this fix and removes the need to
check the status of the memory that's being read.
* Added the doxygen binaries and configuration.
* Added a `make docs` which generates documentation to the `docs` folder.
* Added some documentation to various areas of the source that I was
working with. Over time I'll be adding more and more rather than trying
to do it all in one hit.
* Refactored the kitrap0d code a bit to try to reduce code size.
Tidies up the API to be more intuitive, including conversion of the
first parameter to a char pointer (removing MAX_PATH) and renaming
the second parameter to be more indicative of what it means.
Thanks to @jvazquez-r7 for the great discussion!
* Modified first and second parameters to use `dwOutputLength` which
is given to the function as an indicator of buffer size in bytes
anyway.
* Check the return value of the function call to see if the result
was a truncation, and if so, break from the current loop.
Realistically, truncation will not happen because the default windows
installation location folder name is very short.
Thanks @jvazquez-r7 for prodding me to validate this.
Calling getsystem or getsystem -t 4 was resulting in crashes due to
an incorrect usage of sizes in a call to _sprintf_s in the kitrap0d
code. This might have come about as a result of a move to the new
compiler which is C++11.
This code forces the size check to be correct and results in the
exploit functioning correctly on all platforms.
* Added the build status notification to the top of the README.
* Updated the order of details in the docs (put Linux build after Windows).
* Updated the details about where this repo came from.
Note: this PR should be merged AFTER #20 for ease of merging.
* Rather than having various places where the PSSDK path is set scattered
through the solution I created a property which contains the version.
This means we can update that version property in the project and it'll
take effect everywhere it's required.
* Removed debug and release configurations from ext_server_sniffer.
