Make the XOR key an array of bytes as a start to normalise the way the
XOR happens across the board. Given that we're going to be adding
encryption to the packet level and adding more stuff to the packet
header, now is the time to fix this up once and for all.
Updated the code so that the TCP stuff is moved into its own file and doesn't pollute the main server file with stuff that is specific to TCP transports.
Updated the winhttp functionality in the same way so that functionality is properly segregated.
Modified the global parameters so that they're part of a structure that can be passed around.
Added a stack of documnetation as well.
Instead of basing everything on URLs, the transport hopping now actually supports the creation of a whole new transport on the fly. The transport instance is stored in the remote as a "next transport" pointer.
This better facilitates the notion of being able to set all of the parameters on the transport when doing the switch, and is a step closer to being able to support chains of transports.
* Transports are now defined by a set of callbacks that are bound to the Remote.
* Transport initialisation and dispatching is seprated.
* The context of the transport should be switchable depending on new transport requirements.
More to do, but it has begun.
Tweak the SSL implemention so that for https meterpreters the SSL certificate is validated against a hash that is specified in the payload. If the hash isn't specified, then certificate validation isn't attempted.
This commit contains a bunch of code tidying (formatting, spaces, naming, etc) as well as new exports for each of the modules so that the extension can be identified. The plan is for the loader to know which modules are loaded so that when stageless meterpreter fires up MSF can query the existing extensions and load the appropriate functionality on the client side.
By making this a static _inline, it is not necessary to guard it, since
an inline is only instantiated if it is used. This also allows adding
one-off debug message for use during debugging sessions, without turning
on DEBUGTRACE all over the place.
Convert a few of the extensions to also do this as well, making them perhaps
slightly smaller.
I am curious why Windows builds define debug this way, vs posix that
just includes it in common.c. Could I just do that instead, assuming
there's no historical reason.
Finally, correct the docs in the posix version of real_dprintf.
- try to share some bits between different makefiles, make modifying
global compiler flags not such a huge pain.
- directly specify we should be using the gold rather than bpf linker
- make compiler output largely quiet except where we care - allow
warnings to actually be visible
- don't delete downloaded tarballs with --really-clean
- add missing dependencies between libraries
(--no-add-needed/--no-copy-dt-needed-entries causes lots of trouble)
- update readme to show what to install to build
I made minimal changes to the loader makefile - it breaks easily.
-Os prevents if from being able to load libc, for instance
In previous work done during the command refactor the mechanism for overriding
commands changed such that it wasn't invoking commands if they were overriden
by an extension. This, it would appear, broke some stuff. Badly.
This commit fixes this issue by reinstating the way things were done before.
If a base command exists, it is always executed. If an extension also exists
which overrides this command then the base command result is ignored, the
extension command is executed, and the result of that command is returned.
Note: webcam stuff doesn't work on Windows 2012. Work needs to be done to
make it work on this platform because the DX classes used to do the webcam
capture are not present on the system.
* Updated `thread_create` so that it has 3 parameters, and removed
`thread_create3`.
* Updated all calls to `thread_create` and added the extra parameter of
`NULL`.
* Fixed comment typo.
* Removed assignment where value is not used.
* Checked for `NULL` prior to setting the result.
* Undefined `DEBUGTRACE`.
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
* Added the doxygen binaries and configuration.
* Added a `make docs` which generates documentation to the `docs` folder.
* Added some documentation to various areas of the source that I was
working with. Over time I'll be adding more and more rather than trying
to do it all in one hit.
* Refactored the kitrap0d code a bit to try to reduce code size.
