mirror of https://github.com/rapid7/metasploit-payloads synced 2025-08-16 10:50:20 +02:00
Commit Graph

337 Commits

Author SHA1 Message Date
OJ
4eb8accc11 Add size (bytes) of the files on the clipboard 2013-10-16 22:53:45 +10:00
OJ
0eb2063c91 Add support for CF_HDROP to clipboard handling
Lists of files can now be downloaded from the clipboard. Downloading of
the files themselves is something that should be done by MSF as that's
already built in.
2013-10-16 17:43:14 +10:00
OJ
123010c76b Add clipboard text get/set functionality
This commit adds the beginnings of clipboard munging support. Getting and
setting of text-based data is supported. Over time, more formats will be
supported.
2013-10-15 23:55:46 +10:00
OJ
a61bbc5a7d Add child window enumeration and flag
Enumeration of child windows is now possible if the appropriate TLV is
included in the request message.

Inclusion of "unknown" windows is also possible now, again if the
appropriate TLV is included.
2013-10-15 17:52:51 +10:00
OJ
984880d8b2 Add service_query to ext_server_extapi
Once the user has queried the list of services they can now use the
`service_query` function to get more detail about a specific service.
2013-10-11 01:01:47 +10:00
OJ
f720ca7bdb Add service_enum to the ext_server_extapi extension
This commit adds the ability to enumerate services on the target machine,
showing the PID, the service name, the display name and an indication of
the service's ability to interact with the desktop.

Some other small code tidies were done too.
2013-10-10 21:20:23 +10:00
OJ
2902bf3406 Free up user32 when we're done with it 2013-10-10 18:31:22 +10:00
OJ
52e13ad2d3 New extended API extension with window enum
Decided to kick off a new extended API extension with mubix and
kernelsmith to include some more advanced enumeration stuff. The goal of
this extension is to take stuff that wouldn't be part of the std api but
is rather useful for enumeration of a target once meterpreter has been
established.

This commit kicks things off with enumeration of top level windows on the
current desktop.
2013-10-09 22:16:47 +10:00
OJ
a10ee71e1c Remove boiler extension and create 'bare' extension
The boiler extension wasn't used and was old so it was removed. I've added
a new "bare" extension which is, as it says, just bare and doesn't do
anything. This can be used to create new extension projects just by copying
and pasting, then editing a couple of small things.

This will be added to the documentation.
2013-10-09 15:08:09 +10:00
50b7557290 Land , Railgun error messages
See  and 
2013-10-01 16:39:01 -05:00
07a45634bb Land , @OJ's fix for PIP_ADAPTER_PREFIX Length check 2013-09-26 17:46:32 -05:00
OJ
60b4a5778d Better fix for the XP SP0 problem
Thanks to @jvazquez-r7 doing some investigation we have a better solution
to this crash. This commit implements this fix and removes the need to
check the status of the memory that's being read.
2013-09-27 08:32:31 +10:00
OJ
895a580cb5 Last code tidy for the kitrap0d fix
Tidies up the API to be more intuitive, including conversion of the
first parameter to a char pointer (removing MAX_PATH) and renaming
the second parameter to be more indicative of what it means.

Thanks to @jvazquez-r7 for the great discussion!
2013-09-26 11:35:05 +10:00
OJ
54cf92ff6d Updated fix to work properly with _snprintf_s
* Modified first and second parameters to use `dwOutputLength` which
  is given to the function as an indicator of buffer size in bytes
  anyway.
* Check the return value of the function call to see if the result
  was a truncation, and if so, break from the current loop.

Realistically, truncation will not happen because the default windows
installation location folder name is very short.

Thanks @jvazquez-r7 for prodding me to validate this.
2013-09-26 09:07:15 +10:00
OJ
05388502cc Fix issue with kitrap0d crashing meterpreter
Calling getsystem or getsystem -t 4 was resulting in crashes due to
an incorrect usage of sizes in a call to _sprintf_s in the kitrap0d
code. This might have come about as a result of a move to the new
compiler which is C++11.

This code forces the size check to be correct and results in the
exploit functioning correctly on all platforms.
2013-09-24 20:00:26 +10:00
1ed1fa6e94 Fix indent and nitpick 2013-09-19 20:22:45 +01:00
2182a891b6 Correct indent 2013-09-17 19:24:39 +01:00
4090e197aa Merge branch 'master' of github.com:rapid7/meterpreter into ip_resolv 2013-09-17 19:19:51 +01:00
4f1c2fe1ed Don't build in nix 2013-09-17 19:18:44 +01:00
OJ
8070ff7771 Possible fix for XP SP0 System process exploit crash
Exploitation of the System process on Windows XP SP0 resulted in crashes
when meterpreter was enumerating network interfaces. It appears that the
System process isn't able to read from the address that contains prefixes
(stored in pPrefix in interfaces.c). In other cases, such as exploitation
of svchost.exe or via an msfpayload-generated exe, there was no such
crash. This is not an issue on later versions of Windows.

This crash happens in the current "production" version of Meterpreter that
was deployed with MSF v4.7.

The MS08-067 exploit targets the System process, and hence crashes.
The MS03-26 exploit targets svchost, and hence does not crash.

Checking the protection of the memory in each of those cases showed that
the MEM_COMMIT was set when not the System process, and was MEM_RESERVED
when it was. Sample runs can be seen here: http://pastebin.com/2WHqJ90A

This commit is an attempt to avoid this crash down the track, and it just
does a simple check to see if querying the area of memory for the current
process shows a state of MEM_COMMIT. If so, it carries on as per normal,
if not it uses the other legacy code path to traverse the network
interfaces.

With this "fix" in place I have not seen a crash at all on Windows XP,
Windows 7, Windows 8 and Windows 2012.
2013-09-16 23:14:10 +10:00
OJ
99771d367e Removal of more warnings in compilation 2013-09-15 00:06:49 +10:00
OJ
73c3a2cfcd Support Rapid7 internal builds, fix sniffer ext
* r7_debug and r7_release configurations added.
* Make now detects if the appropriate libraries are on disk and will build
  whatever it can. If PSSDK is present in the appropriate location then it
  will attempt to build ext_server_sniffer.
* ext_server_sniffer is now buildable with VS 2012 with all the settings
  correct.
* ext_server_sniffer was failing to load once built. The cause of this was
  that the hMetSrv handle wasn't being set to a valid value prior to the
  command_register calls happening, it was being set too late. I'm not
  sure why this results in a crash, but moving this one call to a location
  prior to the command_register calls does resolve that problem.
2013-09-15 00:00:20 +10:00
OJ
f0e7e0ec3c Add error message support to the railgun code
This code was lost in the transition when the meterpreter source was
removed from the metasploit-framework source. I'm pulling this in by
request of @dmaloney-r7 who originally requested this code be included
as part of https://github.com/rapid7/metasploit-framework/pull/740

I added an extra bit of code to free up memory that is allocated by the
call to FormatMessage and forced the ASCII-version (FormatMessageA) of
the call.
2013-09-13 06:15:48 +10:00
OJ
7c5e7e930c Fix typo in ReflectiveLoader comment 2013-09-12 07:25:18 +10:00
OJ
03706b842f Reflective DLL Injection update, bugfix and tidy
* Pulled source from Stephen Fewer which contains a few updates including
  support for Windows RT.
* Added Stephen Fewer's fix which includes a correct pointer size for the
  reflective DLL loader function.
* Added ENABLE_STOPAGING to allow toggling of VirtualLock() call (defined
  by default).
* Added ENABLE_OUTPUTDEBUG to allow toggling of calls to pOutputDebug
  (undefined by default).
* Remove more warnings in some areas of the code.
2013-09-10 17:36:49 +10:00
OJ
23c9f86241 Rebuild jpeg lib, bit of cleanup 2013-09-03 20:09:52 +10:00
OJ
35bef0be11 Post-build event changes
* Copy output to different locations for different builds
2013-09-03 17:22:18 +10:00
OJ
87031e0d00 Work towards a clean build
* Various code fixes to keep the compiler warnings down.
* Adjustments to project files.
2013-09-03 16:49:09 +10:00
OJ
8ae670cfaf Fix C++11 make_pair errors and U_CHAR problem
* make_pair() changed in C++11 so this change fixes the code so that the
  compiler doesn't complain any more.
* Compiler was also complaining about redefinition of U_CHAR. Undefining
  before redefining resolves the issue.
2013-09-02 12:07:50 +10:00
b5762507be fix spelling error via @Meatballs1 2013-07-24 17:30:29 -04:00
b749014367 enable proxy authentication 2013-07-15 15:47:58 +01:00
cb3933c380 New meterpreter payload reverse_https_proxy 2013-07-12 16:46:58 -04:00
071ff00a38 IPv6 resolution and remove nix 2013-06-20 22:29:49 +01:00
d5b8577d6a Fix warning 2013-04-27 12:52:38 +01:00
73a386f49c CSV escape quotes 2013-04-27 12:43:53 +01:00
f06807c4d5 Fix x64 2013-04-22 10:42:50 +01:00
da4c1fc650 Refactor to support custom commands 2013-04-22 10:06:35 +01:00
19b1d95df8 Modify ssp output 2013-04-21 10:33:16 +01:00
997cbe64ce tidy and add notes 2013-04-21 00:28:39 +01:00
57f9217ccb More licence fixes 2013-04-21 00:21:10 +01:00
6c47be2163 Correct wcout 2013-04-21 00:08:38 +01:00
37101896e9 Update licencing 2013-04-20 23:20:52 +01:00
ff8dbb3226 Refactoring 2013-04-20 18:12:37 +01:00
f061ceba31 Add all methods 2013-04-20 17:28:00 +01:00
c36f4c1c89 Add msv 2013-04-20 16:32:31 +01:00
0fd0f2b878 Prevents crashing on reattempts 2013-04-20 15:06:18 +01:00
36b0aeeeaa Tidy output 2013-04-20 12:21:48 +01:00
d0822e5f19 Working comms 2013-04-20 11:14:37 +01:00
fd7b6eadbb Normalized output 2013-04-20 10:31:13 +01:00
09f2085e97 Working output to file 2013-04-20 01:26:57 +01:00