The video and audio capture things didn't do anything other than leave
artifacts on disk. So this commit removes the code that does that,
resulting in just one feature being available for this extension. Might
be worth ditching it entirely?
The 'common' library has been removed. The only project that actually
used it was metsrv, so the code that metsrv required from common is now
directly compiled in as part of that project.
The common folder now contains files that are important across all of
the projects, with a primary focus on the new "API" style function. What
this means is that MetSrv has an API that it exposes through a function
pointer that is passed to the extension when it's initialised. This
pointer references a structure with all the API functions wired in. This
means that:
* Extensions don't need to know anything about metsrv at compile time.
* The delay loading code can be removed, which was one of the last
instances of "metsrv.dll" as a string.
* Metsrv.dll no longer exports any functions.
More to come.
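The host-supplied API table described above, as an added illustration rather than code from the metsrv or metasploit-payloads projects: the struct name HostApi, its members, the version field and the ext_init/ext_do_work names are all assumptions. What it shows is the property the commit message calls out: the extension compiles and links against nothing but this header, and a table whose layout it does not recognise is refused at init time instead of being called through blindly.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define HOST_API_VERSION 1u

/* Illustrative API table (names are assumptions, not the project's own).
 * The host fills it in and passes a pointer to each extension's init
 * function; the extension never links against the host binary. */
typedef struct _HostApi {
    uint32_t version;   /* first field so a mismatch is caught before any call */
    int   (*send)(const char *channel, const void *data, size_t len);
    void  (*log)(const char *msg);
    void *(*alloc)(size_t n);
    void  (*release)(void *p);
} HostApi;

/* ---- host side: concrete implementations and the table they live in ---- */
static int     g_sent_bytes = 0;
static int     g_log_calls  = 0;
static HostApi g_host_api;   /* outlives any extension that keeps a pointer to it */

static int host_send(const char *channel, const void *data, size_t len) {
    (void)channel; (void)data;
    g_sent_bytes += (int)len;
    return 0;
}
static void  host_log(const char *msg) { (void)msg; g_log_calls++; }
static void *host_alloc(size_t n)     { return calloc(1, n); }
static void  host_release(void *p)    { free(p); }

void host_api_init(HostApi *api) {
    api->version = HOST_API_VERSION;
    api->send    = host_send;
    api->log     = host_log;
    api->alloc   = host_alloc;
    api->release = host_release;
}

int host_sent_bytes(void) { return g_sent_bytes; }
int host_log_calls(void)  { return g_log_calls; }

/* ---- extension side: only the table pointer, no host symbols ---- */
static const HostApi *g_api = NULL;

int ext_init(const HostApi *api) {
    if (api == NULL || api->version != HOST_API_VERSION) {
        return -1;  /* refuse rather than call through an unknown layout */
    }
    g_api = api;
    g_api->log("extension initialised");
    return 0;
}

int ext_do_work(const char *payload) {
    if (g_api == NULL) return -1;
    size_t len = strlen(payload);
    char *buf = g_api->alloc(len + 1);
    if (buf == NULL) return -1;
    memcpy(buf, payload, len + 1);
    int rc = g_api->send("ext", buf, len);
    g_api->release(buf);
    return rc;
}

/* Exercise the happy path and the version-mismatch refusal.
 * Returns 0 on success, otherwise the number of the failed step. */
int run_demo(void) {
    host_api_init(&g_host_api);
    if (ext_init(&g_host_api) != 0)     return 1;
    if (ext_do_work("hello") != 0)      return 2;
    if (host_sent_bytes() != 5)         return 3;
    HostApi stale = g_host_api;
    stale.version = HOST_API_VERSION + 1;
    if (ext_init(&stale) != -1)         return 4;  /* must be rejected */
    return 0;
}

int main(void) {
    int rc = run_demo();
    printf("demo %s (sent=%d bytes, log calls=%d)\n",
           rc == 0 ? "ok" : "failed", host_sent_bytes(), host_log_calls());
    return rc;
}
```

Putting the version first in the struct is what makes the mismatch check safe: it is the one field whose offset can never move between versions, so a newer or older host can always be identified before any other member is read.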
Added /MP for parallel builds, and removed precompiled headers as /Yc
isn't compat with /MP.
Not enabled for the Powershell extension because of its .NET-ness.
This was a bit of a pain, but was well worth it. Had to add a couple of
hacks to make it all work, but this is a nicer solution than having to
depend on OpenSSL and its horrendous build experience.
Warnings as errors, builds clean. Had to do some horrible hacks:
1) Include custom implementation of a lib function just so we could
link against stuff built with older VS.
2) Include legacy symbols for old io for the same reason.
I found an edge case where stageless payloads did not work when they
were embedded in .NET applications. The reason for this is because the
configuration block is stored alongside the code in stageless payloads
and hence is loaded into memory as part of the section when it's mapped.
This section, in native world, remains RWX, and hence we don't have a
problem reading from and writing to it. We write to it for various
reasons, such as when the session guid changes.
In .NET land, this section is mapped as RX instead of RWX. This means
that when we try to write to it, the program segfaults due to an access
violation.
This code modifies the loading of the configuration so that instead of
maintaining a pointer to the original configuration, it instead creates
a copy of it on the heap. I preferred this fix over marking the memory
as RWX, which obviously stands out a bit more.
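The fix described above, as an added example and not the payload's own loader code: the SessionConfig layout, the field names and the Remote/remote_* names are assumptions. The embedded block is declared const so the compiler places it in a read-only section, which stands in for the RX mapping under .NET; the loader copies it to the heap once, every later write (here a session GUID change) goes to the copy, and the image copy is verified to be untouched afterwards.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Stand-in for the configuration block embedded in a stageless payload.
 * The layout and names are assumptions for illustration only. */
typedef struct _SessionConfig {
    uint8_t  session_guid[16];
    uint32_t session_expiry;
    char     transport_url[64];
} SessionConfig;

/* The block as it sits in the image. 'const' makes the compiler put it in a
 * read-only section, which stands in for the RX mapping the text describes:
 * writing through a pointer to it faults. */
static const SessionConfig g_embedded_config = {
    { 0 },
    3600,
    "tcp://192.0.2.10:4444"
};

typedef struct _Remote {
    SessionConfig *config;   /* heap copy; never a pointer into the image */
} Remote;

/* Loader: duplicate the embedded block onto the heap before anything else
 * touches it. The original is only ever read. */
Remote *remote_create(const SessionConfig *embedded) {
    Remote *r = calloc(1, sizeof(*r));
    if (r == NULL) return NULL;
    r->config = malloc(sizeof(SessionConfig));
    if (r->config == NULL) { free(r); return NULL; }
    memcpy(r->config, embedded, sizeof(SessionConfig));
    return r;
}

/* The kind of write that faulted under .NET: now it lands on the heap. */
int remote_set_session_guid(Remote *r, const uint8_t guid[16]) {
    if (r == NULL || r->config == NULL) return -1;
    memcpy(r->config->session_guid, guid, 16);
    return 0;
}

void remote_destroy(Remote *r) {
    if (r == NULL) return;
    free(r->config);
    free(r);
}

/* Confirm that the image copy is untouched after a GUID change. */
int embedded_config_untouched(void) {
    static const uint8_t zero[16] = { 0 };
    return memcmp(g_embedded_config.session_guid, zero, 16) == 0
        && g_embedded_config.session_expiry == 3600;
}

/* Returns 0 when the heap copy was written and the image copy was not. */
int run_demo(void) {
    Remote *r = remote_create(&g_embedded_config);
    if (r == NULL) return 1;
    if ((const SessionConfig *)r->config == &g_embedded_config) {
        remote_destroy(r);
        return 2;   /* still pointing into the image: the bug being fixed */
    }
    uint8_t new_guid[16];
    memset(new_guid, 0xAB, sizeof(new_guid));
    if (remote_set_session_guid(r, new_guid) != 0) { remote_destroy(r); return 3; }
    int ok = memcmp(r->config->session_guid, new_guid, 16) == 0
          && embedded_config_untouched();
    remote_destroy(r);
    return ok ? 0 : 4;
}

int main(void) {
    int rc = run_demo();
    printf("config copied to heap and updated: %s\n", rc == 0 ? "yes" : "no");
    return rc;
}
```

The same approach carries over to any other data that is shipped inside the mapped image and mutated at runtime: copy once at load, and treat the original as read-only regardless of what protections the host process happened to give the section.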
DWORD dwResult = ERROR_ACCESS_DENIED; -> DWORD dwResult; (in functions search_all_drivers, request_fs_search)
Comments in function request_fs_search were deleted
Windows Meterpreter that uses http/s-based transports wasn't correctly checking for cases where pivoted packets were handled. When pivoted packets are forwarded to the correct handler, the packet is set to NULL. For TCP transports, a check already existed to carry on when the packet was NULL, but this wasn't the case for HTTP/S.
This commit fixes this problem and so the pivot session no longer dies when Meterpreter is using an HTTP/S transport.
For funzies, the fix for this was implemented on a live stream to help other people learn some of Meterp's internals. That video can be found here: https://www.youtube.com/watch?v=de-UYWnafow
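The NULL-after-pivot check in a receive loop, as an added illustration rather than Meterpreter's transport code: the Packet, Pivot and Remote structs, the packet_dispatch and transport_process names and the GUID matching are all assumptions. Dispatch sets the caller's pointer to NULL when a packet is forwarded to a pivoted session; the loop must test for that before doing anything further with the packet, which is the check the commit message says the HTTP/S path was missing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Minimal stand-ins; names and layout are assumptions for illustration. */
typedef struct _Packet {
    uint8_t  session_guid[16];
    uint32_t length;
} Packet;

typedef struct _Pivot {
    uint8_t guid[16];
    int     forwarded;   /* packets relayed to this pivoted session */
} Pivot;

typedef struct _Remote {
    Pivot  pivots[4];
    size_t pivot_count;
    int    handled_local;
} Remote;

static Packet *make_packet(uint8_t guid_byte) {
    Packet *p = calloc(1, sizeof(*p));
    if (p == NULL) return NULL;
    memset(p->session_guid, guid_byte, sizeof(p->session_guid));
    p->length = 8;
    return p;
}

/* Dispatch: if the packet's GUID matches a pivot, it is handed off and
 * *packet is set to NULL because this transport no longer owns it. */
static int packet_dispatch(Remote *r, Packet **packet) {
    Packet *p = *packet;
    for (size_t i = 0; i < r->pivot_count; i++) {
        if (memcmp(p->session_guid, r->pivots[i].guid, sizeof(p->session_guid)) == 0) {
            r->pivots[i].forwarded++;
            free(p);             /* the pivot side would own its relayed copy */
            *packet = NULL;
            return 0;
        }
    }
    r->handled_local++;
    return 0;
}

/* Receive loop written the way the fixed HTTP/S path behaves: after dispatch
 * it checks for NULL and moves on instead of touching a forwarded packet. */
int transport_process(Remote *r, Packet **inbox, size_t count) {
    for (size_t i = 0; i < count; i++) {
        Packet *packet = inbox[i];
        inbox[i] = NULL;
        if (packet == NULL) continue;
        if (packet_dispatch(r, &packet) != 0) {
            free(packet);
            return -1;
        }
        if (packet == NULL) {
            continue;   /* pivoted: forwarded elsewhere, nothing left to do */
        }
        /* Local packet: post-processing that would crash on a NULL packet */
        packet->length = 0;
        free(packet);
    }
    return 0;
}

/* Returns 0 when two local and one pivoted packet are accounted for. */
int run_demo(void) {
    Remote r;
    memset(&r, 0, sizeof(r));
    memset(r.pivots[0].guid, 0x22, sizeof(r.pivots[0].guid));
    r.pivot_count = 1;

    /* Constructed inbox: local, pivoted, local */
    Packet *inbox[3] = { make_packet(0x11), make_packet(0x22), make_packet(0x11) };
    for (size_t i = 0; i < 3; i++) {
        if (inbox[i] == NULL) {
            for (size_t j = 0; j < 3; j++) free(inbox[j]);
            return 1;
        }
    }

    if (transport_process(&r, inbox, 3) != 0) return 2;
    if (r.handled_local != 2)       return 3;
    if (r.pivots[0].forwarded != 1) return 4;
    return 0;
}

int main(void) {
    int rc = run_demo();
    printf("pivot-aware receive loop: %s\n", rc == 0 ? "ok" : "failed");
    return rc;
}
```

Removing the `if (packet == NULL) continue;` line after dispatch reproduces the failure mode described: the second packet is forwarded, the pointer is NULL, and the post-processing write dereferences it.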
This commit adds two new scripts and modifies some of the powershell transport binding functionality.
Code has been added that generates valid Metasploit URIs for use with stageless listeners. This means that it's possible to add HTTP/S transports on the fly and have a URL generated that will work with the current architecture of the process.
Two new scripts will appear in each of the powershell sessions:
* Add-WebTransport - adds http/s transports to the session.
* Add-TcpTransport - adds TCP transports to the session.
These two scripts are just abstractions on top of the built-in Meterpreter transport binding functionality, but it makes it a lot easier to interact with the feature and makes it more... er... Powershelly.
The functions come with documentation, so `Get-Help Add-WebTransport -Full` will show how it's used.
From here, people can do some more fun stuff, such as adding init scripts to their stageless payloads that add support for more transports.
I stuffed up when dealing with values that are being passed back and forth across components when in x86 processes. I was passing 64 bit ints around even in 32 bit mode, which resulted in some nastiness. This commit fixes that problem by forcing everything to be 64 bit regardless of arch, and casting to the appropriate pointer at the right time.
The previous commit hard coded the LM hash to the empty value. This commit changes this so that if the LM hash isn't present it'll manually specify the empty one, but use the existing one if it is present.
This commit changes the channel functionality within the powershell extension so that commands do execute behind the scenes and stream the results to the UI in the current channel.
This comes with the caveat that users are patient. I haven't yet made sure that running separate commands while long running ones are running will not cause problems. We'll have to see.
DCSync functionality is exposed, and from this it is possible to enumerate all users in the domain and dump each user's hash one by one. This code has a few extension functions built into the runner, and also has some baked-in powershell functions that are available in every powershell runner session in the host.
I've also added a powershell version of the build command that lets us generate the source to the powershell assembly wiring from PSH as well as Python.
This was left over code from me trying to do some fixes to getprivs
which didn't make sense in the middle of the packet pivot work. This was
left over by me as a result of my half-baked revert. This caused issues
with both the `getprivs` and `getsystem` command. I'm pretty sure that
as a result of breaking the latter, I will never live down the "make
getsystem great again" meme.
This commit fixes an issue where the transports were calculating an
incorrect size for the packet that was being received. This wasn't
noticeable until packet pivot work started, and for some reason wasn't
causing breakages during local testing. Either way, it's fixed now!
This updates the packet header so that the encryption byte flag is now
32 bits. This also updates the powershell and python extensions so that
both of the bindings work correctly as a result of the TLV packet header
changes.