Windows Meterpreter that uses http/s-based transports wasn't correctly checking for cases where pivoted packets were handled. When pivoted packets are forwarded to the correct handler, the packet is set to NULL. For TCP transports, a check already existed to carry on when the packet was NULL, but this wasn't the case for HTTP/S.
This commit fixes this problem and so the pivot session no longer dies when Meterpreter is using an HTTP/S transport.
For funzies, the fix for this was implemented on a live stream to help other people learn some of Meterp's internals. That video can be found here: https://www.youtube.com/watch?v=de-UYWnafow
This commit adds two new scripts and modifies some of the powershell transport binding functionality.
Code has been added that generates valid Metasploit URIs for use with stageless listeners. This means that it's possible to add HTTP/S transports on the fly and have a URL generated that will work with the current architecture of the process.
Two new scripts will appear in each of the powershell sessions:
* Add-WebTransport - adds http/s transports to the session.
* Add-TcpTransport - adds TCP transports to the session.
These two scripts are just abstractions on top of the built-in Meterpreter transport binding functionality, but it makes it a lot easier to interact with the feature and makes it more.. er.. Powershelly.
The functions come with documnetation, so `Get-Help Add-WebTransport -Full` will show how it's used.
From here, people can do some more fun stuff, such as adding init scripts to their stageless payloads that add support for more transports.
I stuffed up when dealing with values that are being passed back and forth across components when in x86 processes. I was passing 64 bit ints around even in 32 bit mode, which resulted in some natstiness. This commit fixes that problem by forcing everything to be 64 bit regardless of arch, and casting to the appropriate pointer at the right time.
The previous commit hard coded the LM hash to the empty value. This commit changes this so that if the LM hash isn't present it'll manually specify the empty one, but use the existing one if it is present.
This commit changes the channel functionality within the powershell extension so that commands do execute behind the scenes and stream the results to the UI in the current channel.
This comes with the caveat that users are patient. I haven't yet made sure that running separate commands while long running ones are running will not cause problems. We'll have to see.
DCSync functionality is exposed, and from this it is possible to enumerate all users in the domain and dump each user's hash one by one. This code has a few extension functions built into the runner, and also has some baked-in powershell functions that are available in every powershell runner session in the host.
I've also added a powershell version of the build command that lets us generate the source to the powershell assembly wiring from PSH as well as Python.