1
mirror of https://github.com/rapid7/metasploit-payloads synced 2025-01-08 14:36:22 +01:00
Commit Graph

1351 Commits

Author SHA1 Message Date
OJ
d7c741f858
Fix reconnect pipe read issue
Also fix up issue with the pivot tree code
2017-07-21 20:50:43 +10:00
OJ
82cf5e7941
Fix issue with inspection of the wrong byte for xor keys 2017-07-21 18:33:15 +10:00
OJ
e12e711ec5
Interim commit while debugging 2017-07-21 18:27:04 +10:00
OJ
293d79d0ed
Adjust HTTP/S transport to support packet pivot 2017-07-18 21:15:08 +10:00
OJ
415665ef59
Pivot stability, fixes, tidies, etc 2017-07-18 20:58:23 +10:00
OJ
5a04de0780
Fix transport list command to support named pipes 2017-07-18 13:40:40 +10:00
OJ
fac1bfa489
Fix issue with packet size calculation
This commit fixes an issue where the transports were calculating an
incorrect size for the packet that was being received. This wasn't
noticable until packet pivot work started, and for some reason wasn't
causing breakages during local testing. Either way, it's fixed now!
2017-07-17 11:11:25 +10:00
OJ
2ede006025
First working packet pivot session! 2017-07-16 19:33:24 +10:00
William Webb
6fc00bc812
cleanup memleak 2017-07-14 01:24:54 -05:00
OJ
cba5e86ac2
Add support for the pivot ID 2017-07-11 19:43:23 +10:00
OJ
6d2582102d
Slow progress on pipe packet pivots 2017-07-10 20:00:37 +10:00
William Webb
d25ff91ca2
axe errant DebugBreak() 2017-07-06 20:21:22 -05:00
William Webb
c144bac8d9
gracefully handle threading and correctly destroy msg only window 2017-07-06 19:57:07 -05:00
OJ
f96fe3542f
Next phase of packet pivot work 2017-07-06 15:40:32 +10:00
William Webb
519194dc6c
log pid on new active window 2017-07-05 20:34:37 -05:00
OJ
fc6c593eb7
Add the first pass of named pipe pivot code 2017-07-05 16:15:06 +10:00
OJ
c74376fb69
Make enc flags 32 bit, fix extension bindings
This updates the packet header so that the encryption byte flag is now
32 bits. This also updates the powershell and python extensions so that
both of the bindings work correctly as a result of the TLV packet header
changes.
2017-07-03 16:51:57 +10:00
OJ
f5b29bd7c6
Land #210 : set thread error mode 2017-06-29 17:33:46 +10:00
Brent Cook
1a9bfc8c68 disable thread error reporting globally 2017-06-29 01:07:22 -04:00
OJ
9fd56beba0
Refactor pub key encryption code
Extract the publicy key encryption code out into another method and
cater for more error conditions.
2017-06-28 12:50:53 +10:00
Brent Cook
f95710249b
Land #209, Make keyscan active window tracking discretionary 2017-06-25 17:39:41 -05:00
OJ
a911045d5e
Merge upstrea/master + fix issues 2017-06-25 19:52:11 +10:00
OJ
12055fca25
Finalised support for RSA-encrypted AES key negotiation
Still needs to be wired into HTTP/S.
2017-06-25 10:24:40 +10:00
Brent Cook
0356a5068d add thread preamble that sets the per-thread error mode 2017-06-23 20:37:56 -05:00
Artem
fe8920640d Add Disable Windows Error Messages 2017-06-23 20:37:56 -05:00
Brent Cook
c7f614a799
Land #200, Fix winpmem builds, warnings, cleanup logging 2017-06-23 18:00:22 -05:00
William Webb
cad32aaa33
kill whitespace 2017-06-23 14:08:08 -05:00
William Webb
419533ce48
kill whitespace 2017-06-23 13:56:07 -05:00
William Webb
f437e6aef7
use conventional option/TLV scheme instead of dumb stuff 2017-06-23 13:51:08 -05:00
Brent Cook
fb80f87ee3
Land #204, Update to Mimikatz 2.1.1 20170608 for changentlm function 2017-06-22 10:45:34 -05:00
OJ
8ffb877610
Initial version of working AES encrypted TLV packets 2017-06-21 21:02:33 +10:00
Brent Cook
efe6f32197 fix 64-bit r7 target build 2017-06-21 03:01:56 -05:00
OJ
cb9ae6acd4
Rework the packet XOR code
Make the XOR key an array of bytes as a start to normalise the way the
XOR happens across the board. Given that we're going to be adding
encryption to the packet level and adding more stuff to the packet
header, now is the time to fix this up once and for all.
2017-06-20 19:20:41 +10:00
OJ
8858acb618
Initial attempt to AES encryption at the packet level 2017-06-20 17:50:58 +10:00
OJ
813760a9e2
Remove support for the crypto context
Crypto context stuff appears to have only ever been supported in
Meterpreter on Windows. The only thing it allowed for is XOR, which is
redundant given that we have packet level XOR in place. Also, it would
appear that MSF didn't have support for it anyway!

With the move torwards packet-level encryption, this is unnecessary so
it needs to go bye bye.
2017-06-19 16:51:54 +10:00
OJ
9e3aef62bc
Hack to ignore metsrv.dll stage when connecting to staged listener
The last issue we had in removing the OpenSSL library from Windows
meterp is making it so that reconnects would behave. With a staged
listener, the first thing that gets sent down the wire is metsrv.dll. As
a result, when a fully staged connect comes in (whether it be from
a stageless payload, from a transport switch or from a sleeping session
waking up), Meterpreter needs to handle the case that the data coming
down the wire is no actually a TLV packet, and hence ignore it.

This "hack" abuses the properties of the XOR key for the packet,
relying on the fact that the XOR key will never contain NULl bytes and
that the first 4 bytes from a staged listener starts with the length of
the metsrv DLL, which is small enough to result in a NULL byte in the
MSB position.

If we see a NULL byte in that position, we assume it's the metsrv header
coming in, and we just ignore it and move on. If the XOR key looks
legit, we assume it's a valid TLV packet.

Dirty, but it's quick and it works!
2017-06-16 13:34:46 +10:00
OJ
3554aff9de
Remove SSL from all but the python extension
Re-implement MD5 and SHA1 file hashing using CSP.
2017-06-14 21:40:20 +10:00
Brent Cook
28a9f42e14 more ssl flensing 2017-06-14 04:56:47 -05:00
Brent Cook
36f3d346fe fix line endings 2017-06-14 04:56:47 -05:00
Brent Cook
36771d6309 initial pass at flensing openssl code from reverse_tcp 2017-06-14 04:56:47 -05:00
OJ
5fcff5ea76
Update to Mimikatz 2.1.1 20170608 for changentlm function 2017-06-13 15:29:02 +10:00
Brent Cook
0ba547b360
Land #203, Add session GUID support 2017-06-09 00:59:37 -05:00
OJ
cf575a05dd
Add session GUID support to Meterpreter payloads 2017-06-06 17:24:36 +10:00
RaMMicHaeL
dd224a91f0 Fixed an elusive bug on AMD CPUs
Details:
http://blog.rewolf.pl/blog/?p=1484
8771485dd3
2017-06-03 11:24:01 +03:00
Brent Cook
0a2d768e77 delete Linux meterpreter support 2017-05-14 02:11:57 -05:00
Brent Cook
dc712150af
Land #199, Adjust proxy code to support DNS/DHCP resolution 2017-05-08 16:57:08 -05:00
OJ
91558d0c16
Adjust proxy code to support DNS/DHCP resolution
This code is blatantly poached from the blog post locted at
https://medium.com/@br4nsh/a-meterpreter-and-windows-proxy-case-4af2b866f4a1
which was written by Juan. A great deal of time and effort went into
that research and all credit for this work should go to him.
2017-05-05 16:16:54 +10:00
OJ
7c65e621a1
Fix stageless URI redirect parsing
This commit fixes the case where we incorrectly assume that the URIs
used in the transport don't make use of the LURI setting in MSF.

The bug was that the code iterated through the URI string in reverse,
looking for a slash and then using that as the point to patch the new
URI over the existing. This meant that with the LURI parameter used, the
actual LURI field was missed, and the patch would result in the LURI
value appearing again.

The fix put in iterates from the start of the string and looks for the
third instance of the slash. This means that the LURI field is patched
as well as the UUID section.

Fixes #197
2017-05-03 10:36:53 +10:00
Brent Cook
995471faad
Land #190, list all possible privileges with the getprivs command 2017-04-21 14:46:30 -05:00
Brent Cook
37bc1689b2
fix a compiler warning 2017-04-15 05:51:12 -05:00
ouahib-el-hanchi
4f9866d035 Fixed issue #189 2017-04-15 02:55:00 +01:00
Brent Cook
6e7d55898e
Land #185, Keyscan system updates 2017-04-14 13:48:32 -05:00
William Webb
8bd164bbbb some minor cleanup 2017-04-12 21:19:45 -05:00
OJ
541e879023
Update the kiwi extension source to v2.1.1
This brings the source up to date with the source from the Rapid7 repo
which includes the v2.1.1 source released by Ben.
2017-04-11 20:21:57 +10:00
William Webb
88f240c26c
specify globals in variable names because its 2017 bro 2017-04-10 14:28:22 -05:00
William Webb
017a4e107e
final cleanup and type check 2017-04-10 14:08:46 -05:00
William Webb
3653169513
save wip 2017-04-05 00:18:02 -05:00
William Webb
145285c549
add focused windows enumeration and date/time stamping 2017-04-01 22:21:54 -05:00
William Webb
5d917565c0
add known working keylog code 2017-03-31 13:19:53 -05:00
William Webb
9272af7863
save initial unicode keyscan updates 2017-03-20 21:47:47 -05:00
Jeff Tang
e97b8449c2 Add universal unhooking call to meterpreter server
metsrv will unhook its current process before initializing the
connection
2017-02-27 17:11:18 -05:00
Brent Cook
d840805ad4 end-of-line mismatches in common.h 2017-01-24 18:49:14 -06:00
Brent Cook
f0b9f6b76a replace timestomp code with rewritten versions 2017-01-24 18:49:14 -06:00
OJ
6872495da6
Remove Migrate TLVs from php/py, adjust for Java 2017-01-24 07:38:59 +10:00
Brent Cook
8d84a89c5a
Land #160, Revamp Kiwi to work off Mimikatz subrepo 2016-12-29 14:31:19 -06:00
Brent Cook
c635df826d
Land #156, use ctypes to extract Windows sysinfo directly 2016-12-29 14:29:24 -06:00
Brent Cook
8e4af5500a Windows 2016 is released 2016-12-29 13:31:05 -06:00
OJ
a4982ca307
Remove unused kiwi TLVs 2016-12-23 09:58:26 +10:00
OJ
f68bf83fec
Update again to mimikatz subrepo head 2016-12-23 09:50:52 +10:00
OJ
e7bf6adb37
Updated to mimiktaz master 2016-12-23 09:37:20 +10:00
OJ
bc90795ab4
Remove bulk comments, update to latest mimikatz 2016-12-23 08:33:04 +10:00
OJ
3bc2d697a4
Update the mimikatz head 2016-12-20 18:24:32 +10:00
OJ
58cad3a426
Re-add wifi support, and update subrepo 2016-12-10 11:19:30 +10:00
OJ
69d5c98020
Bump submodule to use R7 master for mimikatz 2016-12-09 09:09:45 +10:00
OJ
4f0c9407d2
Adjust TLV lable in POSIX to match updates 2016-12-08 16:46:50 +10:00
OJ
e42ef7a17e
Change PBYTE to LPBYTE to keep POSIX happy 2016-12-08 16:39:38 +10:00
OJ
ff56b36a98
Move migration stub code to MSF
This commit changes the code so that the migration stubs are generated
in MSF and are transport specific (so that we only do the work we need
to).
2016-12-08 16:00:04 +10:00
OJ
752fe2f6f2
Update to latest mimikatz version 2016-12-07 17:27:17 +10:00
OJ
4c5c6e79b1
Mimikatz external deps dancing 2016-12-07 17:22:32 +10:00
OJ
e312cc934f
Add short comment to explain user of powershell function 2016-12-07 14:41:33 +10:00
OJ
ffc9c1d37a
Add mimikatz submodule with MSF changes
This includes a few changes that are in an open branch waiting to be
merged into the mimikatz source.
2016-12-07 14:41:33 +10:00
OJ
a31b16452c
Remove old kiwi code 2016-12-07 14:41:33 +10:00
OJ
86f2093968
Re-add key UUID sending functionality
As part of b50955a924 important code that
sent UUIDs along with each request was accidentally removed. This PR
re-includes it so that the UUIDs are in fact sent when they should be
sent.

This fixes issues where UUID commands don't work, and fixes migration in
a bunch of scenarios.
2016-12-07 13:27:34 +10:00
Tim
db85f099c3
stdapi_fs_file_copy 2016-11-29 13:58:46 +08:00
Brent Cook
b50955a924 Revert "Refactor XOR code, dedup packet writing code"
This reverts commit 7e8b4c3c52.
2016-11-17 06:22:53 -06:00
Brent Cook
79cff67de4
Merge remote-tracking branch 'upstream/master' into fix-143 2016-11-14 12:01:31 -06:00
Brent Cook
e5f695fde7 fix posix build, remove dos EOLs 2016-11-14 11:58:52 -06:00
Brent Cook
17fb30204e
Land #112, Added Winpmem Meterpreter extension 2016-11-14 11:47:31 -06:00
OJ
4d145d78a7
Merge upstream/master into uuid-to-tlv 2016-10-29 15:25:21 +10:00
OJ
70812fd1ce
Remove core_uuid and add core_set_uuid 2016-10-29 12:42:36 +10:00
OJ
ed1e912e6b
Remove presence of WOW64 in the architecture string 2016-10-29 06:43:26 +10:00
Brent Cook
af34146109
disable debug messages 2016-10-26 05:21:39 -05:00
Danil Bazin
e529a2a351 Add fcat.exe 2016-10-17 21:28:59 +02:00
OJ
b96eaff14f
Remove check for UUID, force add without check 2016-10-14 13:27:45 +10:00
OJ
d06d7e1807
Include UUID in each request, update UUID on migrate 2016-10-14 10:53:21 +10:00
Brent Cook
f302463f94
Land #133, add local time command 2016-10-10 23:28:20 -05:00
OJ
7e8b4c3c52
Refactor XOR code, dedup packet writing code 2016-10-10 14:40:05 +10:00
Danil Bazin
0883a471d7 Add license file from winpmem projet 2016-10-08 19:54:57 +02:00
Brent Cook
0385a93530
Land #132, Add support for listing of loaded drivers 2016-10-03 23:06:08 -05:00
Brent Cook
c304eb79c3 revert mode changes 2016-10-03 23:05:57 -05:00
OJ
d10795ba09
Update to use wchar_t API functions and unicode results 2016-10-04 13:50:28 +10:00
OJ
2b9aac9c45
Add support for listing of loaded drivers 2016-10-04 11:30:12 +10:00
OJ
12368749df
Fix pack format string issue in python extension 2016-10-04 09:46:53 +10:00
OJ
46484c2f35
Small space/comment fix 2016-10-03 15:26:54 +10:00
OJ
0cbb86c59b
Add localtime support to php, tidy python and c 2016-10-03 15:26:54 +10:00
OJ
5e6dc8ca85
Add localtime command support for POSIX 2016-10-03 15:26:54 +10:00
OJ
38fe6e1188
Add localtime command to Windows native meterp 2016-10-03 15:26:54 +10:00
Brent Cook
42a1e49768 fix unicode string writes for REG_EXPAND_SZ types 2016-09-29 23:10:27 -05:00
Tim
015d57d0fe fix clipboard 2016-09-04 15:12:26 +01:00
Danil Bazin
ec18721bd1 Winpmem meterpreter extension working 2016-08-30 18:40:14 +02:00
ssyy201506
6625248fc7 fix crash after closing channel 2016-07-08 15:40:29 +09:00
ssyy201506
baad192ba6 Fix the immediate closing of a interactive channel. 2016-06-16 11:14:12 +09:00
Brent Cook
0057809573 fix registry class, take 2 2016-05-03 22:05:14 -05:00
Brent Cook
167b2d2ac1
Land #94, Enable support for IPv6 address binding 2016-05-03 20:40:54 -05:00
Brent Cook
90f5cd2c3a fix the length calculation for meterpreter registry class reads 2016-05-03 16:40:58 -05:00
OJ
4763c24cfe Small tidy, and adding of debug code 2016-05-03 12:09:46 +10:00
Brent Cook
84140c23ba
Revert "fix Linux threads to actually use allocated memory"
This reverts commit f95152dfc1.
2016-04-26 16:49:46 -04:00
OJ
d6387fcd90 Typedef the sockaddr_in6 struct for POSIX 2016-04-06 16:14:27 +10:00
OJ
61b91d276b Enable support of IPv6 address binding 2016-04-06 15:38:03 +10:00
OJ
fe048683c9
Land #93 - Fix threads in POSIX 2016-04-06 10:59:01 +10:00
Brent Cook
f95152dfc1 fix Linux threads to actually use allocated memory 2016-04-05 17:35:55 -05:00
Brendan Watters
73d548be48
Land #85, UTF-8 Registry Support 2016-04-05 16:20:39 -05:00
Brent Cook
f43bc0a3ac
Land #89, Add Powershell meterpreter bindings 2016-04-01 19:38:56 -05:00
OJ
3c17f4e9aa Fix package script, update package
The package script was (stupidly) written (by me) to replace '\\' with
'.' when generating python import module names. Of course, this works
great on windows, but it means if you generate the package on linux
things break horribly. The result was that the latest package wouldn't
resolve anything useful when importing key stuff like ctypes or pty.

This PR fixes the issue so that the modules are correctly wired in
regardless of the OS that the package was constructed on.
2016-03-31 11:14:19 +10:00
Brent Cook
e460c1d241
Land #87, initial powershell extension 2016-03-24 21:19:22 -05:00
OJ
e229995f2d Added powershell_import and sample DLL for import testing 2016-03-25 12:16:13 +10:00
OJ
cf6287e031 Fix runner to properly support multi-line scripts
This commit actually changes the PS runner code so that it's
base64-encoded before being sent to the interpreter. It's a bit of
a hack but it means that all multiline commands are properly supported.
IEX for the win!
2016-03-25 10:28:14 +10:00
OJ
6bbfd51ab4 Stageless init support, multi-line command support 2016-03-25 09:56:00 +10:00
OJ
1a75953b7c Add transport support, tidy up some code 2016-03-25 09:12:53 +10:00
OJ
d286618b13 Add support for incognito 2016-03-24 15:01:50 +10:00
OJ
ecf10f7e43 Added ProcessList to Sys 2016-03-24 10:42:56 +10:00
OJ
1d85ea8513 Add sysinfo, code tidy 2016-03-24 10:13:56 +10:00
OJ
3f9681c34e Add show mount binding, tweak output to be tidier 2016-03-23 22:54:02 +10:00
OJ
4b142d35a0 Add Kiwi bindings, add debug, fix issue with missing commands in local
packets
2016-03-23 22:21:54 +10:00
OJ
64c57f203b Add the last few features to the User binding 2016-03-23 15:25:17 +10:00
OJ
b32fd52bfd Fix LocalAlloc call, start on the handling of other bindings (user) 2016-03-23 15:13:09 +10:00
OJ
41ac07dbe0 Finish the elevate bindings for powershell 2016-03-23 14:40:41 +10:00
OJ
8b702f7008 Remove invalid prints 2016-03-23 14:32:19 +10:00
OJ
7ba39c982a First version of "working" bindings (getsystem works)
More to do, including reading of TLV packets.
2016-03-23 13:39:25 +10:00
OJ
110306e115 Fix python meterpreter bindings by adding 0 xor key 2016-03-23 13:13:15 +10:00
OJ
ee807408ec Beginning of work on the building blocks for PSH->Meterp bindings 2016-03-22 16:06:43 +10:00
OJ
62c48c6ecc Fix a small issue with the TLV generation in getsystem 2016-03-22 16:02:26 +10:00
OJ
6e5afca1b3 Include the MSF.Powershell project 2016-03-22 13:11:49 +10:00
OJ
d48066c4cf Add support for hosts with .NET 2 only support 2016-03-22 12:36:31 +10:00
OJ
a8d0fadc5a Fallback to v4 runtime if v2 isn't present 2016-03-21 17:16:28 +10:00
OJ
cd162a88f8 Fix issue with channel interaction functioning incorrectly on close 2016-03-21 16:01:21 +10:00
OJ
43e6aae784 Proper functioning powershell sessions 2016-03-21 15:14:24 +10:00
OJ
df581ce638 Change from Auto to Manual reset event
This stops the CPU thrashing, and should have been the default when the
work was first done.
2016-03-15 21:16:48 +10:00
Brent Cook
423dbaeba2 consistency and bug fixes 2016-03-15 05:45:21 -05:00
Brent Cook
31e6ae1a63 Convert registry access to use UTF-8 2016-03-15 02:58:36 -05:00
OJ
a7ef4b91e3 Add powershell interactive prompt 2016-03-14 20:23:44 +10:00
OJ
3d94391292 Add support for unmanaged powershell
This commit includes the ability to run a single powershell command in
the current session.
2016-03-14 17:12:29 +10:00
OJ
af32e7289d Initial shell of the powershell extension project 2016-03-14 12:56:34 +10:00
OJ
e2285737a8 Make comment a little more sensible 2016-03-09 08:53:21 +10:00
OJ
62455e57f9 make the GetIpAddr function interactions deal with dynamic size 2016-03-09 08:27:59 +10:00
Brent Cook
fc26790e9a simplify error handling, remove 30 IP limit, remove unneeded free() checks 2016-03-08 03:50:32 -06:00
OJ
f015f53b6b Fix network interface enumeration limitation
This moves the existing network interface enumeration code over to the
group TLV packet approach which allows for arbitrary numbers of entities
to be added on the fly instead of fixed numbers.
2016-03-08 12:11:27 +10:00
Brent Cook
08e008fc77
Land #64, add xor encoding to TLV messages 2016-02-10 21:32:43 -06:00
Brent Cook
263fc0a00a posix xor 2016-02-04 05:50:47 -06:00
BAZIN-HSC
8ddd54c565 Build correction for fedora on not EN system 2016-01-29 10:41:18 +01:00
Brent Cook
ed3c35ed0b allow duplicate symbols building libm 2016-01-16 22:12:02 -06:00
OJ
246c78fccc Remove extra call to scheduler init 2016-01-13 10:08:12 +10:00
OJ
29f88366ac
Merge branch 'upstream/master' into default-xor 2016-01-13 07:34:40 +10:00
Brent Cook
c125f72c1a
Land #59, simplify sniffer conditional logic 2015-12-24 06:40:58 -06:00
Brent Cook
9e2c799b3e
Land #57, include multiprocessing module in python extension 2015-12-23 03:09:59 -06:00
Romero Malaquias
70a8d43949 Avoiding conditional directives that break statements. 2015-12-21 12:23:08 -03:00
OJ
4424029d3c Add python extension multiprocessing
This commit includes code that was missing from the original Python PR which adds support for the multiprocessing module in Python. I have no idea why this was missed, but it was. The code also includes adjustments to the loader which attempts to resolve modules appropriately based on name. This is a bit of a kludge thanks to the way that Python module resolution hooks work, as it's not clear exactly which namespace the module is intended to be loaded from at runtime as it's not passed to the resolver. Down the track we may need to get smarter with the resolver so that we have a per-module resolver (ie. a tree of resolvers).
2015-12-19 09:40:44 +10:00
OJ
d5fb6821ae Fix python core lib mistake 2015-12-13 11:52:42 +10:00
OJ
3d598c4275 Remove superfluous comments from code 2015-12-08 16:57:40 +10:00
Brent Cook
099da2b4b7 Revert "Convert registry access to use UTF-8"
This reverts commit bc8dfb17b5.
2015-12-07 14:17:52 -06:00
Brent Cook
2f575a45a0 Revert "fixup buffer sizes"
This reverts commit 2d6c0194c9.
2015-12-07 14:17:50 -06:00
OJ
1061df8b8d Remove the RECV POST request 2015-12-07 13:26:33 +10:00
OJ
5ca5fe89f0 Begin to enable DWORD xor out of the box 2015-12-02 13:30:22 +10:00
Brent Cook
2d6c0194c9 fixup buffer sizes 2015-12-01 14:58:20 -06:00
Brent Cook
bc8dfb17b5 Convert registry access to use UTF-8 2015-12-01 13:53:45 -06:00
OJ
29c8639025 Updated init script method 2015-11-20 12:49:36 +10:00
OJ
c692e76332 Finalise stageless initialisation scripts 2015-11-10 20:00:34 +10:00
OJ
dca4cc46be
Merge branch 'upstream/master' into stageless-init 2015-11-10 15:44:39 +10:00
OJ
175d6d93f1 First pass of stageless initialisation script 2015-11-10 15:43:59 +10:00
Brent Cook
bc0138093d
Land #47, add python transport bindings 2015-11-09 21:13:18 -06:00
Brent Cook
98fae3e075 change source perms back to non-executable 2015-11-09 21:10:30 -06:00
Brent Cook
888ec2574a
Land #46, add misc python bindings. 2015-11-09 20:56:51 -06:00
OJ
380f3e27aa Update python core lib archive 2015-11-04 15:33:12 +10:00
OJ
578ac70fd9 Add transport add command to python binding 2015-11-04 14:37:57 +10:00
OJ
4b44e69ce9 Add transport list binding 2015-11-04 14:04:22 +10:00
OJ
73b8422c14 Update packaged libs 2015-11-03 17:56:20 +10:00
OJ
e016e6d526 Add incognito binding, code tidies 2015-11-03 17:52:06 +10:00
OJ
cbb50227a5 Refactor TLV layout, add more debug output, token stealing 2015-11-03 14:03:33 +10:00
OJ
7c592a63d2 Add show_mount, ps_list, and some core tweaks 2015-11-03 13:25:47 +10:00
Brent Cook
7d94abd9b0
Land #44, don't fall back to 0.0.0.0 it the user-specified bind fails 2015-11-02 17:24:57 -06:00
Brent Cook
ecbcb17dec
Land #43, add show_mount support for Windows meterpreter 2015-10-30 15:26:33 -05:00
OJ
5602977bce Ignore SSL changes in POSIX code
This ifdef's our way to glory, given that POSIX Python extension is out
of scope for now.
2015-10-30 15:23:01 -05:00
OJ
71212bba43 Turn off debug trace 2015-10-30 15:23:01 -05:00
OJ
f572570b7d Initial work to get python talking to metsrv's ssl 2015-10-30 15:23:01 -05:00
OJ
a004655b03 Fix silly typo in extapi python module 2015-10-30 15:23:01 -05:00
OJ
def28cf927 Init the msvcrt extension 2015-10-30 15:23:01 -05:00
OJ
1c438bd13a Add some adsi functionality bindings 2015-10-30 15:23:01 -05:00
OJ
fb36d94c05 Clean up packet once processed 2015-10-30 15:23:01 -05:00
OJ
4b2257c791 More bindings, including kiwi as an example 2015-10-30 15:23:01 -05:00
OJ
04cb09737e More work on the meterpreter bindings for python 2015-10-30 15:23:00 -05:00
OJ
eaabcabca8 Starting work on meterpreter bindings 2015-10-30 15:23:00 -05:00
OJ
08d27edb76 Tidying up, add persistent stdout/stderr 2015-10-30 15:23:00 -05:00
OJ
8ae2ae5682 Turn off debug trace 2015-10-30 15:23:00 -05:00
OJ
4a474b963f Small tidy up of python related stuff 2015-10-30 15:23:00 -05:00
OJ
116da1c0ff Support import of py and pyc 2015-10-30 15:23:00 -05:00
OJ
007afeae2a Stacks of work getting modules wired up 2015-10-30 15:23:00 -05:00
OJ
126c3b8e07 Add stdout/stderr capture and result extraction 2015-10-30 15:22:59 -05:00
OJ
90be1cc878 First attempt at the python extension
It builds for x64 and x86. There is a single command implemented that
allows for single-shot python commands to be run.
2015-10-30 15:22:59 -05:00
Brent Cook
e878ac3286 import 1cf077a from python 2.7 branch (2.7.10+) 2015-10-30 15:12:58 -05:00
James Lee
4d37ec6646
Don't fall back to 0.0.0.0
This allows the client side to determine whether to fall back and gives
the user a better chance of seeing that it isn't listening where they
told it to.
2015-10-30 11:46:25 -05:00
OJ
14740bfa9c Add support for the show_mount command (windows) 2015-10-29 07:22:59 +10:00
Brent Cook
7ab7d13add
Land #32, switch transports on certificate validation failure 2015-09-25 09:05:48 -04:00
Brent Cook
15de43bf11
Land #31, Use RtlGetVersion for detecting Windows versions 2015-09-25 09:04:33 -04:00
OJ
2422f0926b Support transport failover for SSL cert failures
This commit will result in SSL cert failures causing failovers to other
transports, even to itself, instead of shutting the session down. This
will result in repeated calls back to the endpoint, every "retry wait"
seconds, and will continue to do so until the session expires, or the
SSL verification works.

Be warned, this can be noisy in your console if you haven't configured
things properly. The result is a lot of callbacks over the life of the
session.
2015-09-25 12:47:18 +10:00
OJ
f76b51e265 Use RtlGetVersion to detect version
This means we can actually correctly detect the version of Windows in
use past 8.1 (ie including 10 and later).
2015-09-24 15:42:37 +10:00
Brent Cook
636d143447 @NickSampanis's getsystem cleanup
from https://github.com/rapid7/meterpreter/pull/183
2015-09-23 21:33:10 -05:00
Brent Cook
600ed34f1e merge and cleanup @stufus's pageantjacker extension into extapi
see https://github.com/rapid7/meterpreter/pull/164 for details
2015-09-20 20:18:02 -05:00
Brent Cook
73e57f258a add initial Windows 10 matching to sysinfo output 2015-08-24 15:50:28 -05:00
Brent Cook
8732204833
Land #7, fix posix transport switching/deleting 2015-07-12 00:29:06 -05:00
OJ
a0c7262624 Remove invalid SAFE_FREE call 2015-07-12 13:21:20 +10:00
Brent Cook
8de19e788a We don't have to log an error if it's expected.
There is a close log message right below anyway.
2015-07-10 07:11:53 -05:00
Brent Cook
28425e7a99 On socket flush, stop reading on error
We are currently inconsistently handling errors in recv() when flushing data from a TCP socket. In one case, we handle the graceful close, but not the error case. In the other, we handle exactly the opposite.

Both of these loops may spin indefinitely depending on the recv value from the remote server. In one, if the TCP connection is abruptly closed in stageless meterpreter or on a transport switch, the flush function may loop. In the other, if the remote server does a socket shutdown, but not a close, we will also loop.
2015-07-10 07:04:57 -05:00
OJ
d16e5276c5 Use temp storage for URL parsing
This removes the issue where URLs were truncated during parsing,
resulting in them not working later on when transports are changed.
2015-07-10 14:57:23 +10:00
Brent Cook
819f6a3455
Land #5, add WinInet fallback when WinHTTP cannot work against certain proxies 2015-07-09 23:00:16 -05:00
OJ
863138d803 Avoid fallback when SSL cert verification is on
This is to avoid unintended MITM when Meterpreter is configured in
paranoid mode.
2015-07-04 14:45:49 +10:00
OJ
18a814d3a0 Refactor wininet/winhttp code to reduce code duplication 2015-07-03 20:46:18 +10:00
OJ
09c4d8b137 Initial WinINET fallback implementation 2015-07-03 18:55:14 +10:00
Brent Cook
3a0427bcbc cleanup record_mic handler, use the right heap for freeing
When reallocating the record buffer, we need to pass the correct heap pointer
or this will crash.

This also simplifies error handling and switches audio.h to use Windows EOL
characters.
2015-06-30 21:36:36 -05:00
Brent Cook
91f10aa760 Land #175, fix clipboard file size confusion 2015-06-28 12:21:16 -05:00
OJ
c8de66fd31 Remove extra htonq call 2015-06-27 21:44:41 +10:00
OJ
86eb62832d Fix silly mistake with type casts 2015-06-27 21:37:05 +10:00
OJ
c2f141679e Fix up URI switching for stageless
This prevents horrible crashes when migrating from a stageless HTTP/S session.
2015-06-27 21:19:04 +10:00
Brent Cook
701d30197e Land #154, NTDS parsing support 2015-06-22 09:07:02 -05:00
Brent Cook
ba86e968d7 fix broken partial-batch / eof handling 2015-06-22 03:58:24 -05:00
Brent Cook
9ff7339644 move ntds parser from priv to extapi 2015-06-22 03:58:24 -05:00
Brent Cook
eb7c696f00 Land #170, support deleting transports 2015-06-19 15:46:10 -05:00
OJ
2e78a4379a Add POSIX support for transport remove 2015-06-16 12:24:00 +10:00
OJ
149e4c2a7e Implement transport removal 2015-06-16 11:37:09 +10:00
Brent Cook
bfe1060b40 Merge branch 'master' into land-154-ntds 2015-06-04 13:47:44 -05:00
Brent Cook
905f25a03b compile error 2015-06-04 13:16:05 -05:00
Brent Cook
25731fee03 free utf8 conversion strings and avoid non-null terminated values 2015-06-04 09:00:24 -05:00
Brent Cook
c47c973b83 logon names can actually be up to 104 characters
practical limit is 64, this gives us margin
2015-06-04 08:53:09 -05:00
Brent Cook
773008d921 whitespace tweaks 2015-06-04 08:50:24 -05:00
OJ
ef14f0e7ab Update to simpler, less hacky implementation 2015-06-03 16:27:31 +10:00
OJ
d89cd69bc5 Implement a sleep in windows that lasts longer 2015-06-03 14:06:17 +10:00
David Maloney
2b07377328 fix copy error
use strncpy not memcpy to transfer the re-encoded
name and description into our account object.
also use sizeof for precise copy size. eliminates lingering
errors

MSP-12356
2015-06-02 12:44:49 -05:00
David Maloney
84cea10260 use all unicode for ntds account struct
force convert account name and description
to unicode for transport over the wire

MSP-12356
2015-06-02 12:35:30 -05:00
OJ
ddd82d20fc Fix check for auto detect proxy settings
This setting doesn't appear to have any bearing at all on the way the proxy stuff is managed, as a result looking for this flag doesn't make sense. Instead, we just look for presence of the URLs to use, and if found, that's what we use.

This also uses the WinHttpSetOption function for setting credentials which allows for independenc use of user and password.
2015-05-25 16:35:31 +10:00
David Maloney
37e7ab2fc9 just a little more cleanup
this should hpefully address the last of Juan's code review
feedback appropriately.

MSP-12356
2015-05-18 11:21:10 -05:00
David Maloney
a3b4b53029 size and signedness issue fixes
fixes several size and signedness issues caught
during code review

MSP-12356
2015-05-18 11:08:58 -05:00
David Maloney
7c0c78d766 more missing garbage collection
pek structures also were not being garbage collected properly

MSP-12356
2015-05-18 10:46:43 -05:00
David Maloney
6c15c0c0a0 better garbage collection on initial setup
the ntds_parse method that gets everything started
was missing garbage collection for accountColumns.

MSP-12356
2015-05-18 10:43:27 -05:00
Brent Cook
bb00b00b2c do not log UUID as a string 2015-05-17 09:25:33 -05:00
OJ
5f7c2e7207 Fix handling of UUIDs in Meterpreter
The original implementation assumed that the UUIDs were coming through a strings, but this was changed at some point to use the 16-byte UUID format straight out of MSF.

This was causing issues when UUIDs had null bytes in them because the UUID was being truncated and the result was that UUIDs that were being parsed in MSF were too small, resulting in exceptions.
2015-05-17 17:43:59 +10:00
Brent Cook
68a24e3a47 Land #159, user proxy settings support with winhttp 2015-05-15 16:41:22 -05:00
Brent Cook
602e18591c fixup build for posix, fix memory leak in utf conversion 2015-05-15 16:01:59 -05:00
David Maloney
e8449a1698 Merge branch 'master' into feature/MSP-12715/sysinfo-upgrade 2015-05-15 15:14:23 -05:00
David Maloney
30a1ecbbcb add domain and loggedonusers to sysinfo
added the domain name and logged on user counts
to the sysinfo command

MSP-12715
2015-05-15 15:10:35 -05:00
Brent Cook
ed1bccd0fc Land #160, fix the bare example extension 2015-05-15 15:04:14 -05:00
OJ
7ff8263ce0 Actually set the result to success 2015-05-15 15:03:47 -05:00
OJ
f6c1485ebe Add support for the sleep command 2015-05-15 15:03:47 -05:00
Meatballs
fded7311c4 Fixup bare met_svc var name 2015-05-15 20:43:47 +01:00
Brent Cook
f390649c46 Merge branch 'master' into land-157- 2015-05-14 11:30:56 -05:00
Brent Cook
d9ce138eed remove hash sizeof workaround 2015-05-14 11:29:44 -05:00
David Maloney
1bfd8526b6 Merge branch 'master' into feature/MSP-12356/ntds-parser 2015-05-14 10:55:55 -05:00
David Maloney
7e0c23e228 fixed missing type cast
needed explicit typecast for x64

MSP-12356
2015-05-13 14:54:32 -05:00
OJ
a7c2b4fcdd Utilise IE configuration for proxies where possible 2015-05-13 15:46:33 +10:00
Brent Cook
e158093b38 Land #156, final tweaks for multi-transport support 2015-05-12 22:35:59 -05:00
Brent Cook
595d975337 quit concatenating serials after the first one 2015-05-12 21:31:36 -05:00
Brent Cook
716330ee7c make machine_id on POSIX more resilient
Only compute the value once, this prevents changing if drive topology changes.
Consider ata and md drive prefixes.
Always set a MACHINE_ID value, upstream expects it in the reply.
2015-05-12 21:25:39 -05:00
OJ
6ee3b53786 Tweak transport change
Cosmetic stuff really.
2015-05-13 09:15:03 +10:00
OJ
98822709b5 Slight tweaks to proxy config function 2015-05-11 17:22:37 +10:00
Tim
caf6c0c6c8 add TLV_TYPE_FILE_HASH 2015-05-10 14:57:03 +01:00
OJ
44f581c0e7 Merge branch 'multi-transport-support' of github.com:OJ/meterpreter into multi-transport-support 2015-05-08 14:33:35 +10:00
OJ
70397a5c42 Only write socket when SSL comms in place 2015-05-08 14:32:12 +10:00
David Maloney
f3d0a7bdde enable compression on our channel
since we will be sending lots of null bytes,
we want to make sure we make good use of compression
still doesn't solve our crash problems though

MSP-12356
2015-05-07 14:26:54 -05:00
David Maloney
f288256e19 remove all unneccsary callback stubs
channels seem to work fine without stubbed callbacks
removed all of these to eliminate them as a source
of this madness. evrything still works exactly as it did
before, which to say badly.

MSP-12356
2015-05-07 13:47:58 -05:00
David Maloney
7595156c90 make jet instance name unique
use date and time to make sure the Jet
Instance name is unique. Hasn't actually
solved our issue, but that name is supposed
to be unique anyways.

MSP-12356
2015-05-07 12:39:46 -05:00
David Maloney
2fa794f1c9 more cleanup/split up
split the date stuff up into their own subfunction tooo

MSP-12356
2015-05-06 14:00:15 -05:00
David Maloney
1daa927175 split off hash reading functions
moved the reading o the nt and lm hash records
into seperate sub functions. more cleanup/readability work

MSP-12356
2015-05-06 13:30:44 -05:00
David Maloney
bc5b6a1554 split off hash history reading
moved the hash history read into a seperate sub function
to make it easier to read

MSP-12356
2015-05-06 13:20:21 -05:00
David Maloney
879d062aa0 un typedef structs
bcook says to not typedef structs and just use them as
raw structs, so i have made that conversion here

MSP-12356
2015-05-06 11:24:06 -05:00
David Maloney
dff1a12c38 some more code cleanup
just some various bits and bobs here to make
the code a little cleaner and easier to read

MSP-12356
2015-05-06 10:42:03 -05:00
David Maloney
a8b4010ed0 cleanup #get_column_info a bit
bcook showed me how to do this the way i originally
wanted to but didn't know how. This is much cleaner to read

MSP-12356
2015-05-06 10:31:18 -05:00
David Maloney
df1181fe32 cleanup flag conversion
use simpler conversion of bit flags to
quasi-boolean values. just a little space saved and easier to read hopefully

MSP-12356
2015-05-06 09:54:36 -05:00
David Maloney
39d1860f7d switch from malloc to calloc
calloc does our memory init for us
so all the malloc/memset usage was totally
redudnant

MSP-12356
2015-05-06 09:45:31 -05:00
David Maloney
9d1af4c696 add doxygen to new code
added doygen style comments to the new NTDS
functions and typedefs as requested by OJ.

MSP-12356
2015-05-05 13:32:32 -05:00
OJ
ff3121b6f7 Merge branch 'upstream/master' into multi-transport-support
Conflicts:
	source/server/server_setup_posix.c
2015-05-05 20:55:26 +10:00
OJ
76b61f22d6 Update POSIX for configuration support 2015-05-05 08:58:21 +10:00
OJ
952bcd7f32 Add transport listing 2015-05-05 08:58:21 +10:00
Brent Cook
bfccf50c6b disable debug by default 2015-05-05 08:58:21 +10:00
Brent Cook
4e2f6932db remove duplicate check in SAFE_FREE 2015-05-05 08:58:21 +10:00
Brent Cook
c7617615e4 Land #155, remove file and console output from kiwi 2015-05-04 15:10:16 -05:00
David Maloney
e0665a2ba5 add some additional function comments
add some basic function documentation in
the form of comments. not eprfect, but a start
on propper documentation

MSP-12356
2015-05-04 11:14:42 -05:00
David Maloney
dee9a5efab some more code smell cleanup
bad memory cleanup issues around CAPI
and another constant for the length of a hash string

MSP-12356
2015-05-04 10:47:49 -05:00
David Maloney
8e93c26ce8 add constants for HASH Length
added constants for byte length of a hash
as well as athe null terminated length

MSP-12356
2015-05-04 10:41:48 -05:00
OJ
b5f5d0ae17 Remove console and file output from kiwi
This PR removes both log file and console output from kiwi. This is done so that those people who are unfortunate enough to migrate to a console app before running kiwi don't end up rendering all of the console output to a window that the user can see.
2015-05-04 09:14:37 +10:00
David Maloney
651e7a5135 Revert "Revert "Merge branch 'master' into feature/MSP-12356/ntds-parser""
This reverts commit 5a7d2ae84f830242486301cad0b26168f3ec973b.
2015-05-01 10:32:15 -05:00
David Maloney
a208343153 and again
another missing free

MSP-12356
2015-04-30 16:01:22 -05:00
David Maloney
c9cf6be97a more memory cleanup
more missing free calls

MSP-12356
2015-04-30 15:43:58 -05:00
David Maloney
e2f4438dc4 do account reads in batches
a channel read on the ntds channel will now read
up to 20 accounts at a time. when we run out of accounts
we set the EOF flag to let the other side know
we are done

MSP-12356
2015-04-30 14:05:10 -05:00
David Maloney
8ff6ebab85 add channel close
the channel close will now initiate the jet engine
shutdown, and free the context

MSP-12356
2015-04-30 13:23:39 -05:00
David Maloney
5c1c9c317d free the useraccount each time too
make sure we are doing good memory cleanup

MSP-12356
2015-04-30 13:18:55 -05:00
David Maloney
3ebf0513b0 properly cleanup memory around hash history
we were not freeing the buffers we created
as palceholders for decrypting hash history.
this would cause crashes when we wold start dealing
with multiple accounts in a row with a hash history.
freeing the buffers seems to fix the problem

MSP-12356
2015-04-30 13:15:17 -05:00
OJ
1c9c199e74 Fix up issues with transport hopping
Transport hopping checks for prev/next weren't right. Also, moving from TCP comms was resulting failure due to the fact that it's close to impossible to get Windows to flush the buffer to MSF prior to terminating the socket without doing all kinds of horrible stuff to the socket options (which would ultimately bloat the stagers).

Instead we rely on MSf to clean things up.
2015-04-30 22:39:24 +10:00
David Maloney
1612fce10c Revert "Merge branch 'master' into feature/MSP-12356/ntds-parser"
This reverts commit 336fb48756942c73846f191135751e5d4e9b552d, reversing
changes made to be7e34858b88bbc816f208d16259b058c5819ad8.
2015-04-29 15:08:17 -05:00
David Maloney
6dc046eeea Merge branch 'master' into feature/MSP-12356/ntds-parser 2015-04-28 08:23:17 -05:00
OJ
a046d80877 More transport features, UUID fetcher
Users can now add transports without switching to them straight away. They can then move forward and backwards using the next and prev commands in MSF. There's also the get UUID facility too.
2015-04-28 20:20:40 +10:00
OJ
b36c6d96b7 Generate config on the fly for the sake of migration
Migration now works again, and supports all the transports while migrating as well. At the moment we don't have the ability to take extensions across as well, though that might come when we have fixed up the issues with stageless meterpreter.
2015-04-28 17:43:22 +10:00
OJ
479b501fec Remove commented out stuff from header files 2015-04-28 14:03:24 +10:00
OJ
26b82dfb83 Remove guesswork and SOCKADDR persistence from remote
Instead, we'll rely on the configuration block for the transport.
2015-04-28 13:50:13 +10:00
OJ
c33e486ccc Prevent transport deletion on failure 2015-04-28 12:50:03 +10:00
OJ
04429dc6de Remove crud code 2015-04-28 12:35:09 +10:00
OJ
081d89f23e Re-add the session exiry to transport switching 2015-04-28 12:30:13 +10:00
OJ
b8f3eafb6e Fix transport switching
Creation of transports for switching is done a little differently now. But the transports do cycle correctly now when things fail, each with their respective retry times.
2015-04-28 11:23:37 +10:00
Brent Cook
c268efc325 disable debug by default 2015-04-27 12:12:24 -05:00
Brent Cook
644bef77f6 remove duplicate check in SAFE_FREE 2015-04-27 11:43:35 -05:00
OJ
87a2bf6189 Fix small issues, code tidy 2015-04-25 20:38:17 +10:00
OJ
9d8489a972 First pass of configuration changes for multi transport
This relies on some work done to the RDI repository, need to get
that landed before I can get this going.
2015-04-25 11:11:29 +10:00
David Maloney
6914b3947a move on to the next user each time 2015-04-24 13:33:37 -05:00
David Maloney
3bfeec2a7a w00t pulled an account down
successfully pulled an account down over the chanel

MSP-12356
2015-04-24 13:04:36 -05:00
David Maloney
52571872c4 move to the first user record
move through the datatable until we find
the first sam user object.

MSP-12356
2015-04-23 16:51:07 -05:00
David Maloney
9d5c3c1610 pass CRYPT_VERIFYCONTEXT flag
not passing this flag was causing an error attempting
to open the keyset. by setting this we are telling the
CAPI that we only care about ephemeral keys, and so we don't
run into the container issues.

MSP-12356
2015-04-23 15:27:00 -05:00
David Maloney
ac0978abcd attaching database correctly
we have the database attaching properly
seems to be an error decrypting the PEK though

MSP-12356
2015-04-23 14:43:28 -05:00
David Maloney
54b91aab08 clean build
the project now builds cleanly. the code isn't fully itnegrated
but it's in there and it builds which means it's nearly
perfect =P

MSP-12356
2015-04-23 11:53:33 -05:00
David Maloney
2769d986fe migrate all the poc code in
all of the poc libs are migrated in,
compiler warnings are blocking compile at this moment
2015-04-23 10:39:25 -05:00
OJ
1b600dbfbe Couple of small tweaks to make posix happy again 2015-04-23 20:00:57 +10:00
OJ
fe566d5f07 Moved transport stuff from core to metsrv
Lots of transported related things were in the core library which didn't make any sense given that the only thing that needed it was metsrv. This moves the functionality out into metsrv, reformats stuff and gets rid of some dead code.

TODO: Make this work with POSIX.
2015-04-23 19:41:25 +10:00
David Maloney
85987b9cbe start migrating ntds code in
moving the code chunks from the poc into
the actual meterp project
2015-04-22 16:03:30 -05:00
David Maloney
1d1ebe0592 Merge branch 'master' into feature/MSP-12356/ntds-parser 2015-04-21 09:46:34 -05:00
David Maloney
b6d8909227 testing channel creation
just a simple test to make sure i
understand streampool channel creation
2015-04-21 09:45:30 -05:00
OJ
969b8fb4af Update of code from Windows 2015-04-21 20:11:53 +10:00
OJ
5f0422943f Merge branch 'connection-recovery' of github.com:OJ/meterpreter into connection-recovery 2015-04-21 20:02:54 +10:00
OJ
4ca9daa254 Merge branch 'upstream/master' into connection-recovery 2015-04-21 19:59:16 +10:00
OJ
60c4749a91 Land #150 : WinHttp send/receive code dedupe 2015-04-21 19:57:50 +10:00
Brent Cook
9269a14e6a Merge common WinHttp init code between send and receive functions.
So we don't have any missing initialization between send and receive, this
factors out the common bits.
2015-04-20 16:30:26 -05:00
OJ
9bc8eac20c More posix work for connection resiliency 2015-04-18 19:22:53 +10:00
OJ
1d6e87180a Fix posix extension tracking and transport sleeps
This changeset fixes an issue with POSIX failing to keep track of loaded
extensions properly. The timeout calcs for waiting were trying to be too
smart and hence were simplified.

Also added another flush when reconnecting so that the body of the
second instance of metsrv is ignored by the POSIX side. In future, when
stageless meterpreter works with POSIX, we won't have to do this.
2015-04-17 21:22:16 +10:00
OJ
83f82f3129 Adjust http func pointer type, adjust poll timeout 2015-04-17 19:58:24 +10:00
OJ
fa0d3fc95c Porting of connection reslience work to POSIX 2015-04-17 18:08:26 +10:00
OJ
4807375480 More work moving towards POSIX 2015-04-17 16:41:47 +10:00
OJ
f83dfb46f4 Merge branch 'upstream/master' into connection-recovery
Conflicts:
	source/common/arch/win/i386/base_dispatch.c
	source/server/server_setup_win.c
2015-04-17 14:41:27 +10:00
OJ
60b5eff975 Land #149 : relax the select timeout interval 2015-04-17 11:26:25 +10:00
Brent Cook
78860c8d30 Land #148, support URI patching 2015-04-16 18:03:30 -05:00
Brent Cook
416939af00 relax the select timeout interval on the server socket
Currently, the select timeout on the server socket is 100 ns, meaning that
while idle, the process can wake up 100k times per second. This switches the
timeout to 0.5 second, reducing the idle CPU usage and seemingly increasing
the reliability of posix meterpreter as well.

Tested with various test post test modules without failures.
2015-04-15 16:14:21 -05:00
OJ
4ff18b8bab Add support for URI patching
This commit includes code which will allow for HTTP/S payload URIs to be hot-patched by the server without losing the UUID information. This was put in so that the stageless payloads can be used over and over again and not have issues with session URIs colliding.
2015-04-14 15:26:45 +10:00
OJ
22b207a7a4 More tidying/refactoring, gearing up for POSIX 2015-04-14 13:06:27 +10:00
OJ
e8d136c35a Constants are better than magic numbers 2015-04-14 08:56:44 +10:00
OJ
dbf33e2fb9 Remove second instance of the SSL check string
The mechanism used for validation of the SSL cert string was the same as for many of the other global replacement options. However, the string value that was used for checking was also the same. The result was that the patch mechanism wasn't patching the right instance of the string.

DERP!

Why this hit stageless only I'm really not sure.
2015-04-14 07:53:31 +10:00
OJ
edfea3624b Add support for sets
Removed the get call, as the set can do the same thing.
2015-04-13 10:42:37 +10:00
OJ
93b48b9bdf Add support for getting timeouts for comms 2015-04-13 10:07:15 +10:00
OJ
5c1f39623e Rejigging of timeouts for session resliency 2015-04-09 17:59:06 +10:00
OJ
8a65f4770a Fix small issue with incorrect URL 2015-04-08 15:44:05 +10:00
OJ
e5a3c8748c More refactoring and code tidying 2015-04-08 14:42:26 +10:00
OJ
b3b9726b4b Refactored TCP/HTTP transport functions
Updated the code so that the TCP stuff is moved into its own file and doesn't pollute the main server file with stuff that is specific to TCP transports.

Updated the winhttp functionality in the same way so that functionality is properly segregated.

Modified the global parameters so that they're part of a structure that can be passed around.

Added a stack of documnetation as well.
2015-04-08 12:48:07 +10:00
OJ
6de5738e21 Merge branch 'upstream/master' into cert-hash-switching
Conflicts:
	source/server/server_setup_win.c - line endings
2015-04-08 08:10:10 +10:00
OJ
ba70b2b222 Begin work on connection recovery when things go wrong 2015-04-07 22:14:27 +10:00
OJ
553f369492 Land #145 : Add unicode support in fs search 2015-04-07 11:39:13 +10:00
OJ
602715aaf8 Use group packets and add curlieeees
This commit just adds the braces around single-line blocks as per our "standard". This is important, especially in the case where those single lines contain macros which could expand to multiple lines.

Also added the use of the group packet functionality to make the search result code a little easier on the eye.
2015-04-07 10:02:41 +10:00
Brent Cook
21b4064a3d normalize slashes, remove debug output 2015-04-06 07:47:27 -05:00
OJ
bea5c1a4ff Merge branch 'upstream/master' into bind-ipv6-and-ipv4 2015-04-06 15:18:27 +10:00
OJ
5def755239 Implement support for ssl cert verify toggling
Querying of the status of SSL cert verification is now possible. This commit allows for this to be enabled and disabled on the fly.

Also include some code tidy/refactoring.
2015-04-06 14:48:59 +10:00
Brent Cook
cc2dbb2045 use size_t for wcslen results 2015-04-05 20:45:52 -05:00
Brent Cook
b1dadbb98e make search_all_drives a separate function 2015-04-05 18:41:02 -05:00
Brent Cook
5c16ddf270 avoid infinite recursion when encountering a bad symlink
reduce stack usage per level
2015-04-05 18:41:01 -05:00
Brent Cook
e1148a0bca first working unicode search
refactor a few giant functions into smaller ones
2015-04-05 18:41:01 -05:00
Brent Cook
61b19560d7 cleanups, use utf8_to_wchar 2015-04-05 18:41:01 -05:00
Brent Cook
517dcfea05 convert wds queries to use unicode 2015-04-05 18:41:01 -05:00
Brent Cook
7e017d4771 move unicode helper functions to a common place 2015-04-05 18:36:36 -05:00
Brent Cook
69d6b48e67 normalize and tidy the code a bit 2015-04-05 18:36:36 -05:00
OJ
8a41324dd1 Fix stupid mistake with the use of wchar_t in posix 2015-04-03 07:57:16 +10:00
OJ
5ba41da726 Fix compiler error with incorrect var name 2015-04-02 23:13:08 +10:00
OJ
eb1ebbefc2 Tweaks and update of POSIX 2015-04-02 23:12:22 +10:00
OJ
8b637d7248 Refactored windows transport hopping
Instead of basing everything on URLs, the transport hopping now actually supports the creation of a whole new transport on the fly. The transport instance is stored in the remote as a "next transport" pointer.

This better facilitates the notion of being able to set all of the parameters on the transport when doing the switch, and is a step closer to being able to support chains of transports.
2015-04-02 22:51:12 +10:00
OJ
23117bb73c Merge branch 'upstream/master' into transport-refactor 2015-04-02 15:24:57 +10:00
Brent Cook
ff123debc5 Land #143: OJ's stageless winhttp proxy support fixes 2015-04-01 22:25:46 -05:00
OJ
0bdf322889 Bind to IPv4 and IPv6 on the bind transport
This commit includes code which attempts to bind to both IPv4 and IPv6 addresses so that the attacker can connect on either interface.

In the case of Windows XP, the IPv6 stack doesn't allow modification of the socket options so that both address types can be listened to on the same socket. Rather than create separate sockets for both cases, XP and earlier simply fall back to IPv4 only.
2015-04-01 21:49:07 -05:00
OJ
934525d2e7 Remove traces of wininet from the source
WinInet won't work any more thanks to use making modifications on the MSF that will cause it to break. We're basically all-in for WinHTTP now.
2015-04-02 12:36:17 +10:00
OJ
a8f4ea5e3d Remove unused reference code and shady ifdef 2015-04-02 08:59:26 +10:00
OJ
420fb927d7 Undo keyboard failure 2015-04-02 08:51:39 +10:00
OJ
e03b381869 Rejig code for the machine ID extraction 2015-04-01 16:23:57 +10:00
OJ
ebf116d4f5 Added POSIX machine ID support 2015-04-01 16:15:51 +10:00
OJ
e28718d1b6 Remvoe const from SSL method 2015-04-01 15:11:20 +10:00
OJ
47cb3cddb2 Merge branch 'transport-refactor' of github.com:OJ/meterpreter into transport-refactor 2015-04-01 14:31:01 +10:00
OJ
94897b7331 Add machine ID support to the Win32 side 2015-04-01 14:29:44 +10:00
OJ
3c32f762a7 More transport refactor work for POSIX
The transport refactor appears to be working, but the transport swtching
requires more work on the side of stageless posix before it will work.
At the moment, the POSIX implementation of the transport switching is
commented out so that it can't be used or built into the binaries.

This should mean we can move forward on other friends without this
holding us back.
2015-04-01 12:10:49 +10:00
OJ
cfa12053bd Fix up WinHTTP proxy implementation 2015-04-01 11:43:53 +10:00
OJ
e2338709aa POSIX transport refactoring
Still more to do here to support transport switching, but progress being
made.
2015-03-30 22:54:52 +10:00
OJ
4758a31f5b Source rejig, refactor POSIX to support changes 2015-03-30 20:14:16 +10:00
OJ
6ba59b87b3 Merge 'upstream/master' 2015-03-30 19:29:21 +10:00
OJ
afcef4f312 Bind to IPv4 and IPv6 on the bind transport
This commit includes code which attempts to bind to both IPv4 and IPv6 addresses so that the attacker can connect on either interface.

In the case of Windows XP, the IPv6 stack doesn't allow modification of the socket options so that both address types can be listened to on the same socket. Rather than create separate sockets for both cases, XP and earlier simply fall back to IPv4 only.
2015-03-30 18:47:56 +10:00
Brent Cook
5132b8d176 disable linker debug 2015-03-26 11:04:03 -05:00
Brent Cook
9a71a575b7 use OpenSSL with Windows builds for now
LibreSSL does not yet work well with Windows meterpreter for 2 reasons:
  1. because its built with mingw/gcc, it does not have SAFESEH, requiring that
	 protection to be disabled for the whole stack. It could, it just needs a
	 way to be built with MSVS instead.
  2. OpenSSL 1.0.1 and Libressl both make metsrv about 50% larger.

When transports are more abstracted and LibreSSL can build with MSVS, we will
revisit this.
2015-03-25 09:12:11 -05:00
OJ
a2f74d99d6 Transport switch v0.0.1-preAlpha
Switching works, but doesn't do anything nice with session management. Still need to get things wired into posix, and probably rip out the wininet stuff as well given that I probably won't refactor it to support this.
2015-03-25 12:59:50 +10:00
Brent Cook
26effa7328 fix include path 2015-03-24 10:29:50 -05:00
Brent Cook
6cb8061e8e Fix build issues using OpenSSL APIs >= 1.0
There are duplicate defines between the Windows crypto API and OpenSSL.
2015-03-24 10:29:50 -05:00
Brent Cook
f45756e37b update SSL libs to libressl 2.1.4 2015-03-24 10:28:58 -05:00
Brent Cook
b30d2df4ad update and integrate libpcap for POSIX meterpreter
I am working on automating POSIX meterpreter builds, and one step is
removing the requirement to download files from external sites during
the build process. So, this incorporates the latest stable libpcap
source and updates the patches as needed.

The Makefile also moves (@wvu-r7 was amused that Makefile.pcap wasn't
actually a pcap file :) and simplifies a little build foo.

I updated and got the 64-bit kernel + 32-bit userspace TPACKET v1 patch
merged upstream, but its not in a release yet, so the patch is still
needed. See https://github.com/the-tcpdump-group/libpcap/pull/421
2015-03-24 10:28:58 -05:00
OJ
5cf9ae53ea Update from winhttp branch after proxy fixes 2015-03-23 12:47:03 +10:00
OJ
97398e0c07 Adjust length to include NULL terminator 2015-03-23 12:43:10 +10:00