Windows Meterpreter that uses http/s-based transports wasn't correctly checking for cases where pivoted packets were handled. When pivoted packets are forwarded to the correct handler, the packet is set to NULL. For TCP transports, a check already existed to carry on when the packet was NULL, but this wasn't the case for HTTP/S.
This commit fixes this problem and so the pivot session no longer dies when Meterpreter is using an HTTP/S transport.
For funzies, the fix for this was implemented on a live stream to help other people learn some of Meterp's internals. That video can be found here: https://www.youtube.com/watch?v=de-UYWnafow
This commit adds two new scripts and modifies some of the powershell transport binding functionality.
Code has been added that generates valid Metasploit URIs for use with stageless listeners. This means that it's possible to add HTTP/S transports on the fly and have a URL generated that will work with the current architecture of the process.
Two new scripts will appear in each of the powershell sessions:
* Add-WebTransport - adds http/s transports to the session.
* Add-TcpTransport - adds TCP transports to the session.
These two scripts are just abstractions on top of the built-in Meterpreter transport binding functionality, but it makes it a lot easier to interact with the feature and makes it more.. er.. Powershelly.
The functions come with documnetation, so `Get-Help Add-WebTransport -Full` will show how it's used.
From here, people can do some more fun stuff, such as adding init scripts to their stageless payloads that add support for more transports.
I stuffed up when dealing with values that are being passed back and forth across components when in x86 processes. I was passing 64 bit ints around even in 32 bit mode, which resulted in some natstiness. This commit fixes that problem by forcing everything to be 64 bit regardless of arch, and casting to the appropriate pointer at the right time.
The previous commit hard coded the LM hash to the empty value. This commit changes this so that if the LM hash isn't present it'll manually specify the empty one, but use the existing one if it is present.
This commit changes the channel functionality within the powershell extension so that commands do execute behind the scenes and stream the results to the UI in the current channel.
This comes with the caveat that users are patient. I haven't yet made sure that running separate commands while long running ones are running will not cause problems. We'll have to see.
DCSync functionality is exposed, and from this it is possible to enumerate all users in the domain and dump each user's hash one by one. This code has a few extension functions built into the runner, and also has some baked-in powershell functions that are available in every powershell runner session in the host.
I've also added a powershell version of the build command that lets us generate the source to the powershell assembly wiring from PSH as well as Python.
This was left over code from me trying to do some fixes to getprivs
which didn't make sense in the middle of the packet pivot work. This was
left over by me as a result of my half-baked revert. This caused issues
with both the `getprivs` and `getsystem` command. I'm pretty sure that
as a result of breaking the latter, I will never live down the "make
getsystem great again" meme.
This commit fixes an issue where the transports were calculating an
incorrect size for the packet that was being received. This wasn't
noticable until packet pivot work started, and for some reason wasn't
causing breakages during local testing. Either way, it's fixed now!
This updates the packet header so that the encryption byte flag is now
32 bits. This also updates the powershell and python extensions so that
both of the bindings work correctly as a result of the TLV packet header
changes.
Make the XOR key an array of bytes as a start to normalise the way the
XOR happens across the board. Given that we're going to be adding
encryption to the packet level and adding more stuff to the packet
header, now is the time to fix this up once and for all.
Crypto context stuff appears to have only ever been supported in
Meterpreter on Windows. The only thing it allowed for is XOR, which is
redundant given that we have packet level XOR in place. Also, it would
appear that MSF didn't have support for it anyway!
With the move torwards packet-level encryption, this is unnecessary so
it needs to go bye bye.
The last issue we had in removing the OpenSSL library from Windows
meterp is making it so that reconnects would behave. With a staged
listener, the first thing that gets sent down the wire is metsrv.dll. As
a result, when a fully staged connect comes in (whether it be from
a stageless payload, from a transport switch or from a sleeping session
waking up), Meterpreter needs to handle the case that the data coming
down the wire is no actually a TLV packet, and hence ignore it.
This "hack" abuses the properties of the XOR key for the packet,
relying on the fact that the XOR key will never contain NULl bytes and
that the first 4 bytes from a staged listener starts with the length of
the metsrv DLL, which is small enough to result in a NULL byte in the
MSB position.
If we see a NULL byte in that position, we assume it's the metsrv header
coming in, and we just ignore it and move on. If the XOR key looks
legit, we assume it's a valid TLV packet.
Dirty, but it's quick and it works!
This commit fixes the case where we incorrectly assume that the URIs
used in the transport don't make use of the LURI setting in MSF.
The bug was that the code iterated through the URI string in reverse,
looking for a slash and then using that as the point to patch the new
URI over the existing. This meant that with the LURI parameter used, the
actual LURI field was missed, and the patch would result in the LURI
value appearing again.
The fix put in iterates from the start of the string and looks for the
third instance of the slash. This means that the LURI field is patched
as well as the UUID section.
Fixes#197
As part of b50955a924 important code that
sent UUIDs along with each request was accidentally removed. This PR
re-includes it so that the UUIDs are in fact sent when they should be
sent.
This fixes issues where UUID commands don't work, and fixes migration in
a bunch of scenarios.
