The debug builds of Meterpreter compiled fine, but the resulting binaries were never functional. No debugging is really ever done with the debug builds anyway, so instead of carry them forward, this commit removes both `debug` and `r7_debug` from the source.
This allows the client side to determine whether to fall back and gives
the user a better chance of seeing that it isn't listening where they
told it to.
This commit will result in SSL cert failures causing failovers to other
transports, even to itself, instead of shutting the session down. This
will result in repeated calls back to the endpoint, every "retry wait"
seconds, and will continue to do so until the session expires, or the
SSL verification works.
Be warned, this can be noisy in your console if you haven't configured
things properly. The result is a lot of callbacks over the life of the
session.
We are currently inconsistently handling errors in recv() when flushing data from a TCP socket. In one case, we handle the graceful close, but not the error case. In the other, we handle exactly the opposite.
Both of these loops may spin indefinitely depending on the recv value from the remote server. In one, if the TCP connection is abruptly closed in stageless meterpreter or on a transport switch, the flush function may loop. In the other, if the remote server does a socket shutdown, but not a close, we will also loop.
When reallocating the record buffer, we need to pass the correct heap pointer
or this will crash.
This also simplifies error handling and switches audio.h to use Windows EOL
characters.
use strncpy not memcpy to transfer the re-encoded
name and description into our account object.
also use sizeof for precise copy size. eliminates lingering
errors
MSP-12356
This setting doesn't appear to have any bearing at all on the way the proxy stuff is managed, as a result looking for this flag doesn't make sense. Instead, we just look for presence of the URLs to use, and if found, that's what we use.
This also uses the WinHttpSetOption function for setting credentials which allows for independenc use of user and password.
The original implementation assumed that the UUIDs were coming through a strings, but this was changed at some point to use the 16-byte UUID format straight out of MSF.
This was causing issues when UUIDs had null bytes in them because the UUID was being truncated and the result was that UUIDs that were being parsed in MSF were too small, resulting in exceptions.
Only compute the value once, this prevents changing if drive topology changes.
Consider ata and md drive prefixes.
Always set a MACHINE_ID value, upstream expects it in the reply.
since we will be sending lots of null bytes,
we want to make sure we make good use of compression
still doesn't solve our crash problems though
MSP-12356
channels seem to work fine without stubbed callbacks
removed all of these to eliminate them as a source
of this madness. evrything still works exactly as it did
before, which to say badly.
MSP-12356
use date and time to make sure the Jet
Instance name is unique. Hasn't actually
solved our issue, but that name is supposed
to be unique anyways.
MSP-12356
This PR removes both log file and console output from kiwi. This is done so that those people who are unfortunate enough to migrate to a console app before running kiwi don't end up rendering all of the console output to a window that the user can see.
a channel read on the ntds channel will now read
up to 20 accounts at a time. when we run out of accounts
we set the EOF flag to let the other side know
we are done
MSP-12356
we were not freeing the buffers we created
as palceholders for decrypting hash history.
this would cause crashes when we wold start dealing
with multiple accounts in a row with a hash history.
freeing the buffers seems to fix the problem
MSP-12356
Transport hopping checks for prev/next weren't right. Also, moving from TCP comms was resulting failure due to the fact that it's close to impossible to get Windows to flush the buffer to MSF prior to terminating the socket without doing all kinds of horrible stuff to the socket options (which would ultimately bloat the stagers).
Instead we rely on MSf to clean things up.
Users can now add transports without switching to them straight away. They can then move forward and backwards using the next and prev commands in MSF. There's also the get UUID facility too.
Migration now works again, and supports all the transports while migrating as well. At the moment we don't have the ability to take extensions across as well, though that might come when we have fixed up the issues with stageless meterpreter.
Creation of transports for switching is done a little differently now. But the transports do cycle correctly now when things fail, each with their respective retry times.
not passing this flag was causing an error attempting
to open the keyset. by setting this we are telling the
CAPI that we only care about ephemeral keys, and so we don't
run into the container issues.
MSP-12356
Lots of transported related things were in the core library which didn't make any sense given that the only thing that needed it was metsrv. This moves the functionality out into metsrv, reformats stuff and gets rid of some dead code.
TODO: Make this work with POSIX.
This changeset fixes an issue with POSIX failing to keep track of loaded
extensions properly. The timeout calcs for waiting were trying to be too
smart and hence were simplified.
Also added another flush when reconnecting so that the body of the
second instance of metsrv is ignored by the POSIX side. In future, when
stageless meterpreter works with POSIX, we won't have to do this.
Currently, the select timeout on the server socket is 100 ns, meaning that
while idle, the process can wake up 100k times per second. This switches the
timeout to 0.5 second, reducing the idle CPU usage and seemingly increasing
the reliability of posix meterpreter as well.
Tested with various test post test modules without failures.
This commit includes code which will allow for HTTP/S payload URIs to be hot-patched by the server without losing the UUID information. This was put in so that the stageless payloads can be used over and over again and not have issues with session URIs colliding.
The mechanism used for validation of the SSL cert string was the same as for many of the other global replacement options. However, the string value that was used for checking was also the same. The result was that the patch mechanism wasn't patching the right instance of the string.
DERP!
Why this hit stageless only I'm really not sure.
Updated the code so that the TCP stuff is moved into its own file and doesn't pollute the main server file with stuff that is specific to TCP transports.
Updated the winhttp functionality in the same way so that functionality is properly segregated.
Modified the global parameters so that they're part of a structure that can be passed around.
Added a stack of documnetation as well.
This commit just adds the braces around single-line blocks as per our "standard". This is important, especially in the case where those single lines contain macros which could expand to multiple lines.
Also added the use of the group packet functionality to make the search result code a little easier on the eye.
Querying of the status of SSL cert verification is now possible. This commit allows for this to be enabled and disabled on the fly.
Also include some code tidy/refactoring.
Instead of basing everything on URLs, the transport hopping now actually supports the creation of a whole new transport on the fly. The transport instance is stored in the remote as a "next transport" pointer.
This better facilitates the notion of being able to set all of the parameters on the transport when doing the switch, and is a step closer to being able to support chains of transports.
This commit includes code which attempts to bind to both IPv4 and IPv6 addresses so that the attacker can connect on either interface.
In the case of Windows XP, the IPv6 stack doesn't allow modification of the socket options so that both address types can be listened to on the same socket. Rather than create separate sockets for both cases, XP and earlier simply fall back to IPv4 only.
The transport refactor appears to be working, but the transport swtching
requires more work on the side of stageless posix before it will work.
At the moment, the POSIX implementation of the transport switching is
commented out so that it can't be used or built into the binaries.
This should mean we can move forward on other friends without this
holding us back.
This commit includes code which attempts to bind to both IPv4 and IPv6 addresses so that the attacker can connect on either interface.
In the case of Windows XP, the IPv6 stack doesn't allow modification of the socket options so that both address types can be listened to on the same socket. Rather than create separate sockets for both cases, XP and earlier simply fall back to IPv4 only.
LibreSSL does not yet work well with Windows meterpreter for 2 reasons:
1. because its built with mingw/gcc, it does not have SAFESEH, requiring that
protection to be disabled for the whole stack. It could, it just needs a
way to be built with MSVS instead.
2. OpenSSL 1.0.1 and Libressl both make metsrv about 50% larger.
When transports are more abstracted and LibreSSL can build with MSVS, we will
revisit this.
Switching works, but doesn't do anything nice with session management. Still need to get things wired into posix, and probably rip out the wininet stuff as well given that I probably won't refactor it to support this.
I am working on automating POSIX meterpreter builds, and one step is
removing the requirement to download files from external sites during
the build process. So, this incorporates the latest stable libpcap
source and updates the patches as needed.
The Makefile also moves (@wvu-r7 was amused that Makefile.pcap wasn't
actually a pcap file :) and simplifies a little build foo.
I updated and got the 64-bit kernel + 32-bit userspace TPACKET v1 patch
merged upstream, but its not in a release yet, so the patch is still
needed. See https://github.com/the-tcpdump-group/libpcap/pull/421
* Transports are now defined by a set of callbacks that are bound to the Remote.
* Transport initialisation and dispatching is seprated.
* The context of the transport should be switchable depending on new transport requirements.
More to do, but it has begun.
* Make sure POSIX has the new extension command enumeration function.
* Add support for deinit of extensions.
* Make sure extensions are tracked like they in Windows.
* Fix up a few export definitions.
* Stop using strncpy_s in POSIX code.
* bury common _snprintf that snuck in while testing the Windows version back
into the platform-specific code.
* remove now-unneeded separator defines
* don't free a stack variable on windows
