mirror of
https://github.com/rapid7/metasploit-payloads
synced 2025-04-12 04:12:05 +02:00
315 lines
15 KiB
C
Executable File
315 lines
15 KiB
C
Executable File
/*!
|
|
* @file remote.h
|
|
* @brief Declarations of functions and types that interact with a remote endpoint.
|
|
*/
|
|
#ifndef _METERPRETER_LIB_REMOTE_H
|
|
#define _METERPRETER_LIB_REMOTE_H
|
|
|
|
#include "crypto.h"
|
|
#include "thread.h"
|
|
#include "config.h"
|
|
|
|
// Include SSL related declarations for required pointers.
|
|
#include "openssl/ssl.h"
|
|
#include "openssl/err.h"
|
|
#include "openssl/x509v3.h"
|
|
|
|
/*! @brief This is the size of the certificate hash that is validated (sha1) */
|
|
#define CERT_HASH_SIZE 20
|
|
|
|
#ifdef _WIN32
|
|
typedef wchar_t CHARTYPE;
|
|
typedef CHARTYPE* STRTYPE;
|
|
#else
|
|
typedef char CHARTYPE;
|
|
typedef CHARTYPE* STRTYPE;
|
|
#endif
|
|
|
|
// Forward declarations required to keep compilers happy.
|
|
typedef struct _Packet Packet;
|
|
typedef struct _PacketRequestCompletion PacketRequestCompletion;
|
|
typedef struct _Transport Transport;
|
|
typedef struct _SslLib SslLib;
|
|
typedef struct _Remote Remote;
|
|
typedef struct _TimeoutSettings TimeoutSettings;
|
|
typedef struct _HttpTransportContext HttpTransportContext;
|
|
|
|
typedef SOCKET(*PTransportGetSocket)(Transport* transport);
|
|
typedef void(*PTransportReset)(Transport* transport, BOOL shuttingDown);
|
|
typedef BOOL(*PTransportInit)(Transport* transport);
|
|
typedef BOOL(*PTransportDeinit)(Transport* transport);
|
|
typedef void(*PTransportDestroy)(Transport* transport);
|
|
typedef Transport*(*PTransportCreate)(Remote* remote, MetsrvTransportCommon* config, LPDWORD size);
|
|
typedef void(*PTransportRemove)(Remote* remote, Transport* oldTransport);
|
|
typedef void(*PConfigCreate)(Remote* remote, MetsrvConfig** config, LPDWORD size);
|
|
|
|
typedef BOOL(*PServerDispatch)(Remote* remote, THREAD* dispatchThread);
|
|
typedef DWORD(*PPacketTransmit)(Remote* remote, Packet* packet, PacketRequestCompletion* completion);
|
|
|
|
typedef HANDLE(*PCreateHttpRequest)(HttpTransportContext* ctx, BOOL isGet, const char* direction);
|
|
typedef BOOL(*PSendHttpRequest)(HANDLE hReq, LPVOID buffer, DWORD size);
|
|
typedef BOOL(*PCloseRequest)(HANDLE hReq);
|
|
typedef DWORD(*PValidateResponse)(HANDLE hReq, HttpTransportContext* ctx);
|
|
typedef BOOL(*PReceiveResponse)(HANDLE hReq);
|
|
typedef BOOL(*PReadResponse)(HANDLE hReq, LPVOID buffer, DWORD bytesToRead, LPDWORD bytesRead);
|
|
|
|
typedef struct _TimeoutSettings
|
|
{
|
|
/*! @ brief The total number of seconds to wait for a new packet before killing off the session. */
|
|
int comms;
|
|
/*! @ brief The total number of seconds to keep retrying for before a new session is established. */
|
|
UINT retry_total;
|
|
/*! @ brief The number of seconds to wait between reconnects. */
|
|
UINT retry_wait;
|
|
} TimeoutSettings;
|
|
|
|
#ifdef _WIN32
|
|
typedef struct _SslLib
|
|
{
|
|
int(*RAND_status)();
|
|
void(*RAND_add)(const void*, int, double);
|
|
int(*RAND_egd)(const char *path);
|
|
ERR_STATE*(*ERR_get_state)();
|
|
const char*(*ERR_reason_error_string)(unsigned long);
|
|
void(*ERR_clear_error)();
|
|
unsigned long(*ERR_peek_last_error)();
|
|
const COMP_METHOD *(*SSL_get_current_compression)(SSL*);
|
|
void*(*SSL_get_ex_data)(const SSL*, int);
|
|
SSL_CTX*(*SSL_set_SSL_CTX)(SSL*, SSL_CTX*);
|
|
SSL_CTX*(*SSL_get_SSL_CTX)(const SSL*);
|
|
int(*SSL_CTX_load_verify_locations)(SSL_CTX*, const char*, const char*);
|
|
int(*SSL_CTX_set_default_verify_paths)(SSL_CTX*);
|
|
int(*SSL_get_shutdown)(const SSL*);
|
|
int(*SSL_library_init)();
|
|
void(*SSL_set_accept_state)(SSL*);
|
|
void(*SSL_set_connect_state)(SSL*);
|
|
int(*SSL_shutdown)(SSL*);
|
|
int(*SSL_do_handshake)(SSL*);
|
|
SSL_METHOD *(*TLSv1_method)();
|
|
SSL_METHOD*(*SSLv23_method)();
|
|
SSL_METHOD*(*SSLv3_method)();
|
|
SSL_METHOD*(*SSLv2_method)();
|
|
const char*(*SSL_get_version)(const SSL*);
|
|
int(*SSL_get_error)(const SSL*, int);
|
|
long(*SSL_CTX_callback_ctrl)(SSL_CTX*, int, void(*)(void));
|
|
long(*SSL_CTX_ctrl)(SSL_CTX*, int, long, void*);
|
|
void(*SSL_free)(SSL*);
|
|
int(*SSL_read)(SSL*, void*, int);
|
|
int(*SSL_write)(SSL*, const void*, int);
|
|
SSL*(*SSL_new)(SSL_CTX*);
|
|
int(*SSL_CTX_set_session_id_context)(SSL_CTX*, const unsigned char*, unsigned int);
|
|
int(*SSL_CTX_check_private_key)(const SSL_CTX*);
|
|
void(*SSL_CTX_set_default_passwd_cb)(SSL_CTX*, pem_password_cb*);
|
|
void(*SSL_CTX_set_default_passwd_cb_userdata)(SSL_CTX*, void*);
|
|
int(*SSL_set_ex_data)(SSL *ssl, int idx, void *data);
|
|
long(*SSL_ctrl)(SSL *ssl, int cmd, long larg, void *parg);
|
|
void(*SSL_CTX_set_verify)(SSL_CTX *ctx, int mode, int(*callback)(int, X509_STORE_CTX *));
|
|
int(*SSL_CTX_get_verify_mode)(const SSL_CTX *ctx);
|
|
X509*(*SSL_get_peer_certificate)(const SSL *s);
|
|
void(*SSL_load_error_strings)(void);
|
|
int(*SSL_CTX_use_certificate_chain_file)(SSL_CTX *ctx, const char *file); /* PEM type */
|
|
int(*SSL_CTX_use_PrivateKey_file)(SSL_CTX *ctx, const char *file, int type);
|
|
void(*SSL_set_read_ahead)(SSL *s, int yes);
|
|
BIO*(*SSL_get_wbio)(const SSL *s);
|
|
BIO*(*SSL_get_rbio)(const SSL *s);
|
|
int(*SSL_set_fd)(SSL *s, int fd);
|
|
int(*SSL_pending)(const SSL *s);
|
|
char*(*SSL_CIPHER_get_version)(const SSL_CIPHER *c);
|
|
const char*(*SSL_CIPHER_get_name)(const SSL_CIPHER *c);
|
|
int(*SSL_CIPHER_get_bits)(const SSL_CIPHER *c, int *alg_bits);
|
|
SSL_CIPHER*(*SSL_get_current_cipher)(const SSL *s);
|
|
X509_STORE*(*SSL_CTX_get_cert_store)(const SSL_CTX *);
|
|
void(*SSL_CTX_free)(SSL_CTX *);
|
|
SSL_CTX *(*SSL_CTX_new)(SSL_METHOD *meth);
|
|
int(*SSL_CTX_set_cipher_list)(SSL_CTX *, const char *str);
|
|
size_t(*SSL_get_finished)(const SSL *s, void *buf, size_t count);
|
|
size_t(*SSL_get_peer_finished)(const SSL *s, void *buf, size_t count);
|
|
const char*(*SSL_get_servername)(const SSL *s, const int type);
|
|
int(*PEM_read_bio)(BIO *bp, char **name, char **header, unsigned char **data, long *len);
|
|
X509*(*PEM_read_bio_X509)(BIO *bp, X509 **x, pem_password_cb *cb, void *u);
|
|
X509*(*PEM_read_bio_X509_AUX)(BIO *bp, X509 **x, pem_password_cb *cb, void *u);
|
|
int(*X509_check_ca)(X509 *x);
|
|
DH *(*PEM_read_bio_DHparams)(BIO *bp, DH **x, pem_password_cb *cb, void *u);
|
|
X509V3_EXT_METHOD *(*X509V3_EXT_get)(X509_EXTENSION *ext);
|
|
void(*AUTHORITY_INFO_ACCESS_free)(AUTHORITY_INFO_ACCESS* a);
|
|
int(*GENERAL_NAME_print)(BIO* out, GENERAL_NAME* gen);
|
|
void(*GENERAL_NAME_free)(GENERAL_NAME* gen);
|
|
int(*X509_add_ext)(X509 *x, X509_EXTENSION *ex, int loc);
|
|
void*(*X509_get_ext_d2i)(X509 *x, int nid, int *crit, int *idx);
|
|
int(*X509_get_ext_by_NID)(X509 *x, int nid, int lastpos);
|
|
ASN1_OBJECT*(*X509_NAME_ENTRY_get_object)(X509_NAME_ENTRY *ne);
|
|
ASN1_STRING*(*X509_NAME_ENTRY_get_data)(X509_NAME_ENTRY *ne);
|
|
X509_NAME_ENTRY*(*X509_NAME_get_entry)(X509_NAME *name, int loc);
|
|
int(*X509_NAME_entry_count)(X509_NAME *name);
|
|
X509_NAME*(*X509_get_subject_name)(X509 *a);
|
|
ASN1_INTEGER*(*X509_get_serialNumber)(X509 *x);
|
|
X509_EXTENSION*(*X509_get_ext)(X509 *x, int loc);
|
|
X509_NAME*(*X509_get_issuer_name)(X509 *a);
|
|
void(*X509_free)(X509*);
|
|
int(*i2d_X509)(X509* a, unsigned char** out);
|
|
char*(*sk_value)(const STACK*, int);
|
|
int(*sk_num)(const STACK* s);
|
|
void(*sk_pop_free)(STACK *st, void (*func)(void *));
|
|
const char*(*SSLeay_version)(int type);
|
|
unsigned long(*SSLeay)(void);
|
|
int(*CRYPTO_num_locks)(void);
|
|
void(*CRYPTO_set_locking_callback)(void (*func)(int mode,int type, const char *file,int line));
|
|
void(*CRYPTO_set_id_callback)(unsigned long (*func)(void));
|
|
void(*CRYPTO_free)(void* p);
|
|
BIO_METHOD*(*BIO_s_file)(void);
|
|
BIO*(*BIO_new_file)(const char *filename, const char *mode);
|
|
BIO*(*BIO_new)(BIO_METHOD *type);
|
|
int(*BIO_gets)(BIO *bp,char *buf, int size);
|
|
long(*BIO_ctrl)(BIO *bp,int cmd,long larg,void *parg);
|
|
BIO_METHOD*(*BIO_s_mem)(void);
|
|
BIO*(*BIO_new_mem_buf)(void *buf, int len);
|
|
int(*BIO_free)(BIO *a);
|
|
void(*ASN1_OBJECT_free)(ASN1_OBJECT *a);
|
|
int(*ASN1_STRING_length)(ASN1_STRING *x);
|
|
unsigned char*(*ASN1_STRING_data)(ASN1_STRING *x);
|
|
int(*i2a_ASN1_INTEGER)(BIO *bp, ASN1_INTEGER *a);
|
|
long(*ASN1_INTEGER_get)(ASN1_INTEGER *a);
|
|
int(*ASN1_STRING_to_UTF8)(unsigned char **out, ASN1_STRING *in);
|
|
int(*ASN1_TIME_print)(BIO *fp,ASN1_TIME *a);
|
|
ASN1_VALUE*(*ASN1_item_d2i)(ASN1_VALUE **val, const unsigned char **in, long len, const ASN1_ITEM *it);
|
|
ASN1_OBJECT*(*OBJ_nid2obj)(int n);
|
|
const char*(*OBJ_nid2ln)(int n);
|
|
const char*(*OBJ_nid2sn)(int n);
|
|
int(*OBJ_obj2nid)(const ASN1_OBJECT *o);
|
|
ASN1_OBJECT*(*OBJ_txt2obj)(const char *s, int no_name);
|
|
int(*OBJ_obj2txt)(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name);
|
|
int(*OBJ_sn2nid)(const char *s);
|
|
void(*OPENSSL_add_all_algorithms_noconf)(void);
|
|
EC_KEY*(*EC_KEY_new_by_curve_name)(int nid);
|
|
void(*EC_KEY_free)(EC_KEY *);
|
|
void(*DH_free)(DH *dh);
|
|
int(*X509_STORE_add_cert)(X509_STORE *ctx, X509 *x);
|
|
int(*X509_VERIFY_PARAM_set_flags)(X509_VERIFY_PARAM *param, unsigned long flags);
|
|
int(*X509_VERIFY_PARAM_clear_flags)(X509_VERIFY_PARAM *param, unsigned long flags);
|
|
unsigned long(*X509_VERIFY_PARAM_get_flags)(X509_VERIFY_PARAM *param);
|
|
X509*(*d2i_X509_bio)(BIO *bp,X509 **x509);
|
|
const char*(*X509_get_default_cert_dir)();
|
|
const char*(*X509_get_default_cert_file)();
|
|
const char*(*X509_get_default_cert_dir_env)();
|
|
const char*(*X509_get_default_cert_file_env)();
|
|
} SslLib;
|
|
#endif
|
|
|
|
typedef struct _TcpTransportContext
|
|
{
|
|
SOCKET fd; ///! Remote socket file descriptor.
|
|
SOCKET listen; ///! Listen socket descriptor, if any.
|
|
SSL_METHOD* meth; ///! The current SSL method in use.
|
|
SSL_CTX* ctx; ///! SSL-specific context information.
|
|
SSL* ssl; ///! Pointer to the SSL detail/version/etc.
|
|
} TcpTransportContext;
|
|
|
|
typedef struct _HttpTransportContext
|
|
{
|
|
BOOL ssl; ///! Flag indicating whether the connection uses SSL.
|
|
HANDLE internet; ///! Handle to the internet module for use with HTTP and HTTPS.
|
|
HANDLE connection; ///! Handle to the HTTP or HTTPS connection.
|
|
unsigned char* cert_hash; ///! Pointer to the 20-byte certificate hash to validate
|
|
|
|
CSTRTYPE url; ///! Pointer to the URL stored with the transport.
|
|
STRTYPE ua; ///! User agent string.
|
|
STRTYPE uri; ///! UUID encoded as a URI.
|
|
STRTYPE new_uri; ///! New URI for stageless URI switches
|
|
STRTYPE proxy; ///! Proxy details.
|
|
STRTYPE proxy_user; ///! Proxy username.
|
|
STRTYPE proxy_pass; ///! Proxy password.
|
|
|
|
BOOL proxy_configured; ///! Indication of whether the proxy has been configured.
|
|
LPVOID proxy_for_url; ///! Pointer to the proxy for the current url (if required).
|
|
|
|
BOOL move_to_wininet; ///! If set, winhttp is busted, and we need to move to wininet.
|
|
|
|
PCreateHttpRequest create_req; ///! WinHTTP/WinINET specific request creation.
|
|
PSendHttpRequest send_req; ///! WinHTTP/WinINET specifc request sending.
|
|
PCloseRequest close_req; ///! WinHTTP/WinINET specifc request closing.
|
|
PValidateResponse validate_response; ///! WinHTTP/WinINET specific response validation.
|
|
PReceiveResponse receive_response; ///! WinHttp/WinINET specific response data reception.
|
|
PReadResponse read_response; ///! WinHttp/WinINET specific response data reading.
|
|
} HttpTransportContext;
|
|
|
|
typedef struct _Transport
|
|
{
|
|
DWORD type; ///! The type of transport in use.
|
|
PTransportGetSocket get_socket; ///! Function to get the socket from the transport.
|
|
PTransportReset transport_reset; ///! Function to reset/clean the transport ready for restarting.
|
|
PTransportInit transport_init; ///! Initialises the transport.
|
|
PTransportDeinit transport_deinit; ///! Deinitialises the transport.
|
|
PTransportDestroy transport_destroy; ///! Destroy the transport.
|
|
PServerDispatch server_dispatch; ///! Transport dispatch function.
|
|
PPacketTransmit packet_transmit; ///! Transmits a packet over the transport.
|
|
STRTYPE url; ///! Full URL describing the comms in use.
|
|
VOID* ctx; ///! Pointer to the type-specific transport context;
|
|
TimeoutSettings timeouts; ///! Container for the timeout settings.
|
|
int comms_last_packet; ///! Unix timestamp of the last packet received.
|
|
struct _Transport* next_transport; ///! Pointer to the next transport in the list.
|
|
struct _Transport* prev_transport; ///! Pointer to the previous transport in the list.
|
|
LOCK* lock; ///! Shared reference to the lock used in Remote.
|
|
} Transport;
|
|
|
|
/*!
|
|
* @brief Remote context allocation.
|
|
* @details Wraps the initialized file descriptor for extension purposes.
|
|
* A \c Remote is effectively a pointer to a remote client context
|
|
* which contains magic pixie dust that identifies the connection
|
|
* along with a way to interact with it.
|
|
* @remark The `Original` and `Current` members are used to allow for
|
|
* functionality such as `rev2self` and reverting back to the initial
|
|
* desktop stations/desktops.
|
|
*/
|
|
typedef struct _Remote
|
|
{
|
|
HMODULE met_srv; ///! Reference to the Meterpreter server instance.
|
|
|
|
CryptoContext* crypto; ///! Cryptographic context associated with the connection.
|
|
|
|
PConfigCreate config_create; ///! Pointer to the function that will create a configuration block from the curren setup.
|
|
|
|
Transport* transport; ///! Pointer to the currently used transport mechanism in a circular list of transports
|
|
Transport* next_transport; ///! Set externally when transports are requested to be changed.
|
|
DWORD next_transport_wait; ///! Number of seconds to wait before going to the next transport (used for sleeping).
|
|
|
|
MetsrvConfig* orig_config; ///! Pointer to the original configuration.
|
|
|
|
LOCK* lock; ///! General transport usage lock (used by SSL, and desktop stuff too).
|
|
|
|
HANDLE server_thread; ///! Handle to the current server thread.
|
|
HANDLE server_token; ///! Handle to the current server security token.
|
|
HANDLE thread_token; ///! Handle to the current thread security token.
|
|
|
|
DWORD orig_sess_id; ///! ID of the original Meterpreter session.
|
|
DWORD curr_sess_id; ///! ID of the currently active session.
|
|
char* orig_station_name; ///! Original station name.
|
|
char* curr_station_name; ///! Name of the current station.
|
|
|
|
#ifdef _WIN32
|
|
char* orig_desktop_name; ///! Original desktop name.
|
|
char* curr_desktop_name; ///! Name of the current desktop.
|
|
#endif
|
|
|
|
PTransportCreate trans_create; ///! Helper to create transports from configuration.
|
|
PTransportRemove trans_remove; ///! Helper to remove transports from the current session.
|
|
|
|
int sess_expiry_time; ///! Number of seconds that the session runs for.
|
|
int sess_expiry_end; ///! Unix timestamp for when the server should shut down.
|
|
int sess_start_time; ///! Unix timestamp representing the session startup time.
|
|
|
|
#ifdef _WIN32
|
|
SslLib ssl; ///! Pointer to SSL related functions, for sharing across extensions.
|
|
#endif
|
|
} Remote;
|
|
|
|
Remote* remote_allocate();
|
|
VOID remote_deallocate(Remote *remote);
|
|
|
|
VOID remote_set_fd(Remote *remote, SOCKET fd);
|
|
|
|
DWORD remote_set_cipher(Remote *remote, LPCSTR cipher, struct _Packet *initializer);
|
|
CryptoContext *remote_get_cipher(Remote *remote);
|
|
|
|
#endif
|