Fixed reading of payloads off the wire, got to the point where we could invoke Met.Core.Server and we're close to being able to dispatch packets.
Agenda - MSF Commit - Vimeo - YouTube
I was all over the place tonight. Stumbled on a case where we need to support compressed data, but took ages to figure out why. Re-added flags attributes to the MetaType as we caused a few issues removing it in the past. We've got some handling in place for core commands, and will look to fill it out further when done. More to come. We're in the weeds at the moment but we'll start coming out of them soon to do the good stuff. Next stream we'll implement support for compression and rewrite some stuff on the MSF side.
Wow, that was ... frustrating! We did make progress in the end though. In this stream we moved the CLR payload and session code in MSF so that it was no longer associated with the windows platform. As a result, we ended up going down an awful rabbit hole to try to understand why things broke and how to fix them. Thankfully we had it figured out in the end, but it took a while. The big things to remember from this exercise are:
- Ruby is awful.
- MSF's error handling doesn't give you the information you need to fix things (most of the time).
- "Strongly" typed classes are required for individual platforms.
- Don't forget to add any new platforms to the likes of
multi/handleror you end up with errors saying that your payload isn't correct!
It was fun nevertheless. We got to the point where we had created a stdapi instance, and were attempting to load it on the fly. We haven't got there yet though. Things we need to address include:
- Making sure that type references back to
metsrvwork so that the assemblies loaded on the fly can find the right types. - Storing the CLR version with the session/listener information so that we load the right payload off disk down the track when we get to the point where we have
net40in place as well.
MSF Commit - Rex Arch Commit - Vimeo - YouTube
In this stream we managed to get the plugin system working with assembly resolution events. We rejigged the dispatcher so that we can support blocking and non blocking events. We adjusted the callbacks so that they can tell the caller whether or not to exit, and we added initial support for getuid. Progress!
MSF Commit - Vimeo - YouTube
More progress tonight, working through some of the stdapi function calls so that MSF sees our new CLR sessions as valid sessions. The next few streams are going to be more of the same as we pad features out slowly.
On this stream we went back to fill in the P/Invoke approach. We explored how it worked, and why we wanted to hide it away. The result was that we were able to get it working in a way that allowed for the functionality to be enabled at runtime rather than compile time. The goal of the next stream is to abstract this functionality away into something reusable, while also adding full support for loading the dynamic types into another app domain.
Collectively we decided to support TLV encryption. We quickly found that for some reason .NET doesn't natively support parsing PEM-formatted public keys, and so (ironically) we ended up having to steal an open-source implementation that used the native crypto APIs via P/Invoke (ugh). This code looked to work in a similar way to how the native Meterpreter PEM parsing worked. So we basically stole someone else's code. Yay! I didn't have to write it again, that's a huge win.
From there we butted heads against AES encryption before finishing the stream late. In short, we didn't get it working, but we're very close.
As soon as I finished streaming I realised what was wrong. Two things:
- I was using the wrong padding (it should have been ISO10126).
- I was decrypting the packet body before XOR'ing it with the key, which was resulting in absolute garbage.
A quick local test showed that as soon as fixed that up, things "just worked". I reverted those changes (but left some comments in) so that we can finish it off on stream next week.
We managed to fix up the TLV encryption code, and thankfully saw a functional Meterpreter session using TLV encryption. Metasploit even sees it as valid. We went back to the default padding algorithm though, as I was wrong about that at the end of the previous stream.
Once getting that working we moved on to sorting out the version detection code, only to get bitten by our use of RtlGetVersion. Just like last time, I figured out exactly what was going wrong within seconds of killing the stream. Note: make sure you understand the difference between out (ie. "I'll give you a thing") and ref (ie. "You give me a thing and I'll fill it") parameters. We used the former and should have used the latter.
We'll get that fixed at the start of the next stream.
As promised we fixed up the issue with the use of ref vs out and that got us going with the version information. From there, I wanted to move onto finishing off the network interface enumeration (avoiding the use of P/Invoke as we went). I intended to use a native Meterpreter as a baseline and so fired up a standard session to see what the output was. Unfortunately for me, that uncovered an issue in the implementations of core_enumextcmd and core_loadlib (I assumed that the return type of the commands was the same, and it was not!). We dived into the MSF side for a while to fix that up before moving back onto the network interface enumeration.
We nearly finished it, but didn't quite get there. I have a good feeling we'll nail that on the next stream and get going with more stdapi functionality after.
MSF Commit - Vimeo - YouTube
I deem this stream a successful failure. We clearly noticed a few nuances in the mess that is the MSF parsing of network interfaces, and we're going to have to put a proper fix in place at some point down the track. We did, however, get a few things done including some hackery around reflection so that we could reach inner workings such as prefix length on interfaces, because for some reason they're not nicely exposed until .NET 4.8.
One cool thing we did get working was the .NET 4.0 version of the binaries, though in the process we butted up against the TODO item of "make this binary suffix thing work" in MSF. We'll get to that on the next stream I think.
Good fun, we learned stuff!