
Feature/railgun/error msg #740

Closed
wants to merge 10 commits into from

4 participants

@dmaloney-r7
Collaborator

This pull request adds the actual text represented by the GetLastError code. It is included in the return hash under ErrorMessage. It works in 32 and 64 bit.
Also, it will look for the error message in the specific module being called by Railgun; if it doesn't find the error code defined in an error table inside that module it then reverts to looking it up in the system error table. This means that DLL-specific error codes should still return the correct result.
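An added example (not code from this pull request or from the Metasploit project) of how a caller would consume the extended return hash the description above refers to. The hash shape follows Railgun's convention of a "GetLastError" and a "return" key, plus the new "ErrorMessage" key; the sample values, the function names used as labels, and the helper names `railgun_error_message`, `describe_railgun_failure` and `railgun_check!` are all constructed for this illustration. It handles the two edge cases a caller meets in practice: a nil message (a stdapi server that predates this TLV, or a code with no message text) and the trailing carriage return/line feed that FormatMessage appends to system messages.

```ruby
# Constructed sample results in the shape Railgun's process_function_call returns.
# "ErrorMessage" is nil when no TLV_TYPE_RAILGUN_BACK_MSG came back from the server.
SAMPLE_RESULTS = {
  denied: { "GetLastError" => 5, "ErrorMessage" => "Access is denied.\r\n", "return" => false },
  ok:     { "GetLastError" => 0, "ErrorMessage" => "The operation completed successfully.\r\n", "return" => true },
  old:    { "GetLastError" => 2, "ErrorMessage" => nil, "return" => false },
}.freeze

class RailgunCallError < StandardError; end

# Normalise the message text: system messages produced by FormatMessage without
# FORMAT_MESSAGE_MAX_WIDTH_MASK end in "\r\n", and the field may be nil entirely.
def railgun_error_message(result)
  msg = result["ErrorMessage"]
  return nil if msg.nil? || msg.strip.empty?
  msg.strip
end

# Build a one-line diagnostic from the hash, falling back to the numeric code only.
def describe_railgun_failure(func_name, result)
  code = result["GetLastError"]
  text = railgun_error_message(result) || "no message available (GetLastError #{code})"
  format("%s failed: error %d (0x%08X): %s", func_name, code, code, text)
end

# Return the Win32 return value on success, raise with the diagnostic on failure.
def railgun_check!(func_name, result)
  return result["return"] if result["return"]
  raise RailgunCallError, describe_railgun_failure(func_name, result)
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_RESULTS.each do |label, result|
    begin
      puts "#{label}: ok (return=#{railgun_check!('SampleFunction', result).inspect})"
    rescue RailgunCallError => e
      puts "#{label}: #{e.message}"
    end
  end
end
```

Stripping on the client side keeps the server change minimal; a module that only interpolates `ErrorMessage` into its status line gets clean output either way, and a nil message degrades to the numeric code rather than to a NoMethodError.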

...rex/post/meterpreter/extensions/stdapi/railgun/dll.rb
@@ -268,13 +268,17 @@ def process_function_call(function, args, client)
rec_out_only_buffers = response.get_tlv_value(TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_OUT)
rec_return_value = response.get_tlv_value(TLV_TYPE_RAILGUN_BACK_RET)
rec_last_error = response.get_tlv_value(TLV_TYPE_RAILGUN_BACK_ERR)
+ rec_err_msg = response.get_tlv_value(TLV_TYPE_RAILGUN_BACK_MSG)
#puts "received stuff"
#puts "out_only_layout:"
#puts out_only_layout
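Review bot: the `rec_err_msg` value read on the `+` line will be nil whenever the response carries no TLV_TYPE_RAILGUN_BACK_MSG (a stdapi server built before this change, or a call for which the server produced no message), because `get_tlv_value` returns nil for a missing TLV; since this value goes straight into the return hash as ErrorMessage, document it as optional so callers do not call string methods on nil.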
@jlee-r7 Collaborator
jlee-r7 added a note

Please remove debugging junk

@dmaloney-r7 Collaborator

That's not debugging junk, that's part of the feature. That's what actually grabs the msg tlv.

@jlee-r7
Collaborator

Don't bother committing compiled bins, i'll do those when merging.

...ter/source/extensions/stdapi/server/railgun/railgun.c
@@ -105,6 +117,9 @@ DWORD railgun_call( RAILGUN_INPUT * pInput, RAILGUN_OUTPUT * pOutput )
pOutput->pBufferINOUT = pInput->pBufferINOUT;
pOutput->dwBufferSizeOUT = pInput->dwBufferSizeOUT;
pOutput->dwBufferSizeINOUT = pInput->dwBufferSizeINOUT;
+ pOutput->pErrMsg = "Test Message";
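Review bot: the `+ pOutput->pErrMsg = "Test Message";` default puts a string literal into a field that the rest of the change fills with a buffer allocated by FormatMessage; if that buffer is ever released with LocalFree, the literal default would be handed to it on the paths that never reach FormatMessage. Initialise the field to NULL and have later code treat NULL as "no message".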
@jlee-r7 Collaborator
jlee-r7 added a note

Better default would be NULL

@dmaloney-r7
Collaborator

@jlee-r7 made requested change, bins will need to be compiled again

@jlee-r7 jlee-r7 was assigned
@todb-r7
Owner

This still has compiled binaries attached?

@dmaloney-r7
Collaborator

They will have to be recompiled anyway.

@todb-r7
Owner

How pressing is this? Is it reasonable to wait until the stand-alone Meterpreter repo gets off the ground? I just don't know what the normal workflow is when there are new compiled bins for meterpreter, and iirc @jlee-r7 is in the middle of making that all sane.

@todb

bump

@jlee-r7
Collaborator

Needing to be recompiled doesn't change the fact that they are all still in commits on this branch. I'm going to have to dump the diff of these changes and make a new commit to purge them.

Which is actually fine, since I'm going to have to do that anyway to get this into the new repo. I was planning on trying to get all the existing PRs into rapid7/metasploit-framework before moving to the new rapid7/meterpreter. Since the new repo is pretty much ready and I still haven't been able to get through all these PRs, I think it's time to just move forward and take the PRs with it.

@todb-r7
Owner

I'm going to close this out, since Meterpreter has become its own repo, rapid7/meterpreter. These changes should already be reflected over there.

@dmaloney-r7 can you either confirm your stuff is over there now, or rejigger with a diff patch or something? Sorry for the delay on this.

@todb-r7 todb-r7 closed this
@jlee-r7 jlee-r7 referenced this pull request from a commit
@egypt egypt Land #2443, railgun error messages
See #740 and meterpreter#26
9436b6d
@jlee-r7 jlee-r7 referenced this pull request from a commit
@egypt egypt Add bins for #2443
See #740 and meterpreter#26
56b6f0b
@bturner-r7 bturner-r7 referenced this pull request from a commit in bturner-r7/metasploit-framework
@OJ OJ Add error message support to railgun
This code was lost in the transition when the meterpreter source was
removed from the metasploit-framework source. I'm pulling this in by
request of @dmaloney-r7 who originally requested this code be included
as part of rapid7#740

I added an extra bit of code to free up memory that is allocated by the
call to FormatMessage and forced the ASCII-version (FormatMessageA) of
the call.

This PR is the MSF side of rapid7/meterpreter#26
82162ef
@Meatballs1 Meatballs1 referenced this pull request from a commit in Meatballs1/meterpreter
@OJ OJ Add error message support to the railgun code
This code was lost in the transition when the meterpreter source was
removed from the metasploit-framework source. I'm pulling this in by
request of @dmaloney-r7 who originally requested this code be included
as part of rapid7/metasploit-framework#740

I added an extra bit of code to free up memory that is allocated by the
call to FormatMessage and forced the ASCII-version (FormatMessageA) of
the call.
347e3d7
@wvu-r7 wvu-r7 deleted the branch
@bcook-r7 bcook-r7 referenced this pull request from a commit in bcook-r7/metasploit-payloads
@OJ OJ Add error message support to the railgun code
This code was lost in the transition when the meterpreter source was
removed from the metasploit-framework source. I'm pulling this in by
request of @dmaloney-r7 who originally requested this code be included
as part of rapid7/metasploit-framework#740

I added an extra bit of code to free up memory that is allocated by the
call to FormatMessage and forced the ASCII-version (FormatMessageA) of
the call.
8830228
@bcook-r7 bcook-r7 referenced this pull request from a commit in bcook-r7/metasploit-payloads
@egypt egypt Land #26, Railgun error messages 986c70f
@OJ OJ referenced this pull request from a commit in rapid7/metasploit-payloads
@OJ OJ Add error message support to the railgun code
This code was lost in the transition when the meterpreter source was
removed from the metasploit-framework source. I'm pulling this in by
request of @dmaloney-r7 who originally requested this code be included
as part of rapid7/metasploit-framework#740

I added an extra bit of code to free up memory that is allocated by the
call to FormatMessage and forced the ASCII-version (FormatMessageA) of
the call.
f0e7e0e
@bcook-r7 bcook-r7 referenced this pull request from a commit in rapid7/metasploit-payloads
@egypt egypt Land #26, Railgun error messages 50b7557
Commits on Aug 25, 2012
  1. @dmaloney-r7

    Working Test Message tlv

    dmaloney-r7 authored
  2. @dmaloney-r7

    Add TLV to Ruby side and add err msg to ret hash

    dmaloney-r7 authored
    *Added the new TLV type to the Ruby side
    *Cleaned up formatting on tlv.rb
    *Added ErrorMessage field to return hash
  3. @dmaloney-r7
Commits on Aug 26, 2012
  1. @dmaloney-r7

    Error Message working as SYSTEM

    dmaloney-r7 authored
    Seems to still be a problem when run inside explorer.exe
Commits on Aug 29, 2012
  1. @dmaloney-r7
  2. @dmaloney-r7

    Merge branch 'master' into feature/railgun/error_msg

    dmaloney-r7 authored
    Conflicts:
    	data/meterpreter/ext_server_stdapi.dll
  3. @dmaloney-r7
Commits on Sep 6, 2012
  1. @dmaloney-r7

    Removed old debug prints

    dmaloney-r7 authored
Commits on Sep 19, 2012
  1. @dmaloney-r7

    Merge branch 'master' into feature/railgun/error_msg

    dmaloney-r7 authored
    Conflicts:
    	data/meterpreter/ext_server_stdapi.dll
  2. @dmaloney-r7
BIN  data/meterpreter/ext_server_stdapi.dll
BIN  data/meterpreter/ext_server_stdapi.x64.dll
21 external/source/meterpreter/source/extensions/stdapi/server/railgun/railgun.c
@@ -81,6 +81,18 @@ DWORD railgun_call( RAILGUN_INPUT * pInput, RAILGUN_OUTPUT * pOutput )
const ULONG_PTR * pStackDescriptorBuffer = NULL; // do not free! Just convenience ptr to TLV
DWORD dwStackSizeInElements = 0;
DWORD dwIndex = 0;
+
+ //Set up vars for FormateMessage call
+ DWORD dwNumChars = 0;
+ //Set flags to look in the system error tabl if not found in the module table
+ DWORD dwMsgFlags = (FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_FROM_HMODULE | FORMAT_MESSAGE_IGNORE_INSERTS);
+ //Set the Language ID for the Message to US English
+ DWORD dwLangId = 0;
+ LPTSTR buffer;
+
+
+
+
do
{
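Review bot: `+ LPTSTR buffer;` is declared without an initialiser, so on the path where the later FormatMessage call fails nothing ever assigns it and `pOutput->pErrMsg = buffer` copies an indeterminate pointer; declare it as `LPTSTR buffer = NULL;`. On the same hunk, the comment says the language ID is set to US English but `dwLangId = 0` asks FormatMessage for its default language search order, so either reword the comment or pass `MAKELANGID(LANG_ENGLISH, SUBLANG_ENGLISH_US)`; the comments misspell "FormatMessage" and "table"; and the four empty `+` lines before `do` should be dropped.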
@@ -105,6 +117,9 @@ DWORD railgun_call( RAILGUN_INPUT * pInput, RAILGUN_OUTPUT * pOutput )
pOutput->pBufferINOUT = pInput->pBufferINOUT;
pOutput->dwBufferSizeOUT = pInput->dwBufferSizeOUT;
pOutput->dwBufferSizeINOUT = pInput->dwBufferSizeINOUT;
+ pOutput->pErrMsg = NULL;
+
+
if( pOutput->dwBufferSizeOUT )
{
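Review bot: the two empty `+` lines after `pOutput->pErrMsg = NULL;` add nothing and should be removed; the NULL default itself is the right choice, since it gives every downstream consumer a well-defined sentinel to test before using the message.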
@@ -252,6 +267,9 @@ DWORD railgun_call( RAILGUN_INPUT * pInput, RAILGUN_OUTPUT * pOutput )
}
pOutput->dwLastError = GetLastError();
+ dwNumChars = FormatMessage(dwMsgFlags,hDll,pOutput->dwLastError,dwLangId,(LPTSTR)&buffer,0,NULL);
+ pOutput->pErrMsg = buffer;
+
#ifdef _WIN64
dprintf("[RAILGUN] railgun_call: pOutput->dwLastError=0x%08X, pOutput->qwReturnValue=0x%llX", pOutput->dwLastError, pOutput->qwReturnValue );
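Review bot: the return value `dwNumChars` of the FormatMessage call is never examined; FormatMessage returns 0 on failure (for instance when the module has no message table and the code is not a system error code), and in that case it does not write `buffer`, so the following `pOutput->pErrMsg = buffer;` stores whatever the variable held. Guard the assignment with `if (dwNumChars) pOutput->pErrMsg = buffer;`. Two further points on these lines: with FORMAT_MESSAGE_ALLOCATE_BUFFER the buffer is allocated by the system and has to be released with LocalFree once it has been serialised, and nothing in this change frees it, so every Railgun call leaks one allocation; and `FormatMessage` with an `LPTSTR` resolves to the wide-character variant in a UNICODE build while the output field is `const char*` and the TLV is a narrow string, so call FormatMessageA with a `char*` explicitly.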
@@ -444,6 +462,9 @@ DWORD request_railgun_api( Remote * pRemote, Packet * pPacket )
packet_add_tlv_qword( pResponse, TLV_TYPE_RAILGUN_BACK_RET, rOutput.qwReturnValue );
packet_add_tlv_raw( pResponse, TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_OUT, rOutput.pBufferOUT, (DWORD)rOutput.dwBufferSizeOUT );
packet_add_tlv_raw( pResponse, TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_INOUT, rOutput.pBufferINOUT, (DWORD)rOutput.dwBufferSizeINOUT );
+ packet_add_tlv_string(pResponse, TLV_TYPE_RAILGUN_BACK_MSG, rOutput.pErrMsg);
+
+
}
dwResult = packet_transmit( pRemote, pResponse, NULL );
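Review bot: `packet_add_tlv_string(pResponse, TLV_TYPE_RAILGUN_BACK_MSG, rOutput.pErrMsg)` is called unconditionally, but pErrMsg defaults to NULL in the earlier hunk and packet_add_tlv_string measures the string's length, so a call that produced no message dereferences a null pointer on the server. Wrap it in `if (rOutput.pErrMsg)`, release the FormatMessage buffer with LocalFree once the TLV has been added (the packet copies the bytes, and the buffer is otherwise never freed), and drop the two empty `+` lines.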
3  external/source/meterpreter/source/extensions/stdapi/server/railgun/railgun.h
@@ -18,6 +18,8 @@
#define TLV_TYPE_RAILGUN_MEM_ADDRESS MAKE_CUSTOM_TLV( TLV_META_TYPE_QWORD, TLV_TYPE_EXTENSION_RAILGUN, TLV_EXTENSIONS + 12 )
#define TLV_TYPE_RAILGUN_MEM_DATA MAKE_CUSTOM_TLV( TLV_META_TYPE_RAW, TLV_TYPE_EXTENSION_RAILGUN, TLV_EXTENSIONS + 13 )
#define TLV_TYPE_RAILGUN_MEM_LENGTH MAKE_CUSTOM_TLV( TLV_META_TYPE_UINT, TLV_TYPE_EXTENSION_RAILGUN, TLV_EXTENSIONS + 14 )
+#define TLV_TYPE_RAILGUN_BACK_MSG MAKE_CUSTOM_TLV( TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_RAILGUN, TLV_EXTENSIONS + 15 )
+
typedef struct _RAILGUN_INPUT
{
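Review bot: the new `TLV_TYPE_RAILGUN_BACK_MSG` definition uses `TLV_EXTENSIONS + 15` and `TLV_META_TYPE_STRING`, which agrees with the Ruby-side constant in tlv.rb; the stray empty `+` line after the define is not needed.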
@@ -35,6 +37,7 @@ typedef struct _RAILGUN_OUTPUT
{
DWORD dwLastError;
QWORD qwReturnValue;
+ const char* pErrMsg;
BYTE * pBufferOUT;
BYTE * pBufferINOUT;
ULONG_PTR dwBufferSizeOUT;
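Review bot: `+ const char* pErrMsg;` declares the field as pointing to constant data, yet what it holds is a buffer allocated by FormatMessage that this struct owns and must release with LocalFree; a non-const `char *` (mirroring the `BYTE *` buffer fields next to it) together with a comment stating who frees it would make the ownership explicit for whoever adds the cleanup.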
13 lib/rex/post/meterpreter/extensions/stdapi/railgun/dll.rb
@@ -260,21 +260,18 @@ def process_function_call(function, args, client)
response = client.send_request(request)
- #puts "receiving Stuff from meterpreter"
- #puts "out_only_layout:"
- #puts out_only_layout
-
rec_inout_buffers = response.get_tlv_value(TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_INOUT)
rec_out_only_buffers = response.get_tlv_value(TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_OUT)
rec_return_value = response.get_tlv_value(TLV_TYPE_RAILGUN_BACK_RET)
rec_last_error = response.get_tlv_value(TLV_TYPE_RAILGUN_BACK_ERR)
+ rec_err_msg = response.get_tlv_value(TLV_TYPE_RAILGUN_BACK_MSG)
- #puts "received stuff"
- #puts "out_only_layout:"
- #puts out_only_layout
# The hash the function returns
- return_hash={"GetLastError" => rec_last_error}
+ return_hash={
+ "GetLastError" => rec_last_error,
+ "ErrorMessage" => rec_err_msg
+ }
#process return value
case function.return_type
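Review bot: the `"ErrorMessage" => rec_err_msg` entry passes the server's text through untouched; system messages produced by FormatMessage without FORMAT_MESSAGE_MAX_WIDTH_MASK end in a carriage return/line feed, so any module that interpolates this value into its status output will carry a stray line break. Either trim it on the server or apply `.strip` here, and keep that nil-safe (`rec_err_msg.strip if rec_err_msg`) because the TLV is absent when the server sends no message.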
31 lib/rex/post/meterpreter/extensions/stdapi/railgun/tlv.rb
@@ -32,23 +32,24 @@ module Extensions
module Stdapi
module Railgun
-TLV_TYPE_EXTENSION_RAILGUN = 0
-TLV_TYPE_RAILGUN_SIZE_OUT = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 1)
-TLV_TYPE_RAILGUN_STACKBLOB = TLV_META_TYPE_RAW | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 2)
-TLV_TYPE_RAILGUN_BUFFERBLOB_IN = TLV_META_TYPE_RAW | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 3)
-TLV_TYPE_RAILGUN_BUFFERBLOB_INOUT = TLV_META_TYPE_RAW | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 4)
+TLV_TYPE_EXTENSION_RAILGUN = 0
+TLV_TYPE_RAILGUN_SIZE_OUT = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 1)
+TLV_TYPE_RAILGUN_STACKBLOB = TLV_META_TYPE_RAW | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 2)
+TLV_TYPE_RAILGUN_BUFFERBLOB_IN = TLV_META_TYPE_RAW | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 3)
+TLV_TYPE_RAILGUN_BUFFERBLOB_INOUT = TLV_META_TYPE_RAW | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 4)
-TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_OUT = TLV_META_TYPE_RAW | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 5)
-TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_INOUT = TLV_META_TYPE_RAW | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 6)
-TLV_TYPE_RAILGUN_BACK_RET = TLV_META_TYPE_QWORD | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 7)
-TLV_TYPE_RAILGUN_BACK_ERR = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 8)
+TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_OUT = TLV_META_TYPE_RAW | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 5)
+TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_INOUT = TLV_META_TYPE_RAW | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 6)
+TLV_TYPE_RAILGUN_BACK_RET = TLV_META_TYPE_QWORD | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 7)
+TLV_TYPE_RAILGUN_BACK_ERR = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 8)
-TLV_TYPE_RAILGUN_DLLNAME = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 9)
-TLV_TYPE_RAILGUN_FUNCNAME = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 10)
-TLV_TYPE_RAILGUN_MULTI_GROUP = TLV_META_TYPE_GROUP | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 11)
+TLV_TYPE_RAILGUN_DLLNAME = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 9)
+TLV_TYPE_RAILGUN_FUNCNAME = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 10)
+TLV_TYPE_RAILGUN_MULTI_GROUP = TLV_META_TYPE_GROUP | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 11)
-TLV_TYPE_RAILGUN_MEM_ADDRESS = TLV_META_TYPE_QWORD | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 12 )
-TLV_TYPE_RAILGUN_MEM_DATA = TLV_META_TYPE_RAW | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 13 )
-TLV_TYPE_RAILGUN_MEM_LENGTH = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 14 )
+TLV_TYPE_RAILGUN_MEM_ADDRESS = TLV_META_TYPE_QWORD | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 12 )
+TLV_TYPE_RAILGUN_MEM_DATA = TLV_META_TYPE_RAW | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 13 )
+TLV_TYPE_RAILGUN_MEM_LENGTH = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 14 )
+TLV_TYPE_RAILGUN_BACK_MSG = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 15 )
end; end; end; end; end; end
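Review bot: apart from the new `TLV_TYPE_RAILGUN_BACK_MSG` constant on the last `+` line, every changed line in this hunk is a whitespace-only realignment of existing definitions, which hides the one functional change and will conflict with anything else touching this file; keep the alignment clean-up in its own commit. The new constant's `+ 15` offset and `TLV_META_TYPE_STRING` type match the definition added to railgun.h.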