rapid7 · thelightcosine · Aug 25, 2012 · Aug 25, 2012 · Aug 25, 2012 · Aug 26, 2012
diff --git a/data/meterpreter/ext_server_stdapi.dll b/data/meterpreter/ext_server_stdapi.dll
diff --git a/data/meterpreter/ext_server_stdapi.x64.dll b/data/meterpreter/ext_server_stdapi.x64.dll
diff --git a/external/source/meterpreter/source/extensions/stdapi/server/railgun/railgun.c b/external/source/meterpreter/source/extensions/stdapi/server/railgun/railgun.c
@@ -81,6 +81,18 @@ DWORD railgun_call( RAILGUN_INPUT * pInput, RAILGUN_OUTPUT * pOutput )
 	const ULONG_PTR * pStackDescriptorBuffer = NULL; // do not free! Just convenience ptr to TLV
 	DWORD dwStackSizeInElements              = 0;
 	DWORD dwIndex                            = 0; 
+
+	//Set up vars for FormateMessage call
+	DWORD dwNumChars = 0;
+		//Set flags to look in the system error tabl if not found in the module table
+	DWORD dwMsgFlags = (FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_FROM_HMODULE | FORMAT_MESSAGE_IGNORE_INSERTS);   
+		//Set the Language ID for the Message to US English
+	DWORD dwLangId = 0;
+	LPTSTR buffer;
+
+
+
+
 
 	do
 	{
@@ -105,6 +117,9 @@ DWORD railgun_call( RAILGUN_INPUT * pInput, RAILGUN_OUTPUT * pOutput )
 		pOutput->pBufferINOUT      = pInput->pBufferINOUT;
 		pOutput->dwBufferSizeOUT   = pInput->dwBufferSizeOUT;
 		pOutput->dwBufferSizeINOUT = pInput->dwBufferSizeINOUT;
+		pOutput->pErrMsg           = NULL;
+
+
 
 		if( pOutput->dwBufferSizeOUT )
 		{
@@ -252,6 +267,9 @@ DWORD railgun_call( RAILGUN_INPUT * pInput, RAILGUN_OUTPUT * pOutput )
 		}
 
 		pOutput->dwLastError = GetLastError();
+		dwNumChars = FormatMessage(dwMsgFlags,hDll,pOutput->dwLastError,dwLangId,(LPTSTR)&buffer,0,NULL);
+		pOutput->pErrMsg = buffer;
+
 
 #ifdef _WIN64
 		dprintf("[RAILGUN] railgun_call: pOutput->dwLastError=0x%08X, pOutput->qwReturnValue=0x%llX", pOutput->dwLastError, pOutput->qwReturnValue );
@@ -444,6 +462,9 @@ DWORD request_railgun_api( Remote * pRemote, Packet * pPacket )
 			packet_add_tlv_qword( pResponse, TLV_TYPE_RAILGUN_BACK_RET, rOutput.qwReturnValue );
 			packet_add_tlv_raw( pResponse, TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_OUT, rOutput.pBufferOUT, (DWORD)rOutput.dwBufferSizeOUT );
 			packet_add_tlv_raw( pResponse, TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_INOUT, rOutput.pBufferINOUT, (DWORD)rOutput.dwBufferSizeINOUT );
+			packet_add_tlv_string(pResponse, TLV_TYPE_RAILGUN_BACK_MSG, rOutput.pErrMsg);
+
+
 		}
 
 		dwResult = packet_transmit( pRemote, pResponse, NULL );

diff --git a/external/source/meterpreter/source/extensions/stdapi/server/railgun/railgun.h b/external/source/meterpreter/source/extensions/stdapi/server/railgun/railgun.h
@@ -18,6 +18,8 @@
 #define TLV_TYPE_RAILGUN_MEM_ADDRESS			MAKE_CUSTOM_TLV( TLV_META_TYPE_QWORD,  TLV_TYPE_EXTENSION_RAILGUN, TLV_EXTENSIONS + 12 )
 #define TLV_TYPE_RAILGUN_MEM_DATA				MAKE_CUSTOM_TLV( TLV_META_TYPE_RAW,    TLV_TYPE_EXTENSION_RAILGUN, TLV_EXTENSIONS + 13 )
 #define TLV_TYPE_RAILGUN_MEM_LENGTH				MAKE_CUSTOM_TLV( TLV_META_TYPE_UINT,   TLV_TYPE_EXTENSION_RAILGUN, TLV_EXTENSIONS + 14 )
+#define TLV_TYPE_RAILGUN_BACK_MSG				MAKE_CUSTOM_TLV( TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_RAILGUN, TLV_EXTENSIONS + 15 )
+
 
 typedef struct _RAILGUN_INPUT
 {
@@ -35,6 +37,7 @@ typedef struct _RAILGUN_OUTPUT
 {
 	DWORD dwLastError;
 	QWORD qwReturnValue;
+	const char* pErrMsg;
 	BYTE * pBufferOUT;
 	BYTE * pBufferINOUT;
 	ULONG_PTR dwBufferSizeOUT;

diff --git a/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll.rb b/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll.rb
@@ -260,21 +260,18 @@ def process_function_call(function, args, client)
 
 		response = client.send_request(request)
 
-		#puts "receiving Stuff from meterpreter"
-		#puts "out_only_layout:"
-		#puts out_only_layout
-
 		rec_inout_buffers = response.get_tlv_value(TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_INOUT)
 		rec_out_only_buffers = response.get_tlv_value(TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_OUT)
 		rec_return_value = response.get_tlv_value(TLV_TYPE_RAILGUN_BACK_RET)
 		rec_last_error = response.get_tlv_value(TLV_TYPE_RAILGUN_BACK_ERR)
+		rec_err_msg = response.get_tlv_value(TLV_TYPE_RAILGUN_BACK_MSG)
 
-		#puts "received stuff"
-		#puts "out_only_layout:"
-		#puts out_only_layout
 
 		# The hash the function returns
-		return_hash={"GetLastError" => rec_last_error}
+		return_hash={
+			"GetLastError" => rec_last_error,
+			"ErrorMessage" => rec_err_msg
+		}
 
 		#process return value
 		case function.return_type

diff --git a/lib/rex/post/meterpreter/extensions/stdapi/railgun/tlv.rb b/lib/rex/post/meterpreter/extensions/stdapi/railgun/tlv.rb
@@ -32,23 +32,24 @@ module Extensions
 module Stdapi
 module Railgun
 
-TLV_TYPE_EXTENSION_RAILGUN = 0
+TLV_TYPE_EXTENSION_RAILGUN              = 0
-TLV_TYPE_RAILGUN_SIZE_OUT = 			TLV_META_TYPE_UINT | 		(TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 1)
+TLV_TYPE_RAILGUN_SIZE_OUT               = TLV_META_TYPE_UINT    | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 1)
-TLV_TYPE_RAILGUN_STACKBLOB = 			TLV_META_TYPE_RAW | 		(TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 2)
+TLV_TYPE_RAILGUN_STACKBLOB              = TLV_META_TYPE_RAW     | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 2)
-TLV_TYPE_RAILGUN_BUFFERBLOB_IN = 		TLV_META_TYPE_RAW | 		(TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 3)
+TLV_TYPE_RAILGUN_BUFFERBLOB_IN          = TLV_META_TYPE_RAW     | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 3)
-TLV_TYPE_RAILGUN_BUFFERBLOB_INOUT = 	TLV_META_TYPE_RAW | 		(TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 4)
+TLV_TYPE_RAILGUN_BUFFERBLOB_INOUT       = TLV_META_TYPE_RAW     | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 4)
 
-TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_OUT = 		TLV_META_TYPE_RAW | 		(TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 5)
+TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_OUT    = TLV_META_TYPE_RAW     | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 5)
-TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_INOUT = 	TLV_META_TYPE_RAW | 		(TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 6)
+TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_INOUT  = TLV_META_TYPE_RAW     | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 6)
-TLV_TYPE_RAILGUN_BACK_RET = 			    TLV_META_TYPE_QWORD | 		(TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 7)
+TLV_TYPE_RAILGUN_BACK_RET               = TLV_META_TYPE_QWORD   | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 7)
-TLV_TYPE_RAILGUN_BACK_ERR = 			    TLV_META_TYPE_UINT | 		(TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 8)
+TLV_TYPE_RAILGUN_BACK_ERR               = TLV_META_TYPE_UINT    | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 8)
 
-TLV_TYPE_RAILGUN_DLLNAME = 			    TLV_META_TYPE_STRING | 		(TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 9)
+TLV_TYPE_RAILGUN_DLLNAME                = TLV_META_TYPE_STRING  | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 9)
-TLV_TYPE_RAILGUN_FUNCNAME = 			TLV_META_TYPE_STRING | 		(TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 10)
+TLV_TYPE_RAILGUN_FUNCNAME               = TLV_META_TYPE_STRING  | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 10)
-TLV_TYPE_RAILGUN_MULTI_GROUP = 			TLV_META_TYPE_GROUP | 		(TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 11)
+TLV_TYPE_RAILGUN_MULTI_GROUP            = TLV_META_TYPE_GROUP   | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 11)
 
-TLV_TYPE_RAILGUN_MEM_ADDRESS =          TLV_META_TYPE_QWORD | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 12 )
+TLV_TYPE_RAILGUN_MEM_ADDRESS            = TLV_META_TYPE_QWORD   | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 12 )
-TLV_TYPE_RAILGUN_MEM_DATA    =          TLV_META_TYPE_RAW   | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 13 )
+TLV_TYPE_RAILGUN_MEM_DATA               = TLV_META_TYPE_RAW     | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 13 )
-TLV_TYPE_RAILGUN_MEM_LENGTH  =          TLV_META_TYPE_UINT  | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 14 )
+TLV_TYPE_RAILGUN_MEM_LENGTH             = TLV_META_TYPE_UINT    | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 14 )
+TLV_TYPE_RAILGUN_BACK_MSG               = TLV_META_TYPE_STRING  | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 15 )
 
 end; end; end; end; end; end