Add clearev command on Windows using JNA #524
Conversation
|
Will be having an async discussion with Spencer to see if we'd like to use a pattern of loading the JNA dependencies dynamically/on demand, to help keep the initial meterpreter payload small. This approach could be used with a railgun implementation too. |
There was a problem hiding this comment.
We definitely want to test this on platforms that it's not expected to work on like OS X and Linux. If the Java Meterpreter is capable of defining it's commands at runtime, it would be ideal to filter them out to communicate to the Framework that the commands are not available. That will help things just work out of the box framework-side (like the relevant commands in the meterpreter > prompt, etc.).
This is the approach the Python Meterpreter takes in that if the platform doesn't support the command, it's ID is not registered.
sjanusz-r7
force-pushed
the
add-jna-clearev-on-windows
branch
from
5fa7bb8
to
7045c75
Compare
sjanusz-r7
force-pushed
the
add-jna-clearev-on-windows
branch
from
7045c75
to
a7257d3
Compare
|
As we want to conditionally load JNA in the future, we shouldn't rely on it for feature detection. |
sjanusz-r7
force-pushed
the
add-jna-clearev-on-windows
branch
from
39953c1
to
128ff6e
Compare
sjanusz-r7
force-pushed
the
add-jna-clearev-on-windows
branch
from
128ff6e
to
d660af5
Compare
| public class stdapi_sys_eventlog { | ||
| interface AdvAPILibrary extends Library { | ||
| AdvAPILibrary INSTANCE = Native.load( | ||
| (Platform.isWindows() ? "Advapi32" : "THIS SHOULD NEVER BE CALLED."), AdvAPILibrary.class, W32APIOptions.DEFAULT_OPTIONS); |
There was a problem hiding this comment.
Elsewhere in java meterpreter File.pathSeparatorChar == ';' is used as an IsWindows() function. e.g:
https://github.com/rapid7/metasploit-payloads/blob/master/java/meterpreter/stdapi/src/main/java/com/metasploit/meterpreter/stdapi/stdapi_sys_process_get_processes.java#L26
It might be worth pulling it's usage out into Utils.java or somewhere global and re-using it everywhere.
I can send you a pr with this change if needed
Nice work btw!
|
Closing this with the same reason as #529 (comment) |
This PR uses JNA to add the
clearevcommand against a Windows target.To successfully delete the event logs, the payload needs to have admin privs otherwise we get error code 5.
As of right now, the resulting
meterpreter.jarthat is being sent to the target has massively increased in size: it went fromSending stage (58376 bytes)to aboutSending stage (1812903 bytes)as I am including the full JNA library instead of just the jars we need for Windows.These commands are currently only being registered on Windows.