Land #17190, fix bufptr data type in netapi32

space-r7
2022-11-01 15:01:44 -05:00
3 changed files with 16 additions and 15 deletions
+5 -5
@@ -604,7 +604,7 @@ module Msf
result = client.railgun.netapi32.NetGroupGetUsers(server_name, groupname, 0, 4, 4096, 4, 4, 0)
if (result['return'] == 0) && ((result['totalentries'] % 4294967296) != 0)
begin
members_info_addr = result['bufptr'].unpack1('V')
members_info_addr = result['bufptr']
unless members_info_addr == 0
# Railgun assumes PDWORDS are pointers and returns 8 bytes for x64 architectures.
# Therefore we need to truncate the result value to an actual
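Review bot: The new line `members_info_addr = result['bufptr']` only works because bufptr is now declared PLPVOID and that alias resolves to PULONG_PTR, so Railgun hands back a pointer-sized Integer; nothing near the assignment says so, and the comment right below it still only explains the PDWORD truncation of totalentries, so a later reader could easily reintroduce the `unpack1('V')` this commit removes. I would put `# bufptr is a PLPVOID (LPVOID* out-param): Railgun already returns it as a pointer-sized Integer, so it must not be unpacked as a 32-bit DWORD.` above the assignment. The same applies to the four later hunks for NetLocalGroupGetMembers, NetUserEnum, NetLocalGroupEnum and NetGroupEnum. The buffer behind this address is allocated by the Net API and is presumably released with NetApiBufferFree further down; that call is outside the hunk, so I could not confirm it. The enclosing method starts and ends outside the hunk.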
@@ -641,7 +641,7 @@ module Msf
result = client.railgun.netapi32.NetLocalGroupGetMembers(server_name, localgroupname, 3, 4, 4096, 4, 4, 0)
if (result['return'] == 0) && ((result['totalentries'] % 4294967296) != 0)
begin
members_info_addr = result['bufptr'].unpack1('V')
members_info_addr = result['bufptr']
unless members_info_addr == 0
members_info = session.railgun.util.read_array(LOCALGROUP_MEMBERS_INFO, (result['totalentries'] % 4294967296), members_info_addr)
for member in members_info
@@ -675,7 +675,7 @@ module Msf
result = client.railgun.netapi32.NetUserEnum(server_name, 0, client.railgun.const(filter), 4, 4096, 4, 4, 0)
if (result['return'] == 0) && ((result['totalentries'] % 4294967296) != 0)
begin
user_info_addr = result['bufptr'].unpack1('V')
user_info_addr = result['bufptr']
unless user_info_addr == 0
user_info = session.railgun.util.read_array(USER_INFO, (result['totalentries'] % 4294967296), user_info_addr)
for member in user_info
@@ -708,7 +708,7 @@ module Msf
result = client.railgun.netapi32.NetLocalGroupEnum(server_name, 0, 4, 4096, 4, 4, 0)
if (result['return'] == 0) && ((result['totalentries'] % 4294967296) != 0)
begin
localgroup_info_addr = result['bufptr'].unpack1('V')
localgroup_info_addr = result['bufptr']
unless localgroup_info_addr == 0
localgroup_info = session.railgun.util.read_array(LOCALGROUP_INFO, (result['totalentries'] % 4294967296), localgroup_info_addr)
for member in localgroup_info
@@ -741,7 +741,7 @@ module Msf
result = client.railgun.netapi32.NetGroupEnum(server_name, 0, 4, 4096, 4, 4, 0)
if (result['return'] == 0) && ((result['totalentries'] % 4294967296) != 0)
begin
group_info_addr = result['bufptr'].unpack1('V')
group_info_addr = result['bufptr']
unless group_info_addr == 0
group_info = session.railgun.util.read_array(GROUP_INFO, (result['totalentries'] % 4294967296), group_info_addr)
for member in group_info
@@ -22,14 +22,14 @@ class Def_windows_netapi32
["PBLOB","DomainGuid","in"],
["PWCHAR","SiteName","in"],
["DWORD","Flags","in"],
["PDWORD","DomainControllerInfo","out"]
["PLPVOID","DomainControllerInfo","out"]
])
dll.add_function('NetUserEnum', 'DWORD', [
["PWCHAR","servername","in"],
["DWORD","level","in"],
["DWORD","filter","in"],
["PBLOB","bufptr","out"],
["PLPVOID","bufptr","out"],
["DWORD","prefmaxlen","in"],
["PDWORD","entriesread","out"],
["PDWORD","totalentries","out"],
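Review bot: Retyping `DomainControllerInfo` from PDWORD to PLPVOID changes what callers get back — an Integer address rather than a value they unpack — and unlike the bufptr parameters, whose callers are updated elsewhere in this commit, I do not see a matching caller change for this parameter; worth confirming that any code reading `result['DomainControllerInfo']` already treats it as an address. The bufptr retyping itself is correct for an LPVOID* out-parameter and is repeated identically in the hunks at -39, -49, -72, -83, -127, -139, -150 and -161. Every buffer returned through these pointers is allocated by the Net API and has to be released with NetApiBufferFree, so that function should be declared in this definition file as well; its declaration is not within any hunk here. As a point of style, the -161 hunk uses single-quoted strings while the rest of the file uses double quotes. Each add_function call continues outside its hunk.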
@@ -39,7 +39,7 @@ class Def_windows_netapi32
dll.add_function('NetLocalGroupEnum', 'DWORD', [
["PWCHAR","servername","in"],
["DWORD","level","in"],
["PBLOB","bufptr","out"],
["PLPVOID","bufptr","out"],
["DWORD","prefmaxlen","in"],
["PDWORD","entriesread","out"],
["PDWORD","totalentries","out"],
@@ -49,7 +49,7 @@ class Def_windows_netapi32
dll.add_function('NetGroupEnum', 'DWORD', [
["PWCHAR","servername","in"],
["DWORD","level","in"],
["PBLOB","bufptr","out"],
["PLPVOID","bufptr","out"],
["DWORD","prefmaxlen","in"],
["PDWORD","entriesread","out"],
["PDWORD","totalentries","out"],
@@ -72,7 +72,7 @@ class Def_windows_netapi32
["PWCHAR","servername","in"],
["PWCHAR","groupname","in"],
["DWORD","level","in"],
["PBLOB","bufptr","out"],
["PLPVOID","bufptr","out"],
["DWORD","prefmaxlen","in"],
["PDWORD","entriesread","out"],
["PDWORD","totalentries","out"],
@@ -83,7 +83,7 @@ class Def_windows_netapi32
["PWCHAR","servername","in"],
["PWCHAR","localgroupname","in"],
["DWORD","level","in"],
["PBLOB","bufptr","out"],
["PLPVOID","bufptr","out"],
["DWORD","prefmaxlen","in"],
["PDWORD","entriesread","out"],
["PDWORD","totalentries","out"],
@@ -127,7 +127,7 @@ class Def_windows_netapi32
dll.add_function('NetServerEnum', 'DWORD',[
["PWCHAR","servername","in"],
["DWORD","level","in"],
["PDWORD","bufptr","out"],
["PLPVOID","bufptr","out"],
["DWORD","prefmaxlen","in"],
["PDWORD","entriesread","out"],
["PDWORD","totalentries","out"],
@@ -139,7 +139,7 @@ class Def_windows_netapi32
dll.add_function('NetWkstaUserEnum', 'DWORD', [
["PWCHAR","servername","in"],
["DWORD","level","in"],
["PDWORD","bufptr","out"],
["PLPVOID","bufptr","out"],
["DWORD","prefmaxlen","in"],
["PDWORD","entriesread","out"],
["PDWORD","totalentries","out"],
@@ -150,7 +150,7 @@ class Def_windows_netapi32
["PWCHAR","servername","in"],
["PWCHAR","username","in"],
["DWORD","level","in"],
["PDWORD","bufptr","out"],
["PLPVOID","bufptr","out"],
["DWORD","prefmaxlen","in"],
["PDWORD","entriesread","out"],
["PDWORD","totalentries","out"]
@@ -161,7 +161,7 @@ class Def_windows_netapi32
['PWCHAR','UncClientName','in'],
['PWCHAR','username','in'],
['DWORD','level','in'],
['PDWORD','bufptr','out'],
['PLPVOID','bufptr','out'],
['DWORD','prefmaxlen','in'],
['PDWORD','entriesread','out'],
['PDWORD','totalentries','out'],
@@ -50,6 +50,7 @@ class Library
'PHANDLE' => 'PULONG_PTR',
'SIZE_T' => 'ULONG_PTR',
'PSIZE_T' => 'PULONG_PTR',
'PLPVOID' => 'PULONG_PTR'
}.freeze
attr_accessor :functions
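Review bot: The new `'PLPVOID' => 'PULONG_PTR'` alias carries no explanation, yet it is the line that determines whether every bufptr touched by this commit comes back as an Integer or as a blob, so it deserves a comment: `# LPVOID* out-params: the callee stores a pointer in the slot, so read it back as a native-width unsigned integer (an address), not as a blob`. The entry is appended as the last element of a frozen hash without a trailing comma, which matches the existing entries' style. The hash's opening line is outside the hunk.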