Stream audio data via channel (MS-2725).

Author: pbarry-r7

lib/rex/post/meterpreter/channels/pools/audio.rb

@@ -0,0 +1,103 @@
+# -*- coding: binary -*-
+
+require 'rex/post/meterpreter/channels/pool'
+require 'rex/post/meterpreter/extensions/stdapi/tlv'
+
+module Rex
+module Post
+module Meterpreter
+module Channels
+module Pools
+
+###
+#
+# StreamPool
+# ----------
+#
+# This class represents a channel that is associated with a
+# streaming pool that has no definite end-point.  While this
+# may seem a paradox given the stream class of channels, it's
+# in fact dinstinct because streams automatically forward
+# traffic between the two ends of the channel whereas
+# stream pools are always requested data in a single direction.
+#
+###
+class AudioStreamPool < Rex::Post::Meterpreter::Channels::Pool
+
+  include Rex::IO::StreamAbstraction
+
+  ##
+  #
+  # Constructor
+  #
+  ##
+
+  # Initializes the file channel instance
+  def initialize(client, cid, type, flags)
+    super(client, cid, type, flags)
+
+    initialize_abstraction
+  end
+
+  ##
+  #
+  # Streaming pools don't support tell, seek, or eof.
+  #
+  ##
+
+  #
+  # This method returns the current offset into the pool.
+  #
+  def tell
+    raise NotImplementedError
+  end
+
+  #
+  # This method seeks to an offset in the pool.
+  #
+  def seek
+    raise NotImplementedError
+  end
+
+  #
+  # This method returns whether or not eof has been returned.
+  #
+  def eof
+    return false
+  end
+
+  #
+  # Transfers data to the local half of the pool for reading.
+  #
+  def dio_write_handler(packet, data)
+    rv = Rex::ThreadSafe.select(nil, [rsock], nil, 0.01)
+    if(rv)
+      rsock.write(data)
+      return true
+    else
+      return false
+    end
+  end
+
+  #
+  # Closes the local half of the pool stream.
+  #
+  def dio_close_handler(packet)
+    rsock.close
+
+    return super(packet)
+  end
+
+  #
+  # Cleans up resources used by the channel.
+  #
+  def cleanup
+    super
+
+    cleanup_abstraction
+  end
+
+end
+
+end; end; end; end; end
+

lib/rex/post/meterpreter/channels/pools/audio_stream_pool.rb

@@ -1,7 +1,7 @@
 # -*- coding: binary -*-
 
 require 'rex/post/meterpreter/channel'
-require 'rex/post/meterpreter/channels/pools/audio'
+require 'rex/post/meterpreter/channels/pools/audio_stream_pool'
 
 module Rex
   module Post
@@ -40,6 +40,15 @@ def mic_start
                 request = Packet.create_request('audio_mic_start')
                 request.add_tlv(TLV_TYPE_AUDIO_INTERFACE_NAME, 0)
                 response = client.send_request(request)
+                #channel_id = response.get_tlv_value(TLV_TYPE_CHANNEL_ID)
+                # If we were creating a channel out of this
+
+                channel = Channel.create(client, 'audio_mic', Rex::Post::Meterpreter::Channels::Pools::AudioStreamPool, CHANNEL_FLAG_SYNCHRONOUS)
+
+                #if (channel_id != nil)
+                #  channel = Rex::Post::Meterpreter::Channels::Pools::StreamPool.new(client,
+                #    channel_id, "audio_mic", CHANNEL_FLAG_SYNCHRONOUS)
+                #end
               end
 
               def mic_get_frame(quality)

lib/rex/post/meterpreter/extensions/stdapi/mic/mic.rb

@@ -49,6 +49,29 @@ def cmd_mic_list
             end
           end
 
+          def audio_file_wave_header(sample_rate_hz, num_channels, bits_per_sample, data_size)
+            subchunk1_size = 16
+            chunk_size = 4 + (8 + subchunk1_size) + (8 + data_size)
+            byte_rate = sample_rate_hz * num_channels * bits_per_sample / 8
+            block_align = num_channels * bits_per_sample / 8
+
+            [
+              BinData::Int32be.new(0x52494646),      # ChunkID: "RIFF"
+              BinData::Int32le.new(chunk_size),      # ChunkSize
+              BinData::Int32be.new(0x57415645),      # Format: "WAVE"
+              BinData::Int32be.new(0x666d7420),      # SubChunk1ID: "fmt "
+              BinData::Int32le.new(16),              # SubChunk1Size
+              BinData::Int16le.new(1),               # AudioFormat
+              BinData::Int16le.new(num_channels),    # NumChannels
+              BinData::Int32le.new(sample_rate_hz),  # SampleRate
+              BinData::Int32le.new(byte_rate),       # ByteRate
+              BinData::Int16le.new(block_align),     # BlockAlign
+              BinData::Int16le.new(bits_per_sample), # BitsPerSample
+              BinData::Int32be.new(0x64617461),      # SubChunk2ID: "data"
+              BinData::Int32le.new(data_size)        # SubChunk2Size
+            ]
+          end
+
           def cmd_mic_start(start_delay=4096)
             print_status("Streaming mic audio channel...")
 
@@ -66,39 +89,20 @@ def cmd_mic_start(start_delay=4096)
             print_status("Streaming...")
 
             begin
-              client.mic.mic_start
+              channel = client.mic.mic_start
               mic_started = true
               ::Timeout.timeout(duration) do
                 ::File.open(stream_path, 'wb') do |outfd|
-                  numchannels = 1
-                  sampleratehz = 11025
-                  bitspersample = 16
-                  datasize = 2000000000
-                  subchunk1size = 16
-                  chunksize = 4 + (8 + subchunk1size) + (8 + datasize)
-                  byterate = sampleratehz * numchannels * bitspersample / 8
-                  blockalign = numchannels * bitspersample / 8
-
-                  BinData::Int32be.new(0x52494646).write(outfd)    # ChunkID: "RIFF"
-                  BinData::Int32le.new(chunksize).write(outfd)     # ChunkSize
-                  BinData::Int32be.new(0x57415645).write(outfd)    # Format: "WAVE"
-                  BinData::Int32be.new(0x666d7420).write(outfd)    # SubChunk1ID: "fmt "
-                  BinData::Int32le.new(16).write(outfd)            # SubChunk1Size
-                  BinData::Int16le.new(1).write(outfd)             # AudioFormat
-                  BinData::Int16le.new(numchannels).write(outfd)   # NumChannels
-                  BinData::Int32le.new(sampleratehz).write(outfd)  # SampleRate
-                  BinData::Int32le.new(byterate).write(outfd)      # ByteRate
-                  BinData::Int16le.new(blockalign).write(outfd)    # BlockAlign
-                  BinData::Int16le.new(bitspersample).write(outfd) # BitsPerSample
-                  BinData::Int32be.new(0x64617461).write(outfd)    # SubChunk2ID: "data"
-                  BinData::Int32le.new(datasize).write(outfd)      # SubChunk2Size
+                  audio_file_wave_header(11025, 1, 16, 2000000000).each { |e| e.write(outfd) }
                 end
                 stream_index = 0
                 while client do
                   if stream_index == start_delay
                     cmd_listen(stream_path)
                   end
-                  data = client.mic.mic_get_frame(quality)
+                  Rex::sleep(0.5)
+                  #data = client.mic.mic_get_frame(quality)
+                  data = channel.read(65536)
                   if data
                     ::File.open(stream_path, 'a') do |f|
                       f.write(data)