Landing rapid7#1463, Meatballs' cdecl fixes

Author: egypt

lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_wldap32.rb

@@ -16,14 +16,14 @@ def self.create_dll(dll_path = 'wldap32')
 				['PCHAR', 'HostName', 'in'],
 				['DWORD', 'PortNumber', 'in'],
 				['DWORD', 'secure', 'in']
-		])
+		], 'ldap_sslinitA', "cdecl")
 
 		dll.add_function('ldap_bind_sA', 'DWORD',[
 				['DWORD', 'ld', 'in'],
 				['PCHAR', 'dn', 'in'],
 				['PCHAR', 'cred', 'in'],
 				['DWORD', 'method', 'in']
-		])
+		], 'ldap_bind_sA', "cdecl")
 
 		dll.add_function('ldap_search_sA', 'DWORD',[
 				['DWORD', 'ld', 'in'],
@@ -33,70 +33,71 @@ def self.create_dll(dll_path = 'wldap32')
 				['PCHAR', 'attrs[]', 'in'],
 				['DWORD', 'attrsonly', 'in'],
 				['PDWORD', 'res', 'out']
-		])
+		], 'ldap_search_sA', "cdecl")
 
 		dll.add_function('ldap_count_entries', 'DWORD',[
 				['DWORD', 'ld', 'in'],
 				['DWORD', 'res', 'in']
-		])
-				dll.add_function('ldap_first_entry', 'DWORD',[
+		], "ldap_count_entries", "cdecl")
+
+		dll.add_function('ldap_first_entry', 'DWORD',[
 				['DWORD', 'ld', 'in'],
 				['DWORD', 'res', 'in']
-		])
+		], 'ldap_first_entry', "cdecl")
 
 		dll.add_function('ldap_next_entry', 'DWORD',[
 				['DWORD', 'ld', 'in'],
 				['DWORD', 'entry', 'in']
-		])
+		], 'ldap_next_entry', "cdecl")
 
 		dll.add_function('ldap_first_attributeA', 'DWORD',[
 				['DWORD', 'ld', 'in'],
 				['DWORD', 'entry', 'in'],
 				['DWORD', 'ptr', 'in']
-		])
+		], 'ldap_first_attributeA', "cdecl")
 
 		dll.add_function('ldap_next_attributeA', 'DWORD',[
 				['DWORD', 'ld', 'in'],
 				['DWORD', 'entry', 'in'],
 				['DWORD', 'ptr', 'inout']
-		])
+		], 'ldap_next_attributeA', "cdecl")
 
 		dll.add_function('ldap_count_values', 'DWORD',[
 				['DWORD', 'vals', 'in'],
-		])
+		], 'ldap_count_values', "cdecl")
 
 		dll.add_function('ldap_get_values', 'DWORD',[
 				['DWORD', 'ld', 'in'],
 				['DWORD', 'entry', 'in'],
 				['PCHAR', 'attr', 'in']
-		])
+		], 'ldap_get_values', "cdecl")
 
 		dll.add_function('ldap_value_free', 'DWORD',[
 				['DWORD', 'vals', 'in'],
-		])
+		], 'ldap_value_free', "cdecl")
 
 		dll.add_function('ldap_memfree', 'VOID',[
 				['DWORD', 'block', 'in'],
-		])
+		], 'ldap_memfree', "cdecl")
 
 		dll.add_function('ber_free', 'VOID',[
 				['DWORD', 'pBerElement', 'in'],
 				['DWORD', 'fbuf', 'in'],
-		])
+		], 'ber_free', "cdecl")
 
-		dll.add_function('LdapGetLastError', 'DWORD',[])
+		dll.add_function('LdapGetLastError', 'DWORD',[], 'LdapGetLastError', "cdecl")
 
 		dll.add_function('ldap_err2string', 'DWORD',[
 				['DWORD', 'err', 'in']
-		])
+		], 'ldap_err2string', "cdecl")
 
 		dll.add_function('ldap_msgfree', 'DWORD', [
 			['DWORD', 'res', 'in']
-		])
+		], 'ldap_msgfree', "cdecl")
 
 		dll.add_function('ldap_unbind', 'DWORD', [
 			['DWORD', 'ld', 'in']
-		])
+		], 'ldap_unbind', "cdecl")
 		return dll
 	end
 

lib/rex/post/meterpreter/extensions/stdapi/railgun/dll.rb

@@ -107,11 +107,11 @@ def call_function(func_symbol, args, client)
 	# When the new function is called it will return a list containing the
 	# return value and all inout params.  See #call_function.
 	#
-	def add_function(name, return_type, params, windows_name=nil)
+	def add_function(name, return_type, params, windows_name=nil, calling_conv="stdcall")
 		if windows_name == nil
 			windows_name = name
 		end
-		@functions[name] = DLLFunction.new(return_type, params, windows_name)
+		@functions[name] = DLLFunction.new(return_type, params, windows_name, calling_conv)
 	end
 
 	private
@@ -257,6 +257,7 @@ def process_function_call(function, args, client)
 
 		request.add_tlv(TLV_TYPE_RAILGUN_DLLNAME, @dll_path )
 		request.add_tlv(TLV_TYPE_RAILGUN_FUNCNAME, function.windows_name)
+		request.add_tlv(TLV_TYPE_RAILGUN_CALLCONV, function.calling_conv)
 
 		response = client.send_request(request)
 

lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_function.rb

@@ -48,20 +48,30 @@ class DLLFunction
 		"PBLOB"  => ["in", "out", "inout"],
 	}.freeze
 
+	@@allowed_convs = ["stdcall", "cdecl"]
+
 	@@directions = ["in", "out", "inout", "return"].freeze
 
-	attr_reader :return_type,  :params, :windows_name
+	attr_reader :return_type,  :params, :windows_name, :calling_conv
 
-	def initialize(return_type, params, windows_name)
+	def initialize(return_type, params, windows_name, calling_conv="stdcall")
 		check_return_type(return_type) # we do error checking as early as possible so the library is easier to use
 		check_params(params)
+		check_calling_conv(calling_conv)
 		@return_type = return_type
 		@params = params
 		@windows_name = windows_name
+		@calling_conv = calling_conv
 	end
 
 	private
 
+	def check_calling_conv(conv)
+		if not @@allowed_convs.include?(conv)
+			raise ArgumentError, "Calling convention unknown: #{conv}."
+		end
+	end
+
 	def check_type_exists (type)
 		if not @@allowed_datatypes.has_key?(type)
 			raise ArgumentError, "Type unknown: #{type}. Allowed types: #{PP.pp(@@allowed_datatypes.keys, "")}"

lib/rex/post/meterpreter/extensions/stdapi/railgun/railgun.rb

@@ -180,7 +180,7 @@ def memwrite(address, data, length)
 	# cached dlls) an unfrozen copy is created and used henceforth for this
 	# instance.
 	#
-	def add_function(dll_name, function_name, return_type, params, windows_name=nil)
+	def add_function(dll_name, function_name, return_type, params, windows_name=nil, calling_conv="stdcall")
 
 		unless known_dll_names.include?(dll_name)
 			raise "DLL #{dll_name} not found. Known DLLs: #{PP.pp(known_dll_names, "")}"
@@ -197,7 +197,7 @@ def add_function(dll_name, function_name, return_type, params, windows_name=nil)
 			dlls[dll_name] = dll
 		end
 
-		dll.add_function(function_name, return_type, params, windows_name)
+		dll.add_function(function_name, return_type, params, windows_name, calling_conv)
 	end
 
 	#

lib/rex/post/meterpreter/extensions/stdapi/railgun/tlv.rb

@@ -51,4 +51,5 @@ module Railgun
 TLV_TYPE_RAILGUN_MEM_DATA    =          TLV_META_TYPE_RAW   | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 13 )
 TLV_TYPE_RAILGUN_MEM_LENGTH  =          TLV_META_TYPE_UINT  | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 14 )
 
+TLV_TYPE_RAILGUN_CALLCONV =		TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_RAILGUN + TLV_EXTENSIONS + 15)
 end; end; end; end; end; end

modules/post/windows/gather/enum_ad_computers.rb

@@ -51,11 +51,6 @@ def read_value(addr)
 	end
 
 	def run
-		unless session.platform == "x64/win64"
-			print_error("Does not work in x86 meterpreter (use x64 instead) see: http://dev.metasploit.com/redmine/issues/7639");
-			return
-		end
-
 		print_status("Connecting to default LDAP server")
 		session_handle = bind_default_ldap_server