Fix up the TLVs that are now QWORD values in MSF

Various values were adjusted to become QWORD values in MSF an windows
meterpreter, but the changes were not ported over to python, php and
java. This commit fixes this inconsistency.

Author: OJ

data/meterpreter/ext_server_stdapi.php

@@ -6,10 +6,10 @@
 ##
 # General
 ##
-define("TLV_TYPE_HANDLE",              TLV_META_TYPE_UINT    |  600);
+define("TLV_TYPE_HANDLE",              TLV_META_TYPE_QWORD   |  600);
 define("TLV_TYPE_INHERIT",             TLV_META_TYPE_BOOL    |  601);
-define("TLV_TYPE_PROCESS_HANDLE",      TLV_META_TYPE_UINT    |  630);
-define("TLV_TYPE_THREAD_HANDLE",       TLV_META_TYPE_UINT    |  631);
+define("TLV_TYPE_PROCESS_HANDLE",      TLV_META_TYPE_QWORD   |  630);
+define("TLV_TYPE_THREAD_HANDLE",       TLV_META_TYPE_QWORD   |  631);
 
 ##
 # Fs
@@ -65,7 +65,7 @@
 define("PROCESS_EXECUTE_FLAG_USE_THREAD_TOKEN", (1 << 3));
 
 # Registry
-define("TLV_TYPE_HKEY",                TLV_META_TYPE_UINT    | 1000);
+define("TLV_TYPE_HKEY",                TLV_META_TYPE_QWORD   | 1000);
 define("TLV_TYPE_ROOT_KEY",            TLV_TYPE_HKEY);
 define("TLV_TYPE_BASE_KEY",            TLV_META_TYPE_STRING  | 1001);
 define("TLV_TYPE_PERMISSION",          TLV_META_TYPE_UINT    | 1002);
@@ -90,12 +90,12 @@
 define("DELETE_KEY_FLAG_RECURSIVE", (1 << 0));
 
 # Process
-define("TLV_TYPE_BASE_ADDRESS",        TLV_META_TYPE_UINT    | 2000);
+define("TLV_TYPE_BASE_ADDRESS",        TLV_META_TYPE_QWORD   | 2000);
 define("TLV_TYPE_ALLOCATION_TYPE",     TLV_META_TYPE_UINT    | 2001);
 define("TLV_TYPE_PROTECTION",          TLV_META_TYPE_UINT    | 2002);
 define("TLV_TYPE_PROCESS_PERMS",       TLV_META_TYPE_UINT    | 2003);
 define("TLV_TYPE_PROCESS_MEMORY",      TLV_META_TYPE_RAW     | 2004);
-define("TLV_TYPE_ALLOC_BASE_ADDRESS",  TLV_META_TYPE_UINT    | 2005);
+define("TLV_TYPE_ALLOC_BASE_ADDRESS",  TLV_META_TYPE_QWORD   | 2005);
 define("TLV_TYPE_MEMORY_STATE",        TLV_META_TYPE_UINT    | 2006);
 define("TLV_TYPE_MEMORY_TYPE",         TLV_META_TYPE_UINT    | 2007);
 define("TLV_TYPE_ALLOC_PROTECTION",    TLV_META_TYPE_UINT    | 2008);
@@ -109,16 +109,16 @@
 define("TLV_TYPE_IMAGE_FILE",          TLV_META_TYPE_STRING  | 2400);
 define("TLV_TYPE_IMAGE_FILE_PATH",     TLV_META_TYPE_STRING  | 2401);
 define("TLV_TYPE_PROCEDURE_NAME",      TLV_META_TYPE_STRING  | 2402);
-define("TLV_TYPE_PROCEDURE_ADDRESS",   TLV_META_TYPE_UINT    | 2403);
-define("TLV_TYPE_IMAGE_BASE",          TLV_META_TYPE_UINT    | 2404);
+define("TLV_TYPE_PROCEDURE_ADDRESS",   TLV_META_TYPE_QWORD   | 2403);
+define("TLV_TYPE_IMAGE_BASE",          TLV_META_TYPE_QWORD   | 2404);
 define("TLV_TYPE_IMAGE_GROUP",         TLV_META_TYPE_GROUP   | 2405);
 define("TLV_TYPE_IMAGE_NAME",          TLV_META_TYPE_STRING  | 2406);
 
 define("TLV_TYPE_THREAD_ID",           TLV_META_TYPE_UINT    | 2500);
 define("TLV_TYPE_THREAD_PERMS",        TLV_META_TYPE_UINT    | 2502);
 define("TLV_TYPE_EXIT_CODE",           TLV_META_TYPE_UINT    | 2510);
-define("TLV_TYPE_ENTRY_POINT",         TLV_META_TYPE_UINT    | 2511);
-define("TLV_TYPE_ENTRY_PARAMETER",     TLV_META_TYPE_UINT    | 2512);
+define("TLV_TYPE_ENTRY_POINT",         TLV_META_TYPE_QWORD   | 2511);
+define("TLV_TYPE_ENTRY_PARAMETER",     TLV_META_TYPE_QWORD   | 2512);
 define("TLV_TYPE_CREATION_FLAGS",      TLV_META_TYPE_UINT    | 2513);
 
 define("TLV_TYPE_REGISTER_NAME",       TLV_META_TYPE_STRING  | 2540);
@@ -137,7 +137,7 @@
 # Event Log
 ##
 define("TLV_TYPE_EVENT_SOURCENAME",    TLV_META_TYPE_STRING  | 4000);
-define("TLV_TYPE_EVENT_HANDLE",        TLV_META_TYPE_UINT    | 4001);
+define("TLV_TYPE_EVENT_HANDLE",        TLV_META_TYPE_QWORD   | 4001);
 define("TLV_TYPE_EVENT_NUMRECORDS",    TLV_META_TYPE_UINT    | 4002);
 
 define("TLV_TYPE_EVENT_READFLAGS",     TLV_META_TYPE_UINT    | 4003);

data/meterpreter/ext_server_stdapi.py

@@ -252,6 +252,7 @@ class RTATTR(ctypes.Structure):
 TLV_META_TYPE_UINT       = (1 << 17)
 TLV_META_TYPE_RAW        = (1 << 18)
 TLV_META_TYPE_BOOL       = (1 << 19)
+TLV_META_TYPE_QWORD      = (1 << 20)
 TLV_META_TYPE_COMPRESSED = (1 << 29)
 TLV_META_TYPE_GROUP      = (1 << 30)
 TLV_META_TYPE_COMPLEX    = (1 << 31)
@@ -284,10 +285,10 @@ class RTATTR(ctypes.Structure):
 ##
 # General
 ##
-TLV_TYPE_HANDLE                = TLV_META_TYPE_UINT    | 600
+TLV_TYPE_HANDLE                = TLV_META_TYPE_QWORD   | 600
 TLV_TYPE_INHERIT               = TLV_META_TYPE_BOOL    | 601
-TLV_TYPE_PROCESS_HANDLE        = TLV_META_TYPE_UINT    | 630
-TLV_TYPE_THREAD_HANDLE         = TLV_META_TYPE_UINT    | 631
+TLV_TYPE_PROCESS_HANDLE        = TLV_META_TYPE_QWORD   | 630
+TLV_TYPE_THREAD_HANDLE         = TLV_META_TYPE_QWORD   | 631
 
 ##
 # Fs
@@ -346,7 +347,7 @@ class RTATTR(ctypes.Structure):
 ##
 # Registry
 ##
-TLV_TYPE_HKEY                  = TLV_META_TYPE_UINT    | 1000
+TLV_TYPE_HKEY                  = TLV_META_TYPE_QWORD   | 1000
 TLV_TYPE_ROOT_KEY              = TLV_TYPE_HKEY
 TLV_TYPE_BASE_KEY              = TLV_META_TYPE_STRING  | 1001
 TLV_TYPE_PERMISSION            = TLV_META_TYPE_UINT    | 1002
@@ -376,12 +377,12 @@ class RTATTR(ctypes.Structure):
 ##
 # Process
 ##
-TLV_TYPE_BASE_ADDRESS          = TLV_META_TYPE_UINT    | 2000
+TLV_TYPE_BASE_ADDRESS          = TLV_META_TYPE_QWORD   | 2000
 TLV_TYPE_ALLOCATION_TYPE       = TLV_META_TYPE_UINT    | 2001
 TLV_TYPE_PROTECTION            = TLV_META_TYPE_UINT    | 2002
 TLV_TYPE_PROCESS_PERMS         = TLV_META_TYPE_UINT    | 2003
 TLV_TYPE_PROCESS_MEMORY        = TLV_META_TYPE_RAW     | 2004
-TLV_TYPE_ALLOC_BASE_ADDRESS    = TLV_META_TYPE_UINT    | 2005
+TLV_TYPE_ALLOC_BASE_ADDRESS    = TLV_META_TYPE_QWORD   | 2005
 TLV_TYPE_MEMORY_STATE          = TLV_META_TYPE_UINT    | 2006
 TLV_TYPE_MEMORY_TYPE           = TLV_META_TYPE_UINT    | 2007
 TLV_TYPE_ALLOC_PROTECTION      = TLV_META_TYPE_UINT    | 2008
@@ -397,16 +398,16 @@ class RTATTR(ctypes.Structure):
 TLV_TYPE_IMAGE_FILE            = TLV_META_TYPE_STRING  | 2400
 TLV_TYPE_IMAGE_FILE_PATH       = TLV_META_TYPE_STRING  | 2401
 TLV_TYPE_PROCEDURE_NAME        = TLV_META_TYPE_STRING  | 2402
-TLV_TYPE_PROCEDURE_ADDRESS     = TLV_META_TYPE_UINT    | 2403
-TLV_TYPE_IMAGE_BASE            = TLV_META_TYPE_UINT    | 2404
+TLV_TYPE_PROCEDURE_ADDRESS     = TLV_META_TYPE_QWORD   | 2403
+TLV_TYPE_IMAGE_BASE            = TLV_META_TYPE_QWORD   | 2404
 TLV_TYPE_IMAGE_GROUP           = TLV_META_TYPE_GROUP   | 2405
 TLV_TYPE_IMAGE_NAME            = TLV_META_TYPE_STRING  | 2406
 
 TLV_TYPE_THREAD_ID             = TLV_META_TYPE_UINT    | 2500
 TLV_TYPE_THREAD_PERMS          = TLV_META_TYPE_UINT    | 2502
 TLV_TYPE_EXIT_CODE             = TLV_META_TYPE_UINT    | 2510
-TLV_TYPE_ENTRY_POINT           = TLV_META_TYPE_UINT    | 2511
-TLV_TYPE_ENTRY_PARAMETER       = TLV_META_TYPE_UINT    | 2512
+TLV_TYPE_ENTRY_POINT           = TLV_META_TYPE_QWORD   | 2511
+TLV_TYPE_ENTRY_PARAMETER       = TLV_META_TYPE_QWORD   | 2512
 TLV_TYPE_CREATION_FLAGS        = TLV_META_TYPE_UINT    | 2513
 
 TLV_TYPE_REGISTER_NAME         = TLV_META_TYPE_STRING  | 2540
@@ -425,7 +426,7 @@ class RTATTR(ctypes.Structure):
 # Event Log
 ##
 TLV_TYPE_EVENT_SOURCENAME      = TLV_META_TYPE_STRING  | 4000
-TLV_TYPE_EVENT_HANDLE          = TLV_META_TYPE_UINT    | 4001
+TLV_TYPE_EVENT_HANDLE          = TLV_META_TYPE_QWORD   | 4001
 TLV_TYPE_EVENT_NUMRECORDS      = TLV_META_TYPE_UINT    | 4002
 
 TLV_TYPE_EVENT_READFLAGS       = TLV_META_TYPE_UINT    | 4003

data/meterpreter/meterpreter.php

@@ -125,6 +125,7 @@ function socket_set_option($sock, $type, $opt, $value) {
 define("TLV_META_TYPE_UINT",       (1 << 17));
 define("TLV_META_TYPE_RAW",        (1 << 18));
 define("TLV_META_TYPE_BOOL",       (1 << 19));
+define("TLV_META_TYPE_QWORD",      (1 << 20));
 define("TLV_META_TYPE_COMPRESSED", (1 << 29));
 define("TLV_META_TYPE_GROUP",      (1 << 30));
 define("TLV_META_TYPE_COMPLEX",    (1 << 31));
@@ -655,6 +656,11 @@ function tlv_pack($tlv) {
     if (($tlv['type'] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING) {
         $ret = pack("NNa*", 8 + strlen($tlv['value'])+1, $tlv['type'], $tlv['value'] . "\0");
     }
+    elseif (($tlv['type'] & TLV_META_TYPE_QWORD) == TLV_META_TYPE_QWORD) {
+        $hi = ($tlv['value'] >> 32) & 0xFFFFFFFF;
+        $lo = $tlv['value'] & 0xFFFFFFFF;
+        $ret = pack("NNNN", 8 + 8, $tlv['type'], $hi, $lo);
+    }
     elseif (($tlv['type'] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT) {
         $ret = pack("NNN", 8 + 4, $tlv['type'], $tlv['value']);
     }
@@ -693,6 +699,10 @@ function tlv_unpack($raw_tlv) {
     elseif (($type & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT) {
         $tlv = unpack("Nlen/Ntype/Nvalue", substr($raw_tlv, 0, $tlv['len']));
     }
+    elseif (($type & TLV_META_TYPE_QWORD) == TLV_META_TYPE_QWORD) {
+        $tlv = unpack("Nlen/Ntype/Nhi/Nlo", substr($raw_tlv, 0, $tlv['len']));
+        $tlv['value'] = $tlv['hi'] << 32 | $tlv['lo'];
+    }
     elseif (($type & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL) {
         $tlv = unpack("Nlen/Ntype/cvalue", substr($raw_tlv, 0, $tlv['len']));
     }

data/meterpreter/meterpreter.py

@@ -54,6 +54,7 @@
 TLV_META_TYPE_UINT       = (1 << 17)
 TLV_META_TYPE_RAW        = (1 << 18)
 TLV_META_TYPE_BOOL       = (1 << 19)
+TLV_META_TYPE_QWORD      = (1 << 20)
 TLV_META_TYPE_COMPRESSED = (1 << 29)
 TLV_META_TYPE_GROUP      = (1 << 30)
 TLV_META_TYPE_COMPLEX    = (1 << 31)
@@ -150,6 +151,8 @@ def packet_enum_tlvs(pkt, tlv_type = None):
 				val = str(val.split(NULL_BYTE, 1)[0])
 			elif (tlv[1] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
 				val = struct.unpack('>I', val)[0]
+			elif (tlv[1] & TLV_META_TYPE_QWORD) == TLV_META_TYPE_QWORD:
+				val = struct.unpack('>Q', val)[0]
 			elif (tlv[1] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL:
 				val = bool(struct.unpack('b', val)[0])
 			elif (tlv[1] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW:
@@ -175,6 +178,8 @@ def tlv_pack(*args):
 	data = ""
 	if (tlv['type'] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
 		data = struct.pack('>III', 12, tlv['type'], tlv['value'])
+	elif (tlv['type'] & TLV_META_TYPE_QWORD) == TLV_META_TYPE_QWORD:
+		data = struct.pack('>IIQ', 16, tlv['type'], tlv['value'])
 	elif (tlv['type'] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL:
 		data = struct.pack('>II', 9, tlv['type']) + bytes(chr(int(bool(tlv['value']))), 'UTF-8')
 	else:

lib/rex/post/meterpreter/extensions/stdapi/tlv.rb

@@ -148,7 +148,7 @@ module Stdapi
 TLV_TYPE_IMAGE_FILE_PATH    = TLV_META_TYPE_STRING  | 2401
 TLV_TYPE_PROCEDURE_NAME     = TLV_META_TYPE_STRING  | 2402
 TLV_TYPE_PROCEDURE_ADDRESS  = TLV_META_TYPE_QWORD   | 2403
-TLV_TYPE_IMAGE_BASE         = TLV_META_TYPE_UINT    | 2404
+TLV_TYPE_IMAGE_BASE         = TLV_META_TYPE_QWORD   | 2404
 TLV_TYPE_IMAGE_GROUP        = TLV_META_TYPE_GROUP   | 2405
 TLV_TYPE_IMAGE_NAME         = TLV_META_TYPE_STRING  | 2406