Land rapid7#17562, Fix incorrect defs in def_wldap32.rb
Fix incorrect definitions for ldap_search functions in def_wldap32.rb
smcintyre-r7 committed Feb 23, 2023
2 parents f4549b0 + 42bd87e commit fbf2e5d
Showing 5 changed files with 79 additions and 64 deletions.
2 changes: 1 addition & 1 deletion lib/msf/core/post/windows/ldap.rb
Expand Up @@ -368,7 +368,7 @@ def bind_default_ldap_server(size_limit, domain = nil)
vprint_status("LDAP Handle: #{session_handle}")

vprint_status('Setting Sizelimit Option')
wldap32.ldap_set_option(session_handle, LDAP_OPT_SIZELIMIT, size_limit)
wldap32.ldap_set_option(session_handle, LDAP_OPT_SIZELIMIT, [size_limit].pack('V'))

vprint_status('Binding to LDAP server')
bind_result = wldap32.ldap_bind_sA(session_handle, nil, nil, LDAP_AUTH_NEGOTIATE)
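Review bot: The result of the changed `wldap32.ldap_set_option(...)` call is discarded, so a failed option set (a non-zero LDAP status in the response, presumably under the same 'return' key the bind result uses) goes unnoticed and the bind proceeds with whatever size limit the server defaults to. Capture it and check it the way bind_result is handled a few lines down, e.g. `opt_result = wldap32.ldap_set_option(session_handle, LDAP_OPT_SIZELIMIT, [size_limit].pack('V'))` followed by a `print_error` and early return when `opt_result['return'] != 0`. `[size_limit].pack('V')` also raises TypeError when size_limit is nil or a String, so the method now requires an Integer; a YARD `@param size_limit [Integer] maximum number of entries, packed as a 32-bit ULONG for LDAP_OPT_SIZELIMIT` would make that explicit. bind_default_ldap_server starts and ends outside the hunk.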
Expand Up @@ -12,111 +12,111 @@ class Def_windows_wldap32
def self.create_library(constant_manager, library_path = 'wldap32')
dll = Library.new(library_path, constant_manager)

dll.add_function('ldap_sslinitA', 'DWORD',[
dll.add_function('ldap_sslinitA', 'LPVOID',[
['PCHAR', 'HostName', 'in'],
['DWORD', 'PortNumber', 'in'],
['ULONG', 'PortNumber', 'in'],
['DWORD', 'secure', 'in']
], 'ldap_sslinitA', "cdecl")

dll.add_function('ldap_bind_sA', 'DWORD',[
['DWORD', 'ld', 'in'],
dll.add_function('ldap_bind_sA', 'ULONG',[
['LPVOID', 'ld', 'in'],
['PCHAR', 'dn', 'in'],
['PCHAR', 'cred', 'in'],
['DWORD', 'method', 'in']
['ULONG', 'method', 'in']
], 'ldap_bind_sA', "cdecl")

dll.add_function('ldap_search_sA', 'DWORD',[
['DWORD', 'ld', 'in'],
dll.add_function('ldap_search_sA', 'ULONG',[
['LPVOID', 'ld', 'in'],
['PCHAR', 'base', 'in'],
['DWORD', 'scope', 'in'],
['ULONG', 'scope', 'in'],
['PCHAR', 'filter', 'in'],
['PCHAR', 'attrs[]', 'in'],
['DWORD', 'attrsonly', 'in'],
['PDWORD', 'res', 'out']
['ULONG', 'attrsonly', 'in'],
['PLPVOID', 'res', 'out']
], 'ldap_search_sA', "cdecl")

dll.add_function('ldap_set_option', 'DWORD',[
['DWORD', 'ld', 'in'],
dll.add_function('ldap_set_option', 'ULONG',[
['LPVOID', 'ld', 'in'],
['DWORD', 'option', 'in'],
['PDWORD', 'invalue', 'in']
['PBLOB', 'invalue', 'in']
], 'ldap_set_option', "cdecl")

dll.add_function('ldap_search_ext_sA', 'DWORD',[
['DWORD', 'ld', 'in'],
dll.add_function('ldap_search_ext_sA', 'ULONG',[
['LPVOID', 'ld', 'in'],
['PCHAR', 'base', 'in'],
['DWORD', 'scope', 'in'],
['ULONG', 'scope', 'in'],
['PCHAR', 'filter', 'in'],
['PCHAR', 'attrs[]', 'in'],
['DWORD', 'attrsonly', 'in'],
['DWORD', 'pServerControls', 'in'],
['DWORD', 'pClientControls', 'in'],
['DWORD', 'pTimeout', 'in'],
['DWORD', 'SizeLimit', 'in'],
['PDWORD', 'res', 'out']
['ULONG', 'attrsonly', 'in'],
['LPVOID', 'pServerControls', 'in'],
['LPVOID', 'pClientControls', 'in'],
['PBLOB', 'pTimeout', 'in'],
['ULONG', 'SizeLimit', 'in'],
['PLPVOID', 'res', 'out']
], 'ldap_search_ext_sA', "cdecl")

dll.add_function('ldap_count_entries', 'DWORD',[
['DWORD', 'ld', 'in'],
['DWORD', 'res', 'in']
dll.add_function('ldap_count_entries', 'ULONG',[
['LPVOID', 'ld', 'in'],
['LPVOID', 'res', 'in']
], "ldap_count_entries", "cdecl")

dll.add_function('ldap_first_entry', 'DWORD',[
['DWORD', 'ld', 'in'],
['DWORD', 'res', 'in']
dll.add_function('ldap_first_entry', 'LPVOID',[
['LPVOID', 'ld', 'in'],
['LPVOID', 'res', 'in']
], 'ldap_first_entry', "cdecl")

dll.add_function('ldap_next_entry', 'DWORD',[
['DWORD', 'ld', 'in'],
['DWORD', 'entry', 'in']
dll.add_function('ldap_next_entry', 'LPVOID',[
['LPVOID', 'ld', 'in'],
['LPVOID', 'entry', 'in']
], 'ldap_next_entry', "cdecl")

dll.add_function('ldap_first_attributeA', 'DWORD',[
['DWORD', 'ld', 'in'],
['DWORD', 'entry', 'in'],
['DWORD', 'ptr', 'in']
dll.add_function('ldap_first_attributeA', 'PCHAR',[
['LPVOID', 'ld', 'in'],
['LPVOID', 'entry', 'in'],
['PLPVOID', 'ptr', 'out']
], 'ldap_first_attributeA', "cdecl")

dll.add_function('ldap_next_attributeA', 'DWORD',[
['DWORD', 'ld', 'in'],
['DWORD', 'entry', 'in'],
['DWORD', 'ptr', 'inout']
dll.add_function('ldap_next_attributeA', 'PCHAR',[
['LPVOID', 'ld', 'in'],
['LPVOID', 'entry', 'in'],
['LPVOID', 'ptr', 'inout']
], 'ldap_next_attributeA', "cdecl")

dll.add_function('ldap_count_values', 'DWORD',[
['DWORD', 'vals', 'in'],
dll.add_function('ldap_count_values', 'ULONG',[
['LPVOID', 'vals', 'in'],
], 'ldap_count_values', "cdecl")

dll.add_function('ldap_get_values', 'DWORD',[
['DWORD', 'ld', 'in'],
['DWORD', 'entry', 'in'],
dll.add_function('ldap_get_values', 'LPVOID',[
['LPVOID', 'ld', 'in'],
['LPVOID', 'entry', 'in'],
['PCHAR', 'attr', 'in']
], 'ldap_get_values', "cdecl")

dll.add_function('ldap_value_free', 'DWORD',[
['DWORD', 'vals', 'in'],
dll.add_function('ldap_value_free', 'ULONG',[
['LPVOID', 'vals', 'in'],
], 'ldap_value_free', "cdecl")

dll.add_function('ldap_memfree', 'VOID',[
['DWORD', 'block', 'in'],
['PCHAR', 'block', 'in'],
], 'ldap_memfree', "cdecl")

dll.add_function('ber_free', 'VOID',[
['DWORD', 'pBerElement', 'in'],
['LPVOID', 'pBerElement', 'in'],
['DWORD', 'fbuf', 'in'],
], 'ber_free', "cdecl")

dll.add_function('LdapGetLastError', 'DWORD',[], 'LdapGetLastError', "cdecl")
dll.add_function('LdapGetLastError', 'ULONG', [], 'LdapGetLastError', "cdecl")

dll.add_function('ldap_err2string', 'DWORD',[
['DWORD', 'err', 'in']
dll.add_function('ldap_err2string', 'PCHAR',[
['ULONG', 'err', 'in']
], 'ldap_err2string', "cdecl")

dll.add_function('ldap_msgfree', 'DWORD', [
['DWORD', 'res', 'in']
dll.add_function('ldap_msgfree', 'ULONG', [
['LPVOID', 'res', 'in']
], 'ldap_msgfree', "cdecl")

dll.add_function('ldap_unbind', 'DWORD', [
['DWORD', 'ld', 'in']
dll.add_function('ldap_unbind', 'ULONG', [
['LPVOID', 'ld', 'in']
], 'ldap_unbind', "cdecl")
return dll
end
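Review bot: `ldap_next_attributeA` still declares its third parameter as `['LPVOID', 'ptr', 'inout']`, which conflicts with the direction table shown as context in the library_function.rb hunk of this same commit, where `'LPVOID' => ['in', 'return']` lists no 'inout'; the sibling `ldap_first_attributeA` was changed to `['PLPVOID', 'ptr', 'out']` and this line looks like it was missed. ldap_next_attributeA receives the BerElement pointer produced by ldap_first_attributeA by value, so `['LPVOID', 'ptr', 'in']` is presumably the intended definition, and if LibraryFunction validates directions against that table the current line would fail at library creation rather than at call time. Separately, `attrs[]` on ldap_search_sA and ldap_search_ext_sA remains `'PCHAR'` although the parameter is an array of PCHAR terminated by NULL; if that is deliberate, a short comment on what callers must pass there would prevent the next reader from "fixing" it. create_library fits entirely within the hunk.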
23 changes: 19 additions & 4 deletions lib/rex/post/meterpreter/extensions/stdapi/railgun/library.rb
Expand Up @@ -51,6 +51,7 @@ class Library
'SIZE_T' => 'ULONG_PTR',
'PSIZE_T' => 'PULONG_PTR',
'PLPVOID' => 'PULONG_PTR',
'ULONG' => 'DWORD',
'PULONG' => 'PDWORD'
}.freeze

Expand Down Expand Up @@ -272,8 +273,8 @@ def build_packet_and_layouts(packet, function, args, arch)
[packet, layouts]
end

def build_response(packet, function, layouts, arch)
case arch
def build_response(packet, function, layouts, client)
case client.native_arch
when ARCH_X64
native = 'Q<'
when ARCH_X86
Expand All @@ -300,7 +301,7 @@ def build_response(packet, function, layouts, arch)
# process return value
case function.return_type
when 'LPVOID', 'ULONG_PTR'
if arch == ARCH_X64
if client.native_arch == ARCH_X64
return_hash['return'] = rec_return_value
else
return_hash['return'] = rec_return_value & 0xffffffff
Expand All @@ -315,6 +316,20 @@ def build_response(packet, function, layouts, arch)
return_hash['return'] = (rec_return_value != 0)
when 'VOID'
return_hash['return'] = nil
when 'PCHAR'
return_hash['return'] = rec_return_value == 0 ? nil : client.railgun.util.read_string(rec_return_value)
return_hash['&return'] = rec_return_value
when 'PWCHAR'
return_hash['return'] = rec_return_value == 0 ? nil : client.railgun.util.read_wstring(rec_return_value)
return_hash['&return'] = rec_return_value
when 'PULONG_PTR'
if client.native_arch == ARCH_X64
return_hash['return'] = rec_return_value == 0 ? nil : client.railgun.util.memread(rec_return_value, 8)&.unpack1('Q<')
return_hash['&return'] = rec_return_value
else
return_hash['return'] = rec_return_value == 0 ? nil : client.railgun.util.memread(rec_return_value, 4)&.unpack1('V')
return_hash['&return'] = rec_return_value
end
else
raise "unexpected return type: #{function.return_type}"
end
Expand Down Expand Up @@ -374,7 +389,7 @@ def process_function_call(function, args, client)

response = client.send_request(request)

build_response(response, function, layouts, client.native_arch)
build_response(response, function, layouts, client)
end

# perform type conversions as necessary to reduce the datatypes to their primitives
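Review bot: In the new `when 'PULONG_PTR'` branch both arms of the `if client.native_arch == ARCH_X64` repeat `return_hash['&return'] = rec_return_value`; hoisting that assignment above the `if` (as the PCHAR and PWCHAR branches already do in one place) removes the duplication, and the two arms then differ only in the read width and unpack format. The `'&return'` key is a new addition to the response contract, carrying the raw pointer next to the dereferenced value, presumably so callers can hand it back to ldap_memfree/ber_free; it deserves a comment above `when 'PCHAR'` such as `# pointer return types: 'return' is the dereferenced value (nil for NULL), '&return' the raw pointer the caller must free`. Changing build_response's fourth parameter from an arch constant to the client is an interface change; both callers on this page are updated, but any out-of-tree caller still passing `client.native_arch` would fail with NoMethodError on `native_arch`. build_response starts and ends outside the hunks.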
Expand Up @@ -43,9 +43,9 @@ class LibraryFunction
'LPVOID' => ['in', 'return'], # sf: for specifying a memory address (e.g. VirtualAlloc/HeapAlloc/...) where we don't want to back it up with actual mem ala PBLOB
'ULONG_PTR' => ['in', 'return'],
'PDWORD' => ['in', 'out', 'inout'], # todo: support for functions that return pointers to strings
'PULONG_PTR' => ['in', 'out', 'inout'],
'PWCHAR' => ['in', 'out', 'inout'],
'PCHAR' => ['in', 'out', 'inout'],
'PULONG_PTR' => ['in', 'out', 'inout', 'return'],
'PWCHAR' => ['in', 'out', 'inout', 'return'],
'PCHAR' => ['in', 'out', 'inout', 'return'],
'PBLOB' => ['in', 'out', 'inout'],
}.freeze

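Review bot: The comment on the unchanged `'PDWORD'` line, `# todo: support for functions that return pointers to strings`, is made stale by this change, which adds 'return' to PCHAR and PWCHAR; drop it or reword it to point at the new PCHAR/PWCHAR return handling in library.rb. After this change 'PDWORD' and 'PBLOB' are the only pointer types without 'return'; a one-line comment saying that is deliberate would stop the next reader from treating it as another omission. The table's opening line and the enclosing class are outside the hunk.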
Expand Up @@ -90,7 +90,7 @@ def call(functions)
lib_name, function, args = f
library = @parent.get_library(lib_name)
function = library.functions[function] unless function.instance_of? LibraryFunction
function_results << library.build_response(call_results.shift, function, call_layouts.shift, @client.native_arch)
function_results << library.build_response(call_results.shift, function, call_layouts.shift, @client)
end

function_results
