Adds support for resolving multiple hosts

cgranleese-r7 · cgranleese-r7 · commit 681b85770247 · 2023-10-18T14:52:27.000+01:00
diff --git a/python/meterpreter/ext_server_stdapi.py b/python/meterpreter/ext_server_stdapi.py
@@ -581,6 +581,9 @@ class RTMSG(ctypes.Structure):
 
 TLV_TYPE_SHUTDOWN_HOW          = TLV_META_TYPE_UINT    | 1530
 
+# Resolve hosts/host
+TLV_TYPE_RESOLVE_HOST_ENTRY = TLV_META_TYPE_GROUP   | 1550
+
 ##
 # Railgun
 ##
@@ -1076,8 +1079,12 @@ def netlink_request(req_type, req_data):
 
 def resolve_host(hostname, family):
     address_info = getaddrinfo(hostname, family=family, socktype=socket.SOCK_DGRAM, proto=socket.IPPROTO_UDP)
-    address = address_info[0]['sockaddr'][0]
-    return {'family': family, 'address': address, 'packed_address': inet_pton(family, address)}
+    addresses = []
+    for addr in address_info:
+        binary_address = inet_pton(family, addr['sockaddr'][0])
+        addresses.append(binary_address)
+
+    return [{ 'family': family, 'address': addresses }]
 
 def tlv_pack_local_addrinfo(sock):
     local_host, local_port = sock.getsockname()[:2]
@@ -2641,9 +2648,18 @@ def stdapi_net_resolve_host(request, response):
         family = socket.AF_INET6
     else:
         raise Exception('invalid family')
+
     result = resolve_host(hostname, family)
-    response += tlv_pack(TLV_TYPE_IP, result['packed_address'])
-    response += tlv_pack(TLV_TYPE_ADDR_TYPE, result['family'])
+
+    for resolved_host in result:
+        host_tlv  = bytes()
+        for ip in resolved_host['address']:
+            host_tlv +=  tlv_pack(TLV_TYPE_IP, ip)
+            host_tlv += tlv_pack(TLV_TYPE_ADDR_TYPE, family)
+
+
+    response += tlv_pack(TLV_TYPE_RESOLVE_HOST_ENTRY, host_tlv)
+
     return ERROR_SUCCESS, response
 
 @register_function
@@ -2661,8 +2677,13 @@ def stdapi_net_resolve_hosts(request, response):
             result = resolve_host(hostname, family)
         except socket.error:
             result = {'family':family, 'packed_address':''}
-        response += tlv_pack(TLV_TYPE_IP, result['packed_address'])
-        response += tlv_pack(TLV_TYPE_ADDR_TYPE, result['family'])
+        for resolved_host in result:
+            host_tlv  = bytes()
+            for ip in resolved_host['address']:
+                host_tlv +=  tlv_pack(TLV_TYPE_IP, ip)
+                host_tlv += tlv_pack(TLV_TYPE_ADDR_TYPE, family)
+
+        response += tlv_pack(TLV_TYPE_RESOLVE_HOST_ENTRY, host_tlv)
     return ERROR_SUCCESS, response
 
 @register_function
diff --git a/python/meterpreter/tests/test_ext_server_stdapi.py b/python/meterpreter/tests/test_ext_server_stdapi.py
@@ -320,6 +320,24 @@ def test_stdapi_sys_config_getsid(self):
         ).get("value")
         self.assertRegex(sid, "S-1-5-.*")
 
+class ExtStdNetResolveTest(ExtServerStdApiTest):
+    def stdapi_net_resolve_hosts(self):
+        # Full request from msfconsole
+        request = b'\x00\x00\x00\x0c\x00\x02\x00\x01\x00\x00\x04\x00\x00\x00\x00)\x00\x01\x00\x0264769531726942037539492283558475\x00\x00\x00\x00\x13\x00\x01\x05xrapid7.com\x00\x00\x00\x00\x0c\x00\x02\x05\xa4\x00\x00\x00\x02'
+        response = bytes()
+        _result_code, result_tlvs = self.assertMethodErrorSuccess(
+            "stdapi_net_resolve_hosts", request, response
+        )
+
+        print(response)
+
+        # TODO: Assert
+        # user_name = self.meterpreter_context["packet_get_tlv"](
+        #     result_tlvs, self.ext_server_stdapi["TLV_TYPE_USER_NAME"]
+        # ).get("value")
+        #
+        #self.assert(response, bytes('......'))
+
 
 if __name__ == "__main__":
     unittest.main()
