Merge pull request #258 from smashery/new_cmd_exec

New process launch API
rapid7 · Oct 10, 2024 · faef056 · faef056
2 parents 3754343 + 3743c74
commit faef056
Show file tree

Hide file tree

Showing 4 changed files with 101 additions and 60 deletions.
diff --git a/mettle/src/process.c b/mettle/src/process.c
@@ -188,33 +188,39 @@ static void exec_child(struct procmgr *mgr,
 	proc = strdup(process_name);
 
 
-	if (opts && opts->args) {
-		if (asprintf(&args, "%s %s", proc, opts->args) <= 0) {
-			abort();
-		}
-	} else {
-		args = proc;
-	}
-
-	char *sh = NULL;
-	if (opts->flags & PROCESS_CREATE_SUBSHELL) {
-		sh = shell_path();
-	}
 
-	if (sh) {
-		execl(sh, sh, "-c", args, (char *)NULL);
+	char **argv = NULL;
+	if (opts->flags & PROCESS_USE_ARG_ARRAY) {
+		argv = opts->argv;
+		execvp(file, argv);
+		free(argv);
 	} else {
-		size_t argc = 0;
-		char **argv = NULL;
-		argv = argv_split(args, argv, &argc);
-		if (argv[0][0] == '/' && access(argv[0], X_OK)) {
-			argv[0] = basename(argv[0]);
+		if (opts && opts->args) {
+			if (asprintf(&args, "%s %s", proc, opts->args) <= 0) {
+				abort();
+			}
+		} else {
+			args = proc;
 		}
-		if (opts->flags & PROCESS_CREATE_REFLECT) {
-			log_debug("%s: reflectively executing %p with %s", __FUNCTION__, file, args);
-			reflect_execv((unsigned char *)file, argv);
+		char *sh = NULL;
+		if (opts->flags & PROCESS_CREATE_SUBSHELL) {
+			sh = shell_path();
+		}
+
+		if (sh) {
+			execl(sh, sh, "-c", args, (char *)NULL);
 		} else {
-			execvp(file, argv);
+			size_t argc = 0;
+			argv = argv_split(args, argv, &argc);
+			if (argv[0][0] == '/' && access(argv[0], X_OK)) {
+				argv[0] = basename(argv[0]);
+			}
+			if (opts->flags & PROCESS_CREATE_REFLECT) {
+				log_debug("%s: reflectively executing %p with %s", __FUNCTION__, file, args);
+				reflect_execv((unsigned char *)file, argv);
+			} else {
+				execvp(file, argv);
+			}
 		}
 	}
 	abort();

diff --git a/mettle/src/process.h b/mettle/src/process.h
@@ -24,13 +24,15 @@ typedef void (*process_exit_cb_t)(struct process *, int exit_status, void *arg);
 typedef	void (*process_read_cb_t)(struct process *, struct buffer_queue *queue, void *arg);
 
 struct process_options {
-	const char *args;               /* Process arguments (none if not specified) */
+	const char *args;               /* Process arguments as a string (none if not specified) */
+	char **argv;                    /* Process arguments as an arg array (none if not specified) */
 	char **env;                     /* Process environment (inherited if not specified) */
 	const char *process_name;       /* Alternate process name */
 	const char *cwd;                /* Current working directory */
 	const char *user;               /* User to start the process as */
 #define PROCESS_CREATE_SUBSHELL		(0x00000001 << 0)
 #define PROCESS_CREATE_REFLECT		(0x00000001 << 1)
+#define PROCESS_USE_ARG_ARRAY		(0x00000001 << 2)
 	int flags;
 };
 

diff --git a/mettle/src/stdapi/sys/process.c b/mettle/src/stdapi/sys/process.c
@@ -306,37 +306,67 @@ sys_process_execute(struct tlv_handler_ctx *ctx)
 	struct mettle *m = ctx->arg;
 	struct channelmgr *cm = mettle_get_channelmgr(m);
 	struct procmgr *pm = mettle_get_procmgr(m);
-	char *path = tlv_packet_get_str(ctx->req, TLV_TYPE_PROCESS_PATH);
-	char *args = tlv_packet_get_str(ctx->req, TLV_TYPE_PROCESS_ARGUMENTS);
-	size_t exe_len;
-	unsigned char *in_mem_exe = tlv_packet_get_raw(ctx->req, TLV_TYPE_VALUE_DATA, &exe_len);
+	char *path = NULL;
 	uint32_t flags = 0;
 
 	tlv_packet_get_u32(ctx->req, TLV_TYPE_PROCESS_FLAGS, &flags);
-
 	struct process_options opts = {
-		.process_name = path,
-		.args = args,
 		.flags = 0
 	};
 
-	if (strchr(path, '$') != NULL || strchr(path, '%') != NULL) {
-		opts.flags |= PROCESS_CREATE_SUBSHELL;
+	if (flags & PROCESS_EXECUTE_FLAG_PTY) {
+		opts.flags |= PROCESS_EXECUTE_FLAG_PTY;
 	}
 
-	if (args && (strchr(args, '$') != NULL || strchr(args, '%') != NULL)) {
-		opts.flags |= PROCESS_CREATE_SUBSHELL;
-	}
+	if (flags & PROCESS_EXECUTE_FLAG_ARG_ARRAY) {
+		path = tlv_packet_get_str(ctx->req, TLV_TYPE_PROCESS_UNESCAPED_PATH);
+		opts.process_name = path;
+		opts.flags |= PROCESS_USE_ARG_ARRAY;
+
+		struct tlv_iterator i = {
+			.packet = ctx->req,
+			.value_type = TLV_TYPE_PROCESS_ARGUMENT,
+		};
+
+		char *arg;
+		int argc = 2; // cmd at start, plus null terminating at end
+		char **argv;
+		while ((arg = tlv_packet_iterate_str(&i))) {
+			argc++;
+		}
+		// Reset the iterator
+		i.offset = 0;
+		argv = (char**)malloc(argc * sizeof(char*));
+		argv[0] = path;
+		argc = 1;
+		while ((arg = tlv_packet_iterate_str(&i))) {
+			argv[argc++] = arg;
+		}
+		argv[argc] = NULL; // Not a null-byte overwrite, because we allocated one more initially
+		opts.argv = argv;
+	} else {
+		if (flags & PROCESS_EXECUTE_FLAG_SUBSHELL) {
+			opts.flags |= PROCESS_CREATE_SUBSHELL;
+		}
 
-	if (flags & PROCESS_EXECUTE_FLAG_SUBSHELL) {
-		opts.flags |= PROCESS_CREATE_SUBSHELL;
-	}
 
-	if (flags & PROCESS_EXECUTE_FLAG_PTY) {
-		opts.flags |= PROCESS_EXECUTE_FLAG_PTY;
+		path = tlv_packet_get_str(ctx->req, TLV_TYPE_PROCESS_PATH);
+		opts.process_name = path;
+
+	    char *args = tlv_packet_get_str(ctx->req, TLV_TYPE_PROCESS_ARGUMENTS);
+		opts.args = args;
+		if (strchr(path, '$') != NULL || strchr(path, '%') != NULL) {
+			opts.flags |= PROCESS_CREATE_SUBSHELL;
+		}
+
+		if (args && (strchr(args, '$') != NULL || strchr(args, '%') != NULL)) {
+			opts.flags |= PROCESS_CREATE_SUBSHELL;
+		}
+		log_debug("process_new: %s %s 0x%08x", path, args, flags);
 	}
 
-	log_debug("process_new: %s %s 0x%08x", path, args, flags);
+	size_t exe_len;
+	unsigned char *in_mem_exe = tlv_packet_get_raw(ctx->req, TLV_TYPE_VALUE_DATA, &exe_len);
 
 	struct process *p;
 	if (in_mem_exe != NULL && exe_len != 0) {

diff --git a/mettle/src/tlv_types.h b/mettle/src/tlv_types.h
@@ -214,24 +214,26 @@
 /*
  * Process
  */
-#define TLV_TYPE_BASE_ADDRESS          (TLV_META_TYPE_QWORD   | 2000)
-#define TLV_TYPE_ALLOCATION_TYPE       (TLV_META_TYPE_UINT    | 2001)
-#define TLV_TYPE_PROTECTION            (TLV_META_TYPE_UINT    | 2002)
-#define TLV_TYPE_PROCESS_PERMS         (TLV_META_TYPE_UINT    | 2003)
-#define TLV_TYPE_PROCESS_MEMORY        (TLV_META_TYPE_RAW     | 2004)
-#define TLV_TYPE_ALLOC_BASE_ADDRESS    (TLV_META_TYPE_QWORD   | 2005)
-#define TLV_TYPE_MEMORY_STATE          (TLV_META_TYPE_UINT    | 2006)
-#define TLV_TYPE_MEMORY_TYPE           (TLV_META_TYPE_UINT    | 2007)
-#define TLV_TYPE_ALLOC_PROTECTION      (TLV_META_TYPE_UINT    | 2008)
-#define TLV_TYPE_PID                   (TLV_META_TYPE_UINT    | 2300)
-#define TLV_TYPE_PROCESS_NAME          (TLV_META_TYPE_STRING  | 2301)
-#define TLV_TYPE_PROCESS_PATH          (TLV_META_TYPE_STRING  | 2302)
-#define TLV_TYPE_PROCESS_GROUP         (TLV_META_TYPE_GROUP   | 2303)
-#define TLV_TYPE_PROCESS_FLAGS         (TLV_META_TYPE_UINT    | 2304)
-#define TLV_TYPE_PROCESS_ARGUMENTS     (TLV_META_TYPE_STRING  | 2305)
-#define TLV_TYPE_PROCESS_ARCH          (TLV_META_TYPE_UINT    | 2306)
-#define TLV_TYPE_PARENT_PID            (TLV_META_TYPE_UINT    | 2307)
-#define TLV_TYPE_PROCESS_ARCH_NAME     (TLV_META_TYPE_STRING  | 2309)
+#define TLV_TYPE_BASE_ADDRESS           (TLV_META_TYPE_QWORD   | 2000)
+#define TLV_TYPE_ALLOCATION_TYPE        (TLV_META_TYPE_UINT    | 2001)
+#define TLV_TYPE_PROTECTION             (TLV_META_TYPE_UINT    | 2002)
+#define TLV_TYPE_PROCESS_PERMS          (TLV_META_TYPE_UINT    | 2003)
+#define TLV_TYPE_PROCESS_MEMORY         (TLV_META_TYPE_RAW     | 2004)
+#define TLV_TYPE_ALLOC_BASE_ADDRESS     (TLV_META_TYPE_QWORD   | 2005)
+#define TLV_TYPE_MEMORY_STATE           (TLV_META_TYPE_UINT    | 2006)
+#define TLV_TYPE_MEMORY_TYPE            (TLV_META_TYPE_UINT    | 2007)
+#define TLV_TYPE_ALLOC_PROTECTION       (TLV_META_TYPE_UINT    | 2008)
+#define TLV_TYPE_PID                    (TLV_META_TYPE_UINT    | 2300)
+#define TLV_TYPE_PROCESS_NAME           (TLV_META_TYPE_STRING  | 2301)
+#define TLV_TYPE_PROCESS_PATH           (TLV_META_TYPE_STRING  | 2302)
+#define TLV_TYPE_PROCESS_GROUP          (TLV_META_TYPE_GROUP   | 2303)
+#define TLV_TYPE_PROCESS_FLAGS          (TLV_META_TYPE_UINT    | 2304)
+#define TLV_TYPE_PROCESS_ARGUMENTS      (TLV_META_TYPE_STRING  | 2305)
+#define TLV_TYPE_PROCESS_ARCH           (TLV_META_TYPE_UINT    | 2306)
+#define TLV_TYPE_PARENT_PID             (TLV_META_TYPE_UINT    | 2307)
+#define TLV_TYPE_PROCESS_ARCH_NAME      (TLV_META_TYPE_STRING  | 2309)
+#define TLV_TYPE_PROCESS_ARGUMENT       (TLV_META_TYPE_STRING  | 2310)
+#define TLV_TYPE_PROCESS_UNESCAPED_PATH (TLV_META_TYPE_STRING  | 2311)
 
 #define TLV_TYPE_IMAGE_FILE            (TLV_META_TYPE_STRING  | 2400)
 #define TLV_TYPE_IMAGE_FILE_PATH       (TLV_META_TYPE_STRING  | 2401)
@@ -317,6 +319,7 @@
 #define PROCESS_EXECUTE_FLAG_SESSION           (1 << 5)
 #define PROCESS_EXECUTE_FLAG_SUBSHELL          (1 << 6)
 #define PROCESS_EXECUTE_FLAG_PTY               (1 << 7)
+#define PROCESS_EXECUTE_FLAG_ARG_ARRAY         (1 << 8)
 
 #define PROCESS_ARCH_UNKNOWN    0
 #define PROCESS_ARCH_X86        1