GitHub Repository: rapid7/metasploit-framework
Path: blob/master/lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb
# -*- coding: binary -*-
require 'rex/post/process'
require 'rex/post/meterpreter/packet'
require 'rex/post/meterpreter/client'
require 'rex/post/meterpreter/extensions/stdapi/constants'
require 'rex/post/meterpreter/extensions/stdapi/stdapi'
module Rex
module Post
module Meterpreter
module Extensions
module Stdapi
module Sys
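###
#
# This class provides access to remote system configuration and information.
#
# Every public method builds a stdapi request with Packet.create_request,
# sends it over the session's +client+ and decodes the TLVs of the reply.
# Nothing here touches the local machine; the effects (token changes,
# privilege enabling) happen on the remote side.
#
###
class Config

  # Well-known SID of the Windows LocalSystem account; compared against
  # the SID the target reports in #is_system?.
  SYSTEM_SID = 'S-1-5-18'.freeze

  #
  # @param client [Object] Meterpreter client the requests are sent on; it
  #   must respond to +send_request+ and +unicode_filter_encode+
  #
  def initialize(client)
    self.client = client
  end

  #
  # Returns the username that the remote side is running as.
  #
  # The value is cached in @uid, but the default +refresh: true+ re-queries
  # the target on every call; pass +refresh: false+ to reuse the last answer.
  #
  # @param refresh [Boolean] query the target even when a value is cached
  # @return [String] TLV_TYPE_USER_NAME passed through the client's unicode filter
  #
  def getuid(refresh: true)
    return @uid unless @uid.nil? || refresh

    request = Packet.create_request(COMMAND_ID_STDAPI_SYS_CONFIG_GETUID)
    response = client.send_request(request)
    @uid = client.unicode_filter_encode(response.get_tlv_value(TLV_TYPE_USER_NAME))
  end

  #
  # Gets the SID of the current process/thread.
  #
  # @return [String, nil] the TLV_TYPE_SID value, nil when the reply lacks it
  #
  def getsid
    request = Packet.create_request(COMMAND_ID_STDAPI_SYS_CONFIG_GETSID)
    client.send_request(request).get_tlv_value(TLV_TYPE_SID)
  end

  #
  # Determine if the current process/thread is running as SYSTEM, i.e.
  # whether #getsid returns the LocalSystem SID.
  #
  # @return [Boolean]
  #
  def is_system?
    getsid == SYSTEM_SID
  end

  #
  # Returns a list of currently active drivers used by the target system.
  #
  # @return [Array<Hash>] one +{ basename:, filename: }+ hash per
  #   TLV_TYPE_DRIVER_ENTRY group in the reply, in reply order
  #
  def getdrivers
    request = Packet.create_request(COMMAND_ID_STDAPI_SYS_CONFIG_DRIVER_LIST)
    response = client.send_request(request)

    drivers = []
    response.each(TLV_TYPE_DRIVER_ENTRY) do |driver|
      drivers << {
        basename: driver.get_tlv_value(TLV_TYPE_DRIVER_BASENAME),
        filename: driver.get_tlv_value(TLV_TYPE_DRIVER_FILENAME)
      }
    end
    drivers
  end

  #
  # Returns a hash of requested environment variables, along with their values.
  # If a requested value doesn't exist in the response, then the value wasn't found.
  #
  # @param var_names [Array<String>] names to look up; each becomes one
  #   TLV_TYPE_ENV_VARIABLE on the request
  # @return [Hash{String => String}] name => value for every TLV_TYPE_ENV_GROUP
  #   in the reply; names the target did not answer are simply absent
  #
  def getenvs(*var_names)
    request = Packet.create_request(COMMAND_ID_STDAPI_SYS_CONFIG_GETENV)
    var_names.each { |name| request.add_tlv(TLV_TYPE_ENV_VARIABLE, name) }

    response = client.send_request(request)
    envs = {}
    response.each(TLV_TYPE_ENV_GROUP) do |env|
      envs[env.get_tlv_value(TLV_TYPE_ENV_VARIABLE)] = env.get_tlv_value(TLV_TYPE_ENV_VALUE)
    end
    envs
  end

  #
  # Returns the value of a single requested environment variable name.
  #
  # @param var_name [String]
  # @return [String, nil] the first value in the reply, nil when the target
  #   returned no group for the name
  #
  def getenv(var_name)
    getenvs(var_name).values.first
  end

  #
  # Returns the target's local system date and time.
  #
  # @return [String] TLV_TYPE_LOCAL_DATETIME with surrounding whitespace
  #   stripped; an empty string when the TLV is absent
  #
  def localtime
    request = Packet.create_request(COMMAND_ID_STDAPI_SYS_CONFIG_LOCALTIME)
    response = client.send_request(request)
    (response.get_tlv_value(TLV_TYPE_LOCAL_DATETIME) || '').strip
  end

  #
  # Returns a hash of information about the remote computer.
  #
  # Unlike #getuid the default here is to reuse the cached @sysinfo; pass
  # +refresh: true+ to query the target again. The request packet is only
  # built when a query is actually sent.
  #
  # @param refresh [Boolean] query the target even when a value is cached
  # @return [Hash{String => Object, nil}] keys 'Computer', 'OS',
  #   'Architecture', 'BuildTuple', 'System Language', 'Domain' and
  #   'Logged On Users'; a TLV missing from the reply yields nil
  #
  def sysinfo(refresh: false)
    return @sysinfo unless @sysinfo.nil? || refresh

    request = Packet.create_request(COMMAND_ID_STDAPI_SYS_CONFIG_SYSINFO)
    response = client.send_request(request)

    @sysinfo = {
      'Computer' => response.get_tlv_value(TLV_TYPE_COMPUTER_NAME),
      'OS' => response.get_tlv_value(TLV_TYPE_OS_NAME),
      'Architecture' => response.get_tlv_value(TLV_TYPE_ARCHITECTURE),
      'BuildTuple' => response.get_tlv_value(TLV_TYPE_BUILD_TUPLE),
      'System Language' => response.get_tlv_value(TLV_TYPE_LANG_SYSTEM),
      'Domain' => response.get_tlv_value(TLV_TYPE_DOMAIN),
      'Logged On Users' => response.get_tlv_value(TLV_TYPE_LOGGED_ON_USER_COUNT)
    }

    # make sure we map the architecture across to x64 if x86_64 is returned
    # to keep arch consistent across all session/machine types
    arch = @sysinfo['Architecture']
    @sysinfo['Architecture'] = ARCH_X64 if arch && arch.strip == ARCH_X86_64

    @sysinfo
  end

  #
  # Calls RevertToSelf on the remote machine.
  #
  # @return the raw response packet returned by the client
  #
  def revert_to_self
    client.send_request(Packet.create_request(COMMAND_ID_STDAPI_SYS_CONFIG_REV2SELF))
  end

  #
  # Steals the primary token from a target process.
  #
  # @param pid [Integer, #to_i] process id sent as TLV_TYPE_PID; coerced with to_i
  # @return [String] the TLV_TYPE_USER_NAME the target reports in its reply,
  #   passed through the client's unicode filter
  #
  def steal_token(pid)
    request = Packet.create_request(COMMAND_ID_STDAPI_SYS_CONFIG_STEAL_TOKEN)
    request.add_tlv(TLV_TYPE_PID, pid.to_i)
    response = client.send_request(request)
    client.unicode_filter_encode(response.get_tlv_value(TLV_TYPE_USER_NAME))
  end

  #
  # Drops any assumed token.
  #
  # @return [String] the TLV_TYPE_USER_NAME the target reports in its reply,
  #   passed through the client's unicode filter
  #
  def drop_token
    request = Packet.create_request(COMMAND_ID_STDAPI_SYS_CONFIG_DROP_TOKEN)
    response = client.send_request(request)
    client.unicode_filter_encode(response.get_tlv_value(TLV_TYPE_USER_NAME))
  end

  #
  # Updates the current token for impersonation.
  #
  # @param token_handle [Integer, #to_i] handle sent as TLV_TYPE_HANDLE; coerced with to_i
  # @return the raw response packet; nothing in it is decoded here
  #
  def update_token(token_handle)
    request = Packet.create_request(COMMAND_ID_STDAPI_SYS_CONFIG_UPDATE_TOKEN)
    request.add_tlv(TLV_TYPE_HANDLE, token_handle.to_i)
    client.send_request(request)
  end

  #
  # Enables all possible privileges.
  #
  # @return [Array] the +value+ of every TLV_TYPE_PRIVILEGE in the reply,
  #   in reply order
  #
  def getprivs
    request = Packet.create_request(COMMAND_ID_STDAPI_SYS_CONFIG_GETPRIVS)
    privs = []
    client.send_request(request).each(TLV_TYPE_PRIVILEGE) { |priv| privs << priv.value }
    privs
  end

  protected

  # Session client that carries every request; assigned once in #initialize.
  attr_accessor :client

end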
end; end; end; end; end; end