Class: Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Config

Inherits:
Object
  • Object
show all
Defined in:
lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb

Overview

This class provides access to remote system configuration and information.

Constant Summary collapse

SYSTEM_SID =
'S-1-5-18'

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(client) ⇒ Config

Returns a new instance of Config.



25
26
27
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb', line 25

def initialize(client)
  self.client = client
end

Instance Attribute Details

#clientObject (protected)

Returns the value of attribute client.



193
194
195
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb', line 193

def client
  @client
end

Instance Method Details

#drop_tokenObject

Drops any assumed token



163
164
165
166
167
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb', line 163

def drop_token
  req = Packet.create_request(COMMAND_ID_STDAPI_SYS_CONFIG_DROP_TOKEN)
  res = client.send_request(req)
  client.unicode_filter_encode( res.get_tlv_value(TLV_TYPE_USER_NAME) )
end

#getdriversObject

Returns a list of currently active drivers used by the target system



60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb', line 60

def getdrivers
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_CONFIG_DRIVER_LIST)
  response = client.send_request(request)

  result = []

  response.each(TLV_TYPE_DRIVER_ENTRY) do |driver|
    result << {
      basename: driver.get_tlv_value(TLV_TYPE_DRIVER_BASENAME),
      filename: driver.get_tlv_value(TLV_TYPE_DRIVER_FILENAME)
    }
  end

  result
end

#getenv(var_name) ⇒ Object

Returns the value of a single requested environment variable name



102
103
104
105
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb', line 102

def getenv(var_name)
  _, value = getenvs(var_name).first
  value
end

#getenvs(*var_names) ⇒ Object

Returns a hash of requested environment variables, along with their values. If a requested value doesn’t exist in the response, then the value wasn’t found.



80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb', line 80

def getenvs(*var_names)
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_CONFIG_GETENV)

  var_names.each do |v|
    request.add_tlv(TLV_TYPE_ENV_VARIABLE, v)
  end

  response = client.send_request(request)
  result = {}

  response.each(TLV_TYPE_ENV_GROUP) do |env|
    var_name = env.get_tlv_value(TLV_TYPE_ENV_VARIABLE)
    var_value = env.get_tlv_value(TLV_TYPE_ENV_VALUE)
    result[var_name] = var_value
  end

  result
end

#getprivsObject

Enables all possible privileges



181
182
183
184
185
186
187
188
189
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb', line 181

def getprivs
  req = Packet.create_request(COMMAND_ID_STDAPI_SYS_CONFIG_GETPRIVS)
  ret = []
  res = client.send_request(req)
  res.each(TLV_TYPE_PRIVILEGE) do |p|
    ret << p.value
  end
  ret
end

#getsidObject

Gets the SID of the current process/thread.



44
45
46
47
48
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb', line 44

def getsid
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_CONFIG_GETSID)
  response = client.send_request(request)
  response.get_tlv_value(TLV_TYPE_SID)
end

#getuid(refresh: true) ⇒ Object

Returns the username that the remote side is running as.



32
33
34
35
36
37
38
39
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb', line 32

def getuid(refresh: true)
  if @uid.nil? || refresh
    request  = Packet.create_request(COMMAND_ID_STDAPI_SYS_CONFIG_GETUID)
    response = client.send_request(request)
    @uid = client.unicode_filter_encode( response.get_tlv_value(TLV_TYPE_USER_NAME) )
  end
  @uid
end

#is_system?Boolean

Determine if the current process/thread is running as SYSTEM

Returns:

  • (Boolean)


53
54
55
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb', line 53

def is_system?
  getsid == SYSTEM_SID
end

#localtimeObject

Returns the target’s local system date and time.



110
111
112
113
114
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb', line 110

def localtime
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_CONFIG_LOCALTIME)
  response = client.send_request(request)
  (response.get_tlv_value(TLV_TYPE_LOCAL_DATETIME) || "").strip
end

#revert_to_selfObject

Calls RevertToSelf on the remote machine.



146
147
148
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb', line 146

def revert_to_self
  client.send_request(Packet.create_request(COMMAND_ID_STDAPI_SYS_CONFIG_REV2SELF))
end

#steal_token(pid) ⇒ Object

Steals the primary token from a target process



153
154
155
156
157
158
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb', line 153

def steal_token(pid)
  req = Packet.create_request(COMMAND_ID_STDAPI_SYS_CONFIG_STEAL_TOKEN)
  req.add_tlv(TLV_TYPE_PID, pid.to_i)
  res = client.send_request(req)
  client.unicode_filter_encode( res.get_tlv_value(TLV_TYPE_USER_NAME) )
end

#sysinfo(refresh: false) ⇒ Object

Returns a hash of information about the remote computer.



119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb', line 119

def sysinfo(refresh: false)
  request  = Packet.create_request(COMMAND_ID_STDAPI_SYS_CONFIG_SYSINFO)
  if @sysinfo.nil? || refresh
    response = client.send_request(request)

    @sysinfo = {
      'Computer'        => response.get_tlv_value(TLV_TYPE_COMPUTER_NAME),
      'OS'              => response.get_tlv_value(TLV_TYPE_OS_NAME),
      'Architecture'    => response.get_tlv_value(TLV_TYPE_ARCHITECTURE),
      'BuildTuple'      => response.get_tlv_value(TLV_TYPE_BUILD_TUPLE),
      'System Language' => response.get_tlv_value(TLV_TYPE_LANG_SYSTEM),
      'Domain'          => response.get_tlv_value(TLV_TYPE_DOMAIN),
      'Logged On Users' => response.get_tlv_value(TLV_TYPE_LOGGED_ON_USER_COUNT)
    }

    # make sure we map the architecture across to x64 if x86_64 is returned
    # to keep arch consistent across all session/machine types
    if @sysinfo['Architecture']
      @sysinfo['Architecture'] = ARCH_X64 if @sysinfo['Architecture'].strip == ARCH_X86_64
    end
  end
  @sysinfo
end

#update_token(token_handle) ⇒ Object

Updates the current token for impersonation



172
173
174
175
176
# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb', line 172

def update_token(token_handle)
  req = Packet.create_request(COMMAND_ID_STDAPI_SYS_CONFIG_UPDATE_TOKEN)
  req.add_tlv(TLV_TYPE_HANDLE, token_handle.to_i)
  res = client.send_request(req)
end