Class: Rex::Post::Meterpreter::Ui::Console::CommandDispatcher::Priv::Elevate

Inherits:
Object
  • Object
Includes:
Rex::Post::Meterpreter::Ui::Console::CommandDispatcher
Defined in:
lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb

Overview

The local privilege escalation portion of the extension.

Constant Summary collapse

Klass =
Console::CommandDispatcher::Priv::Elevate
ELEVATE_TECHNIQUE_NONE =
-1
ELEVATE_TECHNIQUE_ANY =
0
ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE =
1
ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE2 =
2
ELEVATE_TECHNIQUE_SERVICE_TOKENDUP =
3
ELEVATE_TECHNIQUE_DESCRIPTION =
[
  'All techniques available',
  'Named Pipe Impersonation (In Memory/Admin)',
  'Named Pipe Impersonation (Dropper/Admin)',
  'Token Duplication (In Memory/Admin)'
]

Instance Attribute Summary

Attributes included from Ui::Text::DispatcherShell::CommandDispatcher

#shell, #tab_complete_items

Instance Method Summary collapse

Methods included from Rex::Post::Meterpreter::Ui::Console::CommandDispatcher

check_hash, #client, #docs_dir, #filter_commands, #initialize, #log_error, #msf_loaded?, set_hash

Methods included from Ui::Text::DispatcherShell::CommandDispatcher

#cmd_help, #cmd_help_help, #cmd_help_tabs, #deprecated_cmd, #deprecated_commands, #deprecated_help, #docs_dir, #help_to_s, #initialize, #print, #print_error, #print_good, #print_line, #print_status, #print_warning, #tab_complete_directory, #tab_complete_filenames, #tab_complete_generic, #tab_complete_source_address, #update_prompt

Instance Method Details

#cmd_getsystem(*args) ⇒ Object

Attempt to elevate the Meterpreter session's privileges to those of the local SYSTEM account.


# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb', line 73

def cmd_getsystem( *args )

  technique = ELEVATE_TECHNIQUE_ANY

  desc = ""
  ELEVATE_TECHNIQUE_DESCRIPTION.each_index { |i| desc += "\n\t\t#{i} : #{ELEVATE_TECHNIQUE_DESCRIPTION[i]}" }

  getsystem_opts = Rex::Parser::Arguments.new(
    "-h" => [ false, "Help Banner." ],
    "-t" => [ true, "The technique to use. (Default to \'#{technique}\')." + desc ]
  )

  getsystem_opts.parse(args) { | opt, idx, val |
    case opt
      when "-h"
        print_line( "Usage: getsystem [options]\n" )
        print_line( "Attempt to elevate your privilege to that of local system." )
        print_line( getsystem_opts.usage )
        return
      when "-t"
        technique = val.to_i
    end
  }

  if( technique < 0 or technique >= ELEVATE_TECHNIQUE_DESCRIPTION.length )
    print_error( "Technique '#{technique}' is out of range." )
    return false;
  end

  begin
    result = client.priv.getsystem( technique )
  rescue Rex::Post::Meterpreter::RequestError => e
    print_error("#{e.message} The following was attempted:")
    translate_technique_index(technique).each do |desc|
      print_error(desc)
    end
    elog("Technique: #{technique})", error: e)
    return
  end

  # got system?
  if result[0]
    print_line( "...got system via technique #{result[1]} (#{translate_technique_index(result[1]).first})." )
  else
    print_line( "...failed to get system while attempting the following:" )
    translate_technique_index(technique).each do |desc|
      print_error(desc)
    end
  end

  return result
end

#commands ⇒ Object

List of supported commands.


# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb', line 37

# Maps each console command this dispatcher provides to its one-line help text.
#
# @return [Hash{String => String}] command name => description
def commands
  supported = {}
  supported['getsystem'] = 'Attempt to elevate your privilege to that of local system.'
  supported
end

#name ⇒ Object

Name for this dispatcher.


# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb', line 46

# Human-readable label of this dispatcher.
#
# @return [String]
def name
  label = 'Priv: Elevate'
  label
end

#translate_technique_index(index) ⇒ Object

Returns the description(s) of the technique(s) selected by the given index, as an array.


# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb', line 54

# Turns a technique index into the list of descriptions it stands for.
#
# Index 0 means "all techniques", so it expands to every entry of
# ELEVATE_TECHNIQUE_DESCRIPTION except the first (the "all" label itself).
# Any other index yields a one-element array holding that entry.
#
# No range check happens here: an index past the end yields [nil], and a
# negative index counts from the end of the array (plain Array#[] behaviour),
# so callers are expected to validate the index first.
#
# @param index [Integer] technique index
# @return [Array<String, nil>] the matching description(s)
def translate_technique_index(index)
  if 0 == index
    # drop(1) returns a new array, leaving the constant itself untouched.
    ELEVATE_TECHNIQUE_DESCRIPTION.drop(1)
  else
    [ ELEVATE_TECHNIQUE_DESCRIPTION[index] ]
  end
end