Class: Rex::Post::Meterpreter::Ui::Console::CommandDispatcher::Priv::Elevate

Inherits:
Object
Includes:
Rex::Post::Meterpreter::Ui::Console::CommandDispatcher
Defined in:
lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb

Overview

The local privilege escalation portion of the extension.

Constant Summary

Klass =
Console::CommandDispatcher::Priv::Elevate
ELEVATE_TECHNIQUE_NONE =
-1
ELEVATE_TECHNIQUE_ANY =
0
ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE =
1
ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE2 =
2
ELEVATE_TECHNIQUE_SERVICE_TOKENDUP =
3
ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE_RPCSS =
4
ELEVATE_TECHNIQUE_NAMEDPIPE_PRINTSPOOLER =
5
ELEVATE_TECHNIQUE_NAMEDPIPE_EFS =
6
ELEVATE_TECHNIQUE_DESCRIPTION =
[
  'All techniques available',
  'Named Pipe Impersonation (In Memory/Admin)',
  'Named Pipe Impersonation (Dropper/Admin)',
  'Token Duplication (In Memory/Admin)',
  'Named Pipe Impersonation (RPCSS variant)',
  'Named Pipe Impersonation (PrintSpooler variant)',
  'Named Pipe Impersonation (EFSRPC variant - AKA EfsPotato)'
]

Instance Attribute Summary

Attributes included from Ui::Text::DispatcherShell::CommandDispatcher

#shell, #tab_complete_items

Instance Method Summary

Methods included from Rex::Post::Meterpreter::Ui::Console::CommandDispatcher

check_hash, #client, #docs_dir, #filter_commands, #initialize, #log_error, #msf_loaded?, set_hash, #unknown_command

Methods included from Ui::Text::DispatcherShell::CommandDispatcher

#cmd_help, #cmd_help_help, #cmd_help_tabs, #deprecated_cmd, #deprecated_commands, #deprecated_help, #docs_dir, #help_to_s, included, #initialize, #print, #print_error, #print_good, #print_line, #print_status, #print_warning, #tab_complete_directory, #tab_complete_filenames, #tab_complete_generic, #tab_complete_source_address, #unknown_command, #update_prompt

Instance Method Details

#cmd_getsystem(*args) ⇒ Object

Attempt to elevate the Meterpreter session's privileges to those of the local SYSTEM account.



# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb', line 79

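#
# Attempt to elevate the current session to the local SYSTEM account.
#
# Parses the command-line options, validates the requested technique index
# against ELEVATE_TECHNIQUE_DESCRIPTION, refuses to run when the session
# already reports SYSTEM, then issues the priv extension's getsystem request
# and reports the outcome.
#
# @param args [Array<String>] raw command-line arguments: -h prints the help
#   banner, -t <index> selects a technique (ELEVATE_TECHNIQUE_ANY tries all).
# @return [Array, false, nil] the [success, technique] pair returned by
#   client.priv.getsystem; false when the technique argument is invalid;
#   nil when help was shown, the session is already SYSTEM, or the request
#   raised a RequestError.
#
def cmd_getsystem( *args )
  technique = ELEVATE_TECHNIQUE_ANY

  # Build the "-t" help text once; one "<index> : <description>" line per entry.
  desc = ELEVATE_TECHNIQUE_DESCRIPTION.each_with_index.map do |text, i|
    "\n\t\t#{i} : #{text}"
  end.join

  getsystem_opts = Rex::Parser::Arguments.new(
    "-h" => [ false, "Help Banner." ],
    "-t" => [ true, "The technique to use. (Default to '#{technique}')." + desc ]
  )

  getsystem_opts.parse(args) { | opt, idx, val |
    case opt
    when "-h"
      print_line( "Usage: getsystem [options]\n" )
      print_line( "Attempt to elevate your privilege to that of local system." )
      print_line( getsystem_opts.usage )
      return
    when "-t"
      # Integer() rejects non-numeric input such as "-t foo", which String#to_i
      # would silently turn into 0 (== ELEVATE_TECHNIQUE_ANY).
      begin
        technique = Integer(val, 10)
      rescue ArgumentError, TypeError
        print_error( "Technique '#{val}' is not a valid index." )
        return false
      end
    end
  }

  # Technique indexes are 0-based positions into ELEVATE_TECHNIQUE_DESCRIPTION.
  if technique < 0 || technique >= ELEVATE_TECHNIQUE_DESCRIPTION.length
    print_error( "Technique '#{technique}' is out of range." )
    return false
  end

  if client.sys.config.is_system?
    print_error("Already running as SYSTEM")
    return
  end

  begin
    result = client.priv.getsystem( technique )
  rescue Rex::Post::Meterpreter::RequestError => e
    print_error("#{e.message} The following was attempted:")
    translate_technique_index(technique).each { |attempted| print_error(attempted) }
    elog("Technique: #{technique}", error: e)
    return
  end

  # result is [got_system?, index_of_the_technique_that_ran]
  if result[0]
    print_line( "...got system via technique #{result[1]} (#{translate_technique_index(result[1]).first})." )
  else
    print_line( "...failed to get system while attempting the following:" )
    translate_technique_index(technique).each { |attempted| print_error(attempted) }
  end

  result
end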

#commands ⇒ Object

List of supported commands.



# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb', line 43

#
# List of supported commands.
#
# @return [Hash{String => String}] command name mapped to its one-line help text
#
def commands
  help_text = "Attempt to elevate your privilege to that of local system."
  { "getsystem" => help_text }
end

#name ⇒ Object

Name for this dispatcher.



# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb', line 52

#
# Name for this dispatcher, as shown by the console.
#
# @return [String] the dispatcher label
#
def name
  "Priv: Elevate"
end

#translate_technique_index(index) ⇒ Object

Returns the description(s) of the selected technique(s).



# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb', line 60

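#
# Map a technique index onto the human-readable description(s) from
# ELEVATE_TECHNIQUE_DESCRIPTION.
#
# @param index [Integer] a technique index; ELEVATE_TECHNIQUE_ANY (0) stands
#   for every concrete technique.
# @return [Array<String>] every concrete technique description when index is
#   ELEVATE_TECHNIQUE_ANY, a one-element array for a known index, or a
#   one-element "Unknown technique" placeholder for an index outside the
#   table (previously this returned [nil], which printed as an empty name).
#
def translate_technique_index(index)
  descriptions = ELEVATE_TECHNIQUE_DESCRIPTION

  # Index 0 is the "All techniques" meta-entry; everything after it is a
  # concrete technique, so return the table minus that first element.
  return descriptions[1..-1] if index == ELEVATE_TECHNIQUE_ANY

  # Check the type and range explicitly: Array#[] would index negatives from
  # the end and return nil for anything past the last entry.
  if index.is_a?(Integer) && index >= 0 && index < descriptions.length
    [ descriptions[index] ]
  else
    [ "Unknown technique (#{index})" ]
  end
end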