Class: Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Config

Inherits:

Object

• Object
• Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Config

Defined in:

lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb

Overview

This class provides access to remote system configuration and information.

Constant Summary

SYSTEM_SID =

'S-1-5-18'

Instance Attribute Summary

• #client ⇒ Object protected

  Returns the value of attribute client.

Instance Method Summary

• #drop_token ⇒ Object

  Drops any assumed token.

• #getdrivers ⇒ Object

  Returns a list of currently active drivers used by the target system.

• #getenv(var_name) ⇒ Object

  Returns the value of a single requested environment variable name.

• #getenvs(*var_names) ⇒ Object

  Returns a hash of requested environment variables, along with their values.

• #getprivs ⇒ Object

  Enables all possible privileges.

• #getsid ⇒ Object

  Gets the SID of the current process/thread.

• #getuid(refresh: true) ⇒ Object

  Returns the username that the remote side is running as.

• #initialize(client) ⇒ Config constructor

  A new instance of Config.

• #is_system? ⇒ Boolean

  Determine if the current process/thread is running as SYSTEM.

• #localtime ⇒ Object

  Returns the target’s local system date and time.

• #revert_to_self ⇒ Object

  Calls RevertToSelf on the remote machine.

• #steal_token(pid) ⇒ Object

  Steals the primary token from a target process.

• #sysinfo(refresh: false) ⇒ Object

  Returns a hash of information about the remote computer.

• #update_token(token_handle) ⇒ Object

  Updates the current token for impersonation.

Constructor Details

#initialize(client) ⇒ Config

Returns a new instance of Config.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb', line 25

def initialize(client)
  self.client = client
end

Instance Attribute Details

#client ⇒ Object (protected)

Returns the value of attribute client.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb', line 193

def client
  @client
end

Instance Method Details

#drop_token ⇒ Object

Drops any assumed token

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb', line 163

def drop_token
  req = Packet.create_request(COMMAND_ID_STDAPI_SYS_CONFIG_DROP_TOKEN)
  res = client.send_request(req)
  client.unicode_filter_encode( res.get_tlv_value(TLV_TYPE_USER_NAME) )
end

#getdrivers ⇒ Object

Returns a list of currently active drivers used by the target system

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb', line 60

def getdrivers
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_CONFIG_DRIVER_LIST)
  response = client.send_request(request)

  result = []

  response.each(TLV_TYPE_DRIVER_ENTRY) do |driver|
    result << {
      basename: driver.get_tlv_value(TLV_TYPE_DRIVER_BASENAME),
      filename: driver.get_tlv_value(TLV_TYPE_DRIVER_FILENAME)
    }
  end

  result
end

#getenv(var_name) ⇒ Object

Returns the value of a single requested environment variable name

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb', line 102

def getenv(var_name)
  _, value = getenvs(var_name).first
  value
end

#getenvs(*var_names) ⇒ Object

Returns a hash of requested environment variables, along with their values. If a requested value doesn’t exist in the response, then the value wasn’t found.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb', line 80

def getenvs(*var_names)
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_CONFIG_GETENV)

  var_names.each do |v|
    request.add_tlv(TLV_TYPE_ENV_VARIABLE, v)
  end

  response = client.send_request(request)
  result = {}

  response.each(TLV_TYPE_ENV_GROUP) do |env|
    var_name = env.get_tlv_value(TLV_TYPE_ENV_VARIABLE)
    var_value = env.get_tlv_value(TLV_TYPE_ENV_VALUE)
    result[var_name] = var_value
  end

  result
end

#getprivs ⇒ Object

Enables all possible privileges

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb', line 181

def getprivs
  req = Packet.create_request(COMMAND_ID_STDAPI_SYS_CONFIG_GETPRIVS)
  ret = []
  res = client.send_request(req)
  res.each(TLV_TYPE_PRIVILEGE) do |p|
    ret << p.value
  end
  ret
end

#getsid ⇒ Object

Gets the SID of the current process/thread.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb', line 44

def getsid
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_CONFIG_GETSID)
  response = client.send_request(request)
  response.get_tlv_value(TLV_TYPE_SID)
end

#getuid(refresh: true) ⇒ Object

Returns the username that the remote side is running as.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb', line 32

def getuid(refresh: true)
  if @uid.nil? || refresh
    request  = Packet.create_request(COMMAND_ID_STDAPI_SYS_CONFIG_GETUID)
    response = client.send_request(request)
    @uid = client.unicode_filter_encode( response.get_tlv_value(TLV_TYPE_USER_NAME) )
  end
  @uid
end

#is_system? ⇒ Boolean

Determine if the current process/thread is running as SYSTEM

Returns:

• (Boolean)

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb', line 53

def is_system?
  getsid == SYSTEM_SID
end

#localtime ⇒ Object

Returns the target’s local system date and time.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb', line 110

def localtime
  request = Packet.create_request(COMMAND_ID_STDAPI_SYS_CONFIG_LOCALTIME)
  response = client.send_request(request)
  (response.get_tlv_value(TLV_TYPE_LOCAL_DATETIME) || "").strip
end

#revert_to_self ⇒ Object

Calls RevertToSelf on the remote machine.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb', line 146

def revert_to_self
  client.send_request(Packet.create_request(COMMAND_ID_STDAPI_SYS_CONFIG_REV2SELF))
end

#steal_token(pid) ⇒ Object

Steals the primary token from a target process

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb', line 153

def steal_token(pid)
  req = Packet.create_request(COMMAND_ID_STDAPI_SYS_CONFIG_STEAL_TOKEN)
  req.add_tlv(TLV_TYPE_PID, pid.to_i)
  res = client.send_request(req)
  client.unicode_filter_encode( res.get_tlv_value(TLV_TYPE_USER_NAME) )
end

#sysinfo(refresh: false) ⇒ Object

Returns a hash of information about the remote computer.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb', line 119

def sysinfo(refresh: false)
  request  = Packet.create_request(COMMAND_ID_STDAPI_SYS_CONFIG_SYSINFO)
  if @sysinfo.nil? || refresh
    response = client.send_request(request)

    @sysinfo = {
      'Computer'        => response.get_tlv_value(TLV_TYPE_COMPUTER_NAME),
      'OS'              => response.get_tlv_value(TLV_TYPE_OS_NAME),
      'Architecture'    => response.get_tlv_value(TLV_TYPE_ARCHITECTURE),
      'BuildTuple'      => response.get_tlv_value(TLV_TYPE_BUILD_TUPLE),
      'System Language' => response.get_tlv_value(TLV_TYPE_LANG_SYSTEM),
      'Domain'          => response.get_tlv_value(TLV_TYPE_DOMAIN),
      'Logged On Users' => response.get_tlv_value(TLV_TYPE_LOGGED_ON_USER_COUNT)
    }

    # make sure we map the architecture across to x64 if x86_64 is returned
    # to keep arch consistent across all session/machine types
    if @sysinfo['Architecture']
      @sysinfo['Architecture'] = ARCH_X64 if @sysinfo['Architecture'].strip == ARCH_X86_64
    end
  end
  @sysinfo
end

#update_token(token_handle) ⇒ Object

Updates the current token for impersonation

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb', line 172

def update_token(token_handle)
  req = Packet.create_request(COMMAND_ID_STDAPI_SYS_CONFIG_UPDATE_TOKEN)
  req.add_tlv(TLV_TYPE_HANDLE, token_handle.to_i)
  res = client.send_request(req)
end