adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
860e29228b09467d78894de3b0ec7ca10055bbb2
metasploit-gs/lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb
T
HD Moore 4d7aec7c2d Fixes #745. This commit changes how token manipulation works, adds the steal_token, drop_token, and getprivs commands. Tested on NT 4.0, 2000 SP4, XP SP3, 2003 SP2, Vista, and Windows 7 
git-svn-id: file:///home/svn/framework3/trunk@8055 4d416f70-5f16-0410-b530-b9f4589650da
2010-01-02 00:35:10 +00:00

98 lines
2.1 KiB
Ruby
Raw Blame History

#!/usr/bin/env ruby
require 'rex/post/process'
require 'rex/post/meterpreter/packet'
require 'rex/post/meterpreter/client'
require 'rex/post/meterpreter/extensions/stdapi/constants'
require 'rex/post/meterpreter/extensions/stdapi/stdapi'
module Rex
module Post
module Meterpreter
module Extensions
module Stdapi
module Sys
###
#
# This class provides access to remote system configuration and information.
#
###
class Config
def initialize(client)
self.client = client
end
#
# Returns the username that the remote side is running as.
#
def getuid
request = Packet.create_request('stdapi_sys_config_getuid')
response = client.send_request(request)
return response.get_tlv_value(TLV_TYPE_USER_NAME)
end
#
# Returns a hash of information about the remote computer.
#
def sysinfo
request = Packet.create_request('stdapi_sys_config_sysinfo')
response = client.send_request(request)
{
'Computer' => response.get_tlv_value(TLV_TYPE_COMPUTER_NAME),
'OS' => response.get_tlv_value(TLV_TYPE_OS_NAME),
'Architecture' => response.get_tlv_value(TLV_TYPE_ARCHITECTURE),
'System Language' => response.get_tlv_value(TLV_TYPE_LANG_SYSTEM),
}
end
#
# Calls RevertToSelf on the remote machine.
#
def revert_to_self
client.send_request(Packet.create_request('stdapi_sys_config_rev2self'))
end
#
# Steals the primary token from a target process
#
def steal_token(pid)
req = Packet.create_request('stdapi_sys_config_steal_token')
req.add_tlv(TLV_TYPE_PID, pid.to_i)
res = client.send_request(req)
return res.get_tlv_value(TLV_TYPE_USER_NAME)
end
#
# Drops any assumed token
#
def drop_token
req = Packet.create_request('stdapi_sys_config_drop_token')
res = client.send_request(req)
return res.get_tlv_value(TLV_TYPE_USER_NAME)
end
#
# Enables all possible privileges
#
def getprivs
req = Packet.create_request('stdapi_sys_config_getprivs')
ret = []
res = client.send_request(req)
res.each(TLV_TYPE_PRIVILEGE) do |p|
ret << p.value
end
return ret
end
protected
attr_accessor :client
end
end; end; end; end; end; end
Reference in New Issue View Git Blame Copy Permalink