librex 0.0.13 → 0.0.15

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv.rb

@@ -1,61 +0,0 @@
-require 'rex/post/meterpreter'
-
-module Rex
-module Post
-module Meterpreter
-module Ui
-
-###
-#
-# Privilege escalation extension user interface.
-#
-###
-class Console::CommandDispatcher::Priv
-
-	require 'rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate'
-	require 'rex/post/meterpreter/ui/console/command_dispatcher/priv/passwd'
-	require 'rex/post/meterpreter/ui/console/command_dispatcher/priv/timestomp'
-
-	Klass = Console::CommandDispatcher::Priv
-
-	Dispatchers = 
-		[
-			Klass::Elevate,
-			Klass::Passwd,
-			Klass::Timestomp,
-		]
-
-	include Console::CommandDispatcher
-
-	#
-	# Initializes an instance of the priv command interaction.
-	#
-	def initialize(shell)
-		super
-
-		Dispatchers.each { |d|
-			shell.enstack_dispatcher(d)
-		}
-	end
-
-	#
-	# List of supported commands.
-	#
-	def commands
-		{
-		}
-	end
-
-	#
-	# Name for this dispatcher
-	#
-	def name
-		"Privilege Escalation"
-	end
-
-end
-
-end
-end
-end
-end

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb

@@ -1,98 +0,0 @@
-require 'rex/post/meterpreter'
-
-module Rex
-module Post
-module Meterpreter
-module Ui
-
-###
-#
-# The local privilege escalation portion of the extension.
-#
-###
-class Console::CommandDispatcher::Priv::Elevate
-
-	Klass = Console::CommandDispatcher::Priv::Elevate
-
-	include Console::CommandDispatcher
-	
-	ELEVATE_TECHNIQUE_NONE					= -1
-	ELEVATE_TECHNIQUE_ANY					= 0
-	ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE		= 1
-	ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE2	= 2
-	ELEVATE_TECHNIQUE_SERVICE_TOKENDUP		= 3
-	ELEVATE_TECHNIQUE_VULN_KITRAP0D			= 4
-
-	ELEVATE_TECHNIQUE_DESCRIPTION = [ 	"All techniques available", 
-										"Service - Named Pipe Impersonation (In Memory/Admin)",
-										"Service - Named Pipe Impersonation (Dropper/Admin)",
-										"Service - Token Duplication (In Memory/Admin)",
-										"Exploit - KiTrap0D (In Memory/User)"
-									]
-	#
-	# List of supported commands.
-	#
-	def commands
-		{
-			"getsystem" => "Attempt to elevate your privilege to that of local system."
-		}
-	end
-
-	#
-	# Name for this dispatcher.
-	#
-	def name
-		"Priv: Elevate"
-	end
-	
-
-	#
-	# Attempt to elevate the meterpreter to that of local system.
-	#
-	def cmd_getsystem( *args )
-	
-		technique = ELEVATE_TECHNIQUE_ANY
-		
-		desc = ""
-		ELEVATE_TECHNIQUE_DESCRIPTION.each_index { |i| desc += "\n\t\t#{i} : #{ELEVATE_TECHNIQUE_DESCRIPTION[i]}" }
-		
-		getsystem_opts = Rex::Parser::Arguments.new(
-			"-h" => [ false, "Help Banner." ],
-			"-t" => [ true, "The technique to use. (Default to \'#{technique}\')." + desc ]
-		)
-		
-		getsystem_opts.parse(args) { | opt, idx, val |
-			case opt
-				when "-h"
-					print_line( "Usage: getsystem [options]\n" )
-					print_line( "Attempt to elevate your privilege to that of local system." )
-					print_line( getsystem_opts.usage )
-					return
-				when "-t"
-					technique = val.to_i
-			end
-		}
-
-		if( technique < 0 or technique >= ELEVATE_TECHNIQUE_DESCRIPTION.length )
-			print_error( "Technique '#{technique}' is out of range." );
-			return false;
-		end
-			
-		result = client.priv.getsystem( technique )
-		
-		# got system?
-		if result[0]
-			print_line( "...got system (via technique #{result[1]})." );
-		else
-			print_line( "...failed to get system." );
-		end
-		
-		return result
-	end
-
-end
-
-end
-end
-end
-end

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/passwd.rb

@@ -1,51 +0,0 @@
-require 'rex/post/meterpreter'
-
-module Rex
-module Post
-module Meterpreter
-module Ui
-
-###
-#
-# The password database portion of the privilege escalation extension.
-#
-###
-class Console::CommandDispatcher::Priv::Passwd
-
-	Klass = Console::CommandDispatcher::Priv::Passwd
-
-	include Console::CommandDispatcher
-
-	#
-	# List of supported commands.
-	#
-	def commands
-		{
-			"hashdump" => "Dumps the contents of the SAM database"
-		}
-	end
-
-	#
-	# Name for this dispatcher.
-	#
-	def name
-		"Priv: Password database"
-	end
-
-	#
-	# Displays the contents of the SAM database
-	#
-	def cmd_hashdump(*args)
-		client.priv.sam_hashes.each { |user|
-			print_line("#{user}")
-		}
-		
-		return true
-	end
-
-end
-
-end
-end
-end
-end

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/timestomp.rb

@@ -1,132 +0,0 @@
-require 'rex/post/meterpreter'
-
-module Rex
-module Post
-module Meterpreter
-module Ui
-
-###
-#
-# This class provides commands that interact with the timestomp feature set of
-# the privilege escalation extension.
-#
-###
-class Console::CommandDispatcher::Priv::Timestomp
-
-	Klass = Console::CommandDispatcher::Priv::Timestomp
-
-	include Console::CommandDispatcher
-
-	@@timestomp_opts = Rex::Parser::Arguments.new(
-		"-m" => [ true,  "Set the \"last written\" time of the file" ],
-		"-a" => [ true,  "Set the \"last accessed\" time of the file" ],
-		"-c" => [ true,  "Set the \"creation\" time of the file" ],
-		"-e" => [ true,  "Set the \"mft entry modified\" time of the file" ],
-		"-z" => [ true,  "Set all four attributes (MACE) of the file" ],
-		"-f" => [ true,  "Set the MACE of attributes equal to the supplied file" ],
-		"-b" => [ false, "Set the MACE timestamps so that EnCase shows blanks" ],
-		"-r" => [ false, "Set the MACE timestamps recursively on a directory" ],
-		"-v" => [ false, "Display the UTC MACE values of the file" ],
-		"-h" => [ false, "Help banner" ])
-
-	#
-	# List of supported commands.
-	#
-	def commands
-		{
-			"timestomp" => "Manipulate file MACE attributes"
-		}
-	end
-
-	#
-	# Name for this dispatcher.
-	#
-	def name
-		"Priv: Timestomp"
-	end
-
-	#
-	# This command provides the same level of features that vinnie's command
-	# line timestomp interface provides with a similar argument set.
-	#
-	def cmd_timestomp(*args)
-		if (args.length < 2)
-			print_line("\nUsage: timestomp file_path OPTIONS\n" +
-				@@timestomp_opts.usage)
-			return
-		end
-
-		file_path = args.shift
-		modified  = nil
-		accessed  = nil
-		creation  = nil
-		emodified = nil
-
-		@@timestomp_opts.parse(args) { |opt, idx, val|
-			case opt
-				when "-m"
-					modified  = str_to_time(val)
-				when "-a"
-					accessed  = str_to_time(val)
-				when "-c"
-					creation  = str_to_time(val)
-				when "-e"
-					emodified = str_to_time(val)
-				when "-z"
-					puts "#{val}"
-					modified  = str_to_time(val)
-					accessed  = str_to_time(val)
-					creation  = str_to_time(val)
-					emodified = str_to_time(val)
-				when "-f"
-					print_status("Setting MACE attributes on #{file_path} from #{val}")
-					client.priv.fs.set_file_mace_from_file(file_path, val)
-				when "-b"
-					print_status("Blanking file MACE attributes on #{file_path}")
-					client.priv.fs.blank_file_mace(file_path)
-				when "-r"
-					print_status("Blanking directory MACE attributes on #{file_path}")
-					client.priv.fs.blank_directory_mace(file_path)
-				when "-v"
-					hash = client.priv.fs.get_file_mace(file_path)
-
-					print_line("Modified      : #{hash['Modified']}")
-					print_line("Accessed      : #{hash['Accessed']}")
-					print_line("Created       : #{hash['Created']}")
-					print_line("Entry Modified: #{hash['Entry Modified']}")
-				when "-h"
-					print_line("\nUsage: timestomp file_path OPTIONS\n" +
-						@@timestomp_opts.usage)
-					return
-			end
-		}
-
-		# If any one of the four times were specified, change them.
-		if (modified or accessed or creation or emodified)
-			print_status("Setting specific MACE attributes on #{file_path}")
-			client.priv.fs.set_file_mace(file_path, modified, accessed, 
-				creation, emodified)
-		end
-	end
-
-protected
-
-	#
-	# Converts a date/time in the form of MM/DD/YYYY HH24:MI:SS
-	#
-	def str_to_time(str) # :nodoc:
-		r, mon, day, year, hour, min, sec = str.match("^(\\d+?)/(\\d+?)/(\\d+?) (\\d+?):(\\d+?):(\\d+?)$").to_a
-
-		if (mon == nil)
-			raise ArgumentError, "Invalid date format, expected MM/DD/YYYY HH24:MI:SS (got #{str})"
-		end
-
-		Time.mktime(year, mon, day, hour, min, sec, 0)
-	end
-
-end
-
-end
-end
-end
-end

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/sniffer.rb

@@ -1,187 +0,0 @@
-require 'rex/post/meterpreter'
-
-module Rex
-module Post
-module Meterpreter
-module Ui
-
-###
-#
-# Packet sniffer extension user interface.
-#
-###
-class Console::CommandDispatcher::Sniffer
-
-	Klass = Console::CommandDispatcher::Sniffer
-
-	include Console::CommandDispatcher
-
-	#
-	# Initializes an instance of the sniffer command interaction.
-	#
-	def initialize(shell)
-		super
-	end
-
-	#
-	# List of supported commands.
-	#
-	def commands
-		{
-			"sniffer_interfaces" => "Enumerate all sniffable network interfaces",
-			"sniffer_start" => "Start packet capture on a specific interface",
-			"sniffer_stop"  => "Stop packet capture on a specific interface",
-			"sniffer_stats" => "View statistics of an active capture",
-			"sniffer_dump"  => "Retrieve captured packet data to PCAP file",
-		}
-	end
-
-
-	def cmd_sniffer_interfaces(*args)
-		
-		ifaces = client.sniffer.interfaces()
-
-		print_line()
-
-		ifaces.each do |i|
-			print_line(sprintf("%d - '%s' ( type:%d mtu:%d usable:%s dhcp:%s wifi:%s )", 
-				i['idx'], i['description'],
-				i['type'], i['mtu'], i['usable'], i['dhcp'], i['wireless'])
-			)
-		end
-		
-		print_line()
-
-		return true
-	end
-	
-	def cmd_sniffer_start(*args)
-		intf = args.shift.to_i
-		if (intf == 0)
-			print_error("Usage: sniffer_start [interface-id] [packet-buffer (1-200000)] [bpf filter (posix meterpreter only)]")
-			return
-		end
-		maxp = (args.shift || 50000).to_i
-		bpf  = args.join(" ")
-		
-		client.sniffer.capture_start(intf, maxp, bpf)
-		print_status("Capture started on interface #{intf} (#{maxp} packet buffer)")
-		return true
-	end
-	
-	def cmd_sniffer_stop(*args)
-	   intf = args[0].to_i
-		if (intf == 0)
-			print_error("Usage: sniffer_stop [interface-id]")
-			return
-		end
-		
-		client.sniffer.capture_stop(intf)
-		print_status("Capture stopped on interface #{intf}")
-		return true
-	end
-	
-	def cmd_sniffer_stats(*args)
-	   intf = args[0].to_i
-		if (intf == 0)
-			print_error("Usage: sniffer_stats [interface-id]")
-			return
-		end
-		
-		stats = client.sniffer.capture_stats(intf)
-		print_status("Capture statistics for interface #{intf}")
-		stats.each_key do |k|
-			puts "\t#{k}: #{stats[k]}"
-		end
-		
-		return true		
-	end
-	
-	def cmd_sniffer_dump(*args)
-	   intf = args[0].to_i
-		if (intf == 0 or not args[1])
-			print_error("Usage: sniffer_dump [interface-id] [pcap-file]")
-			return
-		end
-		
-		path_cap = args[1]
-		path_raw = args[1] + '.raw'
-		
-		fd = ::File.new(path_raw, 'wb+')
-		
-		print_status("Flushing packet capture buffer for interface #{intf}...")
-		res = client.sniffer.capture_dump(intf)
-		print_status("Flushed #{res[:packets]} packets (#{res[:bytes]} bytes)")
-		
-		bytes_all = res[:bytes] || 0
-		bytes_got = 0
-		bytes_pct = 0
-
-		while (bytes_all > 0)
-			res = client.sniffer.capture_dump_read(intf,1024*512)
-			
-			bytes_got += res[:bytes]
-
-			pct = ((bytes_got.to_f / bytes_all.to_f) * 100).to_i
-			if(pct > bytes_pct)
-				print_status("Downloaded #{"%.3d" % pct}% (#{bytes_got}/#{bytes_all})...")
-				bytes_pct = pct
-			end		
-			break if res[:bytes] == 0
-			fd.write(res[:data])
-		end
-		
-		fd.close
-		
-		print_status("Download completed, converting to PCAP...")
-		
-		fd = nil
-		if(::File.exist?(path_cap))
-			fd = ::File.new(path_cap, 'ab+')
-		else
-			fd = ::File.new(path_cap, 'wb+')
-			fd.write([0xa1b2c3d4, 2, 4, 0, 0, 65536, 1].pack('NnnNNNN'))
-		end	
-
-		pkts = {}		
-		od = ::File.new(path_raw, 'rb')
-
-
-		# TODO: reorder packets based on the ID (only an issue if the buffer wraps)
-		while(true)
-			buf = od.read(20)
-			break if not buf
-		
-			idh,idl,thi,tlo,len = buf.unpack('N5')
-			break if not len
-			if(len > 10000) 
-				print_error("Corrupted packet data (length:#{len})")
-				break
-			end
-			
-			pkt_id = (idh << 32) +idl
-			pkt_ts = Rex::Proto::SMB::Utils.time_smb_to_unix(thi,tlo)
-			pkt    = od.read(len)
-			
-			fd.write([pkt_ts,0,len,len].pack('NNNN')+pkt)
-		end
-		od.close
-		fd.close
-		
-		::File.unlink(path_raw)
-		print_status("PCAP file written to #{path_cap}")
-	end	
-	
-	#
-	# Name for this dispatcher
-	# sni
-	def name
-		"Sniffer"
-	end
-
-end
-
-end
-end
-end
-end