rex 1.0.2 → 2.0.2

data/lib/rex/post/meterpreter/extensions/stdapi/railgun/win_const_manager.rb

@@ -0,0 +1,96 @@
+# -*- coding: binary -*-
+# Copyright (c) 2010, patrickHVE@googlemail.com
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above copyright
+#       notice, this list of conditions and the following disclaimer in the
+#       documentation and/or other materials provided with the distribution.
+#     * The names of the author may not be used to endorse or promote products
+#       derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL patrickHVE@googlemail.com BE LIABLE FOR ANY
+# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Stdapi
+module Railgun
+
+#
+# Manages our library of windows constants
+#
+class WinConstManager
+  attr_reader :consts
+
+  def initialize(initial_consts = {})
+    @consts = {}
+
+    initial_consts.each_pair do |name, value|
+      add_const(name, value)
+    end
+  end
+
+  def add_const(name, value)
+    consts[name] = value
+  end
+
+  # parses a string constaining constants and returns an integer
+  # the string can be either "CONST" or "CONST1 | CONST2"
+  #
+  # this function will NOT throw an exception but return "nil" if it can't parse a string
+  def parse(s)
+    if s.class != String
+      return nil # it's not even a string'
+    end
+    return_value = 0
+    for one_const in s.split('|')
+      one_const = one_const.strip()
+      if not consts.has_key? one_const
+        return nil # at least one "Constant" is unknown to us
+      end
+      return_value |= consts[one_const]
+    end
+    return return_value
+  end
+
+  def is_parseable(s)
+    return !parse(s).nil?
+  end
+
+  #
+  # Returns an array of constant names that have a value matching "winconst"
+  # and (optionally) a name that matches "filter_regex"
+  #
+  def select_const_names(winconst, filter_regex=nil)
+    matches = []
+
+    consts.each_pair do |name, value|
+      matches << name if value == winconst
+    end
+
+    # Filter matches by name if a filter has been provided
+    unless filter_regex.nil?
+      matches.reject! do |name|
+        name !~ filter_regex
+      end
+    end
+
+    return matches
+  end
+end
+
+end; end; end; end; end; end

data/lib/rex/post/meterpreter/extensions/stdapi/stdapi.rb

@@ -0,0 +1,151 @@
+# -*- coding: binary -*-
+
+require 'rex/post/meterpreter/object_aliases'
+require 'rex/post/meterpreter/extension'
+require 'rex/post/meterpreter/extensions/stdapi/constants'
+require 'rex/post/meterpreter/extensions/stdapi/tlv'
+require 'rex/post/meterpreter/extensions/stdapi/fs/dir'
+require 'rex/post/meterpreter/extensions/stdapi/fs/file'
+require 'rex/post/meterpreter/extensions/stdapi/fs/file_stat'
+require 'rex/post/meterpreter/extensions/stdapi/net/resolve'
+require 'rex/post/meterpreter/extensions/stdapi/net/config'
+require 'rex/post/meterpreter/extensions/stdapi/net/socket'
+require 'rex/post/meterpreter/extensions/stdapi/sys/config'
+require 'rex/post/meterpreter/extensions/stdapi/sys/process'
+require 'rex/post/meterpreter/extensions/stdapi/sys/registry'
+require 'rex/post/meterpreter/extensions/stdapi/sys/event_log'
+require 'rex/post/meterpreter/extensions/stdapi/sys/power'
+require 'rex/post/meterpreter/extensions/stdapi/railgun/railgun'
+require 'rex/post/meterpreter/extensions/stdapi/ui'
+require 'rex/post/meterpreter/extensions/stdapi/webcam/webcam'
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Stdapi
+
+###
+#
+# Standard ruby interface to remote entities for meterpreter.  It provides
+# basic access to files, network, system, and other properties of the remote
+# machine that are fairly universal.
+#
+###
+class Stdapi < Extension
+
+  #
+  # Initializes an instance of the standard API extension.
+  #
+  def initialize(client)
+    super(client, 'stdapi')
+
+    # Alias the following things on the client object so that they
+    # can be directly referenced
+    client.register_extension_aliases(
+      [
+        {
+          'name' => 'fs',
+          'ext'  => ObjectAliases.new(
+            {
+              'dir'      => self.dir,
+              'file'     => self.file,
+              'filestat' => self.filestat
+            })
+        },
+        {
+          'name' => 'sys',
+          'ext'  => ObjectAliases.new(
+            {
+              'config'   => Sys::Config.new(client),
+              'process'  => self.process,
+              'registry' => self.registry,
+              'eventlog' => self.eventlog,
+              'power'    => self.power
+            })
+        },
+        {
+          'name' => 'net',
+          'ext'  => ObjectAliases.new(
+            {
+              'config'   => Rex::Post::Meterpreter::Extensions::Stdapi::Net::Config.new(client),
+              'socket'   => Rex::Post::Meterpreter::Extensions::Stdapi::Net::Socket.new(client),
+              'resolve'  => Rex::Post::Meterpreter::Extensions::Stdapi::Net::Resolve.new(client)
+            })
+        },
+        {
+          'name' => 'railgun',
+          'ext'  => Rex::Post::Meterpreter::Extensions::Stdapi::Railgun::Railgun.new(client)
+        },
+        {
+          'name' => 'webcam',
+          'ext'  => Rex::Post::Meterpreter::Extensions::Stdapi::Webcam::Webcam.new(client)
+        },
+        {
+          'name' => 'ui',
+          'ext'  => UI.new(client)
+        }
+
+      ])
+  end
+
+  #
+  # Sets the client instance on a duplicated copy of the supplied class.
+  #
+  def brand(klass)
+    klass = klass.dup
+    klass.client = self.client
+    return klass
+  end
+
+  #
+  # Returns a copy of the Dir class.
+  #
+  def dir
+    brand(Rex::Post::Meterpreter::Extensions::Stdapi::Fs::Dir)
+  end
+
+  #
+  # Returns a copy of the File class.
+  #
+  def file
+    brand(Rex::Post::Meterpreter::Extensions::Stdapi::Fs::File)
+  end
+
+  #
+  # Returns a copy of the FileStat class.
+  #
+  def filestat
+    brand(Rex::Post::Meterpreter::Extensions::Stdapi::Fs::FileStat)
+  end
+
+  #
+  # Returns a copy of the Process class.
+  #
+  def process
+    brand(Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Process)
+  end
+
+  #
+  # Returns a copy of the Registry class.
+  #
+  def registry
+    brand(Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Registry)
+  end
+
+  #
+  # Returns a copy of the EventLog class.
+  #
+  def eventlog
+    brand(Rex::Post::Meterpreter::Extensions::Stdapi::Sys::EventLog)
+  end
+
+  #
+  # Returns a copy of the Power class.
+  #
+  def power
+    brand(Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Power)
+  end
+end
+
+end; end; end; end; end

data/lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb

@@ -0,0 +1,128 @@
+# -*- coding: binary -*-
+
+require 'rex/post/process'
+require 'rex/post/meterpreter/packet'
+require 'rex/post/meterpreter/client'
+require 'rex/post/meterpreter/extensions/stdapi/constants'
+require 'rex/post/meterpreter/extensions/stdapi/stdapi'
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Stdapi
+module Sys
+
+###
+#
+# This class provides access to remote system configuration and information.
+#
+###
+class Config
+
+  def initialize(client)
+    self.client = client
+  end
+
+  #
+  # Returns the username that the remote side is running as.
+  #
+  def getuid
+    request  = Packet.create_request('stdapi_sys_config_getuid')
+    response = client.send_request(request)
+    client.unicode_filter_encode( response.get_tlv_value(TLV_TYPE_USER_NAME) )
+  end
+
+  #
+  # Returns a hash of requested environment variables, along with their values.
+  # If a requested value doesn't exist in the response, then the value wasn't found.
+  #
+  def getenvs(*var_names)
+    request = Packet.create_request('stdapi_sys_config_getenv')
+
+    var_names.each do |v|
+      request.add_tlv(TLV_TYPE_ENV_VARIABLE, v)
+    end
+
+    response = client.send_request(request)
+    result = {}
+
+    response.each(TLV_TYPE_ENV_GROUP) do |env|
+      var_name = env.get_tlv_value(TLV_TYPE_ENV_VARIABLE)
+      var_value = env.get_tlv_value(TLV_TYPE_ENV_VALUE)
+      result[var_name] = var_value
+    end
+
+    result
+  end
+
+  #
+  # Returns the value of a single requested environment variable name
+  #
+  def getenv(var_name)
+    _, value = getenvs(var_name).first
+    value
+  end
+
+  #
+  # Returns a hash of information about the remote computer.
+  #
+  def sysinfo
+    request  = Packet.create_request('stdapi_sys_config_sysinfo')
+    response = client.send_request(request)
+
+    {
+      'Computer'        => response.get_tlv_value(TLV_TYPE_COMPUTER_NAME),
+      'OS'              => response.get_tlv_value(TLV_TYPE_OS_NAME),
+      'Architecture'    => response.get_tlv_value(TLV_TYPE_ARCHITECTURE),
+      'System Language' => response.get_tlv_value(TLV_TYPE_LANG_SYSTEM),
+    }
+  end
+
+  #
+  # Calls RevertToSelf on the remote machine.
+  #
+  def revert_to_self
+    client.send_request(Packet.create_request('stdapi_sys_config_rev2self'))
+  end
+
+  #
+  # Steals the primary token from a target process
+  #
+  def steal_token(pid)
+    req = Packet.create_request('stdapi_sys_config_steal_token')
+    req.add_tlv(TLV_TYPE_PID, pid.to_i)
+    res = client.send_request(req)
+    client.unicode_filter_encode( res.get_tlv_value(TLV_TYPE_USER_NAME) )
+  end
+
+  #
+  # Drops any assumed token
+  #
+  def drop_token
+    req = Packet.create_request('stdapi_sys_config_drop_token')
+    res = client.send_request(req)
+    client.unicode_filter_encode( res.get_tlv_value(TLV_TYPE_USER_NAME) )
+  end
+
+  #
+  # Enables all possible privileges
+  #
+  def getprivs
+    req = Packet.create_request('stdapi_sys_config_getprivs')
+    ret = []
+    res = client.send_request(req)
+    res.each(TLV_TYPE_PRIVILEGE) do |p|
+      ret << p.value
+    end
+    ret
+  end
+
+protected
+
+  attr_accessor :client
+
+end
+
+end; end; end; end; end; end
+

data/lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb

@@ -0,0 +1,192 @@
+# -*- coding: binary -*-
+
+require 'rex/post/process'
+require 'rex/post/meterpreter/packet'
+require 'rex/post/meterpreter/client'
+require 'rex/post/meterpreter/extensions/stdapi/constants'
+require 'rex/post/meterpreter/extensions/stdapi/stdapi'
+require 'rex/post/meterpreter/extensions/stdapi/sys/event_log_subsystem/event_record'
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Stdapi
+module Sys
+
+###
+#
+# This class provides access to the Windows event log on the remote
+# machine.
+#
+###
+class EventLog
+
+  class << self
+    attr_accessor :client
+  end
+
+  #
+  # Opens the supplied event log.
+  #
+  #--
+  # NOTE: should support UNCServerName sometime
+  #++
+  #
+  def EventLog.open(name)
+    request = Packet.create_request('stdapi_sys_eventlog_open')
+
+    request.add_tlv(TLV_TYPE_EVENT_SOURCENAME, name);
+
+    response = client.send_request(request)
+
+    return self.new(response.get_tlv_value(TLV_TYPE_EVENT_HANDLE))
+  end
+
+  ##
+  #
+  # Event Log Instance Stuffs!
+  #
+  ##
+
+  attr_accessor :handle # :nodoc:
+  attr_accessor :client # :nodoc:
+
+  public
+
+  #
+  # Initializes an instance of the eventlog manipulator.
+  #
+  def initialize(hand)
+    self.client = self.class.client
+    self.handle = hand
+    ObjectSpace.define_finalizer( self, self.class.finalize(self.client, self.handle) )
+  end
+
+  def self.finalize(client,handle)
+    proc { self.close(client,handle) }
+  end
+
+  #
+  # Return the number of records in the event log.
+  #
+  def length
+    request = Packet.create_request('stdapi_sys_eventlog_numrecords')
+
+    request.add_tlv(TLV_TYPE_EVENT_HANDLE, self.handle);
+
+    response = client.send_request(request)
+
+    return response.get_tlv_value(TLV_TYPE_EVENT_NUMRECORDS)
+  end
+
+  #
+  # the low level read function (takes flags, not hash, etc).
+  #
+  def _read(flags, offset = 0)
+    request = Packet.create_request('stdapi_sys_eventlog_read')
+
+    request.add_tlv(TLV_TYPE_EVENT_HANDLE, self.handle)
+    request.add_tlv(TLV_TYPE_EVENT_READFLAGS, flags)
+    request.add_tlv(TLV_TYPE_EVENT_RECORDOFFSET, offset)
+
+    response = client.send_request(request)
+
+    EventLogSubsystem::EventRecord.new(
+      response.get_tlv_value(TLV_TYPE_EVENT_RECORDNUMBER),
+      response.get_tlv_value(TLV_TYPE_EVENT_TIMEGENERATED),
+      response.get_tlv_value(TLV_TYPE_EVENT_TIMEWRITTEN),
+      response.get_tlv_value(TLV_TYPE_EVENT_ID),
+      response.get_tlv_value(TLV_TYPE_EVENT_TYPE),
+      response.get_tlv_value(TLV_TYPE_EVENT_CATEGORY),
+      response.get_tlv_values(TLV_TYPE_EVENT_STRING),
+      response.get_tlv_value(TLV_TYPE_EVENT_DATA)
+    )
+  end
+
+  #
+  # Read the eventlog forwards, meaning from oldest to newest.
+  # Returns a EventRecord, and throws an exception after no more records.
+  #
+  def read_forwards
+    _read(EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ)
+  end
+
+  #
+  # Iterator for read_forwards.
+  #
+  def each_forwards
+    begin
+      loop do
+        yield(read_forwards)
+      end
+    rescue ::Exception
+    end
+  end
+
+  #
+  # Read the eventlog backwards, meaning from newest to oldest.
+  # Returns a EventRecord, and throws an exception after no more records.
+  #
+  def read_backwards
+    _read(EVENTLOG_SEQUENTIAL_READ | EVENTLOG_BACKWARDS_READ)
+  end
+
+  #
+  # Iterator for read_backwards.
+  #
+  def each_backwards
+    begin
+      loop do
+        yield(read_backwards)
+      end
+    rescue ::Exception
+    end
+  end
+
+  #
+  # Return the record number of the oldest event (not necessarily 1).
+  #
+  def oldest
+    request = Packet.create_request('stdapi_sys_eventlog_oldest')
+
+    request.add_tlv(TLV_TYPE_EVENT_HANDLE, self.handle);
+
+    response = client.send_request(request)
+
+    return response.get_tlv_value(TLV_TYPE_EVENT_RECORDNUMBER)
+  end
+
+  #
+  # Clear the specified event log (and return nil).
+  #
+  #--
+  # I should eventually support BackupFile
+  #++
+  #
+  def clear
+    request = Packet.create_request('stdapi_sys_eventlog_clear')
+
+    request.add_tlv(TLV_TYPE_EVENT_HANDLE, self.handle);
+
+    response = client.send_request(request)
+    return self
+  end
+
+  #
+  # Close the event log
+  #
+  def self.close(client, handle)
+    request = Packet.create_request('stdapi_sys_eventlog_close')
+    request.add_tlv(TLV_TYPE_EVENT_HANDLE, handle);
+    response = client.send_request(request, nil)
+    return nil
+  end
+
+  # Instance method
+  def close
+    self.class.close(self.client, self.handle)
+  end
+end
+
+end end end end end end