rex 2.0.8 → 2.0.9

data/lib/rex/post/meterpreter/extensions/priv/priv.rb

@@ -45,7 +45,7 @@ class Priv < Extension
 
     elevator_name = Rex::Text.rand_text_alpha_lower( 6 )
 
-    elevator_path = MeterpreterBinaries.path('elevator', client.binary_suffix)
+    elevator_path = MetasploitPayloads.meterpreter_path('elevator', client.binary_suffix)
     if elevator_path.nil?
       raise RuntimeError, "elevator.#{binary_suffix} not found", caller
     end

data/lib/rex/post/meterpreter/extensions/python/python.rb

@@ -0,0 +1,114 @@
+# -*- coding: binary -*-
+
+require 'rex/post/meterpreter/extensions/python/tlv'
+require 'set'
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Python
+
+###
+#
+# Python extension - gives remote python scripting capabilities on the target.
+#
+###
+
+class Python < Extension
+
+  PY_CODE_TYPE_STRING = 0
+  PY_CODE_TYPE_PY     = 1
+  PY_CODE_TYPE_PYC    = 2
+
+  PY_CODE_FILE_TYPES = [ '.py', '.pyc' ]
+
+  PY_CODE_FILE_TYPE_MAP = {
+    '.py'  => PY_CODE_TYPE_PY,
+    '.pyc' => PY_CODE_TYPE_PYC
+  }
+
+  #
+  # Typical extension initialization routine.
+  #
+  # @param client (see Extension#initialize)
+  def initialize(client)
+    super(client, 'python')
+
+    client.register_extension_aliases(
+      [
+        {
+          'name' => 'python',
+          'ext'  => self
+        }
+      ])
+  end
+
+  def reset
+    request = Packet.create_request('python_reset')
+    client.send_request(request)
+
+    return true
+  end
+
+  def import(file, mod_name, result_var)
+    unless ::File.file?(file)
+      raise ArgumentError, "File not found: #{file}"
+    end
+
+    ext = ::File.extname(file).downcase
+    unless PY_CODE_FILE_TYPES.include?(ext)
+      raise ArgumentError, "File not a valid type: #{file}"
+    end
+
+    code = ::File.read(file)
+
+    request = Packet.create_request('python_execute')
+    request.add_tlv(TLV_TYPE_PYTHON_CODE, code)
+    request.add_tlv(TLV_TYPE_PYTHON_CODE_LEN, code.length)
+    request.add_tlv(TLV_TYPE_PYTHON_CODE_TYPE, PY_CODE_FILE_TYPE_MAP[ext])
+    request.add_tlv(TLV_TYPE_PYTHON_NAME, mod_name) if mod_name
+    request.add_tlv(TLV_TYPE_PYTHON_RESULT_VAR, result_var) if result_var
+
+    run_exec_request(request)
+  end
+
+  #
+  # Dump the LSA secrets from the target machine.
+  #
+  # @return [Hash<Symbol,Object>]
+  def execute_string(code, result_var)
+    request = Packet.create_request('python_execute')
+    request.add_tlv(TLV_TYPE_PYTHON_CODE, code)
+    request.add_tlv(TLV_TYPE_PYTHON_CODE_TYPE, PY_CODE_TYPE_STRING)
+    request.add_tlv(TLV_TYPE_PYTHON_RESULT_VAR, result_var) if result_var
+
+    run_exec_request(request)
+  end
+
+private
+
+  def run_exec_request(request)
+    response = client.send_request(request)
+
+    result = {
+      result: response.get_tlv_value(TLV_TYPE_PYTHON_RESULT),
+      stdout: "",
+      stderr: ""
+    }
+
+    response.each(TLV_TYPE_PYTHON_STDOUT) do |o|
+      result[:stdout] << o.value
+    end
+
+    response.each(TLV_TYPE_PYTHON_STDERR) do |e|
+      result[:stderr] << e.value
+    end
+
+    result
+  end
+
+end
+
+end; end; end; end; end
+

data/lib/rex/post/meterpreter/extensions/python/tlv.rb

@@ -0,0 +1,21 @@
+# -*- coding: binary -*-
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Python
+
+TLV_TYPE_PYTHON_STDOUT             = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 1)
+TLV_TYPE_PYTHON_STDERR             = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 2)
+TLV_TYPE_PYTHON_CODE               = TLV_META_TYPE_RAW    | (TLV_EXTENSIONS + 3)
+TLV_TYPE_PYTHON_CODE_LEN           = TLV_META_TYPE_UINT   | (TLV_EXTENSIONS + 4)
+TLV_TYPE_PYTHON_CODE_TYPE          = TLV_META_TYPE_UINT   | (TLV_EXTENSIONS + 5)
+TLV_TYPE_PYTHON_NAME               = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 6)
+TLV_TYPE_PYTHON_RESULT_VAR         = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 7)
+TLV_TYPE_PYTHON_RESULT             = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 8)
+
+end
+end
+end
+end
+end

data/lib/rex/post/meterpreter/extensions/stdapi/fs/dir.rb

@@ -52,16 +52,17 @@ class Dir < Rex::Post::Dir
   #
   # Enumerates all of the files/folders in a given directory.
   #
-  def Dir.entries(name = getwd)
+  def Dir.entries(name = getwd, glob = nil)
     request = Packet.create_request('stdapi_fs_ls')
     files   = []
+    name = name + ::File::SEPARATOR + glob if glob
 
     request.add_tlv(TLV_TYPE_DIRECTORY_PATH, client.unicode_filter_decode(name))
 
     response = client.send_request(request)
 
     response.each(TLV_TYPE_FILE_NAME) { |file_name|
-      files << client.unicode_filter_encode( file_name.value )
+      files << client.unicode_filter_encode(file_name.value)
     }
 
     return files
@@ -79,6 +80,7 @@ class Dir < Rex::Post::Dir
     response = client.send_request(request)
 
     fname = response.get_tlvs(TLV_TYPE_FILE_NAME)
+    fsname = response.get_tlvs(TLV_TYPE_FILE_SHORT_NAME)
     fpath = response.get_tlvs(TLV_TYPE_FILE_PATH)
     sbuf  = response.get_tlvs(TLV_TYPE_STAT_BUF)
 
@@ -96,8 +98,9 @@ class Dir < Rex::Post::Dir
 
       files <<
         {
-          'FileName' => client.unicode_filter_encode( file_name.value ),
-          'FilePath' => client.unicode_filter_encode( fpath[idx].value ),
+          'FileName' => client.unicode_filter_encode(file_name.value),
+          'FilePath' => client.unicode_filter_encode(fpath[idx].value),
+          'FileShortName' => fsname[idx] ? fsname[idx].value : nil,
           'StatBuf'  => st,
         }
     }
@@ -145,7 +148,7 @@ class Dir < Rex::Post::Dir
 
     response = client.send_request(request)
 
-    return client.unicode_filter_encode( response.get_tlv(TLV_TYPE_DIRECTORY_PATH).value )
+    return client.unicode_filter_encode(response.get_tlv(TLV_TYPE_DIRECTORY_PATH).value)
   end
 
   #
@@ -192,11 +195,11 @@ class Dir < Rex::Post::Dir
   # Downloads the contents of a remote directory a
   # local directory, optionally in a recursive fashion.
   #
-  def Dir.download(dst, src, recursive = false, force = true, &stat)
+  def Dir.download(dst, src, recursive = false, force = true, glob = nil, &stat)
 
-    self.entries(src).each { |src_sub|
-      dst_item = dst + ::File::SEPARATOR + client.unicode_filter_encode( src_sub )
-      src_item = src + client.fs.file.separator + client.unicode_filter_encode( src_sub )
+    self.entries(src, glob).each { |src_sub|
+      dst_item = dst + ::File::SEPARATOR + client.unicode_filter_encode(src_sub)
+      src_item = src + client.fs.file.separator + client.unicode_filter_encode(src_sub)
 
       if (src_sub == '.' or src_sub == '..')
         next
@@ -207,8 +210,8 @@ class Dir < Rex::Post::Dir
       if (src_stat.file?)
         stat.call('downloading', src_item, dst_item) if (stat)
         begin
-          client.fs.file.download(dst_item, src_item)
-          stat.call('downloaded', src_item, dst_item) if (stat)
+          result = client.fs.file.download_file(dst_item, src_item)
+          stat.call(result, src_item, dst_item) if (stat)
         rescue ::Rex::Post::Meterpreter::RequestError => e
           if force
             stat.call('failed', src_item, dst_item) if (stat)
@@ -228,7 +231,7 @@ class Dir < Rex::Post::Dir
         end
 
         stat.call('mirroring', src_item, dst_item) if (stat)
-        download(dst_item, src_item, recursive, force, &stat)
+        download(dst_item, src_item, recursive, force, glob, &stat)
         stat.call('mirrored', src_item, dst_item) if (stat)
       end
     }
@@ -240,8 +243,8 @@ class Dir < Rex::Post::Dir
   #
   def Dir.upload(dst, src, recursive = false, &stat)
     ::Dir.entries(src).each { |src_sub|
-      dst_item = dst + client.fs.file.separator + client.unicode_filter_encode( src_sub )
-      src_item = src + ::File::SEPARATOR + client.unicode_filter_encode( src_sub )
+      dst_item = dst + client.fs.file.separator + client.unicode_filter_encode(src_sub)
+      src_item = src + ::File::SEPARATOR + client.unicode_filter_encode(src_sub)
 
       if (src_sub == '.' or src_sub == '..')
         next

data/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb

@@ -91,9 +91,9 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
     if( response.result == 0 )
       response.each( TLV_TYPE_SEARCH_RESULTS ) do | results |
         files << {
-          'path' => client.unicode_filter_encode( results.get_tlv_value( TLV_TYPE_FILE_PATH ).chomp( '\\' ) ),
-          'name' => client.unicode_filter_encode( results.get_tlv_value( TLV_TYPE_FILE_NAME ) ),
-          'size' => results.get_tlv_value( TLV_TYPE_FILE_SIZE )
+          'path' => client.unicode_filter_encode(results.get_tlv_value(TLV_TYPE_FILE_PATH).chomp( '\\' )),
+          'name' => client.unicode_filter_encode(results.get_tlv_value(TLV_TYPE_FILE_NAME)),
+          'size' => results.get_tlv_value(TLV_TYPE_FILE_SIZE)
         }
       end
     end
@@ -138,7 +138,7 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
 
     response = client.send_request(request)
 
-    return client.unicode_filter_encode( response.get_tlv_value(TLV_TYPE_FILE_PATH) )
+    return client.unicode_filter_encode(response.get_tlv_value(TLV_TYPE_FILE_PATH))
   end
 
 
@@ -152,8 +152,10 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
 
     response = client.send_request(request)
 
-    # This is not really a file name, but a raw hash in bytes
-    return response.get_tlv_value(TLV_TYPE_FILE_NAME)
+    # older meterpreter binaries will send FILE_NAME containing the hash
+    hash = response.get_tlv_value(TLV_TYPE_FILE_HASH) ||
+      response.get_tlv_value(TLV_TYPE_FILE_NAME)
+    return hash
   end
 
   #
@@ -166,8 +168,10 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
 
     response = client.send_request(request)
 
-    # This is not really a file name, but a raw hash in bytes
-    return response.get_tlv_value(TLV_TYPE_FILE_NAME)
+    # older meterpreter binaries will send FILE_NAME containing the hash
+    hash = response.get_tlv_value(TLV_TYPE_FILE_HASH) ||
+      response.get_tlv_value(TLV_TYPE_FILE_NAME)
+    return hash
   end
 
   #
@@ -265,6 +269,10 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
     stat.call('uploaded', src_file, dest_file) if (stat)
   end
 
+  def File.is_glob?(name)
+    /\*|\[|\?/ === name
+  end
+
   #
   # Download one or more files from the remote computer to the local
   # directory supplied in destination.
@@ -281,10 +289,8 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
       end
 
       stat.call('downloading', src, dest) if (stat)
-
-      download_file(dest, src)
-
-      stat.call('downloaded', src, dest) if (stat)
+      result = download_file(dest, src)
+      stat.call(result, src, dest) if (stat)
     }
   end
 
@@ -293,6 +299,17 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
   #
   def File.download_file(dest_file, src_file)
     src_fd = client.fs.file.new(src_file, "rb")
+
+    # Check for changes
+    src_stat = client.fs.filestat.new(src_file)
+    if ::File.exists?(dest_file)
+      dst_stat = ::File.stat(dest_file)
+      if src_stat.size == dst_stat.size && src_stat.mtime == dst_stat.mtime
+        return 'skipped'
+      end
+    end
+
+    # Make the destination path if necessary
     dir = ::File.dirname(dest_file)
     ::FileUtils.mkdir_p(dir) if dir and not ::File.directory?(dir)
 
@@ -308,6 +325,10 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
       src_fd.close
       dst_fd.close
     end
+
+    # Clone the times from the remote file
+    ::File.utime(src_stat.atime, src_stat.mtime, dest_file)
+    return 'download'
   end
 
   #

data/lib/rex/post/meterpreter/extensions/stdapi/fs/mount.rb

@@ -0,0 +1,57 @@
+# -*- coding: binary -*-
+
+require 'rex/post/meterpreter/extensions/stdapi/stdapi'
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Stdapi
+module Fs
+
+class Mount
+
+  # Used when matching against windows drive types
+  DRIVE_TYPES = [
+    :unknown,
+    :no_root,
+    :removable,
+    :fixed,
+    :remote,
+    :cdrom,
+    :ramdisk
+  ]
+
+  def initialize(client)
+    self.client = client
+  end
+
+  def show_mount
+    request = Packet.create_request('stdapi_fs_mount_show')
+
+    response = client.send_request(request)
+
+    results = []
+
+    response.each(TLV_TYPE_MOUNT) do |d|
+      results << {
+        name:        d.get_tlv_value(TLV_TYPE_MOUNT_NAME),
+        type:        DRIVE_TYPES[d.get_tlv_value(TLV_TYPE_MOUNT_TYPE)],
+        user_space:  d.get_tlv_value(TLV_TYPE_MOUNT_SPACE_USER),
+        total_space: d.get_tlv_value(TLV_TYPE_MOUNT_SPACE_TOTAL),
+        free_space:  d.get_tlv_value(TLV_TYPE_MOUNT_SPACE_FREE),
+        unc:         d.get_tlv_value(TLV_TYPE_MOUNT_UNCPATH)
+      }
+    end
+
+    results
+  end
+
+protected
+  attr_accessor :client # :nodoc:
+
+end
+
+end; end; end; end; end; end
+
+

data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_kernel32.rb

@@ -2159,13 +2159,13 @@ class Def_kernel32
       ])
 
     dll.add_function( 'InterlockedCompareExchange', 'DWORD',[
-      ["PDWORD","Destination","inout"],
+      ["PDWORD","Destination","in"],
       ["DWORD","ExChange","in"],
       ["DWORD","Comperand","in"],
       ])
 
     dll.add_function( 'InterlockedCompareExchange64', 'LPVOID',[
-      ["PBLOB","Destination","inout"],
+      ["PBLOB","Destination","in"],
       ["PBLOB","ExChange","in"],
       ["PBLOB","Comperand","in"],
       ])
@@ -2175,7 +2175,7 @@ class Def_kernel32
       ])
 
     dll.add_function( 'InterlockedExchange', 'DWORD',[
-      ["PDWORD","Target","inout"],
+      ["PDWORD","Target","in"],
       ["DWORD","Value","in"],
       ])
 

data/lib/rex/post/meterpreter/extensions/stdapi/stdapi.rb

@@ -7,6 +7,7 @@ require 'rex/post/meterpreter/extensions/stdapi/tlv'
 require 'rex/post/meterpreter/extensions/stdapi/fs/dir'
 require 'rex/post/meterpreter/extensions/stdapi/fs/file'
 require 'rex/post/meterpreter/extensions/stdapi/fs/file_stat'
+require 'rex/post/meterpreter/extensions/stdapi/fs/mount'
 require 'rex/post/meterpreter/extensions/stdapi/net/resolve'
 require 'rex/post/meterpreter/extensions/stdapi/net/config'
 require 'rex/post/meterpreter/extensions/stdapi/net/socket'
@@ -50,7 +51,8 @@ class Stdapi < Extension
             {
               'dir'      => self.dir,
               'file'     => self.file,
-              'filestat' => self.filestat
+              'filestat' => self.filestat,
+              'mount'    => Fs::Mount.new(client)
             })
         },
         {

data/lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb

@@ -94,6 +94,8 @@ class Config
       'OS'              => response.get_tlv_value(TLV_TYPE_OS_NAME),
       'Architecture'    => response.get_tlv_value(TLV_TYPE_ARCHITECTURE),
       'System Language' => response.get_tlv_value(TLV_TYPE_LANG_SYSTEM),
+      'Domain'          => response.get_tlv_value(TLV_TYPE_DOMAIN),
+      'Logged On Users' => response.get_tlv_value(TLV_TYPE_LOGGED_ON_USER_COUNT)
     }
   end