Finish the elevate bindings for powershell

c/meterpreter/source/extensions/powershell/powershell_runner.h

@@ -6,7 +6,7 @@
 #ifndef _METERPRETER_SOURCE_EXTENSION_POWERSHELL_RUNNER_H
 #define _METERPRETER_SOURCE_EXTENSION_POWERSHELL_RUNNER_H
 
-#define PSHRUNNER_DLL_LEN 18944
+#define PSHRUNNER_DLL_LEN 20992
 
 extern unsigned char PowerShellRunnerDll[PSHRUNNER_DLL_LEN];
 

powershell/MSF.Powershell/Meterpreter/Elevate.cs

@@ -15,10 +15,70 @@ namespace MSF.Powershell.Meterpreter
             tlv.Pack(TlvType.ElevateServiceName, "abcd1234");
 
             var result = Core.InvokeMeterpreterBinding(true, tlv.ToRequest("priv_elevate_getsystem"));
-            System.Diagnostics.Debug.Write(string.Format("[PSH BINDING] Invoked binding call GetSystem, response was {0}null", result == null ? "" : "not "));
-            System.Diagnostics.Debug.Write(string.Format("[PSH BINDING] Invoked binding call GetSystem, response: {0} bytes", result.Length));
 
-            return true;
+            if (result != null)
+            {
+                var responseTlv = Tlv.FromResponse(result);
+                return responseTlv[TlvType.Result].Count > 0 &&
+                    (int)responseTlv[TlvType.Result][0] == 0;
+            }
+
+            return false;
+        }
+
+        public static bool Rev2Self()
+        {
+            System.Diagnostics.Debug.Write("[PSH BINDING] Invoking binding call Rev2Self");
+
+            Tlv tlv = new Tlv();
+
+            var result = Core.InvokeMeterpreterBinding(true, tlv.ToRequest("stdapi_sys_config_rev2self"));
+
+            if (result != null)
+            {
+                var responseTlv = Tlv.FromResponse(result);
+                return responseTlv[TlvType.Result].Count > 0 &&
+                    (int)responseTlv[TlvType.Result][0] == 0;
+            }
+
+            return false;
+        }
+
+        public static bool StealToken(int pid)
+        {
+            System.Diagnostics.Debug.Write(string.Format("[PSH BINDING] Invoking binding call StealToken({0})", pid));
+
+            Tlv tlv = new Tlv();
+            tlv.Pack(TlvType.Pid, pid);
+
+            var result = Core.InvokeMeterpreterBinding(true, tlv.ToRequest("stdapi_sys_config_steal_token"));
+
+            if (result != null)
+            {
+                var responseTlv = Tlv.FromResponse(result);
+                return responseTlv[TlvType.Result].Count > 0 &&
+                    (int)responseTlv[TlvType.Result][0] == 0;
+            }
+
+            return false;
+        }
+
+        public static bool DropToken()
+        {
+            System.Diagnostics.Debug.Write("[PSH BINDING] Invoking binding call DropToken");
+
+            Tlv tlv = new Tlv();
+
+            var result = Core.InvokeMeterpreterBinding(true, tlv.ToRequest("stdapi_sys_config_drop_token"));
+
+            if (result != null)
+            {
+                var responseTlv = Tlv.FromResponse(result);
+                return responseTlv[TlvType.Result].Count > 0 &&
+                    (int)responseTlv[TlvType.Result][0] == 0;
+            }
+
+            return false;
         }
     }
 }

powershell/MSF.Powershell/Meterpreter/Enumerations.cs

@@ -22,7 +22,9 @@ namespace MSF.Powershell.Meterpreter
         Compressed = 1 << 21,
 
         Group = 1 << 30,
-        Complex = 1 << 31
+        Complex = 1 << 31,
+
+        All = String | Uint | Raw | Bool | Qword | Compressed | Group | Complex
     };
 
     public enum ExtensionBase

powershell/MSF.Powershell/Meterpreter/Tlv.cs

@@ -1,4 +1,5 @@
 using System;
+using System.Collections.Generic;
 using System.IO;
 using System.Net;
 using System.Text;
@@ -43,6 +44,66 @@ namespace MSF.Powershell.Meterpreter
             }
         }
 
+        public static Dictionary<TlvType, List<object>> FromResponse(byte[] response, int length = 0)
+        {
+            var dict = new Dictionary<TlvType, List<object>>();
+
+            var offset = 0;
+
+            if (length == 0)
+            {
+                length = response.Length;
+            }
+
+            while (offset < length)
+            {
+                var size = BytesToInt(response, offset);
+                var tlvType = BytesToTlvType(response, offset + 4);
+                System.Diagnostics.Debug.Write(string.Format("Type {0} found that's {1} bytes", tlvType, size));
+
+                if (!dict.ContainsKey(tlvType))
+                {
+                    dict.Add(tlvType, new List<object>());
+                }
+
+                switch (TlvTypeToMetaType(tlvType))
+                {
+                    case MetaType.String:
+                        {
+                            var value = BytesToString(response, size - 8, offset + 8);
+                            System.Diagnostics.Debug.Write(string.Format("Type {0} value is: {1}", tlvType, value));
+                            dict[tlvType].Add(value);
+                            break;
+                        }
+                    case MetaType.Uint:
+                        {
+                            var value = BytesToInt(response, offset + 8);
+                            System.Diagnostics.Debug.Write(string.Format("Type {0} value is: {1}", tlvType, value));
+                            dict[tlvType].Add(value);
+                            break;
+                        }
+                    case MetaType.Qword:
+                        {
+                            var value = BytesToQword(response, offset + 8);
+                            System.Diagnostics.Debug.Write(string.Format("Type {0} value is: {1}", tlvType, value));
+                            dict[tlvType].Add(value);
+                            break;
+                        }
+                    case MetaType.Bool:
+                        {
+                            var value = BytesToBool(response, offset + 8);
+                            System.Diagnostics.Debug.Write(string.Format("Type {0} value is: {1}", tlvType, value));
+                            dict[tlvType].Add(value);
+                            break;
+                        }
+                }
+
+                offset += size;
+            }
+
+            return dict;
+        }
+
         public byte[] Bytes
         {
             get
@@ -138,6 +199,37 @@ namespace MSF.Powershell.Meterpreter
             }
         }
 
+        private static PacketType BytesToPacketType(byte[] bytes, int offset = 0)
+        {
+            return (PacketType)BytesToInt(bytes, offset);
+        }
+
+        private static TlvType BytesToTlvType(byte[] bytes, int offset = 0)
+        {
+            return (TlvType)BytesToInt(bytes, offset);
+        }
+
+        private static bool BytesToBool(byte[] bytes, int offset = 0)
+        {
+            return bytes[offset] == 1;
+        }
+
+        private static int BytesToInt(byte[] bytes, int offset = 0)
+        {
+            return IPAddress.NetworkToHostOrder(BitConverter.ToInt32(bytes, offset));
+        }
+
+        private static Int64 BytesToQword(byte[] bytes, int offset = 0)
+        {
+            return IPAddress.NetworkToHostOrder(BitConverter.ToInt64(bytes, offset));
+        }
+
+        private static string BytesToString(byte[] bytes, int length, int offset = 0)
+        {
+            // discard the trailing null byte
+            return Encoding.UTF8.GetString(bytes, offset, length - 1);
+        }
+
         private static byte[] ToBytes(Int64 i)
         {
             return BitConverter.GetBytes(IPAddress.HostToNetworkOrder(i));
@@ -157,5 +249,10 @@ namespace MSF.Powershell.Meterpreter
         {
             return Encoding.UTF8.GetBytes(s + "\x00");
         }
+
+        private static MetaType TlvTypeToMetaType(TlvType tlvType)
+        {
+            return (MetaType)((int)MetaType.All & (int)tlvType);
+        }
     }
 }