
Finish the elevate bindings for powershell

This commit is contained in:
OJ 2016-03-23 14:40:41 +10:00
parent 7ba39c982a
commit 41ac07dbe0
5 changed files with 1715 additions and 1385 deletions


@ -6,7 +6,7 @@
#ifndef _METERPRETER_SOURCE_EXTENSION_POWERSHELL_RUNNER_H
#define _METERPRETER_SOURCE_EXTENSION_POWERSHELL_RUNNER_H
#define PSHRUNNER_DLL_LEN 18944
#define PSHRUNNER_DLL_LEN 20992
extern unsigned char PowerShellRunnerDll[PSHRUNNER_DLL_LEN];


@ -15,10 +15,70 @@ namespace MSF.Powershell.Meterpreter
tlv.Pack(TlvType.ElevateServiceName, "abcd1234");
var result = Core.InvokeMeterpreterBinding(true, tlv.ToRequest("priv_elevate_getsystem"));
System.Diagnostics.Debug.Write(string.Format("[PSH BINDING] Invoked binding call GetSystem, response was {0}null", result == null ? "" : "not "));
System.Diagnostics.Debug.Write(string.Format("[PSH BINDING] Invoked binding call GetSystem, response: {0} bytes", result.Length));
return true;
if (result != null)
{
var responseTlv = Tlv.FromResponse(result);
return responseTlv[TlvType.Result].Count > 0 &&
(int)responseTlv[TlvType.Result][0] == 0;
}
return false;
}
public static bool Rev2Self()
{
System.Diagnostics.Debug.Write("[PSH BINDING] Invoking binding call Rev2Self");
Tlv tlv = new Tlv();
var result = Core.InvokeMeterpreterBinding(true, tlv.ToRequest("stdapi_sys_config_rev2self"));
if (result != null)
{
var responseTlv = Tlv.FromResponse(result);
return responseTlv[TlvType.Result].Count > 0 &&
(int)responseTlv[TlvType.Result][0] == 0;
}
return false;
}
public static bool StealToken(int pid)
{
System.Diagnostics.Debug.Write(string.Format("[PSH BINDING] Invoking binding call StealToken({0})", pid));
Tlv tlv = new Tlv();
tlv.Pack(TlvType.Pid, pid);
var result = Core.InvokeMeterpreterBinding(true, tlv.ToRequest("stdapi_sys_config_steal_token"));
if (result != null)
{
var responseTlv = Tlv.FromResponse(result);
return responseTlv[TlvType.Result].Count > 0 &&
(int)responseTlv[TlvType.Result][0] == 0;
}
return false;
}
public static bool DropToken()
{
System.Diagnostics.Debug.Write("[PSH BINDING] Invoking binding call DropToken");
Tlv tlv = new Tlv();
var result = Core.InvokeMeterpreterBinding(true, tlv.ToRequest("stdapi_sys_config_drop_token"));
if (result != null)
{
var responseTlv = Tlv.FromResponse(result);
return responseTlv[TlvType.Result].Count > 0 &&
(int)responseTlv[TlvType.Result][0] == 0;
}
return false;
}
}
}
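Review bot: `result.Length` on the new Debug.Write line at the top of the hunk is evaluated before the `if (result != null)` check that follows it, so a null return from `Core.InvokeMeterpreterBinding` now throws NullReferenceException instead of reaching `return false;`; GetSystem's signature is above the hunk. Guard the log line, e.g. `System.Diagnostics.Debug.Write(string.Format("[PSH BINDING] Invoked binding call GetSystem, response: {0} bytes", result == null ? 0 : result.Length));`. The same result-to-bool block is then repeated verbatim in Rev2Self, StealToken and DropToken, and every copy indexes `responseTlv[TlvType.Result]` directly, which throws KeyNotFoundException whenever the response carries no Result TLV. One private helper that treats a null response and a missing or empty Result TLV as failure removes both the duplication and the throw, leaving each method to end with `return IsSuccess(result);`.
```csharp
// Shared by GetSystem, Rev2Self, StealToken and DropToken: a null response or a
// missing/empty Result TLV is reported as failure rather than thrown.
private static bool IsSuccess(byte[] result)
{
    if (result == null)
    {
        return false;
    }
    var responseTlv = Tlv.FromResponse(result);
    if (!responseTlv.ContainsKey(TlvType.Result) || responseTlv[TlvType.Result].Count == 0)
    {
        return false;
    }
    return (int)responseTlv[TlvType.Result][0] == 0;
}
// … unchanged: Debug.Write / Tlv.Pack / InvokeMeterpreterBinding calls in each method, then …
return IsSuccess(result);
```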


@ -22,7 +22,9 @@ namespace MSF.Powershell.Meterpreter
Compressed = 1 << 21,
Group = 1 << 30,
Complex = 1 << 31
Complex = 1 << 31,
All = String | Uint | Raw | Bool | Qword | Compressed | Group | Complex
};
public enum ExtensionBase
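Review bot: The new `All` member carries no comment saying what it is for, yet `Tlv.TlvTypeToMetaType` depends on it as the mask that strips the type-specific bits from a `TlvType`; the enum's declaration starts above the hunk. Add on that line `// Mask of every meta-type flag; Tlv.TlvTypeToMetaType ANDs a TlvType with this to recover its MetaType`. If the enum is int-backed, `Complex = 1 << 31` makes this mask negative, which is harmless for the bitwise AND but worth stating so nobody later changes the underlying type without re-checking the casts in TlvTypeToMetaType.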


@ -1,4 +1,5 @@
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Text;
@ -43,6 +44,66 @@ namespace MSF.Powershell.Meterpreter
}
}
public static Dictionary<TlvType, List<object>> FromResponse(byte[] response, int length = 0)
{
var dict = new Dictionary<TlvType, List<object>>();
var offset = 0;
if (length == 0)
{
length = response.Length;
}
while (offset < length)
{
var size = BytesToInt(response, offset);
var tlvType = BytesToTlvType(response, offset + 4);
System.Diagnostics.Debug.Write(string.Format("Type {0} found that's {1} bytes", tlvType, size));
if (!dict.ContainsKey(tlvType))
{
dict.Add(tlvType, new List<object>());
}
switch (TlvTypeToMetaType(tlvType))
{
case MetaType.String:
{
var value = BytesToString(response, size - 8, offset + 8);
System.Diagnostics.Debug.Write(string.Format("Type {0} value is: {1}", tlvType, value));
dict[tlvType].Add(value);
break;
}
case MetaType.Uint:
{
var value = BytesToInt(response, offset + 8);
System.Diagnostics.Debug.Write(string.Format("Type {0} value is: {1}", tlvType, value));
dict[tlvType].Add(value);
break;
}
case MetaType.Qword:
{
var value = BytesToQword(response, offset + 8);
System.Diagnostics.Debug.Write(string.Format("Type {0} value is: {1}", tlvType, value));
dict[tlvType].Add(value);
break;
}
case MetaType.Bool:
{
var value = BytesToBool(response, offset + 8);
System.Diagnostics.Debug.Write(string.Format("Type {0} value is: {1}", tlvType, value));
dict[tlvType].Add(value);
break;
}
}
offset += size;
}
return dict;
}
public byte[] Bytes
{
get
@ -138,6 +199,37 @@ namespace MSF.Powershell.Meterpreter
}
}
private static PacketType BytesToPacketType(byte[] bytes, int offset = 0)
{
return (PacketType)BytesToInt(bytes, offset);
}
private static TlvType BytesToTlvType(byte[] bytes, int offset = 0)
{
return (TlvType)BytesToInt(bytes, offset);
}
private static bool BytesToBool(byte[] bytes, int offset = 0)
{
return bytes[offset] == 1;
}
private static int BytesToInt(byte[] bytes, int offset = 0)
{
return IPAddress.NetworkToHostOrder(BitConverter.ToInt32(bytes, offset));
}
private static Int64 BytesToQword(byte[] bytes, int offset = 0)
{
return IPAddress.NetworkToHostOrder(BitConverter.ToInt64(bytes, offset));
}
private static string BytesToString(byte[] bytes, int length, int offset = 0)
{
// discard the trailing null byte
return Encoding.UTF8.GetString(bytes, offset, length - 1);
}
private static byte[] ToBytes(Int64 i)
{
return BitConverter.GetBytes(IPAddress.HostToNetworkOrder(i));
@ -157,5 +249,10 @@ namespace MSF.Powershell.Meterpreter
{
return Encoding.UTF8.GetBytes(s + "\x00");
}
private static MetaType TlvTypeToMetaType(TlvType tlvType)
{
return (MetaType)((int)MetaType.All & (int)tlvType);
}
}
}
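Review bot: The new `FromResponse` reads `size` from the response and advances `offset += size` without validating it, so a zero or negative size loops forever, a size below 8 hands a negative length to `BytesToString`, and a size larger than the bytes remaining makes `BitConverter` throw IndexOutOfRangeException midway through parsing. Insert after the size/type read `if (size < 8 || size > length - offset) { throw new InvalidDataException("malformed TLV"); }` (System.IO is already imported at the top of the file). The `length` parameter is likewise taken on trust; a guard `if (length > response.Length) { throw new ArgumentOutOfRangeException("length"); }` before the loop keeps an over-long caller value from reading past the buffer. The `MetaType.String` case should additionally require `size > 8`, because `BytesToString` subtracts one more byte for the terminator and a bare 8-byte string TLV would otherwise pass a length of -1.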