
Land #22 : Add initial windows 10 matching to sysinfo

This commit is contained in:
OJ 2015-09-01 07:48:23 +10:00
commit ee0527f364
No known key found for this signature in database
GPG Key ID: D5DC61FB93260597


@ -325,18 +325,18 @@ DWORD request_sys_config_getprivs(Remote *remote, Packet *packet)
do do
{ {
if( !OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token )) { if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token)) {
res = GetLastError(); res = GetLastError();
break; break;
} }
for( x = 0; privs[x]; ++x ) for (x = 0; privs[x]; ++x)
{ {
memset(&priv, 0, sizeof(priv)); memset(&priv, 0, sizeof(priv));
LookupPrivilegeValue(NULL, privs[x], &priv.Privileges[0].Luid ); LookupPrivilegeValue(NULL, privs[x], &priv.Privileges[0].Luid);
priv.PrivilegeCount = 1; priv.PrivilegeCount = 1;
priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if(AdjustTokenPrivileges(token, FALSE, &priv, 0, 0, 0 )) { if(AdjustTokenPrivileges(token, FALSE, &priv, 0, 0, 0)) {
if(GetLastError() == ERROR_SUCCESS) { if(GetLastError() == ERROR_SUCCESS) {
packet_add_tlv_string(response, TLV_TYPE_PRIVILEGE, privs[x]); packet_add_tlv_string(response, TLV_TYPE_PRIVILEGE, privs[x]);
} }
@ -530,30 +530,40 @@ DWORD request_sys_config_sysinfo(Remote *remote, Packet *packet)
osName = "Windows 2012 R2"; osName = "Windows 2012 R2";
} }
} }
else if (v.dwMajorVersion == 10)
{
if (v.dwMinorVersion == 0)
{
if (v.wProductType == VER_NT_WORKSTATION)
osName = "Windows 10";
else
osName = "Windows Server Technical Preview";
}
}
if (!osName) if (!osName)
osName = "Unknown"; osName = "Unknown";
if( strlen( v.szCSDVersion ) > 0 ) if (strlen(v.szCSDVersion) > 0)
_snprintf(buf, sizeof(buf) - 1, "%s (Build %lu, %s).", osName, v.dwBuildNumber, v.szCSDVersion ); _snprintf(buf, sizeof(buf) - 1, "%s (Build %lu, %s).", osName, v.dwBuildNumber, v.szCSDVersion);
else else
_snprintf(buf, sizeof(buf) - 1, "%s (Build %lu).", osName, v.dwBuildNumber ); _snprintf(buf, sizeof(buf) - 1, "%s (Build %lu).", osName, v.dwBuildNumber);
packet_add_tlv_string(response, TLV_TYPE_OS_NAME, buf); packet_add_tlv_string(response, TLV_TYPE_OS_NAME, buf);
// sf: we dynamically retrieve GetNativeSystemInfo & IsWow64Process as NT and 2000 dont support it. // sf: we dynamically retrieve GetNativeSystemInfo & IsWow64Process as NT and 2000 dont support it.
hKernel32 = LoadLibraryA( "kernel32.dll" ); hKernel32 = LoadLibraryA("kernel32.dll");
if( hKernel32 ) if (hKernel32)
{ {
typedef void (WINAPI * GETNATIVESYSTEMINFO)( LPSYSTEM_INFO lpSystemInfo ); typedef void (WINAPI * GETNATIVESYSTEMINFO)(LPSYSTEM_INFO lpSystemInfo);
typedef BOOL (WINAPI * ISWOW64PROCESS)( HANDLE, PBOOL ); typedef BOOL (WINAPI * ISWOW64PROCESS)(HANDLE, PBOOL);
GETNATIVESYSTEMINFO pGetNativeSystemInfo = (GETNATIVESYSTEMINFO)GetProcAddress( hKernel32, "GetNativeSystemInfo" ); GETNATIVESYSTEMINFO pGetNativeSystemInfo = (GETNATIVESYSTEMINFO)GetProcAddress(hKernel32, "GetNativeSystemInfo");
ISWOW64PROCESS pIsWow64Process = (ISWOW64PROCESS)GetProcAddress( hKernel32, "IsWow64Process" ); ISWOW64PROCESS pIsWow64Process = (ISWOW64PROCESS)GetProcAddress(hKernel32, "IsWow64Process");
if( pGetNativeSystemInfo ) if (pGetNativeSystemInfo)
{ {
SYSTEM_INFO SystemInfo; SYSTEM_INFO SystemInfo;
pGetNativeSystemInfo( &SystemInfo ); pGetNativeSystemInfo(&SystemInfo);
switch( SystemInfo.wProcessorArchitecture ) switch(SystemInfo.wProcessorArchitecture)
{ {
case PROCESSOR_ARCHITECTURE_AMD64: case PROCESSOR_ARCHITECTURE_AMD64:
osArch = "x64"; osArch = "x64";
@ -568,60 +578,60 @@ DWORD request_sys_config_sysinfo(Remote *remote, Packet *packet)
break; break;
} }
} }
if( pIsWow64Process ) if (pIsWow64Process)
{ {
BOOL bIsWow64 = FALSE; BOOL bIsWow64 = FALSE;
pIsWow64Process( GetCurrentProcess(), &bIsWow64 ); pIsWow64Process(GetCurrentProcess(), &bIsWow64);
if( bIsWow64 ) if (bIsWow64)
osWow = " (Current Process is WOW64)"; osWow = " (Current Process is WOW64)";
} }
} }
// if we havnt set the arch it is probably because we are on NT/2000 which is x86 // if we havnt set the arch it is probably because we are on NT/2000 which is x86
if( !osArch ) if (!osArch)
osArch = "x86"; osArch = "x86";
if( !osWow ) if (!osWow)
osWow = ""; osWow = "";
_snprintf( buf, sizeof(buf) - 1, "%s%s", osArch, osWow ); _snprintf(buf, sizeof(buf) - 1, "%s%s", osArch, osWow);
packet_add_tlv_string(response, TLV_TYPE_ARCHITECTURE, buf); packet_add_tlv_string(response, TLV_TYPE_ARCHITECTURE, buf);
if( hKernel32 ) if (hKernel32)
{ {
char * ctryname = NULL, * langname = NULL; char * ctryname = NULL, * langname = NULL;
typedef LANGID (WINAPI * GETSYSTEMDEFAULTLANGID)( VOID ); typedef LANGID (WINAPI * GETSYSTEMDEFAULTLANGID)(VOID);
GETSYSTEMDEFAULTLANGID pGetSystemDefaultLangID = (GETSYSTEMDEFAULTLANGID)GetProcAddress( hKernel32, "GetSystemDefaultLangID" ); GETSYSTEMDEFAULTLANGID pGetSystemDefaultLangID = (GETSYSTEMDEFAULTLANGID)GetProcAddress(hKernel32, "GetSystemDefaultLangID");
if( pGetSystemDefaultLangID ) if (pGetSystemDefaultLangID)
{ {
LANGID langId = pGetSystemDefaultLangID(); LANGID langId = pGetSystemDefaultLangID();
int len = GetLocaleInfo( langId, LOCALE_SISO3166CTRYNAME, 0, 0 ); int len = GetLocaleInfo(langId, LOCALE_SISO3166CTRYNAME, 0, 0);
if( len > 0 ) if (len > 0)
{ {
ctryname = (char *)malloc( len ); ctryname = (char *)malloc(len);
GetLocaleInfo( langId, LOCALE_SISO3166CTRYNAME, ctryname, len ); GetLocaleInfo(langId, LOCALE_SISO3166CTRYNAME, ctryname, len);
} }
len = GetLocaleInfo( langId, LOCALE_SISO639LANGNAME, 0, 0 ); len = GetLocaleInfo(langId, LOCALE_SISO639LANGNAME, 0, 0);
if( len > 0 ) if (len > 0)
{ {
langname = (char *)malloc( len ); langname = (char *)malloc(len);
GetLocaleInfo( langId, LOCALE_SISO639LANGNAME, langname, len ); GetLocaleInfo(langId, LOCALE_SISO639LANGNAME, langname, len);
} }
} }
if( !ctryname || !langname ) if (!ctryname || !langname)
_snprintf( buf, sizeof(buf) - 1, "Unknown"); _snprintf(buf, sizeof(buf) - 1, "Unknown");
else else
_snprintf( buf, sizeof(buf) - 1, "%s_%s", langname, ctryname ); _snprintf(buf, sizeof(buf) - 1, "%s_%s", langname, ctryname);
packet_add_tlv_string( response, TLV_TYPE_LANG_SYSTEM, buf ); packet_add_tlv_string(response, TLV_TYPE_LANG_SYSTEM, buf);
if( ctryname ) if (ctryname)
free( ctryname ); free(ctryname);
if( langname ) if (langname)
free( langname ); free(langname);
} }
LPWKSTA_INFO_102 localSysinfo = NULL; LPWKSTA_INFO_102 localSysinfo = NULL;
@ -642,7 +652,7 @@ DWORD request_sys_config_sysinfo(Remote *remote, Packet *packet)
do { do {
struct utsname utsbuf; struct utsname utsbuf;
if( uname( &utsbuf ) == -1) { if (uname(&utsbuf) == -1) {
res = GetLastError(); res = GetLastError();
break; break;
} }
@ -678,24 +688,24 @@ DWORD request_sys_config_rev2self(Remote *remote, Packet *packet)
do do
{ {
response = packet_create_response( packet ); response = packet_create_response(packet);
if( !response ) if (!response)
{ {
dwResult = ERROR_INVALID_HANDLE; dwResult = ERROR_INVALID_HANDLE;
break; break;
} }
core_update_thread_token( remote, NULL ); core_update_thread_token(remote, NULL);
core_update_desktop( remote, -1, NULL, NULL ); core_update_desktop(remote, -1, NULL, NULL);
if( !RevertToSelf() ) if (!RevertToSelf())
dwResult = GetLastError(); dwResult = GetLastError();
} while( 0 ); } while(0);
if( response ) if (response)
packet_transmit_response( dwResult, remote, response ); packet_transmit_response(dwResult, remote, response);
#else #else
DWORD dwResult = ERROR_NOT_SUPPORTED; DWORD dwResult = ERROR_NOT_SUPPORTED;