mirror of
https://github.com/rapid7/metasploit-payloads
synced 2025-03-06 09:13:02 +01:00
Land #22 : Add initial windows 10 matching to sysinfo
This commit is contained in:
OJ
commit
ee0527f364
@ -200,7 +200,7 @@ DWORD populate_uid(Packet* pResponse)
|
|||||||
{
|
{
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!LookupAccountSidA(NULL, ((TOKEN_USER*)tokenUserInfo)->User.Sid, cbUserOnly, &dwUserSize, cbDomainOnly, &dwDomainSize, (PSID_NAME_USE)&dwSidType))
|
if (!LookupAccountSidA(NULL, ((TOKEN_USER*)tokenUserInfo)->User.Sid, cbUserOnly, &dwUserSize, cbDomainOnly, &dwDomainSize, (PSID_NAME_USE)&dwSidType))
|
||||||
{
|
{
|
||||||
BREAK_ON_ERROR("[GETUID] Failed to lookup the account SID data");
|
BREAK_ON_ERROR("[GETUID] Failed to lookup the account SID data");
|
||||||
@ -317,33 +317,33 @@ DWORD request_sys_config_getprivs(Remote *remote, Packet *packet)
|
|||||||
SE_CHANGE_NOTIFY_NAME,
|
SE_CHANGE_NOTIFY_NAME,
|
||||||
SE_REMOTE_SHUTDOWN_NAME,
|
SE_REMOTE_SHUTDOWN_NAME,
|
||||||
SE_UNDOCK_NAME,
|
SE_UNDOCK_NAME,
|
||||||
SE_SYNC_AGENT_NAME,
|
SE_SYNC_AGENT_NAME,
|
||||||
SE_ENABLE_DELEGATION_NAME,
|
SE_ENABLE_DELEGATION_NAME,
|
||||||
SE_MANAGE_VOLUME_NAME,
|
SE_MANAGE_VOLUME_NAME,
|
||||||
0
|
0
|
||||||
};
|
};
|
||||||
|
|
||||||
do
|
do
|
||||||
{
|
{
|
||||||
if( !OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token )) {
|
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token)) {
|
||||||
res = GetLastError();
|
res = GetLastError();
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
for( x = 0; privs[x]; ++x )
|
for (x = 0; privs[x]; ++x)
|
||||||
{
|
{
|
||||||
memset(&priv, 0, sizeof(priv));
|
memset(&priv, 0, sizeof(priv));
|
||||||
LookupPrivilegeValue(NULL, privs[x], &priv.Privileges[0].Luid );
|
LookupPrivilegeValue(NULL, privs[x], &priv.Privileges[0].Luid);
|
||||||
priv.PrivilegeCount = 1;
|
priv.PrivilegeCount = 1;
|
||||||
priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
|
priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
|
||||||
if(AdjustTokenPrivileges(token, FALSE, &priv, 0, 0, 0 )) {
|
if(AdjustTokenPrivileges(token, FALSE, &priv, 0, 0, 0)) {
|
||||||
if(GetLastError() == ERROR_SUCCESS) {
|
if(GetLastError() == ERROR_SUCCESS) {
|
||||||
packet_add_tlv_string(response, TLV_TYPE_PRIVILEGE, privs[x]);
|
packet_add_tlv_string(response, TLV_TYPE_PRIVILEGE, privs[x]);
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
dprintf("[getprivs] Failed to set privilege %s (%u)", privs[x], GetLastError());
|
dprintf("[getprivs] Failed to set privilege %s (%u)", privs[x], GetLastError());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} while (0);
|
} while (0);
|
||||||
|
|
||||||
if(token)
|
if(token)
|
||||||
@ -505,55 +505,65 @@ DWORD request_sys_config_sysinfo(Remote *remote, Packet *packet)
|
|||||||
{
|
{
|
||||||
if (v.wProductType == VER_NT_WORKSTATION)
|
if (v.wProductType == VER_NT_WORKSTATION)
|
||||||
osName = "Windows Vista";
|
osName = "Windows Vista";
|
||||||
else
|
else
|
||||||
osName = "Windows 2008";
|
osName = "Windows 2008";
|
||||||
}
|
}
|
||||||
else if (v.dwMinorVersion == 1)
|
else if (v.dwMinorVersion == 1)
|
||||||
{
|
{
|
||||||
if (v.wProductType == VER_NT_WORKSTATION)
|
if (v.wProductType == VER_NT_WORKSTATION)
|
||||||
osName = "Windows 7";
|
osName = "Windows 7";
|
||||||
else
|
else
|
||||||
osName = "Windows 2008 R2";
|
osName = "Windows 2008 R2";
|
||||||
}
|
}
|
||||||
else if (v.dwMinorVersion == 2)
|
else if (v.dwMinorVersion == 2)
|
||||||
{
|
{
|
||||||
if (v.wProductType == VER_NT_WORKSTATION)
|
if (v.wProductType == VER_NT_WORKSTATION)
|
||||||
osName = "Windows 8";
|
osName = "Windows 8";
|
||||||
else
|
else
|
||||||
osName = "Windows 2012";
|
osName = "Windows 2012";
|
||||||
}
|
}
|
||||||
else if (v.dwMinorVersion == 3)
|
else if (v.dwMinorVersion == 3)
|
||||||
{
|
{
|
||||||
if (v.wProductType == VER_NT_WORKSTATION)
|
if (v.wProductType == VER_NT_WORKSTATION)
|
||||||
osName = "Windows 8.1";
|
osName = "Windows 8.1";
|
||||||
else
|
else
|
||||||
osName = "Windows 2012 R2";
|
osName = "Windows 2012 R2";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
else if (v.dwMajorVersion == 10)
|
||||||
|
{
|
||||||
|
if (v.dwMinorVersion == 0)
|
||||||
|
{
|
||||||
|
if (v.wProductType == VER_NT_WORKSTATION)
|
||||||
|
osName = "Windows 10";
|
||||||
|
else
|
||||||
|
osName = "Windows Server Technical Preview";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (!osName)
|
if (!osName)
|
||||||
osName = "Unknown";
|
osName = "Unknown";
|
||||||
|
|
||||||
if( strlen( v.szCSDVersion ) > 0 )
|
if (strlen(v.szCSDVersion) > 0)
|
||||||
_snprintf(buf, sizeof(buf) - 1, "%s (Build %lu, %s).", osName, v.dwBuildNumber, v.szCSDVersion );
|
_snprintf(buf, sizeof(buf) - 1, "%s (Build %lu, %s).", osName, v.dwBuildNumber, v.szCSDVersion);
|
||||||
else
|
else
|
||||||
_snprintf(buf, sizeof(buf) - 1, "%s (Build %lu).", osName, v.dwBuildNumber );
|
_snprintf(buf, sizeof(buf) - 1, "%s (Build %lu).", osName, v.dwBuildNumber);
|
||||||
|
|
||||||
packet_add_tlv_string(response, TLV_TYPE_OS_NAME, buf);
|
packet_add_tlv_string(response, TLV_TYPE_OS_NAME, buf);
|
||||||
|
|
||||||
// sf: we dynamically retrieve GetNativeSystemInfo & IsWow64Process as NT and 2000 dont support it.
|
// sf: we dynamically retrieve GetNativeSystemInfo & IsWow64Process as NT and 2000 dont support it.
|
||||||
hKernel32 = LoadLibraryA( "kernel32.dll" );
|
hKernel32 = LoadLibraryA("kernel32.dll");
|
||||||
if( hKernel32 )
|
if (hKernel32)
|
||||||
{
|
{
|
||||||
typedef void (WINAPI * GETNATIVESYSTEMINFO)( LPSYSTEM_INFO lpSystemInfo );
|
typedef void (WINAPI * GETNATIVESYSTEMINFO)(LPSYSTEM_INFO lpSystemInfo);
|
||||||
typedef BOOL (WINAPI * ISWOW64PROCESS)( HANDLE, PBOOL );
|
typedef BOOL (WINAPI * ISWOW64PROCESS)(HANDLE, PBOOL);
|
||||||
GETNATIVESYSTEMINFO pGetNativeSystemInfo = (GETNATIVESYSTEMINFO)GetProcAddress( hKernel32, "GetNativeSystemInfo" );
|
GETNATIVESYSTEMINFO pGetNativeSystemInfo = (GETNATIVESYSTEMINFO)GetProcAddress(hKernel32, "GetNativeSystemInfo");
|
||||||
ISWOW64PROCESS pIsWow64Process = (ISWOW64PROCESS)GetProcAddress( hKernel32, "IsWow64Process" );
|
ISWOW64PROCESS pIsWow64Process = (ISWOW64PROCESS)GetProcAddress(hKernel32, "IsWow64Process");
|
||||||
if( pGetNativeSystemInfo )
|
if (pGetNativeSystemInfo)
|
||||||
{
|
{
|
||||||
SYSTEM_INFO SystemInfo;
|
SYSTEM_INFO SystemInfo;
|
||||||
pGetNativeSystemInfo( &SystemInfo );
|
pGetNativeSystemInfo(&SystemInfo);
|
||||||
switch( SystemInfo.wProcessorArchitecture )
|
switch(SystemInfo.wProcessorArchitecture)
|
||||||
{
|
{
|
||||||
case PROCESSOR_ARCHITECTURE_AMD64:
|
case PROCESSOR_ARCHITECTURE_AMD64:
|
||||||
osArch = "x64";
|
osArch = "x64";
|
||||||
@ -568,60 +578,60 @@ DWORD request_sys_config_sysinfo(Remote *remote, Packet *packet)
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if( pIsWow64Process )
|
if (pIsWow64Process)
|
||||||
{
|
{
|
||||||
BOOL bIsWow64 = FALSE;
|
BOOL bIsWow64 = FALSE;
|
||||||
pIsWow64Process( GetCurrentProcess(), &bIsWow64 );
|
pIsWow64Process(GetCurrentProcess(), &bIsWow64);
|
||||||
if( bIsWow64 )
|
if (bIsWow64)
|
||||||
osWow = " (Current Process is WOW64)";
|
osWow = " (Current Process is WOW64)";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
// if we havnt set the arch it is probably because we are on NT/2000 which is x86
|
// if we havnt set the arch it is probably because we are on NT/2000 which is x86
|
||||||
if( !osArch )
|
if (!osArch)
|
||||||
osArch = "x86";
|
osArch = "x86";
|
||||||
|
|
||||||
if( !osWow )
|
if (!osWow)
|
||||||
osWow = "";
|
osWow = "";
|
||||||
|
|
||||||
_snprintf( buf, sizeof(buf) - 1, "%s%s", osArch, osWow );
|
_snprintf(buf, sizeof(buf) - 1, "%s%s", osArch, osWow);
|
||||||
packet_add_tlv_string(response, TLV_TYPE_ARCHITECTURE, buf);
|
packet_add_tlv_string(response, TLV_TYPE_ARCHITECTURE, buf);
|
||||||
|
|
||||||
if( hKernel32 )
|
if (hKernel32)
|
||||||
{
|
{
|
||||||
char * ctryname = NULL, * langname = NULL;
|
char * ctryname = NULL, * langname = NULL;
|
||||||
typedef LANGID (WINAPI * GETSYSTEMDEFAULTLANGID)( VOID );
|
typedef LANGID (WINAPI * GETSYSTEMDEFAULTLANGID)(VOID);
|
||||||
GETSYSTEMDEFAULTLANGID pGetSystemDefaultLangID = (GETSYSTEMDEFAULTLANGID)GetProcAddress( hKernel32, "GetSystemDefaultLangID" );
|
GETSYSTEMDEFAULTLANGID pGetSystemDefaultLangID = (GETSYSTEMDEFAULTLANGID)GetProcAddress(hKernel32, "GetSystemDefaultLangID");
|
||||||
if( pGetSystemDefaultLangID )
|
if (pGetSystemDefaultLangID)
|
||||||
{
|
{
|
||||||
LANGID langId = pGetSystemDefaultLangID();
|
LANGID langId = pGetSystemDefaultLangID();
|
||||||
|
|
||||||
int len = GetLocaleInfo( langId, LOCALE_SISO3166CTRYNAME, 0, 0 );
|
int len = GetLocaleInfo(langId, LOCALE_SISO3166CTRYNAME, 0, 0);
|
||||||
if( len > 0 )
|
if (len > 0)
|
||||||
{
|
{
|
||||||
ctryname = (char *)malloc( len );
|
ctryname = (char *)malloc(len);
|
||||||
GetLocaleInfo( langId, LOCALE_SISO3166CTRYNAME, ctryname, len );
|
GetLocaleInfo(langId, LOCALE_SISO3166CTRYNAME, ctryname, len);
|
||||||
}
|
}
|
||||||
|
|
||||||
len = GetLocaleInfo( langId, LOCALE_SISO639LANGNAME, 0, 0 );
|
len = GetLocaleInfo(langId, LOCALE_SISO639LANGNAME, 0, 0);
|
||||||
if( len > 0 )
|
if (len > 0)
|
||||||
{
|
{
|
||||||
langname = (char *)malloc( len );
|
langname = (char *)malloc(len);
|
||||||
GetLocaleInfo( langId, LOCALE_SISO639LANGNAME, langname, len );
|
GetLocaleInfo(langId, LOCALE_SISO639LANGNAME, langname, len);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if( !ctryname || !langname )
|
if (!ctryname || !langname)
|
||||||
_snprintf( buf, sizeof(buf) - 1, "Unknown");
|
_snprintf(buf, sizeof(buf) - 1, "Unknown");
|
||||||
else
|
else
|
||||||
_snprintf( buf, sizeof(buf) - 1, "%s_%s", langname, ctryname );
|
_snprintf(buf, sizeof(buf) - 1, "%s_%s", langname, ctryname);
|
||||||
|
|
||||||
packet_add_tlv_string( response, TLV_TYPE_LANG_SYSTEM, buf );
|
|
||||||
|
|
||||||
if( ctryname )
|
packet_add_tlv_string(response, TLV_TYPE_LANG_SYSTEM, buf);
|
||||||
free( ctryname );
|
|
||||||
|
|
||||||
if( langname )
|
if (ctryname)
|
||||||
free( langname );
|
free(ctryname);
|
||||||
|
|
||||||
|
if (langname)
|
||||||
|
free(langname);
|
||||||
}
|
}
|
||||||
|
|
||||||
LPWKSTA_INFO_102 localSysinfo = NULL;
|
LPWKSTA_INFO_102 localSysinfo = NULL;
|
||||||
@ -633,7 +643,7 @@ DWORD request_sys_config_sysinfo(Remote *remote, Packet *packet)
|
|||||||
free(domainName);
|
free(domainName);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
} while (0);
|
} while (0);
|
||||||
#else
|
#else
|
||||||
CHAR os[512];
|
CHAR os[512];
|
||||||
@ -642,7 +652,7 @@ DWORD request_sys_config_sysinfo(Remote *remote, Packet *packet)
|
|||||||
|
|
||||||
do {
|
do {
|
||||||
struct utsname utsbuf;
|
struct utsname utsbuf;
|
||||||
if( uname( &utsbuf ) == -1) {
|
if (uname(&utsbuf) == -1) {
|
||||||
res = GetLastError();
|
res = GetLastError();
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
@ -675,27 +685,27 @@ DWORD request_sys_config_rev2self(Remote *remote, Packet *packet)
|
|||||||
#ifdef _WIN32
|
#ifdef _WIN32
|
||||||
DWORD dwResult = ERROR_SUCCESS;
|
DWORD dwResult = ERROR_SUCCESS;
|
||||||
Packet * response = NULL;
|
Packet * response = NULL;
|
||||||
|
|
||||||
do
|
do
|
||||||
{
|
{
|
||||||
response = packet_create_response( packet );
|
response = packet_create_response(packet);
|
||||||
if( !response )
|
if (!response)
|
||||||
{
|
{
|
||||||
dwResult = ERROR_INVALID_HANDLE;
|
dwResult = ERROR_INVALID_HANDLE;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
core_update_thread_token( remote, NULL );
|
core_update_thread_token(remote, NULL);
|
||||||
|
|
||||||
core_update_desktop( remote, -1, NULL, NULL );
|
core_update_desktop(remote, -1, NULL, NULL);
|
||||||
|
|
||||||
if( !RevertToSelf() )
|
if (!RevertToSelf())
|
||||||
dwResult = GetLastError();
|
dwResult = GetLastError();
|
||||||
|
|
||||||
} while( 0 );
|
} while(0);
|
||||||
|
|
||||||
if( response )
|
if (response)
|
||||||
packet_transmit_response( dwResult, remote, response );
|
packet_transmit_response(dwResult, remote, response);
|
||||||
|
|
||||||
#else
|
#else
|
||||||
DWORD dwResult = ERROR_NOT_SUPPORTED;
|
DWORD dwResult = ERROR_NOT_SUPPORTED;
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user