Add support for the getsid command

Meterpreter-side work has been done as well to support this, but this
commit adds a new 'getsid' command, which reports the SID of the
current process/thread. This can be used for things like determining
whether the current process is running as SYSTEM. It could also be used
for golden ticket creation, among other things.
bug/bundler_fix
OJ 2014-11-07 10:38:22 +10:00
parent 0199e4d658
commit 08e707225c
4 changed files with 29 additions and 1 deletions


@ -20,6 +20,8 @@ module Sys
###
class Config
SYSTEM_SID = 'S-1-5-18'
def initialize(client)
self.client = client
end
@ -33,6 +35,22 @@ class Config
client.unicode_filter_encode( response.get_tlv_value(TLV_TYPE_USER_NAME) )
end
#
# Gets the SID of the current process/thread.
#
def getsid
request = Packet.create_request('stdapi_sys_config_getsid')
response = client.send_request(request)
response.get_tlv_value(TLV_TYPE_SID)
end
#
# Determine if the current process/thread is running as SYSTEM
#
def is_system?
getsid == SYSTEM_SID
end
#
# Returns a hash of requested environment variables, along with their values.
# If a requested value doesn't exist in the response, then the value wasn't found.
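Review bot: `getsid` returns the TLV value raw, whereas `getuid` just above passes its result through `client.unicode_filter_encode(...)`; if that filter exists to sanitise server-supplied strings before they reach the console, the SID is a server-supplied string too and should go through it, `client.unicode_filter_encode( response.get_tlv_value(TLV_TYPE_SID) )`. Neither new comment says what happens when the server supplies no SID; `get_tlv_value` presumably returns nil then, so `is_system?` quietly answers false, which is worth stating, e.g. `# Returns nil if the server did not include a SID in its response.` The `is_` prefix is not idiomatic for a Ruby predicate (`system?` would be), though callers elsewhere in this commit already use `is_system?`.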


@ -116,6 +116,7 @@ TLV_TYPE_OS_NAME = TLV_META_TYPE_STRING | 1041
TLV_TYPE_USER_NAME = TLV_META_TYPE_STRING | 1042
TLV_TYPE_ARCHITECTURE = TLV_META_TYPE_STRING | 1043
TLV_TYPE_LANG_SYSTEM = TLV_META_TYPE_STRING | 1044
TLV_TYPE_SID = TLV_META_TYPE_STRING | 1045
# Environment
TLV_TYPE_ENV_VARIABLE = TLV_META_TYPE_STRING | 1100


@ -221,7 +221,7 @@ class Console::CommandDispatcher::Incognito
end
def system_privilege_check
if (client.sys.config.getuid != "NT AUTHORITY\\SYSTEM")
if !client.sys.config.is_system?
print_line("[-] Warning: Not currently running as SYSTEM, not all tokens will be available")
print_line(" Call rev2self if primary process token is SYSTEM")
end
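Review bot: `if !client.sys.config.is_system?` reads better as `unless client.sys.config.is_system?` in Ruby. A behavioural caveat the hunk does not address: the old string comparison only needed `getuid`, whereas `is_system?` sends a `stdapi_sys_config_getsid` request, so against a Meterpreter server that predates this command the warning path presumably turns into a request error instead of a printed warning; if that matters, rescue the request failure here or fall back to the old comparison. The rest of `system_privilege_check` lies outside the hunk.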


@ -88,6 +88,7 @@ class Console::CommandDispatcher::Stdapi::Sys
"getpid" => "Get the current process identifier",
"getprivs" => "Attempt to enable all privileges available to the current process",
"getuid" => "Get the user that the server is running as",
"getsid" => "Get the SID of the user that the server is running as",
"getenv" => "Get one or more environment variable values",
"kill" => "Terminate a process",
"ps" => "List running processes",
@ -107,6 +108,7 @@ class Console::CommandDispatcher::Stdapi::Sys
"getpid" => [ "stdapi_sys_process_getpid" ],
"getprivs" => [ "stdapi_sys_config_getprivs" ],
"getuid" => [ "stdapi_sys_config_getuid" ],
"getsid" => [ "stdapi_sys_config_getsid" ],
"getenv" => [ "stdapi_sys_config_getenv" ],
"kill" => [ "stdapi_sys_process_kill" ],
"ps" => [ "stdapi_sys_process_get_processes" ],
@ -279,6 +281,13 @@ class Console::CommandDispatcher::Stdapi::Sys
print_line("Server username: #{client.sys.config.getuid}")
end
#
# Display the SID of the user that the server is running as.
#
def cmd_getsid(*args)
print_line("Server SID: #{client.sys.config.getsid}")
end
#
# Get the value of one or more environment variables from the target.
#
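Review bot: `cmd_getsid` interpolates the result of `client.sys.config.getsid` straight into the output, so a nil reply (server omits the SID TLV) prints a bare `Server SID: ` line with no indication that the lookup failed; consider `sid = client.sys.config.getsid` followed by `print_line(sid ? "Server SID: #{sid}" : "Server SID: (not available)")`. The help text at the top of the section describes the SID as that of "the user that the server is running as", while the config.rb side calls it the SID of the current process/thread; pick one wording, since process and thread identity can differ when the server thread is impersonating, so that users know whether `getuid` and `getsid` necessarily agree.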