diff --git a/lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb b/lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb
index 82d75c3b6f..58335c5c83 100644
--- a/lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb
+++ b/lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb
@@ -20,6 +20,8 @@ module Sys
 ###
 class Config
 
+  SYSTEM_SID = 'S-1-5-18'
+
   def initialize(client)
     self.client = client
   end
@@ -33,6 +35,22 @@ class Config
     client.unicode_filter_encode( response.get_tlv_value(TLV_TYPE_USER_NAME) )
   end
 
+  #
+  # Gets the SID of the current process/thread.
+  #
+  def getsid
+    request = Packet.create_request('stdapi_sys_config_getsid')
+    response = client.send_request(request)
+    response.get_tlv_value(TLV_TYPE_SID)
+  end
+
+  #
+  # Determine if the current process/thread is running as SYSTEM
+  #
+  def is_system?
+    getsid == SYSTEM_SID
+  end
+
   #
   # Returns a hash of requested environment variables, along with their values.
   # If a requested value doesn't exist in the response, then the value wasn't found.
diff --git a/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb b/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb
index 41fab4d12b..d89f4acc0b 100644
--- a/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb
+++ b/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb
@@ -116,6 +116,7 @@ TLV_TYPE_OS_NAME = TLV_META_TYPE_STRING | 1041
 TLV_TYPE_USER_NAME = TLV_META_TYPE_STRING | 1042
 TLV_TYPE_ARCHITECTURE = TLV_META_TYPE_STRING | 1043
 TLV_TYPE_LANG_SYSTEM = TLV_META_TYPE_STRING | 1044
+TLV_TYPE_SID = TLV_META_TYPE_STRING | 1045
 
 # Environment
 TLV_TYPE_ENV_VARIABLE = TLV_META_TYPE_STRING | 1100
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb
index 7f22f14d2f..0371963bda 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb
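Review bot: `SYSTEM_SID = 'S-1-5-18'` is a mutable string constant, and nothing in the hunk shows a `frozen_string_literal` pragma, so `SYSTEM_SID = 'S-1-5-18'.freeze` would keep it from being altered in place by a careless caller. A one-line comment would also help readers who do not have the well-known SIDs memorized, e.g. `# Well-known SID of the LocalSystem account (NT AUTHORITY\SYSTEM); stable across locales, unlike the account name.` The rest of `class Config` lies outside this hunk.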
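Review bot: `getsid` has no fallback for a server that does not implement `stdapi_sys_config_getsid`: `client.send_request` raises on an error result (as I read the dispatcher; confirm the exact exception class), and a success reply carrying no `TLV_TYPE_SID` makes `get_tlv_value` return nil, so `is_system?` then quietly answers false with no indication why. Because `is_system?` replaces a plain `getuid` string compare in a caller further down this diff, sessions on older or non-native Meterpreter servers would now raise where they used to warn. I would rescue the request error in `is_system?` and fall back to the old name compare, as below, and say in the doc comment that the SID compare is what makes the check locale-independent. `class Config` continues outside this hunk.
```ruby
  #
  # Determine if the current process/thread is running as SYSTEM.
  # Comparing the token SID is independent of the target locale, unlike
  # the localized "NT AUTHORITY\SYSTEM" account name.
  #
  def is_system?
    getsid == SYSTEM_SID
  rescue ::Rex::Post::Meterpreter::RequestError
    # Server predates stdapi_sys_config_getsid: fall back to the name check.
    getuid == "NT AUTHORITY\\SYSTEM"
  end
```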
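Review bot: `TLV_TYPE_SID = TLV_META_TYPE_STRING | 1045` defines only the client-side half of the type; the server side must use the same id for the same meaning, and nothing in this diff shows that change, so `stdapi_sys_config_getsid` will error or come back without the TLV until the server is updated in step. A short comment naming the producing command, e.g. `# String SID of the current token; returned by stdapi_sys_config_getsid`, would tie the two halves together for the next maintainer.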
@@ -221,7 +221,7 @@ class Console::CommandDispatcher::Incognito
   end
 
   def system_privilege_check
-    if (client.sys.config.getuid != "NT AUTHORITY\\SYSTEM")
+    if !client.sys.config.is_system?
       print_line("[-] Warning: Not currently running as SYSTEM, not all tokens will be available")
       print_line(" Call rev2self if primary process token is SYSTEM")
     end
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb
index fd8fe65353..48c7d8fa63 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb
@@ -88,6 +88,7 @@ class Console::CommandDispatcher::Stdapi::Sys
     "getpid" => "Get the current process identifier",
     "getprivs" => "Attempt to enable all privileges available to the current process",
     "getuid" => "Get the user that the server is running as",
+    "getsid" => "Get the SID of the user that the server is running as",
     "getenv" => "Get one or more environment variable values",
     "kill" => "Terminate a process",
     "ps" => "List running processes",
@@ -107,6 +108,7 @@ class Console::CommandDispatcher::Stdapi::Sys
     "getpid" => [ "stdapi_sys_process_getpid" ],
     "getprivs" => [ "stdapi_sys_config_getprivs" ],
     "getuid" => [ "stdapi_sys_config_getuid" ],
+    "getsid" => [ "stdapi_sys_config_getsid" ],
     "getenv" => [ "stdapi_sys_config_getenv" ],
     "kill" => [ "stdapi_sys_process_kill" ],
     "ps" => [ "stdapi_sys_process_get_processes" ],
@@ -279,6 +281,13 @@ class Console::CommandDispatcher::Stdapi::Sys
     print_line("Server username: #{client.sys.config.getuid}")
   end
 
+  #
+  # Display the SID of the user that the server is running as.
+  #
+  def cmd_getsid(*args)
+    print_line("Server SID: #{client.sys.config.getsid}")
+  end
+
   #
   # Get the value of one or more environment variables from the target.
   #
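Review bot: `if !client.sys.config.is_system?` is the form RuboCop flags for a negated single condition; `unless client.sys.config.is_system?` is the idiom and reads as the warning it guards. More importantly, the old `getuid` compare never raised, whereas `is_system?` issues a new `stdapi_sys_config_getsid` request; if the session's server does not implement that command, this advisory helper would abort the incognito command instead of printing its warning, so either `is_system?` or this caller should rescue the request error and fall back to the name compare (how `send_request` reports an unsupported command is not visible here and should be confirmed). The closing `end` of `system_privilege_check` lies outside the hunk.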
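Review bot: `cmd_getsid` interpolates the result straight into the message, so a reply that carries no `TLV_TYPE_SID` prints `Server SID: ` with nothing after it rather than an error the operator can act on. Binding the value first makes the failure visible: `sid = client.sys.config.getsid`, then `return print_error("Server did not return a SID") if sid.nil?`, then `print_line("Server SID: #{sid}")`. `*args` is accepted and ignored, matching `cmd_getuid` just above, so that part is consistent with the dispatcher's existing style.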