Moving reused methods to Accounts mixin

2013-01-31 12:59:55 +01:00 · 2013-01-31 12:59:55 +01:00 · 174ab31010
parent 1bc5fd3758
commit 174ab31010
3 changed files with 57 additions and 105 deletions
--- a/lib/msf/core/post/windows/accounts.rb
+++ b/lib/msf/core/post/windows/accounts.rb
@ -177,6 +177,61 @@ module Accounts
 			:integrity_label
 		][enum_value - 1]
 	end
+
+	# Gets an impersonation token from the primary token.
+	#
+	# @return [Fixnum] the impersonate token handle identifier if success, 0 if
+	#	fails
+	def get_imperstoken
+		adv =  session.railgun.advapi32
+		tok_all = "TOKEN_ASSIGN_PRIMARY |TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY | "
+		tok_all << "TOKEN_QUERY_SOURCE | TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS"
+		tok_all << " | TOKEN_ADJUST_DEFAULT"
+
+		pid = session.sys.process.open.pid
+		pr = session.sys.process.open(pid, PROCESS_ALL_ACCESS)
+		pt = adv.OpenProcessToken(pr.handle, tok_all, 4) #get handle to primary token
+		it = adv.DuplicateToken(pt["TokenHandle"],2, 4) # get an impersonation token
+		if it["return"] #if it fails return 0 for error handling
+			return it["DuplicateTokenHandle"]
+		else
+			return 0
+		end
+	end
+
+	# Gets the permissions granted from the Security Descriptor of a directory
+	# to an access token.
+	#
+	# @param [String] dir the directory path
+	# @param [Fixnum] token the access token
+	# @return [String, nil] a String describing the permissions or nil
+	def check_dir(dir, token)
+		adv =  session.railgun.advapi32
+		si = "OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION"
+		result = ""
+
+		#define generic mapping structure
+		gen_map = [0,0,0,0]
+		gen_map = gen_map.pack("L")
+
+		#get Security Descriptor for the directory
+		f = adv.GetFileSecurityA(dir, si, 20, 20, 4)
+		f = adv.GetFileSecurityA(dir, si, f["lpnLengthNeeded"], f["lpnLengthNeeded"], 4)
+		sd = f["pSecurityDescriptor"]
+
+		#check for write access, called once to get buffer size
+		a = adv.AccessCheck(sd, token, "ACCESS_READ | ACCESS_WRITE", gen_map, 0, 0, 4, 8)
+		len = a["PrivilegeSetLength"]
+
+		r = adv.AccessCheck(sd, token, "ACCESS_READ", gen_map, len, len, 4, 8)
+		if !r["return"] then return nil end
+		if r["GrantedAccess"] > 0 then result << "R" end
+
+		w = adv.AccessCheck(sd, token, "ACCESS_WRITE", gen_map, len, len, 4, 8)
+		if !w["return"] then return nil end
+		if w["GrantedAccess"] > 0 then result << "W" end
+	end
+
 end # Accounts
 end # Windows
 end # Post
--- a/modules/exploits/windows/local/ipsec_keyring_service.rb
+++ b/modules/exploits/windows/local/ipsec_keyring_service.rb
@ -17,6 +17,7 @@ class Metasploit3 < Msf::Exploit::Local
 	include Msf::Post::File
 	include Msf::Post::Windows::Priv
 	include Msf::Post::Windows::Services
+	include Msf::Post::Windows::Accounts

 	def initialize(info={})
 		super( update_info( info,
@ -322,51 +323,5 @@ class Metasploit3 < Msf::Exploit::Local
 		end
 	end

-	# Below copied from enum_dirperms
-	def get_imperstoken
-		adv =  session.railgun.advapi32
-		tok_all = "TOKEN_ASSIGN_PRIMARY |TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY | "
-		tok_all << "TOKEN_QUERY_SOURCE | TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS"
-		tok_all << " | TOKEN_ADJUST_DEFAULT"
-
-		#get impersonation token handle it["DuplicateTokenhandle"] carries this value
-		#p = kern.GetCurrentProcess() #get handle to current process
-		pid = session.sys.process.open.pid
-		pr = session.sys.process.open(pid, PROCESS_ALL_ACCESS)
-		pt = adv.OpenProcessToken(pr.handle, tok_all, 4) #get handle to primary token
-		it = adv.DuplicateToken(pt["TokenHandle"],2, 4) # get an impersonation token
-		if it["return"] #if it fails return 0 for error handling
-			return it["DuplicateTokenHandle"]
-		else
-			return 0
-		end
-	end
-
-	def check_dir(dir, token)
-		adv =  session.railgun.advapi32
-		si = "OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION"
-		result = ""
-
-		#define generic mapping structure
-		gen_map = [0,0,0,0]
-		gen_map = gen_map.pack("L")
-
-		#get Security Descriptor for the directory
-		f = adv.GetFileSecurityA(dir, si, 20, 20, 4)
-		f = adv.GetFileSecurityA(dir, si, f["lpnLengthNeeded"], f["lpnLengthNeeded"], 4)
-		sd = f["pSecurityDescriptor"]
-
-		#check for write access, called once to get buffer size
-		a = adv.AccessCheck(sd, token, "ACCESS_READ | ACCESS_WRITE", gen_map, 0, 0, 4, 8)
-		len = a["PrivilegeSetLength"]
-
-		r = adv.AccessCheck(sd, token, "ACCESS_READ", gen_map, len, len, 4, 8)
-		if !r["return"] then return nil end
-		if r["GrantedAccess"] > 0 then result << "R" end
-
-		w = adv.AccessCheck(sd, token, "ACCESS_WRITE", gen_map, len, len, 4, 8)
-		if !w["return"] then return nil end
-		if w["GrantedAccess"] > 0 then result << "W" end
-	end
 end

--- a/modules/post/windows/gather/enum_dirperms.rb
+++ b/modules/post/windows/gather/enum_dirperms.rb
@ -1,7 +1,3 @@
-##
-# $Id$
-##
-
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
@ -15,6 +11,7 @@ require 'msf/core/post/common'
 class Metasploit3 < Msf::Post

 	include Msf::Post::Common
+	include Msf::Post::Windows::Accounts

 	def initialize(info={})
 		super(update_info(info,
@ -26,7 +23,6 @@ class Metasploit3 < Msf::Post
 				%PATH% variable.
 			},
 			'License'        => MSF_LICENSE,
-			'Version'        => '$Revision$',
 			'Platform'       => ['win'],
 			'SessionTypes'   => ['meterpreter'],
 			'Author'         =>
@ -45,60 +41,6 @@ class Metasploit3 < Msf::Post
 			], self.class)
 	end

-	def get_imperstoken
-		adv =  session.railgun.advapi32
-		tok_all = "TOKEN_ASSIGN_PRIMARY |TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY | "
-		tok_all << "TOKEN_QUERY_SOURCE | TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS"
-		tok_all << " | TOKEN_ADJUST_DEFAULT"
-
-		#get impersonation token handle it["DuplicateTokenhandle"] carries this value
-		#p = kern.GetCurrentProcess() #get handle to current process
-		pid = session.sys.process.open.pid
-		pr = session.sys.process.open(pid, PROCESS_ALL_ACCESS)
-		pt = adv.OpenProcessToken(pr.handle, tok_all, 4) #get handle to primary token
-		it = adv.DuplicateToken(pt["TokenHandle"],2, 4) # get an impersonation token
-		if it["return"] #if it fails return 0 for error handling
-			return it["DuplicateTokenHandle"]
-		else
-			return 0
-		end
-	end
-
-	def check_dir(dir, token)
-		# If path doesn't exist, do not continue
-		begin
-			session.fs.dir.entries(dir)
-		rescue => e
-			vprint_error("#{e.message}: #{dir}")
-			return nil
-		end
-
-		adv =  session.railgun.advapi32
-		si = "OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION"
-		result = ""
-
-		#define generic mapping structure
-		gen_map = [0,0,0,0]
-		gen_map = gen_map.pack("L")
-
-		#get Security Descriptor for the directory
-		f = adv.GetFileSecurityA(dir, si, 20, 20, 4)
-		f = adv.GetFileSecurityA(dir, si, f["lpnLengthNeeded"], f["lpnLengthNeeded"], 4)
-		sd = f["pSecurityDescriptor"]
-
-		#check for write access, called once to get buffer size
-		a = adv.AccessCheck(sd, token, "ACCESS_READ | ACCESS_WRITE", gen_map, 0, 0, 4, 8)
-		len = a["PrivilegeSetLength"]
-
-		r = adv.AccessCheck(sd, token, "ACCESS_READ", gen_map, len, len, 4, 8)
-		if !r["return"] then return nil end
-		if r["GrantedAccess"] > 0 then result << "R" end
-
-		w = adv.AccessCheck(sd, token, "ACCESS_WRITE", gen_map, len, len, 4, 8)
-		if !w["return"] then return nil end
-		if w["GrantedAccess"] > 0 then result << "W" end
-	end
-
 	def enum_subdirs(perm_filter, dpath, maxdepth, token)
 		filter = datastore['FILTER']
 		filter = nil if datastore['FILTER'] == 'NA'