Fixup railgun utils

Implement DsGetDcNamea to return current domain using example railgun utils techniques.
2014-01-24 16:22:05 +00:00 · 2014-01-24 16:22:05 +00:00 · 9fce617462
parent 4bac297f66
commit 9fce617462
5 changed files with 79 additions and 13 deletions
--- a/lib/msf/core/post/windows/accounts.rb
+++ b/lib/msf/core/post/windows/accounts.rb
@ -5,6 +5,47 @@ module Windows
 module Accounts
  GUID = [
    ['Data1',:DWORD],
    ['Data2',:WORD],
    ['Data3',:WORD],
    ['Data4','BYTE[8]']
  ]
  DOMAIN_CONTROLLER_INFO = [
    ['DomainControllerName',:LPSTR],
    ['DomainControllerAddress',:LPSTR],
    ['DomainControllerAddressType',:ULONG],
    ['DomainGuid',GUID],
    ['DomainName',:LPSTR],
    ['DnsForestName',:LPSTR],
    ['Flags',:ULONG],
    ['DcSiteName',:LPSTR],
    ['ClientSiteName',:LPSTR]
  ]
  def get_domain(server_name=nil)
    domain = nil
    result = session.railgun.netapi32.DsGetDcNameA(
      server_name,
      nil,
      nil,
      nil,
      0,
      4)
    begin
      dc_info_addr = result['DomainControllerInfo']
      dc_info = session.railgun.util.read_data(DOMAIN_CONTROLLER_INFO, dc_info_addr)
      pointer = session.railgun.util.unpack_pointer(dc_info['DomainName'])
      domain = session.railgun.util.read_string(pointer)
    ensure
      session.railgun.netapi32.NetApiBufferFree(dc_info_addr)
    end
    return domain
  end
  ##
  # delete_user(username, server_name = nil)
  #
--- a/lib/msf/core/post/windows/ldap.rb
+++ b/lib/msf/core/post/windows/ldap.rb
@ -119,7 +119,7 @@ module LDAP
    bind_default_ldap_server(1) do |session_handle|
      print_status("Querying default naming context")
-      query_result = query_ldap(session_handle, "", 0, "(objectClass=computer)", ["defaultNamingContext"])
+      query_result = query_ldap(session_handle, "", 0, "(objectClass=*)", ["defaultNamingContext"])
      first_entry_fields = query_result[:results].first
      # Value from First Attribute of First Entry
      default_naming_context = first_entry_fields.first
--- a/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_kernel32.rb
+++ b/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_kernel32.rb
@ -3668,11 +3668,11 @@ class Def_kernel32
    #	])
    dll.add_function( 'lstrlenA', 'DWORD',[
-      ["PCHAR","lpString","in"],
+      ["DWORD","lpString","in"],
      ])
    dll.add_function( 'lstrlenW', 'DWORD',[
-      ["PWCHAR","lpString","in"],
+      ["DWORD","lpString","in"],
      ])
--- a/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_netapi32.rb
+++ b/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_netapi32.rb
@ -12,6 +12,19 @@ class Def_netapi32
  def self.create_dll(dll_path = 'netapi32')
    dll = DLL.new(dll_path, ApiConstants.manager)
    dll.add_function('NetApiBufferFree','DWORD',[
      ["LPVOID","Buffer","in"]
    ])
    dll.add_function('DsGetDcNameA', 'DWORD',[
      ["PWCHAR","ComputerName","in"],
      ["PWCHAR","DomainName","in"],
      ["PBLOB","DomainGuid","in"],
      ["PWCHAR","SiteName","in"],
      ["DWORD","Flags","in"],
      ["PDWORD","DomainControllerInfo","out"]
    ])
    dll.add_function('NetUserDel', 'DWORD',[
      ["PWCHAR","servername","in"],
      ["PWCHAR","username","in"],
--- a/lib/rex/post/meterpreter/extensions/stdapi/railgun/util.rb
+++ b/lib/rex/post/meterpreter/extensions/stdapi/railgun/util.rb
@ -375,6 +375,19 @@ class  Util
    return str
  end
  def read_string(pointer, length=nil)
    if is_null_pointer(pointer)
      return ''
    end
    unless length
      length = railgun.kernel32.lstrlenA(pointer)['return']
    end
    chars = read_array(:CHAR, length, pointer)
    return chars.join('')
  end
  #
  # Read a given number of bytes from memory or from a provided buffer.
  #
@ -437,7 +450,7 @@ class  Util
      return raw.unpack('l').first
    end
- 		#If nothing worked thus far, return it raw
+    #If nothing worked thus far, return it raw
    return raw
  end
@ -513,10 +526,13 @@ class  Util
      return pointer_size
    end
-    if is_array_type?(type)
+    if type.class == String
-      element_type, length = split_array_type(type)
+      if is_array_type?(type)
-
+        element_type, length = split_array_type(type)
-      return length * sizeof_type(element_type)
+        return length * sizeof_type(element_type)
      else
        return sizeof_type(type.to_sym)
      end
    end
    if is_struct_type?(type)
@ -559,10 +575,8 @@ class  Util
  def struct_offsets(definition, offset)
    padding = 0
    offsets = []
    definition.each do |mapping|
      key, data_type = mapping
      if sizeof_type(data_type) > padding
        offset = offset + padding
      end
@ -570,7 +584,6 @@ class  Util
      offsets.push(offset)
      offset = offset + sizeof_type(data_type)
      padding = calc_padding(offset)
    end
@ -606,12 +619,11 @@ class  Util
    if type =~ /^(\w+)\[(\w+)\]$/
      element_type = $1
      length = $2
      unless length =~ /^\d+$/
        length = railgun.const(length)
      end
-      return element_type, length
+      return element_type.to_sym, length.to_i
    else
      raise "Can not split non-array type #{type}"
    end