Fixup railgun utils

Implement DsGetDcNamea to return current domain using example railgun utils techniques.
2014-01-24 16:22:05 +00:00 · 2014-01-24 16:22:05 +00:00 · 9fce617462
parent 4bac297f66
commit 9fce617462
5 changed files with 79 additions and 13 deletions
--- a/lib/msf/core/post/windows/accounts.rb
+++ b/lib/msf/core/post/windows/accounts.rb
@ -5,6 +5,47 @@ module Windows

 module Accounts

+  GUID = [
+    ['Data1',:DWORD],
+    ['Data2',:WORD],
+    ['Data3',:WORD],
+    ['Data4','BYTE[8]']
+  ]
+
+  DOMAIN_CONTROLLER_INFO = [
+    ['DomainControllerName',:LPSTR],
+    ['DomainControllerAddress',:LPSTR],
+    ['DomainControllerAddressType',:ULONG],
+    ['DomainGuid',GUID],
+    ['DomainName',:LPSTR],
+    ['DnsForestName',:LPSTR],
+    ['Flags',:ULONG],
+    ['DcSiteName',:LPSTR],
+    ['ClientSiteName',:LPSTR]
+  ]
+
+  def get_domain(server_name=nil)
+    domain = nil
+    result = session.railgun.netapi32.DsGetDcNameA(
+      server_name,
+      nil,
+      nil,
+      nil,
+      0,
+      4)
+
+    begin
+      dc_info_addr = result['DomainControllerInfo']
+      dc_info = session.railgun.util.read_data(DOMAIN_CONTROLLER_INFO, dc_info_addr)
+      pointer = session.railgun.util.unpack_pointer(dc_info['DomainName'])
+      domain = session.railgun.util.read_string(pointer)
+    ensure
+      session.railgun.netapi32.NetApiBufferFree(dc_info_addr)
+    end
+
+    return domain
+  end
+
  ##
  # delete_user(username, server_name = nil)
  #
--- a/lib/msf/core/post/windows/ldap.rb
+++ b/lib/msf/core/post/windows/ldap.rb
@ -119,7 +119,7 @@ module LDAP
    bind_default_ldap_server(1) do |session_handle|
      print_status("Querying default naming context")

-      query_result = query_ldap(session_handle, "", 0, "(objectClass=computer)", ["defaultNamingContext"])
+      query_result = query_ldap(session_handle, "", 0, "(objectClass=*)", ["defaultNamingContext"])
      first_entry_fields = query_result[:results].first
      # Value from First Attribute of First Entry
      default_naming_context = first_entry_fields.first
--- a/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_kernel32.rb
+++ b/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_kernel32.rb
@ -3668,11 +3668,11 @@ class Def_kernel32
    #	])

    dll.add_function( 'lstrlenA', 'DWORD',[
-      ["PCHAR","lpString","in"],
+      ["DWORD","lpString","in"],
      ])

    dll.add_function( 'lstrlenW', 'DWORD',[
-      ["PWCHAR","lpString","in"],
+      ["DWORD","lpString","in"],
      ])


--- a/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_netapi32.rb
+++ b/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_netapi32.rb
@ -12,6 +12,19 @@ class Def_netapi32
  def self.create_dll(dll_path = 'netapi32')
    dll = DLL.new(dll_path, ApiConstants.manager)

+    dll.add_function('NetApiBufferFree','DWORD',[
+      ["LPVOID","Buffer","in"]
+    ])
+
+    dll.add_function('DsGetDcNameA', 'DWORD',[
+      ["PWCHAR","ComputerName","in"],
+      ["PWCHAR","DomainName","in"],
+      ["PBLOB","DomainGuid","in"],
+      ["PWCHAR","SiteName","in"],
+      ["DWORD","Flags","in"],
+      ["PDWORD","DomainControllerInfo","out"]
+    ])
+
    dll.add_function('NetUserDel', 'DWORD',[
      ["PWCHAR","servername","in"],
      ["PWCHAR","username","in"],
--- a/lib/rex/post/meterpreter/extensions/stdapi/railgun/util.rb
+++ b/lib/rex/post/meterpreter/extensions/stdapi/railgun/util.rb
@ -375,6 +375,19 @@ class  Util
    return str
  end

+  def read_string(pointer, length=nil)
+    if is_null_pointer(pointer)
+      return ''
+    end
+
+    unless length
+      length = railgun.kernel32.lstrlenA(pointer)['return']
+    end
+
+    chars = read_array(:CHAR, length, pointer)
+    return chars.join('')
+  end
+
  #
  # Read a given number of bytes from memory or from a provided buffer.
  #
@ -513,10 +526,13 @@ class  Util
      return pointer_size
    end

+    if type.class == String
      if is_array_type?(type)
        element_type, length = split_array_type(type)
-
        return length * sizeof_type(element_type)
+      else
+        return sizeof_type(type.to_sym)
+      end
    end

    if is_struct_type?(type)
@ -559,10 +575,8 @@ class  Util
  def struct_offsets(definition, offset)
    padding = 0
    offsets = []
-
    definition.each do |mapping|
      key, data_type = mapping
-
      if sizeof_type(data_type) > padding
        offset = offset + padding
      end
@ -570,7 +584,6 @@ class  Util
      offsets.push(offset)

      offset = offset + sizeof_type(data_type)
-
      padding = calc_padding(offset)
    end

@ -606,12 +619,11 @@ class  Util
    if type =~ /^(\w+)\[(\w+)\]$/
      element_type = $1
      length = $2
-
      unless length =~ /^\d+$/
        length = railgun.const(length)
      end

-      return element_type, length
+      return element_type.to_sym, length.to_i
    else
      raise "Can not split non-array type #{type}"
    end