From cbaeebeff726efa8ae26c301f736319ae99db7f6 Mon Sep 17 00:00:00 2001 From: OJ Date: Fri, 11 Oct 2013 01:02:51 +1000 Subject: [PATCH] Add service_query to ext_server_extapi Once the user has queried the list of services they can now use the `service_query` function to get more detail about a specific service. --- .../meterpreter/extensions/extapi/extapi.rb | 20 ++++++++ .../post/meterpreter/extensions/extapi/tlv.rb | 28 ++++++---- .../ui/console/command_dispatcher/extapi.rb | 51 ++++++++++++++++++- 3 files changed, 87 insertions(+), 12 deletions(-) diff --git a/lib/rex/post/meterpreter/extensions/extapi/extapi.rb b/lib/rex/post/meterpreter/extensions/extapi/extapi.rb index c95560bc61..bc941a8cdd 100644 --- a/lib/rex/post/meterpreter/extensions/extapi/extapi.rb +++ b/lib/rex/post/meterpreter/extensions/extapi/extapi.rb @@ -71,6 +71,26 @@ class Extapi < Extension return services.sort_by { |s| s[:name].upcase } end + # Query some detailed parameters about a particular service. + def service_query(service_name) + request = Packet.create_request('extapi_service_query') + request.add_tlv(TLV_TYPE_EXT_SERVICE_ENUM_NAME, service_name) + + response = client.send_request(request) + + detail = { + :starttype => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_STARTTYPE), + :display => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_DISPLAYNAME), + :startname => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_STARTNAME), + :path => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_PATH), + :logroup => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_LOADORDERGROUP), + :interactive => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_INTERACTIVE), + :dacl => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_DACL) + } + + return detail + end + end end; end; end; end; end diff --git a/lib/rex/post/meterpreter/extensions/extapi/tlv.rb b/lib/rex/post/meterpreter/extensions/extapi/tlv.rb index b1c043141d..a6d9523d7a 100644 
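Review bot: `service_query` returns nil for every key whose TLV the extension leaves out of the response, and nothing on the method says which keys a caller may rely on, so a YARD block above `def service_query(service_name)` would help: `# @param service_name [String] service name as listed by the service enumeration`, `# @return [Hash] :starttype, :display, :startname, :path, :logroup, :interactive, :dacl — a value is nil when the corresponding TLV is absent`. The request is tagged with the enumeration TLV `TLV_TYPE_EXT_SERVICE_ENUM_NAME` rather than one of the new `QUERY` types; if that reuse is intentional, a one-line comment such as `# the query reuses the ENUM_NAME TLV for the service name` would stop a later reader from "fixing" it. The trailing `return detail` is redundant in Ruby — the hash literal can be the method's final expression (`detail = {` becomes `{`), which also drops the local.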
--- a/lib/rex/post/meterpreter/extensions/extapi/tlv.rb
+++ b/lib/rex/post/meterpreter/extensions/extapi/tlv.rb
@@ -7,17 +7,25 @@ module Extapi TLV_TYPE_EXTENSION_EXTAPI = 0 -TLV_TYPE_EXT_WINDOW_ENUM_GROUP = TLV_META_TYPE_GROUP | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 1) -TLV_TYPE_EXT_WINDOW_ENUM_PID = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 2) -TLV_TYPE_EXT_WINDOW_ENUM_HANDLE = TLV_META_TYPE_QWORD | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 3) -TLV_TYPE_EXT_WINDOW_ENUM_TITLE = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 4) +TLV_TYPE_EXT_WINDOW_ENUM_GROUP = TLV_META_TYPE_GROUP | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 1) +TLV_TYPE_EXT_WINDOW_ENUM_PID = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 2) +TLV_TYPE_EXT_WINDOW_ENUM_HANDLE = TLV_META_TYPE_QWORD | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 3) +TLV_TYPE_EXT_WINDOW_ENUM_TITLE = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 4) -TLV_TYPE_EXT_SERVICE_ENUM_GROUP = TLV_META_TYPE_GROUP | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 10) -TLV_TYPE_EXT_SERVICE_ENUM_NAME = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 11) -TLV_TYPE_EXT_SERVICE_ENUM_DISPLAYNAME = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 12) -TLV_TYPE_EXT_SERVICE_ENUM_PID = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 13) -TLV_TYPE_EXT_SERVICE_ENUM_STATUS = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 14) -TLV_TYPE_EXT_SERVICE_ENUM_INTERACTIVE = TLV_META_TYPE_BOOL | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 15) +TLV_TYPE_EXT_SERVICE_ENUM_GROUP = TLV_META_TYPE_GROUP | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 10) +TLV_TYPE_EXT_SERVICE_ENUM_NAME = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 11) +TLV_TYPE_EXT_SERVICE_ENUM_DISPLAYNAME = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 12) +TLV_TYPE_EXT_SERVICE_ENUM_PID = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 13) 
+TLV_TYPE_EXT_SERVICE_ENUM_STATUS = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 14) +TLV_TYPE_EXT_SERVICE_ENUM_INTERACTIVE = TLV_META_TYPE_BOOL | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 15) + +TLV_TYPE_EXT_SERVICE_QUERY_STARTTYPE = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 20) +TLV_TYPE_EXT_SERVICE_QUERY_DISPLAYNAME = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 21) +TLV_TYPE_EXT_SERVICE_QUERY_STARTNAME = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 22) +TLV_TYPE_EXT_SERVICE_QUERY_PATH = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 23) +TLV_TYPE_EXT_SERVICE_QUERY_LOADORDERGROUP = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 24) +TLV_TYPE_EXT_SERVICE_QUERY_INTERACTIVE = TLV_META_TYPE_BOOL | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 25) +TLV_TYPE_EXT_SERVICE_QUERY_DACL = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 26) end end diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi.rb index d4b9a545ac..4facb7fc6f 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi.rb @@ -1,6 +1,5 @@ # -*- coding: binary -*- require 'rex/post/meterpreter' - module Rex module Post module Meterpreter 
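Review bot: The seven new `TLV_TYPE_EXT_SERVICE_QUERY_*` constants (offsets 20–26) are added without any comment, and the same hunk re-pads the existing `WINDOW_ENUM` and `SERVICE_ENUM` lines, so the diff reads as a rewrite of the table when it is an addition; separating the whitespace change from the new definitions would keep blame useful. A header above `TLV_TYPE_EXT_SERVICE_QUERY_STARTTYPE` such as `# Response TLVs for extapi_service_query (offsets 20-26)` would document the reserved range, and since these values presumably mirror definitions on the extension's native side that should be stated too. `TLV_TYPE_EXT_SERVICE_QUERY_DACL` is declared as `TLV_META_TYPE_STRING` but nothing here says what textual form the DACL takes; a short note like `# DACL is transported as a string — format not stated here, confirm against the extension` would save the next reader a lookup.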
@@ -38,13 +37,21 @@ class Console::CommandDispatcher::Extapi "-h" => [ false, "Help banner" ] ) + # + # Options for the service_query command. + # + @@service_query_opts = Rex::Parser::Arguments.new( + "-h" => [ false, "Help banner" ] + ) + # # List of supported commands. # def commands { "window_enum" => "Enumerate all current open windows", - "service_enum" => "Enumerate all registered Windows services" + "service_enum" => "Enumerate all registered Windows services", + "service_query" => "Query more detail about a specific Windows service" } end @@ -125,6 +132,46 @@ class Console::CommandDispatcher::Extapi return true end + def cmd_service_query(*args) + args << "-h" if args.length == 0 + + @@service_query_opts.parse(args) { |opt, idx, val| + case opt + when "-h" + print( + "\nUsage: service_query [-h] \n" + + " : The name of the service to query.\n\n" + + "Gets details information about a particular Windows service, including\n" + + "binary path, DACL, load order group, start type and more.\n\n") + return true + end + } + + service_name = args.shift + + start_type_map = { + 0 => "Boot", + 1 => "System", + 2 => "Automatic", + 3 => "Manual", + 4 => "Disabled" + } + + detail = client.extapi.service_query(service_name) + + print_line() + print_line("Name : #{service_name}") + print_line("Display : #{detail[:display]}") + print_line("Account : #{detail[:startname]}") + print_line("Start Type : #{start_type_map[detail[:starttype]]}") + print_line("Path : #{detail[:path]}") + print_line("L.O. Group : #{detail[:logroup]}") + print_line("Interactive : #{detail[:interactive] ? "Yes" : "No"}") + print_line("DACL : #{detail[:dacl]}") + print_line() + + end + # # Name for this dispatcher #
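Review bot: In `cmd_service_query`, `start_type_map[detail[:starttype]]` yields nil for any start type outside 0–4 or when the TLV is absent, so the "Start Type" line prints blank and the raw value is lost; `print_line("Start Type : #{start_type_map.fetch(detail[:starttype], detail[:starttype].inspect)}")` keeps it visible. The service name is taken with `args.shift` after the parse, whereas `Rex::Parser::Arguments#parse` yields non-option arguments with a nil `opt` and drops options it does not know, so an unrecognised flag typed before the name would become the name; an `else` branch in the `case` that sets `service_name = val` is the more consistent way to capture it. The help text reads "Gets details information" (should be "detailed"), and the usage line as shown here has no argument placeholder between `[-h]` and the ` : The name of the service to query.` description — if that is not an extraction artefact, add one. `start_type_map` is rebuilt on every call and could be a frozen constant declared alongside `@@service_query_opts`.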