Add service_query to ext_server_extapi

Once the user has queried the list of services, they can use the
`service_query` function to get more detail about a specific service.
bug/bundler_fix
OJ 2013-10-11 01:02:51 +10:00
parent 23340e9df0
commit cbaeebeff7
3 changed files with 87 additions and 12 deletions


@ -71,6 +71,26 @@ class Extapi < Extension
return services.sort_by { |s| s[:name].upcase } return services.sort_by { |s| s[:name].upcase }
end end
# Query some detailed parameters about a particular service.
def service_query(service_name)
request = Packet.create_request('extapi_service_query')
request.add_tlv(TLV_TYPE_EXT_SERVICE_ENUM_NAME, service_name)
response = client.send_request(request)
detail = {
:starttype => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_STARTTYPE),
:display => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_DISPLAYNAME),
:startname => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_STARTNAME),
:path => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_PATH),
:logroup => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_LOADORDERGROUP),
:interactive => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_INTERACTIVE),
:dacl => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_DACL)
}
return detail
end
end end
end; end; end; end; end end; end; end; end; end
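Review bot: service_query forwards service_name into the request TLV without rejecting nil or an empty string, so a caller that omits the argument only learns about it from the remote side (or from add_tlv, depending on how it treats nil) instead of a local error; a guard such as `raise ArgumentError, 'service_name must not be empty' if service_name.nil? || service_name.empty?` at the top of the method would surface that at the call site. The trailing `detail = { ... }` followed by `return detail` can be simplified to returning the hash literal directly, matching the implicit-return style of the surrounding file. The enclosing Extapi class starts outside this hunk.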


@ -7,17 +7,25 @@ module Extapi
TLV_TYPE_EXTENSION_EXTAPI = 0 TLV_TYPE_EXTENSION_EXTAPI = 0
TLV_TYPE_EXT_WINDOW_ENUM_GROUP = TLV_META_TYPE_GROUP | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 1) TLV_TYPE_EXT_WINDOW_ENUM_GROUP = TLV_META_TYPE_GROUP | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 1)
TLV_TYPE_EXT_WINDOW_ENUM_PID = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 2) TLV_TYPE_EXT_WINDOW_ENUM_PID = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 2)
TLV_TYPE_EXT_WINDOW_ENUM_HANDLE = TLV_META_TYPE_QWORD | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 3) TLV_TYPE_EXT_WINDOW_ENUM_HANDLE = TLV_META_TYPE_QWORD | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 3)
TLV_TYPE_EXT_WINDOW_ENUM_TITLE = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 4) TLV_TYPE_EXT_WINDOW_ENUM_TITLE = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 4)
TLV_TYPE_EXT_SERVICE_ENUM_GROUP = TLV_META_TYPE_GROUP | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 10) TLV_TYPE_EXT_SERVICE_ENUM_GROUP = TLV_META_TYPE_GROUP | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 10)
TLV_TYPE_EXT_SERVICE_ENUM_NAME = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 11) TLV_TYPE_EXT_SERVICE_ENUM_NAME = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 11)
TLV_TYPE_EXT_SERVICE_ENUM_DISPLAYNAME = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 12) TLV_TYPE_EXT_SERVICE_ENUM_DISPLAYNAME = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 12)
TLV_TYPE_EXT_SERVICE_ENUM_PID = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 13) TLV_TYPE_EXT_SERVICE_ENUM_PID = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 13)
TLV_TYPE_EXT_SERVICE_ENUM_STATUS = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 14) TLV_TYPE_EXT_SERVICE_ENUM_STATUS = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 14)
TLV_TYPE_EXT_SERVICE_ENUM_INTERACTIVE = TLV_META_TYPE_BOOL | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 15) TLV_TYPE_EXT_SERVICE_ENUM_INTERACTIVE = TLV_META_TYPE_BOOL | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 15)
TLV_TYPE_EXT_SERVICE_QUERY_STARTTYPE = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 20)
TLV_TYPE_EXT_SERVICE_QUERY_DISPLAYNAME = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 21)
TLV_TYPE_EXT_SERVICE_QUERY_STARTNAME = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 22)
TLV_TYPE_EXT_SERVICE_QUERY_PATH = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 23)
TLV_TYPE_EXT_SERVICE_QUERY_LOADORDERGROUP = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 24)
TLV_TYPE_EXT_SERVICE_QUERY_INTERACTIVE = TLV_META_TYPE_BOOL | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 25)
TLV_TYPE_EXT_SERVICE_QUERY_DACL = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 26)
end end
end end
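Review bot: The seven new `TLV_TYPE_EXT_SERVICE_QUERY_*` constants carry no comment saying what the ids 20 through 26 represent or why the numbering skips from the ENUM block's 15; presumably they have to stay in step with the server-side extapi extension's definitions, and nothing on the page records that. A one-line header above the first new constant, e.g. `# Fields of an extapi_service_query response; ids 20..26 — keep in sync with the server-side extapi TLV definitions`, would make the coupling visible to the next person who adds a field.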


@ -1,6 +1,5 @@
# -*- coding: binary -*- # -*- coding: binary -*-
require 'rex/post/meterpreter' require 'rex/post/meterpreter'
module Rex module Rex
module Post module Post
module Meterpreter module Meterpreter
@ -38,13 +37,21 @@ class Console::CommandDispatcher::Extapi
"-h" => [ false, "Help banner" ] "-h" => [ false, "Help banner" ]
) )
#
# Options for the service_query command.
#
@@service_query_opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help banner" ]
)
# #
# List of supported commands. # List of supported commands.
# #
def commands def commands
{ {
"window_enum" => "Enumerate all current open windows", "window_enum" => "Enumerate all current open windows",
"service_enum" => "Enumerate all registered Windows services" "service_enum" => "Enumerate all registered Windows services",
"service_query" => "Query more detail about a specific Windows service"
} }
end end
@ -125,6 +132,46 @@ class Console::CommandDispatcher::Extapi
return true return true
end end
def cmd_service_query(*args)
args << "-h" if args.length == 0
@@service_query_opts.parse(args) { |opt, idx, val|
case opt
when "-h"
print(
"\nUsage: service_query [-h] <servicename>\n" +
" <servicename>: The name of the service to query.\n\n" +
"Gets details information about a particular Windows service, including\n" +
"binary path, DACL, load order group, start type and more.\n\n")
return true
end
}
service_name = args.shift
start_type_map = {
0 => "Boot",
1 => "System",
2 => "Automatic",
3 => "Manual",
4 => "Disabled"
}
detail = client.extapi.service_query(service_name)
print_line()
print_line("Name : #{service_name}")
print_line("Display : #{detail[:display]}")
print_line("Account : #{detail[:startname]}")
print_line("Start Type : #{start_type_map[detail[:starttype]]}")
print_line("Path : #{detail[:path]}")
print_line("L.O. Group : #{detail[:logroup]}")
print_line("Interactive : #{detail[:interactive] ? "Yes" : "No"}")
print_line("DACL : #{detail[:dacl]}")
print_line()
end
# #
# Name for this dispatcher # Name for this dispatcher
# #
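Review bot: `start_type_map[detail[:starttype]]` in cmd_service_query returns nil for any start type the agent reports outside 0..4, so the "Start Type" line prints blank and the raw value is lost; `print_line("Start Type : #{start_type_map.fetch(detail[:starttype], detail[:starttype])}")` keeps an unexpected value visible. The map is also rebuilt on every invocation and could be a frozen constant next to the other class-level definitions. The help banner has a typo: `"Gets details information about a particular Windows service, including\n"` should read `"Gets detailed information about a particular Windows service, including\n"`. The -1,6 +1,5 hunk above is a blank-line removal and needs nothing.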