Land rapid7#4150, adds getsid command

Fixes rapid7#3787

Author: kernelsmith

lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb

@@ -20,6 +20,8 @@ module Sys
 ###
 class Config
 
+  SYSTEM_SID = 'S-1-5-18'
+
   def initialize(client)
     self.client = client
   end
@@ -33,6 +35,22 @@ def getuid
     client.unicode_filter_encode( response.get_tlv_value(TLV_TYPE_USER_NAME) )
   end
 
+  #
+  # Gets the SID of the current process/thread.
+  #
+  def getsid
+    request = Packet.create_request('stdapi_sys_config_getsid')
+    response = client.send_request(request)
+    response.get_tlv_value(TLV_TYPE_SID)
+  end
+
+  #
+  # Determine if the current process/thread is running as SYSTEM
+  #
+  def is_system?
+    getsid == SYSTEM_SID
+  end
+
   #
   # Returns a hash of requested environment variables, along with their values.
   # If a requested value doesn't exist in the response, then the value wasn't found.

lib/rex/post/meterpreter/extensions/stdapi/tlv.rb

@@ -116,6 +116,7 @@ module Stdapi
 TLV_TYPE_USER_NAME          = TLV_META_TYPE_STRING  | 1042
 TLV_TYPE_ARCHITECTURE       = TLV_META_TYPE_STRING  | 1043
 TLV_TYPE_LANG_SYSTEM        = TLV_META_TYPE_STRING  | 1044
+TLV_TYPE_SID                = TLV_META_TYPE_STRING  | 1045
 
 # Environment
 TLV_TYPE_ENV_VARIABLE       = TLV_META_TYPE_STRING  | 1100

lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb

@@ -221,7 +221,7 @@ def cmd_snarf_hashes(*args)
   end
 
   def system_privilege_check
-    if (client.sys.config.getuid != "NT AUTHORITY\\SYSTEM")
+    unless client.sys.config.is_system?
       print_line("[-] Warning: Not currently running as SYSTEM, not all tokens will be available")
       print_line("             Call rev2self if primary process token is SYSTEM")
     end

lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb

@@ -88,6 +88,7 @@ def commands
       "getpid"      => "Get the current process identifier",
       "getprivs"    => "Attempt to enable all privileges available to the current process",
       "getuid"      => "Get the user that the server is running as",
+      "getsid"      => "Get the SID of the user that the server is running as",
       "getenv"      => "Get one or more environment variable values",
       "kill"        => "Terminate a process",
       "ps"          => "List running processes",
@@ -107,6 +108,7 @@ def commands
       "getpid"      => [ "stdapi_sys_process_getpid"  ],
       "getprivs"    => [ "stdapi_sys_config_getprivs" ],
       "getuid"      => [ "stdapi_sys_config_getuid" ],
+      "getsid"      => [ "stdapi_sys_config_getsid" ],
       "getenv"      => [ "stdapi_sys_config_getenv" ],
       "kill"        => [ "stdapi_sys_process_kill" ],
       "ps"          => [ "stdapi_sys_process_get_processes" ],
@@ -279,6 +281,13 @@ def cmd_getuid(*args)
     print_line("Server username: #{client.sys.config.getuid}")
   end
 
+  #
+  # Display the SID of the user that the server is running as.
+  #
+  def cmd_getsid(*args)
+    print_line("Server SID: #{client.sys.config.getsid}")
+  end
+
   #
   # Get the value of one or more environment variables from the target.
   #