Metasploit mailing list archives
meterpreter registry extension, REG_BINARY
From: metasploit at backstep.net (Lukas Kuzmiak)
Date: Thu, 13 Nov 2008 17:05:36 +0100
Hello,

I've been playing with the registry extension of meterpreter and I have an idea for a little improvement. If you try to read a binary value from the registry, e.g. with

reg queryval -k "HKEY_LOCAL_MACHINE\bla\bla\bla" -v "somevalue"

you'll get:

Key: HKEY_LOCAL_MACHINE\bla\bla\bla
Name: somevalue
Type: REG_BINARY
Data: <binary value>

And that's not very useful (not for me, I don't like to transfer binary values as strings ;)), so here's my little patch for base64 encoding binary values returned from the registry and decoding values while writing to the registry (so you have to enter your value in base64, of course).

I hope it will help someone :)

--- lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb (revision 5914) +++ lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb (working copy) @@ -137,6 +137,8 @@ data += "\x00" elsif (type == REG_DWORD) data = [ data.to_i ].pack("V") + elsif (type == REG_BINARY) + data = Rex::Text.decode_base64(data) end request.add_tlv(TLV_TYPE_VALUE_DATA, data) @@ -165,6 +167,8 @@ data = data[0..-2] elsif (type == REG_DWORD) data = data.unpack("N")[0] + elsif (type == REG_BINARY) + data = "(base64 encoded) " + Rex::Text.encode_base64(data) end return Rex::Post::Meterpreter::Extensions::Stdapi::Sys::RegistrySubsystem::RegistryValue.new(

Regards,
lukash
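Review bot: the new REG_BINARY branch in the "@@ -137,6 +137,8 @@" hunk passes data straight to Rex::Text.decode_base64 with no check that it is well-formed base64, so a mistyped or raw-byte argument would be written to the registry as whatever the decoder returns. Because the branch sits in the library file registry.rb rather than in the console command, it also changes what every caller has to pass for REG_BINARY, not only the interactive reg command. I'd suggest rejecting input that is not valid base64 with an error, or moving the decode up to the code that parses the user's argument so this layer keeps taking raw bytes.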
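Review bot: the REG_BINARY branch in the "@@ -165,6 +167,8 @@" hunk stores a display label inside the value itself ("(base64 encoded) " + Rex::Text.encode_base64(data)), so the string a query returns is not something the write-side decode branch accepts, and code reading the RegistryValue gets labelled text instead of the bytes. I'd return only the encoded string (or leave the raw bytes untouched) here and add the "(base64 encoded)" label at the point where the value is printed, so a value that is read can be written back unchanged.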