Metasploit mailing list archives

meterpreter registry extension, REG_BINARY


From: metasploit at backstep.net (Lukas Kuzmiak)
Date: Thu, 13 Nov 2008 17:05:36 +0100

Hello,

I've been playing with the registry extension of meterpreter and I have an
idea for a little improvement.
If you try to read a binary value from the registry, e.g. with

reg queryval -k "HKEY_LOCAL_MACHINE\bla\bla\bla" -v "somevalue"

You'll get:

Key: HKEY_LOCAL_MACHINE\bla\bla\bla
Name: somevalue
Type: REG_BINARY
Data: <binary value>

And that's not very useful (not for me, I don't like to transfer
binary values as strings ;)), so here's my little patch for base64
encoding binary values returned from the registry and decoding values
while writing to the registry (so you have to enter your value in base64, of
course). I hope it will help someone :)


--- lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb  (revision 5914)
+++ lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb  (working copy)
@@ -137,6 +137,8 @@
                        data += "\x00"
                elsif (type == REG_DWORD)
                        data = [ data.to_i ].pack("V")
+               elsif (type == REG_BINARY)
+                       data = Rex::Text.decode_base64(data)
                end

                request.add_tlv(TLV_TYPE_VALUE_DATA, data)
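
Review bot: the new REG_BINARY branch hands whatever the caller supplied to Rex::Text.decode_base64 with no check that it is well-formed base64, and nothing in this branch reports a problem before the result reaches request.add_tlv(TLV_TYPE_VALUE_DATA, data). A mistyped value, or a caller that still passes raw bytes as it could before this change, would have its input decoded and written to the registry anyway. Suggest validating the string before decoding and raising on anything that is not clean base64, and stating in the method's comment that REG_BINARY data is now expected in base64, since this changes the contract for existing scripts.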
@@ -165,6 +167,8 @@
                        data = data[0..-2]
                elsif (type == REG_DWORD)
                        data = data.unpack("N")[0]
+               elsif (type == REG_BINARY)
+                       data = "(base64 encoded) " +
Rex::Text.encode_base64(data)
                end

                return
Rex::Post::Meterpreter::Extensions::Stdapi::Sys::RegistrySubsystem::RegistryValue.new(
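
Review bot: in the read path, the REG_BINARY branch replaces the value's data with a display string, "(base64 encoded) " followed by the encoded bytes, inside the library method that builds the RegistryValue, so every caller of this method now receives a labelled string instead of the bytes themselves. It also makes the output asymmetric with the write path, which decodes its input as bare base64: a value copied from queryval has to have the prefix stripped before it can be written back. Suggest returning the raw bytes here and doing the encoding and labelling where the reg queryval command prints the value.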


Regards,

lukash


