Fix and test writing REG_EXPAND_SZ values

2022-09-08 09:11:43 -04:00 · 2022-09-08 09:11:43 -04:00 · 61a2bde27d
parent eaf149ac21
commit 61a2bde27d
2 changed files with 27 additions and 1 deletions
--- a/lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb
+++ b/lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb
@ -218,6 +218,8 @@ class Registry
    case type
    when REG_DWORD
      data = [data.to_i].pack('V')
+    when REG_EXPAND_SZ
+      data << "\x00".b
    when REG_MULTI_SZ
      data = data.join("\x00".b) + "\x00\x00".b
    when REG_SZ
@ -243,6 +245,8 @@ class Registry
    case type
    when REG_DWORD
      data = [data.to_i].pack('V')
+    when REG_EXPAND_SZ
+      data << "\x00".b
    when REG_MULTI_SZ
      data = data.join("\x00".b) + "\x00\x00".b
    when REG_SZ
@ -276,6 +280,8 @@ class Registry
    case type
    when REG_DWORD
      data = data.unpack1('N')
+    when REG_EXPAND_SZ
+      data = data[0..-2]
    when REG_MULTI_SZ
      data = data[0..-3].split("\x00".b)
    when REG_SZ
@ -300,6 +306,8 @@ class Registry
    case type
    when REG_DWORD
      data = data.unpack1('N')
+    when REG_EXPAND_SZ
+      data = data[0..-2]
    when REG_MULTI_SZ
      data = data[0..-3].split("\x00".b)
    when REG_SZ
--- a/test/modules/post/test/registry.rb
+++ b/test/modules/post/test/registry.rb
@ -136,6 +136,24 @@ class MetasploitModule < Msf::Post
        ret &&= !!(valinfo["Data"].kind_of? Numeric)
        ret &&= !!(valinfo["Data"] == 1234)
      end
+
+      ret
+    end
+
+    it "should write REG_EXPAND_SZ values" do
+      ret = true
+      value = '%SystemRoot%\system32'
+      registry_setvaldata(%q#HKCU\test_key#, "test_val_expand_str", value, "REG_EXPAND_SZ")
+      valinfo = registry_getvalinfo(%q#HKCU\test_key#, "test_val_expand_str")
+      if (valinfo.nil?)
+        ret = false
+      else
+        # type == REG_EXPAND_SZ means string
+        ret &&= !!(valinfo["Type"] == 2)
+        ret &&= !!(valinfo["Data"].kind_of? String)
+        ret &&= !!(valinfo["Data"] == 'C:\Windows\system32')
+      end
+
      ret
    end

@ -147,7 +165,7 @@ class MetasploitModule < Msf::Post
      if (valinfo.nil?)
        ret = false
      else
-        # type == REG_MULTI_SZ means string
+        # type == REG_MULTI_SZ means string array
        ret &&= !!(valinfo["Type"] == 7)
        ret &&= !!(valinfo["Data"].kind_of? Array)
        ret &&= !!(valinfo["Data"] == values)