2016-06-12 09:59:57 +00:00
|
|
|
##
|
2017-07-24 13:26:21 +00:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
2016-06-12 09:59:57 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
require 'msf/core/post/common'
|
|
|
|
|
|
|
|
|
|
class MetasploitModule < Msf::Post
|
|
|
|
|
include Msf::Post::Windows::Registry
|
|
|
|
|
include Msf::Post::Common
|
|
|
|
|
|
2016-06-15 21:41:59 +00:00
|
|
|
OFFICE_REGISTRY_PATH = 'HKCU\\SOFTWARE\\Microsoft\\Office'
|
|
|
|
|
TRUSTED_LOCATIONS_PATH = 'Security\\Trusted Locations'
|
|
|
|
|
|
2016-06-12 09:59:57 +00:00
|
|
|
def initialize(info = {})
|
|
|
|
|
super(update_info(info,
|
|
|
|
|
'Name' => 'Windows Gather Microsoft Office Trusted Locations',
|
2016-06-15 21:41:59 +00:00
|
|
|
'Description' => %q( This module will enumerate the Microsoft Office trusted locations on the target host. ),
|
2016-06-12 09:59:57 +00:00
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
|
'Author' => [ 'vysec <vincent.yiu[at]mwrinfosecurity.com>' ],
|
|
|
|
|
'Platform' => [ 'win' ],
|
|
|
|
|
'SessionTypes' => [ 'meterpreter' ]
|
|
|
|
|
))
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def print_status(msg='')
|
|
|
|
|
super("#{peer} - #{msg}")
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def print_good(msg='')
|
|
|
|
|
super("#{peer} - #{msg}")
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def run
|
2016-06-15 21:41:59 +00:00
|
|
|
locations = ""
|
|
|
|
|
[REGISTRY_VIEW_64_BIT, REGISTRY_VIEW_32_BIT].each do |registry_arch|
|
2016-10-27 21:16:05 +00:00
|
|
|
arch = registry_arch == REGISTRY_VIEW_64_BIT ? ARCH_X64 : ARCH_X86
|
2016-06-15 21:41:59 +00:00
|
|
|
reg_keys = registry_enumkeys(OFFICE_REGISTRY_PATH, registry_arch)
|
|
|
|
|
if reg_keys.nil?
|
2017-07-19 11:48:52 +00:00
|
|
|
print_error("Failed to enumerate Office in #{arch} registry hive.")
|
2016-06-15 21:41:59 +00:00
|
|
|
return
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
reg_keys.each do |version|
|
|
|
|
|
next if /[0-9][0-9].0/.match(version).nil?
|
|
|
|
|
|
|
|
|
|
print_status("Version found: #{version}")
|
|
|
|
|
version_path = "#{OFFICE_REGISTRY_PATH}\\#{version}"
|
|
|
|
|
applications = registry_enumkeys(version_path, registry_arch)
|
|
|
|
|
|
|
|
|
|
if applications.nil?
|
|
|
|
|
print_status('Failed to enumerate applications.')
|
|
|
|
|
next
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
vprint_status('Found applications.')
|
|
|
|
|
#find version to use
|
|
|
|
|
applications.each do |application|
|
|
|
|
|
trusted_locations_path = "#{version_path}\\#{application}\\#{TRUSTED_LOCATIONS_PATH}"
|
|
|
|
|
trusted_locations = registry_enumkeys(trusted_locations_path, registry_arch)
|
|
|
|
|
next if trusted_locations.nil?
|
2016-06-15 12:41:19 +00:00
|
|
|
|
2016-06-15 21:41:59 +00:00
|
|
|
print_good("Found trusted locations in #{application}")
|
|
|
|
|
#find version to use
|
|
|
|
|
trusted_locations.each do |location|
|
|
|
|
|
location_path = "#{trusted_locations_path}\\#{location}"
|
|
|
|
|
description = registry_getvaldata(location_path, 'Description', registry_arch)
|
|
|
|
|
allow_subfolders = registry_getvaldata(location_path, 'AllowSubFolders', registry_arch)
|
|
|
|
|
path = registry_getvaldata(location_path, 'Path', registry_arch)
|
|
|
|
|
vprint_status("Description: #{description}")
|
|
|
|
|
result = "Application: #{application}, Path: #{path}, AllSubFolders: #{!!allow_subfolders}"
|
|
|
|
|
locations << "#{result}\n"
|
|
|
|
|
print_status(result)
|
|
|
|
|
end
|
2016-06-12 12:00:44 +00:00
|
|
|
end
|
2016-06-12 09:59:57 +00:00
|
|
|
end
|
2016-06-15 21:41:59 +00:00
|
|
|
path = store_loot('host.trusted_locations', 'text/plain', session, locations, 'trusted_locations.txt', 'Trusted Locations')
|
2016-06-12 09:59:57 +00:00
|
|
|
print_good("Results stored in: #{path}")
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
