2011-10-17 04:20:53 +00:00
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
2012-02-21 01:40:50 +00:00
|
|
|
# web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/
|
2011-10-17 04:20:53 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Post
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => "Windows Gather Directory Permissions Enumeration",
|
|
|
|
'Description' => %q{
|
|
|
|
This module enumerates directories and lists the permissions set
|
2012-11-13 00:29:56 +00:00
|
|
|
on found directories. Please note: if the PATH option isn't specified,
|
|
|
|
then the module will start enumerate whatever is in the target machine's
|
|
|
|
%PATH% variable.
|
2011-10-17 04:20:53 +00:00
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
2012-10-23 18:33:01 +00:00
|
|
|
'Platform' => ['win'],
|
2011-10-17 04:20:53 +00:00
|
|
|
'SessionTypes' => ['meterpreter'],
|
2012-11-13 00:35:32 +00:00
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'Kx499',
|
|
|
|
'Ben Campbell <eat_meatballs[at]hotmail.co.uk>',
|
|
|
|
'sinn3r'
|
|
|
|
]
|
2011-10-17 04:20:53 +00:00
|
|
|
))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
2012-11-13 00:29:56 +00:00
|
|
|
OptString.new('PATH', [ false, 'Directory to begin search from', '']),
|
2011-10-17 04:20:53 +00:00
|
|
|
OptEnum.new('FILTER', [ false, 'Filter to limit results by', 'NA', [ 'NA', 'R', 'W', 'RW' ]]),
|
|
|
|
OptInt.new('DEPTH', [ true, 'Depth to drill down into subdirs, O = no limit',0]),
|
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
def get_imperstoken
|
|
|
|
adv = session.railgun.advapi32
|
|
|
|
tok_all = "TOKEN_ASSIGN_PRIMARY |TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY | "
|
|
|
|
tok_all << "TOKEN_QUERY_SOURCE | TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS"
|
|
|
|
tok_all << " | TOKEN_ADJUST_DEFAULT"
|
|
|
|
|
|
|
|
#get impersonation token handle it["DuplicateTokenhandle"] carries this value
|
|
|
|
#p = kern.GetCurrentProcess() #get handle to current process
|
|
|
|
pid = session.sys.process.open.pid
|
|
|
|
pr = session.sys.process.open(pid, PROCESS_ALL_ACCESS)
|
2011-10-23 11:56:13 +00:00
|
|
|
pt = adv.OpenProcessToken(pr.handle, tok_all, 4) #get handle to primary token
|
2011-10-17 04:20:53 +00:00
|
|
|
it = adv.DuplicateToken(pt["TokenHandle"],2, 4) # get an impersonation token
|
|
|
|
if it["return"] #if it fails return 0 for error handling
|
|
|
|
return it["DuplicateTokenHandle"]
|
2011-10-23 11:56:13 +00:00
|
|
|
else
|
2011-10-17 04:20:53 +00:00
|
|
|
return 0
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def check_dir(dir, token)
|
2011-12-24 20:57:46 +00:00
|
|
|
# If path doesn't exist, do not continue
|
|
|
|
begin
|
|
|
|
session.fs.dir.entries(dir)
|
2012-11-13 00:59:44 +00:00
|
|
|
rescue => e
|
|
|
|
vprint_error("#{e.message}: #{dir}")
|
2011-12-24 20:57:46 +00:00
|
|
|
return nil
|
|
|
|
end
|
|
|
|
|
2011-10-17 04:20:53 +00:00
|
|
|
adv = session.railgun.advapi32
|
|
|
|
si = "OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION"
|
|
|
|
result = ""
|
|
|
|
|
|
|
|
#define generic mapping structure
|
|
|
|
gen_map = [0,0,0,0]
|
|
|
|
gen_map = gen_map.pack("L")
|
|
|
|
|
2011-10-23 11:56:13 +00:00
|
|
|
#get Security Descriptor for the directory
|
2011-10-17 04:20:53 +00:00
|
|
|
f = adv.GetFileSecurityA(dir, si, 20, 20, 4)
|
|
|
|
f = adv.GetFileSecurityA(dir, si, f["lpnLengthNeeded"], f["lpnLengthNeeded"], 4)
|
|
|
|
sd = f["pSecurityDescriptor"]
|
|
|
|
|
|
|
|
#check for write access, called once to get buffer size
|
|
|
|
a = adv.AccessCheck(sd, token, "ACCESS_READ | ACCESS_WRITE", gen_map, 0, 0, 4, 8)
|
|
|
|
len = a["PrivilegeSetLength"]
|
|
|
|
|
|
|
|
r = adv.AccessCheck(sd, token, "ACCESS_READ", gen_map, len, len, 4, 8)
|
2011-12-24 20:57:46 +00:00
|
|
|
if !r["return"] then return nil end
|
2011-10-17 04:20:53 +00:00
|
|
|
if r["GrantedAccess"] > 0 then result << "R" end
|
|
|
|
|
|
|
|
w = adv.AccessCheck(sd, token, "ACCESS_WRITE", gen_map, len, len, 4, 8)
|
2011-12-24 20:57:46 +00:00
|
|
|
if !w["return"] then return nil end
|
2011-10-17 04:20:53 +00:00
|
|
|
if w["GrantedAccess"] > 0 then result << "W" end
|
|
|
|
end
|
|
|
|
|
2012-11-13 00:29:56 +00:00
|
|
|
def enum_subdirs(perm_filter, dpath, maxdepth, token)
|
2011-10-17 04:20:53 +00:00
|
|
|
filter = datastore['FILTER']
|
|
|
|
filter = nil if datastore['FILTER'] == 'NA'
|
2012-11-13 00:29:56 +00:00
|
|
|
|
2012-11-13 00:59:44 +00:00
|
|
|
begin
|
|
|
|
dirs = session.fs.dir.foreach(dpath)
|
|
|
|
rescue Rex::Post::Meterpreter::RequestError
|
|
|
|
# Sometimes we cannot see the dir
|
|
|
|
dirs = []
|
|
|
|
end
|
2012-11-13 00:29:56 +00:00
|
|
|
|
2011-10-17 04:20:53 +00:00
|
|
|
if maxdepth >= 1 or maxdepth < 0
|
|
|
|
dirs.each do|d|
|
|
|
|
next if d =~ /^(\.|\.\.)$/
|
|
|
|
realpath = dpath + '\\' + d
|
|
|
|
if session.fs.file.stat(realpath).directory?
|
2011-10-23 11:56:13 +00:00
|
|
|
perm = check_dir(realpath, token)
|
2012-11-13 00:54:47 +00:00
|
|
|
if perm_filter and perm and perm.include?(perm_filter)
|
2011-10-17 04:20:53 +00:00
|
|
|
print_status(perm + "\t" + realpath)
|
|
|
|
end
|
2012-11-13 00:29:56 +00:00
|
|
|
enum_subdirs(perm_filter, realpath, maxdepth - 1,token)
|
2011-10-17 04:20:53 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2012-11-13 00:29:56 +00:00
|
|
|
def get_paths
|
|
|
|
p = datastore['PATH']
|
|
|
|
return [p] if not p.nil? and not p.empty?
|
2011-10-17 04:20:53 +00:00
|
|
|
|
2012-11-13 00:29:56 +00:00
|
|
|
begin
|
|
|
|
p = cmd_exec("cmd.exe", "/c echo %PATH%")
|
|
|
|
rescue Rex::Post::Meterpreter::RequestError => e
|
|
|
|
vprint_error(e.message)
|
|
|
|
return []
|
2011-10-17 04:20:53 +00:00
|
|
|
end
|
2012-11-13 00:29:56 +00:00
|
|
|
print_status("Option 'PATH' isn't specified. Using system %PATH%")
|
|
|
|
if p.include?(';')
|
|
|
|
return p.split(';')
|
|
|
|
else
|
|
|
|
return [p]
|
2011-10-17 04:20:53 +00:00
|
|
|
end
|
2012-11-13 00:29:56 +00:00
|
|
|
end
|
2011-10-17 04:20:53 +00:00
|
|
|
|
2012-11-13 00:29:56 +00:00
|
|
|
def get_token
|
2011-10-17 04:20:53 +00:00
|
|
|
print_status("Getting impersonation token...")
|
2012-05-04 16:44:05 +00:00
|
|
|
begin
|
|
|
|
t = get_imperstoken()
|
|
|
|
rescue ::Exception => e
|
|
|
|
# Failure due to timeout, access denied, etc.
|
|
|
|
t = 0
|
|
|
|
vprint_error("Error #{e.message} while using get_imperstoken()")
|
|
|
|
vprint_error(e.backtrace)
|
|
|
|
end
|
2012-11-13 00:29:56 +00:00
|
|
|
return t
|
|
|
|
end
|
2011-10-23 11:56:13 +00:00
|
|
|
|
2012-11-13 00:29:56 +00:00
|
|
|
def enum_perms(perm_filter, token, depth, paths)
|
|
|
|
paths.each do |path|
|
|
|
|
next if path.empty?
|
|
|
|
path = path.strip
|
|
|
|
|
|
|
|
print_status("Checking directory permissions from: #{path}")
|
|
|
|
|
|
|
|
perm = check_dir(path, token)
|
|
|
|
if not perm.nil?
|
|
|
|
# Show the permission of the parent directory
|
|
|
|
if perm_filter and perm.include?(perm_filter)
|
|
|
|
print_status(perm + "\t" + path)
|
|
|
|
end
|
2011-10-17 04:20:53 +00:00
|
|
|
|
2011-12-24 20:57:46 +00:00
|
|
|
#call recursive function to loop through and check all sub directories
|
2012-11-13 00:29:56 +00:00
|
|
|
enum_subdirs(perm_filter, path, depth, token)
|
2011-12-24 20:57:46 +00:00
|
|
|
end
|
2011-10-17 04:20:53 +00:00
|
|
|
end
|
|
|
|
end
|
2012-11-13 00:29:56 +00:00
|
|
|
|
|
|
|
def run
|
|
|
|
perm_filter = datastore['FILTER']
|
|
|
|
perm_filter = nil if datastore['FILTER'] == 'NA'
|
|
|
|
|
|
|
|
paths = get_paths
|
|
|
|
if paths.empty?
|
|
|
|
print_error("Unable to get the path")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
depth = -1
|
|
|
|
if datastore['DEPTH'] > 0
|
|
|
|
depth = datastore['DEPTH']
|
|
|
|
end
|
|
|
|
|
|
|
|
t = get_token
|
|
|
|
|
|
|
|
if t == 0
|
|
|
|
print_error("Getting impersonation token failed")
|
|
|
|
else
|
|
|
|
print_status("Got token: #{t.to_s}...")
|
|
|
|
enum_perms(perm_filter, t, depth, paths)
|
|
|
|
end
|
|
|
|
end
|
2011-10-17 04:20:53 +00:00
|
|
|
end
|