metasploit-framework/modules/post/windows/manage/vss_list.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


require 'msf/core'
require 'rex'

class MetasploitModule < Msf::Post

  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::ShadowCopy

  def initialize(info={})
    super(update_info(info,
      'Name'                 => "Windows Manage List Shadow Copies",
      'Description'          => %q{
        This module will attempt to list any Volume Shadow Copies
        on the system. This is based on the VSSOwn Script
        originally posted by Tim Tomes and Mark Baggett.

        Works on win2k3 and later.
        },
      'License'              => MSF_LICENSE,
      'Platform'             => ['win'],
      'SessionTypes'         => ['meterpreter'],
      'Author'               => ['theLightCosine'],
      'References'    => [
        [ 'URL', 'http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html' ]
      ]
    ))
  end


  def run
    unless is_admin?
      print_error("This module requires admin privs to run")
      return
    end
    if is_uac_enabled?
      print_error("This module requires UAC to be bypassed first")
      return
    end
    unless start_vss
      return
    end

    list = ""
    shadow_copies = vss_list
    unless shadow_copies.empty?
      shadow_copies.each do |copy|
        tbl = Rex::Text::Table.new(
          'Header'  => 'Shadow Copy Data',
          'Indent'  => 1,
          'Columns' => ['Field', 'Value']
        )
        copy.each_pair{|k,v| tbl << [k,v]}
        list << " #{tbl.to_s} \n\n"
        print_good tbl.to_s
      end
      store_loot(
          'host.shadowcopies',
          'text/plain',
          session,
          list,
          'shadowcopies.txt',
          'Shadow Copy Info'
      )
    end
  end

end
Adds mixin and post modules to manipulate Volume shadowcopy Service(VSS) 2011-12-30 23:03:04 +00:00			`##`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 16:47:33 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adds mixin and post modules to manipulate Volume shadowcopy Service(VSS) 2011-12-30 23:03:04 +00:00			`##`


			`require 'msf/core'`
			`require 'rex'`

use MetasploitModule as a class name 2016-03-08 13:02:44 +00:00			`class MetasploitModule < Msf::Post`
Adds mixin and post modules to manipulate Volume shadowcopy Service(VSS) 2011-12-30 23:03:04 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Post::Windows::Priv`
			`include Msf::Post::Windows::ShadowCopy`
Adds mixin and post modules to manipulate Volume shadowcopy Service(VSS) 2011-12-30 23:03:04 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => "Windows Manage List Shadow Copies",`
			`'Description' => %q{`
			`This module will attempt to list any Volume Shadow Copies`
			`on the system. This is based on the VSSOwn Script`
			`originally posted by Tim Tomes and Mark Baggett.`
A few more author typos 2012-03-05 20:28:23 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`Works on win2k3 and later.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Platform' => ['win'],`
			`'SessionTypes' => ['meterpreter'],`
			`'Author' => ['theLightCosine'],`
			`'References' => [`
			`[ 'URL', 'http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html' ]`
			`]`
			`))`
			`end`
Adds mixin and post modules to manipulate Volume shadowcopy Service(VSS) 2011-12-30 23:03:04 +00:00

Retab modules 2013-08-30 21:28:54 +00:00			`def run`
			`unless is_admin?`
			`print_error("This module requires admin privs to run")`
			`return`
			`end`
			`if is_uac_enabled?`
			`print_error("This module requires UAC to be bypassed first")`
			`return`
			`end`
			`unless start_vss`
			`return`
			`end`
Massive whitespace cleanup 2012-03-18 05:07:27 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`list = ""`
			`shadow_copies = vss_list`
			`unless shadow_copies.empty?`
			`shadow_copies.each do \|copy\|`
replace old rex::ui::text::table refs everywhere we called the class we have now rewritten it to use the new namespace MS-1875 2016-08-10 18:30:09 +00:00			`tbl = Rex::Text::Table.new(`
Retab modules 2013-08-30 21:28:54 +00:00			`'Header' => 'Shadow Copy Data',`
			`'Indent' => 1,`
			`'Columns' => ['Field', 'Value']`
			`)`
			`copy.each_pair{\|k,v\| tbl << [k,v]}`
			`list << " #{tbl.to_s} \n\n"`
			`print_good tbl.to_s`
			`end`
			`store_loot(`
			`'host.shadowcopies',`
			`'text/plain',`
			`session,`
			`list,`
			`'shadowcopies.txt',`
			`'Shadow Copy Info'`
			`)`
			`end`
			`end`
Adds mixin and post modules to manipulate Volume shadowcopy Service(VSS) 2011-12-30 23:03:04 +00:00
			`end`