Merge branch 'master' of https://github.com/averagesecurityguy/metasploit-framework

2012-01-12 17:06:14 -06:00 · 2012-01-12 17:06:14 -06:00 · 02bd1f3407
parent 6234d13f7c cb146f9021
commit 02bd1f3407
3 changed files with 164 additions and 0 deletions
--- a/data/post/artifacts
+++ b/data/post/artifacts
@ -0,0 +1,14 @@
+# This file contains a list of artifacts used by the enum_artifacts post module
+# Artifacts should be listed one per line and use the following formats:
+# File entries
+#	file|path/to/file|md5sum
+#
+# Registry entries
+#	reg|hive|key|value
+# 
+# Happy hunting
+
+file|c:\ntdetect.com|b2de3452de03674c6cec68b8c8ce7c78
+file|c:\boot.ini|fa579938b0733b87066546afe951082c
+reg|HKEY_LOCAL_MACHINE\SYSTEM\Select|Current|1
+reg|HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ACPI|DisplayName|Microsoft ACPI Driver
--- a/lib/msf/core/post/file.rb
+++ b/lib/msf/core/post/file.rb
@ -33,6 +33,15 @@ module File
 		end
 	end

+	#
+	# Returns a MD5 checksum of a given remote file
+	#
+
+	def file_remote_digestmd5(file2md5)
+		chksum = Digest::MD5.hexdigest(read_file(file2md5))
+		return chksum
+	end
+
 	#
 	# Returns a SHA1 checksum of a given local file
 	#
@ -47,6 +56,15 @@ module File
 		end
 	end

+	#
+	# Returns a SHA1 checksum of a given remote file
+	#
+
+	def file_remote_digestsha1(file2sha1)
+		chksum = Digest::SHA1.hexdigest(read_file(file2sha1))
+		return chksum
+	end
+
 	#
 	# Returns a SHA256 checksum of a given local file
 	#
@ -61,6 +79,15 @@ module File
 		end
 	end

+	#
+	# Returns a SHA2 checksum of a given remote file
+	#
+
+	def file_remote_digestsha2(file2sha2)
+		chksum = Digest::SHA256.hexdigest(read_file(file2sha2))
+		return chksum
+	end
+
 	#
 	# Platform-agnostic file read.  Returns contents of remote file +file_name+
 	# as a String.
--- a/modules/post/windows/gather/enum_artifacts.rb
+++ b/modules/post/windows/gather/enum_artifacts.rb
@ -0,0 +1,123 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'digest/md5'
+require 'rex'
+require 'msf/core'
+require 'msf/core/post/file'
+require 'msf/core/post/windows/registry'
+
+class Metasploit3 < Msf::Post
+
+	include Msf::Auxiliary::Report
+	include Msf::Post::File
+	include Msf::Post::Windows::Registry
+	
+	def initialize(info={})
+		super( update_info( info,
+			'Name'          => 'Windows File and Registry Artifacts Enumeration',
+			'Description'   => %q{ This module will check the file system and registry for particular artifacts. The 
+								   list of artifacts is read from data/post/artifacts or a user specified file. Any
+								   matches are written to the loot. },
+			'License'       => MSF_LICENSE,
+			'Author'        => [ 'averagesecurityguy <stephen[at]averagesecurityguy.info>' ],
+			'Version'       => '$Revision$',
+			'Platform'      => [ 'windows' ],
+			'SessionTypes'  => [ 'meterpreter' ]
+		))
+		register_options(
+			[
+				OptPath.new('ARTIFACTS', [false, 'Full path to artifacts file.', nil]),
+			], self.class)
+
+	end
+
+	def run
+		# Store any found artifacts so they can be written to loot
+		found = Array.new
+
+		if datastore['ARTIFACTS']
+			filename = datastore['ARTIFACTS']
+		else
+			filename = ::File.join(Msf::Config.data_directory, 'post',  'artifacts')
+			print_line(filename)
+		end
+		
+		if ::File.exists?(filename)
+			print_status("Processing artifacts file...")
+			
+			file = ::File.open(filename, "r")
+			file.each_line do |line|
+			    line.strip!
+				next if line.length < 1
+				next if line[0,1] == "#"
+				
+				if line =~ /^reg/
+					type, reg_key, val, data = line.split("|")
+					reg_data = registry_getvaldata(reg_key, val)
+				        if reg_data.to_s == data
+						found << "Matching registry entry: #{reg_key}\\#{val}"
+					end
+				end
+				
+				if line =~ /^file/
+					type, file, hash = line.split("|")
+					digest = file_remote_digestmd5(file)
+					if digest == hash then found << "Matching file entry: #{file}" end
+				end
+			end
+
+			print_status("Artifacts file processed successfully.")
+		else
+			print_error("Artifacts file does not exist!")
+		end
+
+		if found.length > 0
+			print_status("Artifacts found, saving to loot")
+
+			# Store artifacts in the loot.
+			loot_file = store_loot( 'enumerated.artifacts',
+									'text/plain', 
+									session, 
+									found.join("\n"), 
+									nil,
+									'Enumerated Artifacts')
+									
+			print_status("Enumerated artifacts stored in #{loot_file}")
+
+		else
+			print_status("No artifacts found.")
+		end
+	end
+
+    def get_base(str)
+        case str
+        when "HKEY_CLASSES_ROOT"
+            return HKEY_CLASSES_ROOT
+        when "HKEY_CURRENT_USER" 
+            return HKEY_CURRENT_USER
+        when "HKEY_LOCAL_MACHINE"
+            return HKEY_LOCAL_MACHINE
+        when "HKEY_USERS"
+            return HKEY_USERS
+        when "HKEY_PERFORMANCE_DATA"
+            return HKEY_PERFORMANCE_DATA
+        when "HKEY_CURRENT_CONFIG"
+            return HKEY_CURRENT_CONFIG
+        when "HKEY_DYN_DATA"
+            return HKEY_DYN_DATA
+        else
+            print_error "Unrecognized base key #{str}"
+            return nil
+        end
+    end
+end
+