Cleanup
Meatballs
parent
8a68e86a0a
commit
0451d4f079
|
|
@ -11,6 +11,9 @@ class MetasploitModule < Msf::Post
|
||||||
include Msf::Post::Windows::Registry
|
include Msf::Post::Windows::Registry
|
||||||
include Msf::Post::Common
|
include Msf::Post::Common
|
||||||
|
|
||||||
|
OFFICE_REGISTRY_PATH = 'HKCU\\SOFTWARE\\Microsoft\\Office'
|
||||||
|
TRUSTED_LOCATIONS_PATH = 'Security\\Trusted Locations'
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
'Name' => 'Windows Gather Microsoft Office Trusted Locations',
|
'Name' => 'Windows Gather Microsoft Office Trusted Locations',
|
||||||
|
|
@ -31,57 +34,49 @@ class MetasploitModule < Msf::Post
|
||||||
end
|
end
|
||||||
|
|
||||||
def run
|
def run
|
||||||
reg_view = sysinfo['Architecture'] =~ /x64/ ? REGISTRY_VIEW_64_BIT : REGISTRY_VIEW_32_BIT
|
locations = ""
|
||||||
reg_keys = registry_enumkeys('HKCU\\SOFTWARE\\Microsoft\\Office', reg_view)
|
[REGISTRY_VIEW_64_BIT, REGISTRY_VIEW_32_BIT].each do |registry_arch|
|
||||||
|
arch = registry_arch == REGISTRY_VIEW_64_BIT ? 'x64' : 'x86'
|
||||||
|
reg_keys = registry_enumkeys(OFFICE_REGISTRY_PATH, registry_arch)
|
||||||
if reg_keys.nil?
|
if reg_keys.nil?
|
||||||
print_status('Failed to enumerate Office.')
|
print_status("Failed to enumerate Office in #{arch} registry hive.")
|
||||||
else
|
return
|
||||||
print_status('')
|
end
|
||||||
print_status('Found Office.')
|
|
||||||
#find version to use
|
|
||||||
reg_keys.each do |path|
|
|
||||||
if not /[0-9][0-9].0/.match(path).nil?
|
|
||||||
val1 = path
|
|
||||||
print_status("Version found: #{val1}")
|
|
||||||
reg_keys2 = registry_enumkeys("HKCU\\SOFTWARE\\Microsoft\\Office\\#{val1}", reg_view)
|
|
||||||
if reg_keys2.nil?
|
|
||||||
print_status('Failed to enumerate applications.')
|
|
||||||
else
|
|
||||||
print_status('Found applications.')
|
|
||||||
|
|
||||||
print_status('')
|
reg_keys.each do |version|
|
||||||
|
next if /[0-9][0-9].0/.match(version).nil?
|
||||||
|
|
||||||
|
print_status("Version found: #{version}")
|
||||||
|
version_path = "#{OFFICE_REGISTRY_PATH}\\#{version}"
|
||||||
|
applications = registry_enumkeys(version_path, registry_arch)
|
||||||
|
|
||||||
|
if applications.nil?
|
||||||
|
print_status('Failed to enumerate applications.')
|
||||||
|
next
|
||||||
|
end
|
||||||
|
|
||||||
|
vprint_status('Found applications.')
|
||||||
#find version to use
|
#find version to use
|
||||||
reg_keys2.each do |path2|
|
applications.each do |application|
|
||||||
val2 = path2
|
trusted_locations_path = "#{version_path}\\#{application}\\#{TRUSTED_LOCATIONS_PATH}"
|
||||||
reg_keys3 = registry_enumkeys("HKCU\\SOFTWARE\\Microsoft\\Office\\#{val1}\\#{val2}\\Security\\Trusted Locations", reg_view)
|
trusted_locations = registry_enumkeys(trusted_locations_path, registry_arch)
|
||||||
if not reg_keys3.nil?
|
next if trusted_locations.nil?
|
||||||
print_status('')
|
|
||||||
print_good("Found trusted locations in #{val2}")
|
print_good("Found trusted locations in #{application}")
|
||||||
#find version to use
|
#find version to use
|
||||||
reg_keys3.each do |path3|
|
trusted_locations.each do |location|
|
||||||
val3 = path3
|
location_path = "#{trusted_locations_path}\\#{location}"
|
||||||
#print_status(path3)
|
description = registry_getvaldata(location_path, 'Description', registry_arch)
|
||||||
print_status('')
|
allow_subfolders = registry_getvaldata(location_path, 'AllowSubFolders', registry_arch)
|
||||||
reg_vals = registry_getvaldata("HKCU\\SOFTWARE\\Microsoft\\Office\\#{val1}\\#{val2}\\Security\\Trusted Locations\\#{val3}", "Description", reg_view)
|
path = registry_getvaldata(location_path, 'Path', registry_arch)
|
||||||
if not reg_vals.nil?
|
vprint_status("Description: #{description}")
|
||||||
print_status("Description: #{reg_vals}")
|
result = "Application: #{application}, Path: #{path}, AllSubFolders: #{!!allow_subfolders}"
|
||||||
end
|
locations << "#{result}\n"
|
||||||
reg_vals2 = registry_getvaldata("HKCU\\SOFTWARE\\Microsoft\\Office\\#{val1}\\#{val2}\\Security\\Trusted Locations\\#{val3}", "AllowSubFolders", reg_view)
|
print_status(result)
|
||||||
reg_vals = registry_getvaldata("HKCU\\SOFTWARE\\Microsoft\\Office\\#{val1}\\#{val2}\\Security\\Trusted Locations\\#{val3}", "Path", reg_view)
|
|
||||||
if not reg_vals.nil?
|
|
||||||
if not reg_vals2.nil?
|
|
||||||
print_status("Path: #{reg_vals}, AllowSub: True")
|
|
||||||
else
|
|
||||||
print_status("Path: #{reg_vals}, AllowSub: False")
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
path = store_loot('host.trusted_locations', 'text/plain', session, locations, 'trusted_locations.txt', 'Trusted Locations')
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
path = store_loot('host.trusted_locations', 'text/plain', session, reg_keys.join("\r\n"), 'trusted_locations.txt', 'Trusted Locations')
|
|
||||||
print_good("Results stored in: #{path}")
|
print_good("Results stored in: #{path}")
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue