enum_emet

A module to enumerate all the EMET wildcard paths.

modules/post/windows/gather/enum_emet.rb

@@ -0,0 +1,56 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex'
+require 'msf/core/post/common'
+
+class MetasploitModule < Msf::Post
+
+  include Msf::Post::Windows::Priv
+  include Msf::Post::Windows::Registry
+  include Msf::Post::Common
+
+  def initialize(info={})
+    super( update_info( info,
+        'Name'          => 'Windows Gather EMET Protected Paths',
+        'Description'   => %q{ This module will enumerate the EMET protected paths on the target host.},
+        'License'       => MSF_LICENSE,
+        'Author'        => [ 'vysec <vincent.yiu[at]mwrinfosecurity.com>'],
+        'Platform'      => [ 'win' ],
+        'SessionTypes'  => [ 'meterpreter' ]
+      ))
+
+  end
+
+  # Run Method for when run command is issued
+  def run
+    print_status("Running module against #{sysinfo['Computer']}")
+    
+    if sysinfo['Architecture'] =~ /x64/
+        print_status("The underlying OS is 64 bit")
+        if client.platform =~ /x86/
+          print_error("You are in a 32 bit process, migrate to 64 bit and try again.")
+        end
+    end
+    
+    isadmin = is_admin?
+
+    #a = registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System','SystemBiosVersion')
+    reg_vals = registry_enumvals('HKLM\\SOFTWARE\\Microsoft\\EMET\\AppSettings')
+    
+    t = ""
+
+    reg_vals.each do |x|
+        t << "#{x}\r\n"
+    end
+
+    puts t
+
+    p = store_loot("host.emet_paths", "text/plain", session, t, "emet_paths.txt", "EMET Paths")
+    print_status("Results stored in: #{p}")
+  end
+
+end