refactor to use the registry mixin; now creates a note for the detected hypervisor

unstable
Carlos Perez 2012-12-22 10:27:54 -04:00
parent 924f5283ae
commit ddb9871577
1 changed files with 63 additions and 52 deletions


@ -9,11 +9,13 @@ require 'msf/core'
require 'rex'
require 'msf/core/post/windows/registry'
require 'msf/core/post/common'
require 'msf/core/auxiliary/report'
class Metasploit3 < Msf::Post
include Msf::Post::Windows::Registry
include Msf::Post::Common
include Msf::Auxiliary::Report
def initialize(info={})
super( update_info( info,
@ -26,7 +28,6 @@ class Metasploit3 < Msf::Post
},
'License' => MSF_LICENSE,
'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>'],
'Version' => '',
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ]
))
@ -36,30 +37,25 @@ class Metasploit3 < Msf::Post
def hypervchk(session)
begin
vm = false
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft', KEY_READ)
sfmsvals = key.enum_key
sfmsvals = registry_enumkeys('HKLM\SOFTWARE\Microsoft')
if sfmsvals.include?("Hyper-V")
vm = true
elsif sfmsvals.include?("VirtualMachine")
vm = true
end
key.close
rescue
end
if not vm
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\DESCRIPTION\System', KEY_READ)
if key.query_value('SystemBiosVersion').data.downcase =~ /vrtual/
if registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System','SystemBiosVersion').data.downcase =~ /vrtual/
vm = true
end
key.close
rescue
end
end
if not vm
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\ACPI\FADT', KEY_READ)
srvvals = key.enum_key
srvvals = registry_enumkeys('HKLM\HARDWARE\ACPI\FADT')
if srvvals.include?("VRTUAL")
vm = true
end
@ -68,8 +64,7 @@ class Metasploit3 < Msf::Post
end
if not vm
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\ACPI\RSDT', KEY_READ)
srvvals = key.enum_key
srvvals = registry_enumkeys('HKLM\HARDWARE\ACPI\RSDT')
if srvvals.include?("VRTUAL")
vm = true
end
@ -78,8 +73,7 @@ class Metasploit3 < Msf::Post
end
if not vm
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SYSTEM\ControlSet001\Services', KEY_READ)
srvvals = key.enum_key
srvvals = registry_enumkeys('HKLM\SYSTEM\ControlSet001\Services')
if srvvals.include?("vmicheartbeat")
vm = true
elsif srvvals.include?("vmicvss")
@ -93,6 +87,12 @@ class Metasploit3 < Msf::Post
end
end
if vm
report_note(
:host => session,
:type => 'host.hypervisor',
:data => { :hypervisor => "MS Hyper-V" },
:update => :unique_data
)
print_status("This is a Hyper-V Virtual Machine")
return "MS Hyper-V"
end
@ -102,8 +102,7 @@ class Metasploit3 < Msf::Post
def vmwarechk(session)
vm = false
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SYSTEM\ControlSet001\Services', KEY_READ)
srvvals = key.enum_key
srvvals = registry_enumkeys('HKLM\SYSTEM\ControlSet001\Services')
if srvvals.include?("vmdebug")
vm = true
elsif srvvals.include?("vmmouse")
@ -113,28 +112,24 @@ class Metasploit3 < Msf::Post
elsif srvvals.include?("VMMEMCTL")
vm = true
end
key.close
rescue
end
if not vm
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\DESCRIPTION\System\BIOS', KEY_READ)
if key.query_value('SystemManufacturer').data.downcase =~ /vmware/
if registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System\BIOS','SystemManufacturer').data.downcase =~ /vmware/
vm = true
end
key.close
rescue
end
end
if not vm
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0', KEY_READ)
if key.query_value('Identifier').data.downcase =~ /vmware/
key_path = 'HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0'
if registry_getvaldata(key_path,'Identifier').data.downcase =~ /vmware/
vm = true
end
rescue
end
key.close
end
if not vm
vmwareprocs = [
@ -151,6 +146,12 @@ class Metasploit3 < Msf::Post
end
if vm
report_note(
:host => session,
:type => 'host.hypervisor',
:data => { :hypervisor => "VMware" },
:update => :unique_data
)
print_status("This is a VMware Virtual Machine")
return "VMWare"
end
@ -172,9 +173,7 @@ class Metasploit3 < Msf::Post
end
if not vm
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SYSTEM\ControlSet001\Services', KEY_READ)
srvvals = key.enum_key
srvvals = registry_enumkeys('HKLM\SYSTEM\ControlSet001\Services')
if srvvals.include?("vpc-s3")
vm = true
elsif srvvals.include?("vpcuhub")
@ -182,11 +181,16 @@ class Metasploit3 < Msf::Post
elsif srvvals.include?("msvmmouf")
vm = true
end
key.close
rescue
end
end
if vm
report_note(
:host => session,
:type => 'host.hypervisor',
:data => { :hypervisor => "VirtualPC" },
:update => :unique_data
)
print_status("This is a VirtualPC Virtual Machine")
return "VirtualPC"
end
@ -208,8 +212,7 @@ class Metasploit3 < Msf::Post
end
if not vm
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\ACPI\DSDT', KEY_READ)
srvvals = key.enum_key
srvvals = registry_enumkeys('HKLM\HARDWARE\ACPI\DSDT')
if srvvals.include?("VBOX__")
vm = true
end
@ -218,8 +221,7 @@ class Metasploit3 < Msf::Post
end
if not vm
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\ACPI\FADT', KEY_READ)
srvvals = key.enum_key
srvvals = registry_enumkeys('HKLM\HARDWARE\ACPI\FADT')
if srvvals.include?("VBOX__")
vm = true
end
@ -228,8 +230,7 @@ class Metasploit3 < Msf::Post
end
if not vm
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\ACPI\RSDT', KEY_READ)
srvvals = key.enum_key
srvvals = registry_enumkeys('HKLM\HARDWARE\ACPI\RSDT')
if srvvals.include?("VBOX__")
vm = true
end
@ -238,8 +239,8 @@ class Metasploit3 < Msf::Post
end
if not vm
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0')
if key.query_value('Identifier').data.downcase =~ /vbox/
key_path = 'HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0'
if registry_getvaldata(key_path,'Identifier').data.downcase =~ /vbox/
vm = true
end
rescue
@ -247,8 +248,7 @@ class Metasploit3 < Msf::Post
end
if not vm
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\DESCRIPTION\System')
if key.query_value('SystemBiosVersion').data.downcase =~ /vbox/
if registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System','SystemBiosVersion').data.downcase =~ /vbox/
vm = true
end
rescue
@ -256,8 +256,7 @@ class Metasploit3 < Msf::Post
end
if not vm
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SYSTEM\ControlSet001\Services', KEY_READ)
srvvals = key.enum_key
srvvals = registry_enumkeys('HKLM\SYSTEM\ControlSet001\Services')
if srvvals.include?("VBoxMouse")
vm = true
elsif srvvals.include?("VBoxGuest")
@ -267,11 +266,16 @@ class Metasploit3 < Msf::Post
elsif srvvals.include?("VBoxSF")
vm = true
end
key.close
rescue
end
end
if vm
report_note(
:host => session,
:type => 'host.hypervisor',
:data => { :hypervisor => "VirtualBox" },
:update => :unique_data
)
print_status("This is a Sun VirtualBox Virtual Machine")
return "VirtualBox"
end
@ -292,8 +296,7 @@ class Metasploit3 < Msf::Post
end
if not vm
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\ACPI\DSDT', KEY_READ)
srvvals = key.enum_key
srvvals = registry_enumkeys('HKLM\HARDWARE\ACPI\DSDT')
if srvvals.include?("Xen")
vm = true
end
@ -302,8 +305,7 @@ class Metasploit3 < Msf::Post
end
if not vm
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\ACPI\FADT', KEY_READ)
srvvals = key.enum_key
srvvals = registry_enumkeys('HARDWARE\ACPI\FADT')
if srvvals.include?("Xen")
vm = true
end
@ -312,8 +314,7 @@ class Metasploit3 < Msf::Post
end
if not vm
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\ACPI\RSDT', KEY_READ)
srvvals = key.enum_key
srvvals = registry_enumkeys('HKLM\HARDWARE\ACPI\RSDT')
if srvvals.include?("Xen")
vm = true
end
@ -322,8 +323,7 @@ class Metasploit3 < Msf::Post
end
if not vm
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SYSTEM\ControlSet001\Services', KEY_READ)
srvvals = key.enum_key
srvvals = registry_enumkeys('HKLM\SYSTEM\ControlSet001\Services')
if srvvals.include?("xenevtchn")
vm = true
elsif srvvals.include?("xennet")
@ -335,11 +335,16 @@ class Metasploit3 < Msf::Post
elsif srvvals.include?("xenvdb")
vm = true
end
key.close
rescue
end
end
if vm
report_note(
:host => session,
:type => 'host.hypervisor',
:data => { :hypervisor => "Xen" },
:update => :unique_data
)
print_status("This is a Xen Virtual Machine")
return "Xen"
end
@ -349,8 +354,8 @@ class Metasploit3 < Msf::Post
vm = false
if not vm
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0')
if key.query_value('Identifier').data.downcase =~ /qemu/
key_path = 'HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0'
if registry_getvaldata(key_path,'Identifier').data.downcase =~ /qemu/
print_status("This is a QEMU/KVM Virtual Machine")
vm = true
end
@ -359,8 +364,8 @@ class Metasploit3 < Msf::Post
end
if not vm
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\DESCRIPTION\System\CentralProcessor\0')
if key.query_value('ProcessorNameString').data.downcase =~ /qemu/
key_path = 'HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0'
if registry_getvaldata(key_path,'ProcessorNameString').data.downcase =~ /qemu/
print_status("This is a QEMU/KVM Virtual Machine")
vm = true
end
@ -369,6 +374,12 @@ class Metasploit3 < Msf::Post
end
if vm
report_note(
:host => session,
:type => 'host.hypervisor',
:data => { :hypervisor => "Qemu/KVM" },
:update => :unique_data
)
return "Qemu/KVM"
end
end
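Review bot: The Xen FADT lookup in the `@ -302,8 +305,7` hunk, `srvvals = registry_enumkeys('HARDWARE\ACPI\FADT')`, drops the `HKLM\` hive prefix that every other converted call in this commit carries (compare `registry_enumkeys('HKLM\HARDWARE\ACPI\FADT')` in the VirtualBox hunk), so that check cannot succeed and the bare `rescue` around it hides the failure; it should read `srvvals = registry_enumkeys('HKLM\HARDWARE\ACPI\FADT')`. Separately, the converted value reads chain `.data.downcase` onto `registry_getvaldata(...)` (the `SystemBiosVersion`, `SystemManufacturer`, `Identifier` and `ProcessorNameString` lines in the Hyper-V, VMware, VirtualBox and QEMU hunks); as I read the Registry mixin that helper already returns the value data as a String, in which case `.data` raises and the same bare `rescue` silently turns each of those checks into a non-match — worth confirming against the mixin and dropping `.data` if so. A `vprint_error("#{e.class}: #{e}")` in those `rescue` blocks would have surfaced both problems instead of degrading detection silently. Each detection method's body starts and ends outside the hunks shown here.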