diff --git a/modules/post/windows/gather/checkvm.rb b/modules/post/windows/gather/checkvm.rb index c565ffb905..8f7faadf96 100644 --- a/modules/post/windows/gather/checkvm.rb +++ b/modules/post/windows/gather/checkvm.rb @@ -9,11 +9,13 @@ require 'msf/core' require 'rex' require 'msf/core/post/windows/registry' require 'msf/core/post/common' +require 'msf/core/auxiliary/report' class Metasploit3 < Msf::Post include Msf::Post::Windows::Registry include Msf::Post::Common + include Msf::Auxiliary::Report def initialize(info={}) super( update_info( info, @@ -26,7 +28,6 @@ class Metasploit3 < Msf::Post }, 'License' => MSF_LICENSE, 'Author' => [ 'Carlos Perez '], - 'Version' => '', 'Platform' => [ 'win' ], 'SessionTypes' => [ 'meterpreter' ] )) @@ -36,30 +37,25 @@ class Metasploit3 < Msf::Post def hypervchk(session) begin vm = false - key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft', KEY_READ) - sfmsvals = key.enum_key + sfmsvals = registry_enumkeys('HKLM\SOFTWARE\Microsoft') if sfmsvals.include?("Hyper-V") vm = true elsif sfmsvals.include?("VirtualMachine") vm = true end - key.close rescue end if not vm begin - key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\DESCRIPTION\System', KEY_READ) - if key.query_value('SystemBiosVersion').data.downcase =~ /vrtual/ + if registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System','SystemBiosVersion').data.downcase =~ /vrtual/ vm = true end - key.close rescue end end if not vm begin - key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\ACPI\FADT', KEY_READ) - srvvals = key.enum_key + srvvals = registry_enumkeys('HKLM\HARDWARE\ACPI\FADT') if srvvals.include?("VRTUAL") vm = true end @@ -68,8 +64,7 @@ class Metasploit3 < Msf::Post end if not vm begin - key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\ACPI\RSDT', KEY_READ) - srvvals = key.enum_key + srvvals = registry_enumkeys('HKLM\HARDWARE\ACPI\RSDT') if srvvals.include?("VRTUAL") vm = true end @@ -78,8 +73,7 @@ class Metasploit3 < Msf::Post end if not vm begin - key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SYSTEM\ControlSet001\Services', KEY_READ) - srvvals = key.enum_key + srvvals = registry_enumkeys('HKLM\SYSTEM\ControlSet001\Services') if srvvals.include?("vmicheartbeat") vm = true elsif srvvals.include?("vmicvss") @@ -93,6 +87,12 @@ class Metasploit3 < Msf::Post end end if vm + report_note( + :host => session, + :type => 'host.hypervisor', + :data => { :hypervisor => "MS Hyper-V" }, + :update => :unique_data + ) print_status("This is a Hyper-V Virtual Machine") return "MS Hyper-V" end @@ -102,8 +102,7 @@ class Metasploit3 < Msf::Post def vmwarechk(session) vm = false begin - key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SYSTEM\ControlSet001\Services', KEY_READ) - srvvals = key.enum_key + srvvals = registry_enumkeys('HKLM\SYSTEM\ControlSet001\Services') if srvvals.include?("vmdebug") vm = true elsif srvvals.include?("vmmouse") @@ -113,28 +112,24 @@ class Metasploit3 < Msf::Post elsif srvvals.include?("VMMEMCTL") vm = true end - key.close rescue end if not vm begin - key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\DESCRIPTION\System\BIOS', KEY_READ) - if key.query_value('SystemManufacturer').data.downcase =~ /vmware/ + if registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System\BIOS','SystemManufacturer').data.downcase =~ /vmware/ vm = true end - key.close rescue end end if not vm begin - key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0', KEY_READ) - if key.query_value('Identifier').data.downcase =~ /vmware/ + key_path = 'HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0' + if registry_getvaldata(key_path,'Identifier').data.downcase =~ /vmware/ vm = true end rescue end - key.close end if not vm vmwareprocs = [ @@ -151,6 +146,12 @@ class Metasploit3 < Msf::Post end if vm + report_note( + :host => session, + :type => 'host.hypervisor', + :data => { :hypervisor => "VMware" }, + :update => :unique_data + ) print_status("This is a VMware Virtual Machine") return "VMWare" end @@ -172,9 +173,7 @@ class Metasploit3 < Msf::Post end if not vm begin - key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SYSTEM\ControlSet001\Services', KEY_READ) - srvvals = key.enum_key - + srvvals = registry_enumkeys('HKLM\SYSTEM\ControlSet001\Services') if srvvals.include?("vpc-s3") vm = true elsif srvvals.include?("vpcuhub") @@ -182,11 +181,16 @@ class Metasploit3 < Msf::Post elsif srvvals.include?("msvmmouf") vm = true end - key.close rescue end end if vm + report_note( + :host => session, + :type => 'host.hypervisor', + :data => { :hypervisor => "VirtualPC" }, + :update => :unique_data + ) print_status("This is a VirtualPC Virtual Machine") return "VirtualPC" end @@ -208,8 +212,7 @@ class Metasploit3 < Msf::Post end if not vm begin - key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\ACPI\DSDT', KEY_READ) - srvvals = key.enum_key + srvvals = registry_enumkeys('HKLM\HARDWARE\ACPI\DSDT') if srvvals.include?("VBOX__") vm = true end @@ -218,8 +221,7 @@ class Metasploit3 < Msf::Post end if not vm begin - key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\ACPI\FADT', KEY_READ) - srvvals = key.enum_key + srvvals = registry_enumkeys('HKLM\HARDWARE\ACPI\FADT') if srvvals.include?("VBOX__") vm = true end @@ -228,8 +230,7 @@ class Metasploit3 < Msf::Post end if not vm begin - key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\ACPI\RSDT', KEY_READ) - srvvals = key.enum_key + srvvals = registry_enumkeys('HKLM\HARDWARE\ACPI\RSDT') if srvvals.include?("VBOX__") vm = true end @@ -238,8 +239,8 @@ class Metasploit3 < Msf::Post end if not vm begin - key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0') - if key.query_value('Identifier').data.downcase =~ /vbox/ + key_path = 'HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0' + if registry_getvaldata(key_path,'Identifier').data.downcase =~ /vbox/ vm = true end rescue @@ -247,8 +248,7 @@ class Metasploit3 < Msf::Post end if not vm begin - key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\DESCRIPTION\System') - if key.query_value('SystemBiosVersion').data.downcase =~ /vbox/ + if registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System','SystemBiosVersion').data.downcase =~ /vbox/ vm = true end rescue @@ -256,8 +256,7 @@ class Metasploit3 < Msf::Post end if not vm begin - key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SYSTEM\ControlSet001\Services', KEY_READ) - srvvals = key.enum_key + srvvals = registry_enumkeys('HKLM\SYSTEM\ControlSet001\Services') if srvvals.include?("VBoxMouse") vm = true elsif srvvals.include?("VBoxGuest") @@ -267,11 +266,16 @@ class Metasploit3 < Msf::Post elsif srvvals.include?("VBoxSF") vm = true end - key.close rescue end end if vm + report_note( + :host => session, + :type => 'host.hypervisor', + :data => { :hypervisor => "VirtualBox" }, + :update => :unique_data + ) print_status("This is a Sun VirtualBox Virtual Machine") return "VirtualBox" end @@ -292,8 +296,7 @@ class Metasploit3 < Msf::Post end if not vm begin - key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\ACPI\DSDT', KEY_READ) - srvvals = key.enum_key + srvvals = registry_enumkeys('HKLM\HARDWARE\ACPI\DSDT') if srvvals.include?("Xen") vm = true end @@ -302,8 +305,7 @@ class Metasploit3 < Msf::Post end if not vm begin - key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\ACPI\FADT', KEY_READ) - srvvals = key.enum_key + srvvals = registry_enumkeys('HARDWARE\ACPI\FADT') if srvvals.include?("Xen") vm = true end @@ -312,8 +314,7 @@ class Metasploit3 < Msf::Post end if not vm begin - key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\ACPI\RSDT', KEY_READ) - srvvals = key.enum_key + srvvals = registry_enumkeys('HKLM\HARDWARE\ACPI\RSDT') if srvvals.include?("Xen") vm = true end @@ -322,8 +323,7 @@ class Metasploit3 < Msf::Post end if not vm begin - key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SYSTEM\ControlSet001\Services', KEY_READ) - srvvals = key.enum_key + srvvals = registry_enumkeys('HKLM\SYSTEM\ControlSet001\Services') if srvvals.include?("xenevtchn") vm = true elsif srvvals.include?("xennet") @@ -335,11 +335,16 @@ class Metasploit3 < Msf::Post elsif srvvals.include?("xenvdb") vm = true end - key.close rescue end end if vm + report_note( + :host => session, + :type => 'host.hypervisor', + :data => { :hypervisor => "Xen" }, + :update => :unique_data + ) print_status("This is a Xen Virtual Machine") return "Xen" end @@ -349,8 +354,8 @@ class Metasploit3 < Msf::Post vm = false if not vm begin - key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0') - if key.query_value('Identifier').data.downcase =~ /qemu/ + key_path = 'HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0' + if registry_getvaldata(key_path,'Identifier').data.downcase =~ /qemu/ print_status("This is a QEMU/KVM Virtual Machine") vm = true end @@ -359,8 +364,8 @@ class Metasploit3 < Msf::Post end if not vm begin - key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\DESCRIPTION\System\CentralProcessor\0') - if key.query_value('ProcessorNameString').data.downcase =~ /qemu/ + key_path = 'HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0' + if registry_getvaldata(key_path,'ProcessorNameString').data.downcase =~ /qemu/ print_status("This is a QEMU/KVM Virtual Machine") vm = true end @@ -369,6 +374,12 @@ class Metasploit3 < Msf::Post end if vm + report_note( + :host => session, + :type => 'host.hypervisor', + :data => { :hypervisor => "Qemu/KVM" }, + :update => :unique_data + ) return "Qemu/KVM" end end