Do not error if time can not be obtained
git-svn-id: file:///home/svn/framework3/trunk@13383 4d416f70-5f16-0410-b530-b9f4589650daunstable
Carlos Perez
parent
c7077f2551
commit
f685e179cd
|
|
@ -13,14 +13,12 @@ require 'msf/core'
|
|||
require 'rex'
|
||||
require 'msf/core/post/common'
|
||||
require 'msf/core/post/windows/priv'
|
||||
require 'msf/core/post/windows/registry'
|
||||
|
||||
class Metasploit3 < Msf::Post
|
||||
|
||||
include Msf::Post::Windows::Registry
|
||||
include Msf::Post::Windows::Priv
|
||||
include Msf::Post::Common
|
||||
|
||||
|
||||
|
||||
def initialize(info={})
|
||||
super( update_info( info,
|
||||
|
|
@ -51,20 +49,17 @@ class Metasploit3 < Msf::Post
|
|||
|
||||
print_status(out)
|
||||
|
||||
usb_drive_classes = registry_enumkeys('HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR')
|
||||
usb_drive_classes = enum_subkeys('HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR')
|
||||
usb_uids_to_info = {}
|
||||
usb_drive_uids = []
|
||||
|
||||
if usb_drive_classes
|
||||
usb_drive_classes.each do |x|
|
||||
if x
|
||||
registry_enumkeys(x).each do |y|
|
||||
begin
|
||||
vals = registry_enumvals(y)
|
||||
# enumerate each USB device used on the system
|
||||
usb_uids_to_info.store(x.match(/HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\(.*)$/)[1], vals)
|
||||
rescue
|
||||
end
|
||||
end
|
||||
usb_drive_classes.each do |x|
|
||||
enum_subkeys(x).each do |y|
|
||||
begin
|
||||
vals = enum_values(y)
|
||||
# enumerate each USB device used on the system
|
||||
usb_uids_to_info.store(x.match(/HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\(.*)$/)[1], vals)
|
||||
rescue
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
@ -74,7 +69,12 @@ class Metasploit3 < Msf::Post
|
|||
guid = '##?#USBSTOR#' << u << '#' << '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
|
||||
out = "#{v['FriendlyName']}\n" << "="*85 << "\n"
|
||||
if isadmin
|
||||
keytime = ::Time.at(registry_getkeylastwritetime('HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\\' << guid))
|
||||
mace = registry_getkeylastwritetime('HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\\' << guid)
|
||||
if mace
|
||||
keytime = ::Time.at(mace)
|
||||
else
|
||||
keytime = "Unknown"
|
||||
end
|
||||
out << sprintf("%25s\t%50s\n", "Disk lpftLastWriteTime", keytime)
|
||||
end
|
||||
if( not v.key?('ParentIdPrefix') )
|
||||
|
|
@ -83,7 +83,12 @@ class Metasploit3 < Msf::Post
|
|||
end
|
||||
guid = '##?#STORAGE#RemoveableMedia#' << v['ParentIdPrefix'] << '&RM#' << '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
|
||||
if isadmin
|
||||
keytime = ::Time.at(registry_getkeylastwritetime('HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceClasses\\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\' << guid))
|
||||
mace = registry_getkeylastwritetime('HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceClasses\\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\' << guid)
|
||||
if mace
|
||||
keytime = ::Time.at(mace)
|
||||
else
|
||||
keytime = "Unknown"
|
||||
end
|
||||
out << sprintf("%25s\t%50s\n", "Volume lpftLastWriteTime", keytime)
|
||||
end
|
||||
print_status(info_hash_to_str(out, v))
|
||||
|
|
@ -104,16 +109,56 @@ class Metasploit3 < Msf::Post
|
|||
|
||||
#PFILETIME - http://msdn.microsoft.com/en-us/library/ms724284%28v=vs.85%29.aspx, two DWORDS DWORD dwLowDateTime; DWORD dwHighDateTime;
|
||||
# can use Rex::Proto::SMB::Utils.time_smb_to_unix to convert to unix epoch
|
||||
begin
|
||||
r, b = session.sys.registry.splitkey(key_str)
|
||||
key = session.sys.registry.open_key(r, "#{b}", KEY_READ)
|
||||
mytime = session.railgun.advapi32.RegQueryInfoKeyA(key.hkey, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, 8)['lpftLastWriteTime']
|
||||
key.close
|
||||
lo,hi = mytime.unpack('V2')
|
||||
return Rex::Proto::SMB::Utils.time_smb_to_unix(hi,lo)
|
||||
rescue
|
||||
return nil
|
||||
end
|
||||
end
|
||||
|
||||
#-------------------------------------------------------------------------------
|
||||
# Function to enumerate the next level of keys from the given key
|
||||
# key_str Full string representation of the key for which subkeys should be enumerated
|
||||
# returns Array of string representations of subkeys
|
||||
def enum_subkeys(key_str = nil)
|
||||
return nil if(! key_str)
|
||||
|
||||
r, b = session.sys.registry.splitkey(key_str)
|
||||
key = session.sys.registry.open_key(r, "#{b}", KEY_READ)
|
||||
mytime = session.railgun.advapi32.RegQueryInfoKeyA(key.hkey, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, 8)['lpftLastWriteTime']
|
||||
full_keys = []
|
||||
key.enum_key.each do |x|
|
||||
full_keys.push("#{key_str}" << '\\' << "#{x}")
|
||||
end
|
||||
|
||||
key.close
|
||||
lo,hi = mytime.unpack('V2')
|
||||
return Rex::Proto::SMB::Utils.time_smb_to_unix(hi,lo)
|
||||
return full_keys
|
||||
end
|
||||
|
||||
|
||||
#-------------------------------------------------------------------------------
|
||||
# Function to enumerate the values in the given key
|
||||
# key_str Full string representation of the key from which values should be enumerated
|
||||
# returns Hash of string representations of: Value.name => Value
|
||||
def enum_values(key_str = nil)
|
||||
return nil if(! key_str)
|
||||
|
||||
r, b = session.sys.registry.splitkey("#{key_str}")
|
||||
key = session.sys.registry.open_key(r, "#{b}", KEY_READ)
|
||||
values = {}
|
||||
key.enum_value.each do |x|
|
||||
values.store(x.name, x.query)
|
||||
end
|
||||
key.close
|
||||
return values
|
||||
end
|
||||
|
||||
#--------------------------------------------------------------------------------------------------
|
||||
# Function to enumerate the disks (not volumes) mounted as contained in HKLM\System\MountedDevices
|
||||
# returns Hash of string representations of: assigned drive letter => UID
|
||||
def enum_disks()
|
||||
|
||||
r, b = session.sys.registry.splitkey('HKLM\\SYSTEM\\MountedDevices')
|
||||
|
|
@ -173,4 +218,4 @@ class Metasploit3 < Msf::Post
|
|||
return out
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in New Issue