Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
# This module requires Metasploit: https://metasploit.com/download
2
# Current source: https://github.com/rapid7/metasploit-framework
3

4
class MetasploitModule < Msf::Post
5
  def initialize(info = {})
6
    super(
7
      update_info(
8
        info,
9
        'Name' => 'Windows Gather Installed Application Within Chocolatey Enumeration',
10
        'Description' => ' This module will enumerate all installed applications on a Windows system with chocolatey installed ',
11
        'License' => MSF_LICENSE,
12
        'Author' => ['Nick Cottrell <ncottrellweb[at]gmail.com>'],
13
        'Platform' => ['win'],
14
        'Privileged' => false,
15
        'SessionTypes' => %w[meterpreter shell],
16
        'Notes' => {
17
          'Stability' => [CRASH_SAFE],
18
          'Reliability' => [REPEATABLE_SESSION],
19
          'SideEffects' => []
20
        }
21
      )
22
    )
23
    register_advanced_options(
24
      [
25
        OptString.new('ChocoPath', [false, 'The path to the chocolatey executable if it\'s not on default path', 'choco.exe']),
26
      ]
27
    )
28
  end
29

30
  def chocopath
31
    if chocolatey?(datastore['ChocoPath'])
32
      return datastore['ChocoPath']
33
    elsif chocolatey?(cmd_exec('where.exe', 'choco.exe'))
34
      return cmd_exec('where.exe', 'choco.exe')
35
    elsif chocolatey?(cmd_exec('where.exe', 'chocolatey.exe'))
36
      return cmd_exec('where.exe', 'chocolatey.exe')
37
    end
38

39
    nil
40
  end
41

42
  def chocolatey?(path)
43
    !!(cmd_exec(path, '-v') =~ /\d+\.\d+\.\d+/m)
44
  rescue Rex::Post::Meterpreter::RequestError
45
    false
46
  end
47

48
  def run
49
    # checking that session is meterpreter and session has powershell
50
    choco_path = chocopath
51
    fail_with(Failure::NotFound, 'Chocolatey path not found') unless choco_path
52

53
    print_status("Enumerating applications installed on #{sysinfo['Computer']}") if session.type == 'meterpreter'
54

55
    # getting chocolatey version
56
    choco_version = cmd_exec(choco_path, '-v')
57
    print_status("Targets Chocolatey version: #{choco_version}")
58

59
    # Getting results of listing chocolatey applications
60
    print_status('Getting chocolatey applications.')
61

62
    # checking if chocolatey is 2+ or 1.0.0
63
    data = if choco_version.match(/^[10]\.\d+\.\d+$/)
64
             # its version 1, use local only
65
             cmd_exec(choco_path, 'list -lo')
66
           elsif choco_version.match(/^(?:[2-9]|\d{2,})\.\d+\.\d+$/)
67
             # its version 2 or above, no need for local
68
             cmd_exec(choco_path, 'list')
69
           else
70
             fail_with(Failure::UnexpectedReply, "Failed to get chocolatey version. Result was unexpected: #{choco_version}")
71
           end
72
    print_good('Successfully grabbed all items')
73

74
    # making table to better organize applications and their versions
75
    table = Rex::Text::Table.new(
76
      'Header' => 'Installed Chocolatey Applications',
77
      'Indent' => 1,
78
      'Columns' => %w[
79
        Name
80
        Version
81
      ]
82
    )
83

84
    # collecting all lines that match and placing them into table.
85
    items = data.scan(/^(\S+)\s(\d+(?:\.\d+)*)\r?\n/m)
86
    items.each do |set|
87
      table << set
88
    end
89
    results = table.to_s
90

91
    # giving results
92
    print_line(results.to_s)
93
    report_note(
94
      host: session.session_host,
95
      type: 'chocolatey.software.enum',
96
      data: items,
97
      update: :unique_data
98
    )
99
  end
100
end
101

102