Applies a patch from Kieth Faber that fixes #5080
git-svn-id: file:///home/svn/framework3/trunk@13951 4d416f70-5f16-0410-b530-b9f4589650da
parent
594b0687c7
commit
729cfe713c
@ -352,16 +352,16 @@ protected
|
||||||
rescue Rex::Post::Meterpreter::RequestError => e
|
rescue Rex::Post::Meterpreter::RequestError => e
|
||||||
case e.to_s
|
case e.to_s
|
||||||
when "stdapi_registry_load_key: Operation failed: 1314"
|
when "stdapi_registry_load_key: Operation failed: 1314"
|
||||||
print_error("You appear to be lacking the SeRestorePrivilege. Are you running with Admin privs?")
|
#print_error("You appear to be lacking the SeRestorePrivilege. Are you running with Admin privs?")
|
||||||
return false
|
return false
|
||||||
when "stdapi_registry_load_key: Operation failed: The system cannot find the path specified."
|
when "stdapi_registry_load_key: Operation failed: The system cannot find the path specified."
|
||||||
print_error("The path you provided to the Registry Hive does not Appear to be valid: #{file}")
|
#print_error("The path you provided to the Registry Hive does not Appear to be valid: #{file}")
|
||||||
return false
|
return false
|
||||||
when "stdapi_registry_load_key: Operation failed: The process cannot access the file because it is being used by another process."
|
when "stdapi_registry_load_key: Operation failed: The process cannot access the file because it is being used by another process."
|
||||||
print_error("The file you specified is currently locked by another process: #{file}")
|
#print_error("The file you specified is currently locked by another process: #{file}")
|
||||||
return false
|
return false
|
||||||
when /stdapi_registry_load_key: Operation failed:/
|
when /stdapi_registry_load_key: Operation failed:/
|
||||||
print_error("An unknown error has occured: #{loadres.to_s}")
|
#print_error("An unknown error has occured: #{loadres.to_s}")
|
||||||
return false
|
return false
|
||||||
else
|
else
|
||||||
#print_debug("Registry Hive Loaded Successfully: #{key}")
|
#print_debug("Registry Hive Loaded Successfully: #{key}")
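Review bot: Commenting out every print_error in the registry_loadkey rescue (new lines 29, 44, 59, 74) leaves the operator with no way to tell which of the four failure causes occurred, since each branch now only does `return false`; the registry_unloadkey hunk that follows has the same problem. Keeping the diagnostics at verbose level, e.g. `vprint_error("You appear to be lacking the SeRestorePrivilege. Are you running with Admin privs?")`, would keep default output quiet for callers that print their own summary while preserving the privilege/path/lock distinction when an operator asks for it. The exact-string `when` matches also depend on the English text of the Windows error, so on a localized system every failure lands in the generic regex branch; matching on the numeric code where the message carries one (the `1314` case) or on a prefix would be more robust. The commented `#{loadres.to_s}` in the generic branch refers to a variable assigned by the very call that raised, so it would be nil if that line were ever restored; the enclosing method begins outside the hunk.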
|
||||||
|
@ -384,9 +384,10 @@ protected
|
||||||
rescue Rex::Post::Meterpreter::RequestError => e
|
rescue Rex::Post::Meterpreter::RequestError => e
|
||||||
case e.to_s
|
case e.to_s
|
||||||
when "stdapi_registry_unload_key: Operation failed: The parameter is incorrect."
|
when "stdapi_registry_unload_key: Operation failed: The parameter is incorrect."
|
||||||
print_error("The KEY you provided does not appear to match a loaded Registry Hive: #{key}")
|
#print_error("The KEY you provided does not appear to match a loaded Registry Hive: #{key}")
|
||||||
|
return false
|
||||||
when /stdapi_registry_unload_key: Operation failed:/
|
when /stdapi_registry_unload_key: Operation failed:/
|
||||||
print_error("An unknown error has occured: #{unloadres.to_s}")
|
#print_error("An unknown error has occured: #{unloadres.to_s}")
|
||||||
return false
|
return false
|
||||||
else
|
else
|
||||||
#print_debug("Registry Hive Unloaded Successfully: #{key}")
|
#print_debug("Registry Hive Unloaded Successfully: #{key}")
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
require 'msf/core/post/windows/registry'
|
require 'msf/core/post/windows/registry'
|
||||||
|
require 'msf/core/post/windows/accounts'
|
||||||
|
|
||||||
module Msf
|
module Msf
|
||||||
class Post
|
class Post
|
||||||
|
@ -6,6 +7,7 @@ module Windows
|
||||||
|
|
||||||
module UserProfiles
|
module UserProfiles
|
||||||
include Msf::Post::Windows::Registry
|
include Msf::Post::Windows::Registry
|
||||||
|
include Msf::Post::Windows::Accounts
|
||||||
|
|
||||||
def grab_user_profiles
|
def grab_user_profiles
|
||||||
hives = load_missing_hives()
|
hives = load_missing_hives()
|
||||||
|
@ -32,11 +34,9 @@ module UserProfiles
|
||||||
|
|
||||||
def parse_profile(hive)
|
def parse_profile(hive)
|
||||||
profile={}
|
profile={}
|
||||||
#print_status("Parsing User Profile from Registry Hive: #{hive['HKU']}")
|
sidinf = resolve_sid(hive['SID'].to_s)
|
||||||
profile['UserName'] = registry_getvaldata("#{hive['HKU']}\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer", 'Logon User Name')
|
profile['UserName'] = sidinf[:name]
|
||||||
if profile['UserName'] == nil
|
profile['Domain'] = sidinf[:domain]
|
||||||
profile['UserName'] = registry_getvaldata("#{hive['HKU']}\\Volatile Environment", 'USERNAME')
|
|
||||||
end
|
|
||||||
profile['SID'] = hive['SID']
|
profile['SID'] = hive['SID']
|
||||||
profile['ProfileDir'] = hive['PROF']
|
profile['ProfileDir'] = hive['PROF']
|
||||||
profile['AppData'] = registry_getvaldata("#{hive['HKU']}\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", 'AppData')
|
profile['AppData'] = registry_getvaldata("#{hive['HKU']}\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", 'AppData')
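Review bot: `profile['UserName'] = sidinf[:name]` on the new line 231 dereferences the result of resolve_sid without a nil check, and the old registry fallbacks to 'Logon User Name' and the 'Volatile Environment' USERNAME that tolerated a missing value are removed. If resolve_sid can return nil for an unresolvable SID (an orphaned profile of a deleted account, or a domain SID the host cannot look up — its contract is not visible from here), parse_profile raises NoMethodError and grab_user_profiles aborts for every remaining hive. A one-line guard, `sidinf = resolve_sid(hive['SID'].to_s) || {}`, keeps the method's shape and leaves UserName/Domain nil for that profile instead. parse_profile's body continues in the next hunk.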
|
||||||
|
@ -47,6 +47,8 @@ module UserProfiles
|
||||||
profile['Favorites'] = registry_getvaldata("#{hive['HKU']}\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", 'Favorites')
|
profile['Favorites'] = registry_getvaldata("#{hive['HKU']}\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", 'Favorites')
|
||||||
profile['History'] = registry_getvaldata("#{hive['HKU']}\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", 'History')
|
profile['History'] = registry_getvaldata("#{hive['HKU']}\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", 'History')
|
||||||
profile['Cookies'] = registry_getvaldata("#{hive['HKU']}\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", 'Cookies')
|
profile['Cookies'] = registry_getvaldata("#{hive['HKU']}\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", 'Cookies')
|
||||||
|
profile['Temp'] = registry_getvaldata("#{hive['HKU']}\\Environment", 'TEMP').to_s.sub('%USERPROFILE%',profile['ProfileDir'])
|
||||||
|
profile['Path'] = registry_getvaldata("#{hive['HKU']}\\Environment", 'PATH')
|
||||||
|
|
||||||
return profile
|
return profile
|
||||||
end
|
end
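Review bot: The `.sub('%USERPROFILE%', profile['ProfileDir'])` on the new line 282 passes profile['ProfileDir'] as the replacement, and that value is hive['PROF'], which the read_profile_list hunk below now allows to be nil; String#sub raises TypeError on a nil replacement, so a profile with no ProfileImagePath crashes parse_profile instead of yielding an empty Temp. `.sub('%USERPROFILE%', profile['ProfileDir'].to_s)` avoids that. Windows expands environment references case-insensitively, so a TEMP value written as `%UserProfile%` would also be left unexpanded by the literal match; a `/%USERPROFILE%/i` pattern covers it. The enclosing parse_profile begins in the previous hunk.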
|
||||||
|
@ -55,12 +57,14 @@ module UserProfiles
|
||||||
def load_missing_hives
|
def load_missing_hives
|
||||||
hives=[]
|
hives=[]
|
||||||
read_profile_list().each do |hive|
|
read_profile_list().each do |hive|
|
||||||
|
hive['OURS']=false
|
||||||
if hive['LOADED']== false
|
if hive['LOADED']== false
|
||||||
registry_loadkey(hive['HKU'], hive['DAT'])
|
if session.fs.file.exists?(hive['DAT'])
|
||||||
hive['OURS']=true
|
hive['OURS'] = registry_loadkey(hive['HKU'], hive['DAT'])
|
||||||
|
print_error("Error loading USER #{hive['SID']}: Hive could not be loaded, are you Admin?") unless hive['OURS']
|
||||||
else
|
else
|
||||||
hive['OURS']=false
|
print_error("Error loading USER #{hive['SID']}: Profile doesn't exist or cannot be accessed")
|
||||||
|
end
|
||||||
end
|
end
|
||||||
hives << hive
|
hives << hive
|
||||||
end
|
end
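Review bot: `hive['OURS'] = registry_loadkey(hive['HKU'], hive['DAT'])` on the new line 337 uses the return value as a success flag, but the registry_loadkey hunk at the top of this commit only shows the failure paths returning false; the success return is outside that hunk, and if the method ends with nil (the `else` branch of the case now contains only a comment) every successful load would be reported as "could not be loaded" and, with OURS left false, the hive would never be unloaded afterwards. Worth confirming that registry_loadkey ends with an explicit `true` on success, or coercing here with `hive['OURS'] = registry_loadkey(hive['HKU'], hive['DAT']) ? true : false` so the flag is always a boolean. The `session.fs.file.exists?(hive['DAT'])` check also runs against `"\\NTUSER.DAT"` when hive['PROF'] was nil in read_profile_list, which merely prints the "doesn't exist" error rather than naming the real cause. The enclosing load_missing_hives ends outside the hunk.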
|
||||||
|
@ -75,7 +79,7 @@ module UserProfiles
|
||||||
hive['SID']=profkey
|
hive['SID']=profkey
|
||||||
hive['HKU']= "HKU\\#{profkey}"
|
hive['HKU']= "HKU\\#{profkey}"
|
||||||
hive['PROF']= registry_getvaldata("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\#{profkey}", 'ProfileImagePath')
|
hive['PROF']= registry_getvaldata("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\#{profkey}", 'ProfileImagePath')
|
||||||
hive['PROF']= session.fs.file.expand_path(hive['PROF'])
|
hive['PROF']= session.fs.file.expand_path(hive['PROF']) if hive['PROF']
|
||||||
hive['DAT']= "#{hive['PROF']}\\NTUSER.DAT"
|
hive['DAT']= "#{hive['PROF']}\\NTUSER.DAT"
|
||||||
hive['LOADED'] = loaded_hives.include?(profkey)
|
hive['LOADED'] = loaded_hives.include?(profkey)
|
||||||
hives << hive
|
hives << hive
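Review bot: Guarding expand_path with `if hive['PROF']` on the new line 394 avoids the nil crash there but lets the nil through to `hive['DAT']= "#{hive['PROF']}\\NTUSER.DAT"` on the next line, which yields `"\\NTUSER.DAT"` — a path relative to the current drive root — and a nil ProfileDir that parse_profile later substitutes into Temp. A ProfileList key with no ProfileImagePath is better marked here, e.g. `hive['DAT']= hive['PROF'] ? "#{hive['PROF']}\\NTUSER.DAT" : nil`, so that load_missing_hives can report it instead of probing a bogus path. The enclosing method starts and ends outside the hunk.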
|
||||||
|
@ -97,3 +101,4 @@ end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||