dnrops
/
metasploit-framework
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Use direct registry lookups to get version data, to cater for different language packs.

This commit is contained in:
Ashley Donaldson 2023-05-30 07:30:37 +10:00
parent 75ba9110e2
commit a94f78ec03
No known key found for this signature in database
GPG Key ID: D4BCDC8C892F7477
1 changed files with 62 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

82
lib/msf/core/post/windows/version.rb
View File

@ -17,6 +17,20 @@ module Msf::Post::Windows::Version
)
end
def registry_query(key, value)
cmd = 'reg query "' + key + '" /v ' + value
vprint_line("Running registry query: #{cmd}")
raw_output = cmd_exec(cmd)
vprint_line("Output: #{raw_output}")
regexp = "#{value}\\s+REG_\\w+\\s+(.*)"
groups = raw_output.match(regexp)
if groups.nil?
return nil
end
groups[1]
end
def get_version_info
if session.type == 'meterpreter'
result = session.railgun.ntdll.RtlGetVersion(input_os_version_info_ex)
@ -29,31 +43,59 @@ module Msf::Post::Windows::Version
Msf::WindowsVersion.new(major, minor, build, service_pack, product_type)
else
build_num_raw = cmd_exec('systeminfo')
bn_groups = build_num_raw.match(/OS Version:\s+(\d+)\.(\d+)\.(\d+).*((Service Pack\s+(\d+))|N\/A)/)
if bn_groups.nil?
build_str = registry_query('HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion', 'CurrentBuildNumber')
version_str = registry_query('HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion', 'CurrentVersion')
if build_str.nil? or version_str.nil?
print_error("Couldn't retrieve the target's build number!")
raise RuntimeError.new("Couldn't retrieve the target's build number!")
end
build_num = build_str.to_i
version_match = version_str.match(/(\d+)\.(\d+)/)
if version_match.nil?
print_error("Couldn't retrieve the target's build number!")
raise RuntimeError.new("Couldn't retrieve the target's build number!")
end
major, minor = version_match.captures
major = major.to_i
minor = minor.to_i
product = registry_query('HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions', 'ProductType')
case product
when /WinNT/
product_type = Msf::WindowsVersion::VER_NT_WORKSTATION
when /LanmanNT/
product_type = Msf::WindowsVersion::VER_NT_DOMAIN_CONTROLLER
when /ServerNT/
product_type = Msf::WindowsVersion::VER_NT_SERVER
else
sp = bn_groups[6]
sp = 0 if sp.nil?
workstation = 'Standalone Workstation'
dc = 'Domain Controller'
server = 'Standalone Server'
product_regex_output = build_num_raw.match(/((#{workstation})|(#{dc})|(#{server}))/)
if product_regex_output.nil?
product_type = Msf::WindowsVersion::UnknownProduct
else
case product_regex_output[1]
when workstation
product_type = Msf::WindowsVersion::VER_NT_WORKSTATION
when dc
product_type = Msf::WindowsVersion::VER_NT_DOMAIN_CONTROLLER
when server
product_type = Msf::WindowsVersion::VER_NT_SERVER
product_type = Msf::WindowsVersion::UnknownProduct
end
if major == 6 and minor == 3 and build_num > 9600 # 9600 is Windows 8.1 build number
# This is Windows 10+ - the version numbering is calculated differently
major = registry_query('HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion', 'CurrentMajorVersionNumber')
minor = registry_query('HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion', 'CurrentMinorVersionNumber')
if major.nil? or minor.nil?
print_error("Couldn't retrieve the target's build number!")
raise RuntimeError.new("Couldn't retrieve the target's build number!")
end
major = major.to_i(16)
minor = minor.to_i(16)
Msf::WindowsVersion.new(major, minor, build_num, 0, product_type)
else
# Pre-Windows 10
service_pack_raw = registry_query('HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion', 'CSDVersion')
service_pack = 0
unless service_pack_raw.nil?
match = service_pack_raw.match(/Service Pack (\d+)/)
unless match.nil?
service_pack = match[1].to_i
end
end
Msf::WindowsVersion.new(bn_groups[1].to_i, bn_groups[2].to_i, bn_groups[3].to_i, sp, product_type)
Msf::WindowsVersion.new(major, minor, build_num, service_pack, product_type)
end
end
end