@@ -85,18 +85,17 @@ def enum_muicache_paths(sys_sids, mui_path)
8585 def enumerate_muicache ( muicache_reg_keys , sys_users , sys_paths , muicache , hive_file )
8686 results = [ ]
8787
88- loot_path = Msf ::Config ::loot_directory
8988 all_user_entries = sys_users . zip ( muicache_reg_keys , sys_paths )
9089
9190 all_user_entries . each do |user , reg_key , sys_path |
92- local_hive_copy = :: File . join ( loot_path , " #{ sysinfo [ 'Computer' ] } _ #{ user } _HIVE_ #{ :: Time . now . utc . strftime ( '%Y%m%d.%M%S' ) } " )
91+
9392 subkeys = registry_enumvals ( reg_key )
9493 if subkeys . blank?
9594 # If the registry_enumvals returns us nothing then we'll know
9695 # that the user is most likely not logged in and we'll need to
9796 # download and process users hive locally.
98- print_error ( "User #{ user } )
99- result = process_hive ( sys_path , user , local_hive_copy , muicache , hive_file )
97+ print_warning ( "User #{ user } )
98+ result = process_hive ( sys_path , user , muicache , hive_file )
10099 unless result . nil?
101100 result . each { |r |
102101 results << r unless r . nil?
@@ -137,60 +136,24 @@ def check_file_exists(key, user)
137136 # downloading the hive. After successfull download it'll continue to
138137 # call the hive_parser function which will extract the contents of
139138 # the MUICache registry key.
140- def process_hive ( sys_path , user , local_hive_copy , muicache , hive_file )
139+ def process_hive ( sys_path , user , muicache , hive_file )
141140 user_home_path = expand_path ( sys_path )
142141 hive_path = user_home_path + hive_file
143142 ntuser_status = file_exist? ( hive_path )
144143
145144 unless ntuser_status == true
146- print_error ( "Couldn't locate/download #{ user } )
145+ print_warning ( "Couldn't locate/download #{ user } )
147146 return nil
148147 end
149148
150149 print_status ( "Downloading #{ user } )
151- hive_status = hive_download_status ( local_hive_copy , hive_path )
152-
153- unless hive_status == true
154- print_error ( "All registry hive download attempts failed. Unable to continue." )
155- return nil
156- end
157-
158- hive_parser ( local_hive_copy , muicache , user )
159- end
160-
161- # This function downloads registry hives and checks for integrity
162- # after the transfer has completed so that we don't end up
163- # processing broken registry hive.
164- def hive_download_status ( local_hive_copy , hive_path )
165- hive_status = false
166-
167- 3 . times do
168- begin
169- remote_hive_hash_raw = file_remote_digestmd5 ( hive_path )
170- rescue EOFError , ::Rex ::Post ::Meterpreter ::RequestError
171- next
172- end
150+ local_hive_copy = Rex ::Quickfile . new ( "jtrtmp" )
151+ local_hive_copy . close
152+ session . fs . file . download_file ( local_hive_copy . path , hive_path )
153+ results = hive_parser ( local_hive_copy . path , muicache , user )
154+ local_hive_copy . unlink rescue nil # Windows often complains about unlinking tempfiles
173155
174- if remote_hive_hash_raw . blank?
175- next
176- end
177-
178- remote_hive_hash = remote_hive_hash_raw . unpack ( 'H*' )
179- session . fs . file . download_file ( local_hive_copy , hive_path )
180- local_hive_hash = file_local_digestmd5 ( local_hive_copy )
181- if local_hive_hash == remote_hive_hash [ 0 ]
182- print_good ( "Hive downloaded successfully." )
183- hive_status = true
184- break
185- else
186- print_error ( "Hive download corrupted, trying again (max 3 times).." )
187- File . delete ( local_hive_copy ) # Downloaded corrupt hive gets deleted before new attempt is made
188- hive_status = false
189- end
190-
191- end
192-
193- hive_status
156+ results
194157 end
195158
196159 # This function is responsible for parsing the downloaded hive and
@@ -231,8 +194,6 @@ def hive_parser(local_hive_copy, muicache, user)
231194 end
232195 end
233196
234- File . delete ( local_hive_copy ) # Downloaded hive gets deleted after processing
235-
236197 results
237198 end
238199
0 commit comments