On new session, check if file has been REALLY deleted

jvazquez-r7 · jvazquez-r7 · commit b1dd2a63fc66 · 2015-05-11T17:14:42.000-05:00
diff --git a/lib/msf/core/exploit/file_dropper.rb b/lib/msf/core/exploit/file_dropper.rb
@@ -3,15 +3,12 @@
 module Msf
 module Exploit::FileDropper
 
-  include Msf::Post::Common
-  include Msf::Post::File
-
   def initialize(info = {})
     super
 
     register_advanced_options(
       [
-        OptInt.new( 'FileDropperDelay', [ false, 'Delay in seconds before attempting file cleanup' ])
+        OptInt.new('FileDropperDelay', [false, 'Delay in seconds before attempting file cleanup'])
       ], self.class)
   end
 
@@ -23,49 +20,22 @@ def initialize(info = {})
   # @return [void]
   #
   def on_new_session(session)
-    super
-
-    @session = session
+    super(session)
 
-    if session.type == "meterpreter"
-      session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
+    if session.type == 'meterpreter'
+      session.core.use('stdapi') unless session.ext.aliases.include?('stdapi')
     end
 
     if not @dropped_files or @dropped_files.empty?
       return true
     end
 
     @dropped_files.delete_if do |file|
-      win_file = file.gsub("/", "\\\\")
-      exists_before = check_file(file, win_file)
-
-      if session.type == "meterpreter"
-        begin
-          # Meterpreter should do this automatically as part of
-          # fs.file.rm().  Until that has been implemented, remove the
-          # read-only flag with a command.
-          if session.platform =~ /win/
-            session.shell_command_token(%Q|attrib.exe -r #{win_file}|)
-          end
-          session.fs.file.rm(file)
-          file_deleted?(file, win_file, exists_before)
-        rescue ::Rex::Post::Meterpreter::RequestError
-          return false
-        end
+      exists_before = file_dropper_check_file(file)
+      if file_dropper_delete(file)
+        file_dropper_deleted?(file, exists_before)
       else
-        win_cmds = [
-            %Q|attrib.exe -r "#{win_file}"|,
-            %Q|del.exe /f /q "#{win_file}"|
-        ]
-        # We need to be platform-independent here. Since we can't be
-        # certain that {#target} is accurate because exploits with
-        # automatic targets frequently change it, we just go ahead and
-        # run both a windows and a unix command in the same line. One
-        # of them will definitely fail and the other will probably
-        # succeed. Doing it this way saves us an extra round-trip.
-        # Trick shared by @mihi42
-        session.shell_command_token("rm -f \"#{file}\" >/dev/null ; echo ' & #{win_cmds.join(" & ")} & echo \" ' >/dev/null")
-        file_deleted?(file, win_file, exists_before)
+        false
       end
     end
   end
@@ -114,9 +84,8 @@ def cleanup
       @dropped_files.delete_if do |file|
         begin
           file_rm(file)
-          print_good("Deleted #{file}")
-          true
-        #rescue ::Rex::SocketError, ::EOFError, ::IOError, ::Errno::EPIPE, ::Rex::Post::Meterpreter::RequestError => e
+          # We don't know for sure if file has been deleted, so always warn about it to the user
+          false
         rescue ::Exception => e
           vprint_error("Failed to delete #{file}: #{e}")
           elog("Failed to delete #{file}: #{e.class}: #{e}")
@@ -130,39 +99,69 @@ def cleanup
       print_warning("This exploit may require manual cleanup of '#{f}' on the target")
     end
 
-    private
+  end
 
-    def session
-      @session
-    end
+  private
 
-    alias :client :session
+  def file_dropper_win_file(file)
+    file.gsub('/', "\\\\")
+  end
 
-    def check_file(file, win_file)
-      if session.platform =~ /win/
-        res = file_exist?(win_file)
-      else
-        res = file_exist?(file)
+  def file_dropper_delete(file)
+    win_file = file_dropper_win_file(file)
+
+    if session.type == 'meterpreter'
+      begin
+        # Meterpreter should do this automatically as part of
+        # fs.file.rm().  Until that has been implemented, remove the
+        # read-only flag with a command.
+        if session.platform =~ /win/
+          session.shell_command_token(%Q|attrib.exe -r #{win_file}|)
+        end
+        session.fs.file.rm(file)
+        true
+      rescue ::Rex::Post::Meterpreter::RequestError
+        false
       end
+    else
+      win_cmds = [
+        %Q|attrib.exe -r "#{win_file}"|,
+        %Q|del.exe /f /q "#{win_file}"|
+      ]
+      # We need to be platform-independent here. Since we can't be
+      # certain that {#target} is accurate because exploits with
+      # automatic targets frequently change it, we just go ahead and
+      # run both a windows and a unix command in the same line. One
+      # of them will definitely fail and the other will probably
+      # succeed. Doing it this way saves us an extra round-trip.
+      # Trick shared by @mihi42
+      session.shell_command_token("rm -f \"#{file}\" >/dev/null ; echo ' & #{win_cmds.join(" & ")} & echo \" ' >/dev/null")
+      true
+    end
+  end
 
-      res
+  def file_dropper_check_file(file)
+    if session.platform =~ /win/
+      normalized = file_dropper_win_file(file)
+    else
+      normalized = file
     end
 
-    def file_deleted?(file, win_file, exists_before)
-      if exists_before
-        if check_file(file, win_file)
-          print_error("Unable to delete #{file}")
-          false
-        else
-          print_good("Deleted #{file}")
-          true
-        end
-      end
+    Msf::Post::File.file_exist?(normalized)
+  end
 
+  def file_dropper_deleted?(file, exists_before)
+    if exists_before  && file_dropper_check_file(file)
+      print_error("Unable to delete #{file}")
+      false
+    elsif exists_before
+      print_good("Deleted #{file}")
+      true
+    else
       print_warning("Tried to delete #{file}, unknown result")
       true
     end
-
   end
+
 end
 end
