adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3da170a43c7f288fe9bc88fe325da488733acac3
metasploit-gs/modules/post/windows/gather/enum_trusted_locations.rb
T
adfoster-r7 a81a71c5df Run rubocop on post modules
2023-02-08 13:47:34 +00:00

83 lines
2.9 KiB
Ruby
Raw Blame History

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Post
include Msf::Post::Windows::Registry
include Msf::Post::Common
OFFICE_REGISTRY_PATH = 'HKCU\\SOFTWARE\\Microsoft\\Office'
TRUSTED_LOCATIONS_PATH = 'Security\\Trusted Locations'
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Windows Gather Microsoft Office Trusted Locations',
'Description' => %q{ This module will enumerate the Microsoft Office trusted locations on the target host. },
'License' => MSF_LICENSE,
'Author' => [ 'vysec <vincent.yiu[at]mwrinfosecurity.com>' ],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ]
)
)
end
def print_status(msg = '')
super("#{peer} - #{msg}")
end
def print_good(msg = '')
super("#{peer} - #{msg}")
end
def run
locations = ''
[REGISTRY_VIEW_64_BIT, REGISTRY_VIEW_32_BIT].each do |registry_arch|
arch = registry_arch == REGISTRY_VIEW_64_BIT ? ARCH_X64 : ARCH_X86
reg_keys = registry_enumkeys(OFFICE_REGISTRY_PATH, registry_arch)
if reg_keys.nil?
print_error("Failed to enumerate Office in #{arch} registry hive.")
return
end
reg_keys.each do |version|
next if /[0-9][0-9].0/.match(version).nil?
print_status("Version found: #{version}")
version_path = "#{OFFICE_REGISTRY_PATH}\\#{version}"
applications = registry_enumkeys(version_path, registry_arch)
if applications.nil?
print_status('Failed to enumerate applications.')
next
end
vprint_status('Found applications.')
# find version to use
applications.each do |application|
trusted_locations_path = "#{version_path}\\#{application}\\#{TRUSTED_LOCATIONS_PATH}"
trusted_locations = registry_enumkeys(trusted_locations_path, registry_arch)
next if trusted_locations.nil?
print_good("Found trusted locations in #{application}")
# find version to use
trusted_locations.each do |location|
location_path = "#{trusted_locations_path}\\#{location}"
description = registry_getvaldata(location_path, 'Description', registry_arch)
allow_subfolders = registry_getvaldata(location_path, 'AllowSubFolders', registry_arch)
path = registry_getvaldata(location_path, 'Path', registry_arch)
vprint_status("Description: #{description}")
result = "Application: #{application}, Path: #{path}, AllSubFolders: #{!allow_subfolders.nil?}"
locations << "#{result}\n"
print_status(result)
end
end
end
path = store_loot('host.trusted_locations', 'text/plain', session, locations, 'trusted_locations.txt', 'Trusted Locations')
print_good("Results stored in: #{path}")
end
end
end
Reference in New Issue View Git Blame Copy Permalink