Module: Msf::Post::File
- Included in:
- Android::System, Linux::BusyBox, Linux::Compile, Linux::System, OSX::System, Solaris::System, Windows::Runas, Windows::WMIC, Scripts::Meterpreter::Common, Rex::Post::Meterpreter::Extensions::Stdapi::Webcam::Webcam
- Defined in:
- lib/msf/core/post/file.rb
Instance Method Summary collapse
-
#_read_file_meterpreter(file_name) ⇒ String
protected
Meterpreter-specific file read.
-
#_unix_max_line_length ⇒ Integer
protected
Calculate the maximum line length for a unix shell.
-
#_write_file_unix_shell(file_name, data, append = false) ⇒ void
protected
Write
data
to the remote filefile_name
. -
#append_file(file_name, data) ⇒ void
Platform-agnostic file append.
-
#attributes(path) ⇒ Object
Retrieve file attributes for
path
on the remote system. -
#cd(path) ⇒ void
Change directory in the remote session to
path
, which may be relative or absolute. -
#chmod(path, mode = 0700) ⇒ Object
Sets the permissions on a remote file.
-
#dir(directory) ⇒ Array
(also: #ls)
Returns a list of the contents of the specified directory.
-
#directory?(path) ⇒ Boolean
See if
path
exists on the remote system and is a directory. -
#executable?(path) ⇒ Boolean
See if
path
on the remote system exists and is executable. -
#exist?(path) ⇒ Boolean
(also: #exists?)
Check for existence of
path
on the remote file system. -
#expand_path(path) ⇒ String
Expand any environment variables to return the full path specified by
path
. -
#exploit_data(data_directory, file) ⇒ Object
Read a local exploit file binary from the data directory.
-
#file?(path) ⇒ Boolean
(also: #file_exist?)
See if
path
exists on the remote system and is a regular file. -
#file_local_write(local_file_name, data) ⇒ void
Writes a given string to a given local file.
-
#file_remote_digestmd5(file_name) ⇒ String
Returns a MD5 checksum of a given remote file.
-
#file_remote_digestsha1(file_name) ⇒ String
Returns a SHA1 checksum of a given remote file.
-
#file_remote_digestsha2(file_name) ⇒ String
Returns a SHA2 checksum of a given remote file.
-
#immutable?(path) ⇒ Boolean
See if
path
on the remote system exists and is immutable. -
#mkdir(path) ⇒ Object
create and mark directory for cleanup.
-
#pwd ⇒ String
Returns the current working directory in the remote session.
-
#read_file(file_name) ⇒ String, Array
Platform-agnostic file read.
-
#readable?(path) ⇒ Boolean
See if
path
on the remote system exists and is readable. -
#rename_file(old_file, new_file) ⇒ Object
(also: #move_file, #mv_file)
Rename a remote file.
-
#rm_f(*remote_files) ⇒ void
(also: #file_rm)
Delete remote files.
-
#rm_rf(*remote_dirs) ⇒ void
(also: #dir_rm)
Delete remote directories.
-
#setuid?(path) ⇒ Boolean
See if
path
on the remote system is a setuid file. -
#upload_and_chmodx(path, data) ⇒ Object
Upload a binary and write it as an executable file
remote
on the remote filesystem. -
#upload_file(remote, local) ⇒ void
Read a local file
local
and write it asremote
on the remote file system. -
#writable?(path) ⇒ Boolean
See if
path
on the remote system exists and is writable. -
#write_file(file_name, data) ⇒ void
Platform-agnostic file write.
Instance Method Details
#_read_file_meterpreter(file_name) ⇒ String (protected)
Meterpreter-specific file read. Returns contents of remote file file_name
as a String or nil if there was an error
You should never call this method directly. Instead, call #read_file which will call this if it is appropriate for the given session.
520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 |
# File 'lib/msf/core/post/file.rb', line 520 def _read_file_meterpreter(file_name) fd = session.fs.file.new(file_name, "rb") data = fd.read until fd.eof? data << fd.read end data rescue EOFError # Sometimes fd isn't marked EOF in time? '' rescue ::Rex::Post::Meterpreter::RequestError => e print_error("Failed to open file: #{file_name}: #{e}") return nil ensure fd.close if fd end |
#_unix_max_line_length ⇒ Integer (protected)
Calculate the maximum line length for a unix shell.
675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 |
# File 'lib/msf/core/post/file.rb', line 675 def _unix_max_line_length # Based on autoconf's arg_max calculator, see # http://www.in-ulm.de/~mascheck/various/argmax/autoconf_check.html calc_line_max = 'i=0 max= new= str=abcd; \ while (test "X"`echo "X$str" 2>/dev/null` = "XX$str") >/dev/null 2>&1 && \ new=`expr "X$str" : ".*" 2>&1` && \ test "$i" != 17 && \ max=$new; do \ i=`expr $i + 1`; str=$str$str;\ done; echo $max' line_max = session.shell_command_token(calc_line_max).to_i # Fall back to a conservative 4k which should work on even the most # restrictive of embedded shells. line_max = (line_max == 0 ? 4096 : line_max) vprint_status("Max line length is #{line_max}") line_max end |
#_write_file_unix_shell(file_name, data, append = false) ⇒ void (protected)
This method returns an undefined value.
Write data
to the remote file file_name
.
Truncates if append
is false, appends otherwise.
You should never call this method directly. Instead, call #write_file or #append_file which will call this if it is appropriate for the given session.
549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 |
# File 'lib/msf/core/post/file.rb', line 549 def _write_file_unix_shell(file_name, data, append=false) redirect = (append ? ">>" : ">") # Short-circuit an empty string. The : builtin is part of posix # standard and should theoretically exist everywhere. if data.length == 0 session.shell_command_token(": #{redirect} #{file_name}") return end d = data.dup d.force_encoding("binary") if d.respond_to? :force_encoding chunks = [] command = nil encoding = :hex cmd_name = "" line_max = _unix_max_line_length # Leave plenty of room for the filename we're writing to and the # command to echo it out line_max -= file_name.length line_max -= 64 # Ordered by descending likeliness to work [ # POSIX standard requires %b which expands octal (but not hex) # escapes in the argument. However, some versions (notably # FreeBSD) truncate input on nulls, so "printf %b '\0\101'" # produces a 0-length string. Some also allow octal escapes # without a format string, and do not truncate, so start with # that and try %b if it doesn't work. The standalone version seems # to be more likely to work than the buitin version, so try it # first. # # Both of these work for sure on Linux and FreeBSD { :cmd => %q^/usr/bin/printf 'CONTENTS'^ , :enc => :octal, :name => "printf" }, { :cmd => %q^printf 'CONTENTS'^ , :enc => :octal, :name => "printf" }, # Works on Solaris { :cmd => %q^/usr/bin/printf %b 'CONTENTS'^ , :enc => :octal, :name => "printf" }, { :cmd => %q^printf %b 'CONTENTS'^ , :enc => :octal, :name => "printf" }, # Perl supports both octal and hex escapes, but octal is usually # shorter (e.g. 0 becomes \0 instead of \x00) { :cmd => %q^perl -e 'print("CONTENTS")'^ , :enc => :octal, :name => "perl" }, # POSIX awk doesn't have \xNN escapes, use gawk to ensure we're # getting the GNU version. { :cmd => %q^gawk 'BEGIN {ORS="";print "CONTENTS"}' </dev/null^ , :enc => :hex, :name => "awk" }, # xxd's -p flag specifies a postscript-style hexdump of unadorned hex # digits, e.g. ABCD would be 41424344 { :cmd => %q^echo 'CONTENTS'|xxd -p -r^ , :enc => :bare_hex, :name => "xxd" }, # Use echo as a last resort since it frequently doesn't support -e # or -n. bash and zsh's echo builtins are apparently the only ones # that support both. Most others treat all options as just more # arguments to print. In particular, the standalone /bin/echo or # /usr/bin/echo appear never to have -e so don't bother trying # them. { :cmd => %q^echo -ne 'CONTENTS'^ , :enc => :hex }, ].each { |foo| # Some versions of printf mangle %. test_str = "\0\xff\xfe#{Rex::Text.rand_text_alpha_upper(4)}\x7f%%\r\n" #test_str = "\0\xff\xfe" case foo[:enc] when :hex cmd = foo[:cmd].sub("CONTENTS"){ Rex::Text.to_hex(test_str) } when :octal cmd = foo[:cmd].sub("CONTENTS"){ Rex::Text.to_octal(test_str) } when :bare_hex cmd = foo[:cmd].sub("CONTENTS"){ Rex::Text.to_hex(test_str,'') } end a = session.shell_command_token("#{cmd}") if test_str == a command = foo[:cmd] encoding = foo[:enc] cmd_name = foo[:name] break else vprint_status("#{cmd} Failed: #{a.inspect} != #{test_str.inspect}") end } if command.nil? raise RuntimeError, "Can't find command on the victim for writing binary data", caller end # each byte will balloon up to 4 when we encode # (A becomes \x41 or \101) max = line_max/4 i = 0 while (i < d.length) slice = d.slice(i...(i+max)) case encoding when :hex chunks << Rex::Text.to_hex(slice) when :octal chunks << Rex::Text.to_octal(slice) when :bare_hex chunks << Rex::Text.to_hex(slice,'') end i += max end vprint_status("Writing #{d.length} bytes in #{chunks.length} chunks of #{chunks.first.length} bytes (#{encoding}-encoded), using #{cmd_name}") # The first command needs to use the provided redirection for either # appending or truncating. cmd = command.sub("CONTENTS") { chunks.shift } session.shell_command_token("#{cmd} #{redirect} \"#{file_name}\"") # After creating/truncating or appending with the first command, we # need to append from here on out. chunks.each { |chunk| vprint_status("Next chunk is #{chunk.length} bytes") cmd = command.sub("CONTENTS") { chunk } session.shell_command_token("#{cmd} >> '#{file_name}'") } true end |
#append_file(file_name, data) ⇒ void
This method returns an undefined value.
Platform-agnostic file append. Appends given object content to a remote file. Returns Boolean true if successful
NOTE: *This is not binary-safe on Windows shell sessions!*
384 385 386 387 388 389 390 391 392 393 394 395 396 397 |
# File 'lib/msf/core/post/file.rb', line 384 def append_file(file_name, data) if session.type == "meterpreter" fd = session.fs.file.new(file_name, "ab") fd.write(data) fd.close elsif session.respond_to? :shell_command_token if session.platform == 'windows' session.shell_command_token("<nul set /p=\"#{data}\" >> \"#{file_name}\"") else _write_file_unix_shell(file_name, data, true) end end true end |
#attributes(path) ⇒ Object
Retrieve file attributes for path
on the remote system
254 255 256 257 258 |
# File 'lib/msf/core/post/file.rb', line 254 def attributes(path) raise "`attributes' method does not support Windows systems" if session.platform == 'windows' cmd_exec("lsattr -l '#{path}'").to_s.scan(/^#{path}\s+(.+)$/).flatten.first.to_s.split(', ') end |
#cd(path) ⇒ void
This method returns an undefined value.
Change directory in the remote session to path
, which may be relative or absolute.
12 13 14 15 16 17 18 19 |
# File 'lib/msf/core/post/file.rb', line 12 def cd(path) e_path = (path) rescue path if session.type == "meterpreter" session.fs.dir.chdir(e_path) else session.shell_command_token("cd \"#{e_path}\"") end end |
#chmod(path, mode = 0700) ⇒ Object
Sets the permissions on a remote file
427 428 429 430 431 432 433 434 435 436 437 |
# File 'lib/msf/core/post/file.rb', line 427 def chmod(path, mode = 0700) if session.platform == 'windows' raise "`chmod' method does not support Windows systems" end if session.type == 'meterpreter' && session.commands.include?(Rex::Post::Meterpreter::Extensions::Stdapi::COMMAND_ID_STDAPI_FS_CHMOD) session.fs.file.chmod(path, mode) else cmd_exec("chmod #{mode.to_s(8)} '#{path}'") end end |
#dir(directory) ⇒ Array Also known as: ls
Returns a list of the contents of the specified directory
50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 |
# File 'lib/msf/core/post/file.rb', line 50 def dir(directory) if session.type == 'meterpreter' return session.fs.dir.entries(directory) end if session.platform == 'windows' return session.shell_command_token("dir #{directory}").split(/[\r\n]+/) end if command_exists?('ls') return session.shell_command_token("ls #{directory}").split(/[\r\n]+/) end # Result on systems without ls command if directory[-1] != '/' directory = directory + "/" end result = [] data = session.shell_command_token("for fn in #{directory}*; do echo $fn; done") parts = data.split("\n") parts.each do |line| line = line.split("/")[-1] result.insert(-1, line) end result end |
#directory?(path) ⇒ Boolean
See if path
exists on the remote system and is a directory
102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 |
# File 'lib/msf/core/post/file.rb', line 102 def directory?(path) if session.type == 'meterpreter' stat = session.fs.file.stat(path) rescue nil return false unless stat return stat.directory? else if session.platform == 'windows' f = cmd_exec("cmd.exe /C IF exist \"#{path}\\*\" ( echo true )") else f = session.shell_command_token("test -d \"#{path}\" && echo true") end return false if f.nil? || f.empty? return false unless f =~ /true/ true end end |
#executable?(path) ⇒ Boolean
See if path
on the remote system exists and is executable
183 184 185 186 187 |
# File 'lib/msf/core/post/file.rb', line 183 def executable?(path) raise "`executable?' method does not support Windows systems" if session.platform == 'windows' cmd_exec("test -x '#{path}' && echo true").to_s.include? 'true' end |
#exist?(path) ⇒ Boolean Also known as: exists?
Check for existence of path
on the remote file system
232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 |
# File 'lib/msf/core/post/file.rb', line 232 def exist?(path) if session.type == 'meterpreter' stat = session.fs.file.stat(path) rescue nil return !!(stat) else if session.platform == 'windows' f = cmd_exec("cmd.exe /C IF exist \"#{path}\" ( echo true )") else f = cmd_exec("test -e \"#{path}\" && echo true") end return false if f.nil? || f.empty? return false unless f =~ /true/ true end end |
#expand_path(path) ⇒ String
Expand any environment variables to return the full path specified by path
.
123 124 125 126 127 128 129 |
# File 'lib/msf/core/post/file.rb', line 123 def (path) if session.type == "meterpreter" return session.fs.file.(path) else return cmd_exec("echo #{path}") end end |
#exploit_data(data_directory, file) ⇒ Object
Read a local exploit file binary from the data directory
444 445 446 447 |
# File 'lib/msf/core/post/file.rb', line 444 def exploit_data(data_directory, file) file_path = ::File.join(::Msf::Config.data_directory, "exploits", data_directory, file) ::File.binread(file_path) end |
#file?(path) ⇒ Boolean Also known as: file_exist?
See if path
exists on the remote system and is a regular file
135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 |
# File 'lib/msf/core/post/file.rb', line 135 def file?(path) if session.type == 'meterpreter' stat = session.fs.file.stat(path) rescue nil return false unless stat return stat.file? else if session.platform == 'windows' f = cmd_exec("cmd.exe /C IF exist \"#{path}\" ( echo true )") if f =~ /true/ f = cmd_exec("cmd.exe /C IF exist \"#{path}\\\\\" ( echo false ) ELSE ( echo true )") end else f = session.shell_command_token("test -f \"#{path}\" && echo true") end return false if f.nil? || f.empty? return false unless f =~ /true/ true end end |
#file_local_write(local_file_name, data) ⇒ void
This method returns an undefined value.
Writes a given string to a given local file
266 267 268 269 270 271 272 273 274 275 276 |
# File 'lib/msf/core/post/file.rb', line 266 def file_local_write(local_file_name, data) fname = Rex::FileUtils.clean_path(local_file_name) unless ::File.exist?(fname) ::FileUtils.touch(fname) end output = ::File.open(fname, "a") data.each_line do |d| output.puts(d) end output.close end |
#file_remote_digestmd5(file_name) ⇒ String
THIS DOWNLOADS THE FILE
Returns a MD5 checksum of a given remote file
284 285 286 287 288 289 290 291 |
# File 'lib/msf/core/post/file.rb', line 284 def file_remote_digestmd5(file_name) data = read_file(file_name) chksum = nil if data chksum = Digest::MD5.hexdigest(data) end return chksum end |
#file_remote_digestsha1(file_name) ⇒ String
THIS DOWNLOADS THE FILE
Returns a SHA1 checksum of a given remote file
299 300 301 302 303 304 305 306 |
# File 'lib/msf/core/post/file.rb', line 299 def file_remote_digestsha1(file_name) data = read_file(file_name) chksum = nil if data chksum = Digest::SHA1.hexdigest(data) end return chksum end |
#file_remote_digestsha2(file_name) ⇒ String
THIS DOWNLOADS THE FILE
Returns a SHA2 checksum of a given remote file
314 315 316 317 318 319 320 321 |
# File 'lib/msf/core/post/file.rb', line 314 def file_remote_digestsha2(file_name) data = read_file(file_name) chksum = nil if data chksum = Digest::SHA256.hexdigest(data) end return chksum end |
#immutable?(path) ⇒ Boolean
See if path
on the remote system exists and is immutable
209 210 211 212 213 |
# File 'lib/msf/core/post/file.rb', line 209 def immutable?(path) raise "`immutable?' method does not support Windows systems" if session.platform == 'windows' attributes(path).include?('Immutable') end |
#mkdir(path) ⇒ Object
create and mark directory for cleanup
81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 |
# File 'lib/msf/core/post/file.rb', line 81 def mkdir(path) vprint_status("Creating directory #{path}") if session.type == 'meterpreter' vprint_status("Meterpreter Session") result = session.fs.dir.mkdir(path) else if session.platform == 'windows' result = cmd_exec("mkdir \"#{path}\"") else result = cmd_exec("mkdir -p '#{path}'") end end vprint_status("#{path} created") register_dir_for_cleanup(path) result end |
#pwd ⇒ String
This may be inaccurate on shell sessions running on Windows before XP/2k3
Returns the current working directory in the remote session
28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 |
# File 'lib/msf/core/post/file.rb', line 28 def pwd if session.type == "meterpreter" return session.fs.dir.getwd else if session.platform == 'windows' # XXX: %CD% only exists on XP and newer, figure something out for NT4 # and 2k return session.shell_command_token("echo %CD%") else if command_exists?("pwd") return session.shell_command_token("pwd").to_s.strip else # Result on systems without pwd command return session.shell_command_token("echo $PWD").to_s.strip end end end end |
#read_file(file_name) ⇒ String, Array
Platform-agnostic file read. Returns contents of remote file file_name
as a String.
332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 |
# File 'lib/msf/core/post/file.rb', line 332 def read_file(file_name) if session.type == 'meterpreter' return _read_file_meterpreter(file_name) end return nil unless session.type == 'shell' if session.platform == 'windows' return session.shell_command_token("type \"#{file_name}\"") end return nil unless readable?(file_name) if command_exists?('cat') return session.shell_command_token("cat \"#{file_name}\"") end # Result on systems without cat command session.shell_command_token("while read line; do echo $line; done <#{file_name}") end |
#readable?(path) ⇒ Boolean
See if path
on the remote system exists and is readable
222 223 224 225 226 |
# File 'lib/msf/core/post/file.rb', line 222 def readable?(path) raise "`readable?' method does not support Windows systems" if session.platform == 'windows' cmd_exec("test -r '#{path}' && echo true").to_s.include? 'true' end |
#rename_file(old_file, new_file) ⇒ Object Also known as: move_file, mv_file
Rename a remote file.
496 497 498 499 500 501 502 503 504 505 506 |
# File 'lib/msf/core/post/file.rb', line 496 def rename_file(old_file, new_file) if session.type == "meterpreter" return (session.fs.file.mv(old_file, new_file).result == 0) else if session.platform == 'windows' cmd_exec(%Q|move /y "#{old_file}" "#{new_file}"|) =~ /moved/ else cmd_exec(%Q|mv -f "#{old_file}" "#{new_file}"|).empty? end end end |
#rm_f(*remote_files) ⇒ void Also known as: file_rm
This method returns an undefined value.
Delete remote files
455 456 457 458 459 460 461 462 463 464 465 466 467 |
# File 'lib/msf/core/post/file.rb', line 455 def rm_f(*remote_files) remote_files.each do |remote| if session.type == "meterpreter" session.fs.file.delete(remote) if exist?(remote) else if session.platform == 'windows' cmd_exec("del /q /f \"#{remote}\"") else cmd_exec("rm -f \"#{remote}\"") end end end end |
#rm_rf(*remote_dirs) ⇒ void Also known as: dir_rm
This method returns an undefined value.
Delete remote directories
475 476 477 478 479 480 481 482 483 484 485 486 487 |
# File 'lib/msf/core/post/file.rb', line 475 def rm_rf(*remote_dirs) remote_dirs.each do |remote| if session.type == "meterpreter" session.fs.dir.rmdir(remote) if exist?(remote) else if session.platform == 'windows' cmd_exec("rd /s /q \"#{remote}\"") else cmd_exec("rm -rf \"#{remote}\"") end end end end |
#setuid?(path) ⇒ Boolean
See if path
on the remote system is a setuid file
161 162 163 164 165 166 167 168 169 170 171 172 173 174 |
# File 'lib/msf/core/post/file.rb', line 161 def setuid?(path) if session.type == 'meterpreter' stat = session.fs.file.stat(path) rescue nil return false unless stat return stat.setuid? else if session.platform != 'windows' f = session.shell_command_token("test -u \"#{path}\" && echo true") end return false if f.nil? || f.empty? return false unless f =~ /true/ true end end |
#upload_and_chmodx(path, data) ⇒ Object
Upload a binary and write it as an executable file remote
on the remote filesystem.
416 417 418 419 420 |
# File 'lib/msf/core/post/file.rb', line 416 def upload_and_chmodx(path, data) print_status "Writing '#{path}' (#{data.size} bytes) ..." write_file path, data chmod(path) end |
#upload_file(remote, local) ⇒ void
This method returns an undefined value.
Read a local file local
and write it as remote
on the remote file system
406 407 408 |
# File 'lib/msf/core/post/file.rb', line 406 def upload_file(remote, local) write_file(remote, ::File.read(local)) end |
#writable?(path) ⇒ Boolean
See if path
on the remote system exists and is writable
196 197 198 199 200 |
# File 'lib/msf/core/post/file.rb', line 196 def writable?(path) raise "`writable?' method does not support Windows systems" if session.platform == 'windows' cmd_exec("test -w '#{path}' && echo true").to_s.include? 'true' end |
#write_file(file_name, data) ⇒ void
This method returns an undefined value.
Platform-agnostic file write. Writes given object content to a remote file.
NOTE: *This is not binary-safe on Windows shell sessions!*
360 361 362 363 364 365 366 367 368 369 370 371 372 373 |
# File 'lib/msf/core/post/file.rb', line 360 def write_file(file_name, data) if session.type == "meterpreter" fd = session.fs.file.new(file_name, "wb") fd.write(data) fd.close elsif session.respond_to? :shell_command_token if session.platform == 'windows' session.shell_command_token("echo #{data} > \"#{file_name}\"") else _write_file_unix_shell(file_name, data) end end true end |