Class: Rex::Post::Meterpreter::Ui::Console::CommandDispatcher::Priv::Timestomp

Inherits:
Object
  • Object
Includes:
Rex::Post::Meterpreter::Ui::Console::CommandDispatcher
Defined in:
lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/timestomp.rb

Overview

This class provides the `timestomp` console command, which drives the timestomp feature set of the priv (privilege escalation) extension: reading, setting, copying or blanking the MACE (Modified, Accessed, Created, Entry-modified) timestamps of files on the target. This is an anti-forensics capability — the timestamp changes are irreversible — so use it only within the agreed scope of an engagement.

Constant Summary

# Self-reference to this dispatcher class.
Klass =
Console::CommandDispatcher::Priv::Timestomp
# Option table for the timestomp command. Each entry has the shape
#   flag => [ takes_argument, help_text ]
# The flags marked true (-m/-a/-c/-e/-z/-f) consume the following token: a
# timestamp in MM/DD/YYYY HH24:MI:SS form, or for -f the path of a reference
# file whose MACE values are copied. The flags marked false are bare switches.
# NOTE(review): the -r help text says "recursively on a directory" while the
# handler it maps to in cmd_timestomp calls blank_directory_mace; confirm the
# wording matches what the extension actually does before relying on it.
@@timestomp_opts =
Rex::Parser::Arguments.new(
  "-m" => [ true,  "Set the \"last written\" time of the file" ],
  "-a" => [ true,  "Set the \"last accessed\" time of the file" ],
  "-c" => [ true,  "Set the \"creation\" time of the file" ],
  "-e" => [ true,  "Set the \"mft entry modified\" time of the file" ],
  "-z" => [ true,  "Set all four attributes (MACE) of the file" ],
  "-f" => [ true,  "Set the MACE of attributes equal to the supplied file" ],
  "-b" => [ false, "Set the MACE timestamps so that EnCase shows blanks" ],
  "-r" => [ false, "Set the MACE timestamps recursively on a directory" ],
  "-v" => [ false, "Display the UTC MACE values of the file" ],
  "-h" => [ false, "Help banner" ]
)

Instance Attribute Summary

Attributes included from Ui::Text::DispatcherShell::CommandDispatcher

#shell, #tab_complete_items

Instance Method Summary

Methods included from Rex::Post::Meterpreter::Ui::Console::CommandDispatcher

check_hash, #client, #docs_dir, #filter_commands, #initialize, #log_error, #msf_loaded?, set_hash

Methods included from Ui::Text::DispatcherShell::CommandDispatcher

#cmd_help, #cmd_help_help, #cmd_help_tabs, #deprecated_cmd, #deprecated_commands, #deprecated_help, #docs_dir, #help_to_s, #initialize, #print, #print_error, #print_good, #print_line, #print_status, #print_warning, #tab_complete_directory, #tab_complete_filenames, #tab_complete_generic, #tab_complete_source_address, #update_prompt

Instance Method Details

#cmd_timestomp(*args) ⇒ Object

This command offers the same feature set as the original command-line timestomp tool (vinnie's), with a similar argument set; see the option table above for the flags.


# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/timestomp.rb', line 53

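# Parse the timestomp command line and apply the requested MACE
# (Modified / Accessed / Created / Entry-modified) operations to each
# target path through the priv extension's filesystem API
# (client.priv.fs.set_file_mace / blank_file_mace / blank_directory_mace /
# get_file_mace).
#
# args - the raw console arguments. Every token that is not an option is a
#        target path; duplicate paths are collapsed. Options are applied in
#        the order given, so a -m/-a/-c/-e after -f overrides that value.
#
# Returns nil when it bails out early (help, no paths, no operation); on the
# normal path the return value is incidental.
#
# Timestamp values are parsed by str_to_time, which raises ArgumentError on
# malformed input; that exception propagates to the console.
#
# NOTE(review): every write here is destructive and there is no undo - the
# original timestamps are lost once overwritten. Record them with -v first
# if they may be needed later.
def cmd_timestomp(*args)
  paths = []

  modified  = nil
  accessed  = nil
  creation  = nil
  emodified = nil

  blank_file_mace = false
  blank_directory_mace = false
  get_file_mace = false
  help = false

  @@timestomp_opts.parse(args) do |opt, _idx, val|
    case opt
    when "-m"
      modified  = str_to_time(val)
    when "-a"
      accessed  = str_to_time(val)
    when "-c"
      creation  = str_to_time(val)
    when "-e"
      emodified = str_to_time(val)
    when "-z"
      # One parse serves all four attributes.
      stamp = str_to_time(val)
      modified  = stamp
      accessed  = stamp
      creation  = stamp
      emodified = stamp
    when "-f"
      # Copy the MACE values of a reference file on the target.
      print_status("Pulling MACE attributes from #{val}")
      hash = client.priv.fs.get_file_mace(val)
      if hash
        modified  = hash['Modified']
        accessed  = hash['Accessed']
        creation  = hash['Created']
        emodified = hash['Entry Modified']
      else
        print_error("Could not read MACE attributes from #{val}")
      end
    when "-b"
      blank_file_mace = true
    when "-r"
      # The help text says "recursively on a directory"; the call this maps
      # to is blank_directory_mace below.
      blank_directory_mace = true
    when "-v"
      get_file_mace = true
    when "-h"
      help = true
    when nil
      paths << val
    end
  end

  # -h must work without any path, so it is checked before the path check
  # (previously "timestomp -h" printed "No paths specified." instead).
  if help
    print_line("\nUsage: timestomp <file(s)> OPTIONS\n" +
      @@timestomp_opts.usage)
    return nil
  end

  if paths.empty?
    print_line("\nNo paths specified.")
    return nil
  end

  unless modified || accessed || creation || emodified ||
         blank_file_mace || blank_directory_mace || get_file_mace
    print_line("\nUsage: timestomp <file(s)> OPTIONS\n" +
      @@timestomp_opts.usage)
    return nil
  end

  paths.uniq.each do |path|
    # If any one of the four times were specified, change them; the ones not
    # given are passed through as nil.
    if modified || accessed || creation || emodified
      print_status("Setting specific MACE attributes on #{path}")
      client.priv.fs.set_file_mace(path, modified, accessed, creation, emodified)
    end

    if blank_file_mace
      print_status("Blanking file MACE attributes on #{path}")
      client.priv.fs.blank_file_mace(path)
    end

    if blank_directory_mace
      print_status("Blanking directory MACE attributes on #{path}")
      client.priv.fs.blank_directory_mace(path)
    end

    if get_file_mace
      hash = client.priv.fs.get_file_mace(path)
      # Tolerate a nil result the same way the -f branch does instead of
      # failing with NoMethodError on hash['Modified'].
      unless hash
        print_error("Could not read MACE attributes from #{path}")
        next
      end
      print_status("Showing MACE attributes for #{path}")
      print_line("Modified      : #{hash['Modified']}")
      print_line("Accessed      : #{hash['Accessed']}")
      print_line("Created       : #{hash['Created']}")
      print_line("Entry Modified: #{hash['Entry Modified']}")
    end
  end
end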

#commands ⇒ Object

List of supported commands.


# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/timestomp.rb', line 36

# Commands this dispatcher registers with the console, mapped to the
# one-line help text shown next to each.
def commands
  table = {}
  table['timestomp'] = 'Manipulate file MACE attributes'
  table
end

#name ⇒ Object

Name for this dispatcher.


# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/timestomp.rb', line 45

# Human-readable name of this dispatcher, as shown by the console.
def name
  "Priv: Timestomp"
end

#str_to_time(str) ⇒ Object (protected)

Converts a date/time string of the form MM/DD/YYYY HH24:MI:SS into a Time (built with Time.mktime, i.e. in the local time zone); raises ArgumentError when the string is nil or does not match the format.


# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/timestomp.rb', line 149

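# Convert a date/time string of the form MM/DD/YYYY HH24:MI:SS into a Time.
#
# str - the user-supplied string, or nil.
#
# Returns a Time built with Time.mktime, i.e. interpreted in the local time
# zone with zero microseconds.
# Raises ArgumentError when str is nil or does not match the format; an
# out-of-range field (e.g. month 13) is rejected by Time.mktime, which also
# raises ArgumentError.
#
# The pattern is anchored with \A and \z so the whole string must match.
# The previous ^/$ anchors match per line, so input with a newline and
# trailing text after a valid timestamp was silently accepted.
def str_to_time(str) # :nodoc:
  fields = str.match(%r{\A(\d+)/(\d+)/(\d+) (\d+):(\d+):(\d+)\z}) unless str.nil?

  if fields.nil?
    raise ArgumentError, "Invalid date format, expected MM/DD/YYYY HH24:MI:SS (got #{str})"
  end

  # Base 10 explicitly so leading zeros ("08") are not read as octal.
  mon, day, year, hour, min, sec = fields.captures.map { |f| Integer(f, 10) }
  Time.mktime(year, mon, day, hour, min, sec, 0)
end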