Module: Msf::Post::File

Includes:

Common

Included in:

Exploit::Remote::HTTP::Kubernetes, Android::System, Linux::BusyBox, Linux::Compile, Linux::Kernel, Linux::System, OSX::System, Process, Solaris::System, Vcenter::Database, Vcenter::Vcenter, Windows::Packrat, Windows::Runas, Windows::UserProfiles, Windows::WMIC, Sessions::CommandShell::FileTransfer, Rex::Post::Meterpreter::Extensions::Stdapi::Webcam::Webcam

Defined in:

lib/msf/core/post/file.rb

Defined Under Namespace

Classes: FileStat

Instance Method Summary

• #_append_file_powershell(file_name, data) ⇒ Object protected
• #_append_file_unix_shell(file_name, data) ⇒ void protected

  Append data to the remote file file_name.

• #_can_echo?(data) ⇒ Boolean protected

  Checks to see if there are non-printable characters in a given string.

• #_read_file_meterpreter(file_name) ⇒ String protected

  Meterpreter-specific file read.

• #_read_file_powershell(filename) ⇒ Object protected
• #_read_file_powershell_fragment(filename, chunk_size, offset = 0) ⇒ Object protected
• #_shell_command_with_success_code(cmd) ⇒ Object protected
• #_shell_process_with_success_code(executable, args) ⇒ Object protected
• #_unix_max_line_length ⇒ Integer protected

  Calculate the maximum line length for a unix shell.

• #_win_ansi_append_file(file_name, data, chunk_size = 5000) ⇒ void protected

  Windows ansi file append for shell sessions.

• #_win_ansi_write_file(file_name, data, chunk_size = 5000) ⇒ void protected

  Windows ANSI file write for shell sessions.

• #_win_bin_append_file(file_name, data, chunk_size = 5000) ⇒ void protected

  Windows binary file append for shell sessions.

• #_win_bin_write_file(file_name, data, chunk_size = 5000) ⇒ void protected

  Windows binary file write for shell sessions.

• #_write_file_meterpreter(file_name, data, mode = 'wb') ⇒ Object protected

  Meterpreter-specific file write.

• #_write_file_powershell(file_name, data, append = false) ⇒ Object protected
• #_write_file_powershell_fragment(file_name, data, offset, chunk_size, append = false) ⇒ Object protected
• #_write_file_unix_shell(file_name, data, append = false) ⇒ void protected

  Write data to the remote file file_name.

• #append_file(file_name, data) ⇒ Object

  Platform-agnostic file append.

• #attributes(path) ⇒ Object

  Retrieve file attributes for path on the remote system.

• #cd(path) ⇒ void

  Change directory in the remote session to path, which may be relative or absolute.

• #chmod(path, mode = 0o700) ⇒ Object

  Sets the permissions on a remote file.

• #copy_file(src_file, dst_file) ⇒ Boolean (also: #cp_file)

  Copy a remote file.

• #dir(directory) ⇒ Array (also: #ls)

  Returns a list of the contents of the specified directory.

• #directory?(path) ⇒ Boolean

  See if path exists on the remote system and is a directory.

• #executable?(path) ⇒ Boolean

  See if path on the remote system exists and is executable.

• #exist?(path) ⇒ Boolean (also: #exists?)

  Check for existence of path on the remote file system.

• #expand_path(path) ⇒ String

  Expand any environment variables to return the full path specified by path.

• #exploit_data(data_directory, file) ⇒ Object

  Read a local exploit file binary from the data directory.

• #exploit_source(source_directory, file) ⇒ Object

  Read a local exploit source file from the external exploits directory.

• #file?(path) ⇒ Boolean (also: #file_exist?)

  See if path exists on the remote system and is a regular file.

• #file_local_write(local_file_name, data) ⇒ void

  Writes a given string to a given local file.

• #file_remote_digestmd5(file_name, util: nil) ⇒ String

  Returns a MD5 checksum of a given remote file.

• #file_remote_digestsha1(file_name, util: nil) ⇒ String

  Returns a SHA1 checksum of a given remote file.

• #file_remote_digestsha2(file_name) ⇒ String

  Returns a SHA2 checksum of a given remote file.

• #immutable?(path) ⇒ Boolean

  See if path on the remote system exists and is immutable.

• #initialize(info = {}) ⇒ Object
• #mkdir(path) ⇒ Object

  create and mark directory for cleanup.

• #pwd ⇒ String

  Returns the current working directory in the remote session.

• #read_file(file_name) ⇒ String, Array

  Platform-agnostic file read.

• #readable?(path) ⇒ Boolean

  See if path on the remote system exists and is readable.

• #rename_file(old_file, new_file) ⇒ Boolean (also: #move_file, #mv_file)

  Renames a remote file.

• #rm_f(*remote_files) ⇒ void (also: #file_rm)

  Delete remote files.

• #rm_rf(*remote_dirs) ⇒ void (also: #dir_rm)

  Delete remote directories.

• #setuid?(path) ⇒ Boolean

  See if path on the remote system is a setuid file.

• #stat(filename) ⇒ Object protected
• #upload_and_chmodx(path, data) ⇒ Object

  Upload a binary and write it as an executable file remote on the remote filesystem.

• #upload_file(remote, local) ⇒ Object

  Read a local file local and write it as remote on the remote file system.

• #writable?(path) ⇒ Boolean

  See if path on the remote system exists and is writable.

• #write_file(file_name, data) ⇒ Object

  Platform-agnostic file write.

Methods included from Common

#clear_screen, #cmd_exec, #cmd_exec_get_pid, #cmd_exec_with_result, #command_exists?, #create_process, #get_env, #get_envs, #peer, #report_virtualization, #rhost, #rport

Instance Method Details

#_append_file_powershell(file_name, data) ⇒ Object (protected)

# File 'lib/msf/core/post/file.rb', line 707

def _append_file_powershell(file_name, data)
  _write_file_powershell(file_name, data, true)
end

#_append_file_unix_shell(file_name, data) ⇒ void (protected)

This method returns an undefined value.

Append data to the remote file file_name.

You should never call this method directly. Instead, call #append_file which will call this method if it is appropriate for the given session.

# File 'lib/msf/core/post/file.rb', line 964

def _append_file_unix_shell(file_name, data)
  _write_file_unix_shell(file_name, data, true)
end

#_can_echo?(data) ⇒ Boolean (protected)

Checks to see if there are non-printable characters in a given string

Parameters:

• data (String) —

  String to check for non-printable characters

Returns:

• (Boolean) —

  bool

# File 'lib/msf/core/post/file.rb', line 803

def _can_echo?(data)
  # Ensure all bytes are between ascii 0x20 to 0x7e (ie. [[:print]]), excluding quotes etc
  data.bytes.all? do|b|
    (b >= 0x20 && b <= 0x7e) &&
      b != '"'.ord &&
      b != '%'.ord &&
      b != '$'.ord
  end
end

#_read_file_meterpreter(file_name) ⇒ String (protected)

Meterpreter-specific file read. Returns contents of remote file file_name as a String or nil if there was an error

You should never call this method directly. Instead, call #read_file which will call this if it is appropriate for the given session.

Returns:

• (String)

# File 'lib/msf/core/post/file.rb', line 832

def _read_file_meterpreter(file_name)
  fd = session.fs.file.new(file_name, 'rb')

  data = ''.b
  data << fd.read
  data << fd.read until fd.eof?

  data
rescue EOFError
  # Sometimes fd isn't marked EOF in time?
  data
rescue ::Rex::Post::Meterpreter::RequestError => e
  print_error("Failed to open file: #{file_name}: #{e}")
  return nil
ensure
  fd.close if fd
end

#_read_file_powershell(filename) ⇒ Object (protected)

# File 'lib/msf/core/post/file.rb', line 766

def _read_file_powershell(filename)
  data = ''
  offset = 0
  chunk_size = 65536
  loop do
    chunk = _read_file_powershell_fragment(filename, chunk_size, offset)
    break if chunk.nil?

    data << chunk
    offset += chunk_size
    break if chunk.length < chunk_size
  end
  return data
end

#_read_file_powershell_fragment(filename, chunk_size, offset = 0) ⇒ Object (protected)

# File 'lib/msf/core/post/file.rb', line 781

def _read_file_powershell_fragment(filename, chunk_size, offset = 0)
  pwsh_code = <<~PSH
    $mstream = New-Object System.IO.MemoryStream;
    $gzipstream = New-Object System.IO.Compression.GZipStream($mstream, [System.IO.Compression.CompressionMode]::Compress);
    $get_bytes = [System.IO.File]::ReadAllBytes(\"#{filename}\")[#{offset}..#{offset + chunk_size - 1}];
    $gzipstream.Write($get_bytes, 0, $get_bytes.Length);
    $gzipstream.Close();
    [System.Convert]::ToBase64String($mstream.ToArray());
  PSH
  b64_data = cmd_exec(pwsh_code)
  return nil if b64_data.empty?

  uncompressed_fragment = Zlib::GzipReader.new(StringIO.new(Base64.decode64(b64_data))).read
  return uncompressed_fragment
end

#_shell_command_with_success_code(cmd) ⇒ Object (protected)

# File 'lib/msf/core/post/file.rb', line 1104

def _shell_command_with_success_code(cmd)
  token = "_#{::Rex::Text.rand_text_alpha(32)}"
  result = session.shell_command_token("#{cmd} && echo #{token}")

  return result&.include?(token)
end

#_shell_process_with_success_code(executable, args) ⇒ Object (protected)

# File 'lib/msf/core/post/file.rb', line 1111

def _shell_process_with_success_code(executable, args)
  cmd = session.to_cmd([executable] + args)
  token = "_#{::Rex::Text.rand_text_alpha(32)}"
  result = session.shell_command_token("#{cmd} && echo #{token}")

  return result&.include?(token)
end

#_unix_max_line_length ⇒ Integer (protected)

Calculate the maximum line length for a unix shell.

Returns:

• (Integer)

# File 'lib/msf/core/post/file.rb', line 1124

def _unix_max_line_length
  # Based on autoconf's arg_max calculator, see
  # http://www.in-ulm.de/~mascheck/various/argmax/autoconf_check.html
  calc_line_max = 'i=0 max= new= str=abcd; \
    while (test "X"`echo "X$str" 2>/dev/null` = "XX$str") >/dev/null 2>&1 && \
        new=`expr "X$str" : ".*" 2>&1` && \
        test "$i" != 17 && \
        max=$new; do \
      i=`expr $i + 1`; str=$str$str;\
    done; echo $max'
  line_max = session.shell_command_token(calc_line_max).to_i

  # Fall back to a conservative 4k which should work on even the most
  # restrictive of embedded shells.
  line_max = (line_max == 0 ? 4096 : line_max)
  vprint_status("Max line length is #{line_max}")

  line_max
end

#_win_ansi_append_file(file_name, data, chunk_size = 5000) ⇒ void (protected)

This method returns an undefined value.

Windows ansi file append for shell sessions. Writes given object content to a remote file.

NOTE: *This is not binary-safe on Windows shell sessions!*

Parameters:

• file_name (String) —

  Remote file name to write

• data (String) —

  Contents to put in the file

• chunk_size (int) (defaults to: 5000) —

  max size for the data chunk to write at a time

# File 'lib/msf/core/post/file.rb', line 879

def _win_ansi_append_file(file_name, data, chunk_size = 5000)
  start_index = 0
  write_length = [chunk_size, data.length].min
  while start_index < data.length
    begin
      success = _shell_command_with_success_code("echo | set /p x=\"#{data[start_index, write_length]}\">> \"#{file_name}\"")
      unless success
        print_warning("Write partially succeeded then failed. May need to manually clean up #{file_name}") unless start_index == 0
        return false
      end
      start_index += write_length
      write_length = [chunk_size, data.length - start_index].min
    rescue ::Exception => e
      print_error("Exception while running #{__method__}: #{e}")
      print_warning("May need to manually clean up #{file_name}") unless start_index == 0
      file_rm(file_name)
      return false
    end
  end

  true
end

#_win_ansi_write_file(file_name, data, chunk_size = 5000) ⇒ void (protected)

This method returns an undefined value.

Windows ANSI file write for shell sessions. Writes given object content to a remote file.

NOTE: *This is not binary-safe on Windows shell sessions!*

Parameters:

• file_name (String) —

  Remote file name to write

• data (String) —

  Contents to put in the file

• chunk_size (int) (defaults to: 5000) —

  max size for the data chunk to write at a time

# File 'lib/msf/core/post/file.rb', line 858

def _win_ansi_write_file(file_name, data, chunk_size = 5000)
  start_index = 0
  write_length = [chunk_size, data.length].min
  success = _shell_command_with_success_code("echo | set /p x=\"#{data[0, write_length]}\"> \"#{file_name}\"")
  return false unless success
  if data.length > write_length
    # just use append to finish the rest
    return _win_ansi_append_file(file_name, data[write_length, data.length], chunk_size)
  end

  true
end

#_win_bin_append_file(file_name, data, chunk_size = 5000) ⇒ void (protected)

This method returns an undefined value.

Windows binary file append for shell sessions. Appends given object content to a remote file.

Parameters:

• file_name (String) —

  Remote file name to write

• data (String) —

  Contents to put in the file

• chunk_size (int) (defaults to: 5000) —

  max size for the data chunk to write at a time

# File 'lib/msf/core/post/file.rb', line 933

def _win_bin_append_file(file_name, data, chunk_size = 5000)
  b64_data = Base64.strict_encode64(data)
  b64_filename = "#{file_name}.b64"
  tmp_filename = "#{file_name}.tmp"
  begin
    success = _win_ansi_write_file(b64_filename, b64_data, chunk_size)
    return false unless success
    vprint_status("Uploaded Base64-encoded file. Decoding using certutil")
    success = _shell_process_with_success_code('certutil', ['-decode', b64_filename, tmp_filename])
    return false unless success
    vprint_status("Certutil succeeded. Appending using copy")
    success = _shell_process_with_success_code('copy', ['/b', "#{file_name}+#{tmp_filename}", file_name])
    return false unless success
  rescue ::Exception => e
    print_error("Exception while running #{__method__}: #{e}")
    return false
  ensure
    file_rm(b64_filename)
    file_rm(tmp_filename)
  end

  true
end

#_win_bin_write_file(file_name, data, chunk_size = 5000) ⇒ void (protected)

This method returns an undefined value.

Windows binary file write for shell sessions. Writes given object content to a remote file.

Parameters:

• file_name (String) —

  Remote file name to write

• data (String) —

  Contents to put in the file

• chunk_size (int) (defaults to: 5000) —

  max size for the data chunk to write at a time

# File 'lib/msf/core/post/file.rb', line 908

def _win_bin_write_file(file_name, data, chunk_size = 5000)
  b64_data = Base64.strict_encode64(data)
  b64_filename = "#{file_name}.b64"
  begin
    success = _win_ansi_write_file(b64_filename, b64_data, chunk_size)
    return false unless success
    vprint_status("Uploaded Base64-encoded file. Decoding using certutil")
    success = _shell_process_with_success_code('certutil', ['-f', '-decode', b64_filename, file_name])
    return false unless success
  rescue ::Exception => e
    print_error("Exception while running #{__method__}: #{e}")
    return false
  ensure
    file_rm(b64_filename)
  end

  true
end

#_write_file_meterpreter(file_name, data, mode = 'wb') ⇒ Object (protected)

Meterpreter-specific file write. Returns true on success

# File 'lib/msf/core/post/file.rb', line 816

def _write_file_meterpreter(file_name, data, mode = 'wb')
  fd = session.fs.file.new(file_name, mode)
  fd.write(data)
  fd.close
  return true
rescue ::Rex::Post::Meterpreter::RequestError => e
  return false
end

#_write_file_powershell(file_name, data, append = false) ⇒ Object (protected)

# File 'lib/msf/core/post/file.rb', line 711

def _write_file_powershell(file_name, data, append = false)
  offset = 0
  chunk_size = 1000
  loop do
    success = _write_file_powershell_fragment(file_name, data, offset, chunk_size, append)
    unless success
      unless offset == 0
        print_warning("Write partially succeeded then failed. May need to manually clean up #{file_name}")
      end
      return false
    end

    # Future writes will then append, regardless of whether this is an append or write operation
    append = true
    offset += chunk_size
    break if offset >= data.length
  end

  true
end

#_write_file_powershell_fragment(file_name, data, offset, chunk_size, append = false) ⇒ Object (protected)

# File 'lib/msf/core/post/file.rb', line 732

def _write_file_powershell_fragment(file_name, data, offset, chunk_size, append = false)
  token = "_#{::Rex::Text.rand_text_alpha(32)}"
  chunk = data[offset..(offset + chunk_size-1)]
  length = chunk.length
  compressed_chunk = Rex::Text.gzip(chunk)
  encoded_chunk = Base64.strict_encode64(compressed_chunk)
  if append
    file_mode = 'Append'
  else
    file_mode = 'Create'
  end
  file_name = file_name.gsub("'","''")
  pwsh_code = <<~PSH
    try {
    $encoded='#{encoded_chunk}';
    $gzip_bytes=[System.Convert]::FromBase64String($encoded);
    $mstream = New-Object System.IO.MemoryStream(,$gzip_bytes);
    $gzipstream = New-Object System.IO.Compression.GzipStream $mstream, ([System.IO.Compression.CompressionMode]::Decompress);
    $filestream = [System.IO.File]::Open('#{file_name}', [System.IO.FileMode]::#{file_mode});
    $file_bytes=[System.Byte[]]::CreateInstance([System.Byte],#{length});
    $gzipstream.Read($file_bytes,0,$file_bytes.Length);
    $filestream.Write($file_bytes,0,$file_bytes.Length);
    $filestream.Close();
    $gzipstream.Close();
    echo Done
    } catch {
    echo #{token}
    }
  PSH
  result = cmd_exec(pwsh_code)

  return result.include?(length.to_s) && !result.include?(token) && result.include?('Done')
end

#_write_file_unix_shell(file_name, data, append = false) ⇒ void (protected)

This method returns an undefined value.

Write data to the remote file file_name.

Truncates if append is false, appends otherwise.

You should never call this method directly. Instead, call #write_file or #append_file which will call this if it is appropriate for the given session.

# File 'lib/msf/core/post/file.rb', line 978

def _write_file_unix_shell(file_name, data, append = false)
  redirect = (append ? '>>' : '>')

  # Short-circuit an empty string. The : builtin is part of posix
  # standard and should theoretically exist everywhere.
  if data.empty?
    return _shell_command_with_success_code(": #{redirect} #{session.escape_arg(file_name)}")
  end

  d = data.dup
  d.force_encoding('binary') if d.respond_to? :force_encoding

  chunks = []
  command = nil
  encoding = :hex
  cmd_name = ''

  line_max = _unix_max_line_length
  # Leave plenty of room for the filename we're writing to and the
  # command to echo it out
  line_max -= file_name.length
  line_max -= 64

  # Ordered by descending likeliness to work
  [
    # POSIX standard requires %b which expands octal (but not hex)
    # escapes in the argument. However, some versions (notably
    # FreeBSD) truncate input on nulls, so "printf %b '\0\101'"
    # produces a 0-length string. Some also allow octal escapes
    # without a format string, and do not truncate, so start with
    # that and try %b if it doesn't work. The standalone version seems
    # to be more likely to work than the builtin version, so try it
    # first.
    #
    # Both of these work for sure on Linux and FreeBSD
    { cmd: %q{/usr/bin/printf 'CONTENTS'}, enc: :octal, name: 'printf' },
    { cmd: %q{printf 'CONTENTS'}, enc: :octal, name: 'printf' },
    # Works on Solaris
    { cmd: %q{/usr/bin/printf %b 'CONTENTS'}, enc: :octal, name: 'printf' },
    { cmd: %q{printf %b 'CONTENTS'}, enc: :octal, name: 'printf' },
    # Perl supports both octal and hex escapes, but octal is usually
    # shorter (e.g. 0 becomes \0 instead of \x00)
    { cmd: %q{perl -e 'print("CONTENTS")'}, enc: :octal, name: 'perl' },
    # POSIX awk doesn't have \xNN escapes, use gawk to ensure we're
    # getting the GNU version.
    { cmd: %q^gawk 'BEGIN {ORS="";print "CONTENTS"}' </dev/null^, enc: :hex, name: 'awk' },
    # xxd's -p flag specifies a postscript-style hexdump of unadorned hex
    # digits, e.g. ABCD would be 41424344
    { cmd: %q{echo 'CONTENTS'|xxd -p -r}, enc: :bare_hex, name: 'xxd' },
    # Use echo as a last resort since it frequently doesn't support -e
    # or -n.  bash and zsh's echo builtins are apparently the only ones
    # that support both.  Most others treat all options as just more
    # arguments to print. In particular, the standalone /bin/echo or
    # /usr/bin/echo appear never to have -e so don't bother trying
    # them.
    { cmd: %q{echo -ne 'CONTENTS'}, enc: :hex },
  ].each do |foo|
    # Some versions of printf mangle %.
    test_str = "\0\xff\xfe#{Rex::Text.rand_text_alpha_upper(4)}\x7f%%\r\n"
    # test_str = "\0\xff\xfe"
    case foo[:enc]
    when :hex
      cmd = foo[:cmd].sub('CONTENTS') { Rex::Text.to_hex(test_str) }
    when :octal
      cmd = foo[:cmd].sub('CONTENTS') { Rex::Text.to_octal(test_str) }
    when :bare_hex
      cmd = foo[:cmd].sub('CONTENTS') { Rex::Text.to_hex(test_str, '') }
    end
    a = session.shell_command_token(cmd.to_s)

    if test_str == a
      command = foo[:cmd]
      encoding = foo[:enc]
      cmd_name = foo[:name]
      break
    else
      vprint_status("#{cmd} Failed: #{a.inspect} != #{test_str.inspect}")
    end
  end

  if command.nil?
    raise RuntimeError, "Can't find command on the victim for writing binary data", caller
  end

  # each byte will balloon up to 4 when we encode
  # (A becomes \x41 or \101)
  max = line_max / 4

  i = 0
  while (i < d.length)
    slice = d.slice(i...(i + max))
    case encoding
    when :hex
      chunks << Rex::Text.to_hex(slice)
    when :octal
      chunks << Rex::Text.to_octal(slice)
    when :bare_hex
      chunks << Rex::Text.to_hex(slice, '')
    end
    i += max
  end

  vprint_status("Writing #{d.length} bytes in #{chunks.length} chunks of #{chunks.first.length} bytes (#{encoding}-encoded), using #{cmd_name}")

  # The first command needs to use the provided redirection for either
  # appending or truncating.
  cmd = command.sub('CONTENTS') { chunks.shift }
  succeeded = _shell_command_with_success_code("#{cmd} #{redirect} #{session.escape_arg(file_name)}")
  return false unless succeeded

  # After creating/truncating or appending with the first command, we
  # need to append from here on out.
  chunks.each do |chunk|
    vprint_status("Next chunk is #{chunk.length} bytes")
    cmd = command.sub('CONTENTS') { chunk }

    succeeded = _shell_command_with_success_code("#{cmd} >> #{session.escape_arg(file_name)}")
    unless succeeded
      print_warning("Write partially succeeded then failed. May need to manually clean up #{file_name}")
      return false
    end
  end

  true
end

#append_file(file_name, data) ⇒ Object

Platform-agnostic file append. Appends given object content to a remote file.

Parameters:

• file_name (String) —

  Remote file name to write

• data (String) —

  Contents to put in the file

Returns:

• bool

# File 'lib/msf/core/post/file.rb', line 529

def append_file(file_name, data)
  if session.type == 'meterpreter'
    return _write_file_meterpreter(file_name, data, 'ab')
  elsif session.type == 'powershell'
    return _append_file_powershell(file_name, data)
  elsif session.respond_to? :shell_command_token
    if session.platform == 'windows'
      if _can_echo?(data)
        return _win_ansi_append_file(file_name, data)
      else
        return _win_bin_append_file(file_name, data)
      end
    else
      return _append_file_unix_shell(file_name, data)
    end
  end
end

#attributes(path) ⇒ Object

Retrieve file attributes for path on the remote system

Parameters:

• path (String) —

  Remote filename to check

# File 'lib/msf/core/post/file.rb', line 328

def attributes(path)
  raise "`attributes' method does not support Windows systems" if session.platform == 'windows'

  cmd_exec("lsattr -l '#{path}'").to_s.scan(/^#{path}\s+(.+)$/).flatten.first.to_s.split(', ')
end

#cd(path) ⇒ void

This method returns an undefined value.

Change directory in the remote session to path, which may be relative or absolute.

# File 'lib/msf/core/post/file.rb', line 43

def cd(path)
  e_path = begin
    expand_path(path)
  rescue StandardError
    path
  end
  if session.type == 'meterpreter'
    session.fs.dir.chdir(e_path)
  elsif session.type == 'powershell'
    cmd_exec("Set-Location -Path \"#{e_path}\";[System.IO.Directory]::SetCurrentDirectory($(Get-Location))")
  else
    session.shell_command_token("cd \"#{e_path}\"")
  end
  nil
end

#chmod(path, mode = 0o700) ⇒ Object

Sets the permissions on a remote file

Parameters:

• path (String) —

  Path on the remote filesystem

• mode (Fixnum) (defaults to: 0o700) —

  Mode as an octal number

# File 'lib/msf/core/post/file.rb', line 575

def chmod(path, mode = 0o700)
  if session.platform == 'windows'
    raise "`chmod' method does not support Windows systems"
  end

  if session.type == 'meterpreter' && session.commands.include?(Rex::Post::Meterpreter::Extensions::Stdapi::COMMAND_ID_STDAPI_FS_CHMOD)
    session.fs.file.chmod(path, mode)
  else
    create_process('chmod', args: [mode.to_s(8), path])
  end
end

#copy_file(src_file, dst_file) ⇒ Boolean Also known as: cp_file

Copy a remote file.

Parameters:

• src_file (String) —

  Remote source file name to copy

• dst_file (String) —

  The name for the remote destination file

Returns:

• (Boolean) —

  Return true on success and false on failure

# File 'lib/msf/core/post/file.rb', line 685

def copy_file(src_file, dst_file)
  return false if directory?(dst_file) || directory?(src_file)

  verification_token = Rex::Text.rand_text_alpha_upper(8)
  if session.type == 'meterpreter'
    begin
      return (session.fs.file.cp(src_file, dst_file).result == 0)
    rescue Rex::Post::Meterpreter::RequestError => e # when the source file is not present meterpreter will raise an error
      return false
    end
  elsif session.type == 'powershell'
    cmd_exec("Copy-Item \"#{src_file}\" -Destination \"#{dst_file}\"; if($?){echo #{verification_token}}").include?(verification_token)
  elsif session.platform == 'windows'
    cmd_exec(%(copy /y "#{src_file}" "#{dst_file}" & if not errorlevel 1 echo #{verification_token})).include?(verification_token)
  else
    cmd_exec(%(cp -f "#{src_file}" "#{dst_file}" && echo #{verification_token})).include?(verification_token)
  end
end

#dir(directory) ⇒ Array Also known as: ls

Returns a list of the contents of the specified directory

Parameters:

• directory (String) —

  the directory to list

Returns:

• (Array) —

  the contents of the directory

# File 'lib/msf/core/post/file.rb', line 86

def dir(directory)
  if session.type == 'meterpreter'
    return session.fs.dir.entries(directory)
  end

  if session.type == 'powershell'
    return cmd_exec("Get-ChildItem \"#{directory}\" -Name").split(/[\r\n]+/)
  end

  if session.platform == 'windows'
    return session.shell_command_token("dir /b \"#{directory}\"")&.split(/[\r\n]+/)
  end

  if command_exists?('ls')
    return session.shell_command_token("ls #{directory}").split(/[\r\n]+/)
  end

  # Result on systems without ls command
  if directory[-1] != '/'
    directory += '/'
  end
  result = []
  data = session.shell_command_token("for fn in #{directory}*; do echo $fn; done")
  parts = data.split("\n")
  parts.each do |line|
    line = line.split('/')[-1]
    result.insert(-1, line)
  end

  result
end

#directory?(path) ⇒ Boolean

See if path exists on the remote system and is a directory

Parameters:

• path (String) —

  Remote filename to check

Returns:

• (Boolean)

# File 'lib/msf/core/post/file.rb', line 143

def directory?(path)
  if session.type == 'meterpreter'
    stat = begin
      session.fs.file.stat(path)
    rescue StandardError
      nil
    end
    return false unless stat

    return stat.directory?
  elsif session.type == 'powershell'
    return cmd_exec("Test-Path -Path \"#{path}\" -PathType Container").include?('True')
  else
    if session.platform == 'windows'
      f = cmd_exec("cmd.exe /C IF exist \"#{path}\\*\" ( echo true )")
    else
      f = session.shell_command_token("test -d '#{path}' && echo true")
    end
    return false if f.nil? || f.empty?
    return false unless f =~ /true/

    true
  end
end

#executable?(path) ⇒ Boolean

See if path on the remote system exists and is executable

Parameters:

• path (String) —

  Remote path to check

Returns:

• (Boolean) —

  true if path exists and is executable

# File 'lib/msf/core/post/file.rb', line 234

def executable?(path)
  raise "`executable?' method does not support Windows systems" if session.platform == 'windows'

  cmd_exec("test -x '#{path}' && echo true").to_s.include? 'true'
end

#exist?(path) ⇒ Boolean Also known as: exists?

Check for existence of path on the remote file system

Parameters:

• path (String) —

  Remote filename to check

Returns:

• (Boolean)

# File 'lib/msf/core/post/file.rb', line 299

def exist?(path)
  if session.type == 'meterpreter'
    stat = begin
      session.fs.file.stat(path)
    rescue StandardError
      nil
    end
    return !!stat
  elsif session.type == 'powershell'
    return cmd_exec("Test-Path \"#{path}\"")&.include?('True')
  else
    if session.platform == 'windows'
      f = cmd_exec("cmd.exe /C IF exist \"#{path}\" ( echo true )")
    else
      f = cmd_exec("test -e \"#{path}\" && echo true")
    end
    return false if f.nil? || f.empty?
    return false unless f =~ /true/

    true
  end
end

#expand_path(path) ⇒ String

Expand any environment variables to return the full path specified by path.

Returns:

• (String)

# File 'lib/msf/core/post/file.rb', line 172

def expand_path(path)
  if session.type == 'meterpreter'
    return session.fs.file.expand_path(path)
  elsif session.type == 'powershell'
    return cmd_exec("[Environment]::ExpandEnvironmentVariables(\"#{path}\")")
  else
    return cmd_exec("echo #{path}")
  end
end

#exploit_data(data_directory, file) ⇒ Object

Read a local exploit file binary from the data directory

Parameters:

• data_directory (String) —

  Name of data directory within the exploits folder

• file (String) —

  Filename in the data folder to use.

# File 'lib/msf/core/post/file.rb', line 592

def exploit_data(data_directory, file)
  file_path = ::File.join(::Msf::Config.data_directory, 'exploits', data_directory, file)
  ::File.binread(file_path)
end

#exploit_source(source_directory, file) ⇒ Object

Read a local exploit source file from the external exploits directory

Parameters:

• source_directory (String) —

  Directory in the external/source/exploits directory to use as the source directory.

• file (String) —

  Filename in the source folder to use.

# File 'lib/msf/core/post/file.rb', line 602

def exploit_source(source_directory, file)
  file_path = ::File.join( Msf::Config.install_root, 'external', 'source', 'exploits', source_directory, file)
  ::File.read(file_path)
end

#file?(path) ⇒ Boolean Also known as: file_exist?

See if path exists on the remote system and is a regular file

Parameters:

• path (String) —

  Remote filename to check

Returns:

• (Boolean)

# File 'lib/msf/core/post/file.rb', line 186

def file?(path)
  return false if path.nil?

  if session.type == 'meterpreter'
    stat = begin
      session.fs.file.stat(path)
    rescue StandardError
      nil
    end
    return false unless stat

    return stat.file?
  elsif session.type == 'powershell'
    return cmd_exec("[System.IO.File]::Exists( \"#{path}\")")&.include?('True')
  else
    if session.platform == 'windows'
      f = cmd_exec("cmd.exe /C IF exist \"#{path}\" ( echo true )")
      if f =~ /true/
        f = cmd_exec("cmd.exe /C IF exist \"#{path}\\\\\" ( echo false ) ELSE ( echo true )")
      end
    else
      f = session.shell_command_token("test -f \"#{path}\" && echo true")
    end
    return false if f.nil? || f.empty?
    return false unless f =~ /true/

    true
  end
end

#file_local_write(local_file_name, data) ⇒ void

This method returns an undefined value.

Writes a given string to a given local file

Parameters:

• local_file_name (String)
• data (String)

# File 'lib/msf/core/post/file.rb', line 340

def file_local_write(local_file_name, data)
  fname = Rex::FileUtils.clean_path(local_file_name)
  unless ::File.exist?(fname)
    ::FileUtils.touch(fname)
  end
  output = ::File.open(fname, 'a')
  data.each_line do |d|
    output.puts(d)
  end
  output.close
end

#file_remote_digestmd5(file_name, util: nil) ⇒ String

Note:

For shell sessions, this method downloads the file from the remote host unless a hashing utility for use on the remote host is specified.

Returns a MD5 checksum of a given remote file

Parameters:

• file_name (String) —

  Remote file name

• util (Hash) (defaults to: nil) —

  a customizable set of options

Options Hash (util:):

• Remote (String) —

  file hashing utility

Returns:

• (String) —

  Hex digest of file contents

# File 'lib/msf/core/post/file.rb', line 362

def file_remote_digestmd5(file_name, util: nil)
  if session.type == 'meterpreter'
    begin
      return session.fs.file.md5(file_name)&.unpack('H*').flatten.first
    rescue StandardError => e
      print_error("Exception while running #{__method__}: #{e}")
      return nil
    end
  end

  # Note: This will fail on files larger than 2GB
  if session.type == 'powershell'
    data = cmd_exec("$md5 = New-Object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider; [System.BitConverter]::ToString($md5.ComputeHash([System.IO.File]::ReadAllBytes('#{file_name}')))")
    return unless data

    chksum = data.scan(/^([A-F0-9-]+)$/).flatten.first
    return chksum&.gsub(/-/, '')&.downcase
  end

  case util
  when 'md5'
    chksum = session.shell_command_token("md5 -q '#{file_name}'")&.strip
  when 'md5sum'
    chksum = session.shell_command_token("md5sum '#{file_name}'")&.strip.split.first
  when 'certutil'
    data = session.shell_command_token("certutil -hashfile \"#{file_name}\" MD5")
    return unless data
    chksum = data.scan(/^([a-f0-9 ]{47})\r?\n/).flatten.first&.gsub(/\s*/, '')
  else
    data = read_file(file_name)
    return unless data
    chksum = Digest::MD5.hexdigest(data)
  end

  return unless chksum =~ /\A[a-f0-9]{32}\z/

  chksum
end

#file_remote_digestsha1(file_name, util: nil) ⇒ String

Note:

For shell sessions, this method downloads the file from the remote host unless a hashing utility for use on the remote host is specified.

Returns a SHA1 checksum of a given remote file

Parameters:

• file_name (String) —

  Remote file name

• util (Hash) (defaults to: nil) —

  a customizable set of options

Options Hash (util:):

• Remote (String) —

  file hashing utility

Returns:

• (String) —

  Hex digest of file contents

# File 'lib/msf/core/post/file.rb', line 411

def file_remote_digestsha1(file_name, util: nil)
  if session.type == 'meterpreter'
    begin
      return session.fs.file.sha1(file_name)&.unpack('H*').flatten.first
    rescue StandardError => e
      print_error("Exception while running #{__method__}: #{e}")
      return nil
    end
  end

  # Note: This will fail on files larger than 2GB
  if session.type == 'powershell'
    data = cmd_exec("$sha1 = New-Object -TypeName System.Security.Cryptography.SHA1CryptoServiceProvider; [System.BitConverter]::ToString($sha1.ComputeHash([System.IO.File]::ReadAllBytes('#{file_name}')))")
    return unless data
    chksum = data.scan(/^([A-F0-9-]+)$/).flatten.first
    return chksum&.gsub(/-/, '')&.downcase
  end

  case util
  when 'sha1'
    chksum = session.shell_command_token("sha1 -q '#{file_name}'")&.strip
  when 'sha1sum'
    chksum = session.shell_command_token("sha1sum '#{file_name}'")&.strip.split.first
  when 'certutil'
    data = session.shell_command_token("certutil -hashfile \"#{file_name}\" SHA1")
    return unless data
    chksum = data.scan(/^([a-f0-9 ]{59})\r?\n/).flatten.first&.gsub(/\s*/, '')
  else
    data = read_file(file_name)
    return unless data
    chksum = Digest::SHA1.hexdigest(data)
  end

  return unless chksum =~ /\A[a-f0-9]{40}\z/

  chksum
end

#file_remote_digestsha2(file_name) ⇒ String

Note:

THIS DOWNLOADS THE FILE

Returns a SHA2 checksum of a given remote file

Parameters:

• file_name (String) —

  Remote file name

Returns:

• (String) —

  Hex digest of file contents

# File 'lib/msf/core/post/file.rb', line 455

def file_remote_digestsha2(file_name)
  data = read_file(file_name)
  chksum = nil
  if data
    chksum = Digest::SHA256.hexdigest(data)
  end
  return chksum
end

#immutable?(path) ⇒ Boolean

See if path on the remote system exists and is immutable

Parameters:

• path (String) —

  Remote path to check

Returns:

• (Boolean) —

  true if path exists and is immutable

# File 'lib/msf/core/post/file.rb', line 264

def immutable?(path)
  raise "`immutable?' method does not support Windows systems" if session.platform == 'windows'

  attributes(path).include?('Immutable')
end

#initialize(info = {}) ⇒ Object

# File 'lib/msf/core/post/file.rb', line 9

def initialize(info = {})
  super(
    update_info(
      info,
      'Compat' => {
        'Meterpreter' => {
          'Commands' => %w[
            core_channel_eof
            core_channel_open
            core_channel_read
            core_channel_write
            stdapi_fs_chdir
            stdapi_fs_chmod
            stdapi_fs_delete_dir
            stdapi_fs_delete_file
            stdapi_fs_file_expand_path
            stdapi_fs_file_move
            stdapi_fs_getwd
            stdapi_fs_ls
            stdapi_fs_mkdir
            stdapi_fs_separator
            stdapi_fs_stat
          ]
        }
      }
    )
    )
end

#mkdir(path) ⇒ Object

create and mark directory for cleanup

# File 'lib/msf/core/post/file.rb', line 121

def mkdir(path)
  result = nil
  vprint_status("Creating directory #{path}")
  if session.type == 'meterpreter'
    # behave like mkdir -p and don't throw an error if the directory exists
    result = session.fs.dir.mkdir(path) unless directory?(path)
  elsif session.type == 'powershell'
    result = cmd_exec("New-Item \"#{path}\" -itemtype directory")
  elsif session.platform == 'windows'
    result = cmd_exec("mkdir \"#{path}\"")
  else
    result = cmd_exec("mkdir -p '#{path}'")
  end
  vprint_status("#{path} created")
  register_dir_for_cleanup(path)
  result
end

#pwd ⇒ String

Note:

This may be inaccurate on shell sessions running on Windows before XP/2k3

Returns the current working directory in the remote session

Returns:

• (String)

# File 'lib/msf/core/post/file.rb', line 66

def pwd
  if session.type == 'meterpreter'
    return session.fs.dir.getwd
  elsif session.type == 'powershell'
    return cmd_exec('(Get-Location).Path').strip
  elsif session.platform == 'windows'
    return session.shell_command_token('echo %CD%').to_s.strip
  # XXX: %CD% only exists on XP and newer, figure something out for NT4
  # and 2k
  elsif command_exists?('pwd')
    return session.shell_command_token('pwd').to_s.strip
  else
    # Result on systems without pwd command
    return session.shell_command_token('echo $PWD').to_s.strip
  end
end

#read_file(file_name) ⇒ String, Array

Platform-agnostic file read. Returns contents of remote file file_name as a String.

Parameters:

• file_name (String) —

  Remote file name to read

Returns:

• (String) —

  Contents of the file

• (Array) —

  of strings(lines)

# File 'lib/msf/core/post/file.rb', line 473

def read_file(file_name)
  if session.type == 'meterpreter'
    return _read_file_meterpreter(file_name)
  end

  return unless %w[shell powershell].include?(session.type)

  if session.type == 'powershell'
    return _read_file_powershell(file_name)
  end

  if session.platform == 'windows'
    return session.shell_command_token("type \"#{file_name}\"")
  end

  return nil unless readable?(file_name)

  if command_exists?('cat')
    return session.shell_command_token("cat \"#{file_name}\"")
  end

  # Result on systems without cat command
  session.shell_command_token("while read line; do echo $line; done <#{file_name}")
end

#readable?(path) ⇒ Boolean

See if path on the remote system exists and is readable

Parameters:

• path (String) —

  Remote path to check

Returns:

• (Boolean) —

  true if path exists and is readable

# File 'lib/msf/core/post/file.rb', line 277

def readable?(path)
  verification_token = Rex::Text.rand_text_alpha(8)
  return false unless exists?(path)

  if session.type == 'powershell'
    if directory?(path)
      return cmd_exec("[System.IO.Directory]::GetFiles('#{path}'); if($?) {echo #{verification_token}}").include?(verification_token)
    else
      return cmd_exec("[System.IO.File]::OpenRead(\"#{path}\");if($?){echo\
        #{verification_token}}").include?(verification_token)
    end
  end

  raise "`readable?' method does not support Windows systems" if session.platform == 'windows'

  cmd_exec("test -r '#{path}' && echo #{verification_token}").to_s.include?(verification_token)
end

#rename_file(old_file, new_file) ⇒ Boolean Also known as: move_file, mv_file

Renames a remote file. If the new file path is a directory, the file will be moved into that directory with the same name.

Parameters:

• old_file (String) —

  Remote file name to move

• new_file (String) —

  The new name for the remote file

Returns:

• (Boolean) —

  Return true on success and false on failure

# File 'lib/msf/core/post/file.rb', line 656

def rename_file(old_file, new_file)
  verification_token = Rex::Text.rand_text_alphanumeric(8)
  if session.type == 'meterpreter'
    begin
      new_file = new_file + session.fs.file.separator + session.fs.file.basename(old_file) if directory?(new_file)
      return (session.fs.file.mv(old_file, new_file).result == 0)
    rescue Rex::Post::Meterpreter::RequestError => e
      return false
    end
  elsif session.type == 'powershell'
    cmd_exec("Move-Item \"#{old_file}\" \"#{new_file}\" -Force; if($?){echo #{verification_token}}").include?(verification_token)
  elsif session.platform == 'windows'
    return false unless file?(old_file) # adding this because when the old_file is not present it hangs for a while, should be removed after this issue is fixed.

    cmd_exec(%(move #{directory?(new_file) ? '' : '/y'} "#{old_file}" "#{new_file}" & if not errorlevel 1 echo #{verification_token})).include?(verification_token)
  else
    cmd_exec(%(mv #{directory?(new_file) ? '' : '-f'} "#{old_file}" "#{new_file}" && echo #{verification_token})).include?(verification_token)
  end
end

#rm_f(*remote_files) ⇒ void Also known as: file_rm

This method returns an undefined value.

Delete remote files

Parameters:

• remote_files (Array<String>) —

  List of remote filenames to delete

# File 'lib/msf/core/post/file.rb', line 613

def rm_f(*remote_files)
  remote_files.each do |remote|
    if session.type == 'meterpreter'
      session.fs.file.delete(remote) if file?(remote)
    elsif session.type == 'powershell'
      cmd_exec("[System.IO.File]::Delete(\"#{remote}\")") if file?(remote)
    elsif session.platform == 'windows'
      cmd_exec("del /q /f \"#{remote}\"")
    else
      cmd_exec("rm -f \"#{remote}\"")
    end
  end
end

#rm_rf(*remote_dirs) ⇒ void Also known as: dir_rm

This method returns an undefined value.

Delete remote directories

Parameters:

• remote_dirs (Array<String>) —

  List of remote directories to delete

# File 'lib/msf/core/post/file.rb', line 633

def rm_rf(*remote_dirs)
  remote_dirs.each do |remote|
    if session.type == 'meterpreter'
      session.fs.dir.rmdir(remote) if exist?(remote)
    elsif session.type == 'powershell'
      cmd_exec("Remove-Item -Path \"#{remote}\" -Force -Recurse")
    elsif session.platform == 'windows'
      cmd_exec("rd /s /q \"#{remote}\"")
    else
      cmd_exec("rm -rf \"#{remote}\"")
    end
  end
end

#setuid?(path) ⇒ Boolean

See if path on the remote system is a setuid file

Parameters:

• path (String) —

  Remote filename to check

Returns:

• (Boolean)

# File 'lib/msf/core/post/file.rb', line 222

def setuid?(path)
  stat = stat(path)
  stat.setuid?
end

#stat(filename) ⇒ Object (protected)

# File 'lib/msf/core/post/file.rb', line 1144

def stat(filename)
  if session.type == 'meterpreter'
    return session.fs.file.stat(filename)
  else
    raise NotImplementedError if session.platform == 'windows'
    raise "`stat' command doesn't exist on target system" unless command_exists?('stat')

    return FileStat.new(filename, session)
  end
end

#upload_and_chmodx(path, data) ⇒ Object

Upload a binary and write it as an executable file remote on the remote filesystem.

Parameters:

• path (String) —

  Path to the destination file on the remote filesystem

• data (String) —

  Data to be uploaded

# File 'lib/msf/core/post/file.rb', line 564

def upload_and_chmodx(path, data)
  print_status "Writing '#{path}' (#{data.size} bytes) ..."
  write_file path, data
  chmod(path)
end

#upload_file(remote, local) ⇒ Object

Read a local file local and write it as remote on the remote file system

Parameters:

• remote (String) —

  Destination file name on the remote filesystem

• local (String) —

  Local file whose contents will be uploaded

Returns:

• bool

# File 'lib/msf/core/post/file.rb', line 554

def upload_file(remote, local)
  write_file(remote, ::File.read(local, mode: 'rb'))
end

#writable?(path) ⇒ Boolean

See if path on the remote system exists and is writable

Parameters:

• path (String) —

  Remote path to check

Returns:

• (Boolean) —

  true if path exists and is writable

# File 'lib/msf/core/post/file.rb', line 247

def writable?(path)
  verification_token = Rex::Text.rand_text_alpha_upper(8)
  if session.type == 'powershell' && file?(path)
    return cmd_exec("$a=[System.IO.File]::OpenWrite('#{path}');if($?){echo #{verification_token}};$a.Close()").include?(verification_token)
  end
  raise "`writable?' method does not support Windows systems" if session.platform == 'windows'

  cmd_exec("(test -w '#{path}' || test -O '#{path}') && echo true").to_s.include? 'true'
end

#write_file(file_name, data) ⇒ Object

Platform-agnostic file write. Writes given object content to a remote file.

Parameters:

• file_name (String) —

  Remote file name to write

• data (String) —

  Contents to put in the file

Returns:

• bool

# File 'lib/msf/core/post/file.rb', line 503

def write_file(file_name, data)
  if session.type == 'meterpreter'
    return _write_file_meterpreter(file_name, data)
  elsif session.type == 'powershell'
    return _write_file_powershell(file_name, data)
  elsif session.respond_to? :shell_command_token
    if session.platform == 'windows'
      if _can_echo?(data)
        return _win_ansi_write_file(file_name, data)
      else
        return _win_bin_write_file(file_name, data)
      end
    else
      return _write_file_unix_shell(file_name, data)
    end
  else
    return false
  end
end