Class: Rex::Post::Meterpreter::Ui::Console::CommandDispatcher::Priv::Timestomp

Inherits:

Object

Object
Rex::Post::Meterpreter::Ui::Console::CommandDispatcher::Priv::Timestomp

show all

Includes:: Rex::Post::Meterpreter::Ui::Console::CommandDispatcher

Defined in:: lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/timestomp.rb

Overview

This class provides commands that interact with the timestomp feature set of the privilege escalation extension.

Constant Summary collapse

Klass =

Console::CommandDispatcher::Priv::Timestomp

@@timestomp_opts =

Rex::Parser::Arguments.new(
  "-m" => [ true,  "Set the \"last written\" time of the file" ],
  "-a" => [ true,  "Set the \"last accessed\" time of the file" ],
  "-c" => [ true,  "Set the \"creation\" time of the file" ],
  "-e" => [ true,  "Set the \"mft entry modified\" time of the file" ],
  "-z" => [ true,  "Set all four attributes (MACE) of the file" ],
  "-f" => [ true,  "Set the MACE of attributes equal to the supplied file" ],
  "-b" => [ false, "Set the MACE timestamps so that EnCase shows blanks" ],
  "-r" => [ false, "Set the MACE timestamps recursively on a directory" ],
  "-v" => [ false, "Display the UTC MACE values of the file" ],
  "-h" => [ false, "Help banner" ]
)

Instance Attribute Summary

Attributes included from Ui::Text::DispatcherShell::CommandDispatcher

#shell, #tab_complete_items

Instance Method Summary collapse

#cmd_timestomp(*args) ⇒ Object

This command provides the same level of features that vinnie’s command line timestomp interface provides with a similar argument set.
#commands ⇒ Object

List of supported commands.
#name ⇒ Object

Name for this dispatcher.
#str_to_time(str) ⇒ Object protected

Converts a date/time in the form of MM/DD/YYYY HH24:MI:SS.

Instance Method Details

#cmd_timestomp(*args) ⇒ `Object`

This command provides the same level of features that vinnie’s command line timestomp interface provides with a similar argument set.

# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/timestomp.rb', line 53

def cmd_timestomp(*args)
  paths = []

  modified  = nil
  accessed  = nil
  creation  = nil
  emodified = nil

  blank_file_mace = false
  blank_directory_mace = false
  get_file_mace = false
  help = false

  @@timestomp_opts.parse(args) do |opt, _idx, val|
    case opt
    when "-m"
      modified  = str_to_time(val)
    when "-a"
      accessed  = str_to_time(val)
    when "-c"
      creation  = str_to_time(val)
    when "-e"
      emodified = str_to_time(val)
    when "-z"
      modified  = str_to_time(val)
      accessed  = str_to_time(val)
      creation  = str_to_time(val)
      emodified = str_to_time(val)
    when "-f"
      print_status("Pulling MACE attributes from #{val}")
      hash = client.priv.fs.get_file_mace(val)
      if hash
        modified = hash['Modified']
        accessed = hash['Accessed']
        creation = hash['Created']
        emodified = hash['Entry Modified']
      end
    when "-b"
      blank_file_mace = true
    when "-r"
      blank_directory_mace = true
    when "-v"
      get_file_mace = true
    when "-h"
      help = true
    when nil
      paths << val
    end
  end

  if paths.empty?
    print_line("\nNo paths specified.")
    return nil
  end

  if !(modified || accessed || creation || emodified ||
       blank_file_mace || blank_directory_mace || get_file_mace) || help
    print_line("\nUsage: timestomp <file(s)> OPTIONS\n" +
      @@timestomp_opts.usage)
    return nil
  end

  paths.uniq.each do |path|

    # If any one of the four times were specified, change them.
    if modified || accessed || creation || emodified
      print_status("Setting specific MACE attributes on #{path}")
      client.priv.fs.set_file_mace(path, modified, accessed, creation, emodified)
    end

    if blank_file_mace
      print_status("Blanking file MACE attributes on #{path}")
      client.priv.fs.blank_file_mace(path)
    end

    if blank_directory_mace
      print_status("Blanking directory MACE attributes on #{path}")
      client.priv.fs.blank_directory_mace(path)
    end

    if get_file_mace
      hash = client.priv.fs.get_file_mace(path)
      print_status("Showing MACE attributes for #{path}")
      print_line("Modified      : #{hash['Modified']}")
      print_line("Accessed      : #{hash['Accessed']}")
      print_line("Created       : #{hash['Created']}")
      print_line("Entry Modified: #{hash['Entry Modified']}")
    end
  end
end

#commands ⇒ `Object`

List of supported commands.

# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/timestomp.rb', line 36

def commands
  {
    'timestomp' => 'Manipulate file MACE attributes'
  }
end

#name ⇒ `Object`

Name for this dispatcher.



45
46
47

# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/timestomp.rb', line 45

def name
  'Priv: Timestomp'
end

#str_to_time(str) ⇒ `Object` (protected)

Converts a date/time in the form of MM/DD/YYYY HH24:MI:SS

# File 'lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/timestomp.rb', line 149

def str_to_time(str) # :nodoc:
  unless str.nil?
    _r, mon, day, year, hour, min, sec =
      str.match("^(\\d+?)/(\\d+?)/(\\d+?) (\\d+?):(\\d+?):(\\d+?)$").to_a
  end

  if str.nil? || mon.nil?
    raise ArgumentError, "Invalid date format, expected MM/DD/YYYY HH24:MI:SS (got #{str})"
  end

  ::Time.mktime(year, mon, day, hour, min, sec, 0)
end

Class: Rex::Post::Meterpreter::Ui::Console::CommandDispatcher::Priv::Timestomp

Overview

Constant Summary collapse

Instance Attribute Summary

Attributes included from Ui::Text::DispatcherShell::CommandDispatcher

Instance Method Summary collapse

Methods included from Rex::Post::Meterpreter::Ui::Console::CommandDispatcher

Methods included from Msf::Ui::Console::CommandDispatcher::Session

Methods included from Ui::Text::DispatcherShell::CommandDispatcher

Instance Method Details

#cmd_timestomp(*args) ⇒ Object

#commands ⇒ Object

#name ⇒ Object

#str_to_time(str) ⇒ Object (protected)

#cmd_timestomp(*args) ⇒ `Object`

#commands ⇒ `Object`

#name ⇒ `Object`

#str_to_time(str) ⇒ `Object` (protected)