Add getenvs, update getenv, change extract_path use

Stacks of modules were using `extract_path` where it wasn't really semantically correct
because this was the only way to expand environment variables. This commit fixes that
up a bit.

Also, I changed the existing `getenv` function in `stdapi` to `getenvs`, and had it
support the splat operator. I added a `getenv` function which is used just for a
single variable and uses `getenvs` behind the scenes.

The meterpreter console `getenv` command now uses `getenvs`

lib/msf/core/post/windows/shadowcopy.rb

@@ -198,7 +198,7 @@ def wmicexec(wmiccmd)
     tmpout = ''
     session.response_timeout=120
     begin
-      tmp = session.fs.file.expand_path("%TEMP%")
+      tmp = session.sys.config.getenv('TEMP')
       wmicfl = tmp + "\\"+ sprintf("%.5d",rand(100000))
       r = session.sys.process.execute("cmd.exe /c %SYSTEMROOT%\\system32\\wbem\\wmic.exe /append:#{wmicfl} #{wmiccmd}", nil, {'Hidden' => true})
       sleep(2)

lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb

@@ -37,7 +37,7 @@ def getuid
   # Returns a hash of requested environment variables, along with their values.
   # If a requested value doesn't exist in the response, then the value wasn't found.
   #
-  def getenv(var_names)
+  def getenvs(*var_names)
     request = Packet.create_request('stdapi_sys_config_getenv')
 
     var_names.each do |v|
@@ -56,6 +56,13 @@ def getenv(var_names)
     return result
   end
 
+  #
+  # Returns the value of a single requested environment variable name
+  #
+  def getenv(var_name)
+    getenvs(var_name)[var_name]
+  end
+
   #
   # Returns a hash of information about the remote computer.
   #

lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb

@@ -280,7 +280,7 @@ def cmd_getuid(*args)
   end
 
   def cmd_getenv(*args)
-    vars = client.sys.config.getenv(args)
+    vars = client.sys.config.getenvs(*args)
 
     if vars.length == 0
       print_error("None of the specified environment variables were found/set.")

modules/exploits/multi/http/struts_default_action_mapper.rb

@@ -89,7 +89,7 @@ def on_new_session(session)
       win_file = file.gsub("/", "\\\\")
       if session.type == "meterpreter"
         begin
-          wintemp = session.fs.file.expand_path("%TEMP%")
+          wintemp = session.sys.config.getenv('TEMP')
           win_file = "#{wintemp}\\#{win_file}"
           session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
           session.fs.file.rm(win_file)

modules/exploits/windows/browser/honeywell_hscremotedeploy_exec.rb

@@ -68,13 +68,11 @@ def exploit
   def on_new_session(session)
     if session.type == "meterpreter"
       session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
-    end
 
-    @dropped_files.delete_if do |file|
-      win_file = file.gsub("/", "\\\\")
-      if session.type == "meterpreter"
+      @dropped_files.delete_if do |file|
+        win_file = file.gsub("/", "\\\\")
         begin
-          wintemp = session.fs.file.expand_path("%TEMP%")
+          wintemp = session.sys.config.getenv('TEMP')
           win_file = "#{wintemp}\\#{win_file}"
           session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
           session.fs.file.rm(win_file)
@@ -84,7 +82,6 @@ def on_new_session(session)
           print_error("Failed to delete #{win_file}")
           false
         end
-
       end
     end
   end

modules/exploits/windows/browser/honeywell_tema_exec.rb

@@ -74,13 +74,11 @@ def exploit
   def on_new_session(session)
     if session.type == "meterpreter"
       session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
-    end
 
-    @dropped_files.each do |file|
-      win_file = file.gsub("/", "\\\\")
-      if session.type == "meterpreter"
+      @dropped_files.each do |file|
+        win_file = file.gsub("/", "\\\\")
         begin
-          wintemp = session.fs.file.expand_path("%WINDIR%")
+          wintemp = session.sys.config.getenv('WINDIR')
           win_file = "#{wintemp}\\Temp\\#{win_file}"
           # Meterpreter should do this automatically as part of
           # fs.file.rm().  Until that has been implemented, remove the
@@ -93,7 +91,6 @@ def on_new_session(session)
           print_error("Failed to delete #{win_file}")
           false
         end
-
       end
     end
 
@@ -169,4 +166,4 @@ def on_request_uri(cli, request)
 
   end
 
-end
+end

modules/exploits/windows/browser/notes_handler_cmdinject.rb

@@ -72,13 +72,11 @@ def exploit
   def on_new_session(session)
     if session.type == "meterpreter"
       session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
-    end
 
-    @dropped_files.delete_if do |file|
-      win_file = file.gsub("/", "\\\\")
-      if session.type == "meterpreter"
+      @dropped_files.delete_if do |file|
+        win_file = file.gsub("/", "\\\\")
         begin
-          wintemp = session.fs.file.expand_path("%TEMP%")
+          wintemp = session.sys.config.getenv('TEMP')
           win_file = "#{wintemp}\\#{win_file}"
           # Meterpreter should do this automatically as part of
           # fs.file.rm().  Until that has been implemented, remove the
@@ -91,7 +89,6 @@ def on_new_session(session)
           print_error("Failed to delete #{win_file}")
           false
         end
-
       end
     end
 
@@ -184,4 +181,4 @@ def on_request_uri(cli, request)
 
   end
 
-end
+end

modules/exploits/windows/browser/oracle_webcenter_checkoutandopen.rb

@@ -66,13 +66,11 @@ def exploit
   def on_new_session(session)
     if session.type == "meterpreter"
       session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
-    end
 
-    @dropped_files.delete_if do |file|
-      win_file = file.gsub("/", "\\\\")
-      if session.type == "meterpreter"
+      @dropped_files.delete_if do |file|
+        win_file = file.gsub("/", "\\\\")
         begin
-          wintemp = session.fs.file.expand_path("%TEMP%")
+          wintemp = session.sys.config.getenv('TEMP')
           win_file = "#{wintemp}\\#{win_file}"
           session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
           session.fs.file.rm(win_file)
@@ -82,7 +80,6 @@ def on_new_session(session)
           print_error("Failed to delete #{win_file}")
           false
         end
-
       end
     end
   end
@@ -257,4 +254,4 @@ def on_request_uri(cli, request)
 solution because it allows to pass URL's as arguments. And code executed by mshta is on a privileged zone. Other
 executables allow to provide SMB URI's but metasploit only allow to 'simulate' a SMB resource through webdav, so
 the target should have the WebClient service enabled, which is only enabled by default on XP SP3.
-=end
+=end

modules/exploits/windows/http/hp_nnm_ovbuildpath_textfile.rb

@@ -98,7 +98,7 @@ def on_new_session(client)
 
     # Use the system path for executable to run except the wordpad
     if client.sys.config.sysinfo["OS"] =~ /Windows XP/
-      windir = client.fs.file.expand_path("%ProgramFiles%")
+      windir = client.sys.config.getenv('ProgramFiles')
       cmd="#{windir}\\Windows NT\\Accessories\\wordpad.exe"
     else # Windows 2000
         cmd = "notepad.exe"

modules/exploits/windows/local/adobe_sandbox_adobecollabsync.rb

@@ -76,7 +76,7 @@ def on_new_session
   # Usint this solution atm because I'm experiencing problems with railgun when trying
   # use GetTokenInformation
   def low_integrity_level?
-    tmp_dir = expand_path("%TEMP%")
+    tmp_dir = session.sys.config.getenv('TEMP')
     cd(tmp_dir)
     new_dir = "#{rand_text_alpha(5)}"
     begin

modules/exploits/windows/local/agnitum_outpost_acs.rb

@@ -137,7 +137,7 @@ def exploit
     if datastore["WritableDir"] and not datastore["WritableDir"].empty?
       temp_dir = datastore["WritableDir"]
     else
-      temp_dir = expand_path("%TEMP%")
+      temp_dir = client.sys.config.getenv('TEMP')
     end
 
     print_status("Using #{temp_dir} to drop malicious DLL...")

modules/exploits/windows/local/ask.rb

@@ -80,7 +80,7 @@ def exploit
     if datastore["PATH"]
       payload_path = datastore["PATH"]
     else
-      payload_path = session.fs.file.expand_path("%TEMP%")
+      payload_path = session.sys.config.getenv('TEMP')
     end
 
     cmd_location = "#{payload_path}\\#{payload_filename}"

modules/exploits/windows/local/bypassuac.rb

@@ -42,7 +42,7 @@ def initialize(info={})
   def runas_method
     payload = generate_payload_exe
     payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
-    tmpdir = expand_path("%TEMP%")
+    tmpdir = session.sys.config.getenv('TEMP')
     tempexe = tmpdir + "\\" + payload_filename
     write_file(tempexe, payload)
     print_status("Uploading payload: #{tempexe}")
@@ -126,7 +126,7 @@ def exploit
       bpexe = ::File.join(path, "bypassuac-x86.exe")
     end
 
-    tmpdir = expand_path("%TEMP%")
+    tmpdir = session.sys.config.getenv('TEMP')
     cmd = "#{tmpdir}\\#{bypass_uac_filename} /c #{tmpdir}\\#{payload_filename}"
 
     print_status("Uploading the bypass UAC executable to the filesystem...")

modules/exploits/windows/local/current_user_psexec.rb

@@ -76,7 +76,7 @@ def exploit
 
       # Build a random name for the share and directory
       share_name = Rex::Text.rand_text_alphanumeric(8)
-      drive = session.fs.file.expand_path("%SYSTEMDRIVE%")
+      drive = session.sys.config.getenv('SYSTEMDRIVE')
       share_dir = "#{drive}\\#{share_name}"
 
       # Create them

modules/exploits/windows/local/ms10_092_schelevator.rb

@@ -93,7 +93,7 @@ def exploit
     cmd = datastore["CMD"] || nil
     upload_fn = nil
 
-    tempdir = session.fs.file.expand_path("%TEMP%")
+    tempdir = session.sys.config.getenv('TEMP')
     if not cmd
       # Get the exe payload.
       exe = generate_payload_exe
@@ -111,7 +111,7 @@ def exploit
     # Create a new task to do our bidding, but make sure it doesn't run.
     #
     taskname ||= Rex::Text.rand_text_alphanumeric(8+rand(8))
-    sysdir = session.fs.file.expand_path("%SystemRoot%")
+    sysdir = session.sys.config.getenv('SystemRoot')
     taskfile = "#{sysdir}\\system32\\tasks\\#{taskname}"
 
     print_status("Creating task: #{taskname}")

modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb

@@ -72,7 +72,7 @@ def initialize(info={})
   end
 
   def low_integrity_level?
-    tmp_dir = expand_path("%USERPROFILE%")
+    tmp_dir = session.sys.config.getenv('USERPROFILE')
     cd(tmp_dir)
     new_dir = "#{rand_text_alpha(5)}"
     begin
@@ -133,7 +133,7 @@ def exploit
     if datastore['TECHNIQUE'] == 'FILE'
       payload_file = "#{rand_text_alpha(5+rand(3))}.exe"
       begin
-        tmp_dir = expand_path("%TEMP%")
+        tmp_dir = session.sys.config.getenv('TEMP')
         tmp_dir << "\\Low" unless tmp_dir[-3,3] =~ /Low/i
         cd(tmp_dir)
         print_status("Trying to drop payload to #{tmp_dir}...")
@@ -186,7 +186,7 @@ def make_it(command)
 
       # Spawn low integrity cmd.exe
       print_status("Spawning Low Integrity Cmd Prompt")
-      windir = client.fs.file.expand_path("%windir%")
+      windir = session.sys.config.getenv('windir')
       li_cmd_pid = client.sys.process.execute("#{windir}\\system32\\cmd.exe", nil, {'Hidden' => false }).pid
 
       count = count_cmd_procs

modules/exploits/windows/local/ms_ndproxy.rb

@@ -193,7 +193,7 @@ def fill_memory(proc, address, length, content)
   end
 
   def create_proc
-    windir = expand_path("%windir%")
+    windir = session.sys.config.getenv('windir')
     cmd = "#{windir}\\System32\\notepad.exe"
     # run hidden
     begin

modules/exploits/windows/local/nvidia_nvsvc.rb

@@ -138,7 +138,7 @@ def exploit
 
     print_status("Launching notepad to host the exploit...")
 
-    windir = expand_path("%windir%")
+    windir = session.sys.config.getenv('windir')
     cmd = "#{windir}\\SysWOW64\\notepad.exe"
     process = client.sys.process.execute(cmd, nil, {'Hidden' => true})
     host_process = client.sys.process.open(process.pid, PROCESS_ALL_ACCESS)

modules/exploits/windows/local/payload_inject.rb

@@ -117,7 +117,7 @@ def arch_check(pid)
   # Creates a temp notepad.exe to inject payload in to given the payload
   # Returns process PID
   def create_temp_proc()
-    windir = client.fs.file.expand_path("%windir%")
+    windir = client.sys.config.getenv('windir')
     # Select path of executable to run depending the architecture
     if @payload_arch.first== "x86" and client.platform =~ /x86/
       cmd = "#{windir}\\System32\\notepad.exe"

modules/exploits/windows/local/persistence.rb

@@ -130,7 +130,7 @@ def log_file(log_path = nil)
 
   # Writes script to target host
   def write_script_to_target(vbs,name)
-    tempdir = expand_path("%TEMP%")
+    tempdir = session.sys.config.getenv('TEMP')
     if name == nil
       tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
     else

modules/exploits/windows/local/ppr_flatten_rec.rb

@@ -78,7 +78,7 @@ def initialize(info={})
   def check
     os = sysinfo["OS"]
     if os =~ /windows/i
-      file_path = expand_path("%windir%") << "\\system32\\win32k.sys"
+      file_path = session.sys.config.getenv('windir') << "\\system32\\win32k.sys"
       major, minor, build, revision, branch = file_version(file_path)
       vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision}")
 

modules/exploits/windows/local/s4u_persistence.rb

@@ -115,7 +115,7 @@ def generate_rexename
   # Returns path for XML and payload
   def generate_path(rexename)
     # Generate a path to write payload and XML
-    path = datastore['PATH'] || expand_path("%TEMP%")
+    path = datastore['PATH'] || session.sys.config.getenv('TEMP')
     xml_path = "#{path}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}.xml"
     rexe_path = "#{path}\\#{rexename}"
     return xml_path,rexe_path

modules/exploits/windows/local/service_permissions.rb

@@ -59,8 +59,9 @@ def exploit
 
     exe = Msf::Util::EXE.to_win32pe_service(session.framework, raw)
 
-    sysdir = session.fs.file.expand_path("%SystemRoot%")
-    tmpdir = session.fs.file.expand_path("%TEMP%")
+    dir_env = session.sys.config.getenvs('SystemRoot', 'TEMP')
+    sysdir = dir_env['SystemRoot']
+    tmpdir = dir_env['TEMP']
 
     print_status("Meterpreter stager executable #{exe.length} bytes long being uploaded..")
     begin
@@ -122,7 +123,7 @@ def exploit
         moved = false
         configed = false
         #default path, but there should be an ImagePath registry key
-        source = session.fs.file.expand_path("%SYSTEMROOT%\\system32\\#{serv}.exe")
+        source = "#{sysdir}\\system32\\#{serv}.exe"
         #get path to exe; parse out quotes and arguments
         sourceorig = registry_getvaldata("#{serviceskey}\\#{serv}","ImagePath").to_s
         sourcemaybe = session.fs.file.expand_path(sourceorig)

modules/exploits/windows/misc/altiris_ds_sqli.rb

@@ -190,7 +190,7 @@ def on_new_session(client)
       end
     end
 
-    win_temp = client.fs.file.expand_path("%TEMP%")
+    win_temp = client.sys.config.getenv('TEMP')
     win_file = "#{win_temp}\\#{payload_exe}"
     print_status("Attempting to delete #{win_file} ...")
     client.shell_command_token(%Q|attrib.exe -r #{win_file}|)

modules/exploits/windows/novell/file_reporter_fsfui_upload.rb

@@ -77,7 +77,7 @@ def on_new_session(client)
 
     begin
       print_good("Deleting the VBS payload \"#{@var_vbs_name}.vbs\" ...")
-      windir = client.fs.file.expand_path("%WINDIR%")
+      windir = client.sys.config.getenv('WINDIR')
       client.fs.file.rm("#{windir}\\system32\\" + @var_vbs_name + ".vbs")
       print_good("Deleting the MOF file \"#{@var_mof_name}.mof\" ...")
       cmd = "#{windir}\\system32\\attrib.exe -r " +

modules/exploits/windows/novell/netiq_pum_eval.rb

@@ -92,7 +92,7 @@ def on_new_session(session)
       win_file = file.gsub("/", "\\\\")
       if session.type == "meterpreter"
         begin
-          windir = session.fs.file.expand_path("%WINDIR%")
+          windir = session.sys.config.getenv('WINDIR')
           win_file = "#{windir}\\system32\\#{win_file}"
           # Meterpreter should do this automatically as part of
           # fs.file.rm().  Until that has been implemented, remove the

modules/post/linux/manage/download_exec.rb

@@ -45,7 +45,7 @@ def cmd_exec_vprint(cmd)
   end
 
   def exists_exe?(exe)
-    path = expand_path("$PATH")
+    path = session.sys.config.getenv("PATH")
     if path.nil? or path.empty?
       return false
     end