rex 2.0.8 → 2.0.9

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/lanattacks/dhcp.rb

@@ -177,7 +177,7 @@ class Console::CommandDispatcher::Lanattacks::Dhcp
 
   def print_dhcp_load_options_usage
     print("dhcp_load_options <datastore> [-h]\n\n" +
-          "Load settings from a datstore to the active DHCP server.\n\n" +
+          "Load settings from a datastore to the active DHCP server.\n\n" +
           "The datastore must be a hash of name/value pairs.\n" +
           "Valid names are:\n" +
           @@dhcp_set_option_valid_options.map {|o| "  - #{o}\n" }.join('') +

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/mimikatz.rb

@@ -37,7 +37,7 @@ class Console::CommandDispatcher::Mimikatz
   #
   def commands
     {
-      "mimikatz_command" => "Run a custom commannd",
+      "mimikatz_command" => "Run a custom command",
       "wdigest" => "Attempt to retrieve wdigest creds",
       "msv" => "Attempt to retrieve msv creds (hashes)",
       "livessp" => "Attempt to retrieve livessp creds",

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb

@@ -17,17 +17,20 @@ class Console::CommandDispatcher::Priv::Elevate
 
   include Console::CommandDispatcher
 
-  ELEVATE_TECHNIQUE_NONE					= -1
-  ELEVATE_TECHNIQUE_ANY					= 0
-  ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE		= 1
-  ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE2	= 2
-  ELEVATE_TECHNIQUE_SERVICE_TOKENDUP		= 3
-
-  ELEVATE_TECHNIQUE_DESCRIPTION = [ 	"All techniques available",
-                    "Service - Named Pipe Impersonation (In Memory/Admin)",
-                    "Service - Named Pipe Impersonation (Dropper/Admin)",
-                    "Service - Token Duplication (In Memory/Admin)"
-                  ]
+  ELEVATE_TECHNIQUE_NONE               = -1
+  ELEVATE_TECHNIQUE_ANY                = 0
+  ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE  = 1
+  ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE2 = 2
+  ELEVATE_TECHNIQUE_SERVICE_TOKENDUP   = 3
+
+  ELEVATE_TECHNIQUE_DESCRIPTION =
+    [
+      "All techniques available",
+      "Named Pipe Impersonation (In Memory/Admin)",
+      "Named Pipe Impersonation (Dropper/Admin)",
+      "Token Duplication (In Memory/Admin)"
+    ]
+
   #
   # List of supported commands.
   #
@@ -45,6 +48,25 @@ class Console::CommandDispatcher::Priv::Elevate
   end
 
 
+  #
+  # Returns the description of the technique(s)
+  #
+  def translate_technique_index(index)
+    translation = ''
+
+    case index
+    when 0
+      desc = ELEVATE_TECHNIQUE_DESCRIPTION.dup
+      desc.shift
+      translation = desc
+    else
+      translation = [ ELEVATE_TECHNIQUE_DESCRIPTION[index] ]
+    end
+
+    translation
+  end
+
+
   #
   # Attempt to elevate the meterpreter to that of local system.
   #
@@ -73,17 +95,29 @@ class Console::CommandDispatcher::Priv::Elevate
     }
 
     if( technique < 0 or technique >= ELEVATE_TECHNIQUE_DESCRIPTION.length )
-      print_error( "Technique '#{technique}' is out of range." );
+      print_error( "Technique '#{technique}' is out of range." )
       return false;
     end
 
-    result = client.priv.getsystem( technique )
+    begin
+      result = client.priv.getsystem( technique )
+    rescue Rex::Post::Meterpreter::RequestError => e
+      print_error("#{e.message} The following was attempted:")
+      translate_technique_index(technique).each do |desc|
+        print_error(desc)
+      end
+      elog("#{e.class} #{e.message} (Technique: #{technique})\n#{e.backtrace * "\n"}")
+      return
+    end
 
     # got system?
     if result[0]
-      print_line( "...got system (via technique #{result[1]})." );
+      print_line( "...got system via technique #{result[1]} (#{translate_technique_index(result[1]).first})." )
     else
-      print_line( "...failed to get system." );
+      print_line( "...failed to get system while attempting the following:" )
+      translate_technique_index(technique).each do |desc|
+        print_error(desc)
+      end
     end
 
     return result

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/timestomp.rb

@@ -52,12 +52,21 @@ class Console::CommandDispatcher::Priv::Timestomp
   #
   def cmd_timestomp(*args)
     if (args.length < 2)
-      print_line("\nUsage: timestomp file_path OPTIONS\n" +
+      print_line("\nUsage: timestomp OPTIONS file_path\n" +
         @@timestomp_opts.usage)
       return
     end
 
-    file_path = args.shift
+    file_path = nil
+    args.each { |a| file_path = a unless a[0] == "-" }
+
+    if file_path.nil?
+      print_line("\nNo file_path specified.")
+      return
+    end
+
+    args.delete(file_path)
+
     modified  = nil
     accessed  = nil
     creation  = nil

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/python.rb

@@ -0,0 +1,187 @@
+# -*- coding: binary -*-
+require 'rex/post/meterpreter'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+###
+#
+# Python extension - interact with a python interpreter
+#
+###
+class Console::CommandDispatcher::Python
+
+  Klass = Console::CommandDispatcher::Python
+
+  include Console::CommandDispatcher
+
+  #
+  # Name for this dispatcher
+  #
+  def name
+    'Python'
+  end
+
+  #
+  # List of supported commands.
+  #
+  def commands
+    {
+      'python_reset'              => 'Resets/restarts the Python interpreter',
+      'python_execute'            => 'Execute a python command string',
+      'python_import'             => 'Import/run a python file or module'
+    }
+  end
+
+  def cmd_python_reset(*args)
+    client.python.reset
+    print_good('Python interpreter successfully reset')
+  end
+
+  @@python_import_opts = Rex::Parser::Arguments.new(
+    '-h' => [false, 'Help banner'],
+    '-f' => [true,  'Path to the file (.py, .pyc), or module directory to import'],
+    '-n' => [true,  'Name of the module (optional, for single files only)'],
+    '-r' => [true,  'Name of the variable containing the result (optional, single files only)']
+  )
+
+  def python_import_usage
+    print_line('Usage: python_import <-f file path> [-n mod name] [-r result var name]')
+    print_line
+    print_line('Loads a python code file or module from disk into memory on the target.')
+    print_line('The module loader requires a path to a folder that contains the module,')
+    print_line('and the folder name will be used as the module name. Only .py files will')
+    print_line('work with modules.')
+    print_line(@@python_import_opts.usage)
+  end
+
+  #
+  # Import/run a python file
+  #
+  def cmd_python_import(*args)
+    if args.length == 0 || args.include?('-h')
+      python_import_usage
+      return false
+    end
+
+    result_var = nil
+    source = nil
+    mod_name = nil
+
+    @@python_import_opts.parse(args) { |opt, idx, val|
+      case opt
+      when '-f'
+        source = val
+      when '-n'
+        mod_name = val
+      when '-r'
+        result_var = val
+      end
+    }
+
+    unless source
+      print_error("The -f parameter must be specified")
+      return false
+    end
+
+    if ::File.directory?(source)
+      files = ::Find.find(source).select { |p| /.*\.py$/ =~ p }
+      if files.length == 0
+        fail_with("No .py files found in #{source}")
+      end
+
+      base_name = ::File.basename(source)
+      unless source.end_with?('/')
+        source << '/'
+      end
+
+      print_status("Importing #{source} with base module name #{base_name} ...")
+
+      files.each do |file|
+        rel_path = file[source.length, file.length - source.length]
+        parts = rel_path.split('/')
+
+        mod_parts = [base_name] + parts[0, parts.length - 1]
+
+        if parts[-1] != '__init__.py'
+          mod_parts << ::File.basename(parts[-1], '.*')
+        end
+
+        mod_name = mod_parts.join('.')
+        print_status("Importing #{file} as #{mod_name} ...")
+        result = client.python.import(file, mod_name, nil)
+        handle_exec_result(result, nil)
+      end
+    else
+      print_status("Importing #{source} ...")
+      result = client.python.import(source, mod_name, result_var)
+      handle_exec_result(result, result_var)
+    end
+
+  end
+
+  @@python_execute_opts = Rex::Parser::Arguments.new(
+    '-h' => [false, 'Help banner'],
+    '-r' => [true,  'Name of the variable containing the result (optional)']
+  )
+
+  def python_execute_usage
+    print_line('Usage: python_execute <python code> [-r result var name]')
+    print_line
+    print_line('Runs the given python string on the target. If a result is required,')
+    print_line('it should be stored in a python variable, and that variable should')
+    print_line('passed using the -r parameter.')
+    print_line(@@python_execute_opts.usage)
+  end
+
+  #
+  # Execute a simple python command string
+  #
+  def cmd_python_execute(*args)
+    if args.length == 0 || args.include?('-h')
+      python_execute_usage
+      return false
+    end
+
+    code = args.shift
+    result_var = nil
+
+    @@python_execute_opts.parse(args) { |opt, idx, val|
+      case opt
+      when '-r'
+        result_var = val
+      end
+    }
+
+    result = client.python.execute_string(code, result_var)
+
+    handle_exec_result(result, result_var)
+  end
+
+private
+
+  def handle_exec_result(result, result_var)
+    if result[:result]
+      print_good("#{result_var} = #{result[:result]}")
+    elsif result[:stdout].length == 0 and result[:stderr].length == 0
+      print_good("Command executed without returning a result")
+    end
+
+    if result[:stdout].length > 0
+      print_good("Content written to stdout:\n#{result[:stdout]}")
+    end
+
+    if result[:stderr].length > 0
+      print_error("Content written to stderr:\n#{result[:stderr]}")
+    end
+  end
+
+end
+
+end
+end
+end
+end
+

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb

@@ -1,5 +1,6 @@
 # -*- coding: binary -*-
 require 'tempfile'
+require 'filesize'
 require 'rex/post/meterpreter'
 
 module Rex
@@ -30,49 +31,63 @@ class Console::CommandDispatcher::Stdapi::Fs
   @@upload_opts = Rex::Parser::Arguments.new(
     "-h" => [ false, "Help banner." ],
     "-r" => [ false, "Upload recursively." ])
+  #
+  # Options for the ls command
+  #
+  @@ls_opts = Rex::Parser::Arguments.new(
+    "-h" => [ false, "Help banner." ],
+    "-S" => [ true, "Search string." ],
+    "-t" => [ false, "Sort by time" ],
+    "-s" => [ false, "Sort by size" ],
+    "-r" => [ false, "Reverse sort order" ],
+    "-x" => [ false, "Show short file names" ],
+    "-l" => [ false, "List in long format (default)" ],
+    "-R" => [ false, "Recursively list subdirectories encountered" ])
 
   #
   # List of supported commands.
   #
   def commands
     all = {
-      "cat"      => "Read the contents of a file to the screen",
-      "cd"       => "Change directory",
-      "del"      => "Delete the specified file",
-      "download" => "Download a file or directory",
-      "edit"     => "Edit a file",
-      "getlwd"   => "Print local working directory",
-      "getwd"    => "Print working directory",
-      "lcd"      => "Change local working directory",
-      "lpwd"     => "Print local working directory",
-      "ls"       => "List files",
-      "mkdir"    => "Make directory",
-      "pwd"      => "Print working directory",
-      "rm"       => "Delete the specified file",
-      "mv"	   => "Move source to destination",
-      "rmdir"    => "Remove directory",
-      "search"   => "Search for files",
-      "upload"   => "Upload a file or directory",
+      'cat'        => 'Read the contents of a file to the screen',
+      'cd'         => 'Change directory',
+      'del'        => 'Delete the specified file',
+      'download'   => 'Download a file or directory',
+      'edit'       => 'Edit a file',
+      'getlwd'     => 'Print local working directory',
+      'getwd'      => 'Print working directory',
+      'lcd'        => 'Change local working directory',
+      'lpwd'       => 'Print local working directory',
+      'ls'         => 'List files',
+      'mkdir'      => 'Make directory',
+      'pwd'        => 'Print working directory',
+      'rm'         => 'Delete the specified file',
+      'mv'	       => 'Move source to destination',
+      'rmdir'      => 'Remove directory',
+      'search'     => 'Search for files',
+      'upload'     => 'Upload a file or directory',
+      'show_mount' => 'List all mount points/logical drives',
     }
 
     reqs = {
-      "cat"      => [ ],
-      "cd"       => [ "stdapi_fs_chdir" ],
-      "del"      => [ "stdapi_fs_rm" ],
-      "download" => [ ],
-      "edit"     => [ ],
-      "getlwd"   => [ ],
-      "getwd"    => [ "stdapi_fs_getwd" ],
-      "lcd"      => [ ],
-      "lpwd"     => [ ],
-      "ls"       => [ "stdapi_fs_stat", "stdapi_fs_ls" ],
-      "mkdir"    => [ "stdapi_fs_mkdir" ],
-      "pwd"      => [ "stdapi_fs_getwd" ],
-      "rmdir"    => [ "stdapi_fs_delete_dir" ],
-      "rm"       => [ "stdapi_fs_delete_file" ],
-      "mv"       => [ "stdapi_fs_file_move" ],
-      "search"   => [ "stdapi_fs_search" ],
-      "upload"   => [ ],
+      'cat'        => [],
+      'cd'         => ['stdapi_fs_chdir'],
+      'del'        => ['stdapi_fs_rm'],
+      'download'   => [],
+      'edit'       => [],
+      'getlwd'     => [],
+      'getwd'      => ['stdapi_fs_getwd'],
+      'lcd'        => [],
+      'lpwd'       => [],
+      'ls'         => ['stdapi_fs_stat', 'stdapi_fs_ls'],
+      'mkdir'      => ['stdapi_fs_mkdir'],
+      'pwd'        => ['stdapi_fs_getwd'],
+      'rmdir'      => ['stdapi_fs_delete_dir'],
+      'rm'         => ['stdapi_fs_delete_file'],
+      'mv'         => ['stdapi_fs_file_move'],
+      'search'     => ['stdapi_fs_search'],
+      'upload'     => [],
+      'show_mount' => ['stdapi_fs_mount_show'],
     }
 
     all.delete_if do |cmd, desc|
@@ -99,57 +114,101 @@ class Console::CommandDispatcher::Stdapi::Fs
   #
   # Search for files.
   #
-  def cmd_search( *args )
+  def cmd_search(*args)
 
     root    = nil
-    glob    = nil
     recurse = true
+    globs   = []
+    files   = []
 
     opts = Rex::Parser::Arguments.new(
       "-h" => [ false, "Help Banner." ],
       "-d" => [ true,  "The directory/drive to begin searching from. Leave empty to search all drives. (Default: #{root})" ],
-      "-f" => [ true,  "The file pattern glob to search for. (e.g. *secret*.doc?)" ],
+      "-f" => [ true,  "A file pattern glob to search for. (e.g. *secret*.doc?)" ],
       "-r" => [ true,  "Recursivly search sub directories. (Default: #{recurse})" ]
     )
 
     opts.parse(args) { | opt, idx, val |
       case opt
         when "-h"
-          print_line( "Usage: search [-d dir] [-r recurse] -f pattern" )
-          print_line( "Search for files." )
-          print_line( opts.usage )
+          print_line("Usage: search [-d dir] [-r recurse] -f pattern [-f pattern]...")
+          print_line("Search for files.")
+          print_line(opts.usage)
           return
         when "-d"
           root = val
         when "-f"
-          glob = val
+          globs << val
         when "-r"
-          recurse = false if( val =~ /^(f|n|0)/i )
+          recurse = false if val =~ /^(f|n|0)/i
       end
     }
 
-    if( not glob )
-      print_error( "You must specify a valid file glob to search for, e.g. >search -f *.doc" )
+    if globs.empty?
+      print_error("You must specify a valid file glob to search for, e.g. >search -f *.doc")
       return
     end
 
-    files = client.fs.file.search( root, glob, recurse )
+    globs.uniq.each do |glob|
+      files += client.fs.file.search(root, glob, recurse)
+    end
 
-    if( not files.empty? )
-      print_line( "Found #{files.length} result#{ files.length > 1 ? 's' : '' }..." )
-      files.each do | file |
-        if( file['size'] > 0 )
-          print( "    #{file['path']}#{ file['path'].empty? ? '' : '\\' }#{file['name']} (#{file['size']} bytes)\n" )
-        else
-          print( "    #{file['path']}#{ file['path'].empty? ? '' : '\\' }#{file['name']}\n" )
-        end
+    if files.empty?
+      print_line("No files matching your search were found.")
+      return
+    end
+
+    print_line("Found #{files.length} result#{ files.length > 1 ? 's' : '' }...")
+    files.each do | file |
+      if file['size'] > 0
+        print("    #{file['path']}#{ file['path'].empty? ? '' : '\\' }#{file['name']} (#{file['size']} bytes)\n")
+      else
+        print("    #{file['path']}#{ file['path'].empty? ? '' : '\\' }#{file['name']}\n")
       end
-    else
-      print_line( "No files matching your search were found." )
     end
 
   end
 
+  #
+  # Show all the mount points/logical drives (currently geared towards
+  # the Windows Meterpreter).
+  #
+  def cmd_show_mount(*args)
+    if args.include?('-h')
+      print_line('Usage: show_mount')
+      return true
+    end
+
+    mounts = client.fs.mount.show_mount
+
+    table = Rex::Ui::Text::Table.new(
+      'Header'    => 'Mounts / Drives',
+      'Indent'    => 0,
+      'SortIndex' => 0,
+      'Columns'   => [
+        'Name', 'Type', 'Size (Total)', 'Size (Free)', 'Mapped to'
+      ]
+    )
+
+    mounts.each do |d|
+      ts = ::Filesize.from("#{d[:total_space]} B").pretty.split(' ')
+      fs = ::Filesize.from("#{d[:free_space]} B").pretty.split(' ')
+      table << [
+        d[:name],
+        d[:type],
+        "#{ts[0].rjust(6)} #{ts[1].ljust(3)}",
+        "#{fs[0].rjust(6)} #{fs[1].ljust(3)}",
+        d[:unc]
+      ]
+    end
+
+    print_line
+    print_line(table.to_s)
+    print_line
+    print_line("Total mounts/drives: #{mounts.length}")
+    print_line
+  end
+
   #
   # Reads the contents of a file and prints them to the screen.
   #
@@ -223,29 +282,41 @@ class Console::CommandDispatcher::Stdapi::Fs
 
   alias :cmd_del :cmd_rm
 
-        #   
-        # Move source to destination
-        #   
-        def cmd_mv(*args)
-                if (args.length < 2)
-                        print_line("Usage: mv oldfile newfile")
-                        return true
-                end 
+  #
+  # Move source to destination
+  #
+  def cmd_mv(*args)
+    if (args.length < 2)
+      print_line("Usage: mv oldfile newfile")
+      return true
+    end
+    client.fs.file.mv(args[0],args[1])
+    return true
+  end
 
-                client.fs.file.mv(args[0],args[1])
+  alias :cmd_move :cmd_mv
+  alias :cmd_rename :cmd_mv
 
-                return true
-        end 
+  #
+  # Move source to destination
+  #
+  def cmd_cp(*args)
+    if (args.length < 2)
+      print_line("Usage: cp oldfile newfile")
+      return true
+    end
+    client.fs.file.cp(args[0],args[1])
+    return true
+  end
 
-        alias :cmd_move :cmd_mv
-  alias :cmd_rename :cmd_mv
+  alias :cmd_copy :cmd_cp
 
 
   def cmd_download_help
-    print_line "Usage: download [options] src1 src2 src3 ... destination"
+    print_line("Usage: download [options] src1 src2 src3 ... destination")
     print_line
-    print_line "Downloads remote files and directories to the local machine."
-    print_line @@download_opts.usage
+    print_line("Downloads remote files and directories to the local machine.")
+    print_line(@@download_opts.usage)
   end
 
   #
@@ -289,24 +360,62 @@ class Console::CommandDispatcher::Stdapi::Fs
       dest = last
     end
 
+    # Download to a directory, not a pattern
+    if client.fs.file.is_glob?(dest)
+      dest = ::File.dirname(dest)
+    end
+
     # Go through each source item and download them
     src_items.each { |src|
-      stat = client.fs.file.stat(src)
+      glob = nil
+      if client.fs.file.is_glob?(src)
+        glob = ::File.basename(src)
+        src = ::File.dirname(src)
+      end
 
-      if (stat.directory?)
-        client.fs.dir.download(dest, src, recursive, true) { |step, src, dst|
-          print_status("#{step.ljust(11)}: #{src} -> #{dst}")
-          client.framework.events.on_session_download(client, src, dest) if msf_loaded?
-        }
-      elsif (stat.file?)
-        client.fs.file.download(dest, src) { |step, src, dst|
-          print_status("#{step.ljust(11)}: #{src} -> #{dst}")
-          client.framework.events.on_session_download(client, src, dest) if msf_loaded?
-        }
+      # Use search if possible for recursive pattern matching. It will work
+      # more intuitively since it will not try to match on intermediate
+      # directories, only file names.
+      if glob && recursive && client.commands.include?('stdapi_fs_search')
+
+        files = client.fs.file.search(src, glob, recursive)
+        if !files.empty?
+          print_line("Downloading #{files.length} file#{files.length > 1 ? 's' : ''}...")
+
+          files.each do |file|
+            src_separator = client.fs.file.separator
+            src_path = file['path'] + client.fs.file.separator + file['name']
+            dest_path = src_path.tr(src_separator, ::File::SEPARATOR)
+
+            client.fs.file.download(dest_path, src_path) do |step, src, dst|
+              puts step
+              print_status("#{step.ljust(11)}: #{src} -> #{dst}")
+              client.framework.events.on_session_download(client, src, dest) if msf_loaded?
+            end
+          end
+
+        else
+          print_status("No matching files found for download")
+        end
+
+      else
+        # Perform direct matching
+        stat = client.fs.file.stat(src)
+        if (stat.directory?)
+          client.fs.dir.download(dest, src, recursive, true, glob) do |step, src, dst|
+            print_status("#{step.ljust(11)}: #{src} -> #{dst}")
+            client.framework.events.on_session_download(client, src, dest) if msf_loaded?
+          end
+        elsif (stat.file?)
+          client.fs.file.download(dest, src) do |step, src, dst|
+            print_status("#{step.ljust(11)}: #{src} -> #{dst}")
+            client.framework.events.on_session_download(client, src, dest) if msf_loaded?
+          end
+        end
       end
     }
 
-    return true
+    true
   end
 
   #
@@ -324,16 +433,8 @@ class Console::CommandDispatcher::Stdapi::Fs
     meterp_temp.binmode
     temp_path = meterp_temp.path
 
-    begin
-      # Download the remote file to the temporary file
-      client.fs.file.download_file(temp_path, args[0])
-    rescue RequestError => re
-      # If the file doesn't exist, then it's okay.  Otherwise, throw the
-      # error.
-      if re.result != 2
-        raise $!
-      end
-    end
+    # Try to download the file, but don't worry if it doesn't exist
+    client.fs.file.download_file(temp_path, args[0]) rescue nil
 
     # Spawn the editor (default to vi)
     editor = Rex::Compat.getenv('EDITOR') || 'vi'
@@ -357,49 +458,139 @@ class Console::CommandDispatcher::Stdapi::Fs
 
   alias cmd_getlwd cmd_lpwd
 
+
+  def cmd_ls_help
+    print_line "Usage: ls [options]"
+    print_line
+    print_line "Lists contents of directory or file info, searchable"
+    print_line @@ls_opts.usage
+  end
+
+  def list_path(path, columns, sort, order, short, recursive = false, depth = 0, search_term = nil)
+
+    # avoid infinite recursion
+    if depth > 100
+      return
+    end
+
+    tbl = Rex::Ui::Text::Table.new(
+      'Header'  => "Listing: #{path}",
+      'SortIndex' => columns.index(sort),
+      'SortOrder' => order,
+      'Columns' => columns,
+      'SearchTerm' => search_term)
+
+    items = 0
+
+    # Enumerate each item...
+    # No need to sort as Table will do it for us
+    client.fs.dir.entries_with_info(path).each do |p|
+
+      ffstat = p['StatBuf']
+      fname = p['FileName'] || 'unknown'
+
+      row = [
+          ffstat ? ffstat.prettymode : '',
+          ffstat ? ffstat.size       : '',
+          ffstat ? ffstat.ftype[0,3] : '',
+          ffstat ? ffstat.mtime      : '',
+          fname
+        ]
+      row.insert(4, p['FileShortName'] || '') if short
+
+      if fname != '.' && fname != '..'
+        if row.join(' ') =~ /#{search_term}/
+          tbl << row
+          items += 1
+        end
+
+        if recursive && ffstat && ffstat.directory?
+          if client.fs.file.is_glob?(path)
+            child_path = ::File.dirname(path) + ::File::SEPARATOR + fname
+            child_path += ::File::SEPARATOR + ::File.basename(path)
+          else
+            child_path = path + ::File::SEPARATOR + fname
+          end
+          begin
+            list_path(child_path, columns, sort, order, short, recursive, depth + 1, search_term)
+          rescue RequestError
+          end
+        end
+      end
+    end
+
+    if items > 0
+      print_line(tbl.to_s)
+    else
+      print_line("No entries exist in #{path}")
+    end
+  end
+
   #
   # Lists files
   #
-  # TODO: make this more useful
-  #
   def cmd_ls(*args)
-    path = args[0] || client.fs.dir.getwd
-    tbl  = Rex::Ui::Text::Table.new(
-      'Header'  => "Listing: #{path}",
-      'SortIndex' => 4,
-      'Columns' =>
-        [
-          'Mode',
-          'Size',
-          'Type',
-          'Last modified',
-          'Name',
-        ])
+    # Set defaults
+    path = client.fs.dir.getwd
+    search_term = nil
+    sort = 'Name'
+    short = nil
+    order = :forward
+    recursive = nil
+
+    # Parse the args
+    @@ls_opts.parse(args) { |opt, idx, val|
+      case opt
+      # Sort options
+      when '-s'
+        sort = 'Size'
+      when '-t'
+        sort = 'Last modified'
+      # Output options
+      when '-x'
+        short = true
+      when '-l'
+        short = nil
+      when '-r'
+        order = :reverse
+      when '-R'
+        recursive = true
+      # Search
+      when '-S'
+        search_term = val
+        if search_term.nil?
+          print_error("Enter a search term")
+          return true
+        else
+          search_term = /#{search_term}/nmi
+        end
+      # Help and path
+      when "-h"
+        cmd_ls_help
+        return 0
+      when nil
+        path = val
+      end
+    }
 
-    items = 0
-    stat = client.fs.file.stat(path)
-    if stat.directory?
-      # Enumerate each item...
-      # No need to sort as Table will do it for us
-      client.fs.dir.entries_with_info(path).each { |p|
-
-        tbl <<
-          [
-            p['StatBuf'] ? p['StatBuf'].prettymode : '',
-            p['StatBuf'] ? p['StatBuf'].size       : '',
-            p['StatBuf'] ? p['StatBuf'].ftype[0,3] : '',
-            p['StatBuf'] ? p['StatBuf'].mtime      : '',
-            p['FileName'] || 'unknown'
-          ]
-
-        items += 1
-      }
-
-      if (items > 0)
-        print("\n" + tbl.to_s + "\n")
-      else
-        print_line("No entries exist in #{path}")
+    columns = [ 'Mode', 'Size', 'Type', 'Last modified', 'Name' ]
+    columns.insert(4, 'Short Name') if short
+
+    stat_path = path
+
+    # Check session capabilities
+    is_glob = client.fs.file.is_glob?(path)
+    if is_glob
+      if !client.commands.include?('stdapi_fs_search')
+        print_line('File globbing not supported with this session')
+        return
       end
+      stat_path = ::File.dirname(path)
+    end
+
+    stat = client.fs.file.stat(stat_path)
+    if stat.directory?
+      list_path(path, columns, sort, order, short, recursive, 0, search_term)
     else
       print_line("#{stat.prettymode}  #{stat.size}  #{stat.ftype[0,3]}  #{stat.mtime}  #{path}")
     end
@@ -452,10 +643,10 @@ class Console::CommandDispatcher::Stdapi::Fs
   end
 
   def cmd_upload_help
-    print_line "Usage: upload [options] src1 src2 src3 ... destination"
+    print_line("Usage: upload [options] src1 src2 src3 ... destination")
     print_line
-    print_line "Uploads local files and directories to the remote machine."
-    print_line @@upload_opts.usage
+    print_line("Uploads local files and directories to the remote machine.")
+    print_line(@@upload_opts.usage)
   end
 
   #