Gather foxmail password #14218
Conversation
documentation/modules/post/windows/gather/credentials/foxmail.md
```ruby
  )
end

def find_string(file, offset, length = 0)
```
You seem to be doing a lot of stuff here that could possibly be replaced with a simpler regex expression. Is there a reason you can't use regex instead of this function?
```ruby
while index < file.length
  if (file[index] && file[index] > "\x20" && file[index] < "\x7f" && file[index] != "\x3d")
    buffer += file[index]
    if ['Email', 'IncomingServer', 'OutgoingServer', 'Password'].include?(buffer)
      email_info[buffer] = find_string(file, index + offset) || nil
    elsif ['IncomingPort', 'OutgoingPort'].include?(buffer)
      email_info[buffer] = find_string(file, index + 5, 2) || nil
    elsif ['InComingSSL', 'OutgoingSSL'].include?(buffer)
      email_info[buffer] = find_string(file, index + 5, 2) == 1 || false
```
A lot of this could probably be replaced by regex statements. May be something to consider as it will greatly simplify the logic of this code and help make it easier to maintain.
It would appear that this module is sort of working but some of the results are...how do I put it....odd? Here is me dumping a login for a test Gmail account using the current module running on a Windows 10 x64 v2004 machine with FoxMail 7.2.19.158 (latest updates).
Not sure what the |
Can you share your Account.rec0 configuration file? My Account.rec0 file can be decrypted normally.
@cn-kali-team Sure, here is the ZIP with all of the files from the Accounts directory of the user: I don't know if the recent versions of FoxMail updated their logic as https://github.com/jacobsoo/FoxmailRecovery notes the code only works for version 6.5 to 7.1.3.52, and the version I tested this on was 7.2.19.158. Were you still able to decrypt the file even on 7.2.19.158?
I found that I didn't enter a password when I logged in to Gmail; maybe Gmail uses another way to verify the account. I found "GmailAccessToken", "GmailAuthCode" and "GmailIDToken" in the configuration file. Warning: please make sure that you have revoked Foxmail's authorization, otherwise someone else may log in to your Gmail. If you have not revoked Foxmail's authorization, please do so; your token may have been leaked.
@cn-kali-team The account is a test account, but will remove the token. I would still like to see this case handled so the module will at the very least not return odd data like this and will raise an error stating it found data belonging to some other authentication mechanism but it wasn't able to decode it.
New changes look good, though your introduction of the Dir.exist? function clashes with our already built in functions, which should be used instead to ensure we aren't creating multiple custom functions, as this helps reduce complexity regarding code maintenance down the line. Also had a quick question about one of the changes you made to one of the checks, nothing major but just wanted to make sure I understood what the intentions were here.
```ruby
end
tbl = []
print_status("Search account files on #{fpath}")

# enum session file
account_paths.each do |file_name|
  file = read_file(file_name) if session.fs.file.exist?(file_name)
  if file.nil? || file.empty?
  if file.nil? || file.empty? || file[0, 4] != 'RECF'
```
All of the changes in this file look good but I was a bit curious as to what this fix was for, do you mind explaining?
This flag ensures that this is a real configuration file, but I can’t find the old version of the installer, maybe this is suitable for the current new version, if it is compatible with other versions, I think this code should be deleted
@cn-kali-team Sorry are you saying you think this should be deleted? I do see this will check and help ensure that the file is correct by ensuring the starting characters match what is expected, which will work on the current version of FoxMail. I will see if this works on older versions.
Also you can find older versions at hxxps://foxmail.en.uptodown.com/windows/versions if you want to test your module against older versions.
Ok so I tested this against a few other versions. Looks like version 6.5 build 023 uses a different file format and saves it into a file under C:\Program Files (x86)\Foxmail\mail\foocarddog@gmail.com\Account.stg.
Also some of the older version 7 ones, when I asked it to install to the C:\FoxMail directory, ended up saving the account info in C:\Foxmail\Data\Accounts\Account.rec0. So this may be something to keep in mind.
That being said all the version 7 installations appear to have a .rec0 file that starts with the RECF signature you mentioned so I think it should be okay to keep that in there if we also update the module documentation to note that this module only works on version 7.x of FoxMail.
So should I add support for older versions? I don't think anyone will use the old version of Foxmail
@cn-kali-team Its fine to only have support for the 7.x versions but you should note this in your module description. Otherwise people may falsely believe that this module works on all versions of FoxMail including versions such as 6.5, which will not be the case.
…ls/dev/msftidy.rb compliant
…here we could end up logging data where we shouldn't and implement some more error handling
Co-authored-by: bcoles <bcoles@gmail.com>
I'm going to attic this for now. The main issue I faced with this is that the software is in Chinese which makes some testing rather hard as there is no equivalent English option to compare the interface with. Additionally, and this is the main blocker, the app appears to be coded in such a way that one can log in with an email and password or an email and an OAuth token, however the application does a really silly thing where both the OAuth token and the password are stored in the same format in the database and since the format of a password could legitimately look the same as an OAuth token there is no way to tell the two apart that I can tell. Due to these limitations and the fact that this code has not gotten any progress on it for several months now, I'm going to have to close this down and attic it. If we do find a better solution I'm open to reopening this issue but as it stands this PR will need some improvements before I'd feel its of appropriate quality to be merged into the main framework.
Thanks for your contribution to Metasploit Framework! We've looked at this pull request, and we agree that it seems like a good addition to Metasploit, but it looks like it is not quite ready to land. We've labeled it What does this generally mean? It could be one or more of several things:
We would love to land this pull request when it's ready. If you have a chance to address all comments, we would be happy to reopen and discuss how to merge this!
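The review above asks for three things the byte-walking find_string loop does not do: check the RECF signature before parsing, use regexes instead of hand-rolled string scanning, and refuse to report a value as a password when the Gmail OAuth keys (GmailAccessToken, GmailAuthCode, GmailIDToken) are present. The Ruby below is an added example that does all three against a constructed sample blob; it is not the PR's module code and not Foxmail's real Account.rec0 layout. The 'RECF' signature and the key names are the ones quoted in the thread; the record layout (key, NUL, printable value, NUL; a 2-byte little-endian integer for port and SSL fields) and the parse_account_blob/build_sample helpers are assumptions made for this illustration only.

```ruby
# Added example, not the PR's module code. The RECF signature and key names are
# the ones from the review thread; the record layout below is a constructed
# assumption for the sample blob, not Foxmail's real Account.rec0 format.

MAGIC       = 'RECF'.b
STRING_KEYS = %w[Email IncomingServer OutgoingServer Password].freeze
PORT_KEYS   = %w[IncomingPort OutgoingPort].freeze
SSL_KEYS    = %w[InComingSSL OutgoingSSL].freeze
TOKEN_KEYS  = %w[GmailAccessToken GmailAuthCode GmailIDToken].freeze

# Raised when the account was authenticated with something other than a
# mailbox password, so whatever is stored must not be reported as one.
class UnsupportedAuthError < StandardError; end

# Assumed layout: "<key>\x00<printable value>\x00" for string fields and
# "<key>\x00<uint16 little-endian>" for port/SSL fields.
def parse_account_blob(blob)
  blob = blob.b
  raise ArgumentError, 'not a RECF account file' unless blob[0, 4] == MAGIC

  info = {}
  STRING_KEYS.each do |key|
    # printable ASCII up to the terminating NUL (same 0x21..0x7e window the old loop used)
    m = blob.match(/#{Regexp.escape(key)}\x00([\x21-\x7e]+)\x00/)
    info[key] = m && m[1]
  end
  (PORT_KEYS + SSL_KEYS).each do |key|
    m = blob.match(/#{Regexp.escape(key)}\x00(..)/m) # /m so '.' also matches 0x0a
    value = m && m[1].unpack1('v')
    info[key] = SSL_KEYS.include?(key) ? value == 1 : value
  end

  # Refuse rather than return token material as a "password".
  tokens = TOKEN_KEYS.select { |key| blob.include?(key) }
  unless tokens.empty?
    raise UnsupportedAuthError,
          "account uses OAuth (#{tokens.join(', ')}); stored secret is not a mailbox password"
  end
  info
end

# Constructed sample data, not captured from a real Foxmail installation.
def build_sample(oauth: false)
  rec = MAGIC.dup
  rec << "Email\x00user@example.com\x00"
  rec << "IncomingServer\x00imap.example.com\x00"
  rec << "IncomingPort\x00" << [993].pack('v')
  rec << "InComingSSL\x00" << [1].pack('v')
  rec << "OutgoingServer\x00smtp.example.com\x00"
  rec << "OutgoingPort\x00" << [465].pack('v')
  rec << "OutgoingSSL\x00" << [0].pack('v')
  rec << (oauth ? "GmailAccessToken\x00ya29.constructed-token\x00" : "Password\x00hunter2\x00")
  rec
end

if __FILE__ == $PROGRAM_NAME
  p parse_account_blob(build_sample)
  begin
    parse_account_blob(build_sample(oauth: true))
  rescue UnsupportedAuthError => e
    puts "refused: #{e.message}"
  end
end
```

The OAuth check keys off the Gmail token key names reported in the thread rather than trying to tell a password value from a token value by shape, which the closing comment notes is not possible when both are stored in the same format.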
This module obtains the mail server login password stored by Foxmail.
Foxmail can be downloaded and installed from its official website (see Wikipedia).
Verification Steps
1. Get a meterpreter session on a Windows host.
2. run post/windows/gather/credentials/foxmail
Options
ACCOUNT_PATH
Scenarios