Commit b96ab66537f652acb1a549ded3092e08dce75989
1 parent
a4e3bed8
crypto: added list of default passwords. olevba and msodde now handle documents …
…encrypted with common passwords such as 123, 1234, 4321, 12345, 123456, VelvetSweatShop automatically.
Showing
4 changed files
with
11 additions
and
6 deletions
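--- a/README.md
+++ b/README.md
@@ -29,6 +29,9 @@ News
 - **2019-05-22 v0.54.2**:
 - bugfix release: fixed several issues related to encrypted documents
 and XLM/XLF Excel 4 macros
+ - msoffcrypto-tool is now installed by default to handle encrypted documents
+ - olevba and msodde now handle documents encrypted with common passwords such
+ as 123, 1234, 4321, 12345, 123456, VelvetSweatShop automatically.
 - **2019-04-04 v0.54**:
 - olevba, msodde: added support for encrypted MS Office files
 - olevba: added detection and extraction of XLM/XLF Excel 4 macros (thanks to plugin_biff from Didier Stevens' oledump)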
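--- a/oletools/crypto.py
+++ b/oletools/crypto.py
@@ -90,6 +90,7 @@ http://www.decalage.info/python/oletools
 # CHANGELOG:
 # 2019-02-14 v0.01 CH: - first version with encryption check from oleid
 # 2019-04-01 v0.54 PL: - fixed bug in is_encrypted_ole
+# 2019-05-23 PL: - added DEFAULT_PASSWORDS list
 
 __version__ = '0.54.2'
 
@@ -308,6 +309,9 @@ def _is_encrypted_ole(ole):
 #: using this password
 WRITE_PROTECT_ENCRYPTION_PASSWORD = 'VelvetSweatshop'
 
+#: list of common passwords to be tried by default, used by malware
+DEFAULT_PASSWORDS = [WRITE_PROTECT_ENCRYPTION_PASSWORD, '123', '1234', '12345', '123456', '4321']
+
 
 def _check_msoffcrypto():
 """Raise a :py:class:`CryptoLibNotImported` if msoffcrypto not imported."""
@@ -347,7 +351,7 @@ def decrypt(filename, passwords=None, **temp_file_args):
 if isinstance(passwords, str):
 passwords = (passwords, )
 elif not passwords:
- passwords = (WRITE_PROTECT_ENCRYPTION_PASSWORD, )
+ passwords = DEFAULT_PASSWORDS
 
 # check temp file args
 if 'prefix' not in temp_file_args: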
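Review bot: `DEFAULT_PASSWORDS` is a mutable module-level list and `decrypt` hands it out by reference at new line 354 (`passwords = DEFAULT_PASSWORDS`), so any later in-place change to `passwords` would alter the defaults for every subsequent call in the process; the `passwords is None` branch in oletools/msodde.py (new line 989) aliases it the same way. Bind a copy instead, `passwords = list(DEFAULT_PASSWORDS)`; making the constant a tuple would be the stricter fix, but the callers in msodde.py and olevba.py concatenate it to a list and would then need `list(...)` around it. The comment above the constant would read more clearly as `#: common passwords used by malware to encrypt documents, tried by default when no password is given`. The body of `decrypt` continues outside the hunk, so whether it mutates `passwords` is not visible here.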
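--- a/oletools/msodde.py
+++ b/oletools/msodde.py
@@ -986,10 +986,9 @@ def process_maybe_encrypted(filepath, passwords=None, crypto_nesting=0,
 
 decrypted_file = None
 if passwords is None:
- passwords = [crypto.WRITE_PROTECT_ENCRYPTION_PASSWORD, ]
+ passwords = crypto.DEFAULT_PASSWORDS
 else:
- passwords = list(passwords) + \
- [crypto.WRITE_PROTECT_ENCRYPTION_PASSWORD, ]
+ passwords = list(passwords) + crypto.DEFAULT_PASSWORDS
 try:
 logger.debug('Trying to decrypt file')
 decrypted_file = crypto.decrypt(filepath, passwords)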
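Review bot: `list(passwords)` at new line 991 splits a single password string into its characters, whereas `crypto.decrypt` explicitly accepts a bare `str` and wraps it in a tuple (oletools/crypto.py, new lines 351-352). A caller that passes one password as a string would therefore have it silently replaced by single-character guesses followed by the defaults. Normalising first, `if isinstance(passwords, str): passwords = [passwords]`, keeps the two entry points consistent. Whether any caller actually passes a `str` is not visible in this hunk, and `process_maybe_encrypted` starts and ends outside it.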
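--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -3890,8 +3890,7 @@ def process_file(filename, data, container, options, crypto_nesting=0):
 decrypted_file = None
 try:
 log.debug('Checking encryption passwords {}'.format(options.password))
- passwords = options.password + \
- [crypto.WRITE_PROTECT_ENCRYPTION_PASSWORD, ]
+ passwords = options.password + crypto.DEFAULT_PASSWORDS
 decrypted_file = crypto.decrypt(filename, passwords)
 if not decrypted_file:
 log.error('Decrypt failed, run with debug output to get details')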
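Review bot: The debug message at new line 3892 still prints only `options.password`, while the list actually passed to `crypto.decrypt` now also holds the six defaults, so debug output no longer shows what was tried. Build the list first and log that: `passwords = options.password + crypto.DEFAULT_PASSWORDS` followed by `log.debug('Checking encryption passwords {}'.format(passwords))`. Since a document that opens with one of these defaults is itself a useful triage signal, it would also help to report which password succeeded; this hunk does not show whether `crypto.decrypt` already does so. `process_file` starts and ends outside the hunk.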