Commit b96ab66537f652acb1a549ded3092e08dce75989
1 parent
a4e3bed8
crypto: added list of default passwords. olevba and msodde now handle documents …
…encrypted with common passwords such as 123, 1234, 4321, 12345, 123456, VelvetSweatShop automatically.
Showing
4 changed files
with
11 additions
and
6 deletions
README.md
| @@ -29,6 +29,9 @@ News | @@ -29,6 +29,9 @@ News | ||
| 29 | - **2019-05-22 v0.54.2**: | 29 | - **2019-05-22 v0.54.2**: |
| 30 | - bugfix release: fixed several issues related to encrypted documents | 30 | - bugfix release: fixed several issues related to encrypted documents |
| 31 | and XLM/XLF Excel 4 macros | 31 | and XLM/XLF Excel 4 macros |
| 32 | + - msoffcrypto-tool is now installed by default to handle encrypted documents | ||
| 33 | + - olevba and msodde now handle documents encrypted with common passwords such | ||
| 34 | + as 123, 1234, 4321, 12345, 123456, VelvetSweatShop automatically. | ||
| 32 | - **2019-04-04 v0.54**: | 35 | - **2019-04-04 v0.54**: |
| 33 | - olevba, msodde: added support for encrypted MS Office files | 36 | - olevba, msodde: added support for encrypted MS Office files |
| 34 | - olevba: added detection and extraction of XLM/XLF Excel 4 macros (thanks to plugin_biff from Didier Stevens' oledump) | 37 | - olevba: added detection and extraction of XLM/XLF Excel 4 macros (thanks to plugin_biff from Didier Stevens' oledump) |
oletools/crypto.py
| @@ -90,6 +90,7 @@ http://www.decalage.info/python/oletools | @@ -90,6 +90,7 @@ http://www.decalage.info/python/oletools | ||
| 90 | # CHANGELOG: | 90 | # CHANGELOG: |
| 91 | # 2019-02-14 v0.01 CH: - first version with encryption check from oleid | 91 | # 2019-02-14 v0.01 CH: - first version with encryption check from oleid |
| 92 | # 2019-04-01 v0.54 PL: - fixed bug in is_encrypted_ole | 92 | # 2019-04-01 v0.54 PL: - fixed bug in is_encrypted_ole |
| 93 | +# 2019-05-23 PL: - added DEFAULT_PASSWORDS list | ||
| 93 | 94 | ||
| 94 | __version__ = '0.54.2' | 95 | __version__ = '0.54.2' |
| 95 | 96 | ||
| @@ -308,6 +309,9 @@ def _is_encrypted_ole(ole): | @@ -308,6 +309,9 @@ def _is_encrypted_ole(ole): | ||
| 308 | #: using this password | 309 | #: using this password |
| 309 | WRITE_PROTECT_ENCRYPTION_PASSWORD = 'VelvetSweatshop' | 310 | WRITE_PROTECT_ENCRYPTION_PASSWORD = 'VelvetSweatshop' |
| 310 | 311 | ||
| 312 | +#: list of common passwords to be tried by default, used by malware | ||
| 313 | +DEFAULT_PASSWORDS = [WRITE_PROTECT_ENCRYPTION_PASSWORD, '123', '1234', '12345', '123456', '4321'] | ||
| 314 | + | ||
| 311 | 315 | ||
| 312 | def _check_msoffcrypto(): | 316 | def _check_msoffcrypto(): |
| 313 | """Raise a :py:class:`CryptoLibNotImported` if msoffcrypto not imported.""" | 317 | """Raise a :py:class:`CryptoLibNotImported` if msoffcrypto not imported.""" |
| @@ -347,7 +351,7 @@ def decrypt(filename, passwords=None, **temp_file_args): | @@ -347,7 +351,7 @@ def decrypt(filename, passwords=None, **temp_file_args): | ||
| 347 | if isinstance(passwords, str): | 351 | if isinstance(passwords, str): |
| 348 | passwords = (passwords, ) | 352 | passwords = (passwords, ) |
| 349 | elif not passwords: | 353 | elif not passwords: |
| 350 | - passwords = (WRITE_PROTECT_ENCRYPTION_PASSWORD, ) | 354 | + passwords = DEFAULT_PASSWORDS |
| 351 | 355 | ||
| 352 | # check temp file args | 356 | # check temp file args |
| 353 | if 'prefix' not in temp_file_args: | 357 | if 'prefix' not in temp_file_args: |
oletools/msodde.py
| @@ -986,10 +986,9 @@ def process_maybe_encrypted(filepath, passwords=None, crypto_nesting=0, | @@ -986,10 +986,9 @@ def process_maybe_encrypted(filepath, passwords=None, crypto_nesting=0, | ||
| 986 | 986 | ||
| 987 | decrypted_file = None | 987 | decrypted_file = None |
| 988 | if passwords is None: | 988 | if passwords is None: |
| 989 | - passwords = [crypto.WRITE_PROTECT_ENCRYPTION_PASSWORD, ] | 989 | + passwords = crypto.DEFAULT_PASSWORDS |
| 990 | else: | 990 | else: |
| 991 | - passwords = list(passwords) + \ | ||
| 992 | - [crypto.WRITE_PROTECT_ENCRYPTION_PASSWORD, ] | 991 | + passwords = list(passwords) + crypto.DEFAULT_PASSWORDS |
| 993 | try: | 992 | try: |
| 994 | logger.debug('Trying to decrypt file') | 993 | logger.debug('Trying to decrypt file') |
| 995 | decrypted_file = crypto.decrypt(filepath, passwords) | 994 | decrypted_file = crypto.decrypt(filepath, passwords) |
oletools/olevba.py
| @@ -3890,8 +3890,7 @@ def process_file(filename, data, container, options, crypto_nesting=0): | @@ -3890,8 +3890,7 @@ def process_file(filename, data, container, options, crypto_nesting=0): | ||
| 3890 | decrypted_file = None | 3890 | decrypted_file = None |
| 3891 | try: | 3891 | try: |
| 3892 | log.debug('Checking encryption passwords {}'.format(options.password)) | 3892 | log.debug('Checking encryption passwords {}'.format(options.password)) |
| 3893 | - passwords = options.password + \ | ||
| 3894 | - [crypto.WRITE_PROTECT_ENCRYPTION_PASSWORD, ] | 3893 | + passwords = options.password + crypto.DEFAULT_PASSWORDS |
| 3895 | decrypted_file = crypto.decrypt(filename, passwords) | 3894 | decrypted_file = crypto.decrypt(filename, passwords) |
| 3896 | if not decrypted_file: | 3895 | if not decrypted_file: |
| 3897 | log.error('Decrypt failed, run with debug output to get details') | 3896 | log.error('Decrypt failed, run with debug output to get details') |