crypto: added list of default passwords. olevba and msodde now handle…
… documents encrypted with common passwords such as 123, 1234, 4321, 12345, 123456, VelvetSweatShop automatically.
decalage2 committed May 23, 2019
1 parent a4e3bed commit b96ab66
Showing 4 changed files with 11 additions and 6 deletions.
3 changes: 3 additions & 0 deletions README.md
@@ -29,6 +29,9 @@ News
- **2019-05-22 v0.54.2**:
- bugfix release: fixed several issues related to encrypted documents
and XLM/XLF Excel 4 macros
- msoffcrypto-tool is now installed by default to handle encrypted documents
- olevba and msodde now handle documents encrypted with common passwords such
as 123, 1234, 4321, 12345, 123456, VelvetSweatShop automatically.
- **2019-04-04 v0.54**:
- olevba, msodde: added support for encrypted MS Office files
- olevba: added detection and extraction of XLM/XLF Excel 4 macros (thanks to plugin_biff from Didier Stevens' oledump)
6 changes: 5 additions & 1 deletion oletools/crypto.py
@@ -90,6 +90,7 @@ def script_main_function(input_file, passwords, crypto_nesting=0, args):
# CHANGELOG:
# 2019-02-14 v0.01 CH: - first version with encryption check from oleid
# 2019-04-01 v0.54 PL: - fixed bug in is_encrypted_ole
# 2019-05-23 PL: - added DEFAULT_PASSWORDS list

__version__ = '0.54.2'

@@ -308,6 +309,9 @@ def _is_encrypted_ole(ole):
#: using this password
WRITE_PROTECT_ENCRYPTION_PASSWORD = 'VelvetSweatshop'

#: list of common passwords to be tried by default, used by malware
DEFAULT_PASSWORDS = [WRITE_PROTECT_ENCRYPTION_PASSWORD, '123', '1234', '12345', '123456', '4321']


def _check_msoffcrypto():
"""Raise a :py:class:`CryptoLibNotImported` if msoffcrypto not imported."""
@@ -347,7 +351,7 @@ def decrypt(filename, passwords=None, **temp_file_args):
if isinstance(passwords, str):
passwords = (passwords, )
elif not passwords:
passwords = (WRITE_PROTECT_ENCRYPTION_PASSWORD, )
passwords = DEFAULT_PASSWORDS

# check temp file args
if 'prefix' not in temp_file_args:
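Review bot: `DEFAULT_PASSWORDS` is a module-level list and `decrypt` now binds it directly (`passwords = DEFAULT_PASSWORDS`), where the removed line built a fresh tuple; msodde's `process_maybe_encrypted` does the same in its `passwords is None` branch. Any in-place change to `passwords` further down (an `append` or `+=`; not visible here, since both function bodies continue outside their hunks) would then alter the defaults for every later file handled in the same process. Copying at the point of use avoids that: `passwords = list(DEFAULT_PASSWORDS)` in `decrypt` and `passwords = list(crypto.DEFAULT_PASSWORDS)` in msodde. Separately, the README entry in this commit writes `VelvetSweatShop` while the constant is `'VelvetSweatshop'`; the password is case-sensitive, so the README spelling should match the constant.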
5 changes: 2 additions & 3 deletions oletools/msodde.py
@@ -986,10 +986,9 @@ def process_maybe_encrypted(filepath, passwords=None, crypto_nesting=0,

decrypted_file = None
if passwords is None:
passwords = [crypto.WRITE_PROTECT_ENCRYPTION_PASSWORD, ]
passwords = crypto.DEFAULT_PASSWORDS
else:
passwords = list(passwords) + \
[crypto.WRITE_PROTECT_ENCRYPTION_PASSWORD, ]
passwords = list(passwords) + crypto.DEFAULT_PASSWORDS
try:
logger.debug('Trying to decrypt file')
decrypted_file = crypto.decrypt(filepath, passwords)
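Review bot: The ordering rule "caller's passwords first, then the defaults" is now written out in the `else` branch here and again in olevba's `process_file`, and `crypto.decrypt` keeps its own fallback for an empty argument, so three places have to stay in step whenever the policy changes. A single helper in crypto, for example `def with_defaults(passwords): return list(passwords or ()) + DEFAULT_PASSWORDS`, would let both callers drop their branches and would cover the `None` case in the same expression. As written, a password the caller supplies that is also in the defaults is tried twice; the helper is a natural place to drop duplicates while keeping order. `process_maybe_encrypted` starts and ends outside this hunk.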
3 changes: 1 addition & 2 deletions oletools/olevba.py
@@ -3890,8 +3890,7 @@ def process_file(filename, data, container, options, crypto_nesting=0):
decrypted_file = None
try:
log.debug('Checking encryption passwords {}'.format(options.password))
passwords = options.password + \
[crypto.WRITE_PROTECT_ENCRYPTION_PASSWORD, ]
passwords = options.password + crypto.DEFAULT_PASSWORDS
decrypted_file = crypto.decrypt(filename, passwords)
if not decrypted_file:
log.error('Decrypt failed, run with debug output to get details')
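Review bot: The debug line `log.debug('Checking encryption passwords {}'.format(options.password))` still prints only the user-supplied list, although the list actually tried now also holds the six defaults, so a debug trace no longer shows what was attempted against the file. Building the list first and logging it keeps the trace accurate: move the `log.debug` call below the concatenation and format `passwords` instead of `options.password`. The concatenation also assumes `options.password` is a list; if the option can be `None` when no password is given (its default is not visible here), the `+` raises `TypeError` inside this `try`, and `(options.password or []) + crypto.DEFAULT_PASSWORDS` would guard against that. `process_file` starts and ends outside this hunk.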
