Merge pull request #19 from login-securite/dpapikey_fuckup

Patching PVK decryption fuckup
2022-01-29 15:49:22 +01:00 · 2022-01-29 15:49:22 +01:00 · e7bc3e0a3e
parent 98729b1596 9fb50bfef7
commit e7bc3e0a3e
1 changed files with 13 additions and 7 deletions
--- a/lib/dpapi.py
+++ b/lib/dpapi.py
@ -268,15 +268,21 @@ class DPAPI:

 			decryptedKey = cipher.decrypt(dk['SecretData'][::-1], None)
 			if decryptedKey:
-				domain_master_key = DPAPI_DOMAIN_RSA_MASTER_KEY(decryptedKey)
-				key = domain_master_key['buffer'][:domain_master_key['cbMasterKey']]
-				self.logging.debug('Decrypted key with domain backup key provided')
-				self.logging.debug('Decrypted key: 0x%s' % hexlify(key).decode('latin-1'))
-				return '0x%s' % hexlify(key).decode('latin-1')
+				try:
+					domain_master_key = DPAPI_DOMAIN_RSA_MASTER_KEY(decryptedKey)
+					key = domain_master_key['buffer'][:domain_master_key['cbMasterKey']]
+					self.logging.debug('Decrypted key with domain backup key provided')
+					self.logging.debug('Decrypted key: 0x%s' % hexlify(key).decode('latin-1'))
+					return '0x%s' % hexlify(key).decode('latin-1')
+				except:  # on extrait l'info en dur
+					self.logging.debug('excepted, maybe because of a known DPAPI_PVK fuckup. trying to adjust ... ')
+					key = decryptedKey[8:96 + 8 - 32]
+					self.logging.debug('Decrypted key: 0x%s' % hexlify(key).decode('latin-1'))
+					return '0x%s' % hexlify(key).decode('latin-1')
 			else:
 				logging.debug("Error in decryptedKey with PVK")
-				#Lets try to decrypt it with another method
-				#return -1
+		# Lets try to decrypt it with another method
+		# return -1
 		if self.options.key and self.options.sid: #LSA machine/user Key + SID
 			self.logging.debug("Decrypting with SID and key")
 			key = unhexlify(self.options.key[2:])