markuta / bw-dump Goto Github PK
View Code? Open in Web Editor NEWA proof-of-concept for (CVE-2023-38840) that extracts plaintext master passwords from a locked Bitwarden vault.
License: BSD 3-Clause "New" or "Revised" License
A proof-of-concept for (CVE-2023-38840) that extracts plaintext master passwords from a locked Bitwarden vault.
License: BSD 3-Clause "New" or "Revised" License
There is an issue with the latest version with how it searches for patterns in memory. I've realised that each master password has a unique prefix (4-bytes long) pattern that is just before the plaintext password. This is a problem because the tool currently searches for my old master password prefix, which obviously won't find other master passwords.
I need to figure out a better way to do this.
"A proof-of-concept tool that extracts the master password from a locked Bitwarden vault (must be unlocked at least once) from Windows systems, without requiring administrative privileges. Only Windows platforms have been tested."
Bolded section, does this mean for the CURRENT session ONLY, or will an existing session from prior restarts work (if so isnt working for me).
Had a system with .7.0 on it (downgraded to .2.0 when it didnt work the first time) but it didnt not work.
BW Desktop is currently signed in and the lock is with a pin no longer the master password.
Locking/Unlocking with the Pin doesnt work.
I think the wording meant to imply in the current session vs after a restart or with lock w/pin setup.
The tool currently includes ALL strings that match a specific pattern. This means other strings that are obliviously NOT the master password are also included. One quick solution is to retrieve all default strings from a Bitwarden.exe binary which are 8+ characters (minimum password length for registration), and do a compare and exclude.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.