extractTVpasswords: extract passwords from TeamViewer memory using Frida

by do son · Published July 23, 2018 · Updated July 23, 2018

Extract password from TeamViewer memory using Frida (CVE-2018-14333)

TeamViewer automatically authentication

A few days ago I worked on my windows cloud VPS with TeamViewer (where I set a custom password). After work I disconnected, at the next time when I wanted to connect, I saw that TeamViewer had auto-filled the password.

I think “Interesting, how can I get access to the password? How is the password stored in my computer?”

Password location

I dumped the memory of the TeamViewer and grepped password.

Ooo yeees, 😊 password in the memory is stored in Unicode format. It turns out that if you finish work with TeamViewer and don’t kill the process (or exit from TeamViewer

the password will be stored in memory)

After analyzing we understood that the first red area is a start magic data, in the second one – end magic data (from time to time, end magic data has this value = 00 00 00 20 00 00).

A script for getting a password

To extract passwords from memory we wrote two mini-programs, in Python and C++ language.

Thx Frida team for a wonderful tool! Our python script attaches to the TeamViewer.exe process, gets the base address and memory size of each library in this process. After that, it dumps one by one memory area, searches parts with [00 88] bytes at the start and [00 00 00] bytes in the end and copies them in the array. The next and the last step is choosing end decoding raws according to the regexp and password policy.