
_APPL_DB_HEADER invalid offset for header?

Open AndrewSB opened this issue 3 years ago • 1 comments

Hey! I'm trying to use this to dump my own internet passwords, and I'm running into a crash while parsing the _APPL_DB_HEADER. Here's my invocation and the output:

```
./chainbreaker.py --dump-internet-passwords --password=<somepassword> -a ~/Library/Keychains/53955E52-7540-58CB-93DD-008F838B7EAD/keychain-2.db
2021-06-24 08:36:09,080 - INFO - 

ChainBreaker 2 - https://github.com/gaddie-3/chainbreaker

2021-06-24 08:36:09,081 - INFO - Runtime Command: ./chainbreaker.py --dump-internet-passwords --password=<somepassword> -a /Users/asb/Library/Keychains/53955E52-7540-58CB-93DD-008F838B7EAD/keychain-2.db
2021-06-24 08:36:09,081 - INFO - Keychain: /Users/asb/Library/Keychains/53955E52-7540-58CB-93DD-008F838B7EAD/keychain-2.db
2021-06-24 08:36:09,081 - INFO - Keychain MD5: 56c8eaa212f0f26f5b4616d2b96ff739
2021-06-24 08:36:09,081 - INFO - Keychain 256: f2824d498f1eaa89385a03c11f14bb4bd5c1a923fdb39d7eac6ed916588437a0
2021-06-24 08:36:09,081 - INFO - Dump Start: 2021-06-24 08:36:09.080976
Traceback (most recent call last):
  File "./chainbreaker.py", line 1277, in <module>
    unlock_file=args.unlock_file)
  File "./chainbreaker.py", line 71, in __init__
    self.filepath = filepath
  File "./chainbreaker.py", line 568, in filepath
    self._read_keychain_to_buffer()
  File "./chainbreaker.py", line 169, in _read_keychain_to_buffer
    self.schema_info, self.table_list = self._get_schema_info(self.header.SchemaOffset)
  File "./chainbreaker.py", line 205, in _get_schema_info
    schema_info = _APPL_DB_SCHEMA(self.kc_buffer[offset:offset + _APPL_DB_SCHEMA.STRUCT.size])
  File "/Users/asb/Developer/chainbreaker/schema.py", line 332, in __init__
    (self.SchemaSize, self.TableCount) = _APPL_DB_SCHEMA.STRUCT.unpack(buffer)
struct.error: unpack requires a string argument of length 8
```

The offset being used to index into the self.kc_buffer is massive, and it looks like the buffer passed into _APPL_DB_SCHEMA.STRUCT.unpack(buffer) is empty.

I'm running macOS 11.2.3 (20D91). Is this something you've run into before? Could you help me debug this?

AndrewSB, Jun 24 '21 15:06
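
An added example, not part of the original post and not chainbreaker's own code: a header check that turns the opaque `struct.error` from the traceback into a clear format error before the schema is read. The 20-byte big-endian header layout, the `kych` signature and the helper names are assumptions, and the sample buffers are constructed; the SQLite-style buffer shows one way a file that is not a legacy keychain produces a huge `SchemaOffset`, which the issue does not confirm as the cause here.

```python
import struct

# Assumed legacy keychain header: signature, version, header size,
# schema offset, auth offset (big-endian, 20 bytes).
HEADER = struct.Struct(">4sIIII")
SCHEMA = struct.Struct(">II")   # SchemaSize, TableCount: the 8 bytes in the traceback
KEYCHAIN_MAGIC = b"kych"        # assumed signature of the legacy format
SQLITE_MAGIC = b"SQLite format 3\x00"


class KeychainFormatError(ValueError):
    """Raised when the buffer cannot be parsed as a legacy keychain file."""


def read_schema_info(buf):
    """Return (schema_offset, schema_size, table_count) or raise KeychainFormatError."""
    if buf.startswith(SQLITE_MAGIC):
        raise KeychainFormatError("file is an SQLite database, not a legacy keychain")
    if len(buf) < HEADER.size:
        raise KeychainFormatError("file shorter than the %d-byte header" % HEADER.size)
    signature, _version, _hdr_size, schema_offset, _auth = HEADER.unpack_from(buf, 0)
    if signature != KEYCHAIN_MAGIC:
        raise KeychainFormatError("bad signature %r" % signature)
    # A slice past the end of a buffer is silently empty in Python; that is how
    # a bad offset becomes "unpack requires a string argument of length 8".
    if schema_offset + SCHEMA.size > len(buf):
        raise KeychainFormatError(
            "SchemaOffset %d is outside the %d-byte file" % (schema_offset, len(buf)))
    schema_size, table_count = SCHEMA.unpack_from(buf, schema_offset)
    return schema_offset, schema_size, table_count


def raw_schema_offset(buf):
    """What an unchecked parser would read as SchemaOffset (bytes 12..15)."""
    return struct.unpack_from(">I", buf, 12)[0]


# Constructed sample inputs (not taken from the reporter's file).
GOOD = HEADER.pack(KEYCHAIN_MAGIC, 0x10000, 16, 20, 0) + SCHEMA.pack(8, 0)
SQLITE_LIKE = SQLITE_MAGIC + b"\x10\x00" + b"\x00" * 82
BAD_OFFSET = HEADER.pack(KEYCHAIN_MAGIC, 0x10000, 16, 0x7FFFFFFF, 0)

if __name__ == "__main__":
    print(read_schema_info(GOOD))
    print(raw_schema_offset(SQLITE_LIKE))
    for sample in (SQLITE_LIKE, BAD_OFFSET):
        try:
            read_schema_info(sample)
        except KeychainFormatError as exc:
            print("rejected:", exc)
```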