Security Vulnerability Report
CVE-2025-60791 CVSS 6.2 MEDIUM

CVE-2025-60791

Published: 2025-10-27 16:15:43
Last Modified: 2026-04-15 00:35:42

Description

Easywork Enterprise 2.1.3.354 is vulnerable to Cleartext Storage of Sensitive Information in Memory. The application leaves valid device-bound license keys in process memory after a failed activation attempt. The keys can be obtained by attaching a debugger or analyzing the process/memory dump and then they can be used to activate the software on the same machine without purchasing.

CVSS Details

CVSS Score
6.2
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Easywork Enterprise 2.1.3.354

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-60791 PoC - Easywork Enterprise License Key Extraction
#
# Illustrates the weakness class recorded for this CVE (CWE-316, cleartext
# storage of sensitive information in memory): key material is still resident
# in the process after a failed activation, so anything able to read that
# process's memory can recover it.
#
# NOTE(review): the key formats searched for below are generic guesses; the
# advisory does not state the real key format. Hits are candidates only, and
# an empty result is not evidence that a given build is fixed.
# The fix belongs in the application: key buffers should be cleared once
# activation fails rather than left resident.
import os
import sys
import subprocess
import re


def dump_process_memory(process_name="EasyWork.exe"):
    """
    Look up the running process and write a full memory dump of it with procdump.

    Returns the dump file name, or None when the process is not found,
    procdump.exe is not present in the current directory, or any step raises.

    NOTE(review): process_name is interpolated into a PowerShell command
    string. main() only ever passes the hard-coded default; do not feed this
    parameter untrusted input. procdump's exit status is not checked, so the
    returned name may refer to a file that was never written.
    The dump holds all of the process's memory, not only license data, so it
    must be handled and deleted as sensitive material.
    """
    print(f"[*] Attempting to dump memory for {process_name}")

    try:
        # Get-Process expects the image name without its extension.
        image_name = process_name.replace(".exe", "")
        lookup = subprocess.run(
            [
                'powershell',
                '-Command',
                f'Get-Process -Name {image_name} | Select-Object -ExpandProperty Id',
            ],
            capture_output=True,
            text=True,
        )
        pid = lookup.stdout.strip()

        if not pid:
            print("[-] Process not found. Make sure Easywork is running.")
            return None
        print(f"[+] Found process ID: {pid}")

        procdump_path = "procdump.exe"
        if not os.path.exists(procdump_path):
            # No fallback is implemented; the caller prints manual steps instead.
            print("[-] procdump not found. Using alternative method...")
            return None

        dump_file = f"easywork_dump_{pid}.dmp"
        print(f"[*] Dumping process memory to {dump_file}")
        # -ma requests a full dump of the target process.
        subprocess.run(
            [procdump_path, '-accepteula', '-ma', pid, dump_file],
            capture_output=True,
        )
        return dump_file
    except Exception as e:
        print(f"[-] Error: {e}")
        return None


def extract_license_keys(memory_dump):
    """
    Scan a memory dump for strings shaped like license keys.

    The file is read whole, reduced to its ASCII bytes, and searched with each
    pattern in turn. Returns the unique matches in first-seen order; if the
    file cannot be read, the error is printed and whatever was collected so
    far (normally nothing) is returned.
    """
    print("[*] Analyzing memory dump for license keys...")

    # Generic shapes only; see the NOTE(review) in the file header.
    key_shapes = [
        # Four dash-separated groups of 4-5 uppercase alphanumerics
        r'[A-Z0-9]{4,5}-[A-Z0-9]{4,5}-[A-Z0-9]{4,5}-[A-Z0-9]{4,5}',
        # UUID-like, uppercase hex
        r'[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}',
        # Assumed product prefix
        r'EW-[A-Z0-9]{16,32}',
    ]

    potential_keys = []

    try:
        with open(memory_dump, 'rb') as handle:
            raw = handle.read()

        try:
            # errors='ignore' drops every non-ASCII byte instead of raising.
            ascii_text = raw.decode('ascii', errors='ignore')
        except BaseException:
            # Same reach as the original bare except; effectively dead code,
            # because the decode above does not raise on bad bytes.
            ascii_text = raw.decode('utf-8', errors='ignore')

        for shape in key_shapes:
            for candidate in re.findall(shape, ascii_text):
                if candidate in potential_keys:
                    continue
                potential_keys.append(candidate)
                print(f"[+] Found potential license key: {candidate}")
    except Exception as e:
        print(f"[-] Error analyzing dump: {e}")

    return potential_keys


def main():
    """
    Interactive driver: wait for the operator, dump the process, scan the dump.

    Any candidates are written in cleartext to extracted_keys.txt in the
    current directory, so that file needs the same care as the dump itself.
    """
    rule = "=" * 60
    print(rule)
    print("CVE-2025-60791 PoC - Easywork Enterprise License Extraction")
    print(rule)

    # The weakness only shows after an activation attempt has failed.
    print("\n[*] Step 1: Ensure Easywork activation was attempted and failed")
    input("Press Enter after failed activation attempt...")

    dump_file = dump_process_memory()
    if not dump_file:
        print("[-] Could not dump process memory")
        print("[*] Manual method: Use procdump -ma <pid> easywork.dmp")
        print("[*] Then analyze with: strings easywork.dmp | grep -E '[A-Z0-9]{4,5}-'")
        return

    keys = extract_license_keys(dump_file)
    if not keys:
        print("[-] No license keys found in memory dump")
        return

    print(f"\n[!] Found {len(keys)} potential license key(s)")
    print("[*] These keys can be used to activate Easywork on this machine")

    with open('extracted_keys.txt', 'w') as out:
        out.writelines(f"{key}\n" for key in keys)
    print("[+] Keys saved to extracted_keys.txt")


if __name__ == "__main__":
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-60791", "sourceIdentifier": "[email protected]", "published": "2025-10-27T16:15:42.510", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Easywork Enterprise 2.1.3.354 is vulnerable to Cleartext Storage of Sensitive Information in Memory. The application leaves valid device-bound license keys in process memory after a failed activation attempt. The keys can be obtained by attaching a debugger or analyzing the process/memory dump and then they can be used to activate the software on the same machine without purchasing."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.2, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.5, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-316"}]}], "references": [{"url": "https://packetstorm.news/files/id/210832", "source": "[email protected]"}, {"url": "https://sourceforge.net/projects/easyworkaccounting/", "source": "[email protected]"}]}}