Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
myhack58佚名MYHACK58:62200717036
HistorySep 25, 2007 - 12:00 a.m.

Meiping network management family of software vulnerability completely analyze-vulnerability warning-the black bar safety net

2007-09-2500:00:00
佚名
www.myhack58.com
18
JSON

My home city, Internet Cafe 1 0 0% with meiping network management system, no way! Also it is only the first look at Mae ping, also hope everyone to the sea Han it! Meiping network management software series actually also should be considered several network management software one! Reputation quite loud! Today we discuss the content is for the Mei-ping network master " and " Mei-ping computer security guards of a cafe classic combination! Hope you like it!
In the discussion before you make a statement, in view of Article characteristics, I first write the Mei-ping computer security guards》(hereinafter referred to as: security guards to be let the cute newbies to learn basic Internet hack knowledge! While the back of the meiping network management master》(hereinafter referred to as: the network management master, can relate to some of the new entry of the side dishes they do not have the condition, so put it to the back to Big bird we see! On veterans, more have to see! Help me solve the problem!)

One, the Mei-ping computer security guards of the three major vulnerabilities
Security Guardian is an Internet cafe network management system of the client, we often say that the“cafe crack”, mostly refers to cracked clients, so that their use of this machine with the network management system from, so as to achieve free Internet access. Naturally, the security guard is we hack the cafe encountered the first stumbling block you! As the saying goes:“tigers also have NAP time.” Good! Below I will introduce to let this Tiger always doze! Hey Hey! Instead of feeding sleeping pills yo!)
First trick: borrow force to fight force. jst file vulnerability
About this vulnerability, I in 2 0 0 6 year of Phase 1 The X-Files has been introduced. Here I simply tell you about the vulnerabilities of using the method, and want to know the principles of the friends you refer to the Issue No. 1 The X-Files…
Simple way, this vulnerability is the use of the Mae ping software protection mechanisms, to achieve emptying of Mae ping in the administrator password purpose! If the operating fast, one minute you can get! How, badly? See the following steps.
The first thing you have to do is open the QQ(don’t say no to it!!!, the By QQ“file transfer”transfer function can be into the default directory“My Documents”folder! Click on the“Previous”button, Enter C disk, find the“SMENU”folders into, and remove the inside of“the smenu. jst”file! Re-starting the machine, OK! See if the password is not being emptied? We The above method is for disk is hidden in the case of the operation, if you where the Internet cafes did not hide the disks so much the better do! In short you just delete“SMENU”directory under“smenu. jst”file and re-starting the machine will be OK! On this section why is it called leveraging the power, look at the principle you know!
Second trick: the hills hit cattle registration module overflow vulnerability
This vulnerability is not my discovery! So also want to thank the discoverer Zhao learned through a friend!
On the vulnerability name from the end of the closing is unreasonable, I now also not dare to conclusions! Because I just see it a phenomenon like the overflow! Himself did not go to verify, so it have to please veterans. verify it out!
With beautiful ping clearly, before entering the security guards after the Start menu will be masquerade! As Figure 1

! click in the new window, browse this pictures
https://forum.eviloctal.co

Carefully look inside there is not a“software registration”option? Click into the software registration window! In the serial number column added into“w”in the registration number column added into“w”+“e”and other characters, preferably more than 8 0! The letter can be casually Tim! As Figure 2
Figure 2

! click in the new window, browse this pictures
https://forum.eviloctal.co

Then click on“register”it! It will pop up prompt such as“this program has performed an illegal operation…” The dialog box now! Click“Close”to exit the security guard! Unsuccessful while in the“registration number”column in the multi-add some letters! After exiting the“start”bar will disappear! Play a little game in the back of the desktop in General“start”bar will appear! Reason unknown! To see this, we should think, here we are by the program execution error this mountain ride to hit the beauty: this is only a cow! How? Huh!
Read the post, know how to overflow meaning friends should understand why I call this a section called“registration module overflow vulnerability”? On the principle of guessing, I’m here to say it. My guess is Mei ping, the company is not for security guard registration module ready fault tolerance to the test! Only appears this error! On the pop-up“illegal operation”message box I think there may be two reasons! One is more than the defined number of bytes of the fake registration code is the system implementation, and we fill it is some useless information, the system cannot be performed, so the message wrong! Not I fear a similar overflow errors, the second is the more limited number of bytes of the fake registration code affects the operation of the program, causing the message wrong! If it is the first case that could be serious! We think that our input, but some of the useless characters! If it is an executable command? Huh! Isn’t it terror?
Third trick:. - file vulnerability on behalf netlimit. cfg)
This is my 2 0 0 5. 1 2 months found! In fact also not what loophole. But ever since I found out, I’ve been thinking, Mei ping, why not change the settings file content is plain text saving habits?
On the Mae ping file vulnerability, almost everywhere is! Here I selected a representative netlimit. cfg file vulnerability. We take a look at netlimit. cfg file in the security guards is doing something. First look at the Mei-ping computer security guards instructions for use on the inside of the“II. File list”, we can see About netlimit. cfg file described in“NETLIMIT. CFG sites limit the file”huh! What did you expect?
Well, with the old method into“SMENU”folder! Use Notepad to open netlimit. cfg file! What do you see? Huh! Is not what all see very clearly? Meiping afraid we don’t understand behind the English what is the meaning, the front surface of the back we add comment! (Fig 3)
Figure 3

! click in the new window, browse this pictures
https://forum.eviloctal.co

Huh! So what? All are deleted! In just go what the online crack the Internet cafes set up the website, and then want to do it with you myself. In fact, the other file can also use Notepad to open! And there is absolutely plain save it!!! You can also use the same method to change to reach your purpose! In order to avoid everyone that I lied to royalties, so I’m not more wordy…
As long as you make good use of this vulnerability, you can mysteriously to modify the safety guards of some of the important settings! So as to achieve their own purposes, Hey! Called“steal”, I think not?
Some friends will definitely ask“in front of those two method is not already good? This vulnerability seems nothing necessary?” Well, here I am on the way their limitations and the solution!
Vulnerability one:
Disadvantages: empty password in the change your own! Huh! Sounds to be very high! But you can also change the original that the administrator password? Can’t? Administrator if you use your own password to set up the system, it prompt for password error, he will think of what?
Remedy: it is simple, delete“smenu. jst”file, first copy it to another folder, in the front of the machine in the copy it back!
Vulnerability two:
Disadvantages: there are limitations, if the security guards already registered, this method will fail you!
Remedy: there is no meaningful solution!
Vulnerability three:
Disadvantages: in addition to the trouble point, the other nothing to fault! With this method you can not fully crack the Mae ping, the lifting of some restrictions. You can also us ping full blast for free!
Remedies: in addition to the production of special tools, else should nothing approach!
Here, the security guards of the vulnerability if all of the description finished! With this Knowledge backing, I think the Diamondback should also be easy to crack the Mae ping? On the back you want to talk about, are built in you have successfully invaded the cafe host can be carried out, to welcome the big birds take a look! Of course, the rookie learn it anyway.

Second, the meiping network management Master of three vulnerabilities
On the network master Mei ping to release a N version, but the upgraded versions are fixed and what problems, I really didn’t see coming! I am following the description of the vulnerabilities against all current versions of the network master are effective! Huh! Horror? Who has time to look at the Mae ping home, is not also N lot of loopholes? Huh! Funny.
If you successfully invaded the cafe host! You will want to dry what? Whatever you want is what, anyway I think of is how to get your absolutely free on the machine! Now in my mind there are three ideas, one is by modifying the membership database, to their members of time; the second is through a remote control, give their members extra time – think of it, you don’t do it! Easy dead!); Third is the use of the Mae ping“humanized”design, treat yourself to this machine charges change, such as changed to“0.01 Yuan/hour”, etc., huh!
But want to return to think, the theory and practice still has gaps. First, the Mae ping, not“*. mdb”standard database, the modified database is not the desired! The second, with 3 3 8 9 control words, you have to open the network master is much more open limits! But also know the administrator password! If using the direct control… You dare me to what is also indescribable… Third, this is an administrator they cannot change stuff, you need to have the boss’s final permission…
What should I do? Give up? No! Give up is not a hack! So I put it on the network master connected to the socket end! Download to my USB stick, go home slowly study to go… Work pays off! After nearly 5 days, I finally one found a solution to it! The following three vulnerability will therefore come.
First trick: drastic software setting module vulnerability
Remember we are above that third idea? Through this vulnerability, you can put yourself in this machine the standard fees to change! Huh! Is not very heart? Look down…
I’m the network guru end to the home after, it began to hard study! Since temporarily no idea, first with WinHex decompile the network master directory of each file, they begin to see the network master using the method, and experiment with it some of the features. Which I am most interested in Of course is how to change the charging standard, then operation a will… Well, good! I that in VMware the virtual computer of the charging standard has indeed changed, but the administrator they cannot change the settings, I have what way? And the operation is completed, WinHex only remind a few irrelevant file has changed, don’t record my set! Impossible to get the network management master have a directory under the see! Did not expect not to see do not know, a look too wonderful! Network masters competition in its directory to generate a called netmoney. ini files! Open look, is exactly what I just did to change the charges set! As Figure 4
Figure 4

! click in the new window, browse this pictures
https://forum.eviloctal.co

In order to insurance, I try it again. Re-installing the network master, and directly in its directory to create a new netmoney. ini file, and write the relevant information, to the settings interface see success! Such as in Figure 5
Figure 5

! [](/Article/UploadPic/2 0 0 7-9/2007925115435871.gif)click in the new window, browse this pictures
https://forum.eviloctal.co

To this, I also thought of the security guards of the security situation. Is not the network guru also…
Think better to do! So pull out the WinHex began to start with! In the other files one by one after the exclusion, and finally the target locked in Network Management Master of scon. cfg file! And after struggling to the contrast, finally found a network master key code“onlyscon=0 OR 1”It! That’s it, the decision of the network management master whether can be more open, which onlyscon=0 The representative can be more open, if it is 1, it represents the prohibition of open by default prohibited)(Figure 6)。
Figure 6
! click in the new window, browse this pictures
https://forum.eviloctal.co

In the figure, we also see in addition to the network master many of the settings are here! The following is what I now know some of the code meaning hope it helps!
computernum=2 0, the network has a total of 2 0 machine)
mintime=5 a minimum in mind when the unit for 5 minutes
money=1.5(ordinary-on fee 1. $ 5/hour
timehint=1
netmoney=1.6(Internet access on the machine fee 1. 6 Yuan/hour
soundfile=C:\Windows\MEDIA\The Microsoft Sound. wav host limited time in order to, the tone of the music to the C:\Windows\MEDIA\The Microsoft Sound. wav)
clienttime=5, Minimum recorded time units of 5 minutes
isshowtj=1
minmoney=1.2, minimum billing amount of 1. 2.
nightmoney=11.0(Internet packet night fee 1 1. 0 $
whenierunnet=1
closeclientprogram=1
multilogin=0
minjifei=5 1 current time zone for a minimum record time of 5 1% Start billing. This exactly is what mean I also not too clear.)
timehyhint=0
inputuser=0
hotcolor=2 5 5
runcolor=1 5 9 8 6 7 9 7
onlyscon=1 is can be running on the same machine a plurality of Mae ping procedure 0 1 No
hyjf=0
minhuafei=0.56 the base spending amount is 0. 5 $ 6, both the so-called start-up costs.)
socketnum=2 2 1 3 6 out of centralized management mode of the network communication port number 2 2 3 1 6)
nightmoney1=10.0(ordinary night package fee 1 0. 0 $
hintclient=1
autorun=0
enclosewindows=0
hymustpass=0
useipx=1
nhybfb=9 0
ykzkl=9 0
jkzkl=1 0 0
autotx=0
onclosecheck=0
ishyhost=1
AutoTxStop=1
IsUseRemote=0
IsRemoteUseChange=1
IsGroupOpen=0
onclosetime=1 0
untiltime=5 5 on machine time not less than 5 5 minutes
PressTime=8 0, the network master for the membership card a magnetic stripe of the response time for the 8 0 in milliseconds
lowhytime=0
RemotePort=3 3 3 3
setuppassword=x{z, set the network master password, in an encrypted, non-plaintext game!
exitpassword=x{z exit the network master password, in an encrypted, non-plaintext game!
time4=0:0 0:00-7:0 0:0 0(pack The night time of 0:0 0:00-7:0 0:0 0)
It should be noted that this file can be used herein the document directly open and modify! But requires re-starting the machine was back in force. I believe that with these codes, you should be better than the administrator also cattle? Huh! Well, don’t get too happy, behind the more wonderful Oh!
Second trick: collateral(encryption algorithm vulnerability
Seen above is the network management guru scon. cfg file“setuppassword=x{z”this code is after, I believe you are confused?“x{z”what? Huh! Don’t blame you don’t understand, because it is encrypted?, huh! We this section is to crack the network master encryption algorithm! Is not the blood surging! Don’t rush, take your time.
On the encryption algorithm, is I inadvertently found… That will me is nothing to new ideas, so I created a new administrator to play, the name of the 1 2 3, password 1 1 1, and I also carefully looked back to the encrypted ciphertext, is 3 bits! In the new one! Name 3 2 1, password 2 2 2, ha! Can you guess what I see? The ciphertext is still 3! As Figure 7
Figure 7

! click in the new window, browse this pictures
https://forum.eviloctal.co

Some of the side dishes say“the ciphertext is still of 3 bits and how?” You see, don’t understand, is it not? Huh! This can be described meiping encryption algorithm should be the characters one by one encryption! And not for the entire password encrypted! That is, we can by a simple inverse operation or one by one experiment to launch it each character of the encrypted ciphertext is what, so that by the ciphertext to directly launch the plaintext is! Well, since we know the principle, and quickly start it! Here, I is used by one experimental method…
After half an hour of effort, finally worked out all the encrypted characters in the ciphertext is! Here are the results of my work, this is to collect the money! Hey Hey!
Plaintext ciphertext table: the
=i 1=x 2={ 3=z 4=} 5=| 6= 7=~ 8=q 9=p 0=y .= g a=(
b=+ c=* d=- e=, f=/ g=. h=! i= j=# k=" l=% m=$ n=’
o=& p=9 q=8 r=; s=: t== u=< v=? w=> x=1 y=0 z=3 `=)
Note: the character“i”is the“space”of the ciphertext, in turn,“space”is also the“i”of the ciphertext. About the character“6”of the ciphertext, in this article document is displayed“it!” Is not“space”is! Use WinHex to decompile to save the administrator information to the manager. ini file, can be learned of the character“6”ciphertext encrypted with the 1 6 hexadecimal representation is“7F” in.
Method of use: for example, the password is 1 2 3, then the encrypted ciphertext for x{z! Vice versa through!
Example: 1. Password 1 2 3 encrypted ciphertext x{z
2. Password x{z encrypted ciphertext 1 2 3
This time we all know how to use it? Imagine, if you invasion the cafe host, crack a administrator password, this administrator account to add their own 1 0 0 0 Yuan! Hey Hey! The consequences? The administrator of a certain dead quietly! Huh! But you have to dare to use that Membership, you also fast…)
Third trick: sneak a database vulnerability
Change this, delete that, better to give yourself some affiliate affordable! But members of how applied, is a problem! The most basic is the Mae ping, not“*. mdb”standard database! What should I do? The old method! First with this article document open and see! As Figure 8
Figure 8

! click in the new window, browse this pictures
https://forum.eviloctal.co

The member name and the encrypted password is now in front of your eyes! What is your thing, huh!
Some friends that asked“is stolen members? Too boring! There is no more practical point?” Is! I was also think so! So just below! Hey Hey!
On meiping Membership database, should be considered only a useless plaintext save files… So we need to use a professional point of anti-compilation of the software WinHex to disassemble the network management master Membership database file member81. cfg. Disassembly, in addition to the username and encrypted password is we can read, the rest is almost the same in the Bible is! What is the meaning? By I 1 0 Minutes of effort, finally know the Member the amount of the recording position! Huh! Don’t worry, let we slowly see! As Figure 9
Figure 9

! click in the new window, browse this pictures
https://forum.eviloctal.co

By way of illustration, believe that everyone at a minimum understand where is the record of members of the remaining amount of the place? Some friends and asked“I saw or stumbled upon it! Besides, even if I understand what’s the use? That‘HD’is what do you mean?” On the recording member remaining amount of places there is the pattern homing in! General members name followed by the 4-5 Group 1 6 binary code“0 1”Back General that the recording members of the remaining amount of the place! As Figure 1 0)
Figure 1 0

! click in the new window, browse this pictures
https://forum.eviloctal.co

On the recording member remaining amount of the 1 6-ary information, I also counted a piece of table, hope it is useful!
Meiping Membership amount to 1 6-ary information table: the
1 $ 0=2 0 4 1 2 0 $ =A0 4 1 3 $ 0=F0 4 1 4 $ 0=2 0 4 2 5 0 $ =4 8 4 2 6 $ 0=7 0 4 2 7 0 $ =8C 4 2
8 $ 0=A0 4 2 9 $ 0=B4 4 2 1 0 $ 0=C8 4 2 1 1 $ 0=DC 4 2 1 2 $ 0=F0 4 2 2 0 $ 0=4 8 4 3 3 0 $ 0=9 6 4 3
4 0 $ 0=C8 4 3 5 0 $ 0=FA 4 3 6 0 0 RMB=1 6 4 4 7 0 $ 0=2F 4 4 8 0 $ 0=4 8 4 4
With these, I think should be able to meet your needs?
In addition, regarding the modification of the membership database of the remaining amount, is not on the Mae ping any statistical records! This point we need to note! But this also well, save make lovely MM network every day for our out of pocket! Huh! Also, modify the membership database information on the operation of the network master does not have any impact! So as long as you do not particularly conspicuous, is absolutely not to be found! Hey Hey! How?
On meiping network management family of software vulnerabilities, and this even fully voiced over! Not everyone found notI described the vulnerability, the use of is nothing more than on the software settings, etc. file contents of plain text to save it a major vulnerability, to very easily modify the Mae ping of the important settings! So the result in many cases, only need a simple paper document can achieve many of purpose! But also look Mei ping company under the coolies to do some improvements…
I write the purpose of this article is to remind everyone that only we think of a way to make good use of around a number of seemingly unrelated tools, to break those seemingly unbreakable puzzles, in order to bring us a real sense of success to victory! This article is a proof, look at the Mae ping in the simple article document before look how fragile it! There is no impossible, just think it! Hope everyone in the hack this way and go to the Bon voyage it!!!

PostScript: this is my 0 6 years 1 month write articles, due to their technical reasons, a certain there will be some wrong place, also hope to Treatise on. Also this is me in evil octal published the first Chapter of the work, as there is not place also hope you a lot of guidance, Thank you!

JSON