Reversible Rovnix passwords
I got my hands on Rovnix recently.
Not the one who got leaked with Carberp but the ISFB package part (Core, Interceptor, ATS, VNC modules, etc...):

And the panel..

Ive already took some screenshots of inside Rovnix, so lets skip about the screenshots part.
Just check this article if you want see pics from the Rovnix C&C:
http://www.xylibox.com/2012/02/win32rovnix.html?spref=tw
The panel come with a sql dump, and a user/password is already defined inside.
The password looks like a MD5 hash and we know nothing about it.

SQL tables:

By looking the hash on Google we have a correspondence with 21240:

A tool confirm also that the hash is good for 21240

But.. there is a problem somewhere:

So we have to check the code to see whats going on.
admin/index.php use a function getMyHash()

This small function can be found inside mod/main.php:

We have a salt and they use md5() but we have a huge mistake here:

So if we try to hash a password composed only of numbers, we will have a obvious problem.
Like its the case for the default password found inside the sql dump.
If you want an example:
310dcbbf4cce62f762a2aaa148d556bd = getMyHash(123)
310dcbbf4cce62f762a2aaa148d556bd = md5(333)
collision with 2 algo.
We can obtain the password from the hash easily, PoC:
<?php
/**
* Defeat the weak hash function of Rovnix
* to get password from a hash.
*/
$HASH = fbff791ef0770855e599ea6f87d41653;
$value = getNumber($HASH);
$search = search($value, $HASH);
echo(Hash: . $HASH . <br />);
echo(Value: . $value . <br />);
echo(Search: . $search);
// Search an working (number) password
function search($value, $hash) {
$i = 0;
while (true) {
if (getHash($i) == $value)
return $i;
$i++;
}
}
// Get the hashed number
function getNumber($hash) {
$i = 0;
while (true) {
if (md5($i) == $hash)
return $i;
$i++;
}
}
// Hash function without final MD5 (return only numbers)
function getHash($hash) {
$salt = LKJFDJLJkkljKJKJKJkjkj$i%&@(%jkjJn@@j$r@!cdh*!@#$djl1J$r!j@o*$@duJxlJLEKJkJFKJEJ2$jkeJFJLEJFE;
return $hash + $salt + md5($salt) + md5($hash) + $salt[3];
}
?>
/**
* Defeat the weak hash function of Rovnix
* to get password from a hash.
*/
$HASH = fbff791ef0770855e599ea6f87d41653;
$value = getNumber($HASH);
$search = search($value, $HASH);
echo(Hash: . $HASH . <br />);
echo(Value: . $value . <br />);
echo(Search: . $search);
// Search an working (number) password
function search($value, $hash) {
$i = 0;
while (true) {
if (getHash($i) == $value)
return $i;
$i++;
}
}
// Get the hashed number
function getNumber($hash) {
$i = 0;
while (true) {
if (md5($i) == $hash)
return $i;
$i++;
}
}
// Hash function without final MD5 (return only numbers)
function getHash($hash) {
$salt = LKJFDJLJkkljKJKJKJkjkj$i%&@(%jkjJn@@j$r@!cdh*!@#$djl1J$r!j@o*$@duJxlJLEKJkJFKJEJ2$jkeJFJLEJFE;
return $hash + $salt + md5($salt) + md5($hash) + $salt[3];
}
?>
Output for the unknown hash:

So the unknown password for fbff791ef0770855e599ea6f87d41653 is in reality 21173.
Lets try..

download file now