Reversible Rovnix passwords


I got my hands on Rovnix recently.
Not the one that got leaked with Carberp, but the ISFB package part (Core, Interceptor, ATS, VNC modules, etc.):

And the panel,
which asks for mod_rewrite for an unknown reason (OK, the htaccess, but is it really useful here?)

I've already taken some screenshots of the inside of Rovnix, so let's skip the screenshots part.
Just check this article if you want to see pics from the Rovnix C&C:
http://www.xylibox.com/2012/02/win32rovnix.html?spref=tw

The panel comes with an SQL dump, and a user/password is already defined inside.
The password looks like an MD5 hash and we know nothing about it.

SQL tables:

Looking the hash up on Google gives a match with 21240:

A tool also confirms that the hash is good for 21240.

But... there is a problem somewhere:

So we have to check the code to see what's going on.

admin/index.php uses a function getMyHash().

This small function can be found inside mod/main.php:

We have a salt and they use md5(), but there is a huge mistake here:
+ instead of . everywhere.
In PHP, . concatenates strings while + is arithmetic addition, so every operand is converted to a number and md5() ends up being applied to a sum instead of a salted string.
So if we try to hash a password composed only of numbers, we will have an obvious problem,
as is the case for the default password found inside the SQL dump.

If you want an example:
310dcbbf4cce62f762a2aaa148d556bd = getMyHash(123)
310dcbbf4cce62f762a2aaa148d556bd = md5(333)
A collision between the two algorithms.

We can easily obtain the password from the hash. PoC:
<?php
    /**
     * Defeat the weak hash function of Rovnix
     * to get password from a hash.
     *
     * Relies on PHP 5/7 string-to-number coercion; PHP 8 throws a
     * TypeError when + is applied to a non-numeric string.
     */

    $HASH   = 'fbff791ef0770855e599ea6f87d41653';

    $value  = getNumber($HASH);
    $search = search($value, $HASH);

    echo('Hash:   ' . $HASH   . '<br />');
    echo('Value:  ' . $value  . '<br />');
    echo('Search: ' . $search);

    // Search a working (number) password
    function search($value, $hash) {
        $i = 0;

        while (true) {
            if (getHash($i) == $value)
                return $i;

            $i++;
        }
    }

    // Get the hashed number: count upward until md5(n) matches the stored hash
    function getNumber($hash) {
        $i = 0;

        while (true) {
            if (md5($i) === $hash)
                return $i;

            $i++;
        }
    }

    // Hash function without final MD5 (return only numbers)
    function getHash($hash) {
        // Single quotes are assumed here (the quoting did not survive on this page);
        // they keep the $ characters in the salt literal.
        $salt = 'LKJFDJLJkkljKJKJKJkjkj$i%&@(%jkjJn@@j$r@!cdh*!@#$djl1J$r!j@o*$@duJxlJLEKJkJFKJEJ2$jkeJFJLEJFE';

        // + (not .) on purpose: this reproduces the panel's arithmetic bug
        return $hash + $salt + md5($salt) + md5($hash) + $salt[3];
    }
?>

Output for the unknown hash:

So the unknown password for fbff791ef0770855e599ea6f87d41653 is in reality 21173.
Let's try...
Excellent, we can't log in with 21240 because it will be sent to getMyHash(), but it's interesting to see this type of bug and how a bad algorithm implementation can cause a security problem.
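
The same mistake beside a corrected form, as an added example that is not from the original post or the panel's source: weakHash() mirrors the + for . pattern described above, numberBehindDigest() is a check that exposes a stored digest which is only md5() of an integer, and strongHash() uses PHP's own password_hash(). The SALT value, the sample password and all three function names are assumptions made for illustration.

```php
<?php
// Added illustration. SALT is a constructed placeholder, not the panel's salt.
const SALT = 'hello';

// Flawed pattern from the post: '+' where '.' was intended. PHP 5/7 coerced
// each string operand to its leading number (0 if there is none); PHP 8 raises
// a TypeError instead, so the float casts reproduce the legacy coercion here.
function weakHash(string $password): string {
    $sum = (float)$password + (float)SALT + (float)md5(SALT)
         + (float)md5($password) + (float)SALT[3];
    return md5((string)$sum);   // digest of a bare number, the salt is gone
}

// Defender's check: count upward until md5(n) matches. If this returns a
// value, the stored digest is only the MD5 of an integer.
function numberBehindDigest(string $digest, int $limit): ?int {
    for ($n = 0; $n <= $limit; $n++) {
        if (hash_equals($digest, md5((string)$n))) {
            return $n;
        }
    }
    return null;
}

// Corrected form: per-password random salt and a slow hash from the
// standard library, checked with password_verify().
function strongHash(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

$pw = '123';   // constructed sample password

$weak = weakHash($pw);
echo "weak digest:         $weak\n";
echo "integer behind it:   " . var_export(numberBehindDigest($weak, 1000000), true) . "\n";

$strong = strongHash($pw);
echo "strong verifies:     " . var_export(password_verify($pw, $strong), true) . "\n";
echo "other input accepted: " . var_export(password_verify('333', $strong), true) . "\n";
echo "integer behind it:   " . var_export(numberBehindDigest($strong, 100000), true) . "\n";
```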
