metasploit-payloads 2.0.105 → 2.0.107

Files changed (76) hide show
  1. checksums.yaml +4 -4
  2. checksums.yaml.gz.sig +0 -0
  3. data/data/android/meterpreter.jar +0 -0
  4. data/data/android/metstage.jar +0 -0
  5. data/data/android/shell.jar +0 -0
  6. data/data/meterpreter/elevator.x64.debug.dll +0 -0
  7. data/data/meterpreter/elevator.x64.dll +0 -0
  8. data/data/meterpreter/elevator.x86.debug.dll +0 -0
  9. data/data/meterpreter/elevator.x86.dll +0 -0
  10. data/data/meterpreter/ext_server_bofloader.x64.debug.dll +0 -0
  11. data/data/meterpreter/ext_server_bofloader.x64.dll +0 -0
  12. data/data/meterpreter/ext_server_bofloader.x86.debug.dll +0 -0
  13. data/data/meterpreter/ext_server_bofloader.x86.dll +0 -0
  14. data/data/meterpreter/ext_server_espia.x64.debug.dll +0 -0
  15. data/data/meterpreter/ext_server_espia.x64.dll +0 -0
  16. data/data/meterpreter/ext_server_espia.x86.debug.dll +0 -0
  17. data/data/meterpreter/ext_server_espia.x86.dll +0 -0
  18. data/data/meterpreter/ext_server_extapi.x64.debug.dll +0 -0
  19. data/data/meterpreter/ext_server_extapi.x64.dll +0 -0
  20. data/data/meterpreter/ext_server_extapi.x86.debug.dll +0 -0
  21. data/data/meterpreter/ext_server_extapi.x86.dll +0 -0
  22. data/data/meterpreter/ext_server_incognito.x64.debug.dll +0 -0
  23. data/data/meterpreter/ext_server_incognito.x64.dll +0 -0
  24. data/data/meterpreter/ext_server_incognito.x86.debug.dll +0 -0
  25. data/data/meterpreter/ext_server_incognito.x86.dll +0 -0
  26. data/data/meterpreter/ext_server_kiwi.x64.debug.dll +0 -0
  27. data/data/meterpreter/ext_server_kiwi.x64.dll +0 -0
  28. data/data/meterpreter/ext_server_kiwi.x86.debug.dll +0 -0
  29. data/data/meterpreter/ext_server_kiwi.x86.dll +0 -0
  30. data/data/meterpreter/ext_server_lanattacks.x64.debug.dll +0 -0
  31. data/data/meterpreter/ext_server_lanattacks.x64.dll +0 -0
  32. data/data/meterpreter/ext_server_lanattacks.x86.debug.dll +0 -0
  33. data/data/meterpreter/ext_server_lanattacks.x86.dll +0 -0
  34. data/data/meterpreter/ext_server_peinjector.x64.debug.dll +0 -0
  35. data/data/meterpreter/ext_server_peinjector.x64.dll +0 -0
  36. data/data/meterpreter/ext_server_peinjector.x86.debug.dll +0 -0
  37. data/data/meterpreter/ext_server_peinjector.x86.dll +0 -0
  38. data/data/meterpreter/ext_server_powershell.x64.debug.dll +0 -0
  39. data/data/meterpreter/ext_server_powershell.x64.dll +0 -0
  40. data/data/meterpreter/ext_server_powershell.x86.debug.dll +0 -0
  41. data/data/meterpreter/ext_server_powershell.x86.dll +0 -0
  42. data/data/meterpreter/ext_server_priv.x64.debug.dll +0 -0
  43. data/data/meterpreter/ext_server_priv.x64.dll +0 -0
  44. data/data/meterpreter/ext_server_priv.x86.debug.dll +0 -0
  45. data/data/meterpreter/ext_server_priv.x86.dll +0 -0
  46. data/data/meterpreter/ext_server_python.x64.debug.dll +0 -0
  47. data/data/meterpreter/ext_server_python.x64.dll +0 -0
  48. data/data/meterpreter/ext_server_python.x86.debug.dll +0 -0
  49. data/data/meterpreter/ext_server_python.x86.dll +0 -0
  50. data/data/meterpreter/ext_server_sniffer.x64.dll +0 -0
  51. data/data/meterpreter/ext_server_sniffer.x86.dll +0 -0
  52. data/data/meterpreter/ext_server_stdapi.py +111 -8
  53. data/data/meterpreter/ext_server_stdapi.x64.debug.dll +0 -0
  54. data/data/meterpreter/ext_server_stdapi.x64.dll +0 -0
  55. data/data/meterpreter/ext_server_stdapi.x86.debug.dll +0 -0
  56. data/data/meterpreter/ext_server_stdapi.x86.dll +0 -0
  57. data/data/meterpreter/ext_server_unhook.x64.debug.dll +0 -0
  58. data/data/meterpreter/ext_server_unhook.x64.dll +0 -0
  59. data/data/meterpreter/ext_server_unhook.x86.debug.dll +0 -0
  60. data/data/meterpreter/ext_server_unhook.x86.dll +0 -0
  61. data/data/meterpreter/ext_server_winpmem.x64.debug.dll +0 -0
  62. data/data/meterpreter/ext_server_winpmem.x64.dll +0 -0
  63. data/data/meterpreter/ext_server_winpmem.x86.debug.dll +0 -0
  64. data/data/meterpreter/ext_server_winpmem.x86.dll +0 -0
  65. data/data/meterpreter/metsrv.x64.debug.dll +0 -0
  66. data/data/meterpreter/metsrv.x64.dll +0 -0
  67. data/data/meterpreter/metsrv.x86.debug.dll +0 -0
  68. data/data/meterpreter/metsrv.x86.dll +0 -0
  69. data/data/meterpreter/screenshot.x64.debug.dll +0 -0
  70. data/data/meterpreter/screenshot.x64.dll +0 -0
  71. data/data/meterpreter/screenshot.x86.debug.dll +0 -0
  72. data/data/meterpreter/screenshot.x86.dll +0 -0
  73. data/lib/metasploit-payloads/version.rb +1 -1
  74. data.tar.gz.sig +0 -0
  75. metadata +2 -2
  76. metadata.gz.sig +0 -0
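--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 492cb2174246773050bdb8303448ea5f024ccaec9eb89ec14c4670019045a0a5
- data.tar.gz: 82b26b9fa4527322c301bf6a69b894f726ff6ca2e91b2cb019a63444a3ebbf5c
+ metadata.gz: 3d10d21369dd0b6ba5264a4aee52e159c5e50f46cc16ecd41667f2c59a270d7a
+ data.tar.gz: 7c8c3a6e15e0fe818931966bac23b89f63e0c84f73afbf662d477a43d397fcb1
  SHA512:
- metadata.gz: 273f6a11ae840e161193c80c9e3048bad2cb2fdd4c264da34213fde52051fadfc59227f04cbe5ffd027b2c8e0bdf23ce5d75ddc2032814f9df859e63294addce
- data.tar.gz: 6c44af6c8672acbbf5b9d32a66c81365e9ea8f60bd49e1099475f31fc50e3d5fd68be0241e8ca41a9526896c445cdb3ae6fe1633fb4a32a8f38acf4a5f9715a2
+ metadata.gz: c1ed02c18e6180bdf9fe1d63494f44ad3d8301ae24ec9fbdefca7fae136f04177f066bad5c7b259e96e3ceed4ad06c4b613f8300583d7520e4dbdc2451a0442c
+ data.tar.gz: 2bf215c24e59beb8e5198570ed321c23d96c054d3cc523c56160faee54e84d26b4f40ffca241f30fc9d08a6c4c1337e1ae225b6c63d1bcab05fe0a7fcdc2c1bf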
checksums.yaml.gz.sig CHANGED
Binary file
Binary file
Binary file
Binary file
Binary file
Binary file
@@ -1,4 +1,5 @@
1
1
  import fnmatch
2
+ import functools
2
3
  import getpass
3
4
  import os
4
5
  import platform
@@ -669,7 +670,11 @@ TLV_TYPE_TERMINAL_COLUMNS = TLV_META_TYPE_UINT | 2601
669
670
  ##
670
671
  TLV_TYPE_IDLE_TIME = TLV_META_TYPE_UINT | 3000
671
672
  TLV_TYPE_KEYS_DUMP = TLV_META_TYPE_STRING | 3001
672
- TLV_TYPE_DESKTOP = TLV_META_TYPE_STRING | 3002
673
+
674
+ TLV_TYPE_DESKTOP = TLV_META_TYPE_GROUP | 3004
675
+ TLV_TYPE_DESKTOP_SESSION = TLV_META_TYPE_UINT | 3005
676
+ TLV_TYPE_DESKTOP_STATION = TLV_META_TYPE_STRING | 3006
677
+ TLV_TYPE_DESKTOP_NAME = TLV_META_TYPE_STRING | 3007
673
678
 
674
679
  ##
675
680
  # Event Log
@@ -744,6 +749,9 @@ VER_PLATFORM_WIN32s = 0x0000
744
749
  VER_PLATFORM_WIN32_WINDOWS = 0x0001
745
750
  VER_PLATFORM_WIN32_NT = 0x0002
746
751
 
752
+ # Windows Access Controls
753
+ MAXIMUM_ALLOWED = 0x02000000
754
+
747
755
  WIN_AF_INET = 2
748
756
  WIN_AF_INET6 = 23
749
757
 
@@ -1125,15 +1133,24 @@ def channel_open_stdapi_net_tcp_client(request, response):
1125
1133
 
1126
1134
  @register_function
1127
1135
  def channel_open_stdapi_net_tcp_server(request, response):
1128
- local_host = packet_get_tlv(request, TLV_TYPE_LOCAL_HOST).get('value', '0.0.0.0')
1136
+ use_dual_stack = False
1137
+ local_host = packet_get_tlv(request, TLV_TYPE_LOCAL_HOST).get('value', '')
1129
1138
  local_port = packet_get_tlv(request, TLV_TYPE_LOCAL_PORT)['value']
1130
- local_address_info = getaddrinfo(local_host, local_port, socktype=socket.SOCK_STREAM, proto=socket.IPPROTO_TCP)
1131
- if not local_address_info:
1132
- return ERROR_FAILURE, response
1133
- local_address_info = local_address_info[0]
1134
- server_sock = socket.socket(local_address_info['family'], local_address_info['socktype'], local_address_info['proto'])
1139
+ if local_host:
1140
+ local_address_info = getaddrinfo(local_host, local_port, socktype=socket.SOCK_STREAM, proto=socket.IPPROTO_TCP, flags=socket.AI_NUMERICHOST)
1141
+ if not local_address_info:
1142
+ return ERROR_FAILURE, response
1143
+ local_address_info = local_address_info[0]
1144
+ else:
1145
+ local_address_info = {
1146
+ 'family': socket.AF_INET6,
1147
+ 'sockaddr': ('::', local_port, 0, 0)
1148
+ }
1149
+ use_dual_stack = hasattr(socket, 'IPV6_V6ONLY')
1150
+ debug_print('[*] no local host information, binding to all available interfaces...')
1151
+ server_sock = socket.socket(local_address_info['family'], socket.SOCK_STREAM, socket.IPPROTO_TCP)
1135
1152
  server_sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
1136
- if local_address_info['family'] == socket.AF_INET6 and hasattr(socket, 'IPV6_V6ONLY'):
1153
+ if local_address_info['family'] == socket.AF_INET6 and use_dual_stack:
1137
1154
  server_sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
1138
1155
  server_sock.bind(local_address_info['sockaddr'])
1139
1156
  server_sock.listen(socket.SOMAXCONN)
@@ -2773,6 +2790,92 @@ def stdapi_ui_get_idle_time(request, response):
2773
2790
  response += tlv_pack(TLV_TYPE_IDLE_TIME, idle_time)
2774
2791
  return ERROR_SUCCESS, response
2775
2792
 
2793
+ @register_function_if(has_windll)
2794
+ def stdapi_ui_desktop_enum(request, response):
2795
+
2796
+ response_parts = []
2797
+ if ctypes.sizeof(ctypes.c_long) == ctypes.sizeof(ctypes.c_void_p):
2798
+ LPARAM = ctypes.c_long
2799
+ elif ctypes.sizeof(ctypes.c_longlong) == ctypes.sizeof(ctypes.c_void_p):
2800
+ LPARAM = ctypes.c_longlong
2801
+
2802
+ DESKTOPENUMPROCA = ctypes.WINFUNCTYPE(ctypes.c_long, ctypes.c_char_p, LPARAM)
2803
+ EnumDesktopsA = ctypes.windll.user32.EnumDesktopsA
2804
+ EnumDesktopsA.argtypes = [ctypes.c_void_p, DESKTOPENUMPROCA, LPARAM]
2805
+ EnumDesktopsA.restype = ctypes.c_long
2806
+
2807
+ WINSTAENUMPROCA = ctypes.WINFUNCTYPE(ctypes.c_long, ctypes.c_char_p, LPARAM)
2808
+ EnumWindowStationsA = ctypes.windll.user32.EnumWindowStationsA
2809
+ EnumWindowStationsA.argtypes = [WINSTAENUMPROCA, LPARAM]
2810
+ EnumWindowStationsA.restype = ctypes.c_long
2811
+
2812
+ OpenWindowStationA = ctypes.windll.user32.OpenWindowStationA
2813
+ OpenWindowStationA.argtypes = [ctypes.c_char_p, ctypes.c_long, ctypes.c_bool]
2814
+ OpenWindowStationA.restype = ctypes.c_void_p
2815
+
2816
+ CloseWindowStation = ctypes.windll.user32.CloseWindowStation
2817
+ CloseWindowStation.argtypes = [ctypes.c_void_p]
2818
+ CloseWindowStation.restype = ctypes.c_long
2819
+
2820
+ GetCurrentProcessId = ctypes.windll.kernel32.GetCurrentProcessId
2821
+ GetCurrentProcessId.restype = ctypes.c_ulong
2822
+
2823
+ GetProcAddress = ctypes.windll.kernel32.GetProcAddress
2824
+ GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
2825
+ GetProcAddress.restype = ctypes.c_void_p
2826
+
2827
+ def get_session_id(pid):
2828
+ dwSessionId = ctypes.c_ulong(0)
2829
+
2830
+ ProcessIdToSessionId = ctypes.windll.kernel32.ProcessIdToSessionId
2831
+ ProcessIdToSessionId.argtypes = [ctypes.c_ulong, ctypes.POINTER(ctypes.c_ulong)]
2832
+ ProcessIdToSessionId.restype = ctypes.c_bool
2833
+
2834
+ if not ProcessIdToSessionId(ctypes.c_ulong(pid), ctypes.byref(dwSessionId)):
2835
+ dwSessionId = ctypes.c_ulong(-1)
2836
+
2837
+ return dwSessionId
2838
+
2839
+
2840
+ def desktop_enumdesktops_callback(response_parts, session_id, station_name, lpszDesktop, lParam):
2841
+ if not station_name or not lpszDesktop:
2842
+ return True
2843
+
2844
+ entry = bytes()
2845
+ entry += tlv_pack(TLV_TYPE_DESKTOP_SESSION, session_id)
2846
+ entry += tlv_pack(TLV_TYPE_DESKTOP_STATION, station_name)
2847
+ entry += tlv_pack(TLV_TYPE_DESKTOP_NAME, lpszDesktop.decode())
2848
+
2849
+ response_parts.append(tlv_pack(TLV_TYPE_DESKTOP, entry))
2850
+
2851
+ return True
2852
+
2853
+ @WINSTAENUMPROCA
2854
+ def desktop_enumstations_callback(lpszWindowStation, lParam):
2855
+ hWindowStation = OpenWindowStationA(lpszWindowStation, False, MAXIMUM_ALLOWED)
2856
+ if not hWindowStation:
2857
+ return True
2858
+
2859
+ callback = functools.partial(desktop_enumdesktops_callback, response_parts)
2860
+ session_id = get_session_id(GetCurrentProcessId()).value
2861
+ station_name = lpszWindowStation.decode()
2862
+ callback = functools.partial(desktop_enumdesktops_callback, response_parts, session_id, station_name)
2863
+ callback = DESKTOPENUMPROCA(callback)
2864
+ EnumDesktopsA(hWindowStation, callback, 0)
2865
+
2866
+ if hWindowStation:
2867
+ CloseWindowStation(hWindowStation)
2868
+
2869
+ return True
2870
+
2871
+ success = EnumWindowStationsA(desktop_enumstations_callback, 0)
2872
+ if not success:
2873
+ return error_result_windows(), response
2874
+
2875
+ response += bytes().join(response_parts)
2876
+
2877
+ return ERROR_SUCCESS, response
2878
+
2776
2879
  @register_function_if(has_termios and has_fcntl)
2777
2880
  def stdapi_sys_process_set_term_size(request, response):
2778
2881
  channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)['value']
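Review bot: The argtypes declared for OpenWindowStationA in the new stdapi_ui_desktop_enum are in the wrong order: the Win32 signature is (LPCSTR lpszWinSta, BOOL fInherit, ACCESS_MASK dwDesiredAccess), but `OpenWindowStationA.argtypes = [ctypes.c_char_p, ctypes.c_long, ctypes.c_bool]` types the access mask as c_bool, so the MAXIMUM_ALLOWED passed at the call site is coerced to 1. That value happens to equal WINSTA_ENUMDESKTOPS, the one right EnumDesktopsA needs, so the enumeration works by accident rather than by declaration. Declare it as `OpenWindowStationA.argtypes = [ctypes.c_char_p, ctypes.c_bool, ctypes.c_ulong]`, and consider requesting only WINSTA_ENUMDESKTOPS (0x0001) rather than MAXIMUM_ALLOWED, which would also let the constant added in the earlier "Windows Access Controls" hunk go. Separately, the first `callback = functools.partial(desktop_enumdesktops_callback, response_parts)` in desktop_enumstations_callback is dead (overwritten two lines later), the `if hWindowStation:` guard before CloseWindowStation is redundant after the early return, and the session-id lookup via GetCurrentProcessId is invariant across window stations and could be computed once before EnumWindowStationsA is called. LPARAM is also left unbound if neither sizeof branch matches; an `else: raise` would make that failure explicit.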
Binary file
Binary file
Binary file
Binary file
Binary file
Binary file
@@ -1,6 +1,6 @@
1
1
  # -*- coding:binary -*-
2
2
  module MetasploitPayloads
3
- VERSION = '2.0.105'
3
+ VERSION = '2.0.107'
4
4
 
5
5
  def self.version
6
6
  VERSION
data.tar.gz.sig CHANGED
Binary file
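--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: metasploit-payloads
  version: !ruby/object:Gem::Version
- version: 2.0.105
+ version: 2.0.107
  platform: ruby
  authors:
  - OJ Reeves
@@ -96,7 +96,7 @@ cert_chain:
  EknWpNgVhohbot1lfVAMmIhdtOVaRVcQQixWPwprDj/ydB8ryDMDosIMcw+fkoXU
  9GJsSaSRRYQ9UUkVL27b64okU8D48m8=
  -----END CERTIFICATE-----
- date: 2022-12-13 00:00:00.000000000 Z
+ date: 2023-01-13 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: rake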
metadata.gz.sig CHANGED
Binary file