metasploit-payloads 2.0.105 → 2.0.107

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 492cb2174246773050bdb8303448ea5f024ccaec9eb89ec14c4670019045a0a5
-  data.tar.gz: 82b26b9fa4527322c301bf6a69b894f726ff6ca2e91b2cb019a63444a3ebbf5c
+  metadata.gz: 3d10d21369dd0b6ba5264a4aee52e159c5e50f46cc16ecd41667f2c59a270d7a
+  data.tar.gz: 7c8c3a6e15e0fe818931966bac23b89f63e0c84f73afbf662d477a43d397fcb1
 SHA512:
-  metadata.gz: 273f6a11ae840e161193c80c9e3048bad2cb2fdd4c264da34213fde52051fadfc59227f04cbe5ffd027b2c8e0bdf23ce5d75ddc2032814f9df859e63294addce
-  data.tar.gz: 6c44af6c8672acbbf5b9d32a66c81365e9ea8f60bd49e1099475f31fc50e3d5fd68be0241e8ca41a9526896c445cdb3ae6fe1633fb4a32a8f38acf4a5f9715a2
+  metadata.gz: c1ed02c18e6180bdf9fe1d63494f44ad3d8301ae24ec9fbdefca7fae136f04177f066bad5c7b259e96e3ceed4ad06c4b613f8300583d7520e4dbdc2451a0442c
+  data.tar.gz: 2bf215c24e59beb8e5198570ed321c23d96c054d3cc523c56160faee54e84d26b4f40ffca241f30fc9d08a6c4c1337e1ae225b6c63d1bcab05fe0a7fcdc2c1bf

data/data/meterpreter/ext_server_stdapi.py

@@ -1,4 +1,5 @@
 import fnmatch
+import functools
 import getpass
 import os
 import platform
@@ -669,7 +670,11 @@ TLV_TYPE_TERMINAL_COLUMNS      = TLV_META_TYPE_UINT    | 2601
 ##
 TLV_TYPE_IDLE_TIME             = TLV_META_TYPE_UINT    | 3000
 TLV_TYPE_KEYS_DUMP             = TLV_META_TYPE_STRING  | 3001
-TLV_TYPE_DESKTOP               = TLV_META_TYPE_STRING  | 3002
+
+TLV_TYPE_DESKTOP               = TLV_META_TYPE_GROUP   | 3004
+TLV_TYPE_DESKTOP_SESSION       = TLV_META_TYPE_UINT    | 3005
+TLV_TYPE_DESKTOP_STATION       = TLV_META_TYPE_STRING  | 3006
+TLV_TYPE_DESKTOP_NAME          = TLV_META_TYPE_STRING  | 3007
 
 ##
 # Event Log
@@ -744,6 +749,9 @@ VER_PLATFORM_WIN32s               = 0x0000
 VER_PLATFORM_WIN32_WINDOWS        = 0x0001
 VER_PLATFORM_WIN32_NT             = 0x0002
 
+# Windows Access Controls
+MAXIMUM_ALLOWED                   = 0x02000000
+
 WIN_AF_INET  = 2
 WIN_AF_INET6 = 23
 
@@ -1125,15 +1133,24 @@ def channel_open_stdapi_net_tcp_client(request, response):
 
 @register_function
 def channel_open_stdapi_net_tcp_server(request, response):
-    local_host = packet_get_tlv(request, TLV_TYPE_LOCAL_HOST).get('value', '0.0.0.0')
+    use_dual_stack = False
+    local_host = packet_get_tlv(request, TLV_TYPE_LOCAL_HOST).get('value', '')
     local_port = packet_get_tlv(request, TLV_TYPE_LOCAL_PORT)['value']
-    local_address_info = getaddrinfo(local_host, local_port, socktype=socket.SOCK_STREAM, proto=socket.IPPROTO_TCP)
-    if not local_address_info:
-        return ERROR_FAILURE, response
-    local_address_info = local_address_info[0]
-    server_sock = socket.socket(local_address_info['family'], local_address_info['socktype'], local_address_info['proto'])
+    if local_host:
+        local_address_info = getaddrinfo(local_host, local_port, socktype=socket.SOCK_STREAM, proto=socket.IPPROTO_TCP, flags=socket.AI_NUMERICHOST)
+        if not local_address_info:
+            return ERROR_FAILURE, response
+        local_address_info = local_address_info[0]
+    else:
+        local_address_info = {
+            'family': socket.AF_INET6,
+            'sockaddr': ('::', local_port, 0, 0)
+        }
+        use_dual_stack = hasattr(socket, 'IPV6_V6ONLY')
+        debug_print('[*] no local host information, binding to all available interfaces...')
+    server_sock = socket.socket(local_address_info['family'], socket.SOCK_STREAM, socket.IPPROTO_TCP)
     server_sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
-    if local_address_info['family'] == socket.AF_INET6 and hasattr(socket, 'IPV6_V6ONLY'):
+    if local_address_info['family'] == socket.AF_INET6 and use_dual_stack:
         server_sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
     server_sock.bind(local_address_info['sockaddr'])
     server_sock.listen(socket.SOMAXCONN)
@@ -2773,6 +2790,92 @@ def stdapi_ui_get_idle_time(request, response):
     response += tlv_pack(TLV_TYPE_IDLE_TIME, idle_time)
     return ERROR_SUCCESS, response
 
+@register_function_if(has_windll)
+def stdapi_ui_desktop_enum(request, response):
+    
+    response_parts = []
+    if ctypes.sizeof(ctypes.c_long) == ctypes.sizeof(ctypes.c_void_p):
+        LPARAM = ctypes.c_long
+    elif ctypes.sizeof(ctypes.c_longlong) == ctypes.sizeof(ctypes.c_void_p):
+        LPARAM = ctypes.c_longlong
+
+    DESKTOPENUMPROCA = ctypes.WINFUNCTYPE(ctypes.c_long, ctypes.c_char_p, LPARAM)
+    EnumDesktopsA = ctypes.windll.user32.EnumDesktopsA
+    EnumDesktopsA.argtypes = [ctypes.c_void_p, DESKTOPENUMPROCA, LPARAM]
+    EnumDesktopsA.restype = ctypes.c_long
+
+    WINSTAENUMPROCA = ctypes.WINFUNCTYPE(ctypes.c_long, ctypes.c_char_p, LPARAM)
+    EnumWindowStationsA = ctypes.windll.user32.EnumWindowStationsA
+    EnumWindowStationsA.argtypes = [WINSTAENUMPROCA, LPARAM]
+    EnumWindowStationsA.restype = ctypes.c_long
+
+    OpenWindowStationA = ctypes.windll.user32.OpenWindowStationA
+    OpenWindowStationA.argtypes = [ctypes.c_char_p, ctypes.c_long, ctypes.c_bool]
+    OpenWindowStationA.restype = ctypes.c_void_p
+
+    CloseWindowStation = ctypes.windll.user32.CloseWindowStation
+    CloseWindowStation.argtypes = [ctypes.c_void_p]
+    CloseWindowStation.restype = ctypes.c_long
+
+    GetCurrentProcessId = ctypes.windll.kernel32.GetCurrentProcessId
+    GetCurrentProcessId.restype = ctypes.c_ulong
+
+    GetProcAddress = ctypes.windll.kernel32.GetProcAddress
+    GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
+    GetProcAddress.restype = ctypes.c_void_p
+
+    def get_session_id(pid):
+        dwSessionId = ctypes.c_ulong(0)
+
+        ProcessIdToSessionId = ctypes.windll.kernel32.ProcessIdToSessionId
+        ProcessIdToSessionId.argtypes = [ctypes.c_ulong, ctypes.POINTER(ctypes.c_ulong)]
+        ProcessIdToSessionId.restype = ctypes.c_bool
+        
+        if not ProcessIdToSessionId(ctypes.c_ulong(pid), ctypes.byref(dwSessionId)):
+            dwSessionId = ctypes.c_ulong(-1)
+
+        return dwSessionId
+
+
+    def desktop_enumdesktops_callback(response_parts, session_id, station_name, lpszDesktop, lParam):
+        if not station_name or not lpszDesktop:
+            return True
+
+        entry  = bytes()
+        entry += tlv_pack(TLV_TYPE_DESKTOP_SESSION, session_id)
+        entry += tlv_pack(TLV_TYPE_DESKTOP_STATION, station_name)
+        entry += tlv_pack(TLV_TYPE_DESKTOP_NAME, lpszDesktop.decode())
+
+        response_parts.append(tlv_pack(TLV_TYPE_DESKTOP, entry))
+
+        return True
+
+    @WINSTAENUMPROCA
+    def desktop_enumstations_callback(lpszWindowStation, lParam):
+        hWindowStation = OpenWindowStationA(lpszWindowStation, False, MAXIMUM_ALLOWED)
+        if not hWindowStation:
+            return True
+
+        callback = functools.partial(desktop_enumdesktops_callback, response_parts)
+        session_id = get_session_id(GetCurrentProcessId()).value
+        station_name = lpszWindowStation.decode()
+        callback = functools.partial(desktop_enumdesktops_callback, response_parts, session_id, station_name)
+        callback = DESKTOPENUMPROCA(callback)
+        EnumDesktopsA(hWindowStation, callback, 0)
+
+        if hWindowStation:
+            CloseWindowStation(hWindowStation)
+
+        return True
+
+    success = EnumWindowStationsA(desktop_enumstations_callback, 0)
+    if not success:
+        return error_result_windows(), response
+
+    response += bytes().join(response_parts)
+
+    return ERROR_SUCCESS, response
+
 @register_function_if(has_termios and has_fcntl)
 def stdapi_sys_process_set_term_size(request, response):
     channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)['value']

data/lib/metasploit-payloads/version.rb

@@ -1,6 +1,6 @@
 # -*- coding:binary -*-
 module MetasploitPayloads
-  VERSION = '2.0.105'
+  VERSION = '2.0.107'
 
   def self.version
     VERSION

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: metasploit-payloads
 version: !ruby/object:Gem::Version
-  version: 2.0.105
+  version: 2.0.107
 platform: ruby
 authors:
 - OJ Reeves
@@ -96,7 +96,7 @@ cert_chain:
   EknWpNgVhohbot1lfVAMmIhdtOVaRVcQQixWPwprDj/ydB8ryDMDosIMcw+fkoXU
   9GJsSaSRRYQ9UUkVL27b64okU8D48m8=
   -----END CERTIFICATE-----
-date: 2022-12-13 00:00:00.000000000 Z
+date: 2023-01-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake