metasploit-payloads 2.0.117 → 2.0.119

Files changed (77) hide show
  1. checksums.yaml +4 -4
  2. checksums.yaml.gz.sig +0 -0
  3. data/data/android/meterpreter.jar +0 -0
  4. data/data/android/metstage.jar +0 -0
  5. data/data/android/shell.jar +0 -0
  6. data/data/meterpreter/elevator.x64.debug.dll +0 -0
  7. data/data/meterpreter/elevator.x64.dll +0 -0
  8. data/data/meterpreter/elevator.x86.debug.dll +0 -0
  9. data/data/meterpreter/elevator.x86.dll +0 -0
  10. data/data/meterpreter/ext_server_bofloader.x64.debug.dll +0 -0
  11. data/data/meterpreter/ext_server_bofloader.x64.dll +0 -0
  12. data/data/meterpreter/ext_server_bofloader.x86.debug.dll +0 -0
  13. data/data/meterpreter/ext_server_bofloader.x86.dll +0 -0
  14. data/data/meterpreter/ext_server_espia.x64.debug.dll +0 -0
  15. data/data/meterpreter/ext_server_espia.x64.dll +0 -0
  16. data/data/meterpreter/ext_server_espia.x86.debug.dll +0 -0
  17. data/data/meterpreter/ext_server_espia.x86.dll +0 -0
  18. data/data/meterpreter/ext_server_extapi.x64.debug.dll +0 -0
  19. data/data/meterpreter/ext_server_extapi.x64.dll +0 -0
  20. data/data/meterpreter/ext_server_extapi.x86.debug.dll +0 -0
  21. data/data/meterpreter/ext_server_extapi.x86.dll +0 -0
  22. data/data/meterpreter/ext_server_incognito.x64.debug.dll +0 -0
  23. data/data/meterpreter/ext_server_incognito.x64.dll +0 -0
  24. data/data/meterpreter/ext_server_incognito.x86.debug.dll +0 -0
  25. data/data/meterpreter/ext_server_incognito.x86.dll +0 -0
  26. data/data/meterpreter/ext_server_kiwi.x64.debug.dll +0 -0
  27. data/data/meterpreter/ext_server_kiwi.x64.dll +0 -0
  28. data/data/meterpreter/ext_server_kiwi.x86.debug.dll +0 -0
  29. data/data/meterpreter/ext_server_kiwi.x86.dll +0 -0
  30. data/data/meterpreter/ext_server_lanattacks.x64.debug.dll +0 -0
  31. data/data/meterpreter/ext_server_lanattacks.x64.dll +0 -0
  32. data/data/meterpreter/ext_server_lanattacks.x86.debug.dll +0 -0
  33. data/data/meterpreter/ext_server_lanattacks.x86.dll +0 -0
  34. data/data/meterpreter/ext_server_peinjector.x64.debug.dll +0 -0
  35. data/data/meterpreter/ext_server_peinjector.x64.dll +0 -0
  36. data/data/meterpreter/ext_server_peinjector.x86.debug.dll +0 -0
  37. data/data/meterpreter/ext_server_peinjector.x86.dll +0 -0
  38. data/data/meterpreter/ext_server_powershell.x64.debug.dll +0 -0
  39. data/data/meterpreter/ext_server_powershell.x64.dll +0 -0
  40. data/data/meterpreter/ext_server_powershell.x86.debug.dll +0 -0
  41. data/data/meterpreter/ext_server_powershell.x86.dll +0 -0
  42. data/data/meterpreter/ext_server_priv.x64.debug.dll +0 -0
  43. data/data/meterpreter/ext_server_priv.x64.dll +0 -0
  44. data/data/meterpreter/ext_server_priv.x86.debug.dll +0 -0
  45. data/data/meterpreter/ext_server_priv.x86.dll +0 -0
  46. data/data/meterpreter/ext_server_python.x64.debug.dll +0 -0
  47. data/data/meterpreter/ext_server_python.x64.dll +0 -0
  48. data/data/meterpreter/ext_server_python.x86.debug.dll +0 -0
  49. data/data/meterpreter/ext_server_python.x86.dll +0 -0
  50. data/data/meterpreter/ext_server_sniffer.x64.dll +0 -0
  51. data/data/meterpreter/ext_server_sniffer.x86.dll +0 -0
  52. data/data/meterpreter/ext_server_stdapi.py +108 -13
  53. data/data/meterpreter/ext_server_stdapi.x64.debug.dll +0 -0
  54. data/data/meterpreter/ext_server_stdapi.x64.dll +0 -0
  55. data/data/meterpreter/ext_server_stdapi.x86.debug.dll +0 -0
  56. data/data/meterpreter/ext_server_stdapi.x86.dll +0 -0
  57. data/data/meterpreter/ext_server_unhook.x64.debug.dll +0 -0
  58. data/data/meterpreter/ext_server_unhook.x64.dll +0 -0
  59. data/data/meterpreter/ext_server_unhook.x86.debug.dll +0 -0
  60. data/data/meterpreter/ext_server_unhook.x86.dll +0 -0
  61. data/data/meterpreter/ext_server_winpmem.x64.debug.dll +0 -0
  62. data/data/meterpreter/ext_server_winpmem.x64.dll +0 -0
  63. data/data/meterpreter/ext_server_winpmem.x86.debug.dll +0 -0
  64. data/data/meterpreter/ext_server_winpmem.x86.dll +0 -0
  65. data/data/meterpreter/meterpreter.py +27 -25
  66. data/data/meterpreter/metsrv.x64.debug.dll +0 -0
  67. data/data/meterpreter/metsrv.x64.dll +0 -0
  68. data/data/meterpreter/metsrv.x86.debug.dll +0 -0
  69. data/data/meterpreter/metsrv.x86.dll +0 -0
  70. data/data/meterpreter/screenshot.x64.debug.dll +0 -0
  71. data/data/meterpreter/screenshot.x64.dll +0 -0
  72. data/data/meterpreter/screenshot.x86.debug.dll +0 -0
  73. data/data/meterpreter/screenshot.x86.dll +0 -0
  74. data/lib/metasploit-payloads/version.rb +1 -1
  75. data.tar.gz.sig +0 -0
  76. metadata +2 -2
  77. metadata.gz.sig +0 -0
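--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 05c0688e00a3feee84019a39f18e4266fdabf52306270814126790b4696b9d99
-data.tar.gz: c8ce328d12b7362b16bceac80da589ea8ad5f49dbfb36bd7398556cae8131787
+metadata.gz: b67e513ed92128da0555d06d5700100438229971a8750aefac72059efec74eb8
+data.tar.gz: 90a3af70071ac13b8b29db40a47868c5221361e14ad21aec997d1cfb52634d03
 SHA512:
-metadata.gz: ffd922676e0fe215e3092cce6ac98846a9321f4f0d622e12989d3df18e16b701dd82724a732398f208c8f5cc097fee200fc4a4749c49d825443b6d6c4de7604d
-data.tar.gz: e648692fcc8d4d2e3c9b13dfa790c601dc0bd81556e404ed5fc5783b256d55eb0c4838ceecfee649bec1d8d548b242f8bc93df973cf657add29cf82d55367a22
+metadata.gz: c961adbd35fd2999240f21e45383fa2ebd11edae361b65858361989ca32decc61d79b0259dcc0892ec65d714baed184f00d16499a6c4d5454599d268511c90ae
+data.tar.gz: 7d90eebd468b2f28d536d395e62a29a4f1f342a72fa7141f2c4816887331e7cd5cea21906f8c717fb2b056f09fe316091171ba64170c728f87e7086773e7e95c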
checksums.yaml.gz.sig CHANGED
Binary file
Binary file
Binary file
Binary file
Binary file
Binary file
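--- a/data/data/meterpreter/ext_server_stdapi.py
+++ b/data/data/meterpreter/ext_server_stdapi.py
@@ -1002,6 +1002,9 @@ def getaddrinfo_from_request(request, socktype, proto):
 local_address_info = None
 return peer_address_info, local_address_info
 
+def addr_atoi4(address):
+return struct.unpack('!I', socket.inet_aton(address))[0]
+
 def netlink_request(req_type, req_data):
 # See RFC 3549
 NLM_F_REQUEST = 0x0001
@@ -1336,6 +1339,28 @@ def stdapi_sys_config_sysinfo(request, response):
 response += tlv_pack(TLV_TYPE_ARCHITECTURE, get_system_arch())
 return ERROR_SUCCESS, response
 
+@register_function_if(has_windll)
+def stdapi_sys_process_attach(request, response):
+pid = packet_get_tlv(request, TLV_TYPE_PID)['value']
+if not pid:
+GetCurrentProcess = ctypes.windll.kernel32.GetCurrentProcess
+GetCurrentProcess.restype = ctypes.c_void_p
+handle = GetCurrentProcess()
+else:
+inherit = packet_get_tlv(request, TLV_TYPE_INHERIT)['value']
+permissions = packet_get_tlv(request, TLV_TYPE_PROCESS_PERMS)['value']
+
+OpenProcess = ctypes.windll.kernel32.OpenProcess
+OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_bool, ctypes.c_uint32]
+OpenProcess.restype = ctypes.c_void_p
+handle = OpenProcess(permissions, inherit, pid)
+if not handle:
+return error_result_windows(), response
+meterpreter.processes[handle] = None
+debug_print('[*] added process id: ' + str(pid) + ', handle: ' + str(handle))
+response += tlv_pack(TLV_TYPE_HANDLE, handle)
+return ERROR_SUCCESS, response
+
 @register_function
 def stdapi_sys_process_close(request, response):
 proc_h_id = packet_get_tlv(request, TLV_TYPE_HANDLE)['value']
@@ -1901,19 +1926,22 @@ def stdapi_net_config_get_arp_table(request, response):
 if not os.path.exists(arp_cache_file):
 return ERROR_NOT_SUPPORTED, response
 
-with open(arp_cache_file, 'r') as arp_cache:
-lines = arp_cache.readlines()
-for line in lines[1:]:
-fields = line.split()
-ip_address = fields[0]
-mac_address = fields[3]
-mac_address = binascii.unhexlify(mac_address.replace(':', ''))
-interface_name = fields[5]
-arp_tlv = bytes()
-arp_tlv += tlv_pack(TLV_TYPE_IP, socket.inet_aton(ip_address))
-arp_tlv += tlv_pack(TLV_TYPE_MAC_ADDRESS, mac_address)
-arp_tlv += tlv_pack(TLV_TYPE_MAC_NAME, interface_name)
-response += tlv_pack(TLV_TYPE_ARP_ENTRY, arp_tlv)
+arp_cache = open('/proc/net/arp', 'r')
+lines = arp_cache.readlines()
+for line in lines[1:]:
+fields = line.split()
+ip_address = fields[0]
+mac_address = fields[3]
+mac_address = bytes().join(binascii.unhexlify(h) for h in mac_address.split(':'))
+interface_name = fields[5]
+arp_tlv = bytes()
+arp_tlv += tlv_pack(TLV_TYPE_IP, socket.inet_aton(ip_address))
+arp_tlv += tlv_pack(TLV_TYPE_MAC_ADDRESS, mac_address)
+arp_tlv += tlv_pack(TLV_TYPE_MAC_NAME, interface_name)
+response += tlv_pack(TLV_TYPE_ARP_ENTRY, arp_tlv)
+arp_cache.close()
+else:
+return ERROR_NOT_SUPPORTED, response
 return ERROR_SUCCESS, response
 
 @register_function
@@ -2124,6 +2152,73 @@ def stdapi_net_config_get_routes(request, response):
 response += tlv_pack(TLV_TYPE_NETWORK_ROUTE, route_tlv)
 return ERROR_SUCCESS, response
 
+def _win_route_add_remove(is_add, request, response):
+class IPAddr(ctypes.Structure):
+_fields_ = [
+("S_addr", ctypes.c_ulong)]
+
+MIB_IPROUTE_TYPE_INDIRECT = 4
+MIB_IPPROTO_NETMGMT = 3
+
+GetBestInterface = ctypes.windll.Iphlpapi.GetBestInterface
+GetBestInterface.argtypes = [IPAddr, ctypes.POINTER(ctypes.c_ulong)]
+GetBestInterface.restype = ctypes.c_ulong
+
+CreateIpForwardEntry = ctypes.windll.Iphlpapi.CreateIpForwardEntry
+CreateIpForwardEntry.argtypes = [PMIB_IPFORWARDROW]
+CreateIpForwardEntry.restype = ctypes.c_ulong
+
+DeleteIpForwardEntry = ctypes.windll.Iphlpapi.DeleteIpForwardEntry
+DeleteIpForwardEntry.argtypes = [PMIB_IPFORWARDROW]
+DeleteIpForwardEntry.restype = ctypes.c_ulong
+
+GetIpInterfaceEntry = ctypes.windll.Iphlpapi.GetIpInterfaceEntry
+GetIpInterfaceEntry.argtypes = [ctypes.POINTER(MIB_IPINTERFACE_ROW)]
+GetIpInterfaceEntry.restype = ctypes.c_ulong
+
+subnet = packet_get_tlv(request, TLV_TYPE_SUBNET_STRING)['value']
+netmask = packet_get_tlv(request, TLV_TYPE_NETMASK_STRING)['value']
+gateway = packet_get_tlv(request, TLV_TYPE_GATEWAY_STRING)['value']
+
+route = MIB_IPFORWARDROW()
+route.dwForwardDest = socket.ntohl(addr_atoi4(subnet))
+route.dwForwardMask = socket.ntohl(addr_atoi4(netmask))
+route.dwForwardNextHop = socket.ntohl(addr_atoi4(gateway))
+route.dwForwardType = MIB_IPROUTE_TYPE_INDIRECT
+route.dwForwardProto = MIB_IPPROTO_NETMGMT
+route.dwForwardAge = -1
+route.dwForwardMetric1 = 0
+
+best_iface = ctypes.c_ulong()
+ip_addr = IPAddr(socket.ntohl(addr_atoi4(subnet)))
+result = GetBestInterface(ip_addr, ctypes.byref(best_iface))
+if result != ERROR_SUCCESS:
+return error_result_windows(result), response
+route.dwForwardIfIndex = best_iface
+
+iface = MIB_IPINTERFACE_ROW(Family=WIN_AF_INET, InterfaceIndex=route.dwForwardIfIndex)
+result = GetIpInterfaceEntry(ctypes.byref(iface))
+if result != ERROR_SUCCESS:
+return error_result_windows(result), response
+route.dwForwardMetric1 = iface.Metric
+
+if is_add:
+result = CreateIpForwardEntry(ctypes.byref(route))
+else:
+result = DeleteIpForwardEntry(ctypes.byref(route))
+if result != ERROR_SUCCESS:
+return error_result_windows(result), response
+
+return ERROR_SUCCESS, response
+
+@register_function_if(has_windll)
+def stdapi_net_config_add_route(request, response):
+return _win_route_add_remove(True, request, response)
+
+@register_function_if(has_windll)
+def stdapi_net_config_remove_route(request, response):
+return _win_route_add_remove(False, request, response)
+
 def stdapi_net_config_get_routes_via_netlink():
 rta_align = lambda l: l+3 & ~3
 responses = netlink_request(RTM_GETROUTE, RTMSG(family=socket.AF_UNSPEC))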
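Review bot: The rewritten ARP loop opens `'/proc/net/arp'` literally and without a `with`, so the path that was just tested through `arp_cache_file` is no longer the one being read, and any exception inside the loop — an IndexError on a line with fewer than six fields, or a binascii.Error on a malformed HW address — leaves the descriptor open because `arp_cache.close()` is only reached on the success path. The removed form `with open(arp_cache_file, 'r') as arp_cache:` covered both cases; restoring it around the loop and dropping the explicit `close()` keeps the new per-octet MAC decoding exactly as written. The trailing `else: return ERROR_NOT_SUPPORTED, response` suggests the loop now lives in one branch of a conditional whose header is not in the hunk, and this rendering has stripped indentation, so that nesting should be confirmed against the file before relying on it. stdapi_net_config_get_arp_table begins before this hunk.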
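--- a/data/data/meterpreter/meterpreter.py
+++ b/data/data/meterpreter/meterpreter.py
@@ -1259,6 +1259,21 @@ class PythonMeterpreter(object):
 self.next_channel_id += 1
 return idx
 
+def close_channel(self, channel_id):
+if channel_id not in self.channels:
+return False
+channel = self.channels[channel_id]
+try:
+channel.close()
+except Exception:
+debug_traceback('[-] failed to close channel id: ' + str(channel_id))
+return False
+del self.channels[channel_id]
+if channel_id in self.interact_channels:
+self.interact_channels.remove(channel_id)
+debug_print('[*] closed and removed channel id: ' + str(channel_id))
+return True
+
 def add_process(self, process):
 if has_windll:
 PROCESS_ALL_ACCESS = 0x1fffff
@@ -1274,37 +1289,24 @@ class PythonMeterpreter(object):
 return handle
 
 def close_process(self, proc_h_id):
-proc_h = self.processes.pop(proc_h_id, None)
-if not proc_h:
+if proc_h_id not in self.processes:
 return False
-for channel_id, channel in self.channels.items():
-if not isinstance(channel, MeterpreterProcess):
-continue
-if not channel.proc_h is proc_h:
-continue
-self.close_channel(channel_id)
-break
+proc_h = self.processes.pop(proc_h_id)
+if proc_h:
+# proc_h is only set when we started the process via execute and not when we attached to it
+for channel_id, channel in self.channels.items():
+if not isinstance(channel, MeterpreterProcess):
+continue
+if not channel.proc_h is proc_h:
+continue
+self.close_channel(channel_id)
+break
 if has_windll:
 CloseHandle = ctypes.windll.kernel32.CloseHandle
 CloseHandle.argtypes = [ctypes.c_void_p]
 CloseHandle.restype = ctypes.c_long
 CloseHandle(proc_h_id)
-debug_print('[*] closed and removed process id: ' + str(proc_h.pid) + ', handle: ' + str(proc_h_id))
-return True
-
-def close_channel(self, channel_id):
-if channel_id not in self.channels:
-return False
-channel = self.channels[channel_id]
-try:
-channel.close()
-except Exception:
-debug_traceback('[-] failed to close channel id: ' + str(channel_id))
-return False
-del self.channels[channel_id]
-if channel_id in self.interact_channels:
-self.interact_channels.remove(channel_id)
-debug_print('[*] closed and removed channel id: ' + str(channel_id))
+debug_print('[*] closed and removed process handle: ' + str(proc_h_id))
 return True
 
 def get_packet(self):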
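Review bot: `CloseHandle`'s return value is discarded in close_process, so a handle Windows refuses to close is still logged as "closed and removed" and reported as success, and because the entry was already popped from `self.processes` the failure leaves no trace for the operator. A single check keeps the bookkeeping honest: `if not CloseHandle(proc_h_id): debug_print('[-] CloseHandle failed for handle: ' + str(proc_h_id))`. Two smaller points in the same body: `if not channel.proc_h is proc_h:` reads more clearly as `if channel.proc_h is not proc_h:`, and the call to `close_channel` (which deletes from `self.channels`) while iterating `self.channels.items()` is only safe because of the `break` immediately after it, which deserves a one-line comment so the `break` is not removed later. The enclosing class PythonMeterpreter starts before this hunk.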
Binary file
Binary file
Binary file
Binary file
Binary file
Binary file
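--- a/data/lib/metasploit-payloads/version.rb
+++ b/data/lib/metasploit-payloads/version.rb
@@ -1,6 +1,6 @@
 # -*- coding:binary -*-
 module MetasploitPayloads
-VERSION = '2.0.117'
+VERSION = '2.0.119'
 
 def self.version
 VERSION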
data.tar.gz.sig CHANGED
Binary file
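--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: metasploit-payloads
 version: !ruby/object:Gem::Version
-version: 2.0.117
+version: 2.0.119
 platform: ruby
 authors:
 - OJ Reeves
@@ -96,7 +96,7 @@ cert_chain:
 EknWpNgVhohbot1lfVAMmIhdtOVaRVcQQixWPwprDj/ydB8ryDMDosIMcw+fkoXU
 9GJsSaSRRYQ9UUkVL27b64okU8D48m8=
 -----END CERTIFICATE-----
-date: 2023-03-03 00:00:00.000000000 Z
+date: 2023-03-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rake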
metadata.gz.sig CHANGED
Binary file