metasploit-payloads 2.0.118 → 2.0.120
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data/data/android/meterpreter.jar +0 -0
- data/data/android/metstage.jar +0 -0
- data/data/android/shell.jar +0 -0
- data/data/meterpreter/elevator.x64.debug.dll +0 -0
- data/data/meterpreter/elevator.x64.dll +0 -0
- data/data/meterpreter/elevator.x86.debug.dll +0 -0
- data/data/meterpreter/elevator.x86.dll +0 -0
- data/data/meterpreter/ext_server_bofloader.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_bofloader.x64.dll +0 -0
- data/data/meterpreter/ext_server_bofloader.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_bofloader.x86.dll +0 -0
- data/data/meterpreter/ext_server_espia.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_espia.x64.dll +0 -0
- data/data/meterpreter/ext_server_espia.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_espia.x86.dll +0 -0
- data/data/meterpreter/ext_server_extapi.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_extapi.x64.dll +0 -0
- data/data/meterpreter/ext_server_extapi.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_extapi.x86.dll +0 -0
- data/data/meterpreter/ext_server_incognito.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_incognito.x64.dll +0 -0
- data/data/meterpreter/ext_server_incognito.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_incognito.x86.dll +0 -0
- data/data/meterpreter/ext_server_kiwi.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_kiwi.x64.dll +0 -0
- data/data/meterpreter/ext_server_kiwi.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_kiwi.x86.dll +0 -0
- data/data/meterpreter/ext_server_lanattacks.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_lanattacks.x64.dll +0 -0
- data/data/meterpreter/ext_server_lanattacks.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_lanattacks.x86.dll +0 -0
- data/data/meterpreter/ext_server_peinjector.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_peinjector.x64.dll +0 -0
- data/data/meterpreter/ext_server_peinjector.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_peinjector.x86.dll +0 -0
- data/data/meterpreter/ext_server_powershell.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_powershell.x64.dll +0 -0
- data/data/meterpreter/ext_server_powershell.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_powershell.x86.dll +0 -0
- data/data/meterpreter/ext_server_priv.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_priv.x64.dll +0 -0
- data/data/meterpreter/ext_server_priv.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_priv.x86.dll +0 -0
- data/data/meterpreter/ext_server_python.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_python.x64.dll +0 -0
- data/data/meterpreter/ext_server_python.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_python.x86.dll +0 -0
- data/data/meterpreter/ext_server_sniffer.x64.dll +0 -0
- data/data/meterpreter/ext_server_sniffer.x86.dll +0 -0
- data/data/meterpreter/ext_server_stdapi.py +147 -13
- data/data/meterpreter/ext_server_stdapi.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_stdapi.x64.dll +0 -0
- data/data/meterpreter/ext_server_stdapi.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_stdapi.x86.dll +0 -0
- data/data/meterpreter/ext_server_unhook.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_unhook.x64.dll +0 -0
- data/data/meterpreter/ext_server_unhook.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_unhook.x86.dll +0 -0
- data/data/meterpreter/ext_server_winpmem.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_winpmem.x64.dll +0 -0
- data/data/meterpreter/ext_server_winpmem.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_winpmem.x86.dll +0 -0
- data/data/meterpreter/metsrv.x64.debug.dll +0 -0
- data/data/meterpreter/metsrv.x64.dll +0 -0
- data/data/meterpreter/metsrv.x86.debug.dll +0 -0
- data/data/meterpreter/metsrv.x86.dll +0 -0
- data/data/meterpreter/screenshot.x64.debug.dll +0 -0
- data/data/meterpreter/screenshot.x64.dll +0 -0
- data/data/meterpreter/screenshot.x86.debug.dll +0 -0
- data/data/meterpreter/screenshot.x86.dll +0 -0
- data/lib/metasploit-payloads/version.rb +1 -1
- data.tar.gz.sig +1 -1
- metadata +2 -2
- metadata.gz.sig +0 -0
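--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 2ff980455249d53eb739d2cc6ebde4973bc3bf647932a6bc529f99e4f627e843
+data.tar.gz: 1a5d9ba1d7a6cc5f6521b11b8c468b51ea13c2a04bd9b93f903e715ebac0d3de
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 5b74e3680e087cb1c25f0fb69fcca0ade906ac587aa22926182c9dad92656346677a0eda6d0a9fd152dbae418e8944be471d9c962ef64bff0bc1f709f25e16fe
+data.tar.gz: 578453774bcf09f5cd5f413efcd2a898424b2ab74ebc646d0d568276d68f2df9e5fcd9c152f26da08848a6d44d4f714b952bfb8c16270f711ca3b1847d9d282a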
checksums.yaml.gz.sig
CHANGED
Binary file
|
Binary file
|
data/data/android/metstage.jar
CHANGED
Binary file
|
data/data/android/shell.jar
CHANGED
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
@@ -728,6 +728,7 @@ ERROR_FAILURE = 1
|
|
728
728
|
ERROR_INSUFFICIENT_BUFFER = 0x0000007a
|
729
729
|
ERROR_NOT_SUPPORTED = 0x00000032
|
730
730
|
ERROR_NO_DATA = 0x000000e8
|
731
|
+
ERROR_INVALID_PARAMETER = 87
|
731
732
|
|
732
733
|
# Special return value to match up with Windows error codes for network
|
733
734
|
# errors.
|
@@ -1002,6 +1003,9 @@ def getaddrinfo_from_request(request, socktype, proto):
|
|
1002
1003
|
local_address_info = None
|
1003
1004
|
return peer_address_info, local_address_info
|
1004
1005
|
|
1006
|
+
def addr_atoi4(address):
|
1007
|
+
return struct.unpack('!I', socket.inet_aton(address))[0]
|
1008
|
+
|
1005
1009
|
def netlink_request(req_type, req_data):
|
1006
1010
|
# See RFC 3549
|
1007
1011
|
NLM_F_REQUEST = 0x0001
|
@@ -1415,6 +1419,66 @@ def stdapi_sys_process_execute(request, response):
|
|
1415
1419
|
response += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id)
|
1416
1420
|
return ERROR_SUCCESS, response
|
1417
1421
|
|
1422
|
+
@register_function_if(has_windll)
|
1423
|
+
def stdapi_sys_process_get_info(request, response):
|
1424
|
+
proc_h = packet_get_tlv(request, TLV_TYPE_HANDLE).get('value')
|
1425
|
+
if not proc_h:
|
1426
|
+
return ERROR_INVALID_PARAMETER, response
|
1427
|
+
|
1428
|
+
MAX_PATH = 260
|
1429
|
+
|
1430
|
+
EnumProcessModules = ctypes.windll.Psapi.EnumProcessModules
|
1431
|
+
EnumProcessModules.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_ulong, ctypes.POINTER(ctypes.c_ulong)]
|
1432
|
+
EnumProcessModules.restype = ctypes.c_long
|
1433
|
+
|
1434
|
+
GetModuleFileNameExW = ctypes.windll.Psapi.GetModuleFileNameExW
|
1435
|
+
GetModuleFileNameExW.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p, ctypes.c_ulong]
|
1436
|
+
GetModuleFileNameExW.restype = ctypes.c_ulong
|
1437
|
+
|
1438
|
+
GetModuleBaseNameW = ctypes.windll.Psapi.GetModuleBaseNameW
|
1439
|
+
GetModuleBaseNameW.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p, ctypes.c_ulong]
|
1440
|
+
GetModuleBaseNameW.restype = ctypes.c_ulong
|
1441
|
+
|
1442
|
+
def enum_process_modules(hProcess):
|
1443
|
+
buf_count = 256
|
1444
|
+
while True:
|
1445
|
+
buffer = (ctypes.c_void_p * buf_count)()
|
1446
|
+
buf_size = ctypes.sizeof(buffer)
|
1447
|
+
needed = ctypes.c_ulong()
|
1448
|
+
if not EnumProcessModules(hProcess, ctypes.byref(buffer), buf_size, ctypes.byref(needed)):
|
1449
|
+
raise OSError('EnumProcessModules')
|
1450
|
+
if buf_size < needed.value:
|
1451
|
+
buf_count = needed.value // (buf_size // buf_count)
|
1452
|
+
continue
|
1453
|
+
count = needed.value // (buf_size // buf_count)
|
1454
|
+
return map(ctypes.c_void_p, buffer[:count])
|
1455
|
+
|
1456
|
+
def get_module_name(hProcess, hModule):
|
1457
|
+
base_name_buffer = ctypes.create_unicode_buffer(MAX_PATH)
|
1458
|
+
if not GetModuleBaseNameW(hProcess, hModule, base_name_buffer, MAX_PATH):
|
1459
|
+
raise OSError('GetModuleBaseNameW')
|
1460
|
+
return base_name_buffer.value
|
1461
|
+
|
1462
|
+
def get_module_filename(hProcess, hModule):
|
1463
|
+
buffer = ctypes.create_unicode_buffer(MAX_PATH)
|
1464
|
+
nSize = ctypes.c_ulong(MAX_PATH)
|
1465
|
+
if not GetModuleFileNameExW(hProcess, hModule, ctypes.byref(buffer), nSize):
|
1466
|
+
raise OSError('GetModuleFileNameExW')
|
1467
|
+
return buffer.value
|
1468
|
+
|
1469
|
+
try:
|
1470
|
+
for hModule in enum_process_modules(proc_h):
|
1471
|
+
module_name = get_module_name(proc_h, hModule)
|
1472
|
+
module_filename = get_module_filename(proc_h, hModule)
|
1473
|
+
response += tlv_pack(TLV_TYPE_PROCESS_NAME, module_name)
|
1474
|
+
response += tlv_pack(TLV_TYPE_PROCESS_PATH, module_filename)
|
1475
|
+
break
|
1476
|
+
except OSError as error:
|
1477
|
+
debug_print('[-] method stdapi_sys_process_get_info failed on: ' + str(error))
|
1478
|
+
return error_result_windows(), response
|
1479
|
+
|
1480
|
+
return ERROR_SUCCESS, response
|
1481
|
+
|
1418
1482
|
@register_function
|
1419
1483
|
def stdapi_sys_process_getpid(request, response):
|
1420
1484
|
response += tlv_pack(TLV_TYPE_PID, os.getpid())
|
@@ -1923,19 +1987,22 @@ def stdapi_net_config_get_arp_table(request, response):
|
|
1923
1987
|
if not os.path.exists(arp_cache_file):
|
1924
1988
|
return ERROR_NOT_SUPPORTED, response
|
1925
1989
|
|
1926
|
-
|
1927
|
-
|
1928
|
-
|
1929
|
-
|
1930
|
-
|
1931
|
-
|
1932
|
-
|
1933
|
-
|
1934
|
-
|
1935
|
-
|
1936
|
-
|
1937
|
-
|
1938
|
-
|
1990
|
+
arp_cache = open('/proc/net/arp', 'r')
|
1991
|
+
lines = arp_cache.readlines()
|
1992
|
+
for line in lines[1:]:
|
1993
|
+
fields = line.split()
|
1994
|
+
ip_address = fields[0]
|
1995
|
+
mac_address = fields[3]
|
1996
|
+
mac_address = bytes().join(binascii.unhexlify(h) for h in mac_address.split(':'))
|
1997
|
+
interface_name = fields[5]
|
1998
|
+
arp_tlv = bytes()
|
1999
|
+
arp_tlv += tlv_pack(TLV_TYPE_IP, socket.inet_aton(ip_address))
|
2000
|
+
arp_tlv += tlv_pack(TLV_TYPE_MAC_ADDRESS, mac_address)
|
2001
|
+
arp_tlv += tlv_pack(TLV_TYPE_MAC_NAME, interface_name)
|
2002
|
+
response += tlv_pack(TLV_TYPE_ARP_ENTRY, arp_tlv)
|
2003
|
+
arp_cache.close()
|
2004
|
+
else:
|
2005
|
+
return ERROR_NOT_SUPPORTED, response
|
1939
2006
|
return ERROR_SUCCESS, response
|
1940
2007
|
|
1941
2008
|
@register_function
|
@@ -2146,6 +2213,73 @@ def stdapi_net_config_get_routes(request, response):
|
|
2146
2213
|
response += tlv_pack(TLV_TYPE_NETWORK_ROUTE, route_tlv)
|
2147
2214
|
return ERROR_SUCCESS, response
|
2148
2215
|
|
2216
|
+
def _win_route_add_remove(is_add, request, response):
|
2217
|
+
class IPAddr(ctypes.Structure):
|
2218
|
+
_fields_ = [
|
2219
|
+
("S_addr", ctypes.c_ulong)]
|
2220
|
+
|
2221
|
+
MIB_IPROUTE_TYPE_INDIRECT = 4
|
2222
|
+
MIB_IPPROTO_NETMGMT = 3
|
2223
|
+
|
2224
|
+
GetBestInterface = ctypes.windll.Iphlpapi.GetBestInterface
|
2225
|
+
GetBestInterface.argtypes = [IPAddr, ctypes.POINTER(ctypes.c_ulong)]
|
2226
|
+
GetBestInterface.restype = ctypes.c_ulong
|
2227
|
+
|
2228
|
+
CreateIpForwardEntry = ctypes.windll.Iphlpapi.CreateIpForwardEntry
|
2229
|
+
CreateIpForwardEntry.argtypes = [PMIB_IPFORWARDROW]
|
2230
|
+
CreateIpForwardEntry.restype = ctypes.c_ulong
|
2231
|
+
|
2232
|
+
DeleteIpForwardEntry = ctypes.windll.Iphlpapi.DeleteIpForwardEntry
|
2233
|
+
DeleteIpForwardEntry.argtypes = [PMIB_IPFORWARDROW]
|
2234
|
+
DeleteIpForwardEntry.restype = ctypes.c_ulong
|
2235
|
+
|
2236
|
+
GetIpInterfaceEntry = ctypes.windll.Iphlpapi.GetIpInterfaceEntry
|
2237
|
+
GetIpInterfaceEntry.argtypes = [ctypes.POINTER(MIB_IPINTERFACE_ROW)]
|
2238
|
+
GetIpInterfaceEntry.restype = ctypes.c_ulong
|
2239
|
+
|
2240
|
+
subnet = packet_get_tlv(request, TLV_TYPE_SUBNET_STRING)['value']
|
2241
|
+
netmask = packet_get_tlv(request, TLV_TYPE_NETMASK_STRING)['value']
|
2242
|
+
gateway = packet_get_tlv(request, TLV_TYPE_GATEWAY_STRING)['value']
|
2243
|
+
|
2244
|
+
route = MIB_IPFORWARDROW()
|
2245
|
+
route.dwForwardDest = socket.ntohl(addr_atoi4(subnet))
|
2246
|
+
route.dwForwardMask = socket.ntohl(addr_atoi4(netmask))
|
2247
|
+
route.dwForwardNextHop = socket.ntohl(addr_atoi4(gateway))
|
2248
|
+
route.dwForwardType = MIB_IPROUTE_TYPE_INDIRECT
|
2249
|
+
route.dwForwardProto = MIB_IPPROTO_NETMGMT
|
2250
|
+
route.dwForwardAge = -1
|
2251
|
+
route.dwForwardMetric1 = 0
|
2252
|
+
|
2253
|
+
best_iface = ctypes.c_ulong()
|
2254
|
+
ip_addr = IPAddr(socket.ntohl(addr_atoi4(subnet)))
|
2255
|
+
result = GetBestInterface(ip_addr, ctypes.byref(best_iface))
|
2256
|
+
if result != ERROR_SUCCESS:
|
2257
|
+
return error_result_windows(result), response
|
2258
|
+
route.dwForwardIfIndex = best_iface
|
2259
|
+
|
2260
|
+
iface = MIB_IPINTERFACE_ROW(Family=WIN_AF_INET, InterfaceIndex=route.dwForwardIfIndex)
|
2261
|
+
result = GetIpInterfaceEntry(ctypes.byref(iface))
|
2262
|
+
if result != ERROR_SUCCESS:
|
2263
|
+
return error_result_windows(result), response
|
2264
|
+
route.dwForwardMetric1 = iface.Metric
|
2265
|
+
|
2266
|
+
if is_add:
|
2267
|
+
result = CreateIpForwardEntry(ctypes.byref(route))
|
2268
|
+
else:
|
2269
|
+
result = DeleteIpForwardEntry(ctypes.byref(route))
|
2270
|
+
if result != ERROR_SUCCESS:
|
2271
|
+
return error_result_windows(result), response
|
2272
|
+
|
2273
|
+
return ERROR_SUCCESS, response
|
2274
|
+
|
2275
|
+
@register_function_if(has_windll)
|
2276
|
+
def stdapi_net_config_add_route(request, response):
|
2277
|
+
return _win_route_add_remove(True, request, response)
|
2278
|
+
|
2279
|
+
@register_function_if(has_windll)
|
2280
|
+
def stdapi_net_config_remove_route(request, response):
|
2281
|
+
return _win_route_add_remove(False, request, response)
|
2282
|
+
|
2149
2283
|
def stdapi_net_config_get_routes_via_netlink():
|
2150
2284
|
rta_align = lambda l: l+3 & ~3
|
2151
2285
|
responses = netlink_request(RTM_GETROUTE, RTMSG(family=socket.AF_UNSPEC))
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
data.tar.gz.sig
CHANGED
@@ -1 +1 @@
|
|
1
|
-
|
1
|
+
E&�����7!H��Z)8�7�W<�����K��}y^W}J��ʎ1C��� ���e&�U������hT,�(rI��U�Ox�b��f4?�AVw�W��Eou${p��-8��X" ����h�W�8'V��);Z9�d戞ybHd��!���Ȅ�ᗰΜ�-�����#I��:����,@�-��*Oq�a�##�^�����*J"�Al<>��PC�5z`h̠-�H�x��Vg�j�$o���@�W��et�T�fQ77��
|
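--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: metasploit-payloads
 version: !ruby/object:Gem::Version
-version: 2.0.
+version: 2.0.120
 platform: ruby
 authors:
 - OJ Reeves
@@ -96,7 +96,7 @@ cert_chain:
 EknWpNgVhohbot1lfVAMmIhdtOVaRVcQQixWPwprDj/ydB8ryDMDosIMcw+fkoXU
 9GJsSaSRRYQ9UUkVL27b64okU8D48m8=
 -----END CERTIFICATE-----
-date: 2023-03-
+date: 2023-03-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rake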
metadata.gz.sig
CHANGED
Binary file
|