metasploit-payloads 2.0.118 → 2.0.120

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 55f62a6ddb8ad54b97366b04f5b95e70859d702e29e461c3cf860c7958b61ec5
-  data.tar.gz: e72be5a99ca78cd07501b9d9cc3f61bd285da2f818e2c4bc23d8fc9ba524fb90
+  metadata.gz: 2ff980455249d53eb739d2cc6ebde4973bc3bf647932a6bc529f99e4f627e843
+  data.tar.gz: 1a5d9ba1d7a6cc5f6521b11b8c468b51ea13c2a04bd9b93f903e715ebac0d3de
 SHA512:
-  metadata.gz: c91365effac6f9f697441f8356f273f403eb92973e3dd8ecb187d4419299a377e12353cfd6708799ced35fe1839faec70586a9131c61f0e7dbcb01a6d5bfb94d
-  data.tar.gz: 47a8af6283b7dc2e668278548580642b94c8808b5df062c5a7cc51f3663f012fd767a86af8e9bbe7ae23bc9c107ed8cc1799c640593c38e42235dad5ca076eda
+  metadata.gz: 5b74e3680e087cb1c25f0fb69fcca0ade906ac587aa22926182c9dad92656346677a0eda6d0a9fd152dbae418e8944be471d9c962ef64bff0bc1f709f25e16fe
+  data.tar.gz: 578453774bcf09f5cd5f413efcd2a898424b2ab74ebc646d0d568276d68f2df9e5fcd9c152f26da08848a6d44d4f714b952bfb8c16270f711ca3b1847d9d282a

data/data/meterpreter/ext_server_stdapi.py

@@ -728,6 +728,7 @@ ERROR_FAILURE = 1
 ERROR_INSUFFICIENT_BUFFER = 0x0000007a
 ERROR_NOT_SUPPORTED = 0x00000032
 ERROR_NO_DATA = 0x000000e8
+ERROR_INVALID_PARAMETER = 87
 
 # Special return value to match up with Windows error codes for network
 # errors.
@@ -1002,6 +1003,9 @@ def getaddrinfo_from_request(request, socktype, proto):
         local_address_info = None
     return peer_address_info, local_address_info
 
+def addr_atoi4(address):
+    return struct.unpack('!I',  socket.inet_aton(address))[0]
+
 def netlink_request(req_type, req_data):
     # See RFC 3549
     NLM_F_REQUEST    = 0x0001
@@ -1415,6 +1419,66 @@ def stdapi_sys_process_execute(request, response):
         response += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id)
     return ERROR_SUCCESS, response
 
+@register_function_if(has_windll)
+def stdapi_sys_process_get_info(request, response):
+    proc_h = packet_get_tlv(request, TLV_TYPE_HANDLE).get('value')
+    if not proc_h:
+        return ERROR_INVALID_PARAMETER, response
+
+    MAX_PATH = 260
+
+    EnumProcessModules = ctypes.windll.Psapi.EnumProcessModules
+    EnumProcessModules.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_ulong, ctypes.POINTER(ctypes.c_ulong)]
+    EnumProcessModules.restype = ctypes.c_long
+
+    GetModuleFileNameExW = ctypes.windll.Psapi.GetModuleFileNameExW
+    GetModuleFileNameExW.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p, ctypes.c_ulong]
+    GetModuleFileNameExW.restype = ctypes.c_ulong
+
+    GetModuleBaseNameW = ctypes.windll.Psapi.GetModuleBaseNameW
+    GetModuleBaseNameW.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p, ctypes.c_ulong]
+    GetModuleBaseNameW.restype = ctypes.c_ulong
+
+    def enum_process_modules(hProcess):
+        buf_count = 256
+        while True:
+            buffer = (ctypes.c_void_p * buf_count)()
+            buf_size = ctypes.sizeof(buffer)
+            needed = ctypes.c_ulong()
+            if not EnumProcessModules(hProcess, ctypes.byref(buffer), buf_size, ctypes.byref(needed)):
+                raise OSError('EnumProcessModules')
+            if buf_size < needed.value:
+                buf_count = needed.value // (buf_size // buf_count)
+                continue
+            count = needed.value // (buf_size // buf_count)
+            return map(ctypes.c_void_p, buffer[:count])
+
+    def get_module_name(hProcess, hModule):
+        base_name_buffer = ctypes.create_unicode_buffer(MAX_PATH)
+        if not GetModuleBaseNameW(hProcess, hModule, base_name_buffer, MAX_PATH):
+            raise OSError('GetModuleBaseNameW')
+        return base_name_buffer.value
+
+    def get_module_filename(hProcess, hModule):
+        buffer = ctypes.create_unicode_buffer(MAX_PATH)
+        nSize = ctypes.c_ulong(MAX_PATH)
+        if not GetModuleFileNameExW(hProcess, hModule, ctypes.byref(buffer), nSize):
+            raise OSError('GetModuleFileNameExW')
+        return buffer.value
+
+    try:
+        for hModule in enum_process_modules(proc_h):
+            module_name = get_module_name(proc_h, hModule)
+            module_filename = get_module_filename(proc_h, hModule)
+            response += tlv_pack(TLV_TYPE_PROCESS_NAME, module_name)
+            response += tlv_pack(TLV_TYPE_PROCESS_PATH, module_filename)
+            break
+    except OSError as error:
+        debug_print('[-] method stdapi_sys_process_get_info failed on: ' + str(error))
+        return error_result_windows(), response
+
+    return ERROR_SUCCESS, response
+
 @register_function
 def stdapi_sys_process_getpid(request, response):
     response += tlv_pack(TLV_TYPE_PID, os.getpid())
@@ -1923,19 +1987,22 @@ def stdapi_net_config_get_arp_table(request, response):
         if not os.path.exists(arp_cache_file):
             return ERROR_NOT_SUPPORTED, response
 
-        with open(arp_cache_file, 'r') as arp_cache:
-            lines = arp_cache.readlines()
-            for line in lines[1:]:
-                fields = line.split()
-                ip_address = fields[0]
-                mac_address = fields[3]
-                mac_address = binascii.unhexlify(mac_address.replace(':', ''))
-                interface_name = fields[5]
-                arp_tlv  = bytes()
-                arp_tlv += tlv_pack(TLV_TYPE_IP, socket.inet_aton(ip_address))
-                arp_tlv += tlv_pack(TLV_TYPE_MAC_ADDRESS, mac_address)
-                arp_tlv += tlv_pack(TLV_TYPE_MAC_NAME, interface_name)
-                response += tlv_pack(TLV_TYPE_ARP_ENTRY, arp_tlv)
+        arp_cache = open('/proc/net/arp', 'r')
+        lines = arp_cache.readlines()
+        for line in lines[1:]:
+            fields = line.split()
+            ip_address = fields[0]
+            mac_address = fields[3]
+            mac_address = bytes().join(binascii.unhexlify(h) for h in mac_address.split(':'))
+            interface_name = fields[5]
+            arp_tlv  = bytes()
+            arp_tlv += tlv_pack(TLV_TYPE_IP, socket.inet_aton(ip_address))
+            arp_tlv += tlv_pack(TLV_TYPE_MAC_ADDRESS, mac_address)
+            arp_tlv += tlv_pack(TLV_TYPE_MAC_NAME, interface_name)
+            response += tlv_pack(TLV_TYPE_ARP_ENTRY, arp_tlv)
+        arp_cache.close()
+    else:
+        return ERROR_NOT_SUPPORTED, response
     return ERROR_SUCCESS, response
 
 @register_function
@@ -2146,6 +2213,73 @@ def stdapi_net_config_get_routes(request, response):
         response += tlv_pack(TLV_TYPE_NETWORK_ROUTE, route_tlv)
     return ERROR_SUCCESS, response
 
+def _win_route_add_remove(is_add, request, response):
+    class IPAddr(ctypes.Structure):
+        _fields_ = [
+            ("S_addr", ctypes.c_ulong)]
+
+    MIB_IPROUTE_TYPE_INDIRECT = 4
+    MIB_IPPROTO_NETMGMT = 3
+
+    GetBestInterface = ctypes.windll.Iphlpapi.GetBestInterface
+    GetBestInterface.argtypes = [IPAddr, ctypes.POINTER(ctypes.c_ulong)]
+    GetBestInterface.restype = ctypes.c_ulong
+
+    CreateIpForwardEntry = ctypes.windll.Iphlpapi.CreateIpForwardEntry
+    CreateIpForwardEntry.argtypes = [PMIB_IPFORWARDROW]
+    CreateIpForwardEntry.restype = ctypes.c_ulong
+
+    DeleteIpForwardEntry = ctypes.windll.Iphlpapi.DeleteIpForwardEntry
+    DeleteIpForwardEntry.argtypes = [PMIB_IPFORWARDROW]
+    DeleteIpForwardEntry.restype = ctypes.c_ulong
+
+    GetIpInterfaceEntry = ctypes.windll.Iphlpapi.GetIpInterfaceEntry
+    GetIpInterfaceEntry.argtypes = [ctypes.POINTER(MIB_IPINTERFACE_ROW)]
+    GetIpInterfaceEntry.restype = ctypes.c_ulong
+
+    subnet = packet_get_tlv(request, TLV_TYPE_SUBNET_STRING)['value']
+    netmask = packet_get_tlv(request, TLV_TYPE_NETMASK_STRING)['value']
+    gateway = packet_get_tlv(request, TLV_TYPE_GATEWAY_STRING)['value']
+
+    route = MIB_IPFORWARDROW()
+    route.dwForwardDest = socket.ntohl(addr_atoi4(subnet))
+    route.dwForwardMask = socket.ntohl(addr_atoi4(netmask))
+    route.dwForwardNextHop = socket.ntohl(addr_atoi4(gateway))
+    route.dwForwardType = MIB_IPROUTE_TYPE_INDIRECT
+    route.dwForwardProto = MIB_IPPROTO_NETMGMT
+    route.dwForwardAge = -1
+    route.dwForwardMetric1 = 0
+
+    best_iface = ctypes.c_ulong()
+    ip_addr = IPAddr(socket.ntohl(addr_atoi4(subnet)))
+    result = GetBestInterface(ip_addr, ctypes.byref(best_iface))
+    if result != ERROR_SUCCESS:
+        return error_result_windows(result), response
+    route.dwForwardIfIndex = best_iface
+
+    iface = MIB_IPINTERFACE_ROW(Family=WIN_AF_INET, InterfaceIndex=route.dwForwardIfIndex)
+    result = GetIpInterfaceEntry(ctypes.byref(iface))
+    if result != ERROR_SUCCESS:
+        return error_result_windows(result), response
+    route.dwForwardMetric1 = iface.Metric
+
+    if is_add:
+        result = CreateIpForwardEntry(ctypes.byref(route))
+    else:
+        result = DeleteIpForwardEntry(ctypes.byref(route))
+    if result != ERROR_SUCCESS:
+        return error_result_windows(result), response
+
+    return ERROR_SUCCESS, response
+
+@register_function_if(has_windll)
+def stdapi_net_config_add_route(request, response):
+    return _win_route_add_remove(True, request, response)
+
+@register_function_if(has_windll)
+def stdapi_net_config_remove_route(request, response):
+    return _win_route_add_remove(False, request, response)
+
 def stdapi_net_config_get_routes_via_netlink():
     rta_align = lambda l: l+3 & ~3
     responses = netlink_request(RTM_GETROUTE, RTMSG(family=socket.AF_UNSPEC))

data/lib/metasploit-payloads/version.rb

@@ -1,6 +1,6 @@
 # -*- coding:binary -*-
 module MetasploitPayloads
-  VERSION = '2.0.118'
+  VERSION = '2.0.120'
 
   def self.version
     VERSION

data.tar.gz.sig

@@ -1 +1 @@
-:�:R�S�E"���͕�S�58+����=�"�/ҏI��}f�A�Тa��oF��AP�̂W'ګ�7H���{�O�Wƶ�ɸT[P��rִ�"�Ijw��\���bX�5�F��H=���8-Bcu�JOEy-���u��U�ķ܎��p�eJ�9ۢ59�:�$�U֬�]��F�hH�+��@9@�T�Mh<E�������c����07a�zU@)*m�s"���^�q�f8��i��mB��l���F��T�U
+E&�����7!H��Z)8�7�W<�����K��}y^W}J��ʎ1C
���	���e&�U������hT,�(rI��U�Ox�b��f4?�AVw�W��Eou${p��-8��X"	����h�W�8'V��);Z9�d戞ybHd��!���Ȅ�ᗰΜ�-�����#I��:����,@�-��*Oq�a�##�^�����*J"�Al<>��PC�5z`h̠-�H�x��Vg�j�$o���@�W��et�T�fQ77��

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: metasploit-payloads
 version: !ruby/object:Gem::Version
-  version: 2.0.118
+  version: 2.0.120
 platform: ruby
 authors:
 - OJ Reeves
@@ -96,7 +96,7 @@ cert_chain:
   EknWpNgVhohbot1lfVAMmIhdtOVaRVcQQixWPwprDj/ydB8ryDMDosIMcw+fkoXU
   9GJsSaSRRYQ9UUkVL27b64okU8D48m8=
   -----END CERTIFICATE-----
-date: 2023-03-03 00:00:00.000000000 Z
+date: 2023-03-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake