metasploit-payloads 2.0.55 → 2.0.59
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data/data/android/meterpreter.dex +0 -0
- data/data/android/meterpreter.jar +0 -0
- data/data/android/metstage.jar +0 -0
- data/data/android/shell.jar +0 -0
- data/data/meterpreter/elevator.x64.dll +0 -0
- data/data/meterpreter/elevator.x86.dll +0 -0
- data/data/meterpreter/ext_server_espia.x64.dll +0 -0
- data/data/meterpreter/ext_server_espia.x86.dll +0 -0
- data/data/meterpreter/ext_server_extapi.x64.dll +0 -0
- data/data/meterpreter/ext_server_extapi.x86.dll +0 -0
- data/data/meterpreter/ext_server_incognito.x64.dll +0 -0
- data/data/meterpreter/ext_server_incognito.x86.dll +0 -0
- data/data/meterpreter/ext_server_kiwi.x64.dll +0 -0
- data/data/meterpreter/ext_server_kiwi.x86.dll +0 -0
- data/data/meterpreter/ext_server_lanattacks.x64.dll +0 -0
- data/data/meterpreter/ext_server_lanattacks.x86.dll +0 -0
- data/data/meterpreter/ext_server_peinjector.x64.dll +0 -0
- data/data/meterpreter/ext_server_peinjector.x86.dll +0 -0
- data/data/meterpreter/ext_server_powershell.x64.dll +0 -0
- data/data/meterpreter/ext_server_powershell.x86.dll +0 -0
- data/data/meterpreter/ext_server_priv.x64.dll +0 -0
- data/data/meterpreter/ext_server_priv.x86.dll +0 -0
- data/data/meterpreter/ext_server_python.x64.dll +0 -0
- data/data/meterpreter/ext_server_python.x86.dll +0 -0
- data/data/meterpreter/ext_server_sniffer.x64.dll +0 -0
- data/data/meterpreter/ext_server_sniffer.x86.dll +0 -0
- data/data/meterpreter/ext_server_stdapi.jar +0 -0
- data/data/meterpreter/ext_server_stdapi.php +31 -11
- data/data/meterpreter/ext_server_stdapi.py +21 -2
- data/data/meterpreter/ext_server_stdapi.x64.dll +0 -0
- data/data/meterpreter/ext_server_stdapi.x86.dll +0 -0
- data/data/meterpreter/ext_server_unhook.x64.dll +0 -0
- data/data/meterpreter/ext_server_unhook.x86.dll +0 -0
- data/data/meterpreter/ext_server_winpmem.x64.dll +0 -0
- data/data/meterpreter/ext_server_winpmem.x86.dll +0 -0
- data/data/meterpreter/meterpreter.py +39 -3
- data/data/meterpreter/metsrv.x64.dll +0 -0
- data/data/meterpreter/metsrv.x86.dll +0 -0
- data/data/meterpreter/screenshot.x64.dll +0 -0
- data/data/meterpreter/screenshot.x86.dll +0 -0
- data/lib/metasploit-payloads/version.rb +1 -1
- data.tar.gz.sig +0 -0
- metadata +2 -2
- metadata.gz.sig +0 -0
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 117ff7aceaeba0fa89fb3018437e5c3b66decab1ab147ed014de07b30e23758f
|
|
4
|
+
data.tar.gz: d467e15ae88149f1a945d894d1e1d21c3511c8e249d3973e8b0c71b24ed4110f
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 81f991b1b37db4c154663dec36df1a67d0cee57191d9d53c0dfe6a498ef68578d4f33ab10824603764cd8f2c6b34fbe527d115176433d5bb5c20ff7d1c3690a6
|
|
7
|
+
data.tar.gz: 7436e234074f93cc0debeece05ef48aa447a360dc6bede6ddb0f22cc1e96c74981b226344200b5db5e6913b2dc9ec053adeb9db1484ed665e6aa344cc68491a5
|
checksums.yaml.gz.sig
CHANGED
|
Binary file
|
|
Binary file
|
|
Binary file
|
data/data/android/metstage.jar
CHANGED
|
Binary file
|
data/data/android/shell.jar
CHANGED
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
@@ -27,7 +27,9 @@ define("TLV_TYPE_SEARCH_RECURSE", TLV_META_TYPE_BOOL | 1230);
|
|
|
27
27
|
define("TLV_TYPE_SEARCH_GLOB", TLV_META_TYPE_STRING | 1231);
|
|
28
28
|
define("TLV_TYPE_SEARCH_ROOT", TLV_META_TYPE_STRING | 1232);
|
|
29
29
|
define("TLV_TYPE_SEARCH_RESULTS", TLV_META_TYPE_GROUP | 1233);
|
|
30
|
-
|
|
30
|
+
define("TLV_TYPE_SEARCH_MTIME", TLV_META_TYPE_UINT | 1235);
|
|
31
|
+
define("TLV_TYPE_SEARCH_M_START_DATE", TLV_META_TYPE_UINT | 1236);
|
|
32
|
+
define("TLV_TYPE_SEARCH_M_END_DATE", TLV_META_TYPE_UINT | 1237);
|
|
31
33
|
define("TLV_TYPE_FILE_MODE_T", TLV_META_TYPE_UINT | 1234);
|
|
32
34
|
|
|
33
35
|
##
|
|
@@ -340,7 +342,7 @@ define('GLOB_RECURSE',2048);
|
|
|
340
342
|
* GLOB_NODOTS, GLOB_RECURSE
|
|
341
343
|
*/
|
|
342
344
|
if (!function_exists('safe_glob')) {
|
|
343
|
-
function safe_glob($pattern, $flags=0) {
|
|
345
|
+
function safe_glob($pattern, $flags=0, $start_date=null, $end_date=null) {
|
|
344
346
|
$split=explode('/',str_replace('\\','/',$pattern));
|
|
345
347
|
$mask=array_pop($split);
|
|
346
348
|
$path=implode('/',$split);
|
|
@@ -356,14 +358,21 @@ function safe_glob($pattern, $flags=0) {
|
|
|
356
358
|
&& (!is_link($path."/".$file))
|
|
357
359
|
)
|
|
358
360
|
) {
|
|
359
|
-
$
|
|
360
|
-
|
|
361
|
+
$newglob = safe_glob($path.'/'.$file.'/'.$mask, $flags, $start_date, $end_date);
|
|
362
|
+
if ($newglob !== false) {
|
|
363
|
+
$glob = array_merge($glob, array_prepend($newglob,
|
|
364
|
+
($flags&GLOB_PATH?'':$file.'/')));
|
|
365
|
+
}
|
|
361
366
|
}
|
|
362
367
|
// Match file mask
|
|
363
368
|
if (fnmatch($mask,$file)) {
|
|
369
|
+
$tmp_f_stat = stat($path.'/'.$file);
|
|
370
|
+
$mtime = $tmp_f_stat['mtime'];
|
|
364
371
|
if ( ( (!($flags&GLOB_ONLYDIR)) || is_dir("$path/$file") )
|
|
365
372
|
&& ( (!($flags&GLOB_NODIR)) || (!is_dir($path.'/'.$file)) )
|
|
366
|
-
&& ( (!($flags&GLOB_NODOTS)) || (!in_array($file,array('.','..'))) )
|
|
373
|
+
&& ( (!($flags&GLOB_NODOTS)) || (!in_array($file,array('.','..'))) )
|
|
374
|
+
&& ( ($start_date === null) || ($start_date <= $mtime))
|
|
375
|
+
&& ( ($end_date === null) || ($end_date >= $mtime)) )
|
|
367
376
|
$glob[] = ($flags&GLOB_PATH?$path.'/':'') . $file . ($flags&GLOB_MARK?'/':'');
|
|
368
377
|
}
|
|
369
378
|
}
|
|
@@ -682,27 +691,38 @@ function stdapi_fs_search($req, &$pkt) {
|
|
|
682
691
|
$glob = canonicalize_path($glob_tlv['value']);
|
|
683
692
|
$recurse_tlv = packet_get_tlv($req, TLV_TYPE_SEARCH_RECURSE);
|
|
684
693
|
$recurse = $recurse_tlv['value'];
|
|
694
|
+
$start_date_tlv = packet_get_tlv($req, TLV_TYPE_SEARCH_M_START_DATE);
|
|
695
|
+
$start_date = null;
|
|
696
|
+
if ($start_date_tlv) {
|
|
697
|
+
$start_date = $start_date_tlv['value'];
|
|
698
|
+
}
|
|
699
|
+
$end_date_tlv = packet_get_tlv($req, TLV_TYPE_SEARCH_M_END_DATE);
|
|
700
|
+
$end_date = null;
|
|
701
|
+
if ($end_date_tlv) {
|
|
702
|
+
$end_date = $end_date_tlv['value'];
|
|
703
|
+
}
|
|
685
704
|
|
|
686
705
|
if (!$root) {
|
|
687
706
|
$root = '.';
|
|
688
707
|
}
|
|
689
708
|
|
|
690
709
|
my_print("glob: $glob, root: $root, recurse: $recurse");
|
|
691
|
-
$flags = GLOB_PATH;
|
|
710
|
+
$flags = GLOB_PATH | GLOB_NODOTS;
|
|
692
711
|
if ($recurse) {
|
|
693
712
|
$flags |= GLOB_RECURSE;
|
|
694
713
|
}
|
|
695
|
-
$files = safe_glob($root ."/". $glob, $flags);
|
|
714
|
+
$files = safe_glob($root ."/". $glob, $flags, $start_date, $end_date);
|
|
696
715
|
if ($files and is_array($files)) {
|
|
697
716
|
dump_array($files);
|
|
698
717
|
foreach ($files as $file) {
|
|
699
718
|
$file_tlvs = "";
|
|
700
719
|
$s = stat($file);
|
|
701
|
-
$p = dirname($file);
|
|
702
|
-
$f = basename($file);
|
|
720
|
+
$p = canonicalize_path(dirname($file));
|
|
721
|
+
$f = canonicalize_path(basename($file));
|
|
703
722
|
$file_tlvs .= tlv_pack(create_tlv(TLV_TYPE_FILE_PATH, $p));
|
|
704
723
|
$file_tlvs .= tlv_pack(create_tlv(TLV_TYPE_FILE_NAME, $f));
|
|
705
724
|
$file_tlvs .= tlv_pack(create_tlv(TLV_TYPE_FILE_SIZE, $s['size']));
|
|
725
|
+
$file_tlvs .= tlv_pack(create_tlv(TLV_TYPE_SEARCH_MTIME, $s['mtime']));
|
|
706
726
|
packet_add_tlv($pkt, create_tlv(TLV_TYPE_SEARCH_RESULTS, $file_tlvs));
|
|
707
727
|
}
|
|
708
728
|
}
|
|
@@ -756,12 +776,12 @@ function stdapi_sys_config_getuid($req, &$pkt) {
|
|
|
756
776
|
if (is_callable('posix_getuid')) {
|
|
757
777
|
$uid = posix_getuid();
|
|
758
778
|
$pwinfo = posix_getpwuid($uid);
|
|
759
|
-
$user = $pwinfo['name']
|
|
779
|
+
$user = $pwinfo['name'];
|
|
760
780
|
} else {
|
|
761
781
|
# The posix functions aren't available, this is probably windows. Use
|
|
762
782
|
# the functions for getting user name and uid based on file ownership
|
|
763
783
|
# instead.
|
|
764
|
-
$user = get_current_user()
|
|
784
|
+
$user = get_current_user();
|
|
765
785
|
}
|
|
766
786
|
my_print("getuid - returning: " . $user);
|
|
767
787
|
packet_add_tlv($pkt, create_tlv(TLV_TYPE_USER_NAME, $user));
|
|
@@ -474,6 +474,9 @@ TLV_TYPE_SEARCH_ROOT = TLV_META_TYPE_STRING | 1232
|
|
|
474
474
|
TLV_TYPE_SEARCH_RESULTS = TLV_META_TYPE_GROUP | 1233
|
|
475
475
|
|
|
476
476
|
TLV_TYPE_FILE_MODE_T = TLV_META_TYPE_UINT | 1234
|
|
477
|
+
TLV_TYPE_SEARCH_MTIME = TLV_META_TYPE_UINT | 1235
|
|
478
|
+
TLV_TYPE_SEARCH_M_START_DATE = TLV_META_TYPE_UINT | 1236
|
|
479
|
+
TLV_TYPE_SEARCH_M_END_DATE = TLV_META_TYPE_UINT | 1237
|
|
477
480
|
|
|
478
481
|
##
|
|
479
482
|
# Net
|
|
@@ -1518,20 +1521,36 @@ def stdapi_fs_search(request, response):
|
|
|
1518
1521
|
search_root = unicode(search_root)
|
|
1519
1522
|
glob = packet_get_tlv(request, TLV_TYPE_SEARCH_GLOB)['value']
|
|
1520
1523
|
recurse = packet_get_tlv(request, TLV_TYPE_SEARCH_RECURSE)['value']
|
|
1524
|
+
start_date = packet_get_tlv(request,TLV_TYPE_SEARCH_M_START_DATE)
|
|
1525
|
+
end_date = packet_get_tlv(request,TLV_TYPE_SEARCH_M_END_DATE)
|
|
1521
1526
|
if recurse:
|
|
1522
1527
|
for root, dirs, files in os.walk(search_root):
|
|
1523
1528
|
for f in filter(lambda f: fnmatch.fnmatch(f, glob), files):
|
|
1529
|
+
file_stat = os.stat(os.path.join(root, f))
|
|
1530
|
+
mtime = int(file_stat.st_mtime)
|
|
1531
|
+
if start_date and start_date['value'] > mtime:
|
|
1532
|
+
continue
|
|
1533
|
+
if end_date and end_date['value'] < mtime:
|
|
1534
|
+
continue
|
|
1524
1535
|
file_tlv = bytes()
|
|
1525
1536
|
file_tlv += tlv_pack(TLV_TYPE_FILE_PATH, root)
|
|
1526
1537
|
file_tlv += tlv_pack(TLV_TYPE_FILE_NAME, f)
|
|
1527
|
-
file_tlv += tlv_pack(TLV_TYPE_FILE_SIZE,
|
|
1538
|
+
file_tlv += tlv_pack(TLV_TYPE_FILE_SIZE, file_stat.st_size)
|
|
1539
|
+
file_tlv += tlv_pack(TLV_TYPE_SEARCH_MTIME, mtime)
|
|
1528
1540
|
response += tlv_pack(TLV_TYPE_SEARCH_RESULTS, file_tlv)
|
|
1529
1541
|
else:
|
|
1530
1542
|
for f in filter(lambda f: fnmatch.fnmatch(f, glob), os.listdir(search_root)):
|
|
1543
|
+
file_stat = os.stat(os.path.join(search_root, f))
|
|
1544
|
+
mtime = int(file_stat.st_mtime)
|
|
1545
|
+
if start_date and start_date['value'] > mtime:
|
|
1546
|
+
continue
|
|
1547
|
+
if end_date and end_date['value'] < mtime:
|
|
1548
|
+
continue
|
|
1531
1549
|
file_tlv = bytes()
|
|
1532
1550
|
file_tlv += tlv_pack(TLV_TYPE_FILE_PATH, search_root)
|
|
1533
1551
|
file_tlv += tlv_pack(TLV_TYPE_FILE_NAME, f)
|
|
1534
|
-
file_tlv += tlv_pack(TLV_TYPE_FILE_SIZE,
|
|
1552
|
+
file_tlv += tlv_pack(TLV_TYPE_FILE_SIZE, file_stat.st_size)
|
|
1553
|
+
file_tlv += tlv_pack(TLV_TYPE_SEARCH_MTIME, mtime)
|
|
1535
1554
|
response += tlv_pack(TLV_TYPE_SEARCH_RESULTS, file_tlv)
|
|
1536
1555
|
return ERROR_SUCCESS, response
|
|
1537
1556
|
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
@@ -596,6 +596,16 @@ class MeterpreterChannel(object):
|
|
|
596
596
|
response += tlv_pack(TLV_TYPE_LENGTH, self.write(channel_data))
|
|
597
597
|
return ERROR_SUCCESS, response
|
|
598
598
|
|
|
599
|
+
def core_seek(self, request, response):
|
|
600
|
+
offset = packet_get_tlv(request, TLV_TYPE_SEEK_OFFSET)['value']
|
|
601
|
+
whence = packet_get_tlv(request, TLV_TYPE_SEEK_WHENCE)['value']
|
|
602
|
+
self.seek(offset, whence)
|
|
603
|
+
return ERROR_SUCCESS, response
|
|
604
|
+
|
|
605
|
+
def core_tell(self, request, response):
|
|
606
|
+
response += tlv_pack(TLV_TYPE_SEEK_POS, self.tell())
|
|
607
|
+
return ERROR_SUCCESS, response
|
|
608
|
+
|
|
599
609
|
def close(self):
|
|
600
610
|
raise NotImplementedError()
|
|
601
611
|
|
|
@@ -614,6 +624,12 @@ class MeterpreterChannel(object):
|
|
|
614
624
|
def write(self, data):
|
|
615
625
|
raise NotImplementedError()
|
|
616
626
|
|
|
627
|
+
def seek(self, offset, whence=os.SEEK_SET):
|
|
628
|
+
raise NotImplementedError()
|
|
629
|
+
|
|
630
|
+
def tell(self):
|
|
631
|
+
raise NotImplementedError()
|
|
632
|
+
|
|
617
633
|
#@export
|
|
618
634
|
class MeterpreterFile(MeterpreterChannel):
|
|
619
635
|
def __init__(self, file_obj):
|
|
@@ -632,6 +648,12 @@ class MeterpreterFile(MeterpreterChannel):
|
|
|
632
648
|
def write(self, data):
|
|
633
649
|
self.file_obj.write(data)
|
|
634
650
|
return len(data)
|
|
651
|
+
|
|
652
|
+
def seek(self, offset, whence=os.SEEK_SET):
|
|
653
|
+
self.file_obj.seek(offset, whence)
|
|
654
|
+
|
|
655
|
+
def tell(self):
|
|
656
|
+
return self.file_obj.tell()
|
|
635
657
|
export(MeterpreterFile)
|
|
636
658
|
|
|
637
659
|
#@export
|
|
@@ -1315,9 +1337,9 @@ class PythonMeterpreter(object):
|
|
|
1315
1337
|
self.send_packet(tlv_pack_request('stdapi_net_tcp_channel_open', [
|
|
1316
1338
|
{'type': TLV_TYPE_CHANNEL_ID, 'value': client_channel_id},
|
|
1317
1339
|
{'type': TLV_TYPE_CHANNEL_PARENTID, 'value': channel_id},
|
|
1318
|
-
{'type': TLV_TYPE_LOCAL_HOST, 'value':
|
|
1340
|
+
{'type': TLV_TYPE_LOCAL_HOST, 'value': server_addr[0]},
|
|
1319
1341
|
{'type': TLV_TYPE_LOCAL_PORT, 'value': server_addr[1]},
|
|
1320
|
-
{'type': TLV_TYPE_PEER_HOST, 'value':
|
|
1342
|
+
{'type': TLV_TYPE_PEER_HOST, 'value': client_addr[0]},
|
|
1321
1343
|
{'type': TLV_TYPE_PEER_PORT, 'value': client_addr[1]},
|
|
1322
1344
|
]))
|
|
1323
1345
|
elif isinstance(channel, MeterpreterSocketUDPClient):
|
|
@@ -1565,7 +1587,7 @@ class PythonMeterpreter(object):
|
|
|
1565
1587
|
return ERROR_FAILURE, response
|
|
1566
1588
|
channel = self.channels[channel_id]
|
|
1567
1589
|
status, response = channel.core_eof(request, response)
|
|
1568
|
-
return
|
|
1590
|
+
return status, response
|
|
1569
1591
|
|
|
1570
1592
|
def _core_channel_interact(self, request, response):
|
|
1571
1593
|
channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)['value']
|
|
@@ -1605,6 +1627,20 @@ class PythonMeterpreter(object):
|
|
|
1605
1627
|
self.handle_dead_resource_channel(channel_id)
|
|
1606
1628
|
return status, response
|
|
1607
1629
|
|
|
1630
|
+
def _core_channel_seek(self, request, response):
|
|
1631
|
+
channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)['value']
|
|
1632
|
+
if channel_id not in self.channels:
|
|
1633
|
+
return ERROR_FAILURE, response
|
|
1634
|
+
channel = self.channels[channel_id]
|
|
1635
|
+
return channel.core_seek(request, response)
|
|
1636
|
+
|
|
1637
|
+
def _core_channel_tell(self, request, response):
|
|
1638
|
+
channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)['value']
|
|
1639
|
+
if channel_id not in self.channels:
|
|
1640
|
+
return ERROR_FAILURE, response
|
|
1641
|
+
channel = self.channels[channel_id]
|
|
1642
|
+
return channel.core_tell(request, response)
|
|
1643
|
+
|
|
1608
1644
|
def create_response(self, request):
|
|
1609
1645
|
response = struct.pack('>I', PACKET_TYPE_RESPONSE)
|
|
1610
1646
|
commd_id_tlv = packet_get_tlv(request, TLV_TYPE_COMMAND_ID)
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
data.tar.gz.sig
CHANGED
|
Binary file
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: metasploit-payloads
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.0.
|
|
4
|
+
version: 2.0.59
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- OJ Reeves
|
|
@@ -96,7 +96,7 @@ cert_chain:
|
|
|
96
96
|
EknWpNgVhohbot1lfVAMmIhdtOVaRVcQQixWPwprDj/ydB8ryDMDosIMcw+fkoXU
|
|
97
97
|
9GJsSaSRRYQ9UUkVL27b64okU8D48m8=
|
|
98
98
|
-----END CERTIFICATE-----
|
|
99
|
-
date: 2021-
|
|
99
|
+
date: 2021-10-03 00:00:00.000000000 Z
|
|
100
100
|
dependencies:
|
|
101
101
|
- !ruby/object:Gem::Dependency
|
|
102
102
|
name: rake
|
metadata.gz.sig
CHANGED
|
Binary file
|