metasploit-payloads 2.0.96 → 2.0.98

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 14a31678ea188df6a041cd2d9aa4b5e7675e692deac5441309e8f7d28f19971b
-  data.tar.gz: 743083ddf93da1a9447ad45c1d195f7761526bb73595aaa63631d993496011dd
+  metadata.gz: e258521427e2bc71990e2e646fbf617fc70569fc6a1ca41d886eea9a6a5dd9c2
+  data.tar.gz: 77d18985a73b5f3e87f77cfb6f15d346b1316e03ea05bde053e23c828aa432f4
 SHA512:
-  metadata.gz: 58dd28d9fb05c6d5d0742b6316209514f287c9da6c54322eaff3e9d62369ee1a1384d8592ed1b8aa0d14facc62b0014e895dc55e03c534e828bb987ec391ce52
-  data.tar.gz: 6a9f652a9807c1d4288e9c3c87161d858fe4bb63fe8f4216c4b82d6f3b06bd9d5acbc6f8f0978fae5bf87b7198e8e89716dca4a86df6ae7eb2b154c6238a156a
+  metadata.gz: cee1509b9a8f0780c1d5d02d87f6412a463275d6a72743767c4229115448a86a63e25cddb529cd6e2ee4ea2aa44ecfd7f3b331de74b3b085c35961b45e8fb436
+  data.tar.gz: bc60aa01a5781c8a22d78be70fa02665456552fe4fb44c867655ed3e88834f790c3b55c4176d4c1e036bec0a0425b701842f1ab3c3753516f04e0e56aa0970c4

data/data/meterpreter/ext_server_stdapi.py

@@ -21,6 +21,9 @@ except ImportError:
     has_ctypes = False
     has_windll = False
 
+if has_windll:
+    from ctypes import wintypes
+
 try:
     import pty
     has_pty = True
@@ -357,6 +360,36 @@ if has_ctypes:
             ("lpszProxy", ctypes.c_wchar_p),
             ("lpszProxyBypass", ctypes.c_wchar_p)]
 
+    class LUID(ctypes.Structure):
+        _fields_ = [
+            ('LowPart',  wintypes.DWORD),
+            ('HighPart', wintypes.LONG)
+        ]
+
+        def __eq__(self, __o):
+            return (self.LowPart == __o.LowPart and self.HighPart == __o.HighPart)
+
+        def __ne__(self, __o):
+            return (self.LowPart != __o.LowPart or self.HighPart != __o.HighPart)
+
+    class LUID_AND_ATTRIBUTES(ctypes.Structure):
+        _fields_ = [
+            ('Luid',       LUID),
+            ('Attributes', wintypes.DWORD)
+        ]
+
+    class TOKEN_PRIVILEGES(ctypes.Structure):
+        _fields_ = [
+            ('PrivilegeCount', wintypes.DWORD),
+            ('Privileges',     LUID_AND_ATTRIBUTES * 0),
+        ]
+        def get_array(self):
+            array_type = LUID_AND_ATTRIBUTES * self.PrivilegeCount
+            return ctypes.cast(self.Privileges, ctypes.POINTER(array_type)).contents
+
+    PTOKEN_PRIVILEGES = ctypes.POINTER(TOKEN_PRIVILEGES)
+
+
     #
     # Linux Structures
     #
@@ -999,6 +1032,45 @@ def windll_GetVersion():
     dwBuild        = ((dwVersion & 0xffff0000) >> 16)
     return type('Version', (object,), dict(dwMajorVersion = dwMajorVersion, dwMinorVersion = dwMinorVersion, dwBuild = dwBuild))
 
+def enable_privilege(name, enable=True):
+    TOKEN_ALL_ACCESS = 0xf01ff
+    SE_PRIVILEGE_ENABLED = 0x00000002
+
+    GetCurrentProcess = ctypes.windll.kernel32.GetCurrentProcess
+    GetCurrentProcess.restype = wintypes.HANDLE
+
+    OpenProcessToken = ctypes.windll.advapi32.OpenProcessToken
+    OpenProcessToken.argtypes = [wintypes.HANDLE, wintypes.DWORD, ctypes.POINTER(wintypes.HANDLE)]
+    OpenProcessToken.restype = wintypes.BOOL
+
+    LookupPrivilegeValue = ctypes.windll.advapi32.LookupPrivilegeValueW
+    LookupPrivilegeValue.argtypes = [wintypes.LPCWSTR, wintypes.LPCWSTR, ctypes.POINTER(LUID)]
+    LookupPrivilegeValue.restype = wintypes.BOOL
+
+    AdjustTokenPrivileges = ctypes.windll.advapi32.AdjustTokenPrivileges
+    AdjustTokenPrivileges.argtypes = [wintypes.HANDLE, wintypes.BOOL, PTOKEN_PRIVILEGES, wintypes.DWORD, PTOKEN_PRIVILEGES, ctypes.POINTER(wintypes.DWORD)]
+    AdjustTokenPrivileges.restype = wintypes.BOOL
+
+    token = wintypes.HANDLE()
+    success = OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, token)
+    if not success:
+        return False
+
+    luid = LUID()
+    name = ctypes.create_unicode_buffer(name)
+    success = LookupPrivilegeValue(None, name, luid)
+    if not success:
+        return False
+
+    size = ctypes.sizeof(TOKEN_PRIVILEGES)
+    size += ctypes.sizeof(LUID_AND_ATTRIBUTES)
+    buffer = ctypes.create_string_buffer(size)
+    tokenPrivileges = ctypes.cast(buffer, PTOKEN_PRIVILEGES).contents
+    tokenPrivileges.PrivilegeCount = 1
+    tokenPrivileges.get_array()[0].Luid = luid
+    tokenPrivileges.get_array()[0].Attributes = SE_PRIVILEGE_ENABLED if enable else 0
+    return AdjustTokenPrivileges(token, False, tokenPrivileges, 0, None, None)
+
 @register_function
 def channel_open_stdapi_fs_file(request, response):
     fpath = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
@@ -1335,6 +1407,23 @@ def stdapi_sys_process_get_processes(request, response):
         return stdapi_sys_process_get_processes_via_ps(request, response)
     return ERROR_FAILURE, response
 
+@register_function_if(has_windll)
+def stdapi_sys_power_exitwindows(request, response):
+    SE_SHUTDOWN_NAME = "SeShutdownPrivilege"
+
+    flags = packet_get_tlv(request, TLV_TYPE_POWER_FLAGS)['value']
+    reason = packet_get_tlv(request, TLV_TYPE_POWER_REASON)['value']
+
+    if not enable_privilege(SE_SHUTDOWN_NAME):
+        return error_result_windows(), response
+
+    ExitWindowsEx = ctypes.windll.user32.ExitWindowsEx
+    ExitWindowsEx.argtypes = [ctypes.c_uint32, ctypes.c_ulong]
+    ExitWindowsEx.restype = ctypes.c_int8
+    if not ExitWindowsEx(flags, reason):
+        return error_result_windows(), response
+    return ERROR_SUCCESS, response
+
 @register_function_if(has_windll)
 def stdapi_sys_eventlog_open(request, response):
     source_name = packet_get_tlv(request, TLV_TYPE_EVENT_SOURCENAME)['value']

data/lib/metasploit-payloads/version.rb

@@ -1,6 +1,6 @@
 # -*- coding:binary -*-
 module MetasploitPayloads
-  VERSION = '2.0.96'
+  VERSION = '2.0.98'
 
   def self.version
     VERSION

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: metasploit-payloads
 version: !ruby/object:Gem::Version
-  version: 2.0.96
+  version: 2.0.98
 platform: ruby
 authors:
 - OJ Reeves
@@ -96,7 +96,7 @@ cert_chain:
   EknWpNgVhohbot1lfVAMmIhdtOVaRVcQQixWPwprDj/ydB8ryDMDosIMcw+fkoXU
   9GJsSaSRRYQ9UUkVL27b64okU8D48m8=
   -----END CERTIFICATE-----
-date: 2022-09-22 00:00:00.000000000 Z
+date: 2022-11-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -167,6 +167,10 @@ files:
 - data/meterpreter/elevator.x64.dll
 - data/meterpreter/elevator.x86.debug.dll
 - data/meterpreter/elevator.x86.dll
+- data/meterpreter/ext_server_bofloader.x64.debug.dll
+- data/meterpreter/ext_server_bofloader.x64.dll
+- data/meterpreter/ext_server_bofloader.x86.debug.dll
+- data/meterpreter/ext_server_bofloader.x86.dll
 - data/meterpreter/ext_server_espia.x64.debug.dll
 - data/meterpreter/ext_server_espia.x64.dll
 - data/meterpreter/ext_server_espia.x86.debug.dll