metasploit-payloads 2.0.105 → 2.0.106

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 492cb2174246773050bdb8303448ea5f024ccaec9eb89ec14c4670019045a0a5
-  data.tar.gz: 82b26b9fa4527322c301bf6a69b894f726ff6ca2e91b2cb019a63444a3ebbf5c
+  metadata.gz: 453b3c01afd395af3790b8a9393781f8a90c372945a8b9b4fa597bff94ec47ee
+  data.tar.gz: 16129f118a5a4cee8b66e4a37b824ecf8e0aed43be918ea9b5ef0b9a566d58bc
 SHA512:
-  metadata.gz: 273f6a11ae840e161193c80c9e3048bad2cb2fdd4c264da34213fde52051fadfc59227f04cbe5ffd027b2c8e0bdf23ce5d75ddc2032814f9df859e63294addce
-  data.tar.gz: 6c44af6c8672acbbf5b9d32a66c81365e9ea8f60bd49e1099475f31fc50e3d5fd68be0241e8ca41a9526896c445cdb3ae6fe1633fb4a32a8f38acf4a5f9715a2
+  metadata.gz: 263ccd130cdac66596843e65b9eac343be1bf554896eef1903a6180cf6955326b967a901b0fe7bef73a9e1f1435178d2d47e74aee1c7f4d247e565504726030b
+  data.tar.gz: 63b34db9fe29f7c6bd2d643b40b6a3fdc3963e994226235888de75da78e5d918caa911734b652dfea415a00f4211dede45180e02334fe8111644ba761e17bdc7

data/data/meterpreter/ext_server_stdapi.py

@@ -1,4 +1,5 @@
 import fnmatch
+import functools
 import getpass
 import os
 import platform
@@ -669,7 +670,11 @@ TLV_TYPE_TERMINAL_COLUMNS      = TLV_META_TYPE_UINT    | 2601
 ##
 TLV_TYPE_IDLE_TIME             = TLV_META_TYPE_UINT    | 3000
 TLV_TYPE_KEYS_DUMP             = TLV_META_TYPE_STRING  | 3001
-TLV_TYPE_DESKTOP               = TLV_META_TYPE_STRING  | 3002
+
+TLV_TYPE_DESKTOP               = TLV_META_TYPE_GROUP   | 3004
+TLV_TYPE_DESKTOP_SESSION       = TLV_META_TYPE_UINT    | 3005
+TLV_TYPE_DESKTOP_STATION       = TLV_META_TYPE_STRING  | 3006
+TLV_TYPE_DESKTOP_NAME          = TLV_META_TYPE_STRING  | 3007
 
 ##
 # Event Log
@@ -744,6 +749,9 @@ VER_PLATFORM_WIN32s               = 0x0000
 VER_PLATFORM_WIN32_WINDOWS        = 0x0001
 VER_PLATFORM_WIN32_NT             = 0x0002
 
+# Windows Access Controls
+MAXIMUM_ALLOWED                   = 0x02000000
+
 WIN_AF_INET  = 2
 WIN_AF_INET6 = 23
 
@@ -2773,6 +2781,92 @@ def stdapi_ui_get_idle_time(request, response):
     response += tlv_pack(TLV_TYPE_IDLE_TIME, idle_time)
     return ERROR_SUCCESS, response
 
+@register_function_if(has_windll)
+def stdapi_ui_desktop_enum(request, response):
+    
+    response_parts = []
+    if ctypes.sizeof(ctypes.c_long) == ctypes.sizeof(ctypes.c_void_p):
+        LPARAM = ctypes.c_long
+    elif ctypes.sizeof(ctypes.c_longlong) == ctypes.sizeof(ctypes.c_void_p):
+        LPARAM = ctypes.c_longlong
+
+    DESKTOPENUMPROCA = ctypes.WINFUNCTYPE(ctypes.c_long, ctypes.c_char_p, LPARAM)
+    EnumDesktopsA = ctypes.windll.user32.EnumDesktopsA
+    EnumDesktopsA.argtypes = [ctypes.c_void_p, DESKTOPENUMPROCA, LPARAM]
+    EnumDesktopsA.restype = ctypes.c_long
+
+    WINSTAENUMPROCA = ctypes.WINFUNCTYPE(ctypes.c_long, ctypes.c_char_p, LPARAM)
+    EnumWindowStationsA = ctypes.windll.user32.EnumWindowStationsA
+    EnumWindowStationsA.argtypes = [WINSTAENUMPROCA, LPARAM]
+    EnumWindowStationsA.restype = ctypes.c_long
+
+    OpenWindowStationA = ctypes.windll.user32.OpenWindowStationA
+    OpenWindowStationA.argtypes = [ctypes.c_char_p, ctypes.c_long, ctypes.c_bool]
+    OpenWindowStationA.restype = ctypes.c_void_p
+
+    CloseWindowStation = ctypes.windll.user32.CloseWindowStation
+    CloseWindowStation.argtypes = [ctypes.c_void_p]
+    CloseWindowStation.restype = ctypes.c_long
+
+    GetCurrentProcessId = ctypes.windll.kernel32.GetCurrentProcessId
+    GetCurrentProcessId.restype = ctypes.c_ulong
+
+    GetProcAddress = ctypes.windll.kernel32.GetProcAddress
+    GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
+    GetProcAddress.restype = ctypes.c_void_p
+
+    def get_session_id(pid):
+        dwSessionId = ctypes.c_ulong(0)
+
+        ProcessIdToSessionId = ctypes.windll.kernel32.ProcessIdToSessionId
+        ProcessIdToSessionId.argtypes = [ctypes.c_ulong, ctypes.POINTER(ctypes.c_ulong)]
+        ProcessIdToSessionId.restype = ctypes.c_bool
+        
+        if not ProcessIdToSessionId(ctypes.c_ulong(pid), ctypes.byref(dwSessionId)):
+            dwSessionId = ctypes.c_ulong(-1)
+
+        return dwSessionId
+
+
+    def desktop_enumdesktops_callback(response_parts, session_id, station_name, lpszDesktop, lParam):
+        if not station_name or not lpszDesktop:
+            return True
+
+        entry  = bytes()
+        entry += tlv_pack(TLV_TYPE_DESKTOP_SESSION, session_id)
+        entry += tlv_pack(TLV_TYPE_DESKTOP_STATION, station_name)
+        entry += tlv_pack(TLV_TYPE_DESKTOP_NAME, lpszDesktop.decode())
+
+        response_parts.append(tlv_pack(TLV_TYPE_DESKTOP, entry))
+
+        return True
+
+    @WINSTAENUMPROCA
+    def desktop_enumstations_callback(lpszWindowStation, lParam):
+        hWindowStation = OpenWindowStationA(lpszWindowStation, False, MAXIMUM_ALLOWED)
+        if not hWindowStation:
+            return True
+
+        callback = functools.partial(desktop_enumdesktops_callback, response_parts)
+        session_id = get_session_id(GetCurrentProcessId()).value
+        station_name = lpszWindowStation.decode()
+        callback = functools.partial(desktop_enumdesktops_callback, response_parts, session_id, station_name)
+        callback = DESKTOPENUMPROCA(callback)
+        EnumDesktopsA(hWindowStation, callback, 0)
+
+        if hWindowStation:
+            CloseWindowStation(hWindowStation)
+
+        return True
+
+    success = EnumWindowStationsA(desktop_enumstations_callback, 0)
+    if not success:
+        return error_result_windows(), response
+
+    response += bytes().join(response_parts)
+
+    return ERROR_SUCCESS, response
+
 @register_function_if(has_termios and has_fcntl)
 def stdapi_sys_process_set_term_size(request, response):
     channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)['value']

data/lib/metasploit-payloads/version.rb

@@ -1,6 +1,6 @@
 # -*- coding:binary -*-
 module MetasploitPayloads
-  VERSION = '2.0.105'
+  VERSION = '2.0.106'
 
   def self.version
     VERSION

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: metasploit-payloads
 version: !ruby/object:Gem::Version
-  version: 2.0.105
+  version: 2.0.106
 platform: ruby
 authors:
 - OJ Reeves
@@ -96,7 +96,7 @@ cert_chain:
   EknWpNgVhohbot1lfVAMmIhdtOVaRVcQQixWPwprDj/ydB8ryDMDosIMcw+fkoXU
   9GJsSaSRRYQ9UUkVL27b64okU8D48m8=
   -----END CERTIFICATE-----
-date: 2022-12-13 00:00:00.000000000 Z
+date: 2023-01-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake