metasploit-payloads 2.0.110 → 2.0.111
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data/data/android/meterpreter.jar +0 -0
- data/data/android/metstage.jar +0 -0
- data/data/android/shell.jar +0 -0
- data/data/meterpreter/elevator.x64.debug.dll +0 -0
- data/data/meterpreter/elevator.x64.dll +0 -0
- data/data/meterpreter/elevator.x86.debug.dll +0 -0
- data/data/meterpreter/elevator.x86.dll +0 -0
- data/data/meterpreter/ext_server_bofloader.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_bofloader.x64.dll +0 -0
- data/data/meterpreter/ext_server_bofloader.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_bofloader.x86.dll +0 -0
- data/data/meterpreter/ext_server_espia.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_espia.x64.dll +0 -0
- data/data/meterpreter/ext_server_espia.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_espia.x86.dll +0 -0
- data/data/meterpreter/ext_server_extapi.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_extapi.x64.dll +0 -0
- data/data/meterpreter/ext_server_extapi.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_extapi.x86.dll +0 -0
- data/data/meterpreter/ext_server_incognito.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_incognito.x64.dll +0 -0
- data/data/meterpreter/ext_server_incognito.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_incognito.x86.dll +0 -0
- data/data/meterpreter/ext_server_kiwi.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_kiwi.x64.dll +0 -0
- data/data/meterpreter/ext_server_kiwi.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_kiwi.x86.dll +0 -0
- data/data/meterpreter/ext_server_lanattacks.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_lanattacks.x64.dll +0 -0
- data/data/meterpreter/ext_server_lanattacks.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_lanattacks.x86.dll +0 -0
- data/data/meterpreter/ext_server_peinjector.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_peinjector.x64.dll +0 -0
- data/data/meterpreter/ext_server_peinjector.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_peinjector.x86.dll +0 -0
- data/data/meterpreter/ext_server_powershell.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_powershell.x64.dll +0 -0
- data/data/meterpreter/ext_server_powershell.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_powershell.x86.dll +0 -0
- data/data/meterpreter/ext_server_priv.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_priv.x64.dll +0 -0
- data/data/meterpreter/ext_server_priv.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_priv.x86.dll +0 -0
- data/data/meterpreter/ext_server_python.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_python.x64.dll +0 -0
- data/data/meterpreter/ext_server_python.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_python.x86.dll +0 -0
- data/data/meterpreter/ext_server_sniffer.x64.dll +0 -0
- data/data/meterpreter/ext_server_sniffer.x86.dll +0 -0
- data/data/meterpreter/ext_server_stdapi.py +95 -7
- data/data/meterpreter/ext_server_stdapi.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_stdapi.x64.dll +0 -0
- data/data/meterpreter/ext_server_stdapi.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_stdapi.x86.dll +0 -0
- data/data/meterpreter/ext_server_unhook.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_unhook.x64.dll +0 -0
- data/data/meterpreter/ext_server_unhook.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_unhook.x86.dll +0 -0
- data/data/meterpreter/ext_server_winpmem.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_winpmem.x64.dll +0 -0
- data/data/meterpreter/ext_server_winpmem.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_winpmem.x86.dll +0 -0
- data/data/meterpreter/metsrv.x64.debug.dll +0 -0
- data/data/meterpreter/metsrv.x64.dll +0 -0
- data/data/meterpreter/metsrv.x86.debug.dll +0 -0
- data/data/meterpreter/metsrv.x86.dll +0 -0
- data/data/meterpreter/screenshot.x64.debug.dll +0 -0
- data/data/meterpreter/screenshot.x64.dll +0 -0
- data/data/meterpreter/screenshot.x86.debug.dll +0 -0
- data/data/meterpreter/screenshot.x86.dll +0 -0
- data/lib/metasploit-payloads/version.rb +1 -1
- data.tar.gz.sig +0 -0
- metadata +1 -1
- metadata.gz.sig +0 -0
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 7909c1b37004dee1af5bed7dbe25381e5a3fcaba7a7d0ee4101f5e518aef6a36
|
|
4
|
+
data.tar.gz: e438b3747393682ffe47594ce438ed27086781602b524071aa73c51f7477e07a
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: cda77751aa1547b93c6be12c0fe4fbedafa915bf5f34a1931d6bef4e44ad6c7c0a89a96fbe6b4878c050a196aa9fd6032800341a38826b5718d0fa3695772240
|
|
7
|
+
data.tar.gz: d40c9e8db0fd4d02e8f8e807fc26ce095b6703548de0c74cce5ad514a9082cee4ebe3b0010d4f2ab1b978d93c79c7184249540839e52f89b1b3bdb7bc8c594b4
|
checksums.yaml.gz.sig
CHANGED
|
Binary file
|
|
Binary file
|
data/data/android/metstage.jar
CHANGED
|
Binary file
|
data/data/android/shell.jar
CHANGED
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
@@ -489,6 +489,7 @@ TLV_TYPE_HANDLE = TLV_META_TYPE_QWORD | 600
|
|
|
489
489
|
TLV_TYPE_INHERIT = TLV_META_TYPE_BOOL | 601
|
|
490
490
|
TLV_TYPE_PROCESS_HANDLE = TLV_META_TYPE_QWORD | 630
|
|
491
491
|
TLV_TYPE_THREAD_HANDLE = TLV_META_TYPE_QWORD | 631
|
|
492
|
+
TLV_TYPE_PRIVILEGE = TLV_META_TYPE_STRING | 632
|
|
492
493
|
|
|
493
494
|
##
|
|
494
495
|
# Fs
|
|
@@ -749,6 +750,25 @@ VER_PLATFORM_WIN32s = 0x0000
|
|
|
749
750
|
VER_PLATFORM_WIN32_WINDOWS = 0x0001
|
|
750
751
|
VER_PLATFORM_WIN32_NT = 0x0002
|
|
751
752
|
|
|
753
|
+
# Token Constants
|
|
754
|
+
TOKEN_ASSIGN_PRIMARY = 0x0001
|
|
755
|
+
TOKEN_DUPLICATE = 0x0002
|
|
756
|
+
TOKEN_IMPERSONATE = 0x0004
|
|
757
|
+
TOKEN_QUERY = 0x0008
|
|
758
|
+
TOKEN_QUERY_SOURCE = 0x0010
|
|
759
|
+
TOKEN_ADJUST_PRIVILEGES = 0x0020
|
|
760
|
+
TOKEN_ADJUST_GROUPS = 0x0040
|
|
761
|
+
TOKEN_ADJUST_DEFAULT = 0x0080
|
|
762
|
+
TOKEN_ADJUST_SESSIONID = 0x0100
|
|
763
|
+
TOKEN_ALL_ACCESS = 0xf01ff
|
|
764
|
+
|
|
765
|
+
# Privilege Constants
|
|
766
|
+
DISABLED = 0x0
|
|
767
|
+
SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x1
|
|
768
|
+
SE_PRIVILEGE_ENABLED = 0x2
|
|
769
|
+
SE_PRIVILEGE_REMOVED = 0x4
|
|
770
|
+
SE_PRIVILEGE_USED_FOR_ACCESS = 0x800000000
|
|
771
|
+
|
|
752
772
|
# Windows Access Controls
|
|
753
773
|
MAXIMUM_ALLOWED = 0x02000000
|
|
754
774
|
|
|
@@ -855,7 +875,6 @@ def get_stat_buffer(path):
|
|
|
855
875
|
return st_buf
|
|
856
876
|
|
|
857
877
|
def get_token_user(handle):
|
|
858
|
-
TOKEN_QUERY = 0x0008
|
|
859
878
|
TokenUser = 1
|
|
860
879
|
advapi32 = ctypes.windll.advapi32
|
|
861
880
|
advapi32.OpenProcessToken.argtypes = [ctypes.c_void_p, ctypes.c_uint32, ctypes.POINTER(ctypes.c_void_p)]
|
|
@@ -1054,9 +1073,6 @@ def windll_GetVersion():
|
|
|
1054
1073
|
return type('Version', (object,), dict(dwMajorVersion = dwMajorVersion, dwMinorVersion = dwMinorVersion, dwBuild = dwBuild))
|
|
1055
1074
|
|
|
1056
1075
|
def enable_privilege(name, enable=True):
|
|
1057
|
-
TOKEN_ALL_ACCESS = 0xf01ff
|
|
1058
|
-
SE_PRIVILEGE_ENABLED = 0x00000002
|
|
1059
|
-
|
|
1060
1076
|
GetCurrentProcess = ctypes.windll.kernel32.GetCurrentProcess
|
|
1061
1077
|
GetCurrentProcess.restype = ctypes.c_void_p
|
|
1062
1078
|
|
|
@@ -1216,6 +1232,81 @@ def stdapi_sys_config_getuid(request, response):
|
|
|
1216
1232
|
response += tlv_pack(TLV_TYPE_USER_NAME, username)
|
|
1217
1233
|
return ERROR_SUCCESS, response
|
|
1218
1234
|
|
|
1235
|
+
@register_function_if(has_windll)
|
|
1236
|
+
def stdapi_sys_config_getprivs(request, response):
|
|
1237
|
+
GetCurrentProcess = ctypes.windll.kernel32.GetCurrentProcess
|
|
1238
|
+
GetCurrentProcess.restype = ctypes.c_void_p
|
|
1239
|
+
|
|
1240
|
+
advapi32 = ctypes.windll.advapi32
|
|
1241
|
+
OpenProcessToken = advapi32.OpenProcessToken
|
|
1242
|
+
OpenProcessToken.argtypes = [ctypes.c_void_p, ctypes.c_uint32, ctypes.POINTER(ctypes.c_void_p)]
|
|
1243
|
+
OpenProcessToken.restype = ctypes.c_bool
|
|
1244
|
+
|
|
1245
|
+
LookupPrivilegeValue = advapi32.LookupPrivilegeValueW
|
|
1246
|
+
LookupPrivilegeValue.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.POINTER(LUID)]
|
|
1247
|
+
LookupPrivilegeValue.restype = ctypes.c_bool
|
|
1248
|
+
|
|
1249
|
+
AdjustTokenPrivileges = advapi32.AdjustTokenPrivileges
|
|
1250
|
+
AdjustTokenPrivileges.argtypes = [ctypes.c_void_p, ctypes.c_bool, PTOKEN_PRIVILEGES, ctypes.c_uint32, PTOKEN_PRIVILEGES, ctypes.POINTER(ctypes.c_uint32)]
|
|
1251
|
+
AdjustTokenPrivileges.restype = ctypes.c_bool
|
|
1252
|
+
|
|
1253
|
+
token = ctypes.c_void_p()
|
|
1254
|
+
success = OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, token)
|
|
1255
|
+
if not success:
|
|
1256
|
+
return error_result_windows(), response
|
|
1257
|
+
|
|
1258
|
+
priv_list = [
|
|
1259
|
+
"SeAssignPrimaryTokenPrivilege",
|
|
1260
|
+
"SeAuditPrivilege",
|
|
1261
|
+
"SeBackupPrivilege",
|
|
1262
|
+
"SeChangeNotifyPrivilege",
|
|
1263
|
+
"SeCreatePagefilePrivilege",
|
|
1264
|
+
"SeCreatePermanentPrivilege",
|
|
1265
|
+
"SeCreateTokenPrivilege",
|
|
1266
|
+
"SeDebugPrivilege",
|
|
1267
|
+
"SeIncreaseBasePriorityPrivilege",
|
|
1268
|
+
"SeIncreaseQuotaPrivilege",
|
|
1269
|
+
"SeLoadDriverPrivilege",
|
|
1270
|
+
"SeLockMemoryPrivilege",
|
|
1271
|
+
"SeMachineAccountPrivilege",
|
|
1272
|
+
"SeProfileSingleProcessPrivilege",
|
|
1273
|
+
"SeRemoteShutdownPrivilege",
|
|
1274
|
+
"SeRestorePrivilege",
|
|
1275
|
+
"SeSecurityPrivilege",
|
|
1276
|
+
"SeShutdownPrivilege",
|
|
1277
|
+
"SeSystemEnvironmentPrivilege",
|
|
1278
|
+
"SeSystemProfilePrivilege",
|
|
1279
|
+
"SeSystemtimePrivilege",
|
|
1280
|
+
"SeTakeOwnershipPrivilege",
|
|
1281
|
+
"SeTcbPrivilege",
|
|
1282
|
+
"SeCreateGlobalPrivilege",
|
|
1283
|
+
"SeCreateSymbolicLinkPrivilege",
|
|
1284
|
+
"SeEnableDelegationPrivilege",
|
|
1285
|
+
"SeImpersonatePrivilege",
|
|
1286
|
+
"SeIncreaseWorkingSetPrivilege",
|
|
1287
|
+
"SeManageVolumePrivilege",
|
|
1288
|
+
"SeRelabelPrivilege",
|
|
1289
|
+
"SeSyncAgentPrivilege",
|
|
1290
|
+
"SeTimeZonePrivilege",
|
|
1291
|
+
"SeTrustedCredManAccessPrivilege",
|
|
1292
|
+
"SeDelegateSessionUserImpersonatePrivilege"
|
|
1293
|
+
]
|
|
1294
|
+
for privilege in priv_list:
|
|
1295
|
+
luid = LUID()
|
|
1296
|
+
name = ctypes.create_unicode_buffer(privilege)
|
|
1297
|
+
success = LookupPrivilegeValue(None, name, luid)
|
|
1298
|
+
if success:
|
|
1299
|
+
size = ctypes.sizeof(TOKEN_PRIVILEGES)
|
|
1300
|
+
size += ctypes.sizeof(LUID_AND_ATTRIBUTES)
|
|
1301
|
+
buffer = ctypes.create_string_buffer(size)
|
|
1302
|
+
tokenPrivileges = ctypes.cast(buffer, PTOKEN_PRIVILEGES).contents
|
|
1303
|
+
tokenPrivileges.PrivilegeCount = 1
|
|
1304
|
+
tokenPrivileges.get_array()[0].Luid = luid
|
|
1305
|
+
tokenPrivileges.get_array()[0].Attributes = SE_PRIVILEGE_ENABLED
|
|
1306
|
+
if AdjustTokenPrivileges(token, False, tokenPrivileges, 0, None, None):
|
|
1307
|
+
response += tlv_pack(TLV_TYPE_PRIVILEGE, privilege)
|
|
1308
|
+
return ERROR_SUCCESS, response
|
|
1309
|
+
|
|
1219
1310
|
@register_function
|
|
1220
1311
|
def stdapi_sys_config_localtime(request, response):
|
|
1221
1312
|
localtime = time.strftime("%Y-%m-%d %H:%M:%S %Z", time.localtime())
|
|
@@ -1374,8 +1465,6 @@ def stdapi_sys_process_get_processes_via_ps(request, response):
|
|
|
1374
1465
|
|
|
1375
1466
|
def stdapi_sys_process_get_processes_via_windll(request, response):
|
|
1376
1467
|
TH32CS_SNAPPROCESS = 2
|
|
1377
|
-
TOKEN_QUERY = 0x0008
|
|
1378
|
-
TokenUser = 1
|
|
1379
1468
|
k32 = ctypes.windll.kernel32
|
|
1380
1469
|
pe32 = PROCESSENTRY32()
|
|
1381
1470
|
pe32.dwSize = ctypes.sizeof(PROCESSENTRY32)
|
|
@@ -1435,7 +1524,6 @@ def stdapi_sys_process_get_processes(request, response):
|
|
|
1435
1524
|
return stdapi_sys_process_get_processes_via_windll(request, response)
|
|
1436
1525
|
else:
|
|
1437
1526
|
return stdapi_sys_process_get_processes_via_ps(request, response)
|
|
1438
|
-
return ERROR_FAILURE, response
|
|
1439
1527
|
|
|
1440
1528
|
@register_function_if(has_windll)
|
|
1441
1529
|
def stdapi_sys_power_exitwindows(request, response):
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
data.tar.gz.sig
CHANGED
|
Binary file
|
metadata
CHANGED
metadata.gz.sig
CHANGED
|
Binary file
|