metasploit-payloads 2.0.144 → 2.0.145

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e1085ae5db328e0de9a3339e6fa48234274ba1c152d75ac3a58c4820165e641d
-  data.tar.gz: ca0176e08ad724ec6b98632ea1786c86e34d22562e958aef903547641f69e6d9
+  metadata.gz: ffd87ebcc6ca35bec62287f50170774f4b0f92244d321dcdce2291e55138a6d2
+  data.tar.gz: 5cea86e080f355c43ddbda321dd1bb90fa6682467a98e2e2ccf8f35491bd4ba6
 SHA512:
-  metadata.gz: fb33cf98cee7b73de2e0b6835de9a3b1c04524827dbfe70561d12c1c1ed63b4a52160ac1b609a23b146ce90113ba9e68486294b2a423cd2d5de710efbccb6e72
-  data.tar.gz: 43c40ed267a4bf5311342eb84dd5ec22a92a7061eab60eaef51c63e65110d68ae248cbd3db9f4f14026a59cd30779d0b15c2eb91c5c5e5df98e11ae3cfb9a153
+  metadata.gz: 5bc2f82c0209ecfa78c16fd6d352a40f114d36c2151a4c5124790ab415801ff89d7c7e53e2fb4b9a3495bbbed4b55c092700b629e0b3f48461123f82a05acaa3
+  data.tar.gz: 83df15304238d68d71cefb16e20009262a46f517bd3128636bcc1b9216a3419da19aa1d69533ef5d6303979764cedba628e9f6e11a84a24d75ce3fd5e3c9e7e3

data/data/meterpreter/ext_server_stdapi.py

@@ -899,7 +899,7 @@ def get_stat_buffer(path):
     st_buf += struct.pack('<QQQQ', long(si.st_size), long(si.st_atime), long(si.st_mtime), long(si.st_ctime))
     return st_buf
 
-def get_token_user(handle):
+def get_token_user_sid(handle):
     TokenUser = 1
     advapi32 = ctypes.windll.advapi32
     advapi32.OpenProcessToken.argtypes = [ctypes.c_void_p, ctypes.c_uint32, ctypes.POINTER(ctypes.c_void_p)]
@@ -913,9 +913,17 @@ def get_token_user(handle):
     ctypes.windll.kernel32.CloseHandle(token_handle)
     if not result:
         return None
-    return ctstruct_unpack(TOKEN_USER, token_user_buffer)
+    token_user = ctstruct_unpack(TOKEN_USER, token_user_buffer)
 
-def get_username_from_token(token_user):
+    GetLengthSid = ctypes.windll.advapi32.GetLengthSid
+    GetLengthSid.argtypes = [ctypes.c_void_p]
+    GetLengthSid.restype = ctypes.c_uint32
+    sid_length = GetLengthSid(token_user.User.Sid)
+    sid_bytes = ctypes.string_at(token_user.User.Sid, sid_length)
+
+    return sid_bytes
+
+def get_username_from_sid(sid):
     user = (ctypes.c_char * 512)()
     domain = (ctypes.c_char * 512)()
     user_len = ctypes.c_uint32()
@@ -926,7 +934,7 @@ def get_username_from_token(token_user):
     use.value = 0
     LookupAccountSid = ctypes.windll.advapi32.LookupAccountSidA
     LookupAccountSid.argtypes = [ctypes.c_void_p] * 7
-    if not LookupAccountSid(None, token_user.User.Sid, user, ctypes.byref(user_len), domain, ctypes.byref(domain_len), ctypes.byref(use)):
+    if not LookupAccountSid(None, sid, user, ctypes.byref(user_len), domain, ctypes.byref(domain_len), ctypes.byref(use)):
         return None
     return str(ctypes.string_at(domain)) + '\\' + str(ctypes.string_at(user))
 
@@ -1232,13 +1240,13 @@ def stdapi_sys_config_getenv(request, response):
 
 @register_function_if(has_windll)
 def stdapi_sys_config_getsid(request, response):
-    token = get_token_user(ctypes.windll.kernel32.GetCurrentProcess())
-    if not token:
+    sid = get_token_user_sid(ctypes.windll.kernel32.GetCurrentProcess())
+    if not sid:
         return error_result_windows(), response
     sid_str = ctypes.c_char_p()
     ConvertSidToStringSid = ctypes.windll.advapi32.ConvertSidToStringSidA
     ConvertSidToStringSid.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
-    if not ConvertSidToStringSid(token.User.Sid, ctypes.byref(sid_str)):
+    if not ConvertSidToStringSid(sid, ctypes.byref(sid_str)):
         return error_result_windows(), response
     sid_str = str(ctypes.string_at(sid_str))
     response += tlv_pack(TLV_TYPE_SID, sid_str)
@@ -1249,10 +1257,10 @@ def stdapi_sys_config_getuid(request, response):
     if has_pwd:
         username = pwd.getpwuid(os.getuid()).pw_name
     elif has_windll:
-        token = get_token_user(ctypes.windll.kernel32.GetCurrentProcess())
-        if not token:
+        sid = get_token_user_sid(ctypes.windll.kernel32.GetCurrentProcess())
+        if not sid:
             return error_result_windows(), response
-        username = get_username_from_token(token)
+        username = get_username_from_sid(sid)
         if not username:
             return error_result_windows(), response
     else:
@@ -1607,9 +1615,9 @@ def stdapi_sys_process_get_processes_via_windll(request, response):
         else:
             exe_path = ''
         process_username = ''
-        process_token_user = get_token_user(proc_h)
-        if process_token_user:
-            process_username = get_username_from_token(process_token_user) or ''
+        process_token_user_sid = get_token_user_sid(proc_h)
+        if process_token_user_sid:
+            process_username = get_username_from_sid(process_token_user_sid) or ''
         parch = windll_GetNativeSystemInfo()
         is_wow64 = ctypes.c_ubyte()
         is_wow64.value = 0

data/lib/metasploit-payloads/version.rb

@@ -1,6 +1,6 @@
 # -*- coding:binary -*-
 module MetasploitPayloads
-  VERSION = '2.0.144'
+  VERSION = '2.0.145'
 
   def self.version
     VERSION

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: metasploit-payloads
 version: !ruby/object:Gem::Version
-  version: 2.0.144
+  version: 2.0.145
 platform: ruby
 authors:
 - OJ Reeves
@@ -96,7 +96,7 @@ cert_chain:
   EknWpNgVhohbot1lfVAMmIhdtOVaRVcQQixWPwprDj/ydB8ryDMDosIMcw+fkoXU
   9GJsSaSRRYQ9UUkVL27b64okU8D48m8=
   -----END CERTIFICATE-----
-date: 2023-06-21 00:00:00.000000000 Z
+date: 2023-06-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake

metadata.gz.sig

@@ -1 +1,3 @@
-�!X��ȡ���t�4…g��4Bs~�X�!Y^�^�:6W��\M����._Ty�`��B]�}9��f�� D9����FSv|�IŲg�UG�?
��7��̱�О�lz�"�!1MMϛ�f`$ؙ` bk��iF*DDV�E���U59�E��
+�g�Ds�r�V�qT�rIg���lT�Y��<�
+ɏLU��o'�G{������ܰ���ᶢ؄����w���J���(�0m׊�
+��䑮ʶS%����a��>��r�X��_T��Q%k^�jY���U��
gCn[[\���1���1�U3����)x����(�6�8�z/hQ0��	̜oRi
6�n'��{
:���3IPat��Bm�#RnZBm��ݢ�]kN�ŗ��Wv|���\�O���l6�8d��}y�:a���