diff --git a/README b/README
index d8c2e499fd..d0d3b59ccf 100644
--- a/README
+++ b/README
@@ -37,7 +37,7 @@ This license does not apply to the following components:
 corresponding header files in the source tree
 - The Packet Sniffer SDK (MicroOLAP) library embedded into the Meterpreter Sniffer extension. HD Moore has a single-seat developer license.
- - The vncdll.dll and vncdll.x64.dll binaries and their associated source code (modified TightVNC)
+ - The modified TightVNC binaries and their associated source code.
 - The icons used by msfweb that were not created by Metasploit
 - The Bit-Struct library located under lib/bit-struct
 - The Byakugan plugin located under external/source/byakugan
diff --git a/data/vncdll.dll b/data/vncdll.dll
index e6cb0ef9f0..f0bd4da8a5 100644
Binary files a/data/vncdll.dll and b/data/vncdll.dll differ
diff --git a/data/vncdll.x64.dll b/data/vncdll.x64.dll
index c86d875d30..c8d1ff48d8 100644
Binary files a/data/vncdll.x64.dll and b/data/vncdll.x64.dll differ
diff --git a/modules/payloads/stages/windows/vncinject.rb b/modules/payloads/stages/windows/vncinject.rb
index ad65554a43..7b8e3d79ae 100644
--- a/modules/payloads/stages/windows/vncinject.rb
+++ b/modules/payloads/stages/windows/vncinject.rb
@@ -12,7 +12,7 @@ require 'msf/base/sessions/vncinject'
 module Metasploit3
 include Msf::Payload::Windows::ReflectiveDllInject
-
+
 def initialize(info = {})
 super(update_info(info,
 'Name' => 'VNC Server (Reflective Injection)',
@@ -20,7 +20,7 @@ module Metasploit3
 'Description' => 'Inject a VNC Dll via a reflective loader (staged)',
 'Author' => [ 'sf' ],
 'Session' => Msf::Sessions::VncInject ))
-
+
 # Override the DLL path with the path to the meterpreter server DLL
 register_options(
@@ -48,11 +48,17 @@ module Metasploit3
 register_advanced_options(
 [
 OptBool.new('DisableCourtesyShell',
- [
- false,
- "Disables the Metasploit Courtesy shell",
- false
- ])
+ [
+ false,
+ "Disables the Metasploit Courtesy shell",
+ false
+ ]),
+ OptBool.new('DisableSessionTracking',
+ [
+ false,
+ "Disables the VNC payload from following the active session as users log in an out of the input desktop",
+ false
+ ])
 ], self.class)
 options.remove_option('DLL')
 end
@@ -71,6 +77,8 @@ module Metasploit3
 flags |= 1 if (datastore['DisableCourtesyShell'])
+ flags |= 2 if (datastore['DisableSessionTracking'])
+
 # Transmit the one byte flag
 session.rstream.put([ flags ].pack('C'))
diff --git a/modules/payloads/stages/windows/x64/vncinject.rb b/modules/payloads/stages/windows/x64/vncinject.rb
index dac5c3e39b..0be1215b9a 100644
--- a/modules/payloads/stages/windows/x64/vncinject.rb
+++ b/modules/payloads/stages/windows/x64/vncinject.rb
@@ -21,7 +21,7 @@ require 'msf/base/sessions/vncinject'
 module Metasploit3
 include Msf::Payload::Windows::ReflectiveDllInject_x64
-
+
 def initialize(info = {})
 super(update_info(info,
 'Name' => 'Windows x64 VNC Server (Reflective Injection)',
@@ -29,7 +29,7 @@ module Metasploit3
 'Description' => 'Inject a VNC Dll via a reflective loader (Windows x64) (staged)',
 'Author' => [ 'sf' ],
 'Session' => Msf::Sessions::VncInject ))
-
+
 # Override the DLL path with the path to the meterpreter server DLL
 register_options(
@@ -61,6 +61,12 @@ module Metasploit3
 false,
 "Disables the Metasploit Courtesy shell",
 false
+ ]),
+ OptBool.new('DisableSessionTracking',
+ [
+ false,
+ "Disables the VNC payload from following the active session as users log in an out of the input desktop",
+ false
 ])
 ], self.class)
 options.remove_option('DLL')
@@ -79,7 +85,9 @@ module Metasploit3
 flags = 0
 flags |= 1 if (datastore['DisableCourtesyShell'])
-
+
+ flags |= 2 if (datastore['DisableSessionTracking'])
+
 # Transmit the one byte flag
 session.rstream.put([ flags ].pack('C'))
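Review bot: The description of the new DisableSessionTracking option contains a typo, `log in an out`, and since this string is what the console shows the operator it should read `"Disables the VNC payload from following the active session as users log in and out of the input desktop"`. The identical string is added to the x64 stage in hunk @@ -61,6 +61,12 of modules/payloads/stages/windows/x64/vncinject.rb and needs the same fix. The option is defined verbatim in both stages, so a shared definition would keep wording and defaults from drifting, though that is beyond this hunk. The enclosing initialize method starts before this hunk.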
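Review bot: The added `flags |= 2` repeats the pattern of the existing `flags |= 1`: a bare literal whose meaning is only recoverable from the datastore key beside it, even though this byte is a protocol shared with the injected VNC DLL. I would document the layout where it is built, `# Flag byte sent to the DLL: bit 0 = DisableCourtesyShell, bit 1 = DisableSessionTracking`, or replace the literals with named constants (e.g. FLAG_DISABLE_COURTESY_SHELL / FLAG_DISABLE_SESSION_TRACKING); the same literals are added in hunk @@ -79,7 +85,9 of modules/payloads/stages/windows/x64/vncinject.rb. Because `[ flags ].pack('C')` keeps only the low eight bits, the comment should also say the byte carries at most eight flags. Bit 1 is presumably only understood by the data/vncdll.dll and data/vncdll.x64.dll rebuilt in this same commit, which is worth stating so the option is not expected to take effect against an older DLL. The enclosing method starts before this hunk and its remaining lines are not visible here.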