mirror of https://github.com/rapid7/metasploit-payloads synced 2025-01-14 17:37:27 +01:00

Updated PHP and Python payloads

This commit is contained in:
test 2021-07-30 23:01:34 -04:00 committed by Tim W
parent e2f9e64779
commit af46841e62
2 changed files with 33 additions and 9 deletions


@ -27,7 +27,9 @@ define("TLV_TYPE_SEARCH_RECURSE", TLV_META_TYPE_BOOL | 1230);
define("TLV_TYPE_SEARCH_GLOB", TLV_META_TYPE_STRING | 1231); define("TLV_TYPE_SEARCH_GLOB", TLV_META_TYPE_STRING | 1231);
define("TLV_TYPE_SEARCH_ROOT", TLV_META_TYPE_STRING | 1232); define("TLV_TYPE_SEARCH_ROOT", TLV_META_TYPE_STRING | 1232);
define("TLV_TYPE_SEARCH_RESULTS", TLV_META_TYPE_GROUP | 1233); define("TLV_TYPE_SEARCH_RESULTS", TLV_META_TYPE_GROUP | 1233);
define("TLV_TYPE_SEARCH_MTIME", TLV_META_TYPE_UINT | 1235);
define("TLV_TYPE_SEARCH_FROM_DATE", TLV_META_TYPE_UINT | 1236);
define("TLV_TYPE_SEARCH_TO_DATE", TLV_META_TYPE_UINT | 1237);
define("TLV_TYPE_FILE_MODE_T", TLV_META_TYPE_UINT | 1234); define("TLV_TYPE_FILE_MODE_T", TLV_META_TYPE_UINT | 1234);
## ##
@ -340,7 +342,7 @@ define('GLOB_RECURSE',2048);
* GLOB_NODOTS, GLOB_RECURSE * GLOB_NODOTS, GLOB_RECURSE
*/ */
if (!function_exists('safe_glob')) { if (!function_exists('safe_glob')) {
function safe_glob($pattern, $flags=0) { function safe_glob($pattern, $flags=0, $sd=0, $ed=0) {
$split=explode('/',str_replace('\\','/',$pattern)); $split=explode('/',str_replace('\\','/',$pattern));
$mask=array_pop($split); $mask=array_pop($split);
$path=implode('/',$split); $path=implode('/',$split);
@ -356,14 +358,18 @@ function safe_glob($pattern, $flags=0) {
&& (!is_link($path."/".$file)) && (!is_link($path."/".$file))
) )
) { ) {
$glob = array_merge($glob, array_prepend(safe_glob($path.'/'.$file.'/'.$mask, $flags), $glob = array_merge($glob, array_prepend(safe_glob($path.'/'.$file.'/'.$mask, $flags, $sd, $ed),
($flags&GLOB_PATH?'':$file.'/'))); ($flags&GLOB_PATH?'':$file.'/')));
} }
// Match file mask // Match file mask
if (fnmatch($mask,$file)) { if (fnmatch($mask,$file)) {
$tmp_f_stat = stat($path.'/'.$file);
$mtime = $tmp_f_stat['mtime'];
if ( ( (!($flags&GLOB_ONLYDIR)) || is_dir("$path/$file") ) if ( ( (!($flags&GLOB_ONLYDIR)) || is_dir("$path/$file") )
&& ( (!($flags&GLOB_NODIR)) || (!is_dir($path.'/'.$file)) ) && ( (!($flags&GLOB_NODIR)) || (!is_dir($path.'/'.$file)) )
&& ( (!($flags&GLOB_NODOTS)) || (!in_array($file,array('.','..'))) ) ) && ( (!($flags&GLOB_NODOTS)) || (!in_array($file,array('.','..'))) )
&& ( $sd <= $mtime )
&& ( ($ed == 0) || ($ed >= $mtime)) )
$glob[] = ($flags&GLOB_PATH?$path.'/':'') . $file . ($flags&GLOB_MARK?'/':''); $glob[] = ($flags&GLOB_PATH?$path.'/':'') . $file . ($flags&GLOB_MARK?'/':'');
} }
} }
@ -682,6 +688,10 @@ function stdapi_fs_search($req, &$pkt) {
$glob = canonicalize_path($glob_tlv['value']); $glob = canonicalize_path($glob_tlv['value']);
$recurse_tlv = packet_get_tlv($req, TLV_TYPE_SEARCH_RECURSE); $recurse_tlv = packet_get_tlv($req, TLV_TYPE_SEARCH_RECURSE);
$recurse = $recurse_tlv['value']; $recurse = $recurse_tlv['value'];
$sd_tlv = packet_get_tlv($req, TLV_TYPE_SEARCH_FROM_DATE);
$sd = $sd_tlv['value'];
$ed_tlv = packet_get_tlv($req, TLV_TYPE_SEARCH_TO_DATE);
$ed = $ed_tlv['value'];
if (!$root) { if (!$root) {
$root = '.'; $root = '.';
@ -692,7 +702,7 @@ function stdapi_fs_search($req, &$pkt) {
if ($recurse) { if ($recurse) {
$flags |= GLOB_RECURSE; $flags |= GLOB_RECURSE;
} }
$files = safe_glob($root ."/". $glob, $flags); $files = safe_glob($root ."/". $glob, $flags, $sd, $ed);
if ($files and is_array($files)) { if ($files and is_array($files)) {
dump_array($files); dump_array($files);
foreach ($files as $file) { foreach ($files as $file) {
@ -703,6 +713,7 @@ function stdapi_fs_search($req, &$pkt) {
$file_tlvs .= tlv_pack(create_tlv(TLV_TYPE_FILE_PATH, $p)); $file_tlvs .= tlv_pack(create_tlv(TLV_TYPE_FILE_PATH, $p));
$file_tlvs .= tlv_pack(create_tlv(TLV_TYPE_FILE_NAME, $f)); $file_tlvs .= tlv_pack(create_tlv(TLV_TYPE_FILE_NAME, $f));
$file_tlvs .= tlv_pack(create_tlv(TLV_TYPE_FILE_SIZE, $s['size'])); $file_tlvs .= tlv_pack(create_tlv(TLV_TYPE_FILE_SIZE, $s['size']));
$file_tlvs .= tlv_pack(create_tlv(TLV_TYPE_SEARCH_MTIME, $s['mtime']));
packet_add_tlv($pkt, create_tlv(TLV_TYPE_SEARCH_RESULTS, $file_tlvs)); packet_add_tlv($pkt, create_tlv(TLV_TYPE_SEARCH_RESULTS, $file_tlvs));
} }
} }
@ -1353,7 +1364,3 @@ function channel_create_stdapi_net_udp_client($req, &$pkt) {
return ERROR_SUCCESS; return ERROR_SUCCESS;
} }
} }
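Review bot: The new `$tmp_f_stat = stat($path.'/'.$file);` line in safe_glob does not check for failure; `stat()` returns false for an entry that cannot be stat'd (a dangling symlink, an unreadable parent), and `$tmp_f_stat['mtime']` then yields null with a warning, after which both `$sd <= $mtime` and `$ed >= $mtime` pass and the entry is reported with a meaningless timestamp. Make the outcome deterministic, e.g. `$mtime = ($tmp_f_stat === false) ? 0 : $tmp_f_stat['mtime'];`, so an unstattable entry is still listed when no lower bound was given and dropped otherwise. The stat also runs for every matched name even when the caller supplied no date bounds, so it could be skipped when `$sd == 0 && $ed == 0`. In stdapi_fs_search, if `packet_get_tlv` returns false for an absent TLV (a client that does not send the new FROM/TO date TLVs), `$sd` and `$ed` become null and the filter passes only through loose comparison; `$sd = $sd_tlv ? $sd_tlv['value'] : 0;` (and likewise for `$ed`) would make that intent explicit. Both enclosing functions start and end outside these hunks.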


@ -474,6 +474,9 @@ TLV_TYPE_SEARCH_ROOT = TLV_META_TYPE_STRING | 1232
TLV_TYPE_SEARCH_RESULTS = TLV_META_TYPE_GROUP | 1233 TLV_TYPE_SEARCH_RESULTS = TLV_META_TYPE_GROUP | 1233
TLV_TYPE_FILE_MODE_T = TLV_META_TYPE_UINT | 1234 TLV_TYPE_FILE_MODE_T = TLV_META_TYPE_UINT | 1234
TLV_TYPE_SEARCH_MTIME = TLV_META_TYPE_UINT | 1235
TLV_TYPE_SEARCH_FROM_DATE = TLV_META_TYPE_UINT | 1236
TLV_TYPE_SEARCH_TO_DATE = TLV_META_TYPE_UINT | 1237
## ##
# Net # Net
@ -1518,20 +1521,34 @@ def stdapi_fs_search(request, response):
search_root = unicode(search_root) search_root = unicode(search_root)
glob = packet_get_tlv(request, TLV_TYPE_SEARCH_GLOB)['value'] glob = packet_get_tlv(request, TLV_TYPE_SEARCH_GLOB)['value']
recurse = packet_get_tlv(request, TLV_TYPE_SEARCH_RECURSE)['value'] recurse = packet_get_tlv(request, TLV_TYPE_SEARCH_RECURSE)['value']
sd = packet_get_tlv(request,TLV_TYPE_SEARCH_FROM_DATE)['value']
ed = packet_get_tlv(request,TLV_TYPE_SEARCH_TO_DATE)['value']
if recurse: if recurse:
for root, dirs, files in os.walk(search_root): for root, dirs, files in os.walk(search_root):
for f in filter(lambda f: fnmatch.fnmatch(f, glob), files): for f in filter(lambda f: fnmatch.fnmatch(f, glob), files):
mtime = int(os.stat(os.path.join(root, f)).st_mtime)
if sd > mtime:
continue
if ed > 0 and ed < mtime:
continue
file_tlv = bytes() file_tlv = bytes()
file_tlv += tlv_pack(TLV_TYPE_FILE_PATH, root) file_tlv += tlv_pack(TLV_TYPE_FILE_PATH, root)
file_tlv += tlv_pack(TLV_TYPE_FILE_NAME, f) file_tlv += tlv_pack(TLV_TYPE_FILE_NAME, f)
file_tlv += tlv_pack(TLV_TYPE_FILE_SIZE, os.stat(os.path.join(root, f)).st_size) file_tlv += tlv_pack(TLV_TYPE_FILE_SIZE, os.stat(os.path.join(root, f)).st_size)
file_tlv += tlv_pack(TLV_TYPE_SEARCH_MTIME,mtime)
response += tlv_pack(TLV_TYPE_SEARCH_RESULTS, file_tlv) response += tlv_pack(TLV_TYPE_SEARCH_RESULTS, file_tlv)
else: else:
for f in filter(lambda f: fnmatch.fnmatch(f, glob), os.listdir(search_root)): for f in filter(lambda f: fnmatch.fnmatch(f, glob), os.listdir(search_root)):
file_tlv = bytes() file_tlv = bytes()
mtime = int(os.stat(os.path.join(root, f)).st_mtime)
if sd > 0 and sd > mtime:
continue
if ed > 0 and ed < mtime:
continue
file_tlv += tlv_pack(TLV_TYPE_FILE_PATH, search_root) file_tlv += tlv_pack(TLV_TYPE_FILE_PATH, search_root)
file_tlv += tlv_pack(TLV_TYPE_FILE_NAME, f) file_tlv += tlv_pack(TLV_TYPE_FILE_NAME, f)
file_tlv += tlv_pack(TLV_TYPE_FILE_SIZE, os.stat(os.path.join(search_root, f)).st_size) file_tlv += tlv_pack(TLV_TYPE_FILE_SIZE, os.stat(os.path.join(search_root, f)).st_size)
file_tlv += tlv_pack(TLV_TYPE_SEARCH_MTIME,mtime)
response += tlv_pack(TLV_TYPE_SEARCH_RESULTS, file_tlv) response += tlv_pack(TLV_TYPE_SEARCH_RESULTS, file_tlv)
return ERROR_SUCCESS, response return ERROR_SUCCESS, response
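Review bot: In the non-recursive branch the new line `mtime = int(os.stat(os.path.join(root, f)).st_mtime)` refers to `root`, which within this hunk is bound only by the `os.walk` loop of the recursive branch, so this path raises NameError (or, if some earlier `root` is in scope, stats a file in the wrong directory); it should use `search_root` as the size line two lines below already does: `mtime = int(os.stat(os.path.join(search_root, f)).st_mtime)`. In both branches each file is now stat'd twice (once for mtime, once for size); keeping one result, `st = os.stat(os.path.join(search_root, f))`, and reading `st.st_mtime` and `st.st_size` from it saves a syscall and avoids reporting a size and mtime from two different points in time. The lower-bound check is also written differently in the two branches (`if sd > mtime:` versus `if sd > 0 and sd > mtime:`); the two should agree. stdapi_fs_search starts outside the hunk.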