├── .gitattributes
├── .gitignore
├── Chains
│   ├── DoubleStar
│   │   └── README.md
│   └── Hydseven
│       ├── Forrest_Orr_Hydseven_Stage1_64-bit.html
│       ├── Forrest_Orr_Hydseven_Stage2_64-bit.html
│       └── README.MD
├── LICENSE
├── Payloads
│   ├── Compiled
│   │   └── JS
│   │       ├── MessageBox_DWORD_Array_64-bit.js
│   │       ├── MessageBox_Uint8Array_64-bit.js
│   │       ├── MessageBox_Unescape_32-bit.js
│   │       ├── MessageBox_Unescape_BufferOffset4_32-bit.js
│   │       ├── README.md
│   │       ├── SpoolPotato64_DWORD_Array_64-bit.js
│   │       ├── Test_MessageBox_DWORD_Array.js
│   │       ├── Test_WinExec_DWORD_Array.js
│   │       ├── WPAD_Escape_DWORD_Array_64-bit.js
│   │       ├── WPAD_Escape_Uint8Array_64-bit.js
│   │       ├── WinExecSleep_Uint8Array_64-bit.js
│   │       ├── WinExec_DWORD_Array_64-bit.js
│   │       └── WinExec_Uint8Array_64-bit.js
│   └── Source
│       ├── DoubleStar
│       │   ├── Stage1_EggHunter
│       │   │   └── Egghunter64.asm
│       │   ├── Stage2_WpadSandboxEscape
│       │   │   ├── IWinHttpAutoProxySvc.acf
│       │   │   ├── IWinHttpAutoProxySvc.idl
│       │   │   ├── IWinHttpAutoProxySvc_c.c
│       │   │   ├── IWinHttpAutoProxySvc_s.c
│       │   │   ├── README.md
│       │   │   ├── RpcHelpers.c
│       │   │   ├── WpadSandboxEscape.c
│       │   │   ├── WpadSandboxEscape.sln
│       │   │   ├── WpadSandboxEscape.vcxproj
│       │   │   └── WpadSandboxEscape.vcxproj.filters
│       │   └── Stage3_SpoolPotato
│       │       ├── IWinSpool.idl
│       │       ├── IWinSpool_c.c
│       │       ├── IWinSpool_s.c
│       │       ├── README.md
│       │       ├── RpcHelpers.c
│       │       ├── SpoolPotato.c
│       │       ├── SpoolPotato.sln
│       │       ├── SpoolPotato.vcxproj
│       │       └── SpoolPotato.vcxproj.filters
│       └── Generic
│           ├── EAF
│           │   └── MessageBox32.asm
│           ├── Egghunter64
│           ├── Egghunter64.asm
│           ├── MessageBox32.asm
│           ├── MessageBox64.asm
│           ├── WinExec32.asm
│           ├── WinExec64
│           ├── WinExec64.asm
│           ├── WinExec64.exe
│           ├── WinExecSleep64
│           ├── WinExecSleep64.asm
│           ├── WinExecSleep64.exe
│           └── Windows.inc
├── README.md
└── Standalone
    ├── CVE-2019-11707
    │   ├── Forrest_Orr_CVE-2019-11707_64-bit.html
    │   └── Forrest_Orr_CVE-2019-11707_64-bit.js
    ├── CVE-2019-17026
    │   ├── Forrest_Orr_CVE-2019-17026_64-bit.html
    │   └── Forrest_Orr_CVE-2019-17026_64-bit.js
    ├── CVE-2020-0674
    │   ├── Forrest_Orr_CVE-2020-0674_32-bit.html
    │   ├── Forrest_Orr_CVE-2020-0674_32-bit.js
    │   ├── Forrest_Orr_CVE-2020-0674_64-bit.html
    │   └── Forrest_Orr_CVE-2020-0674_64-bit.js
    ├── MS12-037
    │   ├── Forrest_Orr_MS12-037_32-bit.js
    │   └── Forrest_Orr_MS12_037_32-bit.html
    ├── MS13-008
    │   └── Forrest_Orr_MS13-008_32-bit.html
    └── MS14-051
        └── Forrest_Orr_MS14-051_32-bit.html

/.gitattributes:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/.gitattributes
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/.gitignore
--------------------------------------------------------------------------------
/Chains/DoubleStar/README.md:
--------------------------------------------------------------------------------
1 | ```
2 | See https://github.com/forrest-orr/DoubleStar
3 | 
4 | ```
--------------------------------------------------------------------------------
/Chains/Hydseven/Forrest_Orr_Hydseven_Stage1_64-bit.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Chains/Hydseven/Forrest_Orr_Hydseven_Stage1_64-bit.html
--------------------------------------------------------------------------------
/Chains/Hydseven/Forrest_Orr_Hydseven_Stage2_64-bit.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Chains/Hydseven/Forrest_Orr_Hydseven_Stage2_64-bit.html
--------------------------------------------------------------------------------
/Chains/Hydseven/README.MD:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Chains/Hydseven/README.MD
-------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/LICENSE -------------------------------------------------------------------------------- /Payloads/Compiled/JS/MessageBox_DWORD_Array_64-bit.js: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Compiled/JS/MessageBox_DWORD_Array_64-bit.js -------------------------------------------------------------------------------- /Payloads/Compiled/JS/MessageBox_Uint8Array_64-bit.js: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Compiled/JS/MessageBox_Uint8Array_64-bit.js -------------------------------------------------------------------------------- /Payloads/Compiled/JS/MessageBox_Unescape_32-bit.js: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Compiled/JS/MessageBox_Unescape_32-bit.js -------------------------------------------------------------------------------- /Payloads/Compiled/JS/MessageBox_Unescape_BufferOffset4_32-bit.js: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Compiled/JS/MessageBox_Unescape_BufferOffset4_32-bit.js -------------------------------------------------------------------------------- /Payloads/Compiled/JS/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Compiled/JS/README.md -------------------------------------------------------------------------------- 
/Payloads/Compiled/JS/SpoolPotato64_DWORD_Array_64-bit.js: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Compiled/JS/SpoolPotato64_DWORD_Array_64-bit.js -------------------------------------------------------------------------------- /Payloads/Compiled/JS/Test_MessageBox_DWORD_Array.js: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Compiled/JS/Test_MessageBox_DWORD_Array.js -------------------------------------------------------------------------------- /Payloads/Compiled/JS/Test_WinExec_DWORD_Array.js: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Compiled/JS/Test_WinExec_DWORD_Array.js -------------------------------------------------------------------------------- /Payloads/Compiled/JS/WPAD_Escape_DWORD_Array_64-bit.js: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Compiled/JS/WPAD_Escape_DWORD_Array_64-bit.js -------------------------------------------------------------------------------- /Payloads/Compiled/JS/WPAD_Escape_Uint8Array_64-bit.js: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Compiled/JS/WPAD_Escape_Uint8Array_64-bit.js -------------------------------------------------------------------------------- /Payloads/Compiled/JS/WinExecSleep_Uint8Array_64-bit.js: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Compiled/JS/WinExecSleep_Uint8Array_64-bit.js -------------------------------------------------------------------------------- 
/Payloads/Compiled/JS/WinExec_DWORD_Array_64-bit.js: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Compiled/JS/WinExec_DWORD_Array_64-bit.js -------------------------------------------------------------------------------- /Payloads/Compiled/JS/WinExec_Uint8Array_64-bit.js: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Compiled/JS/WinExec_Uint8Array_64-bit.js -------------------------------------------------------------------------------- /Payloads/Source/DoubleStar/Stage1_EggHunter/Egghunter64.asm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Source/DoubleStar/Stage1_EggHunter/Egghunter64.asm -------------------------------------------------------------------------------- /Payloads/Source/DoubleStar/Stage2_WpadSandboxEscape/IWinHttpAutoProxySvc.acf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Source/DoubleStar/Stage2_WpadSandboxEscape/IWinHttpAutoProxySvc.acf -------------------------------------------------------------------------------- /Payloads/Source/DoubleStar/Stage2_WpadSandboxEscape/IWinHttpAutoProxySvc.idl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Source/DoubleStar/Stage2_WpadSandboxEscape/IWinHttpAutoProxySvc.idl -------------------------------------------------------------------------------- /Payloads/Source/DoubleStar/Stage2_WpadSandboxEscape/IWinHttpAutoProxySvc_c.c: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Source/DoubleStar/Stage2_WpadSandboxEscape/IWinHttpAutoProxySvc_c.c -------------------------------------------------------------------------------- /Payloads/Source/DoubleStar/Stage2_WpadSandboxEscape/IWinHttpAutoProxySvc_s.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Source/DoubleStar/Stage2_WpadSandboxEscape/IWinHttpAutoProxySvc_s.c -------------------------------------------------------------------------------- /Payloads/Source/DoubleStar/Stage2_WpadSandboxEscape/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Source/DoubleStar/Stage2_WpadSandboxEscape/README.md -------------------------------------------------------------------------------- /Payloads/Source/DoubleStar/Stage2_WpadSandboxEscape/RpcHelpers.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Source/DoubleStar/Stage2_WpadSandboxEscape/RpcHelpers.c -------------------------------------------------------------------------------- /Payloads/Source/DoubleStar/Stage2_WpadSandboxEscape/WpadSandboxEscape.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Source/DoubleStar/Stage2_WpadSandboxEscape/WpadSandboxEscape.c -------------------------------------------------------------------------------- /Payloads/Source/DoubleStar/Stage2_WpadSandboxEscape/WpadSandboxEscape.sln: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Source/DoubleStar/Stage2_WpadSandboxEscape/WpadSandboxEscape.sln 
-------------------------------------------------------------------------------- /Payloads/Source/DoubleStar/Stage2_WpadSandboxEscape/WpadSandboxEscape.vcxproj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Source/DoubleStar/Stage2_WpadSandboxEscape/WpadSandboxEscape.vcxproj -------------------------------------------------------------------------------- /Payloads/Source/DoubleStar/Stage2_WpadSandboxEscape/WpadSandboxEscape.vcxproj.filters: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Source/DoubleStar/Stage2_WpadSandboxEscape/WpadSandboxEscape.vcxproj.filters -------------------------------------------------------------------------------- /Payloads/Source/DoubleStar/Stage3_SpoolPotato/IWinSpool.idl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Source/DoubleStar/Stage3_SpoolPotato/IWinSpool.idl -------------------------------------------------------------------------------- /Payloads/Source/DoubleStar/Stage3_SpoolPotato/IWinSpool_c.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Source/DoubleStar/Stage3_SpoolPotato/IWinSpool_c.c -------------------------------------------------------------------------------- /Payloads/Source/DoubleStar/Stage3_SpoolPotato/IWinSpool_s.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Source/DoubleStar/Stage3_SpoolPotato/IWinSpool_s.c -------------------------------------------------------------------------------- /Payloads/Source/DoubleStar/Stage3_SpoolPotato/README.md: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Source/DoubleStar/Stage3_SpoolPotato/README.md -------------------------------------------------------------------------------- /Payloads/Source/DoubleStar/Stage3_SpoolPotato/RpcHelpers.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Source/DoubleStar/Stage3_SpoolPotato/RpcHelpers.c -------------------------------------------------------------------------------- /Payloads/Source/DoubleStar/Stage3_SpoolPotato/SpoolPotato.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Source/DoubleStar/Stage3_SpoolPotato/SpoolPotato.c -------------------------------------------------------------------------------- /Payloads/Source/DoubleStar/Stage3_SpoolPotato/SpoolPotato.sln: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Source/DoubleStar/Stage3_SpoolPotato/SpoolPotato.sln -------------------------------------------------------------------------------- /Payloads/Source/DoubleStar/Stage3_SpoolPotato/SpoolPotato.vcxproj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Source/DoubleStar/Stage3_SpoolPotato/SpoolPotato.vcxproj -------------------------------------------------------------------------------- /Payloads/Source/DoubleStar/Stage3_SpoolPotato/SpoolPotato.vcxproj.filters: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Source/DoubleStar/Stage3_SpoolPotato/SpoolPotato.vcxproj.filters 
-------------------------------------------------------------------------------- /Payloads/Source/Generic/EAF/MessageBox32.asm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Source/Generic/EAF/MessageBox32.asm -------------------------------------------------------------------------------- /Payloads/Source/Generic/Egghunter64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Source/Generic/Egghunter64 -------------------------------------------------------------------------------- /Payloads/Source/Generic/Egghunter64.asm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Source/Generic/Egghunter64.asm -------------------------------------------------------------------------------- /Payloads/Source/Generic/MessageBox32.asm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Source/Generic/MessageBox32.asm -------------------------------------------------------------------------------- /Payloads/Source/Generic/MessageBox64.asm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Source/Generic/MessageBox64.asm -------------------------------------------------------------------------------- /Payloads/Source/Generic/WinExec32.asm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Source/Generic/WinExec32.asm -------------------------------------------------------------------------------- /Payloads/Source/Generic/WinExec64: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Source/Generic/WinExec64 -------------------------------------------------------------------------------- /Payloads/Source/Generic/WinExec64.asm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Source/Generic/WinExec64.asm -------------------------------------------------------------------------------- /Payloads/Source/Generic/WinExec64.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Source/Generic/WinExec64.exe -------------------------------------------------------------------------------- /Payloads/Source/Generic/WinExecSleep64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Source/Generic/WinExecSleep64 -------------------------------------------------------------------------------- /Payloads/Source/Generic/WinExecSleep64.asm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Source/Generic/WinExecSleep64.asm -------------------------------------------------------------------------------- /Payloads/Source/Generic/WinExecSleep64.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Source/Generic/WinExecSleep64.exe -------------------------------------------------------------------------------- /Payloads/Source/Generic/Windows.inc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Payloads/Source/Generic/Windows.inc 
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/README.md -------------------------------------------------------------------------------- /Standalone/CVE-2019-11707/Forrest_Orr_CVE-2019-11707_64-bit.html: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Standalone/CVE-2019-11707/Forrest_Orr_CVE-2019-11707_64-bit.html -------------------------------------------------------------------------------- /Standalone/CVE-2019-11707/Forrest_Orr_CVE-2019-11707_64-bit.js: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Standalone/CVE-2019-11707/Forrest_Orr_CVE-2019-11707_64-bit.js -------------------------------------------------------------------------------- /Standalone/CVE-2019-17026/Forrest_Orr_CVE-2019-17026_64-bit.html: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Standalone/CVE-2019-17026/Forrest_Orr_CVE-2019-17026_64-bit.html -------------------------------------------------------------------------------- /Standalone/CVE-2019-17026/Forrest_Orr_CVE-2019-17026_64-bit.js: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Standalone/CVE-2019-17026/Forrest_Orr_CVE-2019-17026_64-bit.js -------------------------------------------------------------------------------- /Standalone/CVE-2020-0674/Forrest_Orr_CVE-2020-0674_32-bit.html: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Standalone/CVE-2020-0674/Forrest_Orr_CVE-2020-0674_32-bit.html -------------------------------------------------------------------------------- /Standalone/CVE-2020-0674/Forrest_Orr_CVE-2020-0674_32-bit.js: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Standalone/CVE-2020-0674/Forrest_Orr_CVE-2020-0674_32-bit.js -------------------------------------------------------------------------------- /Standalone/CVE-2020-0674/Forrest_Orr_CVE-2020-0674_64-bit.html: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Standalone/CVE-2020-0674/Forrest_Orr_CVE-2020-0674_64-bit.html -------------------------------------------------------------------------------- /Standalone/CVE-2020-0674/Forrest_Orr_CVE-2020-0674_64-bit.js: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Standalone/CVE-2020-0674/Forrest_Orr_CVE-2020-0674_64-bit.js -------------------------------------------------------------------------------- /Standalone/MS12-037/Forrest_Orr_MS12-037_32-bit.js: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Standalone/MS12-037/Forrest_Orr_MS12-037_32-bit.js -------------------------------------------------------------------------------- /Standalone/MS12-037/Forrest_Orr_MS12_037_32-bit.html: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Standalone/MS12-037/Forrest_Orr_MS12_037_32-bit.html -------------------------------------------------------------------------------- /Standalone/MS13-008/Forrest_Orr_MS13-008_32-bit.html: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Standalone/MS13-008/Forrest_Orr_MS13-008_32-bit.html -------------------------------------------------------------------------------- /Standalone/MS14-051/Forrest_Orr_MS14-051_32-bit.html: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/forrest-orr/Exploits/HEAD/Standalone/MS14-051/Forrest_Orr_MS14-051_32-bit.html --------------------------------------------------------------------------------