CVE-2019-1253 PoC — Microsoft Windows and Microsoft Windows Server Link Following Vulnerability

Source
Associated Vulnerability
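Title: Microsoft Windows and Microsoft Windows Server Link Following Vulnerability (CVE-2019-1253)
Description: Microsoft Windows and Microsoft Windows Server are both products of Microsoft Corporation (USA). Microsoft Windows is an operating system for personal devices. Microsoft Windows Server is a server operating system. A security vulnerability exists in Microsoft Windows and Microsoft Windows Server. An attacker can exploit it to elevate privileges by gaining execution rights on the user's system and running a specially crafted application. The following products and versions are affected: Microsoft Windows 10 version 1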
Description
Poc for CVE-2019-1253
Readme
# CVE-2019-1253
Original PoC sent to MSRC.   
This issue was fixed in the September 2019 "Tuesday" regular update.   
Assigned to CVE-2019-1253 - Windows Elevation of Privilege Vulnerability.  

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1253  

There are two PoCs: the one that I originally sent to MSRC is under the "AppxExploit_Edge" directory.    
The AppxExploit_Edge PoC works very well, but only for Windows 10 (all versions) that are not patched with the September (2019) update.

The other PoC is based on Cortana, under the "AppxExploit_Cortana" directory; it was experimental and was never sent to MSRC.  
However, the interesting thing about this one is that it does work with Windows Server 2019 and gives USER FULL access. It is a little bit unstable due to a race condition, but it usually works the first time.    

Read the README inside the project directory; it should be self-explanatory.  
I suggest you use VS2017 (or whatever you like).  

There is also a DOS version of the Windows 10 exploit based on Edge, courtesy of [@decoder-it](https://github.com/decoder-it)

A couple of images are attached:

![Screenshot](eop_1.JPG?raw=true)

![Screenshot](eop_2.JPG?raw=true)

File Snapshot

```
[4.0K] /data/pocs/9380f57e75259ee923144e2d7b92647a6da9851d
├── [1.2K] appexploit.bat
├── [4.0K] AppxExploit_Cortana
│   ├── [ 184] App.config
│   ├── [4.6K] AppxExploit_Cortana.csproj
│   ├── [ 537] AppxExploit_Cortana.csproj.user
│   ├── [4.0K] bin
│   │   ├── [4.0K] Debug
│   │   │   ├── [ 22K] AppxExploit.exe
│   │   │   ├── [ 184] AppxExploit.exe.config
│   │   │   ├── [ 38K] AppxExploit.pdb
│   │   │   └── [841K] NtApiDotNet.dll
│   │   └── [4.0K] x64
│   │       └── [4.0K] Debug
│   │           ├── [ 42K] AppxExploit.exe
│   │           ├── [ 184] AppxExploit.exe.config
│   │           ├── [ 72K] AppxExploit.pdb
│   │           ├── [841K] NtApiDotNet.dll
│   │           ├── [1.3M] NtApiDotNet.pdb
│   │           └── [608K] NtApiDotNet.xml
│   ├── [ 18K] CortanaExploit.cs
│   ├── [5.4K] HardLink.cs
│   ├── [ 20K] JunctionPoint.cs
│   ├── [4.0K] lib
│   │   └── [841K] NtApiDotNet.dll
│   ├── [2.1K] NtHardLink.cs
│   ├── [4.0K] obj
│   │   ├── [4.0K] Debug
│   │   │   ├── [  42] AppxExploit_Cortana.csproj.CoreCompileInputs.cache
│   │   │   ├── [ 610] AppxExploit_Cortana.csproj.FileListAbsolute.txt
│   │   │   ├── [  42] AppxExploit.csproj.CoreCompileInputs.cache
│   │   │   ├── [1.0K] AppxExploit.csproj.FileListAbsolute.txt
│   │   │   ├── [ 22K] AppxExploit.exe
│   │   │   ├── [ 38K] AppxExploit.pdb
│   │   │   └── [6.6K] DesignTimeResolveAssemblyReferencesInput.cache
│   │   └── [4.0K] x64
│   │       └── [4.0K] Debug
│   │           ├── [7.8K] AppxExploit.csprojAssemblyReference.cache
│   │           ├── [  42] AppxExploit.csproj.CoreCompileInputs.cache
│   │           ├── [1.5K] AppxExploit.csproj.FileListAbsolute.txt
│   │           ├── [ 42K] AppxExploit.exe
│   │           ├── [ 72K] AppxExploit.pdb
│   │           └── [6.7K] DesignTimeResolveAssemblyReferencesInput.cache
│   └── [4.0K] Properties
│       └── [1.4K] AssemblyInfo.cs
├── [4.0K] AppxExploit_Edge
│   ├── [ 184] App.config
│   ├── [4.4K] AppxExploit.csproj
│   ├── [ 537] AppxExploit.csproj.user
│   ├── [4.0K] bin
│   │   └── [4.0K] x64
│   │       └── [4.0K] Debug
│   │           ├── [ 22K] AppxExploit.exe
│   │           ├── [ 184] AppxExploit.exe.config
│   │           └── [ 38K] AppxExploit.pdb
│   ├── [ 19K] EdgeExploit.cs
│   ├── [5.4K] HardLink.cs
│   ├── [ 20K] JunctionPoint.cs
│   ├── [2.1K] NtHardLink.cs
│   ├── [4.0K] obj
│   │   ├── [4.0K] Debug
│   │   │   ├── [5.7K] AppxExploit.csprojAssemblyReference.cache
│   │   │   ├── [  42] AppxExploit.csproj.CoreCompileInputs.cache
│   │   │   ├── [ 480] AppxExploit.csproj.FileListAbsolute.txt
│   │   │   ├── [ 15K] AppxExploit.exe
│   │   │   ├── [ 26K] AppxExploit.pdb
│   │   │   └── [6.4K] DesignTimeResolveAssemblyReferencesInput.cache
│   │   └── [4.0K] x64
│   │       └── [4.0K] Debug
│   │           ├── [  42] AppxExploit.csproj.CoreCompileInputs.cache
│   │           ├── [1.2K] AppxExploit.csproj.FileListAbsolute.txt
│   │           ├── [ 22K] AppxExploit.exe
│   │           ├── [ 38K] AppxExploit.pdb
│   │           └── [6.6K] DesignTimeResolveAssemblyReferencesInput.cache
│   ├── [4.0K] Properties
│   │   └── [1.4K] AssemblyInfo.cs
│   └── [5.7K] README.txt
├── [209K] eop_1.JPG
├── [256K] eop_2.JPG
└── [1.4K] README.md

20 directories, 59 files
```