
CVE-2019-0808 PoC — Microsoft Windows Permissions and Access Control Vulnerability

Source
Associated Vulnerability
Title: Microsoft Windows Permissions and Access Control Vulnerability (CVE-2019-0808)
Description: Microsoft Windows and Microsoft Windows Server are both products of the US company Microsoft. Microsoft Windows is an operating system for personal devices. Microsoft Windows Server is a server operating system. win32k is the kernel-mode part of the Windows subsystem: a kernel-mode device driver that contains the window manager, background window control and screen output management, among other components. A privilege escalation vulnerability exists in Microsoft Windows; the vulnerability stems from the Win32k component failing to correctly handle, in memory,
Description
Win32k Exploit by Grant Willcox
Readme
CVE-2019-5786 and CVE-2019-0808 Chrome 72.0.3626.119 stable Windows 7 x86 exploit chain. 

This exploit uses site-isolation to brute-force CVE-2019-5786. `host1_wrapper/iframe.html` is the wrapper script that loads the exploit repeatedly into an iframe. The actual chain resides in the `host2_single_run` directory. The sandbox escape exploit for CVE-2019-0808 is in the file `host2_single_run/shellcode.js`, converted from its .dll form via [sRDI](https://github.com/monoxgas/sRDI) and msfvenom.

* serve the contents of the `host1_wrapper` directory on one site and the contents of `host2_single_run` on another
* change line 14 in `host1_wrapper/iframe.html` to the URL of `host2_single_run/exploit.html`
* navigate to iframe.html
File Snapshot

[4.0K] /data/pocs/9e22460f2ea051d683ba286dfb53a02974e66add
├── [4.0K] FullChainChromeExploit
│   ├── [4.0K] FullChainChromeExploit
│   │   ├── [4.0K] Debug
│   │   │   ├── [ 44K] dllmain.obj
│   │   │   ├── [4.0K] FullChai.0ED4478A.tlog
│   │   │   │   ├── [3.3K] CL.command.1.tlog
│   │   │   │   ├── [ 16K] CL.read.1.tlog
│   │   │   │   ├── [3.0K] CL.write.1.tlog
│   │   │   │   ├── [ 233] FullChainChromeExploit.lastbuildstate
│   │   │   │   ├── [1.8K] link.command.1.tlog
│   │   │   │   ├── [3.8K] link.read.1.tlog
│   │   │   │   └── [1.2K] link.write.1.tlog
│   │   │   ├── [1.6K] FullChainChromeExploit.Build.CppClean.log
│   │   │   ├── [1.1K] FullChainChromeExploit.log
│   │   │   ├── [3.2K] FullChainChromeExploit.obj
│   │   │   ├── [7.2M] FullChainChromeExploit.pch
│   │   │   ├── [153K] stdafx.obj
│   │   │   ├── [251K] vc141.idb
│   │   │   └── [500K] vc141.pdb
│   │   ├── [ 26K] dllmain.cpp
│   │   ├── [ 120] FullChainChromeExploit.cpp
│   │   ├── [8.5K] FullChainChromeExploit.vcxproj
│   │   ├── [1.3K] FullChainChromeExploit.vcxproj.filters
│   │   ├── [ 165] FullChainChromeExploit.vcxproj.user
│   │   ├── [4.0K] Release
│   │   │   ├── [1.8K] FullChainChromeExploit.Build.CppClean.log
│   │   │   └── [   3] FullChainChromeExploit.log
│   │   ├── [  21] stdafx.cpp
│   │   ├── [ 412] stdafx.h
│   │   └── [ 314] targetver.h
│   └── [1.4K] FullChainChromeExploit.sln
├── [100K] FullChainChromeExploit.dll
├── [4.0K] host1_wrapper
│   └── [1.1K] iframe.html
├── [4.0K] host2_single_run
│   ├── [ 371] exploit.html
│   ├── [ 11K] exploit.js
│   ├── [304K] shellcode.js
│   ├── [4.0K] wasm
│   │   ├── [100K] helloo.html
│   │   ├── [ 95K] helloo.js
│   │   └── [ 41K] helloo.wasm
│   └── [  30] worker.js
└── [ 734] README.md

8 directories, 36 files