Exploit for Untrusted Pointer Dereference in Microsoft
ntoskrnl-metadata An IDA Python script for extracting critica...
BugChecker - SoftICE-like Kernel Debugger For Windows 11
Introduction BugChecker is a SoftICE-like kernel and user debugger for Windows 11 and Windows XP as well: it supports Windows versions from XP to 11, both x86 and x64. BugChecker doesn't require a second machine to be connected to the system being debugged, like in the case of WinDbg and KD. This...
Microsoft Windows - (SMBGhost) Remote Code Execution Exploit
#!/usr/bin/env python ''' EDB Note Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48537.zip SMBGhostRCEPoC RCE PoC for CVE-2020-0796 "SMBGhost" For demonstration purposes only! Only use this a reference. Seriously. This has not been tested outside of m...
Microsoft Windows - 'SMBGhost' Remote Code Execution
#!/usr/bin/env python ''' EDB Note Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/48537.zip SMBGhostRCEPoC RCE PoC for CVE-2020-0796 "SMBGhost" For demonstration purposes only! Only use this a reference. Seriously. This has not been tested outside of my...
Microsoft Windows 10 (19H1 1901 x64) - ws2ifsl.sys Use After Free Local Privilege Escalation Exploit
/* The exploit works on 19H1. It was tested with ntoskrnl version 10.0.18362.295 EDB Note: Download https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47935.zip */ #include #include #include #include #include #include #include #pragma comment(lib, "ntdll.lib") // run cmd.exe...
Microsoft Windows 10 (19H1 1901 x64) - 'ws2ifsl.sys' Use After Free Local Privilege Escalation (kASLR kCFG SMEP)
/* The exploit works on 19H1. It was tested with ntoskrnl version 10.0.18362.295 EDB Note: Download https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47935.zip */ #include #include #include #include #include #include #include #pragma comment(lib, "ntdll.lib") // run cmd.exe...
Microsoft Windows 10 (19H1 1901 x64) - ws2ifsl.sys Use After Free Local Privilege Escalation (kASLR kCFG SMEP)
Microsoft Windows 10 19H1 1901 x64 - ws2ifsl.sys Use After Free Local Privilege Escalation kASLR kCFG SMEP /* The exploit works on 19H1. It was tested with ntoskrnl version 10.0.18362.295 EDB Note: Download https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47935.zi...
Windows WMI Receive Notification Exploit
This Metasploit module exploits an uninitialized stack variable in the WMI subsystem of ntoskrnl. This Metasploit module has been tested on vulnerable builds of Windows 7 SP0 x64 and Windows 7 SP1 x64. This module requires Metasploit: http://metasploit.com/download Current source:...
Windows WMI Receive Notification Exploit
This module exploits an uninitialized stack variable in the WMI subsystem of ntoskrnl. This module has been tested on vulnerable builds of Windows 7 SP0 x64 and Windows 7 SP1 x64. This module requires Metasploit: https://metasploit.com/download Current source:...
Microsoft Windows - 'IOCTL_MOUNTMGR_QUERY_POINTS' Kernel Mountmgr Pool Memory Disclosure
/* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1150&desc=2 We have discovered that the handler of the IOCTL_MOUNTMGR_QUERY_POINTS IOCTL in mountmgr.sys discloses portions of uninitialized pool memory to user-mode clients, due to output structure alignment holes. On our test...
Microsoft Windows - IOCTL 0x390400 operation code 0x00020000 Kernel KsecDD Pool Memory Disclosure
Microsoft Windows - IOCTL 0x390400 operation code 0x00020000 Kernel KsecDD Pool Memory Disclosure /* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1147 We have discovered that the IOCTL sent to the \Device\KsecDD device by the BCryptOpenAlgorithmProvider documented API returns...