From 6c161f26b23dc6ffeb0a3e6ebfc8b70333b60ce3 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Thu, 22 Aug 2019 23:03:48 +0200 Subject: [PATCH] JWT None alternative + MS15-051 --- JSON Web Token/README.md | 6 ++++++ .../Windows - Privilege Escalation.md | 18 ++++++++++++++++++ 2 files changed, 24 insertions(+) diff --git a/JSON Web Token/README.md b/JSON Web Token/README.md index 7452986..9d83b6b 100644 --- a/JSON Web Token/README.md +++ b/JSON Web Token/README.md @@ -72,6 +72,12 @@ JWT Encoder – Decoder: `http://jsonwebtoken.io` JWT supports a None algorithm for signature. This was probably introduced to debug applications. However, this can have a severe impact on the security of the application. +None algorithm variants: +* none +* None +* NONE +* nOnE + To exploit this vulnerability, you just need to decode the JWT and change the algorithm used for the signature. Then you can submit your new JWT. However, this won't work unless you **remove** the signature diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index e093f98..9401316 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -25,6 +25,7 @@ * [MS08-067 (NetAPI)](#ms08-067-netapi) * [MS10-015 (KiTrap0D)](#ms10-015-kitrap0d---microsoft-windows-nt2000--2003--2008--xp--vista--7) * [MS11-080 (adf.sys)](#ms11-080-afd.sys---microsoft-windows-xp-2003) + * [MS15-051 (Client Copy Image)](#ms15-051---microsoft-windows-2003--2008--7--8--2012) * [MS16-032](#ms16-032---microsoft-windows-7--10--2008--2012-r2-x86x64) * [MS17-010 (Eternal Blue)](#ms17-010-eternal-blue) * [References](#references) 
@@ -775,6 +776,23 @@ Python: https://www.exploit-db.com/exploits/18176 Metasploit: exploit/windows/local/ms11_080_afdjoinleaf ``` +### MS15-051 (Client Copy Image) - Microsoft Windows 2003/2008/7/8/2012 + +```powershell +printf("[#] usage: ms15-051 command \n"); +printf("[#] eg: ms15-051 \"whoami /all\" \n"); + +# x32 +https://github.com/rootphantomer/exp/raw/master/ms15-051%EF%BC%88%E4%BF%AE%E6%94%B9%E7%89%88%EF%BC%89/ms15-051/ms15-051/Win32/ms15-051.exe + +# x64 +https://github.com/rootphantomer/exp/raw/master/ms15-051%EF%BC%88%E4%BF%AE%E6%94%B9%E7%89%88%EF%BC%89/ms15-051/ms15-051/x64/ms15-051.exe + +https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS15-051 +use exploit/windows/local/ms15_051_client_copy_image +``` + + ### MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64) Check if the patch is installed : `wmic qfe list | findstr "3139914"`
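Review bot: the new "None algorithm variants" list in the `JSON Web Token/README.md` hunk is dropped in without saying why four spellings of the same value are listed; a reader cannot tell whether these are separate bugs or one bug with a case-handling twist. Suggest one lead-in sentence before the list, e.g. "Some libraries compare the `alg` value case-insensitively, so try these spellings of `none` if the lowercase form is rejected:", and, since the surrounding paragraph already says this "can have a severe impact on the security of the application", a closing line stating the fix (reject `none` entirely and pin the expected algorithm server-side rather than trusting the `alg` header) so the section documents the mitigation as well as the test.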
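Review bot: the table-of-contents entry added in the first `Windows - Privilege Escalation.md` hunk links to `#ms15-051---microsoft-windows-2003--2008--7--8--2012`, but the heading added in the next hunk is `### MS15-051 (Client Copy Image) - Microsoft Windows 2003/2008/7/8/2012`, so the link will not resolve: the slug GitHub derives from that heading keeps `client-copy-image` and drops the slashes without inserting `--` between the version numbers. Either generate the anchor from the heading as written (`#ms15-051-client-copy-image---microsoft-windows-20032008782012`) or change the heading to match the style of the existing `MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64)` entry so the anchor pattern used in the TOC is correct; either way, check the link renders before merging.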
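Review bot: the fenced block in the MS15-051 hunk is tagged `powershell` but contains no PowerShell: the first two lines are C `printf(...)` calls copied from the exploit's source, the middle is bare download URLs, and the last is a Metasploit console command. Suggest replacing the `printf` lines with the usage as the reader would type it (`ms15-051 "whoami /all"`), moving the URLs out of the fence as plain links, and labelling the last line `Metasploit: exploit/windows/local/ms15_051_client_copy_image` to match the `Metasploit: exploit/windows/local/ms11_080_afdjoinleaf` line in the section just above. Two smaller points: `# x32` should read `# x86` for consistency with the `(x86/x64)` wording of the MS16-032 heading, and the new section lacks the "Check if the patch is installed" line (`wmic qfe list | findstr "<KB>"`) that MS16-032 has; the KB number for this bulletin is not in the diff, so it would need to be looked up and added rather than guessed. Since the section points readers at prebuilt `.exe` files in a third-party repository, a note to verify the binaries or rebuild them from the linked source would also be worth adding.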