exploits-forsale
diff --git a/‎collat_payload/Windows.Xbox.UI.Internal.ToastNotifications.h‎
Lines changed: 4788 additions & 0 deletions b/‎collat_payload/Windows.Xbox.UI.Internal.ToastNotifications.h‎
Lines changed: 4788 additions & 0 deletions
diff --git a/‎collat_payload/collat_payload.c‎
Lines changed: 12 additions & 2 deletions b/‎collat_payload/collat_payload.c‎
Lines changed: 12 additions & 2 deletions
diff --git a/‎collat_payload/collat_payload.vcxproj‎
Lines changed: 3 additions & 0 deletions b/‎collat_payload/collat_payload.vcxproj‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎collat_payload/collat_payload.vcxproj.filters‎
Lines changed: 9 additions & 0 deletions b/‎collat_payload/collat_payload.vcxproj.filters‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎collat_payload/impersonate.h‎
Lines changed: 7 additions & 0 deletions b/‎collat_payload/impersonate.h‎
Lines changed: 7 additions & 0 deletions
@@ -9,6 +9,7 @@
 
 #include "ioring.h"
 #include "nt_offsets.h"
+#include "winrt.h"
 
 // socket stuff
 WSADATA wsaData;
@@ -495,6 +496,16 @@ int main(int argc, char** argv)
         return 0;
     }
 
+    /*
+     * Critical part of the exploit has succeeded.
+     * At this point we are still "Low IL" and can call the WinRT Notification / Toast API.
+     * After ioring_lpe2 has executed, the PackageIdentitiy is lost and the WinRT API would fail.
+     */
+    cur_msg = "Showing toast!\n";
+    send(winSock, cur_msg, strlen(cur_msg), 0);
+    //show_toast();
+    show_toast_rare_achievement(L"Collateral Damage", L"achieved", L"Enjoy!", NULL);
+
     // Setup the IO ring
     ioring_addr = 0;
     int res = ioring_setup(&ioring_addr);
@@ -514,7 +525,6 @@ int main(int argc, char** argv)
 
     // Run our post-exploitation code
     post_exploit(winSock);
-    
 
 	return 0;
-}
+}
@@ -23,12 +23,15 @@
     <ClCompile Include="ioring_lpe.c" />
     <ClCompile Include="nt_offsets.c" />
     <ClCompile Include="post_exploit.c" />
+    <ClCompile Include="winrt.c" />
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="ioring.h" />
     <ClInclude Include="nt_offsets.h" />
     <ClInclude Include="post_exploit.h" />
+    <ClInclude Include="Windows.Xbox.UI.Internal.ToastNotifications.h" />
     <ClInclude Include="win_defs.h" />
+    <ClInclude Include="winrt.h" />
   </ItemGroup>
   <ItemGroup>
     <MASM Include="prefetch_asm.asm" />
 
@@ -27,6 +27,9 @@
     <ClCompile Include="nt_offsets.c">
       <Filter>Source Files</Filter>
     </ClCompile>
+    <ClCompile Include="winrt.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="win_defs.h">
@@ -41,6 +44,12 @@
     <ClInclude Include="post_exploit.h">
       <Filter>Header Files</Filter>
     </ClInclude>
+    <ClInclude Include="winrt.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="Windows.Xbox.UI.Internal.ToastNotifications.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <MASM Include="prefetch_asm.asm">
 
@@ -0,0 +1,7 @@
+#pragma once
+
+#include <winsock2.h>
+#include "win_defs.h"
+
+BOOL ImpersonateProcess(LPWSTR processName);
+BOOL RevertImpersonation();