
Commit dd86fbd

committed
feat: Add WinRT functionality for Windows.UI.Popups.MessageDialog, Windows.UI.Notifications.ToastNotification and Windows.Xbox.UI.Internal.ToastNotifications.ToastManager
1 parent 9ee486a commit dd86fbd


7 files changed

+5555
-2
lines changed


collat_payload/Windows.Xbox.UI.Internal.ToastNotifications.h

Lines changed: 4788 additions & 0 deletions
Large diffs are not rendered by default.

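--- a/collat_payload/collat_payload.c
+++ b/collat_payload/collat_payload.c
@@ -9,6 +9,7 @@
 
 #include "ioring.h"
 #include "nt_offsets.h"
+#include "winrt.h"
 
 // socket stuff
 WSADATA wsaData;
@@ -495,6 +496,16 @@ int main(int argc, char** argv)
 return 0;
 }
 
+/*
+* Critical part of the exploit has succeeded.
+* At this point we are still "Low IL" and can call the WinRT Notification / Toast API.
+* After ioring_lpe2 has executed, the PackageIdentitiy is lost and the WinRT API would fail.
+*/
+cur_msg = "Showing toast!\n";
+send(winSock, cur_msg, strlen(cur_msg), 0);
+//show_toast();
+show_toast_rare_achievement(L"Collateral Damage", L"achieved", L"Enjoy!", NULL);
+
 // Setup the IO ring
 ioring_addr = 0;
 int res = ioring_setup(&ioring_addr);
@@ -514,7 +525,6 @@ int main(int argc, char** argv)
 
 // Run our post-exploitation code
 post_exploit(winSock);
-
 
 return 0;
-}
+}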
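Review bot: The block added to main() at new lines 499-507 commits a commented-out call, `//show_toast();`, directly above the live `show_toast_rare_achievement(...)` call; dead code like this should be deleted rather than checked in. The comment above it misspells the term as "PackageIdentitiy"; writing `PackageIdentity` keeps it searchable. The results of `send` and `show_toast_rare_achievement` are both discarded, so a failed notification goes unnoticed; the helper is declared in winrt.h, which is not shown on this page, so whether it returns a status is unconfirmed. main's body begins outside these hunks.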

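--- a/collat_payload/collat_payload.vcxproj
+++ b/collat_payload/collat_payload.vcxproj
@@ -23,12 +23,15 @@
 <ClCompile Include="ioring_lpe.c" />
 <ClCompile Include="nt_offsets.c" />
 <ClCompile Include="post_exploit.c" />
+<ClCompile Include="winrt.c" />
 </ItemGroup>
 <ItemGroup>
 <ClInclude Include="ioring.h" />
 <ClInclude Include="nt_offsets.h" />
 <ClInclude Include="post_exploit.h" />
+<ClInclude Include="Windows.Xbox.UI.Internal.ToastNotifications.h" />
 <ClInclude Include="win_defs.h" />
+<ClInclude Include="winrt.h" />
 </ItemGroup>
 <ItemGroup>
 <MASM Include="prefetch_asm.asm" />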
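Review bot: The ClInclude group in this hunk gains `Windows.Xbox.UI.Internal.ToastNotifications.h` and `winrt.h` but not `impersonate.h`, which the same commit adds under collat_payload/; the second hunk of collat_payload.vcxproj.filters omits it as well. If the header is meant to be part of the project, add `<ClInclude Include="impersonate.h" />` to this group and a matching entry with `<Filter>Header Files</Filter>` in the filters file. Whether an implementation file for it is listed cannot be seen here, because the ClCompile group begins above the hunk and not all of the commit's seven files are shown on this page.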

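--- a/collat_payload/collat_payload.vcxproj.filters
+++ b/collat_payload/collat_payload.vcxproj.filters
@@ -27,6 +27,9 @@
 <ClCompile Include="nt_offsets.c">
 <Filter>Source Files</Filter>
 </ClCompile>
+<ClCompile Include="winrt.c">
+<Filter>Source Files</Filter>
+</ClCompile>
 </ItemGroup>
 <ItemGroup>
 <ClInclude Include="win_defs.h">
@@ -41,6 +44,12 @@
 <ClInclude Include="post_exploit.h">
 <Filter>Header Files</Filter>
 </ClInclude>
+<ClInclude Include="winrt.h">
+<Filter>Header Files</Filter>
+</ClInclude>
+<ClInclude Include="Windows.Xbox.UI.Internal.ToastNotifications.h">
+<Filter>Header Files</Filter>
+</ClInclude>
 </ItemGroup>
 <ItemGroup>
 <MASM Include="prefetch_asm.asm">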

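--- a/collat_payload/impersonate.h
+++ b/collat_payload/impersonate.h
@@ -0,0 +1,7 @@
+#pragma once
+
+#include <winsock2.h>
+#include "win_defs.h"
+
+BOOL ImpersonateProcess(LPWSTR processName);
+BOOL RevertImpersonation();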
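Review bot: `BOOL RevertImpersonation();` on new line 7 is not a prototype in C: empty parentheses leave the parameters unspecified, so a call with stray arguments compiles without a diagnostic; declare it as `BOOL RevertImpersonation(void);`. Neither declaration carries a comment, so a reader cannot tell what a FALSE return means or whether a successful `ImpersonateProcess` is expected to be paired with `RevertImpersonation` on every exit path; a one-line contract comment above each would settle that. If the implementation does not write through `processName`, `LPCWSTR` would state so in the signature; the definitions are not shown on this page, so this is to be confirmed.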
