A personalized/enhanced re-creation of the Darkhotel "Double Star" APT exploit chain, focused on Windows 8.1 and mixed with some of my own techniques. From an Internet Explorer or Firefox RCE it can escape the browser sandbox and escalate privileges to NT AUTHORITY\SYSTEM via a hybrid RPC Print Spooler bug and a Rotten Potato style impersonation attack.
The exploit chain contains a 64-bit Firefox IonMonkey type confusion RCE (CVE-2019-17026), as well as a 64-bit variation of the legacy jscript.dll UAF CVE-2020-0674, which serves a dual purpose: an IE8/11 64-bit RCE and a WPAD service attack vector for sandbox escape/EoP via a PAC file over RPC.
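The escalation half of the chain depends on two host-side conditions: the Print Spooler being reachable over RPC, and WPAD/PAC processing being active, plus SeImpersonatePrivilege in the token that the Rotten Potato style step abuses. The audit script below is an added example, not code from this project or from Darkhotel; it only reports those conditions so a defender can decide what to disable. The service names (Spooler, WinHttpAutoProxySvc), the hosts-file path and the privilege name are real Windows identifiers; the function names are my own.

```powershell
# Audit for the local preconditions of the spooler / WPAD / impersonation chain.
# Added example for defenders; uses only standard cmdlets so it runs on Windows 8.1.

function Get-SpoolerExposure {
    # Win32_Service works on PowerShell 4 (Get-Service.StartType needs PS 5+).
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='Spooler'"
    [pscustomobject]@{
        Check     = 'PrintSpooler'
        State     = if ($svc) { $svc.State } else { 'NotInstalled' }
        StartMode = if ($svc) { $svc.StartMode } else { $null }
        # A running spooler exposes the RPC print interface used by the chain.
        Exposed   = [bool]($svc -and $svc.State -eq 'Running')
    }
}

function Get-WpadExposure {
    $svc   = Get-WmiObject -Class Win32_Service -Filter "Name='WinHttpAutoProxySvc'"
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    # A hosts entry pinning "wpad" (e.g. to 255.255.255.255) is the classic
    # mitigation that stops auto-discovery from fetching a PAC file.
    $pinned = (Test-Path $hosts) -and
              (Select-String -Path $hosts -Pattern '^\s*\S+\s+wpad' -Quiet)
    [pscustomobject]@{
        Check       = 'WPAD'
        State       = if ($svc) { $svc.State } else { 'NotInstalled' }
        HostsPinned = [bool]$pinned
        Exposed     = [bool]($svc -and $svc.State -eq 'Running' -and -not $pinned)
    }
}

function Get-ImpersonatePrivilege {
    # Rotten Potato style escalation needs SeImpersonatePrivilege in the
    # compromised token; report whether the current token carries it.
    $line = whoami /priv | Select-String -Pattern 'SeImpersonatePrivilege'
    [pscustomobject]@{
        Check   = 'SeImpersonatePrivilege'
        Present = [bool]$line
        Enabled = [bool]($line -and $line.Line -match 'Enabled')
    }
}

@(Get-SpoolerExposure; Get-WpadExposure; Get-ImpersonatePrivilege) | Format-List

# Remediation where the features are not needed (run elevated; commented out on purpose):
#   Stop-Service Spooler; Set-Service Spooler -StartupType Disabled
#   Stop-Service WinHttpAutoProxySvc; Set-Service WinHttpAutoProxySvc -StartupType Disabled
#   Add-Content "$env:SystemRoot\System32\drivers\etc\hosts" "255.255.255.255 wpad."
```

Run it from an unprivileged shell to see what the browser sandbox would inherit; a host where all three checks report not exposed removes every local step this chain relies on after the initial RCE.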
This is a re-creation of a classic Internet Explorer heap overflow exploit from an older era, when exploitation techniques were far simpler and contained tricks like heap sprays and BSTR length overflows (often infeasible today).
While initially experimenting with this genre of old classics I studied quite a few of the Metasploit modules and found some of them very unsatisfactory. MS12-037 in particular, I felt, was lacking enough in its Metasploit rendition to merit a re-creation. My variation of the exploit contains bug fixes, as well as a memory leak for ASLR bypass and pseudo-dynamic ROP chain creation.