Inject into IE11.

Will work on other sandboxes that allow the opening of windows filepickers through a broker.

You will gain medium IL javascript execution, at which point you simply retrigger your IE RCE bug.

EDB Note ~ Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46919.zip