Inject into IE11.
Will work on other sandboxes that allow the opening of Windows file pickers through a broker.
You will gain medium-IL JavaScript execution, at which point you simply retrigger your IE RCE bug.
EDB Note ~ Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46919.zip