Weaponizing for privileged file writes bugs with PrintNotify
Service
Imre Rad found this technique in the winspool service which can be triggered via clsid854a20fb-2d44-457d-992f-ef13785d2b51
by any user using OLEView.NET. That service is not running by default and it's running as NT_AUTHORITY\SYSTEM
. When the service is start, it loads a dll denepdency called winspool.drv
which dosen't actually exist in the directory C:\Windows\System32\spool\drivers\x64\3\
. Then, Imre Rad modified the original one winspool.drv
to reference to mod-ms-win-core-apiquery-l1-1-0.dll
.Then, mod-ms-win-core-apiquery-l1-1-0.dll which normally doesn't exist has been loaded by winspool.drv
. After all of this, I just created this poc to get the NT_AUTHORITY\SYSTEM
shell.
This is not local privilege escalation bug. Just a technique which will help to get nt authority system shell via arb file write bugs such as CVE-2019-1315,CVE-2020-0787 and so on.
- As an administrator, copy
winspool.drv
andmod-ms-win-core-apiquery-l1-1-0.dll
toC:\Windows\System32\spool\drivers\x64\3\
- Place all files which included in /bin/ into a same directory.
- Then, run powershell
. .\spooltrigger.ps1
. - Enjoy a shell as
NT AUTHORITY\SYSTEM
.
by @404death
Thanks to: Imre Rad for his finding.
Ref:
https://www.tiraniddo.dev/2018/09/finding-interactive-user-com-objects_9.html
https://github.com/irsl/microsoft-diaghub-case-sensitivity-eop-cve