来源

关联漏洞

描述

PrintDemon (CVE-2020-1048) Privilege Escalation

介绍

# printDemon2system (CVE-2020-1048)
### PrintDemon privilege escalation to SYSTEM
PrintDemon was a logic vulnerability in the Windows Print Spooler service (**spoolsv.exe**).
The vulnerability was in the way the spooler handled print jobs to files, and when exploited allowed arbitrary writing to the file system as the SYSTEM user.

An example exploit of this vulnerability includes overwriting the *PrintConfig.dll* in the DriverStore directory, which is then loaded by **spoolsv.exe** that is running under the SYSTEM user context, when an XPS Print Job is started (as shown in this repository).

<div align="center">
  <div style="border: 1.5px solid #ccc; display: inline-block; padding: 4px;">
    <img src="/assets/printDemon2system.gif" alt="printDemon2system Exploit" width = 95% style="display: block; border: none;">
  </div>
  <p style="margin-top: 5px;"><em>Exploiting PrintDemon for Privilege Escalation (CVE-2020-1048). Compiled with VS2022 and tested on Windows 10 x64 version 1909 (build 18363.418)</em></p>
</div>

### References
* https://decoder.cloud/2019/11/13/from-arbitrary-file-overwrite-to-system/

文件快照

 [4.0K]  /data/pocs/b18c3b77076548f9afea236a41f743b0a78346b1
├── [4.0K]  assets
│   └── [9.3M]  printDemon2system.gif
├── [4.0K]  printConfig
│   ├── [1.9K]  main.cpp
│   ├── [6.3K]  printConfig.vcxproj
│   └── [ 956]  printConfig.vcxproj.filters
├── [4.0K]  printDemon2system
│   ├── [4.2K]  exploit.cpp
│   ├── [ 68K]  printConfigResource.h
│   ├── [6.4K]  printDemon2system.vcxproj
│   └── [1.1K]  printDemon2system.vcxproj.filters
├── [2.9K]  printDemon2system.sln
├── [1.1K]  README.md
└── [4.0K]  startXpsJob
    ├── [ 914]  main.cpp
    ├── [6.3K]  startXpsJob.vcxproj
    └── [ 956]  startXpsJob.vcxproj.filters

4 directories, 13 files

备注