
POC details: d09f84bb7e8c8ce216bd7ffa8b5913b5b3a202a4

Source
Related vulnerability
Title: Microsoft Windows Print Spooler security vulnerability (CVE-2020-1337)
Description: Microsoft Windows and Microsoft Windows Server are both products of the US company Microsoft. Microsoft Windows is an operating system for personal devices. Microsoft Windows Server is a server operating system. Windows Print Spooler is the print spooler service included in them. Microsoft Windows Print Spooler contains a privilege escalation vulnerability. An attacker can exploit it via a specially crafted application to run arbitrary code with elevated privileges. The following products and versions are affected: Micro
Description
CVE-2020-1337 Windows Print Spooler Privilege Escalation
Introduction
# CVE-2020-1337 Windows Privilege Escalation
This is a WWW (write-what-where) exploit.

## credit

Junyu Zhou (@md5_salt), who told me there could be a new bug.

Wenxu Wu (@ma7h1as), I found the bug and wrote this exploit.

## how it works
In the patch for CVE-2020-1048, Microsoft added validation of the port name to the XcvData function.

XcvData can be triggered by calling Add-Printer in PowerShell.

Now both the AddPort and XcvData functions check whether the current user has access to the port name.

Even so, a junction gets around this check: once the check has passed, we reparse the path to a system folder, for example C:\windows\system32.

After a reboot or a restart of the spooler service, user-controlled data is written to the port name.

See exploit.ps1 for more details.
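A defender-side check for the condition described above, written here as an added example (not code from the original repository or its author): it lists the configured Local Port printer ports and flags any whose name is a file path that resolves into a sensitive Windows directory or traverses a junction/reparse point on the way there. It assumes the PrintManagement module (Get-PrinterPort) and the Local Port registry key are readable, and the list of sensitive roots is an assumption of this example.

```powershell
# Added example: audit Local Port printer ports for path-shaped names whose
# target could be redirected by a junction after the spooler's access check.
# Assumes: PrintManagement module available; sensitive roots are an assumption.
$portsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port\Ports'
$sensitiveRoots = @($env:windir, "$env:windir\System32", $env:ProgramFiles)

function Test-ReparseInPath {
    # Walk from the path up towards the drive root; report the first reparse point.
    param([string]$Path)
    $current = $Path
    while ($current -and (Split-Path $current -Parent)) {
        $item = Get-Item -LiteralPath $current -Force -ErrorAction SilentlyContinue
        if ($item -and ($item.Attributes -band [IO.FileAttributes]::ReparsePoint)) {
            return [pscustomobject]@{
                Path = $current; LinkType = $item.LinkType; Target = ($item.Target -join ';')
            }
        }
        $current = Split-Path $current -Parent
    }
    return $null
}

# Collect port names from the spooler (if the cmdlet exists) and from the registry key.
$portNames = @()
if (Get-Command Get-PrinterPort -ErrorAction SilentlyContinue) {
    $portNames += Get-PrinterPort | Where-Object PortMonitor -eq 'Local Port' |
        Select-Object -ExpandProperty Name
}
if (Test-Path $portsKey) { $portNames += (Get-Item $portsKey).GetValueNames() }

foreach ($name in ($portNames | Sort-Object -Unique)) {
    # Only path-shaped names (drive letter or UNC) can be redirected to a file on disk.
    if ($name -notmatch '^([A-Za-z]:\\|\\\\)') { continue }
    $resolved = [IO.Path]::GetFullPath($name)
    $findings = @()
    foreach ($root in $sensitiveRoots) {
        if ($root -and $resolved.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
            $findings += "resolves under $root"
        }
    }
    $reparse = Test-ReparseInPath -Path $resolved
    if ($reparse) {
        $findings += "traverses $($reparse.LinkType) at $($reparse.Path) -> $($reparse.Target)"
    }
    if ($findings) { Write-Output ("SUSPICIOUS port '{0}': {1}" -f $name, ($findings -join '; ')) }
    else           { Write-Output ("ok         port '{0}'" -f $name) }
}
```

Run it from an elevated PowerShell session; a port name that already points into System32, or through a junction, is worth investigating together with the spooler's recent restarts.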
File snapshot

```
[4.0K] /data/pocs/d09f84bb7e8c8ce216bd7ffa8b5913b5b3a202a4
├── [169K] exploit.ps1
└── [ 760] README.md
0 directories, 2 files
```