sailay1996/CdpSvcLPE

Stars
247
Rank 158,726 (Top 4 %)
Language
C++
Created almost 2 years ago
Updated over 1 year ago

sailay1996/CdpSvcLPE

sailay1996

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Windows Local Privilege Escalation via CdpSvc service (Writeable SYSTEM path Dll Hijacking)

CdpSvcLPE

Windows Local Privilege Escalation via CdpSvc service (Writeable SYSTEM path Dll Hijacking)

Short Description:

Connected Devices Platform Service (or CDPSvc) is a service which runs as NT AUTHORITY\LOCAL SERVICE and tries to load the missing cdpsgshims.dll DLL on startup with a call to LoadLibrary(), without specifying its absolute path. So, it can be hijack dll in the folder of Dll Search Order flow and we will get process or shell access with NT AUTHORITY\LOCAL SERVICE if we hijack the dll in SYSTEM PATH writable place such as C:\python27. Then, I just combine it with @itm4n's PrintSpoofer technique to get NT AUTHORITY\SYSTEM access.

Usage:

Find Writable SYSTEM PATH with acltest.ps1 (such as C:\python27)
C:\CdpSvcLPE> powershell -ep bypass ". .\acltest.ps1"
Copy cdpsgshims.dll to C:\python27
make C:\temp folder and copy impersonate.bin to C:\temp
C:\CdpSvcLPE> mkdir C:\temp
C:\CdpSvcLPE> copy impersonate.bin C:\temp
Reboot (or stop/start CDPSvc as an administrator)
cmd wil prompt up with nt authority\system.

Youtube: https://youtu.be/Jfxfsc04H5o

\m/ Note: when you got system cmd prompt, stop the cdpsvc service and delete dll file and bin file.

by @404death

Ref:

http://zeifan.my/security/eop/2019/11/05/windows-service-host-process-eop.html
https://itm4n.github.io/cdpsvc-dll-hijacking/
https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/
https://github.com/itm4n/PrintSpoofer
https://gist.github.com/wdormann/eb714d1d935bf454eb419a34be266f6f

UAC_Bypass_In_The_Wild

Windows 10 UAC bypass for all executable files which are autoelevate true .

awesome_windows_logical_bugs

collect for learning cases

UAC_bypass_windows_store

Windows 10 LPE (UAC Bypass) in Windows Store (WSReset.exe)

cve-2020-1337-poc

poc for CVE-2020-1337 (Windows Print Spooler Elevation of Privilege)

RpcSsImpersonator

Privilege Escalation Via RpcSs svc

WerTrigger

Weaponizing for privileged file writes bugs with windows problem reporting

magnifier0day

Windows 10 Privilege Escalation (magnifier.exe) via Dll Search Order Hijacking

SpoolTrigger

Weaponizing for privileged file writes bugs with PrintNotify Service

Fileless_UAC_bypass_WSReset

I created the python script to bypass UAC to get system shell .

delete2SYSTEM

Weaponizing for Arbitrary Files/Directories Delete bugs to Get NT AUTHORITY\SYSTEM

PrintNightmare-LPE

CVE-2021-1675 (PrintNightmare)

tokenx_privEsc

with metasploit

GUI_UAC_bypassX

gui uac bypass (netplwiz.exe)

eternal-pulsar

Eternalblue-Doublepulsar without Metasploit or python

cve-2022-21882-poc

lpe poc for cve-2022-21882

offsec_WE

learning case to prepare OSWE

SECOMN_EoP

Sound Research SECOMN service Privilege Escalation (windows 10)

amd_eop_poc

CVE-2020-8950 AMD User Experience Program Launcher from Radeon Software Privilege Escalation ( FileWrite eop)

windows-stuff

my learning case about windows

FileWrite2system

File Write Weapon for Privilege Escalation To get SYSTEM

misc-bin

origin_client_LPE

Ea's Origin Client LPE

JustFunctions

Dangerous Functions of Programming Languages

app-sec-checklist

checklist for Application penetration Testing

Windows_System_Programming

my learning journey of windows system programmings

wp_app_dllhijack_poc

NP_impersonate

priv esc for SeImpersonatePrivilege

sec_checklist_bag

Security Checklist for Industry

playing-with-privileged-tokens

just my learning cases

offsecWE-prepare

my learning case for OSWE prepare

pyauthy

Script for Twilio Authy Two-Factor Authentication (2FA)

xApp

trash-bin

MyNotes

awe-win-expx

mozilla-security-checklist

Mozilla - Security Checklist #noted

assem

my learning case for assembly