Microsoft Windows NT 4.0/SP1/SP2/SP3/SP4/SP5/SP6 - 'Spoolss.exe' DLL Insertion

EDB-ID:

19594




Platform:

Windows

Date:

1999-11-04


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

source: https://www.securityfocus.com/bid/769/info

The spooler service (spoolss.exe) allows local users to add their own dll files and have the spooler run them at SYSTEM level. This could lead to privilege escalation all the way up to Administrator level. The problem is in the function AddPrintProvider(). 

This exploit will crash the spooler service and copy a custom dll into c:\winnt\system32. When the spooler service is restarted, the custom dll is loaded and run at SYTEM level. The 'whoami' binary is run and the results logged in a text file for verification. If the target machine's NT directory is not the default c:\winnt, the program will have to be modified. 

https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/19594.zip