PowerShell and C++ PoCs for critical / high impact Windows Spooler vulnerabilities found in 2020-22:
The videos of the demonstration of the PoCs are provided inside the Video folder, while more information about each specific vulnerability can be found in the CVEs history file.
We used VirtualBox with a Windows ISO version 19H1, downloaded through Rufus, from this link: Link to ISO.
The link is working on the 22/06/2022, otherwise inside Rufus, follow the follwing steps:
- Click the arrow on the button named "Select" and select "Download";
- A new window will pop up, select the version Windows 10 and press the button "Next";
- On release, select 19H1 one and then press the button "Next";
- Leave the default edition of Windows (i.e., Home/Pro) and press "Next";
- Choose the lenguage and architecture and press "Next";
- If you want to download via browser tick the square and then press "Download".
The Windows ISO in question is not patched, in fact it respects all the requirements for the possible exploitation of the vulnerabilities.
- The name of the user that we gave is: User, it does not have privileges.
The prject is composed by the following files:
- PoC.cpp: contains the main methods of the application and the init functions for each of the attack;
- exploits.h / exploits.cpp: contains the exploits for each vulnerability considered;
- utils.h / utils.cpp: contains utils functions, such as: request the reboot of the system, register the current application to be executed after a reboot and check if a directory exists ;
- printers.h / printers.cpp: contains utility function to interact with printers and manage printer ports and drivers.
In order to create the executable files of the different PoCs, it is needed to statically compile the source code with VisualStudio (have a look to this link for setting the configurations on VisualStudio: Link to static compilation.
Depending on the attack that we want to perform its needed to:
- inside the main function located in PoC.cpp, uncomment the line associated to the init function of the vulnerability considered;
- in the case of CVE 2020-1030 and SpoolFool it is also necessary to create a file "payload.txt" inside "C:\Users\User\Desktop". The payload.txt will contain the data that will be inserted inside the file that will be created in "C:\Windows\System32\spool\drivers\x64\4";
- The executable file will be created inside the x64 folder by Visual Studio.
Beyond using the C++ API, we also wanted to try the exploitation of PrintDemon using Powershell. Inside the directory PoC PrintDemon Powershell there is the implementation of a version of PrintDemon which can be run via Powershell.