
Ideas for privilege escalation via a custom [printer] driver

Hello there. First time poster. I've stumbled on this forum from some Google searches on SANS certifications I've been interested in. I'm currently doing the OS PWK course, but this question isn't about that certification as much as it is about ideas/guidance for a penetration test I'm participating in for work.

I'm somewhat new to penetration testing, and have been drinking from the firehose between the SANS courses I've taken and PWK course I'm currently taking.

Anyways, I'm hoping to get some direction on a test I'm currently participating in. I have local privileges on a Windows 10 (x64) box, and I am trying to escalate privileges. The box is fully patched, but the computer is set up so that certain functions/processes are allowed to run with elevated privileges. One said function is adding a printer to the machine.

I noticed that when I go to add a network printer I get a warning asking me if I trust the printer, because Windows will install a software driver from it (if I say yes, it goes forth with the installation). From some reading, Windows runs this driver installation as SYSTEM.

So my idea to get admin is to install a local printer with a malicious printer driver (or a valid printer driver I've injected with badness). I've never done this before, so I did some research. I found this article, which somewhat describes what I'd like to do, but:
  • This would be a local priv. escalation attack, so no need to attack a network printer
  • I don't want to have to reverse engineer a printer driver (at least, not with IDA and assembly, as I have little experience there)
  • I'd rather avoid reverse/bind shells... I just need it to execute a Windows command, to add my local user to the admin group ("net localgroup administrators myuser /add")

I thought it would be as simple as downloading a printer DLL and using the "" script to inject it with badness, then installing the DLL (like a mouse driver), but everywhere I look printer drivers are just executables. I've tried unpacking (with 7-Zip) one of these EXEs but I don't see any DLLs in the extracted output.

I've started down the path of writing my own printer driver and then seeing if I can get it installed as a printer driver on my machine, and then from there determining how to inject system commands into my driver code, but I'm starting to feel in over my head.

Could somebody provide some direction that would simplify what I'm trying to do, or at least confirm that writing my own driver is the way to go?


This post first appeared on Recent Blogs Posts - IT Certificatio, please read the original post: here
