ly4k / spoolfool Goto Github PK

It seems like worked but, I don't know the new password

When I try to use the Powershell script to load a vulnerable dll, the compressed file seems to be corrupted when the script uncompress it.

Tried on fresh Server 2022 Standard.

Windows Defender with default settings appears to block this - the exe won't download, and the PS script won't run. You get "This script contains malicious content and has been blocked by your antivirus software."

So...all okay, I guess?

Admin account not getting created even after successfully loading dll. I have tried it on Windows 20H2 and 21H2. Please advise.

Does the creation failure mean that the vulnerability does not exist in the system? I am very confused about this question, I hope someone can answer it, thank you very much！

Test on windows 2016 :

why error ?

Hi Oliver,

Update : the Poc will work well on an existing printer that the user has full control over

It seems that the provided PoC will not run at several windows Servers.
Windows server 2016 :

PS C:\Users\test\Desktop> .\SpoolFool.exe -dll AddUser.dll
[*] Using printer name: Microsoft XPS Document Writer v4
[*] Using driver directory: 4
[*] Using temporary base directory: C:\Users\test\AppData\Local\Temp\0777935b-9de1-439d-ba02-4d9e5fafcb13
[*] Trying to open existing printer: Microsoft XPS Document Writer v4
[*] Failed to open existing printer: Microsoft XPS Document Writer v4
[*] Trying to create printer: Microsoft XPS Document Writer v4
[-] Failed to create printer: Microsoft XPS Document Writer v4

Tested the same with Win2012R2

I should add that running Add-Printer -Name "test" -DriverName "Microsoft XPS Document Writer v4" -PortName "portprompt:"

Terminates with :

PS C:\Users\test\Desktop> Add-Printer -Name "test" -DriverName "Microsoft XPS Document Writer v4" -PortName "portprompt:" | fl
Add-Printer : Access was denied to the specified resource.
At line:1 char:1
+ Add-Printer -Name "test" -DriverName "Microsoft XPS Document Writer v ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (MSFT_Printer:ROOT/StandardCimv2/MSFT_Printer) [Add-Printer], CimException
    + FullyQualifiedErrorId : HRESULT 0x80070005,Add-Printer

PS C:\Users\test\Desktop>

In the writeup you do mention the lack of the desired permissions in Windows servers, but as I understand it is still should work ?
Accoring MSRC all servers are vulnerable too.

Cheers,
Bryant

I'm not able to run the exploit on my lab environment.
it say "Failed to create driver directory: C:\Windows\system32\spool\DRIVERS\x64\4"
Also I don't have access to the local admin

Readme.md minor fix.