漏洞平台

POC详情： 7ba05516f8ea23036ce79bc9bcd2dd915c399c5a

来源

https://github.com/Malwareman007/CVE-2022-30206

关联漏洞

标题： Microsoft Windows Print Spooler Components 权限许可和访问控制问题漏洞 (CVE-2022-30206)
描述：Microsoft Windows Print Spooler Components是美国微软（Microsoft）公司的一个打印后台处理程序组件。 Microsoft Windows Print Spooler Components存在权限许可和访问控制问题。以下产品和版本受到影响：Windows 10 Version 1809 for 32-bit Systems,Windows 10 Version 1809 for x64-based Systems,Windows 10 Version 1809

描述

A POC of CVE-2022-30206

介绍

# CVE-2022-30206
This is the PoC for CVE-2022-30206.
# Windows Print Spooler Elevation of Privilege Vulnerability. 
## Introduction
Perform the following operations to arbitrary file deletion：
1. Run the `addprinter.exe` to create a printer and set the SpoolDirectory in `C:\Users\Public\tmp\1`.
2. Run the `FileLock.exe TargetFile` to redirect .SHD file to TargetFile and set a oplock on TargetFile.
3. Run the `openprinter.exe` to make the printer work, which will trigger the oplock, then release the oplock, the TargetFile will be deleted.


## PS
1. This PoC needs to be combined with some other tricks(such as <https://github.com/thezdi/PoC/tree/master/FilesystemEoPs>) to make arbitrary file deletion to achieve EoP
2. If the execution is not successful at one time, you need to modify the .SHD filename of the FileLock's main.cpp. Normally, the file id is incremented by two each time after a print job, please try 00005.SHD、00007.SHD…

文件快照


 [4.0K]  /data/pocs/7ba05516f8ea23036ce79bc9bcd2dd915c399c5a
├── [4.0K]  addpriner
│   ├── [4.0K]  addpriner
│   │   ├── [6.9K]  addpriner.vcxproj
│   │   ├── [ 952]  addpriner.vcxproj.filters
│   │   ├── [ 165]  addpriner.vcxproj.user
│   │   └── [1.8K]  main.cpp
│   └── [1.4K]  addpriner.sln
├── [4.0K]  FileLock
│   ├── [4.0K]  CommonUtils
│   │   ├── [2.9K]  CommonUtils.cpp
│   │   ├── [1023]  CommonUtils.h
│   │   ├── [5.3K]  CommonUtils.vcxproj
│   │   ├── [2.6K]  CommonUtils.vcxproj.filters
│   │   ├── [ 165]  CommonUtils.vcxproj.user
│   │   ├── [1.3K]  DirectoryObject.cpp
│   │   ├── [3.7K]  FileOpLock.cpp
│   │   ├── [ 753]  FileOpLock.h
│   │   ├── [4.1K]  FileSymlink.cpp
│   │   ├── [ 562]  FileSymlink.h
│   │   ├── [1008]  Hardlink.cpp
│   │   ├── [1.3K]  NativeSymlink.cpp
│   │   ├── [2.2K]  ntimports.h
│   │   ├── [4.4K]  RegistrySymlink.cpp
│   │   ├── [ 12K]  ReparsePoint.cpp
│   │   ├── [1.2K]  ReparsePoint.h
│   │   ├── [1.1K]  ScopedHandle.cpp
│   │   ├── [ 473]  ScopedHandle.h
│   │   ├── [ 290]  stdafx.cpp
│   │   ├── [ 260]  stdafx.h
│   │   ├── [ 306]  targetver.h
│   │   └── [1.3K]  typed_buffer.h
│   ├── [4.0K]  FileLock
│   │   ├── [7.6K]  FileLock.vcxproj
│   │   ├── [ 952]  FileLock.vcxproj.filters
│   │   ├── [ 221]  FileLock.vcxproj.user
│   │   └── [2.0K]  main.cpp
│   └── [2.1K]  FileLock.sln
├── [ 26K]  LICENSE
├── [4.0K]  openprinter
│   ├── [4.0K]  openprinter
│   │   ├── [ 748]  main.cpp
│   │   ├── [6.9K]  openprinter.vcxproj
│   │   ├── [ 952]  openprinter.vcxproj.filters
│   │   └── [ 165]  openprinter.vcxproj.user
│   └── [1.4K]  openprinter.sln
└── [ 950]  README.md

7 directories, 39 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。