Windows 10 Privilege Escalation (magnify.exe) via Dll Search Order Hijacking
Some of the ppl will say this is not vuln because of default system paths %path% but most of the user have the user writeable path in SYSTEM %PATH% then we can exploit it.
- copy payload dll as igdgmm64.dll to SYSTEM path %PATH% which is writeable such as C:\python27
- Press WinKey+L
- Press Enter
- Press WinKey++(plusKey) on login screen which show password box.
then payload dll will execute as SYSTEM access.
or
WinKey+L (LogonUI) -> Ease of Access - > Magnifier -> login.
payload will execute as SYSTEM