Skip to content

vysecurity/magnifier0day

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits

Magnify_0day.jpg

Magnify_0day.jpg

 
 

README.md

README.md

 
 

igdgmm64.c

igdgmm64.c

 
 

igdgmm64.dll

igdgmm64.dll

 
 

poc.wmv

poc.wmv

 
 

search_order_poc.jpg

search_order_poc.jpg

 
 

Repository files navigation

magnifier0day

Windows 10 Privilege Escalation (magnify.exe) via Dll Search Order Hijacking

Some of the ppl will say this is not vuln because of default system paths %path% but most of the user have the user writeable path in SYSTEM %PATH% then we can exploit it.

steps:

  1. copy payload dll as igdgmm64.dll to SYSTEM path %PATH% which is writeable such as C:\python27
  2. Press WinKey+L
  3. Press Enter
  4. Press WinKey++(plusKey) on login screen which show password box.
    then payload dll will execute as SYSTEM access.

or
WinKey+L (LogonUI) -> Ease of Access - > Magnifier -> login.
payload will execute as SYSTEM

Noted: Use this for finding paths

https://github.com/sailay1996/awesome_windows_logical_bugs/blob/master/find_dir4_privEsc_dll_hijack.txt

test1

@404death

About

Windows 10 Privilege Escalation (magnifier.exe) via Dll Search Order Hijacking

Resources

Readme
Activity

Stars

4 stars

Watchers

1 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • C 100.0%