👾 Overview

🔗 Perfusion

Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012 have a vulnerability where the RpcEptMapper and Dnscache registry keys are configured with weak permissions. Because of this, any local user can get a DLL of their choosing loaded as NT AUTHORITY\SYSTEM.
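The misconfiguration above is a plain ACL problem, so it can be audited. The following PowerShell check is an added example, not code from the Perfusion project or from the original page: it lists Allow ACEs on the two named keys that grant write-type rights to low-privileged principals. It assumes the keys live under HKLM\SYSTEM\CurrentControlSet\Services (where Windows keeps service configuration) and that the principals in $lowPrivPrincipals are the ones to treat as low-privileged.

```powershell
# Added example (not part of Perfusion): audit the RpcEptMapper and Dnscache
# service keys for write rights granted to low-privileged principals.
# Assumption: service keys live under HKLM\SYSTEM\CurrentControlSet\Services.
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\RpcEptMapper',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache'
)

# Rights that let a caller create a subkey or write values under the key.
$writeRights = [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey -bor
               [System.Security.AccessControl.RegistryRights]::FullControl

# Assumption: principals that should never hold write rights on a service key.
$lowPrivPrincipals = @(
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'BUILTIN\Users',
    'Everyone'
)

function Test-WeakServiceKeyAcl {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Key not present: $Path"
        return
    }
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Only Allow ACEs grant anything; Deny ACEs are not findings.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $identity = $ace.IdentityReference.Value
        if ($lowPrivPrincipals -notcontains $identity) { continue }
        if (($ace.RegistryRights -band $writeRights) -ne 0) {
            [PSCustomObject]@{
                Key       = $Path
                Identity  = $identity
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = foreach ($k in $keys) { Test-WeakServiceKeyAcl -Path $k }
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No write rights for low-privileged principals found on the audited keys.'
}
```

Any row in the output is a key a standard user can modify; on a patched or unaffected system the script should report no findings.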

💾 Installation

  1. Clone the repository
  2. Build the solution in the Release configuration in Visual Studio

⏯️ Usage

The easiest way to use the tool is to launch an interactive system shell.

# Using Perfusion to get an interactive shell as NT AUTHORITY\SYSTEM
.\Perfusion.exe -c cmd -i

# On Windows 7 or Windows Server 2008 R2, if the command above fails, target the other vulnerable key instead
.\Perfusion.exe -k Dnscache -c cmd -i

📝 Resources

🔗 Hyperlink | ℹ️ Info
Perfusion | Tool to exploit the RpcEptMapper vulnerability
PrivescCheck | Windows privesc script
itm4n's Blog | Blog post explaining the RpcEptMapper vulnerability and the development of Perfusion