Windows 10 Privilege Escalation (magnify.exe) via Dll Search Order Hijacking

can exploit every windows which installed intel Driver.

Some of the ppl will say this is not vuln because of default system paths %path% but most of the user have the user writeable path in SYSTEM %PATH% then we can exploit it.

1. copy payload dll as igdgmm64.dll to SYSTEM path %PATH% which is writeable such as C:\python27
2. Press WinKey+L
3. Press Enter
4. Press WinKey++(plusKey) on login screen which show password box.
   then payload dll will execute as SYSTEM access.

or
WinKey+L (LogonUI) -> Ease of Access - > Magnifier -> login.
payload will execute as SYSTEM

https://github.com/sailay1996/awesome_windows_logical_bugs/blob/master/find_dir4_privEsc_dll_hijack.txt

@404death