CdpSvcLPE

Windows Local Privilege Escalation via CdpSvc service (Writeable SYSTEM path Dll Hijacking)

Short Description:

Connected Devices Platform Service (or CDPSvc) is a service which runs as NT AUTHORITY\LOCAL SERVICE and tries to load the missing cdpsgshims.dll DLL on startup with a call to LoadLibrary(), without specifying its absolute path. So, it can be hijack dll in the folder of Dll Search Order flow and we will get process or shell access with NT AUTHORITY\LOCAL SERVICE if we hijack the dll in SYSTEM PATH writable place such as C:\python27. Then, I just combine it with @itm4n's PrintSpoofer technique to get NT AUTHORITY\SYSTEM access.

Usage:

1. Find Writable SYSTEM PATH with acltest.ps1 (such as C:\python27)
   C:\CdpSvcLPE> powershell -ep bypass ". .\acltest.ps1"
   
2. Copy cdpsgshims.dll to C:\python27
   
3. make C:\temp folder and copy impersonate.bin to C:\temp
   C:\CdpSvcLPE> mkdir C:\temp
C:\CdpSvcLPE> copy impersonate.bin C:\temp
   
4. Reboot (or stop/start CDPSvc as an administrator)
   
5. cmd wil prompt up with nt authority\system.
   

Youtube: https://youtu.be/Jfxfsc04H5o

\m/ Note: when you got system cmd prompt, stop the cdpsvc service and delete dll file and bin file.

by @404death

Ref:

http://zeifan.my/security/eop/2019/11/05/windows-service-host-process-eop.html
https://itm4n.github.io/cdpsvc-dll-hijacking/
https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/
https://github.com/itm4n/PrintSpoofer
https://gist.github.com/wdormann/eb714d1d935bf454eb419a34be266f6f