
ACIDDAMAGE runs as low-privileged user

Open bananabr opened this issue 2 years ago • 3 comments

I tried replicating the attack but my DLL is loaded as the user running cp_client and not as SYSTEM. Any ideas?

bananabr, Apr 26 '22 17:04

@bananabr Did you ever sort it out? I'm having the same issue.

joshuanutt, Aug 24 '22 15:08

Obviously, I'd need more information to troubleshoot this. Windows version, driver version, etc.

jbaines-r7, Aug 24 '22 15:08

I have access to some older versions of Windows at home and will test those when I get off work.

Info from the client PC:

Driver

This is the driver that was installed when connecting to the malicious printer.

From Get-PrinterDriver:

| Name | Value |
| --- | --- |
| Name | Lexmark Universal v2 |
| MajorVersion | 3 |
| DriverVersion | 562992903094277 |

From lmud1040.GDL

<GDL_ATTRIBUTE Name="*GPDFileVersion" xsi:type="GDLW_string">2.10.0.5</GDL_ATTRIBUTE>
<GDL_ATTRIBUTE Name="*GPDSpecVersion" xsi:type="GDLW_string">1.0</GDL_ATTRIBUTE>

Device Info

| Name | Value |
| --- | --- |
| WindowsProductName | Windows 10 Pro |
| WindowsEditionID | Professional |
| WindowsVersion | 2009 |
| OSBuildNumber | 19044 |
| OSArchitecture | 64-bit |

Hotfixes: KB5015730 KB5003791 KB5012170 KB5016616 KB5014671 KB5015895 KB5005699

joshuanutt, Aug 24 '22 18:08