Privilege Escalation - AsusSystemDiagnosis.exe - Proc39()

Full Path: C:\WINDOWS\System32\DriverStore\FileRepository\asussci2.inf_amd64_d385bdc0d33d66f9\ASUSSystemDiagnosis\AsusSystemDiagnosis.exe


The ALPC port \RPC Control\ASHWTestServer, exposed by AsusSystemDiagnosis.exe, is fully accessible to any user. Calling Proc39() via RPC through this port spawns a taskmgr.exe process as SYSTEM in the current user's session.


Using Project Zero's NtObjectManager RPC tooling from (make sure you take the compiled release), the vulnerable RPC port can be connected to, at which point Proc39() can be called. Once the SYSTEM taskmgr.exe process is spawned, a cmd.exe shell can be created by using the "Run New Task" functionality via the context menu, File > Run New Task > cmd.exe.


# Parse the RPC interface(s) embedded in the ASUS binary (NtObjectManager cmdlet)
$server = Get-RpcServer C:\WINDOWS\System32\DriverStore\FileRepository\asussci2.inf_amd64_d385bdc0d33d66f9\ASUSSystemDiagnosis\AsusSystemDiagnosis.exe

# Generate a client object for the parsed interface; its methods correspond to the ProcNN() procedures
$client = Get-RpcClient $server



Privilege Escalation - AsusSystemDiagnosis.exe - Proc40()

Same as above, but spawns mmc.exe as SYSTEM. One can either create a new task or use the browse functionality to open an explorer.exe window and execute cmd.exe from the address bar.

Additional Notes:

Proc53() - spawns systemreset.exe as SYSTEM
Proc54() - spawns RecoveryDrive.exe as SYSTEM
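Added detection example (not part of the original advisory or of ASUS/NtObjectManager): a PowerShell hunt over Sysmon process-creation events (Event ID 1) for the SYSTEM children of AsusSystemDiagnosis.exe named above, with a flag for children landing in an interactive (non-zero) session, which is the behaviour the advisory describes. Assumes Sysmon is installed with process-creation logging and the script runs with rights to read the Sysmon log.

```powershell
# Constructed detection script; the log name, event fields and cmdlets are standard Sysmon/PowerShell.
$ParentName    = 'AsusSystemDiagnosis.exe'
# Children documented for Proc39/40/53/54 in the advisory above.
$KnownChildren = @('taskmgr.exe', 'mmc.exe', 'systemreset.exe', 'RecoveryDrive.exe')

function Get-SysmonProcessCreate {
    param([int]$MaxEvents = 5000)
    # Sysmon Event ID 1 = process creation. Reading this log normally needs an elevated shell.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } `
                 -MaxEvents $MaxEvents -ErrorAction Stop | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        # EventData is a list of <Data Name="...">value</Data> elements; flatten to a hashtable.
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Image       = $d['Image']
            ParentImage = $d['ParentImage']
            User        = $d['User']
            SessionId   = [int]$d['TerminalSessionId']
            CommandLine = $d['CommandLine']
        }
    }
}

function Find-SuspiciousAsusChildren {
    Get-SysmonProcessCreate | Where-Object {
        $_.ParentImage -and
        ([IO.Path]::GetFileName($_.ParentImage) -ieq $ParentName) -and
        ($_.User -ieq 'NT AUTHORITY\SYSTEM')
    } | ForEach-Object {
        $child = [IO.Path]::GetFileName($_.Image)
        [pscustomobject]@{
            Time        = $_.Time
            Child       = $child
            # Known: a child the advisory lists. Interactive: spawned into a user session (not session 0),
            # the hallmark of the abuse path rather than normal service-side work.
            Known       = ($KnownChildren -contains $child)
            Interactive = ($_.SessionId -ne 0)
            SessionId   = $_.SessionId
            CommandLine = $_.CommandLine
        }
    }
}

$hits = Find-SuspiciousAsusChildren
if ($hits) { $hits | Sort-Object Time | Format-Table Time, Child, Known, Interactive, SessionId -AutoSize }
else       { Write-Host "No SYSTEM children of $ParentName found in the events examined." }
```

Rows with Known and Interactive both true match the exact pattern described in this advisory; other SYSTEM children in a non-zero session are worth a look as well.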