joshuanutt
commented
2 years ago @bananabr Did you ever sort it out? I'm having the same issue.
Open bananabr opened 2 years ago
joshuanutt
commented
2 years ago @bananabr Did you ever sort it out? I'm having the same issue.
jbaines-r7
commented
2 years ago Obviously, I'd need more information to troubleshoot this. Windows version, driver version, etc.
joshuanutt
commented
2 years ago I have access to some older versions of Windows at home and will test those when I get off work.
Info from the client PC:
This is the driver that was installed when connecting to the malicious printer.
From Get-PrinterDriver: |
Name | Value |
|---|---|---|
| Name | Lexmark Universal v2 | |
| MajorVersion | 3 | |
| DriverVersion | 562992903094277 |
From lmud1040.GDL
<GDL_ATTRIBUTE Name="*GPDFileVersion" xsi:type="GDLW_string">2.10.0.5</GDL_ATTRIBUTE>
<GDL_ATTRIBUTE Name="*GPDSpecVersion" xsi:type="GDLW_string">1.0</GDL_ATTRIBUTE>| Name | Value |
|---|---|
| WindowsProductName | Windows 10 Pro |
| WindowsEditionID | Professional |
| WindowsVersion | 2009 |
| OSBuildNumber | 19044 |
| OSArchitecture | 64-bit |
Hotfixes: KB5015730 KB5003791 KB5012170 KB5016616 KB5014671 KB5015895 KB5005699
I tried replicating the attack but my DLL is loaded as the user running cp_client and not as SYSTEM. Any ideas?