Get ADMIN access on Windows by exploiting the old FAX service – Step by step

Now you can get ADMIN access on Windows by exploiting the old Windows Fax Service to gain full SYSTEM-level access on a machine. By combining a UAC bypass technique with a malicious Fax Service Provider registration, the attack tricks Windows into loading a rogue DLL inside a trusted service that runs with very high privileges.

In this article, we break down the complete attack flow of how the Windows Fax Service is manipulated into executing attacker-controlled code as SYSTEM. This project has three important files:

eris.cpp

eris.cpp is the starting program of the whole chain. When compiled, it produces an executable called eris.exe. This executable acts as the launcher responsible for preparing the environment and starting the privilege escalation sequence. It copies supporting files into public directories and manipulates Windows settings so that trusted Windows components unintentionally execute attacker-controlled code.

The executable abuses a Windows scheduled task called SilentCleanup. It changes an environment variable (windir) so that Windows is redirected into running a fake cleanmgr.exe that the program copied earlier. Because the task is trusted by Windows, the fake executable runs with elevated rights without showing the normal User Account Control (UAC) prompt.

eris.exe's primary role is not to gain full control directly, but to silently start the second-stage payload (setup.ps1) with higher privileges than a normal user would usually have.

setup.ps1

setup.ps1 is a PowerShell script that acts as the installer and persistence component. It prepares the system so that Windows itself will later load the malicious DLL. The script stops the legitimate Fax service, copies the malicious faxp.dll into the trusted System32 directory, and modifies registry settings so that Windows recognizes the DLL as a valid Fax Service Provider.

The script also changes the service configuration so that the Fax service runs with SYSTEM-level privileges. Once the configuration is complete, it restarts the Fax service. During startup, Windows automatically loads the newly registered DLL because it believes the DLL is part of the legitimate Fax infrastructure.

faxp.cpp

faxp.cpp is compiled into faxp.dll, which is the final payload DLL. Unlike a normal executable program, a DLL is designed to be loaded by another application or Windows service. In this case, the Windows Fax service loads the DLL automatically because the registry was modified earlier by setup.ps1.

Once loaded, the DLL searches for a highly privileged Windows process, winlogon.exe. It duplicates the security token associated with that process and uses it to create a new command prompt running with SYSTEM privileges. SYSTEM is one of the highest privilege levels available in Windows, more powerful than a standard administrator account.

Overall Elevated Privilege Flow

The overall process follows a staged privilege escalation chain. First, eris.exe tricks Windows into running code with elevated permissions by abusing a trusted scheduled task and bypassing normal UAC protections. This allows hidden execution of the PowerShell installer without directly alerting the user.

Next, setup.ps1 installs and registers the malicious DLL as part of the legitimate Windows Fax service infrastructure. Since Windows trusts this service, the DLL later executes automatically with SYSTEM-level permissions when the service starts.

Finally, when the Fax service loads faxp.dll, the DLL impersonates a highly privileged Windows process and launches a SYSTEM-level command shell. At this point, the attacker effectively has full control over the system with the highest privileges available in Windows.
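Each stage of the chain above leaves a persistent configuration change that a defender can look for without any of the project's binaries being present: a per-user windir override (the SilentCleanup bypass), a new Fax Service Provider entry that points at a DLL which is not a signed Microsoft binary, and a Fax service that no longer runs under its default account. The following read-only PowerShell audit is an added example, not code from the SNEK_Eris project; it assumes the standard provider registration key HKLM:\SOFTWARE\Microsoft\Fax\Device Providers with an ImageName value per provider, and a default Fax service account of NT AUTHORITY\NetworkService, neither of which the page itself states.

```powershell
# Added example (not part of SNEK_Eris): audit a host for the three configuration
# changes the Fax-provider escalation chain depends on. Read-only; changes nothing.
$findings = @()

# 1. SilentCleanup UAC bypass indicator: a per-user 'windir' value in HKCU\Environment
#    redirects %windir%\system32\cleanmgr.exe in the task to a user-writable path.
$userEnv = Get-ItemProperty -Path 'HKCU:\Environment' -ErrorAction SilentlyContinue
if ($userEnv -and $userEnv.PSObject.Properties['windir']) {
    $findings += "Per-user windir override present: $($userEnv.windir)"
}

# 2. Rogue Fax Service Provider: every registered provider should resolve to a
#    validly signed Microsoft DLL. (Assumption: providers are registered under this
#    key with an ImageName value; the page does not name the key.)
$providerKey = 'HKLM:\SOFTWARE\Microsoft\Fax\Device Providers'
if (Test-Path $providerKey) {
    foreach ($p in Get-ChildItem -Path $providerKey) {
        $image = (Get-ItemProperty -Path $p.PSPath -ErrorAction SilentlyContinue).ImageName
        if (-not $image) { continue }
        $expanded = [Environment]::ExpandEnvironmentVariables($image)
        if (-not (Test-Path $expanded)) {
            $findings += "Provider '$($p.PSChildName)' points at a missing file: $expanded"
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $expanded
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += "Provider '$($p.PSChildName)' loads an unsigned or non-Microsoft DLL: $expanded"
        }
    }
}

# 3. Fax service identity: the chain reconfigures the service to run as SYSTEM.
#    (Assumption: the default account is NT AUTHORITY\NetworkService.)
$fax = Get-CimInstance -ClassName Win32_Service -Filter "Name='Fax'" -ErrorAction SilentlyContinue
if ($fax -and $fax.StartName -ne 'NT AUTHORITY\NetworkService') {
    $findings += "Fax service runs as '$($fax.StartName)' (expected NT AUTHORITY\NetworkService)"
}

if ($findings.Count -eq 0) {
    'No indicators of the Fax-provider escalation chain found.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

The script needs no elevation: HKLM and System32 are world-readable, and Get-AuthenticodeSignature only reads the file. The windir check is per-user (it reads HKCU), so run the audit under each account that could have executed the launcher, or enumerate HKU:\<SID>\Environment from an administrative session. A missing provider file is reported too, since a provider entry left behind after a cleanup is still evidence that the registration happened.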

How to Test this

Git clone this project

git clone https://github.com/The-SNEK-Initiative/SNEK_Eris

Now install g++ (MinGW-w64) or MSYS2 and compile the code with the command below.

g++ faxp.cpp -shared -o faxp.dll "-Wl,-s,-O2,--kill-at" -lwtsapi32 -luserenv; g++ eris.cpp -o eris.exe -luser32 -lshell32 -ladvapi32 -s -O2

Then just run the exe; give it a second and you have an elevated shell. Alternatively, run the precompiled binaries we included in the releases; that works too.

If you are feeling lazy, download this zip file and run the binary/exe file in the folder:

https://github.com/The-SNEK-Initiative/SNEK_Eris/blob/main/SNEK_Eris_release-1.0.zip

Attack Chain Flow Diagram

User Execution
↓
eris.exe
↓
SilentCleanup Scheduled Task Abuse
↓
Hidden PowerShell Execution
↓
setup.ps1
↓
Malicious Fax Provider Registration
↓
Fax Service Restart
↓
faxp.dll Loaded by SYSTEM Service
↓
SYSTEM Token Duplication
↓
SYSTEM Shell Spawned

MITRE ATT&CK Mapping

Techniques used:

  • Scheduled Task Abuse
  • PowerShell
  • Registry Modification
  • DLL Side-Loading / Service DLL Abuse
  • Token Manipulation
  • Privilege Escalation

This tool abuses the trusted Windows Fax Service to bypass security protections and execute malicious code with very high privileges, giving ADMIN access on Windows.