
PrintNightmare: Kicking users from Pre-Windows 2000 legacy group may thwart domain controller exploitation

Anonymous Coward

Print Spooler

This has been a favourite vector of attack for decades for many reasons.

I used to store copies of Doom in the spool folder back when I was in college. It was the one place that literally anyone could write anything to.

The best course of action to avoid being immediately caught due to printers spewing out shit endlessly was to fill up some area of C: with as many massive bitmaps made in MS Paint as you could...create the biggest document your machine could handle without crashing and just use the spray tool to fill up the white space with loads of shit. One person in my computer lab back then used to enjoy making 10000 x 10000 pixel files full of dick and balls pictures. It isn't necessary to do this, as a bitmap is the same size no matter what; it just passed the time.

Once you had your massive bitmap, you simply threw together a batch file that copied the bitmaps over and over again until you used up approximately 49% of the disk space. Then you needed a second batch file to join up all the bitmaps into one hulking great big file. Just run the batch file until it crashes. The resulting file size varies according to filesystem limitations. Delete all the smaller files.

Once you had the biggest file possible, you needed to copy and paste that file (only once) into the spool folder. With any luck, the amount of RAM on your printer wouldn't be enough for the print job to start and the print queue would just jam.

From there you can deposit your copy of Doom into the spool folder with no fear of the printer spewing reams of shite.

Warning: If you had a typical college-grade IT department they would discover this issue rapidly...sometimes as fast as 3 weeks later.

I actually caused one of the college techies to go completely mad; he absolutely lost his shit with me. He heard rumours from students that it was me flooding the network with Doom, but he never figured out how, because standard procedure was to just re-image a troublesome machine. He told me they were re-imaging about 10 machines a week and he demanded that I tell him how I was getting Doom everywhere. I never told him. He ultimately quit and became an ice cream man. I bumped into him many years later serving ice cream from his truck and he was serene. He recognised me immediately. Apparently, the final straw was when I found a way to modify the installation images to pre-install Doom every time they ran Ghost...he had a sysprep script in his home folder that dragged in loads of drivers and packages to build his install images, and he never renamed any of the packages...so there were bucket loads of 3EFDAC31.exe style files that he was dragging in, so I could easily hide IDDQDIDKFALMAO.EXE (which I kept a backup of on one of the JetDirect print servers that had Telnet enabled, saved me carrying floppies) in his script and file repo. Sssh! Don't tell him! I'll add an extra 50 MB to your home folder quota and £10 of printing credit for the library if you stay quiet.

I actually own the very JetDirect that served me well (<3). They upgraded all the print servers just before I left and they were throwing the old ones out...so I rescued my favourite one. It's still pretty solid and still works. I have it attached to a LaserJet 4050 from the same era...it's properly configured and locked down though. It is also isolated on its own VLAN with no internet access.

Biting the hand that feeds IT © 1998–2021