:: Deepquest ::

On vulnerable versions of Windows the alpc endpoint method SchRpcSetSecurity implemented by the task scheduler service can be used to write arbitrary DACLs to .job files located in c:windowstasks because the scheduler does not use impersonation when checking this location. Since users can create files in the c:windowstasks folder, a hardlink can be created to a file the user has read access to. After creating a hardlink, the vulnerability can be triggered to set the DACL on the linked file. WARNING: The PrintConfig.dll (%windir%system32driverstorfilerepositoryprnms003*) on the target host will be overwritten when the exploit runs. This Metasploit module has been tested against Windows 10 Pro x64.