The Windows Print Spooler has a privilege escalation vulnerability that
can be leveraged to achieve code execution as SYSTEM.
The `SpoolDirectory`, a configuration setting that holds the path that
a printer's spooled jobs are sent to, is writable for all users, and it can
be configured via `SetPrinterDataEx()` provided the caller has the
`PRINTER_ACCESS_ADMINISTER` permission. If the `SpoolDirectory` path does not
exist, it will be created once the print spooler reinitializes.
Calling `SetPrinterDataEx()` with the `CopyFiles\` registry key will load the
dll passed in as the `pData` argument, meaning that writing a dll to the `SpoolDirectory`
location can be loaded by the print spooler.
Using a directory junction and UNC path for the `SpoolDirectory`, the exploit
writes a payload to `C:\Windows\System32\spool\drivers\x64\4` and loads it
by calling `SetPrinterDataEx()`, resulting in code execution as SYSTEM.