Rapid7 Vulnerability & Exploit Database

Ricoh Driver Privilege Escalation

Back to Search

Ricoh Driver Privilege Escalation



Various Ricoh printer drivers allow escalation of privileges on Windows systems. For vulnerable drivers, a low-privileged user can read/write files within the `RICOH_DRV` directory and its subdirectories. `PrintIsolationHost.exe`, a Windows process running as NT AUTHORITY\SYSTEM, loads driver-specific DLLs during the installation of a printer. A user can elevate to SYSTEM by writing a malicious DLL to the vulnerable driver directory and adding a new printer with a vulnerable driver. This module leverages the `prnmngr.vbs` script to add and delete printers. Multiple runs of this module may be required given successful exploitation is time-sensitive.


  • Alexander Pudwill
  • Pentagrid AG
  • Shelby Pace




x86, x64


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/local/ricoh_driver_privesc
msf exploit(ricoh_driver_privesc) > show targets
msf exploit(ricoh_driver_privesc) > set TARGET < target-id >
msf exploit(ricoh_driver_privesc) > show options
    ...show and set options...
msf exploit(ricoh_driver_privesc) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security