Moved Point and Print exploit PoC to distinct repository

Author: itm4n

.github/workflows/build.yml

@@ -111,11 +111,6 @@ jobs:
         run: |
           . ./build/Build.ps1
           Invoke-Build -Name "PrivescCheck" -NoNewSeed
-      - name: Build PointAndPrint script
-        shell: pwsh
-        run: |
-          . ./build/Build.ps1
-          Invoke-Build -Name "PointAndPrint" -NoNewSeed
       - name: Create release
         env:
           GH_TOKEN: ${{ github.token }}

README.md

@@ -128,12 +128,6 @@ Get-Content .\PrivescCheck.ps1 | Out-String | Invoke-Expression
 
 ### PowerShell Version 2
 
-If you see this at the beginning of the script, it just means that the **minimum** PowerShell version required for it to run is PSv2.
-
-```powershell
-#Requires -Version 2
-```
-
 A common way to bypass [Constrained Language Mode](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/) consists in using PSv2 as it does not implement this protection. Therefore, a significant part of the development effort goes into maintaining this retro-compatibility.
 
 > :information_source: Although PowerShell version 2 ~~is still enabled by default on recent versions of Windows~~ ([PowerShell 2.0 removal from Windows](https://support.microsoft.com/en-us/topic/powershell-2-0-removal-from-windows-fe6d1edc-2ed2-4c33-b297-afe82a64200a)), it cannot run without the .Net framework version 2.0, which requires a manual install.

build/Build.ps1

@@ -3,7 +3,7 @@ function Invoke-Build {
     [CmdletBinding()]
     param(
         [Parameter(Mandatory = $true)]
-        [ValidateSet("PrivescCheck", "PointAndPrint")]
+        [ValidateSet("PrivescCheck")]
         [String] $Name,
 
         [Switch] $NoNewSeed
@@ -24,7 +24,6 @@ function Invoke-Build {
             $SanityCheck = $false
         }
 
-        $ScriptHeader = "#Requires -Version 2`r`n`r`n"
         $RootPath = Split-Path -Path (Split-Path -Path $PSCommandPath -Parent) -Parent
 
         $WordList = Get-FileContent -Type "data" -FileName "WordList.txt" | Where-Object { -not [String]::IsNullOrEmpty($_) }
@@ -70,7 +69,7 @@ function Invoke-Build {
 
         $ScriptFilename = "$($BuildProfileObject.Name).ps1"
         $ScriptPath = Join-Path -Path $RootPath -ChildPath "release\$($ScriptFilename)"
-        $ScriptContent = "$($ScriptHeader)"
+        $ScriptContent = ""
         $ErrorCount = 0
         $Modules = @()
 

build/BuildProfiles.json

@@ -220,12 +220,6 @@
                 "CHECK_CREDENTIALS",
                 "CHECK_MISC"
             ]
-        },
-        {
-            "Id": "EXPLOIT_POINT_AND_PRINT",
-            "Files": [
-                "EXPLOIT_POINT_AND_PRINT"
-            ]
         }
     ],
     "Profiles": [
@@ -237,14 +231,6 @@
                 "HELPERS",
                 "CHECKS"
             ]
-        },
-        {
-            "Id": "POINT_AND_PRINT",
-            "Name": "PointAndPrint",
-            "Includes": [
-                "CORE",
-                "EXPLOIT_POINT_AND_PRINT"
-            ]
         }
     ]
 }

build/Seed.txt

@@ -1 +1 @@
-60903217
+1164642816

info/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## 2025-11-09
+
+### Removed
+
+- Point and Print exploit PoC moved to a dedicated repository.
+
 ## 2025-11-08
 
 ### Added

src/core/WinApi.Enum.ps1

@@ -430,18 +430,6 @@ $script:WTS_CONNECTSTATE_CLASS = New-Enum $Module WinApiModule.WTS_CONNECTSTATE_
     Init                                = 9
 }
 
-$script:APD_FILE_COPY_FLAGS = New-Enum $Module WinApiModule.APD_FILE_COPY_FLAGS UInt32 @{
-    APD_STRICT_UPGRADE                  = 0x00000001
-    APD_STRICT_DOWNGRADE                = 0x00000002
-    APD_COPY_ALL_FILES                  = 0x00000004
-    APD_COPY_NEW_FILES                  = 0x00000008
-    APD_COPY_FROM_DIRECTORY             = 0x00000010
-    APD_DONT_COPY_FILES_TO_CLUSTER      = 0x00001000
-    APD_COPY_TO_ALL_SPOOLERS            = 0x00002000
-    APD_INSTALL_WARNED_DRIVER           = 0x00008000
-    APD_RETURN_BLOCKING_STATUS_CODE     = 0x00010000
-} -BitField
-
 $script:ASSOCF = New-Enum $Module WinApiModule.ASSOCF UInt32 @{
     ASSOCF_NONE                         = 0x00000000
     ASSOCF_INIT_NOREMAPCLSID            = 0x00000001

src/core/WinApi.Struct.ps1

@@ -487,82 +487,6 @@ $script:WTS_SESSION_INFO_1W = New-Structure $Module WinApiModule.WTS_SESSION_INF
     FarmName                    = New-StructureField 7 String -MarshalAs @('LPWStr')
 }
 
-$script:DRIVER_INFO_1 = New-Structure $Module WinApiModule.DRIVER_INFO_1 @{
-    Name                        = New-StructureField 0 String -MarshalAs @('LPTStr')
-} -Charset Auto
-
-$script:DRIVER_INFO_2 = New-Structure $Module WinApiModule.DRIVER_INFO_2 @{
-    Version                     = New-StructureField 0 UInt32
-    Name                        = New-StructureField 1 String -MarshalAs @('LPTStr')
-    Environment                 = New-StructureField 2 String -MarshalAs @('LPTStr')
-    DriverPath                  = New-StructureField 3 String -MarshalAs @('LPTStr')
-    DataFile                    = New-StructureField 4 String -MarshalAs @('LPTStr')
-    ConfigFile                  = New-StructureField 5 String -MarshalAs @('LPTStr')
-} -Charset Auto
-
-$script:DRIVER_INFO_3 = New-Structure $Module WinApiModule.DRIVER_INFO_3 @{
-    Version                     = New-StructureField 0 UInt32
-    Name                        = New-StructureField 1 String -MarshalAs @('LPTStr')
-    Environment                 = New-StructureField 2 String -MarshalAs @('LPTStr')
-    DriverPath                  = New-StructureField 3 String -MarshalAs @('LPTStr')
-    DataFile                    = New-StructureField 4 String -MarshalAs @('LPTStr')
-    ConfigFile                  = New-StructureField 5 String -MarshalAs @('LPTStr')
-    HelpFile                    = New-StructureField 6 String -MarshalAs @('LPTStr')
-    DependentFiles              = New-StructureField 7 String -MarshalAs @('LPTStr')
-    MonitorName                 = New-StructureField 8 String -MarshalAs @('LPTStr')
-    DefaultDataType             = New-StructureField 9 String -MarshalAs @('LPTStr')
-} -Charset Auto
-
-$script:DRIVER_INFO_4 = New-Structure $Module WinApiModule.DRIVER_INFO_4 @{
-    Version                     = New-StructureField 0 UInt32
-    Name                        = New-StructureField 1 String -MarshalAs @('LPTStr')
-    Environment                 = New-StructureField 2 String -MarshalAs @('LPTStr')
-    DriverPath                  = New-StructureField 3 String -MarshalAs @('LPTStr')
-    DataFile                    = New-StructureField 4 String -MarshalAs @('LPTStr')
-    ConfigFile                  = New-StructureField 5 String -MarshalAs @('LPTStr')
-    HelpFile                    = New-StructureField 6 String -MarshalAs @('LPTStr')
-    DependentFiles              = New-StructureField 7 String -MarshalAs @('LPTStr')
-    MonitorName                 = New-StructureField 8 String -MarshalAs @('LPTStr')
-    DefaultDataType             = New-StructureField 9 String -MarshalAs @('LPTStr')
-    PreviousNames               = New-StructureField 10 String -MarshalAs @('LPTStr')
-} -Charset Auto
-
-$script:DRIVER_INFO_5 = New-Structure $Module WinApiModule.DRIVER_INFO_5 @{
-    Version                     = New-StructureField 0 UInt32
-    Name                        = New-StructureField 1 String -MarshalAs @('LPTStr')
-    Environment                 = New-StructureField 2 String -MarshalAs @('LPTStr')
-    DriverPath                  = New-StructureField 3 String -MarshalAs @('LPTStr')
-    DataFile                    = New-StructureField 4 String -MarshalAs @('LPTStr')
-    ConfigFile                  = New-StructureField 5 String -MarshalAs @('LPTStr')
-    DriverAttributes            = New-StructureField 6 UInt32
-    ConfigVersion               = New-StructureField 7 UInt32
-    DriverVersion               = New-StructureField 8 UInt32
-} -Charset Auto
-
-$script:PRINTER_INFO_2 = New-Structure $Module WinApiModule.PRINTER_INFO_2 @{
-    ServerName                  = New-StructureField 0 String -MarshalAs @('LPTStr')
-    PrinterName                 = New-StructureField 1 String -MarshalAs @('LPTStr')
-    ShareName                   = New-StructureField 2 String -MarshalAs @('LPTStr')
-    PortName                    = New-StructureField 3 String -MarshalAs @('LPTStr')
-    DriverName                  = New-StructureField 4 String -MarshalAs @('LPTStr')
-    Comment                     = New-StructureField 5 String -MarshalAs @('LPTStr')
-    Location                    = New-StructureField 6 String -MarshalAs @('LPTStr')
-    DevMode                     = New-StructureField 7 IntPtr # Should be a pointer to a DEVMODE structure
-    SepFile                     = New-StructureField 8 String -MarshalAs @('LPTStr')
-    PrintProcessor              = New-StructureField 9 String -MarshalAs @('LPTStr')
-    DataType                    = New-StructureField 10 String -MarshalAs @('LPTStr')
-    Parameters                  = New-StructureField 11 String -MarshalAs @('LPTStr')
-    SecurityDescriptor          = New-StructureField 12 IntPtr # Should be a pointer to a SECURITY_DESCRIPTOR structure
-    Attributes                  = New-StructureField 13 UInt32
-    Priority                    = New-StructureField 14 UInt32
-    DefaultPriority             = New-StructureField 15 UInt32
-    StartTime                   = New-StructureField 16 UInt32
-    UntilTime                   = New-StructureField 17 UInt32
-    Status                      = New-StructureField 18 UInt32
-    Jobs                        = New-StructureField 19 UInt32
-    AveragePPM                  = New-StructureField 20 UInt32
-} -Charset Auto
-
 $script:TPM_DEVICE_INFORMATION = New-Structure $Module WinApiModule.TPM_DEVICE_INFORMATION @{
     TpmVersion                  = New-StructureField 0 UInt32
     ManufacturerId              = New-StructureField 1 String -MarshalAs @('ByValTStr', 5)

src/core/WinApi.ps1

@@ -79,14 +79,6 @@ $FunctionDefinitions = @(
     (New-Function vaultcli VaultFree ([UInt32]) @([IntPtr]) -EntryPoint VaultFree),
     (New-Function vaultcli VaultCloseVault ([UInt32]) @([IntPtr].MakeByRefType()) -EntryPoint VaultCloseVault),
 
-    (New-Function winspool.drv AddPrinterDriverEx ([Bool]) @([String], [UInt32], [IntPtr], [UInt32]) -Charset Auto -SetLastError -EntryPoint AddPrinterDriverEx),
-    (New-Function winspool.drv EnumPrinterDrivers ([Bool]) @([String], [String], [UInt32], [IntPtr], [UInt32], [UInt32].MakeByRefType(), [UInt32].MakeByRefType()) -Charset Auto -SetLastError -EntryPoint EnumPrinterDrivers),
-    (New-Function winspool.drv DeletePrinterDriver ([Bool]) @([String], [String], [String]) -Charset Auto -SetLastError -EntryPoint DeletePrinterDriver),
-    (New-Function winspool.drv DeletePrinterDriverEx ([Bool]) @([String], [String], [String], [UInt32], [UInt32]) -Charset Auto -SetLastError -EntryPoint DeletePrinterDriverEx),
-    (New-Function winspool.drv AddPrinter ([IntPtr]) @([String], [UInt32], [IntPtr]) -Charset Auto -SetLastError -EntryPoint AddPrinter),
-    (New-Function winspool.drv DeletePrinter ([Bool]) @([IntPtr]) -SetLastError -EntryPoint DeletePrinter),
-    (New-Function winspool.drv ClosePrinter ([Bool]) @([IntPtr]) -SetLastError -EntryPoint ClosePrinter),
-
     (New-Function wlanapi WlanOpenHandle ([UInt32]) @([UInt32], [IntPtr], [UInt32].MakeByRefType(), [IntPtr].MakeByRefType()) -EntryPoint WlanOpenHandle),
     (New-Function wlanapi WlanCloseHandle ([UInt32]) @([IntPtr], [IntPtr]) -EntryPoint WlanCloseHandle),
     (New-Function wlanapi WlanEnumInterfaces ([UInt32]) @([IntPtr], [IntPtr], [IntPtr].MakeByRefType()) -EntryPoint WlanEnumInterfaces),