Proof of concept for Local Privilege Escalation in Thales Sentinel HASP LDK. I initially wanted to develop one, but eventually that turned out to be unnecessary. There is no race condition to win, and a simple DLL search order hijacking from a known location suffices to attain SYSTEM.
We simply:
- compile raw.cpp as fltlib.dll and put it into AppData\Local\Temp (it has to be a proper proxy DLL leading to C:\Windows\System32\fltlib.dll).
- then just run msiexec.exe /fa PATH_TO_MSI.