Local Privilege Escalation Edition of CVE-2021-1675/CVE-2021-34527

Local Privilege Escalation implementation of the CVE-2021-1675/CVE-2021-34527 (a.k.a PrintNightmare). The exploit is edited from published by Zhiniang Peng (@edwardzpeng) & Xuefeng Li (@lxf02942370).

Open the project on MSVC and compile with x64 Release mode. Exploit automatically finds UNIDRV.DLL, no changes are required in the code.

Usage

When executing the exploit, you need to DLL path as the first argument to the exploit. That's it and go!

CVE-2021-1675-LPE.exe PAYLOAD_DLL_PATH

Exploit has been tested on the fully updated Windows Server 2019 Standard.

Cobalt Strike

For Reflective DLL version only, you have to change the DLL path at line 111 in main.cpp file and then compile the project. Load lpe_cve_2021_1675.cna and use lpe_cve_2021_1675 command for execution of Reflective DLL.

Mitigation

Disable Spooler service

Stop-Service Spooler
REG ADD  "HKLM\SYSTEM\CurrentControlSet\Services\Spooler"  /v "Start " /t REG_DWORD /d "4" /f

Or Uninstall Print-Services

Uninstall-WindowsFeature Print-Services

References

• https://github.com/afwu/PrintNightmare
• https://twitter.com/hackerfantastic/status/1410069557398679552
• https://twitter.com/0gtweet/status/1410150462842544130